From e69bdf07c3466e88e3a24e8bcd3f6ce96f1f1fe2 Mon Sep 17 00:00:00 2001 
From: eddiek Date: Wed, 25 Sep 2024 16:40:24 +0300 Subject: [PATCH 01/12] GitHub repository sync --- .github/workflows/code-analysis.yaml | 10 + .gitignore | 140 + README.md | 22 + aws/images/launch.png | Bin 0 -> 2941 bytes aws/images/step1_aws.png | Bin 0 -> 29773 bytes aws/images/step2_aws.png | Bin 0 -> 77305 bytes aws/templates/README.md | 35 + aws/templates/asg/README.md | 22 + aws/templates/asg/autoscale.yaml | 607 +++ aws/templates/cluster/README.md | 26 + aws/templates/cluster/cluster-master.yaml | 510 +++ aws/templates/cluster/cluster.yaml | 736 ++++ aws/templates/cross-az-cluster/README.md | 26 + .../cross-az-cluster-master.yaml | 513 +++ .../cross-az-cluster/cross-az-cluster.yaml | 755 ++++ aws/templates/general/README.md | 29 + aws/templates/general/amis.yaml | 915 +++++ aws/templates/general/cme-iam-role.yaml | 159 + aws/templates/geo-cluster/README.md | 26 + .../geo-cluster/geo-cluster-master.yaml | 518 +++ aws/templates/geo-cluster/geo-cluster.yaml | 708 ++++ aws/templates/gwlb-asg/README.md | 58 + aws/templates/gwlb-asg/gwlb-master.yaml | 721 ++++ aws/templates/gwlb-asg/gwlb.yaml | 720 ++++ aws/templates/gwlb-asg/qs-gwlb-master.yaml | 947 +++++ aws/templates/gwlb-asg/qs-gwlb.yaml | 915 +++++ aws/templates/gwlb-asg/tgw-gwlb-master.yaml | 862 +++++ aws/templates/gwlb-asg/tgw-gwlb.yaml | 1206 ++++++ aws/templates/management/README.md | 22 + aws/templates/management/management.yaml | 569 +++ aws/templates/mds/README.md | 21 + aws/templates/mds/mds.yaml | 510 +++ aws/templates/single-gw/README.md | 25 + aws/templates/single-gw/gateway-master.yaml | 489 +++ aws/templates/single-gw/gateway.yaml | 587 +++ aws/templates/standalone/README.md | 26 + .../standalone/standalone-master.yaml | 434 +++ aws/templates/standalone/standalone.yaml | 521 +++ aws/templates/tgw-asg/README.md | 26 + aws/templates/tgw-asg/tgw-asg-master.yaml | 688 ++++ aws/templates/tgw-asg/tgw-asg.yaml | 679 ++++ aws/templates/tgw-cross-az-cluster/README.md | 26 + 
.../tgw-cross-az-cluster-master.yaml | 523 +++ .../tgw-cross-az-cluster.yaml | 519 +++ aws/templates/tgw-ha/README.md | 26 + aws/templates/tgw-ha/tgw-ha-master.yaml | 525 +++ aws/templates/tgw-ha/tgw-ha.yaml | 522 +++ azure/misc/azure_ha_test.py | 424 +++ azure/misc/nva_bgp_config.conf | 38 + azure/templates/README.MD | 69 + .../README.md | 22 + .../createUiDefinition.json | 1516 ++++++++ .../mainTemplate.json | 1169 ++++++ azure/templates/marketplace-ha/README.md | 21 + .../marketplace-ha/createUiDefinition.json | 1650 +++++++++ .../marketplace-ha/mainTemplate.json | 1453 ++++++++ .../marketplace-management/README.md | 21 + .../createUiDefinition.json | 702 ++++ .../marketplace-management/mainTemplate.json | 920 +++++ azure/templates/marketplace-mds/README.md | 21 + .../marketplace-mds/createUiDefinition.json | 637 ++++ .../marketplace-mds/mainTemplate.json | 903 +++++ .../createUiDefinition.json | 338 ++ .../marketplace-single-waap/mainTemplate.json | 567 +++ azure/templates/marketplace-single/README.md | 22 + .../createUiDefinition.json | 1353 +++++++ .../marketplace-single/mainTemplate.json | 942 +++++ .../createUiDefinition.json | 513 +++ .../marketplace-stack-ha/mainTemplate.json | 689 ++++ .../createUiDefinition.json | 306 ++ .../mainTemplate.json | 465 +++ .../createUiDefinition.json | 513 +++ .../mainTemplate.json | 552 +++ .../createUiDefinition.json | 795 ++++ .../marketplace-vmss-waap/mainTemplate.json | 1039 ++++++ azure/templates/marketplace-vmss/README.md | 23 + .../marketplace-vmss/createUiDefinition.json | 1752 +++++++++ .../marketplace-vmss/mainTemplate.json | 1323 +++++++ .../CreateUIDefinition.MultiVm.json | 1 + .../nestedtemplates/azure-func-sami.json | 240 ++ .../existing-nsg-RoleAssignment.json | 48 + .../gateway-load-balancers.json | 153 + .../nestedtemplates/load-balancers-waap.json | 285 ++ .../nestedtemplates/load-balancers.json | 259 ++ .../storageAccount-existing.json | 30 + .../nestedtemplates/storageAccount-new.json | 42 + 
.../vnet-1-subnet-existing.json | 87 + .../nestedtemplates/vnet-1-subnet-new.json | 167 + .../vnet-2-subnet-ha-existing.json | 87 + .../nestedtemplates/vnet-2-subnet-ha-new.json | 200 + .../vnet-2-subnet-ha2-existing.json | 76 + .../vnet-2-subnet-ha2-new.json | 192 + .../vnet-4-subnet-existing.json | 137 + .../nestedtemplates/vnet-4-subnet-new.json | 322 ++ .../nestedtemplates/vnet-existing-no-rt.json | 81 + .../vnet-existing-stack-ha.json | 93 + .../vnet-existing-stack-mgmt.json | 67 + .../nestedtemplates/vnet-existing-stack.json | 95 + .../nestedtemplates/vnet-existing.json | 76 + .../nestedtemplates/vnet-new-no-rt.json | 107 + .../nestedtemplates/vnet-new-stack-ha.json | 141 + .../nestedtemplates/vnet-new-stack-mgmt.json | 87 + .../nestedtemplates/vnet-new-stack.json | 165 + azure/templates/nestedtemplates/vnet-new.json | 196 + azure/templates/single-ipv6/README.md | 10 + azure/templates/single-ipv6/mainTemplate.json | 1038 ++++++ azure/templates/vmss-ipv6/README.md | 9 + azure/templates/vmss-ipv6/mainTemplate.json | 1367 +++++++ azure/templates/vwan-managed-app/README.md | 85 + .../vwan-managed-app/mainTemplate.json | 284 ++ common/central_license_debug_collector.sh | 118 + .../CME_API.postman_collection | 3255 +++++++++++++++++ common/cme_api_postman/README.md | 19 + common/cme_xff_inject.sh | 7 + common/custom-management-script.py | 128 + common/custom_scripts/README.md | 21 + common/custom_scripts/password_script.sh | 10 + common/maintenance_mode/README.md | 19 + common/maintenance_mode/grub.conf | 11 + common/simulate_cpu_load.sh | 11 + common/static_route_config.sh | 13 + common/vwan_postman/README.md | 66 + .../vwan_postman/vwan.postman_collection.json | 1307 +++++++ contrib/README.md | 2 + .../templates/ha-public-ip-prefix/README.MD | 51 + .../ha-publicipprefix-parameters.json | 106 + .../ha-publicipprefix.json | 1033 ++++++ .../ha-redeploy-single-member/README.MD | 41 + .../ha-redeploy-single-member.json | 561 +++ .../mainTemplate.json | 1055 ++++++ 
.../vmss-publicipprefixinstances/README.MD | 47 + .../vmss-publicipprefix-instances.json | 891 +++++ .../vmss-publicipprefixinstanceselb/README.MD | 51 + .../mainTemplate.json | 922 +++++ .../nestedtemplates/load-balancers.json | 283 ++ .../vnet-2-subnet-ha-existing.json | 124 + contrib/cme/examples/README.md | 2 + contrib/terraform-azure-gwlb/README.md | 70 + contrib/terraform-azure-gwlb/app-main.tf | 382 ++ contrib/terraform-azure-gwlb/app-variables.tf | 26 + .../terraform-azure-gwlb/cpcluster-main.tf | 461 +++ .../cpcluster-variables.tf | 201 + contrib/terraform-azure-gwlb/cpmgmt-main.tf | 189 + .../terraform-azure-gwlb/cpmgmt-variables.tf | 28 + contrib/terraform-azure-gwlb/customdata.sh | 17 + .../deployment-variables.tf | 29 + .../files/azure-gwlb-template.json | 849 +++++ contrib/terraform-azure-gwlb/gwlb-main.tf | 156 + .../terraform-azure-gwlb/gwlb-variables.tf | 25 + .../modules/common/main.tf | 5 + .../modules/common/outputs.tf | 127 + .../modules/common/variables.tf | 293 ++ .../modules/common/versions.tf | 3 + .../modules/network-security-group/main.tf | 23 + .../modules/network-security-group/output.tf | 7 + .../network-security-group/variables.tf | 43 + .../network-security-group/versions.tf | 3 + .../terraform-azure-gwlb/modules/vnet/main.tf | 80 + .../modules/vnet/outputs.tf | 27 + .../modules/vnet/variables.tf | 63 + .../modules/vnet/versions.tf | 3 + contrib/terraform-azure-gwlb/net-main.tf | 261 ++ contrib/terraform-azure-gwlb/net-variables.tf | 26 + contrib/terraform-azure-gwlb/terraform.tfvars | 31 + contrib/terraform-azure-gwlb/tfc-project.tf | 20 + .../zimages/azure-gwlb-design.jpg | Bin 0 -> 329545 bytes .../azure/vmss-new-vnet-with-peer/README.md | 152 + .../vmss-new-vnet-with-peer/azure_public_key | 0 .../vmss-new-vnet-with-peer/cloud-init.sh | 12 + .../images/Topology-2.JPG | Bin 0 -> 51157 bytes .../azure/vmss-new-vnet-with-peer/main.tf | 364 ++ .../vmss-new-vnet-with-peer/terraform.tfvars | 29 + .../vmss-new-vnet-with-peer/variables.tf 
| 274 ++ deprecated/README.md | 2 + deprecated/aws/templates/README.md | 13 + deprecated/aws/templates/asg-r8030/README.md | 22 + .../aws/templates/asg-r8030/autoscale.json | 1188 ++++++ .../aws/templates/cluster-r8030/README.md | 25 + .../cluster-r8030/cluster-into-vpc.json | 1313 +++++++ .../aws/templates/cluster-r8030/cluster.json | 515 +++ .../aws/templates/gateway-r7730/README.md | 21 + .../gateway-2-nic-existing-vpc.json | 486 +++ .../aws/templates/gateways-r7730/README.md | 21 + .../gateways-r7730/inter-az-cluster.json | 505 +++ .../aws/templates/instance-r7730/README.md | 21 + .../aws/templates/instance-r7730/gwinvpc.json | 269 ++ .../aws/templates/management-r7730/README.md | 21 + .../management-r7730/r7730-management.json | 656 ++++ .../aws/templates/management-r80/README.md | 21 + .../aws/templates/management-r80/r80.json | 725 ++++ .../aws/templates/management-r8030/README.md | 22 + .../management-r8030/management.json | 1323 +++++++ deprecated/aws/templates/mds-r8030/README.md | 23 + deprecated/aws/templates/mds-r8030/mds.json | 1270 +++++++ .../aws/templates/single-gw-r8030/README.md | 25 + .../single-gw-r8030/gateway-into-vpc.json | 1000 +++++ .../templates/single-gw-r8030/gateway.json | 543 +++ .../aws/templates/tgw-asg-r8030/README.md | 25 + .../checkpoint-tgw-asg-master.yaml | 471 +++ .../tgw-asg-r8030/checkpoint-tgw-asg.yaml | 488 +++ .../aws/templates/transit-vpc-r8030/README.md | 34 + .../checkpoint-transit-master.yaml | 354 ++ .../transit-vpc-r8030/checkpoint-transit.yaml | 361 ++ .../transit-vpc-r8030/transit-master.yaml | 241 ++ .../templates/transit-vpc-r8030/transit.yaml | 230 ++ .../azure/misc/azure_ha_test_python2.py | 414 +++ .../templates/R7730/cluster-r7730/README.MD | 13 + .../cluster-r7730/createUiDefinition.json | 348 ++ .../R7730/cluster-r7730/mainTemplate.json | 684 ++++ .../R7730/cluster-r7730/vnet-existing.json | 93 + .../R7730/cluster-r7730/vnet-new.json | 172 + .../templates/R7730/mgmt-r7730/README.MD | 13 + 
.../R7730/mgmt-r7730/createUiDefinition.json | 281 ++ .../R7730/mgmt-r7730/mainTemplate.json | 553 +++ .../mgmt-r7730/vnet-1-subnet-existing.json | 73 + .../R7730/mgmt-r7730/vnet-1-subnet-new.json | 96 + .../templates/R7730/single-r7730/README.MD | 13 + .../single-r7730/createUiDefinition.json | 379 ++ .../R7730/single-r7730/mainTemplate.json | 524 +++ .../R7730/single-r7730/vnet-existing.json | 99 + .../R7730/single-r7730/vnet-new.json | 187 + .../templates/R7730/vmss-r7730/README.MD | 13 + .../R7730/vmss-r7730/createUiDefinition.json | 385 ++ .../R7730/vmss-r7730/mainTemplate.json | 678 ++++ .../vmss-r7730/vnet-1-subnet-existing.json | 67 + .../R7730/vmss-r7730/vnet-1-subnet-new.json | 87 + .../R8010-R8020/cluster-r8010/README.MD | 13 + .../cluster-r8010/createUiDefinition.json | 380 ++ .../cluster-r8010/mainTemplate.json | 731 ++++ .../nestedtemplates/vnet-existing.json | 99 + .../nestedtemplates/vnet-new.json | 187 + .../R8010-R8020/ha-r8010-r8020/README.MD | 13 + .../ha-r8010-r8020/createUiDefinition.json | 1284 +++++++ .../ha-r8010-r8020/mainTemplate.json | 960 +++++ .../vnet-2-subnet-ha2-existing.json | 93 + .../vnet-2-subnet-ha2-new.json | 217 ++ .../R8010-R8020/mgmt-r8010-r8020/README.MD | 13 + .../mgmt-r8010-r8020/createUiDefinition.json | 409 +++ .../mgmt-r8010-r8020/mainTemplate.json | 633 ++++ .../vnet-1-subnet-existing.json | 73 + .../nestedtemplates/vnet-1-subnet-new.json | 96 + .../R8010-R8020/single-r8010-r8020/README.MD | 13 + .../createUiDefinition.json | 754 ++++ .../single-r8010-r8020/mainTemplate.json | 599 +++ .../nestedtemplates/vnet-existing.json | 99 + .../nestedtemplates/vnet-new.json | 187 + .../R8010-R8020/vmss-r8010-r8020/README.MD | 13 + .../vmss-r8010-r8020/createUiDefinition.json | 1056 ++++++ .../vmss-r8010-r8020/mainTemplate.json | 874 +++++ .../nestedtemplates/load-balancers.json | 279 ++ .../vnet-2-subnet-ha-existing.json | 124 + .../nestedtemplates/vnet-2-subnet-ha-new.json | 216 ++ .../azure/templates/R8030/ha-r8030/README.MD 
| 13 + .../R8030/ha-r8030/createUiDefinition.json | 730 ++++ .../R8030/ha-r8030/mainTemplate.json | 1029 ++++++ .../vnet-2-subnet-ha2-existing.json | 30 + .../vnet-2-subnet-ha2-new.json | 178 + .../azure/templates/R8030/mds-r8030/README.MD | 13 + .../R8030/mds-r8030/createUiDefinition.json | 377 ++ .../R8030/mds-r8030/mainTemplate.json | 625 ++++ .../vnet-1-subnet-existing.json | 78 + .../nestedtemplates/vnet-1-subnet-new.json | 157 + .../templates/R8030/mgmt-r8030/README.MD | 13 + .../R8030/mgmt-r8030/createUiDefinition.json | 387 ++ .../R8030/mgmt-r8030/mainTemplate.json | 629 ++++ .../vnet-1-subnet-existing.json | 78 + .../nestedtemplates/vnet-1-subnet-new.json | 157 + .../templates/R8030/single-r8030/README.MD | 13 + .../single-r8030/createUiDefinition.json | 603 +++ .../R8030/single-r8030/mainTemplate.json | 638 ++++ .../nestedtemplates/vnet-existing.json | 30 + .../nestedtemplates/vnet-new.json | 151 + .../templates/R8030/vmss-r8030/README.MD | 13 + .../R8030/vmss-r8030/createUiDefinition.json | 1106 ++++++ .../R8030/vmss-r8030/mainTemplate.json | 1026 ++++++ .../nestedtemplates/load-balancers.json | 252 ++ .../vnet-2-subnet-ha-existing.json | 78 + .../nestedtemplates/vnet-2-subnet-ha-new.json | 188 + .../R8040-R81/ha-r8040-r81/README.md | 21 + .../ha-r8040-r81/createUiDefinition.json | 1602 ++++++++ .../R8040-R81/ha-r8040-r81/mainTemplate.json | 1294 +++++++ .../R8040-R81/mds-r8040-r81/README.md | 21 + .../mds-r8040-r81/createUiDefinition.json | 589 +++ .../R8040-R81/mds-r8040-r81/mainTemplate.json | 746 ++++ .../R8040-R81/mgmt-r840-r81/README.md | 21 + .../mgmt-r840-r81/createUiDefinition.json | 654 ++++ .../R8040-R81/mgmt-r840-r81/mainTemplate.json | 751 ++++ .../R8040-R81/single-ipv6-r8040-r81/README.md | 10 + .../single-ipv6-r8040-r81/mainTemplate.json | 887 +++++ .../R8040-R81/single-r8040-r81/README.md | 22 + .../single-r8040-r81/createUiDefinition.json | 1305 +++++++ .../single-r8040-r81/mainTemplate.json | 779 ++++ 
.../R8040-R81/vmss-ipv6-r8040-r81/README.md | 9 + .../vmss-ipv6-r8040-r81/mainTemplate.json | 1209 ++++++ .../R8040-R81/vmss-r8040-r81/README.md | 23 + .../vmss-r8040-r81/createUiDefinition.json | 1732 +++++++++ .../vmss-r8040-r81/mainTemplate.json | 1156 ++++++ deprecated/azure/templates/README.MD | 5 + .../stack-ha/createUiDefinition.json | 438 +++ .../stack-R8030/stack-ha/mainTemplate.json | 703 ++++ .../stack-mgmt/createUiDefinition.json | 371 ++ .../stack-R8030/stack-mgmt/mainTemplate.json | 472 +++ .../stack-single/createUiDefinition.json | 441 +++ .../stack-single/mainTemplate.json | 556 +++ .../createUiDefinition.json | 763 ++++ .../stack-ha-r8040-r81/mainTemplate.json | 699 ++++ .../createUiDefinition.json | 366 ++ .../mainTemplate.json | 472 +++ .../createUiDefinition.json | 763 ++++ .../stack-single-r8040-r81/mainTemplate.json | 562 +++ .../R80.30/autoscale-byol-R80.30/README.md | 126 + .../c2d_deployment_configuration.json | 7 + .../check-point-autoscale--byol.py | 621 ++++ .../check-point-autoscale--byol.py.schema | 202 + .../R80.30/autoscale-byol-R80.30/common.py | 262 ++ .../R80.30/autoscale-byol-R80.30/config.yaml | 50 + .../R80.30/autoscale-byol-R80.30/default.py | 134 + .../R80.30/autoscale-byol-R80.30/images.py | 10 + .../R80.30/autoscale-byol-R80.30/password.py | 135 + .../R80.30/autoscale-payg-R80.30/README.md | 126 + .../c2d_deployment_configuration.json | 7 + .../check-point-autoscale--payg.py | 621 ++++ .../check-point-autoscale--payg.py.schema | 202 + .../R80.30/autoscale-payg-R80.30/common.py | 262 ++ .../R80.30/autoscale-payg-R80.30/config.yaml | 50 + .../R80.30/autoscale-payg-R80.30/default.py | 134 + .../R80.30/autoscale-payg-R80.30/images.py | 10 + .../R80.30/autoscale-payg-R80.30/password.py | 135 + .../gcp/R80.30/ha-byol-R80.30/README.md | 178 + .../c2d_deployment_configuration.json | 7 + .../check-point-cluster--byol.py | 713 ++++ .../check-point-cluster--byol.py.schema | 384 ++ .../gcp/R80.30/ha-byol-R80.30/common.py | 262 ++ 
.../gcp/R80.30/ha-byol-R80.30/config.yaml | 69 + .../gcp/R80.30/ha-byol-R80.30/default.py | 134 + .../gcp/R80.30/ha-byol-R80.30/images.py | 10 + .../gcp/R80.30/ha-byol-R80.30/password.py | 135 + .../gcp/R80.30/ha-payg-R80.30/README.md | 178 + .../c2d_deployment_configuration.json | 7 + .../check-point-cluster--payg.py | 713 ++++ .../check-point-cluster--payg.py.schema | 384 ++ .../gcp/R80.30/ha-payg-R80.30/common.py | 262 ++ .../gcp/R80.30/ha-payg-R80.30/config.yaml | 69 + .../gcp/R80.30/ha-payg-R80.30/default.py | 134 + .../gcp/R80.30/ha-payg-R80.30/images.py | 10 + .../gcp/R80.30/ha-payg-R80.30/password.py | 135 + .../gcp/R80.30/single-byol-R80.30/README.md | 131 + .../c2d_deployment_configuration.json | 7 + .../check-point-vsec--byol.py | 729 ++++ .../check-point-vsec--byol.py.schema | 343 ++ .../gcp/R80.30/single-byol-R80.30/common.py | 262 ++ .../gcp/R80.30/single-byol-R80.30/config.yaml | 48 + .../gcp/R80.30/single-byol-R80.30/default.py | 134 + .../gcp/R80.30/single-byol-R80.30/images.py | 10 + .../gcp/R80.30/single-byol-R80.30/password.py | 135 + .../gcp/R80.30/single-payg-R80.30/README.md | 131 + .../c2d_deployment_configuration.json | 7 + .../check-point-vsec--payg.py | 729 ++++ .../check-point-vsec--payg.py.schema | 343 ++ .../gcp/R80.30/single-payg-R80.30/common.py | 262 ++ .../gcp/R80.30/single-payg-R80.30/config.yaml | 46 + .../gcp/R80.30/single-payg-R80.30/default.py | 134 + .../gcp/R80.30/single-payg-R80.30/images.py | 10 + .../gcp/R80.30/single-payg-R80.30/password.py | 135 + .../gcp/R80.40-R81/autoscale-byol/README.md | 126 + .../c2d_deployment_configuration.json | 7 + .../check-point-autoscale--byol.py | 381 ++ .../check-point-autoscale--byol.py.schema | 215 ++ .../gcp/R80.40-R81/autoscale-byol/common.py | 262 ++ .../gcp/R80.40-R81/autoscale-byol/config.yaml | 50 + .../gcp/R80.40-R81/autoscale-byol/default.py | 134 + .../gcp/R80.40-R81/autoscale-byol/images.py | 34 + .../gcp/R80.40-R81/autoscale-byol/password.py | 135 + 
.../gcp/R80.40-R81/autoscale-payg/README.md | 126 + .../c2d_deployment_configuration.json | 7 + .../check-point-autoscale--payg.py | 381 ++ .../check-point-autoscale--payg.py.schema | 215 ++ .../gcp/R80.40-R81/autoscale-payg/common.py | 262 ++ .../gcp/R80.40-R81/autoscale-payg/config.yaml | 50 + .../gcp/R80.40-R81/autoscale-payg/default.py | 134 + .../gcp/R80.40-R81/autoscale-payg/images.py | 34 + .../gcp/R80.40-R81/autoscale-payg/password.py | 135 + deprecated/gcp/R80.40-R81/ha-byol/README.md | 187 + .../ha-byol/c2d_deployment_configuration.json | 7 + .../ha-byol/check-point-cluster--byol.py | 494 +++ .../check-point-cluster--byol.py.schema | 400 ++ deprecated/gcp/R80.40-R81/ha-byol/common.py | 262 ++ deprecated/gcp/R80.40-R81/ha-byol/config.yaml | 73 + deprecated/gcp/R80.40-R81/ha-byol/default.py | 134 + deprecated/gcp/R80.40-R81/ha-byol/images.py | 34 + deprecated/gcp/R80.40-R81/ha-byol/password.py | 135 + deprecated/gcp/R80.40-R81/ha-payg/README.md | 187 + .../ha-payg/c2d_deployment_configuration.json | 7 + .../ha-payg/check-point-cluster--payg.py | 494 +++ .../check-point-cluster--payg.py.schema | 400 ++ deprecated/gcp/R80.40-R81/ha-payg/common.py | 262 ++ deprecated/gcp/R80.40-R81/ha-payg/config.yaml | 73 + deprecated/gcp/R80.40-R81/ha-payg/default.py | 134 + deprecated/gcp/R80.40-R81/ha-payg/images.py | 34 + deprecated/gcp/R80.40-R81/ha-payg/password.py | 135 + .../gcp/R80.40-R81/single-byol/README.md | 134 + .../c2d_deployment_configuration.json | 7 + .../single-byol/check-point-vsec--byol.py | 479 +++ .../check-point-vsec--byol.py.schema | 363 ++ .../gcp/R80.40-R81/single-byol/common.py | 262 ++ .../gcp/R80.40-R81/single-byol/config.yaml | 50 + .../gcp/R80.40-R81/single-byol/default.py | 134 + .../gcp/R80.40-R81/single-byol/images.py | 34 + .../gcp/R80.40-R81/single-byol/password.py | 135 + .../gcp/R80.40-R81/single-payg/README.md | 133 + .../c2d_deployment_configuration.json | 7 + .../single-payg/check-point-vsec--payg.py | 474 +++ 
.../check-point-vsec--payg.py.schema | 359 ++ .../gcp/R80.40-R81/single-payg/common.py | 262 ++ .../gcp/R80.40-R81/single-payg/config.yaml | 48 + .../gcp/R80.40-R81/single-payg/default.py | 134 + .../gcp/R80.40-R81/single-payg/images.py | 34 + .../gcp/R80.40-R81/single-payg/password.py | 135 + deprecated/gcp/README.MD | 5 + .../high-availability-existing-vnet/README.md | 239 ++ .../azure_public_key | 0 .../cloud-init.sh | 22 + .../high-availability-existing-vnet/main.tf | 531 +++ .../terraform.tfvars | 38 + .../variables.tf | 339 ++ .../versions.tf | 12 + .../high-availability-new-vnet/README.md | 242 ++ .../azure_public_key | 0 .../high-availability-new-vnet/cloud-init.sh | 22 + .../high-availability-new-vnet/main.tf | 550 +++ .../terraform.tfvars | 36 + .../high-availability-new-vnet/variables.tf | 328 ++ .../high-availability-new-vnet/versions.tf | 12 + .../management-existing-vnet/README.md | 189 + .../management-existing-vnet/azure_public_key | 0 .../management-existing-vnet/cloud-init.sh | 16 + .../management-existing-vnet/main.tf | 312 ++ .../management-existing-vnet/terraform.tfvars | 30 + .../management-existing-vnet/variables.tf | 251 ++ .../management-existing-vnet/versions.tf | 12 + .../R8040-R81/management-new-vnet/README.md | 187 + .../management-new-vnet/azure_public_key | 0 .../management-new-vnet/cloud-init.sh | 16 + .../R8040-R81/management-new-vnet/main.tf | 316 ++ .../management-new-vnet/terraform.tfvars | 29 + .../management-new-vnet/variables.tf | 249 ++ .../R8040-R81/management-new-vnet/versions.tf | 12 + .../R8040-R81/mds-existing-vnet/README.md | 195 + .../mds-existing-vnet/azure_public_key | 0 .../R8040-R81/mds-existing-vnet/cloud-init.sh | 20 + .../azure/R8040-R81/mds-existing-vnet/main.tf | 316 ++ .../mds-existing-vnet/terraform.tfvars | 35 + .../R8040-R81/mds-existing-vnet/variables.tf | 280 ++ .../R8040-R81/mds-existing-vnet/versions.tf | 12 + .../azure/R8040-R81/mds-new-vnet/README.md | 188 + 
.../R8040-R81/mds-new-vnet/azure_public_key | 0 .../R8040-R81/mds-new-vnet/cloud-init.sh | 20 + .../azure/R8040-R81/mds-new-vnet/main.tf | 321 ++ .../R8040-R81/mds-new-vnet/terraform.tfvars | 34 + .../azure/R8040-R81/mds-new-vnet/variables.tf | 278 ++ .../azure/R8040-R81/mds-new-vnet/versions.tf | 12 + .../R8040-R81/modules/add-routing-intent.py | 29 + .../azure/R8040-R81/modules/common/main.tf | 5 + .../azure/R8040-R81/modules/common/outputs.tf | 130 + .../R8040-R81/modules/common/variables.tf | 369 ++ .../R8040-R81/modules/common/versions.tf | 3 + .../modules/network-security-group/main.tf | 23 + .../modules/network-security-group/output.tf | 7 + .../network-security-group/variables.tf | 43 + .../network-security-group/versions.tf | 3 + .../azure/R8040-R81/modules/vnet/main.tf | 80 + .../azure/R8040-R81/modules/vnet/outputs.tf | 27 + .../azure/R8040-R81/modules/vnet/variables.tf | 63 + .../azure/R8040-R81/modules/vnet/versions.tf | 3 + .../R8040-R81/nva-into-existing-hub/README.md | 172 + .../R8040-R81/nva-into-existing-hub/main.tf | 195 + .../nva-into-existing-hub/terraform.tfvars | 31 + .../nva-into-existing-hub/variables.tf | 198 + .../nva-into-existing-hub/versions.tf | 17 + .../R8040-R81/nva-into-new-vwan/README.md | 182 + .../azure/R8040-R81/nva-into-new-vwan/main.tf | 202 + .../nva-into-new-vwan/terraform.tfvars | 32 + .../R8040-R81/nva-into-new-vwan/variables.tf | 209 ++ .../R8040-R81/nva-into-new-vwan/versions.tf | 17 + .../single-gateway-existing-vnet/README.md | 200 + .../azure_public_key | 0 .../cloud-init.sh | 18 + .../single-gateway-existing-vnet/main.tf | 257 ++ .../terraform.tfvars | 35 + .../single-gateway-existing-vnet/variables.tf | 281 ++ .../single-gateway-existing-vnet/versions.tf | 12 + .../single-gateway-new-vnet/README.md | 197 + .../single-gateway-new-vnet/azure_public_key | 0 .../single-gateway-new-vnet/cloud-init.sh | 18 + .../R8040-R81/single-gateway-new-vnet/main.tf | 256 ++ .../single-gateway-new-vnet/terraform.tfvars | 33 + 
.../single-gateway-new-vnet/variables.tf | 280 ++ .../single-gateway-new-vnet/versions.tf | 12 + .../R8040-R81/vmss-existing-vnet/README.md | 247 ++ .../vmss-existing-vnet/azure_public_key | 0 .../vmss-existing-vnet/cloud-init.sh | 17 + .../R8040-R81/vmss-existing-vnet/main.tf | 446 +++ .../vmss-existing-vnet/terraform.tfvars | 43 + .../R8040-R81/vmss-existing-vnet/variables.tf | 404 ++ .../R8040-R81/vmss-existing-vnet/versions.tf | 14 + .../azure/R8040-R81/vmss-new-vnet/README.md | 247 ++ .../R8040-R81/vmss-new-vnet/azure_public_key | 0 .../R8040-R81/vmss-new-vnet/cloud-init.sh | 17 + .../azure/R8040-R81/vmss-new-vnet/main.tf | 442 +++ .../R8040-R81/vmss-new-vnet/terraform.tfvars | 42 + .../R8040-R81/vmss-new-vnet/variables.tf | 393 ++ .../azure/R8040-R81/vmss-new-vnet/versions.tf | 14 + deprecated/terraform/azure/README.md | 12 + .../autoscale-into-existing-vpc/README.md | 233 ++ .../autoscale-into-existing-vpc/locals.tf | 63 + .../autoscale-into-existing-vpc/main.tf | 197 + .../autoscale-into-existing-vpc/output.tf | 33 + .../terraform.tfvars | 36 + .../autoscale-into-existing-vpc/variables.tf | 157 + .../autoscale-into-new-vpc/README.md | 241 ++ .../autoscale-into-new-vpc/locals.tf | 48 + .../R8040-R81/autoscale-into-new-vpc/main.tf | 73 + .../autoscale-into-new-vpc/output.tf | 46 + .../autoscale-into-new-vpc/terraform.tfvars | 34 + .../autoscale-into-new-vpc/variables.tf | 150 + .../R8040-R81/common/cluster-member/main.tf | 130 + .../R8040-R81/common/cluster-member/output.tf | 6 + .../common/cluster-member/variables.tf | 174 + .../R8040-R81/common/firewall-rule/main.tf | 10 + .../R8040-R81/common/firewall-rule/output.tf | 3 + .../common/firewall-rule/variables.tf | 17 + .../gcp/R8040-R81/common/members-a-b/main.tf | 85 + .../R8040-R81/common/members-a-b/output.tf | 13 + .../R8040-R81/common/members-a-b/variables.tf | 175 + .../common/network-and-subnet/main.tf | 21 + .../common/network-and-subnet/output.tf | 18 + .../common/network-and-subnet/variables.tf | 27 
+ .../gcp/R8040-R81/common/startup-script.sh | 3 + .../gcp/R8040-R81/high-availability/README.md | 317 ++ .../gcp/R8040-R81/high-availability/locals.tf | 106 + .../gcp/R8040-R81/high-availability/main.tf | 250 ++ .../gcp/R8040-R81/high-availability/output.tf | 117 + .../high-availability/terraform.tfvars | 53 + .../R8040-R81/high-availability/variables.tf | 302 ++ .../single-into-existing-vpc/README.md | 275 ++ .../single-into-existing-vpc/locals.tf | 55 + .../single-into-existing-vpc/main.tf | 218 ++ .../single-into-existing-vpc/output.tf | 18 + .../single-into-existing-vpc/terraform.tfvars | 46 + .../single-into-existing-vpc/variables.tf | 254 ++ .../R8040-R81/single-into-new-vpc/README.md | 270 ++ .../gcp/R8040-R81/single-into-new-vpc/main.tf | 90 + .../R8040-R81/single-into-new-vpc/output.tf | 30 + .../single-into-new-vpc/terraform.tfvars | 45 + .../single-into-new-vpc/variables.tf | 256 ++ gcp/deployment-packages/README.MD | 5 + .../autoscale-byol/README.md | 126 + .../c2d_deployment_configuration.json | 7 + .../check-point-autoscale--byol.py | 379 ++ .../check-point-autoscale--byol.py.schema | 213 ++ .../autoscale-byol/common.py | 262 ++ .../autoscale-byol/config.yaml | 50 + .../autoscale-byol/default.py | 134 + .../autoscale-byol/images.py | 34 + .../autoscale-byol/password.py | 135 + .../autoscale-payg/README.md | 126 + .../c2d_deployment_configuration.json | 7 + .../check-point-autoscale--payg.py | 379 ++ .../check-point-autoscale--payg.py.schema | 213 ++ .../autoscale-payg/common.py | 262 ++ .../autoscale-payg/config.yaml | 50 + .../autoscale-payg/default.py | 134 + .../autoscale-payg/images.py | 34 + .../autoscale-payg/password.py | 135 + gcp/deployment-packages/ha-byol/README.md | 187 + .../ha-byol/c2d_deployment_configuration.json | 7 + .../ha-byol/check-point-cluster--byol.py | 492 +++ .../check-point-cluster--byol.py.schema | 398 ++ gcp/deployment-packages/ha-byol/common.py | 262 ++ gcp/deployment-packages/ha-byol/config.yaml | 73 + 
gcp/deployment-packages/ha-byol/default.py | 134 + gcp/deployment-packages/ha-byol/images.py | 34 + gcp/deployment-packages/ha-byol/password.py | 135 + gcp/deployment-packages/ha-payg/README.md | 187 + .../ha-payg/c2d_deployment_configuration.json | 7 + .../ha-payg/check-point-cluster--payg.py | 492 +++ .../check-point-cluster--payg.py.schema | 398 ++ gcp/deployment-packages/ha-payg/common.py | 262 ++ gcp/deployment-packages/ha-payg/config.yaml | 73 + gcp/deployment-packages/ha-payg/default.py | 134 + gcp/deployment-packages/ha-payg/images.py | 34 + gcp/deployment-packages/ha-payg/password.py | 135 + gcp/deployment-packages/single-byol/README.md | 134 + .../c2d_deployment_configuration.json | 7 + .../single-byol/check-point-vsec--byol.py | 475 +++ .../check-point-vsec--byol.py.schema | 355 ++ gcp/deployment-packages/single-byol/common.py | 262 ++ .../single-byol/config.yaml | 50 + .../single-byol/default.py | 134 + gcp/deployment-packages/single-byol/images.py | 34 + .../single-byol/password.py | 135 + gcp/deployment-packages/single-payg/README.md | 133 + .../c2d_deployment_configuration.json | 7 + .../single-payg/check-point-vsec--payg.py | 475 +++ .../check-point-vsec--payg.py.schema | 353 ++ gcp/deployment-packages/single-payg/common.py | 262 ++ .../single-payg/config.yaml | 48 + .../single-payg/default.py | 134 + gcp/deployment-packages/single-payg/images.py | 34 + .../single-payg/password.py | 135 + terraform/.gitattributes | 1 + terraform/.gitignore | 14 + terraform/LICENSE | 199 + terraform/alicloud/cluster-master/README.md | 174 + terraform/alicloud/cluster-master/locals.tf | 28 + terraform/alicloud/cluster-master/main.tf | 53 + terraform/alicloud/cluster-master/output.tf | 48 + .../alicloud/cluster-master/terraform.tfvars | 47 + .../alicloud/cluster-master/variables.tf | 150 + terraform/alicloud/cluster-master/versions.tf | 9 + terraform/alicloud/cluster/README.md | 158 + .../cluster/cluster_member_a_userdata.yaml | 4 + 
.../cluster/cluster_member_b_userdata.yaml | 4 + terraform/alicloud/cluster/locals.tf | 46 + terraform/alicloud/cluster/main.tf | 178 + terraform/alicloud/cluster/output.tf | 33 + terraform/alicloud/cluster/terraform.tfvars | 40 + terraform/alicloud/cluster/variables.tf | 144 + terraform/alicloud/cluster/versions.tf | 9 + terraform/alicloud/gateway-master/README.md | 155 + terraform/alicloud/gateway-master/locals.tf | 17 + terraform/alicloud/gateway-master/main.tf | 49 + terraform/alicloud/gateway-master/output.tf | 33 + .../alicloud/gateway-master/terraform.tfvars | 42 + .../alicloud/gateway-master/variables.tf | 140 + terraform/alicloud/gateway-master/versions.tf | 9 + terraform/alicloud/gateway/README.md | 141 + terraform/alicloud/gateway/locals.tf | 23 + terraform/alicloud/gateway/main.tf | 70 + terraform/alicloud/gateway/output.tf | 21 + terraform/alicloud/gateway/terraform.tfvars | 37 + terraform/alicloud/gateway/variables.tf | 133 + terraform/alicloud/gateway/versions.tf | 9 + .../alicloud/management-master/README.md | 135 + .../alicloud/management-master/locals.tf | 20 + terraform/alicloud/management-master/main.tf | 40 + .../alicloud/management-master/output.tf | 25 + .../management-master/terraform.tfvars | 40 + .../alicloud/management-master/variables.tf | 137 + .../alicloud/management-master/versions.tf | 9 + terraform/alicloud/management/README.md | 128 + terraform/alicloud/management/locals.tf | 24 + terraform/alicloud/management/main.tf | 177 + .../management/management_userdata.yaml | 4 + terraform/alicloud/management/output.tf | 19 + .../alicloud/management/terraform.tfvars | 35 + terraform/alicloud/management/variables.tf | 128 + terraform/alicloud/management/versions.tf | 9 + .../modules/cluster-ram-role/locals.tf | 5 + .../alicloud/modules/cluster-ram-role/main.tf | 54 + .../modules/cluster-ram-role/output.tf | 9 + .../modules/cluster-ram-role/variables.tf | 5 + .../modules/cluster-ram-role/versions.tf | 9 + 
.../modules/common/elastic_ip/locals.tf | 12 + .../modules/common/elastic_ip/main.tf | 10 + .../modules/common/elastic_ip/output.tf | 7 + .../modules/common/elastic_ip/variables.tf | 22 + .../modules/common/elastic_ip/versions.tf | 9 + .../gateway_instance/gateway_userdata.yaml | 4 + .../modules/common/gateway_instance/locals.tf | 22 + .../modules/common/gateway_instance/main.tf | 28 + .../modules/common/gateway_instance/output.tf | 6 + .../common/gateway_instance/variables.tf | 100 + .../common/gateway_instance/versions.tf | 9 + .../modules/common/instance_type/main.tf | 28 + .../modules/common/instance_type/variables.tf | 20 + .../modules/common/instance_type/versions.tf | 3 + .../common/internal_default_route/locals.tf | 3 + .../common/internal_default_route/main.tf | 7 + .../common/internal_default_route/output.tf | 3 + .../internal_default_route/variables.tf | 9 + .../common/internal_default_route/versions.tf | 9 + .../modules/common/permissive_sg/main.tf | 27 + .../modules/common/permissive_sg/output.tf | 6 + .../modules/common/permissive_sg/variables.tf | 13 + .../modules/common/permissive_sg/versions.tf | 9 + .../modules/common/version_license/main.tf | 23 + .../common/version_license/variables.tf | 19 + .../common/version_license/versions.tf | 9 + terraform/alicloud/modules/images/images.yaml | 210 ++ terraform/alicloud/modules/images/main.tf | 20 + terraform/alicloud/modules/images/output.tf | 6 + .../alicloud/modules/images/variables.tf | 20 + terraform/alicloud/modules/images/versions.tf | 3 + terraform/alicloud/modules/vpc/locals.tf | 6 + terraform/alicloud/modules/vpc/main.tf | 38 + terraform/alicloud/modules/vpc/output.tf | 15 + terraform/alicloud/modules/vpc/variables.tf | 23 + terraform/alicloud/modules/vpc/versions.tf | 9 + terraform/aws/README.md | 13 + terraform/aws/autoscale-gwlb/README.md | 185 + .../aws/autoscale-gwlb/asg_userdata.yaml | 29 + terraform/aws/autoscale-gwlb/locals.tf | 56 + terraform/aws/autoscale-gwlb/main.tf | 202 + 
terraform/aws/autoscale-gwlb/output.tf | 41 + terraform/aws/autoscale-gwlb/terraform.tfvars | 42 + terraform/aws/autoscale-gwlb/variables.tf | 191 + terraform/aws/autoscale-gwlb/versions.tf | 15 + terraform/aws/autoscale/README.md | 199 + terraform/aws/autoscale/asg_userdata.yaml | 4 + terraform/aws/autoscale/locals.tf | 62 + terraform/aws/autoscale/main.tf | 248 ++ terraform/aws/autoscale/output.tf | 43 + terraform/aws/autoscale/terraform.tfvars | 45 + terraform/aws/autoscale/variables.tf | 190 + terraform/aws/autoscale/versions.tf | 15 + terraform/aws/cluster-master/README.md | 221 ++ terraform/aws/cluster-master/locals.tf | 52 + terraform/aws/cluster-master/main.tf | 64 + terraform/aws/cluster-master/output.tf | 24 + terraform/aws/cluster-master/terraform.tfvars | 47 + terraform/aws/cluster-master/variables.tf | 183 + terraform/aws/cluster-master/versions.tf | 12 + terraform/aws/cluster/README.md | 201 + .../cluster/cluster_member_a_userdata.yaml | 4 + .../cluster/cluster_member_b_userdata.yaml | 4 + terraform/aws/cluster/locals.tf | 69 + terraform/aws/cluster/main.tf | 291 ++ terraform/aws/cluster/output.tf | 24 + terraform/aws/cluster/terraform.tfvars | 43 + terraform/aws/cluster/variables.tf | 181 + terraform/aws/cluster/versions.tf | 12 + terraform/aws/cme-iam-role-gwlb/README.md | 101 + terraform/aws/cme-iam-role-gwlb/main.tf | 110 + terraform/aws/cme-iam-role-gwlb/output.tf | 13 + .../aws/cme-iam-role-gwlb/terraform.tfvars | 5 + terraform/aws/cme-iam-role-gwlb/variables.tf | 42 + terraform/aws/cme-iam-role-gwlb/versions.tf | 9 + terraform/aws/cme-iam-role/README.md | 102 + terraform/aws/cme-iam-role/main.tf | 136 + terraform/aws/cme-iam-role/output.tf | 12 + terraform/aws/cme-iam-role/terraform.tfvars | 5 + terraform/aws/cme-iam-role/variables.tf | 42 + terraform/aws/cme-iam-role/versions.tf | 9 + .../aws/cross-az-cluster-master/README.md | 219 ++ .../aws/cross-az-cluster-master/locals.tf | 58 + terraform/aws/cross-az-cluster-master/main.tf | 70 + 
.../aws/cross-az-cluster-master/output.tf | 24 + .../cross-az-cluster-master/terraform.tfvars | 48 + .../aws/cross-az-cluster-master/variables.tf | 183 + .../aws/cross-az-cluster-master/versions.tf | 12 + terraform/aws/cross-az-cluster/README.md | 196 + .../cluster_member_a_userdata.yaml | 4 + .../cluster_member_b_userdata.yaml | 4 + terraform/aws/cross-az-cluster/locals.tf | 75 + terraform/aws/cross-az-cluster/main.tf | 294 ++ terraform/aws/cross-az-cluster/output.tf | 30 + .../aws/cross-az-cluster/terraform.tfvars | 42 + terraform/aws/cross-az-cluster/variables.tf | 181 + terraform/aws/cross-az-cluster/versions.tf | 12 + terraform/aws/gateway-master/README.md | 216 ++ terraform/aws/gateway-master/locals.tf | 48 + terraform/aws/gateway-master/main.tf | 66 + terraform/aws/gateway-master/output.tf | 33 + terraform/aws/gateway-master/terraform.tfvars | 50 + terraform/aws/gateway-master/variables.tf | 195 + terraform/aws/gateway-master/versions.tf | 12 + terraform/aws/gateway/README.md | 191 + terraform/aws/gateway/locals.tf | 48 + terraform/aws/gateway/main.tf | 119 + terraform/aws/gateway/output.tf | 21 + terraform/aws/gateway/terraform.tfvars | 46 + terraform/aws/gateway/variables.tf | 192 + terraform/aws/gateway/versions.tf | 12 + terraform/aws/gwlb-master/README.md | 235 ++ terraform/aws/gwlb-master/locals.tf | 61 + terraform/aws/gwlb-master/main.tf | 69 + terraform/aws/gwlb-master/output.tf | 24 + terraform/aws/gwlb-master/terraform.tfvars | 56 + terraform/aws/gwlb-master/variables.tf | 274 ++ terraform/aws/gwlb-master/versions.tf | 15 + terraform/aws/gwlb/README.md | 228 ++ terraform/aws/gwlb/locals.tf | 55 + terraform/aws/gwlb/main.tf | 99 + terraform/aws/gwlb/output.tf | 22 + terraform/aws/gwlb/terraform.tfvars | 52 + terraform/aws/gwlb/variables.tf | 263 ++ terraform/aws/gwlb/versions.tf | 15 + terraform/aws/management/README.md | 200 + terraform/aws/management/locals.tf | 76 + terraform/aws/management/main.tf | 221 ++ 
.../aws/management/management_userdata.yaml | 4 + terraform/aws/management/output.tf | 19 + terraform/aws/management/terraform.tfvars | 42 + terraform/aws/management/variables.tf | 194 + terraform/aws/management/versions.tf | 12 + terraform/aws/mds/README.md | 190 + terraform/aws/mds/locals.tf | 69 + terraform/aws/mds/main.tf | 194 + terraform/aws/mds/mds_userdata.yaml | 4 + terraform/aws/mds/output.tf | 13 + terraform/aws/mds/terraform.tfvars | 41 + terraform/aws/mds/variables.tf | 175 + terraform/aws/mds/versions.tf | 12 + terraform/aws/modules/amis/main.tf | 22 + terraform/aws/modules/amis/output.tf | 6 + terraform/aws/modules/amis/variables.tf | 26 + .../aws/modules/cloudwatch-policy/main.tf | 18 + .../modules/cloudwatch-policy/variables.tf | 9 + .../aws/modules/cluster-iam-role/main.tf | 38 + .../aws/modules/cluster-iam-role/output.tf | 9 + .../aws/modules/common/elastic_ip/locals.tf | 3 + .../aws/modules/common/elastic_ip/main.tf | 10 + .../aws/modules/common/elastic_ip/output.tf | 9 + .../modules/common/elastic_ip/variables.tf | 13 + .../gateway_instance/gateway_userdata.yaml | 4 + .../modules/common/gateway_instance/locals.tf | 39 + .../modules/common/gateway_instance/main.tf | 63 + .../modules/common/gateway_instance/output.tf | 9 + .../common/gateway_instance/variables.tf | 147 + .../aws/modules/common/instance_type/main.tf | 353 ++ .../modules/common/instance_type/variables.tf | 22 + .../common/internal_default_route/locals.tf | 3 + .../common/internal_default_route/main.tf | 6 + .../common/internal_default_route/output.tf | 3 + .../internal_default_route/variables.tf | 9 + .../aws/modules/common/load_balancer/main.tf | 36 + .../modules/common/load_balancer/output.tf | 18 + .../modules/common/load_balancer/variables.tf | 62 + .../aws/modules/common/permissive_sg/main.tf | 20 + .../modules/common/permissive_sg/output.tf | 9 + .../modules/common/permissive_sg/variables.tf | 13 + .../modules/common/version_license/main.tf | 60 + 
.../common/version_license/variables.tf | 21 + .../aws/modules/custom-autoscale/locals.tf | 9 + .../aws/modules/custom-autoscale/main.tf | 94 + .../aws/modules/custom-autoscale/variables.tf | 89 + .../aws/modules/custom-autoscale/vpc/main.tf | 52 + .../modules/custom-autoscale/vpc/output.tf | 12 + .../modules/custom-autoscale/vpc/variables.tf | 17 + terraform/aws/modules/vpc/main.tf | 66 + terraform/aws/modules/vpc/output.tf | 18 + terraform/aws/modules/vpc/variables.tf | 22 + terraform/aws/qs-autoscale-master/README.md | 258 ++ terraform/aws/qs-autoscale-master/locals.tf | 63 + terraform/aws/qs-autoscale-master/main.tf | 60 + terraform/aws/qs-autoscale-master/output.tf | 58 + .../aws/qs-autoscale-master/terraform.tfvars | 57 + .../aws/qs-autoscale-master/variables.tf | 240 ++ terraform/aws/qs-autoscale-master/versions.tf | 15 + terraform/aws/qs-autoscale/README.md | 239 ++ terraform/aws/qs-autoscale/locals.tf | 71 + terraform/aws/qs-autoscale/main.tf | 165 + terraform/aws/qs-autoscale/output.tf | 45 + terraform/aws/qs-autoscale/terraform.tfvars | 48 + terraform/aws/qs-autoscale/variables.tf | 231 ++ terraform/aws/qs-autoscale/versions.tf | 15 + terraform/aws/standalone-master/README.md | 201 + terraform/aws/standalone-master/locals.tf | 35 + terraform/aws/standalone-master/main.tf | 63 + terraform/aws/standalone-master/output.tf | 27 + .../aws/standalone-master/terraform.tfvars | 43 + terraform/aws/standalone-master/variables.tf | 174 + terraform/aws/standalone-master/versions.tf | 12 + terraform/aws/standalone/README.md | 177 + terraform/aws/standalone/locals.tf | 41 + terraform/aws/standalone/main.tf | 145 + terraform/aws/standalone/output.tf | 15 + .../aws/standalone/standalone_userdata.yaml | 4 + terraform/aws/standalone/terraform.tfvars | 39 + terraform/aws/standalone/variables.tf | 172 + terraform/aws/standalone/versions.tf | 12 + .../tap/Check Point NOW onboarding page.docx | Bin 0 -> 287849 bytes .../tap/CheckPoint_NOW_onboarding_page.pdf | Bin 0 -> 390187 
bytes terraform/aws/tap/README.md | 259 ++ terraform/aws/tap/main.tf | 301 ++ terraform/aws/tap/output.tf | 34 + terraform/aws/tap/tap_lambda.py | 155 + terraform/aws/tap/tap_termination_lambda.py | 26 + terraform/aws/tap/tap_user_data.sh | 37 + terraform/aws/tap/terraform.tfvars | 21 + terraform/aws/tap/variables.tf | 89 + terraform/aws/tgw-asg-master/README.md | 223 ++ terraform/aws/tgw-asg-master/locals.tf | 64 + terraform/aws/tgw-asg-master/main.tf | 55 + terraform/aws/tgw-asg-master/output.tf | 24 + terraform/aws/tgw-asg-master/terraform.tfvars | 47 + terraform/aws/tgw-asg-master/variables.tf | 217 ++ terraform/aws/tgw-asg-master/versions.tf | 15 + terraform/aws/tgw-asg/README.md | 213 ++ terraform/aws/tgw-asg/locals.tf | 64 + terraform/aws/tgw-asg/main.tf | 64 + terraform/aws/tgw-asg/output.tf | 18 + terraform/aws/tgw-asg/terraform.tfvars | 43 + terraform/aws/tgw-asg/variables.tf | 211 ++ terraform/aws/tgw-asg/versions.tf | 15 + .../aws/tgw-cross-az-cluster-master/README.md | 210 ++ .../aws/tgw-cross-az-cluster-master/locals.tf | 61 + .../aws/tgw-cross-az-cluster-master/main.tf | 73 + .../aws/tgw-cross-az-cluster-master/output.tf | 30 + .../terraform.tfvars | 48 + .../tgw-cross-az-cluster-master/variables.tf | 200 + .../tgw-cross-az-cluster-master/versions.tf | 15 + terraform/aws/tgw-cross-az-cluster/README.md | 205 ++ terraform/aws/tgw-cross-az-cluster/locals.tf | 60 + terraform/aws/tgw-cross-az-cluster/main.tf | 62 + terraform/aws/tgw-cross-az-cluster/output.tf | 27 + .../aws/tgw-cross-az-cluster/terraform.tfvars | 43 + .../aws/tgw-cross-az-cluster/variables.tf | 201 + .../aws/tgw-cross-az-cluster/versions.tf | 15 + terraform/aws/tgw-gwlb-master/README.md | 264 ++ terraform/aws/tgw-gwlb-master/locals.tf | 62 + terraform/aws/tgw-gwlb-master/main.tf | 85 + terraform/aws/tgw-gwlb-master/output.tf | 24 + .../aws/tgw-gwlb-master/terraform.tfvars | 76 + terraform/aws/tgw-gwlb-master/variables.tf | 326 ++ terraform/aws/tgw-gwlb-master/versions.tf | 15 + 
terraform/aws/tgw-gwlb/README.md | 263 ++ terraform/aws/tgw-gwlb/locals.tf | 60 + terraform/aws/tgw-gwlb/main.tf | 438 +++ terraform/aws/tgw-gwlb/output.tf | 24 + terraform/aws/tgw-gwlb/terraform.tfvars | 69 + terraform/aws/tgw-gwlb/variables.tf | 333 ++ terraform/aws/tgw-gwlb/versions.tf | 15 + terraform/azure/README.md | 12 + .../high-availability-existing-vnet/README.md | 239 ++ .../azure_public_key | 0 .../cloud-init.sh | 22 + .../high-availability-existing-vnet/main.tf | 531 +++ .../terraform.tfvars | 38 + .../variables.tf | 339 ++ .../versions.tf | 12 + .../high-availability-new-vnet/README.md | 242 ++ .../azure_public_key | 0 .../high-availability-new-vnet/cloud-init.sh | 22 + .../azure/high-availability-new-vnet/main.tf | 550 +++ .../terraform.tfvars | 36 + .../high-availability-new-vnet/variables.tf | 328 ++ .../high-availability-new-vnet/versions.tf | 12 + .../azure/management-existing-vnet/README.md | 189 + .../management-existing-vnet/azure_public_key | 0 .../management-existing-vnet/cloud-init.sh | 16 + .../azure/management-existing-vnet/main.tf | 312 ++ .../management-existing-vnet/terraform.tfvars | 30 + .../management-existing-vnet/variables.tf | 251 ++ .../management-existing-vnet/versions.tf | 12 + terraform/azure/management-new-vnet/README.md | 187 + .../management-new-vnet/azure_public_key | 0 .../azure/management-new-vnet/cloud-init.sh | 16 + terraform/azure/management-new-vnet/main.tf | 316 ++ .../management-new-vnet/terraform.tfvars | 29 + .../azure/management-new-vnet/variables.tf | 249 ++ .../azure/management-new-vnet/versions.tf | 12 + terraform/azure/mds-existing-vnet/README.md | 195 + .../azure/mds-existing-vnet/azure_public_key | 0 .../azure/mds-existing-vnet/cloud-init.sh | 20 + terraform/azure/mds-existing-vnet/main.tf | 316 ++ .../azure/mds-existing-vnet/terraform.tfvars | 35 + .../azure/mds-existing-vnet/variables.tf | 280 ++ terraform/azure/mds-existing-vnet/versions.tf | 12 + terraform/azure/mds-new-vnet/README.md | 188 + 
terraform/azure/mds-new-vnet/azure_public_key | 0 terraform/azure/mds-new-vnet/cloud-init.sh | 20 + terraform/azure/mds-new-vnet/main.tf | 321 ++ terraform/azure/mds-new-vnet/terraform.tfvars | 34 + terraform/azure/mds-new-vnet/variables.tf | 278 ++ terraform/azure/mds-new-vnet/versions.tf | 12 + terraform/azure/modules/add-routing-intent.py | 29 + terraform/azure/modules/common/main.tf | 5 + terraform/azure/modules/common/outputs.tf | 130 + terraform/azure/modules/common/variables.tf | 369 ++ terraform/azure/modules/common/versions.tf | 3 + .../modules/network-security-group/main.tf | 23 + .../modules/network-security-group/output.tf | 7 + .../network-security-group/variables.tf | 43 + .../network-security-group/versions.tf | 3 + terraform/azure/modules/vnet/main.tf | 80 + terraform/azure/modules/vnet/outputs.tf | 27 + terraform/azure/modules/vnet/variables.tf | 63 + terraform/azure/modules/vnet/versions.tf | 3 + .../azure/nva-into-existing-hub/README.md | 172 + terraform/azure/nva-into-existing-hub/main.tf | 195 + .../nva-into-existing-hub/terraform.tfvars | 31 + .../azure/nva-into-existing-hub/variables.tf | 198 + .../azure/nva-into-existing-hub/versions.tf | 17 + terraform/azure/nva-into-new-vwan/README.md | 182 + terraform/azure/nva-into-new-vwan/main.tf | 202 + .../azure/nva-into-new-vwan/terraform.tfvars | 32 + .../azure/nva-into-new-vwan/variables.tf | 209 ++ terraform/azure/nva-into-new-vwan/versions.tf | 17 + .../single-gateway-existing-vnet/README.md | 200 + .../azure_public_key | 0 .../cloud-init.sh | 18 + .../single-gateway-existing-vnet/main.tf | 257 ++ .../terraform.tfvars | 35 + .../single-gateway-existing-vnet/variables.tf | 281 ++ .../single-gateway-existing-vnet/versions.tf | 12 + .../azure/single-gateway-new-vnet/README.md | 197 + .../single-gateway-new-vnet/azure_public_key | 0 .../single-gateway-new-vnet/cloud-init.sh | 18 + .../azure/single-gateway-new-vnet/main.tf | 256 ++ .../single-gateway-new-vnet/terraform.tfvars | 33 + 
.../single-gateway-new-vnet/variables.tf | 280 ++ .../azure/single-gateway-new-vnet/versions.tf | 12 + terraform/azure/vmss-existing-vnet/README.md | 247 ++ .../azure/vmss-existing-vnet/azure_public_key | 0 .../azure/vmss-existing-vnet/cloud-init.sh | 17 + terraform/azure/vmss-existing-vnet/main.tf | 446 +++ .../azure/vmss-existing-vnet/terraform.tfvars | 43 + .../azure/vmss-existing-vnet/variables.tf | 404 ++ .../azure/vmss-existing-vnet/versions.tf | 14 + terraform/azure/vmss-new-vnet/README.md | 247 ++ .../azure/vmss-new-vnet/azure_public_key | 0 terraform/azure/vmss-new-vnet/cloud-init.sh | 17 + terraform/azure/vmss-new-vnet/main.tf | 442 +++ .../azure/vmss-new-vnet/terraform.tfvars | 42 + terraform/azure/vmss-new-vnet/variables.tf | 393 ++ terraform/azure/vmss-new-vnet/versions.tf | 14 + terraform/gcp/README.md | 12 + .../gcp/autoscale-into-existing-vpc/README.md | 233 ++ .../gcp/autoscale-into-existing-vpc/locals.tf | 63 + .../gcp/autoscale-into-existing-vpc/main.tf | 197 + .../gcp/autoscale-into-existing-vpc/output.tf | 33 + .../terraform.tfvars | 36 + .../autoscale-into-existing-vpc/variables.tf | 157 + .../gcp/autoscale-into-new-vpc/README.md | 241 ++ .../gcp/autoscale-into-new-vpc/locals.tf | 48 + terraform/gcp/autoscale-into-new-vpc/main.tf | 73 + .../gcp/autoscale-into-new-vpc/output.tf | 46 + .../autoscale-into-new-vpc/terraform.tfvars | 34 + .../gcp/autoscale-into-new-vpc/variables.tf | 150 + terraform/gcp/common/cluster-member/main.tf | 130 + terraform/gcp/common/cluster-member/output.tf | 6 + .../gcp/common/cluster-member/variables.tf | 174 + terraform/gcp/common/firewall-rule/main.tf | 10 + terraform/gcp/common/firewall-rule/output.tf | 3 + .../gcp/common/firewall-rule/variables.tf | 17 + terraform/gcp/common/members-a-b/main.tf | 85 + terraform/gcp/common/members-a-b/output.tf | 13 + terraform/gcp/common/members-a-b/variables.tf | 175 + .../gcp/common/network-and-subnet/main.tf | 21 + .../gcp/common/network-and-subnet/output.tf | 18 + 
.../common/network-and-subnet/variables.tf | 27 + terraform/gcp/common/startup-script.sh | 3 + terraform/gcp/high-availability/README.md | 317 ++ terraform/gcp/high-availability/locals.tf | 106 + terraform/gcp/high-availability/main.tf | 250 ++ terraform/gcp/high-availability/output.tf | 117 + .../gcp/high-availability/terraform.tfvars | 53 + terraform/gcp/high-availability/variables.tf | 302 ++ .../gcp/single-into-existing-vpc/README.md | 275 ++ .../gcp/single-into-existing-vpc/locals.tf | 55 + .../gcp/single-into-existing-vpc/main.tf | 218 ++ .../gcp/single-into-existing-vpc/output.tf | 18 + .../single-into-existing-vpc/terraform.tfvars | 46 + .../gcp/single-into-existing-vpc/variables.tf | 254 ++ terraform/gcp/single-into-new-vpc/README.md | 270 ++ terraform/gcp/single-into-new-vpc/main.tf | 90 + terraform/gcp/single-into-new-vpc/output.tf | 30 + .../gcp/single-into-new-vpc/terraform.tfvars | 45 + .../gcp/single-into-new-vpc/variables.tf | 256 ++ 1061 files changed, 198947 insertions(+) create mode 100644 .github/workflows/code-analysis.yaml create mode 100755 .gitignore create mode 100644 README.md create mode 100755 aws/images/launch.png create mode 100755 aws/images/step1_aws.png create mode 100755 aws/images/step2_aws.png create mode 100644 aws/templates/README.md create mode 100644 aws/templates/asg/README.md create mode 100644 aws/templates/asg/autoscale.yaml create mode 100644 aws/templates/cluster/README.md create mode 100755 aws/templates/cluster/cluster-master.yaml create mode 100755 aws/templates/cluster/cluster.yaml create mode 100644 aws/templates/cross-az-cluster/README.md create mode 100644 aws/templates/cross-az-cluster/cross-az-cluster-master.yaml create mode 100644 aws/templates/cross-az-cluster/cross-az-cluster.yaml create mode 100644 aws/templates/general/README.md create mode 100644 aws/templates/general/amis.yaml create mode 100644 aws/templates/general/cme-iam-role.yaml create mode 100644 aws/templates/geo-cluster/README.md create mode 
100644 aws/templates/geo-cluster/geo-cluster-master.yaml create mode 100644 aws/templates/geo-cluster/geo-cluster.yaml create mode 100644 aws/templates/gwlb-asg/README.md create mode 100644 aws/templates/gwlb-asg/gwlb-master.yaml create mode 100644 aws/templates/gwlb-asg/gwlb.yaml create mode 100644 aws/templates/gwlb-asg/qs-gwlb-master.yaml create mode 100644 aws/templates/gwlb-asg/qs-gwlb.yaml create mode 100644 aws/templates/gwlb-asg/tgw-gwlb-master.yaml create mode 100644 aws/templates/gwlb-asg/tgw-gwlb.yaml create mode 100644 aws/templates/management/README.md create mode 100755 aws/templates/management/management.yaml create mode 100644 aws/templates/mds/README.md create mode 100644 aws/templates/mds/mds.yaml create mode 100644 aws/templates/single-gw/README.md create mode 100644 aws/templates/single-gw/gateway-master.yaml create mode 100644 aws/templates/single-gw/gateway.yaml create mode 100644 aws/templates/standalone/README.md create mode 100644 aws/templates/standalone/standalone-master.yaml create mode 100644 aws/templates/standalone/standalone.yaml create mode 100644 aws/templates/tgw-asg/README.md create mode 100644 aws/templates/tgw-asg/tgw-asg-master.yaml create mode 100644 aws/templates/tgw-asg/tgw-asg.yaml create mode 100644 aws/templates/tgw-cross-az-cluster/README.md create mode 100644 aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster-master.yaml create mode 100644 aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster.yaml create mode 100644 aws/templates/tgw-ha/README.md create mode 100644 aws/templates/tgw-ha/tgw-ha-master.yaml create mode 100644 aws/templates/tgw-ha/tgw-ha.yaml create mode 100755 azure/misc/azure_ha_test.py create mode 100644 azure/misc/nva_bgp_config.conf create mode 100644 azure/templates/README.MD create mode 100644 azure/templates/marketplace-gateway-load-balancer/README.md create mode 100644 azure/templates/marketplace-gateway-load-balancer/createUiDefinition.json create mode 100644 
azure/templates/marketplace-gateway-load-balancer/mainTemplate.json create mode 100644 azure/templates/marketplace-ha/README.md create mode 100644 azure/templates/marketplace-ha/createUiDefinition.json create mode 100644 azure/templates/marketplace-ha/mainTemplate.json create mode 100644 azure/templates/marketplace-management/README.md create mode 100644 azure/templates/marketplace-management/createUiDefinition.json create mode 100644 azure/templates/marketplace-management/mainTemplate.json create mode 100644 azure/templates/marketplace-mds/README.md create mode 100644 azure/templates/marketplace-mds/createUiDefinition.json create mode 100644 azure/templates/marketplace-mds/mainTemplate.json create mode 100755 azure/templates/marketplace-single-waap/createUiDefinition.json create mode 100755 azure/templates/marketplace-single-waap/mainTemplate.json create mode 100644 azure/templates/marketplace-single/README.md create mode 100644 azure/templates/marketplace-single/createUiDefinition.json create mode 100644 azure/templates/marketplace-single/mainTemplate.json create mode 100644 azure/templates/marketplace-stack-ha/createUiDefinition.json create mode 100755 azure/templates/marketplace-stack-ha/mainTemplate.json create mode 100644 azure/templates/marketplace-stack-management/createUiDefinition.json create mode 100755 azure/templates/marketplace-stack-management/mainTemplate.json create mode 100644 azure/templates/marketplace-stack-single/createUiDefinition.json create mode 100755 azure/templates/marketplace-stack-single/mainTemplate.json create mode 100755 azure/templates/marketplace-vmss-waap/createUiDefinition.json create mode 100755 azure/templates/marketplace-vmss-waap/mainTemplate.json create mode 100644 azure/templates/marketplace-vmss/README.md create mode 100644 azure/templates/marketplace-vmss/createUiDefinition.json create mode 100644 azure/templates/marketplace-vmss/mainTemplate.json create mode 100644 
azure/templates/nestedtemplates/CreateUIDefinition.MultiVm.json create mode 100755 azure/templates/nestedtemplates/azure-func-sami.json create mode 100755 azure/templates/nestedtemplates/existing-nsg-RoleAssignment.json create mode 100755 azure/templates/nestedtemplates/gateway-load-balancers.json create mode 100755 azure/templates/nestedtemplates/load-balancers-waap.json create mode 100644 azure/templates/nestedtemplates/load-balancers.json create mode 100644 azure/templates/nestedtemplates/storageAccount-existing.json create mode 100644 azure/templates/nestedtemplates/storageAccount-new.json create mode 100644 azure/templates/nestedtemplates/vnet-1-subnet-existing.json create mode 100644 azure/templates/nestedtemplates/vnet-1-subnet-new.json create mode 100644 azure/templates/nestedtemplates/vnet-2-subnet-ha-existing.json create mode 100644 azure/templates/nestedtemplates/vnet-2-subnet-ha-new.json create mode 100644 azure/templates/nestedtemplates/vnet-2-subnet-ha2-existing.json create mode 100644 azure/templates/nestedtemplates/vnet-2-subnet-ha2-new.json create mode 100644 azure/templates/nestedtemplates/vnet-4-subnet-existing.json create mode 100644 azure/templates/nestedtemplates/vnet-4-subnet-new.json create mode 100644 azure/templates/nestedtemplates/vnet-existing-no-rt.json create mode 100644 azure/templates/nestedtemplates/vnet-existing-stack-ha.json create mode 100644 azure/templates/nestedtemplates/vnet-existing-stack-mgmt.json create mode 100644 azure/templates/nestedtemplates/vnet-existing-stack.json create mode 100644 azure/templates/nestedtemplates/vnet-existing.json create mode 100644 azure/templates/nestedtemplates/vnet-new-no-rt.json create mode 100644 azure/templates/nestedtemplates/vnet-new-stack-ha.json create mode 100644 azure/templates/nestedtemplates/vnet-new-stack-mgmt.json create mode 100644 azure/templates/nestedtemplates/vnet-new-stack.json create mode 100644 azure/templates/nestedtemplates/vnet-new.json create mode 100755 
azure/templates/single-ipv6/README.md create mode 100755 azure/templates/single-ipv6/mainTemplate.json create mode 100755 azure/templates/vmss-ipv6/README.md create mode 100755 azure/templates/vmss-ipv6/mainTemplate.json create mode 100644 azure/templates/vwan-managed-app/README.md create mode 100644 azure/templates/vwan-managed-app/mainTemplate.json create mode 100755 common/central_license_debug_collector.sh create mode 100644 common/cme_api_postman/CME_API.postman_collection create mode 100755 common/cme_api_postman/README.md create mode 100644 common/cme_xff_inject.sh create mode 100755 common/custom-management-script.py create mode 100644 common/custom_scripts/README.md create mode 100644 common/custom_scripts/password_script.sh create mode 100755 common/maintenance_mode/README.md create mode 100755 common/maintenance_mode/grub.conf create mode 100644 common/simulate_cpu_load.sh create mode 100755 common/static_route_config.sh create mode 100644 common/vwan_postman/README.md create mode 100755 common/vwan_postman/vwan.postman_collection.json create mode 100644 contrib/README.md create mode 100644 contrib/azure/templates/ha-public-ip-prefix/README.MD create mode 100644 contrib/azure/templates/ha-public-ip-prefix/ha-publicipprefix-parameters.json create mode 100644 contrib/azure/templates/ha-public-ip-prefix/ha-publicipprefix.json create mode 100644 contrib/azure/templates/ha-redeploy-single-member/README.MD create mode 100644 contrib/azure/templates/ha-redeploy-single-member/ha-redeploy-single-member.json create mode 100644 contrib/azure/templates/ha-redeploy-single-member/mainTemplate.json create mode 100644 contrib/azure/templates/vmss-publicipprefixinstances/README.MD create mode 100644 contrib/azure/templates/vmss-publicipprefixinstances/vmss-publicipprefix-instances.json create mode 100644 contrib/azure/templates/vmss-publicipprefixinstanceselb/README.MD create mode 100644 contrib/azure/templates/vmss-publicipprefixinstanceselb/mainTemplate.json create 
mode 100644 contrib/azure/templates/vmss-publicipprefixinstanceselb/nestedtemplates/load-balancers.json create mode 100644 contrib/azure/templates/vmss-publicipprefixinstanceselb/nestedtemplates/vnet-2-subnet-ha-existing.json create mode 100644 contrib/cme/examples/README.md create mode 100644 contrib/terraform-azure-gwlb/README.md create mode 100644 contrib/terraform-azure-gwlb/app-main.tf create mode 100644 contrib/terraform-azure-gwlb/app-variables.tf create mode 100644 contrib/terraform-azure-gwlb/cpcluster-main.tf create mode 100644 contrib/terraform-azure-gwlb/cpcluster-variables.tf create mode 100644 contrib/terraform-azure-gwlb/cpmgmt-main.tf create mode 100644 contrib/terraform-azure-gwlb/cpmgmt-variables.tf create mode 100644 contrib/terraform-azure-gwlb/customdata.sh create mode 100644 contrib/terraform-azure-gwlb/deployment-variables.tf create mode 100644 contrib/terraform-azure-gwlb/files/azure-gwlb-template.json create mode 100644 contrib/terraform-azure-gwlb/gwlb-main.tf create mode 100644 contrib/terraform-azure-gwlb/gwlb-variables.tf create mode 100644 contrib/terraform-azure-gwlb/modules/common/main.tf create mode 100644 contrib/terraform-azure-gwlb/modules/common/outputs.tf create mode 100644 contrib/terraform-azure-gwlb/modules/common/variables.tf create mode 100644 contrib/terraform-azure-gwlb/modules/common/versions.tf create mode 100644 contrib/terraform-azure-gwlb/modules/network-security-group/main.tf create mode 100644 contrib/terraform-azure-gwlb/modules/network-security-group/output.tf create mode 100644 contrib/terraform-azure-gwlb/modules/network-security-group/variables.tf create mode 100644 contrib/terraform-azure-gwlb/modules/network-security-group/versions.tf create mode 100644 contrib/terraform-azure-gwlb/modules/vnet/main.tf create mode 100644 contrib/terraform-azure-gwlb/modules/vnet/outputs.tf create mode 100644 contrib/terraform-azure-gwlb/modules/vnet/variables.tf create mode 100644 
contrib/terraform-azure-gwlb/modules/vnet/versions.tf create mode 100644 contrib/terraform-azure-gwlb/net-main.tf create mode 100644 contrib/terraform-azure-gwlb/net-variables.tf create mode 100644 contrib/terraform-azure-gwlb/terraform.tfvars create mode 100644 contrib/terraform-azure-gwlb/tfc-project.tf create mode 100644 contrib/terraform-azure-gwlb/zimages/azure-gwlb-design.jpg create mode 100755 contrib/terraform/azure/vmss-new-vnet-with-peer/README.md create mode 100755 contrib/terraform/azure/vmss-new-vnet-with-peer/azure_public_key create mode 100755 contrib/terraform/azure/vmss-new-vnet-with-peer/cloud-init.sh create mode 100644 contrib/terraform/azure/vmss-new-vnet-with-peer/images/Topology-2.JPG create mode 100755 contrib/terraform/azure/vmss-new-vnet-with-peer/main.tf create mode 100755 contrib/terraform/azure/vmss-new-vnet-with-peer/terraform.tfvars create mode 100755 contrib/terraform/azure/vmss-new-vnet-with-peer/variables.tf create mode 100644 deprecated/README.md create mode 100644 deprecated/aws/templates/README.md create mode 100644 deprecated/aws/templates/asg-r8030/README.md create mode 100755 deprecated/aws/templates/asg-r8030/autoscale.json create mode 100644 deprecated/aws/templates/cluster-r8030/README.md create mode 100644 deprecated/aws/templates/cluster-r8030/cluster-into-vpc.json create mode 100644 deprecated/aws/templates/cluster-r8030/cluster.json create mode 100644 deprecated/aws/templates/gateway-r7730/README.md create mode 100755 deprecated/aws/templates/gateway-r7730/gateway-2-nic-existing-vpc.json create mode 100644 deprecated/aws/templates/gateways-r7730/README.md create mode 100755 deprecated/aws/templates/gateways-r7730/inter-az-cluster.json create mode 100644 deprecated/aws/templates/instance-r7730/README.md create mode 100755 deprecated/aws/templates/instance-r7730/gwinvpc.json create mode 100644 deprecated/aws/templates/management-r7730/README.md create mode 100755 
deprecated/aws/templates/management-r7730/r7730-management.json create mode 100644 deprecated/aws/templates/management-r80/README.md create mode 100755 deprecated/aws/templates/management-r80/r80.json create mode 100644 deprecated/aws/templates/management-r8030/README.md create mode 100755 deprecated/aws/templates/management-r8030/management.json create mode 100644 deprecated/aws/templates/mds-r8030/README.md create mode 100755 deprecated/aws/templates/mds-r8030/mds.json create mode 100644 deprecated/aws/templates/single-gw-r8030/README.md create mode 100644 deprecated/aws/templates/single-gw-r8030/gateway-into-vpc.json create mode 100644 deprecated/aws/templates/single-gw-r8030/gateway.json create mode 100644 deprecated/aws/templates/tgw-asg-r8030/README.md create mode 100755 deprecated/aws/templates/tgw-asg-r8030/checkpoint-tgw-asg-master.yaml create mode 100755 deprecated/aws/templates/tgw-asg-r8030/checkpoint-tgw-asg.yaml create mode 100644 deprecated/aws/templates/transit-vpc-r8030/README.md create mode 100755 deprecated/aws/templates/transit-vpc-r8030/checkpoint-transit-master.yaml create mode 100755 deprecated/aws/templates/transit-vpc-r8030/checkpoint-transit.yaml create mode 100755 deprecated/aws/templates/transit-vpc-r8030/transit-master.yaml create mode 100755 deprecated/aws/templates/transit-vpc-r8030/transit.yaml create mode 100644 deprecated/azure/misc/azure_ha_test_python2.py create mode 100644 deprecated/azure/templates/R7730/cluster-r7730/README.MD create mode 100644 deprecated/azure/templates/R7730/cluster-r7730/createUiDefinition.json create mode 100644 deprecated/azure/templates/R7730/cluster-r7730/mainTemplate.json create mode 100644 deprecated/azure/templates/R7730/cluster-r7730/vnet-existing.json create mode 100644 deprecated/azure/templates/R7730/cluster-r7730/vnet-new.json create mode 100644 deprecated/azure/templates/R7730/mgmt-r7730/README.MD create mode 100644 deprecated/azure/templates/R7730/mgmt-r7730/createUiDefinition.json create 
mode 100644 deprecated/azure/templates/R7730/mgmt-r7730/mainTemplate.json create mode 100644 deprecated/azure/templates/R7730/mgmt-r7730/vnet-1-subnet-existing.json create mode 100644 deprecated/azure/templates/R7730/mgmt-r7730/vnet-1-subnet-new.json create mode 100644 deprecated/azure/templates/R7730/single-r7730/README.MD create mode 100644 deprecated/azure/templates/R7730/single-r7730/createUiDefinition.json create mode 100644 deprecated/azure/templates/R7730/single-r7730/mainTemplate.json create mode 100644 deprecated/azure/templates/R7730/single-r7730/vnet-existing.json create mode 100644 deprecated/azure/templates/R7730/single-r7730/vnet-new.json create mode 100644 deprecated/azure/templates/R7730/vmss-r7730/README.MD create mode 100644 deprecated/azure/templates/R7730/vmss-r7730/createUiDefinition.json create mode 100644 deprecated/azure/templates/R7730/vmss-r7730/mainTemplate.json create mode 100644 deprecated/azure/templates/R7730/vmss-r7730/vnet-1-subnet-existing.json create mode 100644 deprecated/azure/templates/R7730/vmss-r7730/vnet-1-subnet-new.json create mode 100644 deprecated/azure/templates/R8010-R8020/cluster-r8010/README.MD create mode 100644 deprecated/azure/templates/R8010-R8020/cluster-r8010/createUiDefinition.json create mode 100644 deprecated/azure/templates/R8010-R8020/cluster-r8010/mainTemplate.json create mode 100644 deprecated/azure/templates/R8010-R8020/cluster-r8010/nestedtemplates/vnet-existing.json create mode 100644 deprecated/azure/templates/R8010-R8020/cluster-r8010/nestedtemplates/vnet-new.json create mode 100644 deprecated/azure/templates/R8010-R8020/ha-r8010-r8020/README.MD create mode 100644 deprecated/azure/templates/R8010-R8020/ha-r8010-r8020/createUiDefinition.json create mode 100644 deprecated/azure/templates/R8010-R8020/ha-r8010-r8020/mainTemplate.json create mode 100644 deprecated/azure/templates/R8010-R8020/ha-r8010-r8020/nestedtemplates/vnet-2-subnet-ha2-existing.json create mode 100644 
deprecated/azure/templates/R8010-R8020/ha-r8010-r8020/nestedtemplates/vnet-2-subnet-ha2-new.json create mode 100644 deprecated/azure/templates/R8010-R8020/mgmt-r8010-r8020/README.MD create mode 100644 deprecated/azure/templates/R8010-R8020/mgmt-r8010-r8020/createUiDefinition.json create mode 100644 deprecated/azure/templates/R8010-R8020/mgmt-r8010-r8020/mainTemplate.json create mode 100644 deprecated/azure/templates/R8010-R8020/mgmt-r8010-r8020/nestedtemplates/vnet-1-subnet-existing.json create mode 100644 deprecated/azure/templates/R8010-R8020/mgmt-r8010-r8020/nestedtemplates/vnet-1-subnet-new.json create mode 100644 deprecated/azure/templates/R8010-R8020/single-r8010-r8020/README.MD create mode 100644 deprecated/azure/templates/R8010-R8020/single-r8010-r8020/createUiDefinition.json create mode 100644 deprecated/azure/templates/R8010-R8020/single-r8010-r8020/mainTemplate.json create mode 100644 deprecated/azure/templates/R8010-R8020/single-r8010-r8020/nestedtemplates/vnet-existing.json create mode 100644 deprecated/azure/templates/R8010-R8020/single-r8010-r8020/nestedtemplates/vnet-new.json create mode 100644 deprecated/azure/templates/R8010-R8020/vmss-r8010-r8020/README.MD create mode 100644 deprecated/azure/templates/R8010-R8020/vmss-r8010-r8020/createUiDefinition.json create mode 100644 deprecated/azure/templates/R8010-R8020/vmss-r8010-r8020/mainTemplate.json create mode 100644 deprecated/azure/templates/R8010-R8020/vmss-r8010-r8020/nestedtemplates/load-balancers.json create mode 100644 deprecated/azure/templates/R8010-R8020/vmss-r8010-r8020/nestedtemplates/vnet-2-subnet-ha-existing.json create mode 100644 deprecated/azure/templates/R8010-R8020/vmss-r8010-r8020/nestedtemplates/vnet-2-subnet-ha-new.json create mode 100644 deprecated/azure/templates/R8030/ha-r8030/README.MD create mode 100644 deprecated/azure/templates/R8030/ha-r8030/createUiDefinition.json create mode 100644 deprecated/azure/templates/R8030/ha-r8030/mainTemplate.json create mode 100644 
deprecated/azure/templates/R8030/ha-r8030/nestedtemplates/vnet-2-subnet-ha2-existing.json create mode 100644 deprecated/azure/templates/R8030/ha-r8030/nestedtemplates/vnet-2-subnet-ha2-new.json create mode 100644 deprecated/azure/templates/R8030/mds-r8030/README.MD create mode 100644 deprecated/azure/templates/R8030/mds-r8030/createUiDefinition.json create mode 100644 deprecated/azure/templates/R8030/mds-r8030/mainTemplate.json create mode 100644 deprecated/azure/templates/R8030/mds-r8030/nestedtemplates/vnet-1-subnet-existing.json create mode 100644 deprecated/azure/templates/R8030/mds-r8030/nestedtemplates/vnet-1-subnet-new.json create mode 100644 deprecated/azure/templates/R8030/mgmt-r8030/README.MD create mode 100644 deprecated/azure/templates/R8030/mgmt-r8030/createUiDefinition.json create mode 100644 deprecated/azure/templates/R8030/mgmt-r8030/mainTemplate.json create mode 100644 deprecated/azure/templates/R8030/mgmt-r8030/nestedtemplates/vnet-1-subnet-existing.json create mode 100644 deprecated/azure/templates/R8030/mgmt-r8030/nestedtemplates/vnet-1-subnet-new.json create mode 100644 deprecated/azure/templates/R8030/single-r8030/README.MD create mode 100644 deprecated/azure/templates/R8030/single-r8030/createUiDefinition.json create mode 100644 deprecated/azure/templates/R8030/single-r8030/mainTemplate.json create mode 100644 deprecated/azure/templates/R8030/single-r8030/nestedtemplates/vnet-existing.json create mode 100644 deprecated/azure/templates/R8030/single-r8030/nestedtemplates/vnet-new.json create mode 100644 deprecated/azure/templates/R8030/vmss-r8030/README.MD create mode 100644 deprecated/azure/templates/R8030/vmss-r8030/createUiDefinition.json create mode 100644 deprecated/azure/templates/R8030/vmss-r8030/mainTemplate.json create mode 100644 deprecated/azure/templates/R8030/vmss-r8030/nestedtemplates/load-balancers.json create mode 100644 deprecated/azure/templates/R8030/vmss-r8030/nestedtemplates/vnet-2-subnet-ha-existing.json create mode 100644 
deprecated/azure/templates/R8030/vmss-r8030/nestedtemplates/vnet-2-subnet-ha-new.json create mode 100644 deprecated/azure/templates/R8040-R81/ha-r8040-r81/README.md create mode 100644 deprecated/azure/templates/R8040-R81/ha-r8040-r81/createUiDefinition.json create mode 100644 deprecated/azure/templates/R8040-R81/ha-r8040-r81/mainTemplate.json create mode 100644 deprecated/azure/templates/R8040-R81/mds-r8040-r81/README.md create mode 100644 deprecated/azure/templates/R8040-R81/mds-r8040-r81/createUiDefinition.json create mode 100644 deprecated/azure/templates/R8040-R81/mds-r8040-r81/mainTemplate.json create mode 100644 deprecated/azure/templates/R8040-R81/mgmt-r840-r81/README.md create mode 100644 deprecated/azure/templates/R8040-R81/mgmt-r840-r81/createUiDefinition.json create mode 100644 deprecated/azure/templates/R8040-R81/mgmt-r840-r81/mainTemplate.json create mode 100644 deprecated/azure/templates/R8040-R81/single-ipv6-r8040-r81/README.md create mode 100644 deprecated/azure/templates/R8040-R81/single-ipv6-r8040-r81/mainTemplate.json create mode 100644 deprecated/azure/templates/R8040-R81/single-r8040-r81/README.md create mode 100644 deprecated/azure/templates/R8040-R81/single-r8040-r81/createUiDefinition.json create mode 100644 deprecated/azure/templates/R8040-R81/single-r8040-r81/mainTemplate.json create mode 100644 deprecated/azure/templates/R8040-R81/vmss-ipv6-r8040-r81/README.md create mode 100644 deprecated/azure/templates/R8040-R81/vmss-ipv6-r8040-r81/mainTemplate.json create mode 100644 deprecated/azure/templates/R8040-R81/vmss-r8040-r81/README.md create mode 100644 deprecated/azure/templates/R8040-R81/vmss-r8040-r81/createUiDefinition.json create mode 100644 deprecated/azure/templates/R8040-R81/vmss-r8040-r81/mainTemplate.json create mode 100644 deprecated/azure/templates/README.MD create mode 100644 deprecated/azure/templates/stack-R8030/stack-ha/createUiDefinition.json create mode 100644 
deprecated/azure/templates/stack-R8030/stack-ha/mainTemplate.json create mode 100644 deprecated/azure/templates/stack-R8030/stack-mgmt/createUiDefinition.json create mode 100644 deprecated/azure/templates/stack-R8030/stack-mgmt/mainTemplate.json create mode 100644 deprecated/azure/templates/stack-R8030/stack-single/createUiDefinition.json create mode 100644 deprecated/azure/templates/stack-R8030/stack-single/mainTemplate.json create mode 100644 deprecated/azure/templates/stack-R8040-R81/stack-ha-r8040-r81/createUiDefinition.json create mode 100644 deprecated/azure/templates/stack-R8040-R81/stack-ha-r8040-r81/mainTemplate.json create mode 100644 deprecated/azure/templates/stack-R8040-R81/stack-management-r8040-r81/createUiDefinition.json create mode 100644 deprecated/azure/templates/stack-R8040-R81/stack-management-r8040-r81/mainTemplate.json create mode 100644 deprecated/azure/templates/stack-R8040-R81/stack-single-r8040-r81/createUiDefinition.json create mode 100644 deprecated/azure/templates/stack-R8040-R81/stack-single-r8040-r81/mainTemplate.json create mode 100644 deprecated/gcp/R80.30/autoscale-byol-R80.30/README.md create mode 100644 deprecated/gcp/R80.30/autoscale-byol-R80.30/c2d_deployment_configuration.json create mode 100644 deprecated/gcp/R80.30/autoscale-byol-R80.30/check-point-autoscale--byol.py create mode 100644 deprecated/gcp/R80.30/autoscale-byol-R80.30/check-point-autoscale--byol.py.schema create mode 100644 deprecated/gcp/R80.30/autoscale-byol-R80.30/common.py create mode 100644 deprecated/gcp/R80.30/autoscale-byol-R80.30/config.yaml create mode 100644 deprecated/gcp/R80.30/autoscale-byol-R80.30/default.py create mode 100644 deprecated/gcp/R80.30/autoscale-byol-R80.30/images.py create mode 100644 deprecated/gcp/R80.30/autoscale-byol-R80.30/password.py create mode 100644 deprecated/gcp/R80.30/autoscale-payg-R80.30/README.md create mode 100644 deprecated/gcp/R80.30/autoscale-payg-R80.30/c2d_deployment_configuration.json create mode 100644 
deprecated/gcp/R80.30/autoscale-payg-R80.30/check-point-autoscale--payg.py create mode 100644 deprecated/gcp/R80.30/autoscale-payg-R80.30/check-point-autoscale--payg.py.schema create mode 100644 deprecated/gcp/R80.30/autoscale-payg-R80.30/common.py create mode 100644 deprecated/gcp/R80.30/autoscale-payg-R80.30/config.yaml create mode 100644 deprecated/gcp/R80.30/autoscale-payg-R80.30/default.py create mode 100644 deprecated/gcp/R80.30/autoscale-payg-R80.30/images.py create mode 100644 deprecated/gcp/R80.30/autoscale-payg-R80.30/password.py create mode 100644 deprecated/gcp/R80.30/ha-byol-R80.30/README.md create mode 100644 deprecated/gcp/R80.30/ha-byol-R80.30/c2d_deployment_configuration.json create mode 100644 deprecated/gcp/R80.30/ha-byol-R80.30/check-point-cluster--byol.py create mode 100644 deprecated/gcp/R80.30/ha-byol-R80.30/check-point-cluster--byol.py.schema create mode 100644 deprecated/gcp/R80.30/ha-byol-R80.30/common.py create mode 100644 deprecated/gcp/R80.30/ha-byol-R80.30/config.yaml create mode 100644 deprecated/gcp/R80.30/ha-byol-R80.30/default.py create mode 100644 deprecated/gcp/R80.30/ha-byol-R80.30/images.py create mode 100644 deprecated/gcp/R80.30/ha-byol-R80.30/password.py create mode 100644 deprecated/gcp/R80.30/ha-payg-R80.30/README.md create mode 100644 deprecated/gcp/R80.30/ha-payg-R80.30/c2d_deployment_configuration.json create mode 100644 deprecated/gcp/R80.30/ha-payg-R80.30/check-point-cluster--payg.py create mode 100644 deprecated/gcp/R80.30/ha-payg-R80.30/check-point-cluster--payg.py.schema create mode 100644 deprecated/gcp/R80.30/ha-payg-R80.30/common.py create mode 100644 deprecated/gcp/R80.30/ha-payg-R80.30/config.yaml create mode 100644 deprecated/gcp/R80.30/ha-payg-R80.30/default.py create mode 100644 deprecated/gcp/R80.30/ha-payg-R80.30/images.py create mode 100644 deprecated/gcp/R80.30/ha-payg-R80.30/password.py create mode 100644 deprecated/gcp/R80.30/single-byol-R80.30/README.md create mode 100644 
deprecated/gcp/R80.30/single-byol-R80.30/c2d_deployment_configuration.json create mode 100644 deprecated/gcp/R80.30/single-byol-R80.30/check-point-vsec--byol.py create mode 100644 deprecated/gcp/R80.30/single-byol-R80.30/check-point-vsec--byol.py.schema create mode 100644 deprecated/gcp/R80.30/single-byol-R80.30/common.py create mode 100644 deprecated/gcp/R80.30/single-byol-R80.30/config.yaml create mode 100644 deprecated/gcp/R80.30/single-byol-R80.30/default.py create mode 100644 deprecated/gcp/R80.30/single-byol-R80.30/images.py create mode 100644 deprecated/gcp/R80.30/single-byol-R80.30/password.py create mode 100644 deprecated/gcp/R80.30/single-payg-R80.30/README.md create mode 100644 deprecated/gcp/R80.30/single-payg-R80.30/c2d_deployment_configuration.json create mode 100644 deprecated/gcp/R80.30/single-payg-R80.30/check-point-vsec--payg.py create mode 100644 deprecated/gcp/R80.30/single-payg-R80.30/check-point-vsec--payg.py.schema create mode 100644 deprecated/gcp/R80.30/single-payg-R80.30/common.py create mode 100644 deprecated/gcp/R80.30/single-payg-R80.30/config.yaml create mode 100644 deprecated/gcp/R80.30/single-payg-R80.30/default.py create mode 100644 deprecated/gcp/R80.30/single-payg-R80.30/images.py create mode 100644 deprecated/gcp/R80.30/single-payg-R80.30/password.py create mode 100644 deprecated/gcp/R80.40-R81/autoscale-byol/README.md create mode 100644 deprecated/gcp/R80.40-R81/autoscale-byol/c2d_deployment_configuration.json create mode 100644 deprecated/gcp/R80.40-R81/autoscale-byol/check-point-autoscale--byol.py create mode 100644 deprecated/gcp/R80.40-R81/autoscale-byol/check-point-autoscale--byol.py.schema create mode 100644 deprecated/gcp/R80.40-R81/autoscale-byol/common.py create mode 100644 deprecated/gcp/R80.40-R81/autoscale-byol/config.yaml create mode 100644 deprecated/gcp/R80.40-R81/autoscale-byol/default.py create mode 100644 deprecated/gcp/R80.40-R81/autoscale-byol/images.py create mode 100644 
deprecated/gcp/R80.40-R81/autoscale-byol/password.py create mode 100644 deprecated/gcp/R80.40-R81/autoscale-payg/README.md create mode 100644 deprecated/gcp/R80.40-R81/autoscale-payg/c2d_deployment_configuration.json create mode 100644 deprecated/gcp/R80.40-R81/autoscale-payg/check-point-autoscale--payg.py create mode 100644 deprecated/gcp/R80.40-R81/autoscale-payg/check-point-autoscale--payg.py.schema create mode 100644 deprecated/gcp/R80.40-R81/autoscale-payg/common.py create mode 100644 deprecated/gcp/R80.40-R81/autoscale-payg/config.yaml create mode 100644 deprecated/gcp/R80.40-R81/autoscale-payg/default.py create mode 100644 deprecated/gcp/R80.40-R81/autoscale-payg/images.py create mode 100644 deprecated/gcp/R80.40-R81/autoscale-payg/password.py create mode 100644 deprecated/gcp/R80.40-R81/ha-byol/README.md create mode 100644 deprecated/gcp/R80.40-R81/ha-byol/c2d_deployment_configuration.json create mode 100644 deprecated/gcp/R80.40-R81/ha-byol/check-point-cluster--byol.py create mode 100644 deprecated/gcp/R80.40-R81/ha-byol/check-point-cluster--byol.py.schema create mode 100644 deprecated/gcp/R80.40-R81/ha-byol/common.py create mode 100644 deprecated/gcp/R80.40-R81/ha-byol/config.yaml create mode 100644 deprecated/gcp/R80.40-R81/ha-byol/default.py create mode 100644 deprecated/gcp/R80.40-R81/ha-byol/images.py create mode 100644 deprecated/gcp/R80.40-R81/ha-byol/password.py create mode 100644 deprecated/gcp/R80.40-R81/ha-payg/README.md create mode 100644 deprecated/gcp/R80.40-R81/ha-payg/c2d_deployment_configuration.json create mode 100644 deprecated/gcp/R80.40-R81/ha-payg/check-point-cluster--payg.py create mode 100644 deprecated/gcp/R80.40-R81/ha-payg/check-point-cluster--payg.py.schema create mode 100644 deprecated/gcp/R80.40-R81/ha-payg/common.py create mode 100644 deprecated/gcp/R80.40-R81/ha-payg/config.yaml create mode 100644 deprecated/gcp/R80.40-R81/ha-payg/default.py create mode 100644 deprecated/gcp/R80.40-R81/ha-payg/images.py create mode 100644 
deprecated/gcp/R80.40-R81/ha-payg/password.py create mode 100644 deprecated/gcp/R80.40-R81/single-byol/README.md create mode 100644 deprecated/gcp/R80.40-R81/single-byol/c2d_deployment_configuration.json create mode 100644 deprecated/gcp/R80.40-R81/single-byol/check-point-vsec--byol.py create mode 100644 deprecated/gcp/R80.40-R81/single-byol/check-point-vsec--byol.py.schema create mode 100644 deprecated/gcp/R80.40-R81/single-byol/common.py create mode 100644 deprecated/gcp/R80.40-R81/single-byol/config.yaml create mode 100644 deprecated/gcp/R80.40-R81/single-byol/default.py create mode 100644 deprecated/gcp/R80.40-R81/single-byol/images.py create mode 100644 deprecated/gcp/R80.40-R81/single-byol/password.py create mode 100644 deprecated/gcp/R80.40-R81/single-payg/README.md create mode 100644 deprecated/gcp/R80.40-R81/single-payg/c2d_deployment_configuration.json create mode 100644 deprecated/gcp/R80.40-R81/single-payg/check-point-vsec--payg.py create mode 100644 deprecated/gcp/R80.40-R81/single-payg/check-point-vsec--payg.py.schema create mode 100644 deprecated/gcp/R80.40-R81/single-payg/common.py create mode 100644 deprecated/gcp/R80.40-R81/single-payg/config.yaml create mode 100644 deprecated/gcp/R80.40-R81/single-payg/default.py create mode 100644 deprecated/gcp/R80.40-R81/single-payg/images.py create mode 100644 deprecated/gcp/R80.40-R81/single-payg/password.py create mode 100644 deprecated/gcp/README.MD create mode 100644 deprecated/terraform/azure/R8040-R81/high-availability-existing-vnet/README.md create mode 100644 deprecated/terraform/azure/R8040-R81/high-availability-existing-vnet/azure_public_key create mode 100644 deprecated/terraform/azure/R8040-R81/high-availability-existing-vnet/cloud-init.sh create mode 100644 deprecated/terraform/azure/R8040-R81/high-availability-existing-vnet/main.tf create mode 100644 deprecated/terraform/azure/R8040-R81/high-availability-existing-vnet/terraform.tfvars create mode 100644 
deprecated/terraform/azure/R8040-R81/high-availability-existing-vnet/variables.tf create mode 100644 deprecated/terraform/azure/R8040-R81/high-availability-existing-vnet/versions.tf create mode 100644 deprecated/terraform/azure/R8040-R81/high-availability-new-vnet/README.md create mode 100644 deprecated/terraform/azure/R8040-R81/high-availability-new-vnet/azure_public_key create mode 100644 deprecated/terraform/azure/R8040-R81/high-availability-new-vnet/cloud-init.sh create mode 100644 deprecated/terraform/azure/R8040-R81/high-availability-new-vnet/main.tf create mode 100644 deprecated/terraform/azure/R8040-R81/high-availability-new-vnet/terraform.tfvars create mode 100644 deprecated/terraform/azure/R8040-R81/high-availability-new-vnet/variables.tf create mode 100644 deprecated/terraform/azure/R8040-R81/high-availability-new-vnet/versions.tf create mode 100644 deprecated/terraform/azure/R8040-R81/management-existing-vnet/README.md create mode 100644 deprecated/terraform/azure/R8040-R81/management-existing-vnet/azure_public_key create mode 100644 deprecated/terraform/azure/R8040-R81/management-existing-vnet/cloud-init.sh create mode 100644 deprecated/terraform/azure/R8040-R81/management-existing-vnet/main.tf create mode 100644 deprecated/terraform/azure/R8040-R81/management-existing-vnet/terraform.tfvars create mode 100644 deprecated/terraform/azure/R8040-R81/management-existing-vnet/variables.tf create mode 100644 deprecated/terraform/azure/R8040-R81/management-existing-vnet/versions.tf create mode 100644 deprecated/terraform/azure/R8040-R81/management-new-vnet/README.md create mode 100644 deprecated/terraform/azure/R8040-R81/management-new-vnet/azure_public_key create mode 100644 deprecated/terraform/azure/R8040-R81/management-new-vnet/cloud-init.sh create mode 100644 deprecated/terraform/azure/R8040-R81/management-new-vnet/main.tf create mode 100644 deprecated/terraform/azure/R8040-R81/management-new-vnet/terraform.tfvars create mode 100644 
deprecated/terraform/azure/R8040-R81/management-new-vnet/variables.tf create mode 100644 deprecated/terraform/azure/R8040-R81/management-new-vnet/versions.tf create mode 100644 deprecated/terraform/azure/R8040-R81/mds-existing-vnet/README.md create mode 100644 deprecated/terraform/azure/R8040-R81/mds-existing-vnet/azure_public_key create mode 100644 deprecated/terraform/azure/R8040-R81/mds-existing-vnet/cloud-init.sh create mode 100644 deprecated/terraform/azure/R8040-R81/mds-existing-vnet/main.tf create mode 100644 deprecated/terraform/azure/R8040-R81/mds-existing-vnet/terraform.tfvars create mode 100644 deprecated/terraform/azure/R8040-R81/mds-existing-vnet/variables.tf create mode 100644 deprecated/terraform/azure/R8040-R81/mds-existing-vnet/versions.tf create mode 100644 deprecated/terraform/azure/R8040-R81/mds-new-vnet/README.md create mode 100644 deprecated/terraform/azure/R8040-R81/mds-new-vnet/azure_public_key create mode 100644 deprecated/terraform/azure/R8040-R81/mds-new-vnet/cloud-init.sh create mode 100644 deprecated/terraform/azure/R8040-R81/mds-new-vnet/main.tf create mode 100644 deprecated/terraform/azure/R8040-R81/mds-new-vnet/terraform.tfvars create mode 100644 deprecated/terraform/azure/R8040-R81/mds-new-vnet/variables.tf create mode 100644 deprecated/terraform/azure/R8040-R81/mds-new-vnet/versions.tf create mode 100644 deprecated/terraform/azure/R8040-R81/modules/add-routing-intent.py create mode 100644 deprecated/terraform/azure/R8040-R81/modules/common/main.tf create mode 100644 deprecated/terraform/azure/R8040-R81/modules/common/outputs.tf create mode 100644 deprecated/terraform/azure/R8040-R81/modules/common/variables.tf create mode 100644 deprecated/terraform/azure/R8040-R81/modules/common/versions.tf create mode 100644 deprecated/terraform/azure/R8040-R81/modules/network-security-group/main.tf create mode 100644 deprecated/terraform/azure/R8040-R81/modules/network-security-group/output.tf create mode 100644 
deprecated/terraform/azure/R8040-R81/modules/network-security-group/variables.tf create mode 100644 deprecated/terraform/azure/R8040-R81/modules/network-security-group/versions.tf create mode 100644 deprecated/terraform/azure/R8040-R81/modules/vnet/main.tf create mode 100644 deprecated/terraform/azure/R8040-R81/modules/vnet/outputs.tf create mode 100644 deprecated/terraform/azure/R8040-R81/modules/vnet/variables.tf create mode 100644 deprecated/terraform/azure/R8040-R81/modules/vnet/versions.tf create mode 100644 deprecated/terraform/azure/R8040-R81/nva-into-existing-hub/README.md create mode 100644 deprecated/terraform/azure/R8040-R81/nva-into-existing-hub/main.tf create mode 100644 deprecated/terraform/azure/R8040-R81/nva-into-existing-hub/terraform.tfvars create mode 100644 deprecated/terraform/azure/R8040-R81/nva-into-existing-hub/variables.tf create mode 100644 deprecated/terraform/azure/R8040-R81/nva-into-existing-hub/versions.tf create mode 100644 deprecated/terraform/azure/R8040-R81/nva-into-new-vwan/README.md create mode 100644 deprecated/terraform/azure/R8040-R81/nva-into-new-vwan/main.tf create mode 100644 deprecated/terraform/azure/R8040-R81/nva-into-new-vwan/terraform.tfvars create mode 100644 deprecated/terraform/azure/R8040-R81/nva-into-new-vwan/variables.tf create mode 100644 deprecated/terraform/azure/R8040-R81/nva-into-new-vwan/versions.tf create mode 100644 deprecated/terraform/azure/R8040-R81/single-gateway-existing-vnet/README.md create mode 100644 deprecated/terraform/azure/R8040-R81/single-gateway-existing-vnet/azure_public_key create mode 100644 deprecated/terraform/azure/R8040-R81/single-gateway-existing-vnet/cloud-init.sh create mode 100644 deprecated/terraform/azure/R8040-R81/single-gateway-existing-vnet/main.tf create mode 100644 deprecated/terraform/azure/R8040-R81/single-gateway-existing-vnet/terraform.tfvars create mode 100644 deprecated/terraform/azure/R8040-R81/single-gateway-existing-vnet/variables.tf create mode 100644 
deprecated/terraform/azure/R8040-R81/single-gateway-existing-vnet/versions.tf create mode 100644 deprecated/terraform/azure/R8040-R81/single-gateway-new-vnet/README.md create mode 100644 deprecated/terraform/azure/R8040-R81/single-gateway-new-vnet/azure_public_key create mode 100644 deprecated/terraform/azure/R8040-R81/single-gateway-new-vnet/cloud-init.sh create mode 100644 deprecated/terraform/azure/R8040-R81/single-gateway-new-vnet/main.tf create mode 100644 deprecated/terraform/azure/R8040-R81/single-gateway-new-vnet/terraform.tfvars create mode 100644 deprecated/terraform/azure/R8040-R81/single-gateway-new-vnet/variables.tf create mode 100644 deprecated/terraform/azure/R8040-R81/single-gateway-new-vnet/versions.tf create mode 100644 deprecated/terraform/azure/R8040-R81/vmss-existing-vnet/README.md create mode 100644 deprecated/terraform/azure/R8040-R81/vmss-existing-vnet/azure_public_key create mode 100644 deprecated/terraform/azure/R8040-R81/vmss-existing-vnet/cloud-init.sh create mode 100644 deprecated/terraform/azure/R8040-R81/vmss-existing-vnet/main.tf create mode 100644 deprecated/terraform/azure/R8040-R81/vmss-existing-vnet/terraform.tfvars create mode 100644 deprecated/terraform/azure/R8040-R81/vmss-existing-vnet/variables.tf create mode 100644 deprecated/terraform/azure/R8040-R81/vmss-existing-vnet/versions.tf create mode 100644 deprecated/terraform/azure/R8040-R81/vmss-new-vnet/README.md create mode 100644 deprecated/terraform/azure/R8040-R81/vmss-new-vnet/azure_public_key create mode 100644 deprecated/terraform/azure/R8040-R81/vmss-new-vnet/cloud-init.sh create mode 100644 deprecated/terraform/azure/R8040-R81/vmss-new-vnet/main.tf create mode 100644 deprecated/terraform/azure/R8040-R81/vmss-new-vnet/terraform.tfvars create mode 100644 deprecated/terraform/azure/R8040-R81/vmss-new-vnet/variables.tf create mode 100644 deprecated/terraform/azure/R8040-R81/vmss-new-vnet/versions.tf create mode 100644 deprecated/terraform/azure/README.md create mode 
100644 deprecated/terraform/gcp/R8040-R81/autoscale-into-existing-vpc/README.md create mode 100644 deprecated/terraform/gcp/R8040-R81/autoscale-into-existing-vpc/locals.tf create mode 100644 deprecated/terraform/gcp/R8040-R81/autoscale-into-existing-vpc/main.tf create mode 100644 deprecated/terraform/gcp/R8040-R81/autoscale-into-existing-vpc/output.tf create mode 100644 deprecated/terraform/gcp/R8040-R81/autoscale-into-existing-vpc/terraform.tfvars create mode 100644 deprecated/terraform/gcp/R8040-R81/autoscale-into-existing-vpc/variables.tf create mode 100644 deprecated/terraform/gcp/R8040-R81/autoscale-into-new-vpc/README.md create mode 100644 deprecated/terraform/gcp/R8040-R81/autoscale-into-new-vpc/locals.tf create mode 100644 deprecated/terraform/gcp/R8040-R81/autoscale-into-new-vpc/main.tf create mode 100644 deprecated/terraform/gcp/R8040-R81/autoscale-into-new-vpc/output.tf create mode 100644 deprecated/terraform/gcp/R8040-R81/autoscale-into-new-vpc/terraform.tfvars create mode 100644 deprecated/terraform/gcp/R8040-R81/autoscale-into-new-vpc/variables.tf create mode 100644 deprecated/terraform/gcp/R8040-R81/common/cluster-member/main.tf create mode 100644 deprecated/terraform/gcp/R8040-R81/common/cluster-member/output.tf create mode 100644 deprecated/terraform/gcp/R8040-R81/common/cluster-member/variables.tf create mode 100644 deprecated/terraform/gcp/R8040-R81/common/firewall-rule/main.tf create mode 100644 deprecated/terraform/gcp/R8040-R81/common/firewall-rule/output.tf create mode 100644 deprecated/terraform/gcp/R8040-R81/common/firewall-rule/variables.tf create mode 100644 deprecated/terraform/gcp/R8040-R81/common/members-a-b/main.tf create mode 100644 deprecated/terraform/gcp/R8040-R81/common/members-a-b/output.tf create mode 100644 deprecated/terraform/gcp/R8040-R81/common/members-a-b/variables.tf create mode 100644 deprecated/terraform/gcp/R8040-R81/common/network-and-subnet/main.tf create mode 100644 
deprecated/terraform/gcp/R8040-R81/common/network-and-subnet/output.tf create mode 100644 deprecated/terraform/gcp/R8040-R81/common/network-and-subnet/variables.tf create mode 100644 deprecated/terraform/gcp/R8040-R81/common/startup-script.sh create mode 100644 deprecated/terraform/gcp/R8040-R81/high-availability/README.md create mode 100644 deprecated/terraform/gcp/R8040-R81/high-availability/locals.tf create mode 100644 deprecated/terraform/gcp/R8040-R81/high-availability/main.tf create mode 100644 deprecated/terraform/gcp/R8040-R81/high-availability/output.tf create mode 100644 deprecated/terraform/gcp/R8040-R81/high-availability/terraform.tfvars create mode 100644 deprecated/terraform/gcp/R8040-R81/high-availability/variables.tf create mode 100644 deprecated/terraform/gcp/R8040-R81/single-into-existing-vpc/README.md create mode 100644 deprecated/terraform/gcp/R8040-R81/single-into-existing-vpc/locals.tf create mode 100644 deprecated/terraform/gcp/R8040-R81/single-into-existing-vpc/main.tf create mode 100644 deprecated/terraform/gcp/R8040-R81/single-into-existing-vpc/output.tf create mode 100644 deprecated/terraform/gcp/R8040-R81/single-into-existing-vpc/terraform.tfvars create mode 100644 deprecated/terraform/gcp/R8040-R81/single-into-existing-vpc/variables.tf create mode 100644 deprecated/terraform/gcp/R8040-R81/single-into-new-vpc/README.md create mode 100644 deprecated/terraform/gcp/R8040-R81/single-into-new-vpc/main.tf create mode 100644 deprecated/terraform/gcp/R8040-R81/single-into-new-vpc/output.tf create mode 100644 deprecated/terraform/gcp/R8040-R81/single-into-new-vpc/terraform.tfvars create mode 100644 deprecated/terraform/gcp/R8040-R81/single-into-new-vpc/variables.tf create mode 100644 gcp/deployment-packages/README.MD create mode 100644 gcp/deployment-packages/autoscale-byol/README.md create mode 100755 gcp/deployment-packages/autoscale-byol/c2d_deployment_configuration.json create mode 100755 
gcp/deployment-packages/autoscale-byol/check-point-autoscale--byol.py create mode 100755 gcp/deployment-packages/autoscale-byol/check-point-autoscale--byol.py.schema create mode 100755 gcp/deployment-packages/autoscale-byol/common.py create mode 100644 gcp/deployment-packages/autoscale-byol/config.yaml create mode 100755 gcp/deployment-packages/autoscale-byol/default.py create mode 100755 gcp/deployment-packages/autoscale-byol/images.py create mode 100755 gcp/deployment-packages/autoscale-byol/password.py create mode 100644 gcp/deployment-packages/autoscale-payg/README.md create mode 100755 gcp/deployment-packages/autoscale-payg/c2d_deployment_configuration.json create mode 100755 gcp/deployment-packages/autoscale-payg/check-point-autoscale--payg.py create mode 100755 gcp/deployment-packages/autoscale-payg/check-point-autoscale--payg.py.schema create mode 100755 gcp/deployment-packages/autoscale-payg/common.py create mode 100644 gcp/deployment-packages/autoscale-payg/config.yaml create mode 100755 gcp/deployment-packages/autoscale-payg/default.py create mode 100755 gcp/deployment-packages/autoscale-payg/images.py create mode 100755 gcp/deployment-packages/autoscale-payg/password.py create mode 100644 gcp/deployment-packages/ha-byol/README.md create mode 100755 gcp/deployment-packages/ha-byol/c2d_deployment_configuration.json create mode 100755 gcp/deployment-packages/ha-byol/check-point-cluster--byol.py create mode 100755 gcp/deployment-packages/ha-byol/check-point-cluster--byol.py.schema create mode 100755 gcp/deployment-packages/ha-byol/common.py create mode 100644 gcp/deployment-packages/ha-byol/config.yaml create mode 100755 gcp/deployment-packages/ha-byol/default.py create mode 100755 gcp/deployment-packages/ha-byol/images.py create mode 100755 gcp/deployment-packages/ha-byol/password.py create mode 100644 gcp/deployment-packages/ha-payg/README.md create mode 100755 gcp/deployment-packages/ha-payg/c2d_deployment_configuration.json create mode 100755 
gcp/deployment-packages/ha-payg/check-point-cluster--payg.py create mode 100755 gcp/deployment-packages/ha-payg/check-point-cluster--payg.py.schema create mode 100755 gcp/deployment-packages/ha-payg/common.py create mode 100644 gcp/deployment-packages/ha-payg/config.yaml create mode 100755 gcp/deployment-packages/ha-payg/default.py create mode 100755 gcp/deployment-packages/ha-payg/images.py create mode 100755 gcp/deployment-packages/ha-payg/password.py create mode 100644 gcp/deployment-packages/single-byol/README.md create mode 100755 gcp/deployment-packages/single-byol/c2d_deployment_configuration.json create mode 100755 gcp/deployment-packages/single-byol/check-point-vsec--byol.py create mode 100755 gcp/deployment-packages/single-byol/check-point-vsec--byol.py.schema create mode 100755 gcp/deployment-packages/single-byol/common.py create mode 100644 gcp/deployment-packages/single-byol/config.yaml create mode 100755 gcp/deployment-packages/single-byol/default.py create mode 100755 gcp/deployment-packages/single-byol/images.py create mode 100755 gcp/deployment-packages/single-byol/password.py create mode 100644 gcp/deployment-packages/single-payg/README.md create mode 100755 gcp/deployment-packages/single-payg/c2d_deployment_configuration.json create mode 100755 gcp/deployment-packages/single-payg/check-point-vsec--payg.py create mode 100755 gcp/deployment-packages/single-payg/check-point-vsec--payg.py.schema create mode 100755 gcp/deployment-packages/single-payg/common.py create mode 100644 gcp/deployment-packages/single-payg/config.yaml create mode 100755 gcp/deployment-packages/single-payg/default.py create mode 100755 gcp/deployment-packages/single-payg/images.py create mode 100755 gcp/deployment-packages/single-payg/password.py create mode 100644 terraform/.gitattributes create mode 100644 terraform/.gitignore create mode 100644 terraform/LICENSE create mode 100755 terraform/alicloud/cluster-master/README.md create mode 100755 
terraform/alicloud/cluster-master/locals.tf create mode 100755 terraform/alicloud/cluster-master/main.tf create mode 100755 terraform/alicloud/cluster-master/output.tf create mode 100755 terraform/alicloud/cluster-master/terraform.tfvars create mode 100755 terraform/alicloud/cluster-master/variables.tf create mode 100755 terraform/alicloud/cluster-master/versions.tf create mode 100755 terraform/alicloud/cluster/README.md create mode 100644 terraform/alicloud/cluster/cluster_member_a_userdata.yaml create mode 100644 terraform/alicloud/cluster/cluster_member_b_userdata.yaml create mode 100755 terraform/alicloud/cluster/locals.tf create mode 100755 terraform/alicloud/cluster/main.tf create mode 100755 terraform/alicloud/cluster/output.tf create mode 100755 terraform/alicloud/cluster/terraform.tfvars create mode 100755 terraform/alicloud/cluster/variables.tf create mode 100755 terraform/alicloud/cluster/versions.tf create mode 100755 terraform/alicloud/gateway-master/README.md create mode 100755 terraform/alicloud/gateway-master/locals.tf create mode 100755 terraform/alicloud/gateway-master/main.tf create mode 100755 terraform/alicloud/gateway-master/output.tf create mode 100755 terraform/alicloud/gateway-master/terraform.tfvars create mode 100755 terraform/alicloud/gateway-master/variables.tf create mode 100755 terraform/alicloud/gateway-master/versions.tf create mode 100755 terraform/alicloud/gateway/README.md create mode 100755 terraform/alicloud/gateway/locals.tf create mode 100755 terraform/alicloud/gateway/main.tf create mode 100755 terraform/alicloud/gateway/output.tf create mode 100755 terraform/alicloud/gateway/terraform.tfvars create mode 100755 terraform/alicloud/gateway/variables.tf create mode 100755 terraform/alicloud/gateway/versions.tf create mode 100755 terraform/alicloud/management-master/README.md create mode 100755 terraform/alicloud/management-master/locals.tf create mode 100755 terraform/alicloud/management-master/main.tf create mode 100755 
terraform/alicloud/management-master/output.tf create mode 100755 terraform/alicloud/management-master/terraform.tfvars create mode 100755 terraform/alicloud/management-master/variables.tf create mode 100755 terraform/alicloud/management-master/versions.tf create mode 100755 terraform/alicloud/management/README.md create mode 100755 terraform/alicloud/management/locals.tf create mode 100755 terraform/alicloud/management/main.tf create mode 100644 terraform/alicloud/management/management_userdata.yaml create mode 100755 terraform/alicloud/management/output.tf create mode 100755 terraform/alicloud/management/terraform.tfvars create mode 100755 terraform/alicloud/management/variables.tf create mode 100755 terraform/alicloud/management/versions.tf create mode 100755 terraform/alicloud/modules/cluster-ram-role/locals.tf create mode 100755 terraform/alicloud/modules/cluster-ram-role/main.tf create mode 100755 terraform/alicloud/modules/cluster-ram-role/output.tf create mode 100755 terraform/alicloud/modules/cluster-ram-role/variables.tf create mode 100755 terraform/alicloud/modules/cluster-ram-role/versions.tf create mode 100755 terraform/alicloud/modules/common/elastic_ip/locals.tf create mode 100755 terraform/alicloud/modules/common/elastic_ip/main.tf create mode 100755 terraform/alicloud/modules/common/elastic_ip/output.tf create mode 100755 terraform/alicloud/modules/common/elastic_ip/variables.tf create mode 100755 terraform/alicloud/modules/common/elastic_ip/versions.tf create mode 100644 terraform/alicloud/modules/common/gateway_instance/gateway_userdata.yaml create mode 100755 terraform/alicloud/modules/common/gateway_instance/locals.tf create mode 100755 terraform/alicloud/modules/common/gateway_instance/main.tf create mode 100755 terraform/alicloud/modules/common/gateway_instance/output.tf create mode 100755 terraform/alicloud/modules/common/gateway_instance/variables.tf create mode 100755 terraform/alicloud/modules/common/gateway_instance/versions.tf create 
mode 100755 terraform/alicloud/modules/common/instance_type/main.tf create mode 100755 terraform/alicloud/modules/common/instance_type/variables.tf create mode 100755 terraform/alicloud/modules/common/instance_type/versions.tf create mode 100755 terraform/alicloud/modules/common/internal_default_route/locals.tf create mode 100755 terraform/alicloud/modules/common/internal_default_route/main.tf create mode 100755 terraform/alicloud/modules/common/internal_default_route/output.tf create mode 100755 terraform/alicloud/modules/common/internal_default_route/variables.tf create mode 100755 terraform/alicloud/modules/common/internal_default_route/versions.tf create mode 100755 terraform/alicloud/modules/common/permissive_sg/main.tf create mode 100755 terraform/alicloud/modules/common/permissive_sg/output.tf create mode 100755 terraform/alicloud/modules/common/permissive_sg/variables.tf create mode 100755 terraform/alicloud/modules/common/permissive_sg/versions.tf create mode 100755 terraform/alicloud/modules/common/version_license/main.tf create mode 100755 terraform/alicloud/modules/common/version_license/variables.tf create mode 100755 terraform/alicloud/modules/common/version_license/versions.tf create mode 100755 terraform/alicloud/modules/images/images.yaml create mode 100755 terraform/alicloud/modules/images/main.tf create mode 100755 terraform/alicloud/modules/images/output.tf create mode 100755 terraform/alicloud/modules/images/variables.tf create mode 100755 terraform/alicloud/modules/images/versions.tf create mode 100755 terraform/alicloud/modules/vpc/locals.tf create mode 100755 terraform/alicloud/modules/vpc/main.tf create mode 100755 terraform/alicloud/modules/vpc/output.tf create mode 100755 terraform/alicloud/modules/vpc/variables.tf create mode 100755 terraform/alicloud/modules/vpc/versions.tf create mode 100644 terraform/aws/README.md create mode 100755 terraform/aws/autoscale-gwlb/README.md create mode 100755 
terraform/aws/autoscale-gwlb/asg_userdata.yaml create mode 100755 terraform/aws/autoscale-gwlb/locals.tf create mode 100755 terraform/aws/autoscale-gwlb/main.tf create mode 100755 terraform/aws/autoscale-gwlb/output.tf create mode 100755 terraform/aws/autoscale-gwlb/terraform.tfvars create mode 100644 terraform/aws/autoscale-gwlb/variables.tf create mode 100755 terraform/aws/autoscale-gwlb/versions.tf create mode 100755 terraform/aws/autoscale/README.md create mode 100755 terraform/aws/autoscale/asg_userdata.yaml create mode 100755 terraform/aws/autoscale/locals.tf create mode 100755 terraform/aws/autoscale/main.tf create mode 100755 terraform/aws/autoscale/output.tf create mode 100755 terraform/aws/autoscale/terraform.tfvars create mode 100755 terraform/aws/autoscale/variables.tf create mode 100755 terraform/aws/autoscale/versions.tf create mode 100755 terraform/aws/cluster-master/README.md create mode 100755 terraform/aws/cluster-master/locals.tf create mode 100755 terraform/aws/cluster-master/main.tf create mode 100755 terraform/aws/cluster-master/output.tf create mode 100755 terraform/aws/cluster-master/terraform.tfvars create mode 100755 terraform/aws/cluster-master/variables.tf create mode 100755 terraform/aws/cluster-master/versions.tf create mode 100755 terraform/aws/cluster/README.md create mode 100755 terraform/aws/cluster/cluster_member_a_userdata.yaml create mode 100755 terraform/aws/cluster/cluster_member_b_userdata.yaml create mode 100755 terraform/aws/cluster/locals.tf create mode 100755 terraform/aws/cluster/main.tf create mode 100755 terraform/aws/cluster/output.tf create mode 100755 terraform/aws/cluster/terraform.tfvars create mode 100755 terraform/aws/cluster/variables.tf create mode 100755 terraform/aws/cluster/versions.tf create mode 100644 terraform/aws/cme-iam-role-gwlb/README.md create mode 100644 terraform/aws/cme-iam-role-gwlb/main.tf create mode 100644 terraform/aws/cme-iam-role-gwlb/output.tf create mode 100644 
terraform/aws/cme-iam-role-gwlb/terraform.tfvars create mode 100644 terraform/aws/cme-iam-role-gwlb/variables.tf create mode 100644 terraform/aws/cme-iam-role-gwlb/versions.tf create mode 100755 terraform/aws/cme-iam-role/README.md create mode 100755 terraform/aws/cme-iam-role/main.tf create mode 100755 terraform/aws/cme-iam-role/output.tf create mode 100755 terraform/aws/cme-iam-role/terraform.tfvars create mode 100755 terraform/aws/cme-iam-role/variables.tf create mode 100755 terraform/aws/cme-iam-role/versions.tf create mode 100755 terraform/aws/cross-az-cluster-master/README.md create mode 100755 terraform/aws/cross-az-cluster-master/locals.tf create mode 100755 terraform/aws/cross-az-cluster-master/main.tf create mode 100755 terraform/aws/cross-az-cluster-master/output.tf create mode 100755 terraform/aws/cross-az-cluster-master/terraform.tfvars create mode 100755 terraform/aws/cross-az-cluster-master/variables.tf create mode 100755 terraform/aws/cross-az-cluster-master/versions.tf create mode 100755 terraform/aws/cross-az-cluster/README.md create mode 100755 terraform/aws/cross-az-cluster/cluster_member_a_userdata.yaml create mode 100755 terraform/aws/cross-az-cluster/cluster_member_b_userdata.yaml create mode 100755 terraform/aws/cross-az-cluster/locals.tf create mode 100755 terraform/aws/cross-az-cluster/main.tf create mode 100755 terraform/aws/cross-az-cluster/output.tf create mode 100755 terraform/aws/cross-az-cluster/terraform.tfvars create mode 100755 terraform/aws/cross-az-cluster/variables.tf create mode 100755 terraform/aws/cross-az-cluster/versions.tf create mode 100755 terraform/aws/gateway-master/README.md create mode 100755 terraform/aws/gateway-master/locals.tf create mode 100755 terraform/aws/gateway-master/main.tf create mode 100755 terraform/aws/gateway-master/output.tf create mode 100755 terraform/aws/gateway-master/terraform.tfvars create mode 100755 terraform/aws/gateway-master/variables.tf create mode 100755 
terraform/aws/gateway-master/versions.tf create mode 100755 terraform/aws/gateway/README.md create mode 100755 terraform/aws/gateway/locals.tf create mode 100755 terraform/aws/gateway/main.tf create mode 100755 terraform/aws/gateway/output.tf create mode 100755 terraform/aws/gateway/terraform.tfvars create mode 100755 terraform/aws/gateway/variables.tf create mode 100755 terraform/aws/gateway/versions.tf create mode 100755 terraform/aws/gwlb-master/README.md create mode 100755 terraform/aws/gwlb-master/locals.tf create mode 100755 terraform/aws/gwlb-master/main.tf create mode 100755 terraform/aws/gwlb-master/output.tf create mode 100755 terraform/aws/gwlb-master/terraform.tfvars create mode 100755 terraform/aws/gwlb-master/variables.tf create mode 100755 terraform/aws/gwlb-master/versions.tf create mode 100755 terraform/aws/gwlb/README.md create mode 100755 terraform/aws/gwlb/locals.tf create mode 100755 terraform/aws/gwlb/main.tf create mode 100755 terraform/aws/gwlb/output.tf create mode 100755 terraform/aws/gwlb/terraform.tfvars create mode 100755 terraform/aws/gwlb/variables.tf create mode 100755 terraform/aws/gwlb/versions.tf create mode 100755 terraform/aws/management/README.md create mode 100755 terraform/aws/management/locals.tf create mode 100755 terraform/aws/management/main.tf create mode 100755 terraform/aws/management/management_userdata.yaml create mode 100755 terraform/aws/management/output.tf create mode 100755 terraform/aws/management/terraform.tfvars create mode 100755 terraform/aws/management/variables.tf create mode 100755 terraform/aws/management/versions.tf create mode 100755 terraform/aws/mds/README.md create mode 100755 terraform/aws/mds/locals.tf create mode 100755 terraform/aws/mds/main.tf create mode 100755 terraform/aws/mds/mds_userdata.yaml create mode 100755 terraform/aws/mds/output.tf create mode 100755 terraform/aws/mds/terraform.tfvars create mode 100755 terraform/aws/mds/variables.tf create mode 100755 terraform/aws/mds/versions.tf 
create mode 100644 terraform/aws/modules/amis/main.tf create mode 100644 terraform/aws/modules/amis/output.tf create mode 100644 terraform/aws/modules/amis/variables.tf create mode 100755 terraform/aws/modules/cloudwatch-policy/main.tf create mode 100755 terraform/aws/modules/cloudwatch-policy/variables.tf create mode 100755 terraform/aws/modules/cluster-iam-role/main.tf create mode 100755 terraform/aws/modules/cluster-iam-role/output.tf create mode 100755 terraform/aws/modules/common/elastic_ip/locals.tf create mode 100755 terraform/aws/modules/common/elastic_ip/main.tf create mode 100755 terraform/aws/modules/common/elastic_ip/output.tf create mode 100755 terraform/aws/modules/common/elastic_ip/variables.tf create mode 100755 terraform/aws/modules/common/gateway_instance/gateway_userdata.yaml create mode 100755 terraform/aws/modules/common/gateway_instance/locals.tf create mode 100755 terraform/aws/modules/common/gateway_instance/main.tf create mode 100755 terraform/aws/modules/common/gateway_instance/output.tf create mode 100755 terraform/aws/modules/common/gateway_instance/variables.tf create mode 100755 terraform/aws/modules/common/instance_type/main.tf create mode 100755 terraform/aws/modules/common/instance_type/variables.tf create mode 100755 terraform/aws/modules/common/internal_default_route/locals.tf create mode 100755 terraform/aws/modules/common/internal_default_route/main.tf create mode 100755 terraform/aws/modules/common/internal_default_route/output.tf create mode 100755 terraform/aws/modules/common/internal_default_route/variables.tf create mode 100755 terraform/aws/modules/common/load_balancer/main.tf create mode 100755 terraform/aws/modules/common/load_balancer/output.tf create mode 100755 terraform/aws/modules/common/load_balancer/variables.tf create mode 100755 terraform/aws/modules/common/permissive_sg/main.tf create mode 100755 terraform/aws/modules/common/permissive_sg/output.tf create mode 100755 
terraform/aws/modules/common/permissive_sg/variables.tf create mode 100755 terraform/aws/modules/common/version_license/main.tf create mode 100755 terraform/aws/modules/common/version_license/variables.tf create mode 100755 terraform/aws/modules/custom-autoscale/locals.tf create mode 100755 terraform/aws/modules/custom-autoscale/main.tf create mode 100755 terraform/aws/modules/custom-autoscale/variables.tf create mode 100644 terraform/aws/modules/custom-autoscale/vpc/main.tf create mode 100644 terraform/aws/modules/custom-autoscale/vpc/output.tf create mode 100644 terraform/aws/modules/custom-autoscale/vpc/variables.tf create mode 100755 terraform/aws/modules/vpc/main.tf create mode 100755 terraform/aws/modules/vpc/output.tf create mode 100755 terraform/aws/modules/vpc/variables.tf create mode 100755 terraform/aws/qs-autoscale-master/README.md create mode 100755 terraform/aws/qs-autoscale-master/locals.tf create mode 100755 terraform/aws/qs-autoscale-master/main.tf create mode 100755 terraform/aws/qs-autoscale-master/output.tf create mode 100755 terraform/aws/qs-autoscale-master/terraform.tfvars create mode 100755 terraform/aws/qs-autoscale-master/variables.tf create mode 100755 terraform/aws/qs-autoscale-master/versions.tf create mode 100755 terraform/aws/qs-autoscale/README.md create mode 100755 terraform/aws/qs-autoscale/locals.tf create mode 100755 terraform/aws/qs-autoscale/main.tf create mode 100755 terraform/aws/qs-autoscale/output.tf create mode 100755 terraform/aws/qs-autoscale/terraform.tfvars create mode 100755 terraform/aws/qs-autoscale/variables.tf create mode 100755 terraform/aws/qs-autoscale/versions.tf create mode 100755 terraform/aws/standalone-master/README.md create mode 100755 terraform/aws/standalone-master/locals.tf create mode 100755 terraform/aws/standalone-master/main.tf create mode 100755 terraform/aws/standalone-master/output.tf create mode 100755 terraform/aws/standalone-master/terraform.tfvars create mode 100755 
terraform/aws/standalone-master/variables.tf create mode 100755 terraform/aws/standalone-master/versions.tf create mode 100755 terraform/aws/standalone/README.md create mode 100755 terraform/aws/standalone/locals.tf create mode 100755 terraform/aws/standalone/main.tf create mode 100755 terraform/aws/standalone/output.tf create mode 100755 terraform/aws/standalone/standalone_userdata.yaml create mode 100755 terraform/aws/standalone/terraform.tfvars create mode 100755 terraform/aws/standalone/variables.tf create mode 100755 terraform/aws/standalone/versions.tf create mode 100644 terraform/aws/tap/Check Point NOW onboarding page.docx create mode 100644 terraform/aws/tap/CheckPoint_NOW_onboarding_page.pdf create mode 100644 terraform/aws/tap/README.md create mode 100644 terraform/aws/tap/main.tf create mode 100644 terraform/aws/tap/output.tf create mode 100644 terraform/aws/tap/tap_lambda.py create mode 100644 terraform/aws/tap/tap_termination_lambda.py create mode 100644 terraform/aws/tap/tap_user_data.sh create mode 100644 terraform/aws/tap/terraform.tfvars create mode 100644 terraform/aws/tap/variables.tf create mode 100755 terraform/aws/tgw-asg-master/README.md create mode 100755 terraform/aws/tgw-asg-master/locals.tf create mode 100755 terraform/aws/tgw-asg-master/main.tf create mode 100755 terraform/aws/tgw-asg-master/output.tf create mode 100755 terraform/aws/tgw-asg-master/terraform.tfvars create mode 100755 terraform/aws/tgw-asg-master/variables.tf create mode 100755 terraform/aws/tgw-asg-master/versions.tf create mode 100755 terraform/aws/tgw-asg/README.md create mode 100755 terraform/aws/tgw-asg/locals.tf create mode 100755 terraform/aws/tgw-asg/main.tf create mode 100755 terraform/aws/tgw-asg/output.tf create mode 100755 terraform/aws/tgw-asg/terraform.tfvars create mode 100755 terraform/aws/tgw-asg/variables.tf create mode 100755 terraform/aws/tgw-asg/versions.tf create mode 100755 terraform/aws/tgw-cross-az-cluster-master/README.md create mode 100755 
terraform/aws/tgw-cross-az-cluster-master/locals.tf create mode 100755 terraform/aws/tgw-cross-az-cluster-master/main.tf create mode 100755 terraform/aws/tgw-cross-az-cluster-master/output.tf create mode 100755 terraform/aws/tgw-cross-az-cluster-master/terraform.tfvars create mode 100755 terraform/aws/tgw-cross-az-cluster-master/variables.tf create mode 100755 terraform/aws/tgw-cross-az-cluster-master/versions.tf create mode 100755 terraform/aws/tgw-cross-az-cluster/README.md create mode 100755 terraform/aws/tgw-cross-az-cluster/locals.tf create mode 100755 terraform/aws/tgw-cross-az-cluster/main.tf create mode 100755 terraform/aws/tgw-cross-az-cluster/output.tf create mode 100755 terraform/aws/tgw-cross-az-cluster/terraform.tfvars create mode 100755 terraform/aws/tgw-cross-az-cluster/variables.tf create mode 100755 terraform/aws/tgw-cross-az-cluster/versions.tf create mode 100755 terraform/aws/tgw-gwlb-master/README.md create mode 100755 terraform/aws/tgw-gwlb-master/locals.tf create mode 100755 terraform/aws/tgw-gwlb-master/main.tf create mode 100755 terraform/aws/tgw-gwlb-master/output.tf create mode 100755 terraform/aws/tgw-gwlb-master/terraform.tfvars create mode 100755 terraform/aws/tgw-gwlb-master/variables.tf create mode 100755 terraform/aws/tgw-gwlb-master/versions.tf create mode 100755 terraform/aws/tgw-gwlb/README.md create mode 100755 terraform/aws/tgw-gwlb/locals.tf create mode 100755 terraform/aws/tgw-gwlb/main.tf create mode 100755 terraform/aws/tgw-gwlb/output.tf create mode 100755 terraform/aws/tgw-gwlb/terraform.tfvars create mode 100755 terraform/aws/tgw-gwlb/variables.tf create mode 100755 terraform/aws/tgw-gwlb/versions.tf create mode 100755 terraform/azure/README.md create mode 100755 terraform/azure/high-availability-existing-vnet/README.md create mode 100755 terraform/azure/high-availability-existing-vnet/azure_public_key create mode 100755 terraform/azure/high-availability-existing-vnet/cloud-init.sh create mode 100755 
terraform/azure/high-availability-existing-vnet/main.tf create mode 100755 terraform/azure/high-availability-existing-vnet/terraform.tfvars create mode 100755 terraform/azure/high-availability-existing-vnet/variables.tf create mode 100755 terraform/azure/high-availability-existing-vnet/versions.tf create mode 100755 terraform/azure/high-availability-new-vnet/README.md create mode 100755 terraform/azure/high-availability-new-vnet/azure_public_key create mode 100755 terraform/azure/high-availability-new-vnet/cloud-init.sh create mode 100755 terraform/azure/high-availability-new-vnet/main.tf create mode 100755 terraform/azure/high-availability-new-vnet/terraform.tfvars create mode 100755 terraform/azure/high-availability-new-vnet/variables.tf create mode 100755 terraform/azure/high-availability-new-vnet/versions.tf create mode 100755 terraform/azure/management-existing-vnet/README.md create mode 100755 terraform/azure/management-existing-vnet/azure_public_key create mode 100755 terraform/azure/management-existing-vnet/cloud-init.sh create mode 100755 terraform/azure/management-existing-vnet/main.tf create mode 100755 terraform/azure/management-existing-vnet/terraform.tfvars create mode 100755 terraform/azure/management-existing-vnet/variables.tf create mode 100755 terraform/azure/management-existing-vnet/versions.tf create mode 100755 terraform/azure/management-new-vnet/README.md create mode 100755 terraform/azure/management-new-vnet/azure_public_key create mode 100755 terraform/azure/management-new-vnet/cloud-init.sh create mode 100755 terraform/azure/management-new-vnet/main.tf create mode 100755 terraform/azure/management-new-vnet/terraform.tfvars create mode 100755 terraform/azure/management-new-vnet/variables.tf create mode 100755 terraform/azure/management-new-vnet/versions.tf create mode 100755 terraform/azure/mds-existing-vnet/README.md create mode 100644 terraform/azure/mds-existing-vnet/azure_public_key create mode 100755 
terraform/azure/mds-existing-vnet/cloud-init.sh create mode 100755 terraform/azure/mds-existing-vnet/main.tf create mode 100755 terraform/azure/mds-existing-vnet/terraform.tfvars create mode 100755 terraform/azure/mds-existing-vnet/variables.tf create mode 100755 terraform/azure/mds-existing-vnet/versions.tf create mode 100755 terraform/azure/mds-new-vnet/README.md create mode 100644 terraform/azure/mds-new-vnet/azure_public_key create mode 100755 terraform/azure/mds-new-vnet/cloud-init.sh create mode 100755 terraform/azure/mds-new-vnet/main.tf create mode 100755 terraform/azure/mds-new-vnet/terraform.tfvars create mode 100755 terraform/azure/mds-new-vnet/variables.tf create mode 100755 terraform/azure/mds-new-vnet/versions.tf create mode 100644 terraform/azure/modules/add-routing-intent.py create mode 100755 terraform/azure/modules/common/main.tf create mode 100755 terraform/azure/modules/common/outputs.tf create mode 100755 terraform/azure/modules/common/variables.tf create mode 100755 terraform/azure/modules/common/versions.tf create mode 100755 terraform/azure/modules/network-security-group/main.tf create mode 100755 terraform/azure/modules/network-security-group/output.tf create mode 100755 terraform/azure/modules/network-security-group/variables.tf create mode 100755 terraform/azure/modules/network-security-group/versions.tf create mode 100755 terraform/azure/modules/vnet/main.tf create mode 100755 terraform/azure/modules/vnet/outputs.tf create mode 100755 terraform/azure/modules/vnet/variables.tf create mode 100755 terraform/azure/modules/vnet/versions.tf create mode 100644 terraform/azure/nva-into-existing-hub/README.md create mode 100644 terraform/azure/nva-into-existing-hub/main.tf create mode 100644 terraform/azure/nva-into-existing-hub/terraform.tfvars create mode 100644 terraform/azure/nva-into-existing-hub/variables.tf create mode 100644 terraform/azure/nva-into-existing-hub/versions.tf create mode 100644 terraform/azure/nva-into-new-vwan/README.md 
create mode 100644 terraform/azure/nva-into-new-vwan/main.tf create mode 100644 terraform/azure/nva-into-new-vwan/terraform.tfvars create mode 100644 terraform/azure/nva-into-new-vwan/variables.tf create mode 100644 terraform/azure/nva-into-new-vwan/versions.tf create mode 100755 terraform/azure/single-gateway-existing-vnet/README.md create mode 100644 terraform/azure/single-gateway-existing-vnet/azure_public_key create mode 100755 terraform/azure/single-gateway-existing-vnet/cloud-init.sh create mode 100755 terraform/azure/single-gateway-existing-vnet/main.tf create mode 100755 terraform/azure/single-gateway-existing-vnet/terraform.tfvars create mode 100755 terraform/azure/single-gateway-existing-vnet/variables.tf create mode 100755 terraform/azure/single-gateway-existing-vnet/versions.tf create mode 100755 terraform/azure/single-gateway-new-vnet/README.md create mode 100644 terraform/azure/single-gateway-new-vnet/azure_public_key create mode 100755 terraform/azure/single-gateway-new-vnet/cloud-init.sh create mode 100755 terraform/azure/single-gateway-new-vnet/main.tf create mode 100755 terraform/azure/single-gateway-new-vnet/terraform.tfvars create mode 100755 terraform/azure/single-gateway-new-vnet/variables.tf create mode 100755 terraform/azure/single-gateway-new-vnet/versions.tf create mode 100755 terraform/azure/vmss-existing-vnet/README.md create mode 100755 terraform/azure/vmss-existing-vnet/azure_public_key create mode 100755 terraform/azure/vmss-existing-vnet/cloud-init.sh create mode 100755 terraform/azure/vmss-existing-vnet/main.tf create mode 100755 terraform/azure/vmss-existing-vnet/terraform.tfvars create mode 100755 terraform/azure/vmss-existing-vnet/variables.tf create mode 100644 terraform/azure/vmss-existing-vnet/versions.tf create mode 100755 terraform/azure/vmss-new-vnet/README.md create mode 100755 terraform/azure/vmss-new-vnet/azure_public_key create mode 100755 terraform/azure/vmss-new-vnet/cloud-init.sh create mode 100755 
terraform/azure/vmss-new-vnet/main.tf create mode 100755 terraform/azure/vmss-new-vnet/terraform.tfvars create mode 100755 terraform/azure/vmss-new-vnet/variables.tf create mode 100644 terraform/azure/vmss-new-vnet/versions.tf create mode 100755 terraform/gcp/README.md create mode 100755 terraform/gcp/autoscale-into-existing-vpc/README.md create mode 100755 terraform/gcp/autoscale-into-existing-vpc/locals.tf create mode 100755 terraform/gcp/autoscale-into-existing-vpc/main.tf create mode 100755 terraform/gcp/autoscale-into-existing-vpc/output.tf create mode 100755 terraform/gcp/autoscale-into-existing-vpc/terraform.tfvars create mode 100755 terraform/gcp/autoscale-into-existing-vpc/variables.tf create mode 100755 terraform/gcp/autoscale-into-new-vpc/README.md create mode 100755 terraform/gcp/autoscale-into-new-vpc/locals.tf create mode 100755 terraform/gcp/autoscale-into-new-vpc/main.tf create mode 100755 terraform/gcp/autoscale-into-new-vpc/output.tf create mode 100755 terraform/gcp/autoscale-into-new-vpc/terraform.tfvars create mode 100755 terraform/gcp/autoscale-into-new-vpc/variables.tf create mode 100755 terraform/gcp/common/cluster-member/main.tf create mode 100755 terraform/gcp/common/cluster-member/output.tf create mode 100755 terraform/gcp/common/cluster-member/variables.tf create mode 100755 terraform/gcp/common/firewall-rule/main.tf create mode 100755 terraform/gcp/common/firewall-rule/output.tf create mode 100755 terraform/gcp/common/firewall-rule/variables.tf create mode 100755 terraform/gcp/common/members-a-b/main.tf create mode 100755 terraform/gcp/common/members-a-b/output.tf create mode 100755 terraform/gcp/common/members-a-b/variables.tf create mode 100755 terraform/gcp/common/network-and-subnet/main.tf create mode 100755 terraform/gcp/common/network-and-subnet/output.tf create mode 100755 terraform/gcp/common/network-and-subnet/variables.tf create mode 100755 terraform/gcp/common/startup-script.sh create mode 100755 
terraform/gcp/high-availability/README.md create mode 100755 terraform/gcp/high-availability/locals.tf create mode 100755 terraform/gcp/high-availability/main.tf create mode 100755 terraform/gcp/high-availability/output.tf create mode 100755 terraform/gcp/high-availability/terraform.tfvars create mode 100755 terraform/gcp/high-availability/variables.tf create mode 100755 terraform/gcp/single-into-existing-vpc/README.md create mode 100755 terraform/gcp/single-into-existing-vpc/locals.tf create mode 100755 terraform/gcp/single-into-existing-vpc/main.tf create mode 100755 terraform/gcp/single-into-existing-vpc/output.tf create mode 100755 terraform/gcp/single-into-existing-vpc/terraform.tfvars create mode 100755 terraform/gcp/single-into-existing-vpc/variables.tf create mode 100644 terraform/gcp/single-into-new-vpc/README.md create mode 100644 terraform/gcp/single-into-new-vpc/main.tf create mode 100644 terraform/gcp/single-into-new-vpc/output.tf create mode 100644 terraform/gcp/single-into-new-vpc/terraform.tfvars create mode 100644 terraform/gcp/single-into-new-vpc/variables.tf
diff --git a/.github/workflows/code-analysis.yaml b/.github/workflows/code-analysis.yaml
new file mode 100644
index 00000000..527a9415
--- /dev/null
+++ b/.github/workflows/code-analysis.yaml
@@ -0,0 +1,10 @@
+name: Secure Code Analysis
+
+on:
+ - push
+ - pull_request
+
+jobs:
+ code-analysis:
+ uses: CheckPointSW/secure-code-workflow/.github/workflows/code-analysis.yml@latest
+ secrets: inherit
diff --git a/.gitignore b/.gitignore
new file mode 100755
index 00000000..b19ec88e
--- /dev/null
+++ b/.gitignore
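Review bot: The `uses:` line in the code-analysis job references the reusable workflow by the mutable ref `@latest` while `secrets: inherit` hands that workflow every secret of the calling repository, so anyone able to move that tag or branch in CheckPointSW/secure-code-workflow can run arbitrary steps with those secrets on every push and pull request of this repo. Pin the reference to a full-length commit SHA, e.g. `uses: CheckPointSW/secure-code-workflow/.github/workflows/code-analysis.yml@<40-hex-commit-sha> # latest`, and let Dependabot or a similar bot bump it. If the analysis needs only a scanner token, pass it explicitly through a `secrets:` map instead of `inherit`, and add a top-level `permissions: contents: read` so the default `GITHUB_TOKEN` the called workflow receives is read-only unless it provably needs more. The YAML indentation of the nested keys appears flattened in this rendering, so the structure should be confirmed against the actual file.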
@@ -0,0 +1,140 @@
+.idea/
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+BUILD/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+# Usually these files are written by a python script from a template
+# before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+# For a library or package, you might want to ignore these files since the code is
+# intended to run in multiple environments; otherwise, check them in:
+# .python-version
+
+# pipenv
+# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+# However, in case of collaboration, if having platform-specific dependencies or dependencies
+# having no cross-platform support, pipenv may install dependencies that don't work, or not
+install all needed dependencies.
+#Pipfile.lock
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
\ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 00000000..70d47f9e
--- /dev/null
+++ b/README.md
@@ -0,0 +1,22 @@
+# Check Point CloudGuard Network Repository Overview
+Check Point CloudGuard Network (formerly known as CloudGuard IaaS) repository.
+
+The repository contains:
+
+* Solution/CloudFormation templates
+* Terraform modules
+* Tools and scripts that can be used with CloudGuard for Public Cloud solutions
+* Deprecated Solution/CloudFormation templates
+* Community-supported content
+
+## Related Products and Solutions
+* CloudGuard Network Security for Azure
+* CloudGuard Network Security for AWS
+* CloudGuard Network Security for GCP
+* CloudGuard Network Security for AliCloud
+* CloudGuard Network Security for Azure Stack
+
+## References
+* For more information about Check Point CloudGuard for Public Cloud, see https://www.checkpoint.com/products/iaas-public-cloud-security/
+* CloudGuard documentation is available at https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk132552&
+* CloudGuard Network CheckMates community is available at https://community.checkpoint.com/t5/CloudGuard-IaaS/bd-p/cloudguard-iaas
diff --git a/aws/images/launch.png b/aws/images/launch.png new file mode 100755 index 0000000000000000000000000000000000000000..b16d779c493cfdac15923f3114ba94d01bf98999 GIT binary patch literal 2941 zcmV-@3xf2CP)004&&004{<00AEV003vB002H&00Br#000h50000B=O+L10005n zX+uL$P-t&-Z*ypGa3D!TLm+T+Z)Rz1WdHy;%bk$G_W^)-PS50WJ!Ba@scL5yTRrMFE7>J3iZ#h|3MEudGkN;2U76tA0Zyq@7uVVMS5rl zX7b6rnY@`dFF^a)?R%RuSAjG$I@nm1r_Y|t+$YSVg=@Hv>tR$D-sYn%P+Wg)CGb5D z|D*-{_-ZY1ddsfkd@>&u+VC@rE~$?X8T>a+w1kZ67KHGIJ6Y4N~QNydDF%rI|f8GqE6UI8s_UZA^;fh?Kg0rN)d*d_WUwG7RQBFQT zIGBzCegmpPnW^$|xPAZt010qNS#tmY3labT3lag+-G2N400|9AL_t(&L+zV?P*p_~ z$KOm%jYU$DDAErxOaU=4P;gLDi4e<5lSa+5Kq)gd!pT&A_zWABkOZB9FiIWm7ctsT zwWO((YAh=!Cnt-VvFX>0_PeGgPxpHsXW4t--shwG!)Nc#e7tY>oU`}b-S6Aod*yjZ zJDz&!AYF6E7K*=mEnSqoCd~hg)X5uo{O_;X#aj6Cn;$!s;eN1yzB~2{Hvr+Fk&)9H zY0S)xHgaxn=ElQ>787P~as^|mgK@^#LjwsD*HQoR57GLqZwC|-3kc#tfVXNjebQb> zzji!He|@pd1|4k)a~gv&{^@Wdb+p&evl|yud1Zx7NUy&2DGSDVcv^OS#4`^9j_zMi zbg+@=y?Ubk)&8J9%;}3Y_9r^J`23A>s;geaLV`v%ZGXR0HeH9OxMDl2Z12t{`nkQ9 zsC^}K;=L+AjG_t?ava{ihBjAu$y>UL=HI!F3JW(-Y3U|~Fr zJzr|HpGqJ{?`rJM?Kizz1RHj0g%Ly3tCZ6cCc$W27NGQGW;MbxmajF&Pz zohbpK!YCjo4ngT;4;#RkY^Ms9MdQii@lf0PBBR|6#PyH4fMY?*z!;h}ahTEfzXCbp zTDZ2!-W?Xryw_@LGWF;&oh~@9&?q9AiS*@6XsNSiA&kE@6X8J%dXZVkEFfH1+jJ?M zyLJufT$Alop|Uuib8Kr|V6>Z%nEw5u_%oO_DTB-6(_DEoWv30K1KSqcV*d@ukp*O3 z&twmleUE#oPt=W8Tay(%d(KoM!l8?3#*Bv<5fi{h8~Z2LhSg?GZ8h(O@UoEwgn|+f zgz}-)!Fxygabn+CS42Q2+o?iDVI1eUr#{taH*tQ%nH+O$*C?YM{F8Q12HHZKXxn5D z7VqpFs~vm^bh<<&M`q>{-dN}7SF6pn&W?v4ur%PCT=2vW&ESo-5)fV>eg7_0<}aLJ zz|8`a4RkznC1s~ZD!=|QXH)BggO&ZjV^^@fd1<_B9nL6Ay|kmpNZj?Kd#P(JyeWq3 zD+@2?^4j@v)-rUiF%Kuw2J$!Akq6p<58Bl8MZ0nxAi3-DZn?JACvh1$qkMelaP~8` z5s18uaaKFPUqo2a^h1_32njQiPTAeoJ_rJ`z+?l>;7vCR2w-jdahJ8OznSiiAwfYp zz+?mH5ZpXE1f3+`Z0QVVhnea`0EnHHAI)WH2OSI_oTW~DaMt6+CV2pfcY>VZ50Sth zqR@R|cM}kVib0ng;Dc*PY@l47_bx&dd$3#-J;sU?5jll4xl=k_M@mX53kfq4#3bB! 
zUAfhsPe9NLG=o<_N4wz|Q#vZ)Sdl-JI` zMENW%=)-mJ)yuk%An~}i)H&mw9DjM3C5rRdM@P?7+I4F~=uWQsz0b^g9_I z55C-jE+n6rOh;VYTz=e#m;{IlPjnE_A0O1RW`GjV{*8$?0sXe;%5H%h1kQTQYB+zr zBZcNoiKfViGuThg%Wmz*_MJ7C+se*5w1YFss23k+-KZ;kgDrNQVB#fTCm(N3rl-7@ z(agLk_Sa)f?MlqGS?4Q%xo7bkozj)7^SbcSW6+Ln2X49Q#P-gx;&l<(#pFD&tYLp7 zkNgl5$QoWue;%02dm!Ts1Oa_z4YDbTV8BgEXPA&qMyKJkbSyr@E*&OiQ=POS0|3E0 z>-0f!;`DW^bAs#WWqc73H19X`a0$M^_# zA?b%KYl1GOg50U}`|IO)_QC&J#ExFswFg2$1O!#PfsS+oHwjEOkTo>IX5U;sfXnyY z9K+=us|Ip;`c=J@PkqUyHXoc(hOhWI>+ZbXH@H>BvC7BI*RAekOw9D{i{u(^ZJ-YK zEoI3qm|Wol8`_qBNFLC`+RP92^9{t3TZUP&x`6D+AxoORKhnX|95nFL`(^aXjt#6C z^%T}GYX!A8B+$`TpMXq>00_(t+#nd49N`D-H;wl_Y2;-@((FmSspq-AskwAoU)9FN z(PwcTe0869ntbAhFUl=d@hZky2VaRpJFq8N9UpAG6XYcA0NfA!agD>wLtB#hGdcks+q5{2%QbgjqT1M5 zGl=p=bUo@P#r2@4SHvqjd=Ue`Ky`@G+mRfCjn^p{*GmZj;4|vl8xoZd?oGcQHomAw zn-Ys_bSGE%NR0RvUEABQE*NG{!V{ec$Rs5DvgQ=gf~na`3$N9WW$^&@CK>{2TQ``F zJn8#JxdDNN2|Zq`OYPhXIYs0YlF&69;XTq@jcG~)3+7H^@!0+^3=au-qFh*7)*%Gft}b6G3UjQZbrJc^<6(XvF|NW;-hI1pHv&;^qO zmb0ixlZb#%JQqf0S{wWkJafs|H?0`MIsvx72f|+@qVk@?F?<2MP?R7iu!RYIo>=bN z7iA4iQX6cXQHF3}7tvu-S##f5ipgBcOPAkYB;s$PVHle~jp`RA(2Larc|(mr9XzFB zpA;rE!I+xBxSBu=W}RDR+~6u69O_pYn1vvsrNwEqxoiMGMmj-#n9yKr!5Kk)hc8m}Nh?uAr`{FjG(sO+9T5%)>UUvs ngnya({{|0K82{jZnM(9G9lJ2&?EU>R00000NkvXXu0mjfzX_8$ literal 0 HcmV?d00001 
diff --git a/aws/images/step1_aws.png b/aws/images/step1_aws.png new file mode 100755 index 0000000000000000000000000000000000000000..a626c70530cbb151a9e99b2f236223c15265278a GIT binary patch literal 29773 zcmeFYd0dj||32DGGdc4qb!IA4b8D>3$u)OT$#KdpwY1!oa!nD<1vdny@ss9~nz&ZFq?kN8+)qm~UwM*XF={L_^yY|Q)UnhUJNA}85faV+7pRW=<9e>@08B<%7 z9efjM?`FSiS4-hu@s)37$KPLb@=M&cOQHYs<113!qp)4O5@(%%v%i=cyt0#b2L!GD zxU+qziud+0yj8Ks9rC2+$-+el?`7KAd(n+Hu%toHh>QchKX=L{<+)$Wzj@_{e66od z9`)Z;ws?8zyvl(ezPbLxPrv^9tHIHuN51dcb>!&Wuj4sg#oru<+C{>tY$}n7r7o=| zb>CV2lzyr2L`|?*Ax01 z2G1BT%6RzLqHG}TPCZGQIzPJ2a_qdVT;D61=CW$BJ>~@X;#}v3NcxjBV`15MZDE_D zaS7{|cajKCJC{b7xBTa-zo)-bMlYwE#r7tr_b&9b%|4I|&L=Gp4-}I9ezIT)JbR1P zkv4mDQ-W$|Y7W;L#=17XX&)S_>`WhT>IB2-S9&H%nybUHylq=Z1E52G!6Md)fKB228;|BRbW+b1@UX{Zs zI7RazdSAK&_e1kA?M-s`Tg*Gc=BRJWEZbK+$bZK`OivzSA(Iq6qg~5ej?80TVhm@< zG|GluSv4MdRi0`T&M-7A{GRHT=L0S{>92wZ1zU*U9i(@}+%g+3AIQCB+tSABd{9lt z56&-}(x2c0_Nbx5%Ddv-^ny0e#xM{YVA?-fb=EQTa?yIU`0DzGCF}a88R_7rIyxqY z6j!UlIzD>S1Yx8t!8=n}K4D#q_E?oxs6=Z9e7Y6vfH*{XNjF~x!BfV0vgr;)EA{sD=H062Tiap1SU^Rb^t24#I+!)iZE*V|oCKFLLoR?5FLPM84kVYhnEr>gYYcIi5 zAA&MVAXDrH+?9G8yjij&EqoddO|~jmDoPVjA0^c*+j$>+UZ0)xH%wkXk7EV+C%dT?|tmwlmL0Gv}!;1Bi`O0QO zZ!tE_b05Mkoe6H{$(BBD8oe;PmM~gkdM}kc7s--^Xwm4aG z`HD@@O#M1xQ=zH=^H8Hc2Be110LnWbCzTSn97Y0hIPgmGfN>pU>q7g<taSCYy)#!PbNi2%i5B)w{DSSc(?z z+_sLFxpEPMFicP}w)E6%t#DD5sc9Ow+DySBI z=YYfQCA+!Zxdj|9VBeE04RwdS0{Zzfa}mz0d1V~e@#^=?l7tiMpAJJv+C6&>!>y)gtJ=qaK|8x1c8fo#pqFnpAWcjpi3DNmUH0)81z|;= zi9){>JmjdHZokQIi!lqsg)bCkl`cb6Q_8*q%`B;@Nb&fbOCctK<%f1x%$g1?=DGcj ztJP^#L(ieU@7ccXOM!~#k0Ea&C5Y~(_k%t(P@)(?HC zS(=@+OSwGjJ8a3`k9fj?@+7YIF?pBuBflm4aX|TbG{H{G=0FBgyB3}bZ$TCZ#SKo2 zXmaX1`#kxOn*o?=jfQYi9lgxl7B~B0mJeOlW?z-l6;da(j?H9;5Dl8`T?o$YD)F1+ z8_E|^XEhSqVZ*{W zX-I5ua7}#*Q_t3z7x^EIlJvmTe2=al-N!H|4`F0GKHvCc5T0^n#EsN&w%X5N0}K%5Sxf zos^HD#c@(12X47i5a)7P+2KXSlP9{&gCzNu`aRW==lqn*!$bEX0>Epo+7DgB=CsZVqV@-|=R4MA{Ie$xdj4mz{y&01 zZ_#A1r4JSg^YDlv$D;m0&f_ZGq60S5D)_K-r(JEcEf(IA=)0C*! 
z{$CAC{z-EHegJP!tyU`44qWX8V^nT^!^!* z)NNZRdb!Z`dM)-T_F0QWdaD4mUk7g35u>st-PRucGQILoa>@~gN``)_p_jT>_8V3Q z!k9GIz1#d%Ca5OwVX4OOM#ZG<U57qzqT^r>!p+Vh> zP(gFwh7V;Q_MdYL<;mZY=$C^tb)HKt)PR{nqQuGM%VK8^Y2CQr`U$b|Dezja{Jh!K zqUUdnoW6v`VrO{K^YebG!1PoDOU53as;Se5tIBBQzniwC=~GTu9_jUJ+S(jai_1)t zS4Cel-RJpbDy?Hx&_)-P7=;=&dkgT-diThCTB`2R^KD#bJ-;i1#gY)6(Hb;q?zipvo~1Jef-StQ`j znWjKoz0IYT^I?`4q|sg@M4h>zmk?T&){^)DySjchg4v z-{wexv|!5({;~wGVEPErK*F{7p#_%aYI^UxrpaZMwLgQT2bjWHNK5<5M)MI8xhAeB z|HGGvF{P=FeH(BG(`ilYeOm%z+{MC+_Z)ZLwwCuBBR)-$FC`-u8~YP>7Edj$2EZPs z9a(?2!eI@VfkRjL4(ubL{W;yA2N{vd^Lz=fybK<@VG&m z+2K$+fc+IWLAIoyFV{i9=O1hdn|kis1&<+ImHT^cifJ3Effd-agoG+6_cZu!uaaWm zc?B!X-5+gj0qg04&{o6rN&S;@#*f2WV&g4_+2h7Z1d3Oo5HyVsa-b|~x2+NTYbW(`!2QBB&F@ZN6T zOC?W8fVIhAt#4~mWZKJj*QS*i+&~pC9x3BOufIk~qXIHHJm#dLYVMM-6UpdaFM7l6 zv_16d1H1(x6sN|}yarh2kh3=H%g1X1%@`~xdF18uovdW*)uT+iB>_Q(<5G_ z4A~EL?p@8fWNX&otY7^TtC0fTm`J_sl`O6&u{7Nu10wlR-qNBI04M#EbPD=5t7PGzF2;m&AQLGnqkDoxg(og1Oq>j`3?pgWR7GkGMc9 zqkmtY;tg)8>T>1}?JW>(TpaODxo7j{&#Y5UkH-?lN=G%x_Cu|yN0C(vq^0$HfzU0= zaDh;(&i5(MWL~o&e2KKub+dnM>3PEM#eJ)d_h&PMu%jOk83ij^;Xxyh(t=j}@kSab zGhkUPFi_)E`Z<&+P*`Ou7qu0{8iH z#{Nk7w%3|uDX9VZv2r@cm7aYtbA^90y<}Tec?8R12pGnYym*PM*HNygf z82Y;woA%ayyWg?V|L`%$SR-)J6sq2wr1H6x{^)lzP~Ovj?=&+9(pWQm=w~Jn>aDj* zTYmk)p(mt&8@D!_Wf6*`yPO=&EJ+EGq7KXQjT73Bad^|y$-mZA6QH-Rx+B_Snbu~g z(4jvJ>8|;ZEQ?je^rB*01gw>`aGI~BW_JM4(G-_)j$!vHqPIH&(z`u>{oO?ir?iFB z%e1azll5+h&93~K3TaZetx4!={YHk`P5f}^cp~(gPdp)MsxMm+%i;&V*baGFly#Io zoSBf#y2de^5^wdwFUzni*_Fk*V~Y?a4`#^+gwP2L!RcCi7ruDanGE%&fD!LGzqq$W z^$)&#D^ZKZ2K%^%z&F!}(3Hs_5N8LEa9y^1YZazD<`tL>?ZyT0lNe=7xJrfqz=>Np ztpSVhUQ=CdFpW`h|GQ?uHG3ikpdfc?`MG>eGUL27wQt9JnJM*73*>jb-nLHDVK91+ zm+1xkh+SC{&8ESmtM4|3p3_+6;?^zTasw|pB`9Kkr6v_}DVgA-8tc`Aw|GGdABYm* zt2>43ZK5`KP?H|n3n`q6Y8By#6IC+&RdHcIX>r@btU`U+4xSe(xjUL9r zg4Esi=w8BsZ&sHFDz+#>T}3&o`8|XAa^AAVLtkqUZBeD z8!zE|be*}!ks1MhZk`IHN%qWM^T>hc>xNTcIbFHQf&9gl2IMJ?F-#=iwS%)YN5y_p?Q=(vq=ZwI~=wJo$LBcPXTv4CQw@5BZ*Mk@F@L>+eHRFt5B$^3OcFX&|E+D 
zM67t*vD^H^=HtoApEG5>JY+?iE%e=NAY_)*0UP(2OAqYr9t)UIMQ3auj=zHA4>8?y zz6}xu_(7=+L&MfqgSBh7I@g{pgn9u*VSfSXs7HTQ5!&?(T&OS}Rao_a59aW+ijP5P8T__cI7BkC(K(|+iFsxgQacGjj10aCN;H5A$D zpK#xO$DswfvtHqC5Cf07KwIQ*zpLbX0sq|Ghi7$sk~qnNo@EZ}AA5&e81=0L7EE19 zq$=&jC^p}U3TjAe@xK>ri-nmFj++I91auAdH|FKC@@{OyLi#JuuZWe zdfSc7dEc^}6h{I~2?lsJp);R=hh>|BQ-5Z(d`)k|?CrGS5C|A(KUzq}$TzZN#GJ85 zA!o3nnpht>_*@LR_9(@2eYsei6a^`s2*~{q#{J>p%68jAUzF2?6uL=}t;$pPwz zlUH-xnx74eeNpN}NLoBVBcNs`D=8o)HfNJgL5W`K2jQ%VO?(7M(v$E_@ZP_Qkkn$v zo8hO|OZ@m|jQk;aV%LX6P>r&WTbEgEACKA+Mg_E7bFt>8urL{*UwT4c8B(O-eYNiic2nk!>$?v*=HNhDQ5QGuN ziOK9b3a5sjnXWY8%?5j?f5xBXgm zDVm2ldECYu4~4I_FB$k69NH47qf1b(mEH!OqyD}I(}qekKBjbBME$fIM7{=y-ODXZ zEgDbmjy7>)|H1JE*=4tRcTBo}giC0()b^amAw{i7xA+>yLSxEhN{?bub&C7mFaPQhUFCvDdwE+tx!~XLb-_A$LY!GMXNfU ztMg5Y>lv#VUOh)9i{1$SC3UQ!tWU$c}D7ro^@x9MC*rknpU_7AMX7K82W zIZaJ>iDGv|_ZYkwJ^Dx8{ei4hJ&^0sX5-=wjM+G18%W-|f_QgHaIm~9YzoVIvMeG` zU^Z_D&DSlSI{u=LnDMiBY#j1A$B^hL8_G&J@ui2?41Q^wEQK=7erqIs7zasy#=Ok_ zbrd|b?<~$4OGZ3azBdOd?=QLi?uAeH^xtS{JdRA7n7H=9%rr^^t=GpMnf*kRG*tBI z_Kd<(ej|JBG~Z6RG!p9zL&GV-dub`Br0>DF29MpPmpsgt@BF27ps$?JudwuYm}>XI zSrsKQ9-39$IH}$GLsxRqc#pI=`a=}>Sw;%`xky$9qn{1Yl;yVkDYi{EBFVuu`pNCsgr@GeO#$w_ zdP;0s?O1K=Q;E6!uQSK{x(~0qWz-Ef{f!;c03kC^M&D4(-hPatKNI;0ym#k^$MZnt z4h61}?afEVdx*vH)OLB_X#VZi6#galmC?-GeEXsL#kcS2X%i-YPP+azpT8jcO_9OhzpWa}! 
zUcL{wTtV^aS(pCL?H`Wm3Np@!ro7GrNKB|3!*99dCuf<^sSPP8*?+V zHS~gb`K+E)nk*-aWE{5a^&6!3iicVAB!zS`Wk5K^<`XrGyFdKeb#{ol`pcv{ zhtHqhit3)uL#kuhau+ji*<)^>0zeFwzgza-U%1oh+tb$ByFHBE;|Q$r36?zBHuGFE zKQ@`JR&Nj!lsxlixRF0mXG|m8#~;F_Ge(xI9!`*Dn%-o_w+Ce$B!f zara*|nQG1WA2|<8B}?u8*G^U7JZaKmsHG&tEXaKZ4vzax>1Ut4z76D@NF{^($oa9D zm8;!2-p4TVP=e-|RQ@8sIAjl#_u;z?9ogT5c zznl{khtby*M0dWCr~wc0e8S87qW$y&nJHRt0KFq)J$(^BoO%z%+4@jqyMVZl!Y4e= zit~zmk-ywIz{%|w?K|VoCC(-pV)W#WKu|h|uNJjJMvKJ+%uK6^c{9jYEu|#0q&)}Q zZiT%~L;HMg*f;!a#mS^;&GNlmqRkP^OTqPGGj?|T8?4VyH0H+gmRU;_jK5jJw|CiL`{0GSk2&k3xAeQ(XpSyv%qJY_ z_>0b8h|4#Od2jrLk)9;hQ>63s_O00@JjQx`2XzVjfKNrA#29$k+Kh)!_F)Q+XO{F% ztkDgVxtHyr(HZYK_<=trf2fO@$?tqX`?vQ}iR%KT)69`kKvqAnDr6ushlg-nw{ z(-ADc@h4d?veq{6wTKZhFq`m<`$2!ApvkKbFuE#8&zf2bNUe1)^uT#-d7FeRjq^za zRrJVBN1A!t=BKukfMgc}l2V-TRce|FIT>^NCqOw~T^c5%W|}g-N)sKgN^Xu~s(E!u zOJ!86fvi`%)Q_+%7+-@KBoEH|tq8CmKXg?W#?P?YAZa2AAY$;X-=Z)kV0YcT?WcD` zvoBY#{|1Jj+p#4H&3BS_2m6dBPKXFo`wcsYlS6{5wfCLsxgu;LC2+Tb=acL1jeadp zlPyiR_syGG21=P56Z>5eJ3E#{uu0&8qLI_9>p%J1#Yu+V3in^baKC)!+@Z##D zUZMEa2g}q)^Iyfy4DMb_PJ4X~z#yODKxteshRgD*!q$>(UuhD*ayR)dvm3LXhUrtB zikFkyL_A?29Wn^? 
z%8u6p);TYut*_J$lY>KdstF|^I;kew-mHz;+o;RCzIzEu^;^R*A*MIeID}c z-VNrB0>N|9b*O@;d)Py1*Zbcr{`!Ae_fOD0|m z3Es9=H&+w=wir>AkdZIBAvhe$-%yd!lxNnW(_ZF8ZvYQfef(c3bL$_KVq^$P^S@Ef ze-qRxa_}()Fc@P z`F}vY@6ok>X0r8JnKP|4`M<&3Yr>?&Y5?ms8L1Jsv%@4YOvZ{#pZ9H+VqZK%N){}8 z6T*cCbE(Gvr52dQkI$t_Zq%_ua$9s}_&Ik7J~BN6CfuZkawR+LE=&K#mW;HW?Z4%b zPiYG|Iw8!vk&_0?rKaoZ+oN$qDcU63WhoXo{zXL?zej7`9Nn4(x{pc66ZQDbt~#Xo z<^V7^04ArPcGJfq<|Vc0^&7zu2TOXEDF@c%@NHK6DV5*u4Iw+)dG=iM8E@f;YHhK6 z>Cd-f77Ojnx5KBmq;MIX5+p;7T#H1k{2Js;>hKw}10X$?wo2^wQzAoW zBInQlNA4QDCK7N9Z@88n*sDmk#V1~0B}%}{L3m8E9}0aXnl<=N^r^p^+eh4P+@?go zaIL+uXkrXEpM*y!9Q#L0i`qvuc8UTOq0)JyGKQQ^=)cM>xgr9!MqKGUI3TOBs^tGVA zWMoy!_^Y)$R%WEA1GwXe%^P=Ez078;)v7PvPO`$y5_ZgC`>`*GePslu8ggs!)!Gzn za>I7!^5JGq;d#h4L@`qdd4N$iy zmENhfal5P}E5hi}>mgsIl3u^i3Xd^e7)<3l-wECR9US%6hSblHNmb*Voyt_M2&3|1 z2XeK7iB$Ff-;HysCoMWKL#C>SgTE3MR3L<})>=$}DlCJ$s;DOvTV$d*ocd=S{!Bc@ zar>~$S>o1sXyA{D%$YDRWCON@0fiLEat)3_HxZ&1<$db zu!M|thuVCPn$1^RdCMZ=mOb@X(G&5;!a%84r3aHIR*z>yaSNsClMAgZpc>b9C15SP z{dXH+Tr$eXryPF*u})a-XqW%a+*VR(ysB+M`eR+>&HjTAlB^CcOX}&M>4iZK4X>>< zogCaNfNPE^7#4`~4iAxHNqK9HaT!{J)!s7_0ZAvWg5E99K?q7aNJbM@mM02`+LDzl z@&Jqydbiplh`Fr0aIkRTZf#y+^(0`#cQcjm+sEC#){+Dm6QAxCG%ZWmnYoDAP{)C5 z=#3i-!63pH((8K#^PCgVabZ6h{!;)Cr@JNMs=w!EO1 zAqfLBf0_X+pl{GN!RT{Wt0O=$=^q0w$p7Ns(5U)pBkI0X#A+p3l#?3FA{iiqAGkC! zX-T%I9-`CYGvFUCHic6FdeM!&3^K#W1eAF{($U}RK9S=h*z8}sv(RIp1AbQGG1zH1 z{iADRe=BMIBo~GZ^uz2JJ+dEiUKsF*K;!(zA-a1`bKy)TiHOVkEgU6P-rq`*B=|vn z*OW8Z_mlia@huM%R`MCR+uH!pXkwMEfx1IWc*+YMdX`dD(W%uYRA@3-zdrh!*EI86 zFS|)$>I%#lk>)MpJRuGn#*#t7vP$CwW}!)qy<&0)x2J()Ubjx)oWSgSE#L8Ds&w(C z$v-=mbFsDRqP>e<>In;aDYol&+<2q1-Q3=J-nXkO;Ea8UqVafNLWF}fvt*D`j#3i! 
zgW1P1tz`@fpu!hQPBUITj2y8zQ?}=)+TMl2wZ=9(B@4F0^<{n^cDuW=o3kS5&b>ZB zG7!3rAe!O4^E2QSbS~-IwBmT>u}pPzJJ1frYH>{`GlL~I)pxTF^x@Z9G{YK3sUcC_ zw}LjixI5L@*douexMV#59FZn7Dh`TJK|Xe-QOMqIkWV<HyN*tma$H#mT0X1aM)(tY@5*NguG_%eP@5x5zzVCJ=##zri)o{9FU4jyC7aF zPDl&@Rj5fj^yJl}m6juMhV8(0dzbhOW3|T$Cx<-fv~PUk4lRJuVGWP_ZdI4xHm}|+ zT@^7>3ElQXm0SH5;}PUsw?sB-RdqwFZgp)55ww{iG+Q9o;>Yg4YEeU@j|?qO@mM)J z5p(?|e3ohNf8PjiiM5XD2fCv$+irA!H9z*QSsyREGIc7!NNTyylQvnoXbEZzf#eQr zY=;JVL&jyP1~a^?+QtRS(h})YW1_o&5?>g zBDvfS#~fT`c21IRtaNt0ICUm&8EuQtc7Oy z=;I~~{q0VbTKrD0R8lKlBfj|1pUqmqGjpU{wS%OBYUHYAaDTb|(04L-aag%6l;0LF zeXDa!)`iKp=(N^8rjRG0z(m)j5$=8KA6;riJ%ZI{_$|)6WW7DQ!asz9J|F`&ZU))A zzA#v-6Q13N^$n;KY{;T~x2tv$~sqlF15SB9E z$AHc2unZfYIS`y%d9!VxtM8h8o~)*e`Y<8PV-r_wA%GULg<*0;GOY2dktJqW`AkP) ziK%ibbFLz|hPZ%x9PdZBbJ&*co`T!!jp2PF@GC5m_qNj#M(_vUD5)6RW+rFq>l3UVEO6Fq8wYj}uyO&s_;)MK-o={&g^Vcx^?OFzyB;TPiR{X& z@v8GpIV1yVV6R0_?}jCsSCvA4z`!|=f6}hT+pM;gOOMBHpQXOPM`pEYgG|urF%;o( zo8T(Kf)FsT3);AFq5{9 z%Ob3i3e0X5JVG##vM|JEY|d_NGd*&x5)ZxTO(T=UH}U}P*!z*Pol15g4=cZo9)G_M zJE8NhTG2!8%mcT=gvZ|)2wAU_33g>J;GjP4ol#WU;d8S5ku945`047jC=U5DTUS%U z@gN~ZpZwMy)}DJM_e<6S-14ph*G5Vl;$I}MCb_QSQ7Wt{-2&(Z$I=(%6ZK88TcR)5Dx})^r~=om;f^N z*+1i;wFKVlxY}RK8qx_aAc|}AW|4Qr=XxW@HxRB3&JAu0&I`>w=N5h0vdBEJNB8qk zqe|YAMR7)%C9C&cL_)Kz&xWa8yDnb@c<+51TOsscc^dY#?*0(bj_1D;?n?TZn4R#z z$Vo;0Gvr6hW_P9k&gUXh4mwjM0Re*%;YFtcKUYLqE<8%sQ+fnn8mq(g-|i-4Fo#m- zCx9f(ZfQ+9fuIFwvX(UUluZU_XWg%vFoyA$K0XGxBNW;HzEX6`dMTyo)W6EtoONP? 
zxI}e;blMsNFDf>lxir-l87I8-VkC0D40OYO=z=U@T=wYllne@LC9@r!bGePYaVoDC zdEZ89*Dgli+4SqQ%hcbT!Byz{&UYdwW5Eywy`YF0=mg#{0>qQ?v6U)jyZ=x()>ls% z=1ozDXXhy%1%*spH^-FwKn7M`wy7oAexqw7G{Vp}SDGOVv@X;z-w;+gK2l2)?cBbVVB3>HX*W3lty|(3Iu`cVRq-OisAJe zHk&ibDdQ=j{vOnLTa#IUPPM8JnNbcW%Frb&z~-qbds-QRM z=Vc=QA*Na+a=xk)dM549^AMEMeh({sgX*pZn_XFhTH#4=jh%!f0`Ih>xmBFg4e&KB(wX`(`3> zZI+NUJ+j;}mb0AFGBTJNLAzrNop4gHDj0z7s|`9CIj}=1f04Bg+qJ8p?{?t5WcGgS zTLrgnR}@dR$&l&YR9Y<4#I3<}fDXovJ-3w&T={5eqxrOIT>AcU+-IsO2^zDcBKgV{ zI%Nw(6*l%T`cU4a@k=PcSUIyi%ie`3xDuBZ*sYgYf;ddmVxJ%BTWwcHx=ccOtjlR1 z|Lh<+fb6Vd{R0swwG8bV!UEnnB~)mu)9&mOsQ%eYxx>%oNa}1hZyU>k9JRMzVLIRr#3x7Ue1LH6E2ce_jvHf7OYc zEKZFdrFG=u^pcwcej@A5D2pi0DF%g(^<()$I>q9Kyy3{rY|uMTgvGvSOlYTipqb7p zGI{ey@z<|oR(h9PP(20;<;>l?t}Wl1`x+TDuh8iiB)T~lC-W|)CuD4ug|h`H*7d#a1w`1jMBxtD7_z<)DqgJ3{VYOkZ7nto z`b|X%B1rmMe#w4!7Un<=l-O;GMaZ;sZ6OoWXaMt@7E|GJ7LUIL0;~o>*2iKA@3q&i zFDH<#wR@Vp2()CzJO>`hZSCacH4JWF0HD9^&9(VAb^c<1*OeW{LdTjgKY)tQtA9Dugcj1Um>bWyLf-s!ae%dvjaGl*S4QU-(ByO<3qeAcl|N+kNIhEMg;yKf*@T!Y zZwq%_zS>y;2{0ebs$Ri&QRs5r8s*{^#!skd4KiMFIbWVbC1nL=?}P37egCAB!Fds} zTx6>9Xhu%j*K4+$j+376UEm__#xWXKtq%vJ2V`uaWwd)VFIX7SHA#a^F5{)4f>z4j`%x$pE{R!Hr?-kJls=j}`UjVGXv8v0fp5pL-d~ zXGTAM;B~kW6@@iU7%cJiSEo+a%Modjw@MI(jSDjO=^gi5Cu^3}`3F#^Wls9&6PYD5 zUOEGvc?|=rsoJXm!CZwUj+a8p%;V-Kx|4(VH`J;}B4-_pV~2`w4p`vj2Xe=dmOHrV z;!a(WwI-&i)5I=e9Gx1Hf-t_p?^hrkNI?o6j3xPr>!Z2wPbG@sRNFt0@ua5#UD0mb z*K@sNU%5e_-UH7 z(*5LJI_gI=Z2N3F!a)nD_Mrk!b9a7!OXSXj)G(UY+ItzjdO3MIlQ+2lMydr10+S`j z)@H|Nd!f5;&RWZEAnTe+qlCAQfiPAkSjeNKPPMP~xqxqI9ntQ|j9GJ=s-Ur*sqhzB zH-u~)b2WN@NF1@trrw>bfGRTwmsQ&VFao~%O`k(`ZdKvnThe$r)`MJX3 z>C%?;;P@TkP6h6iIpl-}M{E}%5Zsk#n`tr*f!pX+8vU~po6?yv<5s51uHUsw5blkl zyD&@D9Q&bFyutvCkQ$1Zf>Ngf7yN$~zJ5;;40KPft;k?Lq_mK^p0Tm9d;;~OPi>M+ zpwt3D2#=pef5*$1P93_m_OTX|8(*#jXeVc@vZ>Yh`)cT=Ah}x6m3$z3-jX)cel2EZlOvKfjaE*=<#K{* ztu41vNF^da-Cn=w7<&{bFxy(%qx)8qqo8k7Rczg zJBSN-)3!m_8ao73X1Q-)&bYGf(DFp>(S|yD1L-GR?8!d9M|a1(g6RN=Ifvp!2Y`=C zCE`wOV9sU12sgY?Q1}4B3ED01*)3-h^)$ghP!zZgZ&z*&w1&dEUOjE{(YVQ@93OlF 
z`c7p(pSbDGJx&AKOv1Q3Xjw&g_(Z zGBg>lidM^WgRvd{h#tMw8aa8W|MxL_=N1(#-|hEKDofp~ypm z!f|7<)d9mX_$g+ji`{!CTDCr{j1;;8PH)#W0K1P=h%WLi^>Q}*5>WjQ5bxikh;MjZG1u%uO~#l1fq!4hxNv3tZN-h_Q=bbxONmW$$6Mk2Ch2L0NC6=5Yd<3 zSP-eVDDx6cotJr?KEo{)^q(JbF;hd9i&D5tlON9|?d6|#$@7OoB!6s6CsfojOIW5( zkCV-j!_`Cs#l@5I=Oq$4Q+;-9UW5rB$Aq45jSRP$Z2A7FZA+@RvD(#F9=wa^f;vys zkEZ{kQDtsYX3gw%s+V&9o-@!2WO zd66{+ld~1wtqo>>rb0h>36Hmo7i=VEdz0QScU8RUs4eFoIYaoqt>F3@thlwlZnSVh z(La4+S};k|>+7#(z{wj5!3k!Cu85fxz(^dxEgrS-!X&RIk2JmlOTW_F$$N><`)-$! zcfJhWojEMA`8Wz2O;3BjV=)JQnDHTNix?!%P8E*!;iywc>_8kbH6cSB2b{pMgcn7p zAHLh5Zh56szj;OP(N2FN<4)4B9^vH^J$HodgTsCxG1r)Ir7igJ=d=stGL{8RlS0{j zih4lihaFJLDzJ_@>;isWl@J}c^&ZR)UzIuWCYtIVcsrUq=}!L3O4{LPEa(z8*Hk1R z@=wZXL?s5WR8vj^Z^}H{FgB&UZl|I5cHB^->g(TVn!}OqGSd-XVyqGx0NxMsb8K_Q z$~3@_FSWisi>Jp)-Nbms+Ji9uvc6(eGAT$fSSPi7p|9~Kq$r_E=1j(UyQtRpikHB` z`rhL9<3k?E_yEK-o&dYV`K0aDG;qGjc)S^WMY7#){<6xKR{8A#6mdyeVGi{*>PJdh zT)vyAo4>y}&aN?~Rui|*xyrl?Z!r;MgHqeXgw8&b$%776*Hen5?lA#(`K6xCw^~e; zWcOT}-+p8cnoR#rA!T1c2NdGo+Xup+AKM#`2k zeg-0{cqNc}+5m-YH>815Y-(F_gHTo^D{lwild(nAXgQskx@r>He}?Y>DmVR22qM@V z106p0x!shn&yZWznSi7>Cf>Wf=U~*+Pm<+!7J2Jp#`}^D?j;Dg@&HPpN~JAkcoQ5% z^P}l?dsNXIDSfscL8Y1!32`SQL%gy4$s>{)B%ho<|6-zcEY>4AquXuZbe&Z6H02p& z?MC}UUQ!K33JY9oYn+ueK!XKWi#+irTVeEv@e*g`etf;N%so=V?4$J<-pQQc-ZUI= zo8nD$Wo{ArOEbwkCkBy1)Y_((wFMnF+tC&}-IX$!%jYor8U%%}l)c7}6UOIz3zF{y zAIvOybKCx3`3Pzt%t5Tll{RL`ms&@qd?yt@M9l)lBB0+-iKvz7qJ5pLcw439{rz4f*GJyl1c{)mI!+@n|?pyl!Oj|j6E-Q*`gow73ghtIA+I6+zt z?Gs(F3S6#5hw?73M6bd`s>g((0V^DKwMD3;Da5TZ`je-vK|o%d$%^Qj?p*nWntC&| zZlPVqBc0$G)7P)R-*tJ}T50cFJLtkV?SpfzLE0%o2HiyX`sm6s*3TLs>S`R`b!@<~q+N;dsk_(e&Z9jnah|TS<3o zEdj(TFEU&!*r1R-Gb-!x!-~ER?TRG7(C8Wtr2u9`;zxMG^buG~SCbCw zS;L_L8XQ8&K8N!tpLdHYb-1-`su+ns62u4{ZghiP!ecvU6b=0~<06UQ%%LoXu@;a$ zF+m8)WYO$35BkozhP!vUpZdt|9NrO6WAq{+9L|MNRgb}P?_cZ|%gKyv1Dx@2pUm=* z)VD1{+%7RdUx|wXi;g_DN30SU|epO7~29$v6dXl0!bjd2{_*E;Ag7kz&_9I#EbnUS5hn$R_XhD_{%vv z4paK14-PFl04`>?S)@A{T(bLSy|D{>Ww&F(;Z~_wWD9}TD&$Wa%~tR3hY2TGmc@9L 
z|E;|*k80}N`nI*zwurPB6#*G4g7PxSJQHV`1Qh{gii!$|0T}}cNwm~jW(5S4Au2;; zjK~y7LL3+rgeVAMOcV?;5E7F>Lgx3x-rM*7`>u7r@9SD$pOv+;&N*2*InS{7v-ke} zepz?6(4k1>-H4mth|ip2+M+`5-El)8xV0;fh?E?<{Tuf7j;g24Kz7W@%KfWP!27^P zV-LyRi%gz6BtOMra|~G9x(1}FHXIyC5}5+2vNqG>1sjU@|L`RTT50L%?uc^@aIpu4 zvGKD9sJ4QhIohnIaI562v)&F{EPRR9Y-AIuJT`Ch24g_eBfsk0K!*LHS5-sV$CPF{ z#_G^l>+Y+mysLT!a5giZGvuEl0SSVvSm)it-B*GbMsrY-R)S>HenHPDG)>sqd1bs8 zCC&r(t3dF2WP|a#b)RD{T)$_7lj;uqdB-nNfHM=$O`LvnVftO{rJLnD7$E79RQHAV z(vmVAJ5gur`uFFLrQZxV<-DG%tA^-|j*Nf3!FaZ#+G7Z^V_IjF ziM07{X(UNfiiDatxCkD(~T#fFOzAl?!)#bsj(v9*FG zo>yZd4FVdrzZXTpHzkv$)Y|~++@<&!g(68?bp(*4mB@0;AP2T-a}A?;J_#I2$Z70< z!gm3JGM{Y8>-EhKq(~bppp^O5x@#u}zqXCKDsnAUzd@G0ef#@nfJC&>Eq>aIE{uAA z)n~?j^}2(ku(a}?^GB6{V3pD=ewpI4U=Aztb?U5?evZEtFTV)NZXr8356fRq#$6W3 zYAHjp03-O^rQ|6;w=EIKg)#?;x?Uz1-Dw?ArOpZahdpAhbq&_`n|F}&LLn(58to;a zM&ixxLaa#|5f!Jxj&u!wKYBiR6vA@jyZ~p#G30wy}QZL=HGwx`lEIS9Wy&_|Mfi$;{|^sV1`>GpIN|)4EgVw$AFndQ0vKi(4NEWqC$>?rP``J+u%rU_;l_-+E3R|z?o2j-yDbFRx1SX?{v6yshAA%{Tci=f( z1Ue7HpMEEr`h*zjs7FXg!nt%-Qjps=z1LxQb<8%QMf*^u7wCi=SQNfCl=3j`HVer< zI=MuEsa_OHRy??eY_AT`?8o@W_ryR&S|)iU$%oRG!ALw&8`Ik(wUpMg#7`KlP6$v( zvw)bdS8ygSL9l(5y72ZTfYAUn!H$?IEy0(vgR;zH;Ox#6FY$Bo`b462^lBUvK!N|V z%I-feJrVZm9#lwbSnZY0+q#12T z-BwjYS@)rNmE%a$4c6|O!nd5>gC>Bl=!Kk#o1U~}t55RZwiUg76BCZP{COOIqav0ffWZ9gC0?L;cus4kP zeB1cVmpZCph$`VB;Sb>eY=I>7G$K`uUcPyu^2R^wNdMONhPRKqJ2T8*7uJ=v?QZGe4?c=h+kEQ;SAeVRD zcN^kAABW^aj;9yqPM^85*bokK==_=5XO6(e-tX_i5sBDZ@BXFgg|(DQ!s|r6MYbwyT@7-^Mxq^vMN47xPVG5s`qd%t z?FXcY-^U38#q*=#=hM4Vg1G;vWtE1A1UvWjmAsUCyw~50zm(T$&KNeR6UpdJt zGttW_9(}wMHRGhw1XbIXn|AA@eTn;TDcbmkmtjZCDfVx|LlfYD{MMG@Gcz2qWE4qS zsvuR77>`F**8EG^i;Y6WlXDA0+*Kt?!Z*E^^>}LfjXX?qK)+hBdV5o%b}7|F6To>x zXZ3r*Uw^gk>05sBtNdL$=p)Em`P;Ujx6NZ*eiR~Vpne`Aa2IN27-s>|eH8vPf^mR* z`8uTk0L1`6NF3Xov$TCY5pJM+@AHE-aUozTT=7CXL8sZBgUyfywdv$r-~{cBAvm!4 zJ}g@@r+2a6H*@z?faRyypVMfACgZn0?fAxaqFewuQPGabxiN48dz*Je5YiFb)M(W+ zJz+@V&@VOpU|{KP%s$whS~s^8-f_e;4pH20_jZi+9*A8X8#VLG?NH@vLM>yFXepTm 
znwXxDg}r)5TsQ(e-%s1C*1YtUAoEZEe7@XXeM9h5_&}6pclghoe4L<)_1G`7%^#Me zW-%f^<-?wRn;icuz*eFCq!WF=2XNJR995P6{9~(LhAPP!MC&-(Z6I!%KDjL1S&V&l z(rialXU@BU2i^7u9;^asZa&+|l`|1U!ZC$sd{;HR?0(%M8UEK(G3;d^(($ z;gt@%686w~0xYXi3}|3)iQ8T~sX3n2j;Q(=eeINF@+B*bJDuB4;^^x;`*!CQ>h+E` zuFqQ1n}V?NV`J(d&!l@*PrAj^8^(=#GjAw}2X8JWy`5qV_O)u(vk_H^ZhEiUYiZeW zddn!1MNS?~8Q+Z~UbCovE^eZ3um8gK&5rGxe=o(^!OKxZ+s~8g34mn!gDOpl=GZ~qQr@jau>_wp#JR)5N%{9V;kNgH^32nJA@j8Ab+Q1` z!fywgQH7q(q-+4)__*z9_ZwIDj1&p{hoIrdhF%2G=|o5gy~128uE{^;WrIM z@9UuJ>|N3eTXuVACX7VyA`uxEuz3R8<6UfDffP-{@x^v{2C(fCO(ZuQ9*w@=&w1xt z7V2WoaJ$6;(0cHZ518JKEff!!)Q6Z76#a4xR$knZAdPs^-@ZEK!|80DY@NgTk!9y* zpwm@fZ7{yuMCo6%p0cC)!?h)FY@x)rGX^>R=E};Sm}igtAf1B!1ABnb#8PleW3Hxc zckY7ps6N>5((_gTJE9nwvSTK@rz=!5|qL-BkaUsoiHaiRfk3&>T>%|+=r2kUhW z@Arc3(Bd#G)8q;CReCflagQG6H|-Hx!lZ&flP7I|SB7QUjk^X!J%V{o8_ACt|A`6T zRXc`<+_Hi}^0sEtBF!GT;o<^9BpIUvZNZ-m!1}aqP-*3fmcAbhc0zVS()#a3RTlgk z2zEgKVynBP-T_2A<=6dv^(Z;d3q`>*_Z%7ViW5eR)DSkE-1Dd6%Px;b0IcBjZvd?S z#})US@&`KS1i&CI`l{Qs$RY2~BkNm;#fNdA#vH*A$Uh?BtVAxlC4pubiK zfH~Pidg-oZA|mAbND1U>JQM_tvd%6=%_X%N-$k?-lm<+~LtF9QfPW&CKB$;-;F zYR)H{eEFs?mw_h-qSb*t0~S{KeV+fz8~J2|FTm#L8VkJ-HOBh{Q}c%9-<|oqvwSTT z4GolKx7gT`{Gn+F@s!>t8UcL^UGr7*Gk7|pJNm`Q=~h_ua@^5EVGAJcgSSgBJn`;# z+0GXDMQ@U5vE=H98{AHdW4~jO(eWV(Lc&ktZ_l2X;Z-NPg7Pl5^?Nz}4_qmSB+@37FJ z9a%th+t$$DNT?N8MM+%#G$(g=*l7*?Wna+qWu#M+&lqXo!As^h`&S+P2YL^#KkHwdTt?*4fGR4EcMsi9s0_MR4?XBRd{f0WkYUpJgi+Q+8-90kn_XbDb28+N_Tb1R(*SIiY?d)NMS@2Y2r$SM zsw^P&^pHNikrh8eXH#dLz_GDyp^V^W)Qf@Bg#pE!sSAB_mJJqbZinH<`zD3bQ+a&M zi_61`fMiJ#IqM=;&{~e+<7y;EwVjr$ss8W^UJGV*(m!pu>ctcpPr~3{U&O|&IzE7g z0xB`7Om>C{&YKzJ{C-hKfhneg>{;ft1ST;E5t;^;f@w1TzB)Adx|y)QO3J5GQydjL zB0(JXTtqfKIvh?R>oLXcq^?$%80xz8!W^!vUn|-IeUKDllH@Dpe;JL)WWNh}v!4Ct0oUq9xF_M}d+n7~6AWY;a zME;X-W4JG&^}z?(m{__81%5;=5HVpS3pp07iG`+_Z{o>9#-;q{?~xRMg*Ebt45XrL zcamNOjYM5}rwVdM3v7VT4%5yHv3@YW zHi)TS-V6mm91%1I>YSTp%$YE2cVop#>5K_#2L)9xeBuUuHr5CxgmvNhu#@WSM&wr} zSkA*&ajE?xi>&A-g-`SG_6AvT`_O0;+o4G&-laNoT12?);@ei_xnvOzSHJ{Cbf#ps 
znI#w|->Q^&B}cJrtyE42_UVYGcB{|ljwSUAyJJ!E3G{$4xpS|b%=@hzg&6;JT4QVJ z4~rZ|5uLubjTo=m7CIQ4@%=Ib|K1q_!Y0c65y@S1)(-#-vrIY~#%(#y4O||J@Z!iy z6X_p^(SA*x=H_I*(kCiS(UQ)3w4_PB#%#J>ISfl8K02E0{4RG=-*8NflINz>x-^i4 zXVGZNwETFqWmy`ZI@-2#%ONzUgLg zXdyyyN(ldvv;?TOL|p+=bD3I`;0u|<#H;brw5f;V&!5VIi~3edNq##}L$l3$WQJo! z9Xyg&sqjG1Xw_PMeKDJ83OZ(Knrb33e7JVwL%scsc2?M|R_Q1>I>ueaZ5nlgNo4me ze;24?Z9y>C4e2%q){&;Lb=Z&fBX5=NyMT%+QrJ?8F!SJ1i^FsaFCxX>k^M53)0HxJ zZ%)dfty~}ws(0H(kRs`%R)3ZKzzx(}IAo&y6;C3`0$;r%II5KxPUqKgU4U{dY+xQM z@*`A$+2bjqu^fc_Yk#NP+P8(Nt5orbZ+O@X@P&>I_cgq;O=7zYV>(^o906e~KgN@R zH)Wr$KvF+t9Ja@x57+(d1p;-fG~^ss0|$mIbRcy{N5LJKbIZZ}Oti7l>`#Nqn86Ya zkZ*c6FX6*#f99YAXc=#ae?5ey>IE)z5MyrTCm%vVQ>D;3hIPx*%NVkNg#%ENBKuji zBCSPqBl!G*)J|v>`o@S}eJe`$A_%$)r#Z*m?1Nb}q}7r?e-zS5gOsL5SMu9L?~TT> zL%FCS@DioBVWnb8=!&z6@#se^6`d}WxuB^Oz_w8R8Wk@raHcVLJFVcTrmW(HEzZ}l z3TY$|l%szVUSfC^yD~7`F=-mJB?_1ViwScxCY+pNKsvct*Zd}EjI5Eq7J3vg*x?3B zPx4Z_vtUXqi%m2)T0q_LPd*{YIwZbf=-j=ka&$=lL0fHU{HR0kzA9;Njo9$fyvvxy ze}RUPamF{zWU}51=o@z-q>02$;E~H>W_yE)hWRPdcdN4AM_r&sJ~Xsn5EaPi2dBo0 ztM~ZJAHGZ0-nB}b02ZDDSxLkHF#IhoBbr?fv37z5+U?}<7l{;sA{mO1>yb@R0^BDI z_mCVVB#hr`4Z45#vUo>iyTT!&0Rf9^?A%d4>p_jhSw5lX^#j6KaHc_KO?0 zuPQaGVH`030CmnK9nW#Hge^V2K6NZjRcJ)4%Vp|UuLhBvDqd2yEpc2+WUoQS2-lyD zF7`7}-<$~ZS#6Pu5OzO}uZS$)z)k%j1NBZ<_Hr0q4>=bofoI4F#o((19$ zC}l`-31c$CVwZ$k;U29{9FoecI-CfOgW0u0ea}Qyuy^>~-7aAVz>b+&^NgxaNk;p;5trm{Cv1j?`4 z73{S$-F)kZj}+uQ`37Tr__*rwP1OZi2o!|h{6+N7>713j=HVRaFRvaJbIiuK)FM-` z!7tauFM7dFVIa(m?|xC1Ph7>KMPnDzabQVy_+mhEMcP(TJIRPMx{nlcN+qN_2}&r_ z1IyyARsf}zoWi?wL_uOtPC2<=%-^Kc9z+ciaE6Nd2_DvKI=8^*Bd{Bxs*esHyK2|i z97NJ@l}=VdXg@5gt~kC4Iy()-=5j5$6kptKj_Fvm7@7vDFKRRh>`K1HCJC_|vQ;^Q z2{^i*2824;pxFak7jEzFA<;FF`+|fusl7E;Krgh9wOHwPc00tvd{2P}DUhNLIY0cq z@bqPfO9@t$U!Jm8Vet4F0SyQCNwdWTdAGW2Br3RKd*c(^O6R`OLby5CF< zbmqzrb072o4}DWYC7quky~l{u_)-18=e@qG!w(SlctML*EcAj)V|}9EE|0bMW$CTe z&y$H#2DhgywK;MaJ(rP&pDianI^~?<(t&t(7`|Q>-z;I`jC4>R$l+mAv{#Fg`Fm+c z8xHDK5k>(P8*Gz#$qwkpX%}-l!_V)_l6skjsuQQhggR&6rGyW^)X!J2tgno>q5+hM 
z`6lLFjXdvCovb2k&XD%DULDcbfYd1wuho2=x#*k;YJKSh9Z~N3MvH5AP_xqk)cUeZ1-ql=;v~ryqP7d z057mo&IdIMCIxqUpHI!T7~q@wks(xe4G^m93!axG!Uc|Y2`2~@I#l9Q!OM-tGMaGC zD)HeRrJe%A_GIZwoz~?3fgYT6fhP-X{4m*EuqvmfM~91vOvd#)TyYU=sWel#kBdqa zwWKAB0v9kIAZwR$5)BCSd1KM+VPUC_tK{`dO4{ATSfpb*0u+l*2<763=^cq7!<`h+ zY$r%VNlvY@L<770%ZHG+qht@?1_%ZRNW)QzX9$SPNV{Wpnz~bPMYc&Wqx8pu7@RqH z-CN0eMPEtM3uq?TVPG`G+8P4GNHp%u(l?(R1y>9&Ns2M+8+;Q9CJ?v);lhu7fth&W8yAg0f2-T!fMX9#$NGF3Lapt543s&g2A< z@4Pr|xfSSUL5bN~Drdoca7ZJ`B1H#Cz|kaO6-Tu^f!uf$is)0l&k3 zsYt2o_#P77oTM;C#dP+K-`;%ED9o*MUYLCb!dV8^z$nMbVs;v?DWZoUp@dVaj;bet z5Xq)t8Tq z>sr*-Hj7fngf5~a;uygo75x*;-aenh4~VTs8;nRAM2HDYAAb`);r^r5PCqC$5g|+S zdDo`+&KLCQH(rW|EYX|FNPon2Em3TK^O^cu>yv_8ALK1XILg3sp1l;0DfHRW)(Dd;wn*d&_p)x-6+KuFl3q@W+R9Z1w_mJY|bKt7OOk?akA_zvxRx z{M|=?&m-kT_$x1wy+FQDqPFArC0`l({71!4{yGoq?@UMGkMmFsnG62s1as2-D-!Ama=w17JoALJ!N;wn$ zf~)vHzwgZk^oW!dLbxF5k8RRfT(#z*dq;uue;hw;{@bemWv%*uem?yF5Kw(`ww}~b Zpm?m6%GgL&xN>wo4*MKxI&k)v{{}9qv^I!SPM_W;2m=mdx0IzSj)LvYu@A-E0h zHcQCwz5l+gSGBdfZ)>;fR#7wbZ8?4V>vPU`dP0>IrLmuoJplj!Tjsr_DgZoU2LR-0 z4CMQ7cmkP<0KgBBkrY>Vo7tUr_mbB_pdTou$e4UJA}}Ht_}uf3z)1Y_;(4yrmf=gC z_)&|Ax6p|q3#dl=Xpv6(=nq+yDyEA4SQ>o#=j4^QvGS~3q$UjE8|Pg{N%AJI<2q1p z8$sSp%&vRF8=iyu>pmOlp8JkrjY4?%4<#m72n0j=&xhNeuZS3FA4(-t-m>JsLfoOA z8uC!Oe|!&n`tLn$LN)t;HEF{?Gb{e9X`~|G5&EwxYgi%Qe|nJO{D0i&j;gAKh4`mW z`qFJY1P{&L_kSo57oVIQpX~By8*0j@cFR~5^U!xeQBg)%u_I#t1Uh#OB?x+5Ga2UL z@y6M{q8J1^TxyF;C?sBJabV*Xzm%^zeEbbe?8(nrlUdeI^LIi&1P)VaIff#p)gS-i z^=-VM5yuuA7AQXq_BI$!ty}e$baVPte8wHUe8t_vL!m!aBup6WTUQ~Zb=5k66dhsYIC`JpiChSI22x{@((VRpUpXhUQLd--4F~)1{i4ugO ziVTo7^7dz&bBDc5Na0%#7KBT?exE<;F*mGeOo{QO43lk!pnZhZ4rJmt=}b*1eoJ(< z?ps!<6W(Z??I|pyd;YK#eOz=L%>4$4_JQ;G$+21Pt6>E{2?Yrc|MiMT^jgGe_T`I< zS#OZaV812wV-DfJN*HWwD7P?xa;R^eese+6MTMq08(v_Q4Uzk4@>#t-_iGJj)wz%~ z+!-f3gHctiTn52g@gf2RN`T4b4i7w&KlyrFz={sYe02%ow&Y;SHE0t?ub;^}SSZEP zP=Hi!P$6urEm|(0dRr>LyNNo-t$Ur#@E~Jm&Ll$N`pW%D&utIsjVf~v=JauHJfM=L zzfhA!?dK7kTrO3L$3&w{lip};me<8@GR1~vYo=GjcU@xOcJ8{c{M5dLqv#p*s?FPf zO8me}o4zhcF_Mx3bqLJ5Ih 
zSfJh;b5{FdNOSEUMH_56F_jXun984OqcABi4)hNG zbapYPsbs&b70Xp$Y>Cr0Tg<5lsCC;8NDW&#z#Mn4o8~uLT{dH>E_)`OwQb;%SJ@nw zU7Gd*py5z5&qQ5I>%Z1ykEDbiZ%P)h2Z|XnzE*zqp#HaU-}^(1Ov?}uxlB1vm9?L1 zX$vm5r#sPJRxzbF8F>{>h?H~%|6ML{BZnNp;+YFt70eugaWXq2g)CI>&0unXA2~eP zTX%qu3NVwSmnpVz?tnc_Q8g8mo!(hP?VM7k*@6IeD@^Kucc8@s2ncG?_f1S}`vx-6!Q)*3E5JH3s* zBUhv={K70XMe3)0)+Rrb#^YY;!D@k1gBFJAJXAmHKbZb)-Z#}QDjHVK;l_15$nT?? zv#PDfvK4|#m0fJM&b5TD1weun`GG@$L(=?GHU>X=vxhb5nbcVx-Nl*WT7QZpZ)i5~ z)%eIlkf~g%9zLV!b`1(@SVXWP0Y17nA~bM8Ya3o^jpaqr8)9!Ibr33470&0>8DFNF zR{z9i|LP8AXY8$upQ-5?m9~6zK7&#RyaszaP#h#3TrzrW4!FzeId6u-fFl$qVs8!HH0#@f#KUaY)471*UWWz<@ z%N|NSle5Z@{!{7>GNSaKEsIW*nxTFaHCHEa6m(|xW(#Et3%&+AE!75@Qp)_=Ww$0` zd)jrA=~n0D=aD3>g_9?*H4D0Fg-HXe49$0MXSCRIGoY17-y9K_XSUTDpRR?z-LAlR z&*xR69OKjtxzz>LthrjPKdH_v8Iu^CIXs(fFNNrO17_2*70Mg=s6c^M#e}tvNPXo- z=hWPl^u`6W#+%9w6?nnBT?_${SHRo8#aNrv5UgC?qhz(Ih|L5VQ~JOcYt$$EYvxN! zW=5X%j&!9v@#p9~cw*m3F53;x{Ep9YaZ>}$KIt}vDRXG=Olp%)B zx>tQ8$xjD1czJv(pBl=c7ce5A!u4&#t{Z5x$lKxMh@ZD^4lpgDzHON>EUhbrJ0~}7 zvfDi`gqmfdRLx8B%!NB>M;hu(;MEz3MN|KM_txrWJPGu!hQ&pn(RT`BAEYOEeo>V1 zJ^119y&d~rA6U%Vi?l11kiU$}t~a?_6@NBi@SUixnZnF@^(t+)lSG+u?e?n&9SXEV zWdEbC$csKzFXvaf*Na3i>~;o;p{G+gGnny1yzt>oV<91jCi>@9Q231eG7Ujk7`hfF zMb#&ak~F02*qEuosNC$aN3`$)=Ug;eOD-Epa9Z76OIxYI!AR%klv6B8A}Ef?m#NZ5 z)r((e*GP9P;gAAY^3~9Jw<_SNXt%uiwRC?m<8Ew1Q}j1Tg**&EpJhh#;G!>moXt7Un3iU zA;4+bf&l^E0l!vPd>6Y5SL-$=ku5XtVVOv5S6NTZz)POl%R{rj9g`~xf>;A2{&%uw z-J-F;*6UWyOb9qk3R|@hW5g$#7Ky%2rkK}-^u@7+GZ)YF!S_c5&cjTF>vhYzXgD8Z`>CPAo9*enX+0@M2 zRRNm?KtFhMe3@#HkumYR)ImhOfo*LKJb zZY?|6NY%~8d9WhiK}J99X;zx)z$RCZ-c z{(#RX+Wt*HCtgCv8iYJ!j4XJIGh@Vu??C((pO9jP`1>0K6u`_u-PU(JObTjKM1?IWE z(n|hw{p7(F*i15dr#jxhzyC5c!=_=(xPuao%II$d>%yL`a(d<|G3ogSnvJOowVn73 zE44I)>7}9qo1^{ar+#07R1|Urff(+K9Xr6gk?h2twJz3b=kV0*bSh0o(KME(Jb7WX zUd|Z*4aIrUSORD?*$lGwqy*eD^TW~^LXmB}GJzw*;Y&H9cpw^+lGF6I$0@ioPG`aU z78Z`_9|TGClyDnETJSY`5v5IBIADTaV|n+9<#=JzM0UV&JhhKkI*=s6AcLA>v$^pi zVR!Ity-^e&0So^Z@b$&*T*t@a3|p>}4(b+qMUXuwI*@*SH8D(@OG)dHcFS|{b|%Dn 
zQnV%>dm;O4cW+@ilZH`)vl9_}C~TA)k%vgWO&&X=4CXBnP!{Saf(PQ>tttDkH!Sr$ zt@OFDp148Lq!o{;AMQ21m{t3td$MWPVsY*(BJlB%zolP_ch6k9em#$lr`yDJ@S((F z&BD&)2}ljSY`PqNtW+XNTQE@$=ksaHtR#PNRJM0v;mRy|`X~r@oVMk$VG6R@v+)tc zP5Np0GSJeKfolsJTe*k=iPSSoW?45(M)pdd?rdxzi7oNi4OT6Ueom`z;*q=U3v+IH zV$#U78DwEQ`ENJ9aaW81o9;CR6qmU6iw|UR=397a0`|X`(olIZ-mBdobNqG&qSMa?`GRJXK(!S^jO& ztjLE~BsG5hm!Dm9P2uq1)6vov5&!?m6aRn3z5id;D8aZhAStO7veVL3ZzKvV_OPtG z#!NcD`77TOEJJ2Rb?G;x_Fza?mnpL>14izEw{G>}aXiM3K$S0ZB<+y|D$v8?O!@fl zItj1b$2zoAY1eBySeh5TpTm~&5euNRRd4(CQcuHZAw| z|DFn0;RHkG2GxlsKhHm^oCQC1#N4jO3}KaVyv(;p>11Q-YbSRPtir`MrzRWigq9hO zW${64)$AG+_o;hI-L;i`pFL;;w0~9OaBih|l8XK0z*ii#0GBbSpYqS+rOq;K)}wXI;=^|==otvS5xKkYv9e3w2Ot*P?UhVUJ!hOX_RQ< zWo`8uOM1xa`Qyg{f8ntpF-f+=HeED*?YMU%8@W$mU_jpU+eWcq?!6`T;BHn8RRUYr^RJJvQr8%VnZh7a1+!A<{|><+5M5=0YWd(`r=-Ilw|5i!7=DS zd5i~Y;MeMS%|>k97_f>?_OCo6iw?nR?yW--c2M)nF+f6ksP!zXIcj}ztTaYHIwV3S zaSi2LZS~2i^-4bPyVi(TZ^9y0FH&B<e-!?1=S)q_TA3j1Wt2NoOg?%kC>Zz>L#c((~A% z?t8{;q%PWtw$JB*k13lVk@VBG3M^m~y1aY-Hq4btYHl(*-`9gR`zAK(d0fl&VbgGB zpgMkq%icADKSia2pz93cecRDBUnPpYnyzy*$Vd)}A9Ps_APJD$*!_8O6OAHwzH-tI z8oEA#VKgDFmT|CMnz!|(Gt7eR-444ltV#}+1YqvIl+^pCCeOCe7t)SS@8SiCF;3y2j`Q5#B#L2d}Obd+ff-9(g@r-p}toU+UGm zFCK~a&T1*ag&XgVkM9+HqVT44{+!FP^ohNjoB-e)btV2bxB8=s{fG+{8wF1OI4IxPfgy0+D2Us5dmfTAkxu%?}BWGaADj_yJ%<$azO#4Iuo$C zBxDywO;0*@eSC`7t4MuojA)CG5Z#C*k;P@-)YPso3jHADa@8q#-=;W9 z7ivAS*xo=$9|^m(MHM)G;0YbCp>Ho`ZS~_*Ytm<P_8DcCw;p5Mr zQ=-b{M6o+D+utgPd_hOc02!S<=E52BY~sU3T$yqOb3FuaH3l2ON!qhK*iCdFAQl{I2KsIv-^FFbm%He`r6;_>5y z_!$6C77%lEKmLNy8)-Oh)Ls0vA8}zm$HKzi#d^7RAh&ojvHsg7i#n*|Zd2z@;P9dj z!bW}Bd*zmTyViXQ23bDl!?`@1xsT+b*t(>9=3IPfGz_YyxL9rqs1sXisj>P_teooP zO3vr-aK74Ic5510 zgA64#+P*_*OMh$F6Z<`WX551D+crISpdH0PyUEJ{G#_(77TLL}aTB42xvsdFrkxrb zeXum_^jD*bh!{X7nje&psw=+CMR*o)5F~i13e8u@7%Ip%>KU0@nwnZ_T}|A>E$zo6RO|JY8~WJe8UBt=KvZS3H+w6 zOE>5_s^g^tfGjGavR9bJqr3!KZ(ZFRzT)iVmcCP&Waua?ok3rBHmLLx2Q>+f26b9! 
zNV28~n$Hrg|M`1JsPD+@6Sa_>w$}t3SD#8Lvn0?W{y?0oP?n~0+;33?n+>X9bvqF- z&!}gl$G03A2BjSLK`ZOo^R$=xNHo_6(S1BcDg}g9Oa@^gMN-R~n)Zz~%e{s3z_6+0 z^^+DS{(3Y(+Al&+3cg6@Ap9AI4LloRsgkhSUMB`9-Wru*y}G(iF+5iOC|d3d8+q>E z#CFJ)w%%E24fu()*C**_(0agARwg-d|8fdHx_+rMFVL(u4F#|?7xW)@XfHN?5Ks%Z zKVBy(h~NGd>s|?{gyZkKSY)ccExGpi>5y9Abg58NzX$xtkEi8*1kk7$y^}QB_Wqvw z*{Y(F(O>IWWhuEaVh6wr=?@9*x%4S+B(A>RfoF)=gM9)3yPI4N%sU zd1PS*tb4VHA0J+mbF7-A&R=a!muCEe?iBC$ryeVSiSpA+>x*B!PWPGxuNzCFNUx46#w?r5$ety;B(_<6cA*UbISxz7Uiov=Cjw<{<}y1(7r?jf&0c$HE#(tB$84ep!2;@O3DHW728*Ba5NGwQi_bVvn>(j|_o+bOLZ9k5*gdZhor zZK=ff%q7s2aMHmCrnT;7o2M;k@6h;pf#5#U>c{jrFev3VFZ zM02f;nY425$(Ww^brs-8mx8F(3)0F=qJ8PJl>DpJa{?+*QW<^Dni!s(uwV|_Pjy^aiD+KHHV^gKyD>zT~PKO_zN zT-O8Upjd!jhP$_DNY=|=&CBF%l=snNBmjpZRC%-C z{?7)fBX+bR2Wb#h3!?R963?RvCfRhgJ>KOe&M2UaHRW(HIb`mLwCG)o&+S3scUg8? zmSv9Au%Y2TOYR=&b4ny&Q4CgTI-^1Gwb+sxXpOlwb@B;O{tZWXOfDM|Z4-XQNhiPn zcqa$lj>B(ZeFpqxD&4V=d~!@!={au-7>C`4_2&ZzS;Rf`@~GeK5)XeO@q`QH^$G#* z7VO;k4yF4fi|02=UU$tZj93v1z|~j!cV>q}a0PjAPwh|vg?Ezj48V=2+-Ma5yk9)_ zfJ7^y{5}71U;53(hr|ooSyNlMK3}dMOzn7s-**+Mt0nS2?bREwFWGr-SYHQqE$Y|W zCrC8B{6{7>xkxC+=MI7%Rp+eDER9CuP2?>sm~Wp})GpRWx&p0Gg@R(d;T&m$9(&PSXa?8U9tyZSy z#s)@|Wyqwi1}-9m1YyMKHYSrfBT?wQWJwIX{C6gYG|r*nkl^AvwqYitEnYQ;VxzFI#J3 zL&Yw5kf+1~fpR)ec&~k)Mnr*?in+l%0yqzVL+eqQRL@N1YhsNxY`T?5jb6Xyouk6^ zMj}+QKqcpQ$A%n=ZvEpv?_>&JI;~BD%^e*d2OE#C63azR#cIpEpBK9DEP{Vn+M)ZY zo82!V1_@*1q4F7#M^-$x85@qrJ5xnnvX2hZfhrN2h$x^6%Rz#=$A$aU8X zJDfZ3H(qp2HtQY5iEXjOl`xPZ-EEai zv!A;!{Mo*idAL)@?dX072bbKP1>x2744Wavc|tfya8+dGpb?f2u7WvVxauaJOd|Ln zT<(yNJ9l|(<#RZoYZl4)u>mh(fRPZ|3|AR*V~{2u?>%F}=Wd@>sE zAx7KVLeks$%Roz+uIA0S!wtr3LqOq#!*K&Xh(&SRk%+=LNIi9w42e|acgf=NHF!e- zyz@FcP8<+DKgGKT(PhjVht)7Nzh#f#_?biHHUf1e^hTZAg>a;g7mT_*h#SR_w3wps zw^B4#fW{^-wY3E#S+**r+rI@ z(D7@Khk&dw%9lAONCjqYGu&GkXl<|YHZ${7db~8d11)R4`_3n3 ze>tW3@%O>ts6$^B)(I2^h)&GPg5Tyy&}o1J$)*<6nC&sQM$!Fr#WM4=C1>VpemQT4 zv5l?}Pc^tz)s?${r1^%49jLkpfMm>X*m8f(U8tG*vp2`4;Nz3Le&f=b)<;_B+*JQB zd{wZQbcpKA_cclzPr$^V_O5mGkz-9~$;H}ud1kXmdo|^YC}2+vWpx8(>U3+Tp;x5p 
zsYHMt!0w{qCY5BlxirYv#J_xWaWgjSuk|%BS!c>_Vj_F&$I+;gxA1-dh)zCtBH0V@ zWq*b+-6AYZ!~Q4JP3oak^~UeNU6(BBcx)rtK9#XP67wviqxp&S>hnaM?bWu) zAnXsuszJ}U=iR#`U+PZXjZqioecc7m+U>W+;*$8Rur&3B1=vP&>kj(jL39!#j|I;; zlvWcLXbob9(OTt-IoQjBKK!Rg($CC9V9MLiYecYC9-lG-sm_r_O#`HvK#%y`eCg`D zy~4xRwT#4f$oils&H?JLts++1NB_@eo05w^f zFSJHi?Vfo|=RGo0MHggHhAa2~#J*&`PnC9s8O-JJU+F1YR=O-J0 zUSGrj5o*=B5xyvZ2AHiLj?91?+V-KjGIGG(Klajh-1YR!_GaE`3qbMN20aUC%xX zZqXAhJND@MrgaZ#FuBj9w^A8&)YQ{whdI_Lni5029)gISAl-&dyBP+k=7Cy#nt_8Y8TX5FFZ?qBdI9qq56 z`IKFlZ7jfaGzl`%ejV9z@P2?kX3#a#q_bfBZ!MZ6IYVj-g;behzPH3r%a~s!Wkl@@WXT(ad$2n z`7U7NGKJ)?MvOe&AEC=qzL;|y(#~YQ54%UJh>N#HuEq~9W!B>aJ`7GiBqZ$Y^sKU? zqC!l+@q_fgIscz$zCDe$mh0;++QHZ&U0tZP*AMpf^ZAOfOY6g8{u*z>GN{g!0De;D zU}(7FAPcX|GX5$D(S-9yjU2u^mHb0pU~6+gT6Evs)=A_tROt(&4GINl{@Ix`Zm97W zPfdZ#o;WX~@l9i~3=I;^mfs8X_nOVzrk=VflaB%7w^+x&EwrKYnW;AN^VCPz;*Jty zr@?=$(9ihD$WQWvP=?TUH06lW`|1Z9^T-Twv@1r)`li6JE67~6D)@>`d5yA>BxasAyrVI>tzDK@vdH&?U{1d z-D~6J<);Elrq_0^%erkZD$EgtW!Pj@C2olmakpA;^KVW>5x3jAf?TpBuH=_1QHYb$ z(m$(ESWhBMxeJb(q9TVCQ0FTd5NOXFj^a2@+NKh-GV2=OZm>BBUfy0E%*B%C4eo&t z$F^^KUi6_3TswAQiN^dDn^`f@MA+YrzgcKB_;frWDYSwl`!hSJF0GKcB-aDe(WcWN zBCO8q*hgI76=_6Gnu^378K7vIb1FmWDoqo*3aG?V@OGaVKX=KYGn<2@)ZEs)PjAu~ z?S8L6%A}akqlZW1=I_a(=TN@u|M1H9&xr`eBDL1-yWh70riYJ7bLR8QW-fN3oIxC^ zZzMj`xW>6TV=xWAo<|mN!PuH=(?AB23#d&SpQ^B|>-lP<7J>ZUS00?9FC% zgI&@>(nT|OD^@i=(4P%=J_TMa7dy+LO`)`g`_#1&Q9GNIc_~l;sL>S1s<^x~RfY&K zcK@2FN!NaJadOnvlh)d3*M1DvboS_}W_l`&ON;3Zh#L}yvl_*v^Lh*=BL~OsVkw%^ zwFgDo+(x@`M$0NH0CB0=;q%CruipE3B1kFt1YZcgnl~Ezw#km)Y8~GyROzl#*Dlfm zl?HyfMT}_4Lmv`CMjbRLq?86|_8=3|Kx4htsjhG!An=64*V#dTZm@f*$Hy2ut!7!v zTI<|Ve*ehe*|6`z_8NyQ(h1lka6kyzXq72!pZe9vgSg-Q6Su}avBf(?J#^&0cC6yR zmbY$_C)|BJk)~SEt41P0Q~6YTM}aV8_qPZ1%{Ko^00|rbv|Jin=(amU^4PZP=|a-o z@_qH4>USZTBPm+j!iw_C`x{$ExBx8;vkf_bv7%UlSVIN6e~coD0A6SM&02mO@a<`uN`*V%S37{v zxdHE?wwM=-z}JoH6xr#Hu;3w)zDV|4uf;qoT2>RSrXFK+sArR%uH~dgqbwC;EMBQO z*efB6rFI@1NyI(vH#d}G(A5w4{`asBx2S+hmYqwt|u(S>OY$JP`dUT0j<9o zdP+%=tAXx223 zai5*5?oq0#93`|D4baLT?n 
zicoBxpN1O0oeNApX*%}k=j2>!AuHB^0MCI7_M2 zog5zy_Ntl(lY(Ks&D(lWcN-6U<5OJQ>1NNqvv%Hb+`X4b0J4gGqV2}WuRn@K{yWrl zUA(*UHasT@JYHz*D)3`0vgeP=jV(Xul(N#E?o%NHe{>OH%!-|n^lMLoevA&ChUBzy zDC+V-a6ejohei(L0^iD*Jn_DpE-}6Ivu>f1<<;>2U2JG3J&&;17ye-4;$SYF6SR+u z0xU+QtJ1u1X9P~D$+nF-2t(;5;sRQVYjuJM;B>>XFpQug&Xq=XM0KqiW#B*PGME? zw(jHTqI~DWR~A%T*5J39M8C~33R*3?PFEr^z;)<~#8$ zgAm+VcT_(RI__ITqdB1fKfaHBMvyop@o$RLO;<1ShrxO1H?>R*R*FM7x)O8HtyI>v zo9>CN+-Mh1Re`$Iu~@3Os1&YVYQJJ#(IvcJJSB6iyL4EKr*O2fq1NJ23n;6i*IEsrtD|H*y`TI8uw*4XsfFC9JW22A^NJ zjD{VMGU!;hJ?O`FY)|oW(4!Z&OVlX9tcxqot_t<@HX z#soMhj6>6@J5ViPLn& zzqY}w@fPkK!|x8kiIyigyR=h%UzZzz?#n$&1dJLE2AlFlULQgdvLj(@n>^~@seD#p z6X7If3(f}XQ}&}r)LoaP$!epHS64lh6wnvamSG_Gby4@XQ_F4XsyWgm!5#+B-A4uv zdv;d8^&DS?#L^8(n*vekbS(=NVuICrSEFC3rR$JJ8bneBR*K_()g&sM7N?QPT|{d) z*G7}yr)Ep%V+8R4yPjTmu=-HpIT|_kts1ivjM!v*nP!5{8H|hQOAmt(LO)g%3G%Vh zYQ6ryZjtjAzm$Q2amHe}-W~i?lC?MfxNL5>?}g>l07`%!0sRbr1TF1;U?{_EtS)^_ ztv=nSm0i}iTT4+$;ZdX z>$9qvow7b!mS#89Fd&G)lS|q}t3E`hY*@_9mZSfr&%XM-FCn`qn0reo;dxBurkOi6 z{-o}mnJonDYrgtIO8uhy3lep2k$w>mHMPUoPMPE_(bp>xUr$3p@02-RL>UgXknv`2&BG#xm;pvz?xRr zQR{w;sV?jMsYgiLub?BuRghb`@cE>76Dc4zW4^bM#yXjD&&|;Or?(*MdsZGvT&JaHQiPop~_kaGD zq_)`euoR#Fe8R_{p#8sk~N$` z)t-4zce{iS<(Py$DvVF9JfW{@Mk6fo8Al2eEC&R{si12^AH;_be4*8)7XQ5yuB5O< z;oI{H7Af|&Hu1sFr*ALkQ=afE3l`Qoaz!&#mqh`75xWfq`_m9#bo0|bxrL^ed2QeD zg~@dCb|T~is+iv$_4XxHOYJU?$ZJFF;V1MD!onApy0?E^pW2A{$>lFlHia=(jix*Y zB_zBEsIoV#h#VaMf!^CN?fQqwnh9TbYw%Vq34~hgQT-W-=5Sl6D(8d3U3Sq|gM#{$ z=V}v{Q|11p9{{nJz8G(qs8b}|dEc6^6j8q$LCGz`(3H@v7@nI6qnaD&)eKD|*Lr_) ztnoT&H|xVp?I(NlCqYlXZ4P8phbpW@&6A}}u>U6_RQeihM4LL^q>ylyD@Vka05g8+!cR zW8m^-{+*B=%VOuu6Q*9Ui%$oSh3796;QZV=>XDv6XMyVyq0F@7g9(K)#qt<%|4%?uOg zrl1F^315YcDz>aI*vY;pu1Jk(W{a&Y8^Sk8DRi&jwc`dO$r(X7#X}<8JD7-67)lyVLEa!%sLqri zRUPZ`&2%n^mLD#X8i2j}2aOxkjJ@8M%K#0iDKiyvuvypkp?CKV-Bg)`{yePo$~K;w z!T=&=FKMVxtz>;f-z&(l-RA^ctGkKm+zqT;NA+N>{t@%BNJJh?w+_#ron(0_ACu~` zs5A51AXk~0NLCkJcXfV%o0p)y-|Qhyckkz|^~**+sxGr`sH=wOH4<0vuRiJRjV~ 
zvnO1@5(VOOSvohQl|~E-d(?)Vh7aRNN+0sMkD~*t8zgPL$`t1|d0FYEFikY7?7YT& zWGige>>dsY@y?_s?OX+CtC7rQtFLsN{Shwzz+ptKOm^tePivyN-CzFlk^XYkmr|GI zmYWy_^pkE=pSx?99Arx0(V~SN9V3w+7ggF$^m6hri}Z1eqLk@3VgDX2IUhD@3Xgwj zic85yHL^NEMYSf9m?7eP`zg-A*4gn94dx<|gEYm%mclR6&*v)A-Z@(%(@{=khFMl)rB;;;iB9(hg{L(Su#RRvD zE0q0xXgvc9vY$jkQMpl>$AD+!Xkpg!%t)HOL(}`@H;FX7cV3zzeiFtO7BXXjWrH}; zqwIRMx~lJ+C6aK(K0Yd-n&XISeNRtBNNV}t)I#?@BWh?!nA(N2;Y7-C68pyUYobAR zwdxD%DdJl^poCKQbW((4Alr0*sYx0aKI64{xpBCOFG=;*VC$ZabNisRb|1~LQA7jY z-*n+%mNlAWW!N4UjPY9E-lr`c%iZUo!8-Kd?Nij+yj$b5D1J>!evU^;V=biukqr7> zu7}R@jc!&N+sAJ7XAT@ql8Z*l)QH7sN!vvNY+$J2+!Gr7w#W3e>FTz4b9f&g-9;Ch zbm7Ntkx#&qPt)F>pv&g@2Y|MVp?b1|nvmB5F>|p|n(nK9vgy9z!V!7$(|l=VC)Vk3 zIB_6&Y1CF?A83z>kGXo|_&!9qZtL3w#yQJ>?e4@4LU(rt)6s(XWZKr=cdBPc2dncb zgKL*q>BDVz{;xsGhmYnjnWcR2OMb6`HnAgR3;pjT=_;daL{rze^=wN#FAJExdEJ_2 zW1>C2E)41ysEP#IIQD;os1i;;3!96mi6@WF5rF^5m;Nt93|-;@TNorIrLH|Zr>8!A z4y@EZ55w%J?i`aSzN-F8#b!d6IHe9Pa3JI@qc5Tqtghtd3E27(@f#4MsZPiYv->GA7&vaG(4~*Q{r89+YKkp2ah08K`XO+GWFMLV+7krmA;?GO}F9za& z>6P{W(}?;%4F11zx&BM9sN(-XAt;~Uxt`nHC9+9XRNOz#l$iJ$aS1i&#|sOS9L;8H z`yg1w{XsV}_FIy9Fg|qCo{7&+>~`MO?I5!Z<@pb?m$LG#_s_+(ZHoC=Af#Cb_UCVP zwE&dyP*%8#W}?NG>V2x=Q0xuVGWl6*hlmKroe3q?`v@0( zL9pi!ufA12rVS~ORUa8SmA#{!uQGQU%X<>jeX)zX>95^?hYmk)oTZK>$|%0p~hhnClbxR{g*W6W)M-|tSkSUPb%J_lJrbzrT%eEp~_rz z&GV`J7w|u9+vK&|eUtNrde$61%1^`)hcjaburu-Se0tzVs=RN;$YA2S{%m-&f_+j3Kj z9nl7edBb@eN4qgKe9%YN!>TRS7004+K4`njXoQ@+ruh$}#K}3knjvV*2d-Kl7smki zs=t=rscxpEM=raqk=sYe3f5s}$%um2&n^=q)pQ>_p7deK3O8@gYX^@T*w89?{IDCX zW{cBFxV6E%ZR$Jd$n`x1xu0%i#aim-Dd@zk?rouJf7Tfu_3lFxcy2m0J~^9fi_sp< zlB3Aqvq4C?j?neEX&JGTn7K6DlJ?#AX{c1@xE;0{&P~wrrP?;)+vVeGrzz5x&3(-=AwLr)i-fC;y%Q(v(yO3!LvT7VXBmJvur-@%^zuD9T8KE;f}_ z#haL>5cA}DJasA;gZXAsxBUVz>Jo*c?|qY-fRYAuJABE{(EsxokkNhTn$l9(wWy|> zHF1$WZHs{fBpV*ls7PeWM^#SaVo0g+}KH(O$i=I96rtq~D zZW2RX-A$VD=ggA{8TB>6 z@pV5r0DIOPQ8sn?uJLlzC3uZyIWqEk#wgRP>IpP+)#hi!>D^Nz1poGzD37AO_D*r%d^+*?yU>u6fco>9iZ+T2Gcj33jdSH3CN8-4S-ne&~U9 z#jU{g+rQtDF(PQDb5~QBhvs(SP-|iVB!W=&SqH{*nt5cbV4bqQh#+f|f7eBvqwjOW 
z(vhtf4Q{*-p=Mc4O~b>iWbQblgKX~bk3E4=D|uwy>OlZbULU}Fnu`rl0Hv+ptBJyl z`x0G1Q13V5yN;ZyR~B{44ZwnKf2!P*^y;%B3sh-LTc&lm6%AgP@L-gcdNrg z;vNG$$S_`uhXrJJqt@jI9tuf}GS_MC{f`t;uG=BoZ9F~2na z=U9{h`o%ppCvDh!{cA_luI0k|sIqeskxS`U@xN%Oe$6MAwmD5>HQ}f?h^vbeZ{VlN zvbw$OnvY{C{Rr2u=8Z4bh(vFKsS*v?pEQ(Y z=yt=hs?3!+$LzIYjmaSUfX-0ZPL*++9U~x)0(KRBRVKIbyy^a$1zX%1m#W$MP)&cY z_V5CK=6P!wJPienEpl|oTo?O0@6z1(B>O;WK6S7E;`ju46OQ7^eU#bmJ&7rpeGEs_ z!`8jy33lKU1Qn)$)PNP@YJp8o?}smd=~2v9jeB%N@mEL0nScjdE=*SdpMJ_=u|-bIHiD$>X=I5UYd#R;3Rw% zDCvNT6wy8piOlYR-2cYdd&M=`b?e?yM3f>bO+i4BUIhfCqezF)I{}g2I{`vd1f(kn zNbkMZ&_bk3?=?W^orIdu*?FFKt#9w|x7WeGk8+SZ$vx-DY~%W0LqkS;z_LUHzOBaf zRPdig>Q4*jK#|cJ6>DTw(B=5yNp%6M);|MbHubW$OSV-CvQx5t(t~)|xbWZEN}wGl z&HK;w|1xi#eCt;V3vblJn0(NA50cYTze0ISew^pM(tqDKyI^`)yu)pb2Y%fOsuZm+ zzs%o3rCpdFIvv&-+rQWGRkjZ)-oQ^PNzf^|+G#~HxY^E~?R|?l6z*yUw!yv?Ds8?t zlwvJS9*YoqU;w%!V@114&NE}Ud;|5k+3XN% zh1Pa?6~QVmUbp(O6ko{d+1_MNzHADN!Luh?Nk4wzhu`PJdC~$nc6sG>f?i`?HBn+! z=NH%Bxq-Db)(M$@op8YtK`wjE6KO?&X?=T5HcmL)ENIA|iTw zOHeBUYMB~qZ1l%TDior90}aQ&!awBDTcur9iOl|F_sqgGt_A-0Nq6~ zGBGkPR4n_nxOpHi#9hFE!q3y3XO`DR4KuqgiNpJs`>BG`YM{khFHE)gW(7;9aq|hH zTIN`=OJaiCTgb6zBO~#a^0+d$FhveZ+XRBKmNJ2Pt`9m|zs17Mz_&OitqybTS9R%c z4EH{kNUOQUy|2uq?z|8gdwma=tUfOG2wb2VY8M>)8M;J=BG@(QN zT)MIr=Y-HOQe9cf+jv*^;|sT2UDCfIN7n=#m^66$V+a?wz2otxc2!b zdsA^WZL-HpfjUG2JM_+U`?e-mI$GW1_c0&8h2_frK+A_Of7*HxlQKrD*bIub#qY!1 z{mh+1H;d6z9t%%Cs=jIV?C3rL3yPb3VMm+ZDedw+E$vtFd*C8YcB$7U9oz)?>hrWp zAaHLW#k&u1t$M1+?Nz8or5CZ+6;I_b?J{>29WQ5H`sZ%Ek@okoLiTQb5!J>wiW@~5 zJQS+aWhF-&c=tv6w%A#Ts->88DRu_c^r2c?-%4}e%4ja2+X($We-{(k0bUN#;y|)r zqZYqPZVD_DiV!mQoBGwpBQaS?AObJq4A_Xf+;bB-pXSMb&7I;o1 z`Ov>V73z9?=5O5Jc6d6c=n(^IQkh!Vi-LCjecv$qBbZ)i>@hjH)E>ha+7OSxZJ|t8 z=>D}2M=cY}b-l(Yb=?T%vnz%-M!-BIk42j^pTAf zNz9bQindFYHO+&+{2D|bvm17Wo~+=_D=BMScsQ9w{i@8lrFyebA{4}dG*^Uoss!LA z&pu@0FL}wm*wT-M3!Bu%#~TJGsZiy^3$~PbqDDq`g1+!juU5s2>hkgx=p*ZWnDip{ z2X93?L079k=*TG9^;U`M}>;0%@9cI_uK~ z+M5kLir0Im$!g)7^Uco_citV4;m&Zie>9qn_Lbg=unf_|lb?m15lj|3^@yZiEW<^Q 
zj2~EgNir+Eu^$qJxqM!pW^;Uh3uZHT{>JA0pGFx-YCg~N#d}ik*FwO+3tw?)grCb7 zVY$TedCeKI%q%{2iYw!Q*`qRb!cXI0yA0DVS|sZ~U5~|qsauyqYQGKKmzMAS^%gb7T)w*s=?5fwW5Fp}F6N%FS4F%f}qRY46ulG{~rfJTEWTqUp z3uSVyJP^6x^^Pa?;|cNE^E^g&O(IXLqLI81&99y3!9L+BLfZaLxaM;LNet@SHn>y}4So(pvi?qaW) zVUnZM7e^PQLKgB&!R!=-^c!KxP;x7)wL7*li$rD;DWfW}WSGe#O|LAqc!EL-_U*sI z=##1IK^ZvN{dxV%)pUd!=oa0g`QRCUfPKezC*6I`h6{lvn#7k|k^zp1-EUZrM|xYL z$wF!=dP-vkUI@&~Z00};{NHF>V#0z=pjog$vD4AN6Glo9KxM288r*$c`obu%G&Uj-$XVf zqHx{RP`t;Nq`P|uv%&AYt@aa^cx}l&_Z}$ezv=9l7!roGP4&`8KP2D$=2s`yR;S`~ zLLpP4tEzrYEZ z3$Zk4FqMhX?REEVAxpP3#a-rs^f3ebt=}V`;BCeZQK7m}|9ZAZpP#&xYP;SrgZtEY z0B3ajogSU<3{C+QZ$XZ6UWP4h*B;H?cNcpv+l;d3a2M_ENOy7xgV680;++IdJU_$TCBdmLp`1R zL`I45@3*?R!;L>jgPhS9DgkSp?*i&FL6rh6SH6|}%n!d9%eSO&j5kB3ioTJbd6DNb znl};D*53bk+S!nl%0P;#l*6BGGFdT!ZRf%fg5k)+!;o*XTq!SECcS5_!dfjo+t2=# zq!gf~3EqG3vJ5i)r%R4Zw(hsy9pW^m)LB}emj9Ve=)HQ4>XM5K{Yi5J8@54ZzoG*W za+mqumLjdt?#*^y5yh2qzuXNcLcr}}64#Y-X7fab7lY{`Il8Kk02+e+4bRCW9H`2m z9_M-~GvawcRx0~bYR!jRexu(M9knCNlzSTq+glC%7l&ws*QZ)uTM4J ziU5z;zRy)^PhRhmHqYScUnX!$CeAgJ1ztw^z~Me$1pp7eg6(0kd@W%Fgxs<$7asH` zn63<3u*kU8%F*GzA~UCVNn3lxcnB9YJq|FuE#U?Pem%CMdeQ7t0k5&`nR{~*5MZ&r z)LjAq-~u%7vQ%!+fBZlq&H3VM<}?9+2#s=F=bbpo7fX+%Tr3X@E~8J=7m(lysELiF z(n8gz)AL;38apfF`hO@yO#2YWOuLfv<0nzUeyM?9BkZt+J^{6r&9wjA8lZ~Y;VVwc!ZF%S zM$g_fJ{Nne)_}2ZKNv%M07#mWI5ml-M9imhJ-a~e6{|<*`?Z6_N`qfRf&8x|&#ws} zLm2F&a97bxsGl+z6kOrCicn?RExfzC#OuUTVSIf4l@{nP9YVZ4+4My~i=ARVWhcMb zdVT_5SDRg`IpuqhTy#^V^?2)#VChtLa(&cJX9^eD6dL&8#V%k8*nu+Pq|cdtygStq zA{;BaFZ?2w(zb@q?L@?mU(lhAh0$=AH^)FGpQNtG!Ba->? 
zb$;U&F2)rBqFHCe4KHmwE+PY0UgP{9XHzg;wovJ7vv#l7u;j)7ECp1Z$TH-6-KEDm zHfGoU=?&7BWdXM$Z&rFp*1dJ=t0SxM#}Jx_uVNzH@-T1)DPaf~edSzA`pFvhEI+`R z!$f@}T84!whjM`Q37)rHqJQI!IpTbwKh#H{_~gv!apQ7Y5H~-SiY>AEzTwgAsg^qi zOMh8pY}kjTP;?9^(=jCWeUiE7{Owy5{Y}fJZK4njwP^kBD6%~YB@oDHJ+U|BIhUh2 zQ})7(0#$SnHLi~3yPi~X;lf+2t(X0Q&DT^vT2h0Yfvrz>(+!0WG`g7^FQbm0(2M^r z5A4}*c*g=)e+uBv$tO`VJVlZ+IHZIUKf|R8nm_U^jq$kP$yuV^)W4$8FcTlOzBe^w z007~cZ^NhTPU^q&Rq|M(1t}R&9K*O_w2`>5R7IrEE0DHxFlD*X% z^~)302cd~Z36&$~blP8vw2TfzhdUMN8G zXkEZ@bm=CF{C$PKQ}DYkv{!&`{Y1T5o-FQ!HuH3gRL*P1!M?Z?#&OgB9UM~sIOse3 z`iMh&q(2alNxN;1ENVuk*KATaG_QY5rMlNLO$;vYy%#)F#YPgyZdhhr2tz8&&DWU^ zAMekrA0WpSq{Whr8@(2qR~gg9$7U-^`bVRP{FR^anLDeIT@soQA4UE?aB~4upGgJZ zB?nZCVsrNm5{Estbf*G5D%34{EHcXXiKaO(1)BqIO&6|dc3D`N;42EgSJZp(B)oT2 z^9tebJh@3!7SI6J(q{#GL*idn+NUzO0S$@wJ&v0j;@E=htb6m6e)?-xqZd4mthu?% z3)9ALIuTnWQu9*TY1;N2AvfaRD3YB%Vqncv-kU-W;-pKC%vvaLxM9BdfI$R)CHHf( zV$n|nb4_QYw+VC);w;{?P{;)XSvQRh>N5d2k4qA%_%aPaKGzh(_Fkpp1T$*3qcsx0 ztIAVfF<)QPZ&`d@fKq%Bkk-{;79xDbvb{A=wL{!SU#juRQam;*tGvY78(zKNGw*Q^ z@cCA~M)y&Fqc5NRaK2N!0ld}xD_-DT?Z&Ki{0nG%m}vBK&x>OR(|u&ofu>X=NjJPM z)Yin3@&(|nKlf&LHcb6UtXNT~pAXDuaX`IdGDmbDEX4x& z943fYMftq3Ny9sef>Ovwxj8X`BxBh^H@lCP*Z10Y!gPD~AT-SEE70gR(L;4-y!K42 zd+oe#Iq3;B!s)#bEF&$y8E zD;%Y<m~Ip3oX;MwaRdjF+LrQ~8qVK1D9i*=vl+UdnF z+DAu28H)CFZ`ZOINLBojouV2FAMA5|39v)gZ94WDmNSuJ~FWgo%UH&+4b zcc7}EawqGtsC&W3Xk|CRB_I2g(17%qx85VE5wgSIP)Bn^Qqn#*E$Ob6S3YJ`a-<@k z*ejilYPo>9u#7J~d4Ut-a>SJdg0M+|_U$ObT^5%3o$`x;#42Z=*=P+{KcG(w<8 zmP*MgAq}xNopB|xg?v*_MMWVC^!;UcP4#o0Teill2$!g)VNZf;z-~TBmc%>j%&m$R zmCkDNT?vOgOGGIDu#%g%M_O4nu2yKG8;Rx?!iglCPJ$r}8_GVud{|?_^S2f3a&F;UI zYk$~eCOV^ zztf__-#63MbZ;1!ue3eBoJR9h-~k9H!`-UL{Gve8{92YI8RQN?dY!E%!bm4cZ3DTk zU}1dBbNa11$RhYj6t`U6a=!5r$rE!|>Wh@O2wwr1o@F=TW)RBUxxlUFb!tug-LMJW;Kz0- zG8Z)p^X{8#)kjp-TqWODvhLXe1FXzuYi=CvqSTdI_tKqFd(jj`k4Vn9u8(x+o*AO^6nLenuvWoX@}QE4bj) zV@M2VAEdp>-V(FoZ&|Kwy0XlL06We4pM_ksi8BGD)Lg?lhjM~D(kAAQh-T}O&Tg7B z2Iyv`AJ=&riA3AWo3Lnef=m}pDs7ED+Nv~I=aBK|GjA>oju9(Q 
z*9$-y_W&t|mCE*0@J}+tUP`5T)-a;S(i1Ef6g9o;Xi@8*(d-@^izO!3C`QqMtgE&^ z7s2J@`B>dO{T7M(STapJtC+skn@@5MZ=s`E5*(U_2-0FbXOj0eoL=(<5uIe6zvxMy*0HpT~z zw%HjZ0yy{c^X8J~79!n<2QAe|A28jqEg)uBmjGyQ`($DO;)1gq_Bw9s&9Vki`|-x&Ca zqCDX(ioZ1F^Dyw5?3e52AXScLrwS-?zRF2$vFq>cG0n01;hg@-XlFvT=4PKC#}pAA z+pN z8m;`&TvLW3ptu<6?NR#mI86-zC@yva<*#Bre}Xvu$pePYORx(q$y!zSavX|&*y|Q> z$?Cuqv-WK#^Ny!KN*DvXg~}jca;e}7yc|O>i`k?vPN^D4TZJbHuM>aKS@w8YWke|B zy|kfQ`c-WP&Q?_-1z^fm9yjtRFO!Xw=C+UFX?)q+0LgcD%Z5|WI+UgPHj!q`&n|DA zP85571vb0GN20XNH=oR}4!-g)Mij04e@?jPZvBj^o^1svUnr^8OR3#UXG%-H1a?3= zP3K9djQ;JH_SpY)wong(u`l3Gv@aC>%}RQw$^*7WrgTMoi$CnTLj+XS1xL4-wV2}R zvsKa_Pu-j^rsa--&(!0Su~k@%p)*J`2nBPv(D}rpD;h2nauV25u+v z5_Wpl2Rf9LJLHbK2%*~6U0`ZKThCu2j!#1&;kR70n6|x}p+Kk2Xi*)yW1qUS3(wu3 z+@C9wN3nF+v0;`d8a5kUbovWZHko(Ua`K27ChZ zSd@597*Coe0vF192!KyLg4A>Cy}q$^?E(Ulq4wo7jjo=#FFy?wkoC0s9F|Phv*S~ek+e8lEsF4r0~pZm3-tTSRB%t1lGD&rFtAfkvO*KQ1#A;xN68$5!!pL1c99W z_T&&8zERU6-3g6d60%AHe?jh@K~$en*6bjX3O=4{*}kR47=uM~N;=;JIk?!OESjy3 zS<hM(j|LV`YWZ4u?W5JCjsGT(cRPXKz#&8W1#bDR9AtolP?1c(Q7mUTs|RbDd6K*SKq;{;+L$%7jV}k5t>UW8+Nv?y+c= zZ*yNjmTn>I!A?v>%wo-bLM>}iQ}c6rwY{cOPh_M1RLPm6d640+v@r4ZCY9y{QK2HA zGkrYVS5*&p2U}AOG%tS|q+r z0FNQKpyzT`bZ-6MViLpWWC)y-4p#(r4koxMGhIF2bViH5)ee~3d!IffHJ4Q}Wr6hy z@a-8RX_YGbDt~FHwir*VgbimNqTkVIZ7-)}Upo`McW2U;YeWvA;DVP!ZaS$(pRJl5Sm3iR1Op zFA>F}4zAL@D!}9-G`yQ!Q_TQrW0CF14egAD_+07r*l8 z`8s*TYoc<qGhLB^kFC)A0w-+nhDQ-@vVro&{{n&3~B z!tn)xr!UO9!fpC_1@;9m-^Qhh1kAvMQ7Q{3V;0rKSsr4R=@T8aa@5$Y)myZ}40~EH zxSG_oOtcDhC`G_Yononl3Ak)m)C(e_YO>FcJs~p9SbB>Ct53T=v5L{zA(C~Jx~C+R z@zZzhU{&7tlQpaENn031a5Otwwj>r)c@7ft6t&L`Ut5w}bJf>O>$m8%K0fU$wc!}p zmLBIS%YD2`pHxSYM7zeHYf#c)zg%p;xh@pBv;VrT8L>mlP~3>PE7jLq7WNq~d-rbz ztyu7nq}Du{xmn$&Pw~+i%t|Fm$&TkSP_FJNVArZIg(qeQS~nH*RC|u>GzLSFSmwyG zRrc{ZmZUuRYwApi4X<3qTeNuTm56|vSsiq_IK$>QYlW=c$luxEpHt7TfVC4;QKKDm zX77-Y`Xgr|esAp;vc_8Z6*x0`s)PYDocF18x!dCYgj8P0%#wy>yuwLs&55?lDq$?p zUaa5*z0jP)VPbHw#`-rr2C_xHbU2f~@cH?XA@BBQ$$-s(t>r5=7(1{oTk0n@nfJD9 zep9+q$_?%~<60Vg_dcr3S+FN!|r6s&Fepn 
za%AG_wym0mPc>b#SqzY`r>XGYKHuu@dHGcQ$)jB4E`)KpyHaqHdwDH5;trQ#!#m+g z56$lnl7xj>c#NrM%IxZtmgrPYJ{Fw=9TafB6ek~*)U0u30K|pwHwhFjvr?>ggo@d* z_1&V#RlSnF&S#X+#G(*IHZD1j~$hrO_~FVj)i+tcr{7wvZIMjT&9?k$*xvyeyy1SRrp z7aLtb;1BWUaxx#+&fobc(MZ&@JMJ&Ii4a-~PO*0T!43kKQLHZd*%ieXlXscN3L!QTLQe)h6$_NY+D0DZiK{Ua{)}ubxP| z&uA7T52A@E3%42y$UXM%2y}#b+;I9h3vodIE>>kZ_;DPs4hLj%KAj842ORx3z>=kB z?F`h{5u_GDAf}*q0Kp${MwzuHIJvRb;^1GX1A~JeQnn)Dia~F3T*o}&|6po%>*Q#{ zCbSKx3y!iB!S@Z3LomM*L@$NmfB9*tlE)QU?3_m4P1$fzJa(o%`dx`%{%d;TNm@Q)5c{PUQldB-(*_yA5S{a=7fp3KZYn(3@pFGXRSOB7wl zf>Sy&GM`1Ovj2J0O~dt&{-T4~7Hdwu=USo3lU#zN$BrhwUeqoZ;9 zn?K3_MXJDH9yKG))BdCpLtOuoH(#P|mBhoN_hS42QdNGM3`_HNA0*p;4u~JkW> z+8GxIMRRn81}qUAweBBrW;BbP|8XcO6w@s7x(N!6QB$=yJdA^=vkaLdz|VLq%eXQX z7h#+8UusZYLjEPkv=@=ob0dU5GLXl*S_aHlVxg)Bk)#M;u`>U;Xs z)xjXzuhDOoBg>c$ZIV2LJ8)^f-sPfkxF~O`1zUN2piYK-psU+7%8yq?+R#!bo@lu$ zWKq?>kpHHNtg@h|P?;U}ze0{{4 zuD_%!?5`SKIjx*pMVOPO1A%-H-ix1Uo+W3}G&G|7?i|yB%-Ib3I+X0{>p;PRy#M@@ zwV*gg0_tQ6;Cn|4hb}iHyfeU_DjBEAU98)HB6o~5Upng zYwK-IJL!#%=J56i%1JtHj`>^DXM|Hl)!~f_Oik&q_VEBxl@zBO%)>%wZAde~dvqf+ zYFG+uy0&8bS2Q#nQr@~crV<=_HjsfcvbB==-i_K{|B0xbgkDHj8jaGAq@SEYwZ7br z2r1%B&d?#AzEF9Mvd)UE9Inh*Bwlf%&_At$ti=ANqm#9&a&=g6`e0{mK8*>HxuRX? z`+HZW{vty|a2S_D7_O8iHx2xHKG0Y=+x@3PkZ`r#hXi(DoA8rK2l9rYR5;W?w z1O6uFEowhEGTPeNJ7C>!4{i?bB0Hk!^IdpOsLj4F_rV6QIo59AE{D|VlD|v3p_ZNq zxRp~kPm}Mz5gTors%Y9!3oc(xmV0j|I1R%EreeVsffz+&!YGXAl z&H;pIW6^+`KSPr>cK~`114FTE6b3rDD45asN8gE)x@Z4BbS-BV@5VfmbQV1P(;CZ? 
zA&Fi@Ptq;=i(jnMy>s7!>Hz{(@NToxN)p4QXIij-uW|z9Kr<=qp7zVz41L`G_9?KK zfS}!FDsXwzgYPd46&+09Jcp9fO=+L^Y+u{0WiQ7OtF^Xz0QK2f6C+5h*5de8!%51B=nTKD$;pra?=Y4AtdJ8cyU9`S;9O{(0uIID z@S{$x?Wt^?aq~hVbvi;koF{uBAW`gtR>;X(`5?<3fahS-BTkZTMUU$<^zu$D-EO9z zw^xmzg!<*mtpNq8D3Xe$c6vLB-LtwaVN6ofG2LgsXxCH-#j?P0Z)s9$1RmT`>&QjB z|51QD<@=7*d(-8z$jHdO)JsBq06|#i`nWaNv}AMy>&^)6X2bRgG*jU3veuq#QO9fG(S*&Iu2~|_PqP?Ty~|+rJWWP3Os&+zIgE(X4>&|B^oR#qZ-w}udc4nI&-;F=*rw=QW^#q)!vmsIpJJN#mQ_gVbNE9Gh($cc8X)>8B#L?jxn}QU4o1rw!!|xy zZBA5X1$939<0oS*>xsdu6Up`9u)($Z0*8nEPcLrZD#b*fg5GhpZLkOnN+Y&Xn?k{U5ve_kDX1_C0NLN2q zvh`m-b+q+W?_kE%pO$IqyHJr$o*M4>20ZMl-|%ZTn1l+@g+F&8?5ytwW)DWUX@TRl zwCd=^N+x>is%5uqFyMiGUc^%p|6gV8za7F1?`Y08>`hqlPj_qo-V^fcDp<%Xv)+ ze?{81*GpO|;cgtV0}n1l-Fy&D(cjXQ>uTkw;#g=euHmAjjBJ30%b3(N^iPKjn6LJe zR`<1mdWe(v^dd0c%^6tX-Huk}LRsj5d!xC2H)@E=PcArR!ZW4={bBPZ7psu@rXTN{ zkrF2hw+I~dPZm(pWP08fpKJwF|Wj~MS2s5Ux@hmU=WtK)mPu_2egT$ zS0vq0@L*%hTl-h4M3S4WUeg@ufeiagLs;oVFTeW3M4_u<*XayHL;%l^i{trkePYkU zOgnU5o7iX{e@=H^T#$uKdk~)t7(!M;Pz@(I$DES`TfoxCG1%~<0&5n_l1fZx)VVZX zB-QI*7vK@&Pfum>4v6;kP#pTNRaJqZDFrDX(H!z+Kl1wDY6uBIOtxCUL@6B4s-OjBT$?h^8t=RoH(%yByNuAZI<-!hJ{q z2cx4S(Bg^h8lk>Vwd_uj=#xNZ7GeEYhbKN7+&!Z;n>s!rL1}4iHJ)5(OBMd=8mBxf zExs82iSUVB_l9QS*~EQT+eS_<6;m{7!`#U^0Eak)r!ppu^w)${Js*o5U)tb~pNUZB z$xbLJ=>3K=)_4M_V_*>nai5+{rKoV>41i6_Tpr^g#c6{j@hN}zc4~wFQdH-@$VvpBYZC>fzp87LGePiS@n*MRa*~dQ z)iLg4DblYKJ6gR+`D(L@DO~k^Vr6&MnYk8rT#0>`b<8sOJhw*vj*q#0b6f_;O*Vn=0V74o%ESa> zYLNiVo&`-qZJosWSE#N94x7sgh4u2?5{s~HY8IiO=9c9BJO)MxeN&yfjDb)_)RPz>ha*WK!0&MHuk=EM_K6NLL2AK)1Zc5e%MG#?PE zND`7|IAo$Jx=-taf=lNKvq&b19KIE4Ak0!o1R`M76>*F93yB2#pcY0k@FJ@7`TK1a z%E1&j`PFUaiQIw*EM>@dy{hC`rOo$n`8uX=Rt;QwaF^JO2T~Wy0Ws+=8qZePCjY+t z1-J(M#lS}WL80*528Wr~5KsirEw*^PeSCh?VV)1>aBgNW)FuqukbyuH?l=rI!|4HT z9hp|@T&U6MA#~)4aVU9pv3FznvRN5>tLnt^k_EQ8!;h|w-S>xGrzeJ^^A*J3S#{>dwMVA|h54}c>G1wg<7@9i z&40TFCVAXaThx$qFjdcgEc!k2#k?y<+2Ps>E8u|jKeA}p%URHV)-R=cA15mx{?&PD z!IM30OgepiT+`8Y3mi)-Q(UPZIA3&dnF(lC0t}wZh+Co}cO@4{0l@6b_)1l#K<1Si 
z%8K;P44N2!&bzJ{pp)dW`@B2+6X0(=zKVGL02v?_3fzKyQUb$XXwUf_o=0?9QS`#2 z=_>hsfwx)Xj!44ms#(@OZrV&oF=D^!11`k;RN7@$#%Rr)bSNJ)7g6&oiVqLYv*O9( zLSKmUcjLH0da|ZcQDJwP064Fl6HLdq?P`sMi#a_yWsQnhW+wbO%Vn8lQ)Y^IEgP5- zAm1GI;(RguprO~_AFwtW3U&YO72^F)8+qL#7T{FTx9Rd@ri+eM6-V z%XJ*R5%2#^I(le26rhluMywKbDsy}-h@l$#Q<`#q>7hohl=*28s4OLe2J|suRroLl z-vl6!5EgSEs)JUfigVp@-VVhC`IFxI26~QcD=aJN4q<))e$bmtc+ZF99roW(pfRC_ zZvPL+W1eWH``Iv51f4W@F`Si`qgUaOUNhl$IGfRoz}s<)m{UP|JN!A(0XRPuuSf;u zausxaUwzlKzD3305X*n8w|AoBP-jXoCK(V6W?aq`myawqC+j@Qix8uzE-#QAwJbuT z$I^@$e*qkUU0KbI1iJ}KmL^ACbGvyzXXrr7LJ!I0=;BPDG5&0#(A{Mez$zi=My%g< z@3_WdlqG5pv0E?dzR0XAjP~%lf9m~y9~Kmp2sy0C#*D=hv}o5eh`6KHEP0-WzZ1D; z`=|QAFu4;!$?y3UjzyMOlub`w;!TmLVO{vN^@_94>A)`%94C8n?0mP_qmT8TGpjh2 z^JH4Gr}bjz`ID!ry02X0I-b0(B{Y3jnz!0Q+poi8__k^PMeovfKc&i};R{sS zWu*c-b}sM0jWoRGU-8SAQJW`p6T$*OZo)gBi9r#qcl># z%FEU;N{ql}Goi(^(mVmj0q3QCu$gUTtTU42p7E_zVx%UV};{lU+s!){!+pb;YS zKF*WwtdOu@MblhEJsO0>n?_98cj#rX8&Vbpxx;}FA`Z4Mu0 zlUO&`?apN-@d~Z#Umthw+k~FORoR99y!AXik#SUVwBKXC`xsWgeK6+zYTWwMC#l~i zaD~0Es-|rYD&2)F35er4%hOW_~MlrxaeZU0nM3bb9&? zXsDN`o8-2Ax6deQTV^0{YE5cxN{MhQvdksc^8+@CX24hU37|+*?!*_eFqU3dnNci2 z*s`X7V{hWQ)L&%d^aA#-jckrU^Y(nEBa_8we}DAgh(44DYuxwT_A_hU@->6wLaq#o z!_j`1?H+DAvJ5J&v}a;uCZ*lbv@`#4fBRa*a_DD)XU7{(E??E(?k6!EtAeW0F*KirZBe z8ZncJlyvO<9ci7zD!ZfE23^hP7^1m)Q!ArwFU`hm+X@whnCRhAfYea0iQqTvHkH;9 zOiPSYM^h)2L0U(!aQ?mqW54<2gPb)O_XifCxQfqYI23}*5GGKXOShltPU5O`JEXv~ zEtlnlb%};RUjWAefnwYe1_dv%kAki}9YNK{6DL_&S5vvkHX9okOUoUdhR~?NA6~l{ zy!hgzl#-&@D-qaJcjw7)ytydKa65R#jYK^%@Dm%r5IhUjs(0s zt3S5EMoz!;hLqygZ20i7fxiY`y1E`G{DyvKOZ;4S31e`%47t5f-7)g)FS`$zzrKIp zNgoQ@oOxN{Z2$P-&vauSGnJA%?^AA?kCTVmK1LPG$F%CWDjQ-o&jN4WGYPA^tWH>T zvGvt8cy?qK$l-dh5-p56UXspGHmSW#RxZCkLFf&1EpBP|4Z#wTD8hFqsdsnj~q&BR0Q2)sZIW9AHqU=&j z=7)_9+idg2#_HzrP*g-B*W!1@NmU%jOM5Dp#ghehd5_h6;u8}8VurW(7iyEhm%@j% zf>+YY(84ImzX%#5PccxVOg;>@&d@xlQ521I`jCvPEK9Q&hlV;~MiyU%Op? 
zQMk%%9CLju&=kQgZd7$qySNG}H&0SZoHNf5PSPrTsCpa()4n@sk~tDxFv4Ms@32z!uGce-GI8p=Bv`oeIZrPqOPWV@L{et zT18Q@#bIe){BUZ2CO7woVA-G-KCc0+%GIuCtuc!$6_hO8T)TZuKR7SlA0m23{>IM; zvKhG8VS-vHM%ZFW#v!vE|D*lDIhkZZdfej30QxDP?bs(^jMz&e#7ChsRjU;CVSKGaQZTF5?5jEw43pi0EWOh7jc^p38a}BaD~2CjWL+d zxdSf}jqyiiv^1DN=wmF0=p1}6fa1R`tp)KeWk&w2FOWv=;tD;WJy&)5bFURQ9R)ru z2D)h);(koJKWo9x<*#1pP=!Q)>czgiq#7r5yx!IIua{2%1&?w}TnvS4XR(Qqbl$e& z#CSR?Cx;HJs|d@HQka(oqH0pQ4toDtsgl3H0u}B#LL%v&jjg2RdMouL!Y#RvAXfdT z<>WMzf#jyWmdbHJoT`KnjA6^>B$a`uqTKAIkLCLRqzY;Iwkasn*Yhni{3g2b8kM0S z%zj-^BOI1-iDIgFe@6gv{svI@A?wb!Zj*6`zw7iVQQ=dq;mVs#iy=f*ihF~9O>vvI zoF8_@uiaDK^JXGE{n}yt8mT+50=RwSlWwW@z^oa!TTVCf9zv`@$gaI zvLANeFdMYv#ZT@}s-1fFQga)pK;C|`mE^Mg1b+irEj^O3FqZfEXGbXhdJDHHc2H?y zLR@vod$bpphkGO$LUz)N_B&(~0+8QKwN0MfeiWE58vgk4;vYAt8NHWUiyXicVrue{ zx1Al{|BJY{jEbxI-b5QuLa-!2@C1Tef9g9k$Gl>UB&d`SR8kFcrlvAn zV-VBTeyTJqTJYxKU1-s;2>EO0My@J@WN^Q_XI9B-rv8QR#;oE4%$>K8GaG(va^9apqboxbJYtS51DOs z-DC2Mg`M^?ZI50}B85|4VJx;NUBY{y*zc_M8AM!BvcxgLm*5s#dA;6GVP+#u-vsh1 zf?jyR1YGadqK{muqy)up-Vln&r+abCF4a~9RS{ZNN>g~Vm+UhYRh(4Y{%^2& z{4Hvt!jPGrnV6tHLo~tN2XMb+^U02uUigsG;9ufVl&Erg!Zg)fJsDbN8-SmRen@ z&{2m)5-@o=KYuBCH921GsgVdi=Y zXjn7FHiG2ia*g60TM#y0xTEWm>)zDuHGE%)gtmkz=G|0-?SkV{%R|f?4my;5oKuAD z`~IK!_*2#WoT1@(paX;)97-E3X0Yl&9+h_X~IPAv}A z;dr*Us6JBn+)h*C`W+f*_1D2;3Bw{N&U+Oc4y zEhK)BTdp^OO4Cfc}H}fdZF<}^(G4LZYpn!t8Rs2 zC3~P9jdb{@(6!kKGUGhC+UtFl2e(h>&L<7em0{?(w zaTY(5ZVNpByS2Xf)=c3XOWDJ79Zh}4ecP=D%jpg|TDfZZk`tZqD$=_#2{)jvZ*zrG zbP`fqSXZV7NdPY-EN!_tw}JC3fd7i(^woS2GwxwFx%vEJ^RToKMy-E$b(QJ7ytkot zbatK6tPw2GMo$$WBzv2k^HHa&sL28tO@be)>Kr(sCd_Gdd-RKRg`lByzvrn|kN@dt`b2b zDLLsg6jR(^c_5Q`)W5f07iHz;*81^+9|};k+F0neud$lR;K~NCSgyVc)H>KqXx8%U zbDX-dlhz>o^wHAG0_%#BuNAzS5`5R*oG&S1liXeRR6z0NLpzoxAzbD3HC5Z0-ioiD zgblb++~>DxY2%77!9_IfB5bwgoS(IepIs67m*-IddKrfIX=YC@a_`KcBkQ>(NYMa) zFTW^^WNtfdrW)o?kDjA*e8IJQnMe{(Vr8Xbl$@Hl^*P7VsvuvCSK)))a834i9?}6U z(jQn4g2y#=pD&s%n)MlmRBwAClMTt9e{w*Z8oh?>6E6zF)1iWJt`YZpzjyT$GMftSe(1W6%d?j zZT>q{ 
ze&3d!x0~B7gSHzjx__-g`!sPVd`5pYzoX)j$fCBR=)ah}qR*jm;r~hxsSqOz+cEyg zx1)dpH7KgDzvq^y{%3^S`_BlNE7bj80KOu{|7ZsNk44q;QXdt?x*v?(-~f)Z3U%r& zj&^o87ZAJJ4Niu=Tb-Z`oUhP@hW6_}N~I_ouu-dY;yVziOf~{v#Mj5mOOXE#t}XX# zglap&dQOfNL<-~&CAnDA`dh191ZcfX0PvuDBy$v{lWH!+vvRQ>^Yw!(kcJ2#4st;; ztM%+khfCP7<#p@_f54M3nz+9|D;}yM=<*RHrraRG}6g9J_q_ zeBwDgDiN=nzA<<71^$+FH(mOp9VP^PBA8OrQXM8(pP<9Ieaf4>fO|-#z1ng^33#^6 z3I!lgjIHQD)UWdIi0h$0g#T?#Y8sN^a8k27q-n#dtOR$G=+7l>z+L(eNEfm4juXhmUcW;^?_7kakfG5me>#iRF%s?{{B~7UNkkn-K`TC-|M2*i zW(P^j*)<=HM*ZRMMNB}r>s{{UL>NtF;Z9?I5VVcgm82e2x+`UYBXgL3{J;>8s zt;BgxBQukDIuTS4T8|njk22|tqcEtqye-?Yth04u5Cc`HM9jPYP8aw)pNME!)!R+a zPgbhd0?nUJsEHf*PUre>7UHkm%v>6sh*@=Vk5B?zwDf={+rbMBRBbGNY08`WZ$aid zU}0_=+YB85`=a*U_DAh4-WUu};onzo+_)goU77S6)2-!L)$F58;Y)qdz`(l$#o4Rd z;=8M?yBjE~dy18N;SiiyJwi2Om5l#*K5B(1pY*SJAk6=9`u?vLC5N~Jq^6XM zA5ECd&>!hhc5U)+(KAwye%zCS>3LzhI98QFUs%hR4#|lXV!t{P(d~vCP~BH~9Q+9t zq+l9jnS6r0;dLx515`nIW-CLZ-3e$wO`cDtSx2D&h6) zk7QXcHi{BX1p{=fy3sX@E` zP1WWrN&1}ZIjY4j0m^J7ZxfOjS}TH-*Ov1qg2#lUrwu%O|#-_R#^t4+FHOeQ*_Gbo6cd>#uAMI>t`4bnRsd(EHgeAP+=Z%sfUcw0| zfGrcuZ0&{qfeseQp=Kj;zMQct79qh^2fN?zxUVwTqT#Iy3lS2Pp~dhXO3vn} z*26D5P>shN@0T`#g~5ufja^F{>b6ItwY|eE@I73EEKRak>PHzzcXsH6O|-V1$_E*H zPm!%B7q0f6Wf-q_2A|3Y%locGVcdu+AWw*KBn3JYE>dn7k56X`6R{H_G*l`=z>`73 z0TaBilDZ4~P)<%TCROZFZJzP+1rhqYh!bB&=EY801NKWdzhCsmXxB;GvOFS9c9TD2 zlj%FBkMz#cr+$qW@dQj}W<4)u>nKK5c$PSb9@3?I`|Zhn7gdiY;HI;h?b5@Jw!;EE zRJp~*&%8Vt#c_gc4cs>KtDG9CZQK+&1|6d5hT}ye-s1ztkQb(xb+hOm(MXrU2518t z!9`F0>@mb!4FKq-frgHRv!gb2T}R?)(GVlOKB;m;aCI)u&$t*;VfrGsE%0+|*3U)T zRmy;OS0Zy`BvV?<{^&oBB}BRttS#)DT6EVYz=a0zOh4L}fNm5xCy|j=2PH<&=eFQ( zFnU0zLT&KmN>Za)&-BfH;{%-G=->_Cn3NWY>E>4xiFd28^#0f~M8GhgzqmZADS;IWwQ7Z==TT#_ zR!8?x>}6zHheeNk1p_Fe1MHK(>bGT&rhPmv2?DchZqsx9u>Tp}UD<># zuH*Wv!TqV9U@|q?lu~@X@rAt{AgFz@{fNG^4W?uE`5P>aVgXvonIXf5_S(ztpo@ck z94~`uu0g}o!@lKI9p_=4IldiMKw}7;7*z4ocUxzv;1J8Fpknbd_axI^3z!Q>e-1w1 z5A!VtoIfjI7irUg$vaI`P*c+bab$Wb$XKufIKEI+lZekwKp(&HpyPW*E>NL{j?Wt% z(%g=xMy5e?~uiznOVE9?(YDd;S!y zYVYb->+<;7=>dFI01 
z%e~)gM-X=V1C9%{aWh|}0Z(NR-S10|ieTstISzqbOE|zp3(TT+S`!yaV zr5abb{oBM{_m5Ul{3;ua8E~rWG;p%fwlB__WEj(Ns586bVtf82<*6=i6k}n!Dmn~p z(wHBt!X*ZcRCE%A%5Rih-(15E1$~ z?Rt{8ddnm9^3fRO`ZUv>u?xv51gFdBO}*oU8WyE3j-?BKw6S*H|3Iw(k1}Wt3r07@ zB0D^kUh7BSGZ0HjLGCj^MNj9hU7-)B5a>`G38r1HS*WhIglbkm40P0|dmU-*6EFKm z8@=ysn@0N1OD~6+zux3{r+U&%_!<7*pG%?Sr2bF%o+3}q2WlBjK|HS0`ici-qtS~^ zcV2c`k+&}o_ii;}{kiB2Om8;5+7s1|(HGPcNz^_TszIW!C*iA7_R?`HY1Pm?Mc}|6>DkhBl!}#Nn zjjs@`*1oXBTwOy{_L>}R+_>dm=g{0yB!ePBXqU2bwb{W8HI zeVPXYpnf`Iz@gW&X`DK`L2gfI zNus}Q0x*B%OXQq;etWCR_PN)E>+q5n-b-ue-6UB=X$&>{&P#w^YRgMk!JhJRejL+9=bNm|dChs_80dkK z3dU-Z2`AUZW^}n`SPgt+>BiQH1%jix$f(wwRyr=e5&e#q^;j*DF2IYoJu_l`i5;69 zMFnP(fC3DoohE7p%$`UEpOEM)-=Cws`l%4f#}K3~j!kExHz0uJLb=^w$C<2yDh>xz zDE`3OHtz0v)cm>)qJq-VT=VaF<|+mSCtt0hV1G&v%~2;hQ#9#FBbaA;m8 z!`EnL--2K&C4wYKbe?U%uCT9{Sc$o_e+R8;s*JD^9 z)yi_K3N$}CO{ch(uhAr}Lc(K`ci$E#x<%1O&VJU9m;Pw^n)Oig0%aQCvP*uuD*=!f zPSGio^^wIn;jG%z$dspfh$D;wdxO`OgCE}WG!Xsvk~qS11$FYJWkT7YTB{xjVv<(; znW*=g-~q~C2vN$sX+?B1)3t=Fiixq)O!VX|%4>;zSgBFMx^2-SLtg-irjlff-CPx- zazSke73L-nJ|_*4zYx5J6scoXlpifmi&uW+-#@U6Gswo|VX5C=kT<&^9OP5Dp&ix8 zWp2R$%h5l-{Q0YzYS6b%{qT;5Wz~ton?GGFWyWbJR#0!W;!C&)L8Q&797=~$2s0qBzpI&*$(|{iZ>#c|{`9Z{+3fI>Om-!mu6V{<>C!J9^nPyI zS5~;ycBxWOL}qW@zk^D+AB8+kiarFjA5TY!PWxBLHB;_qiXTWiP^~1 zGnKpPrgna-o-5_f=ZQ!kU;C*8%ED!=Q2dhX5#8&=YDMs_)?S+7X)iB{0VncGPM)8% zZ{pFbyj+rVdprx1G!izET+#?Ei>H_4IQcko&a3c*vx&u|p+|Pp-&o2bnT{g|J4J5PDfJl=#hf$ zhFyx7?7P-MSx+85yqe1P37Yi_unIT+epa*hwotZ8DP<^U7Oyz^vu$obuO#*9^jY8;SS-S8b29N&OWuxDFM@0$!AndjW*{CcB z3FZPBSE9%D9Y@wHwD^b4D?o2Fkv70PuTb`fE&zw?zO}IG>rfw_rZTLP0IfSJz;hOV zXyYV5_C;1h3FO{1z9yGD{`9cYm4#tl;56Qk-AWlM0kZjO^Zb5#ty7vveJ$APH;n|Z zZ7#PZe>|~_J6lA}MqA?|F!#~tiuGlx%UuM#r?&;>@sh_Qz?&6K`TO_}$hb+S?wUok zacb;l5ubiu2(Y8k(>>bLOgq$PrQ{zoqCv6KYBaU5tP$kimlatsn)n=p!&OKli_3S% z-WbCun!_t_%xUt1&K>Ut?DQ*!JC1^7DBtt%2508WU#jVg%d*$y4SPiqf``HVYfX_? 
zzM|n(b9(F5Ze;aV8iPe-+mcC1`B4S*=Zwbp@0yMGU;uNL9G}ACmVm3o-88^N7SKy7 zipa(Y80;8L^@E{%c{E2Ne3qCxJ&A$zEcEV+I>ay*^>h-_yuDhJ!v{dX%)0q#lhtgK z{?p49ER0k%PKF^pkAt>W6!Ds6KjXw<1@# z?cnydaU`|p$qPex_6ZyIA;o^ToB#ZIb$p)L;AG2IQN7?^i9pE&xsNLDp8wo7)&r#9 z>`dyzjwObE%yi8`Hg0WW9*z_bPlwyaK3PnPa5@*{H%+hT?WL3t4Fq_Pl(T!YPbJ>Ad%NX}^+W-*Ls8xl z7C4O2Ymvqv4XYc)UNIYHqXDIk{nh$ zPWay~e13J2L#V2~K@uOFs26ohSiB`Y^JB0bDb4`T^x7)ixOBm6ReY}~BW=kgKH0MA z*x{9AZ)}@UEoJa!f>JfSwg>t*=*R{%jug~hmu2xe-u4hvT;wQF5TG^b0~CP7FN!t$ zz}wF5Nix1Zj#9_0VDKx3vt=*S<<$+k?bV4RF6GWtBZ}x4Tn(_3$hxx6%>>y)UvqNj zSCKLXelu&2NQ>vsDbHZ5@ae-tgvzGW&U|-iLk1Yfptx?%r}BfF6uz$lC3T&muU z%tPD=ZwG8-(D%$;w_%7`FRqZ59$9ENA$~^~YZ>bae|S_m-&U=zIOCW#pYkdPKD79< z!fVyLR)co^WkWSb`OED-q@<^VYjdC#=a#x&M+tPc&?I)n<56*i0kOsLS-~0L{7QO; z3KC0-a6$N;;glSJWZHg1nfM-Cj*hS^>{(5Yytmn!osUoVu*+CFKLI6Fl`pntQ~SA# z8c-$}AU5S6CLt>yXdqMgjmp;hH+bNg_P7qP9%5Pk!q}j>T3_8GVobFZqdB4aV#1HS z=F9+bx={hQ%Z-b~3>zN6dC1GXH@Uxr_qu0IYgJ-HlN`!RNEu>uTRqfKqft+!EMT!u zBBu1wXzG!Lld^7`7fH84TNI1x$%J8t-@2T)0jHy@xr#D`DAgCI$i-?&SwGPGF1DW0 zjC3`rjY#5P8S?UI?c&jPNb`NqB2SpwT-^-Hs??R1<;F0@m~F1J4zWt{tliV@lt9Jh zy(~~ZJgIgpSNuudRfGb7#u`k~IntK!hHM=Kw>_k1hz`I$uQ4 zw4LWFjJF%B$D{VFcN4XTD2?Tyr!knxJy?|WZF%_`cqOho)dei67kw?^6uDjf=5FbBm>()uv=dQxOWQ(Bfx9mzY&&s5dxsGJq9}nnU2oXHoBx+r91gM zfUUn)mri4EQ7&}Yu6lPwvNU4>00QSeIh*IkTAcb~>En07{R!B!HNfc<9zBTGBS7D> zus3)w_+e$+C*N&xS5opXz!pLJKE*AZ_8m<(8*=xu5>n#2ovUBR6+Nxg4^n3VHxCAV4d#h!Uq8gZLFlwQN+2?BX4!FGSGfnM4)tjsj4^?IgyVb@;INRbYX`B-6k44KxjhvF@lq(*}v-*43w6x#umV6N% zwoS9>3rJ9?AVJRTjIrNaX9Tg1>~#~aD}}^ zN$a}8oP}bmPJRrNUZYkq#-WPaAGsf^>npuaTxcbq!Ch1<`QW7zIbdGwXi||is@{5m zcks!4{S%1G(uPaQR3$R`D)2B17lia&s@r4nQi%dvU*i^@D$m~z0OfRrW+{P|?|{&B zQO}8%j5x#jy8&LwnWLicA+^PVjQ!^LIMb6Uqx4cAoT8%oINaFi^fn9t0yr}qoYP|H z^Lr(s(_i0le?xP1vjq7(!j3}e*M?+o8L+vo!YP}j*yAJU#7rHTz0w@3o)jJViZ+*# z%p8?x;JWSq=b7W(oGGi`!X=(n{j00G_EIIwo`w11Jd42+W-f|rQc@oQi!Mxfk?DHW zmoD@j-rO;Ibpuu%eI&GYMaLh*;3vQ(N2s1!taxb5L zvjUr+Z80PE69$Dh^{kL;mJz1?u|ah4XQ_XLZ7)|iDsqG|y43b*YAaUaIfeSF&|$cCGu-9! 
zBI3Am>wammDXDt|eB2skm(-z68S`T23bw5`tY)GaBx2o&m)bPT7v#DL9ypqTI35g9 z<0iKAOS3f)#giNfxS920o%IxkccZKsOLWFyynb+*hAv+D^9QpreHGcWH(cwJSnF%j zMu9S1M$5A52EnC5Bxe!_yr@u!6A$(90J!%07PVw~To}b<6S&LIwk9em)ax6w;{Sb> z@C#1cnPLx0!N>3Ef`!`7`N$OD4WP39&_6OoWZ#^E=ghIfO-pLCw(f>zW;Ss22HEXh z+l4+W*igkxmfL)rJbEG?1GEAo1%J}_ihL8!fcBdD@qRKLvNwedTO_3mSJSnh{? z2_jDV(ac-7vOerFi$(Jas)$Fx2B)++|2f8WF~W$Pk71}?)(#lIC(N^d4=OFkg<(ae z3pMg_FPCF0`N=joz`C-!X#-c&t3A@`%~sHc9BJOf6mGi z?SqKtJvslHylU_!h!5WDfr0{E?Q7|r=722IWj^3Kmlmss+q1Y=(&34~i4_Nn=D*;7+x=uC5OQVLq>`Id z7pXw6WR3ieyzv>e=620Id)=dZ+p&A%FqNxL&f4@(=(MJZ%TDM8alnZUSl(Fs`i1!$~kKxrNwSM*?>r+77}C3~-^ zWVzAFjtCbhTB!2e8Qc^t1j@!j38XvQve{b>B|ZmSp*5ALIfil zrZ+y>OA*$rA38KdGcY4<+1k*XLb!9ny)bz*Zq#AFa-XvySgSUo)s$CT`Q&@%)&}JF z%PiS2A^rx+-7jC)&WPO2X$VNNOm*G^KKAZoD2y3;cU8)1iEsk~m5h(X>B6iJv zII>S|r^sP(xZK=MckinRc;LAHi?#WG1^fJO;DY{d7UeC00=`iDH{#;%12O+Rio+&~Bx^k_U;Iaz( z8S0j`vRw!)v&dL@* zK%cal5*qVbCy-Q1H*G_2h3*e(@caR4ztz;YhxwU)A#?VnJb)wcje^ss@{$)Id>oK> zb;7QnHj0d{IAInT9-QB;D{`nHzpHjCEO?+tC8c3TF;k*$Wm@reN4vr=xaP-)pC!Lu zx0em|t4B~BxyC2Q2B^O)0DL4 z0pP6-DMk<|3u%@-W%JzBB_*v>QjGKU6dkk!vGK~?;;dnq9IhYRwSsoKfgUP2F81NH zforJoPUzsAzwswKkq7)RJ#|!Z3{U>L2&^K!6f;5-h`{~Ad5{(EW(c2;+LP5Joi`8n}m-zIR zB~KEgM{q@5Oww5cKHKJbRf-DOfcyE;QL_yyZjXy{!q1sv>2F_AtU>V;wDUjie?Mv; zIHwFg;l+tree0By@Qg6*d&rexF}QztR*JUzgb}qK#5SYf+yq(t9H^?%E1!7F_GC%& zIRFq=XRv(4?pXXtuUT&*NFUFEyN6r=M!&g-QIm?;pBY@yx1q1A`B-=~SK`B4#zugn zW*H`i!1R!tVnN;c$$JsPEFERl;6F9H2&+YznKpwD7iapz$dYnRj(K+4Gv!5jJq-Yi zgb6M5RA=*{s*E&4m>%Un${Phg%r)76F&Wde*pZTOW{jB%A%dkjlF8OeCe6^8GB8NB z-v>^iW3janq$}nZ5i+^3&~Gqj{X-vbb4&qTM&{6<{pr=$sGQo4%BvWd)ZP2>L4;TU zu-Mwws%-#oeh4_bbS8#rnAsd@MihZBhw0zY@*!YRF-P#WUn{uwZoNwQKD`k71X8l+a^f9^*^3&m@ z0en}A=H0#=V>K(?PKU7W-#{J#KG92Qdqt4|>KhUYK# zZ7N$NpM$Lo`uq#EPIq^=xs#JOdl)V^ zTBuu5y?B-;dZbgTvCCr1^T9%AiYh}czqG3LD&!9ep3Qk<_C(RHB9el?BB;TmTwpwJ zsKo7kQ_2#}yG=-99akDf+DdoLP)B&I#)n_`c!(XM`;jq>?%CB9P&nWkjLQ86+_iev zdhAd8*VZ712TGutU%vEp`7bUadxsT{*COstj+^f0so7A^p+q@az0fe@{#Z&X8t3+C 
zY5opL>V7ok{z6L1q^Cnr@NR2k$NkVs*zoi5#mqjC@@bnb1?mRl;LDX#P(&iTF}0%9 z6pD7q;LhI5%U9MAg@^ll*!&hzc#c5aWBb{1_3KO8C13x<`jg^?=Q4>b6>My~Fc!Kn zGS(B@)4WGP`goW*+*X>n{yPLSAq|oBdT-_E-ec6l(h&=Oty}yi19)Pi5 zJCB6xop+DxFm&5dU(;H72el|Qro6~{2S&$834Kb$%cLZBTbGms@|9JgM>PUox)HRd zJFC0UEMpkSdiJ~LP`$i#oRk=u*KX}uKbJNjI&58OI>7ZTn1BvZ8fHy%V}9OxSA-i; zGSV{OUT)~gl&2EO?LBQX2ZLlDAddJ^`6R39fsB6h+FCACZ+_?yHsCN)c+McDri07W zpK89@aqy?jMZ`euz*W)%Xq~(=Yb?r-;#~NQ-grnn#mq4vH-p`cUKsNd-@dRBRmrg;Y8d z)0*Hl*G>Iuks)2i?^YkU~XtVX3$#rlG{q@=>NvwgGY=XYyf zy!flsVQkByUK3+t-hE!_s%nzwq1Cz~ywNh7F_nhjhVejQWiDF#?O=zUzJ4OAmQ>jH zvIIFg<>B$NqsPT|;v;0jCx$RI9yX z3;X-VM)T;;d-s~_KA=2{+7Iy(6$d@o(?*_Etc|7ORR`O)X)liS**+8Y9S~n|;?xJi zx|4tq+a;alcvF6IO2IsL>)(4>r6ji%b(U6GF3*8A<6ATnQ$Mzfq{ZIh_zDz<`m7&# z6k49)7(!!-`xTb5n?C;2n)=qo*L_(4WTAL>d}2mcRvsWTwqnO`)ep=V)E-12*CWl- z8tkm|2NFnK{hW7a@#$%%?5VVC`H-~XBX-H25A^BiWb2Eb&F-=jtr#>AFR`nCg#m%zUei*OegT>MG*iV3@5$HZIza8DrL5r;=So~%os3z#2@X`z;+@N!3X> z!Su8ZW97T$*1_WAVtWlgvlI_s@;N`aZ-hR(Ya0m!bN%-I{*5WreuQMMp;{$N%wR** zQerIff;Y0Ko-QI03TbU=RLf%B6Ge6cEZ=80!pe0M9BP|=b<#({6Hdo$&>AFsTq4>}W5cAvA?5qPHnt{b;NqCznI}U1d z-)8U7M4n?w0uYNC5!2?gE-qc&2NYDjK3pY|S_3`|ZgwBs2BV^sHx{s!Y*5YE&_HIu z9zFOu0k4j{se{+sgw*<`-qB6i2h)7=k@n+E{socN35qD>hl9l(RYZXXx~3$7b)mOV z0LlkYx_4;tbQW^rLS-v2ogAH1Lo+3V40h}ovCl1m{!EW9UEJ*7IJj<45Wl~|kdz~p z*;DH2CB;kU7RzSNo^Aisxrz&xec)Dsq>>cV7HA5t9-DAa8@*GbZu|6s6cEs+8$=5w zg2JsH?ZnN<9)hz2_Lo)~vubFFc$-^!?=R5JI|&ex8NU8?JQ_o>66H=V=Kt*(D(7jy{2DN=Z$FIh1UTF68Mug`8}}CV2E_cRoMEfYRN=y#E0Kz*2`6KZ6|7 z4^rk+_U1(r8T=!FF3{`<8!3??0L(wm5ULLPG1hx; z$*XFW{a9z&cD+f9^L`QiF~`f6MiztdDWBg{o)~x%G|?%sOs#L;Jp$OGhJ|`CK%mig zye4*)C0{IqWq;=)N*rL{I2<~mCMxpS(xKmD@7_E%*IN@0KXw`>=t-@NBv9<}TS;s% zJ#TLifVkRpBsNjD3aaqXvedNlDmU5Btwn~l$55dOFS(j{7!YME>D?NxU0LraCo0WH zCKIyVIdzt;D>d#@^Eg#i205a)9gp?cf3)MZs^;{|x)=+rNK~pI8JOTYLT^eT_ih;e z{mIhRbOGUF+5VD_R8RNJlyrU;cf_=Gd|n8+o-3JERnX)?fCKV(@>T1O>uO$m$t`j< z81k#qxt6$aG{^bc+5GJA5L2)@xT-$ZbYS5snuu;?jp*Cs4DxApzzgrm1N${4xL@Jf z<|R~hA$XW#=An2GXfi6Day-Ypzd17@ewyjie5j;6?XKFY+9CryN|S2sK_|cULT&5U 
zJ%D&5?2IIu5I0*XqL}AJSP7l$z7y zXY%LKaIjJ=NgtRA2IN|6yGFdt<{|E&@0flUonc^rsq9j|la&}8fSgv?t<`5|vl@{x z>HC5?9ny$%n^4;LiYonUT;kTW$I5`Bkk=0Fyx6r%C*byR$v7M33O_2NNQiWwGvu8i46kX|PMLK&2o17DW3rFWAW#r#qjzk++IjFp z`xTd9HiM0KTgMMs*VQTLi8sk8kX+b$;FAtO!MmNeSDxUaTZE!R*V`E}L}be@Bpvwc z^M@3fj4Uq|F4#J=h_&XN-S$HBIAZe3!i!_DVTNfp6KsCrTW-q5xKf?#4Qx_Rf0gKX z3?uC78(G~=uZ=~c`+jm=a{(^n8WFmTEQ4^_OVF(|xgR@pk61r)(O7PRyz^ZPtyBUu z(T6rHDP(Uf5EA%j(HLorcJRISu&Cr{AdVVkzpAeh!;Bs|jBwL$561^cDdHQUl|28} zx~Yia7mM00)k1oM6ThSK!eYMNyDv0@sv|ir*|9u}^o7Hoh>-=wdc?E>nsoC-CZ?&{LHC>h%*gIzD_Ru-HWxEvD! z9?4Ktm~9i7cD*6Zn@@@tZnW$tajkswGpIZqHo!(s=GwCw5ox!$Smi+j*rB*}zHBo3 z{lZeAHO02*cno37kF6MWU}J~ZJbh}NgJopCqN2LAP_9)4uQRGDpL%U)Wc>w*a~@xi zA?%E6o0ha9QOORk?brMHcqW{cGO=vdUw6E=z^@(-`$e!_lg~vl`i4r|q*8HUq(*e6 zLZ_-}Pp?F*X)7wDJ3Z?#yeVDxeMo&T=FFDXeza*u^?=(cl~$?Tko6JJ!vbW@t@2PP zQnN+i1#s8mV4&!qoP-L~*JLiZIIq@`ohYQb*RK;4t`sj_-{5pr)1UngJF}rd#+tD; zcd?9OTA@3)z)0na!fqGMvbACUU`U6LwzG5^9bijkLu}bU!=hn3hc~m(+PWy(#x0p2 zik!c)aSaBcMyWJUymPCS+~%Oe$t~cg4@E;*W`VgnJ!#Te@&iq~6FC`<`(ot3_pm%; zO6|XtW;B&|EuVW!8_&!O&FT+{60D1-EDy@=E;WuMP6CD{Y}>yz zvBlfr&7Z4B40zTjfNS4VFIO11rpdyQrcLE7$kUOobP_6H9bd7!kcSE9Fw`-0ikBC9 zV>6R$oCaI6nrUFx1-djPUtVj4iY}FYkhKxli%yN`79=E$)mT~Z*ckUpd&XQ4`A?x+c+_Mt-BR_w-#vEbcXw-1LirO5i z(&=_KYmV#RF@J7JVF3x&(5GXB5u;^Et~-Q}93K#8jV!O6TLwBt7>5>k^N(nr`!49ms9vj6 zNKCfdgFS6;N4jy{!_(WeHPXor#|jsgDib;7szY3L!gyKQ7b}c`u8VspR+>|CL3`cJ zA8cfS^8OsDzWEQ_A)oP$3t@y9JC|jk@di`*%uLehB|rPcYZV}th227~Np-#D%(Ca| zRIVpYH-9~PU22rEMl?%nn&veTkukrWPVH+*OE9Q4wyi88SRz#rlcAC#5pz`74r`yU zVY;gN6HiOJeyha_J6bm9XXxyz>F&33Z<trOD=|; zgZ*|>rGfk$I|$UgAgAndrLyQ`31<=jnD}{S2B#3<6IdVQWT2_3L6LnjduWTR>Xx=I z>x63fkraApo8T#|it%N3iXA|n^+g#}Z652f#$4zrtm=ifulKg39?%`}8Xe5lQ*8T~ zOiszEUPedCAJ-AKh7$t`sAdk=iN(IVW&FndJr8B2_2b+fz?~e>`+m5y@9Tbdg0DXU z5b~)1a{bfmvd-$sPAYyyN?g|>goYusRdo&qTh@0c$Zv6X!~A_T=i{6XnRRECQiW~b zBsR914Yph<6sG7qSBNxw?n1*+3nJV7_VpDf>=#s&e3u)i-Er=swip)SLT$A+QoF+# zHSKpE>vJ;b;;K_T9xbxnvu|bG^qMzs=QQ}ntfWMt9}bnP8Ml@lutV`gn|-=B@{|@H 
z$lW1M;dYCOb#_e>fGUf(bSae@S6x|Hb@6sh6OYsVte?YG)WdEMnXT6+hN? zEu2q{^QMbsI6Pb9`Zau2a@u3AUbEqr$@!DnA1=3@hskYW7Zxb01C>Lb^zY}vT78}i z7I_|iE^9aQjoGuKbHvL@;Zt)Bt|#BPHq??tMabD!V*H|E|lD30%47ac+fNeCJU1c%`6 z?h@SHLvVLzfFwu)0fGm2x8N?p-C=MEu7eNG?aA-IPn~o2-uKqtb*s+lPg7G&Gqcv} z?sq-*`g$U&fG1(DRKlyz?da@^_UfnbO4}O?@d{ccauEv8L#_ii*MRK=>U_Z0S78I@V06F4TJdMpaF?Ga`(PPzTOI-jZLy~YH#uQV9s47Ml>cXp9tJ@1uhy@X-6%G&28KwTuSbB?8z{nyJ z=s^!hODG9|mmsgcR1?vX3ah3jj<3#+-m;Ic-#gR&KC{Z_u{G6ap9uun3V$X% zX$z#=mnP{>dsqU>Jkk?!-f9%il^P_d84EvEXQibmiOy~R zJGXeq`CGhG*{koU->!8*%7oe&r?Qp}k8cjN)E8BpK8Q-IXZ3FlmF7|oPGbm}s0`I2 zBGH+U&E;u{Z4)ccc(i@najK$U|I=qj<>gsuBZ=3*Xra|3iBhCOe8Y1d^MwkkQVA84 z@=wveUzlkK9D``(6+qhvyk3-tP^A=iI#n$q?wfd>)_+}&@$dhlnCKy+b$q71otB=r z11eC{3<-Wn)LH>kWj*^2r$un?mzsK&EP!Edl3 zYzDNI+Md<(s3tcsxoUsj4lPXgl+Mtk-|%wgBrGL8#S^+mT<>Kxm~V_CaE+l?`dsib zdLxgd-*qo%<8wuBdB^Pn`V)x&#i&**bEtxehh6%HJyI$iucT03tB;~YWWs*Xd|}&` zx{>)_IqwqCL8xBUz~F~-|9MNPcB*sp2LSD=cs8)oagRdoOyv!6z~=AuXu@_f{v4Uh zUvM^o{*J-jP#YIC#z{=fDf#F0gT)dsf61_9?8Nu)r(j6Rrc59Yw^^_4Czp*d6aFlp{%p6WqOetcq@gML!AFxkt?^ zcW1(PM3;LidDQygrwTegOQ1^)c2K}~QM$muoHo7x-8MKHGU`(X7KUtr(6*LuuF%&B z&uYj^gs(g{Sjv&d(liZzXn}lieVpQ~vK7r3$Sc|AR7x3m@?)y&5`NliZEY4xGBHIL z>8TgTZO3+8;?OZPdQXm$~7gs4#7&A*y#D)ztP6u3H6~RJDyJ4r^ zn>0mehyjYFPY>k$UN^SkZ5duXr$Ko+MegHM__cu#^An&hFxi@@v9YtWD`uXYnYjdB z$LIVh+8|0cA`*hE7(g6uB9ZeiU$W`nB(x4N3G5#lha&F&5KBv8^72rTwjZLZktphu zQ@sV>_U@6X()@cmHX6>KD#_D8I))4q-uY$kC4gH+MAs?~84O!Vh{I0wc@kA%W8sKn)8CFgV18o;a2gM1GJU)~LVu|EU z3ZB1{mQc!TnKMg38}=!?zx#cNDhzY6LIdLDSCYZ(r>*lcMo?@&bI5w__Sfa+qGv7EL-*b1m4I~aPWMNfPIkq;O&_; zHkuo!_#*T9^AhEBXXrWZyUB$nY0zc^w!zBIp&YWDeD+HnG!U7++^6hf zMqVS!a7X9MW?WmNhZJo1+Fqwv52Ov5j@BG#Ubk-BRig~~I6?M1H}+hU-NP<*hpD3E)>Yo;-}Xy|3%wz~Q`aq_h* z)1{cfZ(ifs9tGngRL9)6nA3~^LKhjg5EMjgUpAd!MP;27muw?yHgGT8({iaBi%0&L z@ML)*rjmu`7sZ+eoxYTV5e5?JWAB*#q^a7-0YBZdAFTuQrh2MVKR$f>hij%zPZ`c^ z@t02|;E=~B1T*4+G8BwB1>g&!HDIrO;)QTSIUhEsi0v%#=~|>zZHqZN2sth~ZXrSz zp}<24d>PI$r|%y#%AIENM)K%|e}jYAu^eW3I4a?)?vapaXy6NRYKxn|i_u}V*(N#Y 
zws>Uihg%41bi$i!S!gyEc~;Tp;zQlJMW?UlwUO{c=aq|n!$+8G;d#XDZ37Bu!yc6Y z?^?XQj9Wlnwy#z(J@@;pi)%Fs=sKd1Y^}ICa%hLvm86Avo3WFi>1Zs)Vp%q}Wo->r zqhs&5OEmd%_>lTZh7jIvvTB8lOncTwOpib2X)6k9s9d6ur*?z>qEAORir@?%K-yx_ z-@4xn)P`M_?o&T;?G-u_tfaa+)>(q%*op0TCJ_Lco49eM+u@kM=e z=554xS0v@*v)SeGZ=ITGWzGl)n1W=U3tZ$yp9M~OTRKC|u@M~4NoF4NOPe;$m_sFc zav-uaPY&d$au11Q%gd|SN_4e~t1-gp7G>%_+*ThiiH<*_)*??8`qa`H5t-{>*=-UD z^g!Fw&V5Z}aHUKx>7$eGgMSbB42()C_R3!wDr;FJ7uztkI}>v<#U%leOo!U}k&pA&Ui(N1eFuVEM!_TifhqU$;(Ceb-gar+)ZD zG$xa!Sv+MOC;ca4v7&)Px<+!>B~z?poi;KJ(}usk9d*{wU}uq7~a@ie?+g=Aqx;j88AA0 zC6XWW)`%?@Q#RoI31zdS6)R>8#Gul{3TY`9`vVoIAPz}H0j3*6Jw%A>CBHGD`E}om z_Lx{x+$;6y6&6Hkk8Er&rtc-_$O_K)b>T_+US_dDg?EVJj z%_<8QCjDkL^$pvV+Tc(&wOTV&bTDT|LRPGRp@viR42h|2NSIi{H~BS;M5f z#S=wz3%yRxS@(Ta1p3Fq1)(uUHroRZ-kR;aQ3gYqGHKmo-+YT#HEugis{B^B9YDUV zO~AX;>hE7~d@X4#@A8n6~%&zSL>X7by#Ygki77;-->f zJtSXn@|pY2xoy8cEBe_FpetFXhFbAst9qvb_v3A}O*lFZGU*;}jZ@U|!Vin3l$52E zw3GC-WlBEp&q{MXAJjG@5)o5@_wVxu8y!ONfoKv%1eK*pY8XkI_>0*{ZJ+@$>mMBp zZfc9VW%>%s$=EcpcAv4+0O8&XVnTsmEA?&=O3FGJT;!qf2xaEO!`+R88JkmP>)Ruo zchTplD3g+C2e^b2<&blBM^=JbpVc8z+O-G85&IadSVw=8i@eJh>%OVp=;%j>TT?#P zVuws+WrdL%=SW9i%%2gXK)1Fw1l-E8V6TIxpqp!#<76ZIlOU(|MFq8T=AEq>x7A~W zrNu^}Ho8<`v%W^_W^4@Z6*-@!V`37DiCJipg87t@xsNVmihi+aN;usbUe8zLuBfoG zp|_h+e|ooa*wG;e!S>)tIvNEiL)lYg89;jz_^~2rRB5_Uo$t9Mr_iUxyNCc~{WX;u z4ZCveJlRsjqe3fkZ(E(yOTF2ArQJ~lbP}e=3AN>KE}_hDaG)P)ti)=vwzhWU(#|FY-Tz04b=;zETD4w%b}o+Y zbZqf!%<1s$mXyZ2Is^Y>Xv-WoY9zOd&1L#;B3=0%*mugawLEKSwxB;rN2d0aY-d}R z?%5R$^AJrFk|SoD(#*&=A?F#<7F25z>coI@t2ZV?TD(_ z(Yz3gN;lF&Nu#=?@xi*0mWV_IYDhTS`y3V}Y+nq;o0TFb52&+)r-cGXk;#86WbnTx zCeC_RS{OcT7L?VRO$sC&0w_vaZAC*mKHt|8cihDys2>KVpbqeAj}&Xh13TVYeFXtS z#qGv*-+QO4Kig^-9yvGuI;SvPVWq4UrY7EzVe#ZqfWVt4zqLtB;{53@X{9XQxjdkI zg6E;3>b|zwCj;M3d0+$ShWv_3D355DMNk?zIt}D+{PVm2zjGA-Yd`TnJ!_*wclQN6 zjaE?h--J{K+3(GS(*<-^)-W(tBp*G_%)uebx$j{{NN~;8>mBD}&BHQ7&O3bp7pi<9 z#~BUN9E|0hDa#eKdw`tx+Mp{>?4>{1_c) zqr&OqwTH|hXiKf&rdD_mE_+Eyi7yx|1v^|QQ0bKQBhciKP|EP1DYpRhZ8f=oe(joj 
z1(?^TAj7}M1rac0f**l_ovz9{cTJ8?pG-}eNKKj2)Vv_V#snI-godS-8KDmiaopWZ zU7ub24WV1&2Uf|&&{j|QMEXT}D_@zziurKTw1=|9)ao7Zt-QRvesc65@B2U8*R{g0 zlPn*2b{oPj4xVK@J136uqZC3ilp5>0)>$Jm0SpumOpPD_+*{?t`9c8OzMal%Tf$2Ed zSWzr*L$1c#P>nsga4^RtZf@c~z=nn&!sjt|9@~_*oT4r4hDySqn@{CG0JRo*RxdG$ z`TKKeIU_UNvHBAH{{%yNP!K?k_w4C!y_DY^ z?E-t_(_dW~rME)6%uh1-Fy_b_KE_P=g|V@};wQIov4oPSZ9PM!m$O6BL{rJb2ML}{wR{nRtMfeIJjAJjK#?SMn!;?)h4>B z+zgo21Q|>S(`{)b%I^piHDA!VdEXt`2^s+X5ujOX-*M+EteA-`gghmITRgDygk~Y2T=UlD%U76hg-+@N^$)bC6 zwhtdCi?7Zm#1^CXf!bx^P@oMNHb0)6O_i!&*YS^s9=>k!fA*jgV*2ymobXy6>GCu{ zHdnLIRTbUA%-XQuZu_A7qe-f&2t_oWc|tB4)$4K2i*a8g>(}oY3nsAq&tDwJ7HH7b z$WlgolM2;kTu#G<+~YA}a5(lgS%4stY=-Yc$)q`aS631Jq!8()XPBzV@>gwY5637m zYNcmepa5MJkSAm;Lcn;SppT*=>>2ngrF`BOs{cDg1ayJIqiZuzctP= zbzQ&}EZ^rR3S)od`(ni_SN?W5@VuSZ`fLACV)}b?P-c*{1~yBL4?3lNL0u4Aw8F_k z%mZCA##m{eCp0Y!iHgM_{lnZJr7!hXf1N_@0Hw7mghv=1gduZ?kgJKJ?sZb-4Ey7F zeFdiOZEXJ)eFsV6Ba6Fw_rZB63*pZ#2}Tt-Rx){iQ2eDhMNP<*!`i5E8cYNA@2#Yv zUL>{P)9dSJ;XQxi#tVb<6LztYXG(AS1)KBbtX_B}4LKIObbtD}v(ZkPUKti&1Ns1c zv~Eu;_sGFd`%1Nfd0%7d?C&8GGLal)6L(FiG*o-~9FKmk!b|DX8_-mujybV(9%GYL zy>1!Dqc$fQMV|)#b_>yB$dzsQgN){lGM7dTw@-OVo=_50P6nH@e8~fEZ-Pv1jH#*3lV;dRkAZ$j^f>QyBIlofe zwL|#Js3!qZZ8VS7{Y%S>nV|nzuO0yVfr9{)x<{O@A0XrVvC+{BIbn!zdL#y zdNrM#P7+fVmjxTO)bf5QrB9?M6AS6PiLOr-D>Km5IRkkv2GT`qtOj(P@`gnca1s20 z{VWZ3SkP9|mxe>mBW6shPJ5Yf1)I-yKMlR z0f&jj@$5uVVZ+W{JV7uq zo4&L_A$acQcuWxdlH!0l2|N6&N(Cly9>}7Ee+(1zzZ-yi#loKTOu_5Ehgwcczty=E zD0*JIm)dQQB+*$-7r{#);NM7L0c+*iVT_VivyinXcRCYLaVGLaT|$5lJ$TGf|10xY zFdDw{MVovt@XwB)6(lR+GHJl0n6rF<02iPV0FM78l>0v}CQppbCC+)0Vf}1#a|ifg zUasEeejDdEXz}nfrD3PwPhI)Ra$w@*(3?Z(IX9|Zgf0t};k1okUm zf-?Bhodg8e7fWvo7NZ3SMP?G)_I>bn$bR$&%?8=WKs@l?j1z@B*M`fE&v+051%^5| z97Ch1Ppg3@T!H~4M&b|4<7-#sQ3 zlWA|yVmNl#9-BM_9giZ-2p&Wdu2)(X?jG>J-P?R|2MvYt1 zn=%33+9nW13(dv%XSn5NC57jxnIpxalTuxq~`rmR@81KLQS5+c68<#qL9Y`eoqQysL+*)`?KNLMYl8gz22o()RNl;`>V*7m^#e8`301UyJ za4&aW=KGxRe!E=f7JR;Klg-`b2P+Ga!33XdwoS4>XsT-$8T#JeC9dyUj4Tz^2QDc; zcwTP4d{MfkdUSIBy^VQkT#GKn>!Frd!^Zqwy^EB_tBeZqa_*I6zSTr34IEC1xMY8a 
z{XM89$C&|}Odx-bD`^WfXJh=jOO?h%FW%RhdYTp2`FTA6$H(Pyrk+bd|qVgI0h z@9>rWUL(2TowxW$ArR@K$WX01CpPT@SC_4vhSp?}W}3FD%a96Ez~}o-kMV(8hp%(Y z+~3Gd_deStT3f~?`uq{neT|sY`O+u zOkhe&7<4!JsTXcU06ceroM)7&Z^RD%B!c=+wS{pn^Q72a%8g|7xh@h=APAr*At&jQ zNU|W2sAh)K!Gnb!v6-di)O+JmE|4SjS+eBgl16kYe6pol=Q3YpEDAz9jZ7(bFI}Pt zI`|PhCbHi_9-NlyRoFiKsbqmV^IpaUdZ`ecf=G7<@}Tz zS!b=Ra75BWwDQCLz;;Nn$KluGn$P6)N7Sa99we|CkZTKY0%ty}@iE)Ab|)5XA1 zGjw|P*D>q2ba}$M#>Yal`{CZgxIyPCQ(hg%;|gR_tZ$$VXySu&ET8Z0&_x+iaYqm1 zyvs-M4~Zxo*timwq%*=zI2uXJX@8f~AW@cMM!Wyraer2+nz_QtK^6VtB!>JAhF8j% z$(7A|1)uGrln^x+k{rlP5i7XaI>llpuZ-Yrtp*3J^$jxlMo)`?Q*oz}pK4I%38XLaw{}6G`J8%Mn_qt4$Lb+NpEGzdCylU*&`W$x%s*Qw2jU?~;WGDuH5z2B zNN%hHJqORx^Gl~%DER3JiG=*lKXu1QmA&XQ#3y}*jl`B4QYS8`Gz`?5DocRi<6OH5 z%p`@F(IOS6^*i*AT0Ui^h{kXD^h)6Rw;BWyxwd1|F06H^mC+FohqnUvLBGLr`tWr*^0rn{fI#`MUPdvofX@<+>)2crnIGo}QAx;-pDzbR&dR$)XKqz9QlONSsMso`vJ;SKm* zZ&f+?dX02y*7Q;-KpMC3}Yamwq( z19apS>?z1nEnW-L+RwgGH7lkSTM(l5oCZfI>ZHHXOfMVU4GI*eDwEULEqXaQ;G)g* zQWN~`ElJ?pHv6bvFkW7Sz#F1JAd&6oA{0+Zm6i~eEFaOcka<8DsEPGVd>Ulm`qCB9RiEi3kG&ZrYXh38@bE%#cibE~NMlFg+&(pS ze`fbD$m|2Qj=vFRBpS$xfRB4gBDZXwx{p@dJTozN+OO^Q&$qY(6Fgbn3)9`rNN^EY?G{!m!7!+cHZo;&1;!(w|h>tcbQ{K5bS96=LqdVj_ z#(nX?FmGPesXT7X!^x@|r!RPKZ z$RIC6y1Sn6i`QBU`g=+!m(6@`&cJf(OUUo+l+>-v7obOAZr}kqx{=W9aIYzJl3!w- zo_jv^j^8@e2ri1rr(DhbT9Fo9>&nOZd6{_2#!|9a4P=it&8XEks=zFam~yi}G33!1 z%ma`f-~8AG=HKxx8a>C}$ocIr-vtV(v=(1sYN$$5%zvNp1v~CDtrXb;qA z&s!QNYr92TU&+OxUjxlLHWnan!GK!P$?aG6jP<9GU`Z7Rc>{NK9o29;o6btqumn48 zA8k}^l&7#|9Px$9RDw6m3%@+)$leA}aVan?aLZlRk)c0&9=+;}kK7(%F=xjH4tQ%bpLK87Mhb=~wmFke!?fKbS0qO%Zie zEL@hpa($Y?*e4%cUVLp0+zMnIom@q_KV+!CA?;fx7V)#^d*;KhjX=}4`0mWVzueSH zT2xVYj_D1OTF>&ZR&=aJMv(VoyjzD%HZm|5wvTU~!eCrI@SkM!9q5xB*9BUaMb^5F zetA|Ijk!Tq_zMN7`vuA18-|LR*(y0|iqrCxVOj_r z6%`1!Pq_lN_9!U@C<0FRkU(5qPe7KNg63;^tVIWcMoc$Mw}V89EgerWKu;be#~s`~ zF$^$8K<$FQ*S%mHL66y%V%Yb>*Mf`bv<4B&T|Hat4eXVs{vJ^4T`bsq73@`qwU?;* z%)k=!u>Q^q5Z_N<+URubx?Yp3S4tvfv7HWIzx;Cb5okt58FZ;qW#P%n%N^vidlT@I zy;C-b5NIB1RU}}xP=3tV;Ew+h>O^060mWTrwC$}Q1j5Cdm)@0dd@Ey9?`&z^j-7fp 
zD%bt%ZLZ7iKr@5Pg%KhAig=u!*wD!z{_HSx+HgP0GKaFXPoH)m&ua}b!5EH zQCEKY&Z3^Gi$x`CgEw-rr-q#`{d39RX0cL!d8f3J`ik4+E*?oO;)@h18g?JM+2G}? zWS=1-(3C9iDm}+c`LL|K*s3Y5d^sCP`A2f_Dmu`eCpLzXHE$(&!s??YIUgW=q{tR@>}p!L7)K%omDx^&DOC<7v7-FBKqVR>to! zJ{odsz}wna4*PHllL&5pYf|sjI6J){%)1sd3gKl6-!bDU5R1a@)1X73iJk%TFjs8o zeR0-$3sT0;F_#fIkc&S`2qUyMdqeSu&+{uGa9MHU!Q}xSWe#Qf=av4+?{Db0(T{{r zdLP;z8lR}QDL3o1PxZBq)SpP52X~KCGiA6rZcG^tgEBgQ&Z&VVJyc<(`j>}wg_2k+ z5ZrLDX8{i%CxXog$c0nxja}ngHR}2x0&*xTic59QbHUw%TqSo*2ASo&%gzGnJ`K4b zNtu;{zKMkQZf;uD#^E=SCk=bL8d@+ygO&>JrM>mU+`2D73c%Hx-37HE5CM?F-;71A z)3D^3@1)eGOfo0+X{6SWtk}&s9ejXFk}%;@i+WPvv|DM~_j$V9OyS6U+tvm)be5h^ z4xKBfh8`DH=#xY&{^cE2tc~7<2b*S6{Xe_VR1TXAi!L;z#V^Z5dD?f) zrKxA_oQ+QFA)E1Fj}I~|10_avRA#i{9$7AqCz4`C8tSI~cGF~+D5>lBCfeM3P4=(R zJVV;-9PVaB(h_u?;}DcjRDENNT`$n$ZHeamR*R-?gv@|2f`T%Ef1in9sF2tp1eW!; z_r7ur(voTx61r?cMW?|ZCTb!6Wi`>&L0@~(?ZM&wJc*-%)hJHH)|;DWIF)~EuiULE zUIIz3YLf?!=z7tF!I{P!ht)@~H6Kkk^{sl315*BEJDCb(JaSOMX)SZwLzM4q z?N4KKVhRg0E{kGTOpT+6oy(r`IIgy)d)*ul4NmPuCFNpkIqiyH(=9m(p@K2|A%_Lk zydNQ(iLK@YKogzs+#d)`m}{{z^Oj1Bb&3&ocpS7V9y7i?uL%GURC}D*z9b# zM^bcGRQ`hH*#Hfu@`cK3`m}9OxDZan0>_T%|Ib`3@r$7C3AT~K@U{Xbvvh&9q?Gt5 zaG|u3=6iom?swOod;QfeT7z~P27Nqi%rx5B=h%xYV&C>f+1n>lLK(tR8qtLq{wbIm|({ zWfAe1d$9U>W^&#_8IeARi97Iq*n_&hU@I7!NDk7e2y5l>-cL*Vix&36k!dM0zm9mj z7q|%UOab%K#YA5&etNZ9kFycm&V5N8BPm90?BpajuG{k0Ct+I*H#gO+FNE407J8W5 zfKC@VdC8Tto^yg*by-ck{M@zzx|Vku;EiJD*X6n>AQ7;w$$2g3N`AZhZ1jvSe@Ey_noT;;h)`Gb^!Yow9)-w9qX{c9d?Vs2~v+@4>~N4rpM3it^{6lG2wj2ccP)_iZy8kYZ-KsU5Ok z_SWwTu0B7Tp(G&sA`V2Pw^27izM_fDjDWct!{5?80cm*8hugQ@DUvAEPx(kJOr(}N zdT%e=K+$WFK*J}3A!G8UGR)BBAU78Rl#WSUoZs`h%BNvPJ7pE}*Xal%@VE*ZtuKG> zuEjzoB(AN?^bggA?6_hbOy5<$`Pntr*Q1Yo?ybF`g8+I;oV^Syn0^kYpvGf>3uHXI zd!Pq@`)s7pcRoz6uF#AYH~AuQQzfZs-j#SU|2i~wG6?L$iA1`GbKvH!cW^=+)1;SN ztmbdO-H7w8&bEYLH>{cwSt){$q8lDZAZP&vQ*z#ul>efHx^lh2aU~Yet|ou591AHc zte_@*&tQ)Zs!#c$J?nCyY_$J9yq7uhc?Er8!##><-Jd_~&*YD>NFQN>1FfQlI=9w4 zYvI}B>4&l6$t~o2G<=cTd|AW&;l*63LE)SnlE?VB4-2WKPTq1|idUQiiVcebo-_Mj 
zb)25t9lgPMqU#pbwRBKDfIOjM(wXFx)V>Bg_K!6+%Q2mngYRG<%rZj%;7pbd*dq1TEowtTxcdVojnRD;mAp49K)gh3j3#lsc z_pUUwOKcwsR?=p#Pz*mMxD!{R-gNA0YAOiY&e8i8S^^^&VpVlp1H>b+5-@uWYjaf# z2C!E^9hMVoOaqZYoP0wO_|#aS&=!&X-8lJ>bzED zqBh-ojR-7yweZ&zdWn`<15;}$|BMx?r1~a?!I!OIKb$$X{*Rp8pfTLtPnGA2My?Q7 z=IzXNKL0xn+giw~ERJE5o7#M9Dp}zhw;j5B!EN$qvIx@iHJk}7jc7#1O&?s!Myu<- zziylRRwzj%RjZC$r0eR~i{5WBmZ@g7d-+a`f*tnYxc=FFN1Yh~ZKk$~n~8qBHpKXp zD0PwF681*_3o0K#=9*xzOyspO?Ynb%x##vNwDm)rp$nR%-K?zUf7VQ++x0c;N(k z%8I1!mqeV?ElWvAK1%e@(4(v0e{^T^j;Czju42xp@xSJr*kSpY<1>Z6(sT|gDJs-e zI}7hAS!j?R>uWLHr6(9uIAMr{@1H^|o%lo_9JA(SnVw#0OkY z>Rha(#*{Mg`7>4k1QL$LH#LdMo~R66cQG@2nr!mA2ka_o`lEP@s(mj5Ruz&S7&Z3^8PA~HW zPaWF}836BlgA{Y_FZw6q9t|#Kz{npl0Z$+Nbim(j7DIl92y-=FyLtt_;rZ|NM)v*r z76AAUH#Rn=^R6Cs4AqOLwGFTQAL`zSa#Y#_dj#`8y4bDWGR9tOJ(}T+%s}_onXHg- z0u%;jef^TU=HsQN8lKPLf$<4J5{nb39Z4TkH-p?HYj~o%hV`@!we?(kPdgqLX)BwL z9|bPbbzPP7YnqQIXKHxp9)&c*tmu;Gr%Fn@WsrYAPWjH%IINVt;lxtu?9>4y@c~o3 zGPH@Iy1s_KAFyeYxeod`?rrm==kbY{i@UdLo+b%+r4ec#Gh?D)8K0J}QSul1OXq zP^fAFw1Pb91r9=`LOH`%W}}1LfWcl33?!KaM{2orp0*M=KMFTlKR7rPF@IvN^c8owU%mIYd4NwAkxQo89oKgR-Ze%Ii8{JY;J0Y zZ7NY#)-ilt)C)v-ZPM9Ha@r?^2|O-29S4>s#ViUs;=veOq^iZS0}Q!X7zmdSB=U@2 zqs(8^c?Dm`CG_vA_tUbZW@+}TMdvh5Xb}l5T_(|k+>Vr3*M*d{FX8Sv5se?Q3|?bu z3%kV!GrV^=M5@szbpHx+Jr`LXFq0APH@t0E()ZIdAE+%^WA_fFOL*h;D*fTpJkNWp z{rC1`3T4Ad6Ld6yN=iX!w~{z z%~ttPUzFYNU2U|9>!-8Y4hqG(u6aj=L)i~W?YV|l49dOM=8$7U5FKCP9a0OgVXx|k zfzNLitT){{NB6#5!{MLv(!oJ`VPe$acfIdF_l z9(>j0<9&0nC(IzwhXf*ZK7;LVLg6W&6=qgjHVbu;ZVe%O27<5Ro<`_3_?GQQn6(WQ zF%-qw>0!I5+Z%WD#gQ|!YZ=tW>gJaHDi+iEP=@2?m&agamLzQ*$D8OC8XbNu!PdOps5NoeDG_zyY~&+9pw7jI^SR!fHyr> z^pcGoMV+$*MJs9l$3MD5bNA^Y1v(Ci0?s9^+##7#4tx#OeG1H`kyM^WXV;okmEw)c zDgE5UBg^T~#pa2vS1mKT_2rvH$klXaisptvN5$A)KwmWHpip_mSM00>Q*=N#z{ny} z>N?YtHqFw$xJ~tsR9u+b1osGB-HG5FpNq+oqRxgPAIQz#kW)|QqAN@{Ap zTbqJ3#Tqea|05}AxbE&T;`BHwIEr0t&$^1(8%d4!5&YR|IyIXKNroyA9e;OHY^u-k zJ-Iluh_EmyF<#VF0w&wnLs!?a1PG}@wSizTyJd)}QZ$XGVD z*^3LmUvOngzs%Ws(+*i)9Ne4YjLAOKa!B5=(^yENuc5%sY%Fd@ncxODj7<7_GKb)w 
zVz`|)I;B$=XaYk7yJ-MZfLe6Bt{A%sVL z>20a4n#5J5z7IDob^}tYTwOU}ckWg4d$55iIAOMG_B}f3*9mqi%B#8){I7ydbNf_` zS~kdU$(Lpki#~HBo8md}^kT&t?@Z@ieqo%arGgc&qEh{xb#{_kX;D?NDRPaS7h4-1 z#AvYc1aK4g_Q;X28)zFJ#+x*s&74oy3WsmNHWg1L3-RlJ})z8 zS7&h3mR5NgzmhGaBhN$eWVq*ORqeQFaq?67W0Pu;{Nt(N;?d*}fpq&?*jLgi)S zvMxl(DJZkI9q^f=0c<*yN82g}Dzr)I?YB@=>9SLm%L#3!sDb%=ybs|Msj#>SNZbt; zPl+iZ0JME^N(1#wdLe`hZ-9KQ+JXIRNoKpI`u5S6%0yoee$AS#kYuZzbg?w>i6`Tq zz3=*rczl^a7xP&Yf}x?Q{foRJrwuc`B^I}(!Ib8sdnr2IJxIenPv<5M8)#-#b+52J z{m^t7$=!Tg2pjdid<`+UHKJp=9hI_M-Y26PmC6ww0p z-PqsU-Fq@Qi+fUoln?Y+E(jV}$FX_7KQhoMKQ4SnhtcYx>Nl`eGd?Wy*XG(H1XtCju=CeZ0RwJ=HT1Z;N55NN7Cgmcq# zfP#zoLsA%accgAs@I_+YLB%}yqMR`DMdFz}WH{7hdKP2l}C~knBl_qSlSX|=tK<7~_$25~>(RpmVVa&?BlqSb2|9J?)SH1`GmdW? zOhTBXWheAimPJFTZq`>y?$^Bsx8GT`&Ar&&7uIclOvvtRZc3d$>2<4byB-hm`)FxT zGgkDG64&3b!Kf71Ba!{_0*$B6ZG3((uiR*Y-?yGdKkM3V^G=-Ci~6Bakm6V3b?p<> z^zl_n)FjqYdhw7(&l0SN=3*hsxzjAEsGr(>wrRKd zVkYH+@;?&Fsm?CMVoLaV*Q6rX9;j#&`K**udW-$iK%~))vJv(X3+csNR`S&6so0z& zD?(?z$0Oi(FoGEut7$roet%s&rdP!OYg{@K==KM%N(2G9IQbiGu)yS9jyJrdYd0ij zDT#{r_M}%k`_8Rg15`+~n0hZtzb`pDaroU~%E&>lKJH`#Hi_MV@UR!9MGU%f32u5X zQ2DLNu#R%Bek#?VLA_Ovg%bRtnn0q9wIO-IthPf6wOrvDX z_tQqj|I*Qt~2)KYpFm^fQM_NI=`! 
zh~fL-TmJv2x#x^(s#`XQf{1{Trl269N>xC5QxcGl^cD~)5fCC^h!PWuigZ4y(h-rK zAiad5NKrZnQbVMRgh1$_Uhwi1|NKX(PpK`eOp4YkI$Q7fST=!+CadYGdC(StK0I(eU~bxw zOyqo|vY!d*Np6Z*aXw05*+DEl_{@Jz)ql%f7+8%!=Slz?&J^Lf$7N{(@yHFp;h`A& zg=#O`eWZUI@wh}d&b}sE=)oJn*HH>|zks_nc57LHy$NVM>q?|cd)+{i0Ls6q@WaKc zRc|t_eq_~ys;1Lu#1xK;_RoEB@ttI145)_h?W*MXyP_j!?MyS9!*NOsp4D2k6z|^H^8N(|8q#&+ zQNu>Qleo%BtHeHf2tO&H0ttYobUwhY)+B_djFm3O?d$CsW?7Ode z!N|w0rxyFu&qwUjoW_`wF;9p3a@*>GrH166pjU<&=er78`3ig-Ja-F2&+I(KJ2uEa zsS}@}ISsI4_@Gf}$3QGhQtM#NjSSbnh*vnKXb{wU0}y@qW!Feg|6qjW+ZoNa)Bbc= zyF}Xy(Hl<}SIsj3q$0(e$NBZ|``eNE3OlrONcuB~1n?lhih9N<_N7ps5e1<$#=1Q= zBBK2%I6&=q(|04vOKatagrb^F7|tX5@F;{8@#XO^#n z?wz3jvJW?oe9f&a*s4w=b`f<2B$`dFk22qkDHd7Xn6 z_Drat@3&Y~t2gVHljC_==%S%+1Ml~9YG_|*mx!j;R`T9(+YHp{WT#IIVYdD4pWAFO z1_l9r;@trQKYw|Ao^ufW>z~R4mT8HHM_Xhy@j@TM%nno8{YyS=0#_h>7r_u&9X<$a zLR`UOLdAFS@~%7Ug%hNXM;_x9acNy9rg+&Ky4}*gdu6Jk);2cxb%L)3Jr9z-X=>~d za>dn-KTTc3p3RpI5!JTsOJ!Nw#Qd<4-gi}9vaTYym9GowqkZ;rW|vFLr++VM4}q>( zOlKJ2y8<64nWU+C==YDn{i5836B=5iFmDipEl#h6>#BzK<4a5Ey2qQ!9EM~DUX(P~ zX%8PdP0R;f_b7tju09)@U}HVxD#hW(xgi`@?d-c&ligB?n`vEYL)c4!K(|#xHqnmb zJqkL!DL3>$%bLg%(Fso?h(FgH3P@_aab999G=Ah!<)Lzo-4Nurog1B3By9~3nE48~ zqO)Eb`d+GK6qnqWYli6OKW)yExmKij=RNgHdDy~2W3byx-Viom*ro0HNHxTf!r6%B zqTUI!kJNRC4@)y|rfBFl+{tZEAPM8UezhFXO6)W4DqfCzbqG&OXwpSxnK{a;Qp6%W z!pL9QUgD6?WuBzElnCclaWY;W#rQh_75AO`M|Ug?0~{U~pl_KxF{a1Ct77?Y(W)gq zvQ12!EYQYtfU06`__KJRcmV_Q<-X-+hkalvfA#<|xwh$KsMnxBpWe_d+6tf!(=Y4(y=RZc3*r_;s4!f@*!#Nl!=Fwx9zGmH0 zld-8LKos)1KUg+6R6F$LjfLNt>bZLAK#09etdL={ocO^j&hL8ew|?y_EImG<0^n|<-@jGTg4=j zaqla~PUwNn?`m!Elk{mGrjd`2(2he+^l~WL!a5Ct*s^H-9y0(JoW=7+32UEN??3)s z)2V3k(i)7Hx94X>TZkJ$0+)XG@aU?E;4c#@b>7Px%Kk0jsCyep>YzGW_OLh<6P_LK z*N$!1by}WdakgdxR&xm|)E8Nm`DMmRHq^=eBoLFF58VxPb;p!tgjLniw#g#5op>TC z9KbNrIMK2=d3_$&wR1uXFJ0x;qs-rQu(~3ljGQ}oWKrZ_?(nr_JPW^>jY&<}>8P(Q zso%Z*PUhBNQ;AlD2(ulLM7_?^PUNzpf{`07r2N(hEl7B%YQW;mi=y1>W!3MA6$pD( zS{ztNa;FA1m7_eKdP-A22s(XSn0su^^*}Y5U%NX4bfjyK&iTCnVL^~CVh)Kd8?hb0 
z!C`jU4VgMfjCQ76&iS)9&uI1bvIE1eC_KAAU(*xBm&;%)N?Tj%{G~;WFZa`5Jv!7< zv0TB53pWGyY%(vH>fdSpYqDC1-4Km7%dtB5L(1l(O5R#j_ysly*( zhYi><(xPKeP|ur*)BJnl=X6v1h$5|c7=c)d9@1Q6twQSQ75uh?uF#wxmo9U2|GSQQPv8Lcx)?6|&+7 zrK_JNUxaMPo!R2a#F(Z1$R>_}_Xa0#GQ4=;Z`2j{Tl=f>W;#de!J~~C?(lS?MR!;P zm#nrq3IyV%74tdKlA6ju)(Zj7;s{Ivx$lFtz z*~D0R3xR`0Usjp}*7h;`@D(+Icc?DLT9ftkyN^kIUrA|M%6AZ;?1*3L{(DJ+3-o95 z7n=XdCb2Vec!}JIxHNN!g2XOkcRINIn>IX4JI$e4jbcoIiIVOt?U^4~btOt;Ay80i zlQI?0p{f=Au>AhRuloeD*N-TXYg^=K5NJS9GIvxk(TyWXw$do{3Nb!5MMe46vn}DF z0E<`KkpmH-18OS9EqHXEG4M?&kL9f}z0uDld45jh~5tCJzqx+UVf$>h2r;qto1fVT6+WY$^2`f4q&LlSnGLnJ|8QkZ$B|DVdQ&{i%}Wsd34W_trVfXhmQ&4*k1Q5Ax5Sa} z&Pq9O9%g&EK5?9yX{uQr`m4I1AK9L~ujud>vk=W&&pvnMM_jMFl(pGbX$ zg+YH=J4yLY-I1Q0n4rG$bdj9+v^%4pyv~U7m-T)ZQs~?2 zY7XJou+|{%K(YyMzS2VTySNA_M%iYgbLcV?r%{0|X723oL@7%NcS={T(zcw`W?g}Q zbfDNX(mCcV+*H7MD8*9v7G!X&C&BJKu6W7j3-_@q@qLSu)f$?H+GtBIfE{NvP7liV z?DNP6OUexG@XKj*!>d)@N&hCsPLuup!yHX3@?PAb)AER1_It`|Rd;G}_KLd5*f%Mk zrBO>KFdO}2)zzC@B;c&gw!@dKXRqm@H@X$>AKpybh0-RO6BFnF&PtTW9+Oq{?FFb?NMklx9_AklCS36DcfZGjI>#@Xc~l# z{)GPBGZWKCTd5_r_;a#a$DaSB4-HeW_el$o{Tu232Cyef0(O>A9+cScO-GW`d_3&a zQ&VK06S{-u_xkIt%a!qd{f}PrBo3G$<+*k`3-j|ojxWQCEzHdcP{w1lKs^(-R-=+_ z3Wd@)JAe6qG(jm=I3WT^0fp0^v{~1)|9=5%KFB||0W8NK9Y)MFoG!hBMDkgtzWXrD z>Y5aT6G8wxWEXwoNPI>DI$Iyy(zHp-64O*Z zcWcsVvaXhwy&ApqA!+aJ1Yx&xRcB&`bL>usbg@jxxTx@fCu;qd-`p!xjM2d-!Vuw7 zjo2T~Dihdo{)mCJsLTbiz5N^&2fqZ5t&iIXh29lvt#o znsUhD058l^#Zd$!fgo<+ZTV+FyHnkkgFTxR>%AIL4+b=+LKs~OEjqu=oDuGP9_85_ z9Hl!aJ7kk9+UO6t*ZrC?CUMcjHQixxP^!s>32P%aY-wa+#H;vZgyizOuc~qyd~Y~U z=xXf29aP%&Vpt;VmuB6sr$&ep^uqY>o0RicNkfC$S6ZVdB7NQnEwiTV=t35^-5uX7 zU_WPovM)8@h0F}Sk>wQ{e}0NUu2;mB%Fvyy%NTEFDZ5*4^K#moF^AhKs>*!&&cycK z4``QjQTH&DhzcJZZpF7mjSCkVTKRA}*jjnZ63eFG|04&ZrC95<6(19AZm@ptimH=| zdH_;>9Kl}Lt;w)mi?kWtx9nW%Vi+(OndY<@?LNe0j^qs@XvJG!Z1VGZWxpLlR9lB9 z$zMgnSvLbEDz)PnUhg+YfBy33JM7JR3-zQc!Ufy`4DF%{fG~x|gwhSzeFRIodH`A`}U9HQX zdY{+3KfJL(=VuI#E=gbSzZrIEt8Kd0?fcBQQZzcPahQPh3SC2c^b|~cFU`mk%#m70 
zg1a~3tf~$v7VAWL*Mtb2Ma5CyBbfk_qA{P=hod}$l_)r<$`_TPZYmNzaSLWN0tSm) zZ>8OW`NF?y_5=Q&Wb!R;1=iX-7*$g&ro7)tumgd_zp8G7qQ~B+S4W32*FuO&vJ=-p z%-*4)S30P<`T`HWvQm(z_vBfaS0;3&=4sEgL+-ptIZR1v*fvWBO)L0M=ipNb7ph># z2_r!d%yz{~&>x?Vy+(z`C#57D>OH50fLkt*B&MyX^#?Bv&Qm6_2==CWxOFlgD7qxm zQg0aqa-l!kS^XyC0IR{9bG>_^bfRH153dbQMS)ikVS)YTH(f@q5^0qctMOl`*aBuC zMgEtE(Z$!Hq@zdF!`>dFwauXjD*|DS&RE^5xG}L8_l!8fd z0>3H5;fLGVmielDUqy6638M~-f6sA+*Waa|n%i@NWFD+EW*9xmk9&v2VoFxy14tXm zUtY|$B$eAcV1BLHt{2uV5~zv4b*2SD%e<*KYhmfIet3(BWZ6zk*GpGQzk&Yep*T@6 zIOjR>d(#Ju9dhb*ik3F&I9|2hU$TFtrhPXR--+Z^%0HP&HJF@wU*efSi4*enX>zc| zG8eJL2Kl3ad6EiWp*uUUXm0j;=eNu zL3!1(*<5Y4Tai?J=#GHly4>AopCijMJ+r}kkw<~3$$iRLDi6-*J>Gmcq%yqfiugLn{?h+I_#>}EATOadf~;~ z)fq*qQ+rbZ&SVKrr#R;AJuqQ~mAyokWs5{DXndhF*szrVx0S~!=7qyXW>d-ME&|(k zZ@DLjJ}^-tF0ns+g7lT0cDycuKr)?-rN>uIus@`Mkp8_N=k;=JiVL%c_v&f{Bg{9k z%4}(cHl1cb2)u8nVH)PZ(6|<*z-O{J)}xt|{S@op71m0NdY0g#fUD`O+m7T + + + Description + Notes + Direct Launch + + + + + + Deploys and configures the Security Gateways as an AWS Auto Scaling group.

For more details, refer to the
CloudGuard Network Auto Scaling for AWS R80.20 and Higher Deployment Guide . + + Deploys an Auto Scaling group of Security Gateways into an existing VPC. + + + + +
+
+
\ No newline at end of file
diff --git a/aws/templates/asg/autoscale.yaml b/aws/templates/asg/autoscale.yaml
new file mode 100644
index 00000000..15e36d55
--- /dev/null
+++ b/aws/templates/asg/autoscale.yaml
@@ -0,0 +1,607 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: Create an Auto Scaling group of Check Point gateways (20240417)
+Metadata:
+ AWS::CloudFormation::Interface:
+ ParameterGroups:
+ - Label:
+ default: VPC Network Configuration
+ Parameters:
+ - VPC
+ - GatewaysSubnets
+ - Label:
+ default: EC2 Instances Configuration
+ Parameters:
+ - GatewayName
+ - GatewayInstanceType
+ - KeyName
+ - VolumeSize
+ - VolumeType
+ - EnableVolumeEncryption
+ - EnableInstanceConnect
+ - Label:
+ default: Auto Scaling Configuration
+ Parameters:
+ - GatewaysMinSize
+ - GatewaysMaxSize
+ - AdminEmail
+ - GatewaysTargetGroups
+ - Label:
+ default: Check Point Settings
+ Parameters:
+ - GatewayVersion
+ - Shell
+ - GatewayPasswordHash
+ - GatewayMaintenancePasswordHash
+ - GatewaySICKey
+ - AllowUploadDownload
+ - CloudWatch
+ - GatewayBootstrapScript
+ - Label:
+ default: Automatic Provisioning with Security Management Server Settings
+ Parameters:
+ - ControlGatewayOverPrivateOrPublicAddress
+ - ManagementServer
+ - ConfigurationTemplate
+ - Label:
+ default: Proxy Configuration (optional)
+ Parameters:
+ - ELBType
+ - ELBPort
+ - ELBClients
+ ParameterLabels:
+ VPC:
+ default: VPC
+ GatewaysSubnets:
+ default: Gateways subnets
+ GatewayName:
+ default: Gateways name
+ GatewayInstanceType:
+ default: Gateways instance type
+ KeyName:
+ default: Key name
+ VolumeSize:
+ default: Root volume size (GB)
+ VolumeType:
+ default: Volume Type
+ EnableVolumeEncryption:
+ default: Enable volume encryption
+ EnableInstanceConnect:
+ default: Enable AWS Instance Connect
+ GatewaysMinSize:
+ default: Minimum Gateway group size
+ GatewaysMaxSize:
+ default: Maximum Gateway group size
+ AdminEmail:
+ default: Email address
+ GatewaysTargetGroups:
+ default: Gateways target groups
+ GatewayVersion:
+ default: Gateways version & license
+ Shell:
+ default: Admin shell
+ GatewayPasswordHash:
+ default: Gateways Password hash
+ GatewayMaintenancePasswordHash:
+ default: Gateway 
Maintenance Password hash
+ GatewaySICKey:
+ default: Gateways SIC key
+ AllowUploadDownload:
+ default: Allow upload & download
+ CloudWatch:
+ default: CloudWatch metrics
+ GatewayBootstrapScript:
+ default: Gateways bootstrap script
+ ControlGatewayOverPrivateOrPublicAddress:
+ default: Gateways addresses
+ ManagementServer:
+ default: Management Server
+ ConfigurationTemplate:
+ default: Configuration template
+ ELBType:
+ default: Proxy type
+ ELBPort:
+ default: Proxy port
+ ELBClients:
+ default: Allowed proxy clients
+Parameters:
+ VPC:
+ Description: Select an existing VPC.
+ Type: AWS::EC2::VPC::Id
+ MinLength: 1
+ GatewaysSubnets:
+ Description: Select at least 2 public subnets in the VPC.
+ Type: List
+ MinLength: 2
+ GatewayName:
+ Description: The name tag of the Security Gateway instances. (optional)
+ Type: String
+ Default: Check-Point-Gateway
+ GatewayInstanceType:
+ Description: The instance type of the Secutiry Gateways.
+ Type: String
+ Default: c5.xlarge
+ AllowedValues:
+ - c4.large
+ - c4.xlarge
+ - c5.large
+ - c5.xlarge
+ - c5.2xlarge
+ - c5.4xlarge
+ - c5.9xlarge
+ - c5.12xlarge
+ - c5.18xlarge
+ - c5.24xlarge
+ - c5n.large
+ - c5n.xlarge
+ - c5n.2xlarge
+ - c5n.4xlarge
+ - c5n.9xlarge
+ - c5n.18xlarge
+ - c5d.large
+ - c5d.xlarge
+ - c5d.2xlarge
+ - c5d.4xlarge
+ - c5d.9xlarge
+ - c5d.12xlarge
+ - c5d.18xlarge
+ - c5d.24xlarge
+ - m5.large
+ - m5.xlarge
+ - m5.2xlarge
+ - m5.4xlarge
+ - m5.8xlarge
+ - m5.12xlarge
+ - m5.16xlarge
+ - m5.24xlarge
+ - m6i.large
+ - m6i.xlarge
+ - m6i.2xlarge
+ - m6i.4xlarge
+ - m6i.8xlarge
+ - m6i.12xlarge
+ - m6i.16xlarge
+ - m6i.24xlarge
+ - m6i.32xlarge
+ - c6i.large
+ - c6i.xlarge
+ - c6i.2xlarge
+ - c6i.4xlarge
+ - c6i.8xlarge
+ - c6i.12xlarge
+ - c6i.16xlarge
+ - c6i.24xlarge
+ - c6i.32xlarge
+ - c6in.large
+ - c6in.xlarge
+ - c6in.2xlarge
+ - c6in.4xlarge
+ - c6in.8xlarge
+ - c6in.12xlarge
+ - c6in.16xlarge
+ - c6in.24xlarge
+ - c6in.32xlarge
+ - r5.large
+ - r5.xlarge
+ - r5.2xlarge
+ - r5.4xlarge
+
- r5.8xlarge
+ - r5.12xlarge
+ - r5.16xlarge
+ - r5.24xlarge
+ - r5a.large
+ - r5a.xlarge
+ - r5a.2xlarge
+ - r5a.4xlarge
+ - r5a.8xlarge
+ - r5a.12xlarge
+ - r5a.16xlarge
+ - r5a.24xlarge
+ - r5b.large
+ - r5b.xlarge
+ - r5b.2xlarge
+ - r5b.4xlarge
+ - r5b.8xlarge
+ - r5b.12xlarge
+ - r5b.16xlarge
+ - r5b.24xlarge
+ - r5n.large
+ - r5n.xlarge
+ - r5n.2xlarge
+ - r5n.4xlarge
+ - r5n.8xlarge
+ - r5n.12xlarge
+ - r5n.16xlarge
+ - r5n.24xlarge
+ - r6i.large
+ - r6i.xlarge
+ - r6i.2xlarge
+ - r6i.4xlarge
+ - r6i.8xlarge
+ - r6i.12xlarge
+ - r6i.16xlarge
+ - r6i.24xlarge
+ - r6i.32xlarge
+ - m6a.large
+ - m6a.xlarge
+ - m6a.2xlarge
+ - m6a.4xlarge
+ - m6a.8xlarge
+ - m6a.12xlarge
+ - m6a.16xlarge
+ - m6a.24xlarge
+ - m6a.32xlarge
+ - m6a.48xlarge
+ ConstraintDescription: must be a valid EC2 instance type.
+ KeyName:
+ Description: The EC2 Key Pair to allow SSH access to the instances.
+ Type: AWS::EC2::KeyPair::KeyName
+ MinLength: 1
+ ConstraintDescription: Must be the name of an existing EC2 KeyPair.
+ VolumeSize:
+ Type: Number
+ Default: 100
+ MinValue: 100
+ VolumeType:
+ Description: General Purpose SSD Volume Type
+ Type: String
+ Default: gp3
+ AllowedValues:
+ - gp3
+ - gp2
+ EnableVolumeEncryption:
+ Description: Encrypt Auto Scaling instances volume with default AWS KMS key.
+ Type: String
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ EnableInstanceConnect:
+ Description: Enable SSH connection over AWS web console.
+ Type: String
+ Default: false
+ AllowedValues:
+ - true
+ - false
+ GatewaysMinSize:
+ Description: The minimal number of gateways in the Auto Scaling group.
+ Type: Number
+ Default: 2
+ MinValue: 1
+ GatewaysMaxSize:
+ Description: The maximal number of gateways in the Auto Scaling group.
+ Type: Number
+ Default: 10
+ MinValue: 1
+ AdminEmail:
+ Description: Notifications about scaling events will be sent to this email address. 
(optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$'
+ ConstraintDescription: Must be a valid email address.
+ GatewaysTargetGroups:
+ Description: A list of Target Groups to associate with the Auto Scaling.
+ group (comma separated list of ARNs, without spaces) (optional)
+ Type: String
+ Default: ''
+ GatewayVersion:
+ Type: String
+ Default: R81.20-BYOL
+ AllowedValues:
+ - R80.40-BYOL
+ - R80.40-PAYG-NGTP
+ - R80.40-PAYG-NGTX
+ - R81-BYOL
+ - R81-PAYG-NGTP
+ - R81-PAYG-NGTX
+ - R81.10-BYOL
+ - R81.10-PAYG-NGTP
+ - R81.10-PAYG-NGTX
+ - R81.20-BYOL
+ - R81.20-PAYG-NGTP
+ - R81.20-PAYG-NGTX
+ Shell:
+ Description: Change the admin shell to enable advanced command line configuration.
+ Type: String
+ Default: /etc/cli.sh
+ AllowedValues:
+ - /etc/cli.sh
+ - /bin/bash
+ - /bin/csh
+ - /bin/tcsh
+ GatewayPasswordHash:
+ Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD".
+ to get the PASSWORD's hash) (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
+ NoEcho: true
+ GatewayMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
+ GatewaySICKey:
+ Description: The Secure Internal Communication key creates trusted connections.
+ between Check Point components. Choose a random string consisting of at least
+ 8 alphanumeric characters.
+ Type: String
+ AllowedPattern: '^[a-zA-Z0-9]{8,}$'
+ ConstraintDescription: At least 8 alpha numeric characters. 
+ NoEcho: true
+ AllowUploadDownload:
+ Description: Automatically download updates and share statistical data for product improvement purpose.
+ Improve product experience by sending data to Check Point
+ Type: String
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ CloudWatch:
+ Description: Report Check Point specific CloudWatch metrics.
+ Type: String
+ Default: false
+ AllowedValues:
+ - true
+ - false
+ GatewayBootstrapScript:
+ Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional)
+ Type: String
+ Default: ''
+ NoEcho: true
+ ControlGatewayOverPrivateOrPublicAddress:
+ Description: Determines if the gateways are provisioned using their private or public address.
+ Type: String
+ Default: private
+ AllowedValues:
+ - private
+ - public
+ ManagementServer:
+ Description: The name that represents the Security Management Server in the automatic provisioning configuration.
+ Type: String
+ Default: management-server
+ MinLength: 1
+ ConfigurationTemplate:
+ Description: A name of a gateway configuration template in the automatic provisioning configuration. 
+ Type: String
+ Default: ASG-configuration
+ MinLength: 1
+ MaxLength: 30
+ ELBType:
+ Type: String
+ Default: none
+ AllowedValues:
+ - none
+ - internal
+ - internet-facing
+ ELBPort:
+ Type: Number
+ Default: 8080
+ ELBClients:
+ Type: String
+ Default: 0.0.0.0/0
+ AllowedPattern: '^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})$'
+Conditions:
+ ProvidedAdminEmail: !Not [!Equals [!Ref AdminEmail, '']]
+ ProvidedTargetGroups: !Not [!Equals [!Ref GatewaysTargetGroups, '']]
+ EnableCloudWatch: !Equals [!Ref CloudWatch, true]
+ CreateELB: !Not [!Equals [!Ref ELBType, none]]
+Resources:
+ ChkpGatewayRole:
+ Type: AWS::IAM::Role
+ Condition: EnableCloudWatch
+ Properties:
+ AssumeRolePolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service:
+ - ec2.amazonaws.com
+ Action:
+ - sts:AssumeRole
+ Path: /
+ CloudwatchPolicy:
+ Condition: EnableCloudWatch
+ Type: AWS::CloudFormation::Stack
+ Properties:
+ TemplateURL: https://cgi-cfts.s3.amazonaws.com/iam/cloudwatch-policy.yaml
+ Parameters:
+ PolicyName: ChkpGatewayPolicy
+ PolicyRole: !Ref ChkpGatewayRole
+ InstanceProfile:
+ Type: AWS::IAM::InstanceProfile
+ Condition: EnableCloudWatch
+ Properties:
+ Path: /
+ Roles:
+ - !Ref ChkpGatewayRole
+ AMI:
+ Type: AWS::CloudFormation::Stack
+ Properties:
+ TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/amis.yaml
+ Parameters:
+ Version: !Join ['-', [!Ref GatewayVersion, GW]]
+ NotificationTopic:
+ Type: AWS::SNS::Topic
+ Condition: ProvidedAdminEmail
+ Properties:
+ Subscription:
+ - Endpoint: !Ref AdminEmail
+ Protocol: email
+ ElasticLoadBalancer:
+ Type: AWS::ElasticLoadBalancing::LoadBalancer
+ Condition: CreateELB
+ Properties:
+ CrossZone: true
+ Listeners:
+ - LoadBalancerPort: !Ref ELBPort
+ InstancePort: !Ref ELBPort
+ Protocol: TCP
+ HealthCheck:
+ Target: !Join [':', [TCP, !Ref ELBPort]]
+ HealthyThreshold: 3
+ UnhealthyThreshold: 5
+ Interval: 30
+ Timeout: 5
+ Scheme: !Ref ELBType
+ Subnets: !Ref GatewaysSubnets
+
Policies:
+ - PolicyName: EnableProxyProtocol
+ PolicyType: ProxyProtocolPolicyType
+ Attributes:
+ - Name: ProxyProtocol
+ Value: true
+ InstancePorts:
+ - !Ref ELBPort
+ SecurityGroups:
+ - !Ref ELBSecurityGroup
+ PermissiveSecurityGroup:
+ Type: AWS::EC2::SecurityGroup
+ Properties:
+ Tags:
+ - Key: Name
+ Value: !Join ['_', [!Ref 'AWS::StackName', PermissiveSecurityGroup]]
+ GroupDescription: Permissive security group.
+ VpcId: !Ref VPC
+ SecurityGroupIngress:
+ - IpProtocol: -1
+ CidrIp: 0.0.0.0/0
+ GatewayGroup:
+ Type: AWS::AutoScaling::AutoScalingGroup
+ DependsOn: GatewayLaunchTemplate
+ Properties:
+ VPCZoneIdentifier: !Ref GatewaysSubnets
+ LaunchTemplate:
+ LaunchTemplateId: !Ref GatewayLaunchTemplate
+ Version: !GetAtt GatewayLaunchTemplate.LatestVersionNumber
+ MinSize: !Ref GatewaysMinSize
+ MaxSize: !Ref GatewaysMaxSize
+ LoadBalancerNames: !If [CreateELB, [!Ref ElasticLoadBalancer], !Ref 'AWS::NoValue']
+ TargetGroupARNs: !If [ProvidedTargetGroups, !Split [',', !Ref GatewaysTargetGroups], !Ref 'AWS::NoValue']
+ HealthCheckGracePeriod: 3600
+ HealthCheckType: ELB
+ NotificationConfiguration: !If
+ - ProvidedAdminEmail
+ - TopicARN: !Ref NotificationTopic
+ NotificationTypes:
+ - autoscaling:EC2_INSTANCE_LAUNCH
+ - autoscaling:EC2_INSTANCE_LAUNCH_ERROR
+ - autoscaling:EC2_INSTANCE_TERMINATE
+ - autoscaling:EC2_INSTANCE_TERMINATE_ERROR
+ - !Ref 'AWS::NoValue'
+ Tags:
+ - Key: Name
+ Value: !Ref GatewayName
+ PropagateAtLaunch: true
+ - Key: x-chkp-tags
+ Value: !Join
+ - ':'
+ - - !Join ['=', [management, !Ref ManagementServer]]
+ - !Join ['=', [template, !Ref ConfigurationTemplate]]
+ - !Join ['=', [ip-address, !Ref ControlGatewayOverPrivateOrPublicAddress]]
+ PropagateAtLaunch: true
+ GatewayLaunchTemplate:
+ Type: AWS::EC2::LaunchTemplate
+ Properties:
+ LaunchTemplateData:
+ NetworkInterfaces:
+ - DeviceIndex: 0
+ AssociatePublicIpAddress: true
+ Groups:
+ - !Ref PermissiveSecurityGroup
+ Monitoring:
+ Enabled: true
+ KeyName: !Ref KeyName
+
ImageId: !GetAtt AMI.Outputs.ImageId
+ InstanceType: !Ref GatewayInstanceType
+ BlockDeviceMappings:
+ - DeviceName: '/dev/xvda'
+ Ebs:
+ Encrypted: !Ref EnableVolumeEncryption
+ VolumeType: !Ref VolumeType
+ VolumeSize: !Ref VolumeSize
+ IamInstanceProfile:
+ Name: !If [EnableCloudWatch, !Ref InstanceProfile, !Ref 'AWS::NoValue']
+ UserData:
+ 'Fn::Base64':
+ !Join
+ - |+
+
+ - - '#cloud-config'
+ - 'runcmd:'
+ - ' - |'
+ - ' set -e'
+ - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect}'
+ - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']]
+ - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']]
+ - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']]
+ - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']]
+ - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}]
+ - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" sicKey=\"${sic}\" installationType=\"autoscale\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"autoscale\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" bootstrapScript64=\"${bootstrap}\"'
+ VersionDescription: Initial template version
+ GatewayScaleUpPolicy:
+ Type: AWS::AutoScaling::ScalingPolicy
+ Properties:
+ AdjustmentType: ChangeInCapacity
+ AutoScalingGroupName: !Ref GatewayGroup
+ Cooldown: 300
+ ScalingAdjustment: 1
+ GatewayScaleDownPolicy:
+ Type: AWS::AutoScaling::ScalingPolicy
+ Properties:
+ AdjustmentType: ChangeInCapacity
+ AutoScalingGroupName: !Ref GatewayGroup
+ Cooldown: 300
+ ScalingAdjustment: -1
+ CPUAlarmHigh:
+ Type: AWS::CloudWatch::Alarm
+ Properties:
+ AlarmDescription: Scale-up if CPU > 80% for 10 minutes. 
+ MetricName: CPUUtilization
+ Namespace: AWS/EC2
+ Statistic: Average
+ Period: 300
+ EvaluationPeriods: 2
+ Threshold: 80
+ AlarmActions:
+ - !Ref GatewayScaleUpPolicy
+ Dimensions:
+ - Name: AutoScalingGroupName
+ Value: !Ref GatewayGroup
+ ComparisonOperator: GreaterThanThreshold
+ CPUAlarmLow:
+ Type: AWS::CloudWatch::Alarm
+ Properties:
+ AlarmDescription: Scale-down if CPU < 60% for 10 minutes.
+ MetricName: CPUUtilization
+ Namespace: AWS/EC2
+ Statistic: Average
+ Period: 300
+ EvaluationPeriods: 2
+ Threshold: 60
+ AlarmActions:
+ - !Ref GatewayScaleDownPolicy
+ Dimensions:
+ - Name: AutoScalingGroupName
+ Value: !Ref GatewayGroup
+ ComparisonOperator: LessThanThreshold
+ ELBSecurityGroup:
+ Type: AWS::EC2::SecurityGroup
+ Condition: CreateELB
+ Properties:
+ GroupDescription: ELB security group.
+ VpcId: !Ref VPC
+ SecurityGroupIngress:
+ - IpProtocol: tcp
+ CidrIp: !Ref ELBClients
+ FromPort: !Ref ELBPort
+ ToPort: !Ref ELBPort
+Outputs:
+ URL:
+ Description: The URL of the Proxy.
+ Condition: CreateELB
+ Value: !Join ['', ['http://', !GetAtt ElasticLoadBalancer.DNSName]]
+ SecurityGroup:
+ Description: The Security Group of the Auto Scaling group.
+ Value: !GetAtt PermissiveSecurityGroup.GroupId
diff --git a/aws/templates/cluster/README.md b/aws/templates/cluster/README.md
new file mode 100644
index 00000000..03bbe934
--- /dev/null
+++ b/aws/templates/cluster/README.md
@@ -0,0 +1,26 @@
+## Security Cluster + + + + + + + + + + + + + + + + + + + + +
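Review bot: PermissiveSecurityGroup (`IpProtocol: -1`, `CidrIp: 0.0.0.0/0`) is the only group attached in GatewayLaunchTemplate, whose network interface also sets `AssociatePublicIpAddress: true`, so every gateway instance accepts all inbound traffic from the internet at the VPC layer and the Check Point policy on the gateway is presumably the sole control; that design choice is not documented anywhere in the template. I would add a comment above SecurityGroupIngress such as `# Intentionally open: filtering is done by the Check Point policy on the gateway, not by this SG; ELBClients only restricts the proxy ELB, not the instances' own public IPs.` and consider exposing the ingress CIDR as a parameter the way ELBClients already is for the proxy listener. A second point in the UserData block: GatewaySICKey, GatewayPasswordHash, GatewayMaintenancePasswordHash and GatewayBootstrapScript are NoEcho parameters, but they are rendered into the launch template's UserData only base64-wrapped and then passed to `/etc/cloud_config.py` as command-line arguments, so they are readable with `ec2:DescribeLaunchTemplateVersions`, from the instance metadata service, and (as far as I can tell) in the process list while the script runs. The parameter descriptions should say that NoEcho only hides the values in the CloudFormation console, and recommend resetting the SIC key and admin password once the gateway is established.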
DescriptionNotesDirect Launch
+ Deploys and configures two Security Gateways as a Cluster.

For more details, refer to the CloudGuard Network for AWS Security Cluster R80.20 and Higher Deployment Guide. +
Creates a new VPC and deploys a Cluster into it.
Deploys a Cluster into an existing VPC.
+
+
\ No newline at end of file
diff --git a/aws/templates/cluster/cluster-master.yaml b/aws/templates/cluster/cluster-master.yaml
new file mode 100755
index 00000000..0f73a08c
--- /dev/null
+++ b/aws/templates/cluster/cluster-master.yaml
@@ -0,0 +1,510 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: Deploy a Check Point Cluster in a new VPC (20240204)
+Metadata:
+ AWS::CloudFormation::Interface:
+ ParameterGroups:
+ - Label:
+ default: VPC Network Configuration
+ Parameters:
+ - AvailabilityZone
+ - VPCCIDR
+ - PublicSubnetCIDR
+ - PrivateSubnetCIDR
+ - Label:
+ default: EC2 Instance Configuration
+ Parameters:
+ - GatewayName
+ - GatewayInstanceType
+ - KeyName
+ - AllocatePublicAddress
+ - VolumeSize
+ - VolumeType
+ - VolumeEncryption
+ - EnableInstanceConnect
+ - GatewayPredefinedRole
+ - TerminationProtection
+ - Label:
+ default: Check Point Settings
+ Parameters:
+ - GatewayVersion
+ - Shell
+ - GatewayPasswordHash
+ - GatewayMaintenancePasswordHash
+ - GatewaySICKey
+ - Label:
+ default: Quick connect to Smart-1 Cloud (Recommended)
+ Parameters:
+ - MemberAToken
+ - MemberBToken
+ - Label:
+ default: Advanced Settings
+ Parameters:
+ - ResourcesTagName
+ - GatewayHostname
+ - AllowUploadDownload
+ - CloudWatch
+ - GatewayBootstrapScript
+ - NTPPrimary
+ - NTPSecondary
+ ParameterLabels:
+ VPCCIDR:
+ default: VPC CIDR
+ AvailabilityZone:
+ default: Availability zone
+ PublicSubnetCIDR:
+ default: Public subnet CIDR
+ PrivateSubnetCIDR:
+ default: Private subnet CIDR
+ GatewayName:
+ default: Gateway Name
+ GatewayInstanceType:
+ default: Security Gateways instance type
+ KeyName:
+ default: Key name
+ AllocatePublicAddress:
+ default: Allocate Elastic IPs
+ VolumeSize:
+ default: Root volume size (GB)
+ VolumeType:
+ default: Volume Type
+ VolumeEncryption:
+ default: Volume encryption KMS key identifier
+ EnableInstanceConnect:
+ default: Enable AWS Instance Connect
+ GatewayPredefinedRole:
+ default: Existing IAM role name
+ TerminationProtection:
+ default: Termination Protection
+ GatewayVersion:
+ default: Version & license
+ Shell:
+ default: Admin shell
+ GatewayPasswordHash:
+ default: Password hash
+ GatewayMaintenancePasswordHash:
+ default: Gateway Maintenance Password hash 
+ GatewaySICKey:
+ default: SIC key
+ MemberAToken:
+ default: Smart-1 Cloud Token for member A
+ MemberBToken:
+ default: Smart-1 Cloud Token for member B
+ ResourcesTagName:
+ default: Resources prefix tag
+ GatewayHostname:
+ default: Gateway Hostname
+ AllowUploadDownload:
+ default: Allow upload & download
+ CloudWatch:
+ default: CloudWatch metrics
+ GatewayBootstrapScript:
+ default: Bootstrap Script
+ NTPPrimary:
+ default: Primary NTP server
+ NTPSecondary:
+ default: Secondary NTP server
+Parameters:
+ AvailabilityZone:
+ Description: The availability zone in which to deploy the cluster.
+ Type: AWS::EC2::AvailabilityZone::Name
+ MinLength: 1
+ VPCCIDR:
+ Description: The CIDR block for your VPC.
+ Type: String
+ Default: 10.0.0.0/16
+ AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+ PublicSubnetCIDR:
+ Description: The external subnet of the cluster. The cluster's public IPs will be generated from this subnet.
+ Type: String
+ Default: 10.0.10.0/24
+ AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+ PrivateSubnetCIDR:
+ Description: The internal subnet of the cluster. The cluster's private IPs will be generated from this subnet.
+ Type: String
+ Default: 10.0.11.0/24
+ AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+ GatewayName:
+ Description: The name tag of the Security Gateway instances. (optional)
+ Type: String
+ Default: Check-Point-Cluster
+ GatewayInstanceType:
+ Description: The instance type of the Secutiry Gateway. 
+ Type: String
+ Default: c5.xlarge
+ AllowedValues:
+ - c4.large
+ - c4.xlarge
+ - c5.large
+ - c5.xlarge
+ - c5.2xlarge
+ - c5.4xlarge
+ - c5.9xlarge
+ - c5.12xlarge
+ - c5.18xlarge
+ - c5.24xlarge
+ - c5n.large
+ - c5n.xlarge
+ - c5n.2xlarge
+ - c5n.4xlarge
+ - c5n.9xlarge
+ - c5n.18xlarge
+ - c5d.large
+ - c5d.xlarge
+ - c5d.2xlarge
+ - c5d.4xlarge
+ - c5d.9xlarge
+ - c5d.12xlarge
+ - c5d.18xlarge
+ - c5d.24xlarge
+ - m5.large
+ - m5.xlarge
+ - m5.2xlarge
+ - m5.4xlarge
+ - m5.8xlarge
+ - m5.12xlarge
+ - m5.16xlarge
+ - m5.24xlarge
+ - m6i.large
+ - m6i.xlarge
+ - m6i.2xlarge
+ - m6i.4xlarge
+ - m6i.8xlarge
+ - m6i.12xlarge
+ - m6i.16xlarge
+ - m6i.24xlarge
+ - m6i.32xlarge
+ - c6i.large
+ - c6i.xlarge
+ - c6i.2xlarge
+ - c6i.4xlarge
+ - c6i.8xlarge
+ - c6i.12xlarge
+ - c6i.16xlarge
+ - c6i.24xlarge
+ - c6i.32xlarge
+ - c6in.large
+ - c6in.xlarge
+ - c6in.2xlarge
+ - c6in.4xlarge
+ - c6in.8xlarge
+ - c6in.12xlarge
+ - c6in.16xlarge
+ - c6in.24xlarge
+ - c6in.32xlarge
+ - r5.large
+ - r5.xlarge
+ - r5.2xlarge
+ - r5.4xlarge
+ - r5.8xlarge
+ - r5.12xlarge
+ - r5.16xlarge
+ - r5.24xlarge
+ - r5a.large
+ - r5a.xlarge
+ - r5a.2xlarge
+ - r5a.4xlarge
+ - r5a.8xlarge
+ - r5a.12xlarge
+ - r5a.16xlarge
+ - r5a.24xlarge
+ - r5b.large
+ - r5b.xlarge
+ - r5b.2xlarge
+ - r5b.4xlarge
+ - r5b.8xlarge
+ - r5b.12xlarge
+ - r5b.16xlarge
+ - r5b.24xlarge
+ - r5n.large
+ - r5n.xlarge
+ - r5n.2xlarge
+ - r5n.4xlarge
+ - r5n.8xlarge
+ - r5n.12xlarge
+ - r5n.16xlarge
+ - r5n.24xlarge
+ - r6i.large
+ - r6i.xlarge
+ - r6i.2xlarge
+ - r6i.4xlarge
+ - r6i.8xlarge
+ - r6i.12xlarge
+ - r6i.16xlarge
+ - r6i.24xlarge
+ - r6i.32xlarge
+ - m6a.large
+ - m6a.xlarge
+ - m6a.2xlarge
+ - m6a.4xlarge
+ - m6a.8xlarge
+ - m6a.12xlarge
+ - m6a.16xlarge
+ - m6a.24xlarge
+ - m6a.32xlarge
+ - m6a.48xlarge
+ ConstraintDescription: must be a valid EC2 instance type.
+ KeyName:
+ Description: The EC2 Key Pair to allow SSH access to the instance. 
+ Type: AWS::EC2::KeyPair::KeyName
+ MinLength: 1
+ AllocatePublicAddress:
+ Description: Allocate an Elastic IP for each cluster member, in addition to the shared cluster Elastic IP.
+ Type: String
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ VolumeSize:
+ Type: Number
+ Default: 100
+ MinValue: 100
+ VolumeType:
+ Description: General Purpose SSD Volume Type
+ Type: String
+ Default: gp3
+ AllowedValues:
+ - gp3
+ - gp2
+ VolumeEncryption:
+ Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs').
+ Type: String
+ Default: alias/aws/ebs
+ EnableInstanceConnect:
+ Description: Enable SSH connection over AWS web console.
+ Default: false
+ Type: String
+ AllowedValues:
+ - true
+ - false
+ GatewayPredefinedRole:
+ Description: A predefined IAM role to attach to the cluster profile. (optional)
+ Type: String
+ Default: ''
+ TerminationProtection:
+ Description: Prevents an instance from accidental termination.
+ Type: String
+ Default: false
+ AllowedValues:
+ - true
+ - false
+ GatewayVersion:
+ Type: String
+ Default: R81.20-BYOL
+ AllowedValues:
+ - R80.40-BYOL
+ - R80.40-PAYG-NGTP
+ - R80.40-PAYG-NGTX
+ - R81-BYOL
+ - R81-PAYG-NGTP
+ - R81-PAYG-NGTX
+ - R81.10-BYOL
+ - R81.10-PAYG-NGTP
+ - R81.10-PAYG-NGTX
+ - R81.20-BYOL
+ - R81.20-PAYG-NGTP
+ - R81.20-PAYG-NGTX
+ Shell:
+ Description: Change the admin shell to enable advanced command line configuration.
+ Type: String
+ Default: /etc/cli.sh
+ AllowedValues:
+ - /etc/cli.sh
+ - /bin/bash
+ - /bin/csh
+ - /bin/tcsh
+ GatewayPasswordHash:
+ Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD". 
+ to get the PASSWORD's hash) (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
+ NoEcho: true
+ GatewayMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
+ GatewaySICKey:
+ Description: The Secure Internal Communication key creates trusted connections.
+ between Check Point components. Choose a random string consisting of at least
+ 8 alphanumeric characters
+ Type: String
+ AllowedPattern: '^[a-zA-Z0-9]{8,}$'
+ ConstraintDescription: At least 8 alpha numeric characters.
+ NoEcho: true
+ MemberAToken:
+ Description: Follow the instructions in sk180501 to quickly connect this Single AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal.
+ AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'
+ Type: String
+ NoEcho: true
+ MemberBToken:
+ Description: Follow the instructions in sk180501 to quickly connect this Single AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal.
+ AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'
+ Type: String
+ NoEcho: true
+ ResourcesTagName:
+ Description: Name tag prefix of the resources (optional).
+ Type: String
+ Default: ''
+ GatewayHostname:
+ Description: The host name will be appended with member-a/b accordingly (optional). The name must not contain reserved words. For details, refer to sk40179.
+ Type: String
+ Default: ''
+ AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z]))?$'
+ ConstraintDescription: A valid hostname label or an empty string. 
+ AllowUploadDownload:
+ Description: Automatically download updates and share statistical data for product improvement purpose.
+ Type: String
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ CloudWatch:
+ Description: Report Check Point specific CloudWatch metrics.
+ Type: String
+ Default: false
+ AllowedValues:
+ - true
+ - false
+ GatewayBootstrapScript:
+ Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional)
+ Type: String
+ Default: ''
+ NoEcho: true
+ NTPPrimary:
+ Description: (optional)
+ Type: String
+ Default: 169.254.169.123
+ AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+ NTPSecondary:
+ Description: (optional)
+ Type: String
+ Default: 0.pool.ntp.org
+ AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+Conditions:
+ AllocateAddress: !Equals [!Ref AllocatePublicAddress, true]
+Resources:
+ VPCStack:
+ Type: AWS::CloudFormation::Stack
+ Properties:
+ TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml
+ Parameters:
+ AvailabilityZones: !Ref AvailabilityZone
+ NumberOfAZs: 1
+ VPCCIDR: !Ref VPCCIDR
+ PublicSubnet1CIDR: !Ref PublicSubnetCIDR
+ PrivateSubnet1CIDR: !Ref PrivateSubnetCIDR
+ InternalRouteTable:
+ Type: AWS::EC2::RouteTable
+ DependsOn: VPCStack
+ Properties:
+ VpcId: !GetAtt VPCStack.Outputs.VPCID
+ Tags:
+ - Key: Name
+ Value: Private Subnets Route Table
+ ClusterStack:
+ Type: AWS::CloudFormation::Stack
+ DependsOn: VPCStack
+ Properties:
+ TemplateURL: https://cgi-cfts.s3.amazonaws.com/cluster/cluster.yaml
+ Parameters:
+ VPC: !GetAtt VPCStack.Outputs.VPCID
+ PublicSubnet: !GetAtt VPCStack.Outputs.PublicSubnet1ID
+ PrivateSubnet: !GetAtt VPCStack.Outputs.PrivateSubnet1ID
+ InternalRouteTable: !Ref InternalRouteTable
+ GatewayName: !Ref GatewayName
+ GatewayInstanceType: !Ref GatewayInstanceType
+ KeyName: !Ref KeyName
+ AllocatePublicAddress: !Ref AllocatePublicAddress
+ VolumeSize: !Ref VolumeSize
+ VolumeType: !Ref VolumeType
+ VolumeEncryption: !Ref VolumeEncryption
+
EnableInstanceConnect: !Ref EnableInstanceConnect
+ GatewayPredefinedRole: !Ref GatewayPredefinedRole
+ TerminationProtection: !Ref TerminationProtection
+ GatewayVersion: !Ref GatewayVersion
+ Shell: !Ref Shell
+ GatewayPasswordHash: !Ref GatewayPasswordHash
+ GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash
+ GatewaySICKey: !Ref GatewaySICKey
+ MemberAToken: !Ref MemberAToken
+ MemberBToken: !Ref MemberBToken
+ ResourcesTagName: !Ref ResourcesTagName
+ GatewayHostname: !Ref GatewayHostname
+ AllowUploadDownload: !Ref AllowUploadDownload
+ CloudWatch: !Ref CloudWatch
+ GatewayBootstrapScript: !Ref GatewayBootstrapScript
+ NTPPrimary: !Ref NTPPrimary
+ NTPSecondary: !Ref NTPSecondary
+Outputs:
+ ClusterPublicAddress:
+ Description: The public address of the cluster.
+ Value: !GetAtt ClusterStack.Outputs.ClusterPublicAddress
+ MemberAPublicAddress:
+ Condition: AllocateAddress
+ Description: The public address of member A.
+ Value: !GetAtt ClusterStack.Outputs.MemberAPublicAddress
+ MemberASSH:
+ Condition: AllocateAddress
+ Description: SSH command to member A.
+ Value: !GetAtt ClusterStack.Outputs.MemberASSH
+ MemberAURL:
+ Condition: AllocateAddress
+ Description: URL to the member A portal.
+ Value: !GetAtt ClusterStack.Outputs.MemberAURL
+ MemberAExternalInterface:
+ Condition: AllocateAddress
+ Description: The external interface of member A.
+ Value: !GetAtt ClusterStack.Outputs.MemberAExternalInterface
+ MemberAPrivateExternalAddress:
+ Description: The private external address of member A.
+ Value: !GetAtt ClusterStack.Outputs.MemberAPrivateExternalAddress
+ MemberAPrivateInternalAddress:
+ Description: The private internal address of member A.
+ Value: !GetAtt ClusterStack.Outputs.MemberAPrivateInternalAddress
+ MemberBPublicAddress:
+ Condition: AllocateAddress
+ Description: The public address of member B. 
+ Value: !GetAtt ClusterStack.Outputs.MemberBPublicAddress
+ MemberBSSH:
+ Condition: AllocateAddress
+ Description: SSH command to member B.
+ Value: !GetAtt ClusterStack.Outputs.MemberBSSH
+ MemberBURL:
+ Condition: AllocateAddress
+ Description: URL to the member B portal.
+ Value: !GetAtt ClusterStack.Outputs.MemberBURL
+ MemberBPrivateExternalAddress:
+ Description: The private external address of member B.
+ Value: !GetAtt ClusterStack.Outputs.MemberBPrivateExternalAddress
+ MemberBPrivateInternalAddress:
+ Description: The private internal address of member B.
+ Value: !GetAtt ClusterStack.Outputs.MemberBPrivateInternalAddress
+ ClusterPrivateAliasExternalAddress:
+ Description: The secondary external private IP address of the cluster.
+ Value: !GetAtt ClusterStack.Outputs.ClusterPrivateAliasExternalAddress
+ ClusterPrivateAliasInternalAddress:
+ Description: The secondary internal private IP address of the cluster.
+ Value: !GetAtt ClusterStack.Outputs.ClusterPrivateAliasInternalAddress
+Rules:
+ MemberATokenNotProvided:
+ RuleCondition: !Equals [!Ref MemberAToken, '']
+ Assertions:
+ - AssertDescription: "Smart-1 Cloud Token for member A can not be empty."
+ Assert: !Equals [!Ref MemberBToken, '']
+ MemberBTokenNotProvided:
+ RuleCondition: !Equals [ !Ref MemberBToken, '' ]
+ Assertions:
+ - AssertDescription: "Smart-1 Cloud Token for member B can not be empty."
+ Assert: !Equals [ !Ref MemberAToken, '' ]
+ MembersTokenValueEquals:
+ RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ]
+ Assertions:
+ - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+ Assert: !Equals [ !Ref MemberAToken, '' ]
+ - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+ Assert: !Equals [ !Ref MemberBToken, '' ]
\ No newline at end of file
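Review bot: The AllowedPattern shared by MemberAToken and MemberBToken, `'(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'`, puts the base64 prefix of `https://` inside a character class in its second alternative, so `[aHR0cHM6Ly9]` matches any single one of those eleven characters rather than the literal string; any value containing whitespace followed by, say, an `a` or a `0` passes, which is much looser than the first alternative and defeats the validation it was presumably meant to mirror. Changing that alternative to `(.*)\saHR0cHM6Ly9(.+)` (or `(.*)\s(aHR0cHM6Ly9)(.+)`) restores the intended check without affecting the empty-string and prefix cases that the Rules section relies on. A smaller supply-chain point: VPCStack and ClusterStack fetch their nested templates from `https://cgi-cfts.s3.amazonaws.com/...` at create and update time with no version pin or checksum, so whatever that bucket serves is what runs with the deployer's CloudFormation permissions; a comment on each TemplateURL recording that this is a vendor-hosted artifact and which template version (the `20240204` in Description) it is expected to match would help operators who mirror the templates internally.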
diff --git a/aws/templates/cluster/cluster.yaml b/aws/templates/cluster/cluster.yaml
new file mode 100755
index 00000000..f065f4f3
--- /dev/null
+++ b/aws/templates/cluster/cluster.yaml
@@ -0,0 +1,736 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploys a Check Point Cluster into an existing VPC (20240204) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - VPC + - PublicSubnet + - PrivateSubnet + - InternalRouteTable + - Label: + default: EC2 Instance Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - GatewayPredefinedRole + - TerminationProtection + - Label: + default: Check Point Settings + Parameters: + - GatewayVersion + - Shell + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - Label: + default: Quick connect to Smart-1 Cloud (Recommended) + Parameters: + - MemberAToken + - MemberBToken + - Label: + default: Advanced Settings + Parameters: + - ResourcesTagName + - GatewayHostname + - AllowUploadDownload + - CloudWatch + - GatewayBootstrapScript + - NTPPrimary + - NTPSecondary + ParameterLabels: + VPC: + default: VPC + PublicSubnet: + default: Public subnet + PrivateSubnet: + default: Private subnet + InternalRouteTable: + default: Internal route table + GatewayName: + default: Gateway Name + GatewayInstanceType: + default: Security Gateways instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate Elastic IPs + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + GatewayPredefinedRole: + default: Existing IAM role name + TerminationProtection: + default: Termination Protection + GatewayVersion: + default: Version & license + Shell: + default: Admin shell + GatewayPasswordHash: + default: Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + 
default: SIC key + MemberAToken: + default: Smart-1 Cloud Token for member A + MemberBToken: + default: Smart-1 Cloud Token for member B + ResourcesTagName: + default: Resources prefix tag + GatewayHostname: + default: Gateway Hostname + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Bootstrap Script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server +Parameters: + VPC: + Description: Select an existing VPC. + Type: AWS::EC2::VPC::Id + MinLength: 1 + PublicSubnet: + Description: The public subnet of the cluster. The cluster's public IPs will be generated from this subnet. The subnet's route table must have 0.0.0.0/0 route to Internet Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + PrivateSubnet: + Description: The private subnet of the cluster. The cluster's private IPs will be generated from this subnet. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + InternalRouteTable: + Description: The route table id in which to set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route. If empty - traffic will not be routed through the Security Cluster, this requires manual configuration in the route table. (optional) + Type: String + Default: '' + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Cluster + GatewayInstanceType: + Description: The instance type of the Secutiry Gateway. 
+ Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance. 
+ Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: must be the name of an existing EC2 KeyPair. + AllocatePublicAddress: + Description: Allocate an Elastic IP for each cluster member, in addition to the shared cluster Elastic IP. + Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + Default: 100 + MinValue: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayPredefinedRole: + Description: A predefined IAM role to attach to the cluster profile. (optional) + Type: String + Default: '' + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayVersion: + Type: String + Default: R81.20-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG-NGTP + - R80.40-PAYG-NGTX + - R81-BYOL + - R81-PAYG-NGTP + - R81-PAYG-NGTX + - R81.10-BYOL + - R81.10-PAYG-NGTP + - R81.10-PAYG-NGTX + - R81.20-BYOL + - R81.20-PAYG-NGTP + - R81.20-PAYG-NGTX + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD". 
+ to get the PASSWORD's hash) (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections. + between Check Point components. Choose a random string consisting of at least + 8 alphanumeric characters + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: At least 8 alpha numeric characters. + NoEcho: true + MemberAToken: + Description: Follow the instructions in sk180501 to quickly connect this Single AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + MemberBToken: + Description: Follow the instructions in sk180501 to quickly connect this Single AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + ResourcesTagName: + Description: Name tag prefix of the resources (optional). + Type: String + Default: '' + GatewayHostname: + Description: The host name will be appended with member-a/b accordingly (optional). The name must not contain reserved words. For details, refer to sk40179. + Type: String + Default: '' + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z]))?$' + ConstraintDescription: A valid hostname label or an empty string. 
+ AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Improve product experience by sending data to Check Point + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' +Conditions: + ProvidedRouteTable: !Not [!Equals [!Ref InternalRouteTable, '']] + AllocateAddress: !Equals [!Ref AllocatePublicAddress, true] + EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']] + CreateRole: !Equals [!Ref GatewayPredefinedRole, ''] + ProvidedPassHash: !Not [!Equals [!Ref GatewayPasswordHash, '']] + ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']] + EmptyHostName: !Equals [!Ref GatewayHostname, ''] + EnableCloudWatch: !Equals [!Ref CloudWatch, true] +Resources: + ClusterReadyHandle: + Type: AWS::CloudFormation::WaitConditionHandle + Condition: AllocateAddress + Properties: {} + ClusterReadyCondition: + Type: AWS::CloudFormation::WaitCondition + DependsOn: [MemberAInstance, MemberBInstance] + Condition: AllocateAddress + Properties: + Count: 2 + Handle: !Ref ClusterReadyHandle + Timeout: 1800 + ClusterRole: + Condition: CreateRole + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/iam/cluster-iam-role.yaml + ClusterInstanceProfile: + Type: AWS::IAM::InstanceProfile + Properties: + Path: / + Roles: [!If [CreateRole, !GetAtt ClusterRole.Outputs.ClusterIAMRole, !Ref 
GatewayPredefinedRole]] + CloudwatchPolicy: + Condition: EnableCloudWatch + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/iam/cloudwatch-policy.yaml + Parameters: + PolicyName: !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + PolicyRole: !If [CreateRole, !GetAtt ClusterRole.Outputs.ClusterIAMRole, !Ref GatewayPredefinedRole] + AMI: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/amis.yaml + Parameters: + Version: !Join [-, [!Ref GatewayVersion, GW]] + PermissiveSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Permissive security group. + VpcId: !Ref VPC + SecurityGroupIngress: + - IpProtocol: -1 + CidrIp: 0.0.0.0/0 + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - PermissiveSecurityGroup + MemberAExternalInterface: + Type: AWS::EC2::NetworkInterface + DependsOn: PermissiveSecurityGroup + Properties: + Description: Member A external. + SecondaryPrivateIpAddressCount: 1 + SourceDestCheck: false + GroupSet: [!Ref PermissiveSecurityGroup] + SubnetId: !Ref PublicSubnet + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - Member_A_ExternalInterface + MemberBExternalInterface: + Type: AWS::EC2::NetworkInterface + DependsOn: PermissiveSecurityGroup + Properties: + Description: Member B external. + SourceDestCheck: false + GroupSet: [!Ref PermissiveSecurityGroup] + SubnetId: !Ref PublicSubnet + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - Member_B_ExternalInterface + MemberAInternalInterface: + Type: AWS::EC2::NetworkInterface + DependsOn: PermissiveSecurityGroup + Properties: + Description: Member A internal. 
+ SecondaryPrivateIpAddressCount: 1 + GroupSet: [!Ref PermissiveSecurityGroup] + SourceDestCheck: false + SubnetId: !Ref PrivateSubnet + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - Member_A_InternalInterface + MemberBInternalInterface: + Type: AWS::EC2::NetworkInterface + DependsOn: PermissiveSecurityGroup + Properties: + Description: Member B internal. + GroupSet: [!Ref PermissiveSecurityGroup] + SourceDestCheck: false + SubnetId: !Ref PrivateSubnet + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - Member_B_InternalInterface + InternalDefaultRoute: + Type: AWS::EC2::Route + Condition: ProvidedRouteTable + DependsOn: MemberAInternalInterface + Properties: + DestinationCidrBlock: 0.0.0.0/0 + NetworkInterfaceId: !Ref MemberAInternalInterface + RouteTableId: !Ref InternalRouteTable + PrivateSubnetRouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: ProvidedRouteTable + Properties: + RouteTableId: !Ref InternalRouteTable + SubnetId: !Ref PrivateSubnet + MemberAInstance: + Type: AWS::EC2::Instance + DependsOn: [MemberAExternalInterface, MemberAInternalInterface] + Properties: + Tags: + - Key: Name + Value: !Join ['-', [!Ref GatewayName, Member-A]] + - Key: x-chkp-member-ips + Value: !Join + - ':' + - - !Join [ '=', [ public-ip, !If [ AllocateAddress, !Ref MemberAPublicAddress, '' ] ] ] + - !Join [ '=', [ external-private-ip, !GetAtt MemberAExternalInterface.PrimaryPrivateIpAddress ] ] + - !Join [ '=', [ internal-private-ip, !GetAtt MemberAInternalInterface.PrimaryPrivateIpAddress ] ] + - Key: x-chkp-cluster-ips + Value: !Join + - ':' + - - !Join [ '=', [ cluster-ip, !Ref ClusterPublicAddress ] ] + - !Join [ '=', [ cluster-eth0-private-ip, !Select [ 0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses ] ] ] + - !Join [ '=', [ cluster-eth1-private-ip, !Select [ 0, !GetAtt 
MemberAInternalInterface.SecondaryPrivateIpAddresses ] ] ] + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [EncryptedVolume, true, false] + KmsKeyId: !If [EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue'] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + KeyName: !Ref KeyName + NetworkInterfaces: + - DeviceIndex: 0 + NetworkInterfaceId: !Ref MemberAExternalInterface + - DeviceIndex: 1 + NetworkInterfaceId: !Ref MemberAInternalInterface + IamInstanceProfile: !Ref ClusterInstanceProfile + DisableApiTermination: !Ref TerminationProtection + UserData: + 'Fn::Base64': + !Join + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenA=''${MemberAToken}''' + - !If [AllocateAddress, !Sub ' wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] + - !If [EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-a'] + - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberAPublicAddress, ''], '"']] + - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenA}\"" installationType=\"cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"cluster\" shell=\"${admin_shell}\" 
enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" bootstrapScript64=\"${bootstrap}\"' + MemberBInstance: + Type: AWS::EC2::Instance + DependsOn: [MemberBExternalInterface, MemberBInternalInterface] + Properties: + Tags: + - Key: Name + Value: !Join ['-', [!Ref GatewayName, Member-B]] + - Key: x-chkp-member-ips + Value: !Join + - ':' + - - !Join [ '=', [ public-ip, !If [ AllocateAddress, !Ref MemberBPublicAddress, '' ] ] ] + - !Join [ '=', [ external-private-ip, !GetAtt MemberBExternalInterface.PrimaryPrivateIpAddress ] ] + - !Join [ '=', [ internal-private-ip, !GetAtt MemberBInternalInterface.PrimaryPrivateIpAddress ] ] + - Key: x-chkp-cluster-ips + Value: !Join + - ':' + - - !Join [ '=', [ cluster-ip, !Ref ClusterPublicAddress ] ] + - !Join [ '=', [ cluster-eth0-private-ip, !Select [ 0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses ] ] ] + - !Join [ '=', [ cluster-eth1-private-ip, !Select [ 0, !GetAtt MemberAInternalInterface.SecondaryPrivateIpAddresses ] ] ] + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [EncryptedVolume, true, false] + KmsKeyId: !If [EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue'] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + KeyName: !Ref KeyName + NetworkInterfaces: + - DeviceIndex: 0 + NetworkInterfaceId: !Ref MemberBExternalInterface + - DeviceIndex: 1 + NetworkInterfaceId: !Ref MemberBInternalInterface + IamInstanceProfile: !Ref ClusterInstanceProfile + DisableApiTermination: !Ref TerminationProtection + UserData: + 'Fn::Base64': + !Join + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; 
ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenB=''${MemberBToken}''' + - !If [AllocateAddress, !Sub ' wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] + - !If [EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-b'] + - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberBPublicAddress, ''], '"']] + - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['.', !Select [0, !Split ['-', !Ref GatewayVersion]]]]}] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenB}\"" installationType=\"cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20230923\" templateName=\"cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" elasticIp=\"${eip}\" bootstrapScript64=\"${bootstrap}\"' + ClusterPublicAddress: + Type: AWS::EC2::EIP + Properties: + Domain: vpc + MemberAPublicAddress: + Type: AWS::EC2::EIP + Condition: AllocateAddress + Properties: + Domain: vpc + MemberBPublicAddress: + Type: AWS::EC2::EIP + Condition: AllocateAddress + Properties: + Domain: vpc + ClusterAddressAssoc: + Type: AWS::EC2::EIPAssociation + DependsOn: MemberAInstance + Properties: + NetworkInterfaceId: !Ref MemberAExternalInterface + AllocationId: !GetAtt ClusterPublicAddress.AllocationId + PrivateIpAddress: !Select [0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses] + MemberAAddressAssoc: + Type: AWS::EC2::EIPAssociation + Condition: AllocateAddress + DependsOn: MemberAInstance + Properties: + NetworkInterfaceId: !Ref MemberAExternalInterface + AllocationId: !GetAtt 
MemberAPublicAddress.AllocationId + PrivateIpAddress: !GetAtt MemberAExternalInterface.PrimaryPrivateIpAddress + MemberBAddressAssoc: + Type: AWS::EC2::EIPAssociation + Condition: AllocateAddress + DependsOn: MemberBInstance + Properties: + NetworkInterfaceId: !Ref MemberBExternalInterface + AllocationId: !GetAtt MemberBPublicAddress.AllocationId + PrivateIpAddress: !GetAtt MemberBExternalInterface.PrimaryPrivateIpAddress +Outputs: + ClusterPublicAddress: + Description: The public address of the cluster. + Value: !Ref ClusterPublicAddress + MemberAPublicAddress: + Condition: AllocateAddress + Description: The public address of member A. + Value: !Ref MemberAPublicAddress + MemberASSH: + Condition: AllocateAddress + Description: SSH command to member A. + Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref MemberAPublicAddress]] + MemberAURL: + Condition: AllocateAddress + Description: URL to the member A portal. + Value: !Join ['', ['https://', !Ref MemberAPublicAddress]] + MemberAExternalInterface: + Condition: AllocateAddress + Description: The external interface of member A. + Value: !Ref MemberAExternalInterface + MemberAPrivateExternalAddress: + Description: The private external address of member A. + Value: !GetAtt MemberAExternalInterface.PrimaryPrivateIpAddress + MemberAPrivateInternalAddress: + Description: The private internal address of member A. + Value: !GetAtt MemberAInternalInterface.PrimaryPrivateIpAddress + MemberBPublicAddress: + Condition: AllocateAddress + Description: The public address of member B. + Value: !Ref MemberBPublicAddress + MemberBSSH: + Condition: AllocateAddress + Description: SSH command to member B. + Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref MemberBPublicAddress]] + MemberBURL: + Condition: AllocateAddress + Description: URL to the member B portal. + Value: !Join ['', ['https://', !Ref MemberBPublicAddress]] + MemberBPrivateExternalAddress: + Description: The private external address of member B. 
+ Value: !GetAtt MemberBExternalInterface.PrimaryPrivateIpAddress + MemberBPrivateInternalAddress: + Description: The private internal address of member B. + Value: !GetAtt MemberBInternalInterface.PrimaryPrivateIpAddress + ClusterPrivateAliasExternalAddress: + Description: The secondary external private IP address of the cluster. + Value: !Select [ 0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses ] + ClusterPrivateAliasInternalAddress: + Description: The secondary internal private IP address of the cluster. + Value: !Select [ 0, !GetAtt MemberAInternalInterface.SecondaryPrivateIpAddresses ] + +Rules: + MemberATokenNotProvided: + RuleCondition: !Equals [!Ref MemberAToken, ''] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty." + Assert: !Equals [!Ref MemberBToken, ''] + MemberBTokenNotProvided: + RuleCondition: !Equals [ !Ref MemberBToken, '' ] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty." + Assert: !Equals [ !Ref MemberAToken, '' ] + MembersTokenValueEquals: + RuleCondition: !EachMemberEquals [[!Ref MemberBToken], !Ref MemberAToken] + Assertions: + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberAToken, '' ] + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberBToken, '' ] + diff --git a/aws/templates/cross-az-cluster/README.md b/aws/templates/cross-az-cluster/README.md new file mode 100644 index 00000000..1a44f78e --- /dev/null +++ b/aws/templates/cross-az-cluster/README.md @@ -0,0 +1,26 @@ + +## Cross Availability Zone Cluster + + + + + + + + + + + + + + + + + + + +
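Review bot: MemberBInstance's UserData never sets the maintenance-mode password: unlike MemberAInstance it has no `- !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']]` line and its `python3 /etc/cloud_config.py` call omits `MaintenanceModePassword=\"${maintenance_pwd_hash}\"`, so the `GatewayMaintenancePasswordHash` parameter is applied to member A only and the standby member is left without that recovery credential. The same runcmd block also diverges from member A in `templateVersion=\"20230923\"` vs `20240204` and in the extra `!Split ['.', …]` on the version string (member A passes `R81.20` as osVersion, member B passes `R81`), which reads like a stale copy rather than intent; mirroring member A's lines for member B fixes all three. Separately, `PermissiveSecurityGroup` admits `IpProtocol: -1` from `0.0.0.0/0` on every member ENI, including the EIP-bearing external interfaces, so SSH and the HTTPS portal are Internet-reachable until the gateway's own policy restricts them — a comment on the resource stating that this is the intended control, or an optional admin-CIDR parameter, would help operators. Note also that the SIC key, password hashes, Smart-1 tokens and bootstrap script are delivered in UserData, which is readable from the instance metadata endpoint and via ec2:DescribeInstanceAttribute regardless of `NoEcho`; adding `MetadataOptions: {HttpTokens: required}` to both instances would at least enforce IMDSv2, if the appliance image supports it.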
DescriptionNotesDirect Launch
+ Deploys two Security Gateways, each in a different Availability Zone.

For more details, refer to Cross Availability Zone Cluster for AWS R81.20 Administration Guide. +
Creates a new VPC and deploys a Cross Availability Zone Cluster of Security Gateways into it.
Deploys a Cross Availability Zone Cluster of Security Gateways into an existing VPC.
+
+
\ No newline at end of file diff --git a/aws/templates/cross-az-cluster/cross-az-cluster-master.yaml b/aws/templates/cross-az-cluster/cross-az-cluster-master.yaml new file mode 100644 index 00000000..65ed15aa --- /dev/null +++ b/aws/templates/cross-az-cluster/cross-az-cluster-master.yaml 
@@ -0,0 +1,513 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploy a Check Point Cluster in a new VPC (20240204) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - AvailabilityZones + - VPCCIDR + - PublicSubnet1CIDR + - PublicSubnet2CIDR + - PrivateSubnet1CIDR + - PrivateSubnet2CIDR + - Label: + default: EC2 Instance Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeEncryption + - EnableInstanceConnect + - GatewayPredefinedRole + - TerminationProtection + - Label: + default: Check Point Settings + Parameters: + - GatewayVersion + - Shell + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - Label: + default: Quick connect to Smart-1 Cloud (Recommended) + Parameters: + - MemberAToken + - MemberBToken + - Label: + default: Advanced Settings + Parameters: + - ResourcesTagName + - GatewayHostname + - AllowUploadDownload + - CloudWatch + - GatewayBootstrapScript + - NTPPrimary + - NTPSecondary + ParameterLabels: + AvailabilityZones: + default: Availability zones + VPCCIDR: + default: VPC CIDR + PublicSubnet1CIDR: + default: Public subnet 1 CIDR + PublicSubnet2CIDR: + default: Public subnet 2 CIDR + PrivateSubnet1CIDR: + default: Private subnet 1 CIDR + PrivateSubnet2CIDR: + default: Private subnet 2 CIDR + GatewayName: + default: Gateway Name + GatewayInstanceType: + default: Security Gateways instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate Elastic IPs + VolumeSize: + default: Root volume size (GB) + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + GatewayPredefinedRole: + default: Existing IAM role name + TerminationProtection: + default: Termination Protection + GatewayVersion: + default: Version & license + Shell: + default: Admin shell + 
GatewayPasswordHash: + default: Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: SIC key + MemberAToken: + default: Smart-1 Cloud Token for member A + MemberBToken: + default: Smart-1 Cloud Token for member B + ResourcesTagName: + default: Resources prefix tag + GatewayHostname: + default: Gateway Hostname + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Bootstrap Script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server +Parameters: + AvailabilityZones: + Description: The availability zones in which to deploy the cluster. + Type: List + MinLength: 2 + VPCCIDR: + Description: The CIDR block for your VPC. + Type: String + Default: 10.0.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet1CIDR: + Description: The 1st external subnet of the cluster. The cluster's public IPs will be generated from this subnet. + Type: String + Default: 10.0.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet2CIDR: + Description: The 2nd external subnet of the cluster. The cluster's public IPs will be generated from this subnet. + Type: String + Default: 10.0.20.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnet1CIDR: + Description: The 1st internal subnet of the cluster. 
The cluster's private IPs will be generated from this subnet. + Type: String + Default: 10.0.11.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnet2CIDR: + Description: The 2nd internal subnet of the cluster. The cluster's private IPs will be generated from this subnet. + Type: String + Default: 10.0.21.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Cluster + GatewayInstanceType: + Description: The instance type of the Secutiry Gateway. + Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - 
r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + AllocatePublicAddress: + Description: Allocate an Elastic IP for each cluster member, in addition to the shared cluster Elastic IP. + Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + Default: 100 + MinValue: 100 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Default: false + Type: String + AllowedValues: + - true + - false + GatewayPredefinedRole: + Description: A predefined IAM role to attach to the cluster profile. (optional) + Type: String + Default: '' + TerminationProtection: + Description: Prevents an instance from accidental termination. 
+ Type: String + Default: false + AllowedValues: + - true + - false + GatewayVersion: + Type: String + Default: R81.20-BYOL + AllowedValues: + - R81.20-BYOL + - R81.20-PAYG-NGTP + - R81.20-PAYG-NGTX + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD". + to get the PASSWORD's hash) (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections. + between Check Point components. Choose a random string consisting of at least + 8 alphanumeric characters + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: At least 8 alpha numeric characters. + NoEcho: true + MemberAToken: + Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + MemberBToken: + Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. 
+ AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + ResourcesTagName: + Description: Name tag prefix of the resources. (optional) + Type: String + Default: '' + GatewayHostname: + Description: The host name will be appended with member-a/b accordingly (optional). The name must not contain reserved words. For details, refer to sk40179. + Type: String + Default: '' + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z]))?$' + ConstraintDescription: A valid hostname label or an empty string. + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Improve product experience by sending data to Check Point. + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. 
(optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' +Conditions: + AllocateAddress: !Equals [!Ref AllocatePublicAddress, true] +Resources: + VPCStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml + Parameters: + AvailabilityZones: !Join [',', !Ref AvailabilityZones] + NumberOfAZs: 2 + VPCCIDR: !Ref VPCCIDR + PublicSubnet1CIDR: !Ref PublicSubnet1CIDR + PublicSubnet2CIDR: !Ref PublicSubnet2CIDR + PrivateSubnet1CIDR: !Ref PrivateSubnet1CIDR + PrivateSubnet2CIDR: !Ref PrivateSubnet2CIDR + InternalRouteTable: + Type: AWS::EC2::RouteTable + DependsOn: VPCStack + Properties: + VpcId: !GetAtt VPCStack.Outputs.VPCID + Tags: + - Key: Name + Value: Private Subnets Route Table + ClusterStack: + Type: AWS::CloudFormation::Stack + DependsOn: VPCStack + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/cluster/cross-az-cluster.yaml + Parameters: + VPC: !GetAtt VPCStack.Outputs.VPCID + PublicSubnetA: !GetAtt VPCStack.Outputs.PublicSubnet1ID + PublicSubnetB: !GetAtt VPCStack.Outputs.PublicSubnet2ID + PrivateSubnetA: !GetAtt VPCStack.Outputs.PrivateSubnet1ID + PrivateSubnetB: !GetAtt VPCStack.Outputs.PrivateSubnet2ID + InternalRouteTable: !Ref InternalRouteTable + GatewayName: !Ref GatewayName + GatewayInstanceType: !Ref GatewayInstanceType + KeyName: !Ref KeyName + AllocatePublicAddress: !Ref AllocatePublicAddress + VolumeSize: !Ref VolumeSize + VolumeEncryption: !Ref VolumeEncryption + EnableInstanceConnect: !Ref EnableInstanceConnect + GatewayPredefinedRole: !Ref GatewayPredefinedRole + TerminationProtection: !Ref TerminationProtection + GatewayVersion: !Ref GatewayVersion + Shell: !Ref Shell + GatewayPasswordHash: !Ref GatewayPasswordHash + 
GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash + GatewaySICKey: !Ref GatewaySICKey + MemberAToken: !Ref MemberAToken + MemberBToken: !Ref MemberBToken + ResourcesTagName: !Ref ResourcesTagName + GatewayHostname: !Ref GatewayHostname + AllowUploadDownload: !Ref AllowUploadDownload + CloudWatch: !Ref CloudWatch + GatewayBootstrapScript: !Ref GatewayBootstrapScript + NTPPrimary: !Ref NTPPrimary + NTPSecondary: !Ref NTPSecondary +Outputs: + ClusterPublicAddress: + Description: The public address of the cluster. + Value: !GetAtt ClusterStack.Outputs.ClusterPublicAddress + MemberAPublicAddress: + Condition: AllocateAddress + Description: The public address of member A. + Value: !GetAtt ClusterStack.Outputs.MemberAPublicAddress + MemberASSH: + Condition: AllocateAddress + Description: SSH command to member A. + Value: !GetAtt ClusterStack.Outputs.MemberASSH + MemberAURL: + Condition: AllocateAddress + Description: URL to the member A portal. + Value: !GetAtt ClusterStack.Outputs.MemberAURL + MemberAExternalInterface: + Condition: AllocateAddress + Description: The external interface of member A. + Value: !GetAtt ClusterStack.Outputs.MemberAExternalInterface + MemberAPrivateExternalAddress: + Description: The primary external private address of member A. + Value: !GetAtt ClusterStack.Outputs.MemberAPrivateExternalAddress + MemberAPrivateAliasAddress: + Description: The secondary external private IP address of Member A. + Value: !GetAtt ClusterStack.Outputs.MemberAPrivateAliasAddress + MemberAPrivateInternalAddress: + Description: The private Internal address of member A. + Value: !GetAtt ClusterStack.Outputs.MemberAPrivateInternalAddress + MemberBPublicAddress: + Condition: AllocateAddress + Description: The public address of member B. + Value: !GetAtt ClusterStack.Outputs.MemberBPublicAddress + MemberBSSH: + Condition: AllocateAddress + Description: SSH command to member B. 
+ Value: !GetAtt ClusterStack.Outputs.MemberBSSH + MemberBURL: + Condition: AllocateAddress + Description: URL to the member B portal. + Value: !GetAtt ClusterStack.Outputs.MemberBURL + MemberBPrivateExternalAddress: + Description: The primary external private address of member B. + Value: !GetAtt ClusterStack.Outputs.MemberBPrivateExternalAddress + MemberBPrivateAliasAddress: + Description: The secondary external private IP address of Member B. + Value: !GetAtt ClusterStack.Outputs.MemberBPrivateAliasAddress + MemberBPrivateInternalAddress: + Description: The private Internal address of member B. + Value: !GetAtt ClusterStack.Outputs.MemberBPrivateInternalAddress +Rules: + MemberATokenNotProvided: + RuleCondition: !Equals [!Ref MemberAToken, ''] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty." + Assert: !Equals [!Ref MemberBToken, ''] + MemberBTokenNotProvided: + RuleCondition: !Equals [ !Ref MemberBToken, '' ] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty." + Assert: !Equals [ !Ref MemberAToken, '' ] + MembersTokenValueEquals: + RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ] + Assertions: + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberAToken, '' ] + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberBToken, '' ] \ No newline at end of file diff --git a/aws/templates/cross-az-cluster/cross-az-cluster.yaml b/aws/templates/cross-az-cluster/cross-az-cluster.yaml new file mode 100644 index 00000000..7f4a56ac --- /dev/null +++ b/aws/templates/cross-az-cluster/cross-az-cluster.yaml 
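Review bot: The `AllowedPattern` on `MemberAToken` (and the identical one on `MemberBToken` in this hunk) validates less than it appears to: the middle alternative `(.*)\s[aHR0cHM6Ly9](.+)` is a character class, so it accepts any value that contains whitespace followed by a single one of those eleven characters plus anything else, instead of the literal `aHR0cHM6Ly9` prefix (which looks like the base64 form of an `https://` URL, presumably the intended marker). If the second branch is meant to find that prefix after whitespace, `AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\saHR0cHM6Ly9(.+)|^$)'` keeps the same three alternatives with the literal, and a one-line comment above the parameter stating what `aHR0cHM6Ly9` stands for would make the pattern maintainable. Since a malformed token only fails later on the gateway, tightening this parameter check is the cheapest place to catch a paste error. Separately, the nested `TemplateURL` values under `VPCStack` and `ClusterStack` reference unversioned objects in a public bucket, so a later deployment can resolve to template content that differs from what was reviewed; pinning to a versioned object (or a bucket under the deployer's control) would make the deployed stack reproducible.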
@@ -0,0 +1,755 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploys a Check Point Cluster into an existing VPC (20240204) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - VPC + - PublicSubnetA + - PublicSubnetB + - PrivateSubnetA + - PrivateSubnetB + - InternalRouteTable + - Label: + default: EC2 Instance Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - GatewayPredefinedRole + - TerminationProtection + - Label: + default: Check Point Settings + Parameters: + - GatewayVersion + - Shell + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - Label: + default: Quick connect to Smart-1 Cloud (Recommended) + Parameters: + - MemberAToken + - MemberBToken + - Label: + default: Advanced Settings + Parameters: + - ResourcesTagName + - GatewayHostname + - AllowUploadDownload + - CloudWatch + - GatewayBootstrapScript + - NTPPrimary + - NTPSecondary + ParameterLabels: + VPC: + default: VPC + PublicSubnetA: + default: Public subnet 1 + PublicSubnetB: + default: Public subnet 2 + PrivateSubnetA: + default: Private subnet 1 + PrivateSubnetB: + default: Private subnet 2 + InternalRouteTable: + default: Internal route table + GatewayName: + default: Gateway Name + GatewayInstanceType: + default: Security Gateways instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate Elastic IPs + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + GatewayPredefinedRole: + default: Existing IAM role name + TerminationProtection: + default: Termination Protection + GatewayVersion: + default: Version & license + Shell: + default: Admin shell + 
GatewayPasswordHash: + default: Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: SIC key + MemberAToken: + default: Smart-1 Cloud Token for member A + MemberBToken: + default: Smart-1 Cloud Token for member B + ResourcesTagName: + default: Resources prefix tag + GatewayHostname: + default: Gateway Hostname + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Bootstrap Script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server +Parameters: + VPC: + Description: Select an existing VPC. + Type: AWS::EC2::VPC::Id + MinLength: 1 + PublicSubnetA: + Description: Select a public subnet for the first Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a public subnet for the first Security Gateway. + PublicSubnetB: + Description: Select a public subnet for the second Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a public subnet for the second Security Gateway. + PrivateSubnetA: + Description: Select a private subnet for the first Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a private subnet for the first Security Gateway. + PrivateSubnetB: + Description: Select a private subnet for the second Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a private subnet for the second Security Gateway. + InternalRouteTable: + Description: Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route. If empty - traffic will not be routed through the Security Cluster, this requires manual configuration in the Route Table. 
(optional) + Type: String + Default: '' + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Cluster + GatewayInstanceType: + Description: The instance type of the Secutiry Gateway. + Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - 
m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: must be the name of an existing EC2 KeyPair. + AllocatePublicAddress: + Description: Allocate an Elastic IP for each cluster member, in addition to the shared cluster Elastic IP. + Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + Default: 100 + MinValue: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayPredefinedRole: + Description: A predefined IAM role to attach to the cluster profile. (optional) + Type: String + Default: '' + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayVersion: + Type: String + Default: R81.20-BYOL + AllowedValues: + - R81.20-BYOL + - R81.20-PAYG-NGTP + - R81.20-PAYG-NGTX + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" + to get the PASSWORD's hash). 
(optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections + between Check Point components. Choose a random string consisting of at least + 8 alphanumeric characters. + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: At least 8 alpha numeric characters. + NoEcho: true + MemberAToken: + Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + MemberBToken: + Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + ResourcesTagName: + Description: Name tag prefix of the resources. (optional) + Type: String + Default: '' + GatewayHostname: + Description: The host name will be appended with member-a/b accordingly (optional). The name must not contain reserved words. For details, refer to sk40179. + Type: String + Default: '' + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z]))?$' + ConstraintDescription: A valid hostname label or an empty string. 
+ AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose + Improve product experience by sending data to Check Point. + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' +Conditions: + ProvidedRouteTable: !Not [!Equals [!Ref InternalRouteTable, '']] + AllocateAddress: !Equals [!Ref AllocatePublicAddress, true] + EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']] + CreateRole: !Equals [!Ref GatewayPredefinedRole, ''] + ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']] + EmptyHostName: !Equals [!Ref GatewayHostname, ''] + EnableCloudWatch: !Equals [!Ref CloudWatch, true] +Resources: + ClusterReadyHandle: + Type: AWS::CloudFormation::WaitConditionHandle + Condition: AllocateAddress + Properties: {} + ClusterReadyCondition: + Type: AWS::CloudFormation::WaitCondition + DependsOn: [MemberAInstance, MemberBInstance] + Condition: AllocateAddress + Properties: + Count: 2 + Handle: !Ref ClusterReadyHandle + Timeout: 1800 + ClusterRole: + Condition: CreateRole + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/iam/cluster-iam-role.yaml + ClusterInstanceProfile: + Type: AWS::IAM::InstanceProfile + Properties: + Path: / + Roles: [!If [CreateRole, !GetAtt ClusterRole.Outputs.ClusterIAMRole, !Ref GatewayPredefinedRole]] + CloudwatchPolicy: + Condition: 
EnableCloudWatch + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/iam/cloudwatch-policy.yaml + Parameters: + PolicyName: !If [ ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName' ] + PolicyRole: !If [CreateRole, !GetAtt ClusterRole.Outputs.ClusterIAMRole, !Ref GatewayPredefinedRole] + AMI: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/amis.yaml + Parameters: + Version: !Join ['-', [!Ref GatewayVersion, GW]] + PermissiveSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Permissive security group. + VpcId: !Ref VPC + SecurityGroupIngress: + - IpProtocol: -1 + CidrIp: 0.0.0.0/0 + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - PermissiveSecurityGroup + MemberAExternalInterface: + Type: AWS::EC2::NetworkInterface + DependsOn: PermissiveSecurityGroup + Properties: + Description: Member A external. + SecondaryPrivateIpAddressCount: 1 + SourceDestCheck: false + GroupSet: [!Ref PermissiveSecurityGroup] + SubnetId: !Ref PublicSubnetA + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - Member_A_ExternalInterface + MemberBExternalInterface: + Type: AWS::EC2::NetworkInterface + DependsOn: PermissiveSecurityGroup + Properties: + Description: Member B external. + SecondaryPrivateIpAddressCount: 1 + SourceDestCheck: false + GroupSet: [!Ref PermissiveSecurityGroup] + SubnetId: !Ref PublicSubnetB + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - Member_B_ExternalInterface + MemberAInternalInterface: + Type: AWS::EC2::NetworkInterface + DependsOn: PermissiveSecurityGroup + Properties: + Description: Member A internal. 
+ GroupSet: [!Ref PermissiveSecurityGroup] + SourceDestCheck: false + SubnetId: !Ref PrivateSubnetA + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - Member_A_InternalInterface + MemberBInternalInterface: + Type: AWS::EC2::NetworkInterface + DependsOn: PermissiveSecurityGroup + Properties: + Description: Member B internal. + GroupSet: [!Ref PermissiveSecurityGroup] + SourceDestCheck: false + SubnetId: !Ref PrivateSubnetB + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - Member_B_InternalInterface + InternalDefaultRoute: + Type: AWS::EC2::Route + Condition: ProvidedRouteTable + DependsOn: MemberAInternalInterface + Properties: + DestinationCidrBlock: 0.0.0.0/0 + NetworkInterfaceId: !Ref MemberAInternalInterface + RouteTableId: !Ref InternalRouteTable + PrivateSubnet1RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: ProvidedRouteTable + Properties: + RouteTableId: !Ref InternalRouteTable + SubnetId: !Ref PrivateSubnetA + PrivateSubnet2RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: ProvidedRouteTable + Properties: + RouteTableId: !Ref InternalRouteTable + SubnetId: !Ref PrivateSubnetB + ClusterPublicAddress: + Type: AWS::EC2::EIP + Properties: + Domain: vpc + MemberAPublicAddress: + Type: AWS::EC2::EIP + Condition: AllocateAddress + Properties: + Domain: vpc + MemberBPublicAddress: + Type: AWS::EC2::EIP + Condition: AllocateAddress + Properties: + Domain: vpc + ClusterAddressAssoc: + Type: AWS::EC2::EIPAssociation + DependsOn: MemberAInstance + Properties: + NetworkInterfaceId: !Ref MemberAExternalInterface + AllocationId: !GetAtt ClusterPublicAddress.AllocationId + PrivateIpAddress: !Select [0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses] + MemberAAddressAssoc: + Type: AWS::EC2::EIPAssociation + Condition: AllocateAddress + 
DependsOn: MemberAInstance + Properties: + NetworkInterfaceId: !Ref MemberAExternalInterface + AllocationId: !GetAtt MemberAPublicAddress.AllocationId + PrivateIpAddress: !GetAtt MemberAExternalInterface.PrimaryPrivateIpAddress + MemberBAddressAssoc: + Type: AWS::EC2::EIPAssociation + Condition: AllocateAddress + DependsOn: MemberBInstance + Properties: + NetworkInterfaceId: !Ref MemberBExternalInterface + AllocationId: !GetAtt MemberBPublicAddress.AllocationId + PrivateIpAddress: !GetAtt MemberBExternalInterface.PrimaryPrivateIpAddress + MemberAInstance: + Type: AWS::EC2::Instance + DependsOn: [MemberAExternalInterface, MemberAInternalInterface, ClusterPublicAddress, MemberBInternalInterface, MemberBExternalInterface] + Properties: + Tags: + - Key: Name + Value: !Join ['-', [!Ref GatewayName, Member-A]] + - Key: x-chkp-member-ips + Value: !Join + - ':' + - - !Join [ '=', [ public-ip, !Ref MemberAPublicAddress ] ] + - !Join [ '=', [ external-private-ip, !GetAtt MemberAExternalInterface.PrimaryPrivateIpAddress ] ] + - !Join [ '=', [ internal-private-ip, !GetAtt MemberAInternalInterface.PrimaryPrivateIpAddress ] ] + - Key: x-chkp-cluster-ips + Value: !Join + - ':' + - - !Join [ '=', [ cluster-ip, !Ref ClusterPublicAddress ] ] + - !Join [ '=', [ secondary-external-private-ip, !Select [ 0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses ] ] ] + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [EncryptedVolume, true, false] + KmsKeyId: !If [EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue'] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + KeyName: !Ref KeyName + NetworkInterfaces: + - DeviceIndex: 0 + NetworkInterfaceId: !Ref MemberAExternalInterface + - DeviceIndex: 1 + NetworkInterfaceId: !Ref MemberAInternalInterface + IamInstanceProfile: !Ref ClusterInstanceProfile + DisableApiTermination: !Ref TerminationProtection + UserData: 
+ 'Fn::Base64': + !Join + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenA=''${MemberAToken}''' + - !If [AllocateAddress, !Sub ' wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] + - !If [EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-a'] + - !Join ['', [' other_member_ip="', !GetAtt MemberBInternalInterface.PrimaryPrivateIpAddress, '"']] + - !Join ['', [' secondary_ip="', !Select [0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses], '"']] + - !Join ['', [' remote_secondary_ip="', !Select [0, !GetAtt MemberBExternalInterface.SecondaryPrivateIpAddresses], '"']] + - !Join ['', [' cluster_ip="', !Ref ClusterPublicAddress, '"']] + - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberAPublicAddress, ''], '"']] + - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenA}\"" installationType=\"cross-az-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"cross_az_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" otherMemberIp=\"${other_member_ip}\" 
clusterIp=\"${cluster_ip}\" secondaryIp=\"${secondary_ip}\" otherMemberPrivateClusterIp=\"${remote_secondary_ip}\" bootstrapScript64=\"${bootstrap}\"' + MemberBInstance: + Type: AWS::EC2::Instance + DependsOn: [MemberBExternalInterface, MemberBInternalInterface, ClusterPublicAddress, MemberAInternalInterface, MemberAExternalInterface] + Properties: + Tags: + - Key: Name + Value: !Join ['-', [!Ref GatewayName, Member-B]] + - Key: x-chkp-member-ips + Value: !Join + - ':' + - - !Join [ '=', [ public-ip, !Ref MemberBPublicAddress ] ] + - !Join [ '=', [ external-private-ip, !GetAtt MemberBExternalInterface.PrimaryPrivateIpAddress ] ] + - !Join [ '=', [ internal-private-ip, !GetAtt MemberBInternalInterface.PrimaryPrivateIpAddress ] ] + - Key: x-chkp-cluster-ips + Value: !Join + - ':' + - - !Join [ '=', [ cluster-ip, !Ref ClusterPublicAddress ] ] + - !Join [ '=', [ secondary-external-private-ip, !Select [ 0, !GetAtt MemberBExternalInterface.SecondaryPrivateIpAddresses ] ] ] + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [EncryptedVolume, true, false] + KmsKeyId: !If [EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue'] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + KeyName: !Ref KeyName + NetworkInterfaces: + - DeviceIndex: 0 + NetworkInterfaceId: !Ref MemberBExternalInterface + - DeviceIndex: 1 + NetworkInterfaceId: !Ref MemberBInternalInterface + IamInstanceProfile: !Ref ClusterInstanceProfile + DisableApiTermination: !Ref TerminationProtection + UserData: + 'Fn::Base64': + !Join + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenB=''${MemberBToken}''' + - !If [AllocateAddress, !Sub ' wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] + - !If 
[EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-b'] + - !Join ['', [' other_member_ip="', !GetAtt MemberAInternalInterface.PrimaryPrivateIpAddress, '"']] + - !Join ['', [' secondary_ip="', !Select [0, !GetAtt MemberBExternalInterface.SecondaryPrivateIpAddresses], '"']] + - !Join ['', [' remote_secondary_ip="', !Select [0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses], '"']] + - !Join ['', [' cluster_ip="', !Ref ClusterPublicAddress, '"']] + - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberBPublicAddress, ''], '"']] + - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] + - !Join [ '', [ ' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"' ] ] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenB}\"" installationType=\"cross-az-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"cross_az_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" otherMemberIp=\"${other_member_ip}\" clusterIp=\"${cluster_ip}\" secondaryIp=\"${secondary_ip}\" otherMemberPrivateClusterIp=\"${remote_secondary_ip}\" bootstrapScript64=\"${bootstrap}\"' +Outputs: + ClusterPublicAddress: + Description: The public address of the cluster. + Value: !Ref ClusterPublicAddress + MemberAPublicAddress: + Condition: AllocateAddress + Description: The public address of member A. 
+ Value: !Ref MemberAPublicAddress + MemberASSH: + Condition: AllocateAddress + Description: SSH command to member A. + Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref MemberAPublicAddress]] + MemberAURL: + Condition: AllocateAddress + Description: URL to the member A portal. + Value: !Join ['', ['https://', !Ref MemberAPublicAddress]] + MemberAExternalInterface: + Condition: AllocateAddress + Description: The external interface of member A. + Value: !Ref MemberAExternalInterface + MemberAPrivateExternalAddress: + Description: The primary external private address of member A. + Value: !GetAtt MemberAExternalInterface.PrimaryPrivateIpAddress + MemberAPrivateAliasAddress: + Description: The secondary external private IP address of Member A. + Value: !Select [0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses] + MemberAPrivateInternalAddress: + Description: The private Internal address of member A. + Value: !GetAtt MemberAInternalInterface.PrimaryPrivateIpAddress + MemberBPublicAddress: + Condition: AllocateAddress + Description: The public address of member B. + Value: !Ref MemberBPublicAddress + MemberBSSH: + Condition: AllocateAddress + Description: SSH command to member B. + Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref MemberBPublicAddress]] + MemberBURL: + Condition: AllocateAddress + Description: URL to the member B portal. + Value: !Join ['', ['https://', !Ref MemberBPublicAddress]] + MemberBPrivateExternalAddress: + Description: The primary external private address of member B. + Value: !GetAtt MemberBExternalInterface.PrimaryPrivateIpAddress + MemberBPrivateAliasAddress: + Description: The secondary external private IP address of Member B. + Value: !Select [0, !GetAtt MemberBExternalInterface.SecondaryPrivateIpAddresses] + MemberBPrivateInternalAddress: + Description: The private Internal address of member B. 
+ Value: !GetAtt MemberBInternalInterface.PrimaryPrivateIpAddress +Rules: + MemberATokenNotProvided: + RuleCondition: !Equals [!Ref MemberAToken, ''] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty." + Assert: !Equals [!Ref MemberBToken, ''] + MemberBTokenNotProvided: + RuleCondition: !Equals [ !Ref MemberBToken, '' ] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty." + Assert: !Equals [ !Ref MemberAToken, '' ] + MembersTokenValueEquals: + RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ] + Assertions: + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberAToken, '' ] + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberBToken, '' ] diff --git a/aws/templates/general/README.md b/aws/templates/general/README.md new file mode 100644 index 00000000..67940b88 --- /dev/null +++ b/aws/templates/general/README.md @@ -0,0 +1,29 @@ +## General + + + + + + + + + + + + + + + + + + +
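Review bot: The second alternative of the Smart-1 Cloud token `AllowedPattern` on MemberAToken, `(.*)\s[aHR0cHM6Ly9](.+)`, is a character class rather than the literal prefix used by the first alternative, so it accepts any value that contains whitespace followed by one character from that set plus anything else, instead of a value whose second field begins with `aHR0cHM6Ly9` (base64 of `https://`); the intended form is presumably `AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\saHR0cHM6Ly9(.+)|^$)'`. MemberBToken repeats the same pattern, and GatewayMaintenancePasswordHash's `'[\$\./a-zA-Z0-9]*'` is the only pattern in the file without `^…$` anchors — CloudFormation documents AllowedPattern as matching the entire value, so the effect should be the same, but the inconsistency reads as if a partial match were intended. Separately, every NoEcho parameter here (SIC key, both password hashes, both tokens, the bootstrap script) is embedded in the member instances' UserData, which is only base64-encoded and readable by any principal allowed to describe the instance's user data, so NoEcho protects the console view only; the parameter descriptions should say so, e.g. `(NoEcho hides this value in the console only; it is delivered to the instance through user data)`. The all-protocol `0.0.0.0/0` ingress of `PermissiveSecurityGroup` is attached to the internal as well as the external interfaces, which is presumably intended for a firewall appliance whose own policy does the filtering, but that intent deserves a sentence in the `GroupDescription` rather than the bare "Permissive security group."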
DescriptionDirect Launch
+ Create an IAM role for Security Management Server
+ Creates an IAM role in your account preconfigured with permissions to manage resources.
+ For more details, refer to sk122074 . +
+ Current Check Point AMIs
+ A helper template that returns the latest Check Point AMIs in a given region. +
+
+
diff --git a/aws/templates/general/amis.yaml b/aws/templates/general/amis.yaml new file mode 100644 index 00000000..bd3bd833 --- /dev/null +++ b/aws/templates/general/amis.yaml 
@@ -0,0 +1,915 @@ +AWSTemplateFormatVersion: '2010-09-09' +Description: Returns a Check Point Amazon Machine ID (20211212) +Parameters: + Version: + Description: Security Gateway or Management Server version + Type: String + Default: R81.10-BYOL-GW + AllowedValues: + - BYOL + - PAYG + - R80 + - R77.30-BYOL + - R77.30-PAYG-NGTP + - R80.10-BYOL + - R80.10-PAYG-NGTP + - R80.10-PAYG-MGMT + - R80.10-BYOL-GW + - R80.10-PAYG-NGTP-GW + - R80.10-PAYG-NGTX-GW + - R80.20-BYOL-MGMT + - R80.20-PAYG-MGMT + - R80.20-BYOL-GW + - R80.20-PAYG-NGTP-GW + - R80.20-PAYG-NGTX-GW + - R80.30-BYOL-MGMT + - R80.30-PAYG-MGMT + - R80.30-BYOL-GW + - R80.30-PAYG-NGTP-GW + - R80.30-PAYG-NGTX-GW + - R80.40-PAYG-NGTP + - R80.40-BYOL-MGMT + - R80.40-PAYG-MGMT + - R80.40-BYOL-GW + - R80.40-PAYG-NGTP-GW + - R80.40-PAYG-NGTX-GW + - R81-PAYG-NGTP + - R81-BYOL-MGMT + - R81-PAYG-MGMT + - R81-BYOL-GW + - R81-PAYG-NGTP-GW + - R81-PAYG-NGTX-GW + - R81.10-PAYG-NGTP + - R81.10-BYOL-MGMT + - R81.10-PAYG-MGMT + - R81.10-BYOL-GW + - R81.10-PAYG-NGTP-GW + - R81.10-PAYG-NGTX-GW +Mappings: + ConverterMap: + BYOL: + Value: R7730BYOL + PAYG: + Value: R7730PAYGNGTP + R77.30-BYOL: + Value: R7730BYOL + R77.30-PAYG-NGTP: + Value: R7730PAYGNGTP + R80: + Value: R80 + R80.10-BYOL: + Value: R8010BYOL + R80.10-PAYG-NGTP: + Value: R8010PAYGNGTP + R80.10-PAYG-MGMT: + Value: R8010PAYGMGMT + R80.10-BYOL-GW: + Value: R8010BYOLGW + R80.10-PAYG-NGTP-GW: + Value: R8010PAYGNGTPGW + R80.10-PAYG-NGTX-GW: + Value: R8010PAYGNGTXGW + R80.20-BYOL-MGMT: + Value: R8020BYOLMGMT + R80.20-PAYG-MGMT: + Value: R8020PAYGMGMT + R80.20-BYOL-GW: + Value: R8020BYOLGW + R80.20-PAYG-NGTP-GW: + Value: R8020PAYGNGTPGW + R80.20-PAYG-NGTX-GW: + Value: R8020PAYGNGTXGW + R80.30-BYOL-MGMT: + Value: R8030BYOLMGMT + R80.30-PAYG-MGMT: + Value: R8030PAYGMGMT + R80.30-BYOL-GW: + Value: R8030BYOLGW + R80.30-PAYG-NGTP-GW: + Value: R8030PAYGNGTPGW + R80.30-PAYG-NGTX-GW: + Value: R8030PAYGNGTXGW + R80.40-PAYG-NGTP: + Value: R8040PAYGNGTP + R80.40-BYOL-MGMT: + Value: 
R8040BYOLMGMT + R80.40-PAYG-MGMT: + Value: R8040PAYGMGMT + R80.40-BYOL-GW: + Value: R8040BYOLGW + R80.40-PAYG-NGTP-GW: + Value: R8040PAYGNGTPGW + R80.40-PAYG-NGTX-GW: + Value: R8040PAYGNGTXGW + R81-PAYG-NGTP: + Value: R81PAYGNGTP + R81-BYOL-MGMT: + Value: R81BYOLMGMT + R81-PAYG-MGMT: + Value: R81PAYGMGMT + R81-BYOL-GW: + Value: R81BYOLGW + R81-PAYG-NGTP-GW: + Value: R81PAYGNGTPGW + R81-PAYG-NGTX-GW: + Value: R81PAYGNGTXGW + R81.10-PAYG-NGTP: + Value: R8110PAYGNGTP + R81.10-BYOL-MGMT: + Value: R8110BYOLMGMT + R81.10-PAYG-MGMT: + Value: R8110PAYGMGMT + R81.10-BYOL-GW: + Value: R8110BYOLGW + R81.10-PAYG-NGTP-GW: + Value: R8110PAYGNGTPGW + R81.10-PAYG-NGTX-GW: + Value: R8110PAYGNGTXGW + RegionMap: + af-south-1: + R8030BYOLGW: ami-03af0e13c4ef52af0 + R8030BYOLMGMT: ami-0878d191130b438b8 + R8030PAYGMGMT: ami-084cc07760fdf3661 + R8030PAYGNGTPGW: ami-0abbe0a796322f47b + R8030PAYGNGTXGW: ami-0f1e5dc1dd05952fe + R8040BYOLGW: ami-0b722a57c402895db + R8040BYOLMGMT: ami-0841f5aed2d637bca + R8040PAYGMGMT: ami-027fbb6429155a5a2 + R8040PAYGNGTP: ami-0de82fe9b5d9212a7 + R8040PAYGNGTPGW: ami-0df93235cb8356c71 + R8040PAYGNGTXGW: ami-07dde32d9e2583902 + R8110BYOLGW: ami-02ea93d096df66a1e + R8110BYOLMGMT: ami-0b17daa9dfb81932e + R8110PAYGMGMT: ami-0b1e138e3f28d2741 + R8110PAYGNGTP: ami-0d9cc6c53e32a7993 + R8110PAYGNGTPGW: ami-0e0ea459f8809c0f8 + R8110PAYGNGTXGW: ami-0b3bf34bb4cc98f7a + R81BYOLGW: ami-0d608e9a55af43b14 + R81BYOLMGMT: ami-05e4f33f1f4f5980b + R81PAYGMGMT: ami-09826060728c2dd20 + R81PAYGNGTP: ami-0ae8bc19770eb9318 + R81PAYGNGTPGW: ami-08d2f92d2e494d09c + R81PAYGNGTXGW: ami-0ece2b66ace15fc73 + ap-east-1: + R8020BYOLGW: ami-de9be2af + R8020BYOLMGMT: ami-e3067d92 + R8020PAYGMGMT: ami-ee057e9f + R8020PAYGNGTPGW: ami-fc94ed8d + R8020PAYGNGTXGW: ami-5f443c2e + R8030BYOLGW: ami-0e7a79dcfdb34b21f + R8030BYOLMGMT: ami-0ddc119eedf4ad071 + R8030PAYGMGMT: ami-05dcd50979140f7e1 + R8030PAYGNGTPGW: ami-0aa9e5c4d92ba1240 + R8030PAYGNGTXGW: ami-04e3451134ccb2e26 + R8040BYOLGW: 
ami-006e36addf78026b9 + R8040BYOLMGMT: ami-03f1429f8fe15a6d0 + R8040PAYGMGMT: ami-09aad7825e4cf9984 + R8040PAYGNGTP: ami-036d3215f14b5718d + R8040PAYGNGTPGW: ami-0f6ab2c88f1a75df8 + R8040PAYGNGTXGW: ami-09573df975d8670f4 + R8110BYOLGW: ami-0edcc40517f40e403 + R8110BYOLMGMT: ami-0b14934c8573d930a + R8110PAYGMGMT: ami-0c1184517cfd96142 + R8110PAYGNGTP: ami-03880aad4b38db61f + R8110PAYGNGTPGW: ami-03b3418800bf690a1 + R8110PAYGNGTXGW: ami-098c38485679d798b + R81BYOLGW: ami-0b3f9ba1975e21b71 + R81BYOLMGMT: ami-08ca394f0eca95d8c + R81PAYGMGMT: ami-07ae3a976760167f1 + R81PAYGNGTP: ami-0832f4c1f50aab8e8 + R81PAYGNGTPGW: ami-0c97a829e15d5abef + R81PAYGNGTXGW: ami-0b51df5d83f1f0df7 + ap-northeast-1: + R7730BYOL: ami-62dea804 + R7730PAYGNGTP: ami-16dfa970 + R80: ami-baccb2dd + R8010BYOL: ami-03b171c04f1a2b667 + R8010BYOLGW: ami-01733527b6ed34b77 + R8010PAYGMGMT: ami-089f2a71639b800da + R8010PAYGNGTP: ami-009b7d100548b52d7 + R8010PAYGNGTPGW: ami-022b5fbf3b014333a + R8010PAYGNGTXGW: ami-07533055a2d3d7c9e + R8020BYOLGW: ami-04c278979cdcde217 + R8020BYOLMGMT: ami-0f17b285accca6862 + R8020PAYGMGMT: ami-0ad39d1aada8aa0c7 + R8020PAYGNGTPGW: ami-08c2fbdbe73946ff2 + R8020PAYGNGTXGW: ami-0314cd1c93e71d931 + R8030BYOLGW: ami-0baa10c7e12142d6a + R8030BYOLMGMT: ami-039628b16ebd96076 + R8030PAYGMGMT: ami-0325f629deba2005d + R8030PAYGNGTPGW: ami-0b6010e142d4ab70e + R8030PAYGNGTXGW: ami-0ec559ca316eb2f83 + R8040BYOLGW: ami-094062bcb4dab8cc0 + R8040BYOLMGMT: ami-0a444eda520768e41 + R8040PAYGMGMT: ami-0906a2bc4a85e0a13 + R8040PAYGNGTP: ami-04d2676b1e71e8a88 + R8040PAYGNGTPGW: ami-0b36510632878236e + R8040PAYGNGTXGW: ami-0ba537b6674ba611b + R8110BYOLGW: ami-0c75ce281bb868a7a + R8110BYOLMGMT: ami-083f8bde2db27d7cc + R8110PAYGMGMT: ami-0a35ea9836259ccc9 + R8110PAYGNGTP: ami-092eb4506998b13a1 + R8110PAYGNGTPGW: ami-0b7574f386f46f351 + R8110PAYGNGTXGW: ami-044a10f3c57f840b8 + R81BYOLGW: ami-051a44f3e6052f590 + R81BYOLMGMT: ami-00915b46b649664e9 + R81PAYGMGMT: ami-08e00074b1ca97206 + R81PAYGNGTP: 
ami-031aadfb6aacf577c + R81PAYGNGTPGW: ami-062d4bb88963b8f1d + R81PAYGNGTXGW: ami-0a510d5041fc8887b + ap-northeast-2: + R7730BYOL: ami-e5b1138b + R7730PAYGNGTP: ami-74b6141a + R80: ami-d3d302bd + R8010BYOL: ami-07861c833126ee7d3 + R8010BYOLGW: ami-00c10f7a335270f92 + R8010PAYGMGMT: ami-00a975c02fe778029 + R8010PAYGNGTP: ami-07d71e25ae8c42424 + R8010PAYGNGTPGW: ami-0a375565bb42bf9a6 + R8010PAYGNGTXGW: ami-00617bdd53d331eb4 + R8020BYOLGW: ami-097c7847403a3920f + R8020BYOLMGMT: ami-076736817cfbcd7c1 + R8020PAYGMGMT: ami-067a469f8d4bf291e + R8020PAYGNGTPGW: ami-0d2c45ce8157240ec + R8020PAYGNGTXGW: ami-04c9b29e62efbfa55 + R8030BYOLGW: ami-030c8cc568b1900db + R8030BYOLMGMT: ami-018baaa632f91cd8b + R8030PAYGMGMT: ami-0a63498f1aa49672e + R8030PAYGNGTPGW: ami-0486b0f96466ad215 + R8030PAYGNGTXGW: ami-017bc94a3e5416857 + R8040BYOLGW: ami-032176aff103778eb + R8040BYOLMGMT: ami-0138ead19c026f65c + R8040PAYGMGMT: ami-07302dd5572efdfc4 + R8040PAYGNGTP: ami-0319a1e03b1dfd6e5 + R8040PAYGNGTPGW: ami-024dbc3fd51e4b8ea + R8040PAYGNGTXGW: ami-0b715c8b68b798034 + R8110BYOLGW: ami-01b7bbd71ba2b072c + R8110BYOLMGMT: ami-03252124476deab9c + R8110PAYGMGMT: ami-0fb1ff7bccd89f976 + R8110PAYGNGTP: ami-08cb4bb054ced809b + R8110PAYGNGTPGW: ami-0f2f3b4489a03cfe9 + R8110PAYGNGTXGW: ami-0e5fc77ffe7d9d58e + R81BYOLGW: ami-00ed25702180b8842 + R81BYOLMGMT: ami-0cad014d84f076dfa + R81PAYGMGMT: ami-062316a77d8c3b8fd + R81PAYGNGTP: ami-01a04065eb10dd19d + R81PAYGNGTPGW: ami-00c11ac82e44c15fc + R81PAYGNGTXGW: ami-0613a2c7ec8fd6fdc + ap-northeast-3: + R8030BYOLGW: ami-0bd69e21a2c3fa214 + R8030BYOLMGMT: ami-066cbf5a9b72b348c + R8030PAYGMGMT: ami-07418824f5e711d1e + R8030PAYGNGTPGW: ami-0f4e515c0a7213995 + R8030PAYGNGTXGW: ami-0eabc25e39142662c + R8040BYOLGW: ami-05b2f228936560013 + R8040BYOLMGMT: ami-05b0aa65f503642e4 + R8040PAYGMGMT: ami-00127e01f45734c14 + R8040PAYGNGTP: ami-01d6c7a76383df85d + R8040PAYGNGTPGW: ami-0d95a38a0cbdf3645 + R8040PAYGNGTXGW: ami-0bf9331d722000bcd + R8110BYOLGW: 
ami-08548b821cfe1d351 + R8110BYOLMGMT: ami-051b08ab5fd0ae08e + R8110PAYGMGMT: ami-0569a418f5bef264b + R8110PAYGNGTP: ami-0a31b87f265f0f302 + R8110PAYGNGTPGW: ami-044134b1978f89842 + R8110PAYGNGTXGW: ami-058f377c27868969c + R81BYOLGW: ami-0f991b47f87d4ea49 + R81BYOLMGMT: ami-0097e6a80df53335c + R81PAYGMGMT: ami-09044a81932d0323f + R81PAYGNGTP: ami-01211212c98b5f87d + R81PAYGNGTPGW: ami-0acdce80f2cc5f96e + R81PAYGNGTXGW: ami-0990cfbb26be4fb9a + ap-south-1: + R7730BYOL: ami-ef104280 + R7730PAYGNGTP: ami-7412401b + R80: ami-54d7a13b + R8010BYOL: ami-0d70af9a3bf7ed166 + R8010BYOLGW: ami-005813656f2cc2109 + R8010PAYGMGMT: ami-0fc83d32e683d94f9 + R8010PAYGNGTP: ami-0ca38a5ab32a32402 + R8010PAYGNGTPGW: ami-0bdbc0c3c684b67da + R8010PAYGNGTXGW: ami-028a56db679aae09d + R8020BYOLGW: ami-04cadb01804793765 + R8020BYOLMGMT: ami-0373d39ed8e2a4547 + R8020PAYGMGMT: ami-08e59f7d8f19321c6 + R8020PAYGNGTPGW: ami-02624d5f00eeb282b + R8020PAYGNGTXGW: ami-036b79a31e0f7c8de + R8030BYOLGW: ami-0ba102ca3b3ece6fb + R8030BYOLMGMT: ami-0cfb57dfdd59176e9 + R8030PAYGMGMT: ami-029fdb9a3ce21a696 + R8030PAYGNGTPGW: ami-0281167f57d2c45d0 + R8030PAYGNGTXGW: ami-05b7128205d79d2b1 + R8040BYOLGW: ami-0daa614bc473454e8 + R8040BYOLMGMT: ami-02c4ce0de18c28067 + R8040PAYGMGMT: ami-0fc426b26027390d9 + R8040PAYGNGTP: ami-038ed08d18172138c + R8040PAYGNGTPGW: ami-0234b18cf63ecbe52 + R8040PAYGNGTXGW: ami-0d0d4f47aa8d3dab3 + R8110BYOLGW: ami-04410172c35fd9678 + R8110BYOLMGMT: ami-01f93cb97096b6f55 + R8110PAYGMGMT: ami-0b41e8f9a15db769f + R8110PAYGNGTP: ami-0480043e64ab1ed06 + R8110PAYGNGTPGW: ami-03b42ad050bdf0273 + R8110PAYGNGTXGW: ami-061efa414e3be09ac + R81BYOLGW: ami-0e01f76a7e99869f4 + R81BYOLMGMT: ami-02e7869a8e45be6da + R81PAYGMGMT: ami-0c18a5c4267c7faa1 + R81PAYGNGTP: ami-024893a43ba55f2e1 + R81PAYGNGTPGW: ami-02a622558079e1ae7 + R81PAYGNGTXGW: ami-052839dfcc5ed25d1 + ap-southeast-1: + R7730BYOL: ami-ecf8b990 + R7730PAYGNGTP: ami-95fbbae9 + R80: ami-4dd3792e + R8010BYOL: ami-07760a643c67c74e9 + 
R8010BYOLGW: ami-01df2f1c8a432f0bd + R8010PAYGMGMT: ami-095b04b5b63ea4abc + R8010PAYGNGTP: ami-0e726234e298325f8 + R8010PAYGNGTPGW: ami-023f0cf2bfc594e49 + R8010PAYGNGTXGW: ami-01899ce6a0aff8a62 + R8020BYOLGW: ami-077131e03ee155037 + R8020BYOLMGMT: ami-0aace42e71cc045a3 + R8020PAYGMGMT: ami-05fe62173e8a32170 + R8020PAYGNGTPGW: ami-0b465f9ba2e93f2eb + R8020PAYGNGTXGW: ami-07982feb9d5f02ab9 + R8030BYOLGW: ami-08a3e82440e058919 + R8030BYOLMGMT: ami-01efe7e8fe8e615cb + R8030PAYGMGMT: ami-065d880f3472eaf09 + R8030PAYGNGTPGW: ami-019d509bb164d4288 + R8030PAYGNGTXGW: ami-04f09f44342ca3dc0 + R8040BYOLGW: ami-0155db11f7ad84c17 + R8040BYOLMGMT: ami-085ec63e383296b71 + R8040PAYGMGMT: ami-0f3e9b8b75d81ada6 + R8040PAYGNGTP: ami-025e3836ec1b70932 + R8040PAYGNGTPGW: ami-0d34a3a2afa4c374f + R8040PAYGNGTXGW: ami-0d3b255ae35c2a587 + R8110BYOLGW: ami-031b7f0794d89b308 + R8110BYOLMGMT: ami-045bb128b10c86256 + R8110PAYGMGMT: ami-07c69f5dc41dd5179 + R8110PAYGNGTP: ami-0758258154b907b8c + R8110PAYGNGTPGW: ami-0dca2c0a6cb0c3d4e + R8110PAYGNGTXGW: ami-0e998a70357981080 + R81BYOLGW: ami-0e9e27a4084357f94 + R81BYOLMGMT: ami-0c7930970435d9eb7 + R81PAYGMGMT: ami-09969ebb367a585c6 + R81PAYGNGTP: ami-05e858d288a762c60 + R81PAYGNGTPGW: ami-0dab47829bf181d9a + R81PAYGNGTXGW: ami-0f7e09a0683f3803b + ap-southeast-2: + R7730BYOL: ami-e3728981 + R7730PAYGNGTP: ami-56778c34 + R80: ami-1a8d8979 + R8010BYOL: ami-057c1ce8ef1c5c545 + R8010BYOLGW: ami-03fe7ae0469b2be02 + R8010PAYGMGMT: ami-045e1a116c83c5b6c + R8010PAYGNGTP: ami-0aa3f436612fc8303 + R8010PAYGNGTPGW: ami-028638674c03bc856 + R8010PAYGNGTXGW: ami-0158539021dc0b3b6 + R8020BYOLGW: ami-0f4872cba7b3d8520 + R8020BYOLMGMT: ami-01315a5548051c5a9 + R8020PAYGMGMT: ami-0cb5a075174025ab6 + R8020PAYGNGTPGW: ami-00ccc52d9a39e8213 + R8020PAYGNGTXGW: ami-0f46b9f96931f3fd2 + R8030BYOLGW: ami-0a66cddf714abcb06 + R8030BYOLMGMT: ami-043fa31e4909cb774 + R8030PAYGMGMT: ami-01ebceb26a5f96b64 + R8030PAYGNGTPGW: ami-01ac4c817f522742f + R8030PAYGNGTXGW: 
ami-0ee7e08cb3e411862 + R8040BYOLGW: ami-0f9992f519edd8622 + R8040BYOLMGMT: ami-09563abb4e6ca2c2b + R8040PAYGMGMT: ami-094fd3ae1bac73f89 + R8040PAYGNGTP: ami-066b84b7ee7a3ac5c + R8040PAYGNGTPGW: ami-08680ca28120e95b2 + R8040PAYGNGTXGW: ami-0c5e5d03d92a61044 + R8110BYOLGW: ami-07a177a53e3237fa3 + R8110BYOLMGMT: ami-01d8e8958d9f5d9c1 + R8110PAYGMGMT: ami-03a3d8289487d8bf0 + R8110PAYGNGTP: ami-0769e1512bf08b7d4 + R8110PAYGNGTPGW: ami-0ad8de5f3f9542c1a + R8110PAYGNGTXGW: ami-065f0ab151a5f439b + R81BYOLGW: ami-0d14873e1dd7fca1f + R81BYOLMGMT: ami-09a07c2845bdd1e21 + R81PAYGMGMT: ami-0a1a9ae35d53d4d95 + R81PAYGNGTP: ami-0d58088decdfe42c1 + R81PAYGNGTPGW: ami-0d249a36533a5711b + R81PAYGNGTXGW: ami-07b22b64d1ffee34f + ca-central-1: + R7730BYOL: ami-4faa2e2b + R7730PAYGNGTP: ami-5ea82c3a + R80: ami-09ec516d + R8010BYOL: ami-088b18e35373a7f00 + R8010BYOLGW: ami-004f7b86744ca27ac + R8010PAYGMGMT: ami-0639bf109ec7eea53 + R8010PAYGNGTP: ami-03dd17eaeffc101a5 + R8010PAYGNGTPGW: ami-0386853b322be7389 + R8010PAYGNGTXGW: ami-0b6aca50c60adc5f3 + R8020BYOLGW: ami-0fa35bf3cbb283cc9 + R8020BYOLMGMT: ami-025d9f859062b9e23 + R8020PAYGMGMT: ami-037991f7332217dcd + R8020PAYGNGTPGW: ami-068837ad2434bbff6 + R8020PAYGNGTXGW: ami-00e1cdc4afa3cc45d + R8030BYOLGW: ami-003becb34e252f67a + R8030BYOLMGMT: ami-0e278a92f273fc18c + R8030PAYGMGMT: ami-08f5829bd83489e3e + R8030PAYGNGTPGW: ami-03fc40c7bfdcab1c3 + R8030PAYGNGTXGW: ami-097dea5c130823562 + R8040BYOLGW: ami-05313c79b6d30fb39 + R8040BYOLMGMT: ami-0031b0c17b9125fb8 + R8040PAYGMGMT: ami-0511998dee05d0c9a + R8040PAYGNGTP: ami-0871962466b8a5a51 + R8040PAYGNGTPGW: ami-063d657a7212ae300 + R8040PAYGNGTXGW: ami-0ead7d67e4f5f2381 + R8110BYOLGW: ami-0457f615ae8f850a1 + R8110BYOLMGMT: ami-01c246da1dfd702ca + R8110PAYGMGMT: ami-03385bbba3bf1f6d0 + R8110PAYGNGTP: ami-05e80af4effb8bc0a + R8110PAYGNGTPGW: ami-01ebb32b1bec3d943 + R8110PAYGNGTXGW: ami-0df8a5610363ccf00 + R81BYOLGW: ami-0835b73dfce287bbc + R81BYOLMGMT: ami-00c1c8bbec305d13d + R81PAYGMGMT: 
ami-09364e355a9f699eb + R81PAYGNGTP: ami-0c9dc29bee4d535e9 + R81PAYGNGTPGW: ami-08ea9297f04c33c6e + R81PAYGNGTXGW: ami-0556b84ce43d25eae + eu-central-1: + R7730BYOL: ami-98f397f7 + R7730PAYGNGTP: ami-a1f195ce + R80: ami-1cb77873 + R8010BYOL: ami-0408826efa12e9aa8 + R8010BYOLGW: ami-08909417a335f2cc6 + R8010PAYGMGMT: ami-01d678ffb4f4cbced + R8010PAYGNGTP: ami-065126c92c0fbb5c4 + R8010PAYGNGTPGW: ami-0613f0114c9ba42f1 + R8010PAYGNGTXGW: ami-0096fb48b37a4eb59 + R8020BYOLGW: ami-05c1cd8fcc05d02b9 + R8020BYOLMGMT: ami-0d35e44e22e1efbbc + R8020PAYGMGMT: ami-0d7166fcb095f0bcc + R8020PAYGNGTPGW: ami-00400189047c609d0 + R8020PAYGNGTXGW: ami-0e0f11dd7f27ae927 + R8030BYOLGW: ami-0868e270693016bff + R8030BYOLMGMT: ami-07fea8b7f7a20109e + R8030PAYGMGMT: ami-08622043d6ded1e73 + R8030PAYGNGTPGW: ami-092d6d417212f00f4 + R8030PAYGNGTXGW: ami-0fb7b15a4209025b2 + R8040BYOLGW: ami-0855a673a7851cfd8 + R8040BYOLMGMT: ami-02d56f4858b97006a + R8040PAYGMGMT: ami-0c07596fb04d06615 + R8040PAYGNGTP: ami-0fd4c287a100e5154 + R8040PAYGNGTPGW: ami-0da7ec09e4914e0b5 + R8040PAYGNGTXGW: ami-0a9eca0d6cfc9a435 + R8110BYOLGW: ami-055a6317fb9047379 + R8110BYOLMGMT: ami-0a578b3bb366567c2 + R8110PAYGMGMT: ami-068718d593d49d052 + R8110PAYGNGTP: ami-05c17b5cc05d68745 + R8110PAYGNGTPGW: ami-0e0a21ef6f5da6411 + R8110PAYGNGTXGW: ami-0deb975082e100670 + R81BYOLGW: ami-0aeb92f140fe36d7b + R81BYOLMGMT: ami-0f5e71cc274362538 + R81PAYGMGMT: ami-044d2fca4574bc93d + R81PAYGNGTP: ami-0c9ee5867b1bad025 + R81PAYGNGTPGW: ami-0f36e6aed64a1b6a0 + R81PAYGNGTXGW: ami-034d41e17d6013377 + eu-north-1: + R8020BYOLGW: ami-b2b03ecc + R8020BYOLMGMT: ami-b4cf44ca + R8020PAYGMGMT: ami-b4c843ca + R8020PAYGNGTPGW: ami-34b13f4a + R8020PAYGNGTXGW: ami-66ec6418 + R8030BYOLGW: ami-0816a2896171bbb38 + R8030BYOLMGMT: ami-0c33f93d2c5a7685b + R8030PAYGMGMT: ami-083fd7c7de13b067f + R8030PAYGNGTPGW: ami-0db2ad56f0a8cf8da + R8030PAYGNGTXGW: ami-0842095fc68703677 + R8040BYOLGW: ami-02740e516f96ece83 + R8040BYOLMGMT: ami-09d208d0a88dbe462 + 
R8040PAYGMGMT: ami-050be078a0fa63335 + R8040PAYGNGTP: ami-0aa468ef4fecab848 + R8040PAYGNGTPGW: ami-00b70b7e2d05cc149 + R8040PAYGNGTXGW: ami-015b058b058156900 + R8110BYOLGW: ami-08dd0f9d65a063cde + R8110BYOLMGMT: ami-054ec01dfc0ad7535 + R8110PAYGMGMT: ami-0472926c7b42e41bf + R8110PAYGNGTP: ami-04dc222edf7549957 + R8110PAYGNGTPGW: ami-0ae7e62c14c5d8e3c + R8110PAYGNGTXGW: ami-008aa1284773c4674 + R81BYOLGW: ami-0c5876920fea1437c + R81BYOLMGMT: ami-0123aaa0e57bbf717 + R81PAYGMGMT: ami-0f5b03c0ae5424752 + R81PAYGNGTP: ami-08178122a9dc108f7 + R81PAYGNGTPGW: ami-0f0a64c683931f061 + R81PAYGNGTXGW: ami-0ef26b4e8e9603cab + eu-south-1: + R8030BYOLGW: ami-0f6ea5a3ecd690516 + R8030BYOLMGMT: ami-0513a62780606c2b7 + R8030PAYGMGMT: ami-0f91fa9d0000e6ecb + R8030PAYGNGTPGW: ami-00a307e402c74bfa6 + R8030PAYGNGTXGW: ami-08c752aa84df99b8b + R8040BYOLGW: ami-0cdec9d8d3c343ded + R8040BYOLMGMT: ami-0e2b5308c9d3c9711 + R8040PAYGMGMT: ami-0bff34e6245603903 + R8040PAYGNGTP: ami-060b71dfc4cb80a73 + R8040PAYGNGTPGW: ami-0832ec87cb1e3f07d + R8040PAYGNGTXGW: ami-0ac2c78aa3edb83ae + R8110BYOLGW: ami-083744fddd654e487 + R8110BYOLMGMT: ami-0d526cc274b3384b7 + R8110PAYGMGMT: ami-0b4b35f666b3e20cf + R8110PAYGNGTP: ami-031199fb24a9d8361 + R8110PAYGNGTPGW: ami-0e7aedc192fb693a3 + R8110PAYGNGTXGW: ami-0477ae2d12c77ad70 + R81BYOLGW: ami-06ad92019911a3212 + R81BYOLMGMT: ami-09ec9482f4a30da1a + R81PAYGMGMT: ami-021d560084aac2532 + R81PAYGNGTP: ami-00f4c8a8c323859f5 + R81PAYGNGTPGW: ami-095e9af13d0c973ac + R81PAYGNGTXGW: ami-00ba54000e62a2ce8 + eu-west-1: + R7730BYOL: ami-0d610a74 + R7730PAYGNGTP: ami-0f600b76 + R80: ami-7c66510f + R8010BYOL: ami-0afd8ac581c0910ba + R8010BYOLGW: ami-09dc5e32b9dfc0579 + R8010PAYGMGMT: ami-0bc54382eefa16887 + R8010PAYGNGTP: ami-08114474e1a2eeb8a + R8010PAYGNGTPGW: ami-029e2439e1e2776ae + R8010PAYGNGTXGW: ami-0f30ab8d92b94ddb9 + R8020BYOLGW: ami-0f33541dab1ed55a3 + R8020BYOLMGMT: ami-0ac513a63e08647e6 + R8020PAYGMGMT: ami-012f09b535dabef2b + R8020PAYGNGTPGW: 
ami-000e62e5fab54198d + R8020PAYGNGTXGW: ami-0505fe24955ed29ea + R8030BYOLGW: ami-0701d32fd9db6b5b9 + R8030BYOLMGMT: ami-0cc64c5d8138a1b8e + R8030PAYGMGMT: ami-0b82b9e18b3e6f90c + R8030PAYGNGTPGW: ami-09ae59bb48e8d164d + R8030PAYGNGTXGW: ami-0f29a9e7513326b97 + R8040BYOLGW: ami-03da5e7684e334493 + R8040BYOLMGMT: ami-0ef7a4188bd04d498 + R8040PAYGMGMT: ami-0c08a90bcb2c0be3a + R8040PAYGNGTP: ami-074709d485f6bc7ec + R8040PAYGNGTPGW: ami-02ac1d55a1abacf85 + R8040PAYGNGTXGW: ami-09ce21bf6754bea02 + R8110BYOLGW: ami-07ed98090d847cc26 + R8110BYOLMGMT: ami-085bde5b02743e747 + R8110PAYGMGMT: ami-08374ce7537ffb39b + R8110PAYGNGTP: ami-0484f2a3a88751652 + R8110PAYGNGTPGW: ami-0e0790923e34e010b + R8110PAYGNGTXGW: ami-0b00364820a669886 + R81BYOLGW: ami-0aadac035dc0f2205 + R81BYOLMGMT: ami-0c41c52b0c4408240 + R81PAYGMGMT: ami-0dc9932fbecfe21a3 + R81PAYGNGTP: ami-0c9e08d5296655112 + R81PAYGNGTPGW: ami-0d91e6001ec249b73 + R81PAYGNGTXGW: ami-0e47038524a4cdf88 + eu-west-2: + R7730BYOL: ami-f1947196 + R7730PAYGNGTP: ami-5896733f + R80: ami-d49c96b0 + R8010BYOL: ami-037cbdfb453b16460 + R8010BYOLGW: ami-022a1b343943e2290 + R8010PAYGMGMT: ami-0a68722435a74b89a + R8010PAYGNGTP: ami-0bc5171032edd1240 + R8010PAYGNGTPGW: ami-05259824ddeb5cb0a + R8010PAYGNGTXGW: ami-070c6359481b8d365 + R8020BYOLGW: ami-0f646df97f3aca149 + R8020BYOLMGMT: ami-074e6a2e97c5d38e7 + R8020PAYGMGMT: ami-02aaa3e97e2ec504e + R8020PAYGNGTPGW: ami-09f1bda44f355ca32 + R8020PAYGNGTXGW: ami-00bfdd98ad57b4833 + R8030BYOLGW: ami-082007c24f226aa4e + R8030BYOLMGMT: ami-01f6f69a1301b3a67 + R8030PAYGMGMT: ami-0f96d688301d136b7 + R8030PAYGNGTPGW: ami-03362fc955bf0bb73 + R8030PAYGNGTXGW: ami-064750e60bf6e7176 + R8040BYOLGW: ami-0c97bd4fdb04eedb8 + R8040BYOLMGMT: ami-0aaba8b6227eed80f + R8040PAYGMGMT: ami-000d562ab106f8e8e + R8040PAYGNGTP: ami-0cbb495ad0c90d2f3 + R8040PAYGNGTPGW: ami-069ec73aa8655d3ce + R8040PAYGNGTXGW: ami-0b0da8b8647bf7261 + R8110BYOLGW: ami-0fbdb431d9207f894 + R8110BYOLMGMT: ami-0ea05e6685bbf246c + R8110PAYGMGMT: 
ami-0b5edaecd89a30b82 + R8110PAYGNGTP: ami-09bc49698e3856b4a + R8110PAYGNGTPGW: ami-00e840aed0ccf8830 + R8110PAYGNGTXGW: ami-0e7fea16089ca6a10 + R81BYOLGW: ami-014af5cbb8f08ef76 + R81BYOLMGMT: ami-081af5a6474747996 + R81PAYGMGMT: ami-0873651f596c5af79 + R81PAYGNGTP: ami-09a2e3c4de113eb63 + R81PAYGNGTPGW: ami-0cdce7d36370388eb + R81PAYGNGTXGW: ami-024dba915d3f488a5 + eu-west-3: + R8020BYOLGW: ami-0e3cf44775e0b27f3 + R8020BYOLMGMT: ami-0ab52dca5ee654c3d + R8020PAYGMGMT: ami-0cfafe191cd830615 + R8020PAYGNGTPGW: ami-0a984b71664d90df8 + R8020PAYGNGTXGW: ami-0c0ad90b14474144b + R8030BYOLGW: ami-0058d3a2fd9bbf331 + R8030BYOLMGMT: ami-0b698ba03b931ea4a + R8030PAYGMGMT: ami-0d7abb21c40c139f8 + R8030PAYGNGTPGW: ami-015409ae2b88cd570 + R8030PAYGNGTXGW: ami-0167b0ff3c9965ed9 + R8040BYOLGW: ami-0c6a225b2b71784e0 + R8040BYOLMGMT: ami-04a6f4836d98dfffb + R8040PAYGMGMT: ami-02db135d2fa15c2ed + R8040PAYGNGTP: ami-08b683f8ec3df7cb5 + R8040PAYGNGTPGW: ami-085aeef1012ed1fde + R8040PAYGNGTXGW: ami-04adcc0f685b2a479 + R8110BYOLGW: ami-0b5636b102723d564 + R8110BYOLMGMT: ami-0616bad63e08c09b4 + R8110PAYGMGMT: ami-0cd642e130fb7b36c + R8110PAYGNGTP: ami-03d3dfad3a0507f0b + R8110PAYGNGTPGW: ami-03905701ed8a809bb + R8110PAYGNGTXGW: ami-079ea6ebbaab9c655 + R81BYOLGW: ami-04891a02af063a69c + R81BYOLMGMT: ami-0abae9ef622c81ce8 + R81PAYGMGMT: ami-075f8df13b3b8585d + R81PAYGNGTP: ami-05026a3694a8fea2f + R81PAYGNGTPGW: ami-0cde0d7793223781b + R81PAYGNGTXGW: ami-005b1b1a04545669d + me-south-1: + R8020BYOLGW: ami-0ced3e9c36e09eb77 + R8020BYOLMGMT: ami-05a7a580a372e9477 + R8030BYOLGW: ami-00ad6307498e44ef9 + R8030BYOLMGMT: ami-033a6660cacfc6031 + R8030PAYGMGMT: ami-0fab614028aba78da + R8030PAYGNGTPGW: ami-0e72ce61de66d2f77 + R8030PAYGNGTXGW: ami-040a8969a32e4c8fd + R8040BYOLGW: ami-0caca3f57055802fc + R8040BYOLMGMT: ami-0c5f3511b4b6775b3 + R8040PAYGMGMT: ami-0ac7336be75148e1c + R8040PAYGNGTP: ami-0414273614b637bc0 + R8040PAYGNGTPGW: ami-06c2b3f198dbafd4e + R8040PAYGNGTXGW: ami-0508c5354df7e53cb + 
R8110BYOLGW: ami-07e978b51867321c7 + R8110BYOLMGMT: ami-0633660ba7692f184 + R8110PAYGMGMT: ami-0bc1787aee83f0748 + R8110PAYGNGTP: ami-06adfd8f8f0954715 + R8110PAYGNGTPGW: ami-0f4d7b17ef77821df + R8110PAYGNGTXGW: ami-0c85339635434298b + R81BYOLGW: ami-0af48660d3165c57f + R81BYOLMGMT: ami-0f5415c537d0284aa + R81PAYGMGMT: ami-09b62c52acd3f9e61 + R81PAYGNGTP: ami-0b7a2a76014d38401 + R81PAYGNGTPGW: ami-04860faf1af991ef2 + R81PAYGNGTXGW: ami-0704114c9325bb4c1 + sa-east-1: + R7730BYOL: ami-465a142a + R7730PAYGNGTP: ami-145f1178 + R80: ami-902a4ffc + R8010BYOL: ami-07260e53cab503dba + R8010BYOLGW: ami-0eeacdb5e101d1cae + R8010PAYGMGMT: ami-0380f7acf92398c71 + R8010PAYGNGTP: ami-0ce6ae0b05edf700d + R8010PAYGNGTPGW: ami-0ab0b9d970bbc1999 + R8010PAYGNGTXGW: ami-07001708edf1a5d19 + R8020BYOLGW: ami-0770cd3dd2f8015b4 + R8020BYOLMGMT: ami-0954d03f5c4518a01 + R8020PAYGMGMT: ami-0a8f3a430cfc237bb + R8020PAYGNGTPGW: ami-02c6354520206a247 + R8020PAYGNGTXGW: ami-0de5ac9524daac7fa + R8030BYOLGW: ami-03a504b71a46c4969 + R8030BYOLMGMT: ami-04e0f3314ca1514e1 + R8030PAYGMGMT: ami-006e4dfec0a5c8400 + R8030PAYGNGTPGW: ami-0330aa745160cf710 + R8030PAYGNGTXGW: ami-0815ab34344057cff + R8040BYOLGW: ami-033f68a4773e50095 + R8040BYOLMGMT: ami-0206fc7a2f2a85e98 + R8040PAYGMGMT: ami-0278b17df7e8560a9 + R8040PAYGNGTP: ami-032f39036c0d6f0d9 + R8040PAYGNGTPGW: ami-0b965f729db8917d6 + R8040PAYGNGTXGW: ami-0fff9b5c847027203 + R8110BYOLGW: ami-0e2f9a46317b9d1d8 + R8110BYOLMGMT: ami-0506598a227058d4d + R8110PAYGMGMT: ami-09c4c6b27dcb0f089 + R8110PAYGNGTP: ami-06dd56f72f0dae01c + R8110PAYGNGTPGW: ami-05d6285e27ca9a12e + R8110PAYGNGTXGW: ami-0c5a33ccb2dbab1c8 + R81BYOLGW: ami-0b02761297e8cc184 + R81BYOLMGMT: ami-0aad379a2e76871c4 + R81PAYGMGMT: ami-05a8eaafd0086dd30 + R81PAYGNGTP: ami-0aabf7d0c4e06f558 + R81PAYGNGTPGW: ami-04b8196cc52d9cc77 + R81PAYGNGTXGW: ami-031af8b5efac7a855 + us-east-1: + R7730BYOL: ami-a5e7ecdf + R7730PAYGNGTP: ami-38e3e842 + R80: ami-a66981b0 + R8010BYOL: ami-0440ee050d3e88cfb + 
R8010BYOLGW: ami-0124c88f4fdd536ad + R8010PAYGMGMT: ami-08eade031a29d7baa + R8010PAYGNGTP: ami-091e783ea2c3140f5 + R8010PAYGNGTPGW: ami-020c71af2189ed276 + R8010PAYGNGTXGW: ami-0b57721fd1acec863 + R8020BYOLGW: ami-0a6b1e46c8f177855 + R8020BYOLMGMT: ami-0ea21bf4cc69253ba + R8020PAYGMGMT: ami-01fb6697db4809fb2 + R8020PAYGNGTPGW: ami-0a3134e64a8bf4a72 + R8020PAYGNGTXGW: ami-00a8424868cdd4279 + R8030BYOLGW: ami-03170775e3dcdc0fd + R8030BYOLMGMT: ami-0f4efe815a0d05ada + R8030PAYGMGMT: ami-07cf15e8e47c0b63f + R8030PAYGNGTPGW: ami-0ba0d6dc0ee67d195 + R8030PAYGNGTXGW: ami-06a91bdda557b2154 + R8040BYOLGW: ami-0ff245803cb655372 + R8040BYOLMGMT: ami-03c9ca61805b44229 + R8040PAYGMGMT: ami-06f4b914d5d4126e7 + R8040PAYGNGTP: ami-0b7a1ca7f5ee3f0e6 + R8040PAYGNGTPGW: ami-0eff7e741b2b1dcbd + R8040PAYGNGTXGW: ami-049ac6bede4e97a69 + R8110BYOLGW: ami-007424b2d44c31736 + R8110BYOLMGMT: ami-0ac445e19e4e78df8 + R8110PAYGMGMT: ami-0084c0d044ae2f224 + R8110PAYGNGTP: ami-0a87db56a71c29734 + R8110PAYGNGTPGW: ami-07446fd99ed3ad3c6 + R8110PAYGNGTXGW: ami-0b793df740544b65a + R81BYOLGW: ami-03174299fab6da85a + R81BYOLMGMT: ami-02266130eb2e8d7b3 + R81PAYGMGMT: ami-096757964d178972a + R81PAYGNGTP: ami-0b6be36b68c920621 + R81PAYGNGTPGW: ami-0b5e54d90f2650c87 + R81PAYGNGTXGW: ami-06640d255ed8de0d1 + us-east-2: + R7730BYOL: ami-da6652bf + R7730PAYGNGTP: ami-7d675318 + R80: ami-5840653d + R8010BYOL: ami-0a10586bafc475f7d + R8010BYOLGW: ami-05cfbd1548bc51b40 + R8010PAYGMGMT: ami-08627e9d094884b6d + R8010PAYGNGTP: ami-0d304c8b8895df14b + R8010PAYGNGTPGW: ami-0c6ed3eef7fc48b59 + R8010PAYGNGTXGW: ami-0f9e87edcb3adeb6b + R8020BYOLGW: ami-07adfc0ccbd419b8d + R8020BYOLMGMT: ami-013d31a41cbace161 + R8020PAYGMGMT: ami-0578aad5c8d5e117d + R8020PAYGNGTPGW: ami-0fe9baf33b2fc46c7 + R8020PAYGNGTXGW: ami-034eb4193422cd09e + R8030BYOLGW: ami-0fccb40ef3e1bb986 + R8030BYOLMGMT: ami-0df45405c19402db5 + R8030PAYGMGMT: ami-02c0eb86c1cfda2d8 + R8030PAYGNGTPGW: ami-07be19e9bff005ddd + R8030PAYGNGTXGW: ami-023346b8d18cfe326 
+ R8040BYOLGW: ami-076d9e0f09a5b4c9d + R8040BYOLMGMT: ami-088a4cb03ab6615c5 + R8040PAYGMGMT: ami-0399edc966bc550f4 + R8040PAYGNGTP: ami-045500ebd9f70e687 + R8040PAYGNGTPGW: ami-0c6a8b8dda122a2d3 + R8040PAYGNGTXGW: ami-06bb92cd6f1f4bee8 + R8110BYOLGW: ami-0fe85e5c21e91ea44 + R8110BYOLMGMT: ami-039ffa22f6cb700fa + R8110PAYGMGMT: ami-0ff42bfcd43b9ebb1 + R8110PAYGNGTP: ami-0ca516c6fe13248e3 + R8110PAYGNGTPGW: ami-053d15df7035bffa9 + R8110PAYGNGTXGW: ami-03a8882e7e9268d53 + R81BYOLGW: ami-0e584963b2a998078 + R81BYOLMGMT: ami-0ab75994f0ad3d853 + R81PAYGMGMT: ami-050116f25c888713a + R81PAYGNGTP: ami-0b7f832d76085989e + R81PAYGNGTPGW: ami-01937447a0b671fb5 + R81PAYGNGTXGW: ami-020f075b90d4f31d2 + us-gov-east-1: + R8030BYOLGW: ami-020c3c10069e62316 + R8030BYOLMGMT: ami-02d527d37a8dd2f4e + R8030PAYGMGMT: ami-0a96048bd5acaf6e5 + R8030PAYGNGTPGW: ami-0a306691000515541 + R8030PAYGNGTXGW: ami-04a8ac3953a87499d + R8040BYOLGW: ami-047323d40ba898e21 + R8040BYOLMGMT: ami-086027b27b8a71892 + R8040PAYGMGMT: ami-0573429d8bf258f54 + R8040PAYGNGTP: ami-0479eafce15f392bc + R8040PAYGNGTPGW: ami-0bd921beeade72e91 + R8040PAYGNGTXGW: ami-0c2e611e2839d1a17 + R8110BYOLGW: ami-0dc68b66fb044298c + R8110BYOLMGMT: ami-04255be5c30842cee + R8110PAYGMGMT: ami-0980da9a23280d97d + R8110PAYGNGTP: ami-0d7012d3c5fdafdef + R8110PAYGNGTPGW: ami-0e9ded98fd1e23249 + R8110PAYGNGTXGW: ami-0ba0db07e14d72e65 + R81BYOLGW: ami-025e652ae7a7cf7ed + R81BYOLMGMT: ami-04255be5c30842cee + R81PAYGMGMT: ami-0a2db3233a27664e6 + R81PAYGNGTP: ami-0a3f74786a48358b8 + R81PAYGNGTPGW: ami-07b7c0602db8a843b + R81PAYGNGTXGW: ami-07446d49da0e508ad + us-gov-west-1: + R7730BYOL: ami-185dcb79 + R7730PAYGNGTP: ami-7c5cca1d + R80: ami-0b269d6a + R8010BYOL: ami-30851351 + R8010BYOLGW: ami-ed0f768c + R8010PAYGMGMT: ami-1b6f1f7a + R8010PAYGNGTP: ami-505cc231 + R8010PAYGNGTPGW: ami-090b7268 + R8010PAYGNGTXGW: ami-170d7476 + R8020BYOLGW: ami-1091f071 + R8020BYOLMGMT: ami-56e09a37 + R8020PAYGMGMT: ami-53e09a32 + R8020PAYGNGTPGW: ami-6693f207 + 
R8020PAYGNGTXGW: ami-1d74057c + R8030BYOLGW: ami-03ae5602e1eae6d32 + R8030BYOLMGMT: ami-0ad54e22c27a1692b + R8030PAYGMGMT: ami-0ba31a7758fd39c6d + R8030PAYGNGTPGW: ami-046a9871517b40485 + R8030PAYGNGTXGW: ami-05b079f04f0c20cb6 + R8040BYOLGW: ami-008501303b3e3f1f4 + R8040BYOLMGMT: ami-02af4fc9a4ab553e5 + R8040PAYGMGMT: ami-0763ecd1d1f92502b + R8040PAYGNGTP: ami-0e5a19ff2e6c723f7 + R8040PAYGNGTPGW: ami-055a35ab40c835338 + R8040PAYGNGTXGW: ami-0bb56cbc6a73f21fe + R8110BYOLGW: ami-0668982ff6606bb2f + R8110BYOLMGMT: ami-05f01726f897d5577 + R8110PAYGMGMT: ami-005a191a34c1e6681 + R8110PAYGNGTP: ami-0b22deca697af2647 + R8110PAYGNGTPGW: ami-031a5e8b5bfd6dc0f + R8110PAYGNGTXGW: ami-0c88eeb20a7eb0794 + R81BYOLGW: ami-007a9c4211a366b44 + R81BYOLMGMT: ami-05f01726f897d5577 + R81PAYGMGMT: ami-01bb8e4cef6359f8a + R81PAYGNGTP: ami-0946ef6884986e797 + R81PAYGNGTPGW: ami-03ed83cf79d74e3df + R81PAYGNGTXGW: ami-0d3fbf8119e88de82 + us-west-1: + R7730BYOL: ami-9a7779fa + R7730PAYGNGTP: ami-e9747a89 + R80: ami-6b04560b + R8010BYOL: ami-05638ae2b353d70af + R8010BYOLGW: ami-080e8737fb2e85e8c + R8010PAYGMGMT: ami-0c573cf5a90e27c95 + R8010PAYGNGTP: ami-0f859106e82110b41 + R8010PAYGNGTPGW: ami-0c0537945b239e780 + R8010PAYGNGTXGW: ami-054574dbcc5435088 + R8020BYOLGW: ami-0ec9959052929d301 + R8020BYOLMGMT: ami-0e9c3d76490288937 + R8020PAYGMGMT: ami-056da473b095447b3 + R8020PAYGNGTPGW: ami-066b154d2f9ac76dd + R8020PAYGNGTXGW: ami-034edfbdac10ba48a + R8030BYOLGW: ami-0f3d85f20b1e729e5 + R8030BYOLMGMT: ami-00c5c9257bb3abaab + R8030PAYGMGMT: ami-02a9479ed8f0e241e + R8030PAYGNGTPGW: ami-05db4ed60ed6d2ae2 + R8030PAYGNGTXGW: ami-084308058e95353ff + R8040BYOLGW: ami-06f0ec3aafb884e27 + R8040BYOLMGMT: ami-068afdebed6e687e0 + R8040PAYGMGMT: ami-050ee2a472c36293d + R8040PAYGNGTP: ami-0725b90f5b6749cb3 + R8040PAYGNGTPGW: ami-0890412c009fb4f41 + R8040PAYGNGTXGW: ami-033a2aaf71753d1a8 + R8110BYOLGW: ami-0dc3bb0b9b1ac2749 + R8110BYOLMGMT: ami-0c7a1913f94aa3ebf + R8110PAYGMGMT: ami-0fa2f04f282dc4680 + 
R8110PAYGNGTP: ami-0ad5745360fbbeac3 + R8110PAYGNGTPGW: ami-0be55276f5f1d7158 + R8110PAYGNGTXGW: ami-0fd592a3c70541d8b + R81BYOLGW: ami-0d9ec959469a34b98 + R81BYOLMGMT: ami-016fead41e7aef422 + R81PAYGMGMT: ami-0384d69d91bc76bf9 + R81PAYGNGTP: ami-00d659bf1a1da7dd3 + R81PAYGNGTPGW: ami-0ce96ce6035f8d574 + R81PAYGNGTXGW: ami-09ad09f82e06a21cd + us-west-2: + R7730BYOL: ami-d972f5a1 + R7730PAYGNGTP: ami-d77dfaaf + R80: ami-b7ff40d7 + R8010BYOL: ami-0b80165993f1dbae5 + R8010BYOLGW: ami-07336f4d55ecbfaa2 + R8010PAYGMGMT: ami-0348f20190c8dc7f8 + R8010PAYGNGTP: ami-0cbf6b8cb0655bcd6 + R8010PAYGNGTPGW: ami-05a257fbb4f202fff + R8010PAYGNGTXGW: ami-0b4794847d7185dab + R8020BYOLGW: ami-073d8ecd3b05d4a86 + R8020BYOLMGMT: ami-054b2881c9baced2e + R8020PAYGMGMT: ami-0467631c9da49090d + R8020PAYGNGTPGW: ami-0d941e5382ef77168 + R8020PAYGNGTXGW: ami-0759646662b017119 + R8030BYOLGW: ami-05ba79f4c2c0d2f71 + R8030BYOLMGMT: ami-0f8c54b15afe13f9f + R8030PAYGMGMT: ami-0429a4efb451f85d1 + R8030PAYGNGTPGW: ami-059e754e35e2825a4 + R8030PAYGNGTXGW: ami-08f8598c439143abc + R8040BYOLGW: ami-00d43219d98df6307 + R8040BYOLMGMT: ami-01e52ed8fde0994f7 + R8040PAYGMGMT: ami-09464f900adc59381 + R8040PAYGNGTP: ami-0c6294327d0ec776e + R8040PAYGNGTPGW: ami-08f6f71ebd33f47a6 + R8040PAYGNGTXGW: ami-07169f659d8cc0a86 + R8110BYOLGW: ami-01d9bb616b359a7de + R8110BYOLMGMT: ami-0309922da03f9f486 + R8110PAYGMGMT: ami-02cde105f1e8f8351 + R8110PAYGNGTP: ami-058cc8afc5b217cc3 + R8110PAYGNGTPGW: ami-051c82cead8b4a9f1 + R8110PAYGNGTXGW: ami-09228d9ff29e80659 + R81BYOLGW: ami-017e0b6d807998d6a + R81BYOLMGMT: ami-0005b60ab19904280 + R81PAYGMGMT: ami-018ea3c7f99152efc + R81PAYGNGTP: ami-0bc32f42a5bad02cc + R81PAYGNGTPGW: ami-0e3a1782975ed8dfd + R81PAYGNGTXGW: ami-080baf9e6316012e9 +Resources: + DummyHandle: + Type: AWS::CloudFormation::WaitConditionHandle + Properties: {} +Outputs: + ImageId: + Description: Check Point Security Gateway AMI + Value: !FindInMap [RegionMap ,!Ref 'AWS::Region', !FindInMap [ConverterMap, !Ref 
'Version', Value]] diff --git a/aws/templates/general/cme-iam-role.yaml b/aws/templates/general/cme-iam-role.yaml new file mode 100644 index 00000000..45680af7 --- /dev/null +++ b/aws/templates/general/cme-iam-role.yaml 
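Review bot: In RegionMap, us-gov-east-1 maps both `R8110BYOLMGMT` and `R81BYOLMGMT` to `ami-04255be5c30842cee`, and us-gov-west-1 maps both `R8110BYOLMGMT` and `R81BYOLMGMT` to `ami-05f01726f897d5577`, so choosing one of the two BYOL management versions in GovCloud launches the other version's image; one entry in each pair is presumably a copy-paste slip and should be checked against the publisher's current AMI list. Every other region gives these two keys distinct IDs, which makes the GovCloud duplicates stand out. Because the map is static (the Description stamps it 20211212) and its lookup is emitted directly as ImageId, a consumer has no signal when an entry is stale or wrong; a comment on RegionMap recording the refresh date and the canonical source would help, e.g. `# RegionMap last refreshed <DATE>; verify entries against the vendor's published AMI list before use`. Separately, the bare aliases `BYOL` and `PAYG` in AllowedValues resolve via ConverterMap to the R77.30 images, which deserves a comment next to those ConverterMap entries so callers do not assume they track the R81.10 default.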
@@ -0,0 +1,159 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: Creates an IAM role for selected permissions (20240507)
+Metadata:
+ AWS::CloudFormation::Interface:
+ ParameterGroups:
+ - Label:
+ default: IAM
+ Parameters:
+ - Permissions
+ - Label:
+ default: Advanced Configuration (optional)
+ Parameters:
+ - STSRoles
+ - TrustedAccount
+ ParameterLabels:
+ Permissions:
+ default: IAM role
+ STSRoles:
+ default: STS roles
+ TrustedAccount:
+ default: Trusted Account ID
+Parameters:
+ Permissions:
+ Type: String
+ Default: Create with read permissions
+ AllowedValues:
+ - Create with read permissions
+ - Create with read-write permissions
+ - Create with assume role permissions (specify an STS role ARN)
+ STSRoles:
+ Description: The IAM role will be able to assume these STS Roles (comma separated list of ARNs, without spaces).
+ Type: String
+ Default: ''
+ TrustedAccount:
+ Description: A 12 digits number that represents the ID of a trusted account. IAM users in this account will be able assume the IAM role and receive the permissions attached to it.
+ Type: String
+ Default: ''
+ AllowedPattern: '^([0-9]{12})|$'
+Conditions:
+ AllowReadPermissions: !Or
+ - !Equals [!Ref Permissions, Create with read permissions]
+ - !Equals [!Ref Permissions, Create with read-write permissions]
+ AllowWritePermissions: !Equals [!Ref Permissions, Create with read-write permissions]
+ ProvidedSTSRoles: !Not [!Equals [!Ref STSRoles, '']]
+ NotProvidedTrustedAccount: !Equals ['', !Ref TrustedAccount]
+ ProvidedTrustedAccount: !Not [!Condition NotProvidedTrustedAccount]
+Resources:
+ CMEIAMRole:
+ Type: AWS::IAM::Role
+ Properties:
+ AssumeRolePolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - !If
+ - ProvidedTrustedAccount
+ - Effect: Allow
+ Principal:
+ AWS: [!Ref TrustedAccount]
+ Action: ['sts:AssumeRole']
+ - !Ref 'AWS::NoValue'
+ - !If
+ - NotProvidedTrustedAccount
+ - Effect: Allow
+ Principal:
+ Service: [ec2.amazonaws.com]
+ Action: ['sts:AssumeRole']
+ - !Ref 'AWS::NoValue'
+ Path: /
+ Policies:
+ - PolicyName: CMEPolicy
+ PolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - !If
+ - ProvidedSTSRoles
+ - Effect: Allow
+ Action: ['sts:AssumeRole']
+ Resource: !Split [',', !Ref STSRoles]
+ - !Ref 'AWS::NoValue'
+ - !If
+ - AllowReadPermissions
+ - Effect: Allow
+ Action:
+ - autoscaling:DescribeAutoScalingGroups
+ - ec2:DescribeRegions
+ - ec2:DescribeCustomerGateways
+ - ec2:DescribeInstances
+ - ec2:DescribeNetworkInterfaces
+ - ec2:DescribeRouteTables
+ - ec2:DescribeSecurityGroups
+ - ec2:DescribeSubnets
+ - ec2:DescribeTransitGateways
+ - ec2:DescribeTransitGatewayAttachments
+ - ec2:DescribeTransitGatewayRouteTables
+ - ec2:DescribeVpcs
+ - ec2:DescribeVpnGateways
+ - ec2:DescribeVpnConnections
+ - ec2:GetTransitGatewayAttachmentPropagations
+ - elasticloadbalancing:DescribeLoadBalancers
+ - elasticloadbalancing:DescribeTags
+ - elasticloadbalancing:DescribeListeners
+ - elasticloadbalancing:DescribeTargetGroups
+ - elasticloadbalancing:DescribeRules
+ - elasticloadbalancing:DescribeTargetHealth
+ Resource: '*'
+ - !Ref 'AWS::NoValue' + - !If + - AllowWritePermissions + - Effect: Allow + Action: + - ec2:AssociateTransitGatewayRouteTable + - ec2:AttachVpnGateway + - ec2:CreateCustomerGateway + - ec2:CreateVpnConnection + - ec2:CreateVpnGateway + - ec2:DeleteCustomerGateway + - ec2:DeleteVpnConnection + - ec2:DeleteVpnGateway + - ec2:DetachVpnGateway + - ec2:DisableTransitGatewayRouteTablePropagation + - ec2:DisableVgwRoutePropagation + - ec2:DisassociateTransitGatewayRouteTable + - ec2:EnableTransitGatewayRouteTablePropagation + - ec2:EnableVgwRoutePropagation + Resource: '*' + - !Ref 'AWS::NoValue' + - !If + - AllowWritePermissions + - Effect: Allow + Action: + - cloudformation:DescribeStacks + - cloudformation:DescribeStackResources + - cloudformation:ListStacks + Resource: '*' + - !Ref 'AWS::NoValue' + - !If + - AllowWritePermissions + - Effect: Allow + Action: + - cloudformation:CreateStack + - cloudformation:DeleteStack + Resource: 'arn:aws:cloudformation:*:*:stack/vpn-by-tag--*/*' + - !Ref 'AWS::NoValue' + InstanceProfile: + Type: AWS::IAM::InstanceProfile + Properties: + InstanceProfileName: !Ref CMEIAMRole + Roles: + - !Ref CMEIAMRole +Outputs: + CMEIAMRole: + Description: The IAM role. + Value: !Ref CMEIAMRole + CMEARNRole: + Description: The IAM role ARN. + Value: !GetAtt CMEIAMRole.Arn + InstanceProfile: + Description: The Instance Profile ARN. + Value: !GetAtt InstanceProfile.Arn \ No newline at end of file diff --git a/aws/templates/geo-cluster/README.md b/aws/templates/geo-cluster/README.md new file mode 100644 index 00000000..e6e30d5d --- /dev/null +++ b/aws/templates/geo-cluster/README.md @@ -0,0 +1,26 @@ + +## Cross Availability Zone Cluster + + + + + + + + + + + + + + + + + + + +
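Review bot: The cross-account trust statement for `TrustedAccount` grants `sts:AssumeRole` to the account root principal (`AWS: [!Ref TrustedAccount]`) with no `Condition`, so every principal in that account that is itself allowed to call AssumeRole can take this role together with the VPN/TGW write permissions granted further down; if the trusted account can ever belong to a third party this is the confused-deputy shape, and either an `sts:ExternalId` (or `aws:PrincipalArn`) condition should be added to that statement or the parameter Description should state that only a first-party account is expected. Separately, `TrustedAccount`'s `AllowedPattern: '^([0-9]{12})|$'` relies on alternation precedence to mean "twelve digits or empty"; `AllowedPattern: '^([0-9]{12})?$'` says the same thing unambiguously. `STSRoles` has no `AllowedPattern` at all, so a malformed or over-broad ARN list is only caught when IAM rejects the inline policy at stack creation, which is worth noting in its Description.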
DescriptionNotesDirect Launch
+ Deploys two Security Gateways, each in a different Availability Zone.

For more details, refer to CloudGuard Transit Gateway High Availability for AWS R80.40 Administration Guide. +
Creates a new VPC and deploys a Cross Availability Zone Cluster of Security Gateways into it.
Deploys a Cross Availability Zone Cluster of Security Gateways into an existing VPC.
+
+
\ No newline at end of file diff --git a/aws/templates/geo-cluster/geo-cluster-master.yaml b/aws/templates/geo-cluster/geo-cluster-master.yaml new file mode 100644 index 00000000..d030832c --- /dev/null +++ b/aws/templates/geo-cluster/geo-cluster-master.yaml 
@@ -0,0 +1,518 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: Deploy a Check Point cross AZ Cluster in a new VPC (20240204)
+Metadata:
+ AWS::CloudFormation::Interface:
+ ParameterGroups:
+ - Label:
+ default: VPC Network Configuration
+ Parameters:
+ - AvailabilityZones
+ - VPCCIDR
+ - PublicSubnet1CIDR
+ - PublicSubnet2CIDR
+ - PrivateSubnet1CIDR
+ - PrivateSubnet2CIDR
+ - Label:
+ default: EC2 Instance Configuration
+ Parameters:
+ - GatewayName
+ - GatewayInstanceType
+ - KeyName
+ - AllocatePublicAddress
+ - VolumeSize
+ - VolumeType
+ - VolumeEncryption
+ - EnableInstanceConnect
+ - GatewayPredefinedRole
+ - TerminationProtection
+ - Label:
+ default: Check Point Settings
+ Parameters:
+ - GatewayVersion
+ - Shell
+ - GatewayPasswordHash
+ - GatewayMaintenancePasswordHash
+ - GatewaySICKey
+ - Label:
+ default: Quick connect to Smart-1 Cloud (Recommended)
+ Parameters:
+ - MemberAToken
+ - MemberBToken
+ - Label:
+ default: Advanced Settings
+ Parameters:
+ - ResourcesTagName
+ - GatewayHostname
+ - AllowUploadDownload
+ - CloudWatch
+ - GatewayBootstrapScript
+ - NTPPrimary
+ - NTPSecondary
+ ParameterLabels:
+ AvailabilityZones:
+ default: Availability Zones
+ VPCCIDR:
+ default: VPC CIDR
+ PublicSubnet1CIDR:
+ default: Public subnet 1 CIDR
+ PublicSubnet2CIDR:
+ default: Public subnet 2 CIDR
+ PrivateSubnet1CIDR:
+ default: Private subnet 1 CIDR
+ PrivateSubnet2CIDR:
+ default: Private subnet 2 CIDR
+ GatewayName:
+ default: Gateway Name
+ GatewayInstanceType:
+ default: Security Gateways instance type
+ KeyName:
+ default: Key name
+ AllocatePublicAddress:
+ default: Allocate Elastic IPs for cluster members
+ VolumeSize:
+ default: Root volume size (GB)
+ VolumeType:
+ default: Volume Type
+ VolumeEncryption:
+ default: Volume encryption KMS key identifier
+ EnableInstanceConnect:
+ default: Enable AWS Instance Connect
+ GatewayPredefinedRole:
+ default: Existing IAM role name
+ TerminationProtection:
+ default: Termination Protection
+
GatewayVersion:
+ default: Gateways version & license
+ Shell:
+ default: Admin shell
+ GatewayPasswordHash:
+ default: Password hash
+ GatewayMaintenancePasswordHash:
+ default: Gateway Maintenance Password hash
+ GatewaySICKey:
+ default: SIC key
+ MemberAToken:
+ default: Smart-1 Cloud Token for member A
+ MemberBToken:
+ default: Smart-1 Cloud Token for member B
+ ResourcesTagName:
+ default: Resources prefix tag
+ GatewayHostname:
+ default: Gateway Hostname
+ AllowUploadDownload:
+ default: Allow upload & download
+ CloudWatch:
+ default: CloudWatch metrics
+ GatewayBootstrapScript:
+ default: Bootstrap Script
+ NTPPrimary:
+ default: Primary NTP server
+ NTPSecondary:
+ default: Secondary NTP server
+Parameters:
+ AvailabilityZones:
+ Description: The Availability Zones (AZs) to use for the subnets in the VPC. Select two (the logical order is preserved).
+ Type: List
+ MinLength: 2
+ VPCCIDR:
+ Description: CIDR block for the VPC.
+ Type: String
+ Default: 10.0.0.0/16
+ AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+ PublicSubnet1CIDR:
+ Description: CIDR block for public subnet 1 located in the 1st Availability Zone. The cluster's public IPs will be generated from this subnet.
+ Type: String
+ Default: 10.0.10.0/24
+ AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+ PublicSubnet2CIDR:
+ Description: CIDR block for public subnet 2 located in the 2nd Availability Zone. The cluster's public IPs will be generated from this subnet.
+ Type: String
+ Default: 10.0.20.0/24
+ AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+ PrivateSubnet1CIDR:
+ Description: CIDR block for private subnet 1 located in the 1st Availability Zone. The cluster's private IPs will be generated from this subnet.
+ Type: String
+ Default: 10.0.11.0/24
+ AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+ PrivateSubnet2CIDR:
+ Description: CIDR block for private subnet 2 located in the 2nd Availability Zone. The cluster's private IPs will be generated from this subnet.
+ Type: String
+ Default: 10.0.21.0/24
+ AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+ GatewayName:
+ Description: The name tag of the Security Gateway instances. (optional)
+ Type: String
+ Default: Check-Point-Cluster
+ GatewayInstanceType:
+ Description: The instance type of the Secutiry Gateway.
+ Type: String
+ Default: c5.xlarge
+ AllowedValues:
+ - c4.large
+ - c4.xlarge
+ - c5.large
+ - c5.xlarge
+ - c5.2xlarge
+ - c5.4xlarge
+ - c5.9xlarge
+ - c5.12xlarge
+ - c5.18xlarge
+ - c5.24xlarge
+ - c5n.large
+ - c5n.xlarge
+ - c5n.2xlarge
+ - c5n.4xlarge
+ - c5n.9xlarge
+ - c5n.18xlarge
+ - c5d.large
+ - c5d.xlarge
+ - c5d.2xlarge
+ - c5d.4xlarge
+ - c5d.9xlarge
+ - c5d.12xlarge
+ - c5d.18xlarge
+ - c5d.24xlarge
+ - m5.large
+ - m5.xlarge
+ - m5.2xlarge
+ - m5.4xlarge
+ - m5.8xlarge
+ - m5.12xlarge
+ - m5.16xlarge
+ - m5.24xlarge
+ - m6i.large
+ - m6i.xlarge
+ - m6i.2xlarge
+ - m6i.4xlarge
+ - m6i.8xlarge
+ - m6i.12xlarge
+ - m6i.16xlarge
+ - m6i.24xlarge
+ - m6i.32xlarge
+ - c6i.large
+ - c6i.xlarge
+ - c6i.2xlarge
+ - c6i.4xlarge
+ - c6i.8xlarge
+ - c6i.12xlarge
+ - c6i.16xlarge
+ - c6i.24xlarge
+ - c6i.32xlarge
+ - c6in.large
+ - c6in.xlarge
+ - c6in.2xlarge
+ - c6in.4xlarge
+ - c6in.8xlarge
+ - c6in.12xlarge
+ - c6in.16xlarge
+ - c6in.24xlarge
+ - c6in.32xlarge
+ - r5.large
+ - r5.xlarge
+ - r5.2xlarge
+ - r5.4xlarge
+ - r5.8xlarge
+ - r5.12xlarge
+ - r5.16xlarge
+ - r5.24xlarge
+ - r5a.large
+ - r5a.xlarge
+ - r5a.2xlarge
+ - r5a.4xlarge
+ - r5a.8xlarge
+ - r5a.12xlarge
+ - r5a.16xlarge
+ - r5a.24xlarge
+ - r5b.large
+ - r5b.xlarge
+ - r5b.2xlarge
+ - r5b.4xlarge
+ - r5b.8xlarge
+ - r5b.12xlarge
+ - r5b.16xlarge
+ - r5b.24xlarge
+ - r5n.large
+ - r5n.xlarge
+ - r5n.2xlarge
+ - r5n.4xlarge
+ - r5n.8xlarge
+ - r5n.12xlarge
+ - r5n.16xlarge
+ - r5n.24xlarge
+ - r6i.large
+ - r6i.xlarge
+ - r6i.2xlarge
+ - r6i.4xlarge
+ - r6i.8xlarge
+ - r6i.12xlarge
+ - r6i.16xlarge
+ - r6i.24xlarge
+ - r6i.32xlarge
+ - m6a.large
+ - m6a.xlarge
+ - m6a.2xlarge
+ - m6a.4xlarge
+ - m6a.8xlarge
+ - m6a.12xlarge
+ - m6a.16xlarge
+ - m6a.24xlarge
+ - m6a.32xlarge
+ - m6a.48xlarge
+ ConstraintDescription: must be a valid EC2 instance type.
+ KeyName:
+ Description: The EC2 Key Pair to allow SSH access to the Security Gateways.
+ Type: AWS::EC2::KeyPair::KeyName
+ MinLength: 1
+ ConstraintDescription: must be the name of an existing EC2 KeyPair.
+ AllocatePublicAddress:
+ Description: When choosing "false", make sure the cluster members can connect to an ec2 endpoint.
+ Default: true
+ Type: String
+ AllowedValues:
+ - true
+ - false
+ VolumeSize:
+ Type: Number
+ Default: 100
+ MinValue: 100
+ VolumeType:
+ Description: General Purpose SSD Volume Type
+ Type: String
+ Default: gp3
+ AllowedValues:
+ - gp3
+ - gp2
+ VolumeEncryption:
+ Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs').
+ Type: String
+ Default: alias/aws/ebs
+ EnableInstanceConnect:
+ Description: Enable SSH connection over AWS web console.
+ Type: String
+ Default: false
+ AllowedValues:
+ - true
+ - false
+ GatewayPredefinedRole:
+ Description: A predefined IAM role to attach to the cluster profile. (optional)
+ Type: String
+ Default: ''
+ TerminationProtection:
+ Description: Prevents an instance from accidental termination.
+ Type: String
+ Default: false
+ AllowedValues:
+ - true
+ - false
+ GatewayVersion:
+ Description: The license to install on the Security Gateways.
+ Type: String
+ Default: R81.10-BYOL
+ AllowedValues:
+ - R80.40-BYOL
+ - R80.40-PAYG-NGTP
+ - R80.40-PAYG-NGTX
+ - R81-BYOL
+ - R81-PAYG-NGTP
+ - R81-PAYG-NGTX
+ - R81.10-BYOL
+ - R81.10-PAYG-NGTP
+ - R81.10-PAYG-NGTX
+ Shell:
+ Description: Change the admin shell to enable advanced command line configuration.
+ Type: String
+ Default: /etc/cli.sh
+ AllowedValues:
+ - /etc/cli.sh
+ - /bin/bash
+ - /bin/csh
+ - /bin/tcsh
+ GatewayPasswordHash:
+ Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to
+ get the PASSWORD's hash).
(optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
+ NoEcho: true
+ GatewayMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
+ GatewaySICKey:
+ Description: The Secure Internal Communication key creates trusted connections between
+ Check Point components. Choose a random string consisting of at least 8
+ alphanumeric characters.
+ Type: String
+ AllowedPattern: '^[a-zA-Z0-9]{8,}$'
+ ConstraintDescription: At least 8 alpha numeric characters.
+ NoEcho: true
+ MemberAToken:
+ Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal.
+ AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'
+ Type: String
+ NoEcho: true
+ MemberBToken:
+ Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal.
+ AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'
+ Type: String
+ NoEcho: true
+ ResourcesTagName:
+ Description: Name tag prefix of the resources. (optional)
+ Type: String
+ Default: ''
+ GatewayHostname:
+ Description: The host name will be appended with member-a/b accordingly (optional). The name must not contain reserved words. For details, refer to sk40179.
+ Type: String
+ Default: ''
+ AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z]))?$'
+ ConstraintDescription: A valid hostname label or an empty string.
+ AllowUploadDownload:
+ Description: >-
+ Automatically download updates and share statistical data for product improvement purpose.
+ Type: String
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ CloudWatch:
+ Description: Report Check Point specific CloudWatch metrics.
+ Type: String
+ Default: false
+ AllowedValues:
+ - true
+ - false
+ GatewayBootstrapScript:
+ Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional)
+ Type: String
+ Default: ''
+ NoEcho: true
+ NTPPrimary:
+ Description: (optional)
+ Type: String
+ Default: 169.254.169.123
+ AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+ NTPSecondary:
+ Description: (optional)
+ Type: String
+ Default: 0.pool.ntp.org
+ AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+Conditions:
+ AllocateAddress: !Equals [!Ref AllocatePublicAddress, true]
+Resources:
+ VPCStack:
+ Type: AWS::CloudFormation::Stack
+ Properties:
+ TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml
+ Parameters:
+ AvailabilityZones: !Join [',', !Ref AvailabilityZones]
+ NumberOfAZs: 2
+ VPCCIDR: !Ref VPCCIDR
+ PublicSubnet1CIDR: !Ref PublicSubnet1CIDR
+ PublicSubnet2CIDR: !Ref PublicSubnet2CIDR
+ PrivateSubnet1CIDR: !Ref PrivateSubnet1CIDR
+ PrivateSubnet2CIDR: !Ref PrivateSubnet2CIDR
+ InternalRouteTable:
+ Type: AWS::EC2::RouteTable
+ DependsOn: VPCStack
+ Properties:
+ VpcId: !GetAtt VPCStack.Outputs.VPCID
+ Tags:
+ - Key: Name
+ Value: Private Subnets Route Table
+ ClusterStack:
+ Type: AWS::CloudFormation::Stack
+ Properties:
+ TemplateURL: https://cgi-cfts.s3.amazonaws.com/cluster/geo-cluster.yaml
+ Parameters:
+ VPC: !GetAtt VPCStack.Outputs.VPCID
+ PublicSubnetA: !GetAtt VPCStack.Outputs.PublicSubnet1ID
+ PublicSubnetB: !GetAtt VPCStack.Outputs.PublicSubnet2ID
+ PrivateSubnetA: !GetAtt VPCStack.Outputs.PrivateSubnet1ID
+ PrivateSubnetB: !GetAtt VPCStack.Outputs.PrivateSubnet2ID
+ InternalRouteTable: !Ref InternalRouteTable
+ GatewayName: !Ref GatewayName
+ GatewayInstanceType: !Ref
GatewayInstanceType
+ KeyName: !Ref KeyName
+ AllocatePublicAddress: !Ref AllocatePublicAddress
+ VolumeSize: !Ref VolumeSize
+ VolumeType: !Ref VolumeType
+ VolumeEncryption: !Ref VolumeEncryption
+ EnableInstanceConnect: !Ref EnableInstanceConnect
+ GatewayPredefinedRole: !Ref GatewayPredefinedRole
+ TerminationProtection: !Ref TerminationProtection
+ GatewayVersion: !Ref GatewayVersion
+ Shell: !Ref Shell
+ GatewayPasswordHash: !Ref GatewayPasswordHash
+ GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash
+ GatewaySICKey: !Ref GatewaySICKey
+ MemberAToken: !Ref MemberAToken
+ MemberBToken: !Ref MemberBToken
+ ResourcesTagName: !Ref ResourcesTagName
+ GatewayHostname: !Ref GatewayHostname
+ AllowUploadDownload: !Ref AllowUploadDownload
+ CloudWatch: !Ref CloudWatch
+ GatewayBootstrapScript: !Ref GatewayBootstrapScript
+ NTPPrimary: !Ref NTPPrimary
+ NTPSecondary: !Ref NTPSecondary
+Outputs:
+ MemberAPublicAddress:
+ Condition: AllocateAddress
+ Description: The public address of member A.
+ Value: !GetAtt ClusterStack.Outputs.MemberAPublicAddress
+ MemberAPrivateExternalAddress:
+ Description: The private external address of member A.
+ Value: !GetAtt ClusterStack.Outputs.MemberAPrivateExternalAddress
+ MemberAPrivateInternalAddress:
+ Description: The private internal address of member A.
+ Value: !GetAtt ClusterStack.Outputs.MemberAPrivateInternalAddress
+ MemberASSH:
+ Condition: AllocateAddress
+ Description: SSH command to member A.
+ Value: !GetAtt ClusterStack.Outputs.MemberASSH
+ MemberAURL:
+ Condition: AllocateAddress
+ Description: URL to the member A portal.
+ Value: !GetAtt ClusterStack.Outputs.MemberAURL
+ MemberBPublicAddress:
+ Condition: AllocateAddress
+ Description: The public address of member B.
+ Value: !GetAtt ClusterStack.Outputs.MemberBPublicAddress
+ MemberBPrivateExternalAddress:
+ Description: The private external address of member B.
+ Value: !GetAtt ClusterStack.Outputs.MemberBPrivateExternalAddress
+ MemberBPrivateInternalAddress:
+ Description: The private internal address of member B.
+ Value: !GetAtt ClusterStack.Outputs.MemberBPrivateInternalAddress
+ MemberBSSH:
+ Condition: AllocateAddress
+ Description: SSH command to member B.
+ Value: !GetAtt ClusterStack.Outputs.MemberBSSH
+ MemberBURL:
+ Condition: AllocateAddress
+ Description: URL to the member B portal.
+ Value: !GetAtt ClusterStack.Outputs.MemberBURL
+Rules:
+ MemberATokenNotProvided:
+ RuleCondition: !Equals [!Ref MemberAToken, '']
+ Assertions:
+ - AssertDescription: "Smart-1 Cloud Token for member A can not be empty."
+ Assert: !Equals [!Ref MemberBToken, '']
+ MemberBTokenNotProvided:
+ RuleCondition: !Equals [ !Ref MemberBToken, '' ]
+ Assertions:
+ - AssertDescription: "Smart-1 Cloud Token for member B can not be empty."
+ Assert: !Equals [ !Ref MemberAToken, '' ]
+ MembersTokenValueEquals:
+ RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ]
+ Assertions:
+ - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+ Assert: !Equals [ !Ref MemberAToken, '' ]
+ - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+ Assert: !Equals [ !Ref MemberBToken, '' ]
\ No newline at end of file
diff --git a/aws/templates/geo-cluster/geo-cluster.yaml b/aws/templates/geo-cluster/geo-cluster.yaml
new file mode 100644
index 00000000..86d9ea95
--- /dev/null
+++ b/aws/templates/geo-cluster/geo-cluster.yaml
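Review bot: The `AllowedPattern` on `MemberAToken` and `MemberBToken`, `'(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'`, wraps the expected base64 prefix in square brackets in its second alternative, so `[aHR0cHM6Ly9]` is a character class that matches a single one of those characters rather than the literal `aHR0cHM6Ly9`; any value containing whitespace followed by one such character passes, which defeats the check the first alternative is trying to enforce. The intended pattern is presumably `AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\saHR0cHM6Ly9(.+)|^$)'` on both parameters, and since the value is a credential-bearing token that only `Rules` otherwise inspect, a tighter pattern is the only input validation it gets. Separately, `VPCStack` and `ClusterStack` load their `TemplateURL`s from `https://cgi-cfts.s3.amazonaws.com/...` at deploy time, so what actually runs is whatever that vendor bucket serves then rather than the `geo-cluster.yaml` added in this same patch; a comment such as `# Nested templates are fetched live from the vendor bucket at deploy time; copy them to a bucket you control and pin the URL if you need change control` above `Resources:` would make that trade-off explicit to operators.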
@@ -0,0 +1,708 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploys a Check Point cross AZ Cluster into an existing VPC (20240204) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - VPC + - PublicSubnetA + - PublicSubnetB + - PrivateSubnetA + - PrivateSubnetB + - InternalRouteTable + - Label: + default: EC2 Instance Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - GatewayPredefinedRole + - TerminationProtection + - Label: + default: Check Point Settings + Parameters: + - GatewayVersion + - Shell + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - Label: + default: Quick connect to Smart-1 Cloud (Recommended) + Parameters: + - MemberAToken + - MemberBToken + - Label: + default: Advanced Settings + Parameters: + - ResourcesTagName + - GatewayHostname + - AllowUploadDownload + - CloudWatch + - GatewayBootstrapScript + - NTPPrimary + - NTPSecondary + ParameterLabels: + VPC: + default: VPC + PublicSubnetA: + default: Public subnet 1 + PublicSubnetB: + default: Public subnet 2 + PrivateSubnetA: + default: Private subnet 1 + PrivateSubnetB: + default: Private subnet 2 + InternalRouteTable: + default: Internal route table + GatewayName: + default: Gateway Name + GatewayInstanceType: + default: Security Gateways instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate Elastic IPs for cluster members + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + GatewayPredefinedRole: + default: Existing IAM role name + TerminationProtection: + default: Termination Protection + GatewayVersion: + default: Gateways version & license + Shell: 
+ default: Admin shell + GatewayPasswordHash: + default: Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: SIC key + MemberAToken: + default: Smart-1 Cloud Token for member A + MemberBToken: + default: Smart-1 Cloud Token for member B + ResourcesTagName: + default: Resources prefix tag + GatewayHostname: + default: Gateway Hostname + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Bootstrap Script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server +Parameters: + VPC: + Description: Select an existing VPC. + Type: AWS::EC2::VPC::Id + MinLength: 1 + ConstraintDescription: you must select a VPC. + PublicSubnetA: + Description: Select a public subnet for the first Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a public subnet for the first Security Gateway. + PublicSubnetB: + Description: Select a public subnet for the second Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a public subnet for the second Security Gateway. + PrivateSubnetA: + Description: Select a private subnet for the first Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a private subnet for the first Security Gateway. + PrivateSubnetB: + Description: Select a private subnet for the second Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a private subnet for the second Security Gateway. + InternalRouteTable: + Description: Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route. 
If empty - traffic will not be routed through the Security Cluster, this requires manual configuration in the Route Table. (optional) + Type: String + Default: '' + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Cluster + GatewayInstanceType: + Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - 
m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the Security Gateways. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: must be the name of an existing EC2 KeyPair. + AllocatePublicAddress: + Description: When choosing "false", make sure the cluster members can connect to an ec2 endpoint. + Default: true + Type: String + AllowedValues: + - true + - false + VolumeSize: + Type: Number + Default: 100 + MinValue: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayPredefinedRole: + Description: A predefined IAM role to attach to the cluster profile. (optional) + Type: String + Default: '' + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayVersion: + Description: The license to install on the Security Gateways. + Type: String + Default: R81.10-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG-NGTP + - R80.40-PAYG-NGTX + - R81-BYOL + - R81-PAYG-NGTP + - R81-PAYG-NGTX + - R81.10-BYOL + - R81.10-PAYG-NGTP + - R81.10-PAYG-NGTX + Shell: + Description: Change the admin shell to enable advanced command line configuration. 
+ Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to + get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections between + Check Point components. Choose a random string consisting of at least 8 + alphanumeric characters. + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: At least 8 alpha numeric characters. + NoEcho: true + MemberAToken: + Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + MemberBToken: + Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + ResourcesTagName: + Description: Name tag prefix of the resources. (optional) + Type: String + Default: '' + GatewayHostname: + Description: The host name will be appended with member-a/b accordingly (optional). The name must not contain reserved words. 
For details, refer to sk40179. + Type: String + Default: '' + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z]))?$' + ConstraintDescription: A valid hostname label or an empty string. + AllowUploadDownload: + Description: >- + Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' +Conditions: + ProvidedRouteTable: !Not [!Equals [!Ref InternalRouteTable, '']] + AllocateAddress: !Equals [!Ref AllocatePublicAddress, true] + EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']] + CreateRole: !Equals [!Ref GatewayPredefinedRole, ''] + ProvidedPassHash: !Not [!Equals [!Ref GatewayPasswordHash, '']] + ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']] + EmptyHostName: !Equals [!Ref GatewayHostname, ''] + EnableCloudWatch: !Equals [!Ref CloudWatch, true] +Resources: + ClusterReadyHandle: + Type: AWS::CloudFormation::WaitConditionHandle + Condition: AllocateAddress + Properties: {} + ClusterReadyCondition: + Type: AWS::CloudFormation::WaitCondition + Condition: AllocateAddress + DependsOn: [MemberAInstance, MemberBInstance] + Properties: + Count: 2 + Handle: !Ref ClusterReadyHandle + Timeout: 1800 + ClusterRole: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/iam/cluster-iam-role.yaml + ClusterInstanceProfile: + Type: 
AWS::IAM::InstanceProfile + Properties: + Path: / + Roles: [!If [CreateRole, !GetAtt ClusterRole.Outputs.ClusterIAMRole, !Ref GatewayPredefinedRole]] + CloudwatchPolicy: + Condition: EnableCloudWatch + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/iam/cloudwatch-policy.yaml + Parameters: + PolicyName: !If [ ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName' ] + PolicyRole: !If [CreateRole, !GetAtt ClusterRole.Outputs.ClusterIAMRole, !Ref GatewayPredefinedRole] + AMI: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/amis.yaml + Parameters: + Version: !Join ['-', [!Ref GatewayVersion, GW]] + PermissiveSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Permissive security group. + VpcId: !Ref VPC + SecurityGroupIngress: + - IpProtocol: -1 + CidrIp: 0.0.0.0/0 + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - PermissiveSecurityGroup + MemberAExternalInterface: + Type: AWS::EC2::NetworkInterface + Properties: + Description: External. + SourceDestCheck: false + GroupSet: [!Ref PermissiveSecurityGroup] + SubnetId: !Ref PublicSubnetA + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - Member_A_ExternalInterface + MemberBExternalInterface: + Type: AWS::EC2::NetworkInterface + Properties: + Description: External. + SourceDestCheck: false + GroupSet: [!Ref PermissiveSecurityGroup] + SubnetId: !Ref PublicSubnetB + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - Member_B_ExternalInterface + MemberAInternalInterface: + Type: AWS::EC2::NetworkInterface + Properties: + Description: Internal. 
+ GroupSet: [!Ref PermissiveSecurityGroup] + SourceDestCheck: false + SubnetId: !Ref PrivateSubnetA + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - Member_A_InternalInterface + MemberBInternalInterface: + Type: AWS::EC2::NetworkInterface + Properties: + Description: Internal. + GroupSet: [!Ref PermissiveSecurityGroup] + SourceDestCheck: false + SubnetId: !Ref PrivateSubnetB + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - Member_B_InternalInterface + InternalDefaultRoute: + Type: AWS::EC2::Route + Condition: ProvidedRouteTable + DependsOn: MemberAInternalInterface + Properties: + DestinationCidrBlock: 0.0.0.0/0 + NetworkInterfaceId: !Ref MemberAInternalInterface + RouteTableId: !Ref InternalRouteTable + PrivateSubnet1RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: ProvidedRouteTable + Properties: + RouteTableId: !Ref InternalRouteTable + SubnetId: !Ref PrivateSubnetA + PrivateSubnet2RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: ProvidedRouteTable + Properties: + RouteTableId: !Ref InternalRouteTable + SubnetId: !Ref PrivateSubnetB + MemberAInstance: + Type: AWS::EC2::Instance + DependsOn: MemberAInternalInterface + Properties: + Tags: + - Key: Name + Value: !Join ['-', [!Ref GatewayName, Member-A]] + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [EncryptedVolume, true, false] + KmsKeyId: !If [EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue'] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + KeyName: !Ref KeyName + NetworkInterfaces: + - DeviceIndex: 0 + NetworkInterfaceId: !Ref MemberAExternalInterface + - DeviceIndex: 1 + NetworkInterfaceId: !Ref MemberAInternalInterface + IamInstanceProfile: !Ref 
ClusterInstanceProfile + DisableApiTermination: !Ref TerminationProtection + UserData: !Base64 + 'Fn::Join': + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenA=''${MemberAToken}''' + - !If [AllocateAddress, !Sub ' wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] + - !If [EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-a'] + - !Join ['', [' other_member_ip="', !GetAtt MemberBInternalInterface.PrimaryPrivateIpAddress, '"']] + - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberAPublicAddress, ''], '"']] + - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenA}\"" installationType=\"geo-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"geo_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" elasticIp=\"${eip}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" otherMemberIp=\"${other_member_ip}\" bootstrapScript64=\"${bootstrap}\"' + MemberBInstance: + Type: AWS::EC2::Instance + DependsOn: MemberBInternalInterface + Properties: + Tags: + - Key: Name + Value: !Join ['-', [!Ref GatewayName, Member-B]] + ImageId: !GetAtt AMI.Outputs.ImageId + 
InstanceType: !Ref GatewayInstanceType + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [EncryptedVolume, true, false] + KmsKeyId: !If [EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue'] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + KeyName: !Ref KeyName + NetworkInterfaces: + - DeviceIndex: 0 + NetworkInterfaceId: !Ref MemberBExternalInterface + - DeviceIndex: 1 + NetworkInterfaceId: !Ref MemberBInternalInterface + IamInstanceProfile: !Ref ClusterInstanceProfile + DisableApiTermination: !Ref TerminationProtection + UserData: !Base64 + 'Fn::Join': + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenB=''${MemberBToken}''' + - !If [AllocateAddress, !Sub ' wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] + - !If [EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-b'] + - !Join ['', [' other_member_ip="', !GetAtt MemberAInternalInterface.PrimaryPrivateIpAddress, '"']] + - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberBPublicAddress, ''], '"']] + - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenB}\"" installationType=\"geo-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"geo_cluster\" 
shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" otherMemberIp=\"${other_member_ip}\" bootstrapScript64=\"${bootstrap}\"' + MemberAPublicAddress: + Type: AWS::EC2::EIP + Condition: AllocateAddress + Properties: + Domain: vpc + MemberBPublicAddress: + Type: AWS::EC2::EIP + Condition: AllocateAddress + Properties: + Domain: vpc + MemberAAddressAssoc: + Type: AWS::EC2::EIPAssociation + Condition: AllocateAddress + DependsOn: MemberAInstance + Properties: + NetworkInterfaceId: !Ref MemberAExternalInterface + AllocationId: !GetAtt MemberAPublicAddress.AllocationId + PrivateIpAddress: !GetAtt MemberAExternalInterface.PrimaryPrivateIpAddress + MemberBAddressAssoc: + Type: AWS::EC2::EIPAssociation + Condition: AllocateAddress + DependsOn: MemberBInstance + Properties: + NetworkInterfaceId: !Ref MemberBExternalInterface + AllocationId: !GetAtt MemberBPublicAddress.AllocationId + PrivateIpAddress: !GetAtt MemberBExternalInterface.PrimaryPrivateIpAddress +Outputs: + MemberAPublicAddress: + Condition: AllocateAddress + Description: The public address of member A. + Value: !Ref MemberAPublicAddress + MemberAPrivateExternalAddress: + Description: The private external address of member A. + Value: !GetAtt MemberAExternalInterface.PrimaryPrivateIpAddress + MemberAPrivateInternalAddress: + Description: The private internal address of member A. + Value: !GetAtt MemberAInternalInterface.PrimaryPrivateIpAddress + MemberAExternalInterface: + Description: The external interface of member A. + Value: !Ref MemberAExternalInterface + MemberASSH: + Condition: AllocateAddress + Description: SSH command to member A. + Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref MemberAPublicAddress]] + MemberAURL: + Condition: AllocateAddress + Description: URL to the member A portal. 
+ Value: !Join ['', ['https://', !Ref MemberAPublicAddress]] + MemberBPublicAddress: + Condition: AllocateAddress + Description: The public address of member B. + Value: !Ref MemberBPublicAddress + MemberBPrivateExternalAddress: + Description: The private external address of member B. + Value: !GetAtt MemberBExternalInterface.PrimaryPrivateIpAddress + MemberBPrivateInternalAddress: + Description: The private internal address of member B. + Value: !GetAtt MemberBInternalInterface.PrimaryPrivateIpAddress + MemberBExternalInterface: + Description: The external interface of member B. + Value: !Ref MemberBExternalInterface + MemberBSSH: + Condition: AllocateAddress + Description: SSH command to member B. + Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref MemberBPublicAddress]] + MemberBURL: + Condition: AllocateAddress + Description: URL to the member B portal. + Value: !Join ['', ['https://', !Ref MemberBPublicAddress]] +Rules: + MemberATokenNotProvided: + RuleCondition: !Equals [!Ref MemberAToken, ''] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty." + Assert: !Equals [!Ref MemberBToken, ''] + MemberBTokenNotProvided: + RuleCondition: !Equals [ !Ref MemberBToken, '' ] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty." + Assert: !Equals [ !Ref MemberAToken, '' ] + MembersTokenValueEquals: + RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ] + Assertions: + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberAToken, '' ] + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberBToken, '' ] \ No newline at end of file 
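Review bot: The `AllowedPattern` on `MemberAToken` and `MemberBToken` does not enforce the prefix it appears to intend: in the second alternative `(.*)\s[aHR0cHM6Ly9](.+)` the square brackets are a character class, so any value containing whitespace followed by one character from that set passes, and the `(.+)` groups accept any characters at all. That value is then spliced by `!Sub` into a single-quoted shell assignment in the `runcmd` block (`tokenA=''${MemberAToken}''`, likewise `tokenB`), so a token containing a quote breaks the `set -e` boot script instead of failing parameter validation, whereas the SIC key, password hashes and bootstrap script on the adjacent lines are passed through `Fn::Base64` and avoid the quoting problem entirely. Use the literal prefix, `AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\saHR0cHM6Ly9(.+)|^$)'`, and either exclude quote characters from the `(.+)` groups or route the token through `Fn::Base64` like the other secrets if `/etc/cloud_config.py` accepts that form. Separately, `PermissiveSecurityGroup` admits all protocols from `0.0.0.0/0` on both interfaces and neither `MemberAInstance` nor `MemberBInstance` sets `MetadataOptions`, so access control rests entirely on the gateway's own policy and IMDSv1 remains reachable on hosts carrying the `ClusterInstanceProfile` role; if the bootstrap tolerates IMDSv2, `MetadataOptions: {HttpTokens: required}` is cheap hardening, and the open security group deserves a comment stating it is intentional. The template `Description` and both token descriptions still read "cross AZ Cluster" although the file and `installationType=\"geo-cluster\"` describe a geo-cluster.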
diff --git a/aws/templates/gwlb-asg/README.md b/aws/templates/gwlb-asg/README.md new file mode 100644 index 00000000..26eda643 --- /dev/null +++ b/aws/templates/gwlb-asg/README.md @@ -0,0 +1,58 @@ + +## Gateway Load Balancer (GWLB) Auto Scaling Group + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
DescriptionNotesDirect Launch
+ Deploys and configures an AWS Auto Scaling group configured for Gateway Load Balancer in a Centralized Security VPC.

For more details, refer to CloudGuard Network for AWS Centralized Gateway Load Balancer R80.40 Deployment Guide. +
Creates a new VPC and deploys into it a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server.
+ Deploys and configures an AWS Auto Scaling group configured for Gateway Load Balancer in a Centralized Security VPC.

For more details, refer to CloudGuard Network for AWS Centralized Gateway Load Balancer R80.40 Deployment Guide. +
Deploys a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server into an existing VPC.
+ Deploys and configures an AWS Auto Scaling group configured for Gateway Load Balancer in a Centralized Security VPC for Transit Gateway.

For more details, refer to CloudGuard Network for AWS Gateway Load Balancer Security VPC for Transit Gateway R80.40 Deployment Guide. +
Creates a new VPC and deploys into it a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, for Transit Gateway.
+ Deploys and configures an AWS Auto Scaling group configured for Gateway Load Balancer in a Centralized Security VPC for Transit Gateway.

For more details, refer to CloudGuard Network for AWS Gateway Load Balancer Security VPC for Transit Gateway R80.40 Deployment Guide. +
Deploys a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, for Transit Gateway into an existing VPC.
+ Deploys and configures a Quick Start AWS Auto Scaling Group configured for Gateway Load Balancer in a Centralized Security VPC, and Servers in Servers VPC

For more details, refer to CloudGuard Network for AWS Centralized Gateway Load Balancer R80.40 Deployment Guide. +
Creates a new Security VPC with Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, Servers' VPC with Gateway Load Balancer Endpoints (1 per Availability Zone), Application Load Balancer in Servers' VPC, Servers and optionally a Security Management Server.
+
+ Deploys and configures a Quick Start AWS Auto Scaling Group configured for Gateway Load Balancer in a Centralized Security VPC, and Servers in Servers VPC.

For more details, refer to CloudGuard Network for AWS Centralized Gateway Load Balancer R80.40 Deployment Guide. +
Deploys a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, optionally a Security Management Server into an existing Security VPC, Gateway Load Balancer Endpoints (1 per Availability Zone), Application Load Balancer and Servers into an existing Servers' VPC.
+
+
+
diff --git a/aws/templates/gwlb-asg/gwlb-master.yaml b/aws/templates/gwlb-asg/gwlb-master.yaml
new file mode 100644
index 00000000..d10e85ad
--- /dev/null
+++ b/aws/templates/gwlb-asg/gwlb-master.yaml
@@ -0,0 +1,721 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, in a new VPC (20240204) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - AvailabilityZones + - NumberOfAZs + - VPCCIDR + - PublicSubnet1CIDR + - PublicSubnet2CIDR + - PublicSubnet3CIDR + - PublicSubnet4CIDR + - Label: + default: General Settings + Parameters: + - KeyName + - EnableVolumeEncryption + - VolumeSize + - VolumeType + - EnableInstanceConnect + - TerminationProtection + - AllowUploadDownload + - ManagementServer + - ConfigurationTemplate + - AdminEmail + - Shell + - Label: + default: Gateway Load Balancer Configuration + Parameters: + - GWLBName + - TargetGroupName + - AcceptConnectionRequired + - CrossZoneLoadBalancing + - Label: + default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - GatewaysMinSize + - GatewaysMaxSize + - GatewayVersion + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - ControlGatewayOverPrivateOrPublicAddress + - AllocatePublicAddress + - CloudWatch + - Label: + default: Check Point CloudGuard IaaS Security Management Server Configuration + Parameters: + - ManagementDeploy + - ManagementInstanceType + - ManagementVersion + - ManagementPasswordHash + - ManagementMaintenancePasswordHash + - GatewaysPolicy + - AdminCIDR + - GatewayManagement + - GatewaysAddresses + ParameterLabels: + AvailabilityZones: + default: Availability Zones + NumberOfAZs: + default: Number of AZs + VPCCIDR: + default: VPC CIDR + PublicSubnet1CIDR: + default: Auto Scaling Group Public Subnet 1 + PublicSubnet2CIDR: + default: Auto Scaling Group Public Subnet 2 + PublicSubnet3CIDR: + default: Auto Scaling Group Public Subnet 3 + PublicSubnet4CIDR: + default: 
Auto Scaling Group Public Subnet 4 + KeyName: + default: Key name + EnableVolumeEncryption: + default: Enable environment volume encryption + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + AllowUploadDownload: + default: Allow upload & download + ManagementServer: + default: Management Server + ConfigurationTemplate: + default: Configuration template + AdminEmail: + default: Email address + Shell: + default: Admin shell + GWLBName: + default: Gateway Load Balancer Name + TargetGroupName: + default: Target Group Name + AcceptConnectionRequired: + default: Connection Acceptance Required + CrossZoneLoadBalancing: + default: Enable Cross Zone Load Balancing + GatewayName: + default: Gateways instance name + GatewayInstanceType: + default: Gateways instance type + GatewaysMinSize: + default: Minimum group size + GatewaysMaxSize: + default: Maximum group size + GatewayVersion: + default: Gateways version & license + GatewayPasswordHash: + default: Gateways Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: Gateways SIC key + ControlGatewayOverPrivateOrPublicAddress: + default: Gateways addresses + AllocatePublicAddress: + default: Allocate Public IPs + CloudWatch: + default: CloudWatch metrics + ManagementDeploy: + default: Deploy Management Server + ManagementInstanceType: + default: Management instance type + ManagementVersion: + default: Management version & license + ManagementPasswordHash: + default: Management password hash + ManagementMaintenancePasswordHash: + default: Management Maintenance Password hash + GatewaysPolicy: + default: Security Policy + AdminCIDR: + default: Administrator addresses + GatewayManagement: + default: Manage Gateways + GatewaysAddresses: + default: Gateways addresses +Parameters: + AvailabilityZones: + 
Description: List of Availability Zones (AZs) to use for the subnets in the VPC. Select at least two. + Type: List + MinLength: 2 + NumberOfAZs: + Description: Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter. + Type: Number + Default: 2 + MinValue: 2 + MaxValue: 4 + VPCCIDR: + Description: CIDR block for the VPC. + Type: String + Default: 10.0.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet1CIDR: + Description: CIDR block for public subnet 1 located in the 1st Availability Zone. If you choose to deploy a Security Management Server it will be deployed in this subnet. + Type: String + Default: 10.0.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet2CIDR: + Description: CIDR block for public subnet 2 located in the 2nd Availability Zone. + Type: String + Default: 10.0.20.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet3CIDR: + Description: CIDR block for public subnet 3 located in the 3rd Availability Zone. + Type: String + Default: 10.0.30.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet4CIDR: + Description: CIDR block for public subnet 4 located in the 4th Availability Zone. 
+ Type: String + Default: 10.0.40.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instances created by this stack. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: Must be the name of an existing EC2 KeyPair. + EnableVolumeEncryption: + Description: Encrypt Environment instances volume with default AWS KMS key. + Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + MinValue: 100 + Default: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + ManagementServer: + Description: The name that represents the Security Management Server in the automatic provisioning configuration. + Type: String + Default: gwlb-management-server + MinLength: 1 + ConfigurationTemplate: + Description: A name of a gateway configuration template in the automatic provisioning configuration. + Type: String + Default: gwlb-ASG-configuration + MinLength: 1 + MaxLength: 30 + AdminEmail: + Description: Notifications about scaling events will be sent to this email address. 
(optional) + Type: String + Default: '' + AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$' + Shell: + Description: Change the admin shell to enable advanced command line configuration. Applies for Security Gateways and Security Management Server if deployed. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GWLBName: + Description: Gateway Load Balancer name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen. + Type: String + AllowedPattern: '^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])$' + Default: gwlb1 + MaxLength: 32 + ConstraintDescription: Must be a valid GWLB Name. + TargetGroupName: + Description: Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen. + Type: String + AllowedPattern: '^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])$' + Default: tg1 + MaxLength: 32 + ConstraintDescription: Must be a valid target group name. + AcceptConnectionRequired: + Description: Indicate whether requests from service consumers to create an endpoint to your service must be accepted. Default is set to false(acceptance not required). + Default: "false" + AllowedValues: ["true", "false"] + Type: String + ConstraintDescription: Must be true or false. + CrossZoneLoadBalancing: + Description: Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges. + Type: String + Default: true + AllowedValues: + - true + - false + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Gateway + GatewayInstanceType: + Description: The EC2 instance type for the Security Gateways. 
+ Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + GatewaysMinSize: + Description: The minimal number of Security Gateways. 
+ Type: Number + Default: 2 + MinValue: 1 + GatewaysMaxSize: + Description: The maximal number of Security Gateways. + Type: Number + Default: 10 + MinValue: 1 + GatewayVersion: + Description: The version and license to install on the Security Gateways. + Type: String + Default: R81.20-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG-NGTP + - R80.40-PAYG-NGTX + - R81.20-BYOL + - R81.20-PAYG-NGTP + - R81.20-PAYG-NGTX + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters. + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: Secure Internal Communication activation key should contain only alpha numeric characters and be at least 8 characters long. + NoEcho: true + ControlGatewayOverPrivateOrPublicAddress: + Description: Determines if the gateways are provisioned using their private or public address. + Type: String + Default: private + AllowedValues: + - private + - public + AllocatePublicAddress: + Description: Allocate a Public IP for gateway members. + Type: String + Default: false + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. 
+ Type: String + Default: false + AllowedValues: + - true + - false + ManagementDeploy: + Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section. + Type: String + Default: true + AllowedValues: + - true + - false + ManagementInstanceType: + Description: The EC2 instance type of the Security Management Server. + Type: String + Default: m5.xlarge + AllowedValues: + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - 
r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + ManagementVersion: + Description: The license to install on the Security Management Server. + Type: String + Default: R81.20-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG + - R81-BYOL + - R81-PAYG + - R81.10-BYOL + - R81.10-PAYG + - R81.20-BYOL + - R81.20-PAYG + ManagementPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + ManagementMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaysPolicy: + Description: The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group. + Type: String + Default: Standard + MinLength: 1 + AdminCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate with the Security Management Server. + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + GatewayManagement: + Description: Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. 
+ Type: String
+ Default: Locally managed
+ AllowedValues:
+ - Locally managed
+ - Over the internet
+ GatewaysAddresses:
+ Description: Allow gateways only from this network to communicate with the Security Management Server.
+ Type: String
+ AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
+Conditions:
+ 4AZs: !Equals [!Ref NumberOfAZs, 4]
+ 3AZs: !Or [!Equals [!Ref NumberOfAZs, 3], !Condition 4AZs]
+ DeployManagement: !Equals [!Ref ManagementDeploy, true]
+Resources:
+ VPCStack:
+ Type: AWS::CloudFormation::Stack
+ Properties:
+ TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml
+ Parameters:
+ AvailabilityZones: !Join [',' , !Ref AvailabilityZones]
+ NumberOfAZs: !Ref NumberOfAZs
+ VPCCIDR: !Ref VPCCIDR
+ PublicSubnet1CIDR: !Ref PublicSubnet1CIDR
+ PublicSubnet2CIDR: !Ref PublicSubnet2CIDR
+ PublicSubnet3CIDR: !Ref PublicSubnet3CIDR
+ PublicSubnet4CIDR: !Ref PublicSubnet4CIDR
+ CreatePrivateSubnets: false
+ GWLBStack:
+ Type: AWS::CloudFormation::Stack
+ Properties:
+ TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/gwlb.yaml
+ Parameters:
+ VPC: !GetAtt VPCStack.Outputs.VPCID
+ GatewaysSubnets: !Join
+ - ','
+ - - !GetAtt VPCStack.Outputs.PublicSubnet1ID
+ - !GetAtt VPCStack.Outputs.PublicSubnet2ID
+ - !If [3AZs, !GetAtt VPCStack.Outputs.PublicSubnet3ID, !Ref 'AWS::NoValue']
+ - !If [4AZs, !GetAtt VPCStack.Outputs.PublicSubnet4ID, !Ref 'AWS::NoValue']
+ KeyName: !Ref KeyName
+ EnableVolumeEncryption: !Ref EnableVolumeEncryption
+ VolumeType: !Ref VolumeType
+ VolumeSize: !Ref VolumeSize
+ EnableInstanceConnect: !Ref EnableInstanceConnect
+ TerminationProtection: !Ref TerminationProtection
+ AllowUploadDownload: !Ref AllowUploadDownload
+ ManagementServer: !Ref ManagementServer
+ ConfigurationTemplate: !Ref ConfigurationTemplate
+ AdminEmail: !Ref AdminEmail
+ Shell: !Ref Shell
+ GWLBName: !Ref GWLBName
+ TargetGroupName: !Ref TargetGroupName
+ AcceptConnectionRequired: !Ref AcceptConnectionRequired
+ CrossZoneLoadBalancing: !Ref CrossZoneLoadBalancing
+ GatewayName: !Ref GatewayName
+ GatewayInstanceType: !Ref GatewayInstanceType
+ GatewaysMinSize: !Ref GatewaysMinSize
+ GatewaysMaxSize: !Ref GatewaysMaxSize
+ GatewayVersion: !Ref GatewayVersion
+ GatewayPasswordHash: !Ref GatewayPasswordHash
+ GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash
+ GatewaySICKey: !Ref GatewaySICKey
+ ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress
+ AllocatePublicAddress: !Ref AllocatePublicAddress
+ CloudWatch: !Ref CloudWatch
+ ManagementDeploy: !Ref ManagementDeploy
+ ManagementInstanceType: !Ref ManagementInstanceType
+ ManagementVersion: !Ref ManagementVersion
+ ManagementPasswordHash: !Ref ManagementPasswordHash
+ ManagementMaintenancePasswordHash: !Ref ManagementMaintenancePasswordHash
+ GatewaysPolicy: !Ref GatewaysPolicy
+ AdminCIDR: !Ref AdminCIDR
+ GatewayManagement: !Ref GatewayManagement
+ GatewaysAddresses: !Ref GatewaysAddresses
+Outputs:
+ VPCID:
+ Description: VPC ID.
+ Value: !GetAtt VPCStack.Outputs.VPCID
+ ManagementPublicAddress:
+ Description: The public address of the management server.
+ Value: !GetAtt GWLBStack.Outputs.ManagementPublicAddress
+ Condition: DeployManagement
+ ConfigurationTemplateName:
+ Description: The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name.
+ Value: !GetAtt GWLBStack.Outputs.ConfigurationTemplateName
+ ControllerName:
+ Description: The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name
+ Value: !GetAtt GWLBStack.Outputs.ControllerName
+ GWLBName:
+ Description: Gateway Load Balancer Name.
+ Value: !Ref GWLBName
+ GWLBServiceName:
+ Description: Gateway Load Balancer Service Name.
+ Value: !GetAtt GWLBStack.Outputs.GWLBServiceName
+Rules:
+ GatewayAddressAllocationRule:
+ RuleCondition: !Equals [!Ref ControlGatewayOverPrivateOrPublicAddress, 'public']
+ Assertions:
+ - AssertDescription: "Gateway's selected to be provisioned by public IP, but ['AllocatePublicAddress'] parameter is false"
+ Assert: !Equals [!Ref AllocatePublicAddress, 'true']
diff --git a/aws/templates/gwlb-asg/gwlb.yaml b/aws/templates/gwlb-asg/gwlb.yaml
new file mode 100644
index 00000000..8b2d8830
--- /dev/null
+++ b/aws/templates/gwlb-asg/gwlb.yaml
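Review bot: Both nested stacks under Resources (VPCStack and GWLBStack) are fetched from unversioned URLs (`https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml`, `https://cgi-cfts.s3.amazonaws.com/gwlb/gwlb.yaml`), so what this master template deploys is whatever is hosted at those paths at stack-create time rather than the `aws/templates/gwlb-asg/gwlb.yaml` this same commit adds, and a later change to the hosted copy silently changes every new deployment. Pinning the TemplateURLs to a versioned object key or S3 object version (the template already carries a `20240204` date in its Description), or at least documenting the dependency with a comment such as `# Nested templates are fetched from the cgi-cfts bucket at deploy time; keep in sync with aws/templates/gwlb-asg/gwlb.yaml`, would make the deployed revision reproducible and reviewable. Separately, AdminCIDR's AllowedPattern accepts prefix lengths down to /0, so `0.0.0.0/0` passes validation for the parameter that scopes web, SSH and GUI access to the Management Server; a ConstraintDescription (the subnet CIDR parameters have one, AdminCIDR and GatewaysAddresses do not) or a Rules assertion rejecting a /0 prefix would catch that at stack creation. Whether gwlb.yaml also marks the forwarded password-hash and SIC-key parameters NoEcho cannot be confirmed from this hunk.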
@@ -0,0 +1,720 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, in a new VPC (20240204) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: Network Configuration + Parameters: + - VPC + - GatewaysSubnets + - Label: + default: General Settings + Parameters: + - KeyName + - EnableVolumeEncryption + - VolumeSize + - VolumeType + - EnableInstanceConnect + - TerminationProtection + - AllowUploadDownload + - ManagementServer + - ConfigurationTemplate + - AdminEmail + - Shell + - Label: + default: Gateway Load Balancer Configuration + Parameters: + - GWLBName + - TargetGroupName + - AcceptConnectionRequired + - CrossZoneLoadBalancing + - Label: + default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - GatewaysMinSize + - GatewaysMaxSize + - GatewayVersion + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - ControlGatewayOverPrivateOrPublicAddress + - AllocatePublicAddress + - CloudWatch + - Label: + default: Check Point CloudGuard IaaS Security Management Server Configuration + Parameters: + - ManagementDeploy + - ManagementInstanceType + - ManagementVersion + - ManagementPasswordHash + - ManagementMaintenancePasswordHash + - GatewaysPolicy + - AdminCIDR + - GatewayManagement + - GatewaysAddresses + ParameterLabels: + VPC: + default: VPC + GatewaysSubnets: + default: Gateways subnets + KeyName: + default: Key name + EnableVolumeEncryption: + default: Enable environment volume encryption + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + AllowUploadDownload: + default: Allow upload & download + ManagementServer: + default: 
Management Server + ConfigurationTemplate: + default: Configuration template + AdminEmail: + default: Email address + Shell: + default: Admin shell + GWLBName: + default: Gateway Load Balancer Name + TargetGroupName: + default: Target Group Name + AcceptConnectionRequired: + default: Connection Acceptance Required + CrossZoneLoadBalancing: + default: Enable Cross Zone Load Balancing + GatewayName: + default: Gateways instance name + GatewayInstanceType: + default: Gateways instance type + GatewaysMinSize: + default: Minimum group size + GatewaysMaxSize: + default: Maximum group size + GatewayVersion: + default: Gateways version & license + GatewayPasswordHash: + default: Gateways Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: Gateways SIC key + ControlGatewayOverPrivateOrPublicAddress: + default: Gateways addresses + AllocatePublicAddress: + default: Allocate Public IPs + CloudWatch: + default: CloudWatch metrics + ManagementDeploy: + default: Deploy Management Server + ManagementInstanceType: + default: Management instance type + ManagementVersion: + default: Management version & license + ManagementPasswordHash: + default: Management password hash + ManagementMaintenancePasswordHash: + default: Management Maintenance Password hash + GatewaysPolicy: + default: Security Policy + AdminCIDR: + default: Administrator addresses + GatewayManagement: + default: Manage Gateways + GatewaysAddresses: + default: Gateways addresses +Parameters: + VPC: + Description: Select an existing VPC. + Type: AWS::EC2::VPC::Id + MinLength: 1 + ConstraintDescription: You must select a VPC. + GatewaysSubnets: + Description: Select at least 2 public subnets in the VPC. + Type: List + MinLength: 2 + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instances created by this stack. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: Must be the name of an existing EC2 KeyPair. 
+ EnableVolumeEncryption: + Description: Encrypt Environment instances volume with default AWS KMS key. + Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + MinValue: 100 + Default: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + ManagementServer: + Description: The name that represents the Security Management Server in the automatic provisioning configuration. + Type: String + Default: gwlb-management-server + MinLength: 1 + ConfigurationTemplate: + Description: A name of a gateway configuration template in the automatic provisioning configuration. + Type: String + Default: gwlb-ASG-configuration + MinLength: 1 + MaxLength: 30 + AdminEmail: + Description: Notifications about scaling events will be sent to this email address. (optional) + Type: String + Default: '' + AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$' + Shell: + Description: Change the admin shell to enable advanced command line configuration. Applies for Security Gateways and Security Management Server if deployed. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GWLBName: + Description: Gateway Load Balancer name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. 
A name cannot begin or end with a hyphen. + Type: String + Default: gwlb1 + ConstraintDescription: Must be a valid GWLB Name. + TargetGroupName: + Description: Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen. + Type: String + Default: tg1 + ConstraintDescription: Must be a valid target group name. + AcceptConnectionRequired: + Description: Indicate whether requests from service consumers to create an endpoint to your service must be accepted. Default is set to false(acceptance not required). + Default: "false" + AllowedValues: ["true", "false"] + Type: String + ConstraintDescription: Must be true or false. + CrossZoneLoadBalancing: + Description: Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges. + Type: String + Default: true + AllowedValues: + - true + - false + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Gateway + GatewayInstanceType: + Description: The EC2 instance type for the Security Gateways. 
+ Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + GatewaysMinSize: + Description: The minimal number of Security Gateways. 
+ Type: Number + Default: 2 + MinValue: 1 + GatewaysMaxSize: + Description: The maximal number of Security Gateways. + Type: Number + Default: 10 + MinValue: 1 + GatewayVersion: + Description: The version and license to install on the Security Gateways. + Type: String + Default: R81.20-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG-NGTP + - R80.40-PAYG-NGTX + - R81.20-BYOL + - R81.20-PAYG-NGTP + - R81.20-PAYG-NGTX + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters. + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: Secure Internal Communication acti.vation key should contain only alpha numeric characters and be at least 8 characters long. + NoEcho: true + ControlGatewayOverPrivateOrPublicAddress: + Description: Determines if the gateways are provisioned using their private or public address. + Type: String + Default: private + AllowedValues: + - private + - public + AllocatePublicAddress: + Description: Allocate a Public IP for gateway members. + Type: String + Default: false + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. 
+ Type: String + Default: false + AllowedValues: + - true + - false + ManagementDeploy: + Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section. + Type: String + Default: true + AllowedValues: + - true + - false + ManagementInstanceType: + Description: The EC2 instance type of the Security Management Server. + Type: String + Default: m5.xlarge + AllowedValues: + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - 
r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + ManagementVersion: + Description: The license to install on the Security Management Server. + Type: String + Default: R81.20-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG + - R81-BYOL + - R81-PAYG + - R81.10-BYOL + - R81.10-PAYG + - R81.20-BYOL + - R81.20-PAYG + ManagementPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + ManagementMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaysPolicy: + Description: The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group. + Type: String + Default: Standard + MinLength: 1 + AdminCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate with the Security Management Server. + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + GatewayManagement: + Description: Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. 
+ Type: String + Default: Locally managed + AllowedValues: + - Locally managed + - Over the internet + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Security Management Server. + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' +Conditions: + DeployManagement: !Equals [!Ref ManagementDeploy, true] + VolumeEncryption: !Equals [!Ref EnableVolumeEncryption, true] +Resources: + GatewayLoadBalancer: + Type: AWS::ElasticLoadBalancingV2::LoadBalancer + Properties: + Type: gateway + Name: !Ref GWLBName + LoadBalancerAttributes: + - Key: load_balancing.cross_zone.enabled + Value: !Ref CrossZoneLoadBalancing + Subnets: !Ref GatewaysSubnets + Tags: + - Key: x-chkp-management + Value: !Ref ManagementServer + - Key: x-chkp-template + Value: !Ref ConfigurationTemplate + VpcEndpointService: + Type: AWS::EC2::VPCEndpointService + Properties: + AcceptanceRequired: !Ref AcceptConnectionRequired + GatewayLoadBalancerArns: + - !Ref GatewayLoadBalancer + TargetGroup: + Type: AWS::ElasticLoadBalancingV2::TargetGroup + Properties: + Name: !Ref TargetGroupName + Port: 6081 + Protocol: GENEVE + HealthCheckPort: 8117 + HealthCheckProtocol: TCP + TargetGroupAttributes: + - Key: deregistration_delay.timeout_seconds + Value: 20 + VpcId: !Ref VPC + TargetType: instance + Tags: + - Key: Name + Value: !Join + - "" + - - !Ref AWS::StackName + - "-tg1" + Listener: + Type: AWS::ElasticLoadBalancingV2::Listener + Properties: + DefaultActions: + - Type: forward + TargetGroupArn: !Ref TargetGroup + LoadBalancerArn: !Ref GatewayLoadBalancer + SecurityGatewaysStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/autoscale-gwlb.yaml + Parameters: + VPC: !Ref VPC + GatewaysSubnets: !Join [',', !Ref GatewaysSubnets] + GatewayName: !Ref GatewayName + GatewayInstanceType: !Ref 
GatewayInstanceType + KeyName: !Ref KeyName + Shell: !Ref Shell + EnableVolumeEncryption: !Ref EnableVolumeEncryption + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + EnableInstanceConnect: !Ref EnableInstanceConnect + GatewaysMinSize: !Ref GatewaysMinSize + GatewaysMaxSize: !Ref GatewaysMaxSize + AdminEmail: !Ref AdminEmail + GatewaysTargetGroups: !Ref TargetGroup + GatewayVersion: !Ref GatewayVersion + GatewayPasswordHash: !Ref GatewayPasswordHash + GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash + GatewaySICKey: !Ref GatewaySICKey + AllowUploadDownload: !Ref AllowUploadDownload + ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress + AllocatePublicAddress: !Ref AllocatePublicAddress + CloudWatch: !Ref CloudWatch + ManagementServer: !Ref ManagementServer + ConfigurationTemplate: !Ref ConfigurationTemplate + ManagementStack: + Type: AWS::CloudFormation::Stack + Condition: DeployManagement + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/management-gwlb.yaml + Parameters: + VPC: !Ref VPC + ManagementSubnet: !Select [0, !Ref GatewaysSubnets] + ManagementName: !Ref ManagementServer + ManagementInstanceType: !Ref ManagementInstanceType + KeyName: !Ref KeyName + Shell: !Ref Shell + VolumeEncryption: !If [VolumeEncryption, alias/aws/ebs, ''] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + EnableInstanceConnect: !Ref EnableInstanceConnect + ManagementPermissions: Create with read-write permissions + ManagementVersion: !Ref ManagementVersion + ManagementPasswordHash: !Ref ManagementPasswordHash + ManagementMaintenancePasswordHash: !Ref ManagementMaintenancePasswordHash + AllowUploadDownload: !Ref AllowUploadDownload + AdminCIDR: !Ref AdminCIDR + GatewayManagement: !Ref GatewayManagement + GatewaysAddresses: !Ref GatewaysAddresses + TerminationProtection: !Ref TerminationProtection + ManagementBootstrapScript: !Join + - ';' + - - 'echo -e "\nStarting Bootstrap script\n"' + 
- !Sub 'policy=${GatewaysPolicy} ; region=${AWS::Region} ; conf_template=${ConfigurationTemplate} ; mgmt=${ManagementServer}' + - !Sub ['version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - !Join ['', ['sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ' | base64 -d)"']] + - 'controller="gwlb-controller"' + - 'echo "Creating CME configuration"' + - 'autoprov_cfg -f init AWS -mn "${mgmt}" -tn "${conf_template}" -cn "${controller}" -po "${policy}" -otp "${sic}" -r "${region}" -ver "${version}" -iam' + - 'echo -e "\nFinished Bootstrap script\n"' +Outputs: + VPCID: + Description: VPC ID. + Value: !Ref VPC + ManagementPublicAddress: + Description: The public address of the management server. + Value: !GetAtt ManagementStack.Outputs.PublicAddress + Condition: DeployManagement + ConfigurationTemplateName: + Description: The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name. + Value: !Ref ConfigurationTemplate + ControllerName: + Description: The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name. + Value: gwlb-controller + GWLBName: + Description: Gateway Load Balancer Name. + Value: !Ref GWLBName + GWLBServiceName: + Description: Gateway Load Balancer Service Name. + Value: !Sub ['com.amazonaws.vpce.${AWS::Region}.${Service}', {Service: !Ref VpcEndpointService}] +Rules: + GatewayAddressAllocationRule: + RuleCondition: !Equals [!Ref ControlGatewayOverPrivateOrPublicAddress, 'public'] + Assertions: + - AssertDescription: "Gateway's selected to be provisioned by public IP, but ['AllocatePublicAddress'] parameter is false" + Assert: !Equals [!Ref AllocatePublicAddress, 'true'] 
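Review bot: GatewaysPolicy, ConfigurationTemplate and ManagementServer are interpolated unquoted into the ManagementBootstrapScript shell line (`!Sub 'policy=${GatewaysPolicy} ; region=${AWS::Region} ; conf_template=${ConfigurationTemplate} ; mgmt=${ManagementServer}'`), but unlike GatewaySICKey none of them carries an AllowedPattern, so a value containing whitespace or shell metacharacters silently breaks the CME init or changes what the command does. Constrain each of the three in the Parameters section, e.g. `AllowedPattern: '^[a-zA-Z0-9_.-]+$'` (a constructed example) with a matching ConstraintDescription, so a bad value is rejected at stack validation instead of producing a mis-provisioned management server. The GatewaySICKey ConstraintDescription also has a typo: `acti.vation` should read `activation`. ManagementPermissions is hard-coded to `Create with read-write permissions` for the nested ManagementStack; if the nested template accepts a narrower option, exposing it as a parameter would let deployers apply least privilege, but that cannot be confirmed from this hunk.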
diff --git a/aws/templates/gwlb-asg/qs-gwlb-master.yaml b/aws/templates/gwlb-asg/qs-gwlb-master.yaml
new file mode 100644
index 00000000..c95da46e
--- /dev/null
+++ b/aws/templates/gwlb-asg/qs-gwlb-master.yaml
@@ -0,0 +1,947 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, in a new VPC (05072024) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: Security VPC Network Configuration + Parameters: + - AvailabilityZones + - NumberOfAZs + - SecurityVPCCIDR + - SecurityPublicSubnet1CIDR + - SecurityPublicSubnet2CIDR + - SecurityPublicSubnet3CIDR + - SecurityPublicSubnet4CIDR + - Label: + default: Servers VPC Network Configuration + Parameters: + - ServersVPCCIDR + - ServersPublicSubnet1CIDR + - ServersPublicSubnet2CIDR + - ServersPublicSubnet3CIDR + - ServersPublicSubnet4CIDR + - GWLBeSubnet1CIDR + - GWLBeSubnet2CIDR + - GWLBeSubnet3CIDR + - GWLBeSubnet4CIDR + - SubnetTagsInboundCIDR + - SubnetTagsOutboundCIDR + + - Label: + default: General Settings + Parameters: + - KeyName + - EnableVolumeEncryption + - VolumeSize + - VolumeType + - EnableInstanceConnect + - TerminationProtection + - AllowUploadDownload + - ManagementServer + - ConfigurationTemplate + - AdminEmail + - Shell + - Label: + default: Gateway Load Balancer Configuration + Parameters: + - GWLBName + - TargetGroupName + - AcceptConnectionRequired + - CrossZoneLoadBalancing + - Label: + default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - GatewaysMinSize + - GatewaysMaxSize + - GatewayVersion + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - ControlGatewayOverPrivateOrPublicAddress + - AllocatePublicAddress + - CloudWatch + - Label: + default: Check Point CloudGuard IaaS Security Management Server Configuration + Parameters: + - ManagementDeploy + - ManagementInstanceType + - ManagementVersion + - ManagementPasswordHash + - ManagementMaintenancePasswordHash + - GatewaysPolicy + - GatewaysBlades + - AdminCIDR + - 
GatewayManagement + - GatewaysAddresses + - Label: + default: Web Servers Auto Scaling Group Configuration + Parameters: + - ServerAMI + - ALBProtocol + - ServicePort + - ServerInstanceType + - ResourcesTagName + ParameterLabels: + AvailabilityZones: + default: Availability Zones + NumberOfAZs: + default: Number of AZs + SecurityVPCCIDR: + default: Security VPC CIDR + SecurityPublicSubnet1CIDR: + default: Security Auto Scaling Group Public Subnet 1 + SecurityPublicSubnet2CIDR: + default: Security Auto Scaling Group Public Subnet 2 + SecurityPublicSubnet3CIDR: + default: Security Auto Scaling Group Public Subnet 3 + SecurityPublicSubnet4CIDR: + default: Security Auto Scaling Group Public Subnet 4 + ServersVPCCIDR: + default: Servers VPC CIDR + ServersPublicSubnet1CIDR: + default: Servers Auto Scaling Group Public Subnet 1 + ServersPublicSubnet2CIDR: + default: Servers Auto Scaling Group Public Subnet 2 + ServersPublicSubnet3CIDR: + default: Servers Auto Scaling Group Public Subnet 3 + ServersPublicSubnet4CIDR: + default: Servers Auto Scaling Group Public Subnet 4 + SubnetTagsOutboundCIDR: + default: Outbound Subnet tagging for Inspection + SubnetTagsInboundCIDR: + default: Inbound Subnet tagging for Inspection + GWLBeSubnet1CIDR: + default: GWLBe subnet 1 CIDR + GWLBeSubnet2CIDR: + default: GWLBe subnet 2 CIDR + GWLBeSubnet3CIDR: + default: GWLBe subnet 3 CIDR + GWLBeSubnet4CIDR: + default: GWLBe subnet 4 CIDR + KeyName: + default: Key name + EnableVolumeEncryption: + default: Enable environment volume encryption + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + AllowUploadDownload: + default: Allow upload & download + ManagementServer: + default: Management Server + ConfigurationTemplate: + default: Configuration template + AdminEmail: + default: Email address + Shell: + default: Admin shell + GWLBName: + 
default: Gateway Load Balancer Name + TargetGroupName: + default: Target Group Name + AcceptConnectionRequired: + default: Connection Acceptance Required + CrossZoneLoadBalancing: + default: Enable Cross Zone Load Balancing + GatewayName: + default: Gateways instance name + GatewayInstanceType: + default: Gateways instance type + GatewaysMinSize: + default: Minimum group size + GatewaysMaxSize: + default: Maximum group size + GatewayVersion: + default: Gateways version & license + GatewayPasswordHash: + default: Gateways Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: Gateways SIC key + ControlGatewayOverPrivateOrPublicAddress: + default: Gateways addresses + AllocatePublicAddress: + default: Allocate Public IPs + CloudWatch: + default: CloudWatch metrics + GatewaysBlades: + default: Default Blades + ManagementDeploy: + default: Deploy Management Server + ManagementInstanceType: + default: Management instance type + ManagementVersion: + default: Management version & license + ManagementPasswordHash: + default: Management password hash + ManagementMaintenancePasswordHash: + default: Management Maintenance Password hash + GatewaysPolicy: + default: Security Policy + AdminCIDR: + default: Administrator addresses + GatewayManagement: + default: Manage Gateways + GatewaysAddresses: + default: Gateways addresses + ALBProtocol: + default: ALB Protocol + ServicePort: + default: Custom service port + ServerInstanceType: + default: Servers instance type + ServerAMI: + default: AMI ID + ResourcesTagName: + default: Resources tag name +Parameters: + AvailabilityZones: + Description: List of Availability Zones (AZs) to use for the subnets in the VPC. Select at least two. + Type: List + MinLength: 2 + NumberOfAZs: + Description: Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter. 
+ Type: Number + Default: 2 + MinValue: 2 + MaxValue: 4 + SecurityVPCCIDR: + Description: CIDR block for the VPC. + Type: String + Default: 10.0.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + SecurityPublicSubnet1CIDR: + Description: CIDR block for public subnet 1 located in the 1st Availability Zone. If you choose to deploy a Security Management Server it will be deployed in this subnet. + Type: String + Default: 10.0.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + SecurityPublicSubnet2CIDR: + Description: CIDR block for public subnet 2 located in the 2nd Availability Zone. + Type: String + Default: 10.0.20.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + SecurityPublicSubnet3CIDR: + Description: CIDR block for public subnet 3 located in the 3rd Availability Zone. + Type: String + Default: 10.0.30.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + SecurityPublicSubnet4CIDR: + Description: CIDR block for public subnet 4 located in the 4th Availability Zone. + Type: String + Default: 10.0.40.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. 
+ ServersVPCCIDR: + Description: CIDR block for the VPC. + Type: String + Default: 192.168.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + ServersPublicSubnet1CIDR: + Description: CIDR block for public subnet 1 located in the 1st Availability Zone. + Type: String + Default: 192.168.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + ServersPublicSubnet2CIDR: + Description: CIDR block for public subnet 2 located in the 2nd Availability Zone. + Type: String + Default: 192.168.20.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + ServersPublicSubnet3CIDR: + Description: CIDR block for public subnet 3 located in the 3rd Availability Zone. + Type: String + Default: 192.168.30.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + ServersPublicSubnet4CIDR: + Description: CIDR block for public subnet 4 located in the 4th Availability Zone. + Type: String + Default: 192.168.40.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + GWLBeSubnet1CIDR: + Description: CIDR block for the GWLBe subnet 1 located in Availability Zone 1. 
+ Type: String + Default: 192.168.70.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + GWLBeSubnet2CIDR: + Description: CIDR block for the GWLBe subnet 2 located in Availability Zone 2. + Type: String + Default: 192.168.80.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + GWLBeSubnet3CIDR: + Description: CIDR block for the GWLBe subnet 3 located in Availability Zone 3. + Type: String + Default: 192.168.90.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + GWLBeSubnet4CIDR: + Description: CIDR block for the GWLBe subnet 4 located in Availability Zone 4. + Type: String + Default: 192.168.100.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instances created by this stack. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: Must be the name of an existing EC2 KeyPair. + EnableVolumeEncryption: + Description: Encrypt Environment instances volume with default AWS KMS key. 
+ Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + MinValue: 100 + Default: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + ManagementServer: + Description: The name that represents the Security Management Server in the automatic provisioning configuration. + Type: String + Default: gwlb-management-server + MinLength: 1 + ConfigurationTemplate: + Description: A name of a gateway configuration template in the automatic provisioning configuration. + Type: String + Default: gwlb-ASG-configuration + MinLength: 1 + MaxLength: 30 + AdminEmail: + Description: Notifications about scaling events will be sent to this email address. (optional) + Type: String + Default: '' + AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$' + Shell: + Description: Change the admin shell to enable advanced command line configuration. Applies for Security Gateways and Security Management Server if deployed. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GWLBName: + Description: Gateway Load Balancer name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen. 
+ Type: String + AllowedPattern: '^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])$' + Default: gwlb1 + MaxLength: 32 + ConstraintDescription: Must be a valid GWLB Name. + TargetGroupName: + Description: Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen. + Type: String + AllowedPattern: '^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])$' + Default: tg1 + MaxLength: 32 + ConstraintDescription: Must be a valid target group name. + AcceptConnectionRequired: + Description: Indicate whether requests from service consumers to create an endpoint to your service must be accepted. Default is set to false(acceptance not required). + Default: "false" + AllowedValues: ["true", "false"] + Type: String + ConstraintDescription: Must be true or false. + CrossZoneLoadBalancing: + Description: Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges. + Type: String + Default: true + AllowedValues: + - true + - false + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Gateway + GatewayInstanceType: + Description: The EC2 instance type for the Security Gateways. 
+ Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + GatewaysMinSize: + Description: The minimal number of Security Gateways. 
+ Type: Number + Default: 2 + MinValue: 1 + GatewaysMaxSize: + Description: The maximal number of Security Gateways. + Type: Number + Default: 10 + MinValue: 1 + GatewayVersion: + Description: The version and license to install on the Security Gateways. + Type: String + Default: R81.20-BYOL + AllowedValues: + - R81.20-BYOL + - R81.20-PAYG-NGTP + - R81.20-PAYG-NGTX + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters. + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: Secure Internal Communication activation key should contain only alpha numeric characters and be at least 8 characters long. + NoEcho: true + ControlGatewayOverPrivateOrPublicAddress: + Description: Determines if the gateways are provisioned using their private or public address. + Type: String + Default: private + AllowedValues: + - private + - public + AllocatePublicAddress: + Description: Allocate a Public IP for gateway members. + Type: String + Default: false + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. 
+ Type: String + Default: false + AllowedValues: + - true + - false + ManagementDeploy: + Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section. + Type: String + Default: true + AllowedValues: + - true + - false + ManagementInstanceType: + Description: The EC2 instance type of the Security Management Server. + Type: String + Default: m5.xlarge + AllowedValues: + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - 
r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + ManagementVersion: + Description: The license to install on the Security Management Server. + Type: String + Default: R81.20-BYOL + AllowedValues: + - R81-BYOL + - R81-PAYG + - R81.10-BYOL + - R81.10-PAYG + - R81.20-BYOL + - R81.20-PAYG + ManagementPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + ManagementMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaysPolicy: + Description: The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group. + Type: String + Default: Standard + MinLength: 1 + GatewaysBlades: + Description: Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (these and additional Blades can be manually turned on or off later). + Type: String + Default: true + AdminCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate with the Security Management Server. 
+ Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + GatewayManagement: + Description: Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. + Type: String + Default: Locally managed + AllowedValues: + - Locally managed + - Over the internet + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Security Management Server. + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + ALBProtocol: + Description: The protocol to use on the Application Load Balancer. + Type: String + Default: HTTP + AllowedValues: + - HTTP + - HTTPS + ServicePort: + Description: 'The external Load Balancer listens to this port. Leave this field blank to use default ports: 80 for HTTP and 443 for HTTPS.' + Type: String + AllowedPattern: '^([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])?$' + ConstraintDescription: Custom service port must be a number between 0 and 65535. + ResourcesTagName: + Description: The name tag of the resources. (optional) + Type: String + Default: '' + ServerInstanceType: + Description: The EC2 instance type for the web servers. + Type: String + Default: t3.micro + AllowedValues: + - t3.nano + - t3.micro + - t3.small + - t3.medium + - t3.large + - t3.xlarge + - t3.2xlarge + ConstraintDescription: Must be a valid EC2 instance type. + ServerAMI: + Description: The Amazon Machine Image ID of a preconfigured web server (e.g. ami-0dc7dc63). + Type: String + AllowedPattern: '^(ami-(([0-9a-f]{8})|([0-9a-f]{17})))$' + ConstraintDescription: Amazon Machine Image ID must be in the form ami-xxxxxxxx or ami-xxxxxxxxxxxxxxxxx. 
+ SubnetTagsInboundCIDR: + Description: Inbound Subnet tagging for Inspection (Comma-delimited list of CIDR blocks for inspection), For more information, visit the documentation at CloudGuard Network for AWS Gateway Load Balancer Auto Scaling Group Deployment Guide Admin guide. + Type: CommaDelimitedList + Default: "0.0.0.0/0" + SubnetTagsOutboundCIDR: + Description: Outbound Subnet tagging for Inspection (Comma-delimited list of CIDR blocks for inspection), For more information, visit the documentation at CloudGuard Network for AWS Gateway Load Balancer Auto Scaling Group Deployment Guide Admin guide. + Type: CommaDelimitedList + Default: "0.0.0.0/0" +Conditions: + 4AZs: !Equals [!Ref NumberOfAZs, 4] + 3AZs: !Or [!Equals [!Ref NumberOfAZs, 3], !Condition 4AZs] + DeployManagement: !Equals [!Ref ManagementDeploy, true] + EncryptedProtocol: !Equals [ ALBProtocol, HTTPS ] + ProvidedPort: !Not [!Equals [!Ref ServicePort, '']] + ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']] +Resources: + SecurityVPCStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml + Parameters: + AvailabilityZones: !Join [',' , !Ref AvailabilityZones] + NumberOfAZs: !Ref NumberOfAZs + VPCCIDR: !Ref SecurityVPCCIDR + PublicSubnet1CIDR: !Ref SecurityPublicSubnet1CIDR + PublicSubnet2CIDR: !Ref SecurityPublicSubnet2CIDR + PublicSubnet3CIDR: !Ref SecurityPublicSubnet3CIDR + PublicSubnet4CIDR: !Ref SecurityPublicSubnet4CIDR + CreatePrivateSubnets: false + ServersVPCStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/qs-gwlb-servers-vpc.yaml + Parameters: + AvailabilityZones: !Join [ ',' , !Ref AvailabilityZones ] + NumberOfAZs: !Ref NumberOfAZs + VPCCIDR: !Ref ServersVPCCIDR + ServersSubnet1CIDR: !Ref ServersPublicSubnet1CIDR + ServersSubnet2CIDR: !Ref ServersPublicSubnet2CIDR + ServersSubnet3CIDR: !Ref ServersPublicSubnet3CIDR + ServersSubnet4CIDR: !Ref 
ServersPublicSubnet4CIDR + GWLBeSubnet1CIDR: !Ref GWLBeSubnet1CIDR + GWLBeSubnet2CIDR: !Ref GWLBeSubnet2CIDR + GWLBeSubnet3CIDR: !Ref GWLBeSubnet3CIDR + GWLBeSubnet4CIDR: !Ref GWLBeSubnet4CIDR + SubnetTagsOutboundCIDR: !Join [ ',' , !Ref SubnetTagsOutboundCIDR ] + SubnetTagsInboundCIDR: !Join [ ',' , !Ref SubnetTagsInboundCIDR ] + MainStack: + Type: AWS::CloudFormation::Stack + DependsOn: [SecurityVPCStack, ServersVPCStack] + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/qs-gwlb.yaml + Parameters: + SecurityVPC: !GetAtt SecurityVPCStack.Outputs.VPCID + NumberOfAZs: !Ref NumberOfAZs + GatewaysSubnets: !Join + - ',' + - - !GetAtt SecurityVPCStack.Outputs.PublicSubnet1ID + - !GetAtt SecurityVPCStack.Outputs.PublicSubnet2ID + - !If [ 3AZs, !GetAtt SecurityVPCStack.Outputs.PublicSubnet3ID, !Ref 'AWS::NoValue' ] + - !If [ 4AZs, !GetAtt SecurityVPCStack.Outputs.PublicSubnet4ID, !Ref 'AWS::NoValue' ] + ServersVPC: !GetAtt ServersVPCStack.Outputs.VPCID + ServersSubnets: !Join [',', [!GetAtt ServersVPCStack.Outputs.ServersSubnet1ID, !GetAtt ServersVPCStack.Outputs.ServersSubnet2ID, !If [ 3AZs, !GetAtt ServersVPCStack.Outputs.ServersSubnet3ID, !Ref 'AWS::NoValue' ], !If [ 4AZs, !GetAtt ServersVPCStack.Outputs.ServersSubnet4ID, !Ref 'AWS::NoValue' ]]] + GWLBeSubnets: !Join [',', [!GetAtt ServersVPCStack.Outputs.GWLBeSubnet1ID, !GetAtt ServersVPCStack.Outputs.GWLBeSubnet2ID, !If [ 3AZs, !GetAtt ServersVPCStack.Outputs.GWLBeSubnet3ID, !Ref 'AWS::NoValue' ], !If [ 4AZs, !GetAtt ServersVPCStack.Outputs.GWLBeSubnet4ID, !Ref 'AWS::NoValue' ]]] + KeyName: !Ref KeyName + EnableVolumeEncryption: !Ref EnableVolumeEncryption + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + EnableInstanceConnect: !Ref EnableInstanceConnect + TerminationProtection: !Ref TerminationProtection + AllowUploadDownload: !Ref AllowUploadDownload + ManagementServer: !Ref ManagementServer + ConfigurationTemplate: !Ref ConfigurationTemplate + AdminEmail: !Ref AdminEmail + Shell: !Ref 
Shell + GWLBName: !Ref GWLBName + TargetGroupName: !Ref TargetGroupName + AcceptConnectionRequired: !Ref AcceptConnectionRequired + CrossZoneLoadBalancing: !Ref CrossZoneLoadBalancing + GatewayName: !Ref GatewayName + GatewayInstanceType: !Ref GatewayInstanceType + GatewaysMinSize: !Ref GatewaysMinSize + GatewaysMaxSize: !Ref GatewaysMaxSize + GatewayVersion: !Ref GatewayVersion + GatewayPasswordHash: !Ref GatewayPasswordHash + GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash + GatewaySICKey: !Ref GatewaySICKey + ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress + AllocatePublicAddress: !Ref AllocatePublicAddress + CloudWatch: !Ref CloudWatch + ManagementDeploy: !Ref ManagementDeploy + ManagementInstanceType: !Ref ManagementInstanceType + ManagementVersion: !Ref ManagementVersion + ManagementPasswordHash: !Ref ManagementPasswordHash + ManagementMaintenancePasswordHash: !Ref ManagementMaintenancePasswordHash + GatewaysPolicy: !Ref GatewaysPolicy + GatewaysBlades: !Ref GatewaysBlades + AdminCIDR: !Ref AdminCIDR + GatewayManagement: !Ref GatewayManagement + GatewaysAddresses: !Ref GatewaysAddresses + ALBProtocol: !Ref ALBProtocol + ServicePort: !Ref ServicePort + ResourcesTagName: !Ref ResourcesTagName + ServerInstanceType: !Ref ServerInstanceType + ServerAMI: !Ref ServerAMI + ServerIGW: !GetAtt ServersVPCStack.Outputs.IGWID + ServersCIDRs: !Join + - ',' + - - !Ref ServersPublicSubnet1CIDR + - !Ref ServersPublicSubnet2CIDR + - !If [ 3AZs, !Ref ServersPublicSubnet3CIDR, !Ref 'AWS::NoValue' ] + - !If [ 4AZs, !Ref ServersPublicSubnet4CIDR, !Ref 'AWS::NoValue' ] + +Outputs: + SecurityVPCID: + Description: Security VPC ID. + Value: !GetAtt SecurityVPCStack.Outputs.VPCID + ServersVPCID: + Description: Servers VPC ID. + Value: !GetAtt ServersVPCStack.Outputs.VPCID + ManagementPublicAddress: + Description: The public address of the management server. 
+ Value: !GetAtt MainStack.Outputs.ManagementPublicAddress + Condition: DeployManagement + ConfigurationTemplateName: + Description: The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name. + Value: !GetAtt MainStack.Outputs.ConfigurationTemplateName + ControllerName: + Description: The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name. + Value: !GetAtt MainStack.Outputs.ControllerName + GWLBName: + Description: Gateway Load Balancer Name. + Value: !GetAtt MainStack.Outputs.GWLBName + GWLBServiceName: + Description: Gateway Load Balancer Service Name. + Value: !GetAtt MainStack.Outputs.GWLBServiceName + VpcEndpointService: + Description: Endpoint Service Name. + Value: !GetAtt MainStack.Outputs.VpcEndpointService + ServerPorts: + Description: The internal Load Balancer should listen to this port. + Value: !GetAtt MainStack.Outputs.ServerPorts + Condition: DeployManagement + ServerLBURL: + Description: The URL of the Servers Application Load Balancer. + Value: !GetAtt MainStack.Outputs.ServerLBURL + Condition: DeployManagement + ServerSecurityGroupID: + Description: The Application Servers Security Group ID. 
+ Value: !GetAtt MainStack.Outputs.ServerSecurityGroupID + Condition: DeployManagement + Server1EndpointRoute: + Description: Server 1 GWLB EndPoint route entry + Value: !Sub ['${ROUTE1} | ${AZ1}', {ROUTE1: !GetAtt MainStack.Outputs.Server1EndpointRoute, AZ1: !Select [0, !Ref AvailabilityZones]}] + Server2EndpointRoute: + Description: Server 2 GWLB EndPoint route entry + Value: !Sub ['${ROUTE2} | ${AZ2}', {ROUTE2: !GetAtt MainStack.Outputs.Server2EndpointRoute, AZ2: !Select [1, !Ref AvailabilityZones]}] + Server3EndpointRoute: + Description: Server 3 GWLB EndPoint route entry + Value: !Sub ['${ROUTE3} | ${AZ3}', {ROUTE3: !GetAtt MainStack.Outputs.Server3EndpointRoute, AZ3: !Select [2, !Ref AvailabilityZones]}] + Condition: 3AZs + Server4EndpointRoute: + Description: Server 4 GWLB EndPoint route entry + Value: !Sub ['${ROUTE4} | ${AZ4}', {ROUTE4: !GetAtt MainStack.Outputs.Server4EndpointRoute, AZ4: !Select [3, !Ref AvailabilityZones]}] + Condition: 4AZs + +Rules: + GatewayAddressAllocationRule: + RuleCondition: !Equals [!Ref ControlGatewayOverPrivateOrPublicAddress, 'public'] + Assertions: + - AssertDescription: "Gateway's selected to be provisioned by public IP, but ['AllocatePublicAddress'] parameter is false" + Assert: !Equals [!Ref AllocatePublicAddress, 'true'] diff --git a/aws/templates/gwlb-asg/qs-gwlb.yaml b/aws/templates/gwlb-asg/qs-gwlb.yaml new file mode 100644 index 00000000..1e560d67 --- /dev/null +++ b/aws/templates/gwlb-asg/qs-gwlb.yaml 
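Review bot: The `EncryptedProtocol` condition in the Conditions block of qs-gwlb-master.yaml compares the literal string `ALBProtocol` with `HTTPS` instead of the parameter value, so it can never evaluate true; it should read `EncryptedProtocol: !Equals [!Ref ALBProtocol, HTTPS]`. Nothing in this template's Resources or Outputs references that condition, so the defect is latent here, but it will surface in the first resource that adopts it. Separately, the three nested-stack `TemplateURL`s (`SecurityVPCStack`, `ServersVPCStack`, `MainStack`) fetch unpinned objects from the `cgi-cfts` S3 bucket at deploy time, so the deployed VPCs and gateway stack can change without any change to this template; a comment above `SecurityVPCStack` recording the expected template version, or mirroring those objects into a deployer-controlled bucket, would make deployments reproducible and reviewable. The `GatewayMaintenancePasswordHash` and `ManagementMaintenancePasswordHash` `AllowedPattern`s also omit the `^…$` anchors their `*PasswordHash` siblings use; aligning them to `'^[\$\./a-zA-Z0-9]*$'` keeps the parameter validation consistent across the template.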
@@ -0,0 +1,915 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: "Deploy a Quick-Start Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, optionally: Security Management Server and Application Server Autoscale in an existing VPC (05072024)" +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: General Network Configuration + Parameters: + - NumberOfAZs + - Label: + default: Security Network Configuration + Parameters: + - SecurityVPC + - GatewaysSubnets + - Label: + default: Servers Network Configuration + Parameters: + - ServersVPC + - ServersSubnets + - ServersCIDRs + - GWLBeSubnets + - ServerIGW + - Label: + default: General Settings + Parameters: + - KeyName + - EnableVolumeEncryption + - VolumeSize + - VolumeType + - EnableInstanceConnect + - TerminationProtection + - AllowUploadDownload + - ManagementServer + - ConfigurationTemplate + - AdminEmail + - Shell + - Label: + default: Gateway Load Balancer Configuration + Parameters: + - GWLBName + - TargetGroupName + - AcceptConnectionRequired + - CrossZoneLoadBalancing + - Label: + default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - GatewaysMinSize + - GatewaysMaxSize + - GatewayVersion + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - ControlGatewayOverPrivateOrPublicAddress + - AllocatePublicAddress + - CloudWatch + - Label: + default: Check Point CloudGuard IaaS Security Management Server Configuration + Parameters: + - ManagementDeploy + - ManagementInstanceType + - ManagementVersion + - ManagementPasswordHash + - ManagementMaintenancePasswordHash + - GatewaysPolicy + - GatewaysBlades + - AdminCIDR + - GatewayManagement + - GatewaysAddresses + - Label: + default: Web Servers Auto Scaling Group Configuration + Parameters: + - ServerInstanceType + - ServerAMI + - ALBProtocol + - ServicePort + - ResourcesTagName + 
ParameterLabels: + NumberOfAZs: + default: Number of AZs + SecurityVPC: + default: SecurityVPC + GatewaysSubnets: + default: Gateways subnets + ServersVPC: + default: ServersVPC + ServersSubnets: + default: Servers subnets + ServersCIDRs: + default: ServersCIDRs + GWLBeSubnets: + default: GWLBe subnets + ServerIGW: + default: Server VPC IGW + KeyName: + default: Key name + EnableVolumeEncryption: + default: Enable environment volume encryption + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + AllowUploadDownload: + default: Allow upload & download + ManagementServer: + default: Management Server + ConfigurationTemplate: + default: Configuration template + AdminEmail: + default: Email address + Shell: + default: Admin shell + GWLBName: + default: Gateway Load Balancer Name + TargetGroupName: + default: Target Group Name + AcceptConnectionRequired: + default: Connection Acceptance Required + CrossZoneLoadBalancing: + default: Enable Cross Zone Load Balancing + GatewayName: + default: Gateways instance name + GatewayInstanceType: + default: Gateways instance type + GatewaysMinSize: + default: Minimum group size + GatewaysMaxSize: + default: Maximum group size + GatewayVersion: + default: Gateways version & license + GatewayPasswordHash: + default: Gateways Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: Gateways SIC key + ControlGatewayOverPrivateOrPublicAddress: + default: Gateways addresses + AllocatePublicAddress: + default: Allocate Public IPs + CloudWatch: + default: CloudWatch metrics + ManagementDeploy: + default: Deploy Management Server + ManagementInstanceType: + default: Management instance type + ManagementVersion: + default: Management version & license + ManagementPasswordHash: + default: Management password hash + 
ManagementMaintenancePasswordHash: + default: Management Maintenance Password hash + GatewaysPolicy: + default: Security Policy + GatewaysBlades: + default: Default Blades + AdminCIDR: + default: Administrator addresses + GatewayManagement: + default: Manage Gateways + GatewaysAddresses: + default: Gateways addresses + ServerInstanceType: + default: Servers instance type + ServerAMI: + default: AMI ID + ALBProtocol: + default: ALB Protocol + ServicePort: + default: Custom service port + ResourcesTagName: + default: Resources tag name +Parameters: + NumberOfAZs: + Description: Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter. + Type: Number + Default: 2 + MinValue: 2 + MaxValue: 4 + SecurityVPC: + Description: Select an existing Security VPC. + Type: AWS::EC2::VPC::Id + MinLength: 1 + ConstraintDescription: You must select a VPC. + GatewaysSubnets: + Description: Select at least 2 public subnets in the Security VPC. + Type: List + MinLength: 2 + ServersVPC: + Description: Select an existing VPC for Serevrs deployment. + Type: AWS::EC2::VPC::Id + MinLength: 1 + ConstraintDescription: You must select a VPC. + ServersSubnets: + Description: Select at least 2 private subnets in the VPC for Servers deployment. + Type: List + MinLength: 2 + GWLBeSubnets: + Description: Select at least 2 public subnets in the VPC for GWLBe deployment. + Type: List + MinLength: 2 + ServerIGW: + Description: Internet gateway It that attached to Servers VPC + Type: String + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instances created by this stack. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: Must be the name of an existing EC2 KeyPair. + EnableVolumeEncryption: + Description: Encrypt Environment instances volume with default AWS KMS key. 
+ Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + MinValue: 100 + Default: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + ManagementServer: + Description: The name that represents the Security Management Server in the automatic provisioning configuration. + Type: String + Default: gwlb-management-server + MinLength: 1 + ConfigurationTemplate: + Description: A name of a gateway configuration template in the automatic provisioning configuration. + Type: String + Default: gwlb-ASG-configuration + MinLength: 1 + MaxLength: 30 + AdminEmail: + Description: Notifications about scaling events will be sent to this email address. (optional) + Type: String + Default: '' + AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$' + Shell: + Description: Change the admin shell to enable advanced command line configuration. Applies for Security Gateways and Security Management Server if deployed. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GWLBName: + Description: Gateway Load Balancer name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen. 
+ Type: String + Default: gwlb1 + ConstraintDescription: Must be a valid GWLB Name. + TargetGroupName: + Description: Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen. + Type: String + Default: tg1 + ConstraintDescription: Must be a valid target group name. + AcceptConnectionRequired: + Description: Indicate whether requests from service consumers to create an endpoint to your service must be accepted. Default is set to false(acceptance not required). + Default: "false" + AllowedValues: ["true", "false"] + Type: String + ConstraintDescription: Must be true or false. + CrossZoneLoadBalancing: + Description: Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges. + Type: String + Default: true + AllowedValues: + - true + - false + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Gateway + GatewayInstanceType: + Description: The EC2 instance type for the Security Gateways. 
+ Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + GatewaysMinSize: + Description: The minimal number of Security Gateways. 
+ Type: Number + Default: 2 + MinValue: 1 + GatewaysMaxSize: + Description: The maximal number of Security Gateways. + Type: Number + Default: 10 + MinValue: 1 + GatewayVersion: + Description: The version and license to install on the Security Gateways. + Type: String + Default: R81.20-BYOL + AllowedValues: + - R81.20-BYOL + - R81.20-PAYG-NGTP + - R81.20-PAYG-NGTX + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters. + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: Secure Internal Communication acti.vation key should contain only alpha numeric characters and be at least 8 characters long. + NoEcho: true + ControlGatewayOverPrivateOrPublicAddress: + Description: Determines if the gateways are provisioned using their private or public address. + Type: String + Default: private + AllowedValues: + - private + - public + AllocatePublicAddress: + Description: Allocate a Public IP for gateway members. + Type: String + Default: false + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. 
+ Type: String + Default: false + AllowedValues: + - true + - false + ManagementDeploy: + Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section. + Type: String + Default: true + AllowedValues: + - true + - false + ManagementInstanceType: + Description: The EC2 instance type of the Security Management Server. + Type: String + Default: m5.xlarge + AllowedValues: + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - 
r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + ManagementVersion: + Description: The license to install on the Security Management Server. + Type: String + Default: R81.20-BYOL + AllowedValues: + - R81-BYOL + - R81-PAYG + - R81.10-BYOL + - R81.10-PAYG + - R81.20-BYOL + - R81.20-PAYG + ManagementPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + ManagementMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaysPolicy: + Description: The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group. + Type: String + Default: Standard + MinLength: 1 + GatewaysBlades: + Description: Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (these and additional Blades can be manually turned on or off later). + Type: String + Default: true + AdminCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate with the Security Management Server. 
+ Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + GatewayManagement: + Description: Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. + Type: String + Default: Locally managed + AllowedValues: + - Locally managed + - Over the internet + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Security Management Server. + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + ALBProtocol: + Description: The protocol to use on the Application Load Balancer. + Type: String + Default: HTTP + AllowedValues: + - HTTP + - HTTPS + ServicePort: + Description: 'The external Load Balancer listens to this port. Leave this field blank to use default ports: 80 for HTTP and 443 for HTTPS.' + Type: String + AllowedPattern: '^([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])?$' + ConstraintDescription: Custom service port must be a number between 0 and 65535. + ResourcesTagName: + Description: The name tag of the resources. (optional) + Type: String + Default: '' + ServerInstanceType: + Description: The EC2 instance type for the web servers. + Type: String + Default: t3.micro + AllowedValues: + - t3.nano + - t3.micro + - t3.small + - t3.medium + - t3.large + - t3.xlarge + - t3.2xlarge + ConstraintDescription: Must be a valid EC2 instance type. + ServerAMI: + Description: The Amazon Machine Image ID of a preconfigured web server (e.g. ami-0dc7dc63). + Type: String + AllowedPattern: '^(ami-(([0-9a-f]{8})|([0-9a-f]{17})))$' + ConstraintDescription: Amazon Machine Image ID must be in the form ami-xxxxxxxx or ami-xxxxxxxxxxxxxxxxx. 
+ ServersCIDRs: + Description: CIDR's block of each Servers private subnet(divided by coma, without spaces) + Type: CommaDelimitedList + Default: "192.168.0.10/24, 192.168.0.20/24" +Conditions: + 4AZs: !Equals [!Ref NumberOfAZs, 4] + 3AZs: !Or [!Equals [!Ref NumberOfAZs, 3], !Condition 4AZs] + 2AZs: !Or [!Equals [!Ref NumberOfAZs, 2], !Condition 3AZs] + DeployManagement: !Equals [!Ref ManagementDeploy, true] + VolumeEncryption: !Equals [!Ref EnableVolumeEncryption, true] + ProvidedPort: !Not [!Equals [!Ref ServicePort, '']] + ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']] + EncryptedProtocol: !Equals [ ALBProtocol, HTTPS ] +Resources: + GatewayLoadBalancer: + Type: AWS::ElasticLoadBalancingV2::LoadBalancer + Properties: + Type: gateway + Name: !Ref GWLBName + LoadBalancerAttributes: + - Key: load_balancing.cross_zone.enabled + Value: !Ref CrossZoneLoadBalancing + Subnets: !Ref GatewaysSubnets + Tags: + - Key: x-chkp-management + Value: !Ref ManagementServer + - Key: x-chkp-template + Value: !Ref ConfigurationTemplate + VpcEndpointService: + Type: AWS::EC2::VPCEndpointService + Properties: + AcceptanceRequired: !Ref AcceptConnectionRequired + GatewayLoadBalancerArns: + - !Ref GatewayLoadBalancer + TargetGroup: + Type: AWS::ElasticLoadBalancingV2::TargetGroup + Properties: + Name: !Ref TargetGroupName + Port: 6081 + Protocol: GENEVE + HealthCheckPort: 8117 + HealthCheckProtocol: TCP + TargetGroupAttributes: + - Key: deregistration_delay.timeout_seconds + Value: 20 + VpcId: !Ref SecurityVPC + TargetType: instance + Tags: + - Key: Name + Value: !Join + - "" + - - !Ref AWS::StackName + - "-tg1" + Listener: + Type: AWS::ElasticLoadBalancingV2::Listener + Properties: + DefaultActions: + - Type: forward + TargetGroupArn: !Ref TargetGroup + LoadBalancerArn: !Ref GatewayLoadBalancer + SecurityGatewaysStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/autoscale-gwlb.yaml + Parameters: + VPC: !Ref 
SecurityVPC + GatewaysSubnets: !Join [',', !Ref GatewaysSubnets] + GatewayName: !Ref GatewayName + GatewayInstanceType: !Ref GatewayInstanceType + KeyName: !Ref KeyName + Shell: !Ref Shell + EnableVolumeEncryption: !Ref EnableVolumeEncryption + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + EnableInstanceConnect: !Ref EnableInstanceConnect + GatewaysMinSize: !Ref GatewaysMinSize + GatewaysMaxSize: !Ref GatewaysMaxSize + AdminEmail: !Ref AdminEmail + GatewaysTargetGroups: !Ref TargetGroup + GatewayVersion: !Ref GatewayVersion + GatewayPasswordHash: !Ref GatewayPasswordHash + GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash + GatewaySICKey: !Ref GatewaySICKey + AllowUploadDownload: !Ref AllowUploadDownload + ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress + AllocatePublicAddress: !Ref AllocatePublicAddress + CloudWatch: !Ref CloudWatch + ManagementServer: !Ref ManagementServer + ConfigurationTemplate: !Ref ConfigurationTemplate + GatewayBootstrapScript: !Join + - ';' + - - 'echo -e "\nStarting Bootstrap script\n"' + - 'echo "Adding quickstart identifier to cloud-version"' + - 'cv_template="gwlb_qs"' + - 'cv_path="/etc/cloud-version"' + - 'if test -f ${cv_path}; then sed -i ''/template_name/c\template_name: ''"${cv_template}"'''' /etc/cloud-version; fi' + - 'cv_json_path="/etc/cloud-version.json"' + - 'cv_json_path_tmp="/etc/cloud-version-tmp.json"' + - 'if test -f ${cv_json_path}; then cat ${cv_json_path} | jq ''.template_name = "''"${cv_template}"''"'' > ${cv_json_path_tmp}; mv ${cv_json_path_tmp} ${cv_json_path}; fi' + - 'echo -e "\nFinished Bootstrap script\n"' + ManagementStack: + Type: AWS::CloudFormation::Stack + Condition: DeployManagement + DependsOn: GWLBeEndpointStack + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/management-gwlb.yaml + Parameters: + VPC: !Ref SecurityVPC + ManagementSubnet: !Select [0, !Ref GatewaysSubnets] + ManagementName: !Ref ManagementServer + 
ManagementInstanceType: !Ref ManagementInstanceType + KeyName: !Ref KeyName + Shell: !Ref Shell + VolumeEncryption: !If [VolumeEncryption, alias/aws/ebs, ''] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + EnableInstanceConnect: !Ref EnableInstanceConnect + ManagementPermissions: Create with read-write permissions + ManagementVersion: !Ref ManagementVersion + ManagementPasswordHash: !Ref ManagementPasswordHash + ManagementMaintenancePasswordHash: !Ref ManagementMaintenancePasswordHash + AllowUploadDownload: !Ref AllowUploadDownload + AdminCIDR: !Ref AdminCIDR + GatewayManagement: !Ref GatewayManagement + GatewaysAddresses: !Ref GatewaysAddresses + TerminationProtection: !Ref TerminationProtection + ManagementBootstrapScript: !Join + - ';' + - - 'echo -e "\nStarting Bootstrap script\n"' + - !Sub 'policy=${GatewaysPolicy} ; region=${AWS::Region} ; conf_template=${ConfigurationTemplate} ; mgmt=${ManagementServer} ; blades=${GatewaysBlades}' + - !Sub ['version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - !Join ['', ['sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ' | base64 -d)"']] + - 'controller="gwlb-controller"' + - 'echo "Adding quickstart identifier to cloud-version"' + - 'cv_template="management_gwlb_qs"' + - 'cv_path="/etc/cloud-version"' + - 'if test -f ${cv_path}; then sed -i ''/template_name/c\template_name: ''"${cv_template}"'''' /etc/cloud-version; fi' + - 'cv_json_path="/etc/cloud-version.json"' + - 'cv_json_path_tmp="/etc/cloud-version-tmp.json"' + - 'if test -f ${cv_json_path}; then cat ${cv_json_path} | jq ''.template_name = "''"${cv_template}"''"'' > ${cv_json_path_tmp}; mv ${cv_json_path_tmp} ${cv_json_path}; fi' + - 'echo "Creating CME configuration"' + - 'autoprov_cfg -f init AWS -mn "${mgmt}" -tn "${conf_template}" -cn "${controller}" -po "${policy}" -otp "${sic}" -r "${region}" -ver "${version}" -iam -ss' + - 'autoprov_cfg -f set controller AWS -cn "${controller}" -ct "${conf_template}"' + - 
'${blades} && autoprov_cfg -f set template -tn "${conf_template}" -ips -appi -av -ab' + - 'echo "Set Scan GWLB Load Balancer parameter"' + - 'autoprovision_file="${FWDIR}/conf/autoprovision.json"' + - 'autoprovision_file_tmp="${FWDIR}/conf/autoprovision.json.tmp"' + - 'if test -f ${autoprovision_file}; then jq ".controllers.\"${controller}\".sync |= . + {\"lb\": false}" "${autoprovision_file}" > "${autoprovision_file_tmp}"; mv "${autoprovision_file_tmp}" "${autoprovision_file}"; fi' + - 'echo -e "\nFinished Bootstrap script\n"' + GWLBeEndpointStack: + Type: AWS::CloudFormation::Stack + DependsOn: VpcEndpointService + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/qs-gwlb-endpoints.yaml + Parameters: + NumberOfAZs: !Ref NumberOfAZs + GWLBeVPC: !Ref ServersVPC + GWLBeSubnets: !Join [',', !Ref GWLBeSubnets] + GWLBServiceName: !Sub ["com.amazonaws.vpce.${AWS::Region}.${Service}", {Service: !Ref VpcEndpointService}] + ServersSubnets: !Join [',', !Ref ServersSubnets] + ServersCIDRs: !Join [',', !Ref ServersCIDRs] + ServerIGW: !Ref ServerIGW + ServersStacks: + Type: AWS::CloudFormation::Stack + DependsOn: GWLBeEndpointStack + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/qs-gwlb-servers-autoscale.yaml + Parameters: + VPC: !Ref ServersVPC + Subnets: !Join [',', !Ref ServersSubnets] + ResourcesTagName: !Ref ResourcesTagName + ALBProtocol: !Ref ALBProtocol + ServicePort: !If [ProvidedPort, !Ref ServicePort, !If [EncryptedProtocol, 443, 80]] + AdminEmail: !Ref AdminEmail + ServerInstanceType: !Ref ServerInstanceType + ServerAMI: !Ref ServerAMI + KeyName: !Ref KeyName + AllocateServerPublicAddress: true + ServersMinSize: !Ref GatewaysMinSize + ServersMaxSize: !Ref GatewaysMaxSize +Outputs: + SecurityVPCID: + Description: Security VPC ID. + Value: !Ref SecurityVPC + ManagementPublicAddress: + Description: The public address of the management server. 
+ Value: !GetAtt ManagementStack.Outputs.PublicAddress + Condition: DeployManagement + ConfigurationTemplateName: + Description: The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name. + Value: !Ref ConfigurationTemplate + ControllerName: + Description: The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name. + Value: gwlb-controller + GWLBName: + Description: Gateway Load Balancer Name. + Value: !Ref GWLBName + GWLBServiceName: + Description: Gateway Load Balancer Service Name. + Value: !Sub ["com.amazonaws.vpce.${AWS::Region}.${Service}", {Service: !Ref VpcEndpointService}] + VpcEndpointService: + Description: Endpoint Service Name. + Value: !Ref VpcEndpointService + ServerPorts: + Description: The internal Load Balancer should listen to this port. + Value: !If [EncryptedProtocol, 443, 80] + Condition: DeployManagement + ServerLBURL: + Description: The URL of the Servers Application Load Balancer. + Value: !GetAtt ServersStacks.Outputs.ServerLBURL + Condition: DeployManagement + ServerSecurityGroupID: + Description: The Application Servers Security Group ID. 
+ Value: !GetAtt ServersStacks.Outputs.ServerSecurityGroupID
+ Condition: DeployManagement
+ Server1EndpointRoute:
+ Description: Server 1 GWLB EndPoint route entry
+ Value: !GetAtt GWLBeEndpointStack.Outputs.Server1EndpointRoute
+ Server2EndpointRoute:
+ Description: Server 2 GWLB EndPoint route entry
+ Value: !GetAtt GWLBeEndpointStack.Outputs.Server2EndpointRoute
+ Server3EndpointRoute:
+ Description: Server 3 GWLB EndPoint route entry
+ Value: !GetAtt GWLBeEndpointStack.Outputs.Server3EndpointRoute
+ Condition: 3AZs
+ Server4EndpointRoute:
+ Description: Server 4 GWLB EndPoint route entry
+ Value: !GetAtt GWLBeEndpointStack.Outputs.Server4EndpointRoute
+ Condition: 4AZs
+Rules:
+ GatewayAddressAllocationRule:
+ RuleCondition: !Equals [!Ref ControlGatewayOverPrivateOrPublicAddress, 'public']
+ Assertions:
+ - AssertDescription: "Gateway's selected to be provisioned by public IP, but ['AllocatePublicAddress'] parameter is false"
+ Assert: !Equals [!Ref AllocatePublicAddress, 'true']
diff --git a/aws/templates/gwlb-asg/tgw-gwlb-master.yaml b/aws/templates/gwlb-asg/tgw-gwlb-master.yaml
new file mode 100644
index 00000000..f0284de3
--- /dev/null
+++ b/aws/templates/gwlb-asg/tgw-gwlb-master.yaml
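Review bot: The `EncryptedProtocol` condition in the Conditions block of qs-gwlb.yaml reads `!Equals [ ALBProtocol, HTTPS ]` without `!Ref`, so it compares the literal string "ALBProtocol" to "HTTPS" and is always false; the `ServicePort` handed to ServersStacks and the `ServerPorts` output therefore fall back to 80 even when HTTPS is selected. It should be `EncryptedProtocol: !Equals [!Ref ALBProtocol, HTTPS]`. In the ManagementStack bootstrap the parameter value is executed as a shell command (`'${blades} && autoprov_cfg -f set template ...'`), yet `GatewaysBlades` is declared as an unconstrained String with `Default: true`; adding `AllowedValues: [true, false]` under that parameter restricts it to the two values the bootstrap expects. The `ServersCIDRs` default `"192.168.0.10/24, 192.168.0.20/24"` contradicts its own description (it contains spaces, and both entries are host addresses within the same /24), and the `ServerPorts`, `ServerLBURL` and `ServerSecurityGroupID` outputs carry `Condition: DeployManagement` although ServersStacks is created unconditionally — presumably copied from the management outputs and worth removing.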
@@ -0,0 +1,862 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, in a new VPC for Transit Gateway (20240204) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - AvailabilityZones + - NumberOfAZs + - VPCCIDR + - PublicSubnet1CIDR + - PublicSubnet2CIDR + - PublicSubnet3CIDR + - PublicSubnet4CIDR + - TgwSubnet1CIDR + - TgwSubnet2CIDR + - TgwSubnet3CIDR + - TgwSubnet4CIDR + - NatGwSubnet1CIDR + - NatGwSubnet2CIDR + - NatGwSubnet3CIDR + - NatGwSubnet4CIDR + - GWLBeSubnet1CIDR + - GWLBeSubnet2CIDR + - GWLBeSubnet3CIDR + - GWLBeSubnet4CIDR + - Label: + default: General Settings + Parameters: + - KeyName + - EnableVolumeEncryption + - VolumeSize + - VolumeType + - EnableInstanceConnect + - TerminationProtection + - AllowUploadDownload + - ManagementServer + - ConfigurationTemplate + - AdminEmail + - Shell + - Label: + default: Gateway Load Balancer Configuration + Parameters: + - GWLBName + - TargetGroupName + - CrossZoneLoadBalancing + - Label: + default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - GatewaysMinSize + - GatewaysMaxSize + - GatewayVersion + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - ControlGatewayOverPrivateOrPublicAddress + - AllocatePublicAddress + - CloudWatch + - Label: + default: Check Point CloudGuard IaaS Security Management Server Configuration + Parameters: + - ManagementDeploy + - ManagementInstanceType + - ManagementVersion + - ManagementPasswordHash + - ManagementMaintenancePasswordHash + - GatewaysPolicy + - AdminCIDR + - GatewayManagement + - GatewaysAddresses + ParameterLabels: + AvailabilityZones: + default: Availability Zones + 
NumberOfAZs: + default: Number of AZs + VPCCIDR: + default: VPC CIDR + PublicSubnet1CIDR: + default: Public subnet 1 CIDR + PublicSubnet2CIDR: + default: Public subnet 2 CIDR + PublicSubnet3CIDR: + default: Public subnet 3 CIDR + PublicSubnet4CIDR: + default: Public subnet 4 CIDR + TgwSubnet1CIDR: + default: TGW subnet 1 CIDR + TgwSubnet2CIDR: + default: TGW subnet 2 CIDR + TgwSubnet3CIDR: + default: TGW subnet 3 CIDR + TgwSubnet4CIDR: + default: TGW subnet 4 CIDR + NatGwSubnet1CIDR: + default: NAT subnet 1 CIDR + NatGwSubnet2CIDR: + default: NAT subnet 2 CIDR + NatGwSubnet3CIDR: + default: NAT subnet 3 CIDR + NatGwSubnet4CIDR: + default: NAT subnet 4 CIDR + GWLBeSubnet1CIDR: + default: Gateway Load Balancer Endpoint subnet 1 CIDR + GWLBeSubnet2CIDR: + default: Gateway Load Balancer Endpoint subnet 2 CIDR + GWLBeSubnet3CIDR: + default: Gateway Load Balancer Endpoint subnet 3 CIDR + GWLBeSubnet4CIDR: + default: Gateway Load Balancer Endpoint subnet 4 CIDR + KeyName: + default: Key name + EnableVolumeEncryption: + default: Enable environment volume encryption + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + AllowUploadDownload: + default: Allow upload & download + ManagementServer: + default: Management Server + ConfigurationTemplate: + default: Configuration template + AdminEmail: + default: Email address + Shell: + default: Admin shell + GWLBName: + default: Gateway Load Balancer Name + TargetGroupName: + default: Target Group Name + CrossZoneLoadBalancing: + default: Enable Cross Zone Load Balancing + GatewayName: + default: Gateways instance name + GatewayInstanceType: + default: Gateways instance type + GatewaysMinSize: + default: Minimum group size + GatewaysMaxSize: + default: Maximum group size + GatewayVersion: + default: Gateways version & license + GatewayPasswordHash: + default: Gateways Password 
hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: Gateways SIC key + ControlGatewayOverPrivateOrPublicAddress: + default: Gateways addresses + AllocatePublicAddress: + default: Allocate Public IPs + CloudWatch: + default: CloudWatch metrics + ManagementDeploy: + default: Deploy Management Server + ManagementInstanceType: + default: Management instance type + ManagementVersion: + default: Management version & license + ManagementPasswordHash: + default: Management password hash + ManagementMaintenancePasswordHash: + default: Management Maintenance Password hash + GatewaysPolicy: + default: Security Policy + AdminCIDR: + default: Administrator addresses + GatewayManagement: + default: Manage Gateways + GatewaysAddresses: + default: Gateways addresses +Parameters: + AvailabilityZones: + Description: The Availability Zones (AZs) to use for the subnets in the VPC. Select two (the logical order is preserved). + Type: List + MinLength: 2 + NumberOfAZs: + Description: Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter. + Type: Number + Default: 2 + MinValue: 2 + MaxValue: 4 + VPCCIDR: + Description: The CIDR block of the provided VPC. + Type: String + Default: 10.0.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet1CIDR: + Description: CIDR block for public subnet 1 located in the 1st Availability Zone. + Type: String + Default: 10.0.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. 
+ PublicSubnet2CIDR: + Description: CIDR block for public subnet 2 located in the 2nd Availability Zone. + Type: String + Default: 10.0.20.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet3CIDR: + Description: CIDR block for public subnet 3 located in the 3rd Availability Zone. + Type: String + Default: 10.0.30.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet4CIDR: + Description: CIDR block for public subnet 4 located in the 4th Availability Zone. + Type: String + Default: 10.0.40.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + TgwSubnet1CIDR: + Description: CIDR block for TGW subnet 1 located in the 1st Availability Zone. + Type: String + Default: 10.0.12.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + TgwSubnet2CIDR: + Description: CIDR block for TGW subnet 2 located in the 2nd Availability Zone. + Type: String + Default: 10.0.22.0/24 + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + TgwSubnet3CIDR: + Description: CIDR block for TGW subnet 3 located in the 3rd Availability Zone. 
+ Type: String + Default: 10.0.32.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + TgwSubnet4CIDR: + Description: CIDR block for TGW subnet 4 located in the 4th Availability Zone. + Type: String + Default: 10.0.42.0/24 + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + NatGwSubnet1CIDR: + Description: CIDR block for NAT subnet 1 located in the 1st Availability Zone. + Type: String + Default: 10.0.13.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + NatGwSubnet2CIDR: + Description: CIDR block for NAT subnet 2 located in the 2nd Availability Zone. + Type: String + Default: 10.0.23.0/24 + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + NatGwSubnet3CIDR: + Description: CIDR block for NAT subnet 3 located in the 3rd Availability Zone. + Type: String + Default: 10.0.33.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + NatGwSubnet4CIDR: + Description: CIDR block for NAT subnet 4 located in the 4th Availability Zone. + Type: String + Default: 10.0.43.0/24 + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + GWLBeSubnet1CIDR: + Description: CIDR block for GWLBe subnet 1 located in the 1st Availability Zone. 
+ Type: String + Default: 10.0.14.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + GWLBeSubnet2CIDR: + Description: CIDR block for GWLBe subnet 2 located in the 2nd Availability Zone. + Type: String + Default: 10.0.24.0/24 + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + GWLBeSubnet3CIDR: + Description: CIDR block for GWLBe subnet 3 located in the 3rd Availability Zone. + Type: String + Default: 10.0.34.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + GWLBeSubnet4CIDR: + Description: CIDR block for GWLBe subnet 4 located in the 4th Availability Zone. + Type: String + Default: 10.0.44.0/24 + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instances created by this stack. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: Must be the name of an existing EC2 KeyPair. + EnableVolumeEncryption: + Description: Encrypt Environment instances volume with default AWS KMS key. + Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + MinValue: 100 + Default: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. 
+ Type: String + Default: false + AllowedValues: + - true + - false + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + ManagementServer: + Description: The name that represents the Security Management Server in the automatic provisioning configuration. + Type: String + Default: gwlb-management-server + MinLength: 1 + ConfigurationTemplate: + Description: A name of a gateway configuration template in the automatic provisioning configuration. + Type: String + Default: gwlb-ASG-configuration + MinLength: 1 + MaxLength: 30 + AdminEmail: + Description: Notifications about scaling events will be sent to this email address. (optional) + Type: String + Default: '' + AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$' + Shell: + Description: Change the admin shell to enable advanced command line configuration. Applies for Security Gateways and Security Management Server if deployed. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GWLBName: + Description: Gateway Load Balancer name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen. + Type: String + AllowedPattern: '^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])$' + Default: gwlb1 + MaxLength: 32 + ConstraintDescription: Must be a valid GWLB Name + TargetGroupName: + Description: Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen. 
+ Type: String + AllowedPattern: '^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])$' + Default: tg1 + MaxLength: 32 + ConstraintDescription: Must be a valid target group name. + CrossZoneLoadBalancing: + Description: Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges. + Type: String + Default: true + AllowedValues: + - true + - false + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Gateway + GatewayInstanceType: + Description: The EC2 instance type for the Security Gateways + Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + 
- r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + GatewaysMinSize: + Description: The minimal number of Security Gateways. + Type: Number + Default: 2 + MinValue: 1 + GatewaysMaxSize: + Description: The maximal number of Security Gateways. + Type: Number + Default: 10 + MinValue: 1 + GatewayVersion: + Description: The version and license to install on the Security Gateways. + Type: String + Default: R81.20-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG-NGTP + - R80.40-PAYG-NGTX + - R81.20-BYOL + - R81.20-PAYG-NGTP + - R81.20-PAYG-NGTX + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters. 
+ Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: Secure Internal Communication activation key should contain only alpha numeric characters and be at least 8 characters long. + NoEcho: true + ControlGatewayOverPrivateOrPublicAddress: + Description: Determines if the gateways are provisioned using their private or public address. + Type: String + Default: private + AllowedValues: + - private + - public + AllocatePublicAddress: + Description: Allocate a Public IP for gateway members. + Type: String + Default: false + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + ManagementDeploy: + Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section. + Type: String + Default: true + AllowedValues: + - true + - false + ManagementInstanceType: + Description: The EC2 instance type of the Security Management Server. 
+ Type: String + Default: m5.xlarge + AllowedValues: + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + ManagementVersion: + Description: The license to install on the Security Management Server. 
+ Type: String + Default: R81.20-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG + - R81-BYOL + - R81-PAYG + - R81.10-BYOL + - R81.10-PAYG + - R81.20-BYOL + - R81.20-PAYG + ManagementPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + ManagementMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaysPolicy: + Description: The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group. + Type: String + Default: Standard + MinLength: 1 + AdminCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate with the Security Management Server. + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + GatewayManagement: + Description: Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. + Type: String + Default: Locally managed + AllowedValues: + - Locally managed + - Over the internet + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Security Management Server. 
+ Type: String
+ AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
+Conditions:
+ 4AZs: !Equals [!Ref NumberOfAZs, 4]
+ 3AZs: !Or [!Equals [!Ref NumberOfAZs, 3], !Condition 4AZs]
+ DeployManagement: !Equals [!Ref ManagementDeploy, true]
+ VolumeEncryption: !Equals [!Ref EnableVolumeEncryption, true]
+Resources:
+ VPCStack:
+ Type: AWS::CloudFormation::Stack
+ Properties:
+ TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml
+ Parameters:
+ AvailabilityZones: !Join [',', !Ref AvailabilityZones]
+ NumberOfAZs: !Ref NumberOfAZs
+ VPCCIDR: !Ref VPCCIDR
+ PublicSubnet1CIDR: !Ref PublicSubnet1CIDR
+ PublicSubnet2CIDR: !Ref PublicSubnet2CIDR
+ PublicSubnet3CIDR: !Ref PublicSubnet3CIDR
+ PublicSubnet4CIDR: !Ref PublicSubnet4CIDR
+ CreatePrivateSubnets: false
+ CreateAttachmentSubnets: true
+ AttachmentSubnet1CIDR: !Ref TgwSubnet1CIDR
+ AttachmentSubnet2CIDR: !Ref TgwSubnet2CIDR
+ AttachmentSubnet3CIDR: !Ref TgwSubnet3CIDR
+ AttachmentSubnet4CIDR: !Ref TgwSubnet4CIDR
+ TgwGwlbStack:
+ Type: AWS::CloudFormation::Stack
+ Properties:
+ TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/tgw-gwlb.yaml
+ Parameters:
+ VPC: !GetAtt VPCStack.Outputs.VPCID
+ IGWID: !GetAtt VPCStack.Outputs.IGWID
+ AvailabilityZones: !Join [',', !Ref AvailabilityZones]
+ NumberOfAZs: !Ref NumberOfAZs
+ GatewaysSubnets: !Join
+ - ','
+ - - !GetAtt VPCStack.Outputs.PublicSubnet1ID
+ - !GetAtt VPCStack.Outputs.PublicSubnet2ID
+ - !If [3AZs, !GetAtt VPCStack.Outputs.PublicSubnet3ID, !Ref 'AWS::NoValue']
+ - !If [4AZs, !GetAtt VPCStack.Outputs.PublicSubnet4ID, !Ref 'AWS::NoValue']
+ TgwSubnet1Id: !GetAtt VPCStack.Outputs.AttachmentSubnet1ID
+ TgwSubnet2Id: !GetAtt VPCStack.Outputs.AttachmentSubnet2ID
+ TgwSubnet3Id: !If [3AZs, !GetAtt VPCStack.Outputs.AttachmentSubnet3ID, ""]
+ TgwSubnet4Id: !If [4AZs, !GetAtt VPCStack.Outputs.AttachmentSubnet4ID, ""]
+ NatGwSubnet1CIDR: !Ref NatGwSubnet1CIDR
+ NatGwSubnet2CIDR: !Ref NatGwSubnet2CIDR + NatGwSubnet3CIDR: !Ref NatGwSubnet3CIDR + NatGwSubnet4CIDR: !Ref NatGwSubnet4CIDR + GWLBeSubnet1CIDR: !Ref GWLBeSubnet1CIDR + GWLBeSubnet2CIDR: !Ref GWLBeSubnet2CIDR + GWLBeSubnet3CIDR: !Ref GWLBeSubnet3CIDR + GWLBeSubnet4CIDR: !Ref GWLBeSubnet4CIDR + KeyName: !Ref KeyName + EnableVolumeEncryption: !Ref EnableVolumeEncryption + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + EnableInstanceConnect: !Ref EnableInstanceConnect + TerminationProtection: !Ref TerminationProtection + AllowUploadDownload: !Ref AllowUploadDownload + ManagementServer: !Ref ManagementServer + ConfigurationTemplate: !Ref ConfigurationTemplate + AdminEmail: !Ref AdminEmail + Shell: !Ref Shell + GatewayName: !Ref GatewayName + GatewayInstanceType: !Ref GatewayInstanceType + GatewaysMinSize: !Ref GatewaysMinSize + GatewaysMaxSize: !Ref GatewaysMaxSize + GatewayVersion: !Ref GatewayVersion + GatewayPasswordHash: !Ref GatewayPasswordHash + GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash + GatewaySICKey: !Ref GatewaySICKey + ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress + AllocatePublicAddress: !Ref AllocatePublicAddress + CloudWatch: !Ref CloudWatch + GWLBName: !Ref GWLBName + TargetGroupName: !Ref TargetGroupName + CrossZoneLoadBalancing: !Ref CrossZoneLoadBalancing + ManagementDeploy: !Ref ManagementDeploy + ManagementInstanceType: !Ref ManagementInstanceType + ManagementVersion: !Ref ManagementVersion + ManagementPasswordHash: !Ref ManagementPasswordHash + ManagementMaintenancePasswordHash: !Ref ManagementMaintenancePasswordHash + GatewaysPolicy: !Ref GatewaysPolicy + AdminCIDR: !Ref AdminCIDR + GatewayManagement: !Ref GatewayManagement + GatewaysAddresses: !Ref GatewaysAddresses +Outputs: + VPCID: + Description: VPC ID. + Value: !GetAtt VPCStack.Outputs.VPCID + ManagementPublicAddress: + Description: The public address of the management server. 
+ Value: !GetAtt TgwGwlbStack.Outputs.ManagementPublicAddress + Condition: DeployManagement + ConfigurationTemplateName: + Description: The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name. + Value: !GetAtt TgwGwlbStack.Outputs.ConfigurationTemplateName + ControllerName: + Description: The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name. + Value: !GetAtt TgwGwlbStack.Outputs.ControllerName + GWLBName: + Description: Gateway Load Balancer Name. + Value: !Ref GWLBName + GWLBServiceName: + Description: Gateway Load Balancer Service Name. + Value: !GetAtt TgwGwlbStack.Outputs.GWLBServiceName + TgwSubnet1ID: + Description: TGW subnet 1 ID in Availability Zone 1. + Value: !GetAtt VPCStack.Outputs.AttachmentSubnet1ID + TgwSubnet2ID: + Description: TGW subnet 2 ID in Availability Zone 2. + Value: !GetAtt VPCStack.Outputs.AttachmentSubnet2ID + TgwSubnet3ID: + Description: TGW subnet 3 ID in Availability Zone 3. + Value: !GetAtt VPCStack.Outputs.AttachmentSubnet3ID + Condition: 3AZs + TgwSubnet4ID: + Description: TGW subnet 4 ID in Availability Zone 4. + Value: !GetAtt VPCStack.Outputs.AttachmentSubnet4ID + Condition: 4AZs + TgwSubnet1CIDR: + Description: TGW subnet 1 CIDR in Availability Zone 1. + Value: !GetAtt VPCStack.Outputs.AttachmentSubnet1CIDR + TgwSubnet2CIDR: + Description: TGW subnet 2 CIDR in Availability Zone 2. + Value: !GetAtt VPCStack.Outputs.AttachmentSubnet2CIDR + TgwSubnet3CIDR: + Description: TGW subnet 3 CIDR in Availability Zone 3. + Value: !GetAtt VPCStack.Outputs.AttachmentSubnet3CIDR + Condition: 3AZs + TgwSubnet4CIDR: + Description: TGW subnet 4 CIDR in Availability Zone 4. 
+ Value: !GetAtt VPCStack.Outputs.AttachmentSubnet4CIDR
+ Condition: 4AZs
+Rules:
+ GatewayAddressAllocationRule:
+ RuleCondition: !Equals [!Ref ControlGatewayOverPrivateOrPublicAddress, 'public']
+ Assertions:
+ - AssertDescription: "Gateway's selected to be provisioned by public IP, but ['AllocatePublicAddress'] parameter is false"
+ Assert: !Equals [!Ref AllocatePublicAddress, 'true']
diff --git a/aws/templates/gwlb-asg/tgw-gwlb.yaml b/aws/templates/gwlb-asg/tgw-gwlb.yaml
new file mode 100644
index 00000000..0801a10a
--- /dev/null
+++ b/aws/templates/gwlb-asg/tgw-gwlb.yaml
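Review bot: In the Parameters section, TgwSubnet2CIDR, TgwSubnet4CIDR, NatGwSubnet2CIDR, NatGwSubnet4CIDR, GWLBeSubnet2CIDR and GWLBeSubnet4CIDR each carry a ConstraintDescription but no AllowedPattern, so unlike their odd-numbered siblings they accept any string and a malformed value is only rejected, if at all, inside the nested TgwGwlbStack after the VPC stack has already been created. Add the pattern the other CIDR parameters already use under each of the six, `AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'`, so the ConstraintDescription is actually enforced. Separately, the AdminCIDR pattern permits a /0 prefix, so 0.0.0.0/0 is accepted as the network allowed to reach the management server's web, SSH and graphical-client ports; a ConstraintDescription warning against that, or a narrower prefix range, would be a cheap guard. Note also that both nested stacks fetch vpc.yaml and tgw-gwlb.yaml from an unversioned S3 URL rather than this commit's sibling file, so the child template actually deployed can differ from the tgw-gwlb.yaml reviewed here.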
@@ -0,0 +1,1206 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, in an existing VPC for Transit Gateway (20240204)
+Metadata:
+ AWS::CloudFormation::Interface:
+ ParameterGroups:
+ - Label:
+ default: VPC Network Configuration
+ Parameters:
+ - VPC
+ - IGWID
+ - AvailabilityZones
+ - NumberOfAZs
+ - GatewaysSubnets
+ - TgwSubnet1Id
+ - TgwSubnet2Id
+ - TgwSubnet3Id
+ - TgwSubnet4Id
+ - NatGwSubnet1CIDR
+ - NatGwSubnet2CIDR
+ - NatGwSubnet3CIDR
+ - NatGwSubnet4CIDR
+ - GWLBeSubnet1CIDR
+ - GWLBeSubnet2CIDR
+ - GWLBeSubnet3CIDR
+ - GWLBeSubnet4CIDR
+ - Label:
+ default: General Settings
+ Parameters:
+ - KeyName
+ - EnableVolumeEncryption
+ - VolumeSize
+ - VolumeType
+ - EnableInstanceConnect
+ - TerminationProtection
+ - AllowUploadDownload
+ - ManagementServer
+ - ConfigurationTemplate
+ - AdminEmail
+ - Shell
+ - Label:
+ default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration
+ Parameters:
+ - GatewayName
+ - GatewayInstanceType
+ - GatewaysMinSize
+ - GatewaysMaxSize
+ - GatewayVersion
+ - GatewayPasswordHash
+ - GatewayMaintenancePasswordHash
+ - GatewaySICKey
+ - ControlGatewayOverPrivateOrPublicAddress
+ - AllocatePublicAddress
+ - CloudWatch
+ - Label:
+ default: Gateway Load Balancer Configuration
+ Parameters:
+ - GWLBName
+ - TargetGroupName
+ - CrossZoneLoadBalancing
+ - Label:
+ default: Check Point CloudGuard IaaS Security Management Server Configuration
+ Parameters:
+ - ManagementDeploy
+ - ManagementInstanceType
+ - ManagementVersion
+ - ManagementPasswordHash
+ - ManagementMaintenancePasswordHash
+ - GatewaysPolicy
+ - AdminCIDR
+ - GatewayManagement
+ - GatewaysAddresses
+ ParameterLabels:
+ VPC:
+ default: VPC
+ IGWID:
+ default: Internet Gateway ID
+ AvailabilityZones:
+ default: Availability Zones
+ 
NumberOfAZs: + default: Number of AZs + GatewaysSubnets: + default: Gateways subnets + TgwSubnet1Id: + default: Transit Gateway Attachment subnet 1 Id + TgwSubnet2Id: + default: Transit Gateway Attachment subnet 2 Id + TgwSubnet3Id: + default: Transit Gateway Attachment subnet 3 Id + TgwSubnet4Id: + default: Transit Gateway Attachment subnet 4 Id + NatGwSubnet1CIDR: + default: NAT subnet 1 CIDR + NatGwSubnet2CIDR: + default: NAT subnet 2 CIDR + NatGwSubnet3CIDR: + default: NAT subnet 3 CIDR + NatGwSubnet4CIDR: + default: NAT subnet 4 CIDR + GWLBeSubnet1CIDR: + default: Gateway Load Balancer Endpoint subnet 1 CIDR + GWLBeSubnet2CIDR: + default: Gateway Load Balancer Endpoint subnet 2 CIDR + GWLBeSubnet3CIDR: + default: Gateway Load Balancer Endpoint subnet 3 CIDR + GWLBeSubnet4CIDR: + default: Gateway Load Balancer Endpoint subnet 4 CIDR + KeyName: + default: Key name + EnableVolumeEncryption: + default: Enable environment volume encryption + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + AllowUploadDownload: + default: Allow upload & download + ManagementServer: + default: Management Server + ConfigurationTemplate: + default: Configuration template + AdminEmail: + default: Email address + Shell: + default: Admin shell + GatewayName: + default: Gateways instance name + GatewayInstanceType: + default: Gateways instance type + GatewaysMinSize: + default: Minimum group size + GatewaysMaxSize: + default: Maximum group size + GatewayVersion: + default: Gateways version & license + GatewayPasswordHash: + default: Gateways Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: Gateways SIC key + ControlGatewayOverPrivateOrPublicAddress: + default: Gateways addresses + AllocatePublicAddress: + default: Allocate Public IPs + CloudWatch: + default: 
CloudWatch metrics + GWLBName: + default: Gateway Load Balancer Name + TargetGroupName: + default: Target Group Name + CrossZoneLoadBalancing: + default: Enable Cross Zone Load Balancing + ManagementDeploy: + default: Deploy Management Server + ManagementInstanceType: + default: Management instance type + ManagementVersion: + default: Management version & license + ManagementPasswordHash: + default: Management password hash + ManagementMaintenancePasswordHash: + default: Management Maintenance Password hash + GatewaysPolicy: + default: Security Policy + AdminCIDR: + default: Administrator addresses + GatewayManagement: + default: Manage Gateways + GatewaysAddresses: + default: Gateways addresses +Parameters: + VPC: + Description: Select an existing VPC. + Type: AWS::EC2::VPC::Id + MinLength: 1 + ConstraintDescription: You must select a VPC. + IGWID: + Description: VPC's Internet Gateway Id (e.g. igw-123a4567). + Type: String + MinLength: 1 + ConstraintDescription: You must insert an Internet Gateway Id. + AvailabilityZones: + Description: The Availability Zones (AZs) to use for the subnets in the VPC. Select two (the logical order is preserved). + Type: List + MinLength: 2 + NumberOfAZs: + Description: Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter. + Type: Number + Default: 2 + MinValue: 2 + MaxValue: 4 + GatewaysSubnets: + Description: Select at least 2 public subnets in the VPC. If you choose to deploy a Security Management Server it will be deployed in the first subnet. + Type: List + MinLength: 2 + TgwSubnet1Id: + Description: The TGW attachment subnet ID located in the 1st Availability Zone. + Type: String + MinLength: 1 + ConstraintDescription: You must insert Tgw Subnet Id for Availability Zone 1. + TgwSubnet2Id: + Description: The TGW attachment subnet ID located in the 2nd Availability Zone. 
+ Type: String
+ MinLength: 1
+ ConstraintDescription: You must insert Tgw Subnet Id for Availability Zone 2.
+ TgwSubnet3Id:
+ Description: The TGW attachment subnet ID located in the 3rd Availability Zone.
+ Type: String
+ TgwSubnet4Id:
+ Description: The TGW attachment subnet ID located in the 4th Availability Zone.
+ Type: String
+ NatGwSubnet1CIDR:
+ Description: CIDR block for NAT subnet 1 located in the 1st Availability Zone.
+ Type: String
+ Default: 10.0.13.0/24
+ AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+ NatGwSubnet2CIDR:
+ Description: CIDR block for NAT subnet 2 located in the 2nd Availability Zone.
+ Type: String
+ Default: 10.0.23.0/24
+ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+ NatGwSubnet3CIDR:
+ Description: CIDR block for NAT subnet 3 located in the 3rd Availability Zone.
+ Type: String
+ Default: 10.0.33.0/24
+ AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+ NatGwSubnet4CIDR:
+ Description: CIDR block for NAT subnet 4 located in the 4th Availability Zone.
+ Type: String
+ Default: 10.0.43.0/24
+ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+ GWLBeSubnet1CIDR:
+ Description: CIDR block for GWLBe subnet 1 located in the 1st Availability Zone.
+ Type: String
+ Default: 10.0.14.0/24
+ AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+ GWLBeSubnet2CIDR:
+ Description: CIDR block for GWLBe subnet 2 located in the 2nd Availability Zone.
+ Type: String
+ Default: 10.0.24.0/24
+ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+ GWLBeSubnet3CIDR:
+ Description: CIDR block for GWLBe subnet 3 located in the 3rd Availability Zone.
+ Type: String
+ Default: 10.0.34.0/24
+ AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+ GWLBeSubnet4CIDR:
+ Description: CIDR block for GWLBe subnet 4 located in the 4th Availability Zone.
+ Type: String
+ Default: 10.0.44.0/24
+ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+ KeyName:
+ Description: The EC2 Key Pair to allow SSH access to the instances created by this stack.
+ Type: AWS::EC2::KeyPair::KeyName
+ MinLength: 1
+ ConstraintDescription: Must be the name of an existing EC2 KeyPair.
+ EnableVolumeEncryption:
+ Description: Encrypt Environment instances volume with default AWS KMS key.
+ Type: String
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ VolumeSize:
+ Type: Number
+ MinValue: 100
+ Default: 100
+ VolumeType:
+ Description: General Purpose SSD Volume Type
+ Type: String
+ Default: gp3
+ AllowedValues:
+ - gp3
+ - gp2
+ EnableInstanceConnect:
+ Description: Enable SSH connection over AWS web console.
+ Type: String
+ Default: false
+ AllowedValues:
+ - true
+ - false
+ TerminationProtection:
+ Description: Prevents an instance from accidental termination.
+ Type: String
+ Default: false
+ AllowedValues:
+ - true
+ - false
+ AllowUploadDownload:
+ Description: Automatically download updates and share statistical data for product improvement purpose.
+ Type: String
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ ManagementServer:
+ Description: The name that represents the Security Management Server in the automatic provisioning configuration.
+ Type: String + Default: gwlb-management-server + MinLength: 1 + ConfigurationTemplate: + Description: A name of a gateway configuration template in the automatic provisioning configuration. + Type: String + Default: gwlb-ASG-configuration + MinLength: 1 + MaxLength: 30 + AdminEmail: + Description: Notifications about scaling events will be sent to this email address. (optional) + Type: String + Default: '' + AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$' + Shell: + Description: Change the admin shell to enable advanced command line configuration. Applies for Security Gateways and Security Management Server if deployed. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Gateway + GatewayInstanceType: + Description: The EC2 instance type for the Security Gateways. 
+ Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type. + GatewaysMinSize: + Description: The minimal number of Security Gateways. 
+ Type: Number
+ Default: 2
+ MinValue: 1
+ GatewaysMaxSize:
+ Description: The maximal number of Security Gateways.
+ Type: Number
+ Default: 10
+ MinValue: 1
+ GatewayVersion:
+ Description: The version and license to install on the Security Gateways.
+ Type: String
+ Default: R81.20-BYOL
+ AllowedValues:
+ - R80.40-BYOL
+ - R80.40-PAYG-NGTP
+ - R80.40-PAYG-NGTX
+ - R81.20-BYOL
+ - R81.20-PAYG-NGTP
+ - R81.20-PAYG-NGTX
+ GatewayPasswordHash:
+ Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
+ NoEcho: true
+ GatewayMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
+ GatewaySICKey:
+ Description: The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters.
+ Type: String
+ AllowedPattern: '^[a-zA-Z0-9]{8,}$'
+ ConstraintDescription: Secure Internal Communication activation key should contain only alpha numeric characters and be at least 8 characters long.
+ NoEcho: true
+ ControlGatewayOverPrivateOrPublicAddress:
+ Description: Determines if the gateways are provisioned using their private or public address.
+ Type: String
+ Default: private
+ AllowedValues:
+ - private
+ - public
+ AllocatePublicAddress:
+ Description: Allocate a Public IP for gateway members.
+ Type: String
+ Default: false
+ AllowedValues:
+ - true
+ - false
+ CloudWatch:
+ Description: Report Check Point specific CloudWatch metrics.
+ Type: String + Default: false + AllowedValues: + - true + - false + GWLBName: + Description: Gateway Load Balancer name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen. + Type: String + Default: gwlb1 + ConstraintDescription: Must be a valid GWLB Name + TargetGroupName: + Description: Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen. + Type: String + Default: tg1 + ConstraintDescription: Must be a valid target group name. + CrossZoneLoadBalancing: + Description: Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges. + Type: String + Default: true + AllowedValues: + - true + - false + ManagementDeploy: + Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section. + Type: String + Default: true + AllowedValues: + - true + - false + ManagementInstanceType: + Description: The EC2 instance type of the Security Management Server. 
+ Type: String + Default: m5.xlarge + AllowedValues: + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type. + ManagementVersion: + Description: The license to install on the Security Management Server. 
+ Type: String
+ Default: R81.20-BYOL
+ AllowedValues:
+ - R80.40-BYOL
+ - R80.40-PAYG
+ - R81-BYOL
+ - R81-PAYG
+ - R81.10-BYOL
+ - R81.10-PAYG
+ - R81.20-BYOL
+ - R81.20-PAYG
+ ManagementPasswordHash:
+ Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
+ NoEcho: true
+ ManagementMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
+ GatewaysPolicy:
+ Description: The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group.
+ Type: String
+ Default: Standard
+ MinLength: 1
+ AdminCIDR:
+ Description: Allow web, SSH, and graphical clients only from this network to communicate with the Security Management Server.
+ Type: String
+ AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
+ GatewayManagement:
+ Description: Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address.
+ Type: String
+ Default: Locally managed
+ AllowedValues:
+ - Locally managed
+ - Over the internet
+ GatewaysAddresses:
+ Description: Allow gateways only from this network to communicate with the Security Management Server.
+ Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' +Conditions: + 4AZs: !Equals [!Ref NumberOfAZs, 4] + 3AZs: !Or [!Equals [!Ref NumberOfAZs, 3], !Condition 4AZs] + DeployManagement: !Equals [!Ref ManagementDeploy, true] + VolumeEncryption: !Equals [!Ref EnableVolumeEncryption, true] +Resources: + GWLBeSubnet1: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref GWLBeSubnet1CIDR + AvailabilityZone: !Select [0, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: GWLBe subnet 1 + - Key: Network + Value: Private + GWLBeSubnet2: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref GWLBeSubnet2CIDR + AvailabilityZone: !Select [1, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: GWLBe subnet 2 + - Key: Network + Value: Private + GWLBeSubnet3: + Type: AWS::EC2::Subnet + Condition: 3AZs + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref GWLBeSubnet3CIDR + AvailabilityZone: !Select [2, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: GWLBe subnet 3 + - Key: Network + Value: Private + GWLBeSubnet4: + Type: AWS::EC2::Subnet + Condition: 4AZs + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref GWLBeSubnet4CIDR + AvailabilityZone: !Select [3, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: GWLBe subnet 4 + - Key: Network + Value: Private + GWLBeSubnet1RouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: GWLBe Subnet 1 Route Table + - Key: Network + Value: Private + GWLBeSubnet1NatGwDefaultRoute: + Type: AWS::EC2::Route + Properties: + DestinationCidrBlock: 0.0.0.0/0 + NatGatewayId: !Ref NatGateway1 + RouteTableId: !Ref GWLBeSubnet1RouteTable + GWLBeSubnet1RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref GWLBeSubnet1RouteTable + SubnetId: !Ref GWLBeSubnet1 + GWLBeSubnet2RouteTable: + Type: 
AWS::EC2::RouteTable + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: GWLBe Subnet 2 Route Table + - Key: Network + Value: Private + GWLBeSubnet2NatGwDefaultRoute: + Type: AWS::EC2::Route + Properties: + DestinationCidrBlock: 0.0.0.0/0 + NatGatewayId: !Ref NatGateway2 + RouteTableId: !Ref GWLBeSubnet2RouteTable + GWLBeSubnet2RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref GWLBeSubnet2RouteTable + SubnetId: !Ref GWLBeSubnet2 + GWLBeSubnet3RouteTable: + Type: AWS::EC2::RouteTable + Condition: 3AZs + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: GWLBe Subnet 3 Route Table + - Key: Network + Value: Private + GWLBeSubnet3NatGwDefaultRoute: + Type: AWS::EC2::Route + Condition: 3AZs + Properties: + DestinationCidrBlock: 0.0.0.0/0 + NatGatewayId: !Ref NatGateway3 + RouteTableId: !Ref GWLBeSubnet3RouteTable + GWLBeSubnet3RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: 3AZs + Properties: + RouteTableId: !Ref GWLBeSubnet3RouteTable + SubnetId: !Ref GWLBeSubnet3 + GWLBeSubnet4RouteTable: + Type: AWS::EC2::RouteTable + Condition: 4AZs + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: GWLBe Subnet 4 Route Table + - Key: Network + Value: Private + GWLBeSubnet4NatGwDefaultRoute: + Type: AWS::EC2::Route + Condition: 4AZs + Properties: + DestinationCidrBlock: 0.0.0.0/0 + NatGatewayId: !Ref NatGateway4 + RouteTableId: !Ref GWLBeSubnet4RouteTable + GWLBeSubnet4RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: 4AZs + Properties: + RouteTableId: !Ref GWLBeSubnet4RouteTable + SubnetId: !Ref GWLBeSubnet4 + NatGwSubnet1: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref NatGwSubnet1CIDR + AvailabilityZone: !Select [0, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: NAT subnet 1 + - Key: Network + Value: Private + NatGwSubnet2: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: 
!Ref NatGwSubnet2CIDR + AvailabilityZone: !Select [1, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: NAT subnet 2 + - Key: Network + Value: Private + NatGwSubnet3: + Type: AWS::EC2::Subnet + Condition: 3AZs + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref NatGwSubnet3CIDR + AvailabilityZone: !Select [2, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: NAT subnet 3 + - Key: Network + Value: Private + NatGwSubnet4: + Type: AWS::EC2::Subnet + Condition: 4AZs + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref NatGwSubnet4CIDR + AvailabilityZone: !Select [3, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: NAT subnet 4 + - Key: Network + Value: Private + NatGwSubnet1RouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: NAT Subnet 1 Route Table + - Key: Network + Value: Public + NatGwSubnet1NatGwDefaultRoute: + Type: AWS::EC2::Route + Properties: + DestinationCidrBlock: 0.0.0.0/0 + GatewayId: !Ref IGWID + RouteTableId: !Ref NatGwSubnet1RouteTable + NatGwSubnet1RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref NatGwSubnet1RouteTable + SubnetId: !Ref NatGwSubnet1 + NatGwSubnet2RouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: NAT Subnet 2 Route Table + - Key: Network + Value: Public + NatGwSubnet2NatGwDefaultRoute: + Type: AWS::EC2::Route + Properties: + DestinationCidrBlock: 0.0.0.0/0 + GatewayId: !Ref IGWID + RouteTableId: !Ref NatGwSubnet2RouteTable + NatGwSubnet2RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref NatGwSubnet2RouteTable + SubnetId: !Ref NatGwSubnet2 + NatGwSubnet3RouteTable: + Type: AWS::EC2::RouteTable + Condition: 3AZs + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: NAT Subnet 3 Route Table + - Key: Network + Value: Public + NatGwSubnet3NatGwDefaultRoute: + Type: AWS::EC2::Route + Condition: 3AZs + Properties: 
+ DestinationCidrBlock: 0.0.0.0/0
+ GatewayId: !Ref IGWID
+ RouteTableId: !Ref NatGwSubnet3RouteTable
+ NatGwSubnet3RouteTableAssociation:
+ Type: AWS::EC2::SubnetRouteTableAssociation
+ Condition: 3AZs
+ Properties:
+ RouteTableId: !Ref NatGwSubnet3RouteTable
+ SubnetId: !Ref NatGwSubnet3
+ NatGwSubnet4RouteTable:
+ Type: AWS::EC2::RouteTable
+ Condition: 4AZs
+ Properties:
+ VpcId: !Ref VPC
+ Tags:
+ - Key: Name
+ Value: NAT Subnet 4 Route Table
+ - Key: Network
+ Value: Public
+ NatGwSubnet4NatGwDefaultRoute:
+ Type: AWS::EC2::Route
+ Condition: 4AZs
+ Properties:
+ DestinationCidrBlock: 0.0.0.0/0
+ GatewayId: !Ref IGWID
+ RouteTableId: !Ref NatGwSubnet4RouteTable
+ NatGwSubnet4RouteTableAssociation:
+ Type: AWS::EC2::SubnetRouteTableAssociation
+ Condition: 4AZs
+ Properties:
+ RouteTableId: !Ref NatGwSubnet4RouteTable
+ SubnetId: !Ref NatGwSubnet4
+ GWLBStack:
+ Type: AWS::CloudFormation::Stack
+ Properties:
+ TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/gwlb.yaml
+ Parameters:
+ VPC: !Ref VPC
+ GatewaysSubnets: !Join [',', !Ref GatewaysSubnets]
+ KeyName: !Ref KeyName
+ EnableVolumeEncryption: !Ref EnableVolumeEncryption
+ VolumeType: !Ref VolumeType
+ VolumeSize: !Ref VolumeSize
+ EnableInstanceConnect: !Ref EnableInstanceConnect
+ TerminationProtection: !Ref TerminationProtection
+ AllowUploadDownload: !Ref AllowUploadDownload
+ ManagementServer: !Ref ManagementServer
+ ConfigurationTemplate: !Ref ConfigurationTemplate
+ AdminEmail: !Ref AdminEmail
+ Shell: !Ref Shell
+ GWLBName: !Ref GWLBName
+ TargetGroupName: !Ref TargetGroupName
+ AcceptConnectionRequired: false
+ CrossZoneLoadBalancing: !Ref CrossZoneLoadBalancing
+ GatewayName: !Ref GatewayName
+ GatewayInstanceType: !Ref GatewayInstanceType
+ GatewaysMinSize: !Ref GatewaysMinSize
+ GatewaysMaxSize: !Ref GatewaysMaxSize
+ GatewayVersion: !Ref GatewayVersion
+ GatewayPasswordHash: !Ref GatewayPasswordHash
+ GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash
+ GatewaySICKey: !Ref 
GatewaySICKey + ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress + AllocatePublicAddress: !Ref AllocatePublicAddress + CloudWatch: !Ref CloudWatch + ManagementDeploy: !Ref ManagementDeploy + ManagementInstanceType: !Ref ManagementInstanceType + ManagementVersion: !Ref ManagementVersion + ManagementPasswordHash: !Ref ManagementPasswordHash + ManagementMaintenancePasswordHash: !Ref ManagementMaintenancePasswordHash + GatewaysPolicy: !Ref GatewaysPolicy + AdminCIDR: !Ref AdminCIDR + GatewayManagement: !Ref GatewayManagement + GatewaysAddresses: !Ref GatewaysAddresses + GWLBe1: + DependsOn: [GWLBStack, GWLBeSubnet1] + Type: AWS::EC2::VPCEndpoint + Properties: + VpcId: !Ref VPC + VpcEndpointType: GatewayLoadBalancer + SubnetIds: + - !Ref GWLBeSubnet1 + ServiceName: !GetAtt GWLBStack.Outputs.GWLBServiceName + GWLBe2: + DependsOn: [GWLBStack, GWLBeSubnet2] + Type: AWS::EC2::VPCEndpoint + Properties: + VpcId: !Ref VPC + VpcEndpointType: GatewayLoadBalancer + SubnetIds: + - !Ref GWLBeSubnet2 + ServiceName: !GetAtt GWLBStack.Outputs.GWLBServiceName + GWLBe3: + DependsOn: [GWLBStack, GWLBeSubnet3] + Type: AWS::EC2::VPCEndpoint + Condition: 3AZs + Properties: + VpcId: !Ref VPC + VpcEndpointType: GatewayLoadBalancer + SubnetIds: + - !Ref GWLBeSubnet3 + ServiceName: !GetAtt GWLBStack.Outputs.GWLBServiceName + GWLBe4: + DependsOn: [GWLBStack, GWLBeSubnet4] + Type: AWS::EC2::VPCEndpoint + Condition: 4AZs + Properties: + VpcId: !Ref VPC + VpcEndpointType: GatewayLoadBalancer + SubnetIds: + - !Ref GWLBeSubnet4 + ServiceName: !GetAtt GWLBStack.Outputs.GWLBServiceName + TGWAttachmentSubnet1RouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: TGW Attachment Subnet 1 Route Table + - Key: Network + Value: Private + TGWAttachmentSubnet1GWLBeDefaultRoute: + Type: AWS::EC2::Route + Properties: + DestinationCidrBlock: 0.0.0.0/0 + VpcEndpointId: !Ref GWLBe1 + RouteTableId: !Ref 
TGWAttachmentSubnet1RouteTable + TGWAttachmentSubnet1RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref TGWAttachmentSubnet1RouteTable + SubnetId: !Ref TgwSubnet1Id + TGWAttachmentSubnet2RouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: TGW Attachment Subnet 2 Route Table + - Key: Network + Value: Private + TGWAttachmentSubnet2GWLBeDefaultRoute: + Type: AWS::EC2::Route + Properties: + DestinationCidrBlock: 0.0.0.0/0 + VpcEndpointId: !Ref GWLBe2 + RouteTableId: !Ref TGWAttachmentSubnet2RouteTable + TGWAttachmentSubnet2RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref TGWAttachmentSubnet2RouteTable + SubnetId: !Ref TgwSubnet2Id + TGWAttachmentSubnet3RouteTable: + Type: AWS::EC2::RouteTable + Condition: 3AZs + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: TGW Attachment Subnet 3 Route Table + - Key: Network + Value: Private + TGWAttachmentSubnet3GWLBeDefaultRoute: + Type: AWS::EC2::Route + Condition: 3AZs + Properties: + DestinationCidrBlock: 0.0.0.0/0 + VpcEndpointId: !Ref GWLBe3 + RouteTableId: !Ref TGWAttachmentSubnet3RouteTable + TGWAttachmentSubnet3RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: 3AZs + Properties: + RouteTableId: !Ref TGWAttachmentSubnet3RouteTable + SubnetId: !Ref TgwSubnet3Id + TGWAttachmentSubnet4RouteTable: + Type: AWS::EC2::RouteTable + Condition: 4AZs + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: TGW Attachment Subnet 4 Route Table + - Key: Network + Value: Private + TGWAttachmentSubnet4GWLBeDefaultRoute: + Type: AWS::EC2::Route + Condition: 4AZs + Properties: + DestinationCidrBlock: 0.0.0.0/0 + VpcEndpointId: !Ref GWLBe4 + RouteTableId: !Ref TGWAttachmentSubnet4RouteTable + TGWAttachmentSubnet4RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: 4AZs + Properties: + RouteTableId: !Ref 
TGWAttachmentSubnet4RouteTable + SubnetId: !Ref TgwSubnet4Id + NatGwPublicAddress1: + Type: AWS::EC2::EIP + Properties: + Domain: vpc + NatGwPublicAddress2: + Type: AWS::EC2::EIP + Properties: + Domain: vpc + NatGwPublicAddress3: + Type: AWS::EC2::EIP + Condition: 3AZs + Properties: + Domain: vpc + NatGwPublicAddress4: + Type: AWS::EC2::EIP + Condition: 4AZs + Properties: + Domain: vpc + NatGateway1: + DependsOn: [GWLBStack, NatGwSubnet1] + Type: AWS::EC2::NatGateway + Properties: + AllocationId: !GetAtt NatGwPublicAddress1.AllocationId + SubnetId: !Ref NatGwSubnet1 + Tags: + - Key: Name + Value: NatGW1 + NatGateway2: + DependsOn: [GWLBStack, NatGwSubnet2] + Type: AWS::EC2::NatGateway + Properties: + AllocationId: !GetAtt NatGwPublicAddress2.AllocationId + SubnetId: !Ref NatGwSubnet2 + Tags: + - Key: Name + Value: NatGW2 + NatGateway3: + DependsOn: [GWLBStack, NatGwSubnet3] + Type: AWS::EC2::NatGateway + Condition: 3AZs + Properties: + AllocationId: !GetAtt NatGwPublicAddress3.AllocationId + SubnetId: !Ref NatGwSubnet3 + Tags: + - Key: Name + Value: NatGW3 + NatGateway4: + DependsOn: [GWLBStack, NatGwSubnet4] + Type: AWS::EC2::NatGateway + Condition: 4AZs + Properties: + AllocationId: !GetAtt NatGwPublicAddress4.AllocationId + SubnetId: !Ref NatGwSubnet4 + Tags: + - Key: Name + Value: NatGW4 +Outputs: + ManagementPublicAddress: + Description: The public address of the management server. + Value: !GetAtt GWLBStack.Outputs.ManagementPublicAddress + Condition: DeployManagement + ConfigurationTemplateName: + Description: The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name. + Value: !GetAtt GWLBStack.Outputs.ConfigurationTemplateName + ControllerName: + Description: The name that represents the controller. 
Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name. + Value: !GetAtt GWLBStack.Outputs.ControllerName + GWLBName: + Description: Gateway Load Balancer Name. + Value: !Ref GWLBName + GWLBServiceName: + Description: Gateway Load Balancer Service Name. + Value: !GetAtt GWLBStack.Outputs.GWLBServiceName +Rules: + GatewayAddressAllocationRule: + RuleCondition: !Equals [!Ref ControlGatewayOverPrivateOrPublicAddress, 'public'] + Assertions: + - AssertDescription: "Gateway's selected to be provisioned by public IP, but ['AllocatePublicAddress'] parameter is false" + Assert: !Equals [!Ref AllocatePublicAddress, 'true'] diff --git a/aws/templates/management/README.md b/aws/templates/management/README.md new file mode 100644 index 00000000..f8565c48 --- /dev/null +++ b/aws/templates/management/README.md @@ -0,0 +1,22 @@ + +## Security Management Server + + + + + + + + + + + + + + + +
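Review bot: The nested `GWLBStack` is loaded from `TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/gwlb.yaml`, an unpinned object in a vendor-controlled bucket that CloudFormation fetches on every create and update, so the gateway ASG, the management server and whatever else gwlb.yaml creates are whatever that object contains at deploy time rather than what this commit was reviewed against; pinning to a versioned key or mirroring the child template into an account-owned bucket would make the deployment reproducible and auditable. AdminCIDR and GatewaysAddresses accept a /0 prefix, so `0.0.0.0/0` validates and exposes management SSH/web access to the whole internet; either say so in the Description or change the prefix alternation to `(\/([1-9]|[1-2][0-9]|3[0-2]))` to reject it. NatGwSubnet2CIDR, NatGwSubnet4CIDR, GWLBeSubnet2CIDR, GWLBeSubnet4CIDR, GWLBName and TargetGroupName carry a ConstraintDescription but no `AllowedPattern`, so CloudFormation never validates them (the odd-numbered CIDR parameters do have the pattern). GatewayMaintenancePasswordHash and ManagementMaintenancePasswordHash use `'[\$\./a-zA-Z0-9]*'` without the `^…$` anchors the other hash parameters use; CloudFormation matches AllowedPattern against the entire value, so this is presumably harmless, but the patterns should agree.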
DescriptionNotesDirect Launch
+ Deploys and configures a Security Management Server.

For more details, refer to sk130372. +
Deploys a Security Management Server into an existing VPC.
+
+
\ No newline at end of file diff --git a/aws/templates/management/management.yaml b/aws/templates/management/management.yaml new file mode 100755 index 00000000..4ec20f7a --- /dev/null +++ b/aws/templates/management/management.yaml 
@@ -0,0 +1,569 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploys a Check Point Management Server (20240417) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - VPC + - ManagementSubnet + - Label: + default: EC2 Instance Configuration + Parameters: + - ManagementName + - ManagementInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - TerminationProtection + - Label: + default: IAM Permissions (ignored when the installation is not Primary Management + Server) + Parameters: + - ManagementPermissions + - ManagementPredefinedRole + - ManagementSTSRoles + - Label: + default: Check Point Settings + Parameters: + - ManagementVersion + - Shell + - ManagementPasswordHash + - ManagementMaintenancePasswordHash + - Label: + default: Security Management Server Settings + Parameters: + - ManagementHostname + - ManagementInstallationType + - SICKey + - AllowUploadDownload + - AdminCIDR + - GatewayManagement + - GatewaysAddresses + - ManagementBootstrapScript + - NTPPrimary + - NTPSecondary + ParameterLabels: + VPC: + default: VPC + ManagementSubnet: + default: Management subnet + ManagementName: + default: Management name + ManagementInstanceType: + default: Instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate an Elastic IP + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + ManagementPermissions: + default: IAM role + ManagementPredefinedRole: + default: Existing IAM role name + ManagementSTSRoles: + default: STS roles + ManagementVersion: + default: Version & license + Shell: + default: Admin shell + ManagementPasswordHash: + default: Password hash + 
ManagementMaintenancePasswordHash: + default: Management Maintenance Password hash + ManagementHostname: + default: Management hostname + ManagementInstallationType: + default: Management installation type + SICKey: + default: SIC key + AllowUploadDownload: + default: Allow upload & download + AdminCIDR: + default: Administrator addresses + GatewayManagement: + default: Gateways management + GatewaysAddresses: + default: Gateways addresses + ManagementBootstrapScript: + default: Management bootstrap script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server +Parameters: + VPC: + Description: Select an existing VPC. + Type: AWS::EC2::VPC::Id + MinLength: 1 + ManagementSubnet: + Description: To access the instance from the internet, make sure the subnet has + a route to the internet. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ManagementName: + Description: The Management name tag. + Type: String + Default: Check-Point-Management + ManagementInstanceType: + Description: The instance type of the Security Management Server. 
+ Type: String + Default: m5.xlarge + AllowedValues: + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance. 
+ Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: must be the name of an existing EC2 KeyPair. + AllocatePublicAddress: + Description: Allocate an elastic IP for the Management. + Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + MinValue: 100 + Default: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + ManagementPermissions: + Description: IAM role to attach to the instance profile. + Type: String + Default: Create with read permissions + AllowedValues: + - None (configure later) + - Use existing (specify an existing IAM role name) + - Create with assume role permissions (specify an STS role ARN) + - Create with read permissions + - Create with read-write permissions + ManagementPredefinedRole: + Description: A predefined IAM role to attach to the instance profile. Ignored. + if IAM role is not set to 'Use existing' + Type: String + Default: '' + ManagementSTSRoles: + Description: The IAM role will be able to assume these STS Roles (comma separated + list of ARNs, without spaces). Ignored if IAM role is set to 'None' or 'Use + existing'. + Type: CommaDelimitedList + Default: '' + ManagementVersion: + Description: The license to install on the Security Management Server. 
+ Type: String + Default: R81.20-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG + - R81-BYOL + - R81-PAYG + - R81.10-BYOL + - R81.10-PAYG + - R81.20-BYOL + - R81.20-PAYG + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + ManagementPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" + to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + ManagementMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + ManagementHostname: + Description: The name must not contain reserved words. For details, refer to sk40179 (optional). + Type: String + Default: mgmt-aws + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$' + ConstraintDescription: A valid hostname label or an empty string. + ManagementInstallationType: + Description: Determines the Management Server installation type. + Type: String + Default: Primary management + AllowedValues: + - Primary management + - Secondary management + - Log Server + SICKey: + Description: >- + Mandatory only if deploying a secondary Management Server or Log Server, the Secure Internal + Communication key creates trusted connections between Check Point components. + Choose a random string consisting of at least 8 alphanumeric characters. + Type: String + Default: '' + AllowedPattern: '(|[a-zA-Z0-9]{8,})' + ConstraintDescription: Can be empty if this is a primary Management Server. 
Otherwise, + at least 8 alpha numeric characters. + NoEcho: true + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + AdminCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate + with the Management Server. + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Management + Server. + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + GatewayManagement: + Description: Select 'Over the internet' if any of the gateways you wish to manage + are not directly accessed via their private IP address. + Type: String + Default: Locally managed + AllowedValues: + - Locally managed + - Over the internet + ManagementBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. 
(optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '[\.a-zA-Z0-9\-]*' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '[\.a-zA-Z0-9\-]*' +Conditions: + EIP: !Equals [!Ref AllocatePublicAddress, true] + ManageOverInternet: !Equals [!Ref GatewayManagement, Over the internet] + ManageOverInternetAndEIP: !And [!Condition EIP, !Condition ManageOverInternet] + CreateRole: !Or + - !Equals [!Ref ManagementPermissions, Create with assume role permissions (specify an STS role ARN)] + - !Equals [!Ref ManagementPermissions, Create with read permissions] + - !Equals [!Ref ManagementPermissions, Create with read-write permissions] + EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']] + UseRole: !Not [!Equals [!Ref ManagementPermissions, None (configure later)]] + NoSIC: !Equals [!Ref SICKey, ''] + PreRole: !And [!Condition UseRole, !Not [!Condition CreateRole]] +Resources: + AMI: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/amis.yaml + Parameters: + Version: !Join ['-', [!Ref ManagementVersion, MGMT]] + ManagementReadyHandle: + Type: AWS::CloudFormation::WaitConditionHandle + Condition: EIP + Properties: {} + ManagementReadyCondition: + Type: AWS::CloudFormation::WaitCondition + Condition: EIP + DependsOn: ManagementInstance + Properties: + Handle: !Ref ManagementReadyHandle + Timeout: 1800 + ManagementSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Management security group + VpcId: !Ref VPC + SecurityGroupIngress: + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 257 + ToPort: 257 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 8211 + ToPort: 8211 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18191 + ToPort: 18191 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + 
FromPort: 18192 + ToPort: 18192 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18208 + ToPort: 18208 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18210 + ToPort: 18210 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18211 + ToPort: 18211 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18221 + ToPort: 18221 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18264 + ToPort: 18264 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 22 + ToPort: 22 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 443 + ToPort: 443 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 18190 + ToPort: 18190 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 19009 + ToPort: 19009 + ManagementRoleStack: + Type: AWS::CloudFormation::Stack + Condition: CreateRole + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/iam/cme-iam-role.yaml + Parameters: + Permissions: !Ref ManagementPermissions + STSRoles: !Join [',', !Ref ManagementSTSRoles] + InstanceProfile: + Type: AWS::IAM::InstanceProfile + Condition: PreRole + Properties: + Path: / + Roles: + - !Ref ManagementPredefinedRole + ManagementInstance: + Type: AWS::EC2::Instance + DependsOn: ManagementSecurityGroup + Properties: + Tags: + - Key: Name + Value: !Ref ManagementName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref ManagementInstanceType + IamInstanceProfile: !If [UseRole, !If [PreRole, !Ref InstanceProfile, !GetAtt ManagementRoleStack.Outputs.CMEIAMRole], !Ref 'AWS::NoValue'] + KeyName: !Ref KeyName + NetworkInterfaces: + - DeviceIndex: 0 + AssociatePublicIpAddress: false + Description: eth0 + GroupSet: + - !Ref ManagementSecurityGroup + DeleteOnTermination: true + SubnetId: !Ref ManagementSubnet + BlockDeviceMappings: + - DeviceName: /dev/xvda + Ebs: + Encrypted: !If [EncryptedVolume, true, false] + KmsKeyId: !If [EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue'] + VolumeType: !Ref VolumeType 
+ VolumeSize: !Ref VolumeSize + DisableApiTermination: !Ref TerminationProtection + UserData: + 'Fn::Base64': + !Join + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; hostname=${ManagementHostname} ; eic=${EnableInstanceConnect} ; admin_subnet=${AdminCIDR} ; eip=${AllocatePublicAddress} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; mgmt_install_type=''${ManagementInstallationType}''' + - !If [EIP, !Sub ' wait_handle=''${ManagementReadyHandle}''',!Ref 'AWS::NoValue'] + - !If [NoSIC, ' sic=""', !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref SICKey, ')"']]] + - !If [ManageOverInternetAndEIP, ' pub_mgmt=true', ' pub_mgmt=false'] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref ManagementBootstrapScript, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref ManagementPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref ManagementMaintenancePasswordHash, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref ManagementVersion]]}] + - ' python3 /etc/cloud_config.py waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" installationType=\"management\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"management\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" "management_installation_type=\"${mgmt_install_type}\"" adminSubnet=\"${admin_subnet}\" allocatePublicAddress=\"${eip}\" overTheInternet=\"${pub_mgmt}\" bootstrapScript64=\"${bootstrap}\"' + PublicAddress: + Type: AWS::EC2::EIP + Condition: EIP + Properties: + Domain: vpc + AddressAssoc: + Type: AWS::EC2::EIPAssociation + Condition: EIP + DependsOn: ManagementInstance + Properties: + InstanceId: !Ref ManagementInstance + AllocationId: 
!GetAtt PublicAddress.AllocationId +Outputs: + PublicAddress: + Condition: EIP + Description: The public address of the Management Server. + Value: !Ref PublicAddress + SSH: + Condition: EIP + Description: SSH command. + Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref PublicAddress]] + URL: + Condition: EIP + Description: URL to the portal. + Value: !Join ['', ['https://', !Ref PublicAddress]] diff --git a/aws/templates/mds/README.md b/aws/templates/mds/README.md new file mode 100644 index 00000000..e920da1f --- /dev/null +++ b/aws/templates/mds/README.md @@ -0,0 +1,21 @@ +## Multi-Domain Management Server + + + + + + + + + + + + + + + +
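Review bot: ManagementInstance is given an instance profile that may carry read or read-write AWS permissions (ManagementPermissions via ManagementRoleStack or ManagementPredefinedRole) but declares no MetadataOptions, so IMDSv1 stays enabled and those role credentials can be fetched through any SSRF-style request proxied by a service on the box; add under Properties `MetadataOptions:` / `  HttpTokens: required` / `  HttpEndpoint: enabled`, assuming the Gaia cloud_config bootstrap can use IMDSv2 (not verifiable from this diff). Separately, AdminCIDR's AllowedPattern accepts 0.0.0.0/0 while AllocatePublicAddress defaults to true, so a deployer can open ports 22, 443, 18190 and 19009 of ManagementSecurityGroup to the whole internet; a `Rules:` assertion in the style of GatewayAddressAllocationRule in tgw-gwlb.yaml (RuleCondition on AllocatePublicAddress, `Assert: !Not [!Equals [!Ref AdminCIDR, '0.0.0.0/0']]`) would reject that at create time. Note also that NoEcho only hides SICKey, the password hashes and ManagementBootstrapScript in the CloudFormation console: UserData embeds them base64-encoded, so anyone with ec2:DescribeInstanceAttribute or access to the instance metadata endpoint can read them back, which deserves a comment on the UserData block. Finally the cloud_config call passes templateVersion="20240204" while Description says (20240417), so one of the two is stale.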
DescriptionNotesDirect Launch
+ Deploys and configures a Multi-Domain Security Management Server.

For more details, refer to sk143213. +
Deploys a Multi-Domain Security Management Server into an existing VPC.
+
+
diff --git a/aws/templates/mds/mds.yaml b/aws/templates/mds/mds.yaml new file mode 100644 index 00000000..241bb981 --- /dev/null +++ b/aws/templates/mds/mds.yaml 
@@ -0,0 +1,510 @@ +AWSTemplateFormatVersion: '2010-09-09' +Description: Deploys a Check Point Multi-Domain Server (20240417) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - VPC + - MDSSubnet + - Label: + default: EC2 Instance Configuration + Parameters: + - MDSName + - MDSInstanceType + - KeyName + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - TerminationProtection + - Label: + default: IAM Permissions (ignored when the installation type is not Primary + Multi-Domain Server) + Parameters: + - MDSPermissions + - MDSPredefinedRole + - MDSSTSRoles + - Label: + default: Check Point Settings + Parameters: + - MDSVersion + - Shell + - MDSPasswordHash + - MDSMaintenancePasswordHash + - Label: + default: Multi-Domain Server Settings + Parameters: + - MDSHostname + - MDSInstallationType + - MDSSICKey + - AllowUploadDownload + - AdminCIDR + - GatewaysAddresses + - MDSBootstrapScript + - NTPPrimary + - NTPSecondary + ParameterLabels: + VPC: + default: VPC + MDSSubnet: + default: MDS subnet + MDSName: + default: MDS name + MDSInstanceType: + default: Instance type + KeyName: + default: Key name + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + MDSPermissions: + default: IAM role + MDSPredefinedRole: + default: Existing IAM role name + MDSSTSRoles: + default: STS roles + MDSVersion: + default: Version & license + Shell: + default: Admin shell + MDSPasswordHash: + default: Password hash + MDSMaintenancePasswordHash: + default: MDS Maintenance Password hash + MDSHostname: + default: MDS hostname + MDSInstallationType: + default: MDS installation type + MDSSICKey: + default: SIC key + AllowUploadDownload: + default: Allow upload & download + 
AdminCIDR: + default: Administrator addresses + GatewaysAddresses: + default: Gateways addresses + MDSBootstrapScript: + default: MDS Bootstrap script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server +Parameters: + VPC: + Description: Select an existing VPC. + Type: AWS::EC2::VPC::Id + MinLength: 1 + MDSSubnet: + Description: To access the instance from the internet, make sure the subnet has. + a route to the internet + Type: AWS::EC2::Subnet::Id + MinLength: 1 + MDSName: + Description: The MDS name tag. + Type: String + Default: Check-Point-MDS + MDSInstanceType: + Description: The instance type of the Multi-Domain Server. + Type: String + Default: m5.2xlarge + AllowedValues: + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - 
r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: must be the name of an existing EC2 KeyPair. + VolumeSize: + Type: Number + MinValue: 100 + Default: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MDSPermissions: + Description: IAM role to attach to the instance profile. + Type: String + Default: Create with read permissions + AllowedValues: + - None (configure later) + - Use existing (specify an existing IAM role name) + - Create with assume role permissions (specify an STS role ARN) + - Create with read permissions + - Create with read-write permissions + MDSPredefinedRole: + Description: A predefined IAM role to attach to the instance profile. Ignored + if IAM role is not set to 'Use existing'. 
+ Type: String + Default: '' + MDSSTSRoles: + Description: The IAM role will be able to assume these STS Roles (comma separated + list of ARNs, without spaces). Ignored if IAM role is set to 'None' or 'Use + existing'. + Type: CommaDelimitedList + Default: '' + MDSVersion: + Description: The license to install on the Multi-Domain Server. + Type: String + Default: R81.20-BYOL + AllowedValues: + - R80.40-BYOL + - R81-BYOL + - R81.10-BYOL + - R81.20-BYOL + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + MDSPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" + to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + MDSMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + MDSHostname: + Description: The name must not contain reserved words. For details, refer to sk40179 (optional). + Type: String + Default: mds-aws + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$' + ConstraintDescription: A valid hostname label or an empty string. + MDSInstallationType: + Description: Determines the Multi-Domain Server installation type. 
+ Type: String + Default: Primary Multi-Domain Server + AllowedValues: + - Primary Multi-Domain Server + - Secondary Multi-Domain Server + - Multi-Domain Log Server + MDSSICKey: + Description: >- + Mandatory if deploying a Secondary Multi-Domain Server or Multi-Domain Log Server, + the Secure Internal Communication key creates trusted connections between Check + Point components. Choose a random string consisting of at least 8 alphanumeric + characters. + Type: String + Default: '' + AllowedPattern: '(|[a-zA-Z0-9]{8,})' + ConstraintDescription: Can be empty if this is a Primary Multi-Domain Server. + Otherwise, at least 8 alpha numeric characters. + NoEcho: true + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + AdminCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate + with the Multi-Domain Server. The address should be either 0.0.0.0/0 (any address) or /32 (specific address) + Type: String + AllowedPattern: '^((0.0.0.0\/0)|)$|^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/32)$' + ConstraintDescription: Administrator address must be either 0.0.0.0/0 or /32 + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Multi-Domain. + Server + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + MDSBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. 
(optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '[\.a-zA-Z0-9\-]*' + NTPSecondary: + Description: (optional) + Type: String + Default: '0.pool.ntp.org' + AllowedPattern: '[\.a-zA-Z0-9\-]*' +Conditions: + EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']] + CreateRole: !And + - !Or + - !Condition PrimaryMDS + - !Condition SecondaryMDS + - !Or + - !Equals [!Ref MDSPermissions, Create with assume role permissions (specify an STS role ARN)] + - !Equals [!Ref MDSPermissions, Create with read permissions] + - !Equals [!Ref MDSPermissions, Create with read-write permissions] + UseRole: !And [!Or [!Condition PrimaryMDS, !Condition SecondaryMDS], !Not [!Equals [!Ref MDSPermissions, None (configure later)]]] + PrimaryMDS: !Equals [!Ref MDSInstallationType, Primary Multi-Domain Server] + SecondaryMDS: !Equals [!Ref MDSInstallationType, Secondary Multi-Domain Server] + PreRole: !And [!Condition UseRole, !Not [!Condition CreateRole]] +Resources: + AMI: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/amis.yaml + Parameters: + Version: !Join ['-', [!Ref MDSVersion, MGMT]] + MDSSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: MDS security group + VpcId: !Ref VPC + SecurityGroupIngress: + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 257 + ToPort: 257 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 8211 + ToPort: 8211 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18191 + ToPort: 18191 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18192 + ToPort: 18192 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18208 + ToPort: 18208 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18210 + ToPort: 18210 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18211 + ToPort: 18211 + - 
CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18221 + ToPort: 18221 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18264 + ToPort: 18264 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 22 + ToPort: 22 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 443 + ToPort: 443 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 18190 + ToPort: 18190 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 19009 + ToPort: 19009 + MDSRoleStack: + Type: AWS::CloudFormation::Stack + Condition: CreateRole + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/iam/cme-iam-role.yaml + Parameters: + Permissions: !Ref MDSPermissions + STSRoles: !Join [',', !Ref MDSSTSRoles] + InstanceProfile: + Type: AWS::IAM::InstanceProfile + Condition: PreRole + Properties: + Path: / + Roles: + - !Ref MDSPredefinedRole + MDSInstance: + Type: AWS::EC2::Instance + DependsOn: MDSSecurityGroup + Properties: + Tags: + - Key: Name + Value: !Ref MDSName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref MDSInstanceType + IamInstanceProfile: !If [UseRole, !If [PreRole, !Ref InstanceProfile, !GetAtt MDSRoleStack.Outputs.CMEIAMRole], !Ref 'AWS::NoValue'] + KeyName: !Ref KeyName + NetworkInterfaces: + - DeviceIndex: 0 + AssociatePublicIpAddress: false + Description: eth0 + GroupSet: + - !Ref MDSSecurityGroup + DeleteOnTermination: true + SubnetId: !Ref MDSSubnet + BlockDeviceMappings: + - DeviceName: /dev/xvda + Ebs: + Encrypted: !If [EncryptedVolume, true, false] + KmsKeyId: !If [EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue'] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + DisableApiTermination: !Ref TerminationProtection + UserData: !Base64 + Fn::Join: + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; hostname=${MDSHostname} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; 
admin_subnet=${AdminCIDR}' + - !If [PrimaryMDS, ' primary=true ; secondary=false', !If [SecondaryMDS, ' primary=false ; secondary=true', ' primary=false ; secondary=false']] + - !If [PrimaryMDS, ' sic=notused', !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref MDSSICKey, ')"']]] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref MDSBootstrapScript, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref MDSPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref MDSMaintenancePasswordHash, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref MDSVersion]]}] + - ' python3 /etc/cloud_config.py sicKey=\"${sic}\" installationType=\"mds\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"mds\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" primary=\"${primary}\" secondary=\"${secondary}\" adminSubnet=\"${admin_subnet}\" bootstrapScript64=\"${bootstrap}\"' \ No newline at end of file diff --git a/aws/templates/single-gw/README.md b/aws/templates/single-gw/README.md new file mode 100644 index 00000000..34e01aba --- /dev/null +++ b/aws/templates/single-gw/README.md @@ -0,0 +1,25 @@ +## Security Gateway + + + + + + + + + + + + + + + + + + + +
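Review bot: MDSSICKey is documented as mandatory for a Secondary Multi-Domain Server or Multi-Domain Log Server, but its AllowedPattern `(|[a-zA-Z0-9]{8,})` and Default '' let such a stack be created with an empty key; UserData only substitutes `sic=notused` on the PrimaryMDS branch, so a secondary deployment passes `sicKey=""` to cloud_config.py and the mistake surfaces at first boot instead of at template validation. A top-level `Rules:` section (the repository already uses one in tgw-gwlb.yaml) can enforce it. Two smaller points: the ParameterGroups label says the IAM settings are "ignored when the installation type is not Primary Multi-Domain Server", yet UseRole and CreateRole also apply to SecondaryMDS, so the label and the conditions disagree; and MDSInstance, like any instance carrying a role, should set `MetadataOptions: {HttpTokens: required, HttpEndpoint: enabled}` if the Gaia image supports IMDSv2, while the base64-encoded SIC key, password hashes and bootstrap script in UserData remain readable via ec2:DescribeInstanceAttribute or the metadata endpoint regardless of NoEcho.
```yaml
Rules:
  SICKeyRequiredRule:
    RuleCondition: !Not [!Equals [!Ref MDSInstallationType, 'Primary Multi-Domain Server']]
    Assertions:
      - AssertDescription: "A Secondary Multi-Domain Server or Multi-Domain Log Server requires a SIC key (MDSSICKey)."
        Assert: !Not [!Equals [!Ref MDSSICKey, '']]
```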
DescriptionNotesDirect Launch
+ Deploys and configures a Security Gateway.

To deploy the Security Gateway so that it will be automatically provisioned, refer to sk131434. +
Creates a new VPC and deploys a Security Gateway into it.
Deploys a Security Gateway into an existing VPC.
+
+
diff --git a/aws/templates/single-gw/gateway-master.yaml b/aws/templates/single-gw/gateway-master.yaml new file mode 100644 index 00000000..3c34df22 --- /dev/null +++ b/aws/templates/single-gw/gateway-master.yaml 
@@ -0,0 +1,489 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploys a Check Point Security Gateway into a new VPC (20240204) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - AvailabilityZone + - VPCCIDR + - PublicSubnetCIDR + - PrivateSubnetCIDR + - Label: + default: EC2 Instance Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - TerminationProtection + - Label: + default: Check Point Settings + Parameters: + - GatewayVersion + - Shell + - GatewaySICKey + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - Label: + default: Quick connect to Smart-1 Cloud (Recommended) + Parameters: + - GatewayToken + - Label: + default: Advanced Settings + Parameters: + - ResourcesTagName + - GatewayHostname + - AllowUploadDownload + - CloudWatch + - GatewayBootstrapScript + - NTPPrimary + - NTPSecondary + - Label: + default: Automatic Provisioning with Security Management Server Settings (optional) + Parameters: + - ControlGatewayOverPrivateOrPublicAddress + - ManagementServer + - ConfigurationTemplate + ParameterLabels: + AvailabilityZone: + default: Availability zone + VPCCIDR: + default: VPC CIDR + PublicSubnetCIDR: + default: Public subnet CIDR + PrivateSubnetCIDR: + default: Private subnet CIDR + GatewayName: + default: Gateway Name + GatewayInstanceType: + default: Gateway Instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate an Elastic IP + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + GatewayVersion: + default: Gateway Version & license + Shell: + default: Admin shell + 
GatewaySICKey: + default: Gateway SIC key + GatewayToken: + default: Smart-1 Cloud Token + GatewayPasswordHash: + default: Gateway Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + ResourcesTagName: + default: Resources prefix tag + GatewayHostname: + default: Gateway Hostname + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Bootstrap Script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server + ControlGatewayOverPrivateOrPublicAddress: + default: Gateway address + ManagementServer: + default: Management Server + ConfigurationTemplate: + default: Configuration template +Parameters: + AvailabilityZone: + Description: The availability zone in which to deploy the instance. + Type: AWS::EC2::AvailabilityZone::Name + MinLength: 1 + VPCCIDR: + Description: The CIDR block of the VPC. + Type: String + Default: 10.0.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnetCIDR: + Description: The public subnet of the Security Gateway. + Type: String + Default: 10.0.10.0/24 + PrivateSubnetCIDR: + Description: The private subnet of the Security Gateway. + Type: String + Default: 10.0.11.0/24 + GatewayName: + Type: String + Default: Check-Point-Gateway + GatewayInstanceType: + Description: The instance type of the Secutiry Gateways. 
+ Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance. 
+ Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: must be the name of an existing EC2 KeyPair. + AllocatePublicAddress: + Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + Default: 100 + MinValue: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Ec2 Instance Connect is not supported with versions prior to R80.40. + Type: String + Default: false + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayVersion: + Type: String + Default: R81.20-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG-NGTP + - R80.40-PAYG-NGTX + - R81-BYOL + - R81-PAYG-NGTP + - R81-PAYG-NGTX + - R81.10-BYOL + - R81.10-PAYG-NGTP + - R81.10-PAYG-NGTX + - R81.20-BYOL + - R81.20-PAYG-NGTP + - R81.20-PAYG-NGTX + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections + between Check Point components. Choose a random string consisting of at least + 8 alphanumeric characters. + Type: String + AllowedPattern: '[a-zA-Z0-9]{8,}' + NoEcho: true + GatewayToken: + Description: Follow the instructions in sk180501 to quickly connect this Gateway to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. 
+ AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" + to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + ResourcesTagName: + Description: The name tag of the resources. (optional) + Type: String + Default: '' + GatewayHostname: + Description: The name must not contain reserved words. For details, refer to sk40179 (optional). + Type: String + Default: '' + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$' + ConstraintDescription: A valid hostname label or an empty string. + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. 
(optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + ControlGatewayOverPrivateOrPublicAddress: + Description: Determines if the Security Gateway is provisioned using its private. + or public address + Type: String + Default: private + AllowedValues: + - private + - public + ManagementServer: + Description: The name that represents the Security Management Server in the automatic. + provisioning configuration. + Type: String + ConfigurationTemplate: + Description: A name of a Security Gateway configuration template in the automatic. + provisioning configuration. + Type: String + MaxLength: 30 +Conditions: + AllocateAddress: !Equals [!Ref AllocatePublicAddress, true] + ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']] +Resources: + VPCStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml + Parameters: + AvailabilityZones: !Ref AvailabilityZone + NumberOfAZs: 1 + VPCCIDR: !Ref VPCCIDR + PublicSubnet1CIDR: !Ref PublicSubnetCIDR + CreatePrivateSubnets: true + PrivateSubnet1CIDR: !Ref PrivateSubnetCIDR + CreateAttachmentSubnets: false + InternalRoutingTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !GetAtt VPCStack.Outputs.VPCID + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - InternalRoutingTable + InternalNetworkRouteAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref InternalRoutingTable + SubnetId: !GetAtt VPCStack.Outputs.PrivateSubnet1ID + GatewayStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/gateway/gateway.yaml + Parameters: + VPC: !GetAtt 
VPCStack.Outputs.VPCID + PublicSubnet: !GetAtt VPCStack.Outputs.PublicSubnet1ID + PrivateSubnet: !GetAtt VPCStack.Outputs.PrivateSubnet1ID + InternalRouteTable: !Ref InternalRoutingTable + GatewayName: !Ref GatewayName + GatewayInstanceType: !Ref GatewayInstanceType + KeyName: !Ref KeyName + AllocatePublicAddress: !Ref AllocatePublicAddress + VolumeSize: !Ref VolumeSize + VolumeType: !Ref VolumeType + VolumeEncryption: !Ref VolumeEncryption + EnableInstanceConnect: !Ref EnableInstanceConnect + TerminationProtection: !Ref TerminationProtection + GatewayVersion: !Ref GatewayVersion + Shell: !Ref Shell + GatewaySICKey: !Ref GatewaySICKey + GatewayToken: !Ref GatewayToken + GatewayPasswordHash: !Ref GatewayPasswordHash + GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash + ResourcesTagName: !Ref ResourcesTagName + GatewayHostname: !Ref GatewayHostname + AllowUploadDownload: !Ref AllowUploadDownload + CloudWatch: !Ref CloudWatch + GatewayBootstrapScript: !Ref GatewayBootstrapScript + NTPPrimary: !Ref NTPPrimary + NTPSecondary: !Ref NTPSecondary + ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress + ManagementServer: !Ref ManagementServer + ConfigurationTemplate: !Ref ConfigurationTemplate +Outputs: + CheckPointInstancePublicAddress: + Condition: AllocateAddress + Description: The public address of the Check Point instance. + Value: !GetAtt GatewayStack.Outputs.PublicAddress + CheckPointInstancePrivateExternalAddress: + Description: The private external address of the Check Point instance. + Value: !GetAtt GatewayStack.Outputs.PrivateExternalAddress + CheckPointInstancePrivateInternalAddress: + Description: The private internal address of the Check Point instance. + Value: !GetAtt GatewayStack.Outputs.PrivateInternalAddress + CheckPointInstanceSSH: + Condition: AllocateAddress + Description: SSH command to the Check Point instance. 
+ Value: !GetAtt GatewayStack.Outputs.SSH
+ CheckPointInstanceURL:
+ Condition: AllocateAddress
+ Description: URL to the portal
+ Value: !GetAtt GatewayStack.Outputs.URL
+ ManagementName:
+ Description: The name that represents the Security Management Server.
+ Value: !Ref ManagementServer
+ ConfigurationTemplateName:
+ Description: The name that represents the configuration template. Configurations
+ required to automatically provision the Gateways in the Auto Scaling Group,
+ such as what Security Policy to install and which Blades to enable, will be
+ placed under this template name.
+ Value: !Ref ConfigurationTemplate
diff --git a/aws/templates/single-gw/gateway.yaml b/aws/templates/single-gw/gateway.yaml
new file mode 100644
index 00000000..5c66f2fa
--- /dev/null
+++ b/aws/templates/single-gw/gateway.yaml
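Review bot: The `GatewayToken` AllowedPattern `'(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'` uses a character class `[aHR0cHM6Ly9]` in its second alternative where a group `(aHR0cHM6Ly9)` looks intended, so any value containing whitespace followed by one of those eleven characters passes validation; the same pattern is repeated in gateway.yaml. This NoEcho value is later interpolated into the cloud-config shell line in gateway.yaml and the pattern appears to be the only validation applied before that, so tightening it to `'(^aHR0cHM6Ly9(.+)|(.*)\s(aHR0cHM6Ly9)(.+)|^$)'` is a worthwhile one-line fix. Separately, the nested stacks fetch `https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml` and `.../gateway/gateway.yaml` with no version in the path, so a stack labelled (20240204) deploys whatever those objects contain at launch time; a comment next to each TemplateURL such as `# NOTE: nested template is fetched at deploy time and is not pinned to this template's version` would make that dependency explicit. `PublicSubnetCIDR` and `PrivateSubnetCIDR` also lack the AllowedPattern and ConstraintDescription that `VPCCIDR` has, so a malformed subnet CIDR is only rejected by the nested VPC stack. The `GatewayInstanceType` description misspells "Secutiry", here and in gateway.yaml.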
@@ -0,0 +1,587 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploys a Check Point Security Gateway into an existing VPC (20240204) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - VPC + - PublicSubnet + - PrivateSubnet + - InternalRouteTable + - Label: + default: EC2 Instance Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - TerminationProtection + - Label: + default: Check Point Settings + Parameters: + - GatewayVersion + - Shell + - GatewaySICKey + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - Label: + default: Quick connect to Smart-1 Cloud (Recommended) + Parameters: + - GatewayToken + - Label: + default: Advanced Settings + Parameters: + - ResourcesTagName + - GatewayHostname + - AllowUploadDownload + - CloudWatch + - GatewayBootstrapScript + - NTPPrimary + - NTPSecondary + - Label: + default: Automatic Provisioning with Security Management Server Settings (optional) + Parameters: + - ControlGatewayOverPrivateOrPublicAddress + - ManagementServer + - ConfigurationTemplate + ParameterLabels: + VPC: + default: VPC + PublicSubnet: + default: Public subnet + PrivateSubnet: + default: Private subnet + InternalRouteTable: + default: Internal route table + GatewayName: + default: Gateway Name + GatewayInstanceType: + default: Gateway Instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate an Elastic IP + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + GatewayVersion: + default: Gateway Version & license + Shell: + default: Admin shell + GatewaySICKey: + default: Gateway SIC 
key + GatewayToken: + default: Smart-1 Cloud Token + GatewayPasswordHash: + default: Gateway Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + ResourcesTagName: + default: Resources prefix tag + GatewayHostname: + default: Gateway Hostname + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Bootstrap Script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server + ControlGatewayOverPrivateOrPublicAddress: + default: Gateway address + ManagementServer: + default: Management Server + ConfigurationTemplate: + default: Configuration template +Parameters: + VPC: + Type: AWS::EC2::VPC::Id + MinLength: 1 + PublicSubnet: + Description: The public subnet of the security gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + PrivateSubnet: + Description: The private subnet of the security gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + InternalRouteTable: + Description: The route table id in which to set 0.0.0.0/0 route to the Gateway instance (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route. If empty - traffic will not be routed through the Security Gateway, this requires manual configuration in the route table. (optional) + Type: String + Default: '' + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Gateway + GatewayInstanceType: + Description: The instance type of the Secutiry Gateway. 
+ Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance. 
+ Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: must be the name of an existing EC2 KeyPair. + AllocatePublicAddress: + Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + Default: 100 + MinValue: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Ec2 Instance Connect is not supported with versions prior to R80.40. + Type: String + Default: false + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayVersion: + Type: String + Default: R81.20-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG-NGTP + - R80.40-PAYG-NGTX + - R81-BYOL + - R81-PAYG-NGTP + - R81-PAYG-NGTX + - R81.10-BYOL + - R81.10-PAYG-NGTP + - R81.10-PAYG-NGTX + - R81.20-BYOL + - R81.20-PAYG-NGTP + - R81.20-PAYG-NGTX + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections + between Check Point components. Choose a random string consisting of at least + 8 alphanumeric characters. + Type: String + AllowedPattern: '[a-zA-Z0-9]{8,}' + NoEcho: true + GatewayToken: + Description: Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. 
+ Type: String + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + NoEcho: true + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" + to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + ResourcesTagName: + Description: The name tag of the resources. (optional) + Type: String + Default: '' + GatewayHostname: + Description: The name must not contain reserved words. For details, refer to sk40179 (optional). + Type: String + Default: '' + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$' + ConstraintDescription: A valid hostname label or an empty string. + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. 
(optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + ControlGatewayOverPrivateOrPublicAddress: + Description: Determines if the Security Gateway is provisioned using its private + or public address. + Type: String + Default: private + AllowedValues: + - private + - public + ManagementServer: + Description: The name that represents the Security Management Server in the automatic + provisioning configuration. + Type: String + ConfigurationTemplate: + Description: A name of a Security Gateway configuration template in the automatic + provisioning configuration. + Type: String + MaxLength: 30 +Conditions: + ProvidedRouteTable: !Not [!Equals [!Ref InternalRouteTable, '']] + AllocateAddress: !Equals [!Ref AllocatePublicAddress, true] + EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']] + ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']] + ProvidedManagementParameters: !And [!Not [!Equals [!Ref ManagementServer, '']], !Not [!Equals [!Ref ConfigurationTemplate, '']]] + EnableCloudWatch: !Equals [!Ref CloudWatch, true] +Resources: + ReadyHandle: + Type: AWS::CloudFormation::WaitConditionHandle + Condition: AllocateAddress + Properties: {} + ReadyCondition: + Type: AWS::CloudFormation::WaitCondition + Condition: AllocateAddress + DependsOn: GatewayInstance + Properties: + Handle: !Ref ReadyHandle + Timeout: 1800 + GatewayIAMRole: + Condition: EnableCloudWatch + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Principal: + Service: [ ec2.amazonaws.com ] + Action: sts:AssumeRole + Path: / + GatewayInstanceProfile: + Condition: EnableCloudWatch + Type: AWS::IAM::InstanceProfile + Properties: + Path: / + Roles: [!Ref GatewayIAMRole] + 
CloudwatchPolicy: + Condition: EnableCloudWatch + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/iam/cloudwatch-policy.yaml + Parameters: + PolicyName: !If [ ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName' ] + PolicyRole: !Ref GatewayIAMRole + AMI: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/amis.yaml + Parameters: + Version: !Join ['-', [!Ref GatewayVersion,GW]] + ExternalNetworkInterface: + Type: AWS::EC2::NetworkInterface + Properties: + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - ExternalNetworkInterface + Description: eth0 + SourceDestCheck: false + GroupSet: + - !Ref PermissiveSecurityGroup + SubnetId: !Ref PublicSubnet + InternalNetworkInterface: + Type: AWS::EC2::NetworkInterface + Properties: + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - InternalNetworkInterface + Description: eth1 + SourceDestCheck: false + GroupSet: + - !Ref PermissiveSecurityGroup + SubnetId: !Ref PrivateSubnet + PermissiveSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - PermissiveSecurityGroup + GroupDescription: Permissive security group. 
+ VpcId: !Ref VPC + SecurityGroupIngress: + - IpProtocol: -1 + CidrIp: 0.0.0.0/0 + InternalDefaultRoute: + Type: AWS::EC2::Route + Condition: ProvidedRouteTable + Properties: + DestinationCidrBlock: 0.0.0.0/0 + NetworkInterfaceId: !Ref InternalNetworkInterface + RouteTableId: !Ref InternalRouteTable + GatewayInstance: + Type: AWS::EC2::Instance + Properties: + Tags: + - Key: Name + Value: !Ref GatewayName + - !If + - ProvidedManagementParameters + - Key: x-chkp-tags + Value: + !Join + - ':' + - - !Join ['=', [management, !Ref ManagementServer]] + - !Join ['=', [template,!Ref ConfigurationTemplate]] + - !Join ['=',[ip-address, !Ref ControlGatewayOverPrivateOrPublicAddress]] + - !Ref 'AWS::NoValue' + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [EncryptedVolume, true, false] + KmsKeyId: !If [EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue'] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: !If [EnableCloudWatch, !Ref GatewayInstanceProfile, !Ref 'AWS::NoValue'] + DisableApiTermination: !Ref TerminationProtection + UserData: + 'Fn::Base64': + !Join + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; hostname=${GatewayHostname} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; eic=${EnableInstanceConnect} ; eip=${AllocatePublicAddress} ; token=''${GatewayToken}''' + - !If [AllocateAddress, !Sub ' wait_handle=''${ReadyHandle}''',!Ref 'AWS::NoValue'] + - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' 
version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${token}\"" installationType=\"gateway\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"gateway\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" allocatePublicAddress=\"${eip}\" bootstrapScript64=\"${bootstrap}\"' + KeyName: !Ref KeyName + NetworkInterfaces: + - DeviceIndex: 0 + NetworkInterfaceId: !Ref ExternalNetworkInterface + - DeviceIndex: 1 + NetworkInterfaceId: !Ref InternalNetworkInterface + PublicAddress: + Type: AWS::EC2::EIP + Condition: AllocateAddress + Properties: + Domain: vpc + AddressAssoc: + Type: AWS::EC2::EIPAssociation + Condition: AllocateAddress + DependsOn: GatewayInstance + Properties: + NetworkInterfaceId: !Ref ExternalNetworkInterface + AllocationId: !GetAtt PublicAddress.AllocationId + PrivateIpAddress: !GetAtt ExternalNetworkInterface.PrimaryPrivateIpAddress +Outputs: + PublicAddress: + Description: The public address of the Check Point instance. + Value: !Ref PublicAddress + Condition: AllocateAddress + PrivateExternalAddress: + Description: The private external address of the Check Point instance. + Value: !GetAtt ExternalNetworkInterface.PrimaryPrivateIpAddress + PrivateInternalAddress: + Description: The private internal address of the Check Point instance. + Value: !GetAtt InternalNetworkInterface.PrimaryPrivateIpAddress + SSH: + Description: SSH command to the Check Point instance. + Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref PublicAddress]] + Condition: AllocateAddress + URL: + Description: URL to the portal. 
+ Value: !Join ['', ['https://', !Ref PublicAddress]] + Condition: AllocateAddress + ManagementName: + Description: The name that represents the Security Management Server. + Value: !Ref ManagementServer + ConfigurationTemplateName: + Description: The name that represents the configuration template. Configurations + required to automatically provision the Gateways in the Auto Scaling Group, + such as what Security Policy to install and which Blades to enable, will be + placed under this template name. + Value: !Ref ConfigurationTemplate diff --git a/aws/templates/standalone/README.md b/aws/templates/standalone/README.md new file mode 100644 index 00000000..b7afb4c3 --- /dev/null +++ b/aws/templates/standalone/README.md @@ -0,0 +1,26 @@ + +## Security Management Server & Security Gateway (Standalone Deployment) + + + + + + + + + + + + + + + + + + + +
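Review bot: `PermissiveSecurityGroup` admits `IpProtocol: -1` from `CidrIp: 0.0.0.0/0` and is attached to both `ExternalNetworkInterface` and `InternalNetworkInterface`, so the SSH (22) and portal (443) endpoints that the `SSH` and `URL` outputs point at are reachable from any source at the AWS layer, with only the gateway's own policy in front of them; the mds.yaml and standalone templates in this same commit scope those ports to an `AdminCIDR` parameter instead. If the intent is that the Check Point gateway enforces filtering itself, a comment on the group stating that would help the next maintainer, e.g. `# Intentionally permissive: traffic filtering is done by the Security Gateway policy, not by this AWS security group`; otherwise an `AdminCIDR` parameter for 22/443, as the other templates use, would be the consistent choice. The `GroupDescription: Permissive security group.` string alone does not record the rationale.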
DescriptionNotesDirect Launch
+ Deploys and configures Standalone or a manually configurable instance. + Creates a new VPC and deploys a Standalone or a manually configurable instance into it.
Deploys a Standalone or a manually configurable instance into an existing VPC.
+
+
diff --git a/aws/templates/standalone/standalone-master.yaml b/aws/templates/standalone/standalone-master.yaml
new file mode 100644
index 00000000..4f598a3f
--- /dev/null
+++ b/aws/templates/standalone/standalone-master.yaml
@@ -0,0 +1,434 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploys either a manually configurable or a Check Point CloudGuard IaaS + Security Gateway & Management (Standalone) instance in a new VPC (20240204) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - AvailabilityZone + - VPCCIDR + - PublicSubnetCIDR + - PrivateSubnetCIDR + - Label: + default: EC2 Instance Configuration + Parameters: + - StandaloneName + - StandaloneInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - TerminationProtection + - Label: + default: Check Point Settings + Parameters: + - StandaloneVersion + - Shell + - StandalonePasswordHash + - StandaloneMaintenancePasswordHash + - Label: + default: Advanced Settings + Parameters: + - ResourcesTagName + - StandaloneHostname + - AllowUploadDownload + - CloudWatch + - StandaloneBootstrapScript + - NTPPrimary + - NTPSecondary + - AdminCIDR + - GatewaysAddresses + ParameterLabels: + AvailabilityZone: + default: Availability zone + VPCCIDR: + default: VPC CIDR + PublicSubnetCIDR: + default: Public subnet CIDR + PrivateSubnetCIDR: + default: Private subnet CIDR + StandaloneName: + default: Standalone Name + StandaloneInstanceType: + default: Instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate an Elastic IP + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + StandaloneVersion: + default: License + Shell: + default: Admin shell + StandalonePasswordHash: + default: Standalone Password hash + StandaloneMaintenancePasswordHash: + default: Gateway Maintenance Password hash + ResourcesTagName: + default: Resources prefix tag + 
StandaloneHostname: + default: Standalone Hostname + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + StandaloneBootstrapScript: + default: Bootstrap Script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server + AdminCIDR: + default: Administrator addresses + GatewaysAddresses: + default: Gateways addresses +Parameters: + AvailabilityZone: + Description: The availability zone in which to deploy the instance. + Type: AWS::EC2::AvailabilityZone::Name + MinLength: 1 + VPCCIDR: + Description: The CIDR block of the VPC. + Type: String + Default: 10.0.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnetCIDR: + Description: The public subnet of the Security Gateway. + Type: String + Default: 10.0.10.0/24 + PrivateSubnetCIDR: + Description: The private subnet of the Security Gateway. + Type: String + Default: 10.0.11.0/24 + StandaloneName: + Type: String + Default: Check-Point-Instance + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: must be the name of an existing EC2 KeyPair. + AllocatePublicAddress: + Default: true + Type: String + AllowedValues: + - true + - false + VolumeSize: + Type: Number + MinValue: 100 + Default: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Ec2 Instance Connect is not supported with versions prior to R80.40. 
+ Default: false + Type: String + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + StandaloneVersion: + Description: Standalone Version & License. + Type: String + Default: R81.20-BYOL + AllowedValues: + - R80.40-PAYG-NGTP + - R80.40-BYOL + - R81-PAYG-NGTP + - R81-BYOL + - R81.10-PAYG-NGTP + - R81.10-BYOL + - R81.20-PAYG-NGTP + - R81.20-BYOL + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + StandalonePasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" + to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + StandaloneMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + StandaloneInstanceType: + Description: The instance type of the Security Gateway & Management (Standalone) instance. 
+ Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + ResourcesTagName: + Description: The name tag of the resources. 
(optional) + Type: String + Default: '' + StandaloneHostname: + Description: The name must not contain reserved words. For details, refer to sk40179 (optional). + Type: String + Default: '' + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$' + ConstraintDescription: A valid hostname label or an empty string. + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + StandaloneBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + AdminCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate. + with the Management Server + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Management. + Server. 
(optional) + Type: String + AllowedPattern: '^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2])))?$' +Conditions: + AllocateAddress: !Equals [!Ref AllocatePublicAddress, true] + ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']] +Resources: + VPCStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml + Parameters: + AvailabilityZones: !Ref AvailabilityZone + NumberOfAZs: 1 + VPCCIDR: !Ref VPCCIDR + PublicSubnet1CIDR: !Ref PublicSubnetCIDR + CreatePrivateSubnets: true + PrivateSubnet1CIDR: !Ref PrivateSubnetCIDR + CreateAttachmentSubnets: false + InternalRoutingTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !GetAtt VPCStack.Outputs.VPCID + Tags: + - Key: Name + Value: !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - InternalRoutingTable + InternalNetworkRouteAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref InternalRoutingTable + SubnetId: !GetAtt VPCStack.Outputs.PrivateSubnet1ID + StandaloneStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/gateway/standalone.yaml + Parameters: + VPC: !GetAtt VPCStack.Outputs.VPCID + PublicSubnet: !GetAtt VPCStack.Outputs.PublicSubnet1ID + PrivateSubnet: !GetAtt VPCStack.Outputs.PrivateSubnet1ID + InternalRouteTable: !Ref InternalRoutingTable + StandaloneName: !Ref StandaloneName + StandaloneInstanceType: !Ref StandaloneInstanceType + KeyName: !Ref KeyName + AllocatePublicAddress: !Ref AllocatePublicAddress + VolumeSize: !Ref VolumeSize + VolumeType: !Ref VolumeType + VolumeEncryption: !Ref VolumeEncryption + EnableInstanceConnect: !Ref EnableInstanceConnect + TerminationProtection: !Ref TerminationProtection + StandaloneVersion: !Ref StandaloneVersion + Shell: !Ref Shell + StandalonePasswordHash: !Ref 
StandalonePasswordHash
+ StandaloneMaintenancePasswordHash: !Ref StandaloneMaintenancePasswordHash
+ ResourcesTagName: !Ref ResourcesTagName
+ StandaloneHostname: !Ref StandaloneHostname
+ AllowUploadDownload: !Ref AllowUploadDownload
+ CloudWatch: !Ref CloudWatch
+ StandaloneBootstrapScript: !Ref StandaloneBootstrapScript
+ NTPPrimary: !Ref NTPPrimary
+ NTPSecondary: !Ref NTPSecondary
+ AdminCIDR: !Ref AdminCIDR
+ GatewaysAddresses: !Ref GatewaysAddresses
+Outputs:
+ CheckPointInstancePublicAddress:
+ Condition: AllocateAddress
+ Description: The public address of the Check Point instance.
+ Value: !GetAtt StandaloneStack.Outputs.PublicAddress
+ CheckPointInstanceSSH:
+ Condition: AllocateAddress
+ Description: SSH command to the Check Point instance.
+ Value: !GetAtt StandaloneStack.Outputs.SSH
+ CheckPointInstanceURL:
+ Condition: AllocateAddress
+ Description: URL to the portal.
+ Value: !GetAtt StandaloneStack.Outputs.URL
diff --git a/aws/templates/standalone/standalone.yaml b/aws/templates/standalone/standalone.yaml
new file mode 100644
index 00000000..78f36aba
--- /dev/null
+++ b/aws/templates/standalone/standalone.yaml
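Review bot: The two nested stacks at `TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml` and `TemplateURL: https://cgi-cfts.s3.amazonaws.com/gateway/standalone.yaml` are fetched from unpinned URLs at deploy time, so the IAM role, security group and instance user-data that actually get created come from whatever that bucket serves, not from the 20240204 revision reviewed in this commit. Pinning the key to a versioned path, or exposing the base URL as a parameter so a vetted copy can be served from a bucket the deployer controls, would make the deployed resources reproducible; at minimum a `# Unpinned external template: resolved at deploy time and may drift from the 20240204 revision in this repository` comment above each `TemplateURL` should record the dependency. A smaller point: the `StandaloneMaintenancePasswordHash` label reads `Gateway Maintenance Password hash` here while the nested standalone.yaml labels the same parameter `Standalone Maintenance Password hash`; aligning the wording avoids confusion in the console.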
@@ -0,0 +1,521 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploys either a manually configurable or a Check Point CloudGuard IaaS + Security Gateway & Management (Standalone) instance into an existing VPC (20240204) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - VPC + - PublicSubnet + - PrivateSubnet + - InternalRouteTable + - Label: + default: EC2 Instance Configuration + Parameters: + - StandaloneName + - StandaloneInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - TerminationProtection + - Label: + default: Check Point Settings + Parameters: + - StandaloneVersion + - Shell + - StandalonePasswordHash + - StandaloneMaintenancePasswordHash + - Label: + default: Advanced Settings + Parameters: + - ResourcesTagName + - StandaloneHostname + - AllowUploadDownload + - CloudWatch + - StandaloneBootstrapScript + - NTPPrimary + - NTPSecondary + - AdminCIDR + - GatewaysAddresses + ParameterLabels: + VPC: + default: VPC + PublicSubnet: + default: Public subnet + PrivateSubnet: + default: Private subnet + InternalRouteTable: + default: Internal route table + StandaloneName: + default: Standalone Name + StandaloneInstanceType: + default: Standalone Instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate an Elastic IP + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + StandaloneVersion: + default: License + Shell: + default: Admin shell + StandalonePasswordHash: + default: Standalone Password hash + StandaloneMaintenancePasswordHash: + default: Standalone Maintenance Password hash + ResourcesTagName: + default: Resources prefix tag + 
StandaloneHostname: + default: Standalone Hostname + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + StandaloneBootstrapScript: + default: Bootstrap Script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server + AdminCIDR: + default: Administrator addresses + GatewaysAddresses: + default: Gateways addresses +Parameters: + VPC: + Type: AWS::EC2::VPC::Id + MinLength: 1 + PublicSubnet: + Description: The public subnet of the Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + PrivateSubnet: + Description: The private subnet of the Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + InternalRouteTable: + Description: The route table id in which to set 0.0.0.0/0 route to the Security Gateway instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route. If empty - traffic will not be routed through the Security Gateway, this requires manual configuration in the route table. (optional) + Type: String + Default: '' + StandaloneName: + Type: String + Default: Check-Point-Instance + StandaloneInstanceType: + Description: The instance type of the Security Gateway & Management (Standalone) instance. 
+ Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance. 
+ Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: must be the name of an existing EC2 KeyPair. + AllocatePublicAddress: + Default: true + Type: String + AllowedValues: + - true + - false + VolumeSize: + Type: Number + MinValue: 100 + Default: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Ec2 Instance Connect is not supported with versions prior to R80.40. + Default: false + Type: String + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + StandaloneVersion: + Description: Standalone Version & License. + Type: String + Default: R81.20-BYOL + AllowedValues: + - R80.40-PAYG-NGTP + - R80.40-BYOL + - R81-PAYG-NGTP + - R81-BYOL + - R81.10-PAYG-NGTP + - R81.10-BYOL + - R81.20-PAYG-NGTP + - R81.20-BYOL + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + StandalonePasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" + to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + StandaloneMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. 
(To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + ResourcesTagName: + Description: The name tag of the resources. (optional) + Type: String + Default: '' + StandaloneHostname: + Description: The name must not contain reserved words. For details, refer to sk40179 (optional). + Type: String + Default: '' + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$' + ConstraintDescription: A valid hostname label or an empty string. + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + StandaloneBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + AdminCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate. + with the Management Server. + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Management. + Server. 
(optional) + Type: String + AllowedPattern: '^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2])))?$' +Conditions: + ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']] + AllocateAddress: !Equals [!Ref AllocatePublicAddress, true] + EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']] + ProvidedRouteTable: !Not [!Equals [!Ref InternalRouteTable, '']] + EnableCloudWatch: !Equals [!Ref CloudWatch, true] + IsBYOL: !Equals [!Select [1, !Split ['-', !Ref StandaloneVersion]], 'BYOL'] +Resources: + ReadyHandle: + Type: AWS::CloudFormation::WaitConditionHandle + Condition: AllocateAddress + Properties: {} + ReadyCondition: + Type: AWS::CloudFormation::WaitCondition + Condition: AllocateAddress + DependsOn: StandaloneInstance + Properties: + Handle: !Ref ReadyHandle + Timeout: 1800 + StandaloneIAMRole: + Condition: EnableCloudWatch + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Principal: + Service: [ ec2.amazonaws.com ] + Action: sts:AssumeRole + Path: / + StandaloneInstanceProfile: + Condition: EnableCloudWatch + Type: AWS::IAM::InstanceProfile + Properties: + Path: / + Roles: [ !Ref StandaloneIAMRole ] + CloudwatchPolicy: + Condition: EnableCloudWatch + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/iam/cloudwatch-policy.yaml + Parameters: + PolicyName: !If [ ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName' ] + PolicyRole: !Ref StandaloneIAMRole + AMI: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/amis.yaml + Parameters: + Version: !If [IsBYOL, !Join ['-', [!Ref StandaloneVersion,MGMT]], !Ref StandaloneVersion] + ExternalNetworkInterface: + Type: AWS::EC2::NetworkInterface + Properties: + Tags: + - Key: Name + Value: !Join + - _ + - - !If [ProvidedResourcesTag, !Ref 
ResourcesTagName, !Ref 'AWS::StackName'] + - ExternalNetworkInterface + Description: eth0 + SourceDestCheck: false + GroupSet: + - !Ref PermissiveSecurityGroup + SubnetId: !Ref PublicSubnet + InternalNetworkInterface: + Type: AWS::EC2::NetworkInterface + Properties: + Tags: + - Key: Name + Value: !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - InternalNetworkInterface + Description: eth1 + SourceDestCheck: false + GroupSet: + - !Ref PermissiveSecurityGroup + SubnetId: !Ref PrivateSubnet + PermissiveSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + Tags: + - Key: Name + Value: !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - PermissiveSecurityGroup + GroupDescription: Permissive security group. + VpcId: !Ref VPC + SecurityGroupIngress: + - IpProtocol: -1 + CidrIp: 0.0.0.0/0 + InternalDefaultRoute: + Type: AWS::EC2::Route + Condition: ProvidedRouteTable + Properties: + DestinationCidrBlock: 0.0.0.0/0 + NetworkInterfaceId: !Ref InternalNetworkInterface + RouteTableId: !Ref InternalRouteTable + StandaloneInstance: + Type: AWS::EC2::Instance + Properties: + Tags: + - Key: Name + Value: !Ref StandaloneName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref StandaloneInstanceType + BlockDeviceMappings: + - DeviceName: /dev/xvda + Ebs: + Encrypted: !If [EncryptedVolume, true, false] + KmsKeyId: !If [EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue'] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: !If [EnableCloudWatch, !Ref StandaloneInstanceProfile, !Ref 'AWS::NoValue'] + DisableApiTermination: !Ref TerminationProtection + UserData: + 'Fn::Base64': + !Join + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; hostname=${StandaloneHostname} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; eic=${EnableInstanceConnect} 
; eip=${AllocatePublicAddress} ; admin_subnet=${AdminCIDR}' + - !If [AllocateAddress, !Sub ' wait_handle=''${ReadyHandle}''',!Ref 'AWS::NoValue'] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref StandaloneBootstrapScript, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref StandalonePasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref StandaloneMaintenancePasswordHash, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref StandaloneVersion]]}] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" installationType=\"standalone\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"standalone\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" adminSubnet=\"${admin_subnet}\" allocatePublicAddress=\"${eip}\" bootstrapScript64=\"${bootstrap}\"' + KeyName: !Ref KeyName + NetworkInterfaces: + - DeviceIndex: 0 + NetworkInterfaceId: !Ref ExternalNetworkInterface + - DeviceIndex: 1 + NetworkInterfaceId: !Ref InternalNetworkInterface + PublicAddress: + Type: AWS::EC2::EIP + Condition: AllocateAddress + Properties: + Domain: vpc + AddressAssoc: + Type: AWS::EC2::EIPAssociation + DependsOn: StandaloneInstance + Condition: AllocateAddress + Properties: + NetworkInterfaceId: !Ref ExternalNetworkInterface + AllocationId: !GetAtt PublicAddress.AllocationId + PrivateIpAddress: !GetAtt ExternalNetworkInterface.PrimaryPrivateIpAddress +Outputs: + PublicAddress: + Condition: AllocateAddress + Description: The public address of the Check Point instance. + Value: !Ref PublicAddress + SSH: + Condition: AllocateAddress + Description: SSH command to the Check Point instance. 
+ Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref PublicAddress]] + URL: + Condition: AllocateAddress + Description: URL to the portal. + Value: !Join ['', ['https://', !Ref PublicAddress ]] diff --git a/aws/templates/tgw-asg/README.md b/aws/templates/tgw-asg/README.md new file mode 100644 index 00000000..1ea088d6 --- /dev/null +++ b/aws/templates/tgw-asg/README.md @@ -0,0 +1,26 @@ + +## Transit Gateway Auto Scaling Group + + + + + + + + + + + + + + + + + + + +
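Review bot: `GatewaysAddresses` is declared without a `Default` (so every caller must supply it) and listed under Advanced Settings, but nothing in this template reads it — the runcmd `!Sub` forwards only `adminSubnet=${AdminCIDR}` — so a value entered here has no effect; because standalone-master.yaml passes it to this stack it cannot simply be removed, but it should get `Default: ''` and a comment such as `# Accepted for parameter parity with standalone-master.yaml; not consumed by this template.`. Separately, `PermissiveSecurityGroup` admits every protocol from `0.0.0.0/0` on both the external and internal interfaces, while the `AdminCIDR` description promises that web, SSH and GUI clients are allowed only from that network; that restriction is applied solely by the instance's own policy through `adminSubnet`, not by the security group. Making this explicit in `GroupDescription`, e.g. `Permissive security group - filtering is delegated to the Check Point policy; AdminCIDR does not restrict this group.`, tells whoever audits the deployed stack where the enforcement actually lives.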
DescriptionNotesDirect Launch
+ Deploys and configured the Security Gateways as an AWS Auto Scaling group configured for Transit Gateway.

For more details, refer to AWS Transit Gateway R80.10 and above Deployment Guide. +
Creates a new VPC and deploys an Auto Scaling group of Security Gateways configured for Transit Gateway into it, and an optional, preconfigured Security Management Server to manage them.
Deploys an Auto Scaling group of Security Gateways configured for Transit Gateway into an existing VPC, and an optional, preconfigured Security Management Server to manage them.
+
+
diff --git a/aws/templates/tgw-asg/tgw-asg-master.yaml b/aws/templates/tgw-asg/tgw-asg-master.yaml
new file mode 100644
index 00000000..076e24a7
--- /dev/null
+++ b/aws/templates/tgw-asg/tgw-asg-master.yaml
@@ -0,0 +1,688 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploy an Auto Scaling Group of CloudGuard Security Gateways for Transit Gateway with an optional Management Server in a new VPC (20240204) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: Network Configuration + Parameters: + - AvailabilityZones + - NumberOfAZs + - VPCCIDR + - PublicSubnet1CIDR + - PublicSubnet2CIDR + - PublicSubnet3CIDR + - PublicSubnet4CIDR + - Label: + default: General Settings + Parameters: + - KeyName + - EnableVolumeEncryption + - VolumeSize + - VolumeType + - EnableInstanceConnect + - TerminationProtection + - AllowUploadDownload + - Label: + default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - GatewaysMinSize + - GatewaysMaxSize + - GatewayVersion + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - CloudWatch + - ASN + - AdminEmail + - Label: + default: Check Point CloudGuard IaaS Security Management Server Configuration + Parameters: + - ManagementDeploy + - ManagementInstanceType + - ManagementVersion + - ManagementPasswordHash + - ManagementMaintenancePasswordHash + - ManagementPermissions + - ManagementPredefinedRole + - GatewaysBlades + - AdminCIDR + - GatewayManagement + - GatewaysAddresses + - Label: + default: Automatic Provisioning with Security Management Server Settings + Parameters: + - ControlGatewayOverPrivateOrPublicAddress + - ManagementServer + - ConfigurationTemplate + ParameterLabels: + AvailabilityZones: + default: Availability Zones + NumberOfAZs: + default: Number of AZs + VPCCIDR: + default: VPC CIDR + PublicSubnet1CIDR: + default: Public Subnet 1 + PublicSubnet2CIDR: + default: Public Subnet 2 + PublicSubnet3CIDR: + default: Public Subnet 3 + PublicSubnet4CIDR: + default: Public Subnet 4 + KeyName: + default: Key name + EnableVolumeEncryption: + default: Enable environment volume encryption 
+ VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + AllowUploadDownload: + default: Allow upload & download + GatewayName: + default: GatewayName + GatewayInstanceType: + default: Gateways instance type + GatewaysMinSize: + default: Minimum group size + GatewaysMaxSize: + default: Maximum group size + GatewayVersion: + default: Gateways version & license + GatewayPasswordHash: + default: Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: SIC key + CloudWatch: + default: CloudWatch metrics + ASN: + default: BGP ASN + AdminEmail: + default: Email address + ManagementDeploy: + default: Deploy Management Server + ManagementInstanceType: + default: Instance type + ManagementVersion: + default: Version & license + ManagementPasswordHash: + default: Password hash + ManagementMaintenancePasswordHash: + default: Management Maintenance Password hash + ManagementPermissions: + default: IAM role + ManagementPredefinedRole: + default: Existing IAM role name + GatewaysBlades: + default: Default Blades + AdminCIDR: + default: Administrator addresses + GatewayManagement: + default: Manage Gateways + GatewaysAddresses: + default: Gateways addresses + ControlGatewayOverPrivateOrPublicAddress: + default: Gateways addresses + ManagementServer: + default: Management Server + ConfigurationTemplate: + default: Configuration template +Parameters: + AvailabilityZones: + Description: List of Availability Zones (AZs) to use for the subnets in the VPC. Select at least two. + Type: List + MinLength: 2 + NumberOfAZs: + Description: Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter. + Type: Number + Default: 2 + MinValue: 2 + MaxValue: 4 + VPCCIDR: + Description: CIDR block for the VPC. 
+ Type: String + Default: 10.0.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet1CIDR: + Description: CIDR block for public subnet 1 located in the 1st Availability Zone. If you choose to deploy a Security Management Server it will be deployed in this subnet. + Type: String + Default: 10.0.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet2CIDR: + Description: CIDR block for public subnet 2 located in the 2nd Availability Zone. + Type: String + Default: 10.0.20.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet3CIDR: + Description: CIDR block for public subnet 3 located in the 3rd Availability Zone. + Type: String + Default: 10.0.30.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet4CIDR: + Description: CIDR block for public subnet 4 located in the 4th Availability Zone. + Type: String + Default: 10.0.40.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instances created by this stack. 
+ Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: Must be the name of an existing EC2 KeyPair. + EnableVolumeEncryption: + Description: Encrypt Environment instances volume with default AWS KMS key. + Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + MinValue: 100 + Default: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Gateway + GatewayInstanceType: + Description: The EC2 instance type for the Security Gateways. 
+ Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + GatewaysMinSize: + Description: The minimal number of Security Gateways. 
+ Type: Number + Default: 2 + MinValue: 1 + GatewaysMaxSize: + Description: The maximal number of Security Gateways. + Type: Number + Default: 10 + MinValue: 1 + GatewayVersion: + Description: The version and license to install on the Security Gateways. + Type: String + Default: R81.20-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG-NGTP + - R80.40-PAYG-NGTX + - R81-BYOL + - R81-PAYG-NGTP + - R81-PAYG-NGTX + - R81.10-BYOL + - R81.10-PAYG-NGTP + - R81.10-PAYG-NGTX + - R81.20-BYOL + - R81.20-PAYG-NGTP + - R81.20-PAYG-NGTX + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters. + Type: String + AllowedPattern: '[a-zA-Z0-9]{8,}' + ConstraintDescription: Secure Internal Communication activation key should contain only alpha numeric characters and be at least 8 characters long. + NoEcho: true + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + ASN: + Description: The organization Autonomous System Number (ASN) that identifies the routing domain for the Security Gateways. 
+ Type: String + AllowedPattern: '^[0-9]+$' + Default: 65000 + AdminEmail: + Description: Notifications about scaling events will be sent to this email address. (optional) + Type: String + Default: '' + AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$' + ConstraintDescription: Must be a valid email address. + ManagementDeploy: + Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section. + Type: String + Default: true + AllowedValues: + - true + - false + ManagementInstanceType: + Description: The EC2 instance type of the Security Management Server. + Type: String + Default: m5.xlarge + AllowedValues: + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - 
r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + ManagementVersion: + Description: The version and license to install on the Security Management Server. + Type: String + Default: R81.20-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG + - R81-BYOL + - R81-PAYG + - R81.10-BYOL + - R81.10-PAYG + - R81.20-BYOL + - R81.20-PAYG + ManagementPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + ManagementMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + ManagementPermissions: + Description: IAM role to attach to the instance profile. 
+ Type: String + Default: Create with read-write permissions + AllowedValues: + - None (configure later) + - Use existing (specify an existing IAM role name) + - Create with assume role permissions (specify an STS role ARN) + - Create with read permissions + - Create with read-write permissions + ManagementPredefinedRole: + Description: A predefined IAM role to attach to the instance profile. Ignored if IAM role is not set to 'Use existing'. + Type: String + Default: '' + GatewaysBlades: + Description: Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (these and additional Blades can be manually turned on or off later). + Type: String + Default: true + AllowedValues: + - true + - false + AdminCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate with the Security Management Server. + Type: String + AllowedPattern: '^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2])))?$' + GatewayManagement: + Description: Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. + Type: String + Default: Locally managed + AllowedValues: + - Locally managed + - Over the internet + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Security Management Server. + Type: String + AllowedPattern: '^$|^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + ControlGatewayOverPrivateOrPublicAddress: + Description: Determines if the gateways are provisioned using their private or public address. + Type: String + Default: private + AllowedValues: + - private + - public + ManagementServer: + Description: The name that represents the Security Management Server in the automatic provisioning configuration. 
+ Type: String + Default: management-server + MinLength: 1 + ConfigurationTemplate: + Description: A name of a gateway configuration template in the automatic provisioning configuration. + Type: String + Default: TGW-ASG-configuration + MinLength: 1 + MaxLength: 30 +Conditions: + 4AZs: !Equals [!Ref NumberOfAZs, 4] + 3AZs: !Or [!Equals [!Ref NumberOfAZs, 3], !Condition 4AZs] + DeployManagement: !Equals [!Ref ManagementDeploy, true] +Resources: + VPCStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml + Parameters: + AvailabilityZones: !Join [',', !Ref AvailabilityZones] + NumberOfAZs: !Ref NumberOfAZs + VPCCIDR: !Ref VPCCIDR + PublicSubnet1CIDR: !Ref PublicSubnet1CIDR + PublicSubnet2CIDR: !Ref PublicSubnet2CIDR + PublicSubnet3CIDR: !Ref PublicSubnet3CIDR + PublicSubnet4CIDR: !Ref PublicSubnet4CIDR + CreatePrivateSubnets: false + MainStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/autoscale/tgw-asg.yaml + Parameters: + VPC: !GetAtt VPCStack.Outputs.VPCID + GatewaysSubnets: !Join + - ',' + - - !GetAtt VPCStack.Outputs.PublicSubnet1ID + - !GetAtt VPCStack.Outputs.PublicSubnet2ID + - !If [3AZs, !GetAtt VPCStack.Outputs.PublicSubnet3ID, !Ref 'AWS::NoValue'] + - !If [4AZs, !GetAtt VPCStack.Outputs.PublicSubnet4ID, !Ref 'AWS::NoValue'] + KeyName: !Ref KeyName + EnableVolumeEncryption: !Ref EnableVolumeEncryption + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + EnableInstanceConnect: !Ref EnableInstanceConnect + TerminationProtection: !Ref TerminationProtection + AllowUploadDownload: !Ref AllowUploadDownload + GatewayName: !Ref GatewayName + GatewayInstanceType: !Ref GatewayInstanceType + GatewaysMinSize: !Ref GatewaysMinSize + GatewaysMaxSize: !Ref GatewaysMaxSize + GatewayVersion: !Ref GatewayVersion + GatewayPasswordHash: !Ref GatewayPasswordHash + GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash + GatewaySICKey: 
!Ref GatewaySICKey + CloudWatch: !Ref CloudWatch + ASN: !Ref ASN + AdminEmail: !Ref AdminEmail + ManagementDeploy: !Ref ManagementDeploy + ManagementInstanceType: !Ref ManagementInstanceType + ManagementVersion: !Ref ManagementVersion + ManagementPasswordHash: !Ref ManagementPasswordHash + ManagementMaintenancePasswordHash: !Ref ManagementMaintenancePasswordHash + ManagementPermissions: !Ref ManagementPermissions + ManagementPredefinedRole: !Ref ManagementPredefinedRole + GatewaysBlades: !Ref GatewaysBlades + AdminCIDR: !Ref AdminCIDR + GatewayManagement: !Ref GatewayManagement + GatewaysAddresses: !Ref GatewaysAddresses + ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress + ManagementServer: !Ref ManagementServer + ConfigurationTemplate: !Ref ConfigurationTemplate +Outputs: + ManagementName: + Description: The name that represents the Security Management Server. + Value: !Ref ManagementServer + ConfigurationTemplateName: + Description: The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name. + Value: !Ref ConfigurationTemplate + ControllerName: + Description: The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name. + Value: !GetAtt MainStack.Outputs.ControllerName + ManagementPublicAddress: + Description: The public address of the management servers. 
+ Value: !GetAtt MainStack.Outputs.ManagementPublicAddress
+ Condition: DeployManagement
+Rules:
+ GatewayAddressRule:
+ RuleCondition: !Equals [!Ref ManagementDeploy, 'true']
+ Assertions:
+ - AssertDescription: "Gateway's netowrk to communicate with the Security Management Server must be provided"
+ Assert: !Not [ !Equals [!Ref GatewaysAddresses, '']]
\ No newline at end of file
diff --git a/aws/templates/tgw-asg/tgw-asg.yaml b/aws/templates/tgw-asg/tgw-asg.yaml
new file mode 100644
index 00000000..c63676e1
--- /dev/null
+++ b/aws/templates/tgw-asg/tgw-asg.yaml
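Review bot: AdminCIDR's AllowedPattern (`^(...)?$`) accepts an empty string and the parameter carries no Default or ConstraintDescription, yet the Rules section at the end of the hunk only asserts that GatewaysAddresses is non-empty when ManagementDeploy is 'true'; an empty AdminCIDR is handed to MainStack unchanged, and how the nested tgw-asg.yaml treats it is outside this hunk. Since the parameter's own description states this is the only network allowed web, SSH and GUI access to the Security Management Server, I'd add a parallel assertion under GatewayAddressRule, `- AssertDescription: "Administrator network (AdminCIDR) must be provided when deploying the Security Management Server"` followed by `Assert: !Not [!Equals [!Ref AdminCIDR, '']]`, plus a ConstraintDescription on the parameter naming the x.x.x.x/0-32 form its pattern accepts. The existing AssertDescription also misspells "network" as "netowrk", ParameterLabels gives both GatewaysAddresses and ControlGatewayOverPrivateOrPublicAddress the identical label "Gateways addresses" so the two fields are indistinguishable in the console, and VolumeSize is the one parameter with no Description at all.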
@@ -0,0 +1,679 @@ +AWSTemplateFormatVersion: '2010-09-09' +Description: Deploy an Auto Scaling Group of CloudGuard Security Gateways for Transit Gateway with an optional Management Server into an existing VPC (20240204) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: Network Configuration + Parameters: + - VPC + - GatewaysSubnets + - Label: + default: General Settings + Parameters: + - KeyName + - EnableVolumeEncryption + - VolumeSize + - VolumeType + - EnableInstanceConnect + - TerminationProtection + - AllowUploadDownload + - Label: + default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - GatewaysMinSize + - GatewaysMaxSize + - GatewayVersion + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - CloudWatch + - ASN + - AdminEmail + - Label: + default: Check Point CloudGuard IaaS Security Management Server Configuration + Parameters: + - ManagementDeploy + - ManagementInstanceType + - ManagementVersion + - ManagementPasswordHash + - ManagementMaintenancePasswordHash + - ManagementPermissions + - ManagementPredefinedRole + - GatewaysBlades + - AdminCIDR + - GatewayManagement + - GatewaysAddresses + - Label: + default: Automatic Provisioning with Security Management Server Settings + Parameters: + - ControlGatewayOverPrivateOrPublicAddress + - ManagementServer + - ConfigurationTemplate + ParameterLabels: + VPC: + default: VPC + GatewaysSubnets: + default: Subnets + KeyName: + default: Key name + EnableVolumeEncryption: + default: Enable environment volume encryption + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + AllowUploadDownload: + default: Allow upload & download + GatewayName: + default: Name + GatewayInstanceType: + default: Instance type + 
GatewaysMinSize: + default: Minimum group size + GatewaysMaxSize: + default: Maximum group size + GatewayVersion: + default: Version & license + GatewayPasswordHash: + default: Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: SIC key + CloudWatch: + default: CloudWatch metrics + ASN: + default: BGP ASN + AdminEmail: + default: Email address + ManagementDeploy: + default: Deploy Management Server + ManagementInstanceType: + default: Instance type + ManagementVersion: + default: Version & license + ManagementPasswordHash: + default: Password hash + ManagementMaintenancePasswordHash: + default: Management Maintenance Password hash + ManagementPermissions: + default: IAM role + ManagementPredefinedRole: + default: Existing IAM role name + GatewaysBlades: + default: Default Blades + AdminCIDR: + default: Administrator addresses + GatewaysAddresses: + default: Gateways addresses + GatewayManagement: + default: Manage Gateways + ControlGatewayOverPrivateOrPublicAddress: + default: Gateways addresses + ManagementServer: + default: Management Server + ConfigurationTemplate: + default: Configuration template +Parameters: + VPC: + Description: Select an existing VPC. + Type: AWS::EC2::VPC::Id + MinLength: 1 + ConstraintDescription: You must select a VPC. + GatewaysSubnets: + Description: Select at least 2 external subnets in the VPC. If you choose to deploy a Security Management Server it will be deployed in the first subnet. + Type: List + MinLength: 2 + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instances created by this stack. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: Must be the name of an existing EC2 KeyPair. + EnableVolumeEncryption: + Description: Encrypt Environment instances volume with default AWS KMS key. 
+ Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + MinValue: 100 + Default: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Gateway + GatewayInstanceType: + Description: The EC2 instance type for the Security Gateways. + Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - 
r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + GatewaysMinSize: + Description: The minimal number of Security Gateways. + Type: Number + Default: 2 + MinValue: 1 + GatewaysMaxSize: + Description: The maximal number of Security Gateways. + Type: Number + Default: 10 + MinValue: 1 + GatewayVersion: + Description: The version and license to install on the Security Gateways. + Type: String + Default: R81.20-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG-NGTP + - R80.40-PAYG-NGTX + - R81-BYOL + - R81-PAYG-NGTP + - R81-PAYG-NGTX + - R81.10-BYOL + - R81.10-PAYG-NGTP + - R81.10-PAYG-NGTX + - R81.20-BYOL + - R81.20-PAYG-NGTP + - R81.20-PAYG-NGTX + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. 
(To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters. + Type: String + AllowedPattern: '[a-zA-Z0-9]{8,}' + ConstraintDescription: Secure Internal Communication activation key should contain only alpha numeric characters and be at least 8 characters long. + NoEcho: true + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + ASN: + Description: The organization Autonomous System Number (ASN) that identifies the routing domain for the Security Gateways. + Type: String + Default: 65000 + AllowedPattern: '^[0-9]+$' + AdminEmail: + Description: Notifications about scaling events will be sent to this email address. (optional) + Type: String + Default: '' + AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$' + ConstraintDescription: Must be a valid email address. + ManagementDeploy: + Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section. + Type: String + Default: true + AllowedValues: + - true + - false + ManagementInstanceType: + Description: The EC2 instance type of the Security Management Server. 
+ Type: String + Default: m5.xlarge + AllowedValues: + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + ManagementVersion: + Description: The version and license to install on the Security Management Server. 
+ Type: String + Default: R81.20-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG + - R81-BYOL + - R81-PAYG + - R81.10-BYOL + - R81.10-PAYG + - R81.20-BYOL + - R81.20-PAYG + ManagementPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + ManagementMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + ManagementPermissions: + Description: IAM role to attach to the instance profile. + Type: String + Default: Create with read-write permissions + AllowedValues: + - None (configure later) + - Use existing (specify an existing IAM role name) + - Create with assume role permissions (specify an STS role ARN) + - Create with read permissions + - Create with read-write permissions + ManagementPredefinedRole: + Description: A predefined IAM role to attach to the instance profile. Ignored if IAM role is not set to 'Use existing'. + Type: String + Default: '' + GatewaysBlades: + Description: Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (these and additional Blades can be manually turned on or off later). + Type: String + Default: true + AllowedValues: + - true + - false + AdminCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate with the Security Management Server. 
+ Type: String + AllowedPattern: '^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2])))?$' + GatewayManagement: + Description: Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. + Type: String + Default: Locally managed + AllowedValues: + - Locally managed + - Over the internet + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Security Management Server. + Type: String + AllowedPattern: '^$|^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + ControlGatewayOverPrivateOrPublicAddress: + Description: Determines if the gateways are provisioned using their private or public address. + Type: String + Default: private + AllowedValues: + - private + - public + ManagementServer: + Description: The name that represents the Security Management Server in the automatic provisioning configuration. + Type: String + Default: management-server + MinLength: 1 + ConfigurationTemplate: + Description: A name of a gateway configuration template in the automatic provisioning configuration. 
+ Type: String + Default: TGW-ASG-configuration + MinLength: 1 + MaxLength: 30 +Conditions: + VolumeEncryption: !Equals [!Ref EnableVolumeEncryption, true] + DeployManagement: !Equals [!Ref ManagementDeploy, true] +Resources: + ManagementStack: + Type: AWS::CloudFormation::Stack + Condition: DeployManagement + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/management/management.yaml + Parameters: + VPC: !Ref VPC + ManagementSubnet: !Select [0, !Ref GatewaysSubnets] + ManagementName: !Ref ManagementServer + ManagementInstanceType: !Ref ManagementInstanceType + KeyName: !Ref KeyName + AllocatePublicAddress: true + VolumeEncryption: !If [VolumeEncryption, alias/aws/ebs, ''] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + EnableInstanceConnect: !Ref EnableInstanceConnect + TerminationProtection: !Ref TerminationProtection + ManagementPermissions: !Ref ManagementPermissions + ManagementPredefinedRole: !Ref ManagementPredefinedRole + ManagementVersion: !Ref ManagementVersion + ManagementPasswordHash: !Ref ManagementPasswordHash + ManagementMaintenancePasswordHash: !Ref ManagementMaintenancePasswordHash + AllowUploadDownload: !Ref AllowUploadDownload + AdminCIDR: !Ref AdminCIDR + GatewayManagement: !Ref GatewayManagement + GatewaysAddresses: !Ref GatewaysAddresses + ManagementBootstrapScript: !Join + - ';' + - - 'echo -e "\nStarting Bootstrap script\n"' + - 'echo "Setting up bootstrap parameters"' + - !Sub 'conf_template=${ConfigurationTemplate} ; mgmt=${ManagementServer} ; region=${AWS::Region} ; blades=${GatewaysBlades}' + - !Sub ['version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - !Join ['', ['sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ' | base64 -d)"']] + - 'community="tgw-community" ; controller="tgw-controller"' + - 'echo "Adding tgw identifier to cloud-version"' + - 'template="management_tgw_asg"' + - 'cv_path="/etc/cloud-version"' + - 'if test -f ${cv_path}; then sed -i 
''/template_name/c\template_name: ''"${template}"'''' /etc/cloud-version; fi' + - 'cv_json_path="/etc/cloud-version.json"' + - 'cv_json_path_tmp="/etc/cloud-version-tmp.json"' + - 'if test -f ${cv_json_path}; then cat ${cv_json_path} | jq ''.template_name = "''"${template}"''"'' > ${cv_json_path_tmp}; mv ${cv_json_path_tmp} ${cv_json_path}; fi' + - 'echo "Configuring VPN community: ${community}"' + - '[[ -d /opt/CPcme/menu/additions ]] && /opt/CPcme/menu/additions/config-community.sh "${community}" || /etc/fw/scripts/autoprovision/config-community.sh "${community}"' + - 'echo "Setting VPN rules"' + - 'mgmt_cli -r true add access-layer name "Inline"' + - 'mgmt_cli -r true add access-rule layer Network position 1 name "${community} VPN Traffic Rule" vpn.directional.1.from "${community}" vpn.directional.1.to "${community}" vpn.directional.2.from "${community}" vpn.directional.2.to External_clear action "Apply Layer" source "Any" destination "Any" service "Any" inline-layer "Inline"' + - 'mgmt_cli -r true add dynamic-object name "LocalGateway"' + - 'mgmt_cli -r true add nat-rule package standard position bottom install-on "Policy Targets" original-source All_Internet translated-source "LocalGateway" method hide' + - 'echo "Setting CME configurations"' + - 'autoprov_cfg -f init AWS -mn "${mgmt}" -tn "${conf_template}" -cn "${controller}" -po Standard -otp "${sic}" -r "${region}" -ver "${version}" -iam -dt TGW' + - 'autoprov_cfg -f set controller AWS -cn "${controller}" -sv -com "${community}"' + - 'autoprov_cfg -f set template -tn "${conf_template}" -vpn -vd "" -con "${community}"' + - '${blades} && autoprov_cfg -f set template -tn "${conf_template}" -ia -ips -appi -av -ab' + - 'echo -e "\nFinished Bootstrap script\n"' + SecurityGatewaysStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/autoscale/autoscale.yaml + Parameters: + VPC: !Ref VPC + GatewaysSubnets: !Join [',', !Ref GatewaysSubnets] + GatewayName: !Ref 
GatewayName + GatewayInstanceType: !Ref GatewayInstanceType + KeyName: !Ref KeyName + EnableVolumeEncryption: !Ref EnableVolumeEncryption + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + EnableInstanceConnect: !Ref EnableInstanceConnect + GatewaysMinSize: !Ref GatewaysMinSize + GatewaysMaxSize: !Ref GatewaysMaxSize + AdminEmail: !Ref AdminEmail + GatewayVersion: !Ref GatewayVersion + GatewayPasswordHash: !Ref GatewayPasswordHash + GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash + GatewaySICKey: !Ref GatewaySICKey + AllowUploadDownload: !Ref AllowUploadDownload + CloudWatch: !Ref CloudWatch + GatewayBootstrapScript: !Join + - ';' + - - 'echo -e "\nStarting Bootstrap script\n"' + - 'echo "Setting up bootstrap parameters"' + - !Sub 'asn=${ASN}' + - 'echo "Adding tgw identifier to cloud-version"' + - 'template="autoscale_tgw"' + - 'cv_path="/etc/cloud-version"' + - 'if test -f ${cv_path}; then sed -i ''/template_name/c\template_name: ''"${template}"'''' /etc/cloud-version; fi' + - 'cv_json_path="/etc/cloud-version.json"' + - 'cv_json_path_tmp="/etc/cloud-version-tmp.json"' + - 'if test -f ${cv_json_path}; then cat ${cv_json_path} | jq ''.template_name = "''"${template}"''"'' > ${cv_json_path_tmp}; mv ${cv_json_path_tmp} ${cv_json_path}; fi' + - 'echo "Setting ASN to: ${asn}"' + - 'clish -c "set as ${asn}" -s' + - 'echo -e "\nFinished Bootstrap script\n"' + ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress + ManagementServer: !Ref ManagementServer + ConfigurationTemplate: !Ref ConfigurationTemplate +Outputs: + ManagementName: + Description: The name that represents the Security Management Server. + Value: !Ref ManagementServer + ConfigurationTemplateName: + Description: The name that represents the configuration template. 
Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name. + Value: !Ref ConfigurationTemplate + ControllerName: + Description: The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name. + Value: tgw-controller + ManagementPublicAddress: + Description: The public address of the management servers. + Value: !GetAtt ManagementStack.Outputs.PublicAddress + Condition: DeployManagement +Rules: + GatewayAddressRule: + RuleCondition: !Equals [!Ref ManagementDeploy, 'true'] + Assertions: + - AssertDescription: "Gateway's netowrk to communicate with the Security Management Server must be provided" + Assert: !Not [ !Equals [!Ref GatewaysAddresses, '']] \ No newline at end of file diff --git a/aws/templates/tgw-cross-az-cluster/README.md b/aws/templates/tgw-cross-az-cluster/README.md new file mode 100644 index 00000000..f1a6b492 --- /dev/null +++ b/aws/templates/tgw-cross-az-cluster/README.md @@ -0,0 +1,26 @@ + +## Transit Gateway Cross Availability Zone Cluster + + + + + + + + + + + + + + + + + + + +
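Review bot: `AdminCIDR` — the only network allowed web, SSH and SmartConsole access to the Security Management Server — can be left empty in this template: its AllowedPattern wraps the whole CIDR in an optional `(...)?` group and it has no Default, yet the `Rules` section at the end of this hunk asserts only that `GatewaysAddresses` is non-empty when `ManagementDeploy` is true. The nested `management/management.yaml` is not part of this patch, so I cannot tell whether an empty value is rejected there or quietly widens the admin security-group rule; either way the parent template should fail fast with a parallel assertion instead of relying on the child. Separately, both `TemplateURL`s fetch `management.yaml` and `autoscale.yaml` from the public `cgi-cfts` bucket with no version or content pin, so what gets deployed is whatever that bucket serves at launch time; pinning to a versioned prefix that matches the `(20240204)` stamp in the Description would make the deployment reproducible and reviewable. Minor: `netowrk` in the existing AssertDescription should read `network`.

```yaml
Rules:
  GatewayAddressRule:
    # … unchanged: existing GatewaysAddresses assertion …
  AdminAddressRule:
    RuleCondition: !Equals [!Ref ManagementDeploy, 'true']
    Assertions:
      - AssertDescription: "Administrator network (AdminCIDR) allowed to reach the Security Management Server must be provided"
        Assert: !Not [!Equals [!Ref AdminCIDR, '']]
```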
DescriptionNotesDirect Launch
+ Deploys two Security Gateways, each in a different Availability Zone, configured for Transit Gateway.

For more details, refer to Cross Availability Zone Cluster for AWS R81.20 Administration Guide. +
Creates a new VPC and deploys a Cross Availability Zone Cluster of Security Gateways configured for Transit Gateway into it.
Deploys a Cross Availability Zone Cluster of Security Gateways configured for Transit Gateway into an existing VPC.
+
+
\ No newline at end of file diff --git a/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster-master.yaml b/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster-master.yaml new file mode 100644 index 00000000..076c1390 --- /dev/null +++ b/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster-master.yaml 
@@ -0,0 +1,523 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploy a Check Point TGW Cross Availabilty Zone Cluster in a new VPC (20240204) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - AvailabilityZones + - VPCCIDR + - PublicSubnet1CIDR + - PublicSubnet2CIDR + - PrivateSubnet1CIDR + - PrivateSubnet2CIDR + - TgwSubnet1CIDR + - TgwSubnet2CIDR + - Label: + default: EC2 Instance Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - GatewayPredefinedRole + - TerminationProtection + - Label: + default: Check Point Settings + Parameters: + - GatewayVersion + - Shell + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - Label: + default: Quick connect to Smart-1 Cloud (Recommended) + Parameters: + - MemberAToken + - MemberBToken + - Label: + default: Advanced Settings + Parameters: + - ResourcesTagName + - GatewayHostname + - AllowUploadDownload + - CloudWatch + - GatewayBootstrapScript + - NTPPrimary + - NTPSecondary + ParameterLabels: + AvailabilityZones: + default: Availability zones + VPCCIDR: + default: VPC CIDR + PublicSubnet1CIDR: + default: Public subnet 1 CIDR + PublicSubnet2CIDR: + default: Public subnet 2 CIDR + PrivateSubnet1CIDR: + default: Private subnet 1 CIDR + PrivateSubnet2CIDR: + default: Private subnet 2 CIDR + TgwSubnet1CIDR: + default: TGW HA subnet 1 CIDR + TgwSubnet2CIDR: + default: TGW HA subnet 2 CIDR + GatewayName: + default: Gateway Name + GatewayInstanceType: + default: Security Gateways instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate Elastic IPs for cluster members + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: 
Enable AWS Instance Connect + GatewayPredefinedRole: + default: Existing IAM role name + TerminationProtection: + default: Termination Protection + GatewayVersion: + default: Gateways version & license + Shell: + default: Admin shell + GatewayPasswordHash: + default: Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: SIC key + MemberAToken: + default: Smart-1 Cloud Token for member A + MemberBToken: + default: Smart-1 Cloud Token for member B + ResourcesTagName: + default: Resources prefix tag + GatewayHostname: + default: Gateway Hostname + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Bootstrap Script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server +Parameters: + AvailabilityZones: + Description: The Availability Zones (AZs) to use for the subnets in the VPC. Select two (the logical order is preserved). + Type: List + MinLength: 2 + VPCCIDR: + Description: The CIDR block of the provided VPC. + Type: String + Default: 10.0.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet1CIDR: + Description: The 1st external subnet of the cluster. The cluster's public IPs will be generated from this subnet. + Type: String + Default: 10.0.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet2CIDR: + Description: The 2nd external subnet of the cluster. The cluster's public IPs will be generated from this subnet. 
+ Type: String + Default: 10.0.20.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnet1CIDR: + Description: The 1st internal subnet of the cluster. The cluster's private IPs will be generated from this subnet. + Type: String + Default: 10.0.11.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnet2CIDR: + Description: The 2nd internal subnet of the cluster. The cluster's private IPs will be generated from this subnet. + Type: String + Default: 10.0.21.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + TgwSubnet1CIDR: + Description: The 1st TGW HA subnet of the TGW VPC attachment. + Type: String + Default: 10.0.12.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + TgwSubnet2CIDR: + Description: The 2nd TGW HA subnet of the TGW VPC attachment. + Type: String + Default: 10.0.22.0/24 + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Cluster + GatewayInstanceType: + Description: The instance type of the Secutiry Gateway. 
+ Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance. 
+ Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + AllocatePublicAddress: + Description: Allocate an Elastic IP for each cluster member, in addition to the shared cluster Elastic IP. + Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + Default: 100 + MinValue: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Default: false + Type: String + AllowedValues: + - true + - false + GatewayPredefinedRole: + Description: A predefined IAM role to attach to the cluster profile. (optional) + Type: String + Default: '' + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayVersion: + Type: String + Default: R81.20-BYOL + AllowedValues: + - R81.20-BYOL + - R81.20-PAYG-NGTP + - R81.20-PAYG-NGTX + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" + to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. 
(To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections + between Check Point components. Choose a random string consisting of at least + 8 alphanumeric characters. + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: At least 8 alpha numeric characters. + NoEcho: true + MemberAToken: + Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + MemberBToken: + Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + ResourcesTagName: + Description: Name tag prefix of the resources. (optional) + Type: String + Default: '' + GatewayHostname: + Description: The host name will be appended with member-a/b accordingly (optional). The name must not contain reserved words. For details, refer to sk40179. + Type: String + Default: '' + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z]))?$' + ConstraintDescription: A valid hostname label or an empty string. + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. 
+ Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' +Conditions: + AllocateAddress: !Equals [!Ref AllocatePublicAddress, true] +Resources: + VPCStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml + Parameters: + AvailabilityZones: !Join [',', !Ref AvailabilityZones] + NumberOfAZs: 2 + VPCCIDR: !Ref VPCCIDR + PublicSubnet1CIDR: !Ref PublicSubnet1CIDR + PublicSubnet2CIDR: !Ref PublicSubnet2CIDR + PrivateSubnet1CIDR: !Ref PrivateSubnet1CIDR + PrivateSubnet2CIDR: !Ref PrivateSubnet2CIDR + CreateAttachmentSubnets: true + AttachmentSubnet1CIDR: !Ref TgwSubnet1CIDR + AttachmentSubnet2CIDR: !Ref TgwSubnet2CIDR + InternalRouteTable: + Type: AWS::EC2::RouteTable + DependsOn: VPCStack + Properties: + VpcId: !GetAtt VPCStack.Outputs.VPCID + Tags: + - Key: Name + Value: Private Subnets Route Table + ClusterStack: + Type: AWS::CloudFormation::Stack + DependsOn: VPCStack + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/cluster/tgw-cross-az-cluster.yaml + Parameters: + VPC: !GetAtt VPCStack.Outputs.VPCID + PublicSubnetA: !GetAtt VPCStack.Outputs.PublicSubnet1ID + PublicSubnetB: !GetAtt VPCStack.Outputs.PublicSubnet2ID + PrivateSubnetA: !GetAtt VPCStack.Outputs.PrivateSubnet1ID + PrivateSubnetB: !GetAtt VPCStack.Outputs.PrivateSubnet2ID + TgwHASubnetA: !GetAtt VPCStack.Outputs.AttachmentSubnet1ID + TgwHASubnetB: !GetAtt VPCStack.Outputs.AttachmentSubnet2ID + InternalRouteTable: !Ref InternalRouteTable + GatewayName: !Ref GatewayName + GatewayInstanceType: !Ref 
GatewayInstanceType + KeyName: !Ref KeyName + AllocatePublicAddress: !Ref AllocatePublicAddress + VolumeSize: !Ref VolumeSize + VolumeType: !Ref VolumeType + VolumeEncryption: !Ref VolumeEncryption + EnableInstanceConnect: !Ref EnableInstanceConnect + GatewayPredefinedRole: !Ref GatewayPredefinedRole + TerminationProtection: !Ref TerminationProtection + GatewayVersion: !Ref GatewayVersion + Shell: !Ref Shell + GatewayPasswordHash: !Ref GatewayPasswordHash + GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash + GatewaySICKey: !Ref GatewaySICKey + MemberAToken: !Ref MemberAToken + MemberBToken: !Ref MemberBToken + ResourcesTagName: !Ref ResourcesTagName + GatewayHostname: !Ref GatewayHostname + AllowUploadDownload: !Ref AllowUploadDownload + CloudWatch: !Ref CloudWatch + GatewayBootstrapScript: !Ref GatewayBootstrapScript + NTPPrimary: !Ref NTPPrimary + NTPSecondary: !Ref NTPSecondary +Outputs: + ClusterPublicAddress: + Description: The public address of the cluster. + Value: !GetAtt ClusterStack.Outputs.ClusterPublicAddress + MemberAPublicAddress: + Condition: AllocateAddress + Description: The public address of member A. + Value: !GetAtt ClusterStack.Outputs.MemberAPublicAddress + MemberASSH: + Condition: AllocateAddress + Description: SSH command to member A. + Value: !GetAtt ClusterStack.Outputs.MemberASSH + MemberAURL: + Condition: AllocateAddress + Description: URL to the member A portal. + Value: !GetAtt ClusterStack.Outputs.MemberAURL + MemberBPublicAddress: + Condition: AllocateAddress + Description: The public address of member B. + Value: !GetAtt ClusterStack.Outputs.MemberBPublicAddress + MemberBSSH: + Condition: AllocateAddress + Description: SSH command to member B. + Value: !GetAtt ClusterStack.Outputs.MemberBSSH + MemberBURL: + Condition: AllocateAddress + Description: URL to the member B portal. 
+ Value: !GetAtt ClusterStack.Outputs.MemberBURL
+Rules:
+ MemberATokenNotProvided:
+ RuleCondition: !Equals [!Ref MemberAToken, '']
+ Assertions:
+ - AssertDescription: "Smart-1 Cloud Token for member A can not be empty."
+ Assert: !Equals [!Ref MemberBToken, '']
+ MemberBTokenNotProvided:
+ RuleCondition: !Equals [ !Ref MemberBToken, '' ]
+ Assertions:
+ - AssertDescription: "Smart-1 Cloud Token for member B can not be empty."
+ Assert: !Equals [ !Ref MemberAToken, '' ]
+ MembersTokenValueEquals:
+ RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ]
+ Assertions:
+ - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+ Assert: !Equals [ !Ref MemberAToken, '' ]
+ - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+ Assert: !Equals [ !Ref MemberBToken, '' ]
diff --git a/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster.yaml b/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster.yaml
new file mode 100644
index 00000000..651a4554
--- /dev/null
+++ b/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster.yaml
@@ -0,0 +1,519 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploys a Check Point TGW Cross Availabilty Zone Cluster into an existing VPC (20240204) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - VPC + - PublicSubnetA + - PublicSubnetB + - PrivateSubnetA + - PrivateSubnetB + - TgwHASubnetA + - TgwHASubnetB + - InternalRouteTable + - Label: + default: EC2 Instance Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - GatewayPredefinedRole + - TerminationProtection + - Label: + default: Check Point Settings + Parameters: + - GatewayVersion + - Shell + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - Label: + default: Quick connect to Smart-1 Cloud (Recommended) + Parameters: + - MemberAToken + - MemberBToken + - Label: + default: Advanced Settings + Parameters: + - ResourcesTagName + - GatewayHostname + - AllowUploadDownload + - CloudWatch + - GatewayBootstrapScript + - NTPPrimary + - NTPSecondary + ParameterLabels: + VPC: + default: VPC + PublicSubnetA: + default: Public subnet 1 + PublicSubnetB: + default: Public subnet 2 + PrivateSubnetA: + default: Private subnet 1 + PrivateSubnetB: + default: Private subnet 2 + TgwHASubnetA: + default: TGW HA subnet 1 + TgwHASubnetB: + default: TGW HA subnet 2 + InternalRouteTable: + default: Internal route table + GatewayName: + default: Gateway Name + GatewayInstanceType: + default: Security Gateways instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate Elastic IPs for cluster members + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + GatewayPredefinedRole: + default: Existing 
IAM role name + TerminationProtection: + default: Termination Protection + GatewayVersion: + default: Gateways version & license + Shell: + default: Admin shell + GatewayPasswordHash: + default: Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: SIC key + MemberAToken: + default: Smart-1 Cloud Token for member A + MemberBToken: + default: Smart-1 Cloud Token for member B + ResourcesTagName: + default: Resources prefix tag + GatewayHostname: + default: Gateway Hostname + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Bootstrap Script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server +Parameters: + VPC: + Description: Select an existing VPC. + Type: AWS::EC2::VPC::Id + MinLength: 1 + ConstraintDescription: you must select a VPC. + PublicSubnetA: + Description: Select a public subnet for the first Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a public subnet for the first Security Gateway. + PublicSubnetB: + Description: Select a public subnet for the second Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a public subnet for the second Security Gateway. + PrivateSubnetA: + Description: Select a private subnet for the first Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a private subnet for the first Security Gateway. + PrivateSubnetB: + Description: Select a private subnet for the second Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a private subnet for the second Security Gateway. + TgwHASubnetA: + Description: Select a TGW HA subnet for the first Security Gateway. 
+ Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a TGW HA subnet for the first Security Gateway. + TgwHASubnetB: + Description: Select a TGW HA subnet for the second Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a TGW HAsubnet for the second Security Gateway. + InternalRouteTable: + Description: Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route. If empty - traffic will not be routed through the Security Cluster, this requires manual configuration in the Route Table. (optional) + Type: String + Default: '' + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Cluster + GatewayInstanceType: + Description: The instance type of the Secutiry Gateway. + Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - 
r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the Security Gateways. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: must be the name of an existing EC2 KeyPair. + AllocatePublicAddress: + Description: Allocate an Elastic IP for each cluster member, in addition to the shared cluster Elastic IP. + Default: true + Type: String + AllowedValues: + - true + - false + VolumeSize: + Type: Number + Default: 100 + MinValue: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayPredefinedRole: + Description: A predefined IAM role to attach to the cluster profile. (optional) + Type: String + Default: '' + TerminationProtection: + Description: Prevents an instance from accidental termination. 
+ Type: String + Default: false + AllowedValues: + - true + - false + GatewayVersion: + Description: The license to install on the Security Gateways. + Type: String + Default: R81.20-BYOL + AllowedValues: + - R81.20-BYOL + - R81.20-PAYG-NGTP + - R81.20-PAYG-NGTX + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" + to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections + between Check Point components. Choose a random string consisting of at least + 8 alphanumeric characters. + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: At least 8 alpha numeric characters. + NoEcho: true + MemberAToken: + Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + MemberBToken: + Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. 
+ AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + ResourcesTagName: + Description: Name tag prefix of the resources. (optional) + Type: String + Default: '' + GatewayHostname: + Description: The host name will be appended with member-a/b accordingly (optional). The name must not contain reserved words. For details, refer to sk40179. + Type: String + Default: '' + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z]))?$' + ConstraintDescription: A valid hostname label or an empty string. + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. 
(optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' +Conditions: + AllocateAddress: !Equals [!Ref AllocatePublicAddress, true] +Resources: + ClusterStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/cluster/cross-az-cluster.yaml + Parameters: + VPC: !Ref VPC + PublicSubnetA: !Ref PublicSubnetA + PublicSubnetB: !Ref PublicSubnetB + PrivateSubnetA: !Ref PrivateSubnetA + PrivateSubnetB: !Ref PrivateSubnetB + InternalRouteTable: !Ref InternalRouteTable + GatewayName: !Ref GatewayName + GatewayInstanceType: !Ref GatewayInstanceType + KeyName: !Ref KeyName + AllocatePublicAddress: !Ref AllocatePublicAddress + VolumeSize: !Ref VolumeSize + VolumeType: !Ref VolumeType + VolumeEncryption: !Ref VolumeEncryption + EnableInstanceConnect: !Ref EnableInstanceConnect + GatewayPredefinedRole: !Ref GatewayPredefinedRole + TerminationProtection: !Ref TerminationProtection + GatewayVersion: !Ref GatewayVersion + Shell: !Ref Shell + GatewayPasswordHash: !Ref GatewayPasswordHash + GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash + GatewaySICKey: !Ref GatewaySICKey + MemberAToken: !Ref MemberAToken + MemberBToken: !Ref MemberBToken + ResourcesTagName: !Ref ResourcesTagName + GatewayHostname: !Ref GatewayHostname + AllowUploadDownload: !Ref AllowUploadDownload + CloudWatch: !Ref CloudWatch + GatewayBootstrapScript: !Ref GatewayBootstrapScript + NTPPrimary: !Ref NTPPrimary + NTPSecondary: !Ref NTPSecondary + TGWRouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: TGW Subnets + TGWDefaultRoute: + Type: AWS::EC2::Route + DependsOn: ClusterStack + Properties: + DestinationCidrBlock: 0.0.0.0/0 + NetworkInterfaceId: !GetAtt 
ClusterStack.Outputs.MemberAExternalInterface + RouteTableId: !Ref TGWRouteTable + TGWNSubnet1RouteAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + DependsOn: TGWRouteTable + Properties: + RouteTableId: !Ref TGWRouteTable + SubnetId: !Ref TgwHASubnetA + TGWSubnet2RouteAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + DependsOn: TGWRouteTable + Properties: + RouteTableId: !Ref TGWRouteTable + SubnetId: !Ref TgwHASubnetB +Outputs: + ClusterPublicAddress: + Description: The public address of the cluster. + Value: !GetAtt ClusterStack.Outputs.ClusterPublicAddress + MemberAPublicAddress: + Condition: AllocateAddress + Description: The public address of member A. + Value: !GetAtt ClusterStack.Outputs.MemberAPublicAddress + MemberASSH: + Condition: AllocateAddress + Description: SSH command to member A. + Value: !GetAtt ClusterStack.Outputs.MemberASSH + MemberAURL: + Condition: AllocateAddress + Description: URL to the member A portal. + Value: !GetAtt ClusterStack.Outputs.MemberAURL + MemberBPublicAddress: + Condition: AllocateAddress + Description: The public address of member B. + Value: !GetAtt ClusterStack.Outputs.MemberBPublicAddress + MemberBSSH: + Condition: AllocateAddress + Description: SSH command to member B. + Value: !GetAtt ClusterStack.Outputs.MemberBSSH + MemberBURL: + Condition: AllocateAddress + Description: URL to the member B portal. + Value: !GetAtt ClusterStack.Outputs.MemberBURL +Rules: + MemberATokenNotProvided: + RuleCondition: !Equals [!Ref MemberAToken, ''] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty." + Assert: !Equals [!Ref MemberBToken, ''] + MemberBTokenNotProvided: + RuleCondition: !Equals [ !Ref MemberBToken, '' ] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty." 
+ Assert: !Equals [ !Ref MemberAToken, '' ] + MembersTokenValueEquals: + RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ] + Assertions: + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberAToken, '' ] + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberBToken, '' ] \ No newline at end of file diff --git a/aws/templates/tgw-ha/README.md b/aws/templates/tgw-ha/README.md new file mode 100644 index 00000000..f069cdd5 --- /dev/null +++ b/aws/templates/tgw-ha/README.md @@ -0,0 +1,26 @@ + +## Transit Gateway Cross Availability Zone Cluster + + + + + + + + + + + + + + + + + + + +
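Review bot: The `AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'` on `MemberAToken` and `MemberBToken` uses a character class in its second alternative, so `[aHR0cHM6Ly9]` matches any single one of those characters rather than the literal `aHR0cHM6Ly9` prefix, and because CloudFormation matches the whole value, any input containing whitespace followed by one of those characters passes the check that the first alternative appears to intend. If the second branch is meant to accept a token preceded by free text, it should be `(.*)\s(aHR0cHM6Ly9)(.+)`; if not, the alternative should be dropped so only `^aHR0cHM6Ly9(.+)` or an empty value is accepted. The identical pattern appears in the tgw-cross-az-cluster-master.yaml hunk above and the tgw-ha-master.yaml hunk below. Separately, `TemplateURL: https://cgi-cfts.s3.amazonaws.com/cluster/cross-az-cluster.yaml` carries no version in its path, so the nested stack is whatever that object holds at deploy time and is not tied to the `(20240204)` stamp in `Description`; consider recording that coupling in the description or using a versioned path. Minor: `ConstraintDescription: you must select a TGW HAsubnet for the second Security Gateway.` is missing a space and the `Description` spells `Availabilty`.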
DescriptionNotesDirect Launch
+ Deploys two Security Gateways, each in a different Availability Zone, configured for Transit Gateway.

For more details, refer to CloudGuard Transit Gateway High Availability for AWS R80.40 Administration Guide. +
Creates a new VPC and deploys a Cross Availability Zone Cluster of Security Gateways configured for Transit Gateway into it.
Deploys a Cross Availability Zone Cluster of Security Gateways configured for Transit Gateway into an existing VPC.
+
+
\ No newline at end of file
diff --git a/aws/templates/tgw-ha/tgw-ha-master.yaml b/aws/templates/tgw-ha/tgw-ha-master.yaml
new file mode 100644
index 00000000..7eb8db40
--- /dev/null
+++ b/aws/templates/tgw-ha/tgw-ha-master.yaml
@@ -0,0 +1,525 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploy a Check Point TGW HA cross AZ Cluster in a new VPC (20240204) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - AvailabilityZones + - VPCCIDR + - PublicSubnet1CIDR + - PublicSubnet2CIDR + - PrivateSubnet1CIDR + - PrivateSubnet2CIDR + - TgwSubnet1CIDR + - TgwSubnet2CIDR + - Label: + default: EC2 Instance Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - GatewayPredefinedRole + - TerminationProtection + - Label: + default: Check Point Settings + Parameters: + - GatewayVersion + - Shell + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - Label: + default: Quick connect to Smart-1 Cloud (Recommended) + Parameters: + - MemberAToken + - MemberBToken + - Label: + default: Advanced Settings + Parameters: + - ResourcesTagName + - GatewayHostname + - AllowUploadDownload + - CloudWatch + - GatewayBootstrapScript + - NTPPrimary + - NTPSecondary + ParameterLabels: + AvailabilityZones: + default: Availability Zones + VPCCIDR: + default: VPC CIDR + PublicSubnet1CIDR: + default: Public subnet 1 CIDR + PublicSubnet2CIDR: + default: Public subnet 2 CIDR + PrivateSubnet1CIDR: + default: Private subnet 1 CIDR + PrivateSubnet2CIDR: + default: Private subnet 2 CIDR + TgwSubnet1CIDR: + default: TGW HA subnet 1 CIDR + TgwSubnet2CIDR: + default: TGW HA subnet 2 CIDR + GatewayName: + default: Gateway Name + GatewayInstanceType: + default: Security Gateways instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate Elastic IPs for cluster members + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS 
Instance Connect + GatewayPredefinedRole: + default: Existing IAM role name + TerminationProtection: + default: Termination Protection + GatewayVersion: + default: Gateways version & license + Shell: + default: Admin shell + GatewayPasswordHash: + default: Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: SIC key + MemberAToken: + default: Smart-1 Cloud Token for member A + MemberBToken: + default: Smart-1 Cloud Token for member B + ResourcesTagName: + default: Resources prefix tag + GatewayHostname: + default: Gateway Hostname + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Bootstrap Script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server +Parameters: + AvailabilityZones: + Description: The Availability Zones (AZs) to use for the subnets in the VPC. Select two (the logical order is preserved). + Type: List + MinLength: 2 + VPCCIDR: + Description: The CIDR block of the provided VPC. + Type: String + Default: 10.0.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet1CIDR: + Description: CIDR block for public subnet 1 located in the 1st Availability Zone. + Type: String + Default: 10.0.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet2CIDR: + Description: CIDR block for public subnet 2 located in the 2nd Availability Zone. 
+ Type: String + Default: 10.0.20.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnet1CIDR: + Description: CIDR block for private subnet 1 located in the 1st Availability Zone. + Type: String + Default: 10.0.11.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnet2CIDR: + Description: CIDR block for private subnet 2 located in the 2nd Availability Zone. + Type: String + Default: 10.0.21.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + TgwSubnet1CIDR: + Description: CIDR block for TGW HA subnet 1 located in the 1st Availability Zone. + Type: String + Default: 10.0.12.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + TgwSubnet2CIDR: + Description: CIDR block for TGW HA subnet 2 located in the 2nd Availability Zone. + Type: String + Default: 10.0.22.0/24 + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Cluster + GatewayInstanceType: + Description: The instance type of the Secutiry Gateway. 
+ Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance. 
+ Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + AllocatePublicAddress: + Description: Allocate an Elastic IP for each cluster member, in addition to the shared cluster Elastic IP. + Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + Default: 100 + MinValue: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Default: false + Type: String + AllowedValues: + - true + - false + GatewayPredefinedRole: + Description: A predefined IAM role to attach to the cluster profile. (optional) + Type: String + Default: '' + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayVersion: + Type: String + Default: R81.10-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG-NGTP + - R80.40-PAYG-NGTX + - R81-BYOL + - R81-PAYG-NGTP + - R81-PAYG-NGTX + - R81.10-BYOL + - R81.10-PAYG-NGTP + - R81.10-PAYG-NGTX + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" + to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. 
For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections + between Check Point components. Choose a random string consisting of at least + 8 alphanumeric characters. + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: At least 8 alpha numeric characters. + NoEcho: true + MemberAToken: + Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + MemberBToken: + Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + ResourcesTagName: + Description: Name tag prefix of the resources. (optional) + Type: String + Default: '' + GatewayHostname: + Description: The host name will be appended with member-a/b accordingly (optional). The name must not contain reserved words. For details, refer to sk40179. + Type: String + Default: '' + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z]))?$' + ConstraintDescription: A valid hostname label or an empty string. + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. 
+ Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' +Conditions: + AllocateAddress: !Equals [!Ref AllocatePublicAddress, true] +Resources: + VPCStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml + Parameters: + AvailabilityZones: !Join [',', !Ref AvailabilityZones] + NumberOfAZs: 2 + VPCCIDR: !Ref VPCCIDR + PublicSubnet1CIDR: !Ref PublicSubnet1CIDR + PublicSubnet2CIDR: !Ref PublicSubnet2CIDR + PrivateSubnet1CIDR: !Ref PrivateSubnet1CIDR + PrivateSubnet2CIDR: !Ref PrivateSubnet2CIDR + CreateAttachmentSubnets: true + AttachmentSubnet1CIDR: !Ref TgwSubnet1CIDR + AttachmentSubnet2CIDR: !Ref TgwSubnet2CIDR + InternalRouteTable: + Type: AWS::EC2::RouteTable + DependsOn: VPCStack + Properties: + VpcId: !GetAtt VPCStack.Outputs.VPCID + Tags: + - Key: Name + Value: Private Subnets Route Table + ClusterStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/cluster/tgw-ha.yaml + Parameters: + VPC: !GetAtt VPCStack.Outputs.VPCID + PublicSubnetA: !GetAtt VPCStack.Outputs.PublicSubnet1ID + PublicSubnetB: !GetAtt VPCStack.Outputs.PublicSubnet2ID + PrivateSubnetA: !GetAtt VPCStack.Outputs.PrivateSubnet1ID + PrivateSubnetB: !GetAtt VPCStack.Outputs.PrivateSubnet2ID + TgwHASubnetA: !GetAtt VPCStack.Outputs.AttachmentSubnet1ID + TgwHASubnetB: !GetAtt VPCStack.Outputs.AttachmentSubnet2ID + InternalRouteTable: !Ref InternalRouteTable + GatewayName: !Ref GatewayName + GatewayInstanceType: !Ref GatewayInstanceType + KeyName: !Ref KeyName + 
AllocatePublicAddress: !Ref AllocatePublicAddress + VolumeSize: !Ref VolumeSize + VolumeType: !Ref VolumeType + VolumeEncryption: !Ref VolumeEncryption + EnableInstanceConnect: !Ref EnableInstanceConnect + GatewayPredefinedRole: !Ref GatewayPredefinedRole + TerminationProtection: !Ref TerminationProtection + GatewayVersion: !Ref GatewayVersion + Shell: !Ref Shell + GatewayPasswordHash: !Ref GatewayPasswordHash + GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash + GatewaySICKey: !Ref GatewaySICKey + MemberAToken: !Ref MemberAToken + MemberBToken: !Ref MemberBToken + ResourcesTagName: !Ref ResourcesTagName + GatewayHostname: !Ref GatewayHostname + AllowUploadDownload: !Ref AllowUploadDownload + CloudWatch: !Ref CloudWatch + GatewayBootstrapScript: !Ref GatewayBootstrapScript + NTPPrimary: !Ref NTPPrimary + NTPSecondary: !Ref NTPSecondary +Outputs: + MemberAPublicAddress: + Condition: AllocateAddress + Description: The public address of member A. + Value: !GetAtt ClusterStack.Outputs.MemberAPublicAddress + MemberASSH: + Condition: AllocateAddress + Description: SSH command to member A. + Value: !GetAtt ClusterStack.Outputs.MemberASSH + MemberAURL: + Condition: AllocateAddress + Description: URL to the member A portal. + Value: !GetAtt ClusterStack.Outputs.MemberAURL + MemberBPublicAddress: + Condition: AllocateAddress + Description: The public address of member B. + Value: !GetAtt ClusterStack.Outputs.MemberBPublicAddress + MemberBSSH: + Condition: AllocateAddress + Description: SSH command to member B. + Value: !GetAtt ClusterStack.Outputs.MemberBSSH + MemberBURL: + Condition: AllocateAddress + Description: URL to the member B portal. + Value: !GetAtt ClusterStack.Outputs.MemberBURL +Rules: + MemberATokenNotProvided: + RuleCondition: !Equals [!Ref MemberAToken, ''] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty." 
+ Assert: !Equals [!Ref MemberBToken, ''] + MemberBTokenNotProvided: + RuleCondition: !Equals [ !Ref MemberBToken, '' ] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty." + Assert: !Equals [ !Ref MemberAToken, '' ] + MembersTokenValueEquals: + RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ] + Assertions: + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberAToken, '' ] + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberBToken, '' ] \ No newline at end of file diff --git a/aws/templates/tgw-ha/tgw-ha.yaml b/aws/templates/tgw-ha/tgw-ha.yaml new file mode 100644 index 00000000..e02d8e5e --- /dev/null +++ b/aws/templates/tgw-ha/tgw-ha.yaml 
@@ -0,0 +1,522 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploys a Check Point TGW HA Cluster into an existing VPC (20240204) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - VPC + - PublicSubnetA + - PublicSubnetB + - PrivateSubnetA + - PrivateSubnetB + - TgwHASubnetA + - TgwHASubnetB + - InternalRouteTable + - Label: + default: EC2 Instance Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - GatewayPredefinedRole + - TerminationProtection + - Label: + default: Check Point Settings + Parameters: + - GatewayVersion + - Shell + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - Label: + default: Quick connect to Smart-1 Cloud (Recommended) + Parameters: + - MemberAToken + - MemberBToken + - Label: + default: Advanced Settings + Parameters: + - ResourcesTagName + - GatewayHostname + - AllowUploadDownload + - CloudWatch + - GatewayBootstrapScript + - NTPPrimary + - NTPSecondary + ParameterLabels: + VPC: + default: VPC + PublicSubnetA: + default: Public subnet 1 + PublicSubnetB: + default: Public subnet 2 + PrivateSubnetA: + default: Private subnet 1 + PrivateSubnetB: + default: Private subnet 2 + TgwHASubnetA: + default: TGW HA subnet 1 + TgwHASubnetB: + default: TGW HA subnet 2 + InternalRouteTable: + default: Internal route table + GatewayName: + default: Gateway Name + GatewayInstanceType: + default: Security Gateways instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate Elastic IPs for cluster members + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + GatewayPredefinedRole: + default: Existing IAM role name + 
TerminationProtection: + default: Termination Protection + GatewayVersion: + default: Gateways version & license + Shell: + default: Admin shell + GatewayPasswordHash: + default: Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: SIC key + MemberAToken: + default: Smart-1 Cloud Token for member A + MemberBToken: + default: Smart-1 Cloud Token for member B + ResourcesTagName: + default: Resources prefix tag + GatewayHostname: + default: Gateway Hostname + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Bootstrap Script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server +Parameters: + VPC: + Description: Select an existing VPC. + Type: AWS::EC2::VPC::Id + MinLength: 1 + ConstraintDescription: you must select a VPC. + PublicSubnetA: + Description: Select a public subnet for the first Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a public subnet for the first Security Gateway. + PublicSubnetB: + Description: Select a public subnet for the second Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a public subnet for the second Security Gateway. + PrivateSubnetA: + Description: Select a private subnet for the first Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a private subnet for the first Security Gateway. + PrivateSubnetB: + Description: Select a private subnet for the second Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a private subnet for the second Security Gateway. + TgwHASubnetA: + Description: Select a TGW HA subnet for the first Security Gateway. 
+ Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a TGW HA subnet for the first Security Gateway. + TgwHASubnetB: + Description: Select a TGW HA subnet for the second Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a TGW HAsubnet for the second Security Gateway. + InternalRouteTable: + Description: Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route. If empty - traffic will not be routed through the Security Cluster, this requires manual configuration in the Route Table. (optional) + Type: String + Default: '' + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Cluster + GatewayInstanceType: + Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + 
- r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the Security Gateways. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: must be the name of an existing EC2 KeyPair. + AllocatePublicAddress: + Description: When choosing "false", make sure the cluster members can connect to an ec2 endpoint. + Default: true + Type: String + AllowedValues: + - true + - false + VolumeSize: + Type: Number + Default: 100 + MinValue: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayPredefinedRole: + Description: A predefined IAM role to attach to the cluster profile. (optional) + Type: String + Default: '' + TerminationProtection: + Description: Prevents an instance from accidental termination. 
+ Type: String + Default: false + AllowedValues: + - true + - false + GatewayVersion: + Description: The license to install on the Security Gateways. + Type: String + Default: R81.10-BYOL + AllowedValues: + - R80.40-BYOL + - R80.40-PAYG-NGTP + - R80.40-PAYG-NGTX + - R81-BYOL + - R81-PAYG-NGTP + - R81-PAYG-NGTX + - R81.10-BYOL + - R81.10-PAYG-NGTP + - R81.10-PAYG-NGTX + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to + get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections between + Check Point components. Choose a random string consisting of at least 8 + alphanumeric characters. + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: At least 8 alpha numeric characters. + NoEcho: true + MemberAToken: + Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. 
+ AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + MemberBToken: + Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + ResourcesTagName: + Description: Name tag prefix of the resources. (optional) + Type: String + Default: '' + GatewayHostname: + Description: The host name will be appended with member-a/b accordingly (optional). The name must not contain reserved words. For details, refer to sk40179. + Type: String + Default: '' + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z]))?$' + ConstraintDescription: A valid hostname label or an empty string. + AllowUploadDownload: + Description: >- + Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. 
(optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' +Conditions: + AllocateAddress: !Equals [!Ref AllocatePublicAddress, true] +Resources: + ClusterStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/cluster/geo-cluster.yaml + Parameters: + VPC: !Ref VPC + PublicSubnetA: !Ref PublicSubnetA + PublicSubnetB: !Ref PublicSubnetB + PrivateSubnetA: !Ref PrivateSubnetA + PrivateSubnetB: !Ref PrivateSubnetB + InternalRouteTable: !Ref InternalRouteTable + GatewayName: !Ref GatewayName + GatewayInstanceType: !Ref GatewayInstanceType + KeyName: !Ref KeyName + AllocatePublicAddress: !Ref AllocatePublicAddress + VolumeSize: !Ref VolumeSize + VolumeType: !Ref VolumeType + VolumeEncryption: !Ref VolumeEncryption + EnableInstanceConnect: !Ref EnableInstanceConnect + GatewayPredefinedRole: !Ref GatewayPredefinedRole + TerminationProtection: !Ref TerminationProtection + GatewayVersion: !Ref GatewayVersion + Shell: !Ref Shell + GatewayPasswordHash: !Ref GatewayPasswordHash + GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash + GatewaySICKey: !Ref GatewaySICKey + MemberAToken: !Ref MemberAToken + MemberBToken: !Ref MemberBToken + ResourcesTagName: !Ref ResourcesTagName + GatewayHostname: !Ref GatewayHostname + AllowUploadDownload: !Ref AllowUploadDownload + CloudWatch: !Ref CloudWatch + GatewayBootstrapScript: !Ref GatewayBootstrapScript + NTPPrimary: !Ref NTPPrimary + NTPSecondary: !Ref NTPSecondary + TGWRouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: TGW Subnets + TGWDefaultRoute: + Type: AWS::EC2::Route + DependsOn: ClusterStack + Properties: + DestinationCidrBlock: 0.0.0.0/0 + NetworkInterfaceId: !GetAtt 
ClusterStack.Outputs.MemberAExternalInterface + RouteTableId: !Ref TGWRouteTable + TGWNSubnet1RouteAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + DependsOn: TGWRouteTable + Properties: + RouteTableId: !Ref TGWRouteTable + SubnetId: !Ref TgwHASubnetA + TGWSubnet2RouteAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + DependsOn: TGWRouteTable + Properties: + RouteTableId: !Ref TGWRouteTable + SubnetId: !Ref TgwHASubnetB +Outputs: + MemberAPublicAddress: + Condition: AllocateAddress + Description: The public address of member A. + Value: !GetAtt ClusterStack.Outputs.MemberAPublicAddress + MemberASSH: + Condition: AllocateAddress + Description: SSH command to member A. + Value: !GetAtt ClusterStack.Outputs.MemberASSH + MemberAURL: + Condition: AllocateAddress + Description: URL to the member A portal. + Value: !GetAtt ClusterStack.Outputs.MemberAURL + MemberBPublicAddress: + Condition: AllocateAddress + Description: The public address of member B. + Value: !GetAtt ClusterStack.Outputs.MemberBPublicAddress + MemberBSSH: + Condition: AllocateAddress + Description: SSH command to member B. + Value: !GetAtt ClusterStack.Outputs.MemberBSSH + MemberBURL: + Condition: AllocateAddress + Description: URL to the member B portal. + Value: !GetAtt ClusterStack.Outputs.MemberBURL +Rules: + MemberATokenNotProvided: + RuleCondition: !Equals [!Ref MemberAToken, ''] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty." + Assert: !Equals [!Ref MemberBToken, ''] + MemberBTokenNotProvided: + RuleCondition: !Equals [ !Ref MemberBToken, '' ] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty." + Assert: !Equals [ !Ref MemberAToken, '' ] + MembersTokenValueEquals: + RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ] + Assertions: + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. 
Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberAToken, '' ] + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberBToken, '' ] \ No newline at end of file diff --git a/azure/misc/azure_ha_test.py b/azure/misc/azure_ha_test.py new file mode 100755 index 00000000..48fcac18 --- /dev/null +++ b/azure/misc/azure_ha_test.py 
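Review bot: The MemberAToken and MemberBToken `AllowedPattern` `'(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'` is broken in its middle alternative: `[aHR0cHM6Ly9]` is a character class, so any value containing whitespace followed by one of those characters is accepted, which defeats the check that the pasted value carries the expected prefix. If the literal prefix is intended, the alternative should read `(.*)\saHR0cHM6Ly9(.+)`, giving `'(^aHR0cHM6Ly9(.+)|(.*)\saHR0cHM6Ly9(.+)|^$)'`. Relatedly, `GatewayMaintenancePasswordHash` uses the unanchored `'[\$\./a-zA-Z0-9]*'` while `GatewayPasswordHash` right above it uses `'^[\$\./a-zA-Z0-9]*$'`; the two should agree so both hashes are validated the same way. The same three patterns appear in the tgw-ha-master.yaml hunk above, whose start is outside this view. Minor: `TGWNSubnet1RouteAssociation` does not match `TGWSubnet2RouteAssociation`, and the TgwHASubnetB ConstraintDescription reads "TGW HAsubnet".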
@@ -0,0 +1,424 @@ +#!/usr/bin/env python3 +import contextlib +import json +import os +import re +import socket +import subprocess +import sys +import traceback +import collections +import urllib.parse as _urllib + + +try: + import rest +except ModuleNotFoundError: + import pytest + pytestmark = pytest.mark.skipif(True, reason="Needs refactoring - WIP") + import cloud_connectors.azure as rest + +ARM_VERSIONS = { + 'stack': collections.OrderedDict([ + ('resources', '?api-version=2017-10-01'), + ]), + 'ha': collections.OrderedDict([ + ('resources', '?api-version=2019-07-01'), + ])} + +os.environ['AZURE_NO_DOT'] = 'true' + +azure = None +templateName = None + +conf = {} + + +def set_arm_versions(): + """#TODO fixDocstring""" + global ARM_VERSIONS + log('Setting api versions for "%s" solution\n' % templateName) + if templateName == 'stack-ha': + ARM_VERSIONS = ARM_VERSIONS['stack'] + log('Stack ARM versions are: %s\n' % json.dumps(ARM_VERSIONS, + indent=2)) + return + ARM_VERSIONS = ARM_VERSIONS['ha'] + log('ARM versions are: %s\n' % json.dumps(ARM_VERSIONS, indent=2)) + + +def is_azure(): + """#TODO fixDocstring""" + return os.path.isfile('/etc/in-azure') + + +def log(msg): + """#TODO fixDocstring""" + sys.stderr.write(msg) + + +def test_rw(rid, allow_not_found=False, test_write=True): + """#TODO fixDocstring""" + components = rid.split('/') + log('Id : %s\n' % rid) + log('Subscription : %s\n' % components[2]) + log('Resource group: %s\n' % components[4]) + log('Type : %s/%s\n' % (components[6], components[7])) + log('Name : %s\n' % components[8]) + try: + obj = azure.arm('GET', rid + ARM_VERSIONS['resources'])[1] + except rest.RequestException as e: + if allow_not_found and e.code == 404: + return None + log('Attempting to read - [%s]\n' % e.reason) + raise + log('Attempting to read - [OK]\n') + if test_write: + log('Attempting to write ') + try: + azure.arm('PUT', rid + ARM_VERSIONS['resources'], json.dumps(obj)) + except rest.RequestException as e: + log('- [%s]\n' 
% e.reason) + raise + log('- [OK]\n') + return obj + + +def get_vm_primary_nic(vm): + """#TODO fixDocstring""" + nis = vm['properties']['networkProfile']['networkInterfaces'] + if len(nis) == 1: + ni = nis[0] + else: + for ni in nis: + if ni['properties'].get('primary'): + break + return azure.arm('GET', ni['id'])[1] + + +def test_cluster_ip(): + """#TODO fixDocstring""" + def test_vip(vip_resource): + if '/' in vip_resource: + cluster_ip_id = vip_resource + else: + cluster_ip_id = conf['baseId'] + \ + 'Microsoft.Network/publicIPAddresses/' + vip_resource + test_rw(cluster_ip_id, allow_not_found=True, test_write=False) + + for interface in conf['clusterNetworkInterfaces']: + if isinstance(conf['clusterNetworkInterfaces'][interface][0], dict): + for vip in conf['clusterNetworkInterfaces'][interface]: + test_vip(vip["pub"]) + else: + if len(conf['clusterNetworkInterfaces'][interface]) > 1: + test_vip(conf['clusterNetworkInterfaces'][interface][1]) + + +def test_load_balancer(): + """#TODO fixDocstring""" + load_balancer_nm = conf.get('lbName', '') + if not load_balancer_nm: + log('An external load balancer name is not configured.\n') + return None + + load_balancer_id = (conf['baseId'] + + 'Microsoft.Network/loadBalancers/' + + load_balancer_nm) + test_rw(load_balancer_id, allow_not_found=True) + + +def vnet_rg(): + """#TODO fixDocstring""" + local_vm = azure.arm('GET', conf['baseId'] + + 'microsoft.compute/virtualmachines/' + + conf['hostname'])[1] + my_nic = get_vm_primary_nic(local_vm) + subnet_id = my_nic['properties']['ipConfigurations'][0][ + 'properties']['subnet']['id'] + return '/'.join(subnet_id.split('/')[:5]) + + +def get_route_table_ids_for_vnet(vnet): + """#TODO fixDocstring""" + route_table_ids = set() + for subnet in vnet['properties'].get('subnets', []): + if subnet['properties'].get('routeTable'): + route_table_ids.add(subnet['properties']['routeTable']['id']) + return route_table_ids + + +def get_vnet_id(): + """#TODO fixDocstring""" + vnet_id = 
conf.get('vnetId') + if vnet_id: + return vnet_id + me = azure.arm('GET', conf['baseId'] + + 'microsoft.compute/virtualmachines/' + conf['hostname'])[1] + my_nic = get_vm_primary_nic(me) + subnet_id = my_nic['properties']['ipConfigurations'][0][ + 'properties']['subnet']['id'] + vnet_id = '/'.join(subnet_id.split('/')[:-2]) + conf['vnetId'] = vnet_id + return vnet_id + + +def get_route_table_ids_for_peering(vnet): + """#TODO fixDocstring""" + route_table_ids = set() + + for peering in vnet['properties'].get('virtualNetworkPeerings', []): + vnet_id = peering['properties']['remoteVirtualNetwork']['id'] + state = peering['properties']['peeringState'] + if state != 'Connected': + log('peered vnet %s in state %s ignored' % (vnet_id, state)) + continue + try: + vnet = azure.arm('GET', vnet_id)[1] + except Exception: + log('\nFailed to retrieve peered network %s' % vnet_id) + log('\n%s' % traceback.format_exc()) + continue + route_table_ids |= get_route_table_ids_for_vnet(vnet) + + return route_table_ids + + +def get_route_table_ids(): + """#TODO fixDocstring""" + route_table_ids = set() + + vnet_id = get_vnet_id() + vnet = azure.arm('GET', vnet_id)[1] + + route_table_ids |= get_route_table_ids_for_vnet(vnet) + route_table_ids |= get_route_table_ids_for_peering(vnet) + + return route_table_ids + + +def interfaces_test_rw(interface_id): + """#TODO fixDocstring""" + interface = test_rw(interface_id['id']) + if not interface['properties'].get('enableIPForwarding'): + raise Exception( + 'IP forwarding is not enabled on Interface %s' % + interface['name']) + + +def test_cluster_parameters(): + """#TODO fixDocstring""" + path = "/var/opt/fw.boot/modules/fwkern.conf" + text1 = "fwha_dead_timeout_multiplier=20" + text2 = "fwha_if_problem_tolerance=200" + flags = dict.fromkeys(["fwkern_timeout_multiplier", + "fwkern_problem_tolerance", + "output_timeout_multiplier", + "output_problem_tolerance"], + False) + error = 'ClusterXL kernel parameters are not optimized for ' \ + 'Azure. 
See sk122218 for more information.' + + with open(path) as f: + for line in f: + if text1 in line: + flags['fwkern_timeout_multiplier'] = True + if text2 in line: + flags['fwkern_problem_tolerance'] = True + + command = ['fw', 'ctl', 'get', 'int', 'fwha_dead_timeout_multiplier'] + proc = subprocess.Popen( + command, stdout=subprocess.PIPE, + stderr=subprocess.PIPE) + out, err = proc.communicate() + if out.decode('utf-8').strip() == 'fwha_dead_timeout_multiplier = 20': + flags['output_timeout_multiplier'] = True + + command = ['fw', 'ctl', 'get', 'int', 'fwha_if_problem_tolerance'] + proc = subprocess.Popen( + command, stdout=subprocess.PIPE, + stderr=subprocess.PIPE) + out, err = proc.communicate() + + if out.decode('utf-8').strip() == 'fwha_if_problem_tolerance = 200': + flags['output_problem_tolerance'] = True + + if not all(value is True for value in list(flags.values())): + raise Exception(error) + + +def test(): + """#TODO fixDocstring""" + global conf + + if not is_azure(): + raise Exception('This does not look like an Azure environment\n') + + command = [os.environ['FWDIR'] + '/bin/azure-ha-conf', '--dump'] + proc = subprocess.Popen( + command, stdin=subprocess.PIPE, stdout=subprocess.PIPE, + stderr=subprocess.PIPE) + out, err = proc.communicate() + rc = proc.wait() + if rc: + log('\nfailed to run %s: %s\n%s' % (command, rc, err)) + raise Exception('Failed to load configuration file\n') + conf = json.loads(out) + + for k in ['clusterName', 'resourceGroup', 'subscriptionId']: + if not conf.get(k): + raise Exception( + 'The attribute %s is missing in the configuration' % k) + + proxy = conf.get('proxy', '') + os.environ['https_proxy'] = proxy + os.environ['http_proxy'] = proxy + + credentials = conf.get('credentials') + if credentials: + pass + elif conf.get('password') and conf.get('userName'): + credentials = { + 'username': conf['userName'], + 'password': conf['password']} + else: + raise Exception('Missing credentials') + + environment = 
conf.get('environment') + + global azure, templateName + azure = rest.Azure(credentials=credentials, + subscription=conf['subscriptionId'], + max_time=20, + environment=environment) + + templateName = conf.get('templateName', '').lower() + set_arm_versions() + + conf['hostname'] = conf.get('hostname', socket.gethostname()) + cluster_name = conf['clusterName'].lower() + if conf['hostname'] not in {cluster_name + '1', cluster_name + '2'}: + raise Exception('The hostname %s should be either \'%s\' or \'%s\'' % ( + conf['hostname'], cluster_name + '1', cluster_name + '2')) + + if 'peername' not in conf: + if conf['hostname'].endswith('1'): + conf['peername'] = conf['hostname'][:-1] + '2' + else: + conf['peername'] = conf['hostname'][:-1] + '1' + + conf['rg_id'] = ('/subscriptions/' + conf['subscriptionId'] + + '/resourcegroups/' + conf['resourceGroup']) + + conf['baseId'] = conf['rg_id'] + '/providers/' + + log('Testing if DNS is configured...\n') + try: + dns = subprocess.check_output( + ['/bin/clish', '-c', 'show dns primary']).decode('utf-8').strip() + except Exception: + traceback.print_exc() + raise + match = re.search(r'(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', dns) + if not match: + raise Exception('Primary DNS server is not configured\n') + log(' - Primary DNS server is: %s\n' % match.group(1)) + + log('Testing if DNS is working...\n') + if proxy: + host = _urllib.urlparse(proxy).hostname + if host is None: + raise Exception('Failed to get hostname from proxy: %s\n' % proxy) + + port = _urllib.urlparse(proxy).port + if not port: + if _urllib.urlparse(proxy).scheme == 'https': + port = 443 + else: + port = 80 + else: + host = azure.environment.login + port = 443 + try: + socket.gethostbyname(host) + log(' - DNS resolving test was successful\n') + except Exception: + raise Exception('Failed to resolve %s\n' % host) + + log('Testing connectivity to %s:%d...\n' % (host, port)) + with contextlib.closing( + socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s: + 
s.settimeout(3) + if s.connect_ex((host, port)): + raise Exception('Unable to connect to %s:%d\n' % (host, port)) + + log('Testing ClusterXL parameters...\n') + test_cluster_parameters() + + log('Testing cluster interface configuration...\n') + try: + cphaconf = json.loads( + subprocess.check_output(['cphaconf', 'aws_mode'])) + except Exception: + raise Exception('''You do not seem to have a valid cluster +configuration +''') + + log('Testing credentials...\n') + with azure.get_token() as token: + token # Do nothing and keep pyflakes happy + + if 'username' in credentials: + log('Testing whether the user credentials can expire...\n') + password_policies = azure.graph('GET', '/me')[1]['passwordPolicies'] + if 'DisablePasswordExpiration' not in password_policies: + raise Exception('The credentials might expire') + + log('Getting information about the environment...\n') + for vmname in [conf['hostname'], conf['peername']]: + log('Getting information about the VM %s...\n' % vmname) + vm = azure.arm('GET', conf['baseId'] + + 'microsoft.compute/virtualmachines/' + vmname)[1] + if templateName != 'stack-ha': + for interface_id in \ + vm['properties']['networkProfile']['networkInterfaces']: + if templateName == 'ha': + rid = interface_id['id'] + interface_name = rid.split('/')[8] + if interface_name.find('eth0') != -1: + interfaces_test_rw(interface_id) + else: + interfaces_test_rw(interface_id) + + if templateName not in ['ha', 'ha_terraform']: + log('Testing authorization on routing tables...\n') + for route_table in get_route_table_ids(): + test_rw(route_table) + if templateName != 'stack-ha': + log('Testing Azure load balancer...\n') + test_load_balancer() + + if templateName != 'stack-ha': + log('Testing cluster public IP address...\n') + test_cluster_ip() + + log('Verifying Azure interface configuration...\n') + for interface in cphaconf['ifs']: + log('- Interface %s: local IP address = %s, peer IP address = %s\n' % ( + interface['name'], interface['ipaddr'], + 
interface['other_member_if_ip'])) + + log('\nAll tests were successful!\n') + + +def main(): + """#TODO fixDocstring""" + try: + test() + except Exception: + log('Error:\n' + str(sys.exc_info()[1]) + '\n') + sys.exit(1) + + +if __name__ == '__main__': + main() diff --git a/azure/misc/nva_bgp_config.conf b/azure/misc/nva_bgp_config.conf new file mode 100644 index 00000000..8338a780 --- /dev/null +++ b/azure/misc/nva_bgp_config.conf 
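Review bot: `get_vm_primary_nic` can return the wrong interface or crash: when no NIC has `primary` set the `for` loop falls through with `ni` bound to the last entry, and when `networkInterfaces` is empty `ni` is never bound and the `azure.arm` call raises UnboundLocalError, so adding a `for`/`else` clause `else: raise Exception('No primary network interface found for VM %s' % vm.get('name'))` makes the failure explicit. Every function carries the placeholder docstring `"""#TODO fixDocstring"""`; `test_rw` in particular needs a real one because its default `test_write=True` performs a PUT of the object just read back onto the live resource (NICs, route tables, load balancer) as a permission probe, which an operator running this script should know before they run it. The handlers `except Exception: raise Exception('Failed to resolve %s\n' % host)` and the cphaconf `except Exception: raise Exception('''You do not seem ...''')` discard the original error; `raise Exception(...) from e` (or `from None` if the suppression is deliberate) keeps the cause for troubleshooting. Minor: `proc.wait()` after `proc.communicate()` is redundant, and `subprocess.run(command, capture_output=True)` would replace the three Popen/communicate blocks.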
@@ -0,0 +1,38 @@
+set as
+set routemap ex_azure id 110 on
+set routemap ex_azure id 110 restrict
+set routemap ex_azure id 110 match neighbor on
+set routemap ex_azure id 110 match protocol bgp
+set routemap ex_azure id 120 on
+set routemap ex_azure id 120 allow
+set routemap ex_azure id 120 action nexthop ip
+set routemap im_azure id 100 on
+set routemap im_azure id 100 allow
+set bgp external remote-as on
+set bgp external remote-as export-routemap "ex_azure" preference 10 on
+set bgp external remote-as import-routemap "im_azure" preference 10 on
+set bgp external remote-as peer on
+set bgp external remote-as peer multihop on
+set bgp external remote-as peer graceful-restart on
+
+# For example
+# set as 64512
+# set routemap ex_azure id 110 on
+# set routemap ex_azure id 110 restrict
+# set routemap ex_azure id 110 match neighbor 10.1.32.4 on
+# set routemap ex_azure id 110 match neighbor 10.1.32.5 on
+# set routemap ex_azure id 110 match protocol bgp
+# set routemap ex_azure id 120 on
+# set routemap ex_azure id 120 allow
+# set routemap ex_azure id 120 action nexthop ip 10.1.112.7
+# set routemap im_azure id 100 on
+# set routemap im_azure id 100 allow
+# set bgp external remote-as 65515 on
+# set bgp external remote-as 65515 export-routemap "ex_azure" preference 10 on
+# set bgp external remote-as 65515 import-routemap "im_azure" preference 10 on
+# set bgp external remote-as 65515 peer 10.1.32.4 on
+# set bgp external remote-as 65515 peer 10.1.32.4 multihop on
+# set bgp external remote-as 65515 peer 10.1.32.4 graceful-restart on
+# set bgp external remote-as 65515 peer 10.1.32.5 on
+# set bgp external remote-as 65515 peer 10.1.32.5 multihop on
+# set bgp external remote-as 65515 peer 10.1.32.5 graceful-restart on
\ No newline at end of file
diff --git a/azure/templates/README.MD b/azure/templates/README.MD
new file mode 100644
index 00000000..e5ef10fb
--- /dev/null
+++ b/azure/templates/README.MD
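Review bot: The import route map accepts everything the peer sends — `set routemap im_azure id 100 allow` carries no match clause, so any prefix the BGP neighbor advertises (a default route, or one overlapping the gateway's own subnets) is installed in the gateway's routing table, whereas the export side does filter via `set routemap ex_azure id 110 restrict` with its neighbor/protocol matches. The peer is presumably Azure Route Server (the example uses AS 65515), so unfiltered import may be intentional, but it should be an explicit decision: scope the import to the expected neighbors with the syntax the file already uses, e.g. `set routemap im_azure id 100 match neighbor <peer ip> on` (if the platform accepts neighbor matches on an import map), or add a comment above the block stating that imports are deliberately unfiltered. Separately, `set as` and the `remote-as`/`peer` lines are left without values; a one-line header comment listing the placeholders that must be filled (local AS, peer IPs, next-hop IP) before the file is loaded would stop a partially edited template from being applied.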
@@ -0,0 +1,69 @@ +# Azure Resource Manager templates +This directory contains the CloudGuard IaaS solution templates published in the [Azure Marketplace](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/checkpoint.vsec?tab=Overview). + +# How to deploy templates manually +To deploy the ARM templates manually without using the Azure Marketplace, follow these instructions: +1. Log in to the [Microsoft Azure Portal](https://portal.azure.com) +2. Click "*Create a resource*" +3. Search for "*Template deployment (deploy using custom templates)*" and click "*Create*" +4. Click "*Build your own template in the editor*" +5. Load the "*mainTemplate.json*" file of the desired template and click "*Save*" +6. Enter the desired template parameters + - Replace the "*_artifacts Location*" property with: + ``` + https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/ + ``` +7. Click *Purchase* to deploy the solution + +# How to deploy a specific version of Azure image +
+Please note that we recommend using the latest image. + +To deploy a specific Azure image, adjust the image version during the manual deployment of ARM templates and follow these instructions: + +1. Determine the desired image version - + - Visit [sk132192 - CloudGuard Network Security for Azure - Latest Updates](https://support.checkpoint.com/results/sk/sk132192#:~:text=CloudGuard%20for%20Azure%20Gateway%20Images%20history) > + Images History sections. + - Find the version of the desired image and change it as follows: + + **Examples:** + + The version on the SK - **R81.10-335.1498** + Converted for the Azure template - **8110.900335.1498** + + The version on the SK - **R81-335.883** + Converted for the Azure template - **8100.900335.0883** + +2. In the "mainTemplate.json" file, change the value of the **“version”** parameter from “latest” to the version you want to deploy. This must be done under the version type of image you want to deploy (sg-byol, sg-ngtp, etc.) + + **Example** for SG-BYOL (Bring your own license): + **Change from:** + + "imageReferenceBYOL":{ + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-byol", + "version": "**latest**" }, + + **to:** + "imageReferenceBYOL":{ + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-byol", + "version": "**8110.900335.1498**" }, + + +3. To confirm the version, run the command on the deployed machine: + **'more /etc/cloud-version'** + + **Output for - R81.20-631.1475:** + release: R81.20 + take: 631 + build: 991001475 + platform: azure + license: byol + deployment_method: ftw + template_name: management + template_version: 20231002 + template_type: marketplace +
diff --git a/azure/templates/marketplace-gateway-load-balancer/README.md b/azure/templates/marketplace-gateway-load-balancer/README.md new file mode 100644 index 00000000..a970e1a3 --- /dev/null +++ b/azure/templates/marketplace-gateway-load-balancer/README.md @@ -0,0 +1,22 @@ +# Check Point CloudGuard Network Security Gateway Load Balancer for Azure + +Check Point CloudGuard Network Security delivers advanced, multi-layered threat prevention to protect customer assets in Azure from malware and sophisticated threats. As a Microsoft Azure certified solution, CloudGuard Network Security enables you to easily and seamlessly secure your workloads while providing secure connectivity across your cloud and on-premises environments. + +Benefits: + +· Advanced threat prevention and traffic inspection + +· Integrated with Azure Security Center and Azure Sentinel + +· Provides consistent security policy management, enforcement, and reporting with a single pane of glass, using Check Point Unified Security Management + + + + Deploy to Azure + + + +To deploy with full control over all the template options use: [Full Control Deployment](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2Fazure%2Ftemplates%2Fmarketplace-gateway-load-balancer%2FmainTemplate.json) + + + diff --git a/azure/templates/marketplace-gateway-load-balancer/createUiDefinition.json b/azure/templates/marketplace-gateway-load-balancer/createUiDefinition.json new file mode 100644 index 00000000..54fd25cc --- /dev/null +++ b/azure/templates/marketplace-gateway-load-balancer/createUiDefinition.json 
@@ -0,0 +1,1516 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Compute.MultiVm", + "version": "0.1.2-preview", + "parameters": { + "basics": [ + { + "name": "basics settings text block", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "Please follow the CloudGuard Network for Azure VMSS Gateway Load Balancer R81.10 and Higher Administration Guide.", + "link": { + "label": "Administration Guide", + "uri": "https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_Azure_VMSS_GWLB/Default.htm" + } + } + }, + { + "name": "gatewayScaleSetNameUi", + "type": "Microsoft.Common.TextBox", + "label": "Gateway scale set name", + "toolTip": "The name of the Check Point Security Gateway Scale Set.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{1,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + } + }, + { + "name": "auth", + "type": "Microsoft.Compute.CredentialsCombo", + "label": { + "authenticationType": "Authentication type", + "password": "Password", + "confirmPassword": "Confirm password", + "sshPublicKey": "SSH public key" + }, + "toolTip": { + "password": "The user 'admin' password", + "sshPublicKey": "Paste an OpenSSH public key. 
You can generate a key pair using ssh-keygen (Linux, OS X, Cygwin) or PuttyGen (Windows)" + }, + "constraints": { + "required": true + }, + "options": { + "hideConfirmation": false, + "hidePassword": false + }, + "osPlatform": "Linux" + } + ], + "steps": [ + { + "name": "autoprovision", + "label": "Check Point VMSS settings", + "subLabel": { + "preValidation": "Configure CloudGuard VMSS settings", + "postValidation": "Done" + }, + "bladeTitle": "CloudGuard VMSS settings", + "elements": [ + { + "name": "upgrading", + "type": "Microsoft.Common.OptionsGroup", + "label": "Are you upgrading your CloudGuard VMSS solution?", + "defaultValue": "No", + "toolTip": "Select 'Yes' if you are upgrading your CloudGuard VMSS solution.", + "constraints": { + "allowedValues": [ + { + "label": "No", + "value": "no" + }, + { + "label": "Yes", + "value": "yes" + } + ] + } + }, + { + "name": "upgradeVmssInfoBox", + "type": "Microsoft.Common.InfoBox", + "visible": "[equals(steps('autoprovision').upgrading, 'yes')]", + "options": { + "icon": "Warning", + "text": "All the configurations below must be similar to the existing CloudGuard VMSS solution.\n\nNote that the target load balancers are the ones connected to your existing CloudGuard VMSS solution.\n\nSee the Deployment Guide for more information." + } + }, + { + "name": "vmCount", + "type": "Microsoft.Common.TextBox", + "label": "Initial number of gateways", + "defaultValue": "2", + "toolTip": "The initial number of gateways", + "constraints": { + "required": true, + "regex": "^[1-9][0-9]{0,1}$", + "validationMessage": "Please enter a number in the range 1-99." + } + }, + { + "name": "maxVmCount", + "type": "Microsoft.Common.TextBox", + "label": "Maximum number of gateways", + "defaultValue": "10", + "toolTip": "The maximum number of gateways", + "constraints": { + "required": true, + "regex": "^[1-9][0-9]{0,1}$", + "validationMessage": "Please enter a number in the range 1-99." 
+ } + }, + { + "name": "numGwsValidation", + "type": "Microsoft.Common.InfoBox", + "visible": "[greater(steps('autoprovision').vmCount, steps('autoprovision').maxVmCount)]", + "options": { + "icon": "Error", + "text": "Maximum number of gateways is lower than initial number of gateways" + } + }, + { + "name": "managementServer", + "type": "Microsoft.Common.TextBox", + "label": "Management name", + "toolTip": "The name of the management server as it appears in the configuration file", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z_\\-]{1,30}$", + "validationMessage": "Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long." + } + }, + { + "name": "configurationTemplateInfoBox", + "type": "Microsoft.Common.InfoBox", + "visible": "[equals(steps('autoprovision').upgrading, 'yes')]", + "options": { + "icon": "Info", + "text": "Use a different configuration template name than in your existing CloudGuard VMSS solution." + } + }, + { + "name": "configurationTemplate", + "type": "Microsoft.Common.TextBox", + "label": "Configuration template name", + "toolTip": "The configuration template name as it appears in the configuration file", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z_\\-]{1,30}$", + "validationMessage": "Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long." + } + }, + { + "name": "adminEmail", + "type": "Microsoft.Common.TextBox", + "label": "Administrator email address", + "defaultValue": "", + "toolTip": "An email address to notify about scaling operations", + "constraints": { + "required": false, + "regex": "^([a-zA-Z0-9_\\-\\.]+)@((\\[[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.)|(([a-zA-Z0-9\\-]+\\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\\]?)$", + "validationMessage": "Leave empty or enter a valid email address." 
+ } + }, + { + "name": "appLoadDistribution", + "type": "Microsoft.Common.DropDown", + "label": "Gateway Load Balancer session persistence", + "defaultValue": "None (5-tuple)", + "toolTip": "The load balancing distribution method for the Gateway Load Balancer.", + "visible": true, + "constraints": { + "allowedValues": [ + { + "label": "None (5-tuple)", + "value": "Default" + }, + { + "label": "Client IP (2-tuple)", + "value": "SourceIP" + }, + { + "label": "Client IP and protocol (3-tuple)", + "value": "SourceIPProtocol" + } + ] + } + }, + { + "name": "instanceLevelPublicIP", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy the VMSS with instance level Public IP address", + "defaultValue": "No", + "toolTip": "If selected 'Yes', then each VMSS instance will have its own public IP address.", + "constraints": { + "allowedValues": [ + { + "label": "No", + "value": "no" + }, + { + "label": "Yes", + "value": "yes" + } + ] + } + }, + { + "name": "lbsTargetRGName", + "type": "Microsoft.Common.TextBox", + "visible": "[equals(steps('autoprovision').upgrading, 'yes')]", + "label": "Target load balancers resource group name", + "defaultValue": "", + "toolTip": "The name of the Target Load Balancers Resource Group.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z_\\-\\.\\/\\(\\)]", + "validationMessage": "Resource Group only allow alphanumeric characters, periods, underscores, hyphens, slash, and parenthesis" + } + }, + { + "name": "lbResourceId", + "type": "Microsoft.Common.TextBox", + "visible": "[equals(steps('autoprovision').upgrading, 'yes')]", + "label": "Target gateway load balancer resource ID", + "defaultValue": "", + "toolTip": "The Resource ID of the Target Gateway Load Balancer.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z_\\-\\.\\/\\(\\)]", + "validationMessage": "Resource Id only allow alphanumeric characters, periods, underscores, hyphens, slash, and parenthesis" + } + }, + { + "name": "lbInfoBox", + "type": 
"Microsoft.Common.InfoBox", + "visible": "[equals(steps('autoprovision').upgrading, 'yes')]", + "options": { + "icon": "Info", + "text": "Make sure you have created a new backend address pool for the target gateway load balancer." + } + }, + { + "name": "lbTargetBEAddressPoolName", + "type": "Microsoft.Common.TextBox", + "visible": "[equals(steps('autoprovision').upgrading, 'yes')]", + "label": "Gateway load balancer's new backend pool name", + "toolTip": "The name of the new Target Gateway Load Balancer's Backend Pool.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z_\\-\\.\\/\\(\\)]", + "validationMessage": "Only alphanumeric characters, periods, underscores, hyphens, slash, and parenthesis are allowed" + } + }, + { + "name": "mgmtInterfaceOpt1", + "type": "Microsoft.Common.DropDown", + "label": "Management interface and IP address", + "defaultValue": "Frontend NIC's public IP address", + "visible": "[equals(steps('autoprovision').instanceLevelPublicIP, 'yes')]", + "toolTip": "Manage the Gateways in the Scale Set via the instance's external (eth0) or internal (eth1) NIC and with public or private IP.", + "constraints": { + "allowedValues": [ + { + "label": "Frontend NIC's public IP address", + "value": "eth0-public" + }, + { + "label": "Frontend NIC's private IP address", + "value": "eth0-private" + } + ] + } + }, + { + "name": "mgmtIPaddress", + "type": "Microsoft.Common.TextBox", + "label": "Management Server IP address", + "toolTip": "The IP address used to manage the VMSS instances.", + "visible": "[equals(steps('autoprovision').mgmtInterfaceOpt1, 'eth0-private')]", + "constraints": { + "regex": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$", + "required": true, + "validationMessage": "Please enter a valid IP address" + } + }, + { + "name": "availabilityZonesNum", + "type": "Microsoft.Common.DropDown", + "label": "Number of Availability Zones to use", + "defaultValue": "None", + 
"toolTip": "The number of avalability zones to use for the scale set. Note that the load balancers and their IP addresses will be zone redundant in any case.", + "visible": "[contains(' australiaeast brazilsouth canadacentral centralus eastasia eastus eastus2 francecentral germanywestcentral japaneast koreacentral northeurope norwayeast southafricanorth southcentralus southeastasia swedencentral uksouth usgovvirginia westeurope westus2 westus3 switzerlandnorth qatarcentral centralindia uaenorth italynorth ', concat(' ', location(), ' '))]", + "constraints": { + "allowedValues": [ + { + "label": "None", + "value": 0 + }, + { + "label": "One zone", + "value": 1 + }, + { + "label": "Two zones", + "value": 2 + }, + { + "label": "Three zones", + "value": 3 + } + ] + } + }, + { + "name": "customMetrics", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable CloudGuard metrics", + "defaultValue": "Yes", + "toolTip": "Enable CloudGuard metrics in order to send statuses and statistics collected from VMSS instances to the Azure Monitor service.", + "constraints": { + "allowedValues": [ + { + "label": "No", + "value": "no" + }, + { + "label": "Yes", + "value": "yes" + } + ] + }, + "visible": true + } + ] + }, + { + "name": "chkp", + "label": "Check Point CloudGuard settings", + "subLabel": { + "preValidation": "Configure CloudGuard settings", + "postValidation": "Done" + }, + "bladeTitle": "CloudGuard settings", + "elements": [ + { + "name": "cloudGuardVersion", + "type": "Microsoft.Common.DropDown", + "label": "Check Point CloudGuard version", + "defaultValue": "R81.20", + "toolTip": "The version of Check Point CloudGuard.", + "constraints": { + "allowedValues": [ + { + "label": "R81.10", + "value": "R81.10" + }, + { + "label": "R81.20", + "value": "R81.20" + } + ] + } + }, + { + "name": "R80Offer", + "type": "Microsoft.Common.DropDown", + "label": "License type", + "toolTip": "The type of license.", + "defaultValue": "Bring Your Own License", + "visible": true, + 
"constraints": { + "allowedValues": [ + { + "label": "Bring Your Own License", + "value": "Bring Your Own License" + }, + { + "label": "Pay As You Go (NGTP)", + "value": "Pay As You Go (NGTP)" + }, + { + "label": "Pay As You Go (NGTX)", + "value": "Pay As You Go (NGTX)" + } + ] + } + }, + { + "name": "R8110vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81.10'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + "Standard_D2_v5", + "Standard_D4_v5", + "Standard_D8_v5", + "Standard_D16_v5", + "Standard_D32_v5", + "Standard_D2s_v5", + "Standard_D4s_v5", + "Standard_D8s_v5", + "Standard_D16s_v5", + "Standard_D2d_v5", + "Standard_D4d_v5", + "Standard_D8d_v5", + "Standard_D16d_v5", + "Standard_D32d_v5", + "Standard_D2ds_v5", + "Standard_D4ds_v5", + "Standard_D8ds_v5", + "Standard_D16ds_v5", + "Standard_D32ds_v5", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", 
+ "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8110", + "sku": "sg-byol" + }, + "count": "[steps('autoprovision').vmCount]" + }, + { + "name": "R8110vmSizeUiNGTP", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81.10'), contains(steps('chkp').R80Offer, '(NGTP)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + "Standard_D2_v5", + "Standard_D4_v5", + "Standard_D8_v5", + "Standard_D16_v5", + "Standard_D32_v5", + "Standard_D2s_v5", + "Standard_D4s_v5", + "Standard_D8s_v5", + "Standard_D16s_v5", + "Standard_D2d_v5", + "Standard_D4d_v5", + "Standard_D8d_v5", + "Standard_D16d_v5", + "Standard_D32d_v5", + "Standard_D2ds_v5", + "Standard_D4ds_v5", + "Standard_D8ds_v5", + "Standard_D16ds_v5", + "Standard_D32ds_v5", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + 
"Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8110", + "sku": "sg-ngtp" + }, + "count": "[steps('autoprovision').vmCount]" + }, + { + "name": "R8110vmSizeUiNGTX", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81.10'), contains(steps('chkp').R80Offer, '(NGTX)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + "Standard_D2_v5", + "Standard_D4_v5", + "Standard_D8_v5", + "Standard_D16_v5", + 
"Standard_D32_v5", + "Standard_D2s_v5", + "Standard_D4s_v5", + "Standard_D8s_v5", + "Standard_D16s_v5", + "Standard_D2d_v5", + "Standard_D4d_v5", + "Standard_D8d_v5", + "Standard_D16d_v5", + "Standard_D32d_v5", + "Standard_D2ds_v5", + "Standard_D4ds_v5", + "Standard_D8ds_v5", + "Standard_D16ds_v5", + "Standard_D32ds_v5", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8110", + "sku": "sg-ngtx" + }, + "count": "[steps('autoprovision').vmCount]" + }, + { + "name": "R8120vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81.20'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "label": "Virtual machine 
size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D4ds_v5", + "Standard_D4d_v5" + ], + "constraints": { + "allowedSizes": [ + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + "Standard_D2_v5", + "Standard_D4_v5", + "Standard_D8_v5", + "Standard_D16_v5", + "Standard_D32_v5", + "Standard_D2s_v5", + "Standard_D4s_v5", + "Standard_D8s_v5", + "Standard_D16s_v5", + "Standard_D2d_v5", + "Standard_D4d_v5", + "Standard_D8d_v5", + "Standard_D16d_v5", + "Standard_D32d_v5", + "Standard_D2ds_v5", + "Standard_D4ds_v5", + "Standard_D8ds_v5", + "Standard_D16ds_v5", + "Standard_D32ds_v5", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", 
+ "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8120", + "sku": "sg-byol" + }, + "count": "[steps('autoprovision').vmCount]" + }, + { + "name": "R8120vmSizeUiNGTP", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81.20'), contains(steps('chkp').R80Offer, '(NGTP)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D4ds_v5", + "Standard_D4d_v5" + ], + "constraints": { + "allowedSizes": [ + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + "Standard_D2_v5", + "Standard_D4_v5", + "Standard_D8_v5", + "Standard_D16_v5", + "Standard_D32_v5", + "Standard_D2s_v5", + "Standard_D4s_v5", + "Standard_D8s_v5", + "Standard_D16s_v5", + "Standard_D2d_v5", + "Standard_D4d_v5", + "Standard_D8d_v5", + "Standard_D16d_v5", + "Standard_D32d_v5", + "Standard_D2ds_v5", + "Standard_D4ds_v5", + "Standard_D8ds_v5", + "Standard_D16ds_v5", + "Standard_D32ds_v5", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + 
"Standard_D5_v2",
+ "Standard_D11_v2",
+ "Standard_D12_v2",
+ "Standard_D13_v2",
+ "Standard_D14_v2",
+ "Standard_D15_v2",
+ "Standard_F2",
+ "Standard_F4",
+ "Standard_F8",
+ "Standard_F16",
+ "Standard_D4_v3",
+ "Standard_D8_v3",
+ "Standard_D16_v3",
+ "Standard_D32_v3",
+ "Standard_D64_v3",
+ "Standard_E4_v3",
+ "Standard_E8_v3",
+ "Standard_E16_v3",
+ "Standard_E20_v3",
+ "Standard_E32_v3",
+ "Standard_E64_v3",
+ "Standard_E64i_v3",
+ "Standard_DS11_v2",
+ "Standard_DS12_v2",
+ "Standard_DS13_v2",
+ "Standard_DS14_v2",
+ "Standard_DS15_v2"
+ ]
+ },
+ "osPlatform": "Linux",
+ "imageReference": {
+ "publisher": "checkpoint",
+ "offer": "check-point-cg-r8120",
+ "sku": "sg-ngtp"
+ },
+ "count": "[steps('autoprovision').vmCount]"
+ },
+ {
+ "name": "R8120vmSizeUiNGTX",
+ "type": "Microsoft.Compute.SizeSelector",
+ "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81.20'), contains(steps('chkp').R80Offer, '(NGTX)'))]",
+ "label": "Virtual machine size",
+ "toolTip": "The VM size of the Security Gateway",
+ "recommendedSizes": [
+ "Standard_D4ds_v5",
+ "Standard_D4d_v5"
+ ],
+ "constraints": {
+ "allowedSizes": [
+ "Standard_D4_v4",
+ "Standard_D8_v4",
+ "Standard_D16_v4",
+ "Standard_D32_v4",
+ "Standard_D48_v4",
+ "Standard_D64_v4",
+ "Standard_D4s_v4",
+ "Standard_D8s_v4",
+ "Standard_D16s_v4",
+ "Standard_D32s_v4",
+ "Standard_D48s_v4",
+ "Standard_D64s_v4",
+ "Standard_D2_v5",
+ "Standard_D4_v5",
+ "Standard_D8_v5",
+ "Standard_D16_v5",
+ "Standard_D32_v5",
+ "Standard_D2s_v5",
+ "Standard_D4s_v5",
+ "Standard_D8s_v5",
+ "Standard_D16s_v5",
+ "Standard_D2d_v5",
+ "Standard_D4d_v5",
+ "Standard_D8d_v5",
+ "Standard_D16d_v5",
+ "Standard_D32d_v5",
+ "Standard_D2ds_v5",
+ "Standard_D4ds_v5",
+ "Standard_D8ds_v5",
+ "Standard_D16ds_v5",
+ "Standard_D32ds_v5",
+ "Standard_DS2_v2",
+ "Standard_DS3_v2",
+ "Standard_DS4_v2",
+ "Standard_DS5_v2",
+ "Standard_F2s",
+ "Standard_F4s",
+ "Standard_F8s",
+ "Standard_F16s",
+ "Standard_D4s_v3",
+ "Standard_D8s_v3",
+ "Standard_D16s_v3",
+ "Standard_D32s_v3",
+ "Standard_D64s_v3",
+ "Standard_E4s_v3",
+ "Standard_E8s_v3",
+ "Standard_E16s_v3",
+ "Standard_E20s_v3",
+ "Standard_E32s_v3",
+ "Standard_E64s_v3",
+ "Standard_E64is_v3",
+ "Standard_F4s_v2",
+ "Standard_F8s_v2",
+ "Standard_F16s_v2",
+ "Standard_F32s_v2",
+ "Standard_F64s_v2",
+ "Standard_M8ms",
+ "Standard_M16ms",
+ "Standard_M32ms",
+ "Standard_M64ms",
+ "Standard_M64s",
+ "Standard_D2_v2",
+ "Standard_D3_v2",
+ "Standard_D4_v2",
+ "Standard_D5_v2",
+ "Standard_D11_v2",
+ "Standard_D12_v2",
+ "Standard_D13_v2",
+ "Standard_D14_v2",
+ "Standard_D15_v2",
+ "Standard_F2",
+ "Standard_F4",
+ "Standard_F8",
+ "Standard_F16",
+ "Standard_D4_v3",
+ "Standard_D8_v3",
+ "Standard_D16_v3",
+ "Standard_D32_v3",
+ "Standard_D64_v3",
+ "Standard_E4_v3",
+ "Standard_E8_v3",
+ "Standard_E16_v3",
+ "Standard_E20_v3",
+ "Standard_E32_v3",
+ "Standard_E64_v3",
+ "Standard_E64i_v3",
+ "Standard_DS11_v2",
+ "Standard_DS12_v2",
+ "Standard_DS13_v2",
+ "Standard_DS14_v2",
+ "Standard_DS15_v2"
+ ]
+ },
+ "osPlatform": "Linux",
+ "imageReference": {
+ "publisher": "checkpoint",
+ "offer": "check-point-cg-r8120",
+ "sku": "sg-ngtx"
+ },
+ "count": "[steps('autoprovision').vmCount]"
+ },
+ {
+ "name": "adminShell",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Default shell for the admin user",
+ "defaultValue": "/etc/cli.sh",
+ "toolTip": "The default shell for the admin user",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "/etc/cli.sh",
+ "value": "/etc/cli.sh"
+ },
+ {
+ "label": "/bin/bash",
+ "value": "/bin/bash"
+ },
+ {
+ "label": "/bin/csh",
+ "value": "/bin/csh"
+ },
+ {
+ "label": "/bin/tcsh",
+ "value": "/bin/tcsh"
+ }
+ ]
+ }
+ },
+ {
+ "name": "sicKeyUi",
+ "type": "Microsoft.Common.PasswordBox",
+ "label": {
+ "password": "SIC Key",
+ "confirmPassword": "Confirm SIC Key"
+ },
+ "toolTip": "Set the Secure Internal Communication one time secret used to set up trust between the gateway and the management server.",
+ "constraints": {
+ "required": true,
+ "regex": "^[a-z0-9A-Z]{12,30}$",
+ "validationMessage": "Only alphanumeric characters are allowed, and the value must be 12-30 characters long."
+ },
+ "options": {
+ "hideConfirmation": false
+ }
+ },
+ {
+ "name": "SerialPasswordInfoBox",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[bool(basics('auth').sshPublicKey)]",
+ "options": {
+ "icon": "Info",
+ "text": "Check Point recommends setting serial console password and maintenance-mode password for recovery purposes. For R81.10 and below the serial console password is used also as maintenance-mode password"
+ }
+ },
+ {
+ "visible": "[bool(basics('auth').sshPublicKey)]",
+ "name": "EnableSerialConsolePassword",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable Serial console password",
+ "defaultValue": "Yes",
+ "toolTip": "A unique password hash to enable VM connection via serial console.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": true
+ },
+ {
+ "label": "No",
+ "value": false
+ }
+ ]
+ }
+ },
+ {
+ "name": "AdditionalPassword",
+ "type": "Microsoft.Common.PasswordBox",
+ "toolTip": "Serial console password hash, used to enable password authentication (using serial console). To generate password hash use the command 'openssl passwd -6 PASSWORD'",
+ "visible": "[and(bool(basics('auth').sshPublicKey), steps('chkp').EnableSerialConsolePassword)]",
+ "label": {
+ "password": "Password hash",
+ "confirmPassword": "Confirm password"
+ },
+ "constraints": {
+ "required": true,
+ "regex": "^.{12,300}$",
+ "validationMessage": "The value must be the output of the hash command."
+ },
+ "options": {
+ "hideConfirmation": false
+ }
+ },
+ {
+ "name": "MaintenanceModeInfoBox",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[and(bool(basics('auth').password), not(contains('R81.10', steps('chkp').cloudGuardVersion)))]",
+ "options": {
+ "icon": "Info",
+ "text": "Check Point recommends setting a maintenance-mode password for recovery purposes."
+ }
+ },
+ {
+ "visible": "[not(contains('R81.10', steps('chkp').cloudGuardVersion))]",
+ "name": "EnableMaintenanceMode",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable Maintenance Mode",
+ "defaultValue": "Yes",
+ "toolTip": "A unique password hash to enable VM maintenance mode.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": true
+ },
+ {
+ "label": "No",
+ "value": false
+ }
+ ]
+ }
+ },
+ {
+ "visible": "[and(not(contains('R81.10', steps('chkp').cloudGuardVersion)), steps('chkp').EnableMaintenanceMode)]",
+ "name": "MaintenanceModePassword",
+ "type": "Microsoft.Common.PasswordBox",
+ "defaultValue": "",
+ "toolTip": "To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here.",
+ "label": {
+ "password": "Maintenance Mode password hash",
+ "confirmPassword": "Confirm Password"
+ },
+ "constraints": {
+ "required": true,
+ "validationMessage": "The value must be the output of the hash command."
+ },
+ "options": {
+ "hideConfirmation": false
+ }
+ },
+ {
+ "name": "bootstrapScript",
+ "type": "Microsoft.Common.FileUpload",
+ "label": "Bootstrap script",
+ "toolTip": "An optional script to run on the initial boot",
+ "constraints": {
+ "required": false,
+ "accept": ".sh,text/plain"
+ },
+ "options": {
+ "multiple": false,
+ "uploadMode": "file",
+ "openMode": "text",
+ "encoding": "UTF-8"
+ }
+ },
+ {
+ "name": "allowUploadDownload",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Automatically download updates and share statistical data for product improvement purpose",
+ "defaultValue": "Yes",
+ "toolTip": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "true"
+ },
+ {
+ "label": "No",
+ "value": "false"
+ }
+ ]
+ }
+ },
+ {
+ "name": "VMDiskType",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "VM disk type",
+ "toolTip": "Type of CloudGuard disk.",
+ "visible": "[not(contains('R81.10' , steps('chkp').cloudGuardVersion))]",
+ "defaultValue": "Premium",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Standard",
+ "value": "Standard_LRS"
+ },
+ {
+ "label": "Premium",
+ "value": "Premium_LRS"
+ }
+ ]
+ }
+ },
+ {
+ "name": "VMDiskTypeOldVersions",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "VM disk type",
+ "toolTip": "Type of CloudGuard disk.",
+ "visible": "[contains('R81.10' , steps('chkp').cloudGuardVersion)]",
+ "defaultValue": "Standard",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Standard",
+ "value": "Standard_LRS"
+ },
+ {
+ "label": "Premium",
+ "value": "Premium_LRS"
+ }
+ ]
+ }
+ },
+ {
+ "name": "additionalDiskSizeGB",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Additional disk space (GB)",
+ "defaultValue": "0",
+ "toolTip": "Additional disk space (in GB), initial disk size is 100 GB.",
+ "constraints": {
+ "regex": "^([0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-2][0-9][0-9][0-9]|3[0-8][0-9][0-9]|399[0-5])$",
+ "validationMessage": "Select a number between 0 and 3995"
+ },
+ "visible": "[not(contains('R81.10 R81.20', steps('chkp').cloudGuardVersion))]"
+ },
+ {
+ "name": "useCustomImageUri",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Use development image uri",
+ "defaultValue": "No",
+ "toolTip": "Use custom image URI.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ],
+ "required": true
+ },
+ "visible": false
+ },
+ {
+ "name": "sourceImageVhdUri",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Development Image URI",
+ "toolTip": "The URI of the blob containing the development image",
+ "constraints": {
+ "required": "[equals(steps('chkp').useCustomImageUri, 'Yes')]",
+ "regex": "^[a-z0-9A-Z_\\-\\.\\:\\/]{1,500}.vhd$",
+ "validationMessage": "Only alphanumeric characters and '_','-','.',':','/' are allowed, the value must be 1-500 characters long and must end with .vhd. "
+ },
+ "visible": "[equals(steps('chkp').useCustomImageUri, 'Yes')]"
+ }
+ ]
+ },
+ {
+ "name": "network",
+ "label": "Network settings",
+ "subLabel": {
+ "preValidation": "Configure network settings",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Network settings",
+ "elements": [
+ {
+ "name": "virtualNetwork",
+ "type": "Microsoft.Network.VirtualNetworkCombo",
+ "label": {
+ "virtualNetwork": "Virtual network",
+ "subnets": "Subnets"
+ },
+ "toolTip": {
+ "virtualNetwork": "Virtual Network Name",
+ "subnets": "The subnets to deploy into"
+ },
+ "defaultValue": {
+ "name": "vnet01",
+ "addressPrefixSize": "/16"
+ },
+ "constraints": {
+ "minAddressPrefixSize": "/28"
+ },
+ "options": {
+ "hideExisting": false
+ },
+ "subnets": {
+ "subnet1": {
+ "label": "VMSS Frontend subnet",
+ "defaultValue": {
+ "name": "VMSS-Frontend",
+ "addressPrefixSize": "/24"
+ },
+ "constraints": {
+ "minAddressPrefixSize": "/29",
+ "minAddressCount": "[steps('autoprovision').maxVmCount]",
+ "requireContiguousAddresses": false
+ }
+ }
+ },
+ "visible": true
+ },
+ {
+ "name": "NSG",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Network Security Group",
+ "toolTip": "Choose between using an existing NSG or using a new NSG",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Create new",
+ "value": true
+ },
+ {
+ "label": "Existing NSG",
+ "value": false
+ }
+ ],
+ "required": true
+ },
+ "visible": true
+ },
+ {
+ "name": "nsgSelector",
+ "type": "Microsoft.Solutions.ResourceSelector",
+ "label": "Network Security Group",
+ "defaultValue": "null",
+ "toolTip": "Choose an existing NSG",
+ "resourceType": "Microsoft.Network/NetworkSecurityGroups",
+ "options": {
+ "filter": {
+ "subscription": "onBasics",
+ "location": "onBasics"
+ }
+ },
+ "constraints": {
+ "required": true
+ },
+ "visible": "[equals(steps('network').NSG, false)]"
+ },
+ {
+ "name": "NSGName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Name",
+ "defaultValue": "[concat(basics('gatewayScaleSetNameUi') , '-nsg')]",
+ "toolTip": "Insert Name for the new NSG",
+ "multiLine": false,
+ "constraints": {
+ "required": "[steps('network').NSG]",
+ "regex": "^[a-z0-9A-Z-]{1,30}$",
+ "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long."
+ },
+ "visible": "[steps('network').NSG]"
+ },
+ {
+ "name": "addStorageAccountIpRules",
+ "type": "Microsoft.Common.OptionsGroup",
+ "defaultValue": "Network access from all networks",
+ "label": "Storage Account Network Access",
+ "toolTip": "Select your preferred network access to the Storage Account, for more information - https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#serial-console-security",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Network access from all networks",
+ "value": false
+ },
+ {
+ "label": "Network access only from Serial Console",
+ "value": true
+ }
+ ],
+ "required": true
+ },
+ "visible": true
+ }
+ ]
+ },
+ {
+ "name": "tags",
+ "label": "Tags",
+ "elements": [
+ {
+ "name": "tagsByResource",
+ "type": "Microsoft.Common.TagsByResource",
+ "toolTip": "Create Azure tags for the new resources",
+ "resources": [
+ "Microsoft.Storage/storageAccounts",
+ "Microsoft.Compute/virtualMachineScaleSets",
+ "Microsoft.Network/routeTables",
+ "Microsoft.Network/virtualNetworks",
+ "Microsoft.Network/networkSecurityGroups",
+ "Microsoft.Network/loadBalancers"
+ ]
+ }
+ ]
+ }
+ ],
+ "outputs": {
+ "location": "[location()]",
+ "authenticationType": "[basics('auth').authenticationType]",
+ "adminPassword": "[basics('auth').password]",
+ "sshPublicKey": "[basics('auth').sshPublicKey]",
+ "upgrading": "[steps('autoprovision').upgrading]",
+ "vmName": "[basics('gatewayScaleSetNameUi')]",
+ "instanceCount": "[steps('autoprovision').vmCount]",
+ "maxInstanceCount": "[steps('autoprovision').maxVmCount]",
+ "managementServer": "[steps('autoprovision').managementServer]",
+ "configurationTemplate": "[steps('autoprovision').configurationTemplate]",
+ "adminEmail": "[steps('autoprovision').adminEmail]",
+ "instanceLevelPublicIP": "[steps('autoprovision').instanceLevelPublicIP]",
+ "lbsTargetRGName": "[steps('autoprovision').lbsTargetRGName]",
+ "lbResourceId": "[steps('autoprovision').lbResourceId]",
+ "lbTargetBEAddressPoolName": "[steps('autoprovision').lbTargetBEAddressPoolName]",
+ "mgmtInterfaceOpt1": "[steps('autoprovision').mgmtInterfaceOpt1]",
+ "mgmtIPaddress": "[steps('autoprovision').mgmtIPaddress]",
+ "appLoadDistribution": "[steps('autoprovision').appLoadDistribution]",
+ "availabilityZonesNum": "[coalesce(steps('autoprovision').availabilityZonesNum, int('0'))]",
+ "customMetrics": "[steps('autoprovision').customMetrics]",
+ "cloudGuardVersion": "[concat(steps('chkp').cloudGuardVersion, ' - ', coalesce(steps('chkp').R80Offer, 'Bring Your Own License'))]",
+ "vmSize": "[coalesce(steps('chkp').R8110vmSizeUiBYOL, steps('chkp').R8110vmSizeUiNGTP, steps('chkp').R8110vmSizeUiNGTX, steps('chkp').R8120vmSizeUiBYOL, steps('chkp').R8120vmSizeUiNGTP, steps('chkp').R8120vmSizeUiNGTX)]",
+ "sicKey": "[steps('chkp').sicKeyUi]",
+ "bootstrapScript": "[steps('chkp').bootstrapScript]",
+ "allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp').allowUploadDownload, 'true')]",
+ "additionalDiskSizeGB": "[int(steps('chkp').additionalDiskSizeGB)]",
+ "diskType": "[if(contains('R81.10' , steps('chkp').cloudGuardVersion) , steps('chkp').VMDiskTypeOldVersions , steps('chkp').VMDiskType)]",
+ "sourceImageVhdUri": "[coalesce(steps('chkp').sourceImageVhdUri, 'noCustomUri')]",
+ "virtualNetworkName": "[steps('network').virtualNetwork.name]",
+ "virtualNetworkAddressPrefix": "[steps('network').virtualNetwork.addressPrefix]",
+ "vnetNewOrExisting": "[steps('network').virtualNetwork.newOrExisting]",
+ "virtualNetworkExistingRGName": "[steps('network').virtualNetwork.resourceGroup]",
+ "subnet1Name": "[steps('network').virtualNetwork.subnets.subnet1.name]",
+ "subnet1Prefix": "[steps('network').virtualNetwork.subnets.subnet1.addressPrefix]",
+ "subnet1StartAddress": "[steps('network').virtualNetwork.subnets.subnet1.startAddress]",
+ "adminShell": "[steps('chkp').adminShell]",
+ "tagsByResource": "[steps('tags').tagsByResource]",
+ "deployNewNSG": "[steps('network').NSG]",
+ "ExistingNSG": "[steps('network').nsgSelector]",
+ "NewNsgName": "[steps('network').NSGName]",
+ "addStorageAccountIpRules": "[steps('network').addStorageAccountIpRules]",
+ "SerialConsolePasswordHash": "[steps('chkp').AdditionalPassword]",
+ "MaintenanceModePasswordHash": "[steps('chkp').MaintenanceModePassword]"
+ }
+ }
+}
\ No newline at end of file
diff --git a/azure/templates/marketplace-gateway-load-balancer/mainTemplate.json b/azure/templates/marketplace-gateway-load-balancer/mainTemplate.json
new file mode 100644
index 00000000..f9db5e37
--- /dev/null
+++ b/azure/templates/marketplace-gateway-load-balancer/mainTemplate.json
@@ -0,0 +1,1169 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "subscriptionId": { + "type": "string", + "defaultValue": "[subscription().subscriptionId]", + "metadata": { + "description": "Subscription ID." + } + }, + "location": { + "type": "string", + "metadata": { + "description": "Deployment location" + }, + "defaultValue": "[resourceGroup().location]" + }, + "cloudGuardVersion": { + "type": "string", + "allowedValues": [ + "R81.10 - Bring Your Own License", + "R81.10 - Pay As You Go (NGTP)", + "R81.10 - Pay As You Go (NGTX)", + "R81.20 - Bring Your Own License", + "R81.20 - Pay As You Go (NGTP)", + "R81.20 - Pay As You Go (NGTX)" + ], + "defaultValue": "R81.20 - Bring Your Own License", + "metadata": { + "description": "Version of Check Point CloudGuard" + } + }, + "instanceCount": { + "defaultValue": "2", + "type": "string", + "metadata": { + "description": "Number of VM instances" + } + }, + "maxInstanceCount": { + "defaultValue": "10", + "type": "string", + "metadata": { + "description": "Maximum number of VM instances" + } + }, + "managementServer": { + "type": "string", + "metadata": { + "description": "The name of the management server as it appears in the configuration file" + } + }, + "configurationTemplate": { + "type": "string", + "metadata": { + "description": "A name of a template as it appears in the configuration file" + } + }, + "adminEmail": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Email address to notify if there are any scaling operations" + } + }, + "authenticationType": { + "type": "string", + "allowedValues": [ + "password", + "sshPublicKey" + ], + "defaultValue": "password", + "metadata": { + "description": "Authentication type" + } + }, + "sshPublicKey": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Administrator SSH public key" + } + }, + "adminPassword": { + 
"type": "securestring", + "metadata": { + "description": "Administrator password" + }, + "defaultValue": "" + }, + "MaintenanceModePasswordHash": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "Description": "Maintenance mode password hash, relevant only for R81.20 and higher versions" + } + }, + "SerialConsolePasswordHash": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "Description": "Optional parameter, used to enable serial console connection in case of SSH key as authentication type" + } + }, + "vmName": { + "type": "string", + "metadata": { + "description": "Name of the Check Point Security Gateway scale set" + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_D3_v2", + "metadata": { + "description": "Size of the VM" + } + }, + "adminShell": { + "type": "string", + "defaultValue": "/etc/cli.sh", + "allowedValues": [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh" + ], + "metadata": { + "Description": "The default shell for the admin user" + } + }, + "sicKey": { + "type": "securestring", + "metadata": { + "description": "One time key for Secure Internal Communication" + } + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "[concat(resourceGroup().name, '-vnet')]" + }, + "upgrading": { + "type": "string", + "defaultValue": "no", + "allowedValues": [ + "no", + "yes" + ], + "metadata": { + "Description": "Indicates whether the user is upgrading the CloudGuard VMSS solution" + } + }, + "lbsTargetRGName": { + "type": "string", + "metadata": { + "description": "The name of the Target Gateway Load Balancers Resource Group." + }, + "defaultValue": "" + }, + "lbResourceId": { + "type": "string", + "metadata": { + "description": "The Resource ID of the Target Gateway Load Balancer." 
+ }, + "defaultValue": "" + }, + "lbTargetBEAddressPoolName": { + "type": "string", + "metadata": { + "description": "The name of the new Target Gateway Load Balancer's Backend Pool." + }, + "defaultValue": "" + }, + "virtualNetworkAddressPrefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the virtual network" + }, + "defaultValue": "10.0.0.0/16" + }, + "subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the frontend subnet" + }, + "defaultValue": "Frontend" + }, + "subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the frontend subnet" + }, + "defaultValue": "10.0.0.0/24" + }, + "subnet1StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the subnet" + }, + "defaultValue": "10.0.0.4" + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "new", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "[resourceGroup().name]" + }, + "bootstrapScript": { + "type": "string", + "metadata": { + "description": "Bootstrap script" + }, + "defaultValue": "" + }, + "allowDownloadFromUploadToCheckPoint": { + "type": "string", + "allowedValues": [ + "true", + "false" + ], + "defaultValue": "true", + "metadata": { + "description": "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point" + } + }, + "instanceLevelPublicIP": { + "type": "string", + "allowedValues": [ + "no", + "yes" + ], + "defaultValue": "no", + "metadata": { + "description": "Deploy the VMSS with instance level Public IP address" + } + }, + "mgmtInterfaceOpt1": { + "type": "string", + "allowedValues": [ + "eth0-public", + "eth0-private" + ], + "defaultValue": "eth0-private", + "metadata": { + "description": "Manage the Gateways in the Scale Set via the instance's external NIC's public or private IP address." + } + }, + "mgmtIPaddress": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "The IP address used to manage the VMSS instances." + } + }, + "additionalDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "metadata": { + "description": "Amount of additional disk space (in GB), not relevant for R81.20 and below" + }, + "minValue": 0, + "maxValue": 3995 + }, + "diskType": { + "type": "string", + "defaultValue": "Standard_LRS", + "metadata": { + "description": "The type of the OS disk. 
Premium is applicable only to DS machine sizes" + }, + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ] + }, + "appLoadDistribution": { + "type": "string", + "allowedValues": [ + "Default", + "SourceIP", + "SourceIPProtocol" + ], + "defaultValue": "Default", + "metadata": { + "description": "The Gateway Load Balancer distribution method" + } + }, + "sourceImageVhdUri": { + "type": "string", + "defaultValue": "noCustomUri", + "metadata": { + "description": "The URI of the blob containing the development image" + } + }, + "availabilityZonesNum": { + "type": "int", + "allowedValues": [ + 0, + 1, + 2, + 3 + ], + "defaultValue": 0, + "metadata": { + "description": "The number of availability zones" + } + }, + "_artifactsLocation": { + "type": "string", + "metadata": { + "description": "Use the following URI when deploying a custom template: https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/" + }, + "defaultValue": "[deployment().properties.templateLink.uri]" + }, + "_artifactsLocationSasToken": { + "type": "securestring", + "metadata": { + "description": "The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. Use the defaultValue if the staging location is not secured." + }, + "defaultValue": "" + }, + "customMetrics": { + "type": "string", + "allowedValues": [ + "no", + "yes" + ], + "defaultValue": "yes", + "metadata": { + "Description": "Indicates whether Custom Metrics will be used for VMSS Scaling policy and VM monitoring" + } + }, + "rbacGuid": { + "type": "string", + "defaultValue": "[newGuid()]" + }, + "vxlanTunnelExternalIdentifier": { + "type": "int", + "minValue": 800, + "maxValue": 1000, + "defaultValue": 801, + "metadata": { + "description": "VXLAN tunnel external identifier. A value between 800-1000." 
+ } + }, + "vxlanTunnelExternalPort": { + "type": "int", + "defaultValue": 2001, + "metadata": { + "description": "VXLAN tunnel external port number." + } + }, + "vxlanTunnelInternalIdentifier": { + "type": "int", + "minValue": 800, + "maxValue": 1000, + "defaultValue": 800, + "metadata": { + "description": "VXLAN tunnel internal identifier. A value between 800-1000." + } + }, + "vxlanTunnelInternalPort": { + "type": "int", + "defaultValue": 2000, + "metadata": { + "description": "VXLAN Tunnel Internal port number." + } + }, + "tagsByResource": { + "type": "object", + "defaultValue": {} + }, + "deployNewNSG": { + "type": "bool", + "defaultValue": true + }, + "ExistingNSG": { + "type": "object", + "defaultValue": {} + }, + "NewNsgName": { + "type": "string", + "defaultValue": "[concat(parameters('vmName'),'-nsg')]" + }, + "addStorageAccountIpRules": { + "type": "bool", + "metadata": { + "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled" + }, + "defaultValue": false + }, + "storageAccountAdditionalIps": { + "type": "array", + "metadata": { + "description": "IPs/CIDRs that are allowed access to the Storage Account" + }, + "defaultValue": [] + } + }, + "variables": { + "resourceGroup": "[resourceGroup()]", + "templateName": "gwlb", + "templateVersion": "20240716", + "location": "[parameters('location')]", + "offers": { + "R81.10 - Bring Your Own License": "BYOL", + "R81.10 - Pay As You Go (NGTP)": "NGTP", + "R81.10 - Pay As You Go (NGTX)": "NGTX", + "R81.20 - Bring Your Own License": "BYOL", + "R81.20 - Pay As You Go (NGTP)": "NGTP", + "R81.20 - Pay As You Go (NGTX)": "NGTX" + }, + "offer": "[variables('offers')[parameters('cloudGuardVersion')]]", + "osVersions": { + "R81.10 - Bring Your Own License": 
"R8110", + "R81.10 - Pay As You Go (NGTP)": "R8110", + "R81.10 - Pay As You Go (NGTX)": "R8110", + "R81.20 - Bring Your Own License": "R8120", + "R81.20 - Pay As You Go (NGTP)": "R8120", + "R81.20 - Pay As You Go (NGTX)": "R8120" + }, + "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", + "SerialConsoleGeographies": { + "eastasia": [ + "20.205.69.28", + "20.195.85.180" + ], + "southeastasia": [ + "20.205.69.28", + "20.195.85.180" + ], + "australiacentral": [ + "20.53.53.224", + "20.70.222.112" + ], + "australiacentral2": [ + "20.53.53.224", + "20.70.222.112" + ], + "australiaeast": [ + "20.53.53.224", + "20.70.222.112" + ], + "australiasoutheast": [ + "20.53.53.224", + "20.70.222.112" + ], + "brazilsouth": [ + "91.234.136.63", + "20.206.0.194" + ], + "brazilsoutheast": [ + "91.234.136.63", + "20.206.0.194" + ], + "canadacentral": [ + "52.228.86.177", + "52.242.40.90" + ], + "canadaeast": [ + "52.228.86.177", + "52.242.40.90" + ], + "northeurope": [ + "52.146.139.220", + "20.105.209.72" + ], + "westeurope": [ + "52.146.139.220", + "20.105.209.72" + ], + "francecentral": [ + "20.111.0.244", + "52.136.191.10" + ], + "francesouth": [ + "20.111.0.244", + "52.136.191.10" + ], + "germanynorth": [ + "51.116.75.88", + "20.52.95.48" + ], + "germanywestcentral": [ + "51.116.75.88", + "20.52.95.48" + ], + "centralindia": [ + "20.192.168.150", + "20.192.153.104" + ], + "southindia": [ + "20.192.168.150", + "20.192.153.104" + ], + "westindia": [ + "20.192.168.150", + "20.192.153.104" + ], + "japaneast": [ + "20.43.70.205", + "20.189.228.222" + ], + "japanwest": [ + "20.43.70.205", + "20.189.228.222" + ], + "koreacentral": [ + "20.200.196.96", + "52.147.119.29" + ], + "koreasouth": [ + "20.200.196.96", + "52.147.119.29" + ], + "norwaywest": [ + "20.100.1.184", + "51.13.138.76" + ], + "norwayeast": [ + "20.100.1.184", + "51.13.138.76" + ], + "switzerlandnorth": [ + "20.208.4.98", + "51.107.251.190" + ], + "switzerlandwest": [ + "20.208.4.98", + 
"51.107.251.190" + ], + "uaecentral": [ + "20.45.95.66", + "20.38.141.5" + ], + "uaenorth": [ + "20.45.95.66", + "20.38.141.5" + ], + "uksouth": [ + "20.90.132.144", + "20.58.68.62" + ], + "ukwest": [ + "20.90.132.144", + "20.58.68.62" + ], + "swedencentral": [ + "51.12.72.223", + "51.12.22.174" + ], + "swedensouth": [ + "51.12.72.223", + "51.12.22.174" + ], + "centralus": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "eastus2": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "eastus": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "northcentralus": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "southcentralus": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "westus2": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "westus3": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "westcentralus": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "westus": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "eastus2euap": [ + "20.45.242.18", + "20.51.21.252" + ], + "centraluseuap": [ + "20.45.242.18", + "20.51.21.252" + ] + }, + "serialConsoleIps": "[if(contains(variables('serialConsoleGeographies'),variables('location')),variables('serialConsoleGeographies')[variables('location')],createArray())]", + "storageAccountIps": "[concat(variables('SerialConsoleIps'),parameters('storageAccountAdditionalIps'))]", + "isBlink": true, + "subnet1Name": "[parameters('subnet1Name')]", + "storageAccountName": "[concat('bootdiag', uniqueString(variables('resourceGroup').id, deployment().name))]", + "storageAccountType": "Standard_LRS", + "diskSize100GB": 100, + "additionalDiskSizeGB": "[if(contains('R8110 R8120', variables('osVersion')), 0, parameters('additionalDiskSizeGB'))]", + "diskSizeGB": 
"[add(variables('additionalDiskSizeGB'), variables('diskSize100GB'))]", + "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'customMetrics=\"', variables('customMetrics'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n', 'MaintenanceModePassword=\"', parameters('MaintenanceModePasswordHash'), '\"', '\n', 'passwordHash=\"', parameters('SerialConsolePasswordHash'), '\"', '\n')]", + "imageOffer": "[concat('check-point-cg-', toLower(variables('osVersion')))]", + "imagePublisher": "checkpoint", + "imageReferenceBYOL": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-byol", + "version": "latest" + }, + "imageReferenceNGTP": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp", + "version": "latest" + }, + "imageReferenceNGTP-V2": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp-v2", + "version": "latest" + }, + "imageReferenceNGTX": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtx", + "version": "latest" + }, + "imageReferenceNGTX-V2": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtx-v2", + "version": "latest" + }, + "imageReferenceMarketplace": "[if(equals(variables('offer'), 'BYOL'), variables('imageReferenceBYOL'), 
if(equals(variables('offer'), 'NGTP'), variables('imageReferenceNGTP'), if(equals(variables('offer'), 'NGTP-V2'), variables('imageReferenceNGTP-V2'), if(equals(variables('offer'), 'NGTX'), variables('imageReferenceNGTX'), if(equals(variables('offer'), 'NGTX-V2'), variables('imageReferenceNGTX-V2'), json('null'))))))]", + "customImage": "customImage", + "imageReferenceCustomUri": { + "id": "[resourceId('Microsoft.Compute/images', variables('customImage'))]" + }, + "imageReference": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('imageReferenceMarketplace'), variables('imageReferenceCustomUri'))]", + "linuxConfigurationpassword": { + "disablePasswordAuthentication": "false" + }, + "linuxConfigurationsshPublicKey": { + "disablePasswordAuthentication": "true", + "ssh": { + "publicKeys": [ + { + "keyData": "[parameters('sshPublicKey')]", + "path": "/home/notused/.ssh/authorized_keys" + } + ] + } + }, + "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), variables('linuxConfigurationpassword'), variables('linuxConfigurationsshPublicKey'))]", + "planBYOL": { + "name": "sg-byol", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP": { + "name": "sg-ngtp", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP-V2": { + "name": "sg-ngtp-v2", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTX": { + "name": "sg-ngtx", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTX-V2": { + "name": "sg-ngtx-v2", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "plan": "[if(equals(variables('offer'), 'BYOL') , variables('planBYOL'), if(equals(variables('offer'), 'NGTP'), variables('planNGTP'), if(equals(variables('offer'), 'NGTP-V2'), variables('planNGTP-V2'), 
if(equals(variables('offer'), 'NGTX'), variables('planNGTX'), if(equals(variables('offer'), 'NGTX-V2'), variables('planNGTX-V2'), json('null'))))))]", + "vmssID": "[resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('vmName'))]", + "bootstrapScript64": "[base64(parameters('bootstrapScript'))]", + "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]", + "sicKey": "[parameters('sicKey')]", + "installationType": "gwlb", + "publicIPProperties": { + "name": "instancePublicIP", + "properties": { + "idleTimeoutInMinutes": 15 + } + }, + "upgrading": "[equals(parameters('upgrading'), 'yes')]", + "_artifactsLocation": "[if(contains(parameters('_artifactsLocation'),'raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/marketplace'),'https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/',parameters('_artifactsLocation'))]", + "networkSetupURL": "[uri(variables('_artifactsLocation'), concat('nestedtemplates/vnet-1-subnet-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]", + "loadBalacerSetupURL": "[uri(variables('_artifactsLocation'), concat('nestedtemplates/gateway-load-balancers.json', parameters('_artifactsLocationSasToken')))]", + "lbsTargetRGName": "[parameters('lbsTargetRGName')]", + "lbRGName": "[if(variables('upgrading'), variables('lbsTargetRGName'), resourceGroup().name)]", + "loadBalancerSetupId": "[resourceId(variables('lbRGName'), 'Microsoft.Resources/deployments', 'loadBalancerSetup')]", + "vnetRGName": "[if(equals(parameters('vnetNewOrExisting'), 'new'), resourceGroup().name, parameters('virtualNetworkExistingRGName'))]", + "vnetName": "[if(equals(parameters('vnetNewOrExisting'), 'new'), parameters('virtualNetworkName'), parameters('virtualNetworkName'))]", + "vnetID": "[if(equals(parameters('vnetNewOrExisting'), 'new'), resourceId(variables('vnetRGName'),'Microsoft.Resources/deployments', 'networkNewSetup'), 
resourceId(variables('vnetRGName'),'Microsoft.Resources/deployments', 'networkExistingSetup'))]",
+ "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]",
+ "customImageId": "[variables('imageReferenceCustomUri').id]",
+ "availabilityZonesLocations": [
+ "brazilsouth",
+ "canadacentral",
+ "centralus",
+ "eastus",
+ "eastus2",
+ "southcentralus",
+ "usgovvirginia",
+ "westus2",
+ "westus3",
+ "francecentral",
+ "germanywestcentral",
+ "northeurope",
+ "norwayeast",
+ "uksouth",
+ "westeurope",
+ "swedencentral",
+ "switzerlandnorth",
+ "qatarcentral",
+ "uaenorth",
+ "southafricanorth",
+ "australiaeast",
+ "centralindia",
+ "japaneast",
+ "koreacentral",
+ "southeastasia",
+ "eastasia",
+ "italynorth"
+ ],
+ "availabilityZonesProperty": "[range(1, parameters('availabilityZonesNum'))]",
+ "mgmtInterface": "[if(equals(parameters('instanceLevelPublicIP'), 'yes'), parameters('mgmtInterfaceOpt1'), 'eth0-private')]",
+ "mgmtIpAddressType": "[split(variables('mgmtInterface'), '-')[1]]",
+ "mgmtIPaddress": "[parameters('mgmtIPaddress')]",
+ "commomTags": {
+ "x-chkp-management": "[parameters('managementServer')]",
+ "x-chkp-template": "[parameters('configurationTemplate')]",
+ "x-chkp-ip-address": "[variables('mgmtIpAddressType')]",
+ "x-chkp-management-interface": "eth0",
+ "x-chkp-topology": "eth0:external",
+ "x-chkp-anti-spoofing": "eth0:false",
+ "x-chkp-srcImageUri": "[parameters('sourceImageVhdUri')]"
+ },
+ "uniqueTags": {
+ "x-chkp-management-address": "[variables('mgmtIPaddress')]"
+ },
+ "vmssTags": "[if(equals(variables('mgmtIPaddress'), ''), variables('commomTags'), union(variables('commomTags'), variables('uniqueTags')))]",
+ "customMetrics": "[parameters('customMetrics')]",
+ "monitoringMetricsPublisher": "[concat('/subscriptions/', parameters('subscriptionId'), '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]",
+ "identity": "[json('{\"type\": 
\"SystemAssigned\"}')]",
+ "NewNsgReference": {
+ "id": "[resourceId(variables('vnetRGName'),'Microsoft.Network/networkSecurityGroups', parameters('NewNsgName'))]"
+ }
+ },
+ "resources": [
+ {
+ "apiVersion": "2020-06-01",
+ "name": "pid-5432b4df-d783-57a2-b65f-39f4bca4974a",
+ "type": "Microsoft.Resources/deployments",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": []
+ }
+ }
+ },
+ {
+ "condition": "[equals(variables('customMetrics'), 'yes')]",
+ "apiVersion": "2020-04-01-preview",
+ "type": "Microsoft.Authorization/roleAssignments",
+ "name": "[parameters('rbacGuid')]",
+ "properties": {
+ "roleDefinitionId": "[variables('monitoringMetricsPublisher')]",
+ "principalId": "[reference(variables('vmssID'), '2019-12-01', 'Full').identity.principalId]",
+ "scope": "[resourceGroup().id]"
+ },
+ "dependsOn": [
+ "[variables('vmssID')]"
+ ],
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Authorization/roleAssignments'), parameters('tagsByResource')['Microsoft.Authorization/roleAssignments'], json('{}')) ]"
+ },
+ {
+ "condition": "[equals(parameters('vnetNewOrExisting'), 'new')]",
+ "name": "networkNewSetup",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "resourceGroup": "[variables('vnetRGName')]",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "[variables('networkSetupURL')]",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "location": {
+ "value": "[variables('location')]"
+ },
+ "virtualNetworkName": {
+ "value": "[parameters('virtualNetworkName')]"
+ },
+ "virtualNetworkAddressPrefix": {
+ "value": "[parameters('virtualNetworkAddressPrefix')]"
+ },
+ "subnet1Name": {
+ "value": "[parameters('subnet1Name')]"
+ },
+ "subnet1Prefix": {
+ "value": "[parameters('subnet1Prefix')]"
+ },
+ "vmName": {
+ "value": "[parameters('vmName')]"
+ },
+ "deployNsg": {
+ "value": "[parameters('deployNewNSG')]"
+ },
+ "NewNsgName": {
+ "value": "[parameters('NewNsgName')]"
+ },
+ "deployRouteTable": {
+ "value": true
+ },
+ "deployGWLB": {
+ "value": true
+ },
+ "tagsByResource": {
+ "value": "[parameters('tagsByResource')]"
+ }
+ }
+ }
+ },
+ {
+ "condition": "[equals(parameters('vnetNewOrExisting'), 'existing')]",
+ "name": "networkExistingSetup",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "resourceGroup": "[variables('vnetRGName')]",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "[variables('networkSetupURL')]",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "location": {
+ "value": "[variables('location')]"
+ },
+ "virtualNetworkName": {
+ "value": "[parameters('virtualNetworkName')]"
+ },
+ "virtualNetworkExistingRGName": {
+ "value": "[variables('vnetRGName')]"
+ },
+ "vmName": {
+ "value": "[parameters('vmName')]"
+ },
+ "deployNsg": {
+ "value": "[parameters('deployNewNSG')]"
+ },
+ "NewNsgName": {
+ "value": "[parameters('NewNsgName')]"
+ },
+ "tagsByResource": {
+ "value": "[parameters('tagsByResource')]"
+ }
+ }
+ }
+ },
+ {
+ "name": "loadBalancerSetup",
+ "type": "Microsoft.Resources/deployments",
+ "resourceGroup": "[variables('lbRGName')]",
+ "apiVersion": "2020-06-01",
+ "dependsOn": [
+ "[variables('vnetID')]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "[variables('loadBalacerSetupURL')]",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "location": {
+ "value": "[variables('location')]"
+ },
+ "vmName": {
+ "value": "[parameters('vmName')]"
+ },
+ "appLoadDistribution": {
+ "value": "[parameters('appLoadDistribution')]"
+ },
+ "subnet1StartAddress": {
+ "value": "[parameters('subnet1StartAddress')]"
+ },
+ "subnet1Id": {
+ "value": "[resourceId(variables('vnetRGName'), 'Microsoft.Network/virtualNetworks/subnets', variables('vnetName'), variables('subnet1Name'))]"
+ },
+ "lbResourceId": {
+ 
"value": "[parameters('lbResourceId')]"
+ },
+ "lbTargetBEAddressPoolName": {
+ "value": "[parameters('lbTargetBEAddressPoolName')]"
+ },
+ "upgrading": {
+ "value": "[variables('upgrading')]"
+ },
+ "vxlanTunnelExternalPort": {
+ "value": "[parameters('vxlanTunnelExternalPort')]"
+ },
+ "vxlanTunnelExternalIdentifier": {
+ "value": "[parameters('vxlanTunnelExternalIdentifier')]"
+ },
+ "vxlanTunnelInternalPort": {
+ "value": "[parameters('vxlanTunnelInternalPort')]"
+ },
+ "vxlanTunnelInternalIdentifier": {
+ "value": "[parameters('vxlanTunnelInternalIdentifier')]"
+ },
+ "tagsByResource": {
+ "value": "[parameters('tagsByResource')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "name": "[variables('storageAccountName')]",
+ "apiVersion": "2021-06-01",
+ "properties": {
+ "supportsHttpsTrafficOnly": true,
+ "allowBlobPublicAccess": false,
+ "minimumTlsVersion": "TLS1_2",
+ "networkAcls": {
+ "bypass": "None",
+ "defaultAction": "[if(parameters('addStorageAccountIpRules'), 'Deny', 'Allow')]",
+ "ipRules": "[if(parameters('addStorageAccountIpRules'), map(variables('storageAccountIps'), lambda('ip',createObject('action','Allow','value',lambdaVariables('ip')))), createArray())]"
+ }
+ },
+ "location": "[variables('location')]",
+ "sku": {
+ "name": "[variables('storageAccountType')]"
+ },
+ "kind": "Storage",
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Storage/storageAccounts'), parameters('tagsByResource')['Microsoft.Storage/storageAccounts'], json('{}')) ]"
+ },
+ {
+ "condition": "[not(equals(parameters('sourceImageVhdUri'), 'noCustomUri'))]",
+ "type": "Microsoft.Compute/images",
+ "apiVersion": "2020-06-01",
+ "name": "[variables('customImage')]",
+ "location": "[variables('resourceGroup').location]",
+ "properties": {
+ "storageProfile": {
+ "osDisk": {
+ "osType": "Linux",
+ "osState": "Generalized",
+ "blobUri": "[parameters('sourceImageVhdUri')]",
+ "storageAccountType": "Standard_LRS"
+ }
+ },
+ 
"hyperVGeneration": "V1"
+ },
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Compute/images'), parameters('tagsByResource')['Microsoft.Compute/images'], json('{}')) ]"
+ },
+ {
+ "type": "Microsoft.Compute/virtualMachineScaleSets",
+ "apiVersion": "2021-07-01",
+ "name": "[parameters('vmName')]",
+ "location": "[variables('location')]",
+ "identity": "[if(equals(variables('customMetrics'), 'yes'), variables('identity'), json('null'))]",
+ "zones": "[if(and(contains(variables('availabilityZonesLocations'), variables('location')), greater(parameters('availabilityZonesNum'), 0)), variables('availabilityZonesProperty'), json('null'))]",
+ "tags": "[union(variables('vmssTags'),if(contains(parameters('tagsByResource'), 'Microsoft.Compute/virtualMachineScaleSets'), parameters('tagsByResource')['Microsoft.Compute/virtualMachineScaleSets'], json('{}')))]",
+ "dependsOn": [
+ "[variables('vnetID')]",
+ "[variables('loadBalancerSetupId')]",
+ "[variables('storageAccountId')]",
+ "[variables('customImageId')]"
+ ],
+ "sku": {
+ "name": "[parameters('vmSize')]",
+ "tier": "Standard",
+ "capacity": "[parameters('instanceCount')]"
+ },
+ "plan": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('plan'), json('null'))]",
+ "properties": {
+ "upgradePolicy": {
+ "mode": "Manual"
+ },
+ "virtualMachineProfile": {
+ "UserData": "[base64(concat(variables('customData'), '\n', 'vnet=\"', if(equals(parameters('vnetNewOrExisting'), 'new'), reference('networkNewSetup').outputs.vnetAddressPrefix.value, reference('networkExistingSetup').outputs.vnetAddressPrefix.value), '\"', '\n' ))]",
+ "storageProfile": {
+ "osDisk": {
+ "diskSizeGB": "[variables('diskSizeGB')]",
+ "caching": "ReadWrite",
+ "createOption": "FromImage",
+ "managedDisk": {
+ "storageAccountType": "[parameters('diskType')]"
+ }
+ },
+ "imageReference": "[variables('imageReference')]"
+ },
+ "osProfile": {
+ "adminPassword": "[parameters('adminPassword')]",
+ "adminUsername": 
"[concat('not','used')]",
+ "computerNamePrefix": "[toLower(parameters('vmName'))]",
+ "customData": "[base64(concat(variables('customData'), '\n', 'vnet=\"', if(equals(parameters('vnetNewOrExisting'), 'new'), reference('networkNewSetup').outputs.vnetAddressPrefix.value, reference('networkExistingSetup').outputs.vnetAddressPrefix.value), '\"', '\n' ))]",
+ "linuxConfiguration": "[variables('linuxConfiguration')]"
+ },
+ "networkProfile": {
+ "networkInterfaceConfigurations": [
+ {
+ "name": "eth0",
+ "properties": {
+ "primary": true,
+ "enableIPForwarding": true,
+ "enableAcceleratedNetworking": true,
+ "networkSecurityGroup": "[if(parameters('deployNewNSG') , variables('NewNsgReference') , parameters('ExistingNSG'))]",
+ "ipConfigurations": [
+ {
+ "name": "ipconfig1",
+ "properties": {
+ "publicIpAddressConfiguration": "[if(equals(parameters('instanceLevelPublicIP'),'yes'), variables('publicIPProperties'), json('null'))]",
+ "subnet": {
+ "id": "[resourceId(variables('vnetRGName'), 'Microsoft.Network/virtualNetworks/subnets', variables('vnetName'), parameters('Subnet1Name'))]"
+ },
+ "loadBalancerBackendAddressPools": "[if(empty(reference('loadBalancerSetup').outputs.lbId.value), json('null'), reference('loadBalancerSetup').outputs.lbBEAddressPoolProperties.value)]"
+ }
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "diagnosticsProfile": {
+ "bootDiagnostics": {
+ "enabled": "true",
+ "storageUri": "[reference(variables('storageAccountId'), '2019-06-01').primaryEndpoints.blob]"
+ }
+ }
+ },
+ "overprovision": false
+ }
+ },
+ {
+ "type": "Microsoft.Insights/autoscaleSettings",
+ "apiVersion": "2015-04-01",
+ "name": "[parameters('vmName')]",
+ "location": "[variables('location')]",
+ "dependsOn": [
+ "[variables('vmssID')]"
+ ],
+ "properties": {
+ "name": "[parameters('vmName')]",
+ "targetResourceUri": "[variables('vmssID')]",
+ "notifications": [
+ {
+ "operation": "Scale",
+ "email": {
+ "sendToSubscriptionAdministrator": false,
+ "sendToSubscriptionCoAdministrators": false,
+ 
"customEmails": "[if(empty(parameters('adminEmail')), json('null'), array(parameters('adminEmail')))]"
+ }
+ }
+ ],
+ "enabled": true,
+ "profiles": [
+ {
+ "name": "Profile1",
+ "capacity": {
+ "minimum": "[parameters('instanceCount')]",
+ "maximum": "[parameters('maxInstanceCount')]",
+ "default": "[parameters('instanceCount')]"
+ },
+ "rules": [
+ {
+ "metricTrigger": {
+ "metricName": "Percentage CPU",
+ "metricResourceUri": "[variables('vmssID')]",
+ "timeGrain": "PT1M",
+ "statistic": "Average",
+ "timeWindow": "PT5M",
+ "timeAggregation": "Average",
+ "operator": "GreaterThan",
+ "threshold": 80
+ },
+ "scaleAction": {
+ "direction": "Increase",
+ "type": "ChangeCount",
+ "value": "1",
+ "cooldown": "PT5M"
+ }
+ },
+ {
+ "metricTrigger": {
+ "metricName": "Percentage CPU",
+ "metricResourceUri": "[variables('vmssID')]",
+ "timeGrain": "PT1M",
+ "statistic": "Average",
+ "timeWindow": "PT5M",
+ "timeAggregation": "Average",
+ "operator": "LessThan",
+ "threshold": 60
+ },
+ "scaleAction": {
+ "direction": "Decrease",
+ "type": "ChangeCount",
+ "value": "1",
+ "cooldown": "PT5M"
+ }
+ }
+ ]
+ }
+ ]
+ },
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Insights/autoscaleSettings'), parameters('tagsByResource')['Microsoft.Insights/autoscaleSettings'], json('{}')) ]"
+ }
+ ],
+ "outputs": {
+ "GatewayLoadBalancerId": {
+ "type": "string",
+ "value": "[reference('loadBalancerSetup').outputs.lbId.value]"
+ }
+ }
+}
\ No newline at end of file
diff --git a/azure/templates/marketplace-ha/README.md b/azure/templates/marketplace-ha/README.md
new file mode 100644
index 00000000..e58bd802
--- /dev/null
+++ b/azure/templates/marketplace-ha/README.md
@@ -0,0 +1,21 @@
+# Check Point CloudGuard Network Security High Availability for Azure
+
+Check Point CloudGuard Network Security delivers advanced, multi-layered threat prevention to protect customer assets in Azure from malware and sophisticated threats. As a Microsoft Azure certified solution, CloudGuard Network Security enables you to easily and seamlessly secure your workloads while providing secure connectivity across your cloud and on-premises environments.
+
+Benefits:
+
+· Advanced threat prevention and traffic inspection
+
+· Integrated with Azure Security Center and Azure Sentinel
+
+· Provides consistent security policy management, enforcement, and reporting with a single pane of glass, using Check Point Unified Security Management
+
+
+
+ Deploy to Azure
+
+
+
+To deploy with full control over all the template options use: [Full Control Deployment](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2Fazure%2Ftemplates%2Fmarketplace-ha%2FmainTemplate.json)
+
+
diff --git a/azure/templates/marketplace-ha/createUiDefinition.json b/azure/templates/marketplace-ha/createUiDefinition.json
new file mode 100644
index 00000000..a547363d
--- /dev/null
+++ b/azure/templates/marketplace-ha/createUiDefinition.json
@@ -0,0 +1,1650 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Compute.MultiVm", + "version": "0.1.2-preview", + "parameters": { + "basics": [ + { + "name": "basics settings text block", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "Please follow the Check Point CloudGuard IaaS High Availability Administration Guide.", + "link": { + "label": "Administration Guide", + "uri": "https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_Azure_HA_Cluster/Default.htm" + } + } + }, + { + "name": "clusterObjectNameUi", + "type": "Microsoft.Common.TextBox", + "label": "Cluster Object Name", + "toolTip": "The name of the cluster object.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{1,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + } + }, + { + "name": "auth", + "type": "Microsoft.Compute.CredentialsCombo", + "label": { + "authenticationType": "Authentication type", + "password": "Password", + "confirmPassword": "Confirm password", + "sshPublicKey": "SSH public key" + }, + "toolTip": { + "password": "The user 'admin' password", + "sshPublicKey": "Paste an OpenSSH public key. 
You can generate a key pair using ssh-keygen (Linux, OS X, Cygwin) or PuttyGen (Windows)" + }, + "constraints": { + "required": true + }, + "options": { + "hideConfirmation": false, + "hidePassword": false + }, + "osPlatform": "Linux" + } + ], + "steps": [ + { + "name": "chkp", + "label": "Check Point Cluster Object settings", + "subLabel": { + "preValidation": "Configure Cluster Object settings", + "postValidation": "Done" + }, + "bladeTitle": "Cluster Object settings", + "elements": [ + { + "name": "cloudGuardVersion", + "type": "Microsoft.Common.DropDown", + "label": "Check Point CloudGuard version", + "defaultValue": "R81.20", + "toolTip": "The version of Check Point CloudGuard.", + "constraints": { + "allowedValues": [ + { + "label": "R81.10", + "value": "R81.10" + }, + { + "label": "R81.20", + "value": "R81.20" + } + ] + } + }, + { + "name": "R80Offer", + "type": "Microsoft.Common.DropDown", + "label": "License type", + "toolTip": "The type of license.", + "defaultValue": "Bring Your Own License", + "visible": true, + "constraints": { + "allowedValues": [ + { + "label": "Bring Your Own License", + "value": "Bring Your Own License" + }, + { + "label": "Pay As You Go (NGTP)", + "value": "Pay As You Go (NGTP)" + }, + { + "label": "Pay As You Go (NGTX)", + "value": "Pay As You Go (NGTX)" + } + ] + } + }, + { + "name": "R8110vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81.10'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + 
"Standard_D2_v5", + "Standard_D4_v5", + "Standard_D8_v5", + "Standard_D16_v5", + "Standard_D32_v5", + "Standard_D2s_v5", + "Standard_D4s_v5", + "Standard_D8s_v5", + "Standard_D16s_v5", + "Standard_D2d_v5", + "Standard_D4d_v5", + "Standard_D8d_v5", + "Standard_D16d_v5", + "Standard_D32d_v5", + "Standard_D2ds_v5", + "Standard_D4ds_v5", + "Standard_D8ds_v5", + "Standard_D16ds_v5", + "Standard_D32ds_v5", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8110", + "sku": "sg-byol" + }, + "count": 2 + }, + { + "name": "R8110vmSizeUiNGTP", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81.10'), contains(steps('chkp').R80Offer, '(NGTP)'))]", + 
"label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + "Standard_D2_v5", + "Standard_D4_v5", + "Standard_D8_v5", + "Standard_D16_v5", + "Standard_D32_v5", + "Standard_D2s_v5", + "Standard_D4s_v5", + "Standard_D8s_v5", + "Standard_D16s_v5", + "Standard_D2d_v5", + "Standard_D4d_v5", + "Standard_D8d_v5", + "Standard_D16d_v5", + "Standard_D32d_v5", + "Standard_D2ds_v5", + "Standard_D4ds_v5", + "Standard_D8ds_v5", + "Standard_D16ds_v5", + "Standard_D32ds_v5", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + 
"Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8110", + "sku": "sg-ngtp" + }, + "count": 2 + }, + { + "name": "R8110vmSizeUiNGTX", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81.10'), contains(steps('chkp').R80Offer, '(NGTX)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + "Standard_D2_v5", + "Standard_D4_v5", + "Standard_D8_v5", + "Standard_D16_v5", + "Standard_D32_v5", + "Standard_D2s_v5", + "Standard_D4s_v5", + "Standard_D8s_v5", + "Standard_D16s_v5", + "Standard_D2d_v5", + "Standard_D4d_v5", + "Standard_D8d_v5", + "Standard_D16d_v5", + "Standard_D32d_v5", + "Standard_D2ds_v5", + "Standard_D4ds_v5", + "Standard_D8ds_v5", + "Standard_D16ds_v5", + "Standard_D32ds_v5", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + 
"Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8110", + "sku": "sg-ngtx" + }, + "count": 2 + }, + { + "name": "R8120vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81.20'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D4ds_v5", + "Standard_D4d_v5" + ], + "constraints": { + "allowedSizes": [ + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + "Standard_D2_v5", + "Standard_D4_v5", + "Standard_D8_v5", + "Standard_D16_v5", + "Standard_D32_v5", + "Standard_D2s_v5", + "Standard_D4s_v5", + "Standard_D8s_v5", + "Standard_D16s_v5", + "Standard_D2d_v5", + "Standard_D4d_v5", + "Standard_D8d_v5", + "Standard_D16d_v5", + "Standard_D32d_v5", + "Standard_D2ds_v5", + "Standard_D4ds_v5", + "Standard_D8ds_v5", + "Standard_D16ds_v5", + "Standard_D32ds_v5", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", 
+ "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8120", + "sku": "sg-byol" + }, + "count": 2 + }, + { + "name": "R8120vmSizeUiNGTP", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81.20'), contains(steps('chkp').R80Offer, '(NGTP)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D4ds_v5", + "Standard_D4d_v5" + ], + "constraints": { + "allowedSizes": [ + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + "Standard_D2_v5", + "Standard_D4_v5", + "Standard_D8_v5", + "Standard_D16_v5", + "Standard_D32_v5", + "Standard_D2s_v5", + "Standard_D4s_v5", + 
"Standard_D8s_v5", + "Standard_D16s_v5", + "Standard_D2d_v5", + "Standard_D4d_v5", + "Standard_D8d_v5", + "Standard_D16d_v5", + "Standard_D32d_v5", + "Standard_D2ds_v5", + "Standard_D4ds_v5", + "Standard_D8ds_v5", + "Standard_D16ds_v5", + "Standard_D32ds_v5", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8120", + "sku": "sg-ngtp" + }, + "count": 2 + }, + { + "name": "R8120vmSizeUiNGTX", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81.20'), contains(steps('chkp').R80Offer, '(NGTX)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D4ds_v5", + 
"Standard_D4d_v5" + ], + "constraints": { + "allowedSizes": [ + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + "Standard_D2_v5", + "Standard_D4_v5", + "Standard_D8_v5", + "Standard_D16_v5", + "Standard_D32_v5", + "Standard_D2s_v5", + "Standard_D4s_v5", + "Standard_D8s_v5", + "Standard_D16s_v5", + "Standard_D2d_v5", + "Standard_D4d_v5", + "Standard_D8d_v5", + "Standard_D16d_v5", + "Standard_D32d_v5", + "Standard_D2ds_v5", + "Standard_D4ds_v5", + "Standard_D8ds_v5", + "Standard_D16ds_v5", + "Standard_D32ds_v5", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + 
"imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8120", + "sku": "sg-ngtx" + }, + "count": 2 + }, + { + "name": "adminShell", + "type": "Microsoft.Common.DropDown", + "label": "Default shell for the admin user", + "defaultValue": "/etc/cli.sh", + "toolTip": "The default shell for the admin user", + "constraints": { + "allowedValues": [ + { + "label": "/etc/cli.sh", + "value": "/etc/cli.sh" + }, + { + "label": "/bin/bash", + "value": "/bin/bash" + }, + { + "label": "/bin/csh", + "value": "/bin/csh" + }, + { + "label": "/bin/tcsh", + "value": "/bin/tcsh" + } + ] + } + }, + { + "name": "sicKeyUi", + "type": "Microsoft.Common.PasswordBox", + "label": { + "password": "SIC key", + "confirmPassword": "Confirm SIC key" + }, + "toolTip": "Set the Secure Internal Communication one time secret used to set up trust between the cluster object and the management server.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{12,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the value must be 12-30 characters long." + }, + "options": { + "hideConfirmation": false + }, + "visible": "true" + }, + { + "name": "SerialPasswordInfoBox", + "type": "Microsoft.Common.InfoBox", + "visible": "[bool(basics('auth').sshPublicKey)]", + "options": { + "icon": "Info", + "text": "Check Point recommends setting serial console password and maintenance-mode password for recovery purposes. 
For R81.10 and below the serial console password is used also as maintenance-mode password" + } + }, + { + "visible": "[bool(basics('auth').sshPublicKey)]", + "name": "EnableSerialConsolePassword", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Serial console password", + "defaultValue": "Yes", + "toolTip": "A unique password hash to enable VM connection via serial console.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": true + }, + { + "label": "No", + "value": false + } + ] + } + }, + { + "name": "AdditionalPassword", + "type": "Microsoft.Common.PasswordBox", + "toolTip": "Serial console password hash, used to enable password authentication (using serial console). To generate password hash use the command 'openssl passwd -6 PASSWORD'", + "visible": "[and(bool(basics('auth').sshPublicKey), steps('chkp').EnableSerialConsolePassword)]", + "label": { + "password": "Password hash", + "confirmPassword": "Confirm password" + }, + "constraints": { + "required": true, + "regex": "^.{12,300}$", + "validationMessage": "The value must be the output of the hash command." + }, + "options": { + "hideConfirmation": false + } + }, + { + "name": "MaintenanceModeInfoBox", + "type": "Microsoft.Common.InfoBox", + "visible": "[and(bool(basics('auth').password), not(contains('R81.10', steps('chkp').cloudGuardVersion)))]", + "options": { + "icon": "Info", + "text": "Check Point recommends setting a maintenance-mode password for recovery purposes." 
+ } + }, + { + "visible": "[not(contains('R81.10', steps('chkp').cloudGuardVersion))]", + "name": "EnableMaintenanceMode", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Maintenance Mode", + "defaultValue": "Yes", + "toolTip": "A unique password hash to enable VM maintenance mode.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": true + }, + { + "label": "No", + "value": false + } + ] + } + }, + { + "visible": "[and(not(contains('R81.10', steps('chkp').cloudGuardVersion)), steps('chkp').EnableMaintenanceMode)]", + "name": "MaintenanceModePassword", + "type": "Microsoft.Common.PasswordBox", + "defaultValue": "", + "toolTip": "To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here.", + "label": { + "password": "Maintenance Mode password hash", + "confirmPassword": "Confirm Password" + }, + "constraints": { + "required": true, + "validationMessage": "The value must be the output of the hash command." + }, + "options": { + "hideConfirmation": false + } + }, + { + "name": "managedSystemAssigned", + "type": "Microsoft.Common.OptionsGroup", + "visible": true, + "label": "Create a System Assigned Identity", + "toolTip": "Automatically create a Service Principal for this deployment.", + "defaultValue": "Yes", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "yes" + }, + { + "label": "No", + "value": "no" + } + ] + } + }, + { + "name": "availabilityOptions", + "type": "Microsoft.Common.DropDown", + "label": "Availability options", + "defaultValue": "Availability Set", + "toolTip": "Use replicated Cluster VMs in Availability Set or Availability Zones. 
Note that the load balancers and their IP addresses will be zone redundant in any case.", + "visible": "[contains(' australiaeast brazilsouth canadacentral centralus eastasia eastus eastus2 francecentral germanywestcentral japaneast koreacentral northeurope norwayeast southafricanorth southcentralus southeastasia swedencentral uksouth usgovvirginia westeurope westus2 westus3 switzerlandnorth qatarcentral centralindia uaenorth italynorth ', concat(' ', location(), ' '))]", + "constraints": { + "allowedValues": [ + { + "label": "Availability Set", + "value": "Availability Set" + }, + { + "label": "Availability Zones", + "value": "Availability Zones" + } + ] + } + }, + { + "name": "bootstrapScript", + "type": "Microsoft.Common.FileUpload", + "label": "Bootstrap script", + "toolTip": "An optional script to run on the initial boot", + "constraints": { + "required": false, + "accept": ".sh,text/plain" + }, + "options": { + "multiple": false, + "uploadMode": "file", + "openMode": "text", + "encoding": "UTF-8" + } + }, + { + "name": "allowUploadDownload", + "type": "Microsoft.Common.OptionsGroup", + "label": "Automatically download updates and share statistical data for product improvement purpose", + "defaultValue": "Yes", + "toolTip": "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "true" + }, + { + "label": "No", + "value": "false" + } + ] + } + }, + { + "name": "VMDiskType", + "type": "Microsoft.Common.OptionsGroup", + "label": "VM disk type", + "toolTip": "Type of CloudGuard disk.", + "visible": "[not(contains('R81.10' , steps('chkp').cloudGuardVersion))]", + "defaultValue": "Premium", + "constraints": { + "allowedValues": [ + { + "label": "Standard", + "value": "Standard_LRS" + }, + { + "label": "Premium", + "value": "Premium_LRS" + } + ] + } + }, + { + "name": "VMDiskTypeOldVersions", + "type": "Microsoft.Common.OptionsGroup", + "label": "VM disk type", + "toolTip": "Type of CloudGuard disk.", + "visible": "[contains('R81.10' , steps('chkp').cloudGuardVersion)]", + "defaultValue": "Standard", + "constraints": { + "allowedValues": [ + { + "label": "Standard", + "value": "Standard_LRS" + }, + { + "label": "Premium", + "value": "Premium_LRS" + } + ] + } + }, + { + "name": "basics settings text block", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "Please follow the Check Point referenced guide for adding disk space.", + "link": { + "label": "Additional disk space in CloudGuard", + "uri": "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk156552" + } + } + }, + { + "name": "additionalDiskSizeGB", + "type": "Microsoft.Common.TextBox", + "label": "Additional disk space (GB)", + "defaultValue": "0", + "toolTip": "Additional disk space (in GB), initial disk size is 100 GB.", + "constraints": { + "regex": "^([0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-2][0-9][0-9][0-9]|3[0-8][0-9][0-9]|399[0-5])$", + "validationMessage": "Select a number between 0 and 3995" + } + }, + { + "name": "useCustomImageUri", + "type": "Microsoft.Common.OptionsGroup", + "label": "Use development image uri", + "defaultValue": "No", + "toolTip": "Use custom 
image URI.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ], + "required": true + }, + "visible": false + }, + { + "name": "sourceImageVhdUri", + "type": "Microsoft.Common.TextBox", + "label": "Development Image URI", + "toolTip": "The URI of the blob containing the development image", + "constraints": { + "required": "[equals(steps('chkp').useCustomImageUri, 'Yes')]", + "regex": "^[a-z0-9A-Z_\\-\\.\\:\\/]{1,500}.vhd$", + "validationMessage": "Only alphanumeric characters and '_','-','.',':','/' are allowed, the value must be 1-500 characters long and must end with .vhd. " + }, + "visible": "[equals(steps('chkp').useCustomImageUri, 'Yes')]" + }, + { + "name": "customMetrics", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable CloudGuard metrics", + "defaultValue": "Yes", + "toolTip": "Enable CloudGuard metrics in order to send statuses and statistics collected from Cluster members to the Azure Monitor service.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "yes" + }, + { + "label": "No", + "value": "no" + } + ] + }, + "visible": true + }, + { + "name": "customMetricsInfoBox", + "type": "Microsoft.Common.InfoBox", + "visible": "[and(equals(steps('chkp').customMetrics, 'yes'), not(equals(steps('chkp').managedSystemAssigned, 'yes')))]", + "options": { + "icon": "Warning", + "text": "CloudGuard metrics can't be used when System Assigned Identity is disabled" + } + }, + { + "name": "floatingIP", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy the Load Balancers with floating IP", + "defaultValue": "No", + "toolTip": "Deploy the Load Balancers with floating IP.", + "constraints": { + "allowedValues": [ + { + "label": "No", + "value": "no" + }, + { + "label": "Yes", + "value": "yes" + } + ] + }, + "visible": true + }, + { + "name": "publicIPPrefix", + "type": "Microsoft.Common.OptionsGroup", + "label": "Use public IP prefix", + 
"defaultValue": "No", + "toolTip": "Use public IP prefix.", + "constraints": { + "allowedValues": [ + { + "label": "No", + "value": "no" + }, + { + "label": "Yes", + "value": "yes" + } + ] + }, + "visible": true + }, + { + "name": "createNewIPPrefix", + "type": "Microsoft.Common.OptionsGroup", + "label": "Create public IP prefix", + "defaultValue": "No", + "toolTip": "Create new public IP prefix to use.", + "constraints": { + "allowedValues": [ + { + "label": "No", + "value": "no" + }, + { + "label": "Yes", + "value": "yes" + } + ] + }, + "visible": "[equals(steps('chkp').publicIPPrefix, 'yes')]" + }, + { + "name": "ipPrefixExistingResourceId", + "type": "Microsoft.Common.TextBox", + "label": "Public IP prefix resource id", + "defaultValue": "", + "toolTip": "Use an exisiting public IP prefix resource id.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z -.:/n]{1,}$", + "validationMessage": "Only alphanumeric characters, hyphens, spaces, periods, and colons are allowed." + }, + "visible": "[equals(steps('chkp').createNewIPPrefix, 'no')]" + }, + { + "name": "allowSmart1CloudConnection", + "type": "Microsoft.Common.OptionsGroup", + "label": "Quick connect to Smart-1 Cloud", + "defaultValue": "Yes", + "toolTip": "Automatically connect this Cluster to Smart-1 Cloud - Check Point's Security Management as a Service", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "yes" + }, + { + "label": "No", + "value": "no" + } + ] + }, + "visible": true + }, + { + "name": "smart1CloudTokenTxt", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Follow these instructions to quickly connect this Cluster to Smart-1 Cloud", + "link": { + "label": "SK180501 - Connecting CloudGuard Network Security Public Cloud Gateways to Smart-1 Cloud", + "uri": "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501" + } + }, + "visible": "[equals(steps('chkp').allowSmart1CloudConnection, 
'yes')]" + }, + { + "name": "Smart1CloudTokenA", + "type": "Microsoft.Common.TextBox", + "label": "Smart-1 Cloud Token Member A", + "toolTip": "Paste here the token copied from the Connect Gateway (Member A) screen in Smart-1 Cloud portal", + "constraints": { + "required": true, + "regex": "[\\S\\s]{5,}", + "validationMessage": "Smart1Cloud Token Should contain at lease 5 characters" + }, + "visible": "[equals(steps('chkp').allowSmart1CloudConnection, 'yes')]" + }, + { + "name": "Smart1CloudTokenB", + "type": "Microsoft.Common.TextBox", + "label": "Smart-1 Cloud Token Member B", + "toolTip": "Paste here the token copied from the Connect Gateway (Member B) screen in Smart-1 Cloud portal", + "constraints": { + "required": true, + "regex": "[\\S\\s]{5,}", + "validationMessage": "Smart1Cloud Token Should contain at lease 5 characters" + }, + "visible": "[equals(steps('chkp').allowSmart1CloudConnection, 'yes')]" + } + ] + }, + { + "name": "network", + "label": "Network settings", + "subLabel": { + "preValidation": "Configure network settings", + "postValidation": "Done" + }, + "bladeTitle": "Network settings", + "elements": [ + { + "name": "virtualNetwork", + "type": "Microsoft.Network.VirtualNetworkCombo", + "label": { + "virtualNetwork": "Virtual network", + "subnets": "Subnets" + }, + "toolTip": { + "virtualNetwork": "Virtual Network Name", + "subnets": "List of subnets to deploy into" + }, + "defaultValue": { + "name": "vnet01", + "addressPrefixSize": "/16" + }, + "constraints": { + "minAddressPrefixSize": "/28" + }, + "options": { + "hideExisting": false + }, + "subnets": { + "subnet1": { + "label": "Frontend subnet", + "defaultValue": { + "name": "Frontend", + "addressPrefixSize": "/24" + }, + "constraints": { + "minAddressPrefixSize": "/29", + "minAddressCount": 2, + "requireContiguousAddresses": true + } + }, + "subnet2": { + "label": "Backend subnet", + "defaultValue": { + "name": "Backend", + "addressPrefixSize": "/24" + }, + "constraints": { + 
"minAddressPrefixSize": "/29", + "minAddressCount": 2, + "requireContiguousAddresses": true + } + } + } + }, + { + "name": "Vips_Number", + "type": "Microsoft.Common.DropDown", + "label": "Number of Virtual IPs (VIP)", + "defaultValue": "1", + "toolTip": "Choose number of Virtual IP addresses to deploy for the cluster's external NIC", + "constraints": { + "allowedValues": [ + { + "label": "1", + "value": "1" + }, + { + "label": "2", + "value": "2" + }, + { + "label": "3", + "value": "3" + }, + { + "label": "4", + "value": "4" + }, + { + "label": "5", + "value": "5" + }, + { + "label": "6", + "value": "6" + }, + { + "label": "7", + "value": "7" + }, + { + "label": "8", + "value": "8" + }, + { + "label": "9", + "value": "9" + }, + { + "label": "10", + "value": "10" + } + ], + "required": true + }, + "visible": true + }, + { + "name": "VIP_Names", + "type": "Microsoft.Common.Section", + "label": "VIPs Names", + "elements": [ + { + "name": "VIP2_Name", + "type": "Microsoft.Common.TextBox", + "label": "VIP 2 name", + "toolTip": "Choose name for VIP number 2", + "visible": "[greater(int(steps('network').Vips_Number), 1)]", + "constraints": { + "validations": [ + { + "regex": "^[a-z0-9A-Z]{1,30}$", + "message": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + } + ] + } + }, + { + "name": "VIP3_Name", + "type": "Microsoft.Common.TextBox", + "label": "VIP 3 name", + "toolTip": "Choose name for VIP number 3", + "visible": "[greater(int(steps('network').Vips_Number), 2)]", + "constraints": { + "validations": [ + { + "regex": "^[a-z0-9A-Z]{1,30}$", + "message": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." 
+ } + ] + } + }, + { + "name": "VIP4_Name", + "type": "Microsoft.Common.TextBox", + "label": "VIP 4 name", + "toolTip": "Choose name for VIP number 4", + "visible": "[greater(int(steps('network').Vips_Number), 3)]", + "constraints": { + "validations": [ + { + "regex": "^[a-z0-9A-Z]{1,30}$", + "message": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + } + ] + } + }, + { + "name": "VIP5_Name", + "type": "Microsoft.Common.TextBox", + "label": "VIP 5 name", + "toolTip": "Choose name for VIP number 5", + "visible": "[greater(int(steps('network').Vips_Number), 4)]", + "constraints": { + "validations": [ + { + "regex": "^[a-z0-9A-Z]{1,30}$", + "message": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + } + ] + } + }, + { + "name": "VIP6_Name", + "type": "Microsoft.Common.TextBox", + "label": "VIP 6 name", + "toolTip": "Choose name for VIP number 6", + "visible": "[greater(int(steps('network').Vips_Number), 5)]", + "constraints": { + "validations": [ + { + "regex": "^[a-z0-9A-Z]{1,30}$", + "message": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + } + ] + } + }, + { + "name": "VIP7_Name", + "type": "Microsoft.Common.TextBox", + "label": "VIP 7 name", + "toolTip": "Choose name for VIP number 7", + "visible": "[greater(int(steps('network').Vips_Number), 6)]", + "constraints": { + "validations": [ + { + "regex": "^[a-z0-9A-Z]{1,30}$", + "message": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + } + ] + } + }, + { + "name": "VIP8_Name", + "type": "Microsoft.Common.TextBox", + "label": "VIP 8 name", + "toolTip": "Choose name for VIP number 8", + "visible": "[greater(int(steps('network').Vips_Number), 7)]", + "constraints": { + "validations": [ + { + "regex": "^[a-z0-9A-Z]{1,30}$", + "message": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." 
+ } + ] + } + }, + { + "name": "VIP9_Name", + "type": "Microsoft.Common.TextBox", + "label": "VIP 9 name", + "toolTip": "Choose name for VIP number 9", + "visible": "[greater(int(steps('network').Vips_Number), 8)]", + "constraints": { + "validations": [ + { + "regex": "^[a-z0-9A-Z]{1,30}$", + "message": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + } + ] + } + }, + { + "name": "VIP10_Name", + "type": "Microsoft.Common.TextBox", + "label": "VIP 10 name", + "toolTip": "Choose name for VIP number 10", + "visible": "[greater(int(steps('network').Vips_Number), 9)]", + "constraints": { + "validations": [ + { + "regex": "^[a-z0-9A-Z]{1,30}$", + "message": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + } + ] + } + } + ], + "visible": "[greater(int(steps('network').Vips_Number), 1)]" + }, + { + "name": "NSG", + "type": "Microsoft.Common.OptionsGroup", + "label": "Network Security Group", + "toolTip": "Choose between using an existing NSG or using a new NSG", + "constraints": { + "allowedValues": [ + { + "label": "Create new", + "value": true + }, + { + "label": "Existing NSG", + "value": false + } + ], + "required": true + }, + "visible": true + }, + { + "name": "nsgSelector", + "type": "Microsoft.Solutions.ResourceSelector", + "label": "Network Security Group", + "defaultValue": "null", + "toolTip": "Choose an existing NSG", + "resourceType": "Microsoft.Network/NetworkSecurityGroups", + "options": { + "filter": { + "subscription": "onBasics", + "location": "onBasics" + } + }, + "constraints": { + "required": true + }, + "visible": "[equals(steps('network').NSG, false)]" + }, + { + "name": "NSGName", + "type": "Microsoft.Common.TextBox", + "label": "Name", + "defaultValue": "[concat(basics('clusterObjectNameUi') , '-nsg')]", + "toolTip": "Insert Name for the new NSG", + "multiLine": false, + "constraints": { + "required": "[steps('network').NSG]", + "regex": "^[a-z0-9A-Z-]{1,30}$", + 
"validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + }, + "visible": "[steps('network').NSG]" + }, + { + "name": "addStorageAccountIpRules", + "type": "Microsoft.Common.OptionsGroup", + "defaultValue": "Network access from all networks", + "label": "Storage Account Network Access", + "toolTip": "Select your preferred network access to the Storage Account, for more information - https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#serial-console-security", + "constraints": { + "allowedValues": [ + { + "label": "Network access from all networks", + "value": false + }, + { + "label": "Network access only from Serial Console", + "value": true + } + ], + "required": true + }, + "visible": true + } + ] + }, + { + "name": "tags", + "label": "Tags", + "elements": [ + { + "name": "tagsByResource", + "type": "Microsoft.Common.TagsByResource", + "toolTip": "Create Azure tags for the new resources", + "resources": [ + "Microsoft.Storage/storageAccounts", + "Microsoft.Compute/availabilitySets", + "Microsoft.Network/publicIPAddresses", + "Microsoft.Network/networkInterfaces", + "Microsoft.Compute/virtualMachines", + "Microsoft.Network/loadBalancers", + "Microsoft.Network/networkSecurityGroups", + "Microsoft.Network/routeTables", + "Microsoft.Network/virtualNetworks" + ] + } + ] + } + ], + "outputs": { + "location": "[location()]", + "cloudGuardVersion": "[concat(steps('chkp').cloudGuardVersion, ' - ', coalesce(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "adminPassword": "[basics('auth').password]", + "authenticationType": "[basics('auth').authenticationType]", + "sshPublicKey": "[basics('auth').sshPublicKey]", + "vmName": "[basics('clusterObjectNameUi')]", + "vmSize": "[coalesce(steps('chkp').R8110vmSizeUiBYOL, steps('chkp').R8110vmSizeUiNGTP, steps('chkp').R8110vmSizeUiNGTX, steps('chkp').R8120vmSizeUiBYOL, steps('chkp').R8120vmSizeUiNGTP, 
steps('chkp').R8120vmSizeUiNGTX)]", + "sicKey": "[steps('chkp').sicKeyUi]", + "virtualNetworkName": "[steps('network').virtualNetwork.name]", + "virtualNetworkAddressPrefixes": "[steps('network').virtualNetwork.addressPrefixes]", + "subnet1Name": "[steps('network').virtualNetwork.subnets.subnet1.name]", + "subnet1Prefix": "[steps('network').virtualNetwork.subnets.subnet1.addressPrefix]", + "subnet1StartAddress": "[steps('network').virtualNetwork.subnets.subnet1.startAddress]", + "subnet2Name": "[steps('network').virtualNetwork.subnets.subnet2.name]", + "subnet2Prefix": "[steps('network').virtualNetwork.subnets.subnet2.addressPrefix]", + "subnet2StartAddress": "[steps('network').virtualNetwork.subnets.subnet2.startAddress]", + "vnetNewOrExisting": "[steps('network').virtualNetwork.newOrExisting]", + "virtualNetworkExistingRGName": "[steps('network').virtualNetwork.resourceGroup]", + "bootstrapScript": "[steps('chkp').bootstrapScript]", + "allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp').allowUploadDownload, 'true')]", + "additionalDiskSizeGB": "[int(steps('chkp').additionalDiskSizeGB)]", + "diskType": "[if(contains('R81.10' , steps('chkp').cloudGuardVersion) , steps('chkp').VMDiskTypeOldVersions , steps('chkp').VMDiskType)]", + "managedSystemAssigned": "[steps('chkp').managedSystemAssigned]", + "sourceImageVhdUri": "[coalesce(steps('chkp').sourceImageVhdUri, 'noCustomUri')]", + "availabilityOptions": "[steps('chkp').availabilityOptions]", + "customMetrics": "[steps('chkp').customMetrics]", + "floatingIP": "[steps('chkp').floatingIP]", + "publicIPPrefix": "[steps('chkp').publicIPPrefix]", + "createNewIPPrefix": "[steps('chkp').createNewIPPrefix]", + "ipPrefixExistingResourceId": "[steps('chkp').ipPrefixExistingResourceId]", + "adminShell": "[steps('chkp').adminShell]", + "smart1CloudTokenA": "[steps('chkp').Smart1CloudTokenA]", + "smart1CloudTokenB": "[steps('chkp').Smart1CloudTokenB]", + "tagsByResource": "[steps('tags').tagsByResource]", + 
"deployNewNSG": "[steps('network').NSG]", + "ExistingNSG": "[steps('network').nsgSelector]", + "NewNsgName": "[steps('network').NSGName]", + "addStorageAccountIpRules": "[steps('network').addStorageAccountIpRules]", + "VipsNumber": "[int(steps('network').Vips_Number)]", + "VipNames": "[concat(steps('network').VIP_Names.VIP2_Name, ',', steps('network').VIP_Names.VIP3_Name, ',', steps('network').VIP_Names.VIP4_Name, ',', steps('network').VIP_Names.VIP5_Name, ',', steps('network').VIP_Names.VIP6_Name, ',', steps('network').VIP_Names.VIP7_Name, ',', steps('network').VIP_Names.VIP8_Name, ',', steps('network').VIP_Names.VIP9_Name, ',', steps('network').VIP_Names.VIP10_Name)]", + "SerialConsolePasswordHash": "[steps('chkp').AdditionalPassword]", + "MaintenanceModePasswordHash": "[steps('chkp').MaintenanceModePassword]" + } + } +} \ No newline at end of file diff --git a/azure/templates/marketplace-ha/mainTemplate.json b/azure/templates/marketplace-ha/mainTemplate.json new file mode 100644 index 00000000..77c7fbf3 --- /dev/null +++ b/azure/templates/marketplace-ha/mainTemplate.json 
@@ -0,0 +1,1453 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string", + "metadata": { + "description": "Deployment location" + }, + "defaultValue": "[resourceGroup().location]" + }, + "cloudGuardVersion": { + "type": "string", + "allowedValues": [ + "R81.10 - Bring Your Own License", + "R81.10 - Pay As You Go (NGTP)", + "R81.10 - Pay As You Go (NGTX)", + "R81.20 - Bring Your Own License", + "R81.20 - Pay As You Go (NGTP)", + "R81.20 - Pay As You Go (NGTX)" + ], + "defaultValue": "R81.20 - Bring Your Own License", + "metadata": { + "description": "Check Point CloudGuard version" + } + }, + "authenticationType": { + "type": "string", + "allowedValues": [ + "password", + "sshPublicKey" + ], + "defaultValue": "password", + "metadata": { + "description": "Authentication type" + } + }, + "sshPublicKey": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Administrator SSH public key" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Administrator password" + }, + "defaultValue": "" + }, + "MaintenanceModePasswordHash": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "Description": "Maintenance mode password hash, relevant only for R81.20 and higher versions" + } + }, + "SerialConsolePasswordHash": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "Description": "Optional parameter, used to enable serial console connection in case of SSH key as authentication type" + } + }, + "floatingIP": { + "type": "string", + "allowedValues": [ + "no", + "yes" + ], + "defaultValue": "no", + "metadata": { + "description": "Deploy the Load Balancers with floating IP" + } + }, + "publicIPPrefix": { + "type": "string", + "allowedValues": [ + "no", + "yes" + ], + "defaultValue": "no", + "metadata": { + "description": "Use public IP prefix" + } + }, + 
"createNewIPPrefix": { + "type": "string", + "allowedValues": [ + "no", + "yes" + ], + "defaultValue": "no", + "metadata": { + "description": "Create new public IP prefix" + } + }, + "ipPrefixExistingResourceId": { + "type": "string", + "metadata": { + "description": "The resource id of the existing IP prefix" + }, + "defaultValue": "" + }, + "vmName": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "Name of the Check Point Cluster object" + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_D3_v2", + "metadata": { + "description": "Size of the VM" + } + }, + "adminShell": { + "type": "string", + "defaultValue": "/etc/cli.sh", + "allowedValues": [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh" + ], + "metadata": { + "Description": "The default shell for the admin user" + } + }, + "sicKey": { + "type": "securestring", + "metadata": { + "description": "One time key for Secure Internal Communication" + } + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "[concat(resourceGroup().name, '-vnet')]" + }, + "virtualNetworkAddressPrefixes": { + "type": "array", + "metadata": { + "description": "The address prefixes of the virtual network" + }, + "defaultValue": [ + "10.0.0.0/16" + ] + }, + "subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the frontend subnet" + }, + "defaultValue": "Frontend" + }, + "subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the frontend subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "subnet1StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the 1st subnet" + }, + "defaultValue": "10.0.1.10" + }, + "subnet2Name": { + "type": "string", + "metadata": { + "description": "The name of the backend subnet" + }, + "defaultValue": "Backend" + }, + 
"subnet2Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the backend subnet" + }, + "defaultValue": "10.0.2.0/24" + }, + "subnet2StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the 2nd subnet" + }, + "defaultValue": "10.0.2.10" + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "new", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "[resourceGroup().name]" + }, + "bootstrapScript": { + "type": "string", + "metadata": { + "description": "Bootstrap script" + }, + "defaultValue": "" + }, + "allowDownloadFromUploadToCheckPoint": { + "type": "string", + "allowedValues": [ + "true", + "false" + ], + "defaultValue": "true", + "metadata": { + "description": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + } + }, + "additionalDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "metadata": { + "description": "Amount of additional disk space (in GB)" + }, + "minValue": 0, + "maxValue": 3995 + }, + "diskType": { + "type": "string", + "defaultValue": "Standard_LRS", + "metadata": { + "description": "The type of the OS disk. Premium is applicable only to DS machine sizes" + }, + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ] + }, + "managedSystemAssigned": { + "type": "string", + "allowedValues": [ + "yes", + "no" + ], + "defaultValue": "yes", + "metadata": { + "description": "Automatically create a Service Principal for this deployment." 
+ } + }, + "sourceImageVhdUri": { + "type": "string", + "defaultValue": "noCustomUri", + "metadata": { + "description": "The URI of the blob containing the development image" + } + }, + "availabilityOptions": { + "type": "string", + "allowedValues": [ + "Availability Set", + "Availability Zones" + ], + "defaultValue": "Availability Set", + "metadata": { + "description": "Use replicated Cluster VMs in Availability Set or Availability Zones" + } + }, + "_artifactsLocation": { + "type": "string", + "metadata": { + "description": "Use the following URI when deploying a custom template: https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/" + }, + "defaultValue": "[deployment().properties.templateLink.uri]" + }, + "_artifactsLocationSasToken": { + "type": "securestring", + "metadata": { + "description": "The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. Use the defaultValue if the staging location is not secured." 
+ }, + "defaultValue": "" + }, + "customMetrics": { + "type": "string", + "allowedValues": [ + "no", + "yes" + ], + "defaultValue": "yes", + "metadata": { + "Description": "Indicates whether CloudGuard Metrics will be used for Cluster members monitoring" + } + }, + "smart1CloudTokenA": { + "type": "securestring", + "defaultValue": "" + }, + "smart1CloudTokenB": { + "type": "securestring", + "defaultValue": "" + }, + "tagsByResource": { + "type": "object", + "defaultValue": {} + }, + "deployNewNSG": { + "type": "bool", + "defaultValue": true + }, + "ExistingNSG": { + "type": "object", + "defaultValue": {} + }, + "NewNsgName": { + "type": "string", + "defaultValue": "[concat(parameters('vmName'),'-nsg')]" + }, + "VipsNumber": { + "type": "int", + "defaultValue": 1, + "minValue": 1, + "maxValue": 10 + }, + "VipNames": { + "type": "string", + "defaultValue": "" + }, + "addStorageAccountIpRules": { + "type": "bool", + "metadata": { + "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled" + }, + "defaultValue": false + }, + "storageAccountAdditionalIps": { + "type": "array", + "metadata": { + "description": "IPs/CIDRs that are allowed access to the Storage Account" + }, + "defaultValue": [] + } + }, + "variables": { + "VIPs_Number": "[int(parameters('VipsNumber'))]", + "Vip_Names": "[split(parameters('VipNames'), ',')]", + "templateName": "ha", + "templateVersion": "20240716", + "location": "[parameters('location')]", + "elbPublicIPName": "frontend-lb-address", + "haPublicIPName": "[parameters('vmName')]", + "offers": { + "R81.10 - 
Bring Your Own License": "BYOL", + "R81.10 - Pay As You Go (NGTP)": "NGTP", + "R81.10 - Pay As You Go (NGTX)": "NGTX", + "R81.20 - Bring Your Own License": "BYOL", + "R81.20 - Pay As You Go (NGTP)": "NGTP", + "R81.20 - Pay As You Go (NGTX)": "NGTX" + }, + "offer": "[variables('offers')[parameters('cloudGuardVersion')]]", + "osVersions": { + "R81.10 - Bring Your Own License": "R8110", + "R81.10 - Pay As You Go (NGTP)": "R8110", + "R81.10 - Pay As You Go (NGTX)": "R8110", + "R81.20 - Bring Your Own License": "R8120", + "R81.20 - Pay As You Go (NGTP)": "R8120", + "R81.20 - Pay As You Go (NGTX)": "R8120" + }, + "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", + "SerialConsoleGeographies": { + "eastasia": [ + "20.205.69.28", + "20.195.85.180" + ], + "southeastasia": [ + "20.205.69.28", + "20.195.85.180" + ], + "australiacentral": [ + "20.53.53.224", + "20.70.222.112" + ], + "australiacentral2": [ + "20.53.53.224", + "20.70.222.112" + ], + "australiaeast": [ + "20.53.53.224", + "20.70.222.112" + ], + "australiasoutheast": [ + "20.53.53.224", + "20.70.222.112" + ], + "brazilsouth": [ + "91.234.136.63", + "20.206.0.194" + ], + "brazilsoutheast": [ + "91.234.136.63", + "20.206.0.194" + ], + "canadacentral": [ + "52.228.86.177", + "52.242.40.90" + ], + "canadaeast": [ + "52.228.86.177", + "52.242.40.90" + ], + "northeurope": [ + "52.146.139.220", + "20.105.209.72" + ], + "westeurope": [ + "52.146.139.220", + "20.105.209.72" + ], + "francecentral": [ + "20.111.0.244", + "52.136.191.10" + ], + "francesouth": [ + "20.111.0.244", + "52.136.191.10" + ], + "germanynorth": [ + "51.116.75.88", + "20.52.95.48" + ], + "germanywestcentral": [ + "51.116.75.88", + "20.52.95.48" + ], + "centralindia": [ + "20.192.168.150", + "20.192.153.104" + ], + "southindia": [ + "20.192.168.150", + "20.192.153.104" + ], + "westindia": [ + "20.192.168.150", + "20.192.153.104" + ], + "japaneast": [ + "20.43.70.205", + "20.189.228.222" + ], + "japanwest": [ + "20.43.70.205", + 
"20.189.228.222" + ], + "koreacentral": [ + "20.200.196.96", + "52.147.119.29" + ], + "koreasouth": [ + "20.200.196.96", + "52.147.119.29" + ], + "norwaywest": [ + "20.100.1.184", + "51.13.138.76" + ], + "norwayeast": [ + "20.100.1.184", + "51.13.138.76" + ], + "switzerlandnorth": [ + "20.208.4.98", + "51.107.251.190" + ], + "switzerlandwest": [ + "20.208.4.98", + "51.107.251.190" + ], + "uaecentral": [ + "20.45.95.66", + "20.38.141.5" + ], + "uaenorth": [ + "20.45.95.66", + "20.38.141.5" + ], + "uksouth": [ + "20.90.132.144", + "20.58.68.62" + ], + "ukwest": [ + "20.90.132.144", + "20.58.68.62" + ], + "swedencentral": [ + "51.12.72.223", + "51.12.22.174" + ], + "swedensouth": [ + "51.12.72.223", + "51.12.22.174" + ], + "centralus": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "eastus2": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "eastus": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "northcentralus": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "southcentralus": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "westus2": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "westus3": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "westcentralus": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "westus": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "eastus2euap": [ + "20.45.242.18", + "20.51.21.252" + ], + "centraluseuap": [ + "20.45.242.18", + "20.51.21.252" + ] + }, + "serialConsoleIps": "[if(contains(variables('serialConsoleGeographies'),variables('location')),variables('serialConsoleGeographies')[variables('location')],createArray())]", + "storageAccountIps": "[concat(variables('SerialConsoleIps'),parameters('storageAccountAdditionalIps'))]", + "isBlink": true, + 
"storageAccountName": "[concat('bootdiag', uniqueString(resourceGroup().id, deployment().name))]", + "storageAccountType": "Standard_LRS", + "diskSize100GB": 100, + "diskSizeGB": "[add(parameters('additionalDiskSizeGB'), variables('diskSize100GB'))]", + "imageOffer": "[concat('check-point-cg-', toLower(variables('osVersion')))]", + "imagePublisher": "checkpoint", + "imageReferenceBYOL": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-byol", + "version": "latest" + }, + "imageReferenceNGTP": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp", + "version": "latest" + }, + "imageReferenceNGTP-V2": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp-v2", + "version": "latest" + }, + "imageReferenceNGTX": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtx", + "version": "latest" + }, + "imageReferenceNGTX-V2": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtx-v2", + "version": "latest" + }, + "imageReferenceMarketplace": "[if(equals(variables('offer'), 'BYOL'), variables('imageReferenceBYOL'), if(equals(variables('offer'), 'NGTP'), variables('imageReferenceNGTP'), if(equals(variables('offer'), 'NGTP-V2'), variables('imageReferenceNGTP-V2'), if(equals(variables('offer'), 'NGTX'), variables('imageReferenceNGTX'), if(equals(variables('offer'), 'NGTX-V2'), variables('imageReferenceNGTX-V2'), json('null'))))))]", + "customImage": "customImage", + "imageReferenceCustomUri": { + "id": "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + }, + "imageReference": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('imageReferenceMarketplace'), variables('imageReferenceCustomUri'))]", + "enableFloatingIP": "[equals(parameters('floatingIP'), 'yes')]", + "nic1Name": 
"eth0", + "nic2Name": "eth1", + "elbName": "frontend-lb", + "elbId": "[resourceId('Microsoft.Network/loadBalancers', variables('elbName'))]", + "elbBEAddressPool": "[concat(variables('elbName'), '-pool')]", + "elbBEAddressPoolID": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', variables('elbName'), variables('elbBEAddressPool'))]", + "ilbName": "backend-lb", + "ilbId": "[resourceId('Microsoft.Network/loadBalancers', variables('ilbName'))]", + "ilbBEAddressPool": "[concat(variables('ilbName'), '-pool')]", + "ilbBEAddressPoolID": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools/', variables('ilbName'), variables('ilbBEAddressPool'))]", + "ilbFEIPConfigID": "[resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations/', variables('ilbName'), variables('ilbName'))]", + "ilbProbeName": "[variables('ilbName')]", + "ilbProbeID": "[resourceId('Microsoft.Network/loadBalancers/probes/', variables('ilbName'), variables('ilbProbeName'))]", + "linuxConfigurationpassword": { + "disablePasswordAuthentication": "false" + }, + "appProbeName": "health_prob_port", + "linuxConfigurationsshPublicKey": { + "disablePasswordAuthentication": "true", + "ssh": { + "publicKeys": [ + { + "keyData": "[parameters('sshPublicKey')]", + "path": "/home/notused/.ssh/authorized_keys" + } + ] + } + }, + "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), variables('linuxConfigurationpassword'), variables('linuxConfigurationsshPublicKey'))]", + "planBYOL": { + "name": "sg-byol", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP": { + "name": "sg-ngtp", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP-V2": { + "name": "sg-ngtp-v2", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTX": { + "name": "sg-ngtx", + "product": "[variables('imageOffer')]", + "publisher": 
"[variables('imagePublisher')]" + }, + "planNGTX-V2": { + "name": "sg-ngtx-v2", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "plan": "[if(equals(variables('offer'), 'BYOL') , variables('planBYOL'), if(equals(variables('offer'), 'NGTP'), variables('planNGTP'), if(equals(variables('offer'), 'NGTP-V2'), variables('planNGTP-V2'), if(equals(variables('offer'), 'NGTX'), variables('planNGTX'), if(equals(variables('offer'), 'NGTX-V2'), variables('planNGTX-V2'), json('null'))))))]", + "roleDefinitionIds": "[createArray(subscriptionResourceId('Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c'), subscriptionResourceId('Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7'))]", + "identity": "[json('{\"type\": \"SystemAssigned\"}')]", + "subnet2PrivateAddresses": [ + "[concat(split(parameters('subnet2StartAddress'), '.')[0],'.', split(parameters('subnet2StartAddress'), '.')[1],'.', split(parameters('subnet2StartAddress'), '.')[2],'.', string(add(int(split(parameters('subnet2StartAddress'), '.')[3]),1)))]", + "[concat(split(parameters('subnet2StartAddress'), '.')[0],'.', split(parameters('subnet2StartAddress'), '.')[1],'.', split(parameters('subnet2StartAddress'), '.')[2],'.', string(add(int(split(parameters('subnet2StartAddress'), '.')[3]),2)))]" + ], + "elbPublicIPId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('elbPublicIPName'))]", + "haPublicIPId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('haPublicIPName'))]", + "gwPublicIPIds": [ + "[resourceId('Microsoft.Network/publicIPAddresses', concat(parameters('vmName'), '1'))]", + "[resourceId('Microsoft.Network/publicIPAddresses', concat(parameters('vmName'), '2'))]" + ], + "availabilitySetName": "[concat(parameters('vmName'), '-AvailabilitySet')]", + "count": 2, + "bootstrapScript64": "[base64(parameters('bootstrapScript'))]", + "allowUploadDownload": 
"[parameters('allowDownloadFromUploadToCheckPoint')]", + "_artifactsLocation": "[if(contains(parameters('_artifactsLocation'),'raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/marketplace'),'https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/',parameters('_artifactsLocation'))]", + "networkSetupURL": "[uri(variables('_artifactsLocation'), concat('nestedtemplates/vnet-2-subnet-ha2-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]", + "ExsitingNsgRoleAssignmentURL": "[uri(variables('_artifactsLocation'), concat('nestedtemplates/existing-nsg-RoleAssignment', '.json'))]", + "sicKey": "[parameters('sicKey')]", + "installationType": "cluster", + "internalLBPrivateIPAddress": "[parameters('Subnet2StartAddress')]", + "availabilityZonesLocations": [ + "brazilsouth", + "canadacentral", + "centralus", + "eastus", + "eastus2", + "southcentralus", + "usgovvirginia", + "westus2", + "westus3", + "francecentral", + "germanywestcentral", + "northeurope", + "norwayeast", + "uksouth", + "westeurope", + "swedencentral", + "switzerlandnorth", + "qatarcentral", + "uaenorth", + "southafricanorth", + "australiaeast", + "centralindia", + "japaneast", + "koreacentral", + "southeastasia", + "eastasia", + "italynorth" + ], + "availabilitySetProperty": { + "id": "[resourceId('Microsoft.Compute/availabilitySets', variables('availabilitySetName'))]" + }, + "useAZ": "[and(contains(variables('availabilityZonesLocations'), variables('location')), equals(parameters('availabilityOptions'), 'Availability Zones'))]", + "customMetrics": "[parameters('customMetrics')]", + "emptyString": "none", + "ipPrefixNewName": "[concat(parameters('vmName'), '-ipprefix')]", + "ipPrefixExistingResourceId": "[if(equals(parameters('publicIPPrefix'), 'yes'), parameters('ipPrefixExistingResourceId'), variables('emptyString'))]", + "ipNewPrefixId": 
"[resourceId('Microsoft.Network/publicIPPrefixes',variables('ipPrefixNewName'))]", + "publicIPNewPrefixId": "[if(equals(parameters('publicIPPrefix'), 'yes'), variables('ipNewPrefixId'), json('null'))]", + "usepublicIPPrefix": "[if(equals(parameters('createNewIPPrefix'),'yes'), variables('publicIPNewPrefixId'), variables('ipPrefixExistingResourceId'))]", + "publicIPPrefixProperty": { + "Id": "[variables('usepublicIPPrefix')]" + }, + "tokens": [ + "[parameters('smart1CloudTokenA')]", + "[parameters('smart1CloudTokenB')]" + ], + "prefixDependsOn": "[if(equals(parameters('publicIPPrefix'), 'yes'), if(equals(parameters('createNewIPPrefix'), 'yes'), variables('publicIPNewPrefixId'), variables('ipNewPrefixId')), variables('ipNewPrefixId'))]", + "deployNewVnet": "[equals(parameters('vnetNewOrExisting'), 'new')]", + "vnetRGName": "[if(variables('deployNewVnet'), resourceGroup().name, parameters('virtualNetworkExistingRGName'))]", + "NewNsgReference": { + "id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('NewNsgName'))]" + }, + "DefaultIpAddresses": [ + { + "name": "member-ip", + "properties": { + "primary": true, + "privateIPAddress": "[variables('externalPrivateAddresses')[0]]", + "privateIPAllocationMethod": "Static", + "PublicIpAddress": { + "Id": "[variables('gwPublicIPIds')[0]]" + }, + "subnet": { + "id": "[resourceId(variables('vnetRGName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnet1Name'))]" + }, + "loadBalancerBackendAddressPools": [ + { + "id": "[variables('elbBEAddressPoolID')]" + } + ] + } + }, + { + "name": "cluster-vip", + "properties": { + "primary": false, + "privateIPAddress": "[variables('externalPrivateAddresses')[2]]", + "privateIPAllocationMethod": "Static", + "PublicIpAddress": { + "Id": "[variables('haPublicIPId')]" + }, + "subnet": { + "id": "[resourceId(variables('vnetRGName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), 
parameters('subnet1Name'))]" + } + } + } + ], + "copy": [ + { + "name": "externalPrivateAddresses", + "count": "[add(variables('VIPs_Number'),2)]", + "input": "[concat(split(parameters('subnet1StartAddress'), '.')[0],'.', split(parameters('subnet1StartAddress'), '.')[1],'.', split(parameters('subnet1StartAddress'), '.')[2],'.', string(add(int(split(parameters('subnet1StartAddress'), '.')[3]),copyIndex('externalPrivateAddresses'))))]" + }, + { + "name": "Vips", + "count": "[sub(variables('VIPs_Number'), 1)]", + "input": { + "name": "[concat('cluster-vip-', copyIndex('Vips', 1))]", + "properties": { + "primary": false, + "privateIPAddress": "[variables('externalPrivateAddresses')[add(copyIndex('Vips'), 3)]]", + "privateIPAllocationMethod": "Static", + "PublicIpAddress": { + "Id": "[resourceId('Microsoft.Network/publicIPAddresses', variables('Vip_Names')[copyIndex('Vips')])]" + }, + "subnet": { + "id": "[resourceId(variables('vnetRGName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnet1Name'))]" + } + } + } + }, + { + "name": "VipsInformation", + "count": "[sub(variables('VIPs_Number'), 1)]", + "input": { + "name": "[concat('cluster-vip-', copyIndex('VipsInformation', 1))]", + "privateIPAddress": "[variables('externalPrivateAddresses')[add(copyIndex('VipsInformation'), 3)]]", + "publicIPAddress": "[variables('Vip_Names')[copyIndex('VipsInformation')]]" + } + }, + { + "name": "customData", + "count": "[variables('count')]", + "input": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 
'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'tenantId=\"', subscription().tenantId, '\"', '\n', 'virtualNetwork=\"', parameters('virtualNetworkName'), '\"', '\n', 'clusterName=\"', parameters('vmName'), '\"', '\n', 'customMetrics=\"', variables('customMetrics'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n', '\n','smart1CloudToken=\"', variables('tokens')[copyIndex('customData')], '\"', '\n', 'Vips=\"', string(variables('VipsInformationForCloudConfig')), '\"', '\n','externalPrivateAddresses=\"', variables('externalPrivateAddresses')[2], '\"', '\n', 'MaintenanceModePassword=\"', parameters('MaintenanceModePasswordHash'), '\"', '\n', 'passwordHash=\"', parameters('SerialConsolePasswordHash'), '\"', '\n')]"
+ }
+ ],
+ "DefaultVipInformation": [
+ {
+ "name": "cluster-vip",
+ "privateIPAddress": "[variables('externalPrivateAddresses')[2]]",
+ "publicIPAddress": "[parameters('vmName')]"
+ }
+ ],
+ "VipsInformationForCloudConfig": "[union(variables('DefaultVipInformation'), variables('VipsInformation'))]"
+ },
+ "resources": [
+ {
+ "condition": "[and(equals(parameters('createNewIPPrefix'), 'yes'), equals(parameters('publicIPPrefix'), 'yes'))]",
+ "apiVersion": "2020-06-01",
+ "type": "Microsoft.Network/publicIPPrefixes",
+ "name": "[variables('ipPrefixNewName')]",
+ "location": "[variables('location')]",
+ "properties": {
+ "prefixLength": "[if(greater(variables('VIPs_Number'), 5), '28', if(greater(variables('VIPs_Number'), 1), '29', '30'))]",
+ "publicIPAddressVersion": "IPv4"
+ },
+ "sku": {
+ "name": "Standard",
+ "tier": "Regional"
+ },
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/publicIPPrefixes'), parameters('tagsByResource')['Microsoft.Network/publicIPPrefixes'], json('{}')) ]"
+ },
+ {
+ "apiVersion": "2020-06-01",
+ "name": "pid-6f13b00a-7546-4ab2-be9f-c66815cc6c8b-partnercenter",
+ "type": 
"Microsoft.Resources/deployments", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('storageAccountName')]", + "apiVersion": "2022-09-01", + "properties": { + "supportsHttpsTrafficOnly": true, + "allowBlobPublicAccess": false, + "minimumTlsVersion": "TLS1_2", + "networkAcls": { + "bypass": "None", + "defaultAction": "[if(parameters('addStorageAccountIpRules'), 'Deny', 'Allow')]", + "ipRules": "[if(parameters('addStorageAccountIpRules'), map(variables('storageAccountIps'), lambda('ip',createObject('action','Allow','value',lambdaVariables('ip')))), createArray())]" + } + }, + "location": "[variables('location')]", + "sku": { + "name": "[variables('storageAccountType')]" + }, + "kind": "Storage", + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Storage/storageAccounts'), parameters('tagsByResource')['Microsoft.Storage/storageAccounts'], json('{}')) ]" + }, + { + "condition": "[equals(parameters('vnetNewOrExisting'), 'new')]", + "name": "networkNewSetup", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + "value": "[variables('location')]" + }, + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + "virtualNetworkAddressPrefixes": { + "value": "[parameters('virtualNetworkAddressPrefixes')]" + }, + "subnet1Name": { + "value": "[parameters('subnet1Name')]" + }, + "subnet1Prefix": { + "value": "[parameters('subnet1Prefix')]" + }, + "subnet2Name": { + "value": "[parameters('subnet2Name')]" + }, + "subnet2Prefix": { + "value": "[parameters('subnet2Prefix')]" + }, + "deployNsg": { + "value": 
"[parameters('deployNewNSG')]" + }, + "NewNsgName": { + "value": "[parameters('NewNsgName')]" + }, + "tagsByResource": { + "value": "[parameters('tagsByResource')]" + } + } + } + }, + { + "condition": "[equals(parameters('vnetNewOrExisting'), 'existing')]", + "name": "networkExistingSetup", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + "value": "[variables('location')]" + }, + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + "virtualNetworkExistingRGName": { + "value": "[variables('vnetRGName')]" + }, + "deployNsg": { + "value": "[parameters('deployNewNSG')]" + }, + "NewNsgName": { + "value": "[parameters('NewNsgName')]" + }, + "tagsByResource": { + "value": "[parameters('tagsByResource')]" + } + } + } + }, + { + "type": "Microsoft.Compute/availabilitySets", + "condition": "[not(variables('useAZ'))]", + "apiVersion": "2020-06-01", + "location": "[variables('location')]", + "name": "[concat(variables('availabilitySetName'))]", + "properties": { + "platformFaultDomainCount": 2 + }, + "sku": { + "name": "Aligned" + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Compute/availabilitySets'), parameters('tagsByResource')['Microsoft.Compute/availabilitySets'], json('{}')) ]" + }, + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[variables('prefixDependsOn')]" + ], + "location": "[variables('location')]", + "name": "[variables('elbPublicIPName')]", + "sku": { + "name": "Standard" + }, + "properties": { + "idleTimeoutInMinutes": 30, + "publicIPAllocationMethod": "Static", + "dnsSettings": { + "domainNameLabel": "[concat(toLower(parameters('vmName')), '-', uniquestring(resourceGroup().id, deployment().name))]" + }, + "publicIPPrefix": 
"[if(equals(parameters('publicIPPrefix'), 'yes'), variables('publicIPPrefixProperty'), json('null'))]" + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/publicIPAddresses'), parameters('tagsByResource')['Microsoft.Network/publicIPAddresses'], json('{}')) ]" + }, + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[variables('prefixDependsOn')]" + ], + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), copyIndex(1))]", + "sku": { + "name": "Standard" + }, + "copy": { + "name": "publicAddressCopy", + "count": "[variables('count')]" + }, + "properties": { + "idleTimeoutInMinutes": 30, + "publicIPAllocationMethod": "Static", + "dnsSettings": { + "domainNameLabel": "[concat(toLower(parameters('vmName')), '-', copyIndex(1), '-', uniquestring(resourceGroup().id, deployment().name))]" + }, + "publicIPPrefix": "[if(equals(parameters('publicIPPrefix'), 'yes'), variables('publicIPPrefixProperty'), json('null'))]" + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/publicIPAddresses'), parameters('tagsByResource')['Microsoft.Network/publicIPAddresses'], json('{}')) ]" + }, + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[variables('prefixDependsOn')]" + ], + "location": "[variables('location')]", + "name": "[parameters('vmName')]", + "sku": { + "name": "Standard" + }, + "properties": { + "idleTimeoutInMinutes": 30, + "publicIPAllocationMethod": "Static", + "dnsSettings": { + "domainNameLabel": "[concat(toLower(parameters('vmName')), '-vip-', uniquestring(resourceGroup().id, deployment().name))]" + }, + "publicIPPrefix": "[if(equals(parameters('publicIPPrefix'), 'yes'), variables('publicIPPrefixProperty'), json('null'))]" + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/publicIPAddresses'), parameters('tagsByResource')['Microsoft.Network/publicIPAddresses'], 
json('{}')) ]"
+ },
+ {
+ "type": "Microsoft.Network/publicIPAddresses",
+ "apiVersion": "2020-06-01",
+ "dependsOn": [
+ "[variables('prefixDependsOn')]"
+ ],
+ "location": "[variables('location')]",
+ "name": "[variables('Vip_Names')[copyIndex()]]",
+ "sku": {
+ "name": "Standard"
+ },
+ "copy": {
+ "name": "publicVipCopy",
+ "count": "[sub(variables('VIPs_Number'), 1)]"
+ },
+ "properties": {
+ "idleTimeoutInMinutes": 30,
+ "publicIPAllocationMethod": "Static",
+ "dnsSettings": {
+ "domainNameLabel": "[concat(toLower(parameters('vmName')), 'vip', copyIndex(1), '-', uniquestring(resourceGroup().id, deployment().name))]"
+ },
+ "publicIPPrefix": "[if(equals(parameters('publicIPPrefix'), 'yes'), variables('publicIPPrefixProperty'), json('null'))]"
+ },
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/publicIPAddresses'), parameters('tagsByResource')['Microsoft.Network/publicIPAddresses'], json('{}')) ]"
+ },
+ {
+ "type": "Microsoft.Network/networkInterfaces",
+ "apiVersion": "2020-06-01",
+ "dependsOn": [
+ "[coalesce(resourceId('Microsoft.Resources/deployments', 'networkNewSetup'), resourceId('Microsoft.Resources/deployments', 'networkExistingSetup'))]",
+ "[variables('elbId')]",
+ "[variables('gwPublicIPIds')[0]]",
+ "[variables('haPublicIPId')]"
+ ],
+ "location": "[variables('location')]",
+ "name": "[concat(parameters('vmName'), '1-', variables('nic1Name'))]",
+ "properties": {
+ "primary": true,
+ "enableIPForwarding": true,
+ "enableAcceleratedNetworking": true,
+ "networkSecurityGroup": "[if(parameters('deployNewNSG') , variables('NewNsgReference') , parameters('ExistingNSG'))]",
+ "ipConfigurations": "[union(variables('DefaultIpAddresses'),variables('Vips'))]"
+ },
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/networkInterfaces'), parameters('tagsByResource')['Microsoft.Network/networkInterfaces'], json('{}')) ]"
+ },
+ {
+ "type": "Microsoft.Network/networkInterfaces",
+ "apiVersion": "2020-06-01",
+ 
"dependsOn": [ + "[coalesce(resourceId('Microsoft.Resources/deployments', 'networkNewSetup'), resourceId('Microsoft.Resources/deployments', 'networkExistingSetup'))]", + "[variables('elbId')]", + "[variables('gwPublicIPIds')[1]]" + ], + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), '2-', variables('nic1Name'))]", + "properties": { + "primary": true, + "enableIPForwarding": true, + "enableAcceleratedNetworking": true, + "networkSecurityGroup": "[if(parameters('deployNewNSG') , variables('NewNsgReference') , parameters('ExistingNSG'))]", + "ipConfigurations": [ + { + "name": "member-ip", + "properties": { + "primary": true, + "privateIPAddress": "[variables('externalPrivateAddresses')[1]]", + "privateIPAllocationMethod": "Static", + "PublicIpAddress": { + "Id": "[variables('gwPublicIPIds')[1]]" + }, + "subnet": { + "id": "[resourceId(variables('vnetRGName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnet1Name'))]" + }, + "loadBalancerBackendAddressPools": [ + { + "id": "[variables('elbBEAddressPoolID')]" + } + ] + } + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/networkInterfaces'), parameters('tagsByResource')['Microsoft.Network/networkInterfaces'], json('{}')) ]" + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[coalesce(resourceId('Microsoft.Resources/deployments', 'networkNewSetup'), resourceId('Microsoft.Resources/deployments', 'networkExistingSetup'))]", + "[variables('ilbId')]" + ], + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), copyIndex(1), '-', variables('nic2Name'))]", + "copy": { + "name": "internalNicCopy", + "count": "[variables('count')]" + }, + "properties": { + "primary": false, + "enableIPForwarding": true, + "enableAcceleratedNetworking": true, + "ipConfigurations": [ + { + "name": "member-ip", + "properties": { + "primary": true, + 
"privateIPAddress": "[variables('subnet2PrivateAddresses')[copyIndex()]]", + "privateIPAllocationMethod": "Static", + "subnet": { + "id": "[resourceId(variables('vnetRGName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnet2Name'))]" + }, + "loadBalancerBackendAddressPools": [ + { + "id": "[variables('ilbBEAddressPoolID')]" + } + ] + } + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/networkInterfaces'), parameters('tagsByResource')['Microsoft.Network/networkInterfaces'], json('{}')) ]" + }, + { + "condition": "[not(equals(parameters('sourceImageVhdUri'), 'noCustomUri'))]", + "type": "Microsoft.Compute/images", + "apiVersion": "2020-06-01", + "name": "[variables('customImage')]", + "location": "[variables('location')]", + "properties": { + "storageProfile": { + "osDisk": { + "osType": "Linux", + "osState": "Generalized", + "blobUri": "[parameters('sourceImageVhdUri')]", + "storageAccountType": "Standard_LRS" + } + }, + "hyperVGeneration": "V1" + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Compute/images'), parameters('tagsByResource')['Microsoft.Compute/images'], json('{}')) ]" + }, + { + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2022-11-01", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]", + "[resourceId('Microsoft.Compute/availabilitySets', variables('availabilitySetName'))]", + "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), copyIndex(1), '-', variables('nic1Name')))]", + "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), copyIndex(1), '-', variables('nic2Name')))]", + "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + ], + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), copyIndex(1))]", + "zones": "[if(variables('useAZ'), array(copyIndex(1)), json('null'))]", + 
"copy": { + "name": "virtualMachineCopy", + "count": "[variables('count')]" + }, + "plan": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('plan'), json('null'))]", + "identity": "[if(equals(parameters('managedSystemAssigned'), 'yes'), variables('identity'), json('null'))]", + "properties": { + "UserData": "[base64(concat(variables('customData')[copyIndex()], 'vnet=\"', if(equals(parameters('vnetNewOrExisting'), 'new'), reference('networkNewSetup').outputs.vnetAddressPrefixes.value[0], reference('networkExistingSetup').outputs.vnetAddressPrefixes.value[0]), '\"', '\n'))]", + "availabilitySet": "[if(not(variables('useAZ')), variables('availabilitySetProperty'), json('null'))]", + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": "true", + "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2022-09-01').primaryEndpoints.blob]" + } + }, + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), copyIndex(1), '-', variables('nic1Name')))]", + "properties": { + "primary": true + } + }, + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), copyIndex(1), '-', variables('nic2Name')))]", + "properties": { + "primary": false + } + } + ] + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "[concat('not','used')]", + "computername": "[concat(toLower(parameters('vmName')), copyIndex(1))]", + "customData": "[base64(concat(variables('customData')[copyIndex()], 'vnet=\"', if(equals(parameters('vnetNewOrExisting'), 'new'), reference('networkNewSetup').outputs.vnetAddressPrefixes.value[0], reference('networkExistingSetup').outputs.vnetAddressPrefixes.value[0]), '\"', '\n'))]", + "linuxConfiguration": "[variables('linuxConfiguration')]" + }, + "storageProfile": { + 
"imageReference": "[variables('imageReference')]", + "osDisk": { + "caching": "ReadWrite", + "createOption": "FromImage", + "diskSizeGB": "[variables('diskSizeGB')]", + "name": "[concat(parameters('vmName'), copyIndex(1))]", + "managedDisk": { + "storageAccountType": "[parameters('diskType')]" + } + } + } + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Compute/virtualMachines'), parameters('tagsByResource')['Microsoft.Compute/virtualMachines'], json('{}')) ]" + }, + { + "type": "Microsoft.Network/loadBalancers", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[variables('elbPublicIPId')]" + ], + "name": "[variables('elbName')]", + "location": "[variables('location')]", + "sku": { + "name": "Standard" + }, + "properties": { + "frontendIPConfigurations": [ + { + "name": "LoadBalancerFrontend", + "properties": { + "publicIPAddress": { + "id": "[variables('elbPublicIPId')]", + "publicIPPrefix": { + "id": "[if(equals(parameters('publicIPPrefix'), 'yes'), variables('usepublicIPPrefix'), json('null'))]" + } + } + } + } + ], + "backendAddressPools": [ + { + "name": "[variables('elbBEAddressPool')]" + } + ], + "probes": [ + { + "name": "[variables('appProbeName')]", + "properties": { + "protocol": "tcp", + "port": 8117, + "intervalInSeconds": 5, + "numberOfProbes": 2 + } + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/loadBalancers'), parameters('tagsByResource')['Microsoft.Network/loadBalancers'], json('{}')) ]" + }, + { + "condition": "[equals(parameters('managedSystemAssigned'), 'yes')]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[guid(resourceGroup().id, concat(parameters('vmName'), copyIndex(1)))]", + "copy": { + "name": "virtualMachineCopy", + "count": "[mul(length(variables('roleDefinitionIds')), variables('count'))]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), 
if(equals(mod(copyIndex(1), 2), 1), '1', '2')))]"
+ ],
+ "properties": {
+ "roleDefinitionId": "[variables('roleDefinitionIds')[if(greater(copyIndex(1), 2), 1, 0)]]",
+ "scope": "[resourceGroup().id]",
+ "principalId": "[reference(resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), if(equals(mod(copyIndex(1), 2), 1), '1', '2'))), '2022-11-01', 'Full').identity.principalId]"
+ },
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Authorization/roleAssignments'), parameters('tagsByResource')['Microsoft.Authorization/roleAssignments'], json('{}')) ]"
+ },
+ {
+ "condition": "[and(equals(parameters('managedSystemAssigned'), 'yes'), not(parameters('deployNewNSG')))]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), '1'))]"
+ ],
+ "name": "[concat('ExistingNsgRoleAssignment', copyIndex())]",
+ "copy": {
+ "name": "ExistingNsgRoleAssignmentCopy",
+ "count": "[length(variables('roleDefinitionIds'))]"
+ },
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2021-04-01",
+ "resourceGroup": "[if(not(parameters('deployNewNSG')), split(parameters('ExistingNSG').id, '/')[4], '')]",
+ "subscriptionId": "[subscription().subscriptionId]",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "[variables('ExsitingNsgRoleAssignmentURL')]",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "ExistingNSG": {
+ "value": "[parameters('ExistingNSG')]"
+ },
+ "vmName": {
+ "value": "[parameters('vmName')]"
+ },
+ "roleDefinitionId": {
+ "value": "[variables('roleDefinitionIds')[copyIndex()]]"
+ },
+ "principalId1": {
+ "value": "[reference(resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), '1')), '2022-11-01', 'Full').identity.principalId]"
+ },
+ "principalId2": {
+ "value": "[reference(resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), '2')), '2022-11-01', 'Full').identity.principalId]"
+ },
+ "index": {
+ 
"value": "[copyIndex()]" + } + } + } + }, + { + "type": "Microsoft.Network/loadBalancers", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[coalesce(resourceId('Microsoft.Resources/deployments', 'networkNewSetup'), resourceId('Microsoft.Resources/deployments', 'networkExistingSetup'))]" + ], + "name": "[variables('ilbName')]", + "location": "[variables('location')]", + "sku": { + "name": "Standard" + }, + "properties": { + "frontendIPConfigurations": [ + { + "name": "[variables('ilbName')]", + "properties": { + "privateIPAllocationMethod": "Static", + "privateIPAddress": "[variables('internalLBPrivateIPAddress')]", + "subnet": { + "id": "[resourceId(variables('vnetRGName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnet2Name'))]" + } + } + } + ], + "backendAddressPools": [ + { + "name": "[variables('ilbBEAddressPool')]" + } + ], + "loadBalancingRules": [ + { + "name": "[variables('ilbName')]", + "properties": { + "frontendIPConfiguration": { + "id": "[variables('ilbFEIPConfigID')]" + }, + "backendAddressPool": { + "id": "[variables('ilbBEAddressPoolID')]" + }, + "probe": { + "id": "[variables('ilbProbeID')]" + }, + "protocol": "All", + "frontendPort": 0, + "backendPort": 0, + "loadDistribution": "Default", + "enableFloatingIP": "[variables('enableFloatingIP')]" + } + } + ], + "probes": [ + { + "name": "[variables('ilbProbeName')]", + "properties": { + "protocol": "tcp", + "port": 8117, + "intervalInSeconds": 5, + "numberOfProbes": 2 + } + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/loadBalancers'), parameters('tagsByResource')['Microsoft.Network/loadBalancers'], json('{}')) ]" + } + ], + "outputs": { + "HaIPAddr": { + "type": "string", + "value": "[reference(variables('haPublicIPId')).IpAddress]" + }, + "HaFQDN": { + "type": "string", + "value": "[reference(variables('haPublicIPId')).dnsSettings.fqdn]" + }, + "Member1IPAddr": { + "type": "string", + "value": 
"[reference(variables('gwPublicIPIds')[0]).IpAddress]" + }, + "Member1FQDN": { + "type": "string", + "value": "[reference(variables('gwPublicIPIds')[0]).dnsSettings.fqdn]" + }, + "Member2IPAddr": { + "type": "string", + "value": "[reference(variables('gwPublicIPIds')[1]).IpAddress]" + }, + "Member2FQDN": { + "type": "string", + "value": "[reference(variables('gwPublicIPIds')[1]).dnsSettings.fqdn]" + } + } +} \ No newline at end of file diff --git a/azure/templates/marketplace-management/README.md b/azure/templates/marketplace-management/README.md new file mode 100644 index 00000000..ae636acd --- /dev/null +++ b/azure/templates/marketplace-management/README.md @@ -0,0 +1,21 @@ +# Check Point CloudGuard Network Security Management for Azure + +Check Point CloudGuard Network Security delivers advanced, multi-layered threat prevention to protect customer assets in Azure from malware and sophisticated threats. As a Microsoft Azure certified solution, CloudGuard Network Security enables you to easily and seamlessly secure your workloads while providing secure connectivity across your cloud and on-premises environments. + +Benefits: + +· Advanced threat prevention and traffic inspection + +· Integrated with Azure Security Center and Azure Sentinel + +· Provides consistent security policy management, enforcement, and reporting with a single pane of glass, using Check Point Unified Security Management + + + + Deploy to Azure + + + +To deploy with full control over all the template options use: [Full Control Deployment](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2Fazure%2Ftemplates%2Fmarketplace-management%2FmainTemplate.json) + + diff --git a/azure/templates/marketplace-management/createUiDefinition.json b/azure/templates/marketplace-management/createUiDefinition.json new file mode 100644 index 00000000..83dcc85d --- /dev/null 
+++ b/azure/templates/marketplace-management/createUiDefinition.json 
@@ -0,0 +1,702 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Compute.MultiVm", + "version": "0.1.2-preview", + "parameters": { + "basics": [ + { + "name": "chkp refrence architecture", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "Please follow the Check Point Reference Architecture for Azure.", + "link": { + "label": "Reference Architecture Guide", + "uri": "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk109360" + } + } + }, + { + "name": "gatewayNameUi", + "type": "Microsoft.Common.TextBox", + "label": "Server Name", + "toolTip": "The name of the Check Point Security Management Server.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{1,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + } + }, + { + "name": "auth", + "type": "Microsoft.Compute.CredentialsCombo", + "label": { + "authenticationType": "Authentication type", + "password": "Password", + "confirmPassword": "Confirm password", + "sshPublicKey": "SSH public key" + }, + "toolTip": { + "password": "The user 'admin' password", + "sshPublicKey": "Paste an OpenSSH public key. 
You can generate a key pair using ssh-keygen (Linux, OS X, Cygwin) or PuttyGen (Windows)" + }, + "constraints": { + "required": true + }, + "options": { + "hideConfirmation": false, + "hidePassword": false + }, + "osPlatform": "Linux" + } + ], + "steps": [ + { + "name": "chkp", + "label": "Check Point Security Management Server settings", + "subLabel": { + "preValidation": "Configure additional settings", + "postValidation": "Done" + }, + "bladeTitle": "Security Management settings", + "elements": [ + { + "name": "cloudGuardVersion", + "type": "Microsoft.Common.DropDown", + "label": "Check Point CloudGuard version", + "defaultValue": "R81.20", + "toolTip": "The version of Check Point CloudGuard.", + "constraints": { + "allowedValues": [ + { + "label": "R81.10", + "value": "R81.10" + }, + { + "label": "R81.20", + "value": "R81.20" + } + ] + } + }, + { + "name": "R80Offer", + "type": "Microsoft.Common.DropDown", + "label": "License type", + "toolTip": "The type of license.", + "defaultValue": "Bring Your Own License", + "visible": true, + "constraints": { + "allowedValues": [ + { + "label": "Bring Your Own License", + "value": "Bring Your Own License" + }, + { + "label": "Pay As You Go (MGMT25)", + "value": "Pay As You Go (MGMT25)" + } + ] + } + }, + { + "name": "R8110vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81.10'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Management", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "excludedSizes": [ + "Standard_A1_v2", + "Standard_D1_v2", + "Standard_DS1_v2", + "Standard_F1", + "Standard_F1s", + "Standard_G1", + "Standard_GS1" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8110", + "sku": "mgmt-byol" + }, + "count": 1 + }, + { + "name": "R8110vmSizeUiMGMT25", 
+ "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81.10'), contains(steps('chkp').R80Offer, '(MGMT25)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Management", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "excludedSizes": [ + "Standard_A1_v2", + "Standard_D1_v2", + "Standard_DS1_v2", + "Standard_F1", + "Standard_F1s", + "Standard_G1", + "Standard_GS1" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8110", + "sku": "mgmt-25" + }, + "count": 1 + }, + { + "name": "R8120vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81.20'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Management", + "recommendedSizes": [ + "Standard_D4ds_v5", + "Standard_D4d_v5" + ], + "constraints": { + "excludedSizes": [ + "Standard_A1_v2", + "Standard_D1_v2", + "Standard_DS1_v2", + "Standard_F1", + "Standard_F1s", + "Standard_G1", + "Standard_GS1" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8120", + "sku": "mgmt-byol" + }, + "count": 1 + }, + { + "name": "R8120vmSizeUiMGMT25", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81.20'), contains(steps('chkp').R80Offer, '(MGMT25)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Management", + "recommendedSizes": [ + "Standard_D4ds_v5", + "Standard_D4d_v5" + ], + "constraints": { + "excludedSizes": [ + "Standard_A1_v2", + "Standard_D1_v2", + "Standard_DS1_v2", + "Standard_F1", + "Standard_F1s", + "Standard_G1", + "Standard_GS1" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8120", + "sku": 
"mgmt-25" + }, + "count": 1 + }, + { + "name": "SerialPasswordInfoBox", + "type": "Microsoft.Common.InfoBox", + "visible": "[bool(basics('auth').sshPublicKey)]", + "options": { + "icon": "Info", + "text": "Check Point recommends setting serial console password and maintenance-mode password for recovery purposes. For R81.10 and below the serial console password is used also as maintenance-mode password" + } + }, + { + "visible": "[bool(basics('auth').sshPublicKey)]", + "name": "EnableSerialConsolePassword", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Serial console password", + "defaultValue": "Yes", + "toolTip": "A unique password hash to enable VM connection via serial console.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": true + }, + { + "label": "No", + "value": false + } + ] + } + }, + { + "name": "AdditionalPassword", + "type": "Microsoft.Common.PasswordBox", + "toolTip": "Serial console password hash, used to enable password authentication (using serial console). To generate password hash use the command 'openssl passwd -6 PASSWORD'", + "visible": "[and(bool(basics('auth').sshPublicKey), steps('chkp').EnableSerialConsolePassword)]", + "label": { + "password": "Password hash", + "confirmPassword": "Confirm password" + }, + "constraints": { + "required": true, + "regex": "^.{12,300}$", + "validationMessage": "The value must be the output of the hash command." + }, + "options": { + "hideConfirmation": false + } + }, + { + "name": "MaintenanceModeInfoBox", + "type": "Microsoft.Common.InfoBox", + "visible": "[and(bool(basics('auth').password), not(contains('R81.10', steps('chkp').cloudGuardVersion)))]", + "options": { + "icon": "Info", + "text": "Check Point recommends setting a maintenance-mode password for recovery purposes." 
+ } + }, + { + "visible": "[not(contains('R81.10', steps('chkp').cloudGuardVersion))]", + "name": "EnableMaintenanceMode", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Maintenance Mode", + "defaultValue": "Yes", + "toolTip": "A unique password hash to enable VM maintenance mode.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": true + }, + { + "label": "No", + "value": false + } + ] + } + }, + { + "visible": "[and(not(contains('R81.10', steps('chkp').cloudGuardVersion)), steps('chkp').EnableMaintenanceMode)]", + "name": "MaintenanceModePassword", + "type": "Microsoft.Common.PasswordBox", + "defaultValue": "", + "toolTip": "To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here.", + "label": { + "password": "Maintenance Mode password hash", + "confirmPassword": "Confirm Password" + }, + "constraints": { + "required": true, + "validationMessage": "The value must be the output of the hash command." + }, + "options": { + "hideConfirmation": false + } + }, + { + "name": "installationType", + "type": "Microsoft.Common.DropDown", + "label": "Installation type", + "defaultValue": "Management", + "toolTip": "Select the type of deployment", + "constraints": { + "allowedValues": [ + { + "label": "Management", + "value": "management" + }, + { + "label": "Configure manually", + "value": "custom" + } + ] + } + }, + { + "name": "adminShell", + "type": "Microsoft.Common.DropDown", + "label": "Default shell for the admin user", + "defaultValue": "/etc/cli.sh", + "toolTip": "The default shell for the admin user", + "constraints": { + "allowedValues": [ + { + "label": "/etc/cli.sh", + "value": "/etc/cli.sh" + }, + { + "label": "/bin/bash", + "value": "/bin/bash" + }, + { + "label": "/bin/csh", + "value": "/bin/csh" + }, + { + "label": "/bin/tcsh", + "value": "/bin/tcsh" + } + ] + } + }, + { + "name": "managementGUIClientNetwork", + "type": "Microsoft.Common.TextBox", + "label": "Allowed GUI clients", + 
"toolTip": "GUI clients network CIDR", + "constraints": { + "required": true, + "regex": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", + "validationMessage": "Enter a valid IPv4 network CIDR" + }, + "visible": "[equals(steps('chkp').installationType, 'management')]" + }, + { + "name": "bootstrapScript", + "type": "Microsoft.Common.FileUpload", + "label": "Bootstrap script", + "toolTip": "An optional script to run on the initial boot", + "constraints": { + "required": false, + "accept": ".sh,text/plain" + }, + "options": { + "multiple": false, + "uploadMode": "file", + "openMode": "text", + "encoding": "UTF-8" + } + }, + { + "name": "VMDiskType", + "type": "Microsoft.Common.OptionsGroup", + "label": "VM disk type", + "toolTip": "Type of CloudGuard disk.", + "visible": "[not(contains('R81.10' , steps('chkp').cloudGuardVersion))]", + "defaultValue": "Premium", + "constraints": { + "allowedValues": [ + { + "label": "Standard", + "value": "Standard_LRS" + }, + { + "label": "Premium", + "value": "Premium_LRS" + } + ] + } + }, + { + "name": "VMDiskTypeOldVersions", + "type": "Microsoft.Common.OptionsGroup", + "label": "VM disk type", + "toolTip": "Type of CloudGuard disk.", + "visible": "[contains('R81.10' , steps('chkp').cloudGuardVersion)]", + "defaultValue": "Standard", + "constraints": { + "allowedValues": [ + { + "label": "Standard", + "value": "Standard_LRS" + }, + { + "label": "Premium", + "value": "Premium_LRS" + } + ] + } + }, + { + "name": "enableApi", + "type": "Microsoft.Common.DropDown", + "label": "Accept Management API calls", + "defaultValue": "Management server only", + "toolTip": "Select the type of the Management API calls", + "constraints": { + "allowedValues": [ + { + "label": "Management server only", + "value": "management_only" + }, + { + "label": "All IP Addresses that can be used for GUI clients", + "value": "gui_clients" + }, + { + "label": "All IP 
addresses", + "value": "all" + } + ] + }, + "visible": true + }, + { + "visible": "[equals(steps('chkp').installationType, 'management')]", + "name": "allowUploadDownload", + "type": "Microsoft.Common.OptionsGroup", + "label": "Automatically download updates and share statistical data for product improvement purpose", + "defaultValue": "Yes", + "toolTip": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "true" + }, + { + "label": "No", + "value": "false" + } + ] + } + }, + { + "name": "basics settings text block", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "Please follow the Check Point referenced guide for adding disk space.", + "link": { + "label": "Additional disk space in CloudGuard", + "uri": "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk156552" + } + } + }, + { + "name": "additionalDiskSizeGB", + "type": "Microsoft.Common.TextBox", + "label": "Additional disk space (GB)", + "defaultValue": "0", + "toolTip": "Additional disk space (in GB), initial disk size is 100 GB.", + "constraints": { + "regex": "^([0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-2][0-9][0-9][0-9]|3[0-8][0-9][0-9]|399[0-5])$", + "validationMessage": "Select a number between 0 and 3995" + } + }, + { + "name": "useCustomImageUri", + "type": "Microsoft.Common.OptionsGroup", + "label": "Use development image uri", + "defaultValue": "No", + "toolTip": "Use custom image URI.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ], + "required": true + }, + "visible": false + }, + { + "name": "sourceImageVhdUri", + "type": "Microsoft.Common.TextBox", + "label": "Development Image URI", + "toolTip": "The URI of the blob containing the development image", + "constraints": { + "required": 
"[equals(steps('chkp').useCustomImageUri, 'Yes')]", + "regex": "^[a-z0-9A-Z_\\-\\.\\:\\/]{1,500}.vhd$", + "validationMessage": "Only alphanumeric characters and '_','-','.',':','/' are allowed, the value must be 1-500 characters long and must end with .vhd. " + }, + "visible": "[equals(steps('chkp').useCustomImageUri, 'Yes')]" + } + ] + }, + { + "name": "network", + "label": "Network settings", + "subLabel": { + "preValidation": "Configure network settings", + "postValidation": "Done" + }, + "bladeTitle": "Network settings", + "elements": [ + { + "name": "virtualNetwork", + "type": "Microsoft.Network.VirtualNetworkCombo", + "label": { + "virtualNetwork": "Virtual network", + "subnets": "Subnet" + }, + "toolTip": { + "virtualNetwork": "Virtual Network Name", + "subnets": "The subnet to deploy into" + }, + "defaultValue": { + "name": "vnet01", + "addressPrefixSize": "/20" + }, + "constraints": { + "minAddressPrefixSize": "/29" + }, + "options": { + "hideExisting": false + }, + "subnets": { + "subnet1": { + "label": "Management subnet", + "defaultValue": { + "name": "Management", + "addressPrefixSize": "/24" + }, + "constraints": { + "minAddressPrefixSize": "/29", + "minAddressCount": 1, + "requireContiguousAddresses": true + } + } + } + }, + { + "name": "NSG", + "type": "Microsoft.Common.OptionsGroup", + "label": "Network Security Group", + "toolTip": "Choose between using an existing NSG or using a new NSG", + "constraints": { + "allowedValues": [ + { + "label": "Create new", + "value": true + }, + { + "label": "Existing NSG", + "value": false + } + ], + "required": true + }, + "visible": true + }, + { + "name": "nsgSelector", + "type": "Microsoft.Solutions.ResourceSelector", + "label": "Network Security Group", + "defaultValue": "null", + "toolTip": "Choose an existing NSG", + "resourceType": "Microsoft.Network/NetworkSecurityGroups", + "options": { + "filter": { + "subscription": "onBasics", + "location": "onBasics" + } + }, + "constraints": { + "required": true + 
}, + "visible": "[equals(steps('network').NSG, false)]" + }, + { + "name": "NSGName", + "type": "Microsoft.Common.TextBox", + "label": "Name", + "defaultValue": "[concat(basics('gatewayNameUi') , '-nsg')]", + "toolTip": "Insert Name for the new NSG", + "multiLine": false, + "constraints": { + "required": "[steps('network').NSG]", + "regex": "^[a-z0-9A-Z-]{1,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + }, + "visible": "[steps('network').NSG]" + }, + { + "name": "addStorageAccountIpRules", + "type": "Microsoft.Common.OptionsGroup", + "defaultValue": "Network access from all networks", + "label": "Storage Account Network Access", + "toolTip": "Select your preferred network access to the Storage Account, for more information - https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#serial-console-security", + "constraints": { + "allowedValues": [ + { + "label": "Network access from all networks", + "value": false + }, + { + "label": "Network access only from Serial Console", + "value": true + } + ], + "required": true + }, + "visible": true + } + ] + }, + { + "name": "tags", + "label": "Tags", + "elements": [ + { + "name": "tagsByResource", + "type": "Microsoft.Common.TagsByResource", + "toolTip": "Create Azure tags for the new resources", + "resources": [ + "Microsoft.Storage/storageAccounts", + "Microsoft.Network/publicIPAddresses", + "Microsoft.Compute/virtualMachines", + "Microsoft.Network/networkSecurityGroups", + "Microsoft.Network/networkInterfaces", + "Microsoft.Network/routeTables", + "Microsoft.Network/virtualNetworks" + ] + } + ] + } + ], + "outputs": { + "location": "[location()]", + "cloudGuardVersion": "[concat(steps('chkp').cloudGuardVersion, ' - ', coalesce(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "adminPassword": "[basics('auth').password]", + "authenticationType": "[basics('auth').authenticationType]", + "sshPublicKey": 
"[basics('auth').sshPublicKey]", + "vmName": "[basics('gatewayNameUi')]", + "vmSize": "[coalesce(steps('chkp').R8110vmSizeUiBYOL, steps('chkp').R8110vmSizeUiMGMT25, steps('chkp').R8120vmSizeUiBYOL, steps('chkp').R8120vmSizeUiMGMT25)]", + "virtualNetworkName": "[steps('network').virtualNetwork.name]", + "virtualNetworkAddressPrefix": "[steps('network').virtualNetwork.addressPrefix]", + "Subnet1Name": "[steps('network').virtualNetwork.subnets.subnet1.name]", + "Subnet1Prefix": "[steps('network').virtualNetwork.subnets.subnet1.addressPrefix]", + "Subnet1StartAddress": "[steps('network').virtualNetwork.subnets.subnet1.startAddress]", + "vnetNewOrExisting": "[steps('network').virtualNetwork.newOrExisting]", + "virtualNetworkExistingRGName": "[steps('network').virtualNetwork.resourceGroup]", + "managementGUIClientNetwork": "[steps('chkp').managementGUIClientNetwork]", + "installationType": "[steps('chkp').installationType]", + "bootstrapScript": "[steps('chkp').bootstrapScript]", + "allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp').allowUploadDownload, 'true')]", + "additionalDiskSizeGB": "[int(steps('chkp').additionalDiskSizeGB)]", + "diskType": "[if(contains('R81.10' , steps('chkp').cloudGuardVersion) , steps('chkp').VMDiskTypeOldVersions , steps('chkp').VMDiskType)]", + "sourceImageVhdUri": "[coalesce(steps('chkp').sourceImageVhdUri, 'noCustomUri')]", + "enableApi": "[steps('chkp').enableApi]", + "adminShell": "[steps('chkp').adminShell]", + "tagsByResource": "[steps('tags').tagsByResource]", + "deployNewNSG": "[steps('network').NSG]", + "ExistingNSG": "[steps('network').nsgSelector]", + "NewNsgName": "[steps('network').NSGName]", + "addStorageAccountIpRules": "[steps('network').addStorageAccountIpRules]", + "SerialConsolePasswordHash": "[steps('chkp').AdditionalPassword]", + "MaintenanceModePasswordHash": "[steps('chkp').MaintenanceModePassword]" + } + } +} \ No newline at end of file 
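Review bot: The two password-hash inputs in the `chkp` step never check that the value is actually a hash: `AdditionalPassword` only requires `^.{12,300}$` and `MaintenanceModePassword` has no regex at all, although both tool tips say the value must be the output of `openssl passwd -6` or `grub2-mkpasswd-pbkdf2`, so a plaintext password pasted by mistake is accepted and handed to the template as `SerialConsolePasswordHash` / `MaintenanceModePasswordHash`. Anchoring on the known output prefixes catches that at form time: `"regex": "^\\$6\\$.{1,300}$"` for the serial-console hash and `"regex": "^grub\\.pbkdf2\\.sha512\\..{1,500}$"` for the maintenance-mode hash. Separately, the `sourceImageVhdUri` regex ends in `.vhd$` with an unescaped dot, so `^[a-z0-9A-Z_\\-\\.\\:\\/]{1,500}\\.vhd$` is presumably what was intended. Note also that `managementGUIClientNetwork` is the only input restricting the allowed GUI clients and the template parameter it feeds defaults to `0.0.0.0/0` in the next file, so its `required: true` and CIDR regex should stay as they are.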
diff --git a/azure/templates/marketplace-management/mainTemplate.json b/azure/templates/marketplace-management/mainTemplate.json
new file mode 100644
index 00000000..409cb73f
--- /dev/null
+++ b/azure/templates/marketplace-management/mainTemplate.json
@@ -0,0 +1,920 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string", + "metadata": { + "description": "Deployment location" + }, + "defaultValue": "[resourceGroup().location]" + }, + "cloudGuardVersion": { + "type": "string", + "allowedValues": [ + "R81.10 - Bring Your Own License", + "R81.10 - Pay As You Go (MGMT25)", + "R81.20 - Bring Your Own License", + "R81.20 - Pay As You Go (MGMT25)" + ], + "defaultValue": "R81.20 - Bring Your Own License", + "metadata": { + "description": "Version of Check Point CloudGuard" + } + }, + "authenticationType": { + "type": "string", + "allowedValues": [ + "password", + "sshPublicKey" + ], + "defaultValue": "password", + "metadata": { + "description": "Authentication type" + } + }, + "sshPublicKey": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Administrator SSH public key" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Administrator password" + }, + "defaultValue": "" + }, + "MaintenanceModePasswordHash": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "Description": "Maintenance mode password hash, relevant only for R81.20 and higher versions" + } + }, + "SerialConsolePasswordHash": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "Description": "Optional parameter, used to enable serial console connection in case of SSH key as authentication type" + } + }, + "vmName": { + "type": "string", + "metadata": { + "description": "Name of the Check Point Security Gateway" + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_D3_v2", + "metadata": { + "description": "Size of the VM" + } + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "vnet" + }, + "virtualNetworkAddressPrefix": { + 
"type": "string", + "metadata": { + "description": "The address prefix of the virtual network" + }, + "defaultValue": "10.0.0.0/16" + }, + "Subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the 1st subnet" + }, + "defaultValue": "Frontend" + }, + "Subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 1st subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "Subnet1StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the 1st subnet" + }, + "defaultValue": "10.0.1.10" + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "new", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "[resourceGroup().name]" + }, + "managementGUIClientNetwork": { + "type": "string", + "metadata": { + "description": "Allowed GUI clients" + }, + "defaultValue": "0.0.0.0/0" + }, + "installationType": { + "type": "string", + "metadata": { + "description": "Installation Type" + }, + "defaultValue": "management", + "allowedValues": [ + "management", + "custom" + ] + }, + "adminShell": { + "type": "string", + "defaultValue": "/etc/cli.sh", + "allowedValues": [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh" + ], + "metadata": { + "Description": "The default shell for the admin user" + } + }, + "bootstrapScript": { + "type": "string", + "metadata": { + "description": "Bootstrap script" + }, + "defaultValue": "" + }, + "enableApi": { + "type": "string", + "metadata": { + "description": "Accept Management API calls (NOTE: Works only in version R81.10 and above)" + }, + "defaultValue": "management_only", + "allowedValues": [ + "management_only", + "gui_clients", + "all" + ] + }, + 
"allowDownloadFromUploadToCheckPoint": { + "type": "string", + "allowedValues": [ + "true", + "false" + ], + "defaultValue": "true", + "metadata": { + "description": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + } + }, + "additionalDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "metadata": { + "description": "Amount of additional disk space (in GB)" + }, + "minValue": 0, + "maxValue": 3995 + }, + "diskType": { + "type": "string", + "defaultValue": "Standard_LRS", + "metadata": { + "description": "The type of the OS disk. Premium is applicable only to DS machine sizes" + }, + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ] + }, + "msi": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Configure managed service identity for the VM" + } + }, + "sourceImageVhdUri": { + "type": "string", + "defaultValue": "noCustomUri", + "metadata": { + "description": "The URI of the blob containing the development image" + } + }, + "_artifactsLocation": { + "type": "string", + "metadata": { + "description": "Use the following URI when deploying a custom template: https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/" + }, + "defaultValue": "[deployment().properties.templateLink.uri]" + }, + "_artifactsLocationSasToken": { + "type": "securestring", + "metadata": { + "description": "The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. Use the defaultValue if the staging location is not secured." 
+ }, + "defaultValue": "" + }, + "tagsByResource": { + "type": "object", + "defaultValue": {} + }, + "deployNewNSG": { + "type": "bool", + "defaultValue": true + }, + "ExistingNSG": { + "type": "object", + "defaultValue": {} + }, + "NewNsgName": { + "type": "string", + "defaultValue": "[concat(parameters('vmName'),'-nsg')]" + }, + "addStorageAccountIpRules": { + "type": "bool", + "metadata": { + "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled" + }, + "defaultValue": false + }, + "storageAccountAdditionalIps": { + "type": "array", + "metadata": { + "description": "IPs/CIDRs that are allowed access to the Storage Account" + }, + "defaultValue": [] + } + }, + "variables": { + "templateName": "management", + "templateVersion": "20240716", + "location": "[parameters('location')]", + "offers": { + "R81.10 - Bring Your Own License": "BYOL", + "R81.10 - Pay As You Go (MGMT25)": "MGMT25", + "R81.20 - Bring Your Own License": "BYOL", + "R81.20 - Pay As You Go (MGMT25)": "MGMT25" + }, + "offer": "[variables('offers')[parameters('cloudGuardVersion')]]", + "osVersions": { + "R81.10 - Bring Your Own License": "R8110", + "R81.10 - Pay As You Go (MGMT25)": "R8110", + "R81.20 - Bring Your Own License": "R8120", + "R81.20 - Pay As You Go (MGMT25)": "R8120" + }, + "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", + "SerialConsoleGeographies": { + "eastasia": [ + "20.205.69.28", + "20.195.85.180" + ], + "southeastasia": [ + "20.205.69.28", + "20.195.85.180" + ], + "australiacentral": [ + "20.53.53.224", + "20.70.222.112" + ], + "australiacentral2": [ + "20.53.53.224", + "20.70.222.112" + ], + "australiaeast": [ + "20.53.53.224", + "20.70.222.112" + ], + "australiasoutheast": [ + "20.53.53.224", + 
"20.70.222.112" + ], + "brazilsouth": [ + "91.234.136.63", + "20.206.0.194" + ], + "brazilsoutheast": [ + "91.234.136.63", + "20.206.0.194" + ], + "canadacentral": [ + "52.228.86.177", + "52.242.40.90" + ], + "canadaeast": [ + "52.228.86.177", + "52.242.40.90" + ], + "northeurope": [ + "52.146.139.220", + "20.105.209.72" + ], + "westeurope": [ + "52.146.139.220", + "20.105.209.72" + ], + "francecentral": [ + "20.111.0.244", + "52.136.191.10" + ], + "francesouth": [ + "20.111.0.244", + "52.136.191.10" + ], + "germanynorth": [ + "51.116.75.88", + "20.52.95.48" + ], + "germanywestcentral": [ + "51.116.75.88", + "20.52.95.48" + ], + "centralindia": [ + "20.192.168.150", + "20.192.153.104" + ], + "southindia": [ + "20.192.168.150", + "20.192.153.104" + ], + "westindia": [ + "20.192.168.150", + "20.192.153.104" + ], + "japaneast": [ + "20.43.70.205", + "20.189.228.222" + ], + "japanwest": [ + "20.43.70.205", + "20.189.228.222" + ], + "koreacentral": [ + "20.200.196.96", + "52.147.119.29" + ], + "koreasouth": [ + "20.200.196.96", + "52.147.119.29" + ], + "norwaywest": [ + "20.100.1.184", + "51.13.138.76" + ], + "norwayeast": [ + "20.100.1.184", + "51.13.138.76" + ], + "switzerlandnorth": [ + "20.208.4.98", + "51.107.251.190" + ], + "switzerlandwest": [ + "20.208.4.98", + "51.107.251.190" + ], + "uaecentral": [ + "20.45.95.66", + "20.38.141.5" + ], + "uaenorth": [ + "20.45.95.66", + "20.38.141.5" + ], + "uksouth": [ + "20.90.132.144", + "20.58.68.62" + ], + "ukwest": [ + "20.90.132.144", + "20.58.68.62" + ], + "swedencentral": [ + "51.12.72.223", + "51.12.22.174" + ], + "swedensouth": [ + "51.12.72.223", + "51.12.22.174" + ], + "centralus": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "eastus2": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "eastus": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "northcentralus": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + 
"20.83.222.102" + ], + "southcentralus": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "westus2": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "westus3": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "westcentralus": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "westus": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "eastus2euap": [ + "20.45.242.18", + "20.51.21.252" + ], + "centraluseuap": [ + "20.45.242.18", + "20.51.21.252" + ] + }, + "serialConsoleIps": "[if(contains(variables('serialConsoleGeographies'),variables('location')),variables('serialConsoleGeographies')[variables('location')],createArray())]", + "storageAccountIps": "[concat(variables('SerialConsoleIps'),parameters('storageAccountAdditionalIps'))]", + "isBlink": "[bool('false')]", + "storageAccountName": "[concat('bootdiag', uniqueString(resourceGroup().id, deployment().name))]", + "storageAccountType": "Standard_LRS", + "diskSize100GB": 100, + "diskSizeGB": "[add(parameters('additionalDiskSizeGB'), variables('diskSize100GB'))]", + "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', parameters('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'managementGUIClientNetwork=\"', variables('managementGUIClientNetwork'), '\"', '\n', 'enableApi=\"', parameters('enableApi'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n', 'MaintenanceModePassword=\"', 
parameters('MaintenanceModePasswordHash'), '\"', '\n', 'passwordHash=\"', parameters('SerialConsolePasswordHash'), '\"', '\n')]", + "customData64": "[base64(variables('customData'))]", + "imageOffer": "[concat('check-point-cg-', toLower(variables('osVersion')))]", + "imagePublisher": "checkpoint", + "imageReferenceBYOL": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "mgmt-byol", + "version": "latest" + }, + "imageReferenceMGMT25": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "mgmt-25", + "version": "latest" + }, + "imageReferenceMarketplace": "[if(equals(variables('offer'), 'BYOL'), variables('imageReferenceBYOL'), variables('imageReferenceMGMT25'))]", + "customImage": "customImage", + "imageReferenceCustomUri": { + "id": "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + }, + "imageReference": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('imageReferenceMarketplace'), variables('imageReferenceCustomUri'))]", + "nic1Name": "[concat(parameters('vmName'), '-eth0')]", + "linuxConfigurationpassword": { + "disablePasswordAuthentication": "false" + }, + "linuxConfigurationsshPublicKey": { + "disablePasswordAuthentication": "true", + "ssh": { + "publicKeys": [ + { + "keyData": "[parameters('sshPublicKey')]", + "path": "/home/notused/.ssh/authorized_keys" + } + ] + } + }, + "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), variables('linuxConfigurationpassword'), variables('linuxConfigurationsshPublicKey'))]", + "planBYOL": { + "name": "mgmt-byol", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planMGMT25": { + "name": "mgmt-25", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "plan": "[if(equals(variables('offer'), 'BYOL'), variables('planBYOL'), variables('planMGMT25'))]", + "identity": 
"[if(parameters('msi'), json('{\"type\": \"SystemAssigned\"}'), json('null'))]", + "publicIPAddressName": "[parameters('vmName')]", + "publicIPAddressId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName'))]", + "bootstrapScript64": "[base64(parameters('bootstrapScript'))]", + "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]", + "_artifactsLocation": "[if(contains(parameters('_artifactsLocation'),'raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/marketplace'),'https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/',parameters('_artifactsLocation'))]", + "networkSetupURL": "[uri(variables('_artifactsLocation'), concat('nestedtemplates/vnet-1-subnet-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]", + "managementGUIClientNetwork": "[parameters('managementGUIClientNetwork')]", + "deployNewVnet": "[equals(parameters('vnetNewOrExisting'), 'new')]", + "vnetRGName": "[if(variables('deployNewVnet'), resourceGroup().name, parameters('virtualNetworkExistingRGName'))]", + "NewNsgReference": { + "id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('NewNsgName'))]" + } + }, + "resources": [ + { + "apiVersion": "2020-06-01", + "name": "pid-6f13b00a-7546-4ab2-be9f-c66815cc6c8b-partnercenter", + "type": "Microsoft.Resources/deployments", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('storageAccountName')]", + "apiVersion": "2022-09-01", + "properties": { + "supportsHttpsTrafficOnly": true, + "allowBlobPublicAccess": false, + "minimumTlsVersion": "TLS1_2", + "networkAcls": { + "bypass": "None", + "defaultAction": "[if(parameters('addStorageAccountIpRules'), 'Deny', 
'Allow')]", + "ipRules": "[if(parameters('addStorageAccountIpRules'), map(variables('storageAccountIps'), lambda('ip',createObject('action','Allow','value',lambdaVariables('ip')))), createArray())]" + } + }, + "location": "[variables('location')]", + "sku": { + "name": "[variables('storageAccountType')]" + }, + "kind": "Storage", + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Storage/storageAccounts'), parameters('tagsByResource')['Microsoft.Storage/storageAccounts'], json('{}')) ]" + }, + { + "condition": "[equals(parameters('vnetNewOrExisting'), 'new')]", + "name": "networkNewSetup", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + "value": "[variables('location')]" + }, + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + "virtualNetworkAddressPrefix": { + "value": "[parameters('virtualNetworkAddressPrefix')]" + }, + "Subnet1Name": { + "value": "[parameters('Subnet1Name')]" + }, + "Subnet1Prefix": { + "value": "[parameters('Subnet1Prefix')]" + }, + "deployNsg": { + "value": false + }, + "NewNsgName": { + "value": "[parameters('NewNsgName')]" + }, + "tagsByResource": { + "value": "[parameters('tagsByResource')]" + } + } + } + }, + { + "condition": "[equals(parameters('vnetNewOrExisting'), 'existing')]", + "name": "networkExistingSetup", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + "value": "[variables('location')]" + }, + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + "virtualNetworkExistingRGName": { + "value": "[variables('vnetRGName')]" + }, + "vmName": { + "value": 
"[parameters('vmName')]" + }, + "deployNsg": { + "value": false + }, + "NewNsgName": { + "value": "[parameters('NewNsgName')]" + }, + "tagsByResource": { + "value": "[parameters('tagsByResource')]" + } + } + } + }, + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "2020-06-01", + "location": "[variables('location')]", + "name": "[variables('publicIPAddressName')]", + "sku": { + "name": "Standard" + }, + "properties": { + "idleTimeoutInMinutes": 30, + "publicIPAllocationMethod": "Static", + "dnsSettings": { + "domainNameLabel": "[concat(toLower(parameters('vmName')), '-', uniquestring(resourceGroup().id, deployment().name))]" + } + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/publicIPAddresses'), parameters('tagsByResource')['Microsoft.Network/publicIPAddresses'], json('{}')) ]" + }, + { + "condition": "[parameters('deployNewNSG')]", + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2020-06-01", + "location": "[variables('location')]", + "name": "[parameters('NewNsgName')]", + "properties": { + "securityRules": [ + { + "name": "SSH", + "properties": { + "description": "Allow inbound SSH connection", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "22", + "sourceAddressPrefix": "[variables('managementGUIClientNetwork')]", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "100", + "direction": "Inbound" + } + }, + { + "name": "GAiA-portal", + "properties": { + "description": "Allow inbound HTTPS access to the GAiA portal", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "443", + "sourceAddressPrefix": "[variables('managementGUIClientNetwork')]", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "110", + "direction": "Inbound" + } + }, + { + "name": "SmartConsole-1", + "properties": { + "description": "Allow inbound access using the SmartConsole GUI client", + "protocol": "TCP", + "sourcePortRange": "*", + 
"destinationPortRange": "18190", + "sourceAddressPrefix": "[variables('managementGUIClientNetwork')]", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "120", + "direction": "Inbound" + } + }, + { + "name": "SmartConsole-2", + "properties": { + "description": "Allow inbound access using the SmartConsole GUI client", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "19009", + "sourceAddressPrefix": "[variables('managementGUIClientNetwork')]", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "130", + "direction": "Inbound" + } + }, + { + "name": "Logs", + "properties": { + "description": "Allow inbound logging connections from managed gateways", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "257", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "140", + "direction": "Inbound" + } + }, + { + "name": "ICA-pull", + "properties": { + "description": "Allow security gateways to pull a SIC certificate", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "18210", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "150", + "direction": "Inbound" + } + }, + { + "name": "CRL-fetch", + "properties": { + "description": "Allow security gateways to fetch CRLs", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "18264", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "160", + "direction": "Inbound" + } + }, + { + "name": "Policy-fetch", + "properties": { + "description": "Allow security gateways to fetch policy", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "18191", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "170", + "direction": "Inbound" + } + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 
'Microsoft.Network/networkSecurityGroups'), parameters('tagsByResource')['Microsoft.Network/networkSecurityGroups'], json('{}')) ]" + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[coalesce(resourceId('Microsoft.Resources/deployments', 'networkNewSetup'), resourceId('Microsoft.Resources/deployments', 'networkExistingSetup'))]", + "[variables('publicIPAddressId')]" + ], + "location": "[variables('location')]", + "name": "[variables('nic1Name')]", + "properties": { + "enableIPForwarding": false, + "networkSecurityGroup": "[if(parameters('deployNewNSG') , variables('NewNsgReference') , parameters('ExistingNSG'))]", + "ipConfigurations": [ + { + "name": "ipconfig1", + "properties": { + "privateIPAddress": "[parameters('Subnet1StartAddress')]", + "privateIPAllocationMethod": "Static", + "PublicIpAddress": { + "Id": "[variables('publicIPAddressId')]" + }, + "subnet": { + "id": "[resourceId(variables('vnetRGName') ,'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('Subnet1Name'))]" + } + } + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/networkInterfaces'), parameters('tagsByResource')['Microsoft.Network/networkInterfaces'], json('{}')) ]" + }, + { + "condition": "[not(equals(parameters('sourceImageVhdUri'), 'noCustomUri'))]", + "type": "Microsoft.Compute/images", + "apiVersion": "2020-06-01", + "name": "[variables('customImage')]", + "location": "[variables('location')]", + "properties": { + "storageProfile": { + "osDisk": { + "osType": "Linux", + "osState": "Generalized", + "blobUri": "[parameters('sourceImageVhdUri')]", + "storageAccountType": "Standard_LRS" + } + }, + "hyperVGeneration": "V1" + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Compute/images'), parameters('tagsByResource')['Microsoft.Compute/images'], json('{}')) ]" + }, + { + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": 
"2021-07-01", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]", + "[resourceId('Microsoft.Network/networkInterfaces', variables('nic1Name'))]", + "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + ], + "location": "[variables('location')]", + "name": "[parameters('vmName')]", + "plan": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('plan'), json('null'))]", + "identity": "[variables('identity')]", + "properties": { + "UserData": "[variables('customData64')]", + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": "true", + "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2022-09-01').primaryEndpoints.blob]" + } + }, + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nic1Name'))]", + "properties": { + "primary": true + } + } + ] + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "[concat('not','used')]", + "computerName": "[toLower(parameters('vmName'))]", + "customData": "[variables('customData64')]", + "linuxConfiguration": "[variables('linuxConfiguration')]" + }, + "storageProfile": { + "imageReference": "[variables('imageReference')]", + "osDisk": { + "caching": "ReadWrite", + "createOption": "FromImage", + "diskSizeGB": "[variables('diskSizeGB')]", + "name": "[parameters('vmName')]", + "managedDisk": { + "storageAccountType": "[parameters('diskType')]" + } + } + } + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Compute/virtualMachines'), parameters('tagsByResource')['Microsoft.Compute/virtualMachines'], json('{}')) ]" + } + ], + "outputs": { + "IPAddress": { + "type": "string", + "value": "[reference(variables('publicIPAddressId')).IpAddress]" + }, + "FQDN": { + "type": "string", + "value": 
"[reference(variables('publicIPAddressId')).dnsSettings.fqdn]" + } + } +} \ No newline at end of file diff --git a/azure/templates/marketplace-mds/README.md b/azure/templates/marketplace-mds/README.md new file mode 100644 index 00000000..83bf14c5 --- /dev/null +++ b/azure/templates/marketplace-mds/README.md @@ -0,0 +1,21 @@ +# Check Point CloudGuard Network Security MDS for Azure + +Check Point CloudGuard Network Security delivers advanced, multi-layered threat prevention to protect customer assets in Azure from malware and sophisticated threats. As a Microsoft Azure certified solution, CloudGuard Network Security enables you to easily and seamlessly secure your workloads while providing secure connectivity across your cloud and on-premises environments. + +Benefits: + +· Advanced threat prevention and traffic inspection + +· Integrated with Azure Security Center and Azure Sentinel + +· Provides consistent security policy management, enforcement, and reporting with a single pane of glass, using Check Point Unified Security Management + + + + Deploy to Azure + + + +To deploy with full control over all the template options use: [Full Control Deployment](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2Fazure%2Ftemplates%2Fmarketplace-mds%2FmainTemplate.json) + + diff --git a/azure/templates/marketplace-mds/createUiDefinition.json b/azure/templates/marketplace-mds/createUiDefinition.json new file mode 100644 index 00000000..52056087 --- /dev/null +++ b/azure/templates/marketplace-mds/createUiDefinition.json 
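Review bot: `MaintenanceModePasswordHash` and `SerialConsolePasswordHash` are declared `securestring`, but the `customData` variable interpolates them in clear text (only base64-wrapped in `customData64`), and the virtualMachines resource sets that blob as both `osProfile.customData` and `properties.UserData`; Azure user data is readable from inside the guest via IMDS and, as far as I know, by any principal with read access on the VM resource, so the hashes are exposed well beyond the deployment itself. If `/etc/cloud_config.py` only consumes customData, the `"UserData": "[variables('customData64')]"` line should be dropped; otherwise the two parameters' metadata should state that the hash lands in retrievable VM user data so operators pick a strong hash and rotate it on decommission. Separately, `managementGUIClientNetwork` defaults to `0.0.0.0/0`, and with a Standard public IP attached to `nic1` that default leaves SSH/22, GAiA/443 and SmartConsole 18190/19009 open to the internet for every deployment that does not override it; consider removing that `defaultValue` so a prefix must be supplied, and document that the gateway-facing rules (257, 18210, 18264, 18191) intentionally keep `sourceAddressPrefix: "*"`.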
@@ -0,0 +1,637 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Compute.MultiVm", + "version": "0.1.2-preview", + "parameters": { + "basics": [ + { + "name": "CloudGuard MDS deployment guide", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "Please follow the Check Point MDS Deployment for Azure.", + "link": { + "label": "MDS Deployment Guide", + "uri": "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk154436&partition=Basic&product=CloudGuard" + } + } + }, + { + "name": "gatewayNameUi", + "type": "Microsoft.Common.TextBox", + "label": "Server Name", + "toolTip": "The name of the Check Point Multi-Domain Server.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{1,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + } + }, + { + "name": "auth", + "type": "Microsoft.Compute.CredentialsCombo", + "label": { + "authenticationType": "Authentication type", + "password": "Password", + "confirmPassword": "Confirm password", + "sshPublicKey": "SSH public key" + }, + "toolTip": { + "password": "The user 'admin' password", + "sshPublicKey": "Paste an OpenSSH public key. 
You can generate a key pair using ssh-keygen (Linux, OS X, Cygwin) or PuttyGen (Windows)" + }, + "constraints": { + "required": true + }, + "options": { + "hideConfirmation": false, + "hidePassword": false + }, + "osPlatform": "Linux" + } + ], + "steps": [ + { + "name": "chkp", + "label": "Check Point Multi-Domain Server settings", + "subLabel": { + "preValidation": "Configure additional settings", + "postValidation": "Done" + }, + "bladeTitle": "Multi-Domain Server settings", + "elements": [ + { + "name": "cloudGuardVersion", + "type": "Microsoft.Common.DropDown", + "label": "Check Point CloudGuard version", + "defaultValue": "R81.20", + "toolTip": "The version of Check Point CloudGuard.", + "constraints": { + "allowedValues": [ + { + "label": "R81.10", + "value": "R81.10" + }, + { + "label": "R81.20", + "value": "R81.20" + } + ] + } + }, + { + "name": "R80Offer", + "type": "Microsoft.Common.DropDown", + "label": "License type", + "toolTip": "The type of license.", + "defaultValue": "Bring Your Own License", + "visible": true, + "constraints": { + "allowedValues": [ + { + "label": "Bring Your Own License", + "value": "Bring Your Own License" + } + ] + } + }, + { + "name": "R8110vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81.10'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size. 
Minimum of 16 cores and 64 GB RAM is required.", + "recommendedSizes": [ + "Standard_DS5_v2", + "Standard_DS15_v2" + ], + "constraints": { + "excludedSizes": [ + "Standard_A1_v2", + "Standard_D1_v2", + "Standard_DS1_v2", + "Standard_F1", + "Standard_F1s", + "Standard_G1", + "Standard_GS1" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8110", + "sku": "mgmt-byol" + }, + "count": 1 + }, + { + "name": "R8120vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81.20'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size. Minimum of 16 cores and 64 GB RAM is required.", + "recommendedSizes": [ + "Standard_D4ds_v5", + "Standard_D4d_v5" + ], + "constraints": { + "excludedSizes": [ + "Standard_A1_v2", + "Standard_D1_v2", + "Standard_DS1_v2", + "Standard_F1", + "Standard_F1s", + "Standard_G1", + "Standard_GS1" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8120", + "sku": "mgmt-byol" + }, + "count": 1 + }, + { + "name": "installationType", + "type": "Microsoft.Common.DropDown", + "label": "Installation type", + "defaultValue": "Primary Multi-Domain Server", + "toolTip": "Select the type of deployment", + "constraints": { + "allowedValues": [ + { + "label": "Primary Multi-Domain Server", + "value": "mds-primary" + }, + { + "label": "Secondary Multi-Domain Server", + "value": "mds-secondary" + }, + { + "label": "Multi-Domain Log Server", + "value": "mds-logserver" + } + ] + } + }, + { + "name": "SerialPasswordInfoBox", + "type": "Microsoft.Common.InfoBox", + "visible": "[bool(basics('auth').sshPublicKey)]", + "options": { + "icon": "Info", + "text": "Check Point recommends setting serial console password and maintenance-mode password for recovery purposes. 
For R81.10 and below the serial console password is used also as maintenance-mode password" + } + }, + { + "visible": "[bool(basics('auth').sshPublicKey)]", + "name": "EnableSerialConsolePassword", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Serial console password", + "defaultValue": "Yes", + "toolTip": "A unique password hash to enable VM connection via serial console.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": true + }, + { + "label": "No", + "value": false + } + ] + } + }, + { + "name": "AdditionalPassword", + "type": "Microsoft.Common.PasswordBox", + "toolTip": "Serial console password hash, used to enable password authentication (using serial console). To generate password hash use the command 'openssl passwd -6 PASSWORD'", + "visible": "[and(bool(basics('auth').sshPublicKey), steps('chkp').EnableSerialConsolePassword)]", + "label": { + "password": "Password hash", + "confirmPassword": "Confirm password" + }, + "constraints": { + "required": true, + "regex": "^.{12,300}$", + "validationMessage": "The value must be the output of the hash command." + }, + "options": { + "hideConfirmation": false + } + }, + { + "name": "MaintenanceModeInfoBox", + "type": "Microsoft.Common.InfoBox", + "visible": "[and(bool(basics('auth').password), not(contains('R81.10', steps('chkp').cloudGuardVersion)))]", + "options": { + "icon": "Info", + "text": "Check Point recommends setting a maintenance-mode password for recovery purposes." 
+ } + }, + { + "visible": "[not(contains('R81.10', steps('chkp').cloudGuardVersion))]", + "name": "EnableMaintenanceMode", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Maintenance Mode", + "defaultValue": "Yes", + "toolTip": "A unique password hash to enable VM maintenance mode.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": true + }, + { + "label": "No", + "value": false + } + ] + } + }, + { + "visible": "[and(not(contains('R81.10', steps('chkp').cloudGuardVersion)), steps('chkp').EnableMaintenanceMode)]", + "name": "MaintenanceModePassword", + "type": "Microsoft.Common.PasswordBox", + "defaultValue": "", + "toolTip": "To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here.", + "label": { + "password": "Maintenance Mode password hash", + "confirmPassword": "Confirm Password" + }, + "constraints": { + "required": true, + "validationMessage": "The value must be the output of the hash command." + }, + "options": { + "hideConfirmation": false + } + }, + { + "name": "adminShell", + "type": "Microsoft.Common.DropDown", + "label": "Default shell for the admin user", + "defaultValue": "/etc/cli.sh", + "toolTip": "The default shell for the admin user", + "constraints": { + "allowedValues": [ + { + "label": "/etc/cli.sh", + "value": "/etc/cli.sh" + }, + { + "label": "/bin/bash", + "value": "/bin/bash" + }, + { + "label": "/bin/csh", + "value": "/bin/csh" + }, + { + "label": "/bin/tcsh", + "value": "/bin/tcsh" + } + ] + } + }, + { + "name": "managementGUIClientNetwork", + "type": "Microsoft.Common.TextBox", + "label": "Allowed GUI clients", + "toolTip": "GUI clients network CIDR", + "constraints": { + "required": true, + "regex": "(^0\\.0\\.0\\.0\\/0$)|(^(?!0\\.0\\.0\\.0$)(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/32)?$)", + "validationMessage": "Enter a valid IPv4 network CIDR (only 0.0.0.0/0, X.X.X.X/32 or X.X.X.X are 
acceptable)" + }, + "visible": true + }, + { + "name": "sicKeyUi", + "type": "Microsoft.Common.PasswordBox", + "label": { + "password": "SIC key", + "confirmPassword": "Confirm SIC key" + }, + "toolTip": "Set the Secure Internal Communication one time secret used to set up trust between the primary and secondary servers. SIC key must be provided if installing a secondary Multi-Domain Server.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{12,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the value must be 12-30 characters long." + }, + "options": { + "hideConfirmation": false + }, + "visible": "[not(equals(steps('chkp').installationType, 'mds-primary'))]" + }, + { + "name": "bootstrapScript", + "type": "Microsoft.Common.FileUpload", + "label": "Bootstrap script", + "toolTip": "An optional script to run on the initial boot", + "constraints": { + "required": false, + "accept": ".sh,text/plain" + }, + "options": { + "multiple": false, + "uploadMode": "file", + "openMode": "text", + "encoding": "UTF-8" + } + }, + { + "name": "allowUploadDownload", + "type": "Microsoft.Common.OptionsGroup", + "label": "Automatically download updates and share statistical data for product improvement purpose", + "defaultValue": "Yes", + "toolTip": "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "true" + }, + { + "label": "No", + "value": "false" + } + ] + } + }, + { + "name": "basics settings text block", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "Please follow the Check Point referenced guide for adding disk space.", + "link": { + "label": "Additional disk space in CloudGuard", + "uri": "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk156552" + } + } + }, + { + "name": "additionalDiskSizeGB", + "type": "Microsoft.Common.TextBox", + "label": "Additional disk space (GB)", + "defaultValue": "0", + "toolTip": "Additional disk space (in GB), initial disk size is 100 GB.", + "constraints": { + "regex": "^([0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-2][0-9][0-9][0-9]|3[0-8][0-9][0-9]|399[0-5])$", + "validationMessage": "Select a number between 0 and 3995" + } + }, + { + "name": "VMDiskType", + "type": "Microsoft.Common.OptionsGroup", + "label": "VM disk type", + "toolTip": "Type of CloudGuard disk.", + "visible": "[not(contains('R81.10' , steps('chkp').cloudGuardVersion))]", + "defaultValue": "Premium", + "constraints": { + "allowedValues": [ + { + "label": "Standard", + "value": "Standard_LRS" + }, + { + "label": "Premium", + "value": "Premium_LRS" + } + ] + } + }, + { + "name": "VMDiskTypeOldVersions", + "type": "Microsoft.Common.OptionsGroup", + "label": "VM disk type", + "toolTip": "Type of CloudGuard disk.", + "visible": "[contains('R81.10' , steps('chkp').cloudGuardVersion)]", + "defaultValue": "Standard", + "constraints": { + "allowedValues": [ + { + "label": "Standard", + "value": "Standard_LRS" + }, + { + "label": "Premium", + "value": "Premium_LRS" + } + ] + } + }, + { + "name": "useCustomImageUri", + "type": "Microsoft.Common.OptionsGroup", + "label": "Use custom image uri", + "defaultValue": "No", + "toolTip": "Use custom 
image URI.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ], + "required": true + }, + "visible": false + }, + { + "name": "sourceImageVhdUri", + "type": "Microsoft.Common.TextBox", + "label": "Development Image URI", + "toolTip": "The URI of the blob containing the development image", + "constraints": { + "required": "[equals(steps('chkp').useCustomImageUri, 'Yes')]", + "regex": "^[a-z0-9A-Z_\\-\\.\\:\\/]{1,500}.vhd$", + "validationMessage": "Only alphanumeric characters and '_','-','.',':','/' are allowed, the value must be 1-500 characters long and must end with .vhd. " + }, + "visible": "[equals(steps('chkp').useCustomImageUri, 'Yes')]" + } + ] + }, + { + "name": "network", + "label": "Network settings", + "subLabel": { + "preValidation": "Configure network settings", + "postValidation": "Done" + }, + "bladeTitle": "Network settings", + "elements": [ + { + "name": "virtualNetwork", + "type": "Microsoft.Network.VirtualNetworkCombo", + "label": { + "virtualNetwork": "Virtual network", + "subnets": "Subnet" + }, + "toolTip": { + "virtualNetwork": "Virtual Network Name", + "subnets": "The subnet to deploy into" + }, + "defaultValue": { + "name": "vnet01", + "addressPrefixSize": "/20" + }, + "constraints": { + "minAddressPrefixSize": "/29" + }, + "options": { + "hideExisting": false + }, + "subnets": { + "subnet1": { + "label": "Multi-Domain Server subnet", + "defaultValue": { + "name": "Multi-Domain-Server", + "addressPrefixSize": "/24" + }, + "constraints": { + "minAddressPrefixSize": "/29", + "minAddressCount": 1, + "requireContiguousAddresses": true + } + } + } + }, + { + "name": "NSG", + "type": "Microsoft.Common.OptionsGroup", + "label": "Network Security Group", + "toolTip": "Choose between using an existing NSG or using a new NSG", + "constraints": { + "allowedValues": [ + { + "label": "Create new", + "value": true + }, + { + "label": "Existing NSG", + "value": false + } + ], + 
"required": true + }, + "visible": true + }, + { + "name": "nsgSelector", + "type": "Microsoft.Solutions.ResourceSelector", + "label": "Network Security Group", + "defaultValue": "null", + "toolTip": "Choose an existing NSG", + "resourceType": "Microsoft.Network/NetworkSecurityGroups", + "options": { + "filter": { + "subscription": "onBasics", + "location": "onBasics" + } + }, + "constraints": { + "required": true + }, + "visible": "[equals(steps('network').NSG, false)]" + }, + { + "name": "NSGName", + "type": "Microsoft.Common.TextBox", + "label": "Name", + "defaultValue": "[concat(basics('gatewayNameUi') , '-nsg')]", + "toolTip": "Insert Name for the new NSG", + "multiLine": false, + "constraints": { + "required": "[steps('network').NSG]", + "regex": "^[a-z0-9A-Z-]{1,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + }, + "visible": "[steps('network').NSG]" + }, + { + "name": "addStorageAccountIpRules", + "type": "Microsoft.Common.OptionsGroup", + "defaultValue": "Network access from all networks", + "label": "Storage Account Network Access", + "toolTip": "Select your preferred network access to the Storage Account, for more information - https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#serial-console-security", + "constraints": { + "allowedValues": [ + { + "label": "Network access from all networks", + "value": false + }, + { + "label": "Network access only from Serial Console", + "value": true + } + ], + "required": true + }, + "visible": true + } + ] + }, + { + "name": "tags", + "label": "Tags", + "elements": [ + { + "name": "tagsByResource", + "type": "Microsoft.Common.TagsByResource", + "toolTip": "Create Azure tags for the new resources", + "resources": [ + "Microsoft.Storage/storageAccounts", + "Microsoft.Network/publicIPAddresses", + "Microsoft.Network/networkSecurityGroups", + "Microsoft.Network/networkInterfaces", + 
"Microsoft.Compute/virtualMachines", + "Microsoft.Network/routeTables", + "Microsoft.Network/virtualNetworks" + ] + } + ] + } + ], + "outputs": { + "location": "[location()]", + "cloudGuardVersion": "[concat(steps('chkp').cloudGuardVersion, ' - ', coalesce(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "adminPassword": "[basics('auth').password]", + "authenticationType": "[basics('auth').authenticationType]", + "sshPublicKey": "[basics('auth').sshPublicKey]", + "vmName": "[basics('gatewayNameUi')]", + "vmSize": "[coalesce(steps('chkp').R8110vmSizeUiBYOL, steps('chkp').R8120vmSizeUiBYOL)]", + "virtualNetworkName": "[steps('network').virtualNetwork.name]", + "virtualNetworkAddressPrefix": "[steps('network').virtualNetwork.addressPrefix]", + "Subnet1Name": "[steps('network').virtualNetwork.subnets.subnet1.name]", + "Subnet1Prefix": "[steps('network').virtualNetwork.subnets.subnet1.addressPrefix]", + "Subnet1StartAddress": "[steps('network').virtualNetwork.subnets.subnet1.startAddress]", + "vnetNewOrExisting": "[steps('network').virtualNetwork.newOrExisting]", + "virtualNetworkExistingRGName": "[steps('network').virtualNetwork.resourceGroup]", + "managementGUIClientNetwork": "[if(contains(steps('chkp').managementGUIClientNetwork, '/'), steps('chkp').managementGUIClientNetwork, concat(steps('chkp').managementGUIClientNetwork, '/32'))]", + "sicKey": "[coalesce(steps('chkp').sicKeyUi, 'notused')]", + "installationType": "[steps('chkp').installationType]", + "bootstrapScript": "[steps('chkp').bootstrapScript]", + "allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp').allowUploadDownload, 'true')]", + "additionalDiskSizeGB": "[int(steps('chkp').additionalDiskSizeGB)]", + "diskType": "[if(contains('R81.10' , steps('chkp').cloudGuardVersion) , steps('chkp').VMDiskTypeOldVersions , steps('chkp').VMDiskType)]", + "sourceImageVhdUri": "[coalesce(steps('chkp').sourceImageVhdUri, 'noCustomUri')]", + "adminShell": "[steps('chkp').adminShell]", + "tagsByResource": 
"[steps('tags').tagsByResource]",
+ "deployNewNSG": "[steps('network').NSG]",
+ "ExistingNSG": "[steps('network').nsgSelector]",
+ "NewNsgName": "[steps('network').NSGName]",
+ "addStorageAccountIpRules": "[steps('network').addStorageAccountIpRules]",
+ "SerialConsolePasswordHash": "[steps('chkp').AdditionalPassword]",
+ "MaintenanceModePasswordHash": "[steps('chkp').MaintenanceModePassword]"
+ }
+ }
+}
\ No newline at end of file
diff --git a/azure/templates/marketplace-mds/mainTemplate.json b/azure/templates/marketplace-mds/mainTemplate.json
new file mode 100644
index 00000000..91f313fc
--- /dev/null
+++ b/azure/templates/marketplace-mds/mainTemplate.json
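Review bot: The two password-hash boxes in the `chkp` step accept values that are not hashes — `AdditionalPassword` only checks `"regex": "^.{12,300}$"` and `MaintenanceModePassword` has no regex at all — so a plaintext password pasted by mistake passes validation and, judging by the `SerialConsolePasswordHash` / `MaintenanceModePasswordHash` outputs at the end of the hunk, is forwarded to the template as if it were a hash. Since the tooltips already name the generators (`openssl passwd -6` and `grub2-mkpasswd-pbkdf2`), the constraints can pin their output formats, e.g. `"regex": "^\\$6\\$.+\\$[./0-9A-Za-z]{86}$"` for the serial-console box and `"regex": "^grub\\.pbkdf2\\.sha512\\.[0-9]+\\.[0-9A-Fa-f]+\\.[0-9A-Fa-f]+$"` for the maintenance-mode box, keeping the existing validationMessage. Separately, the `managementGUIClientNetwork` regex admits only `0.0.0.0/0`, a bare address or a `/32`, so an administrator whose management clients sit in a /24 has no valid entry other than opening SSH, the GAiA portal and SmartConsole to every source; accepting any prefix length, or at least surfacing an InfoBox when `0.0.0.0/0` is entered, would avoid steering users toward the widest rule. The createUiDefinition.json hunk ends here; the mainTemplate.json hunk that consumes these outputs continues past this chunk.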
@@ -0,0 +1,903 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "Deployment location"
+ },
+ "defaultValue": "[resourceGroup().location]"
+ },
+ "cloudGuardVersion": {
+ "type": "string",
+ "allowedValues": [
+ "R81.10 - Bring Your Own License",
+ "R81.20 - Bring Your Own License"
+ ],
+ "defaultValue": "R81.20 - Bring Your Own License",
+ "metadata": {
+ "description": "Version of Check Point CloudGuard"
+ }
+ },
+ "authenticationType": {
+ "type": "string",
+ "allowedValues": [
+ "password",
+ "sshPublicKey"
+ ],
+ "defaultValue": "password",
+ "metadata": {
+ "description": "Authentication type"
+ }
+ },
+ "sshPublicKey": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Administrator SSH public key"
+ }
+ },
+ "adminPassword": {
+ "type": "securestring",
+ "metadata": {
+ "description": "Administrator password"
+ },
+ "defaultValue": ""
+ },
+ "MaintenanceModePasswordHash": {
+ "type": "securestring",
+ "defaultValue": "",
+ "metadata": {
+ "Description": "Maintenance mode password hash, relevant only for R81.20 and higher versions"
+ }
+ },
+ "SerialConsolePasswordHash": {
+ "type": "securestring",
+ "defaultValue": "",
+ "metadata": {
+ "Description": "Optional parameter, used to enable serial console connection in case of SSH key as authentication type"
+ }
+ },
+ "vmName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the Check Point Multi-Domain Server."
+ } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_DS5_v2", + "metadata": { + "description": "Size of the VM" + } + }, + "adminShell": { + "type": "string", + "defaultValue": "/etc/cli.sh", + "allowedValues": [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh" + ], + "metadata": { + "Description": "The default shell for the admin user" + } + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "vnet01" + }, + "virtualNetworkAddressPrefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the virtual network" + }, + "defaultValue": "10.0.0.0/16" + }, + "Subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the subnet" + }, + "defaultValue": "Multi-Domain-Server" + }, + "Subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "Subnet1StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the subnet" + }, + "defaultValue": "10.0.1.10" + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "new", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "[resourceGroup().name]" + }, + "managementGUIClientNetwork": { + "type": "string", + "metadata": { + "description": "Allowed GUI clients" + }, + "defaultValue": "0.0.0.0/0" + }, + "sicKey": { + "type": "securestring", + "metadata": { + "description": "One time key for Secure Internal Communication" + } + }, + "installationType": { + "type": "string", + "metadata": { + "description": "Installation Type" + }, + "defaultValue": "mds-primary", + 
"allowedValues": [ + "mds-primary", + "mds-secondary", + "mds-logserver" + ] + }, + "bootstrapScript": { + "type": "string", + "metadata": { + "description": "Bootstrap script" + }, + "defaultValue": "" + }, + "allowDownloadFromUploadToCheckPoint": { + "type": "string", + "allowedValues": [ + "true", + "false" + ], + "defaultValue": "true", + "metadata": { + "description": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + } + }, + "additionalDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "metadata": { + "description": "Amount of additional disk space (in GB)" + }, + "minValue": 0, + "maxValue": 3995 + }, + "diskType": { + "type": "string", + "defaultValue": "Standard_LRS", + "metadata": { + "description": "The type of the OS disk. Premium is applicable only to DS machine sizes" + }, + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ] + }, + "msi": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Configure managed service identity for the VM" + } + }, + "sourceImageVhdUri": { + "type": "string", + "defaultValue": "noCustomUri", + "metadata": { + "description": "The URI of the blob containing the development image" + } + }, + "_artifactsLocation": { + "type": "string", + "metadata": { + "description": "Use the following URI when deploying a custom template: https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/" + }, + "defaultValue": "[deployment().properties.templateLink.uri]" + }, + "_artifactsLocationSasToken": { + "type": "securestring", + "metadata": { + "description": "The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. Use the defaultValue if the staging location is not secured." 
+ }, + "defaultValue": "" + }, + "tagsByResource": { + "type": "object", + "defaultValue": {} + }, + "deployNewNSG": { + "type": "bool", + "defaultValue": true + }, + "ExistingNSG": { + "type": "object", + "defaultValue": {} + }, + "NewNsgName": { + "type": "string", + "defaultValue": "[concat(parameters('vmName'),'-nsg')]" + }, + "addStorageAccountIpRules": { + "type": "bool", + "metadata": { + "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled" + }, + "defaultValue": false + }, + "storageAccountAdditionalIps": { + "type": "array", + "metadata": { + "description": "IPs/CIDRs that are allowed access to the Storage Account" + }, + "defaultValue": [] + } + }, + "variables": { + "templateName": "mds", + "templateVersion": "20240716", + "location": "[parameters('location')]", + "offers": { + "R81.10 - Bring Your Own License": "BYOL", + "R81.20 - Bring Your Own License": "BYOL" + }, + "offer": "[variables('offers')[parameters('cloudGuardVersion')]]", + "osVersions": { + "R81.10 - Bring Your Own License": "R8110", + "R81.20 - Bring Your Own License": "R8120" + }, + "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", + "serialConsoleGeographies": { + "astasia": [ + "20.205.69.28" + ], + "southeastasia": [ + "20.205.69.28", + "20.195.85.180" + ], + "eastasia": [ + "20.195.85.180" + ], + "australiacentral": [ + "20.53.53.224", + "20.70.222.112" + ], + "australiacentral2": [ + "20.53.53.224", + "20.70.222.112" + ], + "australiaeast": [ + "20.53.53.224", + "20.70.222.112" + ], + "australiasoutheast": [ + "20.53.53.224", + "20.70.222.112" + ], + "brazilsouth": [ + "91.234.136.63", + "20.206.0.194" + ], + "brazilsoutheast": [ + "91.234.136.63", + "20.206.0.194" + ], + "canadacentral": [ + 
"52.228.86.177", + "52.242.40.90" + ], + "canadaeast": [ + "52.228.86.177", + "52.242.40.90" + ], + "northeurope": [ + "52.146.139.220", + "20.105.209.72" + ], + "westeurope": [ + "52.146.139.220", + "20.105.209.72" + ], + "francecentral": [ + "20.111.0.244", + "52.136.191.10" + ], + "francesouth": [ + "20.111.0.244", + "52.136.191.10" + ], + "germanynorth": [ + "51.116.75.88", + "20.52.95.48" + ], + "germanywestcentral": [ + "51.116.75.88", + "20.52.95.48" + ], + "centralindia": [ + "20.192.168.150", + "20.192.153.104" + ], + "southindia": [ + "20.192.168.150", + "20.192.153.104" + ], + "westindia": [ + "20.192.168.150", + "20.192.153.104" + ], + "japaneast": [ + "20.43.70.205", + "20.189.228.222" + ], + "japanwest": [ + "20.43.70.205", + "20.189.228.222" + ], + "koreacentral": [ + "20.200.196.96", + "52.147.119.29" + ], + "koreasouth": [ + "20.200.196.96", + "52.147.119.29" + ], + "norwaywest": [ + "20.100.1.184", + "51.13.138.76" + ], + "norwayeast": [ + "20.100.1.184", + "51.13.138.76" + ], + "switzerlandnorth": [ + "20.208.4.98", + "51.107.251.190" + ], + "switzerlandwest": [ + "20.208.4.98", + "51.107.251.190" + ], + "uaecentral": [ + "20.45.95.66", + "20.38.141.5" + ], + "uaenorth": [ + "20.45.95.66", + "20.38.141.5" + ], + "uksouth": [ + "20.90.132.144", + "20.58.68.62" + ], + "ukwest": [ + "20.90.132.144", + "20.58.68.62" + ], + "swedencentral": [ + "51.12.72.223", + "51.12.22.174" + ], + "swedensouth": [ + "51.12.72.223", + "51.12.22.174" + ], + "centralus": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "eastus2": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "eastus": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "northcentralus": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "southcentralus": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "westus2": [ + "20.98.146.84", + "20.98.194.64", 
+ "20.69.5.162", + "20.83.222.102" + ], + "westus3": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "westcentralus": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "westus": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "eastus2euap": [ + "20.45.242.18", + "20.51.21.252" + ], + "centraluseuap": [ + "20.45.242.18", + "20.51.21.252" + ] + }, + "serialConsoleIps": "[if(contains(variables('serialConsoleGeographies'),variables('location')),variables('serialConsoleGeographies')[variables('location')],createArray())]", + "storageAccountIps": "[concat(variables('SerialConsoleIps'),parameters('storageAccountAdditionalIps'))]", + "isBlink": "[bool('false')]", + "primary": "[equals(parameters('installationType'), 'mds-primary')]", + "secondary": "[equals(parameters('installationType'), 'mds-secondary')]", + "logserver": "[equals(parameters('installationType'), 'mds-logserver')]", + "storageAccountName": "[concat('bootdiag', uniqueString(resourceGroup().id, deployment().name))]", + "storageAccountType": "Standard_LRS", + "diskSize100GB": 100, + "diskSizeGB": "[add(parameters('additionalDiskSizeGB'), variables('diskSize100GB'))]", + "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', parameters('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'managementGUIClientNetwork=\"', variables('managementGUIClientNetwork'), '\"', '\n', 'sicKey=\"', parameters('sicKey'), '\"', '\n', 'primary=\"', variables('primary'), '\"', '\n', 'secondary=\"', 
variables('secondary'), '\"', '\n', 'logserver=\"', variables('logserver'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n', 'MaintenanceModePassword=\"', parameters('MaintenanceModePasswordHash'), '\"', '\n', 'passwordHash=\"', parameters('SerialConsolePasswordHash'), '\"', '\n')]", + "customData64": "[base64(variables('customData'))]", + "imageOffer": "[concat('check-point-cg-', toLower(variables('osVersion')))]", + "imagePublisher": "checkpoint", + "imageReferenceBYOL": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "mgmt-byol", + "version": "latest" + }, + "imageReferenceMarketplace": "[variables('imageReferenceBYOL')]", + "customImage": "customImage", + "imageReferenceCustomUri": { + "id": "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + }, + "imageReference": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('imageReferenceMarketplace'), variables('imageReferenceCustomUri'))]", + "nic1Name": "[concat(parameters('vmName'), '-eth0')]", + "linuxConfigurationpassword": { + "disablePasswordAuthentication": "false" + }, + "linuxConfigurationsshPublicKey": { + "disablePasswordAuthentication": "true", + "ssh": { + "publicKeys": [ + { + "keyData": "[parameters('sshPublicKey')]", + "path": "/home/notused/.ssh/authorized_keys" + } + ] + } + }, + "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), variables('linuxConfigurationpassword'), variables('linuxConfigurationsshPublicKey'))]", + "planBYOL": { + "name": "mgmt-byol", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "plan": "[if(equals(variables('offer'), 'BYOL'), variables('planBYOL'), variables('planBYOL'))]", + "identity": "[if(parameters('msi'), json('{\"type\": \"SystemAssigned\"}'), json('null'))]", + "publicIPAddressName": "[parameters('vmName')]", + "publicIPAddressId": "[resourceId('Microsoft.Network/publicIPAddresses', 
variables('publicIPAddressName'))]",
+ "bootstrapScript64": "[base64(parameters('bootstrapScript'))]",
+ "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]",
+ "_artifactsLocation": "[if(contains(parameters('_artifactsLocation'),'raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/marketplace'),'https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/',parameters('_artifactsLocation'))]",
+ "networkSetupURL": "[uri(variables('_artifactsLocation'), concat('nestedtemplates/vnet-1-subnet-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]",
+ "managementGUIClientNetwork": "[parameters('managementGUIClientNetwork')]",
+ "deployNewVnet": "[equals(parameters('vnetNewOrExisting'), 'new')]",
+ "vnetRGName": "[if(variables('deployNewVnet'), resourceGroup().name, parameters('virtualNetworkExistingRGName'))]",
+ "NewNsgReference": {
+ "id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('NewNsgName'))]"
+ }
+ },
+ "resources": [
+ {
+ "apiVersion": "2020-06-01",
+ "name": "pid-6f13b00a-7546-4ab2-be9f-c66815cc6c8b-partnercenter",
+ "type": "Microsoft.Resources/deployments",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": []
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "name": "[variables('storageAccountName')]",
+ "apiVersion": "2022-09-01",
+ "properties": {
+ "supportsHttpsTrafficOnly": true,
+ "allowBlobPublicAccess": false,
+ "minimumTlsVersion": "TLS1_2",
+ "networkAcls": {
+ "bypass": "None",
+ "defaultAction": "[if(parameters('addStorageAccountIpRules'), 'Deny', 'Allow')]",
+ "ipRules": "[if(parameters('addStorageAccountIpRules'), map(variables('storageAccountIps'), lambda('ip',createObject('action','Allow','value',lambdaVariables('ip')))), createArray())]"
+ }
+ },
+ "location": "[variables('location')]",
+ "sku": {
+ "name": "[variables('storageAccountType')]"
+ },
+ "kind": "Storage",
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Storage/storageAccounts'), parameters('tagsByResource')['Microsoft.Storage/storageAccounts'], json('{}')) ]"
+ },
+ {
+ "condition": "[equals(parameters('vnetNewOrExisting'), 'new')]",
+ "name": "networkNewSetup",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "[variables('networkSetupURL')]",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "location": {
+ "value": "[variables('location')]"
+ },
+ "virtualNetworkName": {
+ "value": "[parameters('virtualNetworkName')]"
+ },
+ "virtualNetworkAddressPrefix": {
+ "value": "[parameters('virtualNetworkAddressPrefix')]"
+ },
+ "Subnet1Name": {
+ "value": "[parameters('Subnet1Name')]"
+ },
+ "Subnet1Prefix": {
+ "value": "[parameters('Subnet1Prefix')]"
+ },
+ "tagsByResource": {
+ "value": "[parameters('tagsByResource')]"
+ },
+ "deployNsg": {
+ "value": false
+ },
+ "NewNsgName": {
+ "value": "[parameters('NewNsgName')]"
+ }
+ }
+ }
+ },
+ {
+ "condition": "[equals(parameters('vnetNewOrExisting'), 'existing')]",
+ "name": "networkExistingSetup",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "[variables('networkSetupURL')]",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "location": {
+ "value": "[variables('location')]"
+ },
+ "virtualNetworkName": {
+ "value": "[parameters('virtualNetworkName')]"
+ },
+ "virtualNetworkExistingRGName": {
+ "value": "[variables('vnetRGName')]"
+ },
+ "vmName": {
+ "value": "[parameters('vmName')]"
+ },
+ "tagsByResource": {
+ "value": "[parameters('tagsByResource')]"
+ },
+ "deployNsg": {
+ "value": false
+ },
+ "NewNsgName": {
+ "value": "[parameters('NewNsgName')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Network/publicIPAddresses",
+ "apiVersion": "2020-06-01",
+ "location": "[variables('location')]",
+ "name": "[variables('publicIPAddressName')]",
+ "sku": {
+ "name": "Standard"
+ },
+ "properties": {
+ "idleTimeoutInMinutes": 30,
+ "publicIPAllocationMethod": "Static",
+ "dnsSettings": {
+ "domainNameLabel": "[concat(toLower(parameters('vmName')), '-', uniquestring(resourceGroup().id, deployment().name))]"
+ }
+ },
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/publicIPAddresses'), parameters('tagsByResource')['Microsoft.Network/publicIPAddresses'], json('{}')) ]"
+ },
+ {
+ "condition": "[parameters('deployNewNSG')]",
+ "type": "Microsoft.Network/networkSecurityGroups",
+ "apiVersion": "2020-06-01",
+ "location": "[variables('location')]",
+ "name": "[parameters('NewNsgName')]",
+ "properties": {
+ "securityRules": [
+ {
+ "name": "SSH",
+ "properties": {
+ "description": "Allow inbound SSH connection",
+ "protocol": "TCP",
+ "sourcePortRange": "*",
+ "destinationPortRange": "22",
+ "sourceAddressPrefix": "[variables('managementGUIClientNetwork')]",
+ "destinationAddressPrefix": "*",
+ "access": "Allow",
+ "priority": "100",
+ "direction": "Inbound"
+ }
+ },
+ {
+ "name": "GAiA-portal",
+ "properties": {
+ "description": "Allow inbound HTTPS access to the GAiA portal",
+ "protocol": "TCP",
+ "sourcePortRange": "*",
+ "destinationPortRange": "443",
+ "sourceAddressPrefix": "[variables('managementGUIClientNetwork')]",
+ "destinationAddressPrefix": "*",
+ "access": "Allow",
+ "priority": "110",
+ "direction": "Inbound"
+ }
+ },
+ {
+ "name": "SmartConsole-1",
+ "properties": {
+ "description": "Allow inbound access using the SmartConsole GUI client",
+ "protocol": "TCP",
+ "sourcePortRange": "*",
+ "destinationPortRange": "18190",
+ "sourceAddressPrefix": "[variables('managementGUIClientNetwork')]",
+ "destinationAddressPrefix": "*",
+ "access": "Allow",
+ "priority": "120",
+ "direction": "Inbound"
+ }
+ },
+ {
+ "name": "SmartConsole-2",
+ "properties": {
+ "description": "Allow inbound access using the SmartConsole GUI client",
+ "protocol": "TCP",
+ "sourcePortRange": "*",
+ "destinationPortRange": "19009",
+ "sourceAddressPrefix": "[variables('managementGUIClientNetwork')]",
+ "destinationAddressPrefix": "*",
+ "access": "Allow",
+ "priority": "130",
+ "direction": "Inbound"
+ }
+ },
+ {
+ "name": "Logs",
+ "properties": {
+ "description": "Allow inbound logging connections from managed gateways",
+ "protocol": "TCP",
+ "sourcePortRange": "*",
+ "destinationPortRange": "257",
+ "sourceAddressPrefix": "*",
+ "destinationAddressPrefix": "*",
+ "access": "Allow",
+ "priority": "140",
+ "direction": "Inbound"
+ }
+ },
+ {
+ "name": "ICA-pull",
+ "properties": {
+ "description": "Allow security gateways to pull a SIC certificate",
+ "protocol": "TCP",
+ "sourcePortRange": "*",
+ "destinationPortRange": "18210",
+ "sourceAddressPrefix": "*",
+ "destinationAddressPrefix": "*",
+ "access": "Allow",
+ "priority": "150",
+ "direction": "Inbound"
+ }
+ },
+ {
+ "name": "CRL-fetch",
+ "properties": {
+ "description": "Allow security gateways to fetch CRLs",
+ "protocol": "TCP",
+ "sourcePortRange": "*",
+ "destinationPortRange": "18264",
+ "sourceAddressPrefix": "*",
+ "destinationAddressPrefix": "*",
+ "access": "Allow",
+ "priority": "160",
+ "direction": "Inbound"
+ }
+ },
+ {
+ "name": "Policy-fetch",
+ "properties": {
+ "description": "Allow security gateways to fetch policy",
+ "protocol": "TCP",
+ "sourcePortRange": "*",
+ "destinationPortRange": "18191",
+ "sourceAddressPrefix": "*",
+ "destinationAddressPrefix": "*",
+ "access": "Allow",
+ "priority": "170",
+ "direction": "Inbound"
+ }
+ }
+ ]
+ },
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/networkSecurityGroups'), parameters('tagsByResource')['Microsoft.Network/networkSecurityGroups'], json('{}')) ]"
+ },
+ {
+ "type": "Microsoft.Network/networkInterfaces",
+ "apiVersion": "2020-06-01",
+ "dependsOn": [
+ "[coalesce(resourceId('Microsoft.Resources/deployments', 'networkNewSetup'), resourceId('Microsoft.Resources/deployments', 'networkExistingSetup'))]",
+ "[variables('publicIPAddressId')]"
+ ],
+ "location": "[variables('location')]",
+ "name": "[variables('nic1Name')]",
+ "properties": {
+ "enableIPForwarding": false,
+ "networkSecurityGroup": "[if(parameters('deployNewNSG') , variables('NewNsgReference') , parameters('ExistingNSG'))]",
+ "ipConfigurations": [
+ {
+ "name": "ipconfig1",
+ "properties": {
+ "privateIPAddress": "[parameters('Subnet1StartAddress')]",
+ "privateIPAllocationMethod": "Static",
+ "PublicIpAddress": {
+ "Id": "[variables('publicIPAddressId')]"
+ },
+ "subnet": {
+ "id": "[resourceId(variables('vnetRGName') ,'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('Subnet1Name'))]"
+ }
+ }
+ }
+ ]
+ },
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/networkInterfaces'), parameters('tagsByResource')['Microsoft.Network/networkInterfaces'], json('{}')) ]"
+ },
+ {
+ "condition": "[not(equals(parameters('sourceImageVhdUri'), 'noCustomUri'))]",
+ "type": "Microsoft.Compute/images",
+ "apiVersion": "2020-06-01",
+ "name": "[variables('customImage')]",
+ "location": "[variables('location')]",
+ "properties": {
+ "storageProfile": {
+ "osDisk": {
+ "osType": "Linux",
+ "osState": "Generalized",
+ "blobUri": "[parameters('sourceImageVhdUri')]",
+ "storageAccountType": "Standard_LRS"
+ }
+ },
+ "hyperVGeneration": "V1"
+ },
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Compute/images'), parameters('tagsByResource')['Microsoft.Compute/images'], json('{}')) ]"
+ },
+ {
+ "type": "Microsoft.Compute/virtualMachines",
+ "apiVersion": "2021-07-01",
+ "dependsOn": [
+ "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",
+ "[resourceId('Microsoft.Network/networkInterfaces', variables('nic1Name'))]",
+ "[resourceId('Microsoft.Compute/images/', variables('customImage'))]"
+ ],
+ "location": "[variables('location')]",
+ "name": "[parameters('vmName')]",
+ "plan": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('plan'), json('null'))]",
+ "identity": "[variables('identity')]",
+ "properties": {
+ "UserData": "[variables('customData64')]",
+ "diagnosticsProfile": {
+ "bootDiagnostics": {
+ "enabled": "true",
+ "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2022-09-01').primaryEndpoints.blob]"
+ }
+ },
+ "hardwareProfile": {
+ "vmSize": "[parameters('vmSize')]"
+ },
+ "networkProfile": {
+ "networkInterfaces": [
+ {
+ "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nic1Name'))]",
+ "properties": {
+ "primary": true
+ }
+ }
+ ]
+ },
+ "osProfile": {
+ "adminPassword": "[parameters('adminPassword')]",
+ "adminUsername": "[concat('not','used')]",
+ "computerName": "[toLower(parameters('vmName'))]",
+ "customData": "[variables('customData64')]",
+ "linuxConfiguration": "[variables('linuxConfiguration')]"
+ },
+ "storageProfile": {
+ "imageReference": "[variables('imageReference')]",
+ "osDisk": {
+ "caching": "ReadWrite",
+ "createOption": "FromImage",
+ "diskSizeGB": "[variables('diskSizeGB')]",
+ "name": "[parameters('vmName')]",
+ "managedDisk": {
+ "storageAccountType": "[parameters('diskType')]"
+ }
+ }
+ }
+ },
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Compute/virtualMachines'), parameters('tagsByResource')['Microsoft.Compute/virtualMachines'], json('{}')) ]"
+ }
+ ],
+ "outputs": {
+ "IPAddress": {
+ "type": "string",
+ "value": "[reference(variables('publicIPAddressId')).IpAddress]"
+ },
+ "FQDN": {
+ "type": "string",
+ "value": "[reference(variables('publicIPAddressId')).dnsSettings.fqdn]"
+ }
+ }
+}
\ No newline at end of file
diff --git a/azure/templates/marketplace-single-waap/createUiDefinition.json b/azure/templates/marketplace-single-waap/createUiDefinition.json
new file mode 100755
index 00000000..3ebd285b
--- /dev/null
+++ b/azure/templates/marketplace-single-waap/createUiDefinition.json
@@ -0,0 +1,338 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Compute.MultiVm",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "basics": [
+ {
+ "name": "gatewayNameUi",
+ "type": "Microsoft.Common.TextBox",
+ "label": "VM Name",
+ "toolTip": "This will determine the hostname prefix of the VM",
+ "constraints": {
+ "required": true,
+ "regex": "^[a-z0-9A-Z]{1,30}$",
+ "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long."
+ }
+ },
+ {
+ "name": "inboundSources",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Allow access from",
+ "defaultValue": "0.0.0.0/0",
+ "toolTip": "Specify the client IP addresses that can reach your instance. Can be IP address range in CIDR notation (e.g. for any source use 0.0.0.0/0)",
+ "constraints": {
+ "required": true,
+ "regex": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2])){1,50}$",
+ "validationMessage": "Only CIDR notation is allowed i.e. X.X.X.X/X"
+ },
+ "visible": true
+ },
+ {
+ "name": "user",
+ "type": "Microsoft.Common.TextBlock",
+ "visible": true,
+ "options": {
+ "text": "User is set to 'admin'"
+ }
+ },
+ {
+ "name": "auth",
+ "type": "Microsoft.Compute.CredentialsCombo",
+ "label": {
+ "authenticationType": "Authentication type",
+ "password": "Password",
+ "confirmPassword": "Confirm password",
+ "sshPublicKey": "SSH public key"
+ },
+ "toolTip": {
+ "sshPublicKey": "Paste an OpenSSH public key. You can generate a key pair using ssh-keygen (Linux, OS X, Cygwin) or PuttyGen (Windows)"
+ },
+ "constraints": {
+ "required": true
+ },
+ "options": {
+ "hideConfirmation": false,
+ "hidePassword": false
+ },
+ "osPlatform": "Linux"
+ },
+ {
+ "name": "waapAgentToken",
+ "type": "Microsoft.Common.PasswordBox",
+ "label": {
+ "password": "Infinity Next Agent Token",
+ "confirmPassword": "Confirm Infinity Next Agent Token"
+ },
+ "toolTip": "Token can be obtained by logging in to [https://portal.checkpoint.com/](https://portal.checkpoint.com/) –> INFINITY POLICY -> CLOUD -> Profiles",
+ "constraints": {
+ "required": true,
+ "regex": "^cp-[a-z0-9A-Z-]{72,72}$",
+ "validationMessage": "Token should begin with 'cp-' and must be 75 characters long"
+ },
+ "options": {
+ "hideConfirmation": false
+ },
+ "visible": true
+ },
+ {
+ "name": "waapAgentFog",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Fog address (optional)",
+ "toolTip": "Fog address",
+ "constraints": {
+ "required": false,
+ "regex": "^https://",
+ "validationMessage": "Should begin with https://"
+ },
+ "visible": true
+ }
+ ],
+ "steps": [
+ {
+ "name": "autoprovision",
+ "label": "VM settings",
+ "subLabel": {
+ "preValidation": "Configure VM settings",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "VM settings",
+ "elements": [
+ {
+ "name": "vmSizeUiBYOL",
+ "type": "Microsoft.Compute.SizeSelector",
+ "visible": true,
+ "label": "Virtual machine size",
+ "toolTip": "The VM size of the Security Gateway",
+ "recommendedSizes": [
+ "Standard_DS2_v2",
+ "Standard_DS3_v2"
+ ],
+ "constraints": {
+ "allowedSizes": [
+ "Standard_DS2_v2",
+ "Standard_DS3_v2",
+ "Standard_DS4_v2",
+ "Standard_DS5_v2",
+ "Standard_F2s",
+ "Standard_F4s",
+ "Standard_F8s",
+ "Standard_F16s",
+ "Standard_D4s_v3",
+ "Standard_D8s_v3",
+ "Standard_D16s_v3",
+ "Standard_D32s_v3",
+ "Standard_D64s_v3",
+ "Standard_E4s_v3",
+ "Standard_E8s_v3",
+ "Standard_E16s_v3",
+ "Standard_E20s_v3",
+ "Standard_E32s_v3",
+ "Standard_E64s_v3",
+ "Standard_E64is_v3",
+ "Standard_F4s_v2",
+ "Standard_F8s_v2",
+ "Standard_F16s_v2",
+ "Standard_F32s_v2",
+ "Standard_F64s_v2",
+ "Standard_M8ms",
+ "Standard_M16ms",
+ "Standard_M32ms",
+ "Standard_M64ms",
+ "Standard_M64s",
+ "Standard_D2_v2",
+ "Standard_D3_v2",
+ "Standard_D4_v2",
+ "Standard_D5_v2",
+ "Standard_D11_v2",
+ "Standard_D12_v2",
+ "Standard_D13_v2",
+ "Standard_D14_v2",
+ "Standard_D15_v2",
+ "Standard_F2",
+ "Standard_F4",
+ "Standard_F8",
+ "Standard_F16",
+ "Standard_D4_v3",
+ "Standard_D8_v3",
+ "Standard_D16_v3",
+ "Standard_D32_v3",
+ "Standard_D64_v3",
+ "Standard_E4_v3",
+ "Standard_E8_v3",
+ "Standard_E16_v3",
+ "Standard_E20_v3",
+ "Standard_E32_v3",
+ "Standard_E64_v3",
+ "Standard_E64i_v3",
+ "Standard_DS11_v2",
+ "Standard_DS12_v2",
+ "Standard_DS13_v2",
+ "Standard_DS14_v2",
+ "Standard_DS15_v2"
+ ]
+ },
+ "osPlatform": "Linux",
+ "imageReference": {
+ "publisher": "checkpoint",
+ "offer": "infinity-gw",
+ "sku": "sg-byol"
+ },
+ "count": 1
+ },
+ {
+ "name": "waapPublicIP",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Assign public IP address to the gateway",
+ "toolTip": "Assign public IP address to the gateway",
+ "defaultValue": "Yes",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "yes"
+ },
+ {
+ "label": "No",
+ "value": "no"
+ }
+ ]
+ }
+ },
+ {
+ "name": "bootstrapScript",
+ "type": "Microsoft.Common.FileUpload",
+ "label": "Bootstrap script",
+ "toolTip": "Bootstrap script",
+ "constraints": {
+ "required": false,
+ "accept": ".sh,text/plain"
+ },
+ "options": {
+ "multiple": false,
+ "uploadMode": "file",
+ "openMode": "text",
+ "encoding": "UTF-8"
+ }
+ },
+ {
+ "name": "useCustomImageUri",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Use development image uri",
+ "defaultValue": "No",
+ "toolTip": "Use custom image URI.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ],
+ "required": false
+ },
+ "visible": false
+ },
+ {
+ "name": "sourceImageVhdUri",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Development Image URI",
+ "toolTip": "The URI of the blob containing the development image",
+ "constraints": {
+ "required": "[equals(steps('autoprovision').useCustomImageUri, 'Yes')]",
+ "regex": "^[a-z0-9A-Z_\\-\\.\\:\\/]{1,500}.vhd$",
+ "validationMessage": "Only alphanumeric characters and '_','-','.',':','/' are allowed, the value must be 1-500 characters long and must end with .vhd. "
+ },
+ "visible": "[equals(steps('autoprovision').useCustomImageUri, 'Yes')]"
+ }
+ ]
+ },
+ {
+ "name": "network",
+ "label": "Network settings",
+ "subLabel": {
+ "preValidation": "Configure network settings",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Network settings",
+ "elements": [
+ {
+ "name": "virtualNetwork",
+ "type": "Microsoft.Network.VirtualNetworkCombo",
+ "label": {
+ "virtualNetwork": "Virtual network",
+ "subnets": "Subnets"
+ },
+ "toolTip": {
+ "virtualNetwork": "Virtual Network Name",
+ "subnets": "The subnets to deploy into. Please note that the following CIDR range 172.16.0.0/12 is used by the Infinity Next Gateway for internal container communication"
+ },
+ "defaultValue": {
+ "name": "vnet01",
+ "addressPrefixSize": "/16"
+ },
+ "constraints": {
+ "minAddressPrefixSize": "/28"
+ },
+ "options": {
+ "hideExisting": false
+ },
+ "subnets": {
+ "subnet1": {
+ "label": "Gateway external subnet",
+ "defaultValue": {
+ "name": "VM-External",
+ "addressPrefixSize": "/24"
+ },
+ "constraints": {
+ "minAddressPrefixSize": "/29",
+ "minAddressCount": 1,
+ "requireContiguousAddresses": true
+ }
+ },
+ "subnet2": {
+ "label": "Gateway internal subnet",
+ "defaultValue": {
+ "name": "VM-Internal",
+ "addressPrefixSize": "/24"
+ },
+ "constraints": {
+ "minAddressPrefixSize": "/29",
+ "minAddressCount": 1,
+ "requireContiguousAddresses": true
+ }
+ }
+ }
+ }
+ ]
+ }
+ ],
+ "outputs": {
+ "location": "[location()]",
+ "vmName": "[basics('gatewayNameUi')]",
+ "inboundSources": "[basics('inboundSources')]",
+ "authenticationType": "[basics('auth').authenticationType]",
+ "adminPassword": "[basics('auth').password]",
+ "sshPublicKey": "[basics('auth').sshPublicKey]",
+ "waapAgentToken": "[basics('waapAgentToken')]",
+ "waapAgentFog": "[basics('waapAgentFog')]",
+ "vmSize": "[steps('autoprovision').vmSizeUiBYOL]",
+ "waapPublicIP": "[steps('autoprovision').waapPublicIP]",
+ "bootstrapScript": "[steps('autoprovision').bootstrapScript]",
+ "sourceImageVhdUri": "[coalesce(steps('autoprovision').sourceImageVhdUri, 'noCustomUri')]",
+ "virtualNetworkName": "[steps('network').virtualNetwork.name]",
+ "virtualNetworkAddressPrefix": "[steps('network').virtualNetwork.addressPrefix]",
+ "Subnet1Name": "[steps('network').virtualNetwork.subnets.subnet1.name]",
+ "Subnet1Prefix": "[steps('network').virtualNetwork.subnets.subnet1.addressPrefix]",
+ "Subnet1StartAddress": "[steps('network').virtualNetwork.subnets.subnet1.startAddress]",
+ "Subnet2Name": "[steps('network').virtualNetwork.subnets.subnet2.name]",
+ "Subnet2Prefix": "[steps('network').virtualNetwork.subnets.subnet2.addressPrefix]",
+ "Subnet2StartAddress": "[steps('network').virtualNetwork.subnets.subnet2.startAddress]",
+ "vnetNewOrExisting": "[steps('network').virtualNetwork.newOrExisting]",
+ "virtualNetworkExistingRGName": "[steps('network').virtualNetwork.resourceGroup]"
+ }
+ }
+}
\ No newline at end of file
diff --git a/azure/templates/marketplace-single-waap/mainTemplate.json b/azure/templates/marketplace-single-waap/mainTemplate.json
new file mode 100755
index 00000000..1d4f4b84
--- /dev/null
+++ b/azure/templates/marketplace-single-waap/mainTemplate.json
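Review bot: The `inboundSources` regex ends in `(\\/([0-9]|[1-2][0-9]|3[0-2])){1,50}$`, so the quantifier accepts inputs such as `10.0.0.0/8/8/8` that the validation message says are rejected; the suffix should match exactly once, `\\/([0-9]|[1-2][0-9]|3[0-2])$`. The same field defaults to `0.0.0.0/0` and, in mainTemplate.json later in this commit, is the source prefix for the SSH (22) and GAiA-portal (30443) rules as well as for HTTP/HTTPS, so the management plane inherits the WAF's public exposure unless the operator narrows it; a dedicated management-source field, as the `managementGUIClientNetwork` parameter in the earlier template, would keep the two apart. Minor: the `sourceImageVhdUri` regex `{1,500}.vhd$` leaves the dot unescaped, so it also accepts names like `imagexvhd`; `\\.vhd$` is what the validation message describes.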
@@ -0,0 +1,567 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "Deployment location"
+ },
+ "defaultValue": "[resourceGroup().location]"
+ },
+ "vmName": {
+ "type": "string",
+ "metadata": {
+ "description": "Name of the Infinity Next Gateway"
+ }
+ },
+ "inboundSources": {
+ "type": "string",
+ "defaultValue": "0.0.0.0/0",
+ "metadata": {
+ "description": "Specify the client IP addresses that can reach your instance. Can be IP address range in CIDR notation (e.g. for any source use 0.0.0.0/0)"
+ }
+ },
+ "authenticationType": {
+ "type": "string",
+ "allowedValues": [
+ "password",
+ "sshPublicKey"
+ ],
+ "defaultValue": "password",
+ "metadata": {
+ "description": "Authentication type"
+ }
+ },
+ "adminPassword": {
+ "type": "securestring",
+ "defaultValue": "",
+ "metadata": {
+ "description": "User is set to 'admin'"
+ }
+ },
+ "sshPublicKey": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Administrator SSH public key"
+ }
+ },
+ "waapAgentToken": {
+ "type": "securestring",
+ "minLength": 75,
+ "maxLength": 75,
+ "metadata": {
+ "description": "Infinity Next Agent Token"
+ }
+ },
+ "waapAgentFog": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Fog address"
+ }
+ },
+ "vmSize": {
+ "type": "string",
+ "defaultValue": "Standard_DS2_v2",
+ "metadata": {
+ "description": "The VM size of the Security Gateway"
+ }
+ },
+ "diskType": {
+ "type": "string",
+ "defaultValue": "Standard_LRS",
+ "metadata": {
+ "description": "The type of the OS disk. Premium is applicable only to DS machine sizes"
+ },
+ "allowedValues": [
+ "Standard_LRS",
+ "Premium_LRS"
+ ]
+ },
+ "waapPublicIP": {
+ "type": "string",
+ "allowedValues": [
+ "no",
+ "yes"
+ ],
+ "defaultValue": "yes",
+ "metadata": {
+ "description": "Assign public IP address to the gateway"
+ }
+ },
+ "vnetNewOrExisting": {
+ "type": "string",
+ "defaultValue": "new",
+ "allowedValues": [
+ "new",
+ "existing"
+ ],
+ "metadata": {
+ "Description": "Indicates whether the virtual network is new or existing"
+ }
+ },
+ "virtualNetworkExistingRGName": {
+ "type": "string",
+ "metadata": {
+ "description": "Resource Group of the existing virtual network"
+ },
+ "defaultValue": "[resourceGroup().name]"
+ },
+ "virtualNetworkName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the virtual network"
+ },
+ "defaultValue": "vnet"
+ },
+ "virtualNetworkAddressPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the virtual network. Please note that the following CIDR range 172.16.0.0/12 is used by the Infinity Next Gateway for internal container communication"
+ },
+ "defaultValue": "10.0.0.0/16"
+ },
+ "Subnet1Name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the Gateway external subnet"
+ },
+ "defaultValue": "VM-External"
+ },
+ "Subnet1Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the Gateway external subnet. Please note that the following CIDR range 172.16.0.0/12 is used by the Infinity Next Gateway for internal container communication"
+ },
+ "defaultValue": "10.0.1.0/24"
+ },
+ "Subnet1StartAddress": {
+ "type": "string",
+ "metadata": {
+ "description": "The first available address on the 1st subnet"
+ },
+ "defaultValue": "10.0.1.10"
+ },
+ "Subnet2Name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the Gateway internal subnet"
+ },
+ "defaultValue": "VM-Internal"
+ },
+ "Subnet2Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the Gateway internal subnet. Please note that the following CIDR range 172.16.0.0/12 is used by the Infinity Next Gateway for internal container communication"
+ },
+ "defaultValue": "10.0.2.0/24"
+ },
+ "Subnet2StartAddress": {
+ "type": "string",
+ "metadata": {
+ "description": "The first available address on the 2nd subnet"
+ },
+ "defaultValue": "10.0.2.10"
+ },
+ "bootstrapScript": {
+ "type": "string",
+ "metadata": {
+ "description": "Bootstrap script"
+ },
+ "defaultValue": ""
+ },
+ "sourceImageVhdUri": {
+ "type": "string",
+ "defaultValue": "noCustomUri",
+ "metadata": {
+ "description": "The URI of the blob containing the development image"
+ }
+ },
+ "_artifactsLocation": {
+ "type": "string",
+ "defaultValue": "[deployment().properties.templateLink.uri]",
+ "metadata": {
+ "description": "The base URI where artifacts required by this template are located including a trailing '/'"
+ }
+ },
+ "adminUsername": {
+ "type": "string",
+ "metadata": {
+ "description": "DO NOT CHANGE"
+ },
+ "defaultValue": "notused"
+ },
+ "_artifactsLocationSasToken": {
+ "type": "securestring",
+ "metadata": {
+ "description": "The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. Use the defaultValue if the staging location is not secured."
+ },
+ "defaultValue": ""
+ }
+ },
+ "variables": {
+ "templateName": "checkpoint_waap",
+ "templateVersion": "20210922",
+ "location": "[parameters('location')]",
+ "osVersion": "R8040",
+ "installationType": "waap",
+ "isBlink": "true",
+ "storageAccountName": "[concat('bootdiag', uniqueString(resourceGroup().id, deployment().name))]",
+ "storageAccountType": "Standard_LRS",
+ "diskSize100GB": 100,
+ "diskSizeGB": "[variables('diskSize100GB')]",
+ "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', '', '\"', '\n','waapAgentToken =\"', variables('waapAgentToken'), '\"', '\n', 'waapAgentFog =\"', variables('waapAgentFog'), '\"', '\n')]",
+ "imageOffer": "infinity-gw",
+ "imagePublisher": "checkpoint",
+ "imageSku": "infinity-img",
+ "imageReferenceBYOL": {
+ "offer": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]",
+ "sku": "[variables('imageSku')]",
+ "version": "latest"
+ },
+ "imageReferenceMarketplace": "[variables('imageReferenceBYOL')]",
+ "customImage": "customImage",
+ "imageReferenceCustomUri": {
+ "id": "[resourceId('Microsoft.Compute/images/', variables('customImage'))]"
+ },
+ "imageReference": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('imageReferenceMarketplace'), variables('imageReferenceCustomUri'))]",
+ "nic1Name": "[concat(parameters('vmName'), '-eth0')]",
+ "nic2Name": "[concat(parameters('vmName'), '-eth1')]",
+ "linuxConfigurationpassword": {
+ "disablePasswordAuthentication": "false"
+ },
+ "linuxConfigurationsshPublicKey": {
+ "disablePasswordAuthentication": "true",
+ "ssh": {
+ "publicKeys": [
+ {
+ "keyData": "[parameters('sshPublicKey')]",
+ "path": "/home/notused/.ssh/authorized_keys"
+ }
+ ]
+ }
+ },
+ "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), variables('linuxConfigurationpassword'), variables('linuxConfigurationsshPublicKey'))]",
+ "planBYOL": {
+ "name": "[variables('imageSku')]",
+ "product": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]"
+ },
+ "plan": "[variables('planBYOL')]",
+ "publicIPAddressName": "[parameters('vmName')]",
+ "publicIPAddressId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName'))]",
+ "publicIPAddress": {
+ "id": "[variables('publicIPAddressId')]"
+ },
+ "bootstrapScript64": "[base64(parameters('bootstrapScript'))]",
+ "allowUploadDownload": "false",
+ "networkSetupURL": "[uri(parameters('_artifactsLocation'), concat('nestedtemplates/vnet-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]",
+ "nsgName": "[concat(parameters('vmName'), '-nsg')]",
+ "nsgId": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName'))]",
+ "waapAgentToken": "[parameters('waapAgentToken')]",
+ "waapAgentFog": "[parameters('waapAgentFog')]",
+ "inboundSources": "[parameters('inboundSources')]"
+ },
+ "resources": [
+ {
+ "apiVersion": "2020-06-01",
+ "name": "pid-858bb8ac-3986-4499-adc5-990c43de41c2-partnercenter",
+ "type": "Microsoft.Resources/deployments",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": []
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "name": "[variables('storageAccountName')]",
+ "apiVersion": "2021-04-01",
+ "location": "[variables('location')]",
+ "sku": {
+ "name": "[variables('storageAccountType')]"
+ },
+ "kind": "Storage"
+ },
+ {
+ "condition": "[equals(parameters('vnetNewOrExisting'), 'new')]",
+ "name": "networkNewSetup",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "[variables('networkSetupURL')]",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "location": {
+ "value": "[variables('location')]"
+ },
+ "virtualNetworkName": {
+ "value": "[parameters('virtualNetworkName')]"
+ },
+ "virtualNetworkAddressPrefix": {
+ "value": "[parameters('virtualNetworkAddressPrefix')]"
+ },
+ "Subnet1Name": {
+ "value": "[parameters('Subnet1Name')]"
+ },
+ "Subnet1Prefix": {
+ "value": "[parameters('Subnet1Prefix')]"
+ },
+ "Subnet1StartAddress": {
+ "value": "[parameters('Subnet1StartAddress')]"
+ },
+ "Subnet2Name": {
+ "value": "[parameters('Subnet2Name')]"
+ },
+ "Subnet2Prefix": {
+ "value": "[parameters('Subnet2Prefix')]"
+ },
+ "Subnet2StartAddress": {
+ "value": "[parameters('Subnet2StartAddress')]"
+ }
+ }
+ }
+ },
+ {
+ "condition": "[equals(parameters('vnetNewOrExisting'), 'existing')]",
+ "name": "networkExistingSetup",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "[variables('networkSetupURL')]",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "virtualNetworkName": {
+ "value": "[parameters('virtualNetworkName')]"
+ },
+ "virtualNetworkExistingRGName": {
+ "value": "[parameters('virtualNetworkExistingRGName')]"
+ }
+ }
+ }
+ },
+ {
+ "condition": "[equals(parameters('waapPublicIP'), 'yes')]",
+ "type": "Microsoft.Network/publicIPAddresses",
+ "apiVersion": "2020-06-01",
+ "location": "[variables('location')]",
+ "name": "[variables('publicIPAddressName')]",
+ "properties": {
+ "idleTimeoutInMinutes": 30,
+ "publicIPAllocationMethod": "Static",
+ "dnsSettings": {
+ "domainNameLabel": "[concat(toLower(parameters('vmName')), '-', uniquestring(resourceGroup().id, deployment().name))]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Network/networkSecurityGroups",
+ "apiVersion": "2020-06-01",
+ "location": "[variables('location')]",
+ "name": "[variables('nsgName')]",
+ "properties": {
+ "securityRules": [
+ {
+ "name": "SSH",
+ "properties": {
+ "description": "Allow inbound SSH connection",
+ "protocol": "TCP",
+ "sourcePortRange": "*",
+ "destinationPortRange": "22",
+ "sourceAddressPrefix": "[variables('inboundSources')]",
+ "destinationAddressPrefix": "*",
+ "access": "Allow",
+ "priority": 100,
+ "direction": "Inbound"
+ }
+ },
+ {
+ "name": "GAiA-portal",
+ "properties": {
+ "description": "Allow inbound HTTPS access to the GAiA portal",
+ "protocol": "TCP",
+ "sourcePortRange": "*",
+ "destinationPortRange": "30443",
+ "sourceAddressPrefix": "[variables('inboundSources')]",
+ "destinationAddressPrefix": "*",
+ "access": "Allow",
+ "priority": 110,
+ "direction": "Inbound"
+ }
+ },
+ {
+ "name": "HTTPS",
+ "properties": {
+ "description": "Allow inbound HTTPS access",
+ "protocol": "TCP",
+ "sourcePortRange": "*",
+ "destinationPortRange": "443",
+ "sourceAddressPrefix": "[variables('inboundSources')]",
+ "destinationAddressPrefix": "*",
+ "access": "Allow",
+ "priority": 120,
+ "direction": "Inbound"
+ }
+ },
+ {
+ "name": "HTTP",
+ "properties": {
+ "description": "Allow inbound HTTP access",
+ "protocol": "TCP",
+ "sourcePortRange": "*",
+ "destinationPortRange": "80",
+ "sourceAddressPrefix": "[variables('inboundSources')]",
+ "destinationAddressPrefix": "*",
+ "access": "Allow",
+ "priority": 130,
+ "direction": "Inbound"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Network/networkInterfaces",
+ "apiVersion": "2020-06-01",
+ "dependsOn": [
+ "[coalesce(resourceId('Microsoft.Resources/deployments', 'networkNewSetup'), resourceId('Microsoft.Resources/deployments', 'networkExistingSetup'))]",
+ "[variables('publicIPAddressId')]"
+ ],
+ "location": "[variables('location')]",
+ "name": "[variables('nic1Name')]",
+ "properties": {
+ "enableIPForwarding": true,
+ "enableAcceleratedNetworking": "[not(equals(variables('osVersion'), 'R8010'))]",
+ "networkSecurityGroup": {
+ "id": "[variables('nsgId')]"
+ },
+ "ipConfigurations": [
+ {
+ "name": "ipconfig1",
+ "properties": {
+ "privateIPAllocationMethod": "Dynamic",
+ "publicIPAddress": "[if(equals(parameters('waapPublicIP'),'yes'), variables('publicIPAddress'), json('null'))]",
+ "subnet": {
+ "id": "[resourceId(parameters('virtualNetworkExistingRGName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('Subnet1Name'))]"
+ }
+ }
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Network/networkInterfaces",
+ "apiVersion": "2020-06-01",
+ "dependsOn": [
+ "[coalesce(resourceId('Microsoft.Resources/deployments', 'networkNewSetup'), resourceId('Microsoft.Resources/deployments', 'networkExistingSetup'))]"
+ ],
+ "location": "[variables('location')]",
+ "name": "[variables('nic2Name')]",
+ "properties": {
+ "enableIPForwarding": true,
+ "enableAcceleratedNetworking": "[not(equals(variables('osVersion'), 'R8010'))]",
+ "ipConfigurations": [
+ {
+ "name": "ipconfig2",
+ "properties": {
+ "privateIPAllocationMethod": "Dynamic",
+ "subnet": {
+ "id": "[resourceId(parameters('virtualNetworkExistingRGName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('Subnet2Name'))]"
+ }
+ }
+ }
+ ]
+ }
+ },
+ {
+ "condition": "[not(equals(parameters('sourceImageVhdUri'), 'noCustomUri'))]",
+ "type": "Microsoft.Compute/images",
+ "apiVersion": "2020-06-01",
+ "name": "[variables('customImage')]",
+ "location": "[variables('location')]",
+ "properties": {
+ "storageProfile": {
+ "osDisk": {
+ "osType": "Linux",
+ "osState": "Generalized",
+ "blobUri": "[parameters('sourceImageVhdUri')]",
+ "storageAccountType": "Standard_LRS"
+ }
+ },
+ "hyperVGeneration": "V1"
+ }
+ },
+ {
+ "type": "Microsoft.Compute/virtualMachines",
+ "apiVersion": "2020-06-01",
+ "dependsOn": [
+ "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",
+ "[resourceId('Microsoft.Network/networkInterfaces', variables('nic1Name'))]",
+ "[resourceId('Microsoft.Network/networkInterfaces', variables('nic2Name'))]",
+ "[resourceId('Microsoft.Compute/images/', variables('customImage'))]"
+ ],
+ "location": "[variables('location')]",
+ "name": "[parameters('vmName')]",
+ "plan": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('plan'), json('null'))]",
+ "properties": {
+ "diagnosticsProfile": {
+ "bootDiagnostics": {
+ "enabled": true,
+ "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2021-06-01').primaryEndpoints.blob]"
+ }
+ },
+ "hardwareProfile": {
+ "vmSize": "[parameters('vmSize')]"
+ },
+ "networkProfile": {
+ "networkInterfaces": [
+ {
+ "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nic1Name'))]",
+ "properties": {
+ "primary": true
+ }
+ },
+ {
+ "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nic2Name'))]",
+ "properties": {
+ "primary": false
+ }
+ }
+ ]
+ },
+ "osProfile": {
+ "adminPassword": "[parameters('adminPassword')]",
+ "adminUsername": "[parameters('adminUsername')]",
+ "computerName": "[toLower(parameters('vmName'))]",
+ "customData": "[base64(variables('customData'))]",
+ "linuxConfiguration": "[variables('linuxConfiguration')]"
+ },
+ "storageProfile": {
+ "imageReference": "[variables('imageReference')]",
+ "osDisk": {
+ "caching": "ReadWrite",
+ "createOption": "FromImage",
+ "diskSizeGB": "[variables('diskSizeGB')]",
+ "name": "[parameters('vmName')]",
+ "managedDisk": {
+ "storageAccountType": "[parameters('diskType')]"
+ }
+ }
+ }
+ }
+ }
+ ],
+ "outputs": {}
+}
\ No newline at end of file
diff --git a/azure/templates/marketplace-single/README.md b/azure/templates/marketplace-single/README.md new file mode 100644 index 00000000..e092fdd8 --- /dev/null +++ b/azure/templates/marketplace-single/README.md @@ -0,0 +1,22 @@ +# Check Point CloudGuard Network Security Single Gateway for Azure + +Check Point CloudGuard Network Security delivers advanced, multi-layered threat prevention to protect customer assets in Azure from malware and sophisticated threats. As a Microsoft Azure certified solution, CloudGuard Network Security enables you to easily and seamlessly secure your workloads while providing secure connectivity across your cloud and on-premises environments. + +Benefits: + +· Advanced threat prevention and traffic inspection + +· Integrated with Azure Security Center and Azure Sentinel + +· Provides consistent security policy management, enforcement, and reporting with a single pane of glass, using Check Point Unified Security Management + + + + Deploy to Azure + + + +To deploy with full control over all the template options use: [Full Control Deployment](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2Fazure%2Ftemplates%2Fmarketplace-single%2FmainTemplate.json) + + + diff --git a/azure/templates/marketplace-single/createUiDefinition.json b/azure/templates/marketplace-single/createUiDefinition.json new file mode 100644 index 00000000..b02e4ffd --- /dev/null +++ b/azure/templates/marketplace-single/createUiDefinition.json 
@@ -0,0 +1,1353 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Compute.MultiVm",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "basics": [
+ {
+ "name": "basics settings text block",
+ "type": "Microsoft.Common.TextBlock",
+ "visible": true,
+ "options": {
+ "text": "Please follow the Check Point Reference Architecture for Azure.",
+ "link": {
+ "label": "Reference Architecture Guide",
+ "uri": "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk109360"
+ }
+ }
+ },
+ {
+ "name": "gatewayNameUi",
+ "type": "Microsoft.Common.TextBox",
+ "label": "VM Name",
+ "toolTip": "The name of the Check Point CloudGuard.",
+ "constraints": {
+ "required": true,
+ "regex": "^[a-z0-9A-Z]{1,30}$",
+ "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long."
+ }
+ },
+ {
+ "name": "auth",
+ "type": "Microsoft.Compute.CredentialsCombo",
+ "label": {
+ "authenticationType": "Authentication type",
+ "password": "Password",
+ "confirmPassword": "Confirm password",
+ "sshPublicKey": "SSH public key"
+ },
+ "toolTip": {
+ "password": "The user 'admin' password",
+ "sshPublicKey": "Paste an OpenSSH public key. You can generate a key pair using ssh-keygen (Linux, OS X, Cygwin) or PuttyGen (Windows)"
+ },
+ "constraints": {
+ "required": true
+ },
+ "options": {
+ "hideConfirmation": false,
+ "hidePassword": false
+ },
+ "osPlatform": "Linux"
+ }
+ ],
+ "steps": [
+ {
+ "name": "chkp",
+ "label": "Check Point CloudGuard settings",
+ "subLabel": {
+ "preValidation": "Configure CloudGuard settings",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "CloudGuard settings",
+ "elements": [
+ {
+ "name": "cloudGuardVersion",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Check Point CloudGuard version",
+ "defaultValue": "R81.20",
+ "toolTip": "The version of Check Point CloudGuard.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "R81.10",
+ "value": "R81.10"
+ },
+ {
+ "label": "R81.20",
+ "value": "R81.20"
+ }
+ ]
+ }
+ },
+ {
+ "name": "R80Offer",
+ "type": "Microsoft.Common.DropDown",
+ "label": "License type",
+ "toolTip": "The type of license.",
+ "defaultValue": "Bring Your Own License",
+ "visible": true,
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Bring Your Own License",
+ "value": "Bring Your Own License"
+ },
+ {
+ "label": "Pay As You Go (NGTP)",
+ "value": "Pay As You Go (NGTP)"
+ },
+ {
+ "label": "Pay As You Go (NGTX)",
+ "value": "Pay As You Go (NGTX)"
+ }
+ ]
+ }
+ },
+ {
+ "name": "R8110vmSizeUiBYOL",
+ "type": "Microsoft.Compute.SizeSelector",
+ "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81.10'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]",
+ "label": "Virtual machine size",
+ "toolTip": "The VM size of the Security Gateway",
+ "recommendedSizes": [
+ "Standard_D3_v2",
+ "Standard_DS3_v2"
+ ],
+ "constraints": {
+ "allowedSizes": [
+ "Standard_D4_v4",
+ "Standard_D8_v4",
+ "Standard_D16_v4",
+ "Standard_D32_v4",
+ "Standard_D48_v4",
+ "Standard_D64_v4",
+ "Standard_D4s_v4",
+ "Standard_D8s_v4",
+ "Standard_D16s_v4",
+ "Standard_D32s_v4",
+ "Standard_D48s_v4",
+ "Standard_D64s_v4",
+ "Standard_D2_v5",
+ "Standard_D4_v5",
+ "Standard_D8_v5",
+ "Standard_D16_v5",
+ "Standard_D32_v5",
+ "Standard_D2s_v5",
+ "Standard_D4s_v5",
+ "Standard_D8s_v5",
+ "Standard_D16s_v5",
+ "Standard_D2d_v5",
+ "Standard_D4d_v5",
+ "Standard_D8d_v5",
+ "Standard_D16d_v5",
+ "Standard_D32d_v5",
+ "Standard_D2ds_v5",
+ "Standard_D4ds_v5",
+ "Standard_D8ds_v5",
+ "Standard_D16ds_v5",
+ "Standard_D32ds_v5",
+ "Standard_DS2_v2",
+ "Standard_DS3_v2",
+ "Standard_DS4_v2",
+ "Standard_DS5_v2",
+ "Standard_F2s",
+ "Standard_F4s",
+ "Standard_F8s",
+ "Standard_F16s",
+ "Standard_D4s_v3",
+ "Standard_D8s_v3",
+ "Standard_D16s_v3",
+ "Standard_D32s_v3",
+ "Standard_D64s_v3",
+ "Standard_E4s_v3",
+ "Standard_E8s_v3",
+ "Standard_E16s_v3",
+ "Standard_E20s_v3",
+ "Standard_E32s_v3",
+ "Standard_E64s_v3",
+ "Standard_E64is_v3",
+ "Standard_F4s_v2",
+ "Standard_F8s_v2",
+ "Standard_F16s_v2",
+ "Standard_F32s_v2",
+ "Standard_F64s_v2",
+ "Standard_M8ms",
+ "Standard_M16ms",
+ "Standard_M32ms",
+ "Standard_M64ms",
+ "Standard_M64s",
+ "Standard_D2_v2",
+ "Standard_D3_v2",
+ "Standard_D4_v2",
+ "Standard_D5_v2",
+ "Standard_D11_v2",
+ "Standard_D12_v2",
+ "Standard_D13_v2",
+ "Standard_D14_v2",
+ "Standard_D15_v2",
+ "Standard_F2",
+ "Standard_F4",
+ "Standard_F8",
+ "Standard_F16",
+ "Standard_D4_v3",
+ "Standard_D8_v3",
+ "Standard_D16_v3",
+ "Standard_D32_v3",
+ "Standard_D64_v3",
+ "Standard_E4_v3",
+ "Standard_E8_v3",
+ "Standard_E16_v3",
+ "Standard_E20_v3",
+ "Standard_E32_v3",
+ "Standard_E64_v3",
+ "Standard_E64i_v3",
+ "Standard_DS11_v2",
+ "Standard_DS12_v2",
+ "Standard_DS13_v2",
+ "Standard_DS14_v2",
+ "Standard_DS15_v2"
+ ]
+ },
+ "osPlatform": "Linux",
+ "imageReference": {
+ "publisher": "checkpoint",
+ "offer": "check-point-cg-r8110",
+ "sku": "sg-byol"
+ },
+ "count": 1
+ },
+ {
+ "name": "R8110vmSizeUiNGTP",
+ "type": "Microsoft.Compute.SizeSelector",
+ "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81.10'), contains(steps('chkp').R80Offer, '(NGTP)'))]",
+ "label": "Virtual machine size",
+ "toolTip": "The VM size of the Security Gateway",
+ "recommendedSizes": [
+ "Standard_D3_v2",
+ "Standard_DS3_v2"
+ ],
+ "constraints": {
+ "allowedSizes": [
+ "Standard_D4_v4",
+ "Standard_D8_v4",
+ "Standard_D16_v4",
+ "Standard_D32_v4",
+ "Standard_D48_v4",
+ "Standard_D64_v4",
+ "Standard_D4s_v4",
+ "Standard_D8s_v4",
+ "Standard_D16s_v4",
+ "Standard_D32s_v4",
+ "Standard_D48s_v4",
+ "Standard_D64s_v4",
+ "Standard_D2_v5",
+ "Standard_D4_v5",
+ "Standard_D8_v5",
+ "Standard_D16_v5",
+ "Standard_D32_v5",
+ "Standard_D2s_v5",
+ "Standard_D4s_v5",
+ "Standard_D8s_v5",
+ "Standard_D16s_v5",
+ "Standard_D2d_v5",
+ "Standard_D4d_v5",
+ "Standard_D8d_v5",
+ "Standard_D16d_v5",
+ "Standard_D32d_v5",
+ "Standard_D2ds_v5",
+ "Standard_D4ds_v5",
+ "Standard_D8ds_v5",
+ "Standard_D16ds_v5",
+ "Standard_D32ds_v5",
+ "Standard_DS2_v2",
+ "Standard_DS3_v2",
+ "Standard_DS4_v2",
+ "Standard_DS5_v2",
+ "Standard_F2s",
+ "Standard_F4s",
+ "Standard_F8s",
+ "Standard_F16s",
+ "Standard_D4s_v3",
+ "Standard_D8s_v3",
+ "Standard_D16s_v3",
+ "Standard_D32s_v3",
+ "Standard_D64s_v3",
+ "Standard_E4s_v3",
+ "Standard_E8s_v3",
+ "Standard_E16s_v3",
+ "Standard_E20s_v3",
+ "Standard_E32s_v3",
+ "Standard_E64s_v3",
+ "Standard_E64is_v3",
+ "Standard_F4s_v2",
+ "Standard_F8s_v2",
+ "Standard_F16s_v2",
+ "Standard_F32s_v2",
+ "Standard_F64s_v2",
+ "Standard_M8ms",
+ "Standard_M16ms",
+ "Standard_M32ms",
+ "Standard_M64ms",
+ "Standard_M64s",
+ "Standard_D2_v2",
+ "Standard_D3_v2",
+ "Standard_D4_v2",
+ "Standard_D5_v2",
+ "Standard_D11_v2",
+ "Standard_D12_v2",
+ "Standard_D13_v2",
+ "Standard_D14_v2",
+ "Standard_D15_v2",
+ "Standard_F2",
+ "Standard_F4",
+ "Standard_F8",
+ "Standard_F16",
+ "Standard_D4_v3",
+ "Standard_D8_v3",
+ "Standard_D16_v3",
+ "Standard_D32_v3",
+ "Standard_D64_v3",
+ "Standard_E4_v3",
+ "Standard_E8_v3",
+ "Standard_E16_v3",
+ "Standard_E20_v3",
+ "Standard_E32_v3",
+ "Standard_E64_v3",
+ "Standard_E64i_v3",
+ "Standard_DS11_v2",
+ "Standard_DS12_v2",
+ "Standard_DS13_v2",
+ "Standard_DS14_v2",
+ "Standard_DS15_v2"
+ ]
+ },
+ "osPlatform": "Linux",
+ "imageReference": {
+ "publisher": "checkpoint",
+ "offer": "check-point-cg-r8110",
+ "sku": "sg-ngtp"
+ },
+ "count": 1
+ },
+ {
+ "name": "R8110vmSizeUiNGTX",
+ "type": "Microsoft.Compute.SizeSelector",
+ "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81.10'), contains(steps('chkp').R80Offer, '(NGTX)'))]",
+ "label": "Virtual machine size",
+ "toolTip": "The VM size of the Security Gateway",
+ "recommendedSizes": [
+ "Standard_D3_v2",
+ "Standard_DS3_v2"
+ ],
+ "constraints": {
+ "allowedSizes": [
+ "Standard_D4_v4",
+ "Standard_D8_v4",
+ "Standard_D16_v4",
+ "Standard_D32_v4",
+ "Standard_D48_v4",
+ "Standard_D64_v4",
+ "Standard_D4s_v4",
+ "Standard_D8s_v4",
+ "Standard_D16s_v4",
+ "Standard_D32s_v4",
+ "Standard_D48s_v4",
+ "Standard_D64s_v4",
+ "Standard_D2_v5",
+ "Standard_D4_v5",
+ "Standard_D8_v5",
+ "Standard_D16_v5",
+ "Standard_D32_v5",
+ "Standard_D2s_v5",
+ "Standard_D4s_v5",
+ "Standard_D8s_v5",
+ "Standard_D16s_v5",
+ "Standard_D2d_v5",
+ "Standard_D4d_v5",
+ "Standard_D8d_v5",
+ "Standard_D16d_v5",
+ "Standard_D32d_v5",
+ "Standard_D2ds_v5",
+ "Standard_D4ds_v5",
+ "Standard_D8ds_v5",
+ "Standard_D16ds_v5",
+ "Standard_D32ds_v5",
+ "Standard_DS2_v2",
+ "Standard_DS3_v2",
+ "Standard_DS4_v2",
+ "Standard_DS5_v2",
+ "Standard_F2s",
+ "Standard_F4s",
+ "Standard_F8s",
+ "Standard_F16s",
+ "Standard_D4s_v3",
+ "Standard_D8s_v3",
+ "Standard_D16s_v3",
+ "Standard_D32s_v3",
+ "Standard_D64s_v3",
+ "Standard_E4s_v3",
+ "Standard_E8s_v3",
+ "Standard_E16s_v3",
+ "Standard_E20s_v3",
+ "Standard_E32s_v3",
+ "Standard_E64s_v3",
+ "Standard_E64is_v3",
+ "Standard_F4s_v2",
+ "Standard_F8s_v2",
+ "Standard_F16s_v2",
+ "Standard_F32s_v2",
+ "Standard_F64s_v2",
+ "Standard_M8ms",
+ "Standard_M16ms",
+ "Standard_M32ms",
+ "Standard_M64ms",
+ "Standard_M64s",
+ "Standard_D2_v2",
+ "Standard_D3_v2",
+ "Standard_D4_v2",
+ "Standard_D5_v2",
+ "Standard_D11_v2",
+ "Standard_D12_v2",
+ "Standard_D13_v2",
+ "Standard_D14_v2",
+ "Standard_D15_v2",
+ "Standard_F2",
+ "Standard_F4",
+ "Standard_F8",
+ "Standard_F16",
+ "Standard_D4_v3",
+ "Standard_D8_v3",
+ "Standard_D16_v3",
+ "Standard_D32_v3",
+ "Standard_D64_v3",
+ "Standard_E4_v3",
+ "Standard_E8_v3",
+ "Standard_E16_v3",
+ "Standard_E20_v3",
+ "Standard_E32_v3",
+ "Standard_E64_v3",
+ "Standard_E64i_v3",
+ "Standard_DS11_v2",
+ "Standard_DS12_v2",
+ "Standard_DS13_v2",
+ "Standard_DS14_v2",
+ "Standard_DS15_v2"
+ ]
+ },
+ "osPlatform": "Linux",
+ "imageReference": {
+ "publisher": "checkpoint",
+ "offer": "check-point-cg-r8110",
+ "sku": "sg-ngtx"
+ },
+ "count": 1
+ },
+ {
+ "name": "R8120vmSizeUiBYOL",
+ "type": "Microsoft.Compute.SizeSelector",
+ "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81.20'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]",
+ "label": "Virtual machine size",
+ "toolTip": "The VM size of the Security Gateway",
+ "recommendedSizes": [
+ "Standard_D4ds_v5",
+ "Standard_D4d_v5"
+ ],
+ "constraints": {
+ "allowedSizes": [
+ "Standard_D4_v4",
+ "Standard_D8_v4",
+ "Standard_D16_v4",
+ "Standard_D32_v4",
+ "Standard_D48_v4",
+ "Standard_D64_v4",
+ "Standard_D4s_v4",
+ "Standard_D8s_v4",
+ "Standard_D16s_v4",
+ "Standard_D32s_v4",
+ "Standard_D48s_v4",
+ "Standard_D64s_v4",
+ "Standard_D2_v5",
+ "Standard_D4_v5",
+ "Standard_D8_v5",
+ "Standard_D16_v5",
+ "Standard_D32_v5",
+ "Standard_D2s_v5",
+ "Standard_D4s_v5",
+ "Standard_D8s_v5",
+ "Standard_D16s_v5",
+ "Standard_D2d_v5",
+ "Standard_D4d_v5",
+ "Standard_D8d_v5",
+ "Standard_D16d_v5",
+ "Standard_D32d_v5",
+ "Standard_D2ds_v5",
+ "Standard_D4ds_v5",
+ "Standard_D8ds_v5",
+ "Standard_D16ds_v5",
+ "Standard_D32ds_v5",
+ "Standard_DS2_v2",
+ "Standard_DS3_v2",
+ "Standard_DS4_v2",
+ "Standard_DS5_v2",
+ "Standard_F2s",
+ "Standard_F4s",
+ "Standard_F8s",
+ "Standard_F16s",
+ "Standard_D4s_v3",
+ "Standard_D8s_v3",
+ "Standard_D16s_v3",
+ "Standard_D32s_v3",
+ "Standard_D64s_v3",
+ "Standard_E4s_v3",
+ "Standard_E8s_v3",
+ "Standard_E16s_v3",
+ "Standard_E20s_v3",
+ "Standard_E32s_v3",
+ "Standard_E64s_v3",
+ "Standard_E64is_v3",
+ "Standard_F4s_v2",
+ "Standard_F8s_v2",
+ "Standard_F16s_v2",
+ "Standard_F32s_v2",
+ "Standard_F64s_v2",
+ "Standard_M8ms",
+ "Standard_M16ms",
+ "Standard_M32ms",
+ "Standard_M64ms",
+ "Standard_M64s",
+ "Standard_D2_v2",
+ "Standard_D3_v2",
+ "Standard_D4_v2",
+ "Standard_D5_v2",
+ "Standard_D11_v2",
+ "Standard_D12_v2",
+ "Standard_D13_v2",
+ "Standard_D14_v2",
+ "Standard_D15_v2",
+ "Standard_F2",
+ "Standard_F4",
+ "Standard_F8",
+ "Standard_F16",
+ "Standard_D4_v3",
+ "Standard_D8_v3",
+ "Standard_D16_v3",
+ "Standard_D32_v3",
+ "Standard_D64_v3",
+ "Standard_E4_v3",
+ "Standard_E8_v3",
+ "Standard_E16_v3",
+ "Standard_E20_v3",
+ "Standard_E32_v3",
+ "Standard_E64_v3",
+ "Standard_E64i_v3",
+ "Standard_DS11_v2",
+ "Standard_DS12_v2",
+ "Standard_DS13_v2",
+ "Standard_DS14_v2",
+ "Standard_DS15_v2"
+ ]
+ },
+ "osPlatform": "Linux",
+ "imageReference": {
+ "publisher": "checkpoint",
+ "offer": "check-point-cg-r8120",
+ "sku": "sg-byol"
+ },
+ "count": 1
+ },
+ {
+ "name": "R8120vmSizeUiNGTP",
+ "type": "Microsoft.Compute.SizeSelector",
+ "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81.20'), contains(steps('chkp').R80Offer, '(NGTP)'))]",
+ "label": "Virtual machine size",
+ "toolTip": "The VM size of the Security Gateway",
+ "recommendedSizes": [
+ "Standard_D4ds_v5",
+ "Standard_D4d_v5"
+ ],
+ "constraints": {
+ "allowedSizes": [
+ "Standard_D4_v4",
+ "Standard_D8_v4",
+ "Standard_D16_v4",
+ "Standard_D32_v4",
+ "Standard_D48_v4",
+ "Standard_D64_v4",
+ "Standard_D4s_v4",
+ "Standard_D8s_v4",
+ "Standard_D16s_v4",
+ "Standard_D32s_v4",
+ "Standard_D48s_v4",
+ "Standard_D64s_v4",
+ "Standard_D2_v5",
+ "Standard_D4_v5",
+ "Standard_D8_v5",
+ "Standard_D16_v5",
+ "Standard_D32_v5",
+ "Standard_D2s_v5",
+ "Standard_D4s_v5",
+ "Standard_D8s_v5",
+ "Standard_D16s_v5",
+ "Standard_D2d_v5",
+ "Standard_D4d_v5",
+ "Standard_D8d_v5",
+ "Standard_D16d_v5",
+ "Standard_D32d_v5",
+ "Standard_D2ds_v5",
+ "Standard_D4ds_v5",
+ "Standard_D8ds_v5",
+ "Standard_D16ds_v5",
+ "Standard_D32ds_v5",
+ "Standard_DS2_v2",
+ "Standard_DS3_v2",
+ "Standard_DS4_v2",
+ "Standard_DS5_v2",
+ "Standard_F2s",
+ "Standard_F4s",
+ "Standard_F8s",
+ "Standard_F16s",
+ "Standard_D4s_v3",
+ "Standard_D8s_v3",
+ "Standard_D16s_v3",
+ "Standard_D32s_v3",
+ "Standard_D64s_v3",
+ "Standard_E4s_v3",
+ "Standard_E8s_v3",
+ "Standard_E16s_v3",
+ "Standard_E20s_v3",
+ "Standard_E32s_v3",
+ "Standard_E64s_v3",
+ "Standard_E64is_v3",
+ "Standard_F4s_v2",
+ "Standard_F8s_v2",
+ "Standard_F16s_v2",
+ "Standard_F32s_v2",
+ "Standard_F64s_v2",
+ "Standard_M8ms",
+ "Standard_M16ms",
+ "Standard_M32ms",
+ "Standard_M64ms",
+ "Standard_M64s",
+ "Standard_D2_v2",
+ "Standard_D3_v2",
+ "Standard_D4_v2",
+ "Standard_D5_v2",
+ "Standard_D11_v2",
+ "Standard_D12_v2",
+ "Standard_D13_v2",
+ "Standard_D14_v2",
+ "Standard_D15_v2",
+ "Standard_F2",
+ "Standard_F4",
+ "Standard_F8",
+ "Standard_F16",
+ "Standard_D4_v3",
+ "Standard_D8_v3",
+ "Standard_D16_v3",
+ "Standard_D32_v3",
+ "Standard_D64_v3",
+ "Standard_E4_v3",
+ "Standard_E8_v3",
+ "Standard_E16_v3",
+ "Standard_E20_v3",
+ "Standard_E32_v3",
+ "Standard_E64_v3",
+ "Standard_E64i_v3",
+ "Standard_DS11_v2",
+ "Standard_DS12_v2",
+ "Standard_DS13_v2",
+ "Standard_DS14_v2",
+ "Standard_DS15_v2"
+ ]
+ },
+ "osPlatform": "Linux",
+ "imageReference": {
+ "publisher": "checkpoint",
+ "offer": "check-point-cg-r8120",
+ "sku": "sg-ngtp"
+ },
+ "count": 1
+ },
+ {
+ "name": "R8120vmSizeUiNGTX",
+ "type": "Microsoft.Compute.SizeSelector",
+ "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81.20'), contains(steps('chkp').R80Offer, '(NGTX)'))]",
+ "label": "Virtual machine size",
+ "toolTip": "The VM size of the Security Gateway",
+ "recommendedSizes": [
+ "Standard_D4ds_v5",
+ "Standard_D4d_v5"
+ ],
+ "constraints": {
+ "allowedSizes": [
+ "Standard_D4_v4",
+ "Standard_D8_v4",
+ "Standard_D16_v4",
+ "Standard_D32_v4",
+ "Standard_D48_v4",
+ "Standard_D64_v4",
+ "Standard_D4s_v4",
+ "Standard_D8s_v4",
+ "Standard_D16s_v4",
+ "Standard_D32s_v4",
+ "Standard_D48s_v4",
+ "Standard_D64s_v4",
+ "Standard_D2_v5",
+ "Standard_D4_v5",
+ "Standard_D8_v5",
+ "Standard_D16_v5",
+ "Standard_D32_v5",
+ "Standard_D2s_v5",
+ "Standard_D4s_v5",
+ "Standard_D8s_v5",
+ "Standard_D16s_v5",
+ "Standard_D2d_v5",
+ "Standard_D4d_v5",
+ "Standard_D8d_v5",
+ "Standard_D16d_v5",
+ "Standard_D32d_v5",
+ "Standard_D2ds_v5",
+ "Standard_D4ds_v5",
+ "Standard_D8ds_v5",
+ "Standard_D16ds_v5",
+ "Standard_D32ds_v5",
+ "Standard_DS2_v2",
+ "Standard_DS3_v2",
+ "Standard_DS4_v2",
+ "Standard_DS5_v2",
+ "Standard_F2s",
+ "Standard_F4s",
+ "Standard_F8s",
+ "Standard_F16s",
+ "Standard_D4s_v3",
+ "Standard_D8s_v3",
+ "Standard_D16s_v3",
+ "Standard_D32s_v3",
+ "Standard_D64s_v3",
+ "Standard_E4s_v3",
+ "Standard_E8s_v3",
+ "Standard_E16s_v3",
+ "Standard_E20s_v3",
+ "Standard_E32s_v3",
+ "Standard_E64s_v3",
+ "Standard_E64is_v3",
+ "Standard_F4s_v2",
+ "Standard_F8s_v2",
+ "Standard_F16s_v2",
+ "Standard_F32s_v2",
+ "Standard_F64s_v2",
+ "Standard_M8ms",
+ "Standard_M16ms",
+ "Standard_M32ms",
+ "Standard_M64ms",
+ "Standard_M64s",
+ "Standard_D2_v2",
+ "Standard_D3_v2",
+ "Standard_D4_v2",
+ "Standard_D5_v2",
+ "Standard_D11_v2",
+ "Standard_D12_v2",
+ "Standard_D13_v2",
+ "Standard_D14_v2",
+ "Standard_D15_v2",
+ "Standard_F2",
+ "Standard_F4",
+ "Standard_F8",
+ "Standard_F16",
+ "Standard_D4_v3",
+ "Standard_D8_v3",
+ "Standard_D16_v3",
+ "Standard_D32_v3",
+ "Standard_D64_v3",
+ "Standard_E4_v3",
+ "Standard_E8_v3",
+ "Standard_E16_v3",
+ "Standard_E20_v3",
+ "Standard_E32_v3",
+ "Standard_E64_v3",
+ "Standard_E64i_v3",
+ "Standard_DS11_v2",
+ "Standard_DS12_v2",
+ "Standard_DS13_v2",
+ "Standard_DS14_v2",
+ "Standard_DS15_v2"
+ ]
+ },
+ "osPlatform": "Linux",
+ "imageReference": {
+ "publisher": "checkpoint",
+ "offer": "check-point-cg-r8120",
+ "sku": "sg-ngtx"
+ },
+ "count": 1
+ },
+ {
+ "name": "installationType",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Installation type",
+ "visible": "[or(equals(equals(steps('chkp').cloudGuardVersion, 'R81.10'), equals(steps('chkp').cloudGuardVersion, 'R81.20'))]",
+ "defaultValue": "Gateway only",
+ "toolTip": "Select the type of deployment",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Gateway only",
+ "value": "gateway"
+ },
+ {
+ "label": "Standalone",
+ "value": "standalone"
+ }
+ ]
+ }
+ },
+ {
+ "name": "adminShell",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Default shell for the admin user",
+ "defaultValue": "/etc/cli.sh",
+ "toolTip": "The default shell for the admin user",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "/etc/cli.sh",
+ "value": "/etc/cli.sh"
+ },
+ {
+ "label": "/bin/bash",
+ "value": "/bin/bash"
+ },
+ {
+ "label": "/bin/csh",
+ "value": "/bin/csh"
+ },
+ {
+ "label": "/bin/tcsh",
+ "value": "/bin/tcsh"
+ }
+ ]
+ }
+ },
+ {
+ "name": "standaloneValidation",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[and(equals(steps('chkp').installationType, 'standalone'), not(and(equals(steps('chkp').R80Offer, 'Bring Your Own License'),or(equals(equals(steps('chkp').cloudGuardVersion, 'R81.10'), equals(steps('chkp').cloudGuardVersion, 'R81.20')))))]",
+ "options": {
+ "icon": "Error",
+ "text": "Standalone deployment is ONLY supported for CloudGuard versions R81.10 and R81.20 Bring Your Own License."
+ }
+ },
+ {
+ "name": "managementGUIClientNetwork",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Allowed GUI clients",
+ "toolTip": "GUI clients network CIDR",
+ "constraints": {
+ "required": true,
+ "regex": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$",
+ "validationMessage": "Enter a valid IPv4 network CIDR"
+ },
+ "visible": "[and(or(equals(steps('chkp').cloudGuardVersion, 'R81.10'), equals(steps('chkp').cloudGuardVersion, 'R81.20')), equals(steps('chkp').installationType, 'standalone'))]"
+ },
+ {
+ "name": "sicKeyUi",
+ "type": "Microsoft.Common.PasswordBox",
+ "label": {
+ "password": "SIC key",
+ "confirmPassword": "Confirm SIC key"
+ },
+ "toolTip": "Set the Secure Internal Communication one time secret used to set up trust between the gateway and the management server.",
+ "constraints": {
+ "required": true,
+ "regex": "^[a-z0-9A-Z]{12,30}$",
+ "validationMessage": "Only alphanumeric characters are allowed, and the value must be 12-30 characters long."
+ },
+ "options": {
+ "hideConfirmation": false
+ },
+ "visible": "[not(equals(steps('chkp').installationType, 'standalone'))]"
+ },
+ {
+ "name": "SerialPasswordInfoBox",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[bool(basics('auth').sshPublicKey)]",
+ "options": {
+ "icon": "Info",
+ "text": "Check Point recommends setting serial console password and maintenance-mode password for recovery purposes. For R81.10 and below the serial console password is used also as maintenance-mode password"
+ }
+ },
+ {
+ "visible": "[bool(basics('auth').sshPublicKey)]",
+ "name": "EnableSerialConsolePassword",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable Serial console password",
+ "defaultValue": "Yes",
+ "toolTip": "A unique password hash to enable VM connection via serial console.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": true
+ },
+ {
+ "label": "No",
+ "value": false
+ }
+ ]
+ }
+ },
+ {
+ "name": "AdditionalPassword",
+ "type": "Microsoft.Common.PasswordBox",
+ "toolTip": "Serial console password hash, used to enable password authentication (using serial console). To generate password hash use the command 'openssl passwd -6 PASSWORD'",
+ "visible": "[and(bool(basics('auth').sshPublicKey), steps('chkp').EnableSerialConsolePassword)]",
+ "label": {
+ "password": "Password hash",
+ "confirmPassword": "Confirm password"
+ },
+ "constraints": {
+ "required": true,
+ "regex": "^.{12,300}$",
+ "validationMessage": "The value must be the output of the hash command."
+ },
+ "options": {
+ "hideConfirmation": false
+ }
+ },
+ {
+ "name": "MaintenanceModeInfoBox",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[and(bool(basics('auth').password), not(contains('R81.10', steps('chkp').cloudGuardVersion)))]",
+ "options": {
+ "icon": "Info",
+ "text": "Check Point recommends setting a maintenance-mode password for recovery purposes."
+ }
+ },
+ {
+ "visible": "[not(contains('R81.10', steps('chkp').cloudGuardVersion))]",
+ "name": "EnableMaintenanceMode",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable Maintenance Mode",
+ "defaultValue": "Yes",
+ "toolTip": "A unique password hash to enable VM maintenance mode.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": true
+ },
+ {
+ "label": "No",
+ "value": false
+ }
+ ]
+ }
+ },
+ {
+ "visible": "[and(not(contains('R81.10', steps('chkp').cloudGuardVersion)), steps('chkp').EnableMaintenanceMode)]",
+ "name": "MaintenanceModePassword",
+ "type": "Microsoft.Common.PasswordBox",
+ "defaultValue": "",
+ "toolTip": "To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here.",
+ "label": {
+ "password": "Maintenance Mode password hash",
+ "confirmPassword": "Confirm Password"
+ },
+ "constraints": {
+ "required": true,
+ "validationMessage": "The value must be the output of the hash command."
+ },
+ "options": {
+ "hideConfirmation": false
+ }
+ },
+ {
+ "name": "bootstrapScript",
+ "type": "Microsoft.Common.FileUpload",
+ "label": "Bootstrap script",
+ "toolTip": "An optional script to run on the initial boot",
+ "constraints": {
+ "required": false,
+ "accept": ".sh,text/plain"
+ },
+ "options": {
+ "multiple": false,
+ "uploadMode": "file",
+ "openMode": "text",
+ "encoding": "UTF-8"
+ }
+ },
+ {
+ "visible": "[or(not(equals(steps('chkp').cloudGuardVersion, 'R80.10')), not(equals(steps('chkp').installationType, 'custom')))]",
+ "name": "allowUploadDownload",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Automatically download updates and share statistical data for product improvement purpose",
+ "defaultValue": "Yes",
+ "toolTip": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "true"
+ },
+ {
+ "label": "No",
+ "value": "false"
+ }
+ ]
+ }
+ },
+ {
+ "name": "VMDiskType",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "VM disk type",
+ "toolTip": "Type of CloudGuard disk.",
+ "visible": "[not(contains('R81.10' , steps('chkp').cloudGuardVersion))]",
+ "defaultValue": "Premium",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Standard",
+ "value": "Standard_LRS"
+ },
+ {
+ "label": "Premium",
+ "value": "Premium_LRS"
+ }
+ ]
+ }
+ },
+ {
+ "name": "VMDiskTypeOldVersions",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "VM disk type",
+ "toolTip": "Type of CloudGuard disk.",
+ "visible": "[contains('R81.10' , steps('chkp').cloudGuardVersion)]",
+ "defaultValue": "Standard",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Standard",
+ "value": "Standard_LRS"
+ },
+ {
+ "label": "Premium",
+ "value": "Premium_LRS"
+ }
+ ]
+ }
+ },
+ {
+ "name": "basics settings text block",
+ "type": "Microsoft.Common.TextBlock",
+ "visible": true,
+ "options": {
+ "text": "Please follow the Check Point referenced guide for adding disk space.",
+ "link": {
+ "label": "Additional disk space in CloudGuard",
+ "uri": "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk156552"
+ }
+ }
+ },
+ {
+ "name": "additionalDiskSizeGB",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Additional disk space (GB)",
+ "defaultValue": "0",
+ "toolTip": "Additional disk space (in GB), initial disk size is 100 GB.",
+ "constraints": {
+ "regex": "^([0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-2][0-9][0-9][0-9]|3[0-8][0-9][0-9]|399[0-5])$",
+ "validationMessage": "Select a number between 0 and 3995"
+ }
+ },
+ {
+ "name": "useCustomImageUri",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Use development image uri",
+ "defaultValue": "No",
+ "toolTip": "Use custom image URI.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ],
+ "required": true
+ },
+ "visible": false
+ },
+ {
+ "name": "sourceImageVhdUri",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Development Image URI",
+ "toolTip": "The URI of the blob containing the development image",
+ "constraints": {
+ "required": "[equals(steps('chkp').useCustomImageUri, 'Yes')]",
+ "regex": "^[a-z0-9A-Z_\\-\\.\\:\\/]{1,500}.vhd$",
+ "validationMessage": "Only alphanumeric characters and '_','-','.',':','/' are allowed, the value must be 1-500 characters long and must end with .vhd. "
+ },
+ "visible": "[equals(steps('chkp').useCustomImageUri, 'Yes')]"
+ },
+ {
+ "name": "customMetrics",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable CloudGuard metrics",
+ "defaultValue": "Yes",
+ "toolTip": "Enable CloudGuard metrics in order to send statuses and statistics collected from Gateway or Standalone to the Azure Monitor service.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "yes"
+ },
+ {
+ "label": "No",
+ "value": "no"
+ }
+ ],
+ "required": true
+ },
+ "visible": true
+ },
+ {
+ "name": "allowSmart1CloudConnection",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Quick connect to Smart-1 Cloud",
+ "defaultValue": "Yes",
+ "toolTip": "Automatically connect this single gateway to Smart-1 Cloud - Check Point's Security Management as a Service",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "yes"
+ },
+ {
+ "label": "No",
+ "value": "no"
+ }
+ ]
+ },
+ "visible": "[equals(steps('chkp').installationType, 'gateway')]"
+ },
+ {
+ "name": "smart1CloudTokenTxt",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Follow these instructions to quickly connect this single gateway to Smart-1 Cloud",
+ "link": {
+ "label": "SK180501 - Connecting CloudGuard Network Security Public Cloud Gateways to Smart-1 Cloud",
+ "uri": "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501"
+ }
+ },
+ "visible": "[equals(steps('chkp').allowSmart1CloudConnection, 'yes')]"
+ },
+ {
+ "name": "Smart1CloudToken",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Smart-1 Cloud Token",
+ "toolTip": "Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal",
+ "constraints": {
+ "required": true,
+ "regex": "[\\S\\s]{5,}",
+ "validationMessage": "Smart1Cloud Token Should contain at lease 5 characters"
+ },
+ "visible": "[equals(steps('chkp').allowSmart1CloudConnection, 'yes')]"
+ }
+ ]
+ },
+ {
+ "name": "network",
+ "label": "Network settings",
+ "subLabel": {
+ "preValidation": "Configure network settings",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Network settings",
+ "elements": [
+ {
+ "name": "virtualNetwork",
+ "type": "Microsoft.Network.VirtualNetworkCombo",
+ "label": {
+ "virtualNetwork": "Virtual network",
+ "subnets": "Subnets"
+ },
+ "toolTip": {
+ "virtualNetwork": "Virtual Network Name",
+ "subnets": "List of subnets to deploy into"
+ },
+ "defaultValue": {
+ "name": "vnet01",
+ "addressPrefixSize": "/16"
+ },
+ "constraints": {
+ "minAddressPrefixSize": "/28"
+ },
+ "options": {
+ "hideExisting": false
+ },
+ "subnets": {
+ "subnet1": {
+ "label": "Frontend subnet",
+ "defaultValue": {
+ "name": "Frontend",
+ "addressPrefixSize": "/24"
+ },
+ "constraints": {
+ "minAddressPrefixSize": "/29",
+ "minAddressCount": 1,
+ "requireContiguousAddresses": true
+ }
+ },
+ "subnet2": {
+ "label": "Backend subnet",
+ "defaultValue": {
+ "name": "Backend",
+ "addressPrefixSize": "/24"
+ },
+ "constraints": {
+ "minAddressPrefixSize": "/29",
+ "minAddressCount": 1,
+ "requireContiguousAddresses": true
+ }
+ }
+ }
+ },
+ {
+ "name": "NSG",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Network Security Group",
+ "toolTip": "Choose between using an existing NSG or using a new NSG",
+ "constraints": {
+ 
"allowedValues": [ + { + "label": "Create new", + "value": true + }, + { + "label": "Existing NSG", + "value": false + } + ], + "required": true + }, + "visible": true + }, + { + "name": "nsgSelector", + "type": "Microsoft.Solutions.ResourceSelector", + "label": "Network Security Group", + "defaultValue": "null", + "toolTip": "Choose an existing NSG", + "resourceType": "Microsoft.Network/NetworkSecurityGroups", + "options": { + "filter": { + "subscription": "onBasics", + "location": "onBasics" + } + }, + "constraints": { + "required": true + }, + "visible": "[equals(steps('network').NSG, false)]" + }, + { + "name": "NSGName", + "type": "Microsoft.Common.TextBox", + "label": "Name", + "defaultValue": "[concat(basics('gatewayNameUi') , '-nsg')]", + "toolTip": "Insert Name for the new NSG", + "multiLine": false, + "constraints": { + "required": "[steps('network').NSG]", + "regex": "^[a-z0-9A-Z-]{1,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." 
+ }, + "visible": "[steps('network').NSG]" + }, + { + "name": "addStorageAccountIpRules", + "type": "Microsoft.Common.OptionsGroup", + "defaultValue": "Network access from all networks", + "label": "Storage Account Network Access", + "toolTip": "Select your preferred network access to the Storage Account, for more information - https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#serial-console-security", + "constraints": { + "allowedValues": [ + { + "label": "Network access from all networks", + "value": false + }, + { + "label": "Network access only from Serial Console", + "value": true + } + ], + "required": true + }, + "visible": true + } + ] + }, + { + "name": "tags", + "label": "Tags", + "elements": [ + { + "name": "tagsByResource", + "type": "Microsoft.Common.TagsByResource", + "toolTip": "Create Azure tags for the new resources", + "resources": [ + "Microsoft.Storage/storageAccounts", + "Microsoft.Network/publicIPAddresses", + "Microsoft.Network/networkInterfaces", + "Microsoft.Compute/virtualMachines", + "Microsoft.Network/routeTables", + "Microsoft.Network/virtualNetworks" + ] + } + ] + } + ], + "outputs": { + "location": "[location()]", + "cloudGuardVersion": "[concat(steps('chkp').cloudGuardVersion, ' - ', coalesce(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "adminPassword": "[basics('auth').password]", + "SerialConsolePasswordHash": "[steps('chkp').AdditionalPassword]", + "MaintenanceModePasswordHash": "[steps('chkp').MaintenanceModePassword]", + "authenticationType": "[basics('auth').authenticationType]", + "sshPublicKey": "[basics('auth').sshPublicKey]", + "vmName": "[basics('gatewayNameUi')]", + "vmSize": "[coalesce(steps('chkp').R8110vmSizeUiBYOL, steps('chkp').R8110vmSizeUiNGTP, steps('chkp').R8110vmSizeUiNGTX, steps('chkp').R8120vmSizeUiBYOL, steps('chkp').R8120vmSizeUiNGTP, steps('chkp').R8120vmSizeUiNGTX )]", + "sicKey": "[coalesce(steps('chkp').sicKeyUi, 'notused')]", + "virtualNetworkName": 
"[steps('network').virtualNetwork.name]", + "virtualNetworkAddressPrefix": "[steps('network').virtualNetwork.addressPrefix]", + "Subnet1Name": "[steps('network').virtualNetwork.subnets.subnet1.name]", + "Subnet1Prefix": "[steps('network').virtualNetwork.subnets.subnet1.addressPrefix]", + "Subnet1StartAddress": "[steps('network').virtualNetwork.subnets.subnet1.startAddress]", + "Subnet2Name": "[steps('network').virtualNetwork.subnets.subnet2.name]", + "Subnet2Prefix": "[steps('network').virtualNetwork.subnets.subnet2.addressPrefix]", + "Subnet2StartAddress": "[steps('network').virtualNetwork.subnets.subnet2.startAddress]", + "vnetNewOrExisting": "[steps('network').virtualNetwork.newOrExisting]", + "virtualNetworkExistingRGName": "[steps('network').virtualNetwork.resourceGroup]", + "managementGUIClientNetwork": "[steps('chkp').managementGUIClientNetwork]", + "installationType": "[steps('chkp').installationType]", + "bootstrapScript": "[steps('chkp').bootstrapScript]", + "allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp').allowUploadDownload, 'true')]", + "additionalDiskSizeGB": "[int(steps('chkp').additionalDiskSizeGB)]", + "diskType": "[if(contains('R81.10' , steps('chkp').cloudGuardVersion) , steps('chkp').VMDiskTypeOldVersions , steps('chkp').VMDiskType)]", + "sourceImageVhdUri": "[coalesce(steps('chkp').sourceImageVhdUri, 'noCustomUri')]", + "customMetrics": "[steps('chkp').customMetrics]", + "adminShell": "[steps('chkp').adminShell]", + "smart1CloudToken": "[steps('chkp').Smart1CloudToken]", + "tagsByResource": "[steps('tags').tagsByResource]", + "deployNewNSG": "[steps('network').NSG]", + "ExistingNSG": "[steps('network').nsgSelector]", + "NewNsgName": "[steps('network').NSGName]", + "addStorageAccountIpRules": "[steps('network').addStorageAccountIpRules]" + } + } +} \ No newline at end of file 
diff --git a/azure/templates/marketplace-single/mainTemplate.json b/azure/templates/marketplace-single/mainTemplate.json
new file mode 100644
index 00000000..57fea308
--- /dev/null
+++ b/azure/templates/marketplace-single/mainTemplate.json
@@ -0,0 +1,942 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "subscriptionId": { + "type": "string", + "defaultValue": "[subscription().subscriptionId]", + "metadata": { + "description": "Subscription ID." + } + }, + "location": { + "type": "string", + "metadata": { + "description": "Deployment location" + }, + "defaultValue": "[resourceGroup().location]" + }, + "cloudGuardVersion": { + "type": "string", + "allowedValues": [ + "R81.10 - Bring Your Own License", + "R81.10 - Pay As You Go (NGTP)", + "R81.10 - Pay As You Go (NGTX)", + "R81.20 - Bring Your Own License", + "R81.20 - Pay As You Go (NGTP)", + "R81.20 - Pay As You Go (NGTX)" + ], + "defaultValue": "R81.20 - Bring Your Own License", + "metadata": { + "description": "Version of Check Point CloudGuard" + } + }, + "authenticationType": { + "type": "string", + "allowedValues": [ + "password", + "sshPublicKey" + ], + "defaultValue": "password", + "metadata": { + "description": "Authentication type" + } + }, + "sshPublicKey": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Administrator SSH public key" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Administrator password" + }, + "defaultValue": "" + }, + "MaintenanceModePasswordHash": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "Description": "Maintenance mode password hash, relevant only for R81.20 and higher versions" + } + }, + "SerialConsolePasswordHash": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "Description": "Optional parameter, used to enable serial console connection in case of SSH key as authentication type" + } + }, + "vmName": { + "type": "string", + "metadata": { + "description": "Name of the Check Point Security Gateway" + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_D3_v2", + "metadata": { + 
"description": "Size of the VM" + } + }, + "adminShell": { + "type": "string", + "defaultValue": "/etc/cli.sh", + "allowedValues": [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh" + ], + "metadata": { + "Description": "The default shell for the admin user" + } + }, + "sicKey": { + "type": "securestring", + "metadata": { + "description": "One time key for Secure Internal Communication" + } + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "vnet" + }, + "virtualNetworkAddressPrefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the virtual network" + }, + "defaultValue": "10.0.0.0/16" + }, + "Subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the 1st subnet" + }, + "defaultValue": "Frontend" + }, + "Subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 1st subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "Subnet1StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the 1st subnet" + }, + "defaultValue": "10.0.1.10" + }, + "Subnet2Name": { + "type": "string", + "metadata": { + "description": "The name of the 2nd subnet" + }, + "defaultValue": "Backend" + }, + "Subnet2Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 2nd subnet" + }, + "defaultValue": "10.0.2.0/24" + }, + "Subnet2StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the 2nd subnet" + }, + "defaultValue": "10.0.2.10" + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "new", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing 
virtual network" + }, + "defaultValue": "[resourceGroup().name]" + }, + "managementGUIClientNetwork": { + "type": "string", + "metadata": { + "description": "Allowed GUI clients" + }, + "defaultValue": "0.0.0.0/0" + }, + "installationType": { + "type": "string", + "metadata": { + "description": "Installation Type" + }, + "defaultValue": "gateway", + "allowedValues": [ + "standalone", + "gateway", + "custom" + ] + }, + "bootstrapScript": { + "type": "string", + "metadata": { + "description": "Bootstrap script" + }, + "defaultValue": "" + }, + "allowDownloadFromUploadToCheckPoint": { + "type": "string", + "allowedValues": [ + "true", + "false" + ], + "defaultValue": "true", + "metadata": { + "description": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + } + }, + "additionalDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "metadata": { + "description": "Amount of additional disk space (in GB)" + }, + "minValue": 0, + "maxValue": 3995 + }, + "diskType": { + "type": "string", + "defaultValue": "Standard_LRS", + "metadata": { + "description": "The type of the OS disk. Premium is applicable only to DS machine sizes" + }, + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ] + }, + "sourceImageVhdUri": { + "type": "string", + "defaultValue": "noCustomUri", + "metadata": { + "description": "The URI of the blob containing the development image" + } + }, + "_artifactsLocation": { + "type": "string", + "metadata": { + "description": "Use the following URI when deploying a custom template: https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/" + }, + "defaultValue": "[deployment().properties.templateLink.uri]" + }, + "_artifactsLocationSasToken": { + "type": "securestring", + "metadata": { + "description": "The sasToken required to access _artifactsLocation. 
When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. Use the defaultValue if the staging location is not secured." + }, + "defaultValue": "" + }, + "customMetrics": { + "type": "string", + "allowedValues": [ + "no", + "yes" + ], + "defaultValue": "yes", + "metadata": { + "Description": "Indicates whether CloudGuard Metrics will be used for this VM monitoring" + } + }, + "smart1CloudToken": { + "type": "securestring", + "defaultValue": "" + }, + "rbacGuid": { + "type": "string", + "defaultValue": "[newGuid()]" + }, + "tagsByResource": { + "type": "object", + "defaultValue": {} + }, + "deployNewNSG": { + "type": "bool", + "defaultValue": true + }, + "ExistingNSG": { + "type": "object", + "defaultValue": {} + }, + "NewNsgName": { + "type": "string", + "defaultValue": "[concat(parameters('vmName'),'-nsg')]" + }, + "addStorageAccountIpRules": { + "type": "bool", + "metadata": { + "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled" + }, + "defaultValue": false + }, + "storageAccountAdditionalIps": { + "type": "array", + "metadata": { + "description": "IPs/CIDRs that are allowed access to the Storage Account" + }, + "defaultValue": [] + } + }, + "variables": { + "templateName": "single", + "templateVersion": "20240716", + "location": "[parameters('location')]", + "offers": { + "R81.10 - Bring Your Own License": "BYOL", + "R81.10 - Pay As You Go (NGTP)": "NGTP", + "R81.10 - Pay As You Go (NGTX)": "NGTX", + "R81.20 - Bring Your Own License": "BYOL", + "R81.20 - Pay As You Go (NGTP)": "NGTP", + "R81.20 - Pay As You Go (NGTX)": "NGTX" + }, + "offer": "[variables('offers')[parameters('cloudGuardVersion')]]", + "osVersions": { + "R81.10 - Bring Your Own License": 
"R8110", + "R81.10 - Pay As You Go (NGTP)": "R8110", + "R81.10 - Pay As You Go (NGTX)": "R8110", + "R81.20 - Bring Your Own License": "R8120", + "R81.20 - Pay As You Go (NGTP)": "R8120", + "R81.20 - Pay As You Go (NGTX)": "R8120" + }, + "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", + "serialConsoleGeographies": { + "eastasia": [ + "20.205.69.28", + "20.195.85.180" + ], + "southeastasia": [ + "20.205.69.28", + "20.195.85.180" + ], + "australiacentral": [ + "20.53.53.224", + "20.70.222.112" + ], + "australiacentral2": [ + "20.53.53.224", + "20.70.222.112" + ], + "australiaeast": [ + "20.53.53.224", + "20.70.222.112" + ], + "australiasoutheast": [ + "20.53.53.224", + "20.70.222.112" + ], + "brazilsouth": [ + "91.234.136.63", + "20.206.0.194" + ], + "brazilsoutheast": [ + "91.234.136.63", + "20.206.0.194" + ], + "canadacentral": [ + "52.228.86.177", + "52.242.40.90" + ], + "canadaeast": [ + "52.228.86.177", + "52.242.40.90" + ], + "northeurope": [ + "52.146.139.220", + "20.105.209.72" + ], + "westeurope": [ + "52.146.139.220", + "20.105.209.72" + ], + "francecentral": [ + "20.111.0.244", + "52.136.191.10" + ], + "francesouth": [ + "20.111.0.244", + "52.136.191.10" + ], + "germanynorth": [ + "51.116.75.88", + "20.52.95.48" + ], + "germanywestcentral": [ + "51.116.75.88", + "20.52.95.48" + ], + "centralindia": [ + "20.192.168.150", + "20.192.153.104" + ], + "southindia": [ + "20.192.168.150", + "20.192.153.104" + ], + "westindia": [ + "20.192.168.150", + "20.192.153.104" + ], + "japaneast": [ + "20.43.70.205", + "20.189.228.222" + ], + "japanwest": [ + "20.43.70.205", + "20.189.228.222" + ], + "koreacentral": [ + "20.200.196.96", + "52.147.119.29" + ], + "koreasouth": [ + "20.200.196.96", + "52.147.119.29" + ], + "norwaywest": [ + "20.100.1.184", + "51.13.138.76" + ], + "norwayeast": [ + "20.100.1.184", + "51.13.138.76" + ], + "switzerlandnorth": [ + "20.208.4.98", + "51.107.251.190" + ], + "switzerlandwest": [ + "20.208.4.98", + 
"51.107.251.190" + ], + "uaecentral": [ + "20.45.95.66", + "20.38.141.5" + ], + "uaenorth": [ + "20.45.95.66", + "20.38.141.5" + ], + "uksouth": [ + "20.90.132.144", + "20.58.68.62" + ], + "ukwest": [ + "20.90.132.144", + "20.58.68.62" + ], + "swedencentral": [ + "51.12.72.223", + "51.12.22.174" + ], + "swedensouth": [ + "51.12.72.223", + "51.12.22.174" + ], + "centralus": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "eastus2": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "eastus": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "northcentralus": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "southcentralus": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "westus2": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "westus3": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "westcentralus": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "westus": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "eastus2euap": [ + "20.45.242.18", + "20.51.21.252" + ], + "centraluseuap": [ + "20.45.242.18", + "20.51.21.252" + ], + "usgovarizona": [ + "20.141.10.130", + "52.127.55.131" + ], + "usgovvirginia": [ + "20.141.10.130", + "52.127.55.131" + ] + }, + "serialConsoleIps": "[if(contains(variables('serialConsoleGeographies'),variables('location')),variables('serialConsoleGeographies')[variables('location')],createArray())]", + "storageAccountIps": "[concat(variables('SerialConsoleIps'),parameters('storageAccountAdditionalIps'))]", + "installationType": "[parameters('installationType')]", + "isBlink": "[equals(variables('installationType'), 'gateway')]", + "storageAccountName": "[concat('bootdiag', uniqueString(resourceGroup().id, deployment().name))]", + "storageAccountType": "Standard_LRS", 
+ "diskSize100GB": 100, + "diskSizeGB": "[add(parameters('additionalDiskSizeGB'), variables('diskSize100GB'))]", + "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'managementGUIClientNetwork=\"', variables('managementGUIClientNetwork'), '\"', '\n', 'customMetrics=\"', variables('customMetrics'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n', 'smart1CloudToken=\"', parameters('smart1CloudToken'), '\"', '\n', 'MaintenanceModePassword=\"', parameters('MaintenanceModePasswordHash'), '\"', '\n', 'passwordHash=\"', parameters('SerialConsolePasswordHash'), '\"', '\n')]", + "imageOffer": "[concat('check-point-cg-', toLower(variables('osVersion')))]", + "imagePublisher": "checkpoint", + "imageSku": "[if(and(equals(parameters('installationType'), 'standalone'), or(equals(variables('osVersion'),'R8110'), equals(variables('osVersion'),'R8120'))), 'mgmt-byol', 'sg-byol')]", + "imageReferenceBYOL": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "[variables('imageSku')]", + "version": "latest" + }, + "imageReferenceNGTP": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp", + "version": "latest" + }, + "imageReferenceNGTP-V2": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp-v2", + "version": "latest" + }, + "imageReferenceNGTX": { + "offer": 
"[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtx", + "version": "latest" + }, + "imageReferenceNGTX-V2": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtx-v2", + "version": "latest" + }, + "imageReferenceMarketplace": "[if(equals(variables('offer'), 'BYOL'), variables('imageReferenceBYOL'), if(equals(variables('offer'), 'NGTP'), variables('imageReferenceNGTP'), if(equals(variables('offer'), 'NGTP-V2'), variables('imageReferenceNGTP-V2'), if(equals(variables('offer'), 'NGTX'), variables('imageReferenceNGTX'), if(equals(variables('offer'), 'NGTX-V2'), variables('imageReferenceNGTX-V2'), json('null'))))))]", + "customImage": "customImage", + "imageReferenceCustomUri": { + "id": "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + }, + "imageReference": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('imageReferenceMarketplace'), variables('imageReferenceCustomUri'))]", + "nic1Name": "[concat(parameters('vmName'), '-eth0')]", + "nic2Name": "[concat(parameters('vmName'), '-eth1')]", + "linuxConfigurationpassword": { + "disablePasswordAuthentication": "false" + }, + "linuxConfigurationsshPublicKey": { + "disablePasswordAuthentication": "true", + "ssh": { + "publicKeys": [ + { + "keyData": "[parameters('sshPublicKey')]", + "path": "/home/notused/.ssh/authorized_keys" + } + ] + } + }, + "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), variables('linuxConfigurationpassword'), variables('linuxConfigurationsshPublicKey'))]", + "planBYOL": { + "name": "[variables('imageSku')]", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP": { + "name": "sg-ngtp", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP-V2": { + "name": "sg-ngtp-v2", + "product": "[variables('imageOffer')]", + "publisher": 
"[variables('imagePublisher')]" + }, + "planNGTX": { + "name": "sg-ngtx", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTX-V2": { + "name": "sg-ngtx-v2", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "plan": "[if(equals(variables('offer'), 'BYOL') , variables('planBYOL'), if(equals(variables('offer'), 'NGTP'), variables('planNGTP'), if(equals(variables('offer'), 'NGTP-V2'), variables('planNGTP-V2'), if(equals(variables('offer'), 'NGTX'), variables('planNGTX'), if(equals(variables('offer'), 'NGTX-V2'), variables('planNGTX-V2'), json('null'))))))]", + "publicIPAddressName": "[parameters('vmName')]", + "publicIPAddressId": "[resourceId('Microsoft.Network/publicIPAddresses/', variables('publicIPAddressName'))]", + "bootstrapScript64": "[base64(parameters('bootstrapScript'))]", + "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]", + "_artifactsLocation": "[if(contains(parameters('_artifactsLocation'),'raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/marketplace'),'https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/',parameters('_artifactsLocation'))]", + "networkSetupURL": "[uri(variables('_artifactsLocation'), concat('nestedtemplates/vnet-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]", + "sicKey": "[parameters('sicKey')]", + "managementGUIClientNetwork": "[parameters('managementGUIClientNetwork')]", + "vmID": "[resourceId('Microsoft.Compute/virtualMachines/', parameters('vmName'))]", + "customMetrics": "[parameters('customMetrics')]", + "identity": "[json('{\"type\": \"SystemAssigned\"}')]", + "monitoringMetricsPublisher": "[concat('/subscriptions/', parameters('subscriptionId'), '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", + "deployNewVnet": "[equals(parameters('vnetNewOrExisting'), 
'new')]", + "vnetRGName": "[if(variables('deployNewVnet'), resourceGroup().name, parameters('virtualNetworkExistingRGName'))]", + "NewNsgReference": { + "id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('NewNsgName'))]" + } + }, + "resources": [ + { + "apiVersion": "2020-06-01", + "name": "pid-6f13b00a-7546-4ab2-be9f-c66815cc6c8b-partnercenter", + "type": "Microsoft.Resources/deployments", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('storageAccountName')]", + "apiVersion": "2022-09-01", + "properties": { + "supportsHttpsTrafficOnly": true, + "allowBlobPublicAccess": false, + "minimumTlsVersion": "TLS1_2", + "networkAcls": { + "bypass": "None", + "defaultAction": "[if(parameters('addStorageAccountIpRules'), 'Deny', 'Allow')]", + "ipRules": "[if(parameters('addStorageAccountIpRules'), map(variables('storageAccountIps'), lambda('ip',createObject('action','Allow','value',lambdaVariables('ip')))), createArray())]" + } + }, + "location": "[variables('location')]", + "sku": { + "name": "[variables('storageAccountType')]" + }, + "kind": "Storage", + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Storage/storageAccounts'), parameters('tagsByResource')['Microsoft.Storage/storageAccounts'], json('{}')) ]" + }, + { + "condition": "[equals(parameters('vnetNewOrExisting'), 'new')]", + "name": "networkNewSetup", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + "value": "[variables('location')]" + }, + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + 
"virtualNetworkAddressPrefix": { + "value": "[parameters('virtualNetworkAddressPrefix')]" + }, + "Subnet1Name": { + "value": "[parameters('Subnet1Name')]" + }, + "Subnet1Prefix": { + "value": "[parameters('Subnet1Prefix')]" + }, + "Subnet1StartAddress": { + "value": "[parameters('Subnet1StartAddress')]" + }, + "Subnet2Name": { + "value": "[parameters('Subnet2Name')]" + }, + "Subnet2Prefix": { + "value": "[parameters('Subnet2Prefix')]" + }, + "Subnet2StartAddress": { + "value": "[parameters('Subnet2StartAddress')]" + }, + "tagsByResource": { + "value": "[parameters('tagsByResource')]" + }, + "deployNsg": { + "value": "[parameters('deployNewNSG')]" + }, + "NewNsgName": { + "value": "[parameters('NewNsgName')]" + } + } + } + }, + { + "condition": "[equals(parameters('vnetNewOrExisting'), 'existing')]", + "name": "networkExistingSetup", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + "value": "[variables('location')]" + }, + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + "virtualNetworkExistingRGName": { + "value": "[variables('vnetRGName')]" + }, + "tagsByResource": { + "value": "[parameters('tagsByResource')]" + }, + "deployNsg": { + "value": "[parameters('deployNewNSG')]" + }, + "NewNsgName": { + "value": "[parameters('NewNsgName')]" + } + } + } + }, + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "2020-06-01", + "location": "[variables('location')]", + "name": "[variables('publicIPAddressName')]", + "sku": { + "name": "Standard" + }, + "properties": { + "idleTimeoutInMinutes": 30, + "publicIPAllocationMethod": "Static", + "dnsSettings": { + "domainNameLabel": "[concat(toLower(parameters('vmName')), '-', uniquestring(resourceGroup().id, deployment().name))]" + } + }, + "tags": "[ 
if(contains(parameters('tagsByResource'), 'Microsoft.Network/publicIPAddresses'), parameters('tagsByResource')['Microsoft.Network/publicIPAddresses'], json('{}')) ]" + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[coalesce(resourceId('Microsoft.Resources/deployments/', 'networkNewSetup'), resourceId('Microsoft.Resources/deployments', 'networkExistingSetup'))]", + "[variables('publicIPAddressId')]" + ], + "location": "[variables('location')]", + "name": "[variables('nic1Name')]", + "properties": { + "enableIPForwarding": true, + "enableAcceleratedNetworking": true, + "networkSecurityGroup": "[if(parameters('deployNewNSG') , variables('NewNsgReference') , parameters('ExistingNSG'))]", + "ipConfigurations": [ + { + "name": "ipconfig1", + "properties": { + "privateIPAddress": "[parameters('Subnet1StartAddress')]", + "privateIPAllocationMethod": "Static", + "PublicIpAddress": { + "Id": "[variables('publicIPAddressId')]" + }, + "subnet": { + "id": "[resourceId(variables('vnetRGName'), 'Microsoft.Network/virtualNetworks/subnets/', parameters('virtualNetworkName'), parameters('Subnet1Name'))]" + } + } + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/networkInterfaces'), parameters('tagsByResource')['Microsoft.Network/networkInterfaces'], json('{}')) ]" + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[coalesce(resourceId('Microsoft.Resources/deployments/', 'networkNewSetup'), resourceId('Microsoft.Resources/deployments/', 'networkExistingSetup'))]" + ], + "location": "[variables('location')]", + "name": "[variables('nic2Name')]", + "properties": { + "enableIPForwarding": true, + "enableAcceleratedNetworking": true, + "ipConfigurations": [ + { + "name": "ipconfig2", + "properties": { + "privateIPAddress": "[parameters('Subnet2StartAddress')]", + "privateIPAllocationMethod": "Static", + "subnet": { + "id": 
"[resourceId(variables('vnetRGName'), 'Microsoft.Network/virtualNetworks/subnets/', parameters('virtualNetworkName'), parameters('Subnet2Name'))]" + } + } + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/networkInterfaces'), parameters('tagsByResource')['Microsoft.Network/networkInterfaces'], json('{}')) ]" + }, + { + "condition": "[not(equals(parameters('sourceImageVhdUri'), 'noCustomUri'))]", + "type": "Microsoft.Compute/images", + "apiVersion": "2020-06-01", + "name": "[variables('customImage')]", + "location": "[variables('location')]", + "properties": { + "storageProfile": { + "osDisk": { + "osType": "Linux", + "osState": "Generalized", + "blobUri": "[parameters('sourceImageVhdUri')]", + "storageAccountType": "Standard_LRS" + } + }, + "hyperVGeneration": "V1" + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Compute/images'), parameters('tagsByResource')['Microsoft.Compute/images'], json('{}')) ]" + }, + { + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2021-07-01", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]", + "[resourceId('Microsoft.Network/networkInterfaces/', variables('nic1Name'))]", + "[resourceId('Microsoft.Network/networkInterfaces/', variables('nic2Name'))]", + "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + ], + "location": "[variables('location')]", + "name": "[parameters('vmName')]", + "plan": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('plan'), json('null'))]", + "identity": "[if(equals(variables('customMetrics'), 'yes'), variables('identity'), json('null'))]", + "properties": { + "UserData": "[base64(concat(variables('customData'), '\n', 'vnet=\"', if(equals(parameters('vnetNewOrExisting'), 'new'), reference('networkNewSetup').outputs.vnetAddressPrefix.value, reference('networkExistingSetup').outputs.vnetAddressPrefix.value), '\"', '\n' ))]", + 
"diagnosticsProfile": { + "bootDiagnostics": { + "enabled": "true", + "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2022-09-01').primaryEndpoints.blob]" + } + }, + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces/', variables('nic1Name'))]", + "properties": { + "primary": true + } + }, + { + "id": "[resourceId('Microsoft.Network/networkInterfaces/', variables('nic2Name'))]", + "properties": { + "primary": false + } + } + ] + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "[concat('not','used')]", + "computerName": "[toLower(parameters('vmName'))]", + "customData": "[base64(concat(variables('customData'), '\n', 'vnet=\"', if(equals(parameters('vnetNewOrExisting'), 'new'), reference('networkNewSetup').outputs.vnetAddressPrefix.value, reference('networkExistingSetup').outputs.vnetAddressPrefix.value), '\"', '\n' ))]", + "linuxConfiguration": "[variables('linuxConfiguration')]" + }, + "storageProfile": { + "imageReference": "[variables('imageReference')]", + "osDisk": { + "caching": "ReadWrite", + "createOption": "FromImage", + "diskSizeGB": "[variables('diskSizeGB')]", + "name": "[parameters('vmName')]", + "managedDisk": { + "storageAccountType": "[parameters('diskType')]" + } + } + } + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Compute/virtualMachines'), parameters('tagsByResource')['Microsoft.Compute/virtualMachines'], json('{}')) ]" + }, + { + "condition": "[equals(variables('customMetrics'), 'yes')]", + "apiVersion": "2020-04-01-preview", + "type": "Microsoft.Authorization/roleAssignments", + "name": "[parameters('rbacGuid')]", + "properties": { + "roleDefinitionId": "[variables('monitoringMetricsPublisher')]", + "principalId": "[reference(variables('vmID'), '2019-12-01', 'Full').identity.principalId]", + 
"scope": "[resourceGroup().id]"
+ },
+ "dependsOn": [
+ "[variables('vmID')]"
+ ],
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Authorization/roleAssignments'), parameters('tagsByResource')['Microsoft.Authorization/roleAssignments'], json('{}')) ]"
+ }
+ ],
+ "outputs": {
+ "GatewayIPAddr": {
+ "type": "string",
+ "value": "[reference(variables('publicIPAddressId')).IpAddress]"
+ },
+ "GatewayFQDN": {
+ "type": "string",
+ "value": "[reference(variables('publicIPAddressId')).dnsSettings.fqdn]"
+ }
+ }
+}
\ No newline at end of file
diff --git a/azure/templates/marketplace-stack-ha/createUiDefinition.json b/azure/templates/marketplace-stack-ha/createUiDefinition.json
new file mode 100644
index 00000000..08494d6a
--- /dev/null
+++ b/azure/templates/marketplace-stack-ha/createUiDefinition.json
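Review bot: The securestring parameters sicKey, smart1CloudToken, MaintenanceModePasswordHash and SerialConsolePasswordHash are concatenated in clear text into variables.customData, and that string is then set both as osProfile.customData and as properties.UserData on the Microsoft.Compute/virtualMachines resource. VM user data is returned by the VM read API and by the instance metadata service, so the secret values can be read back by anyone with read access to the VM even though the parameters are marked securestring; if the gateway bootstrap only consumes one of the two channels the other copy should be dropped, and otherwise the parameter metadata should state where the value ends up, e.g. on smart1CloudToken `"metadata": { "description": "Smart-1 Cloud token; passed to the gateway in clear text via VM custom data / user data" }`. The `"defaultValue": "0.0.0.0/0"` on managementGUIClientNetwork also opens management-GUI client access to all networks whenever the parameter is omitted, which deserves a narrower default or at least an explicit warning in its description. Separately, storageAccountIps references `variables('SerialConsoleIps')` while the variable is declared as `serialConsoleIps`; ARM resolves variable names case-insensitively, but matching the declared spelling avoids confusion.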
@@ -0,0 +1,513 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "basics": [ + { + "name": "clusterObjectNameUi", + "type": "Microsoft.Common.TextBox", + "label": "Cluster Object Name", + "toolTip": "The name of the Check Point CloudGuard Cluster object.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{1,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + } + }, + { + "name": "auth", + "type": "Microsoft.Compute.CredentialsCombo", + "label": { + "authenticationType": "Authentication type", + "password": "Password", + "confirmPassword": "Confirm password", + "sshPublicKey": "SSH public key" + }, + "toolTip": { + "authenticationType": "", + "password": "The user 'admin' password", + "sshPublicKey": "Paste an OpenSSH public key. You can generate a key pair using ssh-keygen (Linux, OS X, Cygwin) or PuttyGen (Windows)" + }, + "constraints": { + "required": true + }, + "options": { + "hideConfirmation": false, + "hidePassword": false + }, + "osPlatform": "Linux" + } + ], + "steps": [ + { + "name": "chkp", + "label": "Check Point CloudGuard Cluster Object settings", + "subLabel": { + "preValidation": "Configure CloudGuard Cluster Object settings", + "postValidation": "Done" + }, + "bladeTitle": "CloudGuard cluster Object settings", + "elements": [ + { + "name": "cloudGuardVersion", + "type": "Microsoft.Common.DropDown", + "label": "Check Point CloudGuard version", + "defaultValue": "R81.10", + "toolTip": "The version of Check Point CloudGuard.", + "constraints": { + "allowedValues": [ + { + "label": "R81.10", + "value": "R81.10" + } + ] + } + }, + { + "name": "R80Offer", + "type": "Microsoft.Common.DropDown", + "label": "License type", + "toolTip": "The type of license.", + "defaultValue": "Bring Your Own License", + "visible": true, + 
"constraints": { + "allowedValues": [ + { + "label": "Bring Your Own License", + "value": "Bring Your Own License" + } + ] + } + }, + { + "name": "R8110vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81.10'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8110", + "sku": "sg-byol" + }, + "count": 2 + }, + { + "name": "R8110vmSizeUiNGTP", + "type": 
"Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81.10'), contains(steps('chkp').R80Offer, '(NGTP)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8110", + "sku": "sg-ngtp" + }, + "count": 2 + }, + { + "name": "R8110vmSizeUiNGTX", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81.10'), contains(steps('chkp').R80Offer, '(NGTX)'))]", + "label": "Virtual machine size", + "toolTip": "The VM 
size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8110", + "sku": "sg-ngtx" + }, + "count": 2 + }, + { + "name": "sicKeyUi", + "type": "Microsoft.Common.PasswordBox", + "label": { + "password": "SIC key", + "confirmPassword": "Confirm SIC key" + }, + "toolTip": "Set the Secure Internal Communication one time secret used to set up trust between the cluster object and the management server.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{8,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the value must be 8-30 
characters long." + }, + "options": { + "hideConfirmation": true + }, + "visible": "true" + }, + { + "name": "bootstrapScript", + "type": "Microsoft.Common.FileUpload", + "label": "Bootstrap script", + "toolTip": "An optional script to run on the initial boot", + "constraints": { + "required": false, + "accept": ".sh,text/plain" + }, + "options": { + "multiple": false, + "uploadMode": "file", + "openMode": "text", + "encoding": "UTF-8" + } + }, + { + "name": "allowUploadDownload", + "type": "Microsoft.Common.OptionsGroup", + "label": "Allow download from/upload to Check Point", + "defaultValue": "Yes", + "toolTip": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "true" + }, + { + "label": "No", + "value": "false" + } + ] + } + }, + { + "name": "additionalDiskSizeGB", + "type": "Microsoft.Common.TextBox", + "label": "Additional disk space (GB)", + "defaultValue": "0", + "toolTip": "Additional disk space (in GB), Initial disk size is 100 GB.", + "constraints": { + "regex": "^([0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-2][0-9][0-9][0-9]|3[0-8][0-9][0-9]|399[0-5])$", + "validationMessage": "Select a number between 0 and 3995" + } + }, + { + "name": "useCustomImageUri", + "type": "Microsoft.Common.OptionsGroup", + "label": "Use development image uri", + "defaultValue": "No", + "toolTip": "", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ], + "required": true + }, + "visible": false + }, + { + "name": "sourceImageVhdUri", + "type": "Microsoft.Common.TextBox", + "label": "Development Image URI", + "toolTip": "The URI of the blob containing the development image", + "constraints": { + "required": "[equals(steps('chkp').useCustomImageUri, 'Yes')]", + "regex": "^[a-z0-9A-Z_\\-\\.\\:\\/]{1,500}.vhd$", + "validationMessage": "Only alphanumeric characters 
and '_','-','.',':','/' are allowed, the value must be 1-500 characters long and must end with .vhd. " + }, + "visible": "[equals(steps('chkp').useCustomImageUri, 'Yes')]" + } + ] + }, + { + "name": "network", + "label": "Network settings", + "subLabel": { + "preValidation": "Configure network settings", + "postValidation": "Done" + }, + "bladeTitle": "Network settings", + "elements": [ + { + "name": "virtualNetwork", + "type": "Microsoft.Network.VirtualNetworkCombo", + "label": { + "virtualNetwork": "Virtual network", + "subnets": "Subnets" + }, + "toolTip": { + "virtualNetwork": "Virtual Network Name", + "subnets": "List of subnets to deploy into" + }, + "defaultValue": { + "name": "vnet01", + "addressPrefixSize": "/16" + }, + "constraints": { + "minAddressPrefixSize": "/28" + }, + "options": { + "hideExisting": false + }, + "subnets": { + "subnet1": { + "label": "Frontend subnet", + "defaultValue": { + "name": "Frontend", + "addressPrefixSize": "/24" + }, + "constraints": { + "minAddressPrefixSize": "/29", + "minAddressCount": 2, + "requireContiguousAddresses": true + } + }, + "subnet2": { + "label": "Backend subnet", + "defaultValue": { + "name": "Backend", + "addressPrefixSize": "/24" + }, + "constraints": { + "minAddressPrefixSize": "/29", + "minAddressCount": 2, + "requireContiguousAddresses": true + } + } + } + } + ] + } + ], + "outputs": { + "location": "[location()]", + "cloudGuardVersion": "[concat(steps('chkp').cloudGuardVersion, ' - ', coalesce(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "adminPassword": "[basics('auth').password]", + "authenticationType": "[basics('auth').authenticationType]", + "sshPublicKey": "[basics('auth').sshPublicKey]", + "vmName": "[basics('clusterObjectNameUi')]", + "vmSize": "[coalesce(steps('chkp').R8110vmSizeUiBYOL, steps('chkp').R8110vmSizeUiNGTP, steps('chkp').R8110vmSizeUiNGTX)]", + "sicKey": "[steps('chkp').sicKeyUi]", + "virtualNetworkName": "[steps('network').virtualNetwork.name]", + 
"virtualNetworkAddressPrefixes": "[steps('network').virtualNetwork.addressPrefixes]",
+ "subnet1Name": "[steps('network').virtualNetwork.subnets.subnet1.name]",
+ "subnet1Prefix": "[steps('network').virtualNetwork.subnets.subnet1.addressPrefix]",
+ "subnet1StartAddress": "[steps('network').virtualNetwork.subnets.subnet1.startAddress]",
+ "subnet2Name": "[steps('network').virtualNetwork.subnets.subnet2.name]",
+ "subnet2Prefix": "[steps('network').virtualNetwork.subnets.subnet2.addressPrefix]",
+ "subnet2StartAddress": "[steps('network').virtualNetwork.subnets.subnet2.startAddress]",
+ "vnetNewOrExisting": "[steps('network').virtualNetwork.newOrExisting]",
+ "virtualNetworkExistingRGName": "[steps('network').virtualNetwork.resourceGroup]",
+ "bootstrapScript": "[steps('chkp').bootstrapScript]",
+ "allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp').allowUploadDownload, 'true')]",
+ "additionalDiskSizeGB": "[int(steps('chkp').additionalDiskSizeGB)]",
+ "sourceImageVhdUri": "[coalesce(steps('chkp').sourceImageVhdUri, 'noCustomUri')]"
+ }
+ }
+}
\ No newline at end of file
diff --git a/azure/templates/marketplace-stack-ha/mainTemplate.json b/azure/templates/marketplace-stack-ha/mainTemplate.json
new file mode 100755
index 00000000..932a8714
--- /dev/null
+++ b/azure/templates/marketplace-stack-ha/mainTemplate.json
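Review bot: The `R80Offer` dropdown in step `chkp` lists only `Bring Your Own License` in its `allowedValues`, yet `R8110vmSizeUiNGTP` and `R8110vmSizeUiNGTX` are gated on that value containing `(NGTP)`/`(NGTX)`, so those two size selectors can never be shown and the `vmSize` output's `coalesce` always resolves to the BYOL selector. Either the PAYG entries were meant to be listed (the companion mainTemplate accepts `R81.10 - Pay As You Go (NGTP)` and `(NGTX)`) or the two unreachable selectors should be removed; the intent should be made explicit one way or the other. Separately, the `sourceImageVhdUri` regex `^[a-z0-9A-Z_\\-\\.\\:\\/]{1,500}.vhd$` leaves the dot before `vhd` unescaped, so any character is accepted there; `"regex": "^[a-z0-9A-Z_\\-\\.\\:\\/]{1,500}\\.vhd$"` matches what the validation message promises. Minor: `sicKeyUi` sets `"visible": "true"` as a string while every other element uses a JSON boolean.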
@@ -0,0 +1,689 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string", + "metadata": { + "description": "Deployment location" + }, + "defaultValue": "[resourceGroup().location]" + }, + "cloudGuardVersion": { + "type": "string", + "allowedValues": [ + "R81.10 - Bring Your Own License", + "R81.10 - Pay As You Go (NGTP)", + "R81.10 - Pay As You Go (NGTX)" + ], + "defaultValue": "R81.10 - Bring Your Own License", + "metadata": { + "description": "Version of Check Point CloudGuard" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Administrator password" + }, + "defaultValue": "" + }, + "authenticationType": { + "type": "string", + "allowedValues": [ + "password", + "sshPublicKey" + ], + "defaultValue": "password", + "metadata": { + "description": "Authentication type" + } + }, + "sshPublicKey": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Administrator SSH public key" + } + }, + "vmName": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "Name of the Check Point Cluster object" + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_D3_v2", + "metadata": { + "description": "Size of the VM" + } + }, + "sicKey": { + "type": "securestring", + "metadata": { + "description": "One time key for Secure Internal Communication" + } + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "[concat(resourceGroup().name, '-vnet')]" + }, + "virtualNetworkAddressPrefixes": { + "type": "array", + "metadata": { + "description": "The address prefixes of the virtual network" + }, + "defaultValue": [ + "10.0.0.0/16" + ] + }, + "subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the frontend subnet" + }, + 
"defaultValue": "Frontend" + }, + "subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the frontend subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "subnet1StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the frontend subnet" + }, + "defaultValue": "10.0.1.10" + }, + "subnet2Name": { + "type": "string", + "metadata": { + "description": "The name of the backend subnet" + }, + "defaultValue": "Backend" + }, + "subnet2Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the backend subnet" + }, + "defaultValue": "10.0.2.0/24" + }, + "subnet2StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the 2nd subnet" + }, + "defaultValue": "10.0.2.10" + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "new", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "" + }, + "_artifactsLocation": { + "type": "string", + "metadata": { + "description": "The base URI where artifacts required by this template are located including a trailing '/'" + }, + "defaultValue": "[deployment().properties.templateLink.uri]" + }, + "_artifactsLocationSasToken": { + "type": "securestring", + "metadata": { + "description": "The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. Use the defaultValue if the staging location is not secured." 
+ }, + "defaultValue": "" + }, + "bootstrapScript": { + "type": "string", + "metadata": { + "description": "Bootstrap script" + }, + "defaultValue": "" + }, + "allowDownloadFromUploadToCheckPoint": { + "type": "string", + "allowedValues": [ + "true", + "false" + ], + "defaultValue": "true", + "metadata": { + "description": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + } + }, + "additionalDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "metadata": { + "description": "Amount of additional disk space (in GB)" + }, + "minValue": 0, + "maxValue": 3995 + }, + "diskType": { + "type": "string", + "defaultValue": "Standard_LRS", + "metadata": { + "description": "The type of the OS disk. Premium is applicable only to DS machine sizes" + }, + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ] + }, + "preview": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Deploy the staged image" + }, + "allowedValues": [ + "", + "-preview" + ] + }, + "sourceImageVhdUri": { + "type": "string", + "defaultValue": "noCustomUri", + "metadata": { + "description": "The URI of the blob containing the development image" + } + }, + "Check_PointTags": { + "type": "object", + "defaultValue": { + "provider": "30DE18BC-F9F6-4F22-9D30-54B8E74CFD5F" + } + } + }, + "variables": { + "installationType": "cluster-stack", + "templateName": "stack-ha", + "templateVersion": "20230219", + "location": "[parameters('location')]", + "offers": { + "R81.10 - Bring Your Own License": "BYOL", + "R81.10 - Pay As You Go (NGTP)": "NGTP", + "R81.10 - Pay As You Go (NGTX)": "NGTX" + }, + "offer": "[variables('offers')[parameters('cloudGuardVersion')]]", + "osVersions": { + "R81.10 - Bring Your Own License": "R8110", + "R81.10 - Pay As You Go (NGTP)": "R8110", + "R81.10 - Pay As You Go (NGTX)": "R8110" + }, + "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", + "isBlink": true, + 
"computeApiVersion": "2017-03-30", + "storageApiVersion": "2016-01-01", + "networkApiVersion": "2017-10-01", + "deploymentsApiVersion": "2016-02-01", + "storageAccountName": "[concat('bootdiag', uniqueString(resourceGroup().id, deployment().name))]", + "storageAccountType": "Standard_LRS", + "diskSize100GB": 100, + "diskSizeGB": "[add(parameters('additionalDiskSizeGB'), variables('diskSize100GB'))]", + "customData": "[concat('#!/usr/bin/python /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'managementGUIClientNetwork=\"', variables('managementGUIClientNetwork'), '\"', '\n', 'resourceGroup=\"', resourceGroup().name, '\"', '\n', 'subscriptionId=\"', subscription().subscriptionId, '\"', '\n', 'subnet1Prefix=\"', first(split(parameters('subnet1Prefix'), '/')), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'tenantId=\"', subscription().tenantId, '\"', '\n', 'virtualNetwork=\"', parameters('virtualNetworkName'), '\"', '\n', 'clusterName=\"', parameters('vmName'), '\"', '\n')]", + "imageOfferR8110": "check-point-cg-r8110", + "imageOffer": "[concat(variables(concat('imageOffer', variables('osVersion'))), parameters('preview'))]", + "imagePublisher": "checkpoint", + "imageReferenceBYOL": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-byol", + "version": "latest" + }, + "imageReferenceNGTP": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp", + 
"version": "latest" + }, + "imageReferenceNGTX": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtx", + "version": "latest" + }, + "imageReferenceMarketplace": "[variables(concat('imageReference', variables('offer')))]", + "customImage": "customImage", + "imageReferenceCustomUri": { + "id": "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + }, + "imageReference": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('imageReferenceMarketplace'), variables('imageReferenceCustomUri'))]", + "nic1Name": "eth0", + "nic2Name": "eth1", + "linuxConfigurationpassword": {}, + "linuxConfigurationsshPublicKey": { + "disablePasswordAuthentication": "true", + "ssh": { + "publicKeys": [ + { + "keyData": "[parameters('sshPublicKey')]", + "path": "/home/notused/.ssh/authorized_keys" + } + ] + } + }, + "linuxConfiguration": "[variables(concat('linuxConfiguration', parameters('authenticationType')))]", + "planBYOL": { + "name": "sg-byol", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP": { + "name": "sg-ngtp", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTX": { + "name": "sg-ngtx", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "plan": "[variables(concat('plan', variables('offer')))]", + "publicIPAddressName": "[parameters('vmName')]", + "publicIPAddressId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName'))]", + "bootstrapScript64": "[base64(parameters('bootstrapScript'))]", + "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]", + "networkSetupURL": "[uri(parameters('_artifactsLocation'), concat('nestedtemplates/vnet-', parameters('vnetNewOrExisting'), '-stack-ha', '.json', parameters('_artifactsLocationSasToken')))]", + "sicKey": "[parameters('sicKey')]", + 
"managementGUIClientNetwork": "", + "externalPrivateAddresses": [ + "[parameters('Subnet1StartAddress')]", + "[concat(split(parameters('subnet1StartAddress'), '.')[0],'.', split(parameters('subnet1StartAddress'), '.')[1],'.', split(parameters('subnet1StartAddress'), '.')[2],'.', string(add(int(split(parameters('subnet1StartAddress'), '.')[3]),1)))]" + ], + "Subnet2PrivateAddresses": [ + "[parameters('subnet2StartAddress')]", + "[concat(split(parameters('subnet2StartAddress'), '.')[0],'.', split(parameters('subnet2StartAddress'), '.')[1],'.', split(parameters('subnet2StartAddress'), '.')[2],'.', string(add(int(split(parameters('subnet2StartAddress'), '.')[3]),1)))]" + ], + "publicIPAddressName1": "[concat(parameters('vmName'), 1)]", + "publicIPAddressId1": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName1'))]", + "publicIPAddressName2": "[concat(parameters('vmName'), 2)]", + "publicIPAddressId2": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName2'))]", + "availabilitySetName": "[concat(parameters('vmName'), '-AvailabilitySet')]", + "count": 2, + "frontEndIPConfMember1Id": "[concat(variables('lbId'), '/frontendIPConfigurations/LoadBalancerFrontEnd1')]", + "frontEndIPConfMember2Id": "[concat(variables('lbId'), '/frontendIPConfigurations/LoadBalancerFrontEnd2')]", + "member1IPConfigId": "[concat(variables('lbId'), '/frontendIPConfigurations/LoadBalancerFrontEnd1')]", + "member2IPConfigId": "[concat(variables('lbId'), '/frontendIPConfigurations/LoadBalancerFrontEnd2')]", + "elbBEAddressPool": "[concat(variables('lbName'), '-pool')]", + "elbBEAddressPoolID": "[concat(variables('lbId'),'/backendAddressPools/',variables('elbBEAddressPool'))]", + "appProbeName": "health_prob_port", + "elbPublicIPName": "frontend-lb-address", + "elbPublicIPId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('elbPublicIPName'))]", + "lbId": "[resourceId('Microsoft.Network/loadBalancers', variables('lbName'))]", 
+ "lbName": "frontend-lb" + }, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('storageAccountName')]", + "apiVersion": "[variables('storageApiVersion')]", + "location": "[variables('location')]", + "sku": { + "name": "[variables('storageAccountType')]" + }, + "kind": "Storage", + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "name": "networkSetup", + "type": "Microsoft.Resources/deployments", + "apiVersion": "[variables('deploymentsApiVersion')]", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + "value": "[variables('location')]" + }, + "apiVersion": { + "value": "[variables('networkApiVersion')]" + }, + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + "virtualNetworkAddressPrefixes": { + "value": "[parameters('virtualNetworkAddressPrefixes')]" + }, + "subnet1Name": { + "value": "[parameters('subnet1Name')]" + }, + "subnet1Prefix": { + "value": "[parameters('subnet1Prefix')]" + }, + "subnet1StartAddress": { + "value": "[parameters('subnet1StartAddress')]" + }, + "subnet2Name": { + "value": "[parameters('subnet2Name')]" + }, + "subnet2Prefix": { + "value": "[parameters('subnet2Prefix')]" + }, + "subnet2StartAddress": { + "value": "[parameters('subnet2StartAddress')]" + }, + "vnetNewOrExisting": { + "value": "[parameters('vnetNewOrExisting')]" + }, + "virtualNetworkExistingRGName": { + "value": "[parameters('virtualNetworkExistingRGName')]" + } + } + } + }, + { + "type": "Microsoft.Compute/availabilitySets", + "apiVersion": "[variables('computeApiVersion')]", + "location": "[variables('location')]", + "name": "[concat(variables('availabilitySetName'))]", + "properties": { + "platformFaultDomainCount": 2 + }, + "sku": { + "name": "Aligned" + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + 
}, + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "[variables('networkApiVersion')]", + "location": "[variables('location')]", + "name": "[variables('elbPublicIPName')]", + "properties": { + "idleTimeoutInMinutes": 30, + "publicIPAllocationMethod": "Static" + } + }, + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "[variables('networkApiVersion')]", + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), copyIndex(1))]", + "copy": { + "name": "publicAddressCopy", + "count": "[variables('count')]" + }, + "properties": { + "idleTimeoutInMinutes": 30, + "publicIPAllocationMethod": "Static" + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "[variables('networkApiVersion')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 'networkSetup')]", + "[variables('lbId')]", + "[variables('publicIPAddressId1')]" + ], + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), '1-', variables('nic1Name'))]", + "properties": { + "enableIPForwarding": true, + "ipConfigurations": [ + { + "name": "ipconfig1", + "properties": { + "privateIPAddress": "[variables('externalPrivateAddresses')[0]]", + "privateIPAllocationMethod": "Static", + "PublicIpAddress": { + "Id": "[variables(concat('publicIPAddressId', 1))]" + }, + "subnet": { + "id": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('Subnet1Name'))]" + }, + "loadBalancerBackendAddressPools": [ + { + "id": "[variables('elbBEAddressPoolID')]" + } + ] + } + } + ] + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "[variables('networkApiVersion')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 'networkSetup')]", + "[variables('lbId')]", + 
"[variables('publicIPAddressId2')]" + ], + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), '2-', variables('nic1Name'))]", + "properties": { + "enableIPForwarding": true, + "ipConfigurations": [ + { + "name": "ipconfig2", + "properties": { + "privateIPAddress": "[variables('externalPrivateAddresses')[1]]", + "privateIPAllocationMethod": "Static", + "PublicIpAddress": { + "Id": "[variables(concat('publicIPAddressId', 2))]" + }, + "subnet": { + "id": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('Subnet1Name'))]" + }, + "loadBalancerBackendAddressPools": [ + { + "id": "[variables('elbBEAddressPoolID')]" + } + ] + } + } + ] + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "[variables('networkApiVersion')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 'networkSetup')]" + ], + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), copyIndex(1), '-', variables('nic2Name'))]", + "copy": { + "name": "interface2Copy", + "count": "[variables('count')]" + }, + "properties": { + "enableIPForwarding": true, + "ipConfigurations": [ + { + "name": "ipconfig2", + "properties": { + "privateIPAddress": "[variables('Subnet2PrivateAddresses')[copyIndex(0)]]", + "privateIPAllocationMethod": "Static", + "subnet": { + "id": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('Subnet2Name'))]" + } + } + } + ] + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "condition": "[not(equals(parameters('sourceImageVhdUri'), 'noCustomUri'))]", + "type": "Microsoft.Compute/images", + "apiVersion": "2017-12-01", + "name": "[variables('customImage')]", + "location": "[variables('location')]", + "properties": { + "storageProfile": { + "osDisk": { + "osType": "Linux", + "osState": "Generalized", + 
"blobUri": "[parameters('sourceImageVhdUri')]", + "storageAccountType": "Standard_LRS" + } + } + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "[variables('computeApiVersion')]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]", + "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), copyIndex(1), '-', variables('nic1Name')))]", + "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), copyIndex(1), '-', variables('nic2Name')))]", + "[resourceId('Microsoft.Compute/availabilitySets', variables('availabilitySetName'))]", + "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + ], + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), copyIndex(1))]", + "copy": { + "name": "virtualMachineCopy", + "count": "[variables('count')]" + }, + "plan": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('plan'), json('null'))]", + "properties": { + "availabilitySet": { + "id": "[resourceId('Microsoft.Compute/availabilitySets', variables('availabilitySetName'))]" + }, + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": "true", + "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), variables('storageApiVersion')).primaryEndpoints.blob]" + } + }, + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), copyIndex(1), '-', variables('nic1Name')))]", + "properties": { + "primary": true + } + }, + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), copyIndex(1), '-', variables('nic2Name')))]", + "properties": { + "primary": false + } + } + ] + }, + "osProfile": 
{
+ "adminPassword": "[parameters('adminPassword')]",
+ "adminUsername": "notused",
+ "computerName": "[concat(toLower(parameters('vmName')), copyIndex(1))]",
+ "customData": "[base64(variables('customData'))]",
+ "linuxConfiguration": "[variables('linuxConfiguration')]"
+ },
+ "storageProfile": {
+ "imageReference": "[variables('imageReference')]",
+ "osDisk": {
+ "caching": "ReadWrite",
+ "createOption": "FromImage",
+ "diskSizeGB": "[variables('diskSizeGB')]",
+ "name": "[concat(parameters('vmName'), copyIndex(1))]",
+ "managedDisk": {
+ "storageAccountType": "[parameters('diskType')]"
+ }
+ }
+ }
+ },
+ "tags": {
+ "provider": "[toUpper(parameters('Check_PointTags').provider)]"
+ }
+ },
+ {
+ "type": "Microsoft.Network/loadBalancers",
+ "apiVersion": "[variables('networkApiVersion')]",
+ "dependsOn": [
+ "[variables('elbPublicIPId')]"
+ ],
+ "name": "[variables('lbName')]",
+ "location": "[variables('location')]",
+ "properties": {
+ "frontendIPConfigurations": [
+ {
+ "name": "LoadBalancerFrontend",
+ "properties": {
+ "publicIPAddress": {
+ "id": "[variables('elbPublicIPId')]"
+ }
+ }
+ }
+ ],
+ "backendAddressPools": [
+ {
+ "name": "[variables('elbBEAddressPool')]"
+ }
+ ],
+ "probes": [
+ {
+ "name": "[variables('appProbeName')]",
+ "properties": {
+ "protocol": "tcp",
+ "port": 8081,
+ "intervalInSeconds": 5,
+ "numberOfProbes": 2
+ }
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {
+ "Member1IPAddr": {
+ "type": "string",
+ "value": "[reference(variables('publicIPAddressId1')).IpAddress]"
+ },
+ "Member2IPAddr": {
+ "type": "string",
+ "value": "[reference(variables('publicIPAddressId2')).IpAddress]"
+ }
+ }
+}
\ No newline at end of file
diff --git a/azure/templates/marketplace-stack-management/createUiDefinition.json b/azure/templates/marketplace-stack-management/createUiDefinition.json
new file mode 100644
index 00000000..3f5a84d7
--- /dev/null
+++ b/azure/templates/marketplace-stack-management/createUiDefinition.json
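Review bot: The boot-diagnostics storage account (first entry in `resources`) is created with `storageApiVersion` `2016-01-01` and no `properties` block, so it takes the platform defaults for transport and access policy — nothing sets `supportsHttpsTrafficOnly`, `minimumTlsVersion` or `allowBlobPublicAccess`. The sibling template earlier in this commit already references the storage provider at `2022-09-01`, so changing the variable to `"storageApiVersion": "2022-09-01",` (the VM's `bootDiagnostics.storageUri` reference uses the same variable and `primaryEndpoints.blob` is available at that version, as the sibling shows) and adding the properties below keeps the two templates consistent and hardens the account. Separately, `variables('customData')` interpolates `sicKey` (declared `securestring`) and the base64 bootstrap script into the VM's `customData`; that value is readable from inside the guest, so the `sicKey` parameter's `description` should state that the one-time key is delivered via custom data rather than only through the secure parameter channel. Minor: `frontEndIPConfMember1Id`, `frontEndIPConfMember2Id`, `member1IPConfigId` and `member2IPConfigId` name frontends `LoadBalancerFrontEnd1`/`2` that the load balancer resource (which defines only `LoadBalancerFrontend`) never creates, and no visible resource uses them, so they look like leftovers.
```json
"kind": "Storage",
"properties": {
  "supportsHttpsTrafficOnly": true,
  "minimumTlsVersion": "TLS1_2",
  "allowBlobPublicAccess": false
},
```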
@@ -0,0 +1,306 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "basics": [ + { + "name": "gatewayNameUi", + "type": "Microsoft.Common.TextBox", + "label": "Server Name", + "toolTip": "The name of the Check Point CloudGuard Security Management Server.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{1,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + } + }, + { + "name": "auth", + "type": "Microsoft.Compute.CredentialsCombo", + "label": { + "authenticationType": "Authentication type", + "password": "Password", + "confirmPassword": "Confirm password", + "sshPublicKey": "SSH public key" + }, + "toolTip": { + "authenticationType": "", + "password": "The user 'admin' password", + "sshPublicKey": "Paste an OpenSSH public key. You can generate a key pair using ssh-keygen (Linux, OS X, Cygwin) or PuttyGen (Windows)" + }, + "constraints": { + "required": true + }, + "options": { + "hideConfirmation": false, + "hidePassword": false + }, + "osPlatform": "Linux" + } + ], + "steps": [ + { + "name": "chkp", + "label": "Check Point CloudGuard Security Management Server settings", + "subLabel": { + "preValidation": "Configure CloudGuard Security Management Server settings", + "postValidation": "Done" + }, + "bladeTitle": "CloudGuard Security Management settings", + "elements": [ + { + "name": "cloudGuardVersion", + "type": "Microsoft.Common.DropDown", + "label": "Check Point CloudGuard version", + "defaultValue": "R81.10", + "toolTip": "The version of Check Point CloudGuard.", + "constraints": { + "allowedValues": [ + { + "label": "R81.10", + "value": "R81.10" + } + ] + } + }, + { + "name": "R80Offer", + "type": "Microsoft.Common.DropDown", + "label": "License type", + "toolTip": "The type of license.", + "defaultValue": "Bring Your Own 
License", + "visible": true, + "constraints": { + "allowedValues": [ + { + "label": "Bring Your Own License", + "value": "Bring Your Own License" + }, + { + "label": "Pay As You Go (MGMT25)", + "value": "Pay As You Go (MGMT25)" + } + ] + } + }, + { + "name": "R8110vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81.10'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Management", + "recommendedSizes": [ + "Standard_D3_v2" + ], + "constraints": { + "excludedSizes": [ + "Standard_A1_v2", + "Standard_D1_v2", + "Standard_DS1_v2", + "Standard_F1", + "Standard_F1s", + "Standard_G1", + "Standard_GS1" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8110", + "sku": "mgmt-byol" + }, + "count": 1 + }, + { + "name": "R8110vmSizeUiMGMT25", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81.10'), contains(steps('chkp').R80Offer, '(MGMT25)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Management", + "recommendedSizes": [ + "Standard_D3_v2" + ], + "constraints": { + "excludedSizes": [ + "Standard_A1_v2", + "Standard_D1_v2", + "Standard_DS1_v2", + "Standard_F1", + "Standard_F1s", + "Standard_G1", + "Standard_GS1" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8110", + "sku": "mgmt-25" + }, + "count": 1 + }, + { + "name": "managementGUIClientNetwork", + "type": "Microsoft.Common.TextBox", + "label": "Allowed GUI clients", + "toolTip": "GUI clients network CIDR", + "defaultValue": "0.0.0.0/0", + "constraints": { + "required": true, + "regex": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", + "validationMessage": "Enter a valid 
IPv4 network CIDR" + } + }, + { + "name": "bootstrapScript", + "type": "Microsoft.Common.FileUpload", + "label": "Bootstrap script", + "toolTip": "An optional script to run on the initial boot", + "constraints": { + "required": false, + "accept": ".sh,text/plain" + }, + "options": { + "multiple": false, + "uploadMode": "file", + "openMode": "text", + "encoding": "UTF-8" + } + }, + { + "name": "allowUploadDownload", + "type": "Microsoft.Common.OptionsGroup", + "label": "Allow download from/upload to Check Point", + "defaultValue": "Yes", + "toolTip": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "true" + }, + { + "label": "No", + "value": "false" + } + ] + } + }, + { + "name": "additionalDiskSizeGB", + "type": "Microsoft.Common.TextBox", + "label": "Additional disk space (GB)", + "defaultValue": "0", + "toolTip": "Additional disk space (in GB), Initial disk size is 100 GB.", + "constraints": { + "regex": "^([0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-2][0-9][0-9][0-9]|3[0-8][0-9][0-9]|399[0-5])$", + "validationMessage": "Select a number between 0 and 3995" + } + }, + { + "name": "useCustomImageUri", + "type": "Microsoft.Common.OptionsGroup", + "label": "Use development image uri", + "defaultValue": "No", + "toolTip": "", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ], + "required": true + }, + "visible": false + }, + { + "name": "sourceImageVhdUri", + "type": "Microsoft.Common.TextBox", + "label": "Development Image URI", + "toolTip": "The URI of the blob containing the development image", + "constraints": { + "required": "[equals(steps('chkp').useCustomImageUri, 'Yes')]", + "regex": "^[a-z0-9A-Z_\\-\\.\\:\\/]{1,500}.vhd$", + "validationMessage": "Only alphanumeric characters and '_','-','.',':','/' are allowed, the value must be 1-500 
characters long and must end with .vhd. " + }, + "visible": "[equals(steps('chkp').useCustomImageUri, 'Yes')]" + } + ] + }, + { + "name": "network", + "label": "Network settings", + "subLabel": { + "preValidation": "Configure network settings", + "postValidation": "Done" + }, + "bladeTitle": "Network settings", + "elements": [ + { + "name": "virtualNetwork", + "type": "Microsoft.Network.VirtualNetworkCombo", + "label": { + "virtualNetwork": "Virtual network", + "subnets": "Subnet" + }, + "toolTip": { + "virtualNetwork": "Virtual Network Name", + "subnets": "The subnet to deploy into" + }, + "defaultValue": { + "name": "vnet01", + "addressPrefixSize": "/20" + }, + "constraints": { + "minAddressPrefixSize": "/29" + }, + "options": { + "hideExisting": false + }, + "subnets": { + "subnet1": { + "label": "Management subnet", + "defaultValue": { + "name": "Management", + "addressPrefixSize": "/24" + }, + "constraints": { + "minAddressPrefixSize": "/29", + "minAddressCount": 1, + "requireContiguousAddresses": true + } + } + } + } + ] + } + ], + "outputs": { + "location": "[location()]", + "cloudGuardVersion": "[concat(steps('chkp').cloudGuardVersion, ' - ', coalesce(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "adminPassword": "[basics('auth').password]", + "authenticationType": "[basics('auth').authenticationType]", + "sshPublicKey": "[basics('auth').sshPublicKey]", + "vmName": "[basics('gatewayNameUi')]", + "vmSize": "[coalesce(steps('chkp').R8110vmSizeUiBYOL, steps('chkp').R8110vmSizeUiMGMT25)]", + "virtualNetworkName": "[steps('network').virtualNetwork.name]", + "virtualNetworkAddressPrefix": "[steps('network').virtualNetwork.addressPrefix]", + "Subnet1Name": "[steps('network').virtualNetwork.subnets.subnet1.name]", + "Subnet1Prefix": "[steps('network').virtualNetwork.subnets.subnet1.addressPrefix]", + "Subnet1StartAddress": "[steps('network').virtualNetwork.subnets.subnet1.startAddress]", + "vnetNewOrExisting": 
"[steps('network').virtualNetwork.newOrExisting]", + "virtualNetworkExistingRGName": "[steps('network').virtualNetwork.resourceGroup]", + "managementGUIClientNetwork": "[steps('chkp').managementGUIClientNetwork]", + "bootstrapScript": "[steps('chkp').bootstrapScript]", + "allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp').allowUploadDownload, 'true')]", + "additionalDiskSizeGB": "[int(steps('chkp').additionalDiskSizeGB)]", + "sourceImageVhdUri": "[coalesce(steps('chkp').sourceImageVhdUri, 'noCustomUri')]" + } + } +} \ No newline at end of file diff --git a/azure/templates/marketplace-stack-management/mainTemplate.json b/azure/templates/marketplace-stack-management/mainTemplate.json new file mode 100755 index 00000000..e8c36031 --- /dev/null +++ b/azure/templates/marketplace-stack-management/mainTemplate.json 
@@ -0,0 +1,465 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string", + "metadata": { + "description": "Deployment location" + }, + "defaultValue": "[resourceGroup().location]" + }, + "cloudGuardVersion": { + "type": "string", + "allowedValues": [ + "R81.10 - Bring Your Own License", + "R81.10 - Pay As You Go (MGMT25)" + ], + "defaultValue": "R81.10 - Bring Your Own License", + "metadata": { + "description": "Version of Check Point CloudGuard" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Administrator password" + }, + "defaultValue": "" + }, + "authenticationType": { + "type": "string", + "allowedValues": [ + "password", + "sshPublicKey" + ], + "defaultValue": "password", + "metadata": { + "description": "Authentication type" + } + }, + "sshPublicKey": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Administrator SSH public key" + } + }, + "vmName": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "Name of the Check Point Security Management Server" + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_D3_v2", + "metadata": { + "description": "Size of the VM" + } + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "[concat(resourceGroup().name, '-vnet')]" + }, + "virtualNetworkAddressPrefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the virtual network" + }, + "defaultValue": "10.0.0.0/16" + }, + "Subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the management subnet" + }, + "defaultValue": "Frontend" + }, + "Subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the management subnet" + }, + 
"defaultValue": "10.0.1.0/24" + }, + "Subnet1StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the management subnet" + }, + "defaultValue": "10.0.1.10" + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "new", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "" + }, + "managementGUIClientNetwork": { + "type": "string", + "metadata": { + "description": "Allowed GUI clients" + }, + "defaultValue": "0.0.0.0/0" + }, + "_artifactsLocation": { + "type": "string", + "metadata": { + "description": "The base URI where artifacts required by this template are located including a trailing '/'" + }, + "defaultValue": "[deployment().properties.templateLink.uri]" + }, + "_artifactsLocationSasToken": { + "type": "securestring", + "metadata": { + "description": "The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. Use the defaultValue if the staging location is not secured." + }, + "defaultValue": "" + }, + "bootstrapScript": { + "type": "string", + "metadata": { + "description": "Bootstrap script" + }, + "defaultValue": "" + }, + "allowDownloadFromUploadToCheckPoint": { + "type": "string", + "allowedValues": [ + "true", + "false" + ], + "defaultValue": "true", + "metadata": { + "description": "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point" + } + }, + "additionalDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "metadata": { + "description": "Amount of additional disk space (in GB)" + }, + "minValue": 0, + "maxValue": 3995 + }, + "diskType": { + "type": "string", + "defaultValue": "Standard_LRS", + "metadata": { + "description": "The type of the OS disk. Premium is applicable only to DS machine sizes" + }, + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ] + }, + "preview": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Deploy the staged image" + }, + "allowedValues": [ + "", + "-preview" + ] + }, + "sourceImageVhdUri": { + "type": "string", + "defaultValue": "noCustomUri", + "metadata": { + "description": "The URI of the blob containing the development image" + } + }, + "Check_PointTags": { + "type": "object", + "defaultValue": { + "provider": "30DE18BC-F9F6-4F22-9D30-54B8E74CFD5F" + } + }, + "msi": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Configure managed service identity for the VM" + } + } + }, + "variables": { + "installationType": "management-stack", + "templateName": "stack-management", + "templateVersion": "20230219", + "location": "[parameters('location')]", + "offers": { + "R81.10 - Bring Your Own License": "BYOL", + "R81.10 - Pay As You Go (MGMT25)": "MGMT25" + }, + "offer": "[variables('offers')[parameters('cloudGuardVersion')]]", + "osVersions": { + "R81.10 - Bring Your Own License": "R8110", + "R81.10 - Pay As You Go (MGMT25)": "R8110" + }, + "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", + "isBlink": false, + "computeApiVersion": "2017-03-30", + "storageApiVersion": "2016-01-01", + "networkApiVersion": "2017-10-01", + "deploymentsApiVersion": "2016-02-01", + "storageAccountName": "[concat('bootdiag', uniqueString(resourceGroup().id, deployment().name))]", + "storageAccountType": "Standard_LRS", + "diskSize100GB": 100, + 
"diskSizeGB": "[add(parameters('additionalDiskSizeGB'), variables('diskSize100GB'))]", + "customData": "[concat('#!/usr/bin/python /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'managementGUIClientNetwork=\"', variables('managementGUIClientNetwork'), '\"', '\n', 'resourceGroup=\"', resourceGroup().name, '\"', '\n', 'subscriptionId=\"', subscription().subscriptionId, '\"', '\n')]", + "imageOfferR8110": "check-point-cg-r8110", + "imageOffer": "[concat(variables(concat('imageOffer', variables('osVersion'))), parameters('preview'))]", + "imagePublisher": "checkpoint", + "imageReferenceBYOL": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "mgmt-byol", + "version": "latest" + }, + "imageReferenceMGMT25": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "mgmt-25", + "version": "latest" + }, + "imageReferenceMarketplace": "[variables(concat('imageReference', variables('offer')))]", + "customImage": "customImage", + "imageReferenceCustomUri": { + "id": "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + }, + "imageReference": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('imageReferenceMarketplace'), variables('imageReferenceCustomUri'))]", + "nic1Name": "[concat(parameters('vmName'), '-eth0')]", + "linuxConfigurationpassword": {}, + "linuxConfigurationsshPublicKey": { + "disablePasswordAuthentication": "true", + "ssh": { + 
"publicKeys": [ + { + "keyData": "[parameters('sshPublicKey')]", + "path": "/home/notused/.ssh/authorized_keys" + } + ] + } + }, + "linuxConfiguration": "[variables(concat('linuxConfiguration', parameters('authenticationType')))]", + "planBYOL": { + "name": "mgmt-byol", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planMGMT25": { + "name": "mgmt-25", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "plan": "[variables(concat('plan', variables('offer')))]", + "publicIPAddressName": "[parameters('vmName')]", + "publicIPAddressId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName'))]", + "bootstrapScript64": "[base64(parameters('bootstrapScript'))]", + "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]", + "networkSetupURL": "[uri(parameters('_artifactsLocation'), concat('nestedtemplates/vnet-', parameters('vnetNewOrExisting'), '-stack-mgmt.json', parameters('_artifactsLocationSasToken')))]", + "sicKey": "notused", + "managementGUIClientNetwork": "[parameters('managementGUIClientNetwork')]", + "identity": "[if(parameters('msi'), json('{\"type\": \"SystemAssigned\"}'), json('null'))]" + }, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('storageAccountName')]", + "apiVersion": "[variables('storageApiVersion')]", + "location": "[variables('location')]", + "sku": { + "name": "[variables('storageAccountType')]" + }, + "kind": "Storage", + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "name": "networkSetup", + "type": "Microsoft.Resources/deployments", + "apiVersion": "[variables('deploymentsApiVersion')]", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + "value": "[variables('location')]" + }, + 
"apiVersion": { + "value": "[variables('networkApiVersion')]" + }, + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + "virtualNetworkAddressPrefix": { + "value": "[parameters('virtualNetworkAddressPrefix')]" + }, + "Subnet1Name": { + "value": "[parameters('Subnet1Name')]" + }, + "Subnet1Prefix": { + "value": "[parameters('Subnet1Prefix')]" + }, + "vnetNewOrExisting": { + "value": "[parameters('vnetNewOrExisting')]" + }, + "virtualNetworkExistingRGName": { + "value": "[parameters('virtualNetworkExistingRGName')]" + } + } + } + }, + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "[variables('networkApiVersion')]", + "location": "[variables('location')]", + "name": "[variables('publicIPAddressName')]", + "properties": { + "idleTimeoutInMinutes": 30, + "publicIPAllocationMethod": "Static" + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "[variables('networkApiVersion')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 'networkSetup')]", + "[variables('publicIPAddressId')]" + ], + "location": "[variables('location')]", + "name": "[variables('nic1Name')]", + "properties": { + "enableIPForwarding": false, + "ipConfigurations": [ + { + "name": "ipconfig1", + "properties": { + "privateIPAddress": "[parameters('Subnet1StartAddress')]", + "privateIPAllocationMethod": "Static", + "PublicIpAddress": { + "Id": "[variables('publicIPAddressId')]" + }, + "subnet": { + "id": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('Subnet1Name'))]" + } + } + } + ] + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "condition": "[not(equals(parameters('sourceImageVhdUri'), 'noCustomUri'))]", + "type": "Microsoft.Compute/images", + "apiVersion": "2017-12-01", + "name": "[variables('customImage')]", + "location": 
"[variables('location')]", + "properties": { + "storageProfile": { + "osDisk": { + "osType": "Linux", + "osState": "Generalized", + "blobUri": "[parameters('sourceImageVhdUri')]", + "storageAccountType": "Standard_LRS" + } + } + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "[variables('computeApiVersion')]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]", + "[resourceId('Microsoft.Network/networkInterfaces', variables('nic1Name'))]", + "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + ], + "location": "[variables('location')]", + "name": "[parameters('vmName')]", + "plan": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('plan'), json('null'))]", + "identity": "[variables('identity')]", + "properties": { + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": "true", + "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), variables('storageApiVersion')).primaryEndpoints.blob]" + } + }, + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nic1Name'))]", + "properties": { + "primary": true + } + } + ] + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "notused", + "computerName": "[toLower(parameters('vmName'))]", + "customData": "[base64(variables('customData'))]", + "linuxConfiguration": "[variables('linuxConfiguration')]" + }, + "storageProfile": { + "imageReference": "[variables('imageReference')]", + "osDisk": { + "caching": "ReadWrite", + "createOption": "FromImage", + "diskSizeGB": "[variables('diskSizeGB')]", + "name": "[parameters('vmName')]", + "managedDisk": { + "storageAccountType": "[parameters('diskType')]" + } + 
} + } + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + } + ], + "outputs": { + "IPAddress": { + "type": "string", + "value": "[reference(variables('publicIPAddressId')).IpAddress]" + } + } +} \ No newline at end of file diff --git a/azure/templates/marketplace-stack-single/createUiDefinition.json b/azure/templates/marketplace-stack-single/createUiDefinition.json new file mode 100644 index 00000000..279644a1 --- /dev/null +++ b/azure/templates/marketplace-stack-single/createUiDefinition.json 
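Review bot: `managementGUIClientNetwork` defaults to `0.0.0.0/0` and is passed straight into `customData`, while the `eth0` NIC gets a static public IP and no `networkSecurityGroup` is referenced anywhere in this template, so a default deployment exposes GUI access to the management server from the whole internet unless the nested `vnet-*-stack-mgmt.json` template (not in this patch view) applies an NSG at subnet level. I would remove the default so the value must be supplied explicitly: `"managementGUIClientNetwork": { "type": "string", "metadata": { "description": "CIDR of the network allowed to connect to the management GUI; do not use 0.0.0.0/0 on an internet-facing server" } }`. Two smaller points: `adminPassword` is a `securestring` with `"defaultValue": ""` while `authenticationType` defaults to `password`, so a parameter-less deployment relies on Azure rejecting the empty password rather than on the template; and the boot-diagnostics storage account (which holds console screenshots and serial output) is created with API version `2016-01-01` and no `supportsHttpsTrafficOnly`/`minimumTlsVersion`, which a newer `Microsoft.Storage` API version would let you set.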
@@ -0,0 +1,513 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "basics": [ + { + "name": "gatewayNameUi", + "type": "Microsoft.Common.TextBox", + "label": "VM Name", + "toolTip": "The name of the Check Point CloudGuard Gateway.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{1,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + } + }, + { + "name": "auth", + "type": "Microsoft.Compute.CredentialsCombo", + "label": { + "authenticationType": "Authentication type", + "password": "Password", + "confirmPassword": "Confirm password", + "sshPublicKey": "SSH public key" + }, + "toolTip": { + "authenticationType": "", + "password": "The user 'admin' password", + "sshPublicKey": "Paste an OpenSSH public key. You can generate a key pair using ssh-keygen (Linux, OS X, Cygwin) or PuttyGen (Windows)" + }, + "constraints": { + "required": true + }, + "options": { + "hideConfirmation": false, + "hidePassword": false + }, + "osPlatform": "Linux" + } + ], + "steps": [ + { + "name": "chkp", + "label": "Check Point CloudGuard Gateway settings", + "subLabel": { + "preValidation": "Configure CloudGuard Gateway settings", + "postValidation": "Done" + }, + "bladeTitle": "CloudGuard Gateway settings", + "elements": [ + { + "name": "cloudGuardVersion", + "type": "Microsoft.Common.DropDown", + "label": "Check Point CloudGuard version", + "defaultValue": "R81.10", + "toolTip": "The version of Check Point CloudGuard Gateway.", + "constraints": { + "allowedValues": [ + { + "label": "R81.10", + "value": "R81.10" + } + ] + } + }, + { + "name": "R80Offer", + "type": "Microsoft.Common.DropDown", + "label": "License type", + "toolTip": "The type of license.", + "defaultValue": "Bring Your Own License", + "visible": true, + "constraints": { + "allowedValues": [ 
+ { + "label": "Bring Your Own License", + "value": "Bring Your Own License" + } + ] + } + }, + { + "name": "R8110vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81.10'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8110", + "sku": "sg-byol" + }, + "count": 1 + }, + { + "name": "R8110vmSizeUiNGTP", + "type": "Microsoft.Compute.SizeSelector", + "visible": 
"[and(equals(steps('chkp').cloudGuardVersion, 'R81.10'), contains(steps('chkp').R80Offer, '(NGTP)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8110", + "sku": "sg-ngtp" + }, + "count": 1 + }, + { + "name": "R8110vmSizeUiNGTX", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81.10'), contains(steps('chkp').R80Offer, '(NGTX)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + 
"recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8110", + "sku": "sg-ngtx" + }, + "count": 1 + }, + { + "name": "sicKeyUi", + "type": "Microsoft.Common.PasswordBox", + "label": { + "password": "SIC key", + "confirmPassword": "Confirm SIC key" + }, + "toolTip": "Set the Secure Internal Communication one time secret used to set up trust between the gateway and the management server.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{8,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the value must be 8-30 characters long." 
+ },
+ "options": {
+ "hideConfirmation": true
+ }
+ },
+ {
+ "name": "bootstrapScript",
+ "type": "Microsoft.Common.FileUpload",
+ "label": "Bootstrap script",
+ "toolTip": "An optional script to run on the initial boot",
+ "constraints": {
+ "required": false,
+ "accept": ".sh,text/plain"
+ },
+ "options": {
+ "multiple": false,
+ "uploadMode": "file",
+ "openMode": "text",
+ "encoding": "UTF-8"
+ }
+ },
+ {
+ "name": "allowUploadDownload",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Allow download from/upload to Check Point",
+ "defaultValue": "Yes",
+ "toolTip": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "true"
+ },
+ {
+ "label": "No",
+ "value": "false"
+ }
+ ]
+ }
+ },
+ {
+ "name": "additionalDiskSizeGB",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Additional disk space (GB)",
+ "defaultValue": "0",
+ "toolTip": "Additional disk space (in GB), Initial disk size is 100 GB.",
+ "constraints": {
+ "regex": "^([0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-2][0-9][0-9][0-9]|3[0-8][0-9][0-9]|399[0-5])$",
+ "validationMessage": "Select a number between 0 and 3995"
+ }
+ },
+ {
+ "name": "useCustomImageUri",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Use development image uri",
+ "defaultValue": "No",
+ "toolTip": "",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ],
+ "required": true
+ },
+ "visible": false
+ },
+ {
+ "name": "sourceImageVhdUri",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Development Image URI",
+ "toolTip": "The URI of the blob containing the development image",
+ "constraints": {
+ "required": "[equals(steps('chkp').useCustomImageUri, 'Yes')]",
+ "regex": "^[a-z0-9A-Z_\\-\\.\\:\\/]{1,500}.vhd$",
+ "validationMessage": "Only alphanumeric characters and '_','-','.',':','/' are allowed, the value must be 1-500 characters long and must end with .vhd. "
+ },
+ "visible": "[equals(steps('chkp').useCustomImageUri, 'Yes')]"
+ }
+ ]
+ },
+ {
+ "name": "network",
+ "label": "Network settings",
+ "subLabel": {
+ "preValidation": "Configure network settings",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Network settings",
+ "elements": [
+ {
+ "name": "virtualNetwork",
+ "type": "Microsoft.Network.VirtualNetworkCombo",
+ "label": {
+ "virtualNetwork": "Virtual network",
+ "subnets": "Subnets"
+ },
+ "toolTip": {
+ "virtualNetwork": "Virtual Network Name",
+ "subnets": "List of subnets to deploy into"
+ },
+ "defaultValue": {
+ "name": "vnet01",
+ "addressPrefixSize": "/16"
+ },
+ "constraints": {
+ "minAddressPrefixSize": "/28"
+ },
+ "options": {
+ "hideExisting": false
+ },
+ "subnets": {
+ "subnet1": {
+ "label": "Frontend subnet",
+ "defaultValue": {
+ "name": "Frontend",
+ "addressPrefixSize": "/24"
+ },
+ "constraints": {
+ "minAddressPrefixSize": "/29",
+ "minAddressCount": 1,
+ "requireContiguousAddresses": true
+ }
+ },
+ "subnet2": {
+ "label": "Backend subnet",
+ "defaultValue": {
+ "name": "Backend",
+ "addressPrefixSize": "/24"
+ },
+ "constraints": {
+ "minAddressPrefixSize": "/29",
+ "minAddressCount": 1,
+ "requireContiguousAddresses": true
+ }
+ }
+ }
+ }
+ ]
+ }
+ ],
+ "outputs": {
+ "location": "[location()]",
+ "cloudGuardVersion": "[concat(steps('chkp').cloudGuardVersion, ' - ', coalesce(steps('chkp').R80Offer, 'Bring Your Own License'))]",
+ "adminPassword": "[basics('auth').password]",
+ "authenticationType": "[basics('auth').authenticationType]",
+ "sshPublicKey": "[basics('auth').sshPublicKey]",
+ "vmName": "[basics('gatewayNameUi')]",
+ "vmSize": "[coalesce(steps('chkp').R8110vmSizeUiBYOL, steps('chkp').R8110vmSizeUiNGTP, steps('chkp').R8110vmSizeUiNGTX )]",
+ "sicKey": "[coalesce(steps('chkp').sicKeyUi, 'notused')]",
+ "virtualNetworkName": "[steps('network').virtualNetwork.name]",
+ "virtualNetworkAddressPrefix": "[steps('network').virtualNetwork.addressPrefix]",
+ "Subnet1Name": "[steps('network').virtualNetwork.subnets.subnet1.name]",
+ "Subnet1Prefix": "[steps('network').virtualNetwork.subnets.subnet1.addressPrefix]",
+ "Subnet1StartAddress": "[steps('network').virtualNetwork.subnets.subnet1.startAddress]",
+ "Subnet2Name": "[steps('network').virtualNetwork.subnets.subnet2.name]",
+ "Subnet2Prefix": "[steps('network').virtualNetwork.subnets.subnet2.addressPrefix]",
+ "Subnet2StartAddress": "[steps('network').virtualNetwork.subnets.subnet2.startAddress]",
+ "vnetNewOrExisting": "[steps('network').virtualNetwork.newOrExisting]",
+ "virtualNetworkExistingRGName": "[steps('network').virtualNetwork.resourceGroup]",
+ "managementGUIClientNetwork": "[steps('chkp').managementGUIClientNetwork]",
+ "bootstrapScript": "[steps('chkp').bootstrapScript]",
+ "allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp').allowUploadDownload, 'true')]",
+ "additionalDiskSizeGB": "[int(steps('chkp').additionalDiskSizeGB)]",
+ "sourceImageVhdUri": "[coalesce(steps('chkp').sourceImageVhdUri, 'noCustomUri')]"
+ }
+ }
+}
\ No newline at end of file
diff --git a/azure/templates/marketplace-stack-single/mainTemplate.json b/azure/templates/marketplace-stack-single/mainTemplate.json
new file mode 100755
index 00000000..c33ab3e1
--- /dev/null
+++ b/azure/templates/marketplace-stack-single/mainTemplate.json
@@ -0,0 +1,552 @@
+{
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "Deployment location"
+ },
+ "defaultValue": "[resourceGroup().location]"
+ },
+ "cloudGuardVersion": {
+ "type": "string",
+ "allowedValues": [
+ "R81.10 - Bring Your Own License",
+ "R81.10 - Pay As You Go (NGTP)",
+ "R81.10 - Pay As You Go (NGTX)"
+ ],
+ "defaultValue": "R81.10 - Bring Your Own License",
+ "metadata": {
+ "description": "Version of Check Point CloudGuard"
+ }
+ },
+ "adminPassword": {
+ "type": "securestring",
+ "metadata": {
+ "description": "Administrator password"
+ },
+ "defaultValue": ""
+ },
+ "authenticationType": {
+ "type": "string",
+ "allowedValues": [
+ "password",
+ "sshPublicKey"
+ ],
+ "defaultValue": "password",
+ "metadata": {
+ "description": "Authentication type"
+ }
+ },
+ "sshPublicKey": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Administrator SSH public key"
+ }
+ },
+ "vmName": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().name]",
+ "metadata": {
+ "description": "Name of the Check Point Security Gateway"
+ }
+ },
+ "vmSize": {
+ "type": "string",
+ "defaultValue": "Standard_D3_v2",
+ "metadata": {
+ "description": "Size of the VM"
+ }
+ },
+ "sicKey": {
+ "type": "securestring",
+ "metadata": {
+ "description": "One time key for Secure Internal Communication"
+ }
+ },
+ "virtualNetworkName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the virtual network"
+ },
+ "defaultValue": "[concat(resourceGroup().name, '-vnet')]"
+ },
+ "virtualNetworkAddressPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the virtual network"
+ },
+ "defaultValue": "10.0.0.0/16"
+ },
+ "Subnet1Name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the frontend subnet"
+ },
+ "defaultValue": "Frontend"
+ },
+ "Subnet1Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the frontend subnet"
+ },
+ "defaultValue": "10.0.1.0/24"
+ },
+ "Subnet1StartAddress": {
+ "type": "string",
+ "metadata": {
+ "description": "The first available address on the frontend subnet"
+ },
+ "defaultValue": "10.0.1.10"
+ },
+ "Subnet2Name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the backend subnet"
+ },
+ "defaultValue": "Backend"
+ },
+ "Subnet2Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the backend subnet"
+ },
+ "defaultValue": "10.0.2.0/24"
+ },
+ "Subnet2StartAddress": {
+ "type": "string",
+ "metadata": {
+ "description": "The first available address on the backend subnet"
+ },
+ "defaultValue": "10.0.2.10"
+ },
+ "vnetNewOrExisting": {
+ "type": "string",
+ "defaultValue": "new",
+ "allowedValues": [
+ "new",
+ "existing"
+ ],
+ "metadata": {
+ "Description": "Indicates whether the virtual network is new or existing"
+ }
+ },
+ "virtualNetworkExistingRGName": {
+ "type": "string",
+ "metadata": {
+ "description": "Resource Group of the existing virtual network"
+ },
+ "defaultValue": ""
+ },
+ "managementGUIClientNetwork": {
+ "type": "string",
+ "metadata": {
+ "description": "Allowed GUI clients"
+ },
+ "defaultValue": "0.0.0.0/0"
+ },
+ "_artifactsLocation": {
+ "type": "string",
+ "metadata": {
+ "description": "The base URI where artifacts required by this template are located including a trailing '/'"
+ },
+ "defaultValue": "[deployment().properties.templateLink.uri]"
+ },
+ "_artifactsLocationSasToken": {
+ "type": "securestring",
+ "metadata": {
+ "description": "The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. Use the defaultValue if the staging location is not secured."
+ },
+ "defaultValue": ""
+ },
+ "bootstrapScript": {
+ "type": "string",
+ "metadata": {
+ "description": "Bootstrap script"
+ },
+ "defaultValue": ""
+ },
+ "allowDownloadFromUploadToCheckPoint": {
+ "type": "string",
+ "allowedValues": [
+ "true",
+ "false"
+ ],
+ "defaultValue": "true",
+ "metadata": {
+ "description": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point"
+ }
+ },
+ "additionalDiskSizeGB": {
+ "type": "int",
+ "defaultValue": 0,
+ "metadata": {
+ "description": "Amount of additional disk space (in GB)"
+ },
+ "minValue": 0,
+ "maxValue": 3995
+ },
+ "diskType": {
+ "type": "string",
+ "defaultValue": "Standard_LRS",
+ "metadata": {
+ "description": "The type of the OS disk. Premium is applicable only to DS machine sizes"
+ },
+ "allowedValues": [
+ "Standard_LRS",
+ "Premium_LRS"
+ ]
+ },
+ "preview": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Deploy the staged image"
+ },
+ "allowedValues": [
+ "",
+ "-preview"
+ ]
+ },
+ "sourceImageVhdUri": {
+ "type": "string",
+ "defaultValue": "noCustomUri",
+ "metadata": {
+ "description": "The URI of the blob containing the development image"
+ }
+ },
+ "Check_PointTags": {
+ "type": "object",
+ "defaultValue": {
+ "provider": "30DE18BC-F9F6-4F22-9D30-54B8E74CFD5F"
+ }
+ }
+ },
+ "variables": {
+ "installationType": "gateway-stack",
+ "templateName": "stack-single",
+ "templateVersion": "20230219",
+ "location": "[parameters('location')]",
+ "offers": {
+ "R81.10 - Bring Your Own License": "BYOL",
+ "R81.10 - Pay As You Go (NGTP)": "NGTP",
+ "R81.10 - Pay As You Go (NGTX)": "NGTX"
+ },
+ "offer": "[variables('offers')[parameters('cloudGuardVersion')]]",
+ "osVersions": {
+ "R81.10 - Bring Your Own License": "R8110",
+ "R81.10 - Pay As You Go (NGTP)": "R8110",
+ "R81.10 - Pay As You Go (NGTX)": "R8110"
+ },
+ "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]",
+ "isBlink": true,
+ "computeApiVersion": "2017-03-30",
+ "storageApiVersion": "2016-01-01",
+ "networkApiVersion": "2017-10-01",
+ "deploymentsApiVersion": "2016-02-01",
+ "storageAccountName": "[concat('bootdiag', uniqueString(resourceGroup().id, deployment().name))]",
+ "storageAccountType": "Standard_LRS",
+ "diskSize100GB": 100,
+ "diskSizeGB": "[add(parameters('additionalDiskSizeGB'), variables('diskSize100GB'))]",
+ "customData": "[concat('#!/usr/bin/python /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'managementGUIClientNetwork=\"', variables('managementGUIClientNetwork'), '\"', '\n', 'resourceGroup=\"', resourceGroup().name, '\"', '\n', 'subscriptionId=\"', subscription().subscriptionId, '\"', '\n')]",
+ "imageOfferR8110": "check-point-cg-r8110",
+ "imageOffer": "[concat(variables(concat('imageOffer', variables('osVersion'))), parameters('preview'))]",
+ "imagePublisher": "checkpoint",
+ "imageReferenceBYOL": {
+ "offer": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]",
+ "sku": "sg-byol",
+ "version": "latest"
+ },
+ "imageReferenceNGTP": {
+ "offer": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]",
+ "sku": "sg-ngtp",
+ "version": "latest"
+ },
+ "imageReferenceNGTX": {
+ "offer": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]",
+ "sku": "sg-ngtx",
+ "version": "latest"
+ },
+ "imageReferenceMarketplace": "[variables(concat('imageReference', variables('offer')))]",
+ "customImage": "customImage",
+ "imageReferenceCustomUri": {
+ "id": "[resourceId('Microsoft.Compute/images/', variables('customImage'))]"
+ },
+ "imageReference": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('imageReferenceMarketplace'), variables('imageReferenceCustomUri'))]",
+ "nic1Name": "[concat(parameters('vmName'), '-eth0')]",
+ "nic2Name": "[concat(parameters('vmName'), '-eth1')]",
+ "linuxConfigurationpassword": {},
+ "linuxConfigurationsshPublicKey": {
+ "disablePasswordAuthentication": "true",
+ "ssh": {
+ "publicKeys": [
+ {
+ "keyData": "[parameters('sshPublicKey')]",
+ "path": "/home/notused/.ssh/authorized_keys"
+ }
+ ]
+ }
+ },
+ "linuxConfiguration": "[variables(concat('linuxConfiguration', parameters('authenticationType')))]",
+ "planBYOL": {
+ "name": "sg-byol",
+ "product": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]"
+ },
+ "planNGTP": {
+ "name": "sg-ngtp",
+ "product": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]"
+ },
+ "planNGTP-V2": {
+ "name": "sg-ngtp-v2",
+ "product": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]"
+ },
+ "planNGTX": {
+ "name": "sg-ngtx",
+ "product": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]"
+ },
+ "plan": "[variables(concat('plan', variables('offer')))]",
+ "publicIPAddressName": "[parameters('vmName')]",
+ "publicIPAddressId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName'))]",
+ "bootstrapScript64": "[base64(parameters('bootstrapScript'))]",
+ "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]",
+ "networkSetupURL": "[uri(parameters('_artifactsLocation'), concat('nestedtemplates/vnet-', parameters('vnetNewOrExisting'), '-stack.json', parameters('_artifactsLocationSasToken')))]",
+ "sicKey": "[parameters('sicKey')]",
+ "managementGUIClientNetwork": "[parameters('managementGUIClientNetwork')]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "name": "[variables('storageAccountName')]",
+ "apiVersion": "[variables('storageApiVersion')]",
+ "location": "[variables('location')]",
+ "sku": {
+ "name": "[variables('storageAccountType')]"
+ },
+ "kind": "Storage",
+ "tags": {
+ "provider": "[toUpper(parameters('Check_PointTags').provider)]"
+ }
+ },
+ {
+ "name": "networkSetup",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "[variables('deploymentsApiVersion')]",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "[variables('networkSetupURL')]",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "location": {
+ "value": "[variables('location')]"
+ },
+ "apiVersion": {
+ "value": "[variables('networkApiVersion')]"
+ },
+ "virtualNetworkName": {
+ "value": "[parameters('virtualNetworkName')]"
+ },
+ "virtualNetworkAddressPrefix": {
+ "value": "[parameters('virtualNetworkAddressPrefix')]"
+ },
+ "Subnet1Name": {
+ "value": "[parameters('Subnet1Name')]"
+ },
+ "Subnet1Prefix": {
+ "value": "[parameters('Subnet1Prefix')]"
+ },
+ "Subnet1StartAddress": {
+ "value": "[parameters('Subnet1StartAddress')]"
+ },
+ "Subnet2Name": {
+ "value": "[parameters('Subnet2Name')]"
+ },
+ "Subnet2Prefix": {
+ "value": "[parameters('Subnet2Prefix')]"
+ },
+ "Subnet2StartAddress": {
+ "value": "[parameters('Subnet2StartAddress')]"
+ },
+ "vnetNewOrExisting": {
+ "value": "[parameters('vnetNewOrExisting')]"
+ },
+ "virtualNetworkExistingRGName": {
+ "value": "[parameters('virtualNetworkExistingRGName')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Network/publicIPAddresses",
+ "apiVersion": "[variables('networkApiVersion')]",
+ "name": "[variables('publicIPAddressName')]",
+ "location": "[variables('location')]",
+ "sku": {
+ "name": "Basic"
+ },
+ "properties": {
+ "idleTimeoutInMinutes": 30,
+ "publicIPAllocationMethod": "Static"
+ },
+ "tags": {
+ "provider": "[toUpper(parameters('Check_PointTags').provider)]"
+ }
+ },
+ {
+ "type": "Microsoft.Network/networkInterfaces",
+ "apiVersion": "[variables('networkApiVersion')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', 'networkSetup')]",
+ "[variables('publicIPAddressId')]"
+ ],
+ "location": "[variables('location')]",
+ "name": "[variables('nic1Name')]",
+ "properties": {
+ "enableIPForwarding": true,
+ "ipConfigurations": [
+ {
+ "name": "ipconfig1",
+ "properties": {
+ "privateIPAddress": "[parameters('Subnet1StartAddress')]",
+ "privateIPAllocationMethod": "Static",
+ "PublicIpAddress": {
+ "Id": "[variables('publicIPAddressId')]"
+ },
+ "subnet": {
+ "id": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('Subnet1Name'))]"
+ }
+ }
+ }
+ ]
+ },
+ "tags": {
+ "provider": "[toUpper(parameters('Check_PointTags').provider)]"
+ }
+ },
+ {
+ "type": "Microsoft.Network/networkInterfaces",
+ "apiVersion": "[variables('networkApiVersion')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', 'networkSetup')]"
+ ],
+ "location": "[variables('location')]",
+ "name": "[variables('nic2Name')]",
+ "properties": {
+ "enableIPForwarding": true,
+ "ipConfigurations": [
+ {
+ "name": "ipconfig2",
+ "properties": {
+ "privateIPAddress": "[parameters('Subnet2StartAddress')]",
+ "privateIPAllocationMethod": "Static",
+ "subnet": {
+ "id": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('Subnet2Name'))]"
+ }
+ }
+ }
+ ]
+ },
+ "tags": {
+ "provider": "[toUpper(parameters('Check_PointTags').provider)]"
+ }
+ },
+ {
+ "condition": "[not(equals(parameters('sourceImageVhdUri'), 'noCustomUri'))]",
+ "type": "Microsoft.Compute/images",
+ "apiVersion": "2017-12-01",
+ "name": "[variables('customImage')]",
+ "location": "[variables('location')]",
+ "properties": {
+ "storageProfile": {
+ "osDisk": {
+ "osType": "Linux",
+ "osState": "Generalized",
+ "blobUri": "[parameters('sourceImageVhdUri')]",
+ "storageAccountType": "Standard_LRS"
+ }
+ }
+ },
+ "tags": {
+ "provider": "[toUpper(parameters('Check_PointTags').provider)]"
+ }
+ },
+ {
+ "type": "Microsoft.Compute/virtualMachines",
+ "apiVersion": "[variables('computeApiVersion')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",
+ "[resourceId('Microsoft.Network/networkInterfaces', variables('nic1Name'))]",
+ "[resourceId('Microsoft.Network/networkInterfaces', variables('nic2Name'))]",
+ "[resourceId('Microsoft.Compute/images/', variables('customImage'))]"
+ ],
+ "location": "[variables('location')]",
+ "name": "[parameters('vmName')]",
+ "plan": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('plan'), json('null'))]",
+ "properties": {
+ "diagnosticsProfile": {
+ "bootDiagnostics": {
+ "enabled": "true",
+ "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), variables('storageApiVersion')).primaryEndpoints.blob]"
+ }
+ },
+ "hardwareProfile": {
+ "vmSize": "[parameters('vmSize')]"
+ },
+ "networkProfile": {
+ "networkInterfaces": [
+ {
+ "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nic1Name'))]",
+ "properties": {
+ "primary": true
+ }
+ },
+ {
+ "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nic2Name'))]",
+ "properties": {
+ "primary": false
+ }
+ }
+ ]
+ },
+ "osProfile": {
+ "adminPassword": "[parameters('adminPassword')]",
+ "adminUsername": "notused",
+ "computerName": "[toLower(parameters('vmName'))]",
+ "customData": "[base64(variables('customData'))]",
+ "linuxConfiguration": "[variables('linuxConfiguration')]"
+ },
+ "storageProfile": {
+ "imageReference": "[variables('imageReference')]",
+ "osDisk": {
+ "caching": "ReadWrite",
+ "createOption": "FromImage",
+ "diskSizeGB": "[variables('diskSizeGB')]",
+ "name": "[parameters('vmName')]",
+ "managedDisk": {
+ "storageAccountType": "[parameters('diskType')]"
+ }
+ }
+ }
+ },
+ "tags": {
+ "provider": "[toUpper(parameters('Check_PointTags').provider)]"
+ }
+ }
+ ],
+ "outputs": {
+ "GatewayIPAddr": {
+ "type": "string",
+ "value": "[reference(variables('publicIPAddressId')).IpAddress]"
+ }
+ }
+}
\ No newline at end of file
diff --git a/azure/templates/marketplace-vmss-waap/createUiDefinition.json b/azure/templates/marketplace-vmss-waap/createUiDefinition.json
new file mode 100755
index 00000000..2ca24a11
--- /dev/null
+++ b/azure/templates/marketplace-vmss-waap/createUiDefinition.json
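Review bot: The boot-diagnostics storage account (`"type": "Microsoft.Storage/storageAccounts"`, `"kind": "Storage"`) is declared with no `properties` block and at `storageApiVersion` 2016-01-01, so it is created without `supportsHttpsTrafficOnly`, a minimum TLS version or a block on anonymous blob access, and the serial log and console screenshots it will hold can expose gateway configuration. The change below moves `storageApiVersion` to `2019-06-01` (the same variable also feeds the VM's `reference(...).primaryEndpoints.blob`, which that version still returns) and adds the three hardening properties; JSON has no comment syntax, so the fence shows only the one changed variable and the rewritten resource. Separately, `sicKey` is a `securestring` parameter but is concatenated in clear into `variables('customData')`; Azure's VM API reference warns against passing secrets through `customData` because the agent persists it unencrypted on the VM, so presumably the gateway consumes and discards the one-time key on first boot — that should be confirmed and stated in the template's README. `managementGUIClientNetwork` also defaults to `0.0.0.0/0`, which a direct (non-portal) deployment inherits silently; dropping that default would force callers to scope it.
```json
"storageApiVersion": "2019-06-01",

{
  "type": "Microsoft.Storage/storageAccounts",
  "name": "[variables('storageAccountName')]",
  "apiVersion": "[variables('storageApiVersion')]",
  "location": "[variables('location')]",
  "sku": {
    "name": "[variables('storageAccountType')]"
  },
  "kind": "Storage",
  "properties": {
    "supportsHttpsTrafficOnly": true,
    "minimumTlsVersion": "TLS1_2",
    "allowBlobPublicAccess": false
  },
  "tags": {
    "provider": "[toUpper(parameters('Check_PointTags').provider)]"
  }
}
```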
@@ -0,0 +1,795 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Compute.MultiVm", + "version": "0.1.2-preview", + "parameters": { + "basics": [ + { + "name": "gatewayScaleSetNameUi", + "type": "Microsoft.Common.TextBox", + "label": "Scale Set name", + "toolTip": "This will determine the hostname prefix of the VM", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{1,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + } + }, + { + "name": "inboundSources", + "type": "Microsoft.Common.TextBox", + "label": "Allow access from", + "defaultValue": "0.0.0.0/0", + "toolTip": "Specify the client IP addresses that can reach your instance. Can be IP address range in CIDR notation (e.g. for any source use 0.0.0.0/0)", + "constraints": { + "required": true, + "regex": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2])){1,50}$", + "validationMessage": "Only CIDR notation is allowed i.e. X.X.X.X/X" + }, + "visible": true + }, + { + "name": "user", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "User is set to 'admin'" + } + }, + { + "name": "auth", + "type": "Microsoft.Compute.CredentialsCombo", + "label": { + "authenticationType": "Authentication type", + "password": "Password", + "confirmPassword": "Confirm password", + "sshPublicKey": "SSH public key" + }, + "toolTip": { + "sshPublicKey": "Paste an OpenSSH public key. 
You can generate a key pair using ssh-keygen (Linux, OS X, Cygwin) or PuttyGen (Windows)" + }, + "constraints": { + "required": true + }, + "options": { + "hideConfirmation": false, + "hidePassword": false + }, + "osPlatform": "Linux" + }, + { + "name": "waapAgentToken", + "type": "Microsoft.Common.PasswordBox", + "label": { + "password": "Infinity Next Agent Token", + "confirmPassword": "Confirm Infinity Next Agent Token" + }, + "toolTip": "Token can be obtained by logging in to [https://portal.checkpoint.com/](https://portal.checkpoint.com/) –> INFINITY POLICY -> CLOUD -> Profiles", + "constraints": { + "required": true, + "regex": "^cp-[a-z0-9A-Z-]{72,72}$", + "validationMessage": "Token should begin with 'cp-' and must be 75 characters long" + }, + "options": { + "hideConfirmation": false + }, + "visible": true + }, + { + "name": "waapAgentFog", + "type": "Microsoft.Common.TextBox", + "label": "Fog address (optional)", + "toolTip": "Fog address", + "constraints": { + "required": false, + "regex": "^https://", + "validationMessage": "Should begin with https://" + }, + "visible": true + }, + { + "name": "adminEmail", + "type": "Microsoft.Common.TextBox", + "label": "Administrator email address (optional)", + "defaultValue": "", + "toolTip": "An email address to notify about scaling events", + "constraints": { + "required": false, + "regex": "^([a-zA-Z0-9_\\-\\.]+)@((\\[[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.)|(([a-zA-Z0-9\\-]+\\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\\]?){1,100}$", + "validationMessage": "Leave empty or enter a valid email address." 
+ } + } + ], + "steps": [ + { + "name": "autoprovision", + "label": "VMSS settings", + "subLabel": { + "preValidation": "Configure VMSS settings", + "postValidation": "Done" + }, + "bladeTitle": "VMSS settings", + "elements": [ + { + "name": "availabilityZonesNum", + "type": "Microsoft.Common.DropDown", + "label": "Number of Availability Zones to use", + "defaultValue": "Two zones", + "toolTip": "The number of availability zones to use for the scale set. The VMs will be spread equally between the zones", + "visible": "[contains(' australiaeast brazilsouth canadacentral centralindia centralus eastus eastus2 francecentral germanywestcentral japaneast koreacentral northeurope norwayeast southafricanorth southcentralus southeastasia uksouth westeurope westus2 westus3 ', concat(' ', location(), ' '))]", + "constraints": { + "allowedValues": [ + { + "label": "One zone", + "value": 1 + }, + { + "label": "Two zones", + "value": 2 + }, + { + "label": "Three zones", + "value": 3 + } + ] + } + }, + { + "name": "R8040vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": true, + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", 
+ "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "infinity-gw", + "sku": "sg-byol" + }, + "count": "[steps('autoprovision').vmCount]" + }, + { + "name": "vmCount", + "type": "Microsoft.Common.TextBox", + "label": "Initial number of gateways", + "toolTip": "Initial number of gateways", + "defaultValue": "2", + "constraints": { + "required": true, + "regex": "^[1-9][0-9]{0,1}$", + "validationMessage": "Please enter a number in the range 1-99." + } + }, + { + "name": "maxVmCount", + "type": "Microsoft.Common.TextBox", + "label": "Maximum number of gateways", + "toolTip": "Maximum number of gateways", + "defaultValue": "10", + "constraints": { + "required": true, + "regex": "^[1-9][0-9]{0,1}$", + "validationMessage": "Please enter a number in the range 1-99." 
+ } + }, + { + "name": "numGwsValidation", + "type": "Microsoft.Common.InfoBox", + "visible": "[greater(steps('autoprovision').vmCount, steps('autoprovision').maxVmCount)]", + "options": { + "icon": "Error", + "text": "Maximum number of gateways is lower than initial number of gateways" + } + }, + { + "name": "instanceLevelPublicIP", + "type": "Microsoft.Common.OptionsGroup", + "label": "Assign public IP address to each gateway", + "toolTip": "Each VMSS instance will have its own public IP address", + "defaultValue": "Yes", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "yes" + }, + { + "label": "No", + "value": "no" + } + ] + } + }, + { + "name": "deploymentMode", + "type": "Microsoft.Common.DropDown", + "label": "Network Load Balancer deployment", + "defaultValue": "External", + "visible": true, + "toolTip": "Define which network load balancer will be deployed", + "constraints": { + "allowedValues": [ + { + "label": "External", + "value": "ELBOnly" + }, + { + "label": "Internal", + "value": "ILBOnly" + } + ] + } + }, + { + "name": "appLoadDistribution", + "type": "Microsoft.Common.OptionsGroup", + "label": "Load Balancer session persistence", + "defaultValue": "Client IP", + "toolTip": "The load balancing distribution method", + "visible": true, + "constraints": { + "allowedValues": [ + { + "label": "Client IP", + "value": "SourceIP" + }, + { + "label": "None", + "value": "Default" + } + ] + } + }, + { + "name": "bootstrapScript", + "type": "Microsoft.Common.FileUpload", + "label": "Bootstrap script", + "toolTip": "Bootstrap script", + "constraints": { + "required": false, + "accept": ".sh,text/plain" + }, + "options": { + "multiple": false, + "uploadMode": "file", + "openMode": "text", + "encoding": "UTF-8" + } + }, + { + "name": "useCustomImageUri", + "type": "Microsoft.Common.OptionsGroup", + "label": "Use development image uri", + "toolTip": "Use custom image URI", + "defaultValue": "No", + "constraints": { + "allowedValues": [ + { + 
"label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ], + "required": false + }, + "visible": false + }, + { + "name": "sourceImageVhdUri", + "type": "Microsoft.Common.TextBox", + "label": "Development Image URI", + "toolTip": "The URI of the blob containing the development image", + "constraints": { + "required": "[equals(steps('autoprovision').useCustomImageUri, 'Yes')]", + "regex": "^[a-z0-9A-Z_\\-\\.\\:\\/]{1,500}.vhd$", + "validationMessage": "Only alphanumeric characters and '_','-','.',':','/' are allowed, the value must be 1-500 characters long and must end with .vhd" + }, + "visible": "[equals(steps('autoprovision').useCustomImageUri, 'Yes')]" + } + ] + }, + { + "name": "network", + "label": "Network settings", + "subLabel": { + "preValidation": "Configure network settings", + "postValidation": "Done" + }, + "bladeTitle": "Network settings", + "elements": [ + { + "name": "virtualNetwork", + "type": "Microsoft.Network.VirtualNetworkCombo", + "label": { + "virtualNetwork": "Virtual network", + "subnets": "Subnets" + }, + "toolTip": { + "virtualNetwork": "Virtual Network Name", + "subnets": "The subnets to deploy into. 
Please note that the following CIDR range 172.16.0.0/12 is used by the Infinity Next Gateway for internal container communication" + }, + "defaultValue": { + "name": "vnet01", + "addressPrefixSize": "/16" + }, + "constraints": { + "minAddressPrefixSize": "/28" + }, + "options": { + "hideExisting": false + }, + "subnets": { + "subnet1": { + "label": "Gateway external subnet", + "defaultValue": { + "name": "VMSS-External", + "addressPrefixSize": "/24" + }, + "constraints": { + "minAddressPrefixSize": "/29", + "minAddressCount": "[steps('autoprovision').maxVmCount]", + "requireContiguousAddresses": false + } + }, + "subnet2": { + "label": "Gateway internal subnet", + "defaultValue": { + "name": "VMSS-Internal", + "addressPrefixSize": "/24" + }, + "constraints": { + "minAddressPrefixSize": "/29", + "minAddressCount": "[steps('autoprovision').maxVmCount]", + "requireContiguousAddresses": false + } + } + } + } + ] + }, + { + "name": "https", + "label": "HTTPS settings", + "subLabel": { + "preValidation": "Configure HTTPS settings", + "postValidation": "Done" + }, + "bladeTitle": "HTTPS settings", + "elements": [ + { + "name": "chooseVault", + "type": "Microsoft.Common.OptionsGroup", + "label": "Certificates", + "toolTip": "Certificates", + "defaultValue": "I don't use HTTPS certificates", + "constraints": { + "allowedValues": [ + { + "label": "I don't use HTTPS certificates", + "value": "none" + }, + { + "label": "Create new Azure Key Vault and upload certificates", + "value": "newVault" + }, + { + "label": "Choose an existing Azure Key Vault", + "value": "existingVault" + } + ], + "required": true + }, + "visible": true + }, + { + "name": "existingKeyVault", + "type": "Microsoft.Solutions.ResourceSelector", + "label": "Choose Key Vault", + "resourceType": "Microsoft.KeyVault/vaults", + "options": { + "filter": { + "subscription": "onBasics", + "location": "onBasics" + } + }, + "toolTip": "The chosen key vault should contain PFX certificates for all the relevant HTTPS 
based assets in the [Infinity Portal](https://portal.checkpoint.com/)", + "visible": "[equals(steps('https').chooseVault, 'existingVault')]" + }, + { + "name": "keyVaultName", + "type": "Microsoft.Common.TextBox", + "label": "Azure Key Vault name", + "toolTip": "Azure Key Vault name", + "constraints": { + "required": true, + "regex": "^[a-zA-Z0-9-]{3,24}$", + "validationMessage": "A vault's name must be between 3-24 alphanumeric characters. The name must begin with a letter, end with a letter or digit, and not contain consecutive hyphens." + }, + "visible": "[equals(steps('https').chooseVault, 'newVault')]" + }, + { + "name": "numberOfCerts", + "type": "Microsoft.Common.DropDown", + "label": "Number of certificates to upload", + "defaultValue": "1", + "toolTip": "Each certificate will have two entries in the Key Vault secrets - one for certificate and one for its password", + "constraints": { + "required": true, + "allowedValues": [ + { + "label": "1", + "value": 1 + }, + { + "label": "2", + "value": 2 + }, + { + "label": "3", + "value": 3 + }, + { + "label": "4", + "value": 4 + }, + { + "label": "5", + "value": 5 + } + ] + }, + "visible": "[equals(steps('https').chooseVault, 'newVault')]" + }, + { + "name": "firstCertificate", + "type": "Microsoft.Common.FileUpload", + "label": "PFX certificate file", + "toolTip": "A PKCS#12 archive containing the Certificate Authority (CA) certificate and private key", + "constraints": { + "required": true, + "accept": ".pfx,.p12" + }, + "options": { + "multiple": false, + "uploadMode": "file", + "openMode": "binary", + "encoding": "UTF-8" + }, + "visible": "[equals(steps('https').chooseVault, 'newVault')]" + }, + { + "name": "firstCertDescription", + "type": "Microsoft.Common.TextBox", + "label": "Description", + "defaultValue": "", + "toolTip": "Please add a description because the uploaded certificate is stored as 'cert[1-5]' in vault's secrets", + "constraints": { + "required": true, + "regex": "^.{1,100}$", + 
"validationMessage": "Description must be 1-100 characters long." + }, + "visible": "[equals(steps('https').chooseVault, 'newVault')]" + }, + { + "name": "firstCertPassword", + "type": "Microsoft.Common.PasswordBox", + "label": { + "password": "Certificate password", + "confirmPassword": "Confirm certificate password" + }, + "toolTip": "Password used when exporting the PFX certificate. The password will be encoded to base64 format and stored in the vault", + "constraints": { + "required": true + }, + "options": { + "hideConfirmation": false + }, + "visible": "[equals(steps('https').chooseVault, 'newVault')]" + }, + { + "name": "secondCertificate", + "type": "Microsoft.Common.FileUpload", + "label": "PFX certificate file", + "toolTip": "A PKCS#12 archive containing the Certificate Authority (CA) certificate and private key", + "constraints": { + "required": "[lessOrEquals(2, steps('https').numberOfCerts)]", + "accept": ".pfx,.p12" + }, + "options": { + "multiple": false, + "uploadMode": "file", + "openMode": "binary", + "encoding": "UTF-8" + }, + "visible": "[and(equals(steps('https').chooseVault, 'newVault'), lessOrEquals(2, coalesce(steps('https').numberOfCerts, int('0'))))]" + }, + { + "name": "secondCertDescription", + "type": "Microsoft.Common.TextBox", + "label": "Description", + "defaultValue": "", + "toolTip": "Please add a description because the uploaded certificate is stored as 'cert[1-5]' in vault's secrets", + "constraints": { + "required": "[lessOrEquals(2, steps('https').numberOfCerts)]", + "regex": "^.{1,100}$", + "validationMessage": "Description must be 1-100 characters long." 
+ },
+ "visible": "[and(equals(steps('https').chooseVault, 'newVault'), lessOrEquals(2, coalesce(steps('https').numberOfCerts, int('0'))))]"
+ },
+ {
+ "name": "secondCertPassword",
+ "type": "Microsoft.Common.PasswordBox",
+ "label": {
+ "password": "Certificate password",
+ "confirmPassword": "Confirm certificate password"
+ },
+ "toolTip": "Password used when exporting the PFX certificate. The password will be encoded to base64 format and stored in the vault",
+ "constraints": {
+ "required": "[lessOrEquals(2, steps('https').numberOfCerts)]"
+ },
+ "options": {
+ "hideConfirmation": false
+ },
+ "visible": "[and(equals(steps('https').chooseVault, 'newVault'), lessOrEquals(2, coalesce(steps('https').numberOfCerts, int('0'))))]"
+ },
+ {
+ "name": "thirdCertificate",
+ "type": "Microsoft.Common.FileUpload",
+ "label": "PFX certificate file",
+ "toolTip": "A PKCS#12 archive containing the Certificate Authority (CA) certificate and private key",
+ "constraints": {
+ "required": "[lessOrEquals(3, steps('https').numberOfCerts)]",
+ "accept": ".pfx,.p12"
+ },
+ "options": {
+ "multiple": false,
+ "uploadMode": "file",
+ "openMode": "binary",
+ "encoding": "UTF-8"
+ },
+ "visible": "[and(equals(steps('https').chooseVault, 'newVault'), lessOrEquals(3, coalesce(steps('https').numberOfCerts, int('0'))))]"
+ },
+ {
+ "name": "thirdCertDescription",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Description",
+ "defaultValue": "",
+ "toolTip": "Please add a description because the uploaded certificate is stored as 'cert[1-5]' in vault's secrets",
+ "constraints": {
+ "required": "[lessOrEquals(3, steps('https').numberOfCerts)]",
+ "regex": "^.{1,100}$",
+ "validationMessage": "Description must be 1-100 characters long." 
+ },
+ "visible": "[and(equals(steps('https').chooseVault, 'newVault'), lessOrEquals(3, coalesce(steps('https').numberOfCerts, int('0'))))]"
+ },
+ {
+ "name": "thirdCertPassword",
+ "type": "Microsoft.Common.PasswordBox",
+ "label": {
+ "password": "Certificate password",
+ "confirmPassword": "Confirm certificate password"
+ },
+ "toolTip": "Password used when exporting the PFX certificate. The password will be encoded to base64 format and stored in the vault",
+ "constraints": {
+ "required": "[lessOrEquals(3, steps('https').numberOfCerts)]"
+ },
+ "options": {
+ "hideConfirmation": false
+ },
+ "visible": "[and(equals(steps('https').chooseVault, 'newVault'), lessOrEquals(3, coalesce(steps('https').numberOfCerts, int('0'))))]"
+ },
+ {
+ "name": "fourthCertificate",
+ "type": "Microsoft.Common.FileUpload",
+ "label": "PFX certificate file",
+ "toolTip": "A PKCS#12 archive containing the Certificate Authority (CA) certificate and private key",
+ "constraints": {
+ "required": "[lessOrEquals(4, steps('https').numberOfCerts)]",
+ "accept": ".pfx,.p12"
+ },
+ "options": {
+ "multiple": false,
+ "uploadMode": "file",
+ "openMode": "binary",
+ "encoding": "UTF-8"
+ },
+ "visible": "[and(equals(steps('https').chooseVault, 'newVault'), lessOrEquals(4, coalesce(steps('https').numberOfCerts, int('0'))))]"
+ },
+ {
+ "name": "fourthCertDescription",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Description",
+ "defaultValue": "",
+ "toolTip": "Please add a description because the uploaded certificate is stored as 'cert[1-5]' in vault's secrets",
+ "constraints": {
+ "required": "[lessOrEquals(4, steps('https').numberOfCerts)]",
+ "regex": "^.{1,100}$",
+ "validationMessage": "Description must be 1-100 characters long." 
+ },
+ "visible": "[and(equals(steps('https').chooseVault, 'newVault'), lessOrEquals(4, coalesce(steps('https').numberOfCerts, int('0'))))]"
+ },
+ {
+ "name": "fourthCertPassword",
+ "type": "Microsoft.Common.PasswordBox",
+ "label": {
+ "password": "Certificate password",
+ "confirmPassword": "Confirm certificate password"
+ },
+ "toolTip": "Password used when exporting the PFX certificate. The password will be encoded to base64 format and stored in the vault",
+ "constraints": {
+ "required": "[lessOrEquals(4, steps('https').numberOfCerts)]"
+ },
+ "options": {
+ "hideConfirmation": false
+ },
+ "visible": "[and(equals(steps('https').chooseVault, 'newVault'), lessOrEquals(4, coalesce(steps('https').numberOfCerts, int('0'))))]"
+ },
+ {
+ "name": "fifthCertificate",
+ "type": "Microsoft.Common.FileUpload",
+ "label": "PFX certificate file",
+ "toolTip": "A PKCS#12 archive containing the Certificate Authority (CA) certificate and private key",
+ "constraints": {
+ "required": "[lessOrEquals(5, steps('https').numberOfCerts)]",
+ "accept": ".pfx,.p12"
+ },
+ "options": {
+ "multiple": false,
+ "uploadMode": "file",
+ "openMode": "binary",
+ "encoding": "UTF-8"
+ },
+ "visible": "[and(equals(steps('https').chooseVault, 'newVault'), lessOrEquals(5, coalesce(steps('https').numberOfCerts, int('0'))))]"
+ },
+ {
+ "name": "fifthCertDescription",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Description",
+ "defaultValue": "",
+ "toolTip": "Please add a description because the uploaded certificate is stored as 'cert[1-5]' in vault's secrets",
+ "constraints": {
+ "required": "[lessOrEquals(5, steps('https').numberOfCerts)]",
+ "regex": "^.{1,100}$",
+ "validationMessage": "Description must be 1-100 characters long." 
+ },
+ "visible": "[and(equals(steps('https').chooseVault, 'newVault'), lessOrEquals(5, coalesce(steps('https').numberOfCerts, int('0'))))]"
+ },
+ {
+ "name": "fifthCertPassword",
+ "type": "Microsoft.Common.PasswordBox",
+ "label": {
+ "password": "Certificate password",
+ "confirmPassword": "Confirm certificate password"
+ },
+ "toolTip": "Password used when exporting the PFX certificate. The password will be encoded to base64 format and stored in the vault",
+ "constraints": {
+ "required": "[lessOrEquals(5, steps('https').numberOfCerts)]"
+ },
+ "options": {
+ "hideConfirmation": false
+ },
+ "visible": "[and(equals(steps('https').chooseVault, 'newVault'), lessOrEquals(5, coalesce(steps('https').numberOfCerts, int('0'))))]"
+ }
+ ]
+ }
+ ],
+ "outputs": {
+ "location": "[location()]",
+ "authenticationType": "[basics('auth').authenticationType]",
+ "adminPassword": "[basics('auth').password]",
+ "sshPublicKey": "[basics('auth').sshPublicKey]",
+ "vmName": "[basics('gatewayScaleSetNameUi')]",
+ "instanceCount": "[steps('autoprovision').vmCount]",
+ "maxInstanceCount": "[steps('autoprovision').maxVmCount]",
+ "deploymentMode": "[steps('autoprovision').deploymentMode]",
+ "instanceLevelPublicIP": "[steps('autoprovision').instanceLevelPublicIP]",
+ "appLoadDistribution": "[steps('autoprovision').appLoadDistribution]",
+ "availabilityZonesNum": "[coalesce(steps('autoprovision').availabilityZonesNum, int('0'))]",
+ "vmSize": "[steps('autoprovision').R8040vmSizeUiBYOL]",
+ "bootstrapScript": "[steps('autoprovision').bootstrapScript]",
+ "sourceImageVhdUri": "[coalesce(steps('autoprovision').sourceImageVhdUri, 'noCustomUri')]",
+ "virtualNetworkName": "[steps('network').virtualNetwork.name]",
+ "virtualNetworkAddressPrefixes": "[steps('network').virtualNetwork.addressPrefixes]",
+ "vnetNewOrExisting": "[steps('network').virtualNetwork.newOrExisting]",
+ "virtualNetworkExistingRGName": "[steps('network').virtualNetwork.resourceGroup]",
+ "subnet1Name": 
"[steps('network').virtualNetwork.subnets.subnet1.name]", + "subnet1Prefix": "[steps('network').virtualNetwork.subnets.subnet1.addressPrefix]", + "subnet2Name": "[steps('network').virtualNetwork.subnets.subnet2.name]", + "subnet2Prefix": "[steps('network').virtualNetwork.subnets.subnet2.addressPrefix]", + "inboundSources": "[basics('inboundSources')]", + "waapAgentToken": "[basics('waapAgentToken')]", + "waapAgentFog": "[basics('waapAgentFog')]", + "adminEmail": "[basics('adminEmail')]", + "chooseVault": "[steps('https').chooseVault]", + "existingKeyVaultRGName": "[if(empty(steps('https').existingKeyVault), resourceGroup().name, first(skip(split(steps('https').existingKeyVault.id, '/'), 4)))]", + "keyVaultName": "[if(equals(steps('https').chooseVault, 'none'), 'vault', if(empty(steps('https').existingKeyVault), steps('https').keyVaultName, steps('https').existingKeyVault.name))]", + "numberOfCerts": "[coalesce(steps('https').numberOfCerts, int('0'))]", + "firstCertificate": "[steps('https').firstCertificate]", + "firstCertDescription": "[steps('https').firstCertDescription]", + "firstCertPassword": "[steps('https').firstCertPassword]", + "secondCertificate": "[steps('https').secondCertificate]", + "secondCertDescription": "[steps('https').secondCertDescription]", + "secondCertPassword": "[steps('https').secondCertPassword]", + "thirdCertificate": "[steps('https').thirdCertificate]", + "thirdCertDescription": "[steps('https').thirdCertDescription]", + "thirdCertPassword": "[steps('https').thirdCertPassword]", + "fourthCertificate": "[steps('https').fourthCertificate]", + "fourthCertDescription": "[steps('https').fourthCertDescription]", + "fourthCertPassword": "[steps('https').fourthCertPassword]", + "fifthCertificate": "[steps('https').fifthCertificate]", + "fifthCertDescription": "[steps('https').fifthCertDescription]", + "fifthCertPassword": "[steps('https').fifthCertPassword]" + } + } +} \ No newline at end of file 
diff --git a/azure/templates/marketplace-vmss-waap/mainTemplate.json b/azure/templates/marketplace-vmss-waap/mainTemplate.json
new file mode 100755
index 00000000..bd80fffb
--- /dev/null
+++ b/azure/templates/marketplace-vmss-waap/mainTemplate.json 
@@ -0,0 +1,1039 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Deployment location"
+ }
+ },
+ "vmName": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().name]",
+ "metadata": {
+ "description": "Name of the VM Scale Set"
+ }
+ },
+ "inboundSources": {
+ "type": "string",
+ "defaultValue": "0.0.0.0/0",
+ "metadata": {
+ "description": "Specify the client IP addresses that can reach your instance. Can be IP address range in CIDR notation (e.g. for any source use 0.0.0.0/0)"
+ }
+ },
+ "authenticationType": {
+ "type": "string",
+ "allowedValues": [
+ "password",
+ "sshPublicKey"
+ ],
+ "defaultValue": "password",
+ "metadata": {
+ "description": "Authentication type"
+ }
+ },
+ "adminPassword": {
+ "type": "securestring",
+ "defaultValue": "",
+ "metadata": {
+ "description": "User is set to 'admin'"
+ }
+ },
+ "sshPublicKey": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Administrator SSH public key"
+ }
+ },
+ "waapAgentToken": {
+ "type": "securestring",
+ "minLength": 75,
+ "maxLength": 75,
+ "metadata": {
+ "description": "Infinity Next Agent Token"
+ }
+ },
+ "waapAgentFog": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Fog address"
+ }
+ },
+ "adminEmail": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Email address to notify about scaling events"
+ }
+ },
+ "availabilityZonesNum": {
+ "type": "int",
+ "allowedValues": [
+ 1,
+ 2,
+ 3
+ ],
+ "defaultValue": 2,
+ "metadata": {
+ "description": "The number of availability zones to use for the scale set. 
The VMs will be spread equally between the zones"
+ }
+ },
+ "vmSize": {
+ "type": "string",
+ "defaultValue": "Standard_DS2_v2",
+ "metadata": {
+ "description": "The VM size of the Security Gateway"
+ }
+ },
+ "diskType": {
+ "type": "string",
+ "defaultValue": "Standard_LRS",
+ "metadata": {
+ "description": "The type of the OS disk. Premium is applicable only to DS machine sizes"
+ },
+ "allowedValues": [
+ "Standard_LRS",
+ "Premium_LRS"
+ ]
+ },
+ "instanceCount": {
+ "type": "string",
+ "defaultValue": "2",
+ "metadata": {
+ "description": "Initial number of gateways"
+ }
+ },
+ "maxInstanceCount": {
+ "type": "string",
+ "defaultValue": "10",
+ "metadata": {
+ "description": "Maximum number of gateways"
+ }
+ },
+ "instanceLevelPublicIP": {
+ "type": "string",
+ "allowedValues": [
+ "yes",
+ "no"
+ ],
+ "defaultValue": "yes",
+ "metadata": {
+ "description": "Assign public IP address to each gateway"
+ }
+ },
+ "elbResourceId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "The Resource ID of the Load Balancer."
+ }
+ },
+ "elbTargetBEAddressPoolName": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "The name of the new External Load Balancer's Backend Pool."
+ }
+ },
+ "deploymentMode": {
+ "type": "string",
+ "allowedValues": [
+ "ELBOnly",
+ "ILBOnly"
+ ],
+ "defaultValue": "ELBOnly",
+ "metadata": {
+ "description": "Load Balancer deployment"
+ }
+ },
+ "appLoadDistribution": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "SourceIP"
+ ],
+ "defaultValue": "SourceIP",
+ "metadata": {
+ "description": "The load balancing distribution method"
+ }
+ },
+ "ilbResourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "The Resource ID of the Target Internal Load Balancer."
+ },
+ "defaultValue": ""
+ },
+ "ilbTargetBEAddressPoolName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the new Internal Load Balancer's Backend Pool." 
+ },
+ "defaultValue": ""
+ },
+ "bootstrapScript": {
+ "type": "string",
+ "metadata": {
+ "description": "Bootstrap script"
+ },
+ "defaultValue": ""
+ },
+ "sourceImageVhdUri": {
+ "type": "string",
+ "defaultValue": "noCustomUri",
+ "metadata": {
+ "description": "The URI of the blob containing the development image"
+ }
+ },
+ "_artifactsLocation": {
+ "type": "string",
+ "defaultValue": "[deployment().properties.templateLink.uri]",
+ "metadata": {
+ "description": "The base URI where artifacts required by this template are located including a trailing '/'"
+ }
+ },
+ "_artifactsLocationSasToken": {
+ "type": "securestring",
+ "defaultValue": "",
+ "metadata": {
+ "description": "The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. Use the defaultValue if the staging location is not secured"
+ }
+ },
+ "vnetNewOrExisting": {
+ "type": "string",
+ "defaultValue": "new",
+ "allowedValues": [
+ "new",
+ "existing"
+ ],
+ "metadata": {
+ "Description": "Indicates whether the virtual network is new or existing"
+ }
+ },
+ "virtualNetworkExistingRGName": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().name]",
+ "metadata": {
+ "description": "Resource Group of the existing virtual network"
+ }
+ },
+ "virtualNetworkName": {
+ "type": "string",
+ "defaultValue": "[concat(resourceGroup().name, '-vnet')]",
+ "metadata": {
+ "description": "The name of the virtual network"
+ }
+ },
+ "virtualNetworkAddressPrefixes": {
+ "type": "array",
+ "metadata": {
+ "description": "The address prefixes of the virtual network. 
Please note that the following CIDR range 172.16.0.0/12 is used by the Infinity Next Gateway for internal container communication"
+ },
+ "defaultValue": [
+ "10.0.0.0/16"
+ ]
+ },
+ "subnet1Name": {
+ "type": "string",
+ "defaultValue": "VMSS-External",
+ "metadata": {
+ "description": "The name of the Gateway external subnet"
+ }
+ },
+ "subnet1Prefix": {
+ "type": "string",
+ "defaultValue": "10.0.1.0/24",
+ "metadata": {
+ "description": "The address prefix of the Gateway external subnet. Please note that the following CIDR range 172.16.0.0/12 is used by the Infinity Next Gateway for internal container communication"
+ }
+ },
+ "subnet2Name": {
+ "type": "string",
+ "defaultValue": "VMSS-Internal",
+ "metadata": {
+ "description": "The name of the Gateway internal subnet"
+ }
+ },
+ "subnet2Prefix": {
+ "type": "string",
+ "defaultValue": "10.0.2.0/24",
+ "metadata": {
+ "description": "The address prefix of the Gateway internal subnet. Please note that the following CIDR range 172.16.0.0/12 is used by the Infinity Next Gateway for internal container communication"
+ }
+ },
+ "chooseVault": {
+ "type": "string",
+ "allowedValues": [
+ "none",
+ "newVault",
+ "existingVault"
+ ],
+ "defaultValue": "none",
+ "metadata": {
+ "description": "Choose an existing Azure Key Vault or create new Azure Key Vault and upload certificates. 'none' means you don't use HTTPS certificates."
+ }
+ },
+ "existingKeyVaultRGName": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().name]",
+ "metadata": {
+ "description": "Resource group name of the existing key vault - could be on a different resource group"
+ }
+ },
+ "keyVaultName": {
+ "type": "string",
+ "minLength": 3,
+ "maxLength": 24,
+ "defaultValue": "vault",
+ "metadata": {
+ "description": "A vault's name must be between 3-24 alphanumeric characters. 
The name must begin with a letter, end with a letter or digit, and not contain consecutive hyphens"
+ }
+ },
+ "numberOfCerts": {
+ "type": "int",
+ "allowedValues": [
+ 0,
+ 1,
+ 2,
+ 3,
+ 4,
+ 5
+ ],
+ "defaultValue": 0,
+ "metadata": {
+ "description": "Number of certificates to upload"
+ }
+ },
+ "firstCertificate": {
+ "type": "securestring",
+ "defaultValue": "",
+ "metadata": {
+ "description": "PFX certificate file encoded to base64 format"
+ }
+ },
+ "firstCertDescription": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "It is recommended to add a description because the uploaded certificate is stored as 'cert[1-5]' in vault's secrets"
+ }
+ },
+ "firstCertPassword": {
+ "type": "securestring",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Password used when exporting the PFX certificate. The password will be encoded to base64 format and stored in the vault"
+ }
+ },
+ "secondCertificate": {
+ "type": "securestring",
+ "defaultValue": ""
+ },
+ "secondCertDescription": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "secondCertPassword": {
+ "type": "securestring",
+ "defaultValue": ""
+ },
+ "thirdCertificate": {
+ "type": "securestring",
+ "defaultValue": ""
+ },
+ "thirdCertDescription": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "thirdCertPassword": {
+ "type": "securestring",
+ "defaultValue": ""
+ },
+ "fourthCertificate": {
+ "type": "securestring",
+ "defaultValue": ""
+ },
+ "fourthCertDescription": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "fourthCertPassword": {
+ "type": "securestring",
+ "defaultValue": ""
+ },
+ "fifthCertificate": {
+ "type": "securestring",
+ "defaultValue": ""
+ },
+ "fifthCertDescription": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "fifthCertPassword": {
+ "type": "securestring",
+ "defaultValue": ""
+ },
+ "adminUsername": {
+ "type": "string",
+ "metadata": {
+ "description": "DO NOT CHANGE"
+ },
+ "defaultValue": "notused"
+ }
+ },
+ "variables": {
+ 
"templateName": "waap_vmss", + "templateVersion": "20210922", + "location": "[parameters('location')]", + "osVersion": "R8040", + "isBlink": true, + "storageAccountName": "[concat('bootdiag', uniqueString(resourceGroup().id, deployment().name))]", + "storageAccountType": "Standard_LRS", + "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', '', '\"', '\n', 'waapAgentToken =\"', variables('waapAgentToken'), '\"', '\n', 'waapAgentFog =\"', variables('waapAgentFog'), '\"', '\n')]", + "imageOffer": "infinity-gw", + "imagePublisher": "checkpoint", + "imageSku": "infinity-img", + "imageReferenceBYOL": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "[variables('imageSku')]", + "version": "latest" + }, + "imageReferenceMarketplace": "[variables('imageReferenceBYOL')]", + "customImage": "customImage", + "imageReferenceCustomUri": { + "id": "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + }, + "imageReference": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('imageReferenceMarketplace'), variables('imageReferenceCustomUri'))]", + "linuxConfigurationpassword": { + "disablePasswordAuthentication": "false" + }, + "linuxConfigurationsshPublicKey": { + "disablePasswordAuthentication": "true", + "ssh": { + "publicKeys": [ + { + "keyData": "[parameters('sshPublicKey')]", + "path": "/home/notused/.ssh/authorized_keys" + } + ] + } + }, + "linuxConfiguration": 
"[if(equals(parameters('authenticationType'), 'password'), variables('linuxConfigurationpassword'), variables('linuxConfigurationsshPublicKey'))]", + "planBYOL": { + "name": "[variables('imageSku')]", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "plan": "[variables('planBYOL')]", + "vmssID": "[resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('vmName'))]", + "bootstrapScript64": "[base64(parameters('bootstrapScript'))]", + "allowUploadDownload": "false", + "waapAgentToken": "[parameters('waapAgentToken')]", + "waapAgentFog": "[parameters('waapAgentFog')]", + "inboundSources": "[parameters('inboundSources')]", + "installationType": "waap_vmss", + "publicIPProperties": { + "name": "instancePublicIP", + "properties": { + "idleTimeoutInMinutes": 15 + } + }, + "upgrading": false, + "networkSetupURL": "[uri(parameters('_artifactsLocation'), concat('nestedtemplates/vnet-2-subnet-ha-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]", + "nsgName": "[concat(parameters('vmName'), '-nsg')]", + "nsgId": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName'))]", + "loadBalacerSetupURL": "[uri(parameters('_artifactsLocation'), concat('nestedtemplates/load-balancers-waap.json', parameters('_artifactsLocationSasToken')))]", + "lbRGName": "[resourceGroup().name]", + "lbName": "[if(equals(parameters('deploymentMode'),'ELBOnly'), 'External-lb', 'Internal-lb')]", + "loadBalancerSetupId": "[resourceId(variables('lbRGName'), 'Microsoft.Resources/deployments', 'loadBalancerSetup')]", + "vnetID": "[if(equals(parameters('vnetNewOrExisting'), 'new'), resourceId(parameters('virtualNetworkExistingRGName'),'Microsoft.Resources/deployments', 'networkNewSetup'), resourceId(parameters('virtualNetworkExistingRGName'),'Microsoft.Resources/deployments', 'networkExistingSetup'))]", + "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts/', 
variables('storageAccountName'))]",
+ "customImageId": "[variables('imageReferenceCustomUri').id]",
+ "availabilityZonesLocations": [
+ "australiaeast",
+ "brazilsouth",
+ "canadacentral",
+ "centralindia",
+ "centralus",
+ "eastus",
+ "eastus2",
+ "francecentral",
+ "germanywestcentral",
+ "japaneast",
+ "koreacentral",
+ "northeurope",
+ "norwayeast",
+ "southafricanorth",
+ "southcentralus",
+ "southeastasia",
+ "uksouth",
+ "westeurope",
+ "westus2",
+ "westus3"
+ ],
+ "availabilityZonesProperty": "[range(1, parameters('availabilityZonesNum'))]",
+ "vaultTags": {
+ "vault": "[parameters('keyVaultName')]"
+ },
+ "isHttps": "[not(equals(parameters('chooseVault'), 'none'))]",
+ "vmssTags": "[if(variables('isHttps'), variables('vaultTags'), json('null'))]",
+ "identity": "[json('{\"type\": \"SystemAssigned\"}')]",
+ "secretsValueArray": [
+ "[parameters('firstCertificate')]",
+ "[parameters('firstCertPassword')]",
+ "[parameters('secondCertificate')]",
+ "[parameters('secondCertPassword')]",
+ "[parameters('thirdCertificate')]",
+ "[parameters('thirdCertPassword')]",
+ "[parameters('fourthCertificate')]",
+ "[parameters('fourthCertPassword')]",
+ "[parameters('fifthCertificate')]",
+ "[parameters('fifthCertPassword')]"
+ ],
+ "secretsNameArray": [
+ "cert1",
+ "cert1-pw",
+ "cert2",
+ "cert2-pw",
+ "cert3",
+ "cert3-pw",
+ "cert4",
+ "cert4-pw",
+ "cert5",
+ "cert5-pw"
+ ],
+ "secretsPasswordDescription": "password",
+ "secretsDescriptionArray": [
+ "[parameters('firstCertDescription')]",
+ "[variables('secretsPasswordDescription')]",
+ "[parameters('secondCertDescription')]",
+ "[variables('secretsPasswordDescription')]",
+ "[parameters('thirdCertDescription')]",
+ "[variables('secretsPasswordDescription')]",
+ "[parameters('fourthCertDescription')]",
+ "[variables('secretsPasswordDescription')]",
+ "[parameters('fifthCertDescription')]",
+ "[variables('secretsPasswordDescription')]"
+ ],
+ "numberOfSecrets": "[mul(parameters('numberOfCerts'), 2)]"
+ },
+ 
"resources": [ + { + "apiVersion": "2020-06-01", + "name": "pid-858bb8ac-3986-4499-adc5-990c43de41c2-partnercenter", + "type": "Microsoft.Resources/deployments", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "condition": "[equals(parameters('vnetNewOrExisting'), 'new')]", + "name": "networkNewSetup", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "resourceGroup": "[parameters('virtualNetworkExistingRGName')]", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + "value": "[variables('location')]" + }, + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + "virtualNetworkAddressPrefixes": { + "value": "[parameters('virtualNetworkAddressPrefixes')]" + }, + "subnet1Name": { + "value": "[parameters('subnet1Name')]" + }, + "subnet1Prefix": { + "value": "[parameters('subnet1Prefix')]" + }, + "subnet2Name": { + "value": "[parameters('subnet2Name')]" + }, + "subnet2Prefix": { + "value": "[parameters('subnet2Prefix')]" + }, + "vmName": { + "value": "[parameters('vmName')]" + }, + "deployNsg": { + "value": false + } + } + } + }, + { + "condition": "[equals(parameters('vnetNewOrExisting'), 'existing')]", + "name": "networkExistingSetup", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "resourceGroup": "[parameters('virtualNetworkExistingRGName')]", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + "value": "[variables('location')]" + }, + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + "virtualNetworkExistingRGName": { + "value": 
"[parameters('virtualNetworkExistingRGName')]" + }, + "vmName": { + "value": "[parameters('vmName')]" + }, + "deployNsg": { + "value": false + } + } + } + }, + { + "name": "loadBalancerSetup", + "type": "Microsoft.Resources/deployments", + "resourceGroup": "[variables('lbRGName')]", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[variables('vnetID')]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('loadBalacerSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "deploymentMode": { + "value": "[parameters('deploymentMode')]" + }, + "location": { + "value": "[variables('location')]" + }, + "vmName": { + "value": "[parameters('vmName')]" + }, + "appLoadDistribution": { + "value": "[parameters('appLoadDistribution')]" + }, + "subnet1Id": { + "value": "[resourceId(parameters('virtualNetworkExistingRGName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnet1Name'))]" + }, + "elbResourceId": { + "value": "[parameters('elbResourceId')]" + }, + "elbTargetBEAddressPoolName": { + "value": "[parameters('elbTargetBEAddressPoolName')]" + }, + "ilbResourceId": { + "value": "[parameters('ilbResourceId')]" + }, + "ilbTargetBEAddressPoolName": { + "value": "[parameters('ilbTargetBEAddressPoolName')]" + }, + "upgrading": { + "value": "[variables('upgrading')]" + } + } + } + }, + { + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('storageAccountName')]", + "apiVersion": "2021-04-01", + "location": "[variables('location')]", + "sku": { + "name": "[variables('storageAccountType')]" + }, + "kind": "Storage" + }, + { + "condition": "[not(equals(parameters('sourceImageVhdUri'), 'noCustomUri'))]", + "type": "Microsoft.Compute/images", + "apiVersion": "2020-06-01", + "name": "[variables('customImage')]", + "location": "[variables('location')]", + "properties": { + "storageProfile": { + "osDisk": { + "osType": "Linux", + "osState": "Generalized", + "blobUri": 
"[parameters('sourceImageVhdUri')]", + "storageAccountType": "Standard_LRS" + } + }, + "hyperVGeneration": "V1" + } + }, + { + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2020-06-01", + "location": "[variables('location')]", + "name": "[variables('nsgName')]", + "properties": { + "securityRules": [ + { + "name": "SSH", + "properties": { + "description": "Allow inbound SSH connection", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "22", + "sourceAddressPrefix": "[variables('inboundSources')]", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 100, + "direction": "Inbound" + } + }, + { + "name": "GAiA-portal", + "properties": { + "description": "Allow inbound HTTPS access to the GAiA portal", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "30443", + "sourceAddressPrefix": "[variables('inboundSources')]", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 110, + "direction": "Inbound" + } + }, + { + "name": "HTTPS", + "properties": { + "description": "Allow inbound HTTPS access", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "443", + "sourceAddressPrefix": "[variables('inboundSources')]", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 120, + "direction": "Inbound" + } + }, + { + "name": "HTTP", + "properties": { + "description": "Allow inbound HTTP access", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "80", + "sourceAddressPrefix": "[variables('inboundSources')]", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 130, + "direction": "Inbound" + } + } + ] + } + }, + { + "type": "Microsoft.Compute/virtualMachineScaleSets", + "apiVersion": "2020-06-01", + "name": "[parameters('vmName')]", + "location": "[variables('location')]", + "identity": "[if(variables('isHttps'), variables('identity'), json('null'))]", + "zones": 
"[if(and(contains(variables('availabilityZonesLocations'), variables('location')), greater(parameters('availabilityZonesNum'), 0)), variables('availabilityZonesProperty'), json('null'))]",
+ "tags": "[variables('vmssTags')]",
+ "dependsOn": [
+ "[variables('vnetID')]",
+ "[variables('loadBalancerSetupId')]",
+ "[variables('storageAccountId')]",
+ "[variables('customImageId')]",
+ "[variables('nsgId')]"
+ ],
+ "sku": {
+ "name": "[parameters('vmSize')]",
+ "tier": "Standard",
+ "capacity": "[parameters('instanceCount')]"
+ },
+ "plan": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('plan'), json('null'))]",
+ "properties": {
+ "upgradePolicy": {
+ "mode": "Manual"
+ },
+ "virtualMachineProfile": {
+ "storageProfile": {
+ "osDisk": {
+ "caching": "ReadWrite",
+ "createOption": "FromImage",
+ "managedDisk": {
+ "storageAccountType": "[parameters('diskType')]"
+ }
+ },
+ "imageReference": "[variables('imageReference')]"
+ },
+ "osProfile": {
+ "adminPassword": "[parameters('adminPassword')]",
+ "adminUsername": "[parameters('adminUsername')]",
+ "computerNamePrefix": "[toLower(parameters('vmName'))]",
+ "customData": "[base64(concat(variables('customData'), '\n', 'vnet=\"', if(equals(parameters('vnetNewOrExisting'), 'new'), reference('networkNewSetup').outputs.vnetAddressPrefixes.value[0], reference('networkExistingSetup').outputs.vnetAddressPrefixes.value[0]), '\"', '\n' ))]",
+ "linuxConfiguration": "[variables('linuxConfiguration')]"
+ },
+ "networkProfile": {
+ "healthProbe": {
+ "id": "[resourceId('Microsoft.Network/loadBalancers/probes', variables('lbName'), reference('loadBalancerSetup').outputs.probeName.value)]"
+ },
+ "networkInterfaceConfigurations": [
+ {
+ "name": "eth0",
+ "properties": {
+ "primary": true,
+ "enableIPForwarding": false,
+ "enableAcceleratedNetworking": true,
+ "networkSecurityGroup": {
+ "id": "[variables('nsgId')]"
+ },
+ "ipConfigurations": [
+ {
+ "name": "ipconfig1",
+ "properties": {
+ 
"publicIpAddressConfiguration": "[if(equals(parameters('instanceLevelPublicIP'),'yes'), variables('publicIPProperties'), json('null'))]",
+ "subnet": {
+ "id": "[resourceId(parameters('virtualNetworkExistingRGName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('Subnet1Name'))]"
+ },
+ "loadBalancerBackendAddressPools": "[if(empty(reference('loadBalancerSetup').outputs.elbId.value), reference('loadBalancerSetup').outputs.ilbBEAddressPoolProperties.value, reference('loadBalancerSetup').outputs.elbBEAddressPoolProperties.value)]"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "name": "eth1",
+ "properties": {
+ "primary": false,
+ "enableIPForwarding": true,
+ "enableAcceleratedNetworking": true,
+ "ipConfigurations": [
+ {
+ "name": "ipconfig2",
+ "properties": {
+ "subnet": {
+ "id": "[resourceId(parameters('virtualNetworkExistingRGName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('Subnet2Name'))]"
+ }
+ }
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "diagnosticsProfile": {
+ "bootDiagnostics": {
+ "enabled": true,
+ "storageUri": "[reference(variables('storageAccountId'), '2021-04-01').primaryEndpoints.blob]"
+ }
+ }
+ },
+ "overprovision": false
+ }
+ },
+ {
+ "type": "Microsoft.Insights/autoscaleSettings",
+ "apiVersion": "2015-04-01",
+ "name": "[parameters('vmName')]",
+ "location": "[variables('location')]",
+ "dependsOn": [
+ "[variables('vmssID')]"
+ ],
+ "properties": {
+ "name": "[parameters('vmName')]",
+ "targetResourceUri": "[variables('vmssID')]",
+ "notifications": [
+ {
+ "operation": "Scale",
+ "email": {
+ "sendToSubscriptionAdministrator": false,
+ "sendToSubscriptionCoAdministrators": false,
+ "customEmails": "[if(empty(parameters('adminEmail')), json('null'), array(parameters('adminEmail')))]"
+ }
+ }
+ ],
+ "enabled": true,
+ "profiles": [
+ {
+ "name": "Profile1",
+ "capacity": {
+ "minimum": "[parameters('instanceCount')]",
+ "maximum": "[parameters('maxInstanceCount')]",
+ "default": 
"[parameters('instanceCount')]"
+ },
+ "rules": [
+ {
+ "metricTrigger": {
+ "metricName": "Percentage CPU",
+ "metricResourceUri": "[variables('vmssID')]",
+ "timeGrain": "PT1M",
+ "statistic": "Average",
+ "timeWindow": "PT5M",
+ "timeAggregation": "Average",
+ "operator": "GreaterThan",
+ "threshold": 80
+ },
+ "scaleAction": {
+ "direction": "Increase",
+ "type": "ChangeCount",
+ "value": "1",
+ "cooldown": "PT5M"
+ }
+ },
+ {
+ "metricTrigger": {
+ "metricName": "Percentage CPU",
+ "metricResourceUri": "[variables('vmssID')]",
+ "timeGrain": "PT1M",
+ "statistic": "Average",
+ "timeWindow": "PT5M",
+ "timeAggregation": "Average",
+ "operator": "LessThan",
+ "threshold": 60
+ },
+ "scaleAction": {
+ "direction": "Decrease",
+ "type": "ChangeCount",
+ "value": "1",
+ "cooldown": "PT5M"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "condition": "[and(variables('isHttps'), equals(parameters('chooseVault'), 'existingVault'))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[parameters('keyVaultName')]",
+ "dependsOn": [
+ "[variables('vmssID')]"
+ ],
+ "resourceGroup": "[parameters('existingKeyVaultRGName')]",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.KeyVault/vaults/accessPolicies",
+ "name": "[concat(parameters('keyVaultName'), '/add')]",
+ "apiVersion": "2021-06-01-preview",
+ "properties": {
+ "accessPolicies": [
+ {
+ "tenantId": "[subscription().tenantid]",
+ "objectId": "[reference(variables('vmssID'), '2020-06-01', 'full').identity.principalId]",
+ "permissions": {
+ "secrets": [
+ "get",
+ "list"
+ ],
+ "certificates": [
+ "get",
+ "list"
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ }
+ }
+ },
+ {
+ "condition": "[and(variables('isHttps'), equals(parameters('chooseVault'), 'newVault'))]",
+ "type": "Microsoft.KeyVault/vaults",
+ "apiVersion": 
"2021-06-01-preview",
+ "name": "[parameters('keyVaultName')]",
+ "dependsOn": [
+ "[variables('vmssID')]"
+ ],
+ "location": "[variables('location')]",
+ "properties": {
+ "tenantId": "[subscription().tenantid]",
+ "sku": {
+ "family": "A",
+ "name": "standard"
+ },
+ "accessPolicies": [
+ {
+ "tenantId": "[subscription().tenantid]",
+ "objectId": "[reference(variables('vmssID'), '2020-06-01', 'full').identity.principalId]",
+ "permissions": {
+ "secrets": [
+ "get",
+ "list"
+ ],
+ "certificates": [
+ "get",
+ "list"
+ ]
+ }
+ }
+ ],
+ "enabledForDeployment": true,
+ "enabledForDiskEncryption": false,
+ "enabledForTemplateDeployment": false,
+ "enableSoftDelete": true,
+ "enableRbacAuthorization": false,
+ "createMode": "default"
+ }
+ },
+ {
+ "condition": "[and(variables('isHttps'), equals(parameters('chooseVault'), 'newVault'))]",
+ "type": "Microsoft.KeyVault/vaults/secrets",
+ "apiVersion": "2021-06-01-preview",
+ "name": "[concat(parameters('keyVaultName'), '/', variables('secretsNameArray')[copyIndex()])]",
+ "location": "[variables('location')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
+ ],
+ "properties": {
+ "value": "[if(endsWith(variables('secretsNameArray')[copyIndex()], '-pw'), base64(variables('secretsValueArray')[copyIndex()]), variables('secretsValueArray')[copyIndex()])]",
+ "contentType": "[variables('secretsDescriptionArray')[copyIndex()]]"
+ },
+ "copy": {
+ "name": "secretscopy",
+ "count": "[variables('numberOfSecrets')]"
+ }
+ }
+ ],
+ "outputs": {
+ "ApplicationAddress": {
+ "type": "string",
+ "value": "[reference('loadBalancerSetup').outputs.ApplicationAddress.value]"
+ },
+ "ApplicationFQDN": {
+ "type": "string",
+ "value": "[reference('loadBalancerSetup').outputs.ApplicationFQDN.value]"
+ }
+ }
+}
\ No newline at end of file
diff --git a/azure/templates/marketplace-vmss/README.md b/azure/templates/marketplace-vmss/README.md
new file mode 100644
index 00000000..3c632bf9
--- /dev/null
+++ b/azure/templates/marketplace-vmss/README.md
@@ -0,0 +1,23 @@
+# Check Point CloudGuard Network Security VMSS for Azure
+
+Check Point CloudGuard Network Security delivers advanced, multi-layered threat prevention to protect customer assets in Azure from malware and sophisticated threats. As a Microsoft Azure certified solution, CloudGuard Network Security enables you to easily and seamlessly secure your workloads while providing secure connectivity across your cloud and on-premises environments.
+
+Benefits:
+
+· Advanced threat prevention and traffic inspection
+
+· Integrated with Azure Security Center and Azure Sentinel
+
+· Provides consistent security policy management, enforcement, and reporting with a single pane of glass, using Check Point Unified Security Management
+
+
+
+
+ Deploy to Azure
+
+
+
+To deploy with full control over all the template options use: [Full Control Deployment](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2Fazure%2Ftemplates%2Fmarketplace-vmss%2FmainTemplate.json)
+
+
+
diff --git a/azure/templates/marketplace-vmss/createUiDefinition.json b/azure/templates/marketplace-vmss/createUiDefinition.json
new file mode 100644
index 00000000..6b3ebbce
--- /dev/null
+++ b/azure/templates/marketplace-vmss/createUiDefinition.json
@@ -0,0 +1,1752 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Compute.MultiVm",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "basics": [
+ {
+ "name": "CloudGuard VMSS settings text block",
+ "type": "Microsoft.Common.TextBlock",
+ "visible": true,
+ "options": {
+ "text": "Please follow the CloudGuard Network for Azure VMSS R80.10 and Higher Administration Guide.",
+ "link": {
+ "label": "Administration Guide",
+ "uri": "https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_VMSS_for_Azure/Default.htm"
+ }
+ }
+ },
+ {
+ "name": "gatewayScaleSetNameUi",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Gateway scale set name",
+ "toolTip": "The name of the Check Point Security Gateway Scale Set.",
+ "constraints": {
+ "required": true,
+ "regex": "^[a-z0-9A-Z]{1,30}$",
+ "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long."
+ }
+ },
+ {
+ "name": "auth",
+ "type": "Microsoft.Compute.CredentialsCombo",
+ "label": {
+ "authenticationType": "Authentication type",
+ "password": "Password",
+ "confirmPassword": "Confirm password",
+ "sshPublicKey": "SSH public key"
+ },
+ "toolTip": {
+ "password": "The user 'admin' password",
+ "sshPublicKey": "Paste an OpenSSH public key. 
You can generate a key pair using ssh-keygen (Linux, OS X, Cygwin) or PuttyGen (Windows)"
+ },
+ "constraints": {
+ "required": true
+ },
+ "options": {
+ "hideConfirmation": false,
+ "hidePassword": false
+ },
+ "osPlatform": "Linux"
+ }
+ ],
+ "steps": [
+ {
+ "name": "autoprovision",
+ "label": "Check Point VMSS settings",
+ "subLabel": {
+ "preValidation": "Configure CloudGuard VMSS settings",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "CloudGuard VMSS settings",
+ "elements": [
+ {
+ "name": "upgrading",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Are you upgrading your CloudGuard VMSS solution?",
+ "defaultValue": "No",
+ "toolTip": "Select 'Yes' if you are upgrading your CloudGuard VMSS solution.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "No",
+ "value": "no"
+ },
+ {
+ "label": "Yes",
+ "value": "yes"
+ }
+ ]
+ }
+ },
+ {
+ "name": "upgradeVmssInfoBox",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[equals(steps('autoprovision').upgrading, 'yes')]",
+ "options": {
+ "icon": "Warning",
+ "text": "All the configurations below must be similar to the existing CloudGuard VMSS solution.\n\nNote that the target load balancers are the ones connected to your existing CloudGuard VMSS solution.\n\nSee the Deployment Guide for more information."
+ }
+ },
+ {
+ "name": "vmCount",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Initial number of gateways",
+ "defaultValue": "2",
+ "toolTip": "The initial number of gateways",
+ "constraints": {
+ "required": true,
+ "regex": "^[1-9][0-9]{0,1}$",
+ "validationMessage": "Please enter a number in the range 1-99."
+ }
+ },
+ {
+ "name": "maxVmCount",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Maximum number of gateways",
+ "defaultValue": "10",
+ "toolTip": "The maximum number of gateways",
+ "constraints": {
+ "required": true,
+ "regex": "^[1-9][0-9]{0,1}$",
+ "validationMessage": "Please enter a number in the range 1-99."
+ } + }, + { + "name": "numGwsValidation", + "type": "Microsoft.Common.InfoBox", + "visible": "[greater(steps('autoprovision').vmCount, steps('autoprovision').maxVmCount)]", + "options": { + "icon": "Error", + "text": "Maximum number of gateways is lower than initial number of gateways" + } + }, + { + "name": "managementServer", + "type": "Microsoft.Common.TextBox", + "label": "Management name", + "toolTip": "The name of the management server as it appears in the configuration file", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z_\\-]{1,30}$", + "validationMessage": "Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long." + } + }, + { + "name": "configurationTemplateInfoBox", + "type": "Microsoft.Common.InfoBox", + "visible": "[equals(steps('autoprovision').upgrading, 'yes')]", + "options": { + "icon": "Info", + "text": "Use a different configuration template name than in your existing CloudGuard VMSS solution." + } + }, + { + "name": "configurationTemplate", + "type": "Microsoft.Common.TextBox", + "label": "Configuration template name", + "toolTip": "The configuration template name as it appears in the configuration file", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z_\\-]{1,30}$", + "validationMessage": "Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long." + } + }, + { + "name": "adminEmail", + "type": "Microsoft.Common.TextBox", + "label": "Administrator email address", + "defaultValue": "", + "toolTip": "An email address to notify about scaling operations", + "constraints": { + "required": false, + "regex": "^([a-zA-Z0-9_\\-\\.]+)@((\\[[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.)|(([a-zA-Z0-9\\-]+\\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\\]?)$", + "validationMessage": "Leave empty or enter a valid email address." 
+ } + }, + { + "name": "deploymentMode", + "type": "Microsoft.Common.DropDown", + "label": "Load balancers deployment", + "defaultValue": "Standard (External & Internal)", + "toolTip": "Defines which load balancers will be deployed. Note: For outbound inspection it is mandatory to deploy an external load balancer and/or instance level public IP addresses.", + "constraints": { + "allowedValues": [ + { + "label": "Standard (External & Internal)", + "value": "Standard" + }, + { + "label": "External only (Inbound inspection only)", + "value": "ELBOnly" + }, + { + "label": "Internal only (Outbound & E-W inspection only - see tooltip)", + "value": "ILBOnly" + } + ] + } + }, + { + "name": "appLoadDistribution", + "type": "Microsoft.Common.DropDown", + "label": "External Load Balancer session persistence", + "defaultValue": "None (5-tuple)", + "toolTip": "The load balancing distribution method for the External Load Balancer.", + "visible": "[not(equals(steps('autoprovision').deploymentMode, 'ILBOnly'))]", + "constraints": { + "allowedValues": [ + { + "label": "None (5-tuple)", + "value": "Default" + }, + { + "label": "Client IP (2-tuple)", + "value": "SourceIP" + }, + { + "label": "Client IP and protocol (3-tuple)", + "value": "SourceIPProtocol" + } + ] + } + }, + { + "name": "ilbLoadDistribution", + "type": "Microsoft.Common.DropDown", + "label": "Internal Load Balancer session persistence", + "defaultValue": "None (5-tuple)", + "toolTip": "The load balancing distribution method for the Internal Load Balancer.", + "visible": "[not(equals(steps('autoprovision').deploymentMode, 'ELBOnly'))]", + "constraints": { + "allowedValues": [ + { + "label": "None (5-tuple)", + "value": "Default" + }, + { + "label": "Client IP (2-tuple)", + "value": "SourceIP" + }, + { + "label": "Client IP and protocol (3-tuple)", + "value": "SourceIPProtocol" + } + ] + } + }, + { + "name": "floatingIP", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy the Load Balancers with floating 
IP", + "defaultValue": "No", + "toolTip": "Deploy the Load Balancers with floating IP.", + "constraints": { + "allowedValues": [ + { + "label": "No", + "value": "no" + }, + { + "label": "Yes", + "value": "yes" + } + ] + }, + "visible": true + }, + { + "name": "instanceLevelPublicIP", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy the VMSS with instance level Public IP address", + "defaultValue": "No", + "toolTip": "If selected 'Yes', then each VMSS instance will have its own public IP address.", + "constraints": { + "allowedValues": [ + { + "label": "No", + "value": "no" + }, + { + "label": "Yes", + "value": "yes" + } + ] + } + }, + { + "name": "publicIPPrefix", + "type": "Microsoft.Common.OptionsGroup", + "label": "Public IP prefix", + "defaultValue": "No", + "toolTip": "Define if deploy existsing Public IP Prefix or a new Public IP Prefix.", + "constraints": { + "allowedValues": [ + { + "label": "No", + "value": "no" + }, + { + "label": "Yes", + "value": "yes" + } + ] + }, + "visible": "[equals(steps('autoprovision').instanceLevelPublicIP, 'yes')]" + }, + { + "name": "createNewIPPrefix", + "type": "Microsoft.Common.OptionsGroup", + "label": "Create new IP prefiex", + "toolTip": "Create new or existsing Public IP Prefix", + "defaultValue": "No", + "constraints": { + "allowedValues": [ + { + "label": "No", + "value": "no" + }, + { + "label": "Yes", + "value": "yes" + } + ] + }, + "visible": "[equals(steps('autoprovision').publicIPPrefix, 'yes')]" + }, + { + "name": "IPv4Length", + "type": "Microsoft.Common.DropDown", + "label": "IPv4 IP prefix length", + "defaultValue": "/31 (2 addresses)", + "toolTip": "Choose the length of the IP prefix for IP v4.", + "multiselect": false, + "selectAll": false, + "filter": false, + "multiLine": false, + "constraints": { + "allowedValues": [ + { + "label": "/28 (16 addresses)", + "value": "/28 (16 addresses)" + }, + { + "label": "/29 (8 addresses)", + "value": "/29 (8 addresses)" + }, + { + "label": "/30 (4 
addresses)", + "value": "/30 (4 addresses)" + }, + { + "label": "/31 (2 addresses)", + "value": "/31 (2 addresses)" + } + ], + "required": true + }, + "visible": "[equals(steps('autoprovision').createNewIPPrefix, 'yes')]" + }, + { + "name": "ipPrefixLengthWarning", + "type": "Microsoft.Common.InfoBox", + "visible": "[equals(steps('autoprovision').createNewIPPrefix, 'yes')]", + "options": { + "icon": "Warning", + "text": "[concat('NOTE: The VMSS will not be allowed to contain more than ', if(equals(steps('autoprovision').IPv4Length, '/31 (2 addresses)'), '2', if(equals(steps('autoprovision').IPv4Length, '/30 (4 addresses)'), '4', if(equals(steps('autoprovision').IPv4Length, '/29 (8 addresses)'), '8', if(equals(steps('autoprovision').IPv4Length, '/28 (16 addresses)'), '16', '0')))), ' instances')]" + } + }, + { + "name": "ipPrefixExistingResourceId", + "type": "Microsoft.Common.TextBox", + "label": "Enter an existing IP prefix resource id", + "toolTip": "The resource id of an existing public IP prefix.", + "multiLine": false, + "constraints": { + "regex": "^[a-z0-9A-Z -.:/n]{1,}$", + "validationMessage": "Only alphanumeric characters, hyphens, spaces, periods, and colons are allowed.", + "required": true + }, + "visible": "[equals(steps('autoprovision').createNewIPPrefix, 'no')]" + }, + { + "name": "externalCommunicationInfoBox", + "type": "Microsoft.Common.InfoBox", + "visible": "[and(equals(steps('autoprovision').instanceLevelPublicIP, 'no'), equals(steps('autoprovision').deploymentMode, 'ILBOnly'))]", + "options": { + "icon": "Warning", + "text": "For outbound inspection it is mandatory to deploy an external load balancer and/or instance level public IP addresses." 
+ }
+ },
+ {
+ "name": "lbsTargetRGName",
+ "type": "Microsoft.Common.TextBox",
+ "visible": "[equals(steps('autoprovision').upgrading, 'yes')]",
+ "label": "Target load balancers resource group name",
+ "defaultValue": "",
+ "toolTip": "The name of the Target Load Balancers Resource Group.",
+ "constraints": {
+ "required": true,
+ "regex": "^[a-z0-9A-Z_\\-\\.\\/\\(\\)]",
+ "validationMessage": "Resource Group only allow alphanumeric characters, periods, underscores, hyphens, slash, and parenthesis"
+ }
+ },
+ {
+ "name": "elbResourceId",
+ "type": "Microsoft.Common.TextBox",
+ "visible": "[and(equals(steps('autoprovision').upgrading, 'yes'), not(equals(steps('autoprovision').deploymentMode, 'ILBOnly')))]",
+ "label": "Target external load balancer resource ID",
+ "defaultValue": "",
+ "toolTip": "The Resource ID of the Target External Load Balancer.",
+ "constraints": {
+ "required": true,
+ "regex": "^[a-z0-9A-Z_\\-\\.\\/\\(\\)]",
+ "validationMessage": "Resource Id only allow alphanumeric characters, periods, underscores, hyphens, slash, and parenthesis"
+ }
+ },
+ {
+ "name": "elbBEAddressPoolName",
+ "type": "Microsoft.Common.TextBox",
+ "visible": "[and(equals(steps('autoprovision').upgrading, 'yes'), not(equals(steps('autoprovision').deploymentMode, 'ILBOnly')))]",
+ "label": "Target external load balancer's backend pool name",
+ "toolTip": "The name of the target external load Balancer's Backend Pool.",
+ "constraints": {
+ "required": true,
+ "regex": "^[a-z0-9A-Z_\\-\\.\\/\\(\\)]",
+ "validationMessage": "Only alphanumeric characters, periods, underscores, hyphens, slash, and parenthesis are allowed"
+ }
+ },
+ {
+ "name": "ilbResourceId",
+ "type": "Microsoft.Common.TextBox",
+ "visible": "[and(equals(steps('autoprovision').upgrading, 'yes'), not(equals(steps('autoprovision').deploymentMode, 'ELBOnly')))]",
+ "label": "Target internal load balancer resource ID",
+ "defaultValue": "",
+ "toolTip": "The Resource ID of the Target Internal Load Balancer.",
+ "constraints": {
+ "required": true,
+ "regex": "^[a-z0-9A-Z_\\-\\.\\/\\(\\)]",
+ "validationMessage": "Resource Id only allow alphanumeric characters, periods, underscores, hyphens, slash, and parenthesis"
+ }
+ },
+ {
+ "name": "ilbBEAddressPoolName",
+ "type": "Microsoft.Common.TextBox",
+ "visible": "[and(equals(steps('autoprovision').upgrading, 'yes'), not(equals(steps('autoprovision').deploymentMode, 'ELBOnly')))]",
+ "label": "Target internal load balancer's backend pool name",
+ "toolTip": "The name of the target internal load balancer's backend pool.",
+ "constraints": {
+ "required": true,
+ "regex": "^[a-z0-9A-Z_\\-\\.\\/\\(\\)]",
+ "validationMessage": "Only alphanumeric characters, periods, underscores, hyphens, slash, and parenthesis are allowed"
+ }
+ },
+ {
+ "name": "mgmtInterfaceOpt1",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Management interface and IP address",
+ "defaultValue": "Backend NIC's private IP address",
+ "visible": "[equals(steps('autoprovision').instanceLevelPublicIP, 'yes')]",
+ "toolTip": "Manage the Gateways in the Scale Set via the instance's external (eth0) or internal (eth1) NIC and with public or private IP.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Backend NIC's private IP address",
+ "value": "eth1-private"
+ },
+ {
+ "label": "Frontend NIC's public IP address",
+ "value": "eth0-public"
+ },
+ {
+ "label": "Frontend NIC's private IP address",
+ "value": "eth0-private"
+ }
+ ]
+ }
+ },
+ {
+ "name": "mgmtInterfaceOpt2",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Management interface and IP address",
+ "defaultValue": "Backend NIC's private IP address",
+ "visible": "[equals(steps('autoprovision').instanceLevelPublicIP, 'no')]",
+ "toolTip": "Manage the Gateways in the Scale Set via the instance's external (eth0) or internal (eth1) NIC's private IP address.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Backend NIC's private IP address",
+ "value": "eth1-private"
+ },
+ {
"label": "Frontend NIC's private IP address", + "value": "eth0-private" + } + ] + } + }, + { + "name": "mgmtIPaddress", + "type": "Microsoft.Common.TextBox", + "label": "Management Server IP address", + "toolTip": "The IP address used to manage the VMSS instances.", + "visible": "[or(equals(steps('autoprovision').mgmtInterfaceOpt1, 'eth0-private'), equals(steps('autoprovision').mgmtInterfaceOpt2, 'eth0-private'))]", + "constraints": { + "regex": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$", + "required": true, + "validationMessage": "Please enter a valid IP address" + } + }, + { + "name": "availabilityZonesNum", + "type": "Microsoft.Common.DropDown", + "label": "Number of Availability Zones to use", + "defaultValue": "None", + "toolTip": "The number of avalability zones to use for the scale set. Note that the load balancers and their IP addresses will be zone redundant in any case.", + "visible": "[contains(' australiaeast brazilsouth canadacentral centralus eastasia eastus eastus2 francecentral germanywestcentral japaneast koreacentral northeurope norwayeast southafricanorth southcentralus southeastasia swedencentral uksouth usgovvirginia westeurope westus2 westus3 switzerlandnorth qatarcentral centralindia uaenorth italynorth ', concat(' ', location(), ' '))]", + "constraints": { + "allowedValues": [ + { + "label": "None", + "value": 0 + }, + { + "label": "One zone", + "value": 1 + }, + { + "label": "Two zones", + "value": 2 + }, + { + "label": "Three zones", + "value": 3 + } + ] + } + }, + { + "name": "customMetrics", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable CloudGuard metrics", + "defaultValue": "Yes", + "toolTip": "Enable CloudGuard metrics in order to send statuses and statistics collected from VMSS instances to the Azure Monitor service.", + "constraints": { + "allowedValues": [ + { + "label": "No", + "value": "no" + }, + { + "label": "Yes", + "value": "yes" + } + ] + }, + 
"visible": true + } + ] + }, + { + "name": "chkp", + "label": "Check Point CloudGuard settings", + "subLabel": { + "preValidation": "Configure CloudGuard settings", + "postValidation": "Done" + }, + "bladeTitle": "CloudGuard settings", + "elements": [ + { + "name": "cloudGuardVersion", + "type": "Microsoft.Common.DropDown", + "label": "Check Point CloudGuard version", + "defaultValue": "R81.20", + "toolTip": "The version of Check Point CloudGuard.", + "constraints": { + "allowedValues": [ + { + "label": "R81.10", + "value": "R81.10" + }, + { + "label": "R81.20", + "value": "R81.20" + } + ] + } + }, + { + "name": "R80Offer", + "type": "Microsoft.Common.DropDown", + "label": "License type", + "toolTip": "The type of license.", + "defaultValue": "Bring Your Own License", + "visible": true, + "constraints": { + "allowedValues": [ + { + "label": "Bring Your Own License", + "value": "Bring Your Own License" + }, + { + "label": "Pay As You Go (NGTP)", + "value": "Pay As You Go (NGTP)" + }, + { + "label": "Pay As You Go (NGTX)", + "value": "Pay As You Go (NGTX)" + } + ] + } + }, + { + "name": "R8110vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81.10'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + "Standard_D2_v5", + "Standard_D4_v5", + "Standard_D8_v5", + "Standard_D16_v5", + "Standard_D32_v5", + "Standard_D2s_v5", + "Standard_D4s_v5", + "Standard_D8s_v5", + "Standard_D16s_v5", + "Standard_D2d_v5", + "Standard_D4d_v5", + "Standard_D8d_v5", 
+ "Standard_D16d_v5", + "Standard_D32d_v5", + "Standard_D2ds_v5", + "Standard_D4ds_v5", + "Standard_D8ds_v5", + "Standard_D16ds_v5", + "Standard_D32ds_v5", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8110", + "sku": "sg-byol" + }, + "count": "[steps('autoprovision').vmCount]" + }, + { + "name": "R8110vmSizeUiNGTP", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81.10'), contains(steps('chkp').R80Offer, '(NGTP)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_D4_v4", + 
"Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + "Standard_D2_v5", + "Standard_D4_v5", + "Standard_D8_v5", + "Standard_D16_v5", + "Standard_D32_v5", + "Standard_D2s_v5", + "Standard_D4s_v5", + "Standard_D8s_v5", + "Standard_D16s_v5", + "Standard_D2d_v5", + "Standard_D4d_v5", + "Standard_D8d_v5", + "Standard_D16d_v5", + "Standard_D32d_v5", + "Standard_D2ds_v5", + "Standard_D4ds_v5", + "Standard_D8ds_v5", + "Standard_D16ds_v5", + "Standard_D32ds_v5", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8110", + 
"sku": "sg-ngtp" + }, + "count": "[steps('autoprovision').vmCount]" + }, + { + "name": "R8110vmSizeUiNGTX", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81.10'), contains(steps('chkp').R80Offer, '(NGTX)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + "Standard_D2_v5", + "Standard_D4_v5", + "Standard_D8_v5", + "Standard_D16_v5", + "Standard_D32_v5", + "Standard_D2s_v5", + "Standard_D4s_v5", + "Standard_D8s_v5", + "Standard_D16s_v5", + "Standard_D2d_v5", + "Standard_D4d_v5", + "Standard_D8d_v5", + "Standard_D16d_v5", + "Standard_D32d_v5", + "Standard_D2ds_v5", + "Standard_D4ds_v5", + "Standard_D8ds_v5", + "Standard_D16ds_v5", + "Standard_D32ds_v5", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + 
"Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8110", + "sku": "sg-ngtx" + }, + "count": "[steps('autoprovision').vmCount]" + }, + { + "name": "R8120vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81.20'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D4ds_v5", + "Standard_D4d_v5" + ], + "constraints": { + "allowedSizes": [ + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + "Standard_D2_v5", + "Standard_D4_v5", + "Standard_D8_v5", + "Standard_D16_v5", + "Standard_D32_v5", + "Standard_D2s_v5", + "Standard_D4s_v5", + "Standard_D8s_v5", + "Standard_D16s_v5", + "Standard_D2d_v5", + "Standard_D4d_v5", + "Standard_D8d_v5", + "Standard_D16d_v5", + "Standard_D32d_v5", + "Standard_D2ds_v5", + "Standard_D4ds_v5", + "Standard_D8ds_v5", + "Standard_D16ds_v5", + "Standard_D32ds_v5", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + 
"Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8120", + "sku": "sg-byol" + }, + "count": "[steps('autoprovision').vmCount]" + }, + { + "name": "R8120vmSizeUiNGTP", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81.20'), contains(steps('chkp').R80Offer, '(NGTP)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D4ds_v5", + "Standard_D4d_v5" + ], + "constraints": { + "allowedSizes": [ + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + "Standard_D2_v5", + "Standard_D4_v5", + "Standard_D8_v5", + "Standard_D16_v5", + "Standard_D32_v5", + "Standard_D2s_v5", + "Standard_D4s_v5", + "Standard_D8s_v5", + "Standard_D16s_v5", + "Standard_D2d_v5", + "Standard_D4d_v5", + "Standard_D8d_v5", + "Standard_D16d_v5", + 
"Standard_D32d_v5", + "Standard_D2ds_v5", + "Standard_D4ds_v5", + "Standard_D8ds_v5", + "Standard_D16ds_v5", + "Standard_D32ds_v5", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8120", + "sku": "sg-ngtp" + }, + "count": "[steps('autoprovision').vmCount]" + }, + { + "name": "R8120vmSizeUiNGTX", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81.20'), contains(steps('chkp').R80Offer, '(NGTX)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D4ds_v5", + "Standard_D4d_v5" + ], + "constraints": { + "allowedSizes": [ + "Standard_D4_v4", + "Standard_D8_v4", + 
"Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + "Standard_D2_v5", + "Standard_D4_v5", + "Standard_D8_v5", + "Standard_D16_v5", + "Standard_D32_v5", + "Standard_D2s_v5", + "Standard_D4s_v5", + "Standard_D8s_v5", + "Standard_D16s_v5", + "Standard_D2d_v5", + "Standard_D4d_v5", + "Standard_D8d_v5", + "Standard_D16d_v5", + "Standard_D32d_v5", + "Standard_D2ds_v5", + "Standard_D4ds_v5", + "Standard_D8ds_v5", + "Standard_D16ds_v5", + "Standard_D32ds_v5", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8120", + "sku": "sg-ngtx" + }, + 
"count": "[steps('autoprovision').vmCount]" + }, + { + "name": "adminShell", + "type": "Microsoft.Common.DropDown", + "label": "Default shell for the admin user", + "defaultValue": "/etc/cli.sh", + "toolTip": "The default shell for the admin user", + "constraints": { + "allowedValues": [ + { + "label": "/etc/cli.sh", + "value": "/etc/cli.sh" + }, + { + "label": "/bin/bash", + "value": "/bin/bash" + }, + { + "label": "/bin/csh", + "value": "/bin/csh" + }, + { + "label": "/bin/tcsh", + "value": "/bin/tcsh" + } + ] + } + }, + { + "name": "sicKeyUi", + "type": "Microsoft.Common.PasswordBox", + "label": { + "password": "SIC Key", + "confirmPassword": "Confirm SIC Key" + }, + "toolTip": "Set the Secure Internal Communication one time secret used to set up trust between the gateway and the management server.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{12,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the value must be 12-30 characters long." + }, + "options": { + "hideConfirmation": false + } + }, + { + "name": "SerialPasswordInfoBox", + "type": "Microsoft.Common.InfoBox", + "visible": "[bool(basics('auth').sshPublicKey)]", + "options": { + "icon": "Info", + "text": "Check Point recommends setting serial console password and maintenance-mode password for recovery purposes. 
For R81.10 and below the serial console password is used also as maintenance-mode password" + } + }, + { + "visible": "[bool(basics('auth').sshPublicKey)]", + "name": "EnableSerialConsolePassword", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Serial console password", + "defaultValue": "Yes", + "toolTip": "A unique password hash to enable VM connection via serial console.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": true + }, + { + "label": "No", + "value": false + } + ] + } + }, + { + "name": "AdditionalPassword", + "type": "Microsoft.Common.PasswordBox", + "toolTip": "Serial console password hash, used to enable password authentication (using serial console). To generate password hash use the command 'openssl passwd -6 PASSWORD'", + "visible": "[and(bool(basics('auth').sshPublicKey), steps('chkp').EnableSerialConsolePassword)]", + "label": { + "password": "Password hash", + "confirmPassword": "Confirm password" + }, + "constraints": { + "required": true, + "regex": "^.{12,300}$", + "validationMessage": "The value must be the output of the hash command." + }, + "options": { + "hideConfirmation": false + } + }, + { + "name": "MaintenanceModeInfoBox", + "type": "Microsoft.Common.InfoBox", + "visible": "[and(bool(basics('auth').password), not(contains('R81.10', steps('chkp').cloudGuardVersion)))]", + "options": { + "icon": "Info", + "text": "Check Point recommends setting a maintenance-mode password for recovery purposes." 
+ } + }, + { + "visible": "[not(contains('R81.10', steps('chkp').cloudGuardVersion))]", + "name": "EnableMaintenanceMode", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Maintenance Mode", + "defaultValue": "Yes", + "toolTip": "A unique password hash to enable VM maintenance mode.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": true + }, + { + "label": "No", + "value": false + } + ] + } + }, + { + "visible": "[and(not(contains('R81.10', steps('chkp').cloudGuardVersion)), steps('chkp').EnableMaintenanceMode)]", + "name": "MaintenanceModePassword", + "type": "Microsoft.Common.PasswordBox", + "defaultValue": "", + "toolTip": "To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here.", + "label": { + "password": "Maintenance Mode password hash", + "confirmPassword": "Confirm Password" + }, + "constraints": { + "required": true, + "validationMessage": "The value must be the output of the hash command." + }, + "options": { + "hideConfirmation": false + } + }, + { + "name": "bootstrapScript", + "type": "Microsoft.Common.FileUpload", + "label": "Bootstrap script", + "toolTip": "An optional script to run on the initial boot", + "constraints": { + "required": false, + "accept": ".sh,text/plain" + }, + "options": { + "multiple": false, + "uploadMode": "file", + "openMode": "text", + "encoding": "UTF-8" + } + }, + { + "name": "allowUploadDownload", + "type": "Microsoft.Common.OptionsGroup", + "label": "Allow download from/upload to Check Point", + "defaultValue": "Yes", + "toolTip": "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "true" + }, + { + "label": "No", + "value": "false" + } + ] + } + }, + { + "name": "VMDiskType", + "type": "Microsoft.Common.OptionsGroup", + "label": "VM disk type", + "toolTip": "Type of CloudGuard disk.", + "visible": "[not(contains('R81.10' , steps('chkp').cloudGuardVersion))]", + "defaultValue": "Premium", + "constraints": { + "allowedValues": [ + { + "label": "Standard", + "value": "Standard_LRS" + }, + { + "label": "Premium", + "value": "Premium_LRS" + } + ] + } + }, + { + "name": "VMDiskTypeOldVersions", + "type": "Microsoft.Common.OptionsGroup", + "label": "VM disk type", + "toolTip": "Type of CloudGuard disk.", + "visible": "[contains('R81.10' , steps('chkp').cloudGuardVersion)]", + "defaultValue": "Standard", + "constraints": { + "allowedValues": [ + { + "label": "Standard", + "value": "Standard_LRS" + }, + { + "label": "Premium", + "value": "Premium_LRS" + } + ] + } + }, + { + "name": "additionalDiskSizeGB", + "type": "Microsoft.Common.TextBox", + "label": "Additional disk space (GB)", + "defaultValue": "0", + "toolTip": "Additional disk space (in GB), initial disk size is 100 GB.", + "constraints": { + "regex": "^([0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-2][0-9][0-9][0-9]|3[0-8][0-9][0-9]|399[0-5])$", + "validationMessage": "Select a number between 0 and 3995" + }, + "visible": "[not(contains('R81.10 R81.20', steps('chkp').cloudGuardVersion))]" + }, + { + "name": "useCustomImageUri", + "type": "Microsoft.Common.OptionsGroup", + "label": "Use development image uri", + "defaultValue": "No", + "toolTip": "Use custom image URI.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ], + "required": true + }, + "visible": false + }, + { + "name": "sourceImageVhdUri", + "type": "Microsoft.Common.TextBox", + "label": "Development Image URI", + "toolTip": "The 
URI of the blob containing the development image", + "constraints": { + "required": "[equals(steps('chkp').useCustomImageUri, 'Yes')]", + "regex": "^[a-z0-9A-Z_\\-\\.\\:\\/]{1,500}.vhd$", + "validationMessage": "Only alphanumeric characters and '_','-','.',':','/' are allowed, the value must be 1-500 characters long and must end with .vhd. " + }, + "visible": "[equals(steps('chkp').useCustomImageUri, 'Yes')]" + } + ] + }, + { + "name": "network", + "label": "Network settings", + "subLabel": { + "preValidation": "Configure network settings", + "postValidation": "Done" + }, + "bladeTitle": "Network settings", + "elements": [ + { + "name": "virtualNetwork", + "type": "Microsoft.Network.VirtualNetworkCombo", + "label": { + "virtualNetwork": "Virtual network", + "subnets": "Subnets" + }, + "toolTip": { + "virtualNetwork": "Virtual Network Name", + "subnets": "The subnets to deploy into" + }, + "defaultValue": { + "name": "vnet01", + "addressPrefixSize": "/16" + }, + "constraints": { + "minAddressPrefixSize": "/28" + }, + "options": { + "hideExisting": false + }, + "subnets": { + "subnet1": { + "label": "VMSS Frontend subnet", + "defaultValue": { + "name": "VMSS-Frontend", + "addressPrefixSize": "/24" + }, + "constraints": { + "minAddressPrefixSize": "/29", + "minAddressCount": "[steps('autoprovision').maxVmCount]", + "requireContiguousAddresses": false + } + }, + "subnet2": { + "label": "VMSS Backend subnet", + "defaultValue": { + "name": "VMSS-Backend", + "addressPrefixSize": "/24" + }, + "constraints": { + "minAddressPrefixSize": "/29", + "minAddressCount": "[steps('autoprovision').maxVmCount]", + "requireContiguousAddresses": false + } + } + } + }, + { + "name": "NSG", + "type": "Microsoft.Common.OptionsGroup", + "label": "Network Security Group", + "toolTip": "Choose between using an existing NSG or using a new NSG", + "constraints": { + "allowedValues": [ + { + "label": "Create new", + "value": true + }, + { + "label": "Existing NSG", + "value": false + } + ], + 
"required": true + }, + "visible": true + }, + { + "name": "nsgSelector", + "type": "Microsoft.Solutions.ResourceSelector", + "label": "Network Security Group", + "defaultValue": "null", + "toolTip": "Choose an existing NSG", + "resourceType": "Microsoft.Network/NetworkSecurityGroups", + "options": { + "filter": { + "subscription": "onBasics", + "location": "onBasics" + } + }, + "constraints": { + "required": true + }, + "visible": "[equals(steps('network').NSG, false)]" + }, + { + "name": "NSGName", + "type": "Microsoft.Common.TextBox", + "label": "Name", + "defaultValue": "[concat(basics('gatewayScaleSetNameUi') , '-nsg')]", + "toolTip": "Insert Name for the new NSG", + "multiLine": false, + "constraints": { + "required": "[steps('network').NSG]", + "regex": "^[a-z0-9A-Z-]{1,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + }, + "visible": "[steps('network').NSG]" + }, + { + "name": "addStorageAccountIpRules", + "type": "Microsoft.Common.OptionsGroup", + "defaultValue": "Network access from all networks", + "label": "Storage Account Network Access", + "toolTip": "Select your preferred network access to the Storage Account, for more information - https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#serial-console-security", + "constraints": { + "allowedValues": [ + { + "label": "Network access from all networks", + "value": false + }, + { + "label": "Network access only from Serial Console", + "value": true + } + ], + "required": true + }, + "visible": true + } + ] + }, + { + "name": "tags", + "label": "Tags", + "elements": [ + { + "name": "tagsByResource", + "type": "Microsoft.Common.TagsByResource", + "toolTip": "Create Azure tags for the new resources", + "resources": [ + "Function App", + "Microsoft.Storage/storageAccounts", + "Microsoft.Compute/virtualMachineScaleSets", + "Microsoft.Network/routeTables", + "Microsoft.Network/virtualNetworks", + 
"Microsoft.Network/networkSecurityGroups", + "Microsoft.Network/publicIPAddresses", + "Microsoft.Network/loadBalancers" + ] + } + ] + } + ], + "outputs": { + "location": "[location()]", + "authenticationType": "[basics('auth').authenticationType]", + "adminPassword": "[basics('auth').password]", + "sshPublicKey": "[basics('auth').sshPublicKey]", + "upgrading": "[steps('autoprovision').upgrading]", + "vmName": "[basics('gatewayScaleSetNameUi')]", + "instanceCount": "[steps('autoprovision').vmCount]", + "maxInstanceCount": "[steps('autoprovision').maxVmCount]", + "managementServer": "[steps('autoprovision').managementServer]", + "configurationTemplate": "[steps('autoprovision').configurationTemplate]", + "adminEmail": "[steps('autoprovision').adminEmail]", + "deploymentMode": "[steps('autoprovision').deploymentMode]", + "instanceLevelPublicIP": "[steps('autoprovision').instanceLevelPublicIP]", + "lbsTargetRGName": "[steps('autoprovision').lbsTargetRGName]", + "elbResourceId": "[steps('autoprovision').elbResourceId]", + "elbTargetBEAddressPoolName": "[steps('autoprovision').elbBEAddressPoolName]", + "ilbResourceId": "[steps('autoprovision').ilbResourceId]", + "ilbTargetBEAddressPoolName": "[steps('autoprovision').ilbBEAddressPoolName]", + "mgmtInterfaceOpt1": "[steps('autoprovision').mgmtInterfaceOpt1]", + "mgmtInterfaceOpt2": "[steps('autoprovision').mgmtInterfaceOpt2]", + "mgmtIPaddress": "[steps('autoprovision').mgmtIPaddress]", + "appLoadDistribution": "[steps('autoprovision').appLoadDistribution]", + "ilbLoadDistribution": "[steps('autoprovision').ilbLoadDistribution]", + "availabilityZonesNum": "[coalesce(steps('autoprovision').availabilityZonesNum, int('0'))]", + "customMetrics": "[steps('autoprovision').customMetrics]", + "cloudGuardVersion": "[concat(steps('chkp').cloudGuardVersion, ' - ', coalesce(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "vmSize": "[coalesce(steps('chkp').R8110vmSizeUiBYOL, steps('chkp').R8110vmSizeUiNGTP, 
steps('chkp').R8110vmSizeUiNGTX, steps('chkp').R8120vmSizeUiBYOL, steps('chkp').R8120vmSizeUiNGTP, steps('chkp').R8120vmSizeUiNGTX)]", + "sicKey": "[steps('chkp').sicKeyUi]", + "bootstrapScript": "[steps('chkp').bootstrapScript]", + "allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp').allowUploadDownload, 'true')]", + "additionalDiskSizeGB": "[int(steps('chkp').additionalDiskSizeGB)]", + "diskType": "[if(contains('R81.10' , steps('chkp').cloudGuardVersion) , steps('chkp').VMDiskTypeOldVersions , steps('chkp').VMDiskType)]", + "sourceImageVhdUri": "[coalesce(steps('chkp').sourceImageVhdUri, 'noCustomUri')]", + "virtualNetworkName": "[steps('network').virtualNetwork.name]", + "virtualNetworkAddressPrefixes": "[steps('network').virtualNetwork.addressPrefixes]", + "vnetNewOrExisting": "[steps('network').virtualNetwork.newOrExisting]", + "virtualNetworkExistingRGName": "[steps('network').virtualNetwork.resourceGroup]", + "subnet1Name": "[steps('network').virtualNetwork.subnets.subnet1.name]", + "subnet1Prefix": "[steps('network').virtualNetwork.subnets.subnet1.addressPrefix]", + "subnet2Name": "[steps('network').virtualNetwork.subnets.subnet2.name]", + "subnet2Prefix": "[steps('network').virtualNetwork.subnets.subnet2.addressPrefix]", + "subnet2StartAddress": "[steps('network').virtualNetwork.subnets.subnet2.startAddress]", + "floatingIP": "[steps('autoprovision').floatingIP]", + "IPv4Length": "[steps('autoprovision').IPv4Length]", + "publicIPPrefix": "[steps('autoprovision').publicIPPrefix]", + "createNewIPPrefix": "[steps('autoprovision').createNewIPPrefix]", + "ipPrefixExistingResourceId": "[steps('autoprovision').ipPrefixExistingResourceId]", + "adminShell": "[steps('chkp').adminShell]", + "tagsByResource": "[steps('tags').tagsByResource]", + "deployNewNSG": "[steps('network').NSG]", + "ExistingNSG": "[steps('network').nsgSelector]", + "NewNsgName": "[steps('network').NSGName]", + "addStorageAccountIpRules": "[steps('network').addStorageAccountIpRules]", 
+ "SerialConsolePasswordHash": "[steps('chkp').AdditionalPassword]",
+ "MaintenanceModePasswordHash": "[steps('chkp').MaintenanceModePassword]"
+ }
+ }
+}
\ No newline at end of file
diff --git a/azure/templates/marketplace-vmss/mainTemplate.json b/azure/templates/marketplace-vmss/mainTemplate.json
new file mode 100644
index 00000000..0dd69d8d
--- /dev/null
+++ b/azure/templates/marketplace-vmss/mainTemplate.json
@@ -0,0 +1,1323 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "subscriptionId": {
+ "type": "string",
+ "defaultValue": "[subscription().subscriptionId]",
+ "metadata": {
+ "description": "Subscription ID."
+ }
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "Deployment location"
+ },
+ "defaultValue": "[resourceGroup().location]"
+ },
+ "cloudGuardVersion": {
+ "type": "string",
+ "allowedValues": [
+ "R81.10 - Bring Your Own License",
+ "R81.10 - Pay As You Go (NGTP)",
+ "R81.10 - Pay As You Go (NGTX)",
+ "R81.20 - Bring Your Own License",
+ "R81.20 - Pay As You Go (NGTP)",
+ "R81.20 - Pay As You Go (NGTX)"
+ ],
+ "defaultValue": "R81.20 - Bring Your Own License",
+ "metadata": {
+ "description": "Version of Check Point CloudGuard"
+ }
+ },
+ "instanceCount": {
+ "defaultValue": "2",
+ "type": "string",
+ "metadata": {
+ "description": "Number of VM instances"
+ }
+ },
+ "maxInstanceCount": {
+ "defaultValue": "10",
+ "type": "string",
+ "metadata": {
+ "description": "Maximum number of VM instances"
+ }
+ },
+ "managementServer": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the management server as it appears in the configuration file"
+ }
+ },
+ "configurationTemplate": {
+ "type": "string",
+ "metadata": {
+ "description": "A name of a template as it appears in the configuration file"
+ }
+ },
+ "adminEmail": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Email address to notify if there are any scaling operations"
+ }
+ },
+ "authenticationType": {
+ "type": "string",
+ "allowedValues": [
+ "password",
+ "sshPublicKey"
+ ],
+ "defaultValue": "password",
+ "metadata": {
+ "description": "Authentication type"
+ }
+ },
+ "sshPublicKey": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Administrator SSH public key"
+ }
+ },
+ "adminPassword": {
+ "type": "securestring",
+ "metadata": {
+ "description": "Administrator password"
+ },
+ "defaultValue": ""
+ },
+ "MaintenanceModePasswordHash": {
+ "type": "securestring",
+ "defaultValue": "",
+ "metadata": {
+ "Description": "Maintenance mode password hash, relevant only for R81.20 and higher versions"
+ }
+ },
+ "SerialConsolePasswordHash": {
+ "type": "securestring",
+ "defaultValue": "",
+ "metadata": {
+ "Description": "Optional parameter, used to enable serial console connection in case of SSH key as authentication type"
+ }
+ },
+ "vmName": {
+ "type": "string",
+ "metadata": {
+ "description": "Name of the Check Point Security Gateway scale set"
+ }
+ },
+ "vmSize": {
+ "type": "string",
+ "defaultValue": "Standard_D3_v2",
+ "metadata": {
+ "description": "Size of the VM"
+ }
+ },
+ "adminShell": {
+ "type": "string",
+ "defaultValue": "/etc/cli.sh",
+ "allowedValues": [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"
+ ],
+ "metadata": {
+ "Description": "The default shell for the admin user"
+ }
+ },
+ "sicKey": {
+ "type": "securestring",
+ "metadata": {
+ "description": "One time key for Secure Internal Communication"
+ }
+ },
+ "virtualNetworkName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the virtual network"
+ },
+ "defaultValue": "[concat(resourceGroup().name, '-vnet')]"
+ },
+ "upgrading": {
+ "type": "string",
+ "defaultValue": "no",
+ "allowedValues": [
+ "no",
+ "yes"
+ ],
+ "metadata": {
+ "Description": "Indicates whether the user in upgrading the CloudGuard VMSS solution"
+ }
+ },
+ "floatingIP": {
+ "type": "string",
+ "defaultValue": "no",
+ "allowedValues": [
+ "no",
+ "yes"
+ ],
+ "metadata": {
+ "description": "Deploy the Load Balancers with floating IP"
+ }
+ },
+ "instanceLevelPublicIP": {
+ "type": "string",
+ "allowedValues": [
+ "no",
+ "yes"
+ ],
+ "defaultValue": "no",
+ "metadata": {
+ "description": "Deploy the VMSS with instance level Public IP address"
+ }
+ },
+ "publicIPPrefix": { + 
"type": "string", + "defaultValue": "no", + "allowedValues": [ + "no", + "yes" + ], + "metadata": { + "description": "Use public IP prefix." + } + }, + "createNewIPPrefix": { + "type": "string", + "defaultValue": "no", + "allowedValues": [ + "no", + "yes" + ], + "metadata": { + "description": "Create new IP prefix or use an existing one." + } + }, + "IPv4Length": { + "type": "string", + "defaultValue": "/31 (2 addresses)", + "allowedValues": [ + "/28 (16 addresses)", + "/29 (8 addresses)", + "/30 (4 addresses)", + "/31 (2 addresses)" + ], + "metadata": { + "description": "Choose the IP prefix length for IP v4." + } + }, + "ipPrefixExistingResourceId": { + "type": "string", + "metadata": { + "description": "The resource id of the existing IP prefix." + }, + "defaultValue": "" + }, + "lbsTargetRGName": { + "type": "string", + "metadata": { + "description": "The name of the Target Load Balancers Resource Group." + }, + "defaultValue": "" + }, + "elbResourceId": { + "type": "string", + "metadata": { + "description": "The Resource ID of the Target External Load Balancer." + }, + "defaultValue": "" + }, + "elbTargetBEAddressPoolName": { + "type": "string", + "metadata": { + "description": "The name of the new Target External Load Balancer's Backend Pool." + }, + "defaultValue": "" + }, + "ilbResourceId": { + "type": "string", + "metadata": { + "description": "The Resource ID of the Target Internal Load Balancer." + }, + "defaultValue": "" + }, + "ilbTargetBEAddressPoolName": { + "type": "string", + "metadata": { + "description": "The name of the new Target Internal Load Balancer's Backend Pool." 
+ }, + "defaultValue": "" + }, + "virtualNetworkAddressPrefixes": { + "type": "array", + "metadata": { + "description": "The address prefixes of the virtual network" + }, + "defaultValue": [ + "10.0.0.0/16" + ] + }, + "subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the frontend subnet" + }, + "defaultValue": "Frontend" + }, + "subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the frontend subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "subnet2Name": { + "type": "string", + "metadata": { + "description": "The name of the backend subnet" + }, + "defaultValue": "Backend" + }, + "subnet2Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the backend subnet" + }, + "defaultValue": "10.0.2.0/24" + }, + "subnet2StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the 2nd subnet" + }, + "defaultValue": "10.0.2.4" + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "new", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "[resourceGroup().name]" + }, + "bootstrapScript": { + "type": "string", + "metadata": { + "description": "Bootstrap script" + }, + "defaultValue": "" + }, + "allowDownloadFromUploadToCheckPoint": { + "type": "string", + "allowedValues": [ + "true", + "false" + ], + "defaultValue": "true", + "metadata": { + "description": "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point" + } + }, + "mgmtInterfaceOpt1": { + "type": "string", + "allowedValues": [ + "eth0-public", + "eth0-private", + "eth1-private" + ], + "defaultValue": "eth1-private", + "metadata": { + "description": "Manage the Gateways in the Scale Set via the instance's external (eth0) or internal (eth1) NIC's private IP address." + } + }, + "mgmtInterfaceOpt2": { + "type": "string", + "allowedValues": [ + "eth0-private", + "eth1-private" + ], + "defaultValue": "eth1-private", + "metadata": { + "description": "Manage the Gateways in the Scale Set via the instance's external (eth0) or internal (eth1) NIC's private IP address." + } + }, + "mgmtIPaddress": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "The IP address used to manage the VMSS instances." + } + }, + "additionalDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "metadata": { + "description": "Amount of additional disk space (in GB), not relevant for R81.20 and below" + }, + "minValue": 0, + "maxValue": 3995 + }, + "diskType": { + "type": "string", + "defaultValue": "Standard_LRS", + "metadata": { + "description": "The type of the OS disk. Premium is applicable only to DS machine sizes" + }, + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ] + }, + "appLoadDistribution": { + "type": "string", + "allowedValues": [ + "Default", + "SourceIP", + "SourceIPProtocol" + ], + "defaultValue": "Default", + "metadata": { + "description": "The External Load Balancer distribution method" + } + }, + "ilbLoadDistribution": { + "type": "string", + "allowedValues": [ + "Default", + "SourceIP", + "SourceIPProtocol" + ], + "defaultValue": "Default", + "metadata": { + "description": "The Internal Load Balancer distribution method" + } + }, + "deploymentMode": { + "type": "string", + "allowedValues": [ + "Standard", + "ILBOnly", + "ELBOnly" + ], + "defaultValue": "Standard", + "metadata": { + "description": "Solution deployment architecture." 
+ } + }, + "sourceImageVhdUri": { + "type": "string", + "defaultValue": "noCustomUri", + "metadata": { + "description": "The URI of the blob containing the development image" + } + }, + "availabilityZonesNum": { + "type": "int", + "allowedValues": [ + 0, + 1, + 2, + 3 + ], + "defaultValue": 0, + "metadata": { + "description": "The number of availability zones" + } + }, + "_artifactsLocation": { + "type": "string", + "metadata": { + "description": "Use the following URI when deploying a custom template: https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/" + }, + "defaultValue": "[deployment().properties.templateLink.uri]" + }, + "_artifactsLocationSasToken": { + "type": "securestring", + "metadata": { + "description": "The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. Use the defaultValue if the staging location is not secured." + }, + "defaultValue": "" + }, + "customMetrics": { + "type": "string", + "allowedValues": [ + "no", + "yes" + ], + "defaultValue": "yes", + "metadata": { + "Description": "Indicates whether Custom Metrics will be used for VMSS Scaling policy and VM monitoring" + } + }, + "rbacGuid": { + "type": "string", + "defaultValue": "[newGuid()]" + }, + "tagsByResource": { + "type": "object", + "defaultValue": {} + }, + "deployNewNSG": { + "type": "bool", + "defaultValue": true + }, + "ExistingNSG": { + "type": "object", + "defaultValue": {} + }, + "NewNsgName": { + "type": "string", + "defaultValue": "[concat(parameters('vmName'),'-nsg')]" + }, + "addStorageAccountIpRules": { + "type": "bool", + "metadata": { + "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on 
https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled" + }, + "defaultValue": false + }, + "storageAccountAdditionalIps": { + "type": "array", + "metadata": { + "description": "IPs/CIDRs that are allowed access to the Storage Account" + }, + "defaultValue": [] + } + }, + "variables": { + "resourceGroup": "[resourceGroup()]", + "resourceGroupName": "[resourceGroup().name]", + "templateName": "vmss-v2", + "templateVersion": "20240716", + "location": "[parameters('location')]", + "offers": { + "R81.10 - Bring Your Own License": "BYOL", + "R81.10 - Pay As You Go (NGTP)": "NGTP", + "R81.10 - Pay As You Go (NGTX)": "NGTX", + "R81.20 - Bring Your Own License": "BYOL", + "R81.20 - Pay As You Go (NGTP)": "NGTP", + "R81.20 - Pay As You Go (NGTX)": "NGTX" + }, + "offer": "[variables('offers')[parameters('cloudGuardVersion')]]", + "osVersions": { + "R81.10 - Bring Your Own License": "R8110", + "R81.10 - Pay As You Go (NGTP)": "R8110", + "R81.10 - Pay As You Go (NGTX)": "R8110", + "R81.20 - Bring Your Own License": "R8120", + "R81.20 - Pay As You Go (NGTP)": "R8120", + "R81.20 - Pay As You Go (NGTX)": "R8120" + }, + "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", + "SerialConsoleGeographies": { + "eastasia": [ + "20.205.69.28", + "20.195.85.180" + ], + "southeastasia": [ + "20.205.69.28", + "20.195.85.180" + ], + "australiacentral": [ + "20.53.53.224", + "20.70.222.112" + ], + "australiacentral2": [ + "20.53.53.224", + "20.70.222.112" + ], + "australiaeast": [ + "20.53.53.224", + "20.70.222.112" + ], + "australiasoutheast": [ + "20.53.53.224", + "20.70.222.112" + ], + "brazilsouth": [ + "91.234.136.63", + "20.206.0.194" + ], + "brazilsoutheast": [ + "91.234.136.63", + "20.206.0.194" + ], + "canadacentral": [ + "52.228.86.177", + "52.242.40.90" + ], + "canadaeast": [ + "52.228.86.177", + "52.242.40.90" + ], + "northeurope": [ + 
"52.146.139.220", + "20.105.209.72" + ], + "westeurope": [ + "52.146.139.220", + "20.105.209.72" + ], + "francecentral": [ + "20.111.0.244", + "52.136.191.10" + ], + "francesouth": [ + "20.111.0.244", + "52.136.191.10" + ], + "germanynorth": [ + "51.116.75.88", + "20.52.95.48" + ], + "germanywestcentral": [ + "51.116.75.88", + "20.52.95.48" + ], + "centralindia": [ + "20.192.168.150", + "20.192.153.104" + ], + "southindia": [ + "20.192.168.150", + "20.192.153.104" + ], + "westindia": [ + "20.192.168.150", + "20.192.153.104" + ], + "japaneast": [ + "20.43.70.205", + "20.189.228.222" + ], + "japanwest": [ + "20.43.70.205", + "20.189.228.222" + ], + "koreacentral": [ + "20.200.196.96", + "52.147.119.29" + ], + "koreasouth": [ + "20.200.196.96", + "52.147.119.29" + ], + "norwaywest": [ + "20.100.1.184", + "51.13.138.76" + ], + "norwayeast": [ + "20.100.1.184", + "51.13.138.76" + ], + "switzerlandnorth": [ + "20.208.4.98", + "51.107.251.190" + ], + "switzerlandwest": [ + "20.208.4.98", + "51.107.251.190" + ], + "uaecentral": [ + "20.45.95.66", + "20.38.141.5" + ], + "uaenorth": [ + "20.45.95.66", + "20.38.141.5" + ], + "uksouth": [ + "20.90.132.144", + "20.58.68.62" + ], + "ukwest": [ + "20.90.132.144", + "20.58.68.62" + ], + "swedencentral": [ + "51.12.72.223", + "51.12.22.174" + ], + "swedensouth": [ + "51.12.72.223", + "51.12.22.174" + ], + "centralus": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "eastus2": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "eastus": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "northcentralus": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "southcentralus": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "westus2": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "westus3": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + 
"20.83.222.102" + ], + "westcentralus": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "westus": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "eastus2euap": [ + "20.45.242.18", + "20.51.21.252" + ], + "centraluseuap": [ + "20.45.242.18", + "20.51.21.252" + ] + }, + "serialConsoleIps": "[if(contains(variables('serialConsoleGeographies'),variables('location')),variables('serialConsoleGeographies')[variables('location')],createArray())]", + "storageAccountIps": "[concat(variables('SerialConsoleIps'),parameters('storageAccountAdditionalIps'))]", + "isBlink": true, + "subnet2Name": "[parameters('subnet2Name')]", + "storageAccountName": "[concat('bootdiag', uniqueString(variables('resourceGroup').id, deployment().name))]", + "storageAccountType": "Standard_LRS", + "diskSize100GB": 100, + "additionalDiskSizeGB": "[if(contains('R8110 R8120', variables('osVersion')), 0, parameters('additionalDiskSizeGB'))]", + "diskSizeGB": "[add(variables('additionalDiskSizeGB'), variables('diskSize100GB'))]", + "enableFloatingIP": "[equals(parameters('floatingIP'), 'yes')]", + "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'customMetrics=\"', variables('customMetrics'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n', 'MaintenanceModePassword=\"', parameters('MaintenanceModePasswordHash'), '\"', '\n', 'passwordHash=\"', parameters('SerialConsolePasswordHash'), 
'\"', '\n')]", + "imageOffer": "[concat('check-point-cg-', toLower(variables('osVersion')))]", + "imagePublisher": "checkpoint", + "imageReferenceBYOL": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-byol", + "version": "latest" + }, + "imageReferenceNGTP": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp", + "version": "latest" + }, + "imageReferenceNGTP-V2": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp-v2", + "version": "latest" + }, + "imageReferenceNGTX": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtx", + "version": "latest" + }, + "imageReferenceNGTX-V2": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtx-v2", + "version": "latest" + }, + "imageReferenceMarketplace": "[if(equals(variables('offer'), 'BYOL'), variables('imageReferenceBYOL'), if(equals(variables('offer'), 'NGTP'), variables('imageReferenceNGTP'), if(equals(variables('offer'), 'NGTP-V2'), variables('imageReferenceNGTP-V2'), if(equals(variables('offer'), 'NGTX'), variables('imageReferenceNGTX'), if(equals(variables('offer'), 'NGTX-V2'), variables('imageReferenceNGTX-V2'), json('null'))))))]", + "customImage": "customImage", + "imageReferenceCustomUri": { + "id": "[resourceId('Microsoft.Compute/images', variables('customImage'))]" + }, + "imageReference": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('imageReferenceMarketplace'), variables('imageReferenceCustomUri'))]", + "linuxConfigurationpassword": { + "disablePasswordAuthentication": "false" + }, + "linuxConfigurationsshPublicKey": { + "disablePasswordAuthentication": "true", + "ssh": { + "publicKeys": [ + { + "keyData": "[parameters('sshPublicKey')]", + "path": "/home/notused/.ssh/authorized_keys" + } + ] + } + }, + 
"linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), variables('linuxConfigurationpassword'), variables('linuxConfigurationsshPublicKey'))]", + "planBYOL": { + "name": "sg-byol", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP": { + "name": "sg-ngtp", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP-V2": { + "name": "sg-ngtp-v2", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTX": { + "name": "sg-ngtx", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTX-V2": { + "name": "sg-ngtx-v2", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "plan": "[if(equals(variables('offer'), 'BYOL') , variables('planBYOL'), if(equals(variables('offer'), 'NGTP'), variables('planNGTP'), if(equals(variables('offer'), 'NGTP-V2'), variables('planNGTP-V2'), if(equals(variables('offer'), 'NGTX'), variables('planNGTX'), if(equals(variables('offer'), 'NGTX-V2'), variables('planNGTX-V2'), json('null'))))))]", + "vmssID": "[resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('vmName'))]", + "bootstrapScript64": "[base64(parameters('bootstrapScript'))]", + "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]", + "sicKey": "[parameters('sicKey')]", + "installationType": "vmss", + "upgrading": "[equals(parameters('upgrading'), 'yes')]", + "_artifactsLocation": "[if(contains(parameters('_artifactsLocation'),'raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/marketplace'),'https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/',parameters('_artifactsLocation'))]", + "networkSetupURL": "[uri(variables('_artifactsLocation'), concat('nestedtemplates/vnet-2-subnet-ha-', parameters('vnetNewOrExisting'), '.json', 
parameters('_artifactsLocationSasToken')))]", + "loadBalacerSetupURL": "[uri(variables('_artifactsLocation'), concat('nestedtemplates/load-balancers.json', parameters('_artifactsLocationSasToken')))]", + "lbsTargetRGName": "[parameters('lbsTargetRGName')]", + "lbRGName": "[if(variables('upgrading'), variables('lbsTargetRGName'), resourceGroup().name)]", + "loadBalancerSetupId": "[resourceId(variables('lbRGName'), 'Microsoft.Resources/deployments', 'loadBalancerSetup')]", + "deployNewVnet": "[equals(parameters('vnetNewOrExisting'), 'new')]", + "vnetRGName": "[if(variables('deployNewVnet'), variables('resourceGroupName'), parameters('virtualNetworkExistingRGName'))]", + "vnetID": "[if(variables('deployNewVnet'), resourceId(variables('vnetRGName'), 'Microsoft.Resources/deployments', 'networkNewSetup'), resourceId(variables('vnetRGName'), 'Microsoft.Resources/deployments', 'networkExistingSetup'))]", + "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]", + "customImageId": "[variables('imageReferenceCustomUri').id]", + "availabilityZonesLocations": [ + "brazilsouth", + "canadacentral", + "centralus", + "eastus", + "eastus2", + "southcentralus", + "usgovvirginia", + "westus2", + "westus3", + "francecentral", + "germanywestcentral", + "northeurope", + "norwayeast", + "uksouth", + "westeurope", + "swedencentral", + "switzerlandnorth", + "qatarcentral", + "uaenorth", + "southafricanorth", + "australiaeast", + "centralindia", + "japaneast", + "koreacentral", + "southeastasia", + "eastasia", + "italynorth" + ], + "availabilityZonesProperty": "[range(1, parameters('availabilityZonesNum'))]", + "mgmtInterface": "[if(equals(parameters('instanceLevelPublicIP'), 'yes'), parameters('mgmtInterfaceOpt1'), parameters('mgmtInterfaceOpt2'))]", + "mgmtIpAddressType": "[split(variables('mgmtInterface'), '-')[1]]", + "mgmtInterfaceName": "[split(variables('mgmtInterface'), '-')[0]]", + "mgmtIPaddress": 
"[if(equals(variables('mgmtInterfaceName'), 'eth0'), parameters('mgmtIPaddress'), '')]", + "commomTags": { + "x-chkp-management": "[parameters('managementServer')]", + "x-chkp-template": "[parameters('configurationTemplate')]", + "x-chkp-ip-address": "[variables('mgmtIpAddressType')]", + "x-chkp-management-interface": "[variables('mgmtInterfaceName')]", + "x-chkp-topology": "eth0:external,eth1:internal", + "x-chkp-anti-spoofing": "eth0:false,eth1:false", + "x-chkp-srcImageUri": "[parameters('sourceImageVhdUri')]" + }, + "uniqueTags": { + "x-chkp-management-address": "[variables('mgmtIPaddress')]" + }, + "vmssTags": "[if(equals(variables('mgmtIPaddress'), ''), variables('commomTags'), union(variables('commomTags'), variables('uniqueTags')))]", + "customMetrics": "[parameters('customMetrics')]", + "monitoringMetricsPublisher": "[concat('/subscriptions/', parameters('subscriptionId'), '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", + "identity": "[json('{\"type\": \"SystemAssigned\"}')]", + "IPv4Lengths": { + "/28 (16 addresses)": "28", + "/29 (8 addresses)": "29", + "/30 (4 addresses)": "30", + "/31 (2 addresses)": "31" + }, + "ipPrefixNewName": "[concat(parameters('vmName'), '-ipprefix')]", + "ipPrefixExistingResourceId": "[if(equals(parameters('publicIPPrefix'), 'yes'), parameters('ipPrefixExistingResourceId'), json('null'))]", + "ipPrefixId": "[resourceId('Microsoft.Network/publicipprefixes',variables('ipPrefixNewName'))]", + "publicIPPrefixId": "[if(equals(parameters('publicIPPrefix'), 'yes'), variables('ipPrefixId'), json('null'))]", + "usePublicIPPrefix": "[if(equals(parameters('createNewIPPrefix'),'yes'), variables('publicIPPrefixId'), variables('ipPrefixExistingResourceId'))]", + "publicIPPropertiesWithPrefix": { + "name": "instancePublicIP", + "properties": { + "idleTimeoutInMinutes": 15, + "PublicIpPrefix": { + "Id": "[if(equals(parameters('publicIPPrefix'), 'yes'), variables('usePublicIPPrefix'), 
json('null'))]" + } + } + }, + "publicIPPropertiesWithoutPrefix": { + "name": "instancePublicIP", + "properties": { + "idleTimeoutInMinutes": 15 + } + }, + "publicIPPrefixLength": "[variables('IPv4Lengths')[parameters('IPv4Length')]]", + "useIpPrefix": "[if(equals(parameters('publicIPPrefix'), 'yes'), variables('publicIPPropertiesWithPrefix'), variables('publicIPPropertiesWithoutPrefix'))]", + "NewNsgReference": { + "id": "[resourceId(variables('vnetRGName'),'Microsoft.Network/networkSecurityGroups', parameters('NewNsgName'))]" + } + }, + "resources": [ + { + "condition": "[and(equals(parameters('createNewIPPrefix'), 'yes'), equals(parameters('publicIPPrefix'), 'yes'))]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Network/publicipprefixes", + "name": "[variables('ipPrefixNewName')]", + "location": "[variables('location')]", + "properties": { + "prefixLength": "[variables('publicIPPrefixLength')]", + "publicIPAddressVersion": "IPv4" + }, + "sku": { + "name": "Standard", + "tier": "Regional" + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/publicipprefixes'), parameters('tagsByResource')['Microsoft.Network/publicipprefixes'], json('{}')) ]" + }, + { + "apiVersion": "2020-06-01", + "name": "pid-6f13b00a-7546-4ab2-be9f-c66815cc6c8b-partnercenter", + "type": "Microsoft.Resources/deployments", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "condition": "[equals(variables('customMetrics'), 'yes')]", + "apiVersion": "2020-04-01-preview", + "type": "Microsoft.Authorization/roleAssignments", + "name": "[parameters('rbacGuid')]", + "properties": { + "roleDefinitionId": "[variables('monitoringMetricsPublisher')]", + "principalId": "[reference(variables('vmssID'), '2021-07-01', 'Full').identity.principalId]", + "scope": "[resourceGroup().id]" + }, + "dependsOn": [ + 
"[variables('vmssID')]" + ], + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Authorization/roleAssignments'), parameters('tagsByResource')['Microsoft.Authorization/roleAssignments'], json('{}')) ]" + }, + { + "condition": "[equals(parameters('vnetNewOrExisting'), 'new')]", + "name": "networkNewSetup", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "resourceGroup": "[variables('vnetRGName')]", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + "value": "[variables('location')]" + }, + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + "virtualNetworkAddressPrefixes": { + "value": "[parameters('virtualNetworkAddressPrefixes')]" + }, + "subnet1Name": { + "value": "[parameters('subnet1Name')]" + }, + "subnet1Prefix": { + "value": "[parameters('subnet1Prefix')]" + }, + "subnet2Name": { + "value": "[parameters('subnet2Name')]" + }, + "subnet2Prefix": { + "value": "[parameters('subnet2Prefix')]" + }, + "vmName": { + "value": "[parameters('vmName')]" + }, + "deployNsg": { + "value": "[parameters('deployNewNSG')]" + }, + "NewNsgName": { + "value": "[parameters('NewNsgName')]" + }, + "tagsByResource": { + "value": "[parameters('tagsByResource')]" + } + } + } + }, + { + "condition": "[equals(parameters('vnetNewOrExisting'), 'existing')]", + "name": "networkExistingSetup", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "resourceGroup": "[variables('vnetRGName')]", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + "value": "[variables('location')]" + }, + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + "virtualNetworkExistingRGName": { + "value": "[variables('vnetRGName')]" + }, + "vmName": { + 
"value": "[parameters('vmName')]" + }, + "deployNsg": { + "value": "[parameters('deployNewNSG')]" + }, + "NewNsgName": { + "value": "[parameters('NewNsgName')]" + }, + "tagsByResource": { + "value": "[parameters('tagsByResource')]" + } + } + } + }, + { + "name": "loadBalancerSetup", + "type": "Microsoft.Resources/deployments", + "resourceGroup": "[variables('lbRGName')]", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[variables('vnetID')]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('loadBalacerSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "deploymentMode": { + "value": "[parameters('deploymentMode')]" + }, + "location": { + "value": "[variables('location')]" + }, + "vmName": { + "value": "[parameters('vmName')]" + }, + "appLoadDistribution": { + "value": "[parameters('appLoadDistribution')]" + }, + "subnet2StartAddress": { + "value": "[parameters('subnet2StartAddress')]" + }, + "subnet2Id": { + "value": "[resourceId(variables('vnetRGName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), variables('subnet2Name'))]" + }, + "ilbLoadDistribution": { + "value": "[parameters('ilbLoadDistribution')]" + }, + "elbResourceId": { + "value": "[parameters('elbResourceId')]" + }, + "elbTargetBEAddressPoolName": { + "value": "[parameters('elbTargetBEAddressPoolName')]" + }, + "ilbResourceId": { + "value": "[parameters('ilbResourceId')]" + }, + "ilbTargetBEAddressPoolName": { + "value": "[parameters('ilbTargetBEAddressPoolName')]" + }, + "upgrading": { + "value": "[variables('upgrading')]" + }, + "floatingIp": { + "value": "[variables('enableFloatingIP')]" + }, + "tagsByResource": { + "value": "[parameters('tagsByResource')]" + } + } + } + }, + { + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('storageAccountName')]", + "apiVersion": "2021-04-01", + "properties": { + "supportsHttpsTrafficOnly": true, + "allowBlobPublicAccess": false, + "minimumTlsVersion": 
"TLS1_2", + "networkAcls": { + "bypass": "None", + "defaultAction": "[if(parameters('addStorageAccountIpRules'), 'Deny', 'Allow')]", + "ipRules": "[if(parameters('addStorageAccountIpRules'), map(variables('storageAccountIps'), lambda('ip',createObject('action','Allow','value',lambdaVariables('ip')))), createArray())]" + } + }, + "location": "[variables('location')]", + "sku": { + "name": "[variables('storageAccountType')]" + }, + "kind": "Storage", + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Storage/storageAccounts'), parameters('tagsByResource')['Microsoft.Storage/storageAccounts'], json('{}')) ]" + }, + { + "condition": "[not(equals(parameters('sourceImageVhdUri'), 'noCustomUri'))]", + "type": "Microsoft.Compute/images", + "apiVersion": "2020-06-01", + "name": "[variables('customImage')]", + "location": "[variables('resourceGroup').location]", + "properties": { + "storageProfile": { + "osDisk": { + "osType": "Linux", + "osState": "Generalized", + "blobUri": "[parameters('sourceImageVhdUri')]", + "storageAccountType": "Standard_LRS" + } + }, + "hyperVGeneration": "V1" + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Compute/images'), parameters('tagsByResource')['Microsoft.Compute/images'], json('{}')) ]" + }, + { + "type": "Microsoft.Compute/virtualMachineScaleSets", + "apiVersion": "2021-07-01", + "name": "[parameters('vmName')]", + "location": "[variables('location')]", + "identity": "[if(equals(variables('customMetrics'), 'yes'), variables('identity'), json('null'))]", + "zones": "[if(and(contains(variables('availabilityZonesLocations'), variables('location')), greater(parameters('availabilityZonesNum'), 0)), variables('availabilityZonesProperty'), json('null'))]", + "tags": "[union(variables('vmssTags'),if(contains(parameters('tagsByResource'), 'Microsoft.Compute/virtualMachineScaleSets'), parameters('tagsByResource')['Microsoft.Compute/virtualMachineScaleSets'], json('{}')))]", + "dependsOn": [ + 
"[variables('vnetID')]", + "[variables('loadBalancerSetupId')]", + "[variables('storageAccountId')]", + "[variables('customImageId')]" + ], + "sku": { + "name": "[parameters('vmSize')]", + "tier": "Standard", + "capacity": "[parameters('instanceCount')]" + }, + "plan": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('plan'), json('null'))]", + "properties": { + "upgradePolicy": { + "mode": "Manual" + }, + "virtualMachineProfile": { + "UserData": "[base64(concat(variables('customData'), '\n', 'vnet=\"', if(equals(parameters('vnetNewOrExisting'), 'new'), reference('networkNewSetup').outputs.vnetAddressPrefixes.value[0], reference('networkExistingSetup').outputs.vnetAddressPrefixes.value[0]), '\"', '\n' ))]", + "storageProfile": { + "osDisk": { + "caching": "ReadWrite", + "createOption": "FromImage", + "diskSizeGB": "[variables('diskSizeGB')]", + "managedDisk": { + "storageAccountType": "[parameters('diskType')]" + } + }, + "imageReference": "[variables('imageReference')]" + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "[concat('not','used')]", + "computerNamePrefix": "[toLower(parameters('vmName'))]", + "customData": "[base64(concat(variables('customData'), '\n', 'vnet=\"', if(equals(parameters('vnetNewOrExisting'), 'new'), reference('networkNewSetup').outputs.vnetAddressPrefixes.value[0], reference('networkExistingSetup').outputs.vnetAddressPrefixes.value[0]), '\"', '\n' ))]", + "linuxConfiguration": "[variables('linuxConfiguration')]" + }, + "networkProfile": { + "networkInterfaceConfigurations": [ + { + "name": "eth0", + "properties": { + "primary": true, + "enableIPForwarding": true, + "enableAcceleratedNetworking": true, + "networkSecurityGroup": "[if(parameters('deployNewNSG') , variables('NewNsgReference') , parameters('ExistingNSG'))]", + "ipConfigurations": [ + { + "name": "ipconfig1", + "properties": { + "publicIpAddressConfiguration": "[if(equals(parameters('instanceLevelPublicIP'),'yes'), 
variables('useIpPrefix'), json('null'))]", + "subnet": { + "id": "[resourceId(variables('vnetRGName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('Subnet1Name'))]" + }, + "loadBalancerBackendAddressPools": "[if(empty(reference('loadBalancerSetup').outputs.elbId.value), json('null'), reference('loadBalancerSetup').outputs.elbBEAddressPoolProperties.value)]" + } + } + ] + } + }, + { + "name": "eth1", + "properties": { + "primary": false, + "enableIPForwarding": true, + "enableAcceleratedNetworking": true, + "ipConfigurations": [ + { + "name": "ipconfig2", + "properties": { + "subnet": { + "id": "[resourceId(variables('vnetRGName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('Subnet2Name'))]" + }, + "loadBalancerBackendAddressPools": "[if(empty(reference('loadBalancerSetup').outputs.ilbId.value), json('null'), reference('loadBalancerSetup').outputs.ilbBEAddressPoolProperties.value)]" + } + } + ] + } + } + ] + }, + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": "true", + "storageUri": "[reference(variables('storageAccountId'), '2021-04-01').primaryEndpoints.blob]" + } + } + }, + "overprovision": false + } + }, + { + "type": "Microsoft.Insights/autoscaleSettings", + "apiVersion": "2015-04-01", + "name": "[parameters('vmName')]", + "location": "[variables('location')]", + "dependsOn": [ + "[variables('vmssID')]" + ], + "properties": { + "name": "[parameters('vmName')]", + "targetResourceUri": "[variables('vmssID')]", + "notifications": [ + { + "operation": "Scale", + "email": { + "sendToSubscriptionAdministrator": false, + "sendToSubscriptionCoAdministrators": false, + "customEmails": "[if(empty(parameters('adminEmail')), json('null'), array(parameters('adminEmail')))]" + } + } + ], + "enabled": true, + "profiles": [ + { + "name": "Profile1", + "capacity": { + "minimum": "[parameters('instanceCount')]", + "maximum": "[parameters('maxInstanceCount')]", + "default": 
"[parameters('instanceCount')]" + }, + "rules": [ + { + "metricTrigger": { + "metricName": "Percentage CPU", + "metricResourceUri": "[variables('vmssID')]", + "timeGrain": "PT1M", + "statistic": "Average", + "timeWindow": "PT5M", + "timeAggregation": "Average", + "operator": "GreaterThan", + "threshold": 80 + }, + "scaleAction": { + "direction": "Increase", + "type": "ChangeCount", + "value": "1", + "cooldown": "PT5M" + } + }, + { + "metricTrigger": { + "metricName": "Percentage CPU", + "metricResourceUri": "[variables('vmssID')]", + "timeGrain": "PT1M", + "statistic": "Average", + "timeWindow": "PT5M", + "timeAggregation": "Average", + "operator": "LessThan", + "threshold": 60 + }, + "scaleAction": { + "direction": "Decrease", + "type": "ChangeCount", + "value": "1", + "cooldown": "PT5M" + } + } + ] + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Insights/autoscaleSettings'), parameters('tagsByResource')['Microsoft.Insights/autoscaleSettings'], json('{}')) ]" + } + ], + "outputs": { + "ApplicationAddress": { + "type": "string", + "value": "[reference('loadBalancerSetup').outputs.ApplicationAddress.value]" + }, + "ApplicationFQDN": { + "type": "string", + "value": "[reference('loadBalancerSetup').outputs.ApplicationFQDN.value]" + } + } +} \ No newline at end of file diff --git a/azure/templates/nestedtemplates/CreateUIDefinition.MultiVm.json b/azure/templates/nestedtemplates/CreateUIDefinition.MultiVm.json new file mode 100644 index 00000000..80610b97 --- /dev/null +++ b/azure/templates/nestedtemplates/CreateUIDefinition.MultiVm.json 
@@ -0,0 +1 @@ +{"$schema":"http://json-schema.org/schema#","id":"https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#","type":"object","properties":{"handler":{"type":"string","enum":["Microsoft.Compute.MultiVm"]},"version":{"type":"string","enum":["0.1.2-preview"]},"parameters":{"type":"object","properties":{"basics":{"type":"array","items":{"$ref":"CreateUIDefinition.CommonControl.json#"}},"steps":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"label":{"type":"string"},"subLabel":{"type":"object","properties":{"preValidation":{"type":"string"},"postValidation":{"type":"string"}},"additionalProperties":false,"required":["preValidation","postValidation"]},"bladeTitle":{"type":"string"},"bladeSubtitle":{"type":"string"},"elements":{"type":"array","items":{"$ref":"CreateUIDefinition.ProviderControl.json#"}}},"additionalProperties":false,"required":["name","label","subLabel","bladeTitle","elements"]}},"outputs":{"type":"object","additionalProperties":true}},"additionalProperties":false,"required":["basics","steps","outputs"]}},"required":["handler","version","parameters"]} \ No newline at end of file diff --git a/azure/templates/nestedtemplates/azure-func-sami.json b/azure/templates/nestedtemplates/azure-func-sami.json new file mode 100755 index 00000000..04ed9cae --- /dev/null +++ b/azure/templates/nestedtemplates/azure-func-sami.json 
@@ -0,0 +1,240 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "subscriptionId": {
+ "type": "string",
+ "defaultValue": "[subscription().subscriptionId]",
+ "metadata": {
+ "description": "The name of the azure function."
+ }
+ },
+ "appName": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().name]",
+ "metadata": {
+ "description": "The name of the azure function."
+ }
+ },
+ "location": {
+ "type": "string"
+ },
+ "vmssResourceGroupName": {
+ "type": "string",
+ "metadata": {
+ "description": "VMSS resource group name"
+ }
+ },
+ "vmssName": {
+ "type": "string",
+ "metadata": {
+ "description": "VMSS name"
+ }
+ },
+ "dnsZoneRecordSetName": {
+ "type": "string",
+ "metadata": {
+ "description": "DNS Zone Record Set name"
+ }
+ },
+ "numberOfRecordSetEntries": {
+ "type": "string",
+ "metadata": {
+ "description": "Number of records in the DNS Zone Record Set"
+ }
+ },
+ "dnsZoneResourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "Number of records in the DNS Zone Record Set"
+ }
+ },
+ "rbacGuid": {
+ "type": "string",
+ "defaultValue": "[newGuid()]"
+ },
+ "containerName": {
+ "type": "string",
+ "defaultValue": "azure-function"
+ },
+ "tagsByResource": {
+ "type": "object",
+ "defaultValue": {}
+ }
+ },
+ "variables": {
+ "resourceGroup": "[resourceGroup()]",
+ "dnsZoneName": "[last(split(parameters('dnsZoneResourceId'), '/'))]",
+ "functionAppName": "[parameters('appName')]",
+ "hostingPlanName": "[concat('ASP-',parameters('appName'),'-', substring(uniqueString(variables('resourceGroup').id),0,4))]",
+ "storageAccountName": "[substring(concat('azurefunction',uniqueString(variables('resourceGroup').id)),0,21)]",
+ "applicationInsightsName": "[parameters('appName')]",
+ "Reader": "[concat('/subscriptions/', parameters('subscriptionId'), '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
+ "functionAppId": "[resourceId('Microsoft.Web/sites', parameters('appName'))]",
+ "workspaceName": "[concat('workspace-',parameters('appName'))]",
+ "workspaceId" : "[resourceId('Microsoft.OperationalInsights/workspaces', concat('workspace-',parameters('appName')))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces",
+ "name": "[variables('workspaceName')]",
+ "apiVersion": "2021-06-01",
+ "location": "[parameters('location')]",
+ "properties": {
+ "sku": {
+ "name": "pergb2018"
+ },
+ "features": {
+ "searchVersion": 1,
+ "legacy": 0,
+ "enableLogAccessUsingOnlyResourcePermissions": "true"
+ }
+ }
+ },
+ {
+ "apiVersion": "2021-04-01-preview",
+ "type": "Microsoft.Authorization/roleAssignments",
+ "name": "[parameters('rbacGuid')]",
+ "properties": {
+ "roleDefinitionId": "[variables('Reader')]",
+ "principalId": "[reference(variables('functionAppId'), '2021-03-01', 'Full').identity.principalId]",
+ "scope": "[resourceGroup().id]",
+ "PrincipalType": "ServicePrincipal"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/sites/', variables('functionAppName'))]"
+ ]
+ },
+ {
+ "apiVersion": "2021-02-01",
+ "name": "[variables('functionAppName')]",
+ "type": "Microsoft.Web/sites",
+ "kind": "functionapp,linux",
+ "location": "[parameters('location')]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",
+ "[resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]"
+ ],
+ "properties": {
+ "siteConfig": {
+ "appSettings": [
+ {
+ "name": "FUNCTIONS_EXTENSION_VERSION",
+ "value": "~3"
+ },
+ {
+ "name": "FUNCTIONS_WORKER_RUNTIME",
+ "value": "python"
+ },
+ {
+ "name": "AzureWebJobsStorage",
+ "value": "[concat('DefaultEndpointsProtocol=https;AccountName=',variables('storageAccountName'),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2021-06-01').keys[0].value,';EndpointSuffix=', environment().suffixes.storage)]"
+ },
+ {
+ "name": "WEBSITE_RUN_FROM_PACKAGE",
+ "value": ""
+ },
+ {
+ "name": "APPINSIGHTS_INSTRUMENTATIONKEY",
+ "value": "[reference(resourceId('microsoft.insights/components/', variables('applicationInsightsName')), '2020-02-02').InstrumentationKey]"
+ },
+ {
+ "name": "APPLICATIONINSIGHTS_CONNECTION_STRING",
+ "value": "[reference(resourceId('microsoft.insights/components/', variables('applicationInsightsName')), '2020-02-02').ConnectionString]"
+ },
+ {
+ "name": "SUBSCRIPTION_ID",
+ "value": "[parameters('subscriptionId')]"
+ },
+ {
+ "name": "VMSS_RESOURCE_GROUP_NAME",
+ "value": "[parameters('vmssResourceGroupName')]"
+ },
+ {
+ "name": "VMSS_NAME",
+ "value": "[parameters('vmssName')]"
+ },
+ {
+ "name": "DNS_ZONE_SUBSCRIPTION_ID",
+ "value": "[reference(parameters('dnsZoneResourceId'),'2018-05-01','Full').subscriptionId]"
+ },
+ {
+ "name": "DNS_ZONE_RESOURCE_GROUP_NAME",
+ "value": "[reference(parameters('dnsZoneResourceId'),'2018-05-01','Full').resourceGroupName]"
+ },
+ {
+ "name": "DNS_ZONE_NAME",
+ "value": "[variables('dnsZoneName')]"
+ },
+ {
+ "name": "DNS_ZONE_RECORD_SET_NAME",
+ "value": "[parameters('dnsZoneRecordSetName')]"
+ },
+ {
+ "name": "NUMBER_OF_RECORD_SET_ENTRIES",
+ "value": "[parameters('numberOfRecordSetEntries')]"
+ }
+ ],
+ "linuxFxVersion": "Python|3.7"
+ },
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",
+ "reserved": true
+ },
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Function App'), parameters('tagsByResource')['Function App'], json('{}')) ]"
+ },
+ {
+ "type": "Microsoft.Web/serverfarms",
+ "apiVersion": "2021-02-01",
+ "name": "[variables('hostingPlanName')]",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "S1",
+ "tier": "Standard",
+ "size": "S1",
+ "family": "S",
+ "capacity": 1
+ },
+ "kind": "linux",
+ "properties": {
+ "reserved": true
+ }
+ },
+ {
+ "apiVersion": "2021-06-01",
+ "type": "Microsoft.Storage/storageAccounts",
+ "name": "[variables('storageAccountName')]",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "Standard_LRS"
+ },
+ "properties": {
+ "allowBlobPublicAccess": false
+ },
+ "resources": [
+ {
+ "type": "blobServices/containers",
+ "apiVersion": "2021-06-01",
+ "name": "[concat('default/', parameters('containerName'))]",
+ "dependsOn": [
+ "[variables('storageAccountName')]"
+ ]
+ }
+ ],
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Function App'), parameters('tagsByResource')['Function App'], json('{}')) ]"
+ },
+ {
+ "apiVersion": "2020-02-02",
+ "name": "[variables('functionAppName')]",
+ "type": "microsoft.insights/components",
+ "location": "[parameters('location')]",
+ "properties": {
+ "Application_Type": "web",
+ "Request_Source": "IbizaWebAppExtensionCreate",
+ "WorkspaceResourceId": "[variables('workspaceId')]"
+ }
+ }
+ ]
+}
diff --git a/azure/templates/nestedtemplates/existing-nsg-RoleAssignment.json b/azure/templates/nestedtemplates/existing-nsg-RoleAssignment.json
new file mode 100755
index 00000000..f87d2fac
--- /dev/null
+++ b/azure/templates/nestedtemplates/existing-nsg-RoleAssignment.json
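Review bot: The storage account near the end of this hunk sets only `"allowBlobPublicAccess": false`, while the storage account in the VMSS template earlier in this patch also pins `"supportsHttpsTrafficOnly": true` and `"minimumTlsVersion": "TLS1_2"`; since the function's `AzureWebJobsStorage` setting authenticates to this account with an account key from `listKeys`, the same transport hardening belongs here, so add `"supportsHttpsTrafficOnly": true, "minimumTlsVersion": "TLS1_2"` next to `"allowBlobPublicAccess": false`. The `metadata.description` on `subscriptionId` reads "The name of the azure function." and the one on `dnsZoneResourceId` reads "Number of records in the DNS Zone Record Set" — both look copy-pasted and should describe their own parameter, e.g. "Subscription that hosts the VMSS and the function app" and "Resource ID of the DNS zone containing the record set". `"enableLogAccessUsingOnlyResourcePermissions": "true"` is a quoted string whereas every other boolean in the template (`"reserved": true`) is unquoted; if the workspace API accepts a boolean here, the unquoted form is the consistent one.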
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "ExistingNSG": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "vmName": {
+ "type": "string"
+ },
+ "roleDefinitionId": {
+ "type": "string",
+ "defaultValue": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]"
+ },
+ "principalId1": {
+ "type": "string"
+ },
+ "principalId2": {
+ "type": "string"
+ },
+ "index": {
+ "type": "int"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2022-04-01",
+ "scope": "[concat('Microsoft.Network/networkSecurityGroups/', parameters('ExistingNSG').name)]",
+ "name": "[guid(resourceGroup().id, concat(parameters('vmName'), parameters('principalId1'), '1', '-nsg', parameters('index')))]",
+ "properties": {
+ "roleDefinitionId": "[parameters('roleDefinitionId')]",
+ "principalId": "[parameters('principalId1')]"
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2022-04-01",
+ "scope": "[concat('Microsoft.Network/networkSecurityGroups/', parameters('ExistingNSG').name)]",
+ "name": "[guid(resourceGroup().id, concat(parameters('vmName'), parameters('principalId1'), '2', '-nsg', parameters('index')))]",
+ "properties": {
+ "roleDefinitionId": "[parameters('roleDefinitionId')]",
+ "principalId": "[parameters('principalId2')]"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/azure/templates/nestedtemplates/gateway-load-balancers.json b/azure/templates/nestedtemplates/gateway-load-balancers.json
new file mode 100755
index 00000000..88b7348a
--- /dev/null
+++ b/azure/templates/nestedtemplates/gateway-load-balancers.json
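Review bot: The second role assignment's `name` is seeded with `parameters('principalId1')` although its `principalId` is `parameters('principalId2')`; the two names still differ thanks to the `'1'`/`'2'` literals, but the deterministic guid no longer tracks the principal it grants, so a redeploy with a different `principalId2` would reuse an existing assignment name for a new principal. Change the seed to `concat(parameters('vmName'), parameters('principalId2'), '2', '-nsg', parameters('index'))`. The default `roleDefinitionId` appears to be the built-in Contributor role, scoped to the single NSG named by `ExistingNSG`; a `metadata.description` on that parameter stating which NSG operations the two principals need would let a reviewer judge whether a narrower built-in role such as Network Contributor is sufficient.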
@@ -0,0 +1,153 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "vmName": {
+ "type": "string"
+ },
+ "appLoadDistribution": {
+ "type": "string"
+ },
+ "Subnet1StartAddress": {
+ "type": "string"
+ },
+ "subnet1Id": {
+ "type": "string"
+ },
+ "upgrading": {
+ "type": "bool"
+ },
+ "lbResourceId": {
+ "type": "string"
+ },
+ "lbTargetBEAddressPoolName": {
+ "type": "string"
+ },
+ "vxlanTunnelExternalPort": {
+ "type": "int"
+ },
+ "vxlanTunnelExternalIdentifier": {
+ "type": "int"
+ },
+ "vxlanTunnelInternalPort": {
+ "type": "int"
+ },
+ "vxlanTunnelInternalIdentifier": {
+ "type": "int"
+ },
+ "tagsByResource": {
+ "type": "object",
+ "defaultValue": {}
+ }
+ },
+ "variables": {
+ "appName": "[concat(parameters('vmName'), '-app-1')]",
+ "appFEName": "[variables('appName')]",
+ "lbName": "gateway-lb",
+ "lbID": "[if(parameters('upgrading'), parameters('lBResourceId'), resourceId('Microsoft.Network/loadBalancers', variables('lbName')))]",
+ "lbBEAddressPool": "[concat(variables('lbName'), '-pool')]",
+ "lbBEAddressPoolName": "[if(parameters('upgrading'), parameters('lbTargetBEAddressPoolName'), variables('lbBEAddressPool'))]",
+ "appProbeName": "[variables('appName')]",
+ "appHealthProtocol": "tcp",
+ "lbHealthPort": 8117,
+ "GatewayLBPrivateIPAddress": "[parameters('Subnet1StartAddress')]",
+ "lbBEAddressPoolProperties": [
+ {
+ "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', variables('lbName'), variables('lbBEAddressPoolName'))]"
+ }
+ ]
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Network/loadBalancers",
+ "condition": "[not(parameters('upgrading'))]",
+ "apiVersion": "2020-08-01",
+ "name": "[variables('lbName')]",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "Gateway"
+ },
+ "properties": {
+ "frontendIPConfigurations": [
+ {
+ "name": "[variables('appFEName')]",
+ "properties": {
+ "privateIPAllocationMethod": "Static",
+ "privateIPAddress": "[variables('GatewayLBPrivateIPAddress')]",
+ "subnet": {
+ "id": "[parameters('subnet1Id')]"
+ }
+ }
+ }
+ ],
+ "backendAddressPools": [
+ {
+ "name": "[variables('lbBEAddressPool')]",
+ "properties": {
+ "tunnelInterfaces": [
+ {
+ "port": "[parameters('vxlanTunnelExternalPort')]",
+ "Identifier": "[parameters('vxlanTunnelExternalIdentifier')]",
+ "Protocol": "VxLan",
+ "Type": "External"
+ },
+ {
+ "port": "[parameters('vxlanTunnelInternalPort')]",
+ "Identifier": "[parameters('vxlanTunnelInternalIdentifier')]",
+ "Protocol": "VxLan",
+ "Type": "Internal"
+ }
+ ]
+ }
+ }
+ ],
+ "loadBalancingRules": [
+ {
+ "name": "[variables('appName')]",
+ "properties": {
+ "frontendIPConfiguration": {
+ "id": "[resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', variables('lbName'), variables('appFEName'))]"
+ },
+ "backendAddressPool": {
+ "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', variables('lbName'), variables('lbBEAddressPoolName'))]"
+ },
+ "probe": {
+ "id": "[resourceId('Microsoft.Network/loadBalancers/probes', variables('lbName'), variables('appProbeName'))]"
+ },
+ "protocol": "All",
+ "frontendPort": 0,
+ "backendPort": 0,
+ "enableFloatingIP": false,
+ "loadDistribution": "[parameters('appLoadDistribution')]"
+ }
+ }
+ ],
+ "probes": [
+ {
+ "name": "[variables('appProbeName')]",
+ "properties": {
+ "protocol": "[variables('appHealthProtocol')]",
+ "port": "[variables('lbHealthPort')]",
+ "intervalInSeconds": "5",
+ "numberOfProbes": "2"
+ }
+ }
+ ]
+ },
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/loadBalancers'), parameters('tagsByResource')['Microsoft.Network/loadBalancers'], json('{}')) ]"
+ }
+ ],
+ "outputs": {
+ "lbId": {
+ "value": "[variables('lbId')]",
+ "type": "string"
+ },
+ "lbBEAddressPoolProperties": {
+ "value": "[variables('lbBEAddressPoolProperties')]",
+ "type": "array"
+ }
+ }
+}
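Review bot: The probe sets `"intervalInSeconds": "5"` and `"numberOfProbes": "2"` as quoted strings, while the sibling load-balancer templates in this patch pass the same two properties as integers `5` and `2`; use the integer form here so the nested templates agree and the values match the declared property type. The `lbID` variable reads `parameters('lBResourceId')` although the parameter is declared as `lbResourceId`, and `outputs.lbId` reads `variables('lbId')` for a variable declared as `lbID`; ARM resolves both case-insensitively, but spelling them as declared keeps the template readable and avoids linter noise.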
diff --git a/azure/templates/nestedtemplates/load-balancers-waap.json b/azure/templates/nestedtemplates/load-balancers-waap.json
new file mode 100755
index 00000000..6d6e3a42
--- /dev/null
+++ b/azure/templates/nestedtemplates/load-balancers-waap.json
@@ -0,0 +1,285 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "deploymentMode": { + "type": "string" + }, + "location": { + "type": "string" + }, + "vmName": { + "type": "string" + }, + "appLoadDistribution": { + "type": "string" + }, + "subnet1Id": { + "type": "string" + }, + "upgrading": { + "type": "bool" + }, + "elbResourceId": { + "type": "string" + }, + "elbTargetBEAddressPoolName": { + "type": "string" + }, + "ilbResourceId": { + "type": "string" + }, + "ilbTargetBEAddressPoolName": { + "type": "string" + } + }, + "variables": { + "deployELB": "[equals(parameters('deploymentMode'),'ELBOnly')]", + "deployILB": "[equals(parameters('deploymentMode'),'ILBOnly')]", + "appName": "[concat(parameters('vmName'), '-app-1')]", + "appAddressName": "[variables('appName')]", + "appAddressId": "[resourceId('Microsoft.Network/publicIPAddresses/', variables('appAddressName'))]", + "appFEName": "[variables('appName')]", + "elbName": "External-lb", + "ilbName": "Internal-lb", + "elbID": "[if(parameters('upgrading'), parameters('elBResourceId'), resourceId('Microsoft.Network/loadBalancers', variables('elbName')))]", + "elbBEAddressPool": "[concat(variables('elbName'), '-pool')]", + "elbBEAddressPoolName": "[if(parameters('upgrading'), parameters('elbTargetBEAddressPoolName'), variables('elbBEAddressPool'))]", + "appFrontEndProtocol": "tcp", + "appHealthProtocol": "tcp", + "lbHealthPort": 8117, + "ilbID": "[if(parameters('upgrading'), parameters('ilbResourceId'), resourceId('Microsoft.Network/loadBalancers', variables('ilbName')))]", + "ilbBEAddressPool": "[concat(variables('ilbName'), '-pool')]", + "ilbBEAddressPoolName": "[if(parameters('upgrading'), parameters('ilbTargetBEAddressPoolName'), variables('ilbBEAddressPool'))]", + "ilbBEAddressPoolProperties": [ + { + "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', variables('ilbName'), 
variables('ilbBEAddressPoolName'))]" + } + ], + "elbBEAddressPoolProperties": [ + { + "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', variables('elbName'), variables('elbBEAddressPoolName'))]" + } + ] + }, + "resources": [ + { + "type": "Microsoft.Network/publicIPAddresses", + "condition": "[and(variables('deployELB'), not(parameters('upgrading')))]", + "apiVersion": "2020-06-01", + "location": "[parameters('location')]", + "name": "[variables('appAddressName')]", + "sku": { + "name": "Standard" + }, + "properties": { + "publicIPAllocationMethod": "Static", + "dnsSettings": { + "domainNameLabel": "[concat(toLower(parameters('vmName')), '-', uniquestring(resourceGroup().id, deployment().name))]" + } + } + }, + { + "type": "Microsoft.Network/loadBalancers", + "condition": "[and(variables('deployELB'), not(parameters('upgrading')))]", + "apiVersion": "2020-06-01", + "name": "[variables('elbName')]", + "location": "[parameters('location')]", + "sku": { + "name": "Standard" + }, + "dependsOn": [ + "[variables('appAddressId')]" + ], + "properties": { + "frontendIPConfigurations": [ + { + "name": "[variables('appFEName')]", + "properties": { + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses/', variables('appAddressName'))]" + } + } + } + ], + "backendAddressPools": [ + { + "name": "[variables('elbBEAddressPool')]" + } + ], + "loadBalancingRules": [ + { + "name": "[concat(parameters('vmName'), '80')]", + "properties": { + "frontendIPConfiguration": { + "id": "[resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', variables('elbName'), variables('appFEName'))]" + }, + "backendAddressPool": { + "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', variables('elbName'), variables('elbBEAddressPoolName'))]" + }, + "probe": { + "id": "[resourceId('Microsoft.Network/loadBalancers/probes', variables('elbName'), variables('elbName'))]" + }, + "protocol": 
"[variables('appFrontEndProtocol')]", + "frontendPort": 80, + "backendPort": 80, + "enableFloatingIP": false, + "loadDistribution": "[parameters('appLoadDistribution')]" + } + }, + { + "name": "[concat(parameters('vmName'), '443')]", + "properties": { + "frontendIPConfiguration": { + "id": "[resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', variables('elbName'), variables('appFEName'))]" + }, + "backendAddressPool": { + "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', variables('elbName'), variables('elbBEAddressPoolName'))]" + }, + "probe": { + "id": "[resourceId('Microsoft.Network/loadBalancers/probes', variables('elbName'), variables('elbName'))]" + }, + "protocol": "[variables('appFrontEndProtocol')]", + "frontendPort": 443, + "backendPort": 443, + "enableFloatingIP": false, + "loadDistribution": "[parameters('appLoadDistribution')]" + } + } + ], + "probes": [ + { + "name": "[variables('elbName')]", + "properties": { + "protocol": "[variables('appHealthProtocol')]", + "port": "[variables('lbHealthPort')]", + "intervalInSeconds": 5, + "numberOfProbes": 2 + } + } + ] + } + }, + { + "type": "Microsoft.Network/loadBalancers", + "condition": "[and(variables('deployILB'), not(parameters('upgrading')))]", + "apiVersion": "2020-06-01", + "name": "[variables('ilbName')]", + "location": "[parameters('location')]", + "sku": { + "name": "Standard" + }, + "properties": { + "frontendIPConfigurations": [ + { + "name": "[variables('ilbName')]", + "properties": { + "privateIPAllocationMethod": "Dynamic", + "subnet": { + "id": "[parameters('subnet1ID')]" + } + } + } + ], + "backendAddressPools": [ + { + "name": "[variables('ilbBEAddressPool')]" + } + ], + "loadBalancingRules": [ + { + "name": "[concat(parameters('vmName'), '80')]", + "properties": { + "frontendIPConfiguration": { + "id": "[resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', variables('ilbName'), variables('ilbName'))]" + }, + "backendAddressPool": 
{ + "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', variables('ilbName'), variables('ilbBEAddressPoolName'))]" + }, + "probe": { + "id": "[resourceId('Microsoft.Network/loadBalancers/probes', variables('ilbName'), variables('ilbName'))]" + }, + "protocol": "[variables('appFrontEndProtocol')]", + "frontendPort": 80, + "backendPort": 80, + "enableFloatingIP": false, + "loadDistribution": "[parameters('appLoadDistribution')]" + } + }, + { + "name": "[concat(parameters('vmName'), '443')]", + "properties": { + "frontendIPConfiguration": { + "id": "[resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', variables('ilbName'), variables('ilbName'))]" + }, + "backendAddressPool": { + "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', variables('ilbName'), variables('ilbBEAddressPoolName'))]" + }, + "probe": { + "id": "[resourceId('Microsoft.Network/loadBalancers/probes', variables('ilbName'), variables('ilbName'))]" + }, + "protocol": "[variables('appFrontEndProtocol')]", + "frontendPort": 443, + "backendPort": 443, + "enableFloatingIP": false, + "loadDistribution": "[parameters('appLoadDistribution')]" + } + } + ], + "probes": [ + { + "name": "[variables('ilbName')]", + "properties": { + "protocol": "[variables('appHealthProtocol')]", + "port": "[variables('lbHealthPort')]", + "intervalInSeconds": 5, + "numberOfProbes": 2 + } + } + ] + } + } + ], + "outputs": { + "appAddressId": { + "value": "[if(and(variables('deployELB'), not(parameters('upgrading'))), resourceId('Microsoft.Network/publicIPAddresses', variables('appAddressName')), '')]", + "type": "string" + }, + "elbId": { + "value": "[if(variables('deployELB'), variables('elbId'), '')]", + "type": "string" + }, + "probeName": { + "value": "[if(variables('deployELB'), variables('elbName'), variables('ilbName'))]", + "type": "string" + }, + "appHealthProtocol": { + "value": "[variables('appHealthProtocol')]", + "type": "string" + }, + "lbHealthPort": { + 
"value": "[variables('lbHealthPort')]", + "type": "int" + }, + "ilbId": { + "value": "[if(variables('deployILB'), variables('ilbId'), '')]", + "type": "string" + }, + "ilbBEAddressPoolProperties": { + "value": "[variables('ilbBEAddressPoolProperties')]", + "type": "array" + }, + "elbBEAddressPoolProperties": { + "value": "[variables('elbBEAddressPoolProperties')]", + "type": "array" + }, + "ApplicationAddress": { + "value": "[if(and(variables('deployELB'), not(parameters('upgrading'))), reference(variables('appAddressId'), '2018-11-01').IpAddress, 'no public ip')]", + "type": "string" + }, + "ApplicationFQDN": { + "value": "[if(and(variables('deployELB'), not(parameters('upgrading'))), reference(variables('appAddressId'), '2018-11-01').dnsSettings.fqdn, 'no public ip')]", + "type": "string" + } + } +} diff --git a/azure/templates/nestedtemplates/load-balancers.json b/azure/templates/nestedtemplates/load-balancers.json new file mode 100644 index 00000000..dcdf0ae0 --- /dev/null +++ b/azure/templates/nestedtemplates/load-balancers.json 
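Review bot: None of the three resources in this template carries a `tags` property and the template declares no `tagsByResource` parameter, unlike the gateway and standard load-balancer templates in this patch, which accept `tagsByResource` and apply it per resource type. If this file is ever the target of a `loadBalancerSetup` deployment that passes `tagsByResource` (as the VMSS template earlier in the patch does), the deployment would be rejected for an undeclared parameter, so declaring `"tagsByResource": { "type": "object", "defaultValue": {} }` and tagging the public IP and both load balancers the same way would keep the nested templates interchangeable. The ILB frontend reads `parameters('subnet1ID')` where the parameter is declared as `subnet1Id`; ARM is case-insensitive here, but the declared spelling is clearer.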
@@ -0,0 +1,259 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "deploymentMode": { + "type": "string" + }, + "location": { + "type": "string" + }, + "vmName": { + "type": "string" + }, + "appLoadDistribution": { + "type": "string" + }, + "Subnet2StartAddress": { + "type": "string" + }, + "subnet2Id": { + "type": "string" + }, + "floatingIP": { + "type": "bool" + }, + "ilbLoadDistribution": { + "type": "string" + }, + "upgrading": { + "type": "bool" + }, + "elbResourceId": { + "type": "string" + }, + "elbTargetBEAddressPoolName": { + "type": "string" + }, + "ilbResourceId": { + "type": "string" + }, + "ilbTargetBEAddressPoolName": { + "type": "string" + }, + "tagsByResource": { + "type": "object", + "defaultValue": {} + } + }, + "variables": { + "resourceGroup": "[resourceGroup()]", + "deployELB": "[or(equals(parameters('deploymentMode'),'Standard'), equals(parameters('deploymentMode'),'ELBOnly'))]", + "deployILB": "[or(equals(parameters('deploymentMode'),'Standard'), equals(parameters('deploymentMode'),'ILBOnly'))]", + "appName": "[concat(parameters('vmName'), '-app-1')]", + "appAddressName": "[variables('appName')]", + "appAddressId": "[resourceId(variables('resourceGroup').name, 'Microsoft.Network/publicIPAddresses/', variables('appAddressName'))]", + "appFEName": "[variables('appName')]", + "elbName": "frontend-lb", + "elbID": "[if(parameters('upgrading'), parameters('elBResourceId'), resourceId('Microsoft.Network/loadBalancers', variables('elbName')))]", + "elbBEAddressPool": "[concat(variables('elbName'), '-pool')]", + "elbBEAddressPoolName": "[if(parameters('upgrading'), parameters('elbTargetBEAddressPoolName'), variables('elbBEAddressPool'))]", + "appProbeName": "[variables('appName')]", + "appFrontEndProtocol": "tcp", + "appFrontEndPort": 80, + "appBackEndPort": 8081, + "appHealthProtocol": "tcp", + "ilbHealthProtocol": "tcp", + "lbHealthPort": 8117, + 
"ilbName": "['backend-lb']", + "ilbID": "[if(parameters('upgrading'), parameters('ilbResourceId'), resourceId('Microsoft.Network/loadBalancers', variables('ilbName')))]", + "ilbBEAddressPool": "[concat(variables('ilbName'), '-pool')]", + "internalLBPrivateIPAddress": "[parameters('Subnet2StartAddress')]", + "ilbBEAddressPoolName": "[if(parameters('upgrading'), parameters('ilbTargetBEAddressPoolName'), variables('ilbBEAddressPool'))]", + "ilbProbeName": "[variables('ilbName')]", + "ilbBEAddressPoolProperties": [ + { + "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', variables('ilbName'), variables('ilbBEAddressPoolName'))]" + } + ], + "elbBEAddressPoolProperties": [ + { + "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', variables('elbName'), variables('elbBEAddressPoolName'))]" + } + ] + }, + "resources": [ + { + "type": "Microsoft.Network/publicIPAddresses", + "condition": "[and(variables('deployELB'), not(parameters('upgrading')))]", + "apiVersion": "2020-06-01", + "location": "[parameters('location')]", + "name": "[variables('appAddressName')]", + "sku": { + "name": "Standard" + }, + "properties": { + "publicIPAllocationMethod": "Static", + "dnsSettings": { + "domainNameLabel": "[concat(toLower(parameters('vmName')), '-', uniquestring(variables('resourceGroup').id, deployment().name))]" + } + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/publicIPAddresses'), parameters('tagsByResource')['Microsoft.Network/publicIPAddresses'], json('{}')) ]" + }, + { + "type": "Microsoft.Network/loadBalancers", + "condition": "[and(variables('deployELB'), not(parameters('upgrading')))]", + "apiVersion": "2020-06-01", + "name": "[variables('elbName')]", + "location": "[parameters('location')]", + "sku": { + "name": "Standard" + }, + "dependsOn": [ + "[variables('appAddressId')]" + ], + "properties": { + "frontendIPConfigurations": [ + { + "name": "[variables('appFEName')]", + "properties": { + 
"publicIPAddress": { + "id": "[resourceId(variables('resourceGroup').name, 'Microsoft.Network/publicIPAddresses/', variables('appAddressName'))]" + } + } + } + ], + "backendAddressPools": [ + { + "name": "[variables('elbBEAddressPool')]" + } + ], + "loadBalancingRules": [ + { + "name": "[variables('appName')]", + "properties": { + "frontendIPConfiguration": { + "id": "[resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', variables('elbName'), variables('appFEName'))]" + }, + "backendAddressPool": { + "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', variables('elbName'), variables('elbBEAddressPoolName'))]" + }, + "probe": { + "id": "[resourceId('Microsoft.Network/loadBalancers/probes', variables('elbName'), variables('appProbeName'))]" + }, + "protocol": "[variables('appFrontEndProtocol')]", + "frontendPort": "[variables('appFrontEndPort')]", + "backendPort": "[variables('appBackEndPort')]", + "enableFloatingIP": "[parameters('floatingIP')]", + "loadDistribution": "[parameters('appLoadDistribution')]" + } + } + ], + "probes": [ + { + "name": "[variables('appProbeName')]", + "properties": { + "protocol": "[variables('appHealthProtocol')]", + "port": "[variables('lbHealthPort')]", + "intervalInSeconds": "5", + "numberOfProbes": "2" + } + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/loadBalancers'), parameters('tagsByResource')['Microsoft.Network/loadBalancers'], json('{}')) ]" + }, + { + "type": "Microsoft.Network/loadBalancers", + "condition": "[and(variables('deployILB'), not(parameters('upgrading')))]", + "apiVersion": "2020-06-01", + "name": "[variables('ilbName')]", + "location": "[parameters('location')]", + "sku": { + "name": "Standard" + }, + "properties": { + "frontendIPConfigurations": [ + { + "name": "[variables('ilbName')]", + "properties": { + "privateIPAllocationMethod": "Static", + "privateIPAddress": "[variables('internalLBPrivateIPAddress')]", + "subnet": { + "id": 
"[parameters('subnet2ID')]" + } + } + } + ], + "backendAddressPools": [ + { + "name": "[variables('ilbBEAddressPool')]" + } + ], + "loadBalancingRules": [ + { + "name": "[variables('ilbName')]", + "properties": { + "frontendIPConfiguration": { + "id": "[resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', variables('ilbName'), variables('ilbName'))]" + }, + "backendAddressPool": { + "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', variables('ilbName'), variables('ilbBEAddressPoolName'))]" + }, + "probe": { + "id": "[resourceId('Microsoft.Network/loadBalancers/probes', variables('ilbName'), variables('ilbProbeName'))]" + }, + "protocol": "All", + "frontendPort": 0, + "backendPort": 0, + "loadDistribution": "[parameters('ilbLoadDistribution')]", + "enableFloatingIP": "[parameters('floatingIP')]" + } + } + ], + "probes": [ + { + "name": "[variables('ilbProbeName')]", + "properties": { + "protocol": "[variables('ilbHealthProtocol')]", + "port": "[variables('lbHealthPort')]", + "intervalInSeconds": "5", + "numberOfProbes": "2" + } + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/loadBalancers'), parameters('tagsByResource')['Microsoft.Network/loadBalancers'], json('{}')) ]" + } + ], + "outputs": { + "appAddressId": { + "value": "[if(and(variables('deployELB'), not(parameters('upgrading'))), resourceId('Microsoft.Network/publicIPAddresses', variables('appAddressName')), '')]", + "type": "string" + }, + "elbId": { + "value": "[if(variables('deployELB'), variables('elbId'), '')]", + "type": "string" + }, + "ilbId": { + "value": "[if(variables('deployILB'), variables('ilbId'), '')]", + "type": "string" + }, + "ilbBEAddressPoolProperties": { + "value": "[variables('ilbBEAddressPoolProperties')]", + "type": "array" + }, + "elbBEAddressPoolProperties": { + "value": "[variables('elbBEAddressPoolProperties')]", + "type": "array" + }, + "ApplicationAddress": { + "value": 
"[if(and(variables('deployELB'), not(parameters('upgrading'))), reference(variables('appAddressId'), '2018-11-01').IpAddress, 'no public ip')]", + "type": "string" + }, + "ApplicationFQDN": { + "value": "[if(and(variables('deployELB'), not(parameters('upgrading'))), reference(variables('appAddressId'), '2018-11-01').dnsSettings.fqdn, 'no public ip')]", + "type": "string" + } + } +} diff --git a/azure/templates/nestedtemplates/storageAccount-existing.json b/azure/templates/nestedtemplates/storageAccount-existing.json new file mode 100644 index 00000000..21ff090b --- /dev/null +++ b/azure/templates/nestedtemplates/storageAccount-existing.json @@ -0,0 +1,30 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "storageAccountName": { + "type": "string", + "metadata": { + "Description": "The name of the new storage account created to store the VMs disks" + } + }, + "storageAccountType": { + "type": "string", + "metadata": { + "Description": "The type of the Storage Account created" + }, + "defaultValue": "Premium_LRS" + }, + "apiVersion": { + "type": "string" + }, + "tagsByResource": { + "type": "object", + "defaultValue": {} + } + }, + "resources": [] +} diff --git a/azure/templates/nestedtemplates/storageAccount-new.json b/azure/templates/nestedtemplates/storageAccount-new.json new file mode 100644 index 00000000..51820aac --- /dev/null +++ b/azure/templates/nestedtemplates/storageAccount-new.json 
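Review bot: The `deploymentMode`, `upgrading`, `floatingIP`, `Subnet2StartAddress` and the `*ResourceId`/`*TargetBEAddressPoolName` parameters carry no `metadata.description`, so a deployer cannot tell from the template that `Standard`, `ELBOnly` and `ILBOnly` are the only modes the `deployELB`/`deployILB` variables recognise, or that the `upgrading` path expects the IDs of already-existing load balancers; add `"allowedValues": ["Standard", "ELBOnly", "ILBOnly"]` on `deploymentMode` and a one-line description on each of the others. Security-wise, whenever the ELB is deployed the `appName` rule publishes plaintext TCP/80 on a Standard-SKU public IP and forwards it to backend port 8081 with no parameter to disable or narrow it; if this is a sample application rule for the appliance behind it, say so in a description, otherwise gate it behind a bool. Two consistency nits: `"ilbName": "['backend-lb']"` is just the string `backend-lb` wrapped in an expression, and the probes here give `intervalInSeconds`/`numberOfProbes` as strings (`"5"`, `"2"`) where the sibling template above uses integers — ARM tolerates both, but pick one.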
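Review bot: The `storageAccountName` description reads `The name of the new storage account created to store the VMs disks`, but this is the existing-account branch with an empty `resources` array, so the text tells the deployer the opposite of what happens; change it to `The name of the existing storage account that holds the VMs disks`. `storageAccountType`, `apiVersion` and `tagsByResource` are accepted but never read here; if the parent passes the same parameter set to both storage branches that is acceptable, but a `description` noting they are ignored would stop someone from expecting the `Premium_LRS` default to be validated against the existing account.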
@@ -0,0 +1,42 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "storageAccountName": { + "type": "string", + "metadata": { + "Description": "The name of the new storage account created to store the VMs disks" + } + }, + "storageAccountType": { + "type": "string", + "metadata": { + "Description": "The type of the Storage Account created" + }, + "defaultValue": "Premium_LRS" + }, + "apiVersion": { + "type": "string" + }, + "tagsByResource": { + "type": "object", + "defaultValue": {} + } + }, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "name": "[parameters('storageAccountName')]", + "apiVersion": "[parameters('apiVersion')]", + "location": "[parameters('location')]", + "sku": { + "name": "[parameters('storageAccountType')]" + }, + "kind": "Storage", + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Storage/storageAccounts'), parameters('tagsByResource')['Microsoft.Storage/storageAccounts'], json('{}')) ]" + } + ] +} diff --git a/azure/templates/nestedtemplates/vnet-1-subnet-existing.json b/azure/templates/nestedtemplates/vnet-1-subnet-existing.json new file mode 100644 index 00000000..81fc0d5a --- /dev/null +++ b/azure/templates/nestedtemplates/vnet-1-subnet-existing.json 
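Review bot: The `Microsoft.Storage/storageAccounts` resource declares no `properties`, so the account that holds the VM disks falls back to service defaults, which for `kind: Storage` (GPv1) on older API versions means HTTP access and TLS 1.0/1.1 are accepted; add `"properties": { "supportsHttpsTrafficOnly": true, "minimumTlsVersion": "TLS1_2", "allowBlobPublicAccess": false }`. Those properties need a sufficiently recent `Microsoft.Storage` API version (`minimumTlsVersion` and `allowBlobPublicAccess` arrived around 2019-04-01 / 2019-06-01, as far as I recall), and `apiVersion` is a free-form string parameter here, so either pin a floor in the parent or give the parameter a `metadata.description` stating the minimum. `kind: StorageV2` is also the current recommendation over `Storage`, but changing it may affect in-place redeployments, so treat that as a follow-up.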
@@ -0,0 +1,87 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "vnet" + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "" + }, + "vmName": { + "type": "string", + "defaultValue": "[concat(resourceGroup().name, '-vnet')]" + }, + "deployNsg": { + "type": "bool", + "defaultValue": false + }, + "NewNsgName": { + "type": "string", + "defaultValue": "[concat(parameters('vmName'), '-nsg')]" + }, + "tagsByResource": { + "type": "object", + "defaultValue": {} + } + }, + "variables": { + "vnetId": "[resourceId(parameters('virtualNetworkExistingRGName'),'Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]", + "nsgProperties": { + "id": "[resourceId(parameters('virtualNetworkExistingRGName'),'Microsoft.Network/networkSecurityGroups', parameters('NewNsgName'))]" + } + }, + "resources": [ + { + "type": "Microsoft.Network/networkSecurityGroups", + "condition": "[parameters('deployNsg')]", + "apiVersion": "2020-06-01", + "location": "[parameters('location')]", + "name": "[parameters('NewNsgName')]", + "properties": { + "securityRules": [ + { + "name": "AllowAllInBound", + "properties": { + "description": "Allow all inbound connections", + "protocol": "*", + "sourcePortRange": "*", + "destinationPortRange": "*", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "100", + "direction": "Inbound" + } + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/networkSecurityGroups'), parameters('tagsByResource')['Microsoft.Network/networkSecurityGroups'], json('{}')) ]" + } + ], + "outputs": { + 
"vnetId": { + "value": "[variables('vnetId')]", + "type": "string" + }, + "vnetAddressPrefix": { + "value": "[reference(variables('vnetId'),'2018-11-01').addressSpace.addressPrefixes[0]]", + "type": "string" + }, + "nsgProperties": { + "value": "[variables('nsgProperties')]", + "type": "object" + } + } +} diff --git a/azure/templates/nestedtemplates/vnet-1-subnet-new.json b/azure/templates/nestedtemplates/vnet-1-subnet-new.json new file mode 100644 index 00000000..974068a9 --- /dev/null +++ b/azure/templates/nestedtemplates/vnet-1-subnet-new.json 
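Review bot: `nsgProperties.id` resolves the NSG in `virtualNetworkExistingRGName`, but the conditional `networkSecurityGroups` resource above has no resource-group scope and is therefore created in the deployment's own resource group; whenever the existing VNet lives in another group the output points at an NSG that does not exist and any NIC the parent attaches it to will fail. Use `"id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('NewNsgName'))]"`, matching the new-VNet variant of this template. The single `AllowAllInBound` rule (`*` source, all ports, all protocols, priority 100) is presumably intentional because the VM behind it is a firewall appliance that enforces its own policy, but nothing in the template says so; state that in the rule `description` and consider a `sourceAddressPrefix` parameter so an operator can narrow it. Note also that `nsgProperties` is emitted even when `deployNsg` is false, so the parent must gate on that flag before using it.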
@@ -0,0 +1,167 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "vnet" + }, + "virtualNetworkAddressPrefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the virtual network" + } + }, + "Subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the 1st subnet" + }, + "defaultValue": "Frontend" + }, + "Subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 1st subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "vmName": { + "type": "string", + "defaultValue": "[concat(resourceGroup().name, '-vnet')]" + }, + "deployNsg": { + "type": "bool", + "defaultValue": false + }, + "NewNsgName": { + "type": "string", + "defaultValue": "[concat(parameters('vmName'), '-nsg')]" + }, + "deployRouteTable": { + "type": "bool", + "defaultValue": false + }, + "deployGWLB": { + "type": "bool", + "defaultValue": false + }, + "tagsByResource": { + "type": "object", + "defaultValue": {} + } + }, + "variables": { + "localSubnetRoute": [ + { + "name": "Local-Subnet", + "properties": { + "addressPrefix": "[parameters('subnet1Prefix')]", + "nextHopType": "VnetLocal" + } + }, + { + "name": "To-VNet", + "properties": { + "addressPrefix": "[parameters('virtualNetworkAddressPrefix')]", + "nextHopType": "None" + } + } + ], + "routesArray": "[variables('localSubnetRoute')]", + "nsgProperties": { + "id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('NewNsgName'))]" + }, + "routeTableID": "[resourceId('Microsoft.Network/routeTables', parameters('subnet1Name'))]", + "routeTableProperties": { + "id": "[variables('routeTableID')]" + }, + "deployGWLB": "[parameters('deployGWLB')]", + "vnetProperties": { + 
"addressSpace": { + "addressPrefixes": [ + "[parameters('virtualNetworkAddressPrefix')]" + ] + }, + "subnets": [ + { + "name": "[parameters('subnet1Name')]", + "properties": { + "addressPrefix": "[parameters('subnet1Prefix')]", + "routeTable": "[if(and(parameters('deployRouteTable'), variables('deployGWLB')), variables('routeTableProperties'), json('null'))]" + } + } + ] + } + }, + "resources": [ + { + "type": "Microsoft.Network/routeTables", + "condition": "[and(parameters('deployRouteTable'), variables('deployGWLB'))]", + "apiVersion": "2020-06-01", + "location": "[parameters('location')]", + "name": "[parameters('subnet1Name')]", + "properties": { + "routes": "[variables('routesArray')]" + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/routeTables'), parameters('tagsByResource')['Microsoft.Network/routeTables'], json('{}')) ]" + }, + { + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "2020-06-01", + "location": "[parameters('location')]", + "name": "[parameters('virtualNetworkName')]", + "dependsOn": [ + "[variables('routeTableID')]" + ], + "properties": "[variables('vnetProperties')]", + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/virtualNetworks'), parameters('tagsByResource')['Microsoft.Network/virtualNetworks'], json('{}')) ]" + }, + { + "type": "Microsoft.Network/networkSecurityGroups", + "condition": "[parameters('deployNsg')]", + "apiVersion": "2020-06-01", + "location": "[parameters('location')]", + "name": "[parameters('NewNsgName')]", + "properties": { + "securityRules": [ + { + "name": "AllowAllInBound", + "properties": { + "description": "Allow all inbound connections", + "protocol": "*", + "sourcePortRange": "*", + "destinationPortRange": "*", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "100", + "direction": "Inbound" + } + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 
'Microsoft.Network/networkSecurityGroups'), parameters('tagsByResource')['Microsoft.Network/networkSecurityGroups'], json('{}')) ]" + } + ], + "outputs": { + "vnetId": { + "value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]", + "type": "string" + }, + "vnetAddressPrefix": { + "value": "[parameters('virtualNetworkAddressPrefix')]", + "type": "string" + }, + "nsgProperties": { + "value": "[variables('nsgProperties')]", + "type": "object" + } + } +} diff --git a/azure/templates/nestedtemplates/vnet-2-subnet-ha-existing.json b/azure/templates/nestedtemplates/vnet-2-subnet-ha-existing.json new file mode 100644 index 00000000..7e466c8b --- /dev/null +++ b/azure/templates/nestedtemplates/vnet-2-subnet-ha-existing.json 
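Review bot: The `deployRouteTable`/`deployGWLB` pair gates a route table whose `To-VNet` entry sends the whole `virtualNetworkAddressPrefix` to `nextHopType: None`, i.e. traffic from the subnet to every other address in the VNet is black-holed except for the `Local-Subnet` `VnetLocal` route; that looks like a deliberate forcing of traffic through the gateway load balancer, but neither parameter has a `metadata.description` and the route names are the only hint. Add descriptions such as `Attach a route table that drops intra-VNet traffic not steered through the Gateway Load Balancer` on `deployRouteTable` and `Set when the subnet sits behind a Gateway Load Balancer` on `deployGWLB`. The `AllowAllInBound` NSG rule is unrestricted (`*` source, all ports, all protocols); if it exists only because the appliance filters traffic itself, say so in the rule `description`, otherwise restrict `sourceAddressPrefix`. `nsgProperties` is output regardless of `deployNsg`, so the parent must check that flag before attaching it.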
@@ -0,0 +1,87 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "vnet" + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "" + }, + "vmName": { + "type": "string" + }, + "deployNsg": { + "type": "bool", + "defaultValue": false + }, + "NewNsgName": { + "type": "string", + "defaultValue": "[concat(parameters('vmName'),'-nsg')]" + }, + "tagsByResource": { + "type": "object", + "defaultValue": {} + } + }, + "variables": { + "vnetId": "[resourceId(parameters('virtualNetworkExistingRGName'),'Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]", + "nsgName": "[concat(parameters('vmName'), '-nsg')]", + "nsgProperties": { + "id": "[resourceId(parameters('virtualNetworkExistingRGName'),'Microsoft.Network/networkSecurityGroups', variables('nsgName'))]" + } + }, + "resources": [ + { + "type": "Microsoft.Network/networkSecurityGroups", + "condition": "[parameters('deployNsg')]", + "apiVersion": "2020-06-01", + "location": "[parameters('location')]", + "name": "[parameters('NewNsgName')]", + "properties": { + "securityRules": [ + { + "name": "AllowAllInBound", + "properties": { + "description": "Allow all inbound connections", + "protocol": "*", + "sourcePortRange": "*", + "destinationPortRange": "*", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "100", + "direction": "Inbound" + } + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/networkSecurityGroups'), parameters('tagsByResource')['Microsoft.Network/networkSecurityGroups'], json('{}')) ]" + } + ], + "outputs": { + "vnetId": { + 
"value": "[variables('vnetId')]", + "type": "string" + }, + "vnetAddressPrefixes": { + "value": "[reference(variables('vnetId'),'2018-11-01').addressSpace.addressPrefixes]", + "type": "array" + }, + "nsgProperties": { + "value": "[variables('nsgProperties')]", + "type": "object" + } + } +} diff --git a/azure/templates/nestedtemplates/vnet-2-subnet-ha-new.json b/azure/templates/nestedtemplates/vnet-2-subnet-ha-new.json new file mode 100644 index 00000000..ba4eb32c --- /dev/null +++ b/azure/templates/nestedtemplates/vnet-2-subnet-ha-new.json 
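Review bot: The NSG resource is named `parameters('NewNsgName')` but `nsgProperties.id` is built from `variables('nsgName')` = `concat(vmName, '-nsg')`, so a caller that overrides `NewNsgName` gets an output id for an NSG that was never created; build the id from the parameter, `"id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('NewNsgName'))]"`, and drop the `nsgName` variable. The same expression also scopes the id to `virtualNetworkExistingRGName`, whereas the resource itself is deployed in the current resource group, so the two diverge whenever the existing VNet is in another group. As in the sibling templates, the `AllowAllInBound` rule opens every port from every source; if that is intentional for a firewall appliance, document it in the rule `description` rather than leaving `Allow all inbound connections` as the only explanation.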
@@ -0,0 +1,200 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "tagsByResource": { + "type": "object", + "defaultValue": {} + }, + "location": { + "type": "string" + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "vnet" + }, + "virtualNetworkAddressPrefixes": { + "type": "array", + "metadata": { + "description": "The address prefixes of the virtual network" + } + }, + "Subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the 1st subnet" + }, + "defaultValue": "Frontend" + }, + "Subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 1st subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "Subnet2Name": { + "type": "string", + "metadata": { + "description": "The name of the 2nd subnet" + }, + "defaultValue": "Backend" + }, + "Subnet2Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 2nd subnet" + }, + "defaultValue": "10.0.2.0/24" + }, + "vmName": { + "type": "string" + }, + "deployNsg": { + "type": "bool", + "defaultValue": false + }, + "NewNsgName": { + "type": "string", + "defaultValue": "[concat(parameters('vmName'),'-nsg')]" + } + }, + "variables": { + "copy": [ + { + "name": "toInternalRoutes", + "count": "[length(parameters('virtualNetworkAddressPrefixes'))]", + "input": { + "name": "[concat('To-Internal-',copyIndex('toInternalRoutes'))]", + "properties": { + "addressPrefix": "[parameters('virtualNetworkAddressPrefixes')[copyIndex('toInternalRoutes')]]", + "nextHopType": "None" + } + } + } + ], + "localSubnetRoute": [ + { + "name": "Local-Subnet", + "properties": { + "addressPrefix": "[parameters('subnet1Prefix')]", + "nextHopType": "VnetLocal" + } + } + ], + "routesArray":"[concat(variables('localSubnetRoute'), variables('toInternalRoutes'))]", + 
"nsgName": "[concat(parameters('vmName'), '-nsg')]", + "nsgProperties": { + "id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName'))]" + } + }, + "resources": [ + { + "type": "Microsoft.Network/routeTables", + "apiVersion": "2020-06-01", + "location": "[parameters('location')]", + "name": "[parameters('subnet1Name')]", + "properties": { + "routes": "[variables('routesArray')]" + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/routeTables'), parameters('tagsByResource')['Microsoft.Network/routeTables'], json('{}')) ]" + }, + { + "type": "Microsoft.Network/routeTables", + "apiVersion": "2020-06-01", + "location": "[parameters('location')]", + "name": "[parameters('subnet2Name')]", + "properties": { + "routes": [ + { + "name": "To-Internet", + "properties": { + "addressPrefix": "0.0.0.0/0", + "nextHopType": "None" + } + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/routeTables'), parameters('tagsByResource')['Microsoft.Network/routeTables'], json('{}')) ]" + }, + { + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "2020-06-01", + "location": "[parameters('location')]", + "name": "[parameters('virtualNetworkName')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/routeTables', parameters('subnet1Name'))]", + "[resourceId('Microsoft.Network/routeTables', parameters('subnet2Name'))]" + ], + "properties": { + "addressSpace": { + "addressPrefixes": "[parameters('virtualNetworkAddressPrefixes')]" + }, + "subnets": [ + { + "name": "[parameters('subnet1Name')]", + "properties": { + "addressPrefix": "[parameters('subnet1Prefix')]", + "routeTable": { + "id": "[resourceId('Microsoft.Network/routeTables', parameters('subnet1Name'))]" + } + } + }, + { + "name": "[parameters('subnet2Name')]", + "properties": { + "addressPrefix": "[parameters('subnet2Prefix')]", + "routeTable": { + "id": "[resourceId('Microsoft.Network/routeTables', parameters('subnet2Name'))]" + } + } + } 
+ ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/virtualNetworks'), parameters('tagsByResource')['Microsoft.Network/virtualNetworks'], json('{}')) ]" + }, + { + "type": "Microsoft.Network/networkSecurityGroups", + "condition": "[parameters('deployNsg')]", + "apiVersion": "2020-06-01", + "location": "[parameters('location')]", + "name": "[parameters('NewNsgName')]", + "properties": { + "securityRules": [ + { + "name": "AllowAllInBound", + "properties": { + "description": "Allow all inbound connections", + "protocol": "*", + "sourcePortRange": "*", + "destinationPortRange": "*", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "100", + "direction": "Inbound" + } + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/networkSecurityGroups'), parameters('tagsByResource')['Microsoft.Network/networkSecurityGroups'], json('{}')) ]" + } + ], + "outputs": { + "vnetId": { + "value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]", + "type": "string" + }, + "vnetAddressPrefixes": { + "value": "[parameters('virtualNetworkAddressPrefixes')]", + "type": "array" + }, + "nsgProperties": { + "value": "[variables('nsgProperties')]", + "type": "object" + } + } +} diff --git a/azure/templates/nestedtemplates/vnet-2-subnet-ha2-existing.json b/azure/templates/nestedtemplates/vnet-2-subnet-ha2-existing.json new file mode 100644 index 00000000..17781d8c --- /dev/null +++ b/azure/templates/nestedtemplates/vnet-2-subnet-ha2-existing.json 
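Review bot: `nsgProperties.id` uses `variables('nsgName')` (`concat(vmName, '-nsg')`) while the NSG resource is named `parameters('NewNsgName')`; the two agree only when the caller keeps the default, so any override silently yields an output that references a non-existent NSG. Build the output from the parameter, `"id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('NewNsgName'))]"`, and remove the variable. The route tables black-hole traffic on purpose, it seems — `To-Internal-*` sends every VNet prefix except the local subnet to `None` on the frontend subnet, and `To-Internet` sends `0.0.0.0/0` to `None` on the backend subnet — but the template gives no `metadata` explaining that instances are expected to reach those destinations only through the cluster; a description on `Subnet1Name`/`Subnet2Name` would help the next operator who wonders why the backend has no default route. The `AllowAllInBound` NSG rule is as unrestricted as in the other vnet templates and deserves the same justification in its `description`.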
@@ -0,0 +1,76 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "vnet" + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "" + }, + "tagsByResource": { + "type": "object", + "defaultValue": {} + }, + "deployNsg": { + "type": "bool", + "defaultValue": false + }, + "NewNsgName": { + "type": "string", + "defaultValue": "default-nsg" + } + }, + "variables": { + "vnetId": "[resourceId(parameters('virtualNetworkExistingRGName'),'Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" + }, + "resources": [ + { + "type": "Microsoft.Network/networkSecurityGroups", + "condition": "[parameters('deployNSG')]", + "apiVersion": "2020-06-01", + "location": "[parameters('location')]", + "name": "[parameters('NewNsgName')]", + "properties": { + "securityRules": [ + { + "name": "AllowAllInBound", + "properties": { + "description": "Allow all inbound connections", + "protocol": "*", + "sourcePortRange": "*", + "destinationPortRange": "*", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "100", + "direction": "Inbound" + } + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/networkSecurityGroups'), parameters('tagsByResource')['Microsoft.Network/networkSecurityGroups'], json('{}')) ]" + } + ], + "outputs": { + "vnetId": { + "value": "[variables('vnetId')]", + "type": "string" + }, + "vnetAddressPrefixes": { + "value": "[reference(variables('vnetId'),'2018-11-01').addressSpace.addressPrefixes]", + "type": "array" + } + } +} 
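Review bot: `NewNsgName` defaults to the fixed string `default-nsg`, so two deployments of this template into the same resource group that keep the default redeploy the same NSG and the second one rewrites the first one's rule set; the sibling templates derive the default from `vmName`, and since this one has no `vmName` it should either make the parameter required or default to something deployment-specific such as `"[concat(parameters('virtualNetworkName'), '-nsg')]"`. Unlike the siblings, no `nsgProperties` output is produced here, so presumably the parent recomputes the id from `NewNsgName`; if so that is fine, but it makes the conditional resource easy to attach even when `deployNsg` was false. The `AllowAllInBound` rule (`*` source, all ports and protocols, priority 100) has no stated rationale beyond `Allow all inbound connections`; if the appliance behind it is expected to filter, say so in the description, otherwise expose `sourceAddressPrefix` as a parameter.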
diff --git a/azure/templates/nestedtemplates/vnet-2-subnet-ha2-new.json b/azure/templates/nestedtemplates/vnet-2-subnet-ha2-new.json new file mode 100644 index 00000000..be5ae374 --- /dev/null +++ b/azure/templates/nestedtemplates/vnet-2-subnet-ha2-new.json 
@@ -0,0 +1,192 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "vnet" + }, + "virtualNetworkAddressPrefixes": { + "type": "array", + "metadata": { + "description": "The address prefixes of the virtual network" + } + }, + "Subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the 1st subnet" + }, + "defaultValue": "Frontend" + }, + "Subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 1st subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "Subnet2Name": { + "type": "string", + "metadata": { + "description": "The name of the 2nd subnet" + }, + "defaultValue": "Backend" + }, + "Subnet2Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 2nd subnet" + }, + "defaultValue": "10.0.2.0/24" + }, + "deployNsg": { + "type": "bool", + "defaultValue": false + }, + "NewNsgName": { + "type": "string", + "defaultValue": "default-nsg", + "metadata": { + "description": "Name of the network security group" + } + }, + "tagsByResource": { + "type": "object", + "defaultValue": {} + } + }, + "variables": { + "copy": [ + { + "name": "toInternalRoutes", + "count": "[length(parameters('virtualNetworkAddressPrefixes'))]", + "input": { + "name": "[concat('To-Internal-',copyIndex('toInternalRoutes'))]", + "properties": { + "addressPrefix": "[parameters('virtualNetworkAddressPrefixes')[copyIndex('toInternalRoutes')]]", + "nextHopType": "None" + } + } + } + ], + "localSubnetRoute": [ + { + "name": "Local-Subnet", + "properties": { + "addressPrefix": "[parameters('Subnet1Prefix')]", + "nextHopType": "VnetLocal" + } + } + ], + "routesArray":"[concat(variables('localSubnetRoute'), variables('toInternalRoutes'))]" + 
}, + "resources": [ + { + "type": "Microsoft.Network/networkSecurityGroups", + "condition": "[parameters('deployNSG')]", + "apiVersion": "2020-06-01", + "location": "[parameters('location')]", + "name": "[parameters('NewNsgName')]", + "properties": { + "securityRules": [ + { + "name": "AllowAllInBound", + "properties": { + "description": "Allow all inbound connections", + "protocol": "*", + "sourcePortRange": "*", + "destinationPortRange": "*", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "100", + "direction": "Inbound" + } + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/networkSecurityGroups'), parameters('tagsByResource')['Microsoft.Network/networkSecurityGroups'], json('{}')) ]" + }, + { + "type": "Microsoft.Network/routeTables", + "apiVersion": "2020-06-01", + "location": "[parameters('location')]", + "name": "[parameters('Subnet1Name')]", + "properties": { + "routes": "[variables('routesArray')]" + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/routeTables'), parameters('tagsByResource')['Microsoft.Network/routeTables'], json('{}')) ]" + }, + { + "type": "Microsoft.Network/routeTables", + "apiVersion": "2020-06-01", + "location": "[parameters('location')]", + "name": "[parameters('Subnet2Name')]", + "properties": { + "routes": [ + { + "name": "To-Internet", + "properties": { + "addressPrefix": "0.0.0.0/0", + "nextHopType": "None" + } + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/routeTables'), parameters('tagsByResource')['Microsoft.Network/routeTables'], json('{}')) ]" + }, + { + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "2020-06-01", + "location": "[parameters('location')]", + "name": "[parameters('virtualNetworkName')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/routeTables', parameters('Subnet1Name'))]", + "[resourceId('Microsoft.Network/routeTables', 
parameters('Subnet2Name'))]" + ], + "properties": { + "addressSpace": { + "addressPrefixes": "[parameters('virtualNetworkAddressPrefixes')]" + }, + "subnets": [ + { + "name": "[parameters('Subnet1Name')]", + "properties": { + "addressPrefix": "[parameters('Subnet1Prefix')]", + "routeTable": { + "id": "[resourceId('Microsoft.Network/routeTables', parameters('Subnet1Name'))]" + } + } + }, + { + "name": "[parameters('Subnet2Name')]", + "properties": { + "addressPrefix": "[parameters('Subnet2Prefix')]", + "routeTable": { + "id": "[resourceId('Microsoft.Network/routeTables', parameters('Subnet2Name'))]" + } + } + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/virtualNetworks'), parameters('tagsByResource')['Microsoft.Network/virtualNetworks'], json('{}')) ]" + } + ], + "outputs": { + "vnetId": { + "value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]", + "type": "string" + }, + "vnetAddressPrefixes": { + "value": "[parameters('virtualNetworkAddressPrefixes')]", + "type": "array" + } + } +} diff --git a/azure/templates/nestedtemplates/vnet-4-subnet-existing.json b/azure/templates/nestedtemplates/vnet-4-subnet-existing.json new file mode 100644 index 00000000..78169894 --- /dev/null +++ b/azure/templates/nestedtemplates/vnet-4-subnet-existing.json 
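Review bot: `NewNsgName` defaults to the fixed `default-nsg`, so a second deployment into the same resource group that keeps the default re-deploys and overwrites the NSG the first one created; derive the default from the deployment instead, e.g. `"defaultValue": "[concat(parameters('virtualNetworkName'), '-nsg')]"`, since this template has no `vmName` to key on. The frontend route table sends every VNet prefix except `Subnet1Prefix` to `nextHopType: None` and the backend table sends `0.0.0.0/0` to `None`; that black-holing is evidently meant to force traffic through the cluster, but the template does not say so anywhere a deployer would see it, so add a `metadata.description` on `Subnet1Name`/`Subnet2Name` explaining the routing intent. The `AllowAllInBound` rule again permits all sources, ports and protocols; document why in its `description` or let the caller narrow `sourceAddressPrefix`.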
@@ -0,0 +1,137 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "vnet" + }, + "virtualNetworkAddressPrefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the virtual network" + } + }, + "Subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the 1st subnet" + }, + "defaultValue": "Frontend" + }, + "Subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 1st subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "Subnet1StartAddress": { + "type": "string", + "metadata": { + "description": "The first avaialable address on the 1st subnet" + } + }, + "Subnet2Name": { + "type": "string", + "metadata": { + "description": "The name of the 2nd subnet" + }, + "defaultValue": "Backend" + }, + "Subnet2Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 2nd subnet" + }, + "defaultValue": "10.0.2.0/24" + }, + "Subnet2StartAddress": { + "type": "string", + "metadata": { + "description": "The first avaialable address on the 2nd subnet" + } + }, + "Subnet3Name": { + "type": "string", + "metadata": { + "description": "The name of the 3rd subnet" + }, + "defaultValue": "Internal2" + }, + "Subnet3Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 3rd subnet" + }, + "defaultValue": "10.0.3.0/24" + }, + "Subnet3StartAddress": { + "type": "string", + "metadata": { + "description": "The first avaialable address on the 3rd subnet" + } + }, + "Subnet4Name": { + "type": "string", + "metadata": { + "description": "The name of the 3rd subnet" + }, + "defaultValue": "Internal3" + }, + "Subnet4Prefix": { + "type": "string", + "metadata": { + 
"description": "The address prefix of the 4th subnet" + }, + "defaultValue": "10.0.4.0/24" + }, + "Subnet4StartAddress": { + "type": "string", + "metadata": { + "description": "The first avaialable address on the 4th subnet" + } + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "new", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "" + }, + "apiVersion": { + "type": "string" + }, + "tagsByResource": { + "type": "object", + "defaultValue": {} + } + }, + "variables": { + "vnetId": "[resourceId(parameters('virtualNetworkExistingRGName'),'Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" + }, + "resources": [], + "outputs": { + "vnetId": { + "value": "[variables('vnetId')]", + "type": "string" + } + } +} diff --git a/azure/templates/nestedtemplates/vnet-4-subnet-new.json b/azure/templates/nestedtemplates/vnet-4-subnet-new.json new file mode 100644 index 00000000..14f8bad5 --- /dev/null +++ b/azure/templates/nestedtemplates/vnet-4-subnet-new.json 
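Review bot: The metadata for `Subnet4Name` describes it as "The name of the 3rd subnet", a copy of the `Subnet3Name` entry; it should read `"description": "The name of the 4th subnet"`. The same slip is in vnet-4-subnet-new.json. Several descriptions in this and the sibling templates also misspell "available" as "avaialable", and the `vnetNewOrExisting` metadata uses the key `Description` where every other parameter uses `description`; tooling that reads `metadata.description` will presumably not pick it up, so `"description": "Indicates whether the virtual network is new or existing"` would be consistent across vnet-4-subnet-new.json, vnet-existing-no-rt.json, vnet-existing-stack-ha.json, vnet-existing-stack-mgmt.json, vnet-existing-stack.json, vnet-new-no-rt.json, vnet-new-stack-ha.json, vnet-new-stack-mgmt.json and vnet-new-stack.json as well.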
@@ -0,0 +1,322 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "vnet" + }, + "virtualNetworkAddressPrefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the virtual network" + } + }, + "Subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the 1st subnet" + }, + "defaultValue": "Frontend" + }, + "Subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 1st subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "Subnet1StartAddress": { + "type": "string", + "metadata": { + "description": "The first avaialable address on the 1st subnet" + } + }, + "Subnet2Name": { + "type": "string", + "metadata": { + "description": "The name of the 2nd subnet" + }, + "defaultValue": "Backend" + }, + "Subnet2Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 2nd subnet" + }, + "defaultValue": "10.0.2.0/24" + }, + "Subnet2StartAddress": { + "type": "string", + "metadata": { + "description": "The first avaialable address on the 2nd subnet" + } + }, + "Subnet3Name": { + "type": "string", + "metadata": { + "description": "The name of the 3rd subnet" + }, + "defaultValue": "Internal2" + }, + "Subnet3Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 3rd subnet" + }, + "defaultValue": "10.0.3.0/24" + }, + "Subnet3StartAddress": { + "type": "string", + "metadata": { + "description": "The first avaialable address on the 3rd subnet" + } + }, + "Subnet4Name": { + "type": "string", + "metadata": { + "description": "The name of the 3rd subnet" + }, + "defaultValue": "Internal3" + }, + "Subnet4Prefix": { + "type": "string", + "metadata": { + 
"description": "The address prefix of the 4th subnet" + }, + "defaultValue": "10.0.4.0/24" + }, + "Subnet4StartAddress": { + "type": "string", + "metadata": { + "description": "The first avaialable address on the 4th subnet" + } + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "new", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "" + }, + "apiVersion": { + "type": "string" + }, + "tagsByResource": { + "type": "object", + "defaultValue": {} + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/routeTables", + "apiVersion": "[parameters('apiVersion')]", + "location": "[parameters('location')]", + "name": "[parameters('subnet1Name')]", + "properties": { + "routes": [ + { + "name": "Local-Subnet", + "properties": { + "addressPrefix": "[parameters('subnet1Prefix')]", + "nextHopType": "VnetLocal" + } + }, + { + "name": "To-Internal", + "properties": { + "addressPrefix": "[parameters('virtualNetworkAddressPrefix')]", + "nextHopType": "VirtualAppliance", + "nextHopIpAddress": "[parameters('subnet1StartAddress')]" + } + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/routeTables'), parameters('tagsByResource')['Microsoft.Network/routeTables'], json('{}')) ]" + }, + { + "type": "Microsoft.Network/routeTables", + "apiVersion": "[parameters('apiVersion')]", + "location": "[parameters('location')]", + "name": "[parameters('subnet2Name')]", + "properties": { + "routes": [ + { + "name": "Local-Subnet", + "properties": { + "addressPrefix": "[parameters('subnet2Prefix')]", + "nextHopType": "VnetLocal" + } + }, + { + "name": "Inside-Vnet", + "properties": { + "addressPrefix": "[parameters('virtualNetworkAddressPrefix')]", + "nextHopType": 
"VirtualAppliance", + "nextHopIpAddress": "[parameters('subnet2StartAddress')]" + } + }, + { + "name": "To-Internet", + "properties": { + "addressPrefix": "0.0.0.0/0", + "nextHopType": "VirtualAppliance", + "nextHopIpAddress": "[parameters('subnet2StartAddress')]" + } + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/routeTables'), parameters('tagsByResource')['Microsoft.Network/routeTables'], json('{}')) ]" + }, + { + "type": "Microsoft.Network/routeTables", + "apiVersion": "[parameters('apiVersion')]", + "location": "[parameters('location')]", + "name": "[parameters('subnet3Name')]", + "properties": { + "routes": [ + { + "name": "Local-Subnet", + "properties": { + "addressPrefix": "[parameters('subnet3Prefix')]", + "nextHopType": "VnetLocal" + } + }, + { + "name": "Inside-Vnet", + "properties": { + "addressPrefix": "[parameters('virtualNetworkAddressPrefix')]", + "nextHopType": "VirtualAppliance", + "nextHopIpAddress": "[parameters('subnet3StartAddress')]" + } + }, + { + "name": "To-Internet", + "properties": { + "addressPrefix": "0.0.0.0/0", + "nextHopType": "VirtualAppliance", + "nextHopIpAddress": "[parameters('subnet3StartAddress')]" + } + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/routeTables'), parameters('tagsByResource')['Microsoft.Network/routeTables'], json('{}')) ]" + }, + { + "type": "Microsoft.Network/routeTables", + "apiVersion": "[parameters('apiVersion')]", + "location": "[parameters('location')]", + "name": "[parameters('subnet4Name')]", + "properties": { + "routes": [ + { + "name": "Local-Subnet", + "properties": { + "addressPrefix": "[parameters('subnet4Prefix')]", + "nextHopType": "VnetLocal" + } + }, + { + "name": "Inside-Vnet", + "properties": { + "addressPrefix": "[parameters('virtualNetworkAddressPrefix')]", + "nextHopType": "VirtualAppliance", + "nextHopIpAddress": "[parameters('subnet4StartAddress')]" + } + }, + { + "name": "To-Internet", + "properties": { + 
"addressPrefix": "0.0.0.0/0", + "nextHopType": "VirtualAppliance", + "nextHopIpAddress": "[parameters('subnet4StartAddress')]" + } + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/routeTables'), parameters('tagsByResource')['Microsoft.Network/routeTables'], json('{}')) ]" + }, + { + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "[parameters('apiVersion')]", + "location": "[parameters('location')]", + "name": "[parameters('virtualNetworkName')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/routeTables', parameters('subnet1Name'))]", + "[resourceId('Microsoft.Network/routeTables', parameters('subnet2Name'))]", + "[resourceId('Microsoft.Network/routeTables', parameters('subnet3Name'))]", + "[resourceId('Microsoft.Network/routeTables', parameters('subnet4Name'))]" + ], + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[parameters('virtualNetworkAddressPrefix')]" + ] + }, + "subnets": [ + { + "name": "[parameters('subnet1Name')]", + "properties": { + "addressPrefix": "[parameters('subnet1Prefix')]", + "routeTable": { + "id": "[resourceId('Microsoft.Network/routeTables', parameters('subnet1Name'))]" + } + } + }, + { + "name": "[parameters('subnet2Name')]", + "properties": { + "addressPrefix": "[parameters('subnet2Prefix')]", + "routeTable": { + "id": "[resourceId('Microsoft.Network/routeTables', parameters('subnet2Name'))]" + } + } + }, + { + "name": "[parameters('subnet3Name')]", + "properties": { + "addressPrefix": "[parameters('subnet3Prefix')]", + "routeTable": { + "id": "[resourceId('Microsoft.Network/routeTables', parameters('subnet3Name'))]" + } + } + }, + { + "name": "[parameters('subnet4Name')]", + "properties": { + "addressPrefix": "[parameters('subnet4Prefix')]", + "routeTable": { + "id": "[resourceId('Microsoft.Network/routeTables', parameters('subnet4Name'))]" + } + } + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/virtualNetworks'), 
parameters('tagsByResource')['Microsoft.Network/virtualNetworks'], json('{}')) ]" + } + ], + "outputs": { + "vnetId": { + "value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]", + "type": "string" + } + } +} diff --git a/azure/templates/nestedtemplates/vnet-existing-no-rt.json b/azure/templates/nestedtemplates/vnet-existing-no-rt.json new file mode 100644 index 00000000..a71283fc --- /dev/null +++ b/azure/templates/nestedtemplates/vnet-existing-no-rt.json 
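Review bot: The `SubnetNStartAddress` parameters are documented as "The first available address on the Nth subnet", but the route tables use them as `nextHopIpAddress` for the `Inside-Vnet` and `To-Internet` routes, so they must be the address of the virtual appliance's interface in that subnet; if the appliance is not at that address the subnet's forwarded traffic will presumably go nowhere. A description such as `"description": "IP address of the virtual appliance interface in the 1st subnet; used as the next hop for the subnet's routes"` would make that contract visible to callers, and the same wording applies to vnet-existing-stack-ha.json, vnet-new-stack-ha.json and vnet-new-stack.json. Only the route tables for subnets 2-4 carry a `0.0.0.0/0` route; the first subnet's table has no default route, so its Internet egress follows Azure's system route — presumably intentional for the external-facing subnet, but worth stating in the `Subnet1Name` metadata. As a point of style, the parameters are declared as `Subnet1Name` but referenced as `parameters('subnet1Name')`; ARM resolves parameter names case-insensitively, but one spelling would make searches reliable.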
@@ -0,0 +1,81 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "virtualNetworkName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the virtual network"
+ },
+ "defaultValue": "vnet"
+ },
+ "virtualNetworkAddressPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the virtual network"
+ }
+ },
+ "Subnet1Name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the 1st subnet"
+ },
+ "defaultValue": "Frontend"
+ },
+ "Subnet1Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the 1st subnet"
+ },
+ "defaultValue": "10.0.1.0/24"
+ },
+ "Subnet2Name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the 2nd subnet"
+ },
+ "defaultValue": "Web"
+ },
+ "Subnet2Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the 2nd subnet"
+ },
+ "defaultValue": "10.0.2.0/24"
+ },
+ "vnetNewOrExisting": {
+ "type": "string",
+ "defaultValue": "new",
+ "allowedValues": [
+ "new",
+ "existing"
+ ],
+ "metadata": {
+ "Description": "Indicates whether the virtual network is new or existing"
+ }
+ },
+ "virtualNetworkExistingRGName": {
+ "type": "string",
+ "metadata": {
+ "description": "Resource Group of the existing virtual network"
+ },
+ "defaultValue": ""
+ },
+ "apiVersion": {
+ "type": "string"
+ }
+ },
+ "variables": {
+ "vnetId": "[resourceId(parameters('virtualNetworkExistingRGName'),'Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]"
+ },
+ "resources": [],
+ "outputs": {
+ "vnetId": {
+ "value": "[variables('vnetId')]",
+ "type": "string"
+ }
+ }
+}
diff --git a/azure/templates/nestedtemplates/vnet-existing-stack-ha.json b/azure/templates/nestedtemplates/vnet-existing-stack-ha.json
new file mode 100644
index 00000000..6d7eaf7f
--- /dev/null
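Review bot: `Subnet2Name` defaults to "Web" here while every sibling template in this commit defaults it to "Backend"; if the no-rt variant is meant to be interchangeable with them, `"defaultValue": "Backend"` avoids a surprise for a caller that relies on the default. The `location`, `Subnet*`, `virtualNetworkAddressPrefix`, `vnetNewOrExisting` and `apiVersion` parameters are declared but never read (`resources` is empty and only `virtualNetworkName` and `virtualNetworkExistingRGName` feed `vnetId`); if they exist so the caller can pass one parameter set to both the new and existing variants, a metadata note such as `"description": "Unused here; accepted for parity with vnet-new-no-rt.json"` would stop the next reader from trying to wire them up.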
+++ b/azure/templates/nestedtemplates/vnet-existing-stack-ha.json 
@@ -0,0 +1,93 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "vnet" + }, + "virtualNetworkAddressPrefixes": { + "type": "array", + "metadata": { + "description": "The address prefixes of the virtual network" + } + }, + "subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the 1st subnet" + }, + "defaultValue": "Frontend" + }, + "subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 1st subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "subnet1StartAddress": { + "type": "string", + "metadata": { + "description": "The first avaialable address on the 1st subnet" + } + }, + "subnet2Name": { + "type": "string", + "metadata": { + "description": "The name of the 2nd subnet" + }, + "defaultValue": "Backend" + }, + "subnet2Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 2nd subnet" + }, + "defaultValue": "10.0.2.0/24" + }, + "subnet2StartAddress": { + "type": "string", + "metadata": { + "description": "The first avaialable address on the 2nd subnet" + } + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "new", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "" + }, + "apiVersion": { + "type": "string" + } + }, + "variables": { + "vnetId": "[resourceId(parameters('virtualNetworkExistingRGName'),'Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" + }, + "resources": [], + "outputs": { + 
"vnetId": { + "value": "[variables('vnetId')]", + "type": "string" + } + } +} diff --git a/azure/templates/nestedtemplates/vnet-existing-stack-mgmt.json b/azure/templates/nestedtemplates/vnet-existing-stack-mgmt.json new file mode 100644 index 00000000..fd9b75d1 --- /dev/null +++ b/azure/templates/nestedtemplates/vnet-existing-stack-mgmt.json @@ -0,0 +1,67 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "vnet" + }, + "virtualNetworkAddressPrefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the virtual network" + } + }, + "Subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the 1st subnet" + }, + "defaultValue": "Frontend" + }, + "Subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 1st subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "new", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "" + }, + "apiVersion": { + "type": "string" + } + }, + "variables": { + "vnetId": "[resourceId(parameters('virtualNetworkExistingRGName'),'Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" + }, + "resources": [], + "outputs": { + "vnetId": { + "value": "[variables('vnetId')]", + "type": "string" + } + } +} 
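Review bot: This template declares `$schema` 2015-01-01 while vnet-4-subnet-existing.json, vnet-existing-no-rt.json and vnet-existing.json in the same commit use 2019-04-01; the older schema still validates, but mixing schema versions across nested templates that are deployed together makes validation behaviour harder to reason about, and `"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#"` would bring them into line. The same applies to vnet-existing-stack-mgmt.json (the next hunk on this line), vnet-existing-stack.json, vnet-new-stack-ha.json, vnet-new-stack-mgmt.json and vnet-new-stack.json. As in the other existing-vnet variants, `apiVersion` and the subnet parameters are accepted but unused because `resources` is empty.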
diff --git a/azure/templates/nestedtemplates/vnet-existing-stack.json b/azure/templates/nestedtemplates/vnet-existing-stack.json
new file mode 100644
index 00000000..967e485d
--- /dev/null
+++ b/azure/templates/nestedtemplates/vnet-existing-stack.json
@@ -0,0 +1,95 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "vnet" + }, + "virtualNetworkAddressPrefix": { + "type": "string", + "metadata": { + "description": "The address prefixes of the virtual network" + } + }, + "subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the 1st subnet" + }, + "defaultValue": "Frontend" + }, + "subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 1st subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "subnet1StartAddress": { + "type": "string", + "metadata": { + "description": "The first avaialable address on the 1st subnet" + }, + "defaultValue": "10.0.1.10" + }, + "subnet2Name": { + "type": "string", + "metadata": { + "description": "The name of the 2nd subnet" + }, + "defaultValue": "Backend" + }, + "subnet2Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 2nd subnet" + }, + "defaultValue": "10.0.2.0/24" + }, + "subnet2StartAddress": { + "type": "string", + "metadata": { + "description": "The first avaialable address on the 2nd subnet" + }, + "defaultValue": "10.0.1.10" + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "new", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "" + }, + "apiVersion": { + "type": "string" + } + }, + "variables": { + "vnetId": "[resourceId(parameters('virtualNetworkExistingRGName'),'Microsoft.Network/virtualNetworks', 
parameters('virtualNetworkName'))]" + }, + "resources": [], + "outputs": { + "vnetId": { + "value": "[variables('vnetId')]", + "type": "string" + } + } +} \ No newline at end of file diff --git a/azure/templates/nestedtemplates/vnet-existing.json b/azure/templates/nestedtemplates/vnet-existing.json new file mode 100644 index 00000000..415f5361 --- /dev/null +++ b/azure/templates/nestedtemplates/vnet-existing.json 
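Review bot: `subnet2StartAddress` defaults to "10.0.1.10", which lies in the default prefix of subnet 1 (10.0.1.0/24) rather than subnet 2 (10.0.2.0/24); this looks like a copy of the `subnet1StartAddress` default and should presumably be `"defaultValue": "10.0.2.10"`, or carry no default at all as in the sibling templates where the start addresses are mandatory. `virtualNetworkAddressPrefix` is typed `string` but its description says "The address prefixes of the virtual network", the plural wording of the array-typed parameter in vnet-existing-stack-ha.json; `"description": "The address prefix of the virtual network"` matches the type. The file is also missing its trailing newline.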
@@ -0,0 +1,76 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "vnet" + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "" + }, + "deployNsg": { + "type": "bool", + "defaultValue": false + }, + "NewNsgName": { + "type": "string", + "defaultValue": "default-nsg" + }, + "tagsByResource": { + "type": "object", + "defaultValue": {} + } + }, + "variables": { + "vnetId": "[resourceId(parameters('virtualNetworkExistingRGName'),'Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" + }, + "resources": [ + { + "type": "Microsoft.Network/networkSecurityGroups", + "condition": "[parameters('deployNsg')]", + "apiVersion": "2020-06-01", + "location": "[parameters('location')]", + "name": "[parameters('NewNsgName')]", + "properties": { + "securityRules": [ + { + "name": "AllowAllInBound", + "properties": { + "description": "Allow all inbound connections", + "protocol": "*", + "sourcePortRange": "*", + "destinationPortRange": "*", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "100", + "direction": "Inbound" + } + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/networkSecurityGroups'), parameters('tagsByResource')['Microsoft.Network/networkSecurityGroups'], json('{}')) ]" + } + ], + "outputs": { + "vnetId": { + "value": "[variables('vnetId')]", + "type": "string" + }, + "vnetAddressPrefix": { + "value": "[reference(variables('vnetId'),'2018-11-01').addressSpace.addressPrefixes[0]]", + "type": "string" + } + } +} 
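Review bot: The conditional `AllowAllInBound` rule admits every protocol and port from any source (`sourceAddressPrefix` `*`, `destinationPortRange` `*`) at priority 100, so when `deployNsg` is true the group filters nothing inbound and any restrictive rule added later would have to be given a lower priority number to take effect; the template does not say why that is acceptable. If the intent is that the gateway placed behind this NSG performs the inbound filtering itself, state it in the rule, e.g. `"description": "Allow all inbound connections; filtering is performed by the gateway"`, and consider whether `sourceAddressPrefix` could be `VirtualNetwork` or an operator-supplied prefix where the group ends up on a management interface. The same rule appears in the preceding nested template, whose header is outside this chunk. Separately, `priority` is given as the string "100" although the resource schema declares it an integer, and the `vnetAddressPrefix` output pins `reference(...)` to `2018-11-01` while the NSG uses `2020-06-01`; both appear to be accepted, but an unquoted `100` and a single api version would be tidier.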
diff --git a/azure/templates/nestedtemplates/vnet-new-no-rt.json b/azure/templates/nestedtemplates/vnet-new-no-rt.json
new file mode 100644
index 00000000..837d88ba
--- /dev/null
+++ b/azure/templates/nestedtemplates/vnet-new-no-rt.json
@@ -0,0 +1,107 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "vnet" + }, + "virtualNetworkAddressPrefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the virtual network" + } + }, + "Subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the 1st subnet" + }, + "defaultValue": "Frontend" + }, + "Subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 1st subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "Subnet2Name": { + "type": "string", + "metadata": { + "description": "The name of the 2nd subnet" + }, + "defaultValue": "Backend" + }, + "Subnet2Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 2nd subnet" + }, + "defaultValue": "10.0.2.0/24" + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "new", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "" + }, + "apiVersion": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "[parameters('apiVersion')]", + "location": "[parameters('location')]", + "name": "[parameters('virtualNetworkName')]", + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[parameters('virtualNetworkAddressPrefix')]" + ] + }, + "subnets": [ + { + "name": "[parameters('subnet1Name')]", + "properties": { + "addressPrefix": "[parameters('subnet1Prefix')]" + } + }, + 
{ + "name": "[parameters('subnet2Name')]", + "properties": { + "addressPrefix": "[parameters('subnet2Prefix')]" + } + } + ] + } + } + ], + "outputs": { + "vnetId": { + "value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]", + "type": "string" + } + } +} diff --git a/azure/templates/nestedtemplates/vnet-new-stack-ha.json b/azure/templates/nestedtemplates/vnet-new-stack-ha.json new file mode 100644 index 00000000..f941bb4c --- /dev/null +++ b/azure/templates/nestedtemplates/vnet-new-stack-ha.json 
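Review bot: The `virtualNetworks` resource here carries no `tags`, whereas vnet-4-subnet-new.json applies `tagsByResource` to every resource it creates; if the no-rt variant is meant to honour the same tagging contract, add `"tagsByResource": { "type": "object", "defaultValue": {} }` to the parameters and the same `"tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/virtualNetworks'), parameters('tagsByResource')['Microsoft.Network/virtualNetworks'], json('{}')) ]"` expression on the resource. The same omission is in vnet-new-stack-ha.json, vnet-new-stack-mgmt.json and vnet-new-stack.json. `vnetNewOrExisting` and `virtualNetworkExistingRGName` are declared but unused in a template that only ever creates a new vnet.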
@@ -0,0 +1,141 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "vnet" + }, + "virtualNetworkAddressPrefixes": { + "type": "array", + "metadata": { + "description": "The address prefixes of the virtual network" + } + }, + "subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the 1st subnet" + }, + "defaultValue": "Frontend" + }, + "subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 1st subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "subnet1StartAddress": { + "type": "string", + "metadata": { + "description": "The first avaialable address on the 1st subnet" + } + }, + "subnet2Name": { + "type": "string", + "metadata": { + "description": "The name of the 2nd subnet" + }, + "defaultValue": "Backend" + }, + "subnet2Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 2nd subnet" + }, + "defaultValue": "10.0.2.0/24" + }, + "subnet2StartAddress": { + "type": "string", + "metadata": { + "description": "The first avaialable address on the 2nd subnet" + } + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "new", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "" + }, + "apiVersion": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/routeTables", + "apiVersion": "[parameters('apiVersion')]", + "location": "[parameters('location')]", + "name": 
"[parameters('subnet2Name')]", + "properties": { + "routes": [ + { + "name": "To-Internet", + "properties": { + "addressPrefix": "0.0.0.0/0", + "nextHopType": "VirtualAppliance", + "nextHopIpAddress": "[parameters('subnet2StartAddress')]" + } + } + ] + } + }, + { + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "[parameters('apiVersion')]", + "location": "[parameters('location')]", + "name": "[parameters('virtualNetworkName')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/routeTables', parameters('subnet2Name'))]" + ], + "properties": { + "addressSpace": { + "addressPrefixes": "[parameters('virtualNetworkAddressPrefixes')]" + }, + "subnets": [ + { + "name": "[parameters('subnet1Name')]", + "properties": { + "addressPrefix": "[parameters('subnet1Prefix')]" + } + }, + { + "name": "[parameters('subnet2Name')]", + "properties": { + "addressPrefix": "[parameters('subnet2Prefix')]", + "routeTable": { + "id": "[resourceId('Microsoft.Network/routeTables', parameters('subnet2Name'))]" + } + } + } + ] + } + } + ], + "outputs": { + "vnetId": { + "value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]", + "type": "string" + } + } +} diff --git a/azure/templates/nestedtemplates/vnet-new-stack-mgmt.json b/azure/templates/nestedtemplates/vnet-new-stack-mgmt.json new file mode 100644 index 00000000..e443a759 --- /dev/null +++ b/azure/templates/nestedtemplates/vnet-new-stack-mgmt.json 
@@ -0,0 +1,87 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "vnet" + }, + "virtualNetworkAddressPrefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the virtual network" + } + }, + "Subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the 1st subnet" + }, + "defaultValue": "Frontend" + }, + "Subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 1st subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "new", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "" + }, + "apiVersion": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "[parameters('apiVersion')]", + "location": "[parameters('location')]", + "name": "[parameters('virtualNetworkName')]", + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[parameters('virtualNetworkAddressPrefix')]" + ] + }, + "subnets": [ + { + "name": "[parameters('subnet1Name')]", + "properties": { + "addressPrefix": "[parameters('subnet1Prefix')]" + } + } + ] + } + } + ], + "outputs": { + "vnetId": { + "value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]", + "type": "string" + } + } +} 
diff --git a/azure/templates/nestedtemplates/vnet-new-stack.json b/azure/templates/nestedtemplates/vnet-new-stack.json
new file mode 100644
index 00000000..731bd0be
--- /dev/null
+++ b/azure/templates/nestedtemplates/vnet-new-stack.json
@@ -0,0 +1,165 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "virtualNetworkName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the virtual network"
+ },
+ "defaultValue": "vnet"
+ },
+ "virtualNetworkAddressPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the virtual network"
+ }
+ },
+ "Subnet1Name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the 1st subnet"
+ },
+ "defaultValue": "Frontend"
+ },
+ "Subnet1Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the 1st subnet"
+ },
+ "defaultValue": "10.0.1.0/24"
+ },
+ "Subnet1StartAddress": {
+ "type": "string",
+ "metadata": {
+ "description": "The first avaialable address on the 1st subnet"
+ }
+ },
+ "Subnet2Name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the 2nd subnet"
+ },
+ "defaultValue": "Backend"
+ },
+ "Subnet2Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the 2nd subnet"
+ },
+ "defaultValue": "10.0.2.0/24"
+ },
+ "Subnet2StartAddress": {
+ "type": "string",
+ "metadata": {
+ "description": "The first avaialable address on the 2nd subnet"
+ }
+ },
+ "vnetNewOrExisting": {
+ "type": "string",
+ "defaultValue": "new",
+ "allowedValues": [
+ "new",
+ "existing"
+ ],
+ "metadata": {
+ "Description": "Indicates whether the virtual network is new or existing"
+ }
+ },
+ "virtualNetworkExistingRGName": {
+ "type": "string",
+ "metadata": {
+ "description": "Resource Group of the existing virtual network"
+ },
+ "defaultValue": ""
+ },
+ "apiVersion": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Network/routeTables",
+ "apiVersion": "[parameters('apiVersion')]",
+ "location": "[parameters('location')]",
+ "name": "[parameters('subnet1Name')]",
+ "properties": {
+ "routes": [
+ {
+ "name": "To-Internal",
+ "properties": {
+ "addressPrefix": "[parameters('virtualNetworkAddressPrefix')]",
+ "nextHopType": "VirtualAppliance",
+ "nextHopIpAddress": "[parameters('subnet1StartAddress')]"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Network/routeTables",
+ "apiVersion": "[parameters('apiVersion')]",
+ "location": "[parameters('location')]",
+ "name": "[parameters('subnet2Name')]",
+ "properties": {
+ "routes": [
+ {
+ "name": "To-Internet",
+ "properties": {
+ "addressPrefix": "0.0.0.0/0",
+ "nextHopType": "VirtualAppliance",
+ "nextHopIpAddress": "[parameters('subnet2StartAddress')]"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Network/virtualNetworks",
+ "apiVersion": "[parameters('apiVersion')]",
+ "location": "[parameters('location')]",
+ "name": "[parameters('virtualNetworkName')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/routeTables', parameters('subnet1Name'))]",
+ "[resourceId('Microsoft.Network/routeTables', parameters('subnet2Name'))]"
+ ],
+ "properties": {
+ "addressSpace": {
+ "addressPrefixes": [
+ "[parameters('virtualNetworkAddressPrefix')]"
+ ]
+ },
+ "subnets": [
+ {
+ "name": "[parameters('subnet1Name')]",
+ "properties": {
+ "addressPrefix": "[parameters('subnet1Prefix')]",
+ "routeTable": {
+ "id": "[resourceId('Microsoft.Network/routeTables', parameters('subnet1Name'))]"
+ }
+ }
+ },
+ {
+ "name": "[parameters('subnet2Name')]",
+ "properties": {
+ "addressPrefix": "[parameters('subnet2Prefix')]",
+ "routeTable": {
+ "id": "[resourceId('Microsoft.Network/routeTables', parameters('subnet2Name'))]"
+ }
+ }
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {
+ "vnetId": {
+ "value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]",
+ "type": "string"
+ }
+ }
+}
diff --git a/azure/templates/nestedtemplates/vnet-new.json b/azure/templates/nestedtemplates/vnet-new.json
new file mode 100644
index 00000000..4c57eacd
--- /dev/null
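Review bot: The route table for subnet1 carries only the `To-Internal` route (the whole VNet prefix, next hop `VirtualAppliance` at `subnet1StartAddress`), while `vnet-new.json` in the same commit places a more-specific `Local-Subnet` route (`subnet1Prefix` → `VnetLocal`) in front of it. Because the VNet-wide user-defined route also covers subnet1 itself, traffic between hosts inside the Frontend subnet appears to be steered through the appliance instead of being delivered locally; if that is intended for this "stack" variant it should be stated, otherwise add a `Local-Subnet` entry before `To-Internal` with `"addressPrefix": "[parameters('subnet1Prefix')]"` and `"nextHopType": "VnetLocal"`, mirroring vnet-new.json. `vnetNewOrExisting` and `virtualNetworkExistingRGName` are declared but never read in this template, and `avaialable` in both `SubnetNStartAddress` descriptions should be `available`.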
+++ b/azure/templates/nestedtemplates/vnet-new.json 
@@ -0,0 +1,196 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "virtualNetworkName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the virtual network"
+ },
+ "defaultValue": "vnet"
+ },
+ "virtualNetworkAddressPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the virtual network"
+ }
+ },
+ "Subnet1Name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the 1st subnet"
+ },
+ "defaultValue": "Frontend"
+ },
+ "Subnet1Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the 1st subnet"
+ },
+ "defaultValue": "10.0.1.0/24"
+ },
+ "Subnet1StartAddress": {
+ "type": "string",
+ "metadata": {
+ "description": "The first avaialable address on the 1st subnet"
+ }
+ },
+ "Subnet2Name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the 2nd subnet"
+ },
+ "defaultValue": "Backend"
+ },
+ "Subnet2Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the 2nd subnet"
+ },
+ "defaultValue": "10.0.2.0/24"
+ },
+ "Subnet2StartAddress": {
+ "type": "string",
+ "metadata": {
+ "description": "The first avaialable address on the 2nd subnet"
+ }
+ },
+ "tagsByResource": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "deployNsg": {
+ "type": "bool",
+ "defaultValue": false
+ },
+ "NewNsgName": {
+ "type": "string",
+ "defaultValue": "default-nsg"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Network/routeTables",
+ "apiVersion": "2020-06-01",
+ "location": "[parameters('location')]",
+ "name": "[parameters('subnet1Name')]",
+ "properties": {
+ "routes": [
+ {
+ "name": "Local-Subnet",
+ "properties": {
+ "addressPrefix": "[parameters('subnet1Prefix')]",
+ "nextHopType": "VnetLocal"
+ }
+ },
+ {
+ "name": "To-Internal",
+ "properties": {
+ "addressPrefix": "[parameters('virtualNetworkAddressPrefix')]",
+ "nextHopType": "VirtualAppliance",
+ "nextHopIpAddress": "[parameters('subnet1StartAddress')]"
+ }
+ }
+ ]
+ },
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/routeTables'), parameters('tagsByResource')['Microsoft.Network/routeTables'], json('{}')) ]"
+ },
+ {
+ "type": "Microsoft.Network/routeTables",
+ "apiVersion": "2020-06-01",
+ "location": "[parameters('location')]",
+ "name": "[parameters('subnet2Name')]",
+ "properties": {
+ "routes": [
+ {
+ "name": "To-Internet",
+ "properties": {
+ "addressPrefix": "0.0.0.0/0",
+ "nextHopType": "VirtualAppliance",
+ "nextHopIpAddress": "[parameters('subnet2StartAddress')]"
+ }
+ }
+ ]
+ },
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/routeTables'), parameters('tagsByResource')['Microsoft.Network/routeTables'], json('{}')) ]"
+ },
+ {
+ "type": "Microsoft.Network/virtualNetworks",
+ "apiVersion": "2020-06-01",
+ "location": "[parameters('location')]",
+ "name": "[parameters('virtualNetworkName')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/routeTables', parameters('subnet1Name'))]",
+ "[resourceId('Microsoft.Network/routeTables', parameters('subnet2Name'))]"
+ ],
+ "properties": {
+ "addressSpace": {
+ "addressPrefixes": [
+ "[parameters('virtualNetworkAddressPrefix')]"
+ ]
+ },
+ "subnets": [
+ {
+ "name": "[parameters('subnet1Name')]",
+ "properties": {
+ "addressPrefix": "[parameters('subnet1Prefix')]",
+ "routeTable": {
+ "id": "[resourceId('Microsoft.Network/routeTables', parameters('subnet1Name'))]"
+ }
+ }
+ },
+ {
+ "name": "[parameters('subnet2Name')]",
+ "properties": {
+ "addressPrefix": "[parameters('subnet2Prefix')]",
+ "routeTable": {
+ "id": "[resourceId('Microsoft.Network/routeTables', parameters('subnet2Name'))]"
+ }
+ }
+ }
+ ]
+ },
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/virtualNetworks'), parameters('tagsByResource')['Microsoft.Network/virtualNetworks'], json('{}')) ]"
+ },
+ {
+ "type": "Microsoft.Network/networkSecurityGroups",
+ "condition": "[parameters('deployNsg')]",
+ "apiVersion": "2020-06-01",
+ "location": "[parameters('location')]",
+ "name": "[parameters('NewNsgName')]",
+ "properties": {
+ "securityRules": [
+ {
+ "name": "AllowAllInBound",
+ "properties": {
+ "description": "Allow all inbound connections",
+ "protocol": "*",
+ "sourcePortRange": "*",
+ "destinationPortRange": "*",
+ "sourceAddressPrefix": "*",
+ "destinationAddressPrefix": "*",
+ "access": "Allow",
+ "priority": "100",
+ "direction": "Inbound"
+ }
+ }
+ ]
+ },
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/networkSecurityGroups'), parameters('tagsByResource')['Microsoft.Network/networkSecurityGroups'], json('{}')) ]"
+ }
+ ],
+ "outputs": {
+ "vnetId": {
+ "value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]",
+ "type": "string"
+ },
+ "vnetAddressPrefix": {
+ "value": "[parameters('virtualNetworkAddressPrefix')]",
+ "type": "string"
+ }
+ }
+}
diff --git a/azure/templates/single-ipv6/README.md b/azure/templates/single-ipv6/README.md
new file mode 100755
index 00000000..57e098d6
--- /dev/null
+++ b/azure/templates/single-ipv6/README.md
@@ -0,0 +1,10 @@
+# IPv6 support for CloudGuard IaaS in Azure
+Azure's IPv6 connectivity makes it easy to provide dual stack (IPv4/IPv6) Internet connectivity for applications hosted in Azure.
+It allows for simple deployment of VMs with load balanced IPv6 connectivity for both inbound and outbound initiated connections.
+
+Follow [sk170760](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk170760) instruction to deploy dual stack (IPv4/IPv6) CloudGuard IaaS Security Gateway in Azure.
+
+
+ Deploy to Azure
+
+
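Review bot: The conditional NSG named by `NewNsgName` consists of a single `AllowAllInBound` rule (`*` protocol, ports, source and destination, `Allow`, priority 100) and nothing in the template records that this is deliberate; presumably the gateway placed behind it is meant to do the filtering, but a reader of the nested template alone cannot tell, and the same rule reappears in `single-ipv6/mainTemplate.json`. At minimum the rule's `description` should state the intent, e.g. `"description": "Allow all inbound connections; filtering is delegated to the gateway policy, this NSG is intentionally permissive"`, and `deployNsg` should carry a `metadata.description` saying what the NSG is for, since this template creates it but attaches it to neither subnet. The `avaialable` typo in both `SubnetNStartAddress` descriptions should read `available`.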
diff --git a/azure/templates/single-ipv6/mainTemplate.json b/azure/templates/single-ipv6/mainTemplate.json
new file mode 100755
index 00000000..3ef03349
--- /dev/null
+++ b/azure/templates/single-ipv6/mainTemplate.json
@@ -0,0 +1,1038 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "Deployment location"
+ },
+ "defaultValue": "[resourceGroup().location]"
+ },
+ "cloudGuardVersion": {
+ "type": "string",
+ "allowedValues": [
+ "R81.10 - Bring Your Own License",
+ "R81.10 - Pay As You Go (NGTP)",
+ "R81.10 - Pay As You Go (NGTX)",
+ "R81.20 - Bring Your Own License",
+ "R81.20 - Pay As You Go (NGTP)",
+ "R81.20 - Pay As You Go (NGTX)"
+ ],
+ "defaultValue": "R81.20 - Bring Your Own License",
+ "metadata": {
+ "description": "Version of Check Point CloudGuard"
+ }
+ },
+ "adminPassword": {
+ "type": "securestring",
+ "metadata": {
+ "description": "Administrator password"
+ },
+ "defaultValue": ""
+ },
+ "authenticationType": {
+ "type": "string",
+ "allowedValues": [
+ "password",
+ "sshPublicKey"
+ ],
+ "defaultValue": "password",
+ "metadata": {
+ "description": "Authentication type"
+ }
+ },
+ "sshPublicKey": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Administrator SSH public key"
+ }
+ },
+ "vmName": {
+ "type": "string",
+ "metadata": {
+ "description": "Name of the Check Point Security Gateway"
+ }
+ },
+ "vmSize": {
+ "type": "string",
+ "defaultValue": "Standard_D3_v2",
+ "metadata": {
+ "description": "Size of the VM"
+ }
+ },
+ "adminShell": {
+ "type": "string",
+ "defaultValue": "/etc/cli.sh",
+ "allowedValues": [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"
+ ],
+ "metadata": {
+ "Description": "The default shell for the admin user"
+ }
+ },
+ "sicKey": {
+ "type": "securestring",
+ "metadata": {
+ "description": "One time key for Secure Internal Communication"
+ }
+ },
+ "virtualNetworkName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the virtual network"
+ },
+ "defaultValue": "vnet"
+ },
+ "virtualNetworkAddressPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the virtual network"
+ },
+ "defaultValue": "10.0.0.0/16"
+ },
+ "virtualNetworkIpv6AddressPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The IPv6 address prefix of the virtual network"
+ },
+ "defaultValue": "ace:cab:deca::/48"
+ },
+ "Subnet1Name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the 1st subnet"
+ },
+ "defaultValue": "Frontend"
+ },
+ "Subnet1Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the 1st subnet"
+ },
+ "defaultValue": "10.0.0.0/24"
+ },
+ "Subnet1Ipv6Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The IPv6 address prefix of the 1st subnet"
+ },
+ "defaultValue": "ace:cab:deca:deed::/64"
+ },
+ "Subnet1StartAddress": {
+ "type": "string",
+ "metadata": {
+ "description": "The first available address on the 1st subnet"
+ },
+ "defaultValue": "10.0.0.10"
+ },
+ "Subnet2Name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the 2nd subnet"
+ },
+ "defaultValue": "Backend"
+ },
+ "Subnet2Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the 2nd subnet"
+ },
+ "defaultValue": "10.0.1.0/24"
+ },
+ "Subnet2Ipv6Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The IPv6 address prefix of the 2nd subnet"
+ },
+ "defaultValue": "ace:cab:deca:deee::/64"
+ },
+ "Subnet2StartAddress": {
+ "type": "string",
+ "metadata": {
+ "description": "The first available address on the 2nd subnet"
+ },
+ "defaultValue": "10.0.1.10"
+ },
+ "vnetNewOrExisting": {
+ "type": "string",
+ "defaultValue": "new",
+ "allowedValues": [
+ "new",
+ "existing"
+ ],
+ "metadata": {
+ "Description": "Indicates whether the virtual network is new or existing"
+ }
+ },
+ "virtualNetworkExistingRGName": {
+ "type": "string",
+ "metadata": {
+ "description": "Resource Group of the existing virtual network"
+ },
+ "defaultValue": "[resourceGroup().name]"
+ },
+ "managementGUIClientNetwork": {
+ "type": "string",
+ "metadata": {
+ "description": "Allowed GUI clients"
+ },
+ "defaultValue": "0.0.0.0/0"
+ },
+ "installationType": {
+ "type": "string",
+ "metadata": {
+ "description": "Installation Type"
+ },
+ "defaultValue": "ipv6Gateway",
+ "allowedValues": [
+ "standalone",
+ "gateway",
+ "custom"
+ ]
+ },
+ "bootstrapScript": {
+ "type": "string",
+ "metadata": {
+ "description": "Bootstrap script"
+ },
+ "defaultValue": ""
+ },
+ "allowDownloadFromUploadToCheckPoint": {
+ "type": "string",
+ "allowedValues": [
+ "true",
+ "false"
+ ],
+ "defaultValue": "true",
+ "metadata": {
+ "description": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point"
+ }
+ },
+ "additionalDiskSizeGB": {
+ "type": "int",
+ "defaultValue": 0,
+ "metadata": {
+ "description": "Amount of additional disk space (in GB)"
+ },
+ "minValue": 0,
+ "maxValue": 3995
+ },
+ "diskType": {
+ "type": "string",
+ "defaultValue": "Standard_LRS",
+ "metadata": {
+ "description": "The type of the OS disk. Premium is applicable only to DS machine sizes"
+ },
+ "allowedValues": [
+ "Standard_LRS",
+ "Premium_LRS"
+ ]
+ },
+ "sourceImageVhdUri": {
+ "type": "string",
+ "defaultValue": "noCustomUri",
+ "metadata": {
+ "description": "The URI of the blob containing the development image"
+ }
+ },
+ "_artifactsLocation": {
+ "type": "string",
+ "metadata": {
+ "description": "The base URI where artifacts required by this template are located including a trailing '/'"
+ },
+ "defaultValue": "https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/"
+ },
+ "_artifactsLocationSasToken": {
+ "type": "securestring",
+ "metadata": {
+ "description": "The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. Use the defaultValue if the staging location is not secured."
+ },
+ "defaultValue": ""
+ },
+ "tagsByResource": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "deployNewNSG": {
+ "type": "bool",
+ "defaultValue": true
+ },
+ "ExistingNSG": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "NewNsgName": {
+ "type": "string",
+ "defaultValue": "[concat(parameters('vmName'),'-nsg')]"
+ },
+ "addStorageAccountIpRules": {
+ "type": "bool",
+ "metadata": {
+ "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled"
+ },
+ "defaultValue": false
+ },
+ "storageAccountAdditionalIps": {
+ "type": "array",
+ "metadata": {
+ "description": "IPs/CIDRs that are allowed access to the Storage Account"
+ },
+ "defaultValue": []
+ }
+ },
+ "variables": {
+ "vnetv4AddressRange": "[parameters('virtualNetworkAddressPrefix')]",
+ "vnetv6AddressRange": "[parameters('virtualNetworkIPv6AddressPrefix')]",
+ "subnetv4AddressRange": "[parameters('Subnet1Prefix')]",
+ "subnet2v4AddressRange": "[parameters('Subnet2Prefix')]",
+ "subnetv6AddressRange": "[parameters('Subnet1IPv6Prefix')]",
+ "subnet2v6AddressRange": "[parameters('Subnet2IPv6Prefix')]",
+ "virtualNetworkName": "[parameters('virtualNetworkName')]",
+ "subnetName": "[parameters('Subnet1Name')]",
+ "subnet2Name": "[parameters('Subnet2Name')]",
+ "templateName": "singleIpv6",
+ "templateVersion": "20240716",
+ "location": "[parameters('location')]",
+ "subnet-id": "[resourceId(parameters('virtualNetworkExistingRGName'), 'Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworkName'), variables('subnetName'))]",
+ "subnet2-id": "[resourceId(parameters('virtualNetworkExistingRGName'), 'Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworkName'), variables('subnet2Name'))]",
+ "offers": {
+ "R81.10 - Bring Your Own License": "BYOL",
+ "R81.10 - Pay As You Go (NGTP)": "NGTP",
+ "R81.10 - Pay As You Go (NGTX)": "NGTX",
+ "R81.20 - Bring Your Own License": "BYOL",
+ "R81.20 - Pay As You Go (NGTP)": "NGTP",
+ "R81.20 - Pay As You Go (NGTX)": "NGTX"
+ },
+ "offer": "[variables('offers')[parameters('cloudGuardVersion')]]",
+ "osVersions": {
+ "R81.10 - Bring Your Own License": "R8110",
+ "R81.10 - Pay As You Go (NGTP)": "R8110",
+ "R81.10 - Pay As You Go (NGTX)": "R8110",
+ "R81.20 - Bring Your Own License": "R8120",
+ "R81.20 - Pay As You Go (NGTP)": "R8120",
+ "R81.20 - Pay As You Go (NGTX)": "R8120"
+ },
+ "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]",
+ "SerialConsoleGeographies": {
+ "eastasia": [
+ "20.205.69.28",
+ "20.195.85.180"
+ ],
+ "southeastasia": [
+ "20.205.69.28",
+ "20.195.85.180"
+ ],
+ "australiacentral": [
+ "20.53.53.224",
+ "20.70.222.112"
+ ],
+ "australiacentral2": [
+ "20.53.53.224",
+ "20.70.222.112"
+ ],
+ "australiaeast": [
+ "20.53.53.224",
+ "20.70.222.112"
+ ],
+ "australiasoutheast": [
+ "20.53.53.224",
+ "20.70.222.112"
+ ],
+ "brazilsouth": [
+ "91.234.136.63",
+ "20.206.0.194"
+ ],
+ "brazilsoutheast": [
+ "91.234.136.63",
+ "20.206.0.194"
+ ],
+ "canadacentral": [
+ "52.228.86.177",
+ "52.242.40.90"
+ ],
+ "canadaeast": [
+ "52.228.86.177",
+ "52.242.40.90"
+ ],
+ "northeurope": [
+ "52.146.139.220",
+ "20.105.209.72"
+ ],
+ "westeurope": [
+ "52.146.139.220",
+ "20.105.209.72"
+ ],
+ "francecentral": [
+ "20.111.0.244",
+ "52.136.191.10"
+ ],
+ "francesouth": [
+ "20.111.0.244",
+ "52.136.191.10"
+ ],
+ "germanynorth": [
+ "51.116.75.88",
+ "20.52.95.48"
+ ],
+ "germanywestcentral": [
+ "51.116.75.88",
+ "20.52.95.48"
+ ],
+ "centralindia": [
+ "20.192.168.150",
+ "20.192.153.104"
+ ],
+ "southindia": [
+ "20.192.168.150",
+ "20.192.153.104"
+ ],
+ "westindia": [
+ "20.192.168.150",
+ "20.192.153.104"
+ ],
+ "japaneast": [
+ "20.43.70.205",
+ "20.189.228.222"
+ ],
+ "japanwest": [
+ "20.43.70.205",
+ "20.189.228.222"
+ ],
+ "koreacentral": [
+ "20.200.196.96",
+ "52.147.119.29"
+ ],
+ "koreasouth": [
+ "20.200.196.96",
+ "52.147.119.29"
+ ],
+ "norwaywest": [
+ "20.100.1.184",
+ "51.13.138.76"
+ ],
+ "norwayeast": [
+ "20.100.1.184",
+ "51.13.138.76"
+ ],
+ "switzerlandnorth": [
+ "20.208.4.98",
+ "51.107.251.190"
+ ],
+ "switzerlandwest": [
+ "20.208.4.98",
+ "51.107.251.190"
+ ],
+ "uaecentral": [
+ "20.45.95.66",
+ "20.38.141.5"
+ ],
+ "uaenorth": [
+ "20.45.95.66",
+ "20.38.141.5"
+ ],
+ "uksouth": [
+ "20.90.132.144",
+ "20.58.68.62"
+ ],
+ "ukwest": [
+ "20.90.132.144",
+ "20.58.68.62"
+ ],
+ "swedencentral": [
+ "51.12.72.223",
+ "51.12.22.174"
+ ],
+ "swedensouth": [
+ "51.12.72.223",
+ "51.12.22.174"
+ ],
+ "centralus": [
+ "20.98.146.84",
+ "20.98.194.64",
+ "20.69.5.162",
+ "20.83.222.102"
+ ],
+ "eastus2": [
+ "20.98.146.84",
+ "20.98.194.64",
+ "20.69.5.162",
+ "20.83.222.102"
+ ],
+ "eastus": [
+ "20.98.146.84",
+ "20.98.194.64",
+ "20.69.5.162",
+ "20.83.222.102"
+ ],
+ "northcentralus": [
+ "20.98.146.84",
+ "20.98.194.64",
+ "20.69.5.162",
+ "20.83.222.102"
+ ],
+ "southcentralus": [
+ "20.98.146.84",
+ "20.98.194.64",
+ "20.69.5.162",
+ "20.83.222.102"
+ ],
+ "westus2": [
+ "20.98.146.84",
+ "20.98.194.64",
+ "20.69.5.162",
+ "20.83.222.102"
+ ],
+ "westus3": [
+ "20.98.146.84",
+ "20.98.194.64",
+ "20.69.5.162",
+ "20.83.222.102"
+ ],
+ "westcentralus": [
+ "20.98.146.84",
+ "20.98.194.64",
+ "20.69.5.162",
+ "20.83.222.102"
+ ],
+ "westus": [
+ "20.98.146.84",
+ "20.98.194.64",
+ "20.69.5.162",
+ "20.83.222.102"
+ ],
+ "eastus2euap": [
+ "20.45.242.18",
+ "20.51.21.252"
+ ],
+ "centraluseuap": [
+ "20.45.242.18",
+ "20.51.21.252"
+ ]
+ },
+ "serialConsoleIps": "[if(contains(variables('serialConsoleGeographies'),variables('location')),variables('serialConsoleGeographies')[variables('location')],createArray())]",
+ "storageAccountIps": "[concat(variables('SerialConsoleIps'),parameters('storageAccountAdditionalIps'))]",
+ "installationType": "[parameters('installationType')]",
+ "isBlink": "[equals(variables('installationType'), 'gateway')]",
+ "storageAccountName": "[concat('bootdiag', uniqueString(resourceGroup().id, deployment().name))]",
+ "storageAccountType": "Standard_LRS",
+ "diskSize100GB": 100,
+ "diskSizeGB": "[add(parameters('additionalDiskSizeGB'), variables('diskSize100GB'))]",
+ "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'managementGUIClientNetwork=\"', variables('managementGUIClientNetwork'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n')]",
+ "imageOffer": "[concat('check-point-cg-', toLower(variables('osVersion')))]",
+ "imagePublisher": "checkpoint",
+ "imageSku": "sg-byol",
+ "imageReferenceBYOL": {
+ "offer": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]",
+ "sku": "[variables('imageSku')]",
+ "version": "latest"
+ },
+ "imageReferenceNGTP": {
+ "offer": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]",
+ "sku": "sg-ngtp",
+ "version": "latest"
+ },
+ "imageReferenceNGTP-V2": {
+ "offer": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]",
+ "sku": "sg-ngtp-v2",
+ "version": "latest"
+ },
+ "imageReferenceNGTX": {
+ "offer": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]",
+ "sku": "sg-ngtx",
+ "version": "latest"
+ },
+ "imageReferenceNGTX-V2": {
+ "offer": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]",
+ "sku": "sg-ngtx-v2",
+ "version": "latest"
+ },
+ "imageReferenceMarketplace": "[if(equals(variables('offer'), 'BYOL'), variables('imageReferenceBYOL'), if(equals(variables('offer'), 'NGTP'), variables('imageReferenceNGTP'), if(equals(variables('offer'), 'NGTP-V2'), variables('imageReferenceNGTP-V2'), if(equals(variables('offer'), 'NGTX'), variables('imageReferenceNGTX'), if(equals(variables('offer'), 'NGTX-V2'), variables('imageReferenceNGTX-V2'), json('null'))))))]",
+ "customImage": "customImage",
+ "imageReferenceCustomUri": {
+ "id": "[resourceId('Microsoft.Compute/images/', variables('customImage'))]"
+ },
+ "imageReference": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('imageReferenceMarketplace'), variables('imageReferenceCustomUri'))]",
+ "nic1Name": "[concat(parameters('vmName'), '-eth0')]",
+ "nic2Name": "[concat(parameters('vmName'), '-eth1')]",
+ "linuxConfigurationpassword": {
+ "disablePasswordAuthentication": "false"
+ },
+ "linuxConfigurationsshPublicKey": {
+ "disablePasswordAuthentication": "true",
+ "ssh": {
+ "publicKeys": [
+ {
+ "keyData": "[parameters('sshPublicKey')]",
+ "path": "/home/notused/.ssh/authorized_keys"
+ }
+ ]
+ }
+ },
+ "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), variables('linuxConfigurationpassword'), variables('linuxConfigurationsshPublicKey'))]",
+ "planBYOL": {
+ "name": "[variables('imageSku')]",
+ "product": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]"
+ },
+ "planNGTP": {
+ "name": "sg-ngtp",
+ "product": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]"
+ },
+ "planNGTP-V2": {
+ "name": "sg-ngtp-v2",
+ "product": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]"
+ },
+ "planNGTX": {
+ "name": "sg-ngtx",
+ "product": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]"
+ },
+ "planNGTX-V2": {
+ "name": "sg-ngtx-v2",
+ "product": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]"
+ },
+ "plan": "[if(equals(variables('offer'), 'BYOL') , variables('planBYOL'), if(equals(variables('offer'), 'NGTP'), variables('planNGTP'), if(equals(variables('offer'), 'NGTP-V2'), variables('planNGTP-V2'), if(equals(variables('offer'), 'NGTX'), variables('planNGTX'), if(equals(variables('offer'), 'NGTX-V2'), variables('planNGTX-V2'), json('null'))))))]",
+ "bootstrapScript64": "[base64(parameters('bootstrapScript'))]",
+ "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]",
+ "networkSetupURL": "[uri(parameters('_artifactsLocation'), concat('nestedtemplates/vnet-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]",
+ "sicKey": "[parameters('sicKey')]",
+ "managementGUIClientNetwork": "[parameters('managementGUIClientNetwork')]",
+ "NewNsgReference": {
+ "id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('NewNsgName'))]"
+ }
+ },
+ "resources": [
+ {
+ "apiVersion": "2020-06-01",
+ "name": "pid-14dc7680-7a2f-483c-b3ec-2c0cfae477aa",
+ "type": "Microsoft.Resources/deployments",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": []
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "name": "[variables('storageAccountName')]",
+ "apiVersion": "2021-06-01",
+ "properties": {
+ "supportsHttpsTrafficOnly": true,
+ "allowBlobPublicAccess": false,
+ "minimumTlsVersion": "TLS1_2",
+ "networkAcls": {
+ "bypass": "None",
+ "defaultAction": "[if(parameters('addStorageAccountIpRules'), 'Deny', 'Allow')]",
+ "ipRules": "[if(parameters('addStorageAccountIpRules'), map(variables('storageAccountIps'), lambda('ip',createObject('action','Allow','value',lambdaVariables('ip')))), createArray())]"
+ }
+ },
+ "location": "[variables('location')]",
+ "sku": {
+ "name": "[variables('storageAccountType')]"
+ },
+ "kind": "Storage",
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Storage/storageAccounts'), parameters('tagsByResource')['Microsoft.Storage/storageAccounts'], json('{}')) ]"
+ },
+ {
+ "apiVersion": "2020-05-01",
+ "type": "Microsoft.Network/publicIPAddresses",
+ "name": "lbpublicip-v4",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "Standard"
+ },
+ "properties": {
+ "publicIPAllocationMethod": "Static"
+ },
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/publicIPAddresses'), parameters('tagsByResource')['Microsoft.Network/publicIPAddresses'], json('{}')) ]"
+ },
+ {
+ "apiVersion": "2020-05-01",
+ "type": "Microsoft.Network/publicIPAddresses",
+ "name": "lbpublicip-v6",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "Standard"
+ },
+ "properties": {
+ "publicIPAllocationMethod": "Static",
+ "publicIPAddressVersion": "IPv6"
+ },
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/publicIPAddresses'), parameters('tagsByResource')['Microsoft.Network/publicIPAddresses'], json('{}')) ]"
+ },
+ {
+ "apiVersion": "2020-05-01",
+ "name": "loadBalancer",
+ "type": "Microsoft.Network/loadBalancers",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "Standard"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/publicIPAddresses','lbpublicip-v4')]",
+ "[resourceId('Microsoft.Network/publicIPAddresses','lbpublicip-v6')]"
+ ],
+ "properties": {
+ "frontendIpConfigurations": [
+ {
+ "name": "LB-v4",
+ "properties": {
+ "publicIPAddress": {
+ "id": "[resourceId('Microsoft.Network/publicIPAddresses', 'lbpublicip-v4')]"
+ }
+ }
+ },
+ {
+ "name": "LB-v6",
+ "properties": {
+ "publicIPAddress": {
+ "id": "[resourceId('Microsoft.Network/publicIPAddresses','lbpublicip-v6')]"
+ }
+ }
+ }
+ ],
+ "backendAddressPools": [
+ {
+ "name": "LBBAP-v4"
+ },
+ {
+ "name": "LBBAP-v6"
+ }
+ ],
+ "loadBalancingRules": [
+ {
+ "properties": {
+ "frontendIPConfiguration": {
+ "id": "[resourceId('Microsoft.Network/loadBalancers/frontendIpConfigurations', 'loadBalancer', 'LB-v4')]"
+ },
+ "backendAddressPool": {
+ "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', 'loadBalancer', 'LBBAP-v4')]"
+ },
+ "probe": {
+ "id": "[resourceId('Microsoft.Network/loadBalancers/probes', 'loadBalancer', 'lb-probe')]"
+ },
+ "protocol": "Tcp",
+ "frontendPort": 443,
+ "backendPort": 443,
+ "idleTimeoutInMinutes": 4
+ },
+ "name": "lb-rule-v4"
+ },
+ {
+ "properties": {
+ "frontendIPConfiguration": {
+ "id": "[resourceId('Microsoft.Network/loadBalancers/frontendIpConfigurations', 'loadBalancer', 'LB-v6')]"
+ },
+ "backendAddressPool": {
+ "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', 'loadBalancer', 'LBBAP-v6')]"
+ },
+ "probe": {
+ "id": "[resourceId('Microsoft.Network/loadBalancers/probes', 'loadBalancer', 'lb-probe')]"
+ },
+ "protocol": "Tcp",
+ "frontendPort": 443,
+ "backendPort": 443
+ },
+ "name": "lb-rule-v6"
+ }
+ ],
+ "probes": [
+ {
+ "properties": {
+ "protocol": "Tcp",
+ "port": 22,
+ "intervalInSeconds": 5,
+ "numberOfProbes": 2
+ },
+ "name": "lb-probe"
+ }
+ ]
+ },
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/loadBalancers'), parameters('tagsByResource')['Microsoft.Network/loadBalancers'], json('{}')) ]"
+ },
+ {
+ "type": "Microsoft.Network/networkSecurityGroups",
+ "condition": "[and(parameters('deployNewNSG'),equals(parameters('vnetNewOrExisting'), 'new'))]",
+ "apiVersion": "2020-06-01",
+ "location": "[parameters('location')]",
+ "name": "[parameters('NewNsgName')]",
+ "properties": {
+ "securityRules": [
+ {
+ "name": "AllowAllInBound",
+ "properties": {
+ "description": "Allow all inbound connections",
+ "protocol": "*",
+ "sourcePortRange": "*",
+ "destinationPortRange": "*",
+ "sourceAddressPrefix": "*",
+ "destinationAddressPrefix": "*",
+ "access": "Allow",
+ "priority": "100",
+ "direction": "Inbound"
+ }
+ }
+ ]
+ },
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/networkSecurityGroups'), parameters('tagsByResource')['Microsoft.Network/networkSecurityGroups'], json('{}')) ]"
+ },
+ {
+ "condition": "[equals(parameters('vnetNewOrExisting'), 'new')]",
+ "apiVersion": "2021-05-01",
+ "type": "Microsoft.Network/virtualNetworks",
+ "name": "[variables('virtualNetworkName')]",
+ "location": "[parameters('location')]",
+ "properties": {
+ "dhcpOptions": {
+ "dnsServers": [
+ "cafe:43::",
+ "cafe:45::"
+ ]
+ },
+ "addressSpace": {
+ "addressPrefixes": [
+ "[variables('vnetv4AddressRange')]",
+ "[variables('vnetv6AddressRange')]"
+ ]
+ },
+ "subnets": [
+ {
+ "name": "[variables('subnetName')]",
+ "properties": {
+ "addressPrefixes": [
+ "[variables('subnetv4AddressRange')]",
+ "[variables('subnetv6AddressRange')]"
+ ]
+ }
+ },
+ {
+ "name": "[variables('subnet2Name')]",
+ "properties": {
+ "addressPrefixes": [
+ "[variables('subnet2v4AddressRange')]",
+ "[variables('subnet2v6AddressRange')]"
+ ]
+ }
+ }
+ ]
+ },
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/virtualNetworks'), parameters('tagsByResource')['Microsoft.Network/virtualNetworks'], json('{}')) ]"
+ },
+ {
+ "condition": "[equals(parameters('vnetNewOrExisting'), 'existing')]",
+ "name": "networkExistingSetup",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-05-01",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "[variables('networkSetupURL')]",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "location": {
+ "value": "[variables('location')]"
+ },
+ "virtualNetworkName": {
+ "value": "[parameters('virtualNetworkName')]"
+ },
+ "virtualNetworkExistingRGName": {
+ "value": "[parameters('virtualNetworkExistingRGName')]"
+ },
+ "tagsByResource": {
+ "value": "[parameters('tagsByResource')]"
+ },
+ "deployNsg": {
+ "value": "[parameters('deployNewNSG')]"
+ },
+ "NewNsgName": {
+ "value": "[parameters('NewNsgName')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Network/networkInterfaces",
+ "apiVersion": "2020-06-01",
+ "dependsOn": [
+ "[coalesce(resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworkName')), resourceId('Microsoft.Resources/deployments', 'networkExistingSetup'))]",
+ "[resourceId('Microsoft.Network/loadBalancers','loadBalancer')]"
+ ],
+ "location": "[variables('location')]",
+ "name": "[variables('nic1Name')]",
+ "properties": {
+ "networkSecurityGroup": "[if(parameters('deployNewNSG') , variables('NewNsgReference') , parameters('ExistingNSG'))]",
+ "enableIPForwarding": true,
+ "enableAcceleratedNetworking": true,
+ "ipConfigurations": [
+ {
+ "name": "ipconfig-v4",
+ "properties": {
+ "privateIPAddress": "[parameters('Subnet1StartAddress')]",
+ "privateIPAllocationMethod": "Static",
+ "privateIPAddressVersion": "IPv4",
+ "primary": true,
+ "subnet": {
+ "id": "[variables('subnet-id')]"
+ },
+ "loadBalancerBackendAddressPools": [
+ {
+ "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', 'loadBalancer', 'LBBAP-v4')]"
+ }
+ ]
+ }
+ },
+ {
+ "name": "ipconfig-v6",
+ "properties": {
+ "privateIPAllocationMethod": "Dynamic",
+ "privateIPAddressVersion": "IPv6",
+ "subnet": {
+ "id": "[variables('subnet-id')]"
+ },
+ "loadBalancerBackendAddressPools": [
+ {
+ "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', 'loadBalancer', 'LBBAP-v6')]"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/networkInterfaces'), parameters('tagsByResource')['Microsoft.Network/networkInterfaces'], json('{}')) ]"
+ },
+ {
+ "type": "Microsoft.Network/networkInterfaces",
+ "apiVersion": "2020-06-01",
+ "dependsOn": [
+ "[coalesce(resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworkName')), resourceId('Microsoft.Resources/deployments', 'networkExistingSetup'))]",
+ "[resourceId('Microsoft.Network/loadBalancers','loadBalancer')]"
+ ],
+ "location": "[variables('location')]",
+ "name": "[variables('nic2Name')]",
+ "properties": {
+ "enableIPForwarding": true,
+ "enableAcceleratedNetworking": true,
+ "ipConfigurations": [
+ {
+ "name": "ipconfig-v4",
+ "properties": {
+ "privateIPAddress": "[parameters('Subnet2StartAddress')]",
+ "privateIPAllocationMethod": "Static",
+ "subnet": {
+ "id": "[variables('subnet2-id')]"
+ }
+ }
+ },
+ {
+ "name": "ipconfig-v6",
+ "properties": {
+ "privateIPAllocationMethod": "Dynamic",
+ "privateIPAddressVersion": "IPv6",
+ "subnet": {
+ "id": "[variables('subnet2-id')]"
+ }
+ }
+ }
+ ]
+ },
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/networkInterfaces'), parameters('tagsByResource')['Microsoft.Network/networkInterfaces'], json('{}')) ]"
+ },
+ {
+ "condition": "[not(equals(parameters('sourceImageVhdUri'), 'noCustomUri'))]",
+ "type": "Microsoft.Compute/images",
+ "apiVersion": "2020-06-01",
+ "name": "[variables('customImage')]",
+ "location": "[variables('location')]",
+ "properties": {
+ "storageProfile": {
+ "osDisk": {
+ "osType": "Linux",
+ "osState": "Generalized",
+ "blobUri": "[parameters('sourceImageVhdUri')]",
+ "storageAccountType": "Standard_LRS"
+ }
+ },
+ "hyperVGeneration": "V1"
+ },
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Compute/images'), parameters('tagsByResource')['Microsoft.Compute/images'], json('{}')) ]"
+ },
+ {
+ "type": "Microsoft.Compute/virtualMachines",
+ "apiVersion": "2021-07-01",
+ "dependsOn": [
+ "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",
+ "[resourceId('Microsoft.Network/networkInterfaces', variables('nic1Name'))]",
+ "[resourceId('Microsoft.Network/networkInterfaces', variables('nic2Name'))]",
+
"[resourceId('Microsoft.Compute/images/', variables('customImage'))]"
+ ],
+ "location": "[variables('location')]",
+ "name": "[parameters('vmName')]",
+ "plan": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('plan'), json('null'))]",
+ "properties": {
+ "UserData": "[base64(variables('customData'))]",
+ "diagnosticsProfile": {
+ "bootDiagnostics": {
+ "enabled": "true",
+ "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2021-06-01').primaryEndpoints.blob]"
+ }
+ },
+ "hardwareProfile": {
+ "vmSize": "[parameters('vmSize')]"
+ },
+ "networkProfile": {
+ "networkInterfaces": [
+ {
+ "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nic1Name'))]",
+ "properties": {
+ "primary": true
+ }
+ },
+ {
+ "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nic2Name'))]",
+ "properties": {
+ "primary": false
+ }
+ }
+ ]
+ },
+ "osProfile": {
+ "adminPassword": "[parameters('adminPassword')]",
+ "adminUsername": "[concat('not','used')]",
+ "computerName": "[toLower(parameters('vmName'))]",
+ "customData": "[base64(variables('customData'))]",
+ "linuxConfiguration": "[variables('linuxConfiguration')]"
+ },
+ "storageProfile": {
+ "imageReference": "[variables('imageReference')]",
+ "osDisk": {
+ "caching": "ReadWrite",
+ "createOption": "FromImage",
+ "diskSizeGB": "[variables('diskSizeGB')]",
+ "name": "[parameters('vmName')]",
+ "managedDisk": {
+ "storageAccountType": "[parameters('diskType')]"
+ }
+ }
+ }
+ },
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Compute/virtualMachines'), parameters('tagsByResource')['Microsoft.Compute/virtualMachines'], json('{}')) ]"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/azure/templates/vmss-ipv6/README.md b/azure/templates/vmss-ipv6/README.md
new file mode 100755
index 00000000..6fbc5c3c
--- /dev/null
+++ b/azure/templates/vmss-ipv6/README.md
@@ -0,0 +1,9 @@
+# IPv6 support for CloudGuard IaaS in Azure
+Azure's IPv6 connectivity makes it easy to provide dual stack (IPv4/IPv6) Internet connectivity for applications hosted in Azure.
+It allows for simple deployment of VMs with load balanced IPv6 connectivity for both inbound and outbound initiated connections.
+
+Follow [sk170760](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk170760) instruction to deploy CloudGuard IaaS virtual machine scale sets with IPv6 in Azure.
+
+
+ Deploy to Azure
+
diff --git a/azure/templates/vmss-ipv6/mainTemplate.json b/azure/templates/vmss-ipv6/mainTemplate.json
new file mode 100755
index 00000000..4c0f3b0a
--- /dev/null
+++ b/azure/templates/vmss-ipv6/mainTemplate.json
@@ -0,0 +1,1367 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "subscriptionId": { + "type": "string", + "defaultValue": "[subscription().subscriptionId]", + "metadata": { + "description": "Subscription ID." + } + }, + "location": { + "type": "string", + "metadata": { + "description": "Deployment location" + }, + "defaultValue": "[resourceGroup().location]" + }, + "cloudGuardVersion": { + "type": "string", + "allowedValues": [ + "R81.10 - Bring Your Own License", + "R81.10 - Pay As You Go (NGTP)", + "R81.10 - Pay As You Go (NGTX)", + "R81.20 - Bring Your Own License", + "R81.20 - Pay As You Go (NGTP)", + "R81.20 - Pay As You Go (NGTX)" + ], + "defaultValue": "R81.20 - Bring Your Own License", + "metadata": { + "description": "Version of Check Point CloudGuard" + } + }, + "instanceCount": { + "defaultValue": "2", + "type": "string", + "metadata": { + "description": "Number of VM instances" + } + }, + "maxInstanceCount": { + "defaultValue": "10", + "type": "string", + "metadata": { + "description": "Maximum number of VM instances" + } + }, + "managementServer": { + "type": "string", + "metadata": { + "description": "The name of the management server as it appears in the configuration file" + } + }, + "configurationTemplate": { + "type": "string", + "metadata": { + "description": "A name of a template as it appears in the configuration file" + } + }, + "adminEmail": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Email address to notify if there are any scaling operations" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Administrator password" + }, + "defaultValue": "" + }, + "authenticationType": { + "type": "string", + "allowedValues": [ + "password", + "sshPublicKey" + ], + "defaultValue": "password", + "metadata": { + "description": "Authentication type" + } + }, + "sshPublicKey": { + 
"type": "string", + "defaultValue": "", + "metadata": { + "description": "Administrator SSH public key" + } + }, + "vmName": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "Name of the Check Point Security Gateway scale set" + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_D3_v2", + "metadata": { + "description": "Size of the VM" + } + }, + "adminShell": { + "type": "string", + "defaultValue": "/etc/cli.sh", + "allowedValues": [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh" + ], + "metadata": { + "Description": "The default shell for the admin user" + } + }, + "sicKey": { + "type": "securestring", + "metadata": { + "description": "One time key for Secure Internal Communication" + } + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "[concat(resourceGroup().name, '-vnet')]" + }, + "virtualNetworkAddressPrefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the virtual network" + }, + "defaultValue": "10.0.0.0/16" + }, + "virtualNetworkIpv6AddressPrefix": { + "type": "string", + "metadata": { + "description": "The IPv6 address prefix of the virtual network" + }, + "defaultValue": "ace:cab:deca::/48" + }, + "subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the frontend subnet" + }, + "defaultValue": "Frontend" + }, + "subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the frontend subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "Subnet1Ipv6Prefix": { + "type": "string", + "metadata": { + "description": "The IPv6 address prefix of the 1st subnet" + }, + "defaultValue": "ace:cab:deca:deed::/64" + }, + "subnet2Name": { + "type": "string", + "metadata": { + "description": "The name of the backend subnet" + }, + "defaultValue": "Backend" + }, + "subnet2Prefix": { + "type": "string", + 
"metadata": { + "description": "The address prefix of the backend subnet" + }, + "defaultValue": "10.0.2.0/24" + }, + "Subnet2Ipv6Prefix": { + "type": "string", + "metadata": { + "description": "The IPv6 address prefix of the 2nd subnet" + }, + "defaultValue": "ace:cab:deca:deee::/64" + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "new", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "[resourceGroup().name]" + }, + "bootstrapScript": { + "type": "string", + "metadata": { + "description": "Bootstrap script" + }, + "defaultValue": "" + }, + "allowDownloadFromUploadToCheckPoint": { + "type": "string", + "allowedValues": [ + "true", + "false" + ], + "defaultValue": "true", + "metadata": { + "description": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + } + }, + "instanceLevelPublicIP": { + "type": "string", + "allowedValues": [ + "no", + "yes" + ], + "defaultValue": "no", + "metadata": { + "description": "Deploy the VMSS with instance level Public IP address" + } + }, + "mgmtInterfaceOpt1": { + "type": "string", + "allowedValues": [ + "eth0-public", + "eth0-private", + "eth1-private" + ], + "defaultValue": "eth1-private", + "metadata": { + "description": "Manage the Gateways in the Scale Set via the instance's external (eth0) or internal (eth1) NIC's private IP address." + } + }, + "mgmtInterfaceOpt2": { + "type": "string", + "allowedValues": [ + "eth0-private", + "eth1-private" + ], + "defaultValue": "eth1-private", + "metadata": { + "description": "Manage the Gateways in the Scale Set via the instance's external (eth0) or internal (eth1) NIC's private IP address." 
+ } + }, + "mgmtIpAddress": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "The IP address used to manage the VMSS instances." + } + }, + "additionalDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "metadata": { + "description": "Amount of additional disk space (in GB), not relevant for R81.20 and below" + }, + "minValue": 0, + "maxValue": 3995 + }, + "diskType": { + "type": "string", + "defaultValue": "Standard_LRS", + "metadata": { + "description": "The type of the OS disk. Premium is applicable only to DS machine sizes" + }, + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ] + }, + "sourceImageVhdUri": { + "type": "string", + "defaultValue": "noCustomUri", + "metadata": { + "description": "The URI of the blob containing the development image" + } + }, + "availabilityZonesNum": { + "type": "int", + "allowedValues": [ + 0, + 1, + 2, + 3 + ], + "defaultValue": 0, + "metadata": { + "description": "The number of availability zones" + } + }, + "_artifactsLocation": { + "type": "string", + "metadata": { + "description": "The base URI where artifacts required by this template are located including a trailing '/'" + }, + "defaultValue": "https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/" + }, + "_artifactsLocationSasToken": { + "type": "securestring", + "metadata": { + "description": "The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. Use the defaultValue if the staging location is not secured." 
+ }, + "defaultValue": "" + }, + "customMetrics": { + "type": "string", + "allowedValues": [ + "no", + "yes" + ], + "defaultValue": "yes", + "metadata": { + "Description": "Indicates whether Custom Metrics will be used for VMSS Scaling policy and VM monitoring" + } + }, + "rbacGuid": { + "type": "string", + "defaultValue": "[newGuid()]" + }, + "tagsByResource": { + "type": "object", + "defaultValue": {} + }, + "deployNewNSG": { + "type": "bool", + "defaultValue": true + }, + "ExistingNSG": { + "type": "object", + "defaultValue": {} + }, + "NewNsgName": { + "type": "string", + "defaultValue": "default-nsg" + }, + "addStorageAccountIpRules": { + "type": "bool", + "metadata": { + "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled" + }, + "defaultValue": false + }, + "storageAccountAdditionalIps": { + "type": "array", + "metadata": { + "description": "IPs/CIDRs that are allowed access to the Storage Account" + }, + "defaultValue": [] + } + }, + "variables": { + "vnetv4AddressRange": "[parameters('virtualNetworkAddressPrefix')]", + "vnetv6AddressRange": "[parameters('virtualNetworkIPv6AddressPrefix')]", + "subnetv4AddressRange": "[parameters('Subnet1Prefix')]", + "subnet2v4AddressRange": "[parameters('Subnet2Prefix')]", + "subnetv6AddressRange": "[parameters('Subnet1IPv6Prefix')]", + "subnet2v6AddressRange": "[parameters('Subnet2IPv6Prefix')]", + "virtualNetworkName": "[parameters('virtualNetworkName')]", + "subnetName": "[parameters('Subnet1Name')]", + "subnet2Name": "[parameters('Subnet2Name')]", + "resourceGroup": "[resourceGroup()]", + "templateName": "vmss-v2", + "templateVersion": "20240716", + "location": "[parameters('location')]", + "subnet-id": "[resourceId(parameters('virtualNetworkExistingRGName'), 
'Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworkName'), variables('subnetName'))]", + "subnet2-id": "[resourceId(parameters('virtualNetworkExistingRGName'), 'Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworkName'), variables('subnet2Name'))]", + "VMSSFrontend": "VMSS-Frontend", + "VMSSBackend": "VMSS-Backend", + "offers": { + "R81.10 - Bring Your Own License": "BYOL", + "R81.10 - Pay As You Go (NGTP)": "NGTP", + "R81.10 - Pay As You Go (NGTX)": "NGTX", + "R81.20 - Bring Your Own License": "BYOL", + "R81.20 - Pay As You Go (NGTP)": "NGTP", + "R81.20 - Pay As You Go (NGTX)": "NGTX" + }, + "offer": "[variables('offers')[parameters('cloudGuardVersion')]]", + "osVersions": { + "R81.10 - Bring Your Own License": "R8110", + "R81.10 - Pay As You Go (NGTP)": "R8110", + "R81.10 - Pay As You Go (NGTX)": "R8110", + "R81.20 - Bring Your Own License": "R8120", + "R81.20 - Pay As You Go (NGTP)": "R8120", + "R81.20 - Pay As You Go (NGTX)": "R8120" + }, + "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", + "SerialConsoleGeographies": { + "eastasia": [ + "20.205.69.28", + "20.195.85.180" + ], + "southeastasia": [ + "20.205.69.28", + "20.195.85.180" + ], + "australiacentral": [ + "20.53.53.224", + "20.70.222.112" + ], + "australiacentral2": [ + "20.53.53.224", + "20.70.222.112" + ], + "australiaeast": [ + "20.53.53.224", + "20.70.222.112" + ], + "australiasoutheast": [ + "20.53.53.224", + "20.70.222.112" + ], + "brazilsouth": [ + "91.234.136.63", + "20.206.0.194" + ], + "brazilsoutheast": [ + "91.234.136.63", + "20.206.0.194" + ], + "canadacentral": [ + "52.228.86.177", + "52.242.40.90" + ], + "canadaeast": [ + "52.228.86.177", + "52.242.40.90" + ], + "northeurope": [ + "52.146.139.220", + "20.105.209.72" + ], + "westeurope": [ + "52.146.139.220", + "20.105.209.72" + ], + "francecentral": [ + "20.111.0.244", + "52.136.191.10" + ], + "francesouth": [ + "20.111.0.244", + "52.136.191.10" + ], + "germanynorth": [ + 
"51.116.75.88", + "20.52.95.48" + ], + "germanywestcentral": [ + "51.116.75.88", + "20.52.95.48" + ], + "centralindia": [ + "20.192.168.150", + "20.192.153.104" + ], + "southindia": [ + "20.192.168.150", + "20.192.153.104" + ], + "westindia": [ + "20.192.168.150", + "20.192.153.104" + ], + "japaneast": [ + "20.43.70.205", + "20.189.228.222" + ], + "japanwest": [ + "20.43.70.205", + "20.189.228.222" + ], + "koreacentral": [ + "20.200.196.96", + "52.147.119.29" + ], + "koreasouth": [ + "20.200.196.96", + "52.147.119.29" + ], + "norwaywest": [ + "20.100.1.184", + "51.13.138.76" + ], + "norwayeast": [ + "20.100.1.184", + "51.13.138.76" + ], + "switzerlandnorth": [ + "20.208.4.98", + "51.107.251.190" + ], + "switzerlandwest": [ + "20.208.4.98", + "51.107.251.190" + ], + "uaecentral": [ + "20.45.95.66", + "20.38.141.5" + ], + "uaenorth": [ + "20.45.95.66", + "20.38.141.5" + ], + "uksouth": [ + "20.90.132.144", + "20.58.68.62" + ], + "ukwest": [ + "20.90.132.144", + "20.58.68.62" + ], + "swedencentral": [ + "51.12.72.223", + "51.12.22.174" + ], + "swedensouth": [ + "51.12.72.223", + "51.12.22.174" + ], + "centralus": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "eastus2": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "eastus": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "northcentralus": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "southcentralus": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "westus2": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "westus3": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "westcentralus": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "westus": [ + "20.98.146.84", + "20.98.194.64", + "20.69.5.162", + "20.83.222.102" + ], + "eastus2euap": [ + "20.45.242.18", + 
"20.51.21.252" + ], + "centraluseuap": [ + "20.45.242.18", + "20.51.21.252" + ] + }, + "serialConsoleIps": "[if(contains(variables('serialConsoleGeographies'),variables('location')),variables('serialConsoleGeographies')[variables('location')],createArray())]", + "storageAccountIps": "[concat(variables('SerialConsoleIps'),parameters('storageAccountAdditionalIps'))]", + "isBlink": true, + "storageAccountName": "[concat('bootdiag', uniqueString(variables('resourceGroup').id, deployment().name))]", + "storageAccountType": "Standard_LRS", + "diskSize100GB": 100, + "additionalDiskSizeGB": "[if(contains('R8110 R8120', variables('osVersion')), 0, parameters('additionalDiskSizeGB'))]", + "diskSizeGB": "[add(variables('additionalDiskSizeGB'), variables('diskSize100GB'))]", + "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'customMetrics=\"', variables('customMetrics'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n')]", + "imageOffer": "[concat('check-point-cg-', toLower(variables('osVersion')))]", + "imagePublisher": "checkpoint", + "imageReferenceBYOL": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-byol", + "version": "latest" + }, + "imageReferenceNGTP": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp", + "version": "latest" + }, + "imageReferenceNGTP-V2": { + "offer": "[variables('imageOffer')]", + 
"publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp-v2", + "version": "latest" + }, + "imageReferenceNGTX": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtx", + "version": "latest" + }, + "imageReferenceNGTX-V2": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtx-v2", + "version": "latest" + }, + "imageReferenceMarketplace": "[if(equals(variables('offer'), 'BYOL'), variables('imageReferenceBYOL'), if(equals(variables('offer'), 'NGTP'), variables('imageReferenceNGTP'), if(equals(variables('offer'), 'NGTP-V2'), variables('imageReferenceNGTP-V2'), if(equals(variables('offer'), 'NGTX'), variables('imageReferenceNGTX'), if(equals(variables('offer'), 'NGTX-V2'), variables('imageReferenceNGTX-V2'), json('null'))))))]", + "customImage": "customImage", + "imageReferenceCustomUri": { + "id": "[resourceId('Microsoft.Compute/images', variables('customImage'))]" + }, + "imageReference": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('imageReferenceMarketplace'), variables('imageReferenceCustomUri'))]", + "linuxConfigurationpassword": { + "disablePasswordAuthentication": "false" + }, + "linuxConfigurationsshPublicKey": { + "disablePasswordAuthentication": "true", + "ssh": { + "publicKeys": [ + { + "keyData": "[parameters('sshPublicKey')]", + "path": "/home/notused/.ssh/authorized_keys" + } + ] + } + }, + "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), variables('linuxConfigurationpassword'), variables('linuxConfigurationsshPublicKey'))]", + "planBYOL": { + "name": "sg-byol", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP": { + "name": "sg-ngtp", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP-V2": { + "name": "sg-ngtp-v2", + "product": "[variables('imageOffer')]", + "publisher": 
"[variables('imagePublisher')]" + }, + "planNGTX": { + "name": "sg-ngtx", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTX-V2": { + "name": "sg-ngtx-v2", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "plan": "[if(equals(variables('offer'), 'BYOL') , variables('planBYOL'), if(equals(variables('offer'), 'NGTP'), variables('planNGTP'), if(equals(variables('offer'), 'NGTP-V2'), variables('planNGTP-V2'), if(equals(variables('offer'), 'NGTX'), variables('planNGTX'), if(equals(variables('offer'), 'NGTX-V2'), variables('planNGTX-V2'), json('null'))))))]", + "vmssID": "[resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('vmName'))]", + "bootstrapScript64": "[base64(parameters('bootstrapScript'))]", + "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]", + "sicKey": "[parameters('sicKey')]", + "installationType": "vmss", + "publicIPProperties": { + "name": "instancePublicIP", + "properties": { + "idleTimeoutInMinutes": 15 + } + }, + "networkSetupURL": "[uri(parameters('_artifactsLocation'), concat('nestedtemplates/vnet-2-subnet-ha-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]", + "azureFunctionSetupURL": "[uri(parameters('_artifactsLocation'), concat('nestedtemplates/azure-func-sami.json', parameters('_artifactsLocationSasToken')))]", + "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]", + "customImageId": "[variables('imageReferenceCustomUri').id]", + "availabilityZonesLocations": [ + "brazilsouth", + "canadacentral", + "centralus", + "eastus", + "eastus2", + "southcentralus", + "usgovvirginia", + "westus2", + "westus3", + "francecentral", + "germanywestcentral", + "northeurope", + "norwayeast", + "uksouth", + "westeurope", + "swedencentral", + "switzerlandnorth", + "qatarcentral", + "uaenorth", + "southafricanorth", + 
"australiaeast", + "centralindia", + "japaneast", + "koreacentral", + "southeastasia", + "eastasia", + "italynorth" + ], + "availabilityZonesProperty": "[range(1, parameters('availabilityZonesNum'))]", + "mgmtInterface": "[if(equals(parameters('instanceLevelPublicIP'), 'yes'), parameters('mgmtInterfaceOpt1'), parameters('mgmtInterfaceOpt2'))]", + "mgmtIpAddressType": "[split(variables('mgmtInterface'), '-')[1]]", + "mgmtInterfaceName": "[split(variables('mgmtInterface'), '-')[0]]", + "mgmtIPaddress": "[if(equals(variables('mgmtInterfaceName'), 'eth0'), parameters('mgmtIpAddress'), '')]", + "commomTags": { + "x-chkp-management": "[parameters('managementServer')]", + "x-chkp-template": "[parameters('configurationTemplate')]", + "x-chkp-ip-address": "[variables('mgmtIpAddressType')]", + "x-chkp-management-interface": "[variables('mgmtInterfaceName')]", + "x-chkp-topology": "eth0:external,eth1:internal", + "x-chkp-anti-spoofing": "eth0:false,eth1:false", + "x-chkp-srcImageUri": "[parameters('sourceImageVhdUri')]" + }, + "uniqueTags": { + "x-chkp-management-address": "[variables('mgmtIPaddress')]" + }, + "vmssTags": "[if(equals(variables('mgmtIPaddress'), ''), variables('commomTags'), union(variables('commomTags'), variables('uniqueTags')))]", + "dnsZoneResourceId": "[parameters('dnsZoneResourceId')]", + "dnsZoneRecordSetName": "[parameters('dnsZoneRecordSetName')]", + "numberOfRecordSetEntries": "20", + "customMetrics": "[parameters('customMetrics')]", + "monitoringMetricsPublisher": "[concat('/subscriptions/', parameters('subscriptionId'), '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", + "identity": "[json('{\"type\": \"SystemAssigned\"}')]", + "NewNsgReference": { + "id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('NewNsgName'))]" + } + }, + "resources": [ + { + "apiVersion": "2021-01-01", + "name": "pid-23952014-097a-4aed-ade6-0d4b5c278517", + "type": "Microsoft.Resources/deployments", + 
"properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "apiVersion": "2020-05-01", + "type": "Microsoft.Network/publicIPAddresses", + "name": "lbpublicip-v4", + "location": "[parameters('location')]", + "sku": { + "name": "Standard" + }, + "properties": { + "publicIPAllocationMethod": "Static" + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/publicIPAddresses'), parameters('tagsByResource')['Microsoft.Network/publicIPAddresses'], json('{}')) ]" + }, + { + "apiVersion": "2020-05-01", + "type": "Microsoft.Network/publicIPAddresses", + "name": "lbpublicip-v6", + "location": "[parameters('location')]", + "sku": { + "name": "Standard" + }, + "properties": { + "publicIPAllocationMethod": "Static", + "publicIPAddressVersion": "IPv6" + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/publicIPAddresses'), parameters('tagsByResource')['Microsoft.Network/publicIPAddresses'], json('{}')) ]" + }, + { + "apiVersion": "2020-05-01", + "name": "frontend-lb", + "type": "Microsoft.Network/loadBalancers", + "location": "[parameters('location')]", + "sku": { + "name": "Standard" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/publicIPAddresses','lbpublicip-v4')]", + "[resourceId('Microsoft.Network/publicIPAddresses','lbpublicip-v6')]" + ], + "properties": { + "frontendIpConfigurations": [ + { + "name": "LB-v4", + "properties": { + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses', 'lbpublicip-v4')]" + } + } + }, + { + "name": "LB-v6", + "properties": { + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses','lbpublicip-v6')]" + } + } + } + ], + "backendAddressPools": [ + { + "name": "frontend-LBBAP-v4" + }, + { + "name": "frontend-LBBAP-v6" + } + ], + "loadBalancingRules": [ + { + "properties": { + 
"frontendIPConfiguration": { + "id": "[resourceId('Microsoft.Network/loadBalancers/frontendIpConfigurations', 'frontend-lb', 'LB-v4')]" + }, + "backendAddressPool": { + "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', 'frontend-lb', 'frontend-LBBAP-v4')]" + }, + "probe": { + "id": "[resourceId('Microsoft.Network/loadBalancers/probes', 'frontend-lb', 'lb-probe')]" + }, + "protocol": "Tcp", + "frontendPort": 443, + "backendPort": 443, + "idleTimeoutInMinutes": 4 + }, + "name": "frontend-lb-rule-v4" + }, + { + "properties": { + "frontendIPConfiguration": { + "id": "[resourceId('Microsoft.Network/loadBalancers/frontendIpConfigurations', 'frontend-lb', 'LB-v6')]" + }, + "backendAddressPool": { + "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', 'frontend-lb', 'frontend-LBBAP-v6')]" + }, + "probe": { + "id": "[resourceId('Microsoft.Network/loadBalancers/probes', 'frontend-lb', 'lb-probe')]" + }, + "protocol": "Tcp", + "frontendPort": 443, + "backendPort": 443 + }, + "name": "frontend-lb-rule-v6" + } + ], + "probes": [ + { + "properties": { + "protocol": "Tcp", + "port": 22, + "intervalInSeconds": 5, + "numberOfProbes": 2 + }, + "name": "lb-probe" + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/loadBalancers'), parameters('tagsByResource')['Microsoft.Network/loadBalancers'], json('{}')) ]" + }, + { + "apiVersion": "2021-01-01", + "name": "backend-lb", + "type": "Microsoft.Network/loadBalancers", + "location": "[parameters('location')]", + "sku": { + "name": "Standard" + }, + "dependsOn": [ + "[coalesce(resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworkName')), resourceId('Microsoft.Resources/deployments', 'networkExistingSetup'))]" + ], + "properties": { + "frontendIpConfigurations": [ + { + "name": "LB-v4", + "properties": { + "subnet": { + "id": "[variables('subnet2-id')]" + } + } + } + ], + "backendAddressPools": [ + { + "name": "backend-LBBAP-v4" + } + ], + 
"loadBalancingRules": [ + { + "properties": { + "frontendIPConfiguration": { + "id": "[resourceId('Microsoft.Network/loadBalancers/frontendIpConfigurations', 'backend-lb', 'LB-v4')]" + }, + "backendAddressPool": { + "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', 'backend-lb', 'backend-LBBAP-v4')]" + }, + "probe": { + "id": "[resourceId('Microsoft.Network/loadBalancers/probes', 'backend-lb', 'lb-probe')]" + }, + "protocol": "Tcp", + "frontendPort": 443, + "backendPort": 443, + "idleTimeoutInMinutes": 4 + }, + "name": "backend-lb-rule-v4" + } + ], + "probes": [ + { + "properties": { + "protocol": "Tcp", + "port": 22, + "intervalInSeconds": 5, + "numberOfProbes": 2 + }, + "name": "lb-probe" + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/loadBalancers'), parameters('tagsByResource')['Microsoft.Network/loadBalancers'], json('{}')) ]" + }, + { + "condition": "[equals(parameters('vnetNewOrExisting'), 'new')]", + "type": "Microsoft.Network/routeTables", + "name": "[variables('VMSSBackend')]", + "apiVersion": "2021-03-01", + "location": "[parameters('location')]", + "properties": { + "disableBgpRoutePropagation": false, + "routes": [ + { + "name": "To-Internet", + "properties": { + "addressPrefix": "0.0.0.0/0", + "nextHopType": "None" + } + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/routeTables'), parameters('tagsByResource')['Microsoft.Network/routeTables'], json('{}')) ]" + }, + { + "condition": "[equals(parameters('vnetNewOrExisting'), 'new')]", + "type": "Microsoft.Network/routeTables", + "name": "[variables('VMSSFrontend')]", + "apiVersion": "2021-03-01", + "location": "[parameters('location')]", + "properties": { + "disableBgpRoutePropagation": false, + "routes": [ + { + "name": "Local-Subnet-v6", + "properties": { + "addressPrefix": "[parameters('Subnet1IPv6Prefix')]", + "nextHopType": "VnetLocal" + } + }, + { + "name": "Local-Subnet-v4", + "properties": { + 
"addressPrefix": "[variables('subnetv4AddressRange')]", + "nextHopType": "VnetLocal" + } + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/routeTables'), parameters('tagsByResource')['Microsoft.Network/routeTables'], json('{}')) ]" + }, + { + "condition": "[equals(parameters('vnetNewOrExisting'), 'new')]", + "apiVersion": "2021-03-01", + "type": "Microsoft.Network/virtualNetworks", + "name": "[variables('virtualNetworkName')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/routeTables', variables('VMSSFrontend'))]", + "[resourceId('Microsoft.Network/routeTables', variables('VMSSBackend'))]" + ], + "properties": { + "dhcpOptions": { + "dnsServers": [ + "cafe:43::", + "cafe:45::" + ] + }, + "addressSpace": { + "addressPrefixes": [ + "[variables('vnetv4AddressRange')]", + "[variables('vnetv6AddressRange')]" + ] + }, + "subnets": [ + { + "name": "[variables('subnetName')]", + "properties": { + "addressPrefixes": [ + "[variables('subnetv4AddressRange')]", + "[variables('subnetv6AddressRange')]" + ], + "routeTable": { + "id": "[resourceId('Microsoft.Network/routeTables', variables('VMSSFrontend'))]" + } + } + }, + { + "name": "[variables('subnet2Name')]", + "properties": { + "addressPrefixes": [ + "[variables('subnet2v4AddressRange')]", + "[variables('subnet2v6AddressRange')]" + ], + "routeTable": { + "id": "[resourceId('Microsoft.Network/routeTables', variables('VMSSBackend'))]" + } + } + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/virtualNetworks'), parameters('tagsByResource')['Microsoft.Network/virtualNetworks'], json('{}')) ]" + }, + { + "condition": "[equals(variables('customMetrics'), 'yes')]", + "apiVersion": "2020-04-01-preview", + "type": "Microsoft.Authorization/roleAssignments", + "name": "[parameters('rbacGuid')]", + "properties": { + "roleDefinitionId": "[variables('monitoringMetricsPublisher')]", + "principalId": 
"[reference(variables('vmssID'), '2021-03-01', 'Full').identity.principalId]", + "scope": "[resourceGroup().id]" + }, + "dependsOn": [ + "[variables('vmssID')]" + ], + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Authorization/roleAssignments'), parameters('tagsByResource')['Microsoft.Authorization/roleAssignments'], json('{}')) ]" + }, + { + "condition": "[equals(parameters('vnetNewOrExisting'), 'existing')]", + "name": "networkExistingSetup", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-01-01", + "resourceGroup": "[parameters('virtualNetworkExistingRGName')]", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + "value": "[variables('location')]" + }, + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + "virtualNetworkExistingRGName": { + "value": "[parameters('virtualNetworkExistingRGName')]" + }, + "vmName": { + "value": "[parameters('vmName')]" + }, + "deployNsg": { + "value": "[parameters('deployNewNSG')]" + }, + "NewNsgName": { + "value": "[parameters('NewNsgName')]" + }, + "tagsByResource": { + "value": "[parameters('tagsByResource')]" + } + } + } + }, + { + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('storageAccountName')]", + "apiVersion": "2021-06-01", + "properties": { + "supportsHttpsTrafficOnly": true, + "allowBlobPublicAccess": false, + "minimumTlsVersion": "TLS1_2", + "networkAcls": { + "bypass": "None", + "defaultAction": "[if(parameters('addStorageAccountIpRules'), 'Deny', 'Allow')]", + "ipRules": "[if(parameters('addStorageAccountIpRules'), map(variables('storageAccountIps'), lambda('ip',createObject('action','Allow','value',lambdaVariables('ip')))), createArray())]" + } + }, + "location": "[variables('location')]", + "sku": { + "name": "[variables('storageAccountType')]" + }, + "kind": "Storage", + "tags": "[ 
if(contains(parameters('tagsByResource'), 'Microsoft.Storage/storageAccounts'), parameters('tagsByResource')['Microsoft.Storage/storageAccounts'], json('{}')) ]" + }, + { + "condition": "[not(equals(parameters('sourceImageVhdUri'), 'noCustomUri'))]", + "type": "Microsoft.Compute/images", + "apiVersion": "2021-07-01", + "name": "[variables('customImage')]", + "location": "[variables('resourceGroup').location]", + "properties": { + "storageProfile": { + "osDisk": { + "osType": "Linux", + "osState": "Generalized", + "blobUri": "[parameters('sourceImageVhdUri')]", + "storageAccountType": "Standard_LRS" + } + } + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Compute/images'), parameters('tagsByResource')['Microsoft.Compute/images'], json('{}')) ]" + }, + { + "type": "Microsoft.Network/networkSecurityGroups", + "condition": "[and(parameters('deployNewNSG'),equals(parameters('vnetNewOrExisting'), 'new'))]", + "apiVersion": "2020-06-01", + "location": "[parameters('location')]", + "name": "[parameters('NewNsgName')]", + "properties": { + "securityRules": [ + { + "name": "AllowAllInBound", + "properties": { + "description": "Allow all inbound connections", + "protocol": "*", + "sourcePortRange": "*", + "destinationPortRange": "*", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "100", + "direction": "Inbound" + } + } + ] + } + }, + { + "type": "Microsoft.Compute/virtualMachineScaleSets", + "apiVersion": "2021-07-01", + "name": "[parameters('vmName')]", + "location": "[variables('location')]", + "identity": "[if(equals(variables('customMetrics'), 'yes'), variables('identity'), json('null'))]", + "zones": "[if(and(contains(variables('availabilityZonesLocations'), variables('location')), greater(parameters('availabilityZonesNum'), 0)), variables('availabilityZonesProperty'), json('null'))]", + "tags": "[union(variables('vmssTags'),if(contains(parameters('tagsByResource'), 
'Microsoft.Compute/virtualMachineScaleSets'), parameters('tagsByResource')['Microsoft.Compute/virtualMachineScaleSets'], json('{}')))]", + "dependsOn": [ + "[coalesce(resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworkName')), resourceId('Microsoft.Resources/deployments', 'networkExistingSetup'))]", + "[resourceId('Microsoft.Network/loadBalancers','frontend-lb')]", + "[resourceId('Microsoft.Network/loadBalancers','backend-lb')]", + "[variables('storageAccountId')]", + "[variables('customImageId')]" + ], + "sku": { + "name": "[parameters('vmSize')]", + "tier": "Standard", + "capacity": "[parameters('instanceCount')]" + }, + "plan": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('plan'), json('null'))]", + "properties": { + "upgradePolicy": { + "mode": "Manual" + }, + "virtualMachineProfile": { + "UserData": "[base64(concat(variables('customData'), '\n', 'vnet=\"', if(equals(parameters('vnetNewOrExisting'), 'new'), split(parameters('virtualNetworkAddressPrefix'), '.')[0], reference('networkExistingSetup').outputs.vnetAddressPrefixes.value[0]), '\"', '\n' ))]", + "storageProfile": { + "osDisk": { + "diskSizeGB": "[variables('diskSizeGB')]", + "caching": "ReadWrite", + "createOption": "FromImage", + "managedDisk": { + "storageAccountType": "[parameters('diskType')]" + } + }, + "imageReference": "[variables('imageReference')]" + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "[concat('not','used')]", + "computerNamePrefix": "[toLower(parameters('vmName'))]", + "customData": "[base64(concat(variables('customData'), '\n', 'vnet=\"', if(equals(parameters('vnetNewOrExisting'), 'new'), split(parameters('virtualNetworkAddressPrefix'), '.')[0], reference('networkExistingSetup').outputs.vnetAddressPrefixes.value[0]), '\"', '\n' ))]", + "linuxConfiguration": "[variables('linuxConfiguration')]" + }, + "networkProfile": { + "networkInterfaceConfigurations": [ + { + "name": "eth0", + 
"properties": { + "primary": true, + "enableIPForwarding": true, + "enableAcceleratedNetworking": true, + "networkSecurityGroup": "[if(parameters('deployNewNSG') , variables('NewNsgReference') , parameters('ExistingNSG'))]", + "ipConfigurations": [ + { + "name": "ipconfig1IPV6", + "properties": { + "primary": true, + "subnet": { + "id": "[variables('subnet-id')]" + }, + "privateIPAddressVersion": "IPv6", + "loadBalancerBackendAddressPools": [ + { + "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', 'frontend-lb', 'frontend-LBBAP-v6')]" + } + ] + } + }, + { + "name": "ipconfig1", + "properties": { + "primary": false, + "privateIPAddressVersion": "IPv4", + "publicIpAddressConfiguration": "[if(equals(parameters('instanceLevelPublicIP'),'yes'), variables('publicIPProperties'), json('null'))]", + "subnet": { + "id": "[variables('subnet-id')]" + }, + "loadBalancerBackendAddressPools": [ + { + "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', 'frontend-lb', 'frontend-LBBAP-v4')]" + } + ] + } + } + ] + } + }, + { + "name": "eth1", + "properties": { + "primary": false, + "enableIPForwarding": true, + "enableAcceleratedNetworking": true, + "ipConfigurations": [ + { + "name": "ipconfig2IPV6", + "properties": { + "primary": true, + "subnet": { + "id": "[variables('subnet2-id')]" + }, + "privateIPAddressVersion": "IPv6" + } + }, + { + "name": "ipconfig2", + "properties": { + "subnet": { + "id": "[variables('subnet2-id')]" + } + } + } + ] + } + } + ] + }, + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": "true", + "storageUri": "[reference(variables('storageAccountId'), '2021-06-01').primaryEndpoints.blob]" + } + } + }, + "overprovision": false + } + }, + { + "type": "Microsoft.Insights/autoscaleSettings", + "apiVersion": "2015-04-01", + "name": "[parameters('vmName')]", + "location": "[variables('location')]", + "dependsOn": [ + "[variables('vmssID')]" + ], + "properties": { + "name": "[parameters('vmName')]", + 
"targetResourceUri": "[variables('vmssID')]", + "notifications": [ + { + "operation": "Scale", + "email": { + "sendToSubscriptionAdministrator": false, + "sendToSubscriptionCoAdministrators": false, + "customEmails": "[if(empty(parameters('adminEmail')), json('null'), array(parameters('adminEmail')))]" + } + } + ], + "enabled": true, + "profiles": [ + { + "name": "Profile1", + "capacity": { + "minimum": "[parameters('instanceCount')]", + "maximum": "[parameters('maxInstanceCount')]", + "default": "[parameters('instanceCount')]" + }, + "rules": [ + { + "metricTrigger": { + "metricName": "Percentage CPU", + "metricResourceUri": "[variables('vmssID')]", + "timeGrain": "PT1M", + "statistic": "Average", + "timeWindow": "PT5M", + "timeAggregation": "Average", + "operator": "GreaterThan", + "threshold": 80 + }, + "scaleAction": { + "direction": "Increase", + "type": "ChangeCount", + "value": "1", + "cooldown": "PT5M" + } + }, + { + "metricTrigger": { + "metricName": "Percentage CPU", + "metricResourceUri": "[variables('vmssID')]", + "timeGrain": "PT1M", + "statistic": "Average", + "timeWindow": "PT5M", + "timeAggregation": "Average", + "operator": "LessThan", + "threshold": 60 + }, + "scaleAction": { + "direction": "Decrease", + "type": "ChangeCount", + "value": "1", + "cooldown": "PT5M" + } + } + ] + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Insights/autoscaleSettings'), parameters('tagsByResource')['Microsoft.Insights/autoscaleSettings'], json('{}')) ]" + } + ] +} \ No newline at end of file diff --git a/azure/templates/vwan-managed-app/README.md b/azure/templates/vwan-managed-app/README.md new file mode 100644 index 00000000..293238e2 --- /dev/null +++ b/azure/templates/vwan-managed-app/README.md 
@@ -0,0 +1,85 @@ +# Check Point CloudGuard Network Security for Azure Virtual WAN + + +Microsoft Azure Virtual WAN is a networking service that enables customers to easily establish optimized large-scale branch connectivity with Azure and the Microsoft global network, providing automated branch-to-branch connectivity. + + +## Image version +To retrieve the image version, perform an API GET call using the following URLs: + +For Security Enforcement (NGTP) license: +``` +https://management.azure.com/subscriptions/{subscription_id}/providers/Microsoft.Network/networkVirtualApplianceSkus/checkpoint?api-version=2023-05-01 +``` + +For Full Package (NGTX + S1C) license: +``` +https://management.azure.com/subscriptions/{subscription_id}/providers/Microsoft.Network/networkVirtualApplianceSkus/checkpoint-ngtx?api-version=2023-05-01 +``` + +For Full Package Premium (NGTX + S1C++) license: +``` +https://management.azure.com/subscriptions/{subscription_id}/providers/Microsoft.Network/networkVirtualApplianceSkus/checkpoint-premium?api-version=2023-05-01 +``` + + +## Output example: +``` +{ + "etag": "00000000-0000-0000-0000-000000000000", + "name": "checkpoint", + "properties": { + "availableScaleUnits": [ + { + "instanceCount": "2", + "scaleUnit": "10" + }, + { + "instanceCount": "2", + "scaleUnit": "20" + }, + { + "instanceCount": "2", + "scaleUnit": "2" + }, + { + "instanceCount": "3", + "scaleUnit": "30" + }, + { + "instanceCount": "3", + "scaleUnit": "40" + }, + { + "instanceCount": "2", + "scaleUnit": "4" + }, + { + "instanceCount": "4", + "scaleUnit": "60" + }, + { + "instanceCount": "5", + "scaleUnit": "80" + } + ], + "availableVersions": [ + "8110.900335.1522", + "8120.900631.1522", + "latest" + ], + "marketPlaceLink": "https://aka.ms/Checkpointmarketplace", + "provisioningState": "Succeeded", + "vendor": "checkpoint" + } +} +``` + +From the output, extract the desired image from the "availableVersions" section (e.g., "8120.900631.1433") + +Note: Do not use "latest" + + 
+ + Deploy to Azure + diff --git a/azure/templates/vwan-managed-app/mainTemplate.json b/azure/templates/vwan-managed-app/mainTemplate.json new file mode 100644 index 00000000..5b733a83 --- /dev/null +++ b/azure/templates/vwan-managed-app/mainTemplate.json 
@@ -0,0 +1,284 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "hubId": { + "type": "String", + "metadata": { + "description": "The Virtual Wan Hub ID. To get the Hub ID, go to your hub, click on JSON view on the right side, and copy the ID field" + } + }, + "tags": { + "defaultValue": {}, + "type": "Object" + }, + "LicenseType": { + "defaultValue": "Security Enforcement (NGTP)", + "allowedValues": [ + "Security Enforcement (NGTP)", + "Full Package (NGTX + S1C)", + "Full Package Premium (NGTX + S1C++)" + ], + "type": "String", + "metadata": { + "description": "License type of Check Point CloudGuard" + } + }, + "imageVersion": { + "defaultValue": "8120.900631.1594", + "type": "String", + "metadata": { + "description": "The image version that will be used to deploy the solution. To get the image version, make API call to https://management.azure.com/subscriptions/{subscription_id}/providers/Microsoft.Network/networkVirtualApplianceSkus/checkpoint?api-version=2023-05-01" + } + }, + "osVersion": { + "defaultValue": "R8120", + "allowedValues": [ + "R8110", + "R8120" + ], + "type": "String", + "metadata": { + "description": "GAIA OS version" + } + }, + "scaleUnit": { + "defaultValue": "2", + "allowedValues": [ + "2", + "4", + "10", + "20", + "30", + "40", + "60", + "80" + ], + "type": "String", + "metadata": { + "description": "The scale unit size to deploy" + } + }, + "bootstrapScript": { + "defaultValue": "", + "type": "String", + "metadata": { + "description": "Bootstrap script" + } + }, + "adminShell": { + "defaultValue": "/etc/cli.sh", + "allowedValues": [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh" + ], + "type": "String", + "metadata": { + "Description": "The default shell for the admin user" + } + }, + "sicKey": { + "type": "SecureString", + "metadata": { + "description": "One-time key for Secure Internal Communication" + } + }, + 
"sshPublicKey": { + "type": "SecureString", + "metadata": { + "description": "Paste an OpenSSH public key. You can generate a key pair using SSH-keygen (Linux, OS X, Cygwin) or PuttyGen (Windows)" + } + }, + "BGP": { + "defaultValue": "64512", + "type": "String", + "metadata": { + "description": "BGP ASN to peer with Azure Route Service" + } + }, + "NVAName": { + "type": "String", + "metadata": { + "description": "NVA name to deploy in the hub" + } + }, + "customMetrics": { + "defaultValue": "yes", + "allowedValues": [ + "no", + "yes" + ], + "type": "String", + "metadata": { + "Description": "Indicates whether Custom Metrics will be used for VMSS Scaling policy and VM monitoring" + } + }, + "hubASN": { + "type": "Int", + "metadata": { + "description": "ASN from the Hub. To get the Hub ASN, go to your hub, click the JSON view on the right and copy the virtualRouterAsn field" + } + }, + "hubPeers": { + "type": "Array", + "metadata": { + "description": "An array of IP addresses obtained from the Hub object. To get the Hub Peers, go to your hub, click the JSON view on the right and copy the virtualRouterIps field. 
for example:[\"10.10.32.5\",\"10.10.32.4\"]" + } + }, + "smart1CloudTokenA": { + "defaultValue": "", + "type": "SecureString" + }, + "smart1CloudTokenB": { + "defaultValue": "", + "type": "SecureString" + }, + "smart1CloudTokenC": { + "defaultValue": "", + "type": "SecureString" + }, + "smart1CloudTokenD": { + "defaultValue": "", + "type": "SecureString" + }, + "smart1CloudTokenE": { + "defaultValue": "", + "type": "SecureString" + }, + "applicationResourceName": { + "type": "String" + }, + "managedResourceGroupName": { + "type": "String", + "metadata": { + "description": "Managed app resource group Name" + } + }, + "publicIPIngress": { + "type": "string", + "allowedValues": [ + "no", + "yes" + ], + "defaultValue": "no", + "metadata": { + "description": "Use public IP for ingress traffic" + } + }, + "createNewIPIngress": { + "type": "string", + "allowedValues": [ + "no", + "yes" + ], + "defaultValue": "no", + "metadata": { + "description": "Create new public IP" + } + }, + "ipIngressExistingResourceId": { + "type": "string", + "metadata": { + "description": "The resource id of the public IP" + }, + "defaultValue": "" + } + }, + "variables": { + "managedResourceGroupId": "[concat(subscription().id, '/resourceGroups/', parameters('managedResourceGroupName'))]" + }, + "resources": [ + { + "type": "Microsoft.Solutions/applications", + "apiVersion": "2021-07-01", + "name": "[parameters('applicationResourceName')]", + "location": "[resourceGroup().location]", + "kind": "MarketPlace", + "plan": { + "name": "vwan-app", + "product": "cp-vwan-managed-app", + "publisher": "checkpoint", + "version": "1.0.14" + }, + "properties": { + "managedResourceGroupId": "[variables('managedResourceGroupId')]", + "parameters": { + "hubId": { + "value": "[parameters('hubId')]" + }, + "tags": { + "value": "[parameters('tags')]" + }, + "imageVersion": { + "value": "[parameters('imageVersion')]" + }, + "osVersion": { + "value": "[parameters('osVersion')]" + }, + "LicenseType": { + "value": 
"[parameters('LicenseType')]" + }, + "scaleUnit": { + "value": "[parameters('scaleUnit')]" + }, + "bootstrapScript": { + "value": "[parameters('bootstrapScript')]" + }, + "adminShell": { + "value": "[parameters('adminShell')]" + }, + "sicKey": { + "value": "[parameters('sicKey')]" + }, + "sshPublicKey": { + "value": "[parameters('sshPublicKey')]" + }, + "BGP": { + "value": "[parameters('BGP')]" + }, + "NVA": { + "value": "[parameters('NVAName')]" + }, + "customMetrics": { + "value": "[parameters('customMetrics')]" + }, + "location": { + "value": "[resourceGroup().location]" + }, + "hubASN": { + "value": "[parameters('hubASN')]" + }, + "hubPeers": { + "value": "[parameters('hubPeers')]" + }, + "smart1CloudTokenA": { + "value": "[parameters('smart1CloudTokenA')]" + }, + "smart1CloudTokenB": { + "value": "[parameters('smart1CloudTokenB')]" + }, + "smart1CloudTokenC": { + "value": "[parameters('smart1CloudTokenC')]" + }, + "smart1CloudTokenD": { + "value": "[parameters('smart1CloudTokenD')]" + }, + "smart1CloudTokenE": { + "value": "[parameters('smart1CloudTokenE')]" + }, + "publicIPIngress": { + "value": "[parameters('publicIPIngress')]" + }, + "createNewIPIngress": { + "value": "[parameters('createNewIPIngress')]" + }, + "ipIngressExistingResourceId": { + "value": "[parameters('ipIngressExistingResourceId')]" + } + } + } + } + ] + } diff --git a/common/central_license_debug_collector.sh b/common/central_license_debug_collector.sh new file mode 100755 index 00000000..cd3e3509 --- /dev/null +++ b/common/central_license_debug_collector.sh 
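Review bot: The `metadata` objects of `adminShell` and `customMetrics` use the key `"Description"` while every other parameter in this template uses `"description"`, and the three ingress parameters (`publicIPIngress`, `createNewIPIngress`, `ipIngressExistingResourceId`) declare `"type": "string"` where the rest use `"String"`. ARM accepts the type name in either case, but tooling that reads `metadata.description` to build the portal form may not match the capitalised key, so those two parameters would likely render without help text; change both to `"description"` and align the type spelling so the parameter block reads uniformly. The nested `Microsoft.Solutions/applications` resource forwards every parameter by name, so any later rename here has to be mirrored in that `properties.parameters` map as well.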
@@ -0,0 +1,118 @@
+#!/bin/bash
+
+# The script collects Central Licenses debug files for troubleshooting purposes.
+
+# Instructions :
+ # If you have MDS environment and uses license in domain mode - please run the script with -d
+ # If your environment acceseses the internet using a configured proxy - please run the script with -p
+ # Otherwise , run the script directly .
+
+# Written by: Check Point Software Technologies LTD.
+# For additional information please refer to CloudGuard Network Central License Tool Administration Guide.
+
+
+# Licenses_Collector - version 5
+
+usage()
+{
+ echo "Usage: `basename $0` [-p IP_or_HostName:port] [-d domain] [-h]"
+ echo "output_file: Will be a tar.gz file"
+ echo "proxy: To be used when checking connectivity with usercenter only"
+ echo "domain: To be used only on MDS environment. The domain name taken from 'mdsstat'"
+}
+
+while getopts "p:d:h" opt; do
+ case "$opt" in
+ d)
+ DOMAIN_NAME="$OPTARG"
+ ;;
+ p)
+ PROXY_PORT="$OPTARG"
+ ;;
+ h)
+ usage
+ exit 0
+ ;;
+ *)
+ usage
+ exit 1
+ esac
+done
+
+
+BASEPATH=$VSECDIR
+TMPPATH=$BASEPATH/tmp
+OUTPUTFILE_NAME=vsec___data.tar
+CURL_CLI=curl_cli
+USERCENTER=https://usercenter.CheckPoint.com
+
+log_msg()
+{
+ echo "$(date) $1"
+}
+
+log_msg "Starting"
+log_msg " Creating $TMPPATH"
+\rm -rf $TMPPATH
+mkdir -p $TMPPATH
+
+if [ -n "$DOMAIN_NAME" ]; then
+ log_msg " switch to domain env"
+ . $MDSDIR/scripts/MDSprofile.sh && mdsenv "$DOMAIN_NAME"
+fi
+
+# checking if there's connectivity with userCenter and if TCP port 18208 is open
+log_msg " Checking if TCP port 18208 is open and accessible"
+printf " Checking TCP port \n\n" >> $TMPPATH/Sync
+netstat -na | grep "18208" >> $TMPPATH/Sync
+printf "\n\n" >> $TMPPATH/Sync
+
+
+printf " Checking connecitivty with userCenter\n\n" >> $TMPPATH/Sync
+
+if [ -n "$PROXY_PORT" ]; then
+ log_msg " Checking connecitivty with userCenter using proxy"
+ $CURL_CLI --proxy $PROXY_PORT -v -k $USERCENTER &>> $TMPPATH/Sync
+else
+ log_msg " Checking connecitivty with userCenter without using proxy"
+ $CURL_CLI -v -k $USERCENTER &>> $TMPPATH/Sync
+fi
+
+printf "the exit code is : %s\n" $? >> $TMPPATH/Sync
+
+# Collect server logs (cpm.elg*) data
+log_msg " Copying $MDS_FWDIR/log/cpm.elg* into $TMPPATH"
+cp $MDS_FWDIR/log/cpm.elg* $TMPPATH
+
+if [ -f "$MDS_FWDIR/log/alignLicensesInDB.elg" ]; then
+ log_msg " Copying $MDS_FWDIR/log/alignLicensesInDB.elg into $TMPPATH"
+ cp $MDS_FWDIR/log/alignLicensesInDB.elg $TMPPATH
+fi
+
+#Collect client logs (vseclic.elg*) data
+log_msg " Copying $MDS_FWDIR/log/vseclic.elg* into $TMPPATH"
+cp $MDS_FWDIR/log/vseclic.elg* $TMPPATH
+
+# Collect licenses data from DB
+log_msg " Collecting licenses with cprlic into $TMPPATH"
+cprlic print -all -x -a >> $TMPPATH/attached_licenses
+
+log_msg " Collecting vsec view into $TMPPATH"
+vsec_lic_cli view >> $TMPPATH/view_licenses.txt
+
+log_msg " Collecting management licenses into $TMPPATH"
+cplic print -n -x >> $TMPPATH/management_licenses.txt
+
+log_msg " Collecting licensepool_data DB into $TMPPATH"
+psql_client cpm postgres -c "select * from licensePool_data;" >> $TMPPATH/licensePoolData.txt
+
+log_msg " Collecting GatewayLicenses_data DB into $TMPPATH"
+psql_client cpm postgres -c "select * from GatewayLicenses_data;" >> $TMPPATH/gatewayLicensesData.txt
+
+log_msg " Compressing $TMPPATH into $OUTPUTFILE_NAME"
+tar -cvf $OUTPUTFILE_NAME $TMPPATH > /dev/null 2>&1
+
+log_msg " Cleaning up $TMPPATH"
+rm -rf $TMPPATH
+
+log_msg " Done. $OUTPUTFILE_NAME is ready"
diff --git a/common/cme_api_postman/CME_API.postman_collection b/common/cme_api_postman/CME_API.postman_collection
new file mode 100644
index 00000000..d1af79cc
--- /dev/null
+++ b/common/cme_api_postman/CME_API.postman_collection
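Review bot: `BASEPATH=$VSECDIR` is assigned without checking that `VSECDIR` is set, so if the script is run in a shell where the Check Point environment has not been sourced, `TMPPATH` expands to `/tmp` and both `\rm -rf $TMPPATH` at start-up and `rm -rf $TMPPATH` at cleanup delete the system temp directory. Guard it before the assignment with `: "${VSECDIR:?VSECDIR is not set - source the Check Point environment first}"`, and quote `"$TMPPATH"` in the two `rm -rf` calls so a value containing spaces cannot widen the deletion. The usage text also promises a tar.gz, but `tar -cvf $OUTPUTFILE_NAME $TMPPATH` writes an uncompressed `vsec___data.tar`; either use `tar -czvf` with a `.tar.gz` name or correct the `echo "output_file: ..."` line. Since the archive bundles `cprlic`/`cplic` output taken with `-x` alongside the `cpm.elg*` server logs, a header comment stating that the resulting file is sensitive and should be handed over only through the support channel would help operators who run this outside a ticket.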
@@ -0,0 +1,3255 @@ +{ + "info": { + "_postman_id": "2c69ec16-0fde-440c-90df-1503f55cfca1", + "name": "cme_api", + "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json", + "_exporter_id": "28214663" + }, + "item": [ + { + "name": "Session Management", + "item": [ + { + "name": "login", + "event": [ + { + "listen": "test", + "script": { + "exec": [ + "try {\r", + " var sid = JSON.parse(responseBody).sid;\r", + " postman.setEnvironmentVariable(\"session\", sid);\r", + " tests[\"login session-id = \" + sid] = true;\r", + "} catch (e) {}" + ], + "type": "text/javascript", + "packages": {} + } + } + ], + "request": { + "method": "POST", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"user\": \"PLEASE ENTER USERNAME\", //\"admin\"\r\n \"password\": \"PLEASE ENTER PASSWORD\" //\"123456\"\r\n}" + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/login", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "login" + ] + }, + "description": "Login request to receive session token." 
+ }, + "response": [] + }, + { + "name": "login to last session", + "event": [ + { + "listen": "test", + "script": { + "exec": [ + "try {\r", + " var sid = JSON.parse(responseBody).sid;\r", + " postman.setEnvironmentVariable(\"session\", sid);\r", + " tests[\"login session-id = \" + sid] = true;\r", + "} catch (e) {}" + ], + "type": "text/javascript" + } + } + ], + "request": { + "method": "POST", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"user\": \"\",\r\n \"password\": \"\",\r\n \"continue-last-session\": true\r\n}" + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/login", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "login" + ] + }, + "description": "Login to the last session" + }, + "response": [] + }, + { + "name": "login to system domain", + "event": [ + { + "listen": "test", + "script": { + "exec": [ + "try {\r", + " var sid = JSON.parse(responseBody).sid;\r", + " postman.setEnvironmentVariable(\"session\", sid);\r", + " tests[\"login session-id = \" + sid] = true;\r", + "} catch (e) {}" + ], + "type": "text/javascript" + } + } + ], + "request": { + "method": "POST", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"user\": \"\",\r\n \"password\": \"\",\r\n \"domain\": \"System Data\"\r\n}" + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/login", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "login" + ] + }, + "description": "Login to system domain" + }, + "response": [] + }, + { + "name": "login with API key", + "event": [ + { + "listen": "test", + "script": { + "exec": [ + "try {\r", + " var sid = JSON.parse(responseBody).sid;\r", + " postman.setEnvironmentVariable(\"session\", sid);\r", + " tests[\"login session-id = \" + sid] = true;\r", + "} catch (e) {}" + ], 
+ "type": "text/javascript" + } + } + ], + "request": { + "method": "POST", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + } + ], + "body": { + "mode": "raw", + "raw": "{\"api-key\" : \"\"}" + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/login", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "login" + ] + }, + "description": "Login with API key without user and password." + }, + "response": [] + }, + { + "name": "publish", + "request": { + "method": "POST", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "X-chkp-sid", + "value": "{{session}}" + } + ], + "body": { + "mode": "raw", + "raw": "{ }" + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.7/publish", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.7", + "publish" + ] + }, + "description": "Publish the last changes. Use the show-task command to check the progress of the task." 
+ }, + "response": [] + }, + { + "name": "discard", + "request": { + "method": "POST", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "X-chkp-sid", + "value": "{{session}}" + } + ], + "body": { + "mode": "raw", + "raw": "{ }" + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/discard", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "discard" + ] + }, + "description": "Discard the changes" + }, + "response": [] + }, + { + "name": "logout", + "request": { + "method": "POST", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "X-chkp-sid", + "value": "{{session}}" + } + ], + "body": { + "mode": "raw", + "raw": "{ }" + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/logout", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "logout" + ] + }, + "description": "Log out from the existing session" + }, + "response": [] + }, + { + "name": "disconnect", + "request": { + "method": "POST", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "X-chkp-sid", + "value": "{{session}}" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"uid\": \"\"\r\n}" + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/disconnect", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "disconnect" + ] + }, + "description": "Disconnect a private session" + }, + "response": [] + }, + { + "name": "keepalive", + "request": { + "method": "POST", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "X-chkp-sid", + "value": "{{session}}" + } + ], + "body": { + "mode": "raw", + "raw": "{ }" + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/keepalive", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + 
"keepalive" + ] + }, + "description": "Keep the session alive" + }, + "response": [] + }, + { + "name": "revert-to-revision", + "request": { + "method": "POST", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "X-chkp-sid", + "value": "{{session}}" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"to-session\": \"\"\r\n}" + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/revert-to-revision", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "revert-to-revision" + ] + }, + "description": "Revert the Management Database to the selected revision." + }, + "response": [] + }, + { + "name": "verify-revert", + "request": { + "method": "POST", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "X-chkp-sid", + "value": "{{session}}" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"to-session\": \"\"\r\n}" + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/verify-revert", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "verify-revert" + ] + }, + "description": "Verify the Management Database can revert to the selected revision." 
+ }, + "response": [] + }, + { + "name": "add-repository-script", + "event": [ + { + "listen": "test", + "script": { + "exec": [ + "try {\r", + " var sid = JSON.parse(responseBody).sid;\r", + " postman.setEnvironmentVariable(\"session\", sid);\r", + " tests[\"login session-id = \" + sid] = true;\r", + "} catch (e) {}" + ], + "type": "text/javascript" + } + } + ], + "request": { + "method": "POST", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"name\": \"PLEASE ENTER SCRIPT'S NAME\", //\"repo_script\"\r\n \"script-body\": \"PLEASE ENTER SCRIPT'S CONTENT\" //\"#!/bin/bash clish -c lock database override clish -c set static-route 10.24.2.0/32 nexthop gateway address 10.24.0.0 on clish -c save config\"\"\r\n}" + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.9/add-repository-script", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.9", + "add-repository-script" + ] + }, + "description": "Add repository script to the script repository." 
+ }, + "response": [] + } + ] + }, + { + "name": "v1", + "item": [ + { + "name": "GCP", + "item": [ + { + "name": "POST add GCP account", + "request": { + "method": "POST", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "X-chkp-sid", + "value": "{{session}}" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"name\": \"PLEASE ENTER ACCOUNT NAME\", //\"account_name\"\r\n \"project_id\": \"PLEASE ENTER PROJECT ID\", //\"gcp_project_id\"\r\n \"credentials_file\": \"PLEASE ENTER CREDENTIAL FILE NAME\", //\"GCP_credentials_file_name\"\r\n \"deletion_tolerance\": \"PLEASE ENTER DELETION TOLERANCE\" // 3\r\n}", + "options": { + "raw": { + "language": "json" + } + } + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1/accounts/gcp", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1", + "accounts", + "gcp" + ] + } + }, + "response": [] + }, + { + "name": "PUT set GCP account", + "request": { + "method": "PUT", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "X-chkp-sid", + "value": "{{session}}" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"project_id\": \"PLEASE ENTER PROJECT ID\", //\"gcp_project_id\"\r\n \"credentials_file\": \"PLEASE ENTER CREDENTIAL FILE NAME\", //\"GCP_credentials_file_name\"\r\n \"deletion_tolerance\": \"PLEASE ENTER DELETION TOLERANCE\" // 3\r\n}", + "options": { + "raw": { + "language": "json" + } + } + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1/accounts/gcp/", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1", + "accounts", + "gcp", + "" + ] + } + }, + "response": [] + }, + { + "name": "POST add GCP gw configuration", + "request": { + "method": "POST", + "header": [ + { + "key": "X-chkp-sid", + "value": "{{session}}" + }, + { + "key": "Content-Type", + "value": 
"application/json" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"name\": \"PLEASE ENTER GATEWAY CONFIGURATION NAME\", //\"gcpGwConfiguration\"\r\n \"base64_sic_key\": \"PLEASE ENTER ENCODED BASE64 SIC KEY\", //\"MTIzNDU2Nzg=\"\r\n \"version\": \"PLEASE ENTER GATEWAY VERSION\", //\"R81.20\"\r\n \"policy\": \"PLEASE ENTER POLICY NAME\", //\"Standard\"\r\n \"blades\": {\r\n \"ips\": true,\r\n \"anti-bot\": true,\r\n \"url-filtering\": true,\r\n \"https-inspection\": true\r\n },\r\n \"related_account\": \"PLEASE ENTER RELATED ACCOUNT\" //\"gcp-account\"\r\n}" + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1/gwConfigurations/gcp", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1", + "gwConfigurations", + "gcp" + ] + } + }, + "response": [] + }, + { + "name": "PUT set GCP gw configuration", + "request": { + "method": "PUT", + "header": [ + { + "key": "X-chkp-sid", + "value": "{{session}}" + }, + { + "key": "Content-Type", + "value": "application/json" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"base64_sic_key\": \"PLEASE ENTER ENCODED BASE64 SIC KEY\", //\"MTIzNDU2Nzg=\"\r\n \"version\": \"PLEASE ENTER GATEWAY VERSION\", //\"R81.20\"\r\n \"policy\": \"PLEASE ENTER POLICY NAME\", //\"Standard\"\r\n \"blades\": {\r\n \"ips\": true,\r\n \"anti-bot\": true,\r\n \"url-filtering\": true,\r\n \"https-inspection\": true\r\n }\r\n}" + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1/gwConfigurations/gcp/", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1", + "gwConfigurations", + "gcp", + "" + ] + } + }, + "response": [] + } + ], + "description": "Operations in GCP cloud." 
+ }, + { + "name": "AWS", + "item": [ + { + "name": "POST add AWS account", + "request": { + "method": "POST", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "X-chkp-sid", + "value": "{{session}}" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"name\": \"PLEASE ENTER ACCOUNT NAME\", //\"myAwsAccount\"\r\n \"regions\": [\r\n \"eu-west-1\",\r\n \"us-east-2\"\r\n ],\r\n \"credentials_file\": \"PLEASE ENTER CREDENTIALS FILE NAME\", //\"IAM\"\r\n \"access_key\": \"PLEASE ENTER ACCESS KEY\",\r\n \"secret_key\": \"PLEASE ENTER SECRET KEY\",\r\n \"sts_role\": \"PLEASE ENTER STS ROLE\",\r\n \"sts_external_id\": \"PLEASE ENTER STS EXTERNAL ID\",\r\n \"scan_gateways\": \"PLEASE SET TRUE OR FALSE\",\r\n \"scan_vpn\": \"PLEASE SET TRUE OR FALSE\",\r\n \"scan_load_balancers\": \"PLEASE SET TRUE OR FALSE\",\r\n \"scan_subnets\": \"PLEASE SET TRUE OR FALSE\",\r\n \"communities\": [\r\n \"community_a\",\r\n \"community_b\"\r\n ],\r\n \"deletion_tolerance\": \"PLEASE ENTER DELETION TOLERANCE\",\r\n \"sub_accounts\": [\r\n {\r\n \"name\": \"sub_account_a\",\r\n \"credentials_file\": \"AWS_credentials_file_name\"\r\n },\r\n {\r\n \"name\": \"sub_account_b\",\r\n \"access_key\": \"PLEASE ENTER ACCESS KEY\",\r\n \"secret_key\": \"PLEASE ENTER SECRET KEY\"\r\n },\r\n {\r\n \"name\": \"sub_account_c\",\r\n \"sts_role\": \"PLEASE ENTER STS ROLE\",\r\n \"sts_external_id\": \"PLEASE ENTER STS EXTERNAL ID\"\r\n }\r\n ]\r\n}", + "options": { + "raw": { + "language": "json" + } + } + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1/accounts/aws", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1", + "accounts", + "aws" + ] + } + }, + "response": [] + }, + { + "name": "PUT set AWS account", + "request": { + "method": "PUT", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "X-chkp-sid", + "value": "{{session}}" + } + 
], + "body": { + "mode": "raw", + "raw": "{\r\n \"regions\": [\r\n \"eu-west-1\",\r\n \"us-east-2\"\r\n ],\r\n \"credentials_file\": \"PLEASE ENTER CREDENTIALS FILE NAME\", //\"IAM\"\r\n \"access_key\": \"PLEASE ENTER ACCESS KEY\",\r\n \"secret_key\": \"PLEASE ENTER SECRET KEY\",\r\n \"sts_role\": \"PLEASE ENTER STS ROLE\",\r\n \"sts_external_id\": \"PLEASE ENTER STS EXTERNAL ID\",\r\n \"scan_gateways\": \"PLEASE SET TRUE OR FALSE\",\r\n \"scan_vpn\": \"PLEASE SET TRUE OR FALSE\",\r\n \"scan_load_balancers\": \"PLEASE SET TRUE OR FALSE\",\r\n \"scan_subnets\": \"PLEASE SET TRUE OR FALSE\",\r\n \"communities\": [\r\n \"community_a\",\r\n \"community_b\"\r\n ],\r\n \"deletion_tolerance\": \"PLEASE ENTER DELETION TOLERANCE\",\r\n \"sub_accounts\": [\r\n {\r\n \"name\": \"sub_account_a\",\r\n \"credentials_file\": \"AWS_credentials_file_name\"\r\n },\r\n {\r\n \"name\": \"sub_account_b\",\r\n \"access_key\": \"PLEASE ENTER ACCESS KEY\",\r\n \"secret_key\": \"PLEASE ENTER SECRET KEY\"\r\n },\r\n {\r\n \"name\": \"sub_account_c\",\r\n \"sts_role\": \"PLEASE ENTER STS ROLE\",\r\n \"sts_external_id\": \"PLEASE ENTER STS EXTERNAL ID\"\r\n }\r\n ]\r\n}", + "options": { + "raw": { + "language": "json" + } + } + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1/accounts/aws/", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1", + "accounts", + "aws", + "" + ] + } + }, + "response": [] + }, + { + "name": "POST add AWS gw configuration", + "request": { + "method": "POST", + "header": [ + { + "key": "X-chkp-sid", + "value": "{{session}}" + }, + { + "key": "Content-Type", + "value": "application/json" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"name\": \"PLEASE ENTER GATEWAY CONFIGURATION NAME\", //\"awsGwConfiguration\"\r\n \"base64_sic_key\": \"PLEASE ENTER ENCODED BASE64 SIC KEY\", //\"MTIzNDU2Nzg=\"\r\n \"version\": \"PLEASE ENTER GATEWAY VERSION\", //\"R81.20\"\r\n \"policy\": 
\"PLEASE ENTER POLICY NAME\", //\"Standard\"\r\n \"blades\": {\r\n \"ips\": true,\r\n \"anti-bot\": true,\r\n \"url-filtering\": true,\r\n \"https-inspection\": true\r\n },\r\n \"related_account\": \"PLEASE ENTER RELATED ACCOUNT\", //\"aws-account\"\r\n \"vpn_domain\": \"PLEASE ENTER VPN DOMAIN\",\r\n \"vpn_community\": \"PLEASE ENTER VPN COMMUNITY\",\r\n \"deployment_type\": \"PLEASE ENTER DEPLOYMENT TYPE\", //\"TGW\"\r\n \"tgw_static_routes\": \"PLEASE ENTER TGW STATIC ROUTES\", //\"10.0.0.0/16,10.100.0.0/16\"\r\n \"tgw_spoke_routes\": \"PLEASE ENTER TGW SPOKE ROUTES\" //\"192.168.100.0/24,192.168.200.0/24\"\r\n}" + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1/gwConfigurations/aws", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1", + "gwConfigurations", + "aws" + ] + } + }, + "response": [] + }, + { + "name": "PUT set AWS gw configuration", + "request": { + "method": "PUT", + "header": [ + { + "key": "X-chkp-sid", + "value": "{{session}}" + }, + { + "key": "Content-Type", + "value": "application/json" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"base64_sic_key\": \"PLEASE ENTER ENCODED BASE64 SIC KEY\", //\"MTIzNDU2Nzg=\"\r\n \"version\": \"PLEASE ENTER GATEWAY VERSION\", //\"R81.20\"\r\n \"policy\": \"PLEASE ENTER POLICY NAME\", //\"Standard\"\r\n \"blades\": {\r\n \"ips\": true,\r\n \"anti-bot\": true,\r\n \"url-filtering\": true,\r\n \"https-inspection\": true\r\n },\r\n \"related_account\": \"PLEASE ENTER RELATED ACCOUNT\", //\"aws-account\"\r\n \"vpn_domain\": \"PLEASE ENTER VPN DOMAIN\",\r\n \"vpn_community\": \"PLEASE ENTER VPN COMMUNITY\",\r\n \"deployment_type\": \"PLEASE ENTER DEPLOYMENT TYPE\", //\"TGW\"\r\n \"tgw_static_routes\": [\r\n \"10.0.0.0/16\",\r\n \"10.100.0.0/16\"\r\n ],\r\n \"tgw_spoke_routes\": [\r\n \"192.168.100.0/24\",\r\n \"192.168.200.0/24\"\r\n ]\r\n}" + }, + "url": { + "raw": 
"https://{{managementIP}}/web_api/v1.8/cme-api/v1/gwConfigurations/aws/", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1", + "gwConfigurations", + "aws", + "" + ] + } + }, + "response": [] + } + ], + "description": "Operations in AWS cloud." + }, + { + "name": "Gw Configurations", + "item": [ + { + "name": "GET all gw configurations", + "request": { + "method": "GET", + "header": [ + { + "key": "X-chkp-sid", + "value": "{{session}}" + }, + { + "key": "Content-Type", + "value": "application/json" + } + ], + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1/gwConfigurations", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1", + "gwConfigurations" + ] + } + }, + "response": [] + }, + { + "name": "GET gw configuration", + "request": { + "method": "GET", + "header": [ + { + "key": "X-chkp-sid", + "value": "{{session}}" + }, + { + "key": "Content-Type", + "value": "application/json" + } + ], + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1/gwConfigurations/", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1", + "gwConfigurations", + "" + ] + } + }, + "response": [] + }, + { + "name": "DELETE gw configuration", + "request": { + "method": "DELETE", + "header": [ + { + "key": "X-chkp-sid", + "value": "{{session}}" + }, + { + "key": "Content-Type", + "value": "application/json" + } + ], + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1/gwConfigurations/", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1", + "gwConfigurations", + "" + ] + } + }, + "response": [] + } + ], + "description": "Operations for configuring Gw Configurations in CME
(Previously known as \"templates\")." + }, + { + "name": "Accounts", + "item": [ + { + "name": "GET all accounts", + "request": { + "method": "GET", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "X-chkp-sid", + "value": "{{session}}" + } + ], + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1/accounts", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1", + "accounts" + ] + } + }, + "response": [] + }, + { + "name": "GET account", + "request": { + "method": "GET", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "X-chkp-sid", + "value": "{{session}}" + } + ], + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1/accounts/", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1", + "accounts", + "" + ] + } + }, + "response": [] + }, + { + "name": "DELETE account", + "request": { + "method": "DELETE", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "X-chkp-sid", + "value": "{{session}}" + } + ], + "url": { + "raw": "{{server}}/v1.8/cme-api/v1/accounts/", + "host": [ + "{{server}}" + ], + "path": [ + "v1.8", + "cme-api", + "v1", + "accounts", + "" + ] + } + }, + "response": [] + } + ], + "description": "Operations for configuring Accounts in CME
(Previously known as \"controllers\")." + }, + { + "name": "Management", + "item": [ + { + "name": "GET management", + "request": { + "method": "GET", + "header": [ + { + "key": "X-chkp-sid", + "value": "{{session}}" + }, + { + "key": "Content-Type", + "value": "application/json" + } + ], + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1/management", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1", + "management" + ] + } + }, + "response": [] + }, + { + "name": "PUT set management", + "request": { + "method": "PUT", + "header": [ + { + "key": "X-chkp-sid", + "value": "{{session}}" + }, + { + "key": "Content-Type", + "value": "application/json" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"name\": \"PLEASE ENTER MANAGEMENT NAME\" // \"mgmt_name\"\r\n}" + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1/management", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1", + "management" + ] + } + }, + "response": [] + } + ], + "description": "Operations for configuring Management." 
+ }, + { + "name": "Azure", + "item": [ + { + "name": "POST Azure account", + "request": { + "method": "POST", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "X-chkp-sid", + "value": "{{session}}" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"name\": \"PLEASE ENTER ACCOUNT NAME\", //\"myAzureAccount\"\r\n \"subscription\": \"PLEASE ENTER SUBSCRIPTION\", //\"aaaa-aaaa-aaaa-aaaa-aaaa\"\r\n \"directory_id\": \"PLEASE ENTER DIRECTORY ID\", //\"bbbb-bbbb-bbbb-bbbb-bbbb\"\r\n \"application_id\": \"PLEASE ENTER APPLICATION ID\", //\"cccc-cccc-cccc-cccc-cccc\"\r\n \"client_secret\": \"PLEASE ENTER CLIENT SECRET\", //\"mySecret\"\r\n \"deletion_tolerance\": \"PLEASE ENTER DELETION TOLERANCE\" // 3\r\n}", + "options": { + "raw": { + "language": "json" + } + } + }, + "url": { + "raw": "{{server}}/v1.8/cme-api/v1/accounts/azure", + "host": [ + "{{server}}" + ], + "path": [ + "v1.8", + "cme-api", + "v1", + "accounts", + "azure" + ] + } + }, + "response": [] + }, + { + "name": "PUT set Azure account", + "request": { + "method": "PUT", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "X-chkp-sid", + "value": "{{session}}" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"subscription\": \"PLEASE ENTER SUBSCRIPTION\", //\"aaaa-aaaa-aaaa-aaaa-aaaa\"\r\n \"directory_id\": \"PLEASE ENTER DIRECTORY ID\", //\"bbbb-bbbb-bbbb-bbbb-bbbb\"\r\n \"application_id\": \"PLEASE ENTER APPLICATION ID\", //\"cccc-cccc-cccc-cccc-cccc\"\r\n \"client_secret\": \"PLEASE ENTER CLIENT SECRET\", //\"mySecret\"\r\n \"deletion_tolerance\": \"PLEASE ENTER DELETION TOLERANCE\" // 3\r\n}", + "options": { + "raw": { + "language": "json" + } + } + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1/accounts/azure/", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1", + "accounts", + "azure", + "" + ] + } + }, + "response": [] + 
}, + { + "name": "POST add Azure gw configuration", + "request": { + "method": "POST", + "header": [ + { + "key": "X-chkp-sid", + "value": "{{session}}" + }, + { + "key": "Content-Type", + "value": "application/json" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"name\": \"PLEASE ENTER GATEWAY CONFIGURATION NAME\", //\"azureGwConfiguration\"\r\n \"base64_sic_key\": \"PLEASE ENTER ENCODED BASE64 SIC KEY\", //\"MTIzNDU2Nzg=\"\r\n \"version\": \"PLEASE ENTER GATEWAY VERSION\", //\"R81.20\"\r\n \"policy\": \"PLEASE ENTER POLICY NAME\", //\"Standard\"\r\n \"blades\": {\r\n \"identity-awareness\": true,\r\n \"application-control\": true\r\n },\r\n \"related_account\": \"PLEASE ENTER RELATED ACCOUNT\" //\"azure-account\"\r\n}" + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1/gwConfigurations/azure", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1", + "gwConfigurations", + "azure" + ] + } + }, + "response": [] + }, + { + "name": "PUT set Azure gw configuration", + "request": { + "method": "PUT", + "header": [ + { + "key": "X-chkp-sid", + "value": "{{session}}" + }, + { + "key": "Content-Type", + "value": "application/json" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"base64_sic_key\": \"PLEASE ENTER ENCODED BASE64 SIC KEY\", //\"MTIzNDU2Nzg=\"\r\n \"version\": \"PLEASE ENTER GATEWAY VERSION\", //\"R81.20\"\r\n \"policy\": \"PLEASE ENTER POLICY NAME\", //\"Standard\"\r\n \"blades\": {\r\n \"identity-awareness\": false,\r\n \"anti-virus\": true,\r\n \"https-inspection\": true\r\n }\r\n}" + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1/gwConfigurations/azure/", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1", + "gwConfigurations", + "azure", + "" + ] + } + }, + "response": [] + } + ], + "description": "Operations in Azure cloud." 
+ }, + { + "name": "CME General Configuration", + "item": [ + { + "name": "GET delayCycle", + "request": { + "method": "GET", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "X-chkp-sid", + "value": "{{session}}" + } + ], + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1/generalConfiguration/delayCycle", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1", + "generalConfiguration", + "delayCycle" + ] + } + }, + "response": [] + }, + { + "name": "PUT set delayCycle", + "request": { + "method": "PUT", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "X-chkp-sid", + "value": "{{session}}" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"delay_cycle\": \"PLEASE ENTER DELAY CYCLE\" // 20 \r\n}", + "options": { + "raw": { + "language": "json" + } + } + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1/generalConfiguration/delayCycle", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1", + "generalConfiguration", + "delayCycle" + ] + } + }, + "response": [] + }, + { + "name": "GET cmeVersion", + "request": { + "method": "GET", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "X-chkp-sid", + "value": "{{session}}" + } + ], + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1/generalConfiguration/cmeVersion", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1", + "generalConfiguration", + "cmeVersion" + ] + } + }, + "response": [] + } + ], + "description": "Operations for general CME configurations." 
+ } + ] + }, + { + "name": "v1.1", + "item": [ + { + "name": "GCP", + "item": [ + { + "name": "POST add GCP account", + "request": { + "method": "POST", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "X-chkp-sid", + "value": "{{session}}" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"name\": \"PLEASE ENTER ACCOUNT NAME\", //\"account_name\"\r\n \"project_id\": \"PLEASE ENTER PROJECT ID\", //\"gcp_project_id\"\r\n \"credentials_file\": \"PLEASE ENTER CREDENTIALS FILE NAME\", //\"GCP_credentials_file_name\"\r\n \"credentials_data\": \"PLEASE ENTER CREDENTIALS DATA\", //\"ewogICJ0eXBlIjogInNlcnZpY2VfYWNjb3VudCIsCiAgInByb2plY3RfaWQiOiAibXktcHJvamVj...\"\r\n \"deletion_tolerance\": \"PLEASE ENTER DELETION TOLERANCE\", // 3\r\n \"domain\": \"PLEASE ENTER DOMAIN NAME (OPTIONAL IN MDS)\" //\"myDomain\"\r\n}", + "options": { + "raw": { + "language": "json" + } + } + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1.1/accounts/gcp", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.1", + "accounts", + "gcp" + ] + } + }, + "response": [] + }, + { + "name": "PUT set GCP account", + "request": { + "method": "PUT", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "X-chkp-sid", + "value": "{{session}}" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"project_id\": \"PLEASE ENTER PROJECT ID\", //\"gcp_project_id\"\r\n \"credentials_file\": \"PLEASE ENTER CREDENTIALS FILE NAME\", //\"GCP_credentials_file_name\"\r\n \"credentials_data\": \"PLEASE ENTER CREDENTIALS DATA\", //\"ewogICJ0eXBlIjogInNlcnZpY2VfYWNjb3VudCIsCiAgInByb2plY3RfaWQiOiAibXktcHJvamVj...\"\r\n \"deletion_tolerance\": \"PLEASE ENTER DELETION TOLERANCE\", // 3\r\n \"domain\": \"PLEASE ENTER DOMAIN NAME (OPTIONAL IN MDS)\" //\"myDomain\"\r\n}", + "options": { + "raw": { + "language": "json" + } + } + }, + "url": { + "raw": 
"https://{{managementIP}}/web_api/v1.8/cme-api/v1.1/accounts/gcp/", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.1", + "accounts", + "gcp", + "" + ] + } + }, + "response": [] + }, + { + "name": "POST add GCP gw configuration", + "request": { + "method": "POST", + "header": [ + { + "key": "X-chkp-sid", + "value": "{{session}}" + }, + { + "key": "Content-Type", + "value": "application/json" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"name\": \"PLEASE ENTER GATEWAY CONFIGURATION NAME\", //\"gcpGwConfiguration\"\r\n \"base64_sic_key\": \"PLEASE ENTER ENCODED BASE64 SIC KEY\", //\"MTIzNDU2Nzg=\"\r\n \"version\": \"PLEASE ENTER GATEWAY VERSION\", //\"R81.20\"\r\n \"policy\": \"PLEASE ENTER POLICY NAME\", //\"Standard\"\r\n \"blades\": {\r\n \"vpn\": true,\r\n \"url-filtering\": true\r\n },\r\n \"related_account\": \"PLEASE ENTER RELATED ACCOUNT\", //\"gcp-account\"\r\n \"repository_gateway_scripts\": [\r\n {\r\n \"name\": \"PLEASE ENTER REPOSITORY GATEWAY SCRIPT NAME\", //\"repo_script\"\r\n \"parameters\": \"PLEASE ENTEAR PARAMETERS SEPARATED BY SPACE\" //\"param1 param2\"\r\n\r\n }\r\n ],\r\n \"send_logs_to_server\": \"PLEASE ENTER PRIMARY LOG SERVERS NAMES\", //\"[\"PLM1\", \"PLM_2\"]\"\r\n \"send_logs_to_backup_server\": \"PLEASE ENTER BACKUP LOG SERVERS NAMES\", //\"[\"BLM1\", \"BLM_2\"]\"\r\n \"send_alerts_to_server\": \"PLEASE ENTER ALERTS SERVERS NAMES\" //\"[\"ALM1\", \"ALM_2\"]\"\r\n}" + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1.1/gwConfigurations/gcp", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.1", + "gwConfigurations", + "gcp" + ] + } + }, + "response": [] + }, + { + "name": "PUT set GCP gw configuration", + "request": { + "method": "PUT", + "header": [ + { + "key": "X-chkp-sid", + "value": "{{session}}" + }, + { + "key": "Content-Type", + "value": "application/json" + } + ], + 
"body": { + "mode": "raw", + "raw": "{\r\n \"base64_sic_key\": \"PLEASE ENTER ENCODED BASE64 SIC KEY\", //\"MTIzNDU2Nzg=\"\r\n \"version\": \"PLEASE ENTER GATEWAY VERSION\", //\"R81.20\"\r\n \"policy\": \"PLEASE ENTER POLICY NAME\", //\"Standard\"\r\n \"blades\": {\r\n \"vpn\": true,\r\n \"url-filtering\": true\r\n },\r\n \"related_account\": \"PLEASE ENTER RELATED ACCOUNT\", //\"gcp-account\"\r\n \"repository_gateway_scripts\": [\r\n {\r\n \"name\": \"PLEASE ENTER REPOSITORY GATEWAY SCRIPT NAME\", //\"repo_script\"\r\n \"parameters\": \"PLEASE ENTEAR PARAMETERS SEPARATED BY SPACE\" //\"param1 param2\"\r\n\r\n }\r\n ],\r\n \"send_logs_to_server\": \"PLEASE ENTER PRIMARY LOG SERVERS NAMES\", //\"[\"PLM1\", \"PLM_2\"]\"\r\n \"send_logs_to_backup_server\": \"PLEASE ENTER BACKUP LOG SERVERS NAMES\", //\"[\"BLM1\", \"BLM_2\"]\"\r\n \"send_alerts_to_server\": \"PLEASE ENTER ALERTS SERVERS NAMES\" //\"[\"ALM1\", \"ALM_2\"]\"\r\n}" + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1.1/gwConfigurations/gcp/", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.1", + "gwConfigurations", + "gcp", + "" + ] + } + }, + "response": [] + } + ], + "description": "Operations in GCP cloud." 
+ }, + { + "name": "AWS", + "item": [ + { + "name": "POST add AWS account", + "request": { + "method": "POST", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "X-chkp-sid", + "value": "{{session}}" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"name\": \"PLEASE ENTER ACCOUNT NAME\", //\"myAwsAccount\"\r\n \"regions\": [\r\n \"eu-west-1\",\r\n \"us-east-2\"\r\n ],\r\n \"domain\": \"PLEASE ENTER DOMAIN NAME\", //\"myDomain\"\r\n \"credentials_file\": \"PLEASE ENTER CREDENTIALS FILE NAME\", //\"IAM\"\r\n \"access_key\": \"PLEASE ENTER ACCESS KEY\",\r\n \"secret_key\": \"PLEASE ENTER SECRET KEY\",\r\n \"sts_role\": \"PLEASE ENTER STS ROLE\",\r\n \"sts_external_id\": \"PLEASE ENTER STS EXTERNAL ID\",\r\n \"scan_gateways\": \"PLEASE SET TRUE OR FALSE\",\r\n \"scan_vpn\": \"PLEASE SET TRUE OR FALSE\",\r\n \"scan_load_balancers\": \"PLEASE SET TRUE OR FALSE\",\r\n \"scan_subnets\": \"PLEASE SET TRUE OR FALSE\",\r\n \"communities\": [\r\n \"community_a\",\r\n \"community_b\"\r\n ],\r\n \"deletion_tolerance\": \"PLEASE ENTER DELETION TOLERANCE\",\r\n \"sub_accounts\": [\r\n {\r\n \"name\": \"sub_account_a\",\r\n \"credentials_file\": \"AWS_credentials_file_name\"\r\n },\r\n {\r\n \"name\": \"sub_account_b\",\r\n \"access_key\": \"PLEASE ENTER ACCESS KEY\",\r\n \"secret_key\": \"PLEASE ENTER SECRET KEY\"\r\n },\r\n {\r\n \"name\": \"sub_account_c\",\r\n \"sts_role\": \"PLEASE ENTER STS ROLE\",\r\n \"sts_external_id\": \"PLEASE ENTER STS EXTERNAL ID\"\r\n }\r\n ]\r\n}", + "options": { + "raw": { + "language": "json" + } + } + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1.1/accounts/aws", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.1", + "accounts", + "aws" + ] + } + }, + "response": [] + }, + { + "name": "PUT set AWS account", + "request": { + "method": "PUT", + "header": [ + { + "key": "Content-Type", + "value": 
"application/json" + }, + { + "key": "X-chkp-sid", + "value": "{{session}}" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"regions\": [\r\n \"eu-west-1\",\r\n \"us-east-2\"\r\n ],\r\n \"domain\": \"PLEASE ENTER DOMAIN NAME\", //\"myDomain\"\r\n \"credentials_file\": \"PLEASE ENTER CREDENTIALS FILE NAME\", //\"IAM\"\r\n \"access_key\": \"PLEASE ENTER ACCESS KEY\",\r\n \"secret_key\": \"PLEASE ENTER SECRET KEY\",\r\n \"sts_role\": \"PLEASE ENTER STS ROLE\",\r\n \"sts_external_id\": \"PLEASE ENTER STS EXTERNAL ID\",\r\n \"scan_gateways\": \"PLEASE SET TRUE OR FALSE\",\r\n \"scan_vpn\": \"PLEASE SET TRUE OR FALSE\",\r\n \"scan_load_balancers\": \"PLEASE SET TRUE OR FALSE\",\r\n \"scan_subnets\": \"PLEASE SET TRUE OR FALSE\",\r\n \"communities\": [\r\n \"community_a\",\r\n \"community_b\"\r\n ],\r\n \"deletion_tolerance\": \"PLEASE ENTER DELETION TOLERANCE\",\r\n \"sub_accounts\": [\r\n {\r\n \"name\": \"sub_account_a\",\r\n \"credentials_file\": \"AWS_credentials_file_name\"\r\n },\r\n {\r\n \"name\": \"sub_account_b\",\r\n \"access_key\": \"PLEASE ENTER ACCESS KEY\",\r\n \"secret_key\": \"PLEASE ENTER SECRET KEY\"\r\n },\r\n {\r\n \"name\": \"sub_account_c\",\r\n \"sts_role\": \"PLEASE ENTER STS ROLE\",\r\n \"sts_external_id\": \"PLEASE ENTER STS EXTERNAL ID\"\r\n }\r\n ]\r\n}", + "options": { + "raw": { + "language": "json" + } + } + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1.1/accounts/aws/", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.1", + "accounts", + "aws", + "" + ] + } + }, + "response": [] + }, + { + "name": "POST add AWS gw configuration", + "request": { + "method": "POST", + "header": [ + { + "key": "X-chkp-sid", + "value": "{{session}}" + }, + { + "key": "Content-Type", + "value": "application/json" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"name\": \"PLEASE ENTER GATEWAY CONFIGURATION NAME\", //\"awsGwConfiguration\"\r\n 
\"base64_sic_key\": \"PLEASE ENTER ENCODED BASE64 SIC KEY\", //\"MTIzNDU2Nzg=\"\r\n \"version\": \"PLEASE ENTER GATEWAY VERSION\", //\"R81.20\"\r\n \"policy\": \"PLEASE ENTER POLICY NAME\", //\"Standard\"\r\n \"blades\": {\r\n \"ips\": true,\r\n \"anti-bot\": true,\r\n \"url-filtering\": true,\r\n \"https-inspection\": true\r\n },\r\n \"related_account\": \"PLEASE ENTER RELATED ACCOUNT\", //\"aws-account\"\r\n \"vpn_domain\": \"PLEASE ENTER VPN DOMAIN\",\r\n \"vpn_community\": \"PLEASE ENTER VPN COMMUNITY\",\r\n \"deployment_type\": \"PLEASE ENTER DEPLOYMENT TYPE\", //\"TGW\"\r\n \"tgw_static_routes\": \"PLEASE ENTER TGW STATIC ROUTES\", //\"10.0.0.0/16,10.100.0.0/16\"\r\n \"tgw_spoke_routes\": \"PLEASE ENTER TGW SPOKE ROUTES\", //\"192.168.100.0/24,192.168.200.0/24\"\r\n \"repository_gateway_scripts\": [\r\n {\r\n \"name\": \"PLEASE ENTER REPOSITORY GATEWAY SCRIPT NAME\", //\"repo_script\"\r\n \"parameters\": \"PLEASE ENTEAR PARAMETERS SEPARATED BY SPACE\" //\"param1 param2\"\r\n\r\n }\r\n ],\r\n \"send_logs_to_server\": \"PLEASE ENTER PRIMARY LOG SERVERS NAMES\", //\"[\"PLM1\", \"PLM_2\"]\"\r\n \"send_logs_to_backup_server\": \"PLEASE ENTER BACKUP LOG SERVERS NAMES\", //\"[\"BLM1\", \"BLM_2\"]\"\r\n \"send_alerts_to_server\": \"PLEASE ENTER ALERTS SERVERS NAMES\" //\"[\"ALM1\", \"ALM_2\"]\"\r\n}" + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1.1/gwConfigurations/aws", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.1", + "gwConfigurations", + "aws" + ] + } + }, + "response": [] + }, + { + "name": "PUT set AWS gw configuration", + "request": { + "method": "PUT", + "header": [ + { + "key": "X-chkp-sid", + "value": "{{session}}" + }, + { + "key": "Content-Type", + "value": "application/json" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"base64_sic_key\": \"PLEASE ENTER ENCODED BASE64 SIC KEY\", //\"MTIzNDU2Nzg=\"\r\n \"version\": \"PLEASE ENTER GATEWAY VERSION\", 
//\"R81.20\"\r\n \"policy\": \"PLEASE ENTER POLICY NAME\", //\"Standard\"\r\n \"blades\": {\r\n \"ips\": true,\r\n \"anti-bot\": true,\r\n \"url-filtering\": true,\r\n \"https-inspection\": true\r\n },\r\n \"related_account\": \"PLEASE ENTER RELATED ACCOUNT\", //\"aws-account\"\r\n \"vpn_domain\": \"PLEASE ENTER VPN DOMAIN\",\r\n \"vpn_community\": \"PLEASE ENTER VPN COMMUNITY\",\r\n \"deployment_type\": \"PLEASE ENTER DEPLOYMENT TYPE\", //\"TGW\"\r\n \"tgw_static_routes\": [\r\n \"10.0.0.0/16\",\r\n \"10.100.0.0/16\"\r\n ],\r\n \"tgw_spoke_routes\": [\r\n \"192.168.100.0/24\",\r\n \"192.168.200.0/24\"\r\n ],\r\n \"repository_gateway_scripts\": [\r\n {\r\n \"name\": \"PLEASE ENTER REPOSITORY GATEWAY SCRIPT NAME\", //\"repo_script\"\r\n \"parameters\": \"PLEASE ENTEAR PARAMETERS SEPARATED BY SPACE\" //\"param1 param2\"\r\n\r\n }\r\n ],\r\n \"send_logs_to_server\": \"PLEASE ENTER PRIMARY LOG SERVERS NAMES\", //\"[\"PLM1\", \"PLM_2\"]\"\r\n \"send_logs_to_backup_server\": \"PLEASE ENTER BACKUP LOG SERVERS NAMES\", //\"[\"BLM1\", \"BLM_2\"]\"\r\n \"send_alerts_to_server\": \"PLEASE ENTER ALERTS SERVERS NAMES\" //\"[\"ALM1\", \"ALM_2\"]\"\r\n}" + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1.1/gwConfigurations/aws/", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.1", + "gwConfigurations", + "aws", + "" + ] + } + }, + "response": [] + } + ], + "description": "Operations in AWS cloud." 
+ }, + { + "name": "Gw Configurations", + "item": [ + { + "name": "GET all gw configurations", + "request": { + "method": "GET", + "header": [ + { + "key": "X-chkp-sid", + "value": "{{session}}" + }, + { + "key": "Content-Type", + "value": "application/json" + } + ], + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1.1/gwConfigurations", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.1", + "gwConfigurations" + ] + } + }, + "response": [] + }, + { + "name": "GET gw configuration", + "request": { + "method": "GET", + "header": [ + { + "key": "X-chkp-sid", + "value": "{{session}}" + }, + { + "key": "Content-Type", + "value": "application/json" + } + ], + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1.1/gwConfigurations/", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.1", + "gwConfigurations", + "" + ] + } + }, + "response": [] + }, + { + "name": "DELETE gw configuration", + "request": { + "method": "DELETE", + "header": [ + { + "key": "X-chkp-sid", + "value": "{{session}}" + }, + { + "key": "Content-Type", + "value": "application/json" + } + ], + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1.1/gwConfigurations/", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.1", + "gwConfigurations", + "" + ] + } + }, + "response": [] + } + ], + "description": "Operations for configuring Gw Configurations in CME
(Previously known as \"templates\")." + }, + { + "name": "Accounts", + "item": [ + { + "name": "GET all accounts", + "request": { + "method": "GET", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "X-chkp-sid", + "value": "{{session}}" + } + ], + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1.1/accounts", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.1", + "accounts" + ] + } + }, + "response": [] + }, + { + "name": "GET account", + "request": { + "method": "GET", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "X-chkp-sid", + "value": "{{session}}" + } + ], + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1.1/accounts/", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.1", + "accounts", + "" + ] + } + }, + "response": [] + }, + { + "name": "DELETE account", + "request": { + "method": "DELETE", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "X-chkp-sid", + "value": "{{session}}" + } + ], + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1.1/accounts/", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.1", + "accounts", + "" + ] + } + }, + "response": [] + } + ], + "description": "Operations for configuring Accounts in CME
(Previously known as \"controllers\")." + }, + { + "name": "Management", + "item": [ + { + "name": "GET management", + "request": { + "method": "GET", + "header": [ + { + "key": "X-chkp-sid", + "value": "{{session}}" + }, + { + "key": "Content-Type", + "value": "application/json" + } + ], + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1.1/management", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.1", + "management" + ] + } + }, + "response": [] + }, + { + "name": "PUT set management", + "request": { + "method": "PUT", + "header": [ + { + "key": "X-chkp-sid", + "value": "{{session}}" + }, + { + "key": "Content-Type", + "value": "application/json" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"name\": \"PLEASE ENTER MANAGEMENT NAME\", //\"mgmt_name\"\r\n \"domain\": \"PLEASE ENTER DOMAIN NAME\" //\"myDomain\"\r\n}" + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1.1/management", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.1", + "management" + ] + } + }, + "response": [] + } + ], + "description": "Operations for configuring Management." 
+ }, + { + "name": "Azure", + "item": [ + { + "name": "POST Azure account", + "request": { + "method": "POST", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "X-chkp-sid", + "value": "{{session}}" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"name\": \"PLEASE ENTER ACCOUNT NAME\", //\"myAzureAccount\"\r\n \"subscription\": \"PLEASE ENTER SUBSCRIPTION\", //\"aaaa-aaaa-aaaa-aaaa-aaaa\"\r\n \"directory_id\": \"PLEASE ENTER DIRECTORY ID\", //\"bbbb-bbbb-bbbb-bbbb-bbbb\"\r\n \"application_id\": \"PLEASE ENTER APPLICATION ID\", //\"cccc-cccc-cccc-cccc-cccc\"\r\n \"client_secret\": \"PLEASE ENTER CLIENT SECRET\", //\"mySecret\"\r\n \"deletion_tolerance\": \"PLEASE ENTER DELETION TOLERANCE\", // 3\r\n \"domain\": \"PLEASE ENTER DOMAIN NAME\" //\"myDomain\"\r\n}", + "options": { + "raw": { + "language": "json" + } + } + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1.1/accounts/azure", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.1", + "accounts", + "azure" + ], + "query": [ + { + "key": "", + "value": null, + "disabled": true + } + ] + } + }, + "response": [] + }, + { + "name": "PUT set Azure account", + "request": { + "method": "PUT", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "X-chkp-sid", + "value": "{{session}}" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"subscription\": \"PLEASE ENTER SUBSCRIPTION\", //\"aaaa-aaaa-aaaa-aaaa-aaaa\"\r\n \"directory_id\": \"PLEASE ENTER DIRECTORY ID\", //\"bbbb-bbbb-bbbb-bbbb-bbbb\"\r\n \"application_id\": \"PLEASE ENTER APPLICATION ID\", //\"cccc-cccc-cccc-cccc-cccc\"\r\n \"client_secret\": \"PLEASE ENTER CLIENT SECRET\", //\"mySecret\"\r\n \"deletion_tolerance\": \"PLEASE ENTER DELETION TOLERANCE\", // 3\r\n \"domain\": \"PLEASE ENTER DOMAIN NAME\" //\"myDomain\"\r\n}", + "options": { + "raw": { + "language": "json" + } + } + }, + 
"url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1.1/accounts/azure/", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.1", + "accounts", + "azure", + "" + ] + } + }, + "response": [] + }, + { + "name": "POST add Azure gw configuration", + "request": { + "method": "POST", + "header": [ + { + "key": "X-chkp-sid", + "value": "{{session}}" + }, + { + "key": "Content-Type", + "value": "application/json" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"name\": \"PLEASE ENTER GATEWAY CONFIGURATION NAME\", //\"azureGwConfiguration\"\r\n \"base64_sic_key\": \"PLEASE ENTER ENCODED BASE64 SIC KEY\", //\"MTIzNDU2Nzg=\"\r\n \"version\": \"PLEASE ENTER GATEWAY VERSION\", //\"R81.20\"\r\n \"policy\": \"PLEASE ENTER POLICY NAME\", //\"Standard\"\r\n \"blades\": {\r\n \"identity-awareness\": true,\r\n \"application-control\": true\r\n },\r\n \"related_account\": \"PLEASE ENTER RELATED ACCOUNT\", //\"azure-account\"\r\n \"repository_gateway_scripts\": [\r\n {\r\n \"name\": \"PLEASE ENTER REPOSITORY GATEWAY SCRIPT NAME\", //\"repo_script\"\r\n \"parameters\": \"PLEASE ENTEAR PARAMETERS SEPARATED BY SPACE\" //\"param1 param2\"\r\n\r\n }\r\n ],\r\n \"send_logs_to_server\": \"PLEASE ENTER PRIMARY LOG SERVERS NAMES\", //\"[\"PLM1\", \"PLM_2\"]\"\r\n \"send_logs_to_backup_server\": \"PLEASE ENTER BACKUP LOG SERVERS NAMES\", //\"[\"BLM1\", \"BLM_2\"]\"\r\n \"send_alerts_to_server\": \"PLEASE ENTER ALERTS SERVERS NAMES\" //\"[\"ALM1\", \"ALM_2\"]\"\r\n}" + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1.1/gwConfigurations/azure", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.1", + "gwConfigurations", + "azure" + ] + } + }, + "response": [] + }, + { + "name": "PUT set Azure gw configuration", + "request": { + "method": "PUT", + "header": [ + { + "key": "X-chkp-sid", + "value": "{{session}}" + }, + { + "key": 
"Content-Type", + "value": "application/json" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"base64_sic_key\": \"PLEASE ENTER ENCODED BASE64 SIC KEY\", //\"MTIzNDU2Nzg=\"\r\n \"version\": \"PLEASE ENTER GATEWAY VERSION\", //\"R81.20\"\r\n \"policy\": \"PLEASE ENTER POLICY NAME\", //\"Standard\"\r\n \"blades\": {\r\n \"identity-awareness\": false,\r\n \"https-inspection\": true,\r\n \"anti-virus\": true\r\n },\r\n \"repository_gateway_scripts\": [\r\n {\r\n \"name\": \"PLEASE ENTER REPOSITORY GATEWAY SCRIPT NAME\", //\"repo_script\"\r\n \"parameters\": \"PLEASE ENTEAR PARAMETERS SEPARATED BY SPACE\" //\"param1 param2\"\r\n\r\n }\r\n ],\r\n \"send_logs_to_server\": \"PLEASE ENTER PRIMARY LOG SERVERS NAMES\", //\"[\"PLM1\", \"PLM_2\"]\"\r\n \"send_logs_to_backup_server\": \"PLEASE ENTER BACKUP LOG SERVERS NAMES\", //\"[\"BLM1\", \"BLM_2\"]\"\r\n \"send_alerts_to_server\": \"PLEASE ENTER ALERTS SERVERS NAMES\" //\"[\"ALM1\", \"ALM_2\"]\"\r\n}" + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1.1/gwConfigurations/azure/", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.1", + "gwConfigurations", + "azure", + "" + ] + } + }, + "response": [] + } + ], + "description": "Operations in Azure cloud." 
+ }, + { + "name": "CME General Configuration", + "item": [ + { + "name": "GET delayCycle", + "request": { + "method": "GET", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "X-chkp-sid", + "value": "{{session}}" + } + ], + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1.1/generalConfiguration/delayCycle", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.1", + "generalConfiguration", + "delayCycle" + ] + } + }, + "response": [] + }, + { + "name": "PUT set delayCycle", + "request": { + "method": "PUT", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "X-chkp-sid", + "value": "{{session}}" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"delay_cycle\": \"PLEASE ENTER DELAY CYCLE\" // 20 \r\n}", + "options": { + "raw": { + "language": "json" + } + } + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1.1/generalConfiguration/delayCycle", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.1", + "generalConfiguration", + "delayCycle" + ] + } + }, + "response": [] + }, + { + "name": "GET cmeVersion", + "request": { + "method": "GET", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "X-chkp-sid", + "value": "{{session}}" + } + ], + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1.1/generalConfiguration/cmeVersion", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.1", + "generalConfiguration", + "cmeVersion" + ] + } + }, + "response": [] + }, + { + "name": "GET api-versions", + "request": { + "method": "GET", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "X-chkp-sid", + "value": "{{session}}" + } + ], + "url": { + "raw": 
"https://{{managementIP}}/web_api/v1.8/cme-api/v1.1/api-versions", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.1", + "api-versions" + ] + } + }, + "response": [] + } + ], + "description": "Operations for general CME configurations." + } + ] + }, + { + "name": "v1.2", + "item": [ + { + "name": "GCP", + "item": [ + { + "name": "POST add GCP account", + "request": { + "method": "POST", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "X-chkp-sid", + "value": "{{session}}" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"name\": \"PLEASE ENTER ACCOUNT NAME\", //\"account_name\"\r\n \"project_id\": \"PLEASE ENTER PROJECT ID\", //\"gcp_project_id\"\r\n \"credentials_file\": \"PLEASE ENTER CREDENTIALS FILE NAME\", //\"GCP_credentials_file_name\"\r\n \"credentials_data\": \"PLEASE ENTER CREDENTIALS DATA\", //\"ewogICJ0eXBlIjogInNlcnZpY2VfYWNjb3VudCIsCiAgInByb2plY3RfaWQiOiAibXktcHJvamVj...\"\r\n \"deletion_tolerance\": \"PLEASE ENTER DELETION TOLERANCE\", // 3\r\n \"domain\": \"PLEASE ENTER DOMAIN NAME (OPTIONAL IN MDS)\" //\"myDomain\"\r\n}", + "options": { + "raw": { + "language": "json" + } + } + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1.2/accounts/gcp", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.2", + "accounts", + "gcp" + ] + } + }, + "response": [] + }, + { + "name": "PUT set GCP account", + "request": { + "method": "PUT", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "X-chkp-sid", + "value": "{{session}}" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"project_id\": \"PLEASE ENTER PROJECT ID\", //\"gcp_project_id\"\r\n \"credentials_file\": \"PLEASE ENTER CREDENTIALS FILE NAME\", //\"GCP_credentials_file_name\"\r\n \"credentials_data\": \"PLEASE ENTER CREDENTIALS DATA\", 
//\"ewogICJ0eXBlIjogInNlcnZpY2VfYWNjb3VudCIsCiAgInByb2plY3RfaWQiOiAibXktcHJvamVj...\"\r\n \"deletion_tolerance\": \"PLEASE ENTER DELETION TOLERANCE\", // 3\r\n \"domain\": \"PLEASE ENTER DOMAIN NAME (OPTIONAL IN MDS)\" //\"myDomain\"\r\n}", + "options": { + "raw": { + "language": "json" + } + } + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1.2/accounts/gcp/", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.2", + "accounts", + "gcp", + "" + ] + } + }, + "response": [] + }, + { + "name": "POST add GCP gw configuration", + "request": { + "method": "POST", + "header": [ + { + "key": "X-chkp-sid", + "value": "{{session}}" + }, + { + "key": "Content-Type", + "value": "application/json" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"name\": \"PLEASE ENTER GATEWAY CONFIGURATION NAME\", //\"gcpGwConfiguration\"\r\n \"base64_sic_key\": \"PLEASE ENTER ENCODED BASE64 SIC KEY\", //\"MTIzNDU2Nzg=\"\r\n \"version\": \"PLEASE ENTER GATEWAY VERSION\", //\"R81.20\"\r\n \"policy\": \"PLEASE ENTER POLICY NAME\", //\"Standard\"\r\n \"section_name\": \"PLEASE ENTER SECTION NAME\", //\"sectionName\"\r\n \"x_forwarded_for\": \"PLEASE ENTER BOOLEAN VALUE FOR X FORWARDED FOR\", //true / false\r\n \"color\": \"PLEASE ENTER COLOR NAME\", //\"red\"\r\n \"blades\": {\r\n \"vpn\": true,\r\n \"url-filtering\": true\r\n },\r\n \"related_account\": \"PLEASE ENTER RELATED ACCOUNT\", //\"gcp-account\"\r\n \"repository_gateway_scripts\": [\r\n {\r\n \"name\": \"PLEASE ENTER REPOSITORY GATEWAY SCRIPT NAME\", //\"repo_script\"\r\n \"parameters\": \"PLEASE ENTEAR PARAMETERS SEPARATED BY SPACE\" //\"param1 param2\"\r\n\r\n }\r\n ],\r\n \"send_logs_to_server\": \"PLEASE ENTER PRIMARY LOG SERVERS NAMES\", //\"[\"PLM1\", \"PLM_2\"]\"\r\n \"send_logs_to_backup_server\": \"PLEASE ENTER BACKUP LOG SERVERS NAMES\", //\"[\"BLM1\", \"BLM_2\"]\"\r\n \"send_alerts_to_server\": \"PLEASE ENTER ALERTS SERVERS NAMES\", 
//\"[\"ALM1\", \"ALM_2\"]\"\r\n \"communication_with_servers_behind_nat\": \"PLEASE ENTER MANAGEMENT BEHIND NAT CONFIGURATION\" // \"according-to-topology | original-ip-only | translated-ip-only | use-management-settings\"\r\n}" + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1.2/gwConfigurations/gcp", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.2", + "gwConfigurations", + "gcp" + ] + } + }, + "response": [] + }, + { + "name": "PUT set GCP gw configuration", + "request": { + "method": "PUT", + "header": [ + { + "key": "X-chkp-sid", + "value": "{{session}}" + }, + { + "key": "Content-Type", + "value": "application/json" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"base64_sic_key\": \"PLEASE ENTER ENCODED BASE64 SIC KEY\", //\"MTIzNDU2Nzg=\"\r\n \"version\": \"PLEASE ENTER GATEWAY VERSION\", //\"R81.20\"\r\n \"policy\": \"PLEASE ENTER POLICY NAME\", //\"Standard\"\r\n \"section_name\": \"PLEASE ENTER SECTION NAME\", //\"sectionName\"\r\n \"x_forwarded_for\": \"PLEASE ENTER BOOLEAN VALUE FOR X FORWARDED FOR\", //true / false\r\n \"color\": \"PLEASE ENTER COLOR NAME\", //\"red\"\r\n \"blades\": {\r\n \"vpn\": true,\r\n \"url-filtering\": true\r\n },\r\n \"related_account\": \"PLEASE ENTER RELATED ACCOUNT\", //\"gcp-account\"\r\n \"repository_gateway_scripts\": [\r\n {\r\n \"name\": \"PLEASE ENTER REPOSITORY GATEWAY SCRIPT NAME\", //\"repo_script\"\r\n \"parameters\": \"PLEASE ENTEAR PARAMETERS SEPARATED BY SPACE\" //\"param1 param2\"\r\n\r\n }\r\n ],\r\n \"send_logs_to_server\": \"PLEASE ENTER PRIMARY LOG SERVERS NAMES\", //\"[\"PLM1\", \"PLM_2\"]\"\r\n \"send_logs_to_backup_server\": \"PLEASE ENTER BACKUP LOG SERVERS NAMES\", //\"[\"BLM1\", \"BLM_2\"]\"\r\n \"send_alerts_to_server\": \"PLEASE ENTER ALERTS SERVERS NAMES\", //\"[\"ALM1\", \"ALM_2\"]\"\r\n \"communication_with_servers_behind_nat\": \"PLEASE ENTER MANAGEMENT BEHIND NAT CONFIGURATION\" // 
\"according-to-topology | original-ip-only | translated-ip-only | use-management-settings\"\r\n}" + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1.2/gwConfigurations/gcp/", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.2", + "gwConfigurations", + "gcp", + "" + ] + } + }, + "response": [] + } + ], + "description": "Operations in GCP cloud." + }, + { + "name": "AWS", + "item": [ + { + "name": "POST add AWS account", + "request": { + "method": "POST", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "X-chkp-sid", + "value": "{{session}}" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"name\": \"PLEASE ENTER ACCOUNT NAME\", //\"myAwsAccount\"\r\n \"regions\": [\r\n \"eu-west-1\",\r\n \"us-east-2\"\r\n ],\r\n \"domain\": \"PLEASE ENTER DOMAIN NAME\", //\"myDomain\"\r\n \"credentials_file\": \"PLEASE ENTER CREDENTIALS FILE NAME\", //\"IAM\"\r\n \"access_key\": \"PLEASE ENTER ACCESS KEY\",\r\n \"secret_key\": \"PLEASE ENTER SECRET KEY\",\r\n \"sts_role\": \"PLEASE ENTER STS ROLE\",\r\n \"sts_external_id\": \"PLEASE ENTER STS EXTERNAL ID\",\r\n \"scan_gateways\": \"PLEASE SET TRUE OR FALSE\",\r\n \"scan_vpn\": \"PLEASE SET TRUE OR FALSE\",\r\n \"scan_load_balancers\": \"PLEASE SET TRUE OR FALSE\",\r\n \"scan_subnets\": \"PLEASE SET TRUE OR FALSE\",\r\n \"communities\": [\r\n \"community_a\",\r\n \"community_b\"\r\n ],\r\n \"deletion_tolerance\": \"PLEASE ENTER DELETION TOLERANCE\",\r\n \"sub_accounts\": [\r\n {\r\n \"name\": \"sub_account_a\",\r\n \"credentials_file\": \"AWS_credentials_file_name\"\r\n },\r\n {\r\n \"name\": \"sub_account_b\",\r\n \"access_key\": \"PLEASE ENTER ACCESS KEY\",\r\n \"secret_key\": \"PLEASE ENTER SECRET KEY\"\r\n },\r\n {\r\n \"name\": \"sub_account_c\",\r\n \"sts_role\": \"PLEASE ENTER STS ROLE\",\r\n \"sts_external_id\": \"PLEASE ENTER STS EXTERNAL ID\"\r\n }\r\n ]\r\n}", + "options": { + "raw": { + 
"language": "json" + } + } + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1.2/accounts/aws", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.2", + "accounts", + "aws" + ] + } + }, + "response": [] + }, + { + "name": "PUT set AWS account", + "request": { + "method": "PUT", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "X-chkp-sid", + "value": "{{session}}" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"regions\": [\r\n \"eu-west-1\",\r\n \"us-east-2\"\r\n ],\r\n \"domain\": \"PLEASE ENTER DOMAIN NAME\", //\"myDomain\"\r\n \"credentials_file\": \"PLEASE ENTER CREDENTIALS FILE NAME\", //\"IAM\"\r\n \"access_key\": \"PLEASE ENTER ACCESS KEY\",\r\n \"secret_key\": \"PLEASE ENTER SECRET KEY\",\r\n \"sts_role\": \"PLEASE ENTER STS ROLE\",\r\n \"sts_external_id\": \"PLEASE ENTER STS EXTERNAL ID\",\r\n \"scan_gateways\": \"PLEASE SET TRUE OR FALSE\",\r\n \"scan_vpn\": \"PLEASE SET TRUE OR FALSE\",\r\n \"scan_load_balancers\": \"PLEASE SET TRUE OR FALSE\",\r\n \"scan_subnets\": \"PLEASE SET TRUE OR FALSE\",\r\n \"communities\": [\r\n \"community_a\",\r\n \"community_b\"\r\n ],\r\n \"deletion_tolerance\": \"PLEASE ENTER DELETION TOLERANCE\",\r\n \"sub_accounts\": [\r\n {\r\n \"name\": \"sub_account_a\",\r\n \"credentials_file\": \"AWS_credentials_file_name\"\r\n },\r\n {\r\n \"name\": \"sub_account_b\",\r\n \"access_key\": \"PLEASE ENTER ACCESS KEY\",\r\n \"secret_key\": \"PLEASE ENTER SECRET KEY\"\r\n },\r\n {\r\n \"name\": \"sub_account_c\",\r\n \"sts_role\": \"PLEASE ENTER STS ROLE\",\r\n \"sts_external_id\": \"PLEASE ENTER STS EXTERNAL ID\"\r\n }\r\n ]\r\n}", + "options": { + "raw": { + "language": "json" + } + } + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1.2/accounts/aws/", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.2", + 
"accounts", + "aws", + "" + ] + } + }, + "response": [] + }, + { + "name": "POST add AWS gw configuration", + "request": { + "method": "POST", + "header": [ + { + "key": "X-chkp-sid", + "value": "{{session}}" + }, + { + "key": "Content-Type", + "value": "application/json" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"name\": \"PLEASE ENTER GATEWAY CONFIGURATION NAME\", //\"awsGwConfiguration\"\r\n \"base64_sic_key\": \"PLEASE ENTER ENCODED BASE64 SIC KEY\", //\"MTIzNDU2Nzg=\"\r\n \"version\": \"PLEASE ENTER GATEWAY VERSION\", //\"R81.20\"\r\n \"policy\": \"PLEASE ENTER POLICY NAME\", //\"Standard\"\r\n \"section_name\": \"PLEASE ENTER SECTION NAME\", //\"sectionName\"\r\n \"x_forwarded_for\": \"PLEASE ENTER BOOLEAN VALUE FOR X FORWARDED FOR\", //true / false\r\n \"color\": \"PLEASE ENTER COLOR NAME\", //\"red\"\r\n \"blades\": {\r\n \"ips\": true,\r\n \"anti-bot\": true,\r\n \"url-filtering\": true,\r\n \"https-inspection\": true\r\n },\r\n \"related_account\": \"PLEASE ENTER RELATED ACCOUNT\", //\"aws-account\"\r\n \"vpn_domain\": \"PLEASE ENTER VPN DOMAIN\",\r\n \"vpn_community\": \"PLEASE ENTER VPN COMMUNITY\",\r\n \"deployment_type\": \"PLEASE ENTER DEPLOYMENT TYPE\", //\"TGW\"\r\n \"tgw_static_routes\": \"PLEASE ENTER TGW STATIC ROUTES\", //\"10.0.0.0/16,10.100.0.0/16\"\r\n \"tgw_spoke_routes\": \"PLEASE ENTER TGW SPOKE ROUTES\", //\"192.168.100.0/24,192.168.200.0/24\"\r\n \"repository_gateway_scripts\": [\r\n {\r\n \"name\": \"PLEASE ENTER REPOSITORY GATEWAY SCRIPT NAME\", //\"repo_script\"\r\n \"parameters\": \"PLEASE ENTEAR PARAMETERS SEPARATED BY SPACE\" //\"param1 param2\"\r\n\r\n }\r\n ],\r\n \"send_logs_to_server\": \"PLEASE ENTER PRIMARY LOG SERVERS NAMES\", //\"[\"PLM1\", \"PLM_2\"]\"\r\n \"send_logs_to_backup_server\": \"PLEASE ENTER BACKUP LOG SERVERS NAMES\", //\"[\"BLM1\", \"BLM_2\"]\"\r\n \"send_alerts_to_server\": \"PLEASE ENTER ALERTS SERVERS NAMES\", //\"[\"ALM1\", \"ALM_2\"]\"\r\n \"communication_with_servers_behind_nat\": \"PLEASE 
ENTER MANAGEMENT BEHIND NAT CONFIGURATION\" // \"according-to-topology | original-ip-only | translated-ip-only | use-management-settings\"\r\n}" + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1.2/gwConfigurations/aws", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.2", + "gwConfigurations", + "aws" + ] + } + }, + "response": [] + }, + { + "name": "PUT set AWS gw configuration", + "request": { + "method": "PUT", + "header": [ + { + "key": "X-chkp-sid", + "value": "{{session}}" + }, + { + "key": "Content-Type", + "value": "application/json" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"base64_sic_key\": \"PLEASE ENTER ENCODED BASE64 SIC KEY\", //\"MTIzNDU2Nzg=\"\r\n \"version\": \"PLEASE ENTER GATEWAY VERSION\", //\"R81.20\"\r\n \"policy\": \"PLEASE ENTER POLICY NAME\", //\"Standard\"\r\n \"section_name\": \"PLEASE ENTER SECTION NAME\", //\"sectionName\"\r\n \"x_forwarded_for\": \"PLEASE ENTER BOOLEAN VALUE FOR X FORWARDED FOR\", //true / false\r\n \"color\": \"PLEASE ENTER COLOR NAME\", //\"red\"\r\n \"blades\": {\r\n \"ips\": true,\r\n \"anti-bot\": true,\r\n \"url-filtering\": true,\r\n \"https-inspection\": true\r\n },\r\n \"related_account\": \"PLEASE ENTER RELATED ACCOUNT\", //\"aws-account\"\r\n \"vpn_domain\": \"PLEASE ENTER VPN DOMAIN\",\r\n \"vpn_community\": \"PLEASE ENTER VPN COMMUNITY\",\r\n \"deployment_type\": \"PLEASE ENTER DEPLOYMENT TYPE\", //\"TGW\"\r\n \"tgw_static_routes\": [\r\n \"10.0.0.0/16\",\r\n \"10.100.0.0/16\"\r\n ],\r\n \"tgw_spoke_routes\": [\r\n \"192.168.100.0/24\",\r\n \"192.168.200.0/24\"\r\n ],\r\n \"repository_gateway_scripts\": [\r\n {\r\n \"name\": \"PLEASE ENTER REPOSITORY GATEWAY SCRIPT NAME\", //\"repo_script\"\r\n \"parameters\": \"PLEASE ENTEAR PARAMETERS SEPARATED BY SPACE\" //\"param1 param2\"\r\n\r\n }\r\n ],\r\n \"send_logs_to_server\": \"PLEASE ENTER PRIMARY LOG SERVERS NAMES\", //\"[\"PLM1\", \"PLM_2\"]\"\r\n 
\"send_logs_to_backup_server\": \"PLEASE ENTER BACKUP LOG SERVERS NAMES\", //\"[\"BLM1\", \"BLM_2\"]\"\r\n \"send_alerts_to_server\": \"PLEASE ENTER ALERTS SERVERS NAMES\" , //\"[\"ALM1\", \"ALM_2\"]\"\r\n \"communication_with_servers_behind_nat\": \"PLEASE ENTER MANAGEMENT BEHIND NAT CONFIGURATION\" // \"according-to-topology | original-ip-only | translated-ip-only | use-management-settings\"\r\n}" + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1.2/gwConfigurations/aws/", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.2", + "gwConfigurations", + "aws", + "" + ] + } + }, + "response": [] + } + ], + "description": "Operations in AWS cloud." + }, + { + "name": "Azure", + "item": [ + { + "name": "POST Azure account", + "request": { + "method": "POST", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "X-chkp-sid", + "value": "{{session}}" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"name\": \"PLEASE ENTER ACCOUNT NAME\", //\"myAzureAccount\"\r\n \"subscription\": \"PLEASE ENTER SUBSCRIPTION\", //\"aaaa-aaaa-aaaa-aaaa-aaaa\"\r\n \"directory_id\": \"PLEASE ENTER DIRECTORY ID\", //\"bbbb-bbbb-bbbb-bbbb-bbbb\"\r\n \"application_id\": \"PLEASE ENTER APPLICATION ID\", //\"cccc-cccc-cccc-cccc-cccc\"\r\n \"client_secret\": \"PLEASE ENTER CLIENT SECRET\", //\"mySecret\"\r\n \"deletion_tolerance\": \"PLEASE ENTER DELETION TOLERANCE\", // 3\r\n \"domain\": \"PLEASE ENTER DOMAIN NAME\", //\"myDomain\"\r\n \"environment\": \"PLEASE ENTER THE AZURE ENVIRONMENT\" //\"AzureCloud\",\"AzureChinaCloud\",\"AzureUSGovernment\"\r\n}", + "options": { + "raw": { + "language": "json" + } + } + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1.2/accounts/azure", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.2", + "accounts", + "azure" + ], + "query": [ + { + 
"key": "", + "value": null, + "disabled": true + } + ] + } + }, + "response": [] + }, + { + "name": "PUT set Azure account", + "request": { + "method": "PUT", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "X-chkp-sid", + "value": "{{session}}" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"subscription\": \"PLEASE ENTER SUBSCRIPTION\", //\"aaaa-aaaa-aaaa-aaaa-aaaa\"\r\n \"directory_id\": \"PLEASE ENTER DIRECTORY ID\", //\"bbbb-bbbb-bbbb-bbbb-bbbb\"\r\n \"application_id\": \"PLEASE ENTER APPLICATION ID\", //\"cccc-cccc-cccc-cccc-cccc\"\r\n \"client_secret\": \"PLEASE ENTER CLIENT SECRET\", //\"mySecret\"\r\n \"deletion_tolerance\": \"PLEASE ENTER DELETION TOLERANCE\", // 3\r\n \"domain\": \"PLEASE ENTER DOMAIN NAME\", //\"myDomain\"\r\n \"environment\": \"PLEASE ENTER THE AZURE ENVIRONMENT\" //\"AzureCloud\",\"AzureChinaCloud\",\"AzureUSGovernment\"\r\n}", + "options": { + "raw": { + "language": "json" + } + } + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1.2/accounts/azure/", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.2", + "accounts", + "azure", + "" + ] + } + }, + "response": [] + }, + { + "name": "POST add Azure gw configuration", + "request": { + "method": "POST", + "header": [ + { + "key": "X-chkp-sid", + "value": "{{session}}" + }, + { + "key": "Content-Type", + "value": "application/json" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"name\": \"PLEASE ENTER GATEWAY CONFIGURATION NAME\", //\"azureGwConfiguration\"\r\n \"base64_sic_key\": \"PLEASE ENTER ENCODED BASE64 SIC KEY\", //\"MTIzNDU2Nzg=\"\r\n \"version\": \"PLEASE ENTER GATEWAY VERSION\", //\"R81.20\"\r\n \"policy\": \"PLEASE ENTER POLICY NAME\", //\"Standard\"\r\n \"ipv6\": \"PLEASE ENTER BOLEAN VALUE FOR IPV6\", //true / false\r\n \"section_name\": \"PLEASE ENTER SECTION NAME\", //\"sectionName\"\r\n \"x_forwarded_for\": \"PLEASE ENTER 
BOOLEAN VALUE FOR X FORWARDED FOR\", //true / false\r\n \"color\": \"PLEASE ENTER COLOR NAME\", //\"red\"\r\n \"blades\": {\r\n \"identity-awareness\": true,\r\n \"application-control\": true\r\n },\r\n \"related_account\": \"PLEASE ENTER RELATED ACCOUNT\", //\"azure-account\"\r\n \"repository_gateway_scripts\": [\r\n {\r\n \"name\": \"PLEASE ENTER REPOSITORY GATEWAY SCRIPT NAME\", //\"repo_script\"\r\n \"parameters\": \"PLEASE ENTEAR PARAMETERS SEPARATED BY SPACE\" //\"param1 param2\"\r\n\r\n }\r\n ],\r\n \"send_logs_to_server\": \"PLEASE ENTER PRIMARY LOG SERVERS NAMES\", //\"[\"PLM1\", \"PLM_2\"]\"\r\n \"send_logs_to_backup_server\": \"PLEASE ENTER BACKUP LOG SERVERS NAMES\", //\"[\"BLM1\", \"BLM_2\"]\"\r\n \"send_alerts_to_server\": \"PLEASE ENTER ALERTS SERVERS NAMES\", //\"[\"ALM1\", \"ALM_2\"]\"\r\n \"communication_with_servers_behind_nat\": \"PLEASE ENTER MANAGEMENT BEHIND NAT CONFIGURATION\" // \"according-to-topology | original-ip-only | translated-ip-only | use-management-settings\"\r\n}" + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1.2/gwConfigurations/azure", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.2", + "gwConfigurations", + "azure" + ] + } + }, + "response": [] + }, + { + "name": "PUT set Azure gw configuration", + "request": { + "method": "PUT", + "header": [ + { + "key": "X-chkp-sid", + "value": "{{session}}" + }, + { + "key": "Content-Type", + "value": "application/json" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"base64_sic_key\": \"PLEASE ENTER ENCODED BASE64 SIC KEY\", //\"MTIzNDU2Nzg=\"\r\n \"version\": \"PLEASE ENTER GATEWAY VERSION\", //\"R81.20\"\r\n \"policy\": \"PLEASE ENTER POLICY NAME\", //\"Standard\"\r\n \"ipv6\": \"PLEASE ENTER BOLEAN VALUE FOR IPV6\", //true / false\r\n \"section_name\": \"PLEASE ENTER SECTION NAME\", //\"sectionName\"\r\n \"x_forwarded_for\": \"PLEASE ENTER BOOLEAN VALUE FOR X FORWARDED FOR\", //true / 
false\r\n \"color\": \"PLEASE ENTER COLOR NAME\", //\"red\"\r\n \"blades\": {\r\n \"identity-awareness\": false,\r\n \"https-inspection\": true,\r\n \"anti-virus\": true\r\n },\r\n \"related_account\": \"PLEASE ENTER RELATED ACCOUNT\", //\"azure-account\"\r\n \"repository_gateway_scripts\": [\r\n {\r\n \"name\": \"PLEASE ENTER REPOSITORY GATEWAY SCRIPT NAME\", //\"repo_script\"\r\n \"parameters\": \"PLEASE ENTEAR PARAMETERS SEPARATED BY SPACE\" //\"param1 param2\"\r\n\r\n }\r\n ],\r\n \"send_logs_to_server\": \"PLEASE ENTER PRIMARY LOG SERVERS NAMES\", //\"[\"PLM1\", \"PLM_2\"]\"\r\n \"send_logs_to_backup_server\": \"PLEASE ENTER BACKUP LOG SERVERS NAMES\", //\"[\"BLM1\", \"BLM_2\"]\"\r\n \"send_alerts_to_server\": \"PLEASE ENTER ALERTS SERVERS NAMES\", //\"[\"ALM1\", \"ALM_2\"]\"\r\n \"communication_with_servers_behind_nat\": \"PLEASE ENTER MANAGEMENT BEHIND NAT CONFIGURATION\" // \"according-to-topology | original-ip-only | translated-ip-only | use-management-settings\"\r\n}" + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1.2/gwConfigurations/azure/", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.2", + "gwConfigurations", + "azure", + "" + ] + } + }, + "response": [] + } + ], + "description": "Operations in Azure cloud." 
+ }, + { + "name": "Gw Configurations", + "item": [ + { + "name": "GET all gw configurations", + "request": { + "method": "GET", + "header": [ + { + "key": "X-chkp-sid", + "value": "{{session}}" + }, + { + "key": "Content-Type", + "value": "application/json" + } + ], + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1.2/gwConfigurations", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.2", + "gwConfigurations" + ] + } + }, + "response": [] + }, + { + "name": "GET gw configuration", + "request": { + "method": "GET", + "header": [ + { + "key": "X-chkp-sid", + "value": "{{session}}" + }, + { + "key": "Content-Type", + "value": "application/json" + } + ], + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1.2/gwConfigurations/", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.2", + "gwConfigurations", + "" + ] + } + }, + "response": [] + }, + { + "name": "DELETE gw configuration", + "request": { + "method": "DELETE", + "header": [ + { + "key": "X-chkp-sid", + "value": "{{session}}" + }, + { + "key": "Content-Type", + "value": "application/json" + } + ], + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1.2/gwConfigurations/", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.2", + "gwConfigurations", + "" + ] + } + }, + "response": [] + } + ], + "description": "Operations for configuring Gw Configurations in CME
(Previously known as \"templates\")." + }, + { + "name": "Accounts", + "item": [ + { + "name": "GET all accounts", + "request": { + "method": "GET", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "X-chkp-sid", + "value": "{{session}}" + } + ], + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1.2/accounts", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.2", + "accounts" + ] + } + }, + "response": [] + }, + { + "name": "GET account", + "request": { + "method": "GET", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "X-chkp-sid", + "value": "{{session}}" + } + ], + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1.2/accounts/", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.2", + "accounts", + "" + ] + } + }, + "response": [] + }, + { + "name": "DELETE account", + "request": { + "method": "DELETE", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "X-chkp-sid", + "value": "{{session}}" + } + ], + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1.2/accounts/", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.2", + "accounts", + "" + ] + } + }, + "response": [] + } + ], + "description": "Operations for configuring Accounts in CME
(Previously known as \"controllers\")." + }, + { + "name": "Management", + "item": [ + { + "name": "GET management", + "request": { + "method": "GET", + "header": [ + { + "key": "X-chkp-sid", + "value": "{{session}}" + }, + { + "key": "Content-Type", + "value": "application/json" + } + ], + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1.2/management", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.2", + "management" + ] + } + }, + "response": [] + }, + { + "name": "PUT set management", + "request": { + "method": "PUT", + "header": [ + { + "key": "X-chkp-sid", + "value": "{{session}}" + }, + { + "key": "Content-Type", + "value": "application/json" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"name\": \"PLEASE ENTER MANAGEMENT NAME\", //\"mgmt_name\"\r\n \"domain\": \"PLEASE ENTER DOMAIN NAME\" //\"myDomain\"\r\n}" + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1.2/management", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.2", + "management" + ] + } + }, + "response": [] + } + ], + "description": "Operations for configuring Management." 
+ }, + { + "name": "CME General Configuration", + "item": [ + { + "name": "GET delayCycle", + "request": { + "method": "GET", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "X-chkp-sid", + "value": "{{session}}" + } + ], + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1.2/generalConfiguration/delayCycle", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.2", + "generalConfiguration", + "delayCycle" + ] + } + }, + "response": [] + }, + { + "name": "PUT set delayCycle", + "request": { + "method": "PUT", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "X-chkp-sid", + "value": "{{session}}" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"delay_cycle\": \"PLEASE ENTER DELAY CYCLE\" // 20 \r\n}", + "options": { + "raw": { + "language": "json" + } + } + }, + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1.2/generalConfiguration/delayCycle", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.2", + "generalConfiguration", + "delayCycle" + ] + } + }, + "response": [] + }, + { + "name": "GET cmeVersion", + "request": { + "method": "GET", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "X-chkp-sid", + "value": "{{session}}" + } + ], + "url": { + "raw": "https://{{managementIP}}/web_api/v1.8/cme-api/v1.2/generalConfiguration/cmeVersion", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.2", + "generalConfiguration", + "cmeVersion" + ] + } + }, + "response": [] + }, + { + "name": "GET api-versions", + "request": { + "method": "GET", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "X-chkp-sid", + "value": "{{session}}" + } + ], + "url": { + "raw": 
"https://{{managementIP}}/web_api/v1.8/cme-api/v1.2/api-versions", + "protocol": "https", + "host": [ + "{{managementIP}}" + ], + "path": [ + "web_api", + "v1.8", + "cme-api", + "v1.2", + "api-versions" + ] + } + }, + "response": [] + } + ], + "description": "Operations for general CME configurations." + } + ] + } + ], + "event": [ + { + "listen": "prerequest", + "script": { + "type": "text/javascript", + "exec": [ + "pm.test(\"Check for collectionVariables\", function () {", + " let vars = ['managementIP', 'user', 'password'];", + " vars.forEach(function (item, index, array) {", + " console.log(item, index);", + " pm.expect(pm.collectionVariables.get(item), item + \" variable not set\").to.not.be.undefined;", + " pm.expect(pm.collectionVariables.get(item), item + \" variable not set\").to.not.be.empty; ", + " });", + "", + " if (!pm.collectionVariables.get(\"session\") || Date.now() > new Date(pm.collectionVariables.get(\"sessionTimeout\") * 1000)) {", + " pm.sendRequest({", + " url: 'https://' + pm.collectionVariables.get(\"managementIP\") + '/web_api/v1.8/login',", + " method: 'POST',", + " header: 'Content-Type: application/json', // Set the Content-Type header to application/json", + " body: {", + " mode: 'raw', // Use raw body mode", + " raw: JSON.stringify({ // Convert the object to JSON string", + " user: pm.collectionVariables.get(\"user\"),", + " password: pm.collectionVariables.get(\"password\")", + " })", + " }", + " }, function (err, res) {", + " if (err) {", + " console.log(err);", + " } else {", + " let resJson = res.json();", + " pm.collectionVariables.set(\"sessionTimeout\", resJson[\"session-timeout\"]);", + " pm.collectionVariables.set(\"session\", resJson.sid);", + " }", + " });", + " }", + "});" + ] + } + }, + { + "listen": "test", + "script": { + "type": "text/javascript", + "exec": [ + "" + ] + } + } + ], + "variable": [ + { + "key": "managementIP", + "value": "" + }, + { + "key": "user", + "value": "", + "type": "string" + }, + { + "key": 
"password",
+ "value": "",
+ "type": "string"
+ },
+ {
+ "key": "session",
+ "value": "",
+ "type": "string"
+ },
+ {
+ "key": "sessionTimeout",
+ "value": "600",
+ "type": "string"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/common/cme_api_postman/README.md b/common/cme_api_postman/README.md
new file mode 100755
index 00000000..0b513eb0
--- /dev/null
+++ b/common/cme_api_postman/README.md
@@ -0,0 +1,19 @@
+# CME API Postman
+Postman is a popular API client that makes it easy for developers to create, share, test and document APIs.
+Postman can import and export Postman data, including collections, environments, data dumps, and globals.
+## How to set CME-API environment in Postman
+In order to set your Postman to use CME-API we created a data file for you to import:
+
+### CME-API collection
+1. Open Postman.
+2. Click Import in the upper-left corner
+(You can import your data via files, folders, links, raw text, or GitHub repositories)
+4. Load the "cme_api.postman_collection.json" file and click "Import"
+
+## How to use it
+After importing the CME-API collection, click on the “cme_api” collection at the left bar and then on the “Variables” tab.
+You need to set the current value of “managementIP", “user” and “password” variables.
+If you used previously the CME_API Environment variables, please go to the Environments tab and uncheck it.
+
+Now, for each API call you make, a login to your server will be done if needed and the session key will automatically be saved into the session variable,
+All you need to do now is update body values of your requests according to your need.
\ No newline at end of file
diff --git a/common/cme_xff_inject.sh b/common/cme_xff_inject.sh
new file mode 100644
index 00000000..b82f23b1
--- /dev/null
+++ b/common/cme_xff_inject.sh
@@ -0,0 +1,7 @@
+#! /bin/bash
+
+# This script activates XFF injection on the gateways
+# For more information about XFF injection, see https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk167578&partition=Advanced&product=Security
+
+fw ctl set int inject_xff_header_activated 1
+echo "inject_xff_header_activated=1" >> $FWDIR/modules/fwkern.conf
\ No newline at end of file
diff --git a/common/custom-management-script.py b/common/custom-management-script.py
new file mode 100755
index 00000000..8b53028c
--- /dev/null
+++ b/common/custom-management-script.py
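Review bot: The append on the last line of cme_xff_inject.sh is unconditional and `$FWDIR` is unquoted, so every re-run adds another `inject_xff_header_activated=1` line to fwkern.conf, and an unset FWDIR would write to `/modules/fwkern.conf` instead. Guard both: `: "${FWDIR:?FWDIR is not set}"` before the commands, and `grep -qx 'inject_xff_header_activated=1' "$FWDIR/modules/fwkern.conf" || echo "inject_xff_header_activated=1" >> "$FWDIR/modules/fwkern.conf"` for the persist step. The exit status of `fw ctl set int ...` is also not checked; `set -e` at the top would stop a failed runtime change from being followed by the persistent write.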
@@ -0,0 +1,128 @@
+#!/usr/bin/env python3
+
+# custom-script version 1
+# Written by: Check Point Software Technologies LTD
+
+# Instructions:
+# In order to use custom management script refer to: Cloud Management Extension R80.10 and Higher Administration Guide
+# The script runs on the Security Management server just after the policy is installed when a gateway is provisioned,
+# and at the beginning of the deprovisioning process.
+# Important: This is a placeholder script, and you should implement __add and __delete functions.
+
+import collections
+import os
+import subprocess
+import sys
+import traceback
+import logging
+from logging.handlers import RotatingFileHandler
+
+
+class ACTION(set):
+ ADD = 'add'
+ DELETE = 'delete'
+
+
+def __get_parent_path():
+ full_path = os.path.realpath(__file__)
+ return f'{os.path.split(full_path)[0]}'
+
+
+# logger variables
+LOGGER_PATH = '/var/log/CPcme/custom-script.log'
+logger = None
+
+
+def __set_logger():
+ """
+ Setting logger to write all output to custom-script.log file and to the console at the same time
+ :return: nothing
+ """
+ global logger
+
+ # create a file handler
+ handler = RotatingFileHandler(LOGGER_PATH, mode='a', maxBytes=1024, backupCount=2, encoding=None, delay=0)
+ handler.setLevel(logging.INFO)
+
+ # create a logging format
+ formatter = logging.Formatter('%(asctime)s %(levelname)s - %(message)s')
+ handler.setFormatter(formatter)
+
+ logger = logging.getLogger("custom-script-logger")
+ logger.setLevel(logging.INFO)
+
+ # add the file handler to the logger
+ logger.addHandler(handler)
+
+ # Print also to the console (will also be printed in /var/log/CPcme/cme.log when run by the CME)
+ logger.addHandler(logging.StreamHandler(sys.stdout))
+
+
+def __parse_arguments(args):
+ logger.info('Starting to parse parameters.')
+ args_count = len(args)
+ if args_count < 3:
+ logger.error('Error: missing action (add/delete) and/or security gateway name')
+ sys.exit(1)
+
+ action = args[1]
+ gateway_name =
args[2]
+
+ if action != ACTION.ADD and action != ACTION.DELETE:
+ logger.error(f'Error: unknown action: {action}. action must be add or delete')
+
+ logger.info(f'action: {action}')
+ logger.info(f'gateway_name: {gateway_name}')
+
+ script_args = args[3:]
+ for i, arg in enumerate(script_args):
+ logger.info(f'args[{i}]: {script_args[i]}')
+
+ logger.info('Parsing completed.')
+
+ return action, gateway_name, script_args
+
+
+def __add(gateway_name, script_args: list):
+ """
+ Being called when:
+ 1. Security Gateway is added
+ 2. After the following updates:
+ - Generation value modification in CME template
+ - Load Balancer configuration change when the auto-nat feature is enabled (enabled by default in AWS)
+ In the case of the above updates, the __delete function will be called and afterwards the __add function
+ """
+ logger.info(f'Starting add for gateway: {gateway_name}')
+ # TODO - put your custom add code here
+
+
+def __delete(gateway_name, script_args: list):
+ """
+ Being called when:
+ 1. Security Gateway is deleted
+ 2. After the following updates:
+ - Generation value modification in CME template
+ - Load Balancer configuration change when the auto-nat feature is enabled (enabled by default in AWS)
+ In the case of the above updates, the __delete function will be called and afterwards the __add function
+ """
+ logger.info(f'Starting delete for gateway: {gateway_name}')
+ # TODO - put your custom delete code here
+
+
+def main():
+ __set_logger()
+ action, gateway_name, script_args = __parse_arguments(sys.argv)
+
+ try:
+ if action == ACTION.ADD:
+ return __add(gateway_name, script_args)
+
+ if action == ACTION.DELETE:
+ return __delete(gateway_name, script_args)
+ except:
+ logger.error('Error: ' + str(sys.exc_info()[1]))
+ sys.exit(1)
+
+
+if __name__ == '__main__':
+ main()
diff --git a/common/custom_scripts/README.md b/common/custom_scripts/README.md
new file mode 100644
index 00000000..bb1651da
--- /dev/null
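Review bot: In `__parse_arguments`, an action that is neither add nor delete is only logged — the `if action != ACTION.ADD and action != ACTION.DELETE:` branch needs a `sys.exit(1)` after its `logger.error(...)` call, otherwise `main()` falls through both `if` branches and exits 0 having done nothing. The bare `except:` in `main()` also swallows SystemExit and KeyboardInterrupt; `except Exception:` with `logger.exception('Error:')` keeps the traceback in the log instead of only `str(sys.exc_info()[1])`. `maxBytes=1024` on the RotatingFileHandler rotates after roughly a dozen lines, which with `backupCount=2` discards most of a single run's output, so a value such as `1024 * 1024` looks intended. `collections`, `subprocess` and `traceback` are imported but unused in this hunk.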
+++ b/common/custom_scripts/README.md
@@ -0,0 +1,21 @@
+# Custom Scripts
+This folder contains custom scripts that can be uploaded in the "Bootstrap scripts" option when deploying a resource via a template.
+
+---
+## password_script.sh - Password Change Script
+
+This script is designed to be used on Check Point's solutions that do not have the option to add a password for the Gaia machine.
+It allows you to configure the desired password for logging in to the Gaia Portal, it will be run during the deployment process.
+
+### Usage
+
+To use this script, follow these steps:
+1. Get the desired password hash by running the following command: `openssl passwd -6 YOUR_PASSWORD` change `YOUR_PASSWORD` to the designed password.
+2. Edit the script file and replace the placeholder "" with the hash value from step 1.
+3. Save the modified script file.
+4. Upload the script file to the "Bootstrap script" option during the deployment process.
+
+The script will be executed during the deployment process, and the specified password will be set for logging in to the Gaia Portal
+
+---
+
diff --git a/common/custom_scripts/password_script.sh b/common/custom_scripts/password_script.sh
new file mode 100644
index 00000000..2b60030a
--- /dev/null
+++ b/common/custom_scripts/password_script.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+HASHED_PASSWORD=""
+
+# Unlock Database
+clish -c "lock database override"
+# Set password
+clish -c "set user admin password-hash $HASHED_PASSWORD" -s
+
+
diff --git a/common/maintenance_mode/README.md b/common/maintenance_mode/README.md
new file mode 100755
index 00000000..3afd323e
--- /dev/null
+++ b/common/maintenance_mode/README.md
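Review bot: `HASHED_PASSWORD=""` in password_script.sh is the placeholder the README tells the user to replace, but nothing verifies that it was, so an unedited script still runs `clish -c "set user admin password-hash " -s` and what clish does with an empty hash is left to chance. Add a guard right after the assignment: `[ -n "$HASHED_PASSWORD" ] || { echo "HASHED_PASSWORD is not set" >&2; exit 1; }`. The first clish call's result is also unchecked before the second one saves with `-s`; `set -e` at the top keeps a failed `lock database override` from being followed by the save.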
@@ -0,0 +1,19 @@
+# Maintenance mode
+The Maintenance Mode boot option is known on UNIX systems as 'single-user mode'. In this mode, a Virtual Machine (VM) boots to run level 1. The local file systems will be mounted, but the network will not be activated.
+
+## Configuration
+The configuration below related to Azure and Google Cloud Platform (GCP).
+### How to enter maintenance mode
+1. Connect to the VM (with SSH client or serial console).
+2. Back up /boot/grub/grub.conf
+3. Run: cp /boot/grub/grub.conf /boot/grub/grub.conf.backup
+4. Copy grub.conf from this directory and place it in /boot/grub/
+5. Reboot the VM.
+6. After it boots, click on Serial Console to enter maintenance mode.
+
+### How to return to normal mode
+1. Connect to the serial console.
+2. Rename the backup file as grub.conf
+3. Run: mv /boot/grub/grub.conf.backup /boot/grub/grub.conf
+4. Reboot the VM.
+5. After the boot, your VM is in normal mode.
\ No newline at end of file
diff --git a/common/maintenance_mode/grub.conf b/common/maintenance_mode/grub.conf
new file mode 100755
index 00000000..729d4216
--- /dev/null
+++ b/common/maintenance_mode/grub.conf
@@ -0,0 +1,11 @@
+default=0
+vmalloc=338M
+timeout=10
+serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1
+terminal --timeout=0 serial console
+hiddenmenu
+menutitle=Check Point Gaia R81
+title Start in maintenance mode 64bit
+ root (hd0,0)
+ kernel /vmlinuz-x86_64 ro root=/dev/vg_splat/lv_current vmalloc=338M rootdelay=300 panic=15 console=ttyS0 earlyprintk=ttyS0 numa=off debug 7 single
+ initrd /initrd-x86_64
diff --git a/common/simulate_cpu_load.sh b/common/simulate_cpu_load.sh
new file mode 100644
index 00000000..d0dcb0de
--- /dev/null
+++ b/common/simulate_cpu_load.sh
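Review bot: The only menu entry boots with `... console=ttyS0 earlyprintk=ttyS0 numa=off debug 7 single`, and `hiddenmenu` plus `default=0` make it unconditional, so for as long as this file sits in /boot/grub every reboot lands in single-user mode on the serial console — which on most Linux layouts means a root shell with no login for whoever can open the cloud serial console. The file itself should say so, e.g. `# Maintenance (single-user) boot: drops to a root shell on ttyS0 without authentication. Restore grub.conf.backup as soon as the work is done and restrict serial-console access (cloud RBAC) meanwhile.`. `menutitle=Check Point Gaia R81`, `/vmlinuz-x86_64` and `vmalloc=338M` are fixed to one release and kernel layout; a comment that these must match the installed image would save an unbootable VM on other versions. The README steps this file accompanies also repeat the backup instruction (steps 2 and 3 say the same thing), but that is documentation and outside this hunk.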
@@ -0,0 +1,11 @@
+#!/bin/bash
+ncores="$(cat /proc/cpuinfo | grep vendor_id | wc -l)"
+PIDS=()
+for i in $(seq $ncores)
+ do
+ taskset ff dd if=/dev/zero of=/dev/null &
+ PIDS+=($!)
+ done
+echo "Load started"
+read -n1 -r -p "Press any key to stop the load..." key
+kill ${PIDS[@]}
diff --git a/common/static_route_config.sh b/common/static_route_config.sh
new file mode 100755
index 00000000..feb3dcd5
--- /dev/null
+++ b/common/static_route_config.sh
@@ -0,0 +1,13 @@
+#! /bin/bash
+
+#External Application gateway subnet address, for example 10.1.2.0/24
+EXTERNAL_AGW_SUBNET_CIDR=<>
+
+#VMSS frontend subnet default gateway.
+#For each Azure subnet the IP Address x.x.x.1 is reserved for the default gateway
+# https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq#are-there-any-restrictions-on-using-ip-addresses-within-these-subnets
+EXTERNAL_VMSS_SUBNET_DEFAULT_GATEWAY=<>
+
+clish -c "lock database override"
+
+clish -s -c "set static-route $EXTERNAL_AGW_SUBNET_CIDR nexthop gateway address $EXTERNAL_VMSS_SUBNET_DEFAULT_GATEWAY on"
diff --git a/common/vwan_postman/README.md b/common/vwan_postman/README.md
new file mode 100644
index 00000000..70d250bc
--- /dev/null
+++ b/common/vwan_postman/README.md
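Review bot: `taskset ff dd if=/dev/zero of=/dev/null &` pins every worker to affinity mask 0xff, i.e. CPUs 0–7, so on a host with more than eight cores all `ncores` workers compete for the first eight and the remaining cores see no load at all; pin each worker to its own core instead, `taskset -c "$((i-1))" dd if=/dev/zero of=/dev/null &`. The workers are reaped only by the final `kill ${PIDS[@]}`, so a Ctrl-C at the `read` prompt or a dropped SSH session leaves `ncores` busy-looping `dd` processes behind on a gateway — add `trap 'kill "${PIDS[@]}" 2>/dev/null' EXIT INT TERM` right after `PIDS=()` and quote the expansion in the final kill. `cat /proc/cpuinfo | grep vendor_id | wc -l` can be `nproc`, and a one-line header comment stating that this is a load generator for testing and must not be left running on production would help the next reader.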
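Review bot: Neither clish exit status is checked and `EXTERNAL_AGW_SUBNET_CIDR` / `EXTERNAL_VMSS_SUBNET_DEFAULT_GATEWAY` are never validated before being spliced into `clish -s -c "set static-route ... on"`, so when this runs unattended at bootstrap a typo either installs and persists a route to the wrong prefix or fails silently; add `set -euo pipefail` after the shebang and a shape check such as `[[ $EXTERNAL_AGW_SUBNET_CIDR =~ ^[0-9.]+/[0-9]{1,2}$ && $EXTERNAL_VMSS_SUBNET_DEFAULT_GATEWAY =~ ^[0-9.]+$ ]] || { echo "subnet/gateway not set correctly" >&2; exit 1; }` before the route is set. An unedited `=<>` placeholder should be rejected by bash as a syntax error (`<>` with no filename), which is a reasonable failure mode, but a comment saying the values are mandatory would make that intentional rather than accidental. `lock database override` takes the configuration lock from any other administrator session without warning — presumably acceptable during deployment, but worth a comment stating that assumption.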
@@ -0,0 +1,66 @@
+# Postman Collection for Azure Virtual Network Management
+
+This Postman collection provides a set of APIs for managing Azure Virtual Network resources. The collection includes the following categories:
+
+## Virtual WANs
+
+- **GET All Virtual Wans in resourceGroup**: Retrieves a list of all virtual WANs in a specified resource group.
+- **GET All Virtual Wans in subscription**: Retrieves a list of all virtual WANs in a specified subscription.
+- **GET Virtual Wan**: Retrieves details of a specific virtual WAN.
+- **DEL Virtual Wan**: Deletes a specific virtual WAN.
+- **PATCH Update Tags for vWAN**: Updates the tags for a specific virtual WAN.
+- **PUT Virtual Wan**: Creates or updates a virtual WAN.
+
+## Virtual Hubs
+- **GET Virtual Hub**: Retrieves details of a specific virtual hub.
+- **PUT Virtual Hub - Create Or Update**: Creates or updates a virtual hub.
+- **GET All Virtual Hubs in resourceGroup**: Retrieves a list of all virtual hubs in a specified resource group.
+- **GET All Virtual Hubs in subscription**: Retrieves a list of all virtual hubs in a specified subscription.
+- **PATCH Update Tags for vHub**: Updates the tags for a specific virtual hub.
+### Hub Route Tables
+
+- **GET Route Table**: Retrieves details of a specific route table associated with a virtual hub.
+- **PUT Route Table - Create Or Update**: Creates or updates a route table associated with a virtual hub.
+- **DEL Route Table**: Deletes a specific route table associated with a virtual hub.
+- **GET All Route Tables**: Retrieves a list of all route tables associated with a virtual hub.
+
+### Hub Virtual Network Connections
+
+- **GET Virtual Network Connections**: Retrieves details of a specific virtual network connection associated with a virtual hub.
+- **PUT Virtual Network Connections - Create Or Update**: Creates or updates a virtual network connection associated with a virtual hub.
+- **DEL Virtual Network Connections**: Deletes a specific virtual network connection associated with a virtual hub.
+- **GET All Virtual Network Connections**: Retrieves a list of all virtual network connections associated with a virtual hub.
+
+- **POST Effective Routes**: Creates or updates a ExpressRoute gateway in a specified resource group.
+
+## Routing Intent
+
+- **PUT Routing Intent**: Creates or updates a routing intent for a specific virtual hub.
+- **GET Routing Intent**: Retrieves the routing intent for a specific virtual hub.
+- **DEL Routing Intent**: Deletes a specific routing intent for a specific virtual hub.
+
+## VPN Sites
+
+- **GET VPN Site**: Retrieves details of a specific VPN site.
+- **GET All VPN Sites in resourceGroup**: Retrieves a list of all VPN sites in a specified resource group.
+- **GET All VPN Sites in subscription**: Retrieves a list of all VPN sites in a specified subscription.
+
+## Network Virtual Appliance (NVA)
+
+- **DEL NVA**: Deletes a specific Network Virtual Appliance.
+- **GET NVA**: Retrieves details of a specific Network Virtual Appliance.
+- **GET All NVAs**: Retrieves a list of all Network Virtual Appliances in a resource group.
+
+## Security Rule
+
+- **PUT Inbound Security Rule - Create Or Update**: Creates or updates an inbound security rule.
+
+## Usage
+
+To use this collection, you will need to set up a Virtual Network environment and have the appropriate credentials in your subscription to manage Virtual Network resources. You will also need to import the collection into Postman and configure the variables in the collection with your Azure credentials.
+
+Once you have configured the environment variables, you can use the collection to manage your Virtual Network resources.
+
+## Contributing
+
+If you find any issues with this collection or would like to suggest an improvement, please feel free to open an issue or submit a pull request. We welcome contributions from the community!
\ No newline at end of file
diff --git a/common/vwan_postman/vwan.postman_collection.json b/common/vwan_postman/vwan.postman_collection.json
new file mode 100755
index 00000000..022302cb
--- /dev/null
+++ b/common/vwan_postman/vwan.postman_collection.json
@@ -0,0 +1,1307 @@ +{ + "info": { + "_postman_id": "f0e0ca41-ec67-4f50-9c4d-930a7f3fcaab", + "name": "Azure Virtual WAN - REST APIs", + "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json", + "_exporter_id": "20296973" + }, + "item": [ + { + "name": "Virtual WANs", + "item": [ + { + "name": "All Virtual Wans in resourceGroup", + "request": { + "method": "GET", + "header": [], + "url": { + "raw": "https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupID}}/providers/Microsoft.Network/virtualWans?api-version={{apiVersion}}", + "protocol": "https", + "host": [ + "management", + "azure", + "com" + ], + "path": [ + "subscriptions", + "{{subscriptionId}}", + "resourceGroups", + "{{resourceGroupID}}", + "providers", + "Microsoft.Network", + "virtualWans" + ], + "query": [ + { + "key": "api-version", + "value": "{{apiVersion}}" + } + ] + } + }, + "response": [] + }, + { + "name": "All Virtual Wans in subscription", + "request": { + "method": "GET", + "header": [], + "url": { + "raw": "https://management.azure.com/subscriptions/{{subscriptionId}}/providers/Microsoft.Network/virtualWans?api-version={{apiVersion}}", + "protocol": "https", + "host": [ + "management", + "azure", + "com" + ], + "path": [ + "subscriptions", + "{{subscriptionId}}", + "providers", + "Microsoft.Network", + "virtualWans" + ], + "query": [ + { + "key": "api-version", + "value": "{{apiVersion}}" + } + ] + } + }, + "response": [] + }, + { + "name": "Virtual Wan", + "request": { + "method": "GET", + "header": [], + "url": { + "raw": "https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupID}}/providers/Microsoft.Network/virtualWans/{{virtualWan}}?api-version={{apiVersion}}", + "protocol": "https", + "host": [ + "management", + "azure", + "com" + ], + "path": [ + "subscriptions", + "{{subscriptionId}}", + "resourceGroups", + "{{resourceGroupID}}", + "providers", + "Microsoft.Network", + "virtualWans", + 
"{{virtualWan}}" + ], + "query": [ + { + "key": "api-version", + "value": "{{apiVersion}}" + } + ] + } + }, + "response": [] + }, + { + "name": "Virtual Wan", + "request": { + "method": "DELETE", + "header": [], + "url": { + "raw": "https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupID}}/providers/Microsoft.Network/virtualWans/{{virtualWan}}?api-version={{apiVersion}}", + "protocol": "https", + "host": [ + "management", + "azure", + "com" + ], + "path": [ + "subscriptions", + "{{subscriptionId}}", + "resourceGroups", + "{{resourceGroupID}}", + "providers", + "Microsoft.Network", + "virtualWans", + "{{virtualWan}}" + ], + "query": [ + { + "key": "api-version", + "value": "{{apiVersion}}" + } + ] + } + }, + "response": [] + }, + { + "name": "Update Tags for vWAN", + "request": { + "method": "PATCH", + "header": [], + "body": { + "mode": "raw", + "raw": "{\r\n \"tags\": {\r\n \"key1\": \"value1\",\r\n \"key2\": \"value2\"\r\n }\r\n}", + "options": { + "raw": { + "language": "json" + } + } + }, + "url": { + "raw": "https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupID}}/providers/Microsoft.Network/virtualWans/{{virtualWan}}?api-version={{apiVersion}}", + "protocol": "https", + "host": [ + "management", + "azure", + "com" + ], + "path": [ + "subscriptions", + "{{subscriptionId}}", + "resourceGroups", + "{{resourceGroupID}}", + "providers", + "Microsoft.Network", + "virtualWans", + "{{virtualWan}}" + ], + "query": [ + { + "key": "api-version", + "value": "{{apiVersion}}" + } + ] + } + }, + "response": [] + }, + { + "name": "Virtual Wan", + "request": { + "method": "PUT", + "header": [], + "body": { + "mode": "raw", + "raw": "{\r\n \"location\": \"West US\",\r\n \"tags\": {\r\n \"key1\": \"value1\"\r\n },\r\n \"properties\": {\r\n \"disableVpnEncryption\": false,\r\n \"type\": \"Basic\"\r\n }\r\n}", + "options": { + "raw": { + "language": "json" + } + } + }, + "url": { + "raw": 
"https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupID}}/providers/Microsoft.Network/virtualWans/{{virtualWan}}?api-version={{apiVersion}}", + "protocol": "https", + "host": [ + "management", + "azure", + "com" + ], + "path": [ + "subscriptions", + "{{subscriptionId}}", + "resourceGroups", + "{{resourceGroupID}}", + "providers", + "Microsoft.Network", + "virtualWans", + "{{virtualWan}}" + ], + "query": [ + { + "key": "api-version", + "value": "{{apiVersion}}" + } + ] + } + }, + "response": [] + } + ] + }, + { + "name": "Virtual Hubs", + "item": [ + { + "name": "Hub Route Tables", + "item": [ + { + "name": "Route Table", + "request": { + "method": "GET", + "header": [], + "url": { + "raw": "https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupID}}/providers/Microsoft.Network/virtualHubs/{{hubName}}/hubRouteTables/{{hubRouteTable}}?api-version={{apiVersion}}", + "protocol": "https", + "host": [ + "management", + "azure", + "com" + ], + "path": [ + "subscriptions", + "{{subscriptionId}}", + "resourceGroups", + "{{resourceGroupID}}", + "providers", + "Microsoft.Network", + "virtualHubs", + "{{hubName}}", + "hubRouteTables", + "{{hubRouteTable}}" + ], + "query": [ + { + "key": "api-version", + "value": "{{apiVersion}}" + } + ] + } + }, + "response": [] + }, + { + "name": "Route Table - Create Or Update", + "request": { + "method": "PUT", + "header": [], + "body": { + "mode": "raw", + "raw": "{\r\n \"properties\": {\r\n \"routes\": [\r\n {\r\n \"name\": \"route1\",\r\n \"destinationType\": \"CIDR\",\r\n \"destinations\": [\r\n \"10.0.0.0/8\",\r\n \"20.0.0.0/8\",\r\n \"30.0.0.0/8\"\r\n ],\r\n \"nextHopType\": \"ResourceId\",\r\n \"nextHop\": \"/subscriptions/{{subscriptionId}}/resourcegroups/{{managedAppRG}}/providers/Microsoft.Network/networkVirtualAppliances/{{nvaName}}\"\r\n }\r\n ],\r\n \"labels\": [\r\n \"label1\",\r\n \"label2\"\r\n ]\r\n }\r\n}", + "options": { + "raw": { + "language": 
"json" + } + } + }, + "url": { + "raw": "https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupID}}/providers/Microsoft.Network/virtualHubs/{{hubName}}/hubRouteTables/{{hubRouteTable}}?api-version={{apiVersion}}", + "protocol": "https", + "host": [ + "management", + "azure", + "com" + ], + "path": [ + "subscriptions", + "{{subscriptionId}}", + "resourceGroups", + "{{resourceGroupID}}", + "providers", + "Microsoft.Network", + "virtualHubs", + "{{hubName}}", + "hubRouteTables", + "{{hubRouteTable}}" + ], + "query": [ + { + "key": "api-version", + "value": "{{apiVersion}}" + } + ] + } + }, + "response": [] + }, + { + "name": "Route Table", + "request": { + "method": "DELETE", + "header": [], + "url": { + "raw": "https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupID}}/providers/Microsoft.Network/virtualHubs/{{hubName}}/hubRouteTables/{{hubRouteTable}}?api-version={{apiVersion}}", + "protocol": "https", + "host": [ + "management", + "azure", + "com" + ], + "path": [ + "subscriptions", + "{{subscriptionId}}", + "resourceGroups", + "{{resourceGroupID}}", + "providers", + "Microsoft.Network", + "virtualHubs", + "{{hubName}}", + "hubRouteTables", + "{{hubRouteTable}}" + ], + "query": [ + { + "key": "api-version", + "value": "{{apiVersion}}" + } + ] + } + }, + "response": [] + }, + { + "name": "All Route Tables", + "request": { + "method": "GET", + "header": [], + "url": { + "raw": "https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupID}}/providers/Microsoft.Network/virtualHubs/{{hubName}}/hubRouteTables?api-version={{apiVersion}}", + "protocol": "https", + "host": [ + "management", + "azure", + "com" + ], + "path": [ + "subscriptions", + "{{subscriptionId}}", + "resourceGroups", + "{{resourceGroupID}}", + "providers", + "Microsoft.Network", + "virtualHubs", + "{{hubName}}", + "hubRouteTables" + ], + "query": [ + { + "key": "api-version", + "value": 
"{{apiVersion}}" + } + ] + } + }, + "response": [] + } + ] + }, + { + "name": "Hub Virtual Network Connections", + "item": [ + { + "name": "Virtual Network Connections", + "request": { + "method": "GET", + "header": [], + "url": { + "raw": "https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupID}}/providers/Microsoft.Network/virtualHubs/{{hubName}}/hubVirtualNetworkConnections/{{hubVirtualNetworkConnection}}?api-version={{apiVersion}}", + "protocol": "https", + "host": [ + "management", + "azure", + "com" + ], + "path": [ + "subscriptions", + "{{subscriptionId}}", + "resourceGroups", + "{{resourceGroupID}}", + "providers", + "Microsoft.Network", + "virtualHubs", + "{{hubName}}", + "hubVirtualNetworkConnections", + "{{hubVirtualNetworkConnection}}" + ], + "query": [ + { + "key": "api-version", + "value": "{{apiVersion}}" + } + ] + } + }, + "response": [] + }, + { + "name": "Virtual Network Connections - Create Or Update", + "request": { + "method": "PUT", + "header": [], + "body": { + "mode": "raw", + "raw": "{\r\n \"properties\": {\r\n \"remoteVirtualNetwork\": {\r\n \"id\": \"/subscriptions/{{remoteVnetSub}}/resourceGroups/{{remoteVnetRG}}/providers/Microsoft.Network/virtualNetworks/{{remoteVnetID}}\"\r\n },\r\n \"enableInternetSecurity\": false,\r\n \"routingConfiguration\": {\r\n \"associatedRouteTable\": {\r\n \"id\": \"/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupID}}//providers/Microsoft.Network/virtualHubs/{{hubName}}/hubRouteTables/{{hubRouteTable}}\"\r\n },\r\n \"propagatedRouteTables\": {\r\n \"labels\": [\r\n \"label1\",\r\n \"label2\"\r\n ],\r\n \"ids\": [\r\n {\r\n \"id\": \"/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupID}}//providers/Microsoft.Network/virtualHubs/{{hubName}}/hubRouteTables/{{hubRouteTable}}\"\r\n }\r\n ]\r\n },\r\n \"vnetRoutes\": {\r\n \"staticRoutesConfig\": {\r\n \"vnetLocalRouteOverrideCriteria\": \"Equal\"\r\n },\r\n \"staticRoutes\": [\r\n {\r\n 
\"name\": \"route1\",\r\n \"addressPrefixes\": [\r\n \"10.1.0.0/16\",\r\n \"10.2.0.0/16\"\r\n ],\r\n \"nextHopIpAddress\": \"10.0.0.68\"\r\n },\r\n {\r\n \"name\": \"route2\",\r\n \"addressPrefixes\": [\r\n \"10.3.0.0/16\",\r\n \"10.4.0.0/16\"\r\n ],\r\n \"nextHopIpAddress\": \"10.0.0.65\"\r\n }\r\n ]\r\n },\r\n \"inboundRouteMap\": {\r\n \"id\": \"/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupID}}//providers/Microsoft.Network/virtualHubs/{{hubName}}/routeMaps/{{routeMap}}\"\r\n },\r\n \"outboundRouteMap\": {\r\n \"id\": \"/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupID}}//providers/Microsoft.Network/virtualHubs/{{hubName}}/routeMaps/{{routeMap}}\"\r\n }\r\n }\r\n }\r\n}", + "options": { + "raw": { + "language": "json" + } + } + }, + "url": { + "raw": "https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupID}}/providers/Microsoft.Network/virtualHubs/{{hubName}}/hubVirtualNetworkConnections/{{hubVirtualNetworkConnection}}?api-version={{apiVersion}}", + "protocol": "https", + "host": [ + "management", + "azure", + "com" + ], + "path": [ + "subscriptions", + "{{subscriptionId}}", + "resourceGroups", + "{{resourceGroupID}}", + "providers", + "Microsoft.Network", + "virtualHubs", + "{{hubName}}", + "hubVirtualNetworkConnections", + "{{hubVirtualNetworkConnection}}" + ], + "query": [ + { + "key": "api-version", + "value": "{{apiVersion}}" + } + ] + } + }, + "response": [] + }, + { + "name": "Virtual Network Connections", + "request": { + "method": "DELETE", + "header": [], + "url": { + "raw": "https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupID}}/providers/Microsoft.Network/virtualHubs/{{hubName}}/hubVirtualNetworkConnections/{{hubVirtualNetworkConnection}}?api-version={{apiVersion}}", + "protocol": "https", + "host": [ + "management", + "azure", + "com" + ], + "path": [ + "subscriptions", + "{{subscriptionId}}", + "resourceGroups", + 
"{{resourceGroupID}}", + "providers", + "Microsoft.Network", + "virtualHubs", + "{{hubName}}", + "hubVirtualNetworkConnections", + "{{hubVirtualNetworkConnection}}" + ], + "query": [ + { + "key": "api-version", + "value": "{{apiVersion}}" + } + ] + } + }, + "response": [] + }, + { + "name": "All Virtual Network Connections", + "request": { + "method": "GET", + "header": [], + "url": { + "raw": "https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupID}}/providers/Microsoft.Network/virtualHubs/{{hubName}}/hubVirtualNetworkConnections?api-version={{apiVersion}}", + "protocol": "https", + "host": [ + "management", + "azure", + "com" + ], + "path": [ + "subscriptions", + "{{subscriptionId}}", + "resourceGroups", + "{{resourceGroupID}}", + "providers", + "Microsoft.Network", + "virtualHubs", + "{{hubName}}", + "hubVirtualNetworkConnections" + ], + "query": [ + { + "key": "api-version", + "value": "{{apiVersion}}" + } + ] + } + }, + "response": [] + } + ] + }, + { + "name": "Virtual Hub", + "request": { + "method": "GET", + "header": [], + "url": { + "raw": "https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupID}}/providers/Microsoft.Network/virtualHubs/{{hubName}}?api-version={{apiVersion}}", + "protocol": "https", + "host": [ + "management", + "azure", + "com" + ], + "path": [ + "subscriptions", + "{{subscriptionId}}", + "resourceGroups", + "{{resourceGroupID}}", + "providers", + "Microsoft.Network", + "virtualHubs", + "{{hubName}}" + ], + "query": [ + { + "key": "api-version", + "value": "{{apiVersion}}" + } + ] + } + }, + "response": [] + }, + { + "name": "Virtual Hub - Create Or Update", + "request": { + "method": "PUT", + "header": [], + "body": { + "mode": "raw", + "raw": "{\r\n \"location\": \"West US\",\r\n \"tags\": {\r\n \"key1\": \"value1\"\r\n },\r\n \"properties\": {\r\n \"virtualWan\": {\r\n \"id\": 
\"/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupID}}/providers/Microsoft.Network/virtualWans/{{virtualWan}}\"\r\n },\r\n \"addressPrefix\": \"10.168.0.0/24\",\r\n \"sku\": \"Basic\"\r\n }\r\n}", + "options": { + "raw": { + "language": "json" + } + } + }, + "url": { + "raw": "https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupID}}/providers/Microsoft.Network/virtualHubs/{{hubName}}?api-version={{apiVersion}}", + "protocol": "https", + "host": [ + "management", + "azure", + "com" + ], + "path": [ + "subscriptions", + "{{subscriptionId}}", + "resourceGroups", + "{{resourceGroupID}}", + "providers", + "Microsoft.Network", + "virtualHubs", + "{{hubName}}" + ], + "query": [ + { + "key": "api-version", + "value": "{{apiVersion}}" + } + ] + } + }, + "response": [] + }, + { + "name": "Effective Routes", + "request": { + "method": "POST", + "header": [], + "body": { + "mode": "raw", + "raw": "{\r\n \"resourceId\": \"/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupID}}//providers/Microsoft.Network/expressRouteGateways/{{expressRouteGatewayName}}/expressRouteConnections/{{expressRouteConnections}}>\",\r\n \"virtualWanResourceType\": \"ExpressRouteConnection\"\r\n}", + "options": { + "raw": { + "language": "json" + } + } + }, + "url": { + "raw": "https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupID}}/providers/Microsoft.Network/virtualHubs/{{hubName}}/effectiveRoutes?api-version={{apiVersion}}", + "protocol": "https", + "host": [ + "management", + "azure", + "com" + ], + "path": [ + "subscriptions", + "{{subscriptionId}}", + "resourceGroups", + "{{resourceGroupID}}", + "providers", + "Microsoft.Network", + "virtualHubs", + "{{hubName}}", + "effectiveRoutes" + ], + "query": [ + { + "key": "api-version", + "value": "{{apiVersion}}" + } + ] + } + }, + "response": [] + }, + { + "name": "All Virtual Hubs in resourceGroup", + "request": { + "method": "GET", + "header": 
[], + "url": { + "raw": "https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupID}}/providers/Microsoft.Network/virtualHubs?api-version={{apiVersion}}", + "protocol": "https", + "host": [ + "management", + "azure", + "com" + ], + "path": [ + "subscriptions", + "{{subscriptionId}}", + "resourceGroups", + "{{resourceGroupID}}", + "providers", + "Microsoft.Network", + "virtualHubs" + ], + "query": [ + { + "key": "api-version", + "value": "{{apiVersion}}" + } + ] + } + }, + "response": [] + }, + { + "name": "All Virtual Hubs in subscription", + "request": { + "method": "GET", + "header": [], + "url": { + "raw": "https://management.azure.com/subscriptions/{{subscriptionId}}/providers/Microsoft.Network/virtualHubs?api-version={{apiVersion}}", + "protocol": "https", + "host": [ + "management", + "azure", + "com" + ], + "path": [ + "subscriptions", + "{{subscriptionId}}", + "providers", + "Microsoft.Network", + "virtualHubs" + ], + "query": [ + { + "key": "api-version", + "value": "{{apiVersion}}" + } + ] + } + }, + "response": [] + }, + { + "name": "Update Tags for vHub", + "request": { + "method": "PATCH", + "header": [], + "body": { + "mode": "raw", + "raw": "{\r\n \"tags\": {\r\n \"key1\": \"value1\",\r\n \"key2\": \"value2\"\r\n }\r\n}", + "options": { + "raw": { + "language": "json" + } + } + }, + "url": { + "raw": "https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupID}}/providers/Microsoft.Network/virtualHubs/{{hubName}}?api-version={{apiVersion}}", + "protocol": "https", + "host": [ + "management", + "azure", + "com" + ], + "path": [ + "subscriptions", + "{{subscriptionId}}", + "resourceGroups", + "{{resourceGroupID}}", + "providers", + "Microsoft.Network", + "virtualHubs", + "{{hubName}}" + ], + "query": [ + { + "key": "api-version", + "value": "{{apiVersion}}" + } + ] + } + }, + "response": [] + } + ] + }, + { + "name": "Routing Intent", + "item": [ + { + "name": "Routing Intent", + 
"request": { + "method": "PUT", + "header": [], + "body": { + "mode": "raw", + "raw": "{\r\n \"properties\": {\r\n \"routingPolicies\": [\r\n {\r\n \"name\": \"InternetTraffic\",\r\n \"destinations\": [\r\n \"Internet\"\r\n ],\r\n \"nextHop\": \"/subscriptions/{{subscriptionId}}/resourcegroups/{{managedAppRG}}/providers/Microsoft.Network/networkVirtualAppliances/{{nvaName}}\"\r\n },\r\n {\r\n \"name\": \"PrivateTrafficPolicy\",\r\n \"destinations\": [\r\n \"PrivateTraffic\"\r\n ],\r\n \"nextHop\": \"/subscriptions/{{subscriptionId}}/resourcegroups/{{managedAppRG}}/providers/Microsoft.Network/networkVirtualAppliances/{{nvaName}}\"\r\n }\r\n ]\r\n }\r\n}", + "options": { + "raw": { + "language": "json" + } + } + }, + "url": { + "raw": "https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupID}}/providers/Microsoft.Network/virtualHubs/{{hubName}}/routingIntent/{{routingIntent}}?api-version={{apiVersion}}", + "protocol": "https", + "host": [ + "management", + "azure", + "com" + ], + "path": [ + "subscriptions", + "{{subscriptionId}}", + "resourceGroups", + "{{resourceGroupID}}", + "providers", + "Microsoft.Network", + "virtualHubs", + "{{hubName}}", + "routingIntent", + "{{routingIntent}}" + ], + "query": [ + { + "key": "api-version", + "value": "{{apiVersion}}" + } + ] + } + }, + "response": [] + }, + { + "name": "Routing Intent", + "request": { + "method": "GET", + "header": [], + "url": { + "raw": "https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupID}}/providers/Microsoft.Network/virtualHubs/{{hubName}}/routingIntent/{{routingIntent}}?api-version={{apiVersion}}", + "protocol": "https", + "host": [ + "management", + "azure", + "com" + ], + "path": [ + "subscriptions", + "{{subscriptionId}}", + "resourceGroups", + "{{resourceGroupID}}", + "providers", + "Microsoft.Network", + "virtualHubs", + "{{hubName}}", + "routingIntent", + "{{routingIntent}}" + ], + "query": [ + { + "key": 
"api-version", + "value": "{{apiVersion}}" + } + ] + } + }, + "response": [] + }, + { + "name": "Routing Intent", + "request": { + "method": "DELETE", + "header": [], + "url": { + "raw": "https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupID}}/providers/Microsoft.Network/virtualHubs/{{hubName}}/routingIntent/{{routingIntent}}?api-version={{apiVersion}}", + "protocol": "https", + "host": [ + "management", + "azure", + "com" + ], + "path": [ + "subscriptions", + "{{subscriptionId}}", + "resourceGroups", + "{{resourceGroupID}}", + "providers", + "Microsoft.Network", + "virtualHubs", + "{{hubName}}", + "routingIntent", + "{{routingIntent}}" + ], + "query": [ + { + "key": "api-version", + "value": "{{apiVersion}}" + } + ] + } + }, + "response": [] + } + ] + }, + { + "name": "VPN Sites", + "item": [ + { + "name": "VPN Site", + "request": { + "method": "GET", + "header": [], + "url": { + "raw": "https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupID}}/providers/Microsoft.Network/vpnSites/{{vpnSiteName}}?api-version={{apiVersion}}", + "protocol": "https", + "host": [ + "management", + "azure", + "com" + ], + "path": [ + "subscriptions", + "{{subscriptionId}}", + "resourceGroups", + "{{resourceGroupID}}", + "providers", + "Microsoft.Network", + "vpnSites", + "{{vpnSiteName}}" + ], + "query": [ + { + "key": "api-version", + "value": "{{apiVersion}}" + } + ] + } + }, + "response": [] + }, + { + "name": "All VPN Sites in resourceGroup", + "request": { + "method": "GET", + "header": [], + "url": { + "raw": "https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupID}}/providers/Microsoft.Network/vpnSites?api-version={{apiVersion}}", + "protocol": "https", + "host": [ + "management", + "azure", + "com" + ], + "path": [ + "subscriptions", + "{{subscriptionId}}", + "resourceGroups", + "{{resourceGroupID}}", + "providers", + "Microsoft.Network", + "vpnSites" + ], + 
"query": [
+ {
+ "key": "api-version",
+ "value": "{{apiVersion}}"
+ }
+ ]
+ }
+ },
+ "response": []
+ },
+ {
+ "name": "All VPN Sites in subscription",
+ "request": {
+ "method": "GET",
+ "header": [],
+ "url": {
+ "raw": "https://management.azure.com/subscriptions/{{subscriptionId}}/providers/Microsoft.Network/vpnSites?api-version={{apiVersion}}",
+ "protocol": "https",
+ "host": [
+ "management",
+ "azure",
+ "com"
+ ],
+ "path": [
+ "subscriptions",
+ "{{subscriptionId}}",
+ "providers",
+ "Microsoft.Network",
+ "vpnSites"
+ ],
+ "query": [
+ {
+ "key": "api-version",
+ "value": "{{apiVersion}}"
+ }
+ ]
+ }
+ },
+ "response": []
+ }
+ ]
+ },
+ {
+ "name": "Network Virtual Appliance (NVA)",
+ "item": [
+ {
+ "name": "NVA",
+ "request": {
+ "method": "DELETE",
+ "header": [],
+ "url": {
+ "raw": "https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{managedAppRG}}/providers/Microsoft.Network/NetworkVirtualAppliances/{{nvaName}}?api-version={{apiVersion}}",
+ "protocol": "https",
+ "host": [
+ "management",
+ "azure",
+ "com"
+ ],
+ "path": [
+ "subscriptions",
+ "{{subscriptionId}}",
+ "resourceGroups",
+ "{{managedAppRG}}",
+ "providers",
+ "Microsoft.Network",
+ "NetworkVirtualAppliances",
+ "{{nvaName}}"
+ ],
+ "query": [
+ {
+ "key": "api-version",
+ "value": "{{apiVersion}}"
+ }
+ ]
+ }
+ },
+ "response": []
+ },
+ {
+ "name": "NVA",
+ "request": {
+ "method": "GET",
+ "header": [],
+ "url": {
+ "raw": "https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{managedAppRG}}/providers/Microsoft.Network/networkVirtualAppliances/{{nvaName}}?api-version=2022-11-01",
+ "protocol": "https",
+ "host": [
+ "management",
+ "azure",
+ "com"
+ ],
+ "path": [
+ "subscriptions",
+ "{{subscriptionId}}",
+ "resourceGroups",
+ "{{managedAppRG}}",
+ "providers",
+ "Microsoft.Network",
+ "networkVirtualAppliances",
+ "{{nvaName}}"
+ ],
+ "query": [
+ {
+ "key": "api-version",
+ "value": "2022-11-01"
+ }
+ ]
+ }
+ },
+ "response": []
+ },
+ {
+ "name": "All NVAs",
+ "request": {
+ "method": "GET",
+ "header": [],
+ "url": {
+ "raw": "https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{managedAppRG}}/providers/Microsoft.Network/NetworkVirtualAppliances?api-version={{apiVersion}}",
+ "protocol": "https",
+ "host": [
+ "management",
+ "azure",
+ "com"
+ ],
+ "path": [
+ "subscriptions",
+ "{{subscriptionId}}",
+ "resourceGroups",
+ "{{managedAppRG}}",
+ "providers",
+ "Microsoft.Network",
+ "NetworkVirtualAppliances"
+ ],
+ "query": [
+ {
+ "key": "api-version",
+ "value": "{{apiVersion}}"
+ }
+ ]
+ }
+ },
+ "response": []
+ }
+ ]
+ },
+ {
+ "name": "Security Rule",
+ "item": [
+ {
+ "name": "Inbound Security Rule - Create Or Update",
+ "request": {
+ "method": "PUT",
+ "header": [],
+ "body": {
+ "mode": "raw",
+ "raw": "{\r\n \"properties\": {\r\n \"rules\": [\r\n {\r\n \"protocol\": \"TCP\",\r\n \"sourceAddressPrefix\": \"172.172.172.172/32\",\r\n \"destinationPortRange\": 22\r\n }\r\n ]\r\n }\r\n}\r\n",
+ "options": {
+ "raw": {
+ "language": "json"
+ }
+ }
+ },
+ "url": {
+ "raw": "https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{managedAppRG}}/providers/Microsoft.Network/networkVirtualAppliances/{{nvaName}}inboundSecurityRules/{{inboundSecurityRule}}?api-version={{apiVersion}}",
+ "protocol": "https",
+ "host": [
+ "management",
+ "azure",
+ "com"
+ ],
+ "path": [
+ "subscriptions",
+ "{{subscriptionId}}",
+ "resourceGroups",
+ "{{managedAppRG}}",
+ "providers",
+ "Microsoft.Network",
+ "networkVirtualAppliances",
+ "{{nvaName}}inboundSecurityRules",
+ "{{inboundSecurityRule}}"
+ ],
+ "query": [
+ {
+ "key": "api-version",
+ "value": "{{apiVersion}}"
+ }
+ ]
+ }
+ },
+ "response": []
+ }
+ ]
+ }
+ ],
+ "auth": {
+ "type": "bearer",
+ "bearer": [
+ {
+ "key": "token",
+ "value": "{{bearerToken}}",
+ "type": "string"
+ }
+ ]
+ },
+ "event": [
+ {
+ "listen": "prerequest",
+ "script": {
+ "type": "text/javascript",
+ "exec": [
+ "pm.test(\"Check for collectionVariables\", function () {",
+ " let vars = ['clientId', 'clientSecret', 'tenantId', 'subscriptionId'];",
+ " vars.forEach(function (item, index, array) {",
+ " console.log(item, index);",
+ " pm.expect(pm.collectionVariables.get(item), item + \" variable not set\").to.not.be.undefined;",
+ " pm.expect(pm.collectionVariables.get(item), item + \" variable not set\").to.not.be.empty; ",
+ " });",
+ "",
+ " if (!pm.collectionVariables.get(\"bearerToken\") || Date.now() > new Date(pm.collectionVariables.get(\"bearerTokenExpiresOn\") * 1000)) {",
+ " pm.sendRequest({",
+ " url: 'https://login.microsoftonline.com/' + pm.collectionVariables.get(\"tenantId\") + '/oauth2/token',",
+ " method: 'POST',",
+ " header: 'Content-Type: application/x-www-form-urlencoded',",
+ " body: {",
+ " mode: 'urlencoded',",
+ " urlencoded: [",
+ " { key: \"grant_type\", value: \"client_credentials\", disabled: false },",
+ " { key: \"client_id\", value: pm.collectionVariables.get(\"clientId\"), disabled: false },",
+ " { key: \"client_secret\", value: pm.collectionVariables.get(\"clientSecret\"), disabled: false },",
+ " { key: \"resource\", value: pm.collectionVariables.get(\"resource\") || \"https://management.azure.com/\", disabled: false }",
+ " ]",
+ " }",
+ " }, function (err, res) {",
+ " if (err) {",
+ " console.log(err);",
+ " } else {",
+ " let resJson = res.json();",
+ " pm.collectionVariables.set(\"bearerTokenExpiresOn\", resJson.expires_on);",
+ " pm.collectionVariables.set(\"bearerToken\", resJson.access_token);",
+ " }",
+ " });",
+ " }",
+ "});"
+ ]
+ }
+ },
+ {
+ "listen": "test",
+ "script": {
+ "type": "text/javascript",
+ "exec": [
+ ""
+ ]
+ }
+ }
+ ],
+ "variable": [
+ {
+ "key": "tenantId",
+ "value": ""
+ },
+ {
+ "key": "clientSecret",
+ "value": ""
+ },
+ {
+ "key": "clientId",
+ "value": "",
+ "type": "string"
+ },
+ {
+ "key": "subscriptionId",
+ "value": ""
+ },
+ {
+ "key": "nvaName",
+ "value": "",
+ "type": "string"
+ },
+ {
+ "key": "managedAppRG",
+ "value": "",
+ "type": "string"
+ },
+ {
+ "key": "resourceGroupID",
+ "value": ""
+ },
+ {
+ "key": "virtualWan",
+ "value": "",
+ "type": "string"
+ },
+ {
+ "key": "hubName",
+ "value": "",
+ "type": "string"
+ },
+ {
+ "key": "hubRouteTable",
+ "value": "",
+ "type": "string"
+ },
+ {
+ "key": "hubVirtualNetworkConnection",
+ "value": "",
+ "type": "string"
+ },
+ {
+ "key": "routingIntent",
+ "value": "",
+ "type": "string"
+ },
+ {
+ "key": "vpnSiteName",
+ "value": "",
+ "type": "string"
+ },
+ {
+ "key": "inboundSecurityRule",
+ "value": "",
+ "type": "string"
+ },
+ {
+ "key": "remoteVnetSub",
+ "value": "",
+ "type": "string"
+ },
+ {
+ "key": "remoteVnetRG",
+ "value": "",
+ "type": "string"
+ },
+ {
+ "key": "remoteVnetID",
+ "value": "",
+ "type": "string"
+ },
+ {
+ "key": "routeMap",
+ "value": "",
+ "type": "string"
+ },
+ {
+ "key": "expressRouteGatewayName",
+ "value": "",
+ "type": "string"
+ },
+ {
+ "key": "expressRouteConnections",
+ "value": "",
+ "type": "string"
+ },
+ {
+ "key": "apiVersion",
+ "value": "2022-09-01",
+ "type": "string"
+ },
+ {
+ "key": "bearerToken",
+ "value": ""
+ },
+ {
+ "key": "resource",
+ "value": "https://management.azure.com/"
+ },
+ {
+ "key": "bearerTokenExpiresOn",
+ "value": ""
+ }
+ ]
+}
\ No newline at end of file
diff --git a/contrib/README.md b/contrib/README.md
new file mode 100644
index 00000000..0f096324
--- /dev/null
+++ b/contrib/README.md
@@ -0,0 +1,2 @@
+## Disclaimer
+The content of this directory is released under an as-is, best effort, support policy. It should be seen as community supported and Check Point will contribute its expertise as and when possible. We do not provide technical support in using or troubleshooting the content of this directory through our normal support options.
diff --git a/contrib/azure/templates/ha-public-ip-prefix/README.MD b/contrib/azure/templates/ha-public-ip-prefix/README.MD
new file mode 100644
index 00000000..44e4da6c
--- /dev/null
+++ b/contrib/azure/templates/ha-public-ip-prefix/README.MD 
@@ -0,0 +1,51 @@
+# ARM CloudGuard High Availability public IPs allocated from public IP prefix
+
+This directory contains the CloudGuard IaaS HA template derived from the ´20201102` version of the template .
+This template adds the ability to create a public IP Prefix that is used to allocated the Public IP addresses for the cluster.
+
+## Changes from Marketplace template
+* added parameters:
+ - `ipPrefix` - Set parameter to `'yes'` to deploy the prefix
+ - `ipPrefixSize`- Size of the Public IP Prefix, `/30`, `/29` or `/28`
+
+* added variables:
+ - `ipPrefixName` : constructs the public IP prefix name
+ - `publicIPPrefixProperty` : constructs the public IP prefix property that will be added to app Public IPs if the `ipPrefix` parameter is set to 'yes'
+
+* added resources:
+ - Public IP Prefix `Microsoft.Network/publicipprefixes`, deployed if the `ipPrefix` parameter is set to 'yes' - https://docs.microsoft.com/en-us/azure/virtual-network/public-ip-address-prefix.
+
+* changed declarations:
+ - Added the Public IP prefix resource to the `dependsOn` property on all Public IP addresses.
+ - Added the `publicIPPrefix` property to all Public IP address resources with an if statement to set the value to variable `publicIPPrefixProperty` if the `ipPrefix` parameter is set to 'yes'
+ - Changed the default value of the `_artifactsLocation` parameter to point to this GitHub Repo to allow the template to be deployed outside of the marketplace.
+
+## How to deploy the template:
+
+Local deployment: download this template and parameter file, edit the parameters and run your deployment tool of choice, e. g.
+
+```
+az group deployment create -g --template-file ha-publicipprefix.json --parameters @ha-publicipprefix-parameters.json
+```
+
+### *Extra*: to load the administrator password from an existing keyvault (provided that you declared appropriate permissions), include in the parameters.json file in the parameters section:
+```
+"adminPassword": {
+ "reference": {
+ "keyVault": {
+ "id": "/subscriptions/your-subscription-id-here/resourceGroups/your-resource-group-here/providers/Microsoft.KeyVault/vaults/your-keyvault-name-here",
+ "secretName": "your-secret-name"
+ }
+},
+```
+It might be useful to include also a ssh public key in the parameters section of the ha-publicipprefix-parameters.json file.
+
+## To deploy the ARM templates manually without using the Azure Marketplace:
+1. Log in to the [Microsoft Azure Portal](https://portal.azure.com)
+2. Click "*Create a resource*"
+3. Search for "*Template deployment (deploy using custom templates)*" and click "*Create*"
+4. Click "*Build your own template in the editor*"
+5. Load the "*ha-publicipprefix.json*" file of the desired template and click "*Save*"
+6. Enter the required and/or optional template parameters
+7. Click *Purchase* to deploy the solution
+8. Debug the deployment
diff --git a/contrib/azure/templates/ha-public-ip-prefix/ha-publicipprefix-parameters.json b/contrib/azure/templates/ha-public-ip-prefix/ha-publicipprefix-parameters.json
new file mode 100644
index 00000000..1aa6435c
--- /dev/null
+++ b/contrib/azure/templates/ha-public-ip-prefix/ha-publicipprefix-parameters.json
@@ -0,0 +1,106 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "value": "East US"
+ },
+ "cloudGuardVersion": {
+ "value": "R80.40 - Bring Your Own License"
+ },
+ "adminPassword": {
+ "value": ""
+ },
+ "authenticationType": {
+ "value": "password"
+ },
+ "sshPublicKey": {
+ "value": ""
+ },
+ "vmName": {
+ "value": "cloudguard"
+ },
+ "vmSize": {
+ "value": "Standard_D3_v2"
+ },
+ "sicKey": {
+ "value": ""
+ },
+ "virtualNetworkName": {
+ "value": "cloudguard-vnet"
+ },
+ "virtualNetworkAddressPrefixes": {
+ "value": [
+ "10.0.0.0/16"
+ ]
+ },
+ "subnet1Name": {
+ "value": "Frontend"
+ },
+ "subnet1Prefix": {
+ "value": "10.0.1.0/24"
+ },
+ "subnet1StartAddress": {
+ "value": "10.0.1.10"
+ },
+ "subnet2Name": {
+ "value": "Backend"
+ },
+ "subnet2Prefix": {
+ "value": "10.0.2.0/24"
+ },
+ "subnet2StartAddress": {
+ "value": "10.0.2.10"
+ },
+ "vnetNewOrExisting": {
+ "value": "new"
+ },
+ "virtualNetworkExistingRGName": {
+ "value": ""
+ },
+ "ipPrefix": {
+ "value": "yes"
+ },
+ "ipPrefixSize": {
+ "value": 28
+ },
+ "bootstrapScript": {
+ "value": ""
+ },
+ "allowDownloadFromUploadToCheckPoint": {
+ "value": "true"
+ },
+ "additionalDiskSizeGB": {
+ "value": 0
+ },
+ "diskType": {
+ "value": "Standard_LRS"
+ },
+ "role": {
+ "value": "Contributor"
+ },
+ "managedSystemAssigned": {
+ "value": "yes"
+ },
+ "sourceImageVhdUri": {
+ "value": "noCustomUri"
+ },
+ "availabilityOptions": {
+ "value": "Availability Set"
+ },
+ "_artifactsLocation": {
+ "value": "https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/"
+ },
+ "_artifactsLocationSasToken": {
+ "value": ""
+ },
+ "Check_PointTags": {
+ "value": {
+ "provider": "30DE18BC-F9F6-4F22-9D30-54B8E74CFD5F"
+ }
+ },
+ "customMetrics": {
+ "value": "yes"
+ }
+ }
+}
\ No newline at end of file
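Review bot: The committed parameters file carries plaintext slots for `adminPassword` and `sicKey` (`"adminPassword": { "value": "" }`, `"sicKey": { "value": "" }`), which invites operators to fill the secrets in locally and check the file back in; the README in this same commit already shows the Key Vault `reference` form for `adminPassword`, and that same `reference` block should be the shipped default here for both parameters, with `authenticationType` set to `sshPublicKey` where the environment allows it. Separately, `_artifactsLocation` resolves the nested `vnet-2-subnet-ha2-*.json` network template from the mutable `master` branch of the public repository at deploy time, so the network layout that gets deployed depends on whatever that branch holds when the deployment runs; pinning the URI to a tag or commit, or vendoring the nested template next to this file, keeps the deployment reproducible and reviewable. A short comment in the README stating that this file must never be committed with real values would also help, since JSON parameter files cannot carry the warning themselves.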
diff --git a/contrib/azure/templates/ha-public-ip-prefix/ha-publicipprefix.json b/contrib/azure/templates/ha-public-ip-prefix/ha-publicipprefix.json
new file mode 100644
index 00000000..caaef705
--- /dev/null
+++ b/contrib/azure/templates/ha-public-ip-prefix/ha-publicipprefix.json
@@ -0,0 +1,1033 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "Deployment location"
+ },
+ "defaultValue": "[resourceGroup().location]"
+ },
+ "cloudGuardVersion": {
+ "type": "string",
+ "allowedValues": [
+ "R80.30 - Bring Your Own License",
+ "R80.30 - Pay As You Go (NGTP)",
+ "R80.30 - Pay As You Go (NGTX)",
+ "R80.40 - Bring Your Own License",
+ "R80.40 - Pay As You Go (NGTP)",
+ "R80.40 - Pay As You Go (NGTX)",
+ "R81 - Bring Your Own License",
+ "R81 - Pay As You Go (NGTP)",
+ "R81 - Pay As You Go (NGTX)"
+ ],
+ "defaultValue": "R80.40 - Bring Your Own License",
+ "metadata": {
+ "description": "Check Point CloudGuard version"
+ }
+ },
+ "adminPassword": {
+ "type": "securestring",
+ "metadata": {
+ "description": "Administrator password"
+ },
+ "defaultValue": ""
+ },
+ "authenticationType": {
+ "type": "string",
+ "allowedValues": [
+ "password",
+ "sshPublicKey"
+ ],
+ "defaultValue": "password",
+ "metadata": {
+ "description": "Authentication type"
+ }
+ },
+ "sshPublicKey": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Administrator SSH public key"
+ }
+ },
+ "vmName": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().name]",
+ "metadata": {
+ "description": "Name of the Check Point Cluster object"
+ }
+ },
+ "vmSize": {
+ "type": "string",
+ "defaultValue": "Standard_D3_v2",
+ "metadata": {
+ "description": "Size of the VM"
+ }
+ },
+ "sicKey": {
+ "type": "securestring",
+ "metadata": {
+ "description": "One time key for Secure Internal Communication"
+ }
+ },
+ "virtualNetworkName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the virtual network"
+ },
+ "defaultValue": "[concat(resourceGroup().name, '-vnet')]"
+ },
+ "virtualNetworkAddressPrefixes": {
+ "type": "array",
+ "metadata": {
+ "description": "The address prefixes of the virtual network"
+ },
+ "defaultValue": [
+ "10.0.0.0/16"
+ ]
+ },
+ "subnet1Name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the frontend subnet"
+ },
+ "defaultValue": "Frontend"
+ },
+ "subnet1Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the frontend subnet"
+ },
+ "defaultValue": "10.0.1.0/24"
+ },
+ "subnet1StartAddress": {
+ "type": "string",
+ "metadata": {
+ "description": "The first available address on the 1st subnet"
+ },
+ "defaultValue": "10.0.1.10"
+ },
+ "subnet2Name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the backend subnet"
+ },
+ "defaultValue": "Backend"
+ },
+ "subnet2Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the backend subnet"
+ },
+ "defaultValue": "10.0.2.0/24"
+ },
+ "subnet2StartAddress": {
+ "type": "string",
+ "metadata": {
+ "description": "The first available address on the 2nd subnet"
+ },
+ "defaultValue": "10.0.2.10"
+ },
+ "vnetNewOrExisting": {
+ "type": "string",
+ "defaultValue": "new",
+ "allowedValues": [
+ "new",
+ "existing"
+ ],
+ "metadata": {
+ "Description": "Indicates whether the virtual network is new or existing"
+ }
+ },
+ "virtualNetworkExistingRGName": {
+ "type": "string",
+ "metadata": {
+ "description": "Resource Group of the existing virtual network"
+ },
+ "defaultValue": "[resourceGroup().name]"
+ },
+ "ipPrefix": {
+ "type": "string",
+ "allowedValues": [
+ "yes",
+ "no"
+ ],
+ "defaultValue": "no",
+ "metadata": {
+ "description": "Define if a Public IP Prefix should be created or not"
+ }
+ },
+ "ipPrefixSize": {
+ "type": "int",
+ "defaultValue": 30,
+ "allowedvalues": [
+ 28,
+ 29,
+ 30
+ ],
+ "metadata": {
+ "description": "Define the size of the Public IP Prefix"
+ }
+ },
+ "bootstrapScript": {
+ "type": "string",
+ "metadata": {
+ "description": "Bootstrap script"
+ },
+ "defaultValue": ""
+ },
+ "allowDownloadFromUploadToCheckPoint": {
+ "type": "string",
+ "allowedValues": [
+ "true",
+ "false"
+ ],
+ "defaultValue": "true",
+ "metadata": {
+ "description": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point"
+ }
+ },
+ "additionalDiskSizeGB": {
+ "type": "int",
+ "defaultValue": 0,
+ "metadata": {
+ "description": "Amount of additional disk space (in GB)"
+ },
+ "minValue": 0,
+ "maxValue": 3995
+ },
+ "diskType": {
+ "type": "string",
+ "defaultValue": "Standard_LRS",
+ "metadata": {
+ "description": "The type of the OS disk. Premium is applicable only to DS machine sizes"
+ },
+ "allowedValues": [
+ "Standard_LRS",
+ "Premium_LRS"
+ ]
+ },
+ "role": {
+ "type": "string",
+ "defaultValue": "Contributor",
+ "metadata": {
+ "description": "Role"
+ }
+ },
+ "managedSystemAssigned": {
+ "type": "string",
+ "allowedValues": [
+ "yes",
+ "no"
+ ],
+ "defaultValue": "yes",
+ "metadata": {
+ "description": "Automatically create a Service Principal for this deployment."
+ }
+ },
+ "sourceImageVhdUri": {
+ "type": "string",
+ "defaultValue": "noCustomUri",
+ "metadata": {
+ "description": "The URI of the blob containing the development image"
+ }
+ },
+ "availabilityOptions": {
+ "type": "string",
+ "allowedValues": [
+ "Availability Set",
+ "Availability Zones"
+ ],
+ "defaultValue": "Availability Set",
+ "metadata": {
+ "description": "Use replicated Cluster VMs in Availability Set or Availability Zones"
+ }
+ },
+ "_artifactsLocation": {
+ "type": "string",
+ "metadata": {
+ "description": "The base URI where artifacts required by this template are located including a trailing '/'"
+ },
+ "defaultValue": "https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/"
+ },
+ "_artifactsLocationSasToken": {
+ "type": "securestring",
+ "metadata": {
+ "description": "The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. Use the defaultValue if the staging location is not secured."
+ },
+ "defaultValue": ""
+ },
+ "Check_PointTags": {
+ "type": "object",
+ "defaultValue": {
+ "provider": "30DE18BC-F9F6-4F22-9D30-54B8E74CFD5F"
+ }
+ },
+ "customMetrics": {
+ "type": "string",
+ "allowedValues": [
+ "no",
+ "yes"
+ ],
+ "defaultValue": "yes",
+ "metadata": {
+ "Description": "Indicates whether CloudGuard Metrics will be used for Cluster members monitoring"
+ }
+ }
+ },
+ "variables": {
+ "templateName": "ha",
+ "templateVersion": "20201102",
+ "location": "[parameters('location')]",
+ "elbPublicIPName": "frontend-lb-address",
+ "haPublicIPName": "[parameters('vmName')]",
+ "offers": {
+ "R80.30 - Bring Your Own License": "BYOL",
+ "R80.30 - Pay As You Go (NGTP)": "NGTP-V2",
+ "R80.30 - Pay As You Go (NGTX)": "NGTX-V2",
+ "R80.40 - Bring Your Own License": "BYOL",
+ "R80.40 - Pay As You Go (NGTP)": "NGTP",
+ "R80.40 - Pay As You Go (NGTX)": "NGTX",
+ "R81 - Bring Your Own License": "BYOL",
+ "R81 - Pay As You Go (NGTP)": "NGTP",
+ "R81 - Pay As You Go (NGTX)": "NGTX"
+ },
+ "offer": "[variables('offers')[parameters('cloudGuardVersion')]]",
+ "osVersions": {
+ "R80.30 - Bring Your Own License": "R8030",
+ "R80.30 - Pay As You Go (NGTP)": "R8030",
+ "R80.30 - Pay As You Go (NGTX)": "R8030",
+ "R80.40 - Bring Your Own License": "R8040",
+ "R80.40 - Pay As You Go (NGTP)": "R8040",
+ "R80.40 - Pay As You Go (NGTX)": "R8040",
+ "R81 - Bring Your Own License": "R81",
+ "R81 - Pay As You Go (NGTP)": "R81",
+ "R81 - Pay As You Go (NGTX)": "R81"
+ },
+ "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]",
+ "adminUsername": "notused",
+ "isBlink": true,
+ "storageAccountName": "[concat('bootdiag', uniqueString(resourceGroup().id, deployment().name))]",
+ "storageAccountType": "Standard_LRS",
+ "diskSize100GB": 100,
+ "diskSizeGB": "[add(parameters('additionalDiskSizeGB'), variables('diskSize100GB'))]",
+ "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'tenantId=\"', subscription().tenantId, '\"', '\n', 'virtualNetwork=\"', parameters('virtualNetworkName'), '\"', '\n', 'clusterName=\"', parameters('vmName'), '\"', '\n', 'externalPrivateAddresses=\"', variables('externalPrivateAddresses')[2], '\"', '\n', 'customMetrics=\"', variables('customMetrics'), '\"', '\n')]",
+ "imageOffer": "[concat('check-point-cg-', toLower(variables('osVersion')))]",
+ "imagePublisher": "checkpoint",
+ "imageReferenceBYOL": {
+ "offer": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]",
+ "sku": "sg-byol",
+ "version": "latest"
+ },
+ "imageReferenceNGTP": {
+ "offer": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]",
+ "sku": "sg-ngtp",
+ "version": "latest"
+ },
+ "imageReferenceNGTP-V2": {
+ "offer": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]",
+ "sku": "sg-ngtp-v2",
+ "version": "latest"
+ },
+ "imageReferenceNGTX": {
+ "offer": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]",
+ "sku": "sg-ngtx",
+ "version": "latest"
+ },
+ "imageReferenceNGTX-V2": {
+ "offer": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]",
+ "sku": "sg-ngtx-v2",
+ "version": "latest"
+ },
+ "imageReferenceMarketplace": "[if(equals(variables('offer'), 'BYOL'), variables('imageReferenceBYOL'), if(equals(variables('offer'), 'NGTP'), variables('imageReferenceNGTP'), if(equals(variables('offer'), 'NGTP-V2'), variables('imageReferenceNGTP-V2'), if(equals(variables('offer'), 'NGTX'), variables('imageReferenceNGTX'), if(equals(variables('offer'), 'NGTX-V2'), variables('imageReferenceNGTX-V2'), json('null'))))))]",
+ "customImage": "customImage",
+ "imageReferenceCustomUri": {
+ "id": "[resourceId('Microsoft.Compute/images/', variables('customImage'))]"
+ },
+ "imageReference": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('imageReferenceMarketplace'), variables('imageReferenceCustomUri'))]",
+ "nic1Name": "eth0",
+ "nic2Name": "eth1",
+ "elbName": "frontend-lb",
+ "elbId": "[resourceId('Microsoft.Network/loadBalancers', variables('elbName'))]",
+ "elbBEAddressPool": "[concat(variables('elbName'), '-pool')]",
+ "elbBEAddressPoolID": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', variables('elbName'), variables('elbBEAddressPool'))]",
+ "ilbName": "backend-lb",
+ "ilbId": "[resourceId('Microsoft.Network/loadBalancers', variables('ilbName'))]",
+ "ilbBEAddressPool": "[concat(variables('ilbName'), '-pool')]",
+ "ilbBEAddressPoolID": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools/', variables('ilbName'), variables('ilbBEAddressPool'))]",
+ "ilbFEIPConfigID": "[resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations/', variables('ilbName'), variables('ilbName'))]",
+ "ilbProbeName": "[variables('ilbName')]",
+ "ilbProbeID": "[resourceId('Microsoft.Network/loadBalancers/probes/', variables('ilbName'), variables('ilbProbeName'))]",
+ "linuxConfigurationpassword": {
+ "disablePasswordAuthentication": "false"
+ },
+ "appProbeName": "health_prob_port",
+ "linuxConfigurationsshPublicKey": {
+ "disablePasswordAuthentication": "true",
+ "ssh": {
+ "publicKeys": [
+ {
+ "keyData": "[parameters('sshPublicKey')]",
+ "path": "/home/notused/.ssh/authorized_keys"
+ }
+ ]
+ }
+ },
+ "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), variables('linuxConfigurationpassword'), variables('linuxConfigurationsshPublicKey'))]",
+ "planBYOL": {
+ "name": "sg-byol",
+ "product": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]"
+ },
+ "planNGTP": {
+ "name": "sg-ngtp",
+ "product": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]"
+ },
+ "planNGTP-V2": {
+ "name": "sg-ngtp-v2",
+ "product": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]"
+ },
+ "planNGTX": {
+ "name": "sg-ngtx",
+ "product": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]"
+ },
+ "planNGTX-V2": {
+ "name": "sg-ngtx-v2",
+ "product": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]"
+ },
+ "plan": "[if(equals(variables('offer'), 'BYOL') , variables('planBYOL'), if(equals(variables('offer'), 'NGTP'), variables('planNGTP'), if(equals(variables('offer'), 'NGTP-V2'), variables('planNGTP-V2'), if(equals(variables('offer'), 'NGTX'), variables('planNGTX'), if(equals(variables('offer'), 'NGTX-V2'), variables('planNGTX-V2'), json('null'))))))]",
+ "externalPrivateAddresses": [
+ "[parameters('Subnet1StartAddress')]",
+ "[concat(split(parameters('subnet1StartAddress'), '.')[0],'.', split(parameters('subnet1StartAddress'), '.')[1],'.', split(parameters('subnet1StartAddress'), '.')[2],'.', string(add(int(split(parameters('subnet1StartAddress'), '.')[3]),1)))]",
+ "[concat(split(parameters('subnet1StartAddress'), '.')[0],'.', split(parameters('subnet1StartAddress'), '.')[1],'.', split(parameters('subnet1StartAddress'), '.')[2],'.', string(add(int(split(parameters('subnet1StartAddress'), '.')[3]),2)))]"
+ ],
+ "roleDefinitionId": "[if(equals(parameters('role'), 'Contributor'), subscriptionResourceId('Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c'), parameters('role'))]",
+ "identity": "[json('{\"type\": \"SystemAssigned\"}')]",
+ "azureCloud": "[not(or(startsWith(variables('location'), 'china'), startsWith(variables('location'), 'germany')))]",
+ "managedSystemAssigned": "[if(not(variables('azureCloud')), 'no', parameters('managedSystemAssigned'))]",
+ "subnet2PrivateAddresses": [
+ "[concat(split(parameters('subnet2StartAddress'), '.')[0],'.', split(parameters('subnet2StartAddress'), '.')[1],'.', split(parameters('subnet2StartAddress'), '.')[2],'.', string(add(int(split(parameters('subnet2StartAddress'), '.')[3]),1)))]",
+ "[concat(split(parameters('subnet2StartAddress'), '.')[0],'.', split(parameters('subnet2StartAddress'), '.')[1],'.', split(parameters('subnet2StartAddress'), '.')[2],'.', string(add(int(split(parameters('subnet2StartAddress'), '.')[3]),2)))]"
+ ],
+ "nsgName": "[concat(parameters('vmName'), '-nsg')]",
+ "elbPublicIPId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('elbPublicIPName'))]",
+ "haPublicIPId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('haPublicIPName'))]",
+ "gwPublicIPIds": [
+ "[resourceId('Microsoft.Network/publicIPAddresses', concat(parameters('vmName'), '1'))]",
+ "[resourceId('Microsoft.Network/publicIPAddresses', concat(parameters('vmName'), '2'))]"
+ ],
+ "availabilitySetName": "[concat(parameters('vmName'), '-AvailabilitySet')]",
+ "count": 2,
+ "bootstrapScript64": "[base64(parameters('bootstrapScript'))]",
+ "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]",
+ "networkSetupURL": "[uri(parameters('_artifactsLocation'), concat('nestedtemplates/vnet-2-subnet-ha2-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]",
+ "sicKey": "[parameters('sicKey')]",
+ "installationType": "cluster",
+ "internalLBPrivateIPAddress": "[parameters('Subnet2StartAddress')]",
+ "availabilityZonesLocations": [
+ "centralus",
+ "eastus2",
+ "francecentral",
+ "northeurope",
+ "southeastasia",
+ "westeurope",
+ "westus2",
+ "eastus",
+ "uksouth"
+ ],
+ "availabilitySetProperty": {
+ "id": "[resourceId('Microsoft.Compute/availabilitySets', variables('availabilitySetName'))]"
+ },
+ "useAZ": "[and(contains(variables('availabilityZonesLocations'), variables('location')), equals(parameters('availabilityOptions'), 'Availability Zones'))]",
+ "customMetrics": "[parameters('customMetrics')]",
+ "ipPrefixName": "[concat(parameters('vmName'), '-ipprefix')]",
+ "publicIPPrefixProperty": {
+ "id": "[resourceId('Microsoft.Network/publicipprefixes',variables('ipPrefixName'))]"
+ }
+ },
+ "resources": [
+ {
+ "apiVersion": "2020-06-01",
+ "name": "pid-7fbd7ca2-a62c-5cb5-9b28-3900ca6dba8d",
+ "type": "Microsoft.Resources/deployments",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": []
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "name": "[variables('storageAccountName')]",
+ "apiVersion": "2019-06-01",
+ "location": "[variables('location')]",
+ "sku": {
+ "name": "[variables('storageAccountType')]"
+ },
+ "kind": "Storage",
+ "tags": {
+ "provider": "[toUpper(parameters('Check_PointTags').provider)]"
+ }
+ },
+ {
+ "condition": "[equals(parameters('vnetNewOrExisting'), 'new')]",
+ "name": "networkNewSetup",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "[variables('networkSetupURL')]",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "location": {
+ "value": "[variables('location')]"
+ },
+ "nsgName": {
+ "value": "[variables('nsgName')]"
+ },
+ "virtualNetworkName": {
+ "value": "[parameters('virtualNetworkName')]"
+ },
+ "virtualNetworkAddressPrefixes": {
+ "value": "[parameters('virtualNetworkAddressPrefixes')]"
+ },
+ "subnet1Name": {
+ "value": "[parameters('subnet1Name')]"
+ },
+ "subnet1Prefix": {
+ "value": "[parameters('subnet1Prefix')]"
+ },
+ "subnet2Name": {
+ "value": "[parameters('subnet2Name')]"
+ },
+ "subnet2Prefix": {
+ "value": "[parameters('subnet2Prefix')]"
+ }
+ }
+ }
+ },
+ {
+ "condition": "[equals(parameters('vnetNewOrExisting'), 'existing')]",
+ "name": "networkExistingSetup",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "[variables('networkSetupURL')]",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "virtualNetworkName": {
+ "value": "[parameters('virtualNetworkName')]"
+ },
+ "virtualNetworkExistingRGName": {
+ "value": "[parameters('virtualNetworkExistingRGName')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Compute/availabilitySets",
+ "condition": "[not(variables('useAZ'))]",
+ "apiVersion": "2020-06-01",
+ "location": "[variables('location')]",
+ "name": "[concat(variables('availabilitySetName'))]",
+ "properties": {
+ "platformFaultDomainCount": 2
+ },
+ "sku": {
+ "name": "Aligned"
+ },
+ "tags": {
+ "provider": "[toUpper(parameters('Check_PointTags').provider)]"
+ }
+ },
+ {
+ "condition": "[equals(parameters('ipPrefix'), 'yes')]",
+ "type": "Microsoft.Network/publicipprefixes",
+ "apiVersion": "2020-06-01",
+ "name": "[variables('ipPrefixName')]",
+ "location": "[variables('location')]",
+ "properties": {
+ "prefixLength": "[parameters('ipPrefixSize')]",
+ "publicIPAddressVersion": "IPv4"
+ },
+ "sku": {
+ "name": "Standard",
+ "tier": "Regional"
+ }
+ },
+ {
+ "type": "Microsoft.Network/publicIPAddresses",
+ "apiVersion": "2020-06-01",
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/publicipprefixes',variables('ipPrefixName'))]"
+ ],
+ "location": "[variables('location')]",
+ "name": "[variables('elbPublicIPName')]",
+ "sku": {
+ "name": "Standard"
+ },
+ "properties": {
+ "idleTimeoutInMinutes": 30,
+ "publicIPAllocationMethod": "Static",
+ "dnsSettings": {
+ "domainNameLabel": "[concat(toLower(parameters('vmName')), '-', uniquestring(resourceGroup().id, deployment().name))]"
+ },
+ "publicIPPrefix": "[if(equals(parameters('ipPrefix'), 'yes'), variables('publicIPPrefixProperty'), json('null'))]"
+ },
+ "tags": {
+ "provider": "[toUpper(parameters('Check_PointTags').provider)]"
+ }
+ },
+ {
+ "type": "Microsoft.Network/publicIPAddresses",
+ "apiVersion": "2020-06-01",
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/publicipprefixes',variables('ipPrefixName'))]"
+ ],
+ "location": "[variables('location')]",
+ "name": "[concat(parameters('vmName'), copyIndex(1))]",
+ "sku": {
+ "name": "Standard"
+ },
+ "copy": {
+ "name": "publicAddressCopy",
+ "count": "[variables('count')]"
+ },
+ "properties": {
+ "idleTimeoutInMinutes": 30,
+ "publicIPAllocationMethod": "Static",
+ "dnsSettings": {
+ "domainNameLabel": "[concat(toLower(parameters('vmName')), '-', copyIndex(1), '-', uniquestring(resourceGroup().id, deployment().name))]"
+ },
+ "publicIPPrefix": "[if(equals(parameters('ipPrefix'), 'yes'), variables('publicIPPrefixProperty'), json('null'))]"
+ },
+ "tags": {
+ "provider": "[toUpper(parameters('Check_PointTags').provider)]"
+ }
+ },
+ {
+ "type": "Microsoft.Network/publicIPAddresses",
+ "apiVersion": "2020-06-01",
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/publicipprefixes',variables('ipPrefixName'))]"
+ ],
+ "location": "[variables('location')]",
+ "name": "[parameters('vmName')]",
+ "sku": {
+ "name": "Standard"
+ },
+ "properties": {
+ "idleTimeoutInMinutes": 30,
+ "publicIPAllocationMethod": "Static",
+ "dnsSettings": {
+ "domainNameLabel": "[concat(toLower(parameters('vmName')), '-vip-', uniquestring(resourceGroup().id, deployment().name))]"
+ },
+ "publicIPPrefix": "[if(equals(parameters('ipPrefix'), 'yes'), variables('publicIPPrefixProperty'), json('null'))]"
+ },
+ "tags": {
+ "provider": "[toUpper(parameters('Check_PointTags').provider)]"
+ }
+ },
+ {
+ "type": "Microsoft.Network/networkInterfaces",
+ "apiVersion": "2020-06-01",
+ "dependsOn": [
+ "[coalesce(resourceId('Microsoft.Resources/deployments', 'networkNewSetup'), resourceId('Microsoft.Resources/deployments', 'networkExistingSetup'))]",
+ "[variables('elbId')]",
+ "[variables('gwPublicIPIds')[0]]",
+ "[variables('haPublicIPId')]"
+ ],
+ "location": "[variables('location')]",
+ "name": "[concat(parameters('vmName'), '1-', variables('nic1Name'))]",
+ "properties": {
+ "primary": true,
+ "enableIPForwarding": true,
+ "enableAcceleratedNetworking": "[not(equals(variables('osVersion'), 'R8010'))]",
+ "ipConfigurations": [
+ {
+ "name": "member-ip",
+ "properties": {
+ "primary": true,
+ "privateIPAddress": "[variables('externalPrivateAddresses')[0]]",
+ "privateIPAllocationMethod": "Static",
+ "PublicIpAddress": {
+ "Id": "[variables('gwPublicIPIds')[0]]"
+ },
+ "subnet": {
+ "id": "[resourceId(parameters('virtualNetworkExistingRGName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnet1Name'))]"
+ },
+ "loadBalancerBackendAddressPools": [
+ {
+ "id": "[variables('elbBEAddressPoolID')]"
+ }
+ ]
+ }
+ },
+ {
+ "name": "cluster-vip",
+ "properties": {
+ "primary": false,
+ "privateIPAddress": "[variables('externalPrivateAddresses')[2]]",
+ "privateIPAllocationMethod": "Static",
+ "PublicIpAddress": {
+ "Id": "[variables('haPublicIPId')]"
+ },
+ "subnet": {
+ "id": "[resourceId(parameters('virtualNetworkExistingRGName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnet1Name'))]"
+ }
+ }
+ }
+ ]
+ },
+ "tags": {
+ "provider": "[toUpper(parameters('Check_PointTags').provider)]"
+ }
+ },
+ {
+ "type": "Microsoft.Network/networkInterfaces",
+ "apiVersion": "2020-06-01",
+ "dependsOn": [
+ "[coalesce(resourceId('Microsoft.Resources/deployments', 'networkNewSetup'), resourceId('Microsoft.Resources/deployments', 'networkExistingSetup'))]",
+ "[variables('elbId')]",
+ "[variables('gwPublicIPIds')[1]]"
+ ],
+ "location": "[variables('location')]",
+ "name": "[concat(parameters('vmName'), '2-', variables('nic1Name'))]",
+ "properties": {
+ "primary": true,
+ "enableIPForwarding": true,
+ "enableAcceleratedNetworking": "[not(equals(variables('osVersion'), 'R8010'))]",
+ "ipConfigurations": [
+ {
+ "name": "member-ip",
+ "properties": {
+ "primary": true,
+ "privateIPAddress": "[variables('externalPrivateAddresses')[1]]",
+ "privateIPAllocationMethod": "Static",
+ "PublicIpAddress": {
+ "Id": "[variables('gwPublicIPIds')[1]]"
+ },
+ "subnet": {
+ "id": "[resourceId(parameters('virtualNetworkExistingRGName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnet1Name'))]"
+ },
+ "loadBalancerBackendAddressPools": [
+ {
+ "id": "[variables('elbBEAddressPoolID')]"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "tags": {
+ "provider": "[toUpper(parameters('Check_PointTags').provider)]"
+ }
+ },
+ {
+ "type": "Microsoft.Network/networkInterfaces",
+ "apiVersion": "2020-06-01",
+ "dependsOn": [
+ "[coalesce(resourceId('Microsoft.Resources/deployments', 'networkNewSetup'), resourceId('Microsoft.Resources/deployments', 'networkExistingSetup'))]",
+ "[variables('ilbId')]"
+ ],
+ "location": "[variables('location')]",
+ "name": "[concat(parameters('vmName'), copyIndex(1), '-', variables('nic2Name'))]",
+ "copy": {
+ "name": "internalNicCopy",
+ "count": "[variables('count')]"
+ },
+ "properties": {
+ "primary": false,
+ "enableIPForwarding": true,
+ "enableAcceleratedNetworking": "[not(equals(variables('osVersion'), 'R8010'))]",
+ "ipConfigurations": [
+ {
+ "name": "member-ip",
+ "properties": {
+ "primary": true,
+ "privateIPAddress": "[variables('subnet2PrivateAddresses')[copyIndex()]]",
+ "privateIPAllocationMethod": "Static",
+ "subnet": {
+ "id": "[resourceId(parameters('virtualNetworkExistingRGName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnet2Name'))]"
+ },
+ "loadBalancerBackendAddressPools": [ + { + "id": "[variables('ilbBEAddressPoolID')]" + } + ] + } + } + ] + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "condition": "[not(equals(parameters('sourceImageVhdUri'), 'noCustomUri'))]", + "type": "Microsoft.Compute/images", + "apiVersion": "2020-06-01", + "name": "[variables('customImage')]", + "location": "[variables('location')]", + "properties": { + "storageProfile": { + "osDisk": { + "osType": "Linux", + "osState": "Generalized", + "blobUri": "[parameters('sourceImageVhdUri')]", + "storageAccountType": "Standard_LRS" + } + }, + "hyperVGeneration": "V1" + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]", + "[resourceId('Microsoft.Compute/availabilitySets', variables('availabilitySetName'))]", + "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), copyIndex(1), '-', variables('nic1Name')))]", + "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), copyIndex(1), '-', variables('nic2Name')))]", + "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + ], + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), copyIndex(1))]", + "zones": "[if(variables('useAZ'), array(copyIndex(1)), json('null'))]", + "copy": { + "name": "virtualMachineCopy", + "count": "[variables('count')]" + }, + "plan": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('plan'), json('null'))]", + "identity": "[if(equals(variables('managedSystemAssigned'), 'yes'), variables('identity'), json('null'))]", + "properties": { + "availabilitySet": "[if(not(variables('useAZ')), variables('availabilitySetProperty'), json('null'))]", + "diagnosticsProfile": { + 
"bootDiagnostics": { + "enabled": "true", + "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2018-07-01').primaryEndpoints.blob]" + } + }, + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), copyIndex(1), '-', variables('nic1Name')))]", + "properties": { + "primary": true + } + }, + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), copyIndex(1), '-', variables('nic2Name')))]", + "properties": { + "primary": false + } + } + ] + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "[variables('adminUsername')]", + "computername": "[concat(toLower(parameters('vmName')), copyIndex(1))]", + "customData": "[base64(variables('customData'))]", + "linuxConfiguration": "[variables('linuxConfiguration')]" + }, + "storageProfile": { + "imageReference": "[variables('imageReference')]", + "osDisk": { + "caching": "ReadWrite", + "createOption": "FromImage", + "diskSizeGB": "[variables('diskSizeGB')]", + "name": "[concat(parameters('vmName'), copyIndex(1))]", + "managedDisk": { + "storageAccountType": "[parameters('diskType')]" + } + } + } + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Network/loadBalancers", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[variables('elbPublicIPId')]" + ], + "name": "[variables('elbName')]", + "location": "[variables('location')]", + "sku": { + "name": "Standard" + }, + "properties": { + "frontendIPConfigurations": [ + { + "name": "LoadBalancerFrontend", + "properties": { + "publicIPAddress": { + "id": "[variables('elbPublicIPId')]" + } + } + } + ], + "backendAddressPools": [ + { + "name": "[variables('elbBEAddressPool')]" + } + ], + "probes": [ + { + "name": 
"[variables('appProbeName')]", + "properties": { + "protocol": "tcp", + "port": 8117, + "intervalInSeconds": 5, + "numberOfProbes": 2 + } + } + ] + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "condition": "[equals(variables('managedSystemAssigned'), 'yes')]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[guid(resourceGroup().id, concat(parameters('vmName'), copyIndex(1)))]", + "copy": { + "name": "virtualMachineCopy", + "count": "[variables('count')]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), copyIndex(1)))]" + ], + "properties": { + "roleDefinitionId": "[variables('roleDefinitionId')]", + "scope": "[resourceGroup().id]", + "principalId": "[reference(resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), copyIndex(1))), '2018-10-01', 'Full').identity.principalId]" + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Network/loadBalancers", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[coalesce(resourceId('Microsoft.Resources/deployments', 'networkNewSetup'), resourceId('Microsoft.Resources/deployments', 'networkExistingSetup'))]" + ], + "name": "[variables('ilbName')]", + "location": "[variables('location')]", + "sku": { + "name": "Standard" + }, + "properties": { + "frontendIPConfigurations": [ + { + "name": "[variables('ilbName')]", + "properties": { + "privateIPAllocationMethod": "Static", + "privateIPAddress": "[variables('internalLBPrivateIPAddress')]", + "subnet": { + "id": "[resourceId(parameters('virtualNetworkExistingRGName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnet2Name'))]" + } + } + } + ], + "backendAddressPools": [ + { + "name": "[variables('ilbBEAddressPool')]" + } + ], + "loadBalancingRules": [ + { + "name": "[variables('ilbName')]", + 
"properties": { + "frontendIPConfiguration": { + "id": "[variables('ilbFEIPConfigID')]" + }, + "backendAddressPool": { + "id": "[variables('ilbBEAddressPoolID')]" + }, + "probe": { + "id": "[variables('ilbProbeID')]" + }, + "protocol": "All", + "frontendPort": 0, + "backendPort": 0, + "loadDistribution": "Default", + "enableFloatingIP": false + } + } + ], + "probes": [ + { + "name": "[variables('ilbProbeName')]", + "properties": { + "protocol": "tcp", + "port": 8117, + "intervalInSeconds": 5, + "numberOfProbes": 2 + } + } + ] + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + } + ], + "outputs": { + "HaIPAddr": { + "type": "string", + "value": "[reference(variables('haPublicIPId')).IpAddress]" + }, + "HaFQDN": { + "type": "string", + "value": "[reference(variables('haPublicIPId')).dnsSettings.fqdn]" + }, + "Member1IPAddr": { + "type": "string", + "value": "[reference(variables('gwPublicIPIds')[0]).IpAddress]" + }, + "Member1FQDN": { + "type": "string", + "value": "[reference(variables('gwPublicIPIds')[0]).dnsSettings.fqdn]" + }, + "Member2IPAddr": { + "type": "string", + "value": "[reference(variables('gwPublicIPIds')[1]).IpAddress]" + }, + "Member2FQDN": { + "type": "string", + "value": "[reference(variables('gwPublicIPIds')[1]).dnsSettings.fqdn]" + } + } + } \ No newline at end of file diff --git a/contrib/azure/templates/ha-redeploy-single-member/README.MD b/contrib/azure/templates/ha-redeploy-single-member/README.MD new file mode 100644 index 00000000..d449370f --- /dev/null +++ b/contrib/azure/templates/ha-redeploy-single-member/README.MD 
@@ -0,0 +1,41 @@
+# ARM CloudGuard High Availability template to redeploy Cluster member
+
+This directory contains the CloudGuard IaaS HA template derived from the ´20220130` version of the template .
+
+This template adds the ability to redeploy a single member of a HA cluster into the same Resource Group of an existing Ha cluster withouth the need to redeploy the whole cluster.
+
+The template is specially useful in the following use cases:
+1 - Redeploy/Replace a single memeber of a cluster that has failed on the same version.
+2 - Perform an upgrade of the Cluster using MVC (Multi-version cluster)
+
+
+The logic of the template is to simply replace one VM and re-attach the old NIC’s and Public addresses and deploy on the same resource group as the old VM.
+
+NOTE 1: IAM roles must be configured manually since the template fails to update the resource group.
+
+NOTE 2: Deploys a new Storage account dedicated to the new deployed VM.
+
+## How to deploy the template:
+
+Note: Backup device according to sk169814 (if possible).
+
+1. Log in to the Microsoft Azure Portal
+2. Locate the resource group where the cluster is installed into
+3. Proceed to delete failed Virtual Machine.
+a. Select to delete associated Disk but to retain existing NIC and Public Addresses
+4. Click “Create a Resource”
+5. Log in to the Microsoft Azure Portal
+6. Search for "Template deployment (deploy using custom templates)" and click "Create"
+7. Click "Build your own template in the editor"
+8. Load the "ha-redeploy-single-member.json" file of the desired template and click "Save"
+9. Enter the desired template parameters.
+a. NOTE: Pay close attention to correctly fill the information relevant to the cluster name and member ID and match the resource group and VM size.
+b. Specify the Virtual Network name, resource group and cluster-vip of the cluster.
+c. 
Replace the "_artifacts Location" property with: https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/
+10. Click Purchase to deploy the solution
+11. Once deployment is completed. Verify IAM roles and permissions of the new VM.
+12. Restore any clish backups.
+13. Open SmartConsole, re-establishing SIC.
+ 13.a For Member Recovery: Re-install policy and test failover
+ 13.b For Upgrades: Perform MVC upgrade process as per documentation and then repeat all steps for second member to be upgraded.
+
diff --git a/contrib/azure/templates/ha-redeploy-single-member/ha-redeploy-single-member.json b/contrib/azure/templates/ha-redeploy-single-member/ha-redeploy-single-member.json
new file mode 100644
index 00000000..c21ed531
--- /dev/null
+++ b/contrib/azure/templates/ha-redeploy-single-member/ha-redeploy-single-member.json
@@ -0,0 +1,561 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string", + "metadata": { + "description": "Deployment location" + }, + "defaultValue": "[resourceGroup().location]" + }, + "cloudGuardVersion": { + "type": "string", + "allowedValues": [ + "R80.30 - Bring Your Own License", + "R80.30 - Pay As You Go (NGTP)", + "R80.30 - Pay As You Go (NGTX)", + "R80.40 - Bring Your Own License", + "R80.40 - Pay As You Go (NGTP)", + "R80.40 - Pay As You Go (NGTX)", + "R81 - Bring Your Own License", + "R81 - Pay As You Go (NGTP)", + "R81 - Pay As You Go (NGTX)", + "R81.10 - Bring Your Own License", + "R81.10 - Pay As You Go (NGTP)", + "R81.10 - Pay As You Go (NGTX)" + ], + "defaultValue": "R81.10 - Bring Your Own License", + "metadata": { + "description": "Check Point CloudGuard version" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Administrator password" + }, + "defaultValue": "" + }, + "authenticationType": { + "type": "string", + "allowedValues": [ + "password", + "sshPublicKey" + ], + "defaultValue": "password", + "metadata": { + "description": "Authentication type" + } + }, + "sshPublicKey": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Administrator SSH public key" + } + }, + "vmName": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "Name of the Check Point Cluster object" + } + },"memberID": { + "type": "string", + "defaultValue": "1", + "allowedValues": [ + "1", + "2" + ], + "metadata": { + "description": "ID of the Check Point Cluster member that is to be replaced 1 or 2" + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_D3_v2", + "metadata": { + "description": "Size of the VM (must be identical as existing deployed VM)" + } + }, + "adminShell": { + "type": "string", + "defaultValue": 
"/etc/cli.sh", + "allowedValues": [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh" + ], + "metadata": { + "Description": "The default shell for the admin user" + } + }, + "sicKey": { + "type": "securestring", + "metadata": { + "description": "One time key for Secure Internal Communication" + } + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "existing", + "allowedValues": [ + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "[concat(resourceGroup().name, '-vnet')]" + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "" + }, + "cluster-ip": { + "type": "string", + "metadata": { + "description": "The address of the cluster-ip private address associated with eth0 network interface of the current active member of the cluster" + }, + "defaultValue": "" + }, + "bootstrapScript": { + "type": "string", + "metadata": { + "description": "Bootstrap script" + }, + "defaultValue": "" + }, + "allowDownloadFromUploadToCheckPoint": { + "type": "string", + "allowedValues": [ + "true", + "false" + ], + "defaultValue": "true", + "metadata": { + "description": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + } + }, + "additionalDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "metadata": { + "description": "Amount of additional disk space (in GB)" + }, + "minValue": 0, + "maxValue": 3995 + }, + "diskType": { + "type": "string", + "defaultValue": "Standard_LRS", + "metadata": { + "description": "The type of the OS disk. 
Premium is applicable only to DS machine sizes" + }, + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ] + }, + "role": { + "type": "string", + "defaultValue": "Contributor", + "metadata": { + "description": "Role" + } + }, + "managedSystemAssigned": { + "type": "string", + "allowedValues": [ + "yes", + "no" + ], + "defaultValue": "yes", + "metadata": { + "description": "Automatically create a Service Principal for this deployment." + } + }, + "sourceImageVhdUri": { + "type": "string", + "defaultValue": "noCustomUri", + "metadata": { + "description": "The URI of the blob containing the development image" + } + }, + "availabilityOptions": { + "type": "string", + "allowedValues": [ + "Availability Set", + "Availability Zones" + ], + "defaultValue": "Availability Set", + "metadata": { + "description": "Use replicated Cluster VMs in Availability Set or Availability Zones (must match existing deployed VM)" + } + }, + "_artifactsLocation": { + "type": "string", + "metadata": { + "description": "Use the following URI when deploying a custom template: https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/" + }, + "defaultValue": "https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/" + }, + "_artifactsLocationSasToken": { + "type": "securestring", + "metadata": { + "description": "The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. Use the defaultValue if the staging location is not secured." 
+ }, + "defaultValue": "" + }, + "customMetrics": { + "type": "string", + "allowedValues": [ + "no", + "yes" + ], + "defaultValue": "yes", + "metadata": { + "Description": "Indicates whether CloudGuard Metrics will be used for Cluster members monitoring" + } + } + }, + "variables": { + "templateName": "ha", + "templateVersion": "20220130", + "location": "[parameters('location')]", + "elbPublicIPName": "frontend-lb-address", + "haPublicIPName": "[parameters('vmName')]", + "offers": { + "R80.30 - Bring Your Own License": "BYOL", + "R80.30 - Pay As You Go (NGTP)": "NGTP-V2", + "R80.30 - Pay As You Go (NGTX)": "NGTX-V2", + "R80.40 - Bring Your Own License": "BYOL", + "R80.40 - Pay As You Go (NGTP)": "NGTP", + "R80.40 - Pay As You Go (NGTX)": "NGTX", + "R81 - Bring Your Own License": "BYOL", + "R81 - Pay As You Go (NGTP)": "NGTP", + "R81 - Pay As You Go (NGTX)": "NGTX", + "R81.10 - Bring Your Own License": "BYOL", + "R81.10 - Pay As You Go (NGTP)": "NGTP", + "R81.10 - Pay As You Go (NGTX)": "NGTX" + }, + "offer": "[variables('offers')[parameters('cloudGuardVersion')]]", + "osVersions": { + "R80.30 - Bring Your Own License": "R8030", + "R80.30 - Pay As You Go (NGTP)": "R8030", + "R80.30 - Pay As You Go (NGTX)": "R8030", + "R80.40 - Bring Your Own License": "R8040", + "R80.40 - Pay As You Go (NGTP)": "R8040", + "R80.40 - Pay As You Go (NGTX)": "R8040", + "R81 - Bring Your Own License": "R81", + "R81 - Pay As You Go (NGTP)": "R81", + "R81 - Pay As You Go (NGTX)": "R81", + "R81.10 - Bring Your Own License": "R8110", + "R81.10 - Pay As You Go (NGTP)": "R8110", + "R81.10 - Pay As You Go (NGTX)": "R8110" + }, + "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", + "adminUsername": "notused", + "isBlink": true, + "storageAccountName": "[concat('bootdiag', uniqueString(resourceGroup().id, deployment().name))]", + "storageAccountType": "Standard_LRS", + "diskSize100GB": 100, + "diskSizeGB": "[add(parameters('additionalDiskSizeGB'), 
variables('diskSize100GB'))]", + "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'tenantId=\"', subscription().tenantId, '\"', '\n', 'virtualNetwork=\"', parameters('virtualNetworkName'), '\"', '\n', 'clusterName=\"', parameters('vmName'), '\"', '\n', 'externalPrivateAddresses=\"', variables('externalPrivateAddresses'), '\"', '\n', 'customMetrics=\"', variables('customMetrics'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n')]", + "imageOffer": "[concat('check-point-cg-', toLower(variables('osVersion')))]", + "imagePublisher": "checkpoint", + "imageReferenceBYOL": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-byol", + "version": "latest" + }, + "imageReferenceNGTP": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp", + "version": "latest" + }, + "imageReferenceNGTP-V2": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp-v2", + "version": "latest" + }, + "imageReferenceNGTX": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtx", + "version": "latest" + }, + "imageReferenceNGTX-V2": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtx-v2", + "version": "latest" + }, + 
"imageReferenceMarketplace": "[if(equals(variables('offer'), 'BYOL'), variables('imageReferenceBYOL'), if(equals(variables('offer'), 'NGTP'), variables('imageReferenceNGTP'), if(equals(variables('offer'), 'NGTP-V2'), variables('imageReferenceNGTP-V2'), if(equals(variables('offer'), 'NGTX'), variables('imageReferenceNGTX'), if(equals(variables('offer'), 'NGTX-V2'), variables('imageReferenceNGTX-V2'), json('null'))))))]", + "customImage": "customImage", + "imageReferenceCustomUri": { + "id": "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + }, + "imageReference": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('imageReferenceMarketplace'), variables('imageReferenceCustomUri'))]", + "nic1Name": "eth0", + "nic2Name": "eth1", + "elbName": "frontend-lb", + "elbId": "[resourceId('Microsoft.Network/loadBalancers', variables('elbName'))]", + "elbBEAddressPool": "[concat(variables('elbName'), '-pool')]", + "elbBEAddressPoolID": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', variables('elbName'), variables('elbBEAddressPool'))]", + "ilbName": "backend-lb", + "ilbId": "[resourceId('Microsoft.Network/loadBalancers', variables('ilbName'))]", + "ilbBEAddressPool": "[concat(variables('ilbName'), '-pool')]", + "ilbBEAddressPoolID": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools/', variables('ilbName'), variables('ilbBEAddressPool'))]", + "ilbFEIPConfigID": "[resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations/', variables('ilbName'), variables('ilbName'))]", + "ilbProbeName": "[variables('ilbName')]", + "ilbProbeID": "[resourceId('Microsoft.Network/loadBalancers/probes/', variables('ilbName'), variables('ilbProbeName'))]", + "linuxConfigurationpassword": { + "disablePasswordAuthentication": "false" + }, + "appProbeName": "health_prob_port", + "linuxConfigurationsshPublicKey": { + "disablePasswordAuthentication": "true", + "ssh": { + "publicKeys": [ + { + "keyData": 
"[parameters('sshPublicKey')]", + "path": "/home/notused/.ssh/authorized_keys" + } + ] + } + }, + "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), variables('linuxConfigurationpassword'), variables('linuxConfigurationsshPublicKey'))]", + "planBYOL": { + "name": "sg-byol", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP": { + "name": "sg-ngtp", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP-V2": { + "name": "sg-ngtp-v2", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTX": { + "name": "sg-ngtx", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTX-V2": { + "name": "sg-ngtx-v2", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "plan": "[if(equals(variables('offer'), 'BYOL') , variables('planBYOL'), if(equals(variables('offer'), 'NGTP'), variables('planNGTP'), if(equals(variables('offer'), 'NGTP-V2'), variables('planNGTP-V2'), if(equals(variables('offer'), 'NGTX'), variables('planNGTX'), if(equals(variables('offer'), 'NGTX-V2'), variables('planNGTX-V2'), json('null'))))))]", + "externalPrivateAddresses": "[parameters('cluster-ip')]", + "roleDefinitionId": "[if(equals(parameters('role'), 'Contributor'), subscriptionResourceId('Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c'), parameters('role'))]", + "identity": "[json('{\"type\": \"SystemAssigned\"}')]", + "nsgName": "[concat(parameters('vmName'), '-nsg')]", + "elbPublicIPId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('elbPublicIPName'))]", + "haPublicIPId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('haPublicIPName'))]", + "gwPublicIPIds": [ + "[resourceId('Microsoft.Network/publicIPAddresses', concat(parameters('vmName'), '1'))]", + 
"[resourceId('Microsoft.Network/publicIPAddresses', concat(parameters('vmName'), '2'))]" + ], + "availabilitySetName": "[concat(parameters('vmName'), '-AvailabilitySet')]", + "count": 2, + "bootstrapScript64": "[base64(parameters('bootstrapScript'))]", + "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]", + "networkSetupURL": "[uri(parameters('_artifactsLocation'), concat('nestedtemplates/vnet-2-subnet-ha2-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]", + "sicKey": "[parameters('sicKey')]", + "installationType": "cluster", + "availabilityZonesLocations": [ + "australiaeast", + "brazilsouth", + "canadacentral", + "centralus", + "eastasia", + "eastus", + "eastus2", + "francecentral", + "germanywestcentral", + "japaneast", + "koreacentral", + "northeurope", + "norwayeast", + "southafricanorth", + "southcentralus", + "southeastasia", + "swedencentral", + "uksouth", + "usgovvirginia", + "westeurope", + "westus2", + "westus3" + ], + "availabilitySetProperty": { + "id": "[resourceId('Microsoft.Compute/availabilitySets', variables('availabilitySetName'))]" + }, + "useAZ": "[and(contains(variables('availabilityZonesLocations'), variables('location')), equals(parameters('availabilityOptions'), 'Availability Zones'))]", + "customMetrics": "[parameters('customMetrics')]", + "emptyString": "none", + "deployNewVnet": "[equals(parameters('vnetNewOrExisting'), 'new')]", + "vnetRGName": "[if(variables('deployNewVnet'), resourceGroup().name, parameters('virtualNetworkExistingRGName'))]" + }, + "resources": [ + { + "apiVersion": "2020-06-01", + "name": "pid-6f13b00a-7546-4ab2-be9f-c66815cc6c8b-partnercenter", + "type": "Microsoft.Resources/deployments", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Storage/storageAccounts", 
+ "name": "[variables('storageAccountName')]", + "apiVersion": "2021-04-01", + "properties": { + "supportsHttpsTrafficOnly": true, + "allowBlobPublicAccess": false, + "minimumTlsVersion": "TLS1_2" + }, + "location": "[variables('location')]", + "sku": { + "name": "[variables('storageAccountType')]" + }, + "kind": "Storage" + }, + { + "type": "Microsoft.Compute/availabilitySets", + "condition": "[not(variables('useAZ'))]", + "apiVersion": "2020-06-01", + "location": "[variables('location')]", + "name": "[concat(variables('availabilitySetName'))]", + "properties": { + "platformFaultDomainCount": 2 + }, + "sku": { + "name": "Aligned" + } + }, + { + "condition": "[not(equals(parameters('sourceImageVhdUri'), 'noCustomUri'))]", + "type": "Microsoft.Compute/images", + "apiVersion": "2020-06-01", + "name": "[variables('customImage')]", + "location": "[variables('location')]", + "properties": { + "storageProfile": { + "osDisk": { + "osType": "Linux", + "osState": "Generalized", + "blobUri": "[parameters('sourceImageVhdUri')]", + "storageAccountType": "Standard_LRS" + } + }, + "hyperVGeneration": "V1" + } + }, + { + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2021-07-01", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]", + "[resourceId('Microsoft.Compute/availabilitySets', variables('availabilitySetName'))]", + "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + ], + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), parameters('memberID'))]", + "zones": "[if(variables('useAZ'), array(parameters('memberID')), json('null'))]", + "plan": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('plan'), json('null'))]", + "identity": "[if(equals(parameters('managedSystemAssigned'), 'yes'), variables('identity'), json('null'))]", + "properties": { + "availabilitySet": "[if(not(variables('useAZ')), variables('availabilitySetProperty'), 
json('null'))]", + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": "true", + "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2021-04-01').primaryEndpoints.blob]" + } + }, + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), parameters('memberID'), '-', variables('nic1Name')))]", + "properties": { + "primary": true + } + }, + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), parameters('memberID'), '-', variables('nic2Name')))]", + "properties": { + "primary": false + } + } + ] + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "[variables('adminUsername')]", + "computername": "[concat(toLower(parameters('vmName')), parameters('memberID'))]", + "customData": "[base64(variables('customData'))]", + "linuxConfiguration": "[variables('linuxConfiguration')]" + }, + "storageProfile": { + "imageReference": "[variables('imageReference')]", + "osDisk": { + "caching": "ReadWrite", + "createOption": "FromImage", + "diskSizeGB": "[variables('diskSizeGB')]", + "name": "[concat(parameters('vmName'), parameters('memberID'))]", + "managedDisk": { + "storageAccountType": "[parameters('diskType')]" + } + } + } + } + }, + + { + "condition": "[equals(parameters('managedSystemAssigned'), 'yes')]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[guid(resourceGroup().id, concat(parameters('vmName'), parameters('memberID')))]", + "dependsOn": [ + "[resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), parameters('memberID')))]" + ], + "properties": { + "roleDefinitionId": "[variables('roleDefinitionId')]", + "scope": "[resourceGroup().id]", + "principalId": 
"[reference(resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), parameters('memberID'))), '2021-07-01', 'Full').identity.principalId]"
+ }
+ }
+ ],
+ "outputs": {
+ "DeploymentName": {
+ "type": "string",
+ "value": "[concat('bootdiag', resourceGroup().id, '-' ,deployment().name)]"
+ }
+ }
+}
\ No newline at end of file
diff --git a/contrib/azure/templates/ha-redeploy-single-member/mainTemplate.json b/contrib/azure/templates/ha-redeploy-single-member/mainTemplate.json
new file mode 100644
index 00000000..b1aef4c4
--- /dev/null
+++ b/contrib/azure/templates/ha-redeploy-single-member/mainTemplate.json
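Review bot: The roleAssignments resource reuses the deterministic name the original cluster deployment derived from the member, `guid(resourceGroup().id, concat(parameters('vmName'), parameters('memberID')))`, but the replacement VM receives a fresh system-assigned principalId, so if the assignment left behind by the deleted member is still in the resource group this deployment will most likely fail as a conflicting update of an existing assignment rather than re-grant Contributor (which appears to be the failure the README's NOTE 1 works around by hand). Either document that the orphaned assignment for the old member must be removed before redeploying, or make the name unique to this redeployment, e.g. `"name": "[guid(resourceGroup().id, concat(parameters('vmName'), parameters('memberID')), deployment().name)]"`, and still call out that the stale resource-group-scoped Contributor assignment should be cleaned up so it does not accumulate. Separately, the `customData` variable emits `location=` twice; drop the second `'location=\"', variables('location'), '\"', '\n'` segment. Several variables (`networkSetupURL` with the SAS token, `nsgName`, `gwPublicIPIds`, `haPublicIPId`, `deployNewVnet`, `vnetRGName`) are defined but referenced by no resource in this template and could be removed to keep the redeploy template minimal.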
@@ -0,0 +1,1055 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string", + "metadata": { + "description": "Deployment location" + }, + "defaultValue": "[resourceGroup().location]" + }, + "cloudGuardVersion": { + "type": "string", + "allowedValues": [ + "R80.30 - Bring Your Own License", + "R80.30 - Pay As You Go (NGTP)", + "R80.30 - Pay As You Go (NGTX)", + "R80.40 - Bring Your Own License", + "R80.40 - Pay As You Go (NGTP)", + "R80.40 - Pay As You Go (NGTX)", + "R81 - Bring Your Own License", + "R81 - Pay As You Go (NGTP)", + "R81 - Pay As You Go (NGTX)", + "R81.10 - Bring Your Own License", + "R81.10 - Pay As You Go (NGTP)", + "R81.10 - Pay As You Go (NGTX)" + ], + "defaultValue": "R81.10 - Bring Your Own License", + "metadata": { + "description": "Check Point CloudGuard version" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Administrator password" + }, + "defaultValue": "" + }, + "authenticationType": { + "type": "string", + "allowedValues": [ + "password", + "sshPublicKey" + ], + "defaultValue": "password", + "metadata": { + "description": "Authentication type" + } + }, + "sshPublicKey": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Administrator SSH public key" + } + }, + "floatingIP": { + "type": "string", + "allowedValues": [ + "no", + "yes" + ], + "defaultValue": "no", + "metadata": { + "description": "Deploy the Load Balancers with floating IP" + } + }, + "publicIPPrefix": { + "type": "string", + "allowedValues": [ + "no", + "yes" + ], + "defaultValue": "no", + "metadata": { + "description": "Use public IP prefix" + } + }, + "createNewIPPrefix": { + "type": "string", + "allowedValues": [ + "no", + "yes" + ], + "defaultValue": "no", + "metadata": { + "description": "Create new public IP prefix" + } + }, + "ipPrefixExistingResourceId": { + "type": 
"string", + "metadata": { + "description": "The resource id of the existing IP prefix" + }, + "defaultValue": "" + }, + "vmName": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "Name of the Check Point Cluster object" + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_D3_v2", + "metadata": { + "description": "Size of the VM" + } + }, + "adminShell": { + "type": "string", + "defaultValue": "/etc/cli.sh", + "allowedValues": [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh" + ], + "metadata": { + "Description": "The default shell for the admin user" + } + }, + "sicKey": { + "type": "securestring", + "metadata": { + "description": "One time key for Secure Internal Communication" + } + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "[concat(resourceGroup().name, '-vnet')]" + }, + "virtualNetworkAddressPrefixes": { + "type": "array", + "metadata": { + "description": "The address prefixes of the virtual network" + }, + "defaultValue": [ + "10.0.0.0/16" + ] + }, + "subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the frontend subnet" + }, + "defaultValue": "Frontend" + }, + "subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the frontend subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "subnet1StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the 1st subnet" + }, + "defaultValue": "10.0.1.10" + }, + "subnet2Name": { + "type": "string", + "metadata": { + "description": "The name of the backend subnet" + }, + "defaultValue": "Backend" + }, + "subnet2Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the backend subnet" + }, + "defaultValue": "10.0.2.0/24" + }, + "subnet2StartAddress": { + "type": "string", + "metadata": { + "description": 
"The first available address on the 2nd subnet" + }, + "defaultValue": "10.0.2.10" + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "new", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "[resourceGroup().name]" + }, + "bootstrapScript": { + "type": "string", + "metadata": { + "description": "Bootstrap script" + }, + "defaultValue": "" + }, + "allowDownloadFromUploadToCheckPoint": { + "type": "string", + "allowedValues": [ + "true", + "false" + ], + "defaultValue": "true", + "metadata": { + "description": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + } + }, + "additionalDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "metadata": { + "description": "Amount of additional disk space (in GB)" + }, + "minValue": 0, + "maxValue": 3995 + }, + "diskType": { + "type": "string", + "defaultValue": "Standard_LRS", + "metadata": { + "description": "The type of the OS disk. Premium is applicable only to DS machine sizes" + }, + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ] + }, + "role": { + "type": "string", + "defaultValue": "Contributor", + "metadata": { + "description": "Role" + } + }, + "managedSystemAssigned": { + "type": "string", + "allowedValues": [ + "yes", + "no" + ], + "defaultValue": "yes", + "metadata": { + "description": "Automatically create a Service Principal for this deployment." 
+ } + }, + "sourceImageVhdUri": { + "type": "string", + "defaultValue": "noCustomUri", + "metadata": { + "description": "The URI of the blob containing the development image" + } + }, + "availabilityOptions": { + "type": "string", + "allowedValues": [ + "Availability Set", + "Availability Zones" + ], + "defaultValue": "Availability Set", + "metadata": { + "description": "Use replicated Cluster VMs in Availability Set or Availability Zones" + } + }, + "_artifactsLocation": { + "type": "string", + "metadata": { + "description": "Use the following URI when deploying a custom template: https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/" + }, + "defaultValue": "[deployment().properties.templateLink.uri]" + }, + "_artifactsLocationSasToken": { + "type": "securestring", + "metadata": { + "description": "The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. Use the defaultValue if the staging location is not secured." 
+ }, + "defaultValue": "" + }, + "customMetrics": { + "type": "string", + "allowedValues": [ + "no", + "yes" + ], + "defaultValue": "yes", + "metadata": { + "Description": "Indicates whether CloudGuard Metrics will be used for Cluster members monitoring" + } + } + }, + "variables": { + "templateName": "ha", + "templateVersion": "20220130", + "location": "[parameters('location')]", + "elbPublicIPName": "frontend-lb-address", + "haPublicIPName": "[parameters('vmName')]", + "offers": { + "R80.30 - Bring Your Own License": "BYOL", + "R80.30 - Pay As You Go (NGTP)": "NGTP-V2", + "R80.30 - Pay As You Go (NGTX)": "NGTX-V2", + "R80.40 - Bring Your Own License": "BYOL", + "R80.40 - Pay As You Go (NGTP)": "NGTP", + "R80.40 - Pay As You Go (NGTX)": "NGTX", + "R81 - Bring Your Own License": "BYOL", + "R81 - Pay As You Go (NGTP)": "NGTP", + "R81 - Pay As You Go (NGTX)": "NGTX", + "R81.10 - Bring Your Own License": "BYOL", + "R81.10 - Pay As You Go (NGTP)": "NGTP", + "R81.10 - Pay As You Go (NGTX)": "NGTX" + }, + "offer": "[variables('offers')[parameters('cloudGuardVersion')]]", + "osVersions": { + "R80.30 - Bring Your Own License": "R8030", + "R80.30 - Pay As You Go (NGTP)": "R8030", + "R80.30 - Pay As You Go (NGTX)": "R8030", + "R80.40 - Bring Your Own License": "R8040", + "R80.40 - Pay As You Go (NGTP)": "R8040", + "R80.40 - Pay As You Go (NGTX)": "R8040", + "R81 - Bring Your Own License": "R81", + "R81 - Pay As You Go (NGTP)": "R81", + "R81 - Pay As You Go (NGTX)": "R81", + "R81.10 - Bring Your Own License": "R8110", + "R81.10 - Pay As You Go (NGTP)": "R8110", + "R81.10 - Pay As You Go (NGTX)": "R8110" + }, + "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", + "adminUsername": "notused", + "isBlink": true, + "storageAccountName": "[concat('bootdiag', uniqueString(resourceGroup().id, deployment().name))]", + "storageAccountType": "Standard_LRS", + "diskSize100GB": 100, + "diskSizeGB": "[add(parameters('additionalDiskSizeGB'), 
variables('diskSize100GB'))]", + "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'tenantId=\"', subscription().tenantId, '\"', '\n', 'virtualNetwork=\"', parameters('virtualNetworkName'), '\"', '\n', 'clusterName=\"', parameters('vmName'), '\"', '\n', 'externalPrivateAddresses=\"', variables('externalPrivateAddresses')[2], '\"', '\n', 'customMetrics=\"', variables('customMetrics'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n')]", + "imageOffer": "[concat('check-point-cg-', toLower(variables('osVersion')))]", + "imagePublisher": "checkpoint", + "imageReferenceBYOL": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-byol", + "version": "latest" + }, + "imageReferenceNGTP": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp", + "version": "latest" + }, + "imageReferenceNGTP-V2": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp-v2", + "version": "latest" + }, + "imageReferenceNGTX": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtx", + "version": "latest" + }, + "imageReferenceNGTX-V2": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtx-v2", + "version": "latest" + }, + 
"imageReferenceMarketplace": "[if(equals(variables('offer'), 'BYOL'), variables('imageReferenceBYOL'), if(equals(variables('offer'), 'NGTP'), variables('imageReferenceNGTP'), if(equals(variables('offer'), 'NGTP-V2'), variables('imageReferenceNGTP-V2'), if(equals(variables('offer'), 'NGTX'), variables('imageReferenceNGTX'), if(equals(variables('offer'), 'NGTX-V2'), variables('imageReferenceNGTX-V2'), json('null'))))))]", + "customImage": "customImage", + "imageReferenceCustomUri": { + "id": "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + }, + "imageReference": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('imageReferenceMarketplace'), variables('imageReferenceCustomUri'))]", + "enableFloatingIP": "[equals(parameters('floatingIP'), 'yes')]", + "nic1Name": "eth0", + "nic2Name": "eth1", + "elbName": "frontend-lb", + "elbId": "[resourceId('Microsoft.Network/loadBalancers', variables('elbName'))]", + "elbBEAddressPool": "[concat(variables('elbName'), '-pool')]", + "elbBEAddressPoolID": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', variables('elbName'), variables('elbBEAddressPool'))]", + "ilbName": "backend-lb", + "ilbId": "[resourceId('Microsoft.Network/loadBalancers', variables('ilbName'))]", + "ilbBEAddressPool": "[concat(variables('ilbName'), '-pool')]", + "ilbBEAddressPoolID": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools/', variables('ilbName'), variables('ilbBEAddressPool'))]", + "ilbFEIPConfigID": "[resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations/', variables('ilbName'), variables('ilbName'))]", + "ilbProbeName": "[variables('ilbName')]", + "ilbProbeID": "[resourceId('Microsoft.Network/loadBalancers/probes/', variables('ilbName'), variables('ilbProbeName'))]", + "linuxConfigurationpassword": { + "disablePasswordAuthentication": "false" + }, + "appProbeName": "health_prob_port", + "linuxConfigurationsshPublicKey": { + "disablePasswordAuthentication": 
"true", + "ssh": { + "publicKeys": [ + { + "keyData": "[parameters('sshPublicKey')]", + "path": "/home/notused/.ssh/authorized_keys" + } + ] + } + }, + "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), variables('linuxConfigurationpassword'), variables('linuxConfigurationsshPublicKey'))]", + "planBYOL": { + "name": "sg-byol", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP": { + "name": "sg-ngtp", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP-V2": { + "name": "sg-ngtp-v2", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTX": { + "name": "sg-ngtx", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTX-V2": { + "name": "sg-ngtx-v2", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "plan": "[if(equals(variables('offer'), 'BYOL') , variables('planBYOL'), if(equals(variables('offer'), 'NGTP'), variables('planNGTP'), if(equals(variables('offer'), 'NGTP-V2'), variables('planNGTP-V2'), if(equals(variables('offer'), 'NGTX'), variables('planNGTX'), if(equals(variables('offer'), 'NGTX-V2'), variables('planNGTX-V2'), json('null'))))))]", + "externalPrivateAddresses": [ + "[parameters('Subnet1StartAddress')]", + "[concat(split(parameters('subnet1StartAddress'), '.')[0],'.', split(parameters('subnet1StartAddress'), '.')[1],'.', split(parameters('subnet1StartAddress'), '.')[2],'.', string(add(int(split(parameters('subnet1StartAddress'), '.')[3]),1)))]", + "[concat(split(parameters('subnet1StartAddress'), '.')[0],'.', split(parameters('subnet1StartAddress'), '.')[1],'.', split(parameters('subnet1StartAddress'), '.')[2],'.', string(add(int(split(parameters('subnet1StartAddress'), '.')[3]),2)))]" + ], + "roleDefinitionId": "[if(equals(parameters('role'), 'Contributor'), 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c'), parameters('role'))]", + "identity": "[json('{\"type\": \"SystemAssigned\"}')]", + "subnet2PrivateAddresses": [ + "[concat(split(parameters('subnet2StartAddress'), '.')[0],'.', split(parameters('subnet2StartAddress'), '.')[1],'.', split(parameters('subnet2StartAddress'), '.')[2],'.', string(add(int(split(parameters('subnet2StartAddress'), '.')[3]),1)))]", + "[concat(split(parameters('subnet2StartAddress'), '.')[0],'.', split(parameters('subnet2StartAddress'), '.')[1],'.', split(parameters('subnet2StartAddress'), '.')[2],'.', string(add(int(split(parameters('subnet2StartAddress'), '.')[3]),2)))]" + ], + "nsgName": "[concat(parameters('vmName'), '-nsg')]", + "elbPublicIPId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('elbPublicIPName'))]", + "haPublicIPId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('haPublicIPName'))]", + "gwPublicIPIds": [ + "[resourceId('Microsoft.Network/publicIPAddresses', concat(parameters('vmName'), '1'))]", + "[resourceId('Microsoft.Network/publicIPAddresses', concat(parameters('vmName'), '2'))]" + ], + "availabilitySetName": "[concat(parameters('vmName'), '-AvailabilitySet')]", + "count": 2, + "bootstrapScript64": "[base64(parameters('bootstrapScript'))]", + "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]", + "networkSetupURL": "[uri(parameters('_artifactsLocation'), concat('nestedtemplates/vnet-2-subnet-ha2-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]", + "sicKey": "[parameters('sicKey')]", + "installationType": "cluster", + "internalLBPrivateIPAddress": "[parameters('Subnet2StartAddress')]", + "availabilityZonesLocations": [ + "australiaeast", + "brazilsouth", + "canadacentral", + "centralus", + "eastasia", + "eastus", + "eastus2", + "francecentral", + "germanywestcentral", + "japaneast", + "koreacentral", + "northeurope", + 
"norwayeast", + "southafricanorth", + "southcentralus", + "southeastasia", + "swedencentral", + "uksouth", + "usgovvirginia", + "westeurope", + "westus2", + "westus3" + ], + "availabilitySetProperty": { + "id": "[resourceId('Microsoft.Compute/availabilitySets', variables('availabilitySetName'))]" + }, + "useAZ": "[and(contains(variables('availabilityZonesLocations'), variables('location')), equals(parameters('availabilityOptions'), 'Availability Zones'))]", + "customMetrics": "[parameters('customMetrics')]", + "emptyString": "none", + "ipPrefixNewName": "[concat(parameters('vmName'), '-ipprefix')]", + "ipPrefixExistingResourceId": "[if(equals(parameters('publicIPPrefix'), 'yes'), parameters('ipPrefixExistingResourceId'), variables('emptyString'))]", + "ipNewPrefixId": "[resourceId('Microsoft.Network/publicIPPrefixes',variables('ipPrefixNewName'))]", + "publicIPNewPrefixId": "[if(equals(parameters('publicIPPrefix'), 'yes'), variables('ipNewPrefixId'), json('null'))]", + "usepublicIPPrefix": "[if(equals(parameters('createNewIPPrefix'),'yes'), variables('publicIPNewPrefixId'), variables('ipPrefixExistingResourceId'))]", + "publicIPPrefixProperty": { + "Id": "[variables('usepublicIPPrefix')]" + }, + "prefixDependsOn": "[if(equals(parameters('publicIPPrefix'), 'yes'), if(equals(parameters('createNewIPPrefix'), 'yes'), variables('publicIPNewPrefixId'), variables('ipNewPrefixId')), variables('ipNewPrefixId'))]", + "deployNewVnet": "[equals(parameters('vnetNewOrExisting'), 'new')]", + "vnetRGName": "[if(variables('deployNewVnet'), resourceGroup().name, parameters('virtualNetworkExistingRGName'))]" + }, + "resources": [ + { + "condition": "[and(equals(parameters('createNewIPPrefix'), 'yes'), equals(parameters('publicIPPrefix'), 'yes'))]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Network/publicIPPrefixes", + "name": "[variables('ipPrefixNewName')]", + "location": "[variables('location')]", + "properties": { + "prefixLength": "30", + "publicIPAddressVersion": "IPv4" 
+ }, + "sku": { + "name": "Standard", + "tier": "Regional" + } + }, + { + "apiVersion": "2020-06-01", + "name": "pid-6f13b00a-7546-4ab2-be9f-c66815cc6c8b-partnercenter", + "type": "Microsoft.Resources/deployments", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('storageAccountName')]", + "apiVersion": "2021-04-01", + "properties": { + "supportsHttpsTrafficOnly": true, + "allowBlobPublicAccess": false, + "minimumTlsVersion": "TLS1_2" + }, + "location": "[variables('location')]", + "sku": { + "name": "[variables('storageAccountType')]" + }, + "kind": "Storage" + }, + { + "condition": "[equals(parameters('vnetNewOrExisting'), 'new')]", + "name": "networkNewSetup", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + "value": "[variables('location')]" + }, + "nsgName": { + "value": "[variables('nsgName')]" + }, + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + "virtualNetworkAddressPrefixes": { + "value": "[parameters('virtualNetworkAddressPrefixes')]" + }, + "subnet1Name": { + "value": "[parameters('subnet1Name')]" + }, + "subnet1Prefix": { + "value": "[parameters('subnet1Prefix')]" + }, + "subnet2Name": { + "value": "[parameters('subnet2Name')]" + }, + "subnet2Prefix": { + "value": "[parameters('subnet2Prefix')]" + } + } + } + }, + { + "condition": "[equals(parameters('vnetNewOrExisting'), 'existing')]", + "name": "networkExistingSetup", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": 
"[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + "virtualNetworkExistingRGName": { + "value": "[variables('vnetRGName')]" + } + } + } + }, + { + "type": "Microsoft.Compute/availabilitySets", + "condition": "[not(variables('useAZ'))]", + "apiVersion": "2020-06-01", + "location": "[variables('location')]", + "name": "[concat(variables('availabilitySetName'))]", + "properties": { + "platformFaultDomainCount": 2 + }, + "sku": { + "name": "Aligned" + } + }, + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[variables('prefixDependsOn')]" + ], + "location": "[variables('location')]", + "name": "[variables('elbPublicIPName')]", + "sku": { + "name": "Standard" + }, + "properties": { + "idleTimeoutInMinutes": 30, + "publicIPAllocationMethod": "Static", + "dnsSettings": { + "domainNameLabel": "[concat(toLower(parameters('vmName')), '-', uniquestring(resourceGroup().id, deployment().name))]" + }, + "publicIPPrefix": "[if(equals(parameters('publicIPPrefix'), 'yes'), variables('publicIPPrefixProperty'), json('null'))]" + } + }, + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[variables('prefixDependsOn')]" + ], + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), copyIndex(1))]", + "sku": { + "name": "Standard" + }, + "copy": { + "name": "publicAddressCopy", + "count": "[variables('count')]" + }, + "properties": { + "idleTimeoutInMinutes": 30, + "publicIPAllocationMethod": "Static", + "dnsSettings": { + "domainNameLabel": "[concat(toLower(parameters('vmName')), '-', copyIndex(1), '-', uniquestring(resourceGroup().id, deployment().name))]" + }, + "publicIPPrefix": "[if(equals(parameters('publicIPPrefix'), 'yes'), variables('publicIPPrefixProperty'), json('null'))]" + } + }, + { + "type": "Microsoft.Network/publicIPAddresses", + 
"apiVersion": "2020-06-01", + "dependsOn": [ + "[variables('prefixDependsOn')]" + ], + "location": "[variables('location')]", + "name": "[parameters('vmName')]", + "sku": { + "name": "Standard" + }, + "properties": { + "idleTimeoutInMinutes": 30, + "publicIPAllocationMethod": "Static", + "dnsSettings": { + "domainNameLabel": "[concat(toLower(parameters('vmName')), '-vip-', uniquestring(resourceGroup().id, deployment().name))]" + }, + "publicIPPrefix": "[if(equals(parameters('publicIPPrefix'), 'yes'), variables('publicIPPrefixProperty'), json('null'))]" + } + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[coalesce(resourceId('Microsoft.Resources/deployments', 'networkNewSetup'), resourceId('Microsoft.Resources/deployments', 'networkExistingSetup'))]", + "[variables('elbId')]", + "[variables('gwPublicIPIds')[0]]", + "[variables('haPublicIPId')]" + ], + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), '1-', variables('nic1Name'))]", + "properties": { + "primary": true, + "enableIPForwarding": true, + "enableAcceleratedNetworking": "[not(equals(variables('osVersion'), 'R8010'))]", + "ipConfigurations": [ + { + "name": "member-ip", + "properties": { + "primary": true, + "privateIPAddress": "[variables('externalPrivateAddresses')[0]]", + "privateIPAllocationMethod": "Static", + "PublicIpAddress": { + "Id": "[variables('gwPublicIPIds')[0]]" + }, + "subnet": { + "id": "[resourceId(variables('vnetRGName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnet1Name'))]" + }, + "loadBalancerBackendAddressPools": [ + { + "id": "[variables('elbBEAddressPoolID')]" + } + ] + } + }, + { + "name": "cluster-vip", + "properties": { + "primary": false, + "privateIPAddress": "[variables('externalPrivateAddresses')[2]]", + "privateIPAllocationMethod": "Static", + "PublicIpAddress": { + "Id": "[variables('haPublicIPId')]" + }, + "subnet": { + "id": 
"[resourceId(variables('vnetRGName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnet1Name'))]" + } + } + } + ] + } + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[coalesce(resourceId('Microsoft.Resources/deployments', 'networkNewSetup'), resourceId('Microsoft.Resources/deployments', 'networkExistingSetup'))]", + "[variables('elbId')]", + "[variables('gwPublicIPIds')[1]]" + ], + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), '2-', variables('nic1Name'))]", + "properties": { + "primary": true, + "enableIPForwarding": true, + "enableAcceleratedNetworking": "[not(equals(variables('osVersion'), 'R8010'))]", + "ipConfigurations": [ + { + "name": "member-ip", + "properties": { + "primary": true, + "privateIPAddress": "[variables('externalPrivateAddresses')[1]]", + "privateIPAllocationMethod": "Static", + "PublicIpAddress": { + "Id": "[variables('gwPublicIPIds')[1]]" + }, + "subnet": { + "id": "[resourceId(variables('vnetRGName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnet1Name'))]" + }, + "loadBalancerBackendAddressPools": [ + { + "id": "[variables('elbBEAddressPoolID')]" + } + ] + } + } + ] + } + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[coalesce(resourceId('Microsoft.Resources/deployments', 'networkNewSetup'), resourceId('Microsoft.Resources/deployments', 'networkExistingSetup'))]", + "[variables('ilbId')]" + ], + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), copyIndex(1), '-', variables('nic2Name'))]", + "copy": { + "name": "internalNicCopy", + "count": "[variables('count')]" + }, + "properties": { + "primary": false, + "enableIPForwarding": true, + "enableAcceleratedNetworking": "[not(equals(variables('osVersion'), 'R8010'))]", + "ipConfigurations": [ + { + "name": 
"member-ip", + "properties": { + "primary": true, + "privateIPAddress": "[variables('subnet2PrivateAddresses')[copyIndex()]]", + "privateIPAllocationMethod": "Static", + "subnet": { + "id": "[resourceId(variables('vnetRGName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnet2Name'))]" + }, + "loadBalancerBackendAddressPools": [ + { + "id": "[variables('ilbBEAddressPoolID')]" + } + ] + } + } + ] + } + }, + { + "condition": "[not(equals(parameters('sourceImageVhdUri'), 'noCustomUri'))]", + "type": "Microsoft.Compute/images", + "apiVersion": "2020-06-01", + "name": "[variables('customImage')]", + "location": "[variables('location')]", + "properties": { + "storageProfile": { + "osDisk": { + "osType": "Linux", + "osState": "Generalized", + "blobUri": "[parameters('sourceImageVhdUri')]", + "storageAccountType": "Standard_LRS" + } + }, + "hyperVGeneration": "V1" + } + }, + { + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2021-07-01", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]", + "[resourceId('Microsoft.Compute/availabilitySets', variables('availabilitySetName'))]", + "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), copyIndex(1), '-', variables('nic1Name')))]", + "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), copyIndex(1), '-', variables('nic2Name')))]", + "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + ], + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), copyIndex(1))]", + "zones": "[if(variables('useAZ'), array(copyIndex(1)), json('null'))]", + "copy": { + "name": "virtualMachineCopy", + "count": "[variables('count')]" + }, + "plan": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('plan'), json('null'))]", + "identity": "[if(equals(parameters('managedSystemAssigned'), 'yes'), variables('identity'), 
json('null'))]", + "properties": { + "availabilitySet": "[if(not(variables('useAZ')), variables('availabilitySetProperty'), json('null'))]", + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": "true", + "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2021-04-01').primaryEndpoints.blob]" + } + }, + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), copyIndex(1), '-', variables('nic1Name')))]", + "properties": { + "primary": true + } + }, + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), copyIndex(1), '-', variables('nic2Name')))]", + "properties": { + "primary": false + } + } + ] + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "[variables('adminUsername')]", + "computername": "[concat(toLower(parameters('vmName')), copyIndex(1))]", + "customData": "[base64(variables('customData'))]", + "linuxConfiguration": "[variables('linuxConfiguration')]" + }, + "storageProfile": { + "imageReference": "[variables('imageReference')]", + "osDisk": { + "caching": "ReadWrite", + "createOption": "FromImage", + "diskSizeGB": "[variables('diskSizeGB')]", + "name": "[concat(parameters('vmName'), copyIndex(1))]", + "managedDisk": { + "storageAccountType": "[parameters('diskType')]" + } + } + } + } + }, + { + "type": "Microsoft.Network/loadBalancers", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[variables('elbPublicIPId')]" + ], + "name": "[variables('elbName')]", + "location": "[variables('location')]", + "sku": { + "name": "Standard" + }, + "properties": { + "frontendIPConfigurations": [ + { + "name": "LoadBalancerFrontend", + "properties": { + "publicIPAddress": { + "id": "[variables('elbPublicIPId')]", + "publicIPPrefix": { + "id": "[if(equals(parameters('publicIPPrefix'), 
'yes'), variables('usepublicIPPrefix'), json('null'))]" + } + } + } + } + ], + "backendAddressPools": [ + { + "name": "[variables('elbBEAddressPool')]" + } + ], + "probes": [ + { + "name": "[variables('appProbeName')]", + "properties": { + "protocol": "tcp", + "port": 8117, + "intervalInSeconds": 5, + "numberOfProbes": 2 + } + } + ] + } + }, + { + "condition": "[equals(parameters('managedSystemAssigned'), 'yes')]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[guid(resourceGroup().id, concat(parameters('vmName'), copyIndex(1)))]", + "copy": { + "name": "virtualMachineCopy", + "count": "[variables('count')]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), copyIndex(1)))]" + ], + "properties": { + "roleDefinitionId": "[variables('roleDefinitionId')]", + "scope": "[resourceGroup().id]", + "principalId": "[reference(resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), copyIndex(1))), '2021-07-01', 'Full').identity.principalId]" + } + }, + { + "type": "Microsoft.Network/loadBalancers", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[coalesce(resourceId('Microsoft.Resources/deployments', 'networkNewSetup'), resourceId('Microsoft.Resources/deployments', 'networkExistingSetup'))]" + ], + "name": "[variables('ilbName')]", + "location": "[variables('location')]", + "sku": { + "name": "Standard" + }, + "properties": { + "frontendIPConfigurations": [ + { + "name": "[variables('ilbName')]", + "properties": { + "privateIPAllocationMethod": "Static", + "privateIPAddress": "[variables('internalLBPrivateIPAddress')]", + "subnet": { + "id": "[resourceId(variables('vnetRGName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnet2Name'))]" + } + } + } + ], + "backendAddressPools": [ + { + "name": "[variables('ilbBEAddressPool')]" + } + ], + "loadBalancingRules": [ + { + "name": 
"[variables('ilbName')]", + "properties": { + "frontendIPConfiguration": { + "id": "[variables('ilbFEIPConfigID')]" + }, + "backendAddressPool": { + "id": "[variables('ilbBEAddressPoolID')]" + }, + "probe": { + "id": "[variables('ilbProbeID')]" + }, + "protocol": "All", + "frontendPort": 0, + "backendPort": 0, + "loadDistribution": "Default", + "enableFloatingIP": "[variables('enableFloatingIP')]" + } + } + ], + "probes": [ + { + "name": "[variables('ilbProbeName')]", + "properties": { + "protocol": "tcp", + "port": 8117, + "intervalInSeconds": 5, + "numberOfProbes": 2 + } + } + ] + } + } + ], + "outputs": { + "HaIPAddr": { + "type": "string", + "value": "[reference(variables('haPublicIPId')).IpAddress]" + }, + "HaFQDN": { + "type": "string", + "value": "[reference(variables('haPublicIPId')).dnsSettings.fqdn]" + }, + "Member1IPAddr": { + "type": "string", + "value": "[reference(variables('gwPublicIPIds')[0]).IpAddress]" + }, + "Member1FQDN": { + "type": "string", + "value": "[reference(variables('gwPublicIPIds')[0]).dnsSettings.fqdn]" + }, + "Member2IPAddr": { + "type": "string", + "value": "[reference(variables('gwPublicIPIds')[1]).IpAddress]" + }, + "Member2FQDN": { + "type": "string", + "value": "[reference(variables('gwPublicIPIds')[1]).dnsSettings.fqdn]" + } + } +} \ No newline at end of file diff --git a/contrib/azure/templates/vmss-publicipprefixinstances/README.MD b/contrib/azure/templates/vmss-publicipprefixinstances/README.MD new file mode 100644 index 00000000..eec923c4 --- /dev/null +++ b/contrib/azure/templates/vmss-publicipprefixinstances/README.MD 
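Review bot: The role assignment bound to each member's system-assigned identity defaults to the built-in Contributor role at resource-group scope (`role` default `Contributor`, the `roleDefinitionId` variable, and `"scope": "[resourceGroup().id]"` on the roleAssignments resource), and the `role` parameter has no `allowedValues`, so any role definition id, including Owner, can be bound to a firewall VM that is also internet-facing and has IP forwarding enabled. Cluster failover presumably only needs network write on the NICs, public IPs and route tables in this group, so this is likely broader than required; at minimum the parameter description should say what is being granted, e.g. `"description": "Role definition id granted to the cluster members' managed identity at resource-group scope. Contributor is the upstream default; prefer a custom role limited to the network resources the cluster fails over."`. Separately, `authenticationType` defaults to `password` while `adminPassword` defaults to `""`; adding `"minLength": 12` to `adminPassword` (or defaulting to `sshPublicKey`) fails fast instead of at VM creation. The `customData` variable also emits the `location=` line twice, which is harmless but worth dropping.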
@@ -0,0 +1,47 @@
+# ARM CloudGuard IaaS Scale Set with instances' public IPs allocated from an existing public IP prefix
+
+This directory contains the CloudGuard IaaS VMSS template derived from the 20191003 vmss-v2 Marketplace scale set template.
+This template adds the ability to allocate IP addresses for instances from an existing public IP prefix.
+The VM scale set is deployed in the same existing resource group which includes the public IP prefix.
+
+## Changes from Marketplace template
+* added parameters:
+ - `existingPublicIPprefixGroupName`
+ - `existingPublicIPprefixName`
+
+* added variables:
+ - `existingPublicIPprefixResID` : constructs the public IP prefix ID from the parameters declared above, ID to be referenced in `publicIPProperties` existing variable
+
+* changed declarations:
+ - `publicIPProperties`
+ - hardcoded main template URL in existing parameter `_artifactsLocation` referenced by `networkSetupURL` and `loadBalacerSetupURL` to locate the nested templates
+
+## How to deploy the template:
+
+Local deployment: download this template, construct a parameters.json file and run your deployment tool of choice, e. g.
+
+```
+az group deployment create -g --template-file vmss-publicipprefix-instances.json --parameters @parameters.json --debug
+```
+
+### *Extra*: to load the administrator password from an existing keyvault (provided that you declared appropriate permissions), include in the parameters.json file in the parameters section:
+```
+"adminPassword": {
+ "reference": {
+ "keyVault": {
+ "id": "/subscriptions/your-subscription-id-here/resourceGroups/your-resource-group-here/providers/Microsoft.KeyVault/vaults/your-keyvault-name-here",
+ "secretName": "your-secret-name"
+ }
+},
+```
+It might be useful to include also a ssh public key in the parameters section of the parameters.json file.
+
+## To deploy the ARM templates manually without using the Azure Marketplace:
+1. Log in to the [Microsoft Azure Portal](https://portal.azure.com)
+2. Click "*Create a resource*"
+3. Search for "*Template deployment (deploy using custom templates)*" and click "*Create*"
+4. Click "*Build your own template in the editor*"
+5. Load the "*vmss-publicipprefix-instances.json*" file of the desired template and click "*Save*"
+6. Enter the required and/or optional template parameters
+7. Click *Purchase* to deploy the solution
+8. Debug the deployment
diff --git a/contrib/azure/templates/vmss-publicipprefixinstances/vmss-publicipprefix-instances.json b/contrib/azure/templates/vmss-publicipprefixinstances/vmss-publicipprefix-instances.json
new file mode 100644
index 00000000..cb0ae439
--- /dev/null
+++ b/contrib/azure/templates/vmss-publicipprefixinstances/vmss-publicipprefix-instances.json
@@ -0,0 +1,891 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string", + "metadata": { + "description": "Deployment location" + }, + "defaultValue": "[resourceGroup().location]" + }, + "cloudGuardVersion": { + "type": "string", + "allowedValues": [ + "R80.10 - Bring Your Own License", + "R80.10 - Pay As You Go (NGTP)", + "R80.10 - Pay As You Go (NGTX)", + "R80.20 - Bring Your Own License", + "R80.20 - Pay As You Go (NGTP)", + "R80.20 - Pay As You Go (NGTX)", + "R80.30 - Bring Your Own License", + "R80.30 - Pay As You Go (NGTP)", + "R80.30 - Pay As You Go (NGTX)" + ], + "defaultValue": "R80.30 - Bring Your Own License", + "metadata": { + "description": "Version of Check Point CloudGuard" + } + }, + "existingPublicIPprefixGroupName": { + "type": "string", + "metadata": { + "description": "The name of the group where an existing Public IP Prefix for instance-level public IPs is declared" + } + }, + "existingPublicIPprefixName": { + "type": "string", + "metadata": { + "description": "The name of existing Public IP Prefix for instance-level public IPs" + } + }, + "instanceCount": { + "defaultValue": "1", + "type": "string", + "metadata": { + "description": "Number of VM instances" + } + }, + "maxInstanceCount": { + "defaultValue": "2", + "type": "string", + "metadata": { + "description": "Maximum number of VM instances" + } + }, + "managementServer": { + "type": "string", + "metadata": { + "description": "The name of the management server as it appears in the configuration file" + } + }, + "configurationTemplate": { + "type": "string", + "metadata": { + "description": "The name of a template as it appears in the configuration file of CloudGuard controller" + } + }, + "adminEmail": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Email address to notify if there are any scaling operations" + } + }, + 
"adminPassword": { + "type": "securestring", + "metadata": { + "description": "Administrator password" + }, + "defaultValue": "" + }, + "authenticationType": { + "type": "string", + "allowedValues": [ + "password", + "sshPublicKey" + ], + "defaultValue": "password", + "metadata": { + "description": "Authentication type" + } + }, + "sshPublicKey": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Administrator SSH public key as generated by ssh-keygen" + } + }, + "vmName": { + "type": "string", + "defaultValue": "[concat(resourceGroup().name, '-vmss')]", + "metadata": { + "description": "Name of the Check Point Security Gateway scale set" + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_D2_v2", + "metadata": { + "description": "Size of the VM" + } + }, + "sicKey": { + "type": "securestring", + "metadata": { + "description": "One time key for Secure Internal Communication" + } + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "[concat(resourceGroup().name, '-vnet')]" + }, + "upgrading": { + "type": "string", + "defaultValue": "no", + "allowedValues": [ + "no", + "yes" + ], + "metadata": { + "Description": "Indicates whether the user is upgrading the CloudGuard VMSS solution" + } + }, + "lbsTargetRGName": { + "type": "string", + "metadata": { + "description": "The name of the Target Load Balancers Resource Group." + }, + "defaultValue": "" + }, + "elbResourceId": { + "type": "string", + "metadata": { + "description": "The Resource ID of the Target External Load Balancer." + }, + "defaultValue": "" + }, + "elbTargetBEAddressPoolName": { + "type": "string", + "metadata": { + "description": "The name of the new Target External Load Balancer's Backend Pool." + }, + "defaultValue": "" + }, + "ilbResourceId": { + "type": "string", + "metadata": { + "description": "The Resource ID of the Target Internal Load Balancer." 
+ }, + "defaultValue": "" + }, + "ilbTargetBEAddressPoolName": { + "type": "string", + "metadata": { + "description": "The name of the new Target Internal Load Balancer's Backend Pool." + }, + "defaultValue": "" + }, + "virtualNetworkAddressPrefixes": { + "type": "array", + "metadata": { + "description": "The address prefixes of the virtual network" + }, + "defaultValue": [ + "10.0.0.0/16" + ] + }, + "subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the frontend subnet" + }, + "defaultValue": "Frontend" + }, + "subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the frontend subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "subnet2Name": { + "type": "string", + "metadata": { + "description": "The name of the backend subnet" + }, + "defaultValue": "Backend" + }, + "subnet2Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the backend subnet" + }, + "defaultValue": "10.0.2.0/24" + }, + "subnet2StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the 2nd subnet" + }, + "defaultValue": "10.0.2.4" + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "existing", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "[resourceGroup().name]" + }, + "bootstrapScript": { + "type": "string", + "metadata": { + "description": "Bootstrap script" + }, + "defaultValue": "" + }, + "allowDownloadFromUploadToCheckPoint": { + "type": "string", + "allowedValues": [ + "true", + "false" + ], + "defaultValue": "true", + "metadata": { + "description": "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point" + } + }, + "instanceLevelPublicIP": { + "type": "string", + "allowedValues": [ + "no", + "yes" + ], + "defaultValue": "yes", + "metadata": { + "description": "Deploy the VMSS with instance level Public IP address" + } + }, + "mgmtInterfaceOpt1": { + "type": "string", + "allowedValues": [ + "eth0-public", + "eth0-private", + "eth1-private" + ], + "defaultValue": "eth0-public", + "metadata": { + "description": "Manage the Gateways in the Scale Set via the instance's external (eth0) or internal (eth1) NIC's private IP address." + } + }, + "mgmtInterfaceOpt2": { + "type": "string", + "allowedValues": [ + "eth0-private", + "eth1-private" + ], + "defaultValue": "eth1-private", + "metadata": { + "description": "Manage the Gateways in the Scale Set via the instance's external (eth0) or internal (eth1) NIC's private IP address." + } + }, + "mgmtIPaddress": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "The IP address used to manage the VMSS instances." + } + }, + "diskType": { + "type": "string", + "defaultValue": "Standard_LRS", + "metadata": { + "description": "The type of the OS disk. Premium is applicable only to DS machine sizes" + }, + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ] + }, + "appLoadDistribution": { + "type": "string", + "allowedValues": [ + "Default", + "SourceIP", + "SourceIPProtocol" + ], + "defaultValue": "Default", + "metadata": { + "description": "The External Load Balancer distribution method" + } + }, + "ilbLoadDistribution": { + "type": "string", + "allowedValues": [ + "Default", + "SourceIP", + "SourceIPProtocol" + ], + "defaultValue": "Default", + "metadata": { + "description": "The Internal Load Balancer distribution method" + } + }, + "deploymentMode": { + "type": "string", + "allowedValues": [ + "Standard", + "ILBOnly", + "ELBOnly" + ], + "defaultValue": "Standard", + "metadata": { + "description": "Solution deployment architecture." 
+ } + }, + "sourceImageVhdUri": { + "type": "string", + "defaultValue": "noCustomUri", + "metadata": { + "description": "The URI of the blob containing the development image" + } + }, + "availabilityZonesNum": { + "type": "int", + "allowedValues": [ + 0, + 1, + 2, + 3 + ], + "defaultValue": 0, + "metadata": { + "description": "The number of avalability zones" + } + }, + "_artifactsLocation": { + "type": "string", + "metadata": { + "description": "The base URI where artifacts required by this template are located including a trailing '/'" + }, + "defaultValue": "https://catalogartifact.azureedge.net/publicartifacts/checkpoint.vsec-b5bcf577-339b-44df-a901-2dd353948955-autoscale-v2/Artifacts/mainTemplate.json" + }, + "_artifactsLocationSasToken": { + "type": "securestring", + "metadata": { + "description": "The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. Use the defaultValue if the staging location is not secured." 
+ }, + "defaultValue": "" + }, + "Check_PointTags": { + "type": "object", + "defaultValue": { + "provider": "30DE18BC-F9F6-4F22-9D30-54B8E74CFD5F" + } + } + }, + "variables": { + "resourceGroup": "[resourceGroup()]", + "templateName": "vmss-v2", + "templateVersion": "20200113", + "location": "[parameters('location')]", + "offers": { + "R80.10 - Bring Your Own License": "BYOL", + "R80.10 - Pay As You Go (NGTP)": "NGTP-V2", + "R80.10 - Pay As You Go (NGTX)": "NGTX", + "R80.20 - Bring Your Own License": "BYOL", + "R80.20 - Pay As You Go (NGTP)": "NGTP", + "R80.20 - Pay As You Go (NGTX)": "NGTX", + "R80.30 - Bring Your Own License": "BYOL", + "R80.30 - Pay As You Go (NGTP)": "NGTP", + "R80.30 - Pay As You Go (NGTX)": "NGTX" + }, + "offer": "[variables('offers')[parameters('cloudGuardVersion')]]", + "osVersions": { + "R80.10 - Bring Your Own License": "R8010", + "R80.10 - Pay As You Go (NGTP)": "R8010", + "R80.10 - Pay As You Go (NGTX)": "R8010", + "R80.20 - Bring Your Own License": "R8020", + "R80.20 - Pay As You Go (NGTP)": "R8020", + "R80.20 - Pay As You Go (NGTX)": "R8020", + "R80.30 - Bring Your Own License": "R8030", + "R80.30 - Pay As You Go (NGTP)": "R8030", + "R80.30 - Pay As You Go (NGTX)": "R8030" + }, + "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", + "isBlink": true, + "computeApiVersion": "2017-12-01", + "storageApiVersion": "2017-10-01", + "networkApiVersion": "2018-01-01", + "deploymentsApiVersion": "2017-08-01", + "insightsApiVersion": "2015-04-01", + "storageAccountName": "[concat('bootdiag', uniqueString(variables('resourceGroup').id, deployment().name))]", + "storageAccountType": "Standard_LRS", + "existingPublicIPprefixResID": "[resourceId(parameters('existingPublicIPprefixGroupName'), 'Microsoft.Network/publicIPPrefixes', parameters('existingPublicIPprefixName'))]", + "customData": "[concat('#!/usr/bin/python /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 
'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'managementGUIClientNetwork=\"', variables('managementGUIClientNetwork'), '\"', '\n')]", + "imageOfferR8010": "check-point-vsec-r80-blink-v2", + "imageOfferR8020": "check-point-cg-r8020-blink-v2", + "imageOfferR8030": "check-point-cg-r8030", + "imageOffer": "[concat(variables(concat('imageOffer', variables('osVersion'))))]", + "imagePublisher": "checkpoint", + "imageReferenceBYOL": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-byol", + "version": "latest" + }, + "imageReferenceNGTP": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp", + "version": "latest" + }, + "imageReferenceNGTP-V2": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp-v2", + "version": "latest" + }, + "imageReferenceNGTX": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtx", + "version": "latest" + }, + "imageReferenceMarketplace": "[variables(concat('imageReference', variables('offer')))]", + "customImage": "customImage", + "imageReferenceCustomUri": { + "id": "[concat(variables('resourceGroup').id, '/providers/Microsoft.Compute/images/', variables('customImage'))]" + }, + "imageReference": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('imageReferenceMarketplace'), variables('imageReferenceCustomUri'))]", + "linuxConfigurationpassword": {}, + "linuxConfigurationsshPublicKey": { + 
"disablePasswordAuthentication": "false", + "ssh": { + "publicKeys": [ + { + "keyData": "[parameters('sshPublicKey')]", + "path": "/home/notused/.ssh/authorized_keys" + } + ] + } + }, + "linuxConfiguration": "[variables(concat('linuxConfiguration', parameters('authenticationType')))]", + "planBYOL": { + "name": "sg-byol", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP": { + "name": "sg-ngtp", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP-V2": { + "name": "sg-ngtp-v2", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTX": { + "name": "sg-ngtx", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "plan": "[variables(concat('plan', variables('offer')))]", + "vmssID": "[concat(variables('resourceGroup').id, '/providers/Microsoft.Compute/virtualMachineScaleSets/', parameters('vmName'))]", + "emailSelector": [ + [], + [ + "[parameters('adminEmail')]" + ] + ], + "customEmails": "[variables('emailSelector')[length(take(parameters('adminEmail'), 1))]]", + "bootstrapScript64": "[base64(parameters('bootstrapScript'))]", + "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]", + "sicKey": "[parameters('sicKey')]", + "managementGUIClientNetwork": "", + "installationType": "vmss", + "publicIPProperties": { + "name": "[concat(parameters('vmName'), '-eth0')]", + "properties": { + "idleTimeoutInMinutes": "15", + "publicIPPrefix": { + "id": "[variables('existingPublicIPprefixResID')]" + }, + "dnsSettings": { + "domainNameLabel": "[concat(toLower(parameters('vmName')), '-', uniquestring(variables('resourceGroup').id, deployment().name))]" + } + } + }, + "upgrading": "[equals(parameters('upgrading'), 'yes')]", + "networkSetupURL": "[uri(parameters('_artifactsLocation'), concat('nestedtemplates/vnet-2-subnet-ha-', parameters('vnetNewOrExisting'), 
'.json', parameters('_artifactsLocationSasToken')))]", + "loadBalacerSetupURL": "[uri(parameters('_artifactsLocation'), concat('nestedtemplates/load-balancers.json', parameters('_artifactsLocationSasToken')))]", + "networkSetupId": "[resourceId(parameters('virtualNetworkExistingRGName'), 'Microsoft.Resources/deployments', 'networkSetup')]", + "lbRGName": "[if(variables('upgrading'), parameters('lbsTargetRGName'), resourceGroup().name)]", + "loadBalancerSetupId": "[resourceId(variables('lbRGName'), 'Microsoft.Resources/deployments', 'loadBalancerSetup')]", + "storageAccountId": "[concat(variables('resourceGroup').id, '/providers/Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]", + "customImageId": "[variables('imageReferenceCustomUri').id]", + "availabilityZonesLocations": [ + "centralus", + "eastus2", + "francecentral", + "northeurope", + "southeastasia", + "westeurope", + "westus2", + "eastus", + "uksouth" + ], + "availabilityZonesProperty": "[range(1, parameters('availabilityZonesNum'))]", + "mgmtInterface": "[if(equals(parameters('instanceLevelPublicIP'), 'yes'), parameters('mgmtInterfaceOpt1'), parameters('mgmtInterfaceOpt2'))]", + "mgmtIpAddressType": "[split(variables('mgmtInterface'), '-')[1]]", + "mgmtInterfaceName": "[split(variables('mgmtInterface'), '-')[0]]", + "mgmtIPaddress": "[if(equals(variables('mgmtInterfaceName'), 'eth0'), parameters('mgmtIPaddress'), '')]", + "commomTags": { + "x-chkp-management": "[parameters('managementServer')]", + "x-chkp-template": "[parameters('configurationTemplate')]", + "x-chkp-ip-address": "[variables('mgmtIpAddressType')]", + "x-chkp-management-interface": "[variables('mgmtInterfaceName')]", + "x-chkp-topology": "eth0:external,eth1:internal", + "x-chkp-anti-spoofing": "eth0:false,eth1:false", + "x-chkp-srcImageUri": "[parameters('sourceImageVhdUri')]", + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + }, + "uniqueTags": { + "x-chkp-management-address": 
"[variables('mgmtIPaddress')]" + }, + "vmssTags": "[if(equals(variables('mgmtIPaddress'), ''), variables('commomTags'), union(variables('commomTags'), variables('uniqueTags')))]" + }, + "resources": [ + { + "apiVersion": "2018-02-01", + "name": "pid-5432b4df-d783-57a2-b65f-39f4bca4974a", + "type": "Microsoft.Resources/deployments", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "name": "networkSetup", + "type": "Microsoft.Resources/deployments", + "apiVersion": "[variables('deploymentsApiVersion')]", + "resourceGroup": "[parameters('virtualNetworkExistingRGName')]", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + "value": "[variables('location')]" + }, + "apiVersion": { + "value": "[variables('networkApiVersion')]" + }, + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + "virtualNetworkAddressPrefixes": { + "value": "[parameters('virtualNetworkAddressPrefixes')]" + }, + "subnet1Name": { + "value": "[parameters('subnet1Name')]" + }, + "subnet1Prefix": { + "value": "[parameters('subnet1Prefix')]" + }, + "subnet2Name": { + "value": "[parameters('subnet2Name')]" + }, + "subnet2Prefix": { + "value": "[parameters('subnet2Prefix')]" + }, + "virtualNetworkExistingRGName": { + "value": "[parameters('virtualNetworkExistingRGName')]" + }, + "vmName": { + "value": "[parameters('vmName')]" + }, + "deployNsg": { + "value": true + } + } + } + }, + { + "name": "loadBalancerSetup", + "type": "Microsoft.Resources/deployments", + "resourceGroup": "[variables('lbRGName')]", + "apiVersion": "[variables('deploymentsApiVersion')]", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('loadBalacerSetupURL')]", + "contentVersion": 
"1.0.0.0" + }, + "parameters": { + "deploymentMode": { + "value": "[parameters('deploymentMode')]" + }, + "networkApiVersion": { + "value": "[variables('networkApiVersion')]" + }, + "location": { + "value": "[variables('location')]" + }, + "vmName": { + "value": "[parameters('vmName')]" + }, + "appLoadDistribution": { + "value": "[parameters('appLoadDistribution')]" + }, + "subnet2StartAddress": { + "value": "[parameters('subnet2StartAddress')]" + }, + "subnet2Name": { + "value": "[parameters('subnet2Name')]" + }, + "subnet2Id": { + "value": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('subnet2Name'))]" + }, + "ilbLoadDistribution": { + "value": "[parameters('ilbLoadDistribution')]" + }, + "lbsTargetRGName": { + "value": "[parameters('lbsTargetRGName')]" + }, + "elbResourceId": { + "value": "[parameters('elbResourceId')]" + }, + "elbTargetBEAddressPoolName": { + "value": "[parameters('elbTargetBEAddressPoolName')]" + }, + "ilbResourceId": { + "value": "[parameters('ilbResourceId')]" + }, + "ilbTargetBEAddressPoolName": { + "value": "[parameters('ilbTargetBEAddressPoolName')]" + }, + "upgrading": { + "value": "[variables('upgrading')]" + } + } + } + }, + { + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('storageAccountName')]", + "apiVersion": "[variables('storageApiVersion')]", + "location": "[variables('location')]", + "sku": { + "name": "[variables('storageAccountType')]" + }, + "kind": "Storage", + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "condition": "[not(equals(parameters('sourceImageVhdUri'), 'noCustomUri'))]", + "type": "Microsoft.Compute/images", + "apiVersion": "2017-12-01", + "name": "[variables('customImage')]", + "location": "[variables('resourceGroup').location]", + "properties": { + "storageProfile": { + "osDisk": { + "osType": "Linux", + "osState": "Generalized", + "blobUri": "[parameters('sourceImageVhdUri')]", + "storageAccountType": 
"Standard_LRS" + } + } + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Compute/virtualMachineScaleSets", + "apiVersion": "[variables('computeApiVersion')]", + "name": "[parameters('vmName')]", + "location": "[variables('location')]", + "tags": "[variables('vmssTags')]", + "dependsOn": [ + "[variables('networkSetupId')]", + "[variables('loadBalancerSetupId')]", + "[variables('storageAccountId')]", + "[variables('customImageId')]" + ], + "sku": { + "name": "[parameters('vmSize')]", + "tier": "Standard", + "capacity": "[parameters('instanceCount')]" + }, + "plan": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('plan'), json('null'))]", + "properties": { + "upgradePolicy": { + "mode": "Manual" + }, + "virtualMachineProfile": { + "storageProfile": { + "osDisk": { + "caching": "ReadWrite", + "createOption": "FromImage", + "managedDisk": { + "storageAccountType": "[parameters('diskType')]" + } + }, + "imageReference": "[variables('imageReference')]" + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "notused", + "computerNamePrefix": "[toLower(parameters('vmName'))]", + "customData": "[base64(concat(variables('customData'), '\n', 'vnet=\"', reference('networkSetup').outputs.vnetAddressPrefixes.value[0], '\"', '\n' ))]", + "linuxConfiguration": "[variables('linuxConfiguration')]" + }, + "networkProfile": { + "networkInterfaceConfigurations": [ + { + "name": "eth0", + "properties": { + "primary": true, + "enableIPForwarding": false, + "enableAcceleratedNetworking": "[not(equals(variables('osVersion'), 'R8010'))]", + "networkSecurityGroup": "[reference('networkSetup').outputs.nsgProperties.value]", + "ipConfigurations": [ + { + "name": "ipconfig1", + "properties": { + "publicIpAddressConfiguration": "[if(equals(parameters('instanceLevelPublicIP'),'yes'), variables('publicIPProperties'), json('null'))]", + "subnet": { + "id": 
"[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('subnet1Name'))]" + }, + "loadBalancerBackendAddressPools": "[if(empty(reference('loadBalancerSetup').outputs.elbId.value), json('null'), reference('loadBalancerSetup').outputs.elbBEAddressPoolProperties.value)]" + } + } + ] + } + }, + { + "name": "eth1", + "properties": { + "primary": false, + "enableIPForwarding": true, + "enableAcceleratedNetworking": "[not(equals(variables('osVersion'), 'R8010'))]", + "ipConfigurations": [ + { + "name": "ipconfig2", + "properties": { + "subnet": { + "id": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('subnet2Name'))]" + }, + "loadBalancerBackendAddressPools": "[if(empty(reference('loadBalancerSetup').outputs.ilbId.value), json('null'), reference('loadBalancerSetup').outputs.ilbBEAddressPoolProperties.value)]" + } + } + ] + } + } + ] + }, + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": "true", + "storageUri": "[reference(variables('storageAccountId'), variables('storageApiVersion')).primaryEndpoints.blob]" + } + } + }, + "overprovision": false + } + }, + { + "type": "Microsoft.Insights/autoscaleSettings", + "apiVersion": "[variables('insightsApiVersion')]", + "name": "[parameters('vmName')]", + "location": "[variables('location')]", + "dependsOn": [ + "[variables('vmssID')]" + ], + "properties": { + "name": "[parameters('vmName')]", + "targetResourceUri": "[variables('vmssID')]", + "notifications": [ + { + "operation": "Scale", + "email": { + "sendToSubscriptionAdministrator": false, + "sendToSubscriptionCoAdministrators": false, + "customEmails": "[variables('customEmails')]" + } + } + ], + "enabled": true, + "profiles": [ + { + "name": "Profile1", + "capacity": { + "minimum": "[parameters('instanceCount')]", + "maximum": "[parameters('maxInstanceCount')]", + "default": "[parameters('instanceCount')]" + }, + "rules": [ + { + "metricTrigger": { + "metricName": "Percentage CPU", + "metricNamespace": 
"", + "metricResourceUri": "[variables('vmssID')]", + "timeGrain": "PT1M", + "statistic": "Average", + "timeWindow": "PT5M", + "timeAggregation": "Average", + "operator": "GreaterThan", + "threshold": 80 + }, + "scaleAction": { + "direction": "Increase", + "type": "ChangeCount", + "value": "1", + "cooldown": "PT5M" + } + }, + { + "metricTrigger": { + "metricName": "Percentage CPU", + "metricNamespace": "", + "metricResourceUri": "[variables('vmssID')]", + "timeGrain": "PT1M", + "statistic": "Average", + "timeWindow": "PT5M", + "timeAggregation": "Average", + "operator": "LessThan", + "threshold": 60 + }, + "scaleAction": { + "direction": "Decrease", + "type": "ChangeCount", + "value": "1", + "cooldown": "PT5M" + } + } + ] + } + ] + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + } + ], + "outputs": { + "ApplicationAddress": { + "type": "string", + "value": "[reference('loadBalancerSetup').outputs.ApplicationAddress.value]" + }, + "ApplicationFQDN": { + "type": "string", + "value": "[reference('loadBalancerSetup').outputs.ApplicationFQDN.value]" + } + } +} \ No newline at end of file diff --git a/contrib/azure/templates/vmss-publicipprefixinstanceselb/README.MD b/contrib/azure/templates/vmss-publicipprefixinstanceselb/README.MD new file mode 100644 index 00000000..a1839a60 --- /dev/null +++ b/contrib/azure/templates/vmss-publicipprefixinstanceselb/README.MD 
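Review bot: The `networkSetup` and `loadBalancerSetup` deployments pull their nested templates at deploy time through `templateLink` from the hard-coded default of `_artifactsLocation` (what looks like a Marketplace artifact CDN path for `autoscale-v2`) with only `contentVersion` `1.0.0.0` to match against, so the effective network and load-balancer definitions are whatever that endpoint serves when the deployment runs, and the `templateVersion` variable (`20200113`) does not agree with the `20191003` base the README claims. The sibling README in this patch tells users to verify and change `_artifactsLocation` before deploying; this template's README and the parameter description should say the same, e.g. extend the description with `Pin this to a reviewed copy of the nested templates (for example a tagged repository path) before deployment`. Separately, `sicKey` is declared as `securestring` but is interpolated in clear into the `customData` variable and delivered base64-encoded to every instance at boot; that appears inherited from the Marketplace design, but the parameter description should state it so operators treat it as a one-time key that is consumed at first boot. The boot-diagnostics storage account is also created without `"properties": { "supportsHttpsTrafficOnly": true }`, which the `2017-10-01` storage API supports. Finally, `linuxConfigurationsshPublicKey` keeps `disablePasswordAuthentication` at `"false"`, so choosing `sshPublicKey` adds a key without removing password login; if that is intentional for the appliance it deserves a note in the `authenticationType` description.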
@@ -0,0 +1,51 @@
+# ARM CloudGuard IaaS Scale Set with instances' public IPs and external load balancer public IP allocated from an existing public IP prefix
+
+This directory contains the CloudGuard IaaS VMSS template derived from the `vmss-v2` Check Point CloudGuard IaaS Scale Set Marketplace template version `20191003`.
+
+This template adds the ability to allocate IP addresses for instances and for external load balancer from an existing public IP prefix - the public IP prefix for instances and for external load balancer could be the same or different, defined in the resource group allocated for VMSS or in a different resource group.
+
+The VM scale set deployment was tested in the same existing resource group which includes the public IP prefix and public IP address for external load balancer.
+
+## Changes from Marketplace template
+* new parameters:
+ * `mainTemplate.json`:
+ - `existingPublicIPprefixGroupName`
+ - `existingPublicIPprefixName`
+ - `elbUsePublicIP`
+ - `elbPublicIPAddressGroupName`
+ - `elbPublicIPAddressName`
+ * `load-balancers.json` nested template:
+ - `elbUsePublicIP`
+ - `elbPublicIPAddressId`
+* new variables:
+ * `mainTemplate.json`:
+ - `existingPublicIPaddressResID` : constructs the public IP prefix ID from the parameters declared above, ID to be referenced in `publicIPProperties` existing variable
+ * `load-balancers.json`:
+ - `newAppAddressId`: automatically constructs external load balancer public IP if existing public IP is not used - previous declaration of `appAddressId` variable
+ - `existingAppAddressId`: existing public IP address Id, referenced from resource group and public IP address names passed as parameters
+* changed declarations:
+ - `mainTemplate.json`: `publicIPProperties`
+ - `load-balancers.json`: `appAddressId`: conditionally resolves the external load balancer public IP id based on utilization of existing public IP address
+ - hardcoded main template URL in existing parameter `_artifactsLocation` referenced by `networkSetupURL` and `loadBalacerSetupURL` to locate the nested templates
+ *Please verify and change accordingly to the raw github URI the `_artifactsLocation` value before deployment !*
+ - removed `dependsOn: [variables('appAddressId')]` in `load-balancers.json` to allow reference to resorce not declared in template
+
+## How to deploy the template:
+
+Construct a parameters.json file and run your deployment tool of choice, e. g.
+
+```
+az group deployment create -g CPSM-OMV --template-uri https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/contrib/azure/templates/vmss-publicipprefixinstanceselb/mainTemplate.json --parameters @parameters.json --debug
+```
+
+### *Extra*: to load the administrator password from an existing keyvault (provided that you declared appropriate permissions), include in the parameters.json file in the parameters section:
+```
+"adminPassword": {
+ "reference": {
+ "keyVault": {
+ "id": "/subscriptions/your-subscription-id-here/resourceGroups/your-resource-group-here/providers/Microsoft.KeyVault/vaults/your-keyvault-name-here",
+ "secretName": "your-secret-name"
+ }
+},
+```
+Additional logic have to be implemented to select admin password source.
\ No newline at end of file
diff --git a/contrib/azure/templates/vmss-publicipprefixinstanceselb/mainTemplate.json b/contrib/azure/templates/vmss-publicipprefixinstanceselb/mainTemplate.json
new file mode 100644
index 00000000..47f1c2f0
--- /dev/null
+++ b/contrib/azure/templates/vmss-publicipprefixinstanceselb/mainTemplate.json
@@ -0,0 +1,922 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string", + "metadata": { + "description": "Deployment location" + }, + "defaultValue": "[resourceGroup().location]" + }, + "cloudGuardVersion": { + "type": "string", + "allowedValues": [ + "R80.10 - Bring Your Own License", + "R80.10 - Pay As You Go (NGTP)", + "R80.10 - Pay As You Go (NGTX)", + "R80.20 - Bring Your Own License", + "R80.20 - Pay As You Go (NGTP)", + "R80.20 - Pay As You Go (NGTX)", + "R80.30 - Bring Your Own License", + "R80.30 - Pay As You Go (NGTP)", + "R80.30 - Pay As You Go (NGTX)" + ], + "defaultValue": "R80.30 - Bring Your Own License", + "metadata": { + "description": "Version of Check Point CloudGuard" + } + }, + "existingPublicIPprefixGroupName": { + "type": "string", + "metadata": { + "description": "The name of the group where an existing Public IP Prefix for instance-level public IPs is declared" + } + }, + "existingPublicIPprefixName": { + "type": "string", + "metadata": { + "description": "The name of existing Public IP Prefix for instance-level public IPs" + } + }, + "elbUsePublicIP": { + "type": "string", + "allowedValues": [ + "no", + "yes" + ], + "defaultValue": "yes", + "metadata": { + "description": "Assign an existing public IP address to the external load balancer" + } + }, + "elbPublicIPAddressGroupName": { + "type": "string", + "metadata": { + "description": "The name of the group where an existing Public IP address to be assigned to external load balancer is declared" + } + }, + "elbPublicIPAddressName": { + "type": "string", + "metadata": { + "description": "The name (not resource ID) of existing Public IP address to be assign to external load balancer" + } + }, + "instanceCount": { + "defaultValue": "1", + "type": "string", + "metadata": { + "description": "Number of VM instances" + } + }, + "maxInstanceCount": { + "defaultValue": "2", 
+ "type": "string", + "metadata": { + "description": "Maximum number of VM instances" + } + }, + "managementServer": { + "type": "string", + "metadata": { + "description": "The name of the management server as it appears in the configuration file" + } + }, + "configurationTemplate": { + "type": "string", + "metadata": { + "description": "The name of a template as it appears in the configuration file of CloudGuard controller" + } + }, + "adminEmail": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Email address to notify if there are any scaling operations" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Administrator password" + }, + "defaultValue": "" + }, + "authenticationType": { + "type": "string", + "allowedValues": [ + "password", + "sshPublicKey" + ], + "defaultValue": "password", + "metadata": { + "description": "Authentication type" + } + }, + "sshPublicKey": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Administrator SSH public key as generated by ssh-keygen" + } + }, + "vmName": { + "type": "string", + "defaultValue": "[concat(resourceGroup().name, '-vmss')]", + "metadata": { + "description": "Name of the Check Point Security Gateway scale set" + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_D2_v2", + "metadata": { + "description": "Size of the VM" + } + }, + "sicKey": { + "type": "securestring", + "metadata": { + "description": "One time key for Secure Internal Communication" + } + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "[concat(resourceGroup().name, '-vnet')]" + }, + "upgrading": { + "type": "string", + "defaultValue": "no", + "allowedValues": [ + "no", + "yes" + ], + "metadata": { + "Description": "Indicates whether the user is upgrading the CloudGuard VMSS solution" + } + }, + "lbsTargetRGName": { + "type": "string", + 
"metadata": { + "description": "The name of the Target Load Balancers Resource Group." + }, + "defaultValue": "" + }, + "elbResourceId": { + "type": "string", + "metadata": { + "description": "The Resource ID of the Target External Load Balancer." + }, + "defaultValue": "" + }, + "elbTargetBEAddressPoolName": { + "type": "string", + "metadata": { + "description": "The name of the new Target External Load Balancer's Backend Pool." + }, + "defaultValue": "" + }, + "ilbResourceId": { + "type": "string", + "metadata": { + "description": "The Resource ID of the Target Internal Load Balancer." + }, + "defaultValue": "" + }, + "ilbTargetBEAddressPoolName": { + "type": "string", + "metadata": { + "description": "The name of the new Target Internal Load Balancer's Backend Pool." + }, + "defaultValue": "" + }, + "virtualNetworkAddressPrefixes": { + "type": "array", + "metadata": { + "description": "The address prefixes of the virtual network" + }, + "defaultValue": [ + "10.0.0.0/16" + ] + }, + "subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the frontend subnet" + }, + "defaultValue": "Frontend" + }, + "subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the frontend subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "subnet2Name": { + "type": "string", + "metadata": { + "description": "The name of the backend subnet" + }, + "defaultValue": "Backend" + }, + "subnet2Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the backend subnet" + }, + "defaultValue": "10.0.2.0/24" + }, + "subnet2StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the 2nd subnet" + }, + "defaultValue": "10.0.2.4" + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "existing", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + 
"virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "[resourceGroup().name]" + }, + "bootstrapScript": { + "type": "string", + "metadata": { + "description": "Bootstrap script" + }, + "defaultValue": "" + }, + "allowDownloadFromUploadToCheckPoint": { + "type": "string", + "allowedValues": [ + "true", + "false" + ], + "defaultValue": "true", + "metadata": { + "description": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + } + }, + "instanceLevelPublicIP": { + "type": "string", + "allowedValues": [ + "no", + "yes" + ], + "defaultValue": "yes", + "metadata": { + "description": "Deploy the VMSS with instance level Public IP address" + } + }, + "mgmtInterfaceOpt1": { + "type": "string", + "allowedValues": [ + "eth0-public", + "eth0-private", + "eth1-private" + ], + "defaultValue": "eth0-public", + "metadata": { + "description": "Manage the Gateways in the Scale Set via the instance's external (eth0) or internal (eth1) NIC's private IP address." + } + }, + "mgmtInterfaceOpt2": { + "type": "string", + "allowedValues": [ + "eth0-private", + "eth1-private" + ], + "defaultValue": "eth1-private", + "metadata": { + "description": "Manage the Gateways in the Scale Set via the instance's external (eth0) or internal (eth1) NIC's private IP address." + } + }, + "mgmtIPaddress": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "The IP address used to manage the VMSS instances." + } + }, + "diskType": { + "type": "string", + "defaultValue": "Standard_LRS", + "metadata": { + "description": "The type of the OS disk. 
Premium is applicable only to DS machine sizes" + }, + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ] + }, + "appLoadDistribution": { + "type": "string", + "allowedValues": [ + "Default", + "SourceIP", + "SourceIPProtocol" + ], + "defaultValue": "Default", + "metadata": { + "description": "The External Load Balancer distribution method" + } + }, + "ilbLoadDistribution": { + "type": "string", + "allowedValues": [ + "Default", + "SourceIP", + "SourceIPProtocol" + ], + "defaultValue": "Default", + "metadata": { + "description": "The Internal Load Balancer distribution method" + } + }, + "deploymentMode": { + "type": "string", + "allowedValues": [ + "Standard", + "ILBOnly", + "ELBOnly" + ], + "defaultValue": "Standard", + "metadata": { + "description": "Solution deployment architecture." + } + }, + "sourceImageVhdUri": { + "type": "string", + "defaultValue": "noCustomUri", + "metadata": { + "description": "The URI of the blob containing the development image" + } + }, + "availabilityZonesNum": { + "type": "int", + "allowedValues": [ + 0, + 1, + 2, + 3 + ], + "defaultValue": 0, + "metadata": { + "description": "The number of avalability zones" + } + }, + "_artifactsLocation": { + "type": "string", + "metadata": { + "description": "The base URI where artifacts required by this template are located including a trailing '/'" + }, + "defaultValue": "https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/contrib/azure/templates/vmss-publicipprefixinstanceselb/mainTemplate.json" + }, + "_artifactsLocationSasToken": { + "type": "securestring", + "metadata": { + "description": "The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. Use the defaultValue if the staging location is not secured." 
+ }, + "defaultValue": "" + }, + "Check_PointTags": { + "type": "object", + "defaultValue": { + "provider": "30DE18BC-F9F6-4F22-9D30-54B8E74CFD5F" + } + } + }, + "variables": { + "resourceGroup": "[resourceGroup()]", + "templateName": "vmss-v2", + "templateVersion": "20200114", + "location": "[parameters('location')]", + "offers": { + "R80.10 - Bring Your Own License": "BYOL", + "R80.10 - Pay As You Go (NGTP)": "NGTP-V2", + "R80.10 - Pay As You Go (NGTX)": "NGTX", + "R80.20 - Bring Your Own License": "BYOL", + "R80.20 - Pay As You Go (NGTP)": "NGTP", + "R80.20 - Pay As You Go (NGTX)": "NGTX", + "R80.30 - Bring Your Own License": "BYOL", + "R80.30 - Pay As You Go (NGTP)": "NGTP", + "R80.30 - Pay As You Go (NGTX)": "NGTX" + }, + "offer": "[variables('offers')[parameters('cloudGuardVersion')]]", + "osVersions": { + "R80.10 - Bring Your Own License": "R8010", + "R80.10 - Pay As You Go (NGTP)": "R8010", + "R80.10 - Pay As You Go (NGTX)": "R8010", + "R80.20 - Bring Your Own License": "R8020", + "R80.20 - Pay As You Go (NGTP)": "R8020", + "R80.20 - Pay As You Go (NGTX)": "R8020", + "R80.30 - Bring Your Own License": "R8030", + "R80.30 - Pay As You Go (NGTP)": "R8030", + "R80.30 - Pay As You Go (NGTX)": "R8030" + }, + "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", + "isBlink": true, + "computeApiVersion": "2017-12-01", + "storageApiVersion": "2017-10-01", + "networkApiVersion": "2018-01-01", + "deploymentsApiVersion": "2017-08-01", + "insightsApiVersion": "2015-04-01", + "storageAccountName": "[concat('bootdiag', uniqueString(variables('resourceGroup').id, deployment().name))]", + "storageAccountType": "Standard_LRS", + "existingPublicIPprefixResID": "[resourceId(parameters('existingPublicIPprefixGroupName'), 'Microsoft.Network/publicIPPrefixes', parameters('existingPublicIPprefixName'))]", + "existingPublicIPaddressResID": "[resourceId(parameters('elbPublicIPAddressGroupName'), 'Microsoft.Network/publicIPAddresses', 
parameters('elbPublicIPAddressName'))]", + "customData": "[concat('#!/usr/bin/python /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'managementGUIClientNetwork=\"', variables('managementGUIClientNetwork'), '\"', '\n')]", + "imageOfferR8010": "check-point-vsec-r80-blink-v2", + "imageOfferR8020": "check-point-cg-r8020-blink-v2", + "imageOfferR8030": "check-point-cg-r8030", + "imageOffer": "[concat(variables(concat('imageOffer', variables('osVersion'))))]", + "imagePublisher": "checkpoint", + "imageReferenceBYOL": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-byol", + "version": "latest" + }, + "imageReferenceNGTP": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp", + "version": "latest" + }, + "imageReferenceNGTP-V2": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp-v2", + "version": "latest" + }, + "imageReferenceNGTX": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtx", + "version": "latest" + }, + "imageReferenceMarketplace": "[variables(concat('imageReference', variables('offer')))]", + "customImage": "customImage", + "imageReferenceCustomUri": { + "id": "[concat(variables('resourceGroup').id, '/providers/Microsoft.Compute/images/', variables('customImage'))]" + }, + "imageReference": 
"[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('imageReferenceMarketplace'), variables('imageReferenceCustomUri'))]", + "linuxConfigurationpassword": {}, + "linuxConfigurationsshPublicKey": { + "disablePasswordAuthentication": "false", + "ssh": { + "publicKeys": [ + { + "keyData": "[parameters('sshPublicKey')]", + "path": "/home/notused/.ssh/authorized_keys" + } + ] + } + }, + "linuxConfiguration": "[variables(concat('linuxConfiguration', parameters('authenticationType')))]", + "planBYOL": { + "name": "sg-byol", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP": { + "name": "sg-ngtp", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP-V2": { + "name": "sg-ngtp-v2", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTX": { + "name": "sg-ngtx", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "plan": "[variables(concat('plan', variables('offer')))]", + "vmssID": "[concat(variables('resourceGroup').id, '/providers/Microsoft.Compute/virtualMachineScaleSets/', parameters('vmName'))]", + "emailSelector": [ + [], + [ + "[parameters('adminEmail')]" + ] + ], + "customEmails": "[variables('emailSelector')[length(take(parameters('adminEmail'), 1))]]", + "bootstrapScript64": "[base64(parameters('bootstrapScript'))]", + "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]", + "sicKey": "[parameters('sicKey')]", + "managementGUIClientNetwork": "", + "installationType": "vmss", + "publicIPProperties": { + "name": "[concat(parameters('vmName'), '-eth0')]", + "properties": { + "idleTimeoutInMinutes": "15", + "publicIPPrefix": { + "id": "[variables('existingPublicIPprefixResID')]" + }, + "dnsSettings": { + "domainNameLabel": "[concat(toLower(parameters('vmName')), '-', uniquestring(variables('resourceGroup').id, 
deployment().name))]" + } + } + }, + "upgrading": "[equals(parameters('upgrading'), 'yes')]", + "elbUsePublic": "[equals(parameters('elbUsePublicIP'), 'yes')]", + "networkSetupURL": "[uri(parameters('_artifactsLocation'), concat('nestedtemplates/vnet-2-subnet-ha-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]", + "loadBalacerSetupURL": "[uri(parameters('_artifactsLocation'), concat('nestedtemplates/load-balancers.json', parameters('_artifactsLocationSasToken')))]", + "networkSetupId": "[resourceId(parameters('virtualNetworkExistingRGName'), 'Microsoft.Resources/deployments', 'networkSetup')]", + "lbRGName": "[if(variables('upgrading'), parameters('lbsTargetRGName'), resourceGroup().name)]", + "loadBalancerSetupId": "[resourceId(variables('lbRGName'), 'Microsoft.Resources/deployments', 'loadBalancerSetup')]", + "storageAccountId": "[concat(variables('resourceGroup').id, '/providers/Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]", + "customImageId": "[variables('imageReferenceCustomUri').id]", + "availabilityZonesLocations": [ + "centralus", + "eastus2", + "francecentral", + "northeurope", + "southeastasia", + "westeurope", + "westus2", + "eastus", + "uksouth" + ], + "availabilityZonesProperty": "[range(1, parameters('availabilityZonesNum'))]", + "mgmtInterface": "[if(equals(parameters('instanceLevelPublicIP'), 'yes'), parameters('mgmtInterfaceOpt1'), parameters('mgmtInterfaceOpt2'))]", + "mgmtIpAddressType": "[split(variables('mgmtInterface'), '-')[1]]", + "mgmtInterfaceName": "[split(variables('mgmtInterface'), '-')[0]]", + "mgmtIPaddress": "[if(equals(variables('mgmtInterfaceName'), 'eth0'), parameters('mgmtIPaddress'), '')]", + "commomTags": { + "x-chkp-management": "[parameters('managementServer')]", + "x-chkp-template": "[parameters('configurationTemplate')]", + "x-chkp-ip-address": "[variables('mgmtIpAddressType')]", + "x-chkp-management-interface": "[variables('mgmtInterfaceName')]", + 
"x-chkp-topology": "eth0:external,eth1:internal", + "x-chkp-anti-spoofing": "eth0:false,eth1:false", + "x-chkp-srcImageUri": "[parameters('sourceImageVhdUri')]", + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + }, + "uniqueTags": { + "x-chkp-management-address": "[variables('mgmtIPaddress')]" + }, + "vmssTags": "[if(equals(variables('mgmtIPaddress'), ''), variables('commomTags'), union(variables('commomTags'), variables('uniqueTags')))]" + }, + "resources": [ + { + "apiVersion": "2018-02-01", + "name": "pid-5432b4df-d783-57a2-b65f-39f4bca4974a", + "type": "Microsoft.Resources/deployments", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "name": "networkSetup", + "type": "Microsoft.Resources/deployments", + "apiVersion": "[variables('deploymentsApiVersion')]", + "resourceGroup": "[parameters('virtualNetworkExistingRGName')]", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + "value": "[variables('location')]" + }, + "apiVersion": { + "value": "[variables('networkApiVersion')]" + }, + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + "virtualNetworkAddressPrefixes": { + "value": "[parameters('virtualNetworkAddressPrefixes')]" + }, + "subnet1Name": { + "value": "[parameters('subnet1Name')]" + }, + "subnet1Prefix": { + "value": "[parameters('subnet1Prefix')]" + }, + "subnet2Name": { + "value": "[parameters('subnet2Name')]" + }, + "subnet2Prefix": { + "value": "[parameters('subnet2Prefix')]" + }, + "virtualNetworkExistingRGName": { + "value": "[parameters('virtualNetworkExistingRGName')]" + }, + "vmName": { + "value": "[parameters('vmName')]" + }, + "deployNsg": { + "value": true + } + } + } + }, + { + "name": 
"loadBalancerSetup", + "type": "Microsoft.Resources/deployments", + "resourceGroup": "[variables('lbRGName')]", + "apiVersion": "[variables('deploymentsApiVersion')]", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('loadBalacerSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "deploymentMode": { + "value": "[parameters('deploymentMode')]" + }, + "networkApiVersion": { + "value": "[variables('networkApiVersion')]" + }, + "location": { + "value": "[variables('location')]" + }, + "vmName": { + "value": "[parameters('vmName')]" + }, + "appLoadDistribution": { + "value": "[parameters('appLoadDistribution')]" + }, + "subnet2StartAddress": { + "value": "[parameters('subnet2StartAddress')]" + }, + "subnet2Name": { + "value": "[parameters('subnet2Name')]" + }, + "subnet2Id": { + "value": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('subnet2Name'))]" + }, + "ilbLoadDistribution": { + "value": "[parameters('ilbLoadDistribution')]" + }, + "lbsTargetRGName": { + "value": "[parameters('lbsTargetRGName')]" + }, + "elbResourceId": { + "value": "[parameters('elbResourceId')]" + }, + "elbTargetBEAddressPoolName": { + "value": "[parameters('elbTargetBEAddressPoolName')]" + }, + "ilbResourceId": { + "value": "[parameters('ilbResourceId')]" + }, + "ilbTargetBEAddressPoolName": { + "value": "[parameters('ilbTargetBEAddressPoolName')]" + }, + "upgrading": { + "value": "[variables('upgrading')]" + }, + "elbUsePublicIP": { + "value": "[variables('elbUsePublic')]" + }, + "elbPublicIPAddressId": { + "value": "[variables('existingPublicIPaddressResID')]" + } + } + } + }, + { + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('storageAccountName')]", + "apiVersion": "[variables('storageApiVersion')]", + "location": "[variables('location')]", + "sku": { + "name": "[variables('storageAccountType')]" + }, + "kind": "Storage", + "tags": { + "provider": 
"[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "condition": "[not(equals(parameters('sourceImageVhdUri'), 'noCustomUri'))]", + "type": "Microsoft.Compute/images", + "apiVersion": "2017-12-01", + "name": "[variables('customImage')]", + "location": "[variables('resourceGroup').location]", + "properties": { + "storageProfile": { + "osDisk": { + "osType": "Linux", + "osState": "Generalized", + "blobUri": "[parameters('sourceImageVhdUri')]", + "storageAccountType": "Standard_LRS" + } + } + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Compute/virtualMachineScaleSets", + "apiVersion": "[variables('computeApiVersion')]", + "name": "[parameters('vmName')]", + "location": "[variables('location')]", + "tags": "[variables('vmssTags')]", + "dependsOn": [ + "[variables('networkSetupId')]", + "[variables('loadBalancerSetupId')]", + "[variables('storageAccountId')]", + "[variables('customImageId')]" + ], + "sku": { + "name": "[parameters('vmSize')]", + "tier": "Standard", + "capacity": "[parameters('instanceCount')]" + }, + "plan": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('plan'), json('null'))]", + "properties": { + "upgradePolicy": { + "mode": "Manual" + }, + "virtualMachineProfile": { + "storageProfile": { + "osDisk": { + "caching": "ReadWrite", + "createOption": "FromImage", + "managedDisk": { + "storageAccountType": "[parameters('diskType')]" + } + }, + "imageReference": "[variables('imageReference')]" + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "notused", + "computerNamePrefix": "[toLower(parameters('vmName'))]", + "customData": "[base64(concat(variables('customData'), '\n', 'vnet=\"', reference('networkSetup').outputs.vnetAddressPrefixes.value[0], '\"', '\n' ))]", + "linuxConfiguration": "[variables('linuxConfiguration')]" + }, + "networkProfile": { + "networkInterfaceConfigurations": [ + { + "name": "eth0", 
+ "properties": { + "primary": true, + "enableIPForwarding": false, + "enableAcceleratedNetworking": "[not(equals(variables('osVersion'), 'R8010'))]", + "networkSecurityGroup": "[reference('networkSetup').outputs.nsgProperties.value]", + "ipConfigurations": [ + { + "name": "ipconfig1", + "properties": { + "publicIpAddressConfiguration": "[if(equals(parameters('instanceLevelPublicIP'),'yes'), variables('publicIPProperties'), json('null'))]", + "subnet": { + "id": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('subnet1Name'))]" + }, + "loadBalancerBackendAddressPools": "[if(empty(reference('loadBalancerSetup').outputs.elbId.value), json('null'), reference('loadBalancerSetup').outputs.elbBEAddressPoolProperties.value)]" + } + } + ] + } + }, + { + "name": "eth1", + "properties": { + "primary": false, + "enableIPForwarding": true, + "enableAcceleratedNetworking": "[not(equals(variables('osVersion'), 'R8010'))]", + "ipConfigurations": [ + { + "name": "ipconfig2", + "properties": { + "subnet": { + "id": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('subnet2Name'))]" + }, + "loadBalancerBackendAddressPools": "[if(empty(reference('loadBalancerSetup').outputs.ilbId.value), json('null'), reference('loadBalancerSetup').outputs.ilbBEAddressPoolProperties.value)]" + } + } + ] + } + } + ] + }, + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": "true", + "storageUri": "[reference(variables('storageAccountId'), variables('storageApiVersion')).primaryEndpoints.blob]" + } + } + }, + "overprovision": false + } + }, + { + "type": "Microsoft.Insights/autoscaleSettings", + "apiVersion": "[variables('insightsApiVersion')]", + "name": "[parameters('vmName')]", + "location": "[variables('location')]", + "dependsOn": [ + "[variables('vmssID')]" + ], + "properties": { + "name": "[parameters('vmName')]", + "targetResourceUri": "[variables('vmssID')]", + "notifications": [ + { + "operation": "Scale", + "email": { + 
"sendToSubscriptionAdministrator": false, + "sendToSubscriptionCoAdministrators": false, + "customEmails": "[variables('customEmails')]" + } + } + ], + "enabled": true, + "profiles": [ + { + "name": "Profile1", + "capacity": { + "minimum": "[parameters('instanceCount')]", + "maximum": "[parameters('maxInstanceCount')]", + "default": "[parameters('instanceCount')]" + }, + "rules": [ + { + "metricTrigger": { + "metricName": "Percentage CPU", + "metricNamespace": "", + "metricResourceUri": "[variables('vmssID')]", + "timeGrain": "PT1M", + "statistic": "Average", + "timeWindow": "PT5M", + "timeAggregation": "Average", + "operator": "GreaterThan", + "threshold": 80 + }, + "scaleAction": { + "direction": "Increase", + "type": "ChangeCount", + "value": "1", + "cooldown": "PT5M" + } + }, + { + "metricTrigger": { + "metricName": "Percentage CPU", + "metricNamespace": "", + "metricResourceUri": "[variables('vmssID')]", + "timeGrain": "PT1M", + "statistic": "Average", + "timeWindow": "PT5M", + "timeAggregation": "Average", + "operator": "LessThan", + "threshold": 60 + }, + "scaleAction": { + "direction": "Decrease", + "type": "ChangeCount", + "value": "1", + "cooldown": "PT5M" + } + } + ] + } + ] + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + } + ], + "outputs": { + "ApplicationAddress": { + "type": "string", + "value": "[reference('loadBalancerSetup').outputs.ApplicationAddress.value]" + }, + "ApplicationFQDN": { + "type": "string", + "value": "[reference('loadBalancerSetup').outputs.ApplicationFQDN.value]" + } + } +} \ No newline at end of file diff --git a/contrib/azure/templates/vmss-publicipprefixinstanceselb/nestedtemplates/load-balancers.json b/contrib/azure/templates/vmss-publicipprefixinstanceselb/nestedtemplates/load-balancers.json new file mode 100644 index 00000000..cebba5fc --- /dev/null +++ b/contrib/azure/templates/vmss-publicipprefixinstanceselb/nestedtemplates/load-balancers.json 
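Review bot: The `_artifactsLocation` default, which `networkSetupURL` and `loadBalacerSetupURL` resolve the nested templates against at deploy time, points at the `master` branch of a public raw-GitHub URL, so what actually gets deployed depends on whatever that branch holds at the moment the deployment runs; pinning the default to a tag or commit, or hosting the nested templates in a storage account the tenant controls and passing `_artifactsLocationSasToken`, makes deployments reproducible and keeps the template source under the deployer's control. The default also names `mainTemplate.json` itself instead of the base URI with trailing `/` that its own description promises — `uri()` relative resolution presumably drops the last path segment, which is why it still works — and should read something like `"defaultValue": "https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/<commit-or-tag>/contrib/azure/templates/vmss-publicipprefixinstanceselb/"`. Separately, `elbPublicIPAddressGroupName`, `elbPublicIPAddressName` and the two `existingPublicIPprefix*` parameters have no `defaultValue`, so a deployment with `elbUsePublicIP: "no"` or `instanceLevelPublicIP: "no"` still demands values that are never used; giving them `"defaultValue": ""` and wrapping the `existingPublicIPaddressResID` / `existingPublicIPprefixResID` `resourceId()` calls in `if()` on the corresponding switch would match the optional intent.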
@@ -0,0 +1,283 @@
+{
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "deploymentMode": {
+ "type": "string"
+ },
+ "networkApiVersion": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "vmName": {
+ "type": "string"
+ },
+ "appLoadDistribution": {
+ "type": "string"
+ },
+ "Subnet2StartAddress": {
+ "type": "string"
+ },
+ "subnet2Name": {
+ "type": "string"
+ },
+ "subnet2Id": {
+ "type": "string"
+ },
+ "ilbLoadDistribution": {
+ "type": "string"
+ },
+ "upgrading": {
+ "type": "bool"
+ },
+ "lbsTargetRGName": {
+ "type": "string"
+ },
+ "elbResourceId": {
+ "type": "string"
+ },
+ "elbTargetBEAddressPoolName": {
+ "type": "string"
+ },
+ "ilbResourceId": {
+ "type": "string"
+ },
+ "ilbTargetBEAddressPoolName": {
+ "type": "string"
+ },
+ "elbUsePublicIP": {
+ "type": "bool"
+ },
+ "elbPublicIPAddressId": {
+ "type": "string"
+ },
+ "Check_PointTags": {
+ "type": "object",
+ "defaultValue": {
+ "provider": "30DE18BC-F9F6-4F22-9D30-54B8E74CFD5F"
+ }
+ }
+ },
+ "variables": {
+ "resourceGroup": "[resourceGroup()]",
+ "deployELB": "[or(equals(parameters('deploymentMode'),'Standard'), equals(parameters('deploymentMode'),'ELBOnly'))]",
+ "deployILB": "[or(equals(parameters('deploymentMode'),'Standard'), equals(parameters('deploymentMode'),'ILBOnly'))]",
+ "appName": "[concat(parameters('vmName'), '-app-1')]",
+ "appAddressName": "[variables('appName')]",
+ "newAppAddressId": "[concat(variables('resourceGroup').id, '/providers/Microsoft.Network/publicIPAddresses/', variables('appAddressName'))]",
+ "appAddressId": "[if(parameters('elbUsePublicIP'), parameters('elbPublicIPAddressId'), variables('newAppAddressId'))]",
+ "appFEName": "[variables('appName')]",
+ "elbName": "frontend-lb",
+ "elbID": "[if(parameters('upgrading'), parameters('elBResourceId'), resourceId('Microsoft.Network/loadBalancers', variables('elbName')))]",
+ "elbBEAddressPool": "[concat(variables('elbName'), '-pool')]",
+ "elbBEAddressPoolName": "[if(parameters('upgrading'), parameters('elbTargetBEAddressPoolName'), variables('elbBEAddressPool'))]",
+ "elbBEAddressPoolID": "[concat(variables('elbID'), '/backendAddressPools/', variables('elbBEAddressPoolName'))]",
+ "appFEIPConfigID": "[concat(variables('elbID'), '/frontendIPConfigurations/', variables('appFEName'))]",
+ "appProbeName": "[variables('appName')]",
+ "appProbeID": "[concat(variables('elbID'),'/probes/',variables('appProbeName'))]",
+ "appFrontEndProtocol": "tcp",
+ "appFrontEndPort": 80,
+ "appBackEndPort": 8081,
+ "appHealthProtocol": "tcp",
+ "ilbHealthProtocol": "tcp",
+ "lbHealthPort": 8117,
+ "ilbName": "['backend-lb']",
+ "ilbID": "[if(parameters('upgrading'), parameters('ilbResourceId'), resourceId('Microsoft.Network/loadBalancers', variables('ilbName')))]",
+ "ilbBEAddressPool": "[concat(variables('ilbName'), '-pool')]",
+ "ilbFEIPConfigID": "[concat(variables('ilbID'), '/frontendIPConfigurations/', variables('ilbName'))]",
+ "internalLBPrivateIPAddress": "[parameters('Subnet2StartAddress')]",
+ "ilbBEAddressPoolName": "[if(parameters('upgrading'), parameters('ilbTargetBEAddressPoolName'), variables('ilbBEAddressPool'))]",
+ "ilbBEAddressPoolID": "[concat(variables('ilbID'), '/backendAddressPools/', variables('ilbBEAddressPoolName'))]",
+ "ilbProbeName": "[variables('ilbName')]",
+ "ilbProbeID": "[concat(variables('ilbID'), '/probes/', variables('ilbProbeName'))]",
+ "ilbBEAddressPoolProperties": [
+ {
+ "id": "[variables('ilbBEAddressPoolID')]"
+ }
+ ],
+ "elbBEAddressPoolProperties": [
+ {
+ "id": "[variables('elbBEAddressPoolID')]"
+ }
+ ]
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Network/publicIPAddresses",
+ "condition": "[and(variables('deployELB'), not(parameters('upgrading')), not(parameters('elbUsePublicIP')))]",
+ "apiVersion": "[parameters('networkApiVersion')]",
+ "location": "[parameters('location')]",
+ "name": "[variables('appAddressName')]",
+ "sku": {
+ "name": "Standard"
+ },
+ "properties": {
+ "publicIPAllocationMethod": "Static",
+ "dnsSettings": {
+ "domainNameLabel": "[concat(toLower(parameters('vmName')), '-', uniquestring(variables('resourceGroup').id, deployment().name))]"
+ }
+ },
+ "tags": {
+ "provider": "[toUpper(parameters('Check_PointTags').provider)]"
+ }
+ },
+ {
+ "type": "Microsoft.Network/loadBalancers",
+ "condition": "[and(variables('deployELB'), not(parameters('upgrading')))]",
+ "apiVersion": "[parameters('networkApiVersion')]",
+ "name": "[variables('elbName')]",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "Standard"
+ },
+ "properties": {
+ "frontendIPConfigurations": [
+ {
+ "name": "[variables('appFEName')]",
+ "properties": {
+ "publicIPAddress": {
+ "id": "[variables('appAddressId')]"
+ }
+ }
+ }
+ ],
+ "backendAddressPools": [
+ {
+ "name": "[variables('elbBEAddressPool')]"
+ }
+ ],
+ "loadBalancingRules": [
+ {
+ "name": "[variables('appName')]",
+ "properties": {
+ "frontendIPConfiguration": {
+ "id": "[variables('appFEIPConfigID')]"
+ },
+ "backendAddressPool": {
+ "id": "[variables('elbBEAddressPoolID')]"
+ },
+ "probe": {
+ "id": "[variables('appProbeID')]"
+ },
+ "protocol": "[variables('appFrontEndProtocol')]",
+ "frontendPort": "[variables('appFrontEndPort')]",
+ "backendPort": "[variables('appBackEndPort')]",
+ "enableFloatingIP": false,
+ "loadDistribution": "[parameters('appLoadDistribution')]"
+ }
+ }
+ ],
+ "probes": [
+ {
+ "name": "[variables('appProbeName')]",
+ "properties": {
+ "protocol": "[variables('appHealthProtocol')]",
+ "port": "[variables('lbHealthPort')]",
+ "intervalInSeconds": "5",
+ "numberOfProbes": "2"
+ }
+ }
+ ]
+ },
+ "tags": {
+ "provider": "[toUpper(parameters('Check_PointTags').provider)]"
+ }
+ },
+ {
+ "type": "Microsoft.Network/loadBalancers",
+ "condition": "[and(variables('deployILB'), not(parameters('upgrading')))]",
+ "apiVersion": "[parameters('networkApiVersion')]",
+ "name": "[variables('ilbName')]",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "Standard"
+ },
+ "properties": {
+ "frontendIPConfigurations": [
+ {
+ "name": "[variables('ilbName')]",
+ "properties": {
+ "privateIPAllocationMethod": "Static",
+ "privateIPAddress": "[variables('internalLBPrivateIPAddress')]",
+ "subnet": {
+ "id": "[parameters('subnet2ID')]"
+ }
+ }
+ }
+ ],
+ "backendAddressPools": [
+ {
+ "name": "[variables('ilbBEAddressPool')]"
+ }
+ ],
+ "loadBalancingRules": [
+ {
+ "name": "[variables('ilbName')]",
+ "properties": {
+ "frontendIPConfiguration": {
+ "id": "[variables('ilbFEIPConfigID')]"
+ },
+ "backendAddressPool": {
+ "id": "[variables('ilbBEAddressPoolID')]"
+ },
+ "probe": {
+ "id": "[variables('ilbProbeID')]"
+ },
+ "protocol": "All",
+ "frontendPort": 0,
+ "backendPort": 0,
+ "loadDistribution": "[parameters('ilbLoadDistribution')]",
+ "enableFloatingIP": false
+ }
+ }
+ ],
+ "probes": [
+ {
+ "name": "[variables('ilbProbeName')]",
+ "properties": {
+ "protocol": "[variables('ilbHealthProtocol')]",
+ "port": "[variables('lbHealthPort')]",
+ "intervalInSeconds": "5",
+ "numberOfProbes": "2"
+ }
+ }
+ ]
+ },
+ "tags": {
+ "provider": "[toUpper(parameters('Check_PointTags').provider)]"
+ }
+ }
+ ],
+ "outputs": {
+ "appAddressId": {
+ "value": "[if(and(variables('deployELB'), not(parameters('upgrading'))), resourceId('Microsoft.Network/publicIPAddresses', variables('appAddressName')), '')]",
+ "type": "string"
+ },
+ "elbId": {
+ "value": "[if(variables('deployELB'), variables('elbId'), '')]",
+ "type": "string"
+ },
+ "ilbId": {
+ "value": "[if(variables('deployILB'), variables('ilbId'), '')]",
+ "type": "string"
+ },
+ "ilbBEAddressPoolProperties": {
+ "value": "[variables('ilbBEAddressPoolProperties')]",
+ "type": "array"
+ },
+ "elbBEAddressPoolProperties": {
+ "value": "[variables('elbBEAddressPoolProperties')]",
+ "type": "array"
+ },
+ "ApplicationAddress": {
+ "value": "[if(and(variables('deployELB'), not(parameters('upgrading'))), reference(variables('appAddressId'), parameters('networkApiVersion')).IpAddress, 'no public ip')]",
+ "type": "string"
+ },
+ "ApplicationFQDN": {
+ "value": "[if(and(variables('deployELB'), not(parameters('upgrading'))), reference(variables('appAddressId'), parameters('networkApiVersion')).dnsSettings.fqdn, 'no public ip')]",
+ "type": "string"
+ }
+ }
+}
diff --git a/contrib/azure/templates/vmss-publicipprefixinstanceselb/nestedtemplates/vnet-2-subnet-ha-existing.json b/contrib/azure/templates/vmss-publicipprefixinstanceselb/nestedtemplates/vnet-2-subnet-ha-existing.json
new file mode 100644
index 00000000..286d1927
--- /dev/null
+++ b/contrib/azure/templates/vmss-publicipprefixinstanceselb/nestedtemplates/vnet-2-subnet-ha-existing.json
@@ -0,0 +1,124 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "virtualNetworkName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the virtual network"
+ },
+ "defaultValue": "vnet"
+ },
+ "virtualNetworkAddressPrefixes": {
+ "type": "array",
+ "metadata": {
+ "description": "The address prefixes of the virtual network"
+ }
+ },
+ "Subnet1Name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the 1st subnet"
+ },
+ "defaultValue": "Frontend"
+ },
+ "Subnet1Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the 1st subnet"
+ },
+ "defaultValue": "10.0.1.0/24"
+ },
+ "Subnet2Name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the 2nd subnet"
+ },
+ "defaultValue": "Backend"
+ },
+ "Subnet2Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the 2nd subnet"
+ },
+ "defaultValue": "10.0.2.0/24"
+ },
+ "virtualNetworkExistingRGName": {
+ "type": "string",
+ "metadata": {
+ "description": "Resource Group of the existing virtual network"
+ },
+ "defaultValue": ""
+ },
+ "apiVersion": {
+ "type": "string"
+ },
+ "vmName": {
+ "type": "string"
+ },
+ "deployNsg": {
+ "type": "bool",
+ "defaultValue": "true"
+ },
+ "Check_PointTags": {
+ "type": "object",
+ "defaultValue": {
+ "provider": "30DE18BC-F9F6-4F22-9D30-54B8E74CFD5F"
+ }
+ }
+ },
+ "variables": {
+ "vnetId": "[resourceId(parameters('virtualNetworkExistingRGName'),'Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]",
+ "nsgName": "[concat(parameters('vmName'), '-nsg')]",
+ "nsgProperties": {
+ "id": "[resourceId(parameters('virtualNetworkExistingRGName'),'Microsoft.Network/networkSecurityGroups', variables('nsgName'))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Network/networkSecurityGroups",
+ "condition": "[parameters('deployNsg')]",
+ "apiVersion": "[parameters('apiVersion')]",
+ "location": "[parameters('location')]",
+ "name": "[variables('nsgName')]",
+ "properties": {
+ "securityRules": [
+ {
+ "name": "AllowAllInBound",
+ "properties": {
+ "description": "Allow all inbound connections",
+ "protocol": "*",
+ "sourcePortRange": "*",
+ "destinationPortRange": "*",
+ "sourceAddressPrefix": "*",
+ "destinationAddressPrefix": "*",
+ "access": "Allow",
+ "priority": "100",
+ "direction": "Inbound"
+ }
+ }
+ ]
+ },
+ "tags": {
+ "provider": "[toUpper(parameters('Check_PointTags').provider)]"
+ }
+ }
+ ],
+ "outputs": {
+ "vnetId": {
+ "value": "[variables('vnetId')]",
+ "type": "string"
+ },
+ "vnetAddressPrefixes": {
+ "value": "[reference(variables('vnetId'),parameters('apiVersion')).addressSpace.addressPrefixes]",
+ "type": "array"
+ },
+ "nsgProperties": {
+ "value": "[variables('nsgProperties')]",
+ "type": "object"
+ }
+ }
+}
diff --git a/contrib/cme/examples/README.md b/contrib/cme/examples/README.md
new file mode 100644
index 00000000..d1cc1c10
--- /dev/null
+++ b/contrib/cme/examples/README.md
@@ -0,0 +1,2 @@
+This directory contains examples of CME configuration and usage.
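Review bot: The `AllowAllInBound` rule in the networkSecurityGroups resource permits every protocol from every source (`"protocol": "*"`, `"sourceAddressPrefix": "*"`, `"access": "Allow"` at priority 100), so whenever `deployNsg` is true the NSG performs no filtering at all for the NICs it is later attached to. If the intent is that inspection happens on the gateway rather than in the NSG, state that in the rule's `description` and in the `deployNsg` parameter metadata; otherwise narrow `sourceAddressPrefix` to the ranges the deployment actually expects. `deployNsg` is declared `"type": "bool"` but its `defaultValue` is the string `"true"`; the boolean literal `true` matches the declared type. The `deployNsg`, `apiVersion` and `vmName` parameters carry no `metadata.description`, unlike the other parameters in the same block.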
+Refer to each subdirectorie's README.md file for more information.
diff --git a/contrib/terraform-azure-gwlb/README.md b/contrib/terraform-azure-gwlb/README.md
new file mode 100644
index 00000000..45c0f2d3
--- /dev/null
+++ b/contrib/terraform-azure-gwlb/README.md
@@ -0,0 +1,70 @@
+# CloudGuard GWLB Deployment on Azure
+This Terraform project is intended to be used as a template in a demonstration or to build a test environment.
+What it does is creating an infrastructure composed of three directly exposed application, and protect them with a VMSS CloudGuard deployment by using the newly launched Azure GWLB service. These applications will have then the East-West traffic protected by a CloudGuard HA Cluster.
+
+## Disclaimer
+Please note that GWLB service is today in Preview and therefore not reccomanded for production workload.
+You can review the support statement at:
+1. Microsoft Azure public documentation: [Documentation Link](https://docs.microsoft.com/en-us/azure/load-balancer/gateway-overview)
+2. Check Point public documentation: [Documentation Link](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_Azure_VMSS_GWLB/Content/Topics-Azure-VMSS-GWLB/Public-Preview-Disclaimer.htm?tocpath=_____3#Public_Preview_Disclaimer)
+
+## Do you want to see more?
+Check out other CloudGuard examples at [Github/gbrembati](https://github.com/gbrembati/)
+
+## Which are the components created?
+The project creates the following resources and combine them:
+1. **Resource Groups**: for the vnets, the management and the spokes
+2. **Vnet**: north / south / mgmt / spokes
+3. **Subnets**: inside the vNets
+4. **Vnet peerings** (as shown in the design below)
+5. **Routing table**: associated with the network in the spokes
+6. **Rules** for the routing tables created
+7. **Network Security Groups**: associated with nets and VMs
+8. **NSG Rules** inside the differents NSGs: to prevent undesired connections
+9. **Check Point Instances**: A Check Point R80.40 Cluster, R81.10 Management, R81.10 VMSS GWLB
+10. **Public IPs**: associated with the management and the spoke VMs)
+11. **Create DNS zone**: used later on to have the application easily accessible
+12. **Created 3 web application**: it builds three application directly accessible with Public IPs or Public LBs
+13. **Integrates GWLB with Application**: the deployed GWLB is set to protect the web applications
+
+## How to use it
+The only thing that you need to do is changing the __*terraform.tfvars*__ file located in this directory.
+
+```hcl
+# Set in this file your deployment variables
+# Specify the Azure values
+azure-client-id = "xxxxx-xxxxx-xxxxx-xxxxx"
+azure-client-secret = "xxxxx-xxxxx-xxxxx-xxxxx"
+azure-subscription = "xxxxx-xxxxx-xxxxx-xxxxx"
+azure-tenant = "xxxxx-xxxxx-xxxxx-xxxxx"
+
+# Specify where you want to deploy it and where you are coming from
+location = "France Central"
+my-pub-ip = "x.x.x.x/32"
+
+# Management details
+mgmt-sku-enabled = false # Have you ever deployed a R81.10 CKP management? Set to false if not
+mgmt-dns-suffix = "xxxxx"
+mgmt-admin-pwd = "xxxxx"
+
+# VMspoke details
+vmspoke-sku-enabled = false # Have you ever deployed a Nginx VM before? set to false if not
+vmspoke-usr = "xxxxx"
+vmspoke-pwd = "xxxxx"
+
+# Cluster Details
+cpcluster-sku-enabled = false # Have you ever deployed a R80.40 CKP cluster? set to false if not"
+admin_username = "xxxxx"
+admin_password = "xxxxx"
+sic_key = "xxxxx"
+
+# GWLB VMSS Details
+gwlb-vmss-agreement = false # Have you ever deployed a GWLB VMSS? set to false if not
+chkp-admin-pwd = "xxxxx"
+chkp-sic = "xxxxx"
+```
+If you want (or need) to further customize other project details, you can change defaults in the different __*name-variables.tf*__ files.
+Here you will also able to find the descriptions that explains what each variable is used for.
+
+## The infrastruction created with the following design:
+![Architectural Design](/contrib/terraform-azure-gwlb/zimages/azure-gwlb-design.jpg)
\ No newline at end of file
diff --git a/contrib/terraform-azure-gwlb/app-main.tf b/contrib/terraform-azure-gwlb/app-main.tf
new file mode 100644
index 00000000..be91a9f7
--- /dev/null
+++ b/contrib/terraform-azure-gwlb/app-main.tf 
@@ -0,0 +1,382 @@
+# Accept the agreement for the mgmt-byol for vmspoke image
+resource "azurerm_marketplace_agreement" "vmspoke-agreement" {
+ count = var.vmspoke-sku-enabled ? 0 : 1
+ publisher = var.vmspoke-publisher
+ offer = var.vmspoke-offer
+ plan = var.vmspoke-sku
+}
+
+resource "azurerm_resource_group" "rg-app-A" {
+ name = "rg-${var.app-name-con}"
+ location = var.location
+}
+resource "azurerm_public_ip" "publicip-app-A" {
+ name = "pub-${var.app-name-con}"
+ sku = "Standard"
+ location = azurerm_resource_group.rg-app-A.location
+ resource_group_name = azurerm_resource_group.rg-app-A.name
+ allocation_method = "Static"
+ domain_name_label = "pub-${var.app-name-con}-${var.mgmt-dns-suffix}"
+}
+resource "azurerm_lb" "lb-app-A" {
+ name = "lb-${var.app-name-con}"
+ sku = "Standard"
+ location = azurerm_resource_group.rg-app-A.location
+ resource_group_name = azurerm_resource_group.rg-app-A.name
+
+ frontend_ip_configuration {
+ name = "PublicIPAddress"
+ public_ip_address_id = azurerm_public_ip.publicip-app-A.id
+ gateway_load_balancer_frontend_ip_configuration_id = data.azurerm_lb.gateway-lb.frontend_ip_configuration.0.id
+ }
+ depends_on = [azurerm_resource_group_template_deployment.template-deployment-gwlb]
+}
+resource "azurerm_lb_backend_address_pool" "lb-backend-pool" {
+ loadbalancer_id = azurerm_lb.lb-app-A.id
+ name = "BackEndAddressPool"
+ depends_on = [azurerm_lb.lb-app-A]
+}
+resource "azurerm_lb_backend_address_pool_address" "lb-backend-pool-addr" {
+ name = "BackEndAddressPoolAddr"
+ backend_address_pool_id = azurerm_lb_backend_address_pool.lb-backend-pool.id
+ virtual_network_id = azurerm_virtual_network.vnet-spoke[0].id
+ ip_address = "10.0.0.4"
+ depends_on = [azurerm_lb_backend_address_pool.lb-backend-pool]
+}
+resource "azurerm_lb_probe" "lb-backend-probe" {
+ resource_group_name = azurerm_resource_group.rg-app-A.name
+ loadbalancer_id = azurerm_lb.lb-app-A.id
+ name = "http-running-probe"
+ port = 3000
+
+ depends_on = [azurerm_lb.lb-app-A]
+}
+
+resource "azurerm_lb_rule" "lb-rule-3000" {
+ resource_group_name = azurerm_resource_group.rg-app-A.name
+ loadbalancer_id = azurerm_lb.lb-app-A.id
+ name = "LBRule3000"
+ protocol = "Tcp"
+ frontend_port = 3000
+ backend_port = 3000
+ frontend_ip_configuration_name = "PublicIPAddress"
+ backend_address_pool_ids = [azurerm_lb_backend_address_pool.lb-backend-pool.id]
+ probe_id = azurerm_lb_probe.lb-backend-probe.id
+
+ depends_on = [azurerm_lb.lb-app-A]
+}
+resource "azurerm_lb_rule" "lb-rule-80" {
+ resource_group_name = azurerm_resource_group.rg-app-A.name
+ loadbalancer_id = azurerm_lb.lb-app-A.id
+ name = "LBRule80"
+ protocol = "Tcp"
+ frontend_port = 80
+ backend_port = 80
+ frontend_ip_configuration_name = "PublicIPAddress"
+ backend_address_pool_ids = [azurerm_lb_backend_address_pool.lb-backend-pool.id]
+ probe_id = azurerm_lb_probe.lb-backend-probe.id
+
+ depends_on = [azurerm_lb.lb-app-A]
+}
+
+resource "azurerm_network_profile" "profile-app-juiceshop" {
+ name = "net-profile-juiceshop-${var.app-name-con}"
+ location = azurerm_resource_group.rg-app-A.location
+ resource_group_name = azurerm_resource_group.rg-app-A.name
+
+ container_network_interface {
+ name = "container-nic-${var.app-name-con}"
+
+ ip_configuration {
+ name = "nic-ipconfig-${var.app-name-con}"
+ subnet_id = azurerm_subnet.net-spoke-0-web.id
+ }
+ }
+ depends_on = [azurerm_subnet.net-spoke-0-web]
+}
+
+resource "azurerm_container_group" "container-app-juiceshop" {
+ name = "juiceshop-${var.app-name-con}"
+ location = azurerm_resource_group.rg-app-A.location
+ resource_group_name = azurerm_resource_group.rg-app-A.name
+ os_type = "Linux"
+ ip_address_type = "private"
+ network_profile_id = azurerm_network_profile.profile-app-juiceshop.id
+
+ container {
+ name = "juiceshop${var.app-name-con}"
+ image = "${var.docker-image}:latest"
+ cpu = "1"
+ memory = "1.5"
+
+ ports {
+ port = 3000
+ protocol = "TCP"
+ }
+ ports {
+ port = 80
+ protocol = "TCP"
+ }
+ }
+ depends_on = [azurerm_network_profile.profile-app-juiceshop]
+}
+
+# Building the second app
+resource "azurerm_resource_group" "rg-app-B" {
+ name = "rg-${var.app-name-vm}"
+ location = var.location
+}
+resource "azurerm_public_ip" "publicip-app-B" {
+ name = "pub-${var.app-name-vm}"
+ sku = "Standard"
+ location = azurerm_resource_group.rg-app-B.location
+ resource_group_name = azurerm_resource_group.rg-app-B.name
+ allocation_method = "Static"
+ domain_name_label = "pub-${var.app-name-vm}-${var.mgmt-dns-suffix}"
+}
+resource "azurerm_lb" "lb-app-B" {
+ name = "lb-${var.app-name-vm}"
+ sku = "Standard"
+ location = azurerm_resource_group.rg-app-B.location
+ resource_group_name = azurerm_resource_group.rg-app-B.name
+
+ frontend_ip_configuration {
+ name = "PublicIPAddress"
+ public_ip_address_id = azurerm_public_ip.publicip-app-B.id
+ gateway_load_balancer_frontend_ip_configuration_id = data.azurerm_lb.gateway-lb.frontend_ip_configuration.0.id
+ }
+ depends_on = [azurerm_resource_group_template_deployment.template-deployment-gwlb]
+}
+resource "azurerm_lb_backend_address_pool" "lb-backend-pool-B" {
+ loadbalancer_id = azurerm_lb.lb-app-B.id
+ name = "BackEndAddressPool"
+ depends_on = [azurerm_lb.lb-app-B]
+}
+resource "azurerm_lb_backend_address_pool_address" "lb-backend-pool-B-addr" {
+ name = "BackEndAddressPoolAddr"
+ backend_address_pool_id = azurerm_lb_backend_address_pool.lb-backend-pool-B.id
+ virtual_network_id = azurerm_virtual_network.vnet-spoke[1].id
+ ip_address = "10.0.4.4"
+ depends_on = [azurerm_lb_backend_address_pool.lb-backend-pool-B]
+}
+resource "azurerm_lb_probe" "lb-backend-probe-B" {
+ resource_group_name = azurerm_resource_group.rg-app-B.name
+ loadbalancer_id = azurerm_lb.lb-app-B.id
+ name = "http-running-probe"
+ port = 80
+
+ depends_on = [azurerm_lb.lb-app-B]
+}
+
+resource "azurerm_lb_rule" "lb-rule-B-80" {
+ resource_group_name = azurerm_resource_group.rg-app-B.name
+ loadbalancer_id = azurerm_lb.lb-app-B.id
+ name = "LBRule80"
+ protocol = "Tcp"
+ frontend_port = 80
+ backend_port = 80
+ frontend_ip_configuration_name = "PublicIPAddress"
+ backend_address_pool_ids = [azurerm_lb_backend_address_pool.lb-backend-pool-B.id]
+ probe_id = azurerm_lb_probe.lb-backend-probe-B.id
+
+ depends_on = [azurerm_lb.lb-app-B]
+}
+
+# VM-Spoke Network interface
+resource "azurerm_network_interface" "nic-vmspoke" {
+ name = "${var.app-name-vm}-eth0"
+ location = azurerm_resource_group.rg-app-B.location
+ resource_group_name = azurerm_resource_group.rg-app-B.name
+ enable_ip_forwarding = "false"
+
+ ip_configuration {
+ name = "${var.app-name-vm}-eth0-config"
+ subnet_id = azurerm_subnet.net-spoke-1-web.id
+ private_ip_address_allocation = "Dynamic"
+ primary = true
+ }
+ depends_on = [azurerm_subnet.net-spoke-1-web]
+}
+
+# Create NSG for the vmspoke
+resource "azurerm_network_security_group" "nsg-vmspoke" {
+ name = "nsg-vmspoke"
+ location = azurerm_resource_group.rg-app-B.location
+ resource_group_name = azurerm_resource_group.rg-app-B.name
+}
+
+# Create the NSG rules for the vmspoke
+resource "azurerm_network_security_rule" "nsg-vmspoke-rl-http-s" {
+ priority = 110
+ name = "http-s-access"
+
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_range = "*"
+ destination_port_ranges = ["80","443"]
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ resource_group_name = azurerm_resource_group.rg-app-B.name
+ network_security_group_name = azurerm_network_security_group.nsg-vmspoke.name
+ depends_on = [azurerm_network_security_group.nsg-vmspoke]
+}
+
+resource "azurerm_network_interface_security_group_association" "nsg-assoc-nic-vmspoke" {
+ network_interface_id = azurerm_network_interface.nic-vmspoke.id
+ network_security_group_id = azurerm_network_security_group.nsg-vmspoke.id
+ depends_on = [azurerm_network_interface.nic-vmspoke,azurerm_network_security_group.nsg-vmspoke]
+}
+
+
+# Accept the agreement for the mgmt-byol for vmspoke image
+resource "azurerm_marketplace_agreement" "vmspoke-agreement" {
+ count = var.vmspoke-sku-enabled ? 0 : 1
+ publisher = var.vmspoke-publisher
+ offer = var.vmspoke-offer
+ plan = var.vmspoke-sku
+}
+
+# VM-Spoke Virtual Machine
+resource "azurerm_virtual_machine" "vm-spoke" {
+ name = "${var.app-name-vm}"
+ location = azurerm_resource_group.rg-app-B.location
+ resource_group_name = azurerm_resource_group.rg-app-B.name
+ network_interface_ids = [azurerm_network_interface.nic-vmspoke.id]
+ vm_size = "Standard_A1_v2"
+
+ plan {
+ publisher = var.vmspoke-publisher
+ product = var.vmspoke-offer
+ name = var.vmspoke-sku
+ }
+ storage_image_reference {
+ publisher = var.vmspoke-publisher
+ offer = var.vmspoke-offer
+ sku = var.vmspoke-sku
+ version = "latest"
+ }
+ storage_os_disk {
+ name = "disk-${var.app-name-vm}"
+ caching = "ReadWrite"
+ create_option = "FromImage"
+ managed_disk_type = "Standard_LRS"
+ }
+ os_profile {
+ computer_name = "${var.app-name-vm}"
+ admin_username = var.chkp-admin-usr
+ admin_password = var.chkp-admin-pwd
+ }
+ os_profile_linux_config {
+ disable_password_authentication = false
+ }
+ depends_on = [azurerm_marketplace_agreement.vmspoke-agreement,azurerm_network_interface.nic-vmspoke]
+}
+
+resource "azurerm_resource_group" "rg-app-C" {
+ name = "rg-${var.app-name-direct}"
+ location = var.location
+}
+
+resource "azurerm_public_ip" "publicip-app-C" {
+ name = "pub-${var.app-name-direct}"
+ sku = "Standard"
+ location = azurerm_resource_group.rg-app-C.location
+ resource_group_name = azurerm_resource_group.rg-app-C.name
+ allocation_method = "Static"
+ domain_name_label = "pub-${var.app-name-direct}-${var.mgmt-dns-suffix}"
+}
+resource "azurerm_network_interface" "nic-vmspoke-C" {
+ name = "${var.app-name-direct}-eth0"
+ location = azurerm_resource_group.rg-app-C.location
+ resource_group_name = azurerm_resource_group.rg-app-C.name
+ enable_ip_forwarding = "false"
+
+ ip_configuration {
+ name = "${var.app-name-direct}-eth0-config"
+ subnet_id = azurerm_subnet.net-spoke-1-web.id
+ private_ip_address_allocation = "Dynamic"
+ primary = true
+ public_ip_address_id = azurerm_public_ip.publicip-app-C.id
+ gateway_load_balancer_frontend_ip_configuration_id = data.azurerm_lb.gateway-lb.frontend_ip_configuration.0.id
+ }
+ depends_on = [azurerm_subnet.net-spoke-1-web]
+}
+
+resource "azurerm_network_interface_security_group_association" "nsg-assoc-nic-vmspoke-C" {
+ network_interface_id = azurerm_network_interface.nic-vmspoke-C.id
+ network_security_group_id = azurerm_network_security_group.nsg-vmspoke.id
+ depends_on = [azurerm_network_interface.nic-vmspoke-C,azurerm_network_security_group.nsg-vmspoke]
+}
+
+# VM-Spoke Virtual Machine
+resource "azurerm_virtual_machine" "vm-spoke-C" {
+ name = var.app-name-direct
+ location = azurerm_resource_group.rg-app-C.location
+ resource_group_name = azurerm_resource_group.rg-app-C.name
+ network_interface_ids = [azurerm_network_interface.nic-vmspoke-C.id]
+ vm_size = "Standard_A1_v2"
+
+ plan {
+ publisher = var.vmspoke-publisher
+ product = var.vmspoke-offer
+ name = var.vmspoke-sku
+ }
+ storage_image_reference {
+ publisher = var.vmspoke-publisher
+ offer = var.vmspoke-offer
+ sku = var.vmspoke-sku
+ version = "latest"
+ }
+ storage_os_disk {
+ name = "disk-${var.app-name-direct}"
+ caching = "ReadWrite"
+ create_option = "FromImage"
+ managed_disk_type = "Standard_LRS"
+ }
+ os_profile {
+ computer_name = "${var.app-name-direct}"
+ admin_username = var.chkp-admin-usr
+ admin_password = var.chkp-admin-pwd
+ }
+ os_profile_linux_config {
+ disable_password_authentication = false
+ }
+ depends_on = [azurerm_marketplace_agreement.vmspoke-agreement,azurerm_network_interface.nic-vmspoke-C]
+}
+
+resource "azurerm_dns_a_record" "publicip-app-A-dns-record" {
+ name = var.app-name-con
+ zone_name = azurerm_dns_zone.mydns-public-zone.name
+ resource_group_name = azurerm_resource_group.rg-dns-myzone.name
+ ttl = 300
+ target_resource_id = azurerm_public_ip.publicip-app-A.id
+ depends_on = [azurerm_public_ip.publicip-app-A]
+}
+output "webapp-A-public-fqdn" {
+ value = "http://${azurerm_dns_a_record.publicip-app-A-dns-record.name}.${azurerm_dns_zone.mydns-public-zone.name}:3000/"
+}
+
+resource "azurerm_dns_a_record" "publicip-app-B-dns-record" {
+ name = var.app-name-vm
+ zone_name = azurerm_dns_zone.mydns-public-zone.name
+ resource_group_name = azurerm_resource_group.rg-dns-myzone.name
+ ttl = 300
+ target_resource_id = azurerm_public_ip.publicip-app-B.id
+ depends_on = [azurerm_public_ip.publicip-app-B]
+}
+output "webapp-B-public-fqdn" {
+ value = "http://${azurerm_dns_a_record.publicip-app-B-dns-record.name}.${azurerm_dns_zone.mydns-public-zone.name}/"
+}
+
+resource "azurerm_dns_a_record" "publicip-app-C-dns-record" {
+ name = var.app-name-direct
+ zone_name = azurerm_dns_zone.mydns-public-zone.name
+ resource_group_name = azurerm_resource_group.rg-dns-myzone.name
+ ttl = 300
+ target_resource_id = azurerm_public_ip.publicip-app-C.id
+ depends_on = [azurerm_public_ip.publicip-app-C]
+}
+output "webapp-C-public-fqdn" {
+ value = "http://${azurerm_dns_a_record.publicip-app-C-dns-record.name}.${azurerm_dns_zone.mydns-public-zone.name}/"
+}
\ No newline at end of file
diff --git a/contrib/terraform-azure-gwlb/app-variables.tf b/contrib/terraform-azure-gwlb/app-variables.tf
new file mode 100644
index 00000000..4cc907a3
--- /dev/null
+++ b/contrib/terraform-azure-gwlb/app-variables.tf
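Review bot: `resource "azurerm_marketplace_agreement" "vmspoke-agreement"` is declared twice in this file, once at the top and again directly above `azurerm_virtual_machine.vm-spoke`, with identical bodies; Terraform rejects a duplicate resource address at validate time, so the second copy should be removed (the first one is the one the `# Accept the agreement` comment documents). Both spoke VMs log in with `admin_username = var.chkp-admin-usr` / `admin_password = var.chkp-admin-pwd` and `disable_password_authentication = false`, whereas the README's tfvars example supplies separate `vmspoke-usr` / `vmspoke-pwd` values for them; either wire those variables into `os_profile` or drop them from the README, since as written the publicly reachable demo VMs share the GWLB VMSS admin credential. `enable_ip_forwarding = "false"` is a quoted string in both NICs where the argument is a bool; the literal `false` is the idiomatic form. The backend-pool addresses `10.0.0.4` and `10.0.4.4` are hard-coded while the container group and `nic-vmspoke` take dynamically allocated private IPs, so presumably they only line up when those are the first addresses handed out in each subnet — worth confirming, or referencing the resources' IP attributes instead.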
@@ -0,0 +1,26 @@
+variable "app-name-con" {
+ default = "webapp-con"
+}
+variable "docker-image" {
+ default = "bkimminich/juice-shop"
+}
+variable "app-name-direct" {
+ default = "webapp-direct"
+}
+variable "app-name-vm" {
+ default = "webapp-vm"
+}
+variable "vmspoke-publisher" {
+ default = "bitnami"
+}
+variable "vmspoke-offer" {
+ default = "nginxstack"
+}
+variable "vmspoke-sku" {
+ default = "1-9"
+}
+variable "vmspoke-sku-enabled" {
+ description = "Have you ever deployed this vm spoke before? set to false if not"
+ type = bool
+ default = true
+}
\ No newline at end of file
diff --git a/contrib/terraform-azure-gwlb/cpcluster-main.tf b/contrib/terraform-azure-gwlb/cpcluster-main.tf
new file mode 100644
index 00000000..dc622c82
--- /dev/null
+++ b/contrib/terraform-azure-gwlb/cpcluster-main.tf
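Review bot: `vmspoke-sku-enabled` defaults to `true`, which makes `count = var.vmspoke-sku-enabled ? 0 : 1` in app-main.tf skip the marketplace agreement on a first deployment unless the user remembers the `vmspoke-sku-enabled = false` override the README shows; presumably the VM creation then fails on the unaccepted plan, so the description should state that the default assumes the plan was already accepted in this subscription. `docker-image` carries no tag and app-main.tf appends `:latest`, so the application actually deployed drifts over time; a pinned tag or digest in the default keeps the demo reproducible and reviewable. The other six variables have neither `description` nor `type`, unlike `vmspoke-sku-enabled` in the same file; `type = string` plus a one-line description on each would make the file consistent and match the README's promise that the variables files explain each value.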
@@ -0,0 +1,461 @@ +//********************** Basic Configuration **************************// +module "common" { + source = "./modules/common" + resource_group_name = var.resource_group_name + location = var.location + admin_password = var.admin_password + installation_type = var.installation_type + template_name = var.template_name + template_version = var.template_version + number_of_vm_instances = var.number_of_vm_instances + allow_upload_download = var.allow_upload_download + vm_size = var.vm_size + disk_size = var.disk_size + is_blink = var.is_blink + os_version = var.os_version + vm_os_sku = var.vm_os_sku + vm_os_offer = var.vm_os_offer + authentication_type = var.authentication_type +} + +//********************** Networking **************************// +data "azurerm_subnet" "frontend" { + name = azurerm_subnet.net-south-frontend.name + virtual_network_name = azurerm_virtual_network.vnet-south.name + resource_group_name = azurerm_virtual_network.vnet-south.resource_group_name +} + +data "azurerm_subnet" "backend" { + name = azurerm_subnet.net-south-backend.name + virtual_network_name = azurerm_virtual_network.vnet-south.name + resource_group_name = azurerm_virtual_network.vnet-south.resource_group_name +} + +resource "azurerm_public_ip" "public-ip" { + count = 2 + name = "${var.cluster_name}${count.index+1}_IP" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + allocation_method = var.vnet_allocation_method + sku = var.sku +} + +resource "azurerm_public_ip" "cluster-vip" { + name = var.cluster_name + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + allocation_method = var.vnet_allocation_method + sku = var.sku +} + +resource "azurerm_network_interface" "nic_vip" { + depends_on = [ + azurerm_public_ip.cluster-vip, + azurerm_public_ip.public-ip] + name = "${var.cluster_name}1-eth0" + location = module.common.resource_group_location + 
resource_group_name = module.common.resource_group_name + enable_ip_forwarding = true + enable_accelerated_networking = true + + ip_configuration { + name = "ipconfig1" + primary = true + subnet_id = data.azurerm_subnet.frontend.id + private_ip_address_allocation = var.vnet_allocation_method + private_ip_address = cidrhost(data.azurerm_subnet.frontend.address_prefix, var.frontend_IP_addresses[0]) + public_ip_address_id = azurerm_public_ip.public-ip.0.id + } + ip_configuration { + name = "cluster-vip" + subnet_id = data.azurerm_subnet.frontend.id + primary = false + private_ip_address_allocation = var.vnet_allocation_method + private_ip_address = cidrhost(data.azurerm_subnet.frontend.address_prefix, var.frontend_IP_addresses[2]) + public_ip_address_id = azurerm_public_ip.cluster-vip.id + } + lifecycle { + ignore_changes = [ + # Ignore changes to ip_configuration when Re-applying, e.g. because a cluster failover and associating the cluster- vip with the other member. + # updates these based on some ruleset managed elsewhere. 
+ ip_configuration + ] + } +} + +resource "azurerm_network_interface_backend_address_pool_association" "nic_vip_lb_association" { + depends_on = [azurerm_network_interface.nic_vip, azurerm_lb_backend_address_pool.frontend-lb-pool] + network_interface_id = azurerm_network_interface.nic_vip.id + ip_configuration_name = "ipconfig1" + backend_address_pool_id = azurerm_lb_backend_address_pool.frontend-lb-pool.id +} + +resource "azurerm_network_interface" "nic" { + depends_on = [ + azurerm_public_ip.public-ip, + azurerm_lb.frontend-lb] + name = "${var.cluster_name}2-eth0" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + enable_ip_forwarding = true + enable_accelerated_networking = true + + ip_configuration { + name = "ipconfig1" + primary = true + subnet_id = data.azurerm_subnet.frontend.id + private_ip_address_allocation = var.vnet_allocation_method + private_ip_address = cidrhost(data.azurerm_subnet.frontend.address_prefix, var.frontend_IP_addresses[1]) + public_ip_address_id = azurerm_public_ip.public-ip.1.id + } + lifecycle { + ignore_changes = [ + # Ignore changes to ip_configuration when Re-applying, e.g. because a cluster failover and associating the cluster- vip with the other member. + # updates these based on some ruleset managed elsewhere. 
+ ip_configuration + ] + } +} + +resource "azurerm_network_interface_backend_address_pool_association" "nic_lb_association" { + depends_on = [azurerm_network_interface.nic, azurerm_lb_backend_address_pool.frontend-lb-pool] + network_interface_id = azurerm_network_interface.nic.id + ip_configuration_name = "ipconfig1" + backend_address_pool_id = azurerm_lb_backend_address_pool.frontend-lb-pool.id +} + +resource "azurerm_network_interface" "nic1" { + depends_on = [ + azurerm_lb.backend-lb] + count = 2 + name = "${var.cluster_name}${count.index+1}-eth1" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + enable_ip_forwarding = true + enable_accelerated_networking = true + + ip_configuration { + name = "ipconfig2" + subnet_id = data.azurerm_subnet.backend.id + private_ip_address_allocation = var.vnet_allocation_method + private_ip_address = cidrhost(data.azurerm_subnet.backend.address_prefix, var.backend_IP_addresses[count.index+1]) + } +} + +resource "azurerm_network_interface_backend_address_pool_association" "nic1_lb_association" { + depends_on = [azurerm_network_interface.nic1, azurerm_lb_backend_address_pool.backend-lb-pool] + count = 2 + network_interface_id = azurerm_network_interface.nic1[count.index].id + ip_configuration_name = "ipconfig2" + backend_address_pool_id = azurerm_lb_backend_address_pool.backend-lb-pool.id +} + +//********************** Load Balancers **************************// +resource "azurerm_public_ip" "public-ip-lb" { + name = "frontend_lb_ip" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + allocation_method = var.vnet_allocation_method + sku = var.sku +} + +resource "azurerm_lb" "frontend-lb" { + depends_on = [azurerm_public_ip.public-ip-lb] + name = "lb-cluster-frontend" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + sku = var.sku + + 
frontend_ip_configuration { + name = "LoadBalancerFrontend" + public_ip_address_id = azurerm_public_ip.public-ip-lb.id + } +} + +resource "azurerm_lb_backend_address_pool" "frontend-lb-pool" { +# resource_group_name = module.common.resource_group_name + loadbalancer_id = azurerm_lb.frontend-lb.id + name = "frontend-lb-pool" +} + +resource "azurerm_lb" "backend-lb" { + name = "lb-cluster-backend" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + sku = var.sku + frontend_ip_configuration { + name = "backend-lb" + subnet_id = data.azurerm_subnet.backend.id + private_ip_address_allocation = var.vnet_allocation_method + private_ip_address = cidrhost(data.azurerm_subnet.backend.address_prefix, var.backend_IP_addresses[0]) + } +} + +resource "azurerm_lb_backend_address_pool" "backend-lb-pool" { + name = "backend-lb-pool" + loadbalancer_id = azurerm_lb.backend-lb.id + # resource_group_name = module.common.resource_group_name +} + +resource "azurerm_lb_probe" "azure_lb_healprob" { + count = 2 + resource_group_name = module.common.resource_group_name + loadbalancer_id = count.index == 0 ? azurerm_lb.frontend-lb.id : azurerm_lb.backend-lb.id + name = var.lb_probe_name + protocol = var.lb_probe_protocol + port = var.lb_probe_port + interval_in_seconds = var.lb_probe_interval + number_of_probes = var.lb_probe_unhealthy_threshold +} + +//********************** Availability Set **************************// +locals { + availability_set_condition = var.availability_type == "Availability Set" ? true : false + SSH_authentication_type_condition = var.authentication_type == "SSH Public Key" ? true : false +} +resource "azurerm_availability_set" "availability-set" { + count = local.availability_set_condition ? 
1 : 0 + name = "${var.cluster_name}-AvailabilitySet" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + platform_fault_domain_count = 2 + platform_update_domain_count = 5 + managed = true +} + +//********************** Storage accounts **************************// +// Generate random text for a unique storage account name +resource "random_id" "clusterrandomId" { + keepers = { + # Generate a new ID only when a new resource group is defined + resource_group = module.common.resource_group_name + } + byte_length = 8 +} +resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { + name = "bootdiag${random_id.clusterrandomId.hex}" + resource_group_name = module.common.resource_group_name + location = module.common.resource_group_location + account_tier = module.common.storage_account_tier + account_replication_type = module.common.account_replication_type +} + +//********************** Virtual Machines **************************// +locals { + custom_image_condition = var.source_image_vhd_uri == "noCustomUri" ? false : true +} + +resource "azurerm_image" "custom-image" { + count = local.custom_image_condition ? 1 : 0 + name = "custom-image" + location = var.location + resource_group_name = module.common.resource_group_name + + os_disk { + os_type = "Linux" + os_state = "Generalized" + blob_uri = var.source_image_vhd_uri + } +} + +# Accept the agreement for the cluster-byol for R80.40 +resource "azurerm_marketplace_agreement" "cpcluster-agreement" { + count = var.cpcluster-sku-enabled ? 0 : 1 + publisher = "checkpoint" + offer = var.vm_os_offer + plan = var.vm_os_sku +} + +resource "azurerm_virtual_machine" "vm-instance-availability-set" { + depends_on = [ + azurerm_network_interface.nic, + azurerm_network_interface.nic1, + azurerm_network_interface.nic_vip] + count = local.availability_set_condition ? 
module.common.number_of_vm_instances : 0 + name = "${var.cluster_name}${count.index+1}" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + availability_set_id = local.availability_set_condition ? azurerm_availability_set.availability-set[0].id : "" + vm_size = module.common.vm_size + network_interface_ids = count.index == 0 ? [ + azurerm_network_interface.nic_vip.id, + azurerm_network_interface.nic1.0.id] : [ + azurerm_network_interface.nic.id, + azurerm_network_interface.nic1.1.id] + delete_os_disk_on_termination = module.common.delete_os_disk_on_termination + primary_network_interface_id = count.index == 0 ? azurerm_network_interface.nic_vip.id : azurerm_network_interface.nic.id + identity { + type = module.common.vm_instance_identity + } + storage_image_reference { + id = local.custom_image_condition ? azurerm_image.custom-image[0].id : null + publisher = local.custom_image_condition ? null : module.common.publisher + offer = module.common.vm_os_offer + sku = module.common.vm_os_sku + version = module.common.vm_os_version + } + + storage_os_disk { + name = "${var.cluster_name}-${count.index+1}" + create_option = module.common.storage_os_disk_create_option + caching = module.common.storage_os_disk_caching + managed_disk_type = module.common.storage_account_type + disk_size_gb = module.common.disk_size + } + + dynamic "plan" { + for_each = local.custom_image_condition ? 
[ + ] : [1] + content { + name = module.common.vm_os_sku + publisher = module.common.publisher + product = module.common.vm_os_offer + } + } + + os_profile { + computer_name = "${var.cluster_name}${count.index+1}" + admin_username = module.common.admin_username + admin_password = module.common.admin_password + custom_data = templatefile("${path.module}/cloud-init.sh", { + installation_type = module.common.installation_type + allow_upload_download = module.common.allow_upload_download + os_version = module.common.os_version + template_name = module.common.template_name + template_version = module.common.template_version + is_blink = module.common.is_blink + bootstrap_script64 = base64encode(var.bootstrap_script) + location = module.common.resource_group_location + sic_key = var.sic_key + tenant_id = var.azure-tenant + virtual_network = azurerm_virtual_network.vnet-south.name + cluster_name = var.cluster_name + external_private_addresses = azurerm_network_interface.nic_vip.ip_configuration[1].private_ip_address + enable_custom_metrics=var.enable_custom_metrics ? "yes" : "no" + }) + } + + os_profile_linux_config { + disable_password_authentication = local.SSH_authentication_type_condition + + dynamic "ssh_keys" { + for_each = local.SSH_authentication_type_condition ? [ + 1] : [] + content { + path = "/home/notused/.ssh/authorized_keys" + key_data = file("${path.module}/azure_public_key") + } + } + } + + boot_diagnostics { + enabled = module.common.boot_diagnostics + storage_uri = module.common.boot_diagnostics ? join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : "" + } +} + +resource "azurerm_virtual_machine" "vm-instance-availability-zone" { + depends_on = [ + azurerm_network_interface.nic, + azurerm_network_interface.nic1, + azurerm_network_interface.nic_vip] + count = local.availability_set_condition ? 
0 : module.common.number_of_vm_instances + name = "${var.cluster_name}${count.index+1}" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + zones = [ + count.index+1] + vm_size = module.common.vm_size + network_interface_ids = count.index == 0 ? [ + azurerm_network_interface.nic_vip.id, + azurerm_network_interface.nic1.0.id] : [ + azurerm_network_interface.nic.id, + azurerm_network_interface.nic1.1.id] + delete_os_disk_on_termination = module.common.delete_os_disk_on_termination + primary_network_interface_id = count.index == 0 ? azurerm_network_interface.nic_vip.id : azurerm_network_interface.nic.id + identity { + type = module.common.vm_instance_identity + } + storage_image_reference { + id = local.custom_image_condition ? azurerm_image.custom-image[0].id : null + publisher = local.custom_image_condition ? null : module.common.publisher + offer = module.common.vm_os_offer + sku = module.common.vm_os_sku + version = module.common.vm_os_version + } + + storage_os_disk { + name = "${var.cluster_name}-${count.index+1}" + create_option = module.common.storage_os_disk_create_option + caching = module.common.storage_os_disk_caching + managed_disk_type = module.common.storage_account_type + disk_size_gb = module.common.disk_size + } + + dynamic "plan" { + for_each = local.custom_image_condition ? 
[ + ] : [1] + content { + name = module.common.vm_os_sku + publisher = module.common.publisher + product = module.common.vm_os_offer + } + } + + os_profile { + computer_name = "${var.cluster_name}${count.index+1}" + admin_username = module.common.admin_username + admin_password = module.common.admin_password + custom_data = templatefile("${path.module}/cloud-init.sh", { + installation_type = module.common.installation_type + allow_upload_download = module.common.allow_upload_download + os_version = module.common.os_version + template_name = module.common.template_name + template_version = module.common.template_version + is_blink = module.common.is_blink + bootstrap_script64 = base64encode(var.bootstrap_script) + location = module.common.resource_group_location + sic_key = var.sic_key + tenant_id = var.azure-tenant + virtual_network = azurerm_virtual_network.vnet-south.name + cluster_name = var.cluster_name + external_private_addresses = azurerm_network_interface.nic_vip.ip_configuration[1].private_ip_address + enable_custom_metrics=var.enable_custom_metrics ? "yes" : "no" + }) + } + + os_profile_linux_config { + disable_password_authentication = local.SSH_authentication_type_condition + + dynamic "ssh_keys" { + for_each = local.SSH_authentication_type_condition ? [ + 1] : [] + content { + path = "/home/notused/.ssh/authorized_keys" + key_data = file("${path.module}/azure_public_key") + } + } + } + + boot_diagnostics { + enabled = module.common.boot_diagnostics + storage_uri = module.common.boot_diagnostics ? 
join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : "" + } +} +//********************** Role Assigments **************************// +data "azurerm_role_definition" "role_definition" { + name = module.common.role_definition +} +data "azurerm_client_config" "client_config" { +} +resource "azurerm_role_assignment" "cluster_assigment" { + count = 2 + lifecycle { + ignore_changes = [ + role_definition_id, principal_id + ] + } + scope = module.common.resource_group_id + role_definition_id = data.azurerm_role_definition.role_definition.id + principal_id = local.availability_set_condition ? lookup(azurerm_virtual_machine.vm-instance-availability-set[count.index].identity[0], "principal_id") : lookup(azurerm_virtual_machine.vm-instance-availability-zone[count.index].identity[0], "principal_id") +} diff --git a/contrib/terraform-azure-gwlb/cpcluster-variables.tf b/contrib/terraform-azure-gwlb/cpcluster-variables.tf new file mode 100644 index 00000000..a11c5e29 --- /dev/null +++ b/contrib/terraform-azure-gwlb/cpcluster-variables.tf 
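Review bot: `azurerm_role_assignment.cluster_assigment` hard-codes `count = 2` while the VMs it indexes are created with `count = module.common.number_of_vm_instances`, so the two only agree because the default is 2; a different instance count either leaves members without an identity assignment or fails with an index error at plan time. `count = module.common.number_of_vm_instances` keeps them in step (the NIC resources earlier in this file are likewise fixed at two members, so the instance-count variable is effectively not honoured by this file). Separately, `ignore_changes = [role_definition_id, principal_id]` means Terraform will not revert an out-of-band change to the role or the principal of this IAM binding; either add a comment stating why drift is intentionally ignored here, or drop `role_definition_id` from the list so a broadened role is reconciled on the next apply.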
@@ -0,0 +1,201 @@ +//********************** Basic Configuration Variables **************************// +variable "cluster_name" { + description = "Cluster name" + type = string + default = "cpcluster" +} + +variable "resource_group_name" { + description = "Azure Resource Group name to build into" + type = string + default = "rg-cpcluster" +} + +//********************** Virtual Machine Instances Variables **************************// +variable "availability_type" { + description = "Specifies whether to deploy the solution based on Azure Availability Set or based on Azure Availability Zone." + type = string + default = "Availability Zone" +} + +locals { // locals for 'availability_type' allowed values + availability_type_allowed_values = [ + "Availability Zone", + "Availability Set" + ] + // will fail if [var.availability_type] is invalid: + validate_availability_type_value = index(local.availability_type_allowed_values, var.availability_type) +} + +variable "source_image_vhd_uri" { + type = string + description = "The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images." + default = "noCustomUri" +} + +variable "admin_username" { + description = "Administrator username of deployed VM. Due to Azure limitations 'notused' name can be used" + default = "cpadmin" +} + +variable "admin_password" { + description = "Administrator password of deployed Virtual Macine. The password must meet the complexity requirements of Azure" + type = string +} + +variable "sic_key" { + description = "Secure Internal Communication(SIC) key" + type = string +} +resource "null_resource" "sic_key_invalid" { + count = length(var.sic_key) >= 12 ? 0 : "SIC key must be at least 12 characters long" +} + +variable "template_name" { + description = "Template name. Should be defined according to deployment type(ha, vmss)" + type = string + default = "ha_terraform" +} + +variable "template_version" { + description = "Template version. 
It is reccomended to always use the latest template version" + type = string + default = "20210111" +} + +variable "installation_type" { + description = "Installaiton type" + type = string + default = "cluster" +} + +variable "number_of_vm_instances" { + description = "Number of VM instances to deploy " + type = string + default = "2" +} + +variable "vm_size" { + description = "Specifies size of Virtual Machine" + type = string + default = "Standard_D2_v2" +} + +variable "disk_size" { + description = "Storage data disk size size(GB).Select a number between 100 and 3995" + type = string + default = "110" +} + +variable "os_version" { + description = "GAIA OS version" + type = string + default = "R80.40" +} + +variable "vm_os_sku" { + description = "The sku of the image to be deployed." + type = string + default = "sg-byol" +} + +variable "vm_os_offer" { + description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8030, check-point-cg-r8040, check-point-cg-r81" + type = string + default = "check-point-cg-r8040" +} + +variable "authentication_type" { + description = "Specifies whether a password authentication or SSH Public Key authentication should be used" + type = string + default = "Password" +} +locals { // locals for 'authentication_type' allowed values + authentication_type_allowed_values = [ + "Password", + "SSH Public Key" + ] + // will fail if [var.authentication_type] is invalid: + validate_authentication_type_value = index(local.authentication_type_allowed_values, var.authentication_type) +} + +variable "allow_upload_download" { + description = "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point" + type = bool + default = true +} + +variable "is_blink" { + description = "Define if blink image is used for deployment" + default = true +} + +//********************** Natworking Variables **************************// +variable "frontend_IP_addresses" { + description = "A list of three whole numbers representing the private ip addresses of the members eth0 NICs and the cluster vip ip addresses. The numbers can be represented as binary integers with no more than the number of digits remaining in the address after the given frontend subnet prefix. The IP addresses are defined by their position in the frontend subnet." + type = list(number) + default = [5, 6, 7] +} + +variable "backend_IP_addresses" { + description = "A list of three whole numbers representing the private ip addresses of the members eth1 NICs and the backend lb ip addresses. The numbers can be represented as binary integers with no more than the number of digits remaining in the address after the given backend subnet prefix. The IP addresses are defined by their position in the backend subnet." + type = list(number) + default = [5, 6, 7] +} + +variable "vnet_allocation_method" { + description = "IP address allocation method" + type = string + default = "Static" +} + +variable "lb_probe_name" { + description = "Name to be used for lb health probe" + default = "health_prob_port" +} + +variable "lb_probe_port" { + description = "Port to be used for load balancer health probes and rules" + default = "8117" +} + +variable "lb_probe_protocol" { + description = "Protocols to be used for load balancer health probes and rules" + default = "tcp" +} + +variable "lb_probe_unhealthy_threshold" { + description = "Number of times load balancer health probe has an unsuccessful attempt before considering the endpoint unhealthy." 
+ default = 2 +} + +variable "lb_probe_interval" { + description = "Interval in seconds load balancer health probe rule perfoms a check" + default = 5 +} + +variable "bootstrap_script" { + description = "An optional script to run on the initial boot" + default = "" + #example: + #"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" +} + +//********************** Credentials **************************// +variable "sku" { + description = "SKU" + type = string + default = "Standard" +} + +variable "enable_custom_metrics" { + description = "Indicates whether CloudGuard Metrics will be use for Cluster members monitoring." + type = bool + default = true +} + +variable "cpcluster-sku-enabled" { + description = "Have you ever deployed a ckp cluster before? set to false if not" + type = bool + default = true +} \ No newline at end of file diff --git a/contrib/terraform-azure-gwlb/cpmgmt-main.tf b/contrib/terraform-azure-gwlb/cpmgmt-main.tf new file mode 100644 index 00000000..8dabd6ab --- /dev/null +++ b/contrib/terraform-azure-gwlb/cpmgmt-main.tf 
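Review bot: `admin_password` and `sic_key` are declared without `sensitive = true`, so their values are printed in plain text in `terraform plan`/`apply` output and in any CI log that captures it; the same applies to `azure-client-secret`, `chkp-admin-pwd` and `chkp-sic` in `deployment-variables.tf` later in this patch. If the Terraform version in use supports it, add `sensitive = true` to each of these variable blocks (the values still land in state, which must be protected regardless). The `null_resource` length check on `sic_key` works but only reports at the resource; a `validation` block on the variable, where available, reports the error against the variable itself. Minor: the descriptions contain several typos (`Natworking`, `reccomended`, `Installaiton`, `Macine`).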
@@ -0,0 +1,189 @@ +# Accept the agreement for the mgmt-byol for R80.40 +resource "azurerm_marketplace_agreement" "cpmgmt-agreement" { + count = var.mgmt-sku-enabled ? 0 : 1 + publisher = "checkpoint" + offer = "check-point-cg-${var.mgmt-version}" + plan = var.mgmt-sku +} +# Create management resource group +resource "azurerm_resource_group" "rg-ckpmgmt" { + name = "rg-${var.mgmt-name}" + location = var.location +} +# Create NSG for the management +resource "azurerm_network_security_group" "nsg-ckpmgmt" { + name = "nsg-${var.mgmt-name}" + location = azurerm_resource_group.rg-ckpmgmt.location + resource_group_name = azurerm_resource_group.rg-ckpmgmt.name + depends_on = [azurerm_resource_group.rg-ckpmgmt] +} + +# Create the NSG rules for the management +resource "azurerm_network_security_rule" "nsg-ckpmgmt-rl-ssh" { + priority = 100 + name = "ssh-access" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + + source_port_range = "*" + destination_port_range = "22" + source_address_prefix = var.my-pub-ip + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.rg-ckpmgmt.name + network_security_group_name = azurerm_network_security_group.nsg-ckpmgmt.name + depends_on = [azurerm_network_security_group.nsg-ckpmgmt] +} +resource "azurerm_network_security_rule" "nsg-ckpmgmt-rl-https" { + priority = 110 + name = "https-access" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + + source_port_range = "*" + destination_port_range = "443" + source_address_prefix = var.my-pub-ip + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.rg-ckpmgmt.name + network_security_group_name = azurerm_network_security_group.nsg-ckpmgmt.name + depends_on = [azurerm_network_security_group.nsg-ckpmgmt] +} +resource "azurerm_network_security_rule" "nsg-ckpmgmt-rl-smartconsole" { + priority = 120 + name = "smartconsole-access" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + + source_port_range = "*" + 
destination_port_ranges = ["18190","19009"] + source_address_prefix = var.my-pub-ip + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.rg-ckpmgmt.name + network_security_group_name = azurerm_network_security_group.nsg-ckpmgmt.name + depends_on = [azurerm_network_security_group.nsg-ckpmgmt] +} +resource "azurerm_network_security_rule" "nsg-ckpmgmt-rl-exposedsrvc" { + priority = 130 + name = "log-ICA-CRL-Policy-access" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + + source_port_range = "*" + destination_port_ranges = ["257","18210","18264","18191"] + source_address_prefix = "*" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.rg-ckpmgmt.name + network_security_group_name = azurerm_network_security_group.nsg-ckpmgmt.name + depends_on = [azurerm_network_security_group.nsg-ckpmgmt] +} + +# Create Public IP +resource "azurerm_public_ip" "pub-ckpmgmt" { + name = "pub-${var.mgmt-name}" + location = azurerm_resource_group.rg-ckpmgmt.location + resource_group_name = azurerm_resource_group.rg-ckpmgmt.name + allocation_method = "Dynamic" + domain_name_label = "pub-${var.mgmt-name}-${var.mgmt-dns-suffix}" + depends_on = [azurerm_resource_group.rg-ckpmgmt] +} +# Create NIC +resource "azurerm_network_interface" "nic-ckpmgmt" { + name = "${var.mgmt-name}-eth0" + location = azurerm_resource_group.rg-ckpmgmt.location + resource_group_name = azurerm_resource_group.rg-ckpmgmt.name + enable_ip_forwarding = "false" + + ip_configuration { + name = "${var.mgmt-name}-eth0-config" + subnet_id = azurerm_subnet.net-secmgmt.id + primary = true + private_ip_address = "172.16.8.4" + private_ip_address_allocation = "Static" + public_ip_address_id = azurerm_public_ip.pub-ckpmgmt.id + } + depends_on = [azurerm_public_ip.pub-ckpmgmt,azurerm_subnet.net-secmgmt,azurerm_network_security_group.nsg-ckpmgmt] +} +resource "azurerm_network_interface_security_group_association" "nsg-assoc-nic-ckpmgmt" { + network_interface_id = 
azurerm_network_interface.nic-ckpmgmt.id + network_security_group_id = azurerm_network_security_group.nsg-ckpmgmt.id + depends_on = [azurerm_network_interface.nic-ckpmgmt,azurerm_network_security_group.nsg-ckpmgmt] +} + +# Generate random text for a unique storage account name +resource "random_id" "randomId" { + keepers = { + # Generate a new ID only when a new resource group is defined + resource_group = azurerm_resource_group.rg-ckpmgmt.name + } + byte_length = 8 + depends_on = [azurerm_resource_group.rg-ckpmgmt] +} + +# Create storage account for boot diagnostics +resource "azurerm_storage_account" "ckp-storageaccount" { + name = "diag${random_id.randomId.hex}" + resource_group_name = azurerm_resource_group.rg-ckpmgmt.name + location = azurerm_resource_group.rg-ckpmgmt.location + account_tier = "Standard" + account_replication_type = "LRS" + depends_on = [random_id.randomId,azurerm_resource_group.rg-ckpmgmt] +} + +# Create virtual machine +resource "azurerm_virtual_machine" "ckpmgmt" { + name = var.mgmt-name + location = azurerm_resource_group.rg-ckpmgmt.location + resource_group_name = azurerm_resource_group.rg-ckpmgmt.name + network_interface_ids = [azurerm_network_interface.nic-ckpmgmt.id] + primary_network_interface_id = azurerm_network_interface.nic-ckpmgmt.id + vm_size = var.mgmt-size + + # parameters = { "installationType" = "management" } + + storage_os_disk { + name = "disk-${var.mgmt-name}" + caching = "ReadWrite" + create_option = "FromImage" + managed_disk_type = "Standard_LRS" + } + storage_image_reference { + publisher = "checkpoint" + offer = "check-point-cg-${var.mgmt-version}" + sku = var.mgmt-sku + version = "latest" + } + plan { + name = var.mgmt-sku + publisher = "checkpoint" + product = "check-point-cg-${var.mgmt-version}" + } + os_profile { + computer_name = var.mgmt-name + admin_username = var.chkp-admin-usr + admin_password = var.chkp-admin-pwd + custom_data = file("customdata.sh") + } + os_profile_linux_config { + 
disable_password_authentication = false + } + boot_diagnostics { + enabled = "true" + storage_uri = azurerm_storage_account.ckp-storageaccount.primary_blob_endpoint + } + depends_on = [azurerm_marketplace_agreement.cpmgmt-agreement,azurerm_resource_group.rg-ckpmgmt,azurerm_network_interface.nic-ckpmgmt,azurerm_storage_account.ckp-storageaccount] +} + +resource "azurerm_dns_a_record" "mgmt-dns-record" { + name = "ckpmgmt" + zone_name = azurerm_dns_zone.mydns-public-zone.name + resource_group_name = azurerm_resource_group.rg-dns-myzone.name + ttl = 300 + target_resource_id = azurerm_public_ip.pub-ckpmgmt.id + depends_on = [azurerm_public_ip.pub-ckpmgmt] +} +output "ckpmgmt-public-fqdn" { + value = "https://${azurerm_dns_a_record.mgmt-dns-record.name}.${azurerm_dns_zone.mydns-public-zone.name}/" +} \ No newline at end of file diff --git a/contrib/terraform-azure-gwlb/cpmgmt-variables.tf b/contrib/terraform-azure-gwlb/cpmgmt-variables.tf new file mode 100644 index 00000000..ee9cc6a7 --- /dev/null +++ b/contrib/terraform-azure-gwlb/cpmgmt-variables.tf @@ -0,0 +1,28 @@ +variable "mgmt-name" { + description = "Choose the name of the management" + default = "ckpmgmt" +} +variable "mgmt-sku" { + description = "Choose the plan to deploy" + default = "mgmt-byol" +} +variable "mgmt-version" { + description = "Choose the version to deploy: either r8040, r81 or r8110" + default = "r8110" +} +variable "mgmt-size" { + description = "Choose the vm-size to deploy" + default = "Standard_D3_v2" +} +variable "chkp-admin-usr" { + default = "cpadmin" +} +variable "mgmt-sku-enabled" { + description = "Have you ever deployed a ckp management before? set to false if not" + type = bool + default = true +} +variable "mgmt-dns-suffix" { + description = "This is the public DNS suffix of your mgmt FQDN" + default = "testing" +} \ No newline at end of file 
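Review bot: `nsg-ckpmgmt-rl-exposedsrvc` allows TCP 257, 18210, 18264 and 18191 inbound from `source_address_prefix = "*"`, so those management-server services are reachable from any internet address through the public IP `pub-ckpmgmt`, whereas the SSH and HTTPS rules on the same NSG are correctly limited to `var.my-pub-ip`. If only the gateways of this deployment need those ports, restricting the source to their addresses, or to `source_address_prefix = "VirtualNetwork"` if they reach the management privately, follows the least-exposure pattern the other rules already use. Also, `custom_data = file("customdata.sh")` resolves relative to the working directory rather than the module, unlike `"${path.module}/cloud-init.sh"` in `cpcluster-main.tf`; `custom_data = file("${path.module}/customdata.sh")` avoids a failure when `terraform` is run from another directory.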
diff --git a/contrib/terraform-azure-gwlb/customdata.sh b/contrib/terraform-azure-gwlb/customdata.sh
new file mode 100644
index 00000000..fe4840c0
--- /dev/null
+++ b/contrib/terraform-azure-gwlb/customdata.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+clish -c 'set user admin shell /bin/bash' -s
+config_system -s 'install_security_gw=false&install_ppak=false&gateway_cluster_member=false&install_security_managment=true&install_mgmt_primary=true&install_mgmt_secondary=false&download_info=true&hostname=ckpmgmt&mgmt_gui_clients_radio=any&mgmt_admin_radio=gaia_admin'
+while true; do
+ status=`api status |grep 'API readiness test SUCCESSFUL. The server is up and ready to receive connections' |wc -l`
+ echo "Checking if the API is ready"
+ if [[ ! $status == 0 ]]; then
+ break
+ fi
+ sleep 15
+ done
+echo "API ready " `date`
+sleep 5
+echo "Set R80 API to accept all ip addresses"
+mgmt_cli -r true set api-settings accepted-api-calls-from "All IP addresses" --domain 'System Data'
+echo "Restarting API Server"
+api restart
\ No newline at end of file
diff --git a/contrib/terraform-azure-gwlb/deployment-variables.tf b/contrib/terraform-azure-gwlb/deployment-variables.tf
new file mode 100644
index 00000000..0f74cb33
--- /dev/null
+++ b/contrib/terraform-azure-gwlb/deployment-variables.tf
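Review bot: `mgmt_cli -r true set api-settings accepted-api-calls-from "All IP addresses"` opens the management API to every source address, so the only control bounding API exposure is the NSG rule in `cpmgmt-main.tf` that limits 443 to `var.my-pub-ip`; that dependency deserves a comment above the line, e.g. `# API accepts calls from any source; exposure is bounded only by the NSG rule on 443 in cpmgmt-main.tf`, or the narrower GUI-clients setting if that suffices for this lab. The readiness loop has no upper bound, so if `api status` never reports ready the first-boot script spins forever and the broken install is invisible; a retry cap that logs and exits non-zero would surface it. `clish -c 'set user admin shell /bin/bash' -s` also gives the admin account a full shell rather than clish, which is worth a comment stating why the lab requires it.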
@@ -0,0 +1,29 @@
+variable "azure-client-id" {
+ description = "Insert your application client-id"
+}
+variable "azure-client-secret" {
+ description = "Insert your application client-secret"
+}
+variable "azure-subscription" {
+ description = "Insert your subscription-id"
+}
+variable "azure-tenant" {
+ description = "Insert your active-directory-id"
+}
+variable "location" {
+ description = "Choose where to deploy the environment"
+ default = "France Central"
+}
+variable "mydns-zone" {
+ description = "Specify your dns zone"
+ type = string
+}
+variable "my-pub-ip" {
+ description = "Put your public-ip"
+}
+variable "chkp-admin-pwd" {
+ description = "Choose your admin password"
+}
+variable "chkp-sic" {
+ description = "Choose your gateway sic"
+}
\ No newline at end of file
diff --git a/contrib/terraform-azure-gwlb/files/azure-gwlb-template.json b/contrib/terraform-azure-gwlb/files/azure-gwlb-template.json
new file mode 100644
index 00000000..edcc730c
--- /dev/null
+++ b/contrib/terraform-azure-gwlb/files/azure-gwlb-template.json
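Review bot: `azure-client-secret`, `chkp-admin-pwd` and `chkp-sic` are declared without `sensitive = true`, so their values appear unredacted in plan and apply output. The commit pins `required_version = ">= 0.14.3"` (modules/common/versions.tf), which supports the attribute, so adding `sensitive = true` and `type = string` to each of the three blocks fixes this without changing callers. `sensitive` only redacts CLI output; the values still land in the state file, so the state backend needs its own access control regardless. `my-pub-ip` and the remaining untyped variables would also benefit from `type = string`, matching `mydns-zone`, so a mistyped value fails at plan time rather than inside a resource.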
@@ -0,0 +1,849 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "subscriptionId": { + "type": "string", + "defaultValue": "[subscription().subscriptionId]", + "metadata": { + "description": "Subscription ID." + } + }, + "location": { + "type": "string", + "metadata": { + "description": "Deployment location" + }, + "defaultValue": "[resourceGroup().location]" + }, + "cloudGuardVersion": { + "type": "string", + "allowedValues": [ + "R81.10 - Bring Your Own License", + "R81.10 - Pay As You Go (NGTP)", + "R81.10 - Pay As You Go (NGTX)" + ], + "defaultValue": "R81.10 - Bring Your Own License", + "metadata": { + "description": "Version of Check Point CloudGuard" + } + }, + "instanceCount": { + "defaultValue": "2", + "type": "string", + "metadata": { + "description": "Number of VM instances" + } + }, + "maxInstanceCount": { + "defaultValue": "10", + "type": "string", + "metadata": { + "description": "Maximum number of VM instances" + } + }, + "managementServer": { + "type": "string", + "metadata": { + "description": "The name of the management server as it appears in the configuration file" + } + }, + "configurationTemplate": { + "type": "string", + "metadata": { + "description": "A name of a template as it appears in the configuration file" + } + }, + "adminEmail": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Email address to notify if there are any scaling operations" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Administrator password" + }, + "defaultValue": "" + }, + "authenticationType": { + "type": "string", + "allowedValues": [ + "password", + "sshPublicKey" + ], + "defaultValue": "password", + "metadata": { + "description": "Authentication type" + } + }, + "sshPublicKey": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Administrator SSH public key" + } + }, 
+ "vmName": { + "type": "string", + "metadata": { + "description": "Name of the Check Point Security Gateway scale set" + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_D3_v2", + "metadata": { + "description": "Size of the VM" + } + }, + "sicKey": { + "type": "securestring", + "metadata": { + "description": "One time key for Secure Internal Communication" + } + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "[concat(resourceGroup().name, '-vnet')]" + }, + "upgrading": { + "type": "string", + "defaultValue": "no", + "allowedValues": [ + "no", + "yes" + ], + "metadata": { + "Description": "Indicates whether the user is upgrading the CloudGuard VMSS solution" + } + }, + "lbsTargetRGName": { + "type": "string", + "metadata": { + "description": "The name of the Target Gateway Load Balancers Resource Group." + }, + "defaultValue": "" + }, + "lbResourceId": { + "type": "string", + "metadata": { + "description": "The Resource ID of the Target Gateway Load Balancer." + }, + "defaultValue": "" + }, + "lbTargetBEAddressPoolName": { + "type": "string", + "metadata": { + "description": "The name of the new Target Gateway Load Balancer's Backend Pool." 
+ }, + "defaultValue": "" + }, + "virtualNetworkAddressPrefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the virtual network" + }, + "defaultValue": "10.0.0.0/16" + }, + "subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the frontend subnet" + }, + "defaultValue": "Frontend" + }, + "subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the frontend subnet" + }, + "defaultValue": "10.0.0.0/24" + }, + "subnet1StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the subnet" + }, + "defaultValue": "10.0.0.4" + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "new", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "[resourceGroup().name]" + }, + "bootstrapScript": { + "type": "string", + "metadata": { + "description": "Bootstrap script" + }, + "defaultValue": "" + }, + "allowDownloadFromUploadToCheckPoint": { + "type": "string", + "allowedValues": [ + "true", + "false" + ], + "defaultValue": "true", + "metadata": { + "description": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + } + }, + "instanceLevelPublicIP": { + "type": "string", + "allowedValues": [ + "no", + "yes" + ], + "defaultValue": "no", + "metadata": { + "description": "Deploy the VMSS with instance level Public IP address" + } + }, + "mgmtInterfaceOpt1": { + "type": "string", + "allowedValues": [ + "eth0-public", + "eth0-private" + ], + "defaultValue": "eth0-private", + "metadata": { + "description": "Manage the Gateways in the Scale Set via the instance's external NIC's public or private IP address." 
+ } + }, + "mgmtIPaddress": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "The IP address used to manage the VMSS instances." + } + }, + "diskType": { + "type": "string", + "defaultValue": "Standard_LRS", + "metadata": { + "description": "The type of the OS disk. Premium is applicable only to DS machine sizes" + }, + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ] + }, + "appLoadDistribution": { + "type": "string", + "allowedValues": [ + "Default", + "SourceIP", + "SourceIPProtocol" + ], + "defaultValue": "Default", + "metadata": { + "description": "The Gateway Load Balancer distribution method" + } + }, + "sourceImageVhdUri": { + "type": "string", + "defaultValue": "noCustomUri", + "metadata": { + "description": "The URI of the blob containing the development image" + } + }, + "availabilityZonesNum": { + "type": "int", + "allowedValues": [ + 0, + 1, + 2, + 3 + ], + "defaultValue": 0, + "metadata": { + "description": "The number of availability zones" + } + }, + "_artifactsLocation": { + "type": "string", + "metadata": { + "description": "Use the following URI when deploying a custom template: https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/" + }, + "defaultValue": "https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/" + }, + "_artifactsLocationSasToken": { + "type": "securestring", + "metadata": { + "description": "The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. Use the defaultValue if the staging location is not secured." 
+ }, + "defaultValue": "" + }, + "customMetrics": { + "type": "string", + "allowedValues": [ + "no", + "yes" + ], + "defaultValue": "yes", + "metadata": { + "Description": "Indicates whether Custom Metrics will be used for VMSS Scaling policy and VM monitoring" + } + }, + "rbacGuid": { + "type": "string", + "defaultValue": "[newGuid()]" + }, + "vxlanTunnelExternalIdentifier": { + "type": "int", + "minValue": 800, + "maxValue": 1000, + "defaultValue": 801, + "metadata": { + "description": "VXLAN tunnel external identifier. A value between 800-1000." + } + }, + "vxlanTunnelExternalPort": { + "type": "int", + "defaultValue": 2001, + "metadata": { + "description": "VXLAN tunnel external port number." + } + }, + "vxlanTunnelInternalIdentifier": { + "type": "int", + "minValue": 800, + "maxValue": 1000, + "defaultValue": 800, + "metadata": { + "description": "VXLAN tunnel internal identifier. A value between 800-1000." + } + }, + "vxlanTunnelInternalPort": { + "type": "int", + "defaultValue": 2000, + "metadata": { + "description": "VXLAN Tunnel Internal port number." 
+ } + } + }, + "variables": { + "resourceGroup": "[resourceGroup()]", + "templateName": "gwlb", + "templateVersion": "20211101", + "location": "[parameters('location')]", + "offers": { + "R81.10 - Bring Your Own License": "BYOL", + "R81.10 - Pay As You Go (NGTP)": "NGTP", + "R81.10 - Pay As You Go (NGTX)": "NGTX" + }, + "offer": "[variables('offers')[parameters('cloudGuardVersion')]]", + "osVersions": { + "R81.10 - Bring Your Own License": "R8110", + "R81.10 - Pay As You Go (NGTP)": "R8110", + "R81.10 - Pay As You Go (NGTX)": "R8110" + }, + "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", + "adminUsername": "notused", + "isBlink": true, + "subnet1Name": "[parameters('subnet1Name')]", + "storageAccountName": "[concat('bootdiag', uniqueString(variables('resourceGroup').id, deployment().name))]", + "storageAccountType": "Standard_LRS", + "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'customMetrics=\"', variables('customMetrics'), '\"', '\n')]", + "imageOffer": "[concat('check-point-cg-', toLower(variables('osVersion')))]", + "imagePublisher": "checkpoint", + "imageReferenceBYOL": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-byol", + "version": "latest" + }, + "imageReferenceNGTP": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp", + "version": "latest" + }, + "imageReferenceNGTP-V2": { 
+ "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp-v2", + "version": "latest" + }, + "imageReferenceNGTX": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtx", + "version": "latest" + }, + "imageReferenceNGTX-V2": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtx-v2", + "version": "latest" + }, + "imageReferenceMarketplace": "[if(equals(variables('offer'), 'BYOL'), variables('imageReferenceBYOL'), if(equals(variables('offer'), 'NGTP'), variables('imageReferenceNGTP'), if(equals(variables('offer'), 'NGTP-V2'), variables('imageReferenceNGTP-V2'), if(equals(variables('offer'), 'NGTX'), variables('imageReferenceNGTX'), if(equals(variables('offer'), 'NGTX-V2'), variables('imageReferenceNGTX-V2'), json('null'))))))]", + "customImage": "customImage", + "imageReferenceCustomUri": { + "id": "[resourceId('Microsoft.Compute/images', variables('customImage'))]" + }, + "imageReference": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('imageReferenceMarketplace'), variables('imageReferenceCustomUri'))]", + "linuxConfigurationpassword": { + "disablePasswordAuthentication": "false" + }, + "linuxConfigurationsshPublicKey": { + "disablePasswordAuthentication": "true", + "ssh": { + "publicKeys": [ + { + "keyData": "[parameters('sshPublicKey')]", + "path": "/home/notused/.ssh/authorized_keys" + } + ] + } + }, + "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), variables('linuxConfigurationpassword'), variables('linuxConfigurationsshPublicKey'))]", + "planBYOL": { + "name": "sg-byol", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP": { + "name": "sg-ngtp", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP-V2": { + "name": "sg-ngtp-v2", + "product": 
"[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTX": { + "name": "sg-ngtx", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTX-V2": { + "name": "sg-ngtx-v2", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "plan": "[if(equals(variables('offer'), 'BYOL') , variables('planBYOL'), if(equals(variables('offer'), 'NGTP'), variables('planNGTP'), if(equals(variables('offer'), 'NGTP-V2'), variables('planNGTP-V2'), if(equals(variables('offer'), 'NGTX'), variables('planNGTX'), if(equals(variables('offer'), 'NGTX-V2'), variables('planNGTX-V2'), json('null'))))))]", + "vmssID": "[resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('vmName'))]", + "bootstrapScript64": "[base64(parameters('bootstrapScript'))]", + "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]", + "sicKey": "[parameters('sicKey')]", + "installationType": "gwlb", + "publicIPProperties": { + "name": "instancePublicIP", + "properties": { + "idleTimeoutInMinutes": 15 + } + }, + "upgrading": "[equals(parameters('upgrading'), 'yes')]", + "networkSetupURL": "[uri(parameters('_artifactsLocation'), concat('nestedtemplates/vnet-1-subnet-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]", + "loadBalacerSetupURL": "[uri(parameters('_artifactsLocation'), concat('nestedtemplates/gateway-load-balancers.json', parameters('_artifactsLocationSasToken')))]", + "lbsTargetRGName": "[parameters('lbsTargetRGName')]", + "lbRGName": "[if(variables('upgrading'), variables('lbsTargetRGName'), resourceGroup().name)]", + "loadBalancerSetupId": "[resourceId(variables('lbRGName'), 'Microsoft.Resources/deployments', 'loadBalancerSetup')]", + "vnetRGName": "[if(equals(parameters('vnetNewOrExisting'), 'new'), resourceGroup().name, parameters('virtualNetworkExistingRGName'))]", + "vnetName": 
"[if(equals(parameters('vnetNewOrExisting'), 'new'), parameters('virtualNetworkName'), parameters('virtualNetworkName'))]", + "vnetID": "[if(equals(parameters('vnetNewOrExisting'), 'new'), resourceId(variables('vnetRGName'),'Microsoft.Resources/deployments', 'networkNewSetup'), resourceId(variables('vnetRGName'),'Microsoft.Resources/deployments', 'networkExistingSetup'))]", + "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]", + "customImageId": "[variables('imageReferenceCustomUri').id]", + "availabilityZonesLocations": [ + "centralus", + "eastus2", + "francecentral", + "northeurope", + "southeastasia", + "westeurope", + "westus2", + "eastus", + "uksouth", + "southafricanorth", + "southcentralus", + "germanywestcentral", + "canadacentral", + "japaneast" + ], + "availabilityZonesProperty": "[range(1, parameters('availabilityZonesNum'))]", + "mgmtInterface": "[if(equals(parameters('instanceLevelPublicIP'), 'yes'), parameters('mgmtInterfaceOpt1'), 'eth0-private')]", + "mgmtIpAddressType": "[split(variables('mgmtInterface'), '-')[1]]", + "mgmtIPaddress": "[parameters('mgmtIPaddress')]", + "commomTags": { + "x-chkp-management": "[parameters('managementServer')]", + "x-chkp-template": "[parameters('configurationTemplate')]", + "x-chkp-ip-address": "[variables('mgmtIpAddressType')]", + "x-chkp-management-interface": "eth0", + "x-chkp-topology": "eth0:external", + "x-chkp-anti-spoofing": "eth0:false", + "x-chkp-srcImageUri": "[parameters('sourceImageVhdUri')]" + }, + "uniqueTags": { + "x-chkp-management-address": "[variables('mgmtIPaddress')]" + }, + "vmssTags": "[if(equals(variables('mgmtIPaddress'), ''), variables('commomTags'), union(variables('commomTags'), variables('uniqueTags')))]", + "customMetrics": "[parameters('customMetrics')]", + "monitoringMetricsPublisher": "[concat('/subscriptions/', parameters('subscriptionId'), '/providers/Microsoft.Authorization/roleDefinitions/', 
'3913510d-42f4-4e42-8a64-420c390055eb')]", + "identity": "[json('{\"type\": \"SystemAssigned\"}')]" + }, + "resources": [ + { + "apiVersion": "2020-06-01", + "name": "pid-5432b4df-d783-57a2-b65f-39f4bca4974a", + "type": "Microsoft.Resources/deployments", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "condition": "[equals(variables('customMetrics'), 'yes')]", + "apiVersion": "2020-04-01-preview", + "type": "Microsoft.Authorization/roleAssignments", + "name": "[parameters('rbacGuid')]", + "properties": { + "roleDefinitionId": "[variables('monitoringMetricsPublisher')]", + "principalId": "[reference(variables('vmssID'), '2019-12-01', 'Full').identity.principalId]", + "scope": "[resourceGroup().id]" + }, + "dependsOn": [ + "[variables('vmssID')]" + ] + }, + { + "condition": "[equals(parameters('vnetNewOrExisting'), 'new')]", + "name": "networkNewSetup", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "resourceGroup": "[variables('vnetRGName')]", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + "value": "[variables('location')]" + }, + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + "virtualNetworkAddressPrefix": { + "value": "[parameters('virtualNetworkAddressPrefix')]" + }, + "subnet1Name": { + "value": "[parameters('subnet1Name')]" + }, + "subnet1Prefix": { + "value": "[parameters('subnet1Prefix')]" + }, + "vmName": { + "value": "[parameters('vmName')]" + }, + "deployNsg": { + "value": true + }, + "deployRouteTable": { + "value": true + }, + "deployGWLB": { + "value": true + } + } + } + }, + { + "condition": "[equals(parameters('vnetNewOrExisting'), 'existing')]", + "name": "networkExistingSetup", + "type": 
"Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "resourceGroup": "[variables('vnetRGName')]", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + "value": "[variables('location')]" + }, + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + "virtualNetworkExistingRGName": { + "value": "[variables('vnetRGName')]" + }, + "vmName": { + "value": "[parameters('vmName')]" + }, + "deployNsg": { + "value": true + }, + "deployGWLB": { + "value": true + } + } + } + }, + { + "name": "loadBalancerSetup", + "type": "Microsoft.Resources/deployments", + "resourceGroup": "[variables('lbRGName')]", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[variables('vnetID')]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('loadBalacerSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + "value": "[variables('location')]" + }, + "vmName": { + "value": "[parameters('vmName')]" + }, + "appLoadDistribution": { + "value": "[parameters('appLoadDistribution')]" + }, + "subnet1StartAddress": { + "value": "[parameters('subnet1StartAddress')]" + }, + "subnet1Id": { + "value": "[resourceId(variables('vnetRGName'), 'Microsoft.Network/virtualNetworks/subnets', variables('vnetName'), variables('subnet1Name'))]" + }, + "lbResourceId": { + "value": "[parameters('lbResourceId')]" + }, + "lbTargetBEAddressPoolName": { + "value": "[parameters('lbTargetBEAddressPoolName')]" + }, + "upgrading": { + "value": "[variables('upgrading')]" + }, + "vxlanTunnelExternalPort": { + "value": "[parameters('vxlanTunnelExternalPort')]" + }, + "vxlanTunnelExternalIdentifier": { + "value": "[parameters('vxlanTunnelExternalIdentifier')]" + }, + "vxlanTunnelInternalPort": { + "value": "[parameters('vxlanTunnelInternalPort')]" + }, + "vxlanTunnelInternalIdentifier": { + "value": 
"[parameters('vxlanTunnelInternalIdentifier')]" + } + } + } + }, + { + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('storageAccountName')]", + "apiVersion": "2021-06-01", + "location": "[variables('location')]", + "sku": { + "name": "[variables('storageAccountType')]" + }, + "kind": "Storage" + }, + { + "condition": "[not(equals(parameters('sourceImageVhdUri'), 'noCustomUri'))]", + "type": "Microsoft.Compute/images", + "apiVersion": "2020-06-01", + "name": "[variables('customImage')]", + "location": "[variables('resourceGroup').location]", + "properties": { + "storageProfile": { + "osDisk": { + "osType": "Linux", + "osState": "Generalized", + "blobUri": "[parameters('sourceImageVhdUri')]", + "storageAccountType": "Standard_LRS" + } + }, + "hyperVGeneration": "V1" + } + }, + { + "type": "Microsoft.Compute/virtualMachineScaleSets", + "apiVersion": "2020-06-01", + "name": "[parameters('vmName')]", + "location": "[variables('location')]", + "identity": "[if(equals(variables('customMetrics'), 'yes'), variables('identity'), json('null'))]", + "zones": "[if(and(contains(variables('availabilityZonesLocations'), variables('location')), greater(parameters('availabilityZonesNum'), 0)), variables('availabilityZonesProperty'), json('null'))]", + "tags": "[variables('vmssTags')]", + "dependsOn": [ + "[variables('vnetID')]", + "[variables('loadBalancerSetupId')]", + "[variables('storageAccountId')]", + "[variables('customImageId')]" + ], + "sku": { + "name": "[parameters('vmSize')]", + "tier": "Standard", + "capacity": "[parameters('instanceCount')]" + }, + "plan": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('plan'), json('null'))]", + "properties": { + "upgradePolicy": { + "mode": "Manual" + }, + "virtualMachineProfile": { + "storageProfile": { + "osDisk": { + "caching": "ReadWrite", + "createOption": "FromImage", + "managedDisk": { + "storageAccountType": "[parameters('diskType')]" + } + }, + "imageReference": 
"[variables('imageReference')]" + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "[variables('adminUsername')]", + "computerNamePrefix": "[toLower(parameters('vmName'))]", + "customData": "[base64(concat(variables('customData'), '\n', 'vnet=\"', if(equals(parameters('vnetNewOrExisting'), 'new'), reference('networkNewSetup').outputs.vnetAddressPrefix.value, reference('networkExistingSetup').outputs.vnetAddressPrefix.value), '\"', '\n' ))]", + "linuxConfiguration": "[variables('linuxConfiguration')]" + }, + "networkProfile": { + "networkInterfaceConfigurations": [ + { + "name": "eth0", + "properties": { + "primary": true, + "enableIPForwarding": false, + "enableAcceleratedNetworking": true, + "networkSecurityGroup": "[if(equals(parameters('vnetNewOrExisting'), 'new'), reference('networkNewSetup').outputs.nsgProperties.value, reference('networkExistingSetup').outputs.nsgProperties.value)]", + "ipConfigurations": [ + { + "name": "ipconfig1", + "properties": { + "publicIpAddressConfiguration": "[if(equals(parameters('instanceLevelPublicIP'),'yes'), variables('publicIPProperties'), json('null'))]", + "subnet": { + "id": "[resourceId(variables('vnetRGName'), 'Microsoft.Network/virtualNetworks/subnets', variables('vnetName'), parameters('Subnet1Name'))]" + }, + "loadBalancerBackendAddressPools": "[if(empty(reference('loadBalancerSetup').outputs.lbId.value), json('null'), reference('loadBalancerSetup').outputs.lbBEAddressPoolProperties.value)]" + } + } + ] + } + } + ] + }, + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": "true", + "storageUri": "[reference(variables('storageAccountId'), '2019-06-01').primaryEndpoints.blob]" + } + } + }, + "overprovision": false + } + }, + { + "type": "Microsoft.Insights/autoscaleSettings", + "apiVersion": "2015-04-01", + "name": "[parameters('vmName')]", + "location": "[variables('location')]", + "dependsOn": [ + "[variables('vmssID')]" + ], + "properties": { + "name": 
"[parameters('vmName')]", + "targetResourceUri": "[variables('vmssID')]", + "notifications": [ + { + "operation": "Scale", + "email": { + "sendToSubscriptionAdministrator": false, + "sendToSubscriptionCoAdministrators": false, + "customEmails": "[if(empty(parameters('adminEmail')), json('null'), array(parameters('adminEmail')))]" + } + } + ], + "enabled": true, + "profiles": [ + { + "name": "Profile1", + "capacity": { + "minimum": "[parameters('instanceCount')]", + "maximum": "[parameters('maxInstanceCount')]", + "default": "[parameters('instanceCount')]" + }, + "rules": [ + { + "metricTrigger": { + "metricName": "Percentage CPU", + "metricResourceUri": "[variables('vmssID')]", + "timeGrain": "PT1M", + "statistic": "Average", + "timeWindow": "PT5M", + "timeAggregation": "Average", + "operator": "GreaterThan", + "threshold": 80 + }, + "scaleAction": { + "direction": "Increase", + "type": "ChangeCount", + "value": "1", + "cooldown": "PT5M" + } + }, + { + "metricTrigger": { + "metricName": "Percentage CPU", + "metricResourceUri": "[variables('vmssID')]", + "timeGrain": "PT1M", + "statistic": "Average", + "timeWindow": "PT5M", + "timeAggregation": "Average", + "operator": "LessThan", + "threshold": 60 + }, + "scaleAction": { + "direction": "Decrease", + "type": "ChangeCount", + "value": "1", + "cooldown": "PT5M" + } + } + ] + } + ] + } + } + ], + "outputs": { + "GatewayLoadBalancerId": { + "type": "string", + "value": "[reference('loadBalancerSetup').outputs.lbId.value]" + } + } +} \ No newline at end of file diff --git a/contrib/terraform-azure-gwlb/gwlb-main.tf b/contrib/terraform-azure-gwlb/gwlb-main.tf new file mode 100644 index 00000000..cd6c4cc7 --- /dev/null +++ b/contrib/terraform-azure-gwlb/gwlb-main.tf 
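Review bot: `vnetName` returns `parameters('virtualNetworkName')` on both branches of its `if()`, so the conditional is dead code; `"vnetName": "[parameters('virtualNetworkName')]"` says the same thing without suggesting that the new and existing cases differ. The VMSS subnet reference in `ipconfig1` spells the parameter `Subnet1Name` while it is declared and read everywhere else as `subnet1Name`; ARM resolves parameter names case-insensitively, but one spelling keeps searches and diffs reliable. The `_artifactsLocation` default points at the upstream CloudGuardIaaS repository, so this file looks like a copy of the vendor template and both nits may be better carried upstream than patched only here.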
@@ -0,0 +1,156 @@ +# Accept the agreement for the mgmt-byol for R80.40 +resource "azurerm_marketplace_agreement" "gwlb-vmss-agreement" { + count = var.gwlb-vmss-agreement ? 0 : 1 + publisher = "checkpoint" + offer = "check-point-cg-r8110" + plan = "sg-byol" +} + +# Create gwlb resource group +resource "azurerm_resource_group" "rg-gwlb-vmss" { + name = "rg-${var.gwlb-name}" + location = var.location +} +resource "azurerm_resource_group_template_deployment" "template-deployment-gwlb" { + name = "${var.gwlb-name}-deploy" + resource_group_name = azurerm_resource_group.rg-gwlb-vmss.name + deployment_mode = "Complete" + + template_content = file("files/azure-gwlb-template.json") + parameters_content = <= 100 && tonumber(var.disk_size) <= 3995 ? 0 : "variable disk_size must be a number between 100 and 3995" +} + +//************** Storage OS disk variables **************// +variable "storage_os_disk_create_option" { + description = "The method to use when creating the managed disk" + type = string + default = "FromImage" +} + +variable "storage_os_disk_caching" { + description = "Specifies the caching requirements for the OS Disk" + default = "ReadWrite" +} + +variable "managed_disk_type" { + description = "Specifies the type of managed disk to create. 
Possible values are either Standard_LRS, StandardSSD_LRS, Premium_LRS" + type = string + default = "Standard_LRS" +} + +locals { // locals for 'managed_disk_type' allowed values + managed_disk_type_allowed_values = [ + "Standard_LRS", + "Premium_LRS" + ] + // will fail if [var.managed_disk_type] is invalid: + validate_managed_disk_type_value = index(local.managed_disk_type_allowed_values, var.managed_disk_type) +} + +variable "authentication_type" { + description = "Specifies whether a password authentication or SSH Public Key authentication should be used" + type = string +} +locals { // locals for 'authentication_type' allowed values + authentication_type_allowed_values = [ + "Password", + "SSH Public Key" + ] + // will fail if [var.authentication_type] is invalid: + validate_authentication_type_value = index(local.authentication_type_allowed_values, var.authentication_type) +} + + +//********************** Role Assigments variables**************************// +variable "role_definition" { + description = "Role definition. The full list of Azure Built-in role descriptions can be found at https://docs.microsoft.com/bs-latn-ba/azure/role-based-access-control/built-in-roles" + type = string + default = "Contributor" +} \ No newline at end of file diff --git a/contrib/terraform-azure-gwlb/modules/common/versions.tf b/contrib/terraform-azure-gwlb/modules/common/versions.tf new file mode 100644 index 00000000..0ec4dcca --- /dev/null +++ b/contrib/terraform-azure-gwlb/modules/common/versions.tf @@ -0,0 +1,3 @@ +terraform { + required_version = ">= 0.14.3" +} \ No newline at end of file diff --git a/contrib/terraform-azure-gwlb/modules/network-security-group/main.tf b/contrib/terraform-azure-gwlb/modules/network-security-group/main.tf new file mode 100644 index 00000000..1beeaf14 --- /dev/null +++ b/contrib/terraform-azure-gwlb/modules/network-security-group/main.tf 
@@ -0,0 +1,23 @@
+resource "azurerm_network_security_group" "nsg" {
+ name = var.security_group_name
+ location = var.location
+ resource_group_name = var.resource_group_name
+ tags = var.tags
+ }
+
+//************ Security Rule Example **************//
+resource "azurerm_network_security_rule" "security_rule" {
+ count = length(var.security_rules)
+ name = lookup(var.security_rules[count.index], "name")
+ priority = lookup(var.security_rules[count.index], "priority", 4096 - length(var.security_rules) + count.index)
+ direction = lookup(var.security_rules[count.index], "direction")
+ access = lookup(var.security_rules[count.index], "access")
+ protocol = lookup(var.security_rules[count.index], "protocol")
+ source_port_range = lookup(var.security_rules[count.index], "source_port_ranges")
+ destination_port_range = lookup(var.security_rules[count.index], "destination_port_ranges")
+ description = lookup(var.security_rules[count.index], "description")
+ source_address_prefix = lookup(var.security_rules[count.index], "source_address_prefix")
+ destination_address_prefix = lookup(var.security_rules[count.index], "destination_address_prefix")
+ resource_group_name = var.resource_group_name
+ network_security_group_name = azurerm_network_security_group.nsg.name
+}
diff --git a/contrib/terraform-azure-gwlb/modules/network-security-group/output.tf b/contrib/terraform-azure-gwlb/modules/network-security-group/output.tf
new file mode 100644
index 00000000..c1aa127d
--- /dev/null
+++ b/contrib/terraform-azure-gwlb/modules/network-security-group/output.tf
@@ -0,0 +1,7 @@
+output "network_security_group_id" {
+ value = azurerm_network_security_group.nsg.id
+}
+
+output "network_security_group_name" {
+ value = azurerm_network_security_group.nsg.name
+}
\ No newline at end of file
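Review bot: the rule resource reads the keys `source_port_ranges` and `destination_port_ranges` from each `security_rules` entry, but the `security_rules` description in variables.tf (the next hunk) documents the entries as carrying `source_port_range` and `destination_port_range`, and the attributes being set are the singular `source_port_range`/`destination_port_range`; a caller who follows the documented format gets a `lookup` failure because no default is given. Either rename the two lookup keys to the singular form or update the description so the module's contract and its code agree. The `source_address_prefix` and `destination_address_prefix` variables in variables.tf are described as applying "to all rules", yet nothing in this module reads them — every rule takes its prefixes from its own entry — so they are dead inputs to drop, or the intended fallback, in which case their `list(string)` type would have to change to match the singular string attribute or the rule should use `source_address_prefixes`. A short comment above the resource naming which entry keys are mandatory (`name`, `direction`, `access`, `protocol`, the port and prefix keys, `description`) and which has a computed default (`priority`) would spare callers the trial-and-error.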
diff --git a/contrib/terraform-azure-gwlb/modules/network-security-group/variables.tf b/contrib/terraform-azure-gwlb/modules/network-security-group/variables.tf
new file mode 100644
index 00000000..363489e3
--- /dev/null
+++ b/contrib/terraform-azure-gwlb/modules/network-security-group/variables.tf
@@ -0,0 +1,43 @@
+variable "resource_group_name" {
+ description = "Azure Resource Group name to build into"
+ type = string
+}
+
+variable "location" {
+ type = string
+ description = "The location/region where Network Security Group will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions"
+}
+
+variable "security_group_name" {
+ description = "Network Security Group name"
+ default = "nsg"
+}
+
+variable "tags" {
+ description = "The tags to associate with Network Security Group"
+ type = map(string)
+ default = {}
+}
+
+# Security Rules definition
+
+variable "security_rules" {
+ description = "Security rules for the Network Security Group using this format name = [priority, direction, access, protocol, source_port_range, destination_port_range, source_address_prefix, destination_address_prefix, description]"
+ type = list(any)
+ default = []
+}
+
+variable "source_address_prefix" {
+ description = "Source address prefix to be applied to all rules"
+ type = list(string)
+ default = ["*"]
+ # Example ["10.0.3.0/24"] or ["VirtualNetwork"]
+}
+
+variable "destination_address_prefix" {
+ description = "Destination address prefix to be applied to all rules"
+ type = list(string)
+ default = ["*"]
+ # Example ["10.0.3.0/32","10.0.3.128/32"] or ["VirtualNetwork"]
+}
+
diff --git a/contrib/terraform-azure-gwlb/modules/network-security-group/versions.tf b/contrib/terraform-azure-gwlb/modules/network-security-group/versions.tf
new file mode 100644
index 00000000..0ec4dcca
--- /dev/null
+++ b/contrib/terraform-azure-gwlb/modules/network-security-group/versions.tf
@@ -0,0 +1,3 @@
+terraform {
+ required_version = ">= 0.14.3"
+}
\ No newline at end of file
diff --git a/contrib/terraform-azure-gwlb/modules/vnet/main.tf b/contrib/terraform-azure-gwlb/modules/vnet/main.tf
new file mode 100644
index 00000000..4f9a318b
--- /dev/null
+++ b/contrib/terraform-azure-gwlb/modules/vnet/main.tf
@@ -0,0 +1,80 @@
+resource "azurerm_virtual_network" "vnet" {
+ name = var.vnet_name
+ location = var.location
+ address_space = [var.address_space]
+ resource_group_name = var.resource_group_name
+ dns_servers = var.dns_servers
+ tags = var.tags
+}
+
+resource "azurerm_subnet" "subnet" {
+ depends_on = [azurerm_virtual_network.vnet]
+ count = length(var.subnet_names)
+ name = var.subnet_names[count.index]
+ virtual_network_name = azurerm_virtual_network.vnet.name
+ resource_group_name = var.resource_group_name
+ address_prefixes = [var.subnet_prefixes[count.index]]
+}
+
+resource "azurerm_subnet_network_security_group_association" "security_group_frontend_association" {
+ depends_on = [azurerm_virtual_network.vnet, azurerm_subnet.subnet[0]]
+ subnet_id = azurerm_subnet.subnet[0].id
+ network_security_group_id = var.nsg_id
+}
+resource "azurerm_subnet_network_security_group_association" "security_group_backend_association" {
+ count = length(var.subnet_names) >= 2 ? 1 : 0
+ depends_on = [azurerm_virtual_network.vnet, azurerm_subnet.subnet[1]]
+ subnet_id = azurerm_subnet.subnet[1].id
+ network_security_group_id = var.nsg_id
+}
+
+locals { // locals for 'next_hop_type' allowed values
+ next_hop_type_allowed_values = [
+ "VirtualNetworkGateway",
+ "VnetLocal",
+ "Internet",
+ "VirtualAppliance",
+ "None"
+ ]
+}
+
+resource "azurerm_route_table" "frontend" {
+ name = azurerm_subnet.subnet[0].name
+ location = var.location
+ resource_group_name = var.resource_group_name
+
+ route {
+ name = "Local-Subnet"
+ address_prefix = azurerm_subnet.subnet[0].address_prefix
+ next_hop_type = local.next_hop_type_allowed_values[1]
+ }
+ route {
+ name = "To-Internal"
+ address_prefix = var.address_space
+ next_hop_type = local.next_hop_type_allowed_values[4]
+ }
+}
+
+resource "azurerm_subnet_route_table_association" "frontend_association" {
+ subnet_id = azurerm_subnet.subnet[0].id
+ route_table_id = azurerm_route_table.frontend.id
+}
+
+resource "azurerm_route_table" "backend" {
+ count = length(var.subnet_names) >= 2 ? 1 : 0
+ name = azurerm_subnet.subnet[1].name
+ location = var.location
+ resource_group_name = var.resource_group_name
+
+ route {
+ name = "To-Internet"
+ address_prefix = "0.0.0.0/0"
+ next_hop_type = local.next_hop_type_allowed_values[4]
+ }
+}
+
+resource "azurerm_subnet_route_table_association" "backend_association" {
+ count = length(var.subnet_names) >= 2 ? 1 : 0
+ subnet_id = azurerm_subnet.subnet[1].id
+ route_table_id = azurerm_route_table.backend[count.index].id
+}
diff --git a/contrib/terraform-azure-gwlb/modules/vnet/outputs.tf b/contrib/terraform-azure-gwlb/modules/vnet/outputs.tf
new file mode 100644
index 00000000..9dc8e206
--- /dev/null
+++ b/contrib/terraform-azure-gwlb/modules/vnet/outputs.tf
@@ -0,0 +1,27 @@
+output "vnet_id" {
+ value = azurerm_virtual_network.vnet.id
+}
+
+output "vnet_name" {
+ value = azurerm_virtual_network.vnet.name
+}
+
+output "vnet_location" {
+ value = azurerm_virtual_network.vnet.location
+}
+
+output "vnet_address_space" {
+ value = azurerm_virtual_network.vnet.address_space
+}
+
+output "vnet_subnets" {
+ value = azurerm_subnet.subnet.*.id
+}
+
+output "subnet_prefixes" {
+ value = var.subnet_prefixes
+}
+
+output "allocation_method" {
+ value = var.allocation_method
+}
\ No newline at end of file
diff --git a/contrib/terraform-azure-gwlb/modules/vnet/variables.tf b/contrib/terraform-azure-gwlb/modules/vnet/variables.tf
new file mode 100644
index 00000000..d40a6bba
--- /dev/null
+++ b/contrib/terraform-azure-gwlb/modules/vnet/variables.tf
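Review bot: The frontend route table's `Local-Subnet` route reads `azurerm_subnet.subnet[0].address_prefix`, but the subnet is declared with `address_prefixes`, and the root module's constraint `azurerm >= 2.92.0` (tfc-project.tf in this commit) admits 3.x, where as far as I recall the deprecated singular attribute is no longer exported; `address_prefix = azurerm_subnet.subnet[0].address_prefixes[0]` matches the declaration on every provider version. The two routes with next hop `"None"` (the whole VNet address space on the frontend table, `0.0.0.0/0` on the backend table) drop that traffic, which reads like a typo for `Internet`/`VirtualAppliance` unless it is labelled; a comment such as `# "None" is deliberate: this prefix is blackholed from this subnet` beside each would record the intent. `security_group_frontend_association` indexes `subnet[0]` with no `count` guard while the backend association checks `length(var.subnet_names) >= 2`, so an empty `subnet_names` fails with an index error; if one subnet is the minimum, a `validation` block on that variable would say so.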
@@ -0,0 +1,63 @@
+variable "vnet_name" {
+ description = "Name of Virtual Network"
+ type = string
+ default = "vnet01"
+}
+
+variable "resource_group_name" {
+ description = "Azure Resource Group name to build into"
+ type = string
+}
+
+variable "location" {
+ description = "The location/region where the core network will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions"
+ type = string
+}
+
+variable "address_space" {
+ description = "The address prefixes of the virtual network"
+ type = string
+ default = "10.0.0.0/16"
+}
+
+variable "dns_servers" {
+ description = " DNS servers to be used with a Virtual Network. If no values specified, this defaults to Azure DNS"
+ type = list(string)
+ default = []
+}
+
+variable "subnet_prefixes" {
+ description = "The address prefixes to be used for subnets"
+ type = list(string)
+ default = ["10.0.0.0/24","10.0.1.0/24"]
+}
+
+variable "subnet_names" {
+ description = "A list of subnets's names in a Virtual Network"
+ type = list(string)
+ default = ["Frontend","Backend"]
+}
+
+variable "tags" {
+ description = "Tags to be associated with Virual Network and subnets"
+ type = map(string)
+ default = {}
+}
+variable "nsg_id" {
+ description = "Network security group to be associated with a Virual Network and subnets"
+ type = string
+}
+
+variable "allocation_method" {
+ description = "IP address allocation method"
+ type = string
+ default = "Static"
+}
+
+locals { // locals for 'allocation_method' allowed values
+ allocation_method_allowed_values = [
+ "Static"
+ ]
+ // will fail if [var.allocation_method] is invalid:
+ validate_method_allowed_value = index(local.allocation_method_allowed_values, var.allocation_method)
+}
\ No newline at end of file
diff --git a/contrib/terraform-azure-gwlb/modules/vnet/versions.tf b/contrib/terraform-azure-gwlb/modules/vnet/versions.tf
new file mode 100644
index 00000000..0ec4dcca
--- /dev/null
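Review bot: The trailing `locals` block validates `allocation_method` by calling `index()`, so an invalid value fails with an opaque "index not found" error from an otherwise unused local; with `required_version = ">= 0.14.3"` (the module's versions.tf) a `validation` block inside the variable is available and gives a readable message, using `condition = contains(["Static"], var.allocation_method)` plus an `error_message`. That also moves the check out of variables.tf, where a reader expects declarations only, and removes the need for the `validate_method_allowed_value` local. Minor wording: the `tags` and `nsg_id` descriptions spell "Virtual" as "Virual", and `subnet_names` reads "subnets's".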
+++ b/contrib/terraform-azure-gwlb/modules/vnet/versions.tf
@@ -0,0 +1,3 @@
+terraform {
+ required_version = ">= 0.14.3"
+}
\ No newline at end of file
diff --git a/contrib/terraform-azure-gwlb/net-main.tf b/contrib/terraform-azure-gwlb/net-main.tf
new file mode 100644
index 00000000..18b53a4a
--- /dev/null
+++ b/contrib/terraform-azure-gwlb/net-main.tf
@@ -0,0 +1,261 @@
+# Creation of DNS Zone
+resource "azurerm_resource_group" "rg-dns-myzone" {
+ name = "rg-dns-myzone"
+ location = var.location
+}
+resource "azurerm_dns_zone" "mydns-public-zone" {
+ name = var.mydns-zone
+ resource_group_name = azurerm_resource_group.rg-dns-myzone.name
+}
+
+# Creation of the Management Hub
+resource "azurerm_resource_group" "rg-vnet-secmgmt" {
+ name = "rg-v${var.net-secmgmt}"
+ location = var.location
+}
+resource "azurerm_network_security_group" "nsg-vnet-secmgmt" {
+ name = "nsg-v${var.net-secmgmt}"
+ location = azurerm_resource_group.rg-vnet-secmgmt.location
+ resource_group_name = azurerm_resource_group.rg-vnet-secmgmt.name
+ depends_on = [azurerm_resource_group.rg-vnet-secmgmt]
+}
+resource "azurerm_virtual_network" "vnet-secmgmt" {
+ name = "v${var.net-secmgmt}"
+ address_space = ["172.16.8.0/22"]
+ location = azurerm_resource_group.rg-vnet-secmgmt.location
+ resource_group_name = azurerm_resource_group.rg-vnet-secmgmt.name
+ depends_on = [azurerm_resource_group.rg-vnet-secmgmt]
+}
+resource "azurerm_subnet" "net-secmgmt" {
+ name = var.net-secmgmt
+ address_prefixes = ["172.16.8.0/24"]
+ virtual_network_name = azurerm_virtual_network.vnet-secmgmt.name
+ resource_group_name = azurerm_resource_group.rg-vnet-secmgmt.name
+ depends_on = [azurerm_virtual_network.vnet-secmgmt]
+}
+
+# Creation of the Northbound Hub
+resource "azurerm_resource_group" "rg-vnet-north" {
+ name = "rg-v${var.net-north}"
+ location = var.location
+}
+resource "azurerm_network_security_group" "nsg-vnet-north" {
+ name = "nsg-v${var.net-north}"
+ location = azurerm_resource_group.rg-vnet-north.location
+ resource_group_name = azurerm_resource_group.rg-vnet-north.name
+ depends_on = [azurerm_resource_group.rg-vnet-north]
+}
+resource "azurerm_virtual_network" "vnet-north" {
+ name = "v${var.net-north}"
+ address_space = ["172.16.0.0/22"]
+ location = azurerm_resource_group.rg-vnet-north.location
+ resource_group_name = azurerm_resource_group.rg-vnet-north.name
+ depends_on = [azurerm_resource_group.rg-vnet-north]
+}
+resource "azurerm_subnet" "net-north-gateways" {
+ name = "${var.net-north}-gateways"
+ address_prefixes = ["172.16.0.0/24"]
+ virtual_network_name = azurerm_virtual_network.vnet-north.name
+ resource_group_name = azurerm_resource_group.rg-vnet-north.name
+ depends_on = [azurerm_virtual_network.vnet-north]
+}
+
+# Peering from/to Management Hub to Nouthbound Hub
+resource "azurerm_virtual_network_peering" "vnet-secmgmt-to-vnet-north" {
+ name = "v${var.net-secmgmt}-to-${data.azurerm_virtual_network.vnet-north-gwlb.name}"
+ resource_group_name = "rg-v${var.net-secmgmt}"
+ virtual_network_name = azurerm_virtual_network.vnet-secmgmt.name
+ remote_virtual_network_id = data.azurerm_virtual_network.vnet-north-gwlb.id
+ allow_virtual_network_access = true
+ allow_forwarded_traffic = true
+ allow_gateway_transit = false
+ depends_on = [azurerm_subnet.net-secmgmt,azurerm_subnet.net-north-gateways]
+}
+resource "azurerm_virtual_network_peering" "vnet-north-to-vnet-secmgmt" {
+ name = "${data.azurerm_virtual_network.vnet-north-gwlb.name}-to-v${var.net-secmgmt}"
+ resource_group_name = azurerm_resource_group.rg-gwlb-vmss.name
+ virtual_network_name = data.azurerm_virtual_network.vnet-north-gwlb.name
+ remote_virtual_network_id = azurerm_virtual_network.vnet-secmgmt.id
+ allow_virtual_network_access = true
+ allow_forwarded_traffic = true
+ allow_gateway_transit = false
+ depends_on = [azurerm_subnet.net-secmgmt,azurerm_subnet.net-north-gateways]
+}
+
+# Creation of the Spoke Num
+resource "azurerm_resource_group" "rg-vnet-spoke" {
+ count = length(var.num-spoke)
+ name = "rg-v${var.net-spoke}-${count.index}"
+ location = var.location
+}
+resource "azurerm_network_security_group" "nsg-vnet-spoke" {
+ count = length(var.num-spoke)
+ name = "nsg-v${var.net-spoke}-${count.index}"
+ location = var.location
+ resource_group_name = "rg-v${var.net-spoke}-${count.index}"
+ depends_on = [azurerm_resource_group.rg-vnet-spoke]
+}
+resource "azurerm_virtual_network" "vnet-spoke" {
+ count = length(var.num-spoke)
+ name = "v${var.net-spoke}-${count.index}"
+ location = var.location
+ address_space = ["${lookup(var.num-spoke, count.index)[0]}/22"]
+ resource_group_name = "rg-v${var.net-spoke}-${count.index}"
+ depends_on = [azurerm_resource_group.rg-vnet-spoke]
+}
+resource "azurerm_subnet" "net-spoke-0-web" {
+ name = "${var.net-spoke}-0-web"
+ virtual_network_name = "v${var.net-spoke}-0"
+ resource_group_name = "rg-v${var.net-spoke}-0"
+ address_prefixes = ["${lookup(var.num-spoke, 0)[0]}/24"]
+
+ delegation {
+ name = "delegation"
+ service_delegation {
+ name = "Microsoft.ContainerInstance/containerGroups"
+ actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
+ }
+ }
+ depends_on = [azurerm_virtual_network.vnet-spoke]
+}
+resource "azurerm_subnet" "net-spoke-1-web" {
+ name = "${var.net-spoke}-1-web"
+ virtual_network_name = "v${var.net-spoke}-1"
+ resource_group_name = "rg-v${var.net-spoke}-1"
+ address_prefixes = ["${lookup(var.num-spoke, 1)[0]}/24"]
+
+ depends_on = [azurerm_virtual_network.vnet-spoke]
+}
+resource "azurerm_subnet" "net-spoke-db" {
+ count = length(var.num-spoke)
+ name = "${var.net-spoke}-${count.index}-db"
+
+ virtual_network_name = "v${var.net-spoke}-${count.index}"
+ resource_group_name = "rg-v${var.net-spoke}-${count.index}"
+ address_prefixes = ["${lookup(var.num-spoke, count.index)[1]}/24"]
+ depends_on = [azurerm_virtual_network.vnet-spoke]
+}
+# Routing Tables for Spoke
+locals { // locals for 'next_hop_type' allowed values
+ next_hop_type_allowed_values = ["VirtualNetworkGateway","VnetLocal","Internet","VirtualAppliance","None"]
+}
+ resource "azurerm_route_table" "rt-vnet-spoke" {
+ count = length(var.num-spoke)
+ name = "rt-v${var.net-spoke}-${count.index}"
+ location = var.location
+ resource_group_name = "rg-v${var.net-spoke}-${count.index}"
+ depends_on = [azurerm_resource_group.rg-vnet-spoke]
+
+ route {
+ name = "route-to-internet"
+ address_prefix = "0.0.0.0/0"
+ next_hop_type = local.next_hop_type_allowed_values[2]
+ # next_hop_type = local.next_hop_type_allowed_values[3]
+ # next_hop_in_ip_address = var.spokes-default-gateway
+ }
+ route {
+ name = "route-to-vnet-addrspace"
+ address_prefix = azurerm_virtual_network.vnet-spoke[count.index].address_space[0]
+ next_hop_type = local.next_hop_type_allowed_values[1]
+ }
+ route {
+ name = "route-to-internal-networks"
+ address_prefix = "10.0.0.0/16"
+ next_hop_type = local.next_hop_type_allowed_values[3]
+ next_hop_in_ip_address = var.spokes-default-gateway
+ }
+}
+resource "azurerm_subnet_route_table_association" "rt-assoc-net-spoke-db" {
+ count = length(var.num-spoke)
+ subnet_id = azurerm_subnet.net-spoke-db[count.index].id
+ route_table_id = azurerm_route_table.rt-vnet-spoke[count.index].id
+ depends_on = [azurerm_subnet.net-spoke-db,azurerm_route_table.rt-vnet-spoke]
+}
+resource "azurerm_subnet_route_table_association" "rt-assoc-net-spoke-0-web" {
+ subnet_id = azurerm_subnet.net-spoke-0-web.id
+ route_table_id = azurerm_route_table.rt-vnet-spoke[0].id
+ depends_on = [azurerm_subnet.net-spoke-0-web,azurerm_route_table.rt-vnet-spoke]
+}
+resource "azurerm_subnet_route_table_association" "rt-assoc-net-spoke-1-web" {
+ subnet_id = azurerm_subnet.net-spoke-1-web.id
+ route_table_id = azurerm_route_table.rt-vnet-spoke[1].id
+ depends_on = [azurerm_subnet.net-spoke-1-web,azurerm_route_table.rt-vnet-spoke]
+}
+
+# Creation of the Southbound Hub
+resource "azurerm_resource_group" "rg-vnet-south" {
+ name = "rg-v${var.net-south}"
+ location = var.location
+}
+resource "azurerm_network_security_group" "nsg-vnet-south" {
+ name = "nsg-v${var.net-south}"
+ location = var.location
+ resource_group_name = "rg-v${var.net-south}"
+ depends_on = [azurerm_resource_group.rg-vnet-south]
+}
+resource "azurerm_virtual_network" "vnet-south" {
+ name = "v${var.net-south}"
+ address_space = ["172.16.4.0/22"]
+ location = var.location
+ resource_group_name = "rg-v${var.net-south}"
+ tags = {
+ environment = "south"
+ }
+ depends_on = [azurerm_resource_group.rg-vnet-south]
+}
+resource "azurerm_subnet" "net-south-frontend" {
+ name = "${var.net-south}-frontend"
+ address_prefixes = ["172.16.4.0/24"]
+ virtual_network_name = "v${var.net-south}"
+ resource_group_name = "rg-v${var.net-south}"
+ depends_on = [azurerm_virtual_network.vnet-south]
+}
+resource "azurerm_subnet" "net-south-backend" {
+ name = "${var.net-south}-backend"
+ address_prefixes = ["172.16.5.0/24"]
+ virtual_network_name = "v${var.net-south}"
+ resource_group_name = "rg-v${var.net-south}"
+ depends_on = [azurerm_virtual_network.vnet-south]
+}
+# Peering from/to Management Hub to Southbound Hub
+resource "azurerm_virtual_network_peering" "vnet-secmgmt-to-vnet-south" {
+ name = "v${var.net-secmgmt}-to-v${var.net-south}"
+ resource_group_name = "rg-v${var.net-secmgmt}"
+ virtual_network_name = "v${var.net-secmgmt}"
+ remote_virtual_network_id = azurerm_virtual_network.vnet-south.id
+ allow_virtual_network_access = true
+ allow_forwarded_traffic = true
+ allow_gateway_transit = false
+ depends_on = [azurerm_subnet.net-secmgmt,azurerm_subnet.net-south-backend,azurerm_subnet.net-south-frontend]
+}
+resource "azurerm_virtual_network_peering" "vnet-south-to-vnet-secmgmt" {
+ name = "v${var.net-south}-to-v${var.net-secmgmt}"
+ resource_group_name = "rg-v${var.net-south}"
+ virtual_network_name = "v${var.net-south}"
+ remote_virtual_network_id = azurerm_virtual_network.vnet-secmgmt.id
+ allow_virtual_network_access = true
+ allow_forwarded_traffic = true
+ allow_gateway_transit = false
+ depends_on = [azurerm_subnet.net-secmgmt,azurerm_subnet.net-south-backend,azurerm_subnet.net-south-frontend]
+}
+# Peering from/to spoke to south
+resource "azurerm_virtual_network_peering" "vnet-spoke-to-vnet-south" {
+ count = length(var.num-spoke)
+ name = "v${var.net-spoke}-${count.index}-to-v${var.net-south}"
+ resource_group_name = "rg-v${var.net-spoke}-${count.index}"
+ virtual_network_name = "v${var.net-spoke}-${count.index}"
+ remote_virtual_network_id = azurerm_virtual_network.vnet-south.id
+ allow_virtual_network_access = true
+ allow_forwarded_traffic = true
+ allow_gateway_transit = false
+}
+resource "azurerm_virtual_network_peering" "vnet-south-to-vnet-spoke" {
+ count = length(var.num-spoke)
+ name = "v${var.net-south}-to-v${var.net-spoke}-${count.index}"
+ resource_group_name = "rg-v${var.net-south}"
+ virtual_network_name = "v${var.net-south}"
+ remote_virtual_network_id = azurerm_virtual_network.vnet-spoke[count.index].id
+ allow_virtual_network_access = true
+ allow_forwarded_traffic = true
+ allow_gateway_transit = false
+}
\ No newline at end of file
diff --git a/contrib/terraform-azure-gwlb/net-variables.tf b/contrib/terraform-azure-gwlb/net-variables.tf
new file mode 100644
index 00000000..7e1b00c3
--- /dev/null
+++ b/contrib/terraform-azure-gwlb/net-variables.tf
@@ -0,0 +1,26 @@
+variable "net-north" {
+ description = "resources in the north"
+ default = "net-north"
+}
+variable "net-south" {
+ description = "resources in the south"
+ default = "net-south"
+}
+variable "net-secmgmt" {
+ description = "resources in the management"
+ default = "net-mgmt"
+}
+variable "net-spoke" {
+ description = "resources in the spoke"
+ default = "net-spoke"
+}
+variable "num-spoke" {
+ default = {
+ "0" = ["10.0.0.0","10.0.1.0"]
+ "1" = ["10.0.4.0","10.0.5.0"]
+ }
+}
+variable "spokes-default-gateway" {
+ type = string
+ default = "172.16.5.5"
+}
\ No newline at end of file
diff --git a/contrib/terraform-azure-gwlb/terraform.tfvars b/contrib/terraform-azure-gwlb/terraform.tfvars
new file mode 100644
index 00000000..f35851c3
--- /dev/null
+++ b/contrib/terraform-azure-gwlb/terraform.tfvars
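Review bot: The four network security groups created here (`nsg-vnet-secmgmt`, `nsg-vnet-north`, `nsg-vnet-spoke`, `nsg-vnet-south`) carry no rules and no `azurerm_subnet_network_security_group_association` appears anywhere in this file, so every subnet declared in net-main.tf runs without an NSG while the resource names suggest otherwise; either associate them with their subnets and give them a rule set, or remove them so the unused resources do not read as a control that is in place. In `rt-vnet-spoke` the `route-to-internet` route sends `0.0.0.0/0` to `Internet` directly, with the `VirtualAppliance`/`var.spokes-default-gateway` variant left commented out, so only `10.0.0.0/16` is steered through the gateway; if spoke egress is meant to be inspected that is inverted, and if the bypass is intentional a comment saying so would stop the next reader from "fixing" it. The peering `vnet-secmgmt-to-vnet-north` targets `data.azurerm_virtual_network.vnet-north-gwlb` rather than the `vnet-north` VNet created just above it, so unless that is wired elsewhere `vnet-north` stays unpeered from the management hub — worth a comment either way. Resource-group names are recomposed as strings (e.g. `"rg-v${var.net-spoke}-${count.index}"`) instead of referencing `azurerm_resource_group.rg-vnet-spoke[count.index].name`, which discards the implicit dependency and is why every block needs an explicit `depends_on`.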
@@ -0,0 +1,31 @@
+# Set in this file your deployment variables
+# Specify the Azure values
+azure-client-id = "xxxxx-xxxxx-xxxxx-xxxxx"
+azure-client-secret = "xxxxx-xxxxx-xxxxx-xxxxx"
+azure-subscription = "xxxxx-xxxxx-xxxxx-xxxxx"
+azure-tenant = "xxxxx-xxxxx-xxxxx-xxxxx"
+
+# Specify where you want to deploy it and where you are coming from
+location = "France Central"
+my-pub-ip = "x.x.x.x/32"
+
+# Management details
+mgmt-sku-enabled = false # Have you ever deployed a R81.10 CKP management? Set to false if not
+mgmt-dns-suffix = "xxxxx"
+mgmt-admin-pwd = "xxxxx"
+
+# VMspoke details
+vmspoke-sku-enabled = false # Have you ever deployed a Nginx VM before? set to false if not
+vmspoke-usr = "xxxxx"
+vmspoke-pwd = "xxxxx"
+
+# Cluster Details
+cpcluster-sku-enabled = false # Have you ever deployed a R80.40 CKP cluster? set to false if not"
+admin_username = "xxxxx"
+admin_password = "xxxxx"
+sic_key = "xxxxx"
+
+# GWLB VMSS Details
+gwlb-vmss-agreement = false # Have you ever deployed a GWLB VMSS? set to false if not
+chkp-admin-pwd = "xxxxx"
+chkp-sic = "xxxxx"
diff --git a/contrib/terraform-azure-gwlb/tfc-project.tf b/contrib/terraform-azure-gwlb/tfc-project.tf
new file mode 100644
index 00000000..937c0e2b
--- /dev/null
+++ b/contrib/terraform-azure-gwlb/tfc-project.tf
@@ -0,0 +1,20 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = ">= 2.92.0"
+ }
+ random = {
+ version = ">= 2.2.1"
+ }
+ }
+}
+
+# Configuration of Terraform with Azure environment variables
+provider "azurerm" {
+ features { }
+ client_id = var.azure-client-id
+ client_secret = var.azure-client-secret
+ subscription_id = var.azure-subscription
+ tenant_id = var.azure-tenant
+}
\ No newline at end of file
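Review bot: `terraform.tfvars` is committed under the one filename Terraform auto-loads, with placeholder slots for `azure-client-secret`, `mgmt-admin-pwd`, `admin_password`, `sic_key`, `chkp-admin-pwd` and `chkp-sic`, so the expected workflow is to fill real credentials into a tracked file; whether the `.gitignore` this patch also adds excludes it is not visible here. Ship it as `terraform.tfvars.example` instead, ignore `terraform.tfvars`, and mark the corresponding `variable` blocks `sensitive = true` so the values are redacted from plan output. The same concern applies to the `tfc-project.tf` hunk that follows, where `client_id`/`client_secret`/`subscription_id`/`tenant_id` are wired from variables even though the azurerm provider already reads `ARM_CLIENT_ID`, `ARM_CLIENT_SECRET`, `ARM_SUBSCRIPTION_ID` and `ARM_TENANT_ID` from the environment, which keeps the secret out of tfvars and state inputs. Minor: the `cpcluster-sku-enabled` comment ends with a stray `"`; harmless inside a comment but worth dropping.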
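Review bot: `version = ">= 2.92.0"` for `azurerm` is an open-ended constraint, so a fresh `terraform init` will resolve whatever the newest major release is, including later majors whose breaking changes this configuration was not written against; `version = "~> 2.92"` pins the major while still allowing patch and minor updates, and committing `.terraform.lock.hcl` makes the resolved build reproducible. The `random` entry has no `source`, which is accepted because it resolves implicitly to `hashicorp/random`, but spelling it out (`source = "hashicorp/random"`) keeps the two entries consistent. The comment `# Configuration of Terraform with Azure environment variables` is misleading as written, because the block below it takes the credentials from `var.*`, not from the environment; either reword it or actually drop the four attributes and rely on the `ARM_*` variables.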
diff --git a/contrib/terraform-azure-gwlb/zimages/azure-gwlb-design.jpg b/contrib/terraform-azure-gwlb/zimages/azure-gwlb-design.jpg new file mode 100644 index 0000000000000000000000000000000000000000..fcd13c4f64bdea40b9eeddfde8f468150571a772 GIT binary patch literal 329545 zcmeFY2UJsE^ez}hK$>)r8Wj+v{^*^E2nq;D??jq3>AfY20!oW?=}MIv>7CFK5KwyW z(n~@KffQbT|2OmgYrUCSQ`XFzwPwxDJu53K_a^7NXP*L}lAN6EHZ>(RH5DZl70n$6I+{E5cc`f7 zSm@{(nV6ZGscBj7vM}9cU}9$a_eXA!5bwD~N94Eq#|BWPY1YpgM{SfEs}qGO}sjs z_&wkjJt@O|aaA%#eOvMe-b@nj62IN%c~afQZ14xkD{1EwK|#sFdY6rz?;*dyBS9%? z8Cf}b1+}N@8qc0V;<^DK`LD448?yfn7d;Wz&0DufZjt|s>&DGMVk4oyMS5SHj6qeO+}4}% zfyBGpOivQORd-SFNE#rS?R@@FvhYf+@uB{O_8-Xpj{%GLzl7|+0sBu}^8jj+8^pmQ zp$C8fc*Fb{0l`u&l{-^P>#H{$DtQHiW?;~QRT7a z>`Xi({5A5`a+zjY25=jzYRlU3dM>Sr=e21^ggp+S=TW=-O`kPBDr+;ovyokgE%2;? zqaFr98yAc-?y&hS1f)Rjc$FZfFYzeJ4Y4>CNjDov^LHJexNE@9m4AoH?b_eG_J}vx z$%`|#tMJ+Fb!fcEMl-wM&U6iRMN3`&&1Y4k;A;REd_n-3OGT<@(ov;B;R&D(FaH_*1yc5q6p3Az z8YKI)9x4w9M%Fbwr1)}0>O}>-@CCD5Ujw>S2oDw(j$`$Idw|(alD1w#-hS!CyA5>Q z3u8nLbZ3xYqE%adyboYFQPRAjGJanu@6A>{jCND*8nCpAlF2KBzSl$~OQh3nV`!J{ zy=J1V*>Q$0VSldH)FFP5v1>qs4FZYYTX>GLI^8F*^YUlhU-5TUHvV*(0`()@3dG<3 zT|Z3A=!_1jO84hN=LOzPqxz_8Jb7^q*bmqRQ)D?bRpjQ!I|j8EHb6IVu(lz|3Q=#J zq1d`KR4Dw^#_>uZzl~&tQXv2B|KI*U@C=0dAE%|!SE)P<+FMt{w~I!<9{5`~PSI%0oi#8DWsyE_22*d;J{PRkq6-Iu z)mw3GV~Hbjc_gVLD!x-RLn$Qn#wI?ZuvTm4%*xWeW;XM`K}x0<3--g zdx;tF+8Y*krnT^WfHD0x$Rbdyw{h9s`u=NB^HTig-(dju>5Q z4^iGk%j^@1?aV7hG%3a>^P*QruXpB$N3`18+az%Au;v>GQd8V>>8poSLPgz8TA2Bo z?VMK2KmJR{Cm_ZCt<)ems~V}6(&vtrm8rA2H{q;US;BA&sB7uriow*qXam%TGIq<7 zm&4A_uK}jC#R@EY!8>yBp!^t|CtDmmp<;iXFBr5pTmy3KTHSdi&>zJu6GN!N{wTY+ z3U4TNk}f)IGYv?7r1>g`q@Z+?pHQpJI!HdF6be1q zM#9YSc}hazPU~QnIqTipe=YnE<~ ze0S>oxp#RlVkEm^0k^P}mukJs(la=xu$j!G>d>;qMqFKMPT|0h!PQVod{UHY&g)r$ zwOYy;x>M7vL&(@RWP8K-^hNrk0d2j0|GSvWtY`Y0BYXo z0v`%MF=Y$Cah_`{jQ_A}v=_U^;};a0{(_Q{!SUz3vJ4A9Yt(sq_k7syMu6Byttg(Q zFIFAzAV%2LU_z&%XUuI`*MNtRi9g^kc~sChv>$;q+ff|x>TQ~Zk8V`dKa=6{YUFcEN}4HK;dgZDgg%H-V9M@(gzENKi5}hy3vF4y#^%lqsR$;hicaV%|iG< 
zCO!(YeGTB%Tc^dx&PNlHHNi0Hs{zt$KD}*E*rne$Ly{k~1yvHIk|=VSuu%AW8EcK;S03kW+6i4T}8z>nI?dvqf68 z@Q{VTxsbfbygDbtx6YqeCekk)*{Ymd^Z!y9hSi$bsxukWG3l!Vm`tt#(H%fcLEm)p zlCurR)Ooox$D3Lgw8Us)wiETwLXw2w3d&Tu!KMa^z%<|P&ijRl)HvvY+gi*zO2`O8GQ^|f@I(Zp5d``i3~ zV~A9vTGE%A{D3>>v+yqHM*~Z$NF@KK%*CoTfj>u-_A`p&F{A#rdK*bL#dW(zT$ZmdB^-J*4bHV34WJ%vY|HmNww_xsn4(k55-dBFB{A(!z zlFK`}L`#WP3=op;&$AUq^>;c%IT+mNBG2tFHjI}Zk#(@TF9=JcJpS34A0znjKRf#W z;%bW5#m7K5=fa3{*fa0SQW;`4vln<^NOVBMt1H;BYry#2{+iq{z8km!zIp*etimtv z>fvaw0a~Aqh!zD=fQ&P5f$E<1-|e6ZlWm(ebjYmRK4|e1`|0w9QyjSTk_z~hYk#8r z^cp~*q+g%&7yHC67CkjK=Qn&q{KYk3*xW1$dYr0trOQ3Mk@1?Yz;Mk1p+2#70LxnE z>^AqXHmC=E+Gz)alUkL4-5snb(16}YZF|>o*O0AJNgd_MgXb@GZ8SM*U`Uc5@ZaDM zD>dZrR5)f;`OrDEpXw_}M2?E?2K5ANoc#@dKq|3utgqZy?CYDF-XX1-iVDQX3&>&FGC zsxuj-NH5uI1imUO;QO+AV;`J_s82tI)>&M}rPBN|6ebqyeaj|k$O-b;Mc5)-eeI(8<& z&%lx=Hd3SfY{Ct(HT8e5#HMf&MAtkG8~hIk)u_b0VQs&5{7JZei4t{C&tbZl(0(`2 zgljV4wzAuum`~l(57wmpF4Uj+l<>(ZO4ouc2;?}Mi4N(YI}V59Eo6Wvqbu=qrud!RL)|?CP9BcIX;`$G>js@<#3{`6Pot{vHDF# zbfQ=tMHXGWFSF7+jjb%koeWCI`qSrs{{ES*oCh5B;|Ps?ixTJRr%rj zuIc-@bPdS6=sx|v31hEQgV?F`06W)5TrK$j1obkGBvNzhrQ z7A_b*ff2(mHyOD?qP3=rrs>@1q`ya= zZma)I7dlZ4$4Ml4&u~&+diEigEHSkfF=rCX&%zZ(d9mH9JY-`XzSepN*MMsPUr#3# z&0c>E_)~6W76zk=EUcDV*wzmWgq*KmSX!1{awjM%_pJ*~cI!NwJ2e*)3m6|C3*EiU zvmh)YC~@W}(*YZrYGm;z?+QJd_#Q3$`NUqTV%eXYg4^V5JaTgI&ni4&tSET5Ndvbq z65pScuB0yRm&OlTV$k^2+BCYj%~gKnxnPL?h|=pS`Yi>gY-5oP$<$QJj7t=Tvlj@= zeqV*lZ+;H1p3XwGS|+cT94KA`C?1yH0?kXB&8>*5cUN>fm^g55$a{8ugy#-Pa=s>~ zh&1>R9`|>6Cd*to)ZzjQD;||tWU+ z7{#@f7?}`{YFm`4>F+Qd((cHHblte9c{K{2#IP@uRpN0sgWsU5Doh!tOH2w1zYUVR z$y^pWy`Ir)TkAsBv)8$VI;n)jT*O#ax3m~^R9-o>c9 zo}ce`NF0^yMYEee z{ryXuEuXAI;ES|HT9Cj7cm0bQj+oxj1Z!Op)rXhx%BgXaxvQOErjxiktW=yD zjt1Jf1~GpdvMY<1u3RQ8xqFB+2Sp5XrPtwDs=;eOAZM_gz=-oezAZQEmOzxw{FKuJx1|p2F0Y9j(0aq%NSGbidtVE*7*hHL%+97>J%e-O5h|3Jz%JxYhxqR| zuf`n_EpCbnmS)}RJSn0zk(^|gW}N;%m3{Q!80;FjbCw_l4w~p&maL2I)z_ivy%IU9 z_T>hySu}F*IK0Vsj+Hv88B?6mWs%y z!5fFiLXW~wtI#?4I=DBSPg;khJJ8gEnD>-7=bBX}>F-6ET5l}*2=T1*cR@MA1c*LX 
z5P3eG%sKETklMt|yjk&SVw%qEt;10-p+nGuB07fXP2%->mf4XGKb#Mx^X7|Muu?v$ zkN+}AnUX%{ump(}i;wuJkfQun>IM$d*C}wuo+K+&p{*{(3HO+bB4r08;Ey{~l)OKC zzv~N)RUYV%6F+}6FsnH~6E+4|HuOHRla*Iu z0-w4+dog~BZhhxXZKou90th5cScbfGI|R;p*s!Vp{v;ytZUIRgKQ)w zqoBhG6NXR{cru8DWKK~ih4n%6a%ir>UO45GA4Rj?9Czi$sm8G!9P$8hOGor?` zuM(;bGp(z)V-2RNj|9Mjg5eUl|p`ncvDk+$;m9&UO>`!GE?&9cG^SX z5z{n=y8CQHoPTNqYz(luOS%y^w-E( z^t%*Yp(si6Tg(F9-ZC5g#4LCh%sjKBcQ}SB?}t)W;Y6I)+?}w3D~63Ntga&8(tpj{ zlVs4xAV(&++)n3Pf?TU4I>@BOB@ALQ)(dGzxDf)&j<2^mCl_^C>6+aJpNFGE0kVIw zH0%;SW4{N*@WZ3ebnMsr%LBg;FkR*5m0Zq;`MeFN_JTjy#-z|m66WAVXNY(NeZAPc z0k*TC>m~fd!NSFShGtmrhi{L>(^YKl#@(XIEdV_lh=Ba-`!=5c#WYs#CA(zWq`bxo zdky~3qQ9M~sfRlSB-Z)g+kW@{3>}No8bHTj+^S@Ipp2T|_BC5>Wd_lWyjjhuKs6lj zyz9C1nE$Thy|A=!1IB@=Ojun^OsogGc*Po2ez_CwbZ4TJvm=|cJ-bMj&&}6J-=Y#) z9t{;LTnGn`Lp^}-_b*W&=XD)PT*c6e~w6o#jV5Ba3;Ki(=sgim%h%6p^hT&OViOvPI z1g%Y-3-B7NUIRotSR|#kPkAB6msl(hPWc)T8H<|eL67%s&AL?iE5daW>5PE(_v7q; zXI_<{qmjVAJf<)RvgA{n&|0(D8HoB)%<~?iK6ca&yWQRP?X6?C5BU&K$> z(fo+I!UY$hx$no@6V>}(i-KzcCcjE2e3QImG-apc-2?0ERrK){D%`YDLZReCqxeo8Dk?7FXy z_^foYs}-Uxln3&lJ|&7(5vla0XOBnn&X?4(ut)oC!STVN8ByZ^%l?m~3R1yT87dnI!S__(S~!l+pkQG#CJ6 zi$X21JZSN2K(Y}k9Un$4tL#eov*H-T$dLSTs%+%?adgoAR9!KpUfYeh6no%eQxRf* z`HEn|Ld(-*$4#DTfF}m#GV?y=(;d@Cu{mVIlrtPxLB*LZiY2)+O^B} zt<*u|R8+zq>)qTlr85r#Sxr~I(aoZ!Xc6ce0)#DkigfaBb9#}6SEB5DfD8%m3tWH{ z{yqqYJv*m3}*bC?jtX_w4%G`3FoZe|pO_3t(tMLBkV24H`Y zlOe=~W(R%cUmF$g@r{r>x#wjzZ#ZQbNwlQkv%+dk>pJ+B6rDrh2k>hEKh>%y_BJj4 zM)?G2H6M6lRkwl#5QCwe%l%)(@Cte<2PT2eK8Ehl*koJ-Na={7;ostGz%1FyHQ?Ep zRTJ!z`!~^TA|%7aa34{ijdv&KZ!oewtTxi9*RZeVv}cuCM~Y^nl69@5i{Vi|;gR;H zlL(|9A{v2A3NvX(iS$}lDuG;Iym^Le(@p^o-ikhf2Xe)j35&c?!wOylRPsWVsPC|t zE$S#q1tx3bRt8){36y-uvt4e5KT6h~EF$Nj_HJH7ZNVr%-m98_NC?fDxQlzG)Z8*m?fK~qkxQ8Y zxm9DMGnaWqC{nf!FKNDmY~>G!9K~=dKK~^!_-U|54we)5YRV7mwg4v25UH{=&wo8x z$&~Wyww&ZmIi3hftC@I^(=`AXraa}REZfU|<461S7FHz>IKP@cn(R}xSn$Kf8iL}2 z)SrV7>^D4P^O)-Sny13AN} z0Dei0p(3;&gU$rp%CiXi{h$MO#Fdrc{Tw^K^fhk}@vTy6*7nL^5$P2@N$`P^EV?}m zk!kh0cr!P>{pVW9vU&U(6bV;{xea 
zjFtYN$XE3eI+%A^6!K!~D5SDD=9Iqk2CpTH)isQN-z@D^`iF}qd>G4zi6+nk=Sb_v zYGdICy_23#NgFPsWCN+PIh{PMOvj+K5V4>I!wx*7`J7l`s{q`G%+d`36{& zjZ^)z#9$;3wdTF-WK(VF{;A#>Eqb((%zpLDtK-ZF`mlN10-HTiZjtP;ds46Tyc-(bp1x`=_2Eo=EYW(1g z&KC;G=%rzB$6LGby{2ME0m31=|7bo}cs2!|Vi6N!dVKOVv7$DNKm)HQm4 zD~67yXizP>Fx!DygYU-gvr_1Z}D<>AShkLPFQeL^^AwwNJ#7`;AjPNe5S;98}9UyB}k zJDQlmOZwWPosX0jYXk{LPndu7>G3zX)y5>H3M)BsJM4)l9+!;SzyDyFAlQ~%YxEcH zZi2Xn(L+ggBO0DXNDo{4cJ04O^Z23X={M|E-frpECo^@wll=1yPG7Jzq_^dT1?{1F zrORhM^mpM(vC4vM=&-tGq8j9$6N(r|-@#d7+)=GPEi>bau8K%4@KwfmTki?R1A5dFIN0r9aa$U`(n zCt7424?<^V0-+~KpHUG5Gf?H#t3E{gi59rZ z+os++A=fHG96=g&Eha|g$iXy%CDPm$;=x%&+YgYkdg zk?(F!&a>>l+bKthW}8ZJ z7Pz&V%Q~%iq$%xgVkl?LO}i$O{Wc3k9a4|R+d^Hh7B5{_&^nk}f4GhFpCE-bcqNbK zYhtCNkzT;FMQP$;_sT&O|9pEZ`YB4b7ZDBNKtZCv;-t6*Swaem7Aq@M9i|%v-*HO- zRbI=`wjPf?Xs1R0#uv7kA_J{{p8+Y_*uyS}g+8~hwNcJq={3BQM!?rjR+qk~JjD2>csuKY<7mZu>OPLc5 z9VPWq!~X!q5^RylnIH%+60YR;LAjCg5A>#-6bZ;8idgV=GSroaW5Qs0uDPl zZ?baQw};HejR850-#olS@0x8d)Ot9SWua`-;_gwBswXtuQK`q4P^viUlaNMu4R6R< zCOp4<)(s_V1Fs`KG6bnis5ZGn7Q}o@78NYpoC`g8e-0`9GoZ9-FMZy4$c1H`y#{p4 z7vx29(|R7-`l#<+16(=pHgE#ZK2={-Uj%Q}BHqB5_Q8}OXAo6TUiVCFk!$+Z^SWIB zD0!;yUm_@5Qg@7;*e=7%ClT&?u@GU5_A2zw9yj9@w5ICl_?M(6+PQc!*HA|M!9Seu z#@i}%9lzM^y>hdik0}ioBi50D(v2{W*4$#C(C`m!V03Q@zh3I{pO#ottHycDQ@=lE zxY1_coJ?)A72Bij}P|UP_?}?EeUNkKx!9Kr5$^_ zsJ+*J?H1)J0enAvhu+QbbV}1a*)W+D_4L@3w6+?W(7q4w2;i;m+(^=ay#H5M6{Cq1 z>lL4;6NA=oFD10b(Ys5ZH6MvKP>JN2De9^Fk7F0kR7@Xq{T_IovNK|nvrxO2)WSOvao$tEx&O+WBV_UG}a%2hj5*FC!xW&A46`rWARqEjpa877L^M&{Wx zPAN&vgW?Jr$#s*~mz-2QklxJQG(GP|SHC96!#VMJm4v$%m|^SajR!hh6<#Tk4pYDQKuZ4og}=P(2+u74 zFzhowSzy4-xd1z689~S#?p1~YO{4o?2Nw!r*(P3Ufm@QM_%>4sf%PLRQCScPLidHj zd#f*stC$K1vj)Kqx*eQ;(`?qc&?{oNXZ9OI)$ zx)<_gj*VTXK7Uc}R^$@ZKZ^jll>v_uX4GXQvng9bdbMwgyURoTh-~;ZVAW4$LKrS6 z$9XHfrG$0FZ#?Ykpf!9SQql*m+kRJ<7Y*XTX@A?XwV$}3Byac5QbjL=;ivu8%>nM& zs%LA3F0#E)%7F*Mi5->B6%`V%Dp!}+SA-=*$A%eTLW7Zr^@sIq+Kt$!SK$L`No5-&Pe?Q{ht1}?ii|Obey};( zb#!yF8q{sIJhd@3@OyJ}V`DNmYVbkR6+PIHmTH$2>nE;7 
zq0DkoZMILc<&FN5K9XOaM>mF#F(}DKr&_6-`!;EKh{uUQ@P0Mz9nZFaAKUmVFxu8x z>eGG;Ig-Ya4a$|j961?($DNZ`bJG8;IyJ(l69jhVw^9ohF&aC23i+CR6*8x4GWwL! zuN{1<-&)K26l^h{^W&JrdZu-pRz>^^;-!r{+#Wji+dLpyy|{1Yz1wy*Qv{j02C&z! zL?CGWhR5#kwT0vs`Jz>WmF(0!I?U~cN+RY+jvYeT=e)@t)(Z>&IGd3+<(+7+s&rGC zUpij+wUvHn&3UHpNxP=NcpPtL{h`p3^oq7fYsWw*f)3;a`_m z*-CdiiRas;o!swTB2wAE|^Gd?OI6~piFNDNH%nS6Wu!J;r-GWFcuW@x4K^zIw@4Q+~Nj9*4I zr`**w=6Mem+OGk3w#Oi}m}kW3iaV%byN6vST529&;mM0;y^}WnwCu6_vYY5_VL7E! zbBGjDw-I^Vn;t^`@ePO0RAsb*PX9w$e0saSpOtx1nCXc4x@^)-brByL3T-Yi9rlaXK009XE z9Z(L_i~x8+(bV4ZO!q;JZl6nfUWo0kmoWAoh~lGir@^#&qu_b=XJ9_ zdpTKIl{rVk{e3!BXvM6{MY=@(I|eJ|=Fc}D-!)hu^Ab<;BG=jg z*-Fwh1{JT*@4DZTW$93F>D!DJrMBlXa=$B*wx8to$SI@H#U!hQcCl4E z+`q8}j%hrRNl;H2D!Pp|CtTVHX;+FJD~461;om?4EapeTeVN1f_4@I{#iFEoh&I+AnYdeI58M1$aAwWncsvQz%BpNjVK*qVYYP{ z$gD|AxRN_ZxN{uIdl6`9gu&Bg+G((dW%H%x^GoO2`5mo5iZBff*GArlYD?{P1g({e z$puY~5KKZoUnK5ug+n5$lmFKC`(3a(juam!6|c6Y^39u=08z-|_zc_NuZTwQf;P#{ zkiOU804VO+Cb{1i0FglPUIW;Ojx_5UKEP}P`TWAamDm9h_egG-}A4M zL1^@Z+s}zrTIRt;4m;91S|R*f7CEPG;Zr8&N?C$9<+ulZ$lT{^uCQ4ob|4%oe zb4BzcVo}8r>51=v?!Gy{viNLj;;2$=`E^b5Pp}P_)#8?5bX$wMv z@PhnJ`s&O?N%?crt>eQbTal81tWVio=@#K_)%cq!1ZTIim<}yGg1|Zg53B^h@Cwh%e0+Xcj=hHqf4_PSh~1u$E`0%EpQfxBKT)si z`H&7=+Kd`_!#xWh*S2gDJG5(V$W)9CPEqoG+LbsN7jb*_{k}O$1#C+CWwMm-XwpOT zYHwyR6WL*_&5>?c!g_3|B@*JCH^NB7c)~x!mdlHhNnNAi-Y}VluTDtq`!DhJ^&ILS z9_hW3S1#Z5`~*h6%nH^1RN*q`bg2Ac`4NN-T{i1QN*kAhFM+hyFR65|sXS zw=&6fU|YJTVuN0Ps#3!zd8zIw>_R=9$Wu}ap$rLOe#f{wS{I&gLDeS7tNUtIVNatL zjHZmzw8_1u(}qBwu<{#9xUV7T9@gFr50>QbWu+Z|TpIC#vfWw+NZo2Wj2u~j&PTS*q}lc8+sRawmk7ihEus34NSyHLchSc-{8uv;v4;Jxwso_x z7KBoWQzN1DPet}WK|hVYcZ}v0Koc(m)dRt79rSxEq&RoquddLJ7r_nbF-_WEG!?Dx z3`E>MP`#R=0*7kUE2+y(6&|y>W+08fPxefv3YLv0#1m!LmUolpm-Os?nfvO-Ef=45 zZKTNv{_NbOd!`2d3a*ho)aLK~IMK~5)MU8++euWCb{@qylU@U?0UQTJ~0WPLaXj;_hS;3;`pSd&9QkRs@JI7 zBtArRJhp{^AUOjLAZS6a$Kn;LQAPxXi8{B1UpijXA-`DSy}aa;*xm^)`bHY)*|-h0 zc~{{$kz@U|ALavlwyPt0o=&A%o0{D^cs1Uu8XA2KFk^Mg-Yk3H#rf{Uoq5f+=2^6h 
z($l|pi&HEojNL=$lxe^AIh8ZBfy%ojQ{lYz%U1#I^-j|uHy*KIBH(Ev{grwFx}V*Mju{uPr$3=9i_&+OY@GVeW0TVhEh#-f9I%^;_hguFY1 z`(gC3wZPu2S*ad(+BxH6$A8qkDLZyD99MaYnO-I4e2v?DTaFY%TO;4dS|ohiXbMxk zdEeIg>dY{auxAmO2y4&@lU7%M0lTQp;wev!j?Ut(#x_NxM zXgsefnS@q@4{5*Q_@?V~NP2zi6W*6UuT>2pZYkJe17}lzu4vUb>eC3~g_%uua1(|J z^eEJPZPLBWRSY-7A7%&wszpGffK; z@#mPWTq^jdpQ)^tI^p()vS9Q942A6px#-E!Tg&Tp*Xked<_L%x-!N`6v&)=na;9nq zNHCt9W^=0?hH0v+hebr)pGny~*6$;7JpE|5W9gz^vlx}0B%zD2vprO)c_k z@vPp5)fl>gY095F-&4c-e>hiqVS;}5^w6}#8HF2|i1*n!e(Ig*(ZzAFUr`sGfGeGVb^OdCN)8L&q1$+MyUGgONm< z?5_>X+J@$H2eHDK_b-sghrqRVL*q$zzY&>7RdMO* z$-*zcx&<3+E7Fl^k|ZyheuYed7|vMm-`hmib9fAEXU;|hMO1 z1ov#eUu$qtL&Snn3|qEBgu!z&Hpx_Q3Se$y9wEDvUpsWtm)dPqpg*L{xZ650eU+ZM z1(VKp9Zj*9ZUwtNtv_pso&!~{9P+J+(O|fb*H#iI=={hAiUM>)-_esb+r^$-o=WJMD5$75Tifmm9AJ~O_!)k=FV(>+71d1so zHPO_P7vCUL;g2RZnqI1r$C%us{s$=h)(PkrH?!@TP}eT@6jj_>vXdUI|L4&2b=2s= z&l$I%7?m;yjOajWVywnb= z+MZkak@r!F5xLO~5k|>=4AUvtZK?kiu`DFiI$O|m@<3;^Op;7-uDWycEBw(U)O{?D zRUvY6x_Q;G}@OGC6BfecRuOi}AI4~%zxNC?QEX?-XE`h%}Vtw5A`;w~bp}%iU-;O(jIxK7P)Y@M87JCgo(u zE#|kiEXryX3K~Q{yQ^z8t!eIAQjCaDwouZs$lf(B)zS5eg-LoGp{F{oJUc3`oQNr# z2ol;!AWb(%diFjfJ_Gh6DVg|+c^g)f!9XDfvJLFqfXewX8p@zT4;fz}IcsO^w-KoR zE&4S9Sl8tZWlrsD|K(EGrU6b(iI~0jPtU8>1d#krRavtTT!XIMM%OD{%CTrBy*OH0 z`1~bYu+CXsL;r7zf9=%%{={$mBP6sJ7STb2v0R5!1c7>69CIq;>w6uK;ViNpIqUL% zqN*uLfT1`)s(ztgpjW_;%gjj6_c(L+by@}&12fy_Z`Ax%ppPNzwFw+_fQP-&)+6|4N% z<}u!=MzdY7=_m6A;*$~>DTJ;=CM0{W!x&W8DoqA;88%)f^lwdl5&QCXNalIr_f4|h z*-g`Jcjn!VnkM`3?8!xbJr|Ml#nT_b?Js!umMOi;QR;{7GfQ~C#wjqD3I~n^6N)T< z3G24uf%WE!rTii03`f*9`J7eh9dGIRNQz8=4KN z8QGc9zhGkb{B`yN6Qe&Q^gE^fQcFaPH)tt*1gnD6K*Bm#=1ff{iM#yc2;%M9v41Dj z4|II^L9Oqo&6hfj?Zo@Hl!ewZg<8cspNZ#x*ENZs2-x?CzGMDHTevsej$T(&3jU`9 zG2^=kTC49M);@m!y#}PTiV-Bi>R}$3#MQBcyqY*x*4#(GzoOo-{BTv%OSBjxYvh{)sSHtL(Hw&{69Bu&9j)|io!hwy6u!;tNPZ7tBJt?l`RYx zN~qgH@4&XoIdJ*mxNv=O%@mKd!a7>+h%H<5hp^*&nZusDoLe0l7`=_%4pyATZzV%& zu(N{u&&0J+>cr0`>g3e|ziwPqX~m#_T)HbM?GLt=RULv<@;o0&fPjF2fCxwly(1wJk=~T5 zv`7=Fk=_$J3JOv~5kf-m2_*zb;@#hQ=l*fOan5<;-gn-4_m1Zu8H}+v+1c6ol{M#@ 
zYp#v!Kgo$EUbSd6+QvFBn-S2W{02orDsd4o4uZAt3jYJ$f~hut_SLbm{YT9%WpR}b zPQOBncd2VT@zERKw?{ubVDt9$fPE`p#`o?h*!wyd+}F~UmQv}*&BG(95O5W4y@9&` z<)m^u^y!G(h3kPapVdA;P5$aG#eNcW+&ECghfl=x9rYMxx*(vCT#u!C5(JJQ=bkv5 z81*na%S)W~{LFSu(=yU>>b(E_B3e7QnPPXn#>}`xqCY<{5UDnw@Zb}|;OL4$0q=v% zxhV*!_N_28?>j9?D)Y2Tm1_Z#1V%t9gRiIFDqE>zZ=qGM6{vdiHPlAl zztZ_ml0C!g7-J5hn$AacpjeXTX2Y{)A(4mq{I_##PCU|dFF*Ok`#iHC=^@;5e6eT0hXy&1 z*wcz)T$@yHDRjmr;jDr`@yRad`ZDw}hvP2Vrfg)_bfwz|AlFx`=M0St#f7LywS%k= zR<2=zDNKn4{MQrYCf9sN>6YaK9+co5_>UQWQV1m}KLDlwrTMtl^P#PpJ98FVr!Vwc z)QYk6fo^snlYLOaSd60-55amP3J+$BsUD_E;;_C9+K&8 zEorGOUY~mJx=5o6-49G zFs802Ru;?$(+0FmA!Sa73)OcubU#x*VW`H6d8|^Ch z8^peH_tHpuLWbboxOKnvmHE%T5jIV4HMod0uCj-zSr2RM%iU9a*IK@t1R1};Og6`4 z)agegAMub+k@mx3LM5>KcY*2S)57BRBd5+)dt1>{dJO3|H18mgR`?kuOhiP=_E}H% zPnl&H)Wm2COD4|azTGT6F6z;#)tu?t*6$r_8aHSudF^%QSm%!7NOX*4X(H|1-HH4) z8z=lz;~a6x!zOy+D54IPAj`@XaMbQ^B{a4>?JIT7;(L;Qqs|-k9WSmAXF#N31=L3+ zPXh9_b#+e%?JOmxn{58@_O{e=t*f4Z;^+Bs<2;`vv3Si{?^loaA?eAcS=U}?bo|U? zDwj_3ORU-RclcZ%T{u=k5Z9J60VXtg-#Be=(J|n)BCqd;wz9N(+C!ZWCS&UT<|0cr z3Jk@BmI$&5Eq7{GCb}H^=rweJ#W{q1`-+}jRB~43MQ?bPn#@WsNo>T343guLA~Je}k$tdUQGnrlf2n{^+QC$L&(h z=*2IIFE;JM@p=Nvnve7ibrt9QyO3dUW?JSRI07v|GOn#s8171W!|fehmT|7RIr8?o zr9|ZjXX-&N+SOy-T~F=?N3zJUf!|7P;Rq0_59#?{h-G4PvBT?{8Uu- zRD-#r0H@}0q;u-sxTxUqqB`*r(9}u>bDqhhq$EA=;k>HGhNanCy%TWua&|Ud zy~91-5=&S@HRKsC#!7$)AYYgTUY~32rCWl7Sf4K=xnS~MV$}JbtHrWtg)b#4}|x)e6gro|n zW73H?5D1p)%6o&|B^M(^MP3DhVn^u5C=N#oFfP(r6{$K(476m%37;S0R?`GUNqkXX zh(3At$7_%4GaYgVM{2gF7ksad7M=YoZ$m|_tUMJcEofdY=wu7ye_R+I+miLmJy?2+ zZtb~&t4Zt8(T}%gyU;i!`c76zngRM^SQ?vgO{dqiIQ$Ms*yCd+`@J1-1oo#>whD1{ zVWi|_8M@F_wi5G~T8hpMGKha^8TGLPFJa?B>M$IVcyjRT#m#a>wrjc$TRMl}n5f3P5bezu$UVlh&ml0m1#8<nJqaXSUXiKF)kiG`+gnLwuF{_0 z3AkEYnbZXRNyfc_RNF7TK{!gFMJOTWtI8%?wj*Q5db=)wJvauLKAn1bS#kvxDSV8U ziB^P0bYT(aU3N2$I!!XC)^3yIZgXCd;aoMdaAbJZqOgcjxq>p{N@}lpVwz(xlx!+B zM{Oyi!8MY?`il(;4dX8|m0mtbPuua=A2?h?z-W0&fYh>`E<#MrB6gFN)iq-PZHA?) 
z|E1n0w}jqS zd<%U$)4N}CJADXIIjwqIKF|%7@Kg{x46cdTP{kwS>1;oJ%9!;=*Eg@Z{rFz?xr_aR zu-Q`yE#9Q0UreMO!4fvZfV+<}3%)J{;$}>%^nQcV5-Zm2Khz4RcaLRW5DsWl=iaw0 zPp?~A+zd*HLSKhT($e8fmK10!|6XcSu|8*sbE>~nz?Nd%r@;Ay1>V`Y*bUHGp9RQs za3r7`OKXF0K7nRm9+HKw$SEwuPd!3MpApin*5)&Q&wj@6&ZZ>3QL=)#Az@SeGev#D zpin}2cYGm%eKh=XT!3M8oY=_oTCDdfavVvH{fXwPEyKHW4UmNdj6S%zZbfs)^VPnw zPXfIyJq{ahof=>i9hZfKW2*FDQ5}^$p>vj3wWREhEYTUXx)Vf;uL>-J5+BYmzRj;? zz2Ax&aF&FbXz}kYMHZMm{xw?Qirl05DtH9Wf1w1}lo-Tmw#_I_p(tQ1G$>)iiL^L1 zhfJ8w(9+`Qn0%<~3e=up-&ff$h!%&pzhb@fNbihDaLbV>>|O-Hzm;~JKrB7X4%b5} zYV}EWHyLaPz5n19Jc+p`31|>c(8q+?{+_CRv#4`U=HIQZW)B%B9%|-1Q5lt1?Q7P2 zvcbr_y)^&G)5^~~xiHPJZFY7lHl?|)3El!5(7)6VCYL?*yXhpMh8uv2H7%FT*C~b0 zVLJ^-;JHstsDr8Xlf>7fA-ypHk$;JfhfVLshD^uplx{_8nD&@mu)8AAnr%Xw)j|R1TAIV-c}6Zo;x)?#XF~H!3RJ+ zF0Nt0qO0RCw?8jj)wWp0-K;HL%=VNp=zJ7*rCTo0$NW<7SYQ9-!8FpFVolJ0Q--jS z%sTGQ;l#F9R$$pKTZ@jgah1JpUSt8u>7y0lIpE7qvvwxuZ}G7pIgvkoW~IW?|L zykj4$y6lqt?Z%dw!mt>Wpqi8M8%~bpT5}8fX&~=7;`ML4`}}*ZKmUuz;f3%n$hHfb zt1V>i;< zCisNEiT{o2TdE?xjetjz@@csj(N6VEIkNes13wZbb;t%|Djch(ce}&fZx`Xu@HY1G zrzZA6+O7yiIIIlck?VxX(DGpZ#P}PoxzMwRjtcbt7VEpL!5_DgM0UwN&lEeu(wvlV zrgv}E0-iO)M8TTwcjE7o)~ZfINRu>0hOT7jqbDviX?M5mwpNkW za{J)-w)NUA{99bf#`D4Dqb>X^^Yop?06>|TD=hb91QH?317GL1L3VrxWD^~o%?`go z5BkG?gWh2%jfF=B@IE>>g=JQe^}JJBl!Buj(wJaIcZYNM(YsQ?wqxX#`9OE7l1?{b z_u8`cfdG)m&Z7%onu8p2`^Zq^euKKOMTm}O7{_mr>Zyj`pkTG%piTooBSj+W)6ViQ z(e?n761JzmK~M3JgFTAo${~{bH)sIYEe-@E|M&(FJi!W}ZgLzR{04o+Q7vDl{g3ww zCT@XG0Mt%fIRa;ZAaMqJzxfSX!s12#gKN&gCFv8{Hz*}|zGg+KtoRrwkJ(>Zg&!Dt zL+NIT-{FQHdUxlB|4u#s503>X>Eebw3$kQw^M9ETD#xN@GUghYv@Wm4n#J3{pj)g0 zpY?AO(kw5PmJb^RwpVRa6IVs?ou3O`&*}?)rkC8FbMQ%TvX;`1DH*~z;9^X1jC3)l z#%dYabf0n&Ox2qNTzk*kV- zke`K@kt7MX(@OfB#H<8{+}Kwax799)*A?Hn|FtgAgfJZBOF;-oow$9)nw?}YG-8*d~Rd95Yo-( zl~^I}@!-^rF|;$P5isdNE7jH!aS>E7XEC;p2k<`0%{G)Z`D@^)D+9dAPcdoE=JQOo zU_5^Ruq;i1{s6|JL(}gyhrmofu{N9^(Mp#@i|!lY zx|onYu}Qx{c_)KCtrKmlRuxoiA`7%5Zn@q*DD$@;P8p{;oa`8_%EYjml))e8*)_P^ z`(r;?Z$i#HqNY|QGiZLlL7x#+K$lZ<7c%007zHFNAxE~PQ_(bZZo=LaJqM69yVFPh 
zocr@!{)~w~^Wo20@Mn$uvp@XV8~?-we`2CPvEu&+aWX~^VFPBHf+DNRQ|ymxCob>T znaH2Icf6|l(=2D3f@RXjCB_T&-DeKD(N6$+#v6#|*~b9G92+FySzT5VbF-h@H+94f zDPEOqwcm1(X6J7oDEW2gu9NW+`Cal(j7E(=Bl-UPQ$AEQ(X5w<4`~l>&fUIAw$&Jw~)|QUJuS z+7k&O+ROh2aXrOG!XTdmOf6c5F|bhih>#-5|B&?UM8Kq#$B& z(Q77GrMiv9(svwO0k`fZ0uPN<7?9|;CF7{ZU}6*c0^%o$z)I!Q1#rD7hnndK5x27m z@e*Hqk32Y#Y00Yl$K4nMPA64M8#Rd8@$Q(po@T6UduLa%+s*0wNne9|_G6H+1UTqG zJDSk7aOawgV?Tyms=3zH_B#NBMudxQ0{3EgdWIFoNUQdm%O9z`Xl7s`m3c8UsQjw$NnO47~V_o4aMiQ)R6kAal`naf_J?NVhg6H7ZG^r=91`(Mpj>hiw<@tY}QCWhA zXxuASyuu3#GU4Jhoo;6<RDOaOi4{&5uXsT-huxsh70^@6~#}WgMC!#ZH0OR4H zMMV%45xmga(rmtAdz@RM3{O?jEa+u!w$`#{Pq`8memCASBK30BAY3Nb%4PRDFaJdR z#XHW-rWEP21JO0qL=65H@+|%Avbp_txJiyj_~C|To0-^>(>`;J{!z_pwSo2b`pmyb z#!FV8wp}qFXbNE+9n23nB{nz{4**+_LUBjfObs$KrTVV|~V?fvB2^&5T|hUiV8(3kggY z9~_&X1DO4}|w~S4bfF5_|Kuz*}FiU=4X{OFeo4vwtC|XGp zPAUSq%IPS6d>JTz`hXheh}|gy{3mbCX~dw}+ejR3lTtG%e38|Y7^kH0`q*xd&dzgG zhx${MFz}Hn%!#5FNDdb7L0=rUny!^A_%Zx7rY`Q2#Lc{wXb}CaBdQ1a8YlubLkR@H z9bMsK0bT>0WWHmlYNC{M^2?2*Sj5RgEMOVhDl@r*M{J1Nl>rqgY#oru^%~Ikw$H<+P=1rUDzh?ODJL+S}R)+Xwz1 zSMp$et4&F|+Iwqr@$l_E;MeR|MIzvK+27+DRPY<&6CoWvvl!OAbFqz2fxB6j8-B7fmTp=9x_?YS zQ$uq$_F_USQ+u6IN7}xu+zw(sZkZ@}fC-Kq{)Wg<5vN=@IyL>n+r0#)_Re)9Il_{C zOm{%Mx>ANoIXN*{Eg1D_rM6KytR*h4*)P>^Sv36g4iS{X6XgRL3ERK`h{q1wP~2~Js_9Q`7gGCi;lDv4J1LY1nLP26 zDt?$0dCCR_>26@nIzh+cxLoa7RNm!Sbu)g??EA^ve_{`qu#YcufETK=tZC*@cTi63%%g58juyYlAC%N9?5j>7) z*&(dK&l*Kn!yoZVQ-KVw%6?x~3&&^2T40@dSG_#bt2BnX4Kg3+ZUW64xK93;B$WQ$ zwiN%139A3;>lul?yAYSHemeT*_a4x(k#tam;YgXRtI8ssz9=9m={V`MDem#E8#w(v z0Ca8;e+%ClS1(!}c*kqe!Tr*Xe zyvZqZhi`5dOJ^!L(yD7ig%;C*ES`%g#X$7VgC@K0AAk32%%Sd+D^WV5SwMAo$ zfM3N}1riC=AZFcfRS>!aU=kpT{+7NBA+rIV0fQ-IIS~9fz1Lp_>u|sn-mNH@;L853c`rl% zva(()LspkjDg(o!Ucfxlo<2nqKt7mr>0@C2W<_U_z)Lz(o;FY6L=sDnQ2%X?wd#Gj zJq;>HC^->QExx{IBV6c9PT-`tl&2KADFi;2*?a-n5^00Xn0#aftX-a4Q?BN%rrowW zO&Rri`!rJ(N+>*bObL{B?<}y`>q53r<}~Hk0h>ATj&^3x->K$DwxuKk1*@y4QT<5D z6;molj5=xTLlI1a0+co91*A^O*N@2BO>y$S0^ic&ofT^dSf=-&5&__G6R<7mOJG_h 
zLr$YFu3A(pMsObr7y0%0X6DaYG=UFZ^n?veEBPpa;En$~M!Tj!w4jFoa378q3uG== zgZweTrPy83%-A|SP!V*ML`67^yK zKKw)#tt})_uJlmfNpaA-d4cW}i|9g>Kj6)A@w-f!KCSwIDo%~NVU7R$(!k1T#kPA) zjq}le^g6{8*X)`PQzHIYY$>;7)>Rqx`Vm`Ifj7|b6MrSSvqsqO{(+c#ks~*j=X*P5 zb{xq)`Ba}?#rV2|ZmzW%U^Trn3?IR8*->&x{7W4qJzHX7_`Lnw?g@^5jAX-}La$7% zK8elhI!qP%nf2nnzL9gL>O8gbFLdY_#vcDG{?1*4E|a)b9cyA?O*77F3jEIDps(9F zl|Qpg*NJ|)t_9t@g4<5hK+BsxpKQPJY2wOF-HSUC_eWCK4t#zXjLAvJ#VmfPtYA%* z9hf#4CYALCF*65Ww1oyP1lP@*H1b|}OzpV%StbHWaa*7N4f6A(K{t}~{0818U%hi> z3#;Ec@FiVG;QdnMhK~XmZ^=R~Qc}BQDDC2=jz2r+VMNu*Zsz~o$XqV}bh2>F#@w&b zwP|JBqR(I8z;)@x`6nT<;1weUwWf5#LPLojThmr6*)gS)r7RBZ@|9-O(kg>C7jS~# zXk*rM)+4?r_>Vef2fBrB%`t|nZPZR#8vZ(g{vwqcHsHA$!N|CJH`F?tG(9=)ZGX%O zu~bccx63s`RU}PgI|g`GW+a9?;2YGEHRC(%-MBym+t=M^EUfC_bV}Wy0RP}%3 z%S>8TaVJaBKVnS zcMsg3*107J)1lPNXZfUkRjj-vo>S0`^$_J|4X zjn)wxyEHBzW$B4)>l>TZ?$681B5I;(gYn@gXW3$wlV4%+!0~#>`;V+WLNat_WfFYM5{u>`X02=FmNk=* z-?gFNAg{sVGmz4=TYMMHhmwao2OmK#beS+iUH*L|i|PfK(G@EEcwZ5~}^ zO1JPjybZ0uGUEQdS8{cLa%rF)!ayk@>kRrTL)#9yQJ>Ly0cHNdg{rcp46(<*=g*ps z*8&FhXP)P{QhD&p_f{5GJXmRouOOT%SAZx?MUm=F^ee%;s_G4WBGOUEYU*n$2mRAn zVxJ{;p7*#f`1)jkMjJ)|_Jqh9UEX|yxMhTu)jz*xcqzH|u8m{4xCic+&UC44m{AgG*4?fa190LHyTbt(vTr{#~qFV;P~v-9p1qUZaY zB>Eo6u!;t7g-}eaS4P75wvxZ9U|m$5vRU{Q%g8xedJioJuyRANLtfy*I(qgeKV_A+ zK|M->+zSF@$&SCS6^x&a8)syQji&Vy%Q1{G%`*8=zkC5#?ID4$kqQTP_d0fE1M1ov z-Q$&HiYbUEwK^>_Mzx7Ui+rb4yI1dn%RsOcAXfcGD;1;VpjnZuYx{6SELA$n-BT2q zy*ia|B)Df2R~mc|(q;X^6!>vFlr2nv>58Dw=oVN#T*;esww|af_{Qv6sHZ*wIcfJc zs0_Z@aaEsPOMo%1)!yc-$gV61Xv+G(S36dKMLq-U`(ipk^;AVTf_Ay~|JugIA;327 zPVWZ%VRq9eTh?W$F*mHLe}l+#tzC$(!_0Jkuo?RftA}+hE)KAmKSg+zm$s@?_i`SJ;jdfZ4xl^W?_4Ovm8hWAd7nUNs=lHTzeMK z;Iyl}`tKpezx7x0Ev1RjLzM3Tb3iNZ#1s0v)k6}TBB#J~l|IYh0K~?JTN*^xCu(A6 z+*}PBHkKq2a$L&`Bes#<1_e?DV#tC4$c?gVD(7mRZ1L8%xWG;-D%XY{zr`W98|Nu` zqmPS`ISD6zxe<4U%0Eig#mkW-Mr7l})#P>U$z_JbduT_?sh1pI>FN!Z_SebG6D|bs z`++^w3;W-oSjAfK-fbjJ+?lq|XI{W-MAqv!)IrBD;h&guuIa%CEgwixN8>e~0%lxL z7LcpQe*)QKNm?kNH zDQfEz%J+^R%{x+B!ve0j39K6K7mif&d{TM*HokkSN{sjR{fze>@Q@sViB-aGCCzyb 
zTCZ>9Ob$e7LkCzdfzD)}Ft|z1yYwo@O)UtX%KX(%~bX2}n64r(%o#V<+ zPiW3ZmA~^c@!MV-KL8x%2i@d?pAS5YJkijYCG}S8Eko5wzTJ7O5tNASWS%>qf*p=e zLk)V#{co?|Agb8bhlDX?X8NFvNQL3+a{4?#MU_>^d0nvONZF5#Mnqr1@>@Ot$uz5i zKa1yZ)(OiFQ<;y{DcwsZ;buNfOO3;uR;+s!V(Ib;*H` z2`-<5dHFZmO~@ltWPr(&l$*zDta=l!9Pvkac~Li!>A?w=2s;R;PAN<-Lpw7`I>GB_ z4p0P&$UzuzDo%R*s_tgR&x>+Yx+rg){N_S&+g3Bo7H2LuW2h|#A$x%+?vBy@NcEV3W zwlf{Lme4n7`EW6q1VyKaszyR}DC$Tl$T0`x{M@K<#nz^J36&{#L{2boNkn4Z50Y~h4b+lyl$?Td?d(<0btL`;%bMd`>9U`J zkF}3M;sNM-x_paba^W1L+LKn$V2N2u+k`J21v{%0M6L;^t<=ej(^CrJO)RFL$iapO z^*b`uG;50Z&uY_n`T#*_U!-`ILXmGX4r>i$q{?aZdV|J_UMIM=avk3(yw zwu(+1%Y2NhhHRX1C4zN+8nT>P>w;e0ddm$mwQ~Dg4AU_T5du zTE#a4ikrmhZ@&yAudUa~raygQl@{(`iDY};_&!3)Z(pCXyBdR$vLk!_aZ z(z_|y6r08{68g?^xOc6Px4nNwdC0srQIG68rK9|kxAd{{;%-%K|K>OO0#w1?da$n= zY=gu~Zb<8ZaKPkd2bd`Q`#ouJv7bB^Lj}XAyjQvn8P6f_b8HiybKgvz3#rDk+8+f` zBAyU2QSLqiuU{_Al;QaW_j&qjpos*Xp*ifIbuu>6=8LjB;PR*!H-FhRx)sQo2}CM z?2=Pu%-jIn-9^Hi5Rg$bj_pDi+XSf{KYX(@SoCnVs z$M#kAHnH7(t1Xzs2bSO!2{jUAaZ)zvA29aay0Q_pxe<&SsjcbOdyUZakZDUphW<28Hx^!_la_r55id)b zGIuWBHxEQw4q7V&?2sEs8)*rfK)6LY>Wf zkz1*<4sOe$4q_(N6O}vUBo+`FXb+ zHIwF&8*pruV&j$Ecm1#$Abh(Q&YOMwH8e&g?|cl7b6T@BU2Gt(aalmG=_g zkM%5;Sy-$I1{k6fgT&$hQ?e|P`{K6Uh~b>UTmQ>iH~jD8xM9!_uiEqq^#IjAzhZ`ZsUR}q` zMrWVpcW(y^Qa%jtH-0J;%Ke7Khf8$^!G_Xlf~YveY!d&qm-_48x!*He$b~^(^Vvu3 z2r(|QG2p|a@h?J`KeEeTZ)r%Q!MP;x|Z5=blgmmEE2G5T^?K zSIQDSTyp&-WsZIZkUU&=&jD=3w08g%1Q%Hu#C6~bJkdtt%UUF{r|Wb~gILpW0c__r z`(NNZ?5Zw|1vvYDFb_@p-~%Otn=7&S@tF+5Tkyg?;fIU7^1lIGsosi!VD8TB(pf)nnRH`y14g(nF81c6`J*kEL=~;qCl{MFHz| zohN=Z>o=X`6R*rRJA98!TC2%Kw5kQ;j?PgZLbxG-L+9aqC7(Nc>yxKdg2M-ol8mX2QryG3F<91pSi z+Y$RFnt5K3t+F1{M^=pE-}Z~;Is|Z+`x)xhAv%r_=QgDs6>_6X)Ggh`PqW($bFAm( z1Q8Qi2D8LxiCR{$GfNrv3yh!WtLgL-@%?qv!=poKxT>cAgH4Hgbf-4U{U&i&fpw&j zVf2-J@Bb}wF@M9I6H9-?oigB8?|{&gEKEoCfYdDq5=hHnHTjzxT9AB3#i z0O?Y#a_H*IeNXG{Ywd@B^R)WNb^xDo(fJWa9zco;55D&wttnjdxEl3H!2ODTCC=0* zmDJ-`FQn99@cuUlccEm=xwfEiYIQPrH15}PsKw`WK3lig*wfG8AJbRcO%H1?X8DrM z5#9}b(Rq8B%G#_Om(ja$gH_2T^OdT2)%y$JVs_S*=zW>fW-Bu{X_>af#(<;;LvoSS 
zd)P&x=QOFR^AT?9FSl_yC^=HZYj-6Mf~$MGX~ma@ih74yKi(Z9%9Eg*t~O6c%bJsF z$LAc})%Z}$S4ZaJ3eFg1m5wCghIb%m@)T^Ye$(S=^n~slEC>0Axxgfe@&b3BLkg|c4eBg{t>lG!;uBi4 z281}UHYJqg-{q1mHVl|r6(&M;`nn+wS#@Wn_fA|9Nvb~#!e;b9d7xnsFcRG!dV)M%ug5|K~QMUq~i(kFbF%q5peCuGPP}f2^sG~OBv<=5fDYn3H ztlZtqDRHWFs-5(UQK*mI>e&)=0o^7Gzu8BDUkiS1_Wz;%C1v%xbEijkhZynd@=vm~ zQF23p)XbD)wQ7;k;C%dW=V6sYU;2}>q~WW4K!J*?`JqZZDiqDE z!azZMavGAJ>ani2bU>w3-%-xWP){|PQ!Q?HmRj8{d$JKEqgJ>KFG>9w;Bx7%*UTh! zPpOHpw7!Ce#O#w_c5O}VLb#uZr`Zr(nO4eVHq^CReer2Y+h0T%?{q_D^eH-XGHfs@ zQrauJ7$rlW6c(Q2LiXeDyp6DLa?CnC?GZXZ6IUIs*W?w5vi~eoN*F0Emy+hJ=I9>O zEbh`W;T1W5Ur_ktV!cX*>BN!b%5YzKg73C6*XbiQBh(%S@qs7mw2v@8qNFK>(PlP_$LQzg3}Fb@!&278 zdBa@)g1?N*{p7mu)R1lsmRMw!3O`kb*aHwEO!x7q(@r{h%U`~37gY9%6?$h@@x1%+ zK513o=BKHVRloRc-y2+4ADn4_+9*e@s~X($o7r&Q@*ck7uGc_W-n zJUkP1YoKdE-aGqsT?=)+lci#!VuVSpLbo)71uF#WhdC=g3Uhuy9~nx7bl{@+!Be8c zyMX7{wBm+ahV+H7#|bwX`6gRwVTswas-wEAUDGIzxJy*6`!WmNcou zDc6BGAP9CK)OE^C>R6Em;(-oHcx3@AqJ4LG#kjMlm2#*8Q^nW&r?hS~>|b1OGss+Q z(18GpX0;HeRh)*z;Li*~Dn3kp57;_#lMykOT{NP{B*@l@IS3v4qgoux6E?KdWgLW! z`|QioBwdxae82CzsuaE3GbVYfxcUwq<|B2Wy^W4zsVcTZfZah%J5aGD-l6Q({;izK zhew@2v_qtecRI_K#NQX64XR7LZ}c|bd#p<7BvG+@Qaa{He`>~Y<{?@ZJ#zVH+Qy^0 zDfTBXo(!CWHK!TuY;*^rN|wt5ZHxP*Z`PKi0eu0NjO9?WfbJ` zfF`m%rNEcyKN}tgd4mMnc15@>MRdX$^w}h6BzjS~cyj~jtSbNFdYg_`ohRdoSbo~s+$JmUNRQ-e zW#aIrouZ8(x3VCs$)`*4r!wvJv@o8)aBK+jn;Fwxg_Yt?G&=$M3M3E&V1S*FV2o#F z)wM1A6ng`ewwA%J! 
zSf~T1h}P?Q&$1=HkO1pwc4r7jGt}YYfRk?#_;QE-TftDMV}xD61wFmZ$Jg76fliu; zE^s`YpVBug!|r&f5z(yZ3s|7(nxCor=KtE-XI0EA&r6;4>l?Q_EMw@1+%EyWm1(l2 z8+DGWS%j3tshXOX0_w@O#QmmCYQ}0p8l7ha%&(+N+<@~?=2{!A!(@4tly66P5;XTB zH|K%0y2kath;85-hbCXIux^a+OGa*4c7-FlUgUqK3niUf3LZmwCJlca2|&SsiC4$)d~ zgV!w-j{gnv2}H0wAwvB{|i?=f?lh= z1Z1l$&Xp(=WBcX|L}1Nb=VVb`mlX8hv@gfK-01%t6&`9pIf%}rJm)vMiK%FY;3?Gu zH^LfcI+T)JzD=5?+VgeaWul!$eZx&K-XDhP9;pTB=#I&*S(@r0H{h;WyUemTU8_H& zd0iL5zY-Pwe5%p0TT1Jj3%s!Hi69y+0FLb$H0I(h5~E$l{n*YM#Ng+U?3iUnyfyVi z1CU9NhWzuuQ39P)zr*@aJR1NyZI^%`kWGVn1sRUn)mH+f5U+LI=@*gJh15cg!>)GR z?lr0bafzzrO)#Z_sKEJGX#f?k@y`R+oEoc5#p>zK80M|bFpZAtPF#v22 zma_v)f!H<`M^zIZLT*R=xz|6>_0JgiGY0;Qfj?v5|Hv^gf&;YkQMdjg)kfhT@o8t8 zKivm(Y0(Fvx+5srpk)~s>B5TUkh(5US5XZy*VWR~A~eZ8`qr#|2cq&v6@DqKZr!!X zN5^GJ2(3*?nB7`u0Gc}m@<+sOLhu|z87$;`C(?#w7zN<#X5g7`jKwA+t438rJ(EO0 zdG4{n&l_F6T&iR$H9R^%n2@YP@Q0`yH^x4G^@Y7`;srn`VeZy%?T*(W*S01)W* z_u$C0K^3TQ|9H9{(IjH4U+ba6M6y?ZuIU5>R0z&pZVq+DDFpw@G)T?qHs)pz=NYsEqsimZ>YY7>v08J zwsRRzTm4yK=|_rmW(RzfG@X~KgdO$fN-gqq5cL;!xeve>HGbd$Q!YbdL`nMVPP0B{ z=4L(v)hk18t4t3UG-%s>X5fo(XFyo-3_gk6Wg}VBIShab3gtlk4K`BG+9EdSpMM1u#-2Nu)%etMO7xAM8^;(cdSF(2X#d|Q~9qx?OMFiM^NRkTf#+eVel0Y zm){^DJ5MsDa{x$dTNw^eh;8CP0QzJ1A?rbu74WQGOaqA#}+(yD;!iK8xSiXK2NeBE1u2qPS2CM5|D zA(#sE6-#JRfWwBtcaBFx?2`}$RTsrhZSU8=USM(z!au#0>dp2R0&in>dnof)yqcD&V9Wn256to=hnRulG^anAym80768I-*Vg5D|0-b{bAeU z4oz|tGh3d0&6<_|b^oPDW{+p->R9UMlF<}qZCu1=&k|q+L}e@Nxa9W#ZMMzZN;~xWlG2hw`L~fzLw*fMZvLIW6s;N5ON*`&Tax`ehl~B{+@=!} z5&wim|4TTjf}9LkWmDYuV!|-XW|Tbq03~3l6LoluVhSXJqycqv!aon7fob_qSOjo! 
z;&>E|V*pT7&L&O)maln}M)XHO=aPC0dKfZVMesK$A|9sw8}tzjU@7*$8GQg<{qvCI zCgh*k2u#d{^8*TcB_fJ`MhZiTRxW@nu>QH-KTr41VE8lD{;Ujt*4=-h(Ee-_fBP=} z&kqKPK_JT2K#QH>M2F#DJfya{y4@EYr+u8;M%5$me^KRrgK`4_Dwf>>LE<7gP&q~0 zgawIK6|?z7a!A3lgr~dD3(K3mik=r(xS3BFWZKQCd@4VexzN`e^g&uaysFvfy6pA> zkK`&f36VoyY6nL$lZ^1?A%ueJ+v0|GJHj|Wyg>MsR^d6XOz=Zf8!P!EFydP+MU>vM z2qfsEpc9gb+Cxs@_!r4G;XQ;ah9_LKjpD(wHj>MX`E_%QDH5+yBv zYORs|3Q)W8=IS|?5mE6z#-rAG)JXgRm`@4IbH4d{QFU`%WPKfT#YD*b;nIldDpx>V zH(~;*K}ivtM5nIhQj)3N`1{-CfU+h#`YxEeOMuC zBPW2!zPx*Y6(zcWofrKkbuak5%N-yl4{W1GB*qHOm3HUzk;cUkr7XT7Sds}eZ!n5! zELLlwWAitt_v7n3#vwPighMpTXbc@MQPC)+IMIiVBQG{D#D1|Z5f6q|jH9-{*dg;X1$*um?X^ zRb+hqPuyMc_;OV_-xEt4ox{}xvvO*k&=Pd4=zeuIH})jME6}>+&iA!Qky+xnyx*?Z zZ;;H+Q9?s+rIW-}N($5kGeC_1tO5?&$oT)8a=QPh)b9WBIqMWeg$y-wD-^N;U{B3L z)TlPKgcgOEUxEQe1n!taHDzA|%4K+68**E`AF+m|Pd%nR22wxC)c@BzvmRv7ndFIG zbP4!Zx@`4p?(BV?IJp>KgZ^i(1M!fh4=)c)>8DFbRtmBSf-r@qG@kRl>0OyFFN=;V zygFp#qe6GL9(}1Bb&+-{Czx%x**e-sbsGc$_9Ov(pW+f{a*0nK} zD?fK>wmJ>*J9?N9Y1d6r1v63Kv!$%{7r&sT0xrr#Su;~j@mjAWN}c?L=d6|}pASt>V0^IACG}>Z@I=fWYDk-^1*Dk_sjBX85H;`u zypZ$biWrNk`r#KGwXJD4+n5 zXCLnv`~L3lj`98B2n2aqS?^lU`#f{aXU;=EOUtp8vDQ(i#=8@rnB#i$7{8!i0(H{g zu!=B%Rx=6yjaN)|qv>6XwAHoKNXEU%hNHrVqmJ>pOOeFjM>=OWpRW_ZfDbGa0n}QW~sz<06=N1(F4H{iL?4P;{tQXkg+z ziOleD^4Mb*_W`2-`=@Ez?^r+}BJQ84fjN9ZArNRQ9zG&zAo7j6qmeX=|gse-hdx z%0i=Rs(Ipjo#io)hiv>WG|jQATmsLYjjIe~6n9p16ACZWo-LGO31+{ilLH?o#gPFb zW}6&9L2k|RQ@46ry)R@x-i;;PY_gmBAl%35Y?wgb+a5pMHFHsVq3dR@ES9{}xQYlf znKO(+R;IRzM)k@x&V2TQ@lyoslI|LD{3K)mZBK`+x!q=W18UI91j(Fm7tA z8!lb8aoMbxngyS0g$qib)_fM!8A8kG|A z2LnSkfKXNx0upc%4f^{M{SLeSd!ifZsbwbUa{H z+gM=#b&|e*^9NCdMk@r^$eWTnz+@e#m>=}|0v{GYgkp{U{ta{0zrO%Y-K`n9t+ z&-n;|2?S!H#fZ$)n2tgRas&=oAV{n`KYI_{b55TI%l;}4;7m0Dbf1U~9nfLcGzj-3E$L771 z#KHP#l;LBTxSyWtf7=h9hXOD=DiKJVe`%>OMgCKs>YpjJ|1N*@9|a8pen9qk9yU7v!9eJI z30yt?GcQdEOm1Cye&J&SC-#@P_pg5-3m`Q9J%{$sdU`-7dl+xIgh zpL;-uZmJHw)^h%IV4&POyAiB74*#kl^Vx0fQT1tupMqCQO8PpmhA(bH-MA~nK0V9Q z5`B^XvmoED*bT3XF?YWaqXs!*yln=2x>BXTea!!BuYaHS1r?YtK-TmC2Ale9KQ$1z 
z;}=&8;+hq9&;T1c9^?tE6%2VIcO?fAZNzHaEbud)G`BQ2zHNy;1nKqXWq4*$ zE1q)3;r$p2evf#Sl1$vSBi1(3`{=`!P`65dJGbQb@JSDaq0d?#GeQ(mpydpRXY9iRZ~G*?EWC6IIf@xFHfip5KNA*G)mevnuTmn_d=K6QA9f^K(?PHmjM`?zS(%=(s z%47T2h#y#juMU?5^P4uFFzS?)U5!T}XRG!~avM!J-rUd1>!rpgE>wfn3_d=GOjk=P z?KQ4WOzSp?QFWlc=*z^>2p~rcGoN7%Y3p9nK?iC}RlY57n>=?ZgyWJ9lcZ#>@mbNz z3*ckk?4pPkdBlJcaxHERIDI|Xz)IUWzFQ#emRGwyb!@aCx~(l0Ez@O*irxW zdMAE{khO+Olmhyrc&mLloqbIxRk(%H8vB06q`Mz3-4+*-zj_sQ>Y%U^CU&2KD{L*W zu8vat>NOcCe+;@Br6a=N-leDlost_P*7@3`2)+zK`X%!I{>2c6$)xbBX>xYMg! zsp{&QWifwR{sNqERn^|`(6zoR9nc6;?pl35ROB3>6Bz~%Pzm#j}e$lQyQ;V z_5t#@9d$mqpd0QM=@d!19QXD?>4+TnBdH}WHU=Njs}tJCC0{7?`ePzW8m^Oa$*)Mf zFN$flMSkE`JH9W~nR9fGz1NM?({0@)>>0r~UO&4s6c?l}_X3a!T|+Qn&B_NGbiDKZ zf~b!Qb7!n?iAT;dh(J`YN%Juro?{eV0f$2vHg-0`89PPTNEu@<8;oS~%Ia%kyVZZl zeiT+|n`dohaFkq+RUeRO{FuCsflv@brSnFpm)UP0N*a_^WUm_-`IxxMRCDvXRa8VR z)KwBZdud?6F$lt_p-VDvwdyMjoa{59or15>xraMeA-0%{~tt z>+}~RvA60=U|SdQZUW1x03!_NiK4g zS%R~>b%)FhfX?@~Ly|o4ynq8TM$n#Q7qYNCDwW@qmO3fZ|6~3-p8z6N;9{cv6OixC z!A8bepmT|!XPAiVf2E-_8@0i{yg!=EWd*8KS~HHSikv=yJssV4d^tsO(e9XmQZdlq zp?RZY5^sK_rlx7QtfkrNwShnvHQt48${XP6&MoOEO5RM?r@ zV)8O2D)O#p9DV2gN)|ik+Mb6+)5U%oIqk)@2zUtuPahQ0!MCdD&ur_#zOnCmp3i!f zaM1xd+RrwA#&Y3xNf4IY2C6m1_USon$eF|*Udt)YXH0?!J1C+R@#D*dEp)vcm7V$Ftn?g1L^= zNxA228e{cK?xvgzHmUBF)uu}96A7Ebyts_M^x1$6M`KcZaocE}cS%;{_pZ|)j@y2} zXo5*q_jxUOES;V3_-J)2@)R@;^9tpK<@mW@_S3`9+tt`Hg%tiH;sV1dZCx0q<(Xjg zniHZNNtPLF(Z%4-Y+-PRf>&5E4=2eRYD#wj7e|nt@)D&yb40IAv}_s`UV#ys)W`E@ z)sl|YiZnX<9?df!DmnE)t#*sa=3s{1wbC##7dhRVOV>NF3GWGe|KWs=-ZW+gLMgLp zEMD8Qi%RcL`#BHdqomuB3<(kb-hljBFOJm+&bfe2SDN>|d6;yv?(6%@XB!V4;g~>Y zqeLjaL`h3xZriekH(pd|$`50it^<>BP|n~knCr9Texv=Y;P9O5iSrTD6OEw}l} ze=wvwMr7bGJiKzs@5y_I`H+WPyFDeTf?Ce2n|AUeAJUwetNZt26^4}`rTC+ilmQDE4!;oW>fC$?}P-#Sshc7&6OU&y30J%wt*r_9c5T~gA= za&_S?x9kM}QS&5)Q{QYYXp=AdRhKd=cbHlXDdN~R!zhvC0}Uq5b8#%~A6LkwGgf7K z8pV|zx9v|cG|h8l9#`5;rEzVMpa=5cu%5ZI zl}bC!L@tP(mZhJhBoK8ZcI%1MJ5#4Uo>VgpZ?1r6vRH&w=*MI5DQ^xic-Po?#1Qj| z_w*vEPR!Fdilic@%(rDyl&62rqT!mW(vecCw2urMvse|Oy?<9zeQZ7E-}){AHMvBG 
zUu|^&CUvXl8o);SiXq;m_D@LRMAAuY{hb3pc~9H+p0-j7(Oam{e=!*ny}ykbHk^Rs zG_gPuH-57{lYRJn+`UnQutwL@8Yg6Dub=T|x;nM|2Sc1WQ0O#EVCMV0Ak-5x0A=VQ zy2JalloU%L3&%Cl?)iZV1&yaC%My-jYRNYylF<~4AU65{U6a_PtrrkzU|Af3=s#ij zju%%swuw4dU7kXC_aIXDPQK6aoG)3A5@VZuvyM9$uNP!XcQTk)!C4P7gOn+AR%Ig~ zA&Ntrls9u&m|3|_RjhKqk?N&v`hJPRET*j%!~(F*ccbt_(mN@GB`H2%hR<4_%}|qn zqjMzqS%8qp$N?Xmh0=;c#$s8v-T3?r9>e4}&!z`4PJCs+GQS*1BJGKUzR;K>YYzfu z!0fFOJ##Q}NIu`k!=w1o8~ZPx#!5UotjyOhhBSu$wEB0+tK%ib571R9GmCudG7H8D zT9-m~j4xkj3O-KIFDSLM$ru%+QB=00Jfw15H$=HrI4!sU?_poUI*FGry!f2zj#F@K8Sri z?x1X-3ha!*9C$+Jr3$K>8F$cEfNDh65U54~Et-i(+eTU*$b_SQ8w42=qa7vi6Ga4e zn7StK5_G9_$Thty)=+-t`dP2N;W>33u_Hc8Yo-erQ4o&{l3Njb+AfSY^`R-n}?Ynqc1O&eB6JMCK)-StmUqNCh~yO`JW1fbf}g%;B`81S#U>+TjBE7YF&Tm z4(#yCx{TP(NXwanw^FyXYR)Jyc&2nriD-G1!P&<|++t>l;OOoUDGD>S7HB7+Dx)fEhUy+_sBpcXNQd|gxoRRzzEmF+Xt0A@6Xy<-Ad98fxQG6oD=?_G;;hz%lZE-Qj3LRtmTsrdA$49PY%o*Z1yvEdCx{U=S<5J7ML znQ(|R)5{*VY`}Dk1};NJo+aLxX6JA&B%Sihqts0K%X)2j_+6e8tn!_%)-1KIa|5af zJeJR8Mv27KCgY%E8(>GIWeNq0vbD>N!|Yx479sD_ec0GB8ndb%aS+5?`R-u<_u{phE3+~z_!o9xB3gYm^CD}+J?ZM^RNbvNbQ%MnML=wRsWIILo zZnp~>pE*%lTX%X{M1sm1o3;O#o>%u|RsEvbjga0X5QA%$tikbF5h=!IFauh`3W{Zs zAjy{EBD|1{6>qF3mz|%TPdOIS!`8PNB6(c-MK-@`KevO)K{{N|AGjOr!Nycw0aUog zb%{c#f}Y%)c%^T~uRRymS*zqPb4ADZKQFwQ4&bw|M=-~*U(beo%^!(Tt5i*N*UwiM zUs9Zz*ldlT#C%%|x)3yw35Y+|`r^XZln9RIdW^oF60hyYF6Q3q+3Zn2d=hnLp7CYK z)O`T#%dF0$M9nh2@)kCuubK=?hMLGs&-Y4~aVWmv@d4C+g)&FJ`Gw5J#d%>OCYB;J zIE#NOr({YD5!SrDN6(~L%6u~lZ%e^l<|7F6z09m7VByRZ-#oYi1^mHJ&$OmG4G@(& zmjdN=;GY)za>?@k_Jd(I7q1vqYx7+CGyvPpc1YJ{nx6D?mQ=ly{(PEtdU3G3OLyF| zzEEL4#5hCk{bQ|CVW_FHYMyu?k}6JMK;ETWgc zd-sCdtZY;!o@6^0T7mA{T6`;O`}V1jq5C%O8zKe@U^P?Pu0Sn)c|ktsZ} z-FW4B^wX+cmDV$%rahPJ=b|?iV*TFMd_q;%uLcy-F|T7>^dyU^1qs2Qr~Fk-bGW){J8H zlcib^dmER+ybJXjLF8eB9#b9jrz9_v`5a^e_1sV)CnRX_LMO%`7X>;EVbp6 ztfN2p+pgg@CiRUo_5;b9V$Il!>em|gXT)RI$1I4&V_}4#=|E?^6em=E(gF1Bnnm*R z#@D&{`x?SjQ$O<#5%EFA&;gp>2Ue%}Pb&hWZ(#%_#^^W+{Z1e4<6nh!JdS$uV9Mj7 z;O+%}t2UH~VyD$&=)NfVXaVK(Y>*IL`65=41^6XL-oiPIq1H{k@=SnzV=EiTDd6E}!!e3Im&v 
z>0JPKL+Aup1};5tr|MIzCUKdKb19`GeTmsFupFBkU)q-{KHiE>f+#rK)Tm0cDRjDM z1XAz%`QrXyh;nOCQVzrGLoF-HV-JeAZLiv-ye?1WbARzxFbXDmxx>FR!7q_)NlEs` z$?;Pp?~KtdXL5`x`Hsp=tf;>XXw1>s%y@ArQaSGJG4a?Y5`hQITxku7$&@68Oj%|q z-2a|6hq0*eE6P&Yr)`Y1_G3FN&|k(4&Ly~jBepo$&J z){=pevxq*aK)J}gN`A94K_XpwkhA<;3z-q9dNYC{`U^EIq~Gpck>Pk$XDafPQhy}x z(DaI@r9@*{-_U(|=@j=phb#WB2;Y!5_ubz>-+TuuNl{@xl@>7bx|cAdb*=-=0^Pm{ zcMJsK)$_&0UGJZMBsI4ltGo2VFqd}nmnm+T?~D?fq@0uM;yZJ8xFdUUIgj))k&mUG z51yrbZJ~@od>&un!r@WAu~!%*5XWzLvDLn?mC5LientB8Wz&hCl+k%3Uv%|z=iDLy z1dky83H*dGA)56t^QyCQ`(%Lf@ckpI0Xn-ux#&v^`-QvPjUo5BOdHu_M6&?)dlHwX zBp|$ZdtZeN0+Lx6QRg6_7qFH+JyvEOL+`|H!hUI&p!_l0AFarD`VgET2Mr+SDUqV1 zfwbq&1AwI>a^aty4g5dIQaSX$2`B#_|Ns9th!Rr08jq>Ea779NZ@4BL(4LZF_2rCa zU8gkKNb^W^cn|-)=-XJf=jJ&=bFr11;I*DPm+*eT(8NU0l38kVQz)A$`;?{ z^C}v~{;hELOSYzNXK%t>q3=)Bo~Tyx!glF>sChoWVPdjJt1jrt4o14dj8N!oD{9rO z;d@USMj>T}(5s;u$8tdy%Xra=$?@bEZjy50 z9D?7^a~9H;p$6t#*;NY*r8)AXJ}9=a;b}PKKk(pD5Ndc{gzffnyVs@*V9hH>a%i6s zEhX92&sj`14N)SGdw0F=DPFnVjkaKbL6T^Z>T~Z;+7$Ge4*^;L#kplnR@Y zwMuingmrS+AQYjndP!=we;kW9Z)0`COTGp~3~^`cM$Qf23cFuEqT&3&uRKKX@@40_ zr&aTp`@ZwNxa`;KjX2_sq*$ep(=st6q}>qQxnv4rG3{s2ci_OYTK3p96f2nJWomh( zrb#NKs~}lLa8K;19!WD7Vlh>G-ioL3;jUZO7?u>4sk1RR9Xy1=wupnh>r z5B8O%X%<%(JsL;ejRMZU!O>{;D7@zI>7UPYVyfQZ*-zUcHBUd|&ko4QeQ*ZGrp@)9 z)_ALCymIoF6SsInpYyZ!+h`ptjjr)RJuQN;)XbzO6h;`ZpbA71A>-^Fa(K7ntK@`L zfsRtpySzQw{f=y&&ko;Qd^!Voc)a=+nHXYzbX+!UG`g@^FRBpN+xL6J9o7*HH&3Y#dFdk5*Tsh)1wsv<6 z#Eld4nNO+GJS0iCe9wME&3t)*>kuWGstI5VI-pBIJ|k8y>K_b`<^#-^ARQ3OxxR8| z#a*Da=K(DLn(oEVs|EH+0VnQpyS1CW03{xTB4$6*1r9zaS_9{09puUDl$ev@Rd<`u z43nA?Bs7>b=Tzoy321Mrl^aXU31x(+UM%)dPsg1u0GJNQ6ySp|< z6$u*PL2%Ke@B}d&z4(z=ul5YZ)+PPv_kyqdWslEn9{S3V`TQQ!ui-eOd4xsr2!Nmj z<3F`(#`?gc$$jbCxUpf~RZ*hA4w51cSu2NrqN$GrU7)1uM=q|mx$EXSf0^pw3k+ND zrfA-ZN!~TxMHPUb#*IgUC(3ap5x82(*p>jzC!>2yZ#Lf?HpAV2xf}iT$J%Xf!i)fM z9f=cVcdnC2bV;##lHn#?T-o5jEaddzK6}$WCR{&_3rZHR1!_+(xIV5>_X#DSxVzW2 zJ0}!*Wqz`DP5pzWj7FkA@Mzg%mymGM94=Rjb zj+-`&6lGOpkD?zPp^4!GjtqO*8gR0FuRenC9tP62i_J`>+!S+?BmD%GB-JchagPH1 
z;8bn3_B=Y&R>~w)VZH~7+(`gW$2s9P{WKNguZcF!h?0&W@x^Sd7K3hQhZTE%8sjHc zj!h+WG;!Mp9#_h?69Z>6XZ$m;rikN}4+dJxkmvFcQQ4IfakJa^TNn(ED zf_?^{iyWsN*SWR%LF#nO56~GuyVW+<4>$4p=V0!-WFa~0RWa=_5;%S(6s$62g<&)@Rz)arEEilASm88uK$^5BoE zNwLY!*%K=gM~F6Qk8bg`;m-}&6{6q{ThZ2Sy80qzQ1+kgG0$kczZxvyLP zUc(4Vc|zA?%Zi2yI6ta0!Daq!<^m}U073cSmZZ3_1}Xe1gxNXGF2cDWt7Z^imu#CY z{m{7eMH}tgWcY+~Y-Ko75ZJn_dK7-Pu;Otifz;^YoeMjH5z?pen#3cAO>cg+XZ&)n zS=XMO`x0xt4Df^m`W<;3*o0A6JAy_}DESsOj;u|a_O9j)N@FML$R@S`|$a zNyf8UwdxNTWIrgNB(^f@oSVNLF`pdqPWZ|hL<8R|*CY>WiQZ$nIqe;0zc}Vu(%e;b zT`iY`)y-AGoZN=$^3CtmW92)B9L`okqed=P8JS3#?UtDl+1%S{c$2}atsJ#+yW0A2 z)Z8jKLM?2KiVx`Z#0Mo8HRt=mU9gWU2eV@DM=^9AhJiKi3dyAf*$F#JLBK*2w8{yP9+zl}X*fP^>JfZaEe2{`WvjzC_?M0_3N{(}Jm)MPoA zKSo|+=lVyI=6`!n3UE*PkFx84eafG0V^?&3cSO1GA^@Mjcmp%cfa{_)ZDB`bc2Lnok$M+fjvx)ov>-(r~%#T#M zfp0UCOa&@old+YYAX9o9X4CT**QgqMa4xehkH!hMp6%b`TmtU^5Cg0rr~s(FyMu23 zZSMYeU%C5NA?$D|yuPupo*A((uE6E;Tu(#emq_PCVdeUZVj>-NCogO%<{En;l~fgJ z6_=F&b_|`DWZT==QH^U9v#6;Se2{vtG}1TR@v8C4?WIAKA+A?q)p%%!zoPzPC99_G z)Adi)+9~4}um^(iNk^Xf#K&7Hnn+EWmc=QQ)md!^930%e*uaEKPq$umZczW!KW}c{8nA^H<4GpnUgS{K&!LDWB+vFr17M^UtCnIskZvk9URI!&(3<*JUgGsAmAKG!OHT-DE%!As!@_r?ia1BOW9FI)dYLL*NcXB1)OK)br z+*5J4W^&zd*2Bi^MPrL5OTMlmvXZSn`6NSwEVDpvec&!fNL4@?WGgm!>3cLk5! zUvdQ2a;f=>(*IS|2Ope|#26JJ<~p$STGS@@i1qBteJmfqVNC^M z4+=qr$pZ|?TEnixe=9rE#i5E%V+($^LjR3qt)&*pusJPAhES}5=Pb`nysdgO*{7~S zJ^~;AD5;a{#k~A2NRKhQ*vZS!jk~CqX)>uDOl=#ps}iFuSSNY6#BO;<^=S2mh9zYE zSlW)jrP`d&^&*A6}4D$sUKyC>;GIdqgGTR8Hu$gISfH`edA%;Y`bm z*S7UlC5JTfm}bfpk-|aoKKE|df zS;i_~PCjpCQ&u^qP+nQ=9SD2uI;!*DPlxOcz_QjdE<;+x#>yOYC9^doyGMG)OGowY z*ELiBpEXNmxMQm-)luB$%L%ot--|-jUdYsgCsZ$E@ zoWq+RpWmIz)!ed$gW0#45dxw-TDj8C_l7!>$vN>&JRe%a+XAZC-!f*@65gBN)RL;V z{=j{OQdfE}-%9^{cVeQCZA!gU#pKOz-iG73xRP?5Iy%+x;-j05NX1b`O*ggYHDy}-<8eOLw` zoYNV={2jlz!R=4zrNG{v+@g4Ldjh_ut`1raybN{xV<`kkL8-6_50 zzA0^o14Im@(8RD#2(Mopu0K*kCy-cZHQ=o;Df;;PI?GJZhj`@l;!#)4lSnnE-5Lh0ge@^Z2;&@Y)#&1! 
zx;>`;(9E9s{RA6>>WZ2Ax z^88qvDR+G3qO^Qv)nW?Tw{cs|jGZsPM#E$g2JK?eY;YsI`o?Rk z(WnCFt5n&rXHT|vSfc40m!;g-if!zEXG}vC#<5bz->0`q1~x7`=aw|?2z`0mb>V!Z z%Ov&7m@RpzDl8OkbC9L+n7G@*?SBJA5?CdJ|rV`8Xq{M}m*EFCx zUYSltkTl;be2dp?i}9>F|Ae8oH*1zLGdsr{!V7j{=ZCA2lG2nTh+(#*m-^x?rz4fG%Jh(Y_7 zY2k49U4-W<4Q4lF{C9ZTMqG$@I?iRiCQLhVY)pMjb_$M#-`AE@Y#sD1GV7 zUCgh(=K0M3vJv~w&9OVim`lH`?e|o%#}Jbn^ms$t`#~p=#Y9J1#1?XY2XNjR0hEJilehemM1;#Y0QYr zLaV}qh**HS{b6}OH+*(jHXB`|{Jr^eN5Y-k#_i$0*DDy*ce%g+pxqv*WDhN+tf-3H zp4i3`Z2Piqe+j3x9Pd+MINtF*wvvP;xU*m?L;>9NsGqv_+ltE+k0tA)$2*qKI*T!_ zE@*>iy~A)D(ISR4&Q8mr2{+1HYdcZ)g2b(-Dc9u|7Ruu&tdiaaFq)oQV<&(+9(7bh zbnjAYG24k)Kn%#$kkNt$9@KD9j=(<}s8rvppcsyynJLpQ`1VbM22-zTmRxYXiUQc2 zB(N66k+@Iou*y$^of{QTiqbMmxVKjDlJWA9gw}lS&82okFu;k&ei4bu4QCiu)Pn}X zI-jk#f2O4XKnWU}OsOOtLqtHz5Y2Hc6TOQrcIVO6Lpcl!Zzn~?m*~eFl#1{hYVOl_ zF2c7lSkJ4vR-7rlx|ozIYTTC~R@%ew=&KYZxE_wOai&b6>*;swIq|Q{(V-{5sUG3z zziAgJNywPRtYL*#PC0|l)|U}qxB2XDHA7EWGJkt$7XB{O+#@k%vU9;sn0kRyiDt5< zc@baJKBz?!J@lS)uvYFRq@w>7z`IcO4sTF(%OCH_37>G{~nKl`9jFr6$EBy)wvsza4rRzVy_IO{WA8y0^Q)}ARCI_oye zlyLqnd!FC?^_}8clfnxJ=~B-t7TjujtMY;7BFsl;6$W5_T=j4M3im$-$Inl86?TX=2i#{LR)T|B1Pu z@mhZ{1e*UyPN1BbA=uJ(Xhqh8o{{6~fmovJ?;JD*SqA-+#+A(_G9F-hz9ktRc$NdF zlNN>mto zmR?|1C$<2~iOA{?r0i{x!+?BhaM&lnN;*PR`%g4f66Ob$u3z0Oy0f7|PtvpNvh2q@ zese@_DzziVx&Tp$yFj1|Y5%8j?jOLi`Ky0APyPSa#+n#6zKR2f(?w_ol-6RXS?To$ zczt_2=YFB?#oM&i+%AR%gYyRLsLFswcrW!5bRx5ulsHGIBxn2jyE&r52_I@QKHcUe z@MgOlewKYQoALW|^C6|RC*2?0yG)(ybzq=xFp7w*!E%F;t@yB;%nm{bHJN9gO!GL% z)=(ibQ90?S1%=JFsMh_P;PP{k`e^gidY?T`{w;I9exT3RxWRg^2+aP75<$#wZ~%Sa zsjJHeiCSNVSJ!M6*Q7Gg>S>uZvuUkzxpzKGTq)+guIUrZ| z!pau*TNcr@40Y>tQY{`!9HE~E8ei0bT_;IZx1zUD-F^i1&)+0x>~;9;)dRiZP2~g& zkwXWy8Yf7+9ae^+71NS!_aH7N$Im9LOdO4{2=-`yBF?7H2)Si+uW+{ZNd}W|04T6N zFax$(>&70t7-Bk-TvDsDL9W2`b@tIgzpey;y;jwsl`@iTCRpckK8b|UiDMCO89Z`6 zABhck35fLk*06xIkPXe8a^jw^S^W|gGY)i3erw?ecvtbeR=55df_18*JoIC$U*2{Oni?xjqT z+$b)9n;4=c1DMprgN$OtgTU%Fu;b=gssU|I9X?%;n6)Gqu`|%8GLKNA=42#Wty~lF 
z7vw50zB<+A4LjUcbY1mf`DrHMm#B{y@=S>~QOkR;!dm{Kbum@n}w6D2(yeHwIPXp~E_wO~6y*cSePB{ul;1 z+H)jNz0h`R1G~12$awjHG&ST}SKgQ^F^wJt2C#?y7p_lCk-cWF$_Q4bYH4+bhIt*n zkAARL8}y|Xg^@HEU8K4CRnwFZuP`_RfRxxp?;FK@K~IuJ%lA$lr38mngE9x!0#>`jM_!M{9VAHLz5&M!X+GOZ2G+#d2GvTbMY^uce|!N-4$_ z>j6t;cj9TsiBFYPFF!tE5XyIcDV8~F28fye*Ml;z7`TZFUI@M~JW{f^yFvEC^fi5< ztUFiRTF&$&x?-Wg--mC^ivC)49Pr1VC{TT1)g2}0Tn^@!EzYt?4wsZRdw6Z`i=rQu zJWrGa4s~2+1cob+9EO3PzuBkhSvv_x*dOXnd3#!Q{b(SE7G(6Y$WZ#qM#`k;&PEWV zr7aM0nQVixuo=T9=0ZJ#R5YyV0+<#EF&BY*1ax3QAwM86D*HGsJZK1WwGXS}ily)b z7XD87f&PrV#0}?_9?DwZaO|&kD=$Wy%iu^;-(Bi}lU<1e`e^Fjk3DQB_E#Vi_Ukbt zj^+S?EP$ZwaAeSG^4fp`1Ka(IruhD6Qi$If(}dH9v1X6vOKdA+aOy5q4YFi!0ryp$ zEGgP}+*R#X3H*7GFOmIMNDN2I55ko`FN4knQ;pwVXGt~tE`6tsGezpk8TTIoKpT#S zA17`sy3&o+#mX=|7d`akvi|wv3Rcd`3=4X9PYCTEMu&gu{jcW|@;l@Hy}1k=cFnVh zX8$i{bM9X^n<^&aX;&TO#EP66EyEdt6xAq_eCMxEThZwU^giIuakF?NO}0s?Pfkr% zHB3w{crIanBU)wu&H#Vjb``6M*5!)2Bm(%Kg2Qvy3->!1C$<7@Hz!?#8aH|<7IB4( zB0Z_AQfbspFM_LE$5Ip^Ze~u=qjPQ0q>*a`D3zIjc|ZlnvrqUg@lP%i03ol#{gw89 zOux2C8-(8(BrxQKtNUZE4u`G+TZxZl3Hy2cvFUKcaM%<*y|%}aQCZI4VK zdslZaG=S98Sk2AM>gKVSiC>QpQH|f(b3mT@8{-Plc6Rb68eF~;Qdfxu{rd#-hzj>A zuNJD0d%z|MP`Bj%3>xFFg^8Dou0XOn*BORqp@%=8x_N%2g86jmk%h=_w}pI;#r;O0 z2Ob&!Hldz>o>1ohIiZN(829hZCx_MzAjtg}v#Cz`jR^Lev#HOeMv=AnwOTijK|mDK zqpdLmDMq^YNXA;NGJ#xK-M!RD|BYlt=Qkp~`2d&cfx{t!D!OD3Rt>h>U7$(pjBK$# z?%8?W8@Q+DQ>`)wv}523Y3Bh6W?wpwA=#($;58Zh1qzWo?Pc@Ev@D3D<2*RAxCZPI_x#~4F!8MI=~!kC z?MkbA^X_-Lx_4c5K~cGe@A~;2zU<@;7J{8VE%;_PfpMo6lJeu-NAaM)QiX9??^ng|nh8m^Hg}!0>5> zdq*>X|CJ-(gS~}-A+y0zo57*}VN%)n4U@J_?a{oA;`KcTRB9Fglg?#+{bzlrzkc@r z0!#{?sK@PewqXE2^+D<4M-9W-5pL46uT^euwl%lp2_;;6+(h4bzQBDtPQKJVRXP!L z{vb3+h|)vn;i<>>3;tC59H*2L2mK{Y;xgXlYRhd3GCFevclO@x^`+5<1fZ?MpR`OF zK>((%3Pp$(CVzb1M*2PK5zM1gQXtXZj&H|5Js8VlEDlN=u=WffA>BId+`jdsP9>Q` zTJ?gobs{y?VR*NbD|K8ykLDb_uX@H=-b)u`7l)oc&b;h<#_P$o8wn4zm&(n7+~)*M0K*={PjP6C{9vs= zgbTjw`{u$7f=3!5uzDd!)JF(8W-XWeLvIEN-Wh^4i@w920t3LPs1B*MEr@NfL7}K? 
zHX{H4Ez4X^{pcPo=%QP+xZ?+rbO9_NS;3oYy)vrc zJkgiqu5>Wn`0ere=+cRo!<%evCLu#g>)S?FeKzZh?s1pC089Aj(f`riV|48weJz>- zsph4PSR=*YB2MQ8YaNE0202Pa_K-Dka3C=MC>nO zzM7l51v9O}9RQ}G4U!HpMF|yMKmRrG|6i2Le@3~~u%0!KpmCPaZcz%IaR}Dlk1qQ` z1?NUl;_#?F+G_mbg{fyM(z#hweBI@b90@NZ&@TNzUWjJUAm&tq z)+`oajUK7!ij8 zlo;wWtvpI@Gm`km?+!a-Qsk=97X=Gupcs-^G~s_ER(sN)VV>;}Djj~ED2G=>mK(Mf zT7%i3@jrkrVzp1ZX_DlVD=NB--7~j(9y~L3qsi$+eo&_yOR&o&Crn};-JXE%SR5R@cmpt z{TK0h2$x={DJ4)j7d34_z}44h$joQjSf`kkpZDktI_5CHt-5TgggCmA$xRw-?dPEY znL7`LWCC!XiKrsQS3^&?+oJN)UPfIFBiHl`p zXyAyVN!BkiKB;k9P8@AwRKHn{`A9|2)R8tqpL#W_o79qc65T$p7?h6N=>?u{_4;zz= zho-u9T=uj@$9LO305u~24=(hR!{&O!K^Juj!J(tPH844yk+3O>N)3bmd(X%d8t} z!iia$yq~O38=MyNF5Y$R@~X|atL66i;tl08L)6yf`hxy$xu#(=xS}_?vt2F{BuvUI z#r3l~X9|wUC>}`QSC(ORtG%!4k2yb@*m!g03mf}QyUilun-^I=J>vMPM63?SIM&c? zOM*ty`pSv>FvI(RBo#%wWPQ6jL6^@;wfEhBWADAAn%vrbQ4|#w5CrKZN)aVA=^{l% zKtKpZdWnjN5Q_8`$U+393n-|RsDMZfE!05h2nZ-G5_;%82`xZ~=UuyuyYF(J`>iw1 zz2}~N#`gzLM609R3qt?-TzR^DU=(}vonT;ziV>d+R9z4P-!i9?{kAPtJ913`HlBw#kow%Ta zsj-0Dd<}}hk+nVv*A+bE-+dJ0dv#lPIhn5c&=8QXNS}r9!*3^y%~a*OJyS5RDRX0J zN*!zubS=phQz`YRJY(tQ5T_XQOqSszpL**$;1^2W^9qe1aw?;!ng4r-0ivLhrW_%mh2fUoVq0${(&5ujD^9-0(i z=lqT}clzSa-O^04`(g{=AKG3lLglUVHMS73&Fdj!jn)3nqmn-B3(xINVKl@ zo`tZCt{5%jcsJ5deN-rfYB`I}!N6mv$#+H>Z#(_y=|>v*C>2Dm4)u$aO~PiRb!c>c zUaJSlr7BAVgOglGu2m&oVCNw?-(F`C={etgeI{VxGev9~8J#6W1jHXX1Jass(m>2; zeii_}GvIq@ac2nr<>$9UsQY%(bFXuJB2Q`&6-$RKZtE&yZYqV+b^eepXg+RzalIi; z+6KA^@Rx!o>p+i}5L}ougoq(NZ4xTV*Ku$L7TfAj&@59G9lF(p?rRt5d2kjp#fkw7 zCg!g666^$gip}qbLmHJxr=>-_Zi`6QyT-NgpA^aPgk}M^m;P1|F9?65xo#3Y-2l`5 z@pw>yQS$D10Owe1RcXCVMq6kfBqQSO$>ayQWldi%dcavIh!We-0ZtHu!j<06@J9BP zv`L}Lq-Y^Cq=RM0WL%^Lz&koFQ24pZ;&!I)Z3T}WLI0(U6#Hu9DkQ9XGc`*w=flE` zM{wH0fM;l$oBGJ+$362D5&d5 zCS>_u>rrqEqSEozpgPZL9VBY@(5Ei-Bcb;kW8n7kWAlAC^p%$|%IH@k5mWRtoiB$Q zm?C#xZmSNNG+AeLWZupS`o_|bFaMx<#h-`NMS)`mF1`x+GHfwmr8aw^K`JE|`V)m6%<5t<|oLg+`*4Qq>#5&UDxSbeo|setjxqL5&p zlFgZ@C?7XAwI5UXsa3Dfi{u>Ud6X}71-89*&JH5{ai{1`V4+&t-CuNe&@RxixK4;- 
z;Z6`sYVyP$txh^!8FC_E&z_=7P`q9KmZQpUxx5TNJLJc_q(erb0Of_^8y!Isyr0vQ z-{XzHE`6OCj(P-cYP=kP(84`9zHoqp49^;T*OiNq!cKVXdQYJPox;?wx@2THGRmw9d$tNIf?Tw-v=a+31_Te+)UeDfF*ko^?HdGMGWAJIW_I0Gh z+E)`BV*?B9+I5Wdt}q#Q*sH396#Dk^2n03k(=6 z(GEhp^S4`>J*Ig8p@tuN(*s(>QhC5tE!dZXph0Z>^G1}*>E1f*;&o;8tUtQD1mFdER@s5sNWu+jC!HLA+ZhR zqiWR=JD(Rh3~!>(OI6}%QVGiM5sKb#@4Y(dI6goIRIV12kPznRY<@){*;uzPqvQs) zd0g%YGHm`)MTSI~WuSIWvZ00T8-+cnp`Ggv6;itNcP1vL|6gXN8ub5~n$j_$5{Sp4 zLyas%uH92e&!hZY-N2(VA%G9s98q_Jb#{Zch@;>eJ~v(`aqLAa0D{E8Ih!pZbEZDf zC*=B?b^_e$X|J+lEg$t8bIswc*@uUjfwLpOPnXpn9gk#6I#$$prkC8UY;E zg`IV5CBwQd$*C!5ICCS*$4ywf(I5#wHeurud7YJcH0c6I->qX&d!+%hbJ9^XwP6}J zrLMKDj;XA<&~iWPUUG+said~d=@SWZC^>w+q3G-!VuoHbI;-a;5ib zd;aAVbB}LFIiDJJDO`t|R0EvqWqkij33*9hX{2J7Uo|WjW1KIp8<+1;v!^`Gbj~Y8 z_%9n5X8(Si2;m@5ZhuRzW2U^w(U#e{)-c`E{aVJGkzIJ*=+fWZoQM8(r%YP-FS%9z zGwA)t$opS8=>2mf|2dL>^SJ%bgXll66#x5PDN39X0t(1=15pLknNcfe>jLt7nqegDYrZe^w} zeg(Ie)eQ8xQ$L{E@}HJ8|E0|Nr_|U9AX%3z3LtiWwrbE)Y%Bn4i%u##l6E&00QER9 z{h~WCaI@d#qG`QFStAZTrypVGoFf2j6Ub5NK^A~BII-9AZz?P-faF;=h)Gv zU^KwqA7uTD7|UM`8}~e+WQmpo;OaUCLAD^i4sy_V5r@x!B-ae+=Klbqo-lPB1DVeB zCy2G%Ko}|RZtNC=JI0*oK;b!P|DtW;HSO83T1Pd8DUNl8)rInf_AWAcSpY<_a6ima zHx|6dZ=s=BJ`CN@ovLcKmn4mVqRQcSDEB9?A&p|~?Cv93ir=c+j0cX4>;DmIM}yct zGYB?-F9TU;t~Nn11x>tR{9`-4Si4gP$J|aOUY@T?T<3JF?SJ^f`xo6Y`EoSRqffc& zX3j2|jXkT2rCU~d%DT#}?r5A&nKT)aUd*C{-7c8#fQO4cU`k*&zloRe%D1XH zp6qP_q>EAsfPO&-enUh7mrf=MxGhVRbSnOHNSYN%WZAP|Ql8wsC-ujR!?oLgoH=Ge z=alPv-%Q&i#zhMEV}FM_@W@#YX9GJ50d#Qg$Nl+ESBnh`co)i?XN~}YGwkbI&aRQV z{JZpnLxaX%F4rtvO_F2W)?Q+65g1t*ow<0k@}5Zx0l5G+oWGwcXoi-G(9|+q93EGdLX8QN7d`~0td%TDD{BE zsjxbG8TnIiuc6hSN`BG$C;1@Vbn971t2_6Q5+7f8v$w;ngQe%8IB4=psPFqH9NrvP z9s=1WfvGKoU8Cz(-KP3k2O7Kf&Y=jh7nU|imCIjI8rjWvd=@YFf{7$!*0o}&Vqr&M z5wxUA)`W1iRw?dr5t*xlBEEJ>C)^KFui@C?UdG%JWP84lk=7-(j=T}6_aarOVm=N! 
zd3XsamC-fhZ(1KHOP!#ja0F2&EUdCyPswIj!@&J)-o!1ee(>Z;vT6g%A?R(iP6(p z2EYRf`v zFN~MkOsJ*Ly$M#yde^B<1uw`Ip;$5vvs)?)TYu4AHmALzLG(el-aO$b|JrV0ktpS3s@3cP0@#nK>$mO**4Rkoq2(2 zCM~I?+K?|f$5NHM_L>eXK8*O}4;tCVY9?Oo@#+pxRuz?B?lJTAcS4yVu%?N?bh|zc zIyg^N0y3qs2%1nL#Wd>}kO>5}A}CjY?UVp6{e+%NbohCYz(otu0d@)KoF`Ct%~PcZ z5{(*>z)NEQRnle*z&pL0G`58)z)vRuv<_9v?}BlcVDk>YH1!~nb{zY47RdA(1~AZG zAeaG%_fJ#5=w4>iE-e0mSkfU*(auT&42+nyE7{3v;Va6}{T&eXBqFKv_a^I5ulCac zY1_mZEcJp7kgMeQX{;j>%rNu}yS1W0ISZ&%{=H@;+}&mQGJ{wgLJ&DYEf-9Hg z@w{kEt7f?MsisL;jHMPf(+Baa=(HC8(e$y7DZPV)M*pLC)DQxQ3vNl7`n;-w?)d1C z4SO^NdH(3^n9kxv$?)uF;ak8Il1BHL?{>Q-q2~t*@X#5pNwT%KxG64wvsM~elbKlS2OXyapde;JF z-DI^ZniBHT4mI26*iQTFNOH6WWV(SjuO(RpoIO~>jiRC97^~+jZ>2P^;#PAEQ8#O zwLX!zs;So_T-8}v^nCNQ6=U4+;KwBg0!n}Fz2Db?ZDOZJ{2*1G;*_)6$nzX$I*jg# zg@uSuE?dpM?WTVm;V3r0Eu0KyzfULi7?| zoJmneO%Le1eS068aztet59a4)ro;3{yK&o8Ydb@glpbeYt--`m|9Nvgw=Y!(cBrr0 z$bY=xFu;;_mgZAx^5B3Q&^ia)B$9U=zDwpsnhcBuev%XU`N~~Pna_`$_oY3AdB(up z&cEeAJy+!uB+!YuEtdO|rpl>{kF#V$V0s++kEA{dytXgE>#c_x9>oGd%jwbMY{TSX zZ)snbl3|)(9l7G#Z`;dndnn0HZubjLT3yk`nQi&K7gY^2lJ{NG*UU=&`=0S9vQ6kj z?u5?7QV_{{sxoo?Bmo&tlOZmo&m4gu!^Q6FV%Ua+Wf8eRqgT)#@oD(n)MX8uk zt9qX5|6V#SH>I~GllyDg={MgyH0fA+`);A^QMc3cjC-}kEpW;*du%oX$n3+9anH^+Z-hpOL%9@X_dWGfm>$&cQNalhfJ$ zB(X1#!0f&*;ghL2vEl9x`Xm&Wbt9|kobJW5)CCIcFc>aQ#I3UskQYEFSL*EF5p)v7 zhTlJ(OCECCOXl;1)(c1Yx0dl4()*xb^x^G~uJ+C>Z;6f_;C_IziHqDnX5i<9Ppk_% z202S!m`EARMdKj;-wro$)5zA<86`{&xbbd3QkTt(5!KgX}hg=_a+6hj31qKhJv`*RaI` zCrQD(`%Rr{Frh;N5D>Q;&b3-&NYznp@*%h0N$i~2dCE39|N2$Sb;fnC(-)^R&YOQx z`V=*DtOM1J(%xjW;Bu&KR)(@QVi^=1s?vnjImizTy z!YzoJFwTR!q=Y|w^<$$dBRdaGSk$eOsxW%#dtBzzUw9b8AuF2@?-0KwvGC@?$qXMd zKv4J_M_8ZtRb>tzmaBOa@`63`oOi!I&RW?pi@EaJ_sNrs$2MU7s_ekIpRsdmQZcP? 
zKgibN)$&MP??Fgvk4fFD8dhuFOHj3D%~yXM&3AYkD*GE>*XGg>Ic|B6->uhBoOTyD z0{_F~x8YuA7SEv5@W*-po(NM+;`esB)*Hg6@Y?;1&RfnSeAPL|2mGG*i$lQym-kvd z2z&_cCHAE=;!XG>>l|j6a=DZDWh3$2$#gtjA}06whBd1V4?~Vl5d)Mr4K=(j{f#Hk zHzDms%G<>2F>AI38N4`fy*3Wj@(#J+24l|`fr8W_nHAwwE*Co# z*|f@y=_^EZ8zyyQgA}jaWs;T6OL}kLY3OdJM!ynpV{BAsL!0Zb`_1p+-yU&zhxTJc z<1F=tP=L1uaW{`J7NXZNvZz&CXXO;hlXrIleh0%wxoiL z*;cz@SBt+mD7C}=s5Z@iVvJqpNx$nk7_>k?8PG=eugXmJn1Ax}pyZ5h^I-e{#BmsX zAp1AsmnjUyfnlE+Tb4jWxtDky=e&z6#wJ}}X$p0B^EilqJN+n!wc+l?;Y>NeZ^^eX z-kMpX4X;K$Fho>3ps_L9uZgD$04xs$=9LdaFa+BqD{(+wx#+{{AfDju+zZEK%q{s8E0f zv|(s%8_WLm;LT*}8EkbWHpWWwTE>1s(Y+9s$xcl(9|YhIP2z~m3&{=WX+6kHO^wt) zOjk2GlU-?aMiLBu^#@&`tB-sz1FDwd{}W-_JUQ8|;U)BsSI5<2QufUDBWiU5RW=(E z?}+Iub65Ws|3|S{Kbb!1xo1YqihP4fkL_SFnpuTBWmH;wOM=V1yeLU8>Q#65-3K9B zY#+N(S8V1O8N!3aJr9$<{hjXqX>0|Y_@V#2hyF8Z@PA7O{jW|MaBvJIx5MOGS>HR} zHjy3EEahjKjmz53<;f9pIq-l=Bg}G z*=*0mN&LZ|hR3jmFla8@2a2ux1_E2;!e*yA?PT(5t76@tbF!^YKAd**V#pWil<&!> z#&>AqGpW*NPIq{@48$b+9ZI&_Eq~fe{Y95u{dUFCGncpT{QMjIo<^FLGi=$-M=kgt z9>7W-&Cagp{-SGVVG2-cwSG!scd2qPsUH%qB@@cf4|qg`9o!{Uq$~=ydhI9*q}OoU z8j_FZ-9MeHULed;?)Bs0n;Oo-h;h5xPQy@iCD6zDBw>uK>g$UXDtX%zxxO1#KQrHO5z~}d4K2xIhMNw6VA{2d0$k_ zfym$*wAJnkL-MR`Z-$k_b<4|XKPq{>T+TQxu1VHEy_SZ5c1wgk{5#1?pCclsU<_Jk zk(v%x8na`^A60|Xq;>~d$vRo$>t5T3n343A`fQtj++D&=$jUdUcp57uu|xAtFtg6B z7%Qo5U8!oBG0kcJ?)HmL z)D#MESvOlj2M_^oix^!i-y99&(c$n7^>XESqQUB5NAFs z5;7z?iGRF_j+9k9y~6V7WT*;Umk1!cS~Ub<>O4cQV~bU0K261)VK2C=_D-+#0JqKz ze+Zpn;Kzopj{-S{){^qV$SZ`m-$5J!0jM>zD!G55MUAL4NA7 zsNO$~B&#3tSIRMnAfDZl%-RFGN;0%x|JHr6x zT+(MQs)ELD>k43*f?=Qfcik~{fRp?DuQf*BDN+v1FdZhT#^VYWaO_;%~>u3QSsD`~v6_RxtLZ4PaQ z58J5Eu%Eqev|^JB2K^H7A#cZssTGxVjs5YYor9<+WE zThN>L6BaaDHS{3vD%bh_-B@%v3wKf{_hCn41d5Zg%F;TjE(90%;O_sTRZ>y_i5mF^ zlH5>T1w2$VqySr*66MR;U{A|0wXN^0t*w92Ic}4udc5xq8_bA&RJRCN4Gzi0^?Tg- zx%(dI#q5!P@5R6MeG8i~$%iFLw@%y^P@4;UWPBBU^O}sgxmv}m3)3vn+#pefLb#gq z!@}E@{;`maYbafdTyYb;E($|I%%I{VsiH+U>~0o&JUii`I5nxYq1K=kEEc2c;W%R_ zJ3_mYyup|{#%IIo-Qk@abRR09e(I=jT~LHLkKNo)CbwMLJ9>O;b>+qmiY~>vK3ymA 
zUb4xqr~X1mJe4_)KRDQ8_5Sih?@3!A$*H_U!=A$Q_liT#zutOSAWg)s9_W-?!rcZu zP!FnM`d?3!uz!11GThYxQ3JQA%RBoAvBdi-=V_mx_=Y=wFX(QZmkc6Pbg1QYG)=gP zV_D-Y+(0_sovStID7U1{k%?Kt#I8f|&RAGnRzoOyZJH5z$-%d3-TU@*J`Rdkv_FKgHHzkQ4zV0HaFw2&&UU!=`ZsAZ0vmBT& zI_jS7kA$DvOjzK0u|If>yt=X_)OhUO4*T$dqBN)B&~ub9hglfkSbe|(I`6( zkDabFd_Ea~Y~K{L4(K$G0duqBN9WDgQ2o-VA0Z60w(;1P(yrS!#Zo+R=KdxUDFs9* zJstbfx~WvNvBa6Y{=wnb%A zbMf`OUYEf69=EQZ4tQc0VW+X-p_fTwO~G#BQ|-KoFG@B(r>;9hXpahq)SKLU*mRMd zTza^8sfL3b)z%*tDoZhytE$bd`03uVlKQyEbzd2zE}N4T){?Re&5PBQzv{`}E-sN& z_vW$Zt0v+tf%Z_*x4@ksRVd)y@>NADS}g+?PJEYnMJiC+Q&%jw_(uEko+TxC8q^Ft z4nJHi>V7p56}}UICs@)3i|y^To;}k!`N*V3pdOcvXq8{VZeN0{0QJKJ;5^f2@jaCN z`!?v@PaqxZhwtnAYI{T1!y$~{E5qZM&gmd{HurXM-CQK+*{gE*Sk6u_Kg=I2cGeY1 z*HiRZijp2HFy@)4v9zkk5sklB$na>t?m$O-`erxBw7t^yoLZ8HrP z07bkA;ws?zrIH4eGIgkOhJ`>)k*gI&<099T18#H0Wt8kY3!ZM3HD)>BnH%D+=8I%o{lL{-5n6}7~Y@DBi2{`)LW zLIHBlexjmn%EdBDmZN#5KF9)pzU=AutQ>l%Z0G=zEFUmMYrBixCcu_!5JR1`C7Rj1 zaZKD?+D`3gl5r#-Pjt3{m6UySNI_<@#TE!SX*}Ewv)yZxK0QV`Y&uwsD!EBUgLNgz zh=>?!F;LTNspAFn4rSYCU(T$hKf-Rr91vp2 z8s)?HRG$qmek++*f_XP4hDbi$!-|hSg%9(;F>Tdn7SHH5R2mG>68YHpUetetJg~7k z(;G}U(RleN7Gpe*UMqdNM-tXH*DZWSzXEf9oc>%ZMA|0oz1e)gax=8NO2 zJmZ?K8hfdJXoT|SXnSt;sP+Z2g0{H)O1<@&DI2n(oSj)!@+t|Mi){VAjGLrC`q0P+ z2O^nM`S+ck`d*=#NX?(N+B~d+^8$}eq0fG3`964tHO&);kK6+#u?{0PW_J&@5iakq(5?J_jW*DWJSG)q=c&G zRwH=T+tMqflv%=)6D={>pM&Hj^c% zH=awuLB0au(*fa{k$F4PPV3h*C#&ZDw&7!LdHGvBubs_``Ko;z>JjgD#acmUd!{ua z8`+6NTaw@Kib>9SsyzeRkr(1hcSXG|;EprF8hioz)Af*sl}hi#bU=ATSOzy$MDCJ0bBMSH zGbPWi?9Fs-@bl&q9oP61d8?VuTe#nR;F-~2x@$)%`~<&BahrKbJ^v}7dd)m-Ip}$a za(`}*=d;ImbUmgsRdY;^ky8R4l^@WFZJ&#Q;&&=Bro&h?F1`P7({8uk!BSZ=eN-y* zg4r%@g-q5^R$z$?y+U-`Tl+Di<~_5JK8phC)tBqUh*@PJ?iVv6nF<$5lO+l`9Q$I84F?=$)$uk*F^bjRr8X5TBYoLg3@%Fc7)!rNu8 z)84O(z8P+>)0HfgU4Ih&vYQRVR`ZomO&d-3^h(@PY9zm&e81GNX{RKUaQs>wL|>%Q zC{E!JnObkVZ#vz-mO@}mq+9tB5M@IWYdNzceSTuqj|L*1!&EIhGUfA1Vv>bqm7x-^ zxagd!Z`lt{gJQQqcs}TmR4DIKsN%p*aZo?Na^A?z*RHOUzjk_yJ1$Wn6OK)Lc-BzK zoriu+4;;No*y?ZU_L`uLMUFi)4(x7+*gIX3_x`Je7-%S_VA;y% 
z@yo2U8AGqrM~>?9rKYCbH#T;0nq3%QA~E#)d+8Vq-|W=c@u!o5RSnUVnT9yC1YHlm zl9^{;viG#OXCH@!t=!^R#ImcOrQnPxjI$_UE_U#S*28kgbn+=qHix`FC#?dd(K zG<+jQd82O1GR~a?FV__oIGbAo;)Z!H=6(l}NMAlpwc;Ut2~%Mv**cj^Vf?Jx;J!%l zT>01Xx}WPt3tdnZej|9bs&bX13{h~u9c>Ze-|I4h&B|-G=4wXrQavcg97&h9gMmXs zVcR6Qn)D=lrm(BMp)v2_@k$x1G>_L(%^3In(9jU^;LTAe0TkURNVOi4P-XZ;RmGA7 zI#LwVrtLJ0B4#ululPHNJbY-LlJVeJ#-adZlGiWOIeU3`M3J*})XGM?wAsyrJ3%?y zI6})vrhty_SW~+tN_Sz$L2+42)Mw;CgfKAKD`mNX`W(*>KFM=SyRg0j(nrN@S$D1B z-Vt#L>MYbplro^cV>R3eYMxm)ZMWwebd_Hh7x2Pw%C=sYikC9hbmJ=zwPmGef4_&N zI38WloH6|fn-rn=x@8x6>3^cg9?7rrjfUM`_h!?+Q{;D2G9#%Y7>72tt@s9$&pz=f z4Ypfte&Da7j$$CyA5iOU$~9Cmx`*Oao#ffJI#tBkN&))~4{jFLG3qThlTnY)Rj?dy z_b;>GPMUgN%CtCE%026s*v>NQK{!=`g5UdIOyi;iwnU&VC#=IHzYYy4|sYQ&RoCIV0VBBuA?1J0vJ&e zLz~Aai!I5qzq98Mb$XN%ZarLiBsJAimpPZZE??g6o`0jGZ$B*dO4p;>9U=4v!g1Zd zIZJuSoqBRQo~`v>9p%x1$g94GHu}Z)zePPJMNVA0k|!%89*ho2(sDS;f9W~rp>KmC zlh;G>2dSl%g9}yFSlYeZ1Hk5EkK%DCM>Vair=$diOmo9!-f#XG+6&`O?yjBe7kxAWpQ>l?_TWzEu&RvB}AqOT#I2pFYoS zU6G8Y!^^c=jLMr0_ZAMj%aMx_g7oy)x8GFd$`F@1>e4AqcMRXs^$Ah_od z<(d#IJBjC8rxRK5OF(J_SF|=Axn)xG>g#^Q@Sp^SC4{)wiiZN| z#S;Nf^dYCJ;sfbOd@BV|gUs;22W|Vww>RdiueKccaIE@R2)H`xZP+eb8&p+U_~Yu) z+x329uqhXLVJ*$1)eFg?dQ*~aCGU?$DD1#))7i$@|C}aFyheFAgFU`l`jq*zSgh;L z-MREO*^tjXdS8W)y%Di|%PwWf$&FV!Tl<;Tr>;s8U5r!sqR#ddappcn=&-fwKrk_X z>>j>-=!0t#Ub5^9pN_1+Xov2K`sSy4$8=npV(cV#%hx<4XxCqVEysaL9S^HZ#r~lxVqRvApBgA4yrwGt? 
zJHajyeGh);eBaz6=cf83YIWylrEiFnC@T^m#s>wI+789=lt&wV0=H=^%|10gdwh+9 zfij|$m77nV%zh8HsDs%v68EB|i#B~j81D^ByY{WZV#kyhlIdT0#dYhEkImNPqdl0O z;&+DQ`|@&rt|)P`1&*ZHjftS#0kli%iI3A>G65W0q#iL|g{NCo`<20&h`IHJ^~-4n z!aw(y=F!gP#pW3!1-8+sh<>Z;NwRJ(SzYrewekjPbaD1%=W|sXkFzfJmj@*`e2(;y zm>B)B#|Hwf37@a6fIW82fM!Ih3YWmmt8j4LoTt@tl+QCCql_D4Cg%9wI%<}RI3<8r zm`z*iq-p_8`2454ybAP4=3Nr0>#zK^zn#&1b)9<&e0Fvk_lLB!XnhS)DRQws zRZ}9RE61iXVQ#MM(L0eWZ|i|(v(|28h0FIvy*cZ>4RzdQgnXGjm;q8prJLV)&D6GR&eu}X+z^#aHfnT7dar_5d zDJQ_?#>?$^@gBVdf_au>dG*~p<$@*6H+ux-1|*6g$8T zfGSYbSJ>kKk>)bX(FqI3F9A^P;mTXtP-jl1_sUvv&U>6)qBUk6!{o1HVPRnjGUAiS zJp8hvjFsh>rjwKVb7i;n+4G&eVSf~ScyMe9jL(hoDdQ-}+vpy#L%&AOUIyenqO@5g zQ`stAt_Bwr1`J_i7(|M*R+a8C#t0U|id8o4%%3OKC0o z<4WU6pzdM;CG{u5O`j+PD7?Uop!?OySB1DOXVZF4vS(0hT*=%Ph1ykiTKQV)PrD`6 zeDzZ|a8*?)6)VG;mCEz{23k+nG9JI*F)81-7hkQwdea*om7rTcQfLBBGZ}b>c=*MU zc#WuyokO$dmhLPY^GZdWB1Xp~Gr~GWGMLo3c6Y0X)Y&QZ?bU)zjQIf$_sa%R^2JJa z&uKj73tIP+`D$KwUZSh+R_>mC)~92|vZguhIRj#Sx)-z=>#L@3+faqABPr~n7FJqp zyh8iT-QEh?8_MRP;7rc|e|lhADh&YV(lITf+Tu&hLxS`L7ZtPNwXBQ7pOOiXihJof zTNyfiz2Cgrh{tEc%pixdIs3fm`E$#n0arc597&r6gZ4ixRz0KS1-m`65lppydK=WL zszdcn52K?>G=veT*RXyf`L}}mnF119>ReU61*zgOO2-fStWq!1eD0cYbMn|KeGZz{ z*E}l!G(a^jc1EzPa)l84Mh10gQxy%h^#*rrf9@A@?%Mc1O031ro&35e;*cR711cL= zfiz>IcWJD(B%mKX3Bgy~*jC%{b>riK#@|Y+mL=+se`waY)=w`oZIJ`#IeO>A@`5IU zY)9Z5g>Y0|-@MORVkFKlxQ>o-)`iLA+U9Caz7heexa(c>lijBCI5+8#R9s4V!;b&z zoU^OJ02V4)Qav~_QZe@J>)Da znVy0_yz3ggXBXEHxRGht?CQ=-U~CZdjr6QjOt`xzEAw-uO{P=TY*hUe z#h=FBE7$(4VZL}W{e$jIJxtl|WVv+(IAkEAI{pKFJ@*YX^o7+NY83YHoilR zugG)@u82HI))2MuPph@M6KCOX*WkGXt&Hl-Z#=PNt<_%j0-xDY?7OSHxq10eF)gpG ziOt^jA*OP_W_F>O=R%giQ5qaPlgTpk`3>v~jLn8}dwiu?$?`%~$@9}Vj29d8AS>{5GUEIMV^>Uf+uLdm`W_>{g4wW6`A1^UeeW-| zP8clvZ-VP#{!TFaHlu_~x5QDC&VE0}pl04(K8QG)D8&cMB1G!T{zR$6b@CQfg}2!Y zzS7KFPFB4+X49rvmMQS2=}o4M*hfNX+V1xug&qTO&>5;y9Z9E|})#M&H(Ifp z?R-k7_X;dPpZ-b#nhWnT<_!Bh5Q0xgtusIc&FLu+_AegT)BMqmFf(eg&CC=FaPF-V zr$oa=-8918eTtp#lUyfRhJ98G=f(8vVx+H)+8IUTPU`TfAPpaqEY_2xquhKKtBLXl z=#liQms7`d2RaHbg-jo{8#nsiJE 
zaI@Yzcn)iVa~+-!05=@~fn?_fl$Fv#lV+JjFQj~SvF^l66un6r{*b`-*0PU^ob66b z=Q$-)6DO)9o*a=o=vOy6rZ6zxXAR9a%O81tUl?5MQ64Ov7Cb7I_2g8mt8Q(iqMcf27d<|wwp~0}wFvc`6d)a^S{vhUR zaN#?77&x>2MUu_>*GtjD5`n4<)fT&^#AJ%w_N^~4=wk#IqU8y+Kla<9$6FEd*1SXa z*Tb5LL_+bzy)s>EKm)e~LlZ$&*9Sj+G88$+t?eL+eYALZR&}rw(Gu- z$nvLIGDNrDBCb$S9d6y6Q$OtO+@CS*m_KLVO*${{&SM1Wv9q9PfG|XTSkRNRlEpg= zS1Mjk^?ydOXg6vk$uF0E!bXbeXl^l>nZ7zZ=OjEzbv_iOXmna+DPbCi(5p6Bj)|X8 zTZluztA>nS7xOccKXu*+i)4=N&pj%0{nOv^)EEWQ9>mf4l4?_cibhFDqXjfgh8$`z zfo|OLZVQzQxt8y&zVmzPaftMAE>+-#} zm-gY+b(>)%@b16}oRN_Dl9LzF(zAKqS&*T&+Rn)`$|90`ruw~z?dC6ex zyN*QcOG(<5R?m>aPt-eP4fH+JJ51{L9x0IJc*dF*Lun!4LgG{l=yZTZn`uByrzVgT ze31|w;Fddb`Q{#k-%~>GWB)kcd9VCRHd$@hdxcU@BY2uKcylwjtZ@?(wCg!Cp`c<5 z)9tYvFP^Jyn1cHI0H`h2MoDKRvpSoLy2gma=7YhtB9oo9$8noz>&n(+!89=j_^45nP(Y{e%= zt2!3h4JPDbw(5qnhZ-OzLbpf!v|m9d6#qA`x1!U zMK8#Qd>ykfeG~&{Z9Gdl7ZzAV$+oD+ZLCWxNVBfIPaa?KKZUwTfij(T|-lmQwZ1)yiJczfkrfhI=+(_~R*AGvcCXEK^v!Z?J2f68Z+f zwbXTEZde^{3>gb{apZm^Dv}G9yrG0ag-8%*dC!Yl5;y6pE;!M#xKMx50YIG> z@RQ$ZB5=KG99*uT-GhJy+@6X(WG+waGHJKtL?1Jflb*|PedM1F`zDL2=3ZT3GtMoD zO$%P8gp6g>EL$Y7N$sYlRnL07`+;ayz`7u~sP~7_n{<>O6J#3~CnpFW6q@g&X;>x^ z&7Y+Ai!KQA-m<%_3nU{F{~=@@$^jJfuZNy|3T5<}K$s)V6HQ6QWB_D+C4z0_r=lm1 zm=sS{sw)$RaoBL

~$}69$3kRADLS!C-}o5VtKAFB+n-6Mv%=fSvWKu>vqNy8qr6 z3Xn_4_(ey)gT@|mJN>Db;PP*J3Escxy4Xg3(XBm1{-V<@E}R5n?biy9RR~~Ys>)*lSZ~hC%0Myh42SB(1*!mopKnDii{|cHiP6R+xVn=Z@h-HP| z5QzN-7!Y%SS|bmgw~6(^=lmF6csT?XBWrEeI#~X@y%~Fq1Hnat8HjbrFTPAaK3J@R6X? zsqa3mR52}fEX^jbmOOd+my<;7YDCGmbv=j0gl1#|}r8bD7%-E8~ZMJ0de&{z8P^_cP&-9WM)(#o~fLM*Vx_6TA& zp&bxqMXtp=e2d{8eb4y9q=~-EoIa~|aT5Em&0*3r)q7eY=&DWunO3c{;6p@?)@p-rQrmtER?V}|Ys0uvu^~17vh=BAKAP_|a zrA0+SY1xQ~)CdG3H3C8q1f+LD?8V?zjJN;1I|9t@6yZ z=6vQ{&$@UJZ&DKS*%L5tSA4 zcI)~``1#APi{S=!Dg%THZfHMGz|FQr3GKqFvuS^5+`9M3V{PVuE-!*XY~FhQkCMH# zB(OO(4T#6tSVNg&-YP@BQ81VN?h9TB%LSoRGZG8(=PnN@1Ya>0b3alwxc6S4ze+G! zCK#HP9DuYL=|uo7=CZ@73M%#y?ui&gw!AkoU`?A1HtwT-h8zQ*Y&oQuELE2U^h^4c za}(^Z7Xw?Jo+$~hX`Tl!11Ar}7xqIRkd2HGsB_JK^6Nu8WsutILIa*2-=Z5ZNK$P} z{Ygl)Nqs%Ljt&n%@~~bGLbf1K2Ce%Fp0TpEfwXtkC!uqmI_;CC9Ow%Rke_OplXO%4 z4e^U(l4&w^hp*o*?@~08(5gv}#C0)^KY(%kQa9CX>DL#BOy;h#9c!3q!wD}UYb_|g zgfQRs{g#4kCgYa{&WTU4^M3Flh<+V(O#Cayxvw0Ph;YN_gSts2CtX zyN4d{{FUPrl&Ce-IV^QSrBM_9syPH1**Z2(`D=CSoo}}FGXIW%SXz)m;0hr z?sHIT^=EDf3@+d2_cDslCd*SlVc^$^*&UR;SkzUWMw$7WTaUkGhibP(bwbcxxCIeT{L{_x3IALWT zi~twn)2}Z0$lQupP9}W@h3NkdXcVnt<4Moo5slcI!_c!czzE1nt%t2a*eq^NI~c8! 
zh%Fb}ckkGTf{l65_oTxDqpSpT0M8$Utc`m2v7(EP`7q8R;2)ic{V^hf^}2|IWPJO8 zK4RG6WK=b$o#ki!r#y75g*okeH2bMWc>~m=j{+coh%fZ!&KBH(!S9FXb)&V_8 z2sV&|kb`JGe}3h7`Az-0EgFP=>&U$!1JKZhED%^LN8f)whxAePGm2ky^ z$}9|094HA2>YKfL@f_?PQ(hO){YPVfE=`fLb4tC0HodKiGB+h{E$MLJba8YpsSsNX zrF$^xGIRYuOAv!}=#Q(F{*|NC^aGv8-)|!gZ360Kkx)mh2`gr*QRC0fx^nl==V+Rb z?kx)x+z&5Kt57|`P+{JozycRCY(c`gzZNGL_S*1CxqE+?Y^2;1&Ij&-UTf|uiiyY0 zo3n)^G9D%@J~9jt^YN)qJ--k#<35mfiv}2X!?5#p1|v&X< z>MI2aR4(Qo1NNE*)tEiem@b@(!TgM3&6_(zWsB_DMl=vm&%uPsqNjm249uR%nX%le zAzS}$%p+~+nrjf!nD~60HJfC`!ayyjOR_*(ONt~Im;9dNvOiTi2eqaYl1vLFJeQOgj)mQsx%BKS2O`5>N_U1;To1{~z{l{T#=Dx-%M&`WPn_#SDAuBe$x9{AKcLE`kl^(E6I%{p ziUap;+3c*#r)n4Q{WMe4LKW(gvinAZy1@sI9CiUUPwpfj86IDTlb=d3rBiMpB&Yw@+I!mEVS%2vo*N}P#I6z zrVj4#pA^-9^2XXiejc&eEPzl~MQ0ApS9KlFU0JQ*8i&_-x=5N($i2{lTXnFg_%82o z2^*`3&_SLIea{lShr#TO`bgTZZy{c!!0u5@oNF<+J)tb+$q_7@f;I!!U2;;c2gx&2eUwj+kys^&;*8)?=>Y zWv3RRc?-{1<~EQt3}e?-osb_V_ReQx!I9-?$$Q3OEKfzlL&_d@NCSl%ZW(i`I6PLd{Rp@xLp7+hZAfP_JQHrX$1SYlU2TW~)EWfeH3faYNjB=MG*@PadZ;Mna5c2Jw;X%|2e2cMiXFNbfHQm%o1U zppxFRrBVsFal}YV_RCbc{j3;oQer2=ccL@)MB1YO;oCYD%Pt_!Xn3+n{567xqm#=s z;DdZ2f7(JfHGS|F@5orI+>)1)U?QN?200438L`R9NpsCY-(U(2wqkAFc*H$gp>qn(gWyZ$4nE5-JAmRUv8X7vNE@ z*fX8K7Z@4-)`+#rP%9^w78QuViRZD`v@$36MO(MKsa&0tRw^%%9IReoFEwVd>oHkW zk`YLyMb5_fpbiu*wRbMJ;i;-k_<0kIbQ@cH**?GJr=1R1-4E`Mxzx`?_5_Jrs5NxA zEvRjPknfq&xX#Yq@wY`ee3>?_e?KVwGACkl8-sA6)A;6~V)^8ip4p6^=Y@9;WSpLq*x%HO>O!`}hy|5b0{ z=Vx%*Bq)|E4jPsP!l@0sgu8CAgH;EUsnc6qiWuR?$77U^7NZIm5`PCgM!@##+Zm4O zr@wO4c-Df0rq^f69y!^?5Vcu7Xu!p9W?uL20T#>mFI=R;uN=PvBYVkg=U9uyREMS3 znd%jUZm~2~d3FHWD`BdwU$_Ed{oio%^Wnc2RX9P&HE?0nm;{*!oLmN!ZKx-l?Gl@? 
zm}=YFI#aje(VxDW^S%YMBACUwjB(c38&a z=S=H;!?1BaD9c(Elw8W(G-`+t*%kL2fE^(HI95Z{Zy_inDN^@DsCuqWFTJPZn=>0~ zXYCS@%&4%lvGx4s?*5j4FY#LeMJDIZ@tIhpuKqL70h7+24iY}U>FtF)&)u4+BF~b@ zWOoPlsCf|X|9U`b`7Z*}+`j_S|5iYHpSDbfR(PX8u?l*v5kg!y=zQb;_bq)9CvlN> z`GY!B76v%v(_MFu=kIrt$Y8~Qn+k}UKJd07nvW)PD&`|U)P|v5|EEb;ewXW!gL*eE zscV?uwZ?jvy@8wWz8ZY>Rg*`ycXB3sHph5oy z!@nlgu_~*qx;N@CTKyk2p8ulN|52d&e>1HP!_)c)Cet4F-7ocC+jOpUha%JZ&gaj% z92{Do#B)7=)9ANA#-mr3vkPNs2QJxkeAlp&YVLzJlyromX^2w7n7jpR# zCoMfQH81qkBDk`zp752!q6hYs345fn9JXMWm2?_%S)14uk7Fh!Q6bKpAd4_?s+&8_OIYQ_C z%FecO!abm*z!QXp<}8LlbG-P~FKg%cHlHI&r074tB^oy9^*fp~y5vGG4tKJ`fsI1v)z*NAy8ZUKzi=$puFoWpEaFN3P~CYa(Fz~-a%e5bw!x%s~be-Bn;zr63UAFAJ+-3nRIM@j(k zQV_+?abI+yT>zBiVL(Y%19z!6?n0!MV%Z6Lu9naEZNPjLwX7R3}C)B1u1ZNY_97q()s6Fj+6|h_#KWFy=tqpaSv1JT9iGLSN9IrC41x9!7G=jn zKU~5K3J(C!sQofTC4^}yeyj4!3(HJQPIEh_=lNh#gV9%Nd4Ltdr z3`hxsw}2`a0+dmK`~L)X+iUs(9b^RPAV&$ngnPShyrmE5ptLK%BMfUPWb}B0Djo2+ z$ZxDTpn5hV9lo>il)#Yh>4&n_?1QP+x9o%Eq9X9YrxU)B+&vkiC6y%eC_GiY3=j&^ zAotJ)au1!iL2c1b2IBcU&l3!E<`nZNf(f zn9)WiFr!t{5InUY{XKKAX*F?R|2=U4T;XC?I&|y}%@9;$CW5C*1;wJufCHTc9OzyH z;IJ=D?D(7v9B6~LfCvx*QBA>udh)9x(*fdx5{2)46QW$>d%`ARHD6=@`g^|SH+Bl* zgfk#uy1qw~g)1>jNwJLMly3mY3S0wGJ{CmzxCXc+>Zh*Gmi*4XW@AMLjDPwHJ0=Yvaw-Xo-rFoiwmVuBI?%!5+EF=m+wy68fF1ggywLANVkg zPz^d{ESnRQDpbj8$pir6biNZKr&oEAuJhk{k>6M|bn_rcqU3!i5I!b`dmG{E2a4V(L z`t)24JDb}*Bz$pG%CxLu$ZzbxhMXYz3Tj4yj7LmAoVgwiUd6o~4&SJIiC!URXXj;1 z!WTBZ)jl3;A;2<8EMCAlWRQ9%zko-JD2~6gbAU@Qzg{s&3K5VM_M2C8fzvBFC;CD$ zA&a^bKX2?ZjT!+VaeR};%0o*(_SLS0meubV*7+?dX@0cfJ83d@b(J%*`No-KBt?~h zh&KyFyuAj1!dx7)6s`sl@1iZ>?iv6K;ghTn%$<)0TWM;QB`!JI@I6De`|4_f?Dn?= zSti#{M^S@t$qv9V1Otv?4)AiG$(Q~*G)a7`ho(8_0PG=2h`DCqyewurQoC_c^Q^j? 
zvQ+HaL`c7s^xfeGx5Z5r!AB{ABn&lTqdP>_EdP$;UdMlz?*H zYr0|7d5^izjYXkzIS$shYIf+lz%smHWm2c-FE?WcBL{pQXC2-&Qy=c#HgCB779zcF z(KOpsx~8VSP_@Gl5sb%t+HTwFkV0-UyMOJ=%>F<{lA8Vpw?@`iwa^+{o4yAdWym0Ib z^_jEmvYSn>35nfP+*&J}Ubpm;U@iEhyw0$sTKV7a-(i0A?;QVk`F9iE;86OF0}doQ ze!aD%`z1pxr;BkiOgyryD;H#+x+WVznxh?X=~gSL_h^uM2Yv&nQ2u8}G?Vc=Cw*Qd zd_&z)dWC||q?fTNp|C9>)b()n4opib;9@mFxx-8x%;r^55Y?i&WWR0v8bZ{7|Fwf9 z1+gI<`FVls84Az0!y^w|74wRCdSZFg;>0{t%qST#?eXA!J=Y|V*d8p$bPzfr+?u-u5TVx;&WHw zEmnI^xO40Pnx?C&#EM~oxP0UKC@POa6~nO0a;~VhFwe0ktbJ6V?ht4MveF2svLK_! zS6cbXkiuBR8F~ujsjtSo|QI0DGp6*VWkmNhhN1?BVB}B-3~;7O3=t2_DUllbPGVOG&0JH zn$lZoq>yS~IprK{y^G_op8OByq=8KW*DiCIB(Z6@J-T}S*gs(DS0MO1mPqY_a4PCQ z7Ds-z122?S=^T4$4FDoB2%4k&9g%Bfo=~xQ#9^-&Jvko#gcIc;=6*qV``W(&$n#8(W^EZ^p&vyOQ zk^laTn7WUUc$xhD5B>Nj@-Anf1KsN74|h(GU|ZjP8re6yy>gAD)~6?RLXE`-AFtDE z$*ol=r`9;9+VU0H7eXVmdp>9Fy|HoA=4~hL>Z*mAXYL%RLnqlq_VVLfW)pMpf{STd zyIL#V3M00zUAvXT>0CEr_h<%(+cv~td6a>t;bWjo7~RA>R&|CU0UvmZ`2a6wLfQP4-hYps!mehsRgSvaQ| zMYAcP%@H5!O^j4|`fE&8(iD-%^54$Z7u+_2}{Yw|o|YKJ+h{?-L|mb9I=8R2%kN_(fGr?51Y`@yF^>x}=H zq)Ga}>;Y1gi#(hW*AlA^Y3#=pbWtCQWrtbD*i_G6dVfb$(_8OXla$W6he8aJPM^W< zZCl9Ckn&)?Ld;s;?(cRgY?tR3zZaj|hvF^Sim_gqg%sw0tl~B0AMpH(P9DB%N?SE*Cj>C+e=$rx z_Nq~Livpw0{chAx|8DdegjJ)q;aV|jhgGA#@(*}+Ts3NwQ!7Sox@y!d2mfyLAEbUU z#@q~tgyOv5f!-_ey*GDgNnR8XIahUEYwh+r4Hxr6WLRK&5zm13?S*NTv)TDs5z`8M z)WZRrLJdx*uDKC3A~L5qlFQ_AbhPWk@|4=RQ@e~77;eFn7BHo?w!GAMLoqI{H@7(* za*!GWQYvNMa+PVR-M*1!B*&NXmA-{94)vcBkL0}9i%WY%Yslc?LCUtuaavfXZa`ud z%udV5bA7HN93Qe4s9O5t@%j)-Vrj`f28!yJMMb~sJn!qw4mm#c;8=0VO@T@+PVvq# z{z0w#NDWYIH^s7?hFIX9(g#_5RvnuxeUMcrLc`a?ay^>$IUhCn$s!a!!X4T5t?CU_ zq4P4C(1u%PkKZWZKi^lZ>buF%d&Rs>c6?YuVqwyK6Q|^#!mpuTeJPofu$qi!A!o1WiOcU)0Gz428nlK!(so}018T(3YPa8C@*ZR_UV5B<(MvkMWl-#1 z#I)uwC$iA?5SS(Pm08m9mYueoUSHj+4P58dSyK2mORm$JkG?I4T|=@RrVG-cj|Km#a9OQ2&);F?)ztl$tNG^>aa$> z4QuQ73EH``v}fBAbz9ZH+{w6Ej9Fb+*KZ5U1tuD^GSLT%1wFE;_pR&>0PlKro@2hv zv(on!gRQLCPV+DoBgU!h+^1C3>U!0FTQ6aT0V$x!CJ`~I1N0)!6fxXiySxyD9Ud%y 
zU?8^j&jl;yq{Dm6gQZUQS>^#kN2g5_60^;$!u4e*9CuOPF$Pmuh<@gD?4(F8a+Yy| z#`RHsJ1vVsxZLU%6Q)iyZmp=qsD4M75?YJw%#OEC>B! z(kI#kAB2Zxg!rm&d?;ZL!FUuJhQA2oVy-pB22e3qKF*m&HV{ycOi1c19)5wTlKcmw z1i4{5d$I~?7`)Z3u}jZfX&NGl1eE!+0OWD-Jc73)i~lWn7=EDlFfEJqgmIY${Qz$l z^d(Z?JU=i>{TRZISkE^$bp~C?z`zG>snOIEfQ2oeuWWsjkuj5>gpEoVw8{#wel+xa zR*$4@JV%5<^+&+vQ@RxCk@{X*+PS7g<6I#UCsCwG>WJ3J(dLbN`1ZJo=5~u$ka+hU z0p2ODdFy)U&@qtqB--I9sB-ic1Y>ISqw<0H^w#A$^8wXt>$hB)E9u!<@H&PPQWi)^ zE9iXXC=p`Xjrztm$ApmRQ}qYE9MmHZX55i%)SuVZ#^)rf#rUZCh@vR>sR0yBfS-tM zXKu28(w9srW?aF8#p#UZV-7EO&4ep$mOsP0d+eO}T|4VilyH$*It_Zd`5+DD{#M7` zV(qM_V@gMb@Ki$@{}mgBBUwtDyg2$=979Ms#Ii|LkT))Bn-OB)_MsU7K6?~0J{fXs z8QSNb)ko@R>kp0R`4X?jquZ8fw_(#ndXPe5&9#e8&hxApXt7x)uX-xR+v;eH5& ztpai{{jnv2s4p>ZzH*Sb*|Mk~CMYBlkD3Gt8kG_(xR72C(g^oJ?%~<49~;tQO7rld z8csAr$<8Y)0rE4<6H(f5`B9A*1qnVX=@Kf&z%Fs~qfqGD;!2TY0N2cuNcgucl_ zB?r;XNzHqobUzXGcyaA{CD%1;s0kg)7O3e@W^F8RWRXdO=Gv4&>gAx1QKCXP^49yw zW0NBn-8W}5w)1bF>S;k!`VPrGKp41nlIRPnTNvx&3~EwOX}>Hn+o{9U&OKDDKzoi? zbbLU-ug^;Kl2@0_VRzzo!>2c2N^waHH%5TPCBpKtNZJDmy+(%y;|Wncn(;P+`Kqy&cZ#koKc;_>wOXsMxM zD{wEt8?%L})?`VkEcQv8^dvYI8>_YjT1GubQ}C(O4{S3Z%ntDTqN{#Up894Q`zrVS z!FTEX+V}}yyC<|lGRBw&890|KrEGkw;bsJD2SeZxYV=ug4!SgGfNSF*j1SFk%ZHEG z^Vi5TdVP^uc>mY|-+W%?^b4yOokk<6=PTIoQNPh^1W$yHt*=#LdlzyCZD)#Y=PrBc z1gFx@f$IWzoWGpp$;xfQ_d=~F?8 z?U_-1T$MV1)R!&AucgFDddrofa=L3UQfFdu_Th#jHS4F&4>_B^Aml9FQw2GFUg@-q z8tDg)dG4ku+fJVna~RkzXXO~MtUbV6^XBL~xK2wa4 znunX>`8+}m3OeiGlh6=Ete%z>)sn&>d=3hFGisoa`n%0j`s@V zit++#T)A7 zW3fPYZ`AC;{#YND&muO8U`^N7s&YcGTCH#g2ZCfR>IyL&ld%@K-k_ zT;Tw6hhGdQgvI?UEu6aBANgQ!0@IdYtHejHk2_aUZ6cn{2MEwYwUhsul*WJK-#K5< z60kiq!~WzD_rgEYeBX@odqz(0o6+0vRG6vd{9M@Z1VbLdFrZ<`hUFy(+e8n`Y0u)8 zYuDb8Rgty|b1E*mVlq*(A4pE%%L%*MC)x-d(Pnke-MM>aPEZjhd_3aJb?2cETroNI zK?^*anUF8C^_wSA9T6{p1}ci4q3uKM<&jHgLLfv1U=>U>nnm z#?K~lOMKfZAhq8`5 zEmjVO{~@Z+?mxqnnA^1MIKVq3i28`#X=Vl!$xR1r!sqPT69MNM>>uZx5ar<5aUPo@ zQLSo9w!Yee)XT7?%RG{jrMX8q9+(bHPSkjN)+!JxC8BVAdimraSG=p9iS&7wSmP1C zydz<9r&Vh&&`pA82fh+q9s;k~Zss;E 
zr)PBc8q{dRc}m}WI(R@+@%`2d*Z=T#S!2Ff!k1*!_NLoAGsS)ObH=3mgx8DoTdtC7 zXWtccEQE}Ab*j*f>7p5Zun-atw4aN-)XqHh>b3`_qm`{2<(yKM-I4sP(83A6_p!w} zwF-wH$KWL%0JX;Ojk9+)NJ-1ha(BYkg>FCZsPMpkCjOvNGp|j^$mtEGsDVnKRs!=7 zd>86VZ9j^+Z<;_Gwl;7#J1-|nXwx?_`rNM{jBp59MlD;6VaRyoX5eNf2cgJzTwgi( zwU|<*Kft}J@qQ9huoS$o*A@qSrw0@*)|Os=@Hc4?XoTziG)cy;Eo}JYtQ>vD`76gs z5*_xHLsD%gn{W0WYRrv1%jUigu4j#bL$Z8^V zb0WNmilQ^hC-aFcPSiM*`ECJ5GhLC-OlT@6(B$re8vn!}Mle|idi6v9Bos_&hHnw} zH|*g=zm1Kpm(SY!^lK}gdD6_?7&<66pBRmw173`mUWK(jGOMfyBx4B7ceG^c=hi!N z;QF)JM|`K%VqT)vevf<7_6LnE@0gz5DsY}_?RJ{sxLj04J*QMG2d%06!^7rn?nY`* z61IlaY0@C+cihg2m}XNjaKv|Rp2!R4yPN&F@~FXw z*(LMj*-Rkpzzxa~LBU;l1GL`(>?=XAtw2wzm4_{j{&4}Y04WcEo*7-BNCxB~%<$kz zr9}2FAha@ei%ei|_aHG{!o3MKEZ_dc?m_lF!UBeEa||I;W7$aq+SRFG!)no z;5rG<*`F}{;~0u&f9N0jCyXmieC3c?TncJ)Mbp;<(T{(pC2D<}X!8FL4H4`kKS3oP zyJC9?Ur$AF`P`8u4lXx}KKc>D;5yPj9~NGuAGQj}&k$eT@Ob`$Go|`3IRDdG`_s8H zpRt+R&90zCW+fpaE7i0#gV~4-cQZ-Qtz( zu(WTW-2~bnl0~O+>gTrQvOEUtZ$Ms3xxI|vpwEhYY%wIFxU6+!x8Xt2T(1kYW)OjL zuS!&K=D2PYF3BT5X{O8kDZ^koZC(L&o2PT5s&E9tvph$#VB!9qrNdP?u6K(O%f5Ey z3(&x&6SqB==%Mz`sokY}{WrpnOl=i-#NG$VY+OGl*Vg?9S{x^H7$kR+M4q4&k64|Io$e)vQE`5c>2K+P^mXR?AiehiGY~QK+1+5ZSY| ziOCD(HdPG=vh&t{IA&MGcja2Fu&~3eJ!{xYS+P%H@!7}fi>h8olI~q|qr=!I|<_L&fsbVNGPCvJA ziJ(Dhn`i2N-k&5`griRQZU&n1)5QNMa`{_G0+>r~8sj5$yWh@<&ZtN3c40T@QVw=* z@k9PKyZw9o$;wtQ*m4V?Xmtv3ESr|tyuFFwXBXoPV>815rozxxx9(JZ;b{piU$ znm3te+73$E8*Xq(n`+6J8}kyl@XSf}*=XH#fhVEZfn zo`xRTp{Pgef!EU7GHZbvG7eq@aROd+y#%PQfs=uXTNh8t*sEYN47u{=*2P)@Fdp<9>mONLG+ zb^|Jibgu2t3iq zPxKRIXTLt8()YBKyZdFNdfxSAN9R#fXX!P|p37>^rE&tM!4(>H!qtt9Z48;@NVaM8 ztyIU22R630NrAvIgdWpEUodX1(31#$0!XLJgts^>69R{j%xHqw8e($E(oe@uu zeNdb=%XL>%(huRgM$7DH9!O@rBAFNF#hZRK zO^(($Vsg^V4(wQyDC!JAm`jLyFZ6OSs!KTDXLKF>LctTeNya*(e}run75mY zocn7<=d^*Zy3NKz!FdqLuaHIDH}uExq0_y%a0AQ~jQ6MNM_soF!?LW#GOlFcFQgYH#pt+a36 z+=ddAgK*MZjf#8VZtTTnMpn#R7cXfdx2Q35U0HY{|M7%fZ#JnFun-cKm2h z6v!Y`CoVe14^%6OyyFnKk^c?RwsS-A4`QFTjX zV(4Nf{(m+Xzv{>TW*q!)9{c$egjl(EZgW(0;JqaCYwv|-r0=}?W`I`T?31J5mj*73 
zaMddE(f)P{8R~&kh(D`x^6`f1$f~M6Y&p|Qqf))z9QjV4Qgd7_3_`qQmJk-Yl z-Sn&7dCe0FXN9Q1N-3^+L$1sYo6c+VMzvc)_K!7bii*u|z<5u01qF3D1QDA}#u1 zTWRn!O*bjJQEYT_*FL%0YSW@e!_vfKg$`ylfu)NX#aiE7644ou>ZY4bH@_gMRXlT1 zS#ddBoH!s4e$`(NImmyFwol006n0oY;0PzTy~LU6UkUm2mE)28pW`wwUv6W5nc3o$ zjG%LxIsDf@QBeX5@-zMwyvqLX&!X&WFu+8*7Q>0mscyoMR2` z(wbkLIH2}R)`y5&@f)q&f#2xtBkYjR5t?!*)SqYY7pLA|W0(0);rZ9P|CgTL|3l2D zy_<}-uS}7C$(LYvFlm$5Q{&gww=@)&gRS=V*CwA&bMrky8oXH$VAw!R ztNn8-LRb67=1OtS`r`}Y!&f@J%EHU;suT?P@sn)YNaRRR)HaUlh=)Ct?gvF?=WP5M zj&_td#>_ZWEo*V|b{Xy@moRjJ5O)Bc0o7)Io7v68DV%){ae{z*gfnPaM{B*M;+d&I*C~{W{a>rb=$#p7myIUh2o$El|lK` z6(&sTBAk=kCzadZH;umFz#m&)vd{M#f3ywcWFL6HxXS4~|*-07KOjP^7Qa`qelkiSwIrN_dqltvK=U36ap)%^JZ3{^FZ9ieV8=6DKI z$e4xofzqgD%K?7oYq9<)R!9?StoSrw5iE~}4sL;}V!drUO=_Y|yy)@rriU&d;?H%q zh%6S9B;Ds0Rvu???NBwOe#XT!sCOsnkk7~n%L$pCO>)0 zU(SnoBcM^LO#;PpUSB~a+aaD(cZ|VW11b;LYbL% zNi@rW%>+KA963H8l{4KLA7SGIjVv_${B)PchpFSlVCwz})GZCu9xB>&($8qzv2`?r z7sj}(%U;ScG1Yd}Hl;6QH5tBS`sLCh-21v@X=a|>n1}1=0z)rOp30jW>V_iI^GU-C z0)vz0FX6{QUiV~fvDPV?LgF=>s3jA(X>7TWw#|vN6*|SAj$C-`{8*978*g~NwX*R| zh6lT`U^(;6%iODHI1OH7Zt4O|nBjg{w{rwi1l>D2(l?kIFJH1R`}vV=5$DHJ z-W1q2!XJfZPh5HXzOJaz-gacRO`AlXblgJ@0{7RAnMxE5%tN5cK%!L+LfShY6dl=< zH;6g9*@`Q6Q8QEKJeg-&duxjI0T33Vx4>@Xh+WeV!CAx~Eq8*9oq2kq+ZTvy9AY;@ zx&5}BdGl$IhtI@D>@rNgVf+4kuf*v+=dN~HGmMDEUZe_aS6V-*tXBJj4V5MrCh@U+ z`m(J-{b6mDea0FeHtt*|C?9`Ox@ChBZ^owfg0KR_?Gle^My_2_s)@0E_WZugP5ye9 zv2s;}xZbv&$xJHYl{{M-p*>iaHF#Ls4}xer{iR6JBJ6Vgr3Zp~dmu`mawGgvoy>J6 zzcWxQtcVi+#IkQ3sV~>Wy-8wcid@~U7cgppK=y;(wySEC@k!j`C{Oh+!4*x@=_^&a+^%C9bDTZXKJDQlhuMH*O{)m zX;6np^p%d*U0O72Efj$V0M(L$`u_T0N#>bBZlG#csj!<}*(}wsw+=77eAo1l>S(H* zvp4K6%GStTTSQdYaA?;67&N#V|~XDpH=-GT7rnZ!0sGAX71YlW8{};d(Bw^OQlyW!t|Ni`{nS zrllC~Jp7}hzq$-f+uBOu;pMs!A#~Jq^fmPUKVUOE#*)r+DvEJsDaz3$uE_>q!%N>q6aj{s6VrtEU9 zTyD%M;bXM|>zZngT#8*B*7Wrnhl|tFN|nJ&HIx%Dih9gW+jwCc<9*L*-Ju(9@85&O zhCc4ux`w!xN4J$=kJ()DXHkK9)Z1>`sTbj$!`t_15e=M(dwjOUdeqqs9>=6wHK$on zdZ&8B)U)uqEDv$+sWHtwgx6zHI*rRn!#{z@=lJ>`i%6;xf%J(=_`UMD1uLy_Vr{gdpmUA7&&u$oTORPC+I!4R 
zw&_q3?_Pb?-F1H2UZ5YtSG1QhXh6ANPoA%g-g>{Euum?$j=t80@1(kGgq=87D3WwH z&2Jk}dzgdh3{o717zrm!a&f!(cRLWR}!?`ZF^oX{E z|C@1!Ni=S@UShn1I)lLf+YAb>+i*eY*}xF%nHqRnT{bU{@Y$ti?}2sGwmt+>WC6(> zWFQdM74;jDUahKD2kOgb1;*2Xo2&LGe$)W7{+yYzbV!1Lde`JaE)2-!?YRtBYFx$GxR&m?wv=y zBV=cmkcO;3GoVj<9Z1wX2V(I`Z5?wT(D7Q}p`Bv4fQm0XU8|klgHd6t@1Iw&W=A^` z^CT|hCc@V#6`Vg`Yy0Y{_Hzc_)D!_QM6+<@;u| z1jhN=L7DCCG{^qRN1m_RNwwT@EpxK#5o^QuIhl`hK26Jv_&7<=xVn z0YYWZ36qvv&62V@cT8=*oZGb-!DQrizUK_pydTSI(2rs~OEYvElv|5?PRHSL%oyln ztYMSgD4Rn{_;mY5sYy46hl1+f0ZdpMW-C(9YXHJEmM3})Po&CY9FM<{MvQ*mH+*+g z&CD*O5$VggT$^f4M3G75+l+8k_#H%7ft#W4y0z#wLtCiO3v`d*ha=lVBIrdBg@`8I z_@(;Hq#EhiXZ)>4q~VH_8H-DPX0oa$21Y~tRL9uIpLX>x`QxNq%l&tE$jEJcVs(7` ze5lY{8W#)mu?4#Ukv!-=T8`OejtDBHO9h46Q&?fiU7z1?TVOEly8mcuo3Br(?T%O5)_yZ~VIJ6D86J{9qk=@UT<~1R-&{ zO;vGk*wgt-FZuNMLKI62(05TCOdX#%-n7qqCXQeXlV5c<=FHRZ$Bpl_D8MG=91Nz5$~dOUWmZLJz-k=&0U{CyswJ@qimcY%Evp&_Yvk@%-f5;V9h;nH^ZcQcZcT|Z#k_B)*d zN(q=Y%c(?I`x$LJYflGymwADpucmqHRo|k;k|+bi=^2u4H0GF%x;iW6R*U2y0f6

fP@+^|XQ^cEK7cac6@{`xwiy?;}qhqi4 zXnlZAu@4s41-FcBbLWMnH8t4V7%wwTUrOfL#w0IBgB=smWBO{z!`DsKv`q9ct;dTz zTEQQ`m+Ti}F(`yYS=vzN5BraXBg>?Xwz{^ozAqLhl5!=XP3)tk_Ny25vTu_GhN9Me3ntGQPn_X&>53E}Z4vDH$p7ix4Md|Qt zq2&*d(8|!z*LgJGzKqS+$bEtG+O?-|8ea@R4z8b2Ujt4Nik#i=^s4wxaQ$Q!RWEsJ zZ&GefA>P*>YsRgfC}Ve|q}Q9IohCtDa!l5Ny})50e$6?yk2V! zVv-8m+0kB{YUsw5phAi^pGd3Lb`0v>^d+}`>jul4Ma>5_o>ghp9R-vago@f}KB{3m zzd<=Txn+DT50}nlOMQ+smD6dW*Xo#f7CB@z_!O!ah)VVI>|#0;(Od^Y>bKFL8t*7! zCD1G!!|Pe8D^cBoUy@5{V)B}K#Ncdar2XYOkf97@@Aj{Fqwzjc4vZummwa6LktakS$joUff;GmZr{$RZG$L~fMi z=H;J1fb$Tz`uqxb0`ugZn^%0Dl`ljm@OX4~^mHt?c1|r!*enVh$xfZD?_I&MnOfI) zL0iIn=5LJg>hIW>UH4?Qst)5k!n&+r^rO^~nHqzqqaWz1-mR~{ly5(8;U>wq=1qH>Ek{qH5KFL^ppm3}iasOj;ONOHmHG9dMloj(kv+-MN^rd7g zMI$+kdEgZ-xJ>C)c1wCf$vx>^k|DxCO_Adqcc4Hi)TI3_eJ)8U#iHMXo}8>LHe)z$pr#*_3t+RlFmg3pcrY=v5(PE_`RmctLvJL&U2BlcO@kCd*ll~t40Wl}% z_lT`K5lX-REw;sMKxocWlgOxtj;eZ8*zQi7%V(_mS&6KJJMbqz#TRjbXJfjQsnJA{ zsr=iFLtWj54QYkN?xZ(qXYTOijbNv(P`+JPrqXdu_Ku0o110jOq}oa`qUBrcWgBnv zk3FeOdikR390!N{{x*JwP^th;mz8%QNbmR~_@gRosFA<^0zo(o}h5IJg-4@%P z(BUd+_h5SNRcn?zG-rQ$zVEBHjAg5)+=A}93mEEaGm=71WMpG^Ln~{xk@yBYj5!!z z_5EQ?j{oeZVH6TnhNGdNX1cvU2{kscC^$EZhEqoS;0$3|EK9`rDotSM7HQ_H8uSX3 z3jXgC2)I)8ZU$6&BwaR4HhjUZhtG*kK&T?1jASA8!otL1rgh=niMsETF0z#DDLIeT< z0z~OWKstmHdJiO&5Fp{*)3w&O$6o($kG}((R<213f(Iu&;Om#W<_ASxOzwPQ04pZ1VSk*)-*3aXZDWLHK5QlT$0t-tk35s0r zntC)@7jN<+22ZwZ*E3>7@VE&p>D} zlP@hSSmXryFfj_J=}7c<%*sAV=@ve$7^)wLIK=vu5O!L|Gu1POky-I#V{WR7%D3P7Cyeu)zYz>v@aH(rKssTOSyv2^s!dia= z!ntkY$xAD6C=jk_VRC*^m(ko=d*@>{pY2^k8WKB}!Wxc0Wg^qxGRjL*(<~|zieneV z-qzxe4}KDaG5sM%jC(PSJ_6bD z0W5kzp!tsx6XaIy{}`)b|L;>ZB=i1lss^xY?434AJ8Xr1k;J8XLqZRMWZbtkpw^x` zfx4)YRzlF$?wGla|2EwX;gVaM=A>*WM>5^VOvGoOR5a_z^vrWT6u=fWxd$%$dJGi7 zy#E+d>MR5%}17jS*EtW6PteK+%QT-WnG(b%6S7)LS4GMZU+s} zZ6OIT5<1equ6qWmgk^iA{YHeA%A{<7jYIXyUCohZ4Y0uwm-efbmXbVA^eh+HXL3r# zfu{0pFy=-G?vJVLKVt#^5o!;37!4vB{U&kLRCQ^RkW<(uB8k$+SHb$>8@@DnY&^%p zeCs&y5E%9R4_=)*5ZMA#6G^>_y8yW3<)M`Kz${+XJjy)+;P6nhUjQ*ZaRoV#H)_=G zlvoAIN`Dl+N622jSG#N+X6%{ZX$F=l8Bp$s+JIvN!DY 
zY*S|rcGVXD2|FwCpYU{n0v-kcyEHl{TV{?d6c2GwG7spOyu4S=mjSo8t@8HcpF8dT;f}zTi)1FT?ZC`ufC7#e~W_@Bey0-aIfc)?a^ zVs$urx59k~I2$6!E1nJ{qDZGh{`g-ay+dQy}+$*@p=tfF(=mQ=4xz zd=E9`1>LycFvBOLK}FMZy?r-Hsz}81q>AZ0jFaYF`&zy~wt<~=Tdt4u>M|+1sWK{o zFZ)tav$j((n-eVH`A=Sgr~e9QMwG0TBsksaHzAoGpeEu|(Na0~5*2J8?17~Sb>fA_ z_>cEi{*S?|Es$e=MGKPR+6}{aUw*^>mQ|yyEz;wer@|0#DaJ{z=S;O{?mYc+q1&Nw z?c|)HKx0`}@D7GT3n|tzCvE3bm0?n2QxLKW42a$TH!-?cXSn0PEWUAGbvkU3wIw^& zwt+U*)$6O%|7|!pz{q9&waVQC{03@ISgTNu!@opQTOP-$*MR+i+2`sM&Ab4v2&Q!)O-n|w`(Ut7R!+`7@76y)LcO!DP za12%>!>?CIpLr=<{p`tsa5C7-Z7}Q~KpMq?+gFhB@Xy|*&>O1!@0-^L*;1eNp3E}i zew@d@?Oi!SgwCHZ9!Yqk9)!r*9>f_1-;v;9IuCare&u~xXPsd(uV*gd(oR9hz#?RF zu@ibRL?sgubt$XlF6hNLk6OYeN03~ZPL`G^H%;8}iwjix;tIHZb4?m{MHpbe04CiS zZkq=`=>)#U9Q|5l2CEd@H2dHn$>SMgj&kz}wXivqKkbW@a2ODE+n&NT9qwvMQZ|lP zNy?2xM^aX?I<@`REJutC^T)bpJyq{yg$90Iz0|tgeSnaq=0crHPWh&L5zaE|oe?iX z8XY9YB)~HeQ_;LXfrNd|E%YL@Xd8%eKVGB9dF;eM=iSEe>)H6mZ1VoA_c$3`McIyBTLi?#3qHDEfFja+8?dL{R6DQR*5N$9CIn0K^FtU#0)Qt>|`6d41 zZ~YAB7p-@^Blx2b^n2bvmc~czYEf}M8OUtj*4KUf9o76e?DCVYm+v$sKZyr%NL^Cr z)JSz8xl^+MK%n_}dyYiS-!$Mm$(;rn&=G&O2b!2QOzX(rp=ZakugoO;p{e69l>26H z7)&a5N&Bf<=>p&Lonvm;A9X|Bt3#J4g>rX-s6MG)S3H#HlWYPqd=?UwpTuamuCcXU z>3Jsx{ogB%LA!Ft3pob56ORk%bGD6)-491LO43YDe*kO#r~6ls zrfqs9Nu!@*r>7p(d;%Pv{~kWk(7;Wd=;2Uu%h)L(3Cdss_~-wnB(gdDC)jFW$wyWz z_jtmpiV9BKUhT~I?#d)soNswd8dcwP8xSw^3spPG`R{S?fn_#V`OBg*c+zAH_gv9@ zt0C}1Roz2YVAa{i;ej#>XD8M9Pi~bNW-`*4oKzY>e`*)Q_&W1=!%O1q3YLp^Yt~dd z>`AI={EFd&fhFW>X^X;%iClT(T zJl4Ar{1M6LyNs-XAbJr=pGsOH9P|%UJY223Z8bI$!7#AgS`6R|5W;ErQzIy}3!q3l z#shbywg!Wa#84@eLW`Cc&C9r-9^dNJWy>`$91Ax8`CjM(C<+67Prt39rlT^H1EtUa z_R?~U)AINkz%Tm?%5yB(6t{>C4MWtT6b@=};yH>2TbSy#6W-k^{hhtav019jv`zwmve2Kiewc+SrDt(K!+LT$}u04ido_oSYUr!G33iF!PxE4Fs z5H)fJ@x9d;d_JPJEwiq1I8!;bw{z7-;|WWHr`YRIa6xcQP)2(7aW6@BB|Zi~sre9(7q94}5}YO`e~BMADB27N7&C(ICQMQj{vxZr}O#-LxV)*{=T zMNq(41{is~6q*WvS(QU#oIk(9DQWuqgKo|}N4x&Jg$MI*79N)(gFnt3 z_I{^-H}H6bZEtHB{b;B01E2-hF5E2TA=Nw0Hwo;Sj@-CxY1QGFc7K8eY%;-OqGc3U 
zB*Ilzt5@n;8zd4p-Vi>b==U*x$UrsROkim|DgZ@lCiExDe{?1(sZ3SqW+z?z>x7L7 z)YI%wMiUdw$t7^LsF| z{MdRWR0>mDbNHDlz-qeaPt@AHm!|r_aRJF`aT+sjl7$g@<-RJlU5UO@0dYUM%GoHu=~CcRb!%N508tEJreig0jk>;tF15rB6Kkp1i`O5y zUC`NJZ-y+;g?wEUPFaQWhX~DQ>yyffV~GpWGyww(ailQrVf;RVtlKvH)N1;?nR(!> z(xbCM)%4uLc!VFfkBG&Da zos(__vl*O-uM04evxQL&eJkmnj>VF{W__Zs!mmA;-1X|_6+E~jJ|1)AWI#Mc;;J6O zXboCL6B%Lvp!XZCX-TZjsh{R5ETvv=LScI<;>g17fHwQnMR0mYI2Pyc3CYC(ms=6U%_n-E!oc}BU**v1k)s z(W9jVvPKOHK4~!u>O6o4Uv*CR(x1c8t{>}LtH>}( z%Go;fBYO-bq>pDH)6lre0TZ6}jv{&AmW zh^+aP{FcyN?%tk|H;=b^Ak`>kM3bzIy7a9Ir|htskbiJBY%u2>!QxyLDw%v=)6#kKHkP&b;`-HW9;~nZ6MMdtLwJADY6r&pWd@F z)TXDbt%J9k+N?#tLJaK~7(31GTYw0`PX|ME35b@U#7M}Ff&rVm;u)8~Vi~s#2h$4| zi)dv%_kvf@7k0(8hQEA0R^>NcDb+IY)zW5P1qo;X7NeFb0^ecU7JZ2y?qxN@7iBuY z8}lX(R-x`Dhh~Z>i9=je7YWpxFK+!dQrJD@7b@t z(_)_vP+GKzQ)79ZXkQMNpjn1{eD1vx?5?hPk>>}LeuFqWjaC1qUlu@_eD3tPr>H1w zF$o_N900OS%S7mu%`7K|0l!NbP3v7V4(t12+x_XoV(XCj3XwAOd* zzS><>3xp7Pe`bc&oM-J8bI-XBATyTvZXY`p)fj7XF1(81evuaql=c^(0Et5M_XdzJ zbZX%a6C&!w&rziez;>fs@&+ohw6m@jw;&f%esg-!P&PR>7Y^S_gebW$h{Jfuez?{{ z*}&VbLmS^E%d4Jc$KDDppB6YXK;P_2?k;o@(4aP|G0j6jTIY5?Tq8`6HyCCW&rQy{ z((9OCjNk40$uOfi!xsc3=xZb2Qh4XG8RlnG=QJ7D(oZ36Znq#Ik`BU;r)Fm4d9@p( zy!kYqOSozQh|`Z=-uT}?hKtu)yh2752E|2wjUD2^X`Sp=yOBswE3GiKMw}legOncL z=rX^Oh* zo+I+(Dx+A52-h58LXGFBmt;g1T7aCR=o1eU4iF43b{Bns{`|OOvyiN8 zv`qijBKr|;aVG-rb^@X())TJ^yo4`eqBw#`-{Bvh&IY#K+Sc@W9LzU@)u=3W)8HJ& zyx5F>>25pRKIDR`c6<+FxfeDj+_hf+`b`jx>NtdC%4a8W5SJNR@6bCSed3F$YhP5h zO0nIvusQHrwo?E#O`Ob1N6%h@wZtz(Q7pf8&lfx|vb1@4<>h(R2YaYjU249YCQ~6= zgqqcGTwCp_$dD*u;cQ>IF7%4kO$NG*_pg3v91xURA@5L{9MG3`^y{-A3}N4DC47Nu zV*H)36HR}@Zzhy}@$HEZ9nHj@nIyEsyp0?wnygwzmb(k+n2{P+$>XiFvU=N% zO7fdhv8A|n&OWx%*A6cpebT-&nd4>kX&1}t^)PQpPhBy72yNYTXi+`*sghmlQ(n`l z*Hf(2lrNQ~UQK$DnV|#wY$QY#zK%VG)fHj)(RJI;r&TKUg3s6ebbb~W! 
zWdeX8tRnh#5y<)F?i|C!qU144&@L1!zL?sXppdaId1F40aFDlkLoTuAj#}lx;~ zRv@cy6UPuqf->OT$MkmV(j4^RQBRESBl7>&R*R^ICzjH63VHjOq3mIP6~`g z+6+w^D)xbzRTDjvY_h{%tTl}8MAoQ=-Z!jI9@?FG-zi}bVJyA_dIw^kCzs4C)Tg|# zYARv1ZD|adnE!FQ8TNto5d{%d=d!H7dB<;A?{HRgrEx$zH|7?Mp1qCw9t<1{v>%dpA7>v9p6yY$s?#Mv_*3XaH|C}!$k4Q zdyNC=!)BYN;9=U@3eovcQZ}G|FhWRS>A-c!@3wgp_aoBrSD3R_j+$4t{@^bET<%ZF zx$~#w+{bJUh_-RQo`&Yj|9j2Zcc}CtB=2nu4IXHoCSgGHMD%Y@j6e3ME_>?Ap`utT zxlg`v4UP;8#o}#Mp38#>tag6^BZL6uJv}YRJ$8N^BN1W(Sj6`+Jw5F_np_ zoyy+D6R_%yJI&vKq5cIbOh2mv6`A^`ucpNd)uqVD~TDY z01(jz)EcVTsY~{scVm_%yJosqq`IAh@4h+LrhlRI0bo0#IaOE%)jH-M;;NnEuGL29 zM`vvXJ47?dv@g-kvDn)nesbC3<}h!br}8LYX*~|Ay7SXmGLMdRVjOW3vo+D1W$0fB z>*Wsy6f@^;sOv+%%oBwQ6uF=XqOs~`D|uo8SSNE>$^J#Q0jsUX0cCnAW(i#7i|z$C zZvQd|H>!x$ZBoqsv|zQOe_F5?WT!&sW^Po($|%`&$|3+k~d_aMx<`&G8P3ACNF%;ft7 zW9WG@&-NxjJ&Tf3aKl{K6c9wFEtMm#3*lpuS|+zoVPQ@eeheq{VaF(J%~O*>fdco7PJh8JAsPcPY`!cEa6}^Hxpbf>HP2HlKl!eG zs$yV{33FWc$It3P<6XygTi(Ry%t}uZ77cV@^GCGvQ@muBDHc*vgA_FIq{_hzJnKFm z`3*7XDt>`GP4IoA4XI}P$UWHFhCR!CYqI8%q*�GA?YViE3qVlpi9!kT}WNc`8Uv z-w#&ML6Q?f%tYgS-I#2&C6{s*bYDBfEP4Eu^tiL;=yC58tmsxBk<*y0Ps|bDVIWsc zb!Z3;mzU$M+ievq$CgIa>SHg9JXqKz-2`oNz2l|jTHU9QnR$6I;wWHNhOtpF?6qkc zscHT|HRc=4o*6G}K=~IQy01Gdfg^#nB21KAw0PKxU<*M13g-Uk%u@1PeFx~ zPm+QBL|y-TP21lJ0 z=5VH?w9HpY_Mca;J(_Giw@i2uO<}goo178B5i5$q3~PsxX8&( zvb8zE;s=Py8N2+U;bnc*@*nRedY>1lJi$*5G==&FsO*G}!mi>Fj}(=hfeT`csa zz6aR33DPT_S{^V&vco3fV3WOoLE~tar0xL(c1$%{9LUi`vqpZ6Z&D4|VvTFoKSGdo zdldn(*Fw;g?Ton#KwM^+MU%zx?hZP`l=}rUE)DSb+M*(x>oLKq zUFJ_--XFE$y8Ppq)im)PMQuD&Ve&V!)i<|e(8ZgYpiVm9#hOMx_4)1NtKprr{Nh8c z3wb(UO6q10@ne$G4F;M?y;iX$!aJyn!&pj+o!lO1Ub9m(c2e@E@%^(2i{VYJQ3x+UJd09+Gra_ z(|1*j4?U*O(0}oxpk4n-1@cT?*+jhAHF&=xEvX@mUJn#E~>9nuzOwF#yKAzQja| z_B@WhuxSBpBX!aiMi*Qh9+A_dU#+Lv$Gc6p!$;G+(wN!qQwPy>jgq(Hx1s0^Un8i= z+(+PSMV5x%Ud=Girm=kZC4P1SZln&sW*w4IT)Gyy};-_#IU z!bLIqu?Dg?@fIK6(r~P(3Gl9H*m`LxQ?FKd{{`4Pr7v#EZ5(TcBW=XZb7ZcfNGc(> z2Lx$o%#%!IXldUCUs&5rzun%-sc=(g4C4WBj&={eKL2{RwKElsCreT-_c#-gS?d@G zG~$prIjtUNMOPv+)Yc&kkpj$C6F)R>Q##?HsZZ8jv_ 
zSRen5-sGBo)op6Tv&2LMJUH9svq}ON)H#`oMP;s}QDI4)X{D|Ku$NQR#ip@=G!>~$ zcSG+59hg1fQX?89z=Nq71=H&mk7s5VHJ!r0J==x;Fijy_D4(d2p?3+GpH$jMgk}`* zx^RRuU^NCx+-dt~JcTrA2YaO{^vJOPAFi{T?LckX^Azh1mq)cq0%Z$dJ_flcU=W%$ zZcQ;7M!`Z^TykT?yVT$OR~%V{IQ5%{VC8R$P^h<{_2eYEOuw$aF6mvqOgT=jQjJD# zWW3arb4(FikY9^RBic+oRP4UE#?KeTuErDHnJLNlWLmY|epN@RFK-1$PthMe1x;-5 z*rWtVn<7(;(dd{JFozbCY_HsdGd4wZ^apT&tLZF#89I;%xE=`AfRqr0FafGsyE)wP zRUc^zM=S6{1)kLf%umez%{4o+B(Qx(SNIy1n|;C{>W&%$U%KdA$X3(Nt+jGF{INUm zuUE@ES37}9ifs84_@^w+5r;cxg#dXQVNEF2nnRmo zc4Z`NZ`b)@A`}cB6H% zixqu(p&SReG5zbH|I8D1Zc=V7o^VzTxktrvLfFwAKIUCyCOvHn9&dP6npU||EwQLbi)n$ zuQwr=ECYDt8q$C6oSm5=JLxu{>wdoy$qXzP^iRUhFv-b0P1X}m8CRG9G`0V9Z`@$4 z7fxqGhQ@aGl)k;|bJV%Sl_f47qK^3i3=1P#kaCHTa0+dyYmhJE{X*mWo(WR3P|T@T zgQ-aryH*(ES^&3tnO%z}GCleL!nlSSR}5ncj?KFHGPQvCRB_uf&shI2)6f0jn|f2j zHNF_WQx=N)s0N3dA2we_^S#82U9~_9-sD$@*diBD4E^EF17cN8@TPs)Cu)nEQXs40 zRL$y{{bh>#-W|mMz{}&-vs6aGjZgc9>M8+DN5mhd<43jXe|Z1^3o_yzk%2-cgMjw! zjwU(gK$C2C$_&6=b?*Vu(N~%j0}!E%!V84j62kv1Ur=(UG60cRIyht)@rE7)ogaYZ zq}}W709{ej{YH64WQg(!ec*f?-#!_5DK$Xqng>jZpxA?XtR2cqupsrKi8^^M-vY9< z>KZVgKj`B*=s%&*KV)@FZov+BVQ2D>e#H*; zH=^ryT4c~XCZd^l9rv8DodhY;xyvFb<(NJ*y_`i<=)M;p(1)G`aVNc~KLv3cSHri~ z>lKF&>uYf7j$y}|Lc6U%i+Z(sAu&qLSA9IZ@H=5U+R5v0nrF44D!kFPUf=Qq&7xi! 
zd!syLwZq{uHIVJ;2@> z@(8#+o|Nn4tVMAcn*m4l*IC<#h8zj9>|e?Z ziKn$&o`2KSFhn<+%|YKCuSQe&{YmZ?_hnpVJM0sTJl*+XoT4JlI~;IbKe^^&j{I$@ zNHvIOSwN2s8}Y@EnpLa=VP(`QtO0C;hwqIHT&EvF-EQ za3`IZCpYe{3*K%Ozcu%ck&b88o@_nW>lVs33p&3hqxG$4*v05Z#(5i!dsDGL&Mw># zO*Uar8wXt7^J^WW>)vi;)v!wQU9WAw@gn0~>PWrak^2$)aJZ6a(E-NVEnp%~r33O> zd358DI2PCiT_^UYoHBuU2uHopJ%n&|U!Xs2M>$|n?yOQgvsT32MouD%x8*RB*NMHh zLt!FoP-cbC`=OjhDjwh5AOXj1l@ns80O_+aQpO9JetfO=!hPTTCI zKZd}H1+bLzfx8q_k#@gdL=qz{HsuK!JePRcR(-Z)4#%=#0T%X_Kg@i}Rv$3_;+5sc z>>i9*&ezxCwP_BKAD%ZQgVR$dC4FO?OZzGCNx1Y22MKjUm*8=*yPZM$y3h7u5R5g% zhgw1LEwFOI=0q-bHAkDDCX4M zMh`%Z^_7$wSZEF>pul$Y69F-kz6L7TxdETGEfN8le+47{B@*(<-KamT0kE)O&IPnS zwx$NR@LWQLeb4f381drBdg zq`{9FdY;B)LR&3S`XqI2g63L>%5a1d{X$B9Dq=`FGz~jdr1b4lcmTQt_W+J-=zP>00Z>BY7}35n1arDB()0T1ZVUz>_gQx|#fZ5OT;wsd-E1sda(w!N|pPW_&aZ_D{w;>>c%VvPJx+_Q$MjtiZYgwTBiNM&Hc9mT2MB zlaoqxb;FEC`Y0^3`8K(40UFCZUj{sZ5WU|^I3mvwRytDVNh|;Mmyfnr^&Y+bP=20o z$5_MTyc&ykBe`iYopi_Q&U4xA8dR>k>aA z?g$kiIKqZtmwh$aoHNZ<+hB|#pkTZ6ljMlNooA>KN#C*(xn?fM*`DV|0k^A_yQeUy z30tW@HFDJ1>43ZztaS9b<`5V@RD%~GuI_gf;|X((eGIG;eYX69;((^Prc~*?QBv6H zS$JP?qIB-&2X^WN7Z+39GgFgaw>K`E$xAIoe5mMu_A5KsqR}oyolsE% zA1I#*=Zt^Qxdk^){|GI^+2i+TS zrZzk7(_8BeEAev}wh;S44UUa8fh(wSNDbWSAu{Q}y4y0=S_e@j^5k^2ODQ>jzPfW5 z!>7U6N^H?T!GpEgUy9eqO7--1 z+v&skhmdAy<%gX;&`VG^xW}Fy`F?T0q1|wZ=+}VQ7SthXGoaGi8ti}dL@@QmM|ztz z^t*_kvv<@il;@xcFwWCkWayk_8JSXTz9T( ze9P~7PV{Zb(0S<9&Z16u0OY~w;_zqnWZZ=Iof`W$7wtc73DIsZ7AS!MG1lgWyOcHP z;u^_#{pHK=!NKSA-0sWVaA0LRXG3P9;$&=3P=Cmmx?B+`(y z@9DQUg}3uw#6&=mPKk*LAs{E|_ITQbP)rO`m8x@SIONkCVAtxU?fUX=AFD8hoOp#M zK$*K7Lq{>Cep7plqt_#6=L20GlWadp*iuc2mRW9Va7T%jF0iVqMAdMjmCwBsT&t!| zKm$T_=CM0diwZ}q!tN(@3V7K5ZN=3CwyQ>sp!=DXPQdQla_mnMom5lGxB8pLKAQ94 z?yKkEEyAK()NM?|^c_{1q_GB(&-V3M;q0XwdDu`%N2i+`HLfb#_IwJ~BDb2GY)|ny zr(lDcK@f*c*s!fi6BCq6mDdGnN_bJ-1cRZpVD<%NKjVn`F!bnJ>A*gx7S-Q2OgiE z%uByLFp#p5J^YyiLJz-0hu+gy-meqjtcPNh?|qgP*olK#5QsReWwrZdtAlk8zPFFt!BH6uUO3mMdBHd`wy$ecN7YTktV z|0eh90qqD>Nq4snUJ}@{#;Ea zkLhaj>993qi`-c0kM_r&#dl_*0Yp!*+De01_u_il9TOY#o<5fb>&e1{Z8Wc%T7l2f 
z0YxEg2I&$4^IpYaV;7fZ>B&&KoQuR80N+hB3Lm0cyy+$H@99i`FQnTkj!*m=?Q+N& zbmp!!8zqdG17msHD8$eSy3h$Jvvt+;C0d`zPGeJ14`!~jRx^2Cmt_}LoIdw+CdtmO zn{d)H^kjnso`>^q9Yk9#8l&9K$N3NOIj-2$B_+`7zaWU!jJLq(X35WSt^NWmzeNdn zG$ist`lGjSK@UT7HuRaLef~bDNTBv?*D>9Jlk9puN+?oz090b;>MN$&VLmhyjOnvf zYN#0`Hpiamgjf>&KT!A!*9C45O_?0+bmDNya7)S zl9^g>W7kN7WPd&VP#&=AqwrVH8K0Add}uv{Ua`s6sb$72&Ub#OKvH#DAWUo3Pd1cb zSkBrZ7Xs44!qQ~5r{MLjqv_78T2t?K-%gp<4u6u^xW$nA=&_6MFXW(7VbAnl%V??+ zyJB{BO_0sQ8Q*Hp(M{*0>O4SUSxtQOM|h3d7~|cv1j0x9v4I~ug^h1I`U=rq4tgiP z07-;aSCkM|&D{N4WNep0cAzkt9x1 zd5%9REo1;0cze488tIfyUIFH;|3kND)6-F%JJ`}ID;6_o-0H}#Z2GNdF3PP*Q!n6< zbYPT{c#rz)|Cf>W$2rYUfSwVUuGY;q2F$^k56LVB2l+Q|-@oR)+=Q*bJ&xQYBu7uWDGN6v?5Tj8I*^n?)6Q%+EZrF}>s$K2Z<^^i*zWZIntM(Re z*VM(=ONo%Twqk^r7~+)$I4mMW;YMVc3${4YveB;#lht1@@a!l-cgIr9o<7F?U8D74xhBgCax|f&(Lv)IM?*u22FUt$ z2&!%mUYAZoK~r+-<}&~7L?ZLgiG&5wZO$(*Z(YeMJ|VG!H}+`Gpw}IQm6-C*X+6Js zde+6!RkmIGVMyuFsA_2X_<;RN)u-3Vo{@5mKCXY$xcKbimO?q7f@3I}#T%Mz6vk3( z>kN6S5^zxLmL8NS{p*9+YeT~aoivM0exq$vdxKZ0Z(wGo6M&^vVE@_t zNo`MW<}YkuPcf~F4&L2D=gb81b5iZB#v~}}`7;|qA2!_`U9K3&_Xn8K3XlH)@nD>p ztrwc%5;FQCiILBt`@!t5JZK2J4m&cGNQiM_Ubol7qjvMJN6%2{Yv}4t5Np^7jD@24 znjlpmRU&q9LMJkQdVI%(e8m<-JR!vlpNa%{4CwsMZLC4LG)`fVVii=3rw(IRx9G;X zz}k|z0p_&^^DH<261(;V{a)adGR#b|;)eanN1AD_>-`I!NpWWG;Q54#SwW&gPPC(E z@xo4g641%~DU zq&i)zCl_&(yPqjh9$vSh{&Mcom9Pc13p?e_7i;2F+&1yP_SX|1*Ehf8h@X63``5MW z+-IVn7b$nBcs@9e(|#q-^JxQJyAQ5vo`rquw{y+mwz)^LR#()MSc($9{Gd(Vy>2jT{u_?2Wxh22p2h?8MT{Nbj%k%626JIvBP*XxYfnNmEjU?ae z$)QqqVu}s}pL9&aK({I4E4-TF0ykjBwaD~`$wGn>_=YDxpXeDiF4y%F;|@gQ#!_K% z3W;w|HO9*+>V6l^4kzwFBVls zmd0@7SdTAopW*%B+|~0VPpd7gDTAvPptB*$fkZn?BDF0Y#Zw6X25e30zK+6C?mSa| z3-`8W>K3_Y;`}OD^r%s%pfxC+f^>MTztxDzB22-X+-?(yhmBZzHLDM&$2VkyAQsuMEFLMs)1_ zMVLj7)pEXWXKRa=(6$!pH8VWl1q=;rGBV@y5EQ#*u%65Ly>Kd|p<1*hjC}~;=x58d z9`k2Dap8Hz=M3;JQbyfUtqlurUUw#8kBKU5J$VkmUMkSM52VzkCJ(5skTgBw4mb3-Gh zURa)P?=k`h<1Fn0Dn!m$E3N~o@h%mvPp4lb++nD6Q6Tc|k%j$YB8O|H$UsD+x{Fuq zUk$%~FtXhdYi~tf$cp8#_j=cPTLVKS2ScCdJm 
zxMWj@1i8myNs%S*f9fc(pKrIU=}Fy!FV)oSAPiAzF`ZAFhViq!F29Vbqc2@$N9Z^0t=R^M(_<@CLJK*3#bBDSAaNO4l2I z+)ZAAO5Kn1>D0oav+nHU1^N|!&(~EN+yJpkq75`N1bcbfa-5&hGxD9V1?KyV|N4G- zcxz9!Y3S7YR2A@aX|jyez^$xH#*Tx->t6}yJ~ry-`p*1AU2oH*dr{I=N5YqpULTZX zruz$R{f1`A_W*HstWn6b;z@6*+i|IzlFa(C!{jV>+fI?&L#@2G>Aqa}fM`y(tDXk? zI_L$_)N>NoaU8sH1NS&{L*brez3G$Y{d(?;t!MPE@|3qS_S7#_AO~Hlnh+kF1;?jq4EEQoKctcx#iB(N}zv-bg` z(ZzE&dA`7&kK9Pqeh*IiG)wa`b2+b-wtCsL*R$VCxq@W@MftSD{x{8p@#5b!ItmOL zw;m5T_tFi=Ss5O?c$mX6I?aYt_+!b7-JU$%SIU#V_cZXmQ`agQ{|P!DrtD_NbZ|ab zwj26QF6_8Pr;FymdGFAAU!Cf<9ZG9kMO2J;DP13CiWM(zOM0OCe&YCYfY6AECU1Y0 zgpPrcceAs4!Li1#`0(52v3c7a^U2AzXu;TIY4NYqr7mY*AL6CSMSLXiw z*1Td~Q;HwPd%3{yO2|+Q1d{%&f)fa^{7pj_;yv^VIl$+vS7B)hCS?U+7o0D8xr=8H zs#J2RGyYsmIOlI_{`gBtx8bEeU+c7?WEVJhPr%f?Q#jC!@EE2qFpEIS<;%Jhm~NW8 zT)#YUDWp)q`j)C!n90ZB_m8J2*9oDBwoOEor}M|6xQg=j57?rN8!I2&kNi9)F0t#( zp})&~@wAC&e+d7p-ZZ;r69;YXp>BbNZ8uT#r6)PXyUb1`U9#Q+h#nhYVnpy!vf?k8 zJ{%*cFLwnLW}qJS-c0#*Cedsrfr0Nr+8zl^)(a(U<9<|;1zS&9V}lcGI-PiX5^i)1 zOMj^lk+OK#UUirDE5a(b=6F_cjFdck(sXisl)P>N$!ND5ZeHalV1Ogi_hC$HfGj0_ zxAwQsk?`J&2l}c#opC(p8VEg$`1rExYz}Z z6F1l)>b@Ed(f{jF*lbS{8gRd{`fGLX^BdecNRL-a%ZVt;n5K4``7yC zs8BZGSZh$=XweSa`ZJ8ZF4$TWW>*i`jV`MJ8-Y6`aM=3hy{-Ks%M>?7YktPWV0fQ% zcm*B)En&R^#dY}FQ1Oyy&cR|c^DsrZkjzTaTi}F0kKO^7U%O0iu^{smO`(t{Ub@ECflGu?GBV0fDEiH68rrcSGr1nlvjW#7gee)|Z^6fqX zUlJmnyJnG=Skwsr3TtPbgD^4@Bb6E%X?kuU_Ee%QbF8(E%pSc6Btj)Z&a-u!c z(WV^(zE$1fUH68DF7sl^$WODv{2kuSvT?Jp_?@YqS#3%Gw#%+*D@<;}m65+J|8l+> zu6p)619!*Pm*8=?6D4x9-37|y;YBw0+7T^eYA{MQiT6SZ|z)!UCdmRwHd06@l%q8A6=lk_Z z&KCe^B?N2d_Az( z*?&dV4h@~x^q>45*nJPsD+v}n)9GtXti3zKnm&0(X7+V2~KLZX%p}PZ>jiGq!6`$SGaBJloiNC zoXBnAPmBK8g>nCG7aj$v0i6y-x_KCZnU_2r09xZ}HP~gFR?pLqL)2XR>JXgL^i0xj z0=@V@^cCObuK|Wp$&ne_G+4=%M2zv6PgcA}r{!3C2Tbk9x%$Kbw0rNsqX&S0Onfco z2uE@v9!7=O5FHl7vdTBcdBPLo;jy6_j8Wq5AebN8BH?p91BK24@qq+0ZQHd@8^l1P zt#BGt7EbQ1=KAnejKZ>;J3$qR9QRtSf0*8^Ut zZ;OtVADp6>Qg@7S`j)$$U`@cxF5ao0(x>Ud62*gP!M!^bBx*!2#T#~Ror1AKvoQ5v zMzt0~n&O%3VO->QJMA#$5YY;|trNeZe5~!ja>eMLa5(>W)r*x2^+48&w>1+K8^*GE 
z431W4Cyd2<0uUnCgfo}%b@A!%JojWvfoyMC9vMZ0w<^yoDkzk)iNl(w3`f&6i+K~qIyLnn|>7AcLXlY18F^<7Aet&_hyskTV>A9A4g zM*~oJyM+OU0Hyia?BGS{MWvYi5``!8G2Kt3y5rs0yd-*6%+*# zr7I;?5D`(NNR3D*KtwtriGqOAA|N0jM5IZL^iHHVAyNaO_ZmnjA&}yoto428u3gSv zYmf8&aqhVLkC-sVG@0{l&-*^lujJW3ze2m#6l^fdP<`0u^}yWnzE|LIxuJQ@J#tnr zdF<_~igeapg!OsClc3vMR_2TK-Gvt=yFTdkghuzMcsW|qMjJD>c!FX?vO|pBHo&Ier_O|?@TY&u$*a5ykV0LO-u_9GYfq=|Jyt7#Yx11L zkX97|8#sw25=-3|U$`wbyPFWPS%wn;pcruQ0q`P+Q8$2NHi!fvhoDjsXwu+1Zfa6T z)&sSW&VWBJQIod!^qH$e2`rQxRqflHeFulZ_Mv<K)7SN!dDJRJRM&KGb|AhSh-FL6jVBa$ng7{rR!kH?H#-NI& zeVQg`Y!DT_@$vr1-t#_W5dd1|xI~1`N`vebdyu1m;MnR^VHupS=#Z{f+Plzuqht+`!O_&7LhUFFvi7rVwnwOWo_&|uj}_JdY0h_C+wc8V8}dTES^pzUJdk9MVgGd z(W4>_pyulCCf}r@3l~jpte2YJ!++m++5U@dPY$7A=S}q(DiP}Z39Gd;bXyY+AswWT z&WUz2y<d6pw zlC_zXfB5qHHG?IF{CwXmsHpVSCh8q#A46jz_wa?eK3Gl1bn_)YdF9K`BMO>duca6| zvqvrIRi_krr+C7R%*@6zGV8yGrD{$DK)2LFcDkVK607WOC2ko$g-M8$jELX%WFhNnR(_=BzXEp2nUvIk&!&Z`j) zp0}?4#a0tUdkoYUQ<^~=GQdO_yUmd7WR0wv8NOz4mMc~*ECw2`QIkYgieoTE8r&Fyrx)zCS&w@Q~-!vp#lV|+fu8{4RBqx zLGw5$C>h8p&8%F8L85#?mKT4qS^Ml+cHP8^0z_l15m};o)ZiD}eRhyTh+o`7H5{R? 
zQSJTFXVB(6vh!##Li!|jfoZy!sbYO${l4>P4(2bPKx3$SiLetW$U6ejO z@0$AcXRA|2HWBzcKxFBf0$j*psMTcFNmSiDrI~r86u0#g2qsg$s%eXA61`L3dZdW6 zGuuQiHsMzBSCXSuATqa34~a2?)FDY`nDRZhxtG$itj+;KszrxO&CulOZ7w)#9+$_t z!C12PP+t=4-`*ntV*Jyu@>EXYUi0qUZ}VU}-;Q19;a!UZ)l{!{mR41z&A4f%>7aqWqm)8KxcS82f=0*LU zfRPDXry77@M;lnXdKhB`A|D*~!WGa}{dxMjtu)uW8NG@Wb*^K*T9 z@*(rZ<+srVU$YP}-h6Z7uQmd-oHJa>)WPsnvFAbsu~t{u7_rP1RjZ z$9;3Z*dosX;bfp5%!)EGtOl^A5jK+j7}l^CA9h>70#&~oGSxDGO?a&;`5#rpz5j_( zYz%lj1+;djNQch%48W#B<9Cv(hYcAaS89sE)SfvqW=*aU6$pGU5YD|ceu|u+t1`|} zcl077<0>;j(DKFTL zfHX@|7kU1+C<$SAKO<~GgNrxl1ZYq3Zyqe}>(eCf4EoPhHzztZl(El@O>Z{u>$P^4 zXI6=Q5N}%*hQW#|wn=kvk)D5H4J^i|`CnH96S+!v^;*;B zt-B5mB+U%$)e%M^aL92$b%JYfujy^oeEqNkqgDoc?qgQn&(@d* z&yD73xUAmWn2EWSdQxa4x_jsjDSfPu$(?cuu(hQ_xCa-tbBwFT26yfj+JC=VW>``_ za#{UqSXH=phgmtrHpmeh5KIeinw7e{*$6GW6R7Os`K``s+m)d*F66oZQEXPMHqy-G zpr4I$TCb_DG;&)2<`&|ZVn~s&c3x3t)y-$67t`${Ix;_4mzKqIpkU$CTw^>z9mse_Fid$GTHG9OYk7hB{S~55oxgQa$Cx60h^Apo$t4$cxou<9K;G{y zj`|deuuqxKO`rxZFWU8M!;PQvz0$7sgNY7Qx@;fTK!>w_w7WGt7lK&ZP_?W|Jj~Ut zMkRh0C!!iX#)cG1zKsppYww?Fnm8edy3`WK_K7?&62c%A!~?+ch@5SV#dX;C$%YS~9k@>tX^qONng{xCO5vMx*#`QnC zLg^@IPhQ%Dl$e6l8(A}+&F5{OS!|#mgjR|vozM>^KZ0@nFsU$m_3B;!`X_qRM>^WUif?LEr|N$C+i6d{bu5g6Yus|z8_dtmuvU;UVcQECuA4V}w$zF{X({!{%YDU( zx1aX4lwS19ct+^(>z!lK*%b}IUzdyo6ZCz-o?x|6Z;c3B+~@NzpALbl~xrJ;tdi0 zaBmOzE4K6LtYm*2U1NXKvF{I|p5mxT1J$5fk&EO;yx&-Tl6YBlQAv;iT3@5UzeDzG zXcL(^@hu`$@oZ@k=K6~Fw#p7hV*#*II8W?!c7~Cb0ihf1%HlYu+tqDDCfk<| zuWWN1D|_iRm20g@5v|`6IrhT&a?evU0jG0PNc_iv1e~gsjPp2;Qq%QdGHq@v`)bF% z&T9`vq~u0p7Aqt@mI&nh4Pio)_HSd4q8^tdJgP$Im=*Rr=S+t@H#+!QMnbsZnvJC& z+xU@Q$*I+YCav~PoHIXgHicE;oDZF@nGWHlzDFB9x4E{hco}{oo-)QsL+Md$Qey<} zh7z`%0BxEH({Z1upWLpH8#G0#c8pax?6^aqg3@`s4qL>sl?A#5DTf9LGoz!^HiL83 zhzc78-6N;s=XZwZ7&j@d8s!A3O+ooGObg`}^o&^O87~7qLt(GymdrqRy`r7&>_1v187v~1|79rEujTo_7-HG_s#t|>JRqZ8pV9?BgwBdH%M>a z)2NrG^8zBAT|NN-7_7;Hzljg&ZNAZ0R2(Z;w7#k0Sn}utMJ1v*OL+-i^K@xues^Cy zSKx&u#o4QF0Xd_Cfc^2L4P9hl^41R*?>$O;2MnQPb>32%^f+IddiWhOD=8=Zie89a z?LH6rDEd9$8-2)A3|8AYH6_ 
zzMG1Y^1#N4T_C+4utxJNYxc5!1eaCtr?Q-`vVWLrNL^D(niyBYIZD&ObbO3tdj?3v% z>wWHmHM%HK$Q44jHJ_cHbJ1o=a}(u&LfSbYc}44U*mMB-cje2MiZU%_ql_r!v+5p0 z1U4%|XD;35>53A$xK_B(E9DoP6*foBWN-A8>^bp(jE?r2OxR-AW{|({<4hXrQMi=a zgj4tI(|*W^=qdgtnVX`S3+5vf4f7iEYCy+mB6x5`WkZ|JQ+BPT{x`|>q-JVwesOha zVwL2Jx@$ZwyxE-x!Nb^Flr6?de+>%K&yD7L4B^ajXsyxO5Dlf&!3iNDbrog7uA!GJ zNVF}rsXbA%y;q_$A98A9Jx9&q(By^E*q37?TCP_O;tej(Jh~vZsRS7R>dCJMF%+z0 znTLA-RbBv#N8uUtm0*6k#1f~)ZCG`s_oS@}xJP6h-&+*wzZUAwlpHj+Lq|8fVA%&{ zNNi@x^JIJKY^r)x+m2&HGw3cqozv{kxJg6Hrc=1?qo2zl@>k8Z%@phPBN*-}Z&_Q3 zQRo|~m>&7&urz@(?@TvCIvOmMd!4W1WspH^mTeEvi%2hI#h*J9&~Yf%s^$iC9NZ-j zjrQ;0?^KtSCV{Jk-t8^;wzY3B&2U%8A;W-@0q8hDug`2$BxSk+Iu47jv53+qXXoa# zQpkBzlNwYVh9vIfFE*GrZU8c92!XB1&LS|aFhv;MMA34z96vb6ItHda*26~ z#Tyf*=rYO~pZJRnblf|k5O6?JoB||r8k_0YwW7@3S535D0tfh^mNl_7W*RR(Lv#z4 zyPcAYcB-bg ztKh98={I7nEa*pSK_H0n)^!T(B<*&cB4$_f=eGAGy1=Wc=YFK1G&c#fa3#9pz=O?k zl?>J(p@@(XMl~%`{p7SFxd5%K_T6#t_5wjWAjCEny`;3D$Zf5EN64_L_M#Fv2u2GT$^yO`bORcOY*=4&o*;5jUTd{z zyJO#TIpxdNVK1s{^o;v2XHc!8W2K9XH*uFLJW5UCG@r0~Ln>#fFT05*@z=+ycb;w# zcbjzZztyA^^pK!#WjELs#A`NSrfuyG8ldXH&V&&Z-|r1%7d;KAm=qHJUaovBwmp{r z?%KNXxe~-R^Fde6CATAX4K<20Aiu-!)|A}Y@?jzf$3U~Tj@%8@s-TIScmzgBe$#VD@_cy z6Zza7t{B#Ytf|aV1Ig5YNv!`4D|*uDg_rA{GCG(jufX=!V_3btcGFrP2#baq$!mocofacvWzh93KrC)zwO;%aED6xb(&#xmo z9bR*vj;e-pf5)RsAY9K8lECf_p(9b{Hn871zV%63nA)qa z=2Q4g?;x_~qGMf`I66!o<$oKNGVp%8%^_UAC5m(Y*aA3MReVJ zziDRPKYZjju46u!Y|Dkwn%fuZd!wx#j5D%HTM4!j?&r9SM;8lAHTrjur7C#(?Xk_2 z-GB06B-RE3H;U7s+F~}*vKz6$PO1YSYzJ;?0mGp9U)Q;_%VGHMz8DL%1;h*kLUEW&Pd?3r2C#l^ zF`=&1S5<2)d9PO2p2tz!1Pl|n$&_z$zt{%tQGwt{Febm46r6>t`o$(Y2DTM^?K;JI zSLcV?_vR$jOse}vWAWxlb)_1<=uS!)DUd2yxxTbSCQC*r^UzXB` z5ZBDPh`-oOM3T&mkB1a%X}Yagd4-tw79Wb2%OLqdL^A4b9Qarch zS1~8lz%sZ1*5)*+s?VPZ01XJQiQaml48Dt_ywuga8m z`R!;`bb_-RVf8HX zg`2z_fxQ2}lh1LA#xsdM0R6>w zOif~tW?Qdo=TnlH_0~P1*)e3hYAIrt`{UHCrq0bRp!i&evcz?2G$C2&`o_( zO1oscmI+DOeztghSaME>2>o7jngVIWz9xpFQ%4*WuB(+fOV7Pllqy2m6*_gokBDMu zhp=Ck=CDM=N#3_rf)vPjOx%~nLVK#fXo*uXpXlMc4M@ZnlB0iH=gu0oM37^rp1nH>k@}sGXVV^x@l#v 
zH`40N6Tg=))s@(VcfnDONKmgk=pAxjpH%LTcw_=lXDx28)`*?G#iJxHE@t`4WwgqF zQ2B3(ZvPWQg#s{Cojnf|b|n`jKXv|rpc-b54F4{rxQ-nXp8)D4N7Z2_+WJW9vG-o52~D6P*s`ZPGud@gXU|a1&mT=%iTw8r z)K#Lm9YHHeiPdcAZkmZoT3}GGi*7;nBmnEhIM20cT{JG_=}^?`UUkzdE$(#^|5koG zFmP5@ko$YzjVYC5@hO{MTQ$v<1+N0>$wFTanxHpDZQQ|dR!f?zj&5u{vGUaY9<$n{ zw7*>E4S280U5X$ipI5+XCMbyUW5nTjlckw|WM)#1&k?sy=!RCE8gF6u#uC)T#Hyr+ z^yu!9gIAI@9AbRMk5PDgEjAs+u#Z=^W*~Fhh(_>1ujBPMx+n5`9H)BRXsl(IJlPd^ z)Cv?^njhH9`Bnz}cFn=1dGG6+XKsp(AJ&*$`;Z}iv9d(JuNW%Du3gqEFZeYl$LVLQ zRKp6-F%4bKyxTxZi%$+L0%^3jS>3l~(1Eh%`965A@$37h^M`$Y`#vt>F~0SE`}U-5 zSg{TfK2;q1+RbFpuufsi+~lC zYCw5Hc2wK@uG8q;g7uT~ZqmyA{7}ivmS>XSS~ck&1{_dyg>+A^U&1CI&rr!^ol{$U z$z7J)M&qy3o1T!jDYBj4SX56vIlhvVxy>2op`QI|+){4w!q-cG4uDf?(!L5swES^l zo%+%TXT1rCs%hKSIB)eGTmNNkq?uP`oiX-x)ot%DPzAK@SL1R`QRkqp4_ms|*vqhl z;B`zW;Mg9R?xqR&@9fq-&fV*G!!)~{ zf0MrzF-0HViC@!s<)iwGjl@sCV@_)~MgRELGsC+k`ZDk%j zQD0?R##ey#)on&x+>(J9E#6mHX?MQhvSlQ5K=q1-G4six$Z=6a`sHl%zBw=p*u!>l;DP=nr-RS!Dx2;v?W`@HlLAx_ z`~Q4$wxre9D@dGehVH9^4@;g?VctsHA(H`+CQ5V=r!Q;=?HdG($9?d zvAu78#z@?C$2AZ*MgmQopZxm#4Cz9Lrnk(~yy~ScwPU_l`_v?tfD>R*NA(*%X#1>b zj@G>DQz|ITmZm(;jrO%Zi$LEfD=dX=`}E!{4dsR;MA7y_;EdBW3(Ij3$Dp0ZeSQnG zEk(Y1os0BNlnDE0o=e+~TW>RGHq2DyK4ewP5n?-7Z;Q!u6XDV0BWG2?8bu~h7gmYK ztY!keb3~I$BANR`GwSUQG_<3r)udb=G z$6P8G*{dd$kLwdJ0y~md!o(D|c5-YlY#p!Z3kI!{9<6lr9D4m}+B=9;PWb|t15A9A zO)Ex5_Q&el9UA$@Y*Auujf(cba=kI6{p7KyG<~w|cOSNV_ivt&03@#Rq25@_O^go39aVMXg3$xPANsj#)N@yR;=WT+~G^=FA{oFOT9DMG> z3T#!{oiLRvk3OL)G?KAjmu6grI3JYqsK{#*CM#r@Wvc3u?B4`R#B`5%APidqNBfnX zMxTDS{A38Ye=4(h4Tk{q^CXaKKlr<1GS%Z3+ml@kH0-~FfhGVdzyGLU(|1{%Oli7o zD`o$%B4~m04;tq>qGRyS4jf~@J8&$Z29p4`=LB%*yZ46&2P|R5xn)~p@5%4~qniBx z5!K|vT0l@3P)(+d)pJf(OK2M?JufieD6l-zpxG+SV~YBo4Q!7AyovOiq_eaRGX6oA zuk4W%V?&D+^XtP8&O)Rt;{H%g#$TdBOw&kd?ShM|P~RN^n{9;?o6SYeaz9GslvbnbPwhHVyk!S!FY-y_iMdvq!B=Nxo zcJc~~0Zo|Evn6Ztg7;S5Bf9I4;8wm(BY76bui_7#PsN_{0#uv}4`%S%OQ9p=SGV^p zf;UOxEI()~*aF(l&BeG#8=QpZo~kz~`?>tA#!rx@-}@nWhC1zc1rd+}zA9~%U={KdAd007m&tna{iB6Z7s)u8c7lf_IcLI`yVeLHY% 
zXFy2RtG~2rqBIk5EkcpbSW@bynvRY6Dv>)s%Bh~!zAp=N&Ydm5RJ^R>PBUP}0?eFj zX*A|Ua{!hl=w*Aqlzx%`u`4MxbWAoq!qddHNWs&@R~aYNTMtf7n_(=M%)aT7qtgIqg8_|Xe(;sb_L3au4k&VZS!X7zS3);Tgeuji zFJ&gWZW=tH5lkp>y~>}g6EuSEw?q;wXG3c!#CwX~)$(3hlKaICaKKAQ0XouQB4Hfpc9-?i~p)t;SQiY53yC@V=k*KVK$9Go~Xp05=lVZ0X7)>9eJ9J zX~c#Lgy*LYFHo;Hm0XtFo;8*FfkX^B>pXsU6d*$csPo*NaN+Fi>?){Xtu6fLy2EyV zOLzFs^Ktj{c1SZ(dt0D_v%w z1*Pq`Sn8a{eF3ilFgBZCDg+5c@T%2Anq_jmK+}P z^=vaLec_ac=iyMkL!tr4UWtBfQ6cDEv?F{kS@`X{aOuPU&K6mPRLlUE^y@?p~cDquOZSp2C3v2ZQf;!jrj zs+vkm5R3P7U9Bm)G8r8m&LudNPlh8<7@r3XJ`~>EmmA`sVZU+5Grcf7AJukey`2Kqtu6woE>|bo=7g0Zz zf$57I2T8J0fMVxo0NVKq!1945f3Xz}oVh_NdVhb;PyGez$#yr&4o)aR)m;SCxKvlb zt5c{jggae^_T*j_%>q!-vQA_UD@LiWjhLjO2VY(Ko)ju!DAcnAP(E96^v5;q**(W` zWDskBF$m;*frRuZ4uYFtC(kiCb|9=h8hNu?ldS zfZLMZ6e(rylV-594$WZ-9-(Nq81`5L1G@~zE6oQcb-5=G$}jZ}Og**KyQ_CsP+#vE z5IZjRZF@-I`dxS=iNhV0K9#^}%8qHm{V-s)EfNQp+{I~UJo<0ov;Rqh*s~3x-y2rN zHp2up&K5Z_(?r?og@leG-vG0A9RT9`FoSwkGI(Ptj5!V;y7 z(<~uC!WE?jH2eiXC^(*}!`bv<{!xJV&C-*xje{on+s@+t68+fg`3+*JLo|5h7Wg!( zNOi&RiCw4uARr!~G#+|v+i+?1KYSC7x5->EeyNc--Cv+7Tol_=rFnwq?rl+?!|XRh zT}*0}GJ3dxww0zG;CQ{b*?`?`%k?p8P&J4svbn{*oG<~`peU5XvQ2J(T`e>^tJTtw z>`}HaY_NHhXX8Kq9IsIKQV@#9%h;pFp4)R2=w6!mG&k^d2w-gOBY7q~r1S=uw95>B zb$oH}gcUMnoo7?$KiqWpw;m_CY}DDdenBM}llIckv(uYOdwHg9hV_rMv#VUPTU$3V z8MDCv;Kw#E<8+hIKneX1<*>Be3Mekl2FP*axqtfoGsj(JLVW~aR)8^jcom3g0Zsr0 zB!HPMp2$qY$dW`JDCc7)24`5;0BaJUxNCu9qXkV6>JTQ{l*>^rDPvl>9WUOSzT!{0 zV)E6Q`$0B$UA6IHux{S)@+ybqD#dLVqaE?~<<925WOw_KAy^Pri>2_tz#lkk?p^dr z-X@4<02r+dK!^q2V??8MwXW&fq^jb{Ogvpvaa=kl$2=mtnV0Ss)xxqzwE7c-lS~;79>q41{Yk z`m>rf^TTGfh90ezvNK9$Ev|5A`)a^WuFK{~QbW3m_b5FMFlYa~flbeDtl96CT?@$k z0sD{=BtN+~UL-fe;ft^hW#}vmc7590e^zNb^2txc4mEyr-N)BMdecv|$=b{?LKYuQ?QBq{`=8Wi95xK6W4sFTu_%}ncQM@4Ly{p%bjA20n) z$H}$TJ&arA+`P0Y_`%Ptrplg8jwSm1Ry+7pL_toh(NF-uAdG>2vV7ga<`Z^i&c7v3 z@-D4weC!wkM+ZNpYYaGv)d1(?yKx@3K8}vb9GMb*9Ys^8f~mJKz%Wy_K5s*Y|VtOQuquzPKfF ztiG!meRXT<8y`=$5cG({+bdaD_Ph8h^nE zexV~62RTTX2q%Si2mpp|qKgoL-C9fN4Wn4Ai(#bo)15L({A#_Soy4lGsbWmXCM?Kv 
z2jZ7&fPg##+1Mw!hqMH|9{rv#6tNcSHj>om`qwx7*9};4LEp^lVhykVCwDhrUvT%j!>5Dzz&*Zrn8GCcTD} z>ziY=a^^?H3ZfdRAKy0H3$|UJVqYngh(1y^@ou3xT`i%zM%oM1DCO(8d0~|^AT_ph zf6k1E>BX>)KOS3UBi#;nN`-w=x)cC-Egl{IN7Gz11e)d_*QoVv$Q8Ecpr~P1!;JX* zBgMKsJHy+-!(jGUl=V;hC#2wRdi(Vf*7 zprnyBKvesEcn<$DJn_XZYz7v+W6n+5_e{gw;UimvA~9OAeQo5BLk8HQ$AiRvvr<%l zkkeh4>*Biu;~iE#F$eK^(6|*2{$p6o{yr?Y5MR60qB9wqHNK7ExxDq5_6aQ#a%BPmeD-T z=3sVWO2gmx4k6`XzuHg7T&rpf^OW`AVM|xv7TM5ncD3F;Lyt`#zWaS*LAx@bAUg$v z0(1Ny^Q!!hd4+MvwWKV4H}-#UmLeo!@h%;9o&R}Tc(Ui$;bC%ijOy#pT&&NoL2)D%^~Xs5qq~IYkH7ftPPzCEdtx(@Gdd?004)7J<(&VRa&yF2$_|q6 z{_@$?|LSJhNFwqPFBbWHu5{dFCICr36+@Aad0Kzje*%BiEqe>X4^Hrf%j;~ZOWgn0 zJnwYPd0*LXq$CaDX69_t*u&_HODRfdTj#&|-O~TP>?faBaDAu0>Own=fQsPc`Dy`= ze5$`S^xX0b_-62iUUMeokL5^~AL?Vj<&*)7ahXwS5 z_ispsDb^a_8qWREG-=x_9W1Nx+pDMQ&1_sBR}fHtS~YonGNTdCg-@S`HNPqmu*3I3F`H*GK=p>D;st^aw4)>~MC4?!P z#3DRhr%(AL!apj&rZRoJxu4IKTZEo6p?iE(Id{b7wU*+pPh=b#J~8l z-oI?HuRmlDZ%0F5Z%gHKzvO#68{L*j+4Pm)h9S&YQzc*i1;2om+k8k2p8O*K9IFvP z7E;mqz*6vUBO2ykG=D?1X*1&pGno01d1zW0-_yD#e#2{4{K|1R9!F}j?Y$v9 z!qYJSS0gFqFJ}?pBW-x%|9Cv~?inyOZhWcc-pbnY`8)~=agmhd#sUZz9{gW+-ru-K zx5x8GC9MZBL&bKt_jxRp$RAdw69oSScRi$MXzn?fMpwG+@@@OM?k(qL{$`~P7vf(n zEq}S{-9R5C2Q6cA?J=h;DRbfOB(UMV6=T-Z+(>oXgsc~aE7{McnC~U~)WiWN(Y*Z6 zkooHwK`I)Pl9FY?nmmC)F97=u{^%ReUfjg*J3PPff4o*#w+-f+nmsjWNFP4_xNzqF zkR$rHKpic1b+;=q_npdJFWanEui)_*PA`pS95-MWw#4EmXT0;R6ihjXB^I?lo(>Un ze1AbST1iQ@1NnhwYa#-~XG|6%X0l=ARzY!Yug$gRVlP88-rsCtNPhau_W8@GFyAQ~ z`|0Ipg)MudT7U{Os42CxDcX1rG&ap*g z4@S9zj)Tt(5vuE~SCWuMB2Fi(tkhN&eYTrHHLz~bY(YocGW(KH_W53TjW_wTC^mvgaW z$uTZGD*Nrq*A^;kFdiAZ{OoCwmVcKq+Jm0r-ahG$+o529oog}j1*`cN+ZwPvDnc<| z0n{DMm8A`M6KL(i5^8e_%nET}Y%$+3WD!$3e!tj6e8K4w3MpCk-v)oZve{n-4L*DIko3XTJkbNiUT*wDY&f^k$yZN?IqbqM$+aXuXNUOgATOB<0>iP?4SMJ*s=^SG%z1+FvF@xgs*}zAf=p1_B7aL25w;r^~1Zpv< z1fC^Kp*SN|a1zW!K`}c9P!lSg8HN<|RbnP@=nSP{r*ev1-3uE z_I{#8Fr#)8JB{F>Q5YZ#txp(Ygl=PO*GxKwSp6LXTf0el0KKonI>~wsWYxh$+{7uM z6if#V70#iW8%GiGRbA?{Pd0&tB>{P8}UR$l8ch;mS%Gj%1%Q zja^Qea5AZdu=z@*Kx2+C#HW=KtCozKgcZ#mEMc+=Fiq7@zXB&H&Gn_u>Y)W^!{5RG 
zcRt~YzLd*NBR7k2a&EXOm}vjf9C|QglKpL!1t6&95tp-AxOht7a*0$C?OfB49fMv> zEEB#ez=f)ioc95QoHfat$g{rsYFvn$n>|@*+P(d=zWFY5roY&-TIhfsWMaNLPoss) zp}Li>!jjRorEWTMPw*43D%sFwtYkKkwFDGjSmJ-^2$cQ1ar)2f<^S$|4^p&{H=d@JrhX)qQl`AT0}X@=08 z8HBr?Sk2-1dgGZyLs9FDu2B~^Y+E#KuX^oNaDG6Krz7uVPJ4u}%>3R8`ksDFpsW&j*+ zv{sp2=p!`RB-GXk)L#s#ZG~mMV4E@CA!6;hAFEW={96Ho`Mb=sq*nxhdd4qRbHwWa ze~Mii8n8@OaXx5m0chj+|LoTwodXn(CQ!AoV_ulsc7}TSba15eKb6^VZL<}yK#|jx zfa?k55Y%&qlbV)lY(C6KaM+H#6+R#w_>^M)AyH?!B^zGTwS<7R3rp<`ub<5X=sKDs z>u~wBqEfkH9DF0c2aqnBO8NYRHQEYI(70pMPn$fNWSR#Kuc3sYJDAX-^^9|G zN<1#rrkdq+oaeeBE_7skidY>86dO@29{Mjfd=734s3iutvwkb@WgO^f-v24~lELY4 zi?)!vTi~~H_uAfceHX${z$P*RRfj`uQ)5|73>lj-|Cu|nO8U#9$g%#jy^g0NY;NdB ze{sso$il$LSUWO4gbOEHFCW_fBx_~6KtJfV|7(1)o7^AjCVws${*Tg0-~T9`Jm_*a zDx!13OcaQr#{$kyg4Mb_N^VXaSDFHO{a>wga`&X}Keq{co51!cq7)F8nSvToI^-Wo zR|)c(myZZMQ1lzDdVAVCBf+D2f=5HpyTfh?!&{}5Jx*Ujrw%w&h(x=(|7O1) z6ulyq@Jwd^*}G4gdc?eI`LHQzercCfu6dj3xEBo(wX;?ABOh{WyT@92_er+N$9q09 zG%VG_y3eIXmsFSyZeW-3bWJD(BoE^sSghH*tGdrRmi?h1W>V_8>V5t^u2q?HkxG4< z+S!R|K|ij0b~Dp(c0eSx#T;tSy*Zw1*yzVswLM+xURqd!{&5fRn|V=Nl5c;YSKmhE z6WbxI0`1}if_IX)P6^37f1SH=)j!7PY@^%GOk)OBcr^K{)a)?@t5KtOHl{BWUVs1X zD{{aXnG0wnqyvgcBL09Ig+XQ(F{?f=M6u7zxAN-@*fH@+?b{a9GcAu7;^RO1a0~OP zD?HSExkTOsjK=ziTPCI#dK1z*6nhYIgu775h5mlr?IlibT^6y+jd{C$4M~6rvCK(B zo);W#_bPRm=W&d~LeEjK^{OIkFfQomsrZ929UH&cjz3LM{@j(7iMkZEc3erd*`OlH_KmQEak>Vau*Xwhh? 
z`t+V%ST?B-V5q4}E3`m{U!$ha(k{_@lItx|mU+ zZ?rI>RSURfF30PPp^@7PtzB=dT4elRhJJE3jWV5UM*D+L)JQW>WS}M*RNO}f1^J3+ zXn9&riWiplR*l@USsU4(-E#eI*We2-msY;@T=ofe0IhntdFpcXgas(vx$42UMIYO@ z?*|wB0d>_(jkyzYVrVB-uzM_*=*(Y#7C9v5!*VKk+%U9$&wLs&+Qfw zn{i&hY6K!^ax|GD(cjcGG?5-PLGQTl;i|gzE-x*-yHD@8J@;Nm48A*U$@Xk|1ABm( z#Nww#vjov^)YNEvqrznUzLeIiC0$y{=!%*8d_kegJ6Oq$&iZSdYXKae4i{2zXDa;8>mB*l;dxP_o6YdWNGXgXD!%HjgiNFQQ5T&% zCDVwR^J(c7Yt(|x;1ik4!|@*dTR54XJ5k2Cx~=?CRtpX!k0I`zU}b00{O=WYZ-$8) zBxsf)yrN?h<=lkhAnES;25-Y%rbt8G!BiTd*`_y=_b=6?aLC%2qrS}eD z9tY2BnoT|q9BGwmKh*)3^8PrZ{oE!~ETy|cek+~Owld^){YvM755#3T-yAZG9vcH<(S9Ozfh5(cldsdD^v6ot>lf(Sgy4s&v zjk`CBu=|Y?YRy4`olB(thz05bCn3gi{k?iJ#D3=Gl@~rX9|heT7S%g zZ=agZ&gEp@guSy?khqt!q0{i!X2mXG0r}*K)xh|s&yJTiZ*oVmLcZRe{k|Q?J8K#` zbxmaa5xdi$LqIUCgK`T$j;|L+H7WMbuBpm!QU-Gp1ZEAMBIjId+#08WY_HtbBi4j8%PnNf&~#!dJQ%}KtMo1 zYE(o@ga`-(2*d^`Eh+*^RS_a3L`n!Xk***jHPR9Y0#ZT}N)kx%ySVT3%$)Bz=bhVk z&NJ`#&AiVaOdRK$D?5Abz4qE`{nqctIcI5gigNoAQ*6jd{LD4SDW&_#Bq;+^+LPCa zvz%nAQH)?aLklI^eBM?-CiVqC_L4pqnI^hpzuJX&;}oNVx1z=`Vt31MLh)Y9C5zdT7i&} zk@HkJ9rI`!G<0A1+lJsD z9X_{dxDxRY?N=2k?UUitcUlnr0PCz{uU2(FynOtZP>Y)qRU0*#ITxjw(M0p~^L$C^ zxacp{ap4(ut9j(2POA_dd;+1%)NTYlSR*|`94g>UQ?rQ^E-#lKml)Uw4poHT3@k7^ z`mFivjmL@#3ljlbN-<0w=Tps%=?@?~pAej&bp6T^+adO#YkQ)T`JUutsM~F^EG@mx^xXZViWA#s8v58H{d$ee-GoC+l5a*_?zC=g zH4a}vq;Ze&)PSrDaPmGO9ObyEyn63T7U>&DIrr3EPF0@V)_B4iW>8pbpEUB`qdOuM zi&6U0W|wPTm?TSz&Mxm`EGPew?Px5pBEq>?!00E zJ`$N!j)_kMhusqi0{FRy)3RSa6XR`lEQq#&yPgj!uegmR*3|@80@Ly1MrNw&ju$Fe zrCN9L+#o=$d;d>{ZkxGmWok||2xxR&Z|{%b6VX87+;hejK>2!nqRgmI`o}CwafyUw z!Dis{p9(&NY(EE{7COpd?p#cVNj19$Q zbg>Phx-PW^P;|E-Z+Do{iMP5W&-(31+pGPZ)wV~%BmUF2k8+K*kO!ygi491hmJ=F* z$6}XPZU#Jf=VG!|zO*=J=sb0E5d%L)1b}~U!{qIN>tizOF&o_#w9hZ)Qx|Z5gv5aV z`9QCNmq@z{vd)I>8{k~^5l`lWU=}oUBjirO!pbc@8leFkJ-zC;IJCT90BkkdOrT0wh!WiR)tFACXeTpXedvSR)%)4%lzuN=00AV%kU&ind(<30P(R656qa znIVXaL<@GP0&?QZs6iO(G}F2P6vvi3#T0wIJbKm4OG8F^2lnLii|rQbdZ=?jpA|@? 
zOt!pW-9Za(<58t{{{Hw1+W70CeYng%d}>(GXQ{BN-*n} zkUZFHke9j?0@$=X#BeT?pN$;f3*6$3ULzaDSXhoRu?O77nqQ?bna5t$8ZGxm8J4;i zy8;~7)tb}pD;0Ppz*8pHp$?k^B-eEoQjaX8Vm;#tO@Wa7-_5P}N&G*XQ zu{0UK+@%GQ@7UdDZ(YI9qQ(g8!W&`A9o`gTGX|Cu^~l38jdZGxJynPCBW#J_)dquO z|Jz0KkL%9=>QlJMz=avqtY<`nj$va5dR$ODeQPeHrJb%g*nV?chzaP!m)*>j6>Jbz zf@%H8Kt61pgTGlj`#ASlf}cjgp)!V`TadiX<@L=jcj0yLzPZ zax^GRNatFh+BQ&Pgke}0O|%3a+JxM)!Z&S6SBF1rV(@cldVyNKTK@7^rsZ=}{E1C& ztBC4=7Z6p=JX!tOiq-5W54qdo-b;aGHBu!C@+^;GI|c1}7$sa)l`@^}wxQAN$g_C$ zQhY+H!lIesTt!LHcs(nt5Fj_eO`&exr5&9x$EAPmOuDqI;)F-SV$|$YJyuE5hi3hO z3>*&msyo&pcT>bqqWo8+H%!di{RGDdJL7(ov?W%<0#(k>wY#=8*01??9moOT4-mhL z6kXiU!7eGa^vTI)|#uTihT04NoO_u;lO*I3O^TzdR&Ikfuc48ZGePRy$d)H zg_ATgGSnsoJDyj5*g_|Gd&{#s_gl^8-2VVnMirTY3}$(Y-~hwne!(c*j!Gls>?|rA z95y>bNYe;n)uXPj(sBcX1Xw zs9;lf&+ptBp$#Sxj^C_er0iIw7L<4&x0w#hO8lImI3Q+RUcPj~zG(k()iP42d4SDK zk1}OxHe5R%P_2j|?`9CtB^DFPVwYoDTULaj=-Jes5$ipbU8AZmwf7!dXgj$7P*8gL z7!pO^z+^vM2JQY1&o#$a47`gOB8$|Y8@=UHz1!{f=!Hij_atu}v~cXm*@(QQZ$|Vm zk~sUGr;CrJ9xZ?tnV=ne8X>i-Nq!&IN+zX}j=EmEskAe!#DAip<_o3Vx)H#Mit*%` zJL3yDVlClrEaKbz$I7r3Q~dpn?0^eZKJ2XA2+`(;*_)xT_t$mNW|pItCTq@L*Z6$% z0_Td`Jq{JiBu81oFQFwcJ-L-E8^d)dPlojLEM0tZtj}*~@$``wx3!hN)Rs#>`=or& z_{Jd5nSqVdkPT!vx*z{mX9<1dI_TD%|{@SDW0W#13kS8epa8l+WCq#o-iOi%N zMv)^vx!GCnxklpt7H6RRe(7po+d=Q9eO~sq0xN1z#qO_SQd||DCXGsnPVe@r!*p0)SK=ptcwL^=_PfQf}B!vDLb8*0E@C857to^NRf*o#vSJxSpGu3NS zw1|rm(!X5tT>!UY$o|2D%?s#krF?z@ z!myCz!g6D%Bx8K==_Um*AGJ=8NZ|&93nS)dZeEkJ+G>zQB^Y!^?d4f2@@&#T$AvBM{#{ zt4P1O5NKQAGW+6$Hr+`#+<9@8zElQ&$ANKgxbV#RZ!}@C5@3nvvPZjN;4Z2up?wrr ze!`*>bn<%WX&HP@?P`R?L#78nG)YqEz6+6pBOM3icR;K^^dHO~58=BXTcLiOIj0Yp&Fz_Lc14#T>45)cX5B{umvU^By z2;L<1DK=#BbeH)ea*)n?S;|QsUj>*V1`xV$I7x1S>`NbdCTd*5{BvX69@{D^sLV&u z#J_a)%(rOp-N);ns5O@RsoIZtW*FC>YoB;LMLrFwzlMM4W?!jIG^<5%*KO+5FHJAJJ}~_rtH-aY(+}I2FRiXFy36+WIG*@4lYl%S12k}q6H3rhIXzZfBfWXHx2>BnQ}6{ zn#lP%zC3MUCV(YsD|U3268LbkL(YmM)gYyFxV(b$m@GSB5LC?3>#|v@GtF%f?O#bt zKD>ImU0nvIR9c=C*PO(`#@;2y45_vdWum^2C7FlaT)iEUqQY*2!=q;YD)xt;JPOpf 
zdD^nUMJUN0dj2fOgV8olq0s>M8-voyDe#qWU}x_=$xeFiUI$~v?vO0#>J*euO6oMU zzzhfpo;uZ9t6mDv1x`981WOv;E?u&qeY=Bmpc|gou8OyU&3Vwnl@^Ij0Ab5=t@U8n zM~cW%OJf7S*YGuRq-{gRYNL}0i~==Nbc?V0^jdUKVYv`g*;)#HkMQT*FF)H`f!Z^Z zeWlWID6tiHwBXK@J*8D;yK>4}q@$0q@BI;@+hsZatlgfUoKYTFUO5vuF^caFNycFuUYXo?=pqOGVxHs6Kv~kLAU8Rgk@yJNCNFbLL<>VW9NUYx)`$kDYT@O zE?x*9!`sW%2Plk(KyescXomCo6K+>s+7z_9W4F5B=ur~d*3~XKCa351MR0&T;)|@r z$Iw+KeHKch?>>@e1`cSI>76+J{NQyoPxw7eHOY>VXL%pWaN3+kocl*&)BN~^hFr5&$Y%RihFx-+Y-4on#qOWvU&3J% z=m$|iQ`ODLT)`d}rQt4`Y6XpJG)M}es9vYklJ2y^pLZa|=8OK^w2z}$C0~q+!Pv<{gDsfc&%X-s`PL9|^0aZ_Z3QLW3)f^x?U%K03U#(=#&;B$sMu!5EwBbCH2`TA zJ8R89_{7Q)u(9l22SQq4fh-MQJ3L9DuPH6!CsJ#vk;rlEM~g0THz#+v1afj*q+ z#iTcnxG`ZwMvS77u`yyBK(0w9eBwX&QJc&{l<(zaH?=rG-@6@&9!Q7nI5iw2bImSP z+VYX#nE#f99qCsy3&uYz)Mn9+$yRjZh>@yLzrL^8npX;>ef8h5>Ef!jdE8}i9B@%< zFg*C1jar1qe?16-$5K^+jxJlK3MQZ!VvOnZPab*dFg1UF#;0gw!;+tCSALYhnZ z_`zx+b(3rO%Oi5H96-^LyMMcU-Wosy6CH{^u*d)0w-tiXsy=jXe*_G6{^4}@b*8&Y(&u;A>KnsQtg1rKhmsrO7yB`2e zW?R>U|99H77&(LVan;8JIm9JS0|x5AXu3|dbanUXJkUNlu~d?Ca?7YriVhgvQ$JLH zsbi4u$(0H+=^kKnPpqvP8dMq-V~6LGJoIPH z>KrSD6HQg!%yZ-%$@i`)9*T^?V>0|qwl+Qs0Ofesx*TLaIS_!VgI+=pMFxV~M+Q>4 z2sHxPCG6F-T*qu6i!@oMMVUy%FHt_NNmS)Xz$0w?qK?4#+vD&{cL7~`3N-DDJ)k&m z4-l6P9$elc%XGs5fRoS79ArzBT3>KcgrD8VoI&Y`)FoA7<)NI8#^+#TDcyrR^}ICT zfBT5$u+62N$C?C6%+y?r%dl_uM!~1v5&Wx2e(4T@`@Uz3$3K4-3h33%{rg8shT?>% z2qP*{%2%(y9*~N+o=-IF2uq_3@9LTyHv=6`__MZ|Zt(Yy(B8lP_n_4O&(G8%WKYus zkQOuSiqW**ifmLzQ^c1vVKg0oUSfg*sKzZ1zfYt=66jEyyJB;3Lp4m6a}KuOY`j#w zIbA!Ne#I(~)IVh@<3r)#2qmi{{xl+t3w?tz)tnO1i9WMV+Y!X-4qth8emg)vp zpe%!&k{3qt=8C>^AcTz8vJSd^|J)jod2=9T-#w)aPQ2fHcewWDc#EEsD|1teyn3U{ z_TESM)Z{Al<71vN*7o8(HfIi8WI_^%J z`s&kRRl{t8TYbbg1IGzfj;ZB1<6(9itMl-2qk|G#ZY9HL|fU7crYGD+Fe!2CKdurH@B zKq2_}F5S^96}7P<$#%gP4k_ z$RV1$-VF^9V>jf2V?1K}Ut9ztd#PC7A%GHKm^cL7P{b;|I=H4;L4qQqCgRr_fLMOq z)nWgxOck1pz8@WshQp7AN#-4kZ_?CPYM*5hYglf6L~4X35S9K_sf`B>g4PSQoA~$9 zBS>E#TX*E`i^Q2z*Zq^4b-2Xp6@eB|rUi;Sjqm!2>tJpMC)T<$Qq}zVH}5jgaz?_R zS`>G~{?ekD@rXnzgFJZg8OS&~F{Sd`A_F{}POKcxTBI?C4D09wAX(xFP_hBE<>Uk3 
zcrJj%XAc74uZgK}SuY}7x${>MVK3@cilbnY8>lH#tId=XIt~?8*XzKa{TLn}Pj$)| zpNsDft8S;NvsgMLs~M(@TLtWo1nToc-QD5^8BOxP-fyt_O=z(M34x;gq;Wx;hi0; zw{obg?Dyl9-ifb%^YoPW4`IT9y$(IW@i|9$Jg03q!cD)?{WKHy&>tb@*Z_CtRBr+G_`& zV^JB__js06%ueJ^c#}gdqouK>$l{&P2CB%#LGkFO&r_SO5^j4wzFn{y@Oddxn`O+Y zjvNE-w2I6v@dn3^HDdN&PMT3Y>F2+>JZMMYE8AlZ{GOYcH}{wxz@Pt#;p%XnWw4$Y z`S%d1)YgK$C>CU7w=Xm5mk=AN`sE`pgTpJT$vat@;jj8ifmR||-UBnf)td~>OS)gXbui^TxOzUWbaX$DR+xZsiNK5}bY}fO> zp4@)X@`LSCfv@A{qU58#lVvz=RHZr5paz1z<>AJ=_&TP6o`_bm@M)XW%qoQq9}$IN zW4EehgIG{bV%{)fYkwW62=0lnVX#g0EJyUZhNRoa3@h$@V!rItZEgK{DCnt`uJ|NH z*611tgm7T86IP=8d5Q%sMI*R@tim}*y~lkTD`S{KQyIyP=Ve0og*1E;S|+C)C<|6> zeTUhX7aAH$2l716X9;uqS35hzI~0!;{V4lcPl@;?bQI8a#6!-^LZoA3qx9fIJxk4c zDXfQY;2Q8J6_Oem*SEi|boO4T>sENK_Q0Uh-YTf3kY~il8;CIXwh*Mh(e5I}eaxsA zj+yo2{1k@2lP?xkk0-gc1r@YE|HCz5v#u1H3K}Ff*WjD2K~M(8$HEKC10uagw*7KW z7oG$^(5~7&X1uTs#`1Y8=!`moY9f|*-Y4`R=&_-@ItuX_DuWL`${!XR<+T}62HPfG zpCxT-QLL>!GW@QDMY0Fg^>^$pidzu;Z0v|sSxuCMv4$BEvD6HjmZf^jerJ`O_ef6) zr-pRVN5e%Q)377Z)qgDJ-~q)0N&TgvTzif$C;>=J`T>`lEJ(9fXvhFbZKmd0_Q2>d zd(W!pX8>*#rTX*gLT3#&=we?X&H{~9lca;pDSSl!3`mUU_-0l*GwpK#HDdI}kYMYN z$j+@UW)4S1l4InL5nr#N#!(HUkOq(}L5cHqVXD_B#8wXkBEts~aHfn990H;PQyz^DYcRAo?NoYq;@owLt< z!du^X=03rkl!9DKb-M6!cexjgnT4L5$!?k;Hq?7jV-vyqpwe#riS@)symRTeS$F-S z&s&9+B>JwoBqdylAZ-fZs&Mil(SX>AftIEyh(-pJR8|bt&T9~^oNmATK65q9LB=X1 zMpjod1~lvc!mx5yU`>tdAI1$9_d|SFWs@g)Xk^=q`KW_YBzHh_i#i7rlT~fbmam3N z;`D2C#Af_LH|O{qT0K_f_p#6;^WJxmjVs|H*V%V1hh|fPIGy%!XvsVE^F9YQV@7Ps z_|OgMsZceVi;3`$rz%zel~pHKo_C%TT>$ss%3NmnXKIXUwRRgAD}>&GI=eo7?Ic?K zL3~f{uI7`Y+6VmR++(#HAdjU%G!+BnI3IehiXkWh1nKlf!V4`~V;`O)I_^BY9&!+r zc~1>);Lx7EVOKZV(jt^JUtb}pzjWl}rQ{xp2(LPAWvDroSm_ue)8_0LvjQ+>Pd9y- zt$Ey2tT_rj2ldmM9V@+Z;RRu$DhUh;y5D)3iKcarp*C`2TciyHvdkp3b_@*MQ8eNc zekPmTd1`C6*~a@0hs}g_ZWkfyw=uGW1>5KoT(KwaAm-7$BDjTZ&PAp&p;U#yc24%K zd9f|G^pU02h4Xy6u} z@il>D?csG|A<5;Q6XJuZ&X1&tXRg{jb*~odSiw<7T6~l&l&}x7%LQ)I)mYPlewbzWnKIOU?&{Gz*$G)^?j;yKDQ*SKR0PhB}F zBfkqhv>G_{bFoV~Gf?6r^=MYQZSBivb;+F}E8~s{@(uy-==(^U^oI2MczY` 
zk7{le_yH0{0|Bv?Bs;z7*1l3NfT{cvdhq?D(J5XVCQ{#Bib{#kJ_Ot)p^!}oaOLw6c#wUMLS1#@o6U9yEy_;u zW3Hi4SWHA#gw(_L zuR=^exH*9*W_psyknZLTZp1@2BO-R3uIM#;4SBmR$m!vCQ0R}oWLL;M%p)jY&?(qe zS%*&@7zYp5NPWvKfgO`SxTtebppmyp`ns1B`tYO%LbuTBMnxH+u*lJy6fUo#2 zuQ8FspvyG?1`c4P+&}8%+UXSp`p&Y19Wr$#pV=uHsG|_2`O|ZRE@NyLlBVGo#Wu}) zrE^j|)W+T5c|9JN)peHR@_JpCDd*8$x3d!ZeC>{lI>}VpPu+gYm1u(K*awV{8I^jp6~_~N|_EHMxW>r;J;0vaDs1X^$UT@s-#zQeymEg>7PBK ze^+4s2QYG@qxPx6;f{cS6K6MGya{MHop^iyd2_aqaD7m?bqfH&f9P1*Q$dvUmQF1Q z7OH;G+H3c~Y4TCY_~FB)w`}Vcge9kndFOEH+>hWRc>I&;s*Fq3NjkZOI+xN$3 z1!f$_tC3hlFsVJrWjDXGhK(d})^PM!l*> z+k(AW50sXMsYV}F<<2wrx21yRyLleE{kT;uZ3QLDGr*A&o>ts{`z%-@UHA1zA<1v| zPA?cosu4x03>d96xPXjMCk|*3clk(^4#G1ob$dLQHM+cUl@!>48o3yD^b%bmsk$>9 zrqX1GmeR}oYUAHwX=@#dc0{Lr4zk#5-yUFtS8^thaLZgicxg^HqIu0IdK{PL++Te6 zaY@OZo>BUO?WT0Eub-Zl%4B`Glbf8R7*C~b!xfDlfI5fu&%fU9=&)hd2)xzWOwM58 ziV^wX_SIY}X&w~}V;pNs4|z3#l7rJ-(#bM>HPAjNXh?KZXZb6;`LV;a&`E38AC6zw z*fC&rv(0(TC{jbVJP<+SsT;%7VzA2^r5RnlG-t9TCLhjPNZ1l%GV*bU_)3YdROEqk zh?HPQ^EJ0Y9Xf?p3XSZ9=O677lZ$6ow^Vz9{et!AH61D68GF^0#6Gv}#2URlo z6XKQqxB3rSIDJys^*n8;?O>9ahpSktHA;ccoYb1=l z7X9exd6KxTV|zQMH`!saUuoIuv*8+#qQTT$L4Wq@K;|efFNX*BBT(O9BAkvh%+~Z^ z&`xMN?6C%8Ng#W{IBe)>Ma<@!Ib1Row=AYroC zqJeHPuQR{fPVX2W)ed4{k>hT&MhpzG!sr7LcXNqYQ9c!!`#Cm5ou_X=Y}2G^E)nOo z$3VMydK~K_AHoqpp)F!2xVmJI$WvjBTOz@t4Kpd%IgUkVO=so#VuV1KO^lSYXD>KN}Kb4lkOiSSS`8NPR0$U(X&ILY)x#zheTnB4?t_9d@$lztD zhfz~`2QTPP_0!*~Y`T~D<{t2~-?pT*FiKyV4U@8X@j)YV{1dIr0pIZ&z|jDQyCXmu zX@y)p>`dV&sQ(h0(ZoesuX9G~{u27}1d3#x>H_#82KwpOkw2W`R?t9tUv9G!P-28I z`hXInSiw(#G}0Qe-juZd2QXJ|KfTUed10NoQjCAJ8e1?26h)7>0Y%Zhf>ueR<@70_ zCK?J#qjd<=l5KZ}~zj%f`Q-&5;5dxsWNNZVf)z$24m8 zt>EaW?r^Qw$F`p;`nW8YvfRHe7%L7}hj5-S9lDyp(#hxhD`;2F7nAjGLOQ2iQKt}X zAT{%FF`|2~I{~VKaLqueJnJ4_b@b@B^yR(GaIUv zzi?X7Tl(nb!%wxO_guW5loj^A!!Tzcm*({eqYQ&aU`e65N*b)3D`{ouuXI`E2yQ#S z(iy8xd5@Lg6ph0Yhbr9ValO?c5X1XO9iLSOnT`$Q$@E z7VAI8pk|!;ODI9ZE#PRGVt)KqdqhUkS575L>6cJsq!Q2;^iN~ZFjakoJ|1}^9fzwc zrVo$K^c{I+bt*xCu_3QHYdg^C!9M}EQ#ih5eHQxPG8haH@N)6-vTcPKKkW(K0j+N8 zen~@E(rKLVERrcdFr0C 
zTf-SceY{60`1;-gng)<#KC(XXa&C73Y)`ASN>#GczFy-;CkU2pUI-V{lwU#wLdr*= zSK^-sA)nT0_X4nm^AOn~l(w)uyXOm9(gf-7o*t1Wal`URi^D;H9g43!P{=xCCD2UT?r+m zCid5IN5esO-R{av$3}__&b!XQU<1PRV) zZbu0S1nd&h9_Zn8?+?+ApR4BS@!pF>HmRp{?L{Q2lJ$+aIJyM$A6TMzz_1p>T+nrW zq-L55NdR5-s|L&tI9)6fDz>Ib036{*Z$J)Wb1gk?{pCf* zd^?d)b8G05Dp^2xPpK&5m;}TQDArP3+S^Bgx!d9K%Ifk9V3#-#IctZ~=yzu$EXApm zzcuL{qyI93$CHc~lYkW*D)A{<+=zO;N9BsGyL0*r^(hu6v!ncldcfWPt9;c}zBw4k zczZ)u{a5jLXc)Z|Ps*e5Q6I91=^bg%UqYI^$`Qcmz~SLY#KrRWQGjC1mJDyB z|CFD8@{s+azrH?o$N5=s}i z_yZ;fa6w9xp(a5bEE>s>HWHjI;r`Cv_d7}0oq2sF&YwN7ScV6D=XuE~yB9}*-QiG~ znmEdh7}d+}1-$Oxo;|K&|MdNDbrDB&&(H1a$6zMCqR4csHz(Tz9(k?!Cb4_EYw*Yj z?D^SnU{C*sFSTK$0eiC|EVyX`5U2C5p<3Rwvy|9XxT-Ci#q^VN6s)Z|7}=sqS>&Pp z0vCcGZHOE(@3%4&f%KR^2Ae9I1R5hdk;-_$;6Q*PPN!W5+Um3$i5yYTFQJ2^$luxe zm8lS*M{=!2J7O-($pvtmZxVtO+xGywL&?R$WPxA5kY()yINZNAXvvoUGJ@^{ggu#W zR^ogI1{TYSuu$~nR8O5o^);Mn#Ekc-3$dQ`X2lTL)W6|MkN?i$3o0=E&V~7j019*z zEfx)C$kJL{t|ykV_TrbE0%^!8V(Ktp^>zH&b~ft+z($)f4&iMEXuqC93BMDnxLBw@ z@{)|akx{==SBwEX=eJhf7n9qpXZyu5dAXrcWVRK+#RjOD{Hv;ZI-u&hd-t%bkzJR{{z4RC-24 z2tJ!D^Y6Io|K_-A9jST?31|;A8cBe)XPv($2cW;t>3y&2oqj2VKfTKKs}7s_OIQcS z`;Ake$Vdnv4Krf=Il=4@A0~BsT+3WLteB` z{k7E|*P10C1+GgT`+Msn`gIl;zE0Mec?i63`crOcsDY@Hq8ia)*(D zpRex_c`n^~HC#^1MbZSGZRWlryNm;*c9vEErawSn{r^|8F3Xg%wMUT@WY(O2W|74j z<$U{pP4GcZ{~qJyJ%Ae+$82lLG8r)1d6iRS2OPKNy%nQoagFRl<^>-0M$z9R#|IM1 zDo$~R?0uEq0ovuuJ9-{5bxu?i)N0lJ60)=s#I43&VzOzLDtX>%MA14`(PZ-nVSAKT=laYeNm&0jIZ_gPsVcH&OPH;i!f+<=A-4 zM?uR6{Hsga#}2GMa{X{%t%f9?59hM-(`+j&C^6*yF`x6!8axS-n@spHV!Gz@V+Ttk zH}$KP#Zc3zV2xxkL*ccZ{JQ&cR6Dw!|JetFqX|rV`+&lWJJYKz64WXNW3U^XhXY6O6l)ri~q|Vx^X7;D-)fl`QVrnNcub=-q=?z+ydzs~4^~#>2H+jAXD; za-967<|wi5+Xim_TUg4`b?w)yb*8@@p1e2RKTw5HZ=>KeYEs_1^RyUsT9zla{jhk+ zKIs`lHR`oK=vA6`pfWJfeL#-R9;ks>{Suney>%zi>j3g{T3I5*N7N6kMyMZ{ z9gP6cP~N6P?WpqXG}5zSt1hpotn~!I^V%&@@l(sKr*}uKJ?%_Vs*glQsEl?60`X7-L6I{W!C<#&XUj99;;&QZ?iiKcR-UpG z{oDq=zW?MFa0#x(CmYN!$m_%GVUOdZ$IE;!TOW39tM)jly<3nTCTy5^e6l?GIqL%( zNx=220lDkb9qNy+fXWK!$UtYPUj!iKu_8WB++XL!q?j@v4)Y8d4zVSi&`*h}^vka# 
z>=eJQG}NH(w=o1qi#fkx*z&bU^)Gz67omQ-DJu(jhq>=0?m6(lmB`FxLS52ONQD0K z0uXX9?R+&sA4+#K?^cbHfxF8bP1(43Wt zhtp#bj|cr%wmtJy%cQ%?yyqN1icz7Csg_r+@G*w|^e!2nQGtn)#>4#Ch!g1=n9oXc zgCPqMDdJSJDAT%ijuJ~ytYd;6F1v{Bce&4xzYbG->2IaGw6*%0?n-cp(%(25A5-Pb z%rsnVEq|pXt(Ul(gPX z0}j;Ses*h3S3LP7hn~x6pb6wSO6P&5-ybF&q3CW>vgSdC#gL(!3D%uHG19gNaligtb*x4(=;7FcNlzd%j zYMVuQ?=i{R!Zc2>)KqEQiQ*O~wN)l{p)$hW!8%nOaBTeEG9oY~x5V$Vs5;riYrJ zX4Iyu(;`E;6%khYT+InhF_pwOp^)vtj)&|)R&lso2ANy0o2LuJ0 zD~(dfC@7os!?hf7VBdjve41k|m?dxnd;N9R0NJq#)mZSUNYDk2aS8lu%e5q%LZ7MY zyKjB9`+*O5hN6egI3Q%0q!#i~;IzrvMd6(osIauYC^Y1qwi%{x^XaSnm+j;cB?shS zRgS0hfNRMBJD23AimdnPBXO-oXrAZj>Dt6vm5e#4Q8MYxUk48DI#YscTTz+8ieefU z+nGPBTOjFs*nX7ItvIk_`u)uMk%JPbae^kcbT3;!a-L3@ci1{9ou7Scx5Vv9utlhp zq<|fjQq&$0@V-E&sFoOKXt0XuYw?oQwF|zIbHWF)cW$yHXaqJ2&t6q)v79 z5%C2&-4w^2TRiaZ1^PeQ@c&+*|ECuyl$x^@ZnDJ6V;~>H3~X4|fS9T6dCzfvF8}Br z{F%?$bz5ElwLCq5oD9`MmLsiL57#zGk3@m`lJ29u7o9&BDHkU~s~X@V9eCfYp2D&0 zs+E>VU6bqkCCBMtSU^axlMk9wQiD=?{-RVOR+SElyqi?RAM$zg1#y|Qz*A!Mw$zN? zw87;)R5Ukn& zIjwIQAndGb>I3ey_kR0tDQ8H=oxzTY5}R8~i>t7s%5D}b=c6qh8Zv^LeKUXD4FnpZ z{=k}GPxJE-TZ#}?oMTiYQE!_zm7+)%?8wo7Ab6HnZHn;1pH~XqyN3+AYwL?kO6a|P z<848FTWpzQ+R0)}M6JG3@Uk8;hP@V5z@RshYK))t-Yv>HF#xqV9K?b)ZH2Ntg=^AR_qMapk1Zn(3>@Q)JGSb~}hLXxpV-K5(B6uZ0(AKBI3 zICSdlmN$hIS)MT!wH={I(u8cjYEi&RrF`NZDb~UScGbZ9nbM2jO@i7kdEvry}dKj>93H;~>Q;Gg^MZApsY_{!2$sj5yxp>I+0q(5cjT38^ZV0jV<{ZDe{sB|%e z7NhOSNrE`kxwWWBT?Dgvq;qj z@@LrtPZ2^)!+D9NI-8MJl8mSQ4dDc5xvf&O;Vb!NnJ({Vju+)2;|vk2#TH*r`KA{F z#18ldaJDOcHc}U;XT*c`IJHd_(Yn)A3)N`nfzra+FO73&@#%fg~j5A$!Buq%uZy9{x`Tu*NeoBHpOwX{5TELFx zL?Bg&^1#(fgk#1%3-6*HOL)_b!#-LsS+onKfD zcAzn=(P_$SIaW6A%0Lc_pu%7`!FIr(cZ@sWihXO!Pt|<$`$CS&xfhnaOFig*|9;Gs z-x*Ueu{;3WZeLvO5y9=AA*9u=!oHEXb|N$n6MDJ>zE-6c3RTVMEm(Nr_$9oJ=EmG> z*-ytDx>H*Aa1{H#lPMB3KBX%@PSCA7Ai*CYBYJ{?V!| zwsFUbVK~X__YCfH61{)RK59K}f4v-uj{fra-wySEd`kV>q5j*U{@bDc+oAqn>`;G? 
zw#V~#BCb$S89KHiXD31xUV#;v%NA3o7_h_L>&n6kbdye*Ydntb^?ki#-;NmB#L$jy z26CIR_y={FVa@>|IC{CC`_H9`1ax9s&syE+TlAOo=k+wd9;*SbG5}z^gzov1h6v0Q zYX(#`D)Xpr&J$M&@h<73$EpvOwI0M@tK0eNmQiBlZlLM;_+KpIq3?lgTczNepi$7D z{8iA?^@@c$D*L^QF~9gr=m4pLRFq!TA!FZoppdHxMbyZd*yjB|?7eqXQ}4DmiWLHxh9~O z_*XyB5e)ZMA`YMc=l{vGWdMg7k^V!kuYW&uQ|MteFn&dC3i`z&^ii0t0%p|B`vJM| z5z4>k!P-E}=(9+4^WjeLqHQp6Qd|K0OQrrl_WBMtpud&yEf@j(B--e`zo?B&nZN$~ zS74~(dEmA&a0#UrdME(Id`l0u=*u4qt*cM|g6~dNPiSqLvDP*dsB}B`BoLD2Ul!2H zI=kQ(okNeGSg)pXdWVFPnb9L>rya~pslpk~+n;3Y!wX!UgBq9?rJRcpK4tuoDpAV1 zfEz_tXnv%*dBz*!alLGJqU*2e_h|pC{~siQ|31U_Pse&voA^#2LdG$Y@<`@Uoh^k346S7t7Gq3=8J>%B9Qna=P&!-np8SAk#qc!gUal>>HV(7^)}V% zS}s|$Rqpi#gPpAv5|Fz$k!DWaSc@b1l8)HirI_~(MtLUB$F2pGz;vtM&VaXbHRhlq zr6<1~Zn7yeWVC^O?u8Wk9YPcC2jLm2q4K)$!e6~kx|07hFjdm|Vm@PyXez~R^;-xQDvUz%3 zYi@O@LCoHtT>$&Yv>oRo3I(Xp5^<=z6laT@S=6sl-i2>v&QOE;?PCNN^?JD9!*Nwq zNn9VhsEd-{A#@JI$V{WCl~`End+1wk5CMk$U*u}P^mqQ3RMP(V?*)S7AB&OvY#+x>9C1ZH4O_v8tnnj4<qIFaA1Xj^ z#l!edwWU7yP3*EuKp=Exb;o&2Ubf_oeeR+A-9BQO@4^CuN!ROYXO0D!C>HRU^#l*h zc@6ubl4IHbr+L@2gpF7iZ?`6q75pfP)|!_2t#MdRj<8SL;?yr;KCfTGd~?4RXQmj4 zEvntbGU!qhzLM! 
zK5uib6Y|3In05yvO~rCIoOCGHBet^z$KGAFvUz#pOtWrsS9IFCML-AmLX7IZQmYDt z2y9TdAT3Jina|;2wg~O$YRf7_G3ddHp0tpI9YRDVz9)X9>h_Gb7-en?TSw%xnG@1A z=qm8cGtZZQ*)cHYcs~fh*Qf3N9<4hp?(>x;ROKPh z%YdUFOlNkP;&cbM*a!IYE^vG5IJQPl462~H%N&$u$WhZqbZHr>9ubNbf(O8MW0fm) z#w0N^4>k`LXv2Jsux-uFth!h3=L;2D0sWmkjeX9F?WB1Yp9(OuGb?{1r$T2=)6@DV zPhkz~V)$y|Gool|Ok}!*uy+XD%kqg3>(1lWYm^bGk?RA*9c_LJPe|`g`AqJ^bh<1v zI_t*IKFrZ60~iG@FU_F)5j6n!vlk6x(jB0mIpny}wcueTBYb?f<9DHXvEc4=b+p0{ z0G&@i0-*C@MgZUI!RzN)!Gt?u9+sIKGD2qcLW{yd-SSOz;CnyXwXnc_!aSgs@Rf?0 zMLMgy>uK8>1NPRKnSHJ5{VAM436i~G9uLE=AElvL-T>J+hWy28W-h5MN zfo8dlJ|s>$0ga*iA)L=Z&*_=Mog20P_e8HiB6u`IYUM^Lgmvt}Po6GV@>cq<(VPE( zqc+^2EAq8lzs9K`m|FC=Zb7ann)L)gk7H6-0y44#Y*jcRrkZx21aHGTn- zyg`&#rNS&bD#m{RC%2v$URioXz`4G7>*$Te)-m_TEd7u7eKR)1%2yymO%kv)ni5rI zqC*f_r`NeI6*O}4hde@2NTf{jH?&I*{W){|- zP`;{YW@Y(Ww7xWDOz^d@gydE0pKhy=l6` zQ8Nji$Nwm{PBNiF0BC#Aqq(Dx;cD}pRQi`u-wDE}5v7&(y2)U-DufK@yIWuN$8bqG zzUDojG%Cv|%4OvoPh!$H7+-`@YWk^xk=8^FsB7|I2MXJszKin_?>k<2%t=E#gQi(; zu`6n-woVo6Ns=@!PA?eDzyHAh^HvY#AkhgbfmCZuE{OOTaF{OeQeJ-QP(vZ{!*si zJZ_z~SYemNn9Ij+%m>VkLdmeE^mFvk_>6h*4*bn`W+PVemz;eJ+@>tg&QmLUb$F`; z@(t*Gj08Fyv~ZrL9ou)_Syfd6H{|1#izdEkHZz*g7>@C#KScaU1JktH5)u-)eQB2~m5qgX3;m2mE+XRrJsnH-vJKydAq9d6T8A%WEZEx?iravk}WiyaeW=es2HQVX1D&x zamlXBVZywRE9`QsyZxNJGH}N4SC{{jU43C1@{^Lx$SZhcq{LWkfD9>KY8fTGRvthfQ zLpXuzB52SMQ7YELe`B5+mpW`_-Xa}gTZCh#u?BM7{^%k0L#()APQrV2EKd(sQsHqg=X(>l?9e<%@6+HcN~vBguO$F@8P$ zOyM5_F5C&AcVJHY0AxZ4=y*6?C9yn^R6E(mNcvm$s_v2+d=gU;twAd7yxw5zdqObG z)TC-Uv7Ax>Afo-YZq6R@^;Mb!?oImCZcE?gp3UwWVks#GWIVB7R<{Smi;TEZg#Tjp zxMwMOqNUuZchD<0QovivB4u2dDmPKMo7rvL>Dlqj<^=szNa}~nWtKXamM>yghpOOa zb~4e&)(YP{=537}A$xGl-3MKr5F;DJBs*}Qz@Bic(H2*Bp z2MXW3;bvwmf(}$5Yzm9AH!}(sgK!7Ikd-38;mf@mkC@8HbM7=d#cMY zC{UQ1CX3Q3b>8Sy%yXrlBI&kpyCvoN*wR^Z3Rta%^th?M@$sGna-D0#V<}I&%j;~p zk4(Pt{fK(ZfxZpn!_6n&0wRd1p~=Vd%3gwEtDbZ`ITu!keyJm5AZGb0msZ0^uajl2#D>5dz#NAw?!yaS7gh zFKT7e_Khd+^j7Rzq2ot`iTTjMwp+q&1FPt+8ip1?gBG4b%ZWC2RQA$C?hs>zQ9iMj|gN3eZ zNBrbj&>jZp7f@1zOr0KsGv@1h!W;44S2?|mjb&)=BRpFv=>9@mTeD@t`fAd8c`_#D 
zA)>y&66wNAnIvjYQp+$$SXVeHX>(MR%IaG_*R&)fcB+y0m9{ zpvdUEosgQONBbS#iq4w>+>@npm%m)qX;x6mTP{QmN@2&c?>vi39V!^?BP)^-uB;G% zg$HXs11?nyD^(Hh_o2hPhrfih4?Qxqocjn6D45zB&`l#B;o02Ndm$M>_X|#}Jz4FN{8192!L8WgRDxVI3vjZ90 zm>edluF{KB<&xaDZ2au39YV+C$<-}@2T{7#U~HmL;OH#&+F@T=Bkqr|#jmST>8{kO z>XPJfkTL5lTb_=4QCKz%1MUvqi^yDcRRotRW{mXj(7bmy>{fpCS6MV4NPlc$Y4HV0& zzl*EH6tL^wOw?c-s&)RZ)BS=|7ClG8z2jrm^Sl$CF z`6GEd?=_A@ei{v4FSz~(E9W$Fj`Nx;gdD6lB`=kYq08rSUA{PBDYCHPvdgx#oHK?s z5(k#gM{%g_Jt(q-9q@-Kat}PCu!qq%U zS>c%F9k{*!I<9KNrU{xCU_(0{oZW$)N2$=3($KDhr^~8(AB39?b|$1AM3p%P+@i%J zkqdPV8fSkzPuBwqd!;8>=L04jQmR~+U8cXp2%=ihd?5I^9M#8yMjZ6AoC6I;#8CON zH_Cb1dtRRzJ@C}z1GfV#KpI;>iaQ>ol~@IS>JKcR;J98Lp7u@IicTrI{`W6lG||3I zvr&kYWNyPzS_1C7D2olHNmgWEwZ$R_>ncOm>s&(nNG8wp9wBZTyX!HIR^l3#w>xS? zZlSOf&;xTM2DKPwS#7c>E2>(={44K*RTxm$d<4++p!n&#LMt+umWzH_ksn|{8*iy1 z#V$GwcKbf}csKq}%-FOw(H|0yJyoT%0W<;U!$ejer?-w_J5VcSM4H$LSJzcr2C0V! zd5r-oa)W>yHoYaE*f#plzDLtOU;mtJSB8FD@HU0Q!k}{ev zFy?;IYXbzB5i+>w_Jitl8&fYDB3_l~^Ln{ZF?KL(okevYDp7Q_IA5MhZrNBs_$*aN z6HS=aqXxW&7)TErHa4um9WFP3`Q&~*T7=7xyL_DE{DT=gcA7>fg@t<>z26Ip&jH3S zuQMKOHg>3a504DAxk>)PHp#!qNk>T)*7eaY|F|&r_zTPYGYj6dH56R+eN}B;LhWIg zI5AP^^)gm97ME7WDo~McP4LBTyDHwWGt(qM@^qaks>x33& z^AVEh<*06Yc_23@r+aO4WHBy;S}B#)q}e7OFJ_vEew@C%iF>OS(zXDK$; z(m4Hv4f0gQW2+yfws7^bgyp`G$=&=MAbEWhn-US?vlcsc&;GxQoWGqbj%o{Xg=}c%lsMckE+0E4T=1- zM$F(lbkjvFt)y|}B!T2r$j8AM6XM&xeBu76jPZZKPu05?%`>|Ts%TEtK9`zE6{Gy* z*&M#%KhJkExJJTOIpe(%rr#9(eUvi>I`$MyIQH)Dnx6YB76YWK{JBq?N_IiThq^fvI8TD>-i$Wx(a{ z$$X!*qSs@EMb2&ex-Ld=qi-gPPyfknM7T!sU$%9#o-lD&8nI>WNF?-d* zqVXW34{3Y!Cet9SYf>e=?W(?2u@6N9|az=a-OhW0Rf->UFsGlt*s9q*6lc{h6g80!mupi|tVR3P?9wY;+Qu)eh4xx6^Y=TBb0 zaiqloN-SAmPR8Mdyh@u?Eyb=^-u{SX2j{&vOWae_;vSa18=vs^LBWIM{=MS8V=dVO zCP&Gyrc^RCIKKf zQMb>7PbT=a0XEH6|Lr zNtMjCe+z5wW+b_{ucWO{b!mDMh=B!`Ksv>zBh;M&q*L%E4ylOrJM3if&y&{z=|9;a z*}rpLcPEloYP-_brn^*E%ZXl%S#Le=&_l|m0H37K0`A-8cX(OxH)RXbiQnR7<>f!f zUyWC$(!0lVnq51q0ntA>i^hNfY%$Ymm4eSluy=0|V+UjYd3X;*jAKGd!8@DB2UMyw zt9R~RDU`?R#f=5Y6`#xugSXW2tn*&}+IaFe@7_j&bpzG5!5~9JKH&xT;%MISM_)-O 
z59u8*aY&eoL#IWYf5-&IsRngp@9^>^jnfZhoQsQ^>XoU0FVNMnh;QTHiv~h>@PV#j zMJ%+$ypv2}0cT;9PG{fr!aQaxqmr2*k(K#)(BNtOQJHvz?KaT2nJSD;Cha`0)MK_9 z4HBw-WVUZar0X;;dJ-rc#wn2%q2k}_au|!e+bg67+64rVrgdk>2KhY8dXhHczf(}_ zRTbLr&;qvI)xI&|C^7c6FU$-tiSjhJi&i$JwE330<{L^0?gN{*BLk|DqmptR6Y?9v z!3-owNTkxxd&-*lc9{riGWz=MtkHcTCt+%yF*A!z9A4p8nr&73zsR@s{TO@VU94}~1eOKG7+*kD3Z1t9CUrkiP%DtwC(r=pf zWD_6vZUW3$AYk;eJ0I+tv%;$GxJqvdW2;T%pGNb;rpcaFR{2%8^Dg2XV!qh+$4tdS z55p|Lk>E#=m$AeBEhG!;ubiImd!BK{SH*)%V!n$X`dWC8PO2-E8VR^Zur#fHGYq$yx=`cap)L$Z;I2mzQ0eLhLpFe)}(^z@GH4|Io*&q(5< z-xg+%iL=Cvj#%z`SqFYN{AsITo?~3FrLyAC=&*LS?>)#%chT99=|E|1=crNo7Q>oG zgqQ;~NWBjXNbeud`B)hDmVaEjnsmn`zw|MA3@1D7Kn+yLL+|V?D!jv0QBJR z6$;@cYj@zJ;W0|63tnq%L1~dA*@2FQPvfi9sx$-I8=}qMtoW14QjF>z zq|)9vM;lJxD^CQ>mGU;Qk7D%W8~t)*dm1Rv@3vAxQ$Jz4YGcTSK4D>*z`cTOaf55U>!;z+0d_Dmq?dh~E_HOzbiUoNtN`P-5nfD(z!m zqD4n!BY}#o6Z+$vP@>Pi+;alc0$C>XX_^kvt!AQsfh9l&!mi7x-jA0N zK4&uC^*ykBT`$Glz^Q@<2NNYb`m6@M z0mN#14@Q5rp6N(01y4-seiNfnl2f{`A}*6rL+V9_7N>F?4~wl ztcQ7JPnW-TZ%3}QU=?v)YAd+vjW>Za-QuJYRzLa5Bbj)v7#T-hj))qr|UImEJ z59AY>l^LVpzb;#+uA)Zk3*sb`6Dmq8!SF9h-(RdlM{f0RMT$DBxw z#(REkcXXiI`5}C?u6XA=Hell6$y1(Cz{D%cV%k%IKJ<<$*$oOzB5w&<;L!vIa-5$$ zFE7lU9oO2yy6Ktc=JXf z8SpK}m@^p_ll}D*Jcyw-jVWETs@kY#tPBmNNKvV+0uBp`@G6VJ%|&4Egv`+fx#0o; zr?40NCr?9PK?RVV*$7+e^aU7wm^--w*661=AFP{^-RSn%-}-IRt<5*-?~OSxm)-$X zG=B1o|IP0|VfBJ@B;j)ZNpw51GBCP?u8$4_9lcyyMs8LFOxX`LT)pjnm(()Fiox3q~IMJzD z(yV*BZ>wd*1UMV)_UZs|3$2o@S~8v{tS211+1JRr8!Dv^CZxP^wb7N1cKm??_GW{D zd!-VvH?7D`Gk4@w_BgD>vzE)EdpAI)>VIO&G24Ct8?H!m4l%S;V6m?!zb&hi1+OPO z(#_?r=rr{_=u@p>iLFA&eu~zt5tgqjye)>omoTJ!&MoPpC9 zfJIY8c29SaTSj~~P!k!ySrQXdwh|*nTDyS(Tjd@4ae0<2 zTrpR?`lfYu}#X3zwz#=e`3nIPk-|K`c0m zRY3%>Gfh>CHoGJCUlUWnvcL|(_CGM?j2iS`jy2TX88Mc>gQZd?=i%gu8gx^7 zduX1Bk1bk1rV{m8yOG_^NRLQDZ4gE*Q#|ZA)fKjj9Q!sL%o42?LHUOm()-(BT?nW` zhn{5uthCn&%lT7$Bkhyj_0yF%OUsJ^9e2u?*|p!SNWy;%&bivZjT(j9Ia!1qY+MAa-%HMy2$KmTJwaJgd7gqDoO|nrDi|>m56$`20Z*_t% zzd!kcK%D8`FmmrR>4y1N{^WVPzWcXfMO5I|=FKTEy$NjIyc9F`Ttn!4e(pVVAft#( 
zmU^sNL_p|N=TzhXpr2q_-Rkzb)Bvn?-<^nUt0Kx&G$_$r||pIBj8~ ziK+?cLK|f2<{nc z;M=?Py;*lsJTuzx`LG4FkH2-HPT<@BJz+EFAGWXLjeqUmU*PM%BT^?!MD&VYWOe|7!=)NbsTvO_tsAU9iy z{uG2lTSXCfWau*kRXjadmQPG?SpG*0==@u(O?r#2JIX%xljptKPo8s0M7CdLq4;0e zOQtCk`(jOiD%h3Zko5+@UN-lyODQ#OIoJ9S>s~mB@TonAT&Of!9W+DP}!hXLgdU%kb~JJZ%%+ z6l2z{W}dKydEK?Gn1-~BdUR=1lq=qFJR+wtYUc6$8vElzjjMZRdBojnWBk_8QJCW5 zA!Hb&&-3LlNX5y1S863{+E?MjGnHtSs5fz@&XIBM2O#Pb1Kfkm5`(1crL?st*FPFK z91P!MyY29e9l1Yw%7(U90^QcvoV!}xNl=B2T>bGRvw}XLJI-!((LndDgImq?a@?W5 zL##`vY6Q?qw(P%z^si4p*!i)XRuJn8NVo?t(gv=-%8MD}J*JR4lNz78YFRl=#3Ehm zN1T1!1_rka2ZZHlJr$2%)RLR#@G^YqX)!VRQ4MX`o$vw^G<9c+(n&d2p3@h_N4-WJ zata~LP1>pjeIslU{W$!wK{7`zM~uu0f%@FEz;~v+qUQrWn_f@-0Ggu}k@0 z>wQbZTWjF!*n5>3O2e6bty_zJ2f_-SxH3h;$@W7&i4Eb)k!#Y~$5#aI2;_T=$dcG% z<3g3R#4;ZTA4bunfrIMpI6uXu@PS74o#J-MHB4UGh6PO^453pcb8TzI9$iw)>N{l^ zlsIcPxi%5h=8LLgfsie%rj66Uz}x$wAs`x)_p2>S>%i-eHtI*Fr;2+Wou3vd6Ia-` zb_TUh^o3zR;!KyjvvYe2&t2e<;Y-AVnYe)4OxSqL0HP_8aFRyt>BuO}w1C=4^Ts1C zi;D-XJ-B%O>W=y4=V(d17X5ndrTI3G-SIxyTKisw0{cDXx$hER71gZJ_73-ZHQb~p zHCQ~_l9&mV9Ffo~m{?gdv8|AXa+TgohVd52wP^1~wMq?CHs^ z^$M)i~2xa_?YxEceu ziOGE6*d8i+G*>3sVucMp4k$jnSlR~&-0bc6rN9RqsuhKzIj772O@U7q3@Gp+xQ!w| zdDfE2)r(5(hzmBrt6@yk0F)iwd|Xis%XVE0n1tQC3^Z!~HQX-+=m6?~Cto^Z80P`9 zg-nvly4J5D*QWkM%gYK+LYKu(W!)E@Ttvcp2;FMh9i@#A6+@53e8;U+hz zL#IumbtJc=UiZ+q%)aK0CEvG+e5~vH<<&I96RF;dDA`%EP}aECJqb0v?xivVorkq@ znwLeLFg!)%@V%FL;)8yOadB( z_|v;VsV?_W>j5`eVn2DBJCN78l{V-(ne{CU)VJ~2ux;=Y$W56otT#~xh5q_R${X3M zTIL4JFoCSv0*oZnvh%>lzm0)g?I$%x2|$?5ymgjU{tE`qGkWlc(!)ix_@^&)HZnTKQGUUWsQ|5gCcEx+;b5QT-!4ecB?(utuEWf`%X=*iV^y{Z_9F zzh9)%;V>G1R8 z@y8!)hI5uUa<7;{ETILdL(0%d6SZVQit~sZU9h}5qxh}0QS&u|^*3_n?pA?U<(E?F z;p?1qYdN{n!s;!5eK>qbYdLY4`MO9oGCyx_dP0_He@bwbRcUR<={}`N2oiVS`l7@`L0Um-uJ^OZ4s)yb&7kb+WD-9$Q=--&zO?XfG&^> zjF%(V0)=(E+ZwaHXK%Me9JtbQ@akq!`t!;AWTl!s4jp8fgMAe*aWl>Uuz*`Rdi4ArG^y+02_p9~yIeO;ZD2u&)vdH8W`+bF6>Zo7xS_k>kXv|B(8Kl5h?-9Ws z&nl%ONK^BoKKPyd>A+|wg|A{(9}@TJ@dmYDXmnS>iWAbzDx53g{Hjj1immmYRhMC% 
z0Droj`e~6W=Tx{6D8|h%noK{*`MAUuWZhSwGLk0pr~-zx{rMc?vqcyC^d-Kq)Dlo) z5JUH*&N0oy7oJ^orZhpw4_nP>q#DEv$wR$m-vTb>GINAhx*_H!)AOee6k9a!bl3>< zOBh()?iLv-x-PXRK!P4Zr1BFF<8S(W0Fyz&yF+|;C$9>uO}){V(<#7TCpjrpebn_^ z2?R5=m|+=g8K(6+r{s+=dA9E8Po5*zFshFlMk~+N*X9)8RGylAP|)C0vu95(m8p+b zyqkJ7;aaIYwA_uYDtsH6VPlxn${;{(VN>~?^CLolS#BE_*oSPj?D^1#KR$A3fK!yk zjDe_<`ow1IHjQPzu3yMo9mLbb&r41)1vZ_w+mQj1xK6 z!p)P1mLJrd8E(I*VVX3IYSg~SOaLnW;ag$#;KQ?@k%Nu34Ymk@t7ktK2}R}~tpDQ8 zZ+x}m_yMd+FH>_=w*f2^U_mR4LMg)11z#iYw9gOf7t>PJc2EUCHuvM&ySD}7n0M_i zH)^il&v-hS5?O}x$(XF1>K?%_rBUq*-{$7Lzf6qW249gm+c@L0O zTYll@L>}$*YO`0?^!I*t$UVNa?Vtlx&C%f7o$E)QUG5N!p8)t9{J)|F@TTKL0mxX# zF_=bJs3e%G(^(qpA&6HHZDxeVf8STcQ**fC&ea;}8Cy&ocRJ%YkF>+%(H%p$7^7?f}627a-+O{P(y-S{!9$CyYqX(jF`L5E)PDIBKvQ&`kTbfQchr>v{*_WWYtpA)y}ShFfJyn~u+^=GB}OO0^eCsB5Xz zdUt#K%IxsajWdb@|*`C)REHvzsTuq@vS1A_QgX-?cYZ8?8rHtW+l)B;bUSODg0hB0?cbm zjdjL7@r#9C+4?e0;`{5XZcC>%xL1Q;q|yzX7d^*vbgCWirM@*CDjj`;AP9BpBK$0l_2`?D#a}ZO>Y%m zXkTAj%r&auj6g;TgSaXIf+X#o$XwDD(o!j_wKYYCprx@nRjqThCdqN;ipU0fSY#Xfu3gxr*J zfNe>2;tfMv&e5hc?&s=U2)`4*G!C45;1amrF0Al(1Ol#W(N#%t+S1<=Np^btYRvHH z;qQ=lJjvFxm8l8zYb!5>3}_jZEFY@OoWd`Y37$y$d8l^XDEcWZqClEXGi!$~k$Qb586I zr9~FFPt#7)ZmrRy!+D)J0Pun_y(XlBwGYu<^WTBEC*$;{)#&qTcRwQwrp)^HOc~#M zFZ@p8QXlbQlilYd&C;@a&lznz{8W%!oz581>S#QFnZH(K@dH-aL~<={IN7_Byp`jv zjR#DOUcz|yA^Z%_Km2SHDbG1BR5PoQOl#nL#tTvQDdK%NX$67l6d=EN?z;vpspDiY zme1=>zF-f(om8W+2yD|z)8;Nzliw<;n@CG6DEbJbKt+LWAmh^^l@K81aF*u}s$Cqw zeLvAmN$)SbzDpc5b?Sw;KGagnZoZc~9UX8ZS4TLr01)le1i#Kl%caRi5?y0yL!4eGVV(AZ~`Lfy_Rgf0J*MKo44Y};-V+< zFmmF4@7iRa!Ww0-6Wsqvxj_`}@L9RC1OBNjQw2AcDl!oc0H9)FG9-n5*j(!NX>;!y z(V<4rPo7~m@d9^08)ZC26hc2R@M%2Elrk-X?p+`k#E+$D?J(?O>$_#&eAIO%=mxFX zv9kqY7+TYGxdU=LO1{!{UuH6SYlK?6T$Zn(wz;nE3^^j{dJ`Q^IV(e84zmf6VkU;= z+3+_Wc{~qEVJlJ2F`3%j^d@S(dlEo{obl9zs8U1*H z#7E{5J_!;$b}cj*|Gk<_iQw@1!?HfG&Kvp25t! 
z6;a=^JN^?)^lJI%swBtL$EM_cE`t^C3l7)Vy@JFzflH*KQAe4Gamvf}R?5EFN&`~x zy4>R*0Y?=lN(paj>a7j4 zjUHCz)vT-LY%NYU-XV9vMw)>6D#YDgLM-WqFNvBJ$R>{6csz1=(87G%zCB;nCnu7> z^`L=StB5UhSbzgi-htA80HK?AwJm_R;q$u#vQdW?RL9rQG z-Av-!koY5a^{>0}d=r#KV5}foctn7X$|msl;vMWVqm<0L)-BVnD(8ioJ~khV8*F)N zIgNPrRNKWP5@XC%U@0)|>d<_i7y%{)0D?gXFFEz4(+ABhTC)f0rnNneP&VV9wd8zp z5D|9^ul00ij`a+sqz!jbeabd0Vazp?+=tfsrxC@KI_Sci zDb)`big0pjl%~6v8|Sx-#yXzKb48iFbt6Z+ho?$9KiL*Vn`^HH9aNlHa>F#1H0TSg zJD&32fZ0kslM*fKnCTJ<>cmJG$u>-hJZqTR zw>Gbgy~EIFwU!YNB;9HKk^Lcjb9HS;9DO+k&X#hRYAO%BZOrM>dX4t2CZ_pPo`H_| zOjPTwr#;k@{6?65eA%fVy=Tp^JLVl@5fCMy!BFxVsU#PdDa~n|`jDC1Q~$FZO@AM6 z2Ay0de!j8jrfA5Gt54r~@|Y6Et;HoJuJh&VDL@gYIOrNS*H`C~`geOvWs~;?tXFsD zp(AKgBB`>D-}^_V;mM}MJh|cLj~;lsFYu^oP{qca%%^7nJKO(Lclr1F%YXGJ^eqv` z+W>Swn^6QaJ6#-Bm7xb*OJbZhAAOPW?O+}}!rhj>zGZuIuk<7JZJ`IcuCn(`nl_-z zmKQ0s<*~wAzG`$`x|9a0kTEOGGJ+0$_pXu{IDD&Sh9pv0FqX`8J~ms~T%jcmGgs?f z;QE(LeEAqEd+2H0hpy*=b2b}JE{PcJ6zS=X0nGSBfEcqZ3wGp|(X9%wZBG(zU?`G! zedCxMy?G#deXBjX_+0U4d)rqn?t9h?fjVM;(kM6xrG$jmU$?D3C7<&5xY= zn4BYVstjWc4`88mW%rEHm7iGkih9m`@~NC%#wMY^(_;q3CIr~$(9eZmI)D=j7E(%C z5?KDHF(WPD;pV1$yY6PLkIVx@&cSW3G7Ss ziFzTw!WU)vsNqjkZpW?yjN86z!ETQqhze=Gl$Hh8YRRo)#!Ty?)SAHJrNrIP4xa-_ z02Fovs`H<|9@XA+>h{c(R2@{|YQs&;fcTE^)+d_=Ub~0JE9RZL+M9ifp@A$+HfAU4 zj0O7v)9wQ@o$}DYL#XwO5!Y-;sr6)_+IAhk9HWt{%2lPHpFBLCkf(kqtlc|ja>IH8 zJ5O_PKK|y(rsHDzr@wXY3jN`cx(L0!MjlTn*z^YP`cBAOZ^0PCyIkp&B_(q!{c=(b zBl2DNy<<_3dX1@8^EpwM{T@C~KI1=L?y*mKD0iV|ZFl*(#Ij5aX0R@yYx#ruV&Q{0 zGV;wMkZYEiRQ73X&uT(pPP0`2f_5{Pd7e-uhOT{>{`k4{GgGyfQ!n*-vb}kpABH-L ze4YNXEWjm8?ZO+4D@a}I2Kn2&0lFxMyLRK!&$pZ9W?a${Qj>Wg_v(%gue7!j>ms*} za)>QQ-=_|I^Vp97flQlO!r?Eh`xndlzkG>}WSXAZ^CH*wS*oB!)V)riTNW(V&jlt+ z_k&IcDDc}Tb%AV!iqNh&)xq)SHh-IjDr@&?8|l_O?5}A$R+zDszWvfLq z=l7yM=dOL3so;3DvcL%&m@wC_8URoC33Tec@FmJ6Calmz@AmSf;golNLXM4F?z&~e zkmBd6O(T_TbiGD|hDD@3B-!2n?%kMz)0Ae(r(7bjr}?LdCX{Q`tm}-xz_DaS0aEJ- zT=xCEE4Hn8X52_ZCanq~=)Jju)!_c{xg)3%3%B6zGkBFv3^^lYTF8Vm3g>riIpX? 
z!pbd=D4#cD4fY2pY}@S4ji(F~z7;8J+*fQq^^e}?()dt-8s z?#Fb97gk9yZ-B5DAyR^x8ZwqAO!2wKbLoTl3yBv^!uIh`^$u%4c-L`<5Dr+%p=2S{ zF?gyZ&GPXwJ~-hmLv^vX57xh)WGmc%#KJuJM7Atnu%s+k-HuaJf;b36n)a|!NU>Hi z1b3JbnC^G>40UV1bGFgwdlf&|T}vd#CpXUERO50KdzRe0N~3me@om#|!Y=9=ezh4I zT6t65TTnWEi^jj^Cb-H}v=Q$rGb|;j5@9*B5MHRWQ?WLDbez0b>%4fE7aC+y?3_O5 zC#>E5h`YYGY4dG^=dmW|UCY(^$v}-Vm$M&vjHZGQsWKmvHIlye;xg`IXPd-1!Huu4 zJgEf>dT|HUvkT`|#eTt&V)%|ug>q!3t%O`OCPE^mdWze2FRgFdnwMoH)Fk_QinO^d zrGR7|#khPGA`ErFhN)o$kp2bJ>(XH?J#e7%H*Iqq=@7PZa@dwwLRlC~I%aYA)Xw7g zP1>G~Piu$a?HKKIabeXjEvwRZseE=Nx%v7{cZ*&qnPD1VB@g+0t`^C}ww{Zf?!h8> zJ7ul2-SX|qOOrIi{bO#0IXyqA5%csz6!)Pim9L8-9Bn`P96h^~;fD2tUFcL6t`?dy zFKKACfobR|osU|0BXOE(=zrq`S464D*60WLTj-DjMShS5E6ihseT_-GQ?lxI_4ef} z7m}*0jy}OoXw*p@891=_@lB;Dc&m3fG;$SFQjkm&f zT1}j|vu15TsZ?nSc@+|Wt@fmmN9(AIst>Xh*%v@s@2QA)3FJQ|3-yJURZJRL%^7~< zs+$gqI(_5J!L3zpqiS_8l&>XQeKwCBwEh$;_}+=vW-fY!12ax-)&I+P-rx0Wd9Lx2 zO3GbucRZ*AIaS9LBC5Q(RTjR0HzzDOZlR8iYWT%UcCT!^x^fO8>$UIx0J>xrx|c$> zJeYsaGCJ zow-BCjFB&4wSWS)l$RjcsQbE3MjfC2sXdzj4n)f=Ym6)C2+j!DN^8`Ib-Z7Tb{S~w za$JPCGFDhQ!ww;jZIKr$tQ8hNT^rPDEIoL+)hZ%mo)nP10`H(va+;883|Hc#(0sUl z+djxiVSoRVsg-2y>Pof-bIX3Su@mtp;!jO2*+iaD{q|vasH~icXsb(#dyI zhcD~y=d%1w&w(Hl7|1K0`o=XL3P;nA1CWu?*Slzk9={g0k_EywVq0Z7=byuxkX@5wPlf%1Tx^N@8@PnbJvJ4pE+rher#3~GY@ z59tNDn7Yt)@?LbaVgeGhc_;@lq-U(BjE9^ZHs83E$2g-fCft_H+z(Qtg$y+g8M<5= zK;vZ`^JR5MGegmo{6O?P=n`?Hb(qWq19bJzEzmGaMt1ndZ(OG^8^Ddlrt@>QteI-p z{{J^w|J@fOI|U_?IYtYMoLW`<`d)1MuRpMt2FdbBUYg=3nkRPcz$g^Nge5@R>j$pr zk8xuVCU+g+0O!qXfOF{fauQ;MMG;3+4d zl7H>>@t6NU(FB6M&;rgL&PfaL_W90*CoB7BRhzZsTFxFjI{e@aSCqPV@$~ED@QML7 zi<=wn-#dQHDedX+783p6sIdK`YWDx?d#J0NkC-Jd+kHUzJRHwHl7u(STWX@8`^FWQ zM#Zp^U`xy>_pYbFd>bK)AOiXUe+sgp2ECvH1*`oipj*JWgBZV9%m3k@4Qow+%^?Ez z8u=AC>s4;!JR2Ykpf{q&pCCc_^PR6T*qKgqBOQ#RQ>+9wFQ?%PbouopZj1q*RPyY| z6g#}amlLOFV-5}3w}KM~1Ht6hIC`Fd;Baj1Fl`%ae}G*7RM;D22Wr6#+6w_7#xF+C)J@NIi5P3wteH0IxoxG zx%4{l51%UsYrj0*DuP?FVbIOmpxceg35&*26GEedf(};tH3Rpe9^Fs!al4`7giYe8 
zfw(1vp*PCA?QE9wTfgo);%J*nUwMX$v!u`QIvG8=`YJ#nm=oQ$6X(IYO^YZ$$mFfsgwESQly?JLdK6W!DSPGeNRY8wWw+~OX+op_u-fjJLM(BwL`?Jj@Lh!>o31i<6ewITXho+s zR6Gqgs2;>QW_^ZfA}_JCs%%DJkpk%5RRYuk6Nt-!0Ih)DPt91}8_hdUnU+XK1lN#0 z7y5dQsr0kt*%?|AG|0$S3~l!kotJw?fKR&$yh*|dQhwF+gpiWNo~)Rf4hfM>PgN6k zS2@cJRA_n|%>_E8^v+YfbHs=u3n?qM)mR)!Gc{lLW)=|ik`6|XNE)FH(Yx1BZuG*T z^9WT(;i^H>iPW`RAN;;5QS?Y?l>uV3ZTDE++xG_EekDh(J_|m5Wp#tJq4j8uw*E?i zo1;!gS;sr9vKPVgHR$Hs02PtD<88uY?dPzp$ZtKHG~KyaAVCw&EPorv_15g>#ie_C z3;U*~GQ9vGuG*e8B%eY6(l`ho0^)}JWbX}wT`f zTuq82i8wM9-JIgh-{x02>iCcYDXCzjHv~X{mhL|8-W5T_#h<-NlgHb&b2C7vnyO9k z*Um}LhSaG88a~+#ath>cb)($4pf#Me*4)x2u3fRc*T)gOI7d&erG_B0ULLR zP>nj)_>lI%y9lC}&4WTf5@YCzu@&~*`NCLD_v6Xq5VXB4B7>q*C5q|-gt-Squ z9OL9#@(L5YsYf_&2VgEC8QAGIoRRU+#GvwY77=&oj<00yy>a#{c0T-gfBk zco5ibbd4T#ylfgxSEvCFKuu*8@&U6Z4o=PUHr@E;B#qe|mO3V%CcuhabL?2sOgfrY zZqm&A1Uj5a{%Qq$xd+Mj{Ed< zSMDuekCSIkjlSpI0?KuA9B8mcjsOB`b~Xd4(W52%$}iVXRNig>Kwkf2j4-lh-=jk! z4-abREguP6;# z-osMML7v1@hl<4B1$n!TT6XaX8zygy*GhJB)l=B2#@*Dy)nO|;=OTN@!rfG$t!@9a z_~P#T#jH8Bsf-`@m6FuPgFmXB_mrIvy`5rOs{yM`hK3{^c;!8e<_Z6}aK~$KH)PL%p7MKf zpLg$XByNcsHiRUe5*)T1Dz?~PbYa=SpvlQ=df8>My~}6bO-@dlB0OXhh$tJtu0mc2 z;5TS_XQNu@1VZMK*W5*P)H(e<%0{r7x6Xv0AcxN?3&8-jLhvSc1iyu5aOYNMFX$s3 zsbsnjV?j|#t&)I)5f@7PDOXS$iAD3w{ot5 zODUv?*pzZ+iH&=Vg!$o#kGaQ8?T<<=;?k88> zxhzwM)2Jx(t$I`U<7~}G75kewe2@@mF$bH?(kRE%g2vvYV502AF#ZC1u(R99*-*SVrdX`_*qbzVwmzW zwJHD=eHSNG)?3_K!iP`hpI0pIZ=2j`HL3JI(L>v$AI*oqg@1$>)G`4&3IgFsVYghk zuDKY+wLqSD`sXb};xT83xpZ#$ad}~lI<=s$8J4<*UCM!i%54fQhj&$HzOj=C-KKj< z!}8~^F78=I-Qkng`SL|3ZHt+GVRJd3-g-{Px(ycE26(W^yalAIdBe{a?WnE~#WL*= zyvWXfwA0gJbFe;TVs8PXH&p7u%X=Q4QLjt0({L^xQ*m*#0e7P%%>sdWzjXDFLhqLC z=rTMjd63M0gg`G#z|Q~b1KUP06B0s@QP_*oDcF*HJ^C?6Z!c(GGyt5LbR(3$7kFA- z%P-!vDb_wu&N&Q-G=4b`Ve`Z62$p-%AG^wOSuxFZ=%r(?roVBi@~>Gk!J)pHl zJ!dm`(mf1+5GGmxfrpIG1ap&-dbS&gOeD7IpkoF;|7C?B&A}m4rrY&(H*y2&spd6O zYYqpW!Ggyoc1l330!x3csR99!kKM`SN9{plGqYo~zYe_jWK^x`h z!Zxia38rri9u=H=j9d1|cFUoP(Mv@0a9<-WFi_|U*T#X?a(h(O}K?}L)ZBut-f*n9Gna=!g4xCxOJ4k-mFY! 
z31p(40>+Yb8oE;$?6VJMz+XYXyNnyVJpLP3=Vml7=Ug3gn+hl%dxVE@^jSlI6urbK z`Nnl-7XZIoX7pHUi4E9wZf870@dEoWU`&~Sn844f7$9|*!`Tn0&fi_6>?D4jD|+M` z*T)e0ZumE@v)fUiYGbV$WXvXLaLxlEH_pzkXoj0&IBa=OH=1f2zYg98cWUT2uG0t* z^Vwj^0&DMA*Kl<}FK>W=jU2-}FGAo1^RWO?@@wGVKQDwj1UrDAJ`9Lj!_~6OA)LM1 z`#ATAXwJqg#^qmMfHMF}*QPf@fr$}^d^v?>^GE>};F8|t>fb*sbfgL=kM2Bc1Qu3+ z^r*+19ipX>6k8}QF{`KP`7dwU5x0nGB5 zVk1o>hHR#xvmG3MnDFxzYHhaulEUtj+l;qO*nAP`kZT;Z3%PorwK5NhysfGCe`y`ipE0emHsEC@Kf&T< z;a@lS^^^Y==KR+T^Uj0J)_=krx9LJ`26*t_5AuuA{%*~& zC4ckOzXp&Ve*=(P{{|q-emxTO`&IX^SFav@;cw9A&&B(nu=3Bvd+yK0``1&@pO*JO z519Y+mbV-h3M-M0=E(WkE%WY$SzUL=%3Qo6d@i!=*vD}m!mRH1hq$Sw0>)_iXda(_A^Sm%K$yXeS4;>%`VF_bNLa4@WYZ4l(?2rk7$O8k`3veKw_P`U} ze2{>jhbnU7NQ7RmuZwF32`d7;U=tREyaEBR(lU_6i@;OBFork&lErfZ)qr|nPq=Xg zEz3AWGDzc{1Zg}dTmC`SS@$v;W%Z<~mo$Aj%{K7wI#gRI7M4tzxeFNb#c#Zt-%Xb#BH2$6rcHwabdt&w7de2ULIsp5wE-B=|k87 zGSZa!3_JZ|#W5JP(fY;}qNB)g&SRba%rX>Rd{m4%4uj>tnZ0pz({ZO4n_tu&V^%#l zk+kS#bi1S8NW)ih% zzN$USg9c}6tzD?KZElKX$wE~~?;Em)W6}*+k^VUhuhwCQH!ehh5c#U@nPh8)#4%x$ zox-6+{#_D-*K@9&ZX`>J&@fi3GPgQYEO+pAzsR>@9vfo9yzAzGxu`s6WN7{lDC!);bvSJ4tv$DT#a>g~;!vgiO9dly8a}ev zBt&d~PnF@Q=E&>mBrg=AxBL8(Km4gu$p-u8O%O9r>#f|DLR^nXJ<*O-q`NWNXx0tneN{ViG5mw%0hgq- zrZ@dA9Gz~d($vA1d2fVH^(*gAe=6X<<|n8^(#lP7Hks|Vc+j`7K4f88h>O7y)ezo} zlJ1~Cfl{9ESA@fOa@S&B;o>;z=PUc}$93Ul2xDc9ynIN5-W6*Y-;nc=cri^R;q6R7 zNVHd*no-pL=ZgKw`WX8bp9$m#R$Qt+Hj5+XY%9fxVOk-tS}#7)Io4ea**2Tx(1r#eR+IV9I(T;n#0%6;kRAEE@fxKhs42Rjp}F=1BFAGL z9|&>_tib6Y2z7B377UP>*Bp+&2Vdg#%3TUe)CxV!9!HcA?u6ynEJld+b`z!$nCL2h zEQ^<6B3c%WJoDOxNUm><6biD{BqX4VwBin(t$I3}E^J=-b1v;ee!g{+m_R%xFjJWDi8SyQWPqOT-gYGSwb@$6EBOFv6wR7cl?WJ& z+7eGz*Q{283dR%1gJ`-aG)t|5wly1d*ssZmQItKcVH`gaw<{$TJNBhY|0zs^Kd`xL z`w_EHW7YAE!jq)vXTIdOzR`;%2+u~8U@yxipMf=hS5{n}U_FT170~2)a8oPX|A1;9 z3;*8z8L21bOMB@xnY%eEnoE+z6_)afxL|{Vb>l!gIdP3NF@t`aofbypJq<`ET>p-r ze=ouN-*Lykj43;TXB^F9J!MOC>Zs@$?S>!&m^_HB=|aatW}tM)LqIxTkRAL8V1>h3 zmfn33zxh~zXXrzRUy_&3doMD1TLA!}udLW0L9}o4B*@JuVbNbuFgDQT$eo!YFDYSX z6@XukvEe;i2SByknkwudnuOsb)YyW=+~&{UxRRp3aor`eE3j_t68v~S5;z-I^t$yH 
zzYx|wJ&p^MU5BR6Ru4c}aaS=kZ2PwR5#TE6J2~6d%yh_rFE+x9|Bgg`H0|CW`ulG< zbN`6mof};zv4YzMo}>*uN8pf@R<48{Eihd={hw5}Un@NP%ipnp?4O+?0L#hkhQ!$KT z_Y5x0kmEJgT89+rFBQb(i&(YLNeyd&?pz4?^>g?ZBi z>H7ogeFZt-Zml~rKC6hz0P6Yq*uy(#2o}wtG3$v(C*I1K-Efb%D|;c#*dq`R#oWDY zcuN-!-xc{rwXd_u&20zwSg_QNCqLhix&MKS=Z57m-Wog?i4lW5D{!BsCh+6{OxxS6 zOTM8qjyY)Aawz+-<89dKdtJQ zC5?HoyC+W``1qko>t-1U`tmrfpU=s0@zF4fOvubBQ~@mk3-wg`&y?^KY`va6>?*w} z)A_SePcrBlb4TP|H6^F*EVZMCPWL$w<7avj}8k{VsgYUC!>rnIXZ#&v&XqxfLgC zTvc0|1P2DAfEq}}gPOyUU z!qYr{-OF&n;=I|kX-58*^)>G$u-@Od{k!;@|29tMAF)6G;TSk;V0gmN&AeUcc_>hx z9I)((|IM+qdLWu}-V9prcM#+b!a(@s(Zhd`duqY_=3JT@1UOY1oHTIyT;uOt)`HT3 zd5d$PC9;8mn7P9b>J^M2YuUgW>;m+sTsrv28Wb!v!sy^6lKIy13A#oZJ(>QEYd{T{ zs=PsPAZ}IxW=@DT>?hc9fK0%)E*e%>V|SG?$m0+Gy+v!X?Hox|r|kxYZZ2^KCr%yXB6 zqDB#)7i23>G=A{Ndf?d*AcYKPp1XdX$mt#8jqPp%^{{~D^T_p*3W;$j>1b23!lgH# zauQ~mJ2IWQb2OEv3*~UZ4&h$zyRx%etTdtCu#DTB>9T%^iJx?1g<`!4PrqMC9RWiW z(w_XfrQ;dRjW{2Qe z|NM?y@Hm{xjgMok2M-Q=UXQ}iG#gPz*vTv@m8R&d?nTn|iU*F#*K9NvI77#IpOr0S z?rr20im2*czlrTvEeL!&B2zMRcAs%tgtYYjl!f?-+solh&G!uf*GLNplX@$Qa8G-; z>{%Zl0fD8p12Hz&CEeVmS0#AP_|OlkDCFl_I|bNGrUy#LIXdnfFgbLEWUnjN#Km`a z!|+Dq zHg8!N7AhdLkm9y$>QM(|heXu%KB6K{V4Q+pYeiv9mC6Brgx8j6;@KUDXxR zJ+(0}S6Z0n6$Y~3xNP;R!$z(vh(*lh#=2;A%}`YoZ_2$I#>!>zWI{A2^t|0ayN^U4kW_Qh$SArw)gE_Zb{6@!3H1BLE2=IJCNd4 zyTS;6<6=?Kmmg?p zwF<^WN=0|q?E0D$g&rI^Dk@uld7wFC)+gYlPj|^1ilfFw@fYqDsxroeg9lANe$3yo zwvR5_rQ9Z6FQ$FJ$~yP@T*7(-`yG|tmnJHT4%pT{|N7~4nw`%u_nI`VTZp(<4@HBqHG`XO~4OaZS& z_K~QHT=Z_~IixP&K;W)@WkpT?pJVbL@CqA+TlE*`r%Doi`?Tj?b1&ud8FEi7(zl zo3t#p^kvda34Piq3g_b5zF~*52&DB`kVMUpAZ=@YdP9!Q)|bw!v9&Qjb2XnZKXglc zMf>g+ROt-e;Pni>&s{lMw91gLxZURCB`&$9SikYqk|j0PzA2DRp(_Tvv4XPCgtu9$ zCZSd)5WP5G$m08^E@%LAD`x*#dT3*yP~ce;OTq$aQDFP9dV}ku}m(Pq9D!p0E;*=W+4Fzbz}rCFoz2BRz7s_C&`z=W^=Z+`zCU4419nYoh?d zdFt!T>@TxICG{4qqK|u?`nOweuXH}h^=^E*8T%PVf{pO9doV@1Ukt_%H_(OKj4LrSb-I6fu znFRgPRc~gPB&0HAqr(qutKRf8kt!s)jJZ;^@-h)fT^$!tbC{UwbPH)fB{U|=rw 
zAvKWay*}^rvpA|82YIgdOmXMh>(lSo?(&`*oa>x{I~6T!u#QpOOOE^P$fPaXJqlEvht(Z)rJ}mp9vmu*vknmG)E_WK5Tp9ta4|aj^5v*1uU) zR{mapyxcwFjZ3|NR@ByjFh`b@kQzw3e1Q?^P*SQT5n80vg>eR&VE73~A2RYL&W@et z&3h1z-{G|=%6M2KKV0orgE~~wbEC}2LYSUF_Q-qd^kLJ~trpCJW2XN+Mo9><(%;nNhcc#KrcLK@SgYZv=DibBrE zwSEaqjy5k?Q4qSHI?pYPoO9>nC$Bo*6x;okVxt(sIf1<6#^pD3@Qt@31#VHIapc`7 zVu!YPVDt%kt5B_Vi$51LOfZgoYGd>*W}Nk-xuztq+@^TLxFH|J>vZXoHyO;K7P?Md z8Xn3~^dmK->adfL=ZH<=lQ_&d!r?OfyXww3lj<8JRXvT37OHwY9~!Oi4ig4+wsd<3 zN!ONIBrQI%YzTORx`DB@)~B3Xi+RHCxs^+~A`n&S;jh9MB2(QVtMqXqeq_Wd)BM<} z3tBmb^VyYyndw(-QgaD}L{!+(HytnjX?vjxhzdwj zw)8wbY0y;d?^_Rx6g!?g+Qm|1Akv-H)+yCb@jWHGd<+hBb*ajh=tlsdMbkzU^@COn z4kMU6g1)zTMvi$VuVGPf)yfzEMPc&WJEBDvd)xACN{kayB%!SIQ z{`Uf22Si(0yinYk+;}oM>+(@;o6Ph%R0qrk*I>UEn^94Tj^h>#6TQ}ZQ=i1#nfrGGfaQuus+iou# z#RfXTDk04rVaL>(seV3kspydTO+RA2NNPO10aBb*XR?LymI1#;Lu4itzTwm7@u;Y; zzqKvKEKN*r$S&-ZL&=i_>!b^)S}z$-xU5GDeNNVT(a{+(Oxf5`FCesn3wd2ra9yFf zM4cjG{lfBo@Uva@$h;cukW7V;kzG6M)C34ZI-yz4N@RSpuY6?2-IBWTlrDa*@>Vrz zsNXt4Y79%W+V@u#xE+b8liZ+mx#$Mbr0$Tu!HntP5c ztO5HNtZm4a*Qz$>tsd?+sp>Xc~!NRQwMESPOms^iu?Jt1VjZe~L-e#)pwjOG4 zKLLj?#M3QH*}NCxKuAxDu+Iw3J+1ggvh{AoL+7W-kDrQ!@F4~S_i&$Tcj=A3hdl8b z-Zkfg66r#y+6;U}n2-%-<#ARh7-sw5)V2Gq- z3~#!^;2m29LHf|tLzSPklt!(CEX_*JC+JIrnYC=(aO?J^f(;V!()orF73oo>n@(Ks z%0G`9H5xkk*~@iKm-K2{`LeFT1mq?9Ut@Bd2!Le2qlD9I%5aBTk1DQ7Ep=eVeZjyU znAm?>%I&AuNP&!%VriRg;sP;_sXMNv_%a-@bQj2?hITKIx{ zZMW_lAJ1EK05u39p64`jXy_4k=R08s|DfbOeg1s}ai9yn>`DrsJje zk1q;nxlcU2^T9LfNr~kM%qKSE;qtaPI-pzf>vZ#AR_t{6ij~?>&!w@=t)AfS< zVF)n+ab?MnH&jgULBngGvM@uZR!N7bPIPDVA^Y-mLU*z0wU@nmrv0Y9Qm*#(vGc{ zbNr=3>Z5ti-0ar0ZjdT=h&|cl1fAANDKkSe>hFMf?=C`sdS zz08gBv1mEr+nZi`>0+JJiW3};spB1ZeVO4l@>uj&rKoG%Ias*q5QkOVx9$VtsdYMg z8HQu+(PKv!P=^?Vp9o0x!!foUCXWx89)=wLSQ32?O=Ruzs3^OKcDYt!*es_b>34JI zffvM~WAf>8F$tPyfI=1GGerm^q#R;nO;?CHx}A zZGXb&1pQXgpFv%q*y$$Em4faD&H=`tKXs~>juN8*{=yK;}}n^$dv>&BM?eQH<7rMx>WB z9*)`Uw4n|M>jrA;?7w#L5i&%)PiF&gK2(*K*`W>WoZG#Ml5auJ-zRcbj&Q$>(ul(I zS1H@r+)GjeQ+m=NwVh9nVYLxHvsUE{U;ML8JHj1M*5GRadOfUz3pYdB}O> 
zze%*CuhK+-VLj$ORfpNx&j@T3k`IYMd}SA9U;pX#&Q$fKn$jDmn$B6#lVlBUUx^E+ zUs^@KFXOR%W_-NQu-k?C7b8Bjh>loRux+}suz6dopVb5 zXe{w$^FjM!$g;#o!39*wGG%|?pN8`X45vvrj-S)5bHv8c1iA+)d*mT{>J0r9B`(?b z;}`PuId=EMjxm_oXLFIRyScNumv9)nYu33okQXOga@u3lW_wEUu9m*jWb<)9;~eVZ z*w$!jNR6!+6&AWIzpq}%Oq_iAeJsD~Qe$4p<{Koni@d|IM$8X+$ARfLLw2W3raGc1V zk66d7+VEpfqo0mjHGP0mP+QAwe%};fvz#)DPUS{r6=vmL7>FrNwP8k1-1X{(B23Q@ zu1y35;s&D+{D}F_#sA1HRkw$=&MnceWX_M||7A{RTvH;^MPn3uOQMOPbNf7H@XjKk z{Of_=_omK2WZZ4Lb)Dr}uDGLG#1>Z%R9J(8vq?vh!o8-peOcA)HRt?g3P&#(DM3wa zN`W+99$=lJ6+A9r+&wE^or>8Z_xdNDvoUZ87ZAE;2u*nZt|h{yq$Pct%+*M3NzIY< zI8XHVU678i={94R7zz7M#jh+deYC89$oS{7e(0W7HDndBt^F4gi-OAt@i5zt%nBbB zPDgY}B+OY`K1;Kx%)1D0JN3!x_dTjj){hwXKqIh1j~O&Dj|SogtY#2^?DgWM$46bG zK&#Z%)rr?--DPWH2Y+aT{TTd&DW_e8in2xQr%Y*q`Bw`-lnI_$vdFpZ-g=l{h2j!OCMP73jmhJFjK9`~VVYZ89_6=1(fSO&fKXOM{&$PmIR`s)-Ky`SKzxm4ix^dz!N zs${~&NlC{s=ex#|4^3FwOF^rF( zP^s~Q4;oDP!`$i0WM$izIr95_L5jM)Swwwa^7wmmMYqcy&G1j8zRMN?dDs?8>J%uO zX@eO5tD1-((Y`T<1nbQq|B*7CMNf$=0%BB&uYQ4;r`+_Pd{H4TlW<$-!$x>5QkrSx zm)LZYI9ma!4RTriuqpsYh*g!vgudWO=1C*CPF{Xsz;n8$c{E42)xN8C;>*ihQWg=G za=wU0nMDVG6(35PB}(s1I;R=3eHpU1AKoXne@Vq!Go$*!81p=(^kRXiwez!_IEJg=)_?&BILh>;Yp1+p7fy5*tsCtjfsUH=Tska#6Y}Q_ha6Jz7q2_6l6w z?^GI4xhK!gJ^QT4c+Aty4rLzNIo{YOsr#veZ4Ef=Xppes`!X~Cv}$~qKqzeC0MCbP z?a(>%Hl6upXt7ecfg#Bpk*_^7h{eNMfPO~zVt59Pbucb2Xeqj>Jz=d>FzwrpnI1j0 z+nzj;uz6ETb>0Q?Flc+okuVthsC@Jl?Rr?t`Xi5zY7VM=_Jc+4wmT8cEBSd?Q9swl zq1w@@dJXd`p$A3%t@861%4G7&BW{(7Y#AR@7wJiYMilezbyjjoGA@5T8*odribT?U zKlxZSqIBwt*$od5zf6CT!iL+f0`V7KmW~fuOpp@0O+pZ=QZ%*T;*NuUC?LYqhp=E8 z;-1vGyMAgB<-Ht#C_4L4*jO?h$pC-do%kVg@V7sU~-xyIF=PKwXzt=+1iQJEP!uo5HezEDD$fH z9ME{g*Y!uFS5n(=Hh*hda36ymgTH z@e^rM1T|qimMUA_hZ1L))+J>GxaR-z_IqwMwraNhboBO}}4DWrP<<(tOY3nq(Ozxi=8HyRUIa|}0Do`3-SMe~^HJ>L|>B8`XH@D<& zeIy?DbthI}w=fjXGXh7F6?y#vJ~|V%pWAJD8#CTt-cOqJxH|D7T5{zz+*XI$6uclr zwxEf{Www`&Qqrn%VF&gk5Ty=37fr_53@SCq6QWou4kHZjx#&GJmz+Fr=;pKr@{x2r zBMTFV0b(KVa#mBPc3G7NA32bBtmS0 zZSX{hH;aVNzR7r?6Yr9-M0EFoUjoU^J^!fQ?tf)H9sd%R@`84D)VHRxP1uTBP*}+i0Z11fnF*pE!By(}iJ8M``#*-XS12 
zm_BXQoqs=jv0Pe1#(2b`DnvY zQl4+1^Ew7|7iDMUIoxCYEIEE%$^nOewa{}}7j+Aj_OERIf9G#V%2)>%>kL(~sTC8N zx}|fTWrxU{Y0jFp(pt@Nl)3X|lVtSL{U_b2=t46~c8SX=-(gp(h!d`c(v^ zw!2@UpOLquV6gd4;q3$SCwX5Ks&78bH5|5%3hO57H1(Kv%$d>=U5_%kmpoNu-+R1Y zsx*+jMw~f@$e}rg;T@x&49PIuX@-{)>q-;EBxu2TcD~y}5Q?wt5F$Jc;TJA6UR`_i zQp{%xC)>?AjD!#rai^@{Nn1mCG&cHaeAV+u3<+Ac+Z_#)Pkv}Wc~Jx*md?K{wV$1? zirF_Nqq)?e=x^2D_sni5(q=zDwtzCQb_9A)N1+IGet&qbm^!b@Io63Z*_xI8#*_5s z={d=iRFmU6g2Q!BGvXc(Q^q1ePiH088JH-8TJwtWupXF7u^ff8chk1=rCq}gzK+|q zl~+;P*dw${al-be)dG9<4OgG=%ITlIvtqvsYgX85F)-5Z9WLIHj%L z@x{xOUO2FTw2t)F#ukOBsVq9*nU#rx^5=i5^t3j%pVB@%JoV%iBbkae>-G}9y4<#{ zju3!)J#@=J#6vqh?OcnXQcev1-rnX@i&vpVm|EBqTOLOIuJ+6kGD8$}&OHEUd-|Yl|4S^1)W0tI!p-h1rphO@!i5Wd?!iwPy!O#_E$m>R;-ew#T zlRic`#{gM0wI7Oe!igXr#OV>F$|nARqi5`>5=m{O1!fl{wqh zsF;<9RC*FMS^z0c6T>oX{Unt*9HS->x47s+$mTRM<`=ryFSXNi{MSTBP zGkW2~suTj@ix5a*dTYI@BQAB*FHf$H1SvWM!Qv~IwTA#{Q*OmXmYuDI$VX~21V-KV zFao|Zp;wETYB8P@l9g(M=K$L={*;B?$3;*t-7>VKW~7a8Y#x*W_I%lRnB*?3xUDzd zlC#AIQWvCCrw_Vz!*?k#nI;!Yy7F(7;5I>=9^084K!-1EV8N&FGTz(WJ=XZlK~3$= zJkHU+DlYoCmF`&9*A$vawe#`)m;xlb#FLHRjT&;wfXv`S0P2f#hq*(jtCI^Msz zhcmdN4CCHtql7pjfL%pBLrQ~O4n=~A=IkR2I#rNUZkb+W^2p$Ho78<9iv4XdL+h5s zpRYq~6W`Hw+7B$Yl$YU{Am7`$2!ak}bWWEq<r9ixfLhmZ?^YXY2yC zHirm7G<%TWC_&HjGERd;!gQ+9QzH{fXP*D6h(ot(mmMI{`_6!v4MMKnbJ`CLqnTN`DJvkdsGXtgWD+=P7(P;AoVi zdb=q|X_bA6jIUHkwUaC0dt^t+4J>1NRN{RJt?x$3f81nUWe3$C33iA7xzb=4QRcMe1>4KI4fgx>>aL8Zl(^c+xTbnn2 z-7^GftrtJTUd+4;rDD-=-t}WRe(**?QR>=OTvpnXNzaH0sDp`h(35`a!kJ0FmXV|9 z#fVvz=rY;L)gUBDv;4?Q)%%e<0KuhbLgsu>bkXC=r2@nv4#?*ytNyvN{>e7{b7lQv zF8;Tztd3R8ew?zO<5gUDNpxswz@tvl2Sx%WC4LWAw`7!DA71APBorV684Npk^iIaj zF(tm6Rrp6sS+BxQYSQI2yhN72MsH_ngx;|VvX%e(|FQSpaZPn=-ZxfM5LBcJL~uTw*pdPh=@Rd6dNF2KtMr=i1ZREAyOkBFddQIPli zE7gAfA!8XkUbgcsTDjkE^PMjaof>-S0{ACyO-pU#9-8ck$tU{xGMgE za;8C_uDwgD;m)`~R>acltAm>k`!eLs00aiGFge*09R_mR=NG(YGq=#wnnpSv@Oq2I zDLnlU7Tpi&d)Q!lycD(Ok0drgw;>H`al7@!p~#3jQ198aH(76rLR8-YODW?C2uLjn zcj_{D*psfYC`pHYpt^#jNlvS|_ven^Deh@%RXlk*$B31n5W63hBCx!qVSVj3)BWo0 
zQX^Y%%*uSecKNFl58Y%b4F=eW2)BNm2~fEHUH(w6^q3lYn>CUE6P$2(s+y2Nq3FaMhIX5p) z=BiwKjQicD63v!mD%V3rxcf%t1LJYkh`nEPrWSI8NWr_*J9obtzxN4zgtAXdT2SsX zZ2Ii6uAH29`W+9cw(8dHHc^>dyJGq+qKu)J^KzD0q!P(m{?;3k(Y^!an{V;75Uz)q+eWwLV z8pwb>uRO>Ue1Z{}Oj2Y7Wa|as@>~^e6qa?4-9Wf?WM{sGZ@CdZEAd$&JSLZheab(| z|H^x>F1j80aK@+;ulA@c?0AQeJz~puSKD->hrd~Diikl@RxqJ%?WPpc40$|iRM;$I z`j~6aIAIV^N9WRq`15|CjVM*Xsw>O{Dy-!<_BD~*JzeUednw3M)75Y%i;q?}ff5Q=pS!Bm8QZZN zM_xX*KO&%|!GiBSn;WvbuJ`Q)c&Fizsx<-TJvL_Sqmj&*4=h*68bX4G!x95)(1_p4 z+qieqiwhM?wV$LNC4MVIryM?ULKq*O)D5l2Z0b@UM2yPE<#83sC`UX{sZx?qGjxFP zQSwB;!C}->x6`jt<(Z#nh%TS;r5P!d$|`x)T$ym!sKPRKs$WUwTp}HlXc71&Ui5Rq z%nyNZ(9T&de59Va_00$NRw1LZ?Cg6!;p!rrFEvdjZC)DG zxygVAhqxrEkUkX{gD*p-RB8R7*j7iajkLo$fr=t$UtYmiPNq-_T$ovsrgKmvfbe^Paijolmme_@}k`t>FqHbuNiDQeSn1+*B;zwFqo_ zGF^1Tis0?Yjna6!CC zk}hD123CTQmek?AzhvThz>Chzm6`7^u6U&Ds$FqxY0%0nF^cqg*_4Q$ zPd7God0!4da3L7o8TnJ;{WQ_1MXI7T0n*a*>Z_5ddp0Zx3uS64@o=@400hTjr3T(A z53d;^1t{fPC&I^~#!s|L*%#rK+P_N8>c=RnBxFo+Y7$-F04f|p`cNBBkr+J0x1J~XQxoItYExGQ~VBp$eeg8eJA_pJ{bJZ&= zNC2SuRxyniW9rR`>VddWxe@=3{rQS)t$Cx9RkUPCO*+%l3ZU2>JK{5EU0o?eMSQwv zfBq6(9H6n8ru8#mfW|IotUOx+G!mo+oH$OVpWa-Q7;qnpe)w)NJiHsgv41|q7SQVe zp9yu@sg{1KGBFOaGza4)1AL}ki*LW3fg@(#(XArF<9#K7W1~4YYqIPN?l7n|V!b&n z#S33Oq?|%eQcTyJzlVB(t^znV4Hrhn0ywtM$h_brk$>_NfMes_PrXq6G}?4{?A(N$ zT(+TOK}ay`;|i&=sACOKR5-0Q{vaxWWe)JKMz-*D?1Ele@H&sJ%3jPtHtHZ==~4U^9-XJe%H3Sh5e?u=CDq;YB*q%OuF<^{-hu5j zP_+NJW@ha$Xkbd|Y*)e{`=R>0+Qlo!T+{P2vt0+GDieF$8afGeTzfX$g$Wy}Cya!= z%j$U$jW{j3d>Y@pk1xCx9V9ms{40;%IvNLIPFOKtc~N(v#FL#dvM0W@`lNpgJMvQW zO0%b*ntsCs;xT5= zjQklk-hS9@b8KnI5FvMHY`pI}PCJ5=Y{hvg=*#nLQ`b=wcJ`9FoUpOq%Ib4$+rl~IqAlSw z?G9{x%=N;IAr{|b zmgdU5^b_Bg1GL>QTn0efF%b=k_VqXVfs#%O|77-q8U?*^+$r_&Yw+6ua#77m4~|zTAbA%M?HWqjp#W~D&&#~it)}pijTi}$sf+*N3d@C`YUXZE>~%1qz=!J>;^ea8+^BcPYu64@^1W7XWU@T%j9@WctVj z)?kHA?-rizZ#wktPSS}67w}X{)X84-(VPOelythwWHd<^j>iG4-3M_Ev)-<5f}0`K zWQJ%zMNtNDyPwaBSpaVL^E1k+Oa{Qk$_^Q*i6dI)IB{yAhjU(^tX}bUxwt&MkvG&h 
z=qEpM2^Gjx9&MmYGe%o0D%gJSc1q)IC}d=c-y2!EIw3{NYc^ZQ^PaWT!iHJ3;{R-d@4`<{rcdct&t!W~^W=2I`S8fNL^do<**{^+`6O zj`62?q1~EWBj`XZvX!KP$zOM1Di@k?Un=)b=Y0c(lpTG23bm z5vw8uYSiI-^VwKagRm;$9MzP~yL@H7@II8Ivr%enRhpXEBz(toEZAwmxYn<8q9piC zymD`JChv_n!keOp$X&Hh zB|(x@%)xX+ol3;LqT<-`SmHb;_N?ows0FV=BkXuhZRs@XVAmWMG!o_o7qjkp-#xN@ zgJJDe=EX1aH!mDj{(SSZ!~`JFg&OnbfI{$3v3vOPfO{5%$QRSYpglMS98IwOqEawa zxoHvW6QR71c--4*lT^-wn>ClcYqPT(DhHb0Oi?spt(6U_*0-XrCKQ)eoGF~2u-6$4 zq*tYLm6@GvvrCL+T#$wk8XA0#eE8$jdNxd6qM!#pxB05L;*~jM5bN=F=`Wk8XNOdH(Vn)@OYA#`pN&qI zAELExY|!;uYk4!$??A-08W)NeSXjLuY~8fqO;?^Ub0gN;L_NW<$^5vRTYglTk&(wk z%Fu!hWi9V$&h1oLFIMqZ^276~C zuzs;$4|#HXh>1&6am6?N36?$ZB5EhpUwIW`i`&HS<{uz2=lxOIqa=Udh{p$*_aEv% z%P`EUK@n9VR}&6hyng5IhX;My`*(K*lR?D~DtWjiY7mtX_=oUb7#5BJ)aiG0EH4GL+rw{d%ZxyuI*yOoc`YlrU^pafsBKNG_;1;!9 zk1oQhTP|a$$D7zlmBdAU*9WnwqSZKx-zXs_Hd-kNb%!Qrf2pt?rM;K7{Wxy+`Im2F zRt7Rh2U^Z;im+KS4Z{@=K)37OM;(BT`0YeM^Yeo_mXOxHHZB&dvL5d^;kXUPHBVZ) zuU|Rl-m)b^nqSMZJHgb9D8GoZ)W_jrlyF?O^IA;B%f%(5>?@&nYJ6~&qDcl{S07(e z3&G{flJ;<6lA&}IG<7QJNJ-~#VfT1fIUqf4Gi12OU(8_3*E^eb35+B>-s(F(YIZ#P ztVto|qzSh_6hctV-k8d$~@E+B!yzJ4?^jI^5)!|pq_K!y5x5nw82Je+u5O%fj@`rNEq z*(*#jK3%ZUnl#U)+jU8=lDm7pY(;U)>u3xjrNBo{#)ReYkxA495hlGk2 zV_FP0$&R54rd3_gJRl{vdur;d6M^q5DIQW7?K_ng%a_NKnCetU*96Ilx_5?uoL9g< z2u0$mz2$e11O0Oje(F#v51+k!vHX-VsB!w7;C_)&Ss+5AfdsKmwoX6=Jsr^i;JQyd zN5ed$IWWIdvb_x!6YK5B&X8>a1i16^N=QP<+;6TWgih}6wGS&yxl9xN5{ z)nPs6y$i=F^2Hb*#*HsUM0=w*e0`B5d?S(ztdGx%_#&sdCrXHnm~ZpjOUP-x_Wo9w zNjGV^2PUWExivwb;*&tU2vKFt6zqE*)YPoLj+Rhy7JBBv%OOL=siwVQvRU5BDR-VM zZ>@lhT+Z~&oa$-z^w4Nh$r4X{St9F42Gt;*`u2pPY@O1nl&|*bPR*sbhf(?X>nBW= z9_yWsU$J!>m3&sY(+(Vf0+0L}9=ErYt9-2dAX7^dsLOLj$Ph*;OtyLJE`LP{NFO4wvYJ6gQc=W$kJza%}H%CkY-1 zwA(P#;6Di#CE(}@YD54YD?t!LH(l+lsXcbL>)W0keR-%)3R82!prMCc z(NYmw)%Bo;b1`nNySzu8ILnRLr+TZ4sozZGH2CG>R36!qDgH<&`Ua*)Em)-T5cfd4 zx{GQ@LoKDGuuH=ELZQKgO?o5tIn8NeYRYcHPLi0=YKtOjeBB69`xlkUH_q$&$@i(KQ)_wuGw7D8YClx%pRczKf3rSxOrLi*mSd-l2*8aqDn$P zFS1Oj*V5oNxWRPwAaoaY)~*Y@6n}NHCT-@Nl9T7^TXt;B_7df6@Rt;hE_(+w04%s9 
zD%_kwneMRSrD(<~zILFxE8>poCos@e_{(@vUN9EW_TC39{BUa!JwN|P_jbQ>C%hV@ zyvk#hm603HK#nwRIe*>4WOu<(W0TSP_C)z&`=1W-FX*J|o@RY!m(W1ZKs(i&5j8g< zb!hkOx_fkwZ850g04H7f)i58t2VR1g%{?#zlHuxf=Ac|?fCp{Sr)8`0;1y^1;G!&S>D@N-|w{McjRp6CRl6^{ze z!$Hl zAaGH~O~G+^tsn~+mh2QZBE8oIB*Im_lS;+9OvRR(=SUDg+tYXD9LrSVZvPD&=F>or zadOYVG*_w-2~UmQP-p$_`U@4_UD)_QP;WzC&v57|2ug|}eEM>`5h!qJ2|2K|K;6FgE$VCdBEx}B1cE%@@QBc|!)XsOohusqr~!Yvtd#AX1g zKWbGR@-wjO3R1^$a-##vFy2bRKSzn+%bPM+` z+bD~Bu!lmv=a+bR=5WXAWeIaZ9mq%bdV{uLu4#~#-QKkPz1>sPxdn_ZZi(-=J1|zR zUI9pp;{NTUWnH@$33-*3Nv_wwg?E2xCN2peb2EY5Uy zO0{z>*6cZT`+~cRka0~uJeR1r%S3x7w5QeZL3?TGNei==jStQ(<4eGfR7oVhUS6oQ zl&R3R2ApGY3^2ITp@AJIEYa@6`- zS>90LIyfyt3=%+=+ODeNV5hoaauz(1PGswcns5-g08Bb7A@8 zCnqf24D$k*FnF@dPk;56`$2x8%9c&vT7*L^JX93Gjmv@%mpae`bIsZW#upE@38Oo2?X9I>CRtJ76vV=TH5J7f3*@czuXM>j4ZCkp<(z3spJ?Y~xk zy7x~_l>XgxEK~(s1?X9S4}xJ?Ct3l|4089f9x5MjzyM^-qYmW))JhGQ9}Tgr@CVE? z?kSUT`~jpCepTiUwq_mJ(N71QE~@nYB4EC0EP{Qcfg7nR#;=zGUd-c_>FcHuDWHXm zMW!67-`71O;@6TY1}wQDCn^bGR_6o*x1e5!4FHY{bOO?#?LU;$TDR8%w$nB07_Bv= zy)&Xt67S+MF`iyzzvj{QbIEgBm^$|}cU2nqovg2!R}gm6MIRFt;CEm}^p)8D>R@4Z2*>Cal44He?EGeJ zE^S|Wr5li=Q)cd286gumhDgh5`9q9rz)c?Hx$|gRaTi{}Fqh_ksmTYvPge8f7lXzJ zx8(H?w8J;-%e&zo;>}o*ux*Rgt{+l7b9{WW zDLuuBbI3>2qp-V5vlD_QrwT3NG!0-wJw1d7y-HqzzUUOON5WfQZDCIJyK}1PY*P*4 z)yvBlwEzOFo&Agzz{ZXM+I2}sx|V_6G-n$!rplA09Ju)L6y{QB0r0|noGZ=W&ebVR zGE8Gg1{{vRe0;$$1#uZN2Wz)tR-?jk?c!<=f0>Uf;}4*~gNO&QdwbBG@T zx7+f%xdJ(3D#gsPPdDCEjEs}w~c$6 zrbbu2G3sJLoz*<)c*`+-O2K?|#>$&oY*58Jvqo!~sN>t#m51#GGUQ0Ff~aj@0tF)} z6+*wUp~KW2t{Z`}VMeTf3ia44NgGUp@E(7?%ipg*a0RwWH}mBNO%*$lLN#K>3X(pG z?YVE>1btO}^*!3yNQD*7%xrRm+xsnZ&JgctjVCqR+*-|>|B&kzyMjm0IU#?gt1@(d zdLgzJ$qZ_>O>u2d9wbJwt8h0DUm=-3rwP7`apt9{WBptILTFSi3RnW=`6<)O5+uUgR=4l zu9MtzoC_#0gY^87>0Vdg9|C+F>>}zz*AXSBhS2 zGLy}U=bAyK`zvL&E$9yO}$B&0QYbwm&L1zYc8tu zJwtQ~1@Gbtgavf{K%?=lyeWBZeUVxnufqY3ucn~ej6v{c{pX)R$3BCIXtFuYz zyH%4KciWEkKj|!((RE;(R~2GV(19pdeLv*l1!m6JyQkME0&LK7^A0-n^Nx<2O$d3b zmO;;O^3>eQd|S)OZ*+YZGm`P4iZ#w)8N@6G5VcccjMA_#%m6Ex7o;MBL0BpT`*ENy 
z=0>c}hcL^C+&e$Hcb8N*jbNXlj%En)#Hwv1B2Zb^ZC%#xpSZerd0*tYs;tvoF}Am- zZnW{Rny|5YsO|UY%f#Ve>t+l)>kt@qQXEX5(d*QG`;+ zP{m3~B2ARC4@gM)a~0krQ_On!&B-up&X%6uJW$K$ud5QL)|2oX-~IeDJb&T&xaBKY z{X<|Y+w8jJn$q(kRr%Fh?@BwDdVha)bXxP^vuD;Gzw5oK=v$nD+ar{xu(rnV*M3%< zw(lKlSNUG#p?G;eG{*r2>O|zJ%%PxT1CTH6S8;uDfv}_dLti}bk;?`o%;`G;Ub33M zyIuE2CXnL1*G9@sj+?r$gZ)1 z;{1v=UIOIfTMyHFxyMjF-W?W1Bfp-?mDASjg@Jr!aZ?I;+ zL_euOvuP<$#S(;$KIz^H)SWgG1EvdK2tkqkyNjUWIctC9g*+(#)x6N(|9>#xT>O)A zY7`K@ZvnJxqo}|-v$sr;|7xIT0J{QMOxx1i9l!7GNO=RX8; zK!HU)&)H=oYA*;8l!+>Ra52%pTr<^WkM-cS&Lfe3WMaBPn?d>$K+&~e;dmz9v1#rq zg)&D`(_u~fSO*fu(q~he=d0K38rMk5-jja70NPnkCpiI8EXRTkWk71}l-elb-71*Y z?+Gtf(px?D!eizaO7ap$0$&{GS~Gg8Z3b5_pfg=0;)q){D3uN`Q;G%e#Ohjt|GSbj zzKA~bdHs1(%QDf#Je7w?9y6c-T&dB}inc@?P+nckftaNL%b;(1>oOsK@k-cOoSF%l zT!Rntz9$){=9ubsz*Pz2MkhaSekd1!L#VUVEy$;{{WV^yOPnA~>%#$P5nI`X*2IpYTzk6Z%D(bXn5I*1l+*~7$0B=^ zOkH(#m?>42DrERluCf)!oL4`898~Zvp*YjNY5yjFrD#f->yb@C|NlIUsR-AFfe2m> zK`UP+W4f{KWsQNeg@@@`RtsMQhUL=n#ei4%`Z!t;5Fe&|8z_YBP1{B|DqqW7 zV|5Dzw9L9#DZrkKjP5>Kt}E5BV>yE0Di*uDhGiY?)ve;=An+hPlWt4cyP*~U2n?Q~ z%yS`AXYKM?x#u5NYyHhoE$d|fZ`bv~%(fwRJgTs#+dLn8{N%ohI7FlDX=q5o{n1I zA337nyI!il zIu(?9=pM!cNCp}L$w1~l>%pxholb{x@YN&tpcf`bKXH9`L%mVTT}921k=DTD>RzF} z=m5n_5ugL+I~v^wPVDDAvqZs$bCqa!P9gf+R>W$S9~_G5am~( zlAxK!&B}Fr!4!VKO4Vxe zj6SI>!`+6=w7Ql!Qw~oO58w5FP-W7#7ZjKEcD(ZQQiT2cPdN5X{!V}diRSomK>Wj0 z7{{BU-wikwa8}?{;=D(wJtgAjOngU)9bQVvk>}N#~jQM34 zUcWb;GcYQ}O0E=QYj7`mj;2hQb1eHYe?JuK{cMDiWWd-jW*Q7yvRU|IUJ4!XXr_|9 z2054&t$Mu-#8duG>~1;a7c0-F{N9tEf4Fa^ZR;=deXyKw~O@N!snEyU}Y7kHCG=b2-XaxH1avc#Dbzn3*@ye z|LsMAX=akTw{ONBkLocULvv=G624v#JUr5z^T?ZzWYJ3imFF9F=Vt#jW%+Ns7D?vH z3wRcgZjUYoCUssw9{3fZ+h8PejS9$>e7Z+k29{6oH*1*yiE(sw|6hs=|B;{nr-_pN z{ci4@@>_Ofo>~A#j-77hr$yM@xs;twQMbxqQxV$XX89204;YC5ymUNLw=Ul!AW6XvVh%y{dIGd*Kdw+08;p8IaC z%5Rn0{6;iB`_(XaRJp-s91Ft-$V}8lY+!pBwiSIKD-xM!aA*xuy)wgq(N0}@2Y9W#~=$x}Afi%QMgZC8Iq(^t;nT}@pqZW$-ly?%!p%1oC zS+}JGBnlpjDyo>vYHU1HN*J7@XZ2@JnkQcAy1HX#kkn$V=WA`ftfyQ9E>^0dN*m@G 
zq#$V>EL)il*vywYLiLHK`)v$D)$N;iYyg)H*4^a22ITA2g!!Fk-BNjPKrFYC^egof zMuRG4`xm9}#x*-fnlMTzr!1540=zds2^i=FMuJ^3oM==(B*A?30O?9bsuJKv4Y4+{ ziCbs9Lhhe25{OZ_|9CIB$-l*`2hC7m`H>MAS$4{ZW*uomjoP#K-DzF-30FMxG!Cxp zJV?`$b_hWTj^BAZDl49$9^xaw)x865*5Xkn0W8w*`&6-^9Pjh<*jnEk@^6 zT6Vs%MUyduOnV^X?aer2d=@N=jHjNDyWZND?CcnCATV6q8~Nh8>Ck>r-&Cdo3kOh> zvD7OGb#^BUJEJY0xaGuZjg|N$--&spa%6TF>#l%4VHhhCYSc+;dShto!Qjd4IO=WDi-P28;zDUkUD5xcG%k?>d+<@%D&-g%wJEN7l0#BiknLy@PnT#@JL&0w7CD zfLT8O@CxBjTt-Jfs+_+Ba7KaM{L{QteQ6-G>lR6?@UEATC>6;oE8=848`zgTP#>AC zvmx@WS`$_L4Upy<9g*~Zl&Em4TNmyGyOZ5}CjAaL@^r{+@#>St84pLobxEWe6zOO~ zYdmT(T?OC?JVih*=^4*gs&%Vls zrErfhlL*Yk5z8=7>ei{V8cA`<(}o$4slxNDHFVcP+2!Ev!gJ<)m)#GnO1^AOv$`e= zYVh>oW#9u7Vj#A3kl(G<9KvCZ83M)@E*}B;l*Y~Vo~w9N*#L3k+(+%|Qd8G~U|;y& zC(3kgDLS`z;3WK=(E?^Tnqr$&p^Ttu($6tkM@({k(%1>L0WAylT4Uwm{idbm62U(N zJX)L&y6<+Y`l6(3*=!RyOB}_r9RU*&F#;o|6q$01SvJi&lRrSo^fN80{klII(_QPz zzFGD7OM@2v5PNlW#uhwEtany>pJ2wQ?d+||p7Qk$%_#yGe~_3e)g*ojn<%;e{oX*H zf$Vr`hGXwFb32<;aAoRH*la~2fe=?uF8j1JC00xRkdRRZF{l_XoAKN`TWp#)Psi`V z^g*|Bm0cX&vyl`bsrg5f8ZgJG#t9U;aF0Udu1h6_MPt7WeEKSIi=ssLXCP{mj++ISF-QB^&i!mc{=BhA_9*tN#d*){WeB`p1XWZ8gRn)t3&#~obyqNmN8 zMCC)a-!S$C2&m47iN2uVxd+=^<+m_XD7SID4yW(Y2!ZsU+SXjc8;yOq^|FBM_a)Hf zo;RUkQl)NB+v`6m%YU(TxC>ikVo*fO&7SULm$Ub&70u-j})5+iSEo^1`L zfB+M}{8eyY$)bMy_hzCNUoOdMGXWQweFJzup%N|X z0wg6G^&S98iA{eT4$w=eCy6Z0fMk#<{N1X@^(?gCS5Wq$s-+)C;LM%C3>jAZY6ySF z&JR==XzL^A`zmv4X|@>2ll>PvPCyH9hYoM5zrvlFqAW9a!!`xRY0OQe#iPJ_D31IY zdBbt37YjCxGBfzPh0dl=fMDQv`7i%S)ba~$H>@`NO0sLDm3?G_8_N^r*Y$#z(#9)C z*V=UBUP!4oKia_792_XNTzL@4nn6`o`34?;9&1^CtJEbgOMwyKKp6+`l^auq z&U?P9#(%4pL;$G$xI@eKe<6rE&1pkNnU>E~!LFu)la`e-Q8V>DHn*a!W~wS7&gTck zr1zCQk0Wx6@KDt_l`KyA(09HK0*@$XE@~~FkC|xVeDUrX>IYJG?sWAVmwW_2BJuxO zKqx1IV$?t(0*U{pLkF4q0d0Ai_AIR8fI)@6-|Lk7cx+7bBdW0OId58PK;<6teB(a4 z(Uqc#Pbc%b7Zv^GKI#bP(<*|_;`$;jR?sQrHEQfx$Z`p-&Wzs`T{g~w8M(N*z%VOQ z_G!Rf)}Z(9Z&F{I#2O??eU&?yTl$CrvyiEkJ-nnb&AP+Ay>!pHbSZ_l_F+FNU2O{z zGYhG4KCaI3!L;5_I2iHB)$2X$#@h{(N0@cGEy=0Gm}yviM#t7K 
zvwqu>I#PaxV^n1aDwAMPgu?WPpoRU1zoZPxBxY2+auV>}@jJZz(t{*5c2MRdUxmn+ z^B+lPN~DnuuE!Y9dS%PnImK>s5_BJY8-B9E?!n`^$-KjyI?O3zdr?^eVk0_>KibT( zjbN1@Wf|veM18-r5{{e-l~F6V990ICkV}dgNz(2o=Y(r)sADK?fcVp;(IU2H-@wA`cN+VAaX8c7;5NwIAvKG6q~ zOXIw}29Dic&SCNf{f8$w4Z4r&cdoC&#D1ZjJa^-AV=f(K&Q6iAP~!F1d6 z@^_%)V0YGgB5=JY*01m|=eFYL7U2F}>3v?s>;3-eul@e#P1-il zNV{FnB5Fw+T`YR!Z3EJQQglL1zUiB>YH4i+h0POBPY;#3F2X%**?_g*-j#yHL_=wY%Lf0gnwci@@^CmHQe;N0m^xiLY@ChAP8b)X`u!gi# z9j!IgH+>kS!&5R%XnwMIn%LMYUH<@G^?v;+dUmPP4bI&TBr!eIC^^{T1EvM^`|A(L zgY^d_5Am77ZW?K=0gFso@OSZhyA(9Ru7MmADc#U--`*xx5d~+F4SLR-$Ql37L;2^2 z`-M+@CqfCPA%JK1h`Q~Waq4HBYnRd~URDF=?q1Gua`pP-E%KMg`zK8V=>I&af0+pX zxAxRG#!zyGYrJYjOLpoH0ek4zvTyl|WUQL-Z>wFue-}U(26uh{a`DEJv*0~k?+kQh z{V1IZz-E`8!aMtCpX2AvK!<0?e6+>;Eq|$%8L)|SRN!v{5@0hiq9|dCgun)@F#87d zLTxr@9_pyAS6mMOp7wqQpWrqC4r+GNG-^oF0YJYM2Hk?vFOC{OdYE@8mY0MjZ#CO* zRB(b9@OwlAJ{QsM)3eXNi%(c+kr1P zphe8enO*C?M!6K*hAle0m>Ut-YWhY2#5mie%7R+kQFPmjiU|Cs;-u15H`p5vG>c?^ z+}iH!5Y+_=)$p9i|0Dbe%=inJ`0xGvC#(2VR`DkgVqW+sY&dS=;<_JrZ$$=nNx~2PkX&TEN!iQ^8BczAHN>zbPCUg&i#;9JQr; zd*_DVFTN4GxY(yk8e)Gaqg;r9@Y)iO&aoC}k4JF^c4~3`8tt z7x7~K<++hV^dADM$`n{N*On1oYtukS4C7u%w0$0u?I;RTnR9e`{PN1pSpl(3>3Dr~ zYpP$W@9TNTrVD+Id|D+Dko9Ux3ygWfD(~iffX|n?z_JaXdWZ~Qc`%j)eBb-WQ)cE6 zdH4KW)n3ngS{oDXG?@uCOynpH^n`mF?cuTY4U!mjwYWu`sOa}H8tjIsjT>V(UxvJVr=0crjQ| zE>Oq88Uwv$FL*^;-r8TR;OS{RWc`lgi8o_p;Zu=q7W?%#O zr30B-X4X=Qf!ecj_fw`^5HG)Wdek9j63-RlZ0{BgNz$khFWu>f0Qdox z3S?honDhVUDE62}{oT;j7cS1Qr;z3p?i7I>1HS$29q8+0BOfHe%2p|Ur503aZbC((T~C8 zdo3bHRoOHdsAUs&@&G^*0H?hqbsGn+H%N*VGu4JH8cfEq5^-E!)eixzB-feW3BdKZ zPvCg~?Fz&AxyUOp8Yp0zOX@UDm^Y)tCW=-iS8-?h`5^8|wk7l6DfNh5Fp#UAO^Z*m z;p1h>-S2+ESj#3Tw-(F=lG(+l>K%RNHh5T8TYHa}a(6HFuwv4=ybHjG39`H6nFlyW z*cSm;%m25B`*`tgX{Bt-dxvAj7Um9xX}+ajA2`AqFT_8q$r7oQ&yG_zOy7sVYW6ax z?kbmN#kit~#@RY_gxcwDV5!Y)z4Dg@_a6)G&-w@0A;3br6Q%KC04CWEdoZ9Y@ma#E zR&oaF^E2`sdKZ9#6Y#KJ*SX5r0fHDXIc$Xkxu?Aj28TTJff=Am~3%g1oPbAa51 zU;w7~59cELk+e6tY*!;BK2HOgGnjX04?ec-+r%^KNxa6KCyh$L0<-lfG|<;GB24$j 
z4}op5aq`)+?RNB?m3M?c8?;@CU=jD0;T;<_dm>O0Ek=%gCBZ$I=xV=^6629382 zOLjz8Do=H+`2y9Nc6X+M@4x-&M#Mk(@Bh0ElPw!9sYH#4C;XFaKqOMFQ`lE8{2iIR zR`EiGxxZnpxAdbR_>{+E{hL0TQYH6&S21Rx&9+yDM_PvSI)(r=nWw3ri{H-lu7>W0 zfe5WnQCK)a2#L7bp;%b@Chf+-FE<%~oudE})gNX1o;`Xw#G*~Z$QEkyYQ#I)9BHKO90P88AaOR0hRA0`w16~V&N!ztyT#Szb+aT4q#5J?k zvag8btwSXqC!PLYh^&uF7rtoQeMR|x=Xl48t^DMgD^Q0cyBwj-OD@+-MrIH5NvX($ z+w!vQ$MsuTVaAUS$`N-LFwoZK*kSW_u4d<~dPE>b;$z1=sc5Om_83_RGJKNt!b1F3 zG=K9uP<{C*tFiD?7x*4kvY%3Q=-WI?FaNxMU%t-T&Z!YK zYreW}+Z^w}rS?B->%ku(&Gt4Wn0Tk*n&kXey>y+wVqF?#<2f36M0RRALVp4V+{!Qg z4*ZRB%T}duHEbbDoF-I=*x5_$oIAwPYeWPa=jT&q22D;FB&U2{AyMphFnGPhfVSH% ztOZ_D-3Kt9GypU~ z?dTO?JiFfx0Y!Y+YH;Uv7NQWH&R<*97Y{89UGW8n5Bm{7BNknojL9apN% z4KkHdJ*c~M(WzWb#=u&A#zd28>=Cp1<^z)y8|K&VXGchZG% za`%3EB-dbopLi5x9>riOXt}unR=i*NhMxM>Jz!_3fb%J-38t{-9*3tY?Gv(o84Al; zYnJpwj1`N7Mq?j%KY4olK`3W34{XCe7HkQ=cw01X!MZDvGl;POn-uY`c3KdO682>v zRBcEs1<*sqWOrjokwd_1w>A9lw`~8_@7G47 zKj*<{lC^S5Bg8<*Zi35$XJY|?3YN9*>yf=!yT_Jw*gchcNE}V$TmDzCHMdu$U+=h% znStm@d6;s)9R^(vT)p5HJ+@y_4+Z;vhUbdT&O%*dBn4{5plQa(DbUsN6~nTHW}_6; zZvdeCVPUBmYf>4lwJ=h08PTMTZ|GZ@#pcqL+X_yqa4BEj}Z(pjg z8K6w>@)^2+shc(TruX58XEmF8*6%p3B!iza0u6}QkIRN6*q#^FX?{^!IoPQqa_c4X zci)vf%4=Cue|6|bt`T!6nZ?-`K}0{}No*&YA`149Dz2dt3S+*1w}jvRl}78+`jz!l z`^(oqYo*rLBmZ1~{B-^Ce^ss2|6=bwqnhg0c3~716)_^96d@`oN~j{BQevfu$fF=p zT2!RQ5Rn!j5F4Vj2nYxWQ4tUjA~o~~p$G^_ml}$60tqDq65^Tc_uc#K{XFM8@BYSj z&N$;6y}f3t?>^Z|>{A zLGap;%WDrel|TjbDcP>;9Yq($=Z(|F$3gZTr~R6K(f1XX<(#0jLhe zn$}o$C$2|-bY4pwYv~zXlv`-)k1BY0!as8W_6y2BCYOLyQNa6AEor<+4c|C#rXz1B zaqS`jet>=zJ{rV}38pcYNsnoROcmZvJm*X&qnj(r88UrQfc!sTBgs(`)>`L+@fu09%*2^)h~?> z91*sxvYi=(A^p5jQ-Q{GXWy7`rXh3CR-@Wmtt>?1iq-&J^&sJb?X9U>(Bxj_@;f8C z3hicX^9MUl&J=Z_{4$;S>lB1vHBg_xr0OIu#Ri{DZJk?A2s`cy`F?+H-*Icax17jR zdK2zAxKto>JTHTdtkV-KEm5D6H1ArmaMLqB-!{KH!@Vl;(P&OfmN#CiLYz&rU}vRU z*L-x5e5++9kXJ;uh!9rY95x`b#pBdFR_Mpiv4F~{#h;*Q(A^8@Yj3ajl^aG5zAKchfL_d~VW%}9hp#e*|l6++E^ghUeRy7L?=}J6%<#fb}Aakyb)1@v>{V)_Dk&0ys>{vEY z-`QrHe)FXjQ{IrG01GS$xt)9E$GqLci2757Z}2{H+J^9#&}e@%j(q(%?hqNXh9j;9 
zFHfRkyYPcSW9kddijA@{j^@e6hF8^5jW-8m>cIq$#NPRPz-Oz(L4a~>IS8n{)9_XG zydS(OUMHcR*VGcnA{<2**D+=n;Rg`;-Oa!G$nuYH7nu8p^`cVQD5Ih-l@DFRMOdXr zia9ToMalB1w+u#Yv(1wg(ML`%WX>gKEl&DK?wmUS0*=e+RLdmnV&IA$?#hK2E5kx`Z~x zY#{-n_D0Pr8~F!2Za7P2WLxY|NV)Mhrd~Sg2t7LF+)?>poq5>NfjDt_SNhKh@$3&3 ze(TwwbE>Xp4_m&LD3s4GfXZME%+-7Q>Q6pcWwpIG8l}l9JkoEkpWJ;qJ5=Y;^^8D+ zdvl}-w91$tvf-Ec!#`ZLNmJ|7tVQzs=71j{JKj1UxTJfWxA#H{n`{wP-NtrZkUrlv z(P;JJgEFJ`9Kn6UX;(^Y(mI)rcR5{lZItkMUxhR|CzeXtlZBa6kr}qhR*D~_eP8$y zv{T~VuCQXOxwm#%58^Sibt4oZEQICLuH-T7m(Ir52+#12CD7IQMI&8(`Xi~|dz+?~ZcMGfGJ*EF+FYUN&xClk@W;a&B>DJM|7j z_${%cro`%6d~R08#|o>aw>~Jnmg7VnG$ax`V@(0j!$!ScTu%i{_`1)8WyOI#-50G1 z%Jmlwd(v>?<`=%Ci+in>1h4vih3B+X&jYn3YK3Gs4h}$yJy<(q<`zU|x^snY9=T2U z(pR^KC#P;ZYbiv2=ig>my2YU)j%@|-Dkuc+0(lu5$+i@1;m0 zl-}unnJdmH)Ig(}c!DWA;NPd^riBIAvd>K9I!Be+UUB>Z%R$87J7rXwh zLVOUFB+ct*-Yd&lBRkVziD&G+|+G`doxT4;k1k+~4tVcAbGrX&KGHm0N>|hB3V&aQsd-nvVZwXrZ>+Drg1L|mSEb) z@r?|kO2^{eobq|DxCI?HT6V5_PosJ*6K{Gdq%ZMMv9TrMNKm>#j{ z)pU)aLchVt9I=QR5i+0#sFFLf@}&^v9cRf&$L~Deq;xQB6yeF|c|$koI&4f@i*;9{LY-z1#$*2p`A%b`(X8Rv?j{~=^>_&+1L|quh%#Jbl z(`9rhO!;SJ&f7}8hsrNpXrJerj5bQUo*ulhNvU(MD7F&wW}koN)1=}oh1;rXVF<~R zI{PN*m?>|tvtX_#)1^e%RM__V#}sL)&YqRR0mXvS62}5;H;c-M$r{qNvS6b};k#`H zrx2Dn?^wyPn0H-nN7`Qn<6e+sZ-3^K*hz&Hme5{63&>T-Kwnn!dp4<7bM0zQT0YF( zp^LoNFx7l8@VtIsZU0`xp@*9eM%bE;5+CWQbinVzx8dMzWxC=_n-^{Ii&w)(22}~7 z8H-Ve+@$t+@4ax~?WkP00i;qlV01LLu0`0^Nwq13O+1_5p6{1_?{OG4E8WPhmi|ra znE>{W2ar>r?G5;4JiR)s>GQBszmo-pZDsMT^seTW%Qs)vyE|j4$+@oADYn7gea&^L z*i2S1+k0q0{$htGbgw?Ecc8emosvgStB4%uD~-PqzQz0JCW*VM+VSHK>jeRVR#@eh znn?D@_9a+jv0~OZO6t8_ZmsCIeNfo-D2hiBCU8)EhDc@hI zrHbt9WoJ__#2-@X(kvKjYs4ImHha;o^0rXF)n=I#Q~(KuZsJM0&~^k!OkdW~Bd>X8 zHN}S5wJ)0}k76N;-uHJQR1Ll7rF`W1otnIKNRaKd9~0ajx=dfYT;C*53b@%r&zy~_ zygOaL(AyHNeR9Puq%bjij-0#LK97X3pI&8J1l{>OwLii|(uTXk4ehz3!B}cnCgiS= z6GE6_dX5Qwt|!7qUS@g}nqecm>SfE(dPl;gM|BiF34Z;0xWf@g zqZiCy86LJxKGo|Uu0Es*=qxk9XkH?AXlkhZnY=jcXgg&*;0D;GiRKUTRWU{769AwwNSQ*%5T2?fN%esuUCNgSWgvn zKg8kLCF|xN2%q)9(k#4R44m*aZ-VDIhWyK6kgAs6J$vDKIv{+0EP`j=0IX%`P5-C7 
z!^*Jiy|Mqeo)zaj{)c)kg)I#K%_nBSRiO2X@E#`tNaO2Ez;ep?@0Sw+M4hv*EB@nh ze?AO8Y{C0MT-wDX@wS-$=Bq(Wr-=IBVL{k0-VoQeq^!Uf;R?VB>|YN8;Ob5?>)CI< zcaC9r#$h~9fpX(m@(kn)zWQP{cnU{Uih&ByDu{aibXb{RwZ&RuYWXLtne#&~jAo`y zR-cGM!^cbk`L|EDPqb0csPO@LmK4Lku3E^iCP}e`SWT8pN^$$7oMaGz-X8}u6nm1` ztUq+-kmuhp98w}b}-iq%9Mu7 zVTO^-(++VLLk<~#<-7XP!D)3xFS_Sh`sI(HpXi?&^#V+5`%Ux?MjyXcRjc_{gM4xo zlSPZ{Mr$Y0LHHPq>lw%A#}W!KfnYk9T^jKhdT(>RZkA_MMDWF}sOk3ry%<>hRE0S9 z$$Sk_2zMll_FAhqCc@e8ft^j}xY17S+g=iOH9*HBUn?kIMGSZpFM(RkQ)>K?x*lF@ z`j;&i3P&_;A(;v!?#>eU^ELnH5sdk&E=ijeR#F@)#j+BG+ospLvnnGJ|MfLLyE}C~ zwnKJ~!=1PC7_&rnt;v}ClUUEn=iMWm1Ik*gFa-r?&H#EIwez1rFEt%Ezx9M6(jJ=x ztZPjL(M_di&J1@Q9TwhgJMH#FS4c*noY%%c1kKfyX+9Y>CCARP>T{2+=%=};*h_qs zc|teo;cky{3sK*x40ym%P1AxM1*j9-m((Hq6Pv2)!$6r;l-T zbMFW1wx;)n^yohjc$d0u!0l8UeAv@bi_%A95SFU^6J}}7zxgW4ntt;=*PSW+p8=tO z0dwu9o+dLp8WgLjWXrBRw_mrup4n}yuPbce1)m7ke?8Uwx$_i^{6T-&!4{if(Eh8( zGvjBUo?9X6^@X)~c2q4?hKpuqR!2<6%jG(IA+C$lXO-+18h44r-5b@}YT%)ZwbCB*$l%Z9=`2tOEQP(MYm22*kie7W7j?xpJ~ z0Y|jL%lzF?=u@$VZS`dGLf}FIyVGELNfmEKy#NV{RR}Jm5oQ*(J=k8Kn`KtB z8tP;TdIwA6?(GeEuT_5)q#t;a7Hbe@?i=uv``e$0BB z^7lIH+396RWxRZ}=bfUoXrcJN$+P0J-MvHxVPtCy6)*MEC8u~_O|_OA3w!fX&)S24 z4@FJXY<<{;t3T!nP}0}u25!7-e}8Lk$L*cTXWkw3UVZZi>iRR6KcWwq7bh#pH2TBM zmMVHjv`ew$FUbanpPSLIcQ?ZY@Xjr}>yn*Ij#jvy?E7@rFreocMDW$-Ul9!x(zOCv z{vs$(A$l25;`qogd>?7}^TZe3?XsUT;R(!DS9zsRQzHkv9b4Bk;*~<6+;mC7$k#PcyM8kJNG&+$tfzxk8?4N{5Y7 zf-QU6aEG?^+LtAim7;`8#yWQ2`bDqPxeYP1wac=`Hq;u|Yxop64Yt{ni%@ZI-~94a z%rMfu{KVkPM}OA-r>G92yD01uS6fb4@E6?BR)Oc~d zc7!!*p2(`b8&}qS_YD8r@rboC9e4+WnH=Pz7FnRWn;Oh7b-I9DIb0E~xnU~4I+L;zHrYhSdas?-z)`{~a`LZ%7KlK!f8B<-nrgWoZ z{hd;&4r&=s%vU(Ych%b?VUp69ry=SMCGje%>Hd+zMNeN{g`CpWJuYd`XKot#0j=$e zPUca*_jKy)_fGCJ*66GjEEGPW5IJ}^MzE4!V%G!rNmM&fBzxJ0y-;iPe!v)f4_UXK z`Q2n5pjA<4R!m7U(W859Ob*k1KDxE`R_pxG1K3qzFCD5b%x<>YZ zhc$!tSYvY8V9`NV$Vw3IXuJEwZ08dIL64szKGl=%z#V6F8?+TT={0?_S{=M^^$&P_ zchG;r<8#TwZ~%`-XY{Sd@Mz78hXzSxk7jDLoQ${(#Fw7_xEjc~b0F0e>1ik?r-Oy?O}%?f=F>9UByaNBM=eO!evu3j8ON}!wV-%%dxiu+efx+KhzT?Z0^ 
zG;>;MtD}8|6Ycp30uH&JQO3{kbSR{BJkQKJ__fWW?Z_LgM7{oWAvnJ#6xA``-98$=Ci#;&F4sGPNp1jU;0dXmS^3TK-!7R zZ^Oh}B3oVO+ZqNPC(Feq@QhZd;BUUkcUaKEwCx(6X^y8}#DVYf!{cEZSK<-~$SiQV zv$)@UEC+2K4g_eM@V|VI{9FI=TBCC1dR#alAAtDpD{@ul2g*$U?|%MAI&mG#3w2x(BF`{}448VLwPVc$ZOhuvyYz-+iRZWt-KG3;24SL* z>H3$oBv2UNvQqV*l`Y8sKq#)_CZN}a;_LUe!e{S*pui{___wdPAr};@);a)iWJ;{U ze`^=xN#Z#V0HtUcdUm5S^#AlDM&){JsM;|Fcr|puLNWT7J+h%TJHmDZYO|g}c_Dw8 zz%Q4SqE7$j>ui<{BsRK28h%!ezRwQTcFC7Scq8LlUK;&~cWr1{&}n3Wq$$dtfmyG> zPu*Xh6PtkN0h>EEfq_5E6g{Jx{Zx9QS1s-5qeCI~)e+nx{_Li@@Xx5$%w*NqDPdX1 zGqsM}V9>TfnpWaAG0-_ z)rCzpu++C+y8xj};!7>auFjZoY!51R;w8(OG^kCZD0X#5b`sl z|LF9`sb~M@o03KRTxJruqUTLYJb_l5A60UN7g6BbnpX;h*$%`;Mglwo z8hpL$gf3KDuHhi4g3g#Wb+8ML_lo?Q*FNER8`4B9Z5jRpcY~e63>wi2In4H9!fPc% zMJ!!l&hGY^hO*>>H(zWPo{8TsZl2RWEsdJOvt_&B!wxvG$b7j(<`GcYm zr-hW5pSl(7T+$m#Ob~x^-!6O;c(t2Ia?A7S%cR+-9M}{zcb+=s!SS1?CwiOTE9zLj zBpznC}MUy(+$TOm>bT?{Oy#@o`C_#SliTlQYQ6EkiUtgd>w1 z${rj_+Rh>cBWMH{4q^llgmf8p!$hvEFPObkSuSX_l3mn^U7`Ek`?~c~D_|CLS52>* z`o?*{uMI8V_#-RXoHWmRo*Sn5qwjrGo;+3}JmcA}$yIt=uQ5iFx)h%_#rRIEmKxU-F77;yl^bb!ZX8%7CVa>W?52 zvWuiRxD(*{LHBz|-xcA|MR?on*OH$jgM=QEj8l4@)eT7Lc zejyT*(^dkYwq#0VKl^^&$*kDBZX)l4CcFZFk=Ex!>OFF8F?L-6U>B~ufbX9A&9^(h zpo=TmtO=CcpU_QeuJhVlq!W zZ4|z~gR*K47KG8xA)vzf6S5`_KE5MBP_zZVZucENX#?jb{N{TFH~U0tg#LLHV2j;l z#w7Bd(YP76@XTp==d8f`u0vpn22=MAFJ~OOq)g<2D}IBfcOb?HTs6~L{F(@UA>IBr zU)?8=5+7%`{N_84;oVTAu$Q6JEPmeeJ%9#_Uj;zc%|*!CelX9$P5**)Ov4uH{&mD1 zc&aEDP&MCcfudjxlIu%Y_S^KE@4|NcFADb!{mP~MH{OCy^po>N8n`7;0s9J6?m5pl@|zB!+Odp|MHn&Zq8o@`nyWQUAgz!2r8*F3arZGGvBqN9wgaxIhm z*4f)RUkaYrHVkZe&}XGD8?GTOX3odQ5?l5BFGh}7fBM92jMo}if#klSbSe6;Qt}+} z9KV12z5UCB`_1>i_TCdO1%M#n&#&q)Q;A2q4WGON;ex3d1z9G5_x~QOmJ1l(+4ZX* zD2n($zpcN_CBzr#l4=kSWLot>Yjtn%KT7bcU}hZrw`P9_{-5VQ^?&!&PtV~s!lj1J z9SGRp(JFdd0ePNp?XD%fvtN+y#=v|3Z2}$D#ofYngMIQFG(&Xb<2eDo8I`qto=7ev z1lR(%f>}XfHu3@!5x{*0)Y3-t@tJQ-*LDXDgGV5+)&v%ecRP4+?#s3Rd<81phv2C? 
z-T)Cgo5H3;8DJ$jK$*PNiD&4k@U#uqil2f1G8q8nzQTY0*|Nq*90gY={>P{Lf3N<3 zpZx!?W*zbn&@3Jy4wGszB5bSbwNsQI_er6uwl{HP)l^Y#!_^+X`nj|jBq-rf|MX?} z$On5!BdU0ZD%uLZ$rW~H-CLNu6HU#nIJ0+$z#_>`Y4|(;+tD-3jQAec0-Aoy{*xp3 zE6?vuJ8y33SDuuB5)G)p>99$|@Zk8H6^z;fbox8K`kk6R?^)Pp3A`}jGE+qcB2^cPw+eRWZ4{BaydgOW%+H)0{$EN z2+9fFtdIBaC(LDA0d*lp(=zE9PaC_xszUFj4w9+oe|$Wjd82IemO}Cl&o_nxi^NC_ z@wWW;Ux?V34U_gaGBPxDQ-(DfS;?vMDY5meE6ZPs3vj(*@|MKB{Gru?vDmVF8&}qJ zX}&)Uln1^--@k>|Ql8@(MFA2hy*<1(-Zx(B0=`{`pxwAI9*!(7b|#Gx8hIxX# zmH;{SHB5%(AlIZ5XKb(cR#6e{dN}6P5_cD@I@O!s>FcKRL%R#+L=pZvUWcOvo`;s# z&ZFeB6D=v1Iu@sIt1i0S3JGZ@%OgOvL)4J6PSKX(0I! z1F(oN*2e=AT+;pQYQjCGY|H8^0lnOSWnfIKC6GPZV#$h!rQRx3b`LW+f*l;31+?+L zLcDs+X}#ThqEFTIT2Lr@Nw{vLY)!>p?oOsRwa2rzt3qMMR!uT6qVO@MnmQYfAIoq} z&V#oZ$6*cKD|YR?f!x(Cxwr$vlCH|F z<>jl(i{quMNlHw_5F(`F;HBZQ){V0ZpFzJWEJg{daZpT7ci$OYzf37X*NJV+fYs0- z_T5sJ?941|waY&J-mMf7NG`}`W712!S1aD=Ez?h0zI5KP8FW-9s7K- zj!vqZN8X=WeBe8$vrKaSP#A*_c{_To-d2lTDnnt>iQjAg^0X%A1-TMT(<1E8H0iqpsW? zlse~@*4N1LyVoP?muyzBKR0v;a?V;j^wJgc^%R8nWb9C+!TTWU^{RIBDVT~TZKTiP z|4Ti_J<$M-+#1jgT7-`>5!Eko@GT#meI*ufU$8#k)<>akEB=K;6-yh2@18k>e2lXtcjeWv%D2H1oUCFOEY=P-~#?XzB%?LVj97;YL0K-e=uNCsUY{^L;som z7ux$S{kT7`m|ui1G`rNw$i4NM@Dd|&4;`8osrlq*vk;CosM6(d#wW_6{M8hjBY}Dj zcdS**BgVd)nnENqn<=c73SNJQUZ0%9z9NqCYUr~G=lc^96QTr#($tCBLr|$g)d&ez%M59Hs3zBHP^CM>a<>kj}&ph(=e8)(%-X>k8;r55?3Db%;Oj=fnjIeDdN1N+f z!Z=#IEhNMGWRgtTtD|zKIk2clGn2*BaGCOl1(+UUZSOt5VRC+lzzTYT8gON+&tSpu zfEm>r>e%VQ3EAPN$c%3Ju>=nk=rB)@nRtEV`3>2V9MCz6Uee>S8%HPDc8u7XB;_Y! zr3r@ZN6Vfc~%YB?SOj*t%UGvLxqD;!dO;?@Xs1vQT! zPfAompu0{YLn)8~f&lxm99rG%h5r1G&4zFG)F0lveb?tr64IHOVqw&-%*#5l&#bNH zI+H!}Ei85CGhHX7cWNA*(43`dRIE5Gdr!4GC+oNaG(B%VSZBwF`VkY;QGrmLssGWa zho1f_h!U$X&9S6`-+Ubx&#G>H_<6g0VBH04`PnpP8CG!EbargWE?H`xedTsX6#X}! 
z%L1?dmoaQ3;m0-g)D2quEs=~E^0T8%erlf8t(o6^Qp*Gpwo6qP%1TK(|BX@+)>e*l zv7u&ev%t4q`nSwkpO543mX<<;kb)jz{3E-1At3?Ka;h^=j$jyWAK~b50%oNX=(}gz z%_W@!OcI&e)F3u}T>q-}(a6gh*C#9XA0t=9!#=ua+(5{^-xnXc;@w#ifC)gX{VX1# z^qrwq1xT=?Gfjt&r(w2Z!{NIxiTXatur(Y)#~4X$?n}M8L;KNa5-Nz@$wA<*1PvjA za5lsEZBPi(7M1hU_DXztGbWZc_=pcxNC#?5#Q#uTn~ z-i#YKKRxZA&o1^HWR3Nq=O1E%iG`jMRe_AckaV_W7X<3kCG=@v@=Q?h=g(*l_S4s! zNGa8>v*yF*?oX%w=nv>GTuI_%KwjXqhy3P+kyw&>Q7giLOnGVlWZ}rEOHs~7!U>p` z=uJ}I=mPl~%+Hd=kq?P@}_4z$BWb1mW_WDbl533OMJHfZum8)((J27 z&U;>c`&2KcitWn1mR9dMRPKs)F!G=XSxvp7#ctWMpwwgc;_)NvZA#>bi}*a<*Vb80 z-hS?MZ}JKn<)6K76x&ryRPHZ9#s=6H&NTH6e|`j2 zf08CNO?H#ct#nrW?-2d%QELwAL$TnHO0E(Wl~bq^(benM&5ySu+Th+wtN#e zJrs%59$1@V=XLS+euwAs4yvAtz-hSUuhb>%n{O+@3-%z{u~iSIc!&JnVQ@wtdgqG2 z;q%JO6zt&CFARTJEly>GZd~OXNt^P9I~MKb%yC;?JdePUBck72M_7z-?@}OrWuBB#;jp1!{TJCn1sSK|h zT)=8dkL-D%3HGSkQIk#8)>E(9AIy*laVRXFm{=s6P~DLO4KLz#v(rS-7Dc{ z*|lL#w$RZk#^HSyCGAI_R+>KCJE+>)ub=zPA*^}$(bd7)Y+FEsgcr^q%>6N3>Qs=h zeQ(d4q@0>=M9d|}iJdoH<+BCEeyQRvb`LZ9CSjkxv`b5>%hU{v<+(ahM<1N;j}{P1 z2d-0?nkXRi_pbA8`P-bvO@^;dM~K{2-&5@Vg+6imz;!L`uKSq!lQHF%1E~qQrX@7v z$rk;tGTmXiynd(WxBNtvKk&0s#y=zZRr7BpjeT$o-7B@_*wD&Hc7$EpWB`A+2U^?o zd9$Dp!o>8Qp&!m%IkDG$ zvKXD_>Fi&{YQrz_HSGy&?x5#-LcUqmjyg@$Sj_B-0o%n z(p0Yl=?58K8Gha9D^X1+TekJrGcVM|zm+*ieu3;chh}LTg_zzS7u%tjvAvgy5}mss z5<&Y0K>Y|kx!-)P)!0nlYB4}Q8&;q@ohWzMv7_Y|=qxR$D@R~WQN%TgcJBz@_sy!7 zBdq>gc5nGE%{wnDQ$OXC2G#KKjtRky40dhey@Arp#tW#N5t>-QR&43W7F!t`sgdl0 zVUg4xK~zkR2(*v_E%(n$YpR?nTI?b`qiim-VX$o63P>Ow4Ap;s5B<)HsmhThuDT?o z;S;8w&fB(Mg3}L}=B$->tFY|`IY0ycCA_BygINyI!!R%RS)uwcvcUi9p6N^YlA8=* zB38KKS5K7A2XCC4xmg9G9L7XgGG4ad4=iZB`I69wBn(#cw2u!h_xsF%v!fOJ_Mfgz zjx57qymayOK6qT{L)?Kw3T`3!S@-~doz?6LgAm-2jl?x5cP11t`|<;IKov=7GVg(6!o@C%qiq>j!lV{G=($v&dZSGBP;T0mpciohO^jn?Bw` z3vkY3&iq`(Ev-hX0hlyvfo8uPO;5)D-3wOUajf{%^qb(5{;B(LdDla(PFW2iI#>NU z&;z);>w!4;p>0JSI&h-I{%aaFCWc=Uyz;ra}WDJya{D)|jHuFt5po|ZD2*IiH!5^k=xUmbDj1lF6! 
zv&J(s;KO}`Isnj(qEc2C08$%%sqMY69nF7Li0S^YlQ%xyvLYd=N18o z7*IaQWj>%tA|HgGAFBfb7o=9nW2{9$!M(Mz2>!jvV8Z*~xQ?iwPZ0N_B4-s`_fhg< zDNnk5v}H{~M;k~(D8t#EPzHTo2LGden8sOk1IqWAOZvgOWmMkbeg0e~z@M+Jf>?F; zAai1USCTZ4=ZJ-F=ym+-SZ}P!UXmFEWfWmSJsuV?B#v?CKo2zryU2TP3K$c#MgmX6 z;7@~H7ydxNfa1Z6Kq6iT&kzmp{>vRF|9P+hFIo-AZ}8RUTPR6z_D;Aq-1hjV zmE!~`0ljBA9| z!vp{n>PjV6E74Ie>$_^+2vM3!nLuo3LmSl0C`BCYPbnq5R3UI; zKrvtt-u;z)2<(yn?wmWJC+DOzLJA5v-nw@Lrqz+3nW<6qcH~s(t6U6*r9Vr&Vt zJ67o6&B!}Z{?(DVk87C9m2JS%5B_H|N9!B?Yqecw-Y(Zmd*|k@4)oklRutQD?$#;& zMn9O6%HOm*-V>;WvCz1Zlf8xQj~@$P^t$6I1!3hYXeCdlnTf2wSF($$9(g=jGb`F&XOF*-Kff)Ki67pbK04q|wUuSiUJ?RvChw#k zqp)4ho>Fq(ggYbH&FW8E%<9hTUMWmD<4G%sRd9QY$%=YyiO6;B_9v*ENV}f0bvF5X z$9tHwSF+qdc3XL@MHrEfE6fn6Ds3#K2w=4@F`AnC@4{Z@m&!d(Ir~s7`0*=qzm%e2gz z=J0w^@zUvZs^Ik*UO5;aHIg01fY-_hl*OR>j0#Za>m-^%>Vq-lZoKl)b+ zhuo9*A6-c2wSZV{Tp8+V%CiWFeaaM((2svEyXmx5hDY~svyTID)Ks+oZi#MqUV6Rr z*ec8(qn>+T2i>cUNWrPDztK52(inm&50E%%Bc&a8Z)D`$WG46YGCbPXA(kOKGX6X` z9$$l2s5iguBO{t;wi=kF!UlLXh%P4cLBunxf#QiFdzQ|OfZ8-@uR1$i!(=I6d#!qN zN89)S4=k{2w`Ogn8T6pQd_Nl%lR_&im`C3MC%D_Y`^<;mX{ z%L?!HVjcbw=nKk@r9>^NrAcj$|30!1wetQZ`_OX_Qi^p?G{7a-4*%^q{}F&sfa8p* zmIbv0e`T^zY0Ley4xyC~YJ8+mWZ-wQPT-xF*Ys-pyW2RpS!{7jF0UnvPHIG>DGd{? 
zfXIcN$lsu%0Z;nJ8=myr^dz0*Y0p2BgV#n8!A-s6!V0VCUCmhCMajhtKY9*gBM8x8 zd#BxGx7R=!FP+_{bDG5Fe)Ns+`Mw3WmI;9TM;lHERz3b#35sY~^IRWSvpcI`Nhd?5 zd!}GD1>3t1(Kk|&sFIdGj1-64flt$7asF@~_^KRjqLkL(r@Xu2b$a|}#mvG(!`?bh z=Uo0Z>rS^DGgYF~P4)ULig6z|Jmb`5ao?!)%R7}V%1gj29|wC*w%O;uGsFIO|Ati= z%=!;yS&cXpk0SSePC8uHq1^P{LL@Ba%hK0lyYK1Xg?rssPy?T`GsH94wwOCwGWL$H zbw_1)To7xd52ZBBk@}xB)Y44yo_Dnk!mMtZ%l&cwv9PGe&g4hBf!H8GtYZUWT{cc+ zl!L-rQGGXvbsbG7UhX>|`-m^m@O$gxoIh+Ja~%0^)z~OXtlUI|N#?@Um2P9y;^HZF zxV`wb8zQLQ^Ih$>_L$g+rB2Y~tVWjsrr|jK4p1qAc5@LQ&!OBufltVB;X{SKlWCmW z0mlaxW-HdCTigjL*yn*vcUCe}IVf#<4MQdD?4RllEc5ni_nEG^cm3GC`x=w73g;^M z*1E~OAA|gumqY;&TL>LZLnRli^f3K!ZoB-HWuwORII6nevI)Z#PjE2MFVhRNuJQF4 zQ0V&J|JD6Kg|$LL_j*()!OoTk6$zr=j`B!86K*Y0kW2B7vj;MP z7!O!Y{f5@}UtG8!GDW--XVp?Pv7KEUCD_iPY?RhQW+GU6bw5Fj(d5`v&gpAJhtoba z_Hi&6ZM;&qau?5Pb-ozXq7+qnsl1o5fq2GIIPYpU=ieAZd1`R)t!GD0wM;K{l2TF} z19&S}pQ|-GieHA_`ZSNmNM(Ah_%7>Mff8$g77*I*1N`A6HvCenPQu|e$Da-si*u)| z^px*aE%D~NilFS9$bz7C5tW@FioAm7CL+yRFS>8ne@N_{D(y4A+%Ql+SAPE1{ju%T z84WQ~)~I&?Z~kgf2<|4+w3aT*;pgp95tuBYCEkOYaXcC-F4aj~Z2InFOBq~iWe{uN zQU!Q`s@`j{U`4D;=MO=L%Zc~9H`yw9sGFS_~1Hytgx1L zEtbq09Q5K@W!q$N$%{1iF{$|%wEPZD#9kClNatAmUj3$kCI!Q-MbPpim!<|5Tt@}; zo>xTuSH5A`krj?srR~8|O~ycozupKkuRoRju}?}myS!s`i?5{4e^HXN53c@fY+@Fw z#7!qP<=s~n8@}6~d7QQy@5PDKoOxLr0brcW)8#x+n0tm#6`7?ua7@>i$1z;Bd7Fa& zdH+-BoVE+MWIee|MCB3C35%>rcB0QITe5lx`oY(&?Iw+o>>Z>IOQuS%-_TC31ET|B z>H4kABsEjY!Y(ioa&(_=@h_RWpYg)WWg2l*rP_eiUJ(ln*>T+)uGMzEz(FeB#LB4r zhbJryeyt$BVQrwn7;{F<-Wi7^#$~fwv3zXb&EgF}ttpOGeeJ-s<;< zpJ-GC^7Cz)vJu~Omhbj;__n6JSqrr0$5rR0;Jyiv6dAUVf6#|3?|-9No5!A~niNKk zkJgi)sKrKJ*~;G^Z{lv5#~38|WlXDQ6@iW#+SMn-pi7fq8sBuz``QKpx})fZ=5w31_r%wqDQ zXUk%;O>>PAY^ale17fk+SnbP9p|>&Qt_bU|zxjMmzdl0*zb~)Ouwd)~ zmC$@E%JvzA1KQ4XzzwCC6`Qo}{+E?wbqjZ>2c@kCjgdeNVi2cFjZ4f4lVbRcl+#m~GE;#0HX~(~aK?fTW989#b`ICMwnG z+!xF}>->rj8uQDOx@!oK-9dOe+4#yI@7nTK>OReCT!qtghWuG-|Wr z@vWaP?>lBEWqxduPkO6|%X{;!;{5MK2~~@(2W!S7of~6_hNN!F*f0AF!|d2?2xb40 z8xg6!XNzG4{p`Y#vc5j29-TJI;neDLjP{_Qj 
z{GD}TwyxJKEv&LB+uox+k5~FOjY`=Cf3hT{EBdY7z;Sa`~zIemn%Ezlw-Yc%Vf}p3x3k zq^$6{w7%8Bd)ohKk>ale>)Z)QLd9Vu&YD50A&6LW)flY6krxHq=`vi~!Alh#AFb@p zKOZ@20oQ)GUBOI1`_Z(XA~tQ*D`NdIkg3`Kbjb$OoC`@`FR@1+9u58AFs?&F&I3_Y zMrsHP`Z7SfLyuRg|Bx ztV=KxPzcBLnYddyl=peHlK?1<`L{N4fHU3+=z=a?DT9HwCN+@$cmk*ZeV|JCZQ8Q0 zE32(7myGcvnI-+7-x~>k-opW>g&@jxZG(S-4{v4!gk-IDom+;JuVntRc6)uLzb<-a zeLl<2L@YmV`(-z<(Ptu!FE_8R&n51%i)mJUt(SLguy;_)fnCR$IzX9K8xjhZSL0v8|q*d+Q`uboZM7Xm;3;Wb)!)+ILD#0`-TnT01f59vw zI{s#gu(hh;8@(U=mCYCKfyO%4G{7Xd$9UcA={V>pjlQl&5 zziJ<9Y$8%TuImWLB%*PT-nB=*Ym#eTW$LU)?Bb17X)kZjWcE_a_%ha zf*^j!{NLN80H^FPaMwmR)K>A0{-O`~pHu-}ly!H<^4tjJ*R8;1P`WB4!T~)tA{E9x z3C=wP1c<8i{-ta2&xzH)XM#2ZtkT|*gDZel+C}3RpJ~_IvOjl?xW5=ValXEs(j%4Y zABZ-H?X4rCGT(HMv&?=CHV+n_Zt0n*6XqJQ;qS1)(lXuW!WZe{?Xze1)Z~sB@~k&? zJB-#@XiRo)v@|_R0aOnBS;qI?u2iHWm%4h?%kX&!>F>jaju`L^bxxO-c}JnT<&^@OPIXYCeY5JLP_P z+1E(bgZ$WLjmy|)p7H%Bs=Q1fccP>)tMCaLGO4SpmR|I)S%L+M0 zXQKPbi0k<)dvm-aRuxV7u-@E5w58^XH|wuiQ-cy+`JcBs&2Rl7{mlcQs9*wF{=yGS zJulEX)vYJi5jaQGidNRljfnPKk}Y}%Np{MHQK7=!H_L*X=YCo>$?uRuM=MP|{kD!O z_(zoT4`jE@ibVpt9ex`i$yM-2)cX7N!1YXM)OrF@oi1~w&z&&bGahh?=K3)4;YhC-C>->R;*KlMo@{Tv}dq2q(+I$zOOO`lotxTfv=k99?tE0b=YuV>;P z?&SzAL;*K0duZ>*fgAy+RhX;lXj?<3fZ#FB=*3h>c&C4lQVj3Pkf<6PB~eG?uUX*B z-YgI%a$Kp)v&r1H1@2YU@{r_nI2l$M;i4tH6B~r~K|7sTf?wy%NtK>=8CscGUe&Tw z$YZ{L;pLhBqq;JB8iRD$=K2ilx{~8YoiX5u@Rdk7mPFu(w$F9h0C(-(@03m zo*&x<7o^fbZdrp?+n3zk1KfEt>3&+pO{435RI|D5DY&dN9Fm;s5LxpV2fYATn^j^N z8L}}r5+KMM-9r&4A&dmsNCH*XbZ9uxt3X?@XJGXwzB1OjkJgS0b>Rt zT@8!4C&YYi03AHU9t9Gj*;?D)C_a>(Ycn2wLua6AP8VH@7_plSIZC}G4!ETBwd&U@ zf(d9TU+hv~X^al$638=Tq(r(e-G)Fe?dj3uCT9Kk7cx8Wec#J}6yW=h?kMH{v2EkR zfl46GVILqlo~~!78BJGQ!_-NLqXwR&nkAj>0M>`|2@d-TSq;G##^fv12#h8pK+j59%3EM5J_;os-mg@u?ewM0LTNiOjUe5^2Fln0#D4}E_KVYA)M z&d~0w6}!(JmzHO{7z}%W9U=X=a&b$nA8FC$?|a)Rs?#fQZ96K?2y0q%pY15yf&D2_ zSG0&k0zR8~GENW?Ici7H%JA^hkJ)r6ZT4DjN?^?f%QgY+WVhm}0TA}(1SN2K<1ze* z)AS7#r+`-Qn=fWz4d-@;%Eto@uGiH-i(+|Avlip#vTW~;d=on2sF?nZ!ut#(ds0+i z3!o#J$$uYLx^_}TUmnOAUczCrw=~qGR9CA+6jMkY**(60vdOf4ML2aV4^U|6i4D}< 
zw%@abi@-w+I`XaRF61RJc;cf|ND4bPDXD7d;=C6mKbz8Hra_iYCaeJ1J zBa2z*dS?hO@WaXaLDzd;(F?wUrfUP5A*JXDhJ7H`W**2KC>p!c_$>sMm@M=}QRKid z_ybIocKstmut%mMQ}lMftkmU>_nGY7qWJ){e~ZIJkLH{ehP6; zauK%=rqx#~m_6#M;ryzsm-KXm$M9lOqM=rzsW}vTcL1~$zI)V9G+Hp7=p!g)Y;dvq zasBMOOtmu=X4htr+$=zv;>jJvM9W5MNX5!U{hoUJZjiz)#6Z*9AJgbZ% z+biQA13|3_0C;FXH~!qg^N*t3QJtbBAXflM03$iR`4?W=&L3+QQ(at&}>h*o%kNJ1p*i(*V z{;0gDrY?=jibV7B4ddL(iIkQ5jl)_UQhsu8(%sGKrtz^uNrrXXE1C36_!%<@N9Z#z zor4U`e46Rh$M{^g%0JnhaoCO8uK`7*am7!whU^jSVL;Rqkb6W6Fe4+Ij74q^xU)JC zp7TMk*1-5`m;3FBTpV2Nb^iTdreWeAn32RFre8T|k2Lo0eC)7N$}yJtNpc6PWf8aO@E&3@6djm1-9|M4Ah&y%g?p~sBBSYd zQjz#mvb(qVY_m%_L2IjUL~PM0bhz`9`gN{uL7VhSZ1r49y+dSdO6$oiu|#m40bJUp zLr9CM`^)Jud-;IBur09uci@Uo8$nm@&5WsI;^Kfn4&iYuC=*!ye%1ctL(~;%<4VvkWfFrJH@5FnnP|<~d zUCaF&73yFA?Qe2m#=zq)c$+VHZZpB)wBcOHhqhA^h$1y)7b0ts_AI?)Cpwl}ty$vauF z(u5dp6R=C=Xpt)1W}$jyM$nv95dSvJUZH(S*Z8Ja*~rq`hm;g!(k1_1n^nhBFR$w8`f67{0HEnVt_g*6 z74b}5I``to$+0U1l2aXAqtVkmVRQ)8M!%}~x)-@x=ag7DtM&2Jbr&sixvfrm{@GdL zxm8Cw+qgGa;@YU~^g#j%{NYhO-=I?&&BuK@TI9$?qxAXL1p8{GRJDXxWh;WW!|#7T zekmF3A+Ee;kkRKZoUv4~VS~S&rSMkN+*rp8v;43R%Q_%~S0qJAPD4)0lJ@1WdK^S( z&LVANZ6&T?fwCnCIbsp0hEJ>9yRZ(lt*O!Rk-ha@J?FxHr z^*!fq3m8W?uAa-xe)<+HBYHGn_q64iDvZ_KD9JBsDP1+(AviIweMmO%0iEg!c=%<2 zX{XU+uV}pY#l3+eeIu@&U}(@xbCw(g22e^Ni+-QoCqf(#C_OwDA^CMN*@6b{0mwrb z1VfTQ0|y5%q>v=86+Bftfw#`}uk4Zk zD1`iX{Ve&5CEmrty*{6!h7=@5ENoMfa2zmeLH}aPPZFdn&U?I!i5+h=!n16^=#-8W zOZbGRH$qx<2s;tD^ET-H&5c>+jOOy1dmiF5HT^F^LTjEHK^BDFqUoS%uF9JBLg@PL zXgu+S(}>qur2O{C(^WlR#PQA3QxG5rrpIPZvhU-fRprCE18-*6r|wMPR^C1c5!jH$ z+p>&PTOm|nW0U&{>_wJk-AHX(qw@mN1M_lR-AjGMNJ6S=4M{j=vxhv`4cFwFi3qhH0JVjb+K3H&sjFE}32e&r54UdY7w z#8vbxzjVxH|9f(O;L@sWnQyslwgklYHPfPr24OIb4Qj_eUQ@uatvSuiS5c zFLYQtq-R<-R`@tMs}z)4xGdsa|6Dv#wycvj_C8YLx$n6xK!`sBEZp=c*$wrl2gQ1~ z?44GyKf)FCsMbiq*K)JBIHysnu5(%*UbwbAQU8z(At@3w z06vER2vgveU`P&V2|d@ZC7nIWOyOSt_|)v)=Z$A;o*I_PSEa7b<9QL#*pTV%CTVj( zem~4`OpvWL$k%h4>fVp1S+xf_=$=ud-+Erz(823Wd?LKH+$NpBWRWX=ajt@ZnDsa5 
z@>@v3s$Y5;W#OvYzJ+)914E4k)>GxEqRdBHfmbZlpRny`sQ^7EClp;1Ajw2;b9HczN~_37(%RD3KEc`~s+_`!%3T~6 zmu?y=fAH8H$wj665BCh-JZkLUS6E{Nsik_JggqjAKHqw|SqHvLm)<;oD*>M3(mKnb zen<2@J33hF@4wN@l^;IGei!@6yA=PE7a`>X5i$?3Z*)Ok3*x0w#|1WW{1G=t+dhjjs*r zlQF>H{X-4;li%p)x9xxC99@9$NuOkD9ae_BeJ9*DOB3zu9D2pEuF_e`Hs+-D#9I@b z0|tx>zXKW=P@Ze0cALrV5EeCH6OXylGV86r0PT&d$JvB`cGLd;=pJ&{WAg(2f8-o* z03H#BlvP64Gb9hOP8Qtn$)e61Vkm}yhd5Su;_zHLp?zfim52w4@k(tz3R%HRQl+p@ zUWW!3BiXYDYER}V-Ph6+i*|Pp?Ww);rBc2kZKB2h55v}AFzku)>=oT_>P1BrsI2G! zTnbB{vw~N3+deDyPd0}dVa!jaW`h^?N`b14!Ogo4MaA%x-4h>g)ORQny(7*Rp8OFu zR0j<_(43kjM+SwVmIQvUK2FVbIzBdP*Ih@l{vjWmaV$|WE^I*q90o;H3Rg`MUO4df z)>@M@?vlHKzSn}|vbToN%6tL=uRd8SSm#UgU3$8cp{CBZS-dzUF_^#5;9!(HG=;)R zJ}=T$8n9v#^g~2`azQ^CS6g^9yNLPI|KM-!-+!C^B-ys9Ix-x@zcA{s=gpyMttm+V zyAt#SAb0)>I`h}~nqU5-9sz`ghMqw{S$o*bH7X0~$xO{PbYaGeB67Nus|A0!tg`5R zG=aL0^>=CEf3k@mrUASr$4$bn>}_Oz)D(DV%K*cZmNYHaShRMMmQ82B)2D2qlHgn+LON2r>@>U4H+Q3r z!CBS;PaOnT#w)o?OC!oid8m5Z^tsTXCG>Dd3OEjn9R&|{*$1tJ7z2gA`%C|67UHk6 z6aQbwO#BYJ@x%15`l6ogo8q|KTzl*2wC|$Po#9C#h%&{b70GOr2r&;RSG>@n%DMsK z$R*$VeSYtf%BvaQVMaHfk0lQvXUv#cutNk67T1EX0NiBgE>xuAA+>pqUv zq=z}g{y$~d>U)rGfO}$Vvkh3Or(Cl)uwJO%GXv~f;K(4OS~O^?sFSs!y9k= ze!)1Xo6FjU9K560cQ;Cgn%>tXB*fkMNau_e|8$9-FO#>Wnx{0h-QNAN@)eiY`7^Kb znIc7lYMeD&qJV`EDb`J^i- zZ$Kw8cwSK_+ySnmm_)neLeAO{?A%V|@B#(xEDu|#ulAArO_3;J4vN)>>d@%v@nd&! 
z&N7vi028}R$#?51aqZwROrLC0GX=k`N)1K3 zNWX63>tV&7{i7rhwMlbIn+v@ou0^j5$d@Hss5s@qFW&QbvxpdNyBw=~<{43BqpQQ+Bl5ix3+*5s5({w`nLOFtGf+^X)dT3EM?%lA zen5`9Gt?)CD5=j@YY%+r;BYNCCKy(1Rnz8j4YX>Trj>q)U=O!l1KPqiJcxlgfqPZ~f(CU${;JGl$^@c2oez0i| z%=SH$cO`dlu*p0k=w_VZ(HN71=70AscX+)_bW?9j{BAp{;%PgM$BlWR3-#q;%gNfx zeZLQ+=Kjeh%1+IqfeRT>8vk_s!3C^}fBMIQvyvP`tIJ1UXQ^{eM|G;{s#$#Fo&hN` zWBjgiDzs(*VxXU zeCt^M_V3=@UwNKOTg4sU9X&{0Oreytvt*ZFeVw3t-mE`qbk_qmI~_l~ zW=nC7Z_AhQ6H*Ybg%;Sj)r)+NvktKC_TbAlrsI<4)OJ)EIZSbw4jo7tzDAC3=#VAZ zE3Da&2~piqT1Idwz|)a;Yc}2De6_`NtNO&Si3YsV zQZX$z^Nn+ZW>VNk>*A_902{0Dsou>HX@~6=4e6|8m=_f8m9P8C&WRON*FeNQ(P&Tjzv-mKw2yWxS4hcLLKiH}>pOG>;&ZX<7%|0C& zre&FrLVloObq8ffj7mx(ayizM&n9y7y*=vCh?YzhEn9aE3ASt3T3YK8(uS?ky#v{s zbxww!Uexf6sK|(Q+?DnajC?k{zk~1Dl#zF^^XpLMrBo3?kkF`|(Qhnma{*KKNc0bl()RlD(z-1cQ&}`Vkr` zkT@Z^9P1#d3Vri?(QJjH`s8*ev@0Yt5KDsWt*nNoCNiA>QxT%^Qf^yen-aL@y62ng zawj*IisxAe05*E2r}LJER%r!Vv&NH*cc>itv7R3SK@H6%6CYVaJfn7f>$CRyI^F~W zf8PF|?dv!_z4pBR!k`Wm`5TQjI>AGpNX{{I@l(9@LGM-WB%7GIq7sabyt(bRliHR( zk43xJdvooNj^66*%!_?uLP7PIf@a@Ww+0Gx+?s7q|R zhTECC51!kvFcm{-wzFgZl=e(D-AjA^$2&IWbsl-{!!~z^?E*&3BnwQ>D1C)iSFaYK zoqF=yh6wzP@C?|1Ot=Q(rUgv7bE6#VG(3`_4?XUw$3bMcjh9*9S`A9khIEnqRzmYU zoFyn3z=yqm_>9c961^jjtP2LS*R*+5*R%ube2n@<9DIPMk>p{Ed%EA}fLSHWYHWGEMZ4u*ZFF5&rohKrjmUG|*ymG_b>D zuw>QG6mSef7Z+?hOId9ZT#6D`clu}Uy$W28G5eK+ZnL}FwKX$kAwz)75N}K_=_*0K zKubAeORMVqZ#X9R=le?(>nmoRSwDE23@8>_&UsL)ZH+vj_KDftl%Bf_ln|TP(~{4@ zmb~R|X!*5X`L&~#ltu##Is}For&HDmQ^LtP3nHg$?@WmG{>GcaqmhNKxrVK`;#fD> z-%!Qt^{RmXevO#A`UHg?sOpTKg2b0GjQdtu0!yi0u04yp&XqWo_ZNfR-VAli6`SRA zbkD(N5-n?7xHnBB8RA4~O&e_0fK~t#o%h~Tp^Yxgr`1_-VBR9(*)<|c-r(nlICN7h zFPnR3m=pXMgE)d`cMae)FEBGRiya&fajTy%V2=#tT~zIJ6~012Jco&TQH0eTL%N_Q zeP(GM-20O_dS&09aXR*ShE1{oXsNx$`e7d03$(YNxl~Paoi%V}zHm=8z8*mJ`n++> zeT0ScgwqvA0sCbW>kK6&v&436DNB)=|;iVhI5o5zU-eLg1ULP z{q=*H!~kRKr9?QdN9#s5e^UasZvgKED1=BZnnkOPKgQFiFmR0yG1Z-Lj;CtL1*Ms@ zf6o*BEv(JXG5+U=d^QRDFFV&Cnr@OWe{B%`+EHv2$P0{+>NMo3QV}#>rpbbi7@Zo< 
z>s+7Wc$<*$%%_2W(vBBNt`$K8%)g4-Z?fnbjfDMZ=%u+H{ZAU}1!i^3X2q2O~%FkSNY)6oItx|^C}RcbGfmdkISzxHKY%gUg|Gio%T={WEAHznWm)GiEu6}J16 zEvW8HfX*N2r1WkGEw=yy4cOMqO;SrS3wPAGz}c=55;D}{!Z0+t5?`L@V$toqJhv;0 zL}x^`(0RWZI~a`pFcs>T@8XD-Qn=!qa9E;U|JrYU+?QafWC+oIsHy8}U_kRj(-k<~ z5_ze3I4gUA%L|{s$~Abx&cKhu=lX>Xjwqpvx<|_rUR@K?3sJX%8mPQ0?CU8R@}vo+ z^+YxsoD?kC{cscL30a72!W~zFt4)k7T^7+~ikW6~J>5{mwh!~SK7lu&Mr*?w5@>`e z^fM))qxgoGsBhdg9bQVo6>^7jf^ra&9Go|->=IfH+1@^^Ys%l+m3%o^3nof(f6_oa z)v4$lERg=f8jg@H@ARn_c>|*d?nJUHK^-J1$x*{XI$w~Z521HbCJ~RX^N!4^k8^c` z;I*)(uyi(3K1$4n0*NWM`m)ISjn$`UlY>1#cjT+@mjAvGdVhmNoI88Arz8;FY9)CO zX!+WYa7`;Qw|&Yi<$$=nnfKL^+o4i6I5{63s6>TK^S+SP5}UL~Soc-nOPp?(mZpce zgW7r0p)W0u+!#1>s=1PVe;EeNO>1v?%!!;dB`GQw8a>geJRiNXadtIwP6RXoy5GSEYH7#ldXFIc8OnvR zqK#Oe1&!*!K}qPvdc-NCAkm%pvoFg#Tz05s``+pwGCaGD;AM$IS=u!ER1K1wAxcXs zf~kWPr|Gx4 z+!DvQNG}}eT5X!|cOtv7@o%2^K&~;1=RrZeV7tM}l({m-slL)VxY4+mMevA@wkNG} zZGx&sQk_a=NOhlC0HR=~q-Ysart;@%0Mnbyyg6Mc{qccqFi(i>!O{&B%Lk%zmtjod zYKDv+>TVS|70Ly>on%60_Cz+OU(T2cx>$yJc<(r=6ZO@`VIP}JKidgIZt7*sG>-pn z$U^t_sGBWik zb!>oHIkuMS8PP+Uhj0Ct`!>q{f8WOcfp3HB7(t#XV{Xf6*-e_;aF8>eD^bhB=Tg^Bv)W+=p$_3EO3l zKw4l11=>jbb*1Y6*F(?F9$*;c~@m#xD3wy8P)&H9Yx(g^lZxK(N;ZN~{=D@ppu z1bPBciWNlGMVKgHP{tqAl;v5}866x?rVGa=wSGkdRA$NPpov4&UtYp~;`ZBoJlewIPz(dmFc zL~C0Ma+?_k;#x}GR>eA;*zoXhcFj$qn~**HFP47EIFJ|&)u@oQCrP}G)hSP@ zne6%(hezR+Q(B4MT;IzMdE~8~c8Jw;m1^Rb0Za74YC^hAjeQm4?4QLe#PXrsnFDBh z-~J7eeXK4BCy0+0r5(`ZaF*3I;1v78HXdu&5q>{H@IgXq0_kpbd z5NZ$&G409zsGhsOf~#UdL;iAW9|?P8Ch1kE-z!BwoxpVTq|QjuR2$&_FhJ3uO~{ez zVy_A#FY0pIlVZ81$B7E-+C_c&`MXrfgg$E7Y(RBQdHptcxgVE5r9J?07Iub$EdAVz zNqz69cYkuZ)zZIkJ)3S4xo?~BoRoSW82wYPX>HKY-S6 zbfgFeOi#FG3eAalxK!HOBi)8aIX8Z4I$n08<14k;{yJ5Src($Rn-~wg-c?nV{4vFp zq}fn4oY=PiF{k08Lyw;F8{(aDJsZ1jqYX`#W01#@1`FTw?HH^ChA9>Fy^gNM(4nY? 
zRX~m|*|3lL3h^a5xl-}Z*A2hwXnf_bM%EgG$s#KQWa3o(i|iqo@>KWAxRu)IrO$M~ z&d*kS_bUzggMM@ot+-5}>-M8DC~`mHjGeWvy;tcT09j&BPBp zVvuIjoosIl)%0BmtpCaNqN0D{dg=tC3Lf%(^RBW=n#E592SeY>cYHFNGt1`g!c}9I zQR!Juzwn&!{%r23Ff)FrHlS)|m8#gw`2Hu`n=IRBPwtE#_AYU6FF_ay`~1S(V##2q zE5p=iPSaPm2*(3`=&F`+Dla`i<32Ln5q$26`VIz|U_WjVhZb**&_O%YHrPL4Vu=}? zx^-4eqX+;dmAJH{N-&w#zW+sYohkiRXdkiZ0N96ex#2(41@JG68(24vz5 zF0veMk)Ldp71BoEoYg*DnOfTqmH|)=a70&t!G|6_Zv?k(^YY~Jdo*(Yk~2CZ-PHFr<^2ZF zVTb^EAMq&soqDm(s9TdQ>K4Kk=P=&;1Avlh$!FWnTc-3nVVL4%ysEy1U#^Z~I7h z{4~E{&GS?&qXMw`9iap?LQX6_A`gy{!g^{Ck23Sc~>fZM3wGv#@6wCvt6=+UA;n`#;c2?% z@wk+u-0aSPAdv-~-e8@Juoby)$l6+5L=2Vf;B-`Zqo_uSBD^zqh8VW+>FyI9Ma$-x z%?&jdd%S*64==rt{VceU#?>4>Eu>*4lx}VCxKTMyDDk2kNmpnuBFV82V=SHU?6omzxR^3I(= zgh;c5>2YCKi2v@^mP>SG%-k5hugK;5ga$=RV|=qzCF|3eZF^62c+#cUr{wf?n3e>_ zVcM41GnorNw!Yce@7Hhk5lQLx8-Nz+S@~X4Xfq;}W&Jt9iBsPzDP|g*Ys%Z?*9%QF+xdvIWO^7c-(Mo2 z=Ry;0$MpPu1LTyhJvk*dOj4Zxx0C%R&B0%B?4gPfnD{_jc&)j8h3;^aQ;JHJP7vHl zyUio}vyLtB9|Jtkl5dn>zYu9CdawO2{pL3?iQfu(9Z+I=gSYH)lm0HfKhOe{YC_>f zz)CWzq5E%oSoisi=Mn9?Ab!MfohmE3Uveq<*SBjS{Lk~Q+}|NWEvyE&?Rtkg zeo)GW8x@<^Z*J$Wb1hSMWN(+_f?PKekIs@2 zH%c{x=B?K=sltB~1qhBS2;R7MQko_6DGu^!%?{)?co^|LF4D`xy*`Q3CzY%_4MO3~;u@ zny9$x3CWJ2ds!FLkKD;g`1(G%Kjy@>rNbnf9%Oj|Kh^ckU>?b}9qBtX5r|v?Uh;Cs zB!LbC+(RSFW0Lb+e5?+T+#tiO0763$WvZr*3r{;;s(<;hMZtDdd@29b>=}+3a&{v0 zqbZP-0trJ;5&<->yB|8VSIg{WeedaWJCNmVccKX5>?YcipX2g{@@9#pjpWhU)SAxK zt;))E!uzSoLPv7HQ$&i;=-bCgCHShPvol^@}wiM!u-M z=H#N5;x4o3vW~igIN(uzKWsH`(S-Jtu0&gF6;>GV%Ty!=yr@;bAEcVbnfj=F$ExEG z6%;;~kEnHJ8JN}XG=`X%7NcxEJEZA0LmMl;a3B7aDpuhR8tQZ1W4o@l26?^5K?=FQ z)(*!GX=s~9Rg5k>FmnR4Ps4LAUt7lwt>RljEcHd;TzmTiPvJn*RsoaJe8v+B?+dBN z^QXFU$E8@7?eUZDL$~DM{Y(iS-lIen%F!jNUD*)USa!~~#j*cg3jfIHTDnGn?XstA z!lp6zMq4x2NM2j093`cwco8XBt2fng>|5GxAl z3gw_DP$a(&Y0b^S3CQ_kE9rKxKo{o_(4%Gd>P3W38c7NKec}K!tu|;%htE}`HJj4Z z>~OBM{H>8ns&DxYSVHG1)?Th*+hQ{hc9oe93m|gwyH$TrqtrAzoc&ar(HUt}Va+IV z{vrr=?~U=wI^$Qg`|7bmnQ*{O)$|R3R?i1VCRG)=l$(AI5 zqMSOpOjBc64rbUx2^H~Y96c+Ze+7YenfSmqLYuZE64>x`5xbAjnhXb(MdE}nP!7hv 
zowly1$wjtTnK6!6FGg@xBXe~dr|ce1oVR!ANU@1_mKgE4*xmk6wZQ0R9u=RL z4|`Wr5E8QnWR>NQe4wS!*K03C%1z@K_leSA>pqZbV02RoZ&J{!MgM4>6xRI*O z;uIU>Fo^#+XkE5CUCQQni{|P|x{lXOP}f)CTzY|Ju%i@jh7f{XB&xa(S`tD{n2s@~ zzDi>UP$Q5UPd++rKG%o!OYeF9T|3Dbe6wWHhxDqbSlRMh{*ad25HtvMFt93= z6BicWV(*F>tfSwc=wGJaxD_^wK#yZ%;0&MM$neJehGN|s%#c*YTAytYETZ%-R=i~@ zGkIkvyQFeCm%(zW=z(Yka#0^r=ASd}=PV1vw{e{eeAfEiOKQ}U?F?Id6mE7UJ zB+~Ag?nWLhWmxcSVQq2 zQ#YiiOWkf8ajcL6x`Z@Kwy>#RcP~fn5U1H!`iMBbzz)kn-|pCn3*_1GnTZD)_8+=u zZDrU-Ydl^%#gMa0JjDQVxopD_*$W7$QmG!o0ky?ug6ol2F!UC^k`j-L3%*VMY{{qm z0_d6FW9xHKNs2s(xgPjVC-FP(Z;7`Iqy0c&t1T+p zi~4HaM>PhR7Dq_xpt34=oD`M>g>;u9hvc(5kW1)vDppBlEd<|DwW$rOq8o?yHC?ks z9;Sg7K=~t4bo20Xsz<9DK*mqWj7D%>+kg`+$&f~OL=%G3w#fz=k1-B0bCtQf9I)S1 z=kcdnH=GhGRR0NaZYlfeV0{2Bfc%g+*&Q$1Uu)^?S!id|ZZin7xokIiD`(4NQly5E zl{IJ--VoxJ>}E8o29w8UbUS20f;P??r4i+Z-OS8owLyhppIy%yvNU9g}tvf^7 zohuF&Sc)G*T`n)JJ8y;8zLXk3*%hbPnRac5=Jxs7YCHDZ4clK2@@U(Ca0HRyTtR;q=88gixUTzr?{4auZ0_e{OnA#P|u+2m@@;^^J7h8YNqbOl`u zwNLCU<7LJYnX#ya?LX;urUZ7#y{@6@@oDa{_TdeU73~PM={f{4GRzOjA9%)k!Q&zh zn<;kU#?-+tN57y<*mUGX)y{&S8pw4@STx@ZgsQ)1aqQ@XO27_M|Li_F|7seb!*Sm*=HMrM&K=53e4!hJEs% zk=U2jv?Q=zn$@Z#Zk}tK_1(rg2MzV8#@B$>4v^*@O5FOjkqQx5;~FvF6;>CiY_H+h z2mdeY$p5kLzt|hJ>sAZ2B1@2+^GJr1%%j^)=JtW3%Qq9DLV>Cs?uTtZIEe;4Nu&ag zbMo?R*=#Z-AY%;KVZ24!&H}jzKQgb~K?HH`(($f@)xYAY&r!Mdx`+-DPJ;mMi-57o zkO6e9e40v|=A+sfh;_oL_d*i(cH6(vz`$<1!m282bFtd8B(3U?Id#})OI0*oj9<95 zwu1_EP9!-~Qkhl2GW{|47!2SOC0-)aSuG?Tpcs{nb~FR_bbc%i_ag*wT!2YH5&l39cJ8-xDsrY;dyC%ptThtbJ4sLe}_knjl55J zj&+b(9D0gzlM*A$O$OqvF~-4xwF~a%;;(MjsJ@E(dh(5o;ne_+vvHhSqrPqfCU+)B zZATm?^3W2m!mGwn!Q|s zZXsw2*_2c=iR5Sf5ZG=UCai3y_>^R2hP=en^`|VmI&HOHU09Ej8|#j2wZg_7JFVO$ z;4wId&+{XMMtGxd@|q|1;OB>Td7}0TDrRJCqX>uLv=7jySz=PeE7=&|L?eYz$jR#2*&t*<$ z7GD?sl3s9s`P%399*=?0%jk1oL6je%0MzI=O#BI(u{KZim}AF{Q(t~%!X?FZfA{F6;(A3n}| z9}&dI8k}G!2Q-=ZUYz3mDI8K{>o8E4-c61mB3?lTR`; zJ?MZD@jN^ZNq&U)80zi#06+-Kl`&Ax=ZsHowQaX%p&CcTwX^QCGbch}Pkd|~RGA+^d<^yS9u(s`@tEK-?T6ouubWgI 
zyVzrY^{J7Pr@$wt4HU2XV>0J)=Pf&fYG%fEWzVuZX$H;lf5*b!muR|uSfaELd>ILALImXJRiMQ{xqilHO74-4sB~=cmd{mPav!wp?BONYZ zQ$aV7Jhp)|s_1^aWzsw8Q0$FxDXU-zlNkQOR9T_!@+4Xlup0`$b&ovs?Rv^siK?eV?Ir*ExH zk2%Qu_>QNAGc;Cmx{V}HUTY$7G9WzYDZyo-8%xya z2Tnd(W*#q)8p_EAPryfqwY?yB`p^+Y5wq07?>DKz%0)JWzSUBtW!>_`Fq|YdwX5-K_vS2Kwu0fi?o?ShRn#_n?82Y-`$0E#@2(7?V3`NK<=3!MET*3j@X z7B`Pr3q_=MS>q37 z@EgGQAaO<1Um@d2+__!(OIf^6{e;vL`C;TT&TFF3m{YaFhlvw7YcfHrapqGB=LZiH z>gw(q(^uW?M^HGouEK0$z`BbLS$O()n&hpCEMDKkc2@1$KUZ_BxoXu+tSU&U;Hgs?F+0?QtnJ@NFgUJNJ*u z2h3Vkt>E~8{cSH1`x&BmM@PB7DI&%tv5lVBhnq@RB9t8*dg(&`{x1EGgj#jMD}56l zHS4f1Sp|K=XNh$|5TKFqnN4I1>3*%=^yM_)gGoML+qi-!na!Kmetg>H^og%{{MdaH zujVd&K5lgM%*hsxo7`qszp!yWs}9t;Q1aZYt!#dC}Y&Xzu(Ao+P=0KXCF-Rp_b)d^4r@xT}n+5X1w&2(GDTg9X-+g8b3V8YPt{^M{ z)To+mfRg~yKQGj~_t&cc+yZb!s0!mYdHw~aM5J+)_xZg(-y*2y;=LDcr+&xso<3;B zm!i<9&Ah55u=$B5?kKKNXl1xOi@}jEuhj8(o0sLOHK3zCagZuE_=etIv?J~;LzUJ* zmRUl)s28KWMx3aStSPZI8bqZSS*B>7)PQH5d#AU-efGgy@1P5{*Qa#abfPEZX)mWp zk7?=a+TLr;M?B%VOQG6*(knIxKy8)AJoZVV;XBt4N!@6Fb_1=OWu#HEekV4uj!HL= zxAlu2!c?f`zR{Pnc;+L(9ilYN@&fLow7o*$1pr635TGn8ojTDPY=5E;3}kgFLdvR*cVBi=9xJi zelB1kC@-~bRQE)F-7Gr_dCJse5z(}z8gU+@LL|3C0cKV`6U}@CPt^;3#JI}*P-`DR zwwOAe8p+U`j_ld8C7BFa403Cj z(S$=Hw&fl=Ldb$v=zqFm<^cl(n!&Hz!U2Oq0mmA8isCszek4VKLk zAkisQ0^EPNdzox97^1p;`A;@eoWUR=yC2*razZ(}POK5h#n2&d5OFVHVAp)u@7SIh z%DH~4^|=Z0l4~LUnW09nav2S;uF4!zNDlX!5)ndS=vQfuIL_twK&l2^cw# z`E(=e%Xsb9A0)o@7wi3nnIm7?)C{ETP~Q28HcOc+Z>^#Jow$JNJ z4A1D*hQZH2U_rSypFB)WBMK0!4|`O!)HpCsXb#E%nA0mCHG=A!8%kqz8c+jZ_E8KAT>O z`q?%K<^sMS5g9!6p_b3&&P*Qr!?^T**J;=G*hd@sHcH(GOX~+grvhJ+=C3Q~L`n;X z8m5+uuNeHvc6X@q(P-C4TwY6v^Ock%?9+LlMN7HaUuvm3PiHExteqAuynzc=**f%r zoEKgK6U~j*H2-eonFwAYEtC3kgK3?XXPqyZ-yHDwA3@E3d$8l6D%N6j+{A9!Dgzw4 z32`0|6$&7@6)g#b*QdHj5A+uutTn0{uij@RsoE@X9R1R_;IT{-U(SreTkiWkk-fF) zusG#^4Cq0hN|s3LQSOFoF*(twg->lrpNs?4!>gJ{5zlKyoB?b@gPYbjNSX&9tXE`#{k|<`iRjf+z#Z9y zvVl@IT)sW161t^r@Mcb7zPTHH1J%J8`q1YM0BZQ?SNB$e|I=T;T3`>sz&eOso@Qax z4Vu?S1B9P&hRRc^#F668^Zx5=tcSNIk;y@#G=tm_e#iWI@JIzNK$C!#!6~+O2`L|S 
z=uxGAwHbwWmH@)FGEmiu3lVz@WV)zBA_#k#E+^}gpeX6ok&XK>MUI+P(fGN^O~Pld z{-X;l!R4?P5l)75aY>HV0khr`kCq&frKyec;9=Yf>WOx^53)k_5B#)C0~66?STMRk zf>U7*gtOO$J6_D}#MgInc}r%~Jl`RYGBnARQA6?$nW{H2<*IUL+hkLZegt0o0a0{# zD2Ex}@8mh{QxD|JB-dhbX|rh0tsMvr7L9G`T${(##vtPy1p8smWS7=mo&-;79oW1F zRpRcxT^N*Dd#kYKO*sEW?;G4xDhRe(Gbi4aihJZ0m35koP&!>txjI8(&@KL}=fuO? zBkS7_Hr62E9_!mJcbZUl@gXcuo!4pO=C9pg_UUvI>jq=6ni(4^wg@^uz|e%h3v6l$ zJy|zodz)87EdKE(NxLVPv+SFb7H5~lmYCKn`99^%=Rm`nYc^{D;Nd?Y$7lfdkpI=* zmxn{$_xo$L-9oY#6pXP}U@5zq4k~HiKcNtl2|MW-yHG z+aP0@rQf&vch0%4-+AuqIz88OpXc|SbNP3!neTkRpYLaRFR!IcVh)w4y8V98{>kD& zamVO{tls2fUTy7B?(CZUwm18%tCg(=Ul~Ur7GkYEI!o#FBA8pDbEBF?XNV=xHLGPH}UUMO|@%4p6<&`sW zA)MoB_R$`XabmGe9^rw@xw&(!6RY9R7!XjErs_LV)AXoS-MecUbEfwar*6bg$Msxp zmlE9ECzz&uan)wCekBNlt}ek2ZEekl%gda$lyPt@E=~lr=2fSH-Mq-@R{;x&_*Eo? zMkFKoXh8;)Gnh#Q3F6IxdM%;flbpPNE1QOB+S|z+necy2d-5dRBP?SV4M*mU#&Iwp zle}!hG<{u4Mr1&Cm)+2KL&6*4GfPWj5%are3-3f7X?_U#ddQg7U*IIjK^TJ4ixQd) zfm@DQGKA?BXa9x z%DMMjH!sI>w#y8+ZxPw^7h!1tFDK=eu3p z!lIWhwX2JE2Wx0w?Q+Fc)NKw?9%7l9q)ovMi{YY%mARGEbL+7)QyvMRvxrte$_}@< zv?|;LW``f6S_d_IS{4Bzx(m?tab9y5{4naJWYU<-Ym|wQ%c-Y<$>O~PjS0nw6Mb2k z07E70jJ$`UgavdFfAj4vS)mb#ZSv(k8L-(vS^GEUmDBKU)bcW^;ef$PpBu|ci1M8< zb)(auig3d=&HNK>rbUtmq`=UmC9DP_x!@Z8prf-m{@sVZxcm6KNg6WSquNv+MRhzb zKW6;?@V9X*3S{vkId-rA0M#Rc+(Ux)GX(NnJzcjWIwg}lJkPnu-cvvDLH(GedGzn; z)f-cSSzU##va)j8umwM7HMs>hsgp37($a4bZmt*ubP0)cs-3wkySZgSi*1pt6ppQi zJOxX@wd}H>#Cc%eM-y#6FWD>$>SG*IM0f4IASKWLUee{$%pqLW$&ay-B%x}>a3p`R zrh1Vx;@H3gcX=Pl-)Md<6boB|yYE*D=?&qysAv7Iw7XvIl5Tyb5S0>xmbEH{P%Lev7;C|YRM>$EBX=3hX8j;-!X zEIJ2WBuX!xlh!->V9$FwklsSdEFj9;Id+crgq%rG@Lo{!?vxa9*#=X!h<9|##~=>` zb9GJcwI^C*k}qvlek!YQemk8o!pzbGXZm**1*s`CW(XY`OvE5~aLn4wV{kAHxoX=? 
zk_3pey)9s#D$<@g3Gu!al^6ZJ=4ed(n+vUr0wOy0&$P$Pr$=-}x2X|wu>vprlZ40# z3B_fDwLTt24t>ABv+2eVk%rmkPqn65tq04 zfkMu3O6z%aj^J`i&ak^ zjj6Y17by#E`kdcXQ)^gPFWoR~MO{N6@%eEay8Dc37pabe|eA$pOO%-&{V^N`Q8SHwmNxUPC~Psg#vY+5Si@VDrn zp1!=AfDAFMhSu5oN(CYLY|G`atG#7oJpGNXk%;v2gPC{j>Qaju;^J;+I=D5|q)^pQ z_Ih4D7<%p2S++gD7d1Mltjph7-8j~%hsh;%Z)q`@fWNQU#u3L7iO3p@uf(~;hgMdX zk5m_PNJWUemd$$d7_hQ|XbWz(OBcuf6cW7q_d;QQaxmnP_Yr`m4Mmu`Khu+0kgFHK zEI$sw-adxbY4A-hvu5x#LPH)<a$GHJ_OWG&C7lrUD>7=Q@?o+ID2?pEeuv z|JP=N3o@#fuqBb*kLs}2j*85Q_f6amPPV0->k(AH`>ha_?f;;RI_W+N@dofxZCWq? zyTYmedD6T81zK#s!Eb(i^|!M+4@H>veUSa|6Eh^2K7arO3Uw&mq;M60SL~b!lBkz= z_fB=YD6({7gw1VrAIC7;p17WU-c_cjZ^*Vsv=3v$lqk00DeF3zi$ZVQt1Ji#XOQJ> z*pH&S&wU_z@yYIfSu<{*d*2!^PT|>nA>6DAVyBF@Vk;Fo<}2oemb_(dbA6IIjd^&K zZ}`)343}(zWy`4Es|lgvp)g6tQLGriD|_dk$>Lvw>_wS&%YaJ*bZ#6(@zw*9O;6FUoHPADp6Asc-pIDj^tJ!QGxH8Sz$@g z%uOg=pu-K6q1b?l*-QL$szUr)S-U>VYy18d#8r~VkfWGIPGEX@U08gdA9!=)&sn>e z5$^L7dYaiR$);RwT-nk{j_;*;5r}?YSn@(y*PZe{qWzmHn(cTu7&0KQ0GE0TwQ%vf zLTwy6azQYnf80AohWi-;(p96mQ560WbOe^}IzB6ASu-?g;bVztlc3WYUvsJxlTG9V zcdebhz5?~WHE%Gs6cQ2hX)9?Gxd@ePUJ-V=ND7BT@@a-V8v549kBHG5hpbvN_sX_} z$9aGb?w{o}N@Lrv-kS{|eJ;-BqN;Wn7hxiz&_gVo~KqbS`P0&-VFnV%jk zHQG(Qop?)Jv$@@DYO;7}0K#SJ+QbwjCdfh7H{U|Np-5FY0h zmy+v_gGXT;QGUywiRr#%v++m6nzvmu4=_%b8sr!h_}lAzInmdVenGzkblU1u>4hzs z*IWLC8e-JlK=Z5Gj|$@r=Wq*CzDpD3Y!FeJTWlfG+^Id@Hp4_P`RJ0 z9#p3vW{tP*O$1NaumG1UV>lqQ`M3`d7U%IJ3BnatF=mlXO&<_v`@GG=KAkA^cxy%n ztR20(tKQf)Fvl9?2+k!_$vwtV%mgh(s+1FAp)9WVa4G+@w@ZaVL-a>=Xs3ZLz-bFB zL>tZSER~d`HEH7y!j7jnzYjHUuUTA)bY8=4;`;&rNpnE7ig}2{1^7>@AQ?~p@Sjv~ zeUw>|UxICZP%`Yj>*wG^+L@hG-_4TJN;cb1cXwD`7I@&`VBk555e<_7+Wr2jkGxc$~XaXEln* zI*<s-KI3vnHeJ90@lS z$5<;i2}>$w{arJsTM-=@Np${7oDcp}tNIppux|Fp%rt}2RkNC=|~Xr zF~I>-eu$N_B>NVuEDbv8TOu4D{+MBxHCx8>(!hjtrGy$8b8arxg~>Nndr7FlTLVn^*N&FavGczS7m8IN9kj`U+rkb=6~$ zMn`%qokWcECc)g$j3bbLWIpBor}-51s7B{tII3U;y3{d0nh8;E0qkvohlxE?14mBs z2;b2wj&R9p6tq1tS&3E11~MU%?G3=T?LSXwz_yLQYeuvKcm*gre+AlMpi3s9@m7>p 
zHN$kf9q8DMpcp@|8D7*K{&BwXg_qexgkr2SxP6+2TCZ+U1y`5sxw5=5r`u@D4R`OG!t=%gvu@$V`8Wd=iz`Ln zMtuERsse233v++?zRm>!zONJRjH1+_6&!yfU*XVS5DON|RV?yKxusRw%&~in-!J557 zzp_C*`P(}H4AXR#)0|ENFM+tI(=nO^Ih$zCdF3p1P>ZYvx+DJN6!kWJMn?_p~%%bzW^dh>3msb1m6SDmnHUIqdwIH9Zfp!gr$5 z@%A5fV{kj5ccYH~Ij9s1iV1G#Sm)W##zjV*rib#+ zxTunf^l=7p%ix15;Ha@v0}N#^%4D0^{!EVYJw_Q52Td@Udp6@TD?eReE~f^5FZhK3 zXq1@=5+X5VXh@;>f_X@AfP5bL`cp^odmkLtm^JNM?I#+})u$PrQK_X=y_Pxj9Z-24 z`Wel!QP0-snSE;+@_I%vkJWH-aYOxJdpZp-2WocIU>YFq!oA)E=EENI&%A`kRk%%8 zDcrMCug?qf(Kdnlf1a3@e&rPsIL@{0WiVLmQ{>|M3}Gsp5# zW+3fvmLC#NXo&<;XSD;pAFh)*I&OHH-hCByu)@UeYPbwX%?*>n3sV=i zQsOJ{WstQ+#AEzVvRdZT`l~<5YAY`^4GBU;dGmR06744crlFj10CYdfm%cHFT?pP*QS)VEPq`vN zKIYDowWvMq-_K7?RplRc%|9{TpHx`okcabJnD%)q&s!a09QhFK6rgLZ;U26Gw8A2S zp8Q!N`d55r3)r`+0|Dg=7?OGx04L@Q4Q^=tnKE-jD8OQKlpD%qjrfa{ZHd_-n*e6m z15iFtMf<2l`L`7KRR2$$TE5K?M0e?@K#^(R5gJnyuU8{o7MehD|pi0@!Xc#eP zM4rV~gQ){El*~1i7GxN3U7%3uulxD$=DGf=-t@o9_uw0=0~5S0v4U{3eoaftN=qH$ z2~SK43aia*#@r-Mk4#IRxc>D}f{ulg6lz!5Tj$cQGqV0SGWt2S#0IS`w+{Q)%PYNR zrV*|3vn%V?btA6=5q2l#QSe2Gh;zxRV3}WA(R1^~PLG5wE@rBDIfiAqxo~IY30#1F z{i}bIUd^g*Gw*?U8;O_+tL^@wQ6bBFEScN#_)Hq#HXcaeZ+eO9D92WWHz40v;oQfp zWAq%#U%yp^fqhAC3+_zDO6@wnS#ck$FC{7Z{7;ewy@_BO_U*N}oJI|Q?u!dCBB{DF z>MW@t^f4f@n4+nJ(oaUIn9(Ben90FrIjRG?gAt18j{Z9OgH4{k0i0vuZ}b}Zs1G;Y zsDh)IO`Of7}kFx30|U46mTt5b`#0nq_l{vA=p)O>~uB+pEz}1>x!3`qZVV zueCd)`j1c6ol)JHt2;Zu&c3>{ul}_`z|Ow<->|O=+)Sj@SJbr~JniVGX1eE<-lALv zP%ccE;H7CVG4uhu2D29c2y?3G`P;!CY*lu2>6kmeo2L3U>hG>$f7fPpET*7St@X8} zGD|ymTR~+_TVFB1oAYAjouaML^lHq?G^uNK<(J|g_g|SU)}u2mE4y7bBb|IEZ4VHw ztBDre0o4`KIB;d@L0XGNY?N+6zDHQfb+#!F+ReUwZ`Q)moW5|^I(h#?ENTTJ8Q=IR$ud=1P z_J+uPIbItUcp{AslYXu|*ub_k#>#UqG4UcF4)@Z@49yRG4l*;d;7svTGP8yiaG=e}BYSKil z%>Is^<-IQV46?&c^lkMZpKp|W`jw~qOeFg~O}bQzheWCPlDcYc76Q@sV5R$LWHU33j9UAJC@Qni%(Q42-`Etx=Wc;b= zVS~W(D5)!;Y20qi)Jk51;@G!(LD@&?dS;moKC2ixYm*7O)b6=Srp?e|t?R!lTMs z6#~sgCoZ3|2Kx8%q3Jz~N9qMWbCoMDiLwKnKxYqOnsUp<#HSN0T(jHf(-~qJZyzdH z=O;fuwWfFUiWVCiJ!Q^kRThJ26gDEpS(Zpd5O6em!I135J6hHHr#%4ECk7zWz_^%b 
z_bW+KsoyW9KQQ7(>|vTm6H7AIdQkIn?p)pBh~kv=sYOrdS-XVeW_NS=2Qpj>XzAlq zlro0&OiPLgWoSH;2qxTO#(LiUJ%EV1U%sczIASv9LYaJjHhUN8tCeb>Oa3d}YZcq> zw~|nqbxFj)+`)yiRL!Sk;SgXXy7gOAN_wBcgC~|0n;zZZNk|{z=xO7=%BSuB{S`?XnloWz+H;1NN-?AKUUsf%6hQ)dxL7LjpP>}jj!4*B?+Ykdn+OQ zq6d%5B|5ZeJZ?R;y<~ZX-^9*&m=p(dUnb?V0mOtwh!X=)Vs2Wo`E7WARsmJX4$gzJ?y$nmQS*0*N?8fXlijntHVNRil~^mFowb`*7{uds2`M&LcLz-k6l9V`^9YzH zXW1=9A979}K2ZJD{~`mfOM|{0TM+tOgRgQvQICFpt{F}{^y%rVD~xYGJsLytEhcHf z^>dfCORbM4GR-p`oem#5ZS`8VyB*{Z(7xm*x#?qW4S9)GgZmF5G+>`;${&64irIRq ziRITgl5Rcpca&@rX}ttWP5qsF$(9=nI3rM31e zQIi9^Yw5@ksd0&l?bc9vJb&l0wG{`p`cn`-lv=CC4>sX%?71+Z6sI=QK2(yzz?@au zfy%I`{Yq+k-Pz)5IqoUN;b&ok04<11ikW35olHA~ z6-Rn)6K!UU#=$QxLYhyxi$m7$rHsU0;Qa90t{#q$M`L*GX|a<@;hM^1_I`KJfc$$@ z`*i58>%@UlLyd8SkK{+7(D;xc8@53L^x$w9LfOO5Te9!YT`6>b@F+k!<7uuJ=mIlY z0d761zVQxz)iaMUsy96{EK~EcQnKEtlc#o}11-&zTa&HmVPzW(7*X+?sOsu<~Sqa8Errx?y2y8s3yMKc>u#14-+_`~>dId7)R1?Trk+!sqX;mF6^`GyY8i zk&hJc&nIUCf)XU2>ZJ?BMx2X1nOo}ynA9mjs}#F;LGJjwH^EbTE7IaZ)PP>C?+W$# z7jZ~kWJhJ}o3uyrZJQsL+cxF~@~hw~G@o1mBov+ZBq!YYUT3FDCc?!~RU;_vfCk$> zL~a`S-Hr5%gIUr zw_pC5TGe0inK^*J_znacj!39hbu7#3gOw;FPhZM$Q(w_^SNE@zRYT$WURevt0RGDdIxp4N$6A)xQwn+PibtoM?NYkx-&}Ll zFim?m&cGDSA^G6D4uYSz5WL`U4#Q-&Dc@=04sPV*yT+&>GpQi%W_ z#H!-+YAuBa$Lp>=myRp`uw1t;a&{zOtM2YA@MY)HS|>r7)B16+>CH;3P15!dE%?ge z`ub7Uj2q@b32_-c9sWX7d6iw4Cb}v$AqJOU4P_OnMoC)5T2u|xcZ2keeYoXxk80$2 zRW2VdXZtn@vmenk9_N6cqa{m5GER() zXuLit((6$+Ta2rg$-1Ra#+KPQw<-=y+$^}8eFoM*U8_pN2BO!%s^>|=*yTy;U0QjO zVpHTCLaK8T8kv4>l73w03t`0in$h?cyjQ;9 zMKk8=Zv_*cPa~|2$0eiSmK65MZhW{V@SCf8t7l5`=K;GQx8~j4IWePOdK!lfrJP!? 
z955VV(-~n!8CliOqgBDO(+%6iNouMMetMyyYW=vHh)%~g6ezeq+>+BuO!`8@UH+nJ zx@u32u@yx(c?kPMu1WHGc>5EZ#XQ6G&g{jYmTnXENTEDocXOUZtgmn)dXgkWX(#Dw z^8{oQrW@RLfu&qogFlnif8Y9wII^mi)cCILCVnv8W_w>MGCM4VL(qegJV|)H z#&I-+_olhE_9L=Vf3s1vPzlU$w$^vpxlUa7K(^%&1mVF*9%X@_2o4sj4y{2)bO80u z1pkryd_m^VX-yvisu8cx^$oYWD74QBRa*PvtOMUSPNPdt67 zC_5^Q{oV2WebE^QtjU|!y^c!f-8sgunr@CKYU$eqg z7p@5-+L3v6j<}&EV>;m7X)V#M@Zfj-An!S`10bAL^_}WmLsJ>q8-25}(0veoeIAZ` z`Q1heR{bm60C!dUh?jZz<$iY`&OyQ{0Z)roy+!tEShJ~5W@LtRJF~kOX?&y(X$CHP ze>mt%Tyc5D#c&-F2fLS-7hOw}a)xJ7IHz({4B)yHgXA^f6wPx0&naeRnD^Jk;%uVWS{Gs+?Q6eaUvp|FI^1Hv{fd8{=>>T?4Ttm5kkpSVJ5?K97@VL_@zx2Pp zQ~%FE4E!0^;>*V0stnsug<0Bf%B+xd&+&V>Z!Q2Fg9pNV4}fq_mF?YZ{5S3n@1KAz z{*V}nLbf05125V=1ys&TVe^5Tp0;c9joUx-9Y|&)^3#AIOAJYW2#_o$BrpBFjIo{X zYqR|;j=^6mR;|fS?Wft2k&(9C-VIWXDNfYV>;sj8BQKd*r#$&Wd=!#Jb;o=}dIGlb z3IP0z`wy(11Ax`z1h9JXMe~7jgzV%x6RGfY5d&>hZ9EpUh_`PlOOUOedLHWXv0Zx0 z3YF?1JObp~Lc&XSKiIByHsWXkl0Vo^8vXh8AWPSgpB2D$wv0H*VdWoezt`d5$SnaN zH@C0_SRw+7KUpF-k&JX*hP)!7iS;5W6iGP&W*L?h0HOG8$?x2d?pODOI)dv zw?0ZKZS{K@BCE0_xSs"sg-ngtp-v2" - NGTP PAYG license for R80.30 only;
"sg-ngtx-v2" - NGTX PAYG license for R80.30 only;
"sg-ngtp" - NGTP PAYG license for R80.40 only;
"sg-ngtx" - NGTX PAYG license for R80.40 only |
+ | | | | | |
+ | **vm_os_offer** | Storage data disk size size(GB) | string | "check-point-cg-r8030";
"check-point-cg-r8040"; |
+ | | | | | |
+ | **os_version** | GAIA OS version | string | "R80.30";
"R80.40"; |
+ | | | | | |
+ | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it |
+ | | | | | |
+ | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; |
+ | | | | | |
+ | **disable_password_authentication** | Specifies whether password authentication should be disabled | boolean | true;
false; |
+ | | | | | |
+ | **availability_zones_num** | A list of a single item of the Availability Zone which the Virtual Machine should be allocated in | string | "centralus", "eastus2", "francecentral", "northeurope", "southeastasia", "westeurope", "westus2", "eastus", "uksouth" |
+ | | | | | |
+ | **minimum_number_of_vm_instances** | The minimum number of VMSS instances for this resource | number | Valid values are in the range 0 - 10 |
+ | | | | | |
+ | **maximum_number_of_vm_instances** | The maximum number of VMSS instances for this resource | number | Valid values are in the range 0 - 10 |
+ | | | | | |
+ | **management_name** | The name of the management server as it appears in the configuration file | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long |
+ | | | | | |
+ | **management_IP** | The IP address used to manage the VMSS instances | string | A valid IP address |
+ | | | | | |
+ | **mgmt_vnet_name** | The name of the vNET in which the management server is deployed in | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long |
+ | | | | | |
+ | **mgmt_resource_group_name** | The of the Resource Group in which the management server is deployed in | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long |
+ | | | | | |
+ | **management_interface** | Manages the Gateways in the VMSS | string | "eth0" - An instance's external NIC's private IP address;
"eth1" - an instance's internal NIC's private IP address |
+ | | | | | |
+ | **configuration_template_name** | The configuration template name as it appears in the configuration file | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long |
+ | | | | | |
+ | **frontend_load_distribution** | The load balancing distribution method for the External Load Balancer | string | "Default" - None(5-tuple);
"SourceIP" - ClientIP(2-tuple);
"SourceIPProtocol" - ClientIP and protocol(3-tuple) |
+ | | | | | |
+ | **backend_load_distribution** | The load balancing distribution method for the Internal Load Balancer | string | "Default" - None(5-tuple);
"SourceIP" - ClientIP(2-tuple);
"SourceIPProtocol" - ClientIP and protocol(3-tuple) |
+ | | | | | |
+ | **notification_email** | An email address to notify about scaling operations | string | Leave empty double quotes or enter a valid email address |
+
+
+## Example
+ resource_group_name = "checkpoint-vmss-terraform"
+ location = "eastus"
+ vmss_name = "checkpoint-vmss-terraform"
+ vnet_name = "checkpoint-vmss-vnet"
+ address_space = "10.0.0.0/16"
+ subnet_prefixes = ["10.0.1.0/24","10.0.2.0/24"]
+ backend_lb_IP_address = 4
+ admin_password = "xxxxxxxxxxxx"
+ sic_key = "xxxxxxxxxxxx"
+ vm_size = "Standard_D3_v2"
+ disk_size = "110"
+ vm_os_sku = "sg-byol"
+ vm_os_offer = "check-point-cg-r8030"
+ os_version = "R80.30"
+ bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
+ allow_upload_download = true
+ disable_password_authentication = true
+ availability_zones_num = "1"
+ minimum_number_of_vm_instances = 2
+ maximum_number_of_vm_instances = 10
+ management_name = "mgmt"
+ management_IP = "1.2.3.4"
+ management_interface = "eth0"
+ configuration_template_name = "vmss_template"
+ notification_email = ""
+ frontend_load_distribution = "Default"
+ backend_load_distribution = "Default"
+ mgmt_vnet_name = "mgmt_vnet"
+ mgmt_resource_group_name = "management"
+## License
+
+See the [LICENSE](../../LICENSE) file for details
+
diff --git a/contrib/terraform/azure/vmss-new-vnet-with-peer/azure_public_key b/contrib/terraform/azure/vmss-new-vnet-with-peer/azure_public_key
new file mode 100755
index 00000000..e69de29b
diff --git a/contrib/terraform/azure/vmss-new-vnet-with-peer/cloud-init.sh b/contrib/terraform/azure/vmss-new-vnet-with-peer/cloud-init.sh
new file mode 100755
index 00000000..905304fc
--- /dev/null
+++ b/contrib/terraform/azure/vmss-new-vnet-with-peer/cloud-init.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/python3 /etc/cloud_config.py
+
+installationType="${installation_type}"
+allowUploadDownload="${allow_upload_download}"
+osVersion= "${os_version}"
+templateName="${template_name}"
+templateVersion="${template_version}"
+isBlink="${is_blink}"
+bootstrapScript64="${bootstrap_script64}"
+location="${location}"
+sicKey="${sic_key}"
+vnet="${vnet}"
\ No newline at end of file
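Review bot: The values `sic_key`, `template_name`, `location`, `vnet` and the others are substituted straight into Python string literals (`sicKey="${sic_key}"`), so any value containing a double quote, backslash or newline yields a malformed or altered script at first boot; only `bootstrap_script64` is protected by being base64-encoded upstream. If this file is rendered with Terraform's `templatefile()` (inferred from the `${…}` placeholders), emitting each value with `jsonencode` — e.g. `sicKey=${jsonencode(sic_key)}` — produces a correctly escaped literal without changing the consumer. The `osVersion= "${os_version}"` line also carries a stray space before the quote that none of the sibling assignments have.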
diff --git a/contrib/terraform/azure/vmss-new-vnet-with-peer/images/Topology-2.JPG b/contrib/terraform/azure/vmss-new-vnet-with-peer/images/Topology-2.JPG new file mode 100644 index 0000000000000000000000000000000000000000..ec9fa4413a32e5f84c3c379c2de4abae45faf207 GIT binary patch literal 51157 zcmeFY1z256wk|peP9Q*VC%6+lcnHCRyNBQq+;t%Vf?I$DcbDK2G&lse0Kp-++rk!i zrn_JF-raqq-?``9_rALqUqRKR)~p(TjT$v-$o=>GWdKW7QbrPhgM$NJgFnFi3Kmqt z-O>yI92LgW}@CO2aAn-Q? zIG=Jp6?n=mz`;k!!7aeUDZtGK{Ih2OAO_d~mVh%r38(_bfCXUtr_7hq?%bz(Czv3q06W^8A}?rvny&cXJS9S{L7jHg%?aV`^?`D@=d*rH!7_ z(nOeElSlrkyuG-og{8Eoqp7N=f|{|XwK2a5y{HHVnvlDIyN$h#sk0HKyUkl$Cjob1 zsz1G50IdId%uXdD1kFFnAPFx6k?;^yYY=ElWl=V;E(!Ozdn{*;rQlam$f z!Rq8;>uluCYU@P(mlwP=buxCew0E|&v!(p?LZdf!F3!SKE-scP0%k^LJa0@)cv#;U zahb4kaF`ge8kul$u$pjjneg#&JmWOuctiD<;Z2PHI=a1!~${ipDQG=hBu#2rnIoK0VXMda5avp(f!<=|8Me-@sN=NYdM z```5wV*drkZzlS`cjo^ov_ynVj0KE;&E3xN&%>*lI{epG`>mzO?-lDm(+NKQa|Ij# z$mySukkOJ65K^&G(K0YHvoI4=vU9OBands}GyQrA95My2XoDjGfkArUbx9X$gh6E_bp-!pyz@s|>kQqnTAs%q*Qnp)aA#wMm_<`$M#PR=f_ zZtfnQf$xHXL*9pm#l?R}NKE?pDLFeQH!r`Su&B7Ix~8_SzM-+{YiCz?Pj6rU!1%=E z)bz~v*}0X~we^jkn_JsE$0w&}=NFgItLtBM!2$4pChM=1{T*G{AYBg-5a1Dzf6)c^ zzzr<$*a(PEIFKHTDI*&>;81b;qu{=X&8qA`rRGvO!h7R5hK5hWy+V8Zi?lyc_Mamx z;Qtk6eyAi8w+Gc4@Rbp*3pR#!c~5b_&-_j zbWW8kCt`J#n(J#dpQ#EJ`$uQ?7vgjgbBAE>OtU~{8^!OeKA2366L3lf;oIePoy_av2zc5MUSsp=(KG#Lx^{GK*KR<~; zM;XPuln@E)ue)UG2hox?lE77h`yVV1I7@t%F(*~Y=TMPof_cd!{3bsr+cU^#ZWB=K zo_%2yo?E~?D}=0&RYj)|G*#L5EUqL--2!n1$9N?YhBe7MiY#74$?DxBa}_KVbOaby z{dG3}awTk%%g_2YWBvD-6{<=_*WXOt1N+f1KWmM!41$F#1XnbM?99x618sQb7x%!& z=sU>Z9kWJN4g1ymdtm0aZM@cM$NSaCJzQl8F|q$ag#LatkkmtNBXrvCD(`_&46Eti zwWcPQ*4wCzKPyY%A^uyuPozU|+XdN$8E)&;CS*arNx|ASUyK85nK*Nqr9(p4A6U*#=D+ICO#_ zC`wAo61c$sp#qm+bPrJDSKI?{A!qR50{p(|!gs~q_wTb9l19)yz(H|+4 zo?_nv6<3fvtEoxoCywtRC;=cs|HV^{nW8J5rsildov!g)^?gJ3or)a;y*Q zIe4ypscQ;sDz4I%CDu*8A*Ad@dMM3T2+HNC=5HL@NvDGxn(zZf=jOXbIO9a?_ZM&# zzK3-SBe{Yl`=4_)Sv{>&|isuxrmd(Y_rkrtt(u$G&29V-2A(a644<{Ac&Xe>)FzYQ?!5 
zFiNh+%6=Z^#6-%_hEX;rDI5(Kc)fj|JU6VJ!@|kO^!V9zn6i97&0|Z6ItP{8$48U# zf_D|F^4}Du5`{30PMph@P@(X0M=n#{J)ayrn14`85LgD^vo3nwQK{3YjCgXzdZ*P)G1Qyiay5;pX5ocQ zPEeX&4LZDu^A5@#a}>B(6f134cTvn4%eqMF&bKMpd6bppP{21~2%5B#7`d8eTFd(4=QaN)JhTof#P;ne)I00S?0mf9 z7q$+rZyQGoRL~x4O0PKEy-UUqDV?{{Nb(FHdV4cw8jBWx_zwBJeC{V=Q*Gknix;v% zgcV9C-7*q*%xcAx`3GOq(44c^5KTs&{oO2^qEVrOibpPGUBo6coOzug#`XhUSR6gL z8h3au9O^q#iH=QN1@E$C^+v;9wI7=Y*4zVxbMqZVLr#x%8(nz!ie;!tH{>1ffuo#T zzI#Blsp9S~`W}d!$r+OnQulP&cvl*b|2Rn7NrACS&;oyYn%TXd@iBtRf;2o{*RCik zH>;C&<7D~4Id1aCWm7j5BJw9uB_qe01|x~itc z3@0C&fe3%|ShVHyEk9W8xV3;9@y|%7{DqoOjDfeV@BP}nOt7!j=NQtg;*(R;=1`Oh z6dqw~ygH4BD#J+bfs6%B7_9dm=-I72nh9YQV$ESoDd^{pDX9)l^M9M(0#M{xE32#G z>6ChyGiNgzS*RrOJey5z3m1aRgZAt!uBkROhwhJNhr6jG;G{d|SF*M~ba$QJVO(pO zdf2rx$z8b|<8(K0CcxN9V1T_Ik^Cb4(YuWihWxM1C!5RlA-3gt>2eE7Lgo4agXD1Z zqCYCcv$GRCKiKUplv`>9F->2@wnQ0z^##Un$y^*9^7Ra4FHx|AI!ge!5kh4h1KOjF zf-q;Z2^UnlD0~;k(We-(6NS`gWmXIcR&ho9B$r>_S*S*enk9Yt{*NR#jnx!#3lq=F z*I1I1n0$|9M0|hQ4u4isqpsdHU0SB1NtZ|*N#N;F+3WsqaivvV7A)!JXZpMXL z(D3J~ZZ7##$wpiHg(xt+GVkHqH-ecV5EZL~_I=da&yYTq-xVmklx8 zZ}xTWqOyE2HU@E6UiH0vY{~pc&-C zO1`NSXSYvkm&h|;P4*O3G}1`w$Xudo;%A28w5@A*5@%->tpxd(Kuz6y;2}c!!H-IA66+p{kv!4~y4iyF`RmDBmVoeZ8#zva0HNN2Z_TY7TH(~Y%PKSxV7V>&Of z$<-%BhG{!G1r0yKl#nAaP)*{IqX$>fPvAQf_B#*Dg))L$3TkTU(bp*o0%@gg%21~l zIQsKKxerr%lp9w3NHjO@0s4XhcWeFVu2!A`;#!bhGUa9-U0AeaMlDHe;W|I* zN9=b{8~mC6@jt2Y{P$}p%v@d5Cks$T&APgXe(q^5DPnewH}BxCrqigKdP#&L@Ni8( zMFHeBIrKzy0m>@juYUTHZeMz8`f=~FN+Q=ch7T=~oa+s&`@SRI-j0Y1((D!b`fUnkCe&CW+;yiPGjz z0SOpCzu0>o$>8O9m?LGGvzE>v{CXZGb8RZRumjF@URCGD$(t} zBw=cC!h(+?h!ivE5g_eF9Y&2lm&{kRcHfet$@VF#l{Zdp?}6CSX)pIcNlB*bmawW+ zEL$Zkh`_qH{ITrPR~S#j=wZ#O&B{21@{L_a$tH0;H|pQ)1%^jgWt3g>wJ=+1oc5E4lPYKC>QCx-Y~H(nNcybob1-)s zFDx*j`nkezCAQcoQI}{gy4e;Z)Cz zN6QseE4FX0z)#WmWlK`c_-z~WI|J(PH~mi6Up%a>VMv#^G&=NmNZj|pEt=wS$kU0ss~?kWL|Toxk+_#oyfZhqZ#g$&_og+l>u$N6=gQ;Ptl)|8hvCp+vj>i zmuuSS)|48h1Ej-66HbdPrt%CIN;r$2$RHg1IdYA(g^7?^5({s>cNWwwX{^~5_d#PJ zklAFgNr`FNH${I@jUIFup-vmTJ~fy!rgIN?V63&|hY8gm9NIO_2&;cmmg7e&=9GB` 
zXt@0z6^CY>;Pg0z`2L3XytBp@8P<;?O5qth*0E3y1GOMW6}MdX!1IyYk4g7HSYh5C z&qdj7*>&|R@ou`7fbc`tne|WgmJoB_(rG?>z2a1k;OEN}-pXze^Vh{QGxoa7q>RbW z{W9K85-WrhSUAX#C)usjL^k$Zyv=}Ob6d@krG{qZqM1s>UU#CXDDF$TWw& zlDh}GHN{D-(Pc=DQNr*fJ>e88Dko<7PV2Y&JDXMQ<_pWGZD5wTKf#6YNG6F?8DLae zi9Nv9R&1b4vnjQ#ulC^ejLhrGH8)W$;T7?lcG(O#!+3F`Tk-{y(^A)|K8>>f8mU_@ zAF3!Z&W<>pX1e|jx6qDfK5!;Ly2KizKPQPVyB2oJeY`lKPOf|DR=;4KT&;*#!^+bY ziYv`Iyoaae6|eSt!J^w-9jH{DIK3~_XR2S`NKL)NUn=^0n$*VCSZ}5e*OPVzyM%P& zF3?y#>e^_AcCEj7efQoKd|ysA%-6M&B&w{ezvGIJUgG0p^Y$BOwq*h;`7C#`ZIXG; zY`DGv1szs*zyWLjZa>YGjc%u>Mk9-(Rbs1G&ljbus0NCo$4th1E%{|9x8-{2;65t) zwU2hKVF=-?7)0NhtS(r-*#nI)WNvp~G;ZA@uQcSzP)~f`>iBSVVlQ=z)aDCw(psJ5J+x5}?$~VoYX+O(dl;TzNk*QN4ZA?Vb#YGjWnXC^b9#N|w z%WFFpi6$?4n>3TeH>w{ww!_tr9y^F7tW3<>@J#SQ)Xx?-mGQmva4ze@&dnEE9QxfJ zWc&!kphg}9S;@FYf~5f`gaN^pW`Io zN0tuo6`suhe2df3OHYQFkkFcDPFD8e1p_q#)uTXq(QlLIBg}^KQ4Ob#zG0>dU%sS*RZ7D4fm>zZbjZ_yyNR>_u@}ZS6gPQ;;3TjPp7>v!y0P zY2tw8Ajz2kn_Gpw_;UwEYz6jRimmzB&tvld_U~8Ml9?vY7dq(p+RwgOL6!~9;0|gu zV`1Z-^V>^kQJ-vO8m8H)YSj#z)yVdvyKy1y#r1nbrTs2PKM%#fAhJ2@Za?9uSChKx zfh_yJzGZ-)wWz?m%Rm40=1Aew$`{hw#YXQ!YBGHsWQxmqDT9iY7Gm~CP{UVanf!7O zwe~w9URHjJtCAM*3SnR4d&zOa&SnQ!eTdisZJzRGVcGle9t>MMXzPnVK`-S*;YUz< zFs7|j5#}wL^{Ud^^Wal~bSG1iTWpu~H3ztqQ0X(pJ-4a0I`Gig`+nSdx-YX{E=}6% z8YNBUHHwsgx3Y)^?Xqiq>Ym@(WxzZ^eYDXE_MA@CqI$pj9BI~_J)!@mrzJySa*rn* zw`H8YtfI_>hUTK0rLykPBO)1Ogg1Vyf2Rlj59oUo-AgAlyBQac8t#EH8(ln2wa@yh zQq2?VPQ?1{M_h&dN&}jrWw>(@6F%L_{9<|EfBJ%8^mC54?bpMiJolKHJ9Th@d8a7P;S>gNBh%1Ysk8giKW7E z93!&fb#e5Tb#8H!Z=QMae9g7bSG|{IpR1gafwgm7Nhh@p+#1)mfeR|1wF{b1NNiF-?(L#eiBq4Dahd53 z1>zZooMLrVL)+wSxS~)`ZadV{-11W}G^z*v`;QbEB{&*Qo6;SJtvRxvd7NB%xvb1g z=Wo$hn|TeRTPaToyYsh0$$gc!sj-BIk241Rgk@l)+lnq1LCurYAFMP5;%c0j5)$2$ z={g?90B%7|P$Sa*unNqFQU6_^}jA zUxI1Ke&VgDMNsSZ8@@tGe%nugOEY8K@Yp@zXy65;3sT+@wV{OX{x5P7iV~5I>EyCI#{p zc1&>#wG_QPP=xVI-LfBoX3&w~_pe^5&La=BfO|{iNRHH-JJ>259{=mqW2<_qRkHvhzv8#~n5_p|PD@xYC2`fi_)b4PG zSE*(2u)1O5mfF?#SLZ4>&W~PW3q!Z0X<#0v^aXn4oX;NnBM7yUgG%WRkEY_ 
zT+z~EZL22Bm;_$vXU(7;j(gxM&W*0tV)VkSd-=Doo0+Hf1Qhzmpd@xVNLXvDas9;U zE-HJh9}r#V?xY;HVo2dad*B_{MgB2c2&{afOJm8lUhi&Obedc^G}RXmvqLxNxUC1177z)-P?Co1GgopP7R;$=qV5HvKqZoJX6Fgp~(G=DrNjwdgw&bE&z2gn+ zvm?r_uzSxrO{x zDHc7{5`MU^05PEGt#5)=gWVpD7J z#GSff>HUuY$r1!uC-=~W|S)7lOhQCH@P>-+}PFa{gY7ElBNoPt^ zuTiTwt!<+Q!%WJJYZ$U~(pO0=ZU;XZ2XRG?KUKa;MvC{Ol4Y!vBRyt`Y3hp{s3Hx7 zP88zzimokP(a#;;xetQZs^p`#Kpmg-g0<=TN!IMfkUbUNezm8=>zl~C2HU^ucr5Cl zaiW|8Yo-N7M4X@SAPnp95oGjnFYK0;;wZ%33Fen5dbwh46$W&Jdq%J`;|u}xp|(Ag zx_z=p3JygZeFxQ<24|^7Y+aNSOnWmf-J#~Xp1kI5v&LY<{Vq_vEm$`^k!gIsul&t( z{&jNHzK-iNN+oBbqjL@%rGOtJ$4FVr3;6qGtj)saJ`O}({>JJrg?skMrAUpB`?{T$ zj^ZrAt75E_Z0}9RomHvdXdV39k!W~%PO7CtWyuj^H8mgL2Pf8b2vt=BK(C5l^!=oTtyH1@@Bwzb9! zpt=XF170A#=(*w_@{I1>cd3=f*{f&K@e;3g5URR>a<|qn^5L~jc!DE$Z&cMorF?H?*jX}*?0%Di1Llojs#XcxI7`mBj zAM^}a5`Nh>AA^2*05@VFOuJ8AIZmeiL1MMH1USJ~&<<?Z~7U_eeiB zi!_wmXcbJ=AW{%3(Bwb52VgI4L}7D~t?BZp@*3eZ8S!fC1FlZ>i^(S%(?4bIc7BS6 zx2?;}i0+X&+ymKjm9XDxs5^G0tCP;VDa8=S7cjEr&EkAPjD~q z+92)w&pTXwtlZp@*D0bXY4WknSnhYuI}cLLOTJb11viOPE>n6%uGa3H@NiPeeA!UK zq#1wqo9Ct?YY0A4JdR;N*HJ}a4F$rsqvayu#B|TJ%&Xx5shH{*BsqTiOtKxj$L_{b z$FAXY@vF>FyiBQ?Yb0j*Rb#{%5qyzqEi%zZFx}l`kMcv1Vpnc>sw@2}qbT>jv&cQx z4yBLtOm1xW)<(GBPhZM>YZ&Ik88oIZI{3BKmhE83-p?j0l210j zPVX|4#v+V={d5mF5VCLUyM||O8<0+@Dvp*?ey$OZ#YMq2pS;d+8nRG+PFfJ=OX$wm zlT_rfs{e>&@PkseX`FPb|0uqsiqs5GZKgX!?x;2VQGDiXSy}|q$%={sr=x-lO`M{N zwd6mB1`K=#`7vDc9;g$&hAY$gyJl0$ZPNOy|58v$R5;DsI0h4=U=1P!PnBu&&~n*9P4tkC1IE$(oA#cnyq3AXu{W0_8* z9J&Dy@9ZTNIN}s_q$a;cvXDJH&D|jLsNJnkF;kBYugyTW$e2~x-bW9lBVxn;kV#L! 
zL7m&2fi_AcFdkpUoW|Mg%A}3cyut4P(w0er!k)J{QaCJ`6JcrKtYEJIitzZ$&%4vU9!%Sew}thZjc3{MOIT`e-yZJdk_j z8X@&HyKf*aWRUy zQyt=em~)q9$xxe3&DbS8^r!azHuU(5F?{C2Qhk}x_FPSqm*|JezACszTK&No$4A2N zOGcql7tg$FIX2&9I%YgY`vN(`LLOD}Nn(}$qB`chKRO=Rc@oW2zW!2rCAM9I-%KsW z@7a08=CifMyyl}Tf-=MyZ<_qar%yXS$4JHcxA&8hr{@>8g&xwKib(?rXs_vi^u3ne zEPAw*rd>0`qdT~AVeOo5&i}mkCh^InhDgwT3mn%T%)qkMrqT&`{a)p6U$tV4BP{cL`A0ZkVBefyv$;TS#79K zzM75<`EM-8aE%?nEeDnrQI9%Kjbyt9qH2Xw}hRyV_HDzLQOr8;%+((`Cs z@mpm-JJEcqmC?rq^0=35K7{a|^meYAJd0$~H#m9t(2#8at2=Kv zHOw9tr=8|(U+gD&r19|=-LcvmeZf_}pn1u#?axWlL@!PwzrQ_DPL~$)BtC=SLgVGe zrUh9w7UhDPR2#9y;GC9dAh8C>rMm`Cpu4Msn2#cv$S7`ja=jAb6c=CeF*QE%<0r+) zG#B=1ndzDlA*zlWz{Gk<>teXzUD~aguOR4fC^iukVXDn2(MH=i0L}S|Kf3GrdK@#! zuBf%WIhLqz-MsFR!=AOl4m--0PC{L%L%zq!0511lR$byVggB?eZmk)W9YtcO@46hx z_8!!avS(aUMx>FjcjEMCGiWfU#TUKIf_;c~jVO4pRKVXB)Iy;lc*EvkVQ+)Ftc)>I4?zkh! z{$O^&aG+8gvEUO;l>1911;x(~K6OV$*L)qXU=Q889hO?1=??X!__0lF7Fi%wyep9U zQBK40>8CkN(v6RPBA`1htBgM6mY%J8l`1A&&`{v8e~{sIIU`p47GN)=%-1PTWO9wTDR@0IQ9@He~~J%U$zPFJV;hI>acP?Btu zO-y@a@S+1My1XSzbF8owC$l|eTPpYPN10ElMa#5`FE6c)@_#G}BCneVI&1IlgHKYYshyl96t}kIV*Ct4TqzPE+R}z*C&HevII(wI&6}cp zaMciXc4y*ijEqAYM-~l6`QXysTvE5ixI34Q^kj8i#xqbwQ%wA!A@vn%61dWuM0(up z$e#AWg)(|c)L556YG>HTBWc0RY?HmT(0Rjd)7hm)S;8^xKO1)W-x?xWdJkY}4;Dhr zRjcZNAt!Sdj^Jk`pHN8eGrkl@>cO81-|2o78d@Q- zzsfZuy+bJvF8SxilWKJpl@CAizL<^)n;lYLXoFSehRVbt+Q#eLePL>q>pA zs8cxpGmj~0ZV8l4eFOPVUNkezuPPqZU!^6eOxw{o-OkC6zJPZM&9q$W&;9Ej!E#<7lbDt- z$#dGsYwcET@-`OI-q%!lOwrh!WFMH)1MH;B_kft*kFwQh)NT8+xvZ*>D{oR+ipwJQ zJJx*!R7A?WgiIN}&<+)_-q_fQ##R(t4X(+nOtDhAJC`7zmfPkN0*@58o{@Q!J1Sx= zU=og$TUMHUl2JG5V~%(Y!?U#zQeTb4S_nF2p{6N)8ua|T&m$&`_(Jw#b28&m`!HHyaihPSkfWZ>0uAsXDOhQ~Ru z$A^!=+o^3Y3{)7Pqc$OBOnBqtSp>WK}fM6LW6A(Q*` z(e3{GTF34+t$Eyqqp$t`RVvLb@XUse`HB+T3lyV%_31&_^^0tt#`YTJ< z7+Uwh5*Ra1Eae~7JA%V3C4F%ZaH&&9i8kfzcoZ>H{C@Uh_W-I}2xN;7ymdlmZY_j5 zHKeH%q+@XdJ67XR@E3(+k1~%qMm;tD0}zmdes```uGqkX6A6AdRvW#Sa=170SqzqP zVSWNxCoX|illWeec^+$n(RPRXJQNfj7X%!7-4_-;(2q|?giJI?|L)$29OEs0G~Bpi 
z7fx&*B}9^^zw^L#Xrm<+QHL}*eEZy417^&y4~z+Na7?SIR$mG0PcoC$jX?J~$LRBgMX& zdI$+pX31RGsh~1Xh{DQ+(PV5$UrxP+FCf<*U^Sf4Kg^5p(eM!RSwqR1P@bOSMr{dM zcjEz$3n{P)O>L6aPM$6bNvVdW@?Kz5ZME_m9xg8su zA}N9Ip!J-62<}$_4im z*~<+XpMeeu6KL6-D3Y}z37*TuCewhu*vWiyAJmXL{+4fiJzXkJ^0expEBahTIz51J@u4 zSAqsnDYvz!yoc=z_4z&}LE|F4w<0qx;ri^d$H*C8Zj@n!t=;xtzMm0Uv{QtZiq1Xk zX#%a@w-ot??%+H2G;x;R=R)ZC`REfj307Xg0UHE8qdzDnln}) zQQi`(qT#;$V=igp`^3HpE-bG0SJ(v~N(3`W62wFq;NvXdX9_FQZY7SzS8)wV&ohvr z+AGbE_v$~_CnL;SbyK^3`pC9cW49c~Kl})&P&yh;TT{ds@_?+35Y2(nry4fY#)@*T z{xj%9AK;mA`3#!L8Q>eTn-x1-S)n1vt_NV0{#Tu#ig(R?b{xSZMQ^8fR+pnM3^%qU z9U{z$o^cOZ_lgKZWhy{D@+f^#2O8h$c5+3p5-_Pd1n*URoNBU`>Sr&83%7r!8Sm|L zJlwcEf@G-^9mIoe$vSn?bIQUo*vdu13)oA&hLlO=(RUw`d{49CnHNRU8Gblxxiq`& zME&F@U&B`|cKaUi4g=2TmU=OBrQ$Y9C=%+V>m)-U+nFy?=zpVT8ObXQ!^|XQ*lM_F?Pv1wuOA zJz(lbEpmI7`S8Op+ZI?%wIF@nph0V%;trTD`+ZAa9wvA4?`Jr`{U+Z-`!{JIE+TZG z^`rOL?KV_k^DeMl^h{TyTg=BCKc_%%RxiM)F*GZNv16`1aAb50m0^gNDb_JidZYEX zCa^uG;Lsc$cZgKrtBJs}8j?C>o8F&qdNYc6e9N1sWUG>A>-w^g6+XPalwoiGWx$|F z>hyeB=QJG8HEfFR=Le@wxOq3XSh`Q3S3R?rzN^UgMh4y7bDtle*kOn$W^$BU83&!R zIFST8kCVD8?7o7H9Bp#OW7?2+LhL@}JKw%e4+!sJnWn})D7>Wc6REAx)9fC3v?Ia* zH7~NfX0hhEuF=H$x zYh2J<`9)0mL-tkn-tcMH5_WH3D;-p`U4*o@=INqz_RY|veKcvP(z~afKC5o##Zx1Q z(2O1fK7Cg&>$`^vA+M%wxxcT)%O<1Fm~Opvwg4jD}xu({YFxDRTCo8_%m z;FfJ`?BX@(f0oL4o*HddW*6)xf*GKQpMm54(ULE)n;;^F0&DOMk;p5)4^^4AZWvvp zYeZ|fsP*)2je9VbYJreY|= zH8cT_#0V=m^55Bu9+jrR0>GQnQZ%fE;US;ub6mLp zU_zu=P_s4vVoK0}h**Ge*BGiY~WLnZ&c$KKDZxzA_iyh3#XvW^2vD?J=g zA;$fPZ;>4){ttO0Ipy-SZ6UQp%Z_oq*33DNieEg&FaW*4HAzim=cR<4BQ`Xa@&0kS zn46jkKX&fEmFSNrv0a$C1st;RV4}?GEy_;3f|+gF7Ce4Rky$p^dz7Bykn3(R-gCx~ z%z6`$8m0e!bIbZoP1m!g35U6ZC67c5d84A@3<9Q>%a&S3YYmKI3*z7mlJ|=TbJBR< z?ejjALv(VM@6f^>cln$PwOMa06m+?U|+3us_kLYR(4p|cjk6q zP!aC`0bPPMgLnC{y7R-S)uE%ARivQfK>g#4cWljkR6Fm-SafoJm@0>Htn%!B>=leA zYXOAwo0%`lkzsfjQTFyc&r!i8P|*Z6K!P?{5ootpn7)i|#;`fY?09V9S=0J*s7|Y# ziU{jl=8B)N6pis{dYT1%_C%EP7d^-bD6mE)+!Z^hNY;A0stPCCA& zEi2bH>@48Dv7vqyn)qErY!JVLn$iS2-j6Ga0Y2(3b2V{k*)GtiQ9~vtZh=N)hfo&` 
zyXH9~PwuEGkyJr>`UJu4O2R#9U;iEe-RV;Iz~@YGwH0*?$d3%W4N)xybD@e|bF>Fh zV@0(-Zy3FAc&G(cEhyK7Y-t?Y$r#|N6}y-A3kq98RqC!G*D}g8SX3uIp<>WCjdnpz z>|s2jVFrTrqs>}Ed_H(Nt7nfg(c1-A?iMt zNy80?U#tS-C)d+&?K!m5S)lSoqS2x&d{D2l-W=;Vw)u~?)Jt}bPvI6KVq=gbA4wwz z_5&gMQ0=v)$6HAPlJ&=``x*qY_!eLisy`nfMp_cU51&#S!D`gjbfZ6M zpDhn&0-dG;L>Ey6^z`ug77x1rlCeyrL2<%ibq`#C67o4uiT3ZCnyQev+t8>E30yVY zKl#1>q96RW{@c{R>E9&{>MMrElLZu6YwqW55eH`xqmqx$$xIP0bEvaMkC#s?hK=PO znbpJ=ncIli7w6Dqur_2TD_DxG7S07)R}uuC&w9(P2ny@CtDv&+{p64Vr zesA_*X%UibhY^xqs;gNk6_mTv3!dqzRcgZNRO2eUQ?AYdl^j$#*QE7-@F`oBXXMXr zYwROs*d`ux*)gS|wiDeUsxcLgrHNeJvYBeUD+n#n7N*LB&fkWsDN8t|`Tr#c_kjS* zd*yahqX0|?t)UfR#*Z0nV)3KW?q$Uc@HjARGUl5&@DS>hx}_4(yrcykzQJ`{nU8#K zxw0kaP2Plz<#)RucKH~qjd~lgM){RqSU={B#g32TzY6kDdo@j=jL^X@)lBFbl@rZ>RmLn&4-~4S0F!6o;?#S z%{`El-ZYrvUcPTy*BBv#-e(+3lEX+yeNtF+Co&;h88xWj&$^#I+&7WE9tTm8*C}oZ z%$vTvB@|GcFK%I(S^Z@8%Y~Zx&vJrSe3@@~C~$6tE%V9Lw#}xu^iX|AHf^u8UDq7% z0k3i|O&dFcSQ}i*gOgDA@YuY|dFnvaOWi!Ok zn=C8*Rb?YQ$yg_By_H}H6sj0!jr6hWvCVs5DrsO>H_5wJ#htU09|Ua5UhO)g&1huIaL!5R&k8zkM`aL1eYN<^>i4;SgzxVB`?c2NA0qhI0(~p#8%+| z&zpt)x~+|F)vf{ibaEM;ON9%!db2uqDXO8zGDHIc!KzW2)3lqB+!!J!y1Jlwkj)~+ zx+4Bb$8}J*EmJXr8l1W$01u$$@rLC7cr~GC>8diY$#Q5L@y(|n5BDyK>mqc1pr>~F zNw*h%#q{?4kwr;9v|3{75V1VXYx9-bXG6vr|Cua15uI;;*k8`l2qc7*Xc%S3$i zA!B1Og#T#|p*ku#6pwW%uVqg}exq3v+gyMF#u83f}t*kyAZb)S?b( zcnA#yv*_T#gd|Y;?e~B{lYdk@Cpsu`!sIK{9sYwCmdWTKu60YLA&|N_@^K&+#$h{iOdB7;o@d9%m zI1Cx*11Dlo3QKP-Gpz_>b>t^YwKYoJLtyDH-iqKdn%yjo+6dc`HywBVe@+Mw_7#m&CsdK?RfP#h^0 zquH}9L@;XSvk(`k&5Pb9fhOY6^3Vi**#`8|r(#41U^WYN6a5|B8OURZibsXHTh{xk zSGwntAA`bdypZu0x7+%&t`!;!tYc;9k{mX3ZEA;m^eCWMxK?vN)3Ulrlk<9G;&>+o ziK-yWl#>^U_^xP!#+Haxm4hh8D5#g+1g`jQJ0(7rhyz6fp*fG>E{50_yyQXPK{2ad zN!~L9Lcip42>qDxcasd}$G3=+9#)>@Om#u3z6Vywz+5s+(73eB1PQVz{@ZqS(I*p* z1G6UHrwVk_-F*q)Hv!QO@mQ0GS8Pt4KDY-4lj-Jm*Zb^!vm8{mTUo|jygIB446Y{d zSO^AOmR;8Um?r1Q;~lu<9r9-7m{Y4;nz%SFX;jNOY{{g&}J6PNLNv z{YYkX@+>ht;F2TT=W*C*GxzejXk^`3C-zCL*RA@r*)j2n@me+I}>0hj0&^ 
z7#PCnnozUCe&PqO(j?Lonz*2s3U?G!{Emb)zcf2{O84E*Ws#zw_!m*dU$Yot9yb(EZA9Ux!Ayv%l=+26-&(3$- z;X75)pf!TAy@#(px0zb+l7NY1L0m7&pI`J9MOR%U7Yv>>I%-85AJmR)?QiBCLO)?c zPdgn4VtWfW76J-SXx20Sv^iTT#$p5MV&9Y&P==czPz=;ClD*;f(bj(vZ((TdG8t3RM)NxqoRnQC`~#jAW}sj zbcl+8fbAeL)?xSyDx^OtXVhxnbS!R;D= z$-&(Caem-aPN83T_YBP1EAG2&+qx1vwlcMLa@^2j@MpLUB*HDs^G#>>E07mgBY!)W z&wXK&aj>dc1$b2NV=Z6ROw;Hp6g=Nt1`YU_yU>O6SJmgzrEk-Z`1VA1zR~0spR~T% z8QGOW%z7uv#g>t<&N9)#ZzYbDmsSiT+8fhgw~LsfnSFUfV@BreRc6;}4f7vL=H`sg zh!S(^KP#hP@MBsi|GlPX6Lvufl}A1s`my_**;e?$6R6S2 zb)bbnCZ7bbWp~9+K{%;`Qo7kX%Ngh|yf1L25pHJ#N!krUuSw{blWj%u`~ee9C)&$( zzMlkhqZ2aX)9*n3RQaLI+`+O&$TX_TcW9a$`yk?`3Dv8GX9bx9SH2av0#Lw8T0i?d zsGyMg-7C?arY_&s_+%{KY}U+5V3%tgkLp9CifzSyb`9g0-5{DH4@yf$#V5Z^T0xK8 zA@*l+S8L_6Uok~Pm3}U&eYa1>7kE*z3M)l z(w3^^n4G*Spzi;~BLNlV%qpf!S(BdWw%wY_G;%#6D(^C5Dc?BtW$3q!-p3TBc^JxC ztu)Z#MWbc~QLXHRp2ZoSqT>v8kbG66;E=_cOIp#(AW}U&mbVL%0RtbBoqAT8&U^{i zi@Cqnp*%gSO;V|EFo>w|l^ihbSXy#ex`en~yhtjT-v%b{=hB}&%bjq)v9)1ac^D`p#wyaV+hag`0%*>}-qTz=iIT?C9RIpuFo(&tWBU%eeYmSeuI zdISxW6J~5SxQ+|W#zZq?Jgid|zqVAi5j{{{sYuz~SI;6W2D5Gruj8{PDDzfZ(^oNdO# zH3f5%_;=-D(cT^!YDc=~8aOS1LTts6qSyA>JqttNVHLzn))Ho+(G=w7~3+6 zVWKl>^OxeYmdA|dRm9|t9X85Jjta?@%91xFqi2{ZMo_f#yvn zdA~r@=E>oAioY3SPH$ca26&0tr|`RxfM?wQ?HN&jGM(JvN+JV@a^P8uk>G^$G%c31 z+WY2>Joq2oIzqwIf}4A2W{7Go@Tq?U%dG+lJi1#2#Q{w~LV?A-9MarAM)S#ZT=lEyn#bIK?C8N#!l zWNjk6xq3t(i8lWuUbjSorr9Z;n1k)z1qWIx0w4uQ_sfYh1_ zDsc&h9@RWK(VYQ|^=m&){>Lx8Hi+R`nN0V? 
zKp854^(>oh`lt8H&sy8~9r#{^7Ge+n$D}+xyB}PUM%v6Z!8$u(65w02H_iL1fA@+^ z-GVh+tBSNB%Js-%S}!dMraQ9Zx!f@bKAQA^Ge^}s(uvxn6vuh z`^woCW!5QfwRP7X{$yw^1$-My{U^1TqH|F@jE;sfO``R?J$KuaySz^vGGtY>k2Xb< z7YS&nix0vDihS;mGW$}PyYTClN{k2Zm&q-~jGzzZQ12XL#%Wx%?6h?e4F%TH-AhZQ z;_)nda^le*BZu_$y^b*QwVOIBqJCre@3IO#G4C{+N+NI+#6QRf1y9Vw<`;av=bkw+ z1O99#6d`B-bhuJlyOJuwwYNo|?czWg)1YyFSJ6P`RA5?CuZB5VGmIo!+{Oyn!6M=?OoDzI2f_Oo-SY3X;UX}Al}kscyO6*+Ow&_;*bj5uG8X{Uxh z=hCv;b^a#TS3k7XFIO{CBVy z1)z=eiQ*UDrKcQVwTX2A9{%)-5db!+NIN6Ur5{M`kcLfFQ`i(hjrMMo z0fX)K3-92b)<*W0BO(k*3h!#NKUBWF4MP@7wWaMnnetZug(s!Eu_2mv3s*-Y$dzr?BF_v4>g6TXL%!z~3i<+THvF%w#lL#b|0mXLC-2#hoPc?l zSly9v>TAmaKdw%TIS4_%r7lTurE@Aq><16zp>#vvFWmQkN3>+8m&#=CBIdPw1^&GLj7ZuP6}Z{2kfP`Vl;eQDvgYcJPn!MlRwej? z>N`A%W{|^scKR0{erRuL?f2g#HhQ_D(~IZX-&Vj?om{Or?dJ1wl8Y-2aQRM#E5lKK z()J>6hOzfrg@JDGKpMK@LHX#x&nlh9G{?K^WY4U-0jL%`^DjL5!lm3H$OZVj{_v)9 zdOM$>^Mk;?qP}t&3ML|xA4~XbpOplvs_=Lz?2SOQjUp`^Un&U#} z*zNCI8rIgp;?4iNa;Sf6hj9FHUjVuMVcSp=OP7dXHXO03n7uk)8G7pY`cn%FV{_aF zc9=2T0YzhW6qRo&d+uXeQ;L#9%bElS(;?Z?o{xckT6QWMU41dp<|t?RAjmaZ(oEbq zQVAA03YsOd^ayhuqoj%5D#&Xd*VLou_mu;O!_*fZ($W`aI*m2njKDmjSPi76y7RtN z{SsDF%&bwZhrDsR+cLls3@FLf$=~kn;6!EQwlo#D1a1Ov(l+w9*ZD_$wt0TYf+fVv zNb^?JYWMWhnT^W(-n6a(GORF1bcMCE0@3!#UIVK77hbViA)HyW*qIj9UI!fzO=xhn(XZ`e&{E;1shYcAx32P*Jk_0q~Bp4=o z-f*eS)Ln_3HBtn+jI&&AK5;(fE{y@4hXAVNQ_G+BmI=%cTRV#SQ(&(#0kc zOs&R|x|D~OS;zb>(%e#N%k^@*#(N*f^*SAeD_?x-l7xuK-l(ZTUf4omT)i1TCm-Ja z{^pkUhfTWGJ;bW#mltSi!8&V#zys`~3EF&<8h-)D?|2-PO8!79;yPB1)JBTq29h*R zyif^z(kw&PJa4It4l^T*pC%rN248TVZR)$ektWxY4)_Pke*f3k8UHgms%#q$mmtCDhVPZjaV!-NZoAk z2e?5HV=yo;I+Xv2@aJ#;@yEdDk5~Uq!XS}zYsq2N0j`Y3s)%{~d!Nd9>|7$^(#chu zN!#&ZbQZjMq3?nEpynTQ?|+-lX#6qP8B>^A)uT29%8^k%i1-kU7+@`P0nyCD7 z*zxl2?YC>@^g5AW_P%bxuS7o+bv?$~>`v-RA0=&sePkk_?$k25cr2Fo&GgfqobXJZ z&(VtFY0#$X=IR<|+R{M{_^mswyCN*njt-o@k^Hx>z4E4gt>?aNWBcx{p_~nyyNE=B zJImv>8$LDS=oE4Yzja-?Q&AD%QXc%H?B}1gXC!fco_E!NQfqt)9c>7-03;8J#w|om z6V75YgiYu?YBs;RJ}UF#lx)cFwJ(G*uEi&CT+jYslnC0~^jJEBBr7a7h{7o((-##K 
z)@cTNCZK~abHp4-AXBZ}ow+AOXQ+M~dR37(>2PHY*I6yPgTwQ#x4bMIr#`P-eFn{|4rj@_L@HBhsYkPtrK zL0pi5ekX}s55EU;taNlulDT2HQgwdz{#{hl-nwU)tV=^b%;**twSiL{ zZRyFLGJ$d$cx;X#ZR->>A~?v0)Z!Ml&DU#vQgD~92O*q&;CVMUTbx&=(fJ|JFQO~n zkQp@|6M$LE51PKRQTO2bdgIzGek8hvW4=%ol21$TR4M=yQ;+MdfY1YEfm)$}%J^Yt zBG~#P4G1^B1%x0MLU2$pA=KVLq>r|)m{d@depKWAaj4_N^W)Z-Gj(nGEjkR(Wb|$< z`6*r8kyrtT*cUV!trvWSo%FtO!>enc)wG>@aiGO0sf)Zk1F94e8bht42)H@z&)Vt` z4QnhbEHzTv*iE@Z6dq=6!#4b&CYXDQnJ7S$B`TG-Ba+gs^S91<{aLaQpmQFpYE#g5 zm%mS2?Fb~1TZU@*=`)j7euO&qOgexh!&`QCW-m@Hn~pJHoQPqNwdk~NyFJwd)@K;n zJp6Yl`VzW=M^TmS3isqIFO!iboPXbYFrK@cOQXtA?jTtc#-I9Fw`3F7FPEd#_$Vgd zr^#Vxv=8^1E<-t>T|Qy?1XRB15+cB%T&2%Al(o~@rc82@)+RHiSW*{wq#X>+2?R|Q zc3t-)o0{`PV*=cUS7Yf>yk~t3nj++*N1_t6G6qjs65S<-;r4#^4l+U}8F@Hz`k(~| zIX0zym}n6VL%3tUK~d!GGF#`5SKB;IKb(yb0X?eLR`~uh&_tij1C;re&6ENxk7Jn~ zbw7s)(1b0U46YTW-FAx@ZWral=z2NI5{WVCjNItj7>GJU+lGq6vrj}ZGqdWb`navT zwMkA|c-JBvS~3JI<#WpwW;XQ;hr_`ZvvpIL$4K$2li~Tv!o05$y&5E({%V7=@8vp= zHwM-UUu4sIO2Yy;4hoINdyZ~#_Vf4%oB)FA+AL*&p!zaZk?Pzh`^&S*owUe59Ki5QO4IY>lP-_X7`(`0#?}Vhi*{ zTt?TYshk6yXT$`Jgp3GBAJ&tkOgB9pYax}Y#%MEXhXI)YI}c|&xcq0;e35EtgN#+f z6k+!6asJYbY6IGZnSf%L;DmK{PDYG=V;j`u+1K;=?n}<9niOkmv+7TzQ4d^*Mu7Ui zJcu1cUC5hjn4(?teEOmMzqh~47N4iTWzX#;zuX37&*!Q1IRM%7-9V5tZ{>PtqJ0^E zZfLreeo3^|Y(}QuXPS8g+Twc;-(V2!`$J}={pm>D_rDA|xc*PW=Kd`uSgerT>2 zXiKH7iJsN#dRsIOCr(-t(#!tfdcFBx&lGd@T`o>#5^Z2)jV7I zdud+mG}GDLT#35TOm5+hM^>FGOSMv$I8$lklz!c!IIVD>H&eQ~=EsaOa;@I?KY)zaNbzz@;W|?W$c-R>&dN^6fq(YEBXb791WyDN`9iwz(2eVUB+A$54O+hv|i#d1l zw>#ZSTMw?Rk1fxk!;$UQ94p^@FXIZ@#X8McE3<-0zBr+*v`9aH%IhW&8@G?Je@6d< zqR)-3&DH18(DoJ*A)Psife3~Y>hp2gXb_x!wmD>4ln^eC_`Apdh%ZY2!i(|WCAswb z-CjT;Ws8WE37esdh1+D@-@`$hS8w>|O?<_tCO}@4Gp5*%DLu@x6s|sy^X^)1RgVL) z@|4+b11UP>>B!$wxWDrG$HeZBSO2Iq?^?eA3_7;B(j+Fu6i{(M^gya2rNoXzsdKM* zPmfk^n|o`uGEgDOx`i;6*O0sQc4Z{zCp_T|^+7$&LaeUKIO{RhVD@GVWEyoGtNwB* z(}G%{7X(1gcJA5u^+fGAj77#JIhsZ&DS3>6-~@j41m3p~n*yw`Jf_5ym{z3#D)YQ4 z!Bkjz4)uagJY^hy5#QaCDcRwj{G5escTQwACwsMSa*dIv(aykp5daW@DOc*jZu4Q# 
z*I9~GCObk1S(5R7E=Bv~)O}{v!7hHeLi8{Y@35IVcMziGlx=HH3$)6axg^A2(jJYH zH(@7zik3l7J|-$9(_Ov)U z1f>?l8cTmZdr+E~8LBCgqS@WxR_!nMiF*+nsJ(J?R%V^bhpkA8m^->B=2Y~9 zc|5DgbdW+D!;_Mo={DY3DM#kl*|9AJ&+rzLOAr_i6AsJlDesxFODp|!ox$ZWEYH#9 zle1(iFj)n3i#eDZ>G!Jn`O_ReC2*5L9J#8N#{YbIrq*F3{$<5Tqt>NPhyI1q5L2{; zbmevuwHba#fP*l=$d_Lh=g+Y?`_ZbqZpfI_B43}du#cJy_C z-nAk(AI+pCf*<&7{zW;5znOJ40p9%6`&v6a?mo%^^)bYh1Cyu;{fb9~;%#0*`19j^ zGSp2UQ&w$JnqVx95ld3)oh=Crqxj_||FGm}nB|-Gb`De>{Ch&LiN`*Y-7tX#P=^DU zp<@U2()ubSY5Q10{CzfkSd?*+w5?x+gadRPRWObqm%R&W49`XykK1)m7ED z0p!pf+p+DDedIN_%$F5rg9liSl{N!?>Z=tU-a}14n9J+pMXUe;f$nby?91BROJABf zY2uljzx`g3BI?!-GQDU(NsTv`rW*`pnVjh9_Ia`|j6BixV7oZOFdk#UC$%$xFk3L! zg`BNG)zf~OmS*kOUrAr}Q$4C&Ls)90Kc2V?J)1ocSsQHca4po7b6G|$x|q88wZ;3; zq5}2SR-@j%EqI{vipe}VN*laWaiDy9I0D|DfbTj_3`&c}GSe#EZqoDlpc}!X-oR17 ziQ)#fF(**9&tw{^8?VdO7?I8++~kv3P-SbVff zi`1hT3xKwBs4shC;iGgj!HX$EMk4{?$@ih`YU6R_JOqQ`)|R^dx>`vRhb?u|SGSDc zQ!-DoXcjz9&acU(8h2^hFwVX;n6s$nn&7Fo(}b}%`op6RS$K>#HsyqF2*f?)f{?za zWnNRXK!Za;oZ-wZ$F6AUmxERlIu0Vv1d-{8w6da6QI&FAz$&G_c$<(=Ya&(U*@et# zt@q!xQz*;UL?26))~4Oi!DdG7@bYPpU0{|SdU&{VJnlv(Yb2;&9d7?*aDq8+<+OhI z!wfGahfA>J!5utcm2(p;>m9DrJh@0_`v~8pOFO&W;2~lAF_*@MLqZMiA+j^dsw&r; zm3R(l@lpJrg;f8nY&isP{|C*A%gHJ7+wiM51`@YAw6O$MbRULmE;a@>5=wTGkJ3mh z!DOKC*0-@`-%0|+Vn0xIOMsWZTx{eOC%;}~V=!7a@{Z6KV7<;`Q)attSInsnDDbpr z!T~*E_QJ}d&@_^E$AvmY`&{Sf3Ff;WuT*}x-3On8XN!Yg4Ldk&P&OWzhi8fo`Uc5K zU&M@z0qwBZt$#-keO#1AiV>oD7qUOWW6DM5A~`1k^b`twI-MD!bu`$@#c#=!__mvdOr^!q-rWOl=Ui;mA~=TQ1YR!0AQCbZb7(apb`0Xax8O9=3z3lI`2^Ka&4t`G)|h0CmdN5V5)!O%L%8L zu&};Xk?@rI<=5~6Je#M$Zg&YYtVSr~6ez=i7LoNuPC=`BxGXDAlByNxuv6 zdoF&xv<%2?LpTsVui4{?5igXjz~QTSly>hrM1rFC8gq+PwHxUGl=4Tc4z`?baPh~7 zGh|csF`|HkFI!|d#(y*sFeTrsNi0wSMY;ldsyDG=zU(6^qX))zXWtrkyz4uaB1DR8 zXw#l5Sh0mMT4qcbte^OheEM>3KJjY*#_SVY{ngyX!~>DJkQIW!dCFHyv^v^$(hlGq z|0(xhcqX_(+f7^kALo)vn`hqOKF*b09j`^9&EZ&GC}(!hEK<3vMa6X>Gy8eo$siMM zBtqC}QtQ;Kl0$!yR#rk{qdt%dJO3(O`qjW2fGI`(9A9gIh4*16orz^Z7#{oKhVf1) z32pbjBEY#Q4vY%_or^5|OM}n%=xA2CJQ}m78A8>elY{~WzJ5~cB*j~xC{g_0WSgjX 
zVNHLdC<)pRdD{;W46iei49ZhAR506pqU)<-OG#9{-xK>2eihu(K>K`b^FqqxDD)9i zep{5#OxPLY?$>&ytBur-iqL7ASXF6)n-G!RYk(Z86mA^A3yl^>X6&QGvHFIjzJ;IA1u7gHDsHdmIV_^Ob0;D;h1#gWyY$p{9*KK%YV@4pLH~cUy4c z2UYE4ThtASS1LE)@};V(`HGcO=rDcujweo0ozO;_5pExDOB_?2$@%r^#8xtbUdpQv zx&Xcu$OR)%`@~^0{UHB&X)KqI8y9SZrJ}idoX;(6LQ^T)zx_d%xc5fK;UQ?(beZGNW zqn=AvA;<=(yw1(@X@r=>Nxh_~+=*`crJ%_bYc-cu0_wwNB-c(_E7q~y@aC|Wv`{+< z8E{tmBzK=R5*~0Zy0WUet5tFAArr-vv>6lX2D(Am zt9TcmS9m?ue}KSXXSE}3C++0na2wbd*MBb6)nvY3KV3(MoSCTU;~%OGIX#|(xAtTE z18WV7y^Izb!2CTvt#9&AwPv}pOx_KT(e3vsdS8FWpm+YvtxBlTS5D>FdZb8s=OS7w4R+bu zlux8^cXZv5DjyAI6wPha9_$gCM_s`VIJ5nvgYciLz`Gwt;#yPy(|DrCz_cTB;zmePGSXcZg3enJ*Q<~uG^o&A|GkMOKQa@53Qn5Y}7mv(s_s*Vfb%*j!)9na5 z*>6hY>16!NCiTzSfXFijD^8rhR9YaI^-c$5xxX>;Bk35=m*E_B`YuTe1}`=i(8&2y zU2uu6PSN1w*Sv2Zil?2>LQM2D{pZHSrrGw^Oyunny+YrO_2;P*-xKKNe;KGrbw|VI z+Q!N7T9KlzvSaK>B?(P?zEa}5C^Jw-)x)T%8*eahH*lP@lNLCn(lOo5@Lc7!dz9?Q z{mVVOrhG(!hPvG2Y@2EC*Ci)VnM`>b{eDEn!5{@_n-=OpK5O>&*fni`8?W0aAA7O! zeistKvP+-r5~T;q;y9mH*m|;_D(0wP6_ry((_`03cX)u%^PCpC zHKyJw!p->Ekdo&a6NCL`+u4$q?D*ifp_XoixE_V#rk!?8Pa#bW)R#2oOmkPmr<159 zix34?lhsN2pC;d82pG}=pv~}{=QgF%TpZu&snLQ2_A*z>!>~(Et4IoQS6!l7@iN(N zv5T%yeur_E#e96a!$p*?mKeReWeuzC7unW{(!mR9YgfXjZB#5@lb1z>!UvCrQ zEvnjMDMiW1;4`*CK2A;ll#JqXnNjP~Cy9SZ9gE*7d`Ob0e8(+fqjkdf$F+FWTl|65 zZLTjeV~r84*=g!i8_WtdV`ihcPLAtPeXxyIM|*oqd^Dn#iJodf%GhOltUcb6Hs573>BV z1v*9*I3@r!NCddfMgV|C4^#>!;+&NP?UaEGam5kR(o=C7rz6`9vTf%pPGViEwIa!H z`!rp)qCK#zadt;}zsSJmxV^+uT7a8pXl2;qp`7-Oe*0sfauXf$QBx%;fx}1HM81Mv z-ZC*s3xk079*8Iksq7Zj#uDbQQ>skxzty?dY{rmz9CQj%6^XK5;(ZK#5gp<|7I9rN zghNx4B{9VC!wbLc`}c)74_%t(qT1omi|0V}M41Ng`Xg~-dNYhQV>a9?k`K#$hn{_t zDJgjnD8ja4IhIk8|4}`X!yf{;pzl2qcQkUpV|ok~3w>U3CXLnGXRo>57+bBcr#F6Y ziX1t@Ioq};wpticHZ+BO;DT0(1OFaDfN?aW&&1qHNOGsrA!r+NS!*#t_f~UP#@r1p zrpRCr3CD^AZlx2S%M3$q&Ms!cqX}( zVvNsk=0*Ma6jOd7tZ=r>EB1G-QD#Xz>6M$`x-vqm5~)- zWDjrdCsdEaq<(MNy*?Xkz4d^Bei&Q4!0|eqA5UZT>nXY{MgxF8e{OsiU{cQPGJaq9 z=o0JV1kreU>*?~5y$`Bs#Z8mfAzuij1q0StmzC8IQi0&o9^c+%tmK#6-@>D-$rep} 
zcBv15eZ>L3CV04Z7-Kt+kQ{3lGGq!iJ@=k^K`rN%uR?AIo+Hv79sHP26Tu@vYUChN za*(Ykr%?DWMNg5T-^EUfIis@Ui$0^n%lo(yq&Jdw=eQY6?k2ga3McfE6}1xepRp>f z3LHJx8u4NnX}mV<2nm>}@b)9a8Sf;urV%}<O_BU5{7< zGa6!!Vbpqp=cH2C%Srig@>Nue%z2lbxg(O4+LpiYh@B#DTGE6MrLew%d7euxb(M7l zynJuE=+wrJ(Nm)Z#hXG?qUz}t0KJ`32AUZ{-N9+N3d_fADuke!(zTzteB!LW#-t3rb?-UK?w$6T}2@H6{nIH%ew4dql z|Apryg6D0Yre<-C?I>dekn!**Q5bxCxr|HCXO_CU_r0Kq@Y>}n;KHsVjR!U(lIAZ( z+rMd5R)&yX>AUrn9)4@yOKitwsI}exB(vRPdOHNvWxu5Cc2)KY{Vf^3EBMhO-};{Q zgPIom@z!U+Ls%?`HmO&nXk{O3Q?xwJqGm!(cMs?G@V!u_B1fy%k1oc4`C;tjswye~qvQ%uJrGPM0jdXD@k7!jsqH2qbCGeAcXz>OtB=Nimz)je*t9 zH>)3W((h-F9#$ocnIr*|&j=KT)B9B}fbA+mt0}x9AB4Ptp>)CMz6%q#1P8|kUfXTA zRaMt&kVmhsFC{G5`nL`>_os$H*XwL;wff`y;>1UGe;9Tz%m$!6mM3S|V~9BO@0c3Y zL`ZE!bkqn--nCq@(w~{^NSOe=1IH8W7dc68#X|#=MY1_1J8t-8&cKdaCfeOpzp&cY zQ5}Nk4a+mUz(bo4wNmdn@`yy+Ctu$GieMyidpp~j_;#W-o@vXS%4- zd-(M!Np(pI0}<&~$1Mk0hR~nML*iUE=4$oH&^p~NgSC*cE`6a1hY=2_PQk0)9QS}qS=zZvH7iNK>qb5nX^G7U=*yfV|tn}6%R z{e*~web{KoO>2~keYx8co%jVgvi9S_!l%aXCCSN#FU>67;Ln-{w;n~G>(`8+rElf) zT0Q7jjR!SIJ1gJUwO@+SIxt#tKiIpF;0Vc5uf-jt%}s}49hIs_orbN=^AvJ>w1v_r zUGc>1WcQ10ad*9KaX}JNdvKhH0fIdLZNX3^7ei_=&Z6LihAMb}Li*o)Ge%JWM1e$pI8$whaCw_$(H{JK0P;+rjyK86e{#LzZGnO5n06PuBr^iWrs2YMx56zyf9Z&m&4gtbr2~4bve)F@LgZ$i+CtdMnzWqm z{s6S)9KX#kL`h}d3A@=PaQ0(o`y%8Fa_Qa*#I(1Disd@vl_Vl%Vw2Z9lnZ2^yjkep z!m(QVP{SXFit(L|HpttjZuL~ZxhA%j)SLx`Zl-h+?XPKG7xB^V37I11=umKou+38 z+w%0Ah+Px9A}a?YE#tL4;`*uf|^`Aw@(O)qmU_|KV$Bm>3E)Uz=DTz4&&?Euamr0;|eogT~fYSjdwMhki zi35Ss>ON8m!7+5C$hj4B-jxZN$iV^!D*<)dQo(=U_xP6``#<{rpSFvCfG%|LTsV8r z$5lnWD|@drOi8PKHwe!e2zdSW5NG>;S|PRe64)xR;JyN`EZF@^`opN-WrSaIL?03mB>(5;fpme?v zu-uonQ{Dz~xlcMV)%u3HU4Tb*@cmpMo!>!`NbW9Uz%RVgijBwCTw9eXfW*Q!Na2SW zbJ(-(YU5%4vlFfob$f?g=aC0>!E6AZJym{ zNs__S_=Trk&6ZeL1PI}EjLz4L3N#39dIZLB9p_uFlTJ>hv>Q21UFQt6?xB{W(jOow zQ#E`t&+RG6G_uqt2h?40F|7D-c3|d zzeOG(&UiwDu7ql7(&}HvHHhAm7Z~#CuWLg7ubTA#tik>7=xzV38r?la1(Dqt5%Jr1 zRM4xp+dRm|N-hfI=baGdDoKlmsH|RBX6@&1%cO0Td%{1uGae87I8SShLVJ?r8iwHR z;T)xTNeb`ArYQOi)`ad$f=kg-9FvoJR9zA}5xbEWUW_fkiQLeUIKe58oW>o53`Mm1 
z+VClGAcTXp+HHZx0BedLGjsS3$vk3d_23jo_yim{MD98uP&I1;1gT>%X_$O%F0C-z z27I3v84w5E=O~Mewww(yGZ0khcKXSv9{ixr?0ac?PyPYj@4#kyJJfh2#6s5~`$x{e z%jlBZsf*i@%Lc3zcMH;mcr-3jJK`)vV@E-Ph*8~NcnNC`i8kqrI?j*D)Q7mzE8ex0 zG5hvN$ZnJD6=yg;oa{1I846$}KVYM~IbLDhpDi>LIydr6yL&-(B_{Ee{`v4isWQKU3f{cbLU=1rsmpmPyNN0+bs zWi+-vN$VmiYJn)lWoCwKeo~lciR)!3KOVV>ucTQKBNqG-d~g+jdTf^h1VUJ4Mu=O$ z&An>rv)PN5symwI-wS#q1OR&YC7)klfb>UTDquQbL!5Cn7Nq4VL0|=$~d!y>{{*x>g=-8a2j>KseH~S$GF`t@Ki^i&sqU$J@jb#%lL5#{b=uNkM4t0NL`vbj^b;=fNc5;(&xm-%sqi? z@Lpn$t67KopFBKP>O-^(L~@=E`Btcn8#ww1p>m2^H#FCV?19s2T$+{=E+livnt~4| z!6)ZmT)J!2pdZE`Y&TQU`^cP%?yjRPbOjNP*+sP->8`ep)wNmbfhw0-eM--9D=rQ` zMoO-b@f(q1uS?yBNFMhSH=~zPes$M!@HV!Uc7j6tlDpsJ*9iJAh>%d$VW%2gE~A3v?&A~Z=2TD7bzRxEg)lQ4kDsHvO6 zi%<{fbUY5)N6 znv#Ao7no5BO&CW=521(AMOW**nT%p>bV8v~hO7``=A`QOtDJ!B3H=Fcd^t|M@h!;{ zoaT+BJU6s~JpRZ*=woZ@Qm&74Ws$1qtrvxb8ToHXgPxQ}7Nah@+(blEhbMYHConTf z*89|dEWX<5W}cjD4x5!Fys8Xf?Jy*a(>L~O-Y3cSxK1I!d4AuSd^YVuM7xL$4dG1A zs2W7r&aB4?0u zgTj4GRZX1VMZKK=z*J1IY)7ZBYz;PMki|4R~&PyU1$mOLG4s3u9=Sdd~w|-QK?{d8PCG~NH zChdR&{7Yelre;wA=VR7&_&x;(Pf}fyPZc0N7qQEez1VADmbudrYU2K;^i{m;l~7l@ zuBM(siwR_#du5WvA>x`6s>Hl)ubqi26a)5vM-^j2V0U9h+?h83f5Zm>WcNMgJfOB+ z5zE z!@O8OnZd-AP-w*lj5_XHfc4M2y%BP)D0nslSN$$18&T&bt5ntaB{?{L{{5}$xv<*f zGxQ~SL&j0^Md9$*%a|jt@zZE>&eL<~&ERaihO&j&z9${5xwjX`xO>_>s`T&4G2&dt z+~My>H9%)u7f5bTO+sGUBLLBdO>Bz^fa>#iPNcjesgh4xRWYQHJD z!zXJw8>Ce==w+KXJ?;G!oBAxDkjkp`d|ZOVTX((QwO~RjTd$ij8nGf?-Qp`N?#&s) z$U(JbSsD_qHyICx8DJ49sPnFH5LM;($^FM`wSWjSY3HUPRT*mJH2`K&60baB9c!|I zmF%PdKiO;*-*2B#ObO$7--6yEeAmykAcH+Xgwx7Y4suaW47zWy_&cnQpaZ<)4QM`l zky~iWbvt9~kv>VZ9saSgQ?t3sUEP1z_9Fg+g=`ogib=Mb`@JcD=NNEibrx*k#z}M2 z7`(8inNYO6iQOLO7gwb#5c&$x&H43bgPor+=x%T`1`6oW_TCP8Szb-7SG^*Q)BHK8 zek+9EVOhC*Q-58gS@sJO)U;$*D_FS8VEt}F0`_beu}QrvUiymY;aTKN+7hg)2C9YD zs#4jBQrLyq9dtlYSZ)3KD5VhK5cMZ~mrqeIO ztD(pPH=)~DOhevvWcpQtqd>gYH`b~edGlmfMF_lP8f202~ z7;mPQzvr^9+wL(}L3PoOYE)v#Z%7+{DDAq~2>$z)W-v-Yj(IFNrG6-oFE=k^0Id>(g%lHSz8s=r%lUVV}JBIQpP0A2IDzqBuxQg!?OM`ZMc=KJl+|PJp+<) 
zoy5Q5@BensKhN*~y9Dx2u)3~YlAyVwDwMuqfOuJ$g#{eoL~?ZY>F3f&Lb+V@Iz3d5^) z3mXzRB@aGlxyF7p{-;Wv25_D+26%=OdI(X-GAg6BTAPt0BWIN*|x=P~cx zQw`xVvoz4WT zx9|8zzQYGqjwkQ(zFnaz9{=LyfzJ`i`P;v*mOFn$Y?uF``|^=-XU%qOdVN~t*0Jd& z+fJ{ld?I#NnLXlq)`Z(`mt-_vMKsh(KH|-~f4EL||F!%{k-BRXDxXF;0MCx}V3=V1 zRcZdBtPR<>*ygXkxui3HMbz<9p;HW{;QSb83OZpwbf&!eSCr3HCfYF^zuL8K~x{c=cnQ-t$_ ze6CEXC-XT=Z?7!fX=AE#HZir}yTQi5qlf>j5lU5Wy|d$-*`GU~<=Nk=Z~6GWO>fKH z`orCN3-gul-+FmHeDmEn{ppjxO-;CX?A4vGj*|-KX)wRi(mraRex4)ax%1?s!499Z znZCWcr`8fg4-elXG6#aww;I-+7F;PFfo!cs6Y>JLAJG7>U&zVVFq4`|)f<+C+c{Sz> z?_~>SU9U2mZ?}~1zSgJckj%x$eJrKhtP?KXtEhLoVyaOp{a5MGt6!`)MbCUY@yTt^ zhc#{vPd?cCW&m$#2>ua%_pdRTg&j!ZQ`Oug{yC?bXF_vj5OL z**3F2U1o2W>ikVcYv&}GNS>eKX7{Y}_GR0Zmn)JTcbc(1cDcONDkCr{?vmMWjhI}) zCp9x}?YP~OP!+aRgmET+TZwl4roZ!DFE9En)2qAfv`f6=?e|6rHEXITo?Q9xlF9At z+q+NK+FjG0eTRGHCD!mA2M*jjkh+17tvFm`0nc6K!?Wbu|Ga-AEA4;T=I_4z8*78) zjq?h3XGj7s*?pC9xyEu)#`oa6nNoK16AKIf?TU^L>3sU!-Y|gk`8<#xRxf`!P0Dxu z%`K~?vn9;MKdoIDalP=#91UjmYiqIGtwL-agscv=214bLS|3?Sub3awvf*>k*PD~= z4R{#Ykl3Ap3>)U!2pLLCooK6*)vph+^k`lHz6Mlb9 zSSqZwgiedRFPSatc=g@eiBB9`rliK!^%%H6$lCr*1voKweA&ho2duTdHuL}KSW_Q$ zbo6y0rao>6T#NWY*NhZ*Ki~x$@=lzi%ypo4CJbU3A}47hl8| zqLjz6`-E2}~@XnucKJQYKZA0nt*CGE- zuiJkAYEJv#;th#^o|>+9jhgIrf061@W9{F@!S!Evy?OomN%WEZzl65Rf9Q_}4k^lC z7oWawwe8^?`;ZvTKdxC9{cm|MC|YEp`*3Sx; /home/admin/bootstrap.txt" +} + +variable "notification_email" { + description = "Specifies a list of custom email addresses to which the email notifications will be sent" + type = string +} + +//********************** Credentials **************************// +//variable "tenant_id" {} + +//variable "subscription_id" {} + +//variable "client_id" {} + +//variable "client_secret" {} + +variable "sku" { + description = "SKU" + type = string + default = "Standard" +} diff --git a/deprecated/README.md b/deprecated/README.md new file mode 100644 index 00000000..8a7296cf --- /dev/null +++ b/deprecated/README.md 
@@ -0,0 +1,2 @@
+## Disclaimer
+The content of this directory is released under an as-is, best effort, support policy. We do not provide technical support in using or troubleshooting the content of this directory through our normal support options.
diff --git a/deprecated/aws/templates/README.md b/deprecated/aws/templates/README.md
new file mode 100644
index 00000000..0ccf274d
--- /dev/null
+++ b/deprecated/aws/templates/README.md
@@ -0,0 +1,13 @@
+# Deprecated AWS CloudFormation templates
+This directory contains deprecated CloudGuard IaaS solution templates.
+
+# How to manually deploy the templates
+To deploy a CloudFormation template, follow these instructions:
+1. Log in and navigate to the [AWS CloudForamtion page](https://console.aws.amazon.com/cloudformation/)
+2. Click "*Create stack*"
+3. Click "*With new resources (standard)*"
+4. Select "*Upload a template file*" and then "*Choose file*"
+5. Load your template file from selected directory in this repository and click "*Next*"
+6. Enter the desired template parameters
+7. Click *Next* until you can review the configurations.
+8. After you've reviewed the configuraitons, click "*Create stack*".
diff --git a/deprecated/aws/templates/asg-r8030/README.md b/deprecated/aws/templates/asg-r8030/README.md
new file mode 100644
index 00000000..224d91c4
--- /dev/null
+++ b/deprecated/aws/templates/asg-r8030/README.md
@@ -0,0 +1,22 @@
+
+## Security Gateway Auto Scaling + + + + + + + + + + + + + + + +
DescriptionNotesDirect Launch
+ Deploys and configures the Security Gateways as an AWS Auto Scaling group.

For more details, refer to the CloudGuard Network Auto Scaling for AWS R80.20 and Higher Deployment Guide . +
Deploys an Auto Scaling group of Security Gateways into an existing VPC.
+
+
\ No newline at end of file diff --git a/deprecated/aws/templates/asg-r8030/autoscale.json b/deprecated/aws/templates/asg-r8030/autoscale.json new file mode 100755 index 00000000..4940ee3b --- /dev/null +++ b/deprecated/aws/templates/asg-r8030/autoscale.json 
@@ -0,0 +1,1188 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Create an Auto Scaling group of Check Point gateways (20211212)", + "Metadata": { + "AWS::CloudFormation::Interface": { + "ParameterGroups": [ + { + "Label": { + "default": "VPC Network Configuration" + }, + "Parameters": [ + "VPC", + "Subnets" + ] + }, + { + "Label": { + "default": "Automatic Provisioning with Security Management Server Settings" + }, + "Parameters": [ + "ControlGatewayOverPrivateOrPublicAddress", + "ManagementServer", + "ConfigurationTemplate" + ] + }, + { + "Label": { + "default": "EC2 Instances Configuration" + }, + "Parameters": [ + "Name", + "InstanceType", + "KeyName", + "VolumeSize", + "VolumeEncryption", + "EnableInstanceConnect" + ] + }, + { + "Label": { + "default": "Auto Scaling Configuration" + }, + "Parameters": [ + "MinSize", + "MaxSize", + "AdminEmail", + "LoadBalancers", + "TargetGroups" + ] + }, + { + "Label": { + "default": "Check Point Settings" + }, + "Parameters": [ + "License", + "Shell", + "PasswordHash", + "SICKey", + "AllowUploadDownload", + "EnableCloudWatch", + "BootstrapScript" + ] + }, + { + "Label": { + "default": "Proxy Configuration (optional)" + }, + "Parameters": [ + "ELBType", + "ELBPort", + "ELBClients" + ] + } + ], + "ParameterLabels": { + "VPC": { + "default": "VPC" + }, + "Subnets": { + "default": "Subnets" + }, + "ELBType": { + "default": "Proxy type" + }, + "ELBPort": { + "default": "Proxy port" + }, + "ELBClients": { + "default": "Allowed proxy clients" + }, + "AdminEmail": { + "default": "Email address" + }, + "LoadBalancers": { + "default": "Load Balancers" + }, + "TargetGroups": { + "default": "Target Groups" + }, + "MinSize": { + "default": "Minimum group size" + }, + "MaxSize": { + "default": "Maximum group size" + }, + "ControlGatewayOverPrivateOrPublicAddress": { + "default": "Gateways addresses" + }, + "ManagementServer": { + "default": "Management Server" + }, + "ConfigurationTemplate": { + "default": 
"Configuration template" + }, + "Name": { + "default": "Name" + }, + "InstanceType": { + "default": "Instance type" + }, + "KeyName": { + "default": "Key name" + }, + "EnableInstanceConnect": { + "default": "Enable AWS Instance Connect" + }, + "SICKey": { + "default": "SIC key" + }, + "VolumeSize": { + "default": "Root volume size (GB)" + }, + "VolumeEncryption": { + "default": "Enable volume encryption" + }, + "License": { + "default": "Version & license" + }, + "Shell": { + "default": "Admin shell" + }, + "PasswordHash": { + "default": "Password hash" + }, + "AllowUploadDownload": { + "default": "Allow upload & download" + }, + "EnableCloudWatch": { + "default": "CloudWatch metrics" + }, + "BootstrapScript": { + "default": "Bootstrap Script" + } + } + } + }, + "Parameters": { + "VPC": { + "Description": "Select an existing VPC", + "Type": "AWS::EC2::VPC::Id", + "MinLength": "1" + }, + "Subnets": { + "Description": "Select at least 2 subnets in the VPC", + "Type": "List", + "MinLength": "1" + }, + "ControlGatewayOverPrivateOrPublicAddress": { + "Description": "Determines if the gateways are provisioned using their private or public address", + "Default": "private", + "Type": "String", + "AllowedValues": [ + "private", + "public" + ] + }, + "ELBPort": { + "Default": "8080", + "Type": "Number" + }, + "ELBType": { + "Default": "none", + "AllowedValues": [ + "none", + "internal", + "internet-facing" + ], + "Type": "String" + }, + "ELBClients": { + "Type": "String", + "Default": "0.0.0.0/0", + "AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})" + }, + "MinSize": { + "Description": "The minimal number of gateways in the Auto Scaling group", + "Default": "2", + "Type": "Number", + "MinValue": "1" + }, + "MaxSize": { + "Description": "The maximal number of gateways in the Auto Scaling group", + "Default": "10", + "Type": "Number", + "MinValue": "1" + }, + "ManagementServer": { + "Description": "The name that represents the Security Management 
Server in the automatic provisioning configuration", + "Type": "String", + "MinLength": "1" + }, + "ConfigurationTemplate": { + "Description": "A name of a gateway configuration template in the automatic provisioning configuration", + "Type": "String", + "MinLength": "1" + }, + "Name": { + "Type": "String", + "Default": "Check-Point-Gateway" + }, + "InstanceType": { + "Description": "c4 and t2 instance types are supported only up to version R80.10 and c5 are supported only with R80.20 and above", + "Type": "String", + "Default": "c5.xlarge", + "AllowedValues": [ + "c4.large", + "c4.xlarge", + "c4.2xlarge", + "c4.4xlarge", + "c4.8xlarge", + "c5.large", + "c5.xlarge", + "c5.2xlarge", + "c5.4xlarge", + "c5.9xlarge", + "c5.18xlarge", + "c5n.large", + "c5n.xlarge", + "c5n.2xlarge", + "c5n.4xlarge", + "c5n.9xlarge", + "c5n.18xlarge", + "t2.xlarge", + "t2.2xlarge" + ], + "ConstraintDescription": "must be a valid EC2 instance type." + }, + "AdminEmail": { + "Description": "Notifications about scaling events will be sent to this email address (optional)", + "Type": "String", + "Default": "", + "AllowedPattern": "(|([a-zA-Z0-9_\\-\\.]+)@((\\[[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.)|(([a-zA-Z0-9\\-]+\\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\\]?))", + "ConstraintDescription": "must be a valid email address." + }, + "LoadBalancers": { + "Description": "An optional list of Classic Load Balancers associated with this Auto Scaling group (comma separated list of LB names, without spaces)", + "Type": "String", + "Default": "" + }, + "VolumeSize": { + "Type": "Number", + "MinValue": "100", + "Default": "100" + }, + "VolumeEncryption": { + "Description": "Encrypt Auto Scaling instances volume with default AWS KMS key. 
Will be ignored for versions lower than R80.30", + "Default": "true", + "Type": "String", + "AllowedValues": [ + "true", + "false" + ] + }, + "TargetGroups": { + "Description": "An optional list of Target Groups to associate with the Auto Scaling group (comma separated list of ARNs, without spaces)", + "Type": "String", + "Default": "" + }, + "KeyName": { + "Description": "The EC2 Key Pair to allow SSH access to the instances", + "Type": "AWS::EC2::KeyPair::KeyName", + "MinLength": "1", + "ConstraintDescription": "must be the name of an existing EC2 KeyPair." + }, + "EnableInstanceConnect": { + "Description": "Ec2 Instance Connect is not supported with versions prior to R80.40", + "Default": "false", + "Type": "String", + "AllowedValues": [ + "true", + "false" + ] + }, + "PasswordHash": { + "Description": "Admin user's password hash (use command \"openssl passwd -1 PASSWORD\" to get the PASSWORD's hash) (optional)", + "Type": "String", + "Default": "", + "AllowedPattern": "[\\$\\./a-zA-Z0-9]*", + "NoEcho": "true" + }, + "AllowUploadDownload": { + "Description": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point", + "Type": "String", + "Default": "true", + "AllowedValues": [ + "true", + "false" + ] + }, + "SICKey": { + "Description": "The Secure Internal Communication key creates trusted connections between Check Point components. 
Choose a random string consisting of at least 8 alphanumeric characters", + "NoEcho": "true", + "MinLength": "8", + "Type": "String", + "AllowedPattern": "[a-zA-Z0-9]*", + "ConstraintDescription": "At least 8 alpha numeric characters" + }, + "License": { + "Type": "String", + "Default": "R80.30-PAYG-NGTP", + "AllowedValues": [ + "R77.30-BYOL", + "R77.30-PAYG-NGTP", + "R80.10-BYOL", + "R80.10-PAYG-NGTP", + "R80.10-PAYG-NGTX", + "R80.20-BYOL", + "R80.20-PAYG-NGTP", + "R80.20-PAYG-NGTX", + "R80.30-BYOL", + "R80.30-PAYG-NGTP", + "R80.30-PAYG-NGTX", + "R80.40-BYOL", + "R80.40-PAYG-NGTP", + "R80.40-PAYG-NGTX" + ] + }, + "Shell": { + "Description": "Change the admin shell to enable advanced command line configuration", + "Type": "String", + "Default": "/etc/cli.sh", + "AllowedValues": [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh" + ] + }, + "EnableCloudWatch": { + "Description": "Report Check Point specific CloudWatch metrics", + "Type": "String", + "AllowedValues": [ + "true", + "false" + ], + "Default": "false" + }, + "BootstrapScript": { + "Description": "An optional script with comma separated commands to run on the initial boot", + "Type": "CommaDelimitedList", + "Default": "", + "NoEcho": "true" + } + }, + "Conditions": { + "R80.30": { + "Fn::Equals": [ + { + "Fn::Select": [ + 0, + { + "Fn::Split": [ + "-", + { + "Ref": "License" + } + ] + } + ] + }, + "R80.30" + ] + }, + "R80.40": { + "Fn::Equals": [ + { + "Fn::Select": [ + 0, + { + "Fn::Split": [ + "-", + { + "Ref": "License" + } + ] + } + ] + }, + "R80.40" + ] + }, + "EnableEncryptedVolume": { + "Fn::And": [ + { + "Fn::Equals": [ + { + "Ref": "VolumeEncryption" + }, + "true" + ] + }, + { + "Fn::Or": [ + { + "Condition": "R80.30" + }, + { + "Condition": "R80.40" + } + ] + } + ] + }, + "AdminEmail": { + "Fn::Not": [ + { + "Fn::Equals": [ + { + "Ref": "AdminEmail" + }, + "" + ] + } + ] + }, + "CreateELB": { + "Fn::Not": [ + { + "Fn::Equals": [ + { + "Ref": "ELBType" + }, + "none" + ] + } + ] + }, + 
"EnableInstanceConnect": { + "Fn::Equals": [ + { + "Ref": "EnableInstanceConnect" + }, + "true" + ] + }, + "ProvidedLoadBalancers": { + "Fn::Not": [ + { + "Fn::Equals": [ + { + "Ref": "LoadBalancers" + }, + "" + ] + } + ] + }, + "ProvidedTargetGroups": { + "Fn::Not": [ + { + "Fn::Equals": [ + { + "Ref": "TargetGroups" + }, + "" + ] + } + ] + }, + "EnableCloudWatch": { + "Fn::Equals": [ + { + "Ref": "EnableCloudWatch" + }, + "true" + ] + }, + "ProvidedPassHash": { + "Fn::Not": [ + { + "Fn::Equals": [ + { + "Ref": "PasswordHash" + }, + "" + ] + } + ] + }, + "BlinkConfig": { + "Fn::Not": [ + { + "Fn::Equals": [ + { + "Fn::Select": [ + 0, + { + "Fn::Split": [ + "-", + { + "Ref": "License" + } + ] + } + ] + }, + "R77.30" + ] + } + ] + } + }, + "Resources": { + "CheckPointGateway": { + "Type": "AWS::IAM::Role", + "Condition": "EnableCloudWatch", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": [ + "ec2.amazonaws.com" + ] + }, + "Action": [ + "sts:AssumeRole" + ] + } + ] + }, + "Path": "/", + "Policies": [ + { + "PolicyName": "CheckPointGateway", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "cloudwatch:PutMetricData" + ], + "Resource": "*" + } + ] + } + } + ] + } + }, + "InstanceProfile": { + "Type": "AWS::IAM::InstanceProfile", + "Condition": "EnableCloudWatch", + "Properties": { + "Path": "/", + "Roles": [ + { + "Ref": "CheckPointGateway" + } + ] + } + }, + "AMI": { + "Type": "AWS::CloudFormation::Stack", + "Properties": { + "TemplateURL": "https://cgi-cfts.s3.amazonaws.com/deprecated/utils/amis-deprecated.yaml", + "Parameters": { + "Version": { + "Fn::If": [ + "BlinkConfig", + { + "Fn::Join": [ + "-", + [ + { + "Ref": "License" + }, + "GW" + ] + ] + }, + { + "Ref": "License" + } + ] + } + } + } + }, + "NotificationTopic": { + "Type": "AWS::SNS::Topic", + "Condition": "AdminEmail", + "Properties": { + 
"Subscription": [ + { + "Endpoint": { + "Ref": "AdminEmail" + }, + "Protocol": "email" + } + ] + } + }, + "ElasticLoadBalancer": { + "Type": "AWS::ElasticLoadBalancing::LoadBalancer", + "Condition": "CreateELB", + "Properties": { + "CrossZone": "true", + "Listeners": [ + { + "LoadBalancerPort": { + "Ref": "ELBPort" + }, + "InstancePort": { + "Ref": "ELBPort" + }, + "Protocol": "TCP" + } + ], + "HealthCheck": { + "Target": { + "Fn::Join": [ + ":", + [ + "TCP", + { + "Ref": "ELBPort" + } + ] + ] + }, + "HealthyThreshold": "3", + "UnhealthyThreshold": "5", + "Interval": "30", + "Timeout": "5" + }, + "Scheme": { + "Ref": "ELBType" + }, + "Subnets": { + "Ref": "Subnets" + }, + "Policies": [ + { + "PolicyName": "EnableProxyProtocol", + "PolicyType": "ProxyProtocolPolicyType", + "Attributes": [ + { + "Name": "ProxyProtocol", + "Value": "true" + } + ], + "InstancePorts": [ + { + "Ref": "ELBPort" + } + ] + } + ], + "SecurityGroups": [ + { + "Ref": "ELBSecurityGroup" + } + ] + } + }, + "PermissiveSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": { + "Fn::Join": [ + "_", + [ + { + "Ref": "AWS::StackName" + }, + "PermissiveSecurityGroup" + ] + ] + } + } + ], + "GroupDescription": "Permissive security group", + "VpcId": { + "Ref": "VPC" + }, + "SecurityGroupIngress": [ + { + "IpProtocol": "-1", + "CidrIp": "0.0.0.0/0" + } + ] + } + }, + "GatewayGroup": { + "Type": "AWS::AutoScaling::AutoScalingGroup", + "Properties": { + "VPCZoneIdentifier": { + "Ref": "Subnets" + }, + "LaunchConfigurationName": { + "Ref": "LaunchConfig" + }, + "MinSize": { + "Ref": "MinSize" + }, + "MaxSize": { + "Ref": "MaxSize" + }, + "LoadBalancerNames": { + "Fn::If": [ + "ProvidedLoadBalancers", + { + "Fn::If": [ + "CreateELB", + { + "Fn::Split": [ + ",", + { + "Fn::Join": [ + ",", + [ + { + "Ref": "LoadBalancers" + }, + { + "Ref": "ElasticLoadBalancer" + } + ] + ] + } + ] + }, + { + "Fn::Split": [ + ",", + { + "Ref": "LoadBalancers" + } + 
] + } + ] + }, + { + "Fn::If": [ + "CreateELB", + [ + { + "Ref": "ElasticLoadBalancer" + } + ], + [ + { + "Ref": "AWS::NoValue" + } + ] + ] + } + ] + }, + "TargetGroupARNs": { + "Fn::If": [ + "ProvidedTargetGroups", + { + "Fn::Split": [ + ",", + { + "Ref": "TargetGroups" + } + ] + }, + { + "Ref": "AWS::NoValue" + } + ] + }, + "NotificationConfiguration": { + "Fn::If": [ + "AdminEmail", + { + "TopicARN": { + "Ref": "NotificationTopic" + }, + "NotificationTypes": [ + "autoscaling:EC2_INSTANCE_LAUNCH", + "autoscaling:EC2_INSTANCE_LAUNCH_ERROR", + "autoscaling:EC2_INSTANCE_TERMINATE", + "autoscaling:EC2_INSTANCE_TERMINATE_ERROR" + ] + }, + { + "Ref": "AWS::NoValue" + } + ] + }, + "Tags": [ + { + "Key": "Name", + "Value": { + "Ref": "Name" + }, + "PropagateAtLaunch": "true" + }, + { + "Key": "x-chkp-tags", + "Value": { + "Fn::Join": [ + ":", + [ + { + "Fn::Join": [ + "=", + [ + "management", + { + "Ref": "ManagementServer" + } + ] + ] + }, + { + "Fn::Join": [ + "=", + [ + "template", + { + "Ref": "ConfigurationTemplate" + } + ] + ] + }, + { + "Fn::Join": [ + "=", + [ + "ip-address", + { + "Ref": "ControlGatewayOverPrivateOrPublicAddress" + } + ] + ] + } + ] + ] + }, + "PropagateAtLaunch": "true" + } + ] + } + }, + "LaunchConfig": { + "Type": "AWS::AutoScaling::LaunchConfiguration", + "Properties": { + "AssociatePublicIpAddress": "true", + "KeyName": { + "Ref": "KeyName" + }, + "ImageId": { + "Fn::GetAtt": [ + "AMI", + "Outputs.ImageId" + ] + }, + "SecurityGroups": [ + { + "Ref": "PermissiveSecurityGroup" + } + ], + "InstanceType": { + "Ref": "InstanceType" + }, + "BlockDeviceMappings": [ + { + "DeviceName": "/dev/xvda", + "Ebs": { + "Encrypted": { + "Fn::If": [ + "EnableEncryptedVolume", + "true", + "false" + ] + }, + "VolumeType": "gp2", + "VolumeSize": { + "Ref": "VolumeSize" + } + } + } + ], + "IamInstanceProfile": { + "Fn::If": [ + "EnableCloudWatch", + { + "Ref": "InstanceProfile" + }, + { + "Ref": "AWS::NoValue" + } + ] + }, + "UserData": { + "Fn::Base64": { + 
"Fn::Join": [ + "\n", + [ + "#!/bin/bash", + "logfile=/var/log/aws-user-data.log", + "> ${logfile}", + "exec 1>>${logfile} 2>>${logfile}", + "echo template_name: autoscale >> /etc/cloud-version", + "echo template_version: 20211212 >> /etc/cloud-version", + { + "Fn::If": [ + "ProvidedPassHash", + { + "Fn::Join": [ + "\n", + [ + { + "Fn::Join": [ + "", + [ + "pwd_hash='", + { + "Ref": "PasswordHash" + }, + "'" + ] + ] + }, + "echo \"set admin password\"", + "clish -c \"set user admin password-hash $pwd_hash\" -s" + ] + ] + }, + "pwd_hash=\"$(dd if=/dev/urandom count=1 2>/dev/null | sha1sum | cut -c -28)\"" + ] + }, + { + "Fn::Sub": "enable_cloudwatch=${EnableCloudWatch}" + }, + { + "Fn::Sub": "clish -c \"set user admin shell ${Shell}\" -s" + }, + { + "Fn::Join": [ + "", + [ + "sic=$(echo '", + { + "Fn::Base64": { + "Ref": "SICKey" + } + }, + "' | base64 --decode)" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "enable_eic='", + { + "Fn::If": [ + "EnableInstanceConnect", + { + "Ref": "EnableInstanceConnect" + }, + { + "Ref": "AWS::NoValue" + } + ] + }, + "'" + ] + ] + }, + { + "Fn::If": [ + "BlinkConfig", + { + "Fn::Sub": "blink_config -s \"gateway_cluster_member=false&ftw_sic_key='$sic'&upload_info=${AllowUploadDownload}&download_info=${AllowUploadDownload}&admin_hash='$pwd_hash'\"" + }, + { + "Fn::Sub": "config_system -s \"install_security_gw=true&install_ppak=true&gateway_cluster_member=false&install_security_managment=false&ftw_sic_key='$sic'&upload_info=${AllowUploadDownload}&download_info=${AllowUploadDownload}\"" + } + ] + }, + "addr=\"$(ip addr show dev eth0 | awk \"/inet/{print \\$2; exit}\" | cut -d / -f 1)\"", + "dynamic_objects -n LocalGateway -r \"$addr\" \"$addr\" -a", + "if \"$enable_cloudwatch\"; then", + " echo '{\"version\":\"1\"}' > $FWDIR/conf/cloudwatch.json", + " cloudwatch start", + "fi", + { + "Fn::Join": [ + "", + [ + "bootstrap=$(echo '", + { + "Fn::Base64": { + "Fn::Join": [ + "; ", + { + "Ref": "BootstrapScript" + } + ] + } + }, + "' | base64 
--decode)" + ] + ] + }, + "eval $bootstrap", + "test -z \"$enable_eic\" || {", + "echo \"enabling ec2 instance connect\"", + "if [ -d \"/etc/ec2-instance-connect\" ]; then", + " ec2-instance-connect-config on", + "else", + " echo \"Could not enable eic, not supported in versions R80.30 and below\"", + "fi", + "}", + { + "Fn::If": [ + "BlinkConfig", + { + "Ref": "AWS::NoValue" + }, + [ + "echo \"Rebooting...\"", + "shutdown -r now" + ] + ] + }, + "" + ] + ] + } + } + } + }, + "SecurityGatewayScaleUpPolicy": { + "Type": "AWS::AutoScaling::ScalingPolicy", + "Properties": { + "AdjustmentType": "ChangeInCapacity", + "AutoScalingGroupName": { + "Ref": "GatewayGroup" + }, + "Cooldown": "300", + "ScalingAdjustment": "1" + } + }, + "SecurityGatewayScaleDownPolicy": { + "Type": "AWS::AutoScaling::ScalingPolicy", + "Properties": { + "AdjustmentType": "ChangeInCapacity", + "AutoScalingGroupName": { + "Ref": "GatewayGroup" + }, + "Cooldown": "300", + "ScalingAdjustment": "-1" + } + }, + "CPUAlarmHigh": { + "Type": "AWS::CloudWatch::Alarm", + "Properties": { + "AlarmDescription": "Scale-up if CPU > 80% for 10 minutes", + "MetricName": "CPUUtilization", + "Namespace": "AWS/EC2", + "Statistic": "Average", + "Period": "300", + "EvaluationPeriods": "2", + "Threshold": "80", + "AlarmActions": [ + { + "Ref": "SecurityGatewayScaleUpPolicy" + } + ], + "Dimensions": [ + { + "Name": "AutoScalingGroupName", + "Value": { + "Ref": "GatewayGroup" + } + } + ], + "ComparisonOperator": "GreaterThanThreshold" + } + }, + "CPUAlarmLow": { + "Type": "AWS::CloudWatch::Alarm", + "Properties": { + "AlarmDescription": "Scale-down if CPU < 60% for 10 minutes", + "MetricName": "CPUUtilization", + "Namespace": "AWS/EC2", + "Statistic": "Average", + "Period": "300", + "EvaluationPeriods": "2", + "Threshold": "60", + "AlarmActions": [ + { + "Ref": "SecurityGatewayScaleDownPolicy" + } + ], + "Dimensions": [ + { + "Name": "AutoScalingGroupName", + "Value": { + "Ref": "GatewayGroup" + } + } + ], + 
"ComparisonOperator": "LessThanThreshold" + } + }, + "ELBSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Condition": "CreateELB", + "Properties": { + "GroupDescription": "ELB security group", + "VpcId": { + "Ref": "VPC" + }, + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "CidrIp": { + "Ref": "ELBClients" + }, + "FromPort": { + "Ref": "ELBPort" + }, + "ToPort": { + "Ref": "ELBPort" + } + } + ] + } + } + }, + "Outputs": { + "URL": { + "Description": "The URL of the Proxy", + "Condition": "CreateELB", + "Value": { + "Fn::Join": [ + "", + [ + "http://", + { + "Fn::GetAtt": [ + "ElasticLoadBalancer", + "DNSName" + ] + } + ] + ] + } + }, + "SecurityGroup": { + "Description": "The Security Group of the Auto Scaling group", + "Value": { + "Fn::GetAtt": [ + "PermissiveSecurityGroup", + "GroupId" + ] + } + } + } +} diff --git a/deprecated/aws/templates/cluster-r8030/README.md b/deprecated/aws/templates/cluster-r8030/README.md new file mode 100644 index 00000000..282d3075 --- /dev/null +++ b/deprecated/aws/templates/cluster-r8030/README.md @@ -0,0 +1,25 @@ +## Security Cluster + + + + + + + + + + + + + + + + + + + +
DescriptionNotesDirect Launch
+ Deploys and configures two Security Gateways as a Cluster.

For more details, refer to the CloudGuard Network for AWS Security Cluster R80.20 and Higher Deployment Guide. +
Creates a new VPC and deploys a Cluster into it.
Deploys a Cluster into an existing VPC.
+
+
\ No newline at end of file diff --git a/deprecated/aws/templates/cluster-r8030/cluster-into-vpc.json b/deprecated/aws/templates/cluster-r8030/cluster-into-vpc.json new file mode 100644 index 00000000..cf5405d0 --- /dev/null +++ b/deprecated/aws/templates/cluster-r8030/cluster-into-vpc.json 
@@ -0,0 +1,1313 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Deploys a Check Point Cluster into an existing VPC (20211212)", + "Metadata": { + "AWS::CloudFormation::Interface": { + "ParameterGroups": [ + { + "Label": { + "default": "VPC Network Configuration" + }, + "Parameters": [ + "VPC", + "AvailabilityZone", + "ExternalSubnet", + "InternalSubnet" + ] + }, + { + "Label": { + "default": "Cluster Network Configuration" + }, + "Parameters": [ + "ClusterExternalAddr", + "MemberAExternalAddr", + "MemberBExternalAddr", + "ClusterInternalAddr", + "MemberAInternalAddr", + "MemberBInternalAddr" + ] + }, + { + "Label": { + "default": "EC2 Instance Configuration" + }, + "Parameters": [ + "InstanceType", + "KeyName", + "PredefinedRole", + "VolumeSize", + "VolumeEncryption", + "EnableInstanceConnect" + ] + }, + { + "Label": { + "default": "Check Point Settings" + }, + "Parameters": [ + "Version", + "Shell", + "PasswordHash", + "SICKey", + "AllowUploadDownload", + "NTPPrimary", + "NTPSecondary" + ] + } + ], + "ParameterLabels": { + "VPC": { + "default": "VPC" + }, + "AvailabilityZone": { + "default": "Availability zone" + }, + "ExternalSubnet": { + "default": "External subnet" + }, + "InternalSubnet": { + "default": "Internal subnet" + }, + "ClusterExternalAddr": { + "default": "Cluster external address" + }, + "MemberAExternalAddr": { + "default": "Member A external address" + }, + "MemberBExternalAddr": { + "default": "Member B external address" + }, + "ClusterInternalAddr": { + "default": "Cluster internal address" + }, + "MemberAInternalAddr": { + "default": "Member A internal address" + }, + "MemberBInternalAddr": { + "default": "Member B internal address" + }, + "InstanceType": { + "default": "Instance type" + }, + "KeyName": { + "default": "Key name" + }, + "Version": { + "default": "Version & license" + }, + "PredefinedRole": { + "default": "Existing IAM role name" + }, + "EnableInstanceConnect": { + "default": "Enable AWS Instance Connect" + }, 
+ "SICKey": { + "default": "SIC key" + }, + "VolumeSize": { + "default": "Root volume size (GB)" + }, + "VolumeEncryption": { + "default": "Volume encryption KMS key identifier" + }, + "Shell": { + "default": "Admin shell" + }, + "PasswordHash": { + "default": "Password hash" + }, + "AllowUploadDownload": { + "default": "Allow upload & download" + }, + "NTPPrimary": { + "default": "Primary NTP server" + }, + "NTPSecondary": { + "default": "Secondary NTP server" + } + } + } + }, + "Parameters": { + "InstanceType": { + "Description": "c4 and t2 instance types are supported only up to version R80.10 and c5 are supported only with R80.20 and above", + "Type": "String", + "Default": "c5.xlarge", + "AllowedValues": [ + "c4.large", + "c4.xlarge", + "c4.2xlarge", + "c4.4xlarge", + "c4.8xlarge", + "c5.large", + "c5.xlarge", + "c5.2xlarge", + "c5.4xlarge", + "c5.9xlarge", + "c5.18xlarge", + "c5n.large", + "c5n.xlarge", + "c5n.2xlarge", + "c5n.4xlarge", + "c5n.9xlarge", + "c5n.18xlarge", + "t2.xlarge", + "t2.2xlarge" + ], + "ConstraintDescription": "must be a valid EC2 instance type." + }, + "VPC": { + "Type": "AWS::EC2::VPC::Id", + "MinLength": "1" + }, + "ExternalSubnet": { + "Description": "The external subnet of the cluster. 
The subnet's route table must have 0.0.0.0/0 route to Internet Gateway", + "Type": "AWS::EC2::Subnet::Id", + "MinLength": "1" + }, + "InternalSubnet": { + "Description": "The internal subnet of the cluster", + "Type": "AWS::EC2::Subnet::Id", + "MinLength": "1" + }, + "AvailabilityZone": { + "Description": "The availability zone in which to deploy the cluster", + "Type": "AWS::EC2::AvailabilityZone::Name", + "MinLength": "1" + }, + "ClusterExternalAddr": { + "Description": "The private address of the cluster on the external subnet", + "Type": "String", + "AllowedPattern": "^([0-9]{1,3}\\.){3}[0-9]{1,3}$", + "ConstraintDescription": "must be a valid IP address" + }, + "MemberAExternalAddr": { + "Description": "The private address of member A on the external subnet", + "Type": "String", + "AllowedPattern": "^([0-9]{1,3}\\.){3}[0-9]{1,3}$", + "ConstraintDescription": "must be a valid IP address" + }, + "MemberBExternalAddr": { + "Description": "The private address of member B on the external subnet", + "Type": "String", + "AllowedPattern": "^([0-9]{1,3}\\.){3}[0-9]{1,3}$", + "ConstraintDescription": "must be a valid IP address" + }, + "ClusterInternalAddr": { + "Description": "The private address of the cluster on the internal subnet", + "Type": "String", + "AllowedPattern": "^([0-9]{1,3}\\.){3}[0-9]{1,3}$", + "ConstraintDescription": "must be a valid IP address" + }, + "MemberAInternalAddr": { + "Description": "The private address of member A on the internal subnet", + "Type": "String", + "AllowedPattern": "^([0-9]{1,3}\\.){3}[0-9]{1,3}$", + "ConstraintDescription": "must be a valid IP address" + }, + "MemberBInternalAddr": { + "Description": "The private address of member B on the internal subnet", + "Type": "String", + "AllowedPattern": "^([0-9]{1,3}\\.){3}[0-9]{1,3}$", + "ConstraintDescription": "must be a valid IP address" + }, + "KeyName": { + "Description": "The EC2 Key Pair to allow SSH access to the instance", + "Type": "AWS::EC2::KeyPair::KeyName", + 
"MinLength": "1", + "ConstraintDescription": "must be the name of an existing EC2 KeyPair." + }, + "Version": { + "Type": "String", + "Default": "R80.30-PAYG-NGTP", + "AllowedValues": [ + "R77.30-BYOL", + "R77.30-PAYG-NGTP", + "R80.10-BYOL", + "R80.10-PAYG-NGTP", + "R80.10-PAYG-NGTX", + "R80.20-BYOL", + "R80.20-PAYG-NGTP", + "R80.20-PAYG-NGTX", + "R80.30-BYOL", + "R80.30-PAYG-NGTP", + "R80.30-PAYG-NGTX", + "R80.40-BYOL", + "R80.40-PAYG-NGTP", + "R80.40-PAYG-NGTX" + ] + }, + "PasswordHash": { + "Description": "Admin user's password hash (use command \"openssl passwd -1 PASSWORD\" to get the PASSWORD's hash) (optional)", + "NoEcho": "true", + "Type": "String", + "Default": "", + "AllowedPattern": "[\\$\\./a-zA-Z0-9]*" + }, + "PredefinedRole": { + "Description": "A predefined IAM role to attach to the cluster profile (optional)", + "Type": "String", + "Default": "" + }, + "EnableInstanceConnect": { + "Description": "Ec2 Instance Connect is not supported with versions prior to R80.40", + "Default": "false", + "Type": "String", + "AllowedValues": [ + "true", + "false" + ] + }, + "SICKey": { + "Description": "The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters", + "NoEcho": "true", + "MinLength": "8", + "Type": "String", + "AllowedPattern": "[a-zA-Z0-9]*", + "ConstraintDescription": "At least 8 alpha numeric characters" + }, + "VolumeSize": { + "Type": "Number", + "MinValue": "100", + "Default": "100" + }, + "VolumeEncryption": { + "Description": "KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). 
Will be ignored for versions lower than R80.30", + "Type": "String", + "Default": "alias/aws/ebs" + }, + "Shell": { + "Description": "Change the admin shell to enable advanced command line configuration", + "Type": "String", + "Default": "/etc/cli.sh", + "AllowedValues": [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh" + ] + }, + "AllowUploadDownload": { + "Description": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point", + "Type": "String", + "Default": "true", + "AllowedValues": [ + "true", + "false" + ] + }, + "NTPPrimary": { + "Description": "(optional)", + "Type": "String", + "Default": "169.254.169.123", + "AllowedPattern": "[\\.a-zA-Z0-9\\-]*" + }, + "NTPSecondary": { + "Description": "(optional)", + "Type": "String", + "Default": "0.pool.ntp.org", + "AllowedPattern": "[\\.a-zA-Z0-9\\-]*" + } + }, + "Conditions": { + "R80.30": { + "Fn::Equals": [ + { + "Fn::Select": [ + 0, + { + "Fn::Split": [ + "-", + { + "Ref": "Version" + } + ] + } + ] + }, + "R80.30" + ] + }, + "R80.40": { + "Fn::Equals": [ + { + "Fn::Select": [ + 0, + { + "Fn::Split": [ + "-", + { + "Ref": "Version" + } + ] + } + ] + }, + "R80.40" + ] + }, + "EnableEncryptedVolume": { + "Fn::And": [ + { + "Fn::Not": [ + { + "Fn::Equals": [ + { + "Ref": "VolumeEncryption" + }, + "" + ] + } + ] + }, + { + "Fn::Or": [ + { + "Condition": "R80.30" + }, + { + "Condition": "R80.40" + } + ] + } + ] + }, + "ProvidedPassHash": { + "Fn::Not": [ + { + "Fn::Equals": [ + { + "Ref": "PasswordHash" + }, + "" + ] + } + ] + }, + "CreateRole": { + "Fn::Equals": [ + { + "Ref": "PredefinedRole" + }, + "" + ] + }, + "EnableInstanceConnect": { + "Fn::Equals": [ + { + "Ref": "EnableInstanceConnect" + }, + "true" + ] + }, + "BlinkConfig": { + "Fn::Not": [ + { + "Fn::Equals": [ + { + "Fn::Select": [ + 0, + { + "Fn::Split": [ + "-", + { + "Ref": "Version" + } + ] + } + ] + }, + "R77.30" + ] + } + ] + } + }, + "Resources": { + 
"ClusterReadyHandle": { + "Type": "AWS::CloudFormation::WaitConditionHandle", + "Properties": {} + }, + "ClusterReadyCondition": { + "Type": "AWS::CloudFormation::WaitCondition", + "DependsOn": [ + "MemberAInstance", + "MemberBInstance" + ], + "Properties": { + "Count": "2", + "Handle": { + "Ref": "ClusterReadyHandle" + }, + "Timeout": "1800" + } + }, + "AMI": { + "Type": "AWS::CloudFormation::Stack", + "Properties": { + "TemplateURL": "https://cgi-cfts.s3.amazonaws.com/deprecated/utils/amis-deprecated.yaml", + "Parameters": { + "Version": { + "Fn::If": [ + "BlinkConfig", + { + "Fn::Join": [ + "-", + [ + { + "Ref": "Version" + }, + "GW" + ] + ] + }, + { + "Ref": "Version" + } + ] + } + } + } + }, + "ClusterRole": { + "Type": "AWS::IAM::Role", + "Condition": "CreateRole", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": [ + "ec2.amazonaws.com" + ] + }, + "Action": [ + "sts:AssumeRole" + ] + } + ] + }, + "Path": "/", + "Policies": [ + { + "PolicyName": "Cluster", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "ec2:DescribeRouteTables", + "ec2:ReplaceRoute", + "ec2:AssignPrivateIpAddresses", + "ec2:DescribeNetworkInterfaces", + "ec2:CreateRoute" + ], + "Resource": "*" + } + ] + } + } + ] + } + }, + "ClusterInstanceProfile": { + "Type": "AWS::IAM::InstanceProfile", + "Properties": { + "Path": "/", + "Roles": [ + { + "Fn::If": [ + "CreateRole", + { + "Ref": "ClusterRole" + }, + { + "Ref": "PredefinedRole" + } + ] + } + ] + } + }, + "InternalRoutingTable": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "VPC" + } + } + }, + "InternalDefaultRoute": { + "Type": "AWS::EC2::Route", + "Properties": { + "DestinationCidrBlock": "0.0.0.0/0", + "NetworkInterfaceId": { + "Ref": "MemberAInternalInterface" + }, + "RouteTableId": { + "Ref": "InternalRoutingTable" + } + } + }, + 
"InternalNetworkRouteAssociation": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "InternalRoutingTable" + }, + "SubnetId": { + "Ref": "InternalSubnet" + } + } + }, + "MemberAExternalInterface": { + "Type": "AWS::EC2::NetworkInterface", + "Properties": { + "Description": "External", + "PrivateIpAddresses": [ + { + "PrivateIpAddress": { + "Ref": "MemberAExternalAddr" + }, + "Primary": "true" + }, + { + "PrivateIpAddress": { + "Ref": "ClusterExternalAddr" + }, + "Primary": "false" + } + ], + "SourceDestCheck": "false", + "GroupSet": [ + { + "Ref": "InstanceSecurityGroup" + } + ], + "SubnetId": { + "Ref": "ExternalSubnet" + } + } + }, + "MemberBExternalInterface": { + "Type": "AWS::EC2::NetworkInterface", + "Properties": { + "Description": "External", + "PrivateIpAddresses": [ + { + "PrivateIpAddress": { + "Ref": "MemberBExternalAddr" + }, + "Primary": "true" + } + ], + "SourceDestCheck": "false", + "GroupSet": [ + { + "Ref": "InstanceSecurityGroup" + } + ], + "SubnetId": { + "Ref": "ExternalSubnet" + } + } + }, + "MemberAInternalInterface": { + "Type": "AWS::EC2::NetworkInterface", + "Properties": { + "Description": "Internal", + "PrivateIpAddresses": [ + { + "PrivateIpAddress": { + "Ref": "MemberAInternalAddr" + }, + "Primary": "true" + }, + { + "PrivateIpAddress": { + "Ref": "ClusterInternalAddr" + }, + "Primary": "false" + } + ], + "GroupSet": [ + { + "Ref": "InstanceSecurityGroup" + } + ], + "SourceDestCheck": "false", + "SubnetId": { + "Ref": "InternalSubnet" + } + } + }, + "MemberBInternalInterface": { + "Type": "AWS::EC2::NetworkInterface", + "Properties": { + "Description": "Internal", + "PrivateIpAddress": { + "Ref": "MemberBInternalAddr" + }, + "GroupSet": [ + { + "Ref": "InstanceSecurityGroup" + } + ], + "SourceDestCheck": "false", + "SubnetId": { + "Ref": "InternalSubnet" + } + } + }, + "InstanceSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Permissive 
security group", + "VpcId": { + "Ref": "VPC" + }, + "SecurityGroupIngress": [ + { + "IpProtocol": "-1", + "CidrIp": "0.0.0.0/0" + } + ] + } + }, + "ClusterPublicAddress": { + "Type": "AWS::EC2::EIP", + "Properties": { + "Domain": "vpc" + } + }, + "MemberAPublicAddress": { + "Type": "AWS::EC2::EIP", + "Properties": { + "Domain": "vpc" + } + }, + "MemberBPublicAddress": { + "Type": "AWS::EC2::EIP", + "Properties": { + "Domain": "vpc" + } + }, + "MemberAInstance": { + "Type": "AWS::EC2::Instance", + "Properties": { + "AvailabilityZone": { + "Ref": "AvailabilityZone" + }, + "Tags": [ + { + "Key": "Name", + "Value": "Member A" + } + ], + "ImageId": { + "Fn::GetAtt": [ + "AMI", + "Outputs.ImageId" + ] + }, + "InstanceType": { + "Ref": "InstanceType" + }, + "BlockDeviceMappings": [ + { + "DeviceName": "/dev/xvda", + "Ebs": { + "Encrypted": { + "Fn::If": [ + "EnableEncryptedVolume", + "true", + "false" + ] + }, + "KmsKeyId": { + "Fn::If": [ + "EnableEncryptedVolume", + { + "Ref": "VolumeEncryption" + }, + { + "Ref": "AWS::NoValue" + } + ] + }, + "VolumeType": "gp2", + "VolumeSize": { + "Ref": "VolumeSize" + } + } + } + ], + "KeyName": { + "Ref": "KeyName" + }, + "NetworkInterfaces": [ + { + "DeviceIndex": "0", + "NetworkInterfaceId": { + "Ref": "MemberAExternalInterface" + } + }, + { + "DeviceIndex": "1", + "NetworkInterfaceId": { + "Ref": "MemberAInternalInterface" + } + } + ], + "IamInstanceProfile": { + "Ref": "ClusterInstanceProfile" + }, + "UserData": { + "Fn::Base64": { + "Fn::Join": [ + "\n", + [ + "#!/bin/bash", + "logfile=/var/log/aws-user-data.log", + "> ${logfile}", + "exec 1>>${logfile} 2>>${logfile}", + "echo template_name: cluster >> /etc/cloud-version", + "echo template_version: 20211212 >> /etc/cloud-version", + "clish -c 'delete interface eth0 alias eth0:1' -s || true", + { + "Fn::Join": [ + "", + [ + "clish -c 'add interface eth0 alias ", + { + "Ref": "MemberAPublicAddress" + }, + "/32' -s" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "wait_handle='", + { 
+ "Ref": "ClusterReadyHandle" + }, + "'" + ] + ] + }, + "echo \"Generating TOKEN\"", + "TOKEN=`curl_cli -X PUT \"http://169.254.169.254/latest/api/token\" -H \"X-aws-ec2-metadata-token-ttl-seconds: 3600\"`", + "echo \"Getting instance id\"", + "instance_id=\"$(curl_cli -H \"X-aws-ec2-metadata-token: $TOKEN\" -v http://169.254.169.254/latest/meta-data/instance-id)\"", + { + "Fn::If": [ + "ProvidedPassHash", + { + "Fn::Join": [ + "\n", + [ + { + "Fn::Join": [ + "", + [ + "pwd_hash='", + { + "Ref": "PasswordHash" + }, + "'" + ] + ] + }, + "echo \"set admin password\"", + "clish -c \"set user admin password-hash $pwd_hash\" -s" + ] + ] + }, + "pwd_hash=\"$(dd if=/dev/urandom count=1 2>/dev/null | sha1sum | cut -c -28)\"" + ] + }, + { + "Fn::Join": [ + "", + [ + "enable_eic='", + { + "Fn::If": [ + "EnableInstanceConnect", + { + "Ref": "EnableInstanceConnect" + }, + { + "Ref": "AWS::NoValue" + } + ] + }, + "'" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "ntp1='", + { + "Ref": "NTPPrimary" + }, + "'" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "ntp2='", + { + "Ref": "NTPSecondary" + }, + "'" + ] + ] + }, + "test -z \"$ntp1\" || {", + " echo \"set primary NTP server\"", + " clish -c \"set ntp server primary $ntp1 version 4\" -s", + " test -z \"$ntp2\" || {", + " echo \"set secondary NTP server\"", + " clish -c \"set ntp server secondary $ntp2 version 4\" -s", + " }", + " clish -c \"set ntp active on\" -s", + "}", + "printf 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 | base64 -d | gunzip -c | cpopenssl x509 -inform DER >$CPDIR/tmp/wait-handle.crt", + "cat $CPDIR/conf/ca-bundle.crt >>$CPDIR/tmp/wait-handle.crt", + { + "Fn::Sub": "clish -c \"set user admin shell ${Shell}\" -s" + }, + { + "Fn::Join": [ + "", + [ + "sic=$(echo '", + { + "Fn::Base64": { + "Ref": "SICKey" + } + }, + "' | base64 --decode)" + ] + ] + }, + { + "Fn::If": [ + "BlinkConfig", + { + "Fn::Sub": "blink_config -s 
\"gateway_cluster_member=true&ftw_sic_key='$sic'&upload_info=${AllowUploadDownload}&download_info=${AllowUploadDownload}&admin_hash='$pwd_hash'\"" + }, + { + "Fn::Sub": "config_system -s \"install_security_gw=true&install_ppak=true&gateway_cluster_member=true&install_security_managment=false&ftw_sic_key='$sic'&upload_info=${AllowUploadDownload}&download_info=${AllowUploadDownload}\"" + } + ] + }, + "rc=$?", + "test -z \"$enable_eic\" || {", + "echo \"enabling ec2 instance connect\"", + "if [ -d \"/etc/ec2-instance-connect\" ]; then", + " ec2-instance-connect-config on", + "else", + " echo \"Could not enable eic, not supported in versions R80.30 and below\"", + "fi", + "}", + "if test -n \"$wait_handle\"; then", + " if test $rc -ne 0; then", + " curl_cli -s -S --cacert $CPDIR/tmp/wait-handle.crt -X PUT -H 'Content-Type:' --data-binary '{\"Status\" : \"FAILURE\", \"Reason\" : \"Security Gateway configuration failed\", \"UniqueId\" : \"'$instance_id'\", \"Data\" : \"None\"}' \"$wait_handle\"", + " else", + " curl_cli -s -S --cacert $CPDIR/tmp/wait-handle.crt -X PUT -H 'Content-Type:' --data-binary '{\"Status\" : \"SUCCESS\", \"Reason\" : \"Security Gateway configuration complete\", \"UniqueId\" : \"'$instance_id'\", \"Data\" : \"Configuration completed.\"}' \"$wait_handle\"", + " fi", + "fi", + "echo \"Rebooting...\"", + "shutdown -r now", + "" + ] + ] + } + } + } + }, + "MemberBInstance": { + "Type": "AWS::EC2::Instance", + "Properties": { + "AvailabilityZone": { + "Ref": "AvailabilityZone" + }, + "Tags": [ + { + "Key": "Name", + "Value": "Member B" + } + ], + "ImageId": { + "Fn::GetAtt": [ + "AMI", + "Outputs.ImageId" + ] + }, + "InstanceType": { + "Ref": "InstanceType" + }, + "BlockDeviceMappings": [ + { + "DeviceName": "/dev/xvda", + "Ebs": { + "Encrypted": { + "Fn::If": [ + "EnableEncryptedVolume", + "true", + "false" + ] + }, + "KmsKeyId": { + "Fn::If": [ + "EnableEncryptedVolume", + { + "Ref": "VolumeEncryption" + }, + { + "Ref": "AWS::NoValue" + } + ] + }, + 
"VolumeType": "gp2", + "VolumeSize": { + "Ref": "VolumeSize" + } + } + } + ], + "KeyName": { + "Ref": "KeyName" + }, + "NetworkInterfaces": [ + { + "DeviceIndex": "0", + "NetworkInterfaceId": { + "Ref": "MemberBExternalInterface" + } + }, + { + "DeviceIndex": "1", + "NetworkInterfaceId": { + "Ref": "MemberBInternalInterface" + } + } + ], + "IamInstanceProfile": { + "Ref": "ClusterInstanceProfile" + }, + "UserData": { + "Fn::Base64": { + "Fn::Join": [ + "\n", + [ + "#!/bin/bash", + "logfile=/var/log/aws-user-data.log", + "> ${logfile}", + "exec 1>>${logfile} 2>>${logfile}", + "echo template_name: cluster >> /etc/cloud-version", + "echo template_version: 20211212 >> /etc/cloud-version", + { + "Fn::Join": [ + "", + [ + "wait_handle='", + { + "Ref": "ClusterReadyHandle" + }, + "'" + ] + ] + }, + "echo \"Generating TOKEN\"", + "TOKEN=`curl_cli -X PUT \"http://169.254.169.254/latest/api/token\" -H \"X-aws-ec2-metadata-token-ttl-seconds: 3600\"`", + "echo \"Getting instance id\"", + "instance_id=\"$(curl_cli -H \"X-aws-ec2-metadata-token: $TOKEN\" -v http://169.254.169.254/latest/meta-data/instance-id)\"", + { + "Fn::If": [ + "ProvidedPassHash", + { + "Fn::Join": [ + "\n", + [ + { + "Fn::Join": [ + "", + [ + "pwd_hash='", + { + "Ref": "PasswordHash" + }, + "'" + ] + ] + }, + "echo \"set admin password\"", + "clish -c \"set user admin password-hash $pwd_hash\" -s" + ] + ] + }, + "pwd_hash=\"$(dd if=/dev/urandom count=1 2>/dev/null | sha1sum | cut -c -28)\"" + ] + }, + { + "Fn::Join": [ + "", + [ + "enable_eic='", + { + "Fn::If": [ + "EnableInstanceConnect", + { + "Ref": "EnableInstanceConnect" + }, + { + "Ref": "AWS::NoValue" + } + ] + }, + "'" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "ntp1='", + { + "Ref": "NTPPrimary" + }, + "'" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "ntp2='", + { + "Ref": "NTPSecondary" + }, + "'" + ] + ] + }, + "test -z \"$ntp1\" || {", + " echo \"set primary NTP server\"", + " clish -c \"set ntp server primary $ntp1 version 4\" -s", + " test 
-z \"$ntp2\" || {", + " echo \"set secondary NTP server\"", + " clish -c \"set ntp server secondary $ntp2 version 4\" -s", + " }", + " clish -c \"set ntp active on\" -s", + "}", + "printf 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 | base64 -d | gunzip -c | cpopenssl x509 -inform DER >$CPDIR/tmp/wait-handle.crt", + "cat $CPDIR/conf/ca-bundle.crt >>$CPDIR/tmp/wait-handle.crt", + { + "Fn::Sub": "clish -c \"set user admin shell ${Shell}\" -s" + }, + { + "Fn::Join": [ + "", + [ + "sic=$(echo '", + { + "Fn::Base64": { + "Ref": "SICKey" + } + }, + "' | base64 --decode)" + ] + ] + }, + { + "Fn::If": [ + "BlinkConfig", + { + "Fn::Sub": "blink_config -s \"gateway_cluster_member=true&ftw_sic_key='$sic'&upload_info=${AllowUploadDownload}&download_info=${AllowUploadDownload}&admin_hash='$pwd_hash'\"" + }, + { + "Fn::Sub": "config_system -s \"install_security_gw=true&install_ppak=true&gateway_cluster_member=true&install_security_managment=false&ftw_sic_key='$sic'&upload_info=${AllowUploadDownload}&download_info=${AllowUploadDownload}\"" + } + ] + }, + "rc=$?", + "test -z \"$enable_eic\" || {", + "echo \"enabling ec2 instance connect\"", + "if [ -d \"/etc/ec2-instance-connect\" ]; then", + " ec2-instance-connect-config on", + "else", + " echo \"Could not enable eic, not supported in versions R80.30 and below\"", + "fi", + "}", + "if test -n \"$wait_handle\"; then", + " if test $rc -ne 0; then", + " curl_cli -s -S --cacert $CPDIR/tmp/wait-handle.crt -X PUT -H 'Content-Type:' --data-binary '{\"Status\" : \"FAILURE\", \"Reason\" : \"Security Gateway configuration failed\", \"UniqueId\" : \"'$instance_id'\", \"Data\" : \"None\"}' \"$wait_handle\"", + " else", + " curl_cli -s -S --cacert $CPDIR/tmp/wait-handle.crt -X PUT -H 'Content-Type:' --data-binary '{\"Status\" : \"SUCCESS\", \"Reason\" : \"Security Gateway configuration complete\", \"UniqueId\" : \"'$instance_id'\", \"Data\" : \"Configuration completed.\"}' \"$wait_handle\"", + " fi", + "fi", + "echo 
\"Rebooting...\"", + "shutdown -r now", + "" + ] + ] + } + } + } + }, + "ClusterAddressAssoc": { + "Type": "AWS::EC2::EIPAssociation", + "DependsOn": "MemberAInstance", + "Properties": { + "NetworkInterfaceId": { + "Ref": "MemberAExternalInterface" + }, + "AllocationId": { + "Fn::GetAtt": [ + "ClusterPublicAddress", + "AllocationId" + ] + }, + "PrivateIpAddress": { + "Ref": "ClusterExternalAddr" + } + } + }, + "MemberAAddressAssoc": { + "Type": "AWS::EC2::EIPAssociation", + "DependsOn": "MemberAInstance", + "Properties": { + "NetworkInterfaceId": { + "Ref": "MemberAExternalInterface" + }, + "AllocationId": { + "Fn::GetAtt": [ + "MemberAPublicAddress", + "AllocationId" + ] + }, + "PrivateIpAddress": { + "Fn::GetAtt": [ + "MemberAExternalInterface", + "PrimaryPrivateIpAddress" + ] + } + } + }, + "MemberBAddressAssoc": { + "Type": "AWS::EC2::EIPAssociation", + "DependsOn": "MemberBInstance", + "Properties": { + "NetworkInterfaceId": { + "Ref": "MemberBExternalInterface" + }, + "AllocationId": { + "Fn::GetAtt": [ + "MemberBPublicAddress", + "AllocationId" + ] + }, + "PrivateIpAddress": { + "Fn::GetAtt": [ + "MemberBExternalInterface", + "PrimaryPrivateIpAddress" + ] + } + } + } + }, + "Outputs": { + "ClusterPublicAddress": { + "Description": "The public address of the cluster", + "Value": { + "Ref": "ClusterPublicAddress" + } + }, + "MemberAPublicAddress": { + "Description": "The public address of member A", + "Value": { + "Ref": "MemberAPublicAddress" + } + }, + "MemberASSH": { + "Description": "SSH command to member A", + "Value": { + "Fn::Join": [ + "", + [ + "ssh admin@", + { + "Ref": "MemberAPublicAddress" + } + ] + ] + } + }, + "MemberAURL": { + "Description": "URL to the member A portal", + "Value": { + "Fn::Join": [ + "", + [ + "https://", + { + "Ref": "MemberAPublicAddress" + } + ] + ] + } + }, + "MemberBPublicAddress": { + "Description": "The public address of member B", + "Value": { + "Ref": "MemberBPublicAddress" + } + }, + "MemberBSSH": { + "Description": 
"SSH command to member B",
+ "Value": {
+ "Fn::Join": [
+ "",
+ [
+ "ssh admin@",
+ {
+ "Ref": "MemberBPublicAddress"
+ }
+ ]
+ ]
+ }
+ },
+ "MemberBURL": {
+ "Description": "URL to the member B portal",
+ "Value": {
+ "Fn::Join": [
+ "",
+ [
+ "https://",
+ {
+ "Ref": "MemberBPublicAddress"
+ }
+ ]
+ ]
+ }
+ }
+ }
+}
diff --git a/deprecated/aws/templates/cluster-r8030/cluster.json b/deprecated/aws/templates/cluster-r8030/cluster.json
new file mode 100644
index 00000000..08869f9c
--- /dev/null
+++ b/deprecated/aws/templates/cluster-r8030/cluster.json
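Review bot: The instance-id lookup in the MemberAInstance UserData (`"instance_id=\"$(curl_cli -H \"X-aws-ec2-metadata-token: $TOKEN\" -v http://169.254.169.254/latest/meta-data/instance-id)\""`) runs curl with `-v`, and because the script opens with `exec 1>>${logfile} 2>>${logfile}` the verbose request dump — including the `X-aws-ec2-metadata-token` header carrying the live IMDSv2 token (TTL 3600 s) — is written to /var/log/aws-user-data.log; the same line appears in the MemberBInstance UserData of this hunk. The token request itself and the wait-handle calls are non-verbose (`-s -S`), so this looks unintentional; dropping `-v`, i.e. `"instance_id=\"$(curl_cli -s -S -H \"X-aws-ec2-metadata-token: $TOKEN\" http://169.254.169.254/latest/meta-data/instance-id)\""`, keeps the token out of a world-readable-by-root log that is commonly collected into support bundles. Separately, `InstanceSecurityGroup` admits `"IpProtocol": "-1"` from `"CidrIp": "0.0.0.0/0"`; if this is deliberate because the Security Gateway enforces the policy itself, stating that in the description — e.g. `"GroupDescription": "Permissive security group - traffic is filtered by the Check Point Security Gateway, not by AWS"` — makes the intent explicit to anyone auditing the stack.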
@@ -0,0 +1,515 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Deploy a Check Point Cluster in a new VPC (20211212)", + "Metadata": { + "AWS::CloudFormation::Interface": { + "ParameterGroups": [ + { + "Label": { + "default": "VPC Network Configuration" + }, + "Parameters": [ + "AvailabilityZone", + "VpcCidr", + "ExternalSubnetCidr", + "InternalSubnetCidr" + ] + }, + { + "Label": { + "default": "Cluster Network Configuration" + }, + "Parameters": [ + "ClusterExternalAddr", + "MemberAExternalAddr", + "MemberBExternalAddr", + "ClusterInternalAddr", + "MemberAInternalAddr", + "MemberBInternalAddr" + ] + }, + { + "Label": { + "default": "EC2 Instance Configuration" + }, + "Parameters": [ + "InstanceType", + "KeyName", + "PredefinedRole", + "VolumeSize", + "VolumeEncryption", + "EnableInstanceConnect" + ] + }, + { + "Label": { + "default": "Check Point Settings" + }, + "Parameters": [ + "Version", + "Shell", + "PasswordHash", + "SICKey", + "AllowUploadDownload", + "NTPPrimary", + "NTPSecondary" + ] + } + ], + "ParameterLabels": { + "AvailabilityZone": { + "default": "Availability zone" + }, + "VpcCidr": { + "default": "VPC CIDR" + }, + "ExternalSubnetCidr": { + "default": "External subnet CIDR" + }, + "InternalSubnetCidr": { + "default": "Internal subnet CIDR" + }, + "ClusterExternalAddr": { + "default": "Cluster external address" + }, + "MemberAExternalAddr": { + "default": "Member A external address" + }, + "MemberBExternalAddr": { + "default": "Member B external address" + }, + "ClusterInternalAddr": { + "default": "Cluster internal address" + }, + "MemberAInternalAddr": { + "default": "Member A internal address" + }, + "MemberBInternalAddr": { + "default": "Member B internal address" + }, + "InstanceType": { + "default": "Instance type" + }, + "KeyName": { + "default": "Key name" + }, + "Version": { + "default": "Version & license" + }, + "PredefinedRole": { + "default": "Existing IAM role name" + }, + "EnableInstanceConnect": { + "default": 
"Enable AWS Instance Connect" + }, + "SICKey": { + "default": "SIC key" + }, + "VolumeSize": { + "default": "Root volume size (GB)" + }, + "VolumeEncryption": { + "default": "Volume encryption KMS key identifier" + }, + "Shell": { + "default": "Admin shell" + }, + "PasswordHash": { + "default": "Password hash" + }, + "AllowUploadDownload": { + "default": "Allow upload & download" + }, + "NTPPrimary": { + "default": "Primary NTP server" + }, + "NTPSecondary": { + "default": "Secondary NTP server" + } + } + } + }, + "Parameters": { + "InstanceType": { + "Description": "c4 and t2 instance types are supported only up to version R80.10 and c5 are supported only with R80.20 and above", + "Type": "String", + "Default": "c5.xlarge", + "AllowedValues": [ + "c4.large", + "c4.xlarge", + "c4.2xlarge", + "c4.4xlarge", + "c4.8xlarge", + "c5.large", + "c5.xlarge", + "c5.2xlarge", + "c5.4xlarge", + "c5.9xlarge", + "c5.18xlarge", + "c5n.large", + "c5n.xlarge", + "c5n.2xlarge", + "c5n.4xlarge", + "c5n.9xlarge", + "c5n.18xlarge", + "t2.xlarge", + "t2.2xlarge" + ], + "ConstraintDescription": "must be a valid EC2 instance type." 
+ }, + "VpcCidr": { + "Description": "The CIDR block for your VPC", + "Type": "String", + "Default": "10.0.0.0/16" + }, + "AvailabilityZone": { + "Description": "The availability zone in which to deploy the cluster", + "Type": "AWS::EC2::AvailabilityZone::Name", + "MinLength": "1" + }, + "ExternalSubnetCidr": { + "Description": "The external subnet of the cluster", + "Type": "String", + "Default": "10.0.0.0/24" + }, + "ClusterExternalAddr": { + "Description": "The private address of the cluster on the external subnet", + "Type": "String", + "Default": "10.0.0.10" + }, + "MemberAExternalAddr": { + "Description": "The private address of member A on the external subnet", + "Type": "String", + "Default": "10.0.0.20" + }, + "MemberBExternalAddr": { + "Description": "The private address of member B on the external subnet", + "Type": "String", + "Default": "10.0.0.30" + }, + "ClusterInternalAddr": { + "Description": "The private address of the cluster on the internal subnet", + "Type": "String", + "Default": "10.0.1.10" + }, + "MemberAInternalAddr": { + "Description": "The private address of member A on the internal subnet", + "Type": "String", + "Default": "10.0.1.20" + }, + "MemberBInternalAddr": { + "Description": "The private address of member B on the internal subnet", + "Type": "String", + "Default": "10.0.1.30" + }, + "InternalSubnetCidr": { + "Description": "The internal subnet of the cluster", + "Type": "String", + "Default": "10.0.1.0/24" + }, + "KeyName": { + "Description": "The EC2 Key Pair to allow SSH access to the instance", + "Type": "AWS::EC2::KeyPair::KeyName", + "MinLength": "1" + }, + "Version": { + "Type": "String", + "Default": "R80.30-PAYG-NGTP", + "AllowedValues": [ + "R77.30-BYOL", + "R77.30-PAYG-NGTP", + "R80.10-BYOL", + "R80.10-PAYG-NGTP", + "R80.10-PAYG-NGTX", + "R80.20-BYOL", + "R80.20-PAYG-NGTP", + "R80.20-PAYG-NGTX", + "R80.30-BYOL", + "R80.30-PAYG-NGTP", + "R80.30-PAYG-NGTX", + "R80.40-BYOL", + "R80.40-PAYG-NGTP", + "R80.40-PAYG-NGTX" + ] + 
}, + "PasswordHash": { + "Description": "Admin user's password hash (use command \"openssl passwd -1 PASSWORD\" to get the PASSWORD's hash) (optional)", + "NoEcho": "true", + "Type": "String", + "Default": "", + "AllowedPattern": "[\\$\\./a-zA-Z0-9]*" + }, + "PredefinedRole": { + "Description": "A predefined IAM role to attach to the cluster profile (optional)", + "Type": "String", + "Default": "" + }, + "EnableInstanceConnect": { + "Description": "Ec2 Instance Connect is not supported with versions prior to R80.40", + "Default": "false", + "Type": "String", + "AllowedValues": [ + "true", + "false" + ] + }, + "SICKey": { + "Description": "The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters", + "NoEcho": "true", + "MinLength": "8", + "Type": "String", + "AllowedPattern": "[a-zA-Z0-9]*", + "ConstraintDescription": "At least 8 alpha numeric characters" + }, + "VolumeSize": { + "Type": "Number", + "MinValue": "100", + "Default": "100" + }, + "VolumeEncryption": { + "Description": "KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). Will be ignored for versions lower than R80.30", + "Type": "String", + "Default": "alias/aws/ebs" + }, + "Shell": { + "Description": "Change the admin shell to enable advanced command line configuration", + "Type": "String", + "Default": "/etc/cli.sh", + "AllowedValues": [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh" + ] + }, + "AllowUploadDownload": { + "Description": "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point", + "Type": "String", + "Default": "true", + "AllowedValues": [ + "true", + "false" + ] + }, + "NTPPrimary": { + "Description": "(optional)", + "Type": "String", + "Default": "169.254.169.123", + "AllowedPattern": "[\\.a-zA-Z0-9\\-]*" + }, + "NTPSecondary": { + "Description": "(optional)", + "Type": "String", + "Default": "0.pool.ntp.org", + "AllowedPattern": "[\\.a-zA-Z0-9\\-]*" + } + }, + "Resources": { + "InfraStack": { + "Type": "AWS::CloudFormation::Stack", + "Properties": { + "TemplateURL": "https://cgi-cfts.s3.amazonaws.com/deprecated/utils/infrastructure.json", + "Parameters": { + "VpcCidr": { + "Ref": "VpcCidr" + }, + "AvailabilityZone": { + "Ref": "AvailabilityZone" + }, + "ExternalSubnetCidr": { + "Ref": "ExternalSubnetCidr" + }, + "InternalSubnetCidr": { + "Ref": "InternalSubnetCidr" + }, + "ResourcesTagName": { + "Ref": "AWS::StackName" + } + } + } + }, + "ClusterStack": { + "Type": "AWS::CloudFormation::Stack", + "Properties": { + "TemplateURL": "https://cgi-cfts.s3.amazonaws.com/deprecated/cluster/cluster-into-vpc.json", + "Parameters": { + "InstanceType": { + "Ref": "InstanceType" + }, + "VPC": { + "Fn::GetAtt": [ + "InfraStack", + "Outputs.VPC" + ] + }, + "ExternalSubnet": { + "Fn::GetAtt": [ + "InfraStack", + "Outputs.ExternalSubnet" + ] + }, + "InternalSubnet": { + "Fn::GetAtt": [ + "InfraStack", + "Outputs.InternalSubnet" + ] + }, + "AvailabilityZone": { + "Ref": "AvailabilityZone" + }, + "ClusterExternalAddr": { + "Ref": "ClusterExternalAddr" + }, + "MemberAExternalAddr": { + "Ref": "MemberAExternalAddr" + }, + "MemberBExternalAddr": { + "Ref": "MemberBExternalAddr" + }, + "ClusterInternalAddr": { + "Ref": "ClusterInternalAddr" + }, + "MemberAInternalAddr": { + "Ref": "MemberAInternalAddr" + }, + "MemberBInternalAddr": { + "Ref": "MemberBInternalAddr" + }, + "KeyName": { + "Ref": "KeyName" + }, + "Version": { + "Ref": "Version" + }, + "PasswordHash": { + "Ref": "PasswordHash" + }, + 
"PredefinedRole": { + "Ref": "PredefinedRole" + }, + "EnableInstanceConnect": { + "Ref": "EnableInstanceConnect" + }, + "SICKey": { + "Ref": "SICKey" + }, + "VolumeSize": { + "Ref": "VolumeSize" + }, + "VolumeEncryption": { + "Ref": "VolumeEncryption" + }, + "Shell": { + "Ref": "Shell" + }, + "AllowUploadDownload": { + "Ref": "AllowUploadDownload" + }, + "NTPPrimary": { + "Ref": "NTPPrimary" + }, + "NTPSecondary": { + "Ref": "NTPSecondary" + } + } + } + } + }, + "Outputs": { + "ClusterPublicAddress": { + "Description": "The public address of the cluster", + "Value": { + "Fn::GetAtt": [ + "ClusterStack", + "Outputs.ClusterPublicAddress" + ] + } + }, + "MemberAPublicAddress": { + "Description": "The public address of member A", + "Value": { + "Fn::GetAtt": [ + "ClusterStack", + "Outputs.MemberAPublicAddress" + ] + } + }, + "MemberASSH": { + "Description": "SSH command to member A", + "Value": { + "Fn::Join": [ + "", + [ + "ssh admin@", + { + "Fn::GetAtt": [ + "ClusterStack", + "Outputs.MemberAPublicAddress" + ] + } + ] + ] + } + }, + "MemberAURL": { + "Description": "URL to the member A portal", + "Value": { + "Fn::Join": [ + "", + [ + "https://", + { + "Fn::GetAtt": [ + "ClusterStack", + "Outputs.MemberAPublicAddress" + ] + } + ] + ] + } + }, + "MemberBPublicAddress": { + "Description": "The public address of member B", + "Value": { + "Fn::GetAtt": [ + "ClusterStack", + "Outputs.MemberBPublicAddress" + ] + } + }, + "MemberBSSH": { + "Description": "SSH command to member B", + "Value": { + "Fn::Join": [ + "", + [ + "ssh admin@", + { + "Fn::GetAtt": [ + "ClusterStack", + "Outputs.MemberBPublicAddress" + ] + } + ] + ] + } + }, + "MemberBURL": { + "Description": "URL to the member B portal", + "Value": { + "Fn::Join": [ + "", + [ + "https://", + { + "Fn::GetAtt": [ + "ClusterStack", + "Outputs.MemberBPublicAddress" + ] + } + ] + ] + } + } + } +} 
diff --git a/deprecated/aws/templates/gateway-r7730/README.md b/deprecated/aws/templates/gateway-r7730/README.md new file mode 100644 index 00000000..36ce0e36 --- /dev/null +++ b/deprecated/aws/templates/gateway-r7730/README.md @@ -0,0 +1,21 @@ +# R77.30 Security Gateway + + + + + + + + + + + + + + + +
DescriptionNotesDirect Launch
+ Deploys an externally managed R77.30 Security Gateway into an existing VPC. This template will run the First Time Configuration Wizard automatically and configure the machine as a Security Gateway. + ---
+
+
diff --git a/deprecated/aws/templates/gateway-r7730/gateway-2-nic-existing-vpc.json b/deprecated/aws/templates/gateway-r7730/gateway-2-nic-existing-vpc.json
new file mode 100755
index 00000000..d8de1f1d
--- /dev/null
+++ b/deprecated/aws/templates/gateway-r7730/gateway-2-nic-existing-vpc.json
@@ -0,0 +1,486 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Deploys a Check Point Gateway with two NICs and runs the First Time Wizard (20180821)", + "Metadata": { + "AWS::CloudFormation::Interface": { + "ParameterGroups": [ + { + "Label": { + "default": "Network Configuration" + }, + "Parameters": [ + "VPC", + "Subnet", + "PrivateAddr", + "Subnet2", + "PrivateAddr2", + "HasInternet" + ] + }, + { + "Label": { + "default": "Check Point Settings" + }, + "Parameters": [ + "InstanceType", + "Version", + "KeyName", + "SICKey", + "Shell", + "PasswordHash", + "AllowUploadDownload", + "Name" + ] + } + ], + "ParameterLabels": { + "VPC": { + "default": "VPC" + }, + "Subnet": { + "default": "External Subnet" + }, + "Subnet2": { + "default": "Internal Subnet" + }, + "PrivateAddr": { + "default": "External private IP address" + }, + "PrivateAddr2": { + "default": "Internal private IP address" + }, + "HasInternet": { + "default": "Allocate an Elastic IP address for the instance" + }, + "InstanceType": { + "default": "Instance type" + }, + "Version": { + "default": "Version" + }, + "KeyName": { + "default": "Key name" + }, + "SICKey": { + "default": "SIC key" + }, + "Shell": { + "default": "Admin shell" + }, + "PasswordHash": { + "default": "Password hash" + }, + "AllowUploadDownload": { + "default": "Allow upload and download" + }, + "Name": { + "default": "Gateway instance Name" + } + } + } + }, + "Parameters": { + "VPC": { + "Description": "Select an existing VPC", + "Type": "AWS::EC2::VPC::Id", + "MinLength": "1" + }, + "Subnet": { + "Description": "The gateway's external subnet", + "Type": "AWS::EC2::Subnet::Id", + "MinLength": "1" + }, + "Subnet2": { + "Description": "The gateway's internal subnet. 
Should be in the same AZ as the external subnet", + "Type": "AWS::EC2::Subnet::Id", + "MinLength": "1" + }, + "PrivateAddr": { + "Description": "IP address in the External Subnet", + "Type": "String", + "AllowedPattern": "^([0-9]{1,3}\\.){3}[0-9]{1,3}$" + }, + "PrivateAddr2": { + "Description": "IP address in the Internal Subnet", + "Type": "String", + "AllowedPattern": "^([0-9]{1,3}\\.){3}[0-9]{1,3}$" + }, + "HasInternet": { + "Description": "Is the VPC connected to the Internet", + "Default": "true", + "Type": "String", + "AllowedValues": [ + "true", + "false" + ] + }, + "InstanceType": { + "Description": "EC2 instance type", + "Type": "String", + "Default": "c4.xlarge", + "AllowedValues": [ + "m3.medium", + "c4.large", + "c4.xlarge", + "c4.2xlarge", + "c4.4xlarge" + ], + "ConstraintDescription": "must be a valid EC2 instance type." + }, + "KeyName": { + "Description": "The EC2 Key Pair to allow SSH access to the instance", + "Type": "AWS::EC2::KeyPair::KeyName" + }, + "Version": { + "Description": "Security Gateway version", + "Type": "String", + "Default": "BYOL", + "AllowedValues": [ + "BYOL", + "PAYG" + ] + }, + "PasswordHash": { + "Description": "The admin user password hash (hint, use \"openssl passwd -1\")", + "MinLength": "1", + "Type": "String", + "AllowedPattern": "[\\$\\./a-zA-Z0-9]*" + }, + "AllowUploadDownload": { + "Description": "Improve product experience by sending data to Check Point. Automatically download Blade Contracts and other important data", + "Type": "String", + "Default": "true", + "AllowedValues": [ + "true", + "false" + ] + }, + "SICKey": { + "Description": "The Secure Internal Communication key creates trusted connections between Check Point components. 
Choose a random string consisting of at least 8 alphanumeric characters", + "NoEcho": "true", + "Default": "", + "Type": "String", + "AllowedPattern": "(|[a-zA-Z0-9]{8,})" + }, + "Shell": { + "Description": "The user admin shell", + "Type": "String", + "Default": "/etc/cli.sh", + "AllowedValues": [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh" + ] + }, + "Name": { + "Description": "The name for the instance", + "Type": "String", + "Default": "Check Point SG" + } + }, + "Conditions": { + "HasInternet": { + "Fn::Equals": [ + { + "Ref": "HasInternet" + }, + "true" + ] + } + }, + "Resources": { + "AMI": { + "Type": "AWS::CloudFormation::Stack", + "Properties": { + "TemplateURL": "https://s3.amazonaws.com/CloudFormationTemplate/amis.json", + "Parameters": { + "Version": { + "Ref": "Version" + } + } + } + }, + "ReadyHandle": { + "Type": "AWS::CloudFormation::WaitConditionHandle", + "Condition": "HasInternet", + "Properties": {} + }, + "ReadyCondition": { + "Type": "AWS::CloudFormation::WaitCondition", + "Condition": "HasInternet", + "DependsOn": [ + "Instance" + ], + "Properties": { + "Handle": { + "Ref": "ReadyHandle" + }, + "Timeout": "3600" + } + }, + "NetworkInterface": { + "Type": "AWS::EC2::NetworkInterface", + "Properties": { + "Description": "eth0", + "PrivateIpAddresses": [ + { + "PrivateIpAddress": { + "Ref": "PrivateAddr" + }, + "Primary": "true" + } + ], + "SourceDestCheck": "false", + "GroupSet": [ + { + "Ref": "InstanceSecurityGroup" + } + ], + "SubnetId": { + "Ref": "Subnet" + } + } + }, + "NetworkInterface2": { + "Type": "AWS::EC2::NetworkInterface", + "Properties": { + "Description": "eth1", + "PrivateIpAddress": { + "Ref": "PrivateAddr2" + }, + "SourceDestCheck": "false", + "GroupSet": [ + { + "Ref": "InstanceSecurityGroup" + } + ], + "SubnetId": { + "Ref": "Subnet2" + } + } + }, + "InstanceSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Permissive security group", + "VpcId": { + "Ref": "VPC" 
+ }, + "SecurityGroupIngress": [ + { + "IpProtocol": "-1", + "CidrIp": "0.0.0.0/0" + } + ] + } + }, + "Instance": { + "Type": "AWS::EC2::Instance", + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": { + "Ref": "Name" + } + } + ], + "ImageId": { + "Fn::GetAtt": [ + "AMI", + "Outputs.ImageId" + ] + }, + "InstanceType": { + "Ref": "InstanceType" + }, + "UserData": { + "Fn::Base64": { + "Fn::Join": [ + "\n", + [ + "#!/bin/bash", + "echo template_name: gateway-2-nic-existing-vpc >> /etc/cloud-version", + "echo template_version: 20180821 >> /etc/cloud-version", + { + "Fn::Join": [ + "", + [ + "pwd_hash='", + { + "Ref": "PasswordHash" + }, + "'" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "sic=$(echo '", + { + "Fn::Base64": { + "Ref": "SICKey" + } + }, + "' | base64 --decode)" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "wait_handle='", + { + "Fn::If": [ + "HasInternet", + { + "Ref": "ReadyHandle" + }, + { + "Ref": "AWS::NoValue" + } + ] + }, + "'" + ] + ] + }, + "instance_id=\"$(curl_cli -s -S 169.254.169.254/latest/meta-data/instance-id)\"", + { + "Fn::Join": [ + "", + [ + "shell='", + { + "Ref": "Shell" + }, + "'" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "allow_upload_download='", + { + "Ref": "AllowUploadDownload" + }, + "'" + ] + ] + }, + "printf 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 | base64 -d | gunzip -c | cpopenssl x509 -inform DER >$CPDIR/tmp/wait-handle.crt", + "cat $CPDIR/conf/ca-bundle.crt >>$CPDIR/tmp/wait-handle.crt", + "test -z \"$pwd_hash\" || {", + " echo \"set admin password\"", + " clish -c \"set user admin password-hash $pwd_hash\" -s", + "}", + "clish -c \"set user admin shell $shell\" -s", + "config_system -s \"install_security_gw=true&install_ppak=true&gateway_cluster_member=false&install_security_managment=false&ftw_sic_key='$sic'&upload_info=${allow_upload_download}&download_info=${allow_upload_download}\"", + "rc=$?", + "if test -n \"$wait_handle\"; then", + " if test $rc -ne 0; then", + " curl_cli -s -S --cacert 
$CPDIR/tmp/wait-handle.crt -X PUT -H 'Content-Type:' --data-binary '{\"Status\" : \"FAILURE\", \"Reason\" : \"First time wizard failed\", \"UniqueId\" : \"'$instance_id'\", \"Data\" : \"None\"}' \"$wait_handle\"", + " else", + " curl_cli -s -S --cacert $CPDIR/tmp/wait-handle.crt -X PUT -H 'Content-Type:' --data-binary '{\"Status\" : \"SUCCESS\", \"Reason\" : \"Instance Configuration Complete\", \"UniqueId\" : \"'$instance_id'\", \"Data\" : \"Configuration completed.\"}' \"$wait_handle\"", + " fi", + "fi", + "shutdown -r now", + "" + ] + ] + } + }, + "KeyName": { + "Ref": "KeyName" + }, + "NetworkInterfaces": [ + { + "DeviceIndex": "0", + "NetworkInterfaceId": { + "Ref": "NetworkInterface" + } + }, + { + "DeviceIndex": "1", + "NetworkInterfaceId": { + "Ref": "NetworkInterface2" + } + } + ] + } + }, + "PublicAddress": { + "Type": "AWS::EC2::EIP", + "Condition": "HasInternet", + "Properties": { + "Domain": "vpc" + } + }, + "AddressAssoc": { + "Type": "AWS::EC2::EIPAssociation", + "Condition": "HasInternet", + "Properties": { + "NetworkInterfaceId": { + "Ref": "NetworkInterface" + }, + "AllocationId": { + "Fn::GetAtt": [ + "PublicAddress", + "AllocationId" + ] + }, + "PrivateIpAddress": { + "Fn::GetAtt": [ + "NetworkInterface", + "PrimaryPrivateIpAddress" + ] + } + } + } + }, + "Outputs": { + "PublicAddress": { + "Description": "The public address of the gateway", + "Value": { + "Ref": "PublicAddress" + }, + "Condition": "HasInternet" + }, + "SSH": { + "Description": "SSH command", + "Value": { + "Fn::Join": [ + "", + [ + "ssh admin@", + { + "Ref": "PublicAddress" + } + ] + ] + }, + "Condition": "HasInternet" + }, + "URL": { + "Description": "URL to the portal", + "Value": { + "Fn::Join": [ + "", + [ + "https://", + { + "Ref": "PublicAddress" + } + ] + ] + }, + "Condition": "HasInternet" + } + } +} diff --git a/deprecated/aws/templates/gateways-r7730/README.md b/deprecated/aws/templates/gateways-r7730/README.md new file mode 100644 index 00000000..4e1ace22 
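Review bot: `SICKey` and `PasswordHash` are declared `NoEcho`, but the `UserData` script embeds both (`pwd_hash='...'` and `sic=$(echo '<base64 of SICKey>' | base64 --decode)`), and instance user data is readable from the instance metadata service and through `ec2:DescribeInstanceAttribute`, so `NoEcho` hides the values from the CloudFormation console and API only, not from anyone who can read the instance's user data. The `SICKey` and `PasswordHash` parameter descriptions are the place to say this; e.g. append `Note: this value is passed to the instance through EC2 user data and is visible to principals that can read the instance's user data.` to each. The same script reads the instance id with an unauthenticated `curl_cli -s -S 169.254.169.254/latest/meta-data/instance-id` (IMDSv1-style GET); on an instance where IMDSv2 is required that call would fail silently and `instance_id` would be empty in the wait-condition signal, which the script never checks. `InstanceSecurityGroup` admits all protocols from `0.0.0.0/0` and is attached to both interfaces, which the `GroupDescription` `Permissive security group` acknowledges but nothing in the parameter labels surfaces to the person launching the stack.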
--- /dev/null +++ b/deprecated/aws/templates/gateways-r7730/README.md @@ -0,0 +1,21 @@ +# R77.30 Security Gateways + + + + + + + + + + + + + + + +
DescriptionNotesDirect Launch
+ Creates a new VPC and deploys two R77.30 Security Gateways in it. Each Security Gateway is deployed in a different Availability Zone. This template will run the First Time Configuration Wizard automatically and configure the machines as Security Gateways. + Refer to sk108281.
+
+
diff --git a/deprecated/aws/templates/gateways-r7730/inter-az-cluster.json b/deprecated/aws/templates/gateways-r7730/inter-az-cluster.json
new file mode 100755
index 00000000..6181664c
--- /dev/null
+++ b/deprecated/aws/templates/gateways-r7730/inter-az-cluster.json
@@ -0,0 +1,505 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description" : "Deploy 2 Check Point Gateways in 2 AZs in a VPC (20180821)", + "Metadata" : { + "AWS::CloudFormation::Interface" : { + "ParameterGroups" : [ + { + "Label" : { "default" : "Network Configuration" }, + "Parameters" : [ + "VpcCidr", + "OnPremiseNetworkCIDR" + ] + }, + { + "Label" : { "default" : "1st Availability Zone Configuration" }, + "Parameters" : [ + "AZ1", + "PublicSubnetCidr1", + "ExternalAddress1", + "PrivateSubnetCidr1", + "PrivateAddress1" + ] + }, + { + "Label" : { "default" : "2nd Availability Zone Configuration" }, + "Parameters" : [ + "AZ2", + "PublicSubnetCidr2", + "ExternalAddress2", + "PrivateSubnetCidr2", + "PrivateAddress2" + ] + }, + { + "Label" : { "default" : "Gateway Settings" }, + "Parameters" : [ + "InstanceType", + "KeyName", + "Version", + "SICKey", + "Shell", + "PasswordHash", + "AllowUploadDownload" + ] + } + ], + "ParameterLabels" : { + + "VpcCidr" : { "default" : "VPC CIDR" }, + "OnPremiseNetworkCIDR" : { "default" : "On premise CIDR" }, + + "AZ1" : { "default" : "Availability zone" }, + "PublicSubnetCidr1" : { "default" : "Public subnet CIDR" }, + "ExternalAddress1" : { "default" : "External address" }, + "PrivateSubnetCidr1" : { "default" : "Private subnet CIDR" }, + "PrivateAddress1" : { "default" : "Internal address" }, + + "AZ2" : { "default" : "Availability zone" }, + "PublicSubnetCidr2" : { "default" : "Public subnet CIDR" }, + "ExternalAddress2" : { "default" : "External address" }, + "PrivateSubnetCidr2" : { "default" : "Private subnet CIDR" }, + "PrivateAddress2" : { "default" : "Internal address" }, + + "InstanceType" : { "default" : "Instance type" }, + "KeyName" : { "default" : "Key name" }, + "Version" : { "default" : "Version" }, + "SICKey" : { "default" : "SIC key" }, + "Shell" : { "default" : "Admin shell" }, + "PasswordHash" : { "default" : "Password hash" }, + "AllowUploadDownload": { "default": "Allow upload and download" } + } + } + 
}, + + "Parameters" : { + "InstanceType" : { + "Description" : "Check Point Security Gateway instance type", + "Type" : "String", + "Default" : "c4.xlarge", + "AllowedValues" : [ "m3.medium","c4.large","c4.xlarge","c4.2xlarge","c4.4xlarge","c4.8xlarge"], + "ConstraintDescription" : "must be a valid EC2 instance type." + }, + "VpcCidr" : { + "Description" : "The CIDR block for your VPC", + "Type": "String", + "Default" : "10.0.0.0/16" + }, + "AZ1" : { + "Description" : "The 1st availability zone in which to deploy", + "Type": "AWS::EC2::AvailabilityZone::Name", + "MinLength": "1" + }, + "AZ2" : { + "Description" : "The 2nd availability zone in which to deploy", + "Type": "AWS::EC2::AvailabilityZone::Name", + "MinLength": "1" + }, + "OnPremiseNetworkCIDR" : { + "Description" : "The on premise network", + "Type": "String", + "Default": "0.0.0.0/0" + }, + "PublicSubnetCidr1" : { + "Description" : "The public subnet of the 1st AZ", + "Type": "String", + "Default": "10.0.0.0/24" + }, + "PublicSubnetCidr2" : { + "Description" : "The public subnet of the 2nd AZ", + "Type": "String", + "Default": "10.0.1.0/24" + }, + "PrivateSubnetCidr1" : { + "Description" : "The private subnet of the 1st AZ", + "Type": "String", + "Default": "10.0.2.0/24" + }, + "PrivateSubnetCidr2" : { + "Description" : "The private subnet of the 2nd AZ", + "Type": "String", + "Default": "10.0.3.0/24" + }, + "ExternalAddress1" : { + "Description" : "The external address of the 1st gateway", + "Type": "String", + "Default": "10.0.0.10" + }, + "ExternalAddress2" : { + "Description" : "The external address of the 2nd gateway", + "Type": "String", + "Default": "10.0.1.10" + }, + "PrivateAddress1" : { + "Description" : "The internal address of the 1st gateway", + "Type": "String", + "Default": "10.0.2.10" + }, + "PrivateAddress2" : { + "Description" : "The internal address of the 2nd gateway", + "Type": "String", + "Default": "10.0.3.10" + }, + "KeyName" : { + "Description" : "SSH Key Pair", + "Type" : 
"AWS::EC2::KeyPair::KeyName", + "MinLength": "1" + }, + "Version" : { + "Description" : "Security Gateway version", + "Type" : "String", + "Default": "BYOL", + "AllowedValues" : [ "BYOL", "PAYG" ] + }, + "PasswordHash" : { + "Description" : "(optional) The admin user password hash (hint, use \"openssl passwd -1\")", + "Default": "", + "Type" : "String", + "AllowedPattern": "[\\$\\./a-zA-Z0-9]*" + }, + "AllowUploadDownload": { + "Description": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point", + "Type": "String", + "Default": "true", + "AllowedValues": [ + "true", + "false" + ] + }, + "SICKey" : { + "Description" : "The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters", + "NoEcho" : "true", + "MinLength": "8", + "Type" : "String", + "AllowedPattern" : "[a-zA-Z0-9]*", + "ConstraintDescription": "At least 8 alpha numeric characters" + }, + "Shell" : { + "Description" : "The user admin shell", + "Type" : "String", + "Default" : "/etc/cli.sh", + "AllowedValues" : [ "/etc/cli.sh", "/bin/bash", "/bin/csh", "/bin/tcsh"] + } + }, + "Resources" : { + "VPC" : { + "Type" : "AWS::EC2::VPC", + "Properties" : { + "CidrBlock" : { "Ref" : "VpcCidr" } + } + }, + "InternetGateway" : { + "Type" : "AWS::EC2::InternetGateway" + }, + "AttachGateway" : { + "Type" : "AWS::EC2::VPCGatewayAttachment", + "Properties" : { + "VpcId" : { "Ref" : "VPC" }, + "InternetGatewayId" : { "Ref" : "InternetGateway" } + } + }, + "PublicSubnet1" : { + "Type" : "AWS::EC2::Subnet", + "Properties" : { + "AvailabilityZone" : { "Ref" : "AZ1" }, + "CidrBlock" : { "Ref" : "PublicSubnetCidr1" }, + "VpcId" : { "Ref" : "VPC" } + } + }, + "PrivateSubnet1" : { + "Type" : "AWS::EC2::Subnet", + "Properties" : { + "AvailabilityZone" : { "Ref" : "AZ1" }, + "CidrBlock" : { "Ref" : "PrivateSubnetCidr1" }, + "VpcId" : { "Ref" : "VPC" } + 
} + }, + "PublicSubnet2" : { + "Type" : "AWS::EC2::Subnet", + "Properties" : { + "AvailabilityZone" : { "Ref" : "AZ2" }, + "CidrBlock" : { "Ref" : "PublicSubnetCidr2" }, + "VpcId" : { "Ref" : "VPC" } + } + }, + "PrivateSubnet2" : { + "Type" : "AWS::EC2::Subnet", + "Properties" : { + "AvailabilityZone" : { "Ref" : "AZ2" }, + "CidrBlock" : { "Ref" : "PrivateSubnetCidr2" }, + "VpcId" : { "Ref" : "VPC" } + } + }, + "PublicRoutingTable" : { + "Type" : "AWS::EC2::RouteTable", + "Properties" : { + "VpcId" : { "Ref" : "VPC" } + } + }, + "DefaultRoute" : { + "Type" : "AWS::EC2::Route", + "Properties" : { + "DestinationCidrBlock" : "0.0.0.0/0", + "GatewayId" : { "Ref" : "InternetGateway" }, + "RouteTableId" : { "Ref" : "PublicRoutingTable" } + } + }, + "PublicNetworkRouteAssociation1" : { + "Type" : "AWS::EC2::SubnetRouteTableAssociation", + "Properties" : { + "RouteTableId" : { "Ref" : "PublicRoutingTable" }, + "SubnetId" : { "Ref" : "PublicSubnet1" } + } + }, + "PublicNetworkRouteAssociation2" : { + "Type" : "AWS::EC2::SubnetRouteTableAssociation", + "Properties" : { + "RouteTableId" : { "Ref" : "PublicRoutingTable" }, + "SubnetId" : { "Ref" : "PublicSubnet2" } + } + }, + "AMI" : { + "Type" : "AWS::CloudFormation::Stack", + "Properties" : { + "TemplateURL" : "https://s3.amazonaws.com/CloudFormationTemplate/amis.json", + "Parameters" : { + "Version" : { "Ref" : "Version" } + } + } + }, + "PrivateRoutingTable1" : { + "Type" : "AWS::EC2::RouteTable", + "Properties" : { + "VpcId" : { "Ref" : "VPC" } + } + }, + "PrivateDefaultRoute1" : { + "Type" : "AWS::EC2::Route", + "Properties" : { + "DestinationCidrBlock" : {"Ref" : "OnPremiseNetworkCIDR" }, + "NetworkInterfaceId" : { "Ref" : "PrivateInterface1" }, + "RouteTableId" : { "Ref" : "PrivateRoutingTable1" } + } + }, + "PrivateNetworkRouteAssociation1" : { + "Type" : "AWS::EC2::SubnetRouteTableAssociation", + "Properties" : { + "RouteTableId" : { "Ref" : "PrivateRoutingTable1" }, + "SubnetId" : { "Ref" : "PrivateSubnet1" } + } + 
}, + "PrivateRoutingTable2" : { + "Type" : "AWS::EC2::RouteTable", + "Properties" : { + "VpcId" : { "Ref" : "VPC" } + } + }, + "PrivateDefaultRoute2" : { + "Type" : "AWS::EC2::Route", + "Properties" : { + "DestinationCidrBlock" : {"Ref" : "OnPremiseNetworkCIDR" }, + "NetworkInterfaceId" : { "Ref" : "PrivateInterface2" }, + "RouteTableId" : { "Ref" : "PrivateRoutingTable2" } + } + }, + "PrivateNetworkRouteAssociation2" : { + "Type" : "AWS::EC2::SubnetRouteTableAssociation", + "Properties" : { + "RouteTableId" : { "Ref" : "PrivateRoutingTable2" }, + "SubnetId" : { "Ref" : "PrivateSubnet2" } + } + }, + "PublicInterface1" : { + "Type" : "AWS::EC2::NetworkInterface", + "Properties" : { + "PrivateIpAddresses": [ + { "PrivateIpAddress" : { "Ref" : "ExternalAddress1" }, "Primary" : "true" } + ], + "SourceDestCheck": "false", + "GroupSet" : [{ "Ref" : "InstanceSecurityGroup" }], + "SubnetId": { "Ref" : "PublicSubnet1" } + } + }, + "PublicInterface2" : { + "Type" : "AWS::EC2::NetworkInterface", + "Properties" : { + "PrivateIpAddresses": [ + { "PrivateIpAddress" : { "Ref" : "ExternalAddress2" }, "Primary" : "true" } + ], + "SourceDestCheck": "false", + "GroupSet" : [{ "Ref" : "InstanceSecurityGroup" }], + "SubnetId": { "Ref" : "PublicSubnet2" } + } + }, + "PrivateInterface1" : { + "Type" : "AWS::EC2::NetworkInterface", + "Properties" : { + "PrivateIpAddress": { "Ref" : "PrivateAddress1"}, + "GroupSet" : [{ "Ref" : "InstanceSecurityGroup" }], + "SourceDestCheck": "false", + "SubnetId": { "Ref" : "PrivateSubnet1" } + } + }, + "PrivateInterface2" : { + "Type" : "AWS::EC2::NetworkInterface", + "Properties" : { + "PrivateIpAddress": { "Ref" : "PrivateAddress2"}, + "GroupSet" : [{ "Ref" : "InstanceSecurityGroup" }], + "SourceDestCheck": "false", + "SubnetId": { "Ref" : "PrivateSubnet2" } + } + }, + "InstanceSecurityGroup" : { + "Type" : "AWS::EC2::SecurityGroup", + "Properties" : { + "GroupDescription" : "Permissive security group", + "VpcId" : { "Ref" : "VPC" }, + 
"SecurityGroupIngress" : [ { "IpProtocol" : "-1", "CidrIp" : "0.0.0.0/0" } ] + } + }, + "Instance1" : { + "Type" : "AWS::EC2::Instance", + "Properties" : { + "AvailabilityZone" : { "Ref" : "AZ1" }, + "Tags" : [ + { "Key" : "Name", "Value" : "Security Gateway 1" } + ], + "ImageId" : { "Fn::GetAtt" : [ "AMI", "Outputs.ImageId" ] }, + "InstanceType" : { "Ref" : "InstanceType" }, + "KeyName" : { "Ref" : "KeyName" }, + "NetworkInterfaces" : [ + { "DeviceIndex" : "0", "NetworkInterfaceId" : {"Ref" : "PublicInterface1"} }, + { "DeviceIndex" : "1", "NetworkInterfaceId" : {"Ref" : "PrivateInterface1"} } + ], + "UserData" : { "Fn::Base64" : + { "Fn::Join" : [ "\n", + [ "#!/bin/bash", + "echo template_name: inter-az-cluster >> /etc/cloud-version", + "echo template_version: 20180821 >> /etc/cloud-version", + {"Fn::Join" : [ "", ["pwd_hash='", {"Ref" : "PasswordHash"}, "'"]]}, + "test -z \"$pwd_hash\" || {", + " echo \"set admin password\"", + " clish -c \"set user admin password-hash $pwd_hash\" -s", + "}", + {"Fn::Join" : [ "", ["sic_key=$(echo '", {"Fn::Base64": {"Ref" : "SICKey"}}, "' | base64 --decode)"]]}, + {"Fn::Join" : [ "", ["shell='", {"Ref" : "Shell"}, "'"]]}, + {"Fn::Join" : [ "", ["allow_upload_download='", {"Ref" : "AllowUploadDownload"}, "'"]]}, + "clish -c \"set user admin shell $shell\" -s", + "config_system -s \"install_security_gw=true&install_ppak=true&gateway_cluster_member=false&install_security_managment=false&ftw_sic_key=${sic_key}&upload_info=${allow_upload_download}&download_info=${allow_upload_download}\"", + "shutdown -r now", + "" + ] + ] + } + } + } + }, + "Instance2" : { + "Type" : "AWS::EC2::Instance", + "Properties" : { + "AvailabilityZone" : { "Ref" : "AZ2" }, + "Tags" : [ + { "Key" : "Name", "Value" : "Security Gateway 2" } + ], + "ImageId" : { "Fn::GetAtt" : [ "AMI", "Outputs.ImageId" ] }, + "InstanceType" : { "Ref" : "InstanceType" }, + "KeyName" : { "Ref" : "KeyName" }, + "NetworkInterfaces" : [ + { "DeviceIndex" : "0", 
"NetworkInterfaceId" : {"Ref" : "PublicInterface2"} }, + { "DeviceIndex" : "1", "NetworkInterfaceId" : {"Ref" : "PrivateInterface2"} } + ], + "UserData" : { "Fn::Base64" : + { "Fn::Join" : [ "\n", + [ "#!/bin/bash", + "echo template_name: inter-az-cluster >> /etc/cloud-version", + "echo template_version: 20180821 >> /etc/cloud-version", + {"Fn::Join" : [ "", ["pwd_hash='", {"Ref" : "PasswordHash"}, "'"]]}, + "test -z \"$pwd_hash\" || {", + " echo \"set admin password\"", + " clish -c \"set user admin password-hash $pwd_hash\" -s", + "}", + {"Fn::Join" : [ "", ["sic_key=$(echo '", {"Fn::Base64": {"Ref" : "SICKey"}}, "' | base64 --decode)"]]}, + {"Fn::Join" : [ "", ["shell='", {"Ref" : "Shell"}, "'"]]}, + {"Fn::Join" : [ "", ["allow_upload_download='", {"Ref" : "AllowUploadDownload"}, "'"]]}, + "clish -c \"set user admin shell $shell\" -s", + "config_system -s \"install_security_gw=true&install_ppak=true&gateway_cluster_member=false&install_security_managment=false&ftw_sic_key=${sic_key}&upload_info=${allow_upload_download}&download_info=${allow_upload_download}\"", + "shutdown -r now", + "" + ] + ] + } + } + } + }, + "PublicAddress1" : { + "Type" : "AWS::EC2::EIP", + "Properties" : { + "Domain" : "vpc" + } + }, + "PublicAddress2" : { + "Type" : "AWS::EC2::EIP", + "Properties" : { + "Domain" : "vpc" + } + }, + "AddressAssoc1" : { + "Type" : "AWS::EC2::EIPAssociation", + "Properties" : { + "NetworkInterfaceId" : { "Ref" : "PublicInterface1" }, + "AllocationId" : { "Fn::GetAtt" : [ "PublicAddress1" , "AllocationId" ] }, + "PrivateIpAddress" : { "Fn::GetAtt" : ["PublicInterface1", "PrimaryPrivateIpAddress" ]} + } + }, + "AddressAssoc2" : { + "Type" : "AWS::EC2::EIPAssociation", + "Properties" : { + "NetworkInterfaceId" : { "Ref" : "PublicInterface2" }, + "AllocationId" : { "Fn::GetAtt" : [ "PublicAddress2" , "AllocationId" ] }, + "PrivateIpAddress" : { "Fn::GetAtt" : ["PublicInterface2", "PrimaryPrivateIpAddress" ]} + } + } + }, + "Outputs" : { + "PublicAddress1" : { + 
"Description" : "The public address of the 1st gateway", + "Value" : { "Ref" : "PublicAddress1" } + }, + "SSH1" : { + "Description" : "SSH command to the 1st gateway", + "Value" : { "Fn::Join" : [ "", [ "ssh admin@", { "Ref" : "PublicAddress1" }]]} + }, + "URL1" : { + "Description" : "URL to the 1st gateway", + "Value" : { "Fn::Join" : [ "", [ "https://", { "Ref" : "PublicAddress1" }]]} + }, + "RouteTable1" : { + "Description" : "A routing table pointing to the 1st gateway", + "Value" : { "Ref" : "PrivateRoutingTable1" } + }, + "Subnet1" : { + "Description" : "A private subnet behind the 1st gateway", + "Value" : { "Ref" : "PrivateSubnet1" } + }, + "PublicAddress2" : { + "Description" : "The public address of the 2nd gateway", + "Value" : { "Ref" : "PublicAddress2" } + }, + "SSH2" : { + "Description" : "SSH command to the 2nd gateway", + "Value" : { "Fn::Join" : [ "", [ "ssh admin@", { "Ref" : "PublicAddress2" }]]} + }, + "URL2" : { + "Description" : "URL to the 2nd gateway", + "Value" : { "Fn::Join" : [ "", [ "https://", { "Ref" : "PublicAddress2" }]]} + }, + "RouteTable2" : { + "Description" : "A routing table pointing to the 2nd gateway", + "Value" : { "Ref" : "PrivateRoutingTable2" } + }, + "Subnet2" : { + "Description" : "A private subnet behind the 2nd gateway", + "Value" : { "Ref" : "PrivateSubnet2" } + } + } +} diff --git a/deprecated/aws/templates/instance-r7730/README.md b/deprecated/aws/templates/instance-r7730/README.md new file mode 100644 index 00000000..b07628e5 --- /dev/null +++ b/deprecated/aws/templates/instance-r7730/README.md @@ -0,0 +1,21 @@ +# R77.30 Instance + + + + + + + + + + + + + + + +
DescriptionNotesDirect Launch
+ Creates a new VPC and deploys an R77.30 instance. This template does not run the First Time Configuration Wizard. + Does not run the First Time Configuration Wizard.
+
+
diff --git a/deprecated/aws/templates/instance-r7730/gwinvpc.json b/deprecated/aws/templates/instance-r7730/gwinvpc.json
new file mode 100755
index 00000000..071f56a6
--- /dev/null
+++ b/deprecated/aws/templates/instance-r7730/gwinvpc.json
@@ -0,0 +1,269 @@ +{ + "Description" : "Deploy a Check Point Security Gateway in VPC", + "Metadata" : { + "AWS::CloudFormation::Interface" : { + "ParameterGroups" : [ + { + "Label" : { "default" : "VPC Network Configuration" }, + "Parameters" : [ + "AvailabilityZone", + "VpcCidr", + "ExternalSubnetCidr", + "InternalSubnetCidr" + ] + }, + { + "Label" : { "default" : "Gateway Network Configuration" }, + "Parameters" : [ + "GWExternalPrivateAddr", + "GWInternalPrivateAddr", + "GWExternalSecondaryPrivateAddr" + ] + }, + { + "Label" : { "default" : "Gateway Settings" }, + "Parameters" : [ + "GWInstanceType", + "KeyName", + "Version", + "Shell", + "PasswordHash", + "TagNameFirewall" + ] + } + ], + "ParameterLabels" : { + "VpcCidr" : { "default" : "VPC CIDR" }, + "AvailabilityZone" : { "default" : "Availability zone" }, + "ExternalSubnetCidr" : { "default" : "External subnet CIDR" }, + "InternalSubnetCidr" : { "default" : "Internal subnet CIDR" }, + + "GWExternalPrivateAddr" : { "default" : "Gateway external address" }, + "GWInternalPrivateAddr" : { "default" : "Gateway internal address" }, + "GWExternalSecondaryPrivateAddr" : { "default" : "Gateway secondary external address" }, + + "GWInstanceType" : { "default" : "Instance type" }, + + "KeyName" : { "default" : "Key name" }, + "Version" : { "default" : "Version" }, + + "Shell" : { "default" : "Admin shell" }, + "PasswordHash" : { "default" : "Password hash" }, + "TagNameFirewall" : { "default" : "Tag" } + } + } + }, + + + "Parameters" : { + "GWInstanceType" : { + "Description" : "Check Point Security Gateway instance type", + "Type" : "String", + "Default" : "c4.xlarge", + "AllowedValues" : [ "m3.medium","c4.large","c4.xlarge","c4.2xlarge","c4.4xlarge","c4.8xlarge"], + "ConstraintDescription" : "must be a valid EC2 instance type." 
+ }, + "VpcCidr" : { + "Description" : "The CIDR block for your VPC", + "Type": "String", + "Default" : "10.0.0.0/16" + }, + "AvailabilityZone" : { + "Description" : "The availability zone in which to deploy the gateway", + "Type": "AWS::EC2::AvailabilityZone::Name", + "MinLength": "1" + }, + "ExternalSubnetCidr" : { + "Description" : "The external subnet of the security gateway", + "Type": "String", + "Default": "10.0.0.0/24" + }, + "GWExternalPrivateAddr" : { + "Description" : "The private address of the gateway on the external subnet", + "Type": "String", + "Default": "10.0.0.10" + }, + "GWExternalSecondaryPrivateAddr" : { + "Description" : "A secondary address of the gateway on the external subnet", + "Type": "String", + "Default": "10.0.0.11" + }, + "GWInternalPrivateAddr" : { + "Description" : "The private address of the gateway on the internal subnet", + "Type": "String", + "Default": "10.0.1.10" + }, + "InternalSubnetCidr" : { + "Description" : "The internal subnet of the security gateway", + "Type": "String", + "Default": "10.0.1.0/24" + }, + "KeyName" : { + "Description" : "SSH Key Pair", + "Type" : "AWS::EC2::KeyPair::KeyName", + "MinLength": "1" + }, + "TagNameFirewall" : { + "Description" : "Firewall Name in Console", + "Type" : "String", + "Default" : "Firewall" + }, + "Version" : { + "Description" : "Security Gateway version", + "Type" : "String", + "Default": "BYOL", + "AllowedValues" : [ "BYOL", "PAYG" ] + }, + "PasswordHash" : { + "Description" : "(optional) The admin user password hash (hint, use \"openssl passwd -1\")", + "Default": "", + "Type" : "String", + "AllowedPattern": "[\\$\\./a-zA-Z0-9]*" + }, + "Shell" : { + "Description" : "The user admin shell", + "Type" : "String", + "Default" : "/etc/cli.sh", + "AllowedValues" : [ "/etc/cli.sh", "/bin/bash", "/bin/csh", "/bin/tcsh"] + } + }, + "Resources" : { + "AMI" : { + "Type" : "AWS::CloudFormation::Stack", + "Properties" : { + "TemplateURL" : 
"https://s3.amazonaws.com/CloudFormationTemplate/amis.json", + "Parameters" : { + "Version" : { "Ref" : "Version" } + } + } + }, + "InfraStack" : { + "Type" : "AWS::CloudFormation::Stack", + "Properties" : { + "TemplateURL" : "https://s3.amazonaws.com/CloudFormationTemplate/infrastructure.json", + "Parameters" : { + "VpcCidr" : { "Ref" : "VpcCidr" }, + "AvailabilityZone" : { "Ref" : "AvailabilityZone" }, + "ExternalSubnetCidr" : { "Ref" : "ExternalSubnetCidr" }, + "InternalSubnetCidr" : { "Ref" : "InternalSubnetCidr" }, + "ResourcesTagName" : { "Ref" : "AWS::StackName" } + } + } + }, + "InternalRoutingTable" : { + "Type" : "AWS::EC2::RouteTable", + "Properties" : { + "VpcId" : { "Fn::GetAtt" : [ "InfraStack", "Outputs.VPC" ] } + } + }, + "InternalDefaultRoute" : { + "Type" : "AWS::EC2::Route", + "Properties" : { + "DestinationCidrBlock" : "0.0.0.0/0", + "NetworkInterfaceId" : { "Ref" : "SecurityGatewayInternalInterface" }, + "RouteTableId" : { "Ref" : "InternalRoutingTable" } + } + }, + "InternalNetworkRouteAssociation" : { + "Type" : "AWS::EC2::SubnetRouteTableAssociation", + "Properties" : { + "RouteTableId" : { "Ref" : "InternalRoutingTable" }, + "SubnetId" : { "Fn::GetAtt" : [ "InfraStack", "Outputs.InternalSubnet" ] } + } + }, + "SecurityGatewayExternalInterface" : { + "Type" : "AWS::EC2::NetworkInterface", + "Properties" : { + "Description": "External", + "PrivateIpAddresses": [ + { "PrivateIpAddress" : { "Ref" : "GWExternalPrivateAddr" }, "Primary" : "true" }, + { "PrivateIpAddress" : { "Ref" : "GWExternalSecondaryPrivateAddr" }, "Primary" : "false" } + ], + "SourceDestCheck": "false", + "GroupSet" : [{ "Ref" : "InstanceSecurityGroup" }], + "SubnetId": { "Fn::GetAtt" : [ "InfraStack", "Outputs.ExternalSubnet" ] } + } + }, + "SecurityGatewayInternalInterface" : { + "Type" : "AWS::EC2::NetworkInterface", + "Properties" : { + "Description": "Internal", + "PrivateIpAddress": { "Ref" : "GWInternalPrivateAddr"}, + "GroupSet" : [{ "Ref" : "InstanceSecurityGroup" 
}], + "SourceDestCheck": "false", + "SubnetId": { "Fn::GetAtt" : [ "InfraStack", "Outputs.InternalSubnet" ] } + } + }, + "InstanceSecurityGroup" : { + "Type" : "AWS::EC2::SecurityGroup", + "Properties" : { + "GroupDescription" : "Permissive security group", + "VpcId" : { "Fn::GetAtt" : [ "InfraStack", "Outputs.VPC" ] }, + "SecurityGroupIngress" : [ { "IpProtocol" : "-1", "CidrIp" : "0.0.0.0/0" } ] + } + }, + "SecurityGatewayInstance" : { + "Type" : "AWS::EC2::Instance", + "Properties" : { + "AvailabilityZone" : { "Ref" : "AvailabilityZone" }, + "Tags" : [ + { "Key" : "Name", "Value" : { "Ref" : "TagNameFirewall" } } + ], + "ImageId" : { "Fn::GetAtt" : [ "AMI", "Outputs.ImageId" ] }, + "InstanceType" : { "Ref" : "GWInstanceType" }, + "KeyName" : { "Ref" : "KeyName" }, + "NetworkInterfaces" : [ + { "DeviceIndex" : "0", "NetworkInterfaceId" : {"Ref" : "SecurityGatewayExternalInterface"} }, + { "DeviceIndex" : "1", "NetworkInterfaceId" : {"Ref" : "SecurityGatewayInternalInterface"} } + ], + "UserData" : { "Fn::Base64" : + { "Fn::Join" : [ "\n", + [ "#!/bin/bash", + "echo template_name: gwinvpc >> /etc/cloud-version", + "echo template_version: 20170621 >> /etc/cloud-version", + {"Fn::Join" : [ "", ["pwd_hash='", {"Ref" : "PasswordHash"}, "'"]]}, + "test -z \"$pwd_hash\" || {", + " echo \"set admin password\"", + " clish -c \"set user admin password-hash $pwd_hash\" -s", + "}", + {"Fn::Join" : [ "", ["shell='", {"Ref" : "Shell"}, "'"]]}, + "clish -c \"set user admin shell $shell\" -s", + "" + ] + ] + } + } + } + }, + "GatewayPublicAddress" : { + "Type" : "AWS::EC2::EIP", + "Properties" : { + "Domain" : "vpc" + } + }, + "GatewayAddressAssoc" : { + "Type" : "AWS::EC2::EIPAssociation", + "Properties" : { + "NetworkInterfaceId" : { "Ref" : "SecurityGatewayExternalInterface" }, + "AllocationId" : { "Fn::GetAtt" : [ "GatewayPublicAddress" , "AllocationId" ] }, + "PrivateIpAddress" : { "Fn::GetAtt" : ["SecurityGatewayExternalInterface", "PrimaryPrivateIpAddress" ]} + } + } + }, 
+ "Outputs" : { + "GatewayPublicAddress" : { + "Description" : "The public address of your gateway", + "Value" : { "Ref" : "GatewayPublicAddress" } + }, + + "SSH" : { + "Description" : "SSH command", + "Value" : { "Fn::Join" : [ "", [ "ssh admin@", { "Ref" : "GatewayPublicAddress" }]]} + }, + + "URL" : { + "Description" : "URL to the Gateway portal", + "Value" : { "Fn::Join" : [ "", [ "https://", { "Ref" : "GatewayPublicAddress" }]]} + } + } +} \ No newline at end of file diff --git a/deprecated/aws/templates/management-r7730/README.md b/deprecated/aws/templates/management-r7730/README.md new file mode 100644 index 00000000..87ca8284 --- /dev/null +++ b/deprecated/aws/templates/management-r7730/README.md @@ -0,0 +1,21 @@ +# R77.30 Security Management Server + + + + + + + + + + + + + + + +
DescriptionNotesDirect Launch
+ Deploys an R77.30 Security Management Server / Multi-Domain Security Management Server. This template will run the First Time Configuration Wizard automatically and configure the machine as a Security Management server. + User should connect to the machine and configure the Administrator and password for SmartDashboard GUI applications using the "cpconfig" command. The "Password hash" input parameter that the user can provide in the template is only used for the Gaia Portal login.
+
+
diff --git a/deprecated/aws/templates/management-r7730/r7730-management.json b/deprecated/aws/templates/management-r7730/r7730-management.json
new file mode 100755
index 00000000..4ac0e7dc
--- /dev/null
+++ b/deprecated/aws/templates/management-r7730/r7730-management.json
@@ -0,0 +1,656 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Deploys a Check Point R77.30 management server (20180821)", + "Metadata": { + "AWS::CloudFormation::Interface": { + "ParameterGroups": [ + { + "Label": { + "default": "Network Configuration" + }, + "Parameters": [ + "VPC", + "Subnet" + ] + }, + { + "Label": { + "default": "Check Point management Settings" + }, + "Parameters": [ + "InstanceType", + "KeyName", + "AdminSubnet", + "GatewaysAddresses" + ] + }, + { + "Label": { + "default": "Advanced" + }, + "Parameters": [ + "Primary", + "PasswordHash", + "SICKey", + "Shell", + "Hostname", + "AllocatePublicAddress", + "VolumeSize", + "AllowUploadDownload", + "NTPPrimary", + "NTPSecondary" + ] + } + ], + "ParameterLabels": { + "VPC": { + "default": "VPC" + }, + "Subnet": { + "default": "Subnet" + }, + "InstanceType": { + "default": "Instance type" + }, + "KeyName": { + "default": "Key name" + }, + "AdminSubnet": { + "default": "Allowed GUI clients" + }, + "GatewaysAddresses": { + "default": "Gateways network" + }, + "Hostname": { + "default": "Hostname" + }, + "AllocatePublicAddress": { + "default": "Allocate an EIP" + }, + "SICKey": { + "default": "SIC key" + }, + "Shell": { + "default": "Admin shell" + }, + "PasswordHash": { + "default": "Password hash" + }, + "Primary": { + "default": "Primary management" + }, + "VolumeSize": { + "default": "Volume size" + }, + "AllowUploadDownload": { + "default": "Allow upload and download" + }, + "NTPPrimary": { + "default": "Primary NTP" + }, + "NTPSecondary": { + "default": "Secondary NTP" + } + } + } + }, + "Parameters": { + "VPC": { + "Description": "Select an existing VPC", + "Type": "AWS::EC2::VPC::Id", + "MinLength": "1" + }, + "Subnet": { + "Description": "Select a subnet in the VPC", + "Type": "AWS::EC2::Subnet::Id", + "MinLength": "1" + }, + "InstanceType": { + "Description": "EC2 instance type", + "Type": "String", + "Default": "m4.large", + "AllowedValues": [ + "m4.large", + "c3.large", + 
"c3.xlarge", + "c3.2xlarge", + "c3.4xlarge", + "c3.8xlarge", + "c4.large", + "c4.xlarge", + "c4.2xlarge", + "c4.4xlarge", + "c4.8xlarge" + ], + "ConstraintDescription": "must be a valid EC2 instance type." + }, + "KeyName": { + "Description": "The EC2 Key Pair to allow SSH access to the instance", + "Type": "AWS::EC2::KeyPair::KeyName", + "ConstraintDescription": "must be the name of an existing EC2 KeyPair." + }, + "AdminSubnet": { + "Description": "Allow only web and graphical clients from this network to communicate with the management", + "Type": "String", + "Default": "0.0.0.0/0", + "AllowedPattern": "^([0-9]{1,3}\\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$" + }, + "GatewaysAddresses": { + "Description": "Allow only gateways from this network to communicate with the management", + "Type": "String", + "Default": "0.0.0.0/0", + "AllowedPattern": "^([0-9]{1,3}\\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$" + }, + "PasswordHash": { + "Description": "(optional) The admin user password hash (hint, use \"openssl passwd -1\")", + "Type": "String", + "AllowedPattern": "[\\$\\./a-zA-Z0-9]*" + }, + "Hostname": { + "Description": "(optional) The hostname", + "AllowedPattern": "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$", + "ConstraintDescription": "A valid hostname label or an empty string", + "Type": "String" + }, + "AllocatePublicAddress": { + "Description": "Allocate an Elastic IP address for the management server", + "Default": "true", + "Type": "String", + "AllowedValues": [ + "true", + "false" + ] + }, + "SICKey": { + "Description": "Mandatory only if deploying a secondary Management Server, the Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters", + "NoEcho": "true", + "Default": "", + "Type": "String", + "AllowedPattern": "(|[a-zA-Z0-9]{8,})", + "ConstraintDescription": "Can be empty if this is a primary management server. 
Otherwise, at least 8 alpha numeric characters" + }, + "Shell": { + "Description": "The user admin shell", + "Type": "String", + "Default": "/etc/cli.sh", + "AllowedValues": [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh" + ] + }, + "Primary": { + "Description": "Determines if this is the primary management server or not", + "Type": "String", + "Default": "true", + "AllowedValues": [ + "true", + "false" + ] + }, + "NTPPrimary": { + "Description": "(optional) Primary NTP server", + "Type": "String", + "Default": "169.254.169.123", + "AllowedPattern": "[\\.a-zA-Z0-9\\-]*" + }, + "NTPSecondary": { + "Description": "(optional) Secondary NTP server", + "Type": "String", + "Default": "0.pool.ntp.org", + "AllowedPattern": "[\\.a-zA-Z0-9\\-]*" + }, + "VolumeSize": { + "Description": "(optional) Size of the root volume", + "Type": "Number", + "MinValue": "50", + "Default": "50" + }, + "AllowUploadDownload": { + "Description": "Improve product experience by sending data to Check Point. 
Automatically download Blade Contracts and other important data", + "Type": "String", + "Default": "true", + "AllowedValues": [ + "true", + "false" + ] + } + }, + "Conditions": { + "HostnameGiven": { + "Fn::Not": [ + { + "Fn::Equals": [ + { + "Ref": "Hostname" + }, + "" + ] + } + ] + }, + "AllocatePublicAddress": { + "Fn::Equals": [ + { + "Ref": "AllocatePublicAddress" + }, + "true" + ] + } + }, + "Resources": { + "AMI": { + "Type": "AWS::CloudFormation::Stack", + "Properties": { + "TemplateURL": "https://s3.amazonaws.com/CloudFormationTemplate/amis.json", + "Parameters": { + "Version": "BYOL" + } + } + }, + "ReadyHandle": { + "Type": "AWS::CloudFormation::WaitConditionHandle", + "Condition": "AllocatePublicAddress", + "Properties": {} + }, + "ReadyCondition": { + "Type": "AWS::CloudFormation::WaitCondition", + "Condition": "AllocatePublicAddress", + "DependsOn": [ + "Instance" + ], + "Properties": { + "Handle": { + "Ref": "ReadyHandle" + }, + "Timeout": "3600" + } + }, + "InstanceSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Management security group", + "VpcId": { + "Ref": "VPC" + }, + "SecurityGroupIngress": [ + { + "CidrIp": { + "Ref": "GatewaysAddresses" + }, + "IpProtocol": "tcp", + "FromPort": 257, + "ToPort": 257 + }, + { + "CidrIp": { + "Ref": "GatewaysAddresses" + }, + "IpProtocol": "tcp", + "FromPort": 18191, + "ToPort": 18191 + }, + { + "CidrIp": { + "Ref": "GatewaysAddresses" + }, + "IpProtocol": "tcp", + "FromPort": 18210, + "ToPort": 18210 + }, + { + "CidrIp": { + "Ref": "GatewaysAddresses" + }, + "IpProtocol": "tcp", + "FromPort": 18264, + "ToPort": 18264 + }, + { + "CidrIp": { + "Ref": "AdminSubnet" + }, + "IpProtocol": "tcp", + "FromPort": 22, + "ToPort": 22 + }, + { + "CidrIp": { + "Ref": "AdminSubnet" + }, + "IpProtocol": "tcp", + "FromPort": 443, + "ToPort": 443 + }, + { + "CidrIp": { + "Ref": "AdminSubnet" + }, + "IpProtocol": "tcp", + "FromPort": 18190, + "ToPort": 18190 + } + ] + } + }, + 
"Instance": { + "Type": "AWS::EC2::Instance", + "Properties": { + "Tags": [ + { + "Fn::If": [ + "HostnameGiven", + { + "Key": "Name", + "Value": { + "Ref": "Hostname" + } + }, + { + "Ref": "AWS::NoValue" + } + ] + } + ], + "ImageId": { + "Fn::GetAtt": [ + "AMI", + "Outputs.ImageId" + ] + }, + "InstanceType": { + "Ref": "InstanceType" + }, + "KeyName": { + "Ref": "KeyName" + }, + "NetworkInterfaces": [ + { + "DeviceIndex": "0", + "AssociatePublicIpAddress": "false", + "Description": "eth0", + "GroupSet": [ + { + "Ref": "InstanceSecurityGroup" + } + ], + "DeleteOnTermination": "true", + "SubnetId": { + "Ref": "Subnet" + } + } + ], + "BlockDeviceMappings": [ + { + "DeviceName": "/dev/xvda", + "Ebs": { + "VolumeType": "gp2", + "VolumeSize": { + "Ref": "VolumeSize" + } + } + } + ], + "UserData": { + "Fn::Base64": { + "Fn::Join": [ + "\n", + [ + "#!/bin/bash", + "echo template_name: r7730-management >> /etc/cloud-version", + "echo template_version: 20180821 >> /etc/cloud-version", + { + "Fn::Join": [ + "", + [ + "primary='", + { + "Ref": "Primary" + }, + "'" + ] + ] + }, + "secondary=false", + "$primary || secondary=true", + { + "Fn::Join": [ + "", + [ + "sic=$(echo '", + { + "Fn::Base64": { + "Ref": "SICKey" + } + }, + "' | base64 --decode)" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "hname='", + { + "Ref": "Hostname" + }, + "'" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "wait_handle='", + { + "Fn::If": [ + "AllocatePublicAddress", + { + "Ref": "ReadyHandle" + }, + { + "Ref": "AWS::NoValue" + } + ] + }, + "'" + ] + ] + }, + "instance_id=\"$(curl_cli -s -S 169.254.169.254/latest/meta-data/instance-id)\"", + { + "Fn::Join": [ + "", + [ + "pwd_hash='", + { + "Ref": "PasswordHash" + }, + "'" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "ntp1='", + { + "Ref": "NTPPrimary" + }, + "'" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "ntp2='", + { + "Ref": "NTPSecondary" + }, + "'" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "shell='", + { + "Ref": "Shell" + }, + "'" + ] + ] + 
}, + { + "Fn::Join": [ + "", + [ + "allow_upload_download='", + { + "Ref": "AllowUploadDownload" + }, + "'" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "admin_subnet='", + { + "Ref": "AdminSubnet" + }, + "'" + ] + ] + }, + "printf 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 | base64 -d | gunzip -c | cpopenssl x509 -inform DER >$CPDIR/tmp/wait-handle.crt", + "cat $CPDIR/conf/ca-bundle.crt >>$CPDIR/tmp/wait-handle.crt", + "if $primary; then", + " sic=notused", + "elif test -z \"$sic\"; then", + " curl_cli -s -S --cacert $CPDIR/tmp/wait-handle.crt -X PUT -H 'Content-Type:' --data-binary '{\"Status\" : \"FAILURE\", \"Reason\" : \"SIC key must be provided if installing a non primary management server\", \"UniqueId\" : \"'$instance_id'\", \"Data\" : \"None\"}' \"$wait_handle\"", + " exit 1", + "fi", + "test -z \"$pwd_hash\" || {", + " echo \"set admin password\"", + " clish -c \"set user admin password-hash $pwd_hash\" -s", + "}", + "test -z \"$hname\" || {", + " echo \"set hostname\"", + " clish -c \"set hostname $hname\" -s", + "}", + "test -z \"$ntp1\" || {", + " echo \"set primary NTP server\"", + " clish -c \"set ntp server primary $ntp1 version 4\" -s", + " test -z \"$ntp2\" || {", + " echo \"set secondary NTP server\"", + " clish -c \"set ntp server secondary $ntp2 version 4\" -s", + " }", + " clish -c \"set ntp active on\" -s", + "}", + "pass=\"$(dd if=/dev/urandom count=1 2>/dev/null | sha1sum | cut -c -28)\"", + "admin_subnet_ip=\"$(echo $admin_subnet | cut -d '/' -f 1)\"", + "admin_subnet_bits=\"$(echo $admin_subnet | cut -d '/' -f 2)\"", + "echo \"set admin shell\"", + "clish -c \"set user admin shell $shell\" -s", + "conf=\"install_security_gw=false\"", + "conf=\"${conf}&install_security_managment=true\"", + "conf=\"${conf}&install_mgmt_primary=$primary\"", + "conf=\"${conf}&install_mgmt_secondary=$secondary\"", + "conf=\"${conf}&mgmt_admin_name=admin\"", + "conf=\"${conf}&mgmt_admin_passwd=$pass\"", + 
"conf=\"${conf}&mgmt_gui_clients_radio=network\"", + "conf=\"${conf}&mgmt_gui_clients_ip_field=${admin_subnet_ip}\"", + "conf=\"${conf}&mgmt_gui_clients_subnet_field=${admin_subnet_bits}\"", + "conf=\"${conf}&ftw_sic_key=$sic\"", + "conf=\"${conf}&download_info=$allow_upload_download\"", + "conf=\"${conf}&upload_info=$allow_upload_download\"", + "config_system -s \"$conf\"", + "rc=$?", + "if test -n \"$wait_handle\"; then", + " if test $rc -ne 0; then", + " curl_cli -s -S --cacert $CPDIR/tmp/wait-handle.crt -X PUT -H 'Content-Type:' --data-binary '{\"Status\" : \"FAILURE\", \"Reason\" : \"First time wizard failed\", \"UniqueId\" : \"'$instance_id'\", \"Data\" : \"None\"}' \"$wait_handle\"", + " else", + " curl_cli -s -S --cacert $CPDIR/tmp/wait-handle.crt -X PUT -H 'Content-Type:' --data-binary '{\"Status\" : \"SUCCESS\", \"Reason\" : \"Instance Configuration Complete\", \"UniqueId\" : \"'$instance_id'\", \"Data\" : \"Configuration completed.\"}' \"$wait_handle\"", + " fi", + "fi", + "" + ] + ] + } + } + } + }, + "PublicAddress": { + "Type": "AWS::EC2::EIP", + "Condition": "AllocatePublicAddress", + "Properties": { + "Domain": "vpc" + } + }, + "AddressAssoc": { + "Type": "AWS::EC2::EIPAssociation", + "Condition": "AllocatePublicAddress", + "Properties": { + "InstanceId": { + "Ref": "Instance" + }, + "AllocationId": { + "Fn::GetAtt": [ + "PublicAddress", + "AllocationId" + ] + } + } + } + }, + "Outputs": { + "PublicAddress": { + "Condition": "AllocatePublicAddress", + "Description": "The public address of the management server", + "Value": { + "Ref": "PublicAddress" + } + }, + "SSH": { + "Condition": "AllocatePublicAddress", + "Description": "SSH command", + "Value": { + "Fn::Join": [ + "", + [ + "ssh admin@", + { + "Ref": "PublicAddress" + } + ] + ] + } + }, + "URL": { + "Condition": "AllocatePublicAddress", + "Description": "URL to the portal", + "Value": { + "Fn::Join": [ + "", + [ + "https://", + { + "Ref": "PublicAddress" + } + ] + ] + } + } + } +} 
diff --git a/deprecated/aws/templates/management-r80/README.md b/deprecated/aws/templates/management-r80/README.md new file mode 100644 index 00000000..b3203063 --- /dev/null +++ b/deprecated/aws/templates/management-r80/README.md @@ -0,0 +1,21 @@ +# R80 Security Management Server + + + + + + + + + + + + + + + +
DescriptionNotesDirect Launch
+ Deploys an R80 Security Management Server / Multi-Domain Security Management Server. This template will run the First Time Configuration Wizard automatically and configure the machine as a Security Management Server. + The AWS marketplace listing for R80 is available only for customers that are already subscribed. New customers should use R80.10 listing.
+
+
diff --git a/deprecated/aws/templates/management-r80/r80.json b/deprecated/aws/templates/management-r80/r80.json
new file mode 100755
index 00000000..b6a64d51
--- /dev/null
+++ b/deprecated/aws/templates/management-r80/r80.json
@@ -0,0 +1,725 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Deploys a Check Point R80 management server (20180821)", + "Metadata": { + "AWS::CloudFormation::Interface": { + "ParameterGroups": [ + { + "Label": { + "default": "Network Configuration" + }, + "Parameters": [ + "VPC", + "Subnet" + ] + }, + { + "Label": { + "default": "Check Point management Settings" + }, + "Parameters": [ + "InstanceType", + "KeyName", + "AdminSubnet", + "GatewaysAddresses", + "PasswordHash" + ] + }, + { + "Label": { + "default": "Advanced" + }, + "Parameters": [ + "Primary", + "SICKey", + "Shell", + "Hostname", + "AllocatePublicAddress", + "VolumeSize", + "AllowUploadDownload", + "NTPPrimary", + "NTPSecondary" + ] + } + ], + "ParameterLabels": { + "VPC": { + "default": "VPC" + }, + "Subnet": { + "default": "Subnet" + }, + "InstanceType": { + "default": "Instance type" + }, + "KeyName": { + "default": "Key name" + }, + "AdminSubnet": { + "default": "Administrator Addresses" + }, + "GatewaysAddresses": { + "default": "Gateways Addresses" + }, + "Hostname": { + "default": "Hostname" + }, + "AllocatePublicAddress": { + "default": "Allocate an EIP" + }, + "SICKey": { + "default": "SIC key" + }, + "Shell": { + "default": "Admin shell" + }, + "PasswordHash": { + "default": "Password hash" + }, + "Primary": { + "default": "Primary management" + }, + "VolumeSize": { + "default": "Volume size" + }, + "AllowUploadDownload": { + "default": "Allow upload and download" + }, + "NTPPrimary": { + "default": "Primary NTP" + }, + "NTPSecondary": { + "default": "Secondary NTP" + } + } + } + }, + "Parameters": { + "VPC": { + "Description": "Select an existing VPC", + "Type": "AWS::EC2::VPC::Id", + "MinLength": "1" + }, + "Subnet": { + "Description": "Select a subnet in the VPC", + "Type": "AWS::EC2::Subnet::Id", + "MinLength": "1" + }, + "InstanceType": { + "Description": "EC2 instance type", + "Type": "String", + "Default": "m4.xlarge", + "AllowedValues": [ + "m4.large", + 
"m4.xlarge", + "m4.2xlarge", + "m4.4xlarge", + "m4.10xlarge", + "m3.large", + "m3.xlarge", + "m3.2xlarge" + ], + "ConstraintDescription": "must be a valid EC2 instance type." + }, + "KeyName": { + "Description": "The EC2 Key Pair to allow SSH access to the instance", + "Type": "AWS::EC2::KeyPair::KeyName", + "ConstraintDescription": "must be the name of an existing EC2 KeyPair." + }, + "AdminSubnet": { + "Description": "Addresses of allowed SmartConsole, WebUI and SSH clients in CIDR notation", + "Type": "String", + "AllowedPattern": "^([0-9]{1,3}\\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$" + }, + "GatewaysAddresses": { + "Description": "Addresses of Check Point gateways in CIDR notation", + "Type": "String", + "Default": "0.0.0.0/0", + "AllowedPattern": "^([0-9]{1,3}\\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$" + }, + "PasswordHash": { + "Description": "The admin user password hash (hint, use \"openssl passwd -1\")", + "MinLength": "1", + "Type": "String", + "AllowedPattern": "[\\$\\./a-zA-Z0-9]*" + }, + "Hostname": { + "Description": "(optional) The hostname", + "AllowedPattern": "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$", + "ConstraintDescription": "A valid hostname label or an empty string", + "Type": "String" + }, + "AllocatePublicAddress": { + "Description": "Allocate an Elastic IP address for the management server. Note: make sure the subnet has a route to the internet", + "Default": "true", + "Type": "String", + "AllowedValues": [ + "true", + "false" + ] + }, + "SICKey": { + "Description": "Mandatory only if deploying a secondary Management Server, the Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters", + "NoEcho": "true", + "Default": "", + "Type": "String", + "AllowedPattern": "(|[a-zA-Z0-9]{8,})", + "ConstraintDescription": "Can be empty if this is a primary management server. 
Otherwise, at least 8 alpha numeric characters" + }, + "Shell": { + "Description": "The user admin shell", + "Type": "String", + "Default": "/etc/cli.sh", + "AllowedValues": [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh" + ] + }, + "Primary": { + "Description": "Determines if this is the primary management server or not", + "Type": "String", + "Default": "true", + "AllowedValues": [ + "true", + "false" + ] + }, + "NTPPrimary": { + "Description": "(optional) Primary NTP server", + "Type": "String", + "Default": "0.pool.ntp.org", + "AllowedPattern": "[\\.a-zA-Z0-9\\-]*" + }, + "NTPSecondary": { + "Description": "(optional) Secondary NTP server", + "Type": "String", + "Default": "1.pool.ntp.org", + "AllowedPattern": "[\\.a-zA-Z0-9\\-]*" + }, + "VolumeSize": { + "Description": "(optional) Size of the root volume", + "Type": "Number", + "MinValue": "100", + "Default": "100" + }, + "AllowUploadDownload": { + "Description": "Automatically download Blade Contracts and other important data from Check Point and improve product by sending data", + "Type": "String", + "Default": "true", + "AllowedValues": [ + "true", + "false" + ] + } + }, + "Conditions": { + "HostnameGiven": { + "Fn::Not": [ + { + "Fn::Equals": [ + { + "Ref": "Hostname" + }, + "" + ] + } + ] + }, + "AllocatePublicAddress": { + "Fn::Equals": [ + { + "Ref": "AllocatePublicAddress" + }, + "true" + ] + } + }, + "Resources": { + "AMI": { + "Type": "AWS::CloudFormation::Stack", + "Properties": { + "TemplateURL": "https://s3.amazonaws.com/CloudFormationTemplate/amis.json", + "Parameters": { + "Version": "R80" + } + } + }, + "ReadyHandle": { + "Type": "AWS::CloudFormation::WaitConditionHandle", + "Condition": "AllocatePublicAddress", + "Properties": {} + }, + "ReadyCondition": { + "Type": "AWS::CloudFormation::WaitCondition", + "Condition": "AllocatePublicAddress", + "DependsOn": [ + "Instance" + ], + "Properties": { + "Handle": { + "Ref": "ReadyHandle" + }, + "Timeout": "3600" + } + }, + 
"InstanceSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Management security group", + "VpcId": { + "Ref": "VPC" + }, + "SecurityGroupIngress": [ + { + "CidrIp": { + "Ref": "GatewaysAddresses" + }, + "IpProtocol": "tcp", + "FromPort": 257, + "ToPort": 257 + }, + { + "CidrIp": { + "Ref": "GatewaysAddresses" + }, + "IpProtocol": "tcp", + "FromPort": 18191, + "ToPort": 18191 + }, + { + "CidrIp": { + "Ref": "GatewaysAddresses" + }, + "IpProtocol": "tcp", + "FromPort": 18210, + "ToPort": 18210 + }, + { + "CidrIp": { + "Ref": "GatewaysAddresses" + }, + "IpProtocol": "tcp", + "FromPort": 18264, + "ToPort": 18264 + }, + { + "CidrIp": { + "Ref": "AdminSubnet" + }, + "IpProtocol": "tcp", + "FromPort": 22, + "ToPort": 22 + }, + { + "CidrIp": { + "Ref": "AdminSubnet" + }, + "IpProtocol": "tcp", + "FromPort": 443, + "ToPort": 443 + }, + { + "CidrIp": { + "Ref": "AdminSubnet" + }, + "IpProtocol": "tcp", + "FromPort": 18190, + "ToPort": 18190 + }, + { + "CidrIp": { + "Ref": "AdminSubnet" + }, + "IpProtocol": "tcp", + "FromPort": 19009, + "ToPort": 19009 + } + ] + } + }, + "CheckPointManagementRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": [ + "ec2.amazonaws.com" + ] + }, + "Action": [ + "sts:AssumeRole" + ] + } + ] + }, + "Path": "/", + "Policies": [ + { + "PolicyName": "CheckPointManagement", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "ec2:DescribeInstances", + "ec2:DescribeNetworkInterfaces", + "ec2:DescribeSubnets", + "ec2:DescribeVpcs", + "ec2:DescribeSecurityGroups", + "elasticloadbalancing:DescribeLoadBalancers", + "elasticloadbalancing:DescribeTags", + "elasticloadbalancing:DescribeListeners", + "elasticloadbalancing:DescribeTargetGroups", + "elasticloadbalancing:DescribeRules", + "elasticloadbalancing:DescribeTargetHealth", + 
"autoscaling:DescribeAutoScalingGroups" + ], + "Resource": "*" + } + ] + } + } + ] + } + }, + "InstanceProfile": { + "Type": "AWS::IAM::InstanceProfile", + "Properties": { + "Path": "/", + "Roles": [ + { + "Ref": "CheckPointManagementRole" + } + ] + } + }, + "Instance": { + "Type": "AWS::EC2::Instance", + "Properties": { + "Tags": [ + { + "Fn::If": [ + "HostnameGiven", + { + "Key": "Name", + "Value": { + "Ref": "Hostname" + } + }, + { + "Ref": "AWS::NoValue" + } + ] + } + ], + "ImageId": { + "Fn::GetAtt": [ + "AMI", + "Outputs.ImageId" + ] + }, + "InstanceType": { + "Ref": "InstanceType" + }, + "IamInstanceProfile": { + "Ref": "InstanceProfile" + }, + "KeyName": { + "Ref": "KeyName" + }, + "NetworkInterfaces": [ + { + "DeviceIndex": "0", + "AssociatePublicIpAddress": "false", + "Description": "eth0", + "GroupSet": [ + { + "Ref": "InstanceSecurityGroup" + } + ], + "DeleteOnTermination": "true", + "SubnetId": { + "Ref": "Subnet" + } + } + ], + "BlockDeviceMappings": [ + { + "DeviceName": "/dev/xvda", + "Ebs": { + "VolumeType": "gp2", + "VolumeSize": { + "Ref": "VolumeSize" + } + } + } + ], + "UserData": { + "Fn::Base64": { + "Fn::Join": [ + "\n", + [ + "#!/bin/bash", + "echo template_name: r80 >> /etc/cloud-version", + "echo template_version: 20180821 >> /etc/cloud-version", + { + "Fn::Join": [ + "", + [ + "primary='", + { + "Ref": "Primary" + }, + "'" + ] + ] + }, + "secondary=false", + "$primary || secondary=true", + { + "Fn::Join": [ + "", + [ + "sic=$(echo '", + { + "Fn::Base64": { + "Ref": "SICKey" + } + }, + "' | base64 --decode)" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "hname='", + { + "Ref": "Hostname" + }, + "'" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "wait_handle='", + { + "Fn::If": [ + "AllocatePublicAddress", + { + "Ref": "ReadyHandle" + }, + { + "Ref": "AWS::NoValue" + } + ] + }, + "'" + ] + ] + }, + "instance_id=\"$(curl_cli -s -S 169.254.169.254/latest/meta-data/instance-id)\"", + { + "Fn::Join": [ + "", + [ + "pwd_hash='", + { + "Ref": 
"PasswordHash" + }, + "'" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "allow_upload_download='", + { + "Ref": "AllowUploadDownload" + }, + "'" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "ntp1='", + { + "Ref": "NTPPrimary" + }, + "'" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "ntp2='", + { + "Ref": "NTPSecondary" + }, + "'" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "shell='", + { + "Ref": "Shell" + }, + "'" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "admin_subnet='", + { + "Ref": "AdminSubnet" + }, + "'" + ] + ] + }, + "printf 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 | base64 -d | gunzip -c | cpopenssl x509 -inform DER >$CPDIR/tmp/wait-handle.crt", + "cat $CPDIR/conf/ca-bundle.crt >>$CPDIR/tmp/wait-handle.crt", + "if $primary; then", + " sic=notused", + "elif test -z \"$sic\"; then", + " curl_cli -s -S --cacert $CPDIR/tmp/wait-handle.crt -X PUT -H 'Content-Type:' --data-binary '{\"Status\" : \"FAILURE\", \"Reason\" : \"SIC key must be provided if installing a non primary management server\", \"UniqueId\" : \"'$instance_id'\", \"Data\" : \"None\"}' \"$wait_handle\"", + " exit 1", + "fi", + "test -z \"$pwd_hash\" || {", + " echo \"set admin password\"", + " clish -c \"set user admin password-hash $pwd_hash\" -s", + "}", + "test -z \"$hname\" || {", + " echo \"set hostname\"", + " clish -c \"set hostname $hname\" -s", + "}", + "test -z \"$ntp1\" || {", + " echo \"set primary NTP server\"", + " clish -c \"set ntp server primary $ntp1 version 4\" -s", + " test -z \"$ntp2\" || {", + " echo \"set secondary NTP server\"", + " clish -c \"set ntp server secondary $ntp2 version 4\" -s", + " }", + " clish -c \"set ntp active on\" -s", + "}", + "admin_subnet_ip=\"$(echo $admin_subnet | cut -d '/' -f 1)\"", + "admin_subnet_bits=\"$(echo $admin_subnet | cut -d '/' -f 2)\"", + "echo \"set admin shell\"", + "clish -c \"set user admin shell $shell\" -s", + "conf=\"install_security_gw=false\"", + "conf=\"${conf}&install_security_managment=true\"", + 
"conf=\"${conf}&install_mgmt_primary=$primary\"", + "conf=\"${conf}&install_mgmt_secondary=$secondary\"", + "conf=\"${conf}&mgmt_admin_radio=gaia_admin\"", + "conf=\"${conf}&mgmt_gui_clients_radio=network\"", + "conf=\"${conf}&mgmt_gui_clients_ip_field=${admin_subnet_ip}\"", + "conf=\"${conf}&mgmt_gui_clients_subnet_field=${admin_subnet_bits}\"", + "conf=\"${conf}&ftw_sic_key=$sic\"", + "conf=\"${conf}&download_info=$allow_upload_download\"", + "conf=\"${conf}&upload_info=$allow_upload_download\"", + "config_system -s \"$conf\"", + "rc=$?", + "if test -n \"$wait_handle\"; then", + " if test $rc -ne 0; then", + " curl_cli -s -S --cacert $CPDIR/tmp/wait-handle.crt -X PUT -H 'Content-Type:' --data-binary '{\"Status\" : \"FAILURE\", \"Reason\" : \"First time wizard failed\", \"UniqueId\" : \"'$instance_id'\", \"Data\" : \"None\"}' \"$wait_handle\"", + " else", + " curl_cli -s -S --cacert $CPDIR/tmp/wait-handle.crt -X PUT -H 'Content-Type:' --data-binary '{\"Status\" : \"SUCCESS\", \"Reason\" : \"Instance Configuration Complete\", \"UniqueId\" : \"'$instance_id'\", \"Data\" : \"Configuration completed.\"}' \"$wait_handle\"", + " fi", + "fi", + "chkconfig --add autoprovision", + "service autoprovision start", + "" + ] + ] + } + } + } + }, + "PublicAddress": { + "Type": "AWS::EC2::EIP", + "Condition": "AllocatePublicAddress", + "Properties": { + "Domain": "vpc" + } + }, + "AddressAssoc": { + "Type": "AWS::EC2::EIPAssociation", + "Condition": "AllocatePublicAddress", + "Properties": { + "InstanceId": { + "Ref": "Instance" + }, + "AllocationId": { + "Fn::GetAtt": [ + "PublicAddress", + "AllocationId" + ] + } + } + } + }, + "Outputs": { + "PublicAddress": { + "Condition": "AllocatePublicAddress", + "Description": "The public address of the management server", + "Value": { + "Ref": "PublicAddress" + } + }, + "SSH": { + "Condition": "AllocatePublicAddress", + "Description": "SSH command", + "Value": { + "Fn::Join": [ + "", + [ + "ssh admin@", + { + "Ref": "PublicAddress" + } + 
] + ] + } + }, + "URL": { + "Condition": "AllocatePublicAddress", + "Description": "URL to the portal", + "Value": { + "Fn::Join": [ + "", + [ + "https://", + { + "Ref": "PublicAddress" + } + ] + ] + } + } + } +} diff --git a/deprecated/aws/templates/management-r8030/README.md b/deprecated/aws/templates/management-r8030/README.md new file mode 100644 index 00000000..2d0dc89d --- /dev/null +++ b/deprecated/aws/templates/management-r8030/README.md @@ -0,0 +1,22 @@ + +## Security Management Server + + + + + + + + + + + + + + + +
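Review bot: `chkconfig --add autoprovision` and `service autoprovision start` run unconditionally at the end of the user-data script, after the `if test -n "$wait_handle"` block, so the autoprovision service is enabled even when `config_system` returned non-zero and the stack has already been signalled FAILURE. Guarding them with the return code the script already captures, `if test $rc -eq 0; then chkconfig --add autoprovision; service autoprovision start; fi`, keeps a half-configured instance from starting the service that provisions gateways. A one-line comment above those two lines stating that autoprovision is only meaningful once the First Time Wizard has succeeded would make the intent clear to the next maintainer.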
DescriptionNotesDirect Launch
+ Deploys and configures a Security Management Server.

For more details, refer to sk130372. +
Deploys a Security Management Server into an existing VPC.
+
+
\ No newline at end of file
diff --git a/deprecated/aws/templates/management-r8030/management.json b/deprecated/aws/templates/management-r8030/management.json
new file mode 100755
index 00000000..dd926219
--- /dev/null
+++ b/deprecated/aws/templates/management-r8030/management.json
@@ -0,0 +1,1323 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Deploys a Check Point Management Server (20211212)", + "Metadata": { + "AWS::CloudFormation::Interface": { + "ParameterGroups": [ + { + "Label": { + "default": "VPC Network Configuration" + }, + "Parameters": [ + "VPC", + "Subnet" + ] + }, + { + "Label": { + "default": "EC2 Instance Configuration" + }, + "Parameters": [ + "Name", + "InstanceType", + "KeyName", + "AllocatePublicAddress", + "VolumeSize", + "VolumeEncryption", + "EnableInstanceConnect" + ] + }, + { + "Label": { + "default": "IAM Permissions (ignored when the installation is not Primary Management Server)" + }, + "Parameters": [ + "Permissions", + "PredefinedRole", + "STSRoles" + ] + }, + { + "Label": { + "default": "Check Point Settings" + }, + "Parameters": [ + "Version", + "Shell", + "PasswordHash" + ] + }, + { + "Label": { + "default": "Security Management Server Settings" + }, + "Parameters": [ + "Hostname", + "Primary", + "SICKey", + "AllowUploadDownload", + "AdminSubnet", + "GatewayManagement", + "GatewaysAddresses", + "NTPPrimary", + "NTPSecondary", + "BootstrapScript" + ] + } + ], + "ParameterLabels": { + "VPC": { + "default": "VPC" + }, + "Subnet": { + "default": "Subnet" + }, + "Name": { + "default": "Name" + }, + "Version": { + "default": "Version & license" + }, + "InstanceType": { + "default": "Instance type" + }, + "KeyName": { + "default": "Key name" + }, + "AdminSubnet": { + "default": "Administrator addresses" + }, + "GatewaysAddresses": { + "default": "Gateways addresses" + }, + "Hostname": { + "default": "Hostname" + }, + "AllocatePublicAddress": { + "default": "Allocate an Elastic IP" + }, + "EnableInstanceConnect": { + "default": "Enable AWS Instance Connect" + }, + "SICKey": { + "default": "SIC key" + }, + "Shell": { + "default": "Admin shell" + }, + "PasswordHash": { + "default": "Password hash" + }, + "GatewayManagement": { + "default": "Gateways management" + }, + "Primary": { + "default": 
"Primary management" + }, + "VolumeSize": { + "default": "Root volume size (GB)" + }, + "VolumeEncryption": { + "default": "Volume encryption KMS key identifier" + }, + "AllowUploadDownload": { + "default": "Allow upload & download" + }, + "NTPPrimary": { + "default": "Primary NTP server" + }, + "NTPSecondary": { + "default": "Secondary NTP server" + }, + "STSRoles": { + "default": "STS roles" + }, + "PredefinedRole": { + "default": "Existing IAM role name" + }, + "Permissions": { + "default": "IAM role" + }, + "BootstrapScript": { + "default": "Bootstrap script" + } + } + } + }, + "Parameters": { + "VPC": { + "Description": "Select an existing VPC", + "Type": "AWS::EC2::VPC::Id", + "MinLength": "1" + }, + "Subnet": { + "Description": "To access the instance from the internet, make sure the subnet has a route to the internet", + "Type": "AWS::EC2::Subnet::Id", + "MinLength": "1" + }, + "Version": { + "Type": "String", + "Default": "R80.30-PAYG-MGMT", + "AllowedValues": [ + "R80.10-BYOL", + "R80.10-PAYG-MGMT", + "R80.20-BYOL", + "R80.20-PAYG-MGMT", + "R80.30-BYOL", + "R80.30-PAYG-MGMT", + "R80.40-BYOL", + "R80.40-PAYG-MGMT" + ] + }, + "InstanceType": { + "Description": "m4 and t2 instance types are supported only with version R80.10 and m5 are supported only with R80.20 and above", + "Type": "String", + "Default": "m5.xlarge", + "AllowedValues": [ + "m4.large", + "m4.xlarge", + "m4.2xlarge", + "m4.4xlarge", + "m4.10xlarge", + "m4.16xlarge", + "m5.large", + "m5.xlarge", + "m5.2xlarge", + "m5.4xlarge", + "m5.12xlarge", + "m5.24xlarge", + "t2.xlarge", + "t2.2xlarge" + ], + "ConstraintDescription": "must be a valid EC2 instance type." + }, + "Name": { + "Default": "Check-Point-Management", + "Type": "String" + }, + "KeyName": { + "Description": "The EC2 Key Pair to allow SSH access to the instance", + "Type": "AWS::EC2::KeyPair::KeyName", + "MinLength": "1", + "ConstraintDescription": "must be the name of an existing EC2 KeyPair." 
+ }, + "AdminSubnet": { + "Description": "Allow web, SSH, and graphical clients only from this network to communicate with the Management Server", + "Type": "String", + "Default": "0.0.0.0/0", + "AllowedPattern": "^([0-9]{1,3}\\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$" + }, + "GatewaysAddresses": { + "Description": "Allow gateways only from this network to communicate with the Management Server", + "Type": "String", + "Default": "0.0.0.0/0", + "AllowedPattern": "^([0-9]{1,3}\\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$" + }, + "PasswordHash": { + "Description": "Admin user's password hash (use command \"openssl passwd -1 PASSWORD\" to get the PASSWORD's hash) (optional)", + "Type": "String", + "Default": "", + "AllowedPattern": "[\\$\\./a-zA-Z0-9]*", + "NoEcho": "true" + }, + "GatewayManagement": { + "Description": "Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address", + "Type": "String", + "Default": "Locally managed", + "AllowedValues": [ + "Locally managed", + "Over the internet" + ] + }, + "Hostname": { + "Description": "(optional)", + "AllowedPattern": "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$", + "ConstraintDescription": "A valid hostname label or an empty string", + "Type": "String", + "Default": "mgmt-aws" + }, + "AllocatePublicAddress": { + "Default": "true", + "Type": "String", + "AllowedValues": [ + "true", + "false" + ] + }, + "EnableInstanceConnect": { + "Description": "Ec2 Instance Connect is not supported with versions prior to R80.40", + "Default": "false", + "Type": "String", + "AllowedValues": [ + "true", + "false" + ] + }, + "SICKey": { + "Description": "Mandatory only if deploying a secondary Management Server, the Secure Internal Communication key creates trusted connections between Check Point components. 
Choose a random string consisting of at least 8 alphanumeric characters", + "NoEcho": "true", + "Default": "", + "Type": "String", + "AllowedPattern": "(|[a-zA-Z0-9]{8,})", + "ConstraintDescription": "Can be empty if this is a primary management server. Otherwise, at least 8 alpha numeric characters" + }, + "Shell": { + "Description": "Change the admin shell to enable advanced command line configuration", + "Type": "String", + "Default": "/etc/cli.sh", + "AllowedValues": [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh" + ] + }, + "Primary": { + "Description": "Determines if this is the primary management server or not", + "Type": "String", + "Default": "true", + "AllowedValues": [ + "true", + "false" + ] + }, + "NTPPrimary": { + "Description": "(optional)", + "Type": "String", + "Default": "169.254.169.123", + "AllowedPattern": "[\\.a-zA-Z0-9\\-]*" + }, + "NTPSecondary": { + "Description": "(optional)", + "Type": "String", + "Default": "0.pool.ntp.org", + "AllowedPattern": "[\\.a-zA-Z0-9\\-]*" + }, + "VolumeSize": { + "Type": "Number", + "MinValue": "100", + "Default": "100" + }, + "VolumeEncryption": { + "Description": "KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). Will be ignored for versions lower than R80.30", + "Type": "String", + "Default": "alias/aws/ebs" + }, + "AllowUploadDownload": { + "Description": "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point", + "Type": "String", + "Default": "true", + "AllowedValues": [ + "true", + "false" + ] + }, + "Permissions": { + "Description": "IAM role to attach to the instance profile", + "Type": "String", + "Default": "Create with read permissions", + "AllowedValues": [ + "None (configure later)", + "Use existing (specify an existing IAM role name)", + "Create with assume role permissions (specify an STS role ARN)", + "Create with read permissions", + "Create with read-write permissions" + ] + }, + "STSRoles": { + "Description": "The IAM role will be able to assume these STS Roles (comma separated list of ARNs, without spaces). Ignored if IAM role is set to 'None' or 'Use existing'", + "Type": "CommaDelimitedList", + "Default": "" + }, + "PredefinedRole": { + "Description": "A predefined IAM role to attach to the instance profile. Ignored if IAM role is not set to 'Use existing'", + "Type": "String", + "Default": "" + }, + "BootstrapScript": { + "Description": "An optional script with comma separated commands to run on the initial boot", + "Type": "CommaDelimitedList", + "Default": "", + "NoEcho": "true" + } + }, + "Conditions": { + "EnableEncryptedVolume": { + "Fn::And": [ + { + "Fn::Not": [ + { + "Fn::Equals": [ + { + "Ref": "VolumeEncryption" + }, + "" + ] + } + ] + }, + { + "Fn::Or": [ + { + "Condition": "R80.30" + }, + { + "Condition": "R80.40" + } + ] + } + ] + }, + "AllocatePublicAddress": { + "Fn::Equals": [ + { + "Ref": "AllocatePublicAddress" + }, + "true" + ] + }, + "EnableInstanceConnect": { + "Fn::Equals": [ + { + "Ref": "EnableInstanceConnect" + }, + "true" + ] + }, + "ManageOverInternet": { + "Fn::Equals": [ + { + "Ref": "GatewayManagement" + }, + "Over the internet" + ] + }, + "ManageOverInternetAndAllocatePublicAddress": { + "Fn::And": [ + { + "Condition": "AllocatePublicAddress" + }, + { + "Condition": "ManageOverInternet" + } + ] + }, + "STSRoles": { + "Fn::Not": [ + { + "Fn::Equals": [ + { + 
"Fn::Join": [ + ",", + { + "Ref": "STSRoles" + } + ] + }, + "" + ] + } + ] + }, + "CreateRole": { + "Fn::Or": [ + { + "Fn::Equals": [ + { + "Ref": "Permissions" + }, + "Create with assume role permissions (specify an STS role ARN)" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "Permissions" + }, + "Create with read permissions" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "Permissions" + }, + "Create with read-write permissions" + ] + } + ] + }, + "UsePredefinedRole": { + "Fn::Equals": [ + { + "Ref": "Permissions" + }, + "Use existing (specify an existing IAM role name)" + ] + }, + "UseRole": { + "Fn::Not": [ + { + "Fn::Equals": [ + { + "Ref": "Permissions" + }, + "None (configure later)" + ] + } + ] + }, + "AnyAdminSubnet": { + "Fn::Equals": [ + { + "Ref": "AdminSubnet" + }, + "0.0.0.0/0" + ] + }, + "R80.10": { + "Fn::Equals": [ + { + "Fn::Select": [ + 0, + { + "Fn::Split": [ + "-", + { + "Ref": "Version" + } + ] + } + ] + }, + "R80.10" + ] + }, + "R80.20": { + "Fn::Equals": [ + { + "Fn::Select": [ + 0, + { + "Fn::Split": [ + "-", + { + "Ref": "Version" + } + ] + } + ] + }, + "R80.20" + ] + }, + "R80.30": { + "Fn::Equals": [ + { + "Fn::Select": [ + 0, + { + "Fn::Split": [ + "-", + { + "Ref": "Version" + } + ] + } + ] + }, + "R80.30" + ] + }, + "R80.40": { + "Fn::Equals": [ + { + "Fn::Select": [ + 0, + { + "Fn::Split": [ + "-", + { + "Ref": "Version" + } + ] + } + ] + }, + "R80.40" + ] + }, + "NoSIC": { + "Fn::Equals": [ + { + "Ref": "SICKey" + }, + "" + ] + }, + "Primary": { + "Fn::Equals": [ + { + "Ref": "Primary" + }, + "true" + ] + }, + "SecondaryAndNoSIC": { + "Fn::And": [ + { + "Fn::Not": [ + { + "Condition": "Primary" + } + ] + }, + { + "Condition": "NoSIC" + } + ] + }, + "m4t2InstanceType": { + "Fn::Or": [ + { + "Fn::Equals": [ + { + "Fn::Select": [ + 0, + { + "Fn::Split": [ + ".", + { + "Ref": "InstanceType" + } + ] + } + ] + }, + "m4" + ] + }, + { + "Fn::Equals": [ + { + "Fn::Select": [ + 0, + { + "Fn::Split": [ + ".", + { + "Ref": "InstanceType" + } + ] + } 
+ ] + }, + "t2" + ] + } + ] + }, + "m5InstanceType": { + "Fn::Equals": [ + { + "Fn::Select": [ + 0, + { + "Fn::Split": [ + ".", + { + "Ref": "InstanceType" + } + ] + } + ] + }, + "m5" + ] + }, + "R8020Andm4t2": { + "Fn::And": [ + { + "Condition": "R80.20" + }, + { + "Condition": "m4t2InstanceType" + } + ] + }, + "R8030Andm4t2": { + "Fn::And": [ + { + "Condition": "R80.30" + }, + { + "Condition": "m4t2InstanceType" + } + ] + }, + "R8040Andm4t2": { + "Fn::And": [ + { + "Condition": "R80.30" + }, + { + "Condition": "m4t2InstanceType" + } + ] + }, + "R8010Andm5": { + "Fn::And": [ + { + "Condition": "R80.10" + }, + { + "Condition": "m5InstanceType" + } + ] + }, + "AddMGMTVersionSuffix": { + "Fn::Or": [ + { + "Fn::Equals": [ + { + "Ref": "Version" + }, + "R80.20-BYOL" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "Version" + }, + "R80.30-BYOL" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "Version" + }, + "R80.40-BYOL" + ] + } + ] + } + }, + "Resources": { + "AMI": { + "Type": "AWS::CloudFormation::Stack", + "Properties": { + "TemplateURL": "https://cgi-cfts.s3.amazonaws.com/deprecated/utils/amis-deprecated.yaml", + "Parameters": { + "Version": { + "Fn::If": [ + "AddMGMTVersionSuffix", + { + "Fn::Join": [ + "-", + [ + { + "Ref": "Version" + }, + "MGMT" + ] + ] + }, + { + "Ref": "Version" + } + ] + } + } + } + }, + "ReadyHandle": { + "Type": "AWS::CloudFormation::WaitConditionHandle", + "Condition": "AllocatePublicAddress", + "Properties": {} + }, + "ReadyCondition": { + "Type": "AWS::CloudFormation::WaitCondition", + "Condition": "AllocatePublicAddress", + "DependsOn": [ + "Instance" + ], + "Properties": { + "Handle": { + "Ref": "ReadyHandle" + }, + "Timeout": "3600" + } + }, + "InstanceSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Management security group", + "VpcId": { + "Ref": "VPC" + }, + "SecurityGroupIngress": [ + { + "CidrIp": { + "Ref": "GatewaysAddresses" + }, + "IpProtocol": "tcp", + "FromPort": 257, + "ToPort": 
257 + }, + { + "CidrIp": { + "Ref": "GatewaysAddresses" + }, + "IpProtocol": "tcp", + "FromPort": 8211, + "ToPort": 8211 + }, + { + "CidrIp": { + "Ref": "GatewaysAddresses" + }, + "IpProtocol": "tcp", + "FromPort": 18191, + "ToPort": 18191 + }, + { + "CidrIp": { + "Ref": "GatewaysAddresses" + }, + "IpProtocol": "tcp", + "FromPort": 18192, + "ToPort": 18192 + }, + { + "CidrIp": { + "Ref": "GatewaysAddresses" + }, + "IpProtocol": "tcp", + "FromPort": 18210, + "ToPort": 18210 + }, + { + "CidrIp": { + "Ref": "GatewaysAddresses" + }, + "IpProtocol": "tcp", + "FromPort": 18211, + "ToPort": 18211 + }, + { + "CidrIp": { + "Ref": "GatewaysAddresses" + }, + "IpProtocol": "tcp", + "FromPort": 18221, + "ToPort": 18221 + }, + { + "CidrIp": { + "Ref": "GatewaysAddresses" + }, + "IpProtocol": "tcp", + "FromPort": 18264, + "ToPort": 18264 + }, + { + "CidrIp": { + "Ref": "AdminSubnet" + }, + "IpProtocol": "tcp", + "FromPort": 22, + "ToPort": 22 + }, + { + "CidrIp": { + "Ref": "AdminSubnet" + }, + "IpProtocol": "tcp", + "FromPort": 443, + "ToPort": 443 + }, + { + "CidrIp": { + "Ref": "AdminSubnet" + }, + "IpProtocol": "tcp", + "FromPort": 18190, + "ToPort": 18190 + }, + { + "CidrIp": { + "Ref": "AdminSubnet" + }, + "IpProtocol": "tcp", + "FromPort": 19009, + "ToPort": 19009 + } + ] + } + }, + "CheckPointManagementRoleStack": { + "Type": "AWS::CloudFormation::Stack", + "Condition": "CreateRole", + "Properties": { + "TemplateURL": "https://cgi-cfts.s3.amazonaws.com/iam/cme-iam-role.yaml", + "Parameters": { + "Permissions": { + "Ref": "Permissions" + }, + "STSRoles": { + "Fn::Join": [ + ",", + { + "Ref": "STSRoles" + } + ] + } + } + } + }, + "InstanceProfile": { + "Type": "AWS::IAM::InstanceProfile", + "Condition": "UseRole", + "Properties": { + "Path": "/", + "Roles": [ + { + "Fn::If": [ + "CreateRole", + { + "Fn::GetAtt": [ + "CheckPointManagementRoleStack", + "Outputs.CMEIAMRole" + ] + }, + { + "Ref": "PredefinedRole" + } + ] + } + ] + } + }, + "Instance": { + "Type": 
"AWS::EC2::Instance", + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": { + "Ref": "Name" + } + } + ], + "ImageId": { + "Fn::GetAtt": [ + "AMI", + "Outputs.ImageId" + ] + }, + "InstanceType": { + "Ref": "InstanceType" + }, + "IamInstanceProfile": { + "Fn::If": [ + "UseRole", + { + "Ref": "InstanceProfile" + }, + { + "Ref": "AWS::NoValue" + } + ] + }, + "KeyName": { + "Ref": "KeyName" + }, + "NetworkInterfaces": [ + { + "DeviceIndex": "0", + "AssociatePublicIpAddress": "false", + "Description": "eth0", + "GroupSet": [ + { + "Ref": "InstanceSecurityGroup" + } + ], + "DeleteOnTermination": "true", + "SubnetId": { + "Ref": "Subnet" + } + } + ], + "BlockDeviceMappings": [ + { + "DeviceName": "/dev/xvda", + "Ebs": { + "Encrypted": { + "Fn::If": [ + "EnableEncryptedVolume", + "true", + "false" + ] + }, + "KmsKeyId": { + "Fn::If": [ + "EnableEncryptedVolume", + { + "Ref": "VolumeEncryption" + }, + { + "Ref": "AWS::NoValue" + } + ] + }, + "VolumeType": "gp2", + "VolumeSize": { + "Ref": "VolumeSize" + } + } + } + ], + "UserData": { + "Fn::Base64": { + "Fn::Join": [ + "\n", + [ + "#!/bin/bash", + "logfile=/var/log/aws-user-data.log", + "> ${logfile}", + "exec 1>>${logfile} 2>>${logfile}", + "echo template_name: management >> /etc/cloud-version", + "echo template_version: 20211212 >> /etc/cloud-version", + { + "Fn::If": [ + "Primary", + { + "Fn::Join": [ + "\n", + [ + "primary=true", + "secondary=false", + "sic=notused" + ] + ] + }, + { + "Fn::Join": [ + "\n", + [ + "primary=false", + "secondary=true", + { + "Fn::Join": [ + "", + [ + "sic=$(echo '", + { + "Fn::Base64": { + "Ref": "SICKey" + } + }, + "' | base64 --decode)" + ] + ] + } + ] + ] + } + ] + }, + { + "Fn::Join": [ + "", + [ + "enable_eic='", + { + "Fn::If": [ + "EnableInstanceConnect", + { + "Ref": "EnableInstanceConnect" + }, + { + "Ref": "AWS::NoValue" + } + ] + }, + "'" + ] + ] + }, + { + "Fn::Sub": "hname='${Hostname}'" + }, + { + "Fn::Sub": "pwd_hash='${PasswordHash}'" + }, + { + "Fn::Sub": 
"allow_upload_download='${AllowUploadDownload}'" + }, + { + "Fn::Sub": "ntp1='${NTPPrimary}'" + }, + { + "Fn::Sub": "ntp2='${NTPSecondary}'" + }, + { + "Fn::Sub": "shell='${Shell}'" + }, + { + "Fn::Sub": "admin_subnet='${AdminSubnet}'" + }, + "test -z \"$hname\" || {", + " echo \"set hostname\"", + " clish -c \"set hostname $hname\" -s", + "}", + "test -z \"$ntp1\" || {", + " echo \"set primary NTP server\"", + " clish -c \"set ntp server primary $ntp1 version 4\" -s", + " test -z \"$ntp2\" || {", + " echo \"set secondary NTP server\"", + " clish -c \"set ntp server secondary $ntp2 version 4\" -s", + " }", + " clish -c \"set ntp active on\" -s", + "}", + "test -z \"$pwd_hash\" || {", + " echo \"set admin password\"", + " clish -c \"set user admin password-hash $pwd_hash\" -s", + "}", + "echo \"set admin shell\"", + "clish -c \"set user admin shell $shell\" -s", + "conf=\"install_security_gw=false\"", + { + "Fn::If": [ + "AnyAdminSubnet", + "conf=\"${conf}&mgmt_gui_clients_radio=any\"", + { + "Fn::Join": [ + "\n", + [ + "admin_subnet_ip=\"$(echo $admin_subnet | cut -d / -f 1)\"", + "admin_subnet_bits=\"$(echo $admin_subnet | cut -d / -f 2)\"", + "conf=\"${conf}&mgmt_gui_clients_radio=network\"", + "conf=\"${conf}&mgmt_gui_clients_ip_field=${admin_subnet_ip}\"", + "conf=\"${conf}&mgmt_gui_clients_subnet_field=${admin_subnet_bits}\"" + ] + ] + } + ] + }, + "conf=\"${conf}&install_security_managment=true\"", + "conf=\"${conf}&install_mgmt_primary=$primary\"", + "conf=\"${conf}&install_mgmt_secondary=$secondary\"", + "conf=\"${conf}&mgmt_admin_radio=gaia_admin\"", + "conf=\"${conf}&ftw_sic_key=$sic\"", + "conf=\"${conf}&download_info=$allow_upload_download\"", + "conf=\"${conf}&upload_info=$allow_upload_download\"", + "config_system -s \"$conf\"", + "rc=$?", + "if test \"$rc\" -eq 0 && $primary ; then", + " until mgmt_cli -r true discard ; do", + " sleep 30", + " done", + "fi", + "chkconfig --add autoprovision", + "service autoprovision start", + { + "Fn::If": [ + 
"AllocatePublicAddress", + { + "Fn::Join": [ + "\n", + [ + { + "Fn::Sub": "wait_handle='${ReadyHandle}'" + }, + "echo \"Generating TOKEN\"", + "TOKEN=`curl_cli -X PUT \"http://169.254.169.254/latest/api/token\" -H \"X-aws-ec2-metadata-token-ttl-seconds: 3600\"`", + "echo \"Getting instance id\"", + "instance_id=\"$(curl_cli -H \"X-aws-ec2-metadata-token: $TOKEN\" -v http://169.254.169.254/latest/meta-data/instance-id)\"", + "printf 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 | base64 -d | gunzip -c | cpopenssl x509 -inform DER >$CPDIR/tmp/wait-handle.crt", + "cat $CPDIR/conf/ca-bundle.crt >>$CPDIR/tmp/wait-handle.crt", + "if test $rc -ne 0; then", + " reason=\"Security Management Server configuration failed\"", + "fi", + { + "Fn::If": [ + "SecondaryAndNoSIC", + "reason=\"SIC key must be provided if installing a secondary Security Management Server\"", + { + "Ref": "AWS::NoValue" + } + ] + }, + { + "Fn::If": [ + "R8040Andm4t2", + "reason=\"m4 and t2 instance types are not supported with R80.40\"", + { + "Ref": "AWS::NoValue" + } + ] + }, + { + "Fn::If": [ + "R8030Andm4t2", + "reason=\"m4 and t2 instance types are not supported with R80.30\"", + { + "Ref": "AWS::NoValue" + } + ] + }, + { + "Fn::If": [ + "R8020Andm4t2", + "reason=\"m4 and t2 instance types are not supported with R80.20\"", + { + "Ref": "AWS::NoValue" + } + ] + }, + { + "Fn::If": [ + "R8010Andm5", + "reason=\"m5 instance types are not supported with R80.10\"", + { + "Ref": "AWS::NoValue" + } + ] + }, + "if test -n \"$reason\"; then", + " message=\"$reason\"", + " status=FAILURE", + "else", + " message=\"Security Management Server configuration completed\"", + " status=SUCCESS", + "fi", + "curl_cli -s -S --cacert $CPDIR/tmp/wait-handle.crt -X PUT -H 'Content-Type:' --data-binary '{\"Status\" : \"'$status'\", \"Reason\" : \"'\"$message\"'\", \"UniqueId\" : \"'$instance_id'\", \"Data\" : \"None\"}' \"$wait_handle\"" + ] + ] + }, + { + "Ref": "AWS::NoValue" + } + ] + }, + { + "Fn::If": [ + 
"ManageOverInternetAndAllocatePublicAddress", + { + "Fn::Join": [ + "\n", + [ + "addr=\"$(ip addr show dev eth0 | sed -n -e 's|^ *inet \\([^/]*\\)/.* eth0$|\\1|p')\"", + "pub_addr=\"$(ip addr show dev eth0 | sed -n -e 's|^ *inet \\([^/]*\\)/.* eth0:1$|\\1|p')\"", + "uid=\"$(mgmt_cli -r true show-generic-objects class-name com.checkpoint.objects.classes.dummy.CpmiHostCkp details-level full -f json | jq -r '.objects[] | select(.ipaddr == \"'\"$addr\"'\") | .uid')\"", + "test -z \"$uid\" || test -z \"$pub_addr\" || mgmt_cli -r true set-generic-object uid \"$uid\" ipaddr \"$pub_addr\"" + ] + ] + }, + { + "Ref": "AWS::NoValue" + } + ] + }, + { + "Fn::Join": [ + "", + [ + "bootstrap=$(echo '", + { + "Fn::Base64": { + "Fn::Join": [ + "; ", + { + "Ref": "BootstrapScript" + } + ] + } + }, + "' | base64 --decode)" + ] + ] + }, + "eval $bootstrap", + "test -z \"$enable_eic\" || {", + "echo \"enabling ec2 instance connect\"", + "if [ -d \"/etc/ec2-instance-connect\" ]; then", + " ec2-instance-connect-config on", + "else", + " echo \"Could not enable eic, not supported in versions R80.30 and below\"", + "fi", + "}", + "" + ] + ] + } + } + } + }, + "PublicAddress": { + "Type": "AWS::EC2::EIP", + "Condition": "AllocatePublicAddress", + "Properties": { + "Domain": "vpc" + } + }, + "AddressAssoc": { + "Type": "AWS::EC2::EIPAssociation", + "DependsOn": "Instance", + "Condition": "AllocatePublicAddress", + "Properties": { + "InstanceId": { + "Ref": "Instance" + }, + "AllocationId": { + "Fn::GetAtt": [ + "PublicAddress", + "AllocationId" + ] + } + } + } + }, + "Outputs": { + "PublicAddress": { + "Condition": "AllocatePublicAddress", + "Description": "The public address of the management server", + "Value": { + "Ref": "PublicAddress" + } + }, + "SSH": { + "Condition": "AllocatePublicAddress", + "Description": "SSH command", + "Value": { + "Fn::Join": [ + "", + [ + "ssh admin@", + { + "Ref": "PublicAddress" + } + ] + ] + } + }, + "URL": { + "Condition": "AllocatePublicAddress", + 
"Description": "URL to the portal", + "Value": { + "Fn::Join": [ + "", + [ + "https://", + { + "Ref": "PublicAddress" + } + ] + ] + } + } + } +} diff --git a/deprecated/aws/templates/mds-r8030/README.md b/deprecated/aws/templates/mds-r8030/README.md new file mode 100644 index 00000000..d1900d51 --- /dev/null +++ b/deprecated/aws/templates/mds-r8030/README.md @@ -0,0 +1,23 @@ + + +## Multi-Domain Management Server + + + + + + + + + + + + + + + +
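Review bot: `AdminSubnet` and `GatewaysAddresses` both default to `0.0.0.0/0` while `AllocatePublicAddress` defaults to `true`, so a stack launched with defaults puts SSH (22), the web portal (443), 18190/19009 and all the gateway ports (257, 8211, 18191–18264) on an Elastic IP open to the whole internet, and the `AnyAdminSubnet` branch additionally writes `mgmt_gui_clients_radio=any` into the first-time-wizard config; drop the `"Default": "0.0.0.0/0"` lines so the operator must supply a CIDR (or at minimum say in the parameter descriptions that the default is world-reachable). Separately, the `R8040Andm4t2` condition is built from `"Condition": "R80.30"` instead of `R80.40`, so the "m4 and t2 instance types are not supported with R80.40" reason can never fire for R80.40 and instead fires (then is overwritten) for R80.30 — change that one line to `"Condition": "R80.40"`. Minor hygiene: the instance-id fetch runs `curl_cli ... -v` with stderr redirected to `/var/log/aws-user-data.log`, so the IMDSv2 token header is written to that log; dropping `-v` avoids it. The `PasswordHash` description still recommends `openssl passwd -1` (MD5-crypt); if Gaia's `set user admin password-hash` accepts `$6$` hashes, which I cannot confirm from this hunk, `openssl passwd -6` would be the better recommendation. This template lives under `deprecated/`, so the same defaults may also need checking in the current `aws/templates/management` template, which is outside this hunk.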
DescriptionNotesDirect Launch
+ Deploys and configures a Multi-Domain Security Management Server.

For more details, refer to sk143213. +
Deploys a Multi-Domain Security Management Server into an existing VPC.
+
+
\ No newline at end of file diff --git a/deprecated/aws/templates/mds-r8030/mds.json b/deprecated/aws/templates/mds-r8030/mds.json new file mode 100755 index 00000000..dd598c80 --- /dev/null +++ b/deprecated/aws/templates/mds-r8030/mds.json 
@@ -0,0 +1,1270 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Deploys a Check Point Multi-Domain Server (20211212)", + "Metadata": { + "AWS::CloudFormation::Interface": { + "ParameterGroups": [ + { + "Label": { + "default": "VPC Network Configuration" + }, + "Parameters": [ + "VPC", + "Subnet" + ] + }, + { + "Label": { + "default": "EC2 Instance Configuration" + }, + "Parameters": [ + "Name", + "InstanceType", + "KeyName", + "VolumeSize", + "VolumeEncryption", + "EnableInstanceConnect" + ] + }, + { + "Label": { + "default": "IAM Permissions (ignored when the installation type is not Primary Multi-Domain Server)" + }, + "Parameters": [ + "Permissions", + "PredefinedRole", + "STSRoles" + ] + }, + { + "Label": { + "default": "Check Point Settings" + }, + "Parameters": [ + "Version", + "Shell", + "PasswordHash" + ] + }, + { + "Label": { + "default": "Security Management Server Settings" + }, + "Parameters": [ + "Hostname", + "InstallationType", + "SICKey", + "AllowUploadDownload", + "AdminSubnet", + "GatewaysAddresses", + "NTPPrimary", + "NTPSecondary", + "BootstrapScript" + ] + } + ], + "ParameterLabels": { + "VPC": { + "default": "VPC" + }, + "Subnet": { + "default": "Subnet" + }, + "Name": { + "default": "Name" + }, + "Version": { + "default": "Version & license" + }, + "InstanceType": { + "default": "Instance type" + }, + "KeyName": { + "default": "Key name" + }, + "AdminSubnet": { + "default": "Administrator addresses" + }, + "GatewaysAddresses": { + "default": "Gateways addresses" + }, + "Hostname": { + "default": "Hostname" + }, + "SICKey": { + "default": "SIC key" + }, + "Shell": { + "default": "Admin shell" + }, + "PasswordHash": { + "default": "Password hash" + }, + "InstallationType": { + "default": "Installation Type" + }, + "VolumeSize": { + "default": "Root volume size (GB)" + }, + "VolumeEncryption": { + "default": "Volume encryption KMS key identifier" + }, + "EnableInstanceConnect": { + "default": "Enable AWS Instance Connect" + 
}, + "AllowUploadDownload": { + "default": "Allow upload & download" + }, + "NTPPrimary": { + "default": "Primary NTP server" + }, + "NTPSecondary": { + "default": "Secondary NTP server" + }, + "STSRoles": { + "default": "STS roles" + }, + "PredefinedRole": { + "default": "Existing IAM role name" + }, + "Permissions": { + "default": "IAM role" + }, + "BootstrapScript": { + "default": "Bootstrap script" + } + } + } + }, + "Parameters": { + "VPC": { + "Description": "Select an existing VPC", + "Type": "AWS::EC2::VPC::Id", + "MinLength": "1" + }, + "Subnet": { + "Description": "To access the instance from the internet, make sure the subnet has a route to the internet", + "Type": "AWS::EC2::Subnet::Id", + "MinLength": "1" + }, + "Version": { + "Type": "String", + "Default": "R80.30-BYOL", + "AllowedValues": [ + "R80.10-BYOL", + "R80.20-BYOL", + "R80.30-BYOL", + "R80.40-BYOL" + ] + }, + "InstanceType": { + "Description": "m4 instance types are supported only with version R80.10 and m5 are supported only with R80.20 and above", + "Type": "String", + "Default": "m5.12xlarge", + "AllowedValues": [ + "m4.4xlarge", + "m4.10xlarge", + "m4.16xlarge", + "m5.4xlarge", + "m5.12xlarge", + "m5.24xlarge" + ], + "ConstraintDescription": "must be a valid EC2 instance type." + }, + "Name": { + "Default": "Check-Point-MDS", + "Type": "String" + }, + "KeyName": { + "Description": "The EC2 Key Pair to allow SSH access to the instance", + "Type": "AWS::EC2::KeyPair::KeyName", + "MinLength": "1", + "ConstraintDescription": "must be the name of an existing EC2 KeyPair." 
+ }, + "EnableInstanceConnect": { + "Description": "Ec2 Instance Connect is not supported with versions prior to R80.40", + "Default": "false", + "Type": "String", + "AllowedValues": [ + "true", + "false" + ] + }, + "AdminSubnet": { + "Description": "Allow web, SSH, and graphical clients only from this network to communicate with the Management Server", + "Type": "String", + "Default": "0.0.0.0/0", + "AllowedPattern": "^([0-9]{1,3}\\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$" + }, + "GatewaysAddresses": { + "Description": "Allow gateways only from this network to communicate with the Management Server", + "Type": "String", + "Default": "0.0.0.0/0", + "AllowedPattern": "^([0-9]{1,3}\\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$" + }, + "PasswordHash": { + "Description": "Admin user's password hash (use command \"openssl passwd -1 PASSWORD\" to get the PASSWORD's hash) (optional)", + "Type": "String", + "Default": "", + "AllowedPattern": "[\\$\\./a-zA-Z0-9]*", + "NoEcho": "true" + }, + "Hostname": { + "Description": "(optional)", + "AllowedPattern": "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$", + "ConstraintDescription": "A valid hostname label or an empty string", + "Type": "String", + "Default": "" + }, + "SICKey": { + "Description": "Mandatory if deploying a Secondary Multi-Domain Server or Multi-Domain Log Server, the Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters", + "NoEcho": "true", + "Default": "", + "Type": "String", + "AllowedPattern": "(|[a-zA-Z0-9]{8,})", + "ConstraintDescription": "Can be empty if this is a Primary Multi-Domain Server. 
Otherwise, at least 8 alpha numeric characters" + }, + "Shell": { + "Description": "Change the admin shell to enable advanced command line configuration", + "Type": "String", + "Default": "/etc/cli.sh", + "AllowedValues": [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh" + ] + }, + "InstallationType": { + "Type": "String", + "Default": "Primary Multi-Domain Server", + "AllowedValues": [ + "Primary Multi-Domain Server", + "Secondary Multi-Domain Server", + "Multi-Domain Log Server" + ] + }, + "NTPPrimary": { + "Description": "(optional)", + "Type": "String", + "Default": "169.254.169.123", + "AllowedPattern": "[\\.a-zA-Z0-9\\-]*" + }, + "NTPSecondary": { + "Description": "(optional)", + "Type": "String", + "Default": "0.pool.ntp.org", + "AllowedPattern": "[\\.a-zA-Z0-9\\-]*" + }, + "VolumeSize": { + "Type": "Number", + "MinValue": "100", + "Default": "100" + }, + "VolumeEncryption": { + "Description": "KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs')", + "Type": "String", + "Default": "alias/aws/ebs" + }, + "AllowUploadDownload": { + "Description": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point", + "Type": "String", + "Default": "true", + "AllowedValues": [ + "true", + "false" + ] + }, + "Permissions": { + "Description": "IAM role to attach to the instance profile", + "Type": "String", + "Default": "Create with read permissions", + "AllowedValues": [ + "None (configure later)", + "Use existing (specify an existing IAM role name)", + "Create with assume role permissions (specify an STS role ARN)", + "Create with read permissions", + "Create with read-write permissions" + ] + }, + "STSRoles": { + "Description": "The IAM role will be able to assume these STS Roles (comma separated list of ARNs, without spaces). 
Ignored if IAM role is set to 'None' or 'Use existing'", + "Type": "CommaDelimitedList", + "Default": "" + }, + "PredefinedRole": { + "Description": "A predefined IAM role to attach to the instance profile. Ignored if IAM role is not set to 'Use existing'", + "Type": "String", + "Default": "" + }, + "BootstrapScript": { + "Description": "An optional script with comma separated commands to run on the initial boot", + "Type": "CommaDelimitedList", + "Default": "", + "NoEcho": "true" + } + }, + "Conditions": { + "EnableEncryptedVolume": { + "Fn::And": [ + { + "Fn::Not": [ + { + "Fn::Equals": [ + { + "Ref": "VolumeEncryption" + }, + "" + ] + } + ] + }, + { + "Condition": "R80.30" + } + ] + }, + "AllocatePublicAddress": { + "Fn::Equals": [ + "1", + "0" + ] + }, + "EnableInstanceConnect": { + "Fn::Equals": [ + { + "Ref": "EnableInstanceConnect" + }, + "true" + ] + }, + "STSRoles": { + "Fn::And": [ + { + "Condition": "Primary" + }, + { + "Fn::Not": [ + { + "Fn::Equals": [ + { + "Fn::Join": [ + ",", + { + "Ref": "STSRoles" + } + ] + }, + "" + ] + } + ] + } + ] + }, + "CreateRole": { + "Fn::And": [ + { + "Fn::Or": [ + { + "Condition": "Primary" + }, + { + "Condition": "Secondary" + } + ] + }, + { + "Fn::Or": [ + { + "Fn::Equals": [ + { + "Ref": "Permissions" + }, + "Create with assume role permissions (specify an STS role ARN)" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "Permissions" + }, + "Create with read permissions" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "Permissions" + }, + "Create with read-write permissions" + ] + } + ] + } + ] + }, + "UseRole": { + "Fn::And": [ + { + "Fn::Or": [ + { + "Condition": "Primary" + }, + { + "Condition": "Secondary" + } + ] + }, + { + "Fn::Not": [ + { + "Fn::Equals": [ + { + "Ref": "Permissions" + }, + "None (configure later)" + ] + } + ] + } + ] + }, + "AnyAdminSubnet": { + "Fn::Equals": [ + { + "Ref": "AdminSubnet" + }, + "0.0.0.0/0" + ] + }, + "R80.10": { + "Fn::Equals": [ + { + "Fn::Select": [ + 0, + { + "Fn::Split": [ + "-", + 
{ + "Ref": "Version" + } + ] + } + ] + }, + "R80.10" + ] + }, + "R80.20": { + "Fn::Equals": [ + { + "Fn::Select": [ + 0, + { + "Fn::Split": [ + "-", + { + "Ref": "Version" + } + ] + } + ] + }, + "R80.20" + ] + }, + "R80.30": { + "Fn::Equals": [ + { + "Fn::Select": [ + 0, + { + "Fn::Split": [ + "-", + { + "Ref": "Version" + } + ] + } + ] + }, + "R80.30" + ] + }, + "R80.40": { + "Fn::Equals": [ + { + "Fn::Select": [ + 0, + { + "Fn::Split": [ + "-", + { + "Ref": "Version" + } + ] + } + ] + }, + "R80.40" + ] + }, + "NoSIC": { + "Fn::Equals": [ + { + "Ref": "SICKey" + }, + "" + ] + }, + "Primary": { + "Fn::Equals": [ + { + "Ref": "InstallationType" + }, + "Primary Multi-Domain Server" + ] + }, + "Secondary": { + "Fn::Equals": [ + { + "Ref": "InstallationType" + }, + "Secondary Multi-Domain Server" + ] + }, + "LogServer": { + "Fn::Equals": [ + { + "Ref": "InstallationType" + }, + "Multi-Domain Log Server" + ] + }, + "SecondaryAndNoSIC": { + "Fn::And": [ + { + "Condition": "Secondary" + }, + { + "Condition": "NoSIC" + } + ] + }, + "m4InstanceType": { + "Fn::Equals": [ + { + "Fn::Select": [ + 0, + { + "Fn::Split": [ + ".", + { + "Ref": "InstanceType" + } + ] + } + ] + }, + "m4" + ] + }, + "m5InstanceType": { + "Fn::Equals": [ + { + "Fn::Select": [ + 0, + { + "Fn::Split": [ + ".", + { + "Ref": "InstanceType" + } + ] + } + ] + }, + "m5" + ] + }, + "R8020Andm4": { + "Fn::And": [ + { + "Condition": "R80.20" + }, + { + "Condition": "m4InstanceType" + } + ] + }, + "R8030Andm4": { + "Fn::And": [ + { + "Condition": "R80.30" + }, + { + "Condition": "m4InstanceType" + } + ] + }, + "R8010Andm5": { + "Fn::And": [ + { + "Condition": "R80.10" + }, + { + "Condition": "m5InstanceType" + } + ] + }, + "AddMGMTVersionSuffix": { + "Fn::Or": [ + { + "Fn::Equals": [ + { + "Ref": "Version" + }, + "R80.20-BYOL" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "Version" + }, + "R80.30-BYOL" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "Version" + }, + "R80.40-BYOL" + ] + } + ] + } + }, + "Resources": { 
+ "AMI": { + "Type": "AWS::CloudFormation::Stack", + "Properties": { + "TemplateURL": "https://cgi-cfts.s3.amazonaws.com/deprecated/utils/amis-deprecated.yaml", + "Parameters": { + "Version": { + "Fn::If": [ + "AddMGMTVersionSuffix", + { + "Fn::Join": [ + "-", + [ + { + "Ref": "Version" + }, + "MGMT" + ] + ] + }, + { + "Ref": "Version" + } + ] + } + } + } + }, + "ReadyHandle": { + "Type": "AWS::CloudFormation::WaitConditionHandle", + "Condition": "AllocatePublicAddress", + "Properties": {} + }, + "ReadyCondition": { + "Type": "AWS::CloudFormation::WaitCondition", + "Condition": "AllocatePublicAddress", + "DependsOn": [ + "Instance" + ], + "Properties": { + "Handle": { + "Ref": "ReadyHandle" + }, + "Timeout": "3600" + } + }, + "InstanceSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Management security group", + "VpcId": { + "Ref": "VPC" + }, + "SecurityGroupIngress": [ + { + "CidrIp": { + "Ref": "GatewaysAddresses" + }, + "IpProtocol": "tcp", + "FromPort": 257, + "ToPort": 257 + }, + { + "CidrIp": { + "Ref": "GatewaysAddresses" + }, + "IpProtocol": "tcp", + "FromPort": 8211, + "ToPort": 8211 + }, + { + "CidrIp": { + "Ref": "GatewaysAddresses" + }, + "IpProtocol": "tcp", + "FromPort": 18191, + "ToPort": 18191 + }, + { + "CidrIp": { + "Ref": "GatewaysAddresses" + }, + "IpProtocol": "tcp", + "FromPort": 18192, + "ToPort": 18192 + }, + { + "CidrIp": { + "Ref": "GatewaysAddresses" + }, + "IpProtocol": "tcp", + "FromPort": 18210, + "ToPort": 18210 + }, + { + "CidrIp": { + "Ref": "GatewaysAddresses" + }, + "IpProtocol": "tcp", + "FromPort": 18211, + "ToPort": 18211 + }, + { + "CidrIp": { + "Ref": "GatewaysAddresses" + }, + "IpProtocol": "tcp", + "FromPort": 18221, + "ToPort": 18221 + }, + { + "CidrIp": { + "Ref": "GatewaysAddresses" + }, + "IpProtocol": "tcp", + "FromPort": 18264, + "ToPort": 18264 + }, + { + "CidrIp": { + "Ref": "AdminSubnet" + }, + "IpProtocol": "tcp", + "FromPort": 22, + "ToPort": 22 + }, + { + "CidrIp": 
{ + "Ref": "AdminSubnet" + }, + "IpProtocol": "tcp", + "FromPort": 443, + "ToPort": 443 + }, + { + "CidrIp": { + "Ref": "AdminSubnet" + }, + "IpProtocol": "tcp", + "FromPort": 18190, + "ToPort": 18190 + }, + { + "CidrIp": { + "Ref": "AdminSubnet" + }, + "IpProtocol": "tcp", + "FromPort": 19009, + "ToPort": 19009 + } + ] + } + }, + "CheckPointManagementRoleStack": { + "Type": "AWS::CloudFormation::Stack", + "Condition": "CreateRole", + "Properties": { + "TemplateURL": "https://cgi-cfts.s3.amazonaws.com/iam/cme-iam-role.yaml", + "Parameters": { + "Permissions": { + "Ref": "Permissions" + }, + "STSRoles": { + "Fn::Join": [ + ",", + { + "Ref": "STSRoles" + } + ] + } + } + } + }, + "InstanceProfile": { + "Type": "AWS::IAM::InstanceProfile", + "Condition": "UseRole", + "Properties": { + "Path": "/", + "Roles": [ + { + "Fn::If": [ + "CreateRole", + { + "Fn::GetAtt": [ + "CheckPointManagementRoleStack", + "Outputs.CMEIAMRole" + ] + }, + { + "Ref": "PredefinedRole" + } + ] + } + ] + } + }, + "Instance": { + "Type": "AWS::EC2::Instance", + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": { + "Ref": "Name" + } + } + ], + "ImageId": { + "Fn::GetAtt": [ + "AMI", + "Outputs.ImageId" + ] + }, + "InstanceType": { + "Ref": "InstanceType" + }, + "IamInstanceProfile": { + "Fn::If": [ + "UseRole", + { + "Ref": "InstanceProfile" + }, + { + "Ref": "AWS::NoValue" + } + ] + }, + "KeyName": { + "Ref": "KeyName" + }, + "NetworkInterfaces": [ + { + "DeviceIndex": "0", + "AssociatePublicIpAddress": "false", + "Description": "eth0", + "GroupSet": [ + { + "Ref": "InstanceSecurityGroup" + } + ], + "DeleteOnTermination": "true", + "SubnetId": { + "Ref": "Subnet" + } + } + ], + "BlockDeviceMappings": [ + { + "DeviceName": "/dev/xvda", + "Ebs": { + "Encrypted": { + "Fn::If": [ + "EnableEncryptedVolume", + "true", + "false" + ] + }, + "KmsKeyId": { + "Fn::If": [ + "EnableEncryptedVolume", + { + "Ref": "VolumeEncryption" + }, + { + "Ref": "AWS::NoValue" + } + ] + }, + "VolumeType": "gp2", 
+ "VolumeSize": { + "Ref": "VolumeSize" + } + } + } + ], + "UserData": { + "Fn::Base64": { + "Fn::Join": [ + "\n", + [ + "#!/bin/bash", + "logfile=/var/log/aws-user-data.log", + "> ${logfile}", + "exec 1>>${logfile} 2>>${logfile}", + "echo template_name: mds >> /etc/cloud-version", + "echo template_version: 20211212 >> /etc/cloud-version", + { + "Fn::If": [ + "Primary", + { + "Fn::Join": [ + "\n", + [ + "primary=true", + "secondary=false", + "logServer=false", + "sic=notused" + ] + ] + }, + { + "Fn::If": [ + "Secondary", + { + "Fn::Join": [ + "\n", + [ + "primary=false", + "secondary=true", + "logServer=false", + { + "Fn::Join": [ + "", + [ + "sic=$(echo '", + { + "Fn::Base64": { + "Ref": "SICKey" + } + }, + "' | base64 --decode)" + ] + ] + } + ] + ] + }, + { + "Fn::Join": [ + "\n", + [ + "primary=false", + "secondary=false", + "logServer=true", + { + "Fn::Join": [ + "", + [ + "sic=$(echo '", + { + "Fn::Base64": { + "Ref": "SICKey" + } + }, + "' | base64 --decode)" + ] + ] + } + ] + ] + } + ] + } + ] + }, + { + "Fn::Join": [ + "", + [ + "enable_eic='", + { + "Fn::If": [ + "EnableInstanceConnect", + { + "Ref": "EnableInstanceConnect" + }, + { + "Ref": "AWS::NoValue" + } + ] + }, + "'" + ] + ] + }, + { + "Fn::Sub": "hname='${Hostname}'" + }, + { + "Fn::Sub": "pwd_hash='${PasswordHash}'" + }, + { + "Fn::Sub": "allow_upload_download='${AllowUploadDownload}'" + }, + { + "Fn::Sub": "ntp1='${NTPPrimary}'" + }, + { + "Fn::Sub": "ntp2='${NTPSecondary}'" + }, + { + "Fn::Sub": "shell='${Shell}'" + }, + { + "Fn::Sub": "admin_subnet='${AdminSubnet}'" + }, + "test -z \"$hname\" || {", + " echo \"set hostname\"", + " clish -c \"set hostname $hname\" -s", + "}", + "test -z \"$ntp1\" || {", + " echo \"set primary NTP server\"", + " clish -c \"set ntp server primary $ntp1 version 4\" -s", + " test -z \"$ntp2\" || {", + " echo \"set secondary NTP server\"", + " clish -c \"set ntp server secondary $ntp2 version 4\" -s", + " }", + " clish -c \"set ntp active on\" -s", + "}", + "test -z 
\"$pwd_hash\" || {", + " echo \"set admin password\"", + " clish -c \"set user admin password-hash $pwd_hash\" -s", + "}", + "echo \"set admin shell\"", + "clish -c \"set user admin shell $shell\" -s", + "conf=\"install_security_gw=false\"", + { + "Fn::If": [ + "AnyAdminSubnet", + "conf=\"${conf}&mgmt_gui_clients_radio=any\"", + { + "Fn::Join": [ + "\n", + [ + "admin_subnet_ip=\"$(echo $admin_subnet | cut -d / -f 1)\"", + "admin_subnet_bits=\"$(echo $admin_subnet | cut -d / -f 2)\"", + "conf=\"${conf}&mgmt_gui_clients_radio=network\"", + "conf=\"${conf}&mgmt_gui_clients_ip_field=${admin_subnet_ip}\"", + "conf=\"${conf}&mgmt_gui_clients_subnet_field=${admin_subnet_bits}\"" + ] + ] + } + ] + }, + "conf=\"${conf}&install_mds_primary=$primary\"", + "conf=\"${conf}&install_mds_secondary=$secondary\"", + "conf=\"${conf}&install_mlm=$logServer\"", + "conf=\"${conf}&install_mds_interface=eth0\"", + "conf=\"${conf}&mgmt_admin_radio=gaia_admin\"", + "conf=\"${conf}&ftw_sic_key=$sic\"", + "conf=\"${conf}&download_info=$allow_upload_download\"", + "conf=\"${conf}&upload_info=$allow_upload_download\"", + "config_system -s \"$conf\"", + "rc=$?", + "test -z \"$enable_eic\" || {", + "echo \"enabling ec2 instance connect\"", + "if [ -d \"/etc/ec2-instance-connect\" ]; then", + " ec2-instance-connect-config on", + "else", + " echo \"Could not enable eic, not supported in versions R80.30 and below\"", + "fi", + "}", + "if test \"$rc\" -eq 0 && $primary ; then", + " until mgmt_cli -r true discard ; do", + " sleep 30", + " done", + "fi", + "chkconfig --add autoprovision", + "service autoprovision start", + { + "Fn::If": [ + "AllocatePublicAddress", + { + "Fn::Join": [ + "\n", + [ + { + "Fn::Sub": "wait_handle='${ReadyHandle}'" + }, + "echo \"Generating TOKEN\"", + "TOKEN=`curl_cli -X PUT \"http://169.254.169.254/latest/api/token\" -H \"X-aws-ec2-metadata-token-ttl-seconds: 3600\"`", + "echo \"Getting instance id\"", + "instance_id=\"$(curl_cli -H \"X-aws-ec2-metadata-token: $TOKEN\" -v 
http://169.254.169.254/latest/meta-data/instance-id)\"", + "printf 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 | base64 -d | gunzip -c | cpopenssl x509 -inform DER >$CPDIR/tmp/wait-handle.crt", + "cat $CPDIR/conf/ca-bundle.crt >>$CPDIR/tmp/wait-handle.crt", + "if test $rc -ne 0; then", + " reason=\"Security Management Server configuration failed\"", + "fi", + { + "Fn::If": [ + "SecondaryAndNoSIC", + "reason=\"SIC key must be provided if installing a secondary Security Management Server\"", + { + "Ref": "AWS::NoValue" + } + ] + }, + { + "Fn::If": [ + "R8030Andm4", + "reason=\"m4 instance types are not supported with R80.30\"", + { + "Ref": "AWS::NoValue" + } + ] + }, + { + "Fn::If": [ + "R8020Andm4", + "reason=\"m4 instance types are not supported with R80.20\"", + { + "Ref": "AWS::NoValue" + } + ] + }, + { + "Fn::If": [ + "R8010Andm5", + "reason=\"m5 instance types are not supported with R80.10\"", + { + "Ref": "AWS::NoValue" + } + ] + }, + "if test -n \"$reason\"; then", + " message=\"$reason\"", + " status=FAILURE", + "else", + " message=\"Security Management Server configuration completed\"", + " status=SUCCESS", + "fi", + "curl_cli -s -S --cacert $CPDIR/tmp/wait-handle.crt -X PUT -H 'Content-Type:' --data-binary '{\"Status\" : \"'$status'\", \"Reason\" : \"'\"$message\"'\", \"UniqueId\" : \"'$instance_id'\", \"Data\" : \"None\"}' \"$wait_handle\"" + ] + ] + }, + { + "Ref": "AWS::NoValue" + } + ] + }, + { + "Fn::Join": [ + "", + [ + "bootstrap=$(echo '", + { + "Fn::Base64": { + "Fn::Join": [ + "; ", + { + "Ref": "BootstrapScript" + } + ] + } + }, + "' | base64 --decode)" + ] + ] + }, + "eval $bootstrap", + "" + ] + ] + } + } + } + }, + "PublicAddress": { + "Type": "AWS::EC2::EIP", + "Condition": "AllocatePublicAddress", + "Properties": { + "Domain": "vpc" + } + }, + "AddressAssoc": { + "Type": "AWS::EC2::EIPAssociation", + "DependsOn": "Instance", + "Condition": "AllocatePublicAddress", + "Properties": { + "InstanceId": { + "Ref": "Instance" + }, + 
"AllocationId": { + "Fn::GetAtt": [ + "PublicAddress", + "AllocationId" + ] + } + } + } + }, + "Outputs": { + "PublicAddress": { + "Condition": "AllocatePublicAddress", + "Description": "The public address of the management server", + "Value": { + "Ref": "PublicAddress" + } + }, + "SSH": { + "Condition": "AllocatePublicAddress", + "Description": "SSH command", + "Value": { + "Fn::Join": [ + "", + [ + "ssh admin@", + { + "Ref": "PublicAddress" + } + ] + ] + } + }, + "URL": { + "Condition": "AllocatePublicAddress", + "Description": "URL to the portal", + "Value": { + "Fn::Join": [ + "", + [ + "https://", + { + "Ref": "PublicAddress" + } + ] + ] + } + } + } +} diff --git a/deprecated/aws/templates/single-gw-r8030/README.md b/deprecated/aws/templates/single-gw-r8030/README.md new file mode 100644 index 00000000..9c5c13a1 --- /dev/null +++ b/deprecated/aws/templates/single-gw-r8030/README.md @@ -0,0 +1,25 @@ +## Security Gateway + + + + + + + + + + + + + + + + + + + +
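Review bot: In mds.json the `EnableEncryptedVolume` condition is gated on `{"Condition": "R80.30"}` alone, so choosing `R80.40-BYOL` — an allowed `Version` value in this same template — silently deploys an unencrypted root volume even though `VolumeEncryption` defaults to `alias/aws/ebs`; the sibling gateway-into-vpc.json in this commit uses `{"Fn::Or": [{"Condition": "R80.30"}, {"Condition": "R80.40"}]}` and mds.json should do the same. The `VolumeEncryption` description here also omits the "Will be ignored for versions lower than R80.30" caveat that the gateway template carries, so an operator gets no hint that the key identifier may be ignored. Separately, `AllocatePublicAddress` is hard-wired to `{"Fn::Equals": ["1", "0"]}` (always false), which also disables `ReadyHandle`/`ReadyCondition` and the whole status-signalling block, including the `R8030Andm4`/`R8020Andm4`/`R8010Andm5` failure reasons, so an unsupported version/instance-type combination never fails the stack; if that is intentional for this deprecated template, state it in the template `Description` or the README, since JSON allows no inline comment. Finally, the instance-id lookup runs `curl_cli ... -v` with stdout and stderr redirected to /var/log/aws-user-data.log, so if `curl_cli` passes `-v` through to curl the request headers, including the IMDSv2 token, end up in that log; dropping `-v` (the token request line already runs without it) keeps the token out of the log.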
DescriptionNotesDirect Launch
+ Deploys and configures a Security Gateway.

To deploy the Security Gateway so that it will be automatically provisioned, refer to sk131434. +
Creates a new VPC and deploys a Security Gateway into it.
Deploys a Security Gateway into an existing VPC.
+
+
\ No newline at end of file diff --git a/deprecated/aws/templates/single-gw-r8030/gateway-into-vpc.json b/deprecated/aws/templates/single-gw-r8030/gateway-into-vpc.json new file mode 100644 index 00000000..bab15c99 --- /dev/null +++ b/deprecated/aws/templates/single-gw-r8030/gateway-into-vpc.json 
@@ -0,0 +1,1000 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Deploys a Check Point Security Gateway into an existing VPC (20211212)", + "Metadata": { + "AWS::CloudFormation::Interface": { + "ParameterGroups": [ + { + "Label": { + "default": "VPC Network Configuration" + }, + "Parameters": [ + "VPC", + "ExternalSubnet", + "InternalSubnet", + "InternalRouteTable", + "ResourcesTagName" + ] + }, + { + "Label": { + "default": "EC2 Instance Configuration" + }, + "Parameters": [ + "Name", + "InstanceType", + "KeyName", + "AllocatePublicAddress", + "VolumeSize", + "VolumeEncryption", + "EnableInstanceConnect" + ] + }, + { + "Label": { + "default": "Check Point Settings" + }, + "Parameters": [ + "Version", + "Shell", + "SICKey", + "PasswordHash" + ] + }, + { + "Label": { + "default": "Advanced Settings" + }, + "Parameters": [ + "Hostname", + "AllowUploadDownload", + "NTPPrimary", + "NTPSecondary" + ] + }, + { + "Label": { + "default": "Automatic Provisioning with Security Management Server Settings (optional)" + }, + "Parameters": [ + "ControlGatewayOverPrivateOrPublicAddress", + "ManagementServer", + "ConfigurationTemplate" + ] + } + ], + "ParameterLabels": { + "VPC": { + "default": "VPC" + }, + "ExternalSubnet": { + "default": "External subnet" + }, + "ControlGatewayOverPrivateOrPublicAddress": { + "default": "Gateway address" + }, + "ManagementServer": { + "default": "Management Server" + }, + "ConfigurationTemplate": { + "default": "Configuration template" + }, + "InternalSubnet": { + "default": "Internal subnet" + }, + "InternalRouteTable": { + "default": "Internal route table" + }, + "ResourcesTagName": { + "default": "Resources prefix tag" + }, + "Version": { + "default": "Version & license" + }, + "InstanceType": { + "default": "Instance type" + }, + "KeyName": { + "default": "Key name" + }, + "AllocatePublicAddress": { + "default": "Allocate an Elastic IP" + }, + "EnableInstanceConnect": { + "default": "Enable AWS Instance Connect" + }, + 
"Shell": { + "default": "Admin shell" + }, + "PasswordHash": { + "default": "Password hash" + }, + "Hostname": { + "default": "Hostname" + }, + "SICKey": { + "default": "SIC key" + }, + "VolumeSize": { + "default": "Root volume size (GB)" + }, + "VolumeEncryption": { + "default": "Volume encryption KMS key identifier" + }, + "AllowUploadDownload": { + "default": "Allow upload & download" + }, + "NTPPrimary": { + "default": "Primary NTP server" + }, + "NTPSecondary": { + "default": "Secondary NTP server" + } + } + } + }, + "Parameters": { + "VPC": { + "Type": "AWS::EC2::VPC::Id", + "MinLength": "1" + }, + "ExternalSubnet": { + "Description": "The external subnet of the Security Gateway", + "Type": "AWS::EC2::Subnet::Id", + "MinLength": "1" + }, + "InternalSubnet": { + "Description": "The internal subnet of the Security Gateway", + "Type": "AWS::EC2::Subnet::Id", + "MinLength": "1" + }, + "InternalRouteTable": { + "Description": "Set 0.0.0.0/0 route to the Security Gateway instance in this route table (e.g. 
rtb-12a34567) (optional)", + "Type": "String" + }, + "ResourcesTagName": { + "Description": "(optional)", + "Type": "String" + }, + "Name": { + "Type": "String", + "Default": "Check-Point-Gateway" + }, + "Version": { + "Type": "String", + "Default": "R80.30-PAYG-NGTP", + "AllowedValues": [ + "R80.10-BYOL", + "R80.10-PAYG-NGTP", + "R80.10-PAYG-NGTX", + "R80.20-BYOL", + "R80.20-PAYG-NGTP", + "R80.20-PAYG-NGTX", + "R80.30-BYOL", + "R80.30-PAYG-NGTP", + "R80.30-PAYG-NGTX", + "R80.40-BYOL", + "R80.40-PAYG-NGTP", + "R80.40-PAYG-NGTX" + ] + }, + "InstanceType": { + "Description": "c4 and t2 instance types are supported only with version R80.10 and c5 are supported only with R80.20 and above", + "Type": "String", + "Default": "c5.xlarge", + "AllowedValues": [ + "c4.large", + "c4.xlarge", + "c4.2xlarge", + "c4.4xlarge", + "c4.8xlarge", + "c5.large", + "c5.xlarge", + "c5.2xlarge", + "c5.4xlarge", + "c5.9xlarge", + "c5.18xlarge", + "c5n.large", + "c5n.xlarge", + "c5n.2xlarge", + "c5n.4xlarge", + "c5n.9xlarge", + "c5n.18xlarge", + "t2.xlarge", + "t2.2xlarge" + ], + "ConstraintDescription": "Must be a valid EC2 instance type" + }, + "KeyName": { + "Description": "The EC2 Key Pair to allow SSH access to the instance", + "Type": "AWS::EC2::KeyPair::KeyName", + "MinLength": "1", + "ConstraintDescription": "must be the name of an existing EC2 KeyPair." 
+ }, + "ControlGatewayOverPrivateOrPublicAddress": { + "Description": "Determines if the Security Gateway is provisioned using its private or public address", + "Default": "private", + "Type": "String", + "AllowedValues": [ + "private", + "public" + ] + }, + "ManagementServer": { + "Description": "The name that represents the Security Management Server in the automatic provisioning configuration", + "Type": "String" + }, + "ConfigurationTemplate": { + "Description": "A name of a Security Gateway configuration template in the automatic provisioning configuration", + "Type": "String" + }, + "AllocatePublicAddress": { + "Default": "true", + "Type": "String", + "AllowedValues": [ + "true", + "false" + ] + }, + "EnableInstanceConnect": { + "Description": "Ec2 Instance Connect is not supported with versions prior to R80.40", + "Default": "false", + "Type": "String", + "AllowedValues": [ + "true", + "false" + ] + }, + "Shell": { + "Description": "Change the admin shell to enable advanced command line configuration", + "Type": "String", + "Default": "/etc/cli.sh", + "AllowedValues": [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh" + ] + }, + "PasswordHash": { + "Description": "Admin user's password hash (use command \"openssl passwd -1 PASSWORD\" to get the PASSWORD's hash) (optional)", + "NoEcho": "true", + "Type": "String", + "Default": "", + "AllowedPattern": "[\\$\\./a-zA-Z0-9]*" + }, + "Hostname": { + "Description": "(optional)", + "Type": "String", + "AllowedPattern": "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$", + "ConstraintDescription": "A valid hostname label or an empty string" + }, + "SICKey": { + "Description": "The Secure Internal Communication key creates trusted connections between Check Point components. 
Choose a random string consisting of at least 8 alphanumeric characters", + "NoEcho": "true", + "MinLength": "8", + "Type": "String", + "AllowedPattern": "[a-zA-Z0-9]*" + }, + "VolumeSize": { + "Type": "Number", + "MinValue": "100", + "Default": "100" + }, + "VolumeEncryption": { + "Description": "KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). Will be ignored for versions lower than R80.30", + "Type": "String", + "Default": "alias/aws/ebs" + }, + "AllowUploadDownload": { + "Description": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point", + "Type": "String", + "Default": "true", + "AllowedValues": [ + "true", + "false" + ] + }, + "NTPPrimary": { + "Description": "(optional)", + "Type": "String", + "Default": "169.254.169.123", + "AllowedPattern": "[\\.a-zA-Z0-9\\-]*" + }, + "NTPSecondary": { + "Description": "(optional)", + "Type": "String", + "Default": "0.pool.ntp.org", + "AllowedPattern": "[\\.a-zA-Z0-9\\-]*" + } + }, + "Conditions": { + "R80.30": { + "Fn::Equals": [ + { + "Fn::Select": [ + 0, + { + "Fn::Split": [ + "-", + { + "Ref": "Version" + } + ] + } + ] + }, + "R80.30" + ] + }, + "R80.40": { + "Fn::Equals": [ + { + "Fn::Select": [ + 0, + { + "Fn::Split": [ + "-", + { + "Ref": "Version" + } + ] + } + ] + }, + "R80.40" + ] + }, + "EnableEncryptedVolume": { + "Fn::And": [ + { + "Fn::Not": [ + { + "Fn::Equals": [ + { + "Ref": "VolumeEncryption" + }, + "" + ] + } + ] + }, + { + "Fn::Or": [ + { + "Condition": "R80.30" + }, + { + "Condition": "R80.40" + } + ] + } + ] + }, + "ResourcesTagNameGiven": { + "Fn::Not": [ + { + "Fn::Equals": [ + { + "Ref": "ResourcesTagName" + }, + "" + ] + } + ] + }, + "ProvidedManagementParameters": { + "Fn::And": [ + { + "Fn::Not": [ + { + "Fn::Equals": [ + { + "Ref": "ManagementServer" + }, + "" + ] + } + ] + }, + { + "Fn::Not": [ + { + 
"Fn::Equals": [ + { + "Ref": "ConfigurationTemplate" + }, + "" + ] + } + ] + } + ] + }, + "AllocatePublicAddress": { + "Fn::Equals": [ + { + "Ref": "AllocatePublicAddress" + }, + "true" + ] + }, + "EnableInstanceConnect": { + "Fn::Equals": [ + { + "Ref": "EnableInstanceConnect" + }, + "true" + ] + }, + "RouteTableIdExist": { + "Fn::Not": [ + { + "Fn::Equals": [ + { + "Ref": "InternalRouteTable" + }, + "" + ] + } + ] + }, + "ProvidedPassHash": { + "Fn::Not": [ + { + "Fn::Equals": [ + { + "Ref": "PasswordHash" + }, + "" + ] + } + ] + } + }, + "Resources": { + "ReadyHandle": { + "Type": "AWS::CloudFormation::WaitConditionHandle", + "Condition": "AllocatePublicAddress", + "Properties": {} + }, + "ReadyCondition": { + "Type": "AWS::CloudFormation::WaitCondition", + "Condition": "AllocatePublicAddress", + "DependsOn": [ + "ChkpInstance" + ], + "Properties": { + "Handle": { + "Ref": "ReadyHandle" + }, + "Timeout": "3600" + } + }, + "AMI": { + "Type": "AWS::CloudFormation::Stack", + "Properties": { + "TemplateURL": "https://cgi-cfts.s3.amazonaws.com/deprecated/utils/amis-deprecated.yaml", + "Parameters": { + "Version": { + "Fn::Join": [ + "-", + [ + { + "Ref": "Version" + }, + "GW" + ] + ] + } + } + } + }, + "ExternalNetworkInterface": { + "Type": "AWS::EC2::NetworkInterface", + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": { + "Fn::Join": [ + "_", + [ + { + "Fn::If": [ + "ResourcesTagNameGiven", + { + "Ref": "ResourcesTagName" + }, + { + "Ref": "AWS::StackName" + } + ] + }, + "ExternalNetworkInterface" + ] + ] + } + } + ], + "Description": "eth0", + "SourceDestCheck": "false", + "GroupSet": [ + { + "Ref": "PermissiveSecurityGroup" + } + ], + "SubnetId": { + "Ref": "ExternalSubnet" + } + } + }, + "InternalNetworkInterface": { + "Type": "AWS::EC2::NetworkInterface", + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": { + "Fn::Join": [ + "_", + [ + { + "Fn::If": [ + "ResourcesTagNameGiven", + { + "Ref": "ResourcesTagName" + }, + { + "Ref": 
"AWS::StackName" + } + ] + }, + "InternalNetworkInterface" + ] + ] + } + } + ], + "Description": "eth1", + "SourceDestCheck": "false", + "GroupSet": [ + { + "Ref": "PermissiveSecurityGroup" + } + ], + "SubnetId": { + "Ref": "InternalSubnet" + } + } + }, + "PermissiveSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": { + "Fn::Join": [ + "_", + [ + { + "Fn::If": [ + "ResourcesTagNameGiven", + { + "Ref": "ResourcesTagName" + }, + { + "Ref": "AWS::StackName" + } + ] + }, + "PermissiveSecurityGroup" + ] + ] + } + } + ], + "GroupDescription": "Permissive security group", + "VpcId": { + "Ref": "VPC" + }, + "SecurityGroupIngress": [ + { + "IpProtocol": "-1", + "CidrIp": "0.0.0.0/0" + } + ] + } + }, + "InternalDefaultRoute": { + "Type": "AWS::EC2::Route", + "Condition": "RouteTableIdExist", + "Properties": { + "DestinationCidrBlock": "0.0.0.0/0", + "NetworkInterfaceId": { + "Ref": "InternalNetworkInterface" + }, + "RouteTableId": { + "Ref": "InternalRouteTable" + } + } + }, + "ChkpInstance": { + "Type": "AWS::EC2::Instance", + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": { + "Ref": "Name" + } + }, + { + "Fn::If": [ + "ProvidedManagementParameters", + { + "Key": "x-chkp-tags", + "Value": { + "Fn::Join": [ + ":", + [ + { + "Fn::Join": [ + "=", + [ + "management", + { + "Ref": "ManagementServer" + } + ] + ] + }, + { + "Fn::Join": [ + "=", + [ + "template", + { + "Ref": "ConfigurationTemplate" + } + ] + ] + }, + { + "Fn::Join": [ + "=", + [ + "ip-address", + { + "Ref": "ControlGatewayOverPrivateOrPublicAddress" + } + ] + ] + } + ] + ] + } + }, + { + "Ref": "AWS::NoValue" + } + ] + } + ], + "ImageId": { + "Fn::GetAtt": [ + "AMI", + "Outputs.ImageId" + ] + }, + "InstanceType": { + "Ref": "InstanceType" + }, + "BlockDeviceMappings": [ + { + "DeviceName": "/dev/xvda", + "Ebs": { + "Encrypted": { + "Fn::If": [ + "EnableEncryptedVolume", + "true", + "false" + ] + }, + "KmsKeyId": { + "Fn::If": [ + 
"EnableEncryptedVolume", + { + "Ref": "VolumeEncryption" + }, + { + "Ref": "AWS::NoValue" + } + ] + }, + "VolumeType": "gp2", + "VolumeSize": { + "Ref": "VolumeSize" + } + } + } + ], + "UserData": { + "Fn::Base64": { + "Fn::Join": [ + "\n", + [ + "#!/bin/bash", + "logfile=/var/log/aws-user-data.log", + "> ${logfile}", + "exec 1>>${logfile} 2>>${logfile}", + { + "Fn::If": [ + "ProvidedPassHash", + { + "Fn::Join": [ + "\n", + [ + { + "Fn::Join": [ + "", + [ + "pwd_hash='", + { + "Ref": "PasswordHash" + }, + "'" + ] + ] + }, + "echo \"set admin password\"", + "clish -c \"set user admin password-hash $pwd_hash\" -s" + ] + ] + }, + "pwd_hash=\"$(dd if=/dev/urandom count=1 2>/dev/null | sha1sum | cut -c -28)\"" + ] + }, + { + "Fn::Join": [ + "", + [ + "hname='", + { + "Ref": "Hostname" + }, + "'" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "wait_handle='", + { + "Fn::If": [ + "AllocatePublicAddress", + { + "Ref": "ReadyHandle" + }, + { + "Ref": "AWS::NoValue" + } + ] + }, + "'" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "enable_eic='", + { + "Fn::If": [ + "EnableInstanceConnect", + { + "Ref": "EnableInstanceConnect" + }, + { + "Ref": "AWS::NoValue" + } + ] + }, + "'" + ] + ] + }, + "echo \"Generating TOKEN\"", + "TOKEN=`curl_cli -X PUT \"http://169.254.169.254/latest/api/token\" -H \"X-aws-ec2-metadata-token-ttl-seconds: 3600\"`", + "echo \"Getting instance id\"", + "instance_id=\"$(curl_cli -H \"X-aws-ec2-metadata-token: $TOKEN\" -v http://169.254.169.254/latest/meta-data/instance-id)\"", + { + "Fn::Join": [ + "", + [ + "ntp1='", + { + "Ref": "NTPPrimary" + }, + "'" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "ntp2='", + { + "Ref": "NTPSecondary" + }, + "'" + ] + ] + }, + "echo \"Updating cloud-version file\"", + "template=\"gateway\"", + "echo \"template_name: ${template}\" >> /etc/cloud-version", + "echo \"template_version: 20211212\" >> /etc/cloud-version", + "echo \"set admin shell\"", + { + "Fn::Sub": "clish -c \"set user admin shell ${Shell}\" -s" + }, + 
"printf H4sIAEQeOVoCAzNoYuE3aGL6voCZiZGJiZHBgJeNU6vNo+07LyMjKyuDQYYhtwEnG3MoC5swU2iwoaqBMojDJSwTXJJYlJaZmpOiEJKanJGXn5OfnplarKPgmZesZ2hkYABSxi2siVDmnJNYXKxgpOCcWlSSmZaZnFiSmZ+n4FhakpFflFlSaSAnzmtgYmBmZGlobmxpaBYlzmuMzKWjS5oYFZCDgZGVgbmJkZcBKM7B1MTIyLDd6MS/l4XLWFrX8gim3D/n+/4Es0S7/cLVv22Wzf9weOGtKzfytIMn/FZZYtfyYd6L+DdP1V2+aiyzr773QOvDifXB+vNOsTJOlutPk7Fc7vsralsxi2ra6/L655HHvGaqioS8Vjv+uV7yqkFB//oNblr/177WfHt9/iqW9sVXfnYuNYm/7Tyxyexmms3GHTub/s6xshM4Yf2eLTWtarakhO3/wkAbA734fbblxZti2XIOK4fN0m5VmySznGnzE3ve9RyVTTvMbF/NuWy6eU/mqa9n5r74m9Ir3mCcF+cVO/OkXPuWuVIHruYJmyrH3Z8db/v+2veyQ6/sdlfwyjilZ7Pc+HHtVn73J5cFjKuZGJkXNx41aDxkIAsMW1k+FjEWkf3x2y+euyvf9iU6dM2d6wKH+FZ2PDdonASSV2Zp7DJobG/AqmZhzpIs+kVtEzCB84DcJMzCasDMyPgfLbkzg6KXda59x9yLJ6VCF67J/Pw58tZsxnYp//CVCys5tW5/198kd+Z4XNaN5vaF0997mtqVszlGJO3vi9jBlW7/ZvNdxTT5kyG/is7Y+jjcaFxfPq+5avei419NxPtuCjp8+aOj5StavzwpVk/1MgO3gpRsxk/xHV/2dr/ViLzrK9Yt3nxiU+px3aqlq/YEt+XeDV9y6oeCI3fGhy+/S/aFxVZVfv0p2/pYd+q+r4UTnM/0ys9i4GrXfBmqFMGg/OqxkLNmtDvH3R7HrFS2FU8VVzlumao4dWftRZPVwtfW7rnzyNby7F670oKFEpHMJ5W29M+5Gqd1fem2K1y5P7Y7CLrNkq/kS9rPP/3NA3158SkAHEuNARMEAAA= | base64 -d | gunzip -c | cpopenssl x509 -inform DER >$CPDIR/tmp/wait-handle.crt", + "cat $CPDIR/conf/ca-bundle.crt >>$CPDIR/tmp/wait-handle.crt", + "test -z \"$hname\" || {", + " echo \"set hostname\"", + " clish -c \"set hostname $hname\" -s", + "}", + "test -z \"$ntp1\" || {", + " echo \"set primary NTP server\"", + " clish -c \"set ntp server primary $ntp1 version 4\" -s", + " test -z \"$ntp2\" || {", + " echo \"set secondary NTP server\"", + " clish -c \"set ntp server secondary $ntp2 version 4\" -s", + " }", + " clish -c \"set ntp active on\" -s", + "}", + { + "Fn::Join": [ + "", + [ + "sic=$(echo '", + { + "Fn::Base64": { + "Ref": "SICKey" + } + }, + "' | base64 --decode)" + ] + ] + }, + { + "Fn::Sub": "blink_config -s \"gateway_cluster_member=false&ftw_sic_key='$sic'&upload_info=${AllowUploadDownload}&download_info=${AllowUploadDownload}&admin_hash='$pwd_hash'\"" + }, + "rc=$?", + 
"test -z \"$enable_eic\" || {", + "echo \"enabling ec2 instance connect\"", + "if [ -d \"/etc/ec2-instance-connect\" ]; then", + " ec2-instance-connect-config on", + "else", + " echo \"Could not enable eic, not supported in versions R80.30 and below\"", + "fi", + "}", + "if test -n \"$wait_handle\"; then", + " if test $rc -ne 0; then", + " curl_cli -s -S --cacert $CPDIR/tmp/wait-handle.crt -X PUT -H 'Content-Type:' --data-binary '{\"Status\" : \"FAILURE\", \"Reason\" : \"Security Gateway configuration failed\", \"UniqueId\" : \"'$instance_id'\", \"Data\" : \"None\"}' \"$wait_handle\"", + " else", + " curl_cli -s -S --cacert $CPDIR/tmp/wait-handle.crt -X PUT -H 'Content-Type:' --data-binary '{\"Status\" : \"SUCCESS\", \"Reason\" : \"Security Gateway Configuration Complete\", \"UniqueId\" : \"'$instance_id'\", \"Data\" : \"Configuration completed.\"}' \"$wait_handle\"", + " fi", + "fi", + "" + ] + ] + } + }, + "KeyName": { + "Ref": "KeyName" + }, + "NetworkInterfaces": [ + { + "DeviceIndex": "0", + "NetworkInterfaceId": { + "Ref": "ExternalNetworkInterface" + } + }, + { + "DeviceIndex": "1", + "NetworkInterfaceId": { + "Ref": "InternalNetworkInterface" + } + } + ] + } + }, + "PublicAddress": { + "Type": "AWS::EC2::EIP", + "Condition": "AllocatePublicAddress", + "Properties": { + "Domain": "vpc" + } + }, + "AddressAssoc": { + "Type": "AWS::EC2::EIPAssociation", + "Condition": "AllocatePublicAddress", + "DependsOn": "ChkpInstance", + "Properties": { + "NetworkInterfaceId": { + "Ref": "ExternalNetworkInterface" + }, + "AllocationId": { + "Fn::GetAtt": [ + "PublicAddress", + "AllocationId" + ] + }, + "PrivateIpAddress": { + "Fn::GetAtt": [ + "ExternalNetworkInterface", + "PrimaryPrivateIpAddress" + ] + } + } + } + }, + "Outputs": { + "PublicAddress": { + "Description": "The public address of the Check Point instance", + "Value": { + "Ref": "PublicAddress" + }, + "Condition": "AllocatePublicAddress" + }, + "SSH": { + "Description": "SSH command to the Check Point 
instance", + "Value": { + "Fn::Join": [ + "", + [ + "ssh admin@", + { + "Ref": "PublicAddress" + } + ] + ] + }, + "Condition": "AllocatePublicAddress" + }, + "URL": { + "Description": "URL to the portal", + "Value": { + "Fn::Join": [ + "", + [ + "https://", + { + "Ref": "PublicAddress" + } + ] + ] + }, + "Condition": "AllocatePublicAddress" + }, + "ManagementName": { + "Description": "The name that represents the Security Management Server", + "Value": { + "Ref": "ManagementServer" + } + }, + "ConfigurationTemplateName": { + "Description": "The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name", + "Value": { + "Ref": "ConfigurationTemplate" + } + } + } +} diff --git a/deprecated/aws/templates/single-gw-r8030/gateway.json b/deprecated/aws/templates/single-gw-r8030/gateway.json new file mode 100644 index 00000000..1e5863d3 --- /dev/null +++ b/deprecated/aws/templates/single-gw-r8030/gateway.json 
@@ -0,0 +1,543 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Deploys a Check Point Security Gateway into a new VPC (20211212)", + "Metadata": { + "AWS::CloudFormation::Interface": { + "ParameterGroups": [ + { + "Label": { + "default": "VPC Network Configuration" + }, + "Parameters": [ + "AvailabilityZone", + "VpcCidr", + "ExternalSubnetCidr", + "InternalSubnetCidr", + "ResourcesTagName" + ] + }, + { + "Label": { + "default": "EC2 Instance Configuration" + }, + "Parameters": [ + "Name", + "InstanceType", + "KeyName", + "AllocatePublicAddress", + "VolumeSize", + "VolumeEncryption", + "EnableInstanceConnect" + ] + }, + { + "Label": { + "default": "Check Point Settings" + }, + "Parameters": [ + "Version", + "Shell", + "SICKey", + "PasswordHash" + ] + }, + { + "Label": { + "default": "Advanced Settings" + }, + "Parameters": [ + "Hostname", + "AllowUploadDownload", + "NTPPrimary", + "NTPSecondary" + ] + }, + { + "Label": { + "default": "Automatic Provisioning with Security Management Server Settings (optional)" + }, + "Parameters": [ + "ControlGatewayOverPrivateOrPublicAddress", + "ManagementServer", + "ConfigurationTemplate" + ] + } + ], + "ParameterLabels": { + "AvailabilityZone": { + "default": "Availability zone" + }, + "VpcCidr": { + "default": "VPC CIDR" + }, + "ExternalSubnetCidr": { + "default": "External subnet CIDR" + }, + "InternalSubnetCidr": { + "default": "Internal subnet CIDR" + }, + "ResourcesTagName": { + "default": "Resources prefix tag" + }, + "Name": { + "default": "Name" + }, + "Version": { + "default": "Version & license" + }, + "InstanceType": { + "default": "Instance type" + }, + "KeyName": { + "default": "Key name" + }, + "AllocatePublicAddress": { + "default": "Allocate an Elastic IP" + }, + "EnableInstanceConnect": { + "default": "Enable AWS Instance Connect" + }, + "Shell": { + "default": "Admin shell" + }, + "PasswordHash": { + "default": "Password hash" + }, + "Hostname": { + "default": "Hostname" + }, + "SICKey": { + 
"default": "SIC key" + }, + "VolumeSize": { + "default": "Root volume size (GB)" + }, + "VolumeEncryption": { + "default": "Volume encryption KMS key identifier" + }, + "AllowUploadDownload": { + "default": "Allow upload & download" + }, + "NTPPrimary": { + "default": "Primary NTP server" + }, + "NTPSecondary": { + "default": "Secondary NTP server" + }, + "ControlGatewayOverPrivateOrPublicAddress": { + "default": "Gateway address" + }, + "ManagementServer": { + "default": "Management Server" + }, + "ConfigurationTemplate": { + "default": "Configuration template" + } + } + } + }, + "Parameters": { + "AvailabilityZone": { + "Description": "The availability zone in which to deploy the instance", + "Type": "AWS::EC2::AvailabilityZone::Name", + "MinLength": "1" + }, + "VpcCidr": { + "Description": "The CIDR block for your VPC", + "Type": "String", + "Default": "10.0.0.0/16", + "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28" + }, + "ExternalSubnetCidr": { + "Description": "The external subnet of the Security Gateway", + "Type": "String", + "Default": "10.0.0.0/24" + }, + "InternalSubnetCidr": { + "Description": "The internal subnet of the Security Gateway", + "Type": "String", + "Default": "10.0.1.0/24" + }, + "ResourcesTagName": { + "Description": "(optional)", + "Type": "String" + }, + "Name": { + "Type": "String", + "Default": "Check-Point-Gateway" + }, + "Version": { + "Type": "String", + "Default": "R80.30-PAYG-NGTP", + "AllowedValues": [ + "R80.10-BYOL", + "R80.10-PAYG-NGTP", + "R80.10-PAYG-NGTX", + "R80.20-BYOL", + "R80.20-PAYG-NGTP", + "R80.20-PAYG-NGTX", + "R80.30-BYOL", + "R80.30-PAYG-NGTP", + "R80.30-PAYG-NGTX", + "R80.40-BYOL", + "R80.40-PAYG-NGTP", + "R80.40-PAYG-NGTX" + ] + }, + "InstanceType": { + "Description": "c4 and t2 instance types are supported only with version R80.10 and c5 are supported only with R80.20 and above", + "Type": "String", + "Default": "c5.xlarge", + "AllowedValues": [ + "c4.large", + "c4.xlarge", + 
"c4.2xlarge", + "c4.4xlarge", + "c4.8xlarge", + "c5.large", + "c5.xlarge", + "c5.2xlarge", + "c5.4xlarge", + "c5.9xlarge", + "c5.18xlarge", + "c5n.large", + "c5n.xlarge", + "c5n.2xlarge", + "c5n.4xlarge", + "c5n.9xlarge", + "c5n.18xlarge", + "t2.xlarge", + "t2.2xlarge" + ], + "ConstraintDescription": "Must be a valid EC2 instance type" + }, + "KeyName": { + "Description": "The EC2 Key Pair to allow SSH access to the instance", + "Type": "AWS::EC2::KeyPair::KeyName", + "MinLength": "1", + "ConstraintDescription": "must be the name of an existing EC2 KeyPair." + }, + "AllocatePublicAddress": { + "Default": "true", + "Type": "String", + "AllowedValues": [ + "true", + "false" + ] + }, + "EnableInstanceConnect": { + "Description": "Ec2 Instance Connect is not supported with versions prior to R80.40", + "Default": "false", + "Type": "String", + "AllowedValues": [ + "true", + "false" + ] + }, + "Shell": { + "Description": "Change the admin shell to enable advanced command line configuration", + "Type": "String", + "Default": "/etc/cli.sh", + "AllowedValues": [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh" + ] + }, + "PasswordHash": { + "Description": "Admin user's password hash (use command \"openssl passwd -1 PASSWORD\" to get the PASSWORD's hash) (optional)", + "NoEcho": "true", + "Type": "String", + "Default": "", + "AllowedPattern": "[\\$\\./a-zA-Z0-9]*" + }, + "Hostname": { + "Description": "(optional)", + "Type": "String", + "AllowedPattern": "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$", + "ConstraintDescription": "A valid hostname label or an empty string" + }, + "SICKey": { + "Description": "The Secure Internal Communication key creates trusted connections between Check Point components. 
Choose a random string consisting of at least 8 alphanumeric characters", + "NoEcho": "true", + "MinLength": "8", + "Type": "String", + "AllowedPattern": "[a-zA-Z0-9]*" + }, + "VolumeSize": { + "Type": "Number", + "MinValue": "100", + "Default": "100" + }, + "VolumeEncryption": { + "Description": "KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). Will be ignored for versions lower than R80.30", + "Type": "String", + "Default": "alias/aws/ebs" + }, + "AllowUploadDownload": { + "Description": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point", + "Type": "String", + "Default": "true", + "AllowedValues": [ + "true", + "false" + ] + }, + "NTPPrimary": { + "Description": "(optional)", + "Type": "String", + "Default": "169.254.169.123", + "AllowedPattern": "[\\.a-zA-Z0-9\\-]*" + }, + "NTPSecondary": { + "Description": "(optional)", + "Type": "String", + "Default": "0.pool.ntp.org", + "AllowedPattern": "[\\.a-zA-Z0-9\\-]*" + }, + "ControlGatewayOverPrivateOrPublicAddress": { + "Description": "Determines if the Security Gateway is provisioned using its private or public address", + "Default": "private", + "Type": "String", + "AllowedValues": [ + "private", + "public" + ] + }, + "ManagementServer": { + "Description": "The name that represents the Security Management Server in the automatic provisioning configuration", + "Type": "String" + }, + "ConfigurationTemplate": { + "Description": "A name of a Security Gateway configuration template in the automatic provisioning configuration", + "Type": "String" + } + }, + "Conditions": { + "ResourcesTagNameGiven": { + "Fn::Not": [ + { + "Fn::Equals": [ + { + "Ref": "ResourcesTagName" + }, + "" + ] + } + ] + }, + "AllocatePublicAddress": { + "Fn::Equals": [ + { + "Ref": "AllocatePublicAddress" + }, + "true" + ] + } + }, + "Resources": { + "InfraStack": 
{ + "Type": "AWS::CloudFormation::Stack", + "Properties": { + "TemplateURL": "https://cgi-cfts.s3.amazonaws.com/deprecated/utils/infrastructure.json", + "Parameters": { + "VpcCidr": { + "Ref": "VpcCidr" + }, + "AvailabilityZone": { + "Ref": "AvailabilityZone" + }, + "ExternalSubnetCidr": { + "Ref": "ExternalSubnetCidr" + }, + "InternalSubnetCidr": { + "Ref": "InternalSubnetCidr" + }, + "ResourcesTagName": { + "Ref": "ResourcesTagName" + } + } + } + }, + "InternalRoutingTable": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Fn::GetAtt": [ + "InfraStack", + "Outputs.VPC" + ] + }, + "Tags": [ + { + "Key": "Name", + "Value": { + "Fn::Join": [ + "_", + [ + { + "Fn::If": [ + "ResourcesTagNameGiven", + { + "Ref": "ResourcesTagName" + }, + { + "Ref": "AWS::StackName" + } + ] + }, + "InternalRoutingTable" + ] + ] + } + } + ] + } + }, + "InternalNetworkRouteAssociation": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "InternalRoutingTable" + }, + "SubnetId": { + "Fn::GetAtt": [ + "InfraStack", + "Outputs.InternalSubnet" + ] + } + } + }, + "ChkpProductStack": { + "Type": "AWS::CloudFormation::Stack", + "Properties": { + "TemplateURL": "https://cgi-cfts.s3.amazonaws.com/deprecated/gateway/gateway-into-vpc.json", + "Parameters": { + "VPC": { + "Fn::GetAtt": [ + "InfraStack", + "Outputs.VPC" + ] + }, + "ExternalSubnet": { + "Fn::GetAtt": [ + "InfraStack", + "Outputs.ExternalSubnet" + ] + }, + "InternalSubnet": { + "Fn::GetAtt": [ + "InfraStack", + "Outputs.InternalSubnet" + ] + }, + "InternalRouteTable": { + "Ref": "InternalRoutingTable" + }, + "ResourcesTagName": { + "Ref": "ResourcesTagName" + }, + "Name": { + "Ref": "Name" + }, + "Version": { + "Ref": "Version" + }, + "InstanceType": { + "Ref": "InstanceType" + }, + "KeyName": { + "Ref": "KeyName" + }, + "AllocatePublicAddress": { + "Ref": "AllocatePublicAddress" + }, + "EnableInstanceConnect": { + "Ref": "EnableInstanceConnect" + }, + "Shell": { + 
"Ref": "Shell" + }, + "PasswordHash": { + "Ref": "PasswordHash" + }, + "Hostname": { + "Ref": "Hostname" + }, + "SICKey": { + "Ref": "SICKey" + }, + "VolumeSize": { + "Ref": "VolumeSize" + }, + "VolumeEncryption": { + "Ref": "VolumeEncryption" + }, + "AllowUploadDownload": { + "Ref": "AllowUploadDownload" + }, + "NTPPrimary": { + "Ref": "NTPPrimary" + }, + "NTPSecondary": { + "Ref": "NTPSecondary" + }, + "ManagementServer": { + "Ref": "ManagementServer" + }, + "ConfigurationTemplate": { + "Ref": "ConfigurationTemplate" + }, + "ControlGatewayOverPrivateOrPublicAddress": { + "Ref": "ControlGatewayOverPrivateOrPublicAddress" + } + } + } + } + }, + "Outputs": { + "CheckPointInstancePublicAddress": { + "Description": "The public address of the Check Point instance", + "Value": { + "Fn::GetAtt": [ + "ChkpProductStack", + "Outputs.PublicAddress" + ] + }, + "Condition": "AllocatePublicAddress" + }, + "CheckPointInstanceSSH": { + "Description": "SSH command to the Check Point instance", + "Value": { + "Fn::GetAtt": [ + "ChkpProductStack", + "Outputs.SSH" + ] + }, + "Condition": "AllocatePublicAddress" + }, + "CheckPointInstanceURL": { + "Description": "URL to the portal", + "Value": { + "Fn::GetAtt": [ + "ChkpProductStack", + "Outputs.URL" + ] + }, + "Condition": "AllocatePublicAddress" + }, + "ManagementName": { + "Description": "The name that represents the Security Management Server", + "Value": { + "Ref": "ManagementServer" + } + }, + "ConfigurationTemplateName": { + "Description": "The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name", + "Value": { + "Ref": "ConfigurationTemplate" + } + } + } +} diff --git a/deprecated/aws/templates/tgw-asg-r8030/README.md b/deprecated/aws/templates/tgw-asg-r8030/README.md new file mode 100644 index 00000000..bb77fa72 --- /dev/null 
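Review bot: `VpcCidr` declares `"ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28"` but has no `AllowedPattern`, so CloudFormation never enforces the constraint and the message is never shown; `ExternalSubnetCidr` and `InternalSubnetCidr` likewise accept any string and the failure only surfaces when the nested `InfraStack` is created. The commit already ships a suitable pattern for public-subnet parameters in checkpoint-tgw-asg-master.yaml; JSON-escaped for these three parameters it is `"AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$"`. Separately, the `ConfigurationTemplateName` output describes "Gateways in the Auto Scaling Group" although this template deploys a single gateway; `"Description": "The name that represents the configuration template used to automatically provision the Security Gateway"` would match what the stack does. The two `TemplateURL`s point at unversioned objects in a public bucket, so the nested stacks' behaviour can change without this template changing; a note in the top-level `Description` that the nested templates are fetched at deploy time would help operators reviewing the deprecated path.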
+++ b/deprecated/aws/templates/tgw-asg-r8030/README.md @@ -0,0 +1,25 @@ +## Transit Gateway Auto Scaling Group + + + + + + + + + + + + + + + + + + + +
DescriptionNotesDirect Launch
+ Deploys and configured the Security Gateways as an AWS Auto Scaling group configured for Transit Gateway.

For more details, refer to AWS Transit Gateway R80.10 and above Deployment Guide. +
Creates a new VPC and deploys an Auto Scaling group of Security Gateways configured for Transit Gateway into it, and an optional, preconfigured Security Management Server to manage them.
Deploys an Auto Scaling group of Security Gateways configured for Transit Gateway into an existing VPC, and an optional, preconfigured Security Management Server to manage them.
+
+
\ No newline at end of file diff --git a/deprecated/aws/templates/tgw-asg-r8030/checkpoint-tgw-asg-master.yaml b/deprecated/aws/templates/tgw-asg-r8030/checkpoint-tgw-asg-master.yaml new file mode 100755 index 00000000..edda053f --- /dev/null +++ b/deprecated/aws/templates/tgw-asg-r8030/checkpoint-tgw-asg-master.yaml 
@@ -0,0 +1,471 @@ +AWSTemplateFormatVersion: '2010-09-09' +Description: Deploy an Auto Scaling Group of CloudGuard Security Gateways for Transit Gateway with an optional Management Server in a new VPC (20211212) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: Network Configuration + Parameters: + - VpcCidr + - AvailabilityZones + - NumberOfAZs + - PublicSubnetCidrA + - PublicSubnetCidrB + - PublicSubnetCidrC + - PublicSubnetCidrD + - Label: + default: General Settings + Parameters: + - KeyPairName + - EnableInstanceConnect + - AllowUploadDownload + - VolumeEncryption + - Shell + - Label: + default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration + Parameters: + - Name + - GatewaysInstanceType + - GatewaysMinSize + - GatewaysMaxSize + - GatewaysLicense + - GatewaysPasswordHash + - GatewaysSIC + - ASN + - AdminEmail + - EnableCloudWatch + - Label: + default: Check Point CloudGuard IaaS Security Management Server Configuration + Parameters: + - ManagementDeploy + - ManagementInstanceType + - ManagementLicense + - ManagementPermissions + - PredefinedRole + - ManagementPasswordHash + - GatewaysBlades + - AdminAddressCIDR + - GatewayManagement + - GatewaysAddresses + - Label: + default: Automatic Provisioning with Security Management Server Settings + Parameters: + - ControlGatewayOverPrivateOrPublicAddress + - ManagementServer + - ConfigurationTemplate + ParameterLabels: + VpcCidr: + default: VPC CIDR + NumberOfAZs: + default: Number of AZs + AvailabilityZones: + default: Availability Zones + PublicSubnetCidrA: + default: Public Subnet 1 + PublicSubnetCidrB: + default: Public Subnet 2 + PublicSubnetCidrC: + default: Public Subnet 3 + PublicSubnetCidrD: + default: Public Subnet 4 + ManagementDeploy: + default: Deploy Management Server + ManagementInstanceType: + default: Instance type + ManagementLicense: + default: Version & license + ManagementPermissions: + default: IAM role + PredefinedRole: + 
default: Existing IAM role name + KeyPairName: + default: Key name + EnableInstanceConnect: + default: Enable AWS Instance Connect + ManagementPasswordHash: + default: Password hash + AdminAddressCIDR: + default: Administrator addresses + GatewaysAddresses: + default: Gateways addresses + GatewayManagement: + default: Manage Gateways + GatewaysInstanceType: + default: Instance type + GatewaysMinSize: + default: Minimum group size + GatewaysMaxSize: + default: Maximum group size + AdminEmail: + default: Email address + GatewaysBlades: + default: Default Blades + GatewaysLicense: + default: Version & license + GatewaysPasswordHash: + default: Password hash + GatewaysSIC: + default: SIC key + EnableCloudWatch: + default: CloudWatch metrics + ASN: + default: BGP ASN + ControlGatewayOverPrivateOrPublicAddress: + default: Gateways addresses + ManagementServer: + default: Management Server + ConfigurationTemplate: + default: Configuration template + Name: + default: Name + Shell: + default: Admin shell + AllowUploadDownload: + default: Allow upload & download + VolumeEncryption: + default: Enable environment volume encryption +Parameters: + VpcCidr: + Description: CIDR block for the VPC + Type: String + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + Default: 10.0.0.0/16 + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + AvailabilityZones: + Description: List of Availability Zones (AZs) to use for the subnets in the VPC. Select at least two + Type: List + MinLength: 1 + NumberOfAZs: + Description: Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter + Type: String + Default: 2 + AllowedValues: + - 2 + - 3 + - 4 + PublicSubnetCidrA: + Description: CIDR block for public subnet 1 located in the 1st Availability Zone. 
If you choose to deploy a Security Management Server it will be deployed in this subnet + Type: String + AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ + Default: 10.0.0.0/24 + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + PublicSubnetCidrB: + Description: CIDR block for public subnet 2 located in the 2nd Availability Zone + Type: String + AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ + Default: 10.0.2.0/24 + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + PublicSubnetCidrC: + Description: CIDR block for public subnet 3 located in the 3rd Availability Zone + Type: String + AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ + Default: 10.0.4.0/24 + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + PublicSubnetCidrD: + Description: CIDR block for public subnet 4 located in the 4th Availability Zone + Type: String + AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ + Default: 10.0.6.0/24 + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + ManagementDeploy: + Description: Select 'No' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section + Type: String + Default: 'Yes' + AllowedValues: + - 'Yes' + - 'No' + ManagementInstanceType: + Type: String + Default: m5.xlarge + AllowedValues: + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.12xlarge + - m5.24xlarge + ConstraintDescription: Must be a valid EC2 instance type + ManagementLicense: + Type: String + Default: R80.30-PAYG-MGMT + AllowedValues: + - 
R80.20-BYOL + - R80.20-PAYG-MGMT + - R80.30-BYOL + - R80.30-PAYG-MGMT + - R80.40-BYOL + - R80.40-PAYG-MGMT + ManagementPermissions: + Type: String + Default: Create with read permissions + AllowedValues: + - None (configure later) + - Use existing (specify an existing IAM role name) + - Create with assume role permissions (specify an STS role ARN) + - Create with read permissions + - Create with read-write permissions + PredefinedRole: + Type: String + Default: "" + Description: A predefined IAM role to attach to the instance profile. Ignored if IAM role is not set to 'Use existing' + KeyPairName: + Description: The EC2 Key Pair to allow SSH access to the instances created by this stack + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: Must be the name of an existing EC2 KeyPair + EnableInstanceConnect: + Description: Ec2 Instance Connect is not supported with versions prior to R80.40 + Type: String + Default: 'false' + AllowedValues: + - 'true' + - 'false' + ManagementPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -1 PASSWORD" to get the PASSWORD's hash) (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + AdminAddressCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate with the Security Management Server + Type: String + Default: 0.0.0.0/0 + AllowedPattern: ^(([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2]))?$ + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Security Management Server + Type: String + Default: 10.0.0.0/16 + AllowedPattern: ^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$ + GatewayManagement: + Description: Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address + Type: String + Default: Locally managed + AllowedValues: + - Locally managed + - Over the internet + 
GatewaysInstanceType: + Type: String + Default: c5.xlarge + AllowedValues: + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.18xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + ConstraintDescription: Must be a valid EC2 instance type + GatewaysMinSize: + Description: The minimal number of Security Gateways + Default: 2 + Type: Number + MinValue: 1 + GatewaysMaxSize: + Description: The maximal number of Security Gateways + Default: 5 + Type: Number + MinValue: 1 + AdminEmail: + Description: Notifications about scaling events will be sent to this email address (optional) + Type: String + Default: '' + AllowedPattern: (|([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?)) + ConstraintDescription: Must be a valid email address + GatewaysBlades: + Description: Turn on/off the Identity Awareness, CloudGuard Controller, Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (these and additional Blades can be manually turned on or off later) + Type: String + AllowedValues: + - 'On' + - 'Off' + Default: 'On' + GatewaysLicense: + Type: String + Default: R80.30-PAYG-NGTP + AllowedValues: + - R80.20-BYOL + - R80.20-PAYG-NGTP + - R80.20-PAYG-NGTX + - R80.30-BYOL + - R80.30-PAYG-NGTP + - R80.30-PAYG-NGTX + - R80.40-BYOL + - R80.40-PAYG-NGTP + - R80.40-PAYG-NGTX + GatewaysPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -1 PASSWORD" to get the PASSWORD's hash) (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaysSIC: + Description: The Secure Internal Communication key creates trusted connections between Check Point components. 
Choose a random string consisting of at least 8 alphanumeric characters + NoEcho: true + MinLength: 8 + Type: String + AllowedPattern: '[a-zA-Z0-9]*' + ConstraintDescription: Secure Internal Communication activation key should contain only alpha numeric characters and be at least 8 characters long + EnableCloudWatch: + Description: Report Check Point specific CloudWatch metrics + Type: String + AllowedValues: + - true + - false + Default: false + ASN: + Description: The organization Autonomous System Number (ASN) that identifies the routing domain for the Security Gateways + Type: String + AllowedPattern: '[0-9]*' + Default: 65000 + ControlGatewayOverPrivateOrPublicAddress: + Description: Determines if the gateways are provisioned using their private or public address + Default: private + Type: String + AllowedValues: + - private + - public + ManagementServer: + Description: The name that represents the Security Management Server in the automatic provisioning configuration + Type: String + Default: management-server + MinLength: '1' + ConfigurationTemplate: + Description: A name of a gateway configuration template in the automatic provisioning configuration + Type: String + Default: TGW-ASG-configuration + MinLength: '1' + Name: + Description: (optional) + Type: String + Default: Check-Point-Gateway + Shell: + Description: Change the admin shell to enable advanced command line configuration + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + AllowUploadDownload: + Description: Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point + Type: String + Default: 'Yes' + AllowedValues: + - 'Yes' + - 'No' + VolumeEncryption: + Description: Encrypt Environment instances volume with default AWS KMS key + Type: String + Default: 'true' + AllowedValues: + - 'true' + - 'false' +Conditions: + 3AZs: !Or + - !Equals + - !Ref NumberOfAZs + - 3 + - !Equals + - !Ref NumberOfAZs + - 4 + 4AZs: !Equals + - !Ref NumberOfAZs + - 4 + DeployManagement: !Equals + - !Ref ManagementDeploy + - 'Yes' +Resources: + VPCStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml + Parameters: + VPCCIDR: !Ref VpcCidr + AvailabilityZones: !Join + - ',' + - !Ref AvailabilityZones + NumberOfAZs: !Ref NumberOfAZs + PublicSubnet1CIDR: !Ref PublicSubnetCidrA + PublicSubnet2CIDR: !Ref PublicSubnetCidrB + PublicSubnet3CIDR: !Ref PublicSubnetCidrC + PublicSubnet4CIDR: !Ref PublicSubnetCidrD + CreatePrivateSubnets: false + MainStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/deprecated/autoscale/checkpoint-tgw-asg.yaml + Parameters: + VPC: !GetAtt + - VPCStack + - Outputs.VPCID + AdminEmail: !Ref AdminEmail + KeyPairName: !Ref KeyPairName + EnableInstanceConnect: !Ref EnableInstanceConnect + ManagementDeploy: !Ref ManagementDeploy + ManagementPermissions: !Ref ManagementPermissions + PredefinedRole: !Ref PredefinedRole + Subnets: !Join + - ',' + - - !GetAtt + - VPCStack + - Outputs.PublicSubnet1ID + - !GetAtt + - VPCStack + - Outputs.PublicSubnet2ID + - !If + - 3AZs + - !GetAtt + - VPCStack + - Outputs.PublicSubnet3ID + - !Ref AWS::NoValue + - !If + - 4AZs + - !GetAtt + - VPCStack + - Outputs.PublicSubnet4ID + - !Ref AWS::NoValue + GatewaysInstanceType: !Ref GatewaysInstanceType + GatewaysMinSize: !Ref GatewaysMinSize + GatewaysMaxSize: !Ref GatewaysMaxSize + GatewaysBlades: !Ref GatewaysBlades + GatewaysLicense: !Ref GatewaysLicense + GatewaysPasswordHash: !Ref 
GatewaysPasswordHash + GatewaysSIC: !Ref GatewaysSIC + EnableCloudWatch: !Ref EnableCloudWatch + AllowUploadDownload: !Ref AllowUploadDownload + VolumeEncryption: !Ref VolumeEncryption + ManagementInstanceType: !Ref ManagementInstanceType + ManagementLicense: !Ref ManagementLicense + ManagementPasswordHash: !Ref ManagementPasswordHash + AdminAddressCIDR: !Ref AdminAddressCIDR + GatewaysAddresses: !Ref GatewaysAddresses + GatewayManagement: !Ref GatewayManagement + ManagementServer: !Ref ManagementServer + ConfigurationTemplate: !Ref ConfigurationTemplate + Shell: !Ref Shell + Name: !Ref Name + ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress + ASN: !Ref ASN +Outputs: + ManagementName: + Description: The name that represents the Security Management Server + Value: !Ref ManagementServer + ConfigurationTemplateName: + Description: The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name + Value: !Ref ConfigurationTemplate + ControllerName: + Description: The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name + Value: !GetAtt + - MainStack + - Outputs.ControllerName + ManagementPublicAddress: + Description: The public address of the management servers + Value: !GetAtt + - MainStack + - Outputs.ManagementPublicAddress + Condition: DeployManagement diff --git a/deprecated/aws/templates/tgw-asg-r8030/checkpoint-tgw-asg.yaml b/deprecated/aws/templates/tgw-asg-r8030/checkpoint-tgw-asg.yaml new file mode 100755 index 00000000..2083d9d8 --- /dev/null +++ b/deprecated/aws/templates/tgw-asg-r8030/checkpoint-tgw-asg.yaml 
@@ -0,0 +1,488 @@ +AWSTemplateFormatVersion: '2010-09-09' +Description: Deploy an Auto Scaling Group of CloudGuard Security Gateways for Transit Gateway with an optional Management Server into an existing VPC (20211212) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: Network Configuration + Parameters: + - VPC + - Subnets + - Label: + default: General Settings + Parameters: + - KeyPairName + - EnableInstanceConnect + - AllowUploadDownload + - VolumeEncryption + - Shell + - Label: + default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration + Parameters: + - Name + - GatewaysInstanceType + - GatewaysMinSize + - GatewaysMaxSize + - GatewaysLicense + - GatewaysPasswordHash + - GatewaysSIC + - ASN + - AdminEmail + - EnableCloudWatch + - Label: + default: Check Point CloudGuard IaaS Security Management Server Configuration + Parameters: + - ManagementDeploy + - ManagementInstanceType + - ManagementLicense + - ManagementPermissions + - PredefinedRole + - ManagementPasswordHash + - GatewaysBlades + - AdminAddressCIDR + - GatewayManagement + - GatewaysAddresses + - Label: + default: Automatic Provisioning with Security Management Server Settings + Parameters: + - ControlGatewayOverPrivateOrPublicAddress + - ManagementServer + - ConfigurationTemplate + ParameterLabels: + VPC: + default: VPC + AdminEmail: + default: Email address + KeyPairName: + default: Key name + EnableInstanceConnect: + default: Enable AWS Instance Connect + ManagementDeploy: + default: Deploy Management Server + Subnets: + default: Subnets + GatewaysInstanceType: + default: Instance type + GatewaysMinSize: + default: Minimum group size + GatewaysMaxSize: + default: Maximum group size + GatewaysLicense: + default: Version & license + GatewaysPasswordHash: + default: Password hash + GatewaysSIC: + default: SIC key + EnableCloudWatch: + default: CloudWatch metrics + ASN: + default: BGP ASN + ControlGatewayOverPrivateOrPublicAddress: + 
default: Gateways addresses + ManagementServer: + default: Management Server + ConfigurationTemplate: + default: Configuration template + Name: + default: Name + Shell: + default: Admin shell + AllowUploadDownload: + default: Allow upload & download + VolumeEncryption: + default: Enable environment volume encryption + ManagementInstanceType: + default: Instance type + ManagementLicense: + default: Version & license + ManagementPermissions: + default: IAM role + PredefinedRole: + default: Existing IAM role name + ManagementPasswordHash: + default: Password hash + AdminAddressCIDR: + default: Administrator addresses + GatewaysAddresses: + default: Gateways addresses + GatewayManagement: + default: Manage Gateways + GatewaysBlades: + default: Default Blades +Parameters: + VPC: + Description: Select an existing VPC + Type: AWS::EC2::VPC::Id + MinLength: 1 + ConstraintDescription: You must select a VPC + Subnets: + Description: Select at least 2 external subnets in the VPC. If you choose to deploy a Security Management Server it will be deployed in the first subnet + Type: List + MinLength: '1' + AdminEmail: + Description: Notifications about scaling events will be sent to this email address (optional) + Type: String + Default: '' + AllowedPattern: (|([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?)) + ConstraintDescription: Must be a valid email address + KeyPairName: + Description: The EC2 Key Pair to allow SSH access to the instances created by this stack + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: Must be the name of an existing EC2 KeyPair + EnableInstanceConnect: + Description: Ec2 Instance Connect is not supported with versions prior to R80.40 + Type: String + Default: 'false' + AllowedValues: + - 'true' + - 'false' + ManagementDeploy: + Description: Select 'No' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of 
this section + Type: String + Default: 'Yes' + AllowedValues: + - 'Yes' + - 'No' + GatewaysInstanceType: + Type: String + Default: c5.xlarge + AllowedValues: + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.18xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + ConstraintDescription: Must be a valid EC2 instance type + GatewaysMinSize: + Description: The minimal number of Security Gateways + Default: 2 + Type: Number + MinValue: 1 + GatewaysMaxSize: + Description: The maximal number of Security Gateways + Default: 5 + Type: Number + MinValue: 1 + GatewaysLicense: + Type: String + Default: R80.30-PAYG-NGTP + AllowedValues: + - R80.20-BYOL + - R80.20-PAYG-NGTP + - R80.20-PAYG-NGTX + - R80.30-BYOL + - R80.30-PAYG-NGTP + - R80.30-PAYG-NGTX + - R80.40-BYOL + - R80.40-PAYG-NGTP + - R80.40-PAYG-NGTX + GatewaysPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -1 PASSWORD" to get the PASSWORD's hash) (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaysSIC: + Description: The Secure Internal Communication key creates trusted connections between Check Point components. 
Choose a random string consisting of at least 8 alphanumeric characters + NoEcho: true + MinLength: 8 + Type: String + AllowedPattern: '[a-zA-Z0-9]*' + ConstraintDescription: Secure Internal Communication activation key should contain only alpha numeric characters and be at least 8 characters long + EnableCloudWatch: + Description: Report Check Point specific CloudWatch metrics + Type: String + AllowedValues: + - true + - false + Default: false + ASN: + Description: The organization Autonomous System Number (ASN) that identifies the routing domain for the Security Gateways + Type: String + AllowedPattern: '[0-9]*' + Default: 65000 + ControlGatewayOverPrivateOrPublicAddress: + Description: Determines if the gateways are provisioned using their private or public address + Default: private + Type: String + AllowedValues: + - private + - public + ManagementServer: + Description: The name that represents the Security Management Server in the automatic provisioning configuration + Type: String + Default: management-server + MinLength: '1' + ConfigurationTemplate: + Description: A name of a gateway configuration template in the automatic provisioning configuration + Type: String + Default: TGW-ASG-configuration + MinLength: '1' + Name: + Description: (optional) + Type: String + Default: Check-Point-Gateway + Shell: + Description: Change the admin shell to enable advanced command line configuration + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + AllowUploadDownload: + Description: Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point + Type: String + Default: 'Yes' + AllowedValues: + - 'Yes' + - 'No' + VolumeEncryption: + Description: Encrypt Environment instances volume with default AWS KMS key. 
Will be ignored for versions lower than R80.30 + Type: String + Default: 'true' + AllowedValues: + - 'true' + - 'false' + ManagementInstanceType: + Type: String + Default: m5.xlarge + AllowedValues: + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.12xlarge + - m5.24xlarge + ConstraintDescription: Must be a valid EC2 instance type + ManagementLicense: + Type: String + Default: R80.30-PAYG-MGMT + AllowedValues: + - R80.20-BYOL + - R80.20-PAYG-MGMT + - R80.30-BYOL + - R80.30-PAYG-MGMT + - R80.40-BYOL + - R80.40-PAYG-MGMT + ManagementPermissions: + Type: String + Default: Create with read permissions + AllowedValues: + - None (configure later) + - Use existing (specify an existing IAM role name) + - Create with assume role permissions (specify an STS role ARN) + - Create with read permissions + - Create with read-write permissions + PredefinedRole: + Type: String + Default: "" + Description: A predefined IAM role to attach to the instance profile. Ignored if IAM role is not set to 'Use existing' + ManagementPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -1 PASSWORD" to get the PASSWORD's hash) (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + AdminAddressCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate with the Security Management Server + Type: String + Default: 0.0.0.0/0 + AllowedPattern: ^(([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2]))?$ + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Security Management Server + Type: String + AllowedPattern: ^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$ + Default: 0.0.0.0/0 + GatewayManagement: + Description: Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address + Type: String + Default: Locally managed + AllowedValues: + - Locally managed + - Over the 
internet + GatewaysBlades: + Description: Turn on/off the Identity Awareness, CloudGuard Controller, Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (additional Blades can be manually turned on later) + Type: String + AllowedValues: + - 'On' + - 'Off' + Default: 'On' +Conditions: + GatewaysR80.30: !Equals + - !Select + - 0 + - !Split + - '-' + - !Ref GatewaysLicense + - 'R80.30' + ManagementR80.30: !Equals + - !Select + - 0 + - !Split + - '-' + - !Ref ManagementLicense + - 'R80.30' + GatewaysR80.40: !Equals + - !Select + - 0 + - !Split + - '-' + - !Ref GatewaysLicense + - 'R80.40' + ManagementR80.40: !Equals + - !Select + - 0 + - !Split + - '-' + - !Ref ManagementLicense + - 'R80.40' + EncVolEnv: !Or + - !And + - !Condition GatewaysR80.30 + - !Condition ManagementR80.30 + - !And + - !Condition GatewaysR80.40 + - !Condition ManagementR80.30 + - !And + - !Condition GatewaysR80.30 + - !Condition ManagementR80.40 + - !And + - !Condition GatewaysR80.40 + - !Condition ManagementR80.40 + EnableVolumeEncryption: !And + - !Equals + - !Ref VolumeEncryption + - 'true' + - !Condition EncVolEnv + EnableInstanceConnect: !Equals + - !Ref EnableInstanceConnect + - 'true' + EnableBlades: !Equals + - !Ref GatewaysBlades + - 'On' + DeployManagement: !Equals + - !Ref ManagementDeploy + - 'Yes' + AllowUploadDownload: !Equals + - !Ref AllowUploadDownload + - 'Yes' +Resources: + ManagementStack: + Type: AWS::CloudFormation::Stack + Condition: DeployManagement + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/deprecated/management/management.json + Parameters: + VPC: !Ref VPC + Subnet: !Select + - 0 + - !Ref Subnets + Version: !Ref ManagementLicense + InstanceType: !Ref ManagementInstanceType + Name: !Ref ManagementServer + Permissions: !Ref ManagementPermissions + PredefinedRole: !Ref PredefinedRole + EnableInstanceConnect: !Ref EnableInstanceConnect + KeyName: !Ref KeyPairName + PasswordHash: !Ref ManagementPasswordHash + VolumeEncryption: 
!If + - EnableVolumeEncryption + - 'alias/aws/ebs' + - '' + BootstrapScript: !Sub + - | + sed -i '/template_name/c\template_name: tgw-asg' /etc/cloud-version ; + if test -d /opt/CPcme/menu/additions ; then + /opt/CPcme/menu/additions/config-community.sh tgw-community ; + else + /etc/fw/scripts/autoprovision/config-community.sh tgw-community ; + fi ; + mgmt_cli -r true add access-layer name "Inline" ; + mgmt_cli -r true add access-rule layer Network position 1 name "tgw-community VPN Traffic Rule" vpn.directional.1.from tgw-community vpn.directional.1.to tgw-community vpn.directional.2.from tgw-community vpn.directional.2.to External_clear action "Apply Layer" inline-layer "Inline" ; + mgmt_cli -r true add nat-rule package standard position bottom install-on "Policy Targets" original-source All_Internet translated-source All_Internet method hide ; + autoprov_cfg -f init AWS -mn ${ManagementServer} -tn ${ConfigurationTemplate} -cn tgw-controller -po Standard -otp ${GatewaysSIC} -r ${AWS::Region} -ver ${version} -iam -dt TGW ; + autoprov_cfg -f set controller AWS -cn tgw-controller -sg -sv -com tgw-community ; + autoprov_cfg -f set template -tn ${ConfigurationTemplate} -vpn -vd "" -con tgw-community ; + enable_blades=${GatewaysBlades} ; + if [ "$enable_blades" == "On" ] ; then + autoprov-cfg -f set template -tn ${ConfigurationTemplate} -ia -ips -appi -av -ab ; + if test -d /opt/CPsuite-R80.30 ; then + /opt/CPvsec-R80.30/bin/vsec on ; + elif test -d /opt/CPsuite-R80.20 ; then + /opt/CPvsec-R80.20/bin/vsec on ; + else + /opt/CPvsec-R80/bin/vsec on ; + fi ; + fi + - version: !Select + - 0 + - !Split + - '-' + - !Ref GatewaysLicense + AdminSubnet: !Ref AdminAddressCIDR + GatewaysAddresses: !Ref GatewaysAddresses + GatewayManagement: !Ref GatewayManagement + Shell: !Ref Shell + AllowUploadDownload: !If + - AllowUploadDownload + - 'true' + - 'false' + AllocatePublicAddress: true + Hostname: mgmt-aws + SecurityGatewaysStack: + Type: AWS::CloudFormation::Stack + Properties: + 
TemplateURL: https://cgi-cfts.s3.amazonaws.com/deprecated/autoscale/autoscale.json + Parameters: + VPC: !Ref VPC + Subnets: !Join + - ',' + - !Ref Subnets + MinSize: !Ref GatewaysMinSize + MaxSize: !Ref GatewaysMaxSize + ManagementServer: !Ref ManagementServer + ConfigurationTemplate: !Ref ConfigurationTemplate + Name: !Ref Name + InstanceType: !Ref GatewaysInstanceType + AdminEmail: !Ref AdminEmail + KeyName: !Ref KeyPairName + EnableInstanceConnect: !Ref EnableInstanceConnect + PasswordHash: !Ref GatewaysPasswordHash + SICKey: !Ref GatewaysSIC + Shell: !Ref Shell + License: !Ref GatewaysLicense + AllowUploadDownload: !If + - AllowUploadDownload + - 'true' + - 'false' + VolumeEncryption: !Ref VolumeEncryption + ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress + EnableCloudWatch: !Ref EnableCloudWatch + BootstrapScript: !Sub + | + sed -i '/template_name/c\template_name: autoscale-tgw' /etc/cloud-version ; + clish -c "set as ${ASN}" -s ; +Outputs: + ManagementName: + Description: The name that represents the Security Management Server + Value: !Ref ManagementServer + ConfigurationTemplateName: + Description: The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name + Value: !Ref ConfigurationTemplate + ControllerName: + Description: The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name + Value: tgw-controller + ManagementPublicAddress: + Description: The public address of the management servers + Value: !GetAtt ManagementStack.Outputs.PublicAddress + Condition: DeployManagement 
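Review bot: `AdminAddressCIDR` and `GatewaysAddresses` both default to `0.0.0.0/0`, so a deployer who accepts the defaults exposes the Security Management Server's web, SSH and SmartConsole access to the whole internet, and the `AdminAddressCIDR` pattern even admits an empty string. Drop the default so the value has to be chosen deliberately, e.g. replace `Default: 0.0.0.0/0` with `ConstraintDescription: Must be a CIDR block (x.x.x.x/x) covering only administrator networks - do not use 0.0.0.0/0`, and tighten the pattern to `^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$` as `GatewaysAddresses` already does. Separately, `ManagementServer` and `ConfigurationTemplate` are expanded unquoted into the management `BootstrapScript` (`autoprov_cfg -f init AWS -mn ${ManagementServer} -tn ${ConfigurationTemplate} ...`) with only `MinLength: '1'`, so a value containing whitespace or shell metacharacters breaks or alters that command line; give both an `AllowedPattern: '^[a-zA-Z0-9_\-]+$'` like the other string parameters in this file. Note also that the blade-enablement line calls `autoprov-cfg` (hyphen) while every other line calls `autoprov_cfg` (underscore); unless that name is an alias on the appliance, the `;`-chained script runs past the failure and the default Blades are silently never enabled. The SIC key and password hashes are `NoEcho` in CloudFormation, but `${GatewaysSIC}` is substituted in clear text into the bootstrap script, which presumably ends up in EC2 user data readable by anyone with `ec2:DescribeInstanceAttribute` - worth stating in the `GatewaysSIC` description so operators rotate it after provisioning.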
diff --git a/deprecated/aws/templates/transit-vpc-r8030/README.md b/deprecated/aws/templates/transit-vpc-r8030/README.md new file mode 100644 index 00000000..ea177968 --- /dev/null +++ b/deprecated/aws/templates/transit-vpc-r8030/README.md @@ -0,0 +1,34 @@ + +## Security Transit VPC + + + + + + + + + + + + + + + + + + + + + + + + + + + +
DescriptionNotesDirect Launch
+ Deploys two Security Gateways, each in a different Availability Zone, configured for Transit VPC.

For more details, refer to Transit VPC for AWS Deployment Guide . +
Creates a new VPC and deploys two Check Point Gateways for a Transit VPC hub into it, and an optional, preconfigured Security Management Server to manage them.
Deploys two Check Point Gateways for a Transit VPC hub into an existing VPC, and an optional, preconfigured Security Management Server to manage them.
Creates a new VPC and deploys two Security Gateways into it.
Deploys two Security Gateways into an existing VPC.
+
+
\ No newline at end of file diff --git a/deprecated/aws/templates/transit-vpc-r8030/checkpoint-transit-master.yaml b/deprecated/aws/templates/transit-vpc-r8030/checkpoint-transit-master.yaml new file mode 100755 index 00000000..8aca1f28 --- /dev/null +++ b/deprecated/aws/templates/transit-vpc-r8030/checkpoint-transit-master.yaml 
@@ -0,0 +1,354 @@ +AWSTemplateFormatVersion: '2010-09-09' +Description: Deploy Check Point Gateways for a transit VPC hub (20211212) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: General Settings + Parameters: + - VpcCidr + - AvailabilityZones + - PublicSubnetCidrA + - PublicSubnetCidrB + - PrivateSubnetCidrA + - PrivateSubnetCidrB + - KeyPairName + - Tag + - AllowUploadDownload + - Label: + default: Check Point CloudGuard IaaS Transit Security Gateways Configuration + Parameters: + - GatewaysInstanceType + - ASN + - GatewaysLicense + - GatewaysPasswordHash + - GatewaysSIC + - Label: + default: Check Point CloudGuard IaaS Security Management Server Configuration + Parameters: + - ManagementDeploy + - ManagementAction + - ManagementInstanceType + - ManagementLicense + - EnableInstanceConnect + - ManagementPermissions + - PredefinedRole + - ManagementPasswordHash + - GatewaysBlades + - AdminAddressCIDR + - GatewaysAddresses + ParameterLabels: + VpcCidr: + default: VPC CIDR + AvailabilityZones: + default: Availability Zones + PublicSubnetCidrA: + default: Public subnet 1 + PublicSubnetCidrB: + default: Public subnet 2 + PrivateSubnetCidrA: + default: Private subnet 1 + PrivateSubnetCidrB: + default: Private subnet 2 + KeyPairName: + default: Key name + Tag: + default: Transit tag + AllowUploadDownload: + default: Allow upload & download + EnableInstanceConnect: + default: Enable AWS Instance Connect + GatewaysInstanceType: + default: Instance type + ASN: + default: BGP ASN + GatewaysLicense: + default: Version & license + GatewaysPasswordHash: + default: Password hash + GatewaysSIC: + default: SIC key + ManagementDeploy: + default: Deploy Management Server + ManagementAction: + default: Default VPN access + ManagementInstanceType: + default: Instance type + ManagementLicense: + default: Version & license + ManagementPermissions: + default: IAM role + PredefinedRole: + default: Existing IAM role name + ManagementPasswordHash: + 
default: Password hash + GatewaysBlades: + default: Default Blades + AdminAddressCIDR: + default: Administrator addresses + GatewaysAddresses: + default: Gateways addresses +Parameters: + VpcCidr: + Description: CIDR block for the VPC + Type: String + AllowedPattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$" + Default: '10.0.0.0/16' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + AvailabilityZones: + Description: The Availability Zones (AZs) to use for the subnets in the VPC. Select two (the logical order is preserved) + Type: List + MinLength: 1 + PublicSubnetCidrA: + Description: CIDR block for public subnet 1 located in the 1st Availability Zone. If you choose to deploy a Security Management Server it will be deployed in this subnet + Type: String + AllowedPattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$" + Default: '10.0.0.0/24' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + PublicSubnetCidrB: + Description: CIDR block for public subnet 2 located in the 2nd Availability Zone + Type: String + AllowedPattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$" + Default: '10.0.2.0/24' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + PrivateSubnetCidrA: + Description: CIDR block for private subnet 1 located in the 1st Availability Zone + Type: String + AllowedPattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$" + Default: '10.0.1.0/24' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + PrivateSubnetCidrB: + Description: CIDR block for private subnet 2 located in the 2nd Availability Zone + Type: String 
+ AllowedPattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$" + Default: '10.0.3.0/24' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 + KeyPairName: + Description: The EC2 Key Pair to allow SSH access to the instances created by this stack + Type: AWS::EC2::KeyPair::KeyName + MinLength: '1' + Tag: + Description: The tag is used by the Security Management Server to automatically provision the Security Gateways. Must be up to 12 alphanumeric characters and unique for each environment + Type: String + Default: Transit + AllowedPattern: "^[a-zA-Z0-9-]*$" + MinLength: 1 + MaxLength: 12 + ConstraintDescription: The tag must be up to 12 alphanumeric character + AllowUploadDownload: + Description: Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point + Type: String + Default: 'true' + AllowedValues: + - 'true' + - 'false' + GatewaysInstanceType: + Description: c4 and t2 instance types are supported only with version R80.10 and c5 are supported only with R80.20 and R80.30 + Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c4.2xlarge + - c4.4xlarge + - c4.8xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.18xlarge + - t2.xlarge + - t2.2xlarge + ASN: + Description: The organization Autonomous System Number (ASN) that identifies the routing domain for the Security Gateways + Type: String + AllowedPattern: '[0-9]*' + Default: 65000 + GatewaysLicense: + Description: The license to install on the Security Gateways + Type: String + Default: R80.30-PAYG-NGTP + AllowedValues: + - R80.10-BYOL + - R80.10-PAYG-NGTP + - R80.10-PAYG-NGTX + - R80.20-BYOL + - R80.20-PAYG-NGTP + - R80.20-PAYG-NGTX + - R80.30-BYOL + - R80.30-PAYG-NGTP + - R80.30-PAYG-NGTX + GatewaysPasswordHash: + Description: Admin user's password hash (use command 
"openssl passwd -1 PASSWORD" to get the PASSWORD's hash) (optional) + Default: '' + Type: String + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + EnableInstanceConnect: + Description: Ec2 Instance Connect is not supported with versions prior to R80.40 + Type: String + Default: 'false' + AllowedValues: + - 'true' + - 'false' + GatewaysSIC: + Description: The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters + NoEcho: 'true' + MinLength: '8' + Type: String + AllowedPattern: '[a-zA-Z0-9]*' + ConstraintDescription: Secure Internal Communication activation key should contain only alpha numeric characters and be at least 8 characters long + ManagementDeploy: + Description: Select 'No' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section + Type: String + Default: 'Yes' + AllowedValues: + - 'Yes' + - 'No' + ManagementAction: + Description: If the Spoke VPCs are trusted, select 'accept' to allow all traffic between the Spoke VPCs + Type: String + Default: 'accept' + AllowedValues: + - 'drop' + - 'accept' + ManagementInstanceType: + Description: m4 and t2 instance types are supported only with version R80.10 and m5 are supported only with R80.20 and above + Type: String + Default: m5.xlarge + AllowedValues: + - m4.large + - m4.xlarge + - m4.2xlarge + - m4.4xlarge + - m4.10xlarge + - m4.16xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.12xlarge + - m5.24xlarge + - t2.xlarge + - t2.2xlarge + ConstraintDescription: Must be a valid EC2 instance type + ManagementLicense: + Type: String + Default: R80.30-PAYG-MGMT + AllowedValues: + - R80.10-BYOL + - R80.10-PAYG-MGMT + - R80.20-BYOL + - R80.20-PAYG-MGMT + - R80.30-BYOL + - R80.30-PAYG-MGMT + - R80.40-BYOL + - R80.40-PAYG-MGMT + ManagementPermissions: + Type: String + Default: Create with read permissions + AllowedValues: + 
- None (configure later) + - Use existing (specify an existing IAM role name) + - Create with assume role permissions (specify an STS role ARN) + - Create with read permissions + - Create with read-write permissions + PredefinedRole: + Type: String + Default: "" + Description: A predefined IAM role to attach to the instance profile. Ignored if IAM role is not set to 'Use existing' + ManagementPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -1 PASSWORD" to get the PASSWORD's hash) (optional) + Type: String + Default: '' + AllowedPattern: "[\\$\\./a-zA-Z0-9]*" + NoEcho: true + GatewaysBlades: + Description: Turn on/off the Intrusion Prevention System, URL filtering, Application Control, Anti-Virus and Anti-Bot Blades (these and additional Blades can be manually turned on or off later) + Type: String + AllowedValues: + - 'On' + - 'Off' + Default: 'On' + AdminAddressCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate with the Security Management Server + Type: String + AllowedPattern: "^(([0-9]{1,3}\\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2]))?$" + Default: 0.0.0.0/0 + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Security Management Server + Type: String + Default: 10.0.0.0/16 +Conditions: + DeployManagement: !Equals [!Ref ManagementDeploy, 'Yes'] +Resources: + VPCStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml + Parameters: + VPCCIDR: !Ref VpcCidr + AvailabilityZones: !Join + - ',' + - !Ref AvailabilityZones + NumberOfAZs: 2 + PublicSubnet1CIDR: !Ref PublicSubnetCidrA + PublicSubnet2CIDR: !Ref PublicSubnetCidrB + PrivateSubnet1CIDR: !Ref PrivateSubnetCidrA + PrivateSubnet2CIDR: !Ref PrivateSubnetCidrB + TransitStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.amazonaws.com/deprecated/cluster/checkpoint-transit.yaml + 
Parameters: + ManagementDeploy: !Ref ManagementDeploy + ManagementPermissions: !Ref ManagementPermissions + PredefinedRole: !Ref PredefinedRole + VPC: !GetAtt VPCStack.Outputs.VPCID + PublicSubnetA: !GetAtt VPCStack.Outputs.PublicSubnet1ID + PublicSubnetB: !GetAtt VPCStack.Outputs.PublicSubnet2ID + PrivateSubnetA: !GetAtt VPCStack.Outputs.PrivateSubnet1ID + PrivateSubnetB: !GetAtt VPCStack.Outputs.PrivateSubnet2ID + GatewaysInstanceType: !Ref GatewaysInstanceType + KeyPairName: !Ref KeyPairName + EnableInstanceConnect: !Ref EnableInstanceConnect + ASN: !Ref ASN + GatewaysLicense: !Ref GatewaysLicense + GatewaysSIC: !Ref GatewaysSIC + Tag: !Ref Tag + GatewaysPasswordHash: !Ref GatewaysPasswordHash + AllowUploadDownload: !Ref AllowUploadDownload + GatewaysAddresses: !Ref GatewaysAddresses + ManagementInstanceType: !Ref ManagementInstanceType + ManagementLicense: !Ref ManagementLicense + ManagementPasswordHash: !Ref ManagementPasswordHash + GatewaysBlades: !Ref GatewaysBlades + AdminAddressCIDR: !Ref AdminAddressCIDR + ManagementAction: !Ref ManagementAction +Outputs: + PublicAddressA: + Description: The public address of the 1st gateway + Value: !GetAtt TransitStack.Outputs.PublicAddressA + PublicAddressB: + Description: The public address of the 2nd gateway + Value: !GetAtt TransitStack.Outputs.PublicAddressB + ManagementPublicAddress: + Description: The public address of the management servers + Value: !GetAtt TransitStack.Outputs.ManagementPublicAddress + Condition: DeployManagement + SpokeTag: + Description: The tag to put on the spoke VPC + Value: !Sub 'Key: x-chkp-vpn | value: ${Tag}-management/${Tag}-community' + ManagementName: + Description: The name that represents the Security Management Server + Value: !Sub ${Tag}-management + ConfigurationTemplateName: + Description: The name that represents the configuration template. 
Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name + Value: !Sub ${Tag}-template + ControllerName: + Description: The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name + Value: !Sub ${Tag}-controller + CommunityName: + Description: The name of the VPN community created in the Security Management Server + Value: !Sub ${Tag}-community diff --git a/deprecated/aws/templates/transit-vpc-r8030/checkpoint-transit.yaml b/deprecated/aws/templates/transit-vpc-r8030/checkpoint-transit.yaml new file mode 100755 index 00000000..2a481149 --- /dev/null +++ b/deprecated/aws/templates/transit-vpc-r8030/checkpoint-transit.yaml 
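Review bot: `ManagementAction` defaults to `accept` even though its own description says to pick `accept` only if the Spoke VPCs are trusted, so the VPN policy installed by the management server permits all spoke-to-spoke traffic unless the deployer notices the parameter. A fail-closed default is `Default: 'drop'`; if the current behaviour must be kept, at least say so plainly, e.g. `Description: Default VPN rule between Spoke VPCs. 'accept' (the default) allows all traffic between spokes; select 'drop' unless every Spoke VPC is trusted`. `AdminAddressCIDR` likewise defaults to `0.0.0.0/0`, exposing the management server's web, SSH and SmartConsole access to the internet by default, and its pattern admits an empty value. `GatewaysAddresses` has no `AllowedPattern` at all (the sibling checkpoint-tgw-asg.yaml in this commit has one) and its fixed `10.0.0.0/16` default is not tied to `VpcCidr`, so changing the VPC CIDR while keeping the default silently allows the wrong network; add `AllowedPattern: ^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$` and state in the description that it must cover `VpcCidr`. Lastly, both nested stacks are fetched at deploy time from `https://cgi-cfts.s3.amazonaws.com/...` with no version or checksum pinning, so whoever can write to that bucket controls everything this stack creates, including the IAM role selected by `ManagementPermissions` - a sentence in the template `Description` would help operators decide whether to mirror the nested templates into a bucket they control.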
@@ -0,0 +1,361 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: Deploy Check Point Gateways for a transit VPC hub (20211212)
+Metadata:
+ AWS::CloudFormation::Interface:
+ ParameterGroups:
+ - Label:
+ default: General Settings
+ Parameters:
+ - VPC
+ - PublicSubnetA
+ - PublicSubnetB
+ - PrivateSubnetA
+ - PrivateSubnetB
+ - KeyPairName
+ - Tag
+ - AllowUploadDownload
+ - Label:
+ default: Check Point CloudGuard IaaS Transit Security Gateways Configuration
+ Parameters:
+ - GatewaysInstanceType
+ - ASN
+ - GatewaysLicense
+ - GatewaysPasswordHash
+ - GatewaysSIC
+ - Label:
+ default: Check Point CloudGuard IaaS Security Management Server Configuration
+ Parameters:
+ - ManagementDeploy
+ - ManagementAction
+ - ManagementInstanceType
+ - ManagementLicense
+ - EnableInstanceConnect
+ - ManagementPermissions
+ - PredefinedRole
+ - ManagementPasswordHash
+ - GatewaysBlades
+ - AdminAddressCIDR
+ - GatewaysAddresses
+ ParameterLabels:
+ PublicSubnetA:
+ default: Public subnet 1
+ PublicSubnetB:
+ default: Public subnet 2
+ PrivateSubnetA:
+ default: Private subnet 1
+ PrivateSubnetB:
+ default: Private subnet 2
+ KeyPairName:
+ default: Key name
+ Tag:
+ default: Transit tag
+ AllowUploadDownload:
+ default: Allow upload & download
+ EnableInstanceConnect:
+ default: Enable AWS Instance Connect
+ GatewaysInstanceType:
+ default: Instance type
+ ASN:
+ default: BGP ASN
+ GatewaysLicense:
+ default: Version & license
+ GatewaysPasswordHash:
+ default: Password hash
+ GatewaysSIC:
+ default: SIC key
+ ManagementDeploy:
+ default: Deploy Management Server
+ ManagementAction:
+ default: Default VPN access
+ ManagementInstanceType:
+ default: Instance type
+ ManagementLicense:
+ default: Version & license
+ ManagementPermissions:
+ default: IAM role
+ PredefinedRole:
+ default: Existing IAM role name
+ ManagementPasswordHash:
+ default: Password hash
+ GatewaysBlades:
+ default: Default Blades
+ AdminAddressCIDR:
+ default: Administrator addresses
+ GatewaysAddresses:
+ default: Gateways addresses
+Parameters:
+ VPC:
+ Type: AWS::EC2::VPC::Id
+ MinLength: 1
+ ConstraintDescription: you must select a VPC.
+ PublicSubnetA:
+ Description: Select a public subnet for the first Security Gateway. If you choose to deploy a Security Management Server it will be deployed in this subnet
+ Type: AWS::EC2::Subnet::Id
+ MinLength: 1
+ ConstraintDescription: you must select a public subnet for the first Security Gateway
+ PublicSubnetB:
+ Description: Select a public subnet for the second Security Gateway
+ Type: AWS::EC2::Subnet::Id
+ MinLength: 1
+ ConstraintDescription: you must select a public subnet for the second Security Gateway
+ PrivateSubnetA:
+ Description: Select a private subnet for the first Security Gateway
+ Type: AWS::EC2::Subnet::Id
+ MinLength: 1
+ ConstraintDescription: you must select a private subnet for the first Security Gateway
+ PrivateSubnetB:
+ Description: Select a private subnet for the second Security Gateway
+ Type: AWS::EC2::Subnet::Id
+ MinLength: 1
+ ConstraintDescription: you must select a private subnet for the second Security Gateway
+ KeyPairName:
+ Description: The EC2 Key Pair to allow SSH access to the instances created by this stack
+ Type: AWS::EC2::KeyPair::KeyName
+ MinLength: '1'
+ Tag:
+ Description: The tag is used by the Security Management Server to automatically provision the Security Gateways. Must be up to 12 alphanumeric characters and unique for each environment
+ Type: String
+ Default: Transit
+ AllowedPattern: "^[a-zA-Z0-9-]*$"
+ MinLength: 1
+ MaxLength: 12
+ ConstraintDescription: The tag must be up to 12 alphanumeric character
+ AllowUploadDownload:
+ Description: Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point
+ Type: String
+ Default: 'true'
+ AllowedValues:
+ - 'true'
+ - 'false'
+ GatewaysInstanceType:
+ Description: c4 and t2 instance types are supported only with version R80.10 and c5 are supported only with R80.20 and R80.30
+ Type: String
+ Default: c5.xlarge
+ AllowedValues:
+ - c4.large
+ - c4.xlarge
+ - c4.2xlarge
+ - c4.4xlarge
+ - c4.8xlarge
+ - c5.large
+ - c5.xlarge
+ - c5.2xlarge
+ - c5.4xlarge
+ - c5.9xlarge
+ - c5.18xlarge
+ - t2.xlarge
+ - t2.2xlarge
+ ConstraintDescription: must be a valid EC2 instance type.
+ ASN:
+ Description: The organization Autonomous System Number (ASN) that identifies the routing domain for the Security Gateways
+ Type: String
+ AllowedPattern: '[0-9]*'
+ Default: 65000
+ GatewaysLicense:
+ Description: The license to install on the Security Gateways
+ Type: String
+ Default: R80.30-PAYG-NGTP
+ AllowedValues:
+ - R80.10-BYOL
+ - R80.10-PAYG-NGTP
+ - R80.10-PAYG-NGTX
+ - R80.20-BYOL
+ - R80.20-PAYG-NGTP
+ - R80.20-PAYG-NGTX
+ - R80.30-BYOL
+ - R80.30-PAYG-NGTP
+ - R80.30-PAYG-NGTX
+ GatewaysPasswordHash:
+ Description: Admin user's password hash (use command "openssl passwd -1 PASSWORD" to get the PASSWORD's hash) (optional)
+ Default: ''
+ Type: String
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
+ EnableInstanceConnect:
+ Description: Ec2 Instance Connect is not supported with versions prior to R80.40
+ Type: String
+ Default: 'false'
+ AllowedValues:
+ - 'true'
+ - 'false'
+ GatewaysSIC:
+ Description: The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters
+ NoEcho: 'true'
+ MinLength: '8'
+ Type: String
+ AllowedPattern: '[a-zA-Z0-9]*'
+ ConstraintDescription: Secure Internal Communication activation key should contain only alpha numeric characters and be at least 8 characters long
+ ManagementDeploy:
+ Description: Select 'No' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section
+ Type: String
+ Default: 'Yes'
+ AllowedValues:
+ - 'Yes'
+ - 'No'
+ ManagementAction:
+ Description: If the Spoke VPCs are trusted, select 'accept' to allow all traffic between the Spoke VPCs
+ Type: String
+ Default: 'accept'
+ AllowedValues:
+ - 'drop'
+ - 'accept'
+ ManagementInstanceType:
+ Description: m4 and t2 instance types are supported only with version R80.10 and m5 are supported only with R80.20 and above
+ Type: String
+ Default: m5.xlarge
+ AllowedValues:
+ - m4.large
+ - m4.xlarge
+ - m4.2xlarge
+ - m4.4xlarge
+ - m4.10xlarge
+ - m4.16xlarge
+ - m5.large
+ - m5.xlarge
+ - m5.2xlarge
+ - m5.4xlarge
+ - m5.12xlarge
+ - m5.24xlarge
+ - t2.xlarge
+ - t2.2xlarge
+ ConstraintDescription: Must be a valid EC2 instance type
+ ManagementLicense:
+ Type: String
+ Default: R80.30-PAYG-MGMT
+ AllowedValues:
+ - R80.10-BYOL
+ - R80.10-PAYG-MGMT
+ - R80.20-BYOL
+ - R80.20-PAYG-MGMT
+ - R80.30-BYOL
+ - R80.30-PAYG-MGMT
+ - R80.40-BYOL
+ - R80.40-PAYG-MGMT
+ ManagementPermissions:
+ Type: String
+ Default: Create with read permissions
+ AllowedValues:
+ - None (configure later)
+ - Use existing (specify an existing IAM role name)
+ - Create with assume role permissions (specify an STS role ARN)
+ - Create with read permissions
+ - Create with read-write permissions
+ PredefinedRole:
+ Type: String
+ Default: ""
+ Description: A predefined IAM role to attach to the instance profile. Ignored if IAM role is not set to 'Use existing'
+ ManagementPasswordHash:
+ Description: Admin user's password hash (use command "openssl passwd -1 PASSWORD" to get the PASSWORD's hash) (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: "[\\$\\./a-zA-Z0-9]*"
+ NoEcho: true
+ GatewaysBlades:
+ Description: Turn on/off the Intrusion Prevention System, URL filtering, Application Control, Anti-Virus and Anti-Bot Blades (these and additional Blades can be manually turned on or off later)
+ Type: String
+ AllowedValues:
+ - 'On'
+ - 'Off'
+ Default: 'On'
+ AdminAddressCIDR:
+ Description: Allow web, SSH, and graphical clients only from this network to communicate with the Security Management Server
+ Type: String
+ AllowedPattern: "^(([0-9]{1,3}\\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2]))?$"
+ Default: 0.0.0.0/0
+ GatewaysAddresses:
+ Description: Allow gateways only from this network to communicate with the Security Management Server
+ Type: String
+ Default: 10.0.0.0/16
+Conditions:
+ DeployManagement: !Equals [!Ref ManagementDeploy, 'Yes']
+ EnableBlades: !Equals [!Ref GatewaysBlades, 'On']
+ UseCME: !Or [!Equals [!Select [0, !Split [-, !Ref ManagementLicense]], R80.30], !Equals [!Select [0, !Split [-, !Ref ManagementLicense]], R80.40]]
+Resources:
+ Transit:
+ Type: AWS::CloudFormation::Stack
+ Properties:
+ TemplateURL: https://cgi-cfts.s3.amazonaws.com/deprecated/cluster/transit.yaml
+ Parameters:
+ GatewayName: !Sub ${Tag}-transit-gateway
+ InstanceType: !Ref GatewaysInstanceType
+ KeyPairName: !Ref KeyPairName
+ VPC: !Ref VPC
+ PublicSubnetA: !Ref PublicSubnetA
+ PrivateSubnetA: !Ref PrivateSubnetA
+ PublicSubnetB: !Ref PublicSubnetB
+ PrivateSubnetB: !Ref PrivateSubnetB
+ License: !Ref GatewaysLicense
+ ASN: !Ref ASN
+ ControlGatewayOverPrivateOrPublicAddress: private
+ ManagementServer: !Sub ${Tag}-management
+ ConfigurationTemplate: !Sub ${Tag}-template
+ PasswordHash: !Ref GatewaysPasswordHash
+ SICKey: !Ref GatewaysSIC
+ AllowUploadDownload: !Ref AllowUploadDownload
+ ManagementStack:
+ Type: AWS::CloudFormation::Stack
+ Condition: DeployManagement
+ Properties:
+ TemplateURL: https://cgi-cfts.s3.amazonaws.com/deprecated/management/management.json
+ Parameters:
+ VPC: !Ref VPC
+ Subnet: !Ref PublicSubnetA
+ Version: !Ref ManagementLicense
+ InstanceType: !Ref ManagementInstanceType
+ Name: !Sub ${Tag}-Management
+ Permissions: !Ref ManagementPermissions
+ PredefinedRole: !Ref PredefinedRole
+ Hostname: !Sub ${Tag}-Management
+ KeyName: !Ref KeyPairName
+ PasswordHash: !Ref ManagementPasswordHash
+ AllowUploadDownload: !Ref AllowUploadDownload
+ EnableInstanceConnect: !Ref EnableInstanceConnect
+ BootstrapScript: !Join
+ - ','
+ - - "sed -i '/template_name/c\template_name: transit-management' /etc/cloud-version"
+ - !If
+ - UseCME
+ - !Sub '/opt/CPcme/menu/additions/config-community.sh ${Tag}-community'
+ - !Sub '/etc/fw/scripts/autoprovision/config-community.sh ${Tag}-community'
+ - !Sub 'mgmt_cli -r true add access-rule layer "Network" position 1 name "${Tag}-community VPN Traffic Rule" vpn.directional.1.from ${Tag}-community vpn.directional.1.to ${Tag}-community vpn.directional.2.from ${Tag}-community vpn.directional.2.to Internal_clear vpn.directional.3.from Internal_clear vpn.directional.3.to ${Tag}-community action ${ManagementAction}'
+ - !Sub
+ - 'autoprov_cfg -f init AWS -mn ${Tag}-management -tn ${Tag}-template -cn ${Tag}-controller -po Standard -otp ${GatewaysSIC} -r ${AWS::Region} -ver ${version} -iam'
+ - version: !Select
+ - 0
+ - !Split
+ - '-'
+ - !Ref GatewaysLicense
+ - !Sub 'autoprov_cfg -f set controller AWS -cn ${Tag}-controller -sg -sv -com ${Tag}-community'
+ - !Sub 'autoprov_cfg -f set template -tn ${Tag}-template -vpn -vd "" -con ${Tag}-community'
+ - !If
+ - EnableBlades
+ - !Sub autoprov-cfg -f set template -tn ${Tag}-template -ips -appi -av -ab
+ - !Ref AWS::NoValue
+ AdminSubnet: !Ref AdminAddressCIDR
+ GatewaysAddresses: !Ref GatewaysAddresses
+Outputs:
+ PublicAddressA:
+ Description: The public address of the 1st gateway
+ Value: !GetAtt Transit.Outputs.PublicAddressA
+ PublicAddressB:
+ Description: The public address of the 2nd gateway
+ Value: !GetAtt Transit.Outputs.PublicAddressB
+ ManagementPublicAddress:
+ Description: The public address of the management servers
+ Value: !GetAtt ManagementStack.Outputs.PublicAddress
+ Condition: DeployManagement
+ SpokeTag:
+ Description: The tag to put on the spoke VPC
+ Value: !Sub 'Key: x-chkp-vpn | value: ${Tag}-management/${Tag}-community'
+ ManagementName:
+ Description: The name that represents the Security Management Server
+ Value: !Sub ${Tag}-management
+ ConfigurationTemplateName:
+ Description: The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name
+ Value: !Sub ${Tag}-template
+ ControllerName:
+ Description: The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name
+ Value: !Sub ${Tag}-controller
+ CommunityName:
+ Description: The name of the VPN community created in the Security Management Server
+ Value: !Sub ${Tag}-community
diff --git a/deprecated/aws/templates/transit-vpc-r8030/transit-master.yaml b/deprecated/aws/templates/transit-vpc-r8030/transit-master.yaml
new file mode 100755
index 00000000..fa243895
--- /dev/null
+++ b/deprecated/aws/templates/transit-vpc-r8030/transit-master.yaml
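Review bot: `AdminAddressCIDR` defaults to `0.0.0.0/0`, so a stack created with defaults exposes the management server's web, SSH and GUI-client access to every source address, and its `AllowedPattern` ends in `)?$`, which also accepts an empty value that is then handed to the nested stack's `AdminSubnet` as-is. Dropping the `Default` so the operator must choose, and tightening the pattern to `AllowedPattern: "^([0-9]{1,3}\\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$"`, closes both gaps. Separately, `GatewaysSIC` is `NoEcho` here but is interpolated into the `BootstrapScript` string passed to `ManagementStack`; unless that nested parameter is itself `NoEcho` and the script never lands in user data or logs (neither is visible in this patch), the SIC one-time password may be readable from the nested stack's parameters. The blades step also invokes `autoprov-cfg` while the other three steps use `autoprov_cfg`; if the hyphenated name is not an alias on the target image, the `EnableBlades` branch fails silently inside the bootstrap.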
@@ -0,0 +1,241 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: Deploy Check Point Gateways for a transit VPC hub (20211212)
+Metadata:
+ AWS::CloudFormation::Interface:
+ ParameterGroups:
+ - Label:
+ default: Network Configuration
+ Parameters:
+ - VpcCidr
+ - AvailabilityZones
+ - PublicSubnetCidrA
+ - PublicSubnetCidrB
+ - PrivateSubnetCidrA
+ - PrivateSubnetCidrB
+ - Label:
+ default: EC2 Instances Configuration
+ Parameters:
+ - GatewayName
+ - InstanceType
+ - KeyPairName
+ - Label:
+ default: Check Point Settings
+ Parameters:
+ - ASN
+ - License
+ - SICKey
+ - Shell
+ - PasswordHash
+ - AllowUploadDownload
+ - Label:
+ default: Automatic Provisioning with Security Management Server Settings (optional)
+ Parameters:
+ - ControlGatewayOverPrivateOrPublicAddress
+ - ManagementServer
+ - ConfigurationTemplate
+ ParameterLabels:
+ AvailabilityZones:
+ default: Availability Zones
+ VpcCidr:
+ default: VPC CIDR
+ PublicSubnetCidrA:
+ default: Public subnet 1 CIDR
+ PublicSubnetCidrB:
+ default: Public subnet 2 CIDR
+ PrivateSubnetCidrA:
+ default: Private subnet 1 CIDR
+ PrivateSubnetCidrB:
+ default: Private subnet 2 CIDR
+ ASN:
+ default: BGP ASN
+ GatewayName:
+ default: Gateway Name
+ InstanceType:
+ default: Instance type
+ KeyPairName:
+ default: Key name
+ License:
+ default: Version & license
+ SICKey:
+ default: SIC key
+ Shell:
+ default: Admin shell
+ PasswordHash:
+ default: Password hash
+ AllowUploadDownload:
+ default: Allow upload & download
+ ControlGatewayOverPrivateOrPublicAddress:
+ default: Gateways addresses
+ ManagementServer:
+ default: Management Server
+ ConfigurationTemplate:
+ default: Configuration template
+Parameters:
+ VpcCidr:
+ Description: CIDR block for the VPC
+ Type: String
+ AllowedPattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$"
+ Default: '10.0.0.0/16'
+ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
+ AvailabilityZones:
+ Description: The Availability Zones (AZs) to use for the subnets in the VPC. Select two (the logical order is preserved)
+ Type: List
+ MinLength: 1
+ PublicSubnetCidrA:
+ Description: CIDR block for public subnet 1 located in the 1st Availability Zone
+ Type: String
+ AllowedPattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$"
+ Default: '10.0.0.0/24'
+ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
+ PublicSubnetCidrB:
+ Description: CIDR block for public subnet 2 located in the 2nd Availability Zone
+ Type: String
+ AllowedPattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$"
+ Default: '10.0.2.0/24'
+ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
+ PrivateSubnetCidrA:
+ Description: CIDR block for private subnet 1 located in the 1st Availability Zone
+ Type: String
+ AllowedPattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$"
+ Default: '10.0.1.0/24'
+ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
+ PrivateSubnetCidrB:
+ Description: CIDR block for private subnet 2 located in the 2nd Availability Zone
+ Type: String
+ AllowedPattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$"
+ Default: '10.0.3.0/24'
+ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
+ GatewayName:
+ Description: The value for the name tag of the gateway instance
+ Type: String
+ Default: transit-gateway
+ InstanceType:
+ Description: c4 and t2 instance types are supported only with version R80.10 and c5 are supported only with R80.20 and R80.30
+ Type: String
+ Default: c5.xlarge
+ AllowedValues:
+ - c4.large
+ - c4.xlarge
+ - c4.2xlarge
+ - c4.4xlarge
+ - c4.8xlarge
+ - c5.large
+ - c5.xlarge
+ - c5.2xlarge
+ - c5.4xlarge
+ - c5.9xlarge
+ - c5.18xlarge
+ - t2.xlarge
+ - t2.2xlarge
+ ConstraintDescription: must be a valid EC2 instance type.
+ KeyPairName:
+ Description: The EC2 Key Pair to allow SSH access to the Security Gateways
+ Type: AWS::EC2::KeyPair::KeyName
+ MinLength: '1'
+ ASN:
+ Description: The organization Autonomous System Number (ASN) that identifies the routing domain for the Security Gateways
+ Type: String
+ AllowedPattern: '[0-9]*'
+ Default: 65000
+ License:
+ Description: The license to install on the Security Gateways
+ Type: String
+ Default: R80.30-PAYG-NGTP
+ AllowedValues:
+ - R80.10-BYOL
+ - R80.10-PAYG-NGTP
+ - R80.10-PAYG-NGTX
+ - R80.20-BYOL
+ - R80.20-PAYG-NGTP
+ - R80.20-PAYG-NGTX
+ - R80.30-BYOL
+ - R80.30-PAYG-NGTP
+ - R80.30-PAYG-NGTX
+ SICKey:
+ Description: The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters
+ NoEcho: 'true'
+ MinLength: '8'
+ Type: String
+ AllowedPattern: '[a-zA-Z0-9]*'
+ ConstraintDescription: At least 8 alpha numeric characters
+ Shell:
+ Description: Change the admin shell to enable advanced command line configuration
+ Type: String
+ Default: /etc/cli.sh
+ AllowedValues:
+ - /etc/cli.sh
+ - /bin/bash
+ - /bin/csh
+ - /bin/tcsh
+ PasswordHash:
+ Description: Admin user's password hash (use command "openssl passwd -1 PASSWORD" to get the PASSWORD's hash) (optional)
+ Default: ''
+ Type: String
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
+ AllowUploadDownload:
+ Description: Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point
+ Type: String
+ Default: 'true'
+ AllowedValues:
+ - 'true'
+ - 'false'
+ ControlGatewayOverPrivateOrPublicAddress:
+ Description: Determines if the gateways are provisioned using their private or public address
+ Default: public
+ Type: String
+ AllowedValues:
+ - private
+ - public
+ ManagementServer:
+ Description: The name that represents the Security Management Server in the automatic provisioning configuration
+ Type: String
+ Default: ''
+ ConfigurationTemplate:
+ Description: A name of a gateway configuration template in the automatic provisioning configuration
+ Type: String
+ Default: ''
+Resources:
+ VPCStack:
+ Type: AWS::CloudFormation::Stack
+ Properties:
+ TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml
+ Parameters:
+ VPCCIDR: !Ref VpcCidr
+ AvailabilityZones: !Join
+ - ','
+ - !Ref AvailabilityZones
+ NumberOfAZs: 2
+ PublicSubnet1CIDR: !Ref PublicSubnetCidrA
+ PublicSubnet2CIDR: !Ref PublicSubnetCidrB
+ PrivateSubnet1CIDR: !Ref PrivateSubnetCidrA
+ PrivateSubnet2CIDR: !Ref PrivateSubnetCidrB
+ TransitStack:
+ Type: AWS::CloudFormation::Stack
+ Properties:
+ TemplateURL: https://cgi-cfts.s3.amazonaws.com/deprecated/cluster/transit.yaml
+ Parameters:
+ VPC: !GetAtt VPCStack.Outputs.VPCID
+ PublicSubnetA: !GetAtt VPCStack.Outputs.PublicSubnet1ID
+ PublicSubnetB: !GetAtt VPCStack.Outputs.PublicSubnet2ID
+ PrivateSubnetA: !GetAtt VPCStack.Outputs.PrivateSubnet1ID
+ PrivateSubnetB: !GetAtt VPCStack.Outputs.PrivateSubnet2ID
+ GatewayName: !Ref GatewayName
+ InstanceType: !Ref InstanceType
+ KeyPairName: !Ref KeyPairName
+ ASN: !Ref ASN
+ License: !Ref License
+ SICKey: !Ref SICKey
+ Shell: !Ref Shell
+ PasswordHash: !Ref PasswordHash
+ AllowUploadDownload: !Ref AllowUploadDownload
+ ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress
+ ManagementServer: !Ref ManagementServer
+ ConfigurationTemplate: !Ref ConfigurationTemplate
+Outputs:
+ PublicAddressA:
+ Description: The public address of the 1st gateway
+ Value: !GetAtt TransitStack.Outputs.PublicAddressA
+ PublicAddressB:
+ Description: The public address of the 2nd gateway
+ Value: !GetAtt TransitStack.Outputs.PublicAddressB
diff --git a/deprecated/aws/templates/transit-vpc-r8030/transit.yaml b/deprecated/aws/templates/transit-vpc-r8030/transit.yaml
new file mode 100755
index 00000000..ef775adf
--- /dev/null
+++ b/deprecated/aws/templates/transit-vpc-r8030/transit.yaml
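Review bot: `AvailabilityZones` is declared with `Type: List`, which is not a CloudFormation parameter type (`CommaDelimitedList` or `List<AWS::EC2::AvailabilityZone::Name>` are), and `MinLength` is only honoured on `String` parameters; if this is not an extraction artifact of the angle-bracketed form, validation rejects the template before any resource is created. `Type: List<AWS::EC2::AvailabilityZone::Name>` with the `MinLength` line removed keeps the `!Join [',', !Ref AvailabilityZones]` handed to `VPCStack` working and gives the console a zone picker. The description says "Select two" while `NumberOfAZs: 2` is hard-coded for the nested stack, so what happens when more zones are selected depends on `vpc.yaml`, which this patch does not show.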
@@ -0,0 +1,230 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: Deploy Check Point Gateways for a transit VPC hub (20211212)
+Metadata:
+ AWS::CloudFormation::Interface:
+ ParameterGroups:
+ - Label:
+ default: Network Configuration
+ Parameters:
+ - VPC
+ - PublicSubnetA
+ - PublicSubnetB
+ - PrivateSubnetA
+ - PrivateSubnetB
+ - Label:
+ default: EC2 Instances Configuration
+ Parameters:
+ - GatewayName
+ - InstanceType
+ - KeyPairName
+ - Label:
+ default: Check Point Settings
+ Parameters:
+ - ASN
+ - License
+ - SICKey
+ - Shell
+ - PasswordHash
+ - AllowUploadDownload
+ - Label:
+ default: Automatic Provisioning with Security Management Server Settings (optional)
+ Parameters:
+ - ControlGatewayOverPrivateOrPublicAddress
+ - ManagementServer
+ - ConfigurationTemplate
+ ParameterLabels:
+ PublicSubnetA:
+ default: Public subnet 1
+ PublicSubnetB:
+ default: Public subnet 2
+ PrivateSubnetA:
+ default: Private subnet 1
+ PrivateSubnetB:
+ default: Private subnet 2
+ ASN:
+ default: BGP ASN
+ GatewayName:
+ default: Gateway Name
+ InstanceType:
+ default: Instance type
+ KeyPairName:
+ default: Key name
+ License:
+ default: Version & license
+ SICKey:
+ default: SIC key
+ Shell:
+ default: Admin shell
+ PasswordHash:
+ default: Password hash
+ AllowUploadDownload:
+ default: Allow upload & download
+ ControlGatewayOverPrivateOrPublicAddress:
+ default: Gateways addresses
+ ManagementServer:
+ default: Management Server
+ ConfigurationTemplate:
+ default: Configuration template
+Parameters:
+ VPC:
+ Type: AWS::EC2::VPC::Id
+ MinLength: 1
+ ConstraintDescription: you must select a VPC.
+ PublicSubnetA:
+ Description: Select a public subnet for the first Security Gateway
+ Type: AWS::EC2::Subnet::Id
+ MinLength: 1
+ ConstraintDescription: you must select a public subnet for the first Security Gateway
+ PublicSubnetB:
+ Description: Select a public subnet for the second Security Gateway
+ Type: AWS::EC2::Subnet::Id
+ MinLength: 1
+ ConstraintDescription: you must select a public subnet for the second Security Gateway
+ PrivateSubnetA:
+ Description: Select a private subnet for the first Security Gateway
+ Type: AWS::EC2::Subnet::Id
+ MinLength: 1
+ ConstraintDescription: you must select a private subnet for the first Security Gateway
+ PrivateSubnetB:
+ Description: Select a private subnet for the second Security Gateway
+ Type: AWS::EC2::Subnet::Id
+ MinLength: 1
+ ConstraintDescription: you must select a private subnet for the second Security Gateway
+ GatewayName:
+ Description: The value for the name tag of the gateway instance
+ Type: String
+ Default: transit-gateway
+ InstanceType:
+ Description: c4 and t2 instance types are supported only with version R80.10 and c5 are supported only with R80.20 and R80.30
+ Type: String
+ Default: c5.xlarge
+ AllowedValues:
+ - c4.large
+ - c4.xlarge
+ - c4.2xlarge
+ - c4.4xlarge
+ - c4.8xlarge
+ - c5.large
+ - c5.xlarge
+ - c5.2xlarge
+ - c5.4xlarge
+ - c5.9xlarge
+ - c5.18xlarge
+ - t2.xlarge
+ - t2.2xlarge
+ ConstraintDescription: must be a valid EC2 instance type.
+ KeyPairName:
+ Description: The EC2 Key Pair to allow SSH access to the Security Gateways
+ Type: AWS::EC2::KeyPair::KeyName
+ MinLength: '1'
+ ASN:
+ Description: The organization Autonomous System Number (ASN) that identifies the routing domain for the Security Gateways
+ Type: String
+ AllowedPattern: '[0-9]*'
+ Default: 65000
+ License:
+ Description: The license to install on the Security Gateways
+ Type: String
+ Default: R80.30-PAYG-NGTP
+ AllowedValues:
+ - R80.10-BYOL
+ - R80.10-PAYG-NGTP
+ - R80.10-PAYG-NGTX
+ - R80.20-BYOL
+ - R80.20-PAYG-NGTP
+ - R80.20-PAYG-NGTX
+ - R80.30-BYOL
+ - R80.30-PAYG-NGTP
+ - R80.30-PAYG-NGTX
+ SICKey:
+ Description: The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters
+ NoEcho: 'true'
+ MinLength: '8'
+ Type: String
+ AllowedPattern: '[a-zA-Z0-9]*'
+ ConstraintDescription: At least 8 alpha numeric characters
+ Shell:
+ Description: Change the admin shell to enable advanced command line configuration
+ Type: String
+ Default: /etc/cli.sh
+ AllowedValues:
+ - /etc/cli.sh
+ - /bin/bash
+ - /bin/csh
+ - /bin/tcsh
+ PasswordHash:
+ Description: Admin user's password hash (use command "openssl passwd -1 PASSWORD" to get the PASSWORD's hash) (optional)
+ Default: ''
+ Type: String
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
+ AllowUploadDownload:
+ Description: Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point
+ Type: String
+ Default: 'true'
+ AllowedValues:
+ - 'true'
+ - 'false'
+ ControlGatewayOverPrivateOrPublicAddress:
+ Description: Determines if the gateways are provisioned using their private or public address
+ Default: public
+ Type: String
+ AllowedValues:
+ - private
+ - public
+ ManagementServer:
+ Description: The name that represents the Security Management Server in the automatic provisioning configuration
+ Type: String
+ Default: ''
+ ConfigurationTemplate:
+ Description: A name of a gateway configuration template in the automatic provisioning configuration
+ Type: String
+ Default: ''
+Resources:
+ GatewayA:
+ Type: AWS::CloudFormation::Stack
+ Properties:
+ TemplateURL: https://cgi-cfts.s3.amazonaws.com/deprecated/cluster/transit-gateway.yaml
+ Parameters:
+ GatewayName: !Ref GatewayName
+ InstanceType: !Ref InstanceType
+ KeyPairName: !Ref KeyPairName
+ VPC: !Ref VPC
+ PublicSubnetId: !Ref PublicSubnetA
+ PrivateSubnetId: !Ref PrivateSubnetA
+ License: !Ref License
+ ASN: !Ref ASN
+ ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress
+ ManagementServer: !Ref ManagementServer
+ ConfigurationTemplate: !Ref ConfigurationTemplate
+ PasswordHash: !Ref PasswordHash
+ Shell: !Ref Shell
+ SICKey: !Ref SICKey
+ AllowUploadDownload: !Ref AllowUploadDownload
+ GatewayB:
+ Type: AWS::CloudFormation::Stack
+ Properties:
+ TemplateURL: https://cgi-cfts.s3.amazonaws.com/deprecated/cluster/transit-gateway.yaml
+ Parameters:
+ GatewayName: !Ref GatewayName
+ InstanceType: !Ref InstanceType
+ KeyPairName: !Ref KeyPairName
+ VPC: !Ref VPC
+ PublicSubnetId: !Ref PublicSubnetB
+ PrivateSubnetId: !Ref PrivateSubnetB
+ License: !Ref License
+ ASN: !Ref ASN
+ ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress
+ ManagementServer: !Ref ManagementServer
+ ConfigurationTemplate: !Ref ConfigurationTemplate
+ PasswordHash: !Ref PasswordHash
+ Shell: !Ref Shell
+ SICKey: !Ref SICKey
+ AllowUploadDownload: !Ref AllowUploadDownload
+Outputs:
+ PublicAddressA:
+ Description: The public address of the 1st gateway
+ Value: !GetAtt GatewayA.Outputs.PublicAddress
+ PublicAddressB:
+ Description: The public address of the 2nd gateway
+ Value: !GetAtt GatewayB.Outputs.PublicAddress
diff --git a/deprecated/azure/misc/azure_ha_test_python2.py b/deprecated/azure/misc/azure_ha_test_python2.py
new file mode 100644
index 00000000..86d9bef5
--- /dev/null
+++ b/deprecated/azure/misc/azure_ha_test_python2.py
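Review bot: `ControlGatewayOverPrivateOrPublicAddress` defaults to `public`, so a direct deployment of this template has the management server provision the gateways over their public addresses, whereas `checkpoint-transit.yaml` in this same patch explicitly passes `private` when it nests this stack. Changing the default to `Default: private` makes the standalone and nested behaviour agree and keeps provisioning traffic on private addresses unless an operator opts out. Also, `GatewayA` and `GatewayB` both receive the unmodified `GatewayName`, so the two instances carry identical Name tags; suffixing them, e.g. `GatewayName: !Sub '${GatewayName}-a'` and `-b`, makes them distinguishable in the console and in logs. Whether the nested `transit-gateway.yaml` uses the name for anything beyond the tag is not visible here.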
@@ -0,0 +1,414 @@
+#!/usr/bin/env python
+import contextlib
+import json
+import os
+import re
+import socket
+import subprocess
+import sys
+import traceback
+import urlparse
+import collections
+import rest
+
+ARM_VERSIONS = {
+ 'stack': collections.OrderedDict([
+ ('resources', '?api-version=2017-10-01'),
+ ]),
+ 'ha': collections.OrderedDict([
+ ('resources', '?api-version=2018-01-01'),
+ ])}
+
+os.environ['AZURE_NO_DOT'] = 'true'
+
+azure = None
+templateName = None
+
+conf = {}
+
+
+def set_arm_versions():
+ global ARM_VERSIONS
+ log('Setting api versions for "%s" solution\n' % templateName)
+ if templateName == 'stack-ha':
+ ARM_VERSIONS = ARM_VERSIONS['stack']
+ log('Stack ARM versions are: %s\n' % json.dumps(ARM_VERSIONS,
+ indent=2))
+ return
+ ARM_VERSIONS = ARM_VERSIONS['ha']
+ log('ARM versions are: %s\n' % json.dumps(ARM_VERSIONS, indent=2))
+
+
+def is_azure():
+ return os.path.isfile('/etc/in-azure')
+
+
+def log(msg):
+ sys.stderr.write(msg)
+
+
+def test_rw(rid, allow_not_found=False):
+ components = rid.split('/')
+ log('Id : %s\n' % rid)
+ log('Subscription : %s\n' % components[2])
+ log('Resource group: %s\n' % components[4])
+ log('Type : %s/%s\n' % (components[6], components[7]))
+ log('Name : %s\n' % components[8])
+ try:
+ obj = azure.arm('GET', rid + ARM_VERSIONS['resources'])[1]
+ except rest.RequestException as e:
+ if allow_not_found and e.code == 404:
+ return None
+ log('Attempting to read - [%s]\n' % e.reason)
+ raise
+ log('Attempting to read - [OK]\n')
+
+ log('Attempting to write ')
+ try:
+ azure.arm('PUT', rid, json.dumps(obj))
+ except rest.RequestException as e:
+ log('- [%s]\n' % e.reason)
+ raise
+ log('- [OK]\n')
+ return obj
+
+
+def get_vm_primary_nic(vm):
+ nis = vm['properties']['networkProfile']['networkInterfaces']
+ if len(nis) == 1:
+ ni = nis[0]
+ else:
+ for ni in nis:
+ if ni['properties'].get('primary'):
+ break
+ return azure.arm('GET', ni['id'])[1]
+
+
+def test_cluster_ip():
+ cluster_ip_id = (conf['baseId'] +
+ 'Microsoft.Network/publicIPAddresses/' +
+ conf['clusterName'])
+
+ test_rw(cluster_ip_id, allow_not_found=True)
+
+
+ def test_load_balancer():
+ load_balancer_nm = conf.get('lbName', '')
+ if not load_balancer_nm:
+ log('An external load balancer name is not configured.\n')
+ return None
+
+ load_balancer_id = (conf['baseId'] +
+ 'Microsoft.Network/loadBalancers/' +
+ load_balancer_nm)
+ test_rw(load_balancer_id, allow_not_found=True)
+
+
+def vnet_rg():
+ local_vm = azure.arm('GET', conf['baseId'] +
+ 'microsoft.compute/virtualmachines/' +
+ conf['hostname'])[1]
+ my_nic = get_vm_primary_nic(local_vm)
+ subnet_id = my_nic['properties']['ipConfigurations'][0][
+ 'properties']['subnet']['id']
+ return '/'.join(subnet_id.split('/')[:5])
+
+
+def get_route_table_ids_for_vnet(vnet):
+ route_table_ids = set()
+ for subnet in vnet['properties'].get('subnets', []):
+ if subnet['properties'].get('routeTable'):
+ route_table_ids.add(subnet['properties']['routeTable']['id'])
+ return route_table_ids
+
+
+def get_vnet_id():
+ vnet_id = conf.get('vnetId')
+ if vnet_id:
+ return vnet_id
+ me = azure.arm('GET', conf['baseId'] +
+ 'microsoft.compute/virtualmachines/' + conf['hostname'])[1]
+ my_nic = get_vm_primary_nic(me)
+ subnet_id = my_nic['properties']['ipConfigurations'][0][
+ 'properties']['subnet']['id']
+ vnet_id = '/'.join(subnet_id.split('/')[:-2])
+ conf['vnetId'] = vnet_id
+ return vnet_id
+
+
+def get_route_table_ids_for_peering(vnet):
+ route_table_ids = set()
+
+ for peering in vnet['properties'].get('virtualNetworkPeerings', []):
+ vnet_id = peering['properties']['remoteVirtualNetwork']['id']
+ state = peering['properties']['peeringState']
+ if state != 'Connected':
+ log('peered vnet %s in state %s ignored' % (vnet_id, state))
+ continue
+ try:
+ vnet = azure.arm('GET', vnet_id)[1]
+ except:
+ log('\nFailed to retrieve peered network %s' % vnet_id)
+ log('\n%s' % traceback.format_exc())
+ continue
+ route_table_ids |= get_route_table_ids_for_vnet(vnet)
+
+ return route_table_ids
+
+
+def get_route_table_ids():
+ route_table_ids = set()
+
+ vnet_id = get_vnet_id()
+ vnet = azure.arm('GET', vnet_id)[1]
+
+ route_table_ids |= get_route_table_ids_for_vnet(vnet)
+ route_table_ids |= get_route_table_ids_for_peering(vnet)
+
+ return route_table_ids
+
+
+def interfaces_test_rw(interface_id):
+ interface = test_rw(interface_id['id'])
+ if not interface['properties'].get('enableIPForwarding'):
+ raise Exception(
+ 'IP forwarding is not enabled on Interface %s' %
+ interface['name'])
+
+
+def test_cluster_parameters():
+ path = "/var/opt/fw.boot/modules/fwkern.conf"
+ text1 = "fwha_dead_timeout_multiplier=200"
+ text2 = "fwha_if_problem_tolerance=200"
+ flags = dict.fromkeys(["fwkern_timeout_multiplier",
+ "fwkern_problem_tolerance",
+ "output_timeout_multiplier",
+ "output_problem_tolerance"],
+ False)
+ error = 'ClusterXL kernel parameters are not optimized for Azure. ' \
+ 'See sk122218 for more information.'
+
+ with open(path) as f:
+ for line in f:
+ if text1 in line:
+ flags['fwkern_timeout_multiplier'] = True
+ if text2 in line:
+ flags['fwkern_problem_tolerance'] = True
+
+ command = ['fw', 'ctl', 'get', 'int', 'fwha_dead_timeout_multiplier']
+ proc = subprocess.Popen(
+ command, stdout=subprocess.PIPE,
+ stderr=subprocess.PIPE)
+ out, err = proc.communicate()
+
+ if out.strip() == 'fwha_dead_timeout_multiplier = 200':
+ flags['output_timeout_multiplier'] = True
+
+ command = ['fw', 'ctl', 'get', 'int', 'fwha_if_problem_tolerance']
+ proc = subprocess.Popen(
+ command, stdout=subprocess.PIPE,
+ stderr=subprocess.PIPE)
+ out, err = proc.communicate()
+
+ if out.strip() == 'fwha_if_problem_tolerance = 200':
+ flags['output_problem_tolerance'] = True
+
+ if not all(value is True for value in flags.values()):
+ raise Exception(error)
+
+
+def test():
+ global conf
+
+ if not is_azure():
+ raise Exception('This does not look like an Azure environment\n')
+
+ with open('/etc/in-azure', 'r') as content_file:
+ content = content_file.read()
+
+ image_version = content.split('.')[:2][0]
+ log('Image version is: %s\n' % image_version)
+
+ take_number = int(image_version.split('-')[1])
+ branch = image_version.split('-')[0]
+
+ if branch == "gey_hvm":
+ raise Exception('The version of this GAIA is not supported\n')
+
+ log('Reading configuration file...\n')
+ if take_number <= 13 and branch == "ogu":
+ confpath = os.environ['FWDIR'] + '/conf/azure-ha.json'
+ try:
+ with open(confpath) as f:
+ conf = json.load(f)
+ except:
+ raise Exception(
+ 'Failed to read configuration file: %s\n' % confpath)
+
+ else:
+ command = [os.environ['FWDIR'] + '/bin/azure-ha-conf', '--dump']
+ proc = subprocess.Popen(
+ command, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
+ stderr=subprocess.PIPE)
+ out, err = proc.communicate()
+ rc = proc.wait()
+ if rc:
+ log('\nfailed to run %s: %s\n%s' % (command, rc, err))
+ raise Exception('Failed to load configuration file\n')
+ conf = json.loads(out)
+
+ for k in ['clusterName', 'resourceGroup', 'subscriptionId']:
+ if not conf.get(k):
+ raise Exception(
+ 'The attribute %s is missing in the configuration' % k)
+
+ proxy = conf.get('proxy', '')
+ os.environ['https_proxy'] = proxy
+ os.environ['http_proxy'] = proxy
+
+ credentials = conf.get('credentials')
+ if credentials:
+ pass
+ elif conf.get('password') and conf.get('userName'):
+ credentials = {
+ 'username': conf['userName'],
+ 'password': conf['password']}
+ else:
+ raise Exception('Missing credentials')
+
+ environment = conf.get('environment')
+
+ global azure, templateName
+ azure = rest.Azure(credentials=credentials,
+ subscription=conf['subscriptionId'],
+ max_time=20,
+ environment=environment)
+
+ templateName = conf.get('templateName', '').lower()
+ set_arm_versions()
+
+ conf['hostname'] = conf.get('hostname', socket.gethostname())
+ cluster_name = conf['clusterName'].lower()
+ if conf['hostname'] not in {cluster_name + '1', cluster_name + '2'}:
+ raise Exception('The hostname %s should be either \'%s\' or \'%s\'' % (
+ conf['hostname'], cluster_name + '1', cluster_name + '2'))
+
+ if 'peername' not in conf:
+ if conf['hostname'].endswith('1'):
+ conf['peername'] = conf['hostname'][:-1] + '2'
+ else:
+ conf['peername'] = conf['hostname'][:-1] + '1'
+
+ conf['rg_id'] = ('/subscriptions/' + conf['subscriptionId'] +
+ '/resourcegroups/' + conf['resourceGroup'])
+
+ conf['baseId'] = conf['rg_id'] + '/providers/'
+
+ log('Testing if DNS is configured...\n')
+ try:
+ dns = subprocess.check_output(
+ ['/bin/clish', '-c', 'show dns primary']).strip()
+ except:
+ traceback.print_exc()
+ raise
+ match = re.search(r'(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', dns)
+ if not match:
+ raise Exception('Primary DNS server is not configured\n')
+ log(' - Primary DNS server is: %s\n' % match.group(1))
+
+ log('Testing if DNS is working...\n')
+ if proxy:
+ host = urlparse.urlparse(proxy).hostname
+ if host is None:
+ raise Exception('Failed to get hostname from proxy: %s\n' % proxy)
+
+ port = urlparse.urlparse(proxy).port
+ if not port:
+ if urlparse.urlparse(proxy).scheme == 'https':
+ port = 443
+ else:
+ port = 80
+ else:
+ host = azure.environment.login
+ port = 443
+ try:
+ socket.gethostbyname(host)
+ log(' - DNS resolving test was successful\n')
+ except:
+ raise Exception('Failed to resolve %s\n' % host)
+
+ log('Testing connectivity to %s:%d...\n' % (host, port))
+ with contextlib.closing(
+ socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
+ s.settimeout(3)
+ if s.connect_ex((host, port)):
+ raise Exception('Unable to connect to %s:%d\n' % (host, port))
+
+ log('Testing ClusterXL parameters...\n')
+ test_cluster_parameters()
+
+ log('Testing cluster interface configuration...\n')
+ try:
+ cphaconf = json.loads(
+ subprocess.check_output(['cphaconf', 'aws_mode']))
+ except:
+ raise Exception('''You do not seem to have a valid cluster
+configuration
+''')
+
+ log('Testing credentials...\n')
+ with azure.get_token() as token:
+ token # Do nothing and keep pyflakes happy
+
+ if 'username' in credentials:
+ log('Testing whether the user credentials can expire...\n')
+ password_policies = azure.graph('GET', '/me')[1]['passwordPolicies']
+ if 'DisablePasswordExpiration' not in password_policies:
+ raise Exception('The credentials might expire')
+
+ log('Getting information about the environment...\n')
+ for vmname in [conf['hostname'], conf['peername']]:
+ log('Getting information about the VM %s...\n' % vmname)
+ vm = azure.arm('GET', conf['baseId'] +
+ 'microsoft.compute/virtualmachines/' + vmname)[1]
+ if templateName != 'stack-ha':
+ for interface_id in vm['properties'][
+ 'networkProfile']['networkInterfaces']:
+ if templateName == 'ha':
+ rid = interface_id['id']
+ interface_name = rid.split('/')[8]
+ if interface_name.find('eth0') != -1:
+ interfaces_test_rw(interface_id)
+ else:
+ interfaces_test_rw(interface_id)
+
+ if templateName != 'ha':
+ log('Testing authorization on routing tables...\n')
+ for route_table in get_route_table_ids():
+ test_rw(route_table)
+ if templateName != 'stack-ha':
+ log('Testing Azure load balancer...\n')
+ test_load_balancer()
+
+ if templateName != 'stack-ha':
+ log('Testing cluster public IP address...\n')
+ test_cluster_ip()
+
+ log('Verifying Azure interface configuration...\n')
+ for interface in cphaconf['ifs']:
+ log('- Interface %s: local IP address = %s, peer IP address = %s\n' % (
+ interface['name'], interface['ipaddr'],
+ interface['other_member_if_ip']))
+
+ log('\nAll tests were successful!\n')
+
+
+def main():
+ try:
+ test()
+ except:
+ log('Error:\n' + str(sys.exc_info()[1]) + '\n')
+ sys.exit(1)
+
+if __name__ == '__main__':
+ main()
diff --git a/deprecated/azure/templates/R7730/cluster-r7730/README.MD b/deprecated/azure/templates/R7730/cluster-r7730/README.MD
new file mode 100644
index 00000000..645bfdc2
--- /dev/null
+++ b/deprecated/azure/templates/R7730/cluster-r7730/README.MD
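Review bot: `test_rw` issues its write with a bare resource id, `azure.arm('PUT', rid, json.dumps(obj))`, while the GET two statements earlier appends `ARM_VERSIONS['resources']`; unless rest.Azure supplies a default api-version (not visible here) the write-back is inconsistent with the read and should be `azure.arm('PUT', rid + ARM_VERSIONS['resources'], json.dumps(obj))`. That PUT also rewrites live resources (public IP, load balancer, NICs, route tables) with the body just read, so `test_rw` deserves a docstring stating that the authorization check is a real write-back of the resource's current state rather than a dry run, which lets an operator judge when it is safe to run against production. The bare `except:` in `get_route_table_ids_for_peering`, in the config-file branch of `test()`, around `socket.gethostbyname`, around `cphaconf`, and in `main()` should be `except Exception:` so that KeyboardInterrupt and SystemExit are not swallowed; `main()` additionally reports only `sys.exc_info()[1]`, which hides the traceback an operator needs to see which check failed. In `get_vm_primary_nic` the multi-NIC loop falls through holding the last NIC when none is flagged primary, and with an empty list `ni` is unbound; adding `else: raise Exception('No primary network interface found')` to the `for` loop makes that condition explicit instead of testing the wrong interface.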
@@ -0,0 +1,13 @@
+# How to deploy this template
+To deploy this ARM template, follow these instructions:
+1. Log in to the [Microsoft Azure Portal](https://portal.azure.com)
+2. Click "*Create a resource*"
+3. Search for "*Template deployment (deploy using custom templates)*" and click "*Create*"
+4. Click "*Build your own template in the editor*"
+5. Load the "*mainTemplate.json*" file from this directory and click "*Save*"
+6. Enter the desired template parameters
+ - Replace the "*Base Url*" property with:
+ ```
+ https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/deprecated/azure/templates/cluster-r7730
+ ```
+7. Click *Purchase* to deploy the solution
diff --git a/deprecated/azure/templates/R7730/cluster-r7730/createUiDefinition.json b/deprecated/azure/templates/R7730/cluster-r7730/createUiDefinition.json
new file mode 100644
index 00000000..f02935d6
--- /dev/null
+++ b/deprecated/azure/templates/R7730/cluster-r7730/createUiDefinition.json
@@ -0,0 +1,348 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Compute.MultiVm", + "version": "0.1.2-preview", + "parameters": { + "basics": [ + { + "name": "clusterNameUi", + "type": "Microsoft.Common.TextBox", + "label": "Cluster Name", + "toolTip": "The name of the cluster.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{1,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + } + }, + { + "name": "auth", + "type": "Microsoft.Compute.CredentialsCombo", + "label": { + "authenticationType": "Authentication type", + "password": "Password", + "confirmPassword": "Confirm password", + "sshPublicKey": "SSH public key" + }, + "toolTip": { + "authenticationType": "", + "password": "The user 'admin' password", + "sshPublicKey": "Paste an OpenSSH public key. You can generate a key pair using ssh-keygen (Linux, OS X, Cygwin) or PuttyGen (Windows)" + }, + "constraints": { + "required": true + }, + "options": { + "hideConfirmation": false, + "hidePassword": false + }, + "osPlatform": "Linux" + } + ], + "steps": [ + { + "name": "chkp", + "label": "Check Point Cluster settings", + "subLabel": { + "preValidation": "Configure Cluster settings", + "postValidation": "Done" + }, + "bladeTitle": "Cluster settings", + "elements": [ + { + "name": "cloudGuardVersion", + "type": "Microsoft.Common.DropDown", + "label": "Check Point CloudGuard version", + "defaultValue": "R77.30", + "toolTip": "The version of Check Point CloudGuard.", + "constraints": { + "allowedValues": [ + { + "label": "R77.30", + "value": "R77.30" + } + ] + } + }, + { + "name": "R7730Offer", + "type": "Microsoft.Common.DropDown", + "label": "License type", + "toolTip": "The type of license.", + "defaultValue": "Bring Your Own License", + "visible": "[equals(steps('chkp').cloudGuardVersion, 'R77.30')]", + "constraints": { + "allowedValues": [ + { + 
"label": "Bring Your Own License", + "value": "Bring Your Own License" + }, + { + "label": "Pay As You Go (NGTP)", + "value": "Pay As You Go (NGTP)" + } + ] + } + }, + { + "name": "R7730vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R77.30'), contains(steps('chkp').R7730Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2" + ], + "constraints": { + "excludedSizes": [ + "Standard_A1_v2", + "Standard_D1_v2", + "Standard_DS1_v2", + "Standard_F1", + "Standard_F1s", + "Standard_G1", + "Standard_GS1" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-r77-10", + "sku": "sg-byol" + }, + "count": 2 + }, + { + "name": "R7730vmSizeUiNGTP", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R77.30'), contains(steps('chkp').R7730Offer, '(NGTP)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2" + ], + "constraints": { + "excludedSizes": [ + "Standard_A1_v2", + "Standard_D1_v2", + "Standard_DS1_v2", + "Standard_F1", + "Standard_F1s", + "Standard_G1", + "Standard_GS1" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-r77-10", + "sku": "sg-ngtp" + }, + "count": 2 + }, + { + "name": "sicKeyUi", + "type": "Microsoft.Common.PasswordBox", + "label": { + "password": "SIC key", + "confirmPassword": "Confirm SIC key" + }, + "toolTip": "Set the Secure Internal Communication one time secret used to set up trust between the cluster and the management server.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{8,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the value must be 8-30 characters long." 
+ }, + "options": { + "hideConfirmation": true + }, + "visible": "true" + }, + { + "name": "bootstrapScript", + "type": "Microsoft.Common.FileUpload", + "label": "Bootstrap script", + "toolTip": "An optional script to run on the initial boot", + "constraints": { + "required": false, + "accept": ".sh,text/plain" + }, + "options": { + "multiple": false, + "uploadMode": "file", + "openMode": "text", + "encoding": "UTF-8" + } + }, + { + "name": "allowUploadDownload", + "type": "Microsoft.Common.OptionsGroup", + "label": "Allow download from/upload to Check Point", + "defaultValue": "Yes", + "toolTip": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "true" + }, + { + "label": "No", + "value": "false" + } + ] + } + }, + { + "name": "additionalDiskSizeGB", + "type": "Microsoft.Common.TextBox", + "label": "Additional disk space (GB)", + "defaultValue": "0", + "toolTip": "Additional disk space (in GB), Initial disk size is 100 GB.", + "constraints": { + "regex": "^([0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-2][0-9][0-9][0-9]|3[0-8][0-9][0-9]|399[0-5])$", + "validationMessage": "Select a number between 0 and 3995" + } + }, + { + "name": "VMDiskType", + "type": "Microsoft.Common.OptionsGroup", + "label": "VM disk type", + "toolTip": "Type of CloudGuard disk.", + "visible": "[or(contains(steps('chkp').R7730vmSizeUiBYOL, 'DS'), contains(steps('chkp').R7730vmSizeUiNGTP, 'DS'))]", + "defaultValue": "Standard", + "constraints": { + "allowedValues": [ + { + "label": "Standard", + "value": "Standard_LRS" + }, + { + "label": "Premium", + "value": "Premium_LRS" + } + ] + } + }, + { + "name": "useCustomImageUri", + "type": "Microsoft.Common.OptionsGroup", + "label": "Use development image uri", + "defaultValue": "No", + "toolTip": "", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + 
"value": "No" + } + ], + "required": true + }, + "visible": false + }, + { + "name": "sourceImageVhdUri", + "type": "Microsoft.Common.TextBox", + "label": "Development Image URI", + "toolTip": "The URI of the blob containing the development image", + "constraints": { + "required": "[equals(steps('chkp').useCustomImageUri, 'Yes')]", + "regex": "^[a-z0-9A-Z_\\-\\.\\:\\/]{1,500}.vhd$", + "validationMessage": "Only alphanumeric characters and '_','-','.',':','/' are allowed, the value must be 1-500 characters long and must end with .vhd. " + }, + "visible": "[equals(steps('chkp').useCustomImageUri, 'Yes')]" + } + ] + }, + { + "name": "network", + "label": "Network settings", + "subLabel": { + "preValidation": "Configure network settings", + "postValidation": "Done" + }, + "bladeTitle": "Network settings", + "elements": [ + { + "name": "virtualNetwork", + "type": "Microsoft.Network.VirtualNetworkCombo", + "label": { + "virtualNetwork": "Virtual network", + "subnets": "Subnets" + }, + "toolTip": { + "virtualNetwork": "Virtual Network Name", + "subnets": "List of subnets to deploy into" + }, + "defaultValue": { + "name": "vnet01", + "addressPrefixSize": "/16" + }, + "constraints": { + "minAddressPrefixSize": "/28" + }, + "options": { + "hideExisting": false + }, + "subnets": { + "subnet1": { + "label": "Frontend subnet", + "defaultValue": { + "name": "Frontend", + "addressPrefixSize": "/24" + }, + "constraints": { + "minAddressPrefixSize": "/29", + "minAddressCount": 2, + "requireContiguousAddresses": true + } + }, + "subnet2": { + "label": "Backend subnet", + "defaultValue": { + "name": "Backend", + "addressPrefixSize": "/24" + }, + "constraints": { + "minAddressPrefixSize": "/29", + "minAddressCount": 2, + "requireContiguousAddresses": true + } + } + } + } + ] + } + ], + "outputs": { + "location": "[location()]", + "cloudGuardVersion": "[concat(steps('chkp').cloudGuardVersion, ' - ', coalesce(steps('chkp').R7730Offer, 'Bring Your Own License'))]", + "adminPassword": 
"[basics('auth').password]", + "authenticationType": "[basics('auth').authenticationType]", + "sshPublicKey": "[basics('auth').sshPublicKey]", + "vmName": "[basics('clusterNameUi')]", + "vmSize": "[coalesce(steps('chkp').R7730vmSizeUiBYOL, steps('chkp').R7730vmSizeUiNGTP)]", + "sicKey": "[steps('chkp').sicKeyUi]", + "virtualNetworkName": "[steps('network').virtualNetwork.name]", + "virtualNetworkAddressPrefix": "[steps('network').virtualNetwork.addressPrefix]", + "Subnet1Name": "[steps('network').virtualNetwork.subnets.subnet1.name]", + "Subnet1Prefix": "[steps('network').virtualNetwork.subnets.subnet1.addressPrefix]", + "Subnet1StartAddress": "[steps('network').virtualNetwork.subnets.subnet1.startAddress]", + "Subnet2Name": "[steps('network').virtualNetwork.subnets.subnet2.name]", + "Subnet2Prefix": "[steps('network').virtualNetwork.subnets.subnet2.addressPrefix]", + "Subnet2StartAddress": "[steps('network').virtualNetwork.subnets.subnet2.startAddress]", + "vnetNewOrExisting": "[steps('network').virtualNetwork.newOrExisting]", + "virtualNetworkExistingRGName": "[steps('network').virtualNetwork.resourceGroup]", + "bootstrapScript": "[steps('chkp').bootstrapScript]", + "allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp').allowUploadDownload, 'true')]", + "additionalDiskSizeGB": "[int(steps('chkp').additionalDiskSizeGB)]", + "diskType": "[coalesce(steps('chkp').VMDiskType, 'Standard_LRS')]", + "sourceImageVhdUri": "[coalesce(steps('chkp').sourceImageVhdUri, 'noCustomUri')]" + } + } +} diff --git a/deprecated/azure/templates/R7730/cluster-r7730/mainTemplate.json b/deprecated/azure/templates/R7730/cluster-r7730/mainTemplate.json new file mode 100644 index 00000000..c8370390 --- /dev/null +++ b/deprecated/azure/templates/R7730/cluster-r7730/mainTemplate.json 
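Review bot: The `sicKeyUi` element sets `"visible": "true"` as a string, whereas `useCustomImageUri` in the same file uses the boolean `"visible": false`; the string form is inconsistent and should be `"visible": true`. The `auth` CredentialsCombo declares only `"required": true`, so the `adminPassword` handed to mainTemplate is constrained only by the portal's built-in rules; if the gateway expects a minimum length or character mix, a `customPasswordRegex` plus `customValidationMessage` under `constraints` would enforce it at the UI, and the `toolTip` for `password` could state the requirement. The `sourceImageVhdUri` output defaults to the sentinel `'noCustomUri'` while the element that gates it is hidden with `"visible": false`; a one-line comment in the README, or a `toolTip` on `useCustomImageUri`, explaining that the development-image path is intentionally disabled would stop a reader from treating the dead element as a bug.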
@@ -0,0 +1,684 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string", + "metadata": { + "description": "Deployment location" + } + }, + "cloudGuardVersion": { + "type": "string", + "allowedValues": [ + "R77.30 - Bring Your Own License", + "R77.30 - Pay As You Go (NGTP)" + ], + "defaultValue": "R77.30 - Bring Your Own License", + "metadata": { + "description": "Version of Check Point CloudGuard" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Administrator password" + }, + "defaultValue": "" + }, + "authenticationType": { + "type": "string", + "allowedValues": [ + "password", + "sshPublicKey" + ], + "defaultValue": "password", + "metadata": { + "description": "Authentication type" + } + }, + "sshPublicKey": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Administrator SSH public key" + } + }, + "vmName": { + "type": "string", + "metadata": { + "description": "Name of the Check Point Cluster" + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_D3_v2", + "metadata": { + "description": "Size of the VM" + } + }, + "sicKey": { + "type": "securestring", + "metadata": { + "description": "One time key for Secure Internal Communication" + } + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "vnet" + }, + "virtualNetworkAddressPrefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the virtual network" + }, + "defaultValue": "10.0.0.0/16" + }, + "Subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the 1st subnet" + }, + "defaultValue": "Frontend" + }, + "Subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 1st subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + 
"Subnet1StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the 1st subnet" + }, + "defaultValue": "10.0.1.10" + }, + "Subnet2Name": { + "type": "string", + "metadata": { + "description": "The name of the 2nd subnet" + }, + "defaultValue": "Backend" + }, + "Subnet2Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 2nd subnet" + }, + "defaultValue": "10.0.2.0/24" + }, + "Subnet2StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the 2nd subnet" + }, + "defaultValue": "10.0.2.10" + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "new", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "" + }, + "bootstrapScript": { + "type": "string", + "metadata": { + "description": "Bootstrap script" + }, + "defaultValue": "" + }, + "allowDownloadFromUploadToCheckPoint": { + "type": "string", + "allowedValues": [ + "true", + "false" + ], + "defaultValue": "true", + "metadata": { + "description": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + } + }, + "additionalDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "metadata": { + "description": "Amount of additional disk space (in GB)" + }, + "minValue": 0, + "maxValue": 3995 + }, + "diskType": { + "type": "string", + "defaultValue": "Standard_LRS", + "metadata": { + "description": "The type of the OS disk. 
Premium is applicable only to DS machine sizes" + }, + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ] + }, + "preview": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Deploy the staged image" + }, + "allowedValues": [ + "", + "-preview" + ] + }, + "role": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Role" + } + }, + "sourceImageVhdUri": { + "type": "string", + "defaultValue": "noCustomUri", + "metadata": { + "description": "The URI of the blob containing the development image" + } + }, + "baseUrl": { + "type": "string", + "metadata": { + "artifactsBaseUrl": "" + }, + "defaultValue": "https://s3-us-west-2.amazonaws.com/azure.templates/marketplace-cluster" + } + }, + "variables": { + "templateName": "cluster", + "templateVersion": "", + "location": "[parameters('location')]", + "offers": { + "R77.30 - Bring Your Own License": "BYOL", + "R77.30 - Pay As You Go (NGTP)": "NGTP" + }, + "offer": "[variables('offers')[parameters('cloudGuardVersion')]]", + "osVersions": { + "R77.30 - Bring Your Own License": "R7730", + "R77.30 - Pay As You Go (NGTP)": "R7730" + }, + "isBlink": "[equals(variables('osVersion'), 'R8010')]", + "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", + "computeApiVersion": "2017-03-30", + "storageApiVersion": "2016-01-01", + "networkApiVersion": "2016-06-01", + "authorizationApiVersion": "2017-05-01", + "deploymentsApiVersion": "2016-02-01", + "storageAccountName": "[concat('bootdiag', uniqueString(resourceGroup().id, deployment().name))]", + "storageAccountType": "Standard_LRS", + "diskSizeGBR7730": 50, + "diskSizeGB": "[add(parameters('additionalDiskSizeGB'), variables(concat('diskSizeGB', variables('osVersion'))))]", + "customData": "[concat('#!/bin/bash\\n', '\\n', 'LOG_FILE=/var/log/custom-data.log\\n', 'exec >>$LOG_FILE 2>&1\\n', '\\n', '# description: echo instance metadata\\n', '# args :\\n', '# optional: string contatining api version date.\\n', 
'# default is to \\\"2017-08-01\\\".\\n', '# usage :\\n', '# getInstanceMetadata \\\"2017-12-01\\\"\\n', 'function getInstanceMetadata {\\n', ' # get instance metadata using Azure Instance Metadata service:\\n', ' if test -z \\\"$#\\\" ; then\\n', ' api_version=\\\"$1\\\"\\n', ' else\\n', ' api_version=\\\"2017-08-01\\\"\\n', ' fi\\n', ' metadata=\\\"$(get-cloud-data.sh \\\"metadata/instance/?api-version=$api_version\\\" | jq \\\".\\\")\\\"\\n', '\\n', '\\n', ' echo \\\"$metadata\\\"\\n', ' log-data \\\"Instance metadata retrieved using api version: $api_version\\\" >&2\\n', '}\\n', '\\n', '# description: echo $@ to std output wrapped with date and additional data\\n', '# args :\\n', '# add \\\"-w\\\" before the content to log warning message.\\n', '# add \\\"-e\\\" before the content to log error message.\\n', '# default is to log info message.\\n', '# usage :\\n', '# log-data \\\"-w\\\" \\\"my message\\\"\\n', 'function log-data {\\n', ' test -z \\\"$1\\\" && echo \\\"$(date +\\\"%F %T\\\") CUSTOM-DATA [INFO]\\\" || {\\n', ' if [[ \\\"$1\\\" == \\\"-w\\\" ]] ; then\\n', ' prefix=\\\"[WARNING] \\\"\\n', ' shift\\n', ' elif [[ \\\"$1\\\" == \\\"-e\\\" ]] ; then\\n', ' prefix=\\\"[ERROR] \\\"\\n', ' shift\\n', ' else\\n', ' prefix=\\\"[INFO] \\\"\\n', ' fi\\n', ' for i in \\\"$@\\\"; do\\n', ' echo -e \\\"$(date +\\\"%F %T\\\") CUSTOM-DATA $prefix$i\\\"\\n', ' shift\\n', ' done\\n', ' }\\n', '}\\n', '\\n', '# description: wrapper to command to enable retries\\n', '# args :\\n', '# To specify return codes:\\n', '# \\\"-rc\\\" followed by string of numbers seperated by a space: \\\"int1 int2\\\".\\n', '# default is \\\"0\\\".\\n', '# To specify maximum duration for retries:\\n', '# \\\"-md\\\" followed by a number: 5.\\n', '# default is 8.\\n', '# To specift sleep time between retries:\\n', '# \\\"-st\\\" followed by a number: 1.\\n', '# default is 2.\\n', '# usage :\\n', '# runcmd -rc \\\"19 0 3\\\" \\\"-md\\\" 6 \\\"-st\\\" 1 my-command\\n', 'function runcmd {\\n', 
' expected_returnval=()\\n', ' if [ \\\"$1\\\" == \\\"-rc\\\" ] ; then\\n', ' shift\\n', ' for val in $1\\n', ' do\\n', ' expected_returnval[\\\"$val\\\"]=\\\"1\\\"\\n', ' done\\n', ' shift\\n', ' else\\n', ' expected_returnval[\\\"0\\\"]=\\\"1\\\"\\n', ' fi\\n', ' if [ \\\"$1\\\" == \\\"-md\\\" ] ; then\\n', ' shift\\n', ' MAX_DURATION=$1\\n', ' shift\\n', ' else\\n', ' MAX_DURATION=8\\n', ' fi\\n', ' if [ \\\"$1\\\" == \\\"-st\\\" ] ; then\\n', ' shift\\n', ' SLEEP_TIME=$1\\n', ' shift\\n', ' else\\n', ' SLEEP_TIME=2\\n', ' fi\\n', ' cmd=\\\"$@\\\"\\n', ' log-data \\\"Executing $cmd\\\" \\\" Allowed return values : $(echo ${!expected_returnval[@]})\\\" \\\" Maximum retries duration : $MAX_DURATION\\\" \\\" Sleep time between retries: $SLEEP_TIME\\\" >&2\\n', '\\n', '\\n', '\\n', ' SECONDS=0\\n', ' while [ \\\"$SECONDS\\\" -lt \\\"$MAX_DURATION\\\" ] ; do\\n', ' returnmsg=\\\"$(\\\"$@\\\" 2>&1)\\\"\\n', ' returnval=\\\"$?\\\"\\n', ' if [[ ${expected_returnval[$returnval]} ]] ; then\\n', ' log-data \\\"Success executing: $cmd\\n', '\\\\\\\\tReturn Value : $(echo $returnval)\\n', '\\\\\\\\tReturn message: $(echo $returnmsg)\\\" >&2\\n', ' return 0\\n', ' fi\\n', ' log-data \\\"-w\\\" \\\"Retrying to execute command: $cmd\\n', '\\\\\\\\tReturn Value : $(echo $returnval)\\n', '\\\\\\\\tReturn message: $(echo $returnmsg)\\\" >&2\\n', ' sleep \\\"$SLEEP_TIME\\\"\\n', ' done\\n', ' log-data \\\"-e\\\" \\\"Failed to execute command: $cmd\\n', '\\\\\\\\tReturn Value : $(echo $returnval) (expected: $expected_returnval)\\n', '\\\\\\\\tReturn message: $(echo $returnmsg)\\n', '\\\\\\\\tTotal run time: $SECONDS [seconds]\\\" >&2\\n', ' return 1\\n', '}\\n', '\\n', 'log-data \\\"Start of custom-data.sh\\\"\\n', 'log-data \\\"Time Zone: $(date +\\\"%Z %:z\\\")\\\"\\n', 'log-data \\\"Instance metadata at beginning: \\\\\\\\n$(getInstanceMetadata)\\\"\\n', 'log-data \\\"Contents of $FWDIR/boot/modules/fwkern.conf at beginning: \\\\\\\\n$(cat 
\\\"$FWDIR/boot/modules/fwkern.conf\\\")\\\"\\n', '\\n', 'installationType=\\\"', variables('installationType'), '\\\"', '\\n', 'allowUploadDownload=\\\"', variables('allowUploadDownload'), '\\\"', '\\n', 'osVersion=\\\"', variables('osVersion'), '\\\"', '\\n', 'templateName=\\\"', variables('templateName'), '\\\"', '\\n', 'isBlink=\\\"', variables('isBlink'), '\\\"', '\\n', 'templateVersion=\\\"', variables('templateVersion'), '\\\"', '\\n', '\\n', 'if [ -z \\\"${isBlink}\\\" ]; then\\n', ' isBlink=\\\"False\\\"\\n', 'fi\\n', '\\n', 'log-data \\\"isBlink val: $isBlink\\\"\\n', '\\n', 'log-data \\\"templateName: $templateName\\\" \\\"templateVersion: $templateVersion\\\" \\\"installationType: $installationType\\\" \\\"osVersion: $osVersion\\\"\\n', '\\n', '\\n', '\\n', '\\n', 'echo \\\"template_name: $templateName\\\" >> /etc/cloud-version\\n', 'echo \\\"template_version: $templateVersion\\\" >> /etc/cloud-version\\n', '\\n', 'log-data \\\"Executing bootstrap script:\\\"\\n', 'bootstrap=\\\"$(dirname \\\"$0\\\")/bootstrap\\\"\\n', 'cat <<<\\\"', variables('bootstrapScript64'), '\\\" | tr -d \\\"\\\\n\\\" | base64 -d >\\\"$bootstrap\\\"', '\\n', 'dos2unix \\\"$bootstrap\\\"\\n', 'chmod +x \\\"$bootstrap\\\"\\n', 'cp \\\"$bootstrap\\\" \\\"/var/log/custom-data-bootstrap\\\"\\n', '\\\"$bootstrap\\\"\\n', '\\n', 'function has_iam {\\n', ' local url\\n', ' local out\\n', ' url=\\\"http://169.254.169.254/metadata/identity/oauth2/token\\\"\\n', ' url=\\\"$url?api-version=2018-02-01&resource=https://no-such-domain/\\\"\\n', ' for i in 1 2 3 ; do\\n', ' out=\\\"$(curl_cli --header metadata:true --url \\\"$url\\\" --max-time 10)\\\"\\n', ' if test \\\"$(echo \\\"$out\\\" | jq -r .error)\\\" = \\\"invalid_resource\\\" ; then\\n', ' echo true\\n', ' return\\n', ' fi\\n', ' if test \\\"$(echo \\\"$out\\\" | jq -r .error_description)\\\" = \\\"Identity not found\\\" ; then\\n', '\\n', ' break\\n', ' fi\\n', ' done\\n', ' echo false\\n', '}\\n', '\\n', '# description: create file 
$FWDIR/conf/azure-ha.json\\n', '# args : no args\\n', '# usage : cluster\\n', 'function cluster {\\n', ' log-data \\\"Cluster - Executing cluster function\\\"\\n', ' subscriptionId=\\\"', subscription().subscriptionId, '\\\"', '\\n', ' tenantId=\\\"', subscription().tenantId, '\\\"', '\\n', ' resourceGroup=\\\"', resourceGroup().name, '\\\"', '\\n', ' virtualNetwork=\\\"', parameters('virtualNetworkName'), '\\\"', '\\n', ' clusterName=\\\"', parameters('vmName'), '\\\"', '\\n', ' lbName=\\\"frontend-lb\\\"\\n', ' location=\\\"', variables('location'), '\\\"', '\\n', ' has_iam=false\\n', '\\n', ' case \\\"$location\\\" in\\n', ' us*)\\n', ' environment=\\\"AzureUSGovernment\\\"\\n', ' ;;\\n', ' china*)\\n', ' environment=\\\"AzureChinaCloud\\\"\\n', ' ;;\\n', ' germany*)\\n', ' environment=\\\"AzureGermanCloud\\\"\\n', ' ;;\\n', ' *)\\n', ' environment=\\\"AzureCloud\\\"\\n', ' has_iam=\\\"$(has_iam)\\\"\\n', ' ;;\\n', ' esac\\n', '\\n', ' cat <\\\"$FWDIR/conf/azure-ha.json\\\"\\n', '{\\n', ' \\\"subscriptionId\\\": \\\"$subscriptionId\\\",\\n', ' \\\"location\\\": \\\"$location\\\",\\n', ' \\\"environment\\\": \\\"$environment\\\",\\n', ' \\\"resourceGroup\\\": \\\"$resourceGroup\\\",\\n', 'EOF\\n', ' if $has_iam ; then\\n', ' cat <>\\\"$FWDIR/conf/azure-ha.json\\\"\\n', ' \\\"credentials\\\": \\\"IAM\\\",\\n', ' \\\"tenant\\\": \\\"$tenantId\\\",\\n', 'EOF\\n', ' else\\n', ' cat <>\\\"$FWDIR/conf/azure-ha.json\\\"\\n', ' \\\"credentials\\\": {\\n', ' \\\"tenant\\\": \\\"$tenantId\\\",\\n', ' \\\"grant_type\\\": \\\"client_credentials\\\",\\n', ' \\\"client_id\\\": \\\"\\\",\\n', ' \\\"client_secret\\\": \\\"\\\"\\n', ' },\\n', 'EOF\\n', ' fi\\n', ' cat <>\\\"$FWDIR/conf/azure-ha.json\\\"\\n', ' \\\"proxy\\\": \\\"\\\",\\n', ' \\\"virtualNetwork\\\": \\\"$virtualNetwork\\\",\\n', ' \\\"clusterName\\\": \\\"$clusterName\\\",\\n', ' \\\"templateName\\\": \\\"$templateName\\\",\\n', 'EOF\\n', '\\n', ' cat <>\\\"$FWDIR/conf/azure-ha.json\\\"\\n', ' 
\\\"clusterNetworkInterfaces\\\": {\\n', ' \\\"eth0\\\": [\\\"', variables('externalPrivateAddresses')[2], '\\\", \\\"$clusterName\\\"]', '\\n', ' },\\n', 'EOF\\n', '\\n', '\\n', '\\n', '\\n', '\\n', '\\n', '\\n', ' cat <>\\\"$FWDIR/conf/azure-ha.json\\\"\\n', ' \\\"lbName\\\": \\\"$lbName\\\",\\n', 'EOF\\n', '\\n', '\\n', ' cat <>\\\"$FWDIR/conf/azure-ha.json\\\"\\n', ' \\\"debug\\\": false\\n', '}\\n', 'EOF\\n', '\\n', ' log-data \\\"Cluster - Write cluster values to $FWDIR/conf/azure-ha.json\\\"\\n', ' log-data \\\"File content: \\\\\\\\n$(cat \\\"$FWDIR/conf/azure-ha.json\\\")\\\"\\n', '}\\n', '\\n', '# description:\\n', '# check if an alias exists on VM, in case there is no alias,\\n', '# try to retrieve it from instance metadata & add it\\n', '# args : no args.\\n', '# usage : pub_addr=\\\"$(checkPublicAddress)\\\"\\n', 'function checkPublicAddress {\\n', ' log-data \\\"Executing checkPublicAddress function\\\" >&2\\n', ' ipaddr=\\\"$(ip addr show dev eth0)\\\"\\n', ' pub_addr=\\\"$(echo \\\"$ipaddr\\\" | sed -n -e \\\"s|^ *inet \\\\\\\\([^/]*\\\\\\\\)/.* eth0:1\\\\$|\\\\\\\\1|p\\\")\\\"\\n', '\\n', ' log-data \\\"At start - \\\" \\\"ip addr show dev eth0: \\\\\\\\n$ipaddr\\\" \\\"pub_addr: $pub_addr\\\" >&2\\n', ' if test -z \\\"$pub_addr\\\" ; then\\n', ' log-data \\\"Trying to set alias for public ip address\\\" >&2\\n', ' pub_addr=\\\"$(get-cloud-data.sh \\\"metadata/instance/network/interface?api-version=2017-04-02\\\" | jq -r \\\".[].ipv4.ipAddress[].publicIpAddress\\\" | grep --max-count 1 .)\\\"\\n', '\\n', '\\n', '\\n', ' log-data \\\"Public Address from instance metadata: $pub_addr\\\" >&2\\n', ' test -z \\\"$pub_addr\\\" || {\\n', ' runcmd -rc \\\"1 0\\\" clish -c \\\"lock database override\\\" >&2\\n', ' runcmd clish -s -c \\\"add interface eth0 alias $pub_addr/32\\\" >&2\\n', ' if [ \\\"$?\\\" -eq \\\"0\\\" ] ; then\\n', ' log-data \\\"Setting alias for eth0 completed successfuly\\\" >&2\\n', ' else\\n', ' log-data \\\"Failed to set alias for 
eth0\\\" >&2\\n', ' fi\\n', ' }\\n', ' fi\\n', ' log-data \\\"Interfaces at end: \\\\\\\\n$(ifconfig)\\\" >&2\\n', ' test -z \\\"$pub_addr\\\" || echo \\\"$pub_addr\\\"\\n', '}\\n', '\\n', 'case \\\"$installationType\\\" in\\n', 'gateway)\\n', ' installSecurityGateway=true\\n', ' gateway_cluster_member=false\\n', ' installSecurityManagement=false\\n', ' sicKey=\\\"', variables('sicKey'), '\\\"', '\\n', ' ;;\\n', 'cluster)\\n', ' installSecurityGateway=true\\n', ' gateway_cluster_member=true\\n', ' installSecurityManagement=false\\n', ' sicKey=\\\"', variables('sicKey'), '\\\"', '\\n', ' cluster\\n', ' ;;\\n', 'vmss)\\n', ' installSecurityGateway=true\\n', ' gateway_cluster_member=false\\n', ' installSecurityManagement=false\\n', ' sicKey=\\\"', variables('sicKey'), '\\\"', '\\n', ' ;;\\n', 'management)\\n', ' installSecurityGateway=false\\n', ' installSecurityManagement=true\\n', ' sicKey=notused\\n', ' ;;\\n', 'custom)\\n', ' pub_addr=\\\"$(checkPublicAddress)\\\"\\n', ' log-data \\\"Instance metadata at end: \\\\\\\\n$(getInstanceMetadata)\\\"\\n', ' exit 0\\n', ' ;;\\n', 'standalone | *)\\n', ' installSecurityGateway=true\\n', ' installSecurityManagement=true\\n', ' gateway_cluster_member=false\\n', ' sicKey=notused\\n', ' ;;\\n', 'esac\\n', '\\n', 'log-data \\\"installSecurityGateway: $installSecurityGateway\\\" \\\"gateway_cluster_member: $gateway_cluster_member\\\" \\\"installSecurityManagement: $installSecurityManagement\\\"\\n', '\\n', '\\n', '\\n', 'if [ \\\"$isBlink\\\" == \\\"True\\\" ]; then\\n', ' if \\\"$installSecurityManagement\\\"; then\\n', ' conf=\\\"mgmt_admin_radio=gaia_admin\\\"\\n', ' else\\n', ' conf=\\\"gateway_cluster_member=$gateway_cluster_member\\\"\\n', ' fi\\n', ' conf=\\\"${conf}&download_info=$allowUploadDownload\\\"\\n', ' conf=\\\"${conf}&upload_info=$allowUploadDownload\\\"\\n', ' log-data \\\"conf: $conf\\\"\\n', '\\n', ' conf=\\\"${conf}&ftw_sic_key=$sicKey\\\"\\n', '\\n', ' log-data \\\"Running blink config\\\"\\n', ' 
blink_config -s \\\"$conf\\\"\\n', 'else\\n', ' conf=\\\"install_security_gw=$installSecurityGateway\\\"\\n', ' if \\\"$installSecurityGateway\\\"; then\\n', ' conf=\\\"${conf}&install_ppak=true\\\"\\n', ' conf=\\\"${conf}&gateway_cluster_member=$gateway_cluster_member\\\"\\n', ' fi\\n', ' conf=\\\"${conf}&install_security_managment=$installSecurityManagement\\\"\\n', ' if \\\"$installSecurityManagement\\\"; then\\n', ' if [ \\\"R7730\\\" == \\\"$osVersion\\\" ]; then\\n', ' managementAdminPassword=\\\"$(dd if=/dev/urandom count=1 2>/dev/null | sha1sum | cut -c -28)\\\"\\n', ' conf=\\\"${conf}&mgmt_admin_name=admin\\\"\\n', ' conf=\\\"${conf}&mgmt_admin_passwd=${managementAdminPassword}\\\"\\n', ' else\\n', ' conf=\\\"${conf}&mgmt_admin_radio=gaia_admin\\\"\\n', ' fi\\n', '\\n', ' managementGUIClientNetwork=\\\"', variables('managementGUIClientNetwork'), '\\\"', '\\n', ' conf=\\\"${conf}&install_mgmt_primary=true\\\"\\n', '\\n', ' if [ \\\"0.0.0.0/0\\\" = \\\"$managementGUIClientNetwork\\\" ]; then\\n', ' conf=\\\"${conf}&mgmt_gui_clients_radio=any\\\"\\n', ' else\\n', ' conf=\\\"${conf}&mgmt_gui_clients_radio=network\\\"\\n', ' ManagementGUIClientBase=\\\"$(echo \\\"$managementGUIClientNetwork\\\" | cut -d / -f 1)\\\"\\n', ' ManagementGUIClientMaskLength=\\\"$(echo \\\"$managementGUIClientNetwork\\\" | cut -d / -f 2)\\\"\\n', ' conf=\\\"${conf}&mgmt_gui_clients_ip_field=$ManagementGUIClientBase\\\"\\n', ' conf=\\\"${conf}&mgmt_gui_clients_subnet_field=$ManagementGUIClientMaskLength\\\"\\n', ' fi\\n', ' fi\\n', '\\n', ' conf=\\\"${conf}&download_info=$allowUploadDownload\\\"\\n', ' conf=\\\"${conf}&upload_info=$allowUploadDownload\\\"\\n', ' log-data \\\"conf: $conf\\\"\\n', ' # add sicKey value after loging the rest of conf parameters in order not to save the SIC key.\\n', ' conf=\\\"${conf}&ftw_sic_key=$sicKey\\\"\\n', '\\n', ' #since DA process is running parallel to FTW and may cause to problems like SIM (TaskId=72815)\\n', ' #the DA is being stoped before FTW 
is running, and restart again after FTW is finished.\\n', ' log-data \\\"Stop DA process: $(/opt/CPda/bin/dastop)\\\"\\n', '\\n', ' log-data \\\"Running first time wizard\\\"\\n', ' config_system -s \\\"$conf\\\"\\n', '\\n', ' log-data \\\"Start DA process: $(/opt/CPda/bin/dastart)\\\"\\n', 'fi\\n', '\\n', 'pub_addr=\\\"$(checkPublicAddress)\\\"\\n', 'log-data \\\"VM public address is: $pub_addr\\\"\\n', '\\n', '# set the main IP of the management object in SmartConsole to be the public IP:\\n', 'if [ \\\"$installationType\\\" = \\\"management\\\" ] && [ \\\"R7730\\\" != \\\"$osVersion\\\" ]; then\\n', ' until mgmt_cli -r true discard ; do\\n', ' sleep 30\\n', ' done\\n', ' addr=\\\"$(ip addr show dev eth0 | sed -n -e \\\"s|^ *inet \\\\\\\\([^/]*\\\\\\\\)/.* eth0\\\\$|\\\\\\\\1|p\\\")\\\"\\n', '\\n', ' uid=\\\"$(mgmt_cli -r true show-generic-objects class-name com.checkpoint.objects.classes.dummy.CpmiHostCkp details-level full -f json | jq -r \\\".objects[] | select(.ipaddr == \\\\\\\"$addr\\\\\\\") | .uid\\\")\\\"\\n', '\\n', '\\n', '\\n', ' test -z \\\"$uid\\\" || test -z \\\"$pub_addr\\\" || mgmt_cli -r true set-generic-object uid \\\"$uid\\\" ipaddr \\\"$pub_addr\\\"\\n', '\\n', ' log-data \\\"Management - Set management object in SmartConsole IP address to $pub_addr\\\"\\n', 'fi\\n', 'if \\\"$installSecurityManagement\\\" && [ \\\"R7730\\\" != \\\"$osVersion\\\" ]; then\\n', ' chkconfig --add autoprovision\\n', ' log-data \\\"Add autoprovision service to chkconfig\\\"\\n', 'fi\\n', '\\n', 'if [ \\\"$installationType\\\" = \\\"vmss\\\" ] || [ \\\"$installationType\\\" = \\\"cluster\\\" ]; then\\n', ' # add dynamic objects to represent the GWs external NICs in management:\\n', ' dynamic_object_names=\\\"$(dynamic_objects -l | awk \\\"/object/{print \\\\$4}\\\")\\\"\\n', ' log-data \\\"dynamic object names before are: $dynamic_object_names\\\"\\n', ' ExtAddr=\\\"$(ip addr show dev eth0 | awk \\\"/inet/{print \\\\$2; exit}\\\" | cut -d / -f 1)\\\"\\n', ' runcmd 
-rc \\\"19 0 3\\\" dynamic_objects -n LocalGatewayExternal -r \\\"$ExtAddr\\\" \\\"$ExtAddr\\\" -a\\n', ' if [ \\\"$?\\\" -eq \\\"0\\\" ] ; then\\n', ' log-data \\\"Created dynamic object for eth0\\\"\\n', ' else\\n', ' log-data \\\"Failed to create dynamic object for eth0\\\"\\n', ' fi\\n', ' log-data \\\"Set dynamic objects: (Ext: $ExtAddr) \\\\\\\\n$(dynamic_objects -l)\\\"\\n', '\\n', ' # Disable anti-spoofing feature in SecureXL for unknown connections.\\n', ' # To prevent anti-spoofing on eth1 to drop the health probe queries.\\n', ' if [ \\\"R7730\\\" != \\\"$osVersion\\\" ]; then\\n', ' if [ -f /opt/CPshared/5.0/tmp/.CPprofile.sh ]; then\\n', ' log-data \\\"/opt/CPshared/5.0/tmp/.CPprofile.sh exists and is a regular file.\\\"\\n', ' . /opt/CPshared/5.0/tmp/.CPprofile.sh\\n', ' log-data \\\"add sim_anti_spoofing_enabled=0 to $PPKDIR/boot/modules/simkern.conf\\\"\\n', ' echo \\\"sim_anti_spoofing_enabled=0\\\" >> \\\"$PPKDIR/boot/modules/simkern.conf\\\"\\n', ' log-data \\\"\\\\$PPKDIR/boot/modules/simkern.conf: \\\\\\\\n$(cat $PPKDIR/boot/modules/simkern.conf)\\\"\\n', ' fi\\n', ' fi\\n', 'fi\\n', '\\n', 'if [ \\\"$installationType\\\" == \\\"vmss\\\" ]; then\\n', ' # add dynamic objects to represent the GWs internal NICs in management:\\n', ' IntAddr=\\\"$(ip addr show dev eth1 | awk \\\"/inet/{print \\\\$2; exit}\\\" | cut -d / -f 1)\\\"\\n', ' runcmd -rc \\\"19 0 3\\\" dynamic_objects -n LocalGatewayInternal -r \\\"$IntAddr\\\" \\\"$IntAddr\\\" -a\\n', ' if [ \\\"$?\\\" -eq \\\"0\\\" ] ; then\\n', ' log-data \\\"VMSS - created dynamic object for eth1\\\"\\n', ' else\\n', ' log-data \\\"VMSS - failed to create dynamic object for eth1\\\"\\n', ' fi\\n', ' log-data \\\"VMSS - Set dynamic objects: (Int: $IntAddr) \\\\\\\\n$(dynamic_objects -l)\\\"\\n', '\\n', ' # add static route for all vnet but Frontend to use eth1:\\n', ' subnet2Prefix=\\\"$(getInstanceMetadata | jq -r \\\".network.interface[1].ipv4.subnet[].address\\\")\\\"\\n', ' 
firstThreeOctats=\\\"$(echo $subnet2Prefix | cut -d / -f 1 | cut -d . -f 1,2,3)\\\"\\n', ' forthOctats=\\\"$(echo $subnet2Prefix | cut -d / -f 1 | cut -d . -f 4)\\\"\\n', ' forthOctats=\\\"$(( forthOctats + 1 ))\\\"\\n', ' router=\\\"$firstThreeOctats.$forthOctats\\\"\\n', ' log-data \\\"Vnet CIDR: $vnet\\\" \\\"Internal subnet CIDR: $subnet2Prefix\\\" \\\"Internal subnet gateway: $router\\\"\\n', ' vnets=(\\\"$vnet\\\" \\\"10.0.0.0/8\\\" \\\"172.16.0.0/12\\\" \\\"192.168.0.0/16\\\")\\n', ' runcmd -rc \\\"1 0\\\" clish -c \\\"lock database override\\\" >&2\\n', ' for vnet in \\\"${vnets[@]}\\\"; do\\n', ' runcmd clish -s -c \\\"set static-route $vnet nexthop gateway address $router on\\\"\\n', ' if [ \\\"$?\\\" == \\\"0\\\" ] ; then\\n', ' log-data \\\"Set static-route for vnet: $vnet to router: $router\\\"\\n', ' else\\n', ' log-data \\\"Failed to set static-route for vnet: $vnet to router: $router\\\"\\n', ' fi\\n', ' done\\n', 'fi\\n', '\\n', 'log-data \\\"VM static routes: \\\\\\\\n$(route)\\\"\\n', 'log-data \\\"Contents of $FWDIR/boot/modules/fwkern.conf at end: \\\\\\\\n$(cat \\\"$FWDIR/boot/modules/fwkern.conf\\\")\\\"\\n', '\\n', 'if \\\"$installSecurityGateway\\\"; then\\n', ' log-data \\\"Instance metadata at end: \\\\\\\\n$(getInstanceMetadata)\\\"\\n', ' if [ \\\"$isBlink\\\" == \\\"False\\\" ] || [ \\\"$installationType\\\" == \\\"cluster\\\" ]; then\\n', ' log-data \\\"VM is shuting down\\\"\\n', ' shutdown -r now\\n', ' fi\\n', 'else\\n', ' if \\\"$installSecurityManagement\\\" && [ \\\"R7730\\\" != \\\"$osVersion\\\" ]; then\\n', ' service autoprovision start\\n', ' log-data \\\"Instance metadata at end: \\\\\\\\n$(getInstanceMetadata)\\\"\\n', ' log-data \\\"Start service autoprovision\\\"\\n', ' fi\\n', 'fi\\n')]", + "imageOfferR7730": "check-point-r77-10", + "imageOffer": "[concat(variables(concat('imageOffer', variables('osVersion'))), parameters('preview'))]", + "imagePublisher": "checkpoint", + "imageReferenceBYOL": { + "offer": 
"[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-byol", + "version": "latest" + }, + "imageReferenceNGTP": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp", + "version": "latest" + }, + "imageReferenceNGTP-V2": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp-v2", + "version": "latest" + }, + "imageReferenceNGTX": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtx", + "version": "latest" + }, + "imageReferenceMarketplace": "[variables(concat('imageReference', variables('offer')))]", + "customImage": "customImage", + "imageReferenceCustomUri": { + "id": "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + }, + "imageReference": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('imageReferenceMarketplace'), variables('imageReferenceCustomUri'))]", + "nic1Name": "eth0", + "nic2Name": "eth1", + "lbId": "[resourceId('Microsoft.Network/loadBalancers', variables('lbName'))]", + "lbName": "frontend-lb", + "linuxConfigurationpassword": {}, + "linuxConfigurationsshPublicKey": { + "disablePasswordAuthentication": "true", + "ssh": { + "publicKeys": [ + { + "keyData": "[parameters('sshPublicKey')]", + "path": "/home/notused/.ssh/authorized_keys" + } + ] + } + }, + "linuxConfiguration": "[variables(concat('linuxConfiguration', parameters('authenticationType')))]", + "planBYOL": { + "name": "sg-byol", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP": { + "name": "sg-ngtp", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP-V2": { + "name": "sg-ngtp-v2", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTX": { + "name": "sg-ngtx", + "product": 
"[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "plan": "[variables(concat('plan', variables('offer')))]", + "roleDefinitionId": "[if(equals(parameters('role'), 'Contributor'), concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c'), parameters('role'))]", + "identity": "[if(empty(variables('roleDefinitionId')), json('null'), json('{\"type\": \"SystemAssigned\"}'))]", + "externalPrivateAddresses": [ + "[parameters('Subnet1StartAddress')]", + "[concat(split(parameters('Subnet1StartAddress'), '.')[0],'.', split(parameters('Subnet1StartAddress'), '.')[1],'.', split(parameters('Subnet1StartAddress'), '.')[2],'.', string(add(int(split(parameters('Subnet1StartAddress'), '.')[3]),1)))]", + "[concat(split(parameters('Subnet1StartAddress'), '.')[0],'.', split(parameters('Subnet1StartAddress'), '.')[1],'.', split(parameters('Subnet1StartAddress'), '.')[2],'.', string(add(int(split(parameters('Subnet1StartAddress'), '.')[3]),2)))]" + ], + "Subnet2PrivateAddresses": [ + "[parameters('Subnet2StartAddress')]", + "[concat(split(parameters('Subnet2StartAddress'), '.')[0],'.', split(parameters('Subnet2StartAddress'), '.')[1],'.', split(parameters('Subnet2StartAddress'), '.')[2],'.', string(add(int(split(parameters('Subnet2StartAddress'), '.')[3]),1)))]", + "[concat(split(parameters('Subnet2StartAddress'), '.')[0],'.', split(parameters('Subnet2StartAddress'), '.')[1],'.', split(parameters('Subnet2StartAddress'), '.')[2],'.', string(add(int(split(parameters('Subnet2StartAddress'), '.')[3]),2)))]" + ], + "publicIPAddressId": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('vmName'))]", + "publicIPAddressIds": [ + "[resourceId('Microsoft.Network/publicIPAddresses', concat(parameters('vmName'), '1'))]", + "[resourceId('Microsoft.Network/publicIPAddresses', concat(parameters('vmName'), '2'))]"], + "availabilitySetName": 
"[concat(parameters('vmName'), '-AvailabilitySet')]", + "count": 2, + "frontEndIPConfMember1Id": "[concat(variables('lbId'), '/frontendIPConfigurations/LoadBalancerFrontEnd1')]", + "frontEndIPConfMember2Id": "[concat(variables('lbId'), '/frontendIPConfigurations/LoadBalancerFrontEnd2')]", + "member1IPConfigId": "[concat(variables('lbId'), '/frontendIPConfigurations/LoadBalancerFrontEnd1')]", + "member2IPConfigId": "[concat(variables('lbId'), '/frontendIPConfigurations/LoadBalancerFrontEnd2')]", + "bootstrapScript64": "[base64(parameters('bootstrapScript'))]", + "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]", + "networkSetupURL": "[concat(parameters('baseUrl'), '/vnet-', parameters('vnetNewOrExisting'), '.json')]", + "sicKey": "[parameters('sicKey')]", + "managementGUIClientNetwork": "", + "installationType": "cluster" + }, + "resources": [ + { + "apiVersion": "2018-02-01", + "name": "pid-02f0149c-45d1-561e-bd46-1121af3376e0", + "type": "Microsoft.Resources/deployments", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('storageAccountName')]", + "apiVersion": "[variables('storageApiVersion')]", + "location": "[variables('location')]", + "sku": { + "name": "[variables('storageAccountType')]" + }, + "kind": "Storage" + }, + { + "name": "networkSetup", + "type": "Microsoft.Resources/deployments", + "apiVersion": "[variables('deploymentsApiVersion')]", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + "value": "[variables('location')]" + }, + "apiVersion": { + "value": "[variables('networkApiVersion')]" + }, + "virtualNetworkName": { + "value": 
"[parameters('virtualNetworkName')]" + }, + "virtualNetworkAddressPrefix": { + "value": "[parameters('virtualNetworkAddressPrefix')]" + }, + "Subnet1Name": { + "value": "[parameters('Subnet1Name')]" + }, + "Subnet1Prefix": { + "value": "[parameters('Subnet1Prefix')]" + }, + "Subnet1StartAddress": { + "value": "[parameters('Subnet1StartAddress')]" + }, + "Subnet2Name": { + "value": "[parameters('Subnet2Name')]" + }, + "Subnet2Prefix": { + "value": "[parameters('Subnet2Prefix')]" + }, + "Subnet2StartAddress": { + "value": "[parameters('Subnet2StartAddress')]" + }, + "vnetNewOrExisting": { + "value": "[parameters('vnetNewOrExisting')]" + }, + "virtualNetworkExistingRGName": { + "value": "[parameters('virtualNetworkExistingRGName')]" + } + } + } + }, + { + "type": "Microsoft.Compute/availabilitySets", + "apiVersion": "[variables('computeApiVersion')]", + "location": "[variables('location')]", + "name": "[concat(variables('availabilitySetName'))]", + "properties": { + "platformFaultDomainCount": 2 + }, + "sku": { + "name": "Aligned" + } + }, + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "[variables('networkApiVersion')]", + "location": "[variables('location')]", + "name": "[parameters('vmName')]", + "properties": { + "idleTimeoutInMinutes": 30, + "publicIPAllocationMethod": "Static", + "dnsSettings": { + "domainNameLabel": "[concat(toLower(parameters('vmName')), '-', uniquestring(resourceGroup().id, deployment().name))]" + } + } + }, + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "[variables('networkApiVersion')]", + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), copyIndex(1))]", + "copy": { + "name": "publicAddressCopy", + "count": "[variables('count')]" + }, + "properties": { + "idleTimeoutInMinutes": 30, + "publicIPAllocationMethod": "Static", + "dnsSettings": { + "domainNameLabel": "[concat(toLower(parameters('vmName')), '-', copyIndex(1), '-', uniquestring(resourceGroup().id, 
deployment().name))]" + } + } + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "[variables('networkApiVersion')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 'networkSetup')]", + "[variables('publicIPAddressIds')[0]]", + "[variables('publicIPAddressId')]" + ], + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), '1-', variables('nic1Name'))]", + "properties": { + "enableIPForwarding": true, + "ipConfigurations": [ + { + "name": "member-ip", + "properties": { + "primary": true, + "privateIPAddress": "[variables('externalPrivateAddresses')[0]]", + "privateIPAllocationMethod": "Static", + "PublicIpAddress": { + "Id": "[variables('publicIPAddressIds')[0]]" + }, + "subnet": { + "id": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('Subnet1Name'))]" + } + } + }, + { + "name": "cluster-vip", + "properties": { + "primary": false, + "privateIPAddress": "[variables('externalPrivateAddresses')[2]]", + "privateIPAllocationMethod": "Static", + "PublicIpAddress": { + "Id": "[variables('publicIPAddressId')]" + }, + "subnet": { + "id": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('Subnet1Name'))]" + } + } + } + ] + } + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "[variables('networkApiVersion')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 'networkSetup')]", + "[variables('publicIPAddressIds')[1]]" + ], + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), '2-', variables('nic1Name'))]", + "properties": { + "enableIPForwarding": true, + "ipConfigurations": [ + { + "name": "member-ip", + "properties": { + "primary": true, + "privateIPAddress": "[variables('externalPrivateAddresses')[1]]", + "privateIPAllocationMethod": "Static", + "PublicIpAddress": { + "Id": "[variables('publicIPAddressIds')[1]]" + }, + "subnet": { + "id": 
"[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('Subnet1Name'))]" + } + } + } + ] + } + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "[variables('networkApiVersion')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 'networkSetup')]" + ], + "copy": { + "name": "nic2Copy", + "count": "[variables('count')]" + }, + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), copyIndex(1), '-', variables('nic2Name'))]", + "properties": { + "enableIPForwarding": true, + "ipConfigurations": [ + { + "name": "member-ip", + "properties": { + "primary": true, + "privateIPAddress": "[variables('Subnet2PrivateAddresses')[copyIndex()]]", + "privateIPAllocationMethod": "Static", + "subnet": { + "id": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('Subnet2Name'))]" + } + } + } + ] + } + }, + { + "condition": "[not(equals(parameters('sourceImageVhdUri'), 'noCustomUri'))]", + "type": "Microsoft.Compute/images", + "apiVersion": "2017-12-01", + "name": "[variables('customImage')]", + "location": "[variables('location')]", + "properties": { + "storageProfile": { + "osDisk": { + "osType": "Linux", + "osState": "Generalized", + "blobUri": "[parameters('sourceImageVhdUri')]", + "storageAccountType": "Standard_LRS" + } + } + } + }, + { + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "[variables('computeApiVersion')]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]", + "[resourceId('Microsoft.Compute/availabilitySets', variables('availabilitySetName'))]", + "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), copyIndex(1), '-', variables('nic1Name')))]", + "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), copyIndex(1), '-', variables('nic2Name')))]", + "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + ], + 
"location": "[variables('location')]", + "name": "[concat(parameters('vmName'), copyIndex(1))]", + "copy": { + "name": "virtualMachineCopy", + "count": "[variables('count')]" + }, + "plan": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('plan'), json('null'))]", + "identity": "[variables('identity')]", + "properties": { + "availabilitySet": { + "id": "[resourceId('Microsoft.Compute/availabilitySets', variables('availabilitySetName'))]" + }, + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": "true", + "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), variables('storageApiVersion')).primaryEndpoints.blob]" + } + }, + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), copyIndex(1), '-', variables('nic1Name')))]", + "properties": { + "primary": true + } + }, + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), copyIndex(1), '-', variables('nic2Name')))]", + "properties": { + "primary": false + } + } + ] + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "notused", + "computername": "[concat(toLower(parameters('vmName')), copyIndex(1))]", + "customData": "[base64(variables('customData'))]", + "linuxConfiguration": "[variables('linuxConfiguration')]" + }, + "storageProfile": { + "imageReference": "[variables('imageReference')]", + "osDisk": { + "caching": "ReadWrite", + "createOption": "FromImage", + "diskSizeGB": "[variables('diskSizeGB')]", + "name": "[concat(parameters('vmName'), copyIndex(1))]", + "managedDisk": { + "storageAccountType": "[parameters('diskType')]" + } + } + } + } + }, + { + "condition": "[not(empty(variables('roleDefinitionId')))]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": 
"[variables('authorizationApiVersion')]", + "name": "[guid(resourceGroup().id, concat(parameters('vmName'), copyIndex(1)))]", + "copy": { + "name": "virtualMachineCopy", + "count": "[variables('count')]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), copyIndex(1)))]" + ], + "properties": { + "roleDefinitionId": "[variables('roleDefinitionId')]", + "scope": "[resourceGroup().id]", + "principalId": "[reference(concat('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), copyIndex(1))), variables('computeApiVersion'), 'Full').identity.principalId]" + } + } + ], + "outputs": { + "ClusterIPAddr": { + "type": "string", + "value": "[reference(variables('publicIPAddressId')).IpAddress]" + }, + "ClusterFQDN": { + "type": "string", + "value": "[reference(variables('publicIPAddressId')).dnsSettings.fqdn]" + }, + "Member1IPAddr": { + "type": "string", + "value": "[reference(variables('publicIPAddressIds')[0]).IpAddress]" + }, + "Member1FQDN": { + "type": "string", + "value": "[reference(variables('publicIPAddressIds')[0]).dnsSettings.fqdn]" + }, + "Member2IPAddr": { + "type": "string", + "value": "[reference(variables('publicIPAddressIds')[1]).IpAddress]" + }, + "Member2FQDN": { + "type": "string", + "value": "[reference(variables('publicIPAddressIds')[1]).dnsSettings.fqdn]" + } + } +} diff --git a/deprecated/azure/templates/R7730/cluster-r7730/vnet-existing.json b/deprecated/azure/templates/R7730/cluster-r7730/vnet-existing.json new file mode 100644 index 00000000..c48485e9 --- /dev/null +++ b/deprecated/azure/templates/R7730/cluster-r7730/vnet-existing.json 
@@ -0,0 +1,93 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "virtualNetworkName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the virtual network"
+ },
+ "defaultValue": "vnet"
+ },
+ "virtualNetworkAddressPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the virtual network"
+ }
+ },
+ "Subnet1Name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the 1st subnet"
+ },
+ "defaultValue": "Frontend"
+ },
+ "Subnet1Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the 1st subnet"
+ },
+ "defaultValue": "10.0.1.0/24"
+ },
+ "Subnet1StartAddress": {
+ "type": "string",
+ "metadata": {
+ "description": "The first avaialable address on the 1st subnet"
+ }
+ },
+ "Subnet2Name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the 2nd subnet"
+ },
+ "defaultValue": "Web"
+ },
+ "Subnet2Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the 2nd subnet"
+ },
+ "defaultValue": "10.0.2.0/24"
+ },
+ "Subnet2StartAddress": {
+ "type": "string",
+ "metadata": {
+ "description": "The first avaialable address on the 2nd subnet"
+ }
+ },
+ "vnetNewOrExisting": {
+ "type": "string",
+ "defaultValue": "new",
+ "allowedValues": [
+ "new",
+ "existing"
+ ],
+ "metadata": {
+ "Description": "Indicates whether the virtual network is new or existing"
+ }
+ },
+ "virtualNetworkExistingRGName": {
+ "type": "string",
+ "metadata": {
+ "description": "Resource Group of the existing virtual network"
+ },
+ "defaultValue": ""
+ },
+ "apiVersion": {
+ "type": "string"
+ }
+ },
+ "variables": {
+ "vnetId": "[resourceId(parameters('virtualNetworkExistingRGName'),'Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]"
+ },
+ "resources": [],
+ "outputs": {
+ "vnetId": {
+ "value": "[variables('vnetId')]",
+ "type": "string"
+ }
+ }
+}
diff --git a/deprecated/azure/templates/R7730/cluster-r7730/vnet-new.json b/deprecated/azure/templates/R7730/cluster-r7730/vnet-new.json
new file mode 100644
index 00000000..68adc232
--- /dev/null
+++ b/deprecated/azure/templates/R7730/cluster-r7730/vnet-new.json
@@ -0,0 +1,172 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "virtualNetworkName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the virtual network"
+ },
+ "defaultValue": "vnet"
+ },
+ "virtualNetworkAddressPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the virtual network"
+ }
+ },
+ "Subnet1Name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the 1st subnet"
+ },
+ "defaultValue": "Frontend"
+ },
+ "Subnet1Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the 1st subnet"
+ },
+ "defaultValue": "10.0.1.0/24"
+ },
+ "Subnet1StartAddress": {
+ "type": "string",
+ "metadata": {
+ "description": "The first avaialable address on the 1st subnet"
+ }
+ },
+ "Subnet2Name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the 2nd subnet"
+ },
+ "defaultValue": "Backend"
+ },
+ "Subnet2Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the 2nd subnet"
+ },
+ "defaultValue": "10.0.2.0/24"
+ },
+ "Subnet2StartAddress": {
+ "type": "string",
+ "metadata": {
+ "description": "The first avaialable address on the 2nd subnet"
+ }
+ },
+ "vnetNewOrExisting": {
+ "type": "string",
+ "defaultValue": "new",
+ "allowedValues": [
+ "new",
+ "existing"
+ ],
+ "metadata": {
+ "Description": "Indicates whether the virtual network is new or existing"
+ }
+ },
+ "virtualNetworkExistingRGName": {
+ "type": "string",
+ "metadata": {
+ "description": "Resource Group of the existing virtual network"
+ },
+ "defaultValue": ""
+ },
+ "apiVersion": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Network/routeTables",
+ "apiVersion": "[parameters('apiVersion')]",
+ "location": "[parameters('location')]",
+ "name": "[parameters('subnet1Name')]",
+ "properties": {
+ "routes": [
+ {
+ "name": "Local-Subnet",
+ "properties": {
+ "addressPrefix": "[parameters('subnet1Prefix')]",
+ "nextHopType": "VnetLocal"
+ }
+ },
+ {
+ "name": "To-Internal",
+ "properties": {
+ "addressPrefix": "[parameters('virtualNetworkAddressPrefix')]",
+ "nextHopType": "VirtualAppliance",
+ "nextHopIpAddress": "[parameters('subnet1StartAddress')]"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Network/routeTables",
+ "apiVersion": "[parameters('apiVersion')]",
+ "location": "[parameters('location')]",
+ "name": "[parameters('subnet2Name')]",
+ "properties": {
+ "routes": [
+ {
+ "name": "To-Internet",
+ "properties": {
+ "addressPrefix": "0.0.0.0/0",
+ "nextHopType": "VirtualAppliance",
+ "nextHopIpAddress": "[parameters('subnet2StartAddress')]"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Network/virtualNetworks",
+ "apiVersion": "[parameters('apiVersion')]",
+ "location": "[parameters('location')]",
+ "name": "[parameters('virtualNetworkName')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/routeTables', parameters('subnet1Name'))]",
+ "[resourceId('Microsoft.Network/routeTables', parameters('subnet2Name'))]"
+ ],
+ "properties": {
+ "addressSpace": {
+ "addressPrefixes": [
+ "[parameters('virtualNetworkAddressPrefix')]"
+ ]
+ },
+ "subnets": [
+ {
+ "name": "[parameters('subnet1Name')]",
+ "properties": {
+ "addressPrefix": "[parameters('subnet1Prefix')]",
+ "routeTable": {
+ "id": "[resourceId('Microsoft.Network/routeTables', parameters('subnet1Name'))]"
+ }
+ }
+ },
+ {
+ "name": "[parameters('subnet2Name')]",
+ "properties": {
+ "addressPrefix": "[parameters('subnet2Prefix')]",
+ "routeTable": {
+ "id": "[resourceId('Microsoft.Network/routeTables', parameters('subnet2Name'))]"
+ }
+ }
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {
+ "vnetId": {
+ "value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]",
+ "type": "string"
+ }
+ }
+}
diff --git a/deprecated/azure/templates/R7730/mgmt-r7730/README.MD b/deprecated/azure/templates/R7730/mgmt-r7730/README.MD
new file mode 100644
index 00000000..e85d7ee1
--- /dev/null
+++ b/deprecated/azure/templates/R7730/mgmt-r7730/README.MD
@@ -0,0 +1,13 @@
+# How to deploy this template
+To deploy this ARM template, follow these instructions:
+1. Log in to the [Microsoft Azure Portal](https://portal.azure.com)
+2. Click "*Create a resource*"
+3. Search for "*Template deployment (deploy using custom templates)*" and click "*Create*"
+4. Click "*Build your own template in the editor*"
+5. Load the "*mainTemplate.json*" file from this directory and click "*Save*"
+6. Enter the desired template parameters
+ - Replace the "*Base Url*" property with:
+ ```
+ https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/deprecated/azure/templates/mgmt-r7730
+ ```
+7. Click *Purchase* to deploy the solution
diff --git a/deprecated/azure/templates/R7730/mgmt-r7730/createUiDefinition.json b/deprecated/azure/templates/R7730/mgmt-r7730/createUiDefinition.json
new file mode 100644
index 00000000..50a96c0a
--- /dev/null
+++ b/deprecated/azure/templates/R7730/mgmt-r7730/createUiDefinition.json
@@ -0,0 +1,281 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Compute.MultiVm",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "basics": [
+ {
+ "name": "gatewayNameUi",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Server Name",
+ "toolTip": "The name of the Check Point Security Management Server.",
+ "constraints": {
+ "required": true,
+ "regex": "^[a-z0-9A-Z]{1,30}$",
+ "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long."
+ }
+ },
+ {
+ "name": "auth",
+ "type": "Microsoft.Compute.CredentialsCombo",
+ "label": {
+ "authenticationType": "Authentication type",
+ "password": "Password",
+ "confirmPassword": "Confirm password",
+ "sshPublicKey": "SSH public key"
+ },
+ "toolTip": {
+ "authenticationType": "",
+ "password": "The user 'admin' password",
+ "sshPublicKey": "Paste an OpenSSH public key. You can generate a key pair using ssh-keygen (Linux, OS X, Cygwin) or PuttyGen (Windows)"
+ },
+ "constraints": {
+ "required": true
+ },
+ "options": {
+ "hideConfirmation": false,
+ "hidePassword": false
+ },
+ "osPlatform": "Linux"
+ }
+ ],
+ "steps": [
+ {
+ "name": "chkp",
+ "label": "Check Point Security Management Server settings",
+ "subLabel": {
+ "preValidation": "Configure additional settings",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Security Management settings",
+ "elements": [
+ {
+ "name": "cloudGuardVersion",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Check Point CloudGuard version",
+ "defaultValue": "R77.30",
+ "toolTip": "The version of Check Point CloudGuard.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "R77.30",
+ "value": "R77.30"
+ }
+ ]
+ }
+ },
+ {
+ "name": "R7730vmSizeUiBYOL",
+ "type": "Microsoft.Compute.SizeSelector",
+ "visible": "[equals(steps('chkp').cloudGuardVersion, 'R77.30')]",
+ "label": "Virtual machine size",
+ "toolTip": "The VM size of the Management",
+ "recommendedSizes": [
+ "Standard_D3_v2",
+ "Standard_D3",
+ "Standard_DS3"
+ ],
+ "constraints": {
+ "excludedSizes": [
+ "Basic_A0",
+ "Basic_A1",
+ "Basic_A2",
+ "Basic_A3",
+ "Standard_A0",
+ "Standard_A1",
+ "Standard_A1_v2",
+ "Standard_A2",
+ "Standard_A5",
+ "Standard_D1",
+ "Standard_D1_v2",
+ "Standard_DS1",
+ "Standard_DS1_v2",
+ "Standard_F1",
+ "Standard_F1s",
+ "Standard_G1",
+ "Standard_GS1"
+ ]
+ },
+ "osPlatform": "Linux",
+ "imageReference": {
+ "publisher": "checkpoint",
+ "offer": "check-point-r77-10",
+ "sku": "sg-byol"
+ },
+ "count": 1
+ },
+ {
+ "name": "installationType",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Installation type",
+ "visible": "[not(equals(steps('chkp').cloudGuardVersion, 'R80.20'))]",
+ "defaultValue": "Management",
+ "toolTip": "Select the type of deployment",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Management",
+ "value": "management"
+ },
+ {
+ "label": "Configure manually",
+ "value": "custom"
+ }
+ ]
+ }
+ },
+ {
+ "name": "managementGUIClientNetwork",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Allowed GUI clients",
+ "toolTip": "GUI clients network CIDR",
+ "defaultValue": "0.0.0.0/0",
+ "constraints": {
+ "required": true,
+ "regex": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$",
+ "validationMessage": "Enter a valid IPv4 network CIDR"
+ },
+ "visible": "[or(equals(steps('chkp').installationType, 'management'), equals(steps('chkp').cloudGuardVersion, 'R80.20'))]"
+ },
+ {
+ "name": "bootstrapScript",
+ "type": "Microsoft.Common.FileUpload",
+ "label": "Bootstrap script",
+ "toolTip": "An optional script to run on the initial boot",
+ "constraints": {
+ "required": false,
+ "accept": ".sh,text/plain"
+ },
+ "options": {
+ "multiple": false,
+ "uploadMode": "file",
+ "openMode": "text",
+ "encoding": "UTF-8"
+ }
+ },
+ {
+ "visible": "[or(equals(steps('chkp').cloudGuardVersion, 'R80.20'), not(equals(steps('chkp').installationType, 'custom')))]",
+ "name": "allowUploadDownload",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Allow download from/upload to Check Point",
+ "defaultValue": "Yes",
+ "toolTip": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "true"
+ },
+ {
+ "label": "No",
+ "value": "false"
+ }
+ ]
+ }
+ },
+ {
+ "name": "additionalDiskSizeGB",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Additional disk space (GB)",
+ "defaultValue": "0",
+ "toolTip": "Amount of additional disk space (in GB), Initial disk size is 50 GB for R77.30",
+ "constraints": {
+ "regex": "^([0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-2][0-9][0-9][0-9]|3[0-8][0-9][0-9]|399[0-5])$",
+ "validationMessage": "Select a number between 0 and 3995"
+ }
+ },
+ {
+ "name": "VMDiskType",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "VM disk type",
+ "toolTip": "Type of CloudGuard disk.",
+ "visible": "[and(not(equals(substring(location(), 0, 2), 'us')), or(contains(steps('chkp').R7730vmSizeUiBYOL, 'DS'), contains(steps('chkp').R8010vmSizeUiBYOL, 'DS'), contains(steps('chkp').R8010vmSizeUiMGMT5, 'DS'), contains(steps('chkp').R8020vmSizeUiBYOL, 'DS'), contains(steps('chkp').R8020vmSizeUiMGMT5, 'DS')))]",
+ "defaultValue": "Standard",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Standard",
+ "value": "Standard_LRS"
+ },
+ {
+ "label": "Premium",
+ "value": "Premium_LRS"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ {
+ "name": "network",
+ "label": "Network settings",
+ "subLabel": {
+ "preValidation": "Configure network settings",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Network settings",
+ "elements": [
+ {
+ "name": "virtualNetwork",
+ "type": "Microsoft.Network.VirtualNetworkCombo",
+ "label": {
+ "virtualNetwork": "Virtual network",
+ "subnets": "Subnet"
+ },
+ "toolTip": {
+ "virtualNetwork": "Virtual Network Name",
+ "subnets": "The subnet to deploy into"
+ },
+ "defaultValue": {
+ "name": "vnet01",
+ "addressPrefixSize": "/20"
+ },
+ "constraints": {
+ "minAddressPrefixSize": "/29"
+ },
+ "options": {
+ "hideExisting": false
+ },
+ "subnets": {
+ "subnet1": {
+ "label": "Management subnet",
+ "defaultValue": {
+ "name": "Management",
+ "addressPrefixSize": "/24"
+ },
+ "constraints": {
+ "minAddressPrefixSize": "/29",
+ "minAddressCount": 1,
+ "requireContiguousAddresses": true
+ }
+ }
+ }
+ }
+ ]
+ }
+ ],
+ "outputs": {
+ "location": "[location()]",
+ "cloudGuardVersion": "[concat(steps('chkp').cloudGuardVersion, ' - ', coalesce(steps('chkp').R80Offer, 'Bring Your Own License'))]",
+ "adminPassword": "[basics('auth').password]",
+ "authenticationType": "[basics('auth').authenticationType]",
+ "sshPublicKey": "[basics('auth').sshPublicKey]",
+ "vmName": "[basics('gatewayNameUi')]",
+ "vmSize": "[coalesce(steps('chkp').R7730vmSizeUiBYOL, steps('chkp').R8010vmSizeUiBYOL, steps('chkp').R8010vmSizeUiMGMT5, steps('chkp').R8020vmSizeUiBYOL, steps('chkp').R8020vmSizeUiMGMT5)]",
+ "virtualNetworkName": "[steps('network').virtualNetwork.name]",
+ "virtualNetworkAddressPrefix": "[steps('network').virtualNetwork.addressPrefix]",
+ "Subnet1Name": "[steps('network').virtualNetwork.subnets.subnet1.name]",
+ "Subnet1Prefix": "[steps('network').virtualNetwork.subnets.subnet1.addressPrefix]",
+ "Subnet1StartAddress": "[steps('network').virtualNetwork.subnets.subnet1.startAddress]",
+ "vnetNewOrExisting": "[steps('network').virtualNetwork.newOrExisting]",
+ "virtualNetworkExistingRGName": "[steps('network').virtualNetwork.resourceGroup]",
+ "managementGUIClientNetwork": "[steps('chkp').managementGUIClientNetwork]",
+ "installationType": "[steps('chkp').installationType]",
+ "bootstrapScript": "[steps('chkp').bootstrapScript]",
+ "allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp').allowUploadDownload, 'true')]",
+ "additionalDiskSizeGB": "[int(steps('chkp').additionalDiskSizeGB)]",
+ "diskType": "[coalesce(steps('chkp').VMDiskType, 'Standard_LRS')]"
+ }
+ }
+}
+
diff --git a/deprecated/azure/templates/R7730/mgmt-r7730/mainTemplate.json b/deprecated/azure/templates/R7730/mgmt-r7730/mainTemplate.json
new file mode 100644
index 00000000..ff33f6d6
--- /dev/null
+++ b/deprecated/azure/templates/R7730/mgmt-r7730/mainTemplate.json
@@ -0,0 +1,553 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string", + "metadata": { + "description": "Deployment location" + }, + "defaultValue": "[resourceGroup().location]" + }, + "cloudGuardVersion": { + "type": "string", + "allowedValues": [ + "R77.30 - Bring Your Own License" + ], + "defaultValue": "R77.30 - Bring Your Own License", + "metadata": { + "description": "Version of Check Point vSEC" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Administrator password" + }, + "defaultValue": "" + }, + "authenticationType": { + "type": "string", + "allowedValues": [ + "password", + "sshPublicKey" + ], + "defaultValue": "password", + "metadata": { + "description": "Authentication type" + } + }, + "sshPublicKey": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Administrator SSH public key" + } + }, + "vmName": { + "type": "string", + "metadata": { + "description": "Name of the Check Point Security Gateway" + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_D3_v2", + "metadata": { + "description": "Size of the VM" + } + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "vnet" + }, + "virtualNetworkAddressPrefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the virtual network" + }, + "defaultValue": "10.0.0.0/16" + }, + "Subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the 1st subnet" + }, + "defaultValue": "Frontend" + }, + "Subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 1st subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "Subnet1StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the 1st 
subnet" + }, + "defaultValue": "10.0.1.10" + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "new", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "" + }, + "managementGUIClientNetwork": { + "type": "string", + "metadata": { + "description": "Allowed GUI clients" + }, + "defaultValue": "0.0.0.0/0" + }, + "installationType": { + "type": "string", + "metadata": { + "description": "Installation Type" + }, + "defaultValue": "management", + "allowedValues": [ + "management", + "custom" + ] + }, + "bootstrapScript": { + "type": "string", + "metadata": { + "description": "Bootstrap script" + }, + "defaultValue": "" + }, + "allowDownloadFromUploadToCheckPoint": { + "type": "string", + "allowedValues": [ + "true", + "false" + ], + "defaultValue": "true", + "metadata": { + "description": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + } + }, + "additionalDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "metadata": { + "description": "Amount of additional disk space (in GB)" + }, + "minValue": 0, + "maxValue": 3995 + }, + "diskType": { + "type": "string", + "defaultValue": "Standard_LRS", + "metadata": { + "description": "The type of the OS disk. 
Premium is applicable only to DS machine sizes" + }, + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ] + }, + "preview": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Deploy the staged image" + }, + "allowedValues": [ + "", + "-preview" + ] + }, + "baseUrl": { + "type": "string", + "metadata": { + "artifactsBaseUrl": "" + }, + "defaultValue": "https://s3-us-west-2.amazonaws.com/azure.templates/marketplace-management" + } + }, + "variables": { + "templateName": "management", + "templateVersion": "20181107", + "location": "[parameters('location')]", + "offers": { + "R77.30 - Bring Your Own License": "BYOL" + }, + "offer": "[variables('offers')[parameters('cloudGuardVersion')]]", + "osVersions": { + "R77.30 - Bring Your Own License": "R7730" + }, + "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", + "installationType": "[if(equals(variables('osVersion'), 'R8020'), 'management', parameters('installationType'))]", + "isBlink": "[bool('false')]", + "computeApiVersion": "2017-03-30", + "storageApiVersion": "2016-01-01", + "networkApiVersion": "2016-06-01", + "deploymentsApiVersion": "2016-02-01", + "storageAccountName": "[concat('bootdiag', uniqueString(resourceGroup().id, deployment().name))]", + "storageAccountType": "Standard_LRS", + "diskSizeGBR7730": 50, + "diskSizeGB": "[add(parameters('additionalDiskSizeGB'), variables(concat('diskSizeGB', variables('osVersion'))))]", + "customData": "[concat('#!/bin/bash\n', '\n', 'LOG_FILE=/var/log/custom-data.log\n', 'exec >>$LOG_FILE 2>&1\n', '\n', '# description: echo instance metadata\n', '# args :\n', '# optional: string contatining api version date.\n', '# default is to \"2017-08-01\".\n', '# usage :\n', '# getInstanceMetadata \"2017-12-01\"\n', 'function getInstanceMetadata {\n', ' # get instance metadata using Azure Instance Metadata service:\n', ' if test -z \"$#\" ; then\n', ' api_version=\"$1\"\n', ' else\n', ' api_version=\"2017-08-01\"\n', ' fi\n', ' 
metadata=\"$(get-cloud-data.sh \"metadata/instance/?api-version=$api_version\" | jq \".\")\"\n', '\n', '\n', ' echo \"$metadata\"\n', ' log-data \"Instance metadata retrieved using api version: $api_version\" >&2\n', '}\n', '\n', '# description: echo $@ to std output wrapped with date and additional data\n', '# args :\n', '# add \"-w\" before the content to log warning message.\n', '# add \"-e\" before the content to log error message.\n', '# default is to log info message.\n', '# usage :\n', '# log-data \"-w\" \"my message\"\n', 'function log-data {\n', ' test -z \"$1\" && echo \"$(date +\"%F %T\") CUSTOM-DATA [INFO]\" || {\n', ' if [[ \"$1\" == \"-w\" ]] ; then\n', ' prefix=\"[WARNING] \"\n', ' shift\n', ' elif [[ \"$1\" == \"-e\" ]] ; then\n', ' prefix=\"[ERROR] \"\n', ' shift\n', ' else\n', ' prefix=\"[INFO] \"\n', ' fi\n', ' for i in \"$@\"; do\n', ' echo -e \"$(date +\"%F %T\") CUSTOM-DATA $prefix$i\"\n', ' shift\n', ' done\n', ' }\n', '}\n', '\n', '# description: wrapper to command to enable retries\n', '# args :\n', '# To specify return codes:\n', '# \"-rc\" followed by string of numbers seperated by a space: \"int1 int2\".\n', '# default is \"0\".\n', '# To specify maximum duration for retries:\n', '# \"-md\" followed by a number: 5.\n', '# default is 8.\n', '# To specift sleep time between retries:\n', '# \"-st\" followed by a number: 1.\n', '# default is 2.\n', '# usage :\n', '# runcmd -rc \"19 0 3\" \"-md\" 6 \"-st\" 1 my-command\n', 'function runcmd {\n', ' expected_returnval=()\n', ' if [ \"$1\" == \"-rc\" ] ; then\n', ' shift\n', ' for val in $1\n', ' do\n', ' expected_returnval[\"$val\"]=\"1\"\n', ' done\n', ' shift\n', ' else\n', ' expected_returnval[\"0\"]=\"1\"\n', ' fi\n', ' if [ \"$1\" == \"-md\" ] ; then\n', ' shift\n', ' MAX_DURATION=$1\n', ' shift\n', ' else\n', ' MAX_DURATION=8\n', ' fi\n', ' if [ \"$1\" == \"-st\" ] ; then\n', ' shift\n', ' SLEEP_TIME=$1\n', ' shift\n', ' else\n', ' SLEEP_TIME=2\n', ' fi\n', ' cmd=\"$@\"\n', ' log-data 
\"Executing $cmd\" \" Allowed return values : $(echo ${!expected_returnval[@]})\" \" Maximum retries duration : $MAX_DURATION\" \" Sleep time between retries: $SLEEP_TIME\" >&2\n', '\n', '\n', '\n', ' SECONDS=0\n', ' while [ \"$SECONDS\" -lt \"$MAX_DURATION\" ] ; do\n', ' returnmsg=\"$(\"$@\" 2>&1)\"\n', ' returnval=\"$?\"\n', ' if [[ ${expected_returnval[$returnval]} ]] ; then\n', ' log-data \"Success executing: $cmd\n', '\\\\tReturn Value : $(echo $returnval)\n', '\\\\tReturn message: $(echo $returnmsg)\" >&2\n', ' return 0\n', ' fi\n', ' log-data \"-w\" \"Retrying to execute command: $cmd\n', '\\\\tReturn Value : $(echo $returnval)\n', '\\\\tReturn message: $(echo $returnmsg)\" >&2\n', ' sleep \"$SLEEP_TIME\"\n', ' done\n', ' log-data \"-e\" \"Failed to execute command: $cmd\n', '\\\\tReturn Value : $(echo $returnval) (expected: $expected_returnval)\n', '\\\\tReturn message: $(echo $returnmsg)\n', '\\\\tTotal run time: $SECONDS [seconds]\" >&2\n', ' return 1\n', '}\n', '\n', 'log-data \"Start of custom-data.sh\"\n', 'log-data \"Time Zone: $(date +\"%Z %:z\")\"\n', 'log-data \"Instance metadata at beginning: \\\\n$(getInstanceMetadata)\"\n', 'log-data \"Contents of $FWDIR/boot/modules/fwkern.conf at beginning: \\\\n$(cat \"$FWDIR/boot/modules/fwkern.conf\")\"\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', '\n', 'if [ -z \"${isBlink}\" ]; then\n', ' isBlink=\"False\"\n', 'fi\n', '\n', 'log-data \"isBlink val: $isBlink\"\n', '\n', 'log-data \"templateName: $templateName\" \"templateVersion: $templateVersion\" \"installationType: $installationType\" \"osVersion: $osVersion\"\n', '\n', '\n', '\n', '\n', 'echo \"template_name: $templateName\" >> 
/etc/cloud-version\n', 'echo \"template_version: $templateVersion\" >> /etc/cloud-version\n', '\n', 'log-data \"Executing bootstrap script:\"\n', 'bootstrap=\"$(dirname \"$0\")/bootstrap\"\n', 'cat <<<\"', variables('bootstrapScript64'), '\" | tr -d \"\\n\" | base64 -d >\"$bootstrap\"', '\n', 'dos2unix \"$bootstrap\"\n', 'chmod +x \"$bootstrap\"\n', 'cp \"$bootstrap\" \"/var/log/custom-data-bootstrap\"\n', '\"$bootstrap\"\n', '\n', 'function has_iam {\n', ' local url\n', ' local out\n', ' url=\"http://169.254.169.254/metadata/identity/oauth2/token\"\n', ' url=\"$url?api-version=2018-02-01&resource=https://no-such-domain/\"\n', ' for i in 1 2 3 ; do\n', ' out=\"$(curl_cli --header metadata:true --url \"$url\" --max-time 10)\"\n', ' if test \"$(echo \"$out\" | jq -r .error)\" = \"invalid_resource\" ; then\n', ' echo true\n', ' return\n', ' fi\n', ' if test \"$(echo \"$out\" | jq -r .error_description)\" = \"Identity not found\" ; then\n', '\n', ' break\n', ' fi\n', ' done\n', ' echo false\n', '}\n', '\n', '# description: create file $FWDIR/conf/azure-ha.json\n', '# args : no args\n', '# usage : cluster\n', 'function cluster {\n', ' log-data \"Cluster - Executing cluster function\"\n', ' subscriptionId=\"', subscription().subscriptionId, '\"', '\n', ' tenantId=\"', subscription().tenantId, '\"', '\n', ' resourceGroup=\"', resourceGroup().name, '\"', '\n', ' virtualNetwork=\"', parameters('virtualNetworkName'), '\"', '\n', ' clusterName=\"', parameters('vmName'), '\"', '\n', ' lbName=\"frontend-lb\"\n', ' location=\"', variables('location'), '\"', '\n', ' has_iam=false\n', '\n', ' case \"$location\" in\n', ' us*)\n', ' environment=\"AzureUSGovernment\"\n', ' ;;\n', ' china*)\n', ' environment=\"AzureChinaCloud\"\n', ' ;;\n', ' germany*)\n', ' environment=\"AzureGermanCloud\"\n', ' ;;\n', ' *)\n', ' environment=\"AzureCloud\"\n', ' has_iam=\"$(has_iam)\"\n', ' ;;\n', ' esac\n', '\n', ' cat <\"$FWDIR/conf/azure-ha.json\"\n', '{\n', ' \"subscriptionId\": 
\"$subscriptionId\",\n', ' \"location\": \"$location\",\n', ' \"environment\": \"$environment\",\n', ' \"resourceGroup\": \"$resourceGroup\",\n', 'EOF\n', ' if $has_iam ; then\n', ' cat <>\"$FWDIR/conf/azure-ha.json\"\n', ' \"credentials\": \"IAM\",\n', ' \"tenant\": \"$tenantId\",\n', 'EOF\n', ' else\n', ' cat <>\"$FWDIR/conf/azure-ha.json\"\n', ' \"credentials\": {\n', ' \"tenant\": \"$tenantId\",\n', ' \"grant_type\": \"client_credentials\",\n', ' \"client_id\": \"\",\n', ' \"client_secret\": \"\"\n', ' },\n', 'EOF\n', ' fi\n', ' cat <>\"$FWDIR/conf/azure-ha.json\"\n', ' \"proxy\": \"\",\n', ' \"virtualNetwork\": \"$virtualNetwork\",\n', ' \"clusterName\": \"$clusterName\",\n', ' \"templateName\": \"$templateName\",\n', 'EOF\n', ' cat <>\"$FWDIR/conf/azure-ha.json\"\n', ' \"lbName\": \"$lbName\",\n', 'EOF\n', '\n', '\n', ' cat <>\"$FWDIR/conf/azure-ha.json\"\n', ' \"debug\": false\n', '}\n', 'EOF\n', '\n', ' log-data \"Cluster - Write cluster values to $FWDIR/conf/azure-ha.json\"\n', ' log-data \"File content: \\\\n$(cat \"$FWDIR/conf/azure-ha.json\")\"\n', '}\n', '\n', '# description:\n', '# check if an alias exists on VM, in case there is no alias,\n', '# try to retrieve it from instance metadata & add it\n', '# args : no args.\n', '# usage : pub_addr=\"$(checkPublicAddress)\"\n', 'function checkPublicAddress {\n', ' log-data \"Executing checkPublicAddress function\" >&2\n', ' ipaddr=\"$(ip addr show dev eth0)\"\n', ' pub_addr=\"$(echo \"$ipaddr\" | sed -n -e \"s|^ *inet \\\\([^/]*\\\\)/.* eth0:1\\$|\\\\1|p\")\"\n', '\n', ' log-data \"At start - \" \"ip addr show dev eth0: \\\\n$ipaddr\" \"pub_addr: $pub_addr\" >&2\n', ' if test -z \"$pub_addr\" ; then\n', ' log-data \"Trying to set alias for public ip address\" >&2\n', ' pub_addr=\"$(get-cloud-data.sh \"metadata/instance/network/interface?api-version=2017-04-02\" | jq -r \".[].ipv4.ipAddress[].publicIpAddress\" | grep --max-count 1 .)\"\n', '\n', '\n', '\n', ' log-data \"Public Address from instance metadata: 
$pub_addr\" >&2\n', ' test -z \"$pub_addr\" || {\n', ' runcmd -rc \"1 0\" clish -c \"lock database override\" >&2\n', ' runcmd clish -s -c \"add interface eth0 alias $pub_addr/32\" >&2\n', ' if [ \"$?\" -eq \"0\" ] ; then\n', ' log-data \"Setting alias for eth0 completed successfuly\" >&2\n', ' else\n', ' log-data \"Failed to set alias for eth0\" >&2\n', ' fi\n', ' }\n', ' fi\n', ' log-data \"Interfaces at end: \\\\n$(ifconfig)\" >&2\n', ' test -z \"$pub_addr\" || echo \"$pub_addr\"\n', '}\n', '\n', 'case \"$installationType\" in\n', 'gateway)\n', ' installSecurityGateway=true\n', ' gateway_cluster_member=false\n', ' installSecurityManagement=false\n', ' sicKey=\"', variables('sicKey'), '\"', '\n', ' ;;\n', 'cluster)\n', ' installSecurityGateway=true\n', ' gateway_cluster_member=true\n', ' installSecurityManagement=false\n', ' sicKey=\"', variables('sicKey'), '\"', '\n', ' cluster\n', ' ;;\n', 'vmss)\n', ' installSecurityGateway=true\n', ' gateway_cluster_member=false\n', ' installSecurityManagement=false\n', ' sicKey=\"', variables('sicKey'), '\"', '\n', ' ;;\n', 'management)\n', ' installSecurityGateway=false\n', ' installSecurityManagement=true\n', ' sicKey=notused\n', ' ;;\n', 'custom)\n', ' pub_addr=\"$(checkPublicAddress)\"\n', ' log-data \"Instance metadata at end: \\\\n$(getInstanceMetadata)\"\n', ' exit 0\n', ' ;;\n', 'standalone | *)\n', ' installSecurityGateway=true\n', ' installSecurityManagement=true\n', ' gateway_cluster_member=false\n', ' sicKey=notused\n', ' ;;\n', 'esac\n', '\n', 'log-data \"installSecurityGateway: $installSecurityGateway\" \"gateway_cluster_member: $gateway_cluster_member\" \"installSecurityManagement: $installSecurityManagement\"\n', '\n', '\n', '\n', 'if [ \"$isBlink\" == \"True\" ]; then\n', ' if \"$installSecurityManagement\"; then\n', ' conf=\"mgmt_admin_radio=gaia_admin\"\n', ' else\n', ' conf=\"gateway_cluster_member=$gateway_cluster_member\"\n', ' fi\n', ' conf=\"${conf}&download_info=$allowUploadDownload\"\n', ' 
conf=\"${conf}&upload_info=$allowUploadDownload\"\n', ' log-data \"conf: $conf\"\n', '\n', ' conf=\"${conf}&ftw_sic_key=$sicKey\"\n', ' # temporary variable as blink config demands password (for now) this way the blink_config command works and does not override admin password\n', ' if [ \"$osVersion\" == \"R8010\" ]; then\n', ' conf=\"${conf}&admin_password_regular=1\"\n', ' fi\n', ' log-data \"Running blink config\"\n', ' blink_config -s \"$conf\"\n', 'else\n', ' conf=\"install_security_gw=$installSecurityGateway\"\n', ' if \"$installSecurityGateway\"; then\n', ' conf=\"${conf}&install_ppak=true\"\n', ' conf=\"${conf}&gateway_cluster_member=$gateway_cluster_member\"\n', ' fi\n', ' conf=\"${conf}&install_security_managment=$installSecurityManagement\"\n', ' if \"$installSecurityManagement\"; then\n', ' if [ \"R7730\" == \"$osVersion\" ]; then\n', ' managementAdminPassword=\"$(dd if=/dev/urandom count=1 2>/dev/null | sha1sum | cut -c -28)\"\n', ' conf=\"${conf}&mgmt_admin_name=admin\"\n', ' conf=\"${conf}&mgmt_admin_passwd=${managementAdminPassword}\"\n', ' else\n', ' conf=\"${conf}&mgmt_admin_radio=gaia_admin\"\n', ' fi\n', '\n', ' managementGUIClientNetwork=\"', variables('managementGUIClientNetwork'), '\"', '\n', ' conf=\"${conf}&install_mgmt_primary=true\"\n', '\n', ' if [ \"0.0.0.0/0\" = \"$managementGUIClientNetwork\" ]; then\n', ' conf=\"${conf}&mgmt_gui_clients_radio=any\"\n', ' else\n', ' conf=\"${conf}&mgmt_gui_clients_radio=network\"\n', ' ManagementGUIClientBase=\"$(echo \"$managementGUIClientNetwork\" | cut -d / -f 1)\"\n', ' ManagementGUIClientMaskLength=\"$(echo \"$managementGUIClientNetwork\" | cut -d / -f 2)\"\n', ' conf=\"${conf}&mgmt_gui_clients_ip_field=$ManagementGUIClientBase\"\n', ' conf=\"${conf}&mgmt_gui_clients_subnet_field=$ManagementGUIClientMaskLength\"\n', ' fi\n', ' fi\n', '\n', ' conf=\"${conf}&download_info=$allowUploadDownload\"\n', ' conf=\"${conf}&upload_info=$allowUploadDownload\"\n', ' log-data \"conf: $conf\"\n', ' # add sicKey 
value after loging the rest of conf parameters in order not to save the SIC key.\n', ' conf=\"${conf}&ftw_sic_key=$sicKey\"\n', '\n', ' #since DA process is running parallel to FTW and may cause to problems like SIM (TaskId=72815)\n', ' #the DA is being stoped before FTW is running, and restart again after FTW is finished.\n', ' log-data \"Stop DA process: $(/opt/CPda/bin/dastop)\"\n', '\n', ' log-data \"Running first time wizard\"\n', ' config_system -s \"$conf\"\n', '\n', ' log-data \"Start DA process: $(/opt/CPda/bin/dastart)\"\n', 'fi\n', '\n', 'pub_addr=\"$(checkPublicAddress)\"\n', 'log-data \"VM public address is: $pub_addr\"\n', '\n', '# set the main IP of the management object in SmartConsole to be the public IP:\n', 'if [ \"$installationType\" = \"management\" ] && [ \"R7730\" != \"$osVersion\" ]; then\n', ' until mgmt_cli -r true discard ; do\n', ' sleep 30\n', ' done\n', ' addr=\"$(ip addr show dev eth0 | sed -n -e \"s|^ *inet \\\\([^/]*\\\\)/.* eth0\\$|\\\\1|p\")\"\n', '\n', ' uid=\"$(mgmt_cli -r true show-generic-objects class-name com.checkpoint.objects.classes.dummy.CpmiHostCkp details-level full -f json | jq -r \".objects[] | select(.ipaddr == \\\"$addr\\\") | .uid\")\"\n', '\n', '\n', '\n', ' test -z \"$uid\" || test -z \"$pub_addr\" || mgmt_cli -r true set-generic-object uid \"$uid\" ipaddr \"$pub_addr\"\n', '\n', ' log-data \"Management - Set management object in SmartConsole IP address to $pub_addr\"\n', 'fi\n', 'if \"$installSecurityManagement\" && [ \"R7730\" != \"$osVersion\" ]; then\n', ' chkconfig --add autoprovision\n', ' log-data \"Add autoprovision service to chkconfig\"\n', 'fi\n', '\n', 'if [ \"$installationType\" = \"vmss\" ] || [ \"$installationType\" = \"cluster\" ]; then\n', ' # add dynamic objects to represent the GWs external NICs in management:\n', ' dynamic_object_names=\"$(dynamic_objects -l | awk \"/object/{print \\$4}\")\"\n', ' log-data \"dynamic object names before are: $dynamic_object_names\"\n', ' ExtAddr=\"$(ip addr 
show dev eth0 | awk \"/inet/{print \\$2; exit}\" | cut -d / -f 1)\"\n', ' runcmd -rc \"19 0 3\" dynamic_objects -n LocalGatewayExternal -r \"$ExtAddr\" \"$ExtAddr\" -a\n', ' if [ \"$?\" -eq \"0\" ] ; then\n', ' log-data \"Created dynamic object for eth0\"\n', ' else\n', ' log-data \"Failed to create dynamic object for eth0\"\n', ' fi\n', ' log-data \"Set dynamic objects: (Ext: $ExtAddr) \\\\n$(dynamic_objects -l)\"\n', '\n', ' # Disable anti-spoofing feature in SecureXL for unknown connections.\n', ' # To prevent anti-spoofing on eth1 to drop the health probe queries.\n', ' if [ \"R7730\" != \"$osVersion\" ]; then\n', ' if [ -f /opt/CPshared/5.0/tmp/.CPprofile.sh ]; then\n', ' log-data \"/opt/CPshared/5.0/tmp/.CPprofile.sh exists and is a regular file.\"\n', ' . /opt/CPshared/5.0/tmp/.CPprofile.sh\n', ' log-data \"add sim_anti_spoofing_enabled=0 to $PPKDIR/boot/modules/simkern.conf\"\n', ' echo \"sim_anti_spoofing_enabled=0\" >> \"$PPKDIR/boot/modules/simkern.conf\"\n', ' log-data \"\\$PPKDIR/boot/modules/simkern.conf: \\\\n$(cat $PPKDIR/boot/modules/simkern.conf)\"\n', ' fi\n', ' fi\n', 'fi\n', '\n', 'if [ \"$installationType\" == \"vmss\" ]; then\n', ' # add dynamic objects to represent the GWs internal NICs in management:\n', ' IntAddr=\"$(ip addr show dev eth1 | awk \"/inet/{print \\$2; exit}\" | cut -d / -f 1)\"\n', ' runcmd -rc \"19 0 3\" dynamic_objects -n LocalGatewayInternal -r \"$IntAddr\" \"$IntAddr\" -a\n', ' if [ \"$?\" -eq \"0\" ] ; then\n', ' log-data \"VMSS - created dynamic object for eth1\"\n', ' else\n', ' log-data \"VMSS - failed to create dynamic object for eth1\"\n', ' fi\n', ' log-data \"VMSS - Set dynamic objects: (Int: $IntAddr) \\\\n$(dynamic_objects -l)\"\n', '\n', ' # add static route for all vnet but Frontend to use eth1:\n', ' subnet2Prefix=\"$(getInstanceMetadata | jq -r \".network.interface[1].ipv4.subnet[].address\")\"\n', ' firstThreeOctats=\"$(echo $subnet2Prefix | cut -d / -f 1 | cut -d . 
-f 1,2,3)\"\n', ' forthOctats=\"$(echo $subnet2Prefix | cut -d / -f 1 | cut -d . -f 4)\"\n', ' forthOctats=\"$(( forthOctats + 1 ))\"\n', ' router=\"$firstThreeOctats.$forthOctats\"\n', ' log-data \"Vnet CIDR: $vnet\" \"Internal subnet CIDR: $subnet2Prefix\" \"Internal subnet gateway: $router\"\n', ' vnets=(\"$vnet\" \"10.0.0.0/8\" \"172.16.0.0/12\" \"192.168.0.0/16\")\n', ' runcmd -rc \"1 0\" clish -c \"lock database override\" >&2\n', ' for vnet in \"${vnets[@]}\"; do\n', ' runcmd clish -s -c \"set static-route $vnet nexthop gateway address $router on\"\n', ' if [ \"$?\" == \"0\" ] ; then\n', ' log-data \"Set static-route for vnet: $vnet to router: $router\"\n', ' else\n', ' log-data \"Failed to set static-route for vnet: $vnet to router: $router\"\n', ' fi\n', ' done\n', 'fi\n', '\n', 'log-data \"VM static routes: \\\\n$(route)\"\n', 'log-data \"Contents of $FWDIR/boot/modules/fwkern.conf at end: \\\\n$(cat \"$FWDIR/boot/modules/fwkern.conf\")\"\n', '\n', 'if \"$installSecurityGateway\"; then\n', ' log-data \"Instance metadata at end: \\\\n$(getInstanceMetadata)\"\n', ' if [ \"$isBlink\" == \"False\" ] || [ \"$installationType\" == \"cluster\" ]; then\n', ' log-data \"VM is shuting down\"\n', ' shutdown -r now\n', ' fi\n', 'else\n', ' if \"$installSecurityManagement\" && [ \"R7730\" != \"$osVersion\" ]; then\n', ' service autoprovision start\n', ' log-data \"Instance metadata at end: \\\\n$(getInstanceMetadata)\"\n', ' log-data \"Start service autoprovision\"\n', ' fi\n', 'fi\n')]", + "imageOfferR7730": "check-point-r77-10", + "imageOffer": "[concat(variables(concat('imageOffer', variables('osVersion'))), parameters('preview'))]", + "imagePublisher": "checkpoint", + "imageReferenceBYOL": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "[concat(if(equals(variables('osVersion'), 'R8020'), 'mgmt', 'sg'),'-byol')]", + "version": "latest" + }, + "imageReferenceMGMT5": { + "offer": "[variables('imageOffer')]", + 
"publisher": "[variables('imagePublisher')]", + "sku": "mgmt-5", + "version": "latest" + }, + "imageReference": "[variables(concat('imageReference', variables('offer')))]", + "nic1Name": "[concat(parameters('vmName'), '-eth0')]", + "linuxConfigurationpassword": {}, + "linuxConfigurationsshPublicKey": { + "disablePasswordAuthentication": "true", + "ssh": { + "publicKeys": [ + { + "keyData": "[parameters('sshPublicKey')]", + "path": "/home/notused/.ssh/authorized_keys" + } + ] + } + }, + "linuxConfiguration": "[variables(concat('linuxConfiguration',parameters('authenticationType')))]", + "planBYOL": { + "name": "[concat(if(equals(variables('osVersion'), 'R8020'), 'mgmt', 'sg'),'-byol')]", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planMGMT5": { + "name": "mgmt-5", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "plan": "[variables(concat('plan', variables('offer')))]", + "publicIPAddressName": "[parameters('vmName')]", + "publicIPAddressId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName'))]", + "nsgName": "[concat(parameters('vmName'), '-nsg')]", + "nsgId": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName'))]", + "bootstrapScript64": "[base64(parameters('bootstrapScript'))]", + "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]", + "networkSetupURL": "[concat(parameters('baseUrl'),'/vnet-1-subnet-', parameters('vnetNewOrExisting'), '.json')]", + "sicKey": "notused", + "managementGUIClientNetwork": "[parameters('managementGUIClientNetwork')]" + }, + "resources": [ + { + "apiVersion": "2018-02-01", + "name": "pid-cad9cfed-843e-554d-a348-a42352708fab", + "type": "Microsoft.Resources/deployments", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + 
"resources": [] + } + } + }, + { + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('storageAccountName')]", + "apiVersion": "[variables('storageApiVersion')]", + "location": "[variables('location')]", + "sku": { + "name": "[variables('storageAccountType')]" + }, + "kind": "Storage" + }, + { + "name": "networkSetup", + "type": "Microsoft.Resources/deployments", + "apiVersion": "[variables('deploymentsApiVersion')]", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + "value": "[variables('location')]" + }, + "apiVersion": { + "value": "[variables('networkApiVersion')]" + }, + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + "virtualNetworkAddressPrefix": { + "value": "[parameters('virtualNetworkAddressPrefix')]" + }, + "Subnet1Name": { + "value": "[parameters('Subnet1Name')]" + }, + "Subnet1Prefix": { + "value": "[parameters('Subnet1Prefix')]" + }, + "vnetNewOrExisting": { + "value": "[parameters('vnetNewOrExisting')]" + }, + "virtualNetworkExistingRGName": { + "value": "[parameters('virtualNetworkExistingRGName')]" + } + } + } + }, + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "[variables('networkApiVersion')]", + "location": "[variables('location')]", + "name": "[variables('publicIPAddressName')]", + "properties": { + "idleTimeoutInMinutes": 30, + "publicIPAllocationMethod": "Static", + "dnsSettings": { + "domainNameLabel": "[concat(toLower(parameters('vmName')), '-', uniquestring(resourceGroup().id, deployment().name))]" + } + } + }, + { + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "[variables('networkApiVersion')]", + "location": "[variables('location')]", + "name": "[variables('nsgName')]", + "properties": { + "securityRules": [ + { + "name": "SSH", + "properties": { + "description": "Allow inbound SSH connection", + "protocol": "TCP", + 
"sourcePortRange": "*", + "destinationPortRange": "22", + "sourceAddressPrefix": "[variables('managementGUIClientNetwork')]", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "100", + "direction": "Inbound" + } + }, + { + "name": "GAiA-portal", + "properties": { + "description": "Allow inbound HTTPS access to the GAiA portal", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "443", + "sourceAddressPrefix": "[variables('managementGUIClientNetwork')]", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "110", + "direction": "Inbound" + } + }, + { + "name": "SmartConsole-1", + "properties": { + "description": "Allow inbound access using the SmartConsole GUI client", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "18190", + "sourceAddressPrefix": "[variables('managementGUIClientNetwork')]", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "120", + "direction": "Inbound" + } + }, + { + "name": "SmartConsole-2", + "properties": { + "description": "Allow inbound access using the SmartConsole GUI client", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "19009", + "sourceAddressPrefix": "[variables('managementGUIClientNetwork')]", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "130", + "direction": "Inbound" + } + }, + { + "name": "Logs", + "properties": { + "description": "Allow inbound logging connections from managed gateways", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "257", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "140", + "direction": "Inbound" + } + }, + { + "name": "ICA-pull", + "properties": { + "description": "Allow security gateways to pull a SIC certificate", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "18210", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": 
"Allow", + "priority": "150", + "direction": "Inbound" + } + }, + { + "name": "CRL-fetch", + "properties": { + "description": "Allow security gateways to fetch CRLs", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "18264", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "160", + "direction": "Inbound" + } + }, + { + "name": "Policy-fetch", + "properties": { + "description": "Allow security gateways to fetch policy", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "18191", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "170", + "direction": "Inbound" + } + } + ] + } + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "[variables('networkApiVersion')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 'networkSetup')]", + "[variables('nsgId')]", + "[variables('publicIPAddressId')]" + ], + "location": "[variables('location')]", + "name": "[variables('nic1Name')]", + "properties": { + "enableIPForwarding": false, + "networkSecurityGroup": { + "id": "[variables('nsgId')]" + }, + "ipConfigurations": [ + { + "name": "ipconfig1", + "properties": { + "privateIPAddress": "[parameters('Subnet1StartAddress')]", + "privateIPAllocationMethod": "Static", + "PublicIpAddress": { + "Id": "[variables('publicIPAddressId')]" + }, + "subnet": { + "id": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('Subnet1Name'))]" + } + } + } + ] + } + }, + { + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "[variables('computeApiVersion')]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]", + "[resourceId('Microsoft.Network/networkInterfaces', variables('nic1Name'))]" + ], + "location": "[variables('location')]", + "name": "[parameters('vmName')]", + "plan": "[variables('plan')]", + "properties": { + 
"diagnosticsProfile": { + "bootDiagnostics": { + "enabled": "true", + "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), variables('storageApiVersion')).primaryEndpoints.blob]" + } + }, + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nic1Name'))]", + "properties": { + "primary": true + } + } + ] + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "notused", + "computerName": "[toLower(parameters('vmName'))]", + "customData": "[base64(variables('customData'))]", + "linuxConfiguration": "[variables('linuxConfiguration')]" + }, + "storageProfile": { + "imageReference": "[variables('imageReference')]", + "osDisk": { + "caching": "ReadWrite", + "createOption": "FromImage", + "diskSizeGB": "[variables('diskSizeGB')]", + "name": "[parameters('vmName')]", + "managedDisk": { + "storageAccountType": "[parameters('diskType')]" + } + } + } + } + } + ], + "outputs": { + "IPAddress": { + "type": "string", + "value": "[reference(variables('publicIPAddressId')).IpAddress]" + }, + "FQDN": { + "type": "string", + "value": "[reference(variables('publicIPAddressId')).dnsSettings.fqdn]" + } + } +} diff --git a/deprecated/azure/templates/R7730/mgmt-r7730/vnet-1-subnet-existing.json b/deprecated/azure/templates/R7730/mgmt-r7730/vnet-1-subnet-existing.json new file mode 100644 index 00000000..a82ecbb9 --- /dev/null +++ b/deprecated/azure/templates/R7730/mgmt-r7730/vnet-1-subnet-existing.json 
@@ -0,0 +1,73 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "virtualNetworkName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the virtual network"
+ },
+ "defaultValue": "vnet"
+ },
+ "virtualNetworkAddressPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the virtual network"
+ }
+ },
+ "Subnet1Name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the 1st subnet"
+ },
+ "defaultValue": "Frontend"
+ },
+ "Subnet1Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the 1st subnet"
+ },
+ "defaultValue": "10.0.1.0/24"
+ },
+ "vnetNewOrExisting": {
+ "type": "string",
+ "defaultValue": "new",
+ "allowedValues": [
+ "new",
+ "existing"
+ ],
+ "metadata": {
+ "Description": "Indicates whether the virtual network is new or existing"
+ }
+ },
+ "virtualNetworkExistingRGName": {
+ "type": "string",
+ "metadata": {
+ "description": "Resource Group of the existing virtual network"
+ },
+ "defaultValue": ""
+ },
+ "apiVersion": {
+ "type": "string"
+ },
+ "Check_PointTags": {
+ "type": "object",
+ "defaultValue": {
+ "provider": "30DE18BC-F9F6-4F22-9D30-54B8E74CFD5F"
+ }
+ }
+ },
+ "variables": {
+ "vnetId": "[resourceId(parameters('virtualNetworkExistingRGName'),'Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]"
+ },
+ "resources": [],
+ "outputs": {
+ "vnetId": {
+ "value": "[variables('vnetId')]",
+ "type": "string"
+ }
+ }
+}
diff --git a/deprecated/azure/templates/R7730/mgmt-r7730/vnet-1-subnet-new.json b/deprecated/azure/templates/R7730/mgmt-r7730/vnet-1-subnet-new.json
new file mode 100644
index 00000000..ba4bb568
--- /dev/null
+++ b/deprecated/azure/templates/R7730/mgmt-r7730/vnet-1-subnet-new.json
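Review bot: The `vnetNewOrExisting` parameter's metadata uses the key `"Description"` while every other parameter in this file uses lower-case `"description"`; the portal and template tooling read the lower-case key, so this text is probably not surfaced anywhere. Change it to `"description": "Indicates whether the virtual network is new or existing"`. The same capitalised key appears in vnet-1-subnet-new.json and in single-r7730/mainTemplate.json further down this patch. Several declared parameters (location, virtualNetworkAddressPrefix, Subnet1Name, Subnet1Prefix, apiVersion, Check_PointTags) are never referenced in this file; this looks like the parameter set being kept identical to the `new` variant so the caller can pick either nested template with one argument list, which is worth stating in a top-level `metadata` description since JSON offers no comment syntax.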
@@ -0,0 +1,96 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "virtualNetworkName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the virtual network"
+ },
+ "defaultValue": "vnet"
+ },
+ "virtualNetworkAddressPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the virtual network"
+ }
+ },
+ "Subnet1Name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the 1st subnet"
+ },
+ "defaultValue": "Frontend"
+ },
+ "Subnet1Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the 1st subnet"
+ },
+ "defaultValue": "10.0.1.0/24"
+ },
+ "vnetNewOrExisting": {
+ "type": "string",
+ "defaultValue": "new",
+ "allowedValues": [
+ "new",
+ "existing"
+ ],
+ "metadata": {
+ "Description": "Indicates whether the virtual network is new or existing"
+ }
+ },
+ "virtualNetworkExistingRGName": {
+ "type": "string",
+ "metadata": {
+ "description": "Resource Group of the existing virtual network"
+ },
+ "defaultValue": ""
+ },
+ "apiVersion": {
+ "type": "string"
+ },
+ "Check_PointTags": {
+ "type": "object",
+ "defaultValue": {
+ "provider": "30DE18BC-F9F6-4F22-9D30-54B8E74CFD5F"
+ }
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Network/virtualNetworks",
+ "apiVersion": "[parameters('apiVersion')]",
+ "location": "[parameters('location')]",
+ "name": "[parameters('virtualNetworkName')]",
+ "properties": {
+ "addressSpace": {
+ "addressPrefixes": [
+ "[parameters('virtualNetworkAddressPrefix')]"
+ ]
+ },
+ "subnets": [
+ {
+ "name": "[parameters('subnet1Name')]",
+ "properties": {
+ "addressPrefix": "[parameters('subnet1Prefix')]"
+ }
+ }
+ ]
+ },
+ "tags": {
+ "provider": "[toUpper(parameters('Check_PointTags').provider)]"
+ }
+ }
+ ],
+ "outputs": {
+ "vnetId": {
+ "value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]",
+ "type": "string"
+ }
+ }
+}
diff --git a/deprecated/azure/templates/R7730/single-r7730/README.MD b/deprecated/azure/templates/R7730/single-r7730/README.MD
new file mode 100644
index 00000000..340d95b1
--- /dev/null
+++ b/deprecated/azure/templates/R7730/single-r7730/README.MD
@@ -0,0 +1,13 @@
+# How to deploy this template
+To deploy this ARM template, follow these instructions:
+1. Log in to the [Microsoft Azure Portal](https://portal.azure.com)
+2. Click "*Create a resource*"
+3. Search for "*Template deployment (deploy using custom templates)*" and click "*Create*"
+4. Click "*Build your own template in the editor*"
+5. Load the "*mainTemplate.json*" file from this directory and click "*Save*"
+6. Enter the desired template parameters
+ - Replace the "*Base Url*" property with:
+ ```
+ https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/deprecated/azure/templates/single-r7730
+ ```
+7. Click *Purchase* to deploy the solution
diff --git a/deprecated/azure/templates/R7730/single-r7730/createUiDefinition.json b/deprecated/azure/templates/R7730/single-r7730/createUiDefinition.json
new file mode 100644
index 00000000..8ccf677a
--- /dev/null
+++ b/deprecated/azure/templates/R7730/single-r7730/createUiDefinition.json
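Review bot: The subnet definition reads `parameters('subnet1Name')` and `parameters('subnet1Prefix')` while the parameters are declared as `Subnet1Name` and `Subnet1Prefix`; ARM resolves parameter names case-insensitively so this deploys, but the mismatch invites a copy-paste slip when the file is edited, and the rest of the patch uses the capitalised form. Change the two lines to `"name": "[parameters('Subnet1Name')]"` and `"addressPrefix": "[parameters('Subnet1Prefix')]"`. The new subnet carries no `networkSecurityGroup` association; the main template earlier in this patch appears to attach the NSG at the NIC, which is presumably the intended filtering layer, but a subnet-level NSG would add defence in depth for anything else later placed in this subnet, so the choice is worth a sentence in the README if it is deliberate.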
@@ -0,0 +1,379 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Compute.MultiVm", + "version": "0.1.2-preview", + "parameters": { + "basics": [ + { + "name": "gatewayNameUi", + "type": "Microsoft.Common.TextBox", + "label": "VM Name", + "toolTip": "The name of the Check Point CloudGuard.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{1,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + } + }, + { + "name": "auth", + "type": "Microsoft.Compute.CredentialsCombo", + "label": { + "authenticationType": "Authentication type", + "password": "Password", + "confirmPassword": "Confirm password", + "sshPublicKey": "SSH public key" + }, + "toolTip": { + "authenticationType": "", + "password": "The user 'admin' password", + "sshPublicKey": "Paste an OpenSSH public key. You can generate a key pair using ssh-keygen (Linux, OS X, Cygwin) or PuttyGen (Windows)" + }, + "constraints": { + "required": true + }, + "options": { + "hideConfirmation": false, + "hidePassword": false + }, + "osPlatform": "Linux" + } + ], + "steps": [ + { + "name": "chkp", + "label": "Check Point CloudGuard settings", + "subLabel": { + "preValidation": "Configure CloudGuard settings", + "postValidation": "Done" + }, + "bladeTitle": "CloudGuard settings", + "elements": [ + { + "name": "cloudGuardVersion", + "type": "Microsoft.Common.DropDown", + "label": "Check Point CloudGuard version", + "defaultValue": "R77.30", + "toolTip": "The version of Check Point CloudGuard.", + "constraints": { + "allowedValues": [ + { + "label": "R77.30", + "value": "R77.30" + } + ] + } + }, + { + "name": "R7730Offer", + "type": "Microsoft.Common.DropDown", + "label": "License type", + "toolTip": "The type of license.", + "defaultValue": "Bring Your Own License", + "visible": "[and(not(equals(substring(location(), 0, 2), 'us')), 
equals(steps('chkp').cloudGuardVersion, 'R77.30'))]", + "constraints": { + "allowedValues": [ + { + "label": "Bring Your Own License", + "value": "Bring Your Own License" + }, + { + "label": "Pay As You Go (NGTP)", + "value": "Pay As You Go (NGTP)" + } + ] + } + }, + { + "name": "R7730vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R77.30'), or(equals(substring(location(), 0, 2), 'us'), contains(steps('chkp').R7730Offer, 'Bring Your Own License')))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_D3", + "Standard_DS3" + ], + "constraints": { + "excludedSizes": [ + "Basic_A0", + "Basic_A1", + "Basic_A2", + "Basic_A3", + "Standard_A0", + "Standard_A1", + "Standard_A1_v2", + "Standard_A2", + "Standard_A5", + "Standard_D1", + "Standard_D1_v2", + "Standard_DS1", + "Standard_DS1_v2", + "Standard_F1", + "Standard_F1s", + "Standard_G1", + "Standard_GS1" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-r77-10", + "sku": "sg-byol" + }, + "count": 1 + }, + { + "name": "R7730vmSizeUiNGTP", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R77.30'), contains(steps('chkp').R7730Offer, '(NGTP)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_D3", + "Standard_DS3" + ], + "constraints": { + "excludedSizes": [ + "Basic_A0", + "Basic_A1", + "Basic_A2", + "Basic_A3", + "Standard_A0", + "Standard_A1", + "Standard_A1_v2", + "Standard_A2", + "Standard_A5", + "Standard_D1", + "Standard_D1_v2", + "Standard_DS1", + "Standard_DS1_v2", + "Standard_F1", + "Standard_F1s", + "Standard_G1", + "Standard_GS1" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": 
"check-point-r77-10", + "sku": "sg-ngtp" + }, + "count": 1 + }, + { + "name": "installationType", + "type": "Microsoft.Common.DropDown", + "label": "Installation type", + "visible": "[not(equals(steps('chkp').cloudGuardVersion, 'R80.20'))]", + "defaultValue": "Gateway and Management (Standalone)", + "toolTip": "Select the type of deployment", + "constraints": { + "allowedValues": [ + { + "label": "Gateway only", + "value": "gateway" + }, + { + "label": "Gateway and Management (Standalone)", + "value": "standalone" + }, + { + "label": "Configure manually", + "value": "custom" + } + ] + } + }, + { + "name": "managementGUIClientNetwork", + "type": "Microsoft.Common.TextBox", + "label": "Allowed GUI clients", + "toolTip": "GUI clients network CIDR", + "defaultValue": "0.0.0.0/0", + "constraints": { + "required": true, + "regex": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", + "validationMessage": "Enter a valid IPv4 network CIDR" + }, + "visible": "[and(not(equals(steps('chkp').cloudGuardVersion, 'R80.20')), equals(steps('chkp').installationType, 'standalone'))]" + }, + { + "name": "sicKeyUi", + "type": "Microsoft.Common.PasswordBox", + "label": { + "password": "SIC key", + "confirmPassword": "Confirm SIC key" + }, + "toolTip": "Set the Secure Internal Communication one time secret used to set up trust between the gateway and the management server.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{8,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the value must be 8-30 characters long." 
+ }, + "options": { + "hideConfirmation": true + }, + "visible": "[or(equals(steps('chkp').installationType, 'gateway'), equals(steps('chkp').cloudGuardVersion, 'R80.20'))]" + }, + { + "name": "bootstrapScript", + "type": "Microsoft.Common.FileUpload", + "label": "Bootstrap script", + "toolTip": "An optional script to run on the initial boot", + "constraints": { + "required": false, + "accept": ".sh,text/plain" + }, + "options": { + "multiple": false, + "uploadMode": "file", + "openMode": "text", + "encoding": "UTF-8" + } + }, + { + "visible": "[or(equals(steps('chkp').cloudGuardVersion, 'R80.20'), not(equals(steps('chkp').installationType, 'custom')))]", + "name": "allowUploadDownload", + "type": "Microsoft.Common.OptionsGroup", + "label": "Allow download from/upload to Check Point", + "defaultValue": "Yes", + "toolTip": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "true" + }, + { + "label": "No", + "value": "false" + } + ] + } + }, + { + "name": "additionalDiskSizeGB", + "type": "Microsoft.Common.TextBox", + "label": "Additional disk space (GB)", + "defaultValue": "0", + "toolTip": "Amount of additional disk space (in GB), Initial disk size is 50 GB for R77.30", + "constraints": { + "regex": "^([0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-2][0-9][0-9][0-9]|3[0-8][0-9][0-9]|399[0-5])$", + "validationMessage": "Select a number between 0 and 3995" + } + }, + { + "name": "VMDiskType", + "type": "Microsoft.Common.OptionsGroup", + "label": "VM disk type", + "toolTip": "Type of CloudGuard disk.", + "visible": "[and(not(equals(substring(location(), 0, 2), 'us')), or(contains(steps('chkp').R7730vmSizeUiBYOL, 'DS'), contains(steps('chkp').R7730vmSizeUiNGTP, 'DS')))]", + "defaultValue": "Standard", + "constraints": { + "allowedValues": [ + { + "label": "Standard", + "value": "Standard_LRS" + }, + { + "label": "Premium", + "value": 
"Premium_LRS" + } + ] + } + } + ] + }, + { + "name": "network", + "label": "Network settings", + "subLabel": { + "preValidation": "Configure network settings", + "postValidation": "Done" + }, + "bladeTitle": "Network settings", + "elements": [ + { + "name": "virtualNetwork", + "type": "Microsoft.Network.VirtualNetworkCombo", + "label": { + "virtualNetwork": "Virtual network", + "subnets": "Subnets" + }, + "toolTip": { + "virtualNetwork": "Virtual Network Name", + "subnets": "List of subnets to deploy into" + }, + "defaultValue": { + "name": "vnet01", + "addressPrefixSize": "/16" + }, + "constraints": { + "minAddressPrefixSize": "/28" + }, + "options": { + "hideExisting": false + }, + "subnets": { + "subnet1": { + "label": "Frontend subnet", + "defaultValue": { + "name": "Frontend", + "addressPrefixSize": "/24" + }, + "constraints": { + "minAddressPrefixSize": "/29", + "minAddressCount": 1, + "requireContiguousAddresses": true + } + }, + "subnet2": { + "label": "Backend subnet", + "defaultValue": { + "name": "Backend", + "addressPrefixSize": "/24" + }, + "constraints": { + "minAddressPrefixSize": "/29", + "minAddressCount": 1, + "requireContiguousAddresses": true + } + } + } + } + ] + } + ], + "outputs": { + "location": "[location()]", + "cloudGuardVersion": "[concat(steps('chkp').cloudGuardVersion, ' - ', coalesce(steps('chkp').R7730Offer, steps('chkp').R80Offer, 'Bring Your Own License'))]", + "adminPassword": "[basics('auth').password]", + "authenticationType": "[basics('auth').authenticationType]", + "sshPublicKey": "[basics('auth').sshPublicKey]", + "vmName": "[basics('gatewayNameUi')]", + "vmSize": "[coalesce(steps('chkp').R7730vmSizeUiBYOL, steps('chkp').R7730vmSizeUiNGTP)]", + "sicKey": "[coalesce(steps('chkp').sicKeyUi, 'notused')]", + "virtualNetworkName": "[steps('network').virtualNetwork.name]", + "virtualNetworkAddressPrefix": "[steps('network').virtualNetwork.addressPrefix]", + "Subnet1Name": "[steps('network').virtualNetwork.subnets.subnet1.name]", + 
"Subnet1Prefix": "[steps('network').virtualNetwork.subnets.subnet1.addressPrefix]", + "Subnet1StartAddress": "[steps('network').virtualNetwork.subnets.subnet1.startAddress]", + "Subnet2Name": "[steps('network').virtualNetwork.subnets.subnet2.name]", + "Subnet2Prefix": "[steps('network').virtualNetwork.subnets.subnet2.addressPrefix]", + "Subnet2StartAddress": "[steps('network').virtualNetwork.subnets.subnet2.startAddress]", + "vnetNewOrExisting": "[steps('network').virtualNetwork.newOrExisting]", + "virtualNetworkExistingRGName": "[steps('network').virtualNetwork.resourceGroup]", + "managementGUIClientNetwork": "[steps('chkp').managementGUIClientNetwork]", + "installationType": "[steps('chkp').installationType]", + "bootstrapScript": "[steps('chkp').bootstrapScript]", + "allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp').allowUploadDownload, 'true')]", + "additionalDiskSizeGB": "[int(steps('chkp').additionalDiskSizeGB)]", + "diskType": "[coalesce(steps('chkp').VMDiskType, 'Standard_LRS')]" + } + } +} + diff --git a/deprecated/azure/templates/R7730/single-r7730/mainTemplate.json b/deprecated/azure/templates/R7730/single-r7730/mainTemplate.json new file mode 100644 index 00000000..6610c3d1 --- /dev/null +++ b/deprecated/azure/templates/R7730/single-r7730/mainTemplate.json 
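Review bot: `managementGUIClientNetwork` defaults to `0.0.0.0/0`, so a user who accepts the defaults of a standalone deployment permits SmartConsole/GUI connections to the management server from any source address; the same default is declared in single-r7730/mainTemplate.json further down this patch. Since the element is already `"required": true`, drop the `"defaultValue": "0.0.0.0/0"` line so the operator must state a range, and make the toolTip describe what the value controls: `"toolTip": "Network CIDR of the hosts allowed to connect with SmartConsole; 0.0.0.0/0 permits management connections from any address"`. Separately, several `visible` expressions and the `cloudGuardVersion` output still reference `'R80.20'` and `steps('chkp').R80Offer`, neither of which exists in this R77.30-only definition; they are dead branches inherited from another template and should be removed or the reuse documented.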
@@ -0,0 +1,524 @@
+{
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "Deployment location"
+ },
+ "defaultValue": "[resourceGroup().location]"
+ },
+ "cloudGuardVersion": {
+ "type": "string",
+ "allowedValues": [
+ "R77.30 - Bring Your Own License",
+ "R77.30 - Pay As You Go (NGTP)"
+ ],
+ "defaultValue": "R77.30 - Bring Your Own License",
+ "metadata": {
+ "description": "Version of Check Point vSEC"
+ }
+ },
+ "adminPassword": {
+ "type": "securestring",
+ "metadata": {
+ "description": "Administrator password"
+ },
+ "defaultValue": ""
+ },
+ "authenticationType": {
+ "type": "string",
+ "allowedValues": [
+ "password",
+ "sshPublicKey"
+ ],
+ "defaultValue": "password",
+ "metadata": {
+ "description": "Authentication type"
+ }
+ },
+ "sshPublicKey": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Administrator SSH public key"
+ }
+ },
+ "vmName": {
+ "type": "string",
+ "metadata": {
+ "description": "Name of the Check Point Security Gateway"
+ }
+ },
+ "vmSize": {
+ "type": "string",
+ "defaultValue": "Standard_D3_v2",
+ "metadata": {
+ "description": "Size of the VM"
+ }
+ },
+ "sicKey": {
+ "type": "securestring",
+ "metadata": {
+ "description": "One time key for Secure Internal Communication"
+ }
+ },
+ "virtualNetworkName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the virtual network"
+ },
+ "defaultValue": "vnet"
+ },
+ "virtualNetworkAddressPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the virtual network"
+ },
+ "defaultValue": "10.0.0.0/16"
+ },
+ "Subnet1Name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the 1st subnet"
+ },
+ "defaultValue": "Frontend"
+ },
+ "Subnet1Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the 1st subnet"
+ },
+ "defaultValue": "10.0.1.0/24"
+ },
+ "Subnet1StartAddress": {
+ "type": "string",
+ "metadata": {
+ "description": "The first available address on the 1st subnet"
+ },
+ "defaultValue": "10.0.1.10"
+ },
+ "Subnet2Name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the 2nd subnet"
+ },
+ "defaultValue": "Backend"
+ },
+ "Subnet2Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the 2nd subnet"
+ },
+ "defaultValue": "10.0.2.0/24"
+ },
+ "Subnet2StartAddress": {
+ "type": "string",
+ "metadata": {
+ "description": "The first available address on the 2nd subnet"
+ },
+ "defaultValue": "10.0.2.10"
+ },
+ "vnetNewOrExisting": {
+ "type": "string",
+ "defaultValue": "new",
+ "allowedValues": [
+ "new",
+ "existing"
+ ],
+ "metadata": {
+ "Description": "Indicates whether the virtual network is new or existing"
+ }
+ },
+ "virtualNetworkExistingRGName": {
+ "type": "string",
+ "metadata": {
+ "description": "Resource Group of the existing virtual network"
+ },
+ "defaultValue": ""
+ },
+ "managementGUIClientNetwork": {
+ "type": "string",
+ "metadata": {
+ "description": "Allowed GUI clients"
+ },
+ "defaultValue": "0.0.0.0/0"
+ },
+ "installationType": {
+ "type": "string",
+ "metadata": {
+ "description": "Installation Type"
+ },
+ "defaultValue": "standalone",
+ "allowedValues": [
+ "standalone",
+ "gateway",
+ "custom"
+ ]
+ },
+ "baseUrl": {
+ "type": "string",
+ "metadata": {
+ "artifactsBaseUrl": ""
+ },
+ "defaultValue": "https://s3-us-west-2.amazonaws.com/azure.templates/marketplace-single"
+ },
+ "bootstrapScript": {
+ "type": "string",
+ "metadata": {
+ "description": "Bootstrap script"
+ },
+ "defaultValue": ""
+ },
+ "allowDownloadFromUploadToCheckPoint": {
+ "type": "string",
+ "allowedValues": [
+ "true",
+ "false"
+ ],
+ "defaultValue": "true",
+ "metadata": {
+ "description": "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point" + } + }, + "additionalDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "metadata": { + "description": "Amount of additional disk space (in GB)" + }, + "minValue": 0, + "maxValue": 3995 + }, + "diskType": { + "type": "string", + "defaultValue": "Standard_LRS", + "metadata": { + "description": "The type of the OS disk. Premium is applicable only to DS machine sizes" + }, + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ] + }, + "preview": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Deploy the staged image" + }, + "allowedValues": [ + "", + "-preview" + ] + } + }, + "variables": { + "templateName": "single", + "templateVersion": "20181206", + "location": "[parameters('location')]", + "offers": { + "R77.30 - Bring Your Own License": "BYOL", + "R77.30 - Pay As You Go (NGTP)": "NGTP" + }, + "offer": "[variables('offers')[parameters('cloudGuardVersion')]]", + "osVersions": { + "R77.30 - Bring Your Own License": "R7730", + "R77.30 - Pay As You Go (NGTP)": "R7730" + }, + "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", + "installationType": "[if(equals(variables('osVersion'), 'R8020'), 'gateway', parameters('installationType'))]", + "isBlink": "[and(or(equals(variables('osVersion'), 'R8010'), equals(variables('osVersion'), 'R8020')), equals(variables('installationType'), 'gateway'))]", + "computeApiVersion": "2017-03-30", + "storageApiVersion": "2016-01-01", + "networkApiVersion": "2018-01-01", + "deploymentsApiVersion": "2016-02-01", + "storageAccountName": "[concat('bootdiag', uniqueString(resourceGroup().id, deployment().name))]", + "storageAccountType": "Standard_LRS", + "diskSizeGBR7730": 50, + "diskSizeGB": "[add(parameters('additionalDiskSizeGB'), variables(concat('diskSizeGB', variables('osVersion'))))]", + "customData": "[concat('#!/bin/bash\n', '\n', 'LOG_FILE=/var/log/custom-data.log\n', 'exec >>$LOG_FILE 2>&1\n', '\n', '# 
description: echo instance metadata\n', '# args :\n', '# optional: string contatining api version date.\n', '# default is to \"2017-08-01\".\n', '# usage :\n', '# getInstanceMetadata \"2017-12-01\"\n', 'function getInstanceMetadata {\n', ' # get instance metadata using Azure Instance Metadata service:\n', ' if test -z \"$#\" ; then\n', ' api_version=\"$1\"\n', ' else\n', ' api_version=\"2017-08-01\"\n', ' fi\n', ' metadata=\"$(get-cloud-data.sh \"metadata/instance/?api-version=$api_version\" | jq \".\")\"\n', '\n', '\n', ' echo \"$metadata\"\n', ' log-data \"Instance metadata retrieved using api version: $api_version\" >&2\n', '}\n', '\n', '# description: echo $@ to std output wrapped with date and additional data\n', '# args :\n', '# add \"-w\" before the content to log warning message.\n', '# add \"-e\" before the content to log error message.\n', '# default is to log info message.\n', '# usage :\n', '# log-data \"-w\" \"my message\"\n', 'function log-data {\n', ' test -z \"$1\" && echo \"$(date +\"%F %T\") CUSTOM-DATA [INFO]\" || {\n', ' if [[ \"$1\" == \"-w\" ]] ; then\n', ' prefix=\"[WARNING] \"\n', ' shift\n', ' elif [[ \"$1\" == \"-e\" ]] ; then\n', ' prefix=\"[ERROR] \"\n', ' shift\n', ' else\n', ' prefix=\"[INFO] \"\n', ' fi\n', ' for i in \"$@\"; do\n', ' echo -e \"$(date +\"%F %T\") CUSTOM-DATA $prefix$i\"\n', ' shift\n', ' done\n', ' }\n', '}\n', '\n', '# description: wrapper to command to enable retries\n', '# args :\n', '# To specify return codes:\n', '# \"-rc\" followed by string of numbers seperated by a space: \"int1 int2\".\n', '# default is \"0\".\n', '# To specify maximum duration for retries:\n', '# \"-md\" followed by a number: 5.\n', '# default is 8.\n', '# To specift sleep time between retries:\n', '# \"-st\" followed by a number: 1.\n', '# default is 2.\n', '# usage :\n', '# runcmd -rc \"19 0 3\" \"-md\" 6 \"-st\" 1 my-command\n', 'function runcmd {\n', ' expected_returnval=()\n', ' if [ \"$1\" == \"-rc\" ] ; then\n', ' shift\n', ' for val 
in $1\n', ' do\n', ' expected_returnval[\"$val\"]=\"1\"\n', ' done\n', ' shift\n', ' else\n', ' expected_returnval[\"0\"]=\"1\"\n', ' fi\n', ' if [ \"$1\" == \"-md\" ] ; then\n', ' shift\n', ' MAX_DURATION=$1\n', ' shift\n', ' else\n', ' MAX_DURATION=8\n', ' fi\n', ' if [ \"$1\" == \"-st\" ] ; then\n', ' shift\n', ' SLEEP_TIME=$1\n', ' shift\n', ' else\n', ' SLEEP_TIME=2\n', ' fi\n', ' cmd=\"$@\"\n', ' log-data \"Executing $cmd\" \" Allowed return values : $(echo ${!expected_returnval[@]})\" \" Maximum retries duration : $MAX_DURATION\" \" Sleep time between retries: $SLEEP_TIME\" >&2\n', '\n', '\n', '\n', ' SECONDS=0\n', ' while [ \"$SECONDS\" -lt \"$MAX_DURATION\" ] ; do\n', ' returnmsg=\"$(\"$@\" 2>&1)\"\n', ' returnval=\"$?\"\n', ' if [[ ${expected_returnval[$returnval]} ]] ; then\n', ' log-data \"Success executing: $cmd\n', '\\\\tReturn Value : $(echo $returnval)\n', '\\\\tReturn message: $(echo $returnmsg)\" >&2\n', ' return 0\n', ' fi\n', ' log-data \"-w\" \"Retrying to execute command: $cmd\n', '\\\\tReturn Value : $(echo $returnval)\n', '\\\\tReturn message: $(echo $returnmsg)\" >&2\n', ' sleep \"$SLEEP_TIME\"\n', ' done\n', ' log-data \"-e\" \"Failed to execute command: $cmd\n', '\\\\tReturn Value : $(echo $returnval) (expected: $expected_returnval)\n', '\\\\tReturn message: $(echo $returnmsg)\n', '\\\\tTotal run time: $SECONDS [seconds]\" >&2\n', ' return 1\n', '}\n', '\n', 'log-data \"Start of custom-data.sh\"\n', 'log-data \"Time Zone: $(date +\"%Z %:z\")\"\n', 'log-data \"Instance metadata at beginning: \\\\n$(getInstanceMetadata)\"\n', 'log-data \"Contents of $FWDIR/boot/modules/fwkern.conf at beginning: \\\\n$(cat \"$FWDIR/boot/modules/fwkern.conf\")\"\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', 
'\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', '\n', 'if [ -z \"${isBlink}\" ]; then\n', ' isBlink=\"False\"\n', 'fi\n', '\n', 'log-data \"isBlink val: $isBlink\"\n', '\n', 'log-data \"templateName: $templateName\" \"templateVersion: $templateVersion\" \"installationType: $installationType\" \"osVersion: $osVersion\"\n', '\n', '\n', '\n', '\n', 'echo \"template_name: $templateName\" >> /etc/cloud-version\n', 'echo \"template_version: $templateVersion\" >> /etc/cloud-version\n', '\n', 'log-data \"Executing bootstrap script:\"\n', 'bootstrap=\"$(dirname \"$0\")/bootstrap\"\n', 'cat <<<\"', variables('bootstrapScript64'), '\" | tr -d \"\\n\" | base64 -d >\"$bootstrap\"', '\n', 'dos2unix \"$bootstrap\"\n', 'chmod +x \"$bootstrap\"\n', 'cp \"$bootstrap\" \"/var/log/custom-data-bootstrap\"\n', '\"$bootstrap\"\n', '\n', 'function has_iam {\n', ' local url\n', ' local out\n', ' url=\"http://169.254.169.254/metadata/identity/oauth2/token\"\n', ' url=\"$url?api-version=2018-02-01&resource=https://no-such-domain/\"\n', ' for i in 1 2 3 ; do\n', ' out=\"$(curl_cli --header metadata:true --url \"$url\" --max-time 10)\"\n', ' if test \"$(echo \"$out\" | jq -r .error)\" = \"invalid_resource\" ; then\n', ' echo true\n', ' return\n', ' fi\n', ' if test \"$(echo \"$out\" | jq -r .error_description)\" = \"Identity not found\" ; then\n', '\n', ' break\n', ' fi\n', ' done\n', ' echo false\n', '}\n', '\n', '# description: create file $FWDIR/conf/azure-ha.json\n', '# args : no args\n', '# usage : cluster\n', 'function cluster {\n', ' log-data \"Cluster - Executing cluster function\"\n', ' subscriptionId=\"', subscription().subscriptionId, '\"', '\n', ' tenantId=\"', subscription().tenantId, '\"', '\n', ' resourceGroup=\"', resourceGroup().name, '\"', '\n', ' virtualNetwork=\"', parameters('virtualNetworkName'), '\"', '\n', ' clusterName=\"', parameters('vmName'), '\"', '\n', ' lbName=\"frontend-lb\"\n', ' location=\"', variables('location'), '\"', '\n', ' 
has_iam=false\n', '\n', ' case \"$location\" in\n', ' us*)\n', ' environment=\"AzureUSGovernment\"\n', ' ;;\n', ' china*)\n', ' environment=\"AzureChinaCloud\"\n', ' ;;\n', ' germany*)\n', ' environment=\"AzureGermanCloud\"\n', ' ;;\n', ' *)\n', ' environment=\"AzureCloud\"\n', ' has_iam=\"$(has_iam)\"\n', ' ;;\n', ' esac\n', '\n', ' cat <\"$FWDIR/conf/azure-ha.json\"\n', '{\n', ' \"subscriptionId\": \"$subscriptionId\",\n', ' \"location\": \"$location\",\n', ' \"environment\": \"$environment\",\n', ' \"resourceGroup\": \"$resourceGroup\",\n', 'EOF\n', ' if $has_iam ; then\n', ' cat <>\"$FWDIR/conf/azure-ha.json\"\n', ' \"credentials\": \"IAM\",\n', ' \"tenant\": \"$tenantId\",\n', 'EOF\n', ' else\n', ' cat <>\"$FWDIR/conf/azure-ha.json\"\n', ' \"credentials\": {\n', ' \"tenant\": \"$tenantId\",\n', ' \"grant_type\": \"client_credentials\",\n', ' \"client_id\": \"\",\n', ' \"client_secret\": \"\"\n', ' },\n', 'EOF\n', ' fi\n', ' cat <>\"$FWDIR/conf/azure-ha.json\"\n', ' \"proxy\": \"\",\n', ' \"virtualNetwork\": \"$virtualNetwork\",\n', ' \"clusterName\": \"$clusterName\",\n', ' \"templateName\": \"$templateName\",\n', 'EOF\n', ' cat <>\"$FWDIR/conf/azure-ha.json\"\n', ' \"lbName\": \"$lbName\",\n', 'EOF\n', '\n', '\n', ' cat <>\"$FWDIR/conf/azure-ha.json\"\n', ' \"debug\": false\n', '}\n', 'EOF\n', '\n', ' log-data \"Cluster - Write cluster values to $FWDIR/conf/azure-ha.json\"\n', ' log-data \"File content: \\\\n$(cat \"$FWDIR/conf/azure-ha.json\")\"\n', '}\n', '\n', '# description:\n', '# check if an alias exists on VM, in case there is no alias,\n', '# try to retrieve it from instance metadata & add it\n', '# args : no args.\n', '# usage : pub_addr=\"$(checkPublicAddress)\"\n', 'function checkPublicAddress {\n', ' log-data \"Executing checkPublicAddress function\" >&2\n', ' ipaddr=\"$(ip addr show dev eth0)\"\n', ' pub_addr=\"$(echo \"$ipaddr\" | sed -n -e \"s|^ *inet \\\\([^/]*\\\\)/.* eth0:1\\$|\\\\1|p\")\"\n', '\n', ' log-data \"At start - \" \"ip addr show 
dev eth0: \\\\n$ipaddr\" \"pub_addr: $pub_addr\" >&2\n', ' if test -z \"$pub_addr\" ; then\n', ' log-data \"Trying to set alias for public ip address\" >&2\n', ' pub_addr=\"$(get-cloud-data.sh \"metadata/instance/network/interface?api-version=2017-04-02\" | jq -r \".[].ipv4.ipAddress[].publicIpAddress\" | grep --max-count 1 .)\"\n', '\n', '\n', '\n', ' log-data \"Public Address from instance metadata: $pub_addr\" >&2\n', ' test -z \"$pub_addr\" || {\n', ' runcmd -rc \"1 0\" clish -c \"lock database override\" >&2\n', ' runcmd clish -s -c \"add interface eth0 alias $pub_addr/32\" >&2\n', ' if [ \"$?\" -eq \"0\" ] ; then\n', ' log-data \"Setting alias for eth0 completed successfuly\" >&2\n', ' else\n', ' log-data \"Failed to set alias for eth0\" >&2\n', ' fi\n', ' }\n', ' fi\n', ' log-data \"Interfaces at end: \\\\n$(ifconfig)\" >&2\n', ' test -z \"$pub_addr\" || echo \"$pub_addr\"\n', '}\n', '\n', 'case \"$installationType\" in\n', 'gateway)\n', ' installSecurityGateway=true\n', ' gateway_cluster_member=false\n', ' installSecurityManagement=false\n', ' sicKey=\"', variables('sicKey'), '\"', '\n', ' ;;\n', 'cluster)\n', ' installSecurityGateway=true\n', ' gateway_cluster_member=true\n', ' installSecurityManagement=false\n', ' sicKey=\"', variables('sicKey'), '\"', '\n', ' cluster\n', ' ;;\n', 'vmss)\n', ' installSecurityGateway=true\n', ' gateway_cluster_member=false\n', ' installSecurityManagement=false\n', ' sicKey=\"', variables('sicKey'), '\"', '\n', ' ;;\n', 'management)\n', ' installSecurityGateway=false\n', ' installSecurityManagement=true\n', ' sicKey=notused\n', ' ;;\n', 'custom)\n', ' pub_addr=\"$(checkPublicAddress)\"\n', ' log-data \"Instance metadata at end: \\\\n$(getInstanceMetadata)\"\n', ' exit 0\n', ' ;;\n', 'standalone | *)\n', ' installSecurityGateway=true\n', ' installSecurityManagement=true\n', ' gateway_cluster_member=false\n', ' sicKey=notused\n', ' ;;\n', 'esac\n', '\n', 'log-data \"installSecurityGateway: $installSecurityGateway\" 
\"gateway_cluster_member: $gateway_cluster_member\" \"installSecurityManagement: $installSecurityManagement\"\n', '\n', '\n', '\n', 'if [ \"$isBlink\" == \"True\" ]; then\n', ' if \"$installSecurityManagement\"; then\n', ' conf=\"mgmt_admin_radio=gaia_admin\"\n', ' else\n', ' conf=\"gateway_cluster_member=$gateway_cluster_member\"\n', ' fi\n', ' conf=\"${conf}&download_info=$allowUploadDownload\"\n', ' conf=\"${conf}&upload_info=$allowUploadDownload\"\n', ' log-data \"conf: $conf\"\n', '\n', ' conf=\"${conf}&ftw_sic_key=$sicKey\"\n', '\n', ' log-data \"Running blink config\"\n', ' blink_config -s \"$conf\"\n', 'else\n', ' conf=\"install_security_gw=$installSecurityGateway\"\n', ' if \"$installSecurityGateway\"; then\n', ' conf=\"${conf}&install_ppak=true\"\n', ' conf=\"${conf}&gateway_cluster_member=$gateway_cluster_member\"\n', ' fi\n', ' conf=\"${conf}&install_security_managment=$installSecurityManagement\"\n', ' if \"$installSecurityManagement\"; then\n', ' if [ \"R7730\" == \"$osVersion\" ]; then\n', ' managementAdminPassword=\"$(dd if=/dev/urandom count=1 2>/dev/null | sha1sum | cut -c -28)\"\n', ' conf=\"${conf}&mgmt_admin_name=admin\"\n', ' conf=\"${conf}&mgmt_admin_passwd=${managementAdminPassword}\"\n', ' else\n', ' conf=\"${conf}&mgmt_admin_radio=gaia_admin\"\n', ' fi\n', '\n', ' managementGUIClientNetwork=\"', variables('managementGUIClientNetwork'), '\"', '\n', ' conf=\"${conf}&install_mgmt_primary=true\"\n', '\n', ' if [ \"0.0.0.0/0\" = \"$managementGUIClientNetwork\" ]; then\n', ' conf=\"${conf}&mgmt_gui_clients_radio=any\"\n', ' else\n', ' conf=\"${conf}&mgmt_gui_clients_radio=network\"\n', ' ManagementGUIClientBase=\"$(echo \"$managementGUIClientNetwork\" | cut -d / -f 1)\"\n', ' ManagementGUIClientMaskLength=\"$(echo \"$managementGUIClientNetwork\" | cut -d / -f 2)\"\n', ' conf=\"${conf}&mgmt_gui_clients_ip_field=$ManagementGUIClientBase\"\n', ' conf=\"${conf}&mgmt_gui_clients_subnet_field=$ManagementGUIClientMaskLength\"\n', ' fi\n', ' fi\n', 
'\n', ' conf=\"${conf}&download_info=$allowUploadDownload\"\n', ' conf=\"${conf}&upload_info=$allowUploadDownload\"\n', ' log-data \"conf: $conf\"\n', ' # add sicKey value after loging the rest of conf parameters in order not to save the SIC key.\n', ' conf=\"${conf}&ftw_sic_key=$sicKey\"\n', '\n', ' #since DA process is running parallel to FTW and may cause to problems like SIM (TaskId=72815)\n', ' #the DA is being stoped before FTW is running, and restart again after FTW is finished.\n', ' log-data \"Stop DA process: $(/opt/CPda/bin/dastop)\"\n', '\n', ' log-data \"Running first time wizard\"\n', ' config_system -s \"$conf\"\n', '\n', ' log-data \"Start DA process: $(/opt/CPda/bin/dastart)\"\n', 'fi\n', '\n', 'pub_addr=\"$(checkPublicAddress)\"\n', 'log-data \"VM public address is: $pub_addr\"\n', '\n', '# set the main IP of the management object in SmartConsole to be the public IP:\n', 'if [ \"$installationType\" = \"management\" ] && [ \"R7730\" != \"$osVersion\" ]; then\n', ' until mgmt_cli -r true discard ; do\n', ' sleep 30\n', ' done\n', ' addr=\"$(ip addr show dev eth0 | sed -n -e \"s|^ *inet \\\\([^/]*\\\\)/.* eth0\\$|\\\\1|p\")\"\n', '\n', ' uid=\"$(mgmt_cli -r true show-generic-objects class-name com.checkpoint.objects.classes.dummy.CpmiHostCkp details-level full -f json | jq -r \".objects[] | select(.ipaddr == \\\"$addr\\\") | .uid\")\"\n', '\n', '\n', '\n', ' test -z \"$uid\" || test -z \"$pub_addr\" || mgmt_cli -r true set-generic-object uid \"$uid\" ipaddr \"$pub_addr\"\n', '\n', ' log-data \"Management - Set management object in SmartConsole IP address to $pub_addr\"\n', 'fi\n', 'if \"$installSecurityManagement\" && [ \"R7730\" != \"$osVersion\" ]; then\n', ' chkconfig --add autoprovision\n', ' log-data \"Add autoprovision service to chkconfig\"\n', 'fi\n', '\n', 'if [ \"$installationType\" = \"vmss\" ] || [ \"$installationType\" = \"cluster\" ]; then\n', ' # add dynamic objects to represent the GWs external NICs in management:\n', ' 
dynamic_object_names=\"$(dynamic_objects -l | awk \"/object/{print \\$4}\")\"\n', ' log-data \"dynamic object names before are: $dynamic_object_names\"\n', ' ExtAddr=\"$(ip addr show dev eth0 | awk \"/inet/{print \\$2; exit}\" | cut -d / -f 1)\"\n', ' runcmd -rc \"19 0 3\" dynamic_objects -n LocalGatewayExternal -r \"$ExtAddr\" \"$ExtAddr\" -a\n', ' if [ \"$?\" -eq \"0\" ] ; then\n', ' log-data \"Created dynamic object for eth0\"\n', ' else\n', ' log-data \"Failed to create dynamic object for eth0\"\n', ' fi\n', ' log-data \"Set dynamic objects: (Ext: $ExtAddr) \\\\n$(dynamic_objects -l)\"\n', '\n', ' # Disable anti-spoofing feature in SecureXL for unknown connections.\n', ' # To prevent anti-spoofing on eth1 to drop the health probe queries.\n', ' if [ \"R7730\" != \"$osVersion\" ]; then\n', ' if [ -f /opt/CPshared/5.0/tmp/.CPprofile.sh ]; then\n', ' log-data \"/opt/CPshared/5.0/tmp/.CPprofile.sh exists and is a regular file.\"\n', ' . /opt/CPshared/5.0/tmp/.CPprofile.sh\n', ' log-data \"add sim_anti_spoofing_enabled=0 to $PPKDIR/boot/modules/simkern.conf\"\n', ' echo \"sim_anti_spoofing_enabled=0\" >> \"$PPKDIR/boot/modules/simkern.conf\"\n', ' log-data \"\\$PPKDIR/boot/modules/simkern.conf: \\\\n$(cat $PPKDIR/boot/modules/simkern.conf)\"\n', ' fi\n', ' fi\n', 'fi\n', '\n', 'if [ \"$installationType\" == \"vmss\" ]; then\n', ' # add dynamic objects to represent the GWs internal NICs in management:\n', ' IntAddr=\"$(ip addr show dev eth1 | awk \"/inet/{print \\$2; exit}\" | cut -d / -f 1)\"\n', ' runcmd -rc \"19 0 3\" dynamic_objects -n LocalGatewayInternal -r \"$IntAddr\" \"$IntAddr\" -a\n', ' if [ \"$?\" -eq \"0\" ] ; then\n', ' log-data \"VMSS - created dynamic object for eth1\"\n', ' else\n', ' log-data \"VMSS - failed to create dynamic object for eth1\"\n', ' fi\n', ' log-data \"VMSS - Set dynamic objects: (Int: $IntAddr) \\\\n$(dynamic_objects -l)\"\n', '\n', ' # add static route for all vnet but Frontend to use eth1:\n', ' 
subnet2Prefix=\"$(getInstanceMetadata | jq -r \".network.interface[1].ipv4.subnet[].address\")\"\n', ' firstThreeOctats=\"$(echo $subnet2Prefix | cut -d / -f 1 | cut -d . -f 1,2,3)\"\n', ' forthOctats=\"$(echo $subnet2Prefix | cut -d / -f 1 | cut -d . -f 4)\"\n', ' forthOctats=\"$(( forthOctats + 1 ))\"\n', ' router=\"$firstThreeOctats.$forthOctats\"\n', ' log-data \"Vnet CIDR: $vnet\" \"Internal subnet CIDR: $subnet2Prefix\" \"Internal subnet gateway: $router\"\n', ' vnets=(\"$vnet\" \"10.0.0.0/8\" \"172.16.0.0/12\" \"192.168.0.0/16\")\n', ' runcmd -rc \"1 0\" clish -c \"lock database override\" >&2\n', ' for vnet in \"${vnets[@]}\"; do\n', ' runcmd clish -s -c \"set static-route $vnet nexthop gateway address $router on\"\n', ' if [ \"$?\" == \"0\" ] ; then\n', ' log-data \"Set static-route for vnet: $vnet to router: $router\"\n', ' else\n', ' log-data \"Failed to set static-route for vnet: $vnet to router: $router\"\n', ' fi\n', ' done\n', 'fi\n', '\n', 'log-data \"VM static routes: \\\\n$(route)\"\n', 'log-data \"Contents of $FWDIR/boot/modules/fwkern.conf at end: \\\\n$(cat \"$FWDIR/boot/modules/fwkern.conf\")\"\n', '\n', 'if \"$installSecurityGateway\"; then\n', ' log-data \"Instance metadata at end: \\\\n$(getInstanceMetadata)\"\n', ' if [ \"$isBlink\" == \"False\" ] || [ \"$installationType\" == \"cluster\" ]; then\n', ' log-data \"VM is shuting down\"\n', ' shutdown -r now\n', ' fi\n', 'else\n', ' if \"$installSecurityManagement\" && [ \"R7730\" != \"$osVersion\" ]; then\n', ' service autoprovision start\n', ' log-data \"Instance metadata at end: \\\\n$(getInstanceMetadata)\"\n', ' log-data \"Start service autoprovision\"\n', ' fi\n', 'fi\n')]", + "imageOfferR7730": "check-point-r77-10", + "imageOffer": "[concat(variables(concat('imageOffer', variables('osVersion'))), parameters('preview'))]", + "imagePublisher": "checkpoint", + "imageReferenceBYOL": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": 
"sg-byol",
+ "version": "latest"
+ },
+ "imageReferenceNGTP": {
+ "offer": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]",
+ "sku": "sg-ngtp",
+ "version": "latest"
+ },
+ "imageReferenceNGTP-V2": {
+ "offer": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]",
+ "sku": "sg-ngtp-v2",
+ "version": "latest"
+ },
+ "imageReferenceNGTX": {
+ "offer": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]",
+ "sku": "sg-ngtx",
+ "version": "latest"
+ },
+ "imageReference": "[variables(concat('imageReference', variables('offer')))]",
+ "nic1Name": "[concat(parameters('vmName'), '-eth0')]",
+ "nic2Name": "[concat(parameters('vmName'), '-eth1')]",
+ "linuxConfigurationpassword": {},
+ "linuxConfigurationsshPublicKey": {
+ "disablePasswordAuthentication": "true",
+ "ssh": {
+ "publicKeys": [
+ {
+ "keyData": "[parameters('sshPublicKey')]",
+ "path": "/home/notused/.ssh/authorized_keys"
+ }
+ ]
+ }
+ },
+ "linuxConfiguration": "[variables(concat('linuxConfiguration',parameters('authenticationType')))]",
+ "planBYOL": {
+ "name": "sg-byol",
+ "product": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]"
+ },
+ "planNGTP": {
+ "name": "sg-ngtp",
+ "product": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]"
+ },
+ "planNGTP-V2": {
+ "name": "sg-ngtp-v2",
+ "product": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]"
+ },
+ "planNGTX": {
+ "name": "sg-ngtx",
+ "product": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]"
+ },
+ "plan": "[variables(concat('plan', variables('offer')))]",
+ "publicIPAddressName": "[parameters('vmName')]",
+ "publicIPAddressId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName'))]",
+ "bootstrapScript64": "[base64(parameters('bootstrapScript'))]",
+ "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]",
+ "networkSetupURL": "[concat(parameters('baseUrl'), '/vnet-', parameters('vnetNewOrExisting'), '.json')]",
+ "sicKey": "[parameters('sicKey')]",
+ "managementGUIClientNetwork": "[parameters('managementGUIClientNetwork')]"
+ },
+ "resources": [
+ {
+ "apiVersion": "2018-02-01",
+ "name": "pid-769ae546-3d1f-5beb-87f2-918ac09137c0",
+ "type": "Microsoft.Resources/deployments",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": []
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "name": "[variables('storageAccountName')]",
+ "apiVersion": "[variables('storageApiVersion')]",
+ "location": "[variables('location')]",
+ "sku": {
+ "name": "[variables('storageAccountType')]"
+ },
+ "kind": "Storage"
+ },
+ {
+ "name": "networkSetup",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "[variables('deploymentsApiVersion')]",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "[variables('networkSetupURL')]",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "location": {
+ "value": "[variables('location')]"
+ },
+ "apiVersion": {
+ "value": "[variables('networkApiVersion')]"
+ },
+ "virtualNetworkName": {
+ "value": "[parameters('virtualNetworkName')]"
+ },
+ "virtualNetworkAddressPrefix": {
+ "value": "[parameters('virtualNetworkAddressPrefix')]"
+ },
+ "Subnet1Name": {
+ "value": "[parameters('Subnet1Name')]"
+ },
+ "Subnet1Prefix": {
+ "value": "[parameters('Subnet1Prefix')]"
+ },
+ "Subnet1StartAddress": {
+ "value": "[parameters('Subnet1StartAddress')]"
+ },
+ "Subnet2Name": {
+ "value": "[parameters('Subnet2Name')]"
+ },
+ "Subnet2Prefix": {
+ "value": "[parameters('Subnet2Prefix')]"
+ },
+ "Subnet2StartAddress": {
+ "value": "[parameters('Subnet2StartAddress')]"
+ },
+ "vnetNewOrExisting": {
+ "value": "[parameters('vnetNewOrExisting')]"
+ },
+ "virtualNetworkExistingRGName": {
+ "value": "[parameters('virtualNetworkExistingRGName')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Network/publicIPAddresses",
+ "apiVersion": "[variables('networkApiVersion')]",
+ "location": "[variables('location')]",
+ "name": "[variables('publicIPAddressName')]",
+ "properties": {
+ "idleTimeoutInMinutes": 30,
+ "publicIPAllocationMethod": "Static",
+ "dnsSettings": {
+ "domainNameLabel": "[concat(toLower(parameters('vmName')), '-', uniquestring(resourceGroup().id, deployment().name))]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Network/networkInterfaces",
+ "apiVersion": "[variables('networkApiVersion')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', 'networkSetup')]",
+ "[variables('publicIPAddressId')]"
+ ],
+ "location": "[variables('location')]",
+ "name": "[variables('nic1Name')]",
+ "properties": {
+ "enableIPForwarding": true,
+ "enableAcceleratedNetworking": "[equals(variables('osVersion'), 'R8020')]",
+ "ipConfigurations": [
+ {
+ "name": "ipconfig1",
+ "properties": {
+ "privateIPAddress": "[parameters('Subnet1StartAddress')]",
+ "privateIPAllocationMethod": "Static",
+ "PublicIpAddress": {
+ "Id": "[variables('publicIPAddressId')]"
+ },
+ "subnet": {
+ "id": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('Subnet1Name'))]"
+ }
+ }
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Network/networkInterfaces",
+ "apiVersion": "[variables('networkApiVersion')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', 'networkSetup')]"
+ ],
+ "location": "[variables('location')]",
+ "name": "[variables('nic2Name')]",
+ "properties": {
+ "enableIPForwarding": true,
+ "enableAcceleratedNetworking": "[equals(variables('osVersion'), 'R8020')]",
+ "ipConfigurations": [
+ {
+ "name": "ipconfig2",
+ "properties": {
+ "privateIPAddress": "[parameters('Subnet2StartAddress')]",
+ "privateIPAllocationMethod": "Static",
+ "subnet": {
+ "id": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('Subnet2Name'))]"
+ }
+ }
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Compute/virtualMachines",
+ "apiVersion": "[variables('computeApiVersion')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",
+ "[resourceId('Microsoft.Network/networkInterfaces', variables('nic1Name'))]",
+ "[resourceId('Microsoft.Network/networkInterfaces', variables('nic2Name'))]"
+ ],
+ "location": "[variables('location')]",
+ "name": "[parameters('vmName')]",
+ "plan": "[variables('plan')]",
+ "properties": {
+ "diagnosticsProfile": {
+ "bootDiagnostics": {
+ "enabled": "true",
+ "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), variables('storageApiVersion')).primaryEndpoints.blob]"
+ }
+ },
+ "hardwareProfile": {
+ "vmSize": "[parameters('vmSize')]"
+ },
+ "networkProfile": {
+ "networkInterfaces": [
+ {
+ "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nic1Name'))]",
+ "properties": {
+ "primary": true
+ }
+ },
+ {
+ "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nic2Name'))]",
+ "properties": {
+ "primary": false
+ }
+ }
+ ]
+ },
+ "osProfile": {
+ "adminPassword": "[parameters('adminPassword')]",
+ "adminUsername": "notused",
+ "computerName": "[toLower(parameters('vmName'))]",
+ "customData": "[base64(variables('customData'))]",
+ "linuxConfiguration": "[variables('linuxConfiguration')]"
+ },
+ "storageProfile": {
+ "imageReference": "[variables('imageReference')]",
+ "osDisk": {
+ "caching": "ReadWrite",
+ "createOption": "FromImage",
+ "diskSizeGB": "[variables('diskSizeGB')]",
+ "name": "[parameters('vmName')]",
+ "managedDisk": {
+ "storageAccountType": "[parameters('diskType')]"
+ }
+ }
+ }
+ }
+ }
+ ],
+ "outputs": {
+ "GatewayIPAddr": {
+ "type": "string",
+ "value": "[reference(variables('publicIPAddressId')).IpAddress]"
+ },
+ "GatewayFQDN": {
+ "type": "string",
+ "value": "[reference(variables('publicIPAddressId')).dnsSettings.fqdn]"
+ }
+ }
+}
diff --git a/deprecated/azure/templates/R7730/single-r7730/vnet-existing.json b/deprecated/azure/templates/R7730/single-r7730/vnet-existing.json
new file mode 100644
index 00000000..e8e5bd2f
--- /dev/null
+++ b/deprecated/azure/templates/R7730/single-r7730/vnet-existing.json
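Review bot: In the embedded customData script (the `variables.customData` concat), the non-blink management branch appends `mgmt_admin_passwd=${managementAdminPassword}` to `conf` before `log-data "conf: $conf"` runs, so the generated R77.30 admin password is written in clear to /var/log/custom-data.log; the comment "add sicKey value after loging the rest of conf parameters in order not to save the SIC key" shows the intent, but it is only honoured for `ftw_sic_key`. Moving the `conf="${conf}&mgmt_admin_passwd=..."` line below the `log-data "conf: $conf"` call, next to the `ftw_sic_key` append, keeps the log free of both secrets. Separately, `networkSetup` is a `templateLink` deployment whose URI is built from `baseUrl`, which defaults to an external S3 bucket with only `contentVersion: "1.0.0.0"` as a check, so whatever that bucket serves at deploy time is what gets executed in the subscription; a comment in the `baseUrl` metadata stating that the linked templates are fetched at deploy time and should be pinned or self-hosted for production would help operators, even though this file lands under `deprecated/`.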
@@ -0,0 +1,99 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "vnet" + }, + "virtualNetworkAddressPrefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the virtual network" + } + }, + "Subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the 1st subnet" + }, + "defaultValue": "Frontend" + }, + "Subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 1st subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "Subnet1StartAddress": { + "type": "string", + "metadata": { + "description": "The first avaialable address on the 1st subnet" + } + }, + "Subnet2Name": { + "type": "string", + "metadata": { + "description": "The name of the 2nd subnet" + }, + "defaultValue": "Web" + }, + "Subnet2Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 2nd subnet" + }, + "defaultValue": "10.0.2.0/24" + }, + "Subnet2StartAddress": { + "type": "string", + "metadata": { + "description": "The first avaialable address on the 2nd subnet" + } + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "new", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "" + }, + "apiVersion": { + "type": "string" + }, + "Check_PointTags": { + "type": "object", + "defaultValue": { + "provider": "30DE18BC-F9F6-4F22-9D30-54B8E74CFD5F" + } + } + }, + "variables": { + "vnetId": 
"[resourceId(parameters('virtualNetworkExistingRGName'),'Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]"
+ },
+ "resources": [],
+ "outputs": {
+ "vnetId": {
+ "value": "[variables('vnetId')]",
+ "type": "string"
+ }
+ }
+}
diff --git a/deprecated/azure/templates/R7730/single-r7730/vnet-new.json b/deprecated/azure/templates/R7730/single-r7730/vnet-new.json
new file mode 100644
index 00000000..169a4a3d
--- /dev/null
+++ b/deprecated/azure/templates/R7730/single-r7730/vnet-new.json
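Review bot: `virtualNetworkExistingRGName` defaults to `""` and is fed straight into `resourceId(...)` to build `vnetId`, so on the existing-VNet path a parent that forgets to pass the group name gets whatever ARM makes of an empty first argument rather than a validation error; dropping the `defaultValue` on that parameter (or documenting in its `description` that it is mandatory when `vnetNewOrExisting` is `existing`) would surface the mistake at deployment time. The file declares `Subnet1Prefix`, `Subnet1StartAddress`, `Subnet2Prefix`, `Subnet2StartAddress`, `vnetNewOrExisting`, `location`, `apiVersion` and `Check_PointTags` but `resources` is empty and only the two VNet parameters are read — presumably kept so the parent can pass one parameter set to either linked template, which is worth a sentence in the metadata so they are not mistaken for dead parameters. The `vnetNewOrExisting` metadata key is spelled `Description` while every other parameter uses `description`; tooling looks for the lowercase key, so that hint is probably never shown. The start-address descriptions also carry the typo `avaialable`.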
@@ -0,0 +1,187 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "vnet" + }, + "virtualNetworkAddressPrefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the virtual network" + } + }, + "Subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the 1st subnet" + }, + "defaultValue": "Frontend" + }, + "Subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 1st subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "Subnet1StartAddress": { + "type": "string", + "metadata": { + "description": "The first avaialable address on the 1st subnet" + } + }, + "Subnet2Name": { + "type": "string", + "metadata": { + "description": "The name of the 2nd subnet" + }, + "defaultValue": "Backend" + }, + "Subnet2Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 2nd subnet" + }, + "defaultValue": "10.0.2.0/24" + }, + "Subnet2StartAddress": { + "type": "string", + "metadata": { + "description": "The first avaialable address on the 2nd subnet" + } + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "new", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "" + }, + "apiVersion": { + "type": "string" + }, + "Check_PointTags": { + "type": "object", + "defaultValue": { + "provider": "30DE18BC-F9F6-4F22-9D30-54B8E74CFD5F" + } + } + }, + "variables": {}, + "resources": [ + { + "type": 
"Microsoft.Network/routeTables", + "apiVersion": "[parameters('apiVersion')]", + "location": "[parameters('location')]", + "name": "[parameters('subnet1Name')]", + "properties": { + "routes": [ + { + "name": "Local-Subnet", + "properties": { + "addressPrefix": "[parameters('subnet1Prefix')]", + "nextHopType": "VnetLocal" + } + }, + { + "name": "To-Internal", + "properties": { + "addressPrefix": "[parameters('virtualNetworkAddressPrefix')]", + "nextHopType": "VirtualAppliance", + "nextHopIpAddress": "[parameters('subnet1StartAddress')]" + } + } + ] + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Network/routeTables", + "apiVersion": "[parameters('apiVersion')]", + "location": "[parameters('location')]", + "name": "[parameters('subnet2Name')]", + "properties": { + "routes": [ + { + "name": "To-Internet", + "properties": { + "addressPrefix": "0.0.0.0/0", + "nextHopType": "VirtualAppliance", + "nextHopIpAddress": "[parameters('subnet2StartAddress')]" + } + } + ] + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "[parameters('apiVersion')]", + "location": "[parameters('location')]", + "name": "[parameters('virtualNetworkName')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/routeTables', parameters('subnet1Name'))]", + "[resourceId('Microsoft.Network/routeTables', parameters('subnet2Name'))]" + ], + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[parameters('virtualNetworkAddressPrefix')]" + ] + }, + "subnets": [ + { + "name": "[parameters('subnet1Name')]", + "properties": { + "addressPrefix": "[parameters('subnet1Prefix')]", + "routeTable": { + "id": "[resourceId('Microsoft.Network/routeTables', parameters('subnet1Name'))]" + } + } + }, + { + "name": "[parameters('subnet2Name')]", + "properties": { + "addressPrefix": "[parameters('subnet2Prefix')]", + "routeTable": { + 
"id": "[resourceId('Microsoft.Network/routeTables', parameters('subnet2Name'))]"
+ }
+ }
+ }
+ ]
+ },
+ "tags": {
+ "provider": "[toUpper(parameters('Check_PointTags').provider)]"
+ }
+ }
+ ],
+ "outputs": {
+ "vnetId": {
+ "value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]",
+ "type": "string"
+ }
+ }
+}
diff --git a/deprecated/azure/templates/R7730/vmss-r7730/README.MD b/deprecated/azure/templates/R7730/vmss-r7730/README.MD
new file mode 100644
index 00000000..34881c98
--- /dev/null
+++ b/deprecated/azure/templates/R7730/vmss-r7730/README.MD
@@ -0,0 +1,13 @@
+# How to deploy this template
+To deploy this ARM template, follow these instructions:
+1. Log in to the [Microsoft Azure Portal](https://portal.azure.com)
+2. Click "*Create a resource*"
+3. Search for "*Template deployment (deploy using custom templates)*" and click "*Create*"
+4. Click "*Build your own template in the editor*"
+5. Load the "*mainTemplate.json*" file from this directory and click "*Save*"
+6. Enter the desired template parameters
+ - Replace the "*Base Url*" property with:
+ ```
+ https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/deprecated/azure/templates/vmss-r7730
+ ```
+7. Click *Purchase* to deploy the solution
diff --git a/deprecated/azure/templates/R7730/vmss-r7730/createUiDefinition.json b/deprecated/azure/templates/R7730/vmss-r7730/createUiDefinition.json
new file mode 100644
index 00000000..4c3c4b53
--- /dev/null
+++ b/deprecated/azure/templates/R7730/vmss-r7730/createUiDefinition.json
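Review bot: Neither subnet in the `Microsoft.Network/virtualNetworks` resource carries a `networkSecurityGroup` — each gets only a `routeTable` — so the `Frontend` subnet that, judging by the route tables, fronts the gateway is created with no subnet-level filtering unless the parent template attaches an NSG elsewhere; either add an NSG here or state in the subnet parameter metadata that filtering is expected from the caller. The `To-Internet` route on the second subnet steers `0.0.0.0/0` to `subnet2StartAddress` as a `VirtualAppliance`, which is only correct if that address is indeed the gateway NIC on that subnet; the `Subnet2StartAddress` description (`The first avaialable address on the 2nd subnet`) should say that it must be the gateway's address and drop the typo. Parameters are declared as `Subnet1Name`/`Subnet1Prefix`/`Subnet1StartAddress` but referenced as `parameters('subnet1Name')` etc.; ARM parameter lookup is case-insensitive so this deploys, but it hampers grepping, and the sibling `vnet-existing.json` in this same patch defaults `Subnet2Name` to `Web` where this file uses `Backend`, which looks accidental.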
@@ -0,0 +1,385 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Compute.MultiVm", + "version": "0.1.2-preview", + "parameters": { + "basics": [ + { + "name": "gatewayScaleSetNameUi", + "type": "Microsoft.Common.TextBox", + "label": "Gateway scale set name", + "toolTip": "The name of the Check Point Security Gateway Scale Set.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{1,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + } + }, + { + "name": "auth", + "type": "Microsoft.Compute.CredentialsCombo", + "label": { + "authenticationType": "Authentication type", + "password": "Password", + "confirmPassword": "Confirm password", + "sshPublicKey": "SSH public key" + }, + "toolTip": { + "authenticationType": "", + "password": "The user 'admin' password", + "sshPublicKey": "Paste an OpenSSH public key. You can generate a key pair using ssh-keygen (Linux, OS X, Cygwin) or PuttyGen (Windows)" + }, + "constraints": { + "required": true + }, + "options": { + "hideConfirmation": false, + "hidePassword": false + }, + "osPlatform": "Linux" + }, + { + "name": "vmCount", + "type": "Microsoft.Common.TextBox", + "label": "Initial number of gateways", + "defaultValue": "2", + "toolTip": "The initial number of gateways", + "constraints": { + "required": true, + "regex": "^[1-9][0-9]{0,1}$", + "validationMessage": "Please enter a number in the range 1-99." + } + }, + { + "name": "maxVmCount", + "type": "Microsoft.Common.TextBox", + "label": "Maximum number of gateways", + "defaultValue": "10", + "toolTip": "The maxiumum number of gateways", + "constraints": { + "required": true, + "regex": "^[1-9][0-9]{0,1}$", + "validationMessage": "Please enter a number in the range 1-99." 
+ } + }, + { + "name": "managementServer", + "type": "Microsoft.Common.TextBox", + "label": "Management name", + "toolTip": "The name of the management server as it appears in the configuration file", + "constraints": { + "required": true, + "validationMessage": "Field cannot be empty." + } + }, + { + "name": "configurationTemplate", + "type": "Microsoft.Common.TextBox", + "label": "Policy template name", + "toolTip": "A name of a template as it appears in the configuration file", + "constraints": { + "required": true, + "validationMessage": "Field cannot be empty." + } + }, + { + "name": "adminEmail", + "type": "Microsoft.Common.TextBox", + "label": "Administrator email address", + "defaultValue": "", + "toolTip": "An email address to notify about scaling operations", + "constraints": { + "required": false, + "regex": "^([a-zA-Z0-9_\\-\\.]+)@((\\[[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.)|(([a-zA-Z0-9\\-]+\\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\\]?)$", + "validationMessage": "Leave empty or enter a valid email address." 
+ } + } + ], + "steps": [ + { + "name": "chkp", + "label": "Check Point CloudGuard settings", + "subLabel": { + "preValidation": "Configure CloudGuard settings", + "postValidation": "Done" + }, + "bladeTitle": "CloudGuard settings", + "elements": [ + { + "name": "vsecVersion", + "type": "Microsoft.Common.DropDown", + "label": "Check Point CloudGuard version", + "defaultValue": "R77.30", + "toolTip": "The version of Check Point CloudGuard.", + "constraints": { + "allowedValues": [ + { + "label": "R77.30", + "value": "R77.30" + } + ] + } + }, + { + "name": "R7730Offer", + "type": "Microsoft.Common.DropDown", + "label": "License type", + "toolTip": "The type of license.", + "defaultValue": "Bring Your Own License", + "visible": "[and(not(or(equals(substring(location(), 0, 5), 'usgov'), equals(substring(location(), 0, 5), 'usdod'))), equals(steps('chkp').vsecVersion, 'R77.30'))]", + "constraints": { + "allowedValues": [ + { + "label": "Bring Your Own License", + "value": "Bring Your Own License" + }, + { + "label": "Pay As You Go (NGTP)", + "value": "Pay As You Go (NGTP)" + } + ] + } + }, + { + "name": "R7730vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').vsecVersion, 'R77.30'), or(or(equals(substring(location(), 0, 5), 'usgov'), equals(substring(location(), 0, 5), 'usdod')), contains(steps('chkp').R7730Offer, 'Bring Your Own License')))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_D3", + "Standard_DS3" + ], + "constraints": { + "excludedSizes": [ + "Basic_A0", + "Basic_A1", + "Basic_A2", + "Basic_A3", + "Standard_A0", + "Standard_A1", + "Standard_A1_v2", + "Standard_A2", + "Standard_A5", + "Standard_G1", + "Standard_GS1", + "Standard_H8", + "Standard_H16", + "Standard_H8m", + "Standard_H16m", + "Standard_H16", + "Standard_H16m", + "Standard_NV6", + "Standard_NV12", + "Standard_NV24", + "Standard_NC6", + 
"Standard_NC12", + "Standard_NC24", + "Standard_NC24" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-r77-10", + "sku": "sg-byol" + }, + "count": "[basics('vmCount')]" + }, + { + "name": "R7730vmSizeUiNGTP", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').vsecVersion, 'R77.30'), contains(steps('chkp').R7730Offer, '(NGTP)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_D3", + "Standard_DS3" + ], + "constraints": { + "excludedSizes": [ + "Basic_A0", + "Basic_A1", + "Basic_A2", + "Basic_A3", + "Standard_A0", + "Standard_A1", + "Standard_A1_v2", + "Standard_A2", + "Standard_A5", + "Standard_G1", + "Standard_GS1", + "Standard_H8", + "Standard_H16", + "Standard_H8m", + "Standard_H16m", + "Standard_H16", + "Standard_H16m", + "Standard_NV6", + "Standard_NV12", + "Standard_NV24", + "Standard_NC6", + "Standard_NC12", + "Standard_NC24", + "Standard_NC24" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-r77-10", + "sku": "sg-ngtp" + }, + "count": "[basics('vmCount')]" + }, + { + "name": "sicKeyUi", + "type": "Microsoft.Common.PasswordBox", + "label": { + "password": "SIC Key", + "confirmPassword": "Confirm SIC Key" + }, + "toolTip": "Set the Secure Internal Communication one time secret used to set up trust between the gateway and the management server.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{8,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the value must be 8-30 characters long." 
+ }, + "options": { + "hideConfirmation": true + } + }, + { + "name": "bootstrapScript", + "type": "Microsoft.Common.FileUpload", + "label": "Bootstrap script", + "toolTip": "An optional script to run on the initial boot", + "constraints": { + "required": false, + "accept": ".sh,text/plain" + }, + "options": { + "multiple": false, + "uploadMode": "file", + "openMode": "text", + "encoding": "UTF-8" + } + }, + { + "name": "allowUploadDownload", + "type": "Microsoft.Common.OptionsGroup", + "label": "Allow download from/upload to Check Point", + "defaultValue": "Yes", + "toolTip": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "true" + }, + { + "label": "No", + "value": "false" + } + ] + } + }, + { + "name": "VMDiskType", + "type": "Microsoft.Common.OptionsGroup", + "label": "VM disk type", + "toolTip": "Type of vSEC disk.", + "visible": "[and(not(or(equals(substring(location(), 0, 5), 'usgov'), equals(substring(location(), 0, 5), 'usdod'))), or(contains(steps('chkp').R7730vmSizeUiBYOL, 'DS'), contains(steps('chkp').R7730vmSizeUiNGTP, 'DS')))]", + "defaultValue": "Standard", + "constraints": { + "allowedValues": [ + { + "label": "Standard", + "value": "Standard_LRS" + }, + { + "label": "Premium", + "value": "Premium_LRS" + } + ] + } + } + ] + }, + { + "name": "network", + "label": "Network settings", + "subLabel": { + "preValidation": "Configure network settings", + "postValidation": "Done" + }, + "bladeTitle": "Network settings", + "elements": [ + { + "name": "virtualNetwork", + "type": "Microsoft.Network.VirtualNetworkCombo", + "label": { + "virtualNetwork": "Virtual network", + "subnets": "Subnet" + }, + "toolTip": { + "virtualNetwork": "Virtual Network Name", + "subnets": "The subnet to deploy into" + }, + "defaultValue": { + "name": "vnet01", + "addressPrefixSize": "/16" + }, + "constraints": { + 
"minAddressPrefixSize": "/25" + }, + "options": { + "hideExisting": false + }, + "subnets": { + "subnet1": { + "label": "VMSS subnet", + "defaultValue": { + "name": "VMSS-Subnet", + "addressPrefixSize": "/24" + }, + "constraints": { + "minAddressPrefixSize": "/29", + "minAddressCount": "[basics('maxVmCount')]", + "requireContiguousAddresses": false + } + } + } + } + ] + } + ], + "outputs": { + "location": "[location()]", + "instanceCount": "[basics('vmCount')]", + "maxInstanceCount": "[basics('maxVmCount')]", + "managementServer": "[basics('managementServer')]", + "configurationTemplate": "[basics('configurationTemplate')]", + "adminEmail": "[basics('adminEmail')]", + "vsecVersion": "[concat(steps('chkp').vsecVersion, ' - ', coalesce(steps('chkp').R7730Offer, 'Bring Your Own License'))]", + "adminPassword": "[basics('auth').password]", + "authenticationType": "[basics('auth').authenticationType]", + "sshPublicKey": "[basics('auth').sshPublicKey]", + "vmName": "[basics('gatewayScaleSetNameUi')]", + "vmSize": "[coalesce(steps('chkp').R7730vmSizeUiBYOL, steps('chkp').R7730vmSizeUiNGTP)]", + "sicKey": "[steps('chkp').sicKeyUi]", + "virtualNetworkName": "[steps('network').virtualNetwork.name]", + "virtualNetworkAddressPrefix": "[steps('network').virtualNetwork.addressPrefix]", + "subnet1Name": "[steps('network').virtualNetwork.subnets.subnet1.name]", + "subnet1Prefix": "[steps('network').virtualNetwork.subnets.subnet1.addressPrefix]", + "vnetNewOrExisting": "[steps('network').virtualNetwork.newOrExisting]", + "virtualNetworkExistingRGName": "[steps('network').virtualNetwork.resourceGroup]", + "bootstrapScript": "[steps('chkp').bootstrapScript]", + "allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp').allowUploadDownload, 'true')]", + "diskType": "[coalesce(steps('chkp').VMDiskType, 'Standard_LRS')]" + } + } +} + 
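Review bot: The `bootstrapScript` upload is passed through as a plain output, and in the receiving `mainTemplate.json` later in this patch it lands in a parameter typed `string` rather than `securestring` (unlike `sicKey` and `adminPassword`), so the full text of a script that runs at first boot — where operators routinely embed credentials or API keys — is stored in clear in the deployment history, readable by anyone who can read deployments on the resource group. Either make the receiving parameter `securestring`, or at minimum extend the upload's `toolTip` with `Do not embed secrets: the script is recorded in the deployment history`. The `sicKeyUi` constraint `^[a-z0-9A-Z]{8,30}$` accepts an 8-character alphanumeric one-time secret and `hideConfirmation: true` removes the confirmation box, so a mistyped key surfaces only as a failed SIC trust; a higher floor and a visible confirmation field are both cheap. Minor: the two `excludedSizes` lists repeat `Standard_H16`, `Standard_H16m` and `Standard_NC24`.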
diff --git a/deprecated/azure/templates/R7730/vmss-r7730/mainTemplate.json b/deprecated/azure/templates/R7730/vmss-r7730/mainTemplate.json
new file mode 100644
index 00000000..67b0aef5
--- /dev/null
+++ b/deprecated/azure/templates/R7730/vmss-r7730/mainTemplate.json
@@ -0,0 +1,678 @@
+{
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "Deployment location"
+ }
+ },
+ "vsecVersion": {
+ "type": "string",
+ "allowedValues": [
+ "R77.30 - Bring Your Own License",
+ "R77.30 - Pay As You Go (NGTP)"
+ ],
+ "defaultValue": "R77.30 - Bring Your Own License",
+ "metadata": {
+ "description": "Version of Check Point vSEC"
+ }
+ },
+ "instanceCount": {
+ "defaultValue": "2",
+ "type": "string",
+ "metadata": {
+ "description": "Number of VM instances"
+ }
+ },
+ "maxInstanceCount": {
+ "defaultValue": "10",
+ "type": "string",
+ "metadata": {
+ "description": "Maximum number of VM instances"
+ }
+ },
+ "managementServer": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the management server as it appears in the configuration file"
+ }
+ },
+ "configurationTemplate": {
+ "type": "string",
+ "metadata": {
+ "description": "A name of a template as it appears in the configuration file"
+ }
+ },
+ "adminEmail": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Email address to notify if there are any scaling operations"
+ }
+ },
+ "adminPassword": {
+ "type": "securestring",
+ "metadata": {
+ "description": "Administrator password"
+ },
+ "defaultValue": ""
+ },
+ "authenticationType": {
+ "type": "string",
+ "allowedValues": [
+ "password",
+ "sshPublicKey"
+ ],
+ "defaultValue": "password",
+ "metadata": {
+ "description": "Authentication type"
+ }
+ },
+ "sshPublicKey": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Administrator SSH public key"
+ }
+ },
+ "vmName": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().name]",
+ "metadata": {
+ "description": "Name of the Check Point Security Gateway scale set"
+ }
+ },
+ "vmSize": {
+ "type": "string",
+ "defaultValue": "Standard_D3_v2",
+ 
"metadata": {
+ "description": "Size of the VM"
+ }
+ },
+ "sicKey": {
+ "type": "securestring",
+ "metadata": {
+ "description": "One time key for Secure Internal Communication"
+ }
+ },
+ "virtualNetworkName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the virtual network"
+ },
+ "defaultValue": "[concat(resourceGroup().name, '-vn')]"
+ },
+ "virtualNetworkAddressPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the virtual network"
+ },
+ "defaultValue": "10.0.0.0/16"
+ },
+ "subnet1Name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the subnet"
+ },
+ "defaultValue": "vSEC"
+ },
+ "subnet1Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the 1st subnet"
+ },
+ "defaultValue": "10.0.1.0/24"
+ },
+ "vnetNewOrExisting": {
+ "type": "string",
+ "defaultValue": "new",
+ "allowedValues": [
+ "new",
+ "existing"
+ ],
+ "metadata": {
+ "Description": "Indicates whether the virtual network is new or existing"
+ }
+ },
+ "virtualNetworkExistingRGName": {
+ "type": "string",
+ "metadata": {
+ "description": "Resource Group of the existing virtual network"
+ },
+ "defaultValue": ""
+ },
+ "baseUrl": {
+ "type": "string",
+ "metadata": {
+ "artifactsBaseUrl": ""
+ },
+ "defaultValue": "https://s3-us-west-2.amazonaws.com/azure.templates/marketplace-vmss-r7730"
+ },
+ "bootstrapScript": {
+ "type": "string",
+ "metadata": {
+ "description": "Bootstrap script"
+ },
+ "defaultValue": ""
+ },
+ "allowDownloadFromUploadToCheckPoint": {
+ "type": "string",
+ "allowedValues": [
+ "true",
+ "false"
+ ],
+ "defaultValue": "true",
+ "metadata": {
+ "description": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point"
+ }
+ },
+ "diskType": {
+ "type": "string",
+ "defaultValue": "Standard_LRS",
+ "metadata": {
+ "description": "The type of the OS disk. 
Premium is applicable only to DS machine sizes"
+ },
+ "allowedValues": [
+ "Standard_LRS",
+ "Premium_LRS"
+ ]
+ },
+ "preview": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Deploy the staged image"
+ },
+ "allowedValues": [
+ "",
+ "-preview"
+ ]
+ }
+ },
+ "variables": {
+ "templateName": "vmss",
+ "templateVersion": "",
+ "location": "[parameters('location')]",
+ "govCloud": "[or(startsWith(variables('location'), 'usgov'), startsWith(variables('location'), 'usdod'))]",
+ "offers": {
+ "R77.30 - Bring Your Own License": "BYOL",
+ "R77.30 - Pay As You Go (NGTP)": "NGTP",
+ "R80.10 - Bring Your Own License": "BYOL",
+ "R80.10 - Pay As You Go (NGTP)": "NGTP-V2",
+ "R80.10 - Pay As You Go (NGTX)": "NGTX"
+ },
+ "offer": "[variables('offers')[parameters('vsecVersion')]]",
+ "osVersions": {
+ "R77.30 - Bring Your Own License": "R7730",
+ "R77.30 - Pay As You Go (NGTP)": "R7730",
+ "R80.10 - Bring Your Own License": "R8010",
+ "R80.10 - Pay As You Go (NGTP)": "R8010",
+ "R80.10 - Pay As You Go (NGTX)": "R8010"
+ },
+ "osVersion": "[variables('osVersions')[parameters('vsecVersion')]]",
+ "isBlink": "[bool('false')]",
+ "computeApiVersion": "2017-03-30",
+ "storageApiVersion": "2016-01-01",
+ "networkApiVersion": "2016-06-01",
+ "deploymentsApiVersion": "2016-02-01",
+ "insightsApiVersion": "2015-04-01",
+ "storageAccountName": "[concat('bootdiag', uniqueString(resourceGroup().id, deployment().name))]",
+ "storageAccountType": "Standard_LRS",
+ "customData": "[concat('#!/bin/bash\\n', '\\n', 'LOG_FILE=/var/log/custom-data.log\\n', 'exec >>$LOG_FILE 2>&1\\n', '\\n', '# description: echo instance metadata\\n', '# args :\\n', '# optional: string contatining api version date.\\n', '# default is to \\\"2017-08-01\\\".\\n', '# usage :\\n', '# getInstanceMetadata \\\"2017-12-01\\\"\\n', 'function getInstanceMetadata {\\n', ' # get instance metadata using Azure Instance Metadata service:\\n', ' if test -z \\\"$#\\\" ; then\\n', ' 
api_version=\\\"$1\\\"\\n', ' else\\n', ' api_version=\\\"2017-08-01\\\"\\n', ' fi\\n', ' metadata=\\\"$(get-cloud-data.sh \\\"metadata/instance/?api-version=$api_version\\\" | jq \\\".\\\")\\\"\\n', '\\n', '\\n', ' echo \\\"$metadata\\\"\\n', ' log-data \\\"Instance metadata retrieved using api version: $api_version\\\" >&2\\n', '}\\n', '\\n', '# description: echo $@ to std output wrapped with date and additional data\\n', '# args :\\n', '# add \\\"-w\\\" before the content to log warning message.\\n', '# add \\\"-e\\\" before the content to log error message.\\n', '# default is to log info message.\\n', '# usage :\\n', '# log-data \\\"-w\\\" \\\"my message\\\"\\n', 'function log-data {\\n', ' test -z \\\"$1\\\" && echo \\\"$(date +\\\"%F %T\\\") CUSTOM-DATA [INFO]\\\" || {\\n', ' if [[ \\\"$1\\\" == \\\"-w\\\" ]] ; then\\n', ' prefix=\\\"[WARNING] \\\"\\n', ' shift\\n', ' elif [[ \\\"$1\\\" == \\\"-e\\\" ]] ; then\\n', ' prefix=\\\"[ERROR] \\\"\\n', ' shift\\n', ' else\\n', ' prefix=\\\"[INFO] \\\"\\n', ' fi\\n', ' for i in \\\"$@\\\"; do\\n', ' echo -e \\\"$(date +\\\"%F %T\\\") CUSTOM-DATA $prefix$i\\\"\\n', ' shift\\n', ' done\\n', ' }\\n', '}\\n', '\\n', '# description: wrapper to command to enable retries\\n', '# args :\\n', '# To specify return codes:\\n', '# \\\"-rc\\\" followed by string of numbers seperated by a space: \\\"int1 int2\\\".\\n', '# default is \\\"0\\\".\\n', '# To specify maximum duration for retries:\\n', '# \\\"-md\\\" followed by a number: 5.\\n', '# default is 8.\\n', '# To specift sleep time between retries:\\n', '# \\\"-st\\\" followed by a number: 1.\\n', '# default is 2.\\n', '# usage :\\n', '# runcmd -rc \\\"19 0 3\\\" \\\"-md\\\" 6 \\\"-st\\\" 1 my-command\\n', 'function runcmd {\\n', ' expected_returnval=()\\n', ' if [ \\\"$1\\\" == \\\"-rc\\\" ] ; then\\n', ' shift\\n', ' for val in $1\\n', ' do\\n', ' expected_returnval[\\\"$val\\\"]=\\\"1\\\"\\n', ' done\\n', ' shift\\n', ' else\\n', ' 
expected_returnval[\\\"0\\\"]=\\\"1\\\"\\n', ' fi\\n', ' if [ \\\"$1\\\" == \\\"-md\\\" ] ; then\\n', ' shift\\n', ' MAX_DURATION=$1\\n', ' shift\\n', ' else\\n', ' MAX_DURATION=8\\n', ' fi\\n', ' if [ \\\"$1\\\" == \\\"-st\\\" ] ; then\\n', ' shift\\n', ' SLEEP_TIME=$1\\n', ' shift\\n', ' else\\n', ' SLEEP_TIME=2\\n', ' fi\\n', ' cmd=\\\"$@\\\"\\n', ' log-data \\\"Executing $cmd\\\" \\\" Allowed return values : $(echo ${!expected_returnval[@]})\\\" \\\" Maximum retries duration : $MAX_DURATION\\\" \\\" Sleep time between retries: $SLEEP_TIME\\\" >&2\\n', '\\n', '\\n', '\\n', ' SECONDS=0\\n', ' while [ \\\"$SECONDS\\\" -lt \\\"$MAX_DURATION\\\" ] ; do\\n', ' returnmsg=\\\"$(\\\"$@\\\" 2>&1)\\\"\\n', ' returnval=\\\"$?\\\"\\n', ' if [[ ${expected_returnval[$returnval]} ]] ; then\\n', ' log-data \\\"Success executing: $cmd\\n', '\\\\\\\\tReturn Value : $(echo $returnval)\\n', '\\\\\\\\tReturn message: $(echo $returnmsg)\\\" >&2\\n', ' return 0\\n', ' fi\\n', ' log-data \\\"-w\\\" \\\"Retrying to execute command: $cmd\\n', '\\\\\\\\tReturn Value : $(echo $returnval)\\n', '\\\\\\\\tReturn message: $(echo $returnmsg)\\\" >&2\\n', ' sleep \\\"$SLEEP_TIME\\\"\\n', ' done\\n', ' log-data \\\"-e\\\" \\\"Failed to execute command: $cmd\\n', '\\\\\\\\tReturn Value : $(echo $returnval) (expected: $expected_returnval)\\n', '\\\\\\\\tReturn message: $(echo $returnmsg)\\n', '\\\\\\\\tTotal run time: $SECONDS [seconds]\\\" >&2\\n', ' return 1\\n', '}\\n', '\\n', 'log-data \\\"Start of custom-data.sh\\\"\\n', 'log-data \\\"Time Zone: $(date +\\\"%Z %:z\\\")\\\"\\n', 'log-data \\\"Instance metadata at beginning: \\\\\\\\n$(getInstanceMetadata)\\\"\\n', 'log-data \\\"Contents of $FWDIR/boot/modules/fwkern.conf at beginning: \\\\\\\\n$(cat \\\"$FWDIR/boot/modules/fwkern.conf\\\")\\\"\\n', '\\n', 'installationType=\\\"', variables('installationType'), '\\\"', '\\n', 'allowUploadDownload=\\\"', variables('allowUploadDownload'), '\\\"', '\\n', 'osVersion=\\\"', variables('osVersion'), 
'\\\"', '\\n', 'templateName=\\\"', variables('templateName'), '\\\"', '\\n', 'isBlink=\\\"', variables('isBlink'), '\\\"', '\\n', 'templateVersion=\\\"', variables('templateVersion'), '\\\"', '\\n', '\\n', 'if [ -z \\\"${isBlink}\\\" ]; then\\n', ' isBlink=\\\"False\\\"\\n', 'fi\\n', '\\n', 'log-data \\\"isBlink val: $isBlink\\\"\\n', '\\n', 'log-data \\\"templateName: $templateName\\\" \\\"templateVersion: $templateVersion\\\" \\\"installationType: $installationType\\\" \\\"osVersion: $osVersion\\\"\\n', '\\n', '\\n', '\\n', '\\n', 'echo \\\"template_name: $templateName\\\" >> /etc/cloud-version\\n', 'echo \\\"template_version: $templateVersion\\\" >> /etc/cloud-version\\n', '\\n', 'log-data \\\"Executing bootstrap script:\\\"\\n', 'bootstrap=\\\"$(dirname \\\"$0\\\")/bootstrap\\\"\\n', 'cat <<<\\\"', variables('bootstrapScript64'), '\\\" | tr -d \\\"\\\\n\\\" | base64 -d >\\\"$bootstrap\\\"', '\\n', 'dos2unix \\\"$bootstrap\\\"\\n', 'chmod +x \\\"$bootstrap\\\"\\n', 'cp \\\"$bootstrap\\\" \\\"/var/log/custom-data-bootstrap\\\"\\n', '\\\"$bootstrap\\\"\\n', '\\n', 'function has_iam {\\n', ' local url\\n', ' local out\\n', ' url=\\\"http://169.254.169.254/metadata/identity/oauth2/token\\\"\\n', ' url=\\\"$url?api-version=2018-02-01&resource=https://no-such-domain/\\\"\\n', ' for i in 1 2 3 ; do\\n', ' out=\\\"$(curl_cli --header metadata:true --url \\\"$url\\\" --max-time 10)\\\"\\n', ' if test \\\"$(echo \\\"$out\\\" | jq -r .error)\\\" = \\\"invalid_resource\\\" ; then\\n', ' echo true\\n', ' return\\n', ' fi\\n', ' if test \\\"$(echo \\\"$out\\\" | jq -r .error_description)\\\" = \\\"Identity not found\\\" ; then\\n', '\\n', ' break\\n', ' fi\\n', ' done\\n', ' echo false\\n', '}\\n', '\\n', '# description: create file $FWDIR/conf/azure-ha.json\\n', '# args : no args\\n', '# usage : cluster\\n', 'function cluster {\\n', ' log-data \\\"Cluster - Executing cluster function\\\"\\n', ' subscriptionId=\\\"', subscription().subscriptionId, '\\\"', '\\n', ' 
tenantId=\\\"', subscription().tenantId, '\\\"', '\\n', ' resourceGroup=\\\"', resourceGroup().name, '\\\"', '\\n', ' virtualNetwork=\\\"', parameters('virtualNetworkName'), '\\\"', '\\n', ' clusterName=\\\"', parameters('vmName'), '\\\"', '\\n', ' lbName=\\\"frontend-lb\\\"\\n', ' location=\\\"', variables('location'), '\\\"', '\\n', ' has_iam=false\\n', '\\n', ' case \\\"$location\\\" in\\n', ' us*)\\n', ' environment=\\\"AzureUSGovernment\\\"\\n', ' ;;\\n', ' china*)\\n', ' environment=\\\"AzureChinaCloud\\\"\\n', ' ;;\\n', ' germany*)\\n', ' environment=\\\"AzureGermanCloud\\\"\\n', ' ;;\\n', ' *)\\n', ' environment=\\\"AzureCloud\\\"\\n', ' has_iam=\\\"$(has_iam)\\\"\\n', ' ;;\\n', ' esac\\n', '\\n', ' cat <\\\"$FWDIR/conf/azure-ha.json\\\"\\n', '{\\n', ' \\\"subscriptionId\\\": \\\"$subscriptionId\\\",\\n', ' \\\"location\\\": \\\"$location\\\",\\n', ' \\\"environment\\\": \\\"$environment\\\",\\n', ' \\\"resourceGroup\\\": \\\"$resourceGroup\\\",\\n', 'EOF\\n', ' if $has_iam ; then\\n', ' cat <>\\\"$FWDIR/conf/azure-ha.json\\\"\\n', ' \\\"credentials\\\": \\\"IAM\\\",\\n', ' \\\"tenant\\\": \\\"$tenantId\\\",\\n', 'EOF\\n', ' else\\n', ' cat <>\\\"$FWDIR/conf/azure-ha.json\\\"\\n', ' \\\"credentials\\\": {\\n', ' \\\"tenant\\\": \\\"$tenantId\\\",\\n', ' \\\"grant_type\\\": \\\"client_credentials\\\",\\n', ' \\\"client_id\\\": \\\"\\\",\\n', ' \\\"client_secret\\\": \\\"\\\"\\n', ' },\\n', 'EOF\\n', ' fi\\n', ' cat <>\\\"$FWDIR/conf/azure-ha.json\\\"\\n', ' \\\"proxy\\\": \\\"\\\",\\n', ' \\\"virtualNetwork\\\": \\\"$virtualNetwork\\\",\\n', ' \\\"clusterName\\\": \\\"$clusterName\\\",\\n', ' \\\"templateName\\\": \\\"$templateName\\\",\\n', 'EOF\\n', ' cat <>\\\"$FWDIR/conf/azure-ha.json\\\"\\n', ' \\\"lbName\\\": \\\"$lbName\\\",\\n', 'EOF\\n', '\\n', '\\n', ' cat <>\\\"$FWDIR/conf/azure-ha.json\\\"\\n', ' \\\"debug\\\": false\\n', '}\\n', 'EOF\\n', '\\n', ' log-data \\\"Cluster - Write cluster values to $FWDIR/conf/azure-ha.json\\\"\\n', ' log-data 
\\\"File content: \\\\\\\\n$(cat \\\"$FWDIR/conf/azure-ha.json\\\")\\\"\\n', '}\\n', '\\n', '# description:\\n', '# check if an alias exists on VM, in case there is no alias,\\n', '# try to retrieve it from instance metadata & add it\\n', '# args : no args.\\n', '# usage : pub_addr=\\\"$(checkPublicAddress)\\\"\\n', 'function checkPublicAddress {\\n', ' log-data \\\"Executing checkPublicAddress function\\\" >&2\\n', ' ipaddr=\\\"$(ip addr show dev eth0)\\\"\\n', ' pub_addr=\\\"$(echo \\\"$ipaddr\\\" | sed -n -e \\\"s|^ *inet \\\\\\\\([^/]*\\\\\\\\)/.* eth0:1\\\\$|\\\\\\\\1|p\\\")\\\"\\n', '\\n', ' log-data \\\"At start - \\\" \\\"ip addr show dev eth0: \\\\\\\\n$ipaddr\\\" \\\"pub_addr: $pub_addr\\\" >&2\\n', ' if test -z \\\"$pub_addr\\\" ; then\\n', ' log-data \\\"Trying to set alias for public ip address\\\" >&2\\n', ' pub_addr=\\\"$(get-cloud-data.sh \\\"metadata/instance/network/interface?api-version=2017-04-02\\\" | jq -r \\\".[].ipv4.ipAddress[].publicIpAddress\\\" | grep --max-count 1 .)\\\"\\n', '\\n', '\\n', '\\n', ' log-data \\\"Public Address from instance metadata: $pub_addr\\\" >&2\\n', ' test -z \\\"$pub_addr\\\" || {\\n', ' runcmd -rc \\\"1 0\\\" clish -c \\\"lock database override\\\" >&2\\n', ' runcmd clish -s -c \\\"add interface eth0 alias $pub_addr/32\\\" >&2\\n', ' if [ \\\"$?\\\" -eq \\\"0\\\" ] ; then\\n', ' log-data \\\"Setting alias for eth0 completed successfuly\\\" >&2\\n', ' else\\n', ' log-data \\\"Failed to set alias for eth0\\\" >&2\\n', ' fi\\n', ' }\\n', ' fi\\n', ' log-data \\\"Interfaces at end: \\\\\\\\n$(ifconfig)\\\" >&2\\n', ' test -z \\\"$pub_addr\\\" || echo \\\"$pub_addr\\\"\\n', '}\\n', '\\n', 'case \\\"$installationType\\\" in\\n', 'gateway)\\n', ' installSecurityGateway=true\\n', ' gateway_cluster_member=false\\n', ' installSecurityManagement=false\\n', ' sicKey=\\\"', variables('sicKey'), '\\\"', '\\n', ' ;;\\n', 'cluster)\\n', ' installSecurityGateway=true\\n', ' gateway_cluster_member=true\\n', ' 
installSecurityManagement=false\\n', ' sicKey=\\\"', variables('sicKey'), '\\\"', '\\n', ' cluster\\n', ' ;;\\n', 'vmss)\\n', ' installSecurityGateway=true\\n', ' gateway_cluster_member=false\\n', ' installSecurityManagement=false\\n', ' sicKey=\\\"', variables('sicKey'), '\\\"', '\\n', ' ;;\\n', 'management)\\n', ' installSecurityGateway=false\\n', ' installSecurityManagement=true\\n', ' sicKey=notused\\n', ' ;;\\n', 'custom)\\n', ' pub_addr=\\\"$(checkPublicAddress)\\\"\\n', ' log-data \\\"Instance metadata at end: \\\\\\\\n$(getInstanceMetadata)\\\"\\n', ' exit 0\\n', ' ;;\\n', 'standalone | *)\\n', ' installSecurityGateway=true\\n', ' installSecurityManagement=true\\n', ' gateway_cluster_member=false\\n', ' sicKey=notused\\n', ' ;;\\n', 'esac\\n', '\\n', 'log-data \\\"installSecurityGateway: $installSecurityGateway\\\" \\\"gateway_cluster_member: $gateway_cluster_member\\\" \\\"installSecurityManagement: $installSecurityManagement\\\"\\n', '\\n', '\\n', '\\n', 'if [ \\\"$isBlink\\\" == \\\"True\\\" ]; then\\n', ' if \\\"$installSecurityManagement\\\"; then\\n', ' conf=\\\"mgmt_admin_radio=gaia_admin\\\"\\n', ' else\\n', ' conf=\\\"gateway_cluster_member=$gateway_cluster_member\\\"\\n', ' fi\\n', ' conf=\\\"${conf}&download_info=$allowUploadDownload\\\"\\n', ' conf=\\\"${conf}&upload_info=$allowUploadDownload\\\"\\n', ' log-data \\\"conf: $conf\\\"\\n', '\\n', ' conf=\\\"${conf}&ftw_sic_key=$sicKey\\\"\\n', ' # temporary variable as blink config demands password (for now) this way the blink_config command works and does not override admin password\\n', ' if [ \\\"$osVersion\\\" == \\\"R8010\\\" ]; then\\n', ' conf=\\\"${conf}&admin_password_regular=1\\\"\\n', ' fi\\n', ' log-data \\\"Running blink config\\\"\\n', ' blink_config -s \\\"$conf\\\"\\n', 'else\\n', ' conf=\\\"install_security_gw=$installSecurityGateway\\\"\\n', ' if \\\"$installSecurityGateway\\\"; then\\n', ' conf=\\\"${conf}&install_ppak=true\\\"\\n', ' 
conf=\\\"${conf}&gateway_cluster_member=$gateway_cluster_member\\\"\\n', ' fi\\n', ' conf=\\\"${conf}&install_security_managment=$installSecurityManagement\\\"\\n', ' if \\\"$installSecurityManagement\\\"; then\\n', ' if [ \\\"R7730\\\" == \\\"$osVersion\\\" ]; then\\n', ' managementAdminPassword=\\\"$(dd if=/dev/urandom count=1 2>/dev/null | sha1sum | cut -c -28)\\\"\\n', ' conf=\\\"${conf}&mgmt_admin_name=admin\\\"\\n', ' conf=\\\"${conf}&mgmt_admin_passwd=${managementAdminPassword}\\\"\\n', ' else\\n', ' conf=\\\"${conf}&mgmt_admin_radio=gaia_admin\\\"\\n', ' fi\\n', '\\n', ' managementGUIClientNetwork=\\\"', variables('managementGUIClientNetwork'), '\\\"', '\\n', ' conf=\\\"${conf}&install_mgmt_primary=true\\\"\\n', '\\n', ' if [ \\\"0.0.0.0/0\\\" = \\\"$managementGUIClientNetwork\\\" ]; then\\n', ' conf=\\\"${conf}&mgmt_gui_clients_radio=any\\\"\\n', ' else\\n', ' conf=\\\"${conf}&mgmt_gui_clients_radio=network\\\"\\n', ' ManagementGUIClientBase=\\\"$(echo \\\"$managementGUIClientNetwork\\\" | cut -d / -f 1)\\\"\\n', ' ManagementGUIClientMaskLength=\\\"$(echo \\\"$managementGUIClientNetwork\\\" | cut -d / -f 2)\\\"\\n', ' conf=\\\"${conf}&mgmt_gui_clients_ip_field=$ManagementGUIClientBase\\\"\\n', ' conf=\\\"${conf}&mgmt_gui_clients_subnet_field=$ManagementGUIClientMaskLength\\\"\\n', ' fi\\n', ' fi\\n', '\\n', ' conf=\\\"${conf}&download_info=$allowUploadDownload\\\"\\n', ' conf=\\\"${conf}&upload_info=$allowUploadDownload\\\"\\n', ' log-data \\\"conf: $conf\\\"\\n', ' # add sicKey value after loging the rest of conf parameters in order not to save the SIC key.\\n', ' conf=\\\"${conf}&ftw_sic_key=$sicKey\\\"\\n', '\\n', ' #since DA process is running parallel to FTW and may cause to problems like SIM (TaskId=72815)\\n', ' #the DA is being stoped before FTW is running, and restart again after FTW is finished.\\n', ' log-data \\\"Stop DA process: $(/opt/CPda/bin/dastop)\\\"\\n', '\\n', ' log-data \\\"Running first time wizard\\\"\\n', ' config_system -s 
\\\"$conf\\\"\\n', '\\n', ' log-data \\\"Start DA process: $(/opt/CPda/bin/dastart)\\\"\\n', 'fi\\n', '\\n', 'pub_addr=\\\"$(checkPublicAddress)\\\"\\n', 'log-data \\\"VM public address is: $pub_addr\\\"\\n', '\\n', '# set the main IP of the management object in SmartConsole to be the public IP:\\n', 'if [ \\\"$installationType\\\" = \\\"management\\\" ] && [ \\\"R7730\\\" != \\\"$osVersion\\\" ]; then\\n', ' until mgmt_cli -r true discard ; do\\n', ' sleep 30\\n', ' done\\n', ' addr=\\\"$(ip addr show dev eth0 | sed -n -e \\\"s|^ *inet \\\\\\\\([^/]*\\\\\\\\)/.* eth0\\\\$|\\\\\\\\1|p\\\")\\\"\\n', '\\n', ' uid=\\\"$(mgmt_cli -r true show-generic-objects class-name com.checkpoint.objects.classes.dummy.CpmiHostCkp details-level full -f json | jq -r \\\".objects[] | select(.ipaddr == \\\\\\\"$addr\\\\\\\") | .uid\\\")\\\"\\n', '\\n', '\\n', '\\n', ' test -z \\\"$uid\\\" || test -z \\\"$pub_addr\\\" || mgmt_cli -r true set-generic-object uid \\\"$uid\\\" ipaddr \\\"$pub_addr\\\"\\n', '\\n', ' log-data \\\"Management - Set management object in SmartConsole IP address to $pub_addr\\\"\\n', 'fi\\n', 'if \\\"$installSecurityManagement\\\" && [ \\\"R7730\\\" != \\\"$osVersion\\\" ]; then\\n', ' chkconfig --add autoprovision\\n', ' log-data \\\"Add autoprovision service to chkconfig\\\"\\n', 'fi\\n', '\\n', 'if [ \\\"$installationType\\\" = \\\"vmss\\\" ] || [ \\\"$installationType\\\" = \\\"cluster\\\" ]; then\\n', ' # add dynamic objects to represent the GWs external NICs in management:\\n', ' dynamic_object_names=\\\"$(dynamic_objects -l | awk \\\"/object/{print \\\\$4}\\\")\\\"\\n', ' log-data \\\"dynamic object names before are: $dynamic_object_names\\\"\\n', ' ExtAddr=\\\"$(ip addr show dev eth0 | awk \\\"/inet/{print \\\\$2; exit}\\\" | cut -d / -f 1)\\\"\\n', ' runcmd -rc \\\"19 0 3\\\" dynamic_objects -n LocalGatewayExternal -r \\\"$ExtAddr\\\" \\\"$ExtAddr\\\" -a\\n', ' if [ \\\"$?\\\" -eq \\\"0\\\" ] ; then\\n', ' log-data \\\"Created dynamic object for 
eth0\\\"\\n', ' else\\n', ' log-data \\\"Failed to create dynamic object for eth0\\\"\\n', ' fi\\n', ' log-data \\\"Set dynamic objects: (Ext: $ExtAddr) \\\\\\\\n$(dynamic_objects -l)\\\"\\n', '\\n', ' # Disable anti-spoofing feature in SecureXL for unknown connections.\\n', ' # To prevent anti-spoofing on eth1 to drop the health probe queries.\\n', ' if [ \\\"R7730\\\" != \\\"$osVersion\\\" ]; then\\n', ' if [ -f /opt/CPshared/5.0/tmp/.CPprofile.sh ]; then\\n', ' log-data \\\"/opt/CPshared/5.0/tmp/.CPprofile.sh exists and is a regular file.\\\"\\n', ' . /opt/CPshared/5.0/tmp/.CPprofile.sh\\n', ' log-data \\\"add sim_anti_spoofing_enabled=0 to $PPKDIR/boot/modules/simkern.conf\\\"\\n', ' echo \\\"sim_anti_spoofing_enabled=0\\\" >> \\\"$PPKDIR/boot/modules/simkern.conf\\\"\\n', ' log-data \\\"\\\\$PPKDIR/boot/modules/simkern.conf: \\\\\\\\n$(cat $PPKDIR/boot/modules/simkern.conf)\\\"\\n', ' fi\\n', ' fi\\n', 'fi\\n', '\\n', 'if [ \\\"$installationType\\\" == \\\"vmss\\\" ]; then\\n', ' # add dynamic objects to represent the GWs internal NICs in management:\\n', ' IntAddr=\\\"$(ip addr show dev eth1 | awk \\\"/inet/{print \\\\$2; exit}\\\" | cut -d / -f 1)\\\"\\n', ' runcmd -rc \\\"19 0 3\\\" dynamic_objects -n LocalGatewayInternal -r \\\"$IntAddr\\\" \\\"$IntAddr\\\" -a\\n', ' if [ \\\"$?\\\" -eq \\\"0\\\" ] ; then\\n', ' log-data \\\"VMSS - created dynamic object for eth1\\\"\\n', ' else\\n', ' log-data \\\"VMSS - failed to create dynamic object for eth1\\\"\\n', ' fi\\n', ' log-data \\\"VMSS - Set dynamic objects: (Int: $IntAddr) \\\\\\\\n$(dynamic_objects -l)\\\"\\n', '\\n', ' # add static route for all vnet but Frontend to use eth1:\\n', ' subnet2Prefix=\\\"$(getInstanceMetadata | jq -r \\\".network.interface[1].ipv4.subnet[].address\\\")\\\"\\n', ' firstThreeOctats=\\\"$(echo $subnet2Prefix | cut -d / -f 1 | cut -d . -f 1,2,3)\\\"\\n', ' forthOctats=\\\"$(echo $subnet2Prefix | cut -d / -f 1 | cut -d . 
-f 4)\\\"\\n', ' forthOctats=\\\"$(( forthOctats + 1 ))\\\"\\n', ' router=\\\"$firstThreeOctats.$forthOctats\\\"\\n', ' log-data \\\"Vnet CIDR: $vnet\\\" \\\"Internal subnet CIDR: $subnet2Prefix\\\" \\\"Internal subnet gateway: $router\\\"\\n', ' vnets=(\\\"$vnet\\\" \\\"10.0.0.0/8\\\" \\\"172.16.0.0/12\\\" \\\"192.168.0.0/16\\\")\\n', ' runcmd -rc \\\"1 0\\\" clish -c \\\"lock database override\\\" >&2\\n', ' for vnet in \\\"${vnets[@]}\\\"; do\\n', ' runcmd clish -s -c \\\"set static-route $vnet nexthop gateway address $router on\\\"\\n', ' if [ \\\"$?\\\" == \\\"0\\\" ] ; then\\n', ' log-data \\\"Set static-route for vnet: $vnet to router: $router\\\"\\n', ' else\\n', ' log-data \\\"Failed to set static-route for vnet: $vnet to router: $router\\\"\\n', ' fi\\n', ' done\\n', 'fi\\n', '\\n', 'log-data \\\"VM static routes: \\\\\\\\n$(route)\\\"\\n', 'log-data \\\"Contents of $FWDIR/boot/modules/fwkern.conf at end: \\\\\\\\n$(cat \\\"$FWDIR/boot/modules/fwkern.conf\\\")\\\"\\n', '\\n', 'if \\\"$installSecurityGateway\\\"; then\\n', ' log-data \\\"Instance metadata at end: \\\\\\\\n$(getInstanceMetadata)\\\"\\n', ' if [ \\\"$isBlink\\\" == \\\"False\\\" ] || [ \\\"$installationType\\\" == \\\"cluster\\\" ]; then\\n', ' log-data \\\"VM is shuting down\\\"\\n', ' shutdown -r now\\n', ' fi\\n', 'else\\n', ' if \\\"$installSecurityManagement\\\" && [ \\\"R7730\\\" != \\\"$osVersion\\\" ]; then\\n', ' service autoprovision start\\n', ' log-data \\\"Instance metadata at end: \\\\\\\\n$(getInstanceMetadata)\\\"\\n', ' log-data \\\"Start service autoprovision\\\"\\n', ' fi\\n', 'fi\\n')]", + "imageOfferR7730": "check-point-r77-10", + "imageOfferR8010": "check-point-vsec-r80", + "imageOffer": "[concat(variables(concat('imageOffer', variables('osVersion'))), parameters('preview'))]", + "imagePublisher": "checkpoint", + "imageReferenceBYOL": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-byol", + "version": "latest" + }, 
+ "imageReferenceNGTP": {
+ "offer": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]",
+ "sku": "sg-ngtp",
+ "version": "latest"
+ },
+ "imageReferenceNGTP-V2": {
+ "offer": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]",
+ "sku": "sg-ngtp-v2",
+ "version": "latest"
+ },
+ "imageReferenceNGTX": {
+ "offer": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]",
+ "sku": "sg-ngtx",
+ "version": "latest"
+ },
+ "imageReference": "[variables(concat('imageReference', variables('offer')))]",
+ "lbName": "[concat(parameters('vmName'), '-lb')]",
+ "lbID": "[resourceId('Microsoft.Network/loadBalancers',variables('lbName'))]",
+ "proxySubnet": "[parameters('subnet1Name')]",
+ "lbBEAddressPool": "[concat(parameters('vmName'), '-pool')]",
+ "lbBEAddressPoolID": "[concat(variables('lbID'),'/backendAddressPools/',variables('lbBEAddressPool'))]",
+ "linuxConfigurationpassword": {},
+ "linuxConfigurationsshPublicKey": {
+ "disablePasswordAuthentication": "true",
+ "ssh": {
+ "publicKeys": [
+ {
+ "keyData": "[parameters('sshPublicKey')]",
+ "path": "/home/notused/.ssh/authorized_keys"
+ }
+ ]
+ }
+ },
+ "linuxConfiguration": "[variables(concat('linuxConfiguration', parameters('authenticationType')))]",
+ "planBYOL": {
+ "name": "sg-byol",
+ "product": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]"
+ },
+ "planNGTP": {
+ "name": "sg-ngtp",
+ "product": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]"
+ },
+ "planNGTP-V2": {
+ "name": "sg-ngtp-v2",
+ "product": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]"
+ },
+ "planNGTX": {
+ "name": "sg-ngtx",
+ "product": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]"
+ },
+ "plan": "[variables(concat('plan', variables('offer')))]",
+ "appName": "[concat(parameters('vmName'), '-app-1')]",
+ "appAddressName": "[variables('appName')]",
+ "appAddressId": 
"[resourceId('Microsoft.Network/publicIPAddresses', variables('appAddressName'))]",
+ "appProtocol": "http",
+ "appFrontEndPort": 80,
+ "appBackEndPort": 8081,
+ "appFEName": "[variables('appName')]",
+ "appFEIPConfigID": "[concat(variables('lbID'),'/frontendIPConfigurations/',variables('appFEName'))]",
+ "appProbeName": "[variables('appName')]",
+ "appProbeID": "[concat(variables('lbID'),'/probes/',variables('appProbeName'))]",
+ "proxyName": "[concat(parameters('vmName'), '-proxy')]",
+ "proxyID": "[resourceId('Microsoft.Network/loadBalancers', variables('proxyName'))]",
+ "proxyBEAddressPool": "[concat(parameters('vmName'), '-proxy')]",
+ "proxyBEAddressPoolID": "[concat(variables('proxyID'), '/backendAddressPools/', variables('proxyBEAddressPool'))]",
+ "proxyPort": 8080,
+ "proxyFEIPConfigID": "[concat(variables('proxyID'), '/frontendIPConfigurations/', variables('proxyName'))]",
+ "proxyProbeName": "[variables('proxyName')]",
+ "proxyProbeID": "[concat(variables('proxyID'), '/probes/', variables('proxyProbeName'))]",
+ "vmssID": "[resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('vmName'))]",
+ "emailSelector": [
+ [],
+ [
+ "[parameters('adminEmail')]"
+ ]
+ ],
+ "customEmails": "[variables('emailSelector')[length(take(parameters('adminEmail'), 1))]]",
+ "bootstrapScript64": "[base64(parameters('bootstrapScript'))]",
+ "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]",
+ "networkSetupURL": "[concat(parameters('baseUrl'),'/vnet-1-subnet-', parameters('vnetNewOrExisting'), '.json')]",
+ "sicKey": "[parameters('sicKey')]",
+ "managementGUIClientNetwork": "",
+ "installationType": "vmss"
+ },
+ "resources": [
+ {
+ "apiVersion": "2018-02-01",
+ "name": "pid-dec47419-7c4a-5b38-94eb-1fd4e71be091",
+ "type": "Microsoft.Resources/deployments",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": 
"1.0.0.0",
+ "resources": []
+ }
+ }
+ },
+ {
+ "name": "networkSetup",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "[variables('deploymentsApiVersion')]",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "[variables('networkSetupURL')]",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "location": {
+ "value": "[variables('location')]"
+ },
+ "apiVersion": {
+ "value": "[variables('networkApiVersion')]"
+ },
+ "virtualNetworkName": {
+ "value": "[parameters('virtualNetworkName')]"
+ },
+ "virtualNetworkAddressPrefix": {
+ "value": "[parameters('virtualNetworkAddressPrefix')]"
+ },
+ "subnet1Name": {
+ "value": "[parameters('subnet1Name')]"
+ },
+ "subnet1Prefix": {
+ "value": "[parameters('subnet1Prefix')]"
+ },
+ "vnetNewOrExisting": {
+ "value": "[parameters('vnetNewOrExisting')]"
+ },
+ "virtualNetworkExistingRGName": {
+ "value": "[parameters('virtualNetworkExistingRGName')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Network/publicIPAddresses",
+ "apiVersion": "[variables('networkApiVersion')]",
+ "location": "[variables('location')]",
+ "name": "[variables('appAddressName')]",
+ "properties": {
+ "publicIPAllocationMethod": "Static",
+ "dnsSettings": {
+ "domainNameLabel": "[concat(toLower(parameters('vmName')), '-', uniquestring(resourceGroup().id, deployment().name))]"
+ }
+ }
+ },
+ {
+ "apiVersion": "[variables('networkApiVersion')]",
+ "name": "[variables('lbName')]",
+ "type": "Microsoft.Network/loadBalancers",
+ "location": "[variables('location')]",
+ "dependsOn": [
+ "[variables('appAddressId')]"
+ ],
+ "properties": {
+ "frontendIPConfigurations": [
+ {
+ "name": "[variables('appFEName')]",
+ "properties": {
+ "publicIPAddress": {
+ "id": "[variables('appAddressId')]"
+ }
+ }
+ }
+ ],
+ "backendAddressPools": [
+ {
+ "name": "[variables('lbBEAddressPool')]"
+ }
+ ],
+ "loadBalancingRules": [
+ {
+ "name": "[variables('appName')]",
+ "properties": {
+ "frontendIPConfiguration": {
+ "id": 
"[variables('appFEIPConfigID')]"
+ },
+ "backendAddressPool": {
+ "id": "[variables('lbBEAddressPoolID')]"
+ },
+ "probe": {
+ "id": "[variables('appProbeID')]"
+ },
+ "protocol": "tcp",
+ "frontendPort": "[variables('appFrontEndPort')]",
+ "backendPort": "[variables('appBackEndPort')]",
+ "enableFloatingIP": false
+ }
+ }
+ ],
+ "probes": [
+ {
+ "name": "[variables('appProbeName')]",
+ "properties": {
+ "protocol": "[variables('appProtocol')]",
+ "port": "[variables('appBackEndPort')]",
+ "intervalInSeconds": "15",
+ "numberOfProbes": "5",
+ "requestPath": "/"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "apiVersion": "[variables('networkApiVersion')]",
+ "name": "[variables('proxyName')]",
+ "type": "Microsoft.Network/loadBalancers",
+ "location": "[variables('location')]",
+ "properties": {
+ "frontendIPConfigurations": [
+ {
+ "name": "[variables('proxyName')]",
+ "properties": {
+ "subnet": {
+ "id": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', variables('proxySubnet'))]"
+ }
+ }
+ }
+ ],
+ "backendAddressPools": [
+ {
+ "name": "[variables('proxyBEAddressPool')]"
+ }
+ ],
+ "loadBalancingRules": [
+ {
+ "name": "[variables('proxyName')]",
+ "properties": {
+ "frontendIPConfiguration": {
+ "id": "[variables('proxyFEIPConfigID')]"
+ },
+ "backendAddressPool": {
+ "id": "[variables('proxyBEAddressPoolID')]"
+ },
+ "probe": {
+ "id": "[variables('proxyProbeID')]"
+ },
+ "protocol": "tcp",
+ "frontendPort": "[variables('proxyPort')]",
+ "backendPort": "[variables('proxyPort')]",
+ "enableFloatingIP": false
+ }
+ }
+ ],
+ "probes": [
+ {
+ "name": "[variables('proxyProbeName')]",
+ "properties": {
+ "protocol": "tcp",
+ "port": "[variables('proxyPort')]",
+ "intervalInSeconds": "15",
+ "numberOfProbes": "5"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "name": "[variables('storageAccountName')]",
+ "apiVersion": "[variables('storageApiVersion')]",
+ "location": "[variables('location')]",
+ "sku": {
+ "name": 
"[variables('storageAccountType')]" + }, + "kind": "Storage" + }, + { + "type": "Microsoft.Compute/virtualMachineScaleSets", + "apiVersion": "[variables('computeApiVersion')]", + "name": "[parameters('vmName')]", + "location": "[variables('location')]", + "tags": { + "x-chkp-management": "[parameters('managementServer')]", + "x-chkp-template": "[parameters('configurationTemplate')]", + "x-chkp-ip-address": "private" + }, + "dependsOn": [ + "[variables('lbID')]", + "[variables('proxyID')]", + "[resourceId('Microsoft.Resources/deployments', 'networkSetup')]", + "[resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]" + ], + "sku": { + "name": "[parameters('vmSize')]", + "tier": "Standard", + "capacity": "[parameters('instanceCount')]" + }, + "plan": "[variables('plan')]", + "properties": { + "upgradePolicy": { + "mode": "Manual" + }, + "virtualMachineProfile": { + "storageProfile": { + "osDisk": { + "caching": "ReadWrite", + "createOption": "FromImage", + "managedDisk": { + "storageAccountType": "[parameters('diskType')]" + } + }, + "imageReference": "[variables('imageReference')]" + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "notused", + "computerNamePrefix": "[toLower(parameters('vmName'))]", + "customData": "[base64(variables('customData'))]", + "linuxConfiguration": "[variables('linuxConfiguration')]" + }, + "networkProfile": { + "networkInterfaceConfigurations": [ + { + "name": "eth0", + "properties": { + "primary": true, + "ipConfigurations": [ + { + "name": "ipconfig1", + "properties": { + "subnet": { + "id": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('subnet1Name'))]" + }, + "loadBalancerBackendAddressPools": [ + { + "id": "[variables('lbBEAddressPoolID')]" + }, + { + "id": "[variables('proxyBEAddressPoolID')]" + } + ] + } + } + ] + } + } + ] + }, + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": "true", + "storageUri": 
"[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), variables('storageApiVersion')).primaryEndpoints.blob]" + } + } + }, + "overprovision": false + } + }, + { + "type": "Microsoft.Insights/autoscaleSettings", + "apiVersion": "[variables('insightsApiVersion')]", + "name": "[parameters('vmName')]", + "location": "[variables('location')]", + "dependsOn": [ + "[variables('vmssID')]" + ], + "properties": { + "name": "[parameters('vmName')]", + "targetResourceUri": "[variables('vmssID')]", + "notifications": [ + { + "operation": "Scale", + "email": { + "sendToSubscriptionAdministrator": false, + "sendToSubscriptionCoAdministrators": false, + "customEmails": "[variables('customEmails')]" + } + } + ], + "enabled": true, + "profiles": [ + { + "name": "Profile1", + "capacity": { + "minimum": "[parameters('instanceCount')]", + "maximum": "[parameters('maxInstanceCount')]", + "default": "[parameters('instanceCount')]" + }, + "rules": [ + { + "metricTrigger": { + "metricName": "Percentage CPU", + "metricNamespace": "", + "metricResourceUri": "[variables('vmssID')]", + "timeGrain": "PT1M", + "statistic": "Average", + "timeWindow": "PT5M", + "timeAggregation": "Average", + "operator": "GreaterThan", + "threshold": 80 + }, + "scaleAction": { + "direction": "Increase", + "type": "ChangeCount", + "value": "1", + "cooldown": "PT5M" + } + }, + { + "metricTrigger": { + "metricName": "Percentage CPU", + "metricNamespace": "", + "metricResourceUri": "[variables('vmssID')]", + "timeGrain": "PT1M", + "statistic": "Average", + "timeWindow": "PT5M", + "timeAggregation": "Average", + "operator": "LessThan", + "threshold": 60 + }, + "scaleAction": { + "direction": "Decrease", + "type": "ChangeCount", + "value": "1", + "cooldown": "PT5M" + } + } + ] + } + ] + } + } + ], + "outputs": { + "ApplicationAddress": { + "type": "string", + "value": "[reference(variables('appAddressId')).IpAddress]" + }, + "ApplicationFQDN": { + "type": "string", + "value": 
"[reference(variables('appAddressId')).dnsSettings.fqdn]"
+ }
+ }
+}
diff --git a/deprecated/azure/templates/R7730/vmss-r7730/vnet-1-subnet-existing.json b/deprecated/azure/templates/R7730/vmss-r7730/vnet-1-subnet-existing.json
new file mode 100644
index 00000000..fd9b75d1
--- /dev/null
+++ b/deprecated/azure/templates/R7730/vmss-r7730/vnet-1-subnet-existing.json
@@ -0,0 +1,67 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "virtualNetworkName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the virtual network"
+ },
+ "defaultValue": "vnet"
+ },
+ "virtualNetworkAddressPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the virtual network"
+ }
+ },
+ "Subnet1Name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the 1st subnet"
+ },
+ "defaultValue": "Frontend"
+ },
+ "Subnet1Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the 1st subnet"
+ },
+ "defaultValue": "10.0.1.0/24"
+ },
+ "vnetNewOrExisting": {
+ "type": "string",
+ "defaultValue": "new",
+ "allowedValues": [
+ "new",
+ "existing"
+ ],
+ "metadata": {
+ "Description": "Indicates whether the virtual network is new or existing"
+ }
+ },
+ "virtualNetworkExistingRGName": {
+ "type": "string",
+ "metadata": {
+ "description": "Resource Group of the existing virtual network"
+ },
+ "defaultValue": ""
+ },
+ "apiVersion": {
+ "type": "string"
+ }
+ },
+ "variables": {
+ "vnetId": "[resourceId(parameters('virtualNetworkExistingRGName'),'Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]"
+ },
+ "resources": [],
+ "outputs": {
+ "vnetId": {
+ "value": "[variables('vnetId')]",
+ "type": "string"
+ }
+ }
+}
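Review bot: Every parameter except `virtualNetworkName` and `virtualNetworkExistingRGName` is declared but never referenced in vnet-1-subnet-existing.json — `resources` is `[]` and the only expression is the `vnetId` variable — so a reader will take `location`, `apiVersion`, `virtualNetworkAddressPrefix`, `Subnet1Name` and `Subnet1Prefix` for a bug rather than a deliberately shared interface with the `new` variant selected via `vnetNewOrExisting`. A metadata line on each, e.g. `"description": "Unused here; accepted so both vnet-1-subnet-*.json templates take the same parameters"`, would make the parity explicit. `vnetNewOrExisting` is also the only parameter whose metadata key is spelled `Description` rather than `description`; the same capitalised key recurs in vnet-1-subnet-new.json in the next hunk, and the portal tooltip is driven by `metadata.description`, so `"description": "Indicates whether the virtual network is new or existing"` keeps them consistent. With `virtualNetworkExistingRGName` defaulting to `""`, `resourceId('', 'Microsoft.Network/virtualNetworks', ...)` is what gets evaluated when this variant is selected without a resource group; I have not confirmed how resourceId treats an empty first argument, so presumably the parent template guarantees a value.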
diff --git a/deprecated/azure/templates/R7730/vmss-r7730/vnet-1-subnet-new.json b/deprecated/azure/templates/R7730/vmss-r7730/vnet-1-subnet-new.json
new file mode 100644
index 00000000..e443a759
--- /dev/null
+++ b/deprecated/azure/templates/R7730/vmss-r7730/vnet-1-subnet-new.json
@@ -0,0 +1,87 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "virtualNetworkName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the virtual network"
+ },
+ "defaultValue": "vnet"
+ },
+ "virtualNetworkAddressPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the virtual network"
+ }
+ },
+ "Subnet1Name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the 1st subnet"
+ },
+ "defaultValue": "Frontend"
+ },
+ "Subnet1Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the 1st subnet"
+ },
+ "defaultValue": "10.0.1.0/24"
+ },
+ "vnetNewOrExisting": {
+ "type": "string",
+ "defaultValue": "new",
+ "allowedValues": [
+ "new",
+ "existing"
+ ],
+ "metadata": {
+ "Description": "Indicates whether the virtual network is new or existing"
+ }
+ },
+ "virtualNetworkExistingRGName": {
+ "type": "string",
+ "metadata": {
+ "description": "Resource Group of the existing virtual network"
+ },
+ "defaultValue": ""
+ },
+ "apiVersion": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Network/virtualNetworks",
+ "apiVersion": "[parameters('apiVersion')]",
+ "location": "[parameters('location')]",
+ "name": "[parameters('virtualNetworkName')]",
+ "properties": {
+ "addressSpace": {
+ "addressPrefixes": [
+ "[parameters('virtualNetworkAddressPrefix')]"
+ ]
+ },
+ "subnets": [
+ {
+ "name": "[parameters('subnet1Name')]",
+ "properties": {
+ "addressPrefix": "[parameters('subnet1Prefix')]"
+ }
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {
+ "vnetId": {
+ "value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]",
+ "type": "string"
+ }
+ }
+}
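Review bot: The subnet resource reads `parameters('subnet1Name')` and `parameters('subnet1Prefix')` while the parameters are declared as `Subnet1Name` and `Subnet1Prefix`; this works only because ARM parameter lookup is case-insensitive, and a grep for the declared name misses its uses. Use the declared spelling, `"name": "[parameters('Subnet1Name')]"` and `"addressPrefix": "[parameters('Subnet1Prefix')]"`. `location` and `apiVersion` are the only parameters with no `metadata.description`; one line each, e.g. `"description": "Azure region for the virtual network"` and `"description": "Microsoft.Network API version used for the virtualNetworks resource"`, documents what the parent template must pass. The subnet is created with only `addressPrefix` and no `networkSecurityGroup` association, which is fine when the caller attaches one, but that expectation belongs in the `Subnet1Name` description so a consumer of this nested template does not assume the subnet is filtered.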
diff --git a/deprecated/azure/templates/R8010-R8020/cluster-r8010/README.MD b/deprecated/azure/templates/R8010-R8020/cluster-r8010/README.MD
new file mode 100644
index 00000000..3dcafb5c
--- /dev/null
+++ b/deprecated/azure/templates/R8010-R8020/cluster-r8010/README.MD
@@ -0,0 +1,13 @@
+# How to deploy this template
+To deploy this ARM template, follow these instructions:
+1. Log in to the [Microsoft Azure Portal](https://portal.azure.com)
+2. Click "*Create a resource*"
+3. Search for "*Template deployment (deploy using custom templates)*" and click "*Create*"
+4. Click "*Build your own template in the editor*"
+5. Load the "*mainTemplate.json*" file from this directory and click "*Save*"
+6. Enter the desired template parameters
+ - Replace the "*_artifacts Location*" property with:
+ ```
+ https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/deprecated/azure/templates/cluster-r8010/
+ ```
+7. Click *Purchase* to deploy the solution
diff --git a/deprecated/azure/templates/R8010-R8020/cluster-r8010/createUiDefinition.json b/deprecated/azure/templates/R8010-R8020/cluster-r8010/createUiDefinition.json
new file mode 100644
index 00000000..13032428
--- /dev/null
+++ b/deprecated/azure/templates/R8010-R8020/cluster-r8010/createUiDefinition.json
@@ -0,0 +1,380 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Compute.MultiVm", + "version": "0.1.2-preview", + "parameters": { + "basics": [ + { + "name": "clusterNameUi", + "type": "Microsoft.Common.TextBox", + "label": "Cluster Name", + "toolTip": "The name of the cluster.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{1,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + } + }, + { + "name": "auth", + "type": "Microsoft.Compute.CredentialsCombo", + "label": { + "authenticationType": "Authentication type", + "password": "Password", + "confirmPassword": "Confirm password", + "sshPublicKey": "SSH public key" + }, + "toolTip": { + "authenticationType": "", + "password": "The user 'admin' password", + "sshPublicKey": "Paste an OpenSSH public key. You can generate a key pair using ssh-keygen (Linux, OS X, Cygwin) or PuttyGen (Windows)" + }, + "constraints": { + "required": true + }, + "options": { + "hideConfirmation": false, + "hidePassword": false + }, + "osPlatform": "Linux" + } + ], + "steps": [ + { + "name": "chkp", + "label": "Check Point Cluster settings", + "subLabel": { + "preValidation": "Configure Cluster settings", + "postValidation": "Done" + }, + "bladeTitle": "Cluster settings", + "elements": [ + { + "name": "cloudGuardVersion", + "type": "Microsoft.Common.DropDown", + "label": "Check Point CloudGuard version", + "defaultValue": "R80.10", + "toolTip": "The version of Check Point CloudGuard.", + "constraints": { + "allowedValues": [ + { + "label": "R80.10", + "value": "R80.10" + } + ] + } + }, + { + "name": "R8010Offer", + "type": "Microsoft.Common.DropDown", + "label": "License type", + "toolTip": "The type of license.", + "defaultValue": "Bring Your Own License", + "visible": "[equals(steps('chkp').cloudGuardVersion, 'R80.10')]", + "constraints": { + "allowedValues": [ + { + 
"label": "Bring Your Own License", + "value": "Bring Your Own License" + }, + { + "label": "Pay As You Go (NGTP)", + "value": "Pay As You Go (NGTP)" + }, + { + "label": "Pay As You Go (NGTX)", + "value": "Pay As You Go (NGTX)" + } + ] + } + }, + { + "name": "R8010vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.10'), contains(steps('chkp').R8010Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2" + ], + "constraints": { + "excludedSizes": [ + "Standard_A1_v2", + "Standard_D1_v2", + "Standard_DS1_v2", + "Standard_F1", + "Standard_F1s", + "Standard_G1", + "Standard_GS1" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-vsec-r80-blink-v2", + "sku": "sg-byol" + }, + "count": 2 + }, + { + "name": "R8010vmSizeUiNGTP", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.10'), contains(steps('chkp').R8010Offer, '(NGTP)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2" + ], + "constraints": { + "excludedSizes": [ + "Standard_A1_v2", + "Standard_D1_v2", + "Standard_DS1_v2", + "Standard_F1", + "Standard_F1s", + "Standard_G1", + "Standard_GS1" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-vsec-r80-blink-v2", + "sku": "sg-ngtp-v2" + }, + "count": 2 + }, + { + "name": "R8010vmSizeUiNGTX", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.10'), contains(steps('chkp').R8010Offer, '(NGTX)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2" + ], + "constraints": { + "excludedSizes": [ + 
"Standard_A1_v2", + "Standard_D1_v2", + "Standard_DS1_v2", + "Standard_F1", + "Standard_F1s", + "Standard_G1", + "Standard_GS1" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-vsec-r80-blink-v2", + "sku": "sg-ngtx" + }, + "count": 2 + }, + { + "name": "sicKeyUi", + "type": "Microsoft.Common.PasswordBox", + "label": { + "password": "SIC key", + "confirmPassword": "Confirm SIC key" + }, + "toolTip": "Set the Secure Internal Communication one time secret used to set up trust between the cluster and the management server.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{8,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the value must be 8-30 characters long." + }, + "options": { + "hideConfirmation": true + }, + "visible": "true" + }, + { + "name": "bootstrapScript", + "type": "Microsoft.Common.FileUpload", + "label": "Bootstrap script", + "toolTip": "An optional script to run on the initial boot", + "constraints": { + "required": false, + "accept": ".sh,text/plain" + }, + "options": { + "multiple": false, + "uploadMode": "file", + "openMode": "text", + "encoding": "UTF-8" + } + }, + { + "name": "allowUploadDownload", + "type": "Microsoft.Common.OptionsGroup", + "label": "Allow download from/upload to Check Point", + "defaultValue": "Yes", + "toolTip": "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "true" + }, + { + "label": "No", + "value": "false" + } + ] + } + }, + { + "name": "additionalDiskSizeGB", + "type": "Microsoft.Common.TextBox", + "label": "Additional disk space (GB)", + "defaultValue": "0", + "toolTip": "Additional disk space (in GB), Initial disk size is 100 GB.", + "constraints": { + "regex": "^([0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-2][0-9][0-9][0-9]|3[0-8][0-9][0-9]|399[0-5])$", + "validationMessage": "Select a number between 0 and 3995" + } + }, + { + "name": "VMDiskType", + "type": "Microsoft.Common.OptionsGroup", + "label": "VM disk type", + "toolTip": "Type of CloudGuard disk.", + "visible": "[or(contains(steps('chkp').R8010vmSizeUiBYOL, 'DS'), contains(steps('chkp').R8010vmSizeUiNGTP, 'DS'), contains(steps('chkp').R8010vmSizeUiNGTX, 'DS'))]", + "defaultValue": "Standard", + "constraints": { + "allowedValues": [ + { + "label": "Standard", + "value": "Standard_LRS" + }, + { + "label": "Premium", + "value": "Premium_LRS" + } + ] + } + }, + { + "name": "useCustomImageUri", + "type": "Microsoft.Common.OptionsGroup", + "label": "Use development image uri", + "defaultValue": "No", + "toolTip": "", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ], + "required": true + }, + "visible": false + }, + { + "name": "sourceImageVhdUri", + "type": "Microsoft.Common.TextBox", + "label": "Development Image URI", + "toolTip": "The URI of the blob containing the development image", + "constraints": { + "required": "[equals(steps('chkp').useCustomImageUri, 'Yes')]", + "regex": "^[a-z0-9A-Z_\\-\\.\\:\\/]{1,500}.vhd$", + "validationMessage": "Only alphanumeric characters and '_','-','.',':','/' are allowed, the value must be 1-500 characters long and must end with .vhd. 
" + }, + "visible": "[equals(steps('chkp').useCustomImageUri, 'Yes')]" + } + ] + }, + { + "name": "network", + "label": "Network settings", + "subLabel": { + "preValidation": "Configure network settings", + "postValidation": "Done" + }, + "bladeTitle": "Network settings", + "elements": [ + { + "name": "virtualNetwork", + "type": "Microsoft.Network.VirtualNetworkCombo", + "label": { + "virtualNetwork": "Virtual network", + "subnets": "Subnets" + }, + "toolTip": { + "virtualNetwork": "Virtual Network Name", + "subnets": "List of subnets to deploy into" + }, + "defaultValue": { + "name": "vnet01", + "addressPrefixSize": "/16" + }, + "constraints": { + "minAddressPrefixSize": "/28" + }, + "options": { + "hideExisting": false + }, + "subnets": { + "subnet1": { + "label": "Frontend subnet", + "defaultValue": { + "name": "Frontend", + "addressPrefixSize": "/24" + }, + "constraints": { + "minAddressPrefixSize": "/29", + "minAddressCount": 2, + "requireContiguousAddresses": true + } + }, + "subnet2": { + "label": "Backend subnet", + "defaultValue": { + "name": "Backend", + "addressPrefixSize": "/24" + }, + "constraints": { + "minAddressPrefixSize": "/29", + "minAddressCount": 2, + "requireContiguousAddresses": true + } + } + } + } + ] + } + ], + "outputs": { + "location": "[location()]", + "cloudGuardVersion": "[concat(steps('chkp').cloudGuardVersion, ' - ', coalesce(steps('chkp').R7730Offer, steps('chkp').R8010Offer, 'Bring Your Own License'))]", + "adminPassword": "[basics('auth').password]", + "authenticationType": "[basics('auth').authenticationType]", + "sshPublicKey": "[basics('auth').sshPublicKey]", + "vmName": "[basics('clusterNameUi')]", + "vmSize": "[coalesce(steps('chkp').R8010vmSizeUiBYOL, steps('chkp').R8010vmSizeUiNGTP, steps('chkp').R8010vmSizeUiNGTX)]", + "sicKey": "[steps('chkp').sicKeyUi]", + "virtualNetworkName": "[steps('network').virtualNetwork.name]", + "virtualNetworkAddressPrefix": "[steps('network').virtualNetwork.addressPrefix]", + "Subnet1Name": 
"[steps('network').virtualNetwork.subnets.subnet1.name]", + "Subnet1Prefix": "[steps('network').virtualNetwork.subnets.subnet1.addressPrefix]", + "Subnet1StartAddress": "[steps('network').virtualNetwork.subnets.subnet1.startAddress]", + "Subnet2Name": "[steps('network').virtualNetwork.subnets.subnet2.name]", + "Subnet2Prefix": "[steps('network').virtualNetwork.subnets.subnet2.addressPrefix]", + "Subnet2StartAddress": "[steps('network').virtualNetwork.subnets.subnet2.startAddress]", + "vnetNewOrExisting": "[steps('network').virtualNetwork.newOrExisting]", + "virtualNetworkExistingRGName": "[steps('network').virtualNetwork.resourceGroup]", + "bootstrapScript": "[steps('chkp').bootstrapScript]", + "allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp').allowUploadDownload, 'true')]", + "additionalDiskSizeGB": "[int(steps('chkp').additionalDiskSizeGB)]", + "diskType": "[coalesce(steps('chkp').VMDiskType, 'Standard_LRS')]", + "sourceImageVhdUri": "[coalesce(steps('chkp').sourceImageVhdUri, 'noCustomUri')]" + } + } +} diff --git a/deprecated/azure/templates/R8010-R8020/cluster-r8010/mainTemplate.json b/deprecated/azure/templates/R8010-R8020/cluster-r8010/mainTemplate.json new file mode 100644 index 00000000..4b0a5d83 --- /dev/null +++ b/deprecated/azure/templates/R8010-R8020/cluster-r8010/mainTemplate.json 
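Review bot: The `cloudGuardVersion` output coalesces `steps('chkp').R7730Offer`, but no element named `R7730Offer` exists in this UI definition — only `R8010Offer` does — so the first argument is presumably a copy-paste leftover that evaluates to null and is skipped; `"cloudGuardVersion": "[concat(steps('chkp').cloudGuardVersion, ' - ', coalesce(steps('chkp').R8010Offer, 'Bring Your Own License'))]"` drops the dead reference. The `sourceImageVhdUri` regex `^[a-z0-9A-Z_\\-\\.\\:\\/]{1,500}.vhd$` leaves the final dot unescaped, so the "must end with .vhd" rule stated in its validationMessage accepts any character before `vhd`; `\\.vhd$` enforces what the message says. `sicKeyUi` sets `"visible": "true"` as a string while `useCustomImageUri` uses the boolean `false`; the boolean form is the consistent one.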
@@ -0,0 +1,731 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string", + "metadata": { + "description": "Deployment location" + } + }, + "cloudGuardVersion": { + "type": "string", + "allowedValues": [ + "R80.10 - Bring Your Own License", + "R80.10 - Pay As You Go (NGTP)", + "R80.10 - Pay As You Go (NGTX)" + ], + "defaultValue": "R80.10 - Bring Your Own License", + "metadata": { + "description": "Version of Check Point CloudGuard" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Administrator password" + }, + "defaultValue": "" + }, + "authenticationType": { + "type": "string", + "allowedValues": [ + "password", + "sshPublicKey" + ], + "defaultValue": "password", + "metadata": { + "description": "Authentication type" + } + }, + "sshPublicKey": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Administrator SSH public key" + } + }, + "vmName": { + "type": "string", + "metadata": { + "description": "Name of the Check Point Cluster" + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_D3_v2", + "metadata": { + "description": "Size of the VM" + } + }, + "sicKey": { + "type": "securestring", + "metadata": { + "description": "One time key for Secure Internal Communication" + } + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "vnet" + }, + "virtualNetworkAddressPrefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the virtual network" + }, + "defaultValue": "10.0.0.0/16" + }, + "Subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the 1st subnet" + }, + "defaultValue": "Frontend" + }, + "Subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 1st subnet" + }, + 
"defaultValue": "10.0.1.0/24" + }, + "Subnet1StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the 1st subnet" + }, + "defaultValue": "10.0.1.10" + }, + "Subnet2Name": { + "type": "string", + "metadata": { + "description": "The name of the 2nd subnet" + }, + "defaultValue": "Backend" + }, + "Subnet2Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 2nd subnet" + }, + "defaultValue": "10.0.2.0/24" + }, + "Subnet2StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the 2nd subnet" + }, + "defaultValue": "10.0.2.10" + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "new", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "" + }, + "bootstrapScript": { + "type": "string", + "metadata": { + "description": "Bootstrap script" + }, + "defaultValue": "" + }, + "allowDownloadFromUploadToCheckPoint": { + "type": "string", + "allowedValues": [ + "true", + "false" + ], + "defaultValue": "true", + "metadata": { + "description": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + } + }, + "additionalDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "metadata": { + "description": "Amount of additional disk space (in GB)" + }, + "minValue": 0, + "maxValue": 3995 + }, + "diskType": { + "type": "string", + "defaultValue": "Standard_LRS", + "metadata": { + "description": "The type of the OS disk. 
Premium is applicable only to DS machine sizes" + }, + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ] + }, + "preview": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Deploy the staged image" + }, + "allowedValues": [ + "", + "-preview" + ] + }, + "role": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Role" + } + }, + "sourceImageVhdUri": { + "type": "string", + "defaultValue": "noCustomUri", + "metadata": { + "description": "The URI of the blob containing the development image" + } + }, + "_artifactsLocation": { + "type": "string", + "metadata": { + "description": "The base URI where artifacts required by this template are located including a trailing '/'" + }, + "defaultValue": "[deployment().properties.templateLink.uri]" + }, + "_artifactsLocationSasToken": { + "type": "securestring", + "metadata": { + "description": "The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. Use the defaultValue if the staging location is not secured." 
+ }, + "defaultValue": "" + }, + "Check_PointTags": { + "type": "object", + "defaultValue": { + "provider": "30DE18BC-F9F6-4F22-9D30-54B8E74CFD5F" + } + } + }, + "variables": { + "templateName": "cluster", + "templateVersion": "20191118", + "location": "[parameters('location')]", + "offers": { + "R80.10 - Bring Your Own License": "BYOL", + "R80.10 - Pay As You Go (NGTP)": "NGTP-V2", + "R80.10 - Pay As You Go (NGTX)": "NGTX" + }, + "offer": "[variables('offers')[parameters('cloudGuardVersion')]]", + "osVersions": { + "R80.10 - Bring Your Own License": "R8010", + "R80.10 - Pay As You Go (NGTP)": "R8010", + "R80.10 - Pay As You Go (NGTX)": "R8010" + }, + "isBlink": "[equals(variables('osVersion'), 'R8010')]", + "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", + "computeApiVersion": "2017-03-30", + "storageApiVersion": "2016-01-01", + "networkApiVersion": "2016-06-01", + "authorizationApiVersion": "2017-05-01", + "deploymentsApiVersion": "2016-02-01", + "storageAccountName": "[concat('bootdiag', uniqueString(resourceGroup().id, deployment().name))]", + "storageAccountType": "Standard_LRS", + "diskSizeGBR8010": 100, + "diskSizeGB": "[add(parameters('additionalDiskSizeGB'), variables(concat('diskSizeGB', variables('osVersion'))))]", + "customData": "[concat('#!/usr/bin/python /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'managementGUIClientNetwork=\"', variables('managementGUIClientNetwork'), '\"', '\n', 'location=\"', variables('location'), 
'\"', '\n', 'tenantId=\"', subscription().tenantId, '\"', '\n', 'virtualNetwork=\"', parameters('virtualNetworkName'), '\"', '\n', 'clusterName=\"', parameters('vmName'), '\"', '\n', 'externalPrivateAddresses=\"', variables('externalPrivateAddresses')[2], '\"', '\n')]", + "imageOfferR8010": "check-point-vsec-r80-blink-v2", + "imageOffer": "[concat(variables(concat('imageOffer', variables('osVersion'))), parameters('preview'))]", + "imagePublisher": "checkpoint", + "imageReferenceBYOL": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-byol", + "version": "latest" + }, + "imageReferenceNGTP": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp", + "version": "latest" + }, + "imageReferenceNGTP-V2": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp-v2", + "version": "latest" + }, + "imageReferenceNGTX": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtx", + "version": "latest" + }, + "imageReferenceMarketplace": "[variables(concat('imageReference', variables('offer')))]", + "customImage": "customImage", + "imageReferenceCustomUri": { + "id": "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + }, + "imageReference": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('imageReferenceMarketplace'), variables('imageReferenceCustomUri'))]", + "nic1Name": "eth0", + "nic2Name": "eth1", + "lbId": "[resourceId('Microsoft.Network/loadBalancers', variables('lbName'))]", + "lbName": "frontend-lb", + "linuxConfigurationpassword": {}, + "linuxConfigurationsshPublicKey": { + "disablePasswordAuthentication": "true", + "ssh": { + "publicKeys": [ + { + "keyData": "[parameters('sshPublicKey')]", + "path": "/home/notused/.ssh/authorized_keys" + } + ] + } + }, + "linuxConfiguration": "[variables(concat('linuxConfiguration', 
parameters('authenticationType')))]",
+ "planBYOL": {
+ "name": "sg-byol",
+ "product": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]"
+ },
+ "planNGTP": {
+ "name": "sg-ngtp",
+ "product": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]"
+ },
+ "planNGTP-V2": {
+ "name": "sg-ngtp-v2",
+ "product": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]"
+ },
+ "planNGTX": {
+ "name": "sg-ngtx",
+ "product": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]"
+ },
+ "plan": "[variables(concat('plan', variables('offer')))]",
+ "roleDefinitionId": "[if(equals(parameters('role'), 'Contributor'), concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c'), parameters('role'))]",
+ "identity": "[if(empty(variables('roleDefinitionId')), json('null'), json('{\"type\": \"SystemAssigned\"}'))]",
+ "externalPrivateAddresses": [
+ "[parameters('Subnet1StartAddress')]",
+ "[concat(split(parameters('Subnet1StartAddress'), '.')[0],'.', split(parameters('Subnet1StartAddress'), '.')[1],'.', split(parameters('Subnet1StartAddress'), '.')[2],'.', string(add(int(split(parameters('Subnet1StartAddress'), '.')[3]),1)))]",
+ "[concat(split(parameters('Subnet1StartAddress'), '.')[0],'.', split(parameters('Subnet1StartAddress'), '.')[1],'.', split(parameters('Subnet1StartAddress'), '.')[2],'.', string(add(int(split(parameters('Subnet1StartAddress'), '.')[3]),2)))]"
+ ],
+ "Subnet2PrivateAddresses": [
+ "[parameters('Subnet2StartAddress')]",
+ "[concat(split(parameters('Subnet2StartAddress'), '.')[0],'.', split(parameters('Subnet2StartAddress'), '.')[1],'.', split(parameters('Subnet2StartAddress'), '.')[2],'.', string(add(int(split(parameters('Subnet2StartAddress'), '.')[3]),1)))]",
+ "[concat(split(parameters('Subnet2StartAddress'), '.')[0],'.', split(parameters('Subnet2StartAddress'), '.')[1],'.', split(parameters('Subnet2StartAddress'), '.')[2],'.', string(add(int(split(parameters('Subnet2StartAddress'), '.')[3]),2)))]"
+ ],
+ "publicIPAddressId": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('vmName'))]",
+ "publicIPAddressIds": [
+ "[resourceId('Microsoft.Network/publicIPAddresses', concat(parameters('vmName'), '1'))]",
+ "[resourceId('Microsoft.Network/publicIPAddresses', concat(parameters('vmName'), '2'))]"
+ ],
+ "availabilitySetName": "[concat(parameters('vmName'), '-AvailabilitySet')]",
+ "count": 2,
+ "frontEndIPConfMember1Id": "[concat(variables('lbId'), '/frontendIPConfigurations/LoadBalancerFrontEnd1')]",
+ "frontEndIPConfMember2Id": "[concat(variables('lbId'), '/frontendIPConfigurations/LoadBalancerFrontEnd2')]",
+ "member1IPConfigId": "[concat(variables('lbId'), '/frontendIPConfigurations/LoadBalancerFrontEnd1')]",
+ "member2IPConfigId": "[concat(variables('lbId'), '/frontendIPConfigurations/LoadBalancerFrontEnd2')]",
+ "bootstrapScript64": "[base64(parameters('bootstrapScript'))]",
+ "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]",
+ "networkSetupURL": "[uri(parameters('_artifactsLocation'), concat('nestedtemplates/vnet-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]",
+ "sicKey": "[parameters('sicKey')]",
+ "managementGUIClientNetwork": "",
+ "installationType": "cluster"
+ },
+ "resources": [
+ {
+ "apiVersion": "2018-02-01",
+ "name": "pid-02f0149c-45d1-561e-bd46-1121af3376e0",
+ "type": "Microsoft.Resources/deployments",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": []
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "name": "[variables('storageAccountName')]",
+ "apiVersion": "[variables('storageApiVersion')]",
+ "location": "[variables('location')]",
+ "sku": {
+ "name": "[variables('storageAccountType')]"
+ },
+ "kind": "Storage",
+ "tags": {
+ "provider": "[toUpper(parameters('Check_PointTags').provider)]"
+ }
+ },
+ {
+ "name": "networkSetup",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "[variables('deploymentsApiVersion')]",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "[variables('networkSetupURL')]",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "location": {
+ "value": "[variables('location')]"
+ },
+ "apiVersion": {
+ "value": "[variables('networkApiVersion')]"
+ },
+ "virtualNetworkName": {
+ "value": "[parameters('virtualNetworkName')]"
+ },
+ "virtualNetworkAddressPrefix": {
+ "value": "[parameters('virtualNetworkAddressPrefix')]"
+ },
+ "Subnet1Name": {
+ "value": "[parameters('Subnet1Name')]"
+ },
+ "Subnet1Prefix": {
+ "value": "[parameters('Subnet1Prefix')]"
+ },
+ "Subnet1StartAddress": {
+ "value": "[parameters('Subnet1StartAddress')]"
+ },
+ "Subnet2Name": {
+ "value": "[parameters('Subnet2Name')]"
+ },
+ "Subnet2Prefix": {
+ "value": "[parameters('Subnet2Prefix')]"
+ },
+ "Subnet2StartAddress": {
+ "value": "[parameters('Subnet2StartAddress')]"
+ },
+ "vnetNewOrExisting": {
+ "value": "[parameters('vnetNewOrExisting')]"
+ },
+ "virtualNetworkExistingRGName": {
+ "value": "[parameters('virtualNetworkExistingRGName')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Compute/availabilitySets",
+ "apiVersion": "[variables('computeApiVersion')]",
+ "location": "[variables('location')]",
+ "name": "[concat(variables('availabilitySetName'))]",
+ "properties": {
+ "platformFaultDomainCount": 2
+ },
+ "sku": {
+ "name": "Aligned"
+ },
+ "tags": {
+ "provider": "[toUpper(parameters('Check_PointTags').provider)]"
+ }
+ },
+ {
+ "type": "Microsoft.Network/publicIPAddresses",
+ "apiVersion": "[variables('networkApiVersion')]",
+ "location": "[variables('location')]",
+ "name": "[parameters('vmName')]",
+ "properties": {
+ "idleTimeoutInMinutes": 30,
+ "publicIPAllocationMethod": "Static",
+ "dnsSettings": {
+ "domainNameLabel": "[concat(toLower(parameters('vmName')), '-', uniquestring(resourceGroup().id, deployment().name))]"
+ }
+ },
+ "tags": {
+ "provider": "[toUpper(parameters('Check_PointTags').provider)]"
+ }
+ },
+ {
+ "type": "Microsoft.Network/publicIPAddresses",
+ "apiVersion": "[variables('networkApiVersion')]",
+ "location": "[variables('location')]",
+ "name": "[concat(parameters('vmName'), copyIndex(1))]",
+ "copy": {
+ "name": "publicAddressCopy",
+ "count": "[variables('count')]"
+ },
+ "properties": {
+ "idleTimeoutInMinutes": 30,
+ "publicIPAllocationMethod": "Static",
+ "dnsSettings": {
+ "domainNameLabel": "[concat(toLower(parameters('vmName')), '-', copyIndex(1), '-', uniquestring(resourceGroup().id, deployment().name))]"
+ }
+ },
+ "tags": {
+ "provider": "[toUpper(parameters('Check_PointTags').provider)]"
+ }
+ },
+ {
+ "type": "Microsoft.Network/networkInterfaces",
+ "apiVersion": "[variables('networkApiVersion')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', 'networkSetup')]",
+ "[variables('publicIPAddressIds')[0]]",
+ "[variables('publicIPAddressId')]"
+ ],
+ "location": "[variables('location')]",
+ "name": "[concat(parameters('vmName'), '1-', variables('nic1Name'))]",
+ "properties": {
+ "enableIPForwarding": true,
+ "ipConfigurations": [
+ {
+ "name": "member-ip",
+ "properties": {
+ "primary": true,
+ "privateIPAddress": "[variables('externalPrivateAddresses')[0]]",
+ "privateIPAllocationMethod": "Static",
+ "PublicIpAddress": {
+ "Id": "[variables('publicIPAddressIds')[0]]"
+ },
+ "subnet": {
+ "id": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('Subnet1Name'))]"
+ }
+ }
+ },
+ {
+ "name": "cluster-vip",
+ "properties": {
+ "primary": false,
+ "privateIPAddress": "[variables('externalPrivateAddresses')[2]]",
+ "privateIPAllocationMethod": "Static",
+ "PublicIpAddress": {
+ "Id": "[variables('publicIPAddressId')]"
+ },
+ "subnet": {
+ "id": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('Subnet1Name'))]"
+ }
+ }
+ }
+ ]
+ },
+ "tags": {
+ "provider": "[toUpper(parameters('Check_PointTags').provider)]"
+ }
+ },
+ {
+ "type": "Microsoft.Network/networkInterfaces",
+ "apiVersion": "[variables('networkApiVersion')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', 'networkSetup')]",
+ "[variables('publicIPAddressIds')[1]]"
+ ],
+ "location": "[variables('location')]",
+ "name": "[concat(parameters('vmName'), '2-', variables('nic1Name'))]",
+ "properties": {
+ "enableIPForwarding": true,
+ "ipConfigurations": [
+ {
+ "name": "member-ip",
+ "properties": {
+ "primary": true,
+ "privateIPAddress": "[variables('externalPrivateAddresses')[1]]",
+ "privateIPAllocationMethod": "Static",
+ "PublicIpAddress": {
+ "Id": "[variables('publicIPAddressIds')[1]]"
+ },
+ "subnet": {
+ "id": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('Subnet1Name'))]"
+ }
+ }
+ }
+ ]
+ },
+ "tags": {
+ "provider": "[toUpper(parameters('Check_PointTags').provider)]"
+ }
+ },
+ {
+ "type": "Microsoft.Network/networkInterfaces",
+ "apiVersion": "[variables('networkApiVersion')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', 'networkSetup')]"
+ ],
+ "copy": {
+ "name": "nic2Copy",
+ "count": "[variables('count')]"
+ },
+ "location": "[variables('location')]",
+ "name": "[concat(parameters('vmName'), copyIndex(1), '-', variables('nic2Name'))]",
+ "properties": {
+ "enableIPForwarding": true,
+ "ipConfigurations": [
+ {
+ "name": "member-ip",
+ "properties": {
+ "primary": true,
+ "privateIPAddress": "[variables('Subnet2PrivateAddresses')[copyIndex()]]",
+ "privateIPAllocationMethod": "Static",
+ "subnet": {
+ "id": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('Subnet2Name'))]"
+ }
+ }
+ }
+ ]
+ },
+ "tags": {
+ "provider": "[toUpper(parameters('Check_PointTags').provider)]"
+ }
+ },
+ {
+ "condition": "[not(equals(parameters('sourceImageVhdUri'), 'noCustomUri'))]",
+ "type": "Microsoft.Compute/images",
+ "apiVersion": "2017-12-01",
+ "name": "[variables('customImage')]",
+ "location": "[variables('location')]",
+ "properties": {
+ "storageProfile": {
+ "osDisk": {
+ "osType": "Linux",
+ "osState": "Generalized",
+ "blobUri": "[parameters('sourceImageVhdUri')]",
+ "storageAccountType": "Standard_LRS"
+ }
+ }
+ },
+ "tags": {
+ "provider": "[toUpper(parameters('Check_PointTags').provider)]"
+ }
+ },
+ {
+ "type": "Microsoft.Compute/virtualMachines",
+ "apiVersion": "[variables('computeApiVersion')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",
+ "[resourceId('Microsoft.Compute/availabilitySets', variables('availabilitySetName'))]",
+ "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), copyIndex(1), '-', variables('nic1Name')))]",
+ "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), copyIndex(1), '-', variables('nic2Name')))]",
+ "[resourceId('Microsoft.Compute/images/', variables('customImage'))]"
+ ],
+ "location": "[variables('location')]",
+ "name": "[concat(parameters('vmName'), copyIndex(1))]",
+ "copy": {
+ "name": "virtualMachineCopy",
+ "count": "[variables('count')]"
+ },
+ "plan": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('plan'), json('null'))]",
+ "identity": "[variables('identity')]",
+ "properties": {
+ "availabilitySet": {
+ "id": "[resourceId('Microsoft.Compute/availabilitySets', variables('availabilitySetName'))]"
+ },
+ "diagnosticsProfile": {
+ "bootDiagnostics": {
+ "enabled": "true",
+ "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), variables('storageApiVersion')).primaryEndpoints.blob]"
+ }
+ },
+ "hardwareProfile": {
+ "vmSize": "[parameters('vmSize')]"
+ },
+ "networkProfile": {
+ "networkInterfaces": [
+ {
+ "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), copyIndex(1), '-', variables('nic1Name')))]",
+ "properties": {
+ "primary": true
+ }
+ },
+ {
+ "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), copyIndex(1), '-', variables('nic2Name')))]",
+ "properties": {
+ "primary": false
+ }
+ }
+ ]
+ },
+ "osProfile": {
+ "adminPassword": "[parameters('adminPassword')]",
+ "adminUsername": "notused",
+ "computername": "[concat(toLower(parameters('vmName')), copyIndex(1))]",
+ "customData": "[base64(variables('customData'))]",
+ "linuxConfiguration": "[variables('linuxConfiguration')]"
+ },
+ "storageProfile": {
+ "imageReference": "[variables('imageReference')]",
+ "osDisk": {
+ "caching": "ReadWrite",
+ "createOption": "FromImage",
+ "diskSizeGB": "[variables('diskSizeGB')]",
+ "name": "[concat(parameters('vmName'), copyIndex(1))]",
+ "managedDisk": {
+ "storageAccountType": "[parameters('diskType')]"
+ }
+ }
+ }
+ },
+ "tags": {
+ "provider": "[toUpper(parameters('Check_PointTags').provider)]"
+ }
+ },
+ {
+ "condition": "[not(empty(variables('roleDefinitionId')))]",
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "[variables('authorizationApiVersion')]",
+ "name": "[guid(resourceGroup().id, concat(parameters('vmName'), copyIndex(1)))]",
+ "copy": {
+ "name": "virtualMachineCopy",
+ "count": "[variables('count')]"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), copyIndex(1)))]"
+ ],
+ "properties": {
+ "roleDefinitionId": "[variables('roleDefinitionId')]",
+ "scope": "[resourceGroup().id]",
+ "principalId": "[reference(concat('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), copyIndex(1))), variables('computeApiVersion'), 'Full').identity.principalId]"
+ },
+ "tags": {
+ "provider": "[toUpper(parameters('Check_PointTags').provider)]"
+ }
+ }
+ ],
+ "outputs": {
+ "ClusterIPAddr": {
+ "type": "string",
+ "value": "[reference(variables('publicIPAddressId')).IpAddress]"
+ },
+ "ClusterFQDN": {
+ "type": "string",
+ "value": "[reference(variables('publicIPAddressId')).dnsSettings.fqdn]"
+ },
+ "Member1IPAddr": {
+ "type": "string",
+ "value": "[reference(variables('publicIPAddressIds')[0]).IpAddress]"
+ },
+ "Member1FQDN": {
+ "type": "string",
+ "value": "[reference(variables('publicIPAddressIds')[0]).dnsSettings.fqdn]"
+ },
+ "Member2IPAddr": {
+ "type": "string",
+ "value": "[reference(variables('publicIPAddressIds')[1]).IpAddress]"
+ },
+ "Member2FQDN": {
+ "type": "string",
+ "value": "[reference(variables('publicIPAddressIds')[1]).dnsSettings.fqdn]"
+ }
+ }
+}
diff --git a/deprecated/azure/templates/R8010-R8020/cluster-r8010/nestedtemplates/vnet-existing.json b/deprecated/azure/templates/R8010-R8020/cluster-r8010/nestedtemplates/vnet-existing.json
new file mode 100644
index 00000000..e8e5bd2f
--- /dev/null
+++ b/deprecated/azure/templates/R8010-R8020/cluster-r8010/nestedtemplates/vnet-existing.json
@@ -0,0 +1,99 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "virtualNetworkName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the virtual network"
+ },
+ "defaultValue": "vnet"
+ },
+ "virtualNetworkAddressPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the virtual network"
+ }
+ },
+ "Subnet1Name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the 1st subnet"
+ },
+ "defaultValue": "Frontend"
+ },
+ "Subnet1Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the 1st subnet"
+ },
+ "defaultValue": "10.0.1.0/24"
+ },
+ "Subnet1StartAddress": {
+ "type": "string",
+ "metadata": {
+ "description": "The first avaialable address on the 1st subnet"
+ }
+ },
+ "Subnet2Name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the 2nd subnet"
+ },
+ "defaultValue": "Web"
+ },
+ "Subnet2Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the 2nd subnet"
+ },
+ "defaultValue": "10.0.2.0/24"
+ },
+ "Subnet2StartAddress": {
+ "type": "string",
+ "metadata": {
+ "description": "The first avaialable address on the 2nd subnet"
+ }
+ },
+ "vnetNewOrExisting": {
+ "type": "string",
+ "defaultValue": "new",
+ "allowedValues": [
+ "new",
+ "existing"
+ ],
+ "metadata": {
+ "Description": "Indicates whether the virtual network is new or existing"
+ }
+ },
+ "virtualNetworkExistingRGName": {
+ "type": "string",
+ "metadata": {
+ "description": "Resource Group of the existing virtual network"
+ },
+ "defaultValue": ""
+ },
+ "apiVersion": {
+ "type": "string"
+ },
+ "Check_PointTags": {
+ "type": "object",
+ "defaultValue": {
+ "provider": "30DE18BC-F9F6-4F22-9D30-54B8E74CFD5F"
+ }
+ }
+ },
+ "variables": {
+ "vnetId": "[resourceId(parameters('virtualNetworkExistingRGName'),'Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]"
+ },
+ "resources": [],
+ "outputs": {
+ "vnetId": {
+ "value": "[variables('vnetId')]",
+ "type": "string"
+ }
+ }
+}
diff --git a/deprecated/azure/templates/R8010-R8020/cluster-r8010/nestedtemplates/vnet-new.json b/deprecated/azure/templates/R8010-R8020/cluster-r8010/nestedtemplates/vnet-new.json
new file mode 100644
index 00000000..169a4a3d
--- /dev/null
+++ b/deprecated/azure/templates/R8010-R8020/cluster-r8010/nestedtemplates/vnet-new.json
@@ -0,0 +1,187 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "virtualNetworkName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the virtual network"
+ },
+ "defaultValue": "vnet"
+ },
+ "virtualNetworkAddressPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the virtual network"
+ }
+ },
+ "Subnet1Name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the 1st subnet"
+ },
+ "defaultValue": "Frontend"
+ },
+ "Subnet1Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the 1st subnet"
+ },
+ "defaultValue": "10.0.1.0/24"
+ },
+ "Subnet1StartAddress": {
+ "type": "string",
+ "metadata": {
+ "description": "The first avaialable address on the 1st subnet"
+ }
+ },
+ "Subnet2Name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the 2nd subnet"
+ },
+ "defaultValue": "Backend"
+ },
+ "Subnet2Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the 2nd subnet"
+ },
+ "defaultValue": "10.0.2.0/24"
+ },
+ "Subnet2StartAddress": {
+ "type": "string",
+ "metadata": {
+ "description": "The first avaialable address on the 2nd subnet"
+ }
+ },
+ "vnetNewOrExisting": {
+ "type": "string",
+ "defaultValue": "new",
+ "allowedValues": [
+ "new",
+ "existing"
+ ],
+ "metadata": {
+ "Description": "Indicates whether the virtual network is new or existing"
+ }
+ },
+ "virtualNetworkExistingRGName": {
+ "type": "string",
+ "metadata": {
+ "description": "Resource Group of the existing virtual network"
+ },
+ "defaultValue": ""
+ },
+ "apiVersion": {
+ "type": "string"
+ },
+ "Check_PointTags": {
+ "type": "object",
+ "defaultValue": {
+ "provider": "30DE18BC-F9F6-4F22-9D30-54B8E74CFD5F"
+ }
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Network/routeTables",
+ "apiVersion": "[parameters('apiVersion')]",
+ "location": "[parameters('location')]",
+ "name": "[parameters('subnet1Name')]",
+ "properties": {
+ "routes": [
+ {
+ "name": "Local-Subnet",
+ "properties": {
+ "addressPrefix": "[parameters('subnet1Prefix')]",
+ "nextHopType": "VnetLocal"
+ }
+ },
+ {
+ "name": "To-Internal",
+ "properties": {
+ "addressPrefix": "[parameters('virtualNetworkAddressPrefix')]",
+ "nextHopType": "VirtualAppliance",
+ "nextHopIpAddress": "[parameters('subnet1StartAddress')]"
+ }
+ }
+ ]
+ },
+ "tags": {
+ "provider": "[toUpper(parameters('Check_PointTags').provider)]"
+ }
+ },
+ {
+ "type": "Microsoft.Network/routeTables",
+ "apiVersion": "[parameters('apiVersion')]",
+ "location": "[parameters('location')]",
+ "name": "[parameters('subnet2Name')]",
+ "properties": {
+ "routes": [
+ {
+ "name": "To-Internet",
+ "properties": {
+ "addressPrefix": "0.0.0.0/0",
+ "nextHopType": "VirtualAppliance",
+ "nextHopIpAddress": "[parameters('subnet2StartAddress')]"
+ }
+ }
+ ]
+ },
+ "tags": {
+ "provider": "[toUpper(parameters('Check_PointTags').provider)]"
+ }
+ },
+ {
+ "type": "Microsoft.Network/virtualNetworks",
+ "apiVersion": "[parameters('apiVersion')]",
+ "location": "[parameters('location')]",
+ "name": "[parameters('virtualNetworkName')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/routeTables', parameters('subnet1Name'))]",
+ "[resourceId('Microsoft.Network/routeTables', parameters('subnet2Name'))]"
+ ],
+ "properties": {
+ "addressSpace": {
+ "addressPrefixes": [
+ "[parameters('virtualNetworkAddressPrefix')]"
+ ]
+ },
+ "subnets": [
+ {
+ "name": "[parameters('subnet1Name')]",
+ "properties": {
+ "addressPrefix": "[parameters('subnet1Prefix')]",
+ "routeTable": {
+ "id": "[resourceId('Microsoft.Network/routeTables', parameters('subnet1Name'))]"
+ }
+ }
+ },
+ {
+ "name": "[parameters('subnet2Name')]",
+ "properties": {
+ "addressPrefix": "[parameters('subnet2Prefix')]",
+ "routeTable": {
+ "id": "[resourceId('Microsoft.Network/routeTables', parameters('subnet2Name'))]"
+ }
+ }
+ }
+ ]
+ },
+ "tags": {
+ "provider": "[toUpper(parameters('Check_PointTags').provider)]"
+ }
+ }
+ ],
+ "outputs": {
+ "vnetId": {
+ "value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]",
+ "type": "string"
+ }
+ }
+}
diff --git a/deprecated/azure/templates/R8010-R8020/ha-r8010-r8020/README.MD b/deprecated/azure/templates/R8010-R8020/ha-r8010-r8020/README.MD
new file mode 100644
index 00000000..06bcde28
--- /dev/null
+++ b/deprecated/azure/templates/R8010-R8020/ha-r8010-r8020/README.MD
@@ -0,0 +1,13 @@
+# How to deploy this template
+To deploy this ARM template, follow these instructions:
+1. Log in to the [Microsoft Azure Portal](https://portal.azure.com)
+2. Click "*Create a resource*"
+3. Search for "*Template deployment (deploy using custom templates)*" and click "*Create*"
+4. Click "*Build your own template in the editor*"
+5. Load the "*mainTemplate.json*" file from this directory and click "*Save*"
+6. Enter the desired template parameters
+ - Replace the "*_artifacts Location*" property with:
+ ```
+ https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/deprecated/azure/templates/ha-r8010-r8020/
+ ```
+7. Click *Purchase* to deploy the solution
diff --git a/deprecated/azure/templates/R8010-R8020/ha-r8010-r8020/createUiDefinition.json b/deprecated/azure/templates/R8010-R8020/ha-r8010-r8020/createUiDefinition.json
new file mode 100644
index 00000000..d5510237
--- /dev/null
+++ b/deprecated/azure/templates/R8010-R8020/ha-r8010-r8020/createUiDefinition.json
@@ -0,0 +1,1284 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Compute.MultiVm",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "basics": [
+ {
+ "name": "basics settings text block",
+ "type": "Microsoft.Common.TextBlock",
+ "visible": true,
+ "options": {
+ "text": "Please follow the Check Point CloudGuard IaaS High Availability Administration Guide.",
+ "link": {
+ "label": "Administration Guide",
+ "uri": "https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_IaaS_HighAvailability_for_Azure/html_frameset.htm"
+ }
+ }
+ },
+ {
+ "name": "clusterObjectNameUi",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Cluster Object Name",
+ "toolTip": "The name of the cluster object.",
+ "constraints": {
+ "required": true,
+ "regex": "^[a-z0-9A-Z]{1,30}$",
+ "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long."
+ }
+ },
+ {
+ "name": "auth",
+ "type": "Microsoft.Compute.CredentialsCombo",
+ "label": {
+ "authenticationType": "Authentication type",
+ "password": "Password",
+ "confirmPassword": "Confirm password",
+ "sshPublicKey": "SSH public key"
+ },
+ "toolTip": {
+ "authenticationType": "",
+ "password": "The user 'admin' password",
+ "sshPublicKey": "Paste an OpenSSH public key.
You can generate a key pair using ssh-keygen (Linux, OS X, Cygwin) or PuttyGen (Windows)" + }, + "constraints": { + "required": true + }, + "options": { + "hideConfirmation": false, + "hidePassword": false + }, + "osPlatform": "Linux" + } + ], + "steps": [ + { + "name": "chkp", + "label": "Check Point Cluster Object settings", + "subLabel": { + "preValidation": "Configure Cluster Object settings", + "postValidation": "Done" + }, + "bladeTitle": "Cluster Object settings", + "elements": [ + { + "name": "cloudGuardVersion", + "type": "Microsoft.Common.DropDown", + "label": "Check Point CloudGuard version", + "defaultValue": "R80.20", + "toolTip": "The version of Check Point CloudGuard. For R80.20 license is BYOL.", + "constraints": { + "allowedValues": [ + { + "label": "R80.10", + "value": "R80.10" + }, + { + "label": "R80.20", + "value": "R80.20" + } + ] + } + }, + { + "name": "R80Offer", + "type": "Microsoft.Common.DropDown", + "label": "License type", + "toolTip": "The type of license.", + "defaultValue": "Bring Your Own License", + "visible": true, + "constraints": { + "allowedValues": [ + { + "label": "Bring Your Own License", + "value": "Bring Your Own License" + }, + { + "label": "Pay As You Go (NGTP)", + "value": "Pay As You Go (NGTP)" + }, + { + "label": "Pay As You Go (NGTX)", + "value": "Pay As You Go (NGTX)" + } + ] + } + }, + { + "name": "R8010vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.10'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_D2s_v3", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_DC2s", + 
"Standard_DC4s", + "Standard_F2s_v2", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_E2s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ts", + "Standard_M32ls", + "Standard_M32ms", + "Standard_M64s", + "Standard_M64ls", + "Standard_M64ms", + "Standard_M64", + "Standard_M64m", + "Standard_GS2", + "Standard_GS3", + "Standard_GS4", + "Standard_GS5", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2", + "Standard_NC6s_v2", + "Standard_NC12s_v2", + "Standard_NC24s_v2", + "Standard_NC24rs_v2", + "Standard_NC6s_v3", + "Standard_NC12s_v3", + "Standard_NC24s_v3", + "Standard_NC24rs_v3", + "Standard_ND6s", + "Standard_ND12s", + "Standard_ND24s", + "Standard_ND24rs", + "Standard_NV6s_v2", + "Standard_NV12s_v2", + "Standard_NV24s_v2", + "Standard_B1s", + "Standard_B1ms", + "Standard_B2s", + "Standard_B2ms", + "Standard_B4ms", + "Standard_B8ms", + "Standard_D2_v3", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_A2_v2", + "Standard_A4_v2", + "Standard_A8_v2", + "Standard_A2m_v2", + "Standard_A4m_v2", + "Standard_A8m_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_E2_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_G2", + "Standard_G3", + "Standard_G4", + "Standard_G5", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_L4s", + "Standard_L8s", + 
"Standard_L16s", + "Standard_L32s", + "Standard_NC6", + "Standard_NC12", + "Standard_NC24", + "Standard_NC24r", + "Standard_NV6", + "Standard_NV12", + "Standard_NV24", + "Standard_H8", + "Standard_H16", + "Standard_H8m", + "Standard_H16m", + "Standard_H16r", + "Standard_H16mr" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-vsec-r80-blink-v2", + "sku": "sg-byol" + }, + "count": 2 + }, + { + "name": "R8010vmSizeUiNGTP", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.10'), contains(steps('chkp').R80Offer, '(NGTP)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_D2s_v3", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_DC2s", + "Standard_DC4s", + "Standard_F2s_v2", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_E2s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ts", + "Standard_M32ls", + "Standard_M32ms", + "Standard_M64s", + "Standard_M64ls", + "Standard_M64ms", + "Standard_M64", + "Standard_M64m", + "Standard_GS2", + "Standard_GS3", + "Standard_GS4", + "Standard_GS5", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2", + "Standard_NC6s_v2", + "Standard_NC12s_v2", + "Standard_NC24s_v2", + "Standard_NC24rs_v2", + "Standard_NC6s_v3", + "Standard_NC12s_v3", + 
"Standard_NC24s_v3", + "Standard_NC24rs_v3", + "Standard_ND6s", + "Standard_ND12s", + "Standard_ND24s", + "Standard_ND24rs", + "Standard_NV6s_v2", + "Standard_NV12s_v2", + "Standard_NV24s_v2", + "Standard_B1s", + "Standard_B1ms", + "Standard_B2s", + "Standard_B2ms", + "Standard_B4ms", + "Standard_B8ms", + "Standard_D2_v3", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_A2_v2", + "Standard_A4_v2", + "Standard_A8_v2", + "Standard_A2m_v2", + "Standard_A4m_v2", + "Standard_A8m_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_E2_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_G2", + "Standard_G3", + "Standard_G4", + "Standard_G5", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_L4s", + "Standard_L8s", + "Standard_L16s", + "Standard_L32s", + "Standard_NC6", + "Standard_NC12", + "Standard_NC24", + "Standard_NC24r", + "Standard_NV6", + "Standard_NV12", + "Standard_NV24", + "Standard_H8", + "Standard_H16", + "Standard_H8m", + "Standard_H16m", + "Standard_H16r", + "Standard_H16mr" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-vsec-r80-blink-v2", + "sku": "sg-ngtp-v2" + }, + "count": 2 + }, + { + "name": "R8010vmSizeUiNGTX", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.10'), contains(steps('chkp').R80Offer, '(NGTX)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_D2s_v3", + "Standard_D4s_v3", + "Standard_D8s_v3", + 
"Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_DC2s", + "Standard_DC4s", + "Standard_F2s_v2", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_E2s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ts", + "Standard_M32ls", + "Standard_M32ms", + "Standard_M64s", + "Standard_M64ls", + "Standard_M64ms", + "Standard_M64", + "Standard_M64m", + "Standard_GS2", + "Standard_GS3", + "Standard_GS4", + "Standard_GS5", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2", + "Standard_NC6s_v2", + "Standard_NC12s_v2", + "Standard_NC24s_v2", + "Standard_NC24rs_v2", + "Standard_NC6s_v3", + "Standard_NC12s_v3", + "Standard_NC24s_v3", + "Standard_NC24rs_v3", + "Standard_ND6s", + "Standard_ND12s", + "Standard_ND24s", + "Standard_ND24rs", + "Standard_NV6s_v2", + "Standard_NV12s_v2", + "Standard_NV24s_v2", + "Standard_B1s", + "Standard_B1ms", + "Standard_B2s", + "Standard_B2ms", + "Standard_B4ms", + "Standard_B8ms", + "Standard_D2_v3", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_A2_v2", + "Standard_A4_v2", + "Standard_A8_v2", + "Standard_A2m_v2", + "Standard_A4m_v2", + "Standard_A8m_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_E2_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_G2", + "Standard_G3", + "Standard_G4", + 
"Standard_G5", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_L4s", + "Standard_L8s", + "Standard_L16s", + "Standard_L32s", + "Standard_NC6", + "Standard_NC12", + "Standard_NC24", + "Standard_NC24r", + "Standard_NV6", + "Standard_NV12", + "Standard_NV24", + "Standard_H8", + "Standard_H16", + "Standard_H8m", + "Standard_H16m", + "Standard_H16r", + "Standard_H16mr" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-vsec-r80-blink-v2", + "sku": "sg-ngtx" + }, + "count": 2 + }, + { + "name": "R8020vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.20'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + 
"Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8020-blink-v2", + "sku": "sg-byol" + }, + "count": 2 + }, + { + "name": "R8020vmSizeUiNGTP", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.20'), contains(steps('chkp').R80Offer, '(NGTP)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + 
"Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8020-blink-v2", + "sku": "sg-ngtp" + }, + "count": 2 + }, + { + "name": "R8020vmSizeUiNGTX", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.20'), contains(steps('chkp').R80Offer, '(NGTX)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8020-blink-v2", + "sku": 
"sg-ngtx" + }, + "count": 2 + }, + { + "name": "R8030vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.30'), equals(coalesce(steps('chkp').R80Offer, 'Bring Your Own License'), 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8030", + "sku": "sg-byol" + }, + "count": 2 + }, + { + "name": "R8030vmSizeUiNGTP", + "type": "Microsoft.Compute.SizeSelector", + "visible": false, + "label": "Virtual machine 
size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8030", + "sku": "sg-ngtp" + }, + "count": 2 + }, + { + "name": "R8030vmSizeUiNGTX", + "type": "Microsoft.Compute.SizeSelector", + "visible": false, + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + 
"Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8030", + "sku": "sg-ngtx" + }, + "count": 2 + }, + { + "name": "sicKeyUi", + "type": "Microsoft.Common.PasswordBox", + "label": { + "password": "SIC key", + "confirmPassword": "Confirm SIC key" + }, + "toolTip": "Set the Secure Internal Communication one time secret used to set up trust between the cluster object and the management server.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{8,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the value must be 8-30 characters long." 
+ }, + "options": { + "hideConfirmation": true + }, + "visible": "true" + }, + { + "name": "managedSystemAssigned", + "type": "Microsoft.Common.OptionsGroup", + "visible": "[not(or(equals(substring(location(), 0, 2), 'us'), equals(substring(location(), 0, 5), 'china'), equals(substring(location(), 0, 7), 'germany')))]", + "label": "Create a System Assigned Identity", + "toolTip": "Automatically create a Service Principal for this deployment.", + "defaultValue": "Yes", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "yes" + }, + { + "label": "No", + "value": "no" + } + ] + } + }, + { + "name": "availabilityOptions", + "type": "Microsoft.Common.DropDown", + "label": "Availability options", + "defaultValue": "Availability Set", + "toolTip": "Use replicated Cluster VMs in Availability Set or Availability Zones. Note that the load balancers and their IP addresses will be zone redundant in any case.", + "visible": "[contains(' centralus eastus2 francecentral northeurope southeastasia westeurope westus2 eastus uksouth ', concat(' ', location(), ' '))]", + "constraints": { + "allowedValues": [ + { + "label": "Availability Set", + "value": "Availability Set" + }, + { + "label": "Availability Zones", + "value": "Availability Zones" + } + ] + } + }, + { + "name": "bootstrapScript", + "type": "Microsoft.Common.FileUpload", + "label": "Bootstrap script", + "toolTip": "An optional script to run on the initial boot", + "constraints": { + "required": false, + "accept": ".sh,text/plain" + }, + "options": { + "multiple": false, + "uploadMode": "file", + "openMode": "text", + "encoding": "UTF-8" + } + }, + { + "name": "allowUploadDownload", + "type": "Microsoft.Common.OptionsGroup", + "label": "Allow download from/upload to Check Point", + "defaultValue": "Yes", + "toolTip": "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "true" + }, + { + "label": "No", + "value": "false" + } + ] + } + }, + { + "name": "additionalDiskSizeGB", + "type": "Microsoft.Common.TextBox", + "label": "Additional disk space (GB)", + "defaultValue": "0", + "toolTip": "Additional disk space (in GB), Initial disk size is 100 GB.", + "constraints": { + "regex": "^([0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-2][0-9][0-9][0-9]|3[0-8][0-9][0-9]|399[0-5])$", + "validationMessage": "Select a number between 0 and 3995" + } + }, + { + "name": "VMDiskType", + "type": "Microsoft.Common.OptionsGroup", + "label": "VM disk type", + "toolTip": "Type of CloudGuard disk.", + "visible": "[or(contains(steps('chkp').R8010vmSizeUiBYOL, 'DS'), contains(steps('chkp').R8010vmSizeUiNGTP, 'DS'), contains(steps('chkp').R8010vmSizeUiNGTX, 'DS'), contains(steps('chkp').R8020vmSizeUiBYOL, 'DS'), contains(steps('chkp').R8020vmSizeUiNGTP, 'DS'), contains(steps('chkp').R8020vmSizeUiNGTX, 'DS'), contains(steps('chkp').R8030vmSizeUiBYOL, 'DS'), contains(steps('chkp').R8030vmSizeUiNGTP, 'DS'), contains(steps('chkp').R8030vmSizeUiNGTX, 'DS'))]", + "defaultValue": "Standard", + "constraints": { + "allowedValues": [ + { + "label": "Standard", + "value": "Standard_LRS" + }, + { + "label": "Premium", + "value": "Premium_LRS" + } + ] + } + }, + { + "name": "useCustomImageUri", + "type": "Microsoft.Common.OptionsGroup", + "label": "Use development image uri", + "defaultValue": "No", + "toolTip": "", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ], + "required": true + }, + "visible": false + }, + { + "name": "sourceImageVhdUri", + "type": "Microsoft.Common.TextBox", + "label": "Development Image URI", + "toolTip": "The URI of the blob containing the development image", + "constraints": { + "required": "[equals(steps('chkp').useCustomImageUri, 
'Yes')]",
+ "regex": "^[a-z0-9A-Z_\\-\\.\\:\\/]{1,500}.vhd$",
+ "validationMessage": "Only alphanumeric characters and '_','-','.',':','/' are allowed, the value must be 1-500 characters long and must end with .vhd. "
+ },
+ "visible": "[equals(steps('chkp').useCustomImageUri, 'Yes')]"
+ }
+ ]
+ },
+ {
+ "name": "network",
+ "label": "Network settings",
+ "subLabel": {
+ "preValidation": "Configure network settings",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Network settings",
+ "elements": [
+ {
+ "name": "virtualNetwork",
+ "type": "Microsoft.Network.VirtualNetworkCombo",
+ "label": {
+ "virtualNetwork": "Virtual network",
+ "subnets": "Subnets"
+ },
+ "toolTip": {
+ "virtualNetwork": "Virtual Network Name",
+ "subnets": "List of subnets to deploy into"
+ },
+ "defaultValue": {
+ "name": "vnet01",
+ "addressPrefixSize": "/16"
+ },
+ "constraints": {
+ "minAddressPrefixSize": "/28"
+ },
+ "options": {
+ "hideExisting": false
+ },
+ "subnets": {
+ "subnet1": {
+ "label": "Frontend subnet",
+ "defaultValue": {
+ "name": "Frontend",
+ "addressPrefixSize": "/24"
+ },
+ "constraints": {
+ "minAddressPrefixSize": "/29",
+ "minAddressCount": 2,
+ "requireContiguousAddresses": true
+ }
+ },
+ "subnet2": {
+ "label": "Backend subnet",
+ "defaultValue": {
+ "name": "Backend",
+ "addressPrefixSize": "/24"
+ },
+ "constraints": {
+ "minAddressPrefixSize": "/29",
+ "minAddressCount": 2,
+ "requireContiguousAddresses": true
+ }
+ }
+ }
+ }
+ ]
+ }
+ ],
+ "outputs": {
+ "location": "[location()]",
+ "cloudGuardVersion": "[concat(steps('chkp').cloudGuardVersion, ' - ', coalesce(steps('chkp').R80Offer, 'Bring Your Own License'))]",
+ "adminPassword": "[basics('auth').password]",
+ "authenticationType": "[basics('auth').authenticationType]",
+ "sshPublicKey": "[basics('auth').sshPublicKey]",
+ "vmName": "[basics('clusterObjectNameUi')]",
+ "vmSize": "[coalesce(steps('chkp').R8010vmSizeUiBYOL, steps('chkp').R8010vmSizeUiNGTP, steps('chkp').R8010vmSizeUiNGTX,
steps('chkp').R8020vmSizeUiBYOL, steps('chkp').R8020vmSizeUiNGTP, steps('chkp').R8020vmSizeUiNGTX, steps('chkp').R8030vmSizeUiBYOL, steps('chkp').R8030vmSizeUiNGTP, steps('chkp').R8030vmSizeUiNGTX)]",
+ "sicKey": "[steps('chkp').sicKeyUi]",
+ "virtualNetworkName": "[steps('network').virtualNetwork.name]",
+ "virtualNetworkAddressPrefixes": "[steps('network').virtualNetwork.addressPrefixes]",
+ "subnet1Name": "[steps('network').virtualNetwork.subnets.subnet1.name]",
+ "subnet1Prefix": "[steps('network').virtualNetwork.subnets.subnet1.addressPrefix]",
+ "subnet1StartAddress": "[steps('network').virtualNetwork.subnets.subnet1.startAddress]",
+ "subnet2Name": "[steps('network').virtualNetwork.subnets.subnet2.name]",
+ "subnet2Prefix": "[steps('network').virtualNetwork.subnets.subnet2.addressPrefix]",
+ "subnet2StartAddress": "[steps('network').virtualNetwork.subnets.subnet2.startAddress]",
+ "vnetNewOrExisting": "[steps('network').virtualNetwork.newOrExisting]",
+ "virtualNetworkExistingRGName": "[steps('network').virtualNetwork.resourceGroup]",
+ "bootstrapScript": "[steps('chkp').bootstrapScript]",
+ "allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp').allowUploadDownload, 'true')]",
+ "additionalDiskSizeGB": "[int(steps('chkp').additionalDiskSizeGB)]",
+ "diskType": "[coalesce(steps('chkp').VMDiskType, 'Standard_LRS')]",
+ "managedSystemAssigned": "[steps('chkp').managedSystemAssigned]",
+ "sourceImageVhdUri": "[coalesce(steps('chkp').sourceImageVhdUri, 'noCustomUri')]",
+ "availabilityOptions": "[steps('chkp').availabilityOptions]"
+ }
+ }
+}
\ No newline at end of file
diff --git a/deprecated/azure/templates/R8010-R8020/ha-r8010-r8020/mainTemplate.json b/deprecated/azure/templates/R8010-R8020/ha-r8010-r8020/mainTemplate.json
new file mode 100644
index 00000000..7ec20a9e
--- /dev/null
+++ b/deprecated/azure/templates/R8010-R8020/ha-r8010-r8020/mainTemplate.json
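Review bot: The `sourceImageVhdUri` constraint `"regex": "^[a-z0-9A-Z_\\-\\.\\:\\/]{1,500}.vhd$"` does not enforce the `.vhd` suffix its validation message promises, because the final dot is unescaped and matches any character, so a value ending in e.g. `xvhd` is accepted; it should read `"regex": "^[a-z0-9A-Z_\\-\\.\\:\\/]{1,500}\\.vhd$"`. The element is only reachable when `useCustomImageUri` is `Yes`, and that toggle is `"visible": false` with default `No`, so the gap is latent today, but this regex is the only validation the portal applies before the value is emitted as the `sourceImageVhdUri` output, so it becomes real the moment the development-image path is re-enabled. Separately, the three `R8030vmSizeUi*` selectors and the `R80.30` terms in `VMDiskType`'s visibility and the `vmSize` coalesce are unreachable, since `cloudGuardVersion` offers only R80.10 and R80.20 (as does `mainTemplate.json`'s `allowedValues` below), and read as leftover code. `sicKeyUi` also sets `"visible": "true"` as a string where every other element uses the boolean `true`; presumably harmless, but worth normalizing.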
@@ -0,0 +1,960 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string", + "metadata": { + "description": "Deployment location" + }, + "defaultValue": "[resourceGroup().location]" + }, + "cloudGuardVersion": { + "type": "string", + "allowedValues": [ + "R80.10 - Bring Your Own License", + "R80.10 - Pay As You Go (NGTP)", + "R80.10 - Pay As You Go (NGTX)", + "R80.20 - Bring Your Own License", + "R80.20 - Pay As You Go (NGTP)", + "R80.20 - Pay As You Go (NGTX)" + ], + "defaultValue": "R80.20 - Bring Your Own License", + "metadata": { + "description": "Check Point CloudGuard version" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Administrator password" + }, + "defaultValue": "" + }, + "authenticationType": { + "type": "string", + "allowedValues": [ + "password", + "sshPublicKey" + ], + "defaultValue": "password", + "metadata": { + "description": "Authentication type" + } + }, + "sshPublicKey": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Administrator SSH public key" + } + }, + "vmName": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "Name of the Check Point Cluster object" + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_D3_v2", + "metadata": { + "description": "Size of the VM" + } + }, + "sicKey": { + "type": "securestring", + "metadata": { + "description": "One time key for Secure Internal Communication" + } + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "[concat(resourceGroup().name, '-vnet')]" + }, + "virtualNetworkAddressPrefixes": { + "type": "array", + "metadata": { + "description": "The address prefixes of the virtual network" + }, + "defaultValue": [ + "10.0.0.0/16" + ] + }, + "subnet1Name": { 
+ "type": "string", + "metadata": { + "description": "The name of the frontend subnet" + }, + "defaultValue": "Frontend" + }, + "subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the frontend subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "subnet1StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the 1st subnet" + }, + "defaultValue": "10.0.1.10" + }, + "subnet2Name": { + "type": "string", + "metadata": { + "description": "The name of the backend subnet" + }, + "defaultValue": "Backend" + }, + "subnet2Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the backend subnet" + }, + "defaultValue": "10.0.2.0/24" + }, + "subnet2StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the 2nd subnet" + }, + "defaultValue": "10.0.2.10" + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "new", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "" + }, + "bootstrapScript": { + "type": "string", + "metadata": { + "description": "Bootstrap script" + }, + "defaultValue": "" + }, + "allowDownloadFromUploadToCheckPoint": { + "type": "string", + "allowedValues": [ + "true", + "false" + ], + "defaultValue": "true", + "metadata": { + "description": "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point" + } + }, + "additionalDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "metadata": { + "description": "Amount of additional disk space (in GB)" + }, + "minValue": 0, + "maxValue": 3995 + }, + "diskType": { + "type": "string", + "defaultValue": "Standard_LRS", + "metadata": { + "description": "The type of the OS disk. Premium is applicable only to DS machine sizes" + }, + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ] + }, + "preview": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Deploy the staged image" + }, + "allowedValues": [ + "", + "-preview" + ] + }, + "role": { + "type": "string", + "defaultValue": "Contributor", + "metadata": { + "description": "Role" + } + }, + "managedSystemAssigned": { + "type": "string", + "allowedValues": [ + "yes", + "no" + ], + "defaultValue": "yes", + "metadata": { + "description": "Automatically create a Service Principal for this deployment." + } + }, + "sourceImageVhdUri": { + "type": "string", + "defaultValue": "noCustomUri", + "metadata": { + "description": "The URI of the blob containing the development image" + } + }, + "availabilityOptions": { + "type": "string", + "allowedValues": [ + "Availability Set", + "Availability Zones" + ], + "defaultValue": "Availability Set", + "metadata": { + "description": "Use replicated Cluster VMs in Availability Set or Availability Zones" + } + }, + "_artifactsLocation": { + "type": "string", + "metadata": { + "description": "The base URI where artifacts required by this template are located including a trailing '/'" + }, + "defaultValue": "[deployment().properties.templateLink.uri]" + }, + "_artifactsLocationSasToken": { + "type": "securestring", + "metadata": { + "description": "The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. 
Use the defaultValue if the staging location is not secured." + }, + "defaultValue": "" + }, + "Check_PointTags": { + "type": "object", + "defaultValue": { + "provider": "30DE18BC-F9F6-4F22-9D30-54B8E74CFD5F" + } + } + }, + "variables": { + "templateName": "ha", + "templateVersion": "20191114", + "location": "[parameters('location')]", + "elbPublicIPName": "frontend-lb-address", + "haPublicIPName": "[parameters('vmName')]", + "offers": { + "R80.10 - Bring Your Own License": "BYOL", + "R80.10 - Pay As You Go (NGTP)": "NGTP-V2", + "R80.10 - Pay As You Go (NGTX)": "NGTX", + "R80.20 - Bring Your Own License": "BYOL", + "R80.20 - Pay As You Go (NGTP)": "NGTP", + "R80.20 - Pay As You Go (NGTX)": "NGTX", + "R80.30 - Bring Your Own License": "BYOL", + "R80.30 - Pay As You Go (NGTP)": "NGTP", + "R80.30 - Pay As You Go (NGTX)": "NGTX" + }, + "offer": "[variables('offers')[parameters('cloudGuardVersion')]]", + "osVersions": { + "R80.10 - Bring Your Own License": "R8010", + "R80.10 - Pay As You Go (NGTP)": "R8010", + "R80.10 - Pay As You Go (NGTX)": "R8010", + "R80.20 - Bring Your Own License": "R8020", + "R80.20 - Pay As You Go (NGTP)": "R8020", + "R80.20 - Pay As You Go (NGTX)": "R8020", + "R80.30 - Bring Your Own License": "R8030", + "R80.30 - Pay As You Go (NGTP)": "R8030", + "R80.30 - Pay As You Go (NGTX)": "R8030" + }, + "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", + "isBlink": true, + "computeApiVersion": "2017-12-01", + "storageApiVersion": "2017-10-01", + "networkApiVersion": "2018-01-01", + "authorizationApiVersion": "2017-05-01", + "deploymentsApiVersion": "2017-08-01", + "storageAccountName": "[concat('bootdiag', uniqueString(resourceGroup().id, deployment().name))]", + "storageAccountType": "Standard_LRS", + "diskSizeGBR8010": 100, + "diskSizeGBR8020": 100, + "diskSizeGBR8030": 100, + "diskSizeGB": "[add(parameters('additionalDiskSizeGB'), variables(concat('diskSizeGB', variables('osVersion'))))]", + "customData": 
"[concat('#!/usr/bin/python /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'managementGUIClientNetwork=\"', variables('managementGUIClientNetwork'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'tenantId=\"', subscription().tenantId, '\"', '\n', 'virtualNetwork=\"', parameters('virtualNetworkName'), '\"', '\n', 'clusterName=\"', parameters('vmName'), '\"', '\n', 'externalPrivateAddresses=\"', variables('externalPrivateAddresses')[2], '\"', '\n')]", + "imageOfferR8010": "check-point-vsec-r80-blink-v2", + "imageOfferR8020": "check-point-cg-r8020-blink-v2", + "imageOfferR8030": "check-point-cg-r8030", + "imageOffer": "[concat(variables(concat('imageOffer', variables('osVersion'))), parameters('preview'))]", + "imagePublisher": "checkpoint", + "imageReferenceBYOL": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-byol", + "version": "latest" + }, + "imageReferenceNGTP": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp", + "version": "latest" + }, + "imageReferenceNGTP-V2": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp-v2", + "version": "latest" + }, + "imageReferenceNGTX": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtx", + "version": "latest" + }, + "imageReferenceMarketplace": "[variables(concat('imageReference', 
variables('offer')))]", + "customImage": "customImage", + "imageReferenceCustomUri": { + "id": "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + }, + "imageReference": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('imageReferenceMarketplace'), variables('imageReferenceCustomUri'))]", + "nic1Name": "eth0", + "nic2Name": "eth1", + "elbName": "frontend-lb", + "elbId": "[resourceId('Microsoft.Network/loadBalancers', variables('elbName'))]", + "elbBEAddressPool": "[concat(variables('elbName'), '-pool')]", + "elbBEAddressPoolID": "[concat(variables('elbId'),'/backendAddressPools/',variables('elbBEAddressPool'))]", + "ilbName": "backend-lb", + "ilbId": "[resourceId('Microsoft.Network/loadBalancers', variables('ilbName'))]", + "ilbBEAddressPool": "[concat(variables('ilbName'), '-pool')]", + "ilbBEAddressPoolID": "[concat(variables('ilbID'), '/backendAddressPools/', variables('ilbBEAddressPool'))]", + "ilbFEIPConfigID": "[concat(variables('ilbID'), '/frontendIPConfigurations/', variables('ilbName'))]", + "ilbProbeName": "[variables('ilbName')]", + "ilbProbeID": "[concat(variables('ilbID'), '/probes/', variables('ilbProbeName'))]", + "appProbeName": "health_prob_port", + "appProbeID": "[concat(variables('elbId'),'/probes/',variables('appProbeName'))]", + "linuxConfigurationpassword": {}, + "linuxConfigurationsshPublicKey": { + "disablePasswordAuthentication": "true", + "ssh": { + "publicKeys": [ + { + "keyData": "[parameters('sshPublicKey')]", + "path": "/home/notused/.ssh/authorized_keys" + } + ] + } + }, + "linuxConfiguration": "[variables(concat('linuxConfiguration', parameters('authenticationType')))]", + "planBYOL": { + "name": "sg-byol", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP": { + "name": "sg-ngtp", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP-V2": { + "name": "sg-ngtp-v2", + "product": 
"[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTX": { + "name": "sg-ngtx", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "plan": "[variables(concat('plan', variables('offer')))]", + "externalPrivateAddresses": [ + "[parameters('Subnet1StartAddress')]", + "[concat(split(parameters('subnet1StartAddress'), '.')[0],'.', split(parameters('subnet1StartAddress'), '.')[1],'.', split(parameters('subnet1StartAddress'), '.')[2],'.', string(add(int(split(parameters('subnet1StartAddress'), '.')[3]),1)))]", + "[concat(split(parameters('subnet1StartAddress'), '.')[0],'.', split(parameters('subnet1StartAddress'), '.')[1],'.', split(parameters('subnet1StartAddress'), '.')[2],'.', string(add(int(split(parameters('subnet1StartAddress'), '.')[3]),2)))]" + ], + "roleDefinitionId": "[if(equals(parameters('role'), 'Contributor'), concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c'), parameters('role'))]", + "identity": "[json('{\"type\": \"SystemAssigned\"}')]", + "azureCloud": "[not(or(startsWith(variables('location'), 'us'), startsWith(variables('location'), 'china'), startsWith(variables('location'), 'germany')))]", + "managedSystemAssigned": "[if(not(variables('azureCloud')), 'no', parameters('managedSystemAssigned'))]", + "subnet2PrivateAddresses": [ + "[concat(split(parameters('subnet2StartAddress'), '.')[0],'.', split(parameters('subnet2StartAddress'), '.')[1],'.', split(parameters('subnet2StartAddress'), '.')[2],'.', string(add(int(split(parameters('subnet2StartAddress'), '.')[3]),1)))]", + "[concat(split(parameters('subnet2StartAddress'), '.')[0],'.', split(parameters('subnet2StartAddress'), '.')[1],'.', split(parameters('subnet2StartAddress'), '.')[2],'.', string(add(int(split(parameters('subnet2StartAddress'), '.')[3]),2)))]" + ], + "nsgName": "[concat(parameters('vmName'), '-nsg')]", + 
"elbPublicIPId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('elbPublicIPName'))]", + "haPublicIPId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('haPublicIPName'))]", + "gwPublicIPIds": [ + "[resourceId('Microsoft.Network/publicIPAddresses', concat(parameters('vmName'), '1'))]", + "[resourceId('Microsoft.Network/publicIPAddresses', concat(parameters('vmName'), '2'))]" + ], + "availabilitySetName": "[concat(parameters('vmName'), '-AvailabilitySet')]", + "count": 2, + "frontEndIPConfMember1Id": "[concat(variables('elbId'), '/frontendIPConfigurations/LoadBalancerFrontEnd1')]", + "frontEndIPConfMember2Id": "[concat(variables('elbId'), '/frontendIPConfigurations/LoadBalancerFrontEnd2')]", + "member1IPConfigId": "[concat(variables('elbId'), '/frontendIPConfigurations/LoadBalancerFrontEnd1')]", + "member2IPConfigId": "[concat(variables('elbId'), '/frontendIPConfigurations/LoadBalancerFrontEnd2')]", + "bootstrapScript64": "[base64(parameters('bootstrapScript'))]", + "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]", + "networkSetupURL": "[uri(parameters('_artifactsLocation'), concat('nestedtemplates/vnet-2-subnet-ha2-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]", + "sicKey": "[parameters('sicKey')]", + "managementGUIClientNetwork": "", + "installationType": "cluster", + "internalLBPrivateIPAddress": "[parameters('Subnet2StartAddress')]", + "availabilityZonesLocations": [ + "centralus", + "eastus2", + "francecentral", + "northeurope", + "southeastasia", + "westeurope", + "westus2", + "eastus", + "uksouth" + ], + "availabilitySetProperty": { + "id": "[concat(resourceGroup().id, '/providers/Microsoft.Compute/availabilitySets/', variables('availabilitySetName'))]" + }, + "useAZ": "[and(contains(variables('availabilityZonesLocations'), variables('location')), equals(parameters('availabilityOptions'), 'Availability Zones'))]" + }, + "resources": [ + { + "apiVersion": 
"2018-02-01", + "name": "pid-7fbd7ca2-a62c-5cb5-9b28-3900ca6dba8d", + "type": "Microsoft.Resources/deployments", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('storageAccountName')]", + "apiVersion": "[variables('storageApiVersion')]", + "location": "[variables('location')]", + "sku": { + "name": "[variables('storageAccountType')]" + }, + "kind": "Storage", + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "name": "networkSetup", + "type": "Microsoft.Resources/deployments", + "apiVersion": "[variables('deploymentsApiVersion')]", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + "value": "[variables('location')]" + }, + "apiVersion": { + "value": "[variables('networkApiVersion')]" + }, + "nsgName": { + "value": "[variables('nsgName')]" + }, + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + "virtualNetworkAddressPrefixes": { + "value": "[parameters('virtualNetworkAddressPrefixes')]" + }, + "subnet1Name": { + "value": "[parameters('subnet1Name')]" + }, + "subnet1Prefix": { + "value": "[parameters('subnet1Prefix')]" + }, + "subnet2Name": { + "value": "[parameters('subnet2Name')]" + }, + "subnet2Prefix": { + "value": "[parameters('subnet2Prefix')]" + }, + "vnetNewOrExisting": { + "value": "[parameters('vnetNewOrExisting')]" + }, + "virtualNetworkExistingRGName": { + "value": "[parameters('virtualNetworkExistingRGName')]" + } + } + } + }, + { + "type": "Microsoft.Compute/availabilitySets", + "condition": "[not(variables('useAZ'))]", + "apiVersion": "[variables('computeApiVersion')]", + "location": "[variables('location')]", + "name": 
"[concat(variables('availabilitySetName'))]", + "properties": { + "platformFaultDomainCount": 2 + }, + "sku": { + "name": "Aligned" + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "[variables('networkApiVersion')]", + "location": "[variables('location')]", + "name": "[variables('elbPublicIPName')]", + "sku": { + "name": "Standard" + }, + "properties": { + "idleTimeoutInMinutes": 30, + "publicIPAllocationMethod": "Static", + "dnsSettings": { + "domainNameLabel": "[concat(toLower(parameters('vmName')), '-', uniquestring(resourceGroup().id, deployment().name))]" + } + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "[variables('networkApiVersion')]", + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), copyIndex(1))]", + "sku": { + "name": "Standard" + }, + "copy": { + "name": "publicAddressCopy", + "count": "[variables('count')]" + }, + "properties": { + "idleTimeoutInMinutes": 30, + "publicIPAllocationMethod": "Static", + "dnsSettings": { + "domainNameLabel": "[concat(toLower(parameters('vmName')), '-', copyIndex(1), '-', uniquestring(resourceGroup().id, deployment().name))]" + } + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "[variables('networkApiVersion')]", + "location": "[variables('location')]", + "name": "[parameters('vmName')]", + "sku": { + "name": "Standard" + }, + "properties": { + "idleTimeoutInMinutes": 30, + "publicIPAllocationMethod": "Static", + "dnsSettings": { + "domainNameLabel": "[concat(toLower(parameters('vmName')), '-vip-', uniquestring(resourceGroup().id, deployment().name))]" + } + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + 
"type": "Microsoft.Network/networkInterfaces", + "apiVersion": "[variables('networkApiVersion')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 'networkSetup')]", + "[variables('elbId')]", + "[variables('gwPublicIPIds')[0]]", + "[variables('haPublicIPId')]" + ], + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), '1-', variables('nic1Name'))]", + "properties": { + "primary": true, + "enableIPForwarding": true, + "enableAcceleratedNetworking": "[not(equals(variables('osVersion'), 'R8010'))]", + "ipConfigurations": [ + { + "name": "member-ip", + "properties": { + "primary": true, + "privateIPAddress": "[variables('externalPrivateAddresses')[0]]", + "privateIPAllocationMethod": "Static", + "PublicIpAddress": { + "Id": "[variables('gwPublicIPIds')[0]]" + }, + "subnet": { + "id": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('subnet1Name'))]" + }, + "loadBalancerBackendAddressPools": [ + { + "id": "[variables('elbBEAddressPoolID')]" + } + ] + } + }, + { + "name": "cluster-vip", + "properties": { + "primary": false, + "privateIPAddress": "[variables('externalPrivateAddresses')[2]]", + "privateIPAllocationMethod": "Static", + "PublicIpAddress": { + "Id": "[variables('haPublicIPId')]" + }, + "subnet": { + "id": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('subnet1Name'))]" + } + } + } + ] + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "[variables('networkApiVersion')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 'networkSetup')]", + "[variables('elbId')]", + "[variables('gwPublicIPIds')[1]]" + ], + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), '2-', variables('nic1Name'))]", + "properties": { + "primary": true, + "enableIPForwarding": true, + "enableAcceleratedNetworking": 
"[not(equals(variables('osVersion'), 'R8010'))]", + "ipConfigurations": [ + { + "name": "member-ip", + "properties": { + "primary": true, + "privateIPAddress": "[variables('externalPrivateAddresses')[1]]", + "privateIPAllocationMethod": "Static", + "PublicIpAddress": { + "Id": "[variables('gwPublicIPIds')[1]]" + }, + "subnet": { + "id": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('subnet1Name'))]" + }, + "loadBalancerBackendAddressPools": [ + { + "id": "[variables('elbBEAddressPoolID')]" + } + ] + } + } + ] + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "[variables('networkApiVersion')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 'networkSetup')]", + "[variables('ilbId')]" + ], + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), copyIndex(1), '-', variables('nic2Name'))]", + "copy": { + "name": "internalNicCopy", + "count": "[variables('count')]" + }, + "properties": { + "primary": false, + "enableIPForwarding": true, + "enableAcceleratedNetworking": "[not(equals(variables('osVersion'), 'R8010'))]", + "ipConfigurations": [ + { + "name": "member-ip", + "properties": { + "primary": true, + "privateIPAddress": "[variables('subnet2PrivateAddresses')[copyIndex()]]", + "privateIPAllocationMethod": "Static", + "subnet": { + "id": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('subnet2Name'))]" + }, + "loadBalancerBackendAddressPools": [ + { + "id": "[variables('ilbBEAddressPoolID')]" + } + ] + } + } + ] + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "condition": "[not(equals(parameters('sourceImageVhdUri'), 'noCustomUri'))]", + "type": "Microsoft.Compute/images", + "apiVersion": "2017-12-01", + "name": "[variables('customImage')]", + "location": "[variables('location')]", + 
"properties": { + "storageProfile": { + "osDisk": { + "osType": "Linux", + "osState": "Generalized", + "blobUri": "[parameters('sourceImageVhdUri')]", + "storageAccountType": "Standard_LRS" + } + } + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "[variables('computeApiVersion')]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]", + "[resourceId('Microsoft.Compute/availabilitySets', variables('availabilitySetName'))]", + "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), copyIndex(1), '-', variables('nic1Name')))]", + "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), copyIndex(1), '-', variables('nic2Name')))]", + "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + ], + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), copyIndex(1))]", + "zones": "[if(variables('useAZ'), array(copyIndex(1)), json('null'))]", + "copy": { + "name": "virtualMachineCopy", + "count": "[variables('count')]" + }, + "plan": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('plan'), json('null'))]", + "identity": "[if(equals(variables('managedSystemAssigned'), 'yes'), variables('identity'), json('null'))]", + "properties": { + "availabilitySet": "[if(not(variables('useAZ')), variables('availabilitySetProperty'), json('null'))]", + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": "true", + "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), variables('storageApiVersion')).primaryEndpoints.blob]" + } + }, + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), copyIndex(1), '-', 
variables('nic1Name')))]", + "properties": { + "primary": true + } + }, + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), copyIndex(1), '-', variables('nic2Name')))]", + "properties": { + "primary": false + } + } + ] + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "notused", + "computername": "[concat(toLower(parameters('vmName')), copyIndex(1))]", + "customData": "[base64(variables('customData'))]", + "linuxConfiguration": "[variables('linuxConfiguration')]" + }, + "storageProfile": { + "imageReference": "[variables('imageReference')]", + "osDisk": { + "caching": "ReadWrite", + "createOption": "FromImage", + "diskSizeGB": "[variables('diskSizeGB')]", + "name": "[concat(parameters('vmName'), copyIndex(1))]", + "managedDisk": { + "storageAccountType": "[parameters('diskType')]" + } + } + } + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Network/loadBalancers", + "apiVersion": "[variables('networkApiVersion')]", + "dependsOn": [ + "[variables('elbPublicIPId')]" + ], + "name": "[variables('elbName')]", + "location": "[variables('location')]", + "sku": { + "name": "Standard" + }, + "properties": { + "frontendIPConfigurations": [ + { + "name": "LoadBalancerFrontend", + "properties": { + "publicIPAddress": { + "id": "[variables('elbPublicIPId')]" + } + } + } + ], + "backendAddressPools": [ + { + "name": "[variables('elbBEAddressPool')]" + } + ], + "probes": [ + { + "name": "[variables('appProbeName')]", + "properties": { + "protocol": "tcp", + "port": 8117, + "intervalInSeconds": 5, + "numberOfProbes": 2 + } + } + ] + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "condition": "[equals(variables('managedSystemAssigned'), 'yes')]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "[variables('authorizationApiVersion')]", + "name": 
"[guid(resourceGroup().id, concat(parameters('vmName'), copyIndex(1)))]", + "copy": { + "name": "virtualMachineCopy", + "count": "[variables('count')]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), copyIndex(1)))]" + ], + "properties": { + "roleDefinitionId": "[variables('roleDefinitionId')]", + "scope": "[resourceGroup().id]", + "principalId": "[reference(concat('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), copyIndex(1))), variables('computeApiVersion'), 'Full').identity.principalId]" + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Network/loadBalancers", + "apiVersion": "[variables('networkApiVersion')]", + "name": "[variables('ilbName')]", + "location": "[variables('location')]", + "sku": { + "name": "Standard" + }, + "properties": { + "frontendIPConfigurations": [ + { + "name": "[variables('ilbName')]", + "properties": { + "privateIPAllocationMethod": "Static", + "privateIPAddress": "[variables('internalLBPrivateIPAddress')]", + "subnet": { + "id": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('subnet2Name'))]" + } + } + } + ], + "backendAddressPools": [ + { + "name": "[variables('ilbBEAddressPool')]" + } + ], + "loadBalancingRules": [ + { + "name": "[variables('ilbName')]", + "properties": { + "frontendIPConfiguration": { + "id": "[variables('ilbFEIPConfigID')]" + }, + "backendAddressPool": { + "id": "[variables('ilbBEAddressPoolID')]" + }, + "probe": { + "id": "[variables('ilbProbeID')]" + }, + "protocol": "All", + "frontendPort": 0, + "backendPort": 0, + "loadDistribution": "Default", + "enableFloatingIP": false + } + } + ], + "probes": [ + { + "name": "[variables('ilbProbeName')]", + "properties": { + "protocol": "tcp", + "port": 8117, + "intervalInSeconds": 5, + "numberOfProbes": 2 + } + } + ] + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + 
} + } + ], + "outputs": { + "HaIPAddr": { + "type": "string", + "value": "[reference(variables('haPublicIPId')).IpAddress]" + }, + "HaFQDN": { + "type": "string", + "value": "[reference(variables('haPublicIPId')).dnsSettings.fqdn]" + }, + "Member1IPAddr": { + "type": "string", + "value": "[reference(variables('gwPublicIPIds')[0]).IpAddress]" + }, + "Member1FQDN": { + "type": "string", + "value": "[reference(variables('gwPublicIPIds')[0]).dnsSettings.fqdn]" + }, + "Member2IPAddr": { + "type": "string", + "value": "[reference(variables('gwPublicIPIds')[1]).IpAddress]" + }, + "Member2FQDN": { + "type": "string", + "value": "[reference(variables('gwPublicIPIds')[1]).dnsSettings.fqdn]" + } + } +} \ No newline at end of file diff --git a/deprecated/azure/templates/R8010-R8020/ha-r8010-r8020/nestedtemplates/vnet-2-subnet-ha2-existing.json b/deprecated/azure/templates/R8010-R8020/ha-r8010-r8020/nestedtemplates/vnet-2-subnet-ha2-existing.json new file mode 100644 index 00000000..c06ec0ba --- /dev/null +++ b/deprecated/azure/templates/R8010-R8020/ha-r8010-r8020/nestedtemplates/vnet-2-subnet-ha2-existing.json 
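Review bot: The `Microsoft.Authorization/roleAssignments` resource grants the `role` parameter at `resourceGroup().id` scope to both members' system-assigned identities, and `role` is a free-form string whose metadata description is just "Role"; anything other than the literal `Contributor` is passed straight through as `roleDefinitionId` with no `allowedValues` or format check. Its description should at least state what the non-default form is, e.g. `"description": "Role assigned to the cluster members' managed identity at resource-group scope: 'Contributor' (default) or the full resource id of a custom role definition"`, so operators who want a narrower custom role know what to supply. In `customData` the `location=` line is emitted twice, and `frontEndIPConfMember1Id`/`member1IPConfigId` (plus the `2` variants) point at `LoadBalancerFrontEnd1`/`2` frontends that the `frontend-lb` resource never defines (it only declares `LoadBalancerFrontend`), so those four variables appear to be dead. The `vnetNewOrExisting` metadata key is spelled `Description` where every other parameter uses `description`.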
@@ -0,0 +1,93 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "virtualNetworkName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the virtual network"
+ },
+ "defaultValue": "vnet"
+ },
+ "virtualNetworkAddressPrefixes": {
+ "type": "array",
+ "metadata": {
+ "description": "The address prefixes of the virtual network"
+ }
+ },
+ "Subnet1Name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the 1st subnet"
+ },
+ "defaultValue": "Frontend"
+ },
+ "Subnet1Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the 1st subnet"
+ },
+ "defaultValue": "10.0.1.0/24"
+ },
+ "Subnet2Name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the 2nd subnet"
+ },
+ "defaultValue": "Backend"
+ },
+ "Subnet2Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the 2nd subnet"
+ },
+ "defaultValue": "10.0.2.0/24"
+ },
+ "vnetNewOrExisting": {
+ "type": "string",
+ "defaultValue": "new",
+ "allowedValues": [
+ "new",
+ "existing"
+ ],
+ "metadata": {
+ "Description": "Indicates whether the virtual network is new or existing"
+ }
+ },
+ "virtualNetworkExistingRGName": {
+ "type": "string",
+ "metadata": {
+ "description": "Resource Group of the existing virtual network"
+ },
+ "defaultValue": ""
+ },
+ "apiVersion": {
+ "type": "string"
+ },
+ "nsgName": {
+ "type": "string",
+ "metadata": {
+ "description": "Name of the network security group"
+ }
+ },
+ "Check_PointTags": {
+ "type": "object",
+ "defaultValue": {
+ "provider": "30DE18BC-F9F6-4F22-9D30-54B8E74CFD5F"
+ }
+ }
+ },
+ "variables": {
+ "vnetId": "[resourceId(parameters('virtualNetworkExistingRGName'),'Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]"
+ },
+ "resources": [],
+ "outputs": {
+ "vnetId": {
+ "value": "[variables('vnetId')]",
+ "type": "string"
+ }
+ }
+}
diff --git a/deprecated/azure/templates/R8010-R8020/ha-r8010-r8020/nestedtemplates/vnet-2-subnet-ha2-new.json b/deprecated/azure/templates/R8010-R8020/ha-r8010-r8020/nestedtemplates/vnet-2-subnet-ha2-new.json
new file mode 100644
index 00000000..39971172
--- /dev/null
+++ b/deprecated/azure/templates/R8010-R8020/ha-r8010-r8020/nestedtemplates/vnet-2-subnet-ha2-new.json
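Review bot: When `vnetNewOrExisting` is `existing`, this nested template deploys nothing (`"resources": []`) and only echoes the vnet id, so none of the controls the `new` variant of this commit sets up — the network security group named by `nsgName` and the per-subnet route tables — is applied to the existing subnets, yet `nsgName`, `Subnet1Prefix` and `Subnet2Prefix` are still accepted as parameters, which suggests otherwise. The operator should be told this where they will see it, e.g. on `nsgName`: `"description": "Name of the network security group (not created or attached when the virtual network already exists; existing subnets keep their own NSG and route tables)"`. The parent template earlier in this patch reads `reference('networkSetup').outputs.vnetId.value`, so the `vnetId` output is the only contract the parent depends on as far as the visible hunks show.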
@@ -0,0 +1,217 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "vnet" + }, + "virtualNetworkAddressPrefixes": { + "type": "array", + "metadata": { + "description": "The address prefixes of the virtual network" + } + }, + "Subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the 1st subnet" + }, + "defaultValue": "Frontend" + }, + "Subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 1st subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "Subnet2Name": { + "type": "string", + "metadata": { + "description": "The name of the 2nd subnet" + }, + "defaultValue": "Backend" + }, + "Subnet2Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 2nd subnet" + }, + "defaultValue": "10.0.2.0/24" + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "new", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "" + }, + "apiVersion": { + "type": "string" + }, + "nsgName": { + "type": "string", + "metadata": { + "description": "Name of the network security group" + } + }, + "Check_PointTags": { + "type": "object", + "defaultValue": { + "provider": "30DE18BC-F9F6-4F22-9D30-54B8E74CFD5F" + } + } + }, + "variables": { + "copy": [ + { + "name": "toInternalRoutes", + "count": "[length(parameters('virtualNetworkAddressPrefixes'))]", + "input": { + "name": "[concat('To-Internal-',copyIndex('toInternalRoutes'))]", + "properties": { + 
"addressPrefix": "[parameters('virtualNetworkAddressPrefixes')[copyIndex('toInternalRoutes')]]", + "nextHopType": "None" + } + } + } + ], + "localSubnetRoute": [ + { + "name": "Local-Subnet", + "properties": { + "addressPrefix": "[parameters('Subnet1Prefix')]", + "nextHopType": "VnetLocal" + } + } + ], + "routesArray": "[concat(variables('localSubnetRoute'), variables('toInternalRoutes'))]" + }, + "resources": [ + { + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "[parameters('apiVersion')]", + "location": "[parameters('location')]", + "name": "[parameters('nsgName')]", + "properties": { + "securityRules": [ + { + "name": "AllowAllInBound", + "properties": { + "description": "Allow all inbound connections", + "protocol": "*", + "sourcePortRange": "*", + "destinationPortRange": "*", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "100", + "direction": "Inbound" + } + } + ] + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Network/routeTables", + "apiVersion": "[parameters('apiVersion')]", + "location": "[parameters('location')]", + "name": "[parameters('Subnet1Name')]", + "properties": { + "routes": "[variables('routesArray')]" + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Network/routeTables", + "apiVersion": "[parameters('apiVersion')]", + "location": "[parameters('location')]", + "name": "[parameters('Subnet2Name')]", + "properties": { + "routes": [ + { + "name": "To-Internet", + "properties": { + "addressPrefix": "0.0.0.0/0", + "nextHopType": "None" + } + } + ] + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "[parameters('apiVersion')]", + "location": "[parameters('location')]", + "name": "[parameters('virtualNetworkName')]", + "dependsOn": [ + 
"[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsgName'))]", + "[resourceId('Microsoft.Network/routeTables', parameters('Subnet1Name'))]", + "[resourceId('Microsoft.Network/routeTables', parameters('Subnet2Name'))]" + ], + "properties": { + "addressSpace": { + "addressPrefixes": "[parameters('virtualNetworkAddressPrefixes')]" + }, + "subnets": [ + { + "name": "[parameters('Subnet1Name')]", + "properties": { + "networkSecurityGroup": { + "id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsgName'))]" + }, + "addressPrefix": "[parameters('Subnet1Prefix')]", + "routeTable": { + "id": "[resourceId('Microsoft.Network/routeTables', parameters('Subnet1Name'))]" + } + } + }, + { + "name": "[parameters('Subnet2Name')]", + "properties": { + "addressPrefix": "[parameters('Subnet2Prefix')]", + "routeTable": { + "id": "[resourceId('Microsoft.Network/routeTables', parameters('Subnet2Name'))]" + } + } + } + ] + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + } + ], + "outputs": { + "vnetId": { + "value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]", + "type": "string" + } + } +} diff --git a/deprecated/azure/templates/R8010-R8020/mgmt-r8010-r8020/README.MD b/deprecated/azure/templates/R8010-R8020/mgmt-r8010-r8020/README.MD new file mode 100644 index 00000000..e30aa5a0 --- /dev/null +++ b/deprecated/azure/templates/R8010-R8020/mgmt-r8010-r8020/README.MD 
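Review bot: The `AllowAllInBound` rule on the network security group attached to the `Subnet1Name` subnet admits any source to any destination and port (`"sourceAddressPrefix": "*"`, `"destinationAddressPrefix": "*"`, `"destinationPortRange": "*"`), and the `Subnet2Name` subnet gets no NSG at all. Presumably this is deliberate because the cluster members placed in that subnet are expected to enforce the access policy, but nothing in the template records that, so a later reader may treat the rule as an oversight, or tighten it and break the deployment. Record the rationale in the rule itself, e.g. `"description": "Allow all inbound connections - access control is enforced by the Check Point cluster members, not by this NSG"`, and consider whether the rule can be scoped to the address prefixes the gateways actually need to receive from rather than `*`.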
@@ -0,0 +1,13 @@
+# How to deploy this template
+To deploy this ARM template, follow these instructions:
+1. Log in to the [Microsoft Azure Portal](https://portal.azure.com)
+2. Click "*Create a resource*"
+3. Search for "*Template deployment (deploy using custom templates)*" and click "*Create*"
+4. Click "*Build your own template in the editor*"
+5. Load the "*mainTemplate.json*" file from this directory and click "*Save*"
+6. Enter the desired template parameters
+ - Replace the "*_artifacts Location*" property with:
+ ```
+ https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/deprecated/azure/templates/mgmt-r8010-r8020/
+ ```
+7. Click *Purchase* to deploy the solution
diff --git a/deprecated/azure/templates/R8010-R8020/mgmt-r8010-r8020/createUiDefinition.json b/deprecated/azure/templates/R8010-R8020/mgmt-r8010-r8020/createUiDefinition.json
new file mode 100644
index 00000000..8c33f9c2
--- /dev/null
+++ b/deprecated/azure/templates/R8010-R8020/mgmt-r8010-r8020/createUiDefinition.json
@@ -0,0 +1,409 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Compute.MultiVm", + "version": "0.1.2-preview", + "parameters": { + "basics": [ + { + "name": "gatewayNameUi", + "type": "Microsoft.Common.TextBox", + "label": "Server Name", + "toolTip": "The name of the Check Point Security Management Server.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{1,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + } + }, + { + "name": "auth", + "type": "Microsoft.Compute.CredentialsCombo", + "label": { + "authenticationType": "Authentication type", + "password": "Password", + "confirmPassword": "Confirm password", + "sshPublicKey": "SSH public key" + }, + "toolTip": { + "authenticationType": "", + "password": "The user 'admin' password", + "sshPublicKey": "Paste an OpenSSH public key. You can generate a key pair using ssh-keygen (Linux, OS X, Cygwin) or PuttyGen (Windows)" + }, + "constraints": { + "required": true + }, + "options": { + "hideConfirmation": false, + "hidePassword": false + }, + "osPlatform": "Linux" + } + ], + "steps": [ + { + "name": "chkp", + "label": "Check Point Security Management Server settings", + "subLabel": { + "preValidation": "Configure additional settings", + "postValidation": "Done" + }, + "bladeTitle": "Security Management settings", + "elements": [ + { + "name": "cloudGuardVersion", + "type": "Microsoft.Common.DropDown", + "label": "Check Point CloudGuard version", + "defaultValue": "R80.20", + "toolTip": "The version of Check Point CloudGuard.", + "constraints": { + "allowedValues": [ + { + "label": "R80.10", + "value": "R80.10" + }, + { + "label": "R80.20", + "value": "R80.20" + } + ] + } + }, + { + "name": "R80Offer", + "type": "Microsoft.Common.DropDown", + "label": "License type", + "toolTip": "The type of license.", + "defaultValue": "Bring Your Own License", + 
"visible": true, + "constraints": { + "allowedValues": [ + { + "label": "Bring Your Own License", + "value": "Bring Your Own License" + }, + { + "label": "Pay As You Go (MGMT25)", + "value": "Pay As You Go (MGMT25)" + } + ] + } + }, + { + "name": "R8010vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.10'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Management", + "recommendedSizes": [ + "Standard_D3_v2" + ], + "constraints": { + "excludedSizes": [ + "Standard_A1_v2", + "Standard_D1_v2", + "Standard_DS1_v2", + "Standard_F1", + "Standard_F1s", + "Standard_G1", + "Standard_GS1" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-vsec-r80", + "sku": "sg-byol" + }, + "count": 1 + }, + { + "name": "R8010vmSizeUiMGMT25", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.10'), contains(steps('chkp').R80Offer, '(MGMT25)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Management", + "recommendedSizes": [ + "Standard_D3_v2" + ], + "constraints": { + "excludedSizes": [ + "Standard_A1_v2", + "Standard_D1_v2", + "Standard_DS1_v2", + "Standard_F1", + "Standard_F1s", + "Standard_G1", + "Standard_GS1" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-vsec-r80-4qa-preview", + "sku": "mgmt-25" + }, + "count": 1 + }, + { + "name": "R8020vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.20'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Management", + "recommendedSizes": [ + "Standard_D3_v2" + ], + "constraints": { + "excludedSizes": [ + "Standard_A1_v2", + "Standard_D1_v2", 
+ "Standard_DS1_v2", + "Standard_F1", + "Standard_F1s", + "Standard_G1", + "Standard_GS1" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8020-blink-v2", + "sku": "mgmt-byol" + }, + "count": 1 + }, + { + "name": "R8020vmSizeUiMGMT25", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.20'), contains(steps('chkp').R80Offer, '(MGMT25)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Management", + "recommendedSizes": [ + "Standard_D3_v2" + ], + "constraints": { + "excludedSizes": [ + "Standard_A1_v2", + "Standard_D1_v2", + "Standard_DS1_v2", + "Standard_F1", + "Standard_F1s", + "Standard_G1", + "Standard_GS1" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8020-blink-v2", + "sku": "mgmt-25" + }, + "count": 1 + }, + { + "name": "installationType", + "type": "Microsoft.Common.DropDown", + "label": "Installation type", + "defaultValue": "Management", + "toolTip": "Select the type of deployment", + "constraints": { + "allowedValues": [ + { + "label": "Management", + "value": "management" + }, + { + "label": "Configure manually", + "value": "custom" + } + ] + } + }, + { + "name": "managementGUIClientNetwork", + "type": "Microsoft.Common.TextBox", + "label": "Allowed GUI clients", + "toolTip": "GUI clients network CIDR", + "defaultValue": "0.0.0.0/0", + "constraints": { + "required": true, + "regex": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", + "validationMessage": "Enter a valid IPv4 network CIDR" + }, + "visible": "[equals(steps('chkp').installationType, 'management')]" + }, + { + "name": "bootstrapScript", + "type": "Microsoft.Common.FileUpload", + "label": "Bootstrap script", + "toolTip": "An optional script to run on the initial boot", + "constraints": { + 
"required": false, + "accept": ".sh,text/plain" + }, + "options": { + "multiple": false, + "uploadMode": "file", + "openMode": "text", + "encoding": "UTF-8" + } + }, + { + "visible": "[equals(steps('chkp').installationType, 'management')]", + "name": "allowUploadDownload", + "type": "Microsoft.Common.OptionsGroup", + "label": "Allow download from/upload to Check Point", + "defaultValue": "Yes", + "toolTip": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "true" + }, + { + "label": "No", + "value": "false" + } + ] + } + }, + { + "name": "additionalDiskSizeGB", + "type": "Microsoft.Common.TextBox", + "label": "Additional disk space (GB)", + "defaultValue": "0", + "toolTip": "Additional disk space (in GB), Initial disk size is 100 GB.", + "constraints": { + "regex": "^([0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-2][0-9][0-9][0-9]|3[0-8][0-9][0-9]|399[0-5])$", + "validationMessage": "Select a number between 0 and 3995" + } + }, + { + "name": "VMDiskType", + "type": "Microsoft.Common.OptionsGroup", + "label": "VM disk type", + "toolTip": "Type of CloudGuard disk.", + "visible": "[or(contains(steps('chkp').R8010vmSizeUiBYOL, 'DS'), contains(steps('chkp').R8010vmSizeUiMGMT25, 'DS'), contains(steps('chkp').R8020vmSizeUiBYOL, 'DS'), contains(steps('chkp').R8020vmSizeUiMGMT25, 'DS'))]", + "defaultValue": "Standard", + "constraints": { + "allowedValues": [ + { + "label": "Standard", + "value": "Standard_LRS" + }, + { + "label": "Premium", + "value": "Premium_LRS" + } + ] + } + }, + { + "name": "useCustomImageUri", + "type": "Microsoft.Common.OptionsGroup", + "label": "Use development image uri", + "defaultValue": "No", + "toolTip": "", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ], + "required": true + }, + "visible": false + }, + { + "name": 
"sourceImageVhdUri", + "type": "Microsoft.Common.TextBox", + "label": "Development Image URI", + "toolTip": "The URI of the blob containing the development image", + "constraints": { + "required": "[equals(steps('chkp').useCustomImageUri, 'Yes')]", + "regex": "^[a-z0-9A-Z_\\-\\.\\:\\/]{1,500}.vhd$", + "validationMessage": "Only alphanumeric characters and '_','-','.',':','/' are allowed, the value must be 1-500 characters long and must end with .vhd. " + }, + "visible": "[equals(steps('chkp').useCustomImageUri, 'Yes')]" + } + ] + }, + { + "name": "network", + "label": "Network settings", + "subLabel": { + "preValidation": "Configure network settings", + "postValidation": "Done" + }, + "bladeTitle": "Network settings", + "elements": [ + { + "name": "virtualNetwork", + "type": "Microsoft.Network.VirtualNetworkCombo", + "label": { + "virtualNetwork": "Virtual network", + "subnets": "Subnet" + }, + "toolTip": { + "virtualNetwork": "Virtual Network Name", + "subnets": "The subnet to deploy into" + }, + "defaultValue": { + "name": "vnet01", + "addressPrefixSize": "/20" + }, + "constraints": { + "minAddressPrefixSize": "/29" + }, + "options": { + "hideExisting": false + }, + "subnets": { + "subnet1": { + "label": "Management subnet", + "defaultValue": { + "name": "Management", + "addressPrefixSize": "/24" + }, + "constraints": { + "minAddressPrefixSize": "/29", + "minAddressCount": 1, + "requireContiguousAddresses": true + } + } + } + } + ] + } + ], + "outputs": { + "location": "[location()]", + "cloudGuardVersion": "[concat(steps('chkp').cloudGuardVersion, ' - ', coalesce(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "adminPassword": "[basics('auth').password]", + "authenticationType": "[basics('auth').authenticationType]", + "sshPublicKey": "[basics('auth').sshPublicKey]", + "vmName": "[basics('gatewayNameUi')]", + "vmSize": "[coalesce(steps('chkp').R8010vmSizeUiBYOL, steps('chkp').R8010vmSizeUiMGMT25, steps('chkp').R8020vmSizeUiBYOL, 
steps('chkp').R8020vmSizeUiMGMT25)]", + "virtualNetworkName": "[steps('network').virtualNetwork.name]", + "virtualNetworkAddressPrefix": "[steps('network').virtualNetwork.addressPrefix]", + "Subnet1Name": "[steps('network').virtualNetwork.subnets.subnet1.name]", + "Subnet1Prefix": "[steps('network').virtualNetwork.subnets.subnet1.addressPrefix]", + "Subnet1StartAddress": "[steps('network').virtualNetwork.subnets.subnet1.startAddress]", + "vnetNewOrExisting": "[steps('network').virtualNetwork.newOrExisting]", + "virtualNetworkExistingRGName": "[steps('network').virtualNetwork.resourceGroup]", + "managementGUIClientNetwork": "[steps('chkp').managementGUIClientNetwork]", + "installationType": "[steps('chkp').installationType]", + "bootstrapScript": "[steps('chkp').bootstrapScript]", + "allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp').allowUploadDownload, 'true')]", + "additionalDiskSizeGB": "[int(steps('chkp').additionalDiskSizeGB)]", + "diskType": "[coalesce(steps('chkp').VMDiskType, 'Standard_LRS')]", + "sourceImageVhdUri": "[coalesce(steps('chkp').sourceImageVhdUri, 'noCustomUri')]" + } + } +} \ No newline at end of file diff --git a/deprecated/azure/templates/R8010-R8020/mgmt-r8010-r8020/mainTemplate.json b/deprecated/azure/templates/R8010-R8020/mgmt-r8010-r8020/mainTemplate.json new file mode 100644 index 00000000..6e20c8dc --- /dev/null +++ b/deprecated/azure/templates/R8010-R8020/mgmt-r8010-r8020/mainTemplate.json 
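Review bot: `managementGUIClientNetwork` defaults to `0.0.0.0/0` and its toolTip (`GUI clients network CIDR`) does not say what the value gates; in the `mainTemplate.json` hunk of this same commit it becomes the `sourceAddressPrefix` of the SSH, GAiA-portal and SmartConsole inbound rules, so the default opens those management ports to every Internet address. Make that consequence visible where the operator chooses the value, e.g. `"toolTip": "CIDR of the networks allowed to reach SSH, the GAiA portal and SmartConsole (ports 22, 443, 18190, 19009); 0.0.0.0/0 permits all sources"`. The element is also hidden when `installationType` is `custom`, and unlike `allowUploadDownload` and `VMDiskType` its output is not wrapped in `coalesce()`, so the hidden case may pass an empty value to the main template's `managementGUIClientNetwork` parameter instead of its default — worth checking what the portal emits for a hidden TextBox. Separately, the `R8010vmSizeUiMGMT25` size selector validates against offer `check-point-vsec-r80-4qa-preview`, while the main template's `imageOfferR8010` is `check-point-vsec-r80` (plus the optional `-preview` suffix); if that QA offer is not visible to the deploying subscription, size validation for the R80.10 MGMT25 combination may fail.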
@@ -0,0 +1,633 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string", + "metadata": { + "description": "Deployment location" + }, + "defaultValue": "[resourceGroup().location]" + }, + "cloudGuardVersion": { + "type": "string", + "allowedValues": [ + "R80.10 - Bring Your Own License", + "R80.10 - Pay As You Go (MGMT25)", + "R80.20 - Bring Your Own License", + "R80.20 - Pay As You Go (MGMT25)" + ], + "defaultValue": "R80.20 - Bring Your Own License", + "metadata": { + "description": "Version of Check Point vSEC" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Administrator password" + }, + "defaultValue": "" + }, + "authenticationType": { + "type": "string", + "allowedValues": [ + "password", + "sshPublicKey" + ], + "defaultValue": "password", + "metadata": { + "description": "Authentication type" + } + }, + "sshPublicKey": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Administrator SSH public key" + } + }, + "vmName": { + "type": "string", + "metadata": { + "description": "Name of the Check Point Security Gateway" + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_D3_v2", + "metadata": { + "description": "Size of the VM" + } + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "vnet" + }, + "virtualNetworkAddressPrefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the virtual network" + }, + "defaultValue": "10.0.0.0/16" + }, + "Subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the 1st subnet" + }, + "defaultValue": "Frontend" + }, + "Subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 1st subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + 
"Subnet1StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the 1st subnet" + }, + "defaultValue": "10.0.1.10" + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "new", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "" + }, + "managementGUIClientNetwork": { + "type": "string", + "metadata": { + "description": "Allowed GUI clients" + }, + "defaultValue": "0.0.0.0/0" + }, + "installationType": { + "type": "string", + "metadata": { + "description": "Installation Type" + }, + "defaultValue": "management", + "allowedValues": [ + "management", + "custom" + ] + }, + "bootstrapScript": { + "type": "string", + "metadata": { + "description": "Bootstrap script" + }, + "defaultValue": "" + }, + "allowDownloadFromUploadToCheckPoint": { + "type": "string", + "allowedValues": [ + "true", + "false" + ], + "defaultValue": "true", + "metadata": { + "description": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + } + }, + "additionalDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "metadata": { + "description": "Amount of additional disk space (in GB)" + }, + "minValue": 0, + "maxValue": 3995 + }, + "diskType": { + "type": "string", + "defaultValue": "Standard_LRS", + "metadata": { + "description": "The type of the OS disk. 
Premium is applicable only to DS machine sizes" + }, + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ] + }, + "preview": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Deploy the staged image" + }, + "allowedValues": [ + "", + "-preview" + ] + }, + "msi": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Configure managed service identity for the VM" + } + }, + "sourceImageVhdUri": { + "type": "string", + "defaultValue": "noCustomUri", + "metadata": { + "description": "The URI of the blob containing the development image" + } + }, + "_artifactsLocation": { + "type": "string", + "metadata": { + "description": "The base URI where artifacts required by this template are located including a trailing '/'" + }, + "defaultValue": "[deployment().properties.templateLink.uri]" + }, + "_artifactsLocationSasToken": { + "type": "securestring", + "metadata": { + "description": "The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. Use the defaultValue if the staging location is not secured." 
+ }, + "defaultValue": "" + }, + "Check_PointTags": { + "type": "object", + "defaultValue": { + "provider": "30DE18BC-F9F6-4F22-9D30-54B8E74CFD5F" + } + } + }, + "variables": { + "templateName": "management", + "templateVersion": "20191118", + "location": "[parameters('location')]", + "offers": { + "R80.10 - Bring Your Own License": "BYOL", + "R80.10 - Pay As You Go (MGMT25)": "MGMT25", + "R80.20 - Bring Your Own License": "BYOL", + "R80.20 - Pay As You Go (MGMT25)": "MGMT25" + }, + "offer": "[variables('offers')[parameters('cloudGuardVersion')]]", + "osVersions": { + "R80.10 - Bring Your Own License": "R8010", + "R80.10 - Pay As You Go (MGMT25)": "R8010", + "R80.20 - Bring Your Own License": "R8020", + "R80.20 - Pay As You Go (MGMT25)": "R8020" + }, + "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", + "isBlink": "[bool('false')]", + "computeApiVersion": "2017-03-30", + "storageApiVersion": "2016-01-01", + "networkApiVersion": "2016-06-01", + "deploymentsApiVersion": "2016-02-01", + "storageAccountName": "[concat('bootdiag', uniqueString(resourceGroup().id, deployment().name))]", + "storageAccountType": "Standard_LRS", + "diskSizeGBR8010": 100, + "diskSizeGBR8020": 100, + "diskSizeGB": "[add(parameters('additionalDiskSizeGB'), variables(concat('diskSizeGB', variables('osVersion'))))]", + "customData": "[concat('#!/usr/bin/python /etc/cloud_config.py\n', '\n', 'installationType=\"', parameters('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'managementGUIClientNetwork=\"', 
variables('managementGUIClientNetwork'), '\"', '\n')]", + "imageOfferR8010": "check-point-vsec-r80", + "imageOfferR8020": "check-point-cg-r8020-blink-v2", + "imageOffer": "[concat(variables(concat('imageOffer', variables('osVersion'))), parameters('preview'))]", + "imagePublisher": "checkpoint", + "imageReferenceBYOL": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "[concat(if(equals(variables('osVersion'), 'R8010'), 'sg', 'mgmt'),'-byol')]", + "version": "latest" + }, + "imageReferenceMGMT25": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "mgmt-25", + "version": "latest" + }, + "imageReferenceMarketplace": "[variables(concat('imageReference', variables('offer')))]", + "customImage": "customImage", + "imageReferenceCustomUri": { + "id": "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + }, + "imageReference": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('imageReferenceMarketplace'), variables('imageReferenceCustomUri'))]", + "nic1Name": "[concat(parameters('vmName'), '-eth0')]", + "linuxConfigurationpassword": {}, + "linuxConfigurationsshPublicKey": { + "disablePasswordAuthentication": "true", + "ssh": { + "publicKeys": [ + { + "keyData": "[parameters('sshPublicKey')]", + "path": "/home/notused/.ssh/authorized_keys" + } + ] + } + }, + "linuxConfiguration": "[variables(concat('linuxConfiguration',parameters('authenticationType')))]", + "planBYOL": { + "name": "[concat(if(equals(variables('osVersion'), 'R8010'), 'sg', 'mgmt'),'-byol')]", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planMGMT25": { + "name": "mgmt-25", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "plan": "[variables(concat('plan', variables('offer')))]", + "identity": "[if(parameters('msi'), json('{\"type\": \"SystemAssigned\"}'), json('null'))]", + 
"publicIPAddressName": "[parameters('vmName')]", + "publicIPAddressId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName'))]", + "nsgName": "[concat(parameters('vmName'), '-nsg')]", + "nsgId": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName'))]", + "bootstrapScript64": "[base64(parameters('bootstrapScript'))]", + "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]", + "networkSetupURL": "[uri(parameters('_artifactsLocation'), concat('nestedtemplates/vnet-1-subnet-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]", + "sicKey": "notused", + "managementGUIClientNetwork": "[parameters('managementGUIClientNetwork')]" + }, + "resources": [ + { + "apiVersion": "2018-02-01", + "name": "pid-cad9cfed-843e-554d-a348-a42352708fab", + "type": "Microsoft.Resources/deployments", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('storageAccountName')]", + "apiVersion": "[variables('storageApiVersion')]", + "location": "[variables('location')]", + "sku": { + "name": "[variables('storageAccountType')]" + }, + "kind": "Storage", + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "name": "networkSetup", + "type": "Microsoft.Resources/deployments", + "apiVersion": "[variables('deploymentsApiVersion')]", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + "value": "[variables('location')]" + }, + "apiVersion": { + "value": "[variables('networkApiVersion')]" + }, + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + 
"virtualNetworkAddressPrefix": { + "value": "[parameters('virtualNetworkAddressPrefix')]" + }, + "Subnet1Name": { + "value": "[parameters('Subnet1Name')]" + }, + "Subnet1Prefix": { + "value": "[parameters('Subnet1Prefix')]" + }, + "vnetNewOrExisting": { + "value": "[parameters('vnetNewOrExisting')]" + }, + "virtualNetworkExistingRGName": { + "value": "[parameters('virtualNetworkExistingRGName')]" + } + } + } + }, + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "[variables('networkApiVersion')]", + "location": "[variables('location')]", + "name": "[variables('publicIPAddressName')]", + "properties": { + "idleTimeoutInMinutes": 30, + "publicIPAllocationMethod": "Static", + "dnsSettings": { + "domainNameLabel": "[concat(toLower(parameters('vmName')), '-', uniquestring(resourceGroup().id, deployment().name))]" + } + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "[variables('networkApiVersion')]", + "location": "[variables('location')]", + "name": "[variables('nsgName')]", + "properties": { + "securityRules": [ + { + "name": "SSH", + "properties": { + "description": "Allow inbound SSH connection", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "22", + "sourceAddressPrefix": "[variables('managementGUIClientNetwork')]", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "100", + "direction": "Inbound" + } + }, + { + "name": "GAiA-portal", + "properties": { + "description": "Allow inbound HTTPS access to the GAiA portal", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "443", + "sourceAddressPrefix": "[variables('managementGUIClientNetwork')]", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "110", + "direction": "Inbound" + } + }, + { + "name": "SmartConsole-1", + "properties": { + "description": "Allow inbound access using the SmartConsole GUI 
client", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "18190", + "sourceAddressPrefix": "[variables('managementGUIClientNetwork')]", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "120", + "direction": "Inbound" + } + }, + { + "name": "SmartConsole-2", + "properties": { + "description": "Allow inbound access using the SmartConsole GUI client", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "19009", + "sourceAddressPrefix": "[variables('managementGUIClientNetwork')]", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "130", + "direction": "Inbound" + } + }, + { + "name": "Logs", + "properties": { + "description": "Allow inbound logging connections from managed gateways", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "257", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "140", + "direction": "Inbound" + } + }, + { + "name": "ICA-pull", + "properties": { + "description": "Allow security gateways to pull a SIC certificate", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "18210", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "150", + "direction": "Inbound" + } + }, + { + "name": "CRL-fetch", + "properties": { + "description": "Allow security gateways to fetch CRLs", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "18264", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "160", + "direction": "Inbound" + } + }, + { + "name": "Policy-fetch", + "properties": { + "description": "Allow security gateways to fetch policy", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "18191", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "170", + "direction": "Inbound" + } + } + ] + }, 
+ "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "[variables('networkApiVersion')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 'networkSetup')]", + "[variables('nsgId')]", + "[variables('publicIPAddressId')]" + ], + "location": "[variables('location')]", + "name": "[variables('nic1Name')]", + "properties": { + "enableIPForwarding": false, + "networkSecurityGroup": { + "id": "[variables('nsgId')]" + }, + "ipConfigurations": [ + { + "name": "ipconfig1", + "properties": { + "privateIPAddress": "[parameters('Subnet1StartAddress')]", + "privateIPAllocationMethod": "Static", + "PublicIpAddress": { + "Id": "[variables('publicIPAddressId')]" + }, + "subnet": { + "id": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('Subnet1Name'))]" + } + } + } + ] + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "condition": "[not(equals(parameters('sourceImageVhdUri'), 'noCustomUri'))]", + "type": "Microsoft.Compute/images", + "apiVersion": "2017-12-01", + "name": "[variables('customImage')]", + "location": "[variables('location')]", + "properties": { + "storageProfile": { + "osDisk": { + "osType": "Linux", + "osState": "Generalized", + "blobUri": "[parameters('sourceImageVhdUri')]", + "storageAccountType": "Standard_LRS" + } + } + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "[variables('computeApiVersion')]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]", + "[resourceId('Microsoft.Network/networkInterfaces', variables('nic1Name'))]", + "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + ], + "location": "[variables('location')]", + "name": "[parameters('vmName')]", + "plan": 
"[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('plan'), json('null'))]", + "identity": "[variables('identity')]", + "properties": { + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": "true", + "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), variables('storageApiVersion')).primaryEndpoints.blob]" + } + }, + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nic1Name'))]", + "properties": { + "primary": true + } + } + ] + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "notused", + "computerName": "[toLower(parameters('vmName'))]", + "customData": "[base64(variables('customData'))]", + "linuxConfiguration": "[variables('linuxConfiguration')]" + }, + "storageProfile": { + "imageReference": "[variables('imageReference')]", + "osDisk": { + "caching": "ReadWrite", + "createOption": "FromImage", + "diskSizeGB": "[variables('diskSizeGB')]", + "name": "[parameters('vmName')]", + "managedDisk": { + "storageAccountType": "[parameters('diskType')]" + } + } + } + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + } + ], + "outputs": { + "IPAddress": { + "type": "string", + "value": "[reference(variables('publicIPAddressId')).IpAddress]" + }, + "FQDN": { + "type": "string", + "value": "[reference(variables('publicIPAddressId')).dnsSettings.fqdn]" + } + } +} \ No newline at end of file diff --git a/deprecated/azure/templates/R8010-R8020/mgmt-r8010-r8020/nestedtemplates/vnet-1-subnet-existing.json b/deprecated/azure/templates/R8010-R8020/mgmt-r8010-r8020/nestedtemplates/vnet-1-subnet-existing.json new file mode 100644 index 00000000..a82ecbb9 --- /dev/null +++ b/deprecated/azure/templates/R8010-R8020/mgmt-r8010-r8020/nestedtemplates/vnet-1-subnet-existing.json 
@@ -0,0 +1,73 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "virtualNetworkName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the virtual network"
+ },
+ "defaultValue": "vnet"
+ },
+ "virtualNetworkAddressPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the virtual network"
+ }
+ },
+ "Subnet1Name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the 1st subnet"
+ },
+ "defaultValue": "Frontend"
+ },
+ "Subnet1Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the 1st subnet"
+ },
+ "defaultValue": "10.0.1.0/24"
+ },
+ "vnetNewOrExisting": {
+ "type": "string",
+ "defaultValue": "new",
+ "allowedValues": [
+ "new",
+ "existing"
+ ],
+ "metadata": {
+ "Description": "Indicates whether the virtual network is new or existing"
+ }
+ },
+ "virtualNetworkExistingRGName": {
+ "type": "string",
+ "metadata": {
+ "description": "Resource Group of the existing virtual network"
+ },
+ "defaultValue": ""
+ },
+ "apiVersion": {
+ "type": "string"
+ },
+ "Check_PointTags": {
+ "type": "object",
+ "defaultValue": {
+ "provider": "30DE18BC-F9F6-4F22-9D30-54B8E74CFD5F"
+ }
+ }
+ },
+ "variables": {
+ "vnetId": "[resourceId(parameters('virtualNetworkExistingRGName'),'Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]"
+ },
+ "resources": [],
+ "outputs": {
+ "vnetId": {
+ "value": "[variables('vnetId')]",
+ "type": "string"
+ }
+ }
+}
diff --git a/deprecated/azure/templates/R8010-R8020/mgmt-r8010-r8020/nestedtemplates/vnet-1-subnet-new.json b/deprecated/azure/templates/R8010-R8020/mgmt-r8010-r8020/nestedtemplates/vnet-1-subnet-new.json
new file mode 100644
index 00000000..ba4bb568
--- /dev/null
+++ b/deprecated/azure/templates/R8010-R8020/mgmt-r8010-r8020/nestedtemplates/vnet-1-subnet-new.json
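Review bot: `virtualNetworkExistingRGName` defaults to `""` yet is the first argument of `resourceId(...)` in the `vnetId` variable, so a caller that omits it presumably gets an opaque resourceId failure instead of a clear validation error; dropping the `defaultValue` or adding `"minLength": 1` makes the parameter explicitly required for this 'existing' path. Every parameter except `virtualNetworkName` and `virtualNetworkExistingRGName` is declared but never referenced (`resources` is empty), which reads as interface parity with the sibling template; a top-level `"metadata": { "description": "Resolves the id of an existing VNet; subnet and prefix parameters are accepted only to match vnet-1-subnet-new.json and are ignored." }` would record that intent, and the same unused-parameter pattern (`vnetNewOrExisting`, `virtualNetworkExistingRGName`) recurs in the vnet-1-subnet-new.json hunk. The `vnetNewOrExisting` metadata key is spelled `Description` while every other parameter in this file uses `description`; keep the lowercase form for consistency.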
@@ -0,0 +1,96 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "vnet" + }, + "virtualNetworkAddressPrefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the virtual network" + } + }, + "Subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the 1st subnet" + }, + "defaultValue": "Frontend" + }, + "Subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 1st subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "new", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "" + }, + "apiVersion": { + "type": "string" + }, + "Check_PointTags": { + "type": "object", + "defaultValue": { + "provider": "30DE18BC-F9F6-4F22-9D30-54B8E74CFD5F" + } + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "[parameters('apiVersion')]", + "location": "[parameters('location')]", + "name": "[parameters('virtualNetworkName')]", + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[parameters('virtualNetworkAddressPrefix')]" + ] + }, + "subnets": [ + { + "name": "[parameters('subnet1Name')]", + "properties": { + "addressPrefix": "[parameters('subnet1Prefix')]" + } + } + ] + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + } + ], + "outputs": { + "vnetId": { + "value": 
"[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]", + "type": "string" + } + } +} diff --git a/deprecated/azure/templates/R8010-R8020/single-r8010-r8020/README.MD b/deprecated/azure/templates/R8010-R8020/single-r8010-r8020/README.MD new file mode 100644 index 00000000..70787f21 --- /dev/null +++ b/deprecated/azure/templates/R8010-R8020/single-r8010-r8020/README.MD @@ -0,0 +1,13 @@ +# How to deploy this template +To deploy this ARM template, follow these instructions: +1. Log in to the [Microsoft Azure Portal](https://portal.azure.com) +2. Click "*Create a resource*" +3. Search for "*Template deployment (deploy using custom templates)*" and click "*Create*" +4. Click "*Build your own template in the editor*" +5. Load the "*mainTemplate.json*" file from this directory and click "*Save*" +6. Enter the desired template parameters + - Replace the "*_artifacts Location*" property with: + ``` + https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/deprecated/azure/templates/single-r8010-r8020/ + ``` +7. Click *Purchase* to deploy the solution diff --git a/deprecated/azure/templates/R8010-R8020/single-r8010-r8020/createUiDefinition.json b/deprecated/azure/templates/R8010-R8020/single-r8010-r8020/createUiDefinition.json new file mode 100644 index 00000000..f33d78a1 --- /dev/null +++ b/deprecated/azure/templates/R8010-R8020/single-r8010-r8020/createUiDefinition.json 
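Review bot: The subnet definition reads `parameters('subnet1Name')` and `parameters('subnet1Prefix')` while the parameters are declared as `Subnet1Name` and `Subnet1Prefix`; ARM resolves parameter names case-insensitively, so this should deploy, but the mixed casing looks like a reference to a different parameter and should match the declarations: `"name": "[parameters('Subnet1Name')]"` and `"addressPrefix": "[parameters('Subnet1Prefix')]"`. The `vnetId` output uses the two-argument `resourceId`, which is correct here because the VNet is created in the deployment's own resource group, unlike the 'existing' sibling that must pass the resource group explicitly; a short `metadata.description` on the output stating that would save the next reader the comparison.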
@@ -0,0 +1,754 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Compute.MultiVm", + "version": "0.1.2-preview", + "parameters": { + "basics": [ + { + "name": "gatewayNameUi", + "type": "Microsoft.Common.TextBox", + "label": "VM Name", + "toolTip": "The name of the Check Point CloudGuard.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{1,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + } + }, + { + "name": "auth", + "type": "Microsoft.Compute.CredentialsCombo", + "label": { + "authenticationType": "Authentication type", + "password": "Password", + "confirmPassword": "Confirm password", + "sshPublicKey": "SSH public key" + }, + "toolTip": { + "authenticationType": "", + "password": "The user 'admin' password", + "sshPublicKey": "Paste an OpenSSH public key. You can generate a key pair using ssh-keygen (Linux, OS X, Cygwin) or PuttyGen (Windows)" + }, + "constraints": { + "required": true + }, + "options": { + "hideConfirmation": false, + "hidePassword": false + }, + "osPlatform": "Linux" + } + ], + "steps": [ + { + "name": "chkp", + "label": "Check Point CloudGuard settings", + "subLabel": { + "preValidation": "Configure CloudGuard settings", + "postValidation": "Done" + }, + "bladeTitle": "CloudGuard settings", + "elements": [ + { + "name": "cloudGuardVersion", + "type": "Microsoft.Common.DropDown", + "label": "Check Point CloudGuard version", + "defaultValue": "R80.20", + "toolTip": "The version of Check Point CloudGuard. 
For R80.20 license is BYOL.", + "constraints": { + "allowedValues": [ + { + "label": "R80.10", + "value": "R80.10" + }, + { + "label": "R80.20", + "value": "R80.20" + } + ] + } + }, + { + "name": "R80Offer", + "type": "Microsoft.Common.DropDown", + "label": "License type", + "toolTip": "The type of license.", + "defaultValue": "Bring Your Own License", + "visible": true, + "constraints": { + "allowedValues": [ + { + "label": "Bring Your Own License", + "value": "Bring Your Own License" + }, + { + "label": "Pay As You Go (NGTP)", + "value": "Pay As You Go (NGTP)" + }, + { + "label": "Pay As You Go (NGTX)", + "value": "Pay As You Go (NGTX)" + } + ] + } + }, + { + "name": "R8010vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.10'), not(equals(steps('chkp').installationType, 'gateway')), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2" + ], + "constraints": { + "excludedSizes": [ + "Standard_A1_v2", + "Standard_D1_v2", + "Standard_DS1_v2", + "Standard_F1", + "Standard_F1s", + "Standard_G1", + "Standard_GS1" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-vsec-r80", + "sku": "sg-byol" + }, + "count": 1 + }, + { + "name": "R8010vmSizeUiNGTP", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.10'), not(equals(steps('chkp').installationType, 'gateway')), contains(steps('chkp').R80Offer, '(NGTP)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2" + ], + "constraints": { + "excludedSizes": [ + "Standard_A1_v2", + "Standard_D1_v2", + "Standard_DS1_v2", + "Standard_F1", + "Standard_F1s", + "Standard_G1", + "Standard_GS1" + ] + }, + "osPlatform": "Linux", + 
"imageReference": { + "publisher": "checkpoint", + "offer": "check-point-vsec-r80", + "sku": "sg-ngtp-v2" + }, + "count": 1 + }, + { + "name": "R8010vmSizeUiNGTX", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.10'), not(equals(steps('chkp').installationType, 'gateway')), contains(steps('chkp').R80Offer, '(NGTX)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2" + ], + "constraints": { + "excludedSizes": [ + "Standard_A1_v2", + "Standard_D1_v2", + "Standard_DS1_v2", + "Standard_F1", + "Standard_F1s", + "Standard_G1", + "Standard_GS1" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-vsec-r80", + "sku": "sg-ngtx" + }, + "count": 1 + }, + { + "name": "R8010vmSizeUiBYOLBlink", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.10'), equals(steps('chkp').installationType, 'gateway'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2" + ], + "constraints": { + "excludedSizes": [ + "Standard_A1_v2", + "Standard_D1_v2", + "Standard_DS1_v2", + "Standard_F1", + "Standard_F1s", + "Standard_G1", + "Standard_GS1" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-vsec-r80-blink-v2", + "sku": "sg-byol" + }, + "count": 1 + }, + { + "name": "R8010vmSizeUiNGTPBlink", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.10'), equals(steps('chkp').installationType, 'gateway'), contains(steps('chkp').R80Offer, '(NGTP)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2" + ], + "constraints": { + 
"excludedSizes": [ + "Standard_A1_v2", + "Standard_D1_v2", + "Standard_DS1_v2", + "Standard_F1", + "Standard_F1s", + "Standard_G1", + "Standard_GS1" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-vsec-r80-blink-v2", + "sku": "sg-ngtp-v2" + }, + "count": 1 + }, + { + "name": "R8010vmSizeUiNGTXBlink", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.10'), equals(steps('chkp').installationType, 'gateway'), contains(steps('chkp').R80Offer, '(NGTX)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2" + ], + "constraints": { + "excludedSizes": [ + "Standard_A1_v2", + "Standard_D1_v2", + "Standard_DS1_v2", + "Standard_F1", + "Standard_F1s", + "Standard_G1", + "Standard_GS1" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-vsec-r80-blink-v2", + "sku": "sg-ngtx" + }, + "count": 1 + }, + { + "name": "R8020vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.20'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + 
"Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8020-blink-v2", + "sku": "sg-byol" + }, + "count": 1 + }, + { + "name": "R8020vmSizeUiNGTP", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.20'), contains(steps('chkp').R80Offer, '(NGTP)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + 
"Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8020-blink-v2", + "sku": "sg-ngtp" + }, + "count": 1 + }, + { + "name": "R8020vmSizeUiNGTX", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.20'), contains(steps('chkp').R80Offer, '(NGTX)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + 
"Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8020-blink-v2", + "sku": "sg-ngtx" + }, + "count": 1 + }, + { + "name": "installationType", + "type": "Microsoft.Common.DropDown", + "label": "Installation type", + "visible": "[equals(steps('chkp').cloudGuardVersion, 'R80.10')]", + "defaultValue": "Gateway and Management (Standalone)", + "toolTip": "Select the type of deployment", + "constraints": { + "allowedValues": [ + { + "label": "Gateway only", + "value": "gateway" + }, + { + "label": "Gateway and Management (Standalone)", + "value": "standalone" + }, + { + "label": "Configure manually", + "value": "custom" + } + ] + } + }, + { + "name": "managementGUIClientNetwork", + "type": "Microsoft.Common.TextBox", + "label": "Allowed GUI clients", + "toolTip": "GUI clients network CIDR", + "defaultValue": "0.0.0.0/0", + "constraints": { + "required": true, + "regex": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", + "validationMessage": "Enter a valid IPv4 network CIDR" + }, + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.10'), equals(steps('chkp').installationType, 'standalone'))]" + }, + { + "name": "sicKeyUi", + "type": "Microsoft.Common.PasswordBox", + "label": { + "password": "SIC key", + "confirmPassword": "Confirm SIC key" + }, + "toolTip": "Set the Secure Internal Communication one time secret used to set up trust between the gateway and the management server.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{8,30}$", + "validationMessage": "Only alphanumeric 
characters are allowed, and the value must be 8-30 characters long." + }, + "options": { + "hideConfirmation": true + }, + "visible": "[or(equals(steps('chkp').installationType, 'gateway'), not(equals(steps('chkp').cloudGuardVersion, 'R80.10')))]" + }, + { + "name": "bootstrapScript", + "type": "Microsoft.Common.FileUpload", + "label": "Bootstrap script", + "toolTip": "An optional script to run on the initial boot", + "constraints": { + "required": false, + "accept": ".sh,text/plain" + }, + "options": { + "multiple": false, + "uploadMode": "file", + "openMode": "text", + "encoding": "UTF-8" + } + }, + { + "visible": "[or(not(equals(steps('chkp').cloudGuardVersion, 'R80.10')), not(equals(steps('chkp').installationType, 'custom')))]", + "name": "allowUploadDownload", + "type": "Microsoft.Common.OptionsGroup", + "label": "Allow download from/upload to Check Point", + "defaultValue": "Yes", + "toolTip": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "true" + }, + { + "label": "No", + "value": "false" + } + ] + } + }, + { + "name": "additionalDiskSizeGB", + "type": "Microsoft.Common.TextBox", + "label": "Additional disk space (GB)", + "defaultValue": "0", + "toolTip": "Additional disk space (in GB), Initial disk size is 100 GB.", + "constraints": { + "regex": "^([0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-2][0-9][0-9][0-9]|3[0-8][0-9][0-9]|399[0-5])$", + "validationMessage": "Select a number between 0 and 3995" + } + }, + { + "name": "VMDiskType", + "type": "Microsoft.Common.OptionsGroup", + "label": "VM disk type", + "toolTip": "Type of CloudGuard disk.", + "visible": "[or(contains(steps('chkp').R8010vmSizeUiBYOL, 'DS'), contains(steps('chkp').R8010vmSizeUiNGTP, 'DS'), contains(steps('chkp').R8010vmSizeUiNGTX, 'DS'), contains(steps('chkp').R8010vmSizeUiBYOLBlink, 'DS'), contains(steps('chkp').R8010vmSizeUiNGTPBlink, 'DS'), 
contains(steps('chkp').R8010vmSizeUiNGTXBlink, 'DS'), contains(steps('chkp').R8020vmSizeUiBYOL, 'DS'), contains(steps('chkp').R8020vmSizeUiNGTP, 'DS'), contains(steps('chkp').R8020vmSizeUiNGTX, 'DS'))]", + "defaultValue": "Standard", + "constraints": { + "allowedValues": [ + { + "label": "Standard", + "value": "Standard_LRS" + }, + { + "label": "Premium", + "value": "Premium_LRS" + } + ] + } + }, + { + "name": "useCustomImageUri", + "type": "Microsoft.Common.OptionsGroup", + "label": "Use development image uri", + "defaultValue": "No", + "toolTip": "", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ], + "required": true + }, + "visible": false + }, + { + "name": "sourceImageVhdUri", + "type": "Microsoft.Common.TextBox", + "label": "Development Image URI", + "toolTip": "The URI of the blob containing the development image", + "constraints": { + "required": "[equals(steps('chkp').useCustomImageUri, 'Yes')]", + "regex": "^[a-z0-9A-Z_\\-\\.\\:\\/]{1,500}.vhd$", + "validationMessage": "Only alphanumeric characters and '_','-','.',':','/' are allowed, the value must be 1-500 characters long and must end with .vhd. 
" + }, + "visible": "[equals(steps('chkp').useCustomImageUri, 'Yes')]" + } + ] + }, + { + "name": "network", + "label": "Network settings", + "subLabel": { + "preValidation": "Configure network settings", + "postValidation": "Done" + }, + "bladeTitle": "Network settings", + "elements": [ + { + "name": "virtualNetwork", + "type": "Microsoft.Network.VirtualNetworkCombo", + "label": { + "virtualNetwork": "Virtual network", + "subnets": "Subnets" + }, + "toolTip": { + "virtualNetwork": "Virtual Network Name", + "subnets": "List of subnets to deploy into" + }, + "defaultValue": { + "name": "vnet01", + "addressPrefixSize": "/16" + }, + "constraints": { + "minAddressPrefixSize": "/28" + }, + "options": { + "hideExisting": false + }, + "subnets": { + "subnet1": { + "label": "Frontend subnet", + "defaultValue": { + "name": "Frontend", + "addressPrefixSize": "/24" + }, + "constraints": { + "minAddressPrefixSize": "/29", + "minAddressCount": 1, + "requireContiguousAddresses": true + } + }, + "subnet2": { + "label": "Backend subnet", + "defaultValue": { + "name": "Backend", + "addressPrefixSize": "/24" + }, + "constraints": { + "minAddressPrefixSize": "/29", + "minAddressCount": 1, + "requireContiguousAddresses": true + } + } + } + } + ] + } + ], + "outputs": { + "location": "[location()]", + "cloudGuardVersion": "[concat(steps('chkp').cloudGuardVersion, ' - ', coalesce(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "adminPassword": "[basics('auth').password]", + "authenticationType": "[basics('auth').authenticationType]", + "sshPublicKey": "[basics('auth').sshPublicKey]", + "vmName": "[basics('gatewayNameUi')]", + "vmSize": "[coalesce(steps('chkp').R8010vmSizeUiBYOL, steps('chkp').R8010vmSizeUiNGTP, steps('chkp').R8010vmSizeUiNGTX, steps('chkp').R8010vmSizeUiBYOLBlink, steps('chkp').R8010vmSizeUiNGTPBlink, steps('chkp').R8010vmSizeUiNGTXBlink, steps('chkp').R8020vmSizeUiBYOL, steps('chkp').R8020vmSizeUiNGTP, steps('chkp').R8020vmSizeUiNGTX)]", + "sicKey": 
"[coalesce(steps('chkp').sicKeyUi, 'notused')]", + "virtualNetworkName": "[steps('network').virtualNetwork.name]", + "virtualNetworkAddressPrefix": "[steps('network').virtualNetwork.addressPrefix]", + "Subnet1Name": "[steps('network').virtualNetwork.subnets.subnet1.name]", + "Subnet1Prefix": "[steps('network').virtualNetwork.subnets.subnet1.addressPrefix]", + "Subnet1StartAddress": "[steps('network').virtualNetwork.subnets.subnet1.startAddress]", + "Subnet2Name": "[steps('network').virtualNetwork.subnets.subnet2.name]", + "Subnet2Prefix": "[steps('network').virtualNetwork.subnets.subnet2.addressPrefix]", + "Subnet2StartAddress": "[steps('network').virtualNetwork.subnets.subnet2.startAddress]", + "vnetNewOrExisting": "[steps('network').virtualNetwork.newOrExisting]", + "virtualNetworkExistingRGName": "[steps('network').virtualNetwork.resourceGroup]", + "managementGUIClientNetwork": "[steps('chkp').managementGUIClientNetwork]", + "installationType": "[steps('chkp').installationType]", + "bootstrapScript": "[steps('chkp').bootstrapScript]", + "allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp').allowUploadDownload, 'true')]", + "additionalDiskSizeGB": "[int(steps('chkp').additionalDiskSizeGB)]", + "diskType": "[coalesce(steps('chkp').VMDiskType, 'Standard_LRS')]", + "sourceImageVhdUri": "[coalesce(steps('chkp').sourceImageVhdUri, 'noCustomUri')]" + } + } +} \ No newline at end of file diff --git a/deprecated/azure/templates/R8010-R8020/single-r8010-r8020/mainTemplate.json b/deprecated/azure/templates/R8010-R8020/single-r8010-r8020/mainTemplate.json new file mode 100644 index 00000000..d181ad96 --- /dev/null +++ b/deprecated/azure/templates/R8010-R8020/single-r8010-r8020/mainTemplate.json 
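Review bot: The `managementGUIClientNetwork` ('Allowed GUI clients') element ships with `"defaultValue": "0.0.0.0/0"`, so a user who accepts the defaults scopes administrative access to every source address; the element is already `required`, so removing the default forces an explicit choice, and the toolTip can say `"GUI clients network CIDR; restrict to your administrators' addresses"`. The regex admits `0.0.0.0/0`, so validation alone does not catch it, and the `managementGUIClientNetwork` parameter of mainTemplate.json in the next hunk repeats the same default; in the mgmt template earlier on this page the same value is the `sourceAddressPrefix` of the SSH, GAiA portal and SmartConsole NSG rules, which shows what the default exposes. Separately, the `sourceImageVhdUri` regex `^[a-z0-9A-Z_\\-\\.\\:\\/]{1,500}.vhd$` leaves the dot before `vhd` unescaped, so any character is accepted there; `\\.vhd$` is the intended suffix check, and its `validationMessage` carries a trailing line break that should be trimmed.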
@@ -0,0 +1,599 @@
+{
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "Deployment location"
+ },
+ "defaultValue": "[resourceGroup().location]"
+ },
+ "cloudGuardVersion": {
+ "type": "string",
+ "allowedValues": [
+ "R80.10 - Bring Your Own License",
+ "R80.10 - Pay As You Go (NGTP)",
+ "R80.10 - Pay As You Go (NGTX)",
+ "R80.20 - Bring Your Own License",
+ "R80.20 - Pay As You Go (NGTP)",
+ "R80.20 - Pay As You Go (NGTX)"
+ ],
+ "defaultValue": "R80.20 - Bring Your Own License",
+ "metadata": {
+ "description": "Version of Check Point vSEC"
+ }
+ },
+ "adminPassword": {
+ "type": "securestring",
+ "metadata": {
+ "description": "Administrator password"
+ },
+ "defaultValue": ""
+ },
+ "authenticationType": {
+ "type": "string",
+ "allowedValues": [
+ "password",
+ "sshPublicKey"
+ ],
+ "defaultValue": "password",
+ "metadata": {
+ "description": "Authentication type"
+ }
+ },
+ "sshPublicKey": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Administrator SSH public key"
+ }
+ },
+ "vmName": {
+ "type": "string",
+ "metadata": {
+ "description": "Name of the Check Point Security Gateway"
+ }
+ },
+ "vmSize": {
+ "type": "string",
+ "defaultValue": "Standard_D3_v2",
+ "metadata": {
+ "description": "Size of the VM"
+ }
+ },
+ "sicKey": {
+ "type": "securestring",
+ "metadata": {
+ "description": "One time key for Secure Internal Communication"
+ }
+ },
+ "virtualNetworkName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the virtual network"
+ },
+ "defaultValue": "vnet"
+ },
+ "virtualNetworkAddressPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the virtual network"
+ },
+ "defaultValue": "10.0.0.0/16"
+ },
+ "Subnet1Name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the 1st subnet"
+ },
+
"defaultValue": "Frontend"
+ },
+ "Subnet1Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the 1st subnet"
+ },
+ "defaultValue": "10.0.1.0/24"
+ },
+ "Subnet1StartAddress": {
+ "type": "string",
+ "metadata": {
+ "description": "The first available address on the 1st subnet"
+ },
+ "defaultValue": "10.0.1.10"
+ },
+ "Subnet2Name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the 2nd subnet"
+ },
+ "defaultValue": "Backend"
+ },
+ "Subnet2Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the 2nd subnet"
+ },
+ "defaultValue": "10.0.2.0/24"
+ },
+ "Subnet2StartAddress": {
+ "type": "string",
+ "metadata": {
+ "description": "The first available address on the 2nd subnet"
+ },
+ "defaultValue": "10.0.2.10"
+ },
+ "vnetNewOrExisting": {
+ "type": "string",
+ "defaultValue": "new",
+ "allowedValues": [
+ "new",
+ "existing"
+ ],
+ "metadata": {
+ "Description": "Indicates whether the virtual network is new or existing"
+ }
+ },
+ "virtualNetworkExistingRGName": {
+ "type": "string",
+ "metadata": {
+ "description": "Resource Group of the existing virtual network"
+ },
+ "defaultValue": ""
+ },
+ "managementGUIClientNetwork": {
+ "type": "string",
+ "metadata": {
+ "description": "Allowed GUI clients"
+ },
+ "defaultValue": "0.0.0.0/0"
+ },
+ "installationType": {
+ "type": "string",
+ "metadata": {
+ "description": "Installation Type"
+ },
+ "defaultValue": "standalone",
+ "allowedValues": [
+ "standalone",
+ "gateway",
+ "custom"
+ ]
+ },
+ "bootstrapScript": {
+ "type": "string",
+ "metadata": {
+ "description": "Bootstrap script"
+ },
+ "defaultValue": ""
+ },
+ "allowDownloadFromUploadToCheckPoint": {
+ "type": "string",
+ "allowedValues": [
+ "true",
+ "false"
+ ],
+ "defaultValue": "true",
+ "metadata": {
+ "description": "Automatically download Blade Contracts and other important data.
Improve product experience by sending data to Check Point"
+ }
+ },
+ "additionalDiskSizeGB": {
+ "type": "int",
+ "defaultValue": 0,
+ "metadata": {
+ "description": "Amount of additional disk space (in GB)"
+ },
+ "minValue": 0,
+ "maxValue": 3995
+ },
+ "diskType": {
+ "type": "string",
+ "defaultValue": "Standard_LRS",
+ "metadata": {
+ "description": "The type of the OS disk. Premium is applicable only to DS machine sizes"
+ },
+ "allowedValues": [
+ "Standard_LRS",
+ "Premium_LRS"
+ ]
+ },
+ "preview": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Deploy the staged image"
+ },
+ "allowedValues": [
+ "",
+ "-preview"
+ ]
+ },
+ "sourceImageVhdUri": {
+ "type": "string",
+ "defaultValue": "noCustomUri",
+ "metadata": {
+ "description": "The URI of the blob containing the development image"
+ }
+ },
+ "_artifactsLocation": {
+ "type": "string",
+ "metadata": {
+ "description": "The base URI where artifacts required by this template are located including a trailing '/'"
+ },
+ "defaultValue": "[deployment().properties.templateLink.uri]"
+ },
+ "_artifactsLocationSasToken": {
+ "type": "securestring",
+ "metadata": {
+ "description": "The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. Use the defaultValue if the staging location is not secured."
+ },
+ "defaultValue": ""
+ },
+ "Check_PointTags": {
+ "type": "object",
+ "defaultValue": {
+ "provider": "30DE18BC-F9F6-4F22-9D30-54B8E74CFD5F"
+ }
+ }
+ },
+ "variables": {
+ "templateName": "single",
+ "templateVersion": "20191118",
+ "location": "[parameters('location')]",
+ "offers": {
+ "R80.10 - Bring Your Own License": "BYOL",
+ "R80.10 - Pay As You Go (NGTP)": "NGTP-V2",
+ "R80.10 - Pay As You Go (NGTX)": "NGTX",
+ "R80.20 - Bring Your Own License": "BYOL",
+ "R80.20 - Pay As You Go (NGTP)": "NGTP",
+ "R80.20 - Pay As You Go (NGTX)": "NGTX"
+ },
+ "offer": "[variables('offers')[parameters('cloudGuardVersion')]]",
+ "osVersions": {
+ "R80.10 - Bring Your Own License": "R8010",
+ "R80.10 - Pay As You Go (NGTP)": "R8010",
+ "R80.10 - Pay As You Go (NGTX)": "R8010",
+ "R80.20 - Bring Your Own License": "R8020",
+ "R80.20 - Pay As You Go (NGTP)": "R8020",
+ "R80.20 - Pay As You Go (NGTX)": "R8020"
+ },
+ "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]",
+ "installationType": "[if(not(equals(variables('osVersion'), 'R8010')), 'gateway', parameters('installationType'))]",
+ "isBlink": "[equals(variables('installationType'), 'gateway')]",
+ "computeApiVersion": "2017-03-30",
+ "storageApiVersion": "2016-01-01",
+ "networkApiVersion": "2018-01-01",
+ "deploymentsApiVersion": "2016-02-01",
+ "storageAccountName": "[concat('bootdiag', uniqueString(resourceGroup().id, deployment().name))]",
+ "storageAccountType": "Standard_LRS",
+ "diskSizeGBR8010": 100,
+ "diskSizeGBR8020": 100,
+ "diskSizeGB": "[add(parameters('additionalDiskSizeGB'), variables(concat('diskSizeGB', variables('osVersion'))))]",
+ "customData": "[concat('#!/usr/bin/python /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"',
variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'managementGUIClientNetwork=\"', variables('managementGUIClientNetwork'), '\"', '\n')]",
+ "imageOfferR8010": "[if(variables('isBlink'), 'check-point-vsec-r80-blink-v2', 'check-point-vsec-r80')]",
+ "imageOfferR8020": "check-point-cg-r8020-blink-v2",
+ "imageOffer": "[concat(variables(concat('imageOffer', variables('osVersion'))), parameters('preview'))]",
+ "imagePublisher": "checkpoint",
+ "imageReferenceBYOL": {
+ "offer": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]",
+ "sku": "sg-byol",
+ "version": "latest"
+ },
+ "imageReferenceNGTP": {
+ "offer": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]",
+ "sku": "sg-ngtp",
+ "version": "latest"
+ },
+ "imageReferenceNGTP-V2": {
+ "offer": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]",
+ "sku": "sg-ngtp-v2",
+ "version": "latest"
+ },
+ "imageReferenceNGTX": {
+ "offer": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]",
+ "sku": "sg-ngtx",
+ "version": "latest"
+ },
+ "imageReferenceMarketplace": "[variables(concat('imageReference', variables('offer')))]",
+ "customImage": "customImage",
+ "imageReferenceCustomUri": {
+ "id": "[resourceId('Microsoft.Compute/images/', variables('customImage'))]"
+ },
+ "imageReference": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('imageReferenceMarketplace'), variables('imageReferenceCustomUri'))]",
+ "nic1Name": "[concat(parameters('vmName'), '-eth0')]",
+ "nic2Name": "[concat(parameters('vmName'), '-eth1')]",
+ "linuxConfigurationpassword": {},
+ "linuxConfigurationsshPublicKey": {
+ "disablePasswordAuthentication": "true",
+ "ssh": {
+ "publicKeys": [
+ {
+ "keyData":
"[parameters('sshPublicKey')]",
+ "path": "/home/notused/.ssh/authorized_keys"
+ }
+ ]
+ }
+ },
+ "linuxConfiguration": "[variables(concat('linuxConfiguration',parameters('authenticationType')))]",
+ "planBYOL": {
+ "name": "sg-byol",
+ "product": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]"
+ },
+ "planNGTP": {
+ "name": "sg-ngtp",
+ "product": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]"
+ },
+ "planNGTP-V2": {
+ "name": "sg-ngtp-v2",
+ "product": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]"
+ },
+ "planNGTX": {
+ "name": "sg-ngtx",
+ "product": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]"
+ },
+ "plan": "[variables(concat('plan', variables('offer')))]",
+ "publicIPAddressName": "[parameters('vmName')]",
+ "publicIPAddressId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName'))]",
+ "bootstrapScript64": "[base64(parameters('bootstrapScript'))]",
+ "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]",
+ "networkSetupURL": "[uri(parameters('_artifactsLocation'), concat('nestedtemplates/vnet-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]",
+ "sicKey": "[parameters('sicKey')]",
+ "managementGUIClientNetwork": "[parameters('managementGUIClientNetwork')]"
+ },
+ "resources": [
+ {
+ "apiVersion": "2018-02-01",
+ "name": "pid-769ae546-3d1f-5beb-87f2-918ac09137c0",
+ "type": "Microsoft.Resources/deployments",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": []
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "name": "[variables('storageAccountName')]",
+ "apiVersion": "[variables('storageApiVersion')]",
+ "location": "[variables('location')]",
+ "sku": {
+ "name":
"[variables('storageAccountType')]"
+ },
+ "kind": "Storage",
+ "tags": {
+ "provider": "[toUpper(parameters('Check_PointTags').provider)]"
+ }
+ },
+ {
+ "name": "networkSetup",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "[variables('deploymentsApiVersion')]",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "[variables('networkSetupURL')]",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "location": {
+ "value": "[variables('location')]"
+ },
+ "apiVersion": {
+ "value": "[variables('networkApiVersion')]"
+ },
+ "virtualNetworkName": {
+ "value": "[parameters('virtualNetworkName')]"
+ },
+ "virtualNetworkAddressPrefix": {
+ "value": "[parameters('virtualNetworkAddressPrefix')]"
+ },
+ "Subnet1Name": {
+ "value": "[parameters('Subnet1Name')]"
+ },
+ "Subnet1Prefix": {
+ "value": "[parameters('Subnet1Prefix')]"
+ },
+ "Subnet1StartAddress": {
+ "value": "[parameters('Subnet1StartAddress')]"
+ },
+ "Subnet2Name": {
+ "value": "[parameters('Subnet2Name')]"
+ },
+ "Subnet2Prefix": {
+ "value": "[parameters('Subnet2Prefix')]"
+ },
+ "Subnet2StartAddress": {
+ "value": "[parameters('Subnet2StartAddress')]"
+ },
+ "vnetNewOrExisting": {
+ "value": "[parameters('vnetNewOrExisting')]"
+ },
+ "virtualNetworkExistingRGName": {
+ "value": "[parameters('virtualNetworkExistingRGName')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Network/publicIPAddresses",
+ "apiVersion": "[variables('networkApiVersion')]",
+ "location": "[variables('location')]",
+ "name": "[variables('publicIPAddressName')]",
+ "properties": {
+ "idleTimeoutInMinutes": 30,
+ "publicIPAllocationMethod": "Static",
+ "dnsSettings": {
+ "domainNameLabel": "[concat(toLower(parameters('vmName')), '-', uniquestring(resourceGroup().id, deployment().name))]"
+ }
+ },
+ "tags": {
+ "provider": "[toUpper(parameters('Check_PointTags').provider)]"
+ }
+ },
+ {
+ "type": "Microsoft.Network/networkInterfaces",
+ "apiVersion": "[variables('networkApiVersion')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', 'networkSetup')]",
+ "[variables('publicIPAddressId')]"
+ ],
+ "location": "[variables('location')]",
+ "name": "[variables('nic1Name')]",
+ "properties": {
+ "enableIPForwarding": true,
+ "enableAcceleratedNetworking": "[not(equals(variables('osVersion'), 'R8010'))]",
+ "ipConfigurations": [
+ {
+ "name": "ipconfig1",
+ "properties": {
+ "privateIPAddress": "[parameters('Subnet1StartAddress')]",
+ "privateIPAllocationMethod": "Static",
+ "PublicIpAddress": {
+ "Id": "[variables('publicIPAddressId')]"
+ },
+ "subnet": {
+ "id": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('Subnet1Name'))]"
+ }
+ }
+ }
+ ]
+ },
+ "tags": {
+ "provider": "[toUpper(parameters('Check_PointTags').provider)]"
+ }
+ },
+ {
+ "type": "Microsoft.Network/networkInterfaces",
+ "apiVersion": "[variables('networkApiVersion')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', 'networkSetup')]"
+ ],
+ "location": "[variables('location')]",
+ "name": "[variables('nic2Name')]",
+ "properties": {
+ "enableIPForwarding": true,
+ "enableAcceleratedNetworking": "[not(equals(variables('osVersion'), 'R8010'))]",
+ "ipConfigurations": [
+ {
+ "name": "ipconfig2",
+ "properties": {
+ "privateIPAddress": "[parameters('Subnet2StartAddress')]",
+ "privateIPAllocationMethod": "Static",
+ "subnet": {
+ "id": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('Subnet2Name'))]"
+ }
+ }
+ }
+ ]
+ },
+ "tags": {
+ "provider": "[toUpper(parameters('Check_PointTags').provider)]"
+ }
+ },
+ {
+ "condition": "[not(equals(parameters('sourceImageVhdUri'), 'noCustomUri'))]",
+ "type": "Microsoft.Compute/images",
+ "apiVersion": "2017-12-01",
+ "name": "[variables('customImage')]",
+ "location": "[variables('location')]",
+ "properties": {
+ "storageProfile": {
+ "osDisk": {
+ "osType": "Linux",
+ "osState": "Generalized",
+ "blobUri": "[parameters('sourceImageVhdUri')]",
+
"storageAccountType": "Standard_LRS"
+ }
+ }
+ },
+ "tags": {
+ "provider": "[toUpper(parameters('Check_PointTags').provider)]"
+ }
+ },
+ {
+ "type": "Microsoft.Compute/virtualMachines",
+ "apiVersion": "[variables('computeApiVersion')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",
+ "[resourceId('Microsoft.Network/networkInterfaces', variables('nic1Name'))]",
+ "[resourceId('Microsoft.Network/networkInterfaces', variables('nic2Name'))]",
+ "[resourceId('Microsoft.Compute/images/', variables('customImage'))]"
+ ],
+ "location": "[variables('location')]",
+ "name": "[parameters('vmName')]",
+ "plan": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('plan'), json('null'))]",
+ "properties": {
+ "diagnosticsProfile": {
+ "bootDiagnostics": {
+ "enabled": "true",
+ "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), variables('storageApiVersion')).primaryEndpoints.blob]"
+ }
+ },
+ "hardwareProfile": {
+ "vmSize": "[parameters('vmSize')]"
+ },
+ "networkProfile": {
+ "networkInterfaces": [
+ {
+ "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nic1Name'))]",
+ "properties": {
+ "primary": true
+ }
+ },
+ {
+ "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nic2Name'))]",
+ "properties": {
+ "primary": false
+ }
+ }
+ ]
+ },
+ "osProfile": {
+ "adminPassword": "[parameters('adminPassword')]",
+ "adminUsername": "notused",
+ "computerName": "[toLower(parameters('vmName'))]",
+ "customData": "[base64(variables('customData'))]",
+ "linuxConfiguration": "[variables('linuxConfiguration')]"
+ },
+ "storageProfile": {
+ "imageReference": "[variables('imageReference')]",
+ "osDisk": {
+ "caching": "ReadWrite",
+ "createOption": "FromImage",
+ "diskSizeGB": "[variables('diskSizeGB')]",
+ "name": "[parameters('vmName')]",
+ "managedDisk": {
+ "storageAccountType": "[parameters('diskType')]"
+ }
+ }
+ }
+ },
+ "tags": {
+ "provider": "[toUpper(parameters('Check_PointTags').provider)]"
+ }
+ }
+ ],
+ "outputs": {
+ "GatewayIPAddr": {
+ "type": "string",
+ "value": "[reference(variables('publicIPAddressId')).IpAddress]"
+ },
+ "GatewayFQDN": {
+ "type": "string",
+ "value": "[reference(variables('publicIPAddressId')).dnsSettings.fqdn]"
+ }
+ }
+}
\ No newline at end of file
diff --git a/deprecated/azure/templates/R8010-R8020/single-r8010-r8020/nestedtemplates/vnet-existing.json b/deprecated/azure/templates/R8010-R8020/single-r8010-r8020/nestedtemplates/vnet-existing.json
new file mode 100644
index 00000000..e8e5bd2f
--- /dev/null
+++ b/deprecated/azure/templates/R8010-R8020/single-r8010-r8020/nestedtemplates/vnet-existing.json
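Review bot: `managementGUIClientNetwork` defaults to `0.0.0.0/0` and the template attaches no network security group to `nic1Name`, the interface that carries the static public IP, so a default deployment relies entirely on the gateway's own policy for filtering. The parameter description `"Allowed GUI clients"` should say so and steer operators to a narrow range, e.g. `"Allowed GUI clients (CIDR). Defaults to 0.0.0.0/0; restrict to your management network, no NSG is created by this template"`. Separately, `sicKey` is declared `securestring` but is concatenated into `customData` in clear text (the `base64` wrap is not encryption), so anyone who can read the VM's provisioning data can recover the one-time key; worth stating in the `sicKey` description that it is consumed once at first boot and should be reset if the deployment is inspected. The whole template lives under `deprecated/` with `templateVersion` `20191118`, so a `metadata.description` marking it deprecated would help anyone who still finds it via the artifacts URL.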
@@ -0,0 +1,99 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "virtualNetworkName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the virtual network"
+ },
+ "defaultValue": "vnet"
+ },
+ "virtualNetworkAddressPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the virtual network"
+ }
+ },
+ "Subnet1Name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the 1st subnet"
+ },
+ "defaultValue": "Frontend"
+ },
+ "Subnet1Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the 1st subnet"
+ },
+ "defaultValue": "10.0.1.0/24"
+ },
+ "Subnet1StartAddress": {
+ "type": "string",
+ "metadata": {
+ "description": "The first avaialable address on the 1st subnet"
+ }
+ },
+ "Subnet2Name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the 2nd subnet"
+ },
+ "defaultValue": "Web"
+ },
+ "Subnet2Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the 2nd subnet"
+ },
+ "defaultValue": "10.0.2.0/24"
+ },
+ "Subnet2StartAddress": {
+ "type": "string",
+ "metadata": {
+ "description": "The first avaialable address on the 2nd subnet"
+ }
+ },
+ "vnetNewOrExisting": {
+ "type": "string",
+ "defaultValue": "new",
+ "allowedValues": [
+ "new",
+ "existing"
+ ],
+ "metadata": {
+ "Description": "Indicates whether the virtual network is new or existing"
+ }
+ },
+ "virtualNetworkExistingRGName": {
+ "type": "string",
+ "metadata": {
+ "description": "Resource Group of the existing virtual network"
+ },
+ "defaultValue": ""
+ },
+ "apiVersion": {
+ "type": "string"
+ },
+ "Check_PointTags": {
+ "type": "object",
+ "defaultValue": {
+ "provider": "30DE18BC-F9F6-4F22-9D30-54B8E74CFD5F"
+ }
+ }
+ },
+ "variables": {
+ "vnetId":
"[resourceId(parameters('virtualNetworkExistingRGName'),'Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]"
+ },
+ "resources": [],
+ "outputs": {
+ "vnetId": {
+ "value": "[variables('vnetId')]",
+ "type": "string"
+ }
+ }
+}
diff --git a/deprecated/azure/templates/R8010-R8020/single-r8010-r8020/nestedtemplates/vnet-new.json b/deprecated/azure/templates/R8010-R8020/single-r8010-r8020/nestedtemplates/vnet-new.json
new file mode 100644
index 00000000..169a4a3d
--- /dev/null
+++ b/deprecated/azure/templates/R8010-R8020/single-r8010-r8020/nestedtemplates/vnet-new.json
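Review bot: `Subnet2Name` defaults to `"Web"` in this nested template while `mainTemplate.json` and `vnet-new.json` in the same commit default it to `"Backend"`; mainTemplate always passes the value explicitly so nothing breaks today, but anyone deploying the nested template on its own, or using the defaults to reason about which subnet the backend route table binds to, gets a different name. Suggest `"defaultValue": "Backend"` to match the siblings. The `Subnet1StartAddress` and `Subnet2StartAddress` descriptions also misspell "available" as `avaialable` (the same typo is in vnet-new.json), and `Subnet1Prefix`, `Subnet2Prefix`, both start addresses and `vnetNewOrExisting` are accepted but never read here, which a short `metadata` note ("accepted for parity with vnet-new.json; unused") would make explicit.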
@@ -0,0 +1,187 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "virtualNetworkName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the virtual network"
+ },
+ "defaultValue": "vnet"
+ },
+ "virtualNetworkAddressPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the virtual network"
+ }
+ },
+ "Subnet1Name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the 1st subnet"
+ },
+ "defaultValue": "Frontend"
+ },
+ "Subnet1Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the 1st subnet"
+ },
+ "defaultValue": "10.0.1.0/24"
+ },
+ "Subnet1StartAddress": {
+ "type": "string",
+ "metadata": {
+ "description": "The first avaialable address on the 1st subnet"
+ }
+ },
+ "Subnet2Name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the 2nd subnet"
+ },
+ "defaultValue": "Backend"
+ },
+ "Subnet2Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the 2nd subnet"
+ },
+ "defaultValue": "10.0.2.0/24"
+ },
+ "Subnet2StartAddress": {
+ "type": "string",
+ "metadata": {
+ "description": "The first avaialable address on the 2nd subnet"
+ }
+ },
+ "vnetNewOrExisting": {
+ "type": "string",
+ "defaultValue": "new",
+ "allowedValues": [
+ "new",
+ "existing"
+ ],
+ "metadata": {
+ "Description": "Indicates whether the virtual network is new or existing"
+ }
+ },
+ "virtualNetworkExistingRGName": {
+ "type": "string",
+ "metadata": {
+ "description": "Resource Group of the existing virtual network"
+ },
+ "defaultValue": ""
+ },
+ "apiVersion": {
+ "type": "string"
+ },
+ "Check_PointTags": {
+ "type": "object",
+ "defaultValue": {
+ "provider": "30DE18BC-F9F6-4F22-9D30-54B8E74CFD5F"
+ }
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type":
"Microsoft.Network/routeTables",
+ "apiVersion": "[parameters('apiVersion')]",
+ "location": "[parameters('location')]",
+ "name": "[parameters('subnet1Name')]",
+ "properties": {
+ "routes": [
+ {
+ "name": "Local-Subnet",
+ "properties": {
+ "addressPrefix": "[parameters('subnet1Prefix')]",
+ "nextHopType": "VnetLocal"
+ }
+ },
+ {
+ "name": "To-Internal",
+ "properties": {
+ "addressPrefix": "[parameters('virtualNetworkAddressPrefix')]",
+ "nextHopType": "VirtualAppliance",
+ "nextHopIpAddress": "[parameters('subnet1StartAddress')]"
+ }
+ }
+ ]
+ },
+ "tags": {
+ "provider": "[toUpper(parameters('Check_PointTags').provider)]"
+ }
+ },
+ {
+ "type": "Microsoft.Network/routeTables",
+ "apiVersion": "[parameters('apiVersion')]",
+ "location": "[parameters('location')]",
+ "name": "[parameters('subnet2Name')]",
+ "properties": {
+ "routes": [
+ {
+ "name": "To-Internet",
+ "properties": {
+ "addressPrefix": "0.0.0.0/0",
+ "nextHopType": "VirtualAppliance",
+ "nextHopIpAddress": "[parameters('subnet2StartAddress')]"
+ }
+ }
+ ]
+ },
+ "tags": {
+ "provider": "[toUpper(parameters('Check_PointTags').provider)]"
+ }
+ },
+ {
+ "type": "Microsoft.Network/virtualNetworks",
+ "apiVersion": "[parameters('apiVersion')]",
+ "location": "[parameters('location')]",
+ "name": "[parameters('virtualNetworkName')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/routeTables', parameters('subnet1Name'))]",
+ "[resourceId('Microsoft.Network/routeTables', parameters('subnet2Name'))]"
+ ],
+ "properties": {
+ "addressSpace": {
+ "addressPrefixes": [
+ "[parameters('virtualNetworkAddressPrefix')]"
+ ]
+ },
+ "subnets": [
+ {
+ "name": "[parameters('subnet1Name')]",
+ "properties": {
+ "addressPrefix": "[parameters('subnet1Prefix')]",
+ "routeTable": {
+ "id": "[resourceId('Microsoft.Network/routeTables', parameters('subnet1Name'))]"
+ }
+ }
+ },
+ {
+ "name": "[parameters('subnet2Name')]",
+ "properties": {
+ "addressPrefix": "[parameters('subnet2Prefix')]",
+ "routeTable": {
+
"id": "[resourceId('Microsoft.Network/routeTables', parameters('subnet2Name'))]"
+ }
+ }
+ }
+ ]
+ },
+ "tags": {
+ "provider": "[toUpper(parameters('Check_PointTags').provider)]"
+ }
+ }
+ ],
+ "outputs": {
+ "vnetId": {
+ "value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]",
+ "type": "string"
+ }
+ }
+}
diff --git a/deprecated/azure/templates/R8010-R8020/vmss-r8010-r8020/README.MD b/deprecated/azure/templates/R8010-R8020/vmss-r8010-r8020/README.MD
new file mode 100644
index 00000000..90c0ad70
--- /dev/null
+++ b/deprecated/azure/templates/R8010-R8020/vmss-r8010-r8020/README.MD
@@ -0,0 +1,13 @@
+# How to deploy this template
+To deploy this ARM template, follow these instructions:
+1. Log in to the [Microsoft Azure Portal](https://portal.azure.com)
+2. Click "*Create a resource*"
+3. Search for "*Template deployment (deploy using custom templates)*" and click "*Create*"
+4. Click "*Build your own template in the editor*"
+5. Load the "*mainTemplate.json*" file from this directory and click "*Save*"
+6. Enter the desired template parameters
+ - Replace the "*_artifacts Location*" property with:
+ ```
+ https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/deprecated/azure/templates/vmss-r8010-r8020/
+ ```
+7. Click *Purchase* to deploy the solution
diff --git a/deprecated/azure/templates/R8010-R8020/vmss-r8010-r8020/createUiDefinition.json b/deprecated/azure/templates/R8010-R8020/vmss-r8010-r8020/createUiDefinition.json
new file mode 100644
index 00000000..cc375f8b
--- /dev/null
+++ b/deprecated/azure/templates/R8010-R8020/vmss-r8010-r8020/createUiDefinition.json
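Review bot: The parameters are declared as `Subnet1Name`, `Subnet1Prefix`, `Subnet1StartAddress` (and the `Subnet2*` set) but every reference in the resources uses `parameters('subnet1Name')`, `parameters('subnet2StartAddress')` and so on; ARM resolves parameter names case-insensitively so this deploys, but the mixed casing defeats text search and makes this file harder to diff against mainTemplate.json, which uses the declared casing. Suggest using the declared names throughout, e.g. `"name": "[parameters('Subnet1Name')]"`. The `To-Internet` route forwards `0.0.0.0/0` from the backend subnet to `subnet2StartAddress` and `To-Internal` forwards the whole VNet prefix to `subnet1StartAddress`, i.e. both next hops are the gateway's static NIC addresses assigned in mainTemplate.json; since nothing in this template ties them together, a `metadata` description on each route table saying the next hop must equal the gateway's `Subnet*StartAddress` would save an operator who changes one side from silently black-holing traffic. `vnetNewOrExisting` and `virtualNetworkExistingRGName` are accepted here but never used.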
@@ -0,0 +1,1056 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Compute.MultiVm", + "version": "0.1.2-preview", + "parameters": { + "basics": [ + { + "name": "basics settings text block", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "Please follow the Check Point CloudGuard IaaS Scale Set Administration Guide.", + "link": { + "label": "Administration Guide", + "uri": "https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_VMSS_for_Azure/html_frameset.htm" + } + } + }, + { + "name": "gatewayScaleSetNameUi", + "type": "Microsoft.Common.TextBox", + "label": "Gateway scale set name", + "toolTip": "The name of the Check Point Security Gateway Scale Set.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{1,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + } + }, + { + "name": "auth", + "type": "Microsoft.Compute.CredentialsCombo", + "label": { + "authenticationType": "Authentication type", + "password": "Password", + "confirmPassword": "Confirm password", + "sshPublicKey": "SSH public key" + }, + "toolTip": { + "authenticationType": "", + "password": "The user 'admin' password", + "sshPublicKey": "Paste an OpenSSH public key. 
You can generate a key pair using ssh-keygen (Linux, OS X, Cygwin) or PuttyGen (Windows)" + }, + "constraints": { + "required": true + }, + "options": { + "hideConfirmation": false, + "hidePassword": false + }, + "osPlatform": "Linux" + } + ], + "steps": [ + { + "name": "autoprovision", + "label": "Check Point VMSS settings", + "subLabel": { + "preValidation": "Configure CloudGuard VMSS settings", + "postValidation": "Done" + }, + "bladeTitle": "CloudGuard VMSS settings", + "elements": [ + { + "name": "CloudGuard VMSS settings text block", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "Please provide the configuration values according to the Deployment Guide.", + "link": { + "label": "Deployment Guide", + "uri": "https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_VMSS_for_Azure/html_frameset.htm" + } + } + }, + { + "name": "upgrading", + "type": "Microsoft.Common.OptionsGroup", + "label": "Are you upgrading your CloudGuard VMSS solution?", + "defaultValue": "No", + "toolTip": "Select 'Yes' if you are upgrading your CloudGuard VMSS solution.", + "constraints": { + "allowedValues": [ + { + "label": "No", + "value": "no" + }, + { + "label": "Yes", + "value": "yes" + } + ] + } + }, + { + "name": "upgradeVmssInfoBox", + "type": "Microsoft.Common.InfoBox", + "visible": "[equals(steps('autoprovision').upgrading, 'yes')]", + "options": { + "icon": "Warning", + "text": "All the configurations below must be similar to the existing CloudGuard VMSS solution.\n\nNote that the target load balancers are the ones connected to your existing CloudGuard VMSS solution.\n\nSee the Deployment Guide for more information." + } + }, + { + "name": "vmCount", + "type": "Microsoft.Common.TextBox", + "label": "Initial number of gateways", + "defaultValue": "2", + "toolTip": "The initial number of gateways", + "constraints": { + "required": true, + "regex": "^[1-9][0-9]{0,1}$", + "validationMessage": "Please enter a number in the range 1-99." 
+ } + }, + { + "name": "maxVmCount", + "type": "Microsoft.Common.TextBox", + "label": "Maximum number of gateways", + "defaultValue": "10", + "toolTip": "The maximum number of gateways", + "constraints": { + "required": true, + "regex": "^[1-9][0-9]{0,1}$", + "validationMessage": "Please enter a number in the range 1-99." + } + }, + { + "name": "numGwsValidation", + "type": "Microsoft.Common.InfoBox", + "visible": "[greater(steps('autoprovision').vmCount, steps('autoprovision').maxVmCount)]", + "options": { + "icon": "Error", + "text": "Maximum number of gateways is lower than initial number of gateways" + } + }, + { + "name": "managementServer", + "type": "Microsoft.Common.TextBox", + "label": "Management name", + "toolTip": "The name of the management server as it appears in the configuration file", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z_\\-]{1,30}$", + "validationMessage": "Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long." + } + }, + { + "name": "configurationTemplateInfoBox", + "type": "Microsoft.Common.InfoBox", + "visible": "[equals(steps('autoprovision').upgrading, 'yes')]", + "options": { + "icon": "Info", + "text": "Use a different configuration template name than in your existing CloudGuard VMSS solution." + } + }, + { + "name": "configurationTemplate", + "type": "Microsoft.Common.TextBox", + "label": "Configuration template name", + "toolTip": "The configuration template name as it appears in the configuration file", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z_\\-]{1,30}$", + "validationMessage": "Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long." 
+ } + }, + { + "name": "adminEmail", + "type": "Microsoft.Common.TextBox", + "label": "Administrator email address", + "defaultValue": "", + "toolTip": "An email address to notify about scaling operations", + "constraints": { + "required": false, + "regex": "^([a-zA-Z0-9_\\-\\.]+)@((\\[[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.)|(([a-zA-Z0-9\\-]+\\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\\]?)$", + "validationMessage": "Leave empty or enter a valid email address." + } + }, + { + "name": "deploymentMode", + "type": "Microsoft.Common.DropDown", + "label": "Load balancers deployment", + "defaultValue": "Standard (External & Internal)", + "toolTip": "Defines which load balancers will be deployed. Note: For outbound inspection it is mandatory to deploy an external load balancer and/or instance level public IP addresses.", + "constraints": { + "allowedValues": [ + { + "label": "Standard (External & Internal)", + "value": "Standard" + }, + { + "label": "External only (Inbound inspection only)", + "value": "ELBOnly" + }, + { + "label": "Internal only (Outbound & E-W inspection only - see tooltip)", + "value": "ILBOnly" + } + ] + } + }, + { + "name": "appLoadDistribution", + "type": "Microsoft.Common.DropDown", + "label": "External Load Balancer session persistence", + "defaultValue": "None (5-tuple)", + "toolTip": "The load balancing distribution method for the External Load Balancer.", + "visible": "[not(equals(steps('autoprovision').deploymentMode, 'ILBOnly'))]", + "constraints": { + "allowedValues": [ + { + "label": "None (5-tuple)", + "value": "Default" + }, + { + "label": "Client IP (2-tuple)", + "value": "SourceIP" + }, + { + "label": "Client IP and protocol (3-tuple)", + "value": "SourceIPProtocol" + } + ] + } + }, + { + "name": "ilbLoadDistribution", + "type": "Microsoft.Common.DropDown", + "label": "Internal Load Balancer session persistence", + "defaultValue": "None (5-tuple)", + "toolTip": "The load balancing distribution method for the Internal Load Balancer.", + 
"visible": "[not(equals(steps('autoprovision').deploymentMode, 'ELBOnly'))]", + "constraints": { + "allowedValues": [ + { + "label": "None (5-tuple)", + "value": "Default" + }, + { + "label": "Client IP (2-tuple)", + "value": "SourceIP" + }, + { + "label": "Client IP and protocol (3-tuple)", + "value": "SourceIPProtocol" + } + ] + } + }, + { + "name": "instanceLevelPublicIP", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy the VMSS with instance level Public IP address", + "defaultValue": "No", + "toolTip": "If selected 'Yes', then each VMSS instance will have its own public IP address.", + "constraints": { + "allowedValues": [ + { + "label": "No", + "value": "no" + }, + { + "label": "Yes", + "value": "yes" + } + ] + } + }, + { + "name": "externalCommunicationInfoBox", + "type": "Microsoft.Common.InfoBox", + "visible": "[and(equals(steps('autoprovision').instanceLevelPublicIP, 'no'), equals(steps('autoprovision').deploymentMode, 'ILBOnly'))]", + "options": { + "icon": "Warning", + "text": "For outbound inspection it is mandatory to deploy an external load balancer and/or instance level public IP addresses." 
+ } + }, + { + "name": "lbsTargetRGName", + "type": "Microsoft.Common.TextBox", + "visible": "[equals(steps('autoprovision').upgrading, 'yes')]", + "label": "Target load balancers resource group name", + "defaultValue": "", + "toolTip": "The name of the Target Load Balancers Resource Group.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z_\\-\\.\\/\\(\\)]", + "validationMessage": "Resource Group only allow alphanumeric characters, periods, underscores, hyphens, slash, and parenthesis" + } + }, + { + "name": "elbResourceId", + "type": "Microsoft.Common.TextBox", + "visible": "[and(equals(steps('autoprovision').upgrading, 'yes'), not(equals(steps('autoprovision').deploymentMode, 'ILBOnly')))]", + "label": "Target external load balancer resource ID", + "defaultValue": "", + "toolTip": "The Resource ID of the Target External Load Balancer.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z_\\-\\.\\/\\(\\)]", + "validationMessage": "Resource Id only allow alphanumeric characters, periods, underscores, hyphens, slash, and parenthesis" + } + }, + { + "name": "elbInfoBox", + "type": "Microsoft.Common.InfoBox", + "visible": "[and(equals(steps('autoprovision').upgrading, 'yes'), not(equals(steps('autoprovision').deploymentMode, 'ILBOnly')))]", + "options": { + "icon": "Info", + "text": "Make sure you have created a new backend address pool for the target external load balancer." 
+ } + }, + { + "name": "elbBEAddressPoolName", + "type": "Microsoft.Common.TextBox", + "visible": "[and(equals(steps('autoprovision').upgrading, 'yes'), not(equals(steps('autoprovision').deploymentMode, 'ILBOnly')))]", + "label": "External load balancer's new backend pool name", + "toolTip": "The name of the new Target External Load Balancer's Backend Pool.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z_\\-\\.\\/\\(\\)]", + "validationMessage": "Only alphanumeric characters, periods, underscores, hyphens, slash, and parenthesis are allowed" + } + }, + { + "name": "ilbResourceId", + "type": "Microsoft.Common.TextBox", + "visible": "[and(equals(steps('autoprovision').upgrading, 'yes'), not(equals(steps('autoprovision').deploymentMode, 'ELBOnly')))]", + "label": "Target internal load balancer resource ID", + "defaultValue": "", + "toolTip": "The Resource ID of the Target Internal Load Balancer.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z_\\-\\.\\/\\(\\)]", + "validationMessage": "Resource Id only allow alphanumeric characters, periods, underscores, hyphens, slash, and parenthesis" + } + }, + { + "name": "ilbInfoBox", + "type": "Microsoft.Common.InfoBox", + "visible": "[and(equals(steps('autoprovision').upgrading, 'yes'), not(equals(steps('autoprovision').deploymentMode, 'ELBOnly')))]", + "options": { + "icon": "Info", + "text": "Make sure you have created a new backend address pool for the target internal load balancer." 
+ } + }, + { + "name": "ilbBEAddressPoolName", + "type": "Microsoft.Common.TextBox", + "visible": "[and(equals(steps('autoprovision').upgrading, 'yes'), not(equals(steps('autoprovision').deploymentMode, 'ELBOnly')))]", + "label": "Internal load balancer's new backend pool name", + "toolTip": "The name of the new target internal load balancer's backend pool.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z_\\-\\.\\/\\(\\)]", + "validationMessage": "Only alphanumeric characters, periods, underscores, hyphens, slash, and parenthesis are allowed" + } + }, + { + "name": "mgmtInterfaceOpt1", + "type": "Microsoft.Common.DropDown", + "label": "Management interface and IP address", + "defaultValue": "Backend NIC's private IP address", + "visible": "[equals(steps('autoprovision').instanceLevelPublicIP, 'yes')]", + "toolTip": "Manage the Gateways in the Scale Set via the instance's external (eth0) or internal (eth1) NIC and with public or private IP.", + "constraints": { + "allowedValues": [ + { + "label": "Backend NIC's private IP address", + "value": "eth1-private" + }, + { + "label": "Frontend NIC's public IP address", + "value": "eth0-public" + }, + { + "label": "Frontend NIC's private IP address", + "value": "eth0-private" + } + ] + } + }, + { + "name": "mgmtInterfaceOpt2", + "type": "Microsoft.Common.DropDown", + "label": "Management interface and IP address", + "defaultValue": "Backend NIC's private IP address", + "visible": "[equals(steps('autoprovision').instanceLevelPublicIP, 'no')]", + "toolTip": "Manage the Gateways in the Scale Set via the instance's external (eth0) or internal (eth1) NIC's private IP address.", + "constraints": { + "allowedValues": [ + { + "label": "Backend NIC's private IP address", + "value": "eth1-private" + }, + { + "label": "Frontend NIC's private IP address", + "value": "eth0-private" + } + ] + } + }, + { + "name": "mgmtIPaddress", + "type": "Microsoft.Common.TextBox", + "label": "Management Server IP address", + "toolTip": 
"The IP address used to manage the VMSS instances.", + "visible": "[or(equals(steps('autoprovision').mgmtInterfaceOpt1, 'eth0-private'), equals(steps('autoprovision').mgmtInterfaceOpt2, 'eth0-private'))]", + "constraints": { + "regex": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$", + "required": true, + "validationMessage": "Please enter a valid IP address" + } + }, + { + "name": "availabilityZonesNum", + "type": "Microsoft.Common.DropDown", + "label": "Number of Availability Zones to use", + "defaultValue": "None", + "toolTip": "The number of avalability zones to use for the scale set. Note that the load balancers and their IP addresses will be zone redundant in any case.", + "visible": "[contains(' centralus eastus2 francecentral northeurope southeastasia westeurope westus2 eastus uksouth ', concat(' ', location(), ' '))]", + "constraints": { + "allowedValues": [ + { + "label": "None", + "value": 0 + }, + { + "label": "One zone", + "value": 1 + }, + { + "label": "Two zones", + "value": 2 + }, + { + "label": "Three zones", + "value": 3 + } + ] + } + } + ] + }, + { + "name": "chkp", + "label": "Check Point CloudGuard settings", + "subLabel": { + "preValidation": "Configure CloudGuard settings", + "postValidation": "Done" + }, + "bladeTitle": "CloudGuard settings", + "elements": [ + { + "name": "cloudGuardVersion", + "type": "Microsoft.Common.DropDown", + "label": "Check Point CloudGuard version", + "defaultValue": "R80.20", + "toolTip": "The version of Check Point CloudGuard. 
For R80.20 license is BYOL.", + "constraints": { + "allowedValues": [ + { + "label": "R80.10", + "value": "R80.10" + }, + { + "label": "R80.20", + "value": "R80.20" + } + ] + } + }, + { + "name": "R80Offer", + "type": "Microsoft.Common.DropDown", + "label": "License type", + "toolTip": "The type of license.", + "defaultValue": "Bring Your Own License", + "visible": true, + "constraints": { + "allowedValues": [ + { + "label": "Bring Your Own License", + "value": "Bring Your Own License" + }, + { + "label": "Pay As You Go (NGTP)", + "value": "Pay As You Go (NGTP)" + }, + { + "label": "Pay As You Go (NGTX)", + "value": "Pay As You Go (NGTX)" + } + ] + } + }, + { + "name": "R8010vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.10'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2" + ], + "constraints": { + "excludedSizes": [ + "Standard_A1_v2", + "Standard_G1", + "Standard_GS1", + "Standard_H8", + "Standard_H16", + "Standard_H8m", + "Standard_H16m", + "Standard_NV6", + "Standard_NV12", + "Standard_NV24", + "Standard_NC6", + "Standard_NC12", + "Standard_NC24" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-vsec-r80-blink-v2", + "sku": "sg-byol" + }, + "count": "[steps('autoprovision').vmCount]" + }, + { + "name": "R8010vmSizeUiNGTP", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.10'), contains(steps('chkp').R80Offer, '(NGTP)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2" + ], + "constraints": { + "excludedSizes": [ + "Standard_A1_v2", + "Standard_G1", + "Standard_GS1", + "Standard_H8", + "Standard_H16", + "Standard_H8m", + "Standard_H16m", + 
"Standard_NV6", + "Standard_NV12", + "Standard_NV24", + "Standard_NC6", + "Standard_NC12", + "Standard_NC24" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-vsec-r80-blink-v2", + "sku": "sg-ngtp-v2" + }, + "count": "[steps('autoprovision').vmCount]" + }, + { + "name": "R8010vmSizeUiNGTX", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.10'), contains(steps('chkp').R80Offer, '(NGTX)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2" + ], + "constraints": { + "excludedSizes": [ + "Standard_A1_v2", + "Standard_G1", + "Standard_GS1", + "Standard_H8", + "Standard_H16", + "Standard_H8m", + "Standard_H16m", + "Standard_NV6", + "Standard_NV12", + "Standard_NV24", + "Standard_NC6", + "Standard_NC12", + "Standard_NC24" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-vsec-r80-blink-v2", + "sku": "sg-ngtx" + }, + "count": "[steps('autoprovision').vmCount]" + }, + { + "name": "R8020vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.20'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + 
"Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8020-blink-v2", + "sku": "sg-byol" + }, + "count": "[steps('autoprovision').vmCount]" + }, + { + "name": "R8020vmSizeUiNGTP", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.20'), contains(steps('chkp').R80Offer, '(NGTP)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + 
"Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8020-blink-v2", + "sku": "sg-ngtp" + }, + "count": "[steps('autoprovision').vmCount]" + }, + { + "name": "R8020vmSizeUiNGTX", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.20'), contains(steps('chkp').R80Offer, '(NGTX)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + 
"Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8020-blink-v2", + "sku": "sg-ngtx" + }, + "count": "[steps('autoprovision').vmCount]" + }, + { + "name": "sicKeyUi", + "type": "Microsoft.Common.PasswordBox", + "label": { + "password": "SIC Key", + "confirmPassword": "Confirm SIC Key" + }, + "toolTip": "Set the Secure Internal Communication one time secret used to set up trust between the gateway and the management server.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{8,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the value must be 8-30 characters long." + }, + "options": { + "hideConfirmation": true + } + }, + { + "name": "bootstrapScript", + "type": "Microsoft.Common.FileUpload", + "label": "Bootstrap script", + "toolTip": "An optional script to run on the initial boot", + "constraints": { + "required": false, + "accept": ".sh,text/plain" + }, + "options": { + "multiple": false, + "uploadMode": "file", + "openMode": "text", + "encoding": "UTF-8" + } + }, + { + "name": "allowUploadDownload", + "type": "Microsoft.Common.OptionsGroup", + "label": "Allow download from/upload to Check Point", + "defaultValue": "Yes", + "toolTip": "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "true" + }, + { + "label": "No", + "value": "false" + } + ] + } + }, + { + "name": "VMDiskType", + "type": "Microsoft.Common.OptionsGroup", + "label": "VM disk type", + "toolTip": "Type of CloudGuard disk.", + "visible": "[or(contains(steps('chkp').R8010vmSizeUiBYOL, 'DS'), contains(steps('chkp').R8010vmSizeUiNGTP, 'DS'), contains(steps('chkp').R8010vmSizeUiNGTX, 'DS'), contains(steps('chkp').R8020vmSizeUiBYOL, 'DS'), contains(steps('chkp').R8020vmSizeUiNGTP, 'DS'), contains(steps('chkp').R8020vmSizeUiNGTX, 'DS'))]", + "defaultValue": "Standard", + "constraints": { + "allowedValues": [ + { + "label": "Standard", + "value": "Standard_LRS" + }, + { + "label": "Premium", + "value": "Premium_LRS" + } + ] + } + }, + { + "name": "useCustomImageUri", + "type": "Microsoft.Common.OptionsGroup", + "label": "Use development image uri", + "defaultValue": "No", + "toolTip": "", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ], + "required": true + }, + "visible": false + }, + { + "name": "sourceImageVhdUri", + "type": "Microsoft.Common.TextBox", + "label": "Development Image URI", + "toolTip": "The URI of the blob containing the development image", + "constraints": { + "required": "[equals(steps('chkp').useCustomImageUri, 'Yes')]", + "regex": "^[a-z0-9A-Z_\\-\\.\\:\\/]{1,500}.vhd$", + "validationMessage": "Only alphanumeric characters and '_','-','.',':','/' are allowed, the value must be 1-500 characters long and must end with .vhd. 
" + }, + "visible": "[equals(steps('chkp').useCustomImageUri, 'Yes')]" + } + ] + }, + { + "name": "network", + "label": "Network settings", + "subLabel": { + "preValidation": "Configure network settings", + "postValidation": "Done" + }, + "bladeTitle": "Network settings", + "elements": [ + { + "name": "virtualNetwork", + "type": "Microsoft.Network.VirtualNetworkCombo", + "label": { + "virtualNetwork": "Virtual network", + "subnets": "Subnets" + }, + "toolTip": { + "virtualNetwork": "Virtual Network Name", + "subnets": "The subnets to deploy into" + }, + "defaultValue": { + "name": "vnet01", + "addressPrefixSize": "/16" + }, + "constraints": { + "minAddressPrefixSize": "/28" + }, + "options": { + "hideExisting": false + }, + "subnets": { + "subnet1": { + "label": "VMSS Frontend subnet", + "defaultValue": { + "name": "VMSS-Frontend", + "addressPrefixSize": "/24" + }, + "constraints": { + "minAddressPrefixSize": "/29", + "minAddressCount": "[steps('autoprovision').maxVmCount]", + "requireContiguousAddresses": false + } + }, + "subnet2": { + "label": "VMSS Backend subnet", + "defaultValue": { + "name": "VMSS-Backend", + "addressPrefixSize": "/24" + }, + "constraints": { + "minAddressPrefixSize": "/29", + "minAddressCount": "[steps('autoprovision').maxVmCount]", + "requireContiguousAddresses": false + } + } + } + } + ] + } + ], + "outputs": { + "location": "[location()]", + "authenticationType": "[basics('auth').authenticationType]", + "adminPassword": "[basics('auth').password]", + "sshPublicKey": "[basics('auth').sshPublicKey]", + "upgrading": "[steps('autoprovision').upgrading]", + "vmName": "[basics('gatewayScaleSetNameUi')]", + "instanceCount": "[steps('autoprovision').vmCount]", + "maxInstanceCount": "[steps('autoprovision').maxVmCount]", + "managementServer": "[steps('autoprovision').managementServer]", + "configurationTemplate": "[steps('autoprovision').configurationTemplate]", + "adminEmail": "[steps('autoprovision').adminEmail]", + "deploymentMode": 
"[steps('autoprovision').deploymentMode]", + "instanceLevelPublicIP": "[steps('autoprovision').instanceLevelPublicIP]", + "lbsTargetRGName": "[steps('autoprovision').lbsTargetRGName]", + "elbResourceId": "[steps('autoprovision').elbResourceId]", + "elbTargetBEAddressPoolName": "[steps('autoprovision').elbBEAddressPoolName]", + "ilbResourceId": "[steps('autoprovision').ilbResourceId]", + "ilbTargetBEAddressPoolName": "[steps('autoprovision').ilbBEAddressPoolName]", + "mgmtInterfaceOpt1": "[steps('autoprovision').mgmtInterfaceOpt1]", + "mgmtInterfaceOpt2": "[steps('autoprovision').mgmtInterfaceOpt2]", + "mgmtIPaddress": "[steps('autoprovision').mgmtIPaddress]", + "appLoadDistribution": "[steps('autoprovision').appLoadDistribution]", + "ilbLoadDistribution": "[steps('autoprovision').ilbLoadDistribution]", + "availabilityZonesNum": "[coalesce(steps('autoprovision').availabilityZonesNum, int('0'))]", + "cloudGuardVersion": "[concat(steps('chkp').cloudGuardVersion, ' - ', coalesce(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "vmSize": "[coalesce(steps('chkp').R8010vmSizeUiBYOL, steps('chkp').R8010vmSizeUiNGTP, steps('chkp').R8010vmSizeUiNGTX, steps('chkp').R8020vmSizeUiBYOL, steps('chkp').R8020vmSizeUiNGTP, steps('chkp').R8020vmSizeUiNGTX)]", + "sicKey": "[steps('chkp').sicKeyUi]", + "bootstrapScript": "[steps('chkp').bootstrapScript]", + "allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp').allowUploadDownload, 'true')]", + "diskType": "[coalesce(steps('chkp').VMDiskType, 'Standard_LRS')]", + "sourceImageVhdUri": "[coalesce(steps('chkp').sourceImageVhdUri, 'noCustomUri')]", + "virtualNetworkName": "[steps('network').virtualNetwork.name]", + "virtualNetworkAddressPrefixes": "[steps('network').virtualNetwork.addressPrefixes]", + "vnetNewOrExisting": "[steps('network').virtualNetwork.newOrExisting]", + "virtualNetworkExistingRGName": "[steps('network').virtualNetwork.resourceGroup]", + "subnet1Name": 
"[steps('network').virtualNetwork.subnets.subnet1.name]", + "subnet1Prefix": "[steps('network').virtualNetwork.subnets.subnet1.addressPrefix]", + "subnet2Name": "[steps('network').virtualNetwork.subnets.subnet2.name]", + "subnet2Prefix": "[steps('network').virtualNetwork.subnets.subnet2.addressPrefix]", + "subnet2StartAddress": "[steps('network').virtualNetwork.subnets.subnet2.startAddress]" + } + } +} \ No newline at end of file diff --git a/deprecated/azure/templates/R8010-R8020/vmss-r8010-r8020/mainTemplate.json b/deprecated/azure/templates/R8010-R8020/vmss-r8010-r8020/mainTemplate.json new file mode 100644 index 00000000..0bdfc0b1 --- /dev/null +++ b/deprecated/azure/templates/R8010-R8020/vmss-r8010-r8020/mainTemplate.json 
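Review bot: The `regex` constraints on `lbsTargetRGName`, `elbResourceId`, `elbBEAddressPoolName`, `ilbResourceId` and `ilbBEAddressPoolName` are all `^[a-z0-9A-Z_\\-\\.\\/\\(\\)]` with no quantifier and no closing anchor, so the portal validates only the first character and accepts anything after it, contrary to what each `validationMessage` promises; these values are then passed straight through the `outputs` block as load-balancer resource IDs and backend-pool names. Anchoring each pattern as `"regex": "^[a-z0-9A-Z_\\-\\.\\/\\(\\)]+$"` makes the check match its message. On the same blade, `numGwsValidation` compares `vmCount` and `maxVmCount` with `greater()` on two `TextBox` values, which I believe are strings, so the comparison is presumably lexical (e.g. "9" against "10") — worth confirming, and an `InfoBox` does not block deployment in either case. Separately, the `sourceImageVhdUri` pattern ends in `.vhd$` with an unescaped dot and should read `\\.vhd$` to enforce the suffix the message describes.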
@@ -0,0 +1,874 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string", + "metadata": { + "description": "Deployment location" + }, + "defaultValue": "[resourceGroup().location]" + }, + "cloudGuardVersion": { + "type": "string", + "allowedValues": [ + "R80.10 - Bring Your Own License", + "R80.10 - Pay As You Go (NGTP)", + "R80.10 - Pay As You Go (NGTX)", + "R80.20 - Bring Your Own License", + "R80.20 - Pay As You Go (NGTP)", + "R80.20 - Pay As You Go (NGTX)" + ], + "defaultValue": "R80.20 - Bring Your Own License", + "metadata": { + "description": "Version of Check Point CloudGuard" + } + }, + "instanceCount": { + "defaultValue": "2", + "type": "string", + "metadata": { + "description": "Number of VM instances" + } + }, + "maxInstanceCount": { + "defaultValue": "10", + "type": "string", + "metadata": { + "description": "Maximum number of VM instances" + } + }, + "managementServer": { + "type": "string", + "metadata": { + "description": "The name of the management server as it appears in the configuration file" + } + }, + "configurationTemplate": { + "type": "string", + "metadata": { + "description": "A name of a template as it appears in the configuration file" + } + }, + "adminEmail": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Email address to notify if there are any scaling operations" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Administrator password" + }, + "defaultValue": "" + }, + "authenticationType": { + "type": "string", + "allowedValues": [ + "password", + "sshPublicKey" + ], + "defaultValue": "password", + "metadata": { + "description": "Authentication type" + } + }, + "sshPublicKey": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Administrator SSH public key" + } + }, + "vmName": { + "type": "string", + 
"defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "Name of the Check Point Security Gateway scale set" + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_D3_v2", + "metadata": { + "description": "Size of the VM" + } + }, + "sicKey": { + "type": "securestring", + "metadata": { + "description": "One time key for Secure Internal Communication" + } + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "[concat(resourceGroup().name, '-vnet')]" + }, + "upgrading": { + "type": "string", + "defaultValue": "no", + "allowedValues": [ + "no", + "yes" + ], + "metadata": { + "Description": "Indicates whether the user in upgrading the CloudGuard VMSS solution" + } + }, + "lbsTargetRGName": { + "type": "string", + "metadata": { + "description": "The name of the Target Load Balancers Resource Group." + }, + "defaultValue": "" + }, + "elbResourceId": { + "type": "string", + "metadata": { + "description": "The Resource ID of the Target External Load Balancer." + }, + "defaultValue": "" + }, + "elbTargetBEAddressPoolName": { + "type": "string", + "metadata": { + "description": "The name of the new Target External Load Balancer's Backend Pool." + }, + "defaultValue": "" + }, + "ilbResourceId": { + "type": "string", + "metadata": { + "description": "The Resource ID of the Target Internal Load Balancer." + }, + "defaultValue": "" + }, + "ilbTargetBEAddressPoolName": { + "type": "string", + "metadata": { + "description": "The name of the new Target Internal Load Balancer's Backend Pool." 
+ }, + "defaultValue": "" + }, + "virtualNetworkAddressPrefixes": { + "type": "array", + "metadata": { + "description": "The address prefixes of the virtual network" + }, + "defaultValue": [ + "10.0.0.0/16" + ] + }, + "subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the frontend subnet" + }, + "defaultValue": "Frontend" + }, + "subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the frontend subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "subnet2Name": { + "type": "string", + "metadata": { + "description": "The name of the backend subnet" + }, + "defaultValue": "Backend" + }, + "subnet2Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the backend subnet" + }, + "defaultValue": "10.0.2.0/24" + }, + "subnet2StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the 2nd subnet" + }, + "defaultValue": "10.0.2.4" + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "new", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "[resourceGroup().name]" + }, + "bootstrapScript": { + "type": "string", + "metadata": { + "description": "Bootstrap script" + }, + "defaultValue": "" + }, + "allowDownloadFromUploadToCheckPoint": { + "type": "string", + "allowedValues": [ + "true", + "false" + ], + "defaultValue": "true", + "metadata": { + "description": "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point" + } + }, + "instanceLevelPublicIP": { + "type": "string", + "allowedValues": [ + "no", + "yes" + ], + "defaultValue": "no", + "metadata": { + "description": "Deploy the VMSS with instance level Public IP address" + } + }, + "mgmtInterfaceOpt1": { + "type": "string", + "allowedValues": [ + "eth0-public", + "eth0-private", + "eth1-private" + ], + "defaultValue": "eth1-private", + "metadata": { + "description": "Manage the Gateways in the Scale Set via the instance's external (eth0) or internal (eth1) NIC's private IP address." + } + }, + "mgmtInterfaceOpt2": { + "type": "string", + "allowedValues": [ + "eth0-private", + "eth1-private" + ], + "defaultValue": "eth1-private", + "metadata": { + "description": "Manage the Gateways in the Scale Set via the instance's external (eth0) or internal (eth1) NIC's private IP address." + } + }, + "mgmtIPaddress": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "The IP address used to manage the VMSS instances." + } + }, + "diskType": { + "type": "string", + "defaultValue": "Standard_LRS", + "metadata": { + "description": "The type of the OS disk. 
Premium is applicable only to DS machine sizes" + }, + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ] + }, + "appLoadDistribution": { + "type": "string", + "allowedValues": [ + "Default", + "SourceIP", + "SourceIPProtocol" + ], + "defaultValue": "Default", + "metadata": { + "description": "The External Load Balancer distribution method" + } + }, + "ilbLoadDistribution": { + "type": "string", + "allowedValues": [ + "Default", + "SourceIP", + "SourceIPProtocol" + ], + "defaultValue": "Default", + "metadata": { + "description": "The Internal Load Balancer distribution method" + } + }, + "preview": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Deploy the staged image" + }, + "allowedValues": [ + "", + "-preview" + ] + }, + "deploymentMode": { + "type": "string", + "allowedValues": [ + "Standard", + "ILBOnly", + "ELBOnly" + ], + "defaultValue": "Standard", + "metadata": { + "description": "Solution deployment architecture." + } + }, + "sourceImageVhdUri": { + "type": "string", + "defaultValue": "noCustomUri", + "metadata": { + "description": "The URI of the blob containing the development image" + } + }, + "availabilityZonesNum": { + "type": "int", + "allowedValues": [ + 0, + 1, + 2, + 3 + ], + "defaultValue": 0, + "metadata": { + "description": "The number of avalability zones" + } + }, + "_artifactsLocation": { + "type": "string", + "metadata": { + "description": "The base URI where artifacts required by this template are located including a trailing '/'" + }, + "defaultValue": "[deployment().properties.templateLink.uri]" + }, + "_artifactsLocationSasToken": { + "type": "securestring", + "metadata": { + "description": "The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. Use the defaultValue if the staging location is not secured." 
+ }, + "defaultValue": "" + }, + "Check_PointTags": { + "type": "object", + "defaultValue": { + "provider": "30DE18BC-F9F6-4F22-9D30-54B8E74CFD5F" + } + } + }, + "variables": { + "resourceGroup": "[resourceGroup()]", + "templateName": "vmss-v2", + "templateVersion": "20191118", + "location": "[parameters('location')]", + "offers": { + "R80.10 - Bring Your Own License": "BYOL", + "R80.10 - Pay As You Go (NGTP)": "NGTP-V2", + "R80.10 - Pay As You Go (NGTX)": "NGTX", + "R80.20 - Bring Your Own License": "BYOL", + "R80.20 - Pay As You Go (NGTP)": "NGTP", + "R80.20 - Pay As You Go (NGTX)": "NGTX" + }, + "offer": "[variables('offers')[parameters('cloudGuardVersion')]]", + "osVersions": { + "R80.10 - Bring Your Own License": "R8010", + "R80.10 - Pay As You Go (NGTP)": "R8010", + "R80.10 - Pay As You Go (NGTX)": "R8010", + "R80.20 - Bring Your Own License": "R8020", + "R80.20 - Pay As You Go (NGTP)": "R8020", + "R80.20 - Pay As You Go (NGTX)": "R8020" + }, + "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", + "isBlink": true, + "computeApiVersion": "2017-12-01", + "storageApiVersion": "2017-10-01", + "networkApiVersion": "2018-01-01", + "deploymentsApiVersion": "2017-08-01", + "insightsApiVersion": "2015-04-01", + "storageAccountName": "[concat('bootdiag', uniqueString(variables('resourceGroup').id, deployment().name))]", + "storageAccountType": "Standard_LRS", + "customData": "[concat('#!/usr/bin/python /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 
'managementGUIClientNetwork=\"', variables('managementGUIClientNetwork'), '\"', '\n')]", + "imageOfferR8010": "check-point-vsec-r80-blink-v2", + "imageOfferR8020": "check-point-cg-r8020-blink-v2", + "imageOffer": "[concat(variables(concat('imageOffer', variables('osVersion'))), parameters('preview'))]", + "imagePublisher": "checkpoint", + "imageReferenceBYOL": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-byol", + "version": "latest" + }, + "imageReferenceNGTP": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp", + "version": "latest" + }, + "imageReferenceNGTP-V2": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp-v2", + "version": "latest" + }, + "imageReferenceNGTX": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtx", + "version": "latest" + }, + "imageReferenceMarketplace": "[variables(concat('imageReference', variables('offer')))]", + "customImage": "customImage", + "imageReferenceCustomUri": { + "id": "[concat(variables('resourceGroup').id, '/providers/Microsoft.Compute/images/', variables('customImage'))]" + }, + "imageReference": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('imageReferenceMarketplace'), variables('imageReferenceCustomUri'))]", + "linuxConfigurationpassword": {}, + "linuxConfigurationsshPublicKey": { + "disablePasswordAuthentication": "true", + "ssh": { + "publicKeys": [ + { + "keyData": "[parameters('sshPublicKey')]", + "path": "/home/notused/.ssh/authorized_keys" + } + ] + } + }, + "linuxConfiguration": "[variables(concat('linuxConfiguration', parameters('authenticationType')))]", + "planBYOL": { + "name": "sg-byol", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP": { + "name": "sg-ngtp", + "product": "[variables('imageOffer')]", + 
"publisher": "[variables('imagePublisher')]" + }, + "planNGTP-V2": { + "name": "sg-ngtp-v2", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTX": { + "name": "sg-ngtx", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "plan": "[variables(concat('plan', variables('offer')))]", + "vmssID": "[concat(variables('resourceGroup').id, '/providers/Microsoft.Compute/virtualMachineScaleSets/', parameters('vmName'))]", + "emailSelector": [ + [], + [ + "[parameters('adminEmail')]" + ] + ], + "customEmails": "[variables('emailSelector')[length(take(parameters('adminEmail'), 1))]]", + "bootstrapScript64": "[base64(parameters('bootstrapScript'))]", + "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]", + "sicKey": "[parameters('sicKey')]", + "managementGUIClientNetwork": "", + "installationType": "vmss", + "publicIPProperties": { + "name": "instancePublicIP", + "properties": { + "idleTimeoutInMinutes": 15 + } + }, + "upgrading": "[equals(parameters('upgrading'), 'yes')]", + "networkSetupURL": "[uri(parameters('_artifactsLocation'), concat('nestedtemplates/vnet-2-subnet-ha-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]", + "loadBalacerSetupURL": "[uri(parameters('_artifactsLocation'), concat('nestedtemplates/load-balancers.json', parameters('_artifactsLocationSasToken')))]", + "networkSetupId": "[resourceId(parameters('virtualNetworkExistingRGName'), 'Microsoft.Resources/deployments', 'networkSetup')]", + "lbRGName": "[if(variables('upgrading'), parameters('lbsTargetRGName'), resourceGroup().name)]", + "loadBalancerSetupId": "[resourceId(variables('lbRGName'), 'Microsoft.Resources/deployments', 'loadBalancerSetup')]", + "storageAccountId": "[concat(variables('resourceGroup').id, '/providers/Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]", + "customImageId": 
"[variables('imageReferenceCustomUri').id]", + "availabilityZonesLocations": [ + "centralus", + "eastus2", + "francecentral", + "northeurope", + "southeastasia", + "westeurope", + "westus2", + "eastus", + "uksouth" + ], + "availabilityZonesProperty": "[range(1, parameters('availabilityZonesNum'))]", + "mgmtInterface": "[if(equals(parameters('instanceLevelPublicIP'), 'yes'), parameters('mgmtInterfaceOpt1'), parameters('mgmtInterfaceOpt2'))]", + "mgmtIpAddressType": "[split(variables('mgmtInterface'), '-')[1]]", + "mgmtInterfaceName": "[split(variables('mgmtInterface'), '-')[0]]", + "mgmtIPaddress": "[if(equals(variables('mgmtInterfaceName'), 'eth0'), parameters('mgmtIPaddress'), '')]", + "commomTags": { + "x-chkp-management": "[parameters('managementServer')]", + "x-chkp-template": "[parameters('configurationTemplate')]", + "x-chkp-ip-address": "[variables('mgmtIpAddressType')]", + "x-chkp-management-interface": "[variables('mgmtInterfaceName')]", + "x-chkp-topology": "eth0:external,eth1:internal", + "x-chkp-anti-spoofing": "eth0:false,eth1:false", + "x-chkp-srcImageUri": "[parameters('sourceImageVhdUri')]", + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + }, + "uniqueTags": { + "x-chkp-management-address": "[variables('mgmtIPaddress')]" + }, + "vmssTags": "[if(equals(variables('mgmtIPaddress'), ''), variables('commomTags'), union(variables('commomTags'), variables('uniqueTags')))]" + }, + "resources": [ + { + "apiVersion": "2018-02-01", + "name": "pid-5432b4df-d783-57a2-b65f-39f4bca4974a", + "type": "Microsoft.Resources/deployments", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "name": "networkSetup", + "type": "Microsoft.Resources/deployments", + "apiVersion": "[variables('deploymentsApiVersion')]", + "resourceGroup": "[parameters('virtualNetworkExistingRGName')]", + 
"properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + "value": "[variables('location')]" + }, + "apiVersion": { + "value": "[variables('networkApiVersion')]" + }, + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + "virtualNetworkAddressPrefixes": { + "value": "[parameters('virtualNetworkAddressPrefixes')]" + }, + "subnet1Name": { + "value": "[parameters('subnet1Name')]" + }, + "subnet1Prefix": { + "value": "[parameters('subnet1Prefix')]" + }, + "subnet2Name": { + "value": "[parameters('subnet2Name')]" + }, + "subnet2Prefix": { + "value": "[parameters('subnet2Prefix')]" + }, + "virtualNetworkExistingRGName": { + "value": "[parameters('virtualNetworkExistingRGName')]" + }, + "vmName": { + "value": "[parameters('vmName')]" + }, + "deployNsg": { + "value": true + } + } + } + }, + { + "name": "loadBalancerSetup", + "type": "Microsoft.Resources/deployments", + "resourceGroup": "[variables('lbRGName')]", + "apiVersion": "[variables('deploymentsApiVersion')]", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('loadBalacerSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "deploymentMode": { + "value": "[parameters('deploymentMode')]" + }, + "networkApiVersion": { + "value": "[variables('networkApiVersion')]" + }, + "location": { + "value": "[variables('location')]" + }, + "vmName": { + "value": "[parameters('vmName')]" + }, + "appLoadDistribution": { + "value": "[parameters('appLoadDistribution')]" + }, + "subnet2StartAddress": { + "value": "[parameters('subnet2StartAddress')]" + }, + "subnet2Name": { + "value": "[parameters('subnet2Name')]" + }, + "subnet2Id": { + "value": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('subnet2Name'))]" + }, + "ilbLoadDistribution": { + "value": "[parameters('ilbLoadDistribution')]" + }, + 
"lbsTargetRGName": { + "value": "[parameters('lbsTargetRGName')]" + }, + "elbResourceId": { + "value": "[parameters('elbResourceId')]" + }, + "elbTargetBEAddressPoolName": { + "value": "[parameters('elbTargetBEAddressPoolName')]" + }, + "ilbResourceId": { + "value": "[parameters('ilbResourceId')]" + }, + "ilbTargetBEAddressPoolName": { + "value": "[parameters('ilbTargetBEAddressPoolName')]" + }, + "upgrading": { + "value": "[variables('upgrading')]" + } + } + } + }, + { + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('storageAccountName')]", + "apiVersion": "[variables('storageApiVersion')]", + "location": "[variables('location')]", + "sku": { + "name": "[variables('storageAccountType')]" + }, + "kind": "Storage", + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "condition": "[not(equals(parameters('sourceImageVhdUri'), 'noCustomUri'))]", + "type": "Microsoft.Compute/images", + "apiVersion": "2017-12-01", + "name": "[variables('customImage')]", + "location": "[variables('resourceGroup').location]", + "properties": { + "storageProfile": { + "osDisk": { + "osType": "Linux", + "osState": "Generalized", + "blobUri": "[parameters('sourceImageVhdUri')]", + "storageAccountType": "Standard_LRS" + } + } + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Compute/virtualMachineScaleSets", + "apiVersion": "[variables('computeApiVersion')]", + "name": "[parameters('vmName')]", + "location": "[variables('location')]", + "zones": "[if(and(contains(variables('availabilityZonesLocations'), variables('location')), greater(parameters('availabilityZonesNum'), 0)), variables('availabilityZonesProperty'), json('null'))]", + "tags": "[variables('vmssTags')]", + "dependsOn": [ + "[variables('networkSetupId')]", + "[variables('loadBalancerSetupId')]", + "[variables('storageAccountId')]", + "[variables('customImageId')]" + ], + "sku": { + "name": 
"[parameters('vmSize')]", + "tier": "Standard", + "capacity": "[parameters('instanceCount')]" + }, + "plan": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('plan'), json('null'))]", + "properties": { + "upgradePolicy": { + "mode": "Manual" + }, + "virtualMachineProfile": { + "storageProfile": { + "osDisk": { + "caching": "ReadWrite", + "createOption": "FromImage", + "managedDisk": { + "storageAccountType": "[parameters('diskType')]" + } + }, + "imageReference": "[variables('imageReference')]" + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "notused", + "computerNamePrefix": "[toLower(parameters('vmName'))]", + "customData": "[base64(concat(variables('customData'), '\n', 'vnet=\"', reference('networkSetup').outputs.vnetAddressPrefixes.value[0], '\"', '\n' ))]", + "linuxConfiguration": "[variables('linuxConfiguration')]" + }, + "networkProfile": { + "networkInterfaceConfigurations": [ + { + "name": "eth0", + "properties": { + "primary": true, + "enableIPForwarding": false, + "enableAcceleratedNetworking": "[not(equals(variables('osVersion'), 'R8010'))]", + "networkSecurityGroup": "[reference('networkSetup').outputs.nsgProperties.value]", + "ipConfigurations": [ + { + "name": "ipconfig1", + "properties": { + "publicIpAddressConfiguration": "[if(equals(parameters('instanceLevelPublicIP'),'yes'), variables('publicIPProperties'), json('null'))]", + "subnet": { + "id": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('subnet1Name'))]" + }, + "loadBalancerBackendAddressPools": "[if(empty(reference('loadBalancerSetup').outputs.elbId.value), json('null'), reference('loadBalancerSetup').outputs.elbBEAddressPoolProperties.value)]" + } + } + ] + } + }, + { + "name": "eth1", + "properties": { + "primary": false, + "enableIPForwarding": true, + "enableAcceleratedNetworking": "[not(equals(variables('osVersion'), 'R8010'))]", + "ipConfigurations": [ + { + "name": "ipconfig2", + 
"properties": { + "subnet": { + "id": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('subnet2Name'))]" + }, + "loadBalancerBackendAddressPools": "[if(empty(reference('loadBalancerSetup').outputs.ilbId.value), json('null'), reference('loadBalancerSetup').outputs.ilbBEAddressPoolProperties.value)]" + } + } + ] + } + } + ] + }, + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": "true", + "storageUri": "[reference(variables('storageAccountId'), variables('storageApiVersion')).primaryEndpoints.blob]" + } + } + }, + "overprovision": false + } + }, + { + "type": "Microsoft.Insights/autoscaleSettings", + "apiVersion": "[variables('insightsApiVersion')]", + "name": "[parameters('vmName')]", + "location": "[variables('location')]", + "dependsOn": [ + "[variables('vmssID')]" + ], + "properties": { + "name": "[parameters('vmName')]", + "targetResourceUri": "[variables('vmssID')]", + "notifications": [ + { + "operation": "Scale", + "email": { + "sendToSubscriptionAdministrator": false, + "sendToSubscriptionCoAdministrators": false, + "customEmails": "[variables('customEmails')]" + } + } + ], + "enabled": true, + "profiles": [ + { + "name": "Profile1", + "capacity": { + "minimum": "[parameters('instanceCount')]", + "maximum": "[parameters('maxInstanceCount')]", + "default": "[parameters('instanceCount')]" + }, + "rules": [ + { + "metricTrigger": { + "metricName": "Percentage CPU", + "metricNamespace": "", + "metricResourceUri": "[variables('vmssID')]", + "timeGrain": "PT1M", + "statistic": "Average", + "timeWindow": "PT5M", + "timeAggregation": "Average", + "operator": "GreaterThan", + "threshold": 80 + }, + "scaleAction": { + "direction": "Increase", + "type": "ChangeCount", + "value": "1", + "cooldown": "PT5M" + } + }, + { + "metricTrigger": { + "metricName": "Percentage CPU", + "metricNamespace": "", + "metricResourceUri": "[variables('vmssID')]", + "timeGrain": "PT1M", + "statistic": "Average", + "timeWindow": "PT5M", + 
"timeAggregation": "Average", + "operator": "LessThan", + "threshold": 60 + }, + "scaleAction": { + "direction": "Decrease", + "type": "ChangeCount", + "value": "1", + "cooldown": "PT5M" + } + } + ] + } + ] + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + } + ], + "outputs": { + "ApplicationAddress": { + "type": "string", + "value": "[reference('loadBalancerSetup').outputs.ApplicationAddress.value]" + }, + "ApplicationFQDN": { + "type": "string", + "value": "[reference('loadBalancerSetup').outputs.ApplicationFQDN.value]" + } + } +} \ No newline at end of file diff --git a/deprecated/azure/templates/R8010-R8020/vmss-r8010-r8020/nestedtemplates/load-balancers.json b/deprecated/azure/templates/R8010-R8020/vmss-r8010-r8020/nestedtemplates/load-balancers.json new file mode 100644 index 00000000..401925e0 --- /dev/null +++ b/deprecated/azure/templates/R8010-R8020/vmss-r8010-r8020/nestedtemplates/load-balancers.json 
@@ -0,0 +1,279 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "deploymentMode": { + "type": "string" + }, + "networkApiVersion": { + "type": "string" + }, + "location": { + "type": "string" + }, + "vmName": { + "type": "string" + }, + "appLoadDistribution": { + "type": "string" + }, + "Subnet2StartAddress": { + "type": "string" + }, + "subnet2Name": { + "type": "string" + }, + "subnet2Id": { + "type": "string" + }, + "ilbLoadDistribution": { + "type": "string" + }, + "upgrading": { + "type": "bool" + }, + "lbsTargetRGName": { + "type": "string" + }, + "elbResourceId": { + "type": "string" + }, + "elbTargetBEAddressPoolName": { + "type": "string" + }, + "ilbResourceId": { + "type": "string" + }, + "ilbTargetBEAddressPoolName": { + "type": "string" + }, + "Check_PointTags": { + "type": "object", + "defaultValue": { + "provider": "30DE18BC-F9F6-4F22-9D30-54B8E74CFD5F" + } + } + }, + "variables": { + "resourceGroup": "[resourceGroup()]", + "deployELB": "[or(equals(parameters('deploymentMode'),'Standard'), equals(parameters('deploymentMode'),'ELBOnly'))]", + "deployILB": "[or(equals(parameters('deploymentMode'),'Standard'), equals(parameters('deploymentMode'),'ILBOnly'))]", + "appName": "[concat(parameters('vmName'), '-app-1')]", + "appAddressName": "[variables('appName')]", + "appAddressId": "[concat(variables('resourceGroup').id, '/providers/Microsoft.Network/publicIPAddresses/', variables('appAddressName'))]", + "appFEName": "[variables('appName')]", + "elbName": "frontend-lb", + "elbID": "[if(parameters('upgrading'), parameters('elBResourceId'), resourceId('Microsoft.Network/loadBalancers', variables('elbName')))]", + "elbBEAddressPool": "[concat(variables('elbName'), '-pool')]", + "elbBEAddressPoolName": "[if(parameters('upgrading'), parameters('elbTargetBEAddressPoolName'), variables('elbBEAddressPool'))]", + "elbBEAddressPoolID": "[concat(variables('elbID'), 
'/backendAddressPools/', variables('elbBEAddressPoolName'))]", + "appFEIPConfigID": "[concat(variables('elbID'), '/frontendIPConfigurations/', variables('appFEName'))]", + "appProbeName": "[variables('appName')]", + "appProbeID": "[concat(variables('elbID'),'/probes/',variables('appProbeName'))]", + "appFrontEndProtocol": "tcp", + "appFrontEndPort": 80, + "appBackEndPort": 8081, + "appHealthProtocol": "tcp", + "ilbHealthProtocol": "tcp", + "lbHealthPort": 8117, + "ilbName": "['backend-lb']", + "ilbID": "[if(parameters('upgrading'), parameters('ilbResourceId'), resourceId('Microsoft.Network/loadBalancers', variables('ilbName')))]", + "ilbBEAddressPool": "[concat(variables('ilbName'), '-pool')]", + "ilbFEIPConfigID": "[concat(variables('ilbID'), '/frontendIPConfigurations/', variables('ilbName'))]", + "internalLBPrivateIPAddress": "[parameters('Subnet2StartAddress')]", + "ilbBEAddressPoolName": "[if(parameters('upgrading'), parameters('ilbTargetBEAddressPoolName'), variables('ilbBEAddressPool'))]", + "ilbBEAddressPoolID": "[concat(variables('ilbID'), '/backendAddressPools/', variables('ilbBEAddressPoolName'))]", + "ilbProbeName": "[variables('ilbName')]", + "ilbProbeID": "[concat(variables('ilbID'), '/probes/', variables('ilbProbeName'))]", + "ilbBEAddressPoolProperties": [ + { + "id": "[variables('ilbBEAddressPoolID')]" + } + ], + "elbBEAddressPoolProperties": [ + { + "id": "[variables('elbBEAddressPoolID')]" + } + ] + }, + "resources": [ + { + "type": "Microsoft.Network/publicIPAddresses", + "condition": "[and(variables('deployELB'), not(parameters('upgrading')))]", + "apiVersion": "[parameters('networkApiVersion')]", + "location": "[parameters('location')]", + "name": "[variables('appAddressName')]", + "sku": { + "name": "Standard" + }, + "properties": { + "publicIPAllocationMethod": "Static", + "dnsSettings": { + "domainNameLabel": "[concat(toLower(parameters('vmName')), '-', uniquestring(variables('resourceGroup').id, deployment().name))]" + } + }, + "tags": { + 
"provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Network/loadBalancers", + "condition": "[and(variables('deployELB'), not(parameters('upgrading')))]", + "apiVersion": "[parameters('networkApiVersion')]", + "name": "[variables('elbName')]", + "location": "[parameters('location')]", + "sku": { + "name": "Standard" + }, + "dependsOn": [ + "[variables('appAddressId')]" + ], + "properties": { + "frontendIPConfigurations": [ + { + "name": "[variables('appFEName')]", + "properties": { + "publicIPAddress": { + "id": "[variables('appAddressId')]" + } + } + } + ], + "backendAddressPools": [ + { + "name": "[variables('elbBEAddressPool')]" + } + ], + "loadBalancingRules": [ + { + "name": "[variables('appName')]", + "properties": { + "frontendIPConfiguration": { + "id": "[variables('appFEIPConfigID')]" + }, + "backendAddressPool": { + "id": "[variables('elbBEAddressPoolID')]" + }, + "probe": { + "id": "[variables('appProbeID')]" + }, + "protocol": "[variables('appFrontEndProtocol')]", + "frontendPort": "[variables('appFrontEndPort')]", + "backendPort": "[variables('appBackEndPort')]", + "enableFloatingIP": false, + "loadDistribution": "[parameters('appLoadDistribution')]" + } + } + ], + "probes": [ + { + "name": "[variables('appProbeName')]", + "properties": { + "protocol": "[variables('appHealthProtocol')]", + "port": "[variables('lbHealthPort')]", + "intervalInSeconds": "5", + "numberOfProbes": "2" + } + } + ] + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Network/loadBalancers", + "condition": "[and(variables('deployILB'), not(parameters('upgrading')))]", + "apiVersion": "[parameters('networkApiVersion')]", + "name": "[variables('ilbName')]", + "location": "[parameters('location')]", + "sku": { + "name": "Standard" + }, + "properties": { + "frontendIPConfigurations": [ + { + "name": "[variables('ilbName')]", + "properties": { + "privateIPAllocationMethod": 
"Static", + "privateIPAddress": "[variables('internalLBPrivateIPAddress')]", + "subnet": { + "id": "[parameters('subnet2ID')]" + } + } + } + ], + "backendAddressPools": [ + { + "name": "[variables('ilbBEAddressPool')]" + } + ], + "loadBalancingRules": [ + { + "name": "[variables('ilbName')]", + "properties": { + "frontendIPConfiguration": { + "id": "[variables('ilbFEIPConfigID')]" + }, + "backendAddressPool": { + "id": "[variables('ilbBEAddressPoolID')]" + }, + "probe": { + "id": "[variables('ilbProbeID')]" + }, + "protocol": "All", + "frontendPort": 0, + "backendPort": 0, + "loadDistribution": "[parameters('ilbLoadDistribution')]", + "enableFloatingIP": false + } + } + ], + "probes": [ + { + "name": "[variables('ilbProbeName')]", + "properties": { + "protocol": "[variables('ilbHealthProtocol')]", + "port": "[variables('lbHealthPort')]", + "intervalInSeconds": "5", + "numberOfProbes": "2" + } + } + ] + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + } + ], + "outputs": { + "appAddressId": { + "value": "[if(and(variables('deployELB'), not(parameters('upgrading'))), resourceId('Microsoft.Network/publicIPAddresses', variables('appAddressName')), '')]", + "type": "string" + }, + "elbId": { + "value": "[if(variables('deployELB'), variables('elbId'), '')]", + "type": "string" + }, + "ilbId": { + "value": "[if(variables('deployILB'), variables('ilbId'), '')]", + "type": "string" + }, + "ilbBEAddressPoolProperties": { + "value": "[variables('ilbBEAddressPoolProperties')]", + "type": "array" + }, + "elbBEAddressPoolProperties": { + "value": "[variables('elbBEAddressPoolProperties')]", + "type": "array" + }, + "ApplicationAddress": { + "value": "[if(and(variables('deployELB'), not(parameters('upgrading'))), reference(variables('appAddressId'), parameters('networkApiVersion')).IpAddress, 'no public ip')]", + "type": "string" + }, + "ApplicationFQDN": { + "value": "[if(and(variables('deployELB'), not(parameters('upgrading'))), 
reference(variables('appAddressId'), parameters('networkApiVersion')).dnsSettings.fqdn, 'no public ip')]", + "type": "string" + } + } +} diff --git a/deprecated/azure/templates/R8010-R8020/vmss-r8010-r8020/nestedtemplates/vnet-2-subnet-ha-existing.json b/deprecated/azure/templates/R8010-R8020/vmss-r8010-r8020/nestedtemplates/vnet-2-subnet-ha-existing.json new file mode 100644 index 00000000..286d1927 --- /dev/null +++ b/deprecated/azure/templates/R8010-R8020/vmss-r8010-r8020/nestedtemplates/vnet-2-subnet-ha-existing.json 
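Review bot: The variable `ilbName` is declared as `"['backend-lb']"`, an ARM expression that evaluates to the literal `backend-lb`, while its counterpart `elbName` is the plain string `"frontend-lb"`; the bracket form works but reads as a typo, and `"ilbName": "backend-lb"` says the same thing. In the same variables block `elbID` reads `parameters('elBResourceId')` and the ILB frontend reads `parameters('subnet2ID')`, whereas the parameters are declared as `elbResourceId` and `subnet2Id` — ARM resolves parameter names case-insensitively so this deploys, but matching the declared casing lets a linter catch a real mismatch. On the exposure side, the public load-balancing rule hard-codes `appFrontEndPort` 80 to `appBackEndPort` 8081 on a Standard-SKU public IP with a DNS label, and nothing in the template marks it as a placeholder; a `metadata.description` on `appLoadDistribution` or `deploymentMode` (or a README line) saying this rule is an example to be replaced with the deployer's real published services would stop it shipping as-is.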
@@ -0,0 +1,124 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "vnet" + }, + "virtualNetworkAddressPrefixes": { + "type": "array", + "metadata": { + "description": "The address prefixes of the virtual network" + } + }, + "Subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the 1st subnet" + }, + "defaultValue": "Frontend" + }, + "Subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 1st subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "Subnet2Name": { + "type": "string", + "metadata": { + "description": "The name of the 2nd subnet" + }, + "defaultValue": "Backend" + }, + "Subnet2Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 2nd subnet" + }, + "defaultValue": "10.0.2.0/24" + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "" + }, + "apiVersion": { + "type": "string" + }, + "vmName": { + "type": "string" + }, + "deployNsg": { + "type": "bool", + "defaultValue": "true" + }, + "Check_PointTags": { + "type": "object", + "defaultValue": { + "provider": "30DE18BC-F9F6-4F22-9D30-54B8E74CFD5F" + } + } + }, + "variables": { + "vnetId": "[resourceId(parameters('virtualNetworkExistingRGName'),'Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]", + "nsgName": "[concat(parameters('vmName'), '-nsg')]", + "nsgProperties": { + "id": "[resourceId(parameters('virtualNetworkExistingRGName'),'Microsoft.Network/networkSecurityGroups', variables('nsgName'))]" + } + }, + "resources": [ + { + "type": "Microsoft.Network/networkSecurityGroups", + "condition": 
"[parameters('deployNsg')]", + "apiVersion": "[parameters('apiVersion')]", + "location": "[parameters('location')]", + "name": "[variables('nsgName')]", + "properties": { + "securityRules": [ + { + "name": "AllowAllInBound", + "properties": { + "description": "Allow all inbound connections", + "protocol": "*", + "sourcePortRange": "*", + "destinationPortRange": "*", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "100", + "direction": "Inbound" + } + } + ] + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + } + ], + "outputs": { + "vnetId": { + "value": "[variables('vnetId')]", + "type": "string" + }, + "vnetAddressPrefixes": { + "value": "[reference(variables('vnetId'),parameters('apiVersion')).addressSpace.addressPrefixes]", + "type": "array" + }, + "nsgProperties": { + "value": "[variables('nsgProperties')]", + "type": "object" + } + } +} diff --git a/deprecated/azure/templates/R8010-R8020/vmss-r8010-r8020/nestedtemplates/vnet-2-subnet-ha-new.json b/deprecated/azure/templates/R8010-R8020/vmss-r8010-r8020/nestedtemplates/vnet-2-subnet-ha-new.json new file mode 100644 index 00000000..3a9a8c8c --- /dev/null +++ b/deprecated/azure/templates/R8010-R8020/vmss-r8010-r8020/nestedtemplates/vnet-2-subnet-ha-new.json 
@@ -0,0 +1,216 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "vnet" + }, + "virtualNetworkAddressPrefixes": { + "type": "array", + "metadata": { + "description": "The address prefixes of the virtual network" + } + }, + "Subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the 1st subnet" + }, + "defaultValue": "Frontend" + }, + "Subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 1st subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "Subnet2Name": { + "type": "string", + "metadata": { + "description": "The name of the 2nd subnet" + }, + "defaultValue": "Backend" + }, + "Subnet2Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 2nd subnet" + }, + "defaultValue": "10.0.2.0/24" + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "" + }, + "apiVersion": { + "type": "string" + }, + "vmName": { + "type": "string" + }, + "deployNsg": { + "type": "bool", + "defaultValue": "true" + }, + "Check_PointTags": { + "type": "object", + "defaultValue": { + "provider": "30DE18BC-F9F6-4F22-9D30-54B8E74CFD5F" + } + } + }, + "variables": { + "copy": [ + { + "name": "toInternalRoutes", + "count": "[length(parameters('virtualNetworkAddressPrefixes'))]", + "input": { + "name": "[concat('To-Internal-',copyIndex('toInternalRoutes'))]", + "properties": { + "addressPrefix": "[parameters('virtualNetworkAddressPrefixes')[copyIndex('toInternalRoutes')]]", + "nextHopType": "None" + } + } + } + ], + "localSubnetRoute": [ + { + "name": "Local-Subnet", + "properties": { + "addressPrefix": 
"[parameters('subnet1Prefix')]", + "nextHopType": "VnetLocal" + } + } + ], + "routesArray": "[concat(variables('localSubnetRoute'), variables('toInternalRoutes'))]", + "nsgName": "[concat(parameters('vmName'), '-nsg')]", + "nsgProperties": { + "id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName'))]" + } + }, + "resources": [ + { + "type": "Microsoft.Network/routeTables", + "apiVersion": "[parameters('apiVersion')]", + "location": "[parameters('location')]", + "name": "[parameters('subnet1Name')]", + "properties": { + "routes": "[variables('routesArray')]" + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Network/routeTables", + "apiVersion": "[parameters('apiVersion')]", + "location": "[parameters('location')]", + "name": "[parameters('subnet2Name')]", + "properties": { + "routes": [ + { + "name": "To-Internet", + "properties": { + "addressPrefix": "0.0.0.0/0", + "nextHopType": "None" + } + } + ] + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "[parameters('apiVersion')]", + "location": "[parameters('location')]", + "name": "[parameters('virtualNetworkName')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/routeTables', parameters('subnet1Name'))]", + "[resourceId('Microsoft.Network/routeTables', parameters('subnet2Name'))]" + ], + "properties": { + "addressSpace": { + "addressPrefixes": "[parameters('virtualNetworkAddressPrefixes')]" + }, + "subnets": [ + { + "name": "[parameters('subnet1Name')]", + "properties": { + "addressPrefix": "[parameters('subnet1Prefix')]", + "routeTable": { + "id": "[resourceId('Microsoft.Network/routeTables', parameters('subnet1Name'))]" + } + } + }, + { + "name": "[parameters('subnet2Name')]", + "properties": { + "addressPrefix": "[parameters('subnet2Prefix')]", + "routeTable": { + "id": 
"[resourceId('Microsoft.Network/routeTables', parameters('subnet2Name'))]" + } + } + } + ] + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Network/networkSecurityGroups", + "condition": "[parameters('deployNsg')]", + "apiVersion": "[parameters('apiVersion')]", + "location": "[parameters('location')]", + "name": "[variables('nsgName')]", + "properties": { + "securityRules": [ + { + "name": "AllowAllInBound", + "properties": { + "description": "Allow all inbound connections", + "protocol": "*", + "sourcePortRange": "*", + "destinationPortRange": "*", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "100", + "direction": "Inbound" + } + } + ] + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + } + ], + "outputs": { + "vnetId": { + "value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]", + "type": "string" + }, + "vnetAddressPrefixes": { + "value": "[parameters('virtualNetworkAddressPrefixes')]", + "type": "array" + }, + "nsgProperties": { + "value": "[variables('nsgProperties')]", + "type": "object" + } + } +} diff --git a/deprecated/azure/templates/R8030/ha-r8030/README.MD b/deprecated/azure/templates/R8030/ha-r8030/README.MD new file mode 100644 index 00000000..61102a27 --- /dev/null +++ b/deprecated/azure/templates/R8030/ha-r8030/README.MD 
@@ -0,0 +1,13 @@
+# How to deploy this template
+To deploy this ARM template, follow these instructions:
+1. Log in to the [Microsoft Azure Portal](https://portal.azure.com)
+2. Click "*Create a resource*"
+3. Search for "*Template deployment (deploy using custom templates)*" and click "*Create*"
+4. Click "*Build your own template in the editor*"
+5. Load the "*mainTemplate.json*" file from this directory and click "*Save*"
+6. Enter the desired template parameters
+ - Replace the "*_artifacts Location*" property with:
+ ```
+ https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/deprecated/azure/templates/ha-r8030/
+ ```
+7. Click *Purchase* to deploy the solution
diff --git a/deprecated/azure/templates/R8030/ha-r8030/createUiDefinition.json b/deprecated/azure/templates/R8030/ha-r8030/createUiDefinition.json
new file mode 100644
index 00000000..efa3c5a4
--- /dev/null
+++ b/deprecated/azure/templates/R8030/ha-r8030/createUiDefinition.json
@@ -0,0 +1,730 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Compute.MultiVm", + "version": "0.1.2-preview", + "parameters": { + "basics": [ + { + "name": "basics settings text block", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "Please follow the Check Point CloudGuard IaaS High Availability Administration Guide.", + "link": { + "label": "Administration Guide", + "uri": "https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_IaaS_HighAvailability_for_Azure/Default.htm" + } + } + }, + { + "name": "clusterObjectNameUi", + "type": "Microsoft.Common.TextBox", + "label": "Cluster Object Name", + "toolTip": "The name of the cluster object.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{1,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + } + }, + { + "name": "auth", + "type": "Microsoft.Compute.CredentialsCombo", + "label": { + "authenticationType": "Authentication type", + "password": "Password", + "confirmPassword": "Confirm password", + "sshPublicKey": "SSH public key" + }, + "toolTip": { + "password": "The user 'admin' password", + "sshPublicKey": "Paste an OpenSSH public key. 
You can generate a key pair using ssh-keygen (Linux, OS X, Cygwin) or PuttyGen (Windows)" + }, + "constraints": { + "required": true + }, + "options": { + "hideConfirmation": false, + "hidePassword": false + }, + "osPlatform": "Linux" + } + ], + "steps": [ + { + "name": "chkp", + "label": "Check Point Cluster Object settings", + "subLabel": { + "preValidation": "Configure Cluster Object settings", + "postValidation": "Done" + }, + "bladeTitle": "Cluster Object settings", + "elements": [ + { + "name": "cloudGuardVersion", + "type": "Microsoft.Common.DropDown", + "label": "Check Point CloudGuard version", + "defaultValue": "R80.30", + "toolTip": "The version of Check Point CloudGuard.", + "constraints": { + "allowedValues": [ + { + "label": "R80.30", + "value": "R80.30" + } + ] + } + }, + { + "name": "R80Offer", + "type": "Microsoft.Common.DropDown", + "label": "License type", + "toolTip": "The type of license.", + "defaultValue": "Bring Your Own License", + "visible": true, + "constraints": { + "allowedValues": [ + { + "label": "Bring Your Own License", + "value": "Bring Your Own License" + }, + { + "label": "Pay As You Go (NGTP)", + "value": "Pay As You Go (NGTP)" + }, + { + "label": "Pay As You Go (NGTX)", + "value": "Pay As You Go (NGTX)" + } + ] + } + }, + { + "name": "R8030vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.30'), equals(coalesce(steps('chkp').R80Offer, 'Bring Your Own License'), 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + 
"Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8030", + "sku": "sg-byol" + }, + "count": 2 + }, + { + "name": "R8030vmSizeUiNGTP", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.30'), contains(steps('chkp').R80Offer, '(NGTP)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + 
"Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8030", + "sku": "sg-ngtp-v2" + }, + "count": 2 + }, + { + "name": "R8030vmSizeUiNGTX", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.30'), contains(steps('chkp').R80Offer, '(NGTX)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + 
"Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8030", + "sku": "sg-ngtx-v2" + }, + "count": 2 + }, + { + "name": "adminShell", + "type": "Microsoft.Common.DropDown", + "label": "Default shell for the admin user", + "defaultValue": "/etc/cli.sh", + "toolTip": "The default shell for the admin user", + "constraints": { + "allowedValues": [ + { + "label": "/etc/cli.sh", + "value": "/etc/cli.sh" + }, + { + "label": "/bin/bash", + "value": "/bin/bash" + }, + { + "label": "/bin/csh", + "value": "/bin/csh" + }, + { + "label": "/bin/tcsh", + "value": "/bin/tcsh" + } + ] + } + }, + { + "name": "sicKeyUi", + "type": "Microsoft.Common.PasswordBox", + "label": { + "password": "SIC key", + "confirmPassword": "Confirm SIC key" + }, + "toolTip": "Set the Secure Internal Communication one time secret used to set up trust between the cluster object and the management server.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{12,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the value must be 12-30 characters long." 
+ }, + "options": { + "hideConfirmation": false + }, + "visible": "true" + }, + { + "name": "managedSystemAssigned", + "type": "Microsoft.Common.OptionsGroup", + "visible": true, + "label": "Create a System Assigned Identity", + "toolTip": "Automatically create a Service Principal for this deployment.", + "defaultValue": "Yes", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "yes" + }, + { + "label": "No", + "value": "no" + } + ] + } + }, + { + "name": "availabilityOptions", + "type": "Microsoft.Common.DropDown", + "label": "Availability options", + "defaultValue": "Availability Set", + "toolTip": "Use replicated Cluster VMs in Availability Set or Availability Zones. Note that the load balancers and their IP addresses will be zone redundant in any case.", + "visible": "[contains(' australiaeast brazilsouth canadacentral centralus eastasia eastus eastus2 francecentral germanywestcentral japaneast koreacentral northeurope norwayeast southafricanorth southcentralus southeastasia swedencentral uksouth usgovvirginia westeurope westus2 westus3 ', concat(' ', location(), ' '))]", + "constraints": { + "allowedValues": [ + { + "label": "Availability Set", + "value": "Availability Set" + }, + { + "label": "Availability Zones", + "value": "Availability Zones" + } + ] + } + }, + { + "name": "bootstrapScript", + "type": "Microsoft.Common.FileUpload", + "label": "Bootstrap script", + "toolTip": "An optional script to run on the initial boot", + "constraints": { + "required": false, + "accept": ".sh,text/plain" + }, + "options": { + "multiple": false, + "uploadMode": "file", + "openMode": "text", + "encoding": "UTF-8" + } + }, + { + "name": "allowUploadDownload", + "type": "Microsoft.Common.OptionsGroup", + "label": "Automatically download updates and share statistical data for product improvement purpose", + "defaultValue": "Yes", + "toolTip": "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "true" + }, + { + "label": "No", + "value": "false" + } + ] + } + }, + { + "name": "additionalDiskSizeGB", + "type": "Microsoft.Common.TextBox", + "label": "Additional disk space (GB)", + "defaultValue": "0", + "toolTip": "Additional disk space (in GB), Initial disk size is 100 GB.", + "constraints": { + "regex": "^([0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-2][0-9][0-9][0-9]|3[0-8][0-9][0-9]|399[0-5])$", + "validationMessage": "Select a number between 0 and 3995" + } + }, + { + "name": "VMDiskType", + "type": "Microsoft.Common.OptionsGroup", + "label": "VM disk type", + "toolTip": "Type of CloudGuard disk.", + "visible": "[or(contains(steps('chkp').R8030vmSizeUiBYOL, 'DS'), contains(steps('chkp').R8030vmSizeUiNGTP, 'DS'), contains(steps('chkp').R8030vmSizeUiNGTX, 'DS'))]", + "defaultValue": "Standard", + "constraints": { + "allowedValues": [ + { + "label": "Standard", + "value": "Standard_LRS" + }, + { + "label": "Premium", + "value": "Premium_LRS" + } + ] + } + }, + { + "name": "useCustomImageUri", + "type": "Microsoft.Common.OptionsGroup", + "label": "Use development image uri", + "defaultValue": "No", + "toolTip": "Use custom image URI.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ], + "required": true + }, + "visible": false + }, + { + "name": "sourceImageVhdUri", + "type": "Microsoft.Common.TextBox", + "label": "Development Image URI", + "toolTip": "The URI of the blob containing the development image", + "constraints": { + "required": "[equals(steps('chkp').useCustomImageUri, 'Yes')]", + "regex": "^[a-z0-9A-Z_\\-\\.\\:\\/]{1,500}.vhd$", + "validationMessage": "Only alphanumeric characters and '_','-','.',':','/' are allowed, the value must be 1-500 characters long and must end with .vhd. 
" + }, + "visible": "[equals(steps('chkp').useCustomImageUri, 'Yes')]" + }, + { + "name": "customMetrics", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable CloudGuard metrics", + "defaultValue": "Yes", + "toolTip": "Enable CloudGuard metrics in order to send statuses and statistics collected from Cluster members to the Azure Monitor service.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "yes" + }, + { + "label": "No", + "value": "no" + } + ] + }, + "visible": true + }, + { + "name": "customMetricsInfoBox", + "type": "Microsoft.Common.InfoBox", + "visible": "[and(equals(steps('chkp').customMetrics, 'yes'), not(equals(steps('chkp').managedSystemAssigned, 'yes')))]", + "options": { + "icon": "Warning", + "text": "CloudGuard metrics can't be used when System Assigned Identity is disabled" + } + }, + { + "name": "floatingIP", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy the Load Balancers with floating IP", + "defaultValue": "No", + "toolTip": "Deploy the Load Balancers with floating IP.", + "constraints": { + "allowedValues": [ + { + "label": "No", + "value": "no" + }, + { + "label": "Yes", + "value": "yes" + } + ] + }, + "visible": true + }, + { + "name": "publicIPPrefix", + "type": "Microsoft.Common.OptionsGroup", + "label": "Use public IP prefix", + "defaultValue": "No", + "toolTip": "Use public IP prefix.", + "constraints": { + "allowedValues": [ + { + "label": "No", + "value": "no" + }, + { + "label": "Yes", + "value": "yes" + } + ] + }, + "visible": true + }, + { + "name": "createNewIPPrefix", + "type": "Microsoft.Common.OptionsGroup", + "label": "Create public IP prefix", + "defaultValue": "No", + "toolTip": "Create new public IP prefix to use.", + "constraints": { + "allowedValues": [ + { + "label": "No", + "value": "no" + }, + { + "label": "Yes", + "value": "yes" + } + ] + }, + "visible": "[equals(steps('chkp').publicIPPrefix, 'yes')]" + }, + { + "name": "ipPrefixExistingResourceId", + "type": 
"Microsoft.Common.TextBox", + "label": "Public IP prefix resource id", + "defaultValue": "", + "toolTip": "Use an exisiting public IP prefix resource id.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z -.:/n]{1,}$", + "validationMessage": "Only alphanumeric characters, hyphens, spaces, periods, and colons are allowed." + }, + "visible": "[equals(steps('chkp').createNewIPPrefix, 'no')]" + } + ] + }, + { + "name": "network", + "label": "Network settings", + "subLabel": { + "preValidation": "Configure network settings", + "postValidation": "Done" + }, + "bladeTitle": "Network settings", + "elements": [ + { + "name": "virtualNetwork", + "type": "Microsoft.Network.VirtualNetworkCombo", + "label": { + "virtualNetwork": "Virtual network", + "subnets": "Subnets" + }, + "toolTip": { + "virtualNetwork": "Virtual Network Name", + "subnets": "List of subnets to deploy into" + }, + "defaultValue": { + "name": "vnet01", + "addressPrefixSize": "/16" + }, + "constraints": { + "minAddressPrefixSize": "/28" + }, + "options": { + "hideExisting": false + }, + "subnets": { + "subnet1": { + "label": "Frontend subnet", + "defaultValue": { + "name": "Frontend", + "addressPrefixSize": "/24" + }, + "constraints": { + "minAddressPrefixSize": "/29", + "minAddressCount": 2, + "requireContiguousAddresses": true + } + }, + "subnet2": { + "label": "Backend subnet", + "defaultValue": { + "name": "Backend", + "addressPrefixSize": "/24" + }, + "constraints": { + "minAddressPrefixSize": "/29", + "minAddressCount": 2, + "requireContiguousAddresses": true + } + } + } + } + ] + } + ], + "outputs": { + "location": "[location()]", + "cloudGuardVersion": "[concat(steps('chkp').cloudGuardVersion, ' - ', coalesce(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "adminPassword": "[basics('auth').password]", + "authenticationType": "[basics('auth').authenticationType]", + "sshPublicKey": "[basics('auth').sshPublicKey]", + "vmName": "[basics('clusterObjectNameUi')]", + "vmSize": 
"[coalesce(steps('chkp').R8030vmSizeUiBYOL, steps('chkp').R8030vmSizeUiNGTP, steps('chkp').R8030vmSizeUiNGTX)]", + "sicKey": "[steps('chkp').sicKeyUi]", + "virtualNetworkName": "[steps('network').virtualNetwork.name]", + "virtualNetworkAddressPrefixes": "[steps('network').virtualNetwork.addressPrefixes]", + "subnet1Name": "[steps('network').virtualNetwork.subnets.subnet1.name]", + "subnet1Prefix": "[steps('network').virtualNetwork.subnets.subnet1.addressPrefix]", + "subnet1StartAddress": "[steps('network').virtualNetwork.subnets.subnet1.startAddress]", + "subnet2Name": "[steps('network').virtualNetwork.subnets.subnet2.name]", + "subnet2Prefix": "[steps('network').virtualNetwork.subnets.subnet2.addressPrefix]", + "subnet2StartAddress": "[steps('network').virtualNetwork.subnets.subnet2.startAddress]", + "vnetNewOrExisting": "[steps('network').virtualNetwork.newOrExisting]", + "virtualNetworkExistingRGName": "[steps('network').virtualNetwork.resourceGroup]", + "bootstrapScript": "[steps('chkp').bootstrapScript]", + "allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp').allowUploadDownload, 'true')]", + "additionalDiskSizeGB": "[int(steps('chkp').additionalDiskSizeGB)]", + "diskType": "[coalesce(steps('chkp').VMDiskType, 'Standard_LRS')]", + "managedSystemAssigned": "[steps('chkp').managedSystemAssigned]", + "sourceImageVhdUri": "[coalesce(steps('chkp').sourceImageVhdUri, 'noCustomUri')]", + "availabilityOptions": "[steps('chkp').availabilityOptions]", + "customMetrics": "[steps('chkp').customMetrics]", + "floatingIP": "[steps('chkp').floatingIP]", + "publicIPPrefix": "[steps('chkp').publicIPPrefix]", + "createNewIPPrefix": "[steps('chkp').createNewIPPrefix]", + "ipPrefixExistingResourceId": "[steps('chkp').ipPrefixExistingResourceId]", + "adminShell": "[steps('chkp').adminShell]" + } + } +} \ No newline at end of file 
diff --git a/deprecated/azure/templates/R8030/ha-r8030/mainTemplate.json b/deprecated/azure/templates/R8030/ha-r8030/mainTemplate.json
new file mode 100644
index 00000000..29f398e5
--- /dev/null
+++ b/deprecated/azure/templates/R8030/ha-r8030/mainTemplate.json
@@ -0,0 +1,1029 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string", + "metadata": { + "description": "Deployment location" + }, + "defaultValue": "[resourceGroup().location]" + }, + "cloudGuardVersion": { + "type": "string", + "allowedValues": [ + "R80.30 - Bring Your Own License", + "R80.30 - Pay As You Go (NGTP)", + "R80.30 - Pay As You Go (NGTX)" + ], + "defaultValue": "R80.30 - Bring Your Own License", + "metadata": { + "description": "Check Point CloudGuard version" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Administrator password" + }, + "defaultValue": "" + }, + "authenticationType": { + "type": "string", + "allowedValues": [ + "password", + "sshPublicKey" + ], + "defaultValue": "password", + "metadata": { + "description": "Authentication type" + } + }, + "sshPublicKey": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Administrator SSH public key" + } + }, + "floatingIP": { + "type": "string", + "allowedValues": [ + "no", + "yes" + ], + "defaultValue": "no", + "metadata": { + "description": "Deploy the Load Balancers with floating IP" + } + }, + "publicIPPrefix": { + "type": "string", + "allowedValues": [ + "no", + "yes" + ], + "defaultValue": "no", + "metadata": { + "description": "Use public IP prefix" + } + }, + "createNewIPPrefix": { + "type": "string", + "allowedValues": [ + "no", + "yes" + ], + "defaultValue": "no", + "metadata": { + "description": "Create new public IP prefix" + } + }, + "ipPrefixExistingResourceId": { + "type": "string", + "metadata": { + "description": "The resource id of the existing IP prefix" + }, + "defaultValue": "" + }, + "vmName": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "Name of the Check Point Cluster object" + } + }, + "vmSize": { + "type": "string", + 
"defaultValue": "Standard_D3_v2", + "metadata": { + "description": "Size of the VM" + } + }, + "adminShell": { + "type": "string", + "defaultValue": "/etc/cli.sh", + "allowedValues": [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh" + ], + "metadata": { + "Description": "The default shell for the admin user" + } + }, + "sicKey": { + "type": "securestring", + "metadata": { + "description": "One time key for Secure Internal Communication" + } + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "[concat(resourceGroup().name, '-vnet')]" + }, + "virtualNetworkAddressPrefixes": { + "type": "array", + "metadata": { + "description": "The address prefixes of the virtual network" + }, + "defaultValue": [ + "10.0.0.0/16" + ] + }, + "subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the frontend subnet" + }, + "defaultValue": "Frontend" + }, + "subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the frontend subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "subnet1StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the 1st subnet" + }, + "defaultValue": "10.0.1.10" + }, + "subnet2Name": { + "type": "string", + "metadata": { + "description": "The name of the backend subnet" + }, + "defaultValue": "Backend" + }, + "subnet2Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the backend subnet" + }, + "defaultValue": "10.0.2.0/24" + }, + "subnet2StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the 2nd subnet" + }, + "defaultValue": "10.0.2.10" + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "new", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + 
"virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "[resourceGroup().name]" + }, + "bootstrapScript": { + "type": "string", + "metadata": { + "description": "Bootstrap script" + }, + "defaultValue": "" + }, + "allowDownloadFromUploadToCheckPoint": { + "type": "string", + "allowedValues": [ + "true", + "false" + ], + "defaultValue": "true", + "metadata": { + "description": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + } + }, + "additionalDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "metadata": { + "description": "Amount of additional disk space (in GB)" + }, + "minValue": 0, + "maxValue": 3995 + }, + "diskType": { + "type": "string", + "defaultValue": "Standard_LRS", + "metadata": { + "description": "The type of the OS disk. Premium is applicable only to DS machine sizes" + }, + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ] + }, + "role": { + "type": "string", + "defaultValue": "Contributor", + "metadata": { + "description": "Role" + } + }, + "managedSystemAssigned": { + "type": "string", + "allowedValues": [ + "yes", + "no" + ], + "defaultValue": "yes", + "metadata": { + "description": "Automatically create a Service Principal for this deployment." 
+ } + }, + "sourceImageVhdUri": { + "type": "string", + "defaultValue": "noCustomUri", + "metadata": { + "description": "The URI of the blob containing the development image" + } + }, + "availabilityOptions": { + "type": "string", + "allowedValues": [ + "Availability Set", + "Availability Zones" + ], + "defaultValue": "Availability Set", + "metadata": { + "description": "Use replicated Cluster VMs in Availability Set or Availability Zones" + } + }, + "_artifactsLocation": { + "type": "string", + "metadata": { + "description": "Use the following URI when deploying a custom template: https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/" + }, + "defaultValue": "[deployment().properties.templateLink.uri]" + }, + "_artifactsLocationSasToken": { + "type": "securestring", + "metadata": { + "description": "The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. Use the defaultValue if the staging location is not secured." 
+ }, + "defaultValue": "" + }, + "customMetrics": { + "type": "string", + "allowedValues": [ + "no", + "yes" + ], + "defaultValue": "yes", + "metadata": { + "Description": "Indicates whether CloudGuard Metrics will be used for Cluster members monitoring" + } + } + }, + "variables": { + "templateName": "ha", + "templateVersion": "20220130", + "location": "[parameters('location')]", + "elbPublicIPName": "frontend-lb-address", + "haPublicIPName": "[parameters('vmName')]", + "offers": { + "R80.30 - Bring Your Own License": "BYOL", + "R80.30 - Pay As You Go (NGTP)": "NGTP-V2", + "R80.30 - Pay As You Go (NGTX)": "NGTX-V2" + }, + "offer": "[variables('offers')[parameters('cloudGuardVersion')]]", + "osVersions": { + "R80.30 - Bring Your Own License": "R8030", + "R80.30 - Pay As You Go (NGTP)": "R8030", + "R80.30 - Pay As You Go (NGTX)": "R8030" + }, + "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", + "adminUsername": "notused", + "isBlink": true, + "storageAccountName": "[concat('bootdiag', uniqueString(resourceGroup().id, deployment().name))]", + "storageAccountType": "Standard_LRS", + "diskSize100GB": 100, + "diskSizeGB": "[add(parameters('additionalDiskSizeGB'), variables('diskSize100GB'))]", + "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'tenantId=\"', subscription().tenantId, '\"', '\n', 'virtualNetwork=\"', parameters('virtualNetworkName'), '\"', 
'\n', 'clusterName=\"', parameters('vmName'), '\"', '\n', 'externalPrivateAddresses=\"', variables('externalPrivateAddresses')[2], '\"', '\n', 'customMetrics=\"', variables('customMetrics'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n')]", + "imageOffer": "[concat('check-point-cg-', toLower(variables('osVersion')))]", + "imagePublisher": "checkpoint", + "imageReferenceBYOL": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-byol", + "version": "latest" + }, + "imageReferenceNGTP": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp", + "version": "latest" + }, + "imageReferenceNGTP-V2": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp-v2", + "version": "latest" + }, + "imageReferenceNGTX": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtx", + "version": "latest" + }, + "imageReferenceNGTX-V2": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtx-v2", + "version": "latest" + }, + "imageReferenceMarketplace": "[if(equals(variables('offer'), 'BYOL'), variables('imageReferenceBYOL'), if(equals(variables('offer'), 'NGTP'), variables('imageReferenceNGTP'), if(equals(variables('offer'), 'NGTP-V2'), variables('imageReferenceNGTP-V2'), if(equals(variables('offer'), 'NGTX'), variables('imageReferenceNGTX'), if(equals(variables('offer'), 'NGTX-V2'), variables('imageReferenceNGTX-V2'), json('null'))))))]", + "customImage": "customImage", + "imageReferenceCustomUri": { + "id": "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + }, + "imageReference": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('imageReferenceMarketplace'), variables('imageReferenceCustomUri'))]", + "enableFloatingIP": "[equals(parameters('floatingIP'), 'yes')]", + 
"nic1Name": "eth0", + "nic2Name": "eth1", + "elbName": "frontend-lb", + "elbId": "[resourceId('Microsoft.Network/loadBalancers', variables('elbName'))]", + "elbBEAddressPool": "[concat(variables('elbName'), '-pool')]", + "elbBEAddressPoolID": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', variables('elbName'), variables('elbBEAddressPool'))]", + "ilbName": "backend-lb", + "ilbId": "[resourceId('Microsoft.Network/loadBalancers', variables('ilbName'))]", + "ilbBEAddressPool": "[concat(variables('ilbName'), '-pool')]", + "ilbBEAddressPoolID": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools/', variables('ilbName'), variables('ilbBEAddressPool'))]", + "ilbFEIPConfigID": "[resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations/', variables('ilbName'), variables('ilbName'))]", + "ilbProbeName": "[variables('ilbName')]", + "ilbProbeID": "[resourceId('Microsoft.Network/loadBalancers/probes/', variables('ilbName'), variables('ilbProbeName'))]", + "linuxConfigurationpassword": { + "disablePasswordAuthentication": "false" + }, + "appProbeName": "health_prob_port", + "linuxConfigurationsshPublicKey": { + "disablePasswordAuthentication": "true", + "ssh": { + "publicKeys": [ + { + "keyData": "[parameters('sshPublicKey')]", + "path": "/home/notused/.ssh/authorized_keys" + } + ] + } + }, + "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), variables('linuxConfigurationpassword'), variables('linuxConfigurationsshPublicKey'))]", + "planBYOL": { + "name": "sg-byol", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP": { + "name": "sg-ngtp", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP-V2": { + "name": "sg-ngtp-v2", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTX": { + "name": "sg-ngtx", + "product": "[variables('imageOffer')]", + 
"publisher": "[variables('imagePublisher')]" + }, + "planNGTX-V2": { + "name": "sg-ngtx-v2", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "plan": "[if(equals(variables('offer'), 'BYOL') , variables('planBYOL'), if(equals(variables('offer'), 'NGTP'), variables('planNGTP'), if(equals(variables('offer'), 'NGTP-V2'), variables('planNGTP-V2'), if(equals(variables('offer'), 'NGTX'), variables('planNGTX'), if(equals(variables('offer'), 'NGTX-V2'), variables('planNGTX-V2'), json('null'))))))]", + "externalPrivateAddresses": [ + "[parameters('Subnet1StartAddress')]", + "[concat(split(parameters('subnet1StartAddress'), '.')[0],'.', split(parameters('subnet1StartAddress'), '.')[1],'.', split(parameters('subnet1StartAddress'), '.')[2],'.', string(add(int(split(parameters('subnet1StartAddress'), '.')[3]),1)))]", + "[concat(split(parameters('subnet1StartAddress'), '.')[0],'.', split(parameters('subnet1StartAddress'), '.')[1],'.', split(parameters('subnet1StartAddress'), '.')[2],'.', string(add(int(split(parameters('subnet1StartAddress'), '.')[3]),2)))]" + ], + "roleDefinitionId": "[if(equals(parameters('role'), 'Contributor'), subscriptionResourceId('Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c'), parameters('role'))]", + "identity": "[json('{\"type\": \"SystemAssigned\"}')]", + "subnet2PrivateAddresses": [ + "[concat(split(parameters('subnet2StartAddress'), '.')[0],'.', split(parameters('subnet2StartAddress'), '.')[1],'.', split(parameters('subnet2StartAddress'), '.')[2],'.', string(add(int(split(parameters('subnet2StartAddress'), '.')[3]),1)))]", + "[concat(split(parameters('subnet2StartAddress'), '.')[0],'.', split(parameters('subnet2StartAddress'), '.')[1],'.', split(parameters('subnet2StartAddress'), '.')[2],'.', string(add(int(split(parameters('subnet2StartAddress'), '.')[3]),2)))]" + ], + "nsgName": "[concat(parameters('vmName'), '-nsg')]", + "elbPublicIPId": 
"[resourceId('Microsoft.Network/publicIPAddresses', variables('elbPublicIPName'))]", + "haPublicIPId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('haPublicIPName'))]", + "gwPublicIPIds": [ + "[resourceId('Microsoft.Network/publicIPAddresses', concat(parameters('vmName'), '1'))]", + "[resourceId('Microsoft.Network/publicIPAddresses', concat(parameters('vmName'), '2'))]" + ], + "availabilitySetName": "[concat(parameters('vmName'), '-AvailabilitySet')]", + "count": 2, + "bootstrapScript64": "[base64(parameters('bootstrapScript'))]", + "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]", + "networkSetupURL": "[uri(parameters('_artifactsLocation'), concat('nestedtemplates/vnet-2-subnet-ha2-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]", + "sicKey": "[parameters('sicKey')]", + "installationType": "cluster", + "internalLBPrivateIPAddress": "[parameters('Subnet2StartAddress')]", + "availabilityZonesLocations": [ + "australiaeast", + "brazilsouth", + "canadacentral", + "centralus", + "eastasia", + "eastus", + "eastus2", + "francecentral", + "germanywestcentral", + "japaneast", + "koreacentral", + "northeurope", + "norwayeast", + "southafricanorth", + "southcentralus", + "southeastasia", + "swedencentral", + "uksouth", + "usgovvirginia", + "westeurope", + "westus2", + "westus3" + ], + "availabilitySetProperty": { + "id": "[resourceId('Microsoft.Compute/availabilitySets', variables('availabilitySetName'))]" + }, + "useAZ": "[and(contains(variables('availabilityZonesLocations'), variables('location')), equals(parameters('availabilityOptions'), 'Availability Zones'))]", + "customMetrics": "[parameters('customMetrics')]", + "emptyString": "none", + "ipPrefixNewName": "[concat(parameters('vmName'), '-ipprefix')]", + "ipPrefixExistingResourceId": "[if(equals(parameters('publicIPPrefix'), 'yes'), parameters('ipPrefixExistingResourceId'), variables('emptyString'))]", + "ipNewPrefixId": 
"[resourceId('Microsoft.Network/publicIPPrefixes',variables('ipPrefixNewName'))]", + "publicIPNewPrefixId": "[if(equals(parameters('publicIPPrefix'), 'yes'), variables('ipNewPrefixId'), json('null'))]", + "usepublicIPPrefix": "[if(equals(parameters('createNewIPPrefix'),'yes'), variables('publicIPNewPrefixId'), variables('ipPrefixExistingResourceId'))]", + "publicIPPrefixProperty": { + "Id": "[variables('usepublicIPPrefix')]" + }, + "prefixDependsOn": "[if(equals(parameters('publicIPPrefix'), 'yes'), if(equals(parameters('createNewIPPrefix'), 'yes'), variables('publicIPNewPrefixId'), variables('ipNewPrefixId')), variables('ipNewPrefixId'))]", + "deployNewVnet": "[equals(parameters('vnetNewOrExisting'), 'new')]", + "vnetRGName": "[if(variables('deployNewVnet'), resourceGroup().name, parameters('virtualNetworkExistingRGName'))]" + }, + "resources": [ + { + "condition": "[and(equals(parameters('createNewIPPrefix'), 'yes'), equals(parameters('publicIPPrefix'), 'yes'))]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Network/publicIPPrefixes", + "name": "[variables('ipPrefixNewName')]", + "location": "[variables('location')]", + "properties": { + "prefixLength": "30", + "publicIPAddressVersion": "IPv4" + }, + "sku": { + "name": "Standard", + "tier": "Regional" + } + }, + { + "apiVersion": "2020-06-01", + "name": "pid-6f13b00a-7546-4ab2-be9f-c66815cc6c8b-partnercenter", + "type": "Microsoft.Resources/deployments", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('storageAccountName')]", + "apiVersion": "2021-04-01", + "properties": { + "supportsHttpsTrafficOnly": true, + "allowBlobPublicAccess": false, + "minimumTlsVersion": "TLS1_2" + }, + "location": "[variables('location')]", + "sku": { + "name": 
"[variables('storageAccountType')]" + }, + "kind": "Storage" + }, + { + "condition": "[equals(parameters('vnetNewOrExisting'), 'new')]", + "name": "networkNewSetup", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + "value": "[variables('location')]" + }, + "nsgName": { + "value": "[variables('nsgName')]" + }, + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + "virtualNetworkAddressPrefixes": { + "value": "[parameters('virtualNetworkAddressPrefixes')]" + }, + "subnet1Name": { + "value": "[parameters('subnet1Name')]" + }, + "subnet1Prefix": { + "value": "[parameters('subnet1Prefix')]" + }, + "subnet2Name": { + "value": "[parameters('subnet2Name')]" + }, + "subnet2Prefix": { + "value": "[parameters('subnet2Prefix')]" + } + } + } + }, + { + "condition": "[equals(parameters('vnetNewOrExisting'), 'existing')]", + "name": "networkExistingSetup", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + "virtualNetworkExistingRGName": { + "value": "[variables('vnetRGName')]" + } + } + } + }, + { + "type": "Microsoft.Compute/availabilitySets", + "condition": "[not(variables('useAZ'))]", + "apiVersion": "2020-06-01", + "location": "[variables('location')]", + "name": "[concat(variables('availabilitySetName'))]", + "properties": { + "platformFaultDomainCount": 2 + }, + "sku": { + "name": "Aligned" + } + }, + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[variables('prefixDependsOn')]" + ], + "location": "[variables('location')]", + "name": 
"[variables('elbPublicIPName')]", + "sku": { + "name": "Standard" + }, + "properties": { + "idleTimeoutInMinutes": 30, + "publicIPAllocationMethod": "Static", + "dnsSettings": { + "domainNameLabel": "[concat(toLower(parameters('vmName')), '-', uniquestring(resourceGroup().id, deployment().name))]" + }, + "publicIPPrefix": "[if(equals(parameters('publicIPPrefix'), 'yes'), variables('publicIPPrefixProperty'), json('null'))]" + } + }, + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[variables('prefixDependsOn')]" + ], + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), copyIndex(1))]", + "sku": { + "name": "Standard" + }, + "copy": { + "name": "publicAddressCopy", + "count": "[variables('count')]" + }, + "properties": { + "idleTimeoutInMinutes": 30, + "publicIPAllocationMethod": "Static", + "dnsSettings": { + "domainNameLabel": "[concat(toLower(parameters('vmName')), '-', copyIndex(1), '-', uniquestring(resourceGroup().id, deployment().name))]" + }, + "publicIPPrefix": "[if(equals(parameters('publicIPPrefix'), 'yes'), variables('publicIPPrefixProperty'), json('null'))]" + } + }, + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[variables('prefixDependsOn')]" + ], + "location": "[variables('location')]", + "name": "[parameters('vmName')]", + "sku": { + "name": "Standard" + }, + "properties": { + "idleTimeoutInMinutes": 30, + "publicIPAllocationMethod": "Static", + "dnsSettings": { + "domainNameLabel": "[concat(toLower(parameters('vmName')), '-vip-', uniquestring(resourceGroup().id, deployment().name))]" + }, + "publicIPPrefix": "[if(equals(parameters('publicIPPrefix'), 'yes'), variables('publicIPPrefixProperty'), json('null'))]" + } + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[coalesce(resourceId('Microsoft.Resources/deployments', 'networkNewSetup'), 
resourceId('Microsoft.Resources/deployments', 'networkExistingSetup'))]", + "[variables('elbId')]", + "[variables('gwPublicIPIds')[0]]", + "[variables('haPublicIPId')]" + ], + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), '1-', variables('nic1Name'))]", + "properties": { + "primary": true, + "enableIPForwarding": true, + "enableAcceleratedNetworking": "[not(equals(variables('osVersion'), 'R8010'))]", + "ipConfigurations": [ + { + "name": "member-ip", + "properties": { + "primary": true, + "privateIPAddress": "[variables('externalPrivateAddresses')[0]]", + "privateIPAllocationMethod": "Static", + "PublicIpAddress": { + "Id": "[variables('gwPublicIPIds')[0]]" + }, + "subnet": { + "id": "[resourceId(variables('vnetRGName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnet1Name'))]" + }, + "loadBalancerBackendAddressPools": [ + { + "id": "[variables('elbBEAddressPoolID')]" + } + ] + } + }, + { + "name": "cluster-vip", + "properties": { + "primary": false, + "privateIPAddress": "[variables('externalPrivateAddresses')[2]]", + "privateIPAllocationMethod": "Static", + "PublicIpAddress": { + "Id": "[variables('haPublicIPId')]" + }, + "subnet": { + "id": "[resourceId(variables('vnetRGName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnet1Name'))]" + } + } + } + ] + } + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[coalesce(resourceId('Microsoft.Resources/deployments', 'networkNewSetup'), resourceId('Microsoft.Resources/deployments', 'networkExistingSetup'))]", + "[variables('elbId')]", + "[variables('gwPublicIPIds')[1]]" + ], + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), '2-', variables('nic1Name'))]", + "properties": { + "primary": true, + "enableIPForwarding": true, + "enableAcceleratedNetworking": "[not(equals(variables('osVersion'), 
'R8010'))]", + "ipConfigurations": [ + { + "name": "member-ip", + "properties": { + "primary": true, + "privateIPAddress": "[variables('externalPrivateAddresses')[1]]", + "privateIPAllocationMethod": "Static", + "PublicIpAddress": { + "Id": "[variables('gwPublicIPIds')[1]]" + }, + "subnet": { + "id": "[resourceId(variables('vnetRGName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnet1Name'))]" + }, + "loadBalancerBackendAddressPools": [ + { + "id": "[variables('elbBEAddressPoolID')]" + } + ] + } + } + ] + } + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[coalesce(resourceId('Microsoft.Resources/deployments', 'networkNewSetup'), resourceId('Microsoft.Resources/deployments', 'networkExistingSetup'))]", + "[variables('ilbId')]" + ], + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), copyIndex(1), '-', variables('nic2Name'))]", + "copy": { + "name": "internalNicCopy", + "count": "[variables('count')]" + }, + "properties": { + "primary": false, + "enableIPForwarding": true, + "enableAcceleratedNetworking": "[not(equals(variables('osVersion'), 'R8010'))]", + "ipConfigurations": [ + { + "name": "member-ip", + "properties": { + "primary": true, + "privateIPAddress": "[variables('subnet2PrivateAddresses')[copyIndex()]]", + "privateIPAllocationMethod": "Static", + "subnet": { + "id": "[resourceId(variables('vnetRGName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnet2Name'))]" + }, + "loadBalancerBackendAddressPools": [ + { + "id": "[variables('ilbBEAddressPoolID')]" + } + ] + } + } + ] + } + }, + { + "condition": "[not(equals(parameters('sourceImageVhdUri'), 'noCustomUri'))]", + "type": "Microsoft.Compute/images", + "apiVersion": "2020-06-01", + "name": "[variables('customImage')]", + "location": "[variables('location')]", + "properties": { + "storageProfile": { + "osDisk": { + 
"osType": "Linux", + "osState": "Generalized", + "blobUri": "[parameters('sourceImageVhdUri')]", + "storageAccountType": "Standard_LRS" + } + }, + "hyperVGeneration": "V1" + } + }, + { + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2021-07-01", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]", + "[resourceId('Microsoft.Compute/availabilitySets', variables('availabilitySetName'))]", + "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), copyIndex(1), '-', variables('nic1Name')))]", + "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), copyIndex(1), '-', variables('nic2Name')))]", + "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + ], + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), copyIndex(1))]", + "zones": "[if(variables('useAZ'), array(copyIndex(1)), json('null'))]", + "copy": { + "name": "virtualMachineCopy", + "count": "[variables('count')]" + }, + "plan": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('plan'), json('null'))]", + "identity": "[if(equals(parameters('managedSystemAssigned'), 'yes'), variables('identity'), json('null'))]", + "properties": { + "UserData": "[base64(concat(variables('customData'), '\n', 'vnet=\"', if(equals(parameters('vnetNewOrExisting'), 'new'), reference('networkNewSetup').outputs.vnetAddressPrefixes.value[0], reference('networkExistingSetup').outputs.vnetAddressPrefixes.value[0]), '\"', '\n' ))]", + "availabilitySet": "[if(not(variables('useAZ')), variables('availabilitySetProperty'), json('null'))]", + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": "true", + "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2021-04-01').primaryEndpoints.blob]" + } + }, + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "networkProfile": { + 
"networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), copyIndex(1), '-', variables('nic1Name')))]", + "properties": { + "primary": true + } + }, + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), copyIndex(1), '-', variables('nic2Name')))]", + "properties": { + "primary": false + } + } + ] + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "[variables('adminUsername')]", + "computername": "[concat(toLower(parameters('vmName')), copyIndex(1))]", + "customData": "[base64(concat(variables('customData'), '\n', 'vnet=\"', if(equals(parameters('vnetNewOrExisting'), 'new'), reference('networkNewSetup').outputs.vnetAddressPrefixes.value[0], reference('networkExistingSetup').outputs.vnetAddressPrefixes.value[0]), '\"', '\n' ))]", + "linuxConfiguration": "[variables('linuxConfiguration')]" + }, + "storageProfile": { + "imageReference": "[variables('imageReference')]", + "osDisk": { + "caching": "ReadWrite", + "createOption": "FromImage", + "diskSizeGB": "[variables('diskSizeGB')]", + "name": "[concat(parameters('vmName'), copyIndex(1))]", + "managedDisk": { + "storageAccountType": "[parameters('diskType')]" + } + } + } + } + }, + { + "type": "Microsoft.Network/loadBalancers", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[variables('elbPublicIPId')]" + ], + "name": "[variables('elbName')]", + "location": "[variables('location')]", + "sku": { + "name": "Standard" + }, + "properties": { + "frontendIPConfigurations": [ + { + "name": "LoadBalancerFrontend", + "properties": { + "publicIPAddress": { + "id": "[variables('elbPublicIPId')]", + "publicIPPrefix": { + "id": "[if(equals(parameters('publicIPPrefix'), 'yes'), variables('usepublicIPPrefix'), json('null'))]" + } + } + } + } + ], + "backendAddressPools": [ + { + "name": "[variables('elbBEAddressPool')]" + } + ], + "probes": [ + { + "name": "[variables('appProbeName')]", + 
"properties": { + "protocol": "tcp", + "port": 8117, + "intervalInSeconds": 5, + "numberOfProbes": 2 + } + } + ] + } + }, + { + "condition": "[equals(parameters('managedSystemAssigned'), 'yes')]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[guid(resourceGroup().id, concat(parameters('vmName'), copyIndex(1)))]", + "copy": { + "name": "virtualMachineCopy", + "count": "[variables('count')]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), copyIndex(1)))]" + ], + "properties": { + "roleDefinitionId": "[variables('roleDefinitionId')]", + "scope": "[resourceGroup().id]", + "principalId": "[reference(resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), copyIndex(1))), '2021-07-01', 'Full').identity.principalId]" + } + }, + { + "type": "Microsoft.Network/loadBalancers", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[coalesce(resourceId('Microsoft.Resources/deployments', 'networkNewSetup'), resourceId('Microsoft.Resources/deployments', 'networkExistingSetup'))]" + ], + "name": "[variables('ilbName')]", + "location": "[variables('location')]", + "sku": { + "name": "Standard" + }, + "properties": { + "frontendIPConfigurations": [ + { + "name": "[variables('ilbName')]", + "properties": { + "privateIPAllocationMethod": "Static", + "privateIPAddress": "[variables('internalLBPrivateIPAddress')]", + "subnet": { + "id": "[resourceId(variables('vnetRGName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnet2Name'))]" + } + } + } + ], + "backendAddressPools": [ + { + "name": "[variables('ilbBEAddressPool')]" + } + ], + "loadBalancingRules": [ + { + "name": "[variables('ilbName')]", + "properties": { + "frontendIPConfiguration": { + "id": "[variables('ilbFEIPConfigID')]" + }, + "backendAddressPool": { + "id": "[variables('ilbBEAddressPoolID')]" + }, + "probe": { + "id": "[variables('ilbProbeID')]" 
+ },
+ "protocol": "All",
+ "frontendPort": 0,
+ "backendPort": 0,
+ "loadDistribution": "Default",
+ "enableFloatingIP": "[variables('enableFloatingIP')]"
+ }
+ }
+ ],
+ "probes": [
+ {
+ "name": "[variables('ilbProbeName')]",
+ "properties": {
+ "protocol": "tcp",
+ "port": 8117,
+ "intervalInSeconds": 5,
+ "numberOfProbes": 2
+ }
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {
+ "HaIPAddr": {
+ "type": "string",
+ "value": "[reference(variables('haPublicIPId')).IpAddress]"
+ },
+ "HaFQDN": {
+ "type": "string",
+ "value": "[reference(variables('haPublicIPId')).dnsSettings.fqdn]"
+ },
+ "Member1IPAddr": {
+ "type": "string",
+ "value": "[reference(variables('gwPublicIPIds')[0]).IpAddress]"
+ },
+ "Member1FQDN": {
+ "type": "string",
+ "value": "[reference(variables('gwPublicIPIds')[0]).dnsSettings.fqdn]"
+ },
+ "Member2IPAddr": {
+ "type": "string",
+ "value": "[reference(variables('gwPublicIPIds')[1]).IpAddress]"
+ },
+ "Member2FQDN": {
+ "type": "string",
+ "value": "[reference(variables('gwPublicIPIds')[1]).dnsSettings.fqdn]"
+ }
+ }
+}
\ No newline at end of file
diff --git a/deprecated/azure/templates/R8030/ha-r8030/nestedtemplates/vnet-2-subnet-ha2-existing.json b/deprecated/azure/templates/R8030/ha-r8030/nestedtemplates/vnet-2-subnet-ha2-existing.json
new file mode 100644
index 00000000..561fcd21
--- /dev/null
+++ b/deprecated/azure/templates/R8030/ha-r8030/nestedtemplates/vnet-2-subnet-ha2-existing.json
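Review bot: The one-time SIC key arrives as a `securestring` parameter, but `variables('customData')` interpolates it as `sicKey="…"` and the virtual machine resource then emits that same blob twice — once as `osProfile.customData` and once as the top-level `"UserData"` property — so the secret's protection ends at the parameter boundary. Azure user data is, to my recollection, readable through the VM GET API with `$expand=userData` and from IMDS inside the guest, which is a wider audience than the VM's own provisioning agent; if the image only consumes `osProfile.customData`, drop the `"UserData": "[base64(concat(variables('customData'), …))]"` line, otherwise build user data from a copy of the string without `sicKey`. The same `customData` expression also writes `location="…"` twice (immediately before and after the `sicKey` entry), which reads like a copy-paste leftover. Separately, the default `role` of Contributor is granted to the VM identity at `resourceGroup().id` scope; a comment in the parameter's metadata describing what the gateway needs it for would help reviewers judge whether a narrower role is possible.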
@@ -0,0 +1,30 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "virtualNetworkName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the virtual network"
+ },
+ "defaultValue": "vnet"
+ },
+ "virtualNetworkExistingRGName": {
+ "type": "string",
+ "metadata": {
+ "description": "Resource Group of the existing virtual network"
+ },
+ "defaultValue": ""
+ }
+ },
+ "variables": {
+ "vnetId": "[resourceId(parameters('virtualNetworkExistingRGName'),'Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]"
+ },
+ "resources": [],
+ "outputs": {
+ "vnetId": {
+ "value": "[variables('vnetId')]",
+ "type": "string"
+ }
+ }
+}
\ No newline at end of file
diff --git a/deprecated/azure/templates/R8030/ha-r8030/nestedtemplates/vnet-2-subnet-ha2-new.json b/deprecated/azure/templates/R8030/ha-r8030/nestedtemplates/vnet-2-subnet-ha2-new.json
new file mode 100644
index 00000000..88e8796d
--- /dev/null
+++ b/deprecated/azure/templates/R8030/ha-r8030/nestedtemplates/vnet-2-subnet-ha2-new.json
@@ -0,0 +1,178 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "virtualNetworkName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the virtual network"
+ },
+ "defaultValue": "vnet"
+ },
+ "virtualNetworkAddressPrefixes": {
+ "type": "array",
+ "metadata": {
+ "description": "The address prefixes of the virtual network"
+ }
+ },
+ "Subnet1Name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the 1st subnet"
+ },
+ "defaultValue": "Frontend"
+ },
+ "Subnet1Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the 1st subnet"
+ },
+ "defaultValue": "10.0.1.0/24"
+ },
+ "Subnet2Name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the 2nd subnet"
+ },
+ "defaultValue": "Backend"
+ },
+ "Subnet2Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the 2nd subnet"
+ },
+ "defaultValue": "10.0.2.0/24"
+ },
+ "nsgName": {
+ "type": "string",
+ "metadata": {
+ "description": "Name of the network security group"
+ }
+ }
+ },
+ "variables": {
+ "copy": [
+ {
+ "name": "toInternalRoutes",
+ "count": "[length(parameters('virtualNetworkAddressPrefixes'))]",
+ "input": {
+ "name": "[concat('To-Internal-',copyIndex('toInternalRoutes'))]",
+ "properties": {
+ "addressPrefix": "[parameters('virtualNetworkAddressPrefixes')[copyIndex('toInternalRoutes')]]",
+ "nextHopType": "None"
+ }
+ }
+ }
+ ],
+ "localSubnetRoute": [
+ {
+ "name": "Local-Subnet",
+ "properties": {
+ "addressPrefix": "[parameters('Subnet1Prefix')]",
+ "nextHopType": "VnetLocal"
+ }
+ }
+ ],
+ "routesArray": "[concat(variables('localSubnetRoute'), variables('toInternalRoutes'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Network/networkSecurityGroups",
+ "apiVersion": "2020-06-01",
+ "location": "[parameters('location')]",
+ "name": 
"[parameters('nsgName')]",
+ "properties": {
+ "securityRules": [
+ {
+ "name": "AllowAllInBound",
+ "properties": {
+ "description": "Allow all inbound connections",
+ "protocol": "*",
+ "sourcePortRange": "*",
+ "destinationPortRange": "*",
+ "sourceAddressPrefix": "*",
+ "destinationAddressPrefix": "*",
+ "access": "Allow",
+ "priority": "100",
+ "direction": "Inbound"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Network/routeTables",
+ "apiVersion": "2020-06-01",
+ "location": "[parameters('location')]",
+ "name": "[parameters('Subnet1Name')]",
+ "properties": {
+ "routes": "[variables('routesArray')]"
+ }
+ },
+ {
+ "type": "Microsoft.Network/routeTables",
+ "apiVersion": "2020-06-01",
+ "location": "[parameters('location')]",
+ "name": "[parameters('Subnet2Name')]",
+ "properties": {
+ "routes": [
+ {
+ "name": "To-Internet",
+ "properties": {
+ "addressPrefix": "0.0.0.0/0",
+ "nextHopType": "None"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Network/virtualNetworks",
+ "apiVersion": "2020-06-01",
+ "location": "[parameters('location')]",
+ "name": "[parameters('virtualNetworkName')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsgName'))]",
+ "[resourceId('Microsoft.Network/routeTables', parameters('Subnet1Name'))]",
+ "[resourceId('Microsoft.Network/routeTables', parameters('Subnet2Name'))]"
+ ],
+ "properties": {
+ "addressSpace": {
+ "addressPrefixes": "[parameters('virtualNetworkAddressPrefixes')]"
+ },
+ "subnets": [
+ {
+ "name": "[parameters('Subnet1Name')]",
+ "properties": {
+ "networkSecurityGroup": {
+ "id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsgName'))]"
+ },
+ "addressPrefix": "[parameters('Subnet1Prefix')]",
+ "routeTable": {
+ "id": "[resourceId('Microsoft.Network/routeTables', parameters('Subnet1Name'))]"
+ }
+ }
+ },
+ {
+ "name": "[parameters('Subnet2Name')]",
+ "properties": {
+ "addressPrefix": "[parameters('Subnet2Prefix')]",
+ "routeTable": {
+ "id": 
"[resourceId('Microsoft.Network/routeTables', parameters('Subnet2Name'))]"
+ }
+ }
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {
+ "vnetId": {
+ "value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]",
+ "type": "string"
+ }
+ }
+}
\ No newline at end of file
diff --git a/deprecated/azure/templates/R8030/mds-r8030/README.MD b/deprecated/azure/templates/R8030/mds-r8030/README.MD
new file mode 100644
index 00000000..c61e7e85
--- /dev/null
+++ b/deprecated/azure/templates/R8030/mds-r8030/README.MD
@@ -0,0 +1,13 @@
+# How to deploy this template
+To deploy this ARM template, follow these instructions:
+1. Log in to the [Microsoft Azure Portal](https://portal.azure.com)
+2. Click "*Create a resource*"
+3. Search for "*Template deployment (deploy using custom templates)*" and click "*Create*"
+4. Click "*Build your own template in the editor*"
+5. Load the "*mainTemplate.json*" file from this directory and click "*Save*"
+6. Enter the desired template parameters
+ - Replace the "*_artifacts Location*" property with:
+ ```
+ https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/deprecated/azure/templates/mds-r8030/
+ ```
+7. Click *Purchase* to deploy the solution
diff --git a/deprecated/azure/templates/R8030/mds-r8030/createUiDefinition.json b/deprecated/azure/templates/R8030/mds-r8030/createUiDefinition.json
new file mode 100644
index 00000000..4f4f0df1
--- /dev/null
+++ b/deprecated/azure/templates/R8030/mds-r8030/createUiDefinition.json
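Review bot: The `AllowAllInBound` rule in the `nsgName` security group admits every protocol and port from source `*`, and that NSG is bound to `Subnet1Name`, so any other resource later placed in that subnet inherits the same exposure. Presumably this is deliberate because the cluster members in that subnet do their own filtering, but the rule's description does not say so; consider `"description": "Allow all inbound connections; traffic filtering is expected to be done by the cluster members, not by this NSG"`. `Subnet2Name` is created with a route table but no NSG at all, which is worth stating in the same place if it is intended.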
@@ -0,0 +1,377 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Compute.MultiVm",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "basics": [
+ {
+ "name": "CloudGuard MDS deployment guide",
+ "type": "Microsoft.Common.TextBlock",
+ "visible": true,
+ "options": {
+ "text": "Please follow the Check Point MDS Deployment for Azure.",
+ "link": {
+ "label": "MDS Deployment Guide",
+ "uri": "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk154436&partition=Basic&product=CloudGuard"
+ }
+ }
+ },
+ {
+ "name": "gatewayNameUi",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Server Name",
+ "toolTip": "The name of the Check Point Multi-Domain Server.",
+ "constraints": {
+ "required": true,
+ "regex": "^[a-z0-9A-Z]{1,30}$",
+ "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long."
+ }
+ },
+ {
+ "name": "auth",
+ "type": "Microsoft.Compute.CredentialsCombo",
+ "label": {
+ "authenticationType": "Authentication type",
+ "password": "Password",
+ "confirmPassword": "Confirm password",
+ "sshPublicKey": "SSH public key"
+ },
+ "toolTip": {
+ "password": "The user 'admin' password",
+ "sshPublicKey": "Paste an OpenSSH public key. 
You can generate a key pair using ssh-keygen (Linux, OS X, Cygwin) or PuttyGen (Windows)"
+ },
+ "constraints": {
+ "required": true
+ },
+ "options": {
+ "hideConfirmation": false,
+ "hidePassword": false
+ },
+ "osPlatform": "Linux"
+ }
+ ],
+ "steps": [
+ {
+ "name": "chkp",
+ "label": "Check Point Multi-Domain Server settings",
+ "subLabel": {
+ "preValidation": "Configure additional settings",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Multi-Domain Server settings",
+ "elements": [
+ {
+ "name": "cloudGuardVersion",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Check Point CloudGuard version",
+ "defaultValue": "R80.30",
+ "toolTip": "The version of Check Point CloudGuard.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "R80.30",
+ "value": "R80.30"
+ }
+ ]
+ }
+ },
+ {
+ "name": "R80Offer",
+ "type": "Microsoft.Common.DropDown",
+ "label": "License type",
+ "toolTip": "The type of license.",
+ "defaultValue": "Bring Your Own License",
+ "visible": true,
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Bring Your Own License",
+ "value": "Bring Your Own License"
+ }
+ ]
+ }
+ },
+ {
+ "name": "R8030vmSizeUiBYOL",
+ "type": "Microsoft.Compute.SizeSelector",
+ "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.30'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]",
+ "label": "Virtual machine size",
+ "toolTip": "The VM size. 
Minimum of 16 cores and 64 GB RAM is required.",
+ "recommendedSizes": [
+ "Standard_DS5_v2",
+ "Standard_DS15_v2"
+ ],
+ "constraints": {
+ "excludedSizes": [
+ "Standard_A1_v2",
+ "Standard_D1_v2",
+ "Standard_DS1_v2",
+ "Standard_F1",
+ "Standard_F1s",
+ "Standard_G1",
+ "Standard_GS1"
+ ]
+ },
+ "osPlatform": "Linux",
+ "imageReference": {
+ "publisher": "checkpoint",
+ "offer": "check-point-cg-r8030",
+ "sku": "mgmt-byol"
+ },
+ "count": 1
+ },
+ {
+ "name": "installationType",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Installation type",
+ "defaultValue": "Primary Multi-Domain Server",
+ "toolTip": "Select the type of deployment",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Primary Multi-Domain Server",
+ "value": "mds-primary"
+ },
+ {
+ "label": "Secondary Multi-Domain Server",
+ "value": "mds-secondary"
+ },
+ {
+ "label": "Multi-Domain Log Server",
+ "value": "mds-logserver"
+ }
+ ]
+ }
+ },
+ {
+ "name": "adminShell",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Default shell for the admin user",
+ "defaultValue": "/etc/cli.sh",
+ "toolTip": "The default shell for the admin user",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "/etc/cli.sh",
+ "value": "/etc/cli.sh"
+ },
+ {
+ "label": "/bin/bash",
+ "value": "/bin/bash"
+ },
+ {
+ "label": "/bin/csh",
+ "value": "/bin/csh"
+ },
+ {
+ "label": "/bin/tcsh",
+ "value": "/bin/tcsh"
+ }
+ ]
+ }
+ },
+ {
+ "name": "managementGUIClientNetwork",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Allowed GUI clients",
+ "toolTip": "GUI clients network CIDR",
+ "constraints": {
+ "required": true,
+ "regex": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(0|32))?$",
+ "validationMessage": "Enter a valid IPv4 network CIDR"
+ }
+ },
+ {
+ "name": "sicKeyUi",
+ "type": "Microsoft.Common.PasswordBox",
+ "label": {
+ "password": "SIC key",
+ "confirmPassword": "Confirm SIC key"
+ },
+ "toolTip": "Set the Secure Internal 
Communication one time secret used to set up trust between the primary and secondary servers. SIC key must be provided if installing a secondary Multi-Domain Server.",
+ "constraints": {
+ "required": true,
+ "regex": "^[a-z0-9A-Z]{12,30}$",
+ "validationMessage": "Only alphanumeric characters are allowed, and the value must be 12-30 characters long."
+ },
+ "options": {
+ "hideConfirmation": false
+ },
+ "visible": "[not(equals(steps('chkp').installationType, 'mds-primary'))]"
+ },
+ {
+ "name": "bootstrapScript",
+ "type": "Microsoft.Common.FileUpload",
+ "label": "Bootstrap script",
+ "toolTip": "An optional script to run on the initial boot",
+ "constraints": {
+ "required": false,
+ "accept": ".sh,text/plain"
+ },
+ "options": {
+ "multiple": false,
+ "uploadMode": "file",
+ "openMode": "text",
+ "encoding": "UTF-8"
+ }
+ },
+ {
+ "name": "allowUploadDownload",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Automatically download updates and share statistical data for product improvement purpose",
+ "defaultValue": "Yes",
+ "toolTip": "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "true"
+ },
+ {
+ "label": "No",
+ "value": "false"
+ }
+ ]
+ }
+ },
+ {
+ "name": "additionalDiskSizeGB",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Additional disk space (GB)",
+ "defaultValue": "0",
+ "toolTip": "Additional disk space (in GB), Initial disk size is 100 GB.",
+ "constraints": {
+ "regex": "^([0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-2][0-9][0-9][0-9]|3[0-8][0-9][0-9]|399[0-5])$",
+ "validationMessage": "Select a number between 0 and 3995"
+ }
+ },
+ {
+ "name": "VMDiskType",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "VM disk type",
+ "toolTip": "Type of CloudGuard disk.",
+ "visible": "[or(contains(steps('chkp').R8030vmSizeUiBYOL, 'DS'), contains(steps('chkp').R8040vmSizeUiBYOL, 'DS'))]",
+ "defaultValue": "Standard",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Standard",
+ "value": "Standard_LRS"
+ },
+ {
+ "label": "Premium",
+ "value": "Premium_LRS"
+ }
+ ]
+ }
+ },
+ {
+ "name": "useCustomImageUri",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Use custom image uri",
+ "defaultValue": "No",
+ "toolTip": "Use custom image URI.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ],
+ "required": true
+ },
+ "visible": false
+ },
+ {
+ "name": "sourceImageVhdUri",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Development Image URI",
+ "toolTip": "The URI of the blob containing the development image",
+ "constraints": {
+ "required": "[equals(steps('chkp').useCustomImageUri, 'Yes')]",
+ "regex": "^[a-z0-9A-Z_\\-\\.\\:\\/]{1,500}.vhd$",
+ "validationMessage": "Only alphanumeric characters and '_','-','.',':','/' are allowed, the value must be 1-500 characters long and must end with .vhd. 
"
+ },
+ "visible": "[equals(steps('chkp').useCustomImageUri, 'Yes')]"
+ }
+ ]
+ },
+ {
+ "name": "network",
+ "label": "Network settings",
+ "subLabel": {
+ "preValidation": "Configure network settings",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Network settings",
+ "elements": [
+ {
+ "name": "virtualNetwork",
+ "type": "Microsoft.Network.VirtualNetworkCombo",
+ "label": {
+ "virtualNetwork": "Virtual network",
+ "subnets": "Subnet"
+ },
+ "toolTip": {
+ "virtualNetwork": "Virtual Network Name",
+ "subnets": "The subnet to deploy into"
+ },
+ "defaultValue": {
+ "name": "vnet01",
+ "addressPrefixSize": "/20"
+ },
+ "constraints": {
+ "minAddressPrefixSize": "/29"
+ },
+ "options": {
+ "hideExisting": false
+ },
+ "subnets": {
+ "subnet1": {
+ "label": "Multi-Domain Server subnet",
+ "defaultValue": {
+ "name": "Multi-Domain-Server",
+ "addressPrefixSize": "/24"
+ },
+ "constraints": {
+ "minAddressPrefixSize": "/29",
+ "minAddressCount": 1,
+ "requireContiguousAddresses": true
+ }
+ }
+ }
+ }
+ ]
+ }
+ ],
+ "outputs": {
+ "location": "[location()]",
+ "cloudGuardVersion": "[concat(steps('chkp').cloudGuardVersion, ' - ', coalesce(steps('chkp').R80Offer, 'Bring Your Own License'))]",
+ "adminPassword": "[basics('auth').password]",
+ "authenticationType": "[basics('auth').authenticationType]",
+ "sshPublicKey": "[basics('auth').sshPublicKey]",
+ "vmName": "[basics('gatewayNameUi')]",
+ "vmSize": "[steps('chkp').R8030vmSizeUiBYOL]",
+ "virtualNetworkName": "[steps('network').virtualNetwork.name]",
+ "virtualNetworkAddressPrefix": "[steps('network').virtualNetwork.addressPrefix]",
+ "Subnet1Name": "[steps('network').virtualNetwork.subnets.subnet1.name]",
+ "Subnet1Prefix": "[steps('network').virtualNetwork.subnets.subnet1.addressPrefix]",
+ "Subnet1StartAddress": "[steps('network').virtualNetwork.subnets.subnet1.startAddress]",
+ "vnetNewOrExisting": "[steps('network').virtualNetwork.newOrExisting]",
+ "virtualNetworkExistingRGName": 
"[steps('network').virtualNetwork.resourceGroup]",
+ "managementGUIClientNetwork": "[if(contains(steps('chkp').managementGUIClientNetwork, '/'), steps('chkp').managementGUIClientNetwork, concat(steps('chkp').managementGUIClientNetwork, '/32'))]",
+ "sicKey": "[coalesce(steps('chkp').sicKeyUi, 'notused')]",
+ "installationType": "[steps('chkp').installationType]",
+ "bootstrapScript": "[steps('chkp').bootstrapScript]",
+ "allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp').allowUploadDownload, 'true')]",
+ "additionalDiskSizeGB": "[int(steps('chkp').additionalDiskSizeGB)]",
+ "diskType": "[coalesce(steps('chkp').VMDiskType, 'Standard_LRS')]",
+ "sourceImageVhdUri": "[coalesce(steps('chkp').sourceImageVhdUri, 'noCustomUri')]",
+ "adminShell": "[steps('chkp').adminShell]"
+ }
+ }
+}
\ No newline at end of file
diff --git a/deprecated/azure/templates/R8030/mds-r8030/mainTemplate.json b/deprecated/azure/templates/R8030/mds-r8030/mainTemplate.json
new file mode 100644
index 00000000..b59710f4
--- /dev/null
+++ b/deprecated/azure/templates/R8030/mds-r8030/mainTemplate.json
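Review bot: The `managementGUIClientNetwork` regex accepts only a bare IPv4 address or a `/0` or `/32` suffix, so a user cannot restrict the allowed GUI clients to an ordinary network such as a /24 even though the label and validation message ask for a CIDR; because this value becomes the source prefix of the SSH, HTTPS and SmartConsole rules in mainTemplate.json, the validator effectively steers users toward a single host or the whole Internet. A prefix range of 0–32 would match the message: `"regex": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))?$"`. Separately, the `VMDiskType` visibility expression references `steps('chkp').R8040vmSizeUiBYOL`, which is not an element of this definition (only `R8030vmSizeUiBYOL` is declared) and looks like a leftover from an R80.40 variant.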
@@ -0,0 +1,625 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "Deployment location"
+ },
+ "defaultValue": "[resourceGroup().location]"
+ },
+ "cloudGuardVersion": {
+ "type": "string",
+ "allowedValues": [
+ "R80.30 - Bring Your Own License"
+ ],
+ "defaultValue": "R80.30 - Bring Your Own License",
+ "metadata": {
+ "description": "Version of Check Point CloudGuard"
+ }
+ },
+ "adminPassword": {
+ "type": "securestring",
+ "metadata": {
+ "description": "Administrator password"
+ },
+ "defaultValue": ""
+ },
+ "authenticationType": {
+ "type": "string",
+ "allowedValues": [
+ "password",
+ "sshPublicKey"
+ ],
+ "defaultValue": "password",
+ "metadata": {
+ "description": "Authentication type"
+ }
+ },
+ "sshPublicKey": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Administrator SSH public key"
+ }
+ },
+ "vmName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the Check Point Multi-Domain Server." 
+ }
+ },
+ "vmSize": {
+ "type": "string",
+ "defaultValue": "Standard_DS5_v2",
+ "metadata": {
+ "description": "Size of the VM"
+ }
+ },
+ "adminShell": {
+ "type": "string",
+ "defaultValue": "/etc/cli.sh",
+ "allowedValues": [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"
+ ],
+ "metadata": {
+ "Description": "The default shell for the admin user"
+ }
+ },
+ "virtualNetworkName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the virtual network"
+ },
+ "defaultValue": "vnet01"
+ },
+ "virtualNetworkAddressPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the virtual network"
+ },
+ "defaultValue": "10.0.0.0/16"
+ },
+ "Subnet1Name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the subnet"
+ },
+ "defaultValue": "Multi-Domain-Server"
+ },
+ "Subnet1Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the subnet"
+ },
+ "defaultValue": "10.0.1.0/24"
+ },
+ "Subnet1StartAddress": {
+ "type": "string",
+ "metadata": {
+ "description": "The first available address on the subnet"
+ },
+ "defaultValue": "10.0.1.10"
+ },
+ "vnetNewOrExisting": {
+ "type": "string",
+ "defaultValue": "new",
+ "allowedValues": [
+ "new",
+ "existing"
+ ],
+ "metadata": {
+ "Description": "Indicates whether the virtual network is new or existing"
+ }
+ },
+ "virtualNetworkExistingRGName": {
+ "type": "string",
+ "metadata": {
+ "description": "Resource Group of the existing virtual network"
+ },
+ "defaultValue": "[resourceGroup().name]"
+ },
+ "managementGUIClientNetwork": {
+ "type": "string",
+ "metadata": {
+ "description": "Allowed GUI clients"
+ },
+ "defaultValue": "0.0.0.0/0"
+ },
+ "sicKey": {
+ "type": "securestring",
+ "metadata": {
+ "description": "One time key for Secure Internal Communication"
+ }
+ },
+ "installationType": {
+ "type": "string",
+ "metadata": {
+ "description": "Installation Type"
+ },
+ "defaultValue": "mds-primary",
+ 
"allowedValues": [
+ "mds-primary",
+ "mds-secondary",
+ "mds-logserver"
+ ]
+ },
+ "bootstrapScript": {
+ "type": "string",
+ "metadata": {
+ "description": "Bootstrap script"
+ },
+ "defaultValue": ""
+ },
+ "allowDownloadFromUploadToCheckPoint": {
+ "type": "string",
+ "allowedValues": [
+ "true",
+ "false"
+ ],
+ "defaultValue": "true",
+ "metadata": {
+ "description": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point"
+ }
+ },
+ "additionalDiskSizeGB": {
+ "type": "int",
+ "defaultValue": 0,
+ "metadata": {
+ "description": "Amount of additional disk space (in GB)"
+ },
+ "minValue": 0,
+ "maxValue": 3995
+ },
+ "diskType": {
+ "type": "string",
+ "defaultValue": "Standard_LRS",
+ "metadata": {
+ "description": "The type of the OS disk. Premium is applicable only to DS machine sizes"
+ },
+ "allowedValues": [
+ "Standard_LRS",
+ "Premium_LRS"
+ ]
+ },
+ "msi": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Configure managed service identity for the VM"
+ }
+ },
+ "sourceImageVhdUri": {
+ "type": "string",
+ "defaultValue": "noCustomUri",
+ "metadata": {
+ "description": "The URI of the blob containing the development image"
+ }
+ },
+ "_artifactsLocation": {
+ "type": "string",
+ "metadata": {
+ "description": "Use the following URI when deploying a custom template: https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/"
+ },
+ "defaultValue": "[deployment().properties.templateLink.uri]"
+ },
+ "_artifactsLocationSasToken": {
+ "type": "securestring",
+ "metadata": {
+ "description": "The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. Use the defaultValue if the staging location is not secured." 
+ },
+ "defaultValue": ""
+ }
+ },
+ "variables": {
+ "templateName": "mds",
+ "templateVersion": "20220130",
+ "location": "[parameters('location')]",
+ "offers": {
+ "R80.30 - Bring Your Own License": "BYOL"
+ },
+ "offer": "[variables('offers')[parameters('cloudGuardVersion')]]",
+ "osVersions": {
+ "R80.30 - Bring Your Own License": "R8030"
+ },
+ "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]",
+ "adminUsername": "notused",
+ "isBlink": "[bool('false')]",
+ "primary": "[equals(parameters('installationType'), 'mds-primary')]",
+ "secondary": "[equals(parameters('installationType'), 'mds-secondary')]",
+ "logserver": "[equals(parameters('installationType'), 'mds-logserver')]",
+ "storageAccountName": "[concat('bootdiag', uniqueString(resourceGroup().id, deployment().name))]",
+ "storageAccountType": "Standard_LRS",
+ "diskSize100GB": 100,
+ "diskSizeGB": "[add(parameters('additionalDiskSizeGB'), variables('diskSize100GB'))]",
+ "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', parameters('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'managementGUIClientNetwork=\"', variables('managementGUIClientNetwork'), '\"', '\n', 'sicKey=\"', parameters('sicKey'), '\"', '\n', 'primary=\"', variables('primary'), '\"', '\n', 'secondary=\"', variables('secondary'), '\"', '\n', 'logserver=\"', variables('logserver'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n')]",
+ "customData64": "[base64(variables('customData'))]",
+ "imageOffer": "[concat('check-point-cg-', 
toLower(variables('osVersion')))]",
+ "imagePublisher": "checkpoint",
+ "imageReferenceBYOL": {
+ "offer": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]",
+ "sku": "mgmt-byol",
+ "version": "latest"
+ },
+ "imageReferenceMarketplace": "[variables('imageReferenceBYOL')]",
+ "customImage": "customImage",
+ "imageReferenceCustomUri": {
+ "id": "[resourceId('Microsoft.Compute/images/', variables('customImage'))]"
+ },
+ "imageReference": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('imageReferenceMarketplace'), variables('imageReferenceCustomUri'))]",
+ "nic1Name": "[concat(parameters('vmName'), '-eth0')]",
+ "linuxConfigurationpassword": {
+ "disablePasswordAuthentication": "false"
+ },
+ "linuxConfigurationsshPublicKey": {
+ "disablePasswordAuthentication": "true",
+ "ssh": {
+ "publicKeys": [
+ {
+ "keyData": "[parameters('sshPublicKey')]",
+ "path": "/home/notused/.ssh/authorized_keys"
+ }
+ ]
+ }
+ },
+ "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), variables('linuxConfigurationpassword'), variables('linuxConfigurationsshPublicKey'))]",
+ "planBYOL": {
+ "name": "mgmt-byol",
+ "product": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]"
+ },
+ "plan": "[if(equals(variables('offer'), 'BYOL'), variables('planBYOL'), variables('planBYOL'))]",
+ "identity": "[if(parameters('msi'), json('{\"type\": \"SystemAssigned\"}'), json('null'))]",
+ "publicIPAddressName": "[parameters('vmName')]",
+ "publicIPAddressId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName'))]",
+ "nsgName": "[concat(parameters('vmName'), '-nsg')]",
+ "nsgId": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName'))]",
+ "bootstrapScript64": "[base64(parameters('bootstrapScript'))]",
+ "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]",
+ "networkSetupURL": "[uri(parameters('_artifactsLocation'), 
concat('nestedtemplates/vnet-1-subnet-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]",
+ "managementGUIClientNetwork": "[parameters('managementGUIClientNetwork')]",
+ "deployNewVnet": "[equals(parameters('vnetNewOrExisting'), 'new')]",
+ "vnetRGName": "[if(variables('deployNewVnet'), resourceGroup().name, parameters('virtualNetworkExistingRGName'))]"
+ },
+ "resources": [
+ {
+ "apiVersion": "2020-06-01",
+ "name": "pid-6f13b00a-7546-4ab2-be9f-c66815cc6c8b-partnercenter",
+ "type": "Microsoft.Resources/deployments",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": []
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "name": "[variables('storageAccountName')]",
+ "apiVersion": "2021-04-01",
+ "properties": {
+ "supportsHttpsTrafficOnly": true,
+ "allowBlobPublicAccess": false,
+ "minimumTlsVersion": "TLS1_2"
+ },
+ "location": "[variables('location')]",
+ "sku": {
+ "name": "[variables('storageAccountType')]"
+ },
+ "kind": "Storage"
+ },
+ {
+ "condition": "[equals(parameters('vnetNewOrExisting'), 'new')]",
+ "name": "networkNewSetup",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "[variables('networkSetupURL')]",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "location": {
+ "value": "[variables('location')]"
+ },
+ "virtualNetworkName": {
+ "value": "[parameters('virtualNetworkName')]"
+ },
+ "virtualNetworkAddressPrefix": {
+ "value": "[parameters('virtualNetworkAddressPrefix')]"
+ },
+ "Subnet1Name": {
+ "value": "[parameters('Subnet1Name')]"
+ },
+ "Subnet1Prefix": {
+ "value": "[parameters('Subnet1Prefix')]"
+ }
+ }
+ }
+ },
+ {
+ "condition": "[equals(parameters('vnetNewOrExisting'), 'existing')]",
+ "name": "networkExistingSetup",
+ "type": 
"Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "[variables('networkSetupURL')]",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "location": {
+ "value": "[variables('location')]"
+ },
+ "virtualNetworkName": {
+ "value": "[parameters('virtualNetworkName')]"
+ },
+ "virtualNetworkExistingRGName": {
+ "value": "[variables('vnetRGName')]"
+ },
+ "vmName": {
+ "value": "[parameters('vmName')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Network/publicIPAddresses",
+ "apiVersion": "2020-06-01",
+ "location": "[variables('location')]",
+ "name": "[variables('publicIPAddressName')]",
+ "properties": {
+ "idleTimeoutInMinutes": 30,
+ "publicIPAllocationMethod": "Static",
+ "dnsSettings": {
+ "domainNameLabel": "[concat(toLower(parameters('vmName')), '-', uniquestring(resourceGroup().id, deployment().name))]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Network/networkSecurityGroups",
+ "apiVersion": "2020-06-01",
+ "location": "[variables('location')]",
+ "name": "[variables('nsgName')]",
+ "properties": {
+ "securityRules": [
+ {
+ "name": "SSH",
+ "properties": {
+ "description": "Allow inbound SSH connection",
+ "protocol": "TCP",
+ "sourcePortRange": "*",
+ "destinationPortRange": "22",
+ "sourceAddressPrefix": "[variables('managementGUIClientNetwork')]",
+ "destinationAddressPrefix": "*",
+ "access": "Allow",
+ "priority": "100",
+ "direction": "Inbound"
+ }
+ },
+ {
+ "name": "GAiA-portal",
+ "properties": {
+ "description": "Allow inbound HTTPS access to the GAiA portal",
+ "protocol": "TCP",
+ "sourcePortRange": "*",
+ "destinationPortRange": "443",
+ "sourceAddressPrefix": "[variables('managementGUIClientNetwork')]",
+ "destinationAddressPrefix": "*",
+ "access": "Allow",
+ "priority": "110",
+ "direction": "Inbound"
+ }
+ },
+ {
+ "name": "SmartConsole-1",
+ "properties": {
+ "description": "Allow inbound access using the SmartConsole GUI client",
+ "protocol": "TCP",
+ 
"sourcePortRange": "*",
+ "destinationPortRange": "18190",
+ "sourceAddressPrefix": "[variables('managementGUIClientNetwork')]",
+ "destinationAddressPrefix": "*",
+ "access": "Allow",
+ "priority": "120",
+ "direction": "Inbound"
+ }
+ },
+ {
+ "name": "SmartConsole-2",
+ "properties": {
+ "description": "Allow inbound access using the SmartConsole GUI client",
+ "protocol": "TCP",
+ "sourcePortRange": "*",
+ "destinationPortRange": "19009",
+ "sourceAddressPrefix": "[variables('managementGUIClientNetwork')]",
+ "destinationAddressPrefix": "*",
+ "access": "Allow",
+ "priority": "130",
+ "direction": "Inbound"
+ }
+ },
+ {
+ "name": "Logs",
+ "properties": {
+ "description": "Allow inbound logging connections from managed gateways",
+ "protocol": "TCP",
+ "sourcePortRange": "*",
+ "destinationPortRange": "257",
+ "sourceAddressPrefix": "*",
+ "destinationAddressPrefix": "*",
+ "access": "Allow",
+ "priority": "140",
+ "direction": "Inbound"
+ }
+ },
+ {
+ "name": "ICA-pull",
+ "properties": {
+ "description": "Allow security gateways to pull a SIC certificate",
+ "protocol": "TCP",
+ "sourcePortRange": "*",
+ "destinationPortRange": "18210",
+ "sourceAddressPrefix": "*",
+ "destinationAddressPrefix": "*",
+ "access": "Allow",
+ "priority": "150",
+ "direction": "Inbound"
+ }
+ },
+ {
+ "name": "CRL-fetch",
+ "properties": {
+ "description": "Allow security gateways to fetch CRLs",
+ "protocol": "TCP",
+ "sourcePortRange": "*",
+ "destinationPortRange": "18264",
+ "sourceAddressPrefix": "*",
+ "destinationAddressPrefix": "*",
+ "access": "Allow",
+ "priority": "160",
+ "direction": "Inbound"
+ }
+ },
+ {
+ "name": "Policy-fetch",
+ "properties": {
+ "description": "Allow security gateways to fetch policy",
+ "protocol": "TCP",
+ "sourcePortRange": "*",
+ "destinationPortRange": "18191",
+ "sourceAddressPrefix": "*",
+ "destinationAddressPrefix": "*",
+ "access": "Allow",
+ "priority": "170",
+ "direction": "Inbound"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "type": 
"Microsoft.Network/networkInterfaces", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[coalesce(resourceId('Microsoft.Resources/deployments', 'networkNewSetup'), resourceId('Microsoft.Resources/deployments', 'networkExistingSetup'))]", + "[variables('nsgId')]", + "[variables('publicIPAddressId')]" + ], + "location": "[variables('location')]", + "name": "[variables('nic1Name')]", + "properties": { + "enableIPForwarding": false, + "networkSecurityGroup": { + "id": "[variables('nsgId')]" + }, + "ipConfigurations": [ + { + "name": "ipconfig1", + "properties": { + "privateIPAddress": "[parameters('Subnet1StartAddress')]", + "privateIPAllocationMethod": "Static", + "PublicIpAddress": { + "Id": "[variables('publicIPAddressId')]" + }, + "subnet": { + "id": "[resourceId(variables('vnetRGName') ,'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('Subnet1Name'))]" + } + } + } + ] + } + }, + { + "condition": "[not(equals(parameters('sourceImageVhdUri'), 'noCustomUri'))]", + "type": "Microsoft.Compute/images", + "apiVersion": "2020-06-01", + "name": "[variables('customImage')]", + "location": "[variables('location')]", + "properties": { + "storageProfile": { + "osDisk": { + "osType": "Linux", + "osState": "Generalized", + "blobUri": "[parameters('sourceImageVhdUri')]", + "storageAccountType": "Standard_LRS" + } + }, + "hyperVGeneration": "V1" + } + }, + { + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2021-07-01", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]", + "[resourceId('Microsoft.Network/networkInterfaces', variables('nic1Name'))]", + "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + ], + "location": "[variables('location')]", + "name": "[parameters('vmName')]", + "plan": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('plan'), json('null'))]", + "identity": "[variables('identity')]", + "properties": { + 
"UserData": "[variables('customData64')]", + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": "true", + "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2021-06-01').primaryEndpoints.blob]" + } + }, + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nic1Name'))]", + "properties": { + "primary": true + } + } + ] + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "[variables('adminUsername')]", + "computerName": "[toLower(parameters('vmName'))]", + "customData": "[variables('customData64')]", + "linuxConfiguration": "[variables('linuxConfiguration')]" + }, + "storageProfile": { + "imageReference": "[variables('imageReference')]", + "osDisk": { + "caching": "ReadWrite", + "createOption": "FromImage", + "diskSizeGB": "[variables('diskSizeGB')]", + "name": "[parameters('vmName')]", + "managedDisk": { + "storageAccountType": "[parameters('diskType')]" + } + } + } + } + } + ], + "outputs": { + "IPAddress": { + "type": "string", + "value": "[reference(variables('publicIPAddressId')).IpAddress]" + }, + "FQDN": { + "type": "string", + "value": "[reference(variables('publicIPAddressId')).dnsSettings.fqdn]" + } + } +} diff --git a/deprecated/azure/templates/R8030/mds-r8030/nestedtemplates/vnet-1-subnet-existing.json b/deprecated/azure/templates/R8030/mds-r8030/nestedtemplates/vnet-1-subnet-existing.json new file mode 100644 index 00000000..d36ab635 --- /dev/null +++ b/deprecated/azure/templates/R8030/mds-r8030/nestedtemplates/vnet-1-subnet-existing.json 
@@ -0,0 +1,78 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "virtualNetworkName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the virtual network"
+ },
+ "defaultValue": "vnet"
+ },
+ "virtualNetworkExistingRGName": {
+ "type": "string",
+ "metadata": {
+ "description": "Resource Group of the existing virtual network"
+ },
+ "defaultValue": ""
+ },
+ "vmName": {
+ "type": "string"
+ },
+ "deployNsg": {
+ "type": "bool",
+ "defaultValue": false
+ }
+ },
+ "variables": {
+ "vnetId": "[resourceId(parameters('virtualNetworkExistingRGName'),'Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]",
+ "nsgName": "[concat(parameters('vmName'), '-nsg')]",
+ "nsgProperties": {
+ "id": "[resourceId(parameters('virtualNetworkExistingRGName'),'Microsoft.Network/networkSecurityGroups', variables('nsgName'))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Network/networkSecurityGroups",
+ "condition": "[parameters('deployNsg')]",
+ "apiVersion": "2020-06-01",
+ "location": "[parameters('location')]",
+ "name": "[variables('nsgName')]",
+ "properties": {
+ "securityRules": [
+ {
+ "name": "AllowAllInBound",
+ "properties": {
+ "description": "Allow all inbound connections",
+ "protocol": "*",
+ "sourcePortRange": "*",
+ "destinationPortRange": "*",
+ "sourceAddressPrefix": "*",
+ "destinationAddressPrefix": "*",
+ "access": "Allow",
+ "priority": "100",
+ "direction": "Inbound"
+ }
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {
+ "vnetId": {
+ "value": "[variables('vnetId')]",
+ "type": "string"
+ },
+ "vnetAddressPrefix": {
+ "value": "[reference(variables('vnetId'),'2018-11-01').addressSpace.addressPrefixes[0]]",
+ "type": "string"
+ },
+ "nsgProperties": {
+ "value": "[variables('nsgProperties')]",
+ "type": "object"
+ }
+ }
+}
\ No newline at end of file
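Review bot: The `AllowAllInBound` rule in `vnet-1-subnet-existing.json` is a wildcard on protocol, ports, source and destination (`"sourceAddressPrefix": "*"`, `"destinationPortRange": "*"`), so whenever `deployNsg` is true this nested template attaches an NSG that admits every inbound connection, and the `deployNsg` parameter carries no metadata saying so; the identical rule appears in `vnet-1-subnet-new.json` in the next hunk. The deployment that calls this template in the preceding hunk passes only location, virtualNetworkName, virtualNetworkExistingRGName and vmName, so `deployNsg` stays at its default of false and nothing is opened by default, but a reader of the nested template alone cannot see that. Add `"metadata": { "description": "When true, deploys an NSG whose single rule allows all inbound traffic; callers are expected to restrict access elsewhere" }` to `deployNsg`, or take the rule's source prefix from a parameter instead of `*`.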
diff --git a/deprecated/azure/templates/R8030/mds-r8030/nestedtemplates/vnet-1-subnet-new.json b/deprecated/azure/templates/R8030/mds-r8030/nestedtemplates/vnet-1-subnet-new.json
new file mode 100644
index 00000000..479e15d1
--- /dev/null
+++ b/deprecated/azure/templates/R8030/mds-r8030/nestedtemplates/vnet-1-subnet-new.json
@@ -0,0 +1,157 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "virtualNetworkName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the virtual network"
+ },
+ "defaultValue": "vnet"
+ },
+ "virtualNetworkAddressPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the virtual network"
+ }
+ },
+ "Subnet1Name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the 1st subnet"
+ },
+ "defaultValue": "Frontend"
+ },
+ "Subnet1Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the 1st subnet"
+ },
+ "defaultValue": "10.0.1.0/24"
+ },
+ "vmName": {
+ "type": "string",
+ "defaultValue": "[concat(resourceGroup().name, '-vnet')]"
+ },
+ "deployNsg": {
+ "type": "bool",
+ "defaultValue": false
+ },
+ "deployRouteTable": {
+ "type": "bool",
+ "defaultValue": false
+ },
+ "deployGWLB": {
+ "type": "bool",
+ "defaultValue": false
+ }
+ },
+ "variables": {
+ "localSubnetRoute": [
+ {
+ "name": "Local-Subnet",
+ "properties": {
+ "addressPrefix": "[parameters('subnet1Prefix')]",
+ "nextHopType": "VnetLocal"
+ }
+ },
+ {
+ "name": "To-VNet",
+ "properties": {
+ "addressPrefix": "[parameters('virtualNetworkAddressPrefix')]",
+ "nextHopType": "None"
+ }
+ }
+ ],
+ "routesArray": "[variables('localSubnetRoute')]",
+ "nsgName": "[concat(parameters('vmName'), '-nsg')]",
+ "nsgProperties": {
+ "id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName'))]"
+ },
+ "routeTableID": "[resourceId('Microsoft.Network/routeTables', parameters('subnet1Name'))]",
+ "routeTableProperties": {
+ "id": "[variables('routeTableID')]"
+ },
+ "deployGWLB": "[parameters('deployGWLB')]",
+ "vnetProperties": {
+ "addressSpace": {
+ "addressPrefixes": [
+ "[parameters('virtualNetworkAddressPrefix')]"
+ ]
+ },
+ "subnets": [
+ {
+ "name": "[parameters('subnet1Name')]",
+ "properties": {
+ "addressPrefix": "[parameters('subnet1Prefix')]",
+ "routeTable": "[if(and(parameters('deployRouteTable'), variables('deployGWLB')), variables('routeTableProperties'), json('null'))]"
+ }
+ }
+ ]
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Network/routeTables",
+ "condition": "[and(parameters('deployRouteTable'), variables('deployGWLB'))]",
+ "apiVersion": "2020-06-01",
+ "location": "[parameters('location')]",
+ "name": "[parameters('subnet1Name')]",
+ "properties": {
+ "routes": "[variables('routesArray')]"
+ }
+ },
+ {
+ "type": "Microsoft.Network/virtualNetworks",
+ "apiVersion": "2020-06-01",
+ "location": "[parameters('location')]",
+ "name": "[parameters('virtualNetworkName')]",
+ "dependsOn": [
+ "[variables('routeTableID')]"
+ ],
+ "properties": "[variables('vnetProperties')]"
+ },
+ {
+ "type": "Microsoft.Network/networkSecurityGroups",
+ "condition": "[parameters('deployNsg')]",
+ "apiVersion": "2020-06-01",
+ "location": "[parameters('location')]",
+ "name": "[variables('nsgName')]",
+ "properties": {
+ "securityRules": [
+ {
+ "name": "AllowAllInBound",
+ "properties": {
+ "description": "Allow all inbound connections",
+ "protocol": "*",
+ "sourcePortRange": "*",
+ "destinationPortRange": "*",
+ "sourceAddressPrefix": "*",
+ "destinationAddressPrefix": "*",
+ "access": "Allow",
+ "priority": "100",
+ "direction": "Inbound"
+ }
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {
+ "vnetId": {
+ "value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]",
+ "type": "string"
+ },
+ "vnetAddressPrefix": {
+ "value": "[parameters('virtualNetworkAddressPrefix')]",
+ "type": "string"
+ },
+ "nsgProperties": {
+ "value": "[variables('nsgProperties')]",
+ "type": "object"
+ }
+ }
+}
\ No newline at end of file
diff --git a/deprecated/azure/templates/R8030/mgmt-r8030/README.MD b/deprecated/azure/templates/R8030/mgmt-r8030/README.MD
new file mode 100644
index 00000000..a848a86d
--- /dev/null
+++ b/deprecated/azure/templates/R8030/mgmt-r8030/README.MD
@@ -0,0 +1,13 @@
+# How to deploy this template
+To deploy this ARM template, follow these instructions:
+1. Log in to the [Microsoft Azure Portal](https://portal.azure.com)
+2. Click "*Create a resource*"
+3. Search for "*Template deployment (deploy using custom templates)*" and click "*Create*"
+4. Click "*Build your own template in the editor*"
+5. Load the "*mainTemplate.json*" file from this directory and click "*Save*"
+6. Enter the desired template parameters
+ - Replace the "*_artifacts Location*" property with:
+ ```
+ https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/deprecated/azure/templates/mgmt-r8030/
+ ```
+7. Click *Purchase* to deploy the solution
diff --git a/deprecated/azure/templates/R8030/mgmt-r8030/createUiDefinition.json b/deprecated/azure/templates/R8030/mgmt-r8030/createUiDefinition.json
new file mode 100644
index 00000000..aeb0a4c9
--- /dev/null
+++ b/deprecated/azure/templates/R8030/mgmt-r8030/createUiDefinition.json
@@ -0,0 +1,387 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Compute.MultiVm",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "basics": [
+ {
+ "name": "chkp refrence architecture",
+ "type": "Microsoft.Common.TextBlock",
+ "visible": true,
+ "options": {
+ "text": "Please follow the Check Point Reference Architecture for Azure.",
+ "link": {
+ "label": "Reference Architecture Guide",
+ "uri": "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk109360"
+ }
+ }
+ },
+ {
+ "name": "gatewayNameUi",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Server Name",
+ "toolTip": "The name of the Check Point Security Management Server.",
+ "constraints": {
+ "required": true,
+ "regex": "^[a-z0-9A-Z]{1,30}$",
+ "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long."
+ }
+ },
+ {
+ "name": "auth",
+ "type": "Microsoft.Compute.CredentialsCombo",
+ "label": {
+ "authenticationType": "Authentication type",
+ "password": "Password",
+ "confirmPassword": "Confirm password",
+ "sshPublicKey": "SSH public key"
+ },
+ "toolTip": {
+ "password": "The user 'admin' password",
+ "sshPublicKey": "Paste an OpenSSH public key. You can generate a key pair using ssh-keygen (Linux, OS X, Cygwin) or PuttyGen (Windows)"
+ },
+ "constraints": {
+ "required": true
+ },
+ "options": {
+ "hideConfirmation": false,
+ "hidePassword": false
+ },
+ "osPlatform": "Linux"
+ }
+ ],
+ "steps": [
+ {
+ "name": "chkp",
+ "label": "Check Point Security Management Server settings",
+ "subLabel": {
+ "preValidation": "Configure additional settings",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Security Management settings",
+ "elements": [
+ {
+ "name": "cloudGuardVersion",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Check Point CloudGuard version",
+ "defaultValue": "R80.30",
+ "toolTip": "The version of Check Point CloudGuard.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "R80.30",
+ "value": "R80.30"
+ }
+ ]
+ }
+ },
+ {
+ "name": "R80Offer",
+ "type": "Microsoft.Common.DropDown",
+ "label": "License type",
+ "toolTip": "The type of license.",
+ "defaultValue": "Bring Your Own License",
+ "visible": true,
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Bring Your Own License",
+ "value": "Bring Your Own License"
+ },
+ {
+ "label": "Pay As You Go (MGMT25)",
+ "value": "Pay As You Go (MGMT25)"
+ }
+ ]
+ }
+ },
+ {
+ "name": "R8030vmSizeUiBYOL",
+ "type": "Microsoft.Compute.SizeSelector",
+ "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.30'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]",
+ "label": "Virtual machine size",
+ "toolTip": "The VM size of the Management",
+ "recommendedSizes": [
+ "Standard_D3_v2"
+ ],
+ "constraints": {
+ "excludedSizes": [
+ "Standard_A1_v2",
+ "Standard_D1_v2",
+ "Standard_DS1_v2",
+ "Standard_F1",
+ "Standard_F1s",
+ "Standard_G1",
+ "Standard_GS1"
+ ]
+ },
+ "osPlatform": "Linux",
+ "imageReference": {
+ "publisher": "checkpoint",
+ "offer": "check-point-cg-r8030",
+ "sku": "mgmt-byol"
+ },
+ "count": 1
+ },
+ {
+ "name": "R8030vmSizeUiMGMT25",
+ "type": "Microsoft.Compute.SizeSelector",
+ "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.30'), contains(steps('chkp').R80Offer, '(MGMT25)'))]",
+ "label": "Virtual machine size",
+ "toolTip": "The VM size of the Management",
+ "recommendedSizes": [
+ "Standard_D3_v2"
+ ],
+ "constraints": {
+ "excludedSizes": [
+ "Standard_A1_v2",
+ "Standard_D1_v2",
+ "Standard_DS1_v2",
+ "Standard_F1",
+ "Standard_F1s",
+ "Standard_G1",
+ "Standard_GS1"
+ ]
+ },
+ "osPlatform": "Linux",
+ "imageReference": {
+ "publisher": "checkpoint",
+ "offer": "check-point-cg-r8030",
+ "sku": "mgmt-25"
+ },
+ "count": 1
+ },
+ {
+ "name": "installationType",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Installation type",
+ "defaultValue": "Management",
+ "toolTip": "Select the type of deployment",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Management",
+ "value": "management"
+ },
+ {
+ "label": "Configure manually",
+ "value": "custom"
+ }
+ ]
+ }
+ },
+ {
+ "name": "adminShell",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Default shell for the admin user",
+ "defaultValue": "/etc/cli.sh",
+ "toolTip": "The default shell for the admin user",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "/etc/cli.sh",
+ "value": "/etc/cli.sh"
+ },
+ {
+ "label": "/bin/bash",
+ "value": "/bin/bash"
+ },
+ {
+ "label": "/bin/csh",
+ "value": "/bin/csh"
+ },
+ {
+ "label": "/bin/tcsh",
+ "value": "/bin/tcsh"
+ }
+ ]
+ }
+ },
+ {
+ "name": "managementGUIClientNetwork",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Allowed GUI clients",
+ "toolTip": "GUI clients network CIDR",
+ "constraints": {
+ "required": true,
+ "regex": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$",
+ "validationMessage": "Enter a valid IPv4 network CIDR"
+ },
+ "visible": "[equals(steps('chkp').installationType, 'management')]"
+ },
+ {
+ "name": "bootstrapScript",
+ "type": "Microsoft.Common.FileUpload",
+ "label": "Bootstrap script",
+ "toolTip": "An optional script to run on the initial boot",
+ "constraints": {
+ "required": false,
+ "accept": ".sh,text/plain"
+ },
+ "options": {
+ "multiple": false,
+ "uploadMode": "file",
+ "openMode": "text",
+ "encoding": "UTF-8"
+ }
+ },
+ {
+ "visible": "[equals(steps('chkp').installationType, 'management')]",
+ "name": "allowUploadDownload",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Automatically download updates and share statistical data for product improvement purpose",
+ "defaultValue": "Yes",
+ "toolTip": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "true"
+ },
+ {
+ "label": "No",
+ "value": "false"
+ }
+ ]
+ }
+ },
+ {
+ "name": "additionalDiskSizeGB",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Additional disk space (GB)",
+ "defaultValue": "0",
+ "toolTip": "Additional disk space (in GB), Initial disk size is 100 GB.",
+ "constraints": {
+ "regex": "^([0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-2][0-9][0-9][0-9]|3[0-8][0-9][0-9]|399[0-5])$",
+ "validationMessage": "Select a number between 0 and 3995"
+ }
+ },
+ {
+ "name": "VMDiskType",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "VM disk type",
+ "toolTip": "Type of CloudGuard disk.",
+ "visible": "[or(contains(steps('chkp').R8030vmSizeUiBYOL, 'DS'), contains(steps('chkp').R8030vmSizeUiMGMT25, 'DS'))]",
+ "defaultValue": "Standard",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Standard",
+ "value": "Standard_LRS"
+ },
+ {
+ "label": "Premium",
+ "value": "Premium_LRS"
+ }
+ ]
+ }
+ },
+ {
+ "name": "useCustomImageUri",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Use development image uri",
+ "defaultValue": "No",
+ "toolTip": "Use custom image URI.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ],
+ "required": true
+ },
+ "visible": false
+ },
+ {
+ "name": "sourceImageVhdUri",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Development Image URI",
+ "toolTip": "The URI of the blob containing the development image",
+ "constraints": {
+ "required": "[equals(steps('chkp').useCustomImageUri, 'Yes')]",
+ "regex": "^[a-z0-9A-Z_\\-\\.\\:\\/]{1,500}.vhd$",
+ "validationMessage": "Only alphanumeric characters and '_','-','.',':','/' are allowed, the value must be 1-500 characters long and must end with .vhd. "
+ },
+ "visible": "[equals(steps('chkp').useCustomImageUri, 'Yes')]"
+ }
+ ]
+ },
+ {
+ "name": "network",
+ "label": "Network settings",
+ "subLabel": {
+ "preValidation": "Configure network settings",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Network settings",
+ "elements": [
+ {
+ "name": "virtualNetwork",
+ "type": "Microsoft.Network.VirtualNetworkCombo",
+ "label": {
+ "virtualNetwork": "Virtual network",
+ "subnets": "Subnet"
+ },
+ "toolTip": {
+ "virtualNetwork": "Virtual Network Name",
+ "subnets": "The subnet to deploy into"
+ },
+ "defaultValue": {
+ "name": "vnet01",
+ "addressPrefixSize": "/20"
+ },
+ "constraints": {
+ "minAddressPrefixSize": "/29"
+ },
+ "options": {
+ "hideExisting": false
+ },
+ "subnets": {
+ "subnet1": {
+ "label": "Management subnet",
+ "defaultValue": {
+ "name": "Management",
+ "addressPrefixSize": "/24"
+ },
+ "constraints": {
+ "minAddressPrefixSize": "/29",
+ "minAddressCount": 1,
+ "requireContiguousAddresses": true
+ }
+ }
+ }
+ }
+ ]
+ }
+ ],
+ "outputs": {
+ "location": "[location()]",
+ "cloudGuardVersion": "[concat(steps('chkp').cloudGuardVersion, ' - ', coalesce(steps('chkp').R80Offer, 'Bring Your Own License'))]",
+ "adminPassword": "[basics('auth').password]",
+ "authenticationType": "[basics('auth').authenticationType]",
+ "sshPublicKey": "[basics('auth').sshPublicKey]",
+ "vmName": "[basics('gatewayNameUi')]",
+ "vmSize": "[coalesce(steps('chkp').R8030vmSizeUiBYOL, steps('chkp').R8030vmSizeUiMGMT25)]",
+ "virtualNetworkName": "[steps('network').virtualNetwork.name]",
+ "virtualNetworkAddressPrefix": "[steps('network').virtualNetwork.addressPrefix]",
+ "Subnet1Name": "[steps('network').virtualNetwork.subnets.subnet1.name]",
+ "Subnet1Prefix": "[steps('network').virtualNetwork.subnets.subnet1.addressPrefix]",
+ "Subnet1StartAddress": "[steps('network').virtualNetwork.subnets.subnet1.startAddress]",
+ "vnetNewOrExisting": "[steps('network').virtualNetwork.newOrExisting]",
+ "virtualNetworkExistingRGName": "[steps('network').virtualNetwork.resourceGroup]",
+ "managementGUIClientNetwork": "[steps('chkp').managementGUIClientNetwork]",
+ "installationType": "[steps('chkp').installationType]",
+ "bootstrapScript": "[steps('chkp').bootstrapScript]",
+ "allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp').allowUploadDownload, 'true')]",
+ "additionalDiskSizeGB": "[int(steps('chkp').additionalDiskSizeGB)]",
+ "diskType": "[coalesce(steps('chkp').VMDiskType, 'Standard_LRS')]",
+ "sourceImageVhdUri": "[coalesce(steps('chkp').sourceImageVhdUri, 'noCustomUri')]",
+ "adminShell": "[steps('chkp').adminShell]"
+ }
+ }
+}
\ No newline at end of file
diff --git a/deprecated/azure/templates/R8030/mgmt-r8030/mainTemplate.json b/deprecated/azure/templates/R8030/mgmt-r8030/mainTemplate.json
new file mode 100644
index 00000000..4aab7e4d
--- /dev/null
+++ b/deprecated/azure/templates/R8030/mgmt-r8030/mainTemplate.json
@@ -0,0 +1,629 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "Deployment location"
+ },
+ "defaultValue": "[resourceGroup().location]"
+ },
+ "cloudGuardVersion": {
+ "type": "string",
+ "allowedValues": [
+ "R80.30 - Bring Your Own License",
+ "R80.30 - Pay As You Go (MGMT25)"
+ ],
+ "defaultValue": "R80.30 - Bring Your Own License",
+ "metadata": {
+ "description": "Version of Check Point CloudGuard"
+ }
+ },
+ "adminPassword": {
+ "type": "securestring",
+ "metadata": {
+ "description": "Administrator password"
+ },
+ "defaultValue": ""
+ },
+ "authenticationType": {
+ "type": "string",
+ "allowedValues": [
+ "password",
+ "sshPublicKey"
+ ],
+ "defaultValue": "password",
+ "metadata": {
+ "description": "Authentication type"
+ }
+ },
+ "sshPublicKey": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Administrator SSH public key"
+ }
+ },
+ "vmName": {
+ "type": "string",
+ "metadata": {
+ "description": "Name of the Check Point Security Gateway"
+ }
+ },
+ "vmSize": {
+ "type": "string",
+ "defaultValue": "Standard_D3_v2",
+ "metadata": {
+ "description": "Size of the VM"
+ }
+ },
+ "virtualNetworkName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the virtual network"
+ },
+ "defaultValue": "vnet"
+ },
+ "virtualNetworkAddressPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the virtual network"
+ },
+ "defaultValue": "10.0.0.0/16"
+ },
+ "Subnet1Name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the 1st subnet"
+ },
+ "defaultValue": "Frontend"
+ },
+ "Subnet1Prefix": {
+ "type": "string",
+ "metadata": {
+ "description": "The address prefix of the 1st subnet"
+ },
+ "defaultValue": "10.0.1.0/24"
+ },
+ "Subnet1StartAddress": {
+ "type": "string",
+ "metadata": {
+ "description": "The first available address on the 1st subnet"
+ },
+ "defaultValue": "10.0.1.10"
+ },
+ "vnetNewOrExisting": {
+ "type": "string",
+ "defaultValue": "new",
+ "allowedValues": [
+ "new",
+ "existing"
+ ],
+ "metadata": {
+ "Description": "Indicates whether the virtual network is new or existing"
+ }
+ },
+ "virtualNetworkExistingRGName": {
+ "type": "string",
+ "metadata": {
+ "description": "Resource Group of the existing virtual network"
+ },
+ "defaultValue": "[resourceGroup().name]"
+ },
+ "managementGUIClientNetwork": {
+ "type": "string",
+ "metadata": {
+ "description": "Allowed GUI clients"
+ },
+ "defaultValue": "0.0.0.0/0"
+ },
+ "installationType": {
+ "type": "string",
+ "metadata": {
+ "description": "Installation Type"
+ },
+ "defaultValue": "management",
+ "allowedValues": [
+ "management",
+ "custom"
+ ]
+ },
+ "adminShell": {
+ "type": "string",
+ "defaultValue": "/etc/cli.sh",
+ "allowedValues": [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"
+ ],
+ "metadata": {
+ "Description": "The default shell for the admin user"
+ }
+ },
+ "bootstrapScript": {
+ "type": "string",
+ "metadata": {
+ "description": "Bootstrap script"
+ },
+ "defaultValue": ""
+ },
+ "allowDownloadFromUploadToCheckPoint": {
+ "type": "string",
+ "allowedValues": [
+ "true",
+ "false"
+ ],
+ "defaultValue": "true",
+ "metadata": {
+ "description": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point"
+ }
+ },
+ "additionalDiskSizeGB": {
+ "type": "int",
+ "defaultValue": 0,
+ "metadata": {
+ "description": "Amount of additional disk space (in GB)"
+ },
+ "minValue": 0,
+ "maxValue": 3995
+ },
+ "diskType": {
+ "type": "string",
+ "defaultValue": "Standard_LRS",
+ "metadata": {
+ "description": "The type of the OS disk. Premium is applicable only to DS machine sizes"
+ },
+ "allowedValues": [
+ "Standard_LRS",
+ "Premium_LRS"
+ ]
+ },
+ "msi": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Configure managed service identity for the VM"
+ }
+ },
+ "sourceImageVhdUri": {
+ "type": "string",
+ "defaultValue": "noCustomUri",
+ "metadata": {
+ "description": "The URI of the blob containing the development image"
+ }
+ },
+ "_artifactsLocation": {
+ "type": "string",
+ "metadata": {
+ "description": "Use the following URI when deploying a custom template: https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/"
+ },
+ "defaultValue": "[deployment().properties.templateLink.uri]"
+ },
+ "_artifactsLocationSasToken": {
+ "type": "securestring",
+ "metadata": {
+ "description": "The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. Use the defaultValue if the staging location is not secured."
+ },
+ "defaultValue": ""
+ }
+ },
+ "variables": {
+ "templateName": "management",
+ "templateVersion": "20220130",
+ "location": "[parameters('location')]",
+ "offers": {
+ "R80.30 - Bring Your Own License": "BYOL",
+ "R80.30 - Pay As You Go (MGMT25)": "MGMT25"
+ },
+ "offer": "[variables('offers')[parameters('cloudGuardVersion')]]",
+ "osVersions": {
+ "R80.30 - Bring Your Own License": "R8030",
+ "R80.30 - Pay As You Go (MGMT25)": "R8030"
+ },
+ "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]",
+ "adminUsername": "notused",
+ "isBlink": "[bool('false')]",
+ "storageAccountName": "[concat('bootdiag', uniqueString(resourceGroup().id, deployment().name))]",
+ "storageAccountType": "Standard_LRS",
+ "diskSize100GB": 100,
+ "diskSizeGB": "[add(parameters('additionalDiskSizeGB'), variables('diskSize100GB'))]",
+ "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', parameters('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'managementGUIClientNetwork=\"', variables('managementGUIClientNetwork'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n')]",
+ "customData64": "[base64(variables('customData'))]",
+ "imageOffer": "[concat('check-point-cg-', toLower(variables('osVersion')))]",
+ "imagePublisher": "checkpoint",
+ "imageReferenceBYOL": {
+ "offer": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]",
+ "sku": "mgmt-byol",
+ "version": "latest"
+ },
+ "imageReferenceMGMT25": {
+ "offer": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]",
+ "sku": "mgmt-25",
+ "version": "latest"
+ },
+ "imageReferenceMarketplace": "[if(equals(variables('offer'), 'BYOL'), variables('imageReferenceBYOL'), variables('imageReferenceMGMT25'))]",
+ "customImage": "customImage",
+ "imageReferenceCustomUri": {
+ "id": "[resourceId('Microsoft.Compute/images/', variables('customImage'))]"
+ },
+ "imageReference": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('imageReferenceMarketplace'), variables('imageReferenceCustomUri'))]",
+ "nic1Name": "[concat(parameters('vmName'), '-eth0')]",
+ "linuxConfigurationpassword": {
+ "disablePasswordAuthentication": "false"
+ },
+ "linuxConfigurationsshPublicKey": {
+ "disablePasswordAuthentication": "true",
+ "ssh": {
+ "publicKeys": [
+ {
+ "keyData": "[parameters('sshPublicKey')]",
+ "path": "/home/notused/.ssh/authorized_keys"
+ }
+ ]
+ }
+ },
+ "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), variables('linuxConfigurationpassword'), variables('linuxConfigurationsshPublicKey'))]",
+ "planBYOL": {
+ "name": "mgmt-byol",
+ "product": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]"
+ },
+ "planMGMT25": {
+ "name": "mgmt-25",
+ "product": "[variables('imageOffer')]",
+ "publisher": "[variables('imagePublisher')]"
+ },
+ "plan": "[if(equals(variables('offer'), 'BYOL'), variables('planBYOL'), variables('planMGMT25'))]",
+ "identity": "[if(parameters('msi'), json('{\"type\": \"SystemAssigned\"}'), json('null'))]",
+ "publicIPAddressName": "[parameters('vmName')]",
+ "publicIPAddressId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName'))]",
+ "nsgName": "[concat(parameters('vmName'), '-nsg')]",
+ "nsgId": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName'))]",
+ "bootstrapScript64": "[base64(parameters('bootstrapScript'))]",
+ "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]",
+ "networkSetupURL": "[uri(parameters('_artifactsLocation'), concat('nestedtemplates/vnet-1-subnet-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]",
+ "managementGUIClientNetwork": "[parameters('managementGUIClientNetwork')]",
+ "deployNewVnet": "[equals(parameters('vnetNewOrExisting'), 'new')]",
+ "vnetRGName": "[if(variables('deployNewVnet'), resourceGroup().name, parameters('virtualNetworkExistingRGName'))]"
+ },
+ "resources": [
+ {
+ "apiVersion": "2020-06-01",
+ "name": "pid-6f13b00a-7546-4ab2-be9f-c66815cc6c8b-partnercenter",
+ "type": "Microsoft.Resources/deployments",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": []
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "name": "[variables('storageAccountName')]",
+ "apiVersion": "2021-04-01",
+ "properties": {
+ "supportsHttpsTrafficOnly": true,
+ "allowBlobPublicAccess": false,
+ "minimumTlsVersion": "TLS1_2"
+ },
+ "location": "[variables('location')]",
+ "sku": {
+ "name": "[variables('storageAccountType')]"
+ },
+ "kind": "Storage"
+ },
+ {
+ "condition": "[equals(parameters('vnetNewOrExisting'), 'new')]",
+ "name": "networkNewSetup",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "[variables('networkSetupURL')]",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "location": {
+ "value": "[variables('location')]"
+ },
+ "virtualNetworkName": {
+ "value": "[parameters('virtualNetworkName')]"
+ },
+ "virtualNetworkAddressPrefix": {
+ "value": "[parameters('virtualNetworkAddressPrefix')]"
+ },
+ "Subnet1Name": {
+ "value": "[parameters('Subnet1Name')]"
+ },
+ "Subnet1Prefix": {
+ "value": "[parameters('Subnet1Prefix')]"
+ }
+ }
+ }
+ },
+ {
+ "condition": "[equals(parameters('vnetNewOrExisting'), 'existing')]",
+ "name": "networkExistingSetup",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "[variables('networkSetupURL')]",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "location": {
+ "value": "[variables('location')]"
+ },
+ "virtualNetworkName": {
+ "value": "[parameters('virtualNetworkName')]"
+ },
+ "virtualNetworkExistingRGName": {
+ "value": "[variables('vnetRGName')]"
+ },
+ "vmName": {
+ "value": "[parameters('vmName')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Network/publicIPAddresses",
+ "apiVersion": "2020-06-01",
+ "location": "[variables('location')]",
+ "name": "[variables('publicIPAddressName')]",
+ "properties": {
+ "idleTimeoutInMinutes": 30,
+ "publicIPAllocationMethod": "Static",
+ "dnsSettings": {
+ "domainNameLabel": "[concat(toLower(parameters('vmName')), '-', uniquestring(resourceGroup().id, deployment().name))]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Network/networkSecurityGroups",
+ "apiVersion": "2020-06-01",
+ "location": "[variables('location')]",
+ "name": "[variables('nsgName')]",
+ "properties": {
+ "securityRules": [
+ {
+ "name": "SSH",
+ "properties": {
+ "description": "Allow inbound SSH connection",
+ "protocol": "TCP",
+ "sourcePortRange": "*",
+ "destinationPortRange": "22",
+ "sourceAddressPrefix": "[variables('managementGUIClientNetwork')]",
+ "destinationAddressPrefix": "*",
+ "access": "Allow",
+ "priority": "100",
+ "direction": "Inbound"
+ }
+ },
+ {
+ "name": "GAiA-portal",
+ "properties": {
+ "description": "Allow inbound HTTPS access to the GAiA portal",
+ "protocol": "TCP",
+ "sourcePortRange": "*",
+ "destinationPortRange": "443",
+ "sourceAddressPrefix": "[variables('managementGUIClientNetwork')]",
+ "destinationAddressPrefix": "*",
+ "access": "Allow",
+ "priority": "110",
+ "direction": "Inbound"
+ }
+ },
+ {
+ "name": "SmartConsole-1",
+ "properties": {
+ "description": "Allow inbound access using the SmartConsole
GUI client", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "18190", + "sourceAddressPrefix": "[variables('managementGUIClientNetwork')]", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "120", + "direction": "Inbound" + } + }, + { + "name": "SmartConsole-2", + "properties": { + "description": "Allow inbound access using the SmartConsole GUI client", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "19009", + "sourceAddressPrefix": "[variables('managementGUIClientNetwork')]", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "130", + "direction": "Inbound" + } + }, + { + "name": "Logs", + "properties": { + "description": "Allow inbound logging connections from managed gateways", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "257", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "140", + "direction": "Inbound" + } + }, + { + "name": "ICA-pull", + "properties": { + "description": "Allow security gateways to pull a SIC certificate", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "18210", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "150", + "direction": "Inbound" + } + }, + { + "name": "CRL-fetch", + "properties": { + "description": "Allow security gateways to fetch CRLs", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "18264", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "160", + "direction": "Inbound" + } + }, + { + "name": "Policy-fetch", + "properties": { + "description": "Allow security gateways to fetch policy", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "18191", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "170", + "direction": "Inbound" + } + } + ] + 
} + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[coalesce(resourceId('Microsoft.Resources/deployments', 'networkNewSetup'), resourceId('Microsoft.Resources/deployments', 'networkExistingSetup'))]", + "[variables('nsgId')]", + "[variables('publicIPAddressId')]" + ], + "location": "[variables('location')]", + "name": "[variables('nic1Name')]", + "properties": { + "enableIPForwarding": false, + "networkSecurityGroup": { + "id": "[variables('nsgId')]" + }, + "ipConfigurations": [ + { + "name": "ipconfig1", + "properties": { + "privateIPAddress": "[parameters('Subnet1StartAddress')]", + "privateIPAllocationMethod": "Static", + "PublicIpAddress": { + "Id": "[variables('publicIPAddressId')]" + }, + "subnet": { + "id": "[resourceId(variables('vnetRGName') ,'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('Subnet1Name'))]" + } + } + } + ] + } + }, + { + "condition": "[not(equals(parameters('sourceImageVhdUri'), 'noCustomUri'))]", + "type": "Microsoft.Compute/images", + "apiVersion": "2020-06-01", + "name": "[variables('customImage')]", + "location": "[variables('location')]", + "properties": { + "storageProfile": { + "osDisk": { + "osType": "Linux", + "osState": "Generalized", + "blobUri": "[parameters('sourceImageVhdUri')]", + "storageAccountType": "Standard_LRS" + } + }, + "hyperVGeneration": "V1" + } + }, + { + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2021-07-01", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]", + "[resourceId('Microsoft.Network/networkInterfaces', variables('nic1Name'))]", + "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + ], + "location": "[variables('location')]", + "name": "[parameters('vmName')]", + "plan": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('plan'), json('null'))]", + "identity": "[variables('identity')]", + 
"properties": { + "UserData": "[variables('customData64')]", + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": "true", + "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2021-06-01').primaryEndpoints.blob]" + } + }, + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nic1Name'))]", + "properties": { + "primary": true + } + } + ] + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "[variables('adminUsername')]", + "computerName": "[toLower(parameters('vmName'))]", + "customData": "[variables('customData64')]", + "linuxConfiguration": "[variables('linuxConfiguration')]" + }, + "storageProfile": { + "imageReference": "[variables('imageReference')]", + "osDisk": { + "caching": "ReadWrite", + "createOption": "FromImage", + "diskSizeGB": "[variables('diskSizeGB')]", + "name": "[parameters('vmName')]", + "managedDisk": { + "storageAccountType": "[parameters('diskType')]" + } + } + } + } + } + ], + "outputs": { + "IPAddress": { + "type": "string", + "value": "[reference(variables('publicIPAddressId')).IpAddress]" + }, + "FQDN": { + "type": "string", + "value": "[reference(variables('publicIPAddressId')).dnsSettings.fqdn]" + } + } +} \ No newline at end of file diff --git a/deprecated/azure/templates/R8030/mgmt-r8030/nestedtemplates/vnet-1-subnet-existing.json b/deprecated/azure/templates/R8030/mgmt-r8030/nestedtemplates/vnet-1-subnet-existing.json new file mode 100644 index 00000000..d36ab635 --- /dev/null +++ b/deprecated/azure/templates/R8030/mgmt-r8030/nestedtemplates/vnet-1-subnet-existing.json 
@@ -0,0 +1,78 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "vnet" + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "" + }, + "vmName": { + "type": "string" + }, + "deployNsg": { + "type": "bool", + "defaultValue": false + } + }, + "variables": { + "vnetId": "[resourceId(parameters('virtualNetworkExistingRGName'),'Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]", + "nsgName": "[concat(parameters('vmName'), '-nsg')]", + "nsgProperties": { + "id": "[resourceId(parameters('virtualNetworkExistingRGName'),'Microsoft.Network/networkSecurityGroups', variables('nsgName'))]" + } + }, + "resources": [ + { + "type": "Microsoft.Network/networkSecurityGroups", + "condition": "[parameters('deployNsg')]", + "apiVersion": "2020-06-01", + "location": "[parameters('location')]", + "name": "[variables('nsgName')]", + "properties": { + "securityRules": [ + { + "name": "AllowAllInBound", + "properties": { + "description": "Allow all inbound connections", + "protocol": "*", + "sourcePortRange": "*", + "destinationPortRange": "*", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "100", + "direction": "Inbound" + } + } + ] + } + } + ], + "outputs": { + "vnetId": { + "value": "[variables('vnetId')]", + "type": "string" + }, + "vnetAddressPrefix": { + "value": "[reference(variables('vnetId'),'2018-11-01').addressSpace.addressPrefixes[0]]", + "type": "string" + }, + "nsgProperties": { + "value": "[variables('nsgProperties')]", + "type": "object" + } + } +} \ No newline at end of file 
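Review bot: The `nsgProperties` output builds the NSG id with `resourceId(parameters('virtualNetworkExistingRGName'), 'Microsoft.Network/networkSecurityGroups', variables('nsgName'))`, but the `Microsoft.Network/networkSecurityGroups` resource in this same template is created in the deployment's own resource group, so whenever the existing VNet lives in a different resource group the advertised id points at an NSG that does not exist; the id should be `[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName'))]` to match where the resource is actually deployed. The optional NSG also carries a single `AllowAllInBound` rule with `protocol`, `sourcePortRange` and `sourceAddressPrefix` all `*`, i.e. an allow-any network security group; if that is deliberate because a CloudGuard gateway is expected to enforce the policy itself, the rule's `description` should say so, since the management template earlier in this patch scopes its own NSG to `managementGUIClientNetwork` and must not be pointed at this output. The `networkExistingSetup` call in that management template appears to pass no `deployNsg`, so the NSG defaults to not being created there, but the output still returns an id either way.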
diff --git a/deprecated/azure/templates/R8030/mgmt-r8030/nestedtemplates/vnet-1-subnet-new.json b/deprecated/azure/templates/R8030/mgmt-r8030/nestedtemplates/vnet-1-subnet-new.json
new file mode 100644
index 00000000..479e15d1
--- /dev/null
+++ b/deprecated/azure/templates/R8030/mgmt-r8030/nestedtemplates/vnet-1-subnet-new.json
@@ -0,0 +1,157 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "vnet" + }, + "virtualNetworkAddressPrefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the virtual network" + } + }, + "Subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the 1st subnet" + }, + "defaultValue": "Frontend" + }, + "Subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 1st subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "vmName": { + "type": "string", + "defaultValue": "[concat(resourceGroup().name, '-vnet')]" + }, + "deployNsg": { + "type": "bool", + "defaultValue": false + }, + "deployRouteTable": { + "type": "bool", + "defaultValue": false + }, + "deployGWLB": { + "type": "bool", + "defaultValue": false + } + }, + "variables": { + "localSubnetRoute": [ + { + "name": "Local-Subnet", + "properties": { + "addressPrefix": "[parameters('subnet1Prefix')]", + "nextHopType": "VnetLocal" + } + }, + { + "name": "To-VNet", + "properties": { + "addressPrefix": "[parameters('virtualNetworkAddressPrefix')]", + "nextHopType": "None" + } + } + ], + "routesArray": "[variables('localSubnetRoute')]", + "nsgName": "[concat(parameters('vmName'), '-nsg')]", + "nsgProperties": { + "id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName'))]" + }, + "routeTableID": "[resourceId('Microsoft.Network/routeTables', parameters('subnet1Name'))]", + "routeTableProperties": { + "id": "[variables('routeTableID')]" + }, + "deployGWLB": "[parameters('deployGWLB')]", + "vnetProperties": { + "addressSpace": { + "addressPrefixes": [ + "[parameters('virtualNetworkAddressPrefix')]" + ] + }, + "subnets": [ + { + 
"name": "[parameters('subnet1Name')]", + "properties": { + "addressPrefix": "[parameters('subnet1Prefix')]", + "routeTable": "[if(and(parameters('deployRouteTable'), variables('deployGWLB')), variables('routeTableProperties'), json('null'))]" + } + } + ] + } + }, + "resources": [ + { + "type": "Microsoft.Network/routeTables", + "condition": "[and(parameters('deployRouteTable'), variables('deployGWLB'))]", + "apiVersion": "2020-06-01", + "location": "[parameters('location')]", + "name": "[parameters('subnet1Name')]", + "properties": { + "routes": "[variables('routesArray')]" + } + }, + { + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "2020-06-01", + "location": "[parameters('location')]", + "name": "[parameters('virtualNetworkName')]", + "dependsOn": [ + "[variables('routeTableID')]" + ], + "properties": "[variables('vnetProperties')]" + }, + { + "type": "Microsoft.Network/networkSecurityGroups", + "condition": "[parameters('deployNsg')]", + "apiVersion": "2020-06-01", + "location": "[parameters('location')]", + "name": "[variables('nsgName')]", + "properties": { + "securityRules": [ + { + "name": "AllowAllInBound", + "properties": { + "description": "Allow all inbound connections", + "protocol": "*", + "sourcePortRange": "*", + "destinationPortRange": "*", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "100", + "direction": "Inbound" + } + } + ] + } + } + ], + "outputs": { + "vnetId": { + "value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]", + "type": "string" + }, + "vnetAddressPrefix": { + "value": "[parameters('virtualNetworkAddressPrefix')]", + "type": "string" + }, + "nsgProperties": { + "value": "[variables('nsgProperties')]", + "type": "object" + } + } +} \ No newline at end of file 
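Review bot: The conditional NSG in this template has one rule, `AllowAllInBound`, with `"protocol": "*"`, `"sourceAddressPrefix": "*"` and `"destinationPortRange": "*"`, which is an allow-any perimeter on whatever subnet it is later attached to; the only defensible reason is that a CloudGuard gateway behind it does the filtering, and nothing in the rule records that. At minimum make the intent explicit, e.g. `"description": "Allow all inbound connections - the CloudGuard gateway is expected to enforce the security policy"`, and consider a `sourceAddressPrefix` parameter defaulting to `*` so a deployer can narrow it without editing the nested template. The `To-VNet` route with `"nextHopType": "None"` is only created when both `deployRouteTable` and `deployGWLB` are true, which looks like the intended blackhole for the GWLB design; the management template earlier in this patch appears to pass neither flag, so that branch and the NSG branch are dead code from that deployment and their defaults are what actually applies.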
diff --git a/deprecated/azure/templates/R8030/single-r8030/README.MD b/deprecated/azure/templates/R8030/single-r8030/README.MD
new file mode 100644
index 00000000..8c2376fb
--- /dev/null
+++ b/deprecated/azure/templates/R8030/single-r8030/README.MD
@@ -0,0 +1,13 @@
+# How to deploy this template
+To deploy this ARM template, follow these instructions:
+1. Log in to the [Microsoft Azure Portal](https://portal.azure.com)
+2. Click "*Create a resource*"
+3. Search for "*Template deployment (deploy using custom templates)*" and click "*Create*"
+4. Click "*Build your own template in the editor*"
+5. Load the "*mainTemplate.json*" file from this directory and click "*Save*"
+6. Enter the desired template parameters
+ - Replace the "*_artifacts Location*" property with:
+ ```
+ https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/deprecated/azure/templates/single-r8030/
+ ```
+7. Click *Purchase* to deploy the solution
diff --git a/deprecated/azure/templates/R8030/single-r8030/createUiDefinition.json b/deprecated/azure/templates/R8030/single-r8030/createUiDefinition.json
new file mode 100644
index 00000000..f96d6430
--- /dev/null
+++ b/deprecated/azure/templates/R8030/single-r8030/createUiDefinition.json
@@ -0,0 +1,603 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Compute.MultiVm", + "version": "0.1.2-preview", + "parameters": { + "basics": [ + { + "name": "basics settings text block", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "Please follow the Check Point Reference Architecture for Azure.", + "link": { + "label": "Reference Architecture Guide", + "uri": "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk109360" + } + } + }, + { + "name": "gatewayNameUi", + "type": "Microsoft.Common.TextBox", + "label": "VM Name", + "toolTip": "The name of the Check Point CloudGuard.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{1,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + } + }, + { + "name": "auth", + "type": "Microsoft.Compute.CredentialsCombo", + "label": { + "authenticationType": "Authentication type", + "password": "Password", + "confirmPassword": "Confirm password", + "sshPublicKey": "SSH public key" + }, + "toolTip": { + "password": "The user 'admin' password", + "sshPublicKey": "Paste an OpenSSH public key. 
You can generate a key pair using ssh-keygen (Linux, OS X, Cygwin) or PuttyGen (Windows)" + }, + "constraints": { + "required": true + }, + "options": { + "hideConfirmation": false, + "hidePassword": false + }, + "osPlatform": "Linux" + } + ], + "steps": [ + { + "name": "chkp", + "label": "Check Point CloudGuard settings", + "subLabel": { + "preValidation": "Configure CloudGuard settings", + "postValidation": "Done" + }, + "bladeTitle": "CloudGuard settings", + "elements": [ + { + "name": "cloudGuardVersion", + "type": "Microsoft.Common.DropDown", + "label": "Check Point CloudGuard version", + "defaultValue": "R80.30", + "toolTip": "The version of Check Point CloudGuard.", + "constraints": { + "allowedValues": [ + { + "label": "R80.30", + "value": "R80.30" + } + ] + } + }, + { + "name": "R80Offer", + "type": "Microsoft.Common.DropDown", + "label": "License type", + "toolTip": "The type of license.", + "defaultValue": "Bring Your Own License", + "visible": true, + "constraints": { + "allowedValues": [ + { + "label": "Bring Your Own License", + "value": "Bring Your Own License" + }, + { + "label": "Pay As You Go (NGTP)", + "value": "Pay As You Go (NGTP)" + }, + { + "label": "Pay As You Go (NGTX)", + "value": "Pay As You Go (NGTX)" + } + ] + } + }, + { + "name": "R8030vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.30'), equals(coalesce(steps('chkp').R80Offer, 'Bring Your Own License'), 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + 
"Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8030", + "sku": "sg-byol" + }, + "count": 1 + }, + { + "name": "R8030vmSizeUiNGTP", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.30'), contains(steps('chkp').R80Offer, '(NGTP)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + 
"Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8030", + "sku": "sg-ngtp-v2" + }, + "count": 1 + }, + { + "name": "R8030vmSizeUiNGTX", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.30'), contains(steps('chkp').R80Offer, '(NGTX)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + 
"Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8030", + "sku": "sg-ngtx-v2" + }, + "count": 1 + }, + { + "name": "adminShell", + "type": "Microsoft.Common.DropDown", + "label": "Default shell for the admin user", + "defaultValue": "/etc/cli.sh", + "toolTip": "The default shell for the admin user", + "constraints": { + "allowedValues": [ + { + "label": "/etc/cli.sh", + "value": "/etc/cli.sh" + }, + { + "label": "/bin/bash", + "value": "/bin/bash" + }, + { + "label": "/bin/csh", + "value": "/bin/csh" + }, + { + "label": "/bin/tcsh", + "value": "/bin/tcsh" + } + ] + } + }, + { + "name": "sicKeyUi", + "type": "Microsoft.Common.PasswordBox", + "label": { + "password": "SIC key", + "confirmPassword": "Confirm SIC key" + }, + "toolTip": "Set the Secure Internal Communication one time secret used to set up trust between the gateway and the management server.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{12,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the value must be 12-30 characters long." 
+ }, + "options": { + "hideConfirmation": false + } + }, + { + "name": "bootstrapScript", + "type": "Microsoft.Common.FileUpload", + "label": "Bootstrap script", + "toolTip": "An optional script to run on the initial boot", + "constraints": { + "required": false, + "accept": ".sh,text/plain" + }, + "options": { + "multiple": false, + "uploadMode": "file", + "openMode": "text", + "encoding": "UTF-8" + } + }, + { + "visible": "[not(equals(steps('chkp').cloudGuardVersion, 'R80.10'))]", + "name": "allowUploadDownload", + "type": "Microsoft.Common.OptionsGroup", + "label": "Allow download from/upload to Check Point", + "defaultValue": "Yes", + "toolTip": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "true" + }, + { + "label": "No", + "value": "false" + } + ] + } + }, + { + "name": "additionalDiskSizeGB", + "type": "Microsoft.Common.TextBox", + "label": "Additional disk space (GB)", + "defaultValue": "0", + "toolTip": "Additional disk space (in GB), Initial disk size is 100 GB.", + "constraints": { + "regex": "^([0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-2][0-9][0-9][0-9]|3[0-8][0-9][0-9]|399[0-5])$", + "validationMessage": "Select a number between 0 and 3995" + } + }, + { + "name": "VMDiskType", + "type": "Microsoft.Common.OptionsGroup", + "label": "VM disk type", + "toolTip": "Type of CloudGuard disk.", + "visible": "[or(contains(steps('chkp').R8030vmSizeUiBYOL, 'DS'), contains(steps('chkp').R8030vmSizeUiNGTP, 'DS'), contains(steps('chkp').R8030vmSizeUiNGTX, 'DS'))]", + "defaultValue": "Standard", + "constraints": { + "allowedValues": [ + { + "label": "Standard", + "value": "Standard_LRS" + }, + { + "label": "Premium", + "value": "Premium_LRS" + } + ] + } + }, + { + "name": "useCustomImageUri", + "type": "Microsoft.Common.OptionsGroup", + "label": "Use development image uri", + "defaultValue": "No", + "toolTip": "Use custom 
image URI.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ], + "required": true + }, + "visible": false + }, + { + "name": "sourceImageVhdUri", + "type": "Microsoft.Common.TextBox", + "label": "Development Image URI", + "toolTip": "The URI of the blob containing the development image", + "constraints": { + "required": "[equals(steps('chkp').useCustomImageUri, 'Yes')]", + "regex": "^[a-z0-9A-Z_\\-\\.\\:\\/]{1,500}.vhd$", + "validationMessage": "Only alphanumeric characters and '_','-','.',':','/' are allowed, the value must be 1-500 characters long and must end with .vhd. " + }, + "visible": "[equals(steps('chkp').useCustomImageUri, 'Yes')]" + }, + { + "name": "customMetrics", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable CloudGuard metrics", + "defaultValue": "Yes", + "toolTip": "Enable CloudGuard metrics in order to send statuses and statistics collected from Gateway or Standalone to the Azure Monitor service.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "yes" + }, + { + "label": "No", + "value": "no" + } + ], + "required": true + }, + "visible": true + } + ] + }, + { + "name": "network", + "label": "Network settings", + "subLabel": { + "preValidation": "Configure network settings", + "postValidation": "Done" + }, + "bladeTitle": "Network settings", + "elements": [ + { + "name": "virtualNetwork", + "type": "Microsoft.Network.VirtualNetworkCombo", + "label": { + "virtualNetwork": "Virtual network", + "subnets": "Subnets" + }, + "toolTip": { + "virtualNetwork": "Virtual Network Name", + "subnets": "List of subnets to deploy into" + }, + "defaultValue": { + "name": "vnet01", + "addressPrefixSize": "/16" + }, + "constraints": { + "minAddressPrefixSize": "/28" + }, + "options": { + "hideExisting": false + }, + "subnets": { + "subnet1": { + "label": "Frontend subnet", + "defaultValue": { + "name": "Frontend", + "addressPrefixSize": "/24" + }, + 
"constraints": { + "minAddressPrefixSize": "/29", + "minAddressCount": 1, + "requireContiguousAddresses": true + } + }, + "subnet2": { + "label": "Backend subnet", + "defaultValue": { + "name": "Backend", + "addressPrefixSize": "/24" + }, + "constraints": { + "minAddressPrefixSize": "/29", + "minAddressCount": 1, + "requireContiguousAddresses": true + } + } + } + } + ] + } + ], + "outputs": { + "location": "[location()]", + "cloudGuardVersion": "[concat(steps('chkp').cloudGuardVersion, ' - ', coalesce(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "adminPassword": "[basics('auth').password]", + "authenticationType": "[basics('auth').authenticationType]", + "sshPublicKey": "[basics('auth').sshPublicKey]", + "vmName": "[basics('gatewayNameUi')]", + "vmSize": "[coalesce(steps('chkp').R8030vmSizeUiBYOL, steps('chkp').R8030vmSizeUiNGTP, steps('chkp').R8030vmSizeUiNGTX)]", + "sicKey": "[coalesce(steps('chkp').sicKeyUi, 'notused')]", + "virtualNetworkName": "[steps('network').virtualNetwork.name]", + "virtualNetworkAddressPrefix": "[steps('network').virtualNetwork.addressPrefix]", + "Subnet1Name": "[steps('network').virtualNetwork.subnets.subnet1.name]", + "Subnet1Prefix": "[steps('network').virtualNetwork.subnets.subnet1.addressPrefix]", + "Subnet1StartAddress": "[steps('network').virtualNetwork.subnets.subnet1.startAddress]", + "Subnet2Name": "[steps('network').virtualNetwork.subnets.subnet2.name]", + "Subnet2Prefix": "[steps('network').virtualNetwork.subnets.subnet2.addressPrefix]", + "Subnet2StartAddress": "[steps('network').virtualNetwork.subnets.subnet2.startAddress]", + "vnetNewOrExisting": "[steps('network').virtualNetwork.newOrExisting]", + "virtualNetworkExistingRGName": "[steps('network').virtualNetwork.resourceGroup]", + "bootstrapScript": "[steps('chkp').bootstrapScript]", + "allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp').allowUploadDownload, 'true')]", + "additionalDiskSizeGB": "[int(steps('chkp').additionalDiskSizeGB)]", + 
"diskType": "[coalesce(steps('chkp').VMDiskType, 'Standard_LRS')]", + "sourceImageVhdUri": "[coalesce(steps('chkp').sourceImageVhdUri, 'noCustomUri')]", + "customMetrics": "[steps('chkp').customMetrics]", + "adminShell": "[steps('chkp').adminShell]" + } + } +} \ No newline at end of file diff --git a/deprecated/azure/templates/R8030/single-r8030/mainTemplate.json b/deprecated/azure/templates/R8030/single-r8030/mainTemplate.json new file mode 100644 index 00000000..0e9e6f06 --- /dev/null +++ b/deprecated/azure/templates/R8030/single-r8030/mainTemplate.json 
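Review bot: The `VMDiskType` control is only shown when the selected size name contains `DS` (`"visible": "[or(contains(steps('chkp').R8030vmSizeUiBYOL, 'DS'), ...)]"`), yet the `allowedSizes` lists include premium-storage-capable families such as `Standard_F4s`, `Standard_D4s_v3`, `Standard_E4s_v3` and `Standard_M8ms`; for those the selector stays hidden and the `diskType` output silently falls back to `Standard_LRS` via `coalesce`, so a deployer cannot choose Premium on them. Either drop the `visible` condition and show the selector for every size (the main template takes `diskType` as a plain parameter), or extend the test to the `s`-suffixed families; which sizes support premium should be confirmed against the current Azure size list rather than inferred from the name. Separately, the `sourceImageVhdUri` regex `^[a-z0-9A-Z_\\-\\.\\:\\/]{1,500}.vhd$` leaves the `.` before `vhd` unescaped, so a value ending in e.g. `-vhd` passes; it should be `\\.vhd$`. These are UI-side checks only, so the ARM template must still validate the value it receives.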
@@ -0,0 +1,638 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "subscriptionId": { + "type": "string", + "defaultValue": "[subscription().subscriptionId]", + "metadata": { + "description": "Subscription ID." + } + }, + "location": { + "type": "string", + "metadata": { + "description": "Deployment location" + }, + "defaultValue": "[resourceGroup().location]" + }, + "cloudGuardVersion": { + "type": "string", + "allowedValues": [ + "R80.30 - Bring Your Own License", + "R80.30 - Pay As You Go (NGTP)", + "R80.30 - Pay As You Go (NGTX)" + ], + "defaultValue": "R80.30 - Bring Your Own License", + "metadata": { + "description": "Version of Check Point CloudGuard" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Administrator password" + }, + "defaultValue": "" + }, + "authenticationType": { + "type": "string", + "allowedValues": [ + "password", + "sshPublicKey" + ], + "defaultValue": "password", + "metadata": { + "description": "Authentication type" + } + }, + "sshPublicKey": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Administrator SSH public key" + } + }, + "vmName": { + "type": "string", + "metadata": { + "description": "Name of the Check Point Security Gateway" + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_D3_v2", + "metadata": { + "description": "Size of the VM" + } + }, + "adminShell": { + "type": "string", + "defaultValue": "/etc/cli.sh", + "allowedValues": [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh" + ], + "metadata": { + "Description": "The default shell for the admin user" + } + }, + "sicKey": { + "type": "securestring", + "metadata": { + "description": "One time key for Secure Internal Communication" + } + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": 
"vnet" + }, + "virtualNetworkAddressPrefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the virtual network" + }, + "defaultValue": "10.0.0.0/16" + }, + "Subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the 1st subnet" + }, + "defaultValue": "Frontend" + }, + "Subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 1st subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "Subnet1StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the 1st subnet" + }, + "defaultValue": "10.0.1.10" + }, + "Subnet2Name": { + "type": "string", + "metadata": { + "description": "The name of the 2nd subnet" + }, + "defaultValue": "Backend" + }, + "Subnet2Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 2nd subnet" + }, + "defaultValue": "10.0.2.0/24" + }, + "Subnet2StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the 2nd subnet" + }, + "defaultValue": "10.0.2.10" + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "new", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "[resourceGroup().name]" + }, + "managementGUIClientNetwork": { + "type": "string", + "metadata": { + "description": "Allowed GUI clients" + }, + "defaultValue": "0.0.0.0/0" + }, + "installationType": { + "type": "string", + "metadata": { + "description": "Installation Type" + }, + "defaultValue": "gateway", + "allowedValues": [ + "standalone", + "gateway", + "custom" + ] + }, + "bootstrapScript": { + "type": "string", + "metadata": { + "description": "Bootstrap script" + }, + "defaultValue": "" + }, + 
"allowDownloadFromUploadToCheckPoint": { + "type": "string", + "allowedValues": [ + "true", + "false" + ], + "defaultValue": "true", + "metadata": { + "description": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + } + }, + "additionalDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "metadata": { + "description": "Amount of additional disk space (in GB)" + }, + "minValue": 0, + "maxValue": 3995 + }, + "diskType": { + "type": "string", + "defaultValue": "Standard_LRS", + "metadata": { + "description": "The type of the OS disk. Premium is applicable only to DS machine sizes" + }, + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ] + }, + "sourceImageVhdUri": { + "type": "string", + "defaultValue": "noCustomUri", + "metadata": { + "description": "The URI of the blob containing the development image" + } + }, + "_artifactsLocation": { + "type": "string", + "metadata": { + "description": "Use the following URI when deploying a custom template: https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/" + }, + "defaultValue": "[deployment().properties.templateLink.uri]" + }, + "_artifactsLocationSasToken": { + "type": "securestring", + "metadata": { + "description": "The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. Use the defaultValue if the staging location is not secured." 
+ }, + "defaultValue": "" + }, + "customMetrics": { + "type": "string", + "allowedValues": [ + "no", + "yes" + ], + "defaultValue": "yes", + "metadata": { + "Description": "Indicates whether CloudGuard Metrics will be used for this VM monitoring" + } + }, + "rbacGuid": { + "type": "string", + "defaultValue": "[newGuid()]" + } + }, + "variables": { + "templateName": "single", + "templateVersion": "20220130", + "location": "[parameters('location')]", + "offers": { + "R80.30 - Bring Your Own License": "BYOL", + "R80.30 - Pay As You Go (NGTP)": "NGTP-V2", + "R80.30 - Pay As You Go (NGTX)": "NGTX-V2" + }, + "offer": "[variables('offers')[parameters('cloudGuardVersion')]]", + "osVersions": { + "R80.30 - Bring Your Own License": "R8030", + "R80.30 - Pay As You Go (NGTP)": "R8030", + "R80.30 - Pay As You Go (NGTX)": "R8030" + }, + "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", + "installationType": "[parameters('installationType')]", + "adminUsername": "notused", + "isBlink": "[equals(variables('installationType'), 'gateway')]", + "storageAccountName": "[concat('bootdiag', uniqueString(resourceGroup().id, deployment().name))]", + "storageAccountType": "Standard_LRS", + "diskSize100GB": 100, + "diskSizeGB": "[add(parameters('additionalDiskSizeGB'), variables('diskSize100GB'))]", + "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'managementGUIClientNetwork=\"', variables('managementGUIClientNetwork'), '\"', 
'\n', 'customMetrics=\"', variables('customMetrics'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n')]", + "imageOffer": "[concat('check-point-cg-', toLower(variables('osVersion')))]", + "imagePublisher": "checkpoint", + "imageSku": "sg-byol", + "imageReferenceBYOL": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "[variables('imageSku')]", + "version": "latest" + }, + "imageReferenceNGTP": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp", + "version": "latest" + }, + "imageReferenceNGTP-V2": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp-v2", + "version": "latest" + }, + "imageReferenceNGTX": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtx", + "version": "latest" + }, + "imageReferenceNGTX-V2": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtx-v2", + "version": "latest" + }, + "imageReferenceMarketplace": "[if(equals(variables('offer'), 'BYOL'), variables('imageReferenceBYOL'), if(equals(variables('offer'), 'NGTP'), variables('imageReferenceNGTP'), if(equals(variables('offer'), 'NGTP-V2'), variables('imageReferenceNGTP-V2'), if(equals(variables('offer'), 'NGTX'), variables('imageReferenceNGTX'), if(equals(variables('offer'), 'NGTX-V2'), variables('imageReferenceNGTX-V2'), json('null'))))))]", + "customImage": "customImage", + "imageReferenceCustomUri": { + "id": "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + }, + "imageReference": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('imageReferenceMarketplace'), variables('imageReferenceCustomUri'))]", + "nic1Name": "[concat(parameters('vmName'), '-eth0')]", + "nic2Name": "[concat(parameters('vmName'), '-eth1')]", + "linuxConfigurationpassword": { + 
"disablePasswordAuthentication": "false" + }, + "linuxConfigurationsshPublicKey": { + "disablePasswordAuthentication": "true", + "ssh": { + "publicKeys": [ + { + "keyData": "[parameters('sshPublicKey')]", + "path": "/home/notused/.ssh/authorized_keys" + } + ] + } + }, + "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), variables('linuxConfigurationpassword'), variables('linuxConfigurationsshPublicKey'))]", + "planBYOL": { + "name": "[variables('imageSku')]", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP": { + "name": "sg-ngtp", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP-V2": { + "name": "sg-ngtp-v2", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTX": { + "name": "sg-ngtx", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTX-V2": { + "name": "sg-ngtx-v2", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "plan": "[if(equals(variables('offer'), 'BYOL') , variables('planBYOL'), if(equals(variables('offer'), 'NGTP'), variables('planNGTP'), if(equals(variables('offer'), 'NGTP-V2'), variables('planNGTP-V2'), if(equals(variables('offer'), 'NGTX'), variables('planNGTX'), if(equals(variables('offer'), 'NGTX-V2'), variables('planNGTX-V2'), json('null'))))))]", + "publicIPAddressName": "[parameters('vmName')]", + "publicIPAddressId": "[resourceId('Microsoft.Network/publicIPAddresses/', variables('publicIPAddressName'))]", + "bootstrapScript64": "[base64(parameters('bootstrapScript'))]", + "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]", + "networkSetupURL": "[uri(parameters('_artifactsLocation'), concat('nestedtemplates/vnet-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]", + "sicKey": 
"[parameters('sicKey')]", + "managementGUIClientNetwork": "[parameters('managementGUIClientNetwork')]", + "vmID": "[resourceId('Microsoft.Compute/virtualMachines/', parameters('vmName'))]", + "customMetrics": "[parameters('customMetrics')]", + "identity": "[json('{\"type\": \"SystemAssigned\"}')]", + "monitoringMetricsPublisher": "[concat('/subscriptions/', parameters('subscriptionId'), '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", + "deployNewVnet": "[equals(parameters('vnetNewOrExisting'), 'new')]", + "vnetRGName": "[if(variables('deployNewVnet'), resourceGroup().name, parameters('virtualNetworkExistingRGName'))]" + }, + "resources": [ + { + "apiVersion": "2020-06-01", + "name": "pid-6f13b00a-7546-4ab2-be9f-c66815cc6c8b-partnercenter", + "type": "Microsoft.Resources/deployments", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('storageAccountName')]", + "apiVersion": "2021-04-01", + "properties": { + "supportsHttpsTrafficOnly": true, + "allowBlobPublicAccess": false, + "minimumTlsVersion": "TLS1_2" + }, + "location": "[variables('location')]", + "sku": { + "name": "[variables('storageAccountType')]" + }, + "kind": "Storage" + }, + { + "condition": "[equals(parameters('vnetNewOrExisting'), 'new')]", + "name": "networkNewSetup", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + "value": "[variables('location')]" + }, + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + "virtualNetworkAddressPrefix": { + "value": 
"[parameters('virtualNetworkAddressPrefix')]" + }, + "Subnet1Name": { + "value": "[parameters('Subnet1Name')]" + }, + "Subnet1Prefix": { + "value": "[parameters('Subnet1Prefix')]" + }, + "Subnet1StartAddress": { + "value": "[parameters('Subnet1StartAddress')]" + }, + "Subnet2Name": { + "value": "[parameters('Subnet2Name')]" + }, + "Subnet2Prefix": { + "value": "[parameters('Subnet2Prefix')]" + }, + "Subnet2StartAddress": { + "value": "[parameters('Subnet2StartAddress')]" + } + } + } + }, + { + "condition": "[equals(parameters('vnetNewOrExisting'), 'existing')]", + "name": "networkExistingSetup", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + "virtualNetworkExistingRGName": { + "value": "[variables('vnetRGName')]" + } + } + } + }, + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "2020-06-01", + "location": "[variables('location')]", + "name": "[variables('publicIPAddressName')]", + "properties": { + "idleTimeoutInMinutes": 30, + "publicIPAllocationMethod": "Static", + "dnsSettings": { + "domainNameLabel": "[concat(toLower(parameters('vmName')), '-', uniquestring(resourceGroup().id, deployment().name))]" + } + } + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[coalesce(resourceId('Microsoft.Resources/deployments/', 'networkNewSetup'), resourceId('Microsoft.Resources/deployments', 'networkExistingSetup'))]", + "[variables('publicIPAddressId')]" + ], + "location": "[variables('location')]", + "name": "[variables('nic1Name')]", + "properties": { + "enableIPForwarding": true, + "enableAcceleratedNetworking": "[not(equals(variables('osVersion'), 'R8010'))]", + "ipConfigurations": [ + { + "name": "ipconfig1", + "properties": { + 
"privateIPAddress": "[parameters('Subnet1StartAddress')]", + "privateIPAllocationMethod": "Static", + "PublicIpAddress": { + "Id": "[variables('publicIPAddressId')]" + }, + "subnet": { + "id": "[resourceId(variables('vnetRGName'), 'Microsoft.Network/virtualNetworks/subnets/', parameters('virtualNetworkName'), parameters('Subnet1Name'))]" + } + } + } + ] + } + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[coalesce(resourceId('Microsoft.Resources/deployments/', 'networkNewSetup'), resourceId('Microsoft.Resources/deployments/', 'networkExistingSetup'))]" + ], + "location": "[variables('location')]", + "name": "[variables('nic2Name')]", + "properties": { + "enableIPForwarding": true, + "enableAcceleratedNetworking": "[not(equals(variables('osVersion'), 'R8010'))]", + "ipConfigurations": [ + { + "name": "ipconfig2", + "properties": { + "privateIPAddress": "[parameters('Subnet2StartAddress')]", + "privateIPAllocationMethod": "Static", + "subnet": { + "id": "[resourceId(variables('vnetRGName'), 'Microsoft.Network/virtualNetworks/subnets/', parameters('virtualNetworkName'), parameters('Subnet2Name'))]" + } + } + } + ] + } + }, + { + "condition": "[not(equals(parameters('sourceImageVhdUri'), 'noCustomUri'))]", + "type": "Microsoft.Compute/images", + "apiVersion": "2020-06-01", + "name": "[variables('customImage')]", + "location": "[variables('location')]", + "properties": { + "storageProfile": { + "osDisk": { + "osType": "Linux", + "osState": "Generalized", + "blobUri": "[parameters('sourceImageVhdUri')]", + "storageAccountType": "Standard_LRS" + } + }, + "hyperVGeneration": "V1" + } + }, + { + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2021-07-01", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]", + "[resourceId('Microsoft.Network/networkInterfaces/', variables('nic1Name'))]", + "[resourceId('Microsoft.Network/networkInterfaces/', 
variables('nic2Name'))]", + "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + ], + "location": "[variables('location')]", + "name": "[parameters('vmName')]", + "plan": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('plan'), json('null'))]", + "identity": "[if(equals(variables('customMetrics'), 'yes'), variables('identity'), json('null'))]", + "properties": { + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": "true", + "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2021-06-01').primaryEndpoints.blob]" + } + }, + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces/', variables('nic1Name'))]", + "properties": { + "primary": true + } + }, + { + "id": "[resourceId('Microsoft.Network/networkInterfaces/', variables('nic2Name'))]", + "properties": { + "primary": false + } + } + ] + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "[variables('adminUsername')]", + "computerName": "[toLower(parameters('vmName'))]", + "customData": "[base64(variables('customData'))]", + "linuxConfiguration": "[variables('linuxConfiguration')]" + }, + "storageProfile": { + "imageReference": "[variables('imageReference')]", + "osDisk": { + "caching": "ReadWrite", + "createOption": "FromImage", + "diskSizeGB": "[variables('diskSizeGB')]", + "name": "[parameters('vmName')]", + "managedDisk": { + "storageAccountType": "[parameters('diskType')]" + } + } + } + } + }, + { + "condition": "[equals(variables('customMetrics'), 'yes')]", + "apiVersion": "2020-04-01-preview", + "type": "Microsoft.Authorization/roleAssignments", + "name": "[parameters('rbacGuid')]", + "properties": { + "roleDefinitionId": "[variables('monitoringMetricsPublisher')]", + "principalId": "[reference(variables('vmID'), '2019-12-01', 
'Full').identity.principalId]", + "scope": "[resourceGroup().id]" + }, + "dependsOn": [ + "[variables('vmID')]" + ] + } + ], + "outputs": { + "GatewayIPAddr": { + "type": "string", + "value": "[reference(variables('publicIPAddressId')).IpAddress]" + }, + "GatewayFQDN": { + "type": "string", + "value": "[reference(variables('publicIPAddressId')).dnsSettings.fqdn]" + } + } +} \ No newline at end of file diff --git a/deprecated/azure/templates/R8030/single-r8030/nestedtemplates/vnet-existing.json b/deprecated/azure/templates/R8030/single-r8030/nestedtemplates/vnet-existing.json new file mode 100644 index 00000000..561fcd21 --- /dev/null +++ b/deprecated/azure/templates/R8030/single-r8030/nestedtemplates/vnet-existing.json @@ -0,0 +1,30 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "vnet" + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "" + } + }, + "variables": { + "vnetId": "[resourceId(parameters('virtualNetworkExistingRGName'),'Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" + }, + "resources": [], + "outputs": { + "vnetId": { + "value": "[variables('vnetId')]", + "type": "string" + } + } +} \ No newline at end of file diff --git a/deprecated/azure/templates/R8030/single-r8030/nestedtemplates/vnet-new.json b/deprecated/azure/templates/R8030/single-r8030/nestedtemplates/vnet-new.json new file mode 100644 index 00000000..d46b15bb --- /dev/null +++ b/deprecated/azure/templates/R8030/single-r8030/nestedtemplates/vnet-new.json 
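Review bot: The `managementGUIClientNetwork` parameter in mainTemplate.json ships with `"defaultValue": "0.0.0.0/0"`, so unless a caller overrides it the gateway's bootstrap (`customData` carries it as `managementGUIClientNetwork=...`) allows GUI clients from any source; the createUiDefinition outputs visible earlier in this commit do not appear to set it, so Marketplace deployments would get this default. I would drop the default so the value must be supplied, or at least replace the description with `"description": "Allowed GUI clients as a CIDR; restrict to your management network (0.0.0.0/0 permits any source)"` so the choice is explicit. Separately, the `Microsoft.Authorization/roleAssignments` resource grants Monitoring Metrics Publisher with `"scope": "[resourceGroup().id]"`; if the gateway only publishes metrics for itself, `"scope": "[variables('vmID')]"` is the least-privilege scope, which is worth confirming against how CloudGuard Metrics posts data.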
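Review bot: In vnet-existing.json, `virtualNetworkExistingRGName` has `"defaultValue": ""`, which makes the `vnetId` variable evaluate `resourceId('', 'Microsoft.Network/virtualNetworks', ...)`; the parent template always passes `variables('vnetRGName')`, so this only surfaces if the nested template is deployed on its own, but removing the empty default would make a missing value fail at validation instead of producing an id for an unintended resource group.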
@@ -0,0 +1,151 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "vnet" + }, + "virtualNetworkAddressPrefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the virtual network" + } + }, + "Subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the 1st subnet" + }, + "defaultValue": "Frontend" + }, + "Subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 1st subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "Subnet1StartAddress": { + "type": "string", + "metadata": { + "description": "The first avaialable address on the 1st subnet" + } + }, + "Subnet2Name": { + "type": "string", + "metadata": { + "description": "The name of the 2nd subnet" + }, + "defaultValue": "Backend" + }, + "Subnet2Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 2nd subnet" + }, + "defaultValue": "10.0.2.0/24" + }, + "Subnet2StartAddress": { + "type": "string", + "metadata": { + "description": "The first avaialable address on the 2nd subnet" + } + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/routeTables", + "apiVersion": "2020-06-01", + "location": "[parameters('location')]", + "name": "[parameters('subnet1Name')]", + "properties": { + "routes": [ + { + "name": "Local-Subnet", + "properties": { + "addressPrefix": "[parameters('subnet1Prefix')]", + "nextHopType": "VnetLocal" + } + }, + { + "name": "To-Internal", + "properties": { + "addressPrefix": "[parameters('virtualNetworkAddressPrefix')]", + "nextHopType": "VirtualAppliance", + "nextHopIpAddress": "[parameters('subnet1StartAddress')]" + } + } + ] + } + }, + { + "type": 
"Microsoft.Network/routeTables", + "apiVersion": "2020-06-01", + "location": "[parameters('location')]", + "name": "[parameters('subnet2Name')]", + "properties": { + "routes": [ + { + "name": "To-Internet", + "properties": { + "addressPrefix": "0.0.0.0/0", + "nextHopType": "VirtualAppliance", + "nextHopIpAddress": "[parameters('subnet2StartAddress')]" + } + } + ] + } + }, + { + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "2020-06-01", + "location": "[parameters('location')]", + "name": "[parameters('virtualNetworkName')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/routeTables', parameters('subnet1Name'))]", + "[resourceId('Microsoft.Network/routeTables', parameters('subnet2Name'))]" + ], + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[parameters('virtualNetworkAddressPrefix')]" + ] + }, + "subnets": [ + { + "name": "[parameters('subnet1Name')]", + "properties": { + "addressPrefix": "[parameters('subnet1Prefix')]", + "routeTable": { + "id": "[resourceId('Microsoft.Network/routeTables', parameters('subnet1Name'))]" + } + } + }, + { + "name": "[parameters('subnet2Name')]", + "properties": { + "addressPrefix": "[parameters('subnet2Prefix')]", + "routeTable": { + "id": "[resourceId('Microsoft.Network/routeTables', parameters('subnet2Name'))]" + } + } + } + ] + } + } + ], + "outputs": { + "vnetId": { + "value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]", + "type": "string" + } + } +} \ No newline at end of file diff --git a/deprecated/azure/templates/R8030/vmss-r8030/README.MD b/deprecated/azure/templates/R8030/vmss-r8030/README.MD new file mode 100644 index 00000000..ce4af645 --- /dev/null +++ b/deprecated/azure/templates/R8030/vmss-r8030/README.MD 
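Review bot: vnet-new.json attaches route tables to both subnets but declares no network security group, so the Frontend subnet, which holds the gateway NIC with the static public IP, relies entirely on the gateway's own policy for filtering; that is a common pattern for a firewall appliance, but a short note in the README or a `metadata.description` on the `Microsoft.Network/virtualNetworks` resource stating that no NSG is created would keep operators from assuming one exists. The `Subnet1StartAddress` and `Subnet2StartAddress` descriptions read "first avaialable address"; the parent template spells it "available", so `"description": "The first available address on the 1st subnet"` (and likewise for the 2nd) keeps the two in sync. The `To-Internet` and `To-Internal` routes also assume the gateway holds exactly `subnet1StartAddress`/`subnet2StartAddress`, which the parent enforces with static allocation; a comment-style `metadata` entry on those routes naming that dependency would help anyone reusing this nested template elsewhere.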
@@ -0,0 +1,13 @@ +# How to deploy this template +To deploy this ARM template, follow these instructions: +1. Log in to the [Microsoft Azure Portal](https://portal.azure.com) +2. Click "*Create a resource*" +3. Search for "*Template deployment (deploy using custom templates)*" and click "*Create*" +4. Click "*Build your own template in the editor*" +5. Load the "*mainTemplate.json*" file from this directory and click "*Save*" +6. Enter the desired template parameters + - Replace the "*_artifacts Location*" property with: + ``` + https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/deprecated/azure/templates/vmss-r8030/ + ``` +7. Click *Purchase* to deploy the solution diff --git a/deprecated/azure/templates/R8030/vmss-r8030/createUiDefinition.json b/deprecated/azure/templates/R8030/vmss-r8030/createUiDefinition.json new file mode 100644 index 00000000..3b6e0907 --- /dev/null +++ b/deprecated/azure/templates/R8030/vmss-r8030/createUiDefinition.json 
@@ -0,0 +1,1106 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Compute.MultiVm", + "version": "0.1.2-preview", + "parameters": { + "basics": [ + { + "name": "CloudGuard VMSS settings text block", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "Please follow the CloudGuard Network for Azure VMSS R80.10 and Higher Administration Guide.", + "link": { + "label": "Administration Guide", + "uri": "https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_VMSS_for_Azure/Default.htm" + } + } + }, + { + "name": "gatewayScaleSetNameUi", + "type": "Microsoft.Common.TextBox", + "label": "Gateway scale set name", + "toolTip": "The name of the Check Point Security Gateway Scale Set.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{1,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + } + }, + { + "name": "auth", + "type": "Microsoft.Compute.CredentialsCombo", + "label": { + "authenticationType": "Authentication type", + "password": "Password", + "confirmPassword": "Confirm password", + "sshPublicKey": "SSH public key" + }, + "toolTip": { + "password": "The user 'admin' password", + "sshPublicKey": "Paste an OpenSSH public key. 
You can generate a key pair using ssh-keygen (Linux, OS X, Cygwin) or PuttyGen (Windows)" + }, + "constraints": { + "required": true + }, + "options": { + "hideConfirmation": false, + "hidePassword": false + }, + "osPlatform": "Linux" + } + ], + "steps": [ + { + "name": "autoprovision", + "label": "Check Point VMSS settings", + "subLabel": { + "preValidation": "Configure CloudGuard VMSS settings", + "postValidation": "Done" + }, + "bladeTitle": "CloudGuard VMSS settings", + "elements": [ + { + "name": "upgrading", + "type": "Microsoft.Common.OptionsGroup", + "label": "Are you upgrading your CloudGuard VMSS solution?", + "defaultValue": "No", + "toolTip": "Select 'Yes' if you are upgrading your CloudGuard VMSS solution.", + "constraints": { + "allowedValues": [ + { + "label": "No", + "value": "no" + }, + { + "label": "Yes", + "value": "yes" + } + ] + } + }, + { + "name": "upgradeVmssInfoBox", + "type": "Microsoft.Common.InfoBox", + "visible": "[equals(steps('autoprovision').upgrading, 'yes')]", + "options": { + "icon": "Warning", + "text": "All the configurations below must be similar to the existing CloudGuard VMSS solution.\n\nNote that the target load balancers are the ones connected to your existing CloudGuard VMSS solution.\n\nSee the Deployment Guide for more information." + } + }, + { + "name": "vmCount", + "type": "Microsoft.Common.TextBox", + "label": "Initial number of gateways", + "defaultValue": "2", + "toolTip": "The initial number of gateways", + "constraints": { + "required": true, + "regex": "^[1-9][0-9]{0,1}$", + "validationMessage": "Please enter a number in the range 1-99." + } + }, + { + "name": "maxVmCount", + "type": "Microsoft.Common.TextBox", + "label": "Maximum number of gateways", + "defaultValue": "10", + "toolTip": "The maximum number of gateways", + "constraints": { + "required": true, + "regex": "^[1-9][0-9]{0,1}$", + "validationMessage": "Please enter a number in the range 1-99." 
+ } + }, + { + "name": "numGwsValidation", + "type": "Microsoft.Common.InfoBox", + "visible": "[greater(steps('autoprovision').vmCount, steps('autoprovision').maxVmCount)]", + "options": { + "icon": "Error", + "text": "Maximum number of gateways is lower than initial number of gateways" + } + }, + { + "name": "managementServer", + "type": "Microsoft.Common.TextBox", + "label": "Management name", + "toolTip": "The name of the management server as it appears in the configuration file", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z_\\-]{1,30}$", + "validationMessage": "Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long." + } + }, + { + "name": "configurationTemplateInfoBox", + "type": "Microsoft.Common.InfoBox", + "visible": "[equals(steps('autoprovision').upgrading, 'yes')]", + "options": { + "icon": "Info", + "text": "Use a different configuration template name than in your existing CloudGuard VMSS solution." + } + }, + { + "name": "configurationTemplate", + "type": "Microsoft.Common.TextBox", + "label": "Configuration template name", + "toolTip": "The configuration template name as it appears in the configuration file", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z_\\-]{1,30}$", + "validationMessage": "Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long." + } + }, + { + "name": "adminEmail", + "type": "Microsoft.Common.TextBox", + "label": "Administrator email address", + "defaultValue": "", + "toolTip": "An email address to notify about scaling operations", + "constraints": { + "required": false, + "regex": "^([a-zA-Z0-9_\\-\\.]+)@((\\[[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.)|(([a-zA-Z0-9\\-]+\\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\\]?)$", + "validationMessage": "Leave empty or enter a valid email address." 
+ } + }, + { + "name": "deploymentMode", + "type": "Microsoft.Common.DropDown", + "label": "Load balancers deployment", + "defaultValue": "Standard (External & Internal)", + "toolTip": "Defines which load balancers will be deployed. Note: For outbound inspection it is mandatory to deploy an external load balancer and/or instance level public IP addresses.", + "constraints": { + "allowedValues": [ + { + "label": "Standard (External & Internal)", + "value": "Standard" + }, + { + "label": "External only (Inbound inspection only)", + "value": "ELBOnly" + }, + { + "label": "Internal only (Outbound & E-W inspection only - see tooltip)", + "value": "ILBOnly" + } + ] + } + }, + { + "name": "appLoadDistribution", + "type": "Microsoft.Common.DropDown", + "label": "External Load Balancer session persistence", + "defaultValue": "None (5-tuple)", + "toolTip": "The load balancing distribution method for the External Load Balancer.", + "visible": "[not(equals(steps('autoprovision').deploymentMode, 'ILBOnly'))]", + "constraints": { + "allowedValues": [ + { + "label": "None (5-tuple)", + "value": "Default" + }, + { + "label": "Client IP (2-tuple)", + "value": "SourceIP" + }, + { + "label": "Client IP and protocol (3-tuple)", + "value": "SourceIPProtocol" + } + ] + } + }, + { + "name": "ilbLoadDistribution", + "type": "Microsoft.Common.DropDown", + "label": "Internal Load Balancer session persistence", + "defaultValue": "None (5-tuple)", + "toolTip": "The load balancing distribution method for the Internal Load Balancer.", + "visible": "[not(equals(steps('autoprovision').deploymentMode, 'ELBOnly'))]", + "constraints": { + "allowedValues": [ + { + "label": "None (5-tuple)", + "value": "Default" + }, + { + "label": "Client IP (2-tuple)", + "value": "SourceIP" + }, + { + "label": "Client IP and protocol (3-tuple)", + "value": "SourceIPProtocol" + } + ] + } + }, + { + "name": "floatingIP", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy the Load Balancers with floating 
IP", + "defaultValue": "No", + "toolTip": "Deploy the Load Balancers with floating IP.", + "constraints": { + "allowedValues": [ + { + "label": "No", + "value": "no" + }, + { + "label": "Yes", + "value": "yes" + } + ] + }, + "visible": true + }, + { + "name": "instanceLevelPublicIP", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy the VMSS with instance level Public IP address", + "defaultValue": "No", + "toolTip": "If selected 'Yes', then each VMSS instance will have its own public IP address.", + "constraints": { + "allowedValues": [ + { + "label": "No", + "value": "no" + }, + { + "label": "Yes", + "value": "yes" + } + ] + } + }, + { + "name": "publicIPPrefix", + "type": "Microsoft.Common.OptionsGroup", + "label": "Public IP prefix", + "defaultValue": "No", + "toolTip": "Define if deploy existsing Public IP Prefix or a new Public IP Prefix.", + "constraints": { + "allowedValues": [ + { + "label": "No", + "value": "no" + }, + { + "label": "Yes", + "value": "yes" + } + ] + }, + "visible": "[equals(steps('autoprovision').instanceLevelPublicIP, 'yes')]" + }, + { + "name": "createNewIPPrefix", + "type": "Microsoft.Common.OptionsGroup", + "label": "Create new IP prefiex", + "toolTip": "Create new or existsing Public IP Prefix", + "defaultValue": "No", + "constraints": { + "allowedValues": [ + { + "label": "No", + "value": "no" + }, + { + "label": "Yes", + "value": "yes" + } + ] + }, + "visible": "[equals(steps('autoprovision').publicIPPrefix, 'yes')]" + }, + { + "name": "IPv4Length", + "type": "Microsoft.Common.DropDown", + "label": "IPv4 IP prefix length", + "defaultValue": "/31 (2 addresses)", + "toolTip": "Choose the length of the IP prefix for IP v4.", + "multiselect": false, + "selectAll": false, + "filter": false, + "multiLine": false, + "constraints": { + "allowedValues": [ + { + "label": "/28 (16 addresses)", + "value": "/28 (16 addresses)" + }, + { + "label": "/29 (8 addresses)", + "value": "/29 (8 addresses)" + }, + { + "label": "/30 (4 
addresses)", + "value": "/30 (4 addresses)" + }, + { + "label": "/31 (2 addresses)", + "value": "/31 (2 addresses)" + } + ], + "required": true + }, + "visible": "[equals(steps('autoprovision').createNewIPPrefix, 'yes')]" + }, + { + "name": "ipPrefixLengthWarning", + "type": "Microsoft.Common.InfoBox", + "visible": "[equals(steps('autoprovision').createNewIPPrefix, 'yes')]", + "options": { + "icon": "Warning", + "text": "[concat('NOTE: The VMSS will not be allowed to contain more than ', if(equals(steps('autoprovision').IPv4Length, '/31 (2 addresses)'), '2', if(equals(steps('autoprovision').IPv4Length, '/30 (4 addresses)'), '4', if(equals(steps('autoprovision').IPv4Length, '/29 (8 addresses)'), '8', if(equals(steps('autoprovision').IPv4Length, '/28 (16 addresses)'), '16', '0')))), ' instances')]" + } + }, + { + "name": "ipPrefixExistingResourceId", + "type": "Microsoft.Common.TextBox", + "label": "Enter an existing IP prefix resource id", + "toolTip": "The resource id of an existing public IP prefix.", + "multiLine": false, + "constraints": { + "regex": "^[a-z0-9A-Z -.:/n]{1,}$", + "validationMessage": "Only alphanumeric characters, hyphens, spaces, periods, and colons are allowed.", + "required": true + }, + "visible": "[equals(steps('autoprovision').createNewIPPrefix, 'no')]" + }, + { + "name": "externalCommunicationInfoBox", + "type": "Microsoft.Common.InfoBox", + "visible": "[and(equals(steps('autoprovision').instanceLevelPublicIP, 'no'), equals(steps('autoprovision').deploymentMode, 'ILBOnly'))]", + "options": { + "icon": "Warning", + "text": "For outbound inspection it is mandatory to deploy an external load balancer and/or instance level public IP addresses." 
+ } + }, + { + "name": "lbsTargetRGName", + "type": "Microsoft.Common.TextBox", + "visible": "[equals(steps('autoprovision').upgrading, 'yes')]", + "label": "Target load balancers resource group name", + "defaultValue": "", + "toolTip": "The name of the Target Load Balancers Resource Group.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z_\\-\\.\\/\\(\\)]", + "validationMessage": "Resource Group only allow alphanumeric characters, periods, underscores, hyphens, slash, and parenthesis" + } + }, + { + "name": "elbResourceId", + "type": "Microsoft.Common.TextBox", + "visible": "[and(equals(steps('autoprovision').upgrading, 'yes'), not(equals(steps('autoprovision').deploymentMode, 'ILBOnly')))]", + "label": "Target external load balancer resource ID", + "defaultValue": "", + "toolTip": "The Resource ID of the Target External Load Balancer.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z_\\-\\.\\/\\(\\)]", + "validationMessage": "Resource Id only allow alphanumeric characters, periods, underscores, hyphens, slash, and parenthesis" + } + }, + { + "name": "elbInfoBox", + "type": "Microsoft.Common.InfoBox", + "visible": "[and(equals(steps('autoprovision').upgrading, 'yes'), not(equals(steps('autoprovision').deploymentMode, 'ILBOnly')))]", + "options": { + "icon": "Info", + "text": "Make sure you have created a new backend address pool for the target external load balancer." 
+ } + }, + { + "name": "elbBEAddressPoolName", + "type": "Microsoft.Common.TextBox", + "visible": "[and(equals(steps('autoprovision').upgrading, 'yes'), not(equals(steps('autoprovision').deploymentMode, 'ILBOnly')))]", + "label": "External load balancer's new backend pool name", + "toolTip": "The name of the new Target External Load Balancer's Backend Pool.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z_\\-\\.\\/\\(\\)]", + "validationMessage": "Only alphanumeric characters, periods, underscores, hyphens, slash, and parenthesis are allowed" + } + }, + { + "name": "ilbResourceId", + "type": "Microsoft.Common.TextBox", + "visible": "[and(equals(steps('autoprovision').upgrading, 'yes'), not(equals(steps('autoprovision').deploymentMode, 'ELBOnly')))]", + "label": "Target internal load balancer resource ID", + "defaultValue": "", + "toolTip": "The Resource ID of the Target Internal Load Balancer.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z_\\-\\.\\/\\(\\)]", + "validationMessage": "Resource Id only allow alphanumeric characters, periods, underscores, hyphens, slash, and parenthesis" + } + }, + { + "name": "ilbInfoBox", + "type": "Microsoft.Common.InfoBox", + "visible": "[and(equals(steps('autoprovision').upgrading, 'yes'), not(equals(steps('autoprovision').deploymentMode, 'ELBOnly')))]", + "options": { + "icon": "Info", + "text": "Make sure you have created a new backend address pool for the target internal load balancer." 
+ } + }, + { + "name": "ilbBEAddressPoolName", + "type": "Microsoft.Common.TextBox", + "visible": "[and(equals(steps('autoprovision').upgrading, 'yes'), not(equals(steps('autoprovision').deploymentMode, 'ELBOnly')))]", + "label": "Internal load balancer's new backend pool name", + "toolTip": "The name of the new target internal load balancer's backend pool.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z_\\-\\.\\/\\(\\)]", + "validationMessage": "Only alphanumeric characters, periods, underscores, hyphens, slash, and parenthesis are allowed" + } + }, + { + "name": "mgmtInterfaceOpt1", + "type": "Microsoft.Common.DropDown", + "label": "Management interface and IP address", + "defaultValue": "Backend NIC's private IP address", + "visible": "[equals(steps('autoprovision').instanceLevelPublicIP, 'yes')]", + "toolTip": "Manage the Gateways in the Scale Set via the instance's external (eth0) or internal (eth1) NIC and with public or private IP.", + "constraints": { + "allowedValues": [ + { + "label": "Backend NIC's private IP address", + "value": "eth1-private" + }, + { + "label": "Frontend NIC's public IP address", + "value": "eth0-public" + }, + { + "label": "Frontend NIC's private IP address", + "value": "eth0-private" + } + ] + } + }, + { + "name": "mgmtInterfaceOpt2", + "type": "Microsoft.Common.DropDown", + "label": "Management interface and IP address", + "defaultValue": "Backend NIC's private IP address", + "visible": "[equals(steps('autoprovision').instanceLevelPublicIP, 'no')]", + "toolTip": "Manage the Gateways in the Scale Set via the instance's external (eth0) or internal (eth1) NIC's private IP address.", + "constraints": { + "allowedValues": [ + { + "label": "Backend NIC's private IP address", + "value": "eth1-private" + }, + { + "label": "Frontend NIC's private IP address", + "value": "eth0-private" + } + ] + } + }, + { + "name": "mgmtIPaddress", + "type": "Microsoft.Common.TextBox", + "label": "Management Server IP address", + "toolTip": 
"The IP address used to manage the VMSS instances.", + "visible": "[or(equals(steps('autoprovision').mgmtInterfaceOpt1, 'eth0-private'), equals(steps('autoprovision').mgmtInterfaceOpt2, 'eth0-private'))]", + "constraints": { + "regex": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$", + "required": true, + "validationMessage": "Please enter a valid IP address" + } + }, + { + "name": "availabilityZonesNum", + "type": "Microsoft.Common.DropDown", + "label": "Number of Availability Zones to use", + "defaultValue": "None", + "toolTip": "The number of avalability zones to use for the scale set. Note that the load balancers and their IP addresses will be zone redundant in any case.", + "visible": "[contains(' australiaeast brazilsouth canadacentral centralus eastasia eastus eastus2 francecentral germanywestcentral japaneast koreacentral northeurope norwayeast southafricanorth southcentralus southeastasia swedencentral uksouth usgovvirginia westeurope westus2 westus3 ', concat(' ', location(), ' '))]", + "constraints": { + "allowedValues": [ + { + "label": "None", + "value": 0 + }, + { + "label": "One zone", + "value": 1 + }, + { + "label": "Two zones", + "value": 2 + }, + { + "label": "Three zones", + "value": 3 + } + ] + } + }, + { + "name": "customMetrics", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable CloudGuard metrics", + "defaultValue": "Yes", + "toolTip": "Enable CloudGuard metrics in order to send statuses and statistics collected from VMSS instances to the Azure Monitor service.", + "constraints": { + "allowedValues": [ + { + "label": "No", + "value": "no" + }, + { + "label": "Yes", + "value": "yes" + } + ] + }, + "visible": true + } + ] + }, + { + "name": "chkp", + "label": "Check Point CloudGuard settings", + "subLabel": { + "preValidation": "Configure CloudGuard settings", + "postValidation": "Done" + }, + "bladeTitle": "CloudGuard settings", + "elements": [ + { + "name": 
"cloudGuardVersion", + "type": "Microsoft.Common.DropDown", + "label": "Check Point CloudGuard version", + "defaultValue": "R80.30", + "toolTip": "The version of Check Point CloudGuard.", + "constraints": { + "allowedValues": [ + { + "label": "R80.30", + "value": "R80.30" + } + ] + } + }, + { + "name": "R80Offer", + "type": "Microsoft.Common.DropDown", + "label": "License type", + "toolTip": "The type of license.", + "defaultValue": "Bring Your Own License", + "visible": true, + "constraints": { + "allowedValues": [ + { + "label": "Bring Your Own License", + "value": "Bring Your Own License" + }, + { + "label": "Pay As You Go (NGTP)", + "value": "Pay As You Go (NGTP)" + }, + { + "label": "Pay As You Go (NGTX)", + "value": "Pay As You Go (NGTX)" + } + ] + } + }, + { + "name": "R8030vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.30'), equals(coalesce(steps('chkp').R80Offer, 'Bring Your Own License'), 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + 
"Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8030", + "sku": "sg-byol" + }, + "count": "[steps('autoprovision').vmCount]" + }, + { + "name": "R8030vmSizeUiNGTP", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.30'), contains(steps('chkp').R80Offer, '(NGTP)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + 
"Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8030", + "sku": "sg-ngtp-v2" + }, + "count": "[steps('autoprovision').vmCount]" + }, + { + "name": "R8030vmSizeUiNGTX", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.30'), contains(steps('chkp').R80Offer, '(NGTX)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + 
"Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8030", + "sku": "sg-ngtx-v2" + }, + "count": "[steps('autoprovision').vmCount]" + }, + { + "name": "adminShell", + "type": "Microsoft.Common.DropDown", + "label": "Default shell for the admin user", + "defaultValue": "/etc/cli.sh", + "toolTip": "The default shell for the admin user", + "constraints": { + "allowedValues": [ + { + "label": "/etc/cli.sh", + "value": "/etc/cli.sh" + }, + { + "label": "/bin/bash", + "value": "/bin/bash" + }, + { + "label": "/bin/csh", + "value": "/bin/csh" + }, + { + "label": "/bin/tcsh", + "value": "/bin/tcsh" + } + ] + } + }, + { + "name": "sicKeyUi", + "type": "Microsoft.Common.PasswordBox", + "label": { + "password": "SIC Key", + "confirmPassword": "Confirm SIC Key" + }, + "toolTip": "Set the Secure Internal Communication one time secret used to set up trust between the gateway and the management server.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{12,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the value must be 12-30 characters long." + }, + "options": { + "hideConfirmation": false + } + }, + { + "name": "bootstrapScript", + "type": "Microsoft.Common.FileUpload", + "label": "Bootstrap script", + "toolTip": "An optional script to run on the initial boot", + "constraints": { + "required": false, + "accept": ".sh,text/plain" + }, + "options": { + "multiple": false, + "uploadMode": "file", + "openMode": "text", + "encoding": "UTF-8" + } + }, + { + "name": "allowUploadDownload", + "type": "Microsoft.Common.OptionsGroup", + "label": "Allow download from/upload to Check Point", + "defaultValue": "Yes", + "toolTip": "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "true" + }, + { + "label": "No", + "value": "false" + } + ] + } + }, + { + "name": "VMDiskType", + "type": "Microsoft.Common.OptionsGroup", + "label": "VM disk type", + "toolTip": "Type of CloudGuard disk.", + "visible": "[or(contains(steps('chkp').R8030vmSizeUiBYOL, 'DS'), contains(steps('chkp').R8030vmSizeUiNGTP, 'DS'), contains(steps('chkp').R8030vmSizeUiNGTX, 'DS'))]", + "defaultValue": "Standard", + "constraints": { + "allowedValues": [ + { + "label": "Standard", + "value": "Standard_LRS" + }, + { + "label": "Premium", + "value": "Premium_LRS" + } + ] + } + }, + { + "name": "useCustomImageUri", + "type": "Microsoft.Common.OptionsGroup", + "label": "Use development image uri", + "defaultValue": "No", + "toolTip": "Use custom image URI.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ], + "required": true + }, + "visible": false + }, + { + "name": "sourceImageVhdUri", + "type": "Microsoft.Common.TextBox", + "label": "Development Image URI", + "toolTip": "The URI of the blob containing the development image", + "constraints": { + "required": "[equals(steps('chkp').useCustomImageUri, 'Yes')]", + "regex": "^[a-z0-9A-Z_\\-\\.\\:\\/]{1,500}.vhd$", + "validationMessage": "Only alphanumeric characters and '_','-','.',':','/' are allowed, the value must be 1-500 characters long and must end with .vhd. 
" + }, + "visible": "[equals(steps('chkp').useCustomImageUri, 'Yes')]" + } + ] + }, + { + "name": "network", + "label": "Network settings", + "subLabel": { + "preValidation": "Configure network settings", + "postValidation": "Done" + }, + "bladeTitle": "Network settings", + "elements": [ + { + "name": "virtualNetwork", + "type": "Microsoft.Network.VirtualNetworkCombo", + "label": { + "virtualNetwork": "Virtual network", + "subnets": "Subnets" + }, + "toolTip": { + "virtualNetwork": "Virtual Network Name", + "subnets": "The subnets to deploy into" + }, + "defaultValue": { + "name": "vnet01", + "addressPrefixSize": "/16" + }, + "constraints": { + "minAddressPrefixSize": "/28" + }, + "options": { + "hideExisting": false + }, + "subnets": { + "subnet1": { + "label": "VMSS Frontend subnet", + "defaultValue": { + "name": "VMSS-Frontend", + "addressPrefixSize": "/24" + }, + "constraints": { + "minAddressPrefixSize": "/29", + "minAddressCount": "[steps('autoprovision').maxVmCount]", + "requireContiguousAddresses": false + } + }, + "subnet2": { + "label": "VMSS Backend subnet", + "defaultValue": { + "name": "VMSS-Backend", + "addressPrefixSize": "/24" + }, + "constraints": { + "minAddressPrefixSize": "/29", + "minAddressCount": "[steps('autoprovision').maxVmCount]", + "requireContiguousAddresses": false + } + } + } + } + ] + } + ], + "outputs": { + "location": "[location()]", + "authenticationType": "[basics('auth').authenticationType]", + "adminPassword": "[basics('auth').password]", + "sshPublicKey": "[basics('auth').sshPublicKey]", + "upgrading": "[steps('autoprovision').upgrading]", + "vmName": "[basics('gatewayScaleSetNameUi')]", + "instanceCount": "[steps('autoprovision').vmCount]", + "maxInstanceCount": "[steps('autoprovision').maxVmCount]", + "managementServer": "[steps('autoprovision').managementServer]", + "configurationTemplate": "[steps('autoprovision').configurationTemplate]", + "adminEmail": "[steps('autoprovision').adminEmail]", + "deploymentMode": 
"[steps('autoprovision').deploymentMode]", + "instanceLevelPublicIP": "[steps('autoprovision').instanceLevelPublicIP]", + "lbsTargetRGName": "[steps('autoprovision').lbsTargetRGName]", + "elbResourceId": "[steps('autoprovision').elbResourceId]", + "elbTargetBEAddressPoolName": "[steps('autoprovision').elbBEAddressPoolName]", + "ilbResourceId": "[steps('autoprovision').ilbResourceId]", + "ilbTargetBEAddressPoolName": "[steps('autoprovision').ilbBEAddressPoolName]", + "mgmtInterfaceOpt1": "[steps('autoprovision').mgmtInterfaceOpt1]", + "mgmtInterfaceOpt2": "[steps('autoprovision').mgmtInterfaceOpt2]", + "mgmtIPaddress": "[steps('autoprovision').mgmtIPaddress]", + "appLoadDistribution": "[steps('autoprovision').appLoadDistribution]", + "ilbLoadDistribution": "[steps('autoprovision').ilbLoadDistribution]", + "availabilityZonesNum": "[coalesce(steps('autoprovision').availabilityZonesNum, int('0'))]", + "customMetrics": "[steps('autoprovision').customMetrics]", + "cloudGuardVersion": "[concat(steps('chkp').cloudGuardVersion, ' - ', coalesce(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "vmSize": "[coalesce(steps('chkp').R8030vmSizeUiBYOL, steps('chkp').R8030vmSizeUiNGTP, steps('chkp').R8030vmSizeUiNGTX)]", + "sicKey": "[steps('chkp').sicKeyUi]", + "bootstrapScript": "[steps('chkp').bootstrapScript]", + "allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp').allowUploadDownload, 'true')]", + "diskType": "[coalesce(steps('chkp').VMDiskType, 'Standard_LRS')]", + "sourceImageVhdUri": "[coalesce(steps('chkp').sourceImageVhdUri, 'noCustomUri')]", + "virtualNetworkName": "[steps('network').virtualNetwork.name]", + "virtualNetworkAddressPrefixes": "[steps('network').virtualNetwork.addressPrefixes]", + "vnetNewOrExisting": "[steps('network').virtualNetwork.newOrExisting]", + "virtualNetworkExistingRGName": "[steps('network').virtualNetwork.resourceGroup]", + "subnet1Name": "[steps('network').virtualNetwork.subnets.subnet1.name]", + "subnet1Prefix": 
"[steps('network').virtualNetwork.subnets.subnet1.addressPrefix]", + "subnet2Name": "[steps('network').virtualNetwork.subnets.subnet2.name]", + "subnet2Prefix": "[steps('network').virtualNetwork.subnets.subnet2.addressPrefix]", + "subnet2StartAddress": "[steps('network').virtualNetwork.subnets.subnet2.startAddress]", + "floatingIP": "[steps('autoprovision').floatingIP]", + "IPv4Length": "[steps('autoprovision').IPv4Length]", + "publicIPPrefix": "[steps('autoprovision').publicIPPrefix]", + "createNewIPPrefix": "[steps('autoprovision').createNewIPPrefix]", + "ipPrefixExistingResourceId": "[steps('autoprovision').ipPrefixExistingResourceId]", + "adminShell": "[steps('chkp').adminShell]" + } + } +} \ No newline at end of file diff --git a/deprecated/azure/templates/R8030/vmss-r8030/mainTemplate.json b/deprecated/azure/templates/R8030/vmss-r8030/mainTemplate.json new file mode 100644 index 00000000..3f9f2c64 --- /dev/null +++ b/deprecated/azure/templates/R8030/vmss-r8030/mainTemplate.json 
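Review bot: The `regex` constraint on `lbsTargetRGName`, `elbResourceId`, `elbBEAddressPoolName`, `ilbResourceId` and `ilbBEAddressPoolName` is `"^[a-z0-9A-Z_\\-\\.\\/\\(\\)]"` with no quantifier and no `$` anchor, so it only checks the first character and accepts any trailing text, which contradicts each field's `validationMessage`. Anchoring and quantifying the pattern, e.g. `"regex": "^[a-z0-9A-Z_\\-\\.\\/\\(\\)]+$"`, makes the UI reject what the message says it rejects before the value reaches the deployment. The `ipPrefixExistingResourceId` regex `"^[a-z0-9A-Z -.:/n]{1,}$"` has the same message/pattern mismatch from the other direction: the unescaped ` -.` inside the class is presumably read as a range from space to period, which admits `!"#$%&'()*+,` as well, and the trailing `n` looks like a typo; `"regex": "^[a-z0-9A-Z \\-\\.\\:\\/]+$"` matches the stated intent. These are UI-side checks only, so the parameter definitions in mainTemplate.json (in the next hunk, which starts after this one) should not be assumed to have received validated input.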
@@ -0,0 +1,1026 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "subscriptionId": {
+ "type": "string",
+ "defaultValue": "[subscription().subscriptionId]",
+ "metadata": {
+ "description": "Subscription ID."
+ }
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "Deployment location"
+ },
+ "defaultValue": "[resourceGroup().location]"
+ },
+ "cloudGuardVersion": {
+ "type": "string",
+ "allowedValues": [
+ "R80.30 - Bring Your Own License",
+ "R80.30 - Pay As You Go (NGTP)",
+ "R80.30 - Pay As You Go (NGTX)"
+ ],
+ "defaultValue": "R80.30 - Bring Your Own License",
+ "metadata": {
+ "description": "Version of Check Point CloudGuard"
+ }
+ },
+ "instanceCount": {
+ "defaultValue": "2",
+ "type": "string",
+ "metadata": {
+ "description": "Number of VM instances"
+ }
+ },
+ "maxInstanceCount": {
+ "defaultValue": "10",
+ "type": "string",
+ "metadata": {
+ "description": "Maximum number of VM instances"
+ }
+ },
+ "managementServer": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the management server as it appears in the configuration file"
+ }
+ },
+ "configurationTemplate": {
+ "type": "string",
+ "metadata": {
+ "description": "A name of a template as it appears in the configuration file"
+ }
+ },
+ "adminEmail": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Email address to notify if there are any scaling operations"
+ }
+ },
+ "adminPassword": {
+ "type": "securestring",
+ "metadata": {
+ "description": "Administrator password"
+ },
+ "defaultValue": ""
+ },
+ "authenticationType": {
+ "type": "string",
+ "allowedValues": [
+ "password",
+ "sshPublicKey"
+ ],
+ "defaultValue": "password",
+ "metadata": {
+ "description": "Authentication type"
+ }
+ },
+ "sshPublicKey": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Administrator SSH public key"
+ }
+ 
}, + "vmName": { + "type": "string", + "metadata": { + "description": "Name of the Check Point Security Gateway scale set" + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_D3_v2", + "metadata": { + "description": "Size of the VM" + } + }, + "adminShell": { + "type": "string", + "defaultValue": "/etc/cli.sh", + "allowedValues": [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh" + ], + "metadata": { + "Description": "The default shell for the admin user" + } + }, + "sicKey": { + "type": "securestring", + "metadata": { + "description": "One time key for Secure Internal Communication" + } + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "[concat(resourceGroup().name, '-vnet')]" + }, + "upgrading": { + "type": "string", + "defaultValue": "no", + "allowedValues": [ + "no", + "yes" + ], + "metadata": { + "Description": "Indicates whether the user in upgrading the CloudGuard VMSS solution" + } + }, + "floatingIP": { + "type": "string", + "defaultValue": "no", + "allowedValues": [ + "no", + "yes" + ], + "metadata": { + "description": "Deploy the Load Balancers with floating IP" + } + }, + "instanceLevelPublicIP": { + "type": "string", + "allowedValues": [ + "no", + "yes" + ], + "defaultValue": "no", + "metadata": { + "description": "Deploy the VMSS with instance level Public IP address" + } + }, + "publicIPPrefix": { + "type": "string", + "defaultValue": "no", + "allowedValues": [ + "no", + "yes" + ], + "metadata": { + "description": "Use public IP prefix." + } + }, + "createNewIPPrefix": { + "type": "string", + "defaultValue": "no", + "allowedValues": [ + "no", + "yes" + ], + "metadata": { + "description": "Create new IP prefix or use an existing one." 
+ } + }, + "IPv4Length": { + "type": "string", + "defaultValue": "/31 (2 addresses)", + "allowedValues": [ + "/28 (16 addresses)", + "/29 (8 addresses)", + "/30 (4 addresses)", + "/31 (2 addresses)" + ], + "metadata": { + "description": "Choose the IP prefix length for IP v4." + } + }, + "ipPrefixExistingResourceId": { + "type": "string", + "metadata": { + "description": "The resource id of the existing IP prefix." + }, + "defaultValue": "" + }, + "lbsTargetRGName": { + "type": "string", + "metadata": { + "description": "The name of the Target Load Balancers Resource Group." + }, + "defaultValue": "" + }, + "elbResourceId": { + "type": "string", + "metadata": { + "description": "The Resource ID of the Target External Load Balancer." + }, + "defaultValue": "" + }, + "elbTargetBEAddressPoolName": { + "type": "string", + "metadata": { + "description": "The name of the new Target External Load Balancer's Backend Pool." + }, + "defaultValue": "" + }, + "ilbResourceId": { + "type": "string", + "metadata": { + "description": "The Resource ID of the Target Internal Load Balancer." + }, + "defaultValue": "" + }, + "ilbTargetBEAddressPoolName": { + "type": "string", + "metadata": { + "description": "The name of the new Target Internal Load Balancer's Backend Pool." 
+ }, + "defaultValue": "" + }, + "virtualNetworkAddressPrefixes": { + "type": "array", + "metadata": { + "description": "The address prefixes of the virtual network" + }, + "defaultValue": [ + "10.0.0.0/16" + ] + }, + "subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the frontend subnet" + }, + "defaultValue": "Frontend" + }, + "subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the frontend subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "subnet2Name": { + "type": "string", + "metadata": { + "description": "The name of the backend subnet" + }, + "defaultValue": "Backend" + }, + "subnet2Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the backend subnet" + }, + "defaultValue": "10.0.2.0/24" + }, + "subnet2StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the 2nd subnet" + }, + "defaultValue": "10.0.2.4" + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "new", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "[resourceGroup().name]" + }, + "bootstrapScript": { + "type": "string", + "metadata": { + "description": "Bootstrap script" + }, + "defaultValue": "" + }, + "allowDownloadFromUploadToCheckPoint": { + "type": "string", + "allowedValues": [ + "true", + "false" + ], + "defaultValue": "true", + "metadata": { + "description": "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point" + } + }, + "mgmtInterfaceOpt1": { + "type": "string", + "allowedValues": [ + "eth0-public", + "eth0-private", + "eth1-private" + ], + "defaultValue": "eth1-private", + "metadata": { + "description": "Manage the Gateways in the Scale Set via the instance's external (eth0) or internal (eth1) NIC's private IP address." + } + }, + "mgmtInterfaceOpt2": { + "type": "string", + "allowedValues": [ + "eth0-private", + "eth1-private" + ], + "defaultValue": "eth1-private", + "metadata": { + "description": "Manage the Gateways in the Scale Set via the instance's external (eth0) or internal (eth1) NIC's private IP address." + } + }, + "mgmtIPaddress": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "The IP address used to manage the VMSS instances." + } + }, + "diskType": { + "type": "string", + "defaultValue": "Standard_LRS", + "metadata": { + "description": "The type of the OS disk. Premium is applicable only to DS machine sizes" + }, + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ] + }, + "appLoadDistribution": { + "type": "string", + "allowedValues": [ + "Default", + "SourceIP", + "SourceIPProtocol" + ], + "defaultValue": "Default", + "metadata": { + "description": "The External Load Balancer distribution method" + } + }, + "ilbLoadDistribution": { + "type": "string", + "allowedValues": [ + "Default", + "SourceIP", + "SourceIPProtocol" + ], + "defaultValue": "Default", + "metadata": { + "description": "The Internal Load Balancer distribution method" + } + }, + "deploymentMode": { + "type": "string", + "allowedValues": [ + "Standard", + "ILBOnly", + "ELBOnly" + ], + "defaultValue": "Standard", + "metadata": { + "description": "Solution deployment architecture." 
+ } + }, + "sourceImageVhdUri": { + "type": "string", + "defaultValue": "noCustomUri", + "metadata": { + "description": "The URI of the blob containing the development image" + } + }, + "availabilityZonesNum": { + "type": "int", + "allowedValues": [ + 0, + 1, + 2, + 3 + ], + "defaultValue": 0, + "metadata": { + "description": "The number of availability zones" + } + }, + "_artifactsLocation": { + "type": "string", + "metadata": { + "description": "Use the following URI when deploying a custom template: https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/" + }, + "defaultValue": "[deployment().properties.templateLink.uri]" + }, + "_artifactsLocationSasToken": { + "type": "securestring", + "metadata": { + "description": "The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. Use the defaultValue if the staging location is not secured." + }, + "defaultValue": "" + }, + "customMetrics": { + "type": "string", + "allowedValues": [ + "no", + "yes" + ], + "defaultValue": "yes", + "metadata": { + "Description": "Indicates whether Custom Metrics will be used for VMSS Scaling policy and VM monitoring" + } + }, + "rbacGuid": { + "type": "string", + "defaultValue": "[newGuid()]" + } + }, + "variables": { + "resourceGroup": "[resourceGroup()]", + "resourceGroupName": "[resourceGroup().name]", + "templateName": "vmss-v2", + "templateVersion": "20220512", + "location": "[parameters('location')]", + "offers": { + "R80.30 - Bring Your Own License": "BYOL", + "R80.30 - Pay As You Go (NGTP)": "NGTP-V2", + "R80.30 - Pay As You Go (NGTX)": "NGTX-V2" + }, + "offer": "[variables('offers')[parameters('cloudGuardVersion')]]", + "osVersions": { + "R80.30 - Bring Your Own License": "R8030", + "R80.30 - Pay As You Go (NGTP)": "R8030", + "R80.30 - Pay As You Go (NGTX)": "R8030" + }, + "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", + 
"adminUsername": "notused", + "isBlink": true, + "subnet2Name": "[parameters('subnet2Name')]", + "storageAccountName": "[concat('bootdiag', uniqueString(variables('resourceGroup').id, deployment().name))]", + "storageAccountType": "Standard_LRS", + "enableFloatingIP": "[equals(parameters('floatingIP'), 'yes')]", + "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'customMetrics=\"', variables('customMetrics'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n')]", + "imageOffer": "[concat('check-point-cg-', toLower(variables('osVersion')))]", + "imagePublisher": "checkpoint", + "imageReferenceBYOL": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-byol", + "version": "latest" + }, + "imageReferenceNGTP": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp", + "version": "latest" + }, + "imageReferenceNGTP-V2": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp-v2", + "version": "latest" + }, + "imageReferenceNGTX": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtx", + "version": "latest" + }, + "imageReferenceNGTX-V2": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtx-v2", + "version": "latest" + }, + "imageReferenceMarketplace": 
"[if(equals(variables('offer'), 'BYOL'), variables('imageReferenceBYOL'), if(equals(variables('offer'), 'NGTP'), variables('imageReferenceNGTP'), if(equals(variables('offer'), 'NGTP-V2'), variables('imageReferenceNGTP-V2'), if(equals(variables('offer'), 'NGTX'), variables('imageReferenceNGTX'), if(equals(variables('offer'), 'NGTX-V2'), variables('imageReferenceNGTX-V2'), json('null'))))))]", + "customImage": "customImage", + "imageReferenceCustomUri": { + "id": "[resourceId('Microsoft.Compute/images', variables('customImage'))]" + }, + "imageReference": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('imageReferenceMarketplace'), variables('imageReferenceCustomUri'))]", + "linuxConfigurationpassword": { + "disablePasswordAuthentication": "false" + }, + "linuxConfigurationsshPublicKey": { + "disablePasswordAuthentication": "true", + "ssh": { + "publicKeys": [ + { + "keyData": "[parameters('sshPublicKey')]", + "path": "/home/notused/.ssh/authorized_keys" + } + ] + } + }, + "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), variables('linuxConfigurationpassword'), variables('linuxConfigurationsshPublicKey'))]", + "planBYOL": { + "name": "sg-byol", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP": { + "name": "sg-ngtp", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP-V2": { + "name": "sg-ngtp-v2", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTX": { + "name": "sg-ngtx", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTX-V2": { + "name": "sg-ngtx-v2", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "plan": "[if(equals(variables('offer'), 'BYOL') , variables('planBYOL'), if(equals(variables('offer'), 'NGTP'), variables('planNGTP'), 
if(equals(variables('offer'), 'NGTP-V2'), variables('planNGTP-V2'), if(equals(variables('offer'), 'NGTX'), variables('planNGTX'), if(equals(variables('offer'), 'NGTX-V2'), variables('planNGTX-V2'), json('null'))))))]", + "vmssID": "[resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('vmName'))]", + "bootstrapScript64": "[base64(parameters('bootstrapScript'))]", + "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]", + "sicKey": "[parameters('sicKey')]", + "installationType": "vmss", + "upgrading": "[equals(parameters('upgrading'), 'yes')]", + "networkSetupURL": "[uri(parameters('_artifactsLocation'), concat('nestedtemplates/vnet-2-subnet-ha-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]", + "loadBalacerSetupURL": "[uri(parameters('_artifactsLocation'), concat('nestedtemplates/load-balancers.json', parameters('_artifactsLocationSasToken')))]", + "lbsTargetRGName": "[parameters('lbsTargetRGName')]", + "lbRGName": "[if(variables('upgrading'), variables('lbsTargetRGName'), resourceGroup().name)]", + "loadBalancerSetupId": "[resourceId(variables('lbRGName'), 'Microsoft.Resources/deployments', 'loadBalancerSetup')]", + "deployNewVnet": "[equals(parameters('vnetNewOrExisting'), 'new')]", + "vnetRGName": "[if(variables('deployNewVnet'), variables('resourceGroupName'), parameters('virtualNetworkExistingRGName'))]", + "vnetID": "[if(variables('deployNewVnet'), resourceId(variables('vnetRGName'), 'Microsoft.Resources/deployments', 'networkNewSetup'), resourceId(variables('vnetRGName'), 'Microsoft.Resources/deployments', 'networkExistingSetup'))]", + "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]", + "customImageId": "[variables('imageReferenceCustomUri').id]", + "availabilityZonesLocations": [ + "australiaeast", + "brazilsouth", + "canadacentral", + "centralus", + "eastasia", + "eastus", + "eastus2", + "francecentral", + 
"germanywestcentral", + "japaneast", + "koreacentral", + "northeurope", + "norwayeast", + "southafricanorth", + "southcentralus", + "southeastasia", + "swedencentral", + "uksouth", + "usgovvirginia", + "westeurope", + "westus2", + "westus3" + ], + "availabilityZonesProperty": "[range(1, parameters('availabilityZonesNum'))]", + "mgmtInterface": "[if(equals(parameters('instanceLevelPublicIP'), 'yes'), parameters('mgmtInterfaceOpt1'), parameters('mgmtInterfaceOpt2'))]", + "mgmtIpAddressType": "[split(variables('mgmtInterface'), '-')[1]]", + "mgmtInterfaceName": "[split(variables('mgmtInterface'), '-')[0]]", + "mgmtIPaddress": "[if(equals(variables('mgmtInterfaceName'), 'eth0'), parameters('mgmtIPaddress'), '')]", + "commomTags": { + "x-chkp-management": "[parameters('managementServer')]", + "x-chkp-template": "[parameters('configurationTemplate')]", + "x-chkp-ip-address": "[variables('mgmtIpAddressType')]", + "x-chkp-management-interface": "[variables('mgmtInterfaceName')]", + "x-chkp-topology": "eth0:external,eth1:internal", + "x-chkp-anti-spoofing": "eth0:false,eth1:false", + "x-chkp-srcImageUri": "[parameters('sourceImageVhdUri')]" + }, + "uniqueTags": { + "x-chkp-management-address": "[variables('mgmtIPaddress')]" + }, + "vmssTags": "[if(equals(variables('mgmtIPaddress'), ''), variables('commomTags'), union(variables('commomTags'), variables('uniqueTags')))]", + "numberOfRecordSetEntries": "20", + "customMetrics": "[parameters('customMetrics')]", + "monitoringMetricsPublisher": "[concat('/subscriptions/', parameters('subscriptionId'), '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", + "identity": "[json('{\"type\": \"SystemAssigned\"}')]", + "IPv4Lengths": { + "/28 (16 addresses)": "28", + "/29 (8 addresses)": "29", + "/30 (4 addresses)": "30", + "/31 (2 addresses)": "31" + }, + "ipPrefixNewName": "[concat(parameters('vmName'), '-ipprefix')]", + "ipPrefixExistingResourceId": "[if(equals(parameters('publicIPPrefix'), 
'yes'), parameters('ipPrefixExistingResourceId'), json('null'))]", + "ipPrefixId": "[resourceId('Microsoft.Network/publicipprefixes',variables('ipPrefixNewName'))]", + "publicIPPrefixId": "[if(equals(parameters('publicIPPrefix'), 'yes'), variables('ipPrefixId'), json('null'))]", + "usePublicIPPrefix": "[if(equals(parameters('createNewIPPrefix'),'yes'), variables('publicIPPrefixId'), variables('ipPrefixExistingResourceId'))]", + "publicIPPropertiesWithPrefix": { + "name": "instancePublicIP", + "properties": { + "idleTimeoutInMinutes": 15, + "PublicIpPrefix": { + "Id": "[if(equals(parameters('publicIPPrefix'), 'yes'), variables('usePublicIPPrefix'), json('null'))]" + } + } + }, + "publicIPPropertiesWithoutPrefix": { + "name": "instancePublicIP", + "properties": { + "idleTimeoutInMinutes": 15 + } + }, + "publicIPPrefixLength": "[variables('IPv4Lengths')[parameters('IPv4Length')]]", + "useIpPrefix": "[if(equals(parameters('publicIPPrefix'), 'yes'), variables('publicIPPropertiesWithPrefix'), variables('publicIPPropertiesWithoutPrefix'))]" + }, + "resources": [ + { + "condition": "[and(equals(parameters('createNewIPPrefix'), 'yes'), equals(parameters('publicIPPrefix'), 'yes'))]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Network/publicipprefixes", + "name": "[variables('ipPrefixNewName')]", + "location": "[variables('location')]", + "properties": { + "prefixLength": "[variables('publicIPPrefixLength')]", + "publicIPAddressVersion": "IPv4" + }, + "sku": { + "name": "Standard", + "tier": "Regional" + } + }, + { + "apiVersion": "2020-06-01", + "name": "pid-6f13b00a-7546-4ab2-be9f-c66815cc6c8b-partnercenter", + "type": "Microsoft.Resources/deployments", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "condition": "[equals(variables('customMetrics'), 'yes')]", + "apiVersion": 
"2020-04-01-preview", + "type": "Microsoft.Authorization/roleAssignments", + "name": "[parameters('rbacGuid')]", + "properties": { + "roleDefinitionId": "[variables('monitoringMetricsPublisher')]", + "principalId": "[reference(variables('vmssID'), '2021-07-01', 'Full').identity.principalId]", + "scope": "[resourceGroup().id]" + }, + "dependsOn": [ + "[variables('vmssID')]" + ] + }, + { + "condition": "[equals(parameters('vnetNewOrExisting'), 'new')]", + "name": "networkNewSetup", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "resourceGroup": "[variables('vnetRGName')]", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + "value": "[variables('location')]" + }, + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + "virtualNetworkAddressPrefixes": { + "value": "[parameters('virtualNetworkAddressPrefixes')]" + }, + "subnet1Name": { + "value": "[parameters('subnet1Name')]" + }, + "subnet1Prefix": { + "value": "[parameters('subnet1Prefix')]" + }, + "subnet2Name": { + "value": "[parameters('subnet2Name')]" + }, + "subnet2Prefix": { + "value": "[parameters('subnet2Prefix')]" + }, + "vmName": { + "value": "[parameters('vmName')]" + }, + "deployNsg": { + "value": true + } + } + } + }, + { + "condition": "[equals(parameters('vnetNewOrExisting'), 'existing')]", + "name": "networkExistingSetup", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "resourceGroup": "[variables('vnetRGName')]", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + "value": "[variables('location')]" + }, + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + "virtualNetworkExistingRGName": { + "value": "[variables('vnetRGName')]" + }, + "vmName": 
{ + "value": "[parameters('vmName')]" + }, + "deployNsg": { + "value": false + } + } + } + }, + { + "name": "loadBalancerSetup", + "type": "Microsoft.Resources/deployments", + "resourceGroup": "[variables('lbRGName')]", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[variables('vnetID')]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('loadBalacerSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "deploymentMode": { + "value": "[parameters('deploymentMode')]" + }, + "location": { + "value": "[variables('location')]" + }, + "vmName": { + "value": "[parameters('vmName')]" + }, + "appLoadDistribution": { + "value": "[parameters('appLoadDistribution')]" + }, + "subnet2StartAddress": { + "value": "[parameters('subnet2StartAddress')]" + }, + "subnet2Id": { + "value": "[resourceId(variables('vnetRGName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), variables('subnet2Name'))]" + }, + "ilbLoadDistribution": { + "value": "[parameters('ilbLoadDistribution')]" + }, + "elbResourceId": { + "value": "[parameters('elbResourceId')]" + }, + "elbTargetBEAddressPoolName": { + "value": "[parameters('elbTargetBEAddressPoolName')]" + }, + "ilbResourceId": { + "value": "[parameters('ilbResourceId')]" + }, + "ilbTargetBEAddressPoolName": { + "value": "[parameters('ilbTargetBEAddressPoolName')]" + }, + "upgrading": { + "value": "[variables('upgrading')]" + }, + "floatingIp": { + "value": "[variables('enableFloatingIP')]" + } + } + } + }, + { + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('storageAccountName')]", + "apiVersion": "2021-04-01", + "properties": { + "supportsHttpsTrafficOnly": true, + "allowBlobPublicAccess": false, + "minimumTlsVersion": "TLS1_2" + }, + "location": "[variables('location')]", + "sku": { + "name": "[variables('storageAccountType')]" + }, + "kind": "Storage" + }, + { + "condition": "[not(equals(parameters('sourceImageVhdUri'), 'noCustomUri'))]", 
+ "type": "Microsoft.Compute/images", + "apiVersion": "2020-06-01", + "name": "[variables('customImage')]", + "location": "[variables('resourceGroup').location]", + "properties": { + "storageProfile": { + "osDisk": { + "osType": "Linux", + "osState": "Generalized", + "blobUri": "[parameters('sourceImageVhdUri')]", + "storageAccountType": "Standard_LRS" + } + }, + "hyperVGeneration": "V1" + } + }, + { + "type": "Microsoft.Compute/virtualMachineScaleSets", + "apiVersion": "2021-07-01", + "name": "[parameters('vmName')]", + "location": "[variables('location')]", + "identity": "[if(equals(variables('customMetrics'), 'yes'), variables('identity'), json('null'))]", + "zones": "[if(and(contains(variables('availabilityZonesLocations'), variables('location')), greater(parameters('availabilityZonesNum'), 0)), variables('availabilityZonesProperty'), json('null'))]", + "tags": "[variables('vmssTags')]", + "dependsOn": [ + "[variables('vnetID')]", + "[variables('loadBalancerSetupId')]", + "[variables('storageAccountId')]", + "[variables('customImageId')]" + ], + "sku": { + "name": "[parameters('vmSize')]", + "tier": "Standard", + "capacity": "[parameters('instanceCount')]" + }, + "plan": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('plan'), json('null'))]", + "properties": { + "upgradePolicy": { + "mode": "Manual" + }, + "virtualMachineProfile": { + "storageProfile": { + "osDisk": { + "caching": "ReadWrite", + "createOption": "FromImage", + "managedDisk": { + "storageAccountType": "[parameters('diskType')]" + } + }, + "imageReference": "[variables('imageReference')]" + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "[variables('adminUsername')]", + "computerNamePrefix": "[toLower(parameters('vmName'))]", + "customData": "[base64(concat(variables('customData'), '\n', 'vnet=\"', if(equals(parameters('vnetNewOrExisting'), 'new'), reference('networkNewSetup').outputs.vnetAddressPrefixes.value[0], 
reference('networkExistingSetup').outputs.vnetAddressPrefixes.value[0]), '\"', '\n' ))]", + "linuxConfiguration": "[variables('linuxConfiguration')]" + }, + "networkProfile": { + "networkInterfaceConfigurations": [ + { + "name": "eth0", + "properties": { + "primary": true, + "enableIPForwarding": false, + "enableAcceleratedNetworking": "[not(equals(variables('osVersion'), 'R8010'))]", + "networkSecurityGroup": "[if(equals(parameters('vnetNewOrExisting'), 'new'), reference('networkNewSetup').outputs.nsgProperties.value, reference('networkExistingSetup').outputs.nsgProperties.value)]", + "ipConfigurations": [ + { + "name": "ipconfig1", + "properties": { + "publicIpAddressConfiguration": "[if(equals(parameters('instanceLevelPublicIP'),'yes'), variables('useIpPrefix'), json('null'))]", + "subnet": { + "id": "[resourceId(variables('vnetRGName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('Subnet1Name'))]" + }, + "loadBalancerBackendAddressPools": "[if(empty(reference('loadBalancerSetup').outputs.elbId.value), json('null'), reference('loadBalancerSetup').outputs.elbBEAddressPoolProperties.value)]" + } + } + ] + } + }, + { + "name": "eth1", + "properties": { + "primary": false, + "enableIPForwarding": true, + "enableAcceleratedNetworking": "[not(equals(variables('osVersion'), 'R8010'))]", + "ipConfigurations": [ + { + "name": "ipconfig2", + "properties": { + "subnet": { + "id": "[resourceId(variables('vnetRGName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('Subnet2Name'))]" + }, + "loadBalancerBackendAddressPools": "[if(empty(reference('loadBalancerSetup').outputs.ilbId.value), json('null'), reference('loadBalancerSetup').outputs.ilbBEAddressPoolProperties.value)]" + } + } + ] + } + } + ] + }, + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": "true", + "storageUri": "[reference(variables('storageAccountId'), '2021-04-01').primaryEndpoints.blob]" + } + } + }, + 
"overprovision": false + } + }, + { + "type": "Microsoft.Insights/autoscaleSettings", + "apiVersion": "2015-04-01", + "name": "[parameters('vmName')]", + "location": "[variables('location')]", + "dependsOn": [ + "[variables('vmssID')]" + ], + "properties": { + "name": "[parameters('vmName')]", + "targetResourceUri": "[variables('vmssID')]", + "notifications": [ + { + "operation": "Scale", + "email": { + "sendToSubscriptionAdministrator": false, + "sendToSubscriptionCoAdministrators": false, + "customEmails": "[if(empty(parameters('adminEmail')), json('null'), array(parameters('adminEmail')))]" + } + } + ], + "enabled": true, + "profiles": [ + { + "name": "Profile1", + "capacity": { + "minimum": "[parameters('instanceCount')]", + "maximum": "[parameters('maxInstanceCount')]", + "default": "[parameters('instanceCount')]" + }, + "rules": [ + { + "metricTrigger": { + "metricName": "Percentage CPU", + "metricResourceUri": "[variables('vmssID')]", + "timeGrain": "PT1M", + "statistic": "Average", + "timeWindow": "PT5M", + "timeAggregation": "Average", + "operator": "GreaterThan", + "threshold": 80 + }, + "scaleAction": { + "direction": "Increase", + "type": "ChangeCount", + "value": "1", + "cooldown": "PT5M" + } + }, + { + "metricTrigger": { + "metricName": "Percentage CPU", + "metricResourceUri": "[variables('vmssID')]", + "timeGrain": "PT1M", + "statistic": "Average", + "timeWindow": "PT5M", + "timeAggregation": "Average", + "operator": "LessThan", + "threshold": 60 + }, + "scaleAction": { + "direction": "Decrease", + "type": "ChangeCount", + "value": "1", + "cooldown": "PT5M" + } + } + ] + } + ] + } + } + ], + "outputs": { + "ApplicationAddress": { + "type": "string", + "value": "[reference('loadBalancerSetup').outputs.ApplicationAddress.value]" + }, + "ApplicationFQDN": { + "type": "string", + "value": "[reference('loadBalancerSetup').outputs.ApplicationFQDN.value]" + } + } +} 
diff --git a/deprecated/azure/templates/R8030/vmss-r8030/nestedtemplates/load-balancers.json b/deprecated/azure/templates/R8030/vmss-r8030/nestedtemplates/load-balancers.json
new file mode 100644
index 00000000..ada64a6a
--- /dev/null
+++ b/deprecated/azure/templates/R8030/vmss-r8030/nestedtemplates/load-balancers.json
@@ -0,0 +1,252 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "deploymentMode": { + "type": "string" + }, + "location": { + "type": "string" + }, + "vmName": { + "type": "string" + }, + "appLoadDistribution": { + "type": "string" + }, + "Subnet2StartAddress": { + "type": "string" + }, + "subnet2Id": { + "type": "string" + }, + "floatingIP": { + "type": "bool" + }, + "ilbLoadDistribution": { + "type": "string" + }, + "upgrading": { + "type": "bool" + }, + "elbResourceId": { + "type": "string" + }, + "elbTargetBEAddressPoolName": { + "type": "string" + }, + "ilbResourceId": { + "type": "string" + }, + "ilbTargetBEAddressPoolName": { + "type": "string" + } + }, + "variables": { + "resourceGroup": "[resourceGroup()]", + "deployELB": "[or(equals(parameters('deploymentMode'),'Standard'), equals(parameters('deploymentMode'),'ELBOnly'))]", + "deployILB": "[or(equals(parameters('deploymentMode'),'Standard'), equals(parameters('deploymentMode'),'ILBOnly'))]", + "appName": "[concat(parameters('vmName'), '-app-1')]", + "appAddressName": "[variables('appName')]", + "appAddressId": "[resourceId(variables('resourceGroup').name, 'Microsoft.Network/publicIPAddresses/', variables('appAddressName'))]", + "appFEName": "[variables('appName')]", + "elbName": "frontend-lb", + "elbID": "[if(parameters('upgrading'), parameters('elBResourceId'), resourceId('Microsoft.Network/loadBalancers', variables('elbName')))]", + "elbBEAddressPool": "[concat(variables('elbName'), '-pool')]", + "elbBEAddressPoolName": "[if(parameters('upgrading'), parameters('elbTargetBEAddressPoolName'), variables('elbBEAddressPool'))]", + "appProbeName": "[variables('appName')]", + "appFrontEndProtocol": "tcp", + "appFrontEndPort": 80, + "appBackEndPort": 8081, + "appHealthProtocol": "tcp", + "ilbHealthProtocol": "tcp", + "lbHealthPort": 8117, + "ilbName": "['backend-lb']", + "ilbID": "[if(parameters('upgrading'), 
parameters('ilbResourceId'), resourceId('Microsoft.Network/loadBalancers', variables('ilbName')))]", + "ilbBEAddressPool": "[concat(variables('ilbName'), '-pool')]", + "internalLBPrivateIPAddress": "[parameters('Subnet2StartAddress')]", + "ilbBEAddressPoolName": "[if(parameters('upgrading'), parameters('ilbTargetBEAddressPoolName'), variables('ilbBEAddressPool'))]", + "ilbProbeName": "[variables('ilbName')]", + "ilbBEAddressPoolProperties": [ + { + "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', variables('ilbName'), variables('ilbBEAddressPoolName'))]" + } + ], + "elbBEAddressPoolProperties": [ + { + "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', variables('elbName'), variables('elbBEAddressPoolName'))]" + } + ] + }, + "resources": [ + { + "type": "Microsoft.Network/publicIPAddresses", + "condition": "[and(variables('deployELB'), not(parameters('upgrading')))]", + "apiVersion": "2020-06-01", + "location": "[parameters('location')]", + "name": "[variables('appAddressName')]", + "sku": { + "name": "Standard" + }, + "properties": { + "publicIPAllocationMethod": "Static", + "dnsSettings": { + "domainNameLabel": "[concat(toLower(parameters('vmName')), '-', uniquestring(variables('resourceGroup').id, deployment().name))]" + } + } + }, + { + "type": "Microsoft.Network/loadBalancers", + "condition": "[and(variables('deployELB'), not(parameters('upgrading')))]", + "apiVersion": "2020-06-01", + "name": "[variables('elbName')]", + "location": "[parameters('location')]", + "sku": { + "name": "Standard" + }, + "dependsOn": [ + "[variables('appAddressId')]" + ], + "properties": { + "frontendIPConfigurations": [ + { + "name": "[variables('appFEName')]", + "properties": { + "publicIPAddress": { + "id": "[resourceId(variables('resourceGroup').name, 'Microsoft.Network/publicIPAddresses/', variables('appAddressName'))]" + } + } + } + ], + "backendAddressPools": [ + { + "name": "[variables('elbBEAddressPool')]" + } + ], + 
"loadBalancingRules": [ + { + "name": "[variables('appName')]", + "properties": { + "frontendIPConfiguration": { + "id": "[resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', variables('elbName'), variables('appFEName'))]" + }, + "backendAddressPool": { + "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', variables('elbName'), variables('elbBEAddressPoolName'))]" + }, + "probe": { + "id": "[resourceId('Microsoft.Network/loadBalancers/probes', variables('elbName'), variables('appProbeName'))]" + }, + "protocol": "[variables('appFrontEndProtocol')]", + "frontendPort": "[variables('appFrontEndPort')]", + "backendPort": "[variables('appBackEndPort')]", + "enableFloatingIP": "[parameters('floatingIP')]", + "loadDistribution": "[parameters('appLoadDistribution')]" + } + } + ], + "probes": [ + { + "name": "[variables('appProbeName')]", + "properties": { + "protocol": "[variables('appHealthProtocol')]", + "port": "[variables('lbHealthPort')]", + "intervalInSeconds": "5", + "numberOfProbes": "2" + } + } + ] + } + }, + { + "type": "Microsoft.Network/loadBalancers", + "condition": "[and(variables('deployILB'), not(parameters('upgrading')))]", + "apiVersion": "2020-06-01", + "name": "[variables('ilbName')]", + "location": "[parameters('location')]", + "sku": { + "name": "Standard" + }, + "properties": { + "frontendIPConfigurations": [ + { + "name": "[variables('ilbName')]", + "properties": { + "privateIPAllocationMethod": "Static", + "privateIPAddress": "[variables('internalLBPrivateIPAddress')]", + "subnet": { + "id": "[parameters('subnet2ID')]" + } + } + } + ], + "backendAddressPools": [ + { + "name": "[variables('ilbBEAddressPool')]" + } + ], + "loadBalancingRules": [ + { + "name": "[variables('ilbName')]", + "properties": { + "frontendIPConfiguration": { + "id": "[resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', variables('ilbName'), variables('ilbName'))]" + }, + "backendAddressPool": { + "id": 
"[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', variables('ilbName'), variables('ilbBEAddressPoolName'))]" + }, + "probe": { + "id": "[resourceId('Microsoft.Network/loadBalancers/probes', variables('ilbName'), variables('ilbProbeName'))]" + }, + "protocol": "All", + "frontendPort": 0, + "backendPort": 0, + "loadDistribution": "[parameters('ilbLoadDistribution')]", + "enableFloatingIP": "[parameters('floatingIP')]" + } + } + ], + "probes": [ + { + "name": "[variables('ilbProbeName')]", + "properties": { + "protocol": "[variables('ilbHealthProtocol')]", + "port": "[variables('lbHealthPort')]", + "intervalInSeconds": "5", + "numberOfProbes": "2" + } + } + ] + } + } + ], + "outputs": { + "appAddressId": { + "value": "[if(and(variables('deployELB'), not(parameters('upgrading'))), resourceId('Microsoft.Network/publicIPAddresses', variables('appAddressName')), '')]", + "type": "string" + }, + "elbId": { + "value": "[if(variables('deployELB'), variables('elbId'), '')]", + "type": "string" + }, + "ilbId": { + "value": "[if(variables('deployILB'), variables('ilbId'), '')]", + "type": "string" + }, + "ilbBEAddressPoolProperties": { + "value": "[variables('ilbBEAddressPoolProperties')]", + "type": "array" + }, + "elbBEAddressPoolProperties": { + "value": "[variables('elbBEAddressPoolProperties')]", + "type": "array" + }, + "ApplicationAddress": { + "value": "[if(and(variables('deployELB'), not(parameters('upgrading'))), reference(variables('appAddressId'), '2018-11-01').IpAddress, 'no public ip')]", + "type": "string" + }, + "ApplicationFQDN": { + "value": "[if(and(variables('deployELB'), not(parameters('upgrading'))), reference(variables('appAddressId'), '2018-11-01').dnsSettings.fqdn, 'no public ip')]", + "type": "string" + } + } +} \ No newline at end of file 
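Review bot: The variable `"ilbName": "['backend-lb']"` wraps a plain literal in an ARM expression that evaluates to the same string as `"ilbName": "backend-lb"`, and it is inconsistent with `"elbName": "frontend-lb"` a few lines above; the plain form is clearer. The same hunk references `parameters('elBResourceId')`, `parameters('subnet2ID')` and `variables('elbId')` with casing that differs from the declared `elbResourceId`, `subnet2Id` and `elbID`; ARM resolves these case-insensitively so they work, but matching the declared spelling keeps the template greppable. None of the parameters carry a `metadata.description`, unlike the sibling vnet templates; a one-line description on `deploymentMode` (the `deployELB`/`deployILB` variables show it is expected to be `Standard`, `ELBOnly` or `ILBOnly`) and on `upgrading` would help consumers of this nested template.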
diff --git a/deprecated/azure/templates/R8030/vmss-r8030/nestedtemplates/vnet-2-subnet-ha-existing.json b/deprecated/azure/templates/R8030/vmss-r8030/nestedtemplates/vnet-2-subnet-ha-existing.json
new file mode 100644
index 00000000..ef49724a
--- /dev/null
+++ b/deprecated/azure/templates/R8030/vmss-r8030/nestedtemplates/vnet-2-subnet-ha-existing.json
@@ -0,0 +1,78 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "virtualNetworkName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the virtual network"
+ },
+ "defaultValue": "vnet"
+ },
+ "virtualNetworkExistingRGName": {
+ "type": "string",
+ "metadata": {
+ "description": "Resource Group of the existing virtual network"
+ },
+ "defaultValue": ""
+ },
+ "vmName": {
+ "type": "string"
+ },
+ "deployNsg": {
+ "type": "bool",
+ "defaultValue": false
+ }
+ },
+ "variables": {
+ "vnetId": "[resourceId(parameters('virtualNetworkExistingRGName'),'Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]",
+ "nsgName": "[concat(parameters('vmName'), '-nsg')]",
+ "nsgProperties": {
+ "id": "[resourceId(parameters('virtualNetworkExistingRGName'),'Microsoft.Network/networkSecurityGroups', variables('nsgName'))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Network/networkSecurityGroups",
+ "condition": "[parameters('deployNsg')]",
+ "apiVersion": "2020-06-01",
+ "location": "[parameters('location')]",
+ "name": "[variables('nsgName')]",
+ "properties": {
+ "securityRules": [
+ {
+ "name": "AllowAllInBound",
+ "properties": {
+ "description": "Allow all inbound connections",
+ "protocol": "*",
+ "sourcePortRange": "*",
+ "destinationPortRange": "*",
+ "sourceAddressPrefix": "*",
+ "destinationAddressPrefix": "*",
+ "access": "Allow",
+ "priority": "100",
+ "direction": "Inbound"
+ }
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {
+ "vnetId": {
+ "value": "[variables('vnetId')]",
+ "type": "string"
+ },
+ "vnetAddressPrefixes": {
+ "value": "[reference(variables('vnetId'),'2018-11-01').addressSpace.addressPrefixes]",
+ "type": "array"
+ },
+ "nsgProperties": {
+ "value": "[variables('nsgProperties')]",
+ "type": "object"
+ }
+ }
+}
\ No newline at end of file
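Review bot: The `nsgProperties.id` variable builds the NSG resource ID inside `parameters('virtualNetworkExistingRGName')`, but the `Microsoft.Network/networkSecurityGroups` resource in this hunk has no resource-group override and is therefore created in the deployment's own resource group, so when the existing VNet lives in a different resource group the output ID points at an NSG that does not exist there. The sibling vnet-2-subnet-ha-new.json already uses the deployment-scoped form, and this template should match it: `"id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName'))]"`. Separately, the only rule in the NSG is `AllowAllInBound` with `*` for protocol, both port ranges and both address prefixes, so deploying with `deployNsg` true adds no inbound filtering; the identical rule appears in vnet-2-subnet-ha-new.json. If that is intentional because the gateway VM inspects all traffic itself, stating so in the rule's `description` (for example `"Allow all inbound; filtering is performed by the gateway itself"`) would save the next reviewer the question, otherwise `sourceAddressPrefix` should be narrowed.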
diff --git a/deprecated/azure/templates/R8030/vmss-r8030/nestedtemplates/vnet-2-subnet-ha-new.json b/deprecated/azure/templates/R8030/vmss-r8030/nestedtemplates/vnet-2-subnet-ha-new.json
new file mode 100644
index 00000000..e9100c9c
--- /dev/null
+++ b/deprecated/azure/templates/R8030/vmss-r8030/nestedtemplates/vnet-2-subnet-ha-new.json
@@ -0,0 +1,188 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "vnet" + }, + "virtualNetworkAddressPrefixes": { + "type": "array", + "metadata": { + "description": "The address prefixes of the virtual network" + } + }, + "Subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the 1st subnet" + }, + "defaultValue": "Frontend" + }, + "Subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 1st subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "Subnet2Name": { + "type": "string", + "metadata": { + "description": "The name of the 2nd subnet" + }, + "defaultValue": "Backend" + }, + "Subnet2Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 2nd subnet" + }, + "defaultValue": "10.0.2.0/24" + }, + "vmName": { + "type": "string" + }, + "deployNsg": { + "type": "bool", + "defaultValue": "true" + } + }, + "variables": { + "copy": [ + { + "name": "toInternalRoutes", + "count": "[length(parameters('virtualNetworkAddressPrefixes'))]", + "input": { + "name": "[concat('To-Internal-',copyIndex('toInternalRoutes'))]", + "properties": { + "addressPrefix": "[parameters('virtualNetworkAddressPrefixes')[copyIndex('toInternalRoutes')]]", + "nextHopType": "None" + } + } + } + ], + "localSubnetRoute": [ + { + "name": "Local-Subnet", + "properties": { + "addressPrefix": "[parameters('subnet1Prefix')]", + "nextHopType": "VnetLocal" + } + } + ], + "routesArray": "[concat(variables('localSubnetRoute'), variables('toInternalRoutes'))]", + "nsgName": "[concat(parameters('vmName'), '-nsg')]", + "nsgProperties": { + "id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName'))]" + } + }, + 
"resources": [ + { + "type": "Microsoft.Network/routeTables", + "apiVersion": "2020-06-01", + "location": "[parameters('location')]", + "name": "[parameters('subnet1Name')]", + "properties": { + "routes": "[variables('routesArray')]" + } + }, + { + "type": "Microsoft.Network/routeTables", + "apiVersion": "2020-06-01", + "location": "[parameters('location')]", + "name": "[parameters('subnet2Name')]", + "properties": { + "routes": [ + { + "name": "To-Internet", + "properties": { + "addressPrefix": "0.0.0.0/0", + "nextHopType": "None" + } + } + ] + } + }, + { + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "2020-06-01", + "location": "[parameters('location')]", + "name": "[parameters('virtualNetworkName')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/routeTables', parameters('subnet1Name'))]", + "[resourceId('Microsoft.Network/routeTables', parameters('subnet2Name'))]" + ], + "properties": { + "addressSpace": { + "addressPrefixes": "[parameters('virtualNetworkAddressPrefixes')]" + }, + "subnets": [ + { + "name": "[parameters('subnet1Name')]", + "properties": { + "addressPrefix": "[parameters('subnet1Prefix')]", + "routeTable": { + "id": "[resourceId('Microsoft.Network/routeTables', parameters('subnet1Name'))]" + } + } + }, + { + "name": "[parameters('subnet2Name')]", + "properties": { + "addressPrefix": "[parameters('subnet2Prefix')]", + "routeTable": { + "id": "[resourceId('Microsoft.Network/routeTables', parameters('subnet2Name'))]" + } + } + } + ] + } + }, + { + "type": "Microsoft.Network/networkSecurityGroups", + "condition": "[parameters('deployNsg')]", + "apiVersion": "2020-06-01", + "location": "[parameters('location')]", + "name": "[variables('nsgName')]", + "properties": { + "securityRules": [ + { + "name": "AllowAllInBound", + "properties": { + "description": "Allow all inbound connections", + "protocol": "*", + "sourcePortRange": "*", + "destinationPortRange": "*", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + 
"access": "Allow", + "priority": "100", + "direction": "Inbound" + } + } + ] + } + } + ], + "outputs": { + "vnetId": { + "value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]", + "type": "string" + }, + "vnetAddressPrefixes": { + "value": "[parameters('virtualNetworkAddressPrefixes')]", + "type": "array" + }, + "nsgProperties": { + "value": "[variables('nsgProperties')]", + "type": "object" + } + } +} \ No newline at end of file diff --git a/deprecated/azure/templates/R8040-R81/ha-r8040-r81/README.md b/deprecated/azure/templates/R8040-R81/ha-r8040-r81/README.md new file mode 100644 index 00000000..e58bd802 --- /dev/null +++ b/deprecated/azure/templates/R8040-R81/ha-r8040-r81/README.md @@ -0,0 +1,21 @@ +# Check Point CloudGuard Network Security High Availability for Azure + +Check Point CloudGuard Network Security delivers advanced, multi-layered threat prevention to protect customer assets in Azure from malware and sophisticated threats. As a Microsoft Azure certified solution, CloudGuard Network Security enables you to easily and seamlessly secure your workloads while providing secure connectivity across your cloud and on-premises environments. + +Benefits: + +· Advanced threat prevention and traffic inspection + +· Integrated with Azure Security Center and Azure Sentinel + +· Provides consistent security policy management, enforcement, and reporting with a single pane of glass, using Check Point Unified Security Management + + + + Deploy to Azure + + + +To deploy with full control over all the template options use: [Full Control Deployment](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2Fazure%2Ftemplates%2Fmarketplace-ha%2FmainTemplate.json) + + 
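Review bot: `deployNsg` in the vnet-2-subnet-ha-new.json hunk is declared `"type": "bool"` but its default is the string `"true"`, while the sibling vnet-2-subnet-ha-existing.json uses an unquoted `false`; the default should be `"defaultValue": true` so the declared type, the default and the `"condition": "[parameters('deployNsg')]"` on the NSG resource agree (whether ARM rejects the string outright or coerces it I have not verified, but the mismatch is a latent failure either way). The parameters are declared as `Subnet1Name`, `Subnet1Prefix`, `Subnet2Name` and `Subnet2Prefix` but referenced as `parameters('subnet1Prefix')` and friends in `localSubnetRoute` and the route-table and subnet resources; ARM resolves these case-insensitively, so it works, but consistent casing makes the template easier to search.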
diff --git a/deprecated/azure/templates/R8040-R81/ha-r8040-r81/createUiDefinition.json b/deprecated/azure/templates/R8040-R81/ha-r8040-r81/createUiDefinition.json
new file mode 100644
index 00000000..31bbc503
--- /dev/null
+++ b/deprecated/azure/templates/R8040-R81/ha-r8040-r81/createUiDefinition.json
@@ -0,0 +1,1602 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Compute.MultiVm", + "version": "0.1.2-preview", + "parameters": { + "basics": [ + { + "name": "basics settings text block", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "Please follow the Check Point CloudGuard IaaS High Availability Administration Guide.", + "link": { + "label": "Administration Guide", + "uri": "https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_Azure_HA_Cluster/Default.htm" + } + } + }, + { + "name": "clusterObjectNameUi", + "type": "Microsoft.Common.TextBox", + "label": "Cluster Object Name", + "toolTip": "The name of the cluster object.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{1,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + } + }, + { + "name": "auth", + "type": "Microsoft.Compute.CredentialsCombo", + "label": { + "authenticationType": "Authentication type", + "password": "Password", + "confirmPassword": "Confirm password", + "sshPublicKey": "SSH public key" + }, + "toolTip": { + "password": "The user 'admin' password", + "sshPublicKey": "Paste an OpenSSH public key. 
You can generate a key pair using ssh-keygen (Linux, OS X, Cygwin) or PuttyGen (Windows)" + }, + "constraints": { + "required": true + }, + "options": { + "hideConfirmation": false, + "hidePassword": false + }, + "osPlatform": "Linux" + } + ], + "steps": [ + { + "name": "chkp", + "label": "Check Point Cluster Object settings", + "subLabel": { + "preValidation": "Configure Cluster Object settings", + "postValidation": "Done" + }, + "bladeTitle": "Cluster Object settings", + "elements": [ + { + "name": "cloudGuardVersion", + "type": "Microsoft.Common.DropDown", + "label": "Check Point CloudGuard version", + "defaultValue": "R81", + "toolTip": "The version of Check Point CloudGuard.", + "constraints": { + "allowedValues": [ + { + "label": "R80.40", + "value": "R80.40" + }, + { + "label": "R81", + "value": "R81" + } + ] + } + }, + { + "name": "R80Offer", + "type": "Microsoft.Common.DropDown", + "label": "License type", + "toolTip": "The type of license.", + "defaultValue": "Bring Your Own License", + "visible": true, + "constraints": { + "allowedValues": [ + { + "label": "Bring Your Own License", + "value": "Bring Your Own License" + }, + { + "label": "Pay As You Go (NGTP)", + "value": "Pay As You Go (NGTP)" + }, + { + "label": "Pay As You Go (NGTX)", + "value": "Pay As You Go (NGTX)" + } + ] + } + }, + { + "name": "R8040vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.40'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + "Standard_D2_v5", 
+ "Standard_D4_v5", + "Standard_D8_v5", + "Standard_D16_v5", + "Standard_D32_v5", + "Standard_D2s_v5", + "Standard_D4s_v5", + "Standard_D8s_v5", + "Standard_D16s_v5", + "Standard_D2d_v5", + "Standard_D4d_v5", + "Standard_D8d_v5", + "Standard_D16d_v5", + "Standard_D32d_v5", + "Standard_D2ds_v5", + "Standard_D4ds_v5", + "Standard_D8ds_v5", + "Standard_D16ds_v5", + "Standard_D32ds_v5", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8040", + "sku": "sg-byol" + }, + "count": 2 + }, + { + "name": "R8040vmSizeUiNGTP", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.40'), contains(steps('chkp').R80Offer, '(NGTP)'))]", + "label": "Virtual 
machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + "Standard_D2_v5", + "Standard_D4_v5", + "Standard_D8_v5", + "Standard_D16_v5", + "Standard_D32_v5", + "Standard_D2s_v5", + "Standard_D4s_v5", + "Standard_D8s_v5", + "Standard_D16s_v5", + "Standard_D2d_v5", + "Standard_D4d_v5", + "Standard_D8d_v5", + "Standard_D16d_v5", + "Standard_D32d_v5", + "Standard_D2ds_v5", + "Standard_D4ds_v5", + "Standard_D8ds_v5", + "Standard_D16ds_v5", + "Standard_D32ds_v5", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + 
"Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8040", + "sku": "sg-ngtp" + }, + "count": 2 + }, + { + "name": "R8040vmSizeUiNGTX", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.40'), contains(steps('chkp').R80Offer, '(NGTX)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + "Standard_D2_v5", + "Standard_D4_v5", + "Standard_D8_v5", + "Standard_D16_v5", + "Standard_D32_v5", + "Standard_D2s_v5", + "Standard_D4s_v5", + "Standard_D8s_v5", + "Standard_D16s_v5", + "Standard_D2d_v5", + "Standard_D4d_v5", + "Standard_D8d_v5", + "Standard_D16d_v5", + "Standard_D32d_v5", + "Standard_D2ds_v5", + "Standard_D4ds_v5", + "Standard_D8ds_v5", + "Standard_D16ds_v5", + "Standard_D32ds_v5", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + 
"Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8040", + "sku": "sg-ngtx" + }, + "count": 2 + }, + { + "name": "R81vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + "Standard_D2_v5", + "Standard_D4_v5", + "Standard_D8_v5", + "Standard_D16_v5", + "Standard_D32_v5", + "Standard_D2s_v5", + "Standard_D4s_v5", + "Standard_D8s_v5", + "Standard_D16s_v5", + "Standard_D2d_v5", + "Standard_D4d_v5", + "Standard_D8d_v5", + "Standard_D16d_v5", + "Standard_D32d_v5", + "Standard_D2ds_v5", + "Standard_D4ds_v5", + "Standard_D8ds_v5", + "Standard_D16ds_v5", + "Standard_D32ds_v5", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + 
"Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r81", + "sku": "sg-byol" + }, + "count": 2 + }, + { + "name": "R81vmSizeUiNGTP", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81'), contains(steps('chkp').R80Offer, '(NGTP)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + "Standard_D2_v5", + "Standard_D4_v5", + "Standard_D8_v5", + "Standard_D16_v5", + "Standard_D32_v5", + "Standard_D2s_v5", + "Standard_D4s_v5", + "Standard_D8s_v5", + "Standard_D16s_v5", 
+ "Standard_D2d_v5", + "Standard_D4d_v5", + "Standard_D8d_v5", + "Standard_D16d_v5", + "Standard_D32d_v5", + "Standard_D2ds_v5", + "Standard_D4ds_v5", + "Standard_D8ds_v5", + "Standard_D16ds_v5", + "Standard_D32ds_v5", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r81", + "sku": "sg-ngtp" + }, + "count": 2 + }, + { + "name": "R81vmSizeUiNGTX", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81'), contains(steps('chkp').R80Offer, '(NGTX)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": 
[ + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + "Standard_D2_v5", + "Standard_D4_v5", + "Standard_D8_v5", + "Standard_D16_v5", + "Standard_D32_v5", + "Standard_D2s_v5", + "Standard_D4s_v5", + "Standard_D8s_v5", + "Standard_D16s_v5", + "Standard_D2d_v5", + "Standard_D4d_v5", + "Standard_D8d_v5", + "Standard_D16d_v5", + "Standard_D32d_v5", + "Standard_D2ds_v5", + "Standard_D4ds_v5", + "Standard_D8ds_v5", + "Standard_D16ds_v5", + "Standard_D32ds_v5", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": 
"check-point-cg-r81", + "sku": "sg-ngtx" + }, + "count": 2 + }, + { + "name": "adminShell", + "type": "Microsoft.Common.DropDown", + "label": "Default shell for the admin user", + "defaultValue": "/etc/cli.sh", + "toolTip": "The default shell for the admin user", + "constraints": { + "allowedValues": [ + { + "label": "/etc/cli.sh", + "value": "/etc/cli.sh" + }, + { + "label": "/bin/bash", + "value": "/bin/bash" + }, + { + "label": "/bin/csh", + "value": "/bin/csh" + }, + { + "label": "/bin/tcsh", + "value": "/bin/tcsh" + } + ] + } + }, + { + "name": "sicKeyUi", + "type": "Microsoft.Common.PasswordBox", + "label": { + "password": "SIC key", + "confirmPassword": "Confirm SIC key" + }, + "toolTip": "Set the Secure Internal Communication one time secret used to set up trust between the cluster object and the management server.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{12,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the value must be 12-30 characters long." + }, + "options": { + "hideConfirmation": false + }, + "visible": "true" + }, + { + "name": "SerialPasswordInfoBox", + "type": "Microsoft.Common.InfoBox", + "visible": "[bool(basics('auth').sshPublicKey)]", + "options": { + "icon": "Info", + "text": "Check Point recommends setting serial console password and maintenance-mode password for recovery purposes. 
For R81.10 and below the serial console password is used also as maintenance-mode password" + } + }, + { + "visible": "[bool(basics('auth').sshPublicKey)]", + "name": "EnableSerialConsolePassword", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Serial console password", + "defaultValue": "Yes", + "toolTip": "A unique password hash to enable VM connection via serial console.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": true + }, + { + "label": "No", + "value": false + } + ] + } + }, + { + "name": "AdditionalPassword", + "type": "Microsoft.Common.PasswordBox", + "toolTip": "Serial console password hash, used to enable password authentication (using serial console). To generate password hash use the command 'openssl passwd -6 PASSWORD'", + "visible": "[and(bool(basics('auth').sshPublicKey), steps('chkp').EnableSerialConsolePassword)]", + "label": { + "password": "Password hash", + "confirmPassword": "Confirm password" + }, + "constraints": { + "required": true, + "regex": "^.{12,300}$", + "validationMessage": "The value must be the output of the hash command." + }, + "options": { + "hideConfirmation": false + } + }, + { + "name": "managedSystemAssigned", + "type": "Microsoft.Common.OptionsGroup", + "visible": true, + "label": "Create a System Assigned Identity", + "toolTip": "Automatically create a Service Principal for this deployment.", + "defaultValue": "Yes", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "yes" + }, + { + "label": "No", + "value": "no" + } + ] + } + }, + { + "name": "availabilityOptions", + "type": "Microsoft.Common.DropDown", + "label": "Availability options", + "defaultValue": "Availability Set", + "toolTip": "Use replicated Cluster VMs in Availability Set or Availability Zones. 
Note that the load balancers and their IP addresses will be zone redundant in any case.", + "visible": "[contains(' australiaeast brazilsouth canadacentral centralus eastasia eastus eastus2 francecentral germanywestcentral japaneast koreacentral northeurope norwayeast southafricanorth southcentralus southeastasia swedencentral uksouth usgovvirginia westeurope westus2 westus3 switzerlandnorth qatarcentral centralindia uaenorth italynorth \\ ', concat(' ', location(), ' '))]", + "constraints": { + "allowedValues": [ + { + "label": "Availability Set", + "value": "Availability Set" + }, + { + "label": "Availability Zones", + "value": "Availability Zones" + } + ] + } + }, + { + "name": "bootstrapScript", + "type": "Microsoft.Common.FileUpload", + "label": "Bootstrap script", + "toolTip": "An optional script to run on the initial boot", + "constraints": { + "required": false, + "accept": ".sh,text/plain" + }, + "options": { + "multiple": false, + "uploadMode": "file", + "openMode": "text", + "encoding": "UTF-8" + } + }, + { + "name": "allowUploadDownload", + "type": "Microsoft.Common.OptionsGroup", + "label": "Automatically download updates and share statistical data for product improvement purpose", + "defaultValue": "Yes", + "toolTip": "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "true" + }, + { + "label": "No", + "value": "false" + } + ] + } + }, + { + "name": "VMDiskType", + "type": "Microsoft.Common.OptionsGroup", + "label": "VM disk type", + "toolTip": "Type of CloudGuard disk.", + "visible": "[not(contains('R80.40 R81 ' , steps('chkp').cloudGuardVersion))]", + "defaultValue": "Premium", + "constraints": { + "allowedValues": [ + { + "label": "Standard", + "value": "Standard_LRS" + }, + { + "label": "Premium", + "value": "Premium_LRS" + } + ] + } + }, + { + "name": "VMDiskTypeOldVersions", + "type": "Microsoft.Common.OptionsGroup", + "label": "VM disk type", + "toolTip": "Type of CloudGuard disk.", + "visible": "[contains('R80.40 R81 ' , steps('chkp').cloudGuardVersion)]", + "defaultValue": "Standard", + "constraints": { + "allowedValues": [ + { + "label": "Standard", + "value": "Standard_LRS" + }, + { + "label": "Premium", + "value": "Premium_LRS" + } + ] + } + }, + { + "name": "basics settings text block", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "Please follow the Check Point referenced guide for adding disk space.", + "link": { + "label": "Additional disk space in CloudGuard", + "uri": "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk156552" + } + } + }, + { + "name": "additionalDiskSizeGB", + "type": "Microsoft.Common.TextBox", + "label": "Additional disk space (GB)", + "defaultValue": "0", + "toolTip": "Additional disk space (in GB), initial disk size is 100 GB.", + "constraints": { + "regex": "^([0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-2][0-9][0-9][0-9]|3[0-8][0-9][0-9]|399[0-5])$", + "validationMessage": "Select a number between 0 and 3995" + } + }, + { + "name": "useCustomImageUri", + "type": "Microsoft.Common.OptionsGroup", + "label": "Use development image uri", + "defaultValue": "No", + "toolTip": 
"Use custom image URI.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ], + "required": true + }, + "visible": false + }, + { + "name": "sourceImageVhdUri", + "type": "Microsoft.Common.TextBox", + "label": "Development Image URI", + "toolTip": "The URI of the blob containing the development image", + "constraints": { + "required": "[equals(steps('chkp').useCustomImageUri, 'Yes')]", + "regex": "^[a-z0-9A-Z_\\-\\.\\:\\/]{1,500}.vhd$", + "validationMessage": "Only alphanumeric characters and '_','-','.',':','/' are allowed, the value must be 1-500 characters long and must end with .vhd. " + }, + "visible": "[equals(steps('chkp').useCustomImageUri, 'Yes')]" + }, + { + "name": "customMetrics", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable CloudGuard metrics", + "defaultValue": "Yes", + "toolTip": "Enable CloudGuard metrics in order to send statuses and statistics collected from Cluster members to the Azure Monitor service.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "yes" + }, + { + "label": "No", + "value": "no" + } + ] + }, + "visible": true + }, + { + "name": "customMetricsInfoBox", + "type": "Microsoft.Common.InfoBox", + "visible": "[and(equals(steps('chkp').customMetrics, 'yes'), not(equals(steps('chkp').managedSystemAssigned, 'yes')))]", + "options": { + "icon": "Warning", + "text": "CloudGuard metrics can't be used when System Assigned Identity is disabled" + } + }, + { + "name": "floatingIP", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy the Load Balancers with floating IP", + "defaultValue": "No", + "toolTip": "Deploy the Load Balancers with floating IP.", + "constraints": { + "allowedValues": [ + { + "label": "No", + "value": "no" + }, + { + "label": "Yes", + "value": "yes" + } + ] + }, + "visible": true + }, + { + "name": "publicIPPrefix", + "type": "Microsoft.Common.OptionsGroup", + "label": "Use public IP prefix", + 
"defaultValue": "No", + "toolTip": "Use public IP prefix.", + "constraints": { + "allowedValues": [ + { + "label": "No", + "value": "no" + }, + { + "label": "Yes", + "value": "yes" + } + ] + }, + "visible": true + }, + { + "name": "createNewIPPrefix", + "type": "Microsoft.Common.OptionsGroup", + "label": "Create public IP prefix", + "defaultValue": "No", + "toolTip": "Create new public IP prefix to use.", + "constraints": { + "allowedValues": [ + { + "label": "No", + "value": "no" + }, + { + "label": "Yes", + "value": "yes" + } + ] + }, + "visible": "[equals(steps('chkp').publicIPPrefix, 'yes')]" + }, + { + "name": "ipPrefixExistingResourceId", + "type": "Microsoft.Common.TextBox", + "label": "Public IP prefix resource id", + "defaultValue": "", + "toolTip": "Use an exisiting public IP prefix resource id.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z -.:/n]{1,}$", + "validationMessage": "Only alphanumeric characters, hyphens, spaces, periods, and colons are allowed." + }, + "visible": "[equals(steps('chkp').createNewIPPrefix, 'no')]" + }, + { + "name": "allowSmart1CloudConnection", + "type": "Microsoft.Common.OptionsGroup", + "label": "Quick connect to Smart-1 Cloud", + "defaultValue": "Yes", + "toolTip": "Automatically connect this Cluster to Smart-1 Cloud - Check Point's Security Management as a Service", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "yes" + }, + { + "label": "No", + "value": "no" + } + ] + }, + "visible": true + }, + { + "name": "smart1CloudTokenTxt", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Follow these instructions to quickly connect this Cluster to Smart-1 Cloud", + "link": { + "label": "SK180501 - Connecting CloudGuard Network Security Public Cloud Gateways to Smart-1 Cloud", + "uri": "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501" + } + }, + "visible": "[equals(steps('chkp').allowSmart1CloudConnection, 
'yes')]" + }, + { + "name": "Smart1CloudTokenA", + "type": "Microsoft.Common.TextBox", + "label": "Smart-1 Cloud Token Member A", + "toolTip": "Paste here the token copied from the Connect Gateway (Member A) screen in Smart-1 Cloud portal", + "constraints": { + "required": true, + "regex": "[\\S\\s]{5,}", + "validationMessage": "Smart1Cloud Token Should contain at lease 5 characters" + }, + "visible": "[equals(steps('chkp').allowSmart1CloudConnection, 'yes')]" + }, + { + "name": "Smart1CloudTokenB", + "type": "Microsoft.Common.TextBox", + "label": "Smart-1 Cloud Token Member B", + "toolTip": "Paste here the token copied from the Connect Gateway (Member B) screen in Smart-1 Cloud portal", + "constraints": { + "required": true, + "regex": "[\\S\\s]{5,}", + "validationMessage": "Smart1Cloud Token Should contain at lease 5 characters" + }, + "visible": "[equals(steps('chkp').allowSmart1CloudConnection, 'yes')]" + } + ] + }, + { + "name": "network", + "label": "Network settings", + "subLabel": { + "preValidation": "Configure network settings", + "postValidation": "Done" + }, + "bladeTitle": "Network settings", + "elements": [ + { + "name": "virtualNetwork", + "type": "Microsoft.Network.VirtualNetworkCombo", + "label": { + "virtualNetwork": "Virtual network", + "subnets": "Subnets" + }, + "toolTip": { + "virtualNetwork": "Virtual Network Name", + "subnets": "List of subnets to deploy into" + }, + "defaultValue": { + "name": "vnet01", + "addressPrefixSize": "/16" + }, + "constraints": { + "minAddressPrefixSize": "/28" + }, + "options": { + "hideExisting": false + }, + "subnets": { + "subnet1": { + "label": "Frontend subnet", + "defaultValue": { + "name": "Frontend", + "addressPrefixSize": "/24" + }, + "constraints": { + "minAddressPrefixSize": "/29", + "minAddressCount": 2, + "requireContiguousAddresses": true + } + }, + "subnet2": { + "label": "Backend subnet", + "defaultValue": { + "name": "Backend", + "addressPrefixSize": "/24" + }, + "constraints": { + 
"minAddressPrefixSize": "/29", + "minAddressCount": 2, + "requireContiguousAddresses": true + } + } + } + }, + { + "name": "Vips_Number", + "type": "Microsoft.Common.DropDown", + "label": "Number of Virtual IPs (VIP)", + "defaultValue": "1", + "toolTip": "Choose number of Virtual IP addresses to deploy for the cluster's external NIC", + "constraints": { + "allowedValues": [ + { + "label": "1", + "value": "1" + }, + { + "label": "2", + "value": "2" + }, + { + "label": "3", + "value": "3" + }, + { + "label": "4", + "value": "4" + }, + { + "label": "5", + "value": "5" + }, + { + "label": "6", + "value": "6" + }, + { + "label": "7", + "value": "7" + }, + { + "label": "8", + "value": "8" + }, + { + "label": "9", + "value": "9" + }, + { + "label": "10", + "value": "10" + } + ], + "required": true + }, + "visible": true + }, + { + "name": "VIP_Names", + "type": "Microsoft.Common.Section", + "label": "VIPs Names", + "elements": [ + { + "name": "VIP2_Name", + "type": "Microsoft.Common.TextBox", + "label": "VIP 2 name", + "toolTip": "Choose name for VIP number 2", + "visible": "[greater(int(steps('network').Vips_Number), 1)]", + "constraints": { + "validations": [ + { + "regex": "^[a-z0-9A-Z]{1,30}$", + "message": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + } + ] + } + }, + { + "name": "VIP3_Name", + "type": "Microsoft.Common.TextBox", + "label": "VIP 3 name", + "toolTip": "Choose name for VIP number 3", + "visible": "[greater(int(steps('network').Vips_Number), 2)]", + "constraints": { + "validations": [ + { + "regex": "^[a-z0-9A-Z]{1,30}$", + "message": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." 
+ } + ] + } + }, + { + "name": "VIP4_Name", + "type": "Microsoft.Common.TextBox", + "label": "VIP 4 name", + "toolTip": "Choose name for VIP number 4", + "visible": "[greater(int(steps('network').Vips_Number), 3)]", + "constraints": { + "validations": [ + { + "regex": "^[a-z0-9A-Z]{1,30}$", + "message": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + } + ] + } + }, + { + "name": "VIP5_Name", + "type": "Microsoft.Common.TextBox", + "label": "VIP 5 name", + "toolTip": "Choose name for VIP number 5", + "visible": "[greater(int(steps('network').Vips_Number), 4)]", + "constraints": { + "validations": [ + { + "regex": "^[a-z0-9A-Z]{1,30}$", + "message": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + } + ] + } + }, + { + "name": "VIP6_Name", + "type": "Microsoft.Common.TextBox", + "label": "VIP 6 name", + "toolTip": "Choose name for VIP number 6", + "visible": "[greater(int(steps('network').Vips_Number), 5)]", + "constraints": { + "validations": [ + { + "regex": "^[a-z0-9A-Z]{1,30}$", + "message": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + } + ] + } + }, + { + "name": "VIP7_Name", + "type": "Microsoft.Common.TextBox", + "label": "VIP 7 name", + "toolTip": "Choose name for VIP number 7", + "visible": "[greater(int(steps('network').Vips_Number), 6)]", + "constraints": { + "validations": [ + { + "regex": "^[a-z0-9A-Z]{1,30}$", + "message": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + } + ] + } + }, + { + "name": "VIP8_Name", + "type": "Microsoft.Common.TextBox", + "label": "VIP 8 name", + "toolTip": "Choose name for VIP number 8", + "visible": "[greater(int(steps('network').Vips_Number), 7)]", + "constraints": { + "validations": [ + { + "regex": "^[a-z0-9A-Z]{1,30}$", + "message": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." 
+ } + ] + } + }, + { + "name": "VIP9_Name", + "type": "Microsoft.Common.TextBox", + "label": "VIP 9 name", + "toolTip": "Choose name for VIP number 9", + "visible": "[greater(int(steps('network').Vips_Number), 8)]", + "constraints": { + "validations": [ + { + "regex": "^[a-z0-9A-Z]{1,30}$", + "message": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + } + ] + } + }, + { + "name": "VIP10_Name", + "type": "Microsoft.Common.TextBox", + "label": "VIP 10 name", + "toolTip": "Choose name for VIP number 10", + "visible": "[greater(int(steps('network').Vips_Number), 9)]", + "constraints": { + "validations": [ + { + "regex": "^[a-z0-9A-Z]{1,30}$", + "message": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + } + ] + } + } + ], + "visible": "[greater(int(steps('network').Vips_Number), 1)]" + }, + { + "name": "NSG", + "type": "Microsoft.Common.OptionsGroup", + "label": "Network Security Group", + "toolTip": "Choose between using an existing NSG or using a new NSG", + "constraints": { + "allowedValues": [ + { + "label": "Create new", + "value": true + }, + { + "label": "Existing NSG", + "value": false + } + ], + "required": true + }, + "visible": true + }, + { + "name": "nsgSelector", + "type": "Microsoft.Solutions.ResourceSelector", + "label": "Network Security Group", + "defaultValue": "null", + "toolTip": "Choose an existing NSG", + "resourceType": "Microsoft.Network/NetworkSecurityGroups", + "options": { + "filter": { + "subscription": "onBasics", + "location": "onBasics" + } + }, + "constraints": { + "required": true + }, + "visible": "[equals(steps('network').NSG, false)]" + }, + { + "name": "NSGName", + "type": "Microsoft.Common.TextBox", + "label": "Name", + "defaultValue": "[concat(basics('clusterObjectNameUi') , '-nsg')]", + "toolTip": "Insert Name for the new NSG", + "multiLine": false, + "constraints": { + "required": "[steps('network').NSG]", + "regex": "^[a-z0-9A-Z-]{1,30}$", + 
"validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + }, + "visible": "[steps('network').NSG]" + }, + { + "name": "addStorageAccountIpRules", + "type": "Microsoft.Common.OptionsGroup", + "defaultValue": "Network access from all networks", + "label": "Storage Account Network Access", + "toolTip": "Select your preferred network access to the Storage Account, for more information - https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#serial-console-security", + "constraints": { + "allowedValues": [ + { + "label": "Network access from all networks", + "value": false + }, + { + "label": "Network access only from Serial Console", + "value": true + } + ], + "required": true + }, + "visible": true + } + ] + }, + { + "name": "tags", + "label": "Tags", + "elements": [ + { + "name": "tagsByResource", + "type": "Microsoft.Common.TagsByResource", + "toolTip": "Create Azure tags for the new resources", + "resources": [ + "Microsoft.Storage/storageAccounts", + "Microsoft.Compute/availabilitySets", + "Microsoft.Network/publicIPAddresses", + "Microsoft.Network/networkInterfaces", + "Microsoft.Compute/virtualMachines", + "Microsoft.Network/loadBalancers", + "Microsoft.Network/networkSecurityGroups", + "Microsoft.Network/routeTables", + "Microsoft.Network/virtualNetworks" + ] + } + ] + } + ], + "outputs": { + "location": "[location()]", + "cloudGuardVersion": "[concat(steps('chkp').cloudGuardVersion, ' - ', coalesce(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "adminPassword": "[basics('auth').password]", + "authenticationType": "[basics('auth').authenticationType]", + "sshPublicKey": "[basics('auth').sshPublicKey]", + "vmName": "[basics('clusterObjectNameUi')]", + "vmSize": "[coalesce(steps('chkp').R8040vmSizeUiBYOL, steps('chkp').R8040vmSizeUiNGTP, steps('chkp').R8040vmSizeUiNGTX, steps('chkp').R81vmSizeUiBYOL, steps('chkp').R81vmSizeUiNGTP, steps('chkp').R81vmSizeUiNGTX)]", + 
"sicKey": "[steps('chkp').sicKeyUi]", + "virtualNetworkName": "[steps('network').virtualNetwork.name]", + "virtualNetworkAddressPrefixes": "[steps('network').virtualNetwork.addressPrefixes]", + "subnet1Name": "[steps('network').virtualNetwork.subnets.subnet1.name]", + "subnet1Prefix": "[steps('network').virtualNetwork.subnets.subnet1.addressPrefix]", + "subnet1StartAddress": "[steps('network').virtualNetwork.subnets.subnet1.startAddress]", + "subnet2Name": "[steps('network').virtualNetwork.subnets.subnet2.name]", + "subnet2Prefix": "[steps('network').virtualNetwork.subnets.subnet2.addressPrefix]", + "subnet2StartAddress": "[steps('network').virtualNetwork.subnets.subnet2.startAddress]", + "vnetNewOrExisting": "[steps('network').virtualNetwork.newOrExisting]", + "virtualNetworkExistingRGName": "[steps('network').virtualNetwork.resourceGroup]", + "bootstrapScript": "[steps('chkp').bootstrapScript]", + "allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp').allowUploadDownload, 'true')]", + "additionalDiskSizeGB": "[int(steps('chkp').additionalDiskSizeGB)]", + "diskType": "[if(contains('R80.40 R81 ' , steps('chkp').cloudGuardVersion) , steps('chkp').VMDiskTypeOldVersions , steps('chkp').VMDiskType)]", + "managedSystemAssigned": "[steps('chkp').managedSystemAssigned]", + "sourceImageVhdUri": "[coalesce(steps('chkp').sourceImageVhdUri, 'noCustomUri')]", + "availabilityOptions": "[steps('chkp').availabilityOptions]", + "customMetrics": "[steps('chkp').customMetrics]", + "floatingIP": "[steps('chkp').floatingIP]", + "publicIPPrefix": "[steps('chkp').publicIPPrefix]", + "createNewIPPrefix": "[steps('chkp').createNewIPPrefix]", + "ipPrefixExistingResourceId": "[steps('chkp').ipPrefixExistingResourceId]", + "adminShell": "[steps('chkp').adminShell]", + "smart1CloudTokenA": "[steps('chkp').Smart1CloudTokenA]", + "smart1CloudTokenB": "[steps('chkp').Smart1CloudTokenB]", + "tagsByResource": "[steps('tags').tagsByResource]", + "deployNewNSG": "[steps('network').NSG]", + 
"ExistingNSG": "[steps('network').nsgSelector]", + "NewNsgName": "[steps('network').NSGName]", + "addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]", + "VipsNumber": "[int(steps('network').Vips_Number)]", + "VipNames": "[concat(steps('network').VIP_Names.VIP2_Name, ',', steps('network').VIP_Names.VIP3_Name, ',', steps('network').VIP_Names.VIP4_Name, ',', steps('network').VIP_Names.VIP5_Name, ',', steps('network').VIP_Names.VIP6_Name, ',', steps('network').VIP_Names.VIP7_Name, ',', steps('network').VIP_Names.VIP8_Name, ',', steps('network').VIP_Names.VIP9_Name, ',', steps('network').VIP_Names.VIP10_Name)]", + "SerialConsolePasswordHash": "[steps('chkp').AdditionalPassword]" + } + } +} \ No newline at end of file diff --git a/deprecated/azure/templates/R8040-R81/ha-r8040-r81/mainTemplate.json b/deprecated/azure/templates/R8040-R81/ha-r8040-r81/mainTemplate.json new file mode 100644 index 00000000..59952e87 --- /dev/null +++ b/deprecated/azure/templates/R8040-R81/ha-r8040-r81/mainTemplate.json 
@@ -0,0 +1,1294 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "Deployment location"
+ },
+ "defaultValue": "[resourceGroup().location]"
+ },
+ "cloudGuardVersion": {
+ "type": "string",
+ "allowedValues": [
+ "R80.40 - Bring Your Own License",
+ "R80.40 - Pay As You Go (NGTP)",
+ "R80.40 - Pay As You Go (NGTX)",
+ "R81 - Bring Your Own License",
+ "R81 - Pay As You Go (NGTP)",
+ "R81 - Pay As You Go (NGTX)",
+ ],
+ "defaultValue": "R81 - Bring Your Own License",
+ "metadata": {
+ "description": "Check Point CloudGuard version"
+ }
+ },
+ "authenticationType": {
+ "type": "string",
+ "allowedValues": [
+ "password",
+ "sshPublicKey"
+ ],
+ "defaultValue": "password",
+ "metadata": {
+ "description": "Authentication type"
+ }
+ },
+ "sshPublicKey": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Administrator SSH public key"
+ }
+ },
+ "adminPassword": {
+ "type": "securestring",
+ "metadata": {
+ "description": "Administrator password"
+ },
+ "defaultValue": ""
+ },
+ "SerialConsolePasswordHash": {
+ "type": "securestring",
+ "defaultValue": "",
+ "metadata": {
+ "Description": "Optional parameter, used to enable serial console connection in case of SSH key as authentication type"
+ }
+ },
+ "floatingIP": {
+ "type": "string",
+ "allowedValues": [
+ "no",
+ "yes"
+ ],
+ "defaultValue": "no",
+ "metadata": {
+ "description": "Deploy the Load Balancers with floating IP"
+ }
+ },
+ "publicIPPrefix": {
+ "type": "string",
+ "allowedValues": [
+ "no",
+ "yes"
+ ],
+ "defaultValue": "no",
+ "metadata": {
+ "description": "Use public IP prefix"
+ }
+ },
+ "createNewIPPrefix": {
+ "type": "string",
+ "allowedValues": [
+ "no",
+ "yes"
+ ],
+ "defaultValue": "no",
+ "metadata": {
+ "description": "Create new public IP prefix"
+ }
+ },
+ "ipPrefixExistingResourceId": {
+ 
"type": "string", + "metadata": { + "description": "The resource id of the existing IP prefix" + }, + "defaultValue": "" + }, + "vmName": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "Name of the Check Point Cluster object" + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_D3_v2", + "metadata": { + "description": "Size of the VM" + } + }, + "adminShell": { + "type": "string", + "defaultValue": "/etc/cli.sh", + "allowedValues": [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh" + ], + "metadata": { + "Description": "The default shell for the admin user" + } + }, + "sicKey": { + "type": "securestring", + "metadata": { + "description": "One time key for Secure Internal Communication" + } + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "[concat(resourceGroup().name, '-vnet')]" + }, + "virtualNetworkAddressPrefixes": { + "type": "array", + "metadata": { + "description": "The address prefixes of the virtual network" + }, + "defaultValue": [ + "10.0.0.0/16" + ] + }, + "subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the frontend subnet" + }, + "defaultValue": "Frontend" + }, + "subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the frontend subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "subnet1StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the 1st subnet" + }, + "defaultValue": "10.0.1.10" + }, + "subnet2Name": { + "type": "string", + "metadata": { + "description": "The name of the backend subnet" + }, + "defaultValue": "Backend" + }, + "subnet2Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the backend subnet" + }, + "defaultValue": "10.0.2.0/24" + }, + "subnet2StartAddress": { + "type": "string", + "metadata": { + 
"description": "The first available address on the 2nd subnet" + }, + "defaultValue": "10.0.2.10" + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "new", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "[resourceGroup().name]" + }, + "bootstrapScript": { + "type": "string", + "metadata": { + "description": "Bootstrap script" + }, + "defaultValue": "" + }, + "allowDownloadFromUploadToCheckPoint": { + "type": "string", + "allowedValues": [ + "true", + "false" + ], + "defaultValue": "true", + "metadata": { + "description": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + } + }, + "additionalDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "metadata": { + "description": "Amount of additional disk space (in GB)" + }, + "minValue": 0, + "maxValue": 3995 + }, + "diskType": { + "type": "string", + "defaultValue": "Standard_LRS", + "metadata": { + "description": "The type of the OS disk. Premium is applicable only to DS machine sizes" + }, + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ] + }, + "managedSystemAssigned": { + "type": "string", + "allowedValues": [ + "yes", + "no" + ], + "defaultValue": "yes", + "metadata": { + "description": "Automatically create a Service Principal for this deployment." 
+ }
+ },
+ "sourceImageVhdUri": {
+ "type": "string",
+ "defaultValue": "noCustomUri",
+ "metadata": {
+ "description": "The URI of the blob containing the development image"
+ }
+ },
+ "availabilityOptions": {
+ "type": "string",
+ "allowedValues": [
+ "Availability Set",
+ "Availability Zones"
+ ],
+ "defaultValue": "Availability Set",
+ "metadata": {
+ "description": "Use replicated Cluster VMs in Availability Set or Availability Zones"
+ }
+ },
+ "_artifactsLocation": {
+ "type": "string",
+ "metadata": {
+ "description": "Use the following URI when deploying a custom template: https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/"
+ },
+ "defaultValue": "[deployment().properties.templateLink.uri]"
+ },
+ "_artifactsLocationSasToken": {
+ "type": "securestring",
+ "metadata": {
+ "description": "The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. Use the defaultValue if the staging location is not secured."
+ }, + "defaultValue": "" + }, + "customMetrics": { + "type": "string", + "allowedValues": [ + "no", + "yes" + ], + "defaultValue": "yes", + "metadata": { + "Description": "Indicates whether CloudGuard Metrics will be used for Cluster members monitoring" + } + }, + "smart1CloudTokenA": { + "type": "securestring", + "defaultValue": "" + }, + "smart1CloudTokenB": { + "type": "securestring", + "defaultValue": "" + }, + "tagsByResource": { + "type": "object", + "defaultValue": {} + }, + "deployNewNSG": { + "type": "bool", + "defaultValue": true + }, + "ExistingNSG": { + "type": "object", + "defaultValue": {} + }, + "NewNsgName": { + "type": "string", + "defaultValue": "[concat(parameters('vmName'),'-nsg')]" + }, + "VipsNumber": { + "type": "int", + "defaultValue": 1, + "minValue": 1, + "maxValue": 10 + }, + "VipNames": { + "type": "string", + "defaultValue": "" + }, + "addStorageAccountIpRules": { + "type": "bool", + "metadata": { + "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled" + }, + "defaultValue" : false + }, + "storageAccountAdditionalIps":{ + "type": "array", + "metadata": { + "description": "IPs/CIDRs that are allowed access to the Storage Account" + }, + "defaultValue" : [] + } + + }, + "variables": { + "VIPs_Number": "[int(parameters('VipsNumber'))]", + "Vip_Names": "[split(parameters('VipNames'), ',')]", + "templateName": "ha", + "templateVersion": "20230910", + "location": "[parameters('location')]", + "elbPublicIPName": "frontend-lb-address", + "haPublicIPName": "[parameters('vmName')]", + "offers": { + "R80.40 - 
Bring Your Own License": "BYOL", + "R80.40 - Pay As You Go (NGTP)": "NGTP", + "R80.40 - Pay As You Go (NGTX)": "NGTX", + "R81 - Bring Your Own License": "BYOL", + "R81 - Pay As You Go (NGTP)": "NGTP", + "R81 - Pay As You Go (NGTX)": "NGTX", + }, + "offer": "[variables('offers')[parameters('cloudGuardVersion')]]", + "osVersions": { + "R80.40 - Bring Your Own License": "R8040", + "R80.40 - Pay As You Go (NGTP)": "R8040", + "R80.40 - Pay As You Go (NGTX)": "R8040", + "R81 - Bring Your Own License": "R81", + "R81 - Pay As You Go (NGTP)": "R81", + "R81 - Pay As You Go (NGTX)": "R81", + }, + "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", + "SerialConsoleGeographies": { + "eastasia" : ["20.205.69.28", "20.195.85.180"], + "southeastasia" : ["20.205.69.28", "20.195.85.180"], + "australiacentral" : ["20.53.53.224", "20.70.222.112"], + "australiacentral2" : ["20.53.53.224", "20.70.222.112"], + "australiaeast" : ["20.53.53.224", "20.70.222.112"], + "australiasoutheast" : ["20.53.53.224", "20.70.222.112"], + "brazilsouth" : ["91.234.136.63", "20.206.0.194"], + "brazilsoutheast" : ["91.234.136.63", "20.206.0.194"], + "canadacentral" : ["52.228.86.177", "52.242.40.90"], + "canadaeast" : ["52.228.86.177", "52.242.40.90"], + "northeurope" : ["52.146.139.220", "20.105.209.72"], + "westeurope" : ["52.146.139.220", "20.105.209.72"], + "francecentral" : ["20.111.0.244", "52.136.191.10"], + "francesouth" : ["20.111.0.244", "52.136.191.10"], + "germanynorth" : ["51.116.75.88", "20.52.95.48"], + "germanywestcentral" : ["51.116.75.88", "20.52.95.48"], + "centralindia" : ["20.192.168.150", "20.192.153.104"], + "southindia" : ["20.192.168.150", "20.192.153.104"], + "westindia" : ["20.192.168.150", "20.192.153.104"], + "japaneast" : ["20.43.70.205", "20.189.228.222"], + "japanwest" : ["20.43.70.205", "20.189.228.222"], + "koreacentral" : ["20.200.196.96", "52.147.119.29"], + "koreasouth" : ["20.200.196.96", "52.147.119.29"], + "norwaywest" : ["20.100.1.184", 
"51.13.138.76"], + "norwayeast" : ["20.100.1.184", "51.13.138.76"], + "switzerlandnorth" : ["20.208.4.98", "51.107.251.190"], + "switzerlandwest" : ["20.208.4.98", "51.107.251.190"], + "uaecentral" : ["20.45.95.66", "20.38.141.5"], + "uaenorth" : ["20.45.95.66", "20.38.141.5"], + "uksouth" : ["20.90.132.144", "20.58.68.62"], + "ukwest" : ["20.90.132.144", "20.58.68.62"], + "swedencentral" : ["51.12.72.223", "51.12.22.174"], + "swedensouth" : ["51.12.72.223", "51.12.22.174"], + "centralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "eastus2" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "eastus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "northcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "southcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus2" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus3" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "eastus2euap" : ["20.45.242.18", "20.51.21.252"], + "centraluseuap" : ["20.45.242.18", "20.51.21.252"]}, + "serialConsoleIps": "[if(contains(variables('serialConsoleGeographies'),variables('location')),variables('serialConsoleGeographies')[variables('location')],createArray())]", + "storageAccountIps" : "[concat(variables('SerialConsoleIps'),parameters('storageAccountAdditionalIps'))]", + "isBlink": true, + "storageAccountName": "[concat('bootdiag', uniqueString(resourceGroup().id, deployment().name))]", + "storageAccountType": "Standard_LRS", + "diskSize100GB": 100, + "diskSizeGB": "[add(parameters('additionalDiskSizeGB'), variables('diskSize100GB'))]", + "imageOffer": "[concat('check-point-cg-', toLower(variables('osVersion')))]", + "imagePublisher": "checkpoint", 
+ "imageReferenceBYOL": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-byol", + "version": "latest" + }, + "imageReferenceNGTP": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp", + "version": "latest" + }, + "imageReferenceNGTP-V2": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp-v2", + "version": "latest" + }, + "imageReferenceNGTX": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtx", + "version": "latest" + }, + "imageReferenceNGTX-V2": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtx-v2", + "version": "latest" + }, + "imageReferenceMarketplace": "[if(equals(variables('offer'), 'BYOL'), variables('imageReferenceBYOL'), if(equals(variables('offer'), 'NGTP'), variables('imageReferenceNGTP'), if(equals(variables('offer'), 'NGTP-V2'), variables('imageReferenceNGTP-V2'), if(equals(variables('offer'), 'NGTX'), variables('imageReferenceNGTX'), if(equals(variables('offer'), 'NGTX-V2'), variables('imageReferenceNGTX-V2'), json('null'))))))]", + "customImage": "customImage", + "imageReferenceCustomUri": { + "id": "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + }, + "imageReference": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('imageReferenceMarketplace'), variables('imageReferenceCustomUri'))]", + "enableFloatingIP": "[equals(parameters('floatingIP'), 'yes')]", + "nic1Name": "eth0", + "nic2Name": "eth1", + "elbName": "frontend-lb", + "elbId": "[resourceId('Microsoft.Network/loadBalancers', variables('elbName'))]", + "elbBEAddressPool": "[concat(variables('elbName'), '-pool')]", + "elbBEAddressPoolID": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', variables('elbName'), variables('elbBEAddressPool'))]", + "ilbName": 
"backend-lb", + "ilbId": "[resourceId('Microsoft.Network/loadBalancers', variables('ilbName'))]", + "ilbBEAddressPool": "[concat(variables('ilbName'), '-pool')]", + "ilbBEAddressPoolID": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools/', variables('ilbName'), variables('ilbBEAddressPool'))]", + "ilbFEIPConfigID": "[resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations/', variables('ilbName'), variables('ilbName'))]", + "ilbProbeName": "[variables('ilbName')]", + "ilbProbeID": "[resourceId('Microsoft.Network/loadBalancers/probes/', variables('ilbName'), variables('ilbProbeName'))]", + "linuxConfigurationpassword": { + "disablePasswordAuthentication": "false" + }, + "appProbeName": "health_prob_port", + "linuxConfigurationsshPublicKey": { + "disablePasswordAuthentication": "true", + "ssh": { + "publicKeys": [ + { + "keyData": "[parameters('sshPublicKey')]", + "path": "/home/notused/.ssh/authorized_keys" + } + ] + } + }, + "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), variables('linuxConfigurationpassword'), variables('linuxConfigurationsshPublicKey'))]", + "planBYOL": { + "name": "sg-byol", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP": { + "name": "sg-ngtp", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP-V2": { + "name": "sg-ngtp-v2", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTX": { + "name": "sg-ngtx", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTX-V2": { + "name": "sg-ngtx-v2", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "plan": "[if(equals(variables('offer'), 'BYOL') , variables('planBYOL'), if(equals(variables('offer'), 'NGTP'), variables('planNGTP'), if(equals(variables('offer'), 'NGTP-V2'), 
variables('planNGTP-V2'), if(equals(variables('offer'), 'NGTX'), variables('planNGTX'), if(equals(variables('offer'), 'NGTX-V2'), variables('planNGTX-V2'), json('null'))))))]", + "roleDefinitionIds": "[createArray(subscriptionResourceId('Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c'), subscriptionResourceId('Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7'))]", + "identity": "[json('{\"type\": \"SystemAssigned\"}')]", + "subnet2PrivateAddresses": [ + "[concat(split(parameters('subnet2StartAddress'), '.')[0],'.', split(parameters('subnet2StartAddress'), '.')[1],'.', split(parameters('subnet2StartAddress'), '.')[2],'.', string(add(int(split(parameters('subnet2StartAddress'), '.')[3]),1)))]", + "[concat(split(parameters('subnet2StartAddress'), '.')[0],'.', split(parameters('subnet2StartAddress'), '.')[1],'.', split(parameters('subnet2StartAddress'), '.')[2],'.', string(add(int(split(parameters('subnet2StartAddress'), '.')[3]),2)))]" + ], + "elbPublicIPId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('elbPublicIPName'))]", + "haPublicIPId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('haPublicIPName'))]", + "gwPublicIPIds": [ + "[resourceId('Microsoft.Network/publicIPAddresses', concat(parameters('vmName'), '1'))]", + "[resourceId('Microsoft.Network/publicIPAddresses', concat(parameters('vmName'), '2'))]" + ], + "availabilitySetName": "[concat(parameters('vmName'), '-AvailabilitySet')]", + "count": 2, + "bootstrapScript64": "[base64(parameters('bootstrapScript'))]", + "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]", + "_artifactsLocation": "[if(contains(parameters('_artifactsLocation'),'raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/marketplace'),'https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/',parameters('_artifactsLocation'))]", + "networkSetupURL": 
"[uri(variables('_artifactsLocation'), concat('nestedtemplates/vnet-2-subnet-ha2-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]", + "ExsitingNsgRoleAssignmentURL": "[uri(variables('_artifactsLocation'), concat('nestedtemplates/existing-nsg-RoleAssignment', '.json'))]", + "sicKey": "[parameters('sicKey')]", + "installationType": "cluster", + "internalLBPrivateIPAddress": "[parameters('Subnet2StartAddress')]", + "availabilityZonesLocations": [ + "brazilsouth", + "canadacentral", + "centralus", + "eastus", + "eastus2", + "southcentralus", + "usgovvirginia", + "westus2", + "westus3", + "francecentral", + "germanywestcentral", + "northeurope", + "norwayeast", + "uksouth", + "westeurope", + "swedencentral", + "switzerlandnorth", + "qatarcentral", + "uaenorth", + "southafricanorth", + "australiaeast", + "centralindia", + "japaneast", + "koreacentral", + "southeastasia", + "eastasia", + "italynorth" + ], + "availabilitySetProperty": { + "id": "[resourceId('Microsoft.Compute/availabilitySets', variables('availabilitySetName'))]" + }, + "useAZ": "[and(contains(variables('availabilityZonesLocations'), variables('location')), equals(parameters('availabilityOptions'), 'Availability Zones'))]", + "customMetrics": "[parameters('customMetrics')]", + "emptyString": "none", + "ipPrefixNewName": "[concat(parameters('vmName'), '-ipprefix')]", + "ipPrefixExistingResourceId": "[if(equals(parameters('publicIPPrefix'), 'yes'), parameters('ipPrefixExistingResourceId'), variables('emptyString'))]", + "ipNewPrefixId": "[resourceId('Microsoft.Network/publicIPPrefixes',variables('ipPrefixNewName'))]", + "publicIPNewPrefixId": "[if(equals(parameters('publicIPPrefix'), 'yes'), variables('ipNewPrefixId'), json('null'))]", + "usepublicIPPrefix": "[if(equals(parameters('createNewIPPrefix'),'yes'), variables('publicIPNewPrefixId'), variables('ipPrefixExistingResourceId'))]", + "publicIPPrefixProperty": { + "Id": "[variables('usepublicIPPrefix')]" + }, + 
"tokens":[ + "[parameters('smart1CloudTokenA')]", + "[parameters('smart1CloudTokenB')]" + ], + "prefixDependsOn": "[if(equals(parameters('publicIPPrefix'), 'yes'), if(equals(parameters('createNewIPPrefix'), 'yes'), variables('publicIPNewPrefixId'), variables('ipNewPrefixId')), variables('ipNewPrefixId'))]", + "deployNewVnet": "[equals(parameters('vnetNewOrExisting'), 'new')]", + "vnetRGName": "[if(variables('deployNewVnet'), resourceGroup().name, parameters('virtualNetworkExistingRGName'))]", + "NewNsgReference": {"id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('NewNsgName'))]"}, + "DefaultIpAddresses": + [{ + "name": "member-ip", + "properties": { + "primary": true, + "privateIPAddress": "[variables('externalPrivateAddresses')[0]]", + "privateIPAllocationMethod": "Static", + "PublicIpAddress": { + "Id": "[variables('gwPublicIPIds')[0]]" + }, + "subnet": { + "id": "[resourceId(variables('vnetRGName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnet1Name'))]" + }, + "loadBalancerBackendAddressPools": [ + { + "id": "[variables('elbBEAddressPoolID')]" + } + ] + } + }, + { + "name": "cluster-vip", + "properties": { + "primary": false, + "privateIPAddress": "[variables('externalPrivateAddresses')[2]]", + "privateIPAllocationMethod": "Static", + "PublicIpAddress": { + "Id": "[variables('haPublicIPId')]" + }, + "subnet": { + "id": "[resourceId(variables('vnetRGName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnet1Name'))]" + } + } + }], + "copy": + [ + { + "name": "externalPrivateAddresses", + "count": "[add(variables('VIPs_Number'),2)]", + "input": "[concat(split(parameters('subnet1StartAddress'), '.')[0],'.', split(parameters('subnet1StartAddress'), '.')[1],'.', split(parameters('subnet1StartAddress'), '.')[2],'.', string(add(int(split(parameters('subnet1StartAddress'), '.')[3]),copyIndex('externalPrivateAddresses'))))]" + }, + { + "name": 
"Vips", + "count": "[sub(variables('VIPs_Number'), 1)]", + "input": { + "name": "[concat('cluster-vip-', copyIndex('Vips', 1))]", + "properties": { + "primary": false, + "privateIPAddress": "[variables('externalPrivateAddresses')[add(copyIndex('Vips'), 3)]]", + "privateIPAllocationMethod": "Static", + "PublicIpAddress": { + "Id": "[resourceId('Microsoft.Network/publicIPAddresses', variables('Vip_Names')[copyIndex('Vips')])]" + }, + "subnet": { + "id": "[resourceId(variables('vnetRGName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnet1Name'))]" + } + } + } + }, + { + "name": "VipsInformation", + "count": "[sub(variables('VIPs_Number'), 1)]", + "input": { + "name": "[concat('cluster-vip-', copyIndex('VipsInformation', 1))]", + "privateIPAddress": "[variables('externalPrivateAddresses')[add(copyIndex('VipsInformation'), 3)]]", + "publicIPAddress": "[variables('Vip_Names')[copyIndex('VipsInformation')]]" + } + }, + { + "name": "customData", + "count": "[variables('count')]", + "input": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'tenantId=\"', subscription().tenantId, '\"', '\n', 'virtualNetwork=\"', parameters('virtualNetworkName'), '\"', '\n', 'clusterName=\"', parameters('vmName'), '\"', '\n', 'customMetrics=\"', variables('customMetrics'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n', '\n','smart1CloudToken=\"', 
variables('tokens')[copyIndex('customData')], '\"', '\n', 'Vips=\"', string(variables('VipsInformationForCloudConfig')), '\"', '\n','externalPrivateAddresses=\"', variables('externalPrivateAddresses')[2], '\"', '\n', 'passwordHash=\"', parameters('SerialConsolePasswordHash'), '\"', '\n')]" + } + ], + "DefaultVipInformation": [ + { + "name": "cluster-vip", + "privateIPAddress": "[variables('externalPrivateAddresses')[2]]", + "publicIPAddress": "[parameters('vmName')]" + } + ], + "VipsInformationForCloudConfig": "[union(variables('DefaultVipInformation'), variables('VipsInformation'))]" + }, + "resources": [ + { + "condition": "[and(equals(parameters('createNewIPPrefix'), 'yes'), equals(parameters('publicIPPrefix'), 'yes'))]", + "apiVersion": "2020-06-01", + "type": "Microsoft.Network/publicIPPrefixes", + "name": "[variables('ipPrefixNewName')]", + "location": "[variables('location')]", + "properties": { + "prefixLength": "[if(greater(variables('VIPs_Number'), 5), '28', if(greater(variables('VIPs_Number'), 1), '29', '30'))]", + "publicIPAddressVersion": "IPv4" + }, + "sku": { + "name": "Standard", + "tier": "Regional" + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/publicIPPrefixes'), parameters('tagsByResource')['Microsoft.Network/publicIPPrefixes'], json('{}')) ]" + }, + { + "apiVersion": "2020-06-01", + "name": "pid-6f13b00a-7546-4ab2-be9f-c66815cc6c8b-partnercenter", + "type": "Microsoft.Resources/deployments", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('storageAccountName')]", + "apiVersion": "2022-09-01", + "properties": { + "supportsHttpsTrafficOnly": true, + "allowBlobPublicAccess": false, + "minimumTlsVersion": "TLS1_2", + "networkAcls": { + "bypass": "None", + "defaultAction": 
"[if(parameters('addStorageAccountIpRules'), 'Deny', 'Allow')]", + "ipRules": "[if(parameters('addStorageAccountIpRules'), map(variables('storageAccountIps'), lambda('ip',createObject('action','Allow','value',lambdaVariables('ip')))), createArray())]" + } + }, + "location": "[variables('location')]", + "sku": { + "name": "[variables('storageAccountType')]" + }, + "kind": "Storage", + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Storage/storageAccounts'), parameters('tagsByResource')['Microsoft.Storage/storageAccounts'], json('{}')) ]" + }, + { + "condition": "[equals(parameters('vnetNewOrExisting'), 'new')]", + "name": "networkNewSetup", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + "value": "[variables('location')]" + }, + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + "virtualNetworkAddressPrefixes": { + "value": "[parameters('virtualNetworkAddressPrefixes')]" + }, + "subnet1Name": { + "value": "[parameters('subnet1Name')]" + }, + "subnet1Prefix": { + "value": "[parameters('subnet1Prefix')]" + }, + "subnet2Name": { + "value": "[parameters('subnet2Name')]" + }, + "subnet2Prefix": { + "value": "[parameters('subnet2Prefix')]" + }, + "deployNsg": { + "value": "[parameters('deployNewNSG')]" + }, + "NewNsgName": + { + "value":"[parameters('NewNsgName')]" + }, + "tagsByResource": { + "value": "[parameters('tagsByResource')]" + } + } + } + }, + { + "condition": "[equals(parameters('vnetNewOrExisting'), 'existing')]", + "name": "networkExistingSetup", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + "value": 
"[variables('location')]" + }, + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + "virtualNetworkExistingRGName": { + "value": "[variables('vnetRGName')]" + }, + "deployNsg": { + "value": "[parameters('deployNewNSG')]" + }, + "NewNsgName": + { + "value":"[parameters('NewNsgName')]" + }, + "tagsByResource": { + "value": "[parameters('tagsByResource')]" + } + } + } + }, + { + "type": "Microsoft.Compute/availabilitySets", + "condition": "[not(variables('useAZ'))]", + "apiVersion": "2020-06-01", + "location": "[variables('location')]", + "name": "[concat(variables('availabilitySetName'))]", + "properties": { + "platformFaultDomainCount": 2 + }, + "sku": { + "name": "Aligned" + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Compute/availabilitySets'), parameters('tagsByResource')['Microsoft.Compute/availabilitySets'], json('{}')) ]" + }, + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[variables('prefixDependsOn')]" + ], + "location": "[variables('location')]", + "name": "[variables('elbPublicIPName')]", + "sku": { + "name": "Standard" + }, + "properties": { + "idleTimeoutInMinutes": 30, + "publicIPAllocationMethod": "Static", + "dnsSettings": { + "domainNameLabel": "[concat(toLower(parameters('vmName')), '-', uniquestring(resourceGroup().id, deployment().name))]" + }, + "publicIPPrefix": "[if(equals(parameters('publicIPPrefix'), 'yes'), variables('publicIPPrefixProperty'), json('null'))]" + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/publicIPAddresses'), parameters('tagsByResource')['Microsoft.Network/publicIPAddresses'], json('{}')) ]" + }, + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[variables('prefixDependsOn')]" + ], + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), copyIndex(1))]", + "sku": { + "name": "Standard" + }, + "copy": { + 
"name": "publicAddressCopy", + "count": "[variables('count')]" + }, + "properties": { + "idleTimeoutInMinutes": 30, + "publicIPAllocationMethod": "Static", + "dnsSettings": { + "domainNameLabel": "[concat(toLower(parameters('vmName')), '-', copyIndex(1), '-', uniquestring(resourceGroup().id, deployment().name))]" + }, + "publicIPPrefix": "[if(equals(parameters('publicIPPrefix'), 'yes'), variables('publicIPPrefixProperty'), json('null'))]" + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/publicIPAddresses'), parameters('tagsByResource')['Microsoft.Network/publicIPAddresses'], json('{}')) ]" + }, + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[variables('prefixDependsOn')]" + ], + "location": "[variables('location')]", + "name": "[parameters('vmName')]", + "sku": { + "name": "Standard" + }, + "properties": { + "idleTimeoutInMinutes": 30, + "publicIPAllocationMethod": "Static", + "dnsSettings": { + "domainNameLabel": "[concat(toLower(parameters('vmName')), '-vip-', uniquestring(resourceGroup().id, deployment().name))]" + }, + "publicIPPrefix": "[if(equals(parameters('publicIPPrefix'), 'yes'), variables('publicIPPrefixProperty'), json('null'))]" + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/publicIPAddresses'), parameters('tagsByResource')['Microsoft.Network/publicIPAddresses'], json('{}')) ]" + }, + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[variables('prefixDependsOn')]" + ], + "location": "[variables('location')]", + "name": "[variables('Vip_Names')[copyIndex()]]", + "sku": { + "name": "Standard" + }, + "copy": { + "name": "publicVipCopy", + "count": "[sub(variables('VIPs_Number'), 1)]" + }, + "properties": { + "idleTimeoutInMinutes": 30, + "publicIPAllocationMethod": "Static", + "dnsSettings": { + "domainNameLabel": "[concat(toLower(parameters('vmName')), 'vip', copyIndex(1), '-', 
uniquestring(resourceGroup().id, deployment().name))]" + }, + "publicIPPrefix": "[if(equals(parameters('publicIPPrefix'), 'yes'), variables('publicIPPrefixProperty'), json('null'))]" + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/publicIPAddresses'), parameters('tagsByResource')['Microsoft.Network/publicIPAddresses'], json('{}')) ]" + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[coalesce(resourceId('Microsoft.Resources/deployments', 'networkNewSetup'), resourceId('Microsoft.Resources/deployments', 'networkExistingSetup'))]", + "[variables('elbId')]", + "[variables('gwPublicIPIds')[0]]", + "[variables('haPublicIPId')]" + ], + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), '1-', variables('nic1Name'))]", + "properties": { + "primary": true, + "enableIPForwarding": true, + "enableAcceleratedNetworking": true, + "networkSecurityGroup":"[if(parameters('deployNewNSG') , variables('NewNsgReference') , parameters('ExistingNSG'))]", + "ipConfigurations":"[union(variables('DefaultIpAddresses'),variables('Vips'))]" + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/networkInterfaces'), parameters('tagsByResource')['Microsoft.Network/networkInterfaces'], json('{}')) ]" + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[coalesce(resourceId('Microsoft.Resources/deployments', 'networkNewSetup'), resourceId('Microsoft.Resources/deployments', 'networkExistingSetup'))]", + "[variables('elbId')]", + "[variables('gwPublicIPIds')[1]]" + ], + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), '2-', variables('nic1Name'))]", + "properties": { + "primary": true, + "enableIPForwarding": true, + "enableAcceleratedNetworking": true, + "networkSecurityGroup":"[if(parameters('deployNewNSG') , variables('NewNsgReference') , parameters('ExistingNSG'))]", + 
"ipConfigurations": [ + { + "name": "member-ip", + "properties": { + "primary": true, + "privateIPAddress": "[variables('externalPrivateAddresses')[1]]", + "privateIPAllocationMethod": "Static", + "PublicIpAddress": { + "Id": "[variables('gwPublicIPIds')[1]]" + }, + "subnet": { + "id": "[resourceId(variables('vnetRGName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnet1Name'))]" + }, + "loadBalancerBackendAddressPools": [ + { + "id": "[variables('elbBEAddressPoolID')]" + } + ] + } + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/networkInterfaces'), parameters('tagsByResource')['Microsoft.Network/networkInterfaces'], json('{}')) ]" + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[coalesce(resourceId('Microsoft.Resources/deployments', 'networkNewSetup'), resourceId('Microsoft.Resources/deployments', 'networkExistingSetup'))]", + "[variables('ilbId')]" + ], + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), copyIndex(1), '-', variables('nic2Name'))]", + "copy": { + "name": "internalNicCopy", + "count": "[variables('count')]" + }, + "properties": { + "primary": false, + "enableIPForwarding": true, + "enableAcceleratedNetworking": true, + "ipConfigurations": [ + { + "name": "member-ip", + "properties": { + "primary": true, + "privateIPAddress": "[variables('subnet2PrivateAddresses')[copyIndex()]]", + "privateIPAllocationMethod": "Static", + "subnet": { + "id": "[resourceId(variables('vnetRGName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnet2Name'))]" + }, + "loadBalancerBackendAddressPools": [ + { + "id": "[variables('ilbBEAddressPoolID')]" + } + ] + } + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/networkInterfaces'), parameters('tagsByResource')['Microsoft.Network/networkInterfaces'], json('{}')) 
]" + }, + { + "condition": "[not(equals(parameters('sourceImageVhdUri'), 'noCustomUri'))]", + "type": "Microsoft.Compute/images", + "apiVersion": "2020-06-01", + "name": "[variables('customImage')]", + "location": "[variables('location')]", + "properties": { + "storageProfile": { + "osDisk": { + "osType": "Linux", + "osState": "Generalized", + "blobUri": "[parameters('sourceImageVhdUri')]", + "storageAccountType": "Standard_LRS" + } + }, + "hyperVGeneration": "V1" + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Compute/images'), parameters('tagsByResource')['Microsoft.Compute/images'], json('{}')) ]" + }, + { + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2022-11-01", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]", + "[resourceId('Microsoft.Compute/availabilitySets', variables('availabilitySetName'))]", + "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), copyIndex(1), '-', variables('nic1Name')))]", + "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), copyIndex(1), '-', variables('nic2Name')))]", + "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + ], + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), copyIndex(1))]", + "zones": "[if(variables('useAZ'), array(copyIndex(1)), json('null'))]", + "copy": { + "name": "virtualMachineCopy", + "count": "[variables('count')]" + }, + "plan": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('plan'), json('null'))]", + "identity": "[if(equals(parameters('managedSystemAssigned'), 'yes'), variables('identity'), json('null'))]", + "properties": { + "UserData": "[base64(concat(variables('customData')[copyIndex()], 'vnet=\"', if(equals(parameters('vnetNewOrExisting'), 'new'), reference('networkNewSetup').outputs.vnetAddressPrefixes.value[0], 
reference('networkExistingSetup').outputs.vnetAddressPrefixes.value[0]), '\"', '\n'))]", + "availabilitySet": "[if(not(variables('useAZ')), variables('availabilitySetProperty'), json('null'))]", + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": "true", + "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2022-09-01').primaryEndpoints.blob]" + } + }, + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), copyIndex(1), '-', variables('nic1Name')))]", + "properties": { + "primary": true + } + }, + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), copyIndex(1), '-', variables('nic2Name')))]", + "properties": { + "primary": false + } + } + ] + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "[concat('not','used')]", + "computername": "[concat(toLower(parameters('vmName')), copyIndex(1))]", + "customData": "[base64(concat(variables('customData')[copyIndex()], 'vnet=\"', if(equals(parameters('vnetNewOrExisting'), 'new'), reference('networkNewSetup').outputs.vnetAddressPrefixes.value[0], reference('networkExistingSetup').outputs.vnetAddressPrefixes.value[0]), '\"', '\n'))]", + "linuxConfiguration": "[variables('linuxConfiguration')]" + }, + "storageProfile": { + "imageReference": "[variables('imageReference')]", + "osDisk": { + "caching": "ReadWrite", + "createOption": "FromImage", + "diskSizeGB": "[variables('diskSizeGB')]", + "name": "[concat(parameters('vmName'), copyIndex(1))]", + "managedDisk": { + "storageAccountType": "[parameters('diskType')]" + } + } + } + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Compute/virtualMachines'), parameters('tagsByResource')['Microsoft.Compute/virtualMachines'], json('{}')) ]" + }, + { + "type": 
"Microsoft.Network/loadBalancers", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[variables('elbPublicIPId')]" + ], + "name": "[variables('elbName')]", + "location": "[variables('location')]", + "sku": { + "name": "Standard" + }, + "properties": { + "frontendIPConfigurations": [ + { + "name": "LoadBalancerFrontend", + "properties": { + "publicIPAddress": { + "id": "[variables('elbPublicIPId')]", + "publicIPPrefix": { + "id": "[if(equals(parameters('publicIPPrefix'), 'yes'), variables('usepublicIPPrefix'), json('null'))]" + } + } + } + } + ], + "backendAddressPools": [ + { + "name": "[variables('elbBEAddressPool')]" + } + ], + "probes": [ + { + "name": "[variables('appProbeName')]", + "properties": { + "protocol": "tcp", + "port": 8117, + "intervalInSeconds": 5, + "numberOfProbes": 2 + } + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/loadBalancers'), parameters('tagsByResource')['Microsoft.Network/loadBalancers'], json('{}')) ]" + }, + { + "condition": "[equals(parameters('managedSystemAssigned'), 'yes')]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[guid(resourceGroup().id, concat(parameters('vmName'), copyIndex(1)))]", + "copy": { + "name": "virtualMachineCopy", + "count": "[mul(length(variables('roleDefinitionIds')), variables('count'))]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), if(equals(mod(copyIndex(1), 2), 1), '1', '2')))]" + ], + "properties": { + "roleDefinitionId": "[variables('roleDefinitionIds')[if(greater(copyIndex(1), 2), 1, 0)]]", + "scope": "[resourceGroup().id]", + "principalId": "[reference(resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), if(equals(mod(copyIndex(1), 2), 1), '1', '2'))), '2022-11-01', 'Full').identity.principalId]" + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Authorization/roleAssignments'), 
parameters('tagsByResource')['Microsoft.Authorization/roleAssignments'], json('{}')) ]" + }, + { + "condition": "[and(equals(parameters('managedSystemAssigned'), 'yes'), not(parameters('deployNewNSG')))]", + "dependsOn": ["[resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), '1'))]"], + "name": "[concat('ExistingNsgRoleAssignment', copyIndex())]", + "copy": { + "name": "ExistingNsgRoleAssignmentCopy", + "count": "[length(variables('roleDefinitionIds'))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "resourceGroup": "[if(not(parameters('deployNewNSG')), split(parameters('ExistingNSG').id, '/')[4], '')]", + "subscriptionId": "[subscription().subscriptionId]", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('ExsitingNsgRoleAssignmentURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "ExistingNSG": { + "value": "[parameters('ExistingNSG')]" + }, + "vmName": { + "value": "[parameters('vmName')]" + }, + "roleDefinitionId": { + "value": "[variables('roleDefinitionIds')[copyIndex()]]" + }, + "principalId1": { + "value": "[reference(resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), '1')), '2022-11-01', 'Full').identity.principalId]" + }, + "principalId2": { + "value": "[reference(resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), '2')), '2022-11-01', 'Full').identity.principalId]" + }, + "index": { + "value": "[copyIndex()]" + } + } + } + }, + { + "type": "Microsoft.Network/loadBalancers", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[coalesce(resourceId('Microsoft.Resources/deployments', 'networkNewSetup'), resourceId('Microsoft.Resources/deployments', 'networkExistingSetup'))]" + ], + "name": "[variables('ilbName')]", + "location": "[variables('location')]", + "sku": { + "name": "Standard" + }, + "properties": { + "frontendIPConfigurations": [ + { + "name": "[variables('ilbName')]", + "properties": { + 
"privateIPAllocationMethod": "Static",
+ "privateIPAddress": "[variables('internalLBPrivateIPAddress')]",
+ "subnet": {
+ "id": "[resourceId(variables('vnetRGName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnet2Name'))]"
+ }
+ }
+ }
+ ],
+ "backendAddressPools": [
+ {
+ "name": "[variables('ilbBEAddressPool')]"
+ }
+ ],
+ "loadBalancingRules": [
+ {
+ "name": "[variables('ilbName')]",
+ "properties": {
+ "frontendIPConfiguration": {
+ "id": "[variables('ilbFEIPConfigID')]"
+ },
+ "backendAddressPool": {
+ "id": "[variables('ilbBEAddressPoolID')]"
+ },
+ "probe": {
+ "id": "[variables('ilbProbeID')]"
+ },
+ "protocol": "All",
+ "frontendPort": 0,
+ "backendPort": 0,
+ "loadDistribution": "Default",
+ "enableFloatingIP": "[variables('enableFloatingIP')]"
+ }
+ }
+ ],
+ "probes": [
+ {
+ "name": "[variables('ilbProbeName')]",
+ "properties": {
+ "protocol": "tcp",
+ "port": 8117,
+ "intervalInSeconds": 5,
+ "numberOfProbes": 2
+ }
+ }
+ ]
+ },
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/loadBalancers'), parameters('tagsByResource')['Microsoft.Network/loadBalancers'], json('{}')) ]"
+ }
+ ],
+ "outputs": {
+ "HaIPAddr": {
+ "type": "string",
+ "value": "[reference(variables('haPublicIPId')).IpAddress]"
+ },
+ "HaFQDN": {
+ "type": "string",
+ "value": "[reference(variables('haPublicIPId')).dnsSettings.fqdn]"
+ },
+ "Member1IPAddr": {
+ "type": "string",
+ "value": "[reference(variables('gwPublicIPIds')[0]).IpAddress]"
+ },
+ "Member1FQDN": {
+ "type": "string",
+ "value": "[reference(variables('gwPublicIPIds')[0]).dnsSettings.fqdn]"
+ },
+ "Member2IPAddr": {
+ "type": "string",
+ "value": "[reference(variables('gwPublicIPIds')[1]).IpAddress]"
+ },
+ "Member2FQDN": {
+ "type": "string",
+ "value": "[reference(variables('gwPublicIPIds')[1]).dnsSettings.fqdn]"
+ }
+ }
+}
diff --git a/deprecated/azure/templates/R8040-R81/mds-r8040-r81/README.md b/deprecated/azure/templates/R8040-R81/mds-r8040-r81/README.md
new file mode 100644
index 00000000..83bf14c5
--- /dev/null
+++ b/deprecated/azure/templates/R8040-R81/mds-r8040-r81/README.md
@@ -0,0 +1,21 @@
+# Check Point CloudGuard Network Security MDS for Azure
+
+Check Point CloudGuard Network Security delivers advanced, multi-layered threat prevention to protect customer assets in Azure from malware and sophisticated threats. As a Microsoft Azure certified solution, CloudGuard Network Security enables you to easily and seamlessly secure your workloads while providing secure connectivity across your cloud and on-premises environments.
+
+Benefits:
+
+· Advanced threat prevention and traffic inspection
+
+· Integrated with Azure Security Center and Azure Sentinel
+
+· Provides consistent security policy management, enforcement, and reporting with a single pane of glass, using Check Point Unified Security Management
+
+
+
+ Deploy to Azure
+
+
+
+To deploy with full control over all the template options use: [Full Control Deployment](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2Fazure%2Ftemplates%2Fmarketplace-mds%2FmainTemplate.json)
+
+
diff --git a/deprecated/azure/templates/R8040-R81/mds-r8040-r81/createUiDefinition.json b/deprecated/azure/templates/R8040-R81/mds-r8040-r81/createUiDefinition.json
new file mode 100644
index 00000000..cb81c79e
--- /dev/null
+++ b/deprecated/azure/templates/R8040-R81/mds-r8040-r81/createUiDefinition.json
@@ -0,0 +1,589 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Compute.MultiVm",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "basics": [
+ {
+ "name": "CloudGuard MDS deployment guide",
+ "type": "Microsoft.Common.TextBlock",
+ "visible": true,
+ "options": {
+ "text": "Please follow the Check Point MDS Deployment for Azure.",
+ "link": {
+ "label": "MDS Deployment Guide",
+ "uri": "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk154436&partition=Basic&product=CloudGuard"
+ }
+ }
+ },
+ {
+ "name": "gatewayNameUi",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Server Name",
+ "toolTip": "The name of the Check Point Multi-Domain Server.",
+ "constraints": {
+ "required": true,
+ "regex": "^[a-z0-9A-Z]{1,30}$",
+ "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long."
+ }
+ },
+ {
+ "name": "auth",
+ "type": "Microsoft.Compute.CredentialsCombo",
+ "label": {
+ "authenticationType": "Authentication type",
+ "password": "Password",
+ "confirmPassword": "Confirm password",
+ "sshPublicKey": "SSH public key"
+ },
+ "toolTip": {
+ "password": "The user 'admin' password",
+ "sshPublicKey": "Paste an OpenSSH public key. 
You can generate a key pair using ssh-keygen (Linux, OS X, Cygwin) or PuttyGen (Windows)" + }, + "constraints": { + "required": true + }, + "options": { + "hideConfirmation": false, + "hidePassword": false + }, + "osPlatform": "Linux" + } + ], + "steps": [ + { + "name": "chkp", + "label": "Check Point Multi-Domain Server settings", + "subLabel": { + "preValidation": "Configure additional settings", + "postValidation": "Done" + }, + "bladeTitle": "Multi-Domain Server settings", + "elements": [ + { + "name": "cloudGuardVersion", + "type": "Microsoft.Common.DropDown", + "label": "Check Point CloudGuard version", + "defaultValue": "R81", + "toolTip": "The version of Check Point CloudGuard.", + "constraints": { + "allowedValues": [ + { + "label": "R80.40", + "value": "R80.40" + }, + { + "label": "R81", + "value": "R81" + } + ] + } + }, + { + "name": "R80Offer", + "type": "Microsoft.Common.DropDown", + "label": "License type", + "toolTip": "The type of license.", + "defaultValue": "Bring Your Own License", + "visible": true, + "constraints": { + "allowedValues": [ + { + "label": "Bring Your Own License", + "value": "Bring Your Own License" + } + ] + } + }, + { + "name": "R8040vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.40'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size. 
Minimum of 16 cores and 64 GB RAM is required.", + "recommendedSizes": [ + "Standard_DS5_v2", + "Standard_DS15_v2" + ], + "constraints": { + "excludedSizes": [ + "Standard_A1_v2", + "Standard_D1_v2", + "Standard_DS1_v2", + "Standard_F1", + "Standard_F1s", + "Standard_G1", + "Standard_GS1" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8040", + "sku": "mgmt-byol" + }, + "count": 1 + }, + { + "name": "R81vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size. Minimum of 16 cores and 64 GB RAM is required.", + "recommendedSizes": [ + "Standard_DS5_v2", + "Standard_DS15_v2" + ], + "constraints": { + "excludedSizes": [ + "Standard_A1_v2", + "Standard_D1_v2", + "Standard_DS1_v2", + "Standard_F1", + "Standard_F1s", + "Standard_G1", + "Standard_GS1" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r81", + "sku": "mgmt-byol" + }, + "count": 1 + }, + { + "name": "installationType", + "type": "Microsoft.Common.DropDown", + "label": "Installation type", + "defaultValue": "Primary Multi-Domain Server", + "toolTip": "Select the type of deployment", + "constraints": { + "allowedValues": [ + { + "label": "Primary Multi-Domain Server", + "value": "mds-primary" + }, + { + "label": "Secondary Multi-Domain Server", + "value": "mds-secondary" + }, + { + "label": "Multi-Domain Log Server", + "value": "mds-logserver" + } + ] + } + }, + { + "name": "SerialPasswordInfoBox", + "type": "Microsoft.Common.InfoBox", + "visible": "[bool(basics('auth').sshPublicKey)]", + "options": { + "icon": "Info", + "text": "Check Point recommends setting serial console password and maintenance-mode password for recovery purposes. 
For R81.10 and below the serial console password is used also as maintenance-mode password" + } + }, + { + "visible": "[bool(basics('auth').sshPublicKey)]", + "name": "EnableSerialConsolePassword", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Serial console password", + "defaultValue": "Yes", + "toolTip": "A unique password hash to enable VM connection via serial console.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": true + }, + { + "label": "No", + "value": false + } + ] + } + }, + { + "name": "AdditionalPassword", + "type": "Microsoft.Common.PasswordBox", + "toolTip": "Serial console password hash, used to enable password authentication (using serial console). To generate password hash use the command 'openssl passwd -6 PASSWORD'", + "visible": "[and(bool(basics('auth').sshPublicKey), steps('chkp').EnableSerialConsolePassword)]", + "label": { + "password": "Password hash", + "confirmPassword": "Confirm password" + }, + "constraints": { + "required": true, + "regex": "^.{12,300}$", + "validationMessage": "The value must be the output of the hash command." 
+ }, + "options": { + "hideConfirmation": false + } + }, + { + "name": "adminShell", + "type": "Microsoft.Common.DropDown", + "label": "Default shell for the admin user", + "defaultValue": "/etc/cli.sh", + "toolTip": "The default shell for the admin user", + "constraints": { + "allowedValues": [ + { + "label": "/etc/cli.sh", + "value": "/etc/cli.sh" + }, + { + "label": "/bin/bash", + "value": "/bin/bash" + }, + { + "label": "/bin/csh", + "value": "/bin/csh" + }, + { + "label": "/bin/tcsh", + "value": "/bin/tcsh" + } + ] + } + }, + { + "name": "managementGUIClientNetwork", + "type": "Microsoft.Common.TextBox", + "label": "Allowed GUI clients", + "toolTip": "GUI clients network CIDR", + "constraints": { + "required": true, + "regex": "(^0\\.0\\.0\\.0\\/0$)|(^(?!0\\.0\\.0\\.0$)(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/32)?$)", + "validationMessage": "Enter a valid IPv4 network CIDR (only 0.0.0.0/0, X.X.X.X/32 or X.X.X.X are acceptable)" + }, + "visible": true + }, + { + "name": "sicKeyUi", + "type": "Microsoft.Common.PasswordBox", + "label": { + "password": "SIC key", + "confirmPassword": "Confirm SIC key" + }, + "toolTip": "Set the Secure Internal Communication one time secret used to set up trust between the primary and secondary servers. SIC key must be provided if installing a secondary Multi-Domain Server.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{12,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the value must be 12-30 characters long." 
+ }, + "options": { + "hideConfirmation": false + }, + "visible": "[not(equals(steps('chkp').installationType, 'mds-primary'))]" + }, + { + "name": "bootstrapScript", + "type": "Microsoft.Common.FileUpload", + "label": "Bootstrap script", + "toolTip": "An optional script to run on the initial boot", + "constraints": { + "required": false, + "accept": ".sh,text/plain" + }, + "options": { + "multiple": false, + "uploadMode": "file", + "openMode": "text", + "encoding": "UTF-8" + } + }, + { + "name": "allowUploadDownload", + "type": "Microsoft.Common.OptionsGroup", + "label": "Automatically download updates and share statistical data for product improvement purpose", + "defaultValue": "Yes", + "toolTip": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "true" + }, + { + "label": "No", + "value": "false" + } + ] + } + }, + { + "name": "basics settings text block", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "Please follow the Check Point referenced guide for adding disk space.", + "link": { + "label": "Additional disk space in CloudGuard", + "uri": "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk156552" + } + } + }, + { + "name": "additionalDiskSizeGB", + "type": "Microsoft.Common.TextBox", + "label": "Additional disk space (GB)", + "defaultValue": "0", + "toolTip": "Additional disk space (in GB), initial disk size is 100 GB.", + "constraints": { + "regex": "^([0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-2][0-9][0-9][0-9]|3[0-8][0-9][0-9]|399[0-5])$", + "validationMessage": "Select a number between 0 and 3995" + } + }, + { + "name": "VMDiskType", + "type": "Microsoft.Common.OptionsGroup", + "label": "VM disk type", + "toolTip": "Type of CloudGuard disk.", + "visible": "[not(contains('R80.40 R81' , 
steps('chkp').cloudGuardVersion))]", + "defaultValue": "Premium", + "constraints": { + "allowedValues": [ + { + "label": "Standard", + "value": "Standard_LRS" + }, + { + "label": "Premium", + "value": "Premium_LRS" + } + ] + } + }, + { + "name": "VMDiskTypeOldVersions", + "type": "Microsoft.Common.OptionsGroup", + "label": "VM disk type", + "toolTip": "Type of CloudGuard disk.", + "visible": "[contains('R80.40 R81' , steps('chkp').cloudGuardVersion)]", + "defaultValue": "Standard", + "constraints": { + "allowedValues": [ + { + "label": "Standard", + "value": "Standard_LRS" + }, + { + "label": "Premium", + "value": "Premium_LRS" + } + ] + } + }, + { + "name": "useCustomImageUri", + "type": "Microsoft.Common.OptionsGroup", + "label": "Use custom image uri", + "defaultValue": "No", + "toolTip": "Use custom image URI.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ], + "required": true + }, + "visible": false + }, + { + "name": "sourceImageVhdUri", + "type": "Microsoft.Common.TextBox", + "label": "Development Image URI", + "toolTip": "The URI of the blob containing the development image", + "constraints": { + "required": "[equals(steps('chkp').useCustomImageUri, 'Yes')]", + "regex": "^[a-z0-9A-Z_\\-\\.\\:\\/]{1,500}.vhd$", + "validationMessage": "Only alphanumeric characters and '_','-','.',':','/' are allowed, the value must be 1-500 characters long and must end with .vhd. 
" + }, + "visible": "[equals(steps('chkp').useCustomImageUri, 'Yes')]" + } + ] + }, + { + "name": "network", + "label": "Network settings", + "subLabel": { + "preValidation": "Configure network settings", + "postValidation": "Done" + }, + "bladeTitle": "Network settings", + "elements": [ + { + "name": "virtualNetwork", + "type": "Microsoft.Network.VirtualNetworkCombo", + "label": { + "virtualNetwork": "Virtual network", + "subnets": "Subnet" + }, + "toolTip": { + "virtualNetwork": "Virtual Network Name", + "subnets": "The subnet to deploy into" + }, + "defaultValue": { + "name": "vnet01", + "addressPrefixSize": "/20" + }, + "constraints": { + "minAddressPrefixSize": "/29" + }, + "options": { + "hideExisting": false + }, + "subnets": { + "subnet1": { + "label": "Multi-Domain Server subnet", + "defaultValue": { + "name": "Multi-Domain-Server", + "addressPrefixSize": "/24" + }, + "constraints": { + "minAddressPrefixSize": "/29", + "minAddressCount": 1, + "requireContiguousAddresses": true + } + } + } + }, + { + "name": "NSG", + "type": "Microsoft.Common.OptionsGroup", + "label": "Network Security Group", + "toolTip": "Choose between using an existing NSG or using a new NSG", + "constraints": { + "allowedValues": [ + { + "label": "Create new", + "value": true + }, + { + "label": "Existing NSG", + "value": false + } + ], + "required": true + }, + "visible": true + }, + { + "name": "nsgSelector", + "type": "Microsoft.Solutions.ResourceSelector", + "label": "Network Security Group", + "defaultValue": "null", + "toolTip": "Choose an existing NSG", + "resourceType": "Microsoft.Network/NetworkSecurityGroups", + "options": { + "filter": { + "subscription": "onBasics", + "location": "onBasics" + } + }, + "constraints": { + "required": true + }, + "visible": "[equals(steps('network').NSG, false)]" + }, + { + "name": "NSGName", + "type": "Microsoft.Common.TextBox", + "label": "Name", + "defaultValue": "[concat(basics('gatewayNameUi') , '-nsg')]", + "toolTip": "Insert Name for 
the new NSG", + "multiLine": false, + "constraints": { + "required": "[steps('network').NSG]", + "regex": "^[a-z0-9A-Z-]{1,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + }, + "visible": "[steps('network').NSG]" + }, + { + "name": "addStorageAccountIpRules", + "type": "Microsoft.Common.OptionsGroup", + "defaultValue": "Network access from all networks", + "label": "Storage Account Network Access", + "toolTip": "Select your preferred network access to the Storage Account, for more information - https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#serial-console-security", + "constraints": { + "allowedValues": [ + { + "label": "Network access from all networks", + "value": false + }, + { + "label": "Network access only from Serial Console", + "value": true + } + ], + "required": true + }, + "visible": true + } + ] + }, + { + "name": "tags", + "label": "Tags", + "elements": [ + { + "name": "tagsByResource", + "type": "Microsoft.Common.TagsByResource", + "toolTip": "Create Azure tags for the new resources", + "resources": [ + "Microsoft.Storage/storageAccounts", + "Microsoft.Network/publicIPAddresses", + "Microsoft.Network/networkSecurityGroups", + "Microsoft.Network/networkInterfaces", + "Microsoft.Compute/virtualMachines", + "Microsoft.Network/routeTables", + "Microsoft.Network/virtualNetworks" + ] + } + ] + } + ], + "outputs": { + "location": "[location()]", + "cloudGuardVersion": "[concat(steps('chkp').cloudGuardVersion, ' - ', coalesce(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "adminPassword": "[basics('auth').password]", + "authenticationType": "[basics('auth').authenticationType]", + "sshPublicKey": "[basics('auth').sshPublicKey]", + "vmName": "[basics('gatewayNameUi')]", + "vmSize": "[coalesce(steps('chkp').R8040vmSizeUiBYOL, steps('chkp').R81vmSizeUiBYOL)]", + "virtualNetworkName": "[steps('network').virtualNetwork.name]", + 
"virtualNetworkAddressPrefix": "[steps('network').virtualNetwork.addressPrefix]", + "Subnet1Name": "[steps('network').virtualNetwork.subnets.subnet1.name]", + "Subnet1Prefix": "[steps('network').virtualNetwork.subnets.subnet1.addressPrefix]", + "Subnet1StartAddress": "[steps('network').virtualNetwork.subnets.subnet1.startAddress]", + "vnetNewOrExisting": "[steps('network').virtualNetwork.newOrExisting]", + "virtualNetworkExistingRGName": "[steps('network').virtualNetwork.resourceGroup]", + "managementGUIClientNetwork": "[if(contains(steps('chkp').managementGUIClientNetwork, '/'), steps('chkp').managementGUIClientNetwork, concat(steps('chkp').managementGUIClientNetwork, '/32'))]", + "sicKey": "[coalesce(steps('chkp').sicKeyUi, 'notused')]", + "installationType": "[steps('chkp').installationType]", + "bootstrapScript": "[steps('chkp').bootstrapScript]", + "allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp').allowUploadDownload, 'true')]", + "additionalDiskSizeGB": "[int(steps('chkp').additionalDiskSizeGB)]", + "diskType": "[if(contains('R80.40 R81' , steps('chkp').cloudGuardVersion) , steps('chkp').VMDiskTypeOldVersions , steps('chkp').VMDiskType)]", + "sourceImageVhdUri": "[coalesce(steps('chkp').sourceImageVhdUri, 'noCustomUri')]", + "adminShell": "[steps('chkp').adminShell]", + "tagsByResource": "[steps('tags').tagsByResource]", + "deployNewNSG": "[steps('network').NSG]", + "ExistingNSG": "[steps('network').nsgSelector]", + "NewNsgName": "[steps('network').NSGName]", + "addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]", + "SerialConsolePasswordHash": "[steps('chkp').AdditionalPassword]" + } + } +} \ No newline at end of file diff --git a/deprecated/azure/templates/R8040-R81/mds-r8040-r81/mainTemplate.json b/deprecated/azure/templates/R8040-R81/mds-r8040-r81/mainTemplate.json new file mode 100644 index 00000000..c9800935 --- /dev/null +++ b/deprecated/azure/templates/R8040-R81/mds-r8040-r81/mainTemplate.json 
@@ -0,0 +1,746 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string", + "metadata": { + "description": "Deployment location" + }, + "defaultValue": "[resourceGroup().location]" + }, + "cloudGuardVersion": { + "type": "string", + "allowedValues": [ + "R80.40 - Bring Your Own License", + "R81 - Bring Your Own License", + ], + "defaultValue": "R81.20 - Bring Your Own License", + "metadata": { + "description": "Version of Check Point CloudGuard" + } + }, + "authenticationType": { + "type": "string", + "allowedValues": [ + "password", + "sshPublicKey" + ], + "defaultValue": "password", + "metadata": { + "description": "Authentication type" + } + }, + "sshPublicKey": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Administrator SSH public key" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Administrator password" + }, + "defaultValue": "" + }, + "SerialConsolePasswordHash": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "Description": "Optional parameter, used to enable serial console connection in case of SSH key as authentication type" + } + }, + "vmName": { + "type": "string", + "metadata": { + "description": "The name of the Check Point Multi-Domain Server." 
+ } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_DS5_v2", + "metadata": { + "description": "Size of the VM" + } + }, + "adminShell": { + "type": "string", + "defaultValue": "/etc/cli.sh", + "allowedValues": [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh" + ], + "metadata": { + "Description": "The default shell for the admin user" + } + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "vnet01" + }, + "virtualNetworkAddressPrefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the virtual network" + }, + "defaultValue": "10.0.0.0/16" + }, + "Subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the subnet" + }, + "defaultValue": "Multi-Domain-Server" + }, + "Subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "Subnet1StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the subnet" + }, + "defaultValue": "10.0.1.10" + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "new", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "[resourceGroup().name]" + }, + "managementGUIClientNetwork": { + "type": "string", + "metadata": { + "description": "Allowed GUI clients" + }, + "defaultValue": "0.0.0.0/0" + }, + "sicKey": { + "type": "securestring", + "metadata": { + "description": "One time key for Secure Internal Communication" + } + }, + "installationType": { + "type": "string", + "metadata": { + "description": "Installation Type" + }, + "defaultValue": "mds-primary", + 
"allowedValues": [ + "mds-primary", + "mds-secondary", + "mds-logserver" + ] + }, + "bootstrapScript": { + "type": "string", + "metadata": { + "description": "Bootstrap script" + }, + "defaultValue": "" + }, + "allowDownloadFromUploadToCheckPoint": { + "type": "string", + "allowedValues": [ + "true", + "false" + ], + "defaultValue": "true", + "metadata": { + "description": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + } + }, + "additionalDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "metadata": { + "description": "Amount of additional disk space (in GB)" + }, + "minValue": 0, + "maxValue": 3995 + }, + "diskType": { + "type": "string", + "defaultValue": "Standard_LRS", + "metadata": { + "description": "The type of the OS disk. Premium is applicable only to DS machine sizes" + }, + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ] + }, + "msi": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Configure managed service identity for the VM" + } + }, + "sourceImageVhdUri": { + "type": "string", + "defaultValue": "noCustomUri", + "metadata": { + "description": "The URI of the blob containing the development image" + } + }, + "_artifactsLocation": { + "type": "string", + "metadata": { + "description": "Use the following URI when deploying a custom template: https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/" + }, + "defaultValue": "[deployment().properties.templateLink.uri]" + }, + "_artifactsLocationSasToken": { + "type": "securestring", + "metadata": { + "description": "The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. Use the defaultValue if the staging location is not secured." 
+ }, + "defaultValue": "" + }, + "tagsByResource": { + "type": "object", + "defaultValue": {} + }, + "deployNewNSG": { + "type": "bool", + "defaultValue": true + }, + "ExistingNSG": { + "type": "object", + "defaultValue": {} + }, + "NewNsgName": { + "type": "string", + "defaultValue": "[concat(parameters('vmName'),'-nsg')]" + }, + "addStorageAccountIpRules": { + "type": "bool", + "metadata": { + "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled" + }, + "defaultValue" : false + }, + "storageAccountAdditionalIps":{ + "type": "array", + "metadata": { + "description": "IPs/CIDRs that are allowed access to the Storage Account" + }, + "defaultValue" : [] + } + + }, + "variables": { + "templateName": "mds", + "templateVersion": "20230910", + "location": "[parameters('location')]", + "offers": { + "R80.40 - Bring Your Own License": "BYOL", + "R81 - Bring Your Own License": "BYOL" + }, + "offer": "[variables('offers')[parameters('cloudGuardVersion')]]", + "osVersions": { + "R80.40 - Bring Your Own License": "R8040", + "R81 - Bring Your Own License": "R81" + }, + "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", + "serialConsoleGeographies": { + "astasia" : ["20.205.69.28"], + "southeastasia" : ["20.205.69.28", "20.195.85.180"], + "eastasia" : ["20.195.85.180"], + "australiacentral" : ["20.53.53.224", "20.70.222.112"], + "australiacentral2" : ["20.53.53.224", "20.70.222.112"], + "australiaeast" : ["20.53.53.224", "20.70.222.112"], + "australiasoutheast" : ["20.53.53.224", "20.70.222.112"], + "brazilsouth" : ["91.234.136.63", "20.206.0.194"], + "brazilsoutheast" : ["91.234.136.63", "20.206.0.194"], + "canadacentral" : ["52.228.86.177", "52.242.40.90"], + "canadaeast" : ["52.228.86.177", 
"52.242.40.90"], + "northeurope" : ["52.146.139.220", "20.105.209.72"], + "westeurope" : ["52.146.139.220", "20.105.209.72"], + "francecentral" : ["20.111.0.244", "52.136.191.10"], + "francesouth" : ["20.111.0.244", "52.136.191.10"], + "germanynorth" : ["51.116.75.88", "20.52.95.48"], + "germanywestcentral" : ["51.116.75.88", "20.52.95.48"], + "centralindia" : ["20.192.168.150", "20.192.153.104"], + "southindia" : ["20.192.168.150", "20.192.153.104"], + "westindia" : ["20.192.168.150", "20.192.153.104"], + "japaneast" : ["20.43.70.205", "20.189.228.222"], + "japanwest" : ["20.43.70.205", "20.189.228.222"], + "koreacentral" : ["20.200.196.96", "52.147.119.29"], + "koreasouth" : ["20.200.196.96", "52.147.119.29"], + "norwaywest" : ["20.100.1.184", "51.13.138.76"], + "norwayeast" : ["20.100.1.184", "51.13.138.76"], + "switzerlandnorth" : ["20.208.4.98", "51.107.251.190"], + "switzerlandwest" : ["20.208.4.98", "51.107.251.190"], + "uaecentral" : ["20.45.95.66", "20.38.141.5"], + "uaenorth" : ["20.45.95.66", "20.38.141.5"], + "uksouth" : ["20.90.132.144", "20.58.68.62"], + "ukwest" : ["20.90.132.144", "20.58.68.62"], + "swedencentral" : ["51.12.72.223", "51.12.22.174"], + "swedensouth" : ["51.12.72.223", "51.12.22.174"], + "centralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "eastus2" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "eastus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "northcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "southcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus2" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus3" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "eastus2euap" : 
["20.45.242.18", "20.51.21.252"], + "centraluseuap" : ["20.45.242.18", "20.51.21.252"] + }, + "serialConsoleIps": "[if(contains(variables('serialConsoleGeographies'),variables('location')),variables('serialConsoleGeographies')[variables('location')],createArray())]", + "storageAccountIps" : "[concat(variables('SerialConsoleIps'),parameters('storageAccountAdditionalIps'))]", + "isBlink": "[bool('false')]", + "primary": "[equals(parameters('installationType'), 'mds-primary')]", + "secondary": "[equals(parameters('installationType'), 'mds-secondary')]", + "logserver": "[equals(parameters('installationType'), 'mds-logserver')]", + "storageAccountName": "[concat('bootdiag', uniqueString(resourceGroup().id, deployment().name))]", + "storageAccountType": "Standard_LRS", + "diskSize100GB": 100, + "diskSizeGB": "[add(parameters('additionalDiskSizeGB'), variables('diskSize100GB'))]", + "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', parameters('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'managementGUIClientNetwork=\"', variables('managementGUIClientNetwork'), '\"', '\n', 'sicKey=\"', parameters('sicKey'), '\"', '\n', 'primary=\"', variables('primary'), '\"', '\n', 'secondary=\"', variables('secondary'), '\"', '\n', 'logserver=\"', variables('logserver'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n', 'passwordHash=\"', parameters('SerialConsolePasswordHash'), '\"', '\n')]", + "customData64": "[base64(variables('customData'))]", + "imageOffer": "[concat('check-point-cg-', toLower(variables('osVersion')))]", + 
"imagePublisher": "checkpoint", + "imageReferenceBYOL": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "mgmt-byol", + "version": "latest" + }, + "imageReferenceMarketplace": "[variables('imageReferenceBYOL')]", + "customImage": "customImage", + "imageReferenceCustomUri": { + "id": "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + }, + "imageReference": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('imageReferenceMarketplace'), variables('imageReferenceCustomUri'))]", + "nic1Name": "[concat(parameters('vmName'), '-eth0')]", + "linuxConfigurationpassword": { + "disablePasswordAuthentication": "false" + }, + "linuxConfigurationsshPublicKey": { + "disablePasswordAuthentication": "true", + "ssh": { + "publicKeys": [ + { + "keyData": "[parameters('sshPublicKey')]", + "path": "/home/notused/.ssh/authorized_keys" + } + ] + } + }, + "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), variables('linuxConfigurationpassword'), variables('linuxConfigurationsshPublicKey'))]", + "planBYOL": { + "name": "mgmt-byol", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "plan": "[if(equals(variables('offer'), 'BYOL'), variables('planBYOL'), variables('planBYOL'))]", + "identity": "[if(parameters('msi'), json('{\"type\": \"SystemAssigned\"}'), json('null'))]", + "publicIPAddressName": "[parameters('vmName')]", + "publicIPAddressId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName'))]", + "bootstrapScript64": "[base64(parameters('bootstrapScript'))]", + "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]", + "_artifactsLocation": 
"[if(contains(parameters('_artifactsLocation'),'raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/marketplace'),'https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/',parameters('_artifactsLocation'))]", + "networkSetupURL": "[uri(variables('_artifactsLocation'), concat('nestedtemplates/vnet-1-subnet-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]", + "managementGUIClientNetwork": "[parameters('managementGUIClientNetwork')]", + "deployNewVnet": "[equals(parameters('vnetNewOrExisting'), 'new')]", + "vnetRGName": "[if(variables('deployNewVnet'), resourceGroup().name, parameters('virtualNetworkExistingRGName'))]", + "NewNsgReference": {"id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('NewNsgName'))]"} + }, + "resources": [ + { + "apiVersion": "2020-06-01", + "name": "pid-6f13b00a-7546-4ab2-be9f-c66815cc6c8b-partnercenter", + "type": "Microsoft.Resources/deployments", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('storageAccountName')]", + "apiVersion": "2022-09-01", + "properties": { + "supportsHttpsTrafficOnly": true, + "allowBlobPublicAccess": false, + "minimumTlsVersion": "TLS1_2", + "networkAcls": { + "bypass": "None", + "defaultAction": "[if(parameters('addStorageAccountIpRules'), 'Deny', 'Allow')]", + "ipRules": "[if(parameters('addStorageAccountIpRules'), map(variables('storageAccountIps'), lambda('ip',createObject('action','Allow','value',lambdaVariables('ip')))), createArray())]" + } + }, + "location": "[variables('location')]", + "sku": { + "name": "[variables('storageAccountType')]" + }, + "kind": "Storage", + "tags": "[ if(contains(parameters('tagsByResource'), 
'Microsoft.Storage/storageAccounts'), parameters('tagsByResource')['Microsoft.Storage/storageAccounts'], json('{}')) ]" + }, + { + "condition": "[equals(parameters('vnetNewOrExisting'), 'new')]", + "name": "networkNewSetup", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + "value": "[variables('location')]" + }, + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + "virtualNetworkAddressPrefix": { + "value": "[parameters('virtualNetworkAddressPrefix')]" + }, + "Subnet1Name": { + "value": "[parameters('Subnet1Name')]" + }, + "Subnet1Prefix": { + "value": "[parameters('Subnet1Prefix')]" + }, + "tagsByResource": { + "value": "[parameters('tagsByResource')]" + }, + "deployNsg": { + "value": false + }, + "NewNsgName": + { + "value":"[parameters('NewNsgName')]" + } + } + } + }, + { + "condition": "[equals(parameters('vnetNewOrExisting'), 'existing')]", + "name": "networkExistingSetup", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + "value": "[variables('location')]" + }, + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + "virtualNetworkExistingRGName": { + "value": "[variables('vnetRGName')]" + }, + "vmName": { + "value": "[parameters('vmName')]" + }, + "tagsByResource": { + "value": "[parameters('tagsByResource')]" + }, + "deployNsg": { + "value": false + }, + "NewNsgName": + { + "value":"[parameters('NewNsgName')]" + } + } + } + }, + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "2020-06-01", + "location": "[variables('location')]", + "name": "[variables('publicIPAddressName')]", + "sku": { + 
"name": "Standard" + }, + "properties": { + "idleTimeoutInMinutes": 30, + "publicIPAllocationMethod": "Static", + "dnsSettings": { + "domainNameLabel": "[concat(toLower(parameters('vmName')), '-', uniquestring(resourceGroup().id, deployment().name))]" + } + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/publicIPAddresses'), parameters('tagsByResource')['Microsoft.Network/publicIPAddresses'], json('{}')) ]" + }, + { + "condition": "[parameters('deployNewNSG')]", + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2020-06-01", + "location": "[variables('location')]", + "name": "[parameters('NewNsgName')]", + "properties": { + "securityRules": [ + { + "name": "SSH", + "properties": { + "description": "Allow inbound SSH connection", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "22", + "sourceAddressPrefix": "[variables('managementGUIClientNetwork')]", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "100", + "direction": "Inbound" + } + }, + { + "name": "GAiA-portal", + "properties": { + "description": "Allow inbound HTTPS access to the GAiA portal", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "443", + "sourceAddressPrefix": "[variables('managementGUIClientNetwork')]", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "110", + "direction": "Inbound" + } + }, + { + "name": "SmartConsole-1", + "properties": { + "description": "Allow inbound access using the SmartConsole GUI client", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "18190", + "sourceAddressPrefix": "[variables('managementGUIClientNetwork')]", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "120", + "direction": "Inbound" + } + }, + { + "name": "SmartConsole-2", + "properties": { + "description": "Allow inbound access using the SmartConsole GUI client", + "protocol": "TCP", + "sourcePortRange": "*", + 
"destinationPortRange": "19009", + "sourceAddressPrefix": "[variables('managementGUIClientNetwork')]", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "130", + "direction": "Inbound" + } + }, + { + "name": "Logs", + "properties": { + "description": "Allow inbound logging connections from managed gateways", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "257", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "140", + "direction": "Inbound" + } + }, + { + "name": "ICA-pull", + "properties": { + "description": "Allow security gateways to pull a SIC certificate", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "18210", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "150", + "direction": "Inbound" + } + }, + { + "name": "CRL-fetch", + "properties": { + "description": "Allow security gateways to fetch CRLs", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "18264", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "160", + "direction": "Inbound" + } + }, + { + "name": "Policy-fetch", + "properties": { + "description": "Allow security gateways to fetch policy", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "18191", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "170", + "direction": "Inbound" + } + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/networkSecurityGroups'), parameters('tagsByResource')['Microsoft.Network/networkSecurityGroups'], json('{}')) ]" + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[coalesce(resourceId('Microsoft.Resources/deployments', 'networkNewSetup'), resourceId('Microsoft.Resources/deployments', 'networkExistingSetup'))]", + 
"[variables('publicIPAddressId')]" + ], + "location": "[variables('location')]", + "name": "[variables('nic1Name')]", + "properties": { + "enableIPForwarding": false, + "networkSecurityGroup":"[if(parameters('deployNewNSG') , variables('NewNsgReference') , parameters('ExistingNSG'))]", + "ipConfigurations": [ + { + "name": "ipconfig1", + "properties": { + "privateIPAddress": "[parameters('Subnet1StartAddress')]", + "privateIPAllocationMethod": "Static", + "PublicIpAddress": { + "Id": "[variables('publicIPAddressId')]" + }, + "subnet": { + "id": "[resourceId(variables('vnetRGName') ,'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('Subnet1Name'))]" + } + } + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/networkInterfaces'), parameters('tagsByResource')['Microsoft.Network/networkInterfaces'], json('{}')) ]" + }, + { + "condition": "[not(equals(parameters('sourceImageVhdUri'), 'noCustomUri'))]", + "type": "Microsoft.Compute/images", + "apiVersion": "2020-06-01", + "name": "[variables('customImage')]", + "location": "[variables('location')]", + "properties": { + "storageProfile": { + "osDisk": { + "osType": "Linux", + "osState": "Generalized", + "blobUri": "[parameters('sourceImageVhdUri')]", + "storageAccountType": "Standard_LRS" + } + }, + "hyperVGeneration": "V1" + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Compute/images'), parameters('tagsByResource')['Microsoft.Compute/images'], json('{}')) ]" + }, + { + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2021-07-01", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]", + "[resourceId('Microsoft.Network/networkInterfaces', variables('nic1Name'))]", + "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + ], + "location": "[variables('location')]", + "name": "[parameters('vmName')]", + "plan": 
"[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('plan'), json('null'))]", + "identity": "[variables('identity')]", + "properties": { + "UserData": "[variables('customData64')]", + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": "true", + "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2022-09-01').primaryEndpoints.blob]" + } + }, + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nic1Name'))]", + "properties": { + "primary": true + } + } + ] + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "[concat('not','used')]", + "computerName": "[toLower(parameters('vmName'))]", + "customData": "[variables('customData64')]", + "linuxConfiguration": "[variables('linuxConfiguration')]" + }, + "storageProfile": { + "imageReference": "[variables('imageReference')]", + "osDisk": { + "caching": "ReadWrite", + "createOption": "FromImage", + "diskSizeGB": "[variables('diskSizeGB')]", + "name": "[parameters('vmName')]", + "managedDisk": { + "storageAccountType": "[parameters('diskType')]" + } + } + } + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Compute/virtualMachines'), parameters('tagsByResource')['Microsoft.Compute/virtualMachines'], json('{}')) ]" + } + ], + "outputs": { + "IPAddress": { + "type": "string", + "value": "[reference(variables('publicIPAddressId')).IpAddress]" + }, + "FQDN": { + "type": "string", + "value": "[reference(variables('publicIPAddressId')).dnsSettings.fqdn]" + } + } +} \ No newline at end of file diff --git a/deprecated/azure/templates/R8040-R81/mgmt-r840-r81/README.md b/deprecated/azure/templates/R8040-R81/mgmt-r840-r81/README.md new file mode 100644 index 00000000..ae636acd --- /dev/null +++ b/deprecated/azure/templates/R8040-R81/mgmt-r840-r81/README.md 
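Review bot: `cloudGuardVersion` defaults to `R81.20 - Bring Your Own License`, which is not in its `allowedValues` (only the R80.40 and R81 BYOL entries are listed), so a deployment that does not override the parameter fails validation and the lookups `variables('offers')[parameters('cloudGuardVersion')]` and `variables('osVersions')[...]` have no matching key; the default should be one of the listed values, e.g. `"defaultValue": "R81 - Bring Your Own License"`, and the trailing comma after the last `allowedValues` entry should go. Separately, `customData64` embeds `parameters('sicKey')` and `parameters('SerialConsolePasswordHash')` (both declared `securestring`) and is assigned to both `osProfile.customData` and the top-level `UserData`; to my understanding Azure user data is retrievable after deployment by anyone with read access on the VM resource as well as from IMDS inside the guest, so duplicating the bootstrap blob into `UserData` widens exposure of those secrets beyond what `customData` alone gives — if the image does not consume user data, drop `"UserData": "[variables('customData64')]"`, otherwise add a comment in the parameter metadata explaining why both are needed. It would also help to state in the `managementGUIClientNetwork` metadata that its `0.0.0.0/0` default, combined with the NSG rules in this file, exposes SSH, the GAiA portal and the SmartConsole ports on the public IP to the whole internet, while the Logs/ICA-pull/CRL-fetch/Policy-fetch rules use `sourceAddressPrefix: "*"` unconditionally.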
@@ -0,0 +1,21 @@
+# Check Point CloudGuard Network Security Management for Azure
+
+Check Point CloudGuard Network Security delivers advanced, multi-layered threat prevention to protect customer assets in Azure from malware and sophisticated threats. As a Microsoft Azure certified solution, CloudGuard Network Security enables you to easily and seamlessly secure your workloads while providing secure connectivity across your cloud and on-premises environments.
+
+Benefits:
+
+· Advanced threat prevention and traffic inspection
+
+· Integrated with Azure Security Center and Azure Sentinel
+
+· Provides consistent security policy management, enforcement, and reporting with a single pane of glass, using Check Point Unified Security Management
+
+
+
+ Deploy to Azure
+
+
+
+To deploy with full control over all the template options use: [Full Control Deployment](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2Fazure%2Ftemplates%2Fmarketplace-management%2FmainTemplate.json)
+
+
diff --git a/deprecated/azure/templates/R8040-R81/mgmt-r840-r81/createUiDefinition.json b/deprecated/azure/templates/R8040-R81/mgmt-r840-r81/createUiDefinition.json
new file mode 100644
index 00000000..e2bdf52e
--- /dev/null
+++ b/deprecated/azure/templates/R8040-R81/mgmt-r840-r81/createUiDefinition.json
@@ -0,0 +1,654 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Compute.MultiVm", + "version": "0.1.2-preview", + "parameters": { + "basics": [ + { + "name": "chkp refrence architecture", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "Please follow the Check Point Reference Architecture for Azure.", + "link": { + "label": "Reference Architecture Guide", + "uri": "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk109360" + } + } + }, + { + "name": "gatewayNameUi", + "type": "Microsoft.Common.TextBox", + "label": "Server Name", + "toolTip": "The name of the Check Point Security Management Server.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{1,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + } + }, + { + "name": "auth", + "type": "Microsoft.Compute.CredentialsCombo", + "label": { + "authenticationType": "Authentication type", + "password": "Password", + "confirmPassword": "Confirm password", + "sshPublicKey": "SSH public key" + }, + "toolTip": { + "password": "The user 'admin' password", + "sshPublicKey": "Paste an OpenSSH public key. 
You can generate a key pair using ssh-keygen (Linux, OS X, Cygwin) or PuttyGen (Windows)" + }, + "constraints": { + "required": true + }, + "options": { + "hideConfirmation": false, + "hidePassword": false + }, + "osPlatform": "Linux" + } + ], + "steps": [ + { + "name": "chkp", + "label": "Check Point Security Management Server settings", + "subLabel": { + "preValidation": "Configure additional settings", + "postValidation": "Done" + }, + "bladeTitle": "Security Management settings", + "elements": [ + { + "name": "cloudGuardVersion", + "type": "Microsoft.Common.DropDown", + "label": "Check Point CloudGuard version", + "defaultValue": "R81", + "toolTip": "The version of Check Point CloudGuard.", + "constraints": { + "allowedValues": [ + { + "label": "R80.40", + "value": "R80.40" + }, + { + "label": "R81", + "value": "R81" + } + ] + } + }, + { + "name": "R80Offer", + "type": "Microsoft.Common.DropDown", + "label": "License type", + "toolTip": "The type of license.", + "defaultValue": "Bring Your Own License", + "visible": true, + "constraints": { + "allowedValues": [ + { + "label": "Bring Your Own License", + "value": "Bring Your Own License" + }, + { + "label": "Pay As You Go (MGMT25)", + "value": "Pay As You Go (MGMT25)" + } + ] + } + }, + { + "name": "R8040vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.40'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Management", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "excludedSizes": [ + "Standard_A1_v2", + "Standard_D1_v2", + "Standard_DS1_v2", + "Standard_F1", + "Standard_F1s", + "Standard_G1", + "Standard_GS1" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8040", + "sku": "mgmt-byol" + }, + "count": 1 + }, + { + "name": "R8040vmSizeUiMGMT25", + 
"type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.40'), contains(steps('chkp').R80Offer, '(MGMT25)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Management", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "excludedSizes": [ + "Standard_A1_v2", + "Standard_D1_v2", + "Standard_DS1_v2", + "Standard_F1", + "Standard_F1s", + "Standard_G1", + "Standard_GS1" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8040", + "sku": "mgmt-25" + }, + "count": 1 + }, + { + "name": "R81vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Management", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "excludedSizes": [ + "Standard_A1_v2", + "Standard_D1_v2", + "Standard_DS1_v2", + "Standard_F1", + "Standard_F1s", + "Standard_G1", + "Standard_GS1" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r81", + "sku": "mgmt-byol" + }, + "count": 1 + }, + { + "name": "R81vmSizeUiMGMT25", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81'), contains(steps('chkp').R80Offer, '(MGMT25)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Management", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "excludedSizes": [ + "Standard_A1_v2", + "Standard_D1_v2", + "Standard_DS1_v2", + "Standard_F1", + "Standard_F1s", + "Standard_G1", + "Standard_GS1" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r81", + "sku": "mgmt-25" + }, + "count": 
1 + }, + { + "name": "SerialPasswordInfoBox", + "type": "Microsoft.Common.InfoBox", + "visible": "[bool(basics('auth').sshPublicKey)]", + "options": { + "icon": "Info", + "text": "Check Point recommends setting serial console password and maintenance-mode password for recovery purposes. For R81.10 and below the serial console password is used also as maintenance-mode password" + } + }, + { + "visible": "[bool(basics('auth').sshPublicKey)]", + "name": "EnableSerialConsolePassword", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Serial console password", + "defaultValue": "Yes", + "toolTip": "A unique password hash to enable VM connection via serial console.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": true + }, + { + "label": "No", + "value": false + } + ] + } + }, + { + "name": "AdditionalPassword", + "type": "Microsoft.Common.PasswordBox", + "toolTip": "Serial console password hash, used to enable password authentication (using serial console). To generate password hash use the command 'openssl passwd -6 PASSWORD'", + "visible": "[and(bool(basics('auth').sshPublicKey), steps('chkp').EnableSerialConsolePassword)]", + "label": { + "password": "Password hash", + "confirmPassword": "Confirm password" + }, + "constraints": { + "required": true, + "regex": "^.{12,300}$", + "validationMessage": "The value must be the output of the hash command." 
+ }, + "options": { + "hideConfirmation": false + } + }, + { + "name": "installationType", + "type": "Microsoft.Common.DropDown", + "label": "Installation type", + "defaultValue": "Management", + "toolTip": "Select the type of deployment", + "constraints": { + "allowedValues": [ + { + "label": "Management", + "value": "management" + }, + { + "label": "Configure manually", + "value": "custom" + } + ] + } + }, + { + "name": "adminShell", + "type": "Microsoft.Common.DropDown", + "label": "Default shell for the admin user", + "defaultValue": "/etc/cli.sh", + "toolTip": "The default shell for the admin user", + "constraints": { + "allowedValues": [ + { + "label": "/etc/cli.sh", + "value": "/etc/cli.sh" + }, + { + "label": "/bin/bash", + "value": "/bin/bash" + }, + { + "label": "/bin/csh", + "value": "/bin/csh" + }, + { + "label": "/bin/tcsh", + "value": "/bin/tcsh" + } + ] + } + }, + { + "name": "managementGUIClientNetwork", + "type": "Microsoft.Common.TextBox", + "label": "Allowed GUI clients", + "toolTip": "GUI clients network CIDR", + "constraints": { + "required": true, + "regex": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", + "validationMessage": "Enter a valid IPv4 network CIDR" + }, + "visible": "[equals(steps('chkp').installationType, 'management')]" + }, + { + "name": "bootstrapScript", + "type": "Microsoft.Common.FileUpload", + "label": "Bootstrap script", + "toolTip": "An optional script to run on the initial boot", + "constraints": { + "required": false, + "accept": ".sh,text/plain" + }, + "options": { + "multiple": false, + "uploadMode": "file", + "openMode": "text", + "encoding": "UTF-8" + } + }, + { + "name": "VMDiskType", + "type": "Microsoft.Common.OptionsGroup", + "label": "VM disk type", + "toolTip": "Type of CloudGuard disk.", + "visible": "[not(contains('R80.40 R81' , steps('chkp').cloudGuardVersion))]", + "defaultValue": "Premium", + "constraints": { + 
"allowedValues": [ + { + "label": "Standard", + "value": "Standard_LRS" + }, + { + "label": "Premium", + "value": "Premium_LRS" + } + ] + } + }, + { + "name": "VMDiskTypeOldVersions", + "type": "Microsoft.Common.OptionsGroup", + "label": "VM disk type", + "toolTip": "Type of CloudGuard disk.", + "visible": "[contains('R80.40 R81' , steps('chkp').cloudGuardVersion)]", + "defaultValue": "Standard", + "constraints": { + "allowedValues": [ + { + "label": "Standard", + "value": "Standard_LRS" + }, + { + "label": "Premium", + "value": "Premium_LRS" + } + ] + } + }, + { + "name": "enableApi", + "type": "Microsoft.Common.DropDown", + "label": "Accept Management API calls", + "defaultValue": "Management server only", + "toolTip": "Select the type of the Management API calls", + "constraints": { + "allowedValues": [ + { + "label": "Management server only", + "value": "management_only" + }, + { + "label": "All IP Addresses that can be used for GUI clients", + "value": "gui_clients" + }, + { + "label": "All IP addresses", + "value": "all" + } + ] + }, + "visible": "[not(or(equals(steps('chkp').cloudGuardVersion, 'R81'), equals(steps('chkp').cloudGuardVersion, 'R80.40'))))]" + }, + { + "visible": "[equals(steps('chkp').installationType, 'management')]", + "name": "allowUploadDownload", + "type": "Microsoft.Common.OptionsGroup", + "label": "Automatically download updates and share statistical data for product improvement purpose", + "defaultValue": "Yes", + "toolTip": "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "true" + }, + { + "label": "No", + "value": "false" + } + ] + } + }, + { + "name": "basics settings text block", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "Please follow the Check Point referenced guide for adding disk space.", + "link": { + "label": "Additional disk space in CloudGuard", + "uri": "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk156552" + } + } + }, + { + "name": "additionalDiskSizeGB", + "type": "Microsoft.Common.TextBox", + "label": "Additional disk space (GB)", + "defaultValue": "0", + "toolTip": "Additional disk space (in GB), initial disk size is 100 GB.", + "constraints": { + "regex": "^([0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-2][0-9][0-9][0-9]|3[0-8][0-9][0-9]|399[0-5])$", + "validationMessage": "Select a number between 0 and 3995" + } + }, + { + "name": "useCustomImageUri", + "type": "Microsoft.Common.OptionsGroup", + "label": "Use development image uri", + "defaultValue": "No", + "toolTip": "Use custom image URI.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ], + "required": true + }, + "visible": false + }, + { + "name": "sourceImageVhdUri", + "type": "Microsoft.Common.TextBox", + "label": "Development Image URI", + "toolTip": "The URI of the blob containing the development image", + "constraints": { + "required": "[equals(steps('chkp').useCustomImageUri, 'Yes')]", + "regex": "^[a-z0-9A-Z_\\-\\.\\:\\/]{1,500}.vhd$", + "validationMessage": "Only alphanumeric characters and '_','-','.',':','/' are allowed, the value must be 1-500 characters long and must end with .vhd. 
" + }, + "visible": "[equals(steps('chkp').useCustomImageUri, 'Yes')]" + } + ] + }, + { + "name": "network", + "label": "Network settings", + "subLabel": { + "preValidation": "Configure network settings", + "postValidation": "Done" + }, + "bladeTitle": "Network settings", + "elements": [ + { + "name": "virtualNetwork", + "type": "Microsoft.Network.VirtualNetworkCombo", + "label": { + "virtualNetwork": "Virtual network", + "subnets": "Subnet" + }, + "toolTip": { + "virtualNetwork": "Virtual Network Name", + "subnets": "The subnet to deploy into" + }, + "defaultValue": { + "name": "vnet01", + "addressPrefixSize": "/20" + }, + "constraints": { + "minAddressPrefixSize": "/29" + }, + "options": { + "hideExisting": false + }, + "subnets": { + "subnet1": { + "label": "Management subnet", + "defaultValue": { + "name": "Management", + "addressPrefixSize": "/24" + }, + "constraints": { + "minAddressPrefixSize": "/29", + "minAddressCount": 1, + "requireContiguousAddresses": true + } + } + } + }, + { + "name": "NSG", + "type": "Microsoft.Common.OptionsGroup", + "label": "Network Security Group", + "toolTip": "Choose between using an existing NSG or using a new NSG", + "constraints": { + "allowedValues": [ + { + "label": "Create new", + "value": true + }, + { + "label": "Existing NSG", + "value": false + } + ], + "required": true + }, + "visible": true + }, + { + "name": "nsgSelector", + "type": "Microsoft.Solutions.ResourceSelector", + "label": "Network Security Group", + "defaultValue": "null", + "toolTip": "Choose an existing NSG", + "resourceType": "Microsoft.Network/NetworkSecurityGroups", + "options": { + "filter": { + "subscription": "onBasics", + "location": "onBasics" + } + }, + "constraints": { + "required": true + }, + "visible": "[equals(steps('network').NSG, false)]" + }, + { + "name": "NSGName", + "type": "Microsoft.Common.TextBox", + "label": "Name", + "defaultValue": "[concat(basics('gatewayNameUi') , '-nsg')]", + "toolTip": "Insert Name for the new NSG", + 
"multiLine": false, + "constraints": { + "required": "[steps('network').NSG]", + "regex": "^[a-z0-9A-Z-]{1,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + }, + "visible": "[steps('network').NSG]" + }, + { + "name": "addStorageAccountIpRules", + "type": "Microsoft.Common.OptionsGroup", + "defaultValue": "Network access from all networks", + "label": "Storage Account Network Access", + "toolTip": "Select your preferred network access to the Storage Account, for more information - https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#serial-console-security", + "constraints": { + "allowedValues": [ + { + "label": "Network access from all networks", + "value": false + }, + { + "label": "Network access only from Serial Console", + "value": true + } + ], + "required": true + }, + "visible": true + } + ] + }, + { + "name": "tags", + "label": "Tags", + "elements": [ + { + "name": "tagsByResource", + "type": "Microsoft.Common.TagsByResource", + "toolTip": "Create Azure tags for the new resources", + "resources": [ + "Microsoft.Storage/storageAccounts", + "Microsoft.Network/publicIPAddresses", + "Microsoft.Compute/virtualMachines", + "Microsoft.Network/networkSecurityGroups", + "Microsoft.Network/networkInterfaces", + "Microsoft.Network/routeTables", + "Microsoft.Network/virtualNetworks" + ] + } + ] + } + ], + "outputs": { + "location": "[location()]", + "cloudGuardVersion": "[concat(steps('chkp').cloudGuardVersion, ' - ', coalesce(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "adminPassword": "[basics('auth').password]", + "authenticationType": "[basics('auth').authenticationType]", + "sshPublicKey": "[basics('auth').sshPublicKey]", + "vmName": "[basics('gatewayNameUi')]", + "vmSize": "[coalesce(steps('chkp').R8040vmSizeUiBYOL, steps('chkp').R8040vmSizeUiMGMT25, steps('chkp').R81vmSizeUiBYOL, steps('chkp').R81vmSizeUiMGMT25)]", + "virtualNetworkName": 
"[steps('network').virtualNetwork.name]", + "virtualNetworkAddressPrefix": "[steps('network').virtualNetwork.addressPrefix]", + "Subnet1Name": "[steps('network').virtualNetwork.subnets.subnet1.name]", + "Subnet1Prefix": "[steps('network').virtualNetwork.subnets.subnet1.addressPrefix]", + "Subnet1StartAddress": "[steps('network').virtualNetwork.subnets.subnet1.startAddress]", + "vnetNewOrExisting": "[steps('network').virtualNetwork.newOrExisting]", + "virtualNetworkExistingRGName": "[steps('network').virtualNetwork.resourceGroup]", + "managementGUIClientNetwork": "[steps('chkp').managementGUIClientNetwork]", + "installationType": "[steps('chkp').installationType]", + "bootstrapScript": "[steps('chkp').bootstrapScript]", + "allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp').allowUploadDownload, 'true')]", + "additionalDiskSizeGB": "[int(steps('chkp').additionalDiskSizeGB)]", + "diskType": "[if(contains('R80.40 R81' , steps('chkp').cloudGuardVersion) , steps('chkp').VMDiskTypeOldVersions , steps('chkp').VMDiskType)]", + "sourceImageVhdUri": "[coalesce(steps('chkp').sourceImageVhdUri, 'noCustomUri')]", + "enableApi": "[steps('chkp').enableApi]", + "adminShell": "[steps('chkp').adminShell]", + "tagsByResource": "[steps('tags').tagsByResource]", + "deployNewNSG": "[steps('network').NSG]", + "ExistingNSG": "[steps('network').nsgSelector]", + "NewNsgName": "[steps('network').NSGName]", + "addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]", + "SerialConsolePasswordHash": "[steps('chkp').AdditionalPassword]" + } + } +} \ No newline at end of file diff --git a/deprecated/azure/templates/R8040-R81/mgmt-r840-r81/mainTemplate.json b/deprecated/azure/templates/R8040-R81/mgmt-r840-r81/mainTemplate.json new file mode 100644 index 00000000..44f62298 --- /dev/null +++ b/deprecated/azure/templates/R8040-R81/mgmt-r840-r81/mainTemplate.json 
@@ -0,0 +1,751 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string", + "metadata": { + "description": "Deployment location" + }, + "defaultValue": "[resourceGroup().location]" + }, + "cloudGuardVersion": { + "type": "string", + "allowedValues": [ + "R80.40 - Bring Your Own License", + "R80.40 - Pay As You Go (MGMT25)", + "R81 - Bring Your Own License", + "R81 - Pay As You Go (MGMT25)" + ], + "defaultValue": "R81.20 - Bring Your Own License", + "metadata": { + "description": "Version of Check Point CloudGuard" + } + }, + "authenticationType": { + "type": "string", + "allowedValues": [ + "password", + "sshPublicKey" + ], + "defaultValue": "password", + "metadata": { + "description": "Authentication type" + } + }, + "sshPublicKey": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Administrator SSH public key" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Administrator password" + }, + "defaultValue": "" + }, + "SerialConsolePasswordHash": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "Description": "Optional parameter, used to enable serial console connection in case of SSH key as authentication type" + } + }, + "vmName": { + "type": "string", + "metadata": { + "description": "Name of the Check Point Security Gateway" + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_D3_v2", + "metadata": { + "description": "Size of the VM" + } + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "vnet" + }, + "virtualNetworkAddressPrefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the virtual network" + }, + "defaultValue": "10.0.0.0/16" + }, + "Subnet1Name": { + "type": "string", + "metadata": { + "description": "The 
name of the 1st subnet" + }, + "defaultValue": "Frontend" + }, + "Subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 1st subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "Subnet1StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the 1st subnet" + }, + "defaultValue": "10.0.1.10" + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "new", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "[resourceGroup().name]" + }, + "managementGUIClientNetwork": { + "type": "string", + "metadata": { + "description": "Allowed GUI clients" + }, + "defaultValue": "0.0.0.0/0" + }, + "installationType": { + "type": "string", + "metadata": { + "description": "Installation Type" + }, + "defaultValue": "management", + "allowedValues": [ + "management", + "custom" + ] + }, + "adminShell": { + "type": "string", + "defaultValue": "/etc/cli.sh", + "allowedValues": [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh" + ], + "metadata": { + "Description": "The default shell for the admin user" + } + }, + "bootstrapScript": { + "type": "string", + "metadata": { + "description": "Bootstrap script" + }, + "defaultValue": "" + }, + "allowDownloadFromUploadToCheckPoint": { + "type": "string", + "allowedValues": [ + "true", + "false" + ], + "defaultValue": "true", + "metadata": { + "description": "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point" + } + }, + "additionalDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "metadata": { + "description": "Amount of additional disk space (in GB)" + }, + "minValue": 0, + "maxValue": 3995 + }, + "diskType": { + "type": "string", + "defaultValue": "Standard_LRS", + "metadata": { + "description": "The type of the OS disk. Premium is applicable only to DS machine sizes" + }, + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ] + }, + "msi": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Configure managed service identity for the VM" + } + }, + "sourceImageVhdUri": { + "type": "string", + "defaultValue": "noCustomUri", + "metadata": { + "description": "The URI of the blob containing the development image" + } + }, + "_artifactsLocation": { + "type": "string", + "metadata": { + "description": "Use the following URI when deploying a custom template: https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/" + }, + "defaultValue": "[deployment().properties.templateLink.uri]" + }, + "_artifactsLocationSasToken": { + "type": "securestring", + "metadata": { + "description": "The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. Use the defaultValue if the staging location is not secured." 
+ }, + "defaultValue": "" + }, + "tagsByResource": { + "type": "object", + "defaultValue": {} + }, + "deployNewNSG": { + "type": "bool", + "defaultValue": true + }, + "ExistingNSG": { + "type": "object", + "defaultValue": {} + }, + "NewNsgName": { + "type": "string", + "defaultValue": "[concat(parameters('vmName'),'-nsg')]" + }, + "addStorageAccountIpRules": { + "type": "bool", + "metadata": { + "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled" + }, + "defaultValue" : false + }, + "storageAccountAdditionalIps":{ + "type": "array", + "metadata": { + "description": "IPs/CIDRs that are allowed access to the Storage Account" + }, + "defaultValue" : [] + } + + }, + "variables": { + "templateName": "management", + "templateVersion": "20230910", + "location": "[parameters('location')]", + "offers": { + "R80.40 - Bring Your Own License": "BYOL", + "R80.40 - Pay As You Go (MGMT25)": "MGMT25", + "R81 - Bring Your Own License": "BYOL", + "R81 - Pay As You Go (MGMT25)": "MGMT25" + }, + "offer": "[variables('offers')[parameters('cloudGuardVersion')]]", + "osVersions": { + "R80.40 - Bring Your Own License": "R8040", + "R80.40 - Pay As You Go (MGMT25)": "R8040", + "R81 - Bring Your Own License": "R81", + "R81 - Pay As You Go (MGMT25)": "R81" + }, + "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", + "SerialConsoleGeographies": { + "eastasia" : ["20.205.69.28", "20.195.85.180"], + "southeastasia" : ["20.205.69.28", "20.195.85.180"], + "australiacentral" : ["20.53.53.224", "20.70.222.112"], + "australiacentral2" : ["20.53.53.224", "20.70.222.112"], + "australiaeast" : ["20.53.53.224", "20.70.222.112"], + "australiasoutheast" : ["20.53.53.224", "20.70.222.112"], + "brazilsouth" : ["91.234.136.63", 
"20.206.0.194"], + "brazilsoutheast" : ["91.234.136.63", "20.206.0.194"], + "canadacentral" : ["52.228.86.177", "52.242.40.90"], + "canadaeast" : ["52.228.86.177", "52.242.40.90"], + "northeurope" : ["52.146.139.220", "20.105.209.72"], + "westeurope" : ["52.146.139.220", "20.105.209.72"], + "francecentral" : ["20.111.0.244", "52.136.191.10"], + "francesouth" : ["20.111.0.244", "52.136.191.10"], + "germanynorth" : ["51.116.75.88", "20.52.95.48"], + "germanywestcentral" : ["51.116.75.88", "20.52.95.48"], + "centralindia" : ["20.192.168.150", "20.192.153.104"], + "southindia" : ["20.192.168.150", "20.192.153.104"], + "westindia" : ["20.192.168.150", "20.192.153.104"], + "japaneast" : ["20.43.70.205", "20.189.228.222"], + "japanwest" : ["20.43.70.205", "20.189.228.222"], + "koreacentral" : ["20.200.196.96", "52.147.119.29"], + "koreasouth" : ["20.200.196.96", "52.147.119.29"], + "norwaywest" : ["20.100.1.184", "51.13.138.76"], + "norwayeast" : ["20.100.1.184", "51.13.138.76"], + "switzerlandnorth" : ["20.208.4.98", "51.107.251.190"], + "switzerlandwest" : ["20.208.4.98", "51.107.251.190"], + "uaecentral" : ["20.45.95.66", "20.38.141.5"], + "uaenorth" : ["20.45.95.66", "20.38.141.5"], + "uksouth" : ["20.90.132.144", "20.58.68.62"], + "ukwest" : ["20.90.132.144", "20.58.68.62"], + "swedencentral" : ["51.12.72.223", "51.12.22.174"], + "swedensouth" : ["51.12.72.223", "51.12.22.174"], + "centralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "eastus2" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "eastus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "northcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "southcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus2" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus3" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westcentralus" : 
["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "eastus2euap" : ["20.45.242.18", "20.51.21.252"], + "centraluseuap" : ["20.45.242.18", "20.51.21.252"]}, + "serialConsoleIps": "[if(contains(variables('serialConsoleGeographies'),variables('location')),variables('serialConsoleGeographies')[variables('location')],createArray())]", + "storageAccountIps" : "[concat(variables('SerialConsoleIps'),parameters('storageAccountAdditionalIps'))]", + "isBlink": "[bool('false')]", + "storageAccountName": "[concat('bootdiag', uniqueString(resourceGroup().id, deployment().name))]", + "storageAccountType": "Standard_LRS", + "diskSize100GB": 100, + "diskSizeGB": "[add(parameters('additionalDiskSizeGB'), variables('diskSize100GB'))]", + "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', parameters('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'managementGUIClientNetwork=\"', variables('managementGUIClientNetwork'), '\"', '\n', 'enableApi=\"', parameters('enableApi'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n', 'passwordHash=\"', parameters('SerialConsolePasswordHash'), '\"', '\n')]", + "customData64": "[base64(variables('customData'))]", + "imageOffer": "[concat('check-point-cg-', toLower(variables('osVersion')))]", + "imagePublisher": "checkpoint", + "imageReferenceBYOL": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "mgmt-byol", + "version": "latest" + }, + 
"imageReferenceMGMT25": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "mgmt-25", + "version": "latest" + }, + "imageReferenceMarketplace": "[if(equals(variables('offer'), 'BYOL'), variables('imageReferenceBYOL'), variables('imageReferenceMGMT25'))]", + "customImage": "customImage", + "imageReferenceCustomUri": { + "id": "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + }, + "imageReference": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('imageReferenceMarketplace'), variables('imageReferenceCustomUri'))]", + "nic1Name": "[concat(parameters('vmName'), '-eth0')]", + "linuxConfigurationpassword": { + "disablePasswordAuthentication": "false" + }, + "linuxConfigurationsshPublicKey": { + "disablePasswordAuthentication": "true", + "ssh": { + "publicKeys": [ + { + "keyData": "[parameters('sshPublicKey')]", + "path": "/home/notused/.ssh/authorized_keys" + } + ] + } + }, + "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), variables('linuxConfigurationpassword'), variables('linuxConfigurationsshPublicKey'))]", + "planBYOL": { + "name": "mgmt-byol", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planMGMT25": { + "name": "mgmt-25", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "plan": "[if(equals(variables('offer'), 'BYOL'), variables('planBYOL'), variables('planMGMT25'))]", + "identity": "[if(parameters('msi'), json('{\"type\": \"SystemAssigned\"}'), json('null'))]", + "publicIPAddressName": "[parameters('vmName')]", + "publicIPAddressId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName'))]", + "bootstrapScript64": "[base64(parameters('bootstrapScript'))]", + "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]", + "_artifactsLocation": 
"[if(contains(parameters('_artifactsLocation'),'raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/marketplace'),'https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/',parameters('_artifactsLocation'))]", + "networkSetupURL": "[uri(variables('_artifactsLocation'), concat('nestedtemplates/vnet-1-subnet-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]", + "managementGUIClientNetwork": "[parameters('managementGUIClientNetwork')]", + "deployNewVnet": "[equals(parameters('vnetNewOrExisting'), 'new')]", + "vnetRGName": "[if(variables('deployNewVnet'), resourceGroup().name, parameters('virtualNetworkExistingRGName'))]", + "NewNsgReference": {"id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('NewNsgName'))]"} + }, + "resources": [ + { + "apiVersion": "2020-06-01", + "name": "pid-6f13b00a-7546-4ab2-be9f-c66815cc6c8b-partnercenter", + "type": "Microsoft.Resources/deployments", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('storageAccountName')]", + "apiVersion": "2022-09-01", + "properties": { + "supportsHttpsTrafficOnly": true, + "allowBlobPublicAccess": false, + "minimumTlsVersion": "TLS1_2", + "networkAcls": { + "bypass": "None", + "defaultAction": "[if(parameters('addStorageAccountIpRules'), 'Deny', 'Allow')]", + "ipRules": "[if(parameters('addStorageAccountIpRules'), map(variables('storageAccountIps'), lambda('ip',createObject('action','Allow','value',lambdaVariables('ip')))), createArray())]" + } + }, + "location": "[variables('location')]", + "sku": { + "name": "[variables('storageAccountType')]" + }, + "kind": "Storage", + "tags": "[ if(contains(parameters('tagsByResource'), 
'Microsoft.Storage/storageAccounts'), parameters('tagsByResource')['Microsoft.Storage/storageAccounts'], json('{}')) ]" + }, + { + "condition": "[equals(parameters('vnetNewOrExisting'), 'new')]", + "name": "networkNewSetup", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + "value": "[variables('location')]" + }, + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + "virtualNetworkAddressPrefix": { + "value": "[parameters('virtualNetworkAddressPrefix')]" + }, + "Subnet1Name": { + "value": "[parameters('Subnet1Name')]" + }, + "Subnet1Prefix": { + "value": "[parameters('Subnet1Prefix')]" + }, + "deployNsg": { + "value": false + }, + "NewNsgName": + { + "value":"[parameters('NewNsgName')]" + }, + "tagsByResource": { + "value": "[parameters('tagsByResource')]" + } + } + } + }, + { + "condition": "[equals(parameters('vnetNewOrExisting'), 'existing')]", + "name": "networkExistingSetup", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + "value": "[variables('location')]" + }, + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + "virtualNetworkExistingRGName": { + "value": "[variables('vnetRGName')]" + }, + "vmName": { + "value": "[parameters('vmName')]" + }, + "deployNsg": { + "value": false + }, + "NewNsgName": + { + "value":"[parameters('NewNsgName')]" + }, + "tagsByResource": { + "value": "[parameters('tagsByResource')]" + } + } + } + }, + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "2020-06-01", + "location": "[variables('location')]", + "name": "[variables('publicIPAddressName')]", + "sku": { + 
"name": "Standard" + }, + "properties": { + "idleTimeoutInMinutes": 30, + "publicIPAllocationMethod": "Static", + "dnsSettings": { + "domainNameLabel": "[concat(toLower(parameters('vmName')), '-', uniquestring(resourceGroup().id, deployment().name))]" + } + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/publicIPAddresses'), parameters('tagsByResource')['Microsoft.Network/publicIPAddresses'], json('{}')) ]" + }, + { + "condition": "[parameters('deployNewNSG')]", + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2020-06-01", + "location": "[variables('location')]", + "name": "[parameters('NewNsgName')]", + "properties": { + "securityRules": [ + { + "name": "SSH", + "properties": { + "description": "Allow inbound SSH connection", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "22", + "sourceAddressPrefix": "[variables('managementGUIClientNetwork')]", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "100", + "direction": "Inbound" + } + }, + { + "name": "GAiA-portal", + "properties": { + "description": "Allow inbound HTTPS access to the GAiA portal", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "443", + "sourceAddressPrefix": "[variables('managementGUIClientNetwork')]", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "110", + "direction": "Inbound" + } + }, + { + "name": "SmartConsole-1", + "properties": { + "description": "Allow inbound access using the SmartConsole GUI client", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "18190", + "sourceAddressPrefix": "[variables('managementGUIClientNetwork')]", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "120", + "direction": "Inbound" + } + }, + { + "name": "SmartConsole-2", + "properties": { + "description": "Allow inbound access using the SmartConsole GUI client", + "protocol": "TCP", + "sourcePortRange": "*", + 
"destinationPortRange": "19009", + "sourceAddressPrefix": "[variables('managementGUIClientNetwork')]", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "130", + "direction": "Inbound" + } + }, + { + "name": "Logs", + "properties": { + "description": "Allow inbound logging connections from managed gateways", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "257", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "140", + "direction": "Inbound" + } + }, + { + "name": "ICA-pull", + "properties": { + "description": "Allow security gateways to pull a SIC certificate", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "18210", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "150", + "direction": "Inbound" + } + }, + { + "name": "CRL-fetch", + "properties": { + "description": "Allow security gateways to fetch CRLs", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "18264", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "160", + "direction": "Inbound" + } + }, + { + "name": "Policy-fetch", + "properties": { + "description": "Allow security gateways to fetch policy", + "protocol": "TCP", + "sourcePortRange": "*", + "destinationPortRange": "18191", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": "170", + "direction": "Inbound" + } + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/networkSecurityGroups'), parameters('tagsByResource')['Microsoft.Network/networkSecurityGroups'], json('{}')) ]" + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[coalesce(resourceId('Microsoft.Resources/deployments', 'networkNewSetup'), resourceId('Microsoft.Resources/deployments', 'networkExistingSetup'))]", + 
"[variables('publicIPAddressId')]" + ], + "location": "[variables('location')]", + "name": "[variables('nic1Name')]", + "properties": { + "enableIPForwarding": false, + "networkSecurityGroup":"[if(parameters('deployNewNSG') , variables('NewNsgReference') , parameters('ExistingNSG'))]", + "ipConfigurations": [ + { + "name": "ipconfig1", + "properties": { + "privateIPAddress": "[parameters('Subnet1StartAddress')]", + "privateIPAllocationMethod": "Static", + "PublicIpAddress": { + "Id": "[variables('publicIPAddressId')]" + }, + "subnet": { + "id": "[resourceId(variables('vnetRGName') ,'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('Subnet1Name'))]" + } + } + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/networkInterfaces'), parameters('tagsByResource')['Microsoft.Network/networkInterfaces'], json('{}')) ]" + }, + { + "condition": "[not(equals(parameters('sourceImageVhdUri'), 'noCustomUri'))]", + "type": "Microsoft.Compute/images", + "apiVersion": "2020-06-01", + "name": "[variables('customImage')]", + "location": "[variables('location')]", + "properties": { + "storageProfile": { + "osDisk": { + "osType": "Linux", + "osState": "Generalized", + "blobUri": "[parameters('sourceImageVhdUri')]", + "storageAccountType": "Standard_LRS" + } + }, + "hyperVGeneration": "V1" + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Compute/images'), parameters('tagsByResource')['Microsoft.Compute/images'], json('{}')) ]" + }, + { + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2021-07-01", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]", + "[resourceId('Microsoft.Network/networkInterfaces', variables('nic1Name'))]", + "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + ], + "location": "[variables('location')]", + "name": "[parameters('vmName')]", + "plan": 
"[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('plan'), json('null'))]", + "identity": "[variables('identity')]", + "properties": { + "UserData": "[variables('customData64')]", + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": "true", + "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2022-09-01').primaryEndpoints.blob]" + } + }, + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nic1Name'))]", + "properties": { + "primary": true + } + } + ] + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "[concat('not','used')]", + "computerName": "[toLower(parameters('vmName'))]", + "customData": "[variables('customData64')]", + "linuxConfiguration": "[variables('linuxConfiguration')]" + }, + "storageProfile": { + "imageReference": "[variables('imageReference')]", + "osDisk": { + "caching": "ReadWrite", + "createOption": "FromImage", + "diskSizeGB": "[variables('diskSizeGB')]", + "name": "[parameters('vmName')]", + "managedDisk": { + "storageAccountType": "[parameters('diskType')]" + } + } + } + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Compute/virtualMachines'), parameters('tagsByResource')['Microsoft.Compute/virtualMachines'], json('{}')) ]" + } + ], + "outputs": { + "IPAddress": { + "type": "string", + "value": "[reference(variables('publicIPAddressId')).IpAddress]" + }, + "FQDN": { + "type": "string", + "value": "[reference(variables('publicIPAddressId')).dnsSettings.fqdn]" + } + } +} \ No newline at end of file diff --git a/deprecated/azure/templates/R8040-R81/single-ipv6-r8040-r81/README.md b/deprecated/azure/templates/R8040-R81/single-ipv6-r8040-r81/README.md new file mode 100644 index 00000000..57e098d6 --- /dev/null 
+++ b/deprecated/azure/templates/R8040-R81/single-ipv6-r8040-r81/README.md
@@ -0,0 +1,10 @@
+# IPv6 support for CloudGuard IaaS in Azure
+Azure's IPv6 connectivity makes it easy to provide dual stack (IPv4/IPv6) Internet connectivity for applications hosted in Azure.
+It allows for simple deployment of VMs with load balanced IPv6 connectivity for both inbound and outbound initiated connections.
+
+Follow [sk170760](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk170760) instruction to deploy dual stack (IPv4/IPv6) CloudGuard IaaS Security Gateway in Azure.
+ + + Deploy to Azure + +
diff --git a/deprecated/azure/templates/R8040-R81/single-ipv6-r8040-r81/mainTemplate.json b/deprecated/azure/templates/R8040-R81/single-ipv6-r8040-r81/mainTemplate.json
new file mode 100644
index 00000000..2a322a31
--- /dev/null
+++ b/deprecated/azure/templates/R8040-R81/single-ipv6-r8040-r81/mainTemplate.json
@@ -0,0 +1,887 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "Deployment location"
+ },
+ "defaultValue": "[resourceGroup().location]"
+ },
+ "cloudGuardVersion": {
+ "type": "string",
+ "allowedValues": [
+ "R80.40 - Bring Your Own License",
+ "R80.40 - Pay As You Go (NGTP)",
+ "R80.40 - Pay As You Go (NGTX)",
+ "R81 - Bring Your Own License",
+ "R81 - Pay As You Go (NGTP)",
+ "R81 - Pay As You Go (NGTX)"
+ ],
+ "defaultValue": "R81.20 - Bring Your Own License",
+ "metadata": {
+ "description": "Version of Check Point CloudGuard"
+ }
+ },
+ "adminPassword": {
+ "type": "securestring",
+ "metadata": {
+ "description": "Administrator password"
+ },
+ "defaultValue": ""
+ },
+ "authenticationType": {
+ "type": "string",
+ "allowedValues": [
+ "password",
+ "sshPublicKey"
+ ],
+ "defaultValue": "password",
+ "metadata": {
+ "description": "Authentication type"
+ }
+ },
+ "sshPublicKey": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Administrator SSH public key"
+ }
+ },
+ "vmName": {
+ "type": "string",
+ "metadata": {
+ "description": "Name of the Check Point Security Gateway"
+ }
+ },
+ "vmSize": {
+ "type": "string",
+ "defaultValue": "Standard_D3_v2",
+ "metadata": {
+ "description": "Size of the VM"
+ }
+ },
+ "adminShell": {
+ "type": "string",
+ "defaultValue": "/etc/cli.sh",
+ "allowedValues": [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"
+ ],
+ "metadata": {
+ "Description": "The default shell for the admin user"
+ }
+ },
+ "sicKey": {
+ "type": "securestring",
+ "metadata": {
+ "description": "One time key for Secure Internal Communication"
+ }
+ },
+ "virtualNetworkName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the virtual network"
+ },
+ "defaultValue": "vnet"
+ },
+ "virtualNetworkAddressPrefix": {
+ "type": 
"string", + "metadata": { + "description": "The address prefix of the virtual network" + }, + "defaultValue": "10.0.0.0/16" + }, + "virtualNetworkIpv6AddressPrefix": { + "type": "string", + "metadata": { + "description": "The IPv6 address prefix of the virtual network" + }, + "defaultValue": "ace:cab:deca::/48" + }, + "Subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the 1st subnet" + }, + "defaultValue": "Frontend" + }, + "Subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 1st subnet" + }, + "defaultValue": "10.0.0.0/24" + }, + "Subnet1Ipv6Prefix": { + "type": "string", + "metadata": { + "description": "The IPv6 address prefix of the 1st subnet" + }, + "defaultValue": "ace:cab:deca:deed::/64" + }, + "Subnet1StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the 1st subnet" + }, + "defaultValue": "10.0.0.10" + }, + "Subnet2Name": { + "type": "string", + "metadata": { + "description": "The name of the 2nd subnet" + }, + "defaultValue": "Backend" + }, + "Subnet2Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 2nd subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "Subnet2Ipv6Prefix": { + "type": "string", + "metadata": { + "description": "The IPv6 address prefix of the 2nd subnet" + }, + "defaultValue": "ace:cab:deca:deee::/64" + }, + "Subnet2StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the 2nd subnet" + }, + "defaultValue": "10.0.1.10" + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "new", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "[resourceGroup().name]" + 
}, + "managementGUIClientNetwork": { + "type": "string", + "metadata": { + "description": "Allowed GUI clients" + }, + "defaultValue": "0.0.0.0/0" + }, + "installationType": { + "type": "string", + "metadata": { + "description": "Installation Type" + }, + "defaultValue": "ipv6Gateway", + "allowedValues": [ + "standalone", + "gateway", + "custom" + ] + }, + "bootstrapScript": { + "type": "string", + "metadata": { + "description": "Bootstrap script" + }, + "defaultValue": "" + }, + "allowDownloadFromUploadToCheckPoint": { + "type": "string", + "allowedValues": [ + "true", + "false" + ], + "defaultValue": "true", + "metadata": { + "description": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + } + }, + "additionalDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "metadata": { + "description": "Amount of additional disk space (in GB)" + }, + "minValue": 0, + "maxValue": 3995 + }, + "diskType": { + "type": "string", + "defaultValue": "Standard_LRS", + "metadata": { + "description": "The type of the OS disk. Premium is applicable only to DS machine sizes" + }, + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ] + }, + "sourceImageVhdUri": { + "type": "string", + "defaultValue": "noCustomUri", + "metadata": { + "description": "The URI of the blob containing the development image" + } + }, + "_artifactsLocation": { + "type": "string", + "metadata": { + "description": "The base URI where artifacts required by this template are located including a trailing '/'" + }, + "defaultValue": "https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/" + }, + "_artifactsLocationSasToken": { + "type": "securestring", + "metadata": { + "description": "The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. Use the defaultValue if the staging location is not secured." 
+ }, + "defaultValue": "" + }, + "tagsByResource": { + "type": "object", + "defaultValue": {} + }, + "deployNewNSG": { + "type": "bool", + "defaultValue": true + }, + "ExistingNSG": { + "type": "object", + "defaultValue": {} + }, + "NewNsgName": { + "type": "string", + "defaultValue": "[concat(parameters('vmName'),'-nsg')]" + }, + "addStorageAccountIpRules": { + "type": "bool", + "metadata": { + "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled" + }, + "defaultValue" : false + }, + "storageAccountAdditionalIps":{ + "type": "array", + "metadata": { + "description": "IPs/CIDRs that are allowed access to the Storage Account" + }, + "defaultValue" : [] + } + + }, + "variables": { + "vnetv4AddressRange": "[parameters('virtualNetworkAddressPrefix')]", + "vnetv6AddressRange": "[parameters('virtualNetworkIPv6AddressPrefix')]", + "subnetv4AddressRange": "[parameters('Subnet1Prefix')]", + "subnet2v4AddressRange": "[parameters('Subnet2Prefix')]", + "subnetv6AddressRange": "[parameters('Subnet1IPv6Prefix')]", + "subnet2v6AddressRange": "[parameters('Subnet2IPv6Prefix')]", + "virtualNetworkName": "[parameters('virtualNetworkName')]", + "subnetName": "[parameters('Subnet1Name')]", + "subnet2Name": "[parameters('Subnet2Name')]", + "templateName": "singleIpv6", + "templateVersion": "20230910", + "location": "[parameters('location')]", + "subnet-id": "[resourceId(parameters('virtualNetworkExistingRGName'), 'Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworkName'), variables('subnetName'))]", + "subnet2-id": "[resourceId(parameters('virtualNetworkExistingRGName'), 'Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworkName'), variables('subnet2Name'))]", + "offers": { + "R80.40 - Bring 
Your Own License": "BYOL", + "R80.40 - Pay As You Go (NGTP)": "NGTP", + "R80.40 - Pay As You Go (NGTX)": "NGTX", + "R81 - Bring Your Own License": "BYOL", + "R81 - Pay As You Go (NGTP)": "NGTP", + "R81 - Pay As You Go (NGTX)": "NGTX" + }, + "offer": "[variables('offers')[parameters('cloudGuardVersion')]]", + "osVersions": { + "R80.40 - Bring Your Own License": "R8040", + "R80.40 - Pay As You Go (NGTP)": "R8040", + "R80.40 - Pay As You Go (NGTX)": "R8040", + "R81 - Bring Your Own License": "R81", + "R81 - Pay As You Go (NGTP)": "R81", + "R81 - Pay As You Go (NGTX)": "R81" + }, + "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", + "SerialConsoleGeographies": { + "eastasia" : ["20.205.69.28", "20.195.85.180"], + "southeastasia" : ["20.205.69.28", "20.195.85.180"], + "australiacentral" : ["20.53.53.224", "20.70.222.112"], + "australiacentral2" : ["20.53.53.224", "20.70.222.112"], + "australiaeast" : ["20.53.53.224", "20.70.222.112"], + "australiasoutheast" : ["20.53.53.224", "20.70.222.112"], + "brazilsouth" : ["91.234.136.63", "20.206.0.194"], + "brazilsoutheast" : ["91.234.136.63", "20.206.0.194"], + "canadacentral" : ["52.228.86.177", "52.242.40.90"], + "canadaeast" : ["52.228.86.177", "52.242.40.90"], + "northeurope" : ["52.146.139.220", "20.105.209.72"], + "westeurope" : ["52.146.139.220", "20.105.209.72"], + "francecentral" : ["20.111.0.244", "52.136.191.10"], + "francesouth" : ["20.111.0.244", "52.136.191.10"], + "germanynorth" : ["51.116.75.88", "20.52.95.48"], + "germanywestcentral" : ["51.116.75.88", "20.52.95.48"], + "centralindia" : ["20.192.168.150", "20.192.153.104"], + "southindia" : ["20.192.168.150", "20.192.153.104"], + "westindia" : ["20.192.168.150", "20.192.153.104"], + "japaneast" : ["20.43.70.205", "20.189.228.222"], + "japanwest" : ["20.43.70.205", "20.189.228.222"], + "koreacentral" : ["20.200.196.96", "52.147.119.29"], + "koreasouth" : ["20.200.196.96", "52.147.119.29"], + "norwaywest" : ["20.100.1.184", 
"51.13.138.76"], + "norwayeast" : ["20.100.1.184", "51.13.138.76"], + "switzerlandnorth" : ["20.208.4.98", "51.107.251.190"], + "switzerlandwest" : ["20.208.4.98", "51.107.251.190"], + "uaecentral" : ["20.45.95.66", "20.38.141.5"], + "uaenorth" : ["20.45.95.66", "20.38.141.5"], + "uksouth" : ["20.90.132.144", "20.58.68.62"], + "ukwest" : ["20.90.132.144", "20.58.68.62"], + "swedencentral" : ["51.12.72.223", "51.12.22.174"], + "swedensouth" : ["51.12.72.223", "51.12.22.174"], + "centralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "eastus2" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "eastus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "northcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "southcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus2" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus3" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "eastus2euap" : ["20.45.242.18", "20.51.21.252"], + "centraluseuap" : ["20.45.242.18", "20.51.21.252"]}, + "serialConsoleIps": "[if(contains(variables('serialConsoleGeographies'),variables('location')),variables('serialConsoleGeographies')[variables('location')],createArray())]", + "storageAccountIps" : "[concat(variables('SerialConsoleIps'),parameters('storageAccountAdditionalIps'))]", + "installationType": "[parameters('installationType')]", + "isBlink": "[equals(variables('installationType'), 'gateway')]", + "storageAccountName": "[concat('bootdiag', uniqueString(resourceGroup().id, deployment().name))]", + "storageAccountType": "Standard_LRS", + "diskSize100GB": 100, + "diskSizeGB": "[add(parameters('additionalDiskSizeGB'), variables('diskSize100GB'))]", + 
"customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'managementGUIClientNetwork=\"', variables('managementGUIClientNetwork'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n')]", + "imageOffer": "[concat('check-point-cg-', toLower(variables('osVersion')))]", + "imagePublisher": "checkpoint", + "imageSku": "[if(and(equals(parameters('installationType'), 'standalone'), or(equals(variables('osVersion'),'R8040'), equals(variables('osVersion'),'R81'))), 'mgmt-byol', 'sg-byol')]", + "imageReferenceBYOL": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "[variables('imageSku')]", + "version": "latest" + }, + "imageReferenceNGTP": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp", + "version": "latest" + }, + "imageReferenceNGTP-V2": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp-v2", + "version": "latest" + }, + "imageReferenceNGTX": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtx", + "version": "latest" + }, + "imageReferenceNGTX-V2": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtx-v2", + "version": "latest" + }, + "imageReferenceMarketplace": "[if(equals(variables('offer'), 'BYOL'), variables('imageReferenceBYOL'), 
if(equals(variables('offer'), 'NGTP'), variables('imageReferenceNGTP'), if(equals(variables('offer'), 'NGTP-V2'), variables('imageReferenceNGTP-V2'), if(equals(variables('offer'), 'NGTX'), variables('imageReferenceNGTX'), if(equals(variables('offer'), 'NGTX-V2'), variables('imageReferenceNGTX-V2'), json('null'))))))]", + "customImage": "customImage", + "imageReferenceCustomUri": { + "id": "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + }, + "imageReference": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('imageReferenceMarketplace'), variables('imageReferenceCustomUri'))]", + "nic1Name": "[concat(parameters('vmName'), '-eth0')]", + "nic2Name": "[concat(parameters('vmName'), '-eth1')]", + "linuxConfigurationpassword": { + "disablePasswordAuthentication": "false" + }, + "linuxConfigurationsshPublicKey": { + "disablePasswordAuthentication": "true", + "ssh": { + "publicKeys": [ + { + "keyData": "[parameters('sshPublicKey')]", + "path": "/home/notused/.ssh/authorized_keys" + } + ] + } + }, + "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), variables('linuxConfigurationpassword'), variables('linuxConfigurationsshPublicKey'))]", + "planBYOL": { + "name": "[variables('imageSku')]", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP": { + "name": "sg-ngtp", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP-V2": { + "name": "sg-ngtp-v2", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTX": { + "name": "sg-ngtx", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTX-V2": { + "name": "sg-ngtx-v2", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "plan": "[if(equals(variables('offer'), 'BYOL') , variables('planBYOL'), 
if(equals(variables('offer'), 'NGTP'), variables('planNGTP'), if(equals(variables('offer'), 'NGTP-V2'), variables('planNGTP-V2'), if(equals(variables('offer'), 'NGTX'), variables('planNGTX'), if(equals(variables('offer'), 'NGTX-V2'), variables('planNGTX-V2'), json('null'))))))]", + "bootstrapScript64": "[base64(parameters('bootstrapScript'))]", + "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]", + "networkSetupURL": "[uri(parameters('_artifactsLocation'), concat('nestedtemplates/vnet-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]", + "sicKey": "[parameters('sicKey')]", + "managementGUIClientNetwork": "[parameters('managementGUIClientNetwork')]", + "NewNsgReference": {"id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('NewNsgName'))]"} + }, + "resources": [ + { + "apiVersion": "2020-06-01", + "name": "pid-14dc7680-7a2f-483c-b3ec-2c0cfae477aa", + "type": "Microsoft.Resources/deployments", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('storageAccountName')]", + "apiVersion": "2021-06-01", + "properties": { + "supportsHttpsTrafficOnly": true, + "allowBlobPublicAccess": false, + "minimumTlsVersion": "TLS1_2", + "networkAcls": { + "bypass": "None", + "defaultAction": "[if(parameters('addStorageAccountIpRules'), 'Deny', 'Allow')]", + "ipRules": "[if(parameters('addStorageAccountIpRules'), map(variables('storageAccountIps'), lambda('ip',createObject('action','Allow','value',lambdaVariables('ip')))), createArray())]" + } + }, + "location": "[variables('location')]", + "sku": { + "name": "[variables('storageAccountType')]" + }, + "kind": "Storage", + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Storage/storageAccounts'), 
parameters('tagsByResource')['Microsoft.Storage/storageAccounts'], json('{}')) ]"
+ },
+ {
+ "apiVersion": "2020-05-01",
+ "type": "Microsoft.Network/publicIPAddresses",
+ "name": "lbpublicip-v4",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "Standard"
+ },
+ "properties": {
+ "publicIPAllocationMethod": "Static"
+ },
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/publicIPAddresses'), parameters('tagsByResource')['Microsoft.Network/publicIPAddresses'], json('{}')) ]"
+ },
+ {
+ "apiVersion": "2020-05-01",
+ "type": "Microsoft.Network/publicIPAddresses",
+ "name": "lbpublicip-v6",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "Standard"
+ },
+ "properties": {
+ "publicIPAllocationMethod": "Static",
+ "publicIPAddressVersion": "IPv6"
+ },
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/publicIPAddresses'), parameters('tagsByResource')['Microsoft.Network/publicIPAddresses'], json('{}')) ]"
+ },
+ {
+ "apiVersion": "2020-05-01",
+ "name": "loadBalancer",
+ "type": "Microsoft.Network/loadBalancers",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "Standard"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/publicIPAddresses','lbpublicip-v4')]",
+ "[resourceId('Microsoft.Network/publicIPAddresses','lbpublicip-v6')]"
+ ],
+ "properties": {
+ "frontendIpConfigurations": [
+ {
+ "name": "LB-v4",
+ "properties": {
+ "publicIPAddress": {
+ "id": "[resourceId('Microsoft.Network/publicIPAddresses', 'lbpublicip-v4')]"
+ }
+ }
+ },
+ {
+ "name": "LB-v6",
+ "properties": {
+ "publicIPAddress": {
+ "id": "[resourceId('Microsoft.Network/publicIPAddresses','lbpublicip-v6')]"
+ }
+ }
+ }
+ ],
+ "backendAddressPools": [
+ {
+ "name": "LBBAP-v4"
+ },
+ {
+ "name": "LBBAP-v6"
+ }
+ ],
+ "loadBalancingRules": [
+ {
+ "properties": {
+ "frontendIPConfiguration": {
+ "id": "[resourceId('Microsoft.Network/loadBalancers/frontendIpConfigurations', 'loadBalancer', 'LB-v4')]"
+ },
+ "backendAddressPool": {
+ "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', 'loadBalancer', 'LBBAP-v4')]"
+ },
+ "probe": {
+ "id": "[resourceId('Microsoft.Network/loadBalancers/probes', 'loadBalancer', 'lb-probe')]"
+ },
+ "protocol": "Tcp",
+ "frontendPort": 443,
+ "backendPort": 443,
+ "idleTimeoutInMinutes": 4
+ },
+ "name": "lb-rule-v4"
+ },
+ {
+ "properties": {
+ "frontendIPConfiguration": {
+ "id": "[resourceId('Microsoft.Network/loadBalancers/frontendIpConfigurations', 'loadBalancer', 'LB-v6')]"
+ },
+ "backendAddressPool": {
+ "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', 'loadBalancer', 'LBBAP-v6')]"
+ },
+ "probe": {
+ "id": "[resourceId('Microsoft.Network/loadBalancers/probes', 'loadBalancer', 'lb-probe')]"
+ },
+ "protocol": "Tcp",
+ "frontendPort": 443,
+ "backendPort": 443
+ },
+ "name": "lb-rule-v6"
+ }
+ ],
+ "probes": [
+ {
+ "properties": {
+ "protocol": "Tcp",
+ "port": 22,
+ "intervalInSeconds": 5,
+ "numberOfProbes": 2
+ },
+ "name": "lb-probe"
+ }
+ ]
+ },
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/loadBalancers'), parameters('tagsByResource')['Microsoft.Network/loadBalancers'], json('{}')) ]"
+ },
+ {
+ "type": "Microsoft.Network/networkSecurityGroups",
+ "condition": "[and(parameters('deployNewNSG'),equals(parameters('vnetNewOrExisting'), 'new'))]",
+ "apiVersion": "2020-06-01",
+ "location": "[parameters('location')]",
+ "name": "[parameters('NewNsgName')]",
+ "properties": {
+ "securityRules": [
+ {
+ "name": "AllowAllInBound",
+ "properties": {
+ "description": "Allow all inbound connections",
+ "protocol": "*",
+ "sourcePortRange": "*",
+ "destinationPortRange": "*",
+ "sourceAddressPrefix": "*",
+ "destinationAddressPrefix": "*",
+ "access": "Allow",
+ "priority": "100",
+ "direction": "Inbound"
+ }
+ }
+ ]
+ },
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/networkSecurityGroups'), parameters('tagsByResource')['Microsoft.Network/networkSecurityGroups'], json('{}')) ]"
+ },
+ {
+ "condition": "[equals(parameters('vnetNewOrExisting'), 'new')]",
+ "apiVersion": "2021-05-01",
+ "type": "Microsoft.Network/virtualNetworks",
+ "name": "[variables('virtualNetworkName')]",
+ "location": "[parameters('location')]",
+ "properties": {
+ "dhcpOptions": {
+ "dnsServers": [
+ "cafe:43::",
+ "cafe:45::"
+ ]
+ },
+ "addressSpace": {
+ "addressPrefixes": [
+ "[variables('vnetv4AddressRange')]",
+ "[variables('vnetv6AddressRange')]"
+ ]
+ },
+ "subnets": [
+ {
+ "name": "[variables('subnetName')]",
+ "properties": {
+ "addressPrefixes": [
+ "[variables('subnetv4AddressRange')]",
+ "[variables('subnetv6AddressRange')]"
+ ]
+ }
+ },
+ {
+ "name": "[variables('subnet2Name')]",
+ "properties": {
+ "addressPrefixes": [
+ "[variables('subnet2v4AddressRange')]",
+ "[variables('subnet2v6AddressRange')]"
+ ]
+ }
+ }
+ ]
+ },
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/virtualNetworks'), parameters('tagsByResource')['Microsoft.Network/virtualNetworks'], json('{}')) ]"
+ },
+ {
+ "condition": "[equals(parameters('vnetNewOrExisting'), 'existing')]",
+ "name": "networkExistingSetup",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-05-01",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "[variables('networkSetupURL')]",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "location": {
+ "value": "[variables('location')]"
+ },
+ "virtualNetworkName": {
+ "value": "[parameters('virtualNetworkName')]"
+ },
+ "virtualNetworkExistingRGName": {
+ "value": "[parameters('virtualNetworkExistingRGName')]"
+ },
+ "tagsByResource": {
+ "value": "[parameters('tagsByResource')]"
+ },
+ "deployNsg": {
+ "value": "[parameters('deployNewNSG')]"
+ },
+ "NewNsgName":
+ {
+ "value":"[parameters('NewNsgName')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Network/networkInterfaces",
+ "apiVersion": "2020-06-01",
+ "dependsOn": [
+ "[coalesce(resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworkName')), resourceId('Microsoft.Resources/deployments', 'networkExistingSetup'))]",
+ "[resourceId('Microsoft.Network/loadBalancers','loadBalancer')]"
+ ],
+ "location": "[variables('location')]",
+ "name": "[variables('nic1Name')]",
+ "properties": {
+ "networkSecurityGroup":"[if(parameters('deployNewNSG') , variables('NewNsgReference') , parameters('ExistingNSG'))]",
+ "enableIPForwarding": true,
+ "enableAcceleratedNetworking": true,
+ "ipConfigurations": [
+ {
+ "name": "ipconfig-v4",
+ "properties": {
+ "privateIPAddress": "[parameters('Subnet1StartAddress')]",
+ "privateIPAllocationMethod": "Static",
+ "privateIPAddressVersion": "IPv4",
+ "primary": true,
+ "subnet": {
+ "id": "[variables('subnet-id')]"
+ },
+ "loadBalancerBackendAddressPools": [
+ {
+ "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', 'loadBalancer', 'LBBAP-v4')]"
+ }
+ ]
+ }
+ },
+ {
+ "name": "ipconfig-v6",
+ "properties": {
+ "privateIPAllocationMethod": "Dynamic",
+ "privateIPAddressVersion": "IPv6",
+ "subnet": {
+ "id": "[variables('subnet-id')]"
+ },
+ "loadBalancerBackendAddressPools": [
+ {
+ "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', 'loadBalancer', 'LBBAP-v6')]"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/networkInterfaces'), parameters('tagsByResource')['Microsoft.Network/networkInterfaces'], json('{}')) ]"
+ },
+ {
+ "type": "Microsoft.Network/networkInterfaces",
+ "apiVersion": "2020-06-01",
+ "dependsOn": [
+ "[coalesce(resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworkName')), resourceId('Microsoft.Resources/deployments', 'networkExistingSetup'))]",
+ "[resourceId('Microsoft.Network/loadBalancers','loadBalancer')]"
+ ],
+ "location": "[variables('location')]",
+ "name": "[variables('nic2Name')]",
+ "properties": {
+ "enableIPForwarding": true,
+ "enableAcceleratedNetworking": true,
+ "ipConfigurations": [
+ {
+ "name": "ipconfig-v4",
+ "properties": {
+ "privateIPAddress": "[parameters('Subnet2StartAddress')]",
+ "privateIPAllocationMethod": "Static",
+ "subnet": {
+ "id": "[variables('subnet2-id')]"
+ }
+ }
+ },
+ {
+ "name": "ipconfig-v6",
+ "properties": {
+ "privateIPAllocationMethod": "Dynamic",
+ "privateIPAddressVersion": "IPv6",
+ "subnet": {
+ "id": "[variables('subnet2-id')]"
+ }
+ }
+ }
+ ]
+ },
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/networkInterfaces'), parameters('tagsByResource')['Microsoft.Network/networkInterfaces'], json('{}')) ]"
+ },
+ {
+ "condition": "[not(equals(parameters('sourceImageVhdUri'), 'noCustomUri'))]",
+ "type": "Microsoft.Compute/images",
+ "apiVersion": "2020-06-01",
+ "name": "[variables('customImage')]",
+ "location": "[variables('location')]",
+ "properties": {
+ "storageProfile": {
+ "osDisk": {
+ "osType": "Linux",
+ "osState": "Generalized",
+ "blobUri": "[parameters('sourceImageVhdUri')]",
+ "storageAccountType": "Standard_LRS"
+ }
+ },
+ "hyperVGeneration": "V1"
+ },
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Compute/images'), parameters('tagsByResource')['Microsoft.Compute/images'], json('{}')) ]"
+ },
+ {
+ "type": "Microsoft.Compute/virtualMachines",
+ "apiVersion": "2021-07-01",
+ "dependsOn": [
+ "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",
+ "[resourceId('Microsoft.Network/networkInterfaces', variables('nic1Name'))]",
+ "[resourceId('Microsoft.Network/networkInterfaces', variables('nic2Name'))]",
+ "[resourceId('Microsoft.Compute/images/', variables('customImage'))]"
+ ],
+ "location": "[variables('location')]",
+ "name": "[parameters('vmName')]",
+ "plan": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('plan'), json('null'))]",
+ "properties": {
+ "UserData": "[base64(variables('customData'))]",
+ "diagnosticsProfile": {
+ "bootDiagnostics": {
+ "enabled": "true",
+ "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2021-06-01').primaryEndpoints.blob]"
+ }
+ },
+ "hardwareProfile": {
+ "vmSize": "[parameters('vmSize')]"
+ },
+ "networkProfile": {
+ "networkInterfaces": [
+ {
+ "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nic1Name'))]",
+ "properties": {
+ "primary": true
+ }
+ },
+ {
+ "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nic2Name'))]",
+ "properties": {
+ "primary": false
+ }
+ }
+ ]
+ },
+ "osProfile": {
+ "adminPassword": "[parameters('adminPassword')]",
+ "adminUsername": "[concat('not','used')]",
+ "computerName": "[toLower(parameters('vmName'))]",
+ "customData": "[base64(variables('customData'))]",
+ "linuxConfiguration": "[variables('linuxConfiguration')]"
+ },
+ "storageProfile": {
+ "imageReference": "[variables('imageReference')]",
+ "osDisk": {
+ "caching": "ReadWrite",
+ "createOption": "FromImage",
+ "diskSizeGB": "[variables('diskSizeGB')]",
+ "name": "[parameters('vmName')]",
+ "managedDisk": {
+ "storageAccountType": "[parameters('diskType')]"
+ }
+ }
+ }
+ },
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Compute/virtualMachines'), parameters('tagsByResource')['Microsoft.Compute/virtualMachines'], json('{}')) ]"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/deprecated/azure/templates/R8040-R81/single-r8040-r81/README.md b/deprecated/azure/templates/R8040-R81/single-r8040-r81/README.md
new file mode 100644
index 00000000..e092fdd8
--- /dev/null
+++ b/deprecated/azure/templates/R8040-R81/single-r8040-r81/README.md
@@ -0,0 +1,22 @@
+# Check Point CloudGuard Network Security Single Gateway for Azure
+
+Check Point CloudGuard Network Security delivers advanced, multi-layered threat prevention to protect customer assets in Azure from malware and sophisticated threats. As a Microsoft Azure certified solution, CloudGuard Network Security enables you to easily and seamlessly secure your workloads while providing secure connectivity across your cloud and on-premises environments.
+
+Benefits:
+
+· Advanced threat prevention and traffic inspection
+
+· Integrated with Azure Security Center and Azure Sentinel
+
+· Provides consistent security policy management, enforcement, and reporting with a single pane of glass, using Check Point Unified Security Management
+
+
+
+ Deploy to Azure
+
+
+
+To deploy with full control over all the template options use: [Full Control Deployment](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2Fazure%2Ftemplates%2Fmarketplace-single%2FmainTemplate.json)
+
+
+
diff --git a/deprecated/azure/templates/R8040-R81/single-r8040-r81/createUiDefinition.json b/deprecated/azure/templates/R8040-R81/single-r8040-r81/createUiDefinition.json
new file mode 100644
index 00000000..0cc7cd29
--- /dev/null
+++ b/deprecated/azure/templates/R8040-R81/single-r8040-r81/createUiDefinition.json
@@ -0,0 +1,1305 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Compute.MultiVm",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "basics": [
+ {
+ "name": "basics settings text block",
+ "type": "Microsoft.Common.TextBlock",
+ "visible": true,
+ "options": {
+ "text": "Please follow the Check Point Reference Architecture for Azure.",
+ "link": {
+ "label": "Reference Architecture Guide",
+ "uri": "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk109360"
+ }
+ }
+ },
+ {
+ "name": "gatewayNameUi",
+ "type": "Microsoft.Common.TextBox",
+ "label": "VM Name",
+ "toolTip": "The name of the Check Point CloudGuard.",
+ "constraints": {
+ "required": true,
+ "regex": "^[a-z0-9A-Z]{1,30}$",
+ "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long."
+ }
+ },
+ {
+ "name": "auth",
+ "type": "Microsoft.Compute.CredentialsCombo",
+ "label": {
+ "authenticationType": "Authentication type",
+ "password": "Password",
+ "confirmPassword": "Confirm password",
+ "sshPublicKey": "SSH public key"
+ },
+ "toolTip": {
+ "password": "The user 'admin' password",
+ "sshPublicKey": "Paste an OpenSSH public key. You can generate a key pair using ssh-keygen (Linux, OS X, Cygwin) or PuttyGen (Windows)"
+ },
+ "constraints": {
+ "required": true
+ },
+ "options": {
+ "hideConfirmation": false,
+ "hidePassword": false
+ },
+ "osPlatform": "Linux"
+ }
+ ],
+ "steps": [
+ {
+ "name": "chkp",
+ "label": "Check Point CloudGuard settings",
+ "subLabel": {
+ "preValidation": "Configure CloudGuard settings",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "CloudGuard settings",
+ "elements": [
+ {
+ "name": "cloudGuardVersion",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Check Point CloudGuard version",
+ "defaultValue": "R81",
+ "toolTip": "The version of Check Point CloudGuard.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "R80.40",
+ "value": "R80.40"
+ },
+ {
+ "label": "R81",
+ "value": "R81"
+ }
+ ]
+ }
+ },
+ {
+ "name": "R80Offer",
+ "type": "Microsoft.Common.DropDown",
+ "label": "License type",
+ "toolTip": "The type of license.",
+ "defaultValue": "Bring Your Own License",
+ "visible": true,
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Bring Your Own License",
+ "value": "Bring Your Own License"
+ },
+ {
+ "label": "Pay As You Go (NGTP)",
+ "value": "Pay As You Go (NGTP)"
+ },
+ {
+ "label": "Pay As You Go (NGTX)",
+ "value": "Pay As You Go (NGTX)"
+ }
+ ]
+ }
+ },
+ {
+ "name": "R8040vmSizeUiBYOL",
+ "type": "Microsoft.Compute.SizeSelector",
+ "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.40'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]",
+ "label": "Virtual machine size",
+ "toolTip": "The VM size of the Security Gateway",
+ "recommendedSizes": [
+ "Standard_D3_v2",
+ "Standard_DS3_v2"
+ ],
+ "constraints": {
+ "allowedSizes": [
+ "Standard_D4_v4",
+ "Standard_D8_v4",
+ "Standard_D16_v4",
+ "Standard_D32_v4",
+ "Standard_D48_v4",
+ "Standard_D64_v4",
+ "Standard_D4s_v4",
+ "Standard_D8s_v4",
+ "Standard_D16s_v4",
+ "Standard_D32s_v4",
+ "Standard_D48s_v4",
+ "Standard_D64s_v4",
+ "Standard_D2_v5",
+ "Standard_D4_v5",
+ "Standard_D8_v5",
+ "Standard_D16_v5",
+ "Standard_D32_v5",
+ "Standard_D2s_v5",
+ "Standard_D4s_v5",
+ "Standard_D8s_v5",
+ "Standard_D16s_v5",
+ "Standard_D2d_v5",
+ "Standard_D4d_v5",
+ "Standard_D8d_v5",
+ "Standard_D16d_v5",
+ "Standard_D32d_v5",
+ "Standard_D2ds_v5",
+ "Standard_D4ds_v5",
+ "Standard_D8ds_v5",
+ "Standard_D16ds_v5",
+ "Standard_D32ds_v5",
+ "Standard_DS2_v2",
+ "Standard_DS3_v2",
+ "Standard_DS4_v2",
+ "Standard_DS5_v2",
+ "Standard_F2s",
+ "Standard_F4s",
+ "Standard_F8s",
+ "Standard_F16s",
+ "Standard_D4s_v3",
+ "Standard_D8s_v3",
+ "Standard_D16s_v3",
+ "Standard_D32s_v3",
+ "Standard_D64s_v3",
+ "Standard_E4s_v3",
+ "Standard_E8s_v3",
+ "Standard_E16s_v3",
+ "Standard_E20s_v3",
+ "Standard_E32s_v3",
+ "Standard_E64s_v3",
+ "Standard_E64is_v3",
+ "Standard_F4s_v2",
+ "Standard_F8s_v2",
+ "Standard_F16s_v2",
+ "Standard_F32s_v2",
+ "Standard_F64s_v2",
+ "Standard_M8ms",
+ "Standard_M16ms",
+ "Standard_M32ms",
+ "Standard_M64ms",
+ "Standard_M64s",
+ "Standard_D2_v2",
+ "Standard_D3_v2",
+ "Standard_D4_v2",
+ "Standard_D5_v2",
+ "Standard_D11_v2",
+ "Standard_D12_v2",
+ "Standard_D13_v2",
+ "Standard_D14_v2",
+ "Standard_D15_v2",
+ "Standard_F2",
+ "Standard_F4",
+ "Standard_F8",
+ "Standard_F16",
+ "Standard_D4_v3",
+ "Standard_D8_v3",
+ "Standard_D16_v3",
+ "Standard_D32_v3",
+ "Standard_D64_v3",
+ "Standard_E4_v3",
+ "Standard_E8_v3",
+ "Standard_E16_v3",
+ "Standard_E20_v3",
+ "Standard_E32_v3",
+ "Standard_E64_v3",
+ "Standard_E64i_v3",
+ "Standard_DS11_v2",
+ "Standard_DS12_v2",
+ "Standard_DS13_v2",
+ "Standard_DS14_v2",
+ "Standard_DS15_v2"
+ ]
+ },
+ "osPlatform": "Linux",
+ "imageReference": {
+ "publisher": "checkpoint",
+ "offer": "check-point-cg-r8040",
+ "sku": "sg-byol"
+ },
+ "count": 1
+ },
+ {
+ "name": "R8040vmSizeUiNGTP",
+ "type": "Microsoft.Compute.SizeSelector",
+ "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.40'), contains(steps('chkp').R80Offer, '(NGTP)'))]",
+ "label": "Virtual machine size",
+ "toolTip": "The VM size of the Security Gateway",
+ "recommendedSizes": [
+ "Standard_D3_v2",
+ "Standard_DS3_v2"
+ ],
+ "constraints": {
+ "allowedSizes": [
+ "Standard_D4_v4",
+ "Standard_D8_v4",
+ "Standard_D16_v4",
+ "Standard_D32_v4",
+ "Standard_D48_v4",
+ "Standard_D64_v4",
+ "Standard_D4s_v4",
+ "Standard_D8s_v4",
+ "Standard_D16s_v4",
+ "Standard_D32s_v4",
+ "Standard_D48s_v4",
+ "Standard_D64s_v4",
+ "Standard_D2_v5",
+ "Standard_D4_v5",
+ "Standard_D8_v5",
+ "Standard_D16_v5",
+ "Standard_D32_v5",
+ "Standard_D2s_v5",
+ "Standard_D4s_v5",
+ "Standard_D8s_v5",
+ "Standard_D16s_v5",
+ "Standard_D2d_v5",
+ "Standard_D4d_v5",
+ "Standard_D8d_v5",
+ "Standard_D16d_v5",
+ "Standard_D32d_v5",
+ "Standard_D2ds_v5",
+ "Standard_D4ds_v5",
+ "Standard_D8ds_v5",
+ "Standard_D16ds_v5",
+ "Standard_D32ds_v5",
+ "Standard_DS2_v2",
+ "Standard_DS3_v2",
+ "Standard_DS4_v2",
+ "Standard_DS5_v2",
+ "Standard_F2s",
+ "Standard_F4s",
+ "Standard_F8s",
+ "Standard_F16s",
+ "Standard_D4s_v3",
+ "Standard_D8s_v3",
+ "Standard_D16s_v3",
+ "Standard_D32s_v3",
+ "Standard_D64s_v3",
+ "Standard_E4s_v3",
+ "Standard_E8s_v3",
+ "Standard_E16s_v3",
+ "Standard_E20s_v3",
+ "Standard_E32s_v3",
+ "Standard_E64s_v3",
+ "Standard_E64is_v3",
+ "Standard_F4s_v2",
+ "Standard_F8s_v2",
+ "Standard_F16s_v2",
+ "Standard_F32s_v2",
+ "Standard_F64s_v2",
+ "Standard_M8ms",
+ "Standard_M16ms",
+ "Standard_M32ms",
+ "Standard_M64ms",
+ "Standard_M64s",
+ "Standard_D2_v2",
+ "Standard_D3_v2",
+ "Standard_D4_v2",
+ "Standard_D5_v2",
+ "Standard_D11_v2",
+ "Standard_D12_v2",
+ "Standard_D13_v2",
+ "Standard_D14_v2",
+ "Standard_D15_v2",
+ "Standard_F2",
+ "Standard_F4",
+ "Standard_F8",
+ "Standard_F16",
+ "Standard_D4_v3",
+ "Standard_D8_v3",
+ "Standard_D16_v3",
+ "Standard_D32_v3",
+ "Standard_D64_v3",
+ "Standard_E4_v3",
+ "Standard_E8_v3",
+ "Standard_E16_v3",
+ "Standard_E20_v3",
+ "Standard_E32_v3",
+ "Standard_E64_v3",
+ "Standard_E64i_v3",
+ "Standard_DS11_v2",
+ "Standard_DS12_v2",
+ "Standard_DS13_v2",
+ "Standard_DS14_v2",
+ "Standard_DS15_v2"
+ ]
+ },
+ "osPlatform": "Linux",
+ "imageReference": {
+ "publisher": "checkpoint",
+ "offer": "check-point-cg-r8040",
+ "sku": "sg-ngtp"
+ },
+ "count": 1
+ },
+ {
+ "name": "R8040vmSizeUiNGTX",
+ "type": "Microsoft.Compute.SizeSelector",
+ "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.40'), contains(steps('chkp').R80Offer, '(NGTX)'))]",
+ "label": "Virtual machine size",
+ "toolTip": "The VM size of the Security Gateway",
+ "recommendedSizes": [
+ "Standard_D3_v2",
+ "Standard_DS3_v2"
+ ],
+ "constraints": {
+ "allowedSizes": [
+ "Standard_D4_v4",
+ "Standard_D8_v4",
+ "Standard_D16_v4",
+ "Standard_D32_v4",
+ "Standard_D48_v4",
+ "Standard_D64_v4",
+ "Standard_D4s_v4",
+ "Standard_D8s_v4",
+ "Standard_D16s_v4",
+ "Standard_D32s_v4",
+ "Standard_D48s_v4",
+ "Standard_D64s_v4",
+ "Standard_D2_v5",
+ "Standard_D4_v5",
+ "Standard_D8_v5",
+ "Standard_D16_v5",
+ "Standard_D32_v5",
+ "Standard_D2s_v5",
+ "Standard_D4s_v5",
+ "Standard_D8s_v5",
+ "Standard_D16s_v5",
+ "Standard_D2d_v5",
+ "Standard_D4d_v5",
+ "Standard_D8d_v5",
+ "Standard_D16d_v5",
+ "Standard_D32d_v5",
+ "Standard_D2ds_v5",
+ "Standard_D4ds_v5",
+ "Standard_D8ds_v5",
+ "Standard_D16ds_v5",
+ "Standard_D32ds_v5",
+ "Standard_DS2_v2",
+ "Standard_DS3_v2",
+ "Standard_DS4_v2",
+ "Standard_DS5_v2",
+ "Standard_F2s",
+ "Standard_F4s",
+ "Standard_F8s",
+ "Standard_F16s",
+ "Standard_D4s_v3",
+ "Standard_D8s_v3",
+ "Standard_D16s_v3",
+ "Standard_D32s_v3",
+ "Standard_D64s_v3",
+ "Standard_E4s_v3",
+ "Standard_E8s_v3",
+ "Standard_E16s_v3",
+ "Standard_E20s_v3",
+ "Standard_E32s_v3",
+ "Standard_E64s_v3",
+ "Standard_E64is_v3",
+ "Standard_F4s_v2",
+ "Standard_F8s_v2",
+ "Standard_F16s_v2",
+ "Standard_F32s_v2",
+ "Standard_F64s_v2",
+ "Standard_M8ms",
+ "Standard_M16ms",
+ "Standard_M32ms",
+ "Standard_M64ms",
+ "Standard_M64s",
+ "Standard_D2_v2",
+ "Standard_D3_v2",
+ "Standard_D4_v2",
+ "Standard_D5_v2",
+ "Standard_D11_v2",
+ "Standard_D12_v2",
+ "Standard_D13_v2",
+ "Standard_D14_v2",
+ "Standard_D15_v2",
+ "Standard_F2",
+ "Standard_F4",
+ "Standard_F8",
+ "Standard_F16",
+ "Standard_D4_v3",
+ "Standard_D8_v3",
+ "Standard_D16_v3",
+ "Standard_D32_v3",
+ "Standard_D64_v3",
+ "Standard_E4_v3",
+ "Standard_E8_v3",
+ "Standard_E16_v3",
+ "Standard_E20_v3",
+ "Standard_E32_v3",
+ "Standard_E64_v3",
+ "Standard_E64i_v3",
+ "Standard_DS11_v2",
+ "Standard_DS12_v2",
+ "Standard_DS13_v2",
+ "Standard_DS14_v2",
+ "Standard_DS15_v2"
+ ]
+ },
+ "osPlatform": "Linux",
+ "imageReference": {
+ "publisher": "checkpoint",
+ "offer": "check-point-cg-r8040",
+ "sku": "sg-ngtx"
+ },
+ "count": 1
+ },
+ {
+ "name": "R81vmSizeUiBYOL",
+ "type": "Microsoft.Compute.SizeSelector",
+ "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]",
+ "label": "Virtual machine size",
+ "toolTip": "The VM size of the Security Gateway",
+ "recommendedSizes": [
+ "Standard_D3_v2",
+ "Standard_DS3_v2"
+ ],
+ "constraints": {
+ "allowedSizes": [
+ "Standard_D4_v4",
+ "Standard_D8_v4",
+ "Standard_D16_v4",
+ "Standard_D32_v4",
+ "Standard_D48_v4",
+ "Standard_D64_v4",
+ "Standard_D4s_v4",
+ "Standard_D8s_v4",
+ "Standard_D16s_v4",
+ "Standard_D32s_v4",
+ "Standard_D48s_v4",
+ "Standard_D64s_v4",
+ "Standard_D2_v5",
+ "Standard_D4_v5",
+ "Standard_D8_v5",
+ "Standard_D16_v5",
+ "Standard_D32_v5",
+ "Standard_D2s_v5",
+ "Standard_D4s_v5",
+ "Standard_D8s_v5",
+ "Standard_D16s_v5",
+ "Standard_D2d_v5",
+ "Standard_D4d_v5",
+ "Standard_D8d_v5",
+ "Standard_D16d_v5",
+ "Standard_D32d_v5",
+ "Standard_D2ds_v5",
+ "Standard_D4ds_v5",
+ "Standard_D8ds_v5",
+ "Standard_D16ds_v5",
+ "Standard_D32ds_v5",
+ "Standard_DS2_v2",
+ "Standard_DS3_v2",
+ "Standard_DS4_v2",
+ "Standard_DS5_v2",
+ "Standard_F2s",
+ "Standard_F4s",
+ "Standard_F8s",
+ "Standard_F16s",
+ "Standard_D4s_v3",
+ "Standard_D8s_v3",
+ "Standard_D16s_v3",
+ "Standard_D32s_v3",
+ "Standard_D64s_v3",
+ "Standard_E4s_v3",
+ "Standard_E8s_v3",
+ "Standard_E16s_v3",
+ "Standard_E20s_v3",
+ "Standard_E32s_v3",
+ "Standard_E64s_v3",
+ "Standard_E64is_v3",
+ "Standard_F4s_v2",
+ "Standard_F8s_v2",
+ "Standard_F16s_v2",
+ "Standard_F32s_v2",
+ "Standard_F64s_v2",
+ "Standard_M8ms",
+ "Standard_M16ms",
+ "Standard_M32ms",
+ "Standard_M64ms",
+ "Standard_M64s",
+ "Standard_D2_v2",
+ "Standard_D3_v2",
+ "Standard_D4_v2",
+ "Standard_D5_v2",
+ "Standard_D11_v2",
+ "Standard_D12_v2",
+ "Standard_D13_v2",
+ "Standard_D14_v2",
+ "Standard_D15_v2",
+ "Standard_F2",
+ "Standard_F4",
+ "Standard_F8",
+ "Standard_F16",
+ "Standard_D4_v3",
+ "Standard_D8_v3",
+ "Standard_D16_v3",
+ "Standard_D32_v3",
+ "Standard_D64_v3",
+ "Standard_E4_v3",
+ "Standard_E8_v3",
+ "Standard_E16_v3",
+ "Standard_E20_v3",
+ "Standard_E32_v3",
+ "Standard_E64_v3",
+ "Standard_E64i_v3",
+ "Standard_DS11_v2",
+ "Standard_DS12_v2",
+ "Standard_DS13_v2",
+ "Standard_DS14_v2",
+ "Standard_DS15_v2"
+ ]
+ },
+ "osPlatform": "Linux",
+ "imageReference": {
+ "publisher": "checkpoint",
+ "offer": "check-point-cg-r81",
+ "sku": "sg-byol"
+ },
+ "count": 1
+ },
+ {
+ "name": "R81vmSizeUiNGTP",
+ "type": "Microsoft.Compute.SizeSelector",
+ "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81'), contains(steps('chkp').R80Offer, '(NGTP)'))]",
+ "label": "Virtual machine size",
+ "toolTip": "The VM size of the Security Gateway",
+ "recommendedSizes": [
+ "Standard_D3_v2",
+ "Standard_DS3_v2"
+ ],
+ "constraints": {
+ "allowedSizes": [
+ "Standard_D4_v4",
+ "Standard_D8_v4",
+ "Standard_D16_v4",
+ "Standard_D32_v4",
+ "Standard_D48_v4",
+ "Standard_D64_v4",
+ "Standard_D4s_v4",
+ "Standard_D8s_v4",
+ "Standard_D16s_v4",
+ "Standard_D32s_v4",
+ "Standard_D48s_v4",
+ "Standard_D64s_v4",
+ "Standard_D2_v5",
+ "Standard_D4_v5",
+ "Standard_D8_v5",
+ "Standard_D16_v5",
+ "Standard_D32_v5",
+ "Standard_D2s_v5",
+ "Standard_D4s_v5",
+ "Standard_D8s_v5",
+ "Standard_D16s_v5",
+ "Standard_D2d_v5",
+ "Standard_D4d_v5",
+ "Standard_D8d_v5",
+ "Standard_D16d_v5",
+ "Standard_D32d_v5",
+ "Standard_D2ds_v5",
+ "Standard_D4ds_v5",
+ "Standard_D8ds_v5",
+ "Standard_D16ds_v5",
+ "Standard_D32ds_v5",
+ "Standard_DS2_v2",
+ "Standard_DS3_v2",
+ "Standard_DS4_v2",
+ "Standard_DS5_v2",
+ "Standard_F2s",
+ "Standard_F4s",
+ "Standard_F8s",
+ "Standard_F16s",
+ "Standard_D4s_v3",
+ "Standard_D8s_v3",
+ "Standard_D16s_v3",
+ "Standard_D32s_v3",
+ "Standard_D64s_v3",
+ "Standard_E4s_v3",
+ "Standard_E8s_v3",
+ "Standard_E16s_v3",
+ "Standard_E20s_v3",
+ "Standard_E32s_v3",
+ "Standard_E64s_v3",
+ "Standard_E64is_v3",
+ "Standard_F4s_v2",
+ "Standard_F8s_v2",
+ "Standard_F16s_v2",
+ "Standard_F32s_v2",
+ "Standard_F64s_v2",
+ "Standard_M8ms",
+ "Standard_M16ms",
+ "Standard_M32ms",
+ "Standard_M64ms",
+ "Standard_M64s",
+ "Standard_D2_v2",
+ "Standard_D3_v2",
+ "Standard_D4_v2",
+ "Standard_D5_v2",
+ "Standard_D11_v2",
+ "Standard_D12_v2",
+ "Standard_D13_v2",
+ "Standard_D14_v2",
+ "Standard_D15_v2",
+ "Standard_F2",
+ "Standard_F4",
+ "Standard_F8",
+ "Standard_F16",
+ "Standard_D4_v3",
+ "Standard_D8_v3",
+ "Standard_D16_v3",
+ "Standard_D32_v3",
+ "Standard_D64_v3",
+ "Standard_E4_v3",
+ "Standard_E8_v3",
+ "Standard_E16_v3",
+ "Standard_E20_v3",
+ "Standard_E32_v3",
+ "Standard_E64_v3",
+ "Standard_E64i_v3",
+ "Standard_DS11_v2",
+ "Standard_DS12_v2",
+ "Standard_DS13_v2",
+ "Standard_DS14_v2",
+ "Standard_DS15_v2"
+ ]
+ },
+ "osPlatform": "Linux",
+ "imageReference": {
+ "publisher": "checkpoint",
+ "offer": "check-point-cg-r81",
+ "sku": "sg-ngtp"
+ },
+ "count": 1
+ },
+ {
+ "name": "R81vmSizeUiNGTX",
+ "type": "Microsoft.Compute.SizeSelector",
+ "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81'), contains(steps('chkp').R80Offer, '(NGTX)'))]",
+ "label": "Virtual machine size",
+ "toolTip": "The VM size of the Security Gateway",
+ "recommendedSizes": [
+ "Standard_D3_v2",
+ "Standard_DS3_v2"
+ ],
+ "constraints": {
+ "allowedSizes": [
+ "Standard_D4_v4",
+ "Standard_D8_v4",
+ "Standard_D16_v4",
+ "Standard_D32_v4",
+ "Standard_D48_v4",
+ "Standard_D64_v4",
+ "Standard_D4s_v4",
+ "Standard_D8s_v4",
+ "Standard_D16s_v4",
+ "Standard_D32s_v4",
+ "Standard_D48s_v4",
+ "Standard_D64s_v4",
+ "Standard_D2_v5",
+ "Standard_D4_v5",
+ "Standard_D8_v5",
+ "Standard_D16_v5",
+ "Standard_D32_v5",
+ "Standard_D2s_v5",
+ "Standard_D4s_v5",
+ "Standard_D8s_v5",
+ "Standard_D16s_v5",
+ "Standard_D2d_v5",
+ "Standard_D4d_v5",
+ "Standard_D8d_v5",
+ "Standard_D16d_v5",
+ "Standard_D32d_v5",
+ "Standard_D2ds_v5",
+ "Standard_D4ds_v5",
+ "Standard_D8ds_v5",
+ "Standard_D16ds_v5",
+ "Standard_D32ds_v5",
+ "Standard_DS2_v2",
+ "Standard_DS3_v2",
+ "Standard_DS4_v2",
+ "Standard_DS5_v2",
+ "Standard_F2s",
+ "Standard_F4s",
+ "Standard_F8s",
+ "Standard_F16s",
+ "Standard_D4s_v3",
+ "Standard_D8s_v3",
+ "Standard_D16s_v3",
+ "Standard_D32s_v3",
+ "Standard_D64s_v3",
+ "Standard_E4s_v3",
+ "Standard_E8s_v3",
+ "Standard_E16s_v3",
+ "Standard_E20s_v3",
+ "Standard_E32s_v3",
+ "Standard_E64s_v3",
+ "Standard_E64is_v3",
+ "Standard_F4s_v2",
+ "Standard_F8s_v2",
+ "Standard_F16s_v2",
+ "Standard_F32s_v2",
+ "Standard_F64s_v2",
+ "Standard_M8ms",
+ "Standard_M16ms",
+ "Standard_M32ms",
+ "Standard_M64ms",
+ "Standard_M64s",
+ "Standard_D2_v2",
+ "Standard_D3_v2",
+ "Standard_D4_v2",
+ "Standard_D5_v2",
+ "Standard_D11_v2",
+ "Standard_D12_v2",
+ "Standard_D13_v2",
+ "Standard_D14_v2",
+ "Standard_D15_v2",
+ "Standard_F2",
+ "Standard_F4",
+ "Standard_F8",
+ "Standard_F16",
+ "Standard_D4_v3",
+ "Standard_D8_v3",
+ "Standard_D16_v3",
+ "Standard_D32_v3",
+ "Standard_D64_v3",
+ "Standard_E4_v3",
+ "Standard_E8_v3",
+ "Standard_E16_v3",
+ "Standard_E20_v3",
+ "Standard_E32_v3",
+ "Standard_E64_v3",
+ "Standard_E64i_v3",
+ "Standard_DS11_v2",
+ "Standard_DS12_v2",
+ "Standard_DS13_v2",
+ "Standard_DS14_v2",
+ "Standard_DS15_v2"
+ ]
+ },
+ "osPlatform": "Linux",
+ "imageReference": {
+ "publisher": "checkpoint",
+ "offer": "check-point-cg-r81",
+ "sku": "sg-ngtx"
+ },
+ "count": 1
+ },
+ {
+ "name": "installationType",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Installation type",
+ "visible": "[or(equals(steps('chkp').cloudGuardVersion, 'R80.40'), equals(steps('chkp').cloudGuardVersion, 'R81'))]",
+ "defaultValue": "Gateway only",
+ "toolTip": "Select the type of deployment",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Gateway only",
+ "value": "gateway"
+ },
+ {
+ "label": "Standalone",
+ "value": "standalone"
+ }
+ ]
+ }
+ },
+ {
+ "name": "adminShell",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Default shell for the admin user",
+ "defaultValue": "/etc/cli.sh",
+ "toolTip": "The default shell for the admin user",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "/etc/cli.sh",
+ "value": "/etc/cli.sh"
+ },
+ {
+ "label": "/bin/bash",
+ "value": "/bin/bash"
+ },
+ {
+ "label": "/bin/csh",
+ "value": "/bin/csh"
+ },
+ {
+ "label": "/bin/tcsh",
+ "value": "/bin/tcsh"
+ }
+ ]
+ }
+ },
+ {
+ "name": "standaloneValidation",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[and(equals(steps('chkp').installationType, 'standalone'), not(and(equals(steps('chkp').R80Offer, 'Bring Your Own License'),or(equals(steps('chkp').cloudGuardVersion, 'R80.40'), equals(steps('chkp').cloudGuardVersion, 'R81')))))]",
+ "options": {
+ "icon": "Error",
+ "text": "Standalone deployment is ONLY supported for CloudGuard versions R80.40, R81 Bring Your Own License."
+ }
+ },
+ {
+ "name": "managementGUIClientNetwork",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Allowed GUI clients",
+ "toolTip": "GUI clients network CIDR",
+ "constraints": {
+ "required": true,
+ "regex": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$",
+ "validationMessage": "Enter a valid IPv4 network CIDR"
+ },
+ "visible": "[and(or(equals(steps('chkp').cloudGuardVersion, 'R80.40'), equals(steps('chkp').cloudGuardVersion, 'R81')), equals(steps('chkp').installationType, 'standalone'))]"
+ },
+ {
+ "name": "sicKeyUi",
+ "type": "Microsoft.Common.PasswordBox",
+ "label": {
+ "password": "SIC key",
+ "confirmPassword": "Confirm SIC key"
+ },
+ "toolTip": "Set the Secure Internal Communication one time secret used to set up trust between the gateway and the management server.",
+ "constraints": {
+ "required": true,
+ "regex": "^[a-z0-9A-Z]{12,30}$",
+ "validationMessage": "Only alphanumeric characters are allowed, and the value must be 12-30 characters long."
+ },
+ "options": {
+ "hideConfirmation": false
+ },
+ "visible": "[not(equals(steps('chkp').installationType, 'standalone'))]"
+ },
+ {
+ "name": "SerialPasswordInfoBox",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[bool(basics('auth').sshPublicKey)]",
+ "options": {
+ "icon": "Info",
+ "text": "Check Point recommends setting serial console password and maintenance-mode password for recovery purposes. For R81.10 and below the serial console password is used also as maintenance-mode password"
+ }
+ },
+ {
+ "visible": "[bool(basics('auth').sshPublicKey)]",
+ "name": "EnableSerialConsolePassword",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable Serial console password",
+ "defaultValue": "Yes",
+ "toolTip": "A unique password hash to enable VM connection via serial console.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": true
+ },
+ {
+ "label": "No",
+ "value": false
+ }
+ ]
+ }
+ },
+ {
+ "name": "AdditionalPassword",
+ "type": "Microsoft.Common.PasswordBox",
+ "toolTip": "Serial console password hash, used to enable password authentication (using serial console). To generate password hash use the command 'openssl passwd -6 PASSWORD'",
+ "visible": "[and(bool(basics('auth').sshPublicKey), steps('chkp').EnableSerialConsolePassword)]",
+ "label": {
+ "password": "Password hash",
+ "confirmPassword": "Confirm password"
+ },
+ "constraints": {
+ "required": true,
+ "regex": "^.{12,300}$",
+ "validationMessage": "The value must be the output of the hash command."
+ },
+ "options": {
+ "hideConfirmation": false
+ }
+ },
+ {
+ "name": "bootstrapScript",
+ "type": "Microsoft.Common.FileUpload",
+ "label": "Bootstrap script",
+ "toolTip": "An optional script to run on the initial boot",
+ "constraints": {
+ "required": false,
+ "accept": ".sh,text/plain"
+ },
+ "options": {
+ "multiple": false,
+ "uploadMode": "file",
+ "openMode": "text",
+ "encoding": "UTF-8"
+ }
+ },
+ {
+ "visible": "[or(not(equals(steps('chkp').cloudGuardVersion, 'R80.10')), not(equals(steps('chkp').installationType, 'custom')))]",
+ "name": "allowUploadDownload",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Automatically download updates and share statistical data for product improvement purpose",
+ "defaultValue": "Yes",
+ "toolTip": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "true"
+ },
+ {
+ "label": "No",
+ "value": "false"
+ }
+ ]
+ }
+ },
+ {
+ "name": "VMDiskType",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "VM disk type",
+ "toolTip": "Type of CloudGuard disk.",
+ "visible": "[not(contains('R80.40 R81' , steps('chkp').cloudGuardVersion))]",
+ "defaultValue": "Premium",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Standard",
+ "value": "Standard_LRS"
+ },
+ {
+ "label": "Premium",
+ "value": "Premium_LRS"
+ }
+ ]
+ }
+ },
+ {
+ "name": "VMDiskTypeOldVersions",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "VM disk type",
+ "toolTip": "Type of CloudGuard disk.",
+ "visible": "[contains('R80.40 R81' , steps('chkp').cloudGuardVersion)]",
+ "defaultValue": "Standard",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Standard",
+ "value": "Standard_LRS"
+ },
+ {
+ "label": "Premium",
+ "value": "Premium_LRS"
+ }
+ ]
+ }
+ },
+ {
+ "name": "basics settings text block",
+ "type": "Microsoft.Common.TextBlock",
+ "visible": true,
+ "options": {
+ "text": "Please follow the Check Point referenced guide for adding disk space.",
+ "link": {
+ "label": "Additional disk space in CloudGuard",
+ "uri": "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk156552"
+ }
+ }
+ },
+ {
+ "name": "additionalDiskSizeGB",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Additional disk space (GB)",
+ "defaultValue": "0",
+ "toolTip": "Additional disk space (in GB), initial disk size is 100 GB.",
+ "constraints": {
+ "regex": "^([0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-2][0-9][0-9][0-9]|3[0-8][0-9][0-9]|399[0-5])$",
+ "validationMessage": "Select a number between 0 and 3995"
+ }
+ },
+ {
+ "name": "useCustomImageUri",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Use development image uri",
+ "defaultValue": "No",
+ "toolTip": "Use custom image URI.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ],
+ "required": true
+ },
+ "visible": false
+ },
+ {
+ "name": "sourceImageVhdUri",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Development Image URI",
+ "toolTip": "The URI of the blob containing the development image",
+ "constraints": {
+ "required": "[equals(steps('chkp').useCustomImageUri, 'Yes')]",
+ "regex": "^[a-z0-9A-Z_\\-\\.\\:\\/]{1,500}.vhd$",
+ "validationMessage": "Only alphanumeric characters and '_','-','.',':','/' are allowed, the value must be 1-500 characters long and must end with .vhd. "
+ },
+ "visible": "[equals(steps('chkp').useCustomImageUri, 'Yes')]"
+ },
+ {
+ "name": "customMetrics",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable CloudGuard metrics",
+ "defaultValue": "Yes",
+ "toolTip": "Enable CloudGuard metrics in order to send statuses and statistics collected from Gateway or Standalone to the Azure Monitor service.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "yes"
+ },
+ {
+ "label": "No",
+ "value": "no"
+ }
+ ],
+ "required": true
+ },
+ "visible": true
+ },
+ {
+ "name": "allowSmart1CloudConnection",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Quick connect to Smart-1 Cloud",
+ "defaultValue": "Yes",
+ "toolTip": "Automatically connect this single gateway to Smart-1 Cloud - Check Point's Security Management as a Service",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "yes"
+ },
+ {
+ "label": "No",
+ "value": "no"
+ }
+ ]
+ },
+ "visible": "[equals(steps('chkp').installationType, 'gateway')]"
+ },
+ {
+ "name": "smart1CloudTokenTxt",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Follow these instructions to quickly connect this single gateway to Smart-1 Cloud",
+ "link": {
+ "label": "SK180501 - Connecting CloudGuard Network Security Public Cloud Gateways to Smart-1 Cloud",
+ "uri": "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501"
+ }
+ },
+ "visible": "[equals(steps('chkp').allowSmart1CloudConnection, 'yes')]"
+ },
+ {
+ "name": "Smart1CloudToken",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Smart-1 Cloud Token",
+ "toolTip": "Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal",
+ "constraints": {
+ "required": true,
+ "regex": "[\\S\\s]{5,}",
+ "validationMessage": "Smart1Cloud Token Should contain at lease 5 characters"
+ },
+ "visible": "[equals(steps('chkp').allowSmart1CloudConnection, 'yes')]"
+ }
+ ]
+ },
+ {
+ "name": "network",
+ "label": "Network settings",
+ "subLabel": {
+ "preValidation": "Configure network settings",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Network settings",
+ "elements": [
+ {
+ "name": "virtualNetwork",
+ "type": "Microsoft.Network.VirtualNetworkCombo",
+ "label": {
+ "virtualNetwork": "Virtual network",
+ "subnets": "Subnets"
+ },
+ "toolTip": {
+ "virtualNetwork": "Virtual Network Name",
+ "subnets": "List of subnets to deploy into"
+ },
+ "defaultValue": {
+ "name": "vnet01",
+ "addressPrefixSize": "/16"
+ },
+ "constraints": {
+ "minAddressPrefixSize": "/28"
+ },
+ "options": {
+ "hideExisting": false
+ },
+ "subnets": {
+ "subnet1": {
+ "label": "Frontend subnet",
+ "defaultValue": {
+ "name": "Frontend",
+ "addressPrefixSize": "/24"
+ },
+ "constraints": {
+ "minAddressPrefixSize": "/29",
+ "minAddressCount": 1,
+ "requireContiguousAddresses": true
+ }
+ },
+ "subnet2": {
+ "label": "Backend subnet",
+ "defaultValue": {
+ "name": "Backend",
+ "addressPrefixSize": "/24"
+ },
+ "constraints": {
+ "minAddressPrefixSize": "/29",
+ "minAddressCount": 1,
+ "requireContiguousAddresses": true
+ }
+ }
+ }
+ },
+ {
+ "name": "NSG",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Network Security Group",
+ "toolTip": "Choose between using an existing NSG or using a new NSG",
+
"constraints": { + "allowedValues": [ + { + "label": "Create new", + "value": true + }, + { + "label": "Existing NSG", + "value": false + } + ], + "required": true + }, + "visible": true + }, + { + "name": "nsgSelector", + "type": "Microsoft.Solutions.ResourceSelector", + "label": "Network Security Group", + "defaultValue": "null", + "toolTip": "Choose an existing NSG", + "resourceType": "Microsoft.Network/NetworkSecurityGroups", + "options": { + "filter": { + "subscription": "onBasics", + "location": "onBasics" + } + }, + "constraints": { + "required": true + }, + "visible": "[equals(steps('network').NSG, false)]" + }, + { + "name": "NSGName", + "type": "Microsoft.Common.TextBox", + "label": "Name", + "defaultValue": "[concat(basics('gatewayNameUi') , '-nsg')]", + "toolTip": "Insert Name for the new NSG", + "multiLine": false, + "constraints": { + "required": "[steps('network').NSG]", + "regex": "^[a-z0-9A-Z-]{1,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." 
+ }, + "visible": "[steps('network').NSG]" + }, + { + "name": "addStorageAccountIpRules", + "type": "Microsoft.Common.OptionsGroup", + "defaultValue": "Network access from all networks", + "label": "Storage Account Network Access", + "toolTip": "Select your preferred network access to the Storage Account, for more information - https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#serial-console-security", + "constraints": { + "allowedValues": [ + { + "label": "Network access from all networks", + "value": false + }, + { + "label": "Network access only from Serial Console", + "value": true + } + ], + "required": true + }, + "visible": true + } + ] + }, + { + "name": "tags", + "label": "Tags", + "elements": [ + { + "name": "tagsByResource", + "type": "Microsoft.Common.TagsByResource", + "toolTip": "Create Azure tags for the new resources", + "resources": [ + "Microsoft.Storage/storageAccounts", + "Microsoft.Network/publicIPAddresses", + "Microsoft.Network/networkInterfaces", + "Microsoft.Compute/virtualMachines", + "Microsoft.Network/routeTables", + "Microsoft.Network/virtualNetworks" + ] + } + ] + } + ], + "outputs": { + "location": "[location()]", + "cloudGuardVersion": "[concat(steps('chkp').cloudGuardVersion, ' - ', coalesce(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "adminPassword": "[basics('auth').password]", + "SerialConsolePasswordHash": "[steps('chkp').AdditionalPassword]", + "authenticationType": "[basics('auth').authenticationType]", + "sshPublicKey": "[basics('auth').sshPublicKey]", + "vmName": "[basics('gatewayNameUi')]", + "vmSize": "[coalesce(steps('chkp').R8040vmSizeUiBYOL, steps('chkp').R8040vmSizeUiNGTP, steps('chkp').R8040vmSizeUiNGTX,steps('chkp').R81vmSizeUiBYOL, steps('chkp').R81vmSizeUiNGTP, steps('chkp').R81vmSizeUiNGTX)]", + "sicKey": "[coalesce(steps('chkp').sicKeyUi, 'notused')]", + "virtualNetworkName": "[steps('network').virtualNetwork.name]", + "virtualNetworkAddressPrefix": 
"[steps('network').virtualNetwork.addressPrefix]", + "Subnet1Name": "[steps('network').virtualNetwork.subnets.subnet1.name]", + "Subnet1Prefix": "[steps('network').virtualNetwork.subnets.subnet1.addressPrefix]", + "Subnet1StartAddress": "[steps('network').virtualNetwork.subnets.subnet1.startAddress]", + "Subnet2Name": "[steps('network').virtualNetwork.subnets.subnet2.name]", + "Subnet2Prefix": "[steps('network').virtualNetwork.subnets.subnet2.addressPrefix]", + "Subnet2StartAddress": "[steps('network').virtualNetwork.subnets.subnet2.startAddress]", + "vnetNewOrExisting": "[steps('network').virtualNetwork.newOrExisting]", + "virtualNetworkExistingRGName": "[steps('network').virtualNetwork.resourceGroup]", + "managementGUIClientNetwork": "[steps('chkp').managementGUIClientNetwork]", + "installationType": "[steps('chkp').installationType]", + "bootstrapScript": "[steps('chkp').bootstrapScript]", + "allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp').allowUploadDownload, 'true')]", + "additionalDiskSizeGB": "[int(steps('chkp').additionalDiskSizeGB)]", + "diskType": "[if(contains('R80.40 R81' , steps('chkp').cloudGuardVersion) , steps('chkp').VMDiskTypeOldVersions , steps('chkp').VMDiskType)]", + "sourceImageVhdUri": "[coalesce(steps('chkp').sourceImageVhdUri, 'noCustomUri')]", + "customMetrics": "[steps('chkp').customMetrics]", + "adminShell": "[steps('chkp').adminShell]", + "smart1CloudToken": "[steps('chkp').Smart1CloudToken]", + "tagsByResource": "[steps('tags').tagsByResource]", + "deployNewNSG": "[steps('network').NSG]", + "ExistingNSG": "[steps('network').nsgSelector]", + "NewNsgName": "[steps('network').NSGName]", + "addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]" + } + } +} diff --git a/deprecated/azure/templates/R8040-R81/single-r8040-r81/mainTemplate.json b/deprecated/azure/templates/R8040-R81/single-r8040-r81/mainTemplate.json new file mode 100644 index 00000000..911b8572 --- /dev/null 
+++ b/deprecated/azure/templates/R8040-R81/single-r8040-r81/mainTemplate.json 
@@ -0,0 +1,779 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "subscriptionId": { + "type": "string", + "defaultValue": "[subscription().subscriptionId]", + "metadata": { + "description": "Subscription ID." + } + }, + "location": { + "type": "string", + "metadata": { + "description": "Deployment location" + }, + "defaultValue": "[resourceGroup().location]" + }, + "cloudGuardVersion": { + "type": "string", + "allowedValues": [ + "R80.40 - Bring Your Own License", + "R80.40 - Pay As You Go (NGTP)", + "R80.40 - Pay As You Go (NGTX)", + "R81 - Bring Your Own License", + "R81 - Pay As You Go (NGTP)", + "R81 - Pay As You Go (NGTX)", + ], + "defaultValue": "R81.20 - Bring Your Own License", + "metadata": { + "description": "Version of Check Point CloudGuard" + } + }, + "authenticationType": { + "type": "string", + "allowedValues": [ + "password", + "sshPublicKey" + ], + "defaultValue": "password", + "metadata": { + "description": "Authentication type" + } + }, + "sshPublicKey": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Administrator SSH public key" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Administrator password" + }, + "defaultValue": "" + }, + "SerialConsolePasswordHash": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "Description": "Optional parameter, used to enable serial console connection in case of SSH key as authentication type" + } + }, + "vmName": { + "type": "string", + "metadata": { + "description": "Name of the Check Point Security Gateway" + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_D3_v2", + "metadata": { + "description": "Size of the VM" + } + }, + "adminShell": { + "type": "string", + "defaultValue": "/etc/cli.sh", + "allowedValues": [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh" + ], + "metadata": { + 
"Description": "The default shell for the admin user" + } + }, + "sicKey": { + "type": "securestring", + "metadata": { + "description": "One time key for Secure Internal Communication" + } + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "vnet" + }, + "virtualNetworkAddressPrefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the virtual network" + }, + "defaultValue": "10.0.0.0/16" + }, + "Subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the 1st subnet" + }, + "defaultValue": "Frontend" + }, + "Subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 1st subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "Subnet1StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the 1st subnet" + }, + "defaultValue": "10.0.1.10" + }, + "Subnet2Name": { + "type": "string", + "metadata": { + "description": "The name of the 2nd subnet" + }, + "defaultValue": "Backend" + }, + "Subnet2Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the 2nd subnet" + }, + "defaultValue": "10.0.2.0/24" + }, + "Subnet2StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the 2nd subnet" + }, + "defaultValue": "10.0.2.10" + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "new", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "[resourceGroup().name]" + }, + "managementGUIClientNetwork": { + "type": "string", + "metadata": { + "description": "Allowed GUI clients" + }, + "defaultValue": "0.0.0.0/0" + }, 
+ "installationType": { + "type": "string", + "metadata": { + "description": "Installation Type" + }, + "defaultValue": "gateway", + "allowedValues": [ + "standalone", + "gateway", + "custom" + ] + }, + "bootstrapScript": { + "type": "string", + "metadata": { + "description": "Bootstrap script" + }, + "defaultValue": "" + }, + "allowDownloadFromUploadToCheckPoint": { + "type": "string", + "allowedValues": [ + "true", + "false" + ], + "defaultValue": "true", + "metadata": { + "description": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + } + }, + "additionalDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "metadata": { + "description": "Amount of additional disk space (in GB)" + }, + "minValue": 0, + "maxValue": 3995 + }, + "diskType": { + "type": "string", + "defaultValue": "Standard_LRS", + "metadata": { + "description": "The type of the OS disk. Premium is applicable only to DS machine sizes" + }, + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ] + }, + "sourceImageVhdUri": { + "type": "string", + "defaultValue": "noCustomUri", + "metadata": { + "description": "The URI of the blob containing the development image" + } + }, + "_artifactsLocation": { + "type": "string", + "metadata": { + "description": "Use the following URI when deploying a custom template: https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/" + }, + "defaultValue": "[deployment().properties.templateLink.uri]" + }, + "_artifactsLocationSasToken": { + "type": "securestring", + "metadata": { + "description": "The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. Use the defaultValue if the staging location is not secured." 
+ }, + "defaultValue": "" + }, + "customMetrics": { + "type": "string", + "allowedValues": [ + "no", + "yes" + ], + "defaultValue": "yes", + "metadata": { + "Description": "Indicates whether CloudGuard Metrics will be used for this VM monitoring" + } + }, + "smart1CloudToken": { + "type": "securestring", + "defaultValue": "" + }, + "rbacGuid": { + "type": "string", + "defaultValue": "[newGuid()]" + }, + "tagsByResource": { + "type": "object", + "defaultValue": {} + }, + "deployNewNSG": { + "type": "bool", + "defaultValue": true + }, + "ExistingNSG": { + "type": "object", + "defaultValue": {} + }, + "NewNsgName": { + "type": "string", + "defaultValue": "[concat(parameters('vmName'),'-nsg')]" + }, + "addStorageAccountIpRules": { + "type": "bool", + "metadata": { + "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled" + }, + "defaultValue" : false + }, + "storageAccountAdditionalIps":{ + "type": "array", + "metadata": { + "description": "IPs/CIDRs that are allowed access to the Storage Account" + }, + "defaultValue" : [] + } + }, + "variables": { + "templateName": "single", + "templateVersion": "20230910", + "location": "[parameters('location')]", + "offers": { + "R80.40 - Bring Your Own License": "BYOL", + "R80.40 - Pay As You Go (NGTP)": "NGTP", + "R80.40 - Pay As You Go (NGTX)": "NGTX", + "R81 - Bring Your Own License": "BYOL", + "R81 - Pay As You Go (NGTP)": "NGTP", + "R81 - Pay As You Go (NGTX)": "NGTX" + }, + "offer": "[variables('offers')[parameters('cloudGuardVersion')]]", + "osVersions": { + "R80.40 - Bring Your Own License": "R8040", + "R80.40 - Pay As You Go (NGTP)": "R8040", + "R80.40 - Pay As You Go (NGTX)": "R8040", + "R81 - Bring Your Own License": "R81", + "R81 - Pay As You Go (NGTP)": "R81", + 
"R81 - Pay As You Go (NGTX)": "R81" + }, + "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", + "serialConsoleGeographies": { + "eastasia" : ["20.205.69.28", "20.195.85.180"], + "southeastasia" : ["20.205.69.28", "20.195.85.180"], + "australiacentral" : ["20.53.53.224", "20.70.222.112"], + "australiacentral2" : ["20.53.53.224", "20.70.222.112"], + "australiaeast" : ["20.53.53.224", "20.70.222.112"], + "australiasoutheast" : ["20.53.53.224", "20.70.222.112"], + "brazilsouth" : ["91.234.136.63", "20.206.0.194"], + "brazilsoutheast" : ["91.234.136.63", "20.206.0.194"], + "canadacentral" : ["52.228.86.177", "52.242.40.90"], + "canadaeast" : ["52.228.86.177", "52.242.40.90"], + "northeurope" : ["52.146.139.220", "20.105.209.72"], + "westeurope" : ["52.146.139.220", "20.105.209.72"], + "francecentral" : ["20.111.0.244", "52.136.191.10"], + "francesouth" : ["20.111.0.244", "52.136.191.10"], + "germanynorth" : ["51.116.75.88", "20.52.95.48"], + "germanywestcentral" : ["51.116.75.88", "20.52.95.48"], + "centralindia" : ["20.192.168.150", "20.192.153.104"], + "southindia" : ["20.192.168.150", "20.192.153.104"], + "westindia" : ["20.192.168.150", "20.192.153.104"], + "japaneast" : ["20.43.70.205", "20.189.228.222"], + "japanwest" : ["20.43.70.205", "20.189.228.222"], + "koreacentral" : ["20.200.196.96", "52.147.119.29"], + "koreasouth" : ["20.200.196.96", "52.147.119.29"], + "norwaywest" : ["20.100.1.184", "51.13.138.76"], + "norwayeast" : ["20.100.1.184", "51.13.138.76"], + "switzerlandnorth" : ["20.208.4.98", "51.107.251.190"], + "switzerlandwest" : ["20.208.4.98", "51.107.251.190"], + "uaecentral" : ["20.45.95.66", "20.38.141.5"], + "uaenorth" : ["20.45.95.66", "20.38.141.5"], + "uksouth" : ["20.90.132.144", "20.58.68.62"], + "ukwest" : ["20.90.132.144", "20.58.68.62"], + "swedencentral" : ["51.12.72.223", "51.12.22.174"], + "swedensouth" : ["51.12.72.223", "51.12.22.174"], + "centralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", 
"20.83.222.102"], + "eastus2" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "eastus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "northcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "southcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus2" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus3" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "eastus2euap" : ["20.45.242.18", "20.51.21.252"], + "centraluseuap" : ["20.45.242.18", "20.51.21.252"], + "usgovarizona" : ["20.141.10.130", "52.127.55.131"], + "usgovvirginia" : ["20.141.10.130", "52.127.55.131"] + }, + "serialConsoleIps": "[if(contains(variables('serialConsoleGeographies'),variables('location')),variables('serialConsoleGeographies')[variables('location')],createArray())]", + "storageAccountIps" : "[concat(variables('SerialConsoleIps'),parameters('storageAccountAdditionalIps'))]", + "installationType": "[parameters('installationType')]", + "isBlink": "[equals(variables('installationType'), 'gateway')]", + "storageAccountName": "[concat('bootdiag', uniqueString(resourceGroup().id, deployment().name))]", + "storageAccountType": "Standard_LRS", + "diskSize100GB": 100, + "diskSizeGB": "[add(parameters('additionalDiskSizeGB'), variables('diskSize100GB'))]", + "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 
'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'managementGUIClientNetwork=\"', variables('managementGUIClientNetwork'), '\"', '\n', 'customMetrics=\"', variables('customMetrics'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n', 'smart1CloudToken=\"', parameters('smart1CloudToken'), '\"', '\n', 'passwordHash=\"', parameters('SerialConsolePasswordHash'), '\"', '\n')]", + "imageOffer": "[concat('check-point-cg-', toLower(variables('osVersion')))]", + "imagePublisher": "checkpoint", + "imageSku": "[if(and(equals(parameters('installationType'), 'standalone'), or(equals(variables('osVersion'),'R8040'), equals(variables('osVersion'),'R81'))), 'mgmt-byol', 'sg-byol')]", + "imageReferenceBYOL": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "[variables('imageSku')]", + "version": "latest" + }, + "imageReferenceNGTP": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp", + "version": "latest" + }, + "imageReferenceNGTP-V2": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp-v2", + "version": "latest" + }, + "imageReferenceNGTX": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtx", + "version": "latest" + }, + "imageReferenceNGTX-V2": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtx-v2", + "version": "latest" + }, + "imageReferenceMarketplace": "[if(equals(variables('offer'), 'BYOL'), variables('imageReferenceBYOL'), if(equals(variables('offer'), 'NGTP'), variables('imageReferenceNGTP'), if(equals(variables('offer'), 'NGTP-V2'), variables('imageReferenceNGTP-V2'), if(equals(variables('offer'), 'NGTX'), variables('imageReferenceNGTX'), if(equals(variables('offer'), 
'NGTX-V2'), variables('imageReferenceNGTX-V2'), json('null'))))))]", + "customImage": "customImage", + "imageReferenceCustomUri": { + "id": "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + }, + "imageReference": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('imageReferenceMarketplace'), variables('imageReferenceCustomUri'))]", + "nic1Name": "[concat(parameters('vmName'), '-eth0')]", + "nic2Name": "[concat(parameters('vmName'), '-eth1')]", + "linuxConfigurationpassword": { + "disablePasswordAuthentication": "false" + }, + "linuxConfigurationsshPublicKey": { + "disablePasswordAuthentication": "true", + "ssh": { + "publicKeys": [ + { + "keyData": "[parameters('sshPublicKey')]", + "path": "/home/notused/.ssh/authorized_keys" + } + ] + } + }, + "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), variables('linuxConfigurationpassword'), variables('linuxConfigurationsshPublicKey'))]", + "planBYOL": { + "name": "[variables('imageSku')]", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP": { + "name": "sg-ngtp", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP-V2": { + "name": "sg-ngtp-v2", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTX": { + "name": "sg-ngtx", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTX-V2": { + "name": "sg-ngtx-v2", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "plan": "[if(equals(variables('offer'), 'BYOL') , variables('planBYOL'), if(equals(variables('offer'), 'NGTP'), variables('planNGTP'), if(equals(variables('offer'), 'NGTP-V2'), variables('planNGTP-V2'), if(equals(variables('offer'), 'NGTX'), variables('planNGTX'), if(equals(variables('offer'), 'NGTX-V2'), variables('planNGTX-V2'), 
json('null'))))))]", + "publicIPAddressName": "[parameters('vmName')]", + "publicIPAddressId": "[resourceId('Microsoft.Network/publicIPAddresses/', variables('publicIPAddressName'))]", + "bootstrapScript64": "[base64(parameters('bootstrapScript'))]", + "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]", + "_artifactsLocation": "[if(contains(parameters('_artifactsLocation'),'raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/marketplace'),'https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/',parameters('_artifactsLocation'))]", + "networkSetupURL": "[uri(variables('_artifactsLocation'), concat('nestedtemplates/vnet-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]", + "sicKey": "[parameters('sicKey')]", + "managementGUIClientNetwork": "[parameters('managementGUIClientNetwork')]", + "vmID": "[resourceId('Microsoft.Compute/virtualMachines/', parameters('vmName'))]", + "customMetrics": "[parameters('customMetrics')]", + "identity": "[json('{\"type\": \"SystemAssigned\"}')]", + "monitoringMetricsPublisher": "[concat('/subscriptions/', parameters('subscriptionId'), '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", + "deployNewVnet": "[equals(parameters('vnetNewOrExisting'), 'new')]", + "vnetRGName": "[if(variables('deployNewVnet'), resourceGroup().name, parameters('virtualNetworkExistingRGName'))]", + "NewNsgReference": {"id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('NewNsgName'))]"} + }, + "resources": [ + { + "apiVersion": "2020-06-01", + "name": "pid-6f13b00a-7546-4ab2-be9f-c66815cc6c8b-partnercenter", + "type": "Microsoft.Resources/deployments", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + 
"type": "Microsoft.Storage/storageAccounts", + "name": "[variables('storageAccountName')]", + "apiVersion": "2022-09-01", + "properties": { + "supportsHttpsTrafficOnly": true, + "allowBlobPublicAccess": false, + "minimumTlsVersion": "TLS1_2", + "networkAcls": { + "bypass": "None", + "defaultAction": "[if(parameters('addStorageAccountIpRules'), 'Deny', 'Allow')]", + "ipRules": "[if(parameters('addStorageAccountIpRules'), map(variables('storageAccountIps'), lambda('ip',createObject('action','Allow','value',lambdaVariables('ip')))), createArray())]" + } + }, + "location": "[variables('location')]", + "sku": { + "name": "[variables('storageAccountType')]" + }, + "kind": "Storage", + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Storage/storageAccounts'), parameters('tagsByResource')['Microsoft.Storage/storageAccounts'], json('{}')) ]" + }, + { + "condition": "[equals(parameters('vnetNewOrExisting'), 'new')]", + "name": "networkNewSetup", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + "value": "[variables('location')]" + }, + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + "virtualNetworkAddressPrefix": { + "value": "[parameters('virtualNetworkAddressPrefix')]" + }, + "Subnet1Name": { + "value": "[parameters('Subnet1Name')]" + }, + "Subnet1Prefix": { + "value": "[parameters('Subnet1Prefix')]" + }, + "Subnet1StartAddress": { + "value": "[parameters('Subnet1StartAddress')]" + }, + "Subnet2Name": { + "value": "[parameters('Subnet2Name')]" + }, + "Subnet2Prefix": { + "value": "[parameters('Subnet2Prefix')]" + }, + "Subnet2StartAddress": { + "value": "[parameters('Subnet2StartAddress')]" + }, + "tagsByResource": { + "value": "[parameters('tagsByResource')]" + }, + "deployNsg": { + "value": "[parameters('deployNewNSG')]" + }, 
+ "NewNsgName": + { + "value":"[parameters('NewNsgName')]" + } + } + } + }, + { + "condition": "[equals(parameters('vnetNewOrExisting'), 'existing')]", + "name": "networkExistingSetup", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + "value": "[variables('location')]" + }, + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + "virtualNetworkExistingRGName": { + "value": "[variables('vnetRGName')]" + }, + "tagsByResource": { + "value": "[parameters('tagsByResource')]" + }, + "deployNsg": { + "value": "[parameters('deployNewNSG')]" + }, + "NewNsgName": + { + "value":"[parameters('NewNsgName')]" + } + } + } + }, + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "2020-06-01", + "location": "[variables('location')]", + "name": "[variables('publicIPAddressName')]", + "sku": { + "name": "Standard" + }, + "properties": { + "idleTimeoutInMinutes": 30, + "publicIPAllocationMethod": "Static", + "dnsSettings": { + "domainNameLabel": "[concat(toLower(parameters('vmName')), '-', uniquestring(resourceGroup().id, deployment().name))]" + } + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/publicIPAddresses'), parameters('tagsByResource')['Microsoft.Network/publicIPAddresses'], json('{}')) ]" + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[coalesce(resourceId('Microsoft.Resources/deployments/', 'networkNewSetup'), resourceId('Microsoft.Resources/deployments', 'networkExistingSetup'))]", + "[variables('publicIPAddressId')]" + ], + "location": "[variables('location')]", + "name": "[variables('nic1Name')]", + "properties": { + "enableIPForwarding": true, + "enableAcceleratedNetworking": true, + "networkSecurityGroup":"[if(parameters('deployNewNSG') , 
variables('NewNsgReference') , parameters('ExistingNSG'))]", + "ipConfigurations": [ + { + "name": "ipconfig1", + "properties": { + "privateIPAddress": "[parameters('Subnet1StartAddress')]", + "privateIPAllocationMethod": "Static", + "PublicIpAddress": { + "Id": "[variables('publicIPAddressId')]" + }, + "subnet": { + "id": "[resourceId(variables('vnetRGName'), 'Microsoft.Network/virtualNetworks/subnets/', parameters('virtualNetworkName'), parameters('Subnet1Name'))]" + } + } + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/networkInterfaces'), parameters('tagsByResource')['Microsoft.Network/networkInterfaces'], json('{}')) ]" + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[coalesce(resourceId('Microsoft.Resources/deployments/', 'networkNewSetup'), resourceId('Microsoft.Resources/deployments/', 'networkExistingSetup'))]" + ], + "location": "[variables('location')]", + "name": "[variables('nic2Name')]", + "properties": { + "enableIPForwarding": true, + "enableAcceleratedNetworking": true, + "ipConfigurations": [ + { + "name": "ipconfig2", + "properties": { + "privateIPAddress": "[parameters('Subnet2StartAddress')]", + "privateIPAllocationMethod": "Static", + "subnet": { + "id": "[resourceId(variables('vnetRGName'), 'Microsoft.Network/virtualNetworks/subnets/', parameters('virtualNetworkName'), parameters('Subnet2Name'))]" + } + } + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/networkInterfaces'), parameters('tagsByResource')['Microsoft.Network/networkInterfaces'], json('{}')) ]" + }, + { + "condition": "[not(equals(parameters('sourceImageVhdUri'), 'noCustomUri'))]", + "type": "Microsoft.Compute/images", + "apiVersion": "2020-06-01", + "name": "[variables('customImage')]", + "location": "[variables('location')]", + "properties": { + "storageProfile": { + "osDisk": { + "osType": "Linux", + "osState": "Generalized", + "blobUri": 
"[parameters('sourceImageVhdUri')]", + "storageAccountType": "Standard_LRS" + } + }, + "hyperVGeneration": "V1" + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Compute/images'), parameters('tagsByResource')['Microsoft.Compute/images'], json('{}')) ]" + }, + { + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2021-07-01", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]", + "[resourceId('Microsoft.Network/networkInterfaces/', variables('nic1Name'))]", + "[resourceId('Microsoft.Network/networkInterfaces/', variables('nic2Name'))]", + "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + ], + "location": "[variables('location')]", + "name": "[parameters('vmName')]", + "plan": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('plan'), json('null'))]", + "identity": "[if(equals(variables('customMetrics'), 'yes'), variables('identity'), json('null'))]", + "properties": { + "UserData": "[base64(concat(variables('customData'), '\n', 'vnet=\"', if(equals(parameters('vnetNewOrExisting'), 'new'), reference('networkNewSetup').outputs.vnetAddressPrefix.value, reference('networkExistingSetup').outputs.vnetAddressPrefix.value), '\"', '\n' ))]", + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": "true", + "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2022-09-01').primaryEndpoints.blob]" + } + }, + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces/', variables('nic1Name'))]", + "properties": { + "primary": true + } + }, + { + "id": "[resourceId('Microsoft.Network/networkInterfaces/', variables('nic2Name'))]", + "properties": { + "primary": false + } + } + ] + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": 
"[concat('not','used')]", + "computerName": "[toLower(parameters('vmName'))]", + "customData": "[base64(concat(variables('customData'), '\n', 'vnet=\"', if(equals(parameters('vnetNewOrExisting'), 'new'), reference('networkNewSetup').outputs.vnetAddressPrefix.value, reference('networkExistingSetup').outputs.vnetAddressPrefix.value), '\"', '\n' ))]", + "linuxConfiguration": "[variables('linuxConfiguration')]" + }, + "storageProfile": { + "imageReference": "[variables('imageReference')]", + "osDisk": { + "caching": "ReadWrite", + "createOption": "FromImage", + "diskSizeGB": "[variables('diskSizeGB')]", + "name": "[parameters('vmName')]", + "managedDisk": { + "storageAccountType": "[parameters('diskType')]" + } + } + } + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Compute/virtualMachines'), parameters('tagsByResource')['Microsoft.Compute/virtualMachines'], json('{}')) ]" + }, + { + "condition": "[equals(variables('customMetrics'), 'yes')]", + "apiVersion": "2020-04-01-preview", + "type": "Microsoft.Authorization/roleAssignments", + "name": "[parameters('rbacGuid')]", + "properties": { + "roleDefinitionId": "[variables('monitoringMetricsPublisher')]", + "principalId": "[reference(variables('vmID'), '2019-12-01', 'Full').identity.principalId]", + "scope": "[resourceGroup().id]" + }, + "dependsOn": [ + "[variables('vmID')]" + ], + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Authorization/roleAssignments'), parameters('tagsByResource')['Microsoft.Authorization/roleAssignments'], json('{}')) ]" + } + ], + "outputs": { + "GatewayIPAddr": { + "type": "string", + "value": "[reference(variables('publicIPAddressId')).IpAddress]" + }, + "GatewayFQDN": { + "type": "string", + "value": "[reference(variables('publicIPAddressId')).dnsSettings.fqdn]" + } + } +} \ No newline at end of file 
diff --git a/deprecated/azure/templates/R8040-R81/vmss-ipv6-r8040-r81/README.md b/deprecated/azure/templates/R8040-R81/vmss-ipv6-r8040-r81/README.md
new file mode 100644
index 00000000..6fbc5c3c
--- /dev/null
+++ b/deprecated/azure/templates/R8040-R81/vmss-ipv6-r8040-r81/README.md
@@ -0,0 +1,9 @@
+# IPv6 support for CloudGuard IaaS in Azure
+Azure's IPv6 connectivity makes it easy to provide dual stack (IPv4/IPv6) Internet connectivity for applications hosted in Azure.
+It allows for simple deployment of VMs with load balanced IPv6 connectivity for both inbound and outbound initiated connections.
+
+Follow [sk170760](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk170760) instruction to deploy CloudGuard IaaS virtual machine scale sets with IPv6 in Azure.
+
+
+ Deploy to Azure
+
diff --git a/deprecated/azure/templates/R8040-R81/vmss-ipv6-r8040-r81/mainTemplate.json b/deprecated/azure/templates/R8040-R81/vmss-ipv6-r8040-r81/mainTemplate.json
new file mode 100644
index 00000000..fe55976d
--- /dev/null
+++ b/deprecated/azure/templates/R8040-R81/vmss-ipv6-r8040-r81/mainTemplate.json
@@ -0,0 +1,1209 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "subscriptionId": { + "type": "string", + "defaultValue": "[subscription().subscriptionId]", + "metadata": { + "description": "Subscription ID." + } + }, + "location": { + "type": "string", + "metadata": { + "description": "Deployment location" + }, + "defaultValue": "[resourceGroup().location]" + }, + "cloudGuardVersion": { + "type": "string", + "allowedValues": [ + "R80.40 - Bring Your Own License", + "R80.40 - Pay As You Go (NGTP)", + "R80.40 - Pay As You Go (NGTX)", + "R81 - Bring Your Own License", + "R81 - Pay As You Go (NGTP)", + "R81 - Pay As You Go (NGTX)" + ], + "defaultValue": "R81 - Bring Your Own License", + "metadata": { + "description": "Version of Check Point CloudGuard" + } + }, + "instanceCount": { + "defaultValue": "2", + "type": "string", + "metadata": { + "description": "Number of VM instances" + } + }, + "maxInstanceCount": { + "defaultValue": "10", + "type": "string", + "metadata": { + "description": "Maximum number of VM instances" + } + }, + "managementServer": { + "type": "string", + "metadata": { + "description": "The name of the management server as it appears in the configuration file" + } + }, + "configurationTemplate": { + "type": "string", + "metadata": { + "description": "A name of a template as it appears in the configuration file" + } + }, + "adminEmail": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Email address to notify if there are any scaling operations" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Administrator password" + }, + "defaultValue": "" + }, + "authenticationType": { + "type": "string", + "allowedValues": [ + "password", + "sshPublicKey" + ], + "defaultValue": "password", + "metadata": { + "description": "Authentication type" + } + }, + "sshPublicKey": { + "type": 
"string", + "defaultValue": "", + "metadata": { + "description": "Administrator SSH public key" + } + }, + "vmName": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "Name of the Check Point Security Gateway scale set" + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_D3_v2", + "metadata": { + "description": "Size of the VM" + } + }, + "adminShell": { + "type": "string", + "defaultValue": "/etc/cli.sh", + "allowedValues": [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh" + ], + "metadata": { + "Description": "The default shell for the admin user" + } + }, + "sicKey": { + "type": "securestring", + "metadata": { + "description": "One time key for Secure Internal Communication" + } + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "[concat(resourceGroup().name, '-vnet')]" + }, + "virtualNetworkAddressPrefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the virtual network" + }, + "defaultValue": "10.0.0.0/16" + }, + "virtualNetworkIpv6AddressPrefix": { + "type": "string", + "metadata": { + "description": "The IPv6 address prefix of the virtual network" + }, + "defaultValue": "ace:cab:deca::/48" + }, + "subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the frontend subnet" + }, + "defaultValue": "Frontend" + }, + "subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the frontend subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "Subnet1Ipv6Prefix": { + "type": "string", + "metadata": { + "description": "The IPv6 address prefix of the 1st subnet" + }, + "defaultValue": "ace:cab:deca:deed::/64" + }, + "subnet2Name": { + "type": "string", + "metadata": { + "description": "The name of the backend subnet" + }, + "defaultValue": "Backend" + }, + "subnet2Prefix": { + "type": "string", + "metadata": 
{ + "description": "The address prefix of the backend subnet" + }, + "defaultValue": "10.0.2.0/24" + }, + "Subnet2Ipv6Prefix": { + "type": "string", + "metadata": { + "description": "The IPv6 address prefix of the 2nd subnet" + }, + "defaultValue": "ace:cab:deca:deee::/64" + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "new", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "[resourceGroup().name]" + }, + "bootstrapScript": { + "type": "string", + "metadata": { + "description": "Bootstrap script" + }, + "defaultValue": "" + }, + "allowDownloadFromUploadToCheckPoint": { + "type": "string", + "allowedValues": [ + "true", + "false" + ], + "defaultValue": "true", + "metadata": { + "description": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + } + }, + "instanceLevelPublicIP": { + "type": "string", + "allowedValues": [ + "no", + "yes" + ], + "defaultValue": "no", + "metadata": { + "description": "Deploy the VMSS with instance level Public IP address" + } + }, + "mgmtInterfaceOpt1": { + "type": "string", + "allowedValues": [ + "eth0-public", + "eth0-private", + "eth1-private" + ], + "defaultValue": "eth1-private", + "metadata": { + "description": "Manage the Gateways in the Scale Set via the instance's external (eth0) or internal (eth1) NIC's private IP address." + } + }, + "mgmtInterfaceOpt2": { + "type": "string", + "allowedValues": [ + "eth0-private", + "eth1-private" + ], + "defaultValue": "eth1-private", + "metadata": { + "description": "Manage the Gateways in the Scale Set via the instance's external (eth0) or internal (eth1) NIC's private IP address." 
+ } + }, + "mgmtIpAddress": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "The IP address used to manage the VMSS instances." + } + }, + "diskType": { + "type": "string", + "defaultValue": "Standard_LRS", + "metadata": { + "description": "The type of the OS disk. Premium is applicable only to DS machine sizes" + }, + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ] + }, + "sourceImageVhdUri": { + "type": "string", + "defaultValue": "noCustomUri", + "metadata": { + "description": "The URI of the blob containing the development image" + } + }, + "availabilityZonesNum": { + "type": "int", + "allowedValues": [ + 0, + 1, + 2, + 3 + ], + "defaultValue": 0, + "metadata": { + "description": "The number of availability zones" + } + }, + "_artifactsLocation": { + "type": "string", + "metadata": { + "description": "The base URI where artifacts required by this template are located including a trailing '/'" + }, + "defaultValue": "https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/" + }, + "_artifactsLocationSasToken": { + "type": "securestring", + "metadata": { + "description": "The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. Use the defaultValue if the staging location is not secured." 
+ }, + "defaultValue": "" + }, + "customMetrics": { + "type": "string", + "allowedValues": [ + "no", + "yes" + ], + "defaultValue": "yes", + "metadata": { + "Description": "Indicates whether Custom Metrics will be used for VMSS Scaling policy and VM monitoring" + } + }, + "rbacGuid": { + "type": "string", + "defaultValue": "[newGuid()]" + }, + "tagsByResource": { + "type": "object", + "defaultValue": {} + }, + "deployNewNSG": { + "type": "bool", + "defaultValue": true + }, + "ExistingNSG": { + "type": "object", + "defaultValue": {} + }, + "NewNsgName": { + "type": "string", + "defaultValue": "default-nsg" + }, + "addStorageAccountIpRules": { + "type": "bool", + "metadata": { + "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled" + }, + "defaultValue" : false + }, + "storageAccountAdditionalIps":{ + "type": "array", + "metadata": { + "description": "IPs/CIDRs that are allowed access to the Storage Account" + }, + "defaultValue" : [] + } + + }, + "variables": { + "vnetv4AddressRange": "[parameters('virtualNetworkAddressPrefix')]", + "vnetv6AddressRange": "[parameters('virtualNetworkIPv6AddressPrefix')]", + "subnetv4AddressRange": "[parameters('Subnet1Prefix')]", + "subnet2v4AddressRange": "[parameters('Subnet2Prefix')]", + "subnetv6AddressRange": "[parameters('Subnet1IPv6Prefix')]", + "subnet2v6AddressRange": "[parameters('Subnet2IPv6Prefix')]", + "virtualNetworkName": "[parameters('virtualNetworkName')]", + "subnetName": "[parameters('Subnet1Name')]", + "subnet2Name": "[parameters('Subnet2Name')]", + "resourceGroup": "[resourceGroup()]", + "templateName": "vmss-v2", + "templateVersion": "20230910", + "location": "[parameters('location')]", + "subnet-id": 
"[resourceId(parameters('virtualNetworkExistingRGName'), 'Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworkName'), variables('subnetName'))]", + "subnet2-id": "[resourceId(parameters('virtualNetworkExistingRGName'), 'Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworkName'), variables('subnet2Name'))]", + "VMSSFrontend": "VMSS-Frontend", + "VMSSBackend": "VMSS-Backend", + "offers": { + "R80.40 - Bring Your Own License": "BYOL", + "R80.40 - Pay As You Go (NGTP)": "NGTP", + "R80.40 - Pay As You Go (NGTX)": "NGTX", + "R81 - Bring Your Own License": "BYOL", + "R81 - Pay As You Go (NGTP)": "NGTP", + "R81 - Pay As You Go (NGTX)": "NGTX" + }, + "offer": "[variables('offers')[parameters('cloudGuardVersion')]]", + "osVersions": { + "R80.40 - Bring Your Own License": "R8040", + "R80.40 - Pay As You Go (NGTP)": "R8040", + "R80.40 - Pay As You Go (NGTX)": "R8040", + "R81 - Bring Your Own License": "R81", + "R81 - Pay As You Go (NGTP)": "R81", + "R81 - Pay As You Go (NGTX)": "R81" + }, + "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", + "SerialConsoleGeographies": { + "eastasia" : ["20.205.69.28", "20.195.85.180"], + "southeastasia" : ["20.205.69.28", "20.195.85.180"], + "australiacentral" : ["20.53.53.224", "20.70.222.112"], + "australiacentral2" : ["20.53.53.224", "20.70.222.112"], + "australiaeast" : ["20.53.53.224", "20.70.222.112"], + "australiasoutheast" : ["20.53.53.224", "20.70.222.112"], + "brazilsouth" : ["91.234.136.63", "20.206.0.194"], + "brazilsoutheast" : ["91.234.136.63", "20.206.0.194"], + "canadacentral" : ["52.228.86.177", "52.242.40.90"], + "canadaeast" : ["52.228.86.177", "52.242.40.90"], + "northeurope" : ["52.146.139.220", "20.105.209.72"], + "westeurope" : ["52.146.139.220", "20.105.209.72"], + "francecentral" : ["20.111.0.244", "52.136.191.10"], + "francesouth" : ["20.111.0.244", "52.136.191.10"], + "germanynorth" : ["51.116.75.88", "20.52.95.48"], + "germanywestcentral" : ["51.116.75.88", 
"20.52.95.48"], + "centralindia" : ["20.192.168.150", "20.192.153.104"], + "southindia" : ["20.192.168.150", "20.192.153.104"], + "westindia" : ["20.192.168.150", "20.192.153.104"], + "japaneast" : ["20.43.70.205", "20.189.228.222"], + "japanwest" : ["20.43.70.205", "20.189.228.222"], + "koreacentral" : ["20.200.196.96", "52.147.119.29"], + "koreasouth" : ["20.200.196.96", "52.147.119.29"], + "norwaywest" : ["20.100.1.184", "51.13.138.76"], + "norwayeast" : ["20.100.1.184", "51.13.138.76"], + "switzerlandnorth" : ["20.208.4.98", "51.107.251.190"], + "switzerlandwest" : ["20.208.4.98", "51.107.251.190"], + "uaecentral" : ["20.45.95.66", "20.38.141.5"], + "uaenorth" : ["20.45.95.66", "20.38.141.5"], + "uksouth" : ["20.90.132.144", "20.58.68.62"], + "ukwest" : ["20.90.132.144", "20.58.68.62"], + "swedencentral" : ["51.12.72.223", "51.12.22.174"], + "swedensouth" : ["51.12.72.223", "51.12.22.174"], + "centralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "eastus2" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "eastus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "northcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "southcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus2" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus3" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "eastus2euap" : ["20.45.242.18", "20.51.21.252"], + "centraluseuap" : ["20.45.242.18", "20.51.21.252"]}, + "serialConsoleIps": "[if(contains(variables('serialConsoleGeographies'),variables('location')),variables('serialConsoleGeographies')[variables('location')],createArray())]", + "storageAccountIps" : 
"[concat(variables('SerialConsoleIps'),parameters('storageAccountAdditionalIps'))]", + "isBlink": true, + "storageAccountName": "[concat('bootdiag', uniqueString(variables('resourceGroup').id, deployment().name))]", + "storageAccountType": "Standard_LRS", + "diskSize100GB": 100, + "additionalDiskSizeGB": "[if(contains('R8040 R81', variables('osVersion')), 0, parameters('additionalDiskSizeGB'))]", + "diskSizeGB": "[add(variables('additionalDiskSizeGB'), variables('diskSize100GB'))]", + "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'customMetrics=\"', variables('customMetrics'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n')]", + "imageOffer": "[concat('check-point-cg-', toLower(variables('osVersion')))]", + "imagePublisher": "checkpoint", + "imageReferenceBYOL": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-byol", + "version": "latest" + }, + "imageReferenceNGTP": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp", + "version": "latest" + }, + "imageReferenceNGTP-V2": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp-v2", + "version": "latest" + }, + "imageReferenceNGTX": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtx", + "version": "latest" + }, + "imageReferenceNGTX-V2": { 
+ "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtx-v2", + "version": "latest" + }, + "imageReferenceMarketplace": "[if(equals(variables('offer'), 'BYOL'), variables('imageReferenceBYOL'), if(equals(variables('offer'), 'NGTP'), variables('imageReferenceNGTP'), if(equals(variables('offer'), 'NGTP-V2'), variables('imageReferenceNGTP-V2'), if(equals(variables('offer'), 'NGTX'), variables('imageReferenceNGTX'), if(equals(variables('offer'), 'NGTX-V2'), variables('imageReferenceNGTX-V2'), json('null'))))))]", + "customImage": "customImage", + "imageReferenceCustomUri": { + "id": "[resourceId('Microsoft.Compute/images', variables('customImage'))]" + }, + "imageReference": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('imageReferenceMarketplace'), variables('imageReferenceCustomUri'))]", + "linuxConfigurationpassword": { + "disablePasswordAuthentication": "false" + }, + "linuxConfigurationsshPublicKey": { + "disablePasswordAuthentication": "true", + "ssh": { + "publicKeys": [ + { + "keyData": "[parameters('sshPublicKey')]", + "path": "/home/notused/.ssh/authorized_keys" + } + ] + } + }, + "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), variables('linuxConfigurationpassword'), variables('linuxConfigurationsshPublicKey'))]", + "planBYOL": { + "name": "sg-byol", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP": { + "name": "sg-ngtp", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP-V2": { + "name": "sg-ngtp-v2", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTX": { + "name": "sg-ngtx", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTX-V2": { + "name": "sg-ngtx-v2", + "product": "[variables('imageOffer')]", + "publisher": 
"[variables('imagePublisher')]" + }, + "plan": "[if(equals(variables('offer'), 'BYOL') , variables('planBYOL'), if(equals(variables('offer'), 'NGTP'), variables('planNGTP'), if(equals(variables('offer'), 'NGTP-V2'), variables('planNGTP-V2'), if(equals(variables('offer'), 'NGTX'), variables('planNGTX'), if(equals(variables('offer'), 'NGTX-V2'), variables('planNGTX-V2'), json('null'))))))]", + "vmssID": "[resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('vmName'))]", + "bootstrapScript64": "[base64(parameters('bootstrapScript'))]", + "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]", + "sicKey": "[parameters('sicKey')]", + "installationType": "vmss", + "publicIPProperties": { + "name": "instancePublicIP", + "properties": { + "idleTimeoutInMinutes": 15 + } + }, + "networkSetupURL": "[uri(parameters('_artifactsLocation'), concat('nestedtemplates/vnet-2-subnet-ha-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]", + "azureFunctionSetupURL": "[uri(parameters('_artifactsLocation'), concat('nestedtemplates/azure-func-sami.json', parameters('_artifactsLocationSasToken')))]", + "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]", + "customImageId": "[variables('imageReferenceCustomUri').id]", + "availabilityZonesLocations": [ + "brazilsouth", + "canadacentral", + "centralus", + "eastus", + "eastus2", + "southcentralus", + "usgovvirginia", + "westus2", + "westus3", + "francecentral", + "germanywestcentral", + "northeurope", + "norwayeast", + "uksouth", + "westeurope", + "swedencentral", + "switzerlandnorth", + "qatarcentral", + "uaenorth", + "southafricanorth", + "australiaeast", + "centralindia", + "japaneast", + "koreacentral", + "southeastasia", + "eastasia", + "italynorth" + ], + "availabilityZonesProperty": "[range(1, parameters('availabilityZonesNum'))]", + "mgmtInterface": "[if(equals(parameters('instanceLevelPublicIP'), 'yes'), 
parameters('mgmtInterfaceOpt1'), parameters('mgmtInterfaceOpt2'))]", + "mgmtIpAddressType": "[split(variables('mgmtInterface'), '-')[1]]", + "mgmtInterfaceName": "[split(variables('mgmtInterface'), '-')[0]]", + "mgmtIPaddress": "[if(equals(variables('mgmtInterfaceName'), 'eth0'), parameters('mgmtIpAddress'), '')]", + "commomTags": { + "x-chkp-management": "[parameters('managementServer')]", + "x-chkp-template": "[parameters('configurationTemplate')]", + "x-chkp-ip-address": "[variables('mgmtIpAddressType')]", + "x-chkp-management-interface": "[variables('mgmtInterfaceName')]", + "x-chkp-topology": "eth0:external,eth1:internal", + "x-chkp-anti-spoofing": "eth0:false,eth1:false", + "x-chkp-srcImageUri": "[parameters('sourceImageVhdUri')]" + }, + "uniqueTags": { + "x-chkp-management-address": "[variables('mgmtIPaddress')]" + }, + "vmssTags": "[if(equals(variables('mgmtIPaddress'), ''), variables('commomTags'), union(variables('commomTags'), variables('uniqueTags')))]", + "dnsZoneResourceId": "[parameters('dnsZoneResourceId')]", + "dnsZoneRecordSetName": "[parameters('dnsZoneRecordSetName')]", + "numberOfRecordSetEntries": "20", + "customMetrics": "[parameters('customMetrics')]", + "monitoringMetricsPublisher": "[concat('/subscriptions/', parameters('subscriptionId'), '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", + "identity": "[json('{\"type\": \"SystemAssigned\"}')]", + "NewNsgReference": {"id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('NewNsgName'))]"} + }, + "resources": [ + { + "apiVersion": "2021-01-01", + "name": "pid-23952014-097a-4aed-ade6-0d4b5c278517", + "type": "Microsoft.Resources/deployments", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "apiVersion": "2020-05-01", + "type": 
"Microsoft.Network/publicIPAddresses", + "name": "lbpublicip-v4", + "location": "[parameters('location')]", + "sku": { + "name": "Standard" + }, + "properties": { + "publicIPAllocationMethod": "Static" + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/publicIPAddresses'), parameters('tagsByResource')['Microsoft.Network/publicIPAddresses'], json('{}')) ]" + }, + { + "apiVersion": "2020-05-01", + "type": "Microsoft.Network/publicIPAddresses", + "name": "lbpublicip-v6", + "location": "[parameters('location')]", + "sku": { + "name": "Standard" + }, + "properties": { + "publicIPAllocationMethod": "Static", + "publicIPAddressVersion": "IPv6" + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/publicIPAddresses'), parameters('tagsByResource')['Microsoft.Network/publicIPAddresses'], json('{}')) ]" + }, + { + "apiVersion": "2020-05-01", + "name": "frontend-lb", + "type": "Microsoft.Network/loadBalancers", + "location": "[parameters('location')]", + "sku": { + "name": "Standard" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/publicIPAddresses','lbpublicip-v4')]", + "[resourceId('Microsoft.Network/publicIPAddresses','lbpublicip-v6')]" + ], + "properties": { + "frontendIpConfigurations": [ + { + "name": "LB-v4", + "properties": { + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses', 'lbpublicip-v4')]" + } + } + }, + { + "name": "LB-v6", + "properties": { + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses','lbpublicip-v6')]" + } + } + } + ], + "backendAddressPools": [ + { + "name": "frontend-LBBAP-v4" + }, + { + "name": "frontend-LBBAP-v6" + } + ], + "loadBalancingRules": [ + { + "properties": { + "frontendIPConfiguration": { + "id": "[resourceId('Microsoft.Network/loadBalancers/frontendIpConfigurations', 'frontend-lb', 'LB-v4')]" + }, + "backendAddressPool": { + "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', 'frontend-lb', 
'frontend-LBBAP-v4')]" + }, + "probe": { + "id": "[resourceId('Microsoft.Network/loadBalancers/probes', 'frontend-lb', 'lb-probe')]" + }, + "protocol": "Tcp", + "frontendPort": 443, + "backendPort": 443, + "idleTimeoutInMinutes": 4 + }, + "name": "frontend-lb-rule-v4" + }, + { + "properties": { + "frontendIPConfiguration": { + "id": "[resourceId('Microsoft.Network/loadBalancers/frontendIpConfigurations', 'frontend-lb', 'LB-v6')]" + }, + "backendAddressPool": { + "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', 'frontend-lb', 'frontend-LBBAP-v6')]" + }, + "probe": { + "id": "[resourceId('Microsoft.Network/loadBalancers/probes', 'frontend-lb', 'lb-probe')]" + }, + "protocol": "Tcp", + "frontendPort": 443, + "backendPort": 443 + }, + "name": "frontend-lb-rule-v6" + } + ], + "probes": [ + { + "properties": { + "protocol": "Tcp", + "port": 22, + "intervalInSeconds": 5, + "numberOfProbes": 2 + }, + "name": "lb-probe" + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/loadBalancers'), parameters('tagsByResource')['Microsoft.Network/loadBalancers'], json('{}')) ]" + }, + { + "apiVersion": "2021-01-01", + "name": "backend-lb", + "type": "Microsoft.Network/loadBalancers", + "location": "[parameters('location')]", + "sku": { + "name": "Standard" + }, + "dependsOn": [ + "[coalesce(resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworkName')), resourceId('Microsoft.Resources/deployments', 'networkExistingSetup'))]" + ], + "properties": { + "frontendIpConfigurations": [ + { + "name": "LB-v4", + "properties": { + "subnet": { + "id": "[variables('subnet2-id')]" + } + } + } + ], + "backendAddressPools": [ + { + "name": "backend-LBBAP-v4" + } + ], + "loadBalancingRules": [ + { + "properties": { + "frontendIPConfiguration": { + "id": "[resourceId('Microsoft.Network/loadBalancers/frontendIpConfigurations', 'backend-lb', 'LB-v4')]" + }, + "backendAddressPool": { + "id": 
"[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', 'backend-lb', 'backend-LBBAP-v4')]" + }, + "probe": { + "id": "[resourceId('Microsoft.Network/loadBalancers/probes', 'backend-lb', 'lb-probe')]" + }, + "protocol": "Tcp", + "frontendPort": 443, + "backendPort": 443, + "idleTimeoutInMinutes": 4 + }, + "name": "backend-lb-rule-v4" + } + ], + "probes": [ + { + "properties": { + "protocol": "Tcp", + "port": 22, + "intervalInSeconds": 5, + "numberOfProbes": 2 + }, + "name": "lb-probe" + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/loadBalancers'), parameters('tagsByResource')['Microsoft.Network/loadBalancers'], json('{}')) ]" + }, + { + "condition": "[equals(parameters('vnetNewOrExisting'), 'new')]", + "type": "Microsoft.Network/routeTables", + "name": "[variables('VMSSBackend')]", + "apiVersion": "2021-03-01", + "location": "[parameters('location')]", + "properties": { + "disableBgpRoutePropagation": false, + "routes": [ + { + "name": "To-Internet", + "properties": { + "addressPrefix": "0.0.0.0/0", + "nextHopType": "None" + } + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/routeTables'), parameters('tagsByResource')['Microsoft.Network/routeTables'], json('{}')) ]" + }, + { + "condition": "[equals(parameters('vnetNewOrExisting'), 'new')]", + "type": "Microsoft.Network/routeTables", + "name": "[variables('VMSSFrontend')]", + "apiVersion": "2021-03-01", + "location": "[parameters('location')]", + "properties": { + "disableBgpRoutePropagation": false, + "routes": [ + { + "name": "Local-Subnet-v6", + "properties": { + "addressPrefix": "[parameters('Subnet1IPv6Prefix')]", + "nextHopType": "VnetLocal" + } + }, + { + "name": "Local-Subnet-v4", + "properties": { + "addressPrefix": "[variables('subnetv4AddressRange')]", + "nextHopType": "VnetLocal" + } + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/routeTables'), 
parameters('tagsByResource')['Microsoft.Network/routeTables'], json('{}')) ]"
+ },
+ {
+ "condition": "[equals(parameters('vnetNewOrExisting'), 'new')]",
+ "apiVersion": "2021-03-01",
+ "type": "Microsoft.Network/virtualNetworks",
+ "name": "[variables('virtualNetworkName')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/routeTables', variables('VMSSFrontend'))]",
+ "[resourceId('Microsoft.Network/routeTables', variables('VMSSBackend'))]"
+ ],
+ "properties": {
+ "dhcpOptions": {
+ "dnsServers": [
+ "cafe:43::",
+ "cafe:45::"
+ ]
+ },
+ "addressSpace": {
+ "addressPrefixes": [
+ "[variables('vnetv4AddressRange')]",
+ "[variables('vnetv6AddressRange')]"
+ ]
+ },
+ "subnets": [
+ {
+ "name": "[variables('subnetName')]",
+ "properties": {
+ "addressPrefixes": [
+ "[variables('subnetv4AddressRange')]",
+ "[variables('subnetv6AddressRange')]"
+ ],
+ "routeTable": {
+ "id": "[resourceId('Microsoft.Network/routeTables', variables('VMSSFrontend'))]"
+ }
+ }
+ },
+ {
+ "name": "[variables('subnet2Name')]",
+ "properties": {
+ "addressPrefixes": [
+ "[variables('subnet2v4AddressRange')]",
+ "[variables('subnet2v6AddressRange')]"
+ ],
+ "routeTable": {
+ "id": "[resourceId('Microsoft.Network/routeTables', variables('VMSSBackend'))]"
+ }
+ }
+ }
+ ]
+ },
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/virtualNetworks'), parameters('tagsByResource')['Microsoft.Network/virtualNetworks'], json('{}')) ]"
+ },
+ {
+ "condition": "[equals(variables('customMetrics'), 'yes')]",
+ "apiVersion": "2020-04-01-preview",
+ "type": "Microsoft.Authorization/roleAssignments",
+ "name": "[parameters('rbacGuid')]",
+ "properties": {
+ "roleDefinitionId": "[variables('monitoringMetricsPublisher')]",
+ "principalId": "[reference(variables('vmssID'), '2021-03-01', 'Full').identity.principalId]",
+ "scope": "[resourceGroup().id]"
+ },
+ "dependsOn": [
+ "[variables('vmssID')]"
+ ],
+ "tags": "[ 
if(contains(parameters('tagsByResource'), 'Microsoft.Authorization/roleAssignments'), parameters('tagsByResource')['Microsoft.Authorization/roleAssignments'], json('{}')) ]"
+ },
+ {
+ "condition": "[equals(parameters('vnetNewOrExisting'), 'existing')]",
+ "name": "networkExistingSetup",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2021-01-01",
+ "resourceGroup": "[parameters('virtualNetworkExistingRGName')]",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "[variables('networkSetupURL')]",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "location": {
+ "value": "[variables('location')]"
+ },
+ "virtualNetworkName": {
+ "value": "[parameters('virtualNetworkName')]"
+ },
+ "virtualNetworkExistingRGName": {
+ "value": "[parameters('virtualNetworkExistingRGName')]"
+ },
+ "vmName": {
+ "value": "[parameters('vmName')]"
+ },
+ "deployNsg": {
+ "value": "[parameters('deployNewNSG')]"
+ },
+ "NewNsgName":
+ {
+ "value":"[parameters('NewNsgName')]"
+ },
+ "tagsByResource": {
+ "value": "[parameters('tagsByResource')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "name": "[variables('storageAccountName')]",
+ "apiVersion": "2021-06-01",
+ "properties": {
+ "supportsHttpsTrafficOnly": true,
+ "allowBlobPublicAccess": false,
+ "minimumTlsVersion": "TLS1_2",
+ "networkAcls": {
+ "bypass": "None",
+ "defaultAction": "[if(parameters('addStorageAccountIpRules'), 'Deny', 'Allow')]",
+ "ipRules": "[if(parameters('addStorageAccountIpRules'), map(variables('storageAccountIps'), lambda('ip',createObject('action','Allow','value',lambdaVariables('ip')))), createArray())]"
+ }
+ },
+ "location": "[variables('location')]",
+ "sku": {
+ "name": "[variables('storageAccountType')]"
+ },
+ "kind": "Storage",
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Storage/storageAccounts'), parameters('tagsByResource')['Microsoft.Storage/storageAccounts'], json('{}')) ]"
+ },
+ {
+ "condition": 
"[not(equals(parameters('sourceImageVhdUri'), 'noCustomUri'))]",
+ "type": "Microsoft.Compute/images",
+ "apiVersion": "2021-07-01",
+ "name": "[variables('customImage')]",
+ "location": "[variables('resourceGroup').location]",
+ "properties": {
+ "storageProfile": {
+ "osDisk": {
+ "osType": "Linux",
+ "osState": "Generalized",
+ "blobUri": "[parameters('sourceImageVhdUri')]",
+ "storageAccountType": "Standard_LRS"
+ }
+ }
+ },
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Compute/images'), parameters('tagsByResource')['Microsoft.Compute/images'], json('{}')) ]"
+ },
+
+ {
+ "type": "Microsoft.Network/networkSecurityGroups",
+ "condition": "[and(parameters('deployNewNSG'),equals(parameters('vnetNewOrExisting'), 'new'))]",
+ "apiVersion": "2020-06-01",
+ "location": "[parameters('location')]",
+ "name": "[parameters('NewNsgName')]",
+ "properties": {
+ "securityRules": [
+ {
+ "name": "AllowAllInBound",
+ "properties": {
+ "description": "Allow all inbound connections",
+ "protocol": "*",
+ "sourcePortRange": "*",
+ "destinationPortRange": "*",
+ "sourceAddressPrefix": "*",
+ "destinationAddressPrefix": "*",
+ "access": "Allow",
+ "priority": "100",
+ "direction": "Inbound"
+ }
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Compute/virtualMachineScaleSets",
+ "apiVersion": "2021-07-01",
+ "name": "[parameters('vmName')]",
+ "location": "[variables('location')]",
+ "identity": "[if(equals(variables('customMetrics'), 'yes'), variables('identity'), json('null'))]",
+ "zones": "[if(and(contains(variables('availabilityZonesLocations'), variables('location')), greater(parameters('availabilityZonesNum'), 0)), variables('availabilityZonesProperty'), json('null'))]",
+ "tags": "[union(variables('vmssTags'),if(contains(parameters('tagsByResource'), 'Microsoft.Compute/virtualMachineScaleSets'), parameters('tagsByResource')['Microsoft.Compute/virtualMachineScaleSets'], json('{}')))]",
+ "dependsOn": [
+ "[coalesce(resourceId('Microsoft.Network/virtualNetworks', 
variables('virtualNetworkName')), resourceId('Microsoft.Resources/deployments', 'networkExistingSetup'))]",
+ "[resourceId('Microsoft.Network/loadBalancers','frontend-lb')]",
+ "[resourceId('Microsoft.Network/loadBalancers','backend-lb')]",
+ "[variables('storageAccountId')]",
+ "[variables('customImageId')]"
+ ],
+ "sku": {
+ "name": "[parameters('vmSize')]",
+ "tier": "Standard",
+ "capacity": "[parameters('instanceCount')]"
+ },
+ "plan": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('plan'), json('null'))]",
+ "properties": {
+ "upgradePolicy": {
+ "mode": "Manual"
+ },
+ "virtualMachineProfile": {
+ "UserData": "[base64(concat(variables('customData'), '\n', 'vnet=\"', if(equals(parameters('vnetNewOrExisting'), 'new'), split(parameters('virtualNetworkAddressPrefix'), '.')[0], reference('networkExistingSetup').outputs.vnetAddressPrefixes.value[0]), '\"', '\n' ))]",
+ "storageProfile": {
+ "osDisk":
+ {
+ "diskSizeGB": "[variables('diskSizeGB')]",
+ "caching": "ReadWrite",
+ "createOption": "FromImage",
+ "managedDisk": {
+ "storageAccountType": "[parameters('diskType')]"
+ }
+ },
+ "imageReference": "[variables('imageReference')]"
+ },
+ "osProfile": {
+ "adminPassword": "[parameters('adminPassword')]",
+ "adminUsername": "[concat('not','used')]",
+ "computerNamePrefix": "[toLower(parameters('vmName'))]",
+ "customData": "[base64(concat(variables('customData'), '\n', 'vnet=\"', if(equals(parameters('vnetNewOrExisting'), 'new'), split(parameters('virtualNetworkAddressPrefix'), '.')[0], reference('networkExistingSetup').outputs.vnetAddressPrefixes.value[0]), '\"', '\n' ))]",
+ "linuxConfiguration": "[variables('linuxConfiguration')]"
+ },
+ "networkProfile": {
+ "networkInterfaceConfigurations": [
+ {
+ "name": "eth0",
+ "properties": {
+ "primary": true,
+ "enableIPForwarding": true,
+ "enableAcceleratedNetworking": true,
+ "networkSecurityGroup": "[if(parameters('deployNewNSG') , variables('NewNsgReference') , 
parameters('ExistingNSG'))]",
+ "ipConfigurations": [
+ {
+ "name": "ipconfig1IPV6",
+ "properties": {
+ "primary": true,
+ "subnet": {
+ "id": "[variables('subnet-id')]"
+ },
+ "privateIPAddressVersion": "IPv6",
+ "loadBalancerBackendAddressPools": [
+ {
+ "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', 'frontend-lb', 'frontend-LBBAP-v6')]"
+ }
+ ]
+ }
+ },
+ {
+ "name": "ipconfig1",
+ "properties": {
+ "primary": false,
+ "privateIPAddressVersion": "IPv4",
+ "publicIpAddressConfiguration": "[if(equals(parameters('instanceLevelPublicIP'),'yes'), variables('publicIPProperties'), json('null'))]",
+ "subnet": {
+ "id": "[variables('subnet-id')]"
+ },
+ "loadBalancerBackendAddressPools": [
+ {
+ "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', 'frontend-lb', 'frontend-LBBAP-v4')]"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ {
+ "name": "eth1",
+ "properties": {
+ "primary": false,
+ "enableIPForwarding": true,
+ "enableAcceleratedNetworking": true,
+ "ipConfigurations": [
+ {
+ "name": "ipconfig2IPV6",
+ "properties": {
+ "primary": true,
+ "subnet": {
+ "id": "[variables('subnet2-id')]"
+ },
+ "privateIPAddressVersion": "IPv6"
+ }
+ },
+ {
+ "name": "ipconfig2",
+ "properties": {
+ "subnet": {
+ "id": "[variables('subnet2-id')]"
+ }
+ }
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "diagnosticsProfile": {
+ "bootDiagnostics": {
+ "enabled": "true",
+ "storageUri": "[reference(variables('storageAccountId'), '2021-06-01').primaryEndpoints.blob]"
+ }
+ }
+ },
+ "overprovision": false
+ }
+ },
+ {
+ "type": "Microsoft.Insights/autoscaleSettings",
+ "apiVersion": "2015-04-01",
+ "name": "[parameters('vmName')]",
+ "location": "[variables('location')]",
+ "dependsOn": [
+ "[variables('vmssID')]"
+ ],
+ "properties": {
+ "name": "[parameters('vmName')]",
+ "targetResourceUri": "[variables('vmssID')]",
+ "notifications": [
+ {
+ "operation": "Scale",
+ "email": {
+ "sendToSubscriptionAdministrator": false,
+ "sendToSubscriptionCoAdministrators": false,
+ 
"customEmails": "[if(empty(parameters('adminEmail')), json('null'), array(parameters('adminEmail')))]"
+ }
+ }
+ ],
+ "enabled": true,
+ "profiles": [
+ {
+ "name": "Profile1",
+ "capacity": {
+ "minimum": "[parameters('instanceCount')]",
+ "maximum": "[parameters('maxInstanceCount')]",
+ "default": "[parameters('instanceCount')]"
+ },
+ "rules": [
+ {
+ "metricTrigger": {
+ "metricName": "Percentage CPU",
+ "metricResourceUri": "[variables('vmssID')]",
+ "timeGrain": "PT1M",
+ "statistic": "Average",
+ "timeWindow": "PT5M",
+ "timeAggregation": "Average",
+ "operator": "GreaterThan",
+ "threshold": 80
+ },
+ "scaleAction": {
+ "direction": "Increase",
+ "type": "ChangeCount",
+ "value": "1",
+ "cooldown": "PT5M"
+ }
+ },
+ {
+ "metricTrigger": {
+ "metricName": "Percentage CPU",
+ "metricResourceUri": "[variables('vmssID')]",
+ "timeGrain": "PT1M",
+ "statistic": "Average",
+ "timeWindow": "PT5M",
+ "timeAggregation": "Average",
+ "operator": "LessThan",
+ "threshold": 60
+ },
+ "scaleAction": {
+ "direction": "Decrease",
+ "type": "ChangeCount",
+ "value": "1",
+ "cooldown": "PT5M"
+ }
+ }
+ ]
+ }
+ ]
+ },
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Insights/autoscaleSettings'), parameters('tagsByResource')['Microsoft.Insights/autoscaleSettings'], json('{}')) ]"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/deprecated/azure/templates/R8040-R81/vmss-r8040-r81/README.md b/deprecated/azure/templates/R8040-R81/vmss-r8040-r81/README.md
new file mode 100644
index 00000000..3c632bf9
--- /dev/null
+++ b/deprecated/azure/templates/R8040-R81/vmss-r8040-r81/README.md
@@ -0,0 +1,23 @@
+# Check Point CloudGuard Network Security VMSS for Azure
+
+Check Point CloudGuard Network Security delivers advanced, multi-layered threat prevention to protect customer assets in Azure from malware and sophisticated threats. As a Microsoft Azure certified solution, CloudGuard Network Security enables you to easily and seamlessly secure your workloads while providing secure connectivity across your cloud and on-premises environments.
+
+Benefits:
+
+· Advanced threat prevention and traffic inspection
+
+· Integrated with Azure Security Center and Azure Sentinel
+
+· Provides consistent security policy management, enforcement, and reporting with a single pane of glass, using Check Point Unified Security Management
+
+
+
+
+ Deploy to Azure
+
+
+
+To deploy with full control over all the template options use: [Full Control Deployment](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2Fazure%2Ftemplates%2Fmarketplace-vmss%2FmainTemplate.json)
+
+
+
diff --git a/deprecated/azure/templates/R8040-R81/vmss-r8040-r81/createUiDefinition.json b/deprecated/azure/templates/R8040-R81/vmss-r8040-r81/createUiDefinition.json
new file mode 100644
index 00000000..c8b71304
--- /dev/null
+++ b/deprecated/azure/templates/R8040-R81/vmss-r8040-r81/createUiDefinition.json
@@ -0,0 +1,1732 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Compute.MultiVm",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "basics": [
+ {
+ "name": "CloudGuard VMSS settings text block",
+ "type": "Microsoft.Common.TextBlock",
+ "visible": true,
+ "options": {
+ "text": "Please follow the CloudGuard Network for Azure VMSS R80.10 and Higher Administration Guide.",
+ "link": {
+ "label": "Administration Guide",
+ "uri": "https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_VMSS_for_Azure/Default.htm"
+ }
+ }
+ },
+ {
+ "name": "warning reserved words InfoBox",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": true,
+ "options": {
+ "icon": "Warning",
+ "text": "Note: Resource group and Gateway scale set names must be without reserved words according to: sk40179",
+ "uri": "https://support.checkpoint.com/results/sk/sk40179"
+ }
+ },
+ {
+ "name": "gatewayScaleSetNameUi",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Gateway scale set name",
+ "toolTip": "The name of the Check Point Security Gateway Scale Set",
+ "constraints": {
+ "required": true,
+ "regex": "^[a-z0-9A-Z]{1,30}$",
+ "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long."
+ }
+ },
+ {
+ "name": "auth",
+ "type": "Microsoft.Compute.CredentialsCombo",
+ "label": {
+ "authenticationType": "Authentication type",
+ "password": "Password",
+ "confirmPassword": "Confirm password",
+ "sshPublicKey": "SSH public key"
+ },
+ "toolTip": {
+ "password": "The user 'admin' password",
+ "sshPublicKey": "Paste an OpenSSH public key.
You can generate a key pair using ssh-keygen (Linux, OS X, Cygwin) or PuttyGen (Windows)"
+ },
+ "constraints": {
+ "required": true
+ },
+ "options": {
+ "hideConfirmation": false,
+ "hidePassword": false
+ },
+ "osPlatform": "Linux"
+ }
+ ],
+ "steps": [
+ {
+ "name": "autoprovision",
+ "label": "Check Point VMSS settings",
+ "subLabel": {
+ "preValidation": "Configure CloudGuard VMSS settings",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "CloudGuard VMSS settings",
+ "elements": [
+ {
+ "name": "upgrading",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Are you upgrading your CloudGuard VMSS solution?",
+ "defaultValue": "No",
+ "toolTip": "Select 'Yes' if you are upgrading your CloudGuard VMSS solution.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "No",
+ "value": "no"
+ },
+ {
+ "label": "Yes",
+ "value": "yes"
+ }
+ ]
+ }
+ },
+ {
+ "name": "upgradeVmssInfoBox",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[equals(steps('autoprovision').upgrading, 'yes')]",
+ "options": {
+ "icon": "Warning",
+ "text": "All the configurations below must be similar to the existing CloudGuard VMSS solution.\n\nNote that the target load balancers are the ones connected to your existing CloudGuard VMSS solution.\n\nSee the Deployment Guide for more information."
+ }
+ },
+ {
+ "name": "vmCount",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Initial number of gateways",
+ "defaultValue": "2",
+ "toolTip": "The initial number of gateways",
+ "constraints": {
+ "required": true,
+ "regex": "^[1-9][0-9]{0,1}$",
+ "validationMessage": "Please enter a number in the range 1-99."
+ }
+ },
+ {
+ "name": "maxVmCount",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Maximum number of gateways",
+ "defaultValue": "10",
+ "toolTip": "The maximum number of gateways",
+ "constraints": {
+ "required": true,
+ "regex": "^[1-9][0-9]{0,1}$",
+ "validationMessage": "Please enter a number in the range 1-99."
+ }
+ },
+ {
+ "name": "numGwsValidation",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[greater(steps('autoprovision').vmCount, steps('autoprovision').maxVmCount)]",
+ "options": {
+ "icon": "Error",
+ "text": "Maximum number of gateways is lower than initial number of gateways"
+ }
+ },
+ {
+ "name": "managementServer",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Management name",
+ "toolTip": "The name of the management server as it appears in the configuration file",
+ "constraints": {
+ "required": true,
+ "regex": "^[a-z0-9A-Z_\\-]{1,30}$",
+ "validationMessage": "Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long."
+ }
+ },
+ {
+ "name": "configurationTemplateInfoBox",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[equals(steps('autoprovision').upgrading, 'yes')]",
+ "options": {
+ "icon": "Info",
+ "text": "Use a different configuration template name than in your existing CloudGuard VMSS solution."
+ }
+ },
+ {
+ "name": "configurationTemplate",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Configuration template name",
+ "toolTip": "The configuration template name as it appears in the configuration file",
+ "constraints": {
+ "required": true,
+ "regex": "^[a-z0-9A-Z_\\-]{1,30}$",
+ "validationMessage": "Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long."
+ }
+ },
+ {
+ "name": "adminEmail",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Administrator email address",
+ "defaultValue": "",
+ "toolTip": "An email address to notify about scaling operations",
+ "constraints": {
+ "required": false,
+ "regex": "^([a-zA-Z0-9_\\-\\.]+)@((\\[[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.)|(([a-zA-Z0-9\\-]+\\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\\]?)$",
+ "validationMessage": "Leave empty or enter a valid email address."
+ }
+ },
+ {
+ "name": "deploymentMode",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Load balancers deployment",
+ "defaultValue": "Standard (External & Internal)",
+ "toolTip": "Defines which load balancers will be deployed. Note: For outbound inspection it is mandatory to deploy an external load balancer and/or instance level public IP addresses.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Standard (External & Internal)",
+ "value": "Standard"
+ },
+ {
+ "label": "External only (Inbound inspection only)",
+ "value": "ELBOnly"
+ },
+ {
+ "label": "Internal only (Outbound & E-W inspection only - see tooltip)",
+ "value": "ILBOnly"
+ }
+ ]
+ }
+ },
+ {
+ "name": "appLoadDistribution",
+ "type": "Microsoft.Common.DropDown",
+ "label": "External Load Balancer session persistence",
+ "defaultValue": "None (5-tuple)",
+ "toolTip": "The load balancing distribution method for the External Load Balancer.",
+ "visible": "[not(equals(steps('autoprovision').deploymentMode, 'ILBOnly'))]",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "None (5-tuple)",
+ "value": "Default"
+ },
+ {
+ "label": "Client IP (2-tuple)",
+ "value": "SourceIP"
+ },
+ {
+ "label": "Client IP and protocol (3-tuple)",
+ "value": "SourceIPProtocol"
+ }
+ ]
+ }
+ },
+ {
+ "name": "ilbLoadDistribution",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Internal Load Balancer session persistence",
+ "defaultValue": "None (5-tuple)",
+ "toolTip": "The load balancing distribution method for the Internal Load Balancer.",
+ "visible": "[not(equals(steps('autoprovision').deploymentMode, 'ELBOnly'))]",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "None (5-tuple)",
+ "value": "Default"
+ },
+ {
+ "label": "Client IP (2-tuple)",
+ "value": "SourceIP"
+ },
+ {
+ "label": "Client IP and protocol (3-tuple)",
+ "value": "SourceIPProtocol"
+ }
+ ]
+ }
+ },
+ {
+ "name": "floatingIP",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy the Load Balancers with floating
IP",
+ "defaultValue": "No",
+ "toolTip": "Deploy the Load Balancers with floating IP.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "No",
+ "value": "no"
+ },
+ {
+ "label": "Yes",
+ "value": "yes"
+ }
+ ]
+ },
+ "visible": true
+ },
+ {
+ "name": "instanceLevelPublicIP",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy the VMSS with instance level Public IP address",
+ "defaultValue": "No",
+ "toolTip": "If selected 'Yes', then each VMSS instance will have its own public IP address.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "No",
+ "value": "no"
+ },
+ {
+ "label": "Yes",
+ "value": "yes"
+ }
+ ]
+ }
+ },
+ {
+ "name": "publicIPPrefix",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Public IP prefix",
+ "defaultValue": "No",
+ "toolTip": "Define if deploy existsing Public IP Prefix or a new Public IP Prefix.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "No",
+ "value": "no"
+ },
+ {
+ "label": "Yes",
+ "value": "yes"
+ }
+ ]
+ },
+ "visible": "[equals(steps('autoprovision').instanceLevelPublicIP, 'yes')]"
+ },
+ {
+ "name": "createNewIPPrefix",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Create new IP prefiex",
+ "toolTip": "Create new or existsing Public IP Prefix",
+ "defaultValue": "No",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "No",
+ "value": "no"
+ },
+ {
+ "label": "Yes",
+ "value": "yes"
+ }
+ ]
+ },
+ "visible": "[equals(steps('autoprovision').publicIPPrefix, 'yes')]"
+ },
+ {
+ "name": "IPv4Length",
+ "type": "Microsoft.Common.DropDown",
+ "label": "IPv4 IP prefix length",
+ "defaultValue": "/31 (2 addresses)",
+ "toolTip": "Choose the length of the IP prefix for IP v4.",
+ "multiselect": false,
+ "selectAll": false,
+ "filter": false,
+ "multiLine": false,
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "/28 (16 addresses)",
+ "value": "/28 (16 addresses)"
+ },
+ {
+ "label": "/29 (8 addresses)",
+ "value": "/29 (8 addresses)"
+ },
+ {
+ "label": "/30 (4
addresses)",
+ "value": "/30 (4 addresses)"
+ },
+ {
+ "label": "/31 (2 addresses)",
+ "value": "/31 (2 addresses)"
+ }
+ ],
+ "required": true
+ },
+ "visible": "[equals(steps('autoprovision').createNewIPPrefix, 'yes')]"
+ },
+ {
+ "name": "ipPrefixLengthWarning",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[equals(steps('autoprovision').createNewIPPrefix, 'yes')]",
+ "options": {
+ "icon": "Warning",
+ "text": "[concat('NOTE: The VMSS will not be allowed to contain more than ', if(equals(steps('autoprovision').IPv4Length, '/31 (2 addresses)'), '2', if(equals(steps('autoprovision').IPv4Length, '/30 (4 addresses)'), '4', if(equals(steps('autoprovision').IPv4Length, '/29 (8 addresses)'), '8', if(equals(steps('autoprovision').IPv4Length, '/28 (16 addresses)'), '16', '0')))), ' instances')]"
+ }
+ },
+ {
+ "name": "ipPrefixExistingResourceId",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Enter an existing IP prefix resource id",
+ "toolTip": "The resource id of an existing public IP prefix.",
+ "multiLine": false,
+ "constraints": {
+ "regex": "^[a-z0-9A-Z -.:/n]{1,}$",
+ "validationMessage": "Only alphanumeric characters, hyphens, spaces, periods, and colons are allowed.",
+ "required": true
+ },
+ "visible": "[equals(steps('autoprovision').createNewIPPrefix, 'no')]"
+ },
+ {
+ "name": "externalCommunicationInfoBox",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[and(equals(steps('autoprovision').instanceLevelPublicIP, 'no'), equals(steps('autoprovision').deploymentMode, 'ILBOnly'))]",
+ "options": {
+ "icon": "Warning",
+ "text": "For outbound inspection it is mandatory to deploy an external load balancer and/or instance level public IP addresses."
+ }
+ },
+ {
+ "name": "lbsTargetRGName",
+ "type": "Microsoft.Common.TextBox",
+ "visible": "[equals(steps('autoprovision').upgrading, 'yes')]",
+ "label": "Target load balancers resource group name",
+ "defaultValue": "",
+ "toolTip": "The name of the Target Load Balancers Resource Group.",
+ "constraints": {
+ "required": true,
+ "regex": "^[a-z0-9A-Z_\\-\\.\\/\\(\\)]",
+ "validationMessage": "Resource Group only allow alphanumeric characters, periods, underscores, hyphens, slash, and parenthesis"
+ }
+ },
+ {
+ "name": "elbResourceId",
+ "type": "Microsoft.Common.TextBox",
+ "visible": "[and(equals(steps('autoprovision').upgrading, 'yes'), not(equals(steps('autoprovision').deploymentMode, 'ILBOnly')))]",
+ "label": "Target external load balancer resource ID",
+ "defaultValue": "",
+ "toolTip": "The Resource ID of the Target External Load Balancer.",
+ "constraints": {
+ "required": true,
+ "regex": "^[a-z0-9A-Z_\\-\\.\\/\\(\\)]",
+ "validationMessage": "Resource Id only allow alphanumeric characters, periods, underscores, hyphens, slash, and parenthesis"
+ }
+ },
+ {
+ "name": "elbInfoBox",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[and(equals(steps('autoprovision').upgrading, 'yes'), not(equals(steps('autoprovision').deploymentMode, 'ILBOnly')))]",
+ "options": {
+ "icon": "Info",
+ "text": "Make sure you have created a new backend address pool for the target external load balancer."
+ }
+ },
+ {
+ "name": "elbBEAddressPoolName",
+ "type": "Microsoft.Common.TextBox",
+ "visible": "[and(equals(steps('autoprovision').upgrading, 'yes'), not(equals(steps('autoprovision').deploymentMode, 'ILBOnly')))]",
+ "label": "External load balancer's new backend pool name",
+ "toolTip": "The name of the new Target External Load Balancer's Backend Pool.",
+ "constraints": {
+ "required": true,
+ "regex": "^[a-z0-9A-Z_\\-\\.\\/\\(\\)]",
+ "validationMessage": "Only alphanumeric characters, periods, underscores, hyphens, slash, and parenthesis are allowed"
+ }
+ },
+ {
+ "name": "ilbResourceId",
+ "type": "Microsoft.Common.TextBox",
+ "visible": "[and(equals(steps('autoprovision').upgrading, 'yes'), not(equals(steps('autoprovision').deploymentMode, 'ELBOnly')))]",
+ "label": "Target internal load balancer resource ID",
+ "defaultValue": "",
+ "toolTip": "The Resource ID of the Target Internal Load Balancer.",
+ "constraints": {
+ "required": true,
+ "regex": "^[a-z0-9A-Z_\\-\\.\\/\\(\\)]",
+ "validationMessage": "Resource Id only allow alphanumeric characters, periods, underscores, hyphens, slash, and parenthesis"
+ }
+ },
+ {
+ "name": "ilbInfoBox",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[and(equals(steps('autoprovision').upgrading, 'yes'), not(equals(steps('autoprovision').deploymentMode, 'ELBOnly')))]",
+ "options": {
+ "icon": "Info",
+ "text": "Make sure you have created a new backend address pool for the target internal load balancer."
+ }
+ },
+ {
+ "name": "ilbBEAddressPoolName",
+ "type": "Microsoft.Common.TextBox",
+ "visible": "[and(equals(steps('autoprovision').upgrading, 'yes'), not(equals(steps('autoprovision').deploymentMode, 'ELBOnly')))]",
+ "label": "Internal load balancer's new backend pool name",
+ "toolTip": "The name of the new target internal load balancer's backend pool.",
+ "constraints": {
+ "required": true,
+ "regex": "^[a-z0-9A-Z_\\-\\.\\/\\(\\)]",
+ "validationMessage": "Only alphanumeric characters, periods, underscores, hyphens, slash, and parenthesis are allowed"
+ }
+ },
+ {
+ "name": "mgmtInterfaceOpt1",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Management interface and IP address",
+ "defaultValue": "Backend NIC's private IP address",
+ "visible": "[equals(steps('autoprovision').instanceLevelPublicIP, 'yes')]",
+ "toolTip": "Manage the Gateways in the Scale Set via the instance's external (eth0) or internal (eth1) NIC and with public or private IP.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Backend NIC's private IP address",
+ "value": "eth1-private"
+ },
+ {
+ "label": "Frontend NIC's public IP address",
+ "value": "eth0-public"
+ },
+ {
+ "label": "Frontend NIC's private IP address",
+ "value": "eth0-private"
+ }
+ ]
+ }
+ },
+ {
+ "name": "mgmtInterfaceOpt2",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Management interface and IP address",
+ "defaultValue": "Backend NIC's private IP address",
+ "visible": "[equals(steps('autoprovision').instanceLevelPublicIP, 'no')]",
+ "toolTip": "Manage the Gateways in the Scale Set via the instance's external (eth0) or internal (eth1) NIC's private IP address.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Backend NIC's private IP address",
+ "value": "eth1-private"
+ },
+ {
+ "label": "Frontend NIC's private IP address",
+ "value": "eth0-private"
+ }
+ ]
+ }
+ },
+ {
+ "name": "mgmtIPaddress",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Management Server IP address",
+ "toolTip":
"The IP address used to manage the VMSS instances.",
+ "visible": "[or(equals(steps('autoprovision').mgmtInterfaceOpt1, 'eth0-private'), equals(steps('autoprovision').mgmtInterfaceOpt2, 'eth0-private'))]",
+ "constraints": {
+ "regex": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$",
+ "required": true,
+ "validationMessage": "Please enter a valid IP address"
+ }
+ },
+ {
+ "name": "availabilityZonesNum",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Number of Availability Zones to use",
+ "defaultValue": "None",
+ "toolTip": "The number of avalability zones to use for the scale set. Note that the load balancers and their IP addresses will be zone redundant in any case.",
+ "visible": "[contains(' australiaeast brazilsouth canadacentral centralus eastasia eastus eastus2 francecentral germanywestcentral japaneast koreacentral northeurope norwayeast southafricanorth southcentralus southeastasia swedencentral uksouth usgovvirginia westeurope westus2 westus3 switzerlandnorth qatarcentral centralindia uaenorth italynorth ', concat(' ', location(), ' '))]",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "None",
+ "value": 0
+ },
+ {
+ "label": "One zone",
+ "value": 1
+ },
+ {
+ "label": "Two zones",
+ "value": 2
+ },
+ {
+ "label": "Three zones",
+ "value": 3
+ }
+ ]
+ }
+ },
+ {
+ "name": "customMetrics",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable CloudGuard metrics",
+ "defaultValue": "Yes",
+ "toolTip": "Enable CloudGuard metrics in order to send statuses and statistics collected from VMSS instances to the Azure Monitor service.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "No",
+ "value": "no"
+ },
+ {
+ "label": "Yes",
+ "value": "yes"
+ }
+ ]
+ },
+ "visible": true
+ }
+ ]
+ },
+ {
+ "name": "chkp",
+ "label": "Check Point CloudGuard settings",
+ "subLabel": {
+ "preValidation": "Configure CloudGuard settings",
+ "postValidation": "Done"
+ },
+ "bladeTitle":
"CloudGuard settings", + "elements": [ + { + "name": "cloudGuardVersion", + "type": "Microsoft.Common.DropDown", + "label": "Check Point CloudGuard version", + "defaultValue": "R81", + "toolTip": "The version of Check Point CloudGuard.", + "constraints": { + "allowedValues": [ + { + "label": "R80.40", + "value": "R80.40" + }, + { + "label": "R81", + "value": "R81" + } + ] + } + }, + { + "name": "R80Offer", + "type": "Microsoft.Common.DropDown", + "label": "License type", + "toolTip": "The type of license.", + "defaultValue": "Bring Your Own License", + "visible": true, + "constraints": { + "allowedValues": [ + { + "label": "Bring Your Own License", + "value": "Bring Your Own License" + }, + { + "label": "Pay As You Go (NGTP)", + "value": "Pay As You Go (NGTP)" + }, + { + "label": "Pay As You Go (NGTX)", + "value": "Pay As You Go (NGTX)" + } + ] + } + }, + { + "name": "R8040vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.40'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + "Standard_D2_v5", + "Standard_D4_v5", + "Standard_D8_v5", + "Standard_D16_v5", + "Standard_D32_v5", + "Standard_D2s_v5", + "Standard_D4s_v5", + "Standard_D8s_v5", + "Standard_D16s_v5", + "Standard_D2d_v5", + "Standard_D4d_v5", + "Standard_D8d_v5", + "Standard_D16d_v5", + "Standard_D32d_v5", + "Standard_D2ds_v5", + "Standard_D4ds_v5", + "Standard_D8ds_v5", + "Standard_D16ds_v5", + "Standard_D32ds_v5", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + 
"Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8040", + "sku": "sg-byol" + }, + "count": "[steps('autoprovision').vmCount]" + }, + { + "name": "R8040vmSizeUiNGTP", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.40'), contains(steps('chkp').R80Offer, '(NGTP)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + 
"Standard_D64s_v4", + "Standard_D2_v5", + "Standard_D4_v5", + "Standard_D8_v5", + "Standard_D16_v5", + "Standard_D32_v5", + "Standard_D2s_v5", + "Standard_D4s_v5", + "Standard_D8s_v5", + "Standard_D16s_v5", + "Standard_D2d_v5", + "Standard_D4d_v5", + "Standard_D8d_v5", + "Standard_D16d_v5", + "Standard_D32d_v5", + "Standard_D2ds_v5", + "Standard_D4ds_v5", + "Standard_D8ds_v5", + "Standard_D16ds_v5", + "Standard_D32ds_v5", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8040", + "sku": "sg-ngtp" + }, + "count": "[steps('autoprovision').vmCount]" + }, + { + "name": "R8040vmSizeUiNGTX", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 
'R80.40'), contains(steps('chkp').R80Offer, '(NGTX)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + "Standard_D2_v5", + "Standard_D4_v5", + "Standard_D8_v5", + "Standard_D16_v5", + "Standard_D32_v5", + "Standard_D2s_v5", + "Standard_D4s_v5", + "Standard_D8s_v5", + "Standard_D16s_v5", + "Standard_D2d_v5", + "Standard_D4d_v5", + "Standard_D8d_v5", + "Standard_D16d_v5", + "Standard_D32d_v5", + "Standard_D2ds_v5", + "Standard_D4ds_v5", + "Standard_D8ds_v5", + "Standard_D16ds_v5", + "Standard_D32ds_v5", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + 
"Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8040", + "sku": "sg-ngtx" + }, + "count": "[steps('autoprovision').vmCount]" + }, + { + "name": "R81vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + "Standard_D2_v5", + "Standard_D4_v5", + "Standard_D8_v5", + "Standard_D16_v5", + "Standard_D32_v5", + "Standard_D2s_v5", + "Standard_D4s_v5", + "Standard_D8s_v5", + "Standard_D16s_v5", + "Standard_D2d_v5", + "Standard_D4d_v5", + "Standard_D8d_v5", + "Standard_D16d_v5", + "Standard_D32d_v5", + "Standard_D2ds_v5", + "Standard_D4ds_v5", + "Standard_D8ds_v5", + "Standard_D16ds_v5", + "Standard_D32ds_v5", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + 
"Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r81", + "sku": "sg-byol" + }, + "count": "[steps('autoprovision').vmCount]" + }, + { + "name": "R81vmSizeUiNGTP", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81'), contains(steps('chkp').R80Offer, '(NGTP)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + "Standard_D2_v5", + "Standard_D4_v5", + "Standard_D8_v5", + "Standard_D16_v5", + "Standard_D32_v5", + "Standard_D2s_v5", + "Standard_D4s_v5", + "Standard_D8s_v5", + "Standard_D16s_v5", + "Standard_D2d_v5", + "Standard_D4d_v5", + "Standard_D8d_v5", + "Standard_D16d_v5", + "Standard_D32d_v5", + "Standard_D2ds_v5", + "Standard_D4ds_v5", + "Standard_D8ds_v5", + "Standard_D16ds_v5", + "Standard_D32ds_v5", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + 
"Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r81", + "sku": "sg-ngtp" + }, + "count": "[steps('autoprovision').vmCount]" + }, + { + "name": "R81vmSizeUiNGTX", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81'), contains(steps('chkp').R80Offer, '(NGTX)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + "Standard_D2_v5", + 
"Standard_D4_v5",
+ "Standard_D8_v5",
+ "Standard_D16_v5",
+ "Standard_D32_v5",
+ "Standard_D2s_v5",
+ "Standard_D4s_v5",
+ "Standard_D8s_v5",
+ "Standard_D16s_v5",
+ "Standard_D2d_v5",
+ "Standard_D4d_v5",
+ "Standard_D8d_v5",
+ "Standard_D16d_v5",
+ "Standard_D32d_v5",
+ "Standard_D2ds_v5",
+ "Standard_D4ds_v5",
+ "Standard_D8ds_v5",
+ "Standard_D16ds_v5",
+ "Standard_D32ds_v5",
+ "Standard_DS2_v2",
+ "Standard_DS3_v2",
+ "Standard_DS4_v2",
+ "Standard_DS5_v2",
+ "Standard_F2s",
+ "Standard_F4s",
+ "Standard_F8s",
+ "Standard_F16s",
+ "Standard_D4s_v3",
+ "Standard_D8s_v3",
+ "Standard_D16s_v3",
+ "Standard_D32s_v3",
+ "Standard_D64s_v3",
+ "Standard_E4s_v3",
+ "Standard_E8s_v3",
+ "Standard_E16s_v3",
+ "Standard_E20s_v3",
+ "Standard_E32s_v3",
+ "Standard_E64s_v3",
+ "Standard_E64is_v3",
+ "Standard_F4s_v2",
+ "Standard_F8s_v2",
+ "Standard_F16s_v2",
+ "Standard_F32s_v2",
+ "Standard_F64s_v2",
+ "Standard_M8ms",
+ "Standard_M16ms",
+ "Standard_M32ms",
+ "Standard_M64ms",
+ "Standard_M64s",
+ "Standard_D2_v2",
+ "Standard_D3_v2",
+ "Standard_D4_v2",
+ "Standard_D5_v2",
+ "Standard_D11_v2",
+ "Standard_D12_v2",
+ "Standard_D13_v2",
+ "Standard_D14_v2",
+ "Standard_D15_v2",
+ "Standard_F2",
+ "Standard_F4",
+ "Standard_F8",
+ "Standard_F16",
+ "Standard_D4_v3",
+ "Standard_D8_v3",
+ "Standard_D16_v3",
+ "Standard_D32_v3",
+ "Standard_D64_v3",
+ "Standard_E4_v3",
+ "Standard_E8_v3",
+ "Standard_E16_v3",
+ "Standard_E20_v3",
+ "Standard_E32_v3",
+ "Standard_E64_v3",
+ "Standard_E64i_v3",
+ "Standard_DS11_v2",
+ "Standard_DS12_v2",
+ "Standard_DS13_v2",
+ "Standard_DS14_v2",
+ "Standard_DS15_v2"
+ ]
+ },
+ "osPlatform": "Linux",
+ "imageReference": {
+ "publisher": "checkpoint",
+ "offer": "check-point-cg-r81",
+ "sku": "sg-ngtx"
+ },
+ "count": "[steps('autoprovision').vmCount]"
+ },
+ {
+ "name": "adminShell",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Default shell for the admin user",
+ "defaultValue": "/etc/cli.sh",
+ "toolTip": "The default shell for the 
admin user",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "/etc/cli.sh",
+ "value": "/etc/cli.sh"
+ },
+ {
+ "label": "/bin/bash",
+ "value": "/bin/bash"
+ },
+ {
+ "label": "/bin/csh",
+ "value": "/bin/csh"
+ },
+ {
+ "label": "/bin/tcsh",
+ "value": "/bin/tcsh"
+ }
+ ]
+ }
+ },
+ {
+ "name": "sicKeyUi",
+ "type": "Microsoft.Common.PasswordBox",
+ "label": {
+ "password": "SIC Key",
+ "confirmPassword": "Confirm SIC Key"
+ },
+ "toolTip": "Set the Secure Internal Communication one time secret used to set up trust between the gateway and the management server.",
+ "constraints": {
+ "required": true,
+ "regex": "^[a-z0-9A-Z]{12,30}$",
+ "validationMessage": "Only alphanumeric characters are allowed, and the value must be 12-30 characters long."
+ },
+ "options": {
+ "hideConfirmation": false
+ }
+ },
+ {
+ "name": "SerialPasswordInfoBox",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[bool(basics('auth').sshPublicKey)]",
+ "options": {
+ "icon": "Info",
+ "text": "Check Point recommends setting serial console password and maintenance-mode password for recovery purposes. For R81.10 and below the serial console password is used also as maintenance-mode password"
+ }
+ },
+ {
+ "visible": "[bool(basics('auth').sshPublicKey)]",
+ "name": "EnableSerialConsolePassword",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable Serial console password",
+ "defaultValue": "Yes",
+ "toolTip": "A unique password hash to enable VM connection via serial console.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": true
+ },
+ {
+ "label": "No",
+ "value": false
+ }
+ ]
+ }
+ },
+ {
+ "name": "AdditionalPassword",
+ "type": "Microsoft.Common.PasswordBox",
+ "toolTip": "Serial console password hash, used to enable password authentication (using serial console). 
To generate password hash use the command 'openssl passwd -6 PASSWORD'",
+ "visible": "[and(bool(basics('auth').sshPublicKey), steps('chkp').EnableSerialConsolePassword)]",
+ "label": {
+ "password": "Password hash",
+ "confirmPassword": "Confirm password"
+ },
+ "constraints": {
+ "required": true,
+ "regex": "^.{12,300}$",
+ "validationMessage": "The value must be the output of the hash command."
+ },
+ "options": {
+ "hideConfirmation": false
+ }
+ },
+ {
+ "name": "bootstrapScript",
+ "type": "Microsoft.Common.FileUpload",
+ "label": "Bootstrap script",
+ "toolTip": "An optional script to run on the initial boot",
+ "constraints": {
+ "required": false,
+ "accept": ".sh,text/plain"
+ },
+ "options": {
+ "multiple": false,
+ "uploadMode": "file",
+ "openMode": "text",
+ "encoding": "UTF-8"
+ }
+ },
+ {
+ "name": "allowUploadDownload",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Allow download from/upload to Check Point",
+ "defaultValue": "Yes",
+ "toolTip": "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "true"
+ },
+ {
+ "label": "No",
+ "value": "false"
+ }
+ ]
+ }
+ },
+ {
+ "name": "VMDiskType",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "VM disk type",
+ "toolTip": "Type of CloudGuard disk.",
+ "visible": "[not(contains('R80.40 R81' , steps('chkp').cloudGuardVersion))]",
+ "defaultValue": "Premium",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Standard",
+ "value": "Standard_LRS"
+ },
+ {
+ "label": "Premium",
+ "value": "Premium_LRS"
+ }
+ ]
+ }
+ },
+ {
+ "name": "VMDiskTypeOldVersions",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "VM disk type",
+ "toolTip": "Type of CloudGuard disk.",
+ "visible": "[contains('R80.40 R81' , steps('chkp').cloudGuardVersion)]",
+ "defaultValue": "Standard",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Standard",
+ "value": "Standard_LRS"
+ },
+ {
+ "label": "Premium",
+ "value": "Premium_LRS"
+ }
+ ]
+ }
+ },
+ {
+ "name": "additionalDiskSizeGB",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Additional disk space (GB)",
+ "defaultValue": "0",
+ "toolTip": "Additional disk space (in GB), initial disk size is 100 GB.",
+ "constraints": {
+ "regex": "^([0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-2][0-9][0-9][0-9]|3[0-8][0-9][0-9]|399[0-5])$",
+ "validationMessage": "Select a number between 0 and 3995"
+ },
+ "visible": "[not(contains('R80.40 R81', steps('chkp').cloudGuardVersion))]"
+ },
+ {
+ "name": "useCustomImageUri",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Use development image uri",
+ "defaultValue": "No",
+ "toolTip": "Use custom image URI.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ],
+ "required": true
+ },
+ "visible": false
+ },
+ {
+ "name": "sourceImageVhdUri",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Development Image URI",
+ "toolTip": 
"The URI of the blob containing the development image",
+ "constraints": {
+ "required": "[equals(steps('chkp').useCustomImageUri, 'Yes')]",
+ "regex": "^[a-z0-9A-Z_\\-\\.\\:\\/]{1,500}.vhd$",
+ "validationMessage": "Only alphanumeric characters and '_','-','.',':','/' are allowed, the value must be 1-500 characters long and must end with .vhd. "
+ },
+ "visible": "[equals(steps('chkp').useCustomImageUri, 'Yes')]"
+ }
+ ]
+ },
+ {
+ "name": "network",
+ "label": "Network settings",
+ "subLabel": {
+ "preValidation": "Configure network settings",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Network settings",
+ "elements": [
+ {
+ "name": "virtualNetwork",
+ "type": "Microsoft.Network.VirtualNetworkCombo",
+ "label": {
+ "virtualNetwork": "Virtual network",
+ "subnets": "Subnets"
+ },
+ "toolTip": {
+ "virtualNetwork": "Virtual Network Name",
+ "subnets": "The subnets to deploy into"
+ },
+ "defaultValue": {
+ "name": "vnet01",
+ "addressPrefixSize": "/16"
+ },
+ "constraints": {
+ "minAddressPrefixSize": "/28"
+ },
+ "options": {
+ "hideExisting": false
+ },
+ "subnets": {
+ "subnet1": {
+ "label": "VMSS Frontend subnet",
+ "defaultValue": {
+ "name": "VMSS-Frontend",
+ "addressPrefixSize": "/24"
+ },
+ "constraints": {
+ "minAddressPrefixSize": "/29",
+ "minAddressCount": "[steps('autoprovision').maxVmCount]",
+ "requireContiguousAddresses": false
+ }
+ },
+ "subnet2": {
+ "label": "VMSS Backend subnet",
+ "defaultValue": {
+ "name": "VMSS-Backend",
+ "addressPrefixSize": "/24"
+ },
+ "constraints": {
+ "minAddressPrefixSize": "/29",
+ "minAddressCount": "[steps('autoprovision').maxVmCount]",
+ "requireContiguousAddresses": false
+ }
+ }
+ }
+ },
+ {
+ "name": "NSG",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Network Security Group",
+ "toolTip": "Choose between using an existing NSG or using a new NSG",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Create new",
+ "value": true
+ },
+ {
+ "label": "Existing NSG",
+ "value": false
+ }
+ ],
+ "required": true
+ },
+ "visible": true
+ },
+ {
+ "name": "nsgSelector",
+ "type": "Microsoft.Solutions.ResourceSelector",
+ "label": "Network Security Group",
+ "defaultValue": "null",
+ "toolTip": "Choose an existing NSG",
+ "resourceType": "Microsoft.Network/NetworkSecurityGroups",
+ "options": {
+ "filter": {
+ "subscription": "onBasics",
+ "location": "onBasics"
+ }
+ },
+ "constraints": {
+ "required": true
+ },
+ "visible": "[equals(steps('network').NSG, false)]"
+ },
+ {
+ "name": "NSGName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Name",
+ "defaultValue": "[concat(basics('gatewayScaleSetNameUi') , '-nsg')]",
+ "toolTip": "Insert Name for the new NSG",
+ "multiLine": false,
+ "constraints": {
+ "required": "[steps('network').NSG]",
+ "regex": "^[a-z0-9A-Z-]{1,30}$",
+ "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long."
+ },
+ "visible": "[steps('network').NSG]"
+ },
+ {
+ "name": "addStorageAccountIpRules",
+ "type": "Microsoft.Common.OptionsGroup",
+ "defaultValue": "Network access from all networks",
+ "label": "Storage Account Network Access",
+ "toolTip": "Select your preferred network access to the Storage Account, for more information - https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#serial-console-security",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Network access from all networks",
+ "value": false
+ },
+ {
+ "label": "Network access only from Serial Console",
+ "value": true
+ }
+ ],
+ "required": true
+ },
+ "visible": true
+ }
+ ]
+ },
+ {
+ "name": "tags",
+ "label": "Tags",
+ "elements": [
+ {
+ "name": "tagsByResource",
+ "type": "Microsoft.Common.TagsByResource",
+ "toolTip": "Create Azure tags for the new resources",
+ "resources": [
+ "Function App",
+ "Microsoft.Storage/storageAccounts",
+ "Microsoft.Compute/virtualMachineScaleSets",
+ "Microsoft.Network/routeTables",
+ "Microsoft.Network/virtualNetworks",
+ 
"Microsoft.Network/networkSecurityGroups",
+ "Microsoft.Network/publicIPAddresses",
+ "Microsoft.Network/loadBalancers"
+ ]
+ }
+ ]
+ }
+ ],
+ "outputs": {
+ "location": "[location()]",
+ "authenticationType": "[basics('auth').authenticationType]",
+ "adminPassword": "[basics('auth').password]",
+ "sshPublicKey": "[basics('auth').sshPublicKey]",
+ "upgrading": "[steps('autoprovision').upgrading]",
+ "vmName": "[basics('gatewayScaleSetNameUi')]",
+ "instanceCount": "[steps('autoprovision').vmCount]",
+ "maxInstanceCount": "[steps('autoprovision').maxVmCount]",
+ "managementServer": "[steps('autoprovision').managementServer]",
+ "configurationTemplate": "[steps('autoprovision').configurationTemplate]",
+ "adminEmail": "[steps('autoprovision').adminEmail]",
+ "deploymentMode": "[steps('autoprovision').deploymentMode]",
+ "instanceLevelPublicIP": "[steps('autoprovision').instanceLevelPublicIP]",
+ "lbsTargetRGName": "[steps('autoprovision').lbsTargetRGName]",
+ "elbResourceId": "[steps('autoprovision').elbResourceId]",
+ "elbTargetBEAddressPoolName": "[steps('autoprovision').elbBEAddressPoolName]",
+ "ilbResourceId": "[steps('autoprovision').ilbResourceId]",
+ "ilbTargetBEAddressPoolName": "[steps('autoprovision').ilbBEAddressPoolName]",
+ "mgmtInterfaceOpt1": "[steps('autoprovision').mgmtInterfaceOpt1]",
+ "mgmtInterfaceOpt2": "[steps('autoprovision').mgmtInterfaceOpt2]",
+ "mgmtIPaddress": "[steps('autoprovision').mgmtIPaddress]",
+ "appLoadDistribution": "[steps('autoprovision').appLoadDistribution]",
+ "ilbLoadDistribution": "[steps('autoprovision').ilbLoadDistribution]",
+ "availabilityZonesNum": "[coalesce(steps('autoprovision').availabilityZonesNum, int('0'))]",
+ "customMetrics": "[steps('autoprovision').customMetrics]",
+ "cloudGuardVersion": "[concat(steps('chkp').cloudGuardVersion, ' - ', coalesce(steps('chkp').R80Offer, 'Bring Your Own License'))]",
+ "vmSize": "[coalesce(steps('chkp').R8040vmSizeUiBYOL, steps('chkp').R8040vmSizeUiNGTP, 
steps('chkp').R8040vmSizeUiNGTX, steps('chkp').R81vmSizeUiBYOL, steps('chkp').R81vmSizeUiNGTP, steps('chkp').R81vmSizeUiNGTX)]",
+ "sicKey": "[steps('chkp').sicKeyUi]",
+ "bootstrapScript": "[steps('chkp').bootstrapScript]",
+ "allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp').allowUploadDownload, 'true')]",
+ "additionalDiskSizeGB": "[int(steps('chkp').additionalDiskSizeGB)]",
+ "diskType": "[if(contains('R80.40 R81' , steps('chkp').cloudGuardVersion) , steps('chkp').VMDiskTypeOldVersions , steps('chkp').VMDiskType)]",
+ "sourceImageVhdUri": "[coalesce(steps('chkp').sourceImageVhdUri, 'noCustomUri')]",
+ "virtualNetworkName": "[steps('network').virtualNetwork.name]",
+ "virtualNetworkAddressPrefixes": "[steps('network').virtualNetwork.addressPrefixes]",
+ "vnetNewOrExisting": "[steps('network').virtualNetwork.newOrExisting]",
+ "virtualNetworkExistingRGName": "[steps('network').virtualNetwork.resourceGroup]",
+ "subnet1Name": "[steps('network').virtualNetwork.subnets.subnet1.name]",
+ "subnet1Prefix": "[steps('network').virtualNetwork.subnets.subnet1.addressPrefix]",
+ "subnet2Name": "[steps('network').virtualNetwork.subnets.subnet2.name]",
+ "subnet2Prefix": "[steps('network').virtualNetwork.subnets.subnet2.addressPrefix]",
+ "subnet2StartAddress": "[steps('network').virtualNetwork.subnets.subnet2.startAddress]",
+ "floatingIP": "[steps('autoprovision').floatingIP]",
+ "IPv4Length": "[steps('autoprovision').IPv4Length]",
+ "publicIPPrefix": "[steps('autoprovision').publicIPPrefix]",
+ "createNewIPPrefix": "[steps('autoprovision').createNewIPPrefix]",
+ "ipPrefixExistingResourceId": "[steps('autoprovision').ipPrefixExistingResourceId]",
+ "adminShell": "[steps('chkp').adminShell]",
+ "tagsByResource": "[steps('tags').tagsByResource]",
+ "deployNewNSG": "[steps('network').NSG]",
+ "ExistingNSG": "[steps('network').nsgSelector]",
+ "NewNsgName": "[steps('network').NSGName]",
+ "addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]",
+ 
"SerialConsolePasswordHash": "[steps('chkp').AdditionalPassword]"
+ }
+ }
+}
diff --git a/deprecated/azure/templates/R8040-R81/vmss-r8040-r81/mainTemplate.json b/deprecated/azure/templates/R8040-R81/vmss-r8040-r81/mainTemplate.json
new file mode 100644
index 00000000..b343976c
--- /dev/null
+++ b/deprecated/azure/templates/R8040-R81/vmss-r8040-r81/mainTemplate.json
@@ -0,0 +1,1156 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "subscriptionId": {
+ "type": "string",
+ "defaultValue": "[subscription().subscriptionId]",
+ "metadata": {
+ "description": "Subscription ID."
+ }
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "Deployment location"
+ },
+ "defaultValue": "[resourceGroup().location]"
+ },
+ "cloudGuardVersion": {
+ "type": "string",
+ "allowedValues": [
+ "R80.40 - Bring Your Own License",
+ "R80.40 - Pay As You Go (NGTP)",
+ "R80.40 - Pay As You Go (NGTX)",
+ "R81 - Bring Your Own License",
+ "R81 - Pay As You Go (NGTP)",
+ "R81 - Pay As You Go (NGTX)"
+ ],
+ "defaultValue": "R81 - Bring Your Own License",
+ "metadata": {
+ "description": "Version of Check Point CloudGuard"
+ }
+ },
+ "instanceCount": {
+ "defaultValue": "2",
+ "type": "string",
+ "metadata": {
+ "description": "Number of VM instances"
+ }
+ },
+ "maxInstanceCount": {
+ "defaultValue": "10",
+ "type": "string",
+ "metadata": {
+ "description": "Maximum number of VM instances"
+ }
+ },
+ "managementServer": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the management server as it appears in the configuration file"
+ }
+ },
+ "configurationTemplate": {
+ "type": "string",
+ "metadata": {
+ "description": "A name of a template as it appears in the configuration file"
+ }
+ },
+ "adminEmail": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Email address to notify if there are any scaling operations"
+ }
+ },
+ "authenticationType": {
+ "type": "string",
+ "allowedValues": [
+ "password",
+ "sshPublicKey"
+ ],
+ "defaultValue": "password",
+ "metadata": {
+ "description": "Authentication type"
+ }
+ },
+ "sshPublicKey": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Administrator SSH public key"
+ }
+ },
+ "adminPassword": {
+ "type": 
"securestring", + "metadata": { + "description": "Administrator password" + }, + "defaultValue": "" + }, + "SerialConsolePasswordHash": { + "type": "securestring", + "defaultValue": "", + "metadata": { + "Description": "Optional parameter, used to enable serial console connection in case of SSH key as authentication type" + } + }, + "vmName": { + "type": "string", + "metadata": { + "description": "Name of the Check Point Security Gateway scale set" + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_D3_v2", + "metadata": { + "description": "Size of the VM" + } + }, + "adminShell": { + "type": "string", + "defaultValue": "/etc/cli.sh", + "allowedValues": [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh" + ], + "metadata": { + "Description": "The default shell for the admin user" + } + }, + "sicKey": { + "type": "securestring", + "metadata": { + "description": "One time key for Secure Internal Communication" + } + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "[concat(resourceGroup().name, '-vnet')]" + }, + "upgrading": { + "type": "string", + "defaultValue": "no", + "allowedValues": [ + "no", + "yes" + ], + "metadata": { + "Description": "Indicates whether the user in upgrading the CloudGuard VMSS solution" + } + }, + "floatingIP": { + "type": "string", + "defaultValue": "no", + "allowedValues": [ + "no", + "yes" + ], + "metadata": { + "description": "Deploy the Load Balancers with floating IP" + } + }, + "instanceLevelPublicIP": { + "type": "string", + "allowedValues": [ + "no", + "yes" + ], + "defaultValue": "no", + "metadata": { + "description": "Deploy the VMSS with instance level Public IP address" + } + }, + "publicIPPrefix": { + "type": "string", + "defaultValue": "no", + "allowedValues": [ + "no", + "yes" + ], + "metadata": { + "description": "Use public IP prefix." 
+ }
+ },
+ "createNewIPPrefix": {
+ "type": "string",
+ "defaultValue": "no",
+ "allowedValues": [
+ "no",
+ "yes"
+ ],
+ "metadata": {
+ "description": "Create new IP prefix or use an existing one."
+ }
+ },
+ "IPv4Length": {
+ "type": "string",
+ "defaultValue": "/31 (2 addresses)",
+ "allowedValues": [
+ "/28 (16 addresses)",
+ "/29 (8 addresses)",
+ "/30 (4 addresses)",
+ "/31 (2 addresses)"
+ ],
+ "metadata": {
+ "description": "Choose the IP prefix length for IP v4."
+ }
+ },
+ "ipPrefixExistingResourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "The resource id of the existing IP prefix."
+ },
+ "defaultValue": ""
+ },
+ "lbsTargetRGName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the Target Load Balancers Resource Group."
+ },
+ "defaultValue": ""
+ },
+ "elbResourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "The Resource ID of the Target External Load Balancer."
+ },
+ "defaultValue": ""
+ },
+ "elbTargetBEAddressPoolName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the new Target External Load Balancer's Backend Pool."
+ },
+ "defaultValue": ""
+ },
+ "ilbResourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "The Resource ID of the Target Internal Load Balancer."
+ },
+ "defaultValue": ""
+ },
+ "ilbTargetBEAddressPoolName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the new Target Internal Load Balancer's Backend Pool." 
+ }, + "defaultValue": "" + }, + "virtualNetworkAddressPrefixes": { + "type": "array", + "metadata": { + "description": "The address prefixes of the virtual network" + }, + "defaultValue": [ + "10.0.0.0/16" + ] + }, + "subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the frontend subnet" + }, + "defaultValue": "Frontend" + }, + "subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the frontend subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "subnet2Name": { + "type": "string", + "metadata": { + "description": "The name of the backend subnet" + }, + "defaultValue": "Backend" + }, + "subnet2Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the backend subnet" + }, + "defaultValue": "10.0.2.0/24" + }, + "subnet2StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the 2nd subnet" + }, + "defaultValue": "10.0.2.4" + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "new", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "[resourceGroup().name]" + }, + "bootstrapScript": { + "type": "string", + "metadata": { + "description": "Bootstrap script" + }, + "defaultValue": "" + }, + "allowDownloadFromUploadToCheckPoint": { + "type": "string", + "allowedValues": [ + "true", + "false" + ], + "defaultValue": "true", + "metadata": { + "description": "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point"
+ }
+ },
+ "mgmtInterfaceOpt1": {
+ "type": "string",
+ "allowedValues": [
+ "eth0-public",
+ "eth0-private",
+ "eth1-private"
+ ],
+ "defaultValue": "eth1-private",
+ "metadata": {
+ "description": "Manage the Gateways in the Scale Set via the instance's external (eth0) or internal (eth1) NIC's private IP address."
+ }
+ },
+ "mgmtInterfaceOpt2": {
+ "type": "string",
+ "allowedValues": [
+ "eth0-private",
+ "eth1-private"
+ ],
+ "defaultValue": "eth1-private",
+ "metadata": {
+ "description": "Manage the Gateways in the Scale Set via the instance's external (eth0) or internal (eth1) NIC's private IP address."
+ }
+ },
+ "mgmtIPaddress": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "The IP address used to manage the VMSS instances."
+ }
+ },
+ "diskType": {
+ "type": "string",
+ "defaultValue": "Standard_LRS",
+ "metadata": {
+ "description": "The type of the OS disk. Premium is applicable only to DS machine sizes"
+ },
+ "allowedValues": [
+ "Standard_LRS",
+ "Premium_LRS"
+ ]
+ },
+ "appLoadDistribution": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "SourceIP",
+ "SourceIPProtocol"
+ ],
+ "defaultValue": "Default",
+ "metadata": {
+ "description": "The External Load Balancer distribution method"
+ }
+ },
+ "ilbLoadDistribution": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "SourceIP",
+ "SourceIPProtocol"
+ ],
+ "defaultValue": "Default",
+ "metadata": {
+ "description": "The Internal Load Balancer distribution method"
+ }
+ },
+ "deploymentMode": {
+ "type": "string",
+ "allowedValues": [
+ "Standard",
+ "ILBOnly",
+ "ELBOnly"
+ ],
+ "defaultValue": "Standard",
+ "metadata": {
+ "description": "Solution deployment architecture." 
+ } + }, + "sourceImageVhdUri": { + "type": "string", + "defaultValue": "noCustomUri", + "metadata": { + "description": "The URI of the blob containing the development image" + } + }, + "availabilityZonesNum": { + "type": "int", + "allowedValues": [ + 0, + 1, + 2, + 3 + ], + "defaultValue": 0, + "metadata": { + "description": "The number of availability zones" + } + }, + "_artifactsLocation": { + "type": "string", + "metadata": { + "description": "Use the following URI when deploying a custom template: https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/" + }, + "defaultValue": "[deployment().properties.templateLink.uri]" + }, + "_artifactsLocationSasToken": { + "type": "securestring", + "metadata": { + "description": "The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. Use the defaultValue if the staging location is not secured." + }, + "defaultValue": "" + }, + "customMetrics": { + "type": "string", + "allowedValues": [ + "no", + "yes" + ], + "defaultValue": "yes", + "metadata": { + "Description": "Indicates whether Custom Metrics will be used for VMSS Scaling policy and VM monitoring" + } + }, + "rbacGuid": { + "type": "string", + "defaultValue": "[newGuid()]" + }, + "tagsByResource": { + "type": "object", + "defaultValue": {} + }, + "deployNewNSG": { + "type": "bool", + "defaultValue": true + }, + "ExistingNSG": { + "type": "object", + "defaultValue": {} + }, + "NewNsgName": { + "type": "string", + "defaultValue": "[concat(parameters('vmName'),'-nsg')]" + }, + "addStorageAccountIpRules": { + "type": "bool", + "metadata": { + "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on 
https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled"
+ },
+ "defaultValue" : false
+ },
+ "storageAccountAdditionalIps":{
+ "type": "array",
+ "metadata": {
+ "description": "IPs/CIDRs that are allowed access to the Storage Account"
+ },
+ "defaultValue" : []
+ }
+ },
+ "variables": {
+ "resourceGroup": "[resourceGroup()]",
+ "resourceGroupName": "[resourceGroup().name]",
+ "templateName": "vmss-v2",
+ "templateVersion": "20230910",
+ "location": "[parameters('location')]",
+ "offers": {
+ "R80.40 - Bring Your Own License": "BYOL",
+ "R80.40 - Pay As You Go (NGTP)": "NGTP",
+ "R80.40 - Pay As You Go (NGTX)": "NGTX",
+ "R81 - Bring Your Own License": "BYOL",
+ "R81 - Pay As You Go (NGTP)": "NGTP",
+ "R81 - Pay As You Go (NGTX)": "NGTX"
+ },
+ "offer": "[variables('offers')[parameters('cloudGuardVersion')]]",
+ "osVersions": {
+ "R80.40 - Bring Your Own License": "R8040",
+ "R80.40 - Pay As You Go (NGTP)": "R8040",
+ "R80.40 - Pay As You Go (NGTX)": "R8040",
+ "R81 - Bring Your Own License": "R81",
+ "R81 - Pay As You Go (NGTP)": "R81",
+ "R81 - Pay As You Go (NGTX)": "R81"
+ },
+ "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]",
+ "SerialConsoleGeographies": {
+ "eastasia" : ["20.205.69.28", "20.195.85.180"],
+ "southeastasia" : ["20.205.69.28", "20.195.85.180"],
+ "australiacentral" : ["20.53.53.224", "20.70.222.112"],
+ "australiacentral2" : ["20.53.53.224", "20.70.222.112"],
+ "australiaeast" : ["20.53.53.224", "20.70.222.112"],
+ "australiasoutheast" : ["20.53.53.224", "20.70.222.112"],
+ "brazilsouth" : ["91.234.136.63", "20.206.0.194"],
+ "brazilsoutheast" : ["91.234.136.63", "20.206.0.194"],
+ "canadacentral" : ["52.228.86.177", "52.242.40.90"],
+ "canadaeast" : ["52.228.86.177", "52.242.40.90"],
+ "northeurope" : ["52.146.139.220", "20.105.209.72"],
+ "westeurope" : ["52.146.139.220", "20.105.209.72"],
+
"francecentral" : ["20.111.0.244", "52.136.191.10"], + "francesouth" : ["20.111.0.244", "52.136.191.10"], + "germanynorth" : ["51.116.75.88", "20.52.95.48"], + "germanywestcentral" : ["51.116.75.88", "20.52.95.48"], + "centralindia" : ["20.192.168.150", "20.192.153.104"], + "southindia" : ["20.192.168.150", "20.192.153.104"], + "westindia" : ["20.192.168.150", "20.192.153.104"], + "japaneast" : ["20.43.70.205", "20.189.228.222"], + "japanwest" : ["20.43.70.205", "20.189.228.222"], + "koreacentral" : ["20.200.196.96", "52.147.119.29"], + "koreasouth" : ["20.200.196.96", "52.147.119.29"], + "norwaywest" : ["20.100.1.184", "51.13.138.76"], + "norwayeast" : ["20.100.1.184", "51.13.138.76"], + "switzerlandnorth" : ["20.208.4.98", "51.107.251.190"], + "switzerlandwest" : ["20.208.4.98", "51.107.251.190"], + "uaecentral" : ["20.45.95.66", "20.38.141.5"], + "uaenorth" : ["20.45.95.66", "20.38.141.5"], + "uksouth" : ["20.90.132.144", "20.58.68.62"], + "ukwest" : ["20.90.132.144", "20.58.68.62"], + "swedencentral" : ["51.12.72.223", "51.12.22.174"], + "swedensouth" : ["51.12.72.223", "51.12.22.174"], + "centralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "eastus2" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "eastus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "northcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "southcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus2" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus3" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "eastus2euap" : ["20.45.242.18", "20.51.21.252"], + "centraluseuap" : ["20.45.242.18", "20.51.21.252"]}, + "serialConsoleIps": 
"[if(contains(variables('serialConsoleGeographies'),variables('location')),variables('serialConsoleGeographies')[variables('location')],createArray())]", + "storageAccountIps" : "[concat(variables('SerialConsoleIps'),parameters('storageAccountAdditionalIps'))]", + "isBlink": true, + "subnet2Name": "[parameters('subnet2Name')]", + "storageAccountName": "[concat('bootdiag', uniqueString(variables('resourceGroup').id, deployment().name))]", + "storageAccountType": "Standard_LRS", + "diskSize100GB": 100, + "additionalDiskSizeGB": "[if(contains('R8040 R81', variables('osVersion')), 0, parameters('additionalDiskSizeGB'))]", + "diskSizeGB": "[add(variables('additionalDiskSizeGB'), variables('diskSize100GB'))]", + "enableFloatingIP": "[equals(parameters('floatingIP'), 'yes')]", + "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'customMetrics=\"', variables('customMetrics'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n', 'MaintenanceModePassword=\"', parameters('MaintenanceModePasswordHash'), '\"', '\n', 'passwordHash=\"', parameters('SerialConsolePasswordHash'), '\"', '\n')]", + "imageOffer": "[concat('check-point-cg-', toLower(variables('osVersion')))]", + "imagePublisher": "checkpoint", + "imageReferenceBYOL": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-byol", + "version": "latest" + }, + "imageReferenceNGTP": { + "offer": "[variables('imageOffer')]", + 
"publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp", + "version": "latest" + }, + "imageReferenceNGTP-V2": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp-v2", + "version": "latest" + }, + "imageReferenceNGTX": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtx", + "version": "latest" + }, + "imageReferenceNGTX-V2": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtx-v2", + "version": "latest" + }, + "imageReferenceMarketplace": "[if(equals(variables('offer'), 'BYOL'), variables('imageReferenceBYOL'), if(equals(variables('offer'), 'NGTP'), variables('imageReferenceNGTP'), if(equals(variables('offer'), 'NGTP-V2'), variables('imageReferenceNGTP-V2'), if(equals(variables('offer'), 'NGTX'), variables('imageReferenceNGTX'), if(equals(variables('offer'), 'NGTX-V2'), variables('imageReferenceNGTX-V2'), json('null'))))))]", + "customImage": "customImage", + "imageReferenceCustomUri": { + "id": "[resourceId('Microsoft.Compute/images', variables('customImage'))]" + }, + "imageReference": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('imageReferenceMarketplace'), variables('imageReferenceCustomUri'))]", + "linuxConfigurationpassword": { + "disablePasswordAuthentication": "false" + }, + "linuxConfigurationsshPublicKey": { + "disablePasswordAuthentication": "true", + "ssh": { + "publicKeys": [ + { + "keyData": "[parameters('sshPublicKey')]", + "path": "/home/notused/.ssh/authorized_keys" + } + ] + } + }, + "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), variables('linuxConfigurationpassword'), variables('linuxConfigurationsshPublicKey'))]", + "planBYOL": { + "name": "sg-byol", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP": { + "name": "sg-ngtp", + "product": 
"[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP-V2": { + "name": "sg-ngtp-v2", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTX": { + "name": "sg-ngtx", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTX-V2": { + "name": "sg-ngtx-v2", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "plan": "[if(equals(variables('offer'), 'BYOL') , variables('planBYOL'), if(equals(variables('offer'), 'NGTP'), variables('planNGTP'), if(equals(variables('offer'), 'NGTP-V2'), variables('planNGTP-V2'), if(equals(variables('offer'), 'NGTX'), variables('planNGTX'), if(equals(variables('offer'), 'NGTX-V2'), variables('planNGTX-V2'), json('null'))))))]", + "vmssID": "[resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('vmName'))]", + "bootstrapScript64": "[base64(parameters('bootstrapScript'))]", + "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]", + "sicKey": "[parameters('sicKey')]", + "installationType": "vmss", + "upgrading": "[equals(parameters('upgrading'), 'yes')]", + "_artifactsLocation": "[if(contains(parameters('_artifactsLocation'),'raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/marketplace'),'https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/',parameters('_artifactsLocation'))]", + "networkSetupURL": "[uri(variables('_artifactsLocation'), concat('nestedtemplates/vnet-2-subnet-ha-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]", + "loadBalacerSetupURL": "[uri(variables('_artifactsLocation'), concat('nestedtemplates/load-balancers.json', parameters('_artifactsLocationSasToken')))]", + "lbsTargetRGName": "[parameters('lbsTargetRGName')]", + "lbRGName": "[if(variables('upgrading'), variables('lbsTargetRGName'), resourceGroup().name)]", 
+ "loadBalancerSetupId": "[resourceId(variables('lbRGName'), 'Microsoft.Resources/deployments', 'loadBalancerSetup')]", + "deployNewVnet": "[equals(parameters('vnetNewOrExisting'), 'new')]", + "vnetRGName": "[if(variables('deployNewVnet'), variables('resourceGroupName'), parameters('virtualNetworkExistingRGName'))]", + "vnetID": "[if(variables('deployNewVnet'), resourceId(variables('vnetRGName'), 'Microsoft.Resources/deployments', 'networkNewSetup'), resourceId(variables('vnetRGName'), 'Microsoft.Resources/deployments', 'networkExistingSetup'))]", + "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]", + "customImageId": "[variables('imageReferenceCustomUri').id]", + "availabilityZonesLocations": [ + "brazilsouth", + "canadacentral", + "centralus", + "eastus", + "eastus2", + "southcentralus", + "usgovvirginia", + "westus2", + "westus3", + "francecentral", + "germanywestcentral", + "northeurope", + "norwayeast", + "uksouth", + "westeurope", + "swedencentral", + "switzerlandnorth", + "qatarcentral", + "uaenorth", + "southafricanorth", + "australiaeast", + "centralindia", + "japaneast", + "koreacentral", + "southeastasia", + "eastasia", + "italynorth" + ], + "availabilityZonesProperty": "[range(1, parameters('availabilityZonesNum'))]", + "mgmtInterface": "[if(equals(parameters('instanceLevelPublicIP'), 'yes'), parameters('mgmtInterfaceOpt1'), parameters('mgmtInterfaceOpt2'))]", + "mgmtIpAddressType": "[split(variables('mgmtInterface'), '-')[1]]", + "mgmtInterfaceName": "[split(variables('mgmtInterface'), '-')[0]]", + "mgmtIPaddress": "[if(equals(variables('mgmtInterfaceName'), 'eth0'), parameters('mgmtIPaddress'), '')]", + "commomTags": { + "x-chkp-management": "[parameters('managementServer')]", + "x-chkp-template": "[parameters('configurationTemplate')]", + "x-chkp-ip-address": "[variables('mgmtIpAddressType')]", + "x-chkp-management-interface": "[variables('mgmtInterfaceName')]", + "x-chkp-topology": 
"eth0:external,eth1:internal", + "x-chkp-anti-spoofing": "eth0:false,eth1:false", + "x-chkp-srcImageUri": "[parameters('sourceImageVhdUri')]" + }, + "uniqueTags": { + "x-chkp-management-address": "[variables('mgmtIPaddress')]" + }, + "vmssTags": "[if(equals(variables('mgmtIPaddress'), ''), variables('commomTags'), union(variables('commomTags'), variables('uniqueTags')))]", + "customMetrics": "[parameters('customMetrics')]", + "monitoringMetricsPublisher": "[concat('/subscriptions/', parameters('subscriptionId'), '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", + "identity": "[json('{\"type\": \"SystemAssigned\"}')]", + "IPv4Lengths": { + "/28 (16 addresses)": "28", + "/29 (8 addresses)": "29", + "/30 (4 addresses)": "30", + "/31 (2 addresses)": "31" + }, + "ipPrefixNewName": "[concat(parameters('vmName'), '-ipprefix')]", + "ipPrefixExistingResourceId": "[if(equals(parameters('publicIPPrefix'), 'yes'), parameters('ipPrefixExistingResourceId'), json('null'))]", + "ipPrefixId": "[resourceId('Microsoft.Network/publicipprefixes',variables('ipPrefixNewName'))]", + "publicIPPrefixId": "[if(equals(parameters('publicIPPrefix'), 'yes'), variables('ipPrefixId'), json('null'))]", + "usePublicIPPrefix": "[if(equals(parameters('createNewIPPrefix'),'yes'), variables('publicIPPrefixId'), variables('ipPrefixExistingResourceId'))]", + "publicIPPropertiesWithPrefix": { + "name": "instancePublicIP", + "properties": { + "idleTimeoutInMinutes": 15, + "PublicIpPrefix": { + "Id": "[if(equals(parameters('publicIPPrefix'), 'yes'), variables('usePublicIPPrefix'), json('null'))]" + } + } + }, + "publicIPPropertiesWithoutPrefix": { + "name": "instancePublicIP", + "properties": { + "idleTimeoutInMinutes": 15 + } + }, + "publicIPPrefixLength": "[variables('IPv4Lengths')[parameters('IPv4Length')]]", + "useIpPrefix": "[if(equals(parameters('publicIPPrefix'), 'yes'), variables('publicIPPropertiesWithPrefix'), 
variables('publicIPPropertiesWithoutPrefix'))]",
+ "NewNsgReference": {"id": "[resourceId(variables('vnetRGName'),'Microsoft.Network/networkSecurityGroups', parameters('NewNsgName'))]"}
+ },
+ "resources": [
+ {
+ "condition": "[and(equals(parameters('createNewIPPrefix'), 'yes'), equals(parameters('publicIPPrefix'), 'yes'))]",
+ "apiVersion": "2020-06-01",
+ "type": "Microsoft.Network/publicipprefixes",
+ "name": "[variables('ipPrefixNewName')]",
+ "location": "[variables('location')]",
+ "properties": {
+ "prefixLength": "[variables('publicIPPrefixLength')]",
+ "publicIPAddressVersion": "IPv4"
+ },
+ "sku": {
+ "name": "Standard",
+ "tier": "Regional"
+ },
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Network/publicipprefixes'), parameters('tagsByResource')['Microsoft.Network/publicipprefixes'], json('{}')) ]"
+ },
+ {
+ "apiVersion": "2020-06-01",
+ "name": "pid-6f13b00a-7546-4ab2-be9f-c66815cc6c8b-partnercenter",
+ "type": "Microsoft.Resources/deployments",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": []
+ }
+ }
+ },
+ {
+ "condition": "[equals(variables('customMetrics'), 'yes')]",
+ "apiVersion": "2020-04-01-preview",
+ "type": "Microsoft.Authorization/roleAssignments",
+ "name": "[parameters('rbacGuid')]",
+ "properties": {
+ "roleDefinitionId": "[variables('monitoringMetricsPublisher')]",
+ "principalId": "[reference(variables('vmssID'), '2021-07-01', 'Full').identity.principalId]",
+ "scope": "[resourceGroup().id]"
+ },
+ "dependsOn": [
+ "[variables('vmssID')]"
+ ],
+ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Authorization/roleAssignments'), parameters('tagsByResource')['Microsoft.Authorization/roleAssignments'], json('{}')) ]"
+ },
+ {
+ "condition": "[equals(parameters('vnetNewOrExisting'), 'new')]",
+ "name": "networkNewSetup",
+ "type": 
"Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "resourceGroup": "[variables('vnetRGName')]", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + "value": "[variables('location')]" + }, + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + "virtualNetworkAddressPrefixes": { + "value": "[parameters('virtualNetworkAddressPrefixes')]" + }, + "subnet1Name": { + "value": "[parameters('subnet1Name')]" + }, + "subnet1Prefix": { + "value": "[parameters('subnet1Prefix')]" + }, + "subnet2Name": { + "value": "[parameters('subnet2Name')]" + }, + "subnet2Prefix": { + "value": "[parameters('subnet2Prefix')]" + }, + "vmName": { + "value": "[parameters('vmName')]" + }, + "deployNsg": { + "value": "[parameters('deployNewNSG')]" + }, + "NewNsgName": + { + "value":"[parameters('NewNsgName')]" + }, + "tagsByResource": { + "value": "[parameters('tagsByResource')]" + } + } + } + }, + { + "condition": "[equals(parameters('vnetNewOrExisting'), 'existing')]", + "name": "networkExistingSetup", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "resourceGroup": "[variables('vnetRGName')]", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + "value": "[variables('location')]" + }, + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + "virtualNetworkExistingRGName": { + "value": "[variables('vnetRGName')]" + }, + "vmName": { + "value": "[parameters('vmName')]" + }, + "deployNsg": { + "value": "[parameters('deployNewNSG')]" + }, + "NewNsgName": + { + "value":"[parameters('NewNsgName')]" + }, + "tagsByResource": { + "value": "[parameters('tagsByResource')]" + } + } + } + }, + { + "name": "loadBalancerSetup", + "type": "Microsoft.Resources/deployments", 
+ "resourceGroup": "[variables('lbRGName')]", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[variables('vnetID')]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('loadBalacerSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "deploymentMode": { + "value": "[parameters('deploymentMode')]" + }, + "location": { + "value": "[variables('location')]" + }, + "vmName": { + "value": "[parameters('vmName')]" + }, + "appLoadDistribution": { + "value": "[parameters('appLoadDistribution')]" + }, + "subnet2StartAddress": { + "value": "[parameters('subnet2StartAddress')]" + }, + "subnet2Id": { + "value": "[resourceId(variables('vnetRGName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), variables('subnet2Name'))]" + }, + "ilbLoadDistribution": { + "value": "[parameters('ilbLoadDistribution')]" + }, + "elbResourceId": { + "value": "[parameters('elbResourceId')]" + }, + "elbTargetBEAddressPoolName": { + "value": "[parameters('elbTargetBEAddressPoolName')]" + }, + "ilbResourceId": { + "value": "[parameters('ilbResourceId')]" + }, + "ilbTargetBEAddressPoolName": { + "value": "[parameters('ilbTargetBEAddressPoolName')]" + }, + "upgrading": { + "value": "[variables('upgrading')]" + }, + "floatingIp": { + "value": "[variables('enableFloatingIP')]" + }, + "tagsByResource": { + "value": "[parameters('tagsByResource')]" + } + } + } + }, + { + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('storageAccountName')]", + "apiVersion": "2021-04-01", + "properties": { + "supportsHttpsTrafficOnly": true, + "allowBlobPublicAccess": false, + "minimumTlsVersion": "TLS1_2", + "networkAcls": { + "bypass": "None", + "defaultAction": "[if(parameters('addStorageAccountIpRules'), 'Deny', 'Allow')]", + "ipRules": "[if(parameters('addStorageAccountIpRules'), map(variables('storageAccountIps'), lambda('ip',createObject('action','Allow','value',lambdaVariables('ip')))), createArray())]" + } + }, 
+ "location": "[variables('location')]", + "sku": { + "name": "[variables('storageAccountType')]" + }, + "kind": "Storage", + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Storage/storageAccounts'), parameters('tagsByResource')['Microsoft.Storage/storageAccounts'], json('{}')) ]" + }, + { + "condition": "[not(equals(parameters('sourceImageVhdUri'), 'noCustomUri'))]", + "type": "Microsoft.Compute/images", + "apiVersion": "2020-06-01", + "name": "[variables('customImage')]", + "location": "[variables('resourceGroup').location]", + "properties": { + "storageProfile": { + "osDisk": { + "osType": "Linux", + "osState": "Generalized", + "blobUri": "[parameters('sourceImageVhdUri')]", + "storageAccountType": "Standard_LRS" + } + }, + "hyperVGeneration": "V1" + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Compute/images'), parameters('tagsByResource')['Microsoft.Compute/images'], json('{}')) ]" + }, + { + "type": "Microsoft.Compute/virtualMachineScaleSets", + "apiVersion": "2021-07-01", + "name": "[parameters('vmName')]", + "location": "[variables('location')]", + "identity": "[if(equals(variables('customMetrics'), 'yes'), variables('identity'), json('null'))]", + "zones": "[if(and(contains(variables('availabilityZonesLocations'), variables('location')), greater(parameters('availabilityZonesNum'), 0)), variables('availabilityZonesProperty'), json('null'))]", + "tags": "[union(variables('vmssTags'),if(contains(parameters('tagsByResource'), 'Microsoft.Compute/virtualMachineScaleSets'), parameters('tagsByResource')['Microsoft.Compute/virtualMachineScaleSets'], json('{}')))]", + "dependsOn": [ + "[variables('vnetID')]", + "[variables('loadBalancerSetupId')]", + "[variables('storageAccountId')]", + "[variables('customImageId')]" + ], + "sku": { + "name": "[parameters('vmSize')]", + "tier": "Standard", + "capacity": "[parameters('instanceCount')]" + }, + "plan": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), 
variables('plan'), json('null'))]", + "properties": { + "upgradePolicy": { + "mode": "Manual" + }, + "virtualMachineProfile": { + "UserData": "[base64(concat(variables('customData'), '\n', 'vnet=\"', if(equals(parameters('vnetNewOrExisting'), 'new'), reference('networkNewSetup').outputs.vnetAddressPrefixes.value[0], reference('networkExistingSetup').outputs.vnetAddressPrefixes.value[0]), '\"', '\n' ))]", + "storageProfile": { + "osDisk": { + "caching": "ReadWrite", + "createOption": "FromImage", + "diskSizeGB": "[variables('diskSizeGB')]", + "managedDisk": { + "storageAccountType": "[parameters('diskType')]" + } + }, + "imageReference": "[variables('imageReference')]" + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "[concat('not','used')]", + "computerNamePrefix": "[toLower(parameters('vmName'))]", + "customData": "[base64(concat(variables('customData'), '\n', 'vnet=\"', if(equals(parameters('vnetNewOrExisting'), 'new'), reference('networkNewSetup').outputs.vnetAddressPrefixes.value[0], reference('networkExistingSetup').outputs.vnetAddressPrefixes.value[0]), '\"', '\n' ))]", + "linuxConfiguration": "[variables('linuxConfiguration')]" + }, + "networkProfile": { + "networkInterfaceConfigurations": [ + { + "name": "eth0", + "properties": { + "primary": true, + "enableIPForwarding": true, + "enableAcceleratedNetworking": true, + "networkSecurityGroup":"[if(parameters('deployNewNSG') , variables('NewNsgReference') , parameters('ExistingNSG'))]", + "ipConfigurations": [ + { + "name": "ipconfig1", + "properties": { + "publicIpAddressConfiguration": "[if(equals(parameters('instanceLevelPublicIP'),'yes'), variables('useIpPrefix'), json('null'))]", + "subnet": { + "id": "[resourceId(variables('vnetRGName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('Subnet1Name'))]" + }, + "loadBalancerBackendAddressPools": "[if(empty(reference('loadBalancerSetup').outputs.elbId.value), json('null'), 
reference('loadBalancerSetup').outputs.elbBEAddressPoolProperties.value)]" + } + } + ] + } + }, + { + "name": "eth1", + "properties": { + "primary": false, + "enableIPForwarding": true, + "enableAcceleratedNetworking": true, + "ipConfigurations": [ + { + "name": "ipconfig2", + "properties": { + "subnet": { + "id": "[resourceId(variables('vnetRGName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('Subnet2Name'))]" + }, + "loadBalancerBackendAddressPools": "[if(empty(reference('loadBalancerSetup').outputs.ilbId.value), json('null'), reference('loadBalancerSetup').outputs.ilbBEAddressPoolProperties.value)]" + } + } + ] + } + } + ] + }, + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": "true", + "storageUri": "[reference(variables('storageAccountId'), '2021-04-01').primaryEndpoints.blob]" + } + } + }, + "overprovision": false + } + }, + { + "type": "Microsoft.Insights/autoscaleSettings", + "apiVersion": "2015-04-01", + "name": "[parameters('vmName')]", + "location": "[variables('location')]", + "dependsOn": [ + "[variables('vmssID')]" + ], + "properties": { + "name": "[parameters('vmName')]", + "targetResourceUri": "[variables('vmssID')]", + "notifications": [ + { + "operation": "Scale", + "email": { + "sendToSubscriptionAdministrator": false, + "sendToSubscriptionCoAdministrators": false, + "customEmails": "[if(empty(parameters('adminEmail')), json('null'), array(parameters('adminEmail')))]" + } + } + ], + "enabled": true, + "profiles": [ + { + "name": "Profile1", + "capacity": { + "minimum": "[parameters('instanceCount')]", + "maximum": "[parameters('maxInstanceCount')]", + "default": "[parameters('instanceCount')]" + }, + "rules": [ + { + "metricTrigger": { + "metricName": "Percentage CPU", + "metricResourceUri": "[variables('vmssID')]", + "timeGrain": "PT1M", + "statistic": "Average", + "timeWindow": "PT5M", + "timeAggregation": "Average", + "operator": "GreaterThan", + "threshold": 80 + }, + "scaleAction": { 
+ "direction": "Increase", + "type": "ChangeCount", + "value": "1", + "cooldown": "PT5M" + } + }, + { + "metricTrigger": { + "metricName": "Percentage CPU", + "metricResourceUri": "[variables('vmssID')]", + "timeGrain": "PT1M", + "statistic": "Average", + "timeWindow": "PT5M", + "timeAggregation": "Average", + "operator": "LessThan", + "threshold": 60 + }, + "scaleAction": { + "direction": "Decrease", + "type": "ChangeCount", + "value": "1", + "cooldown": "PT5M" + } + } + ] + } + ] + }, + "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Insights/autoscaleSettings'), parameters('tagsByResource')['Microsoft.Insights/autoscaleSettings'], json('{}')) ]" + } + ], + "outputs": { + "ApplicationAddress": { + "type": "string", + "value": "[reference('loadBalancerSetup').outputs.ApplicationAddress.value]" + }, + "ApplicationFQDN": { + "type": "string", + "value": "[reference('loadBalancerSetup').outputs.ApplicationFQDN.value]" + } + } +} \ No newline at end of file diff --git a/deprecated/azure/templates/README.MD b/deprecated/azure/templates/README.MD new file mode 100644 index 00000000..54bccf0a --- /dev/null +++ b/deprecated/azure/templates/README.MD @@ -0,0 +1,5 @@ +# Deprecated Azure Resource Manager templates +This directory contains deprecated CloudGuard IaaS solution templates. + +# How to deploy the templates +To deploy the ARM templates follow the instructions in the README.MD file in each directory. diff --git a/deprecated/azure/templates/stack-R8030/stack-ha/createUiDefinition.json b/deprecated/azure/templates/stack-R8030/stack-ha/createUiDefinition.json new file mode 100644 index 00000000..5f68c32c --- /dev/null +++ b/deprecated/azure/templates/stack-R8030/stack-ha/createUiDefinition.json 
@@ -0,0 +1,438 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Compute.MultiVm",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "basics": [
+ {
+ "name": "clusterObjectNameUi",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Cluster Object Name",
+ "toolTip": "The name of the Check Point CloudGuard Cluster object.",
+ "constraints": {
+ "required": true,
+ "regex": "^[a-z0-9A-Z]{1,30}$",
+ "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long."
+ }
+ },
+ {
+ "name": "auth",
+ "type": "Microsoft.Compute.CredentialsCombo",
+ "label": {
+ "authenticationType": "Authentication type",
+ "password": "Password",
+ "confirmPassword": "Confirm password",
+ "sshPublicKey": "SSH public key"
+ },
+ "toolTip": {
+ "authenticationType": "",
+ "password": "The user 'admin' password",
+ "sshPublicKey": "Paste an OpenSSH public key. You can generate a key pair using ssh-keygen (Linux, OS X, Cygwin) or PuttyGen (Windows)"
+ },
+ "constraints": {
+ "required": true
+ },
+ "options": {
+ "hideConfirmation": false,
+ "hidePassword": false
+ },
+ "osPlatform": "Linux"
+ }
+ ],
+ "steps": [
+ {
+ "name": "chkp",
+ "label": "Check Point CloudGuard Cluster Object settings",
+ "subLabel": {
+ "preValidation": "Configure CloudGuard Cluster Object settings",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "CloudGuard cluster Object settings",
+ "elements": [
+ {
+ "name": "cloudGuardVersion",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Check Point CloudGuard version",
+ "defaultValue": "R80.30",
+ "toolTip": "The version of Check Point CloudGuard.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "R80.30",
+ "value": "R80.30"
+ }
+ ]
+ }
+ },
+ {
+ "name": "R8030Offer",
+ "type": "Microsoft.Common.DropDown",
+ "label": "License type",
+ "toolTip": "The type of license.",
+ "defaultValue": "Bring Your Own License",
+ "visible": 
"[equals(steps('chkp').cloudGuardVersion, 'R80.30')]", + "constraints": { + "allowedValues": [ + { + "label": "Bring Your Own License", + "value": "Bring Your Own License" + } + ] + } + }, + { + "name": "R8030vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.30'), contains(steps('chkp').R8030Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-stack-r8030", + "sku": "sg-byol" + }, + "count": 2 + }, + { + "name": "R8030vmSizeUiNGTP", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.30'), contains(steps('chkp').R8030Offer, '(NGTP)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_D2_v2", + 
"Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-stack-r8030", + "sku": "sg-ngtp" + }, + "count": 2 + }, + { + "name": "R8030vmSizeUiNGTX", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.30'), contains(steps('chkp').R8030Offer, '(NGTX)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-stack-r8030", + "sku": "sg-ngtx" + }, + "count": 2 + }, + { + "name": "sicKeyUi", + "type": "Microsoft.Common.PasswordBox", + "label": { + "password": "SIC key", + "confirmPassword": "Confirm SIC key" + }, + "toolTip": "Set the Secure Internal Communication one time secret used to set up trust between the cluster object and the management server.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{8,30}$", + "validationMessage": "Only 
alphanumeric characters are allowed, and the value must be 8-30 characters long." + }, + "options": { + "hideConfirmation": true + }, + "visible": "true" + }, + { + "name": "bootstrapScript", + "type": "Microsoft.Common.FileUpload", + "label": "Bootstrap script", + "toolTip": "An optional script to run on the initial boot", + "constraints": { + "required": false, + "accept": ".sh,text/plain" + }, + "options": { + "multiple": false, + "uploadMode": "file", + "openMode": "text", + "encoding": "UTF-8" + } + }, + { + "name": "allowUploadDownload", + "type": "Microsoft.Common.OptionsGroup", + "label": "Allow download from/upload to Check Point", + "defaultValue": "Yes", + "toolTip": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "true" + }, + { + "label": "No", + "value": "false" + } + ] + } + }, + { + "name": "additionalDiskSizeGB", + "type": "Microsoft.Common.TextBox", + "label": "Additional disk space (GB)", + "defaultValue": "0", + "toolTip": "Additional disk space (in GB), Initial disk size is 100 GB.", + "constraints": { + "regex": "^([0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-2][0-9][0-9][0-9]|3[0-8][0-9][0-9]|399[0-5])$", + "validationMessage": "Select a number between 0 and 3995" + } + }, + { + "name": "VMDiskType", + "type": "Microsoft.Common.OptionsGroup", + "label": "VM disk type", + "toolTip": "Type of CloudGuard disk.", + "visible": "[or(contains(steps('chkp').R8030vmSizeUiBYOL, 'DS'), contains(steps('chkp').R8030vmSizeUiNGTP, 'DS'), contains(steps('chkp').R8030vmSizeUiNGTX, 'DS'))]", + "defaultValue": "Standard", + "constraints": { + "allowedValues": [ + { + "label": "Standard", + "value": "Standard_LRS" + }, + { + "label": "Premium", + "value": "Premium_LRS" + } + ] + } + }, + { + "name": "useCustomImageUri", + "type": "Microsoft.Common.OptionsGroup", + "label": "Use development image uri", + "defaultValue": 
"No", + "toolTip": "", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ], + "required": true + }, + "visible": false + }, + { + "name": "sourceImageVhdUri", + "type": "Microsoft.Common.TextBox", + "label": "Development Image URI", + "toolTip": "The URI of the blob containing the development image", + "constraints": { + "required": "[equals(steps('chkp').useCustomImageUri, 'Yes')]", + "regex": "^[a-z0-9A-Z_\\-\\.\\:\\/]{1,500}.vhd$", + "validationMessage": "Only alphanumeric characters and '_','-','.',':','/' are allowed, the value must be 1-500 characters long and must end with .vhd. " + }, + "visible": "[equals(steps('chkp').useCustomImageUri, 'Yes')]" + } + ] + }, + { + "name": "network", + "label": "Network settings", + "subLabel": { + "preValidation": "Configure network settings", + "postValidation": "Done" + }, + "bladeTitle": "Network settings", + "elements": [ + { + "name": "virtualNetwork", + "type": "Microsoft.Network.VirtualNetworkCombo", + "label": { + "virtualNetwork": "Virtual network", + "subnets": "Subnets" + }, + "toolTip": { + "virtualNetwork": "Virtual Network Name", + "subnets": "List of subnets to deploy into" + }, + "defaultValue": { + "name": "vnet01", + "addressPrefixSize": "/16" + }, + "constraints": { + "minAddressPrefixSize": "/28" + }, + "options": { + "hideExisting": false + }, + "subnets": { + "subnet1": { + "label": "Frontend subnet", + "defaultValue": { + "name": "Frontend", + "addressPrefixSize": "/24" + }, + "constraints": { + "minAddressPrefixSize": "/29", + "minAddressCount": 2, + "requireContiguousAddresses": true + } + }, + "subnet2": { + "label": "Backend subnet", + "defaultValue": { + "name": "Backend", + "addressPrefixSize": "/24" + }, + "constraints": { + "minAddressPrefixSize": "/29", + "minAddressCount": 2, + "requireContiguousAddresses": true + } + } + } + } + ] + } + ], + "outputs": { + "location": "[location()]", + "cloudGuardVersion": 
"[concat(steps('chkp').cloudGuardVersion, ' - ', coalesce(steps('chkp').R8030Offer, 'Bring Your Own License'))]", + "adminPassword": "[basics('auth').password]", + "authenticationType": "[basics('auth').authenticationType]", + "sshPublicKey": "[basics('auth').sshPublicKey]", + "vmName": "[basics('clusterObjectNameUi')]", + "vmSize": "[coalesce(steps('chkp').R8030vmSizeUiBYOL, steps('chkp').R8030vmSizeUiNGTP, steps('chkp').R8030vmSizeUiNGTX)]", + "sicKey": "[steps('chkp').sicKeyUi]", + "virtualNetworkName": "[steps('network').virtualNetwork.name]", + "virtualNetworkAddressPrefixes": "[steps('network').virtualNetwork.addressPrefixes]", + "subnet1Name": "[steps('network').virtualNetwork.subnets.subnet1.name]", + "subnet1Prefix": "[steps('network').virtualNetwork.subnets.subnet1.addressPrefix]", + "subnet1StartAddress": "[steps('network').virtualNetwork.subnets.subnet1.startAddress]", + "subnet2Name": "[steps('network').virtualNetwork.subnets.subnet2.name]", + "subnet2Prefix": "[steps('network').virtualNetwork.subnets.subnet2.addressPrefix]", + "subnet2StartAddress": "[steps('network').virtualNetwork.subnets.subnet2.startAddress]", + "vnetNewOrExisting": "[steps('network').virtualNetwork.newOrExisting]", + "virtualNetworkExistingRGName": "[steps('network').virtualNetwork.resourceGroup]", + "bootstrapScript": "[steps('chkp').bootstrapScript]", + "allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp').allowUploadDownload, 'true')]", + "additionalDiskSizeGB": "[int(steps('chkp').additionalDiskSizeGB)]", + "diskType": "[coalesce(steps('chkp').VMDiskType, 'Standard_LRS')]", + "sourceImageVhdUri": "[coalesce(steps('chkp').sourceImageVhdUri, 'noCustomUri')]" + } + } +} diff --git a/deprecated/azure/templates/stack-R8030/stack-ha/mainTemplate.json b/deprecated/azure/templates/stack-R8030/stack-ha/mainTemplate.json new file mode 100644 index 00000000..7e65c2fa --- /dev/null +++ b/deprecated/azure/templates/stack-R8030/stack-ha/mainTemplate.json 
@@ -0,0 +1,703 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string", + "metadata": { + "description": "Deployment location" + }, + "defaultValue": "[resourceGroup().location]" + }, + "cloudGuardVersion": { + "type": "string", + "allowedValues": [ + "R80.30 - Bring Your Own License", + "R80.30 - Pay As You Go (NGTP)", + "R80.30 - Pay As You Go (NGTX)" + ], + "defaultValue": "R80.30 - Bring Your Own License", + "metadata": { + "description": "Version of Check Point CloudGuard" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Administrator password" + }, + "defaultValue": "" + }, + "authenticationType": { + "type": "string", + "allowedValues": [ + "password", + "sshPublicKey" + ], + "defaultValue": "password", + "metadata": { + "description": "Authentication type" + } + }, + "sshPublicKey": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Administrator SSH public key" + } + }, + "vmName": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "Name of the Check Point Cluster object" + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_D3_v2", + "metadata": { + "description": "Size of the VM" + } + }, + "sicKey": { + "type": "securestring", + "metadata": { + "description": "One time key for Secure Internal Communication" + } + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "[concat(resourceGroup().name, '-vnet')]" + }, + "virtualNetworkAddressPrefixes": { + "type": "array", + "metadata": { + "description": "The address prefixes of the virtual network" + }, + "defaultValue": [ + "10.0.0.0/16" + ] + }, + "subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the frontend subnet" + }, + 
"defaultValue": "Frontend" + }, + "subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the frontend subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "subnet1StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the frontend subnet" + }, + "defaultValue": "10.0.1.10" + }, + "subnet2Name": { + "type": "string", + "metadata": { + "description": "The name of the backend subnet" + }, + "defaultValue": "Backend" + }, + "subnet2Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the backend subnet" + }, + "defaultValue": "10.0.2.0/24" + }, + "subnet2StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the 2nd subnet" + }, + "defaultValue": "10.0.2.10" + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "new", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "" + }, + "_artifactsLocation": { + "type": "string", + "metadata": { + "description": "The base URI where artifacts required by this template are located including a trailing '/'" + }, + "defaultValue": "[deployment().properties.templateLink.uri]" + }, + "_artifactsLocationSasToken": { + "type": "securestring", + "metadata": { + "description": "The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. Use the defaultValue if the staging location is not secured." 
+ }, + "defaultValue": "" + }, + "bootstrapScript": { + "type": "string", + "metadata": { + "description": "Bootstrap script" + }, + "defaultValue": "" + }, + "allowDownloadFromUploadToCheckPoint": { + "type": "string", + "allowedValues": [ + "true", + "false" + ], + "defaultValue": "true", + "metadata": { + "description": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + } + }, + "additionalDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "metadata": { + "description": "Amount of additional disk space (in GB)" + }, + "minValue": 0, + "maxValue": 3995 + }, + "diskType": { + "type": "string", + "defaultValue": "Standard_LRS", + "metadata": { + "description": "The type of the OS disk. Premium is applicable only to DS machine sizes" + }, + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ] + }, + "preview": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Deploy the staged image" + }, + "allowedValues": [ + "", + "-preview" + ] + }, + "sourceImageVhdUri": { + "type": "string", + "defaultValue": "noCustomUri", + "metadata": { + "description": "The URI of the blob containing the development image" + } + }, + "Check_PointTags": { + "type": "object", + "defaultValue": { + "provider": "30DE18BC-F9F6-4F22-9D30-54B8E74CFD5F" + } + } + }, + "variables": { + "installationType": "cluster-stack", + "templateName": "stack-ha", + "templateVersion": "20190626", + "location": "[parameters('location')]", + "offers": { + "R80.30 - Bring Your Own License": "BYOL", + "R80.30 - Pay As You Go (NGTP)": "NGTP", + "R80.30 - Pay As You Go (NGTX)": "NGTX" + }, + "offer": "[variables('offers')[parameters('cloudGuardVersion')]]", + "osVersions": { + "R80.30 - Bring Your Own License": "R8030", + "R80.30 - Pay As You Go (NGTP)": "R8030", + "R80.30 - Pay As You Go (NGTX)": "R8030" + }, + "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", + "isBlink": true, + 
"computeApiVersion": "2017-03-30", + "storageApiVersion": "2016-01-01", + "networkApiVersion": "2017-10-01", + "deploymentsApiVersion": "2016-02-01", + "storageAccountName": "[concat('bootdiag', uniqueString(resourceGroup().id, deployment().name))]", + "storageAccountType": "Standard_LRS", + "diskSizeGBR8030": 100, + "diskSizeGB": "[add(parameters('additionalDiskSizeGB'), variables(concat('diskSizeGB', variables('osVersion'))))]", + "customData": "[concat('#!/usr/bin/python /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'managementGUIClientNetwork=\"', variables('managementGUIClientNetwork'), '\"', '\n', 'resourceGroup=\"', resourceGroup().name, '\"', '\n', 'subscriptionId=\"', subscription().subscriptionId, '\"', '\n', 'subnet1Prefix=\"', first(split(parameters('subnet1Prefix'), '/')), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'tenantId=\"', subscription().tenantId, '\"', '\n', 'virtualNetwork=\"', parameters('virtualNetworkName'), '\"', '\n', 'clusterName=\"', parameters('vmName'), '\"', '\n')]", + "imageOfferR8030": "check-point-cg-stack-r8030", + "imageOffer": "[concat(variables(concat('imageOffer', variables('osVersion'))), parameters('preview'))]", + "imagePublisher": "checkpoint", + "imageReferenceBYOL": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-byol", + "version": "latest" + }, + "imageReferenceNGTP": { + "offer": "[variables('imageOffer')]", + "publisher": 
"[variables('imagePublisher')]", + "sku": "sg-ngtp", + "version": "latest" + }, + "imageReferenceNGTX": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtx", + "version": "latest" + }, + "imageReferenceMarketplace": "[variables(concat('imageReference', variables('offer')))]", + "customImage": "customImage", + "imageReferenceCustomUri": { + "id": "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + }, + "imageReference": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('imageReferenceMarketplace'), variables('imageReferenceCustomUri'))]", + "nic1Name": "eth0", + "nic2Name": "eth1", + "linuxConfigurationpassword": {}, + "linuxConfigurationsshPublicKey": { + "disablePasswordAuthentication": "true", + "ssh": { + "publicKeys": [ + { + "keyData": "[parameters('sshPublicKey')]", + "path": "/home/notused/.ssh/authorized_keys" + } + ] + } + }, + "linuxConfiguration": "[variables(concat('linuxConfiguration', parameters('authenticationType')))]", + "planBYOL": { + "name": "sg-byol", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP": { + "name": "sg-ngtp", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTX": { + "name": "sg-ngtx", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "plan": "[variables(concat('plan', variables('offer')))]", + "publicIPAddressName": "[parameters('vmName')]", + "publicIPAddressId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName'))]", + "bootstrapScript64": "[base64(parameters('bootstrapScript'))]", + "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]", + "networkSetupURL": "[uri(parameters('_artifactsLocation'), concat('nestedtemplates/vnet-', parameters('vnetNewOrExisting'), '-stack-ha', '.json', 
parameters('_artifactsLocationSasToken')))]", + "sicKey": "[parameters('sicKey')]", + "managementGUIClientNetwork": "", + "externalPrivateAddresses": [ + "[parameters('Subnet1StartAddress')]", + "[concat(split(parameters('subnet1StartAddress'), '.')[0],'.', split(parameters('subnet1StartAddress'), '.')[1],'.', split(parameters('subnet1StartAddress'), '.')[2],'.', string(add(int(split(parameters('subnet1StartAddress'), '.')[3]),1)))]" + ], + "Subnet2PrivateAddresses": [ + "[parameters('subnet2StartAddress')]", + "[concat(split(parameters('subnet2StartAddress'), '.')[0],'.', split(parameters('subnet2StartAddress'), '.')[1],'.', split(parameters('subnet2StartAddress'), '.')[2],'.', string(add(int(split(parameters('subnet2StartAddress'), '.')[3]),1)))]" + ], + "publicIPAddressName1": "[concat(parameters('vmName'), 1)]", + "publicIPAddressId1": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName1'))]", + "publicIPAddressName2": "[concat(parameters('vmName'), 2)]", + "publicIPAddressId2": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName2'))]", + "availabilitySetName": "[concat(parameters('vmName'), '-AvailabilitySet')]", + "count": 2, + "frontEndIPConfMember1Id": "[concat(variables('lbId'), '/frontendIPConfigurations/LoadBalancerFrontEnd1')]", + "frontEndIPConfMember2Id": "[concat(variables('lbId'), '/frontendIPConfigurations/LoadBalancerFrontEnd2')]", + "member1IPConfigId": "[concat(variables('lbId'), '/frontendIPConfigurations/LoadBalancerFrontEnd1')]", + "member2IPConfigId": "[concat(variables('lbId'), '/frontendIPConfigurations/LoadBalancerFrontEnd2')]", + "elbBEAddressPool": "[concat(variables('lbName'), '-pool')]", + "elbBEAddressPoolID": "[concat(variables('lbId'),'/backendAddressPools/',variables('elbBEAddressPool'))]", + "appProbeName": "health_prob_port", + "elbPublicIPName": "frontend-lb-address", + "elbPublicIPId": "[resourceId('Microsoft.Network/publicIPAddresses', 
variables('elbPublicIPName'))]", + "lbId": "[resourceId('Microsoft.Network/loadBalancers', variables('lbName'))]", + "lbName": "frontend-lb" + }, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('storageAccountName')]", + "apiVersion": "[variables('storageApiVersion')]", + "location": "[variables('location')]", + "sku": { + "name": "[variables('storageAccountType')]" + }, + "kind": "Storage", + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "name": "networkSetup", + "type": "Microsoft.Resources/deployments", + "apiVersion": "[variables('deploymentsApiVersion')]", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + "value": "[variables('location')]" + }, + "apiVersion": { + "value": "[variables('networkApiVersion')]" + }, + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + "virtualNetworkAddressPrefixes": { + "value": "[parameters('virtualNetworkAddressPrefixes')]" + }, + "subnet1Name": { + "value": "[parameters('subnet1Name')]" + }, + "subnet1Prefix": { + "value": "[parameters('subnet1Prefix')]" + }, + "subnet1StartAddress": { + "value": "[parameters('subnet1StartAddress')]" + }, + "subnet2Name": { + "value": "[parameters('subnet2Name')]" + }, + "subnet2Prefix": { + "value": "[parameters('subnet2Prefix')]" + }, + "subnet2StartAddress": { + "value": "[parameters('subnet2StartAddress')]" + }, + "vnetNewOrExisting": { + "value": "[parameters('vnetNewOrExisting')]" + }, + "virtualNetworkExistingRGName": { + "value": "[parameters('virtualNetworkExistingRGName')]" + } + } + } + }, + { + "type": "Microsoft.Compute/availabilitySets", + "apiVersion": "[variables('computeApiVersion')]", + "location": "[variables('location')]", + "name": "[concat(variables('availabilitySetName'))]", + "properties": { + "platformFaultDomainCount": 2 + }, + 
"sku": { + "name": "Aligned" + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "[variables('networkApiVersion')]", + "location": "[variables('location')]", + "name": "[variables('elbPublicIPName')]", + "properties": { + "idleTimeoutInMinutes": 30, + "publicIPAllocationMethod": "Static", + "dnsSettings": { + "domainNameLabel": "[concat(toLower(parameters('vmName')), '-', uniquestring(resourceGroup().id, deployment().name))]" + } + } + }, + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "[variables('networkApiVersion')]", + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), copyIndex(1))]", + "copy": { + "name": "publicAddressCopy", + "count": "[variables('count')]" + }, + "properties": { + "idleTimeoutInMinutes": 30, + "publicIPAllocationMethod": "Static", + "dnsSettings": { + "domainNameLabel": "[concat(toLower(parameters('vmName')), '-', copyIndex(1), '-', uniquestring(resourceGroup().id, deployment().name))]" + } + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "[variables('networkApiVersion')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 'networkSetup')]", + "[variables('lbId')]", + "[variables('publicIPAddressId1')]" + ], + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), '1-', variables('nic1Name'))]", + "properties": { + "enableIPForwarding": true, + "ipConfigurations": [ + { + "name": "ipconfig1", + "properties": { + "privateIPAddress": "[variables('externalPrivateAddresses')[0]]", + "privateIPAllocationMethod": "Static", + "PublicIpAddress": { + "Id": "[variables(concat('publicIPAddressId', 1))]" + }, + "subnet": { + "id": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('Subnet1Name'))]" + }, + 
"loadBalancerBackendAddressPools": [ + { + "id": "[variables('elbBEAddressPoolID')]" + } + ] + } + } + ] + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "[variables('networkApiVersion')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 'networkSetup')]", + "[variables('lbId')]", + "[variables('publicIPAddressId2')]" + ], + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), '2-', variables('nic1Name'))]", + "properties": { + "enableIPForwarding": true, + "ipConfigurations": [ + { + "name": "ipconfig2", + "properties": { + "privateIPAddress": "[variables('externalPrivateAddresses')[1]]", + "privateIPAllocationMethod": "Static", + "PublicIpAddress": { + "Id": "[variables(concat('publicIPAddressId', 2))]" + }, + "subnet": { + "id": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('Subnet1Name'))]" + }, + "loadBalancerBackendAddressPools": [ + { + "id": "[variables('elbBEAddressPoolID')]" + } + ] + } + } + ] + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "[variables('networkApiVersion')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 'networkSetup')]" + ], + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), copyIndex(1), '-', variables('nic2Name'))]", + "copy": { + "name": "interface2Copy", + "count": "[variables('count')]" + }, + "properties": { + "enableIPForwarding": true, + "ipConfigurations": [ + { + "name": "ipconfig2", + "properties": { + "privateIPAddress": "[variables('Subnet2PrivateAddresses')[copyIndex(0)]]", + "privateIPAllocationMethod": "Static", + "subnet": { + "id": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('Subnet2Name'))]" + } + } + } + ] + }, + "tags": { + 
"provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "condition": "[not(equals(parameters('sourceImageVhdUri'), 'noCustomUri'))]", + "type": "Microsoft.Compute/images", + "apiVersion": "2017-12-01", + "name": "[variables('customImage')]", + "location": "[variables('location')]", + "properties": { + "storageProfile": { + "osDisk": { + "osType": "Linux", + "osState": "Generalized", + "blobUri": "[parameters('sourceImageVhdUri')]", + "storageAccountType": "Standard_LRS" + } + } + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "[variables('computeApiVersion')]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]", + "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), copyIndex(1), '-', variables('nic1Name')))]", + "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), copyIndex(1), '-', variables('nic2Name')))]", + "[resourceId('Microsoft.Compute/availabilitySets', variables('availabilitySetName'))]", + "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + ], + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), copyIndex(1))]", + "copy": { + "name": "virtualMachineCopy", + "count": "[variables('count')]" + }, + "plan": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('plan'), json('null'))]", + "properties": { + "availabilitySet": { + "id": "[resourceId('Microsoft.Compute/availabilitySets', variables('availabilitySetName'))]" + }, + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": "true", + "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), variables('storageApiVersion')).primaryEndpoints.blob]" + } + }, + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "networkProfile": { + 
"networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), copyIndex(1), '-', variables('nic1Name')))]", + "properties": { + "primary": true + } + }, + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), copyIndex(1), '-', variables('nic2Name')))]", + "properties": { + "primary": false + } + } + ] + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "notused", + "computerName": "[concat(toLower(parameters('vmName')), copyIndex(1))]", + "customData": "[base64(variables('customData'))]", + "linuxConfiguration": "[variables('linuxConfiguration')]" + }, + "storageProfile": { + "imageReference": "[variables('imageReference')]", + "osDisk": { + "caching": "ReadWrite", + "createOption": "FromImage", + "diskSizeGB": "[variables('diskSizeGB')]", + "name": "[concat(parameters('vmName'), copyIndex(1))]", + "managedDisk": { + "storageAccountType": "[parameters('diskType')]" + } + } + } + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Network/loadBalancers", + "apiVersion": "[variables('networkApiVersion')]", + "dependsOn": [ + "[variables('elbPublicIPId')]" + ], + "name": "[variables('lbName')]", + "location": "[variables('location')]", + "properties": { + "frontendIPConfigurations": [ + { + "name": "LoadBalancerFrontend", + "properties": { + "publicIPAddress": { + "id": "[variables('elbPublicIPId')]" + } + } + } + ], + "backendAddressPools": [ + { + "name": "[variables('elbBEAddressPool')]" + } + ], + "probes": [ + { + "name": "[variables('appProbeName')]", + "properties": { + "protocol": "tcp", + "port": 8081, + "intervalInSeconds": 5, + "numberOfProbes": 2 + } + } + ] + } + } + ], + "outputs": { + "Member1IPAddr": { + "type": "string", + "value": "[reference(variables('publicIPAddressId1')).IpAddress]" + }, + "Member1FQDN": { + "type": "string", + "value": 
"[reference(variables('publicIPAddressId1')).dnsSettings.fqdn]" + }, + "Member2IPAddr": { + "type": "string", + "value": "[reference(variables('publicIPAddressId2')).IpAddress]" + }, + "Member2FQDN": { + "type": "string", + "value": "[reference(variables('publicIPAddressId2')).dnsSettings.fqdn]" + } + } +} diff --git a/deprecated/azure/templates/stack-R8030/stack-mgmt/createUiDefinition.json b/deprecated/azure/templates/stack-R8030/stack-mgmt/createUiDefinition.json new file mode 100644 index 00000000..ec280647 --- /dev/null +++ b/deprecated/azure/templates/stack-R8030/stack-mgmt/createUiDefinition.json 
@@ -0,0 +1,371 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Compute.MultiVm", + "version": "0.1.2-preview", + "parameters": { + "basics": [ + { + "name": "gatewayNameUi", + "type": "Microsoft.Common.TextBox", + "label": "Server Name", + "toolTip": "The name of the Check Point CloudGuard Security Management Server.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{1,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + } + }, + { + "name": "auth", + "type": "Microsoft.Compute.CredentialsCombo", + "label": { + "authenticationType": "Authentication type", + "password": "Password", + "confirmPassword": "Confirm password", + "sshPublicKey": "SSH public key" + }, + "toolTip": { + "authenticationType": "", + "password": "The user 'admin' password", + "sshPublicKey": "Paste an OpenSSH public key. You can generate a key pair using ssh-keygen (Linux, OS X, Cygwin) or PuttyGen (Windows)" + }, + "constraints": { + "required": true + }, + "options": { + "hideConfirmation": false, + "hidePassword": false + }, + "osPlatform": "Linux" + } + ], + "steps": [ + { + "name": "chkp", + "label": "Check Point CloudGuard Security Management Server settings", + "subLabel": { + "preValidation": "Configure CloudGuard Security Management Server settings", + "postValidation": "Done" + }, + "bladeTitle": "CloudGuard Security Management settings", + "elements": [ + { + "name": "cloudGuardVersion", + "type": "Microsoft.Common.DropDown", + "label": "Check Point CloudGuard version", + "defaultValue": "R80.30", + "toolTip": "The version of Check Point CloudGuard.", + "constraints": { + "allowedValues": [ + { + "label": "R80.30", + "value": "R80.30" + } + ] + } + }, + { + "name": "R80Offer", + "type": "Microsoft.Common.DropDown", + "label": "License type", + "toolTip": "The type of license.", + "defaultValue": "Bring Your Own 
License", + "visible": "[equals(substring(steps('chkp').cloudGuardVersion,0,3), 'R80')]", + "constraints": { + "allowedValues": [ + { + "label": "Bring Your Own License", + "value": "Bring Your Own License" + }, + { + "label": "Pay As You Go (MGMT25)", + "value": "Pay As You Go (MGMT25)" + } + ] + } + }, + { + "name": "R8030vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.30'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Management", + "recommendedSizes": [ + "Standard_D3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-stack-r8030", + "sku": "mgmt-byol" + }, + "count": 1 + }, + { + "name": "R8030vmSizeUiMGMT25", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.30'), contains(steps('chkp').R80Offer, '(MGMT25)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Management", + "recommendedSizes": [ + "Standard_D3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_F4s_v2", + 
"Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-stack-r8030", + "sku": "mgmt-25" + }, + "count": 1 + }, + { + "name": "managementGUIClientNetwork", + "type": "Microsoft.Common.TextBox", + "label": "Allowed GUI clients", + "toolTip": "GUI clients network CIDR", + "defaultValue": "0.0.0.0/0", + "constraints": { + "required": true, + "regex": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", + "validationMessage": "Enter a valid IPv4 network CIDR" + } + }, + { + "name": "bootstrapScript", + "type": "Microsoft.Common.FileUpload", + "label": "Bootstrap script", + "toolTip": "An optional script to run on the initial boot", + "constraints": { + "required": false, + "accept": ".sh,text/plain" + }, + "options": { + "multiple": false, + "uploadMode": "file", + "openMode": "text", + "encoding": "UTF-8" + } + }, + { + "name": "allowUploadDownload", + "type": "Microsoft.Common.OptionsGroup", + "label": "Allow download from/upload to Check Point", + "defaultValue": "Yes", + "toolTip": "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "true" + }, + { + "label": "No", + "value": "false" + } + ] + } + }, + { + "name": "additionalDiskSizeGB", + "type": "Microsoft.Common.TextBox", + "label": "Additional disk space (GB)", + "defaultValue": "0", + "toolTip": "Additional disk space (in GB), Initial disk size is 100 GB.", + "constraints": { + "regex": "^([0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-2][0-9][0-9][0-9]|3[0-8][0-9][0-9]|399[0-5])$", + "validationMessage": "Select a number between 0 and 3995" + } + }, + { + "name": "VMDiskType", + "type": "Microsoft.Common.OptionsGroup", + "label": "VM disk type", + "toolTip": "Type of CloudGuard disk.", + "visible": "[or(contains(steps('chkp').R8030vmSizeUiBYOL, 'DS'), contains(steps('chkp').R8030vmSizeUiMGMT25, 'DS'))]", + "defaultValue": "Standard", + "constraints": { + "allowedValues": [ + { + "label": "Standard", + "value": "Standard_LRS" + }, + { + "label": "Premium", + "value": "Premium_LRS" + } + ] + } + }, + { + "name": "useCustomImageUri", + "type": "Microsoft.Common.OptionsGroup", + "label": "Use development image uri", + "defaultValue": "No", + "toolTip": "", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ], + "required": true + }, + "visible": false + }, + { + "name": "sourceImageVhdUri", + "type": "Microsoft.Common.TextBox", + "label": "Development Image URI", + "toolTip": "The URI of the blob containing the development image", + "constraints": { + "required": "[equals(steps('chkp').useCustomImageUri, 'Yes')]", + "regex": "^[a-z0-9A-Z_\\-\\.\\:\\/]{1,500}.vhd$", + "validationMessage": "Only alphanumeric characters and '_','-','.',':','/' are allowed, the value must be 1-500 characters long and must end with .vhd. 
" + }, + "visible": "[equals(steps('chkp').useCustomImageUri, 'Yes')]" + } + ] + }, + { + "name": "network", + "label": "Network settings", + "subLabel": { + "preValidation": "Configure network settings", + "postValidation": "Done" + }, + "bladeTitle": "Network settings", + "elements": [ + { + "name": "virtualNetwork", + "type": "Microsoft.Network.VirtualNetworkCombo", + "label": { + "virtualNetwork": "Virtual network", + "subnets": "Subnet" + }, + "toolTip": { + "virtualNetwork": "Virtual Network Name", + "subnets": "The subnet to deploy into" + }, + "defaultValue": { + "name": "vnet01", + "addressPrefixSize": "/20" + }, + "constraints": { + "minAddressPrefixSize": "/29" + }, + "options": { + "hideExisting": false + }, + "subnets": { + "subnet1": { + "label": "Management subnet", + "defaultValue": { + "name": "Management", + "addressPrefixSize": "/24" + }, + "constraints": { + "minAddressPrefixSize": "/29", + "minAddressCount": 1, + "requireContiguousAddresses": true + } + } + } + } + ] + } + ], + "outputs": { + "location": "[location()]", + "cloudGuardVersion": "[concat(steps('chkp').cloudGuardVersion, ' - ', coalesce(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "adminPassword": "[basics('auth').password]", + "authenticationType": "[basics('auth').authenticationType]", + "sshPublicKey": "[basics('auth').sshPublicKey]", + "vmName": "[basics('gatewayNameUi')]", + "vmSize": "[coalesce(steps('chkp').R8030vmSizeUiBYOL, steps('chkp').R8030vmSizeUiMGMT25)]", + "virtualNetworkName": "[steps('network').virtualNetwork.name]", + "virtualNetworkAddressPrefix": "[steps('network').virtualNetwork.addressPrefix]", + "Subnet1Name": "[steps('network').virtualNetwork.subnets.subnet1.name]", + "Subnet1Prefix": "[steps('network').virtualNetwork.subnets.subnet1.addressPrefix]", + "Subnet1StartAddress": "[steps('network').virtualNetwork.subnets.subnet1.startAddress]", + "vnetNewOrExisting": "[steps('network').virtualNetwork.newOrExisting]", + "virtualNetworkExistingRGName": 
"[steps('network').virtualNetwork.resourceGroup]", + "managementGUIClientNetwork": "[steps('chkp').managementGUIClientNetwork]", + "bootstrapScript": "[steps('chkp').bootstrapScript]", + "allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp').allowUploadDownload, 'true')]", + "additionalDiskSizeGB": "[int(steps('chkp').additionalDiskSizeGB)]", + "diskType": "[coalesce(steps('chkp').VMDiskType, 'Standard_LRS')]", + "sourceImageVhdUri": "[coalesce(steps('chkp').sourceImageVhdUri, 'noCustomUri')]" + } + } +} diff --git a/deprecated/azure/templates/stack-R8030/stack-mgmt/mainTemplate.json b/deprecated/azure/templates/stack-R8030/stack-mgmt/mainTemplate.json new file mode 100644 index 00000000..f639f774 --- /dev/null +++ b/deprecated/azure/templates/stack-R8030/stack-mgmt/mainTemplate.json 
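Review bot: The `managementGUIClientNetwork` text box in the `chkp` step carries `"defaultValue": "0.0.0.0/0"`, so a deployer who accepts the defaults opens GUI-client access to the management server from any IPv4 source, and the main template forwards that value unchanged into the VM's customData as `managementGUIClientNetwork`. The element is already `"required": true`, so dropping the default makes the deployer state a range explicitly: `"defaultValue": "",` together with a toolTip such as `"GUI clients network CIDR — restrict to the networks SmartConsole administrators connect from; avoid 0.0.0.0/0"`. Separately, the `sourceImageVhdUri` regex ends in `.vhd$` with the dot unescaped, so a value ending in `xvhd` also passes; `\\.vhd$` is what the validation message promises. This file lives under `deprecated/`, so the change only matters if the definition is still published.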
@@ -0,0 +1,472 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string", + "metadata": { + "description": "Deployment location" + }, + "defaultValue": "[resourceGroup().location]" + }, + "cloudGuardVersion": { + "type": "string", + "allowedValues": [ + "R80.30 - Bring Your Own License", + "R80.30 - Pay As You Go (MGMT25)" + ], + "defaultValue": "R80.30 - Bring Your Own License", + "metadata": { + "description": "Version of Check Point CloudGuard" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Administrator password" + }, + "defaultValue": "" + }, + "authenticationType": { + "type": "string", + "allowedValues": [ + "password", + "sshPublicKey" + ], + "defaultValue": "password", + "metadata": { + "description": "Authentication type" + } + }, + "sshPublicKey": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Administrator SSH public key" + } + }, + "vmName": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "Name of the Check Point Security Management Server" + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_D3_v2", + "metadata": { + "description": "Size of the VM" + } + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "[concat(resourceGroup().name, '-vnet')]" + }, + "virtualNetworkAddressPrefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the virtual network" + }, + "defaultValue": "10.0.0.0/16" + }, + "Subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the management subnet" + }, + "defaultValue": "Frontend" + }, + "Subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the management subnet" + }, + 
"defaultValue": "10.0.1.0/24" + }, + "Subnet1StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the management subnet" + }, + "defaultValue": "10.0.1.10" + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "new", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "" + }, + "managementGUIClientNetwork": { + "type": "string", + "metadata": { + "description": "Allowed GUI clients" + }, + "defaultValue": "0.0.0.0/0" + }, + "_artifactsLocation": { + "type": "string", + "metadata": { + "description": "The base URI where artifacts required by this template are located including a trailing '/'" + }, + "defaultValue": "[deployment().properties.templateLink.uri]" + }, + "_artifactsLocationSasToken": { + "type": "securestring", + "metadata": { + "description": "The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. Use the defaultValue if the staging location is not secured." + }, + "defaultValue": "" + }, + "bootstrapScript": { + "type": "string", + "metadata": { + "description": "Bootstrap script" + }, + "defaultValue": "" + }, + "allowDownloadFromUploadToCheckPoint": { + "type": "string", + "allowedValues": [ + "true", + "false" + ], + "defaultValue": "true", + "metadata": { + "description": "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point" + } + }, + "additionalDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "metadata": { + "description": "Amount of additional disk space (in GB)" + }, + "minValue": 0, + "maxValue": 3995 + }, + "diskType": { + "type": "string", + "defaultValue": "Standard_LRS", + "metadata": { + "description": "The type of the OS disk. Premium is applicable only to DS machine sizes" + }, + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ] + }, + "preview": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Deploy the staged image" + }, + "allowedValues": [ + "", + "-preview" + ] + }, + "sourceImageVhdUri": { + "type": "string", + "defaultValue": "noCustomUri", + "metadata": { + "description": "The URI of the blob containing the development image" + } + }, + "Check_PointTags": { + "type": "object", + "defaultValue": { + "provider": "30DE18BC-F9F6-4F22-9D30-54B8E74CFD5F" + } + }, + "msi": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Configure managed service identity for the VM" + } + } + }, + "variables": { + "installationType": "management-stack", + "templateName": "stack-management", + "templateVersion": "20190626", + "location": "[parameters('location')]", + "offers": { + "R80.30 - Bring Your Own License": "BYOL", + "R80.30 - Pay As You Go (MGMT25)": "MGMT25" + }, + "offer": "[variables('offers')[parameters('cloudGuardVersion')]]", + "osVersions": { + "R80.30 - Bring Your Own License": "R8030", + "R80.30 - Pay As You Go (MGMT25)": "R8030" + }, + "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", + "isBlink": false, + "computeApiVersion": "2017-03-30", + "storageApiVersion": "2016-01-01", + "networkApiVersion": "2017-10-01", + "deploymentsApiVersion": "2016-02-01", + "storageAccountName": "[concat('bootdiag', uniqueString(resourceGroup().id, deployment().name))]", + "storageAccountType": "Standard_LRS", + "diskSizeGBR8030": 100, 
+ "diskSizeGB": "[add(parameters('additionalDiskSizeGB'), variables(concat('diskSizeGB', variables('osVersion'))))]", + "customData": "[concat('#!/usr/bin/python /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'managementGUIClientNetwork=\"', variables('managementGUIClientNetwork'), '\"', '\n', 'resourceGroup=\"', resourceGroup().name, '\"', '\n', 'subscriptionId=\"', subscription().subscriptionId, '\"', '\n')]", + "imageOfferR8030": "check-point-cg-stack-r8030", + "imageOffer": "[concat(variables(concat('imageOffer', variables('osVersion'))), parameters('preview'))]", + "imagePublisher": "checkpoint", + "imageReferenceBYOL": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "mgmt-byol", + "version": "latest" + }, + "imageReferenceMGMT25": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "mgmt-25", + "version": "latest" + }, + "imageReferenceMarketplace": "[variables(concat('imageReference', variables('offer')))]", + "customImage": "customImage", + "imageReferenceCustomUri": { + "id": "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + }, + "imageReference": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('imageReferenceMarketplace'), variables('imageReferenceCustomUri'))]", + "nic1Name": "[concat(parameters('vmName'), '-eth0')]", + "linuxConfigurationpassword": {}, + "linuxConfigurationsshPublicKey": { + 
"disablePasswordAuthentication": "true", + "ssh": { + "publicKeys": [ + { + "keyData": "[parameters('sshPublicKey')]", + "path": "/home/notused/.ssh/authorized_keys" + } + ] + } + }, + "linuxConfiguration": "[variables(concat('linuxConfiguration', parameters('authenticationType')))]", + "planBYOL": { + "name": "mgmt-byol", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planMGMT25": { + "name": "mgmt-25", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "plan": "[variables(concat('plan', variables('offer')))]", + "publicIPAddressName": "[parameters('vmName')]", + "publicIPAddressId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName'))]", + "bootstrapScript64": "[base64(parameters('bootstrapScript'))]", + "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]", + "networkSetupURL": "[uri(parameters('_artifactsLocation'), concat('nestedtemplates/vnet-1-subnet-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]", + "sicKey": "notused", + "managementGUIClientNetwork": "[parameters('managementGUIClientNetwork')]", + "identity": "[if(parameters('msi'), json('{\"type\": \"SystemAssigned\"}'), json('null'))]" + }, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('storageAccountName')]", + "apiVersion": "[variables('storageApiVersion')]", + "location": "[variables('location')]", + "sku": { + "name": "[variables('storageAccountType')]" + }, + "kind": "Storage", + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "name": "networkSetup", + "type": "Microsoft.Resources/deployments", + "apiVersion": "[variables('deploymentsApiVersion')]", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + 
"value": "[variables('location')]" + }, + "apiVersion": { + "value": "[variables('networkApiVersion')]" + }, + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + "virtualNetworkAddressPrefix": { + "value": "[parameters('virtualNetworkAddressPrefix')]" + }, + "Subnet1Name": { + "value": "[parameters('Subnet1Name')]" + }, + "Subnet1Prefix": { + "value": "[parameters('Subnet1Prefix')]" + }, + "vnetNewOrExisting": { + "value": "[parameters('vnetNewOrExisting')]" + }, + "virtualNetworkExistingRGName": { + "value": "[parameters('virtualNetworkExistingRGName')]" + } + } + } + }, + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "[variables('networkApiVersion')]", + "location": "[variables('location')]", + "name": "[variables('publicIPAddressName')]", + "properties": { + "idleTimeoutInMinutes": 30, + "publicIPAllocationMethod": "Static", + "dnsSettings": { + "domainNameLabel": "[concat(toLower(parameters('vmName')), '-', uniquestring(resourceGroup().id, deployment().name))]" + } + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "[variables('networkApiVersion')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 'networkSetup')]", + "[variables('publicIPAddressId')]" + ], + "location": "[variables('location')]", + "name": "[variables('nic1Name')]", + "properties": { + "enableIPForwarding": false, + "ipConfigurations": [ + { + "name": "ipconfig1", + "properties": { + "privateIPAddress": "[parameters('Subnet1StartAddress')]", + "privateIPAllocationMethod": "Static", + "PublicIpAddress": { + "Id": "[variables('publicIPAddressId')]" + }, + "subnet": { + "id": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('Subnet1Name'))]" + } + } + } + ] + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "condition": 
"[not(equals(parameters('sourceImageVhdUri'), 'noCustomUri'))]", + "type": "Microsoft.Compute/images", + "apiVersion": "2017-12-01", + "name": "[variables('customImage')]", + "location": "[variables('location')]", + "properties": { + "storageProfile": { + "osDisk": { + "osType": "Linux", + "osState": "Generalized", + "blobUri": "[parameters('sourceImageVhdUri')]", + "storageAccountType": "Standard_LRS" + } + } + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "[variables('computeApiVersion')]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]", + "[resourceId('Microsoft.Network/networkInterfaces', variables('nic1Name'))]", + "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + ], + "location": "[variables('location')]", + "name": "[parameters('vmName')]", + "plan": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('plan'), json('null'))]", + "identity": "[variables('identity')]", + "properties": { + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": "true", + "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), variables('storageApiVersion')).primaryEndpoints.blob]" + } + }, + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nic1Name'))]", + "properties": { + "primary": true + } + } + ] + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "notused", + "computerName": "[toLower(parameters('vmName'))]", + "customData": "[base64(variables('customData'))]", + "linuxConfiguration": "[variables('linuxConfiguration')]" + }, + "storageProfile": { + "imageReference": "[variables('imageReference')]", + "osDisk": { + "caching": "ReadWrite", 
+ "createOption": "FromImage", + "diskSizeGB": "[variables('diskSizeGB')]", + "name": "[parameters('vmName')]", + "managedDisk": { + "storageAccountType": "[parameters('diskType')]" + } + } + } + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + } + ], + "outputs": { + "IPAddress": { + "type": "string", + "value": "[reference(variables('publicIPAddressId')).IpAddress]" + }, + "FQDN": { + "type": "string", + "value": "[reference(variables('publicIPAddressId')).dnsSettings.fqdn]" + } + } +} diff --git a/deprecated/azure/templates/stack-R8030/stack-single/createUiDefinition.json b/deprecated/azure/templates/stack-R8030/stack-single/createUiDefinition.json new file mode 100644 index 00000000..4227b4f5 --- /dev/null +++ b/deprecated/azure/templates/stack-R8030/stack-single/createUiDefinition.json 
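Review bot: The boot-diagnostics storage account (`bootdiag…`, created with `storageApiVersion` 2016-01-01) has no `properties` block, so it accepts plain-HTTP traffic and any TLS version and inherits whatever anonymous-blob-access default applies, while boot diagnostics writes the management server's console log and screenshots into it. Raising `"storageApiVersion": "2019-06-01"` (the same variable feeds the `reference()` call for `primaryEndpoints.blob`, so both stay consistent) allows `"properties": { "supportsHttpsTrafficOnly": true, "minimumTlsVersion": "TLS1_2", "allowBlobPublicAccess": false }` on the resource. The `managementGUIClientNetwork` parameter here also defaults to `0.0.0.0/0` and is embedded in customData, so deployments that bypass the UI definition get the same open-to-the-world GUI-client range unless the caller overrides it; a template without that default is safer. Note the file is under `deprecated/`, so this may only matter if the template is still consumed.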
@@ -0,0 +1,441 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Compute.MultiVm", + "version": "0.1.2-preview", + "parameters": { + "basics": [ + { + "name": "gatewayNameUi", + "type": "Microsoft.Common.TextBox", + "label": "VM Name", + "toolTip": "The name of the Check Point CloudGuard Gateway.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{1,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + } + }, + { + "name": "auth", + "type": "Microsoft.Compute.CredentialsCombo", + "label": { + "authenticationType": "Authentication type", + "password": "Password", + "confirmPassword": "Confirm password", + "sshPublicKey": "SSH public key" + }, + "toolTip": { + "authenticationType": "", + "password": "The user 'admin' password", + "sshPublicKey": "Paste an OpenSSH public key. You can generate a key pair using ssh-keygen (Linux, OS X, Cygwin) or PuttyGen (Windows)" + }, + "constraints": { + "required": true + }, + "options": { + "hideConfirmation": false, + "hidePassword": false + }, + "osPlatform": "Linux" + } + ], + "steps": [ + { + "name": "chkp", + "label": "Check Point CloudGuard Gateway settings", + "subLabel": { + "preValidation": "Configure CloudGuard Gateway settings", + "postValidation": "Done" + }, + "bladeTitle": "CloudGuard Gateway settings", + "elements": [ + { + "name": "cloudGuardVersion", + "type": "Microsoft.Common.DropDown", + "label": "Check Point CloudGuard version", + "defaultValue": "R80.30", + "toolTip": "The version of Check Point CloudGuard.", + "constraints": { + "allowedValues": [ + { + "label": "R80.30", + "value": "R80.30" + } + ] + } + }, + { + "name": "R80Offer", + "type": "Microsoft.Common.DropDown", + "label": "License type", + "toolTip": "The type of license.", + "defaultValue": "Bring Your Own License", + "visible": 
"[equals(substring(steps('chkp').cloudGuardVersion,0,3), 'R80')]", + "constraints": { + "allowedValues": [ + { + "label": "Bring Your Own License", + "value": "Bring Your Own License" + } + ] + } + }, + { + "name": "R8030vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.30'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-stack-r8030", + "sku": "sg-byol" + }, + "count": 1 + }, + { + "name": "R8030vmSizeUiNGTP", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.30'), contains(steps('chkp').R80Offer, '(NGTP)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + 
"Standard_F64s_v2", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-stack-r8030", + "sku": "sg-ngtp" + }, + "count": 1 + }, + { + "name": "R8030vmSizeUiNGTX", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.30'), contains(steps('chkp').R80Offer, '(NGTX)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-stack-r8030", + "sku": "sg-ngtx" + }, + "count": 1 + }, + { + "name": "sicKeyUi", + "type": "Microsoft.Common.PasswordBox", + "label": { + "password": "SIC key", + "confirmPassword": "Confirm SIC key" + }, + "toolTip": "Set the Secure Internal Communication one time secret used to set up trust between the gateway and the management server.", + "constraints": { + "required": true, + "regex": 
"^[a-z0-9A-Z]{8,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the value must be 8-30 characters long." + }, + "options": { + "hideConfirmation": true + } + }, + { + "name": "bootstrapScript", + "type": "Microsoft.Common.FileUpload", + "label": "Bootstrap script", + "toolTip": "An optional script to run on the initial boot", + "constraints": { + "required": false, + "accept": ".sh,text/plain" + }, + "options": { + "multiple": false, + "uploadMode": "file", + "openMode": "text", + "encoding": "UTF-8" + } + }, + { + "name": "allowUploadDownload", + "type": "Microsoft.Common.OptionsGroup", + "label": "Allow download from/upload to Check Point", + "defaultValue": "Yes", + "toolTip": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "true" + }, + { + "label": "No", + "value": "false" + } + ] + } + }, + { + "name": "additionalDiskSizeGB", + "type": "Microsoft.Common.TextBox", + "label": "Additional disk space (GB)", + "defaultValue": "0", + "toolTip": "Additional disk space (in GB), Initial disk size is 100 GB.", + "constraints": { + "regex": "^([0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-2][0-9][0-9][0-9]|3[0-8][0-9][0-9]|399[0-5])$", + "validationMessage": "Select a number between 0 and 3995" + } + }, + { + "name": "VMDiskType", + "type": "Microsoft.Common.OptionsGroup", + "label": "VM disk type", + "toolTip": "Type of CloudGuard disk.", + "visible": "[or(contains(steps('chkp').R8030vmSizeUiBYOL, 'DS'), contains(steps('chkp').R8030vmSizeUiNGTP, 'DS'), contains(steps('chkp').R8030vmSizeUiNGTX, 'DS'))]", + "defaultValue": "Standard", + "constraints": { + "allowedValues": [ + { + "label": "Standard", + "value": "Standard_LRS" + }, + { + "label": "Premium", + "value": "Premium_LRS" + } + ] + } + }, + { + "name": "useCustomImageUri", + "type": "Microsoft.Common.OptionsGroup", + "label": "Use development 
image uri", + "defaultValue": "No", + "toolTip": "", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ], + "required": true + }, + "visible": false + }, + { + "name": "sourceImageVhdUri", + "type": "Microsoft.Common.TextBox", + "label": "Development Image URI", + "toolTip": "The URI of the blob containing the development image", + "constraints": { + "required": "[equals(steps('chkp').useCustomImageUri, 'Yes')]", + "regex": "^[a-z0-9A-Z_\\-\\.\\:\\/]{1,500}.vhd$", + "validationMessage": "Only alphanumeric characters and '_','-','.',':','/' are allowed, the value must be 1-500 characters long and must end with .vhd. " + }, + "visible": "[equals(steps('chkp').useCustomImageUri, 'Yes')]" + } + ] + }, + { + "name": "network", + "label": "Network settings", + "subLabel": { + "preValidation": "Configure network settings", + "postValidation": "Done" + }, + "bladeTitle": "Network settings", + "elements": [ + { + "name": "virtualNetwork", + "type": "Microsoft.Network.VirtualNetworkCombo", + "label": { + "virtualNetwork": "Virtual network", + "subnets": "Subnets" + }, + "toolTip": { + "virtualNetwork": "Virtual Network Name", + "subnets": "List of subnets to deploy into" + }, + "defaultValue": { + "name": "vnet01", + "addressPrefixSize": "/16" + }, + "constraints": { + "minAddressPrefixSize": "/28" + }, + "options": { + "hideExisting": false + }, + "subnets": { + "subnet1": { + "label": "Frontend subnet", + "defaultValue": { + "name": "Frontend", + "addressPrefixSize": "/24" + }, + "constraints": { + "minAddressPrefixSize": "/29", + "minAddressCount": 1, + "requireContiguousAddresses": true + } + }, + "subnet2": { + "label": "Backend subnet", + "defaultValue": { + "name": "Backend", + "addressPrefixSize": "/24" + }, + "constraints": { + "minAddressPrefixSize": "/29", + "minAddressCount": 1, + "requireContiguousAddresses": true + } + } + } + } + ] + } + ], + "outputs": { + "location": "[location()]", 
+ "cloudGuardVersion": "[concat(steps('chkp').cloudGuardVersion, ' - ', coalesce(steps('chkp').R80Offer, 'Bring Your Own License'))]",
+ "adminPassword": "[basics('auth').password]",
+ "authenticationType": "[basics('auth').authenticationType]",
+ "sshPublicKey": "[basics('auth').sshPublicKey]",
+ "vmName": "[basics('gatewayNameUi')]",
+ "vmSize": "[coalesce(steps('chkp').R8030vmSizeUiBYOL, steps('chkp').R8030vmSizeUiNGTP, steps('chkp').R8030vmSizeUiNGTX)]",
+ "sicKey": "[coalesce(steps('chkp').sicKeyUi, 'notused')]",
+ "virtualNetworkName": "[steps('network').virtualNetwork.name]",
+ "virtualNetworkAddressPrefix": "[steps('network').virtualNetwork.addressPrefix]",
+ "Subnet1Name": "[steps('network').virtualNetwork.subnets.subnet1.name]",
+ "Subnet1Prefix": "[steps('network').virtualNetwork.subnets.subnet1.addressPrefix]",
+ "Subnet1StartAddress": "[steps('network').virtualNetwork.subnets.subnet1.startAddress]",
+ "Subnet2Name": "[steps('network').virtualNetwork.subnets.subnet2.name]",
+ "Subnet2Prefix": "[steps('network').virtualNetwork.subnets.subnet2.addressPrefix]",
+ "Subnet2StartAddress": "[steps('network').virtualNetwork.subnets.subnet2.startAddress]",
+ "vnetNewOrExisting": "[steps('network').virtualNetwork.newOrExisting]",
+ "virtualNetworkExistingRGName": "[steps('network').virtualNetwork.resourceGroup]",
+ "managementGUIClientNetwork": "[steps('chkp').managementGUIClientNetwork]",
+ "bootstrapScript": "[steps('chkp').bootstrapScript]",
+ "allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp').allowUploadDownload, 'true')]",
+ "additionalDiskSizeGB": "[int(steps('chkp').additionalDiskSizeGB)]",
+ "diskType": "[coalesce(steps('chkp').VMDiskType, 'Standard_LRS')]",
+ "sourceImageVhdUri": "[coalesce(steps('chkp').sourceImageVhdUri, 'noCustomUri')]"
+ }
+ }
+}
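Review bot: The outputs block maps `managementGUIClientNetwork` to `[steps('chkp').managementGUIClientNetwork]`, but the `chkp` step defines no element with that name (its elements run from `cloudGuardVersion` through `sourceImageVhdUri`), so the output presumably resolves to nothing and the main template on this page falls back to its own `"0.0.0.0/0"` default for the allowed GUI clients. Either add a `Microsoft.Common.TextBox` element named `managementGUIClientNetwork` with a CIDR regex constraint so the installer makes that choice explicitly, or drop the output so the mismatch surfaces at deployment time instead of silently widening access. A smaller oddity: `R80Offer` offers only "Bring Your Own License", so the `R8030vmSizeUiNGTP` and `R8030vmSizeUiNGTX` selectors gated on `contains(steps('chkp').R80Offer, '(NGTP)')` and `'(NGTX)'` can never become visible and are dead UI.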
diff --git a/deprecated/azure/templates/stack-R8030/stack-single/mainTemplate.json b/deprecated/azure/templates/stack-R8030/stack-single/mainTemplate.json
new file mode 100644
index 00000000..1d88f17c
--- /dev/null
+++ b/deprecated/azure/templates/stack-R8030/stack-single/mainTemplate.json
@@ -0,0 +1,556 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string", + "metadata": { + "description": "Deployment location" + }, + "defaultValue": "[resourceGroup().location]" + }, + "cloudGuardVersion": { + "type": "string", + "allowedValues": [ + "R80.30 - Bring Your Own License", + "R80.30 - Pay As You Go (NGTP)", + "R80.30 - Pay As You Go (NGTX)" + ], + "defaultValue": "R80.30 - Bring Your Own License", + "metadata": { + "description": "Version of Check Point CloudGuard" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Administrator password" + }, + "defaultValue": "" + }, + "authenticationType": { + "type": "string", + "allowedValues": [ + "password", + "sshPublicKey" + ], + "defaultValue": "password", + "metadata": { + "description": "Authentication type" + } + }, + "sshPublicKey": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Administrator SSH public key" + } + }, + "vmName": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "Name of the Check Point Security Gateway" + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_D3_v2", + "metadata": { + "description": "Size of the VM" + } + }, + "sicKey": { + "type": "securestring", + "metadata": { + "description": "One time key for Secure Internal Communication" + } + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "[concat(resourceGroup().name, '-vnet')]" + }, + "virtualNetworkAddressPrefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the virtual network" + }, + "defaultValue": "10.0.0.0/16" + }, + "Subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the frontend subnet" + }, + "defaultValue": 
"Frontend" + }, + "Subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the frontend subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "Subnet1StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the frontend subnet" + }, + "defaultValue": "10.0.1.10" + }, + "Subnet2Name": { + "type": "string", + "metadata": { + "description": "The name of the backend subnet" + }, + "defaultValue": "Backend" + }, + "Subnet2Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the backend subnet" + }, + "defaultValue": "10.0.2.0/24" + }, + "Subnet2StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the backend subnet" + }, + "defaultValue": "10.0.2.10" + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "new", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "" + }, + "managementGUIClientNetwork": { + "type": "string", + "metadata": { + "description": "Allowed GUI clients" + }, + "defaultValue": "0.0.0.0/0" + }, + "_artifactsLocation": { + "type": "string", + "metadata": { + "description": "The base URI where artifacts required by this template are located including a trailing '/'" + }, + "defaultValue": "[deployment().properties.templateLink.uri]" + }, + "_artifactsLocationSasToken": { + "type": "securestring", + "metadata": { + "description": "The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. Use the defaultValue if the staging location is not secured." 
+ }, + "defaultValue": "" + }, + "bootstrapScript": { + "type": "string", + "metadata": { + "description": "Bootstrap script" + }, + "defaultValue": "" + }, + "allowDownloadFromUploadToCheckPoint": { + "type": "string", + "allowedValues": [ + "true", + "false" + ], + "defaultValue": "true", + "metadata": { + "description": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + } + }, + "additionalDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "metadata": { + "description": "Amount of additional disk space (in GB)" + }, + "minValue": 0, + "maxValue": 3995 + }, + "diskType": { + "type": "string", + "defaultValue": "Standard_LRS", + "metadata": { + "description": "The type of the OS disk. Premium is applicable only to DS machine sizes" + }, + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ] + }, + "preview": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Deploy the staged image" + }, + "allowedValues": [ + "", + "-preview" + ] + }, + "sourceImageVhdUri": { + "type": "string", + "defaultValue": "noCustomUri", + "metadata": { + "description": "The URI of the blob containing the development image" + } + }, + "Check_PointTags": { + "type": "object", + "defaultValue": { + "provider": "30DE18BC-F9F6-4F22-9D30-54B8E74CFD5F" + } + } + }, + "variables": { + "installationType": "gateway-stack", + "templateName": "stack-single", + "templateVersion": "20190626", + "location": "[parameters('location')]", + "offers": { + "R80.30 - Bring Your Own License": "BYOL", + "R80.30 - Pay As You Go (NGTP)": "NGTP", + "R80.30 - Pay As You Go (NGTX)": "NGTX" + }, + "offer": "[variables('offers')[parameters('cloudGuardVersion')]]", + "osVersions": { + "R80.30 - Bring Your Own License": "R8030", + "R80.30 - Pay As You Go (NGTP)": "R8030", + "R80.30 - Pay As You Go (NGTX)": "R8030" + }, + "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", + "isBlink": 
true, + "computeApiVersion": "2017-03-30", + "storageApiVersion": "2016-01-01", + "networkApiVersion": "2017-10-01", + "deploymentsApiVersion": "2016-02-01", + "storageAccountName": "[concat('bootdiag', uniqueString(resourceGroup().id, deployment().name))]", + "storageAccountType": "Standard_LRS", + "diskSizeGBR8030": 100, + "diskSizeGB": "[add(parameters('additionalDiskSizeGB'), variables(concat('diskSizeGB', variables('osVersion'))))]", + "customData": "[concat('#!/usr/bin/python /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'managementGUIClientNetwork=\"', variables('managementGUIClientNetwork'), '\"', '\n', 'resourceGroup=\"', resourceGroup().name, '\"', '\n', 'subscriptionId=\"', subscription().subscriptionId, '\"', '\n')]", + "imageOfferR8030": "check-point-cg-stack-r8030", + "imageOffer": "[concat(variables(concat('imageOffer', variables('osVersion'))), parameters('preview'))]", + "imagePublisher": "checkpoint", + "imageReferenceBYOL": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-byol", + "version": "latest" + }, + "imageReferenceNGTP": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp", + "version": "latest" + }, + "imageReferenceNGTX": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtx", + "version": "latest" + }, + "imageReferenceMarketplace": "[variables(concat('imageReference', 
variables('offer')))]", + "customImage": "customImage", + "imageReferenceCustomUri": { + "id": "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + }, + "imageReference": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('imageReferenceMarketplace'), variables('imageReferenceCustomUri'))]", + "nic1Name": "[concat(parameters('vmName'), '-eth0')]", + "nic2Name": "[concat(parameters('vmName'), '-eth1')]", + "linuxConfigurationpassword": {}, + "linuxConfigurationsshPublicKey": { + "disablePasswordAuthentication": "true", + "ssh": { + "publicKeys": [ + { + "keyData": "[parameters('sshPublicKey')]", + "path": "/home/notused/.ssh/authorized_keys" + } + ] + } + }, + "linuxConfiguration": "[variables(concat('linuxConfiguration', parameters('authenticationType')))]", + "planBYOL": { + "name": "sg-byol", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP": { + "name": "sg-ngtp", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP-V2": { + "name": "sg-ngtp-v2", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTX": { + "name": "sg-ngtx", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "plan": "[variables(concat('plan', variables('offer')))]", + "publicIPAddressName": "[parameters('vmName')]", + "publicIPAddressId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName'))]", + "bootstrapScript64": "[base64(parameters('bootstrapScript'))]", + "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]", + "networkSetupURL": "[uri(parameters('_artifactsLocation'), concat('nestedtemplates/vnet-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]", + "sicKey": "[parameters('sicKey')]", + "managementGUIClientNetwork": 
"[parameters('managementGUIClientNetwork')]" + }, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('storageAccountName')]", + "apiVersion": "[variables('storageApiVersion')]", + "location": "[variables('location')]", + "sku": { + "name": "[variables('storageAccountType')]" + }, + "kind": "Storage", + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "name": "networkSetup", + "type": "Microsoft.Resources/deployments", + "apiVersion": "[variables('deploymentsApiVersion')]", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + "value": "[variables('location')]" + }, + "apiVersion": { + "value": "[variables('networkApiVersion')]" + }, + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + "virtualNetworkAddressPrefix": { + "value": "[parameters('virtualNetworkAddressPrefix')]" + }, + "Subnet1Name": { + "value": "[parameters('Subnet1Name')]" + }, + "Subnet1Prefix": { + "value": "[parameters('Subnet1Prefix')]" + }, + "Subnet1StartAddress": { + "value": "[parameters('Subnet1StartAddress')]" + }, + "Subnet2Name": { + "value": "[parameters('Subnet2Name')]" + }, + "Subnet2Prefix": { + "value": "[parameters('Subnet2Prefix')]" + }, + "Subnet2StartAddress": { + "value": "[parameters('Subnet2StartAddress')]" + }, + "vnetNewOrExisting": { + "value": "[parameters('vnetNewOrExisting')]" + }, + "virtualNetworkExistingRGName": { + "value": "[parameters('virtualNetworkExistingRGName')]" + } + } + } + }, + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "[variables('networkApiVersion')]", + "location": "[variables('location')]", + "name": "[variables('publicIPAddressName')]", + "properties": { + "idleTimeoutInMinutes": 30, + "publicIPAllocationMethod": "Static", + "dnsSettings": { + "domainNameLabel": 
"[concat(toLower(parameters('vmName')), '-', uniquestring(resourceGroup().id, deployment().name))]" + } + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "[variables('networkApiVersion')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 'networkSetup')]", + "[variables('publicIPAddressId')]" + ], + "location": "[variables('location')]", + "name": "[variables('nic1Name')]", + "properties": { + "enableIPForwarding": true, + "ipConfigurations": [ + { + "name": "ipconfig1", + "properties": { + "privateIPAddress": "[parameters('Subnet1StartAddress')]", + "privateIPAllocationMethod": "Static", + "PublicIpAddress": { + "Id": "[variables('publicIPAddressId')]" + }, + "subnet": { + "id": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('Subnet1Name'))]" + } + } + } + ] + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "[variables('networkApiVersion')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 'networkSetup')]" + ], + "location": "[variables('location')]", + "name": "[variables('nic2Name')]", + "properties": { + "enableIPForwarding": true, + "ipConfigurations": [ + { + "name": "ipconfig2", + "properties": { + "privateIPAddress": "[parameters('Subnet2StartAddress')]", + "privateIPAllocationMethod": "Static", + "subnet": { + "id": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('Subnet2Name'))]" + } + } + } + ] + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "condition": "[not(equals(parameters('sourceImageVhdUri'), 'noCustomUri'))]", + "type": "Microsoft.Compute/images", + "apiVersion": "2017-12-01", + "name": "[variables('customImage')]", + "location": "[variables('location')]", + "properties": { + 
"storageProfile": { + "osDisk": { + "osType": "Linux", + "osState": "Generalized", + "blobUri": "[parameters('sourceImageVhdUri')]", + "storageAccountType": "Standard_LRS" + } + } + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "[variables('computeApiVersion')]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]", + "[resourceId('Microsoft.Network/networkInterfaces', variables('nic1Name'))]", + "[resourceId('Microsoft.Network/networkInterfaces', variables('nic2Name'))]", + "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + ], + "location": "[variables('location')]", + "name": "[parameters('vmName')]", + "plan": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('plan'), json('null'))]", + "properties": { + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": "true", + "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), variables('storageApiVersion')).primaryEndpoints.blob]" + } + }, + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nic1Name'))]", + "properties": { + "primary": true + } + }, + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nic2Name'))]", + "properties": { + "primary": false + } + } + ] + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "notused", + "computerName": "[toLower(parameters('vmName'))]", + "customData": "[base64(variables('customData'))]", + "linuxConfiguration": "[variables('linuxConfiguration')]" + }, + "storageProfile": { + "imageReference": "[variables('imageReference')]", + "osDisk": { + "caching": "ReadWrite", + "createOption": "FromImage", + "diskSizeGB": 
"[variables('diskSizeGB')]",
+ "name": "[parameters('vmName')]",
+ "managedDisk": {
+ "storageAccountType": "[parameters('diskType')]"
+ }
+ }
+ }
+ },
+ "tags": {
+ "provider": "[toUpper(parameters('Check_PointTags').provider)]"
+ }
+ }
+ ],
+ "outputs": {
+ "GatewayIPAddr": {
+ "type": "string",
+ "value": "[reference(variables('publicIPAddressId')).IpAddress]"
+ },
+ "GatewayFQDN": {
+ "type": "string",
+ "value": "[reference(variables('publicIPAddressId')).dnsSettings.fqdn]"
+ }
+ }
+}
diff --git a/deprecated/azure/templates/stack-R8040-R81/stack-ha-r8040-r81/createUiDefinition.json b/deprecated/azure/templates/stack-R8040-R81/stack-ha-r8040-r81/createUiDefinition.json
new file mode 100644
index 00000000..e8491d12
--- /dev/null
+++ b/deprecated/azure/templates/stack-R8040-R81/stack-ha-r8040-r81/createUiDefinition.json
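Review bot: `managementGUIClientNetwork` carries `"defaultValue": "0.0.0.0/0"` in the parameters section (just before `_artifactsLocation`), and that value is written into `variables('customData')` as the gateway's allowed GUI client network while the VM gets a static public IP, so any deployment that omits the parameter ends up permitting management access from every source; the paired createUiDefinition.json on this page references a `managementGUIClientNetwork` element that does not exist, so portal deployments take this default. Dropping the `defaultValue` line makes the parameter required, or at minimum the metadata description should say that the default allows all clients rather than just "Allowed GUI clients". Separately, `sicKey` is declared `securestring` but is concatenated in clear text into `customData` and handed to the VM via `osProfile.customData`, so the securestring protection covers only the deployment parameter and the one-time key is presumably readable wherever the VM's custom data is readable — worth confirming it is truly single-use and reset once trust is established.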
@@ -0,0 +1,763 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "basics": [ + { + "name": "clusterObjectNameUi", + "type": "Microsoft.Common.TextBox", + "label": "Cluster Object Name", + "toolTip": "The name of the Check Point CloudGuard Cluster object.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{1,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + } + }, + { + "name": "auth", + "type": "Microsoft.Compute.CredentialsCombo", + "label": { + "authenticationType": "Authentication type", + "password": "Password", + "confirmPassword": "Confirm password", + "sshPublicKey": "SSH public key" + }, + "toolTip": { + "authenticationType": "", + "password": "The user 'admin' password", + "sshPublicKey": "Paste an OpenSSH public key. You can generate a key pair using ssh-keygen (Linux, OS X, Cygwin) or PuttyGen (Windows)" + }, + "constraints": { + "required": true + }, + "options": { + "hideConfirmation": false, + "hidePassword": false + }, + "osPlatform": "Linux" + } + ], + "steps": [ + { + "name": "chkp", + "label": "Check Point CloudGuard Cluster Object settings", + "subLabel": { + "preValidation": "Configure CloudGuard Cluster Object settings", + "postValidation": "Done" + }, + "bladeTitle": "CloudGuard cluster Object settings", + "elements": [ + { + "name": "cloudGuardVersion", + "type": "Microsoft.Common.DropDown", + "label": "Check Point CloudGuard version", + "defaultValue": "R81", + "toolTip": "The version of Check Point CloudGuard.", + "constraints": { + "allowedValues": [ + { + "label": "R80.40", + "value": "R80.40" + }, + { + "label": "R81", + "value": "R81" + } + ] + } + }, + { + "name": "R80Offer", + "type": "Microsoft.Common.DropDown", + "label": "License type", + "toolTip": "The type of license.", + "defaultValue": 
"Bring Your Own License", + "visible": true, + "constraints": { + "allowedValues": [ + { + "label": "Bring Your Own License", + "value": "Bring Your Own License" + } + ] + } + }, + { + "name": "R8040vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.40'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8040", + "sku": "sg-byol" + }, + "count": 2 + }, + { + "name": 
"R8040vmSizeUiNGTP", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.40'), contains(steps('chkp').R80Offer, '(NGTP)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8040", + "sku": "sg-ngtp" + }, + "count": 2 + }, + { + "name": "R8040vmSizeUiNGTX", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.40'), contains(steps('chkp').R80Offer, '(NGTX)'))]", + "label": "Virtual machine 
size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8040", + "sku": "sg-ngtx" + }, + "count": 2 + }, + { + "name": "R81vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + 
"Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r81", + "sku": "sg-byol" + }, + "count": 2 + }, + { + "name": "R81vmSizeUiNGTP", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81'), contains(steps('chkp').R80Offer, '(NGTP)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + 
"Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r81", + "sku": "sg-ngtp" + }, + "count": 2 + }, + { + "name": "R81vmSizeUiNGTX", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81'), contains(steps('chkp').R80Offer, '(NGTX)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + 
"Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r81", + "sku": "sg-ngtx" + }, + "count": 2 + }, + { + "name": "sicKeyUi", + "type": "Microsoft.Common.PasswordBox", + "label": { + "password": "SIC key", + "confirmPassword": "Confirm SIC key" + }, + "toolTip": "Set the Secure Internal Communication one time secret used to set up trust between the cluster object and the management server.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{8,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the value must be 8-30 characters long." 
+ }, + "options": { + "hideConfirmation": true + }, + "visible": "true" + }, + { + "name": "bootstrapScript", + "type": "Microsoft.Common.FileUpload", + "label": "Bootstrap script", + "toolTip": "An optional script to run on the initial boot", + "constraints": { + "required": false, + "accept": ".sh,text/plain" + }, + "options": { + "multiple": false, + "uploadMode": "file", + "openMode": "text", + "encoding": "UTF-8" + } + }, + { + "name": "allowUploadDownload", + "type": "Microsoft.Common.OptionsGroup", + "label": "Allow download from/upload to Check Point", + "defaultValue": "Yes", + "toolTip": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "true" + }, + { + "label": "No", + "value": "false" + } + ] + } + }, + { + "name": "additionalDiskSizeGB", + "type": "Microsoft.Common.TextBox", + "label": "Additional disk space (GB)", + "defaultValue": "0", + "toolTip": "Additional disk space (in GB), Initial disk size is 100 GB.", + "constraints": { + "regex": "^([0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-2][0-9][0-9][0-9]|3[0-8][0-9][0-9]|399[0-5])$", + "validationMessage": "Select a number between 0 and 3995" + } + }, + { + "name": "useCustomImageUri", + "type": "Microsoft.Common.OptionsGroup", + "label": "Use development image uri", + "defaultValue": "No", + "toolTip": "", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ], + "required": true + }, + "visible": false + }, + { + "name": "sourceImageVhdUri", + "type": "Microsoft.Common.TextBox", + "label": "Development Image URI", + "toolTip": "The URI of the blob containing the development image", + "constraints": { + "required": "[equals(steps('chkp').useCustomImageUri, 'Yes')]", + "regex": "^[a-z0-9A-Z_\\-\\.\\:\\/]{1,500}.vhd$", + "validationMessage": "Only alphanumeric characters and 
'_','-','.',':','/' are allowed, the value must be 1-500 characters long and must end with .vhd. " + }, + "visible": "[equals(steps('chkp').useCustomImageUri, 'Yes')]" + } + ] + }, + { + "name": "network", + "label": "Network settings", + "subLabel": { + "preValidation": "Configure network settings", + "postValidation": "Done" + }, + "bladeTitle": "Network settings", + "elements": [ + { + "name": "virtualNetwork", + "type": "Microsoft.Network.VirtualNetworkCombo", + "label": { + "virtualNetwork": "Virtual network", + "subnets": "Subnets" + }, + "toolTip": { + "virtualNetwork": "Virtual Network Name", + "subnets": "List of subnets to deploy into" + }, + "defaultValue": { + "name": "vnet01", + "addressPrefixSize": "/16" + }, + "constraints": { + "minAddressPrefixSize": "/28" + }, + "options": { + "hideExisting": false + }, + "subnets": { + "subnet1": { + "label": "Frontend subnet", + "defaultValue": { + "name": "Frontend", + "addressPrefixSize": "/24" + }, + "constraints": { + "minAddressPrefixSize": "/29", + "minAddressCount": 2, + "requireContiguousAddresses": true + } + }, + "subnet2": { + "label": "Backend subnet", + "defaultValue": { + "name": "Backend", + "addressPrefixSize": "/24" + }, + "constraints": { + "minAddressPrefixSize": "/29", + "minAddressCount": 2, + "requireContiguousAddresses": true + } + } + } + } + ] + } + ], + "outputs": { + "location": "[location()]", + "cloudGuardVersion": "[concat(steps('chkp').cloudGuardVersion, ' - ', coalesce(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "adminPassword": "[basics('auth').password]", + "authenticationType": "[basics('auth').authenticationType]", + "sshPublicKey": "[basics('auth').sshPublicKey]", + "vmName": "[basics('clusterObjectNameUi')]", + "vmSize": "[coalesce(steps('chkp').R8040vmSizeUiBYOL, steps('chkp').R8040vmSizeUiNGTP, steps('chkp').R8040vmSizeUiNGTX, steps('chkp').R81vmSizeUiBYOL, steps('chkp').R81vmSizeUiNGTP, steps('chkp').R81vmSizeUiNGTX)]", + "sicKey": "[steps('chkp').sicKeyUi]", 
+ "virtualNetworkName": "[steps('network').virtualNetwork.name]",
+ "virtualNetworkAddressPrefixes": "[steps('network').virtualNetwork.addressPrefixes]",
+ "subnet1Name": "[steps('network').virtualNetwork.subnets.subnet1.name]",
+ "subnet1Prefix": "[steps('network').virtualNetwork.subnets.subnet1.addressPrefix]",
+ "subnet1StartAddress": "[steps('network').virtualNetwork.subnets.subnet1.startAddress]",
+ "subnet2Name": "[steps('network').virtualNetwork.subnets.subnet2.name]",
+ "subnet2Prefix": "[steps('network').virtualNetwork.subnets.subnet2.addressPrefix]",
+ "subnet2StartAddress": "[steps('network').virtualNetwork.subnets.subnet2.startAddress]",
+ "vnetNewOrExisting": "[steps('network').virtualNetwork.newOrExisting]",
+ "virtualNetworkExistingRGName": "[steps('network').virtualNetwork.resourceGroup]",
+ "bootstrapScript": "[steps('chkp').bootstrapScript]",
+ "allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp').allowUploadDownload, 'true')]",
+ "additionalDiskSizeGB": "[int(steps('chkp').additionalDiskSizeGB)]",
+ "sourceImageVhdUri": "[coalesce(steps('chkp').sourceImageVhdUri, 'noCustomUri')]"
+ }
+ }
+}
\ No newline at end of file
diff --git a/deprecated/azure/templates/stack-R8040-R81/stack-ha-r8040-r81/mainTemplate.json b/deprecated/azure/templates/stack-R8040-R81/stack-ha-r8040-r81/mainTemplate.json
new file mode 100644
index 00000000..0847143c
--- /dev/null
+++ b/deprecated/azure/templates/stack-R8040-R81/stack-ha-r8040-r81/mainTemplate.json
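Review bot: The `sourceImageVhdUri` constraint in the chkp step, `"regex": "^[a-z0-9A-Z_\\-\\.\\:\\/]{1,500}.vhd$"`, leaves the dot before `vhd` unescaped, so it matches any character in that position and accepts values such as a name ending in `-vhd` or `Xvhd` although the validationMessage promises the value "must end with .vhd"; escape it as `"regex": "^[a-z0-9A-Z_\\-\\.\\:\\/]{1,500}\\.vhd$"`. The character class also admits a bare path or any scheme, so if only blob URLs are intended, anchoring the pattern on `^https://` would state that in the constraint itself. This matters because the value is passed through unchanged as the `sourceImageVhdUri` output and, in the preceding hunk, becomes the image resource's `blobUri`, so this textbox is the only validation point visible on the page.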
@@ -0,0 +1,699 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string", + "metadata": { + "description": "Deployment location" + }, + "defaultValue": "[resourceGroup().location]" + }, + "cloudGuardVersion": { + "type": "string", + "allowedValues": [ + "R80.40 - Bring Your Own License", + "R80.40 - Pay As You Go (NGTP)", + "R80.40 - Pay As You Go (NGTX)", + "R81 - Bring Your Own License", + "R81 - Pay As You Go (NGTP)", + "R81 - Pay As You Go (NGTX)", + ], + "defaultValue": "R81 - Bring Your Own License", + "metadata": { + "description": "Version of Check Point CloudGuard" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Administrator password" + }, + "defaultValue": "" + }, + "authenticationType": { + "type": "string", + "allowedValues": [ + "password", + "sshPublicKey" + ], + "defaultValue": "password", + "metadata": { + "description": "Authentication type" + } + }, + "sshPublicKey": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Administrator SSH public key" + } + }, + "vmName": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "Name of the Check Point Cluster object" + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_D3_v2", + "metadata": { + "description": "Size of the VM" + } + }, + "sicKey": { + "type": "securestring", + "metadata": { + "description": "One time key for Secure Internal Communication" + } + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "[concat(resourceGroup().name, '-vnet')]" + }, + "virtualNetworkAddressPrefixes": { + "type": "array", + "metadata": { + "description": "The address prefixes of the virtual network" + }, + "defaultValue": [ + "10.0.0.0/16" + ] + }, + "subnet1Name": { + 
"type": "string", + "metadata": { + "description": "The name of the frontend subnet" + }, + "defaultValue": "Frontend" + }, + "subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the frontend subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "subnet1StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the frontend subnet" + }, + "defaultValue": "10.0.1.10" + }, + "subnet2Name": { + "type": "string", + "metadata": { + "description": "The name of the backend subnet" + }, + "defaultValue": "Backend" + }, + "subnet2Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the backend subnet" + }, + "defaultValue": "10.0.2.0/24" + }, + "subnet2StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the 2nd subnet" + }, + "defaultValue": "10.0.2.10" + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "new", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "" + }, + "_artifactsLocation": { + "type": "string", + "metadata": { + "description": "The base URI where artifacts required by this template are located including a trailing '/'" + }, + "defaultValue": "[deployment().properties.templateLink.uri]" + }, + "_artifactsLocationSasToken": { + "type": "securestring", + "metadata": { + "description": "The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. Use the defaultValue if the staging location is not secured." 
+ }, + "defaultValue": "" + }, + "bootstrapScript": { + "type": "string", + "metadata": { + "description": "Bootstrap script" + }, + "defaultValue": "" + }, + "allowDownloadFromUploadToCheckPoint": { + "type": "string", + "allowedValues": [ + "true", + "false" + ], + "defaultValue": "true", + "metadata": { + "description": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + } + }, + "additionalDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "metadata": { + "description": "Amount of additional disk space (in GB)" + }, + "minValue": 0, + "maxValue": 3995 + }, + "diskType": { + "type": "string", + "defaultValue": "Standard_LRS", + "metadata": { + "description": "The type of the OS disk. Premium is applicable only to DS machine sizes" + }, + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ] + }, + "preview": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Deploy the staged image" + }, + "allowedValues": [ + "", + "-preview" + ] + }, + "sourceImageVhdUri": { + "type": "string", + "defaultValue": "noCustomUri", + "metadata": { + "description": "The URI of the blob containing the development image" + } + }, + "Check_PointTags": { + "type": "object", + "defaultValue": { + "provider": "30DE18BC-F9F6-4F22-9D30-54B8E74CFD5F" + } + } + }, + "variables": { + "installationType": "cluster-stack", + "templateName": "stack-ha", + "templateVersion": "20230219", + "location": "[parameters('location')]", + "offers": { + "R80.40 - Bring Your Own License": "BYOL", + "R80.40 - Pay As You Go (NGTP)": "NGTP", + "R80.40 - Pay As You Go (NGTX)": "NGTX", + "R81 - Bring Your Own License": "BYOL", + "R81 - Pay As You Go (NGTP)": "NGTP", + "R81 - Pay As You Go (NGTX)": "NGTX" + }, + "offer": "[variables('offers')[parameters('cloudGuardVersion')]]", + "osVersions": { + "R80.40 - Bring Your Own License": "R8040", + "R80.40 - Pay As You Go (NGTP)": "R8040", + "R80.40 - Pay As You 
Go (NGTX)": "R8040", + "R81 - Bring Your Own License": "R81", + "R81 - Pay As You Go (NGTP)": "R81", + "R81 - Pay As You Go (NGTX)": "R81" + }, + "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", + "isBlink": true, + "computeApiVersion": "2017-03-30", + "storageApiVersion": "2016-01-01", + "networkApiVersion": "2017-10-01", + "deploymentsApiVersion": "2016-02-01", + "storageAccountName": "[concat('bootdiag', uniqueString(resourceGroup().id, deployment().name))]", + "storageAccountType": "Standard_LRS", + "diskSize100GB": 100, + "diskSizeGB": "[add(parameters('additionalDiskSizeGB'), variables('diskSize100GB'))]", + "customData": "[concat('#!/usr/bin/python /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'managementGUIClientNetwork=\"', variables('managementGUIClientNetwork'), '\"', '\n', 'resourceGroup=\"', resourceGroup().name, '\"', '\n', 'subscriptionId=\"', subscription().subscriptionId, '\"', '\n', 'subnet1Prefix=\"', first(split(parameters('subnet1Prefix'), '/')), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'tenantId=\"', subscription().tenantId, '\"', '\n', 'virtualNetwork=\"', parameters('virtualNetworkName'), '\"', '\n', 'clusterName=\"', parameters('vmName'), '\"', '\n')]", + "imageOfferR8040": "check-point-cg-r8040", + "imageOfferR81": "check-point-cg-r81", + "imageOffer": "[concat(variables(concat('imageOffer', variables('osVersion'))), parameters('preview'))]", + "imagePublisher": "checkpoint", + 
"imageReferenceBYOL": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-byol", + "version": "latest" + }, + "imageReferenceNGTP": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtp", + "version": "latest" + }, + "imageReferenceNGTX": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtx", + "version": "latest" + }, + "imageReferenceMarketplace": "[variables(concat('imageReference', variables('offer')))]", + "customImage": "customImage", + "imageReferenceCustomUri": { + "id": "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + }, + "imageReference": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('imageReferenceMarketplace'), variables('imageReferenceCustomUri'))]", + "nic1Name": "eth0", + "nic2Name": "eth1", + "linuxConfigurationpassword": {}, + "linuxConfigurationsshPublicKey": { + "disablePasswordAuthentication": "true", + "ssh": { + "publicKeys": [ + { + "keyData": "[parameters('sshPublicKey')]", + "path": "/home/notused/.ssh/authorized_keys" + } + ] + } + }, + "linuxConfiguration": "[variables(concat('linuxConfiguration', parameters('authenticationType')))]", + "planBYOL": { + "name": "sg-byol", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP": { + "name": "sg-ngtp", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTX": { + "name": "sg-ngtx", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "plan": "[variables(concat('plan', variables('offer')))]", + "publicIPAddressName": "[parameters('vmName')]", + "publicIPAddressId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName'))]", + "bootstrapScript64": "[base64(parameters('bootstrapScript'))]", + "allowUploadDownload": 
"[parameters('allowDownloadFromUploadToCheckPoint')]", + "networkSetupURL": "[uri(parameters('_artifactsLocation'), concat('nestedtemplates/vnet-', parameters('vnetNewOrExisting'), '-stack-ha', '.json', parameters('_artifactsLocationSasToken')))]", + "sicKey": "[parameters('sicKey')]", + "managementGUIClientNetwork": "", + "externalPrivateAddresses": [ + "[parameters('Subnet1StartAddress')]", + "[concat(split(parameters('subnet1StartAddress'), '.')[0],'.', split(parameters('subnet1StartAddress'), '.')[1],'.', split(parameters('subnet1StartAddress'), '.')[2],'.', string(add(int(split(parameters('subnet1StartAddress'), '.')[3]),1)))]" + ], + "Subnet2PrivateAddresses": [ + "[parameters('subnet2StartAddress')]", + "[concat(split(parameters('subnet2StartAddress'), '.')[0],'.', split(parameters('subnet2StartAddress'), '.')[1],'.', split(parameters('subnet2StartAddress'), '.')[2],'.', string(add(int(split(parameters('subnet2StartAddress'), '.')[3]),1)))]" + ], + "publicIPAddressName1": "[concat(parameters('vmName'), 1)]", + "publicIPAddressId1": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName1'))]", + "publicIPAddressName2": "[concat(parameters('vmName'), 2)]", + "publicIPAddressId2": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName2'))]", + "availabilitySetName": "[concat(parameters('vmName'), '-AvailabilitySet')]", + "count": 2, + "frontEndIPConfMember1Id": "[concat(variables('lbId'), '/frontendIPConfigurations/LoadBalancerFrontEnd1')]", + "frontEndIPConfMember2Id": "[concat(variables('lbId'), '/frontendIPConfigurations/LoadBalancerFrontEnd2')]", + "member1IPConfigId": "[concat(variables('lbId'), '/frontendIPConfigurations/LoadBalancerFrontEnd1')]", + "member2IPConfigId": "[concat(variables('lbId'), '/frontendIPConfigurations/LoadBalancerFrontEnd2')]", + "elbBEAddressPool": "[concat(variables('lbName'), '-pool')]", + "elbBEAddressPoolID": 
"[concat(variables('lbId'),'/backendAddressPools/',variables('elbBEAddressPool'))]", + "appProbeName": "health_prob_port", + "elbPublicIPName": "frontend-lb-address", + "elbPublicIPId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('elbPublicIPName'))]", + "lbId": "[resourceId('Microsoft.Network/loadBalancers', variables('lbName'))]", + "lbName": "frontend-lb" + }, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('storageAccountName')]", + "apiVersion": "[variables('storageApiVersion')]", + "location": "[variables('location')]", + "sku": { + "name": "[variables('storageAccountType')]" + }, + "kind": "Storage", + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "name": "networkSetup", + "type": "Microsoft.Resources/deployments", + "apiVersion": "[variables('deploymentsApiVersion')]", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + "value": "[variables('location')]" + }, + "apiVersion": { + "value": "[variables('networkApiVersion')]" + }, + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + "virtualNetworkAddressPrefixes": { + "value": "[parameters('virtualNetworkAddressPrefixes')]" + }, + "subnet1Name": { + "value": "[parameters('subnet1Name')]" + }, + "subnet1Prefix": { + "value": "[parameters('subnet1Prefix')]" + }, + "subnet1StartAddress": { + "value": "[parameters('subnet1StartAddress')]" + }, + "subnet2Name": { + "value": "[parameters('subnet2Name')]" + }, + "subnet2Prefix": { + "value": "[parameters('subnet2Prefix')]" + }, + "subnet2StartAddress": { + "value": "[parameters('subnet2StartAddress')]" + }, + "vnetNewOrExisting": { + "value": "[parameters('vnetNewOrExisting')]" + }, + "virtualNetworkExistingRGName": { + "value": "[parameters('virtualNetworkExistingRGName')]" + } + } + } + }, + { + "type": 
"Microsoft.Compute/availabilitySets", + "apiVersion": "[variables('computeApiVersion')]", + "location": "[variables('location')]", + "name": "[concat(variables('availabilitySetName'))]", + "properties": { + "platformFaultDomainCount": 2 + }, + "sku": { + "name": "Aligned" + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "[variables('networkApiVersion')]", + "location": "[variables('location')]", + "name": "[variables('elbPublicIPName')]", + "properties": { + "idleTimeoutInMinutes": 30, + "publicIPAllocationMethod": "Static" + } + }, + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "[variables('networkApiVersion')]", + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), copyIndex(1))]", + "copy": { + "name": "publicAddressCopy", + "count": "[variables('count')]" + }, + "properties": { + "idleTimeoutInMinutes": 30, + "publicIPAllocationMethod": "Static" + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "[variables('networkApiVersion')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 'networkSetup')]", + "[variables('lbId')]", + "[variables('publicIPAddressId1')]" + ], + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), '1-', variables('nic1Name'))]", + "properties": { + "enableIPForwarding": true, + "ipConfigurations": [ + { + "name": "ipconfig1", + "properties": { + "privateIPAddress": "[variables('externalPrivateAddresses')[0]]", + "privateIPAllocationMethod": "Static", + "PublicIpAddress": { + "Id": "[variables(concat('publicIPAddressId', 1))]" + }, + "subnet": { + "id": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('Subnet1Name'))]" + }, + "loadBalancerBackendAddressPools": [ + { + "id": 
"[variables('elbBEAddressPoolID')]" + } + ] + } + } + ] + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "[variables('networkApiVersion')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 'networkSetup')]", + "[variables('lbId')]", + "[variables('publicIPAddressId2')]" + ], + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), '2-', variables('nic1Name'))]", + "properties": { + "enableIPForwarding": true, + "ipConfigurations": [ + { + "name": "ipconfig2", + "properties": { + "privateIPAddress": "[variables('externalPrivateAddresses')[1]]", + "privateIPAllocationMethod": "Static", + "PublicIpAddress": { + "Id": "[variables(concat('publicIPAddressId', 2))]" + }, + "subnet": { + "id": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('Subnet1Name'))]" + }, + "loadBalancerBackendAddressPools": [ + { + "id": "[variables('elbBEAddressPoolID')]" + } + ] + } + } + ] + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "[variables('networkApiVersion')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 'networkSetup')]" + ], + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), copyIndex(1), '-', variables('nic2Name'))]", + "copy": { + "name": "interface2Copy", + "count": "[variables('count')]" + }, + "properties": { + "enableIPForwarding": true, + "ipConfigurations": [ + { + "name": "ipconfig2", + "properties": { + "privateIPAddress": "[variables('Subnet2PrivateAddresses')[copyIndex(0)]]", + "privateIPAllocationMethod": "Static", + "subnet": { + "id": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('Subnet2Name'))]" + } + } + } + ] + }, + "tags": { + "provider": 
"[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "condition": "[not(equals(parameters('sourceImageVhdUri'), 'noCustomUri'))]", + "type": "Microsoft.Compute/images", + "apiVersion": "2017-12-01", + "name": "[variables('customImage')]", + "location": "[variables('location')]", + "properties": { + "storageProfile": { + "osDisk": { + "osType": "Linux", + "osState": "Generalized", + "blobUri": "[parameters('sourceImageVhdUri')]", + "storageAccountType": "Standard_LRS" + } + } + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "[variables('computeApiVersion')]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]", + "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), copyIndex(1), '-', variables('nic1Name')))]", + "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), copyIndex(1), '-', variables('nic2Name')))]", + "[resourceId('Microsoft.Compute/availabilitySets', variables('availabilitySetName'))]", + "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + ], + "location": "[variables('location')]", + "name": "[concat(parameters('vmName'), copyIndex(1))]", + "copy": { + "name": "virtualMachineCopy", + "count": "[variables('count')]" + }, + "plan": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('plan'), json('null'))]", + "properties": { + "availabilitySet": { + "id": "[resourceId('Microsoft.Compute/availabilitySets', variables('availabilitySetName'))]" + }, + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": "true", + "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), variables('storageApiVersion')).primaryEndpoints.blob]" + } + }, + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "networkProfile": { + 
"networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), copyIndex(1), '-', variables('nic1Name')))]", + "properties": { + "primary": true + } + }, + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(parameters('vmName'), copyIndex(1), '-', variables('nic2Name')))]", + "properties": { + "primary": false + } + } + ] + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "notused", + "computerName": "[concat(toLower(parameters('vmName')), copyIndex(1))]", + "customData": "[base64(variables('customData'))]", + "linuxConfiguration": "[variables('linuxConfiguration')]" + }, + "storageProfile": { + "imageReference": "[variables('imageReference')]", + "osDisk": { + "caching": "ReadWrite", + "createOption": "FromImage", + "diskSizeGB": "[variables('diskSizeGB')]", + "name": "[concat(parameters('vmName'), copyIndex(1))]", + "managedDisk": { + "storageAccountType": "[parameters('diskType')]" + } + } + } + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Network/loadBalancers", + "apiVersion": "[variables('networkApiVersion')]", + "dependsOn": [ + "[variables('elbPublicIPId')]" + ], + "name": "[variables('lbName')]", + "location": "[variables('location')]", + "properties": { + "frontendIPConfigurations": [ + { + "name": "LoadBalancerFrontend", + "properties": { + "publicIPAddress": { + "id": "[variables('elbPublicIPId')]" + } + } + } + ], + "backendAddressPools": [ + { + "name": "[variables('elbBEAddressPool')]" + } + ], + "probes": [ + { + "name": "[variables('appProbeName')]", + "properties": { + "protocol": "tcp", + "port": 8081, + "intervalInSeconds": 5, + "numberOfProbes": 2 + } + } + ] + } + } + ], + "outputs": { + "Member1IPAddr": { + "type": "string", + "value": "[reference(variables('publicIPAddressId1')).IpAddress]" + }, + "Member2IPAddr": { + "type": "string", + "value": 
"[reference(variables('publicIPAddressId2')).IpAddress]" + } + } +} \ No newline at end of file diff --git a/deprecated/azure/templates/stack-R8040-R81/stack-management-r8040-r81/createUiDefinition.json b/deprecated/azure/templates/stack-R8040-R81/stack-management-r8040-r81/createUiDefinition.json new file mode 100644 index 00000000..0ce4fcf5 --- /dev/null +++ b/deprecated/azure/templates/stack-R8040-R81/stack-management-r8040-r81/createUiDefinition.json 
@@ -0,0 +1,366 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "basics": [ + { + "name": "gatewayNameUi", + "type": "Microsoft.Common.TextBox", + "label": "Server Name", + "toolTip": "The name of the Check Point CloudGuard Security Management Server.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{1,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + } + }, + { + "name": "auth", + "type": "Microsoft.Compute.CredentialsCombo", + "label": { + "authenticationType": "Authentication type", + "password": "Password", + "confirmPassword": "Confirm password", + "sshPublicKey": "SSH public key" + }, + "toolTip": { + "authenticationType": "", + "password": "The user 'admin' password", + "sshPublicKey": "Paste an OpenSSH public key. You can generate a key pair using ssh-keygen (Linux, OS X, Cygwin) or PuttyGen (Windows)" + }, + "constraints": { + "required": true + }, + "options": { + "hideConfirmation": false, + "hidePassword": false + }, + "osPlatform": "Linux" + } + ], + "steps": [ + { + "name": "chkp", + "label": "Check Point CloudGuard Security Management Server settings", + "subLabel": { + "preValidation": "Configure CloudGuard Security Management Server settings", + "postValidation": "Done" + }, + "bladeTitle": "CloudGuard Security Management settings", + "elements": [ + { + "name": "cloudGuardVersion", + "type": "Microsoft.Common.DropDown", + "label": "Check Point CloudGuard version", + "defaultValue": "R81", + "toolTip": "The version of Check Point CloudGuard.", + "constraints": { + "allowedValues": [ + { + "label": "R80.40", + "value": "R80.40" + }, + { + "label": "R81", + "value": "R81" + } + ] + } + }, + { + "name": "R80Offer", + "type": "Microsoft.Common.DropDown", + "label": "License type", + "toolTip": "The type of 
license.", + "defaultValue": "Bring Your Own License", + "visible": true, + "constraints": { + "allowedValues": [ + { + "label": "Bring Your Own License", + "value": "Bring Your Own License" + }, + { + "label": "Pay As You Go (MGMT25)", + "value": "Pay As You Go (MGMT25)" + } + ] + } + }, + { + "name": "R8040vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.40'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Management", + "recommendedSizes": [ + "Standard_D3_v2" + ], + "constraints": { + "excludedSizes": [ + "Standard_A1_v2", + "Standard_D1_v2", + "Standard_DS1_v2", + "Standard_F1", + "Standard_F1s", + "Standard_G1", + "Standard_GS1" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8040", + "sku": "mgmt-byol" + }, + "count": 1 + }, + { + "name": "R8040vmSizeUiMGMT25", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.40'), contains(steps('chkp').R80Offer, '(MGMT25)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Management", + "recommendedSizes": [ + "Standard_D3_v2" + ], + "constraints": { + "excludedSizes": [ + "Standard_A1_v2", + "Standard_D1_v2", + "Standard_DS1_v2", + "Standard_F1", + "Standard_F1s", + "Standard_G1", + "Standard_GS1" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8040", + "sku": "mgmt-25" + }, + "count": 1 + }, + { + "name": "R81vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Management", + "recommendedSizes": [ + "Standard_D3_v2" + ], + "constraints": { + "excludedSizes": 
[ + "Standard_A1_v2", + "Standard_D1_v2", + "Standard_DS1_v2", + "Standard_F1", + "Standard_F1s", + "Standard_G1", + "Standard_GS1" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r81", + "sku": "mgmt-byol" + }, + "count": 1 + }, + { + "name": "R81vmSizeUiMGMT25", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81'), contains(steps('chkp').R80Offer, '(MGMT25)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Management", + "recommendedSizes": [ + "Standard_D3_v2" + ], + "constraints": { + "excludedSizes": [ + "Standard_A1_v2", + "Standard_D1_v2", + "Standard_DS1_v2", + "Standard_F1", + "Standard_F1s", + "Standard_G1", + "Standard_GS1" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r81", + "sku": "mgmt-25" + }, + "count": 1 + }, + { + "name": "managementGUIClientNetwork", + "type": "Microsoft.Common.TextBox", + "label": "Allowed GUI clients", + "toolTip": "GUI clients network CIDR", + "defaultValue": "0.0.0.0/0", + "constraints": { + "required": true, + "regex": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", + "validationMessage": "Enter a valid IPv4 network CIDR" + } + }, + { + "name": "bootstrapScript", + "type": "Microsoft.Common.FileUpload", + "label": "Bootstrap script", + "toolTip": "An optional script to run on the initial boot", + "constraints": { + "required": false, + "accept": ".sh,text/plain" + }, + "options": { + "multiple": false, + "uploadMode": "file", + "openMode": "text", + "encoding": "UTF-8" + } + }, + { + "name": "allowUploadDownload", + "type": "Microsoft.Common.OptionsGroup", + "label": "Allow download from/upload to Check Point", + "defaultValue": "Yes", + "toolTip": "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "true" + }, + { + "label": "No", + "value": "false" + } + ] + } + }, + { + "name": "additionalDiskSizeGB", + "type": "Microsoft.Common.TextBox", + "label": "Additional disk space (GB)", + "defaultValue": "0", + "toolTip": "Additional disk space (in GB), Initial disk size is 100 GB.", + "constraints": { + "regex": "^([0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-2][0-9][0-9][0-9]|3[0-8][0-9][0-9]|399[0-5])$", + "validationMessage": "Select a number between 0 and 3995" + } + }, + { + "name": "useCustomImageUri", + "type": "Microsoft.Common.OptionsGroup", + "label": "Use development image uri", + "defaultValue": "No", + "toolTip": "", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ], + "required": true + }, + "visible": false + }, + { + "name": "sourceImageVhdUri", + "type": "Microsoft.Common.TextBox", + "label": "Development Image URI", + "toolTip": "The URI of the blob containing the development image", + "constraints": { + "required": "[equals(steps('chkp').useCustomImageUri, 'Yes')]", + "regex": "^[a-z0-9A-Z_\\-\\.\\:\\/]{1,500}.vhd$", + "validationMessage": "Only alphanumeric characters and '_','-','.',':','/' are allowed, the value must be 1-500 characters long and must end with .vhd. 
" + }, + "visible": "[equals(steps('chkp').useCustomImageUri, 'Yes')]" + } + ] + }, + { + "name": "network", + "label": "Network settings", + "subLabel": { + "preValidation": "Configure network settings", + "postValidation": "Done" + }, + "bladeTitle": "Network settings", + "elements": [ + { + "name": "virtualNetwork", + "type": "Microsoft.Network.VirtualNetworkCombo", + "label": { + "virtualNetwork": "Virtual network", + "subnets": "Subnet" + }, + "toolTip": { + "virtualNetwork": "Virtual Network Name", + "subnets": "The subnet to deploy into" + }, + "defaultValue": { + "name": "vnet01", + "addressPrefixSize": "/20" + }, + "constraints": { + "minAddressPrefixSize": "/29" + }, + "options": { + "hideExisting": false + }, + "subnets": { + "subnet1": { + "label": "Management subnet", + "defaultValue": { + "name": "Management", + "addressPrefixSize": "/24" + }, + "constraints": { + "minAddressPrefixSize": "/29", + "minAddressCount": 1, + "requireContiguousAddresses": true + } + } + } + } + ] + } + ], + "outputs": { + "location": "[location()]", + "cloudGuardVersion": "[concat(steps('chkp').cloudGuardVersion, ' - ', coalesce(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "adminPassword": "[basics('auth').password]", + "authenticationType": "[basics('auth').authenticationType]", + "sshPublicKey": "[basics('auth').sshPublicKey]", + "vmName": "[basics('gatewayNameUi')]", + "vmSize": "[coalesce(steps('chkp').R8040vmSizeUiBYOL, steps('chkp').R8040vmSizeUiMGMT25, steps('chkp').R81vmSizeUiBYOL, steps('chkp').R81vmSizeUiMGMT25)]", + "virtualNetworkName": "[steps('network').virtualNetwork.name]", + "virtualNetworkAddressPrefix": "[steps('network').virtualNetwork.addressPrefix]", + "Subnet1Name": "[steps('network').virtualNetwork.subnets.subnet1.name]", + "Subnet1Prefix": "[steps('network').virtualNetwork.subnets.subnet1.addressPrefix]", + "Subnet1StartAddress": "[steps('network').virtualNetwork.subnets.subnet1.startAddress]", + "vnetNewOrExisting": 
"[steps('network').virtualNetwork.newOrExisting]", + "virtualNetworkExistingRGName": "[steps('network').virtualNetwork.resourceGroup]", + "managementGUIClientNetwork": "[steps('chkp').managementGUIClientNetwork]", + "bootstrapScript": "[steps('chkp').bootstrapScript]", + "allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp').allowUploadDownload, 'true')]", + "additionalDiskSizeGB": "[int(steps('chkp').additionalDiskSizeGB)]", + "sourceImageVhdUri": "[coalesce(steps('chkp').sourceImageVhdUri, 'noCustomUri')]" + } + } +} \ No newline at end of file diff --git a/deprecated/azure/templates/stack-R8040-R81/stack-management-r8040-r81/mainTemplate.json b/deprecated/azure/templates/stack-R8040-R81/stack-management-r8040-r81/mainTemplate.json new file mode 100644 index 00000000..d2e59edb --- /dev/null +++ b/deprecated/azure/templates/stack-R8040-R81/stack-management-r8040-r81/mainTemplate.json 
@@ -0,0 +1,472 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string", + "metadata": { + "description": "Deployment location" + }, + "defaultValue": "[resourceGroup().location]" + }, + "cloudGuardVersion": { + "type": "string", + "allowedValues": [ + "R80.40 - Bring Your Own License", + "R80.40 - Pay As You Go (MGMT25)", + "R81 - Bring Your Own License", + "R81 - Pay As You Go (MGMT25)", + ], + "defaultValue": "R81 - Bring Your Own License", + "metadata": { + "description": "Version of Check Point CloudGuard" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Administrator password" + }, + "defaultValue": "" + }, + "authenticationType": { + "type": "string", + "allowedValues": [ + "password", + "sshPublicKey" + ], + "defaultValue": "password", + "metadata": { + "description": "Authentication type" + } + }, + "sshPublicKey": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Administrator SSH public key" + } + }, + "vmName": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "Name of the Check Point Security Management Server" + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_D3_v2", + "metadata": { + "description": "Size of the VM" + } + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "[concat(resourceGroup().name, '-vnet')]" + }, + "virtualNetworkAddressPrefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the virtual network" + }, + "defaultValue": "10.0.0.0/16" + }, + "Subnet1Name": { + "type": "string", + "metadata": { + "description": "The name of the management subnet" + }, + "defaultValue": "Frontend" + }, + "Subnet1Prefix": { + "type": "string", + "metadata": { + 
"description": "The address prefix of the management subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "Subnet1StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the management subnet" + }, + "defaultValue": "10.0.1.10" + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "new", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "" + }, + "managementGUIClientNetwork": { + "type": "string", + "metadata": { + "description": "Allowed GUI clients" + }, + "defaultValue": "0.0.0.0/0" + }, + "_artifactsLocation": { + "type": "string", + "metadata": { + "description": "The base URI where artifacts required by this template are located including a trailing '/'" + }, + "defaultValue": "[deployment().properties.templateLink.uri]" + }, + "_artifactsLocationSasToken": { + "type": "securestring", + "metadata": { + "description": "The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. Use the defaultValue if the staging location is not secured." + }, + "defaultValue": "" + }, + "bootstrapScript": { + "type": "string", + "metadata": { + "description": "Bootstrap script" + }, + "defaultValue": "" + }, + "allowDownloadFromUploadToCheckPoint": { + "type": "string", + "allowedValues": [ + "true", + "false" + ], + "defaultValue": "true", + "metadata": { + "description": "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point" + } + }, + "additionalDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "metadata": { + "description": "Amount of additional disk space (in GB)" + }, + "minValue": 0, + "maxValue": 3995 + }, + "diskType": { + "type": "string", + "defaultValue": "Standard_LRS", + "metadata": { + "description": "The type of the OS disk. Premium is applicable only to DS machine sizes" + }, + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ] + }, + "preview": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Deploy the staged image" + }, + "allowedValues": [ + "", + "-preview" + ] + }, + "sourceImageVhdUri": { + "type": "string", + "defaultValue": "noCustomUri", + "metadata": { + "description": "The URI of the blob containing the development image" + } + }, + "Check_PointTags": { + "type": "object", + "defaultValue": { + "provider": "30DE18BC-F9F6-4F22-9D30-54B8E74CFD5F" + } + }, + "msi": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Configure managed service identity for the VM" + } + } + }, + "variables": { + "installationType": "management-stack", + "templateName": "stack-management", + "templateVersion": "20230219", + "location": "[parameters('location')]", + "offers": { + "R80.40 - Bring Your Own License": "BYOL", + "R80.40 - Pay As You Go (MGMT25)": "MGMT25", + "R81 - Bring Your Own License": "BYOL", + "R81 - Pay As You Go (MGMT25)": "MGMT25" + }, + "offer": "[variables('offers')[parameters('cloudGuardVersion')]]", + "osVersions": { + "R80.40 - Bring Your Own License": "R8040", + "R80.40 - Pay As You Go (MGMT25)": "R8040", + "R81 - Bring Your Own License": "R81", + "R81 - Pay As You Go (MGMT25)": "R81" + }, + "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", + "isBlink": false, + "computeApiVersion": "2017-03-30", + "storageApiVersion": "2016-01-01", + "networkApiVersion": "2017-10-01", + "deploymentsApiVersion": 
"2016-02-01", + "storageAccountName": "[concat('bootdiag', uniqueString(resourceGroup().id, deployment().name))]", + "storageAccountType": "Standard_LRS", + "diskSize100GB": 100, + "diskSizeGB": "[add(parameters('additionalDiskSizeGB'), variables('diskSize100GB'))]", + "customData": "[concat('#!/usr/bin/python /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'managementGUIClientNetwork=\"', variables('managementGUIClientNetwork'), '\"', '\n', 'resourceGroup=\"', resourceGroup().name, '\"', '\n', 'subscriptionId=\"', subscription().subscriptionId, '\"', '\n')]", + "imageOfferR8040": "check-point-cg-r8040", + "imageOfferR81": "check-point-cg-r81", + "imageOffer": "[concat(variables(concat('imageOffer', variables('osVersion'))), parameters('preview'))]", + "imagePublisher": "checkpoint", + "imageReferenceBYOL": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "mgmt-byol", + "version": "latest" + }, + "imageReferenceMGMT25": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "mgmt-25", + "version": "latest" + }, + "imageReferenceMarketplace": "[variables(concat('imageReference', variables('offer')))]", + "customImage": "customImage", + "imageReferenceCustomUri": { + "id": "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + }, + "imageReference": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('imageReferenceMarketplace'), 
variables('imageReferenceCustomUri'))]", + "nic1Name": "[concat(parameters('vmName'), '-eth0')]", + "linuxConfigurationpassword": {}, + "linuxConfigurationsshPublicKey": { + "disablePasswordAuthentication": "true", + "ssh": { + "publicKeys": [ + { + "keyData": "[parameters('sshPublicKey')]", + "path": "/home/notused/.ssh/authorized_keys" + } + ] + } + }, + "linuxConfiguration": "[variables(concat('linuxConfiguration', parameters('authenticationType')))]", + "planBYOL": { + "name": "mgmt-byol", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planMGMT25": { + "name": "mgmt-25", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "plan": "[variables(concat('plan', variables('offer')))]", + "publicIPAddressName": "[parameters('vmName')]", + "publicIPAddressId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName'))]", + "bootstrapScript64": "[base64(parameters('bootstrapScript'))]", + "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]", + "networkSetupURL": "[uri(parameters('_artifactsLocation'), concat('nestedtemplates/vnet-', parameters('vnetNewOrExisting'), '-stack-mgmt.json', parameters('_artifactsLocationSasToken')))]", + "sicKey": "notused", + "managementGUIClientNetwork": "[parameters('managementGUIClientNetwork')]", + "identity": "[if(parameters('msi'), json('{\"type\": \"SystemAssigned\"}'), json('null'))]" + }, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('storageAccountName')]", + "apiVersion": "[variables('storageApiVersion')]", + "location": "[variables('location')]", + "sku": { + "name": "[variables('storageAccountType')]" + }, + "kind": "Storage", + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "name": "networkSetup", + "type": "Microsoft.Resources/deployments", + "apiVersion": "[variables('deploymentsApiVersion')]", + 
"properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + "value": "[variables('location')]" + }, + "apiVersion": { + "value": "[variables('networkApiVersion')]" + }, + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + "virtualNetworkAddressPrefix": { + "value": "[parameters('virtualNetworkAddressPrefix')]" + }, + "Subnet1Name": { + "value": "[parameters('Subnet1Name')]" + }, + "Subnet1Prefix": { + "value": "[parameters('Subnet1Prefix')]" + }, + "vnetNewOrExisting": { + "value": "[parameters('vnetNewOrExisting')]" + }, + "virtualNetworkExistingRGName": { + "value": "[parameters('virtualNetworkExistingRGName')]" + } + } + } + }, + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "[variables('networkApiVersion')]", + "location": "[variables('location')]", + "name": "[variables('publicIPAddressName')]", + "properties": { + "idleTimeoutInMinutes": 30, + "publicIPAllocationMethod": "Static" + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "[variables('networkApiVersion')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 'networkSetup')]", + "[variables('publicIPAddressId')]" + ], + "location": "[variables('location')]", + "name": "[variables('nic1Name')]", + "properties": { + "enableIPForwarding": false, + "ipConfigurations": [ + { + "name": "ipconfig1", + "properties": { + "privateIPAddress": "[parameters('Subnet1StartAddress')]", + "privateIPAllocationMethod": "Static", + "PublicIpAddress": { + "Id": "[variables('publicIPAddressId')]" + }, + "subnet": { + "id": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('Subnet1Name'))]" + } + } + } + ] + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + 
"condition": "[not(equals(parameters('sourceImageVhdUri'), 'noCustomUri'))]", + "type": "Microsoft.Compute/images", + "apiVersion": "2017-12-01", + "name": "[variables('customImage')]", + "location": "[variables('location')]", + "properties": { + "storageProfile": { + "osDisk": { + "osType": "Linux", + "osState": "Generalized", + "blobUri": "[parameters('sourceImageVhdUri')]", + "storageAccountType": "Standard_LRS" + } + } + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "[variables('computeApiVersion')]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]", + "[resourceId('Microsoft.Network/networkInterfaces', variables('nic1Name'))]", + "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + ], + "location": "[variables('location')]", + "name": "[parameters('vmName')]", + "plan": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('plan'), json('null'))]", + "identity": "[variables('identity')]", + "properties": { + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": "true", + "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), variables('storageApiVersion')).primaryEndpoints.blob]" + } + }, + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nic1Name'))]", + "properties": { + "primary": true + } + } + ] + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "notused", + "computerName": "[toLower(parameters('vmName'))]", + "customData": "[base64(variables('customData'))]", + "linuxConfiguration": "[variables('linuxConfiguration')]" + }, + "storageProfile": { + "imageReference": "[variables('imageReference')]", + "osDisk": { + "caching": 
"ReadWrite", + "createOption": "FromImage", + "diskSizeGB": "[variables('diskSizeGB')]", + "name": "[parameters('vmName')]", + "managedDisk": { + "storageAccountType": "[parameters('diskType')]" + } + } + } + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + } + ], + "outputs": { + "IPAddress": { + "type": "string", + "value": "[reference(variables('publicIPAddressId')).IpAddress]" + } + } +} \ No newline at end of file diff --git a/deprecated/azure/templates/stack-R8040-R81/stack-single-r8040-r81/createUiDefinition.json b/deprecated/azure/templates/stack-R8040-R81/stack-single-r8040-r81/createUiDefinition.json new file mode 100644 index 00000000..cff833ef --- /dev/null +++ b/deprecated/azure/templates/stack-R8040-R81/stack-single-r8040-r81/createUiDefinition.json 
@@ -0,0 +1,763 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "basics": [ + { + "name": "gatewayNameUi", + "type": "Microsoft.Common.TextBox", + "label": "VM Name", + "toolTip": "The name of the Check Point CloudGuard Gateway.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{1,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long." + } + }, + { + "name": "auth", + "type": "Microsoft.Compute.CredentialsCombo", + "label": { + "authenticationType": "Authentication type", + "password": "Password", + "confirmPassword": "Confirm password", + "sshPublicKey": "SSH public key" + }, + "toolTip": { + "authenticationType": "", + "password": "The user 'admin' password", + "sshPublicKey": "Paste an OpenSSH public key. You can generate a key pair using ssh-keygen (Linux, OS X, Cygwin) or PuttyGen (Windows)" + }, + "constraints": { + "required": true + }, + "options": { + "hideConfirmation": false, + "hidePassword": false + }, + "osPlatform": "Linux" + } + ], + "steps": [ + { + "name": "chkp", + "label": "Check Point CloudGuard Gateway settings", + "subLabel": { + "preValidation": "Configure CloudGuard Gateway settings", + "postValidation": "Done" + }, + "bladeTitle": "CloudGuard Gateway settings", + "elements": [ + { + "name": "cloudGuardVersion", + "type": "Microsoft.Common.DropDown", + "label": "Check Point CloudGuard version", + "defaultValue": "R81", + "toolTip": "The version of Check Point CloudGuard Gateway.", + "constraints": { + "allowedValues": [ + { + "label": "R80.40", + "value": "R80.40" + }, + { + "label": "R81", + "value": "R81" + } + ] + } + }, + { + "name": "R80Offer", + "type": "Microsoft.Common.DropDown", + "label": "License type", + "toolTip": "The type of license.", + "defaultValue": "Bring Your Own License", + "visible": 
true, + "constraints": { + "allowedValues": [ + { + "label": "Bring Your Own License", + "value": "Bring Your Own License" + } + ] + } + }, + { + "name": "R8040vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.40'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8040", + "sku": "sg-byol" + }, + "count": 1 + }, + { + "name": "R8040vmSizeUiNGTP", + "type": 
"Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.40'), contains(steps('chkp').R80Offer, '(NGTP)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8040", + "sku": "sg-ngtp" + }, + "count": 1 + }, + { + "name": "R8040vmSizeUiNGTX", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R80.40'), contains(steps('chkp').R80Offer, '(NGTX)'))]", + "label": "Virtual machine size", + "toolTip": "The VM 
size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r8040", + "sku": "sg-ngtx" + }, + "count": 1 + }, + { + "name": "R81vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + 
"Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r81", + "sku": "sg-byol" + }, + "count": 1 + }, + { + "name": "R81vmSizeUiNGTP", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81'), contains(steps('chkp').R80Offer, '(NGTP)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + 
"Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r81", + "sku": "sg-ngtp" + }, + "count": 1 + }, + { + "name": "R81vmSizeUiNGTX", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R81'), contains(steps('chkp').R80Offer, '(NGTX)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D3_v2", + "Standard_DS3_v2" + ], + "constraints": { + "allowedSizes": [ + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + 
"Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r81", + "sku": "sg-ngtx" + }, + "count": 1 + }, + { + "name": "sicKeyUi", + "type": "Microsoft.Common.PasswordBox", + "label": { + "password": "SIC key", + "confirmPassword": "Confirm SIC key" + }, + "toolTip": "Set the Secure Internal Communication one time secret used to set up trust between the gateway and the management server.", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z]{8,30}$", + "validationMessage": "Only alphanumeric characters are allowed, and the value must be 8-30 characters long." 
+ }, + "options": { + "hideConfirmation": true + } + }, + { + "name": "bootstrapScript", + "type": "Microsoft.Common.FileUpload", + "label": "Bootstrap script", + "toolTip": "An optional script to run on the initial boot", + "constraints": { + "required": false, + "accept": ".sh,text/plain" + }, + "options": { + "multiple": false, + "uploadMode": "file", + "openMode": "text", + "encoding": "UTF-8" + } + }, + { + "name": "allowUploadDownload", + "type": "Microsoft.Common.OptionsGroup", + "label": "Allow download from/upload to Check Point", + "defaultValue": "Yes", + "toolTip": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "true" + }, + { + "label": "No", + "value": "false" + } + ] + } + }, + { + "name": "additionalDiskSizeGB", + "type": "Microsoft.Common.TextBox", + "label": "Additional disk space (GB)", + "defaultValue": "0", + "toolTip": "Additional disk space (in GB), Initial disk size is 100 GB.", + "constraints": { + "regex": "^([0-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-2][0-9][0-9][0-9]|3[0-8][0-9][0-9]|399[0-5])$", + "validationMessage": "Select a number between 0 and 3995" + } + }, + { + "name": "useCustomImageUri", + "type": "Microsoft.Common.OptionsGroup", + "label": "Use development image uri", + "defaultValue": "No", + "toolTip": "", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ], + "required": true + }, + "visible": false + }, + { + "name": "sourceImageVhdUri", + "type": "Microsoft.Common.TextBox", + "label": "Development Image URI", + "toolTip": "The URI of the blob containing the development image", + "constraints": { + "required": "[equals(steps('chkp').useCustomImageUri, 'Yes')]", + "regex": "^[a-z0-9A-Z_\\-\\.\\:\\/]{1,500}.vhd$", + "validationMessage": "Only alphanumeric characters and '_','-','.',':','/' are allowed, the 
value must be 1-500 characters long and must end with .vhd. " + }, + "visible": "[equals(steps('chkp').useCustomImageUri, 'Yes')]" + } + ] + }, + { + "name": "network", + "label": "Network settings", + "subLabel": { + "preValidation": "Configure network settings", + "postValidation": "Done" + }, + "bladeTitle": "Network settings", + "elements": [ + { + "name": "virtualNetwork", + "type": "Microsoft.Network.VirtualNetworkCombo", + "label": { + "virtualNetwork": "Virtual network", + "subnets": "Subnets" + }, + "toolTip": { + "virtualNetwork": "Virtual Network Name", + "subnets": "List of subnets to deploy into" + }, + "defaultValue": { + "name": "vnet01", + "addressPrefixSize": "/16" + }, + "constraints": { + "minAddressPrefixSize": "/28" + }, + "options": { + "hideExisting": false + }, + "subnets": { + "subnet1": { + "label": "Frontend subnet", + "defaultValue": { + "name": "Frontend", + "addressPrefixSize": "/24" + }, + "constraints": { + "minAddressPrefixSize": "/29", + "minAddressCount": 1, + "requireContiguousAddresses": true + } + }, + "subnet2": { + "label": "Backend subnet", + "defaultValue": { + "name": "Backend", + "addressPrefixSize": "/24" + }, + "constraints": { + "minAddressPrefixSize": "/29", + "minAddressCount": 1, + "requireContiguousAddresses": true + } + } + } + } + ] + } + ], + "outputs": { + "location": "[location()]", + "cloudGuardVersion": "[concat(steps('chkp').cloudGuardVersion, ' - ', coalesce(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "adminPassword": "[basics('auth').password]", + "authenticationType": "[basics('auth').authenticationType]", + "sshPublicKey": "[basics('auth').sshPublicKey]", + "vmName": "[basics('gatewayNameUi')]", + "vmSize": "[coalesce(steps('chkp').R8040vmSizeUiBYOL, steps('chkp').R8040vmSizeUiNGTP, steps('chkp').R8040vmSizeUiNGTX,steps('chkp').R81vmSizeUiBYOL, steps('chkp').R81vmSizeUiNGTP, steps('chkp').R81vmSizeUiNGTX)]", + "sicKey": "[coalesce(steps('chkp').sicKeyUi, 'notused')]", + "virtualNetworkName": 
"[steps('network').virtualNetwork.name]",
+ "virtualNetworkAddressPrefix": "[steps('network').virtualNetwork.addressPrefix]",
+ "Subnet1Name": "[steps('network').virtualNetwork.subnets.subnet1.name]",
+ "Subnet1Prefix": "[steps('network').virtualNetwork.subnets.subnet1.addressPrefix]",
+ "Subnet1StartAddress": "[steps('network').virtualNetwork.subnets.subnet1.startAddress]",
+ "Subnet2Name": "[steps('network').virtualNetwork.subnets.subnet2.name]",
+ "Subnet2Prefix": "[steps('network').virtualNetwork.subnets.subnet2.addressPrefix]",
+ "Subnet2StartAddress": "[steps('network').virtualNetwork.subnets.subnet2.startAddress]",
+ "vnetNewOrExisting": "[steps('network').virtualNetwork.newOrExisting]",
+ "virtualNetworkExistingRGName": "[steps('network').virtualNetwork.resourceGroup]",
+ "managementGUIClientNetwork": "[steps('chkp').managementGUIClientNetwork]",
+ "bootstrapScript": "[steps('chkp').bootstrapScript]",
+ "allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp').allowUploadDownload, 'true')]",
+ "additionalDiskSizeGB": "[int(steps('chkp').additionalDiskSizeGB)]",
+ "sourceImageVhdUri": "[coalesce(steps('chkp').sourceImageVhdUri, 'noCustomUri')]"
+ }
+ }
+}
\ No newline at end of file
diff --git a/deprecated/azure/templates/stack-R8040-R81/stack-single-r8040-r81/mainTemplate.json b/deprecated/azure/templates/stack-R8040-R81/stack-single-r8040-r81/mainTemplate.json
new file mode 100644
index 00000000..50422c53
--- /dev/null
+++ b/deprecated/azure/templates/stack-R8040-R81/stack-single-r8040-r81/mainTemplate.json
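Review bot: The outputs block at the end of this hunk emits `"managementGUIClientNetwork": "[steps('chkp').managementGUIClientNetwork]"`, but no element with that name exists in the chkp step (its elements run from cloudGuardVersion through sourceImageVhdUri), so the portal has nothing to collect and, as far as I can tell, forwards an empty value — leaving the allowed GUI clients to the main template's default, which in the companion mainTemplate is `0.0.0.0/0`. Since this is the one input that limits who may reach the gateway's management plane, it should be a required, validated field rather than a silently wide-open default. An element like the one below, placed in the chkp step's elements array (e.g. right after allowUploadDownload), resolves the dangling reference; the main template's parameter description only says "Allowed GUI clients", so confirm that a single IPv4 CIDR (what the 0.0.0.0/0 default suggests) is the expected format before adopting the regex. Separately, the `coalesce(steps('chkp').sicKeyUi, 'notused')` fallback is effectively dead because sicKeyUi is required and its regex would reject an empty value, which is fine but worth knowing when reading the outputs.
```json
{
  "name": "managementGUIClientNetwork",
  "type": "Microsoft.Common.TextBox",
  "label": "Allowed GUI clients",
  "toolTip": "Network (CIDR notation) from which GUI clients may connect to the gateway. Restrict this to your administrative network.",
  "constraints": {
    "required": true,
    "regex": "^([0-9]{1,3}\\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$",
    "validationMessage": "Enter a single IPv4 network in CIDR notation, e.g. 10.1.2.0/24"
  }
}
```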
@@ -0,0 +1,562 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string", + "metadata": { + "description": "Deployment location" + }, + "defaultValue": "[resourceGroup().location]" + }, + "cloudGuardVersion": { + "type": "string", + "allowedValues": [ + "R80.40 - Bring Your Own License", + "R80.40 - Pay As You Go (NGTP)", + "R80.40 - Pay As You Go (NGTX)", + "R81 - Bring Your Own License", + "R81 - Pay As You Go (NGTP)", + "R81 - Pay As You Go (NGTX)", + ], + "defaultValue": "R81 - Bring Your Own License", + "metadata": { + "description": "Version of Check Point CloudGuard" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Administrator password" + }, + "defaultValue": "" + }, + "authenticationType": { + "type": "string", + "allowedValues": [ + "password", + "sshPublicKey" + ], + "defaultValue": "password", + "metadata": { + "description": "Authentication type" + } + }, + "sshPublicKey": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Administrator SSH public key" + } + }, + "vmName": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "Name of the Check Point Security Gateway" + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_D3_v2", + "metadata": { + "description": "Size of the VM" + } + }, + "sicKey": { + "type": "securestring", + "metadata": { + "description": "One time key for Secure Internal Communication" + } + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "The name of the virtual network" + }, + "defaultValue": "[concat(resourceGroup().name, '-vnet')]" + }, + "virtualNetworkAddressPrefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the virtual network" + }, + "defaultValue": "10.0.0.0/16" + }, + "Subnet1Name": { + "type": 
"string", + "metadata": { + "description": "The name of the frontend subnet" + }, + "defaultValue": "Frontend" + }, + "Subnet1Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the frontend subnet" + }, + "defaultValue": "10.0.1.0/24" + }, + "Subnet1StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the frontend subnet" + }, + "defaultValue": "10.0.1.10" + }, + "Subnet2Name": { + "type": "string", + "metadata": { + "description": "The name of the backend subnet" + }, + "defaultValue": "Backend" + }, + "Subnet2Prefix": { + "type": "string", + "metadata": { + "description": "The address prefix of the backend subnet" + }, + "defaultValue": "10.0.2.0/24" + }, + "Subnet2StartAddress": { + "type": "string", + "metadata": { + "description": "The first available address on the backend subnet" + }, + "defaultValue": "10.0.2.10" + }, + "vnetNewOrExisting": { + "type": "string", + "defaultValue": "new", + "allowedValues": [ + "new", + "existing" + ], + "metadata": { + "Description": "Indicates whether the virtual network is new or existing" + } + }, + "virtualNetworkExistingRGName": { + "type": "string", + "metadata": { + "description": "Resource Group of the existing virtual network" + }, + "defaultValue": "" + }, + "managementGUIClientNetwork": { + "type": "string", + "metadata": { + "description": "Allowed GUI clients" + }, + "defaultValue": "0.0.0.0/0" + }, + "_artifactsLocation": { + "type": "string", + "metadata": { + "description": "The base URI where artifacts required by this template are located including a trailing '/'" + }, + "defaultValue": "[deployment().properties.templateLink.uri]" + }, + "_artifactsLocationSasToken": { + "type": "securestring", + "metadata": { + "description": "The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. 
Use the defaultValue if the staging location is not secured." + }, + "defaultValue": "" + }, + "bootstrapScript": { + "type": "string", + "metadata": { + "description": "Bootstrap script" + }, + "defaultValue": "" + }, + "allowDownloadFromUploadToCheckPoint": { + "type": "string", + "allowedValues": [ + "true", + "false" + ], + "defaultValue": "true", + "metadata": { + "description": "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + } + }, + "additionalDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "metadata": { + "description": "Amount of additional disk space (in GB)" + }, + "minValue": 0, + "maxValue": 3995 + }, + "diskType": { + "type": "string", + "defaultValue": "Standard_LRS", + "metadata": { + "description": "The type of the OS disk. Premium is applicable only to DS machine sizes" + }, + "allowedValues": [ + "Standard_LRS", + "Premium_LRS" + ] + }, + "preview": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Deploy the staged image" + }, + "allowedValues": [ + "", + "-preview" + ] + }, + "sourceImageVhdUri": { + "type": "string", + "defaultValue": "noCustomUri", + "metadata": { + "description": "The URI of the blob containing the development image" + } + }, + "Check_PointTags": { + "type": "object", + "defaultValue": { + "provider": "30DE18BC-F9F6-4F22-9D30-54B8E74CFD5F" + } + } + }, + "variables": { + "installationType": "gateway-stack", + "templateName": "stack-single", + "templateVersion": "20230219", + "location": "[parameters('location')]", + "offers": { + "R80.40 - Bring Your Own License": "BYOL", + "R80.40 - Pay As You Go (NGTP)": "NGTP", + "R80.40 - Pay As You Go (NGTX)": "NGTX", + "R81 - Bring Your Own License": "BYOL", + "R81 - Pay As You Go (NGTP)": "NGTP", + "R81 - Pay As You Go (NGTX)": "NGTX", + }, + "offer": "[variables('offers')[parameters('cloudGuardVersion')]]", + "osVersions": { + "R80.40 - Bring Your Own License": "R8040", + 
"R80.40 - Pay As You Go (NGTP)": "R8040", + "R80.40 - Pay As You Go (NGTX)": "R8040", + "R81 - Bring Your Own License": "R81", + "R81 - Pay As You Go (NGTP)": "R81", + "R81 - Pay As You Go (NGTX)": "R81" + }, + "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", + "isBlink": true, + "computeApiVersion": "2017-03-30", + "storageApiVersion": "2016-01-01", + "networkApiVersion": "2017-10-01", + "deploymentsApiVersion": "2016-02-01", + "storageAccountName": "[concat('bootdiag', uniqueString(resourceGroup().id, deployment().name))]", + "storageAccountType": "Standard_LRS", + "diskSize100GB": 100, + "diskSizeGB": "[add(parameters('additionalDiskSizeGB'), variables('diskSize100GB'))]", + "customData": "[concat('#!/usr/bin/python /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'managementGUIClientNetwork=\"', variables('managementGUIClientNetwork'), '\"', '\n', 'resourceGroup=\"', resourceGroup().name, '\"', '\n', 'subscriptionId=\"', subscription().subscriptionId, '\"', '\n')]", + "imageOfferR8040": "check-point-cg-r8040", + "imageOfferR81": "check-point-cg-r81", + "imageOffer": "[concat(variables(concat('imageOffer', variables('osVersion'))), parameters('preview'))]", + "imagePublisher": "checkpoint", + "imageReferenceBYOL": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-byol", + "version": "latest" + }, + "imageReferenceNGTP": { + "offer": "[variables('imageOffer')]", + "publisher": 
"[variables('imagePublisher')]", + "sku": "sg-ngtp", + "version": "latest" + }, + "imageReferenceNGTX": { + "offer": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]", + "sku": "sg-ngtx", + "version": "latest" + }, + "imageReferenceMarketplace": "[variables(concat('imageReference', variables('offer')))]", + "customImage": "customImage", + "imageReferenceCustomUri": { + "id": "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + }, + "imageReference": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('imageReferenceMarketplace'), variables('imageReferenceCustomUri'))]", + "nic1Name": "[concat(parameters('vmName'), '-eth0')]", + "nic2Name": "[concat(parameters('vmName'), '-eth1')]", + "linuxConfigurationpassword": {}, + "linuxConfigurationsshPublicKey": { + "disablePasswordAuthentication": "true", + "ssh": { + "publicKeys": [ + { + "keyData": "[parameters('sshPublicKey')]", + "path": "/home/notused/.ssh/authorized_keys" + } + ] + } + }, + "linuxConfiguration": "[variables(concat('linuxConfiguration', parameters('authenticationType')))]", + "planBYOL": { + "name": "sg-byol", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP": { + "name": "sg-ngtp", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTP-V2": { + "name": "sg-ngtp-v2", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "planNGTX": { + "name": "sg-ngtx", + "product": "[variables('imageOffer')]", + "publisher": "[variables('imagePublisher')]" + }, + "plan": "[variables(concat('plan', variables('offer')))]", + "publicIPAddressName": "[parameters('vmName')]", + "publicIPAddressId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName'))]", + "bootstrapScript64": "[base64(parameters('bootstrapScript'))]", + "allowUploadDownload": 
"[parameters('allowDownloadFromUploadToCheckPoint')]", + "networkSetupURL": "[uri(parameters('_artifactsLocation'), concat('nestedtemplates/vnet-', parameters('vnetNewOrExisting'), '-stack.json', parameters('_artifactsLocationSasToken')))]", + "sicKey": "[parameters('sicKey')]", + "managementGUIClientNetwork": "[parameters('managementGUIClientNetwork')]" + }, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('storageAccountName')]", + "apiVersion": "[variables('storageApiVersion')]", + "location": "[variables('location')]", + "sku": { + "name": "[variables('storageAccountType')]" + }, + "kind": "Storage", + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "name": "networkSetup", + "type": "Microsoft.Resources/deployments", + "apiVersion": "[variables('deploymentsApiVersion')]", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "[variables('networkSetupURL')]", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "location": { + "value": "[variables('location')]" + }, + "apiVersion": { + "value": "[variables('networkApiVersion')]" + }, + "virtualNetworkName": { + "value": "[parameters('virtualNetworkName')]" + }, + "virtualNetworkAddressPrefix": { + "value": "[parameters('virtualNetworkAddressPrefix')]" + }, + "Subnet1Name": { + "value": "[parameters('Subnet1Name')]" + }, + "Subnet1Prefix": { + "value": "[parameters('Subnet1Prefix')]" + }, + "Subnet1StartAddress": { + "value": "[parameters('Subnet1StartAddress')]" + }, + "Subnet2Name": { + "value": "[parameters('Subnet2Name')]" + }, + "Subnet2Prefix": { + "value": "[parameters('Subnet2Prefix')]" + }, + "Subnet2StartAddress": { + "value": "[parameters('Subnet2StartAddress')]" + }, + "vnetNewOrExisting": { + "value": "[parameters('vnetNewOrExisting')]" + }, + "virtualNetworkExistingRGName": { + "value": "[parameters('virtualNetworkExistingRGName')]" + } + } + } + }, + { + "type": 
"Microsoft.Network/publicIPAddresses", + "apiVersion": "[variables('networkApiVersion')]", + "name": "[variables('publicIPAddressName')]", + "location": "[variables('location')]", + "sku": { + "name": "Basic" + }, + "properties": { + "idleTimeoutInMinutes": 30, + "publicIPAllocationMethod": "Static" + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "[variables('networkApiVersion')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 'networkSetup')]", + "[variables('publicIPAddressId')]" + ], + "location": "[variables('location')]", + "name": "[variables('nic1Name')]", + "properties": { + "enableIPForwarding": true, + "ipConfigurations": [ + { + "name": "ipconfig1", + "properties": { + "privateIPAddress": "[parameters('Subnet1StartAddress')]", + "privateIPAllocationMethod": "Static", + "PublicIpAddress": { + "Id": "[variables('publicIPAddressId')]" + }, + "subnet": { + "id": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('Subnet1Name'))]" + } + } + } + ] + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "[variables('networkApiVersion')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 'networkSetup')]" + ], + "location": "[variables('location')]", + "name": "[variables('nic2Name')]", + "properties": { + "enableIPForwarding": true, + "ipConfigurations": [ + { + "name": "ipconfig2", + "properties": { + "privateIPAddress": "[parameters('Subnet2StartAddress')]", + "privateIPAllocationMethod": "Static", + "subnet": { + "id": "[concat(reference('networkSetup').outputs.vnetId.value, '/subnets/', parameters('Subnet2Name'))]" + } + } + } + ] + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "condition": 
"[not(equals(parameters('sourceImageVhdUri'), 'noCustomUri'))]", + "type": "Microsoft.Compute/images", + "apiVersion": "2017-12-01", + "name": "[variables('customImage')]", + "location": "[variables('location')]", + "properties": { + "storageProfile": { + "osDisk": { + "osType": "Linux", + "osState": "Generalized", + "blobUri": "[parameters('sourceImageVhdUri')]", + "storageAccountType": "Standard_LRS" + } + } + }, + "tags": { + "provider": "[toUpper(parameters('Check_PointTags').provider)]" + } + }, + { + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "[variables('computeApiVersion')]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]", + "[resourceId('Microsoft.Network/networkInterfaces', variables('nic1Name'))]", + "[resourceId('Microsoft.Network/networkInterfaces', variables('nic2Name'))]", + "[resourceId('Microsoft.Compute/images/', variables('customImage'))]" + ], + "location": "[variables('location')]", + "name": "[parameters('vmName')]", + "plan": "[if(equals(parameters('sourceImageVhdUri'),'noCustomUri'), variables('plan'), json('null'))]", + "properties": { + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": "true", + "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), variables('storageApiVersion')).primaryEndpoints.blob]" + } + }, + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nic1Name'))]", + "properties": { + "primary": true + } + }, + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nic2Name'))]", + "properties": { + "primary": false + } + } + ] + }, + "osProfile": { + "adminPassword": "[parameters('adminPassword')]", + "adminUsername": "notused", + "computerName": "[toLower(parameters('vmName'))]", + "customData": "[base64(variables('customData'))]", + 
"linuxConfiguration": "[variables('linuxConfiguration')]"
+ },
+ "storageProfile": {
+ "imageReference": "[variables('imageReference')]",
+ "osDisk": {
+ "caching": "ReadWrite",
+ "createOption": "FromImage",
+ "diskSizeGB": "[variables('diskSizeGB')]",
+ "name": "[parameters('vmName')]",
+ "managedDisk": {
+ "storageAccountType": "[parameters('diskType')]"
+ }
+ }
+ }
+ },
+ "tags": {
+ "provider": "[toUpper(parameters('Check_PointTags').provider)]"
+ }
+ }
+ ],
+ "outputs": {
+ "GatewayIPAddr": {
+ "type": "string",
+ "value": "[reference(variables('publicIPAddressId')).IpAddress]"
+ }
+ }
+}
\ No newline at end of file
diff --git a/deprecated/gcp/R80.30/autoscale-byol-R80.30/README.md b/deprecated/gcp/R80.30/autoscale-byol-R80.30/README.md
new file mode 100644
index 00000000..45472adf
--- /dev/null
+++ b/deprecated/gcp/R80.30/autoscale-byol-R80.30/README.md
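Review bot: The `managementGUIClientNetwork` parameter ships with `"defaultValue": "0.0.0.0/0"`, so any deployment that omits it (or a UI definition that passes nothing, as the companion createUiDefinition currently does) produces a gateway whose eth0 NIC is bound to a static public IP in this same template while its allowed GUI clients are unrestricted; I would remove that defaultValue line so the caller has to state the network, since the only consumer of the value is the `managementGUIClientNetwork="…"` line written into customData and nothing else narrows it. Neither network interface in this template references a network security group; if the nested `vnet-<new|existing>-stack.json` templates attach NSGs at the subnet level that covers it, otherwise the public-facing interface has no Azure-side filter at all — worth confirming and documenting in the parameter description. Two smaller points: the boot-diagnostics storage account is created with `storageApiVersion` 2016-01-01 and no `supportsHttpsTrafficOnly`/`minimumTlsVersion`, which a newer API version would let you set, and customData carries the SIC one-time key and the bootstrap script in base64 (Azure exposes customData through the instance metadata service on the VM, I believe), which is acceptable for a one-time secret but deserves a sentence in the sicKey description. The trailing commas inside the cloudGuardVersion `allowedValues` array and the `offers` map are tolerated by the ARM parser but will trip strict JSON tooling.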
@@ -0,0 +1,126 @@ +# GCP Deployment Manager package for Check Point Autoscaling BYOL solution +This directory contains CloudGuard IaaS deployment package for Check Point Autoscaling (BYOL) solution published in the [GCP Marketplace](https://console.cloud.google.com/marketplace/details/checkpoint-public/check-point-autoscaling-byol). + +# How to deploy the package manually +To deploy the Deployment Manager's package manually, without using the GCP Marketplace, follow these instructions: +1. Clone or download the files in this directory +2. Fill variables in the config.yaml(see below for variables descriptions). +3. Log into [Google Cloud Platform Console](https://console.cloud.google.com) +4. [Activate Cloud Shell](https://cloud.google.com/shell/docs/using-cloud-shell) +5. Set your Cloud Platform project in the Cloud Shell session use: + + gcloud config set project [PROJECT_ID] +6. Upload the content of the CloudGuardIaaS/gcp/deployment-packages/autoscale-byol/ directory to the [cloud shell](https://cloud.google.com/shell/docs/uploading-and-downloading-files) +7. Launch deployment by running: + + gcloud deployment-manager deployments create [DEPLOYMENT_NAME] --config config.yaml +8. Make sure the deployment finished successfully.
Example of successful deployment output: + + The fingerprint of the deployment is h8R2exQYuc4bzlO14boUhg== + Waiting for create [operation-1585217870871-5a1bf4c15b9ea-f8d824d5-1089cc78]...done. + Create operation operation-1585217870871-5a1bf4c15b9ea-f8d824d5-1089cc78 completed successfully. + NAME TYPE STATE ERRORS INTENT + mig-as compute.v1.regionAutoscaler COMPLETED [] + mig-igm compute.v1.regionInstanceGroupManager COMPLETED [] + mig-vpc-icmp compute.v1.firewall COMPLETED [] + mig-vpc-udp compute.v1.firewall COMPLETED [] + mig-tmplt compute.v1.instanceTemplate COMPLETED [] + OUTPUTS VALUE + Deployment autoscale + Managed instance group https://www.googleapis.com/compute/v1/projects/checkpoint/regions/asia-east1/instanceGroups/autoscale-igm + Minimum instances 2 + Maximum instances 10 + Target CPU usage 60% + +## config.yaml variables +| Name | Description | Type | Allowed values | +| ------------- | ------------- | ------------- | ------------- | +| **autoscalingVersion** | Autoscaling Version | string | R80.30 Autoscaling; | +| | | | | | +| **managementName** | Security Management Server name | string | The name of the Security Management Server as appears in autoprovisioning configuration | +| | | | | | +| **AutoProvTemplate** | Configuration template name | string | Specify the provisioning configuration template name (for autoprovisioning) | +| | | | | | +| **instanceSSHKey** | Public SSH key for the user 'admin' | string | A valid public ssh key | +| | | | | | +| **mgmtNIC** | Management Interface | string | Ephemeral Public IP (eth0)
; Private IP (eth1); | +| | | | | | +| **networkDefinedByRoutes** | Networks behind the Internal interface will be defined by routes.
Set eth1 topology to define the networks behind this interface by the routes configured on the gateway | boolean | true;
false; | +| | | | | | +| **shell** | Admin shell | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh;
| +| | | | | | +| **allowUploadDownload** | Allow download from/upload to Check Point | boolean | true;
false; | +| | | | | | +| **zone** | The zone determines what computing resources are available and where your data is stored and used | string | List of allowed [Regions and Zones](https://cloud.google.com/compute/docs/regions-zones?_ga=2.31926582.-962483654.1585043745) | +| | | | | | +| **networks** | The external networks ID in which the gateways will reside and internal networks ID in which application servers reside. | list(string) | Available network in the chosen zone | +| | | | | | +| **subnetworks** | External and Internal subnet ID. Assigns the instance an IPv4 address from the subnetwork’s range. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. | list(string) | Available subnetwork in the chosen network | +| | | | | | +| **enableIcmp** | Allow ICMP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **icmpSourceRanges** | Source IP ranges for ICMP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **enableTcp** | Allow TCP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **tcpSourceRanges** | Allow TCP traffic from the Internet | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009 [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **enableUdp** | Allow UDP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **udpSourceRanges** | Source IP ranges for UDP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **enableSctp** | Allow SCTP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **sctpSourceRanges** | Source IP ranges for SCTP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **enableEsp** | Allow ESP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **espSourceRanges** | Source IP ranges for ESP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **machineType** | Machine types determine the specifications of your machines, such as the amount of memory, virtual cores, and persistent disk limits an instance will have | string | [Learn more about Machine Types](https://cloud.google.com/compute/docs/machine-types?hl=en_US&_ga=2.267871494.-962483654.1585043745) | +| | | | | | +| **cpuUsage** | Target CPU usage (%).
Autoscaling adds or removes instances in the group to maintain this level of CPU usage on each instance | number | A number in the range 10 - 90 | +| | | | | | +| **minInstances** | Minimum number of instances | number | A number in the range 1 and the maximum number of instances | +| | | | | | +| **maxInstances** | Maximum number of instances | number | A number in the range the minimum number of instances and infinity | +| | | | | | +| **diskType** | Disk type | string | pd-ssd;
pd-standard;
Storage space is much less expensive for a standard persistent disk. An SSD persistent disk is better for random IOPS or streaming throughput with low latency. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.66020774.-962483654.1585043745#overview_of_disk_types)| +| | | | | | +| **bootDiskSizeGb** | Disk size in GB | number | Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.232680471.-962483654.1585043745#pdperformance)| +| | | | | | +| **enableMonitoring** | Enable Stackdriver monitoring | boolean | true;
false; | +| | | | | | + +## Example + autoscalingVersion: "R80.30 Autoscaling" + managementName: "mgmt" + AutoProvTemplate: "template" + instanceSSHKey: "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" + mgmtNIC: "Ephemeral Public IP (eth0)" + networkDefinedByRoutes: true + shell: "/bin/bash" + allowUploadDownload: true + zone: "asia-east1-a" + networks: ["external-vpc", "internal-vpc"] + subnetworks: ["frontend", "backend"] + enableIcmp: true + icmpSourceRanges: "0.0.0.0/0" + enableTcp: false + tcpSourceRanges: "" + enableUdp: true + udpSourceRanges: "0.0.0.0/0" + enableSctp: false + sctpSourceRanges: "" + enableEsp: false + espSourceRanges: "" + machineType: "n1-standard-4" + cpuUsage: 60 + minInstances: 2 + maxInstances: 10 + diskType: "pd-ssd" + bootDiskSizeGb: 100 + enableMonitoring: false + +## Notes +See [sk147032](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk147032) for revision history diff --git a/deprecated/gcp/R80.30/autoscale-byol-R80.30/c2d_deployment_configuration.json b/deprecated/gcp/R80.30/autoscale-byol-R80.30/c2d_deployment_configuration.json new file mode 100644 index 00000000..00588f89 --- /dev/null +++ b/deprecated/gcp/R80.30/autoscale-byol-R80.30/c2d_deployment_configuration.json @@ -0,0 +1,7 @@ +{ + "defaultDeploymentType": "MULTI_VM", + "imageName": "check-point-r8110-gw-byol-mig-335-985-v20220126", + "projectId": "checkpoint-public", + "templateName": "nonexistent_template", + "useSolutionPackage": "true" +} diff --git a/deprecated/gcp/R80.30/autoscale-byol-R80.30/check-point-autoscale--byol.py b/deprecated/gcp/R80.30/autoscale-byol-R80.30/check-point-autoscale--byol.py new file mode 100644 index 00000000..020f3ff7 --- /dev/null +++ b/deprecated/gcp/R80.30/autoscale-byol-R80.30/check-point-autoscale--byol.py 
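Review bot: `imageName` in c2d_deployment_configuration.json points at a `check-point-r8110-gw-byol-mig-…` image, while the package directory, the schema's `autoscalingVersion` enum and the `VERSIONS` map in check-point-autoscale--byol.py are all R80.30-only; if the listing image is meant to match the deployable version this should presumably reference an r8030 image, otherwise the mismatch deserves a sentence in the package README. `templateName: nonexistent_template` reads as intentional, but JSON cannot carry a comment, so a one-line note in the README (`c2d_deployment_configuration.json deliberately sets templateName to a placeholder; the solution package is used instead`) would save the next reader from checking.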
@@ -0,0 +1,621 @@ +# Copyright 2016 Check Point Software LTD. + +import common +import default +import images +import password + +GATEWAY = 'checkpoint-gateway' +PROJECT = 'checkpoint-public' +LICENSE = 'byol' +LICENCE_TYPE = 'mig' + +VERSIONS = { + 'R80.30-GW': 'r8030-gw' +} + +TEMPLATE_NAME = 'autoscale' +TEMPLATE_VERSION = '20220130' + +startup_script = ''' +#!/bin/bash + +generatePassword="$(echo {generatePassword} | tr 'TF' 'tf')" +allowUploadDownload="{allowUploadDownload}" + +echo "template_name: {templateName}" >> /etc/cloud-version +echo "template_version: {templateVersion}" >> /etc/cloud-version + +function get_router() {{ + local interface="$1" + local subnet_router_meta_path="computeMetadata/v1/instance/network-interfaces/$interface/gateway" + local router="$(get-cloud-data.sh ${{subnet_router_meta_path}})" + echo "${{router}}" +}} + +function set_mgmt_if() {{ + mgmtNIC="{mgmtNIC}" + local mgmt_int="eth0" + if [ "X$mgmtNIC" == "XEphemeral Public IP (eth0)" ]; then + mgmt_int="eth0" + elif [ "X$mgmtNIC" == "XPrivate IP (eth1)" ]; then + mgmt_int="eth1" + fi + local set_mgmt_if_out="$(clish -s -c "set management interface ${{mgmt_int}}")" + echo "${{set_mgmt_if_out}}" +}} + +function set_internal_static_routes() {{ + local private_cidrs='10.0.0.0/8 172.16.0.0/12 192.168.0.0/16' + #Define interface for internal networks and configure + local interface="$internalInterfaceNumber" + local router=$(get_router $interface) + clish -c 'lock database override' + #Configure static routes destined to internal networks, defined in the RFC 1918, through the internal interface + for cidr in ${{private_cidrs}}; do + echo "setting route to $cidr via gateway $router" + echo "running clish -c 'set static-route $cidr nexthop gateway address $router on' -s" + clish -c "set static-route $cidr nexthop gateway address $router on" -s + done +}} + +function create_dynamic_objects() {{ + local is_managment="$1" + local interfaces='eth0 eth1' + for interface in ${{interfaces}}; do 
+ if ${{is_managment}}; then + dynamic_objects -n "LocalGateway" + dynamic_objects -n "LocalGatewayExternal" + dynamic_objects -n "LocalGatewayInternal" + else + local addr="$(ip addr show dev $interface | awk "/inet/{{print \$2; exit}}" | cut -d / -f 1)" + if [ "${{interface}}" == "eth0" ]; then + dynamic_objects -n "LocalGateway" -r "$addr" "$addr" -a + dynamic_objects -n "LocalGatewayExternal" -r "$addr" "$addr" -a + else + dynamic_objects -n "LocalGatewayInternal" -r "$addr" "$addr" -a + fi + fi + done +}} + + +function post_status() {{ + local is_success="$1" + local need_boot="$2" + local status + local value + local instance_id + + if "{hasInternet}" ; then + if "$is_success" ; then + status="success" + value="Success" + else + status="failure" + value="Failure" + fi + instance_id="$(get-cloud-data.sh computeMetadata/v1/instance/id)" + cat </etc/software-status + $FWDIR/scripts/gcp.py POST "{config_url}/variables" \ + --body '{{ + "name": "{config_path}/variables/status/$status/$instance_id", + "value": "$(echo $value | base64)" + }}' +EOF + fi + + create_dynamic_objects $installSecurityManagement + + if "$installSecurityGateway" ; then + + set_internal_static_routes + set_mgmt_if + + ########## + # DA Self update + + DAselfUpdateHappening=$(dbget installer:self_update_in_progress) + if [ "X$DAselfUpdateHappening" == "X1" ]; then + oldDApid=$(pidof DAService) + countdown=121 + while [ $((--countdown)) -gt 0 ] + do + sleep 1 + DApid=$(pidof DAService) + + if [ "${{DApid:-$oldDApid}}" -ne "$oldDApid" ]; then + break + fi + done + if [ $countdown -eq 0 ]; then + dbset installer:self_update_in_progress + fi + fi + + ########## + fi + + if [ "$installSecurityManagement" -a "Management only" = "{installationType}" ] ; then + public_ip="$(get-cloud-data.sh computeMetadata/v1/instance/network-interfaces/0/access-configs/0/external-ip)" + declare -i attempts=0 + declare -i max_attempts=80 + mgmt_cli -r true discard + result=$? 
+ while [ $result -ne 0 ] && [ $attempts -lt $max_attempts ] + do + attempts=$attempts+1 + sleep 30 + mgmt_cli -r true discard + result=$? + done + generic_objects="$(mgmt_cli -r true show-generic-objects class-name com.checkpoint.objects.classes.dummy.CpmiHostCkp details-level full -f json)" + uid="$(echo $generic_objects | jq .objects | jq .[0] | jq .uid)" + if [ ! -z "$public_ip" ] && [ ! -z "${{uid:1:-1}}" ] ; then + mgmt_cli -r true set-generic-object uid $uid ipaddr $public_ip + fi + fi + + if "$need_boot" ; then + if [ "{enableMonitoring}" = "True" ] ; then + chkconfig --add gcp-statd + fi + shutdown -r now + else + service gcpd restart + if [ "{enableMonitoring}" = "True" ] ; then + chkconfig --add gcp-statd + service gcp-statd start + fi + fi +}} +clish -c 'set user admin shell {shell}' -s + +case "{installationType}" in +"Gateway only") + installSecurityGateway=true + gatewayClusterMember=false + installSecurityManagement=false + sicKey="{computed_sic_key}" + internalInterfaceNumber=1 + ;; +"Management only") + installSecurityGateway=false + installSecurityManagement=true + sicKey=notused + ;; +"Manual Configuration") + post_status true false + exit 0 + ;; +"Gateway and Management (Standalone)") + installSecurityGateway=true + installSecurityManagement=true + gatewayClusterMember=false + sicKey=notused + internalInterfaceNumber=1 + ;; +"Cluster") + installSecurityGateway=true + gatewayClusterMember=true + installSecurityManagement=false + sicKey="{sicKey}" + internalInterfaceNumber=2 + ;; +"AutoScale") + installSecurityGateway=true + gatewayClusterMember=false + installSecurityManagement=false + sicKey="{computed_sic_key}" + internalInterfaceNumber=1 + ;; +esac + +conf="install_security_gw=$installSecurityGateway" +if ${{installSecurityGateway}} ; then + conf="$conf&install_ppak=true" + blink_conf="gateway_cluster_member=$gatewayClusterMember" +fi +conf="$conf&install_security_managment=$installSecurityManagement" +if ${{installSecurityManagement}} ; then 
+ if "$generatePassword" ; then + managementAdminPassword="$(get-cloud-data.sh \ + computeMetadata/v1/instance/attributes/adminPasswordSourceMetadata)" + conf="$conf&mgmt_admin_name=admin" + conf="$conf&mgmt_admin_passwd=$managementAdminPassword" + else + conf="$conf&mgmt_admin_radio=gaia_admin" + fi + + managementGUIClientNetwork="{managementGUIClientNetwork}" + conf="$conf&install_mgmt_primary=true" + + if [ "0.0.0.0/0" = "$managementGUIClientNetwork" ]; then + conf="$conf&mgmt_gui_clients_radio=any" + else + conf="$conf&mgmt_gui_clients_radio=network" + ManagementGUIClientBase="$(echo ${{managementGUIClientNetwork}} | \ + cut -d / -f 1)" + ManagementGUIClientMaskLength="$(echo ${{managementGUIClientNetwork}} | \ + cut -d / -f 2)" + conf="$conf&mgmt_gui_clients_ip_field=$ManagementGUIClientBase" + conf="$conf&mgmt_gui_clients_subnet_field=$ManagementGUIClientMaskLength" + fi + +fi + +blink_conf="$blink_conf&ftw_sic_key=$sicKey" +blink_conf="$blink_conf&download_info=$allowUploadDownload" +blink_conf="$blink_conf&upload_info=$allowUploadDownload" + +conf="$conf&$blink_conf" + +if "$generatePassword" ; then + blink_password="$(get-cloud-data.sh \ + computeMetadata/v1/instance/attributes/adminPasswordSourceMetadata)" +else + blink_password="$(dd if=/dev/urandom count=1 \ + 2>/dev/null | sha256sum | cut -c -28)" +fi +blink_conf="$blink_conf&admin_password_regular=$blink_password" + +if [ "Gateway only" = "{installationType}" ] || [ "Cluster" = "{installationType}" ] || [ "AutoScale" = "{installationType}" ]; then + config_cmd="blink_config -s $blink_conf" +else + config_cmd="config_system -s $conf" +fi + +if ${{config_cmd}} ; then + if "$installSecurityManagement" ; then + post_status true "$installSecurityGateway" + elif [ "Cluster" = "{installationType}" ] ; then + mgmt_subnet_gw="$(get-cloud-data.sh computeMetadata/v1/instance/network-interfaces/1/gateway)" + sed -i 's/__CLUSTER_PUBLIC_IP_NAME__/'"{primary_cluster_address_name}"'/g' /etc/fw/conf/gcp-ha.json + sed 
-i 's/__SECONDARY_PUBLIC_IP_NAME__/'"{secondary_cluster_address_name}"'/g' /etc/fw/conf/gcp-ha.json + clish -c 'set static-route '"{managementNetwork}"' nexthop gateway address '"$mgmt_subnet_gw"' on' -s + post_status true true + else + post_status true false + fi +else + post_status false false +fi + +''' + + +def make_nic(context, net_name, subnet, external_ip=False): + prop = context.properties + network_interface = { + 'kind': 'compute#networkInterface', + 'network': common.GlobalNetworkLink(prop['project'], net_name) + } + if subnet: + network_interface["subnetwork"] = common.MakeRegionalSubnetworkLink( + prop['project'], prop['zone'], subnet) + # add ephemeral public IP address + if external_ip: + network_interface["accessConfigs"] = \ + [make_access_config(name="external-nat")] + return network_interface + + +def create_nics(context): + prop = context.properties + firewall_rules = create_firewall_rules(context) + if firewall_rules: + prop['resources'].extend(firewall_rules) + networks = prop.setdefault('networks', ['default']) + subnetworks = prop.get('subnetworks', []) + nics = [] + for i in range(len(networks)): + name = networks[i] + subnet = '' + external_ip = prop.get('gatewayExternalIP') and i == 0 + if subnetworks and i < len(subnetworks) and subnetworks[i]: + subnet = subnetworks[i] + network_interface = make_nic(context, name, subnet, external_ip) + nics.append(network_interface) + return nics + + +def create_firewall_rules(context): + prop = context.properties + deployment = prop['deployment'] + network = prop.setdefault('networks', ['default'])[0] + firewall_rules = [] + protocols = ['Icmp', 'Udp', 'Tcp', 'Sctp', 'Esp'] + for protocol in protocols: + proto = protocol.lower() + source_ranges = prop.get(proto + 'SourceRanges', '') + protocol_enabled = prop.get('enable' + protocol, '') + if protocol_enabled and source_ranges: + firewall_rules.append(make_firewall_rule( + proto, source_ranges, deployment, network)) + return firewall_rules + + +def 
make_firewall_rule(protocol, source_ranges, deployment, net_name): + fw_rule_name = '%s-%s-%s' % (deployment[:34], net_name[:22], protocol) + ranges = [] + ranges_list = source_ranges.split(',') + for source_range in ranges_list: + ranges.append(source_range.replace(" ", "")) + firewall_rule = { + 'type': default.FIREWALL, + 'name': fw_rule_name, + 'properties': { + 'network': 'global/networks/' + net_name, + 'sourceRanges': ranges, + 'targetTags': [GATEWAY], + 'allowed': [{'IPProtocol': protocol}] + } + } + return firewall_rule + + +def create_instance_template(context, + name, + nics, + depends_on=None, + gw_version=VERSIONS['R80.30-GW']): + if 'gw' in gw_version: + license_name = "{}-{}".format(LICENSE, LICENCE_TYPE) + else: + license_name = LICENSE + family = '-'.join(['check-point', gw_version, license_name]) + formatter = common.DefaultFormatter() + instance_template_name = common.AutoName(name, default.TEMPLATE) + instance_template = { + "type": default.TEMPLATE, + "name": instance_template_name, + 'metadata': { + 'dependsOn': depends_on + }, + "properties": { + "project": context.properties['project'], + "properties": { + "canIpForward": True, + "disks": [{"autoDelete": True, + "boot": True, + "deviceName": common.set_name_and_truncate( + context.properties['deployment'], + '-{}-boot'.format(name)), + "index": 0, + "initializeParams": { + "diskType": + context.properties['diskType'], + "diskSizeGb": + context.properties['bootDiskSizeGb'], + "sourceImage": + 'projects/%s/global/images/%s' % ( + PROJECT, images.IMAGES[family]) + }, + "kind": 'compute#attachedDisk', + "mode": "READ_WRITE", + "type": "PERSISTENT"}], + "machineType": context.properties['machineType'], + "networkInterfaces": nics, + 'metadata': { + "kind": 'compute#metadata', + 'items': [ + { + 'key': 'startup-script', + 'value': formatter.format( + startup_script, **context.properties) + }, + { + 'key': 'serial-port-enable', + 'value': 'true' + } + ]}, + "scheduling": { + "automaticRestart": 
True, + "onHostMaintenance": "MIGRATE", + "preemptible": False + }, + "serviceAccounts": [ + { + "email": "default", + "scopes": [ + "https://www.googleapis.com/" + + "auth/devstorage.read_only", + "https://www.googleapis.com/auth/logging.write", + "https://www.googleapis.com/auth/monitoring.write", + "https://www.googleapis.com/auth/pubsub", + "https://www.googleapis.com/" + + "auth/service.management.readonly", + "https://www.googleapis.com/auth/servicecontrol", + "https://www.googleapis.com/auth/trace.append" + ] + }], + "tags": { + "items": [ + 'x-chkp-management--{}'. + format(context.properties['managementName']), + 'x-chkp-template--{}'. + format(context.properties['AutoProvTemplate']), + 'checkpoint-gateway' + ] + } + } + } + } + tagItems = instance_template['properties']['properties']['tags']['items'] + if context.properties['mgmtNIC'] == 'Ephemeral Public IP (eth0)': + tagItems.append("x-chkp-ip-address--public") + tagItems.append("x-chkp-management-interface--eth0") + elif context.properties['mgmtNIC'] == 'Private IP (eth1)': + tagItems.append("x-chkp-ip-address--private") + tagItems.append("x-chkp-management-interface--eth1") + if context.properties['networkDefinedByRoutes']: + tagItems.append("x-chkp-topology-eth1--internal") + tagItems.append("x-chkp-topology-settings-eth1" + "--network-defined-by-routes") + metadata = instance_template['properties']['properties']['metadata'] + if 'instanceSSHKey' in context.properties: + metadata['items'].append( + { + 'key': 'instanceSSHKey', + 'value': context.properties['instanceSSHKey'] + } + ) + return instance_template + + +def GenerateAutscaledGroup(context, name, + instance_template, depends_on=None): + prop = context.properties + igm_name = common.AutoName(name, default.IGM) + depends_on = depends_on + resource = { + 'name': igm_name, + 'metadata': { + 'dependsOn': depends_on + }, + 'type': default.REGION_IGM, + 'properties': { + 'region': common.ZoneToRegion(prop.get("zone")), + 'baseInstanceName': name, + 
'instanceTemplate': '$(ref.' + instance_template + '.selfLink)', + 'targetSize': prop.get("minInstances"), + # 'autoHealingPolicies': [{ + # 'initialDelaySec': 60 + # }] + } + } + return resource + + +def CreateAutscaler(context, name, + igm, cpu_usage, depends_on=None): + prop = context.properties + autoscaler_name = common.AutoName(name, default.AUTOSCALER) + depends_on = depends_on + cpu_usage = float(cpu_usage) / 100 + resource = { + 'name': autoscaler_name, + 'metadata': { + 'dependsOn': depends_on + }, + 'type': default.REGION_AUTOSCALER, + 'properties': { + 'target': '$(ref.' + igm + '.selfLink)', + 'region': common.ZoneToRegion(prop.get("zone")), + 'autoscalingPolicy': { + 'minNumReplicas': int(prop.get("minInstances")), + 'maxNumReplicas': int(prop.get("maxInstances")), + 'cpuUtilization': { + 'utilizationTarget': cpu_usage + }, + 'coolDownPeriodSec': 90 + } + } + } + return resource + + +def make_access_config(name=None): + access_config = { + 'type': default.ONE_NAT, + "kind": 'compute#accessConfig' + } + if name: + access_config['name'] = name + return access_config + + +def validate_region(test_zone, valid_region): + test_region = common.ZoneToRegion(test_zone) + if test_region != valid_region: + err_msg = '{} is in region {}. All subnets must be ' + \ + 'in the same region ({})' + raise common.Error( + err_msg.format(test_zone, test_region, valid_region) + ) + + +@common.FormatErrorsDec +def generate_config(context): + # This method will: + # 1. Create a instance template for a security GW + # (with a tag for the managing security server) + # 2. Create a managed instance group + # (based on the instance template and zones list provided by the user) + # 3. 
Configure autoscaling + # (based on min, max & policy settings provided by the user) + prop = context.properties + prop['deployment'] = context.env['deployment'] + prop['project'] = context.env['project'] + prop['templateName'] = TEMPLATE_NAME + prop['templateVersion'] = TEMPLATE_VERSION + prop['allowUploadDownload'] = str(prop['allowUploadDownload']).lower() + prop['hasInternet'] = 'true' # via Google Private Access + prop['installationType'] = 'AutoScale' + prop['resources'] = [] + prop['outputs'] = [] + prop['gw_dependencies'] = [] + prop['computed_sic_key'] = password.GeneratePassword(12, False) + prop['gatewayExternalIP'] = (prop['mgmtNIC'] == + 'Ephemeral Public IP (eth0)') + version_chosen = prop['autoscalingVersion'].split(' ')[0] + "-GW" + nics = create_nics(context) + gw_template = create_instance_template(context, + prop['deployment'], + nics, + depends_on=prop['gw_dependencies'], + gw_version=VERSIONS[version_chosen]) + prop['resources'] += [gw_template] + prop['igm_dependencies'] = [gw_template['name']] + igm = GenerateAutscaledGroup(context, + prop['deployment'], + gw_template['name'], + prop['igm_dependencies']) + prop['resources'] += [igm] + prop['autoscaler_dependencies'] = [igm['name']] + cpu_usage = prop.get("cpuUsage") + autoscaler = CreateAutscaler(context, + prop['deployment'], + igm['name'], + cpu_usage, + prop['autoscaler_dependencies']) + prop['resources'] += [autoscaler] + prop['outputs'] += [ + { + 'name': 'deployment', + 'value': prop['deployment'] + }, + { + 'name': 'project', + 'value': prop['project'] + }, + { + 'name': 'instanceTemplateName', + 'value': gw_template['name'] + }, + { + 'name': 'InstanceTemplateLink', + 'value': common.Ref(gw_template['name']) + }, + { + 'name': 'IGMname', + 'value': igm['name'] + }, + { + 'name': 'IGMLink', + 'value': common.RefGroup(igm['name']) + }, + { + 'name': 'cpuUsagePercentage', + 'value': str(int(prop['cpuUsage'])) + '%' + }, + { + 'name': 'minInstancesInt', + 'value': 
str(int(prop['minInstances'])) + }, + { + 'name': 'maxInstancesInt', + 'value': str(int(prop['maxInstances'])) + }, + ] + return common.MakeResource(prop['resources'], prop['outputs']) diff --git a/deprecated/gcp/R80.30/autoscale-byol-R80.30/check-point-autoscale--byol.py.schema b/deprecated/gcp/R80.30/autoscale-byol-R80.30/check-point-autoscale--byol.py.schema new file mode 100644 index 00000000..7d138e8b --- /dev/null +++ b/deprecated/gcp/R80.30/autoscale-byol-R80.30/check-point-autoscale--byol.py.schema 
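Review bot: `prop['computed_sic_key']` set in generate_config is rendered into the `startup-script` metadata item of the instance template by `formatter.format(startup_script, **context.properties)` in create_instance_template (via `sicKey="{computed_sic_key}"` in the AutoScale case), so the SIC one-time key sits in clear text wherever the template or the instance metadata server can be read; a comment at the assignment, `# NOTE: rendered verbatim into the instance template's startup-script metadata; template/metadata read access implies SIC key access`, would make that trust boundary explicit, and fetching it from a secret store at boot would be the mitigation. Separately, `generatePassword` is never added to `prop` and is not a schema property, so DefaultFormatter renders it as the empty string and the script's `if "$generatePassword"` reaches the `/dev/urandom` branch only because executing an empty command fails; `prop['generatePassword'] = 'False'` in generate_config would state that intent. `validate_region` is defined but not called anywhere in this file, and `GenerateAutscaledGroup`/`CreateAutscaler` carry a typo in their names that the module's own call sites now cement.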
@@ -0,0 +1,202 @@ +imports: + - path: check-point-autoscale--byol.py + +info: + version: 1.0 + title: Check Point CloudGuard Network Security Autoscaling - BYOL Template + +required: + - autoscalingVersion + - networks + - zone + - machineType + - cpuUsage + - minInstances + - maxInstances + - diskType + - bootDiskSizeGb + - managementName + - AutoProvTemplate + - allowUploadDownload + - networkDefinedByRoutes + - shell + - enableMonitoring + +properties: + zone: + type: string + default: us-central1-a + x-googleProperty: + type: GCE_ZONE + networks: + type: array + default: [default, default1] + minItems: 2 + maxItems: 2 + x-googleProperty: + type: GCE_NETWORK + gceNetwork: + labels: + - External + - Internal + allowSharedVpcs: True + machineTypeProperty: machineType + subnetworks: + type: array + minItems: 2 + maxItems: 2 + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: networks + mgmtNIC: + type: string + default: Ephemeral Public IP (eth0) + enum: + - Ephemeral Public IP (eth0) + - Private IP (eth1) + enableIcmp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: networks + icmpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: enableIcmp + enableTcp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: networks + tcpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: enableTcp + enableUdp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: networks + udpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: enableUdp + enableSctp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: networks + 
sctpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: enableSctp + enableEsp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: networks + espSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: enableEsp + machineType: + type: string + default: n1-standard-4 + x-googleProperty: + type: GCE_MACHINE_TYPE + zoneProperty: zone + gceMachineType: + minCpu: 2 + minRamGb: 1.843000054359436 + cpuUsage: + type: integer + minimum: 10 + maximum: 90 + default: 60 + minInstances: + type: integer + minimum: 1 + maximum: 16384 + default: 2 + maxInstances: + type: integer + minimum: 1 + maximum: 32768 + default: 10 + instanceSSHKey: + type: string + pattern: ^([0-9a-z\-]+ +[0-9A-Za-z/\+=]+( .*)?|)$ + default: '' + diskType: + type: string + default: pd-ssd + x-googleProperty: + type: GCE_DISK_TYPE + zoneProperty: zone + bootDiskSizeGb: + type: integer + default: 100 + minimum: 100 + maximum: 4096 + x-googleProperty: + type: GCE_DISK_SIZE + gceDiskSize: + diskTypeProperty: diskType + autoscalingVersion: + type: string + default: R81.10 Autoscaling + enum: + - R80.30 Autoscaling + managementName: + type: string + default: 'checkpoint-management' + pattern: ^([ -~]+)$ + AutoProvTemplate: + type: string + default: 'gcp-asg-autoprov-tmplt' + pattern: ^([ -~]{1,30})$ + enableMonitoring: + type: boolean + default: False + networkDefinedByRoutes: + type: boolean + default: True + allowUploadDownload: + type: boolean + default: True + shell: + type: string + default: /etc/cli.sh + enum: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + +outputs: + deployment: + type: string + project: + type: string \ No newline at end of file diff --git a/deprecated/gcp/R80.30/autoscale-byol-R80.30/common.py b/deprecated/gcp/R80.30/autoscale-byol-R80.30/common.py new file mode 100644 index 00000000..e123c502 
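Review bot: `autoscalingVersion` declares `default: R81.10 Autoscaling` but its `enum` only permits `R80.30 Autoscaling`, so a deployment that keeps the default presumably fails schema validation, and if it got through, `VERSIONS[version_chosen]` in generate_config would raise KeyError on `'R81.10-GW'`; change it to `default: R80.30 Autoscaling`. `minInstances` and `maxInstances` have independent bounds only, so `minInstances > maxInstances` passes the schema and is rejected only later by the autoscaler API — worth a caveat in the README's variable table. `instanceSSHKey` defaults to `''` while create_instance_template checks only `'instanceSSHKey' in context.properties`, so an empty `instanceSSHKey` metadata item is written on every deployment; dropping the default or testing the value would avoid that.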
--- /dev/null
+++ b/deprecated/gcp/R80.30/autoscale-byol-R80.30/common.py
@@ -0,0 +1,262 @@ +# Copyright 2015 Google Inc. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +"""Generic simple functions used for python based template generation.""" + +import re +import sys +import traceback +import default +import string + +import yaml + +RFC1035_RE = re.compile(r'^[a-z][-a-z0-9]{1,61}[a-z0-9]{1}$') + + +class Error(Exception): + """Common exception wrapper for template exceptions.""" + pass + + +class DefaultFormatter(string.Formatter): + """Returns default instead of key error when looking for keys. + + Used for startup-script which contains params from multiple deployments + whiles keys from one deployment may not be set in another. 
+ """ + def __init__(self, default=''): + self.default = default + def get_value(self, key, args, dict): + if isinstance(key, str): + return dict.get(key, self.default) + else: + return string.Formatter.get_value(key, args, dict) + + +def set_name_and_truncate(primary, secondary, maxlength=62): + return '%s%s' % (primary[:maxlength - len(secondary)], secondary) + + +def AddDiskResourcesIfNeeded(context): + """Checks context if disk resources need to be added.""" + if default.DISK_RESOURCES in context.properties: + return context.properties[default.DISK_RESOURCES] + else: + return [] + + +def AutoName(base, resource, *args): + """Helper method to generate names automatically based on default.""" + auto_name = '%s-%s' % (base, '-'.join(list(args) + [default.AKA[resource]])) + if not RFC1035_RE.match(auto_name): + raise Error('"%s" name for type %s does not match RFC1035 regex (%s)' % + (auto_name, resource, RFC1035_RE.pattern)) + return auto_name + + +def AutoRef(base, resource, *args): + """Helper method that builds a reference for an auto-named resource.""" + return Ref(AutoName(base, resource, *args)) + + +def OrderedItems(dict_obj): + """Convenient method to yield sorted iteritems of a dictionary.""" + keys = list(dict_obj.keys()) + keys.sort() + for k in keys: + yield (k, dict_obj[k]) + + +def ShortenZoneName(zone): + """Given a string that looks like a zone name, creates a shorter version.""" + geo, coord, number, letter = re.findall(r'(\w+)-(\w+)(\d)-(\w)', zone)[0] + geo = geo.lower() if len(geo) == 2 else default.LOC[geo.lower()] + coord = default.LOC[coord.lower()] + number = str(number) + letter = letter.lower() + return geo + '-' + coord + number + letter + + +def ZoneToRegion(zone): + """Derives the region from a zone name.""" + parts = zone.split('-') + if len(parts) != 3: + raise Error('Cannot derive region from zone "%s"' % zone) + return '-'.join(parts[:2]) + + +def FormatException(message): + """Adds more information to the exception.""" + message = 
('Exception Type: %s\n' + 'Details: %s\n' + 'Message: %s\n') % (sys.exc_info()[0], + traceback.format_exc(), message) + return message + + +def Ref(name): + return '$(ref.%s.selfLink)' % name + + +def RefGroup(name): + return '$(ref.%s.instanceGroup)' % name + + +def GlobalComputeLink(project, collection, name): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/global/', + collection, '/', name]) + +def GlobalNetworkLink(project, network): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/global/', + default.NETWORKS, '/', network]) + + +def LocalComputeLink(project, zone, key, value): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/zones/', + zone, '/', key, '/', value]) + + +def ReadContext(context, prop_key): + return (context.env['project'], context.properties.get('zone', None), + context.properties[prop_key]) + + +def MakeLocalComputeLink(context, key, zone=None): + if not zone: + project, zone, value = ReadContext(context, key) + else: + project, _, value = ReadContext(context, key) + + if IsComputeLink(value): + return value + else: + return LocalComputeLink(project, zone, key + 's', value) + + +def MakeGlobalComputeLink(context, key): + project, _, value = ReadContext(context, key) + if IsComputeLink(value): + return value + else: + return GlobalComputeLink(project, key + 's', value) + +def MakeRegionalSubnetworkLink(project, zone, subnet): + region = ZoneToRegion(zone) + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/regions/', + region, '/subnetworks/', subnet]) + + +def MakeSubnetworkComputeLink(context, key): + project, zone, value = ReadContext(context, key) + region = ZoneToRegion(zone) + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/regions/', + region, '/subnetworks/', value]) + + +def MakeFQHN(context, name): + return '%s.c.%s.internal' % (name, context.env['project']) + + +# TODO(victorg): Consider moving this method to a different file +def 
MakeC2DImageLink(name, dev_mode=False): + if IsGlobalProjectShortcut(name) or name.startswith('http'): + return name + else: + if dev_mode: + return 'global/images/%s' % name + else: + return GlobalComputeLink(default.C2D_IMAGES, 'images', name) + + +def IsGlobalProjectShortcut(name): + return name.startswith('projects/') or name.startswith('global/') + + +def IsComputeLink(name): + return (name.startswith(default.COMPUTE_URL_BASE) or + name.startswith(default.REFERENCE_PREFIX)) + + +def GetNamesAndTypes(resources_dict): + return [(d['name'], d['type']) for d in resources_dict] + + +def SummarizeResources(res_dict): + """Summarizes the name of resources per resource type.""" + result = {} + for res in res_dict: + result.setdefault(res['type'], []).append(res['name']) + return result + + +def ListPropertyValuesOfType(res_dict, prop, res_type): + """Lists all the values for a property of a certain type.""" + return [r['properties'][prop] for r in res_dict if r['type'] == res_type] + + +def MakeResource(resource_list, output_list=None): + """Wrapper for a DM template basic spec.""" + content = {'resources': resource_list} + if output_list: + content['outputs'] = output_list + return yaml.dump(content) + + +def TakeZoneOut(properties): + """Given a properties dictionary, removes the zone specific information.""" + + def _CleanZoneUrl(value): + value = value.split('/')[-1] if IsComputeLink(value) else value + return value + + for name in default.VM_ZONE_PROPERTIES: + if name in properties: + properties[name] = _CleanZoneUrl(properties[name]) + if default.ZONE in properties: + properties.pop(default.ZONE) + if default.BOOTDISK in properties: + properties[default.BOOTDISK] = _CleanZoneUrl(properties[default.BOOTDISK]) + if default.DISKS in properties: + for disk in properties[default.DISKS]: + # Don't touch references to other disks + if default.DISK_SOURCE in disk: + continue + if default.INITIALIZEP in disk: + disk_init = disk[default.INITIALIZEP] + if default.DISKTYPE 
in disk_init: + disk_init[default.DISKTYPE] = _CleanZoneUrl(disk_init[default.DISKTYPE]) + + +def GenerateEmbeddableYaml(yaml_string): + # Because YAML is a space delimited format, we need to be careful about + # embedding one YAML document in another. This function takes in a string in + # YAML format and produces an equivalent YAML representation that can be + # inserted into arbitrary points of another YAML document. It does so by + # printing the YAML string in a single line format. Consistent ordering of + # the string is also guaranteed by using yaml.dump. + yaml_object = yaml.load(yaml_string) + dumped_yaml = yaml.dump(yaml_object, default_flow_style=True) + return dumped_yaml + + +def FormatErrorsDec(func): + """Decorator to format exceptions if they get raised.""" + + def FormatErrorsWrap(context): + try: + return func(context) + except Exception as e: + raise Error(FormatException(e.message)) + + return FormatErrorsWrap diff --git a/deprecated/gcp/R80.30/autoscale-byol-R80.30/config.yaml b/deprecated/gcp/R80.30/autoscale-byol-R80.30/config.yaml new file mode 100644 index 00000000..bc223154 --- /dev/null +++ b/deprecated/gcp/R80.30/autoscale-byol-R80.30/config.yaml 
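Review bot: `GenerateEmbeddableYaml` parses its input with `yaml.load(yaml_string)` and no `Loader` argument; on PyYAML releases before 5.1 that selects the full loader, which can instantiate arbitrary Python objects from tagged YAML, and on PyYAML 6 and later the call raises a TypeError because `Loader` is mandatory. Since the helper only needs plain data to re-dump in flow style, `yaml_object = yaml.safe_load(yaml_string)` is the right call on both counts. Separately, `FormatErrorsWrap` re-raises with `FormatException(e.message)`; Python 3 exceptions have no `.message` attribute, so the wrapper would fail with an AttributeError and hide the original error, whereas `raise Error(FormatException(str(e)))` keeps the intended behaviour. `DefaultFormatter.get_value` also calls `string.Formatter.get_value(key, args, dict)` without passing `self`, which cannot succeed for non-string keys; `return super().get_value(key, args, dict)` is the working form.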
@@ -0,0 +1,50 @@
+imports:
+- path: check-point-autoscale--byol.py
+- path: common.py
+- path: default.py
+- path: password.py
+- path: images.py
+
+resources:
+- name: check-point-autoscale--byol
+ type: check-point-autoscale--byol.py
+ properties:
+ autoscalingVersion: "PLEASE ENTER AUTOSCALE VERSION"
+ managementName: "PLEASE ENTER MANAGEMENT NAME"
+ AutoProvTemplate: "PLEASE ENTER AUTOPROVISION TEMPLATE NAME"
+ instanceSSHKey: "PLEASE ENTER A VALID PUBLIC KEY"
+ mgmtNIC: "PLEASE ENTER MANAGEMENT NIC TYPE"
+ networkDefinedByRoutes: "PLEASE ENTER true or false"
+ shell: "PLEASE ENTER A SHELL"
+ allowUploadDownload: "PLEASE ENTER true or false"
+ zone: "PLEASE ENTER A ZONE"
+ networks: "PLEASE ENTER A LIST OF EXTERNAL AND INTERNAL NETWORKS ID"
+ subnetworks: "PLEASE ENTER A LIST OF EXTERNAL AND INTERNAL SUBNETWORKS ID"
+ enableIcmp: "PLEASE ENTER true or false"
+ icmpSourceRanges: "PLEASE ENTER ICMP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ enableTcp: "PLEASE ENTER true or false"
+ tcpSourceRanges: "PLEASE ENTER TCP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ enableUdp: "PLEASE ENTER true or false"
+ udpSourceRanges: "PLEASE ENTER UDP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ enableSctp: "PLEASE ENTER true or false"
+ sctpSourceRanges: "PLEASE ENTER SCTP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ enableEsp: "PLEASE ENTER true or false"
+ espSourceRanges: "PLEASE ENTER ESP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ machineType: "PLEASE ENTER A MACHINE TYPE"
+ cpuUsage: "PLEASE ENTER CPU USAGE (%)"
+ minInstances: "PLEASE ENTER MINIMUM NUMBER OF INSTANCES"
+ maxInstances: "PLEASE ENTER MAXIMUM NUMBER OF INSTANCES"
+ diskType: "PLEASE ENTER A DISK TYPE"
+ bootDiskSizeGb: "PLEASE ENTER A DISK SIZE"
+ enableMonitoring: "PLEASE ENTER true or false"
+outputs:
+- name: "Deployment"
+ value: $(ref.check-point-autoscale--byol.deployment)
+- name: "Managed instance group"
+ value: $(ref.check-point-autoscale--byol.IGMLink)
+- name: "Minimum instances"
+ value: $(ref.check-point-autoscale--byol.minInstancesInt)
+- name: "Maximum instances"
+ value: $(ref.check-point-autoscale--byol.maxInstancesInt)
+- name: "Target CPU usage"
+ value: $(ref.check-point-autoscale--byol.cpuUsagePercentage)
\ No newline at end of file
diff --git a/deprecated/gcp/R80.30/autoscale-byol-R80.30/default.py b/deprecated/gcp/R80.30/autoscale-byol-R80.30/default.py
new file mode 100644
index 00000000..0c7dd919
--- /dev/null
+++ b/deprecated/gcp/R80.30/autoscale-byol-R80.30/default.py
@@ -0,0 +1,134 @@
+# Copyright 2015 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Convenience module to hold default constants for C2D components.
+
+There should not be any logic in this module. Its purpose is to simplify
+analysis of commonly used GCP and properties names and identify the names
+that were custom created for these modules.
+"""
+# Generic constants
+C2D_IMAGES = 'click-to-deploy-images'
+
+# URL constants
+COMPUTE_URL_BASE = 'https://www.googleapis.com/compute/v1/'
+
+# Deployment Manager constructs
+REFERENCE_PREFIX = '$(ref.'
+
+# Commonly used in properties namespace
+AUTO_DELETE = 'autoDelete'
+BOOTDISK = 'bootDiskType'
+BOOTDISKSIZE = 'bootDiskSizeGb'
+C_IMAGE = 'containerImage'
+DC_MANIFEST = 'dcManifest'
+DEPLOYMENT = 'DEPLOYMENT' # used in the deployment coordinator
+DISK_NAME = 'diskName'
+DISK_RESOURCES = 'addedDiskResources'
+DISK_SOURCE = 'source'
+ENDPOINT_NAME = 'serviceRegistryEndpointName'
+FIXED_GCLOUD = 'fixedGcloud'
+GENERATED_PROP = 'generatedProperties'
+INITIALIZEP = 'initializeParams'
+INSTANCE_NAME = 'instanceName'
+LOCAL_SSD = 'localSSDs'
+MAX_NUM = 'maxNumReplicas'
+NETWORKS = 'networks'
+NO_SCOPE = 'noScope'
+PROVIDE_BOOT = 'provideBoot'
+REPLICAS = 'replicas'
+SIZE = 'size'
+VM_COPIES = 'numberOfVMReplicas'
+ZONES = 'zones'
+
+# Common properties values (only official GCP values allowed here)
+EXTERNAL = 'External NAT'
+ONE_NAT = 'ONE_TO_ONE_NAT'
+
+# Common 1st level properties (only official GCP names allowed here)
+CAN_IP_FWD = 'canIpForward'
+CONTAINER = 'container'
+DCKRENV = 'dockerEnv'
+DCKRIMAGE = 'dockerImage'
+DEFAULT_SERVICE = 'defaultService'
+DEVICE_NAME = 'deviceName'
+DISKS = 'disks'
+DISK_SIZE = 'diskSizeGb'
+DISKTYPE = 'diskType'
+HEALTH_PATH = 'healthPath'
+HOST_RULES = 'hostRules'
+IP_PROTO = 'IPProtocol'
+MACHINETYPE = 'machineType'
+METADATA = 'metadata'
+NAME = 'name'
+NETWORK = 'network'
+NETWORKS = 'networks'
+SUBNETWORK = 'subnetwork'
+PATH_MATCHERS = 'pathMatchers'
+PORT = 'port'
+PROJECT = 'project'
+SERVICE = 'service'
+SERVICE_ACCOUNTS = 'serviceAccounts'
+SRCIMAGE = 'sourceImage'
+SRC_RANGES = 'sourceRanges'
+TAGS = 'tags'
+TYPE = 'type'
+VM_TEMPLATE = 'instanceTemplate'
+ZONE = 'zone'
+
+# Zone specfic VM properties
+VM_ZONE_PROPERTIES = [DISKTYPE, MACHINETYPE, BOOTDISK]
+
+# Resource type defaults names
+ADDRESS = 'compute.v1.address'
+AUTOSCALER = 'compute.v1.autoscaler'
+BACKEND_SERVICE = 'compute.v1.backendService'
+DISK = 'compute.v1.disk'
+ENDPOINT = 'serviceregistry.v1alpha.endpoint'
+FIREWALL = 'compute.v1.firewall'
+GF_RULE = 'compute.v1.globalForwardingRule'
+HEALTHCHECK = 'compute.v1.httpHealthCheck'
+IGM = 'compute.v1.instanceGroupManager'
+INSTANCE = 'compute.v1.instance'
+PROXY = 'compute.v1.targetHttpProxy'
+TEMPLATE = 'compute.v1.instanceTemplate'
+REGION_IGM = 'compute.v1.regionInstanceGroupManager'
+REGION_AUTOSCALER = 'compute.v1.regionAutoscaler'
+URL_MAP = 'compute.v1.urlMap'
+VPC='compute.v1.network'
+VPC_SUBNET='compute.v1.subnetwork'
+
+# Also Known As constants
+AKA = {
+ TEMPLATE: 'tmplt',
+ AUTOSCALER: 'as',
+ BACKEND_SERVICE: 'bes',
+ DISK: 'disk',
+ FIREWALL: 'fwall',
+ GF_RULE: 'ip',
+ HEALTHCHECK: 'hc',
+ INSTANCE: 'vm',
+ PROXY: 'tproxy',
+ IGM: 'igm',
+ URL_MAP: 'umap',
+}
+
+LOC = {
+ 'europe': 'eu',
+ 'asia': 'as',
+ 'central': 'c',
+ 'east': 'e',
+ 'west': 'w',
+ 'north': 'n',
+ 'south': 's',
+}
diff --git a/deprecated/gcp/R80.30/autoscale-byol-R80.30/images.py b/deprecated/gcp/R80.30/autoscale-byol-R80.30/images.py
new file mode 100644
index 00000000..2811fa30
--- /dev/null
+++ b/deprecated/gcp/R80.30/autoscale-byol-R80.30/images.py
@@ -0,0 +1,10 @@
+IMAGES = {
+ "check-point-r8030-payg": "check-point-r8030-payg-200-773-v20201208",
+ "check-point-r8030-gw-payg-single": "check-point-r8030-gw-payg-single-273-904-v20210715",
+ "check-point-r8030-gw-payg-mig": "check-point-r8030-gw-payg-mig-273-904-v20210715",
+ "check-point-r8030-gw-payg-cluster": "check-point-r8030-gw-payg-cluster-273-904-v20210715",
+ "check-point-r8030-gw-byol-single": "check-point-r8030-gw-byol-single-273-904-v20210715",
+ "check-point-r8030-gw-byol-mig": "check-point-r8030-gw-byol-mig-273-904-v20210715",
+ "check-point-r8030-gw-byol-cluster": "check-point-r8030-gw-byol-cluster-273-904-v20210715",
+ "check-point-r8030-byol": "check-point-r8030-byol-200-773-v20201208"
+}
diff --git a/deprecated/gcp/R80.30/autoscale-byol-R80.30/password.py b/deprecated/gcp/R80.30/autoscale-byol-R80.30/password.py
new file mode 100644
index 00000000..273210a6
--- /dev/null
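Review bot: `NETWORKS = 'networks'` is assigned twice in default.py, once under "Commonly used in properties namespace" and again under "Common 1st level properties (only official GCP names allowed here)"; the second assignment is redundant, and since the module's own comment says the second group holds official GCP names, the copy in the first group is the one to drop. `VPC='compute.v1.network'` and `VPC_SUBNET='compute.v1.subnetwork'` are the only assignments in the module without spaces around `=`; `VPC = 'compute.v1.network'` and `VPC_SUBNET = 'compute.v1.subnetwork'` match the rest of the file. The comment `# Zone specfic VM properties` should read `# Zone specific VM properties`.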
+++ b/deprecated/gcp/R80.30/autoscale-byol-R80.30/password.py 
@@ -0,0 +1,135 @@ +# Copyright 2015 Google Inc. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +"""A DM template that generates password as an output, namely "password". + +An example YAML showing how this template can be used: + resources: + - name: generated-password + type: password.py + properties: + length: 8 + includeSymbols: true + - name: main-template + type: main-template.jinja + properties: + password: $(ref.generated-password.password) + +Input properties to this template: + - length: the length of the generated password. At least 8. Default 8. + - includeSymbols: true/false whether to include symbol chars. Default false. + +The generated password satisfies the following requirements: + - The length is as specified, + - Containing letters and numbers, and optionally symbols if specified, + - Starting with a letter, + - Containing characters from at least 3 of the 4 categories: uppercases, + lowercases, numbers, and symbols. + +""" + +import random +import yaml + +PROPERTY_LENGTH = 'length' +PROPERTY_INCLUDE_SYMBOLS = 'includeSymbols' + +# Note the omission of some hard to distinguish characters like I, l, 0, and O. +UPPERS = 'ABCDEFGHJKLMNPQRSTUVWXYZ' +LOWERS = 'abcdefghijkmnopqrstuvwxyz' +ALPHABET = UPPERS + LOWERS +DIGITS = '123456789' +ALPHANUMS = ALPHABET + DIGITS +# Including only symbols that can be passed around easily in shell scripts. +SYMBOLS = '*-+.' 
+ +CANDIDATES_WITH_SYMBOLS = ALPHANUMS + SYMBOLS +CANDIDATES_WITHOUT_SYMBOLS = ALPHANUMS + +CATEGORIES_WITH_SYMBOLS = [UPPERS, LOWERS, DIGITS, SYMBOLS] +CATEGORIES_WITHOUT_SYMBOLS = [UPPERS, LOWERS, DIGITS] + +MIN_LENGTH = 8 + + +class InputError(Exception): + """Raised when input properties are unexpected.""" + + +def GenerateConfig(context): + """Entry function to generate the DM config.""" + props = context.properties + length = props.setdefault(PROPERTY_LENGTH, MIN_LENGTH) + include_symbols = props.setdefault(PROPERTY_INCLUDE_SYMBOLS, False) + + if not isinstance(include_symbols, bool): + raise InputError('%s must be a boolean' % PROPERTY_INCLUDE_SYMBOLS) + + content = { + 'resources': [], + 'outputs': [{ + 'name': 'password', + 'value': GeneratePassword(length, include_symbols) + }] + } + return yaml.dump(content) + + +def GeneratePassword(length=8, include_symbols=False): + """Generates a random password.""" + if length < MIN_LENGTH: + raise InputError('Password length must be at least %d' % MIN_LENGTH) + + candidates = (CANDIDATES_WITH_SYMBOLS if include_symbols + else CANDIDATES_WITHOUT_SYMBOLS) + categories = (CATEGORIES_WITH_SYMBOLS if include_symbols + else CATEGORIES_WITHOUT_SYMBOLS) + + # Generates up to the specified length minus the number of categories. + # Then inserts one character for each category, ensuring that the character + # satisfy the category if the generated string hasn't already. + generated = ([random.choice(ALPHABET)] + + [random.choice(candidates) + for _ in range(length - 1 - len(categories))]) + for category in categories: + _InsertAndEnsureSatisfaction(generated, category, candidates) + return ''.join(generated) + + +def _InsertAndEnsureSatisfaction(generated, required, all_candidates): + """Inserts 1 char into generated, satisfying required if not already. + + If the required characters are not already in the generated string, one will + be inserted. 
If any required character is already in the generated string, a + random character from all_candidates will be inserted. The insertion happens + at a random location but not at the beginning. + + Args: + generated: the string to be modified. + required: list of required characters to check for. + all_candidates: list of characters to choose from if the required characters + are already satisfied. + """ + if set(generated).isdisjoint(required): + # Not yet satisfied. Insert a required candidate. + _InsertInto(generated, required) + else: + # Already satisfied. Insert any candidate. + _InsertInto(generated, all_candidates) + + +def _InsertInto(generated, candidates): + """Inserts a random candidate into a random non-zero index of generated.""" + # Avoids inserting at index 0, since the first character follows its own rule. + generated.insert(random.randint(1, len(generated) - 1), + random.choice(candidates)) diff --git a/deprecated/gcp/R80.30/autoscale-payg-R80.30/README.md b/deprecated/gcp/R80.30/autoscale-payg-R80.30/README.md new file mode 100644 index 00000000..310ce5cf --- /dev/null +++ b/deprecated/gcp/R80.30/autoscale-payg-R80.30/README.md 
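Review bot: `GeneratePassword` and `_InsertInto` draw every character with the `random` module (`random.choice`, `random.randint`), which is a Mersenne Twister PRNG that the standard library documents as unsuitable for security purposes, while the generated value is emitted as the deployment output `password`. Replace `import random` with `import secrets`, use `secrets.choice(...)` at the three `random.choice(...)` call sites, and replace `random.randint(1, len(generated) - 1)` with `1 + secrets.randbelow(len(generated) - 1)`, which yields the same 1..len-1 index range. `GenerateConfig` type-checks `include_symbols` but not `length`; a non-integer `length` coming from the YAML properties reaches `length < MIN_LENGTH` and, on Python 3, fails with a TypeError instead of the module's own `InputError`, so `if not isinstance(length, int): raise InputError('%s must be an integer' % PROPERTY_LENGTH)` beside the boolean check would give the same clear diagnostic. The module docstring could also state that the password is exposed as a Deployment Manager output and is therefore presumably readable by anyone who can read the deployment's outputs, which callers should weigh before referencing it from other templates.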
@@ -0,0 +1,126 @@ +# GCP Deployment Manager package for Check Point Autoscaling PAYG solution +This directory contains CloudGuard IaaS deployment package for Check Point Autoscaling (PAYG) solution published in the [GCP Marketplace](https://console.cloud.google.com/marketplace/details/checkpoint-public/check-point-autoscaling-ngtp). + +# How to deploy the package manually +To deploy the Deployment Manager's package manually, without using the GCP Marketplace, follow these instructions: +1. Clone or download the files in this directory +2. Fill variables in the config.yaml(see below for variables descriptions). +3. Log into [Google Cloud Platform Console](https://console.cloud.google.com) +4. [Activate Cloud Shell](https://cloud.google.com/shell/docs/using-cloud-shell) +5. Set your Cloud Platform project in the Cloud Shell session use: + + gcloud config set project [PROJECT_ID] +6. Upload the content of the CloudGuardIaaS/gcp/deployment-packages/autoscale-payg/ directory to the [cloud shell](https://cloud.google.com/shell/docs/uploading-and-downloading-files) +7. Launch deployment by running: + + gcloud deployment-manager deployments create [DEPLOYMENT_NAME] --config config.yaml +8. Make sure the deployment finished successfully.
Example of successful deployment output: + + The fingerprint of the deployment is h8R2exQYuc4bzlO14boUhg== + Waiting for create [operation-1585217870871-5a1bf4c15b9ea-f8d824d5-1089cc78]...done. + Create operation operation-1585217870871-5a1bf4c15b9ea-f8d824d5-1089cc78 completed successfully. + NAME TYPE STATE ERRORS INTENT + mig-as compute.v1.regionAutoscaler COMPLETED [] + mig-igm compute.v1.regionInstanceGroupManager COMPLETED [] + mig-vpc-icmp compute.v1.firewall COMPLETED [] + mig-vpc-udp compute.v1.firewall COMPLETED [] + mig-tmplt compute.v1.instanceTemplate COMPLETED [] + OUTPUTS VALUE + Deployment autoscale + Managed instance group https://www.googleapis.com/compute/v1/projects/checkpoint/regions/asia-east1/instanceGroups/autoscale-igm + Minimum instances 2 + Maximum instances 10 + Target CPU usage 60% + +## config.yaml variables +| Name | Description | Type | Allowed values | +| ------------- | ------------- | ------------- | ------------- | +| **autoscalingVersion** | Autoscaling Version | string | R80.30 Autoscaling;| +| | | | | | +| **managementName** | Security Management Server name | string | The name of the Security Management Server as appears in autoprovisioning configuration | +| | | | | | +| **AutoProvTemplate** | Configuration template name | string | Specify the provisioning configuration template name (for autoprovisioning) | +| | | | | | +| **instanceSSHKey** | Public SSH key for the user 'admin' | string | A valid public ssh key | +| | | | | | +| **mgmtNIC** | Management Interface | string | Ephemeral Public IP (eth0)
; Private IP (eth1); | +| | | | | | +| **networkDefinedByRoutes** | Networks behind the Internal interface will be defined by routes.
Set eth1 topology to define the networks behind this interface by the routes configured on the gateway | boolean | true;
false; | +| | | | | | +| **shell** | Admin shell | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh;
| +| | | | | | +| **allowUploadDownload** | Allow download from/upload to Check Point | boolean | true;
false; | +| | | | | | +| **zone** | The zone determines what computing resources are available and where your data is stored and used | string | List of allowed [Regions and Zones](https://cloud.google.com/compute/docs/regions-zones?_ga=2.31926582.-962483654.1585043745) | +| | | | | | +| **networks** | The external networks ID in which the gateways will reside and internal networks ID in which application servers reside. | list(string) | Available network in the chosen zone | +| | | | | | +| **subnetworks** | External and Internal subnet ID. Assigns the instance an IPv4 address from the subnetwork’s range. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. | list(string) | Available subnetwork in the chosen network | +| | | | | | +| **enableIcmp** | Allow ICMP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **icmpSourceRanges** | Source IP ranges for ICMP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **enableTcp** | Allow TCP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **tcpSourceRanges** | Allow TCP traffic from the Internet | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009 [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **enableUdp** | Allow UDP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **udpSourceRanges** | Source IP ranges for UDP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **enableSctp** | Allow SCTP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **sctpSourceRanges** | Source IP ranges for SCTP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **enableEsp** | Allow ESP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **espSourceRanges** | Source IP ranges for ESP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **machineType** | Machine types determine the specifications of your machines, such as the amount of memory, virtual cores, and persistent disk limits an instance will have | string | [Learn more about Machine Types](https://cloud.google.com/compute/docs/machine-types?hl=en_US&_ga=2.267871494.-962483654.1585043745) | +| | | | | | +| **cpuUsage** | Target CPU usage (%).
Autoscaling adds or removes instances in the group to maintain this level of CPU usage on each instance | number | A number in the range 10 - 90 | +| | | | | | +| **minInstances** | Minimum number of instances | number | A number in the range 1 and the maximum number of instances | +| | | | | | +| **maxInstances** | Maximum number of instances | number | A number in the range the minimum number of instances and infinity | +| | | | | | +| **diskType** | Disk type | string | pd-ssd;
pd-standard;
Storage space is much less expensive for a standard persistent disk. An SSD persistent disk is better for random IOPS or streaming throughput with low latency. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.66020774.-962483654.1585043745#overview_of_disk_types)| +| | | | | | +| **bootDiskSizeGb** | Disk size in GB | number | Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.232680471.-962483654.1585043745#pdperformance)| +| | | | | | +| **enableMonitoring** | Enable Stackdriver monitoring | boolean | true;
false; | +| | | | | | + +## Example + autoscalingVersion: "R80.30 Autoscaling" + managementName: "mgmt" + AutoProvTemplate: "template" + instanceSSHKey: "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" + mgmtNIC: "Ephemeral Public IP (eth0)" + networkDefinedByRoutes: true + shell: "/bin/bash" + allowUploadDownload: true + zone: "asia-east1-a" + networks: ["external-vpc", "internal-vpc"] + subnetworks: ["frontend", "backend"] + enableIcmp: true + icmpSourceRanges: "0.0.0.0/0" + enableTcp: false + tcpSourceRanges: "" + enableUdp: true + udpSourceRanges: "0.0.0.0/0" + enableSctp: false + sctpSourceRanges: "" + enableEsp: false + espSourceRanges: "" + machineType: "n1-standard-4" + cpuUsage: 60 + minInstances: 2 + maxInstances: 10 + diskType: "pd-ssd" + bootDiskSizeGb: 100 + enableMonitoring: false + +## Notes +See [sk147032](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk147032) for revision history diff --git a/deprecated/gcp/R80.30/autoscale-payg-R80.30/c2d_deployment_configuration.json b/deprecated/gcp/R80.30/autoscale-payg-R80.30/c2d_deployment_configuration.json new file mode 100644 index 00000000..4cd5038e --- /dev/null +++ b/deprecated/gcp/R80.30/autoscale-payg-R80.30/c2d_deployment_configuration.json @@ -0,0 +1,7 @@ +{ + "defaultDeploymentType": "MULTI_VM", + "imageName": "check-point-r8110-gw-payg-mig-335-985-v20220126", + "projectId": "checkpoint-public", + "templateName": "nonexistent_template", + "useSolutionPackage": "true" +} diff --git a/deprecated/gcp/R80.30/autoscale-payg-R80.30/check-point-autoscale--payg.py b/deprecated/gcp/R80.30/autoscale-payg-R80.30/check-point-autoscale--payg.py new file mode 100644 index 00000000..35b63cad --- /dev/null +++ b/deprecated/gcp/R80.30/autoscale-payg-R80.30/check-point-autoscale--payg.py 
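Review bot: `imageName` in c2d_deployment_configuration.json is `check-point-r8110-gw-payg-mig-335-985-v20220126`, an R81.10 image, while this package sits under `deprecated/gcp/R80.30/autoscale-payg-R80.30` and the images.py added earlier in this patch for the byol sibling maps r8030 images only; the mismatch looks like a copy from a newer package and deserves either a corrected value or a README note explaining why an R81.10 image is intended here. `templateName` is set to `nonexistent_template`, which reads as a placeholder; if that is deliberate for a package that ships its own solution package (`useSolutionPackage` is `"true"`), a one-line mention in the package README would spare the next reader a search.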
@@ -0,0 +1,621 @@ +# Copyright 2016 Check Point Software LTD. + +import common +import default +import images +import password + +GATEWAY = 'checkpoint-gateway' +PROJECT = 'checkpoint-public' +LICENSE = 'payg' +LICENCE_TYPE = 'mig' + +VERSIONS = { + 'R80.30-GW': 'r8030-gw' +} + +TEMPLATE_NAME = 'autoscale' +TEMPLATE_VERSION = '20220130' + +startup_script = ''' +#!/bin/bash + +generatePassword="$(echo {generatePassword} | tr 'TF' 'tf')" +allowUploadDownload="{allowUploadDownload}" + +echo "template_name: {templateName}" >> /etc/cloud-version +echo "template_version: {templateVersion}" >> /etc/cloud-version + +function get_router() {{ + local interface="$1" + local subnet_router_meta_path="computeMetadata/v1/instance/network-interfaces/$interface/gateway" + local router="$(get-cloud-data.sh ${{subnet_router_meta_path}})" + echo "${{router}}" +}} + +function set_mgmt_if() {{ + mgmtNIC="{mgmtNIC}" + local mgmt_int="eth0" + if [ "X$mgmtNIC" == "XEphemeral Public IP (eth0)" ]; then + mgmt_int="eth0" + elif [ "X$mgmtNIC" == "XPrivate IP (eth1)" ]; then + mgmt_int="eth1" + fi + local set_mgmt_if_out="$(clish -s -c "set management interface ${{mgmt_int}}")" + echo "${{set_mgmt_if_out}}" +}} + +function set_internal_static_routes() {{ + local private_cidrs='10.0.0.0/8 172.16.0.0/12 192.168.0.0/16' + #Define interface for internal networks and configure + local interface="$internalInterfaceNumber" + local router=$(get_router $interface) + clish -c 'lock database override' + #Configure static routes destined to internal networks, defined in the RFC 1918, through the internal interface + for cidr in ${{private_cidrs}}; do + echo "setting route to $cidr via gateway $router" + echo "running clish -c 'set static-route $cidr nexthop gateway address $router on' -s" + clish -c "set static-route $cidr nexthop gateway address $router on" -s + done +}} + +function create_dynamic_objects() {{ + local is_managment="$1" + local interfaces='eth0 eth1' + for interface in ${{interfaces}}; do 
+ if ${{is_managment}}; then + dynamic_objects -n "LocalGateway" + dynamic_objects -n "LocalGatewayExternal" + dynamic_objects -n "LocalGatewayInternal" + else + local addr="$(ip addr show dev $interface | awk "/inet/{{print \$2; exit}}" | cut -d / -f 1)" + if [ "${{interface}}" == "eth0" ]; then + dynamic_objects -n "LocalGateway" -r "$addr" "$addr" -a + dynamic_objects -n "LocalGatewayExternal" -r "$addr" "$addr" -a + else + dynamic_objects -n "LocalGatewayInternal" -r "$addr" "$addr" -a + fi + fi + done +}} + + +function post_status() {{ + local is_success="$1" + local need_boot="$2" + local status + local value + local instance_id + + if "{hasInternet}" ; then + if "$is_success" ; then + status="success" + value="Success" + else + status="failure" + value="Failure" + fi + instance_id="$(get-cloud-data.sh computeMetadata/v1/instance/id)" + cat </etc/software-status + $FWDIR/scripts/gcp.py POST "{config_url}/variables" \ + --body '{{ + "name": "{config_path}/variables/status/$status/$instance_id", + "value": "$(echo $value | base64)" + }}' +EOF + fi + + create_dynamic_objects $installSecurityManagement + + if "$installSecurityGateway" ; then + + set_internal_static_routes + set_mgmt_if + + ########## + # DA Self update + + DAselfUpdateHappening=$(dbget installer:self_update_in_progress) + if [ "X$DAselfUpdateHappening" == "X1" ]; then + oldDApid=$(pidof DAService) + countdown=121 + while [ $((--countdown)) -gt 0 ] + do + sleep 1 + DApid=$(pidof DAService) + + if [ "${{DApid:-$oldDApid}}" -ne "$oldDApid" ]; then + break + fi + done + if [ $countdown -eq 0 ]; then + dbset installer:self_update_in_progress + fi + fi + + ########## + fi + + if [ "$installSecurityManagement" -a "Management only" = "{installationType}" ] ; then + public_ip="$(get-cloud-data.sh computeMetadata/v1/instance/network-interfaces/0/access-configs/0/external-ip)" + declare -i attempts=0 + declare -i max_attempts=80 + mgmt_cli -r true discard + result=$? 
+ while [ $result -ne 0 ] && [ $attempts -lt $max_attempts ] + do + attempts=$attempts+1 + sleep 30 + mgmt_cli -r true discard + result=$? + done + generic_objects="$(mgmt_cli -r true show-generic-objects class-name com.checkpoint.objects.classes.dummy.CpmiHostCkp details-level full -f json)" + uid="$(echo $generic_objects | jq .objects | jq .[0] | jq .uid)" + if [ ! -z "$public_ip" ] && [ ! -z "${{uid:1:-1}}" ] ; then + mgmt_cli -r true set-generic-object uid $uid ipaddr $public_ip + fi + fi + + if "$need_boot" ; then + if [ "{enableMonitoring}" = "True" ] ; then + chkconfig --add gcp-statd + fi + shutdown -r now + else + service gcpd restart + if [ "{enableMonitoring}" = "True" ] ; then + chkconfig --add gcp-statd + service gcp-statd start + fi + fi +}} +clish -c 'set user admin shell {shell}' -s + +case "{installationType}" in +"Gateway only") + installSecurityGateway=true + gatewayClusterMember=false + installSecurityManagement=false + sicKey="{computed_sic_key}" + internalInterfaceNumber=1 + ;; +"Management only") + installSecurityGateway=false + installSecurityManagement=true + sicKey=notused + ;; +"Manual Configuration") + post_status true false + exit 0 + ;; +"Gateway and Management (Standalone)") + installSecurityGateway=true + installSecurityManagement=true + gatewayClusterMember=false + sicKey=notused + internalInterfaceNumber=1 + ;; +"Cluster") + installSecurityGateway=true + gatewayClusterMember=true + installSecurityManagement=false + sicKey="{sicKey}" + internalInterfaceNumber=2 + ;; +"AutoScale") + installSecurityGateway=true + gatewayClusterMember=false + installSecurityManagement=false + sicKey="{computed_sic_key}" + internalInterfaceNumber=1 + ;; +esac + +conf="install_security_gw=$installSecurityGateway" +if ${{installSecurityGateway}} ; then + conf="$conf&install_ppak=true" + blink_conf="gateway_cluster_member=$gatewayClusterMember" +fi +conf="$conf&install_security_managment=$installSecurityManagement" +if ${{installSecurityManagement}} ; then 
+ if "$generatePassword" ; then + managementAdminPassword="$(get-cloud-data.sh \ + computeMetadata/v1/instance/attributes/adminPasswordSourceMetadata)" + conf="$conf&mgmt_admin_name=admin" + conf="$conf&mgmt_admin_passwd=$managementAdminPassword" + else + conf="$conf&mgmt_admin_radio=gaia_admin" + fi + + managementGUIClientNetwork="{managementGUIClientNetwork}" + conf="$conf&install_mgmt_primary=true" + + if [ "0.0.0.0/0" = "$managementGUIClientNetwork" ]; then + conf="$conf&mgmt_gui_clients_radio=any" + else + conf="$conf&mgmt_gui_clients_radio=network" + ManagementGUIClientBase="$(echo ${{managementGUIClientNetwork}} | \ + cut -d / -f 1)" + ManagementGUIClientMaskLength="$(echo ${{managementGUIClientNetwork}} | \ + cut -d / -f 2)" + conf="$conf&mgmt_gui_clients_ip_field=$ManagementGUIClientBase" + conf="$conf&mgmt_gui_clients_subnet_field=$ManagementGUIClientMaskLength" + fi + +fi + +blink_conf="$blink_conf&ftw_sic_key=$sicKey" +blink_conf="$blink_conf&download_info=$allowUploadDownload" +blink_conf="$blink_conf&upload_info=$allowUploadDownload" + +conf="$conf&$blink_conf" + +if "$generatePassword" ; then + blink_password="$(get-cloud-data.sh \ + computeMetadata/v1/instance/attributes/adminPasswordSourceMetadata)" +else + blink_password="$(dd if=/dev/urandom count=1 \ + 2>/dev/null | sha256sum | cut -c -28)" +fi +blink_conf="$blink_conf&admin_password_regular=$blink_password" + +if [ "Gateway only" = "{installationType}" ] || [ "Cluster" = "{installationType}" ] || [ "AutoScale" = "{installationType}" ]; then + config_cmd="blink_config -s $blink_conf" +else + config_cmd="config_system -s $conf" +fi + +if ${{config_cmd}} ; then + if "$installSecurityManagement" ; then + post_status true "$installSecurityGateway" + elif [ "Cluster" = "{installationType}" ] ; then + mgmt_subnet_gw="$(get-cloud-data.sh computeMetadata/v1/instance/network-interfaces/1/gateway)" + sed -i 's/__CLUSTER_PUBLIC_IP_NAME__/'"{primary_cluster_address_name}"'/g' /etc/fw/conf/gcp-ha.json + sed 
-i 's/__SECONDARY_PUBLIC_IP_NAME__/'"{secondary_cluster_address_name}"'/g' /etc/fw/conf/gcp-ha.json + clish -c 'set static-route '"{managementNetwork}"' nexthop gateway address '"$mgmt_subnet_gw"' on' -s + post_status true true + else + post_status true false + fi +else + post_status false false +fi + +''' + + +def make_nic(context, net_name, subnet, external_ip=False): + prop = context.properties + network_interface = { + 'kind': 'compute#networkInterface', + 'network': common.GlobalNetworkLink(prop['project'], net_name) + } + if subnet: + network_interface["subnetwork"] = common.MakeRegionalSubnetworkLink( + prop['project'], prop['zone'], subnet) + # add ephemeral public IP address + if external_ip: + network_interface["accessConfigs"] = \ + [make_access_config(name="external-nat")] + return network_interface + + +def create_nics(context): + prop = context.properties + firewall_rules = create_firewall_rules(context) + if firewall_rules: + prop['resources'].extend(firewall_rules) + networks = prop.setdefault('networks', ['default']) + subnetworks = prop.get('subnetworks', []) + nics = [] + for i in range(len(networks)): + name = networks[i] + subnet = '' + external_ip = prop.get('gatewayExternalIP') and i == 0 + if subnetworks and i < len(subnetworks) and subnetworks[i]: + subnet = subnetworks[i] + network_interface = make_nic(context, name, subnet, external_ip) + nics.append(network_interface) + return nics + + +def create_firewall_rules(context): + prop = context.properties + deployment = prop['deployment'] + network = prop.setdefault('networks', ['default'])[0] + firewall_rules = [] + protocols = ['Icmp', 'Udp', 'Tcp', 'Sctp', 'Esp'] + for protocol in protocols: + proto = protocol.lower() + source_ranges = prop.get(proto + 'SourceRanges', '') + protocol_enabled = prop.get('enable' + protocol, '') + if protocol_enabled and source_ranges: + firewall_rules.append(make_firewall_rule( + proto, source_ranges, deployment, network)) + return firewall_rules + + +def 
make_firewall_rule(protocol, source_ranges, deployment, net_name): + fw_rule_name = '%s-%s-%s' % (deployment[:34], net_name[:22], protocol) + ranges = [] + ranges_list = source_ranges.split(',') + for source_range in ranges_list: + ranges.append(source_range.replace(" ", "")) + firewall_rule = { + 'type': default.FIREWALL, + 'name': fw_rule_name, + 'properties': { + 'network': 'global/networks/' + net_name, + 'sourceRanges': ranges, + 'targetTags': [GATEWAY], + 'allowed': [{'IPProtocol': protocol}] + } + } + return firewall_rule + + +def create_instance_template(context, + name, + nics, + depends_on=None, + gw_version=VERSIONS['R80.30-GW']): + if 'gw' in gw_version: + license_name = "{}-{}".format(LICENSE, LICENCE_TYPE) + else: + license_name = LICENSE + family = '-'.join(['check-point', gw_version, license_name]) + formatter = common.DefaultFormatter() + instance_template_name = common.AutoName(name, default.TEMPLATE) + instance_template = { + "type": default.TEMPLATE, + "name": instance_template_name, + 'metadata': { + 'dependsOn': depends_on + }, + "properties": { + "project": context.properties['project'], + "properties": { + "canIpForward": True, + "disks": [{"autoDelete": True, + "boot": True, + "deviceName": common.set_name_and_truncate( + context.properties['deployment'], + '-{}-boot'.format(name)), + "index": 0, + "initializeParams": { + "diskType": + context.properties['diskType'], + "diskSizeGb": + context.properties['bootDiskSizeGb'], + "sourceImage": + 'projects/%s/global/images/%s' % ( + PROJECT, images.IMAGES[family]) + }, + "kind": 'compute#attachedDisk', + "mode": "READ_WRITE", + "type": "PERSISTENT"}], + "machineType": context.properties['machineType'], + "networkInterfaces": nics, + 'metadata': { + "kind": 'compute#metadata', + 'items': [ + { + 'key': 'startup-script', + 'value': formatter.format( + startup_script, **context.properties) + }, + { + 'key': 'serial-port-enable', + 'value': 'true' + } + ]}, + "scheduling": { + "automaticRestart": 
True, + "onHostMaintenance": "MIGRATE", + "preemptible": False + }, + "serviceAccounts": [ + { + "email": "default", + "scopes": [ + "https://www.googleapis.com/" + + "auth/devstorage.read_only", + "https://www.googleapis.com/auth/logging.write", + "https://www.googleapis.com/auth/monitoring.write", + "https://www.googleapis.com/auth/pubsub", + "https://www.googleapis.com/" + + "auth/service.management.readonly", + "https://www.googleapis.com/auth/servicecontrol", + "https://www.googleapis.com/auth/trace.append" + ] + }], + "tags": { + "items": [ + 'x-chkp-management--{}'. + format(context.properties['managementName']), + 'x-chkp-template--{}'. + format(context.properties['AutoProvTemplate']), + 'checkpoint-gateway' + ] + } + } + } + } + tagItems = instance_template['properties']['properties']['tags']['items'] + if context.properties['mgmtNIC'] == 'Ephemeral Public IP (eth0)': + tagItems.append("x-chkp-ip-address--public") + tagItems.append("x-chkp-management-interface--eth0") + elif context.properties['mgmtNIC'] == 'Private IP (eth1)': + tagItems.append("x-chkp-ip-address--private") + tagItems.append("x-chkp-management-interface--eth1") + if context.properties['networkDefinedByRoutes']: + tagItems.append("x-chkp-topology-eth1--internal") + tagItems.append("x-chkp-topology-settings-eth1" + "--network-defined-by-routes") + metadata = instance_template['properties']['properties']['metadata'] + if 'instanceSSHKey' in context.properties: + metadata['items'].append( + { + 'key': 'instanceSSHKey', + 'value': context.properties['instanceSSHKey'] + } + ) + return instance_template + + +def GenerateAutscaledGroup(context, name, + instance_template, depends_on=None): + prop = context.properties + igm_name = common.AutoName(name, default.IGM) + depends_on = depends_on + resource = { + 'name': igm_name, + 'metadata': { + 'dependsOn': depends_on + }, + 'type': default.REGION_IGM, + 'properties': { + 'region': common.ZoneToRegion(prop.get("zone")), + 'baseInstanceName': name, + 
'instanceTemplate': '$(ref.' + instance_template + '.selfLink)', + 'targetSize': prop.get("minInstances"), + # 'autoHealingPolicies': [{ + # 'initialDelaySec': 60 + # }] + } + } + return resource + + +def CreateAutscaler(context, name, + igm, cpu_usage, depends_on=None): + prop = context.properties + autoscaler_name = common.AutoName(name, default.AUTOSCALER) + depends_on = depends_on + cpu_usage = float(cpu_usage) / 100 + resource = { + 'name': autoscaler_name, + 'metadata': { + 'dependsOn': depends_on + }, + 'type': default.REGION_AUTOSCALER, + 'properties': { + 'target': '$(ref.' + igm + '.selfLink)', + 'region': common.ZoneToRegion(prop.get("zone")), + 'autoscalingPolicy': { + 'minNumReplicas': int(prop.get("minInstances")), + 'maxNumReplicas': int(prop.get("maxInstances")), + 'cpuUtilization': { + 'utilizationTarget': cpu_usage + }, + 'coolDownPeriodSec': 90 + } + } + } + return resource + + +def make_access_config(name=None): + access_config = { + 'type': default.ONE_NAT, + "kind": 'compute#accessConfig' + } + if name: + access_config['name'] = name + return access_config + + +def validate_region(test_zone, valid_region): + test_region = common.ZoneToRegion(test_zone) + if test_region != valid_region: + err_msg = '{} is in region {}. All subnets must be ' + \ + 'in the same region ({})' + raise common.Error( + err_msg.format(test_zone, test_region, valid_region) + ) + + +@common.FormatErrorsDec +def generate_config(context): + # This method will: + # 1. Create a instance template for a security GW + # (with a tag for the managing security server) + # 2. Create a managed instance group + # (based on the instance template and zones list provided by the user) + # 3. 
Configure autoscaling + # (based on min, max & policy settings provided by the user) + prop = context.properties + prop['deployment'] = context.env['deployment'] + prop['project'] = context.env['project'] + prop['templateName'] = TEMPLATE_NAME + prop['templateVersion'] = TEMPLATE_VERSION + prop['allowUploadDownload'] = str(prop['allowUploadDownload']).lower() + prop['hasInternet'] = 'true' # via Google Private Access + prop['installationType'] = 'AutoScale' + prop['resources'] = [] + prop['outputs'] = [] + prop['gw_dependencies'] = [] + prop['computed_sic_key'] = password.GeneratePassword(12, False) + prop['gatewayExternalIP'] = (prop['mgmtNIC'] == + 'Ephemeral Public IP (eth0)') + version_chosen = prop['autoscalingVersion'].split(' ')[0] + "-GW" + nics = create_nics(context) + gw_template = create_instance_template(context, + prop['deployment'], + nics, + depends_on=prop['gw_dependencies'], + gw_version=VERSIONS[version_chosen]) + prop['resources'] += [gw_template] + prop['igm_dependencies'] = [gw_template['name']] + igm = GenerateAutscaledGroup(context, + prop['deployment'], + gw_template['name'], + prop['igm_dependencies']) + prop['resources'] += [igm] + prop['autoscaler_dependencies'] = [igm['name']] + cpu_usage = prop.get("cpuUsage") + autoscaler = CreateAutscaler(context, + prop['deployment'], + igm['name'], + cpu_usage, + prop['autoscaler_dependencies']) + prop['resources'] += [autoscaler] + prop['outputs'] += [ + { + 'name': 'deployment', + 'value': prop['deployment'] + }, + { + 'name': 'project', + 'value': prop['project'] + }, + { + 'name': 'instanceTemplateName', + 'value': gw_template['name'] + }, + { + 'name': 'InstanceTemplateLink', + 'value': common.Ref(gw_template['name']) + }, + { + 'name': 'IGMname', + 'value': igm['name'] + }, + { + 'name': 'IGMLink', + 'value': common.RefGroup(igm['name']) + }, + { + 'name': 'cpuUsagePercentage', + 'value': str(int(prop['cpuUsage'])) + '%' + }, + { + 'name': 'minInstancesInt', + 'value': 
str(int(prop['minInstances'])) + }, + { + 'name': 'maxInstancesInt', + 'value': str(int(prop['maxInstances'])) + }, + ] + return common.MakeResource(prop['resources'], prop['outputs']) diff --git a/deprecated/gcp/R80.30/autoscale-payg-R80.30/check-point-autoscale--payg.py.schema b/deprecated/gcp/R80.30/autoscale-payg-R80.30/check-point-autoscale--payg.py.schema new file mode 100644 index 00000000..7eb1a0ae --- /dev/null +++ b/deprecated/gcp/R80.30/autoscale-payg-R80.30/check-point-autoscale--payg.py.schema 
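Review bot: `make_firewall_rule` keeps empty entries when `source_ranges` contains a trailing or doubled comma, because the loop only strips spaces from each split element; `'10.0.0.0/8,'` yields `['10.0.0.0/8', '']`, and an empty string is not a valid CIDR for `sourceRanges`. Replace the loop with `ranges = [r.strip() for r in source_ranges.split(',') if r.strip()]`. The rule also carries no `ports` entry, so for `tcp` and `udp` it admits every port from the given ranges to instances tagged `checkpoint-gateway`; that is presumably intentional because the gateway enforces its own policy, but a comment such as `# No ports on purpose: the gateway applies its own policy; GCP only gates the source ranges.` would keep a later maintainer from narrowing it by accident. Separately, `generate_config` renders `computed_sic_key` into the `startup-script` metadata item through `create_instance_template`, so the SIC key is visible to any principal allowed to read the instance's metadata; a comment at the assignment noting that exposure and that the key is single-use per deployment would be useful.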
@@ -0,0 +1,202 @@ +imports: + - path: check-point-autoscale--payg.py + +info: + version: 1.0 + title: Check Point CloudGuard Network Security Autoscaling - PAYG Template + +required: + - autoscalingVersion + - networks + - zone + - machineType + - cpuUsage + - minInstances + - maxInstances + - diskType + - bootDiskSizeGb + - managementName + - AutoProvTemplate + - allowUploadDownload + - networkDefinedByRoutes + - shell + - enableMonitoring + +properties: + zone: + type: string + default: us-central1-a + x-googleProperty: + type: GCE_ZONE + networks: + type: array + default: [default, default1] + minItems: 2 + maxItems: 2 + x-googleProperty: + type: GCE_NETWORK + gceNetwork: + labels: + - External + - Internal + allowSharedVpcs: True + machineTypeProperty: machineType + subnetworks: + type: array + minItems: 2 + maxItems: 2 + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: networks + mgmtNIC: + type: string + default: Ephemeral Public IP (eth0) + enum: + - Ephemeral Public IP (eth0) + - Private IP (eth1) + enableIcmp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: networks + icmpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: enableIcmp + enableTcp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: networks + tcpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: enableTcp + enableUdp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: networks + udpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: enableUdp + enableSctp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: networks + 
sctpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: enableSctp + enableEsp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: networks + espSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: enableEsp + machineType: + type: string + default: n1-standard-4 + x-googleProperty: + type: GCE_MACHINE_TYPE + zoneProperty: zone + gceMachineType: + minCpu: 2 + minRamGb: 1.843000054359436 + cpuUsage: + type: integer + minimum: 10 + maximum: 90 + default: 60 + minInstances: + type: integer + minimum: 1 + maximum: 16384 + default: 2 + maxInstances: + type: integer + minimum: 1 + maximum: 32768 + default: 10 + instanceSSHKey: + type: string + pattern: ^([0-9a-z\-]+ +[0-9A-Za-z/\+=]+( .*)?|)$ + default: '' + diskType: + type: string + default: pd-ssd + x-googleProperty: + type: GCE_DISK_TYPE + zoneProperty: zone + bootDiskSizeGb: + type: integer + default: 100 + minimum: 100 + maximum: 4096 + x-googleProperty: + type: GCE_DISK_SIZE + gceDiskSize: + diskTypeProperty: diskType + autoscalingVersion: + type: string + default: R81.10 Autoscaling + enum: + - R80.30 Autoscaling + managementName: + type: string + default: 'checkpoint-management' + pattern: ^([ -~]+)$ + AutoProvTemplate: + type: string + default: 'gcp-asg-autoprov-tmplt' + pattern: ^([ -~]{1,30})$ + enableMonitoring: + type: boolean + default: False + networkDefinedByRoutes: + type: boolean + default: True + allowUploadDownload: + type: boolean + default: True + shell: + type: string + default: /etc/cli.sh + enum: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + +outputs: + deployment: + type: string + project: + type: string \ No newline at end of file diff --git a/deprecated/gcp/R80.30/autoscale-payg-R80.30/common.py b/deprecated/gcp/R80.30/autoscale-payg-R80.30/common.py new file mode 100644 index 00000000..e123c502 
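Review bot: `autoscalingVersion` defaults to `R81.10 Autoscaling` but its `enum` lists only `R80.30 Autoscaling`, and the generator's `VERSIONS` table has only `R80.30-GW`, so a deployment that keeps the default either fails schema validation or, if the enum is not enforced, raises `KeyError` in `generate_config`. Change it to `default: R80.30 Autoscaling`. `minInstances` allows values up to 16384 and `maxInstances` up to 32768 with nothing tying the two together, while the generator passes both straight into the autoscaling policy; a `description` on `minInstances` stating that it must not exceed `maxInstances` would at least document the constraint.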
--- /dev/null +++ b/deprecated/gcp/R80.30/autoscale-payg-R80.30/common.py 
@@ -0,0 +1,262 @@ +# Copyright 2015 Google Inc. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +"""Generic simple functions used for python based template generation.""" + +import re +import sys +import traceback +import default +import string + +import yaml + +RFC1035_RE = re.compile(r'^[a-z][-a-z0-9]{1,61}[a-z0-9]{1}$') + + +class Error(Exception): + """Common exception wrapper for template exceptions.""" + pass + + +class DefaultFormatter(string.Formatter): + """Returns default instead of key error when looking for keys. + + Used for startup-script which contains params from multiple deployments + whiles keys from one deployment may not be set in another. 
+ """ + def __init__(self, default=''): + self.default = default + def get_value(self, key, args, dict): + if isinstance(key, str): + return dict.get(key, self.default) + else: + return string.Formatter.get_value(key, args, dict) + + +def set_name_and_truncate(primary, secondary, maxlength=62): + return '%s%s' % (primary[:maxlength - len(secondary)], secondary) + + +def AddDiskResourcesIfNeeded(context): + """Checks context if disk resources need to be added.""" + if default.DISK_RESOURCES in context.properties: + return context.properties[default.DISK_RESOURCES] + else: + return [] + + +def AutoName(base, resource, *args): + """Helper method to generate names automatically based on default.""" + auto_name = '%s-%s' % (base, '-'.join(list(args) + [default.AKA[resource]])) + if not RFC1035_RE.match(auto_name): + raise Error('"%s" name for type %s does not match RFC1035 regex (%s)' % + (auto_name, resource, RFC1035_RE.pattern)) + return auto_name + + +def AutoRef(base, resource, *args): + """Helper method that builds a reference for an auto-named resource.""" + return Ref(AutoName(base, resource, *args)) + + +def OrderedItems(dict_obj): + """Convenient method to yield sorted iteritems of a dictionary.""" + keys = list(dict_obj.keys()) + keys.sort() + for k in keys: + yield (k, dict_obj[k]) + + +def ShortenZoneName(zone): + """Given a string that looks like a zone name, creates a shorter version.""" + geo, coord, number, letter = re.findall(r'(\w+)-(\w+)(\d)-(\w)', zone)[0] + geo = geo.lower() if len(geo) == 2 else default.LOC[geo.lower()] + coord = default.LOC[coord.lower()] + number = str(number) + letter = letter.lower() + return geo + '-' + coord + number + letter + + +def ZoneToRegion(zone): + """Derives the region from a zone name.""" + parts = zone.split('-') + if len(parts) != 3: + raise Error('Cannot derive region from zone "%s"' % zone) + return '-'.join(parts[:2]) + + +def FormatException(message): + """Adds more information to the exception.""" + message = 
('Exception Type: %s\n' + 'Details: %s\n' + 'Message: %s\n') % (sys.exc_info()[0], + traceback.format_exc(), message) + return message + + +def Ref(name): + return '$(ref.%s.selfLink)' % name + + +def RefGroup(name): + return '$(ref.%s.instanceGroup)' % name + + +def GlobalComputeLink(project, collection, name): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/global/', + collection, '/', name]) + +def GlobalNetworkLink(project, network): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/global/', + default.NETWORKS, '/', network]) + + +def LocalComputeLink(project, zone, key, value): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/zones/', + zone, '/', key, '/', value]) + + +def ReadContext(context, prop_key): + return (context.env['project'], context.properties.get('zone', None), + context.properties[prop_key]) + + +def MakeLocalComputeLink(context, key, zone=None): + if not zone: + project, zone, value = ReadContext(context, key) + else: + project, _, value = ReadContext(context, key) + + if IsComputeLink(value): + return value + else: + return LocalComputeLink(project, zone, key + 's', value) + + +def MakeGlobalComputeLink(context, key): + project, _, value = ReadContext(context, key) + if IsComputeLink(value): + return value + else: + return GlobalComputeLink(project, key + 's', value) + +def MakeRegionalSubnetworkLink(project, zone, subnet): + region = ZoneToRegion(zone) + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/regions/', + region, '/subnetworks/', subnet]) + + +def MakeSubnetworkComputeLink(context, key): + project, zone, value = ReadContext(context, key) + region = ZoneToRegion(zone) + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/regions/', + region, '/subnetworks/', value]) + + +def MakeFQHN(context, name): + return '%s.c.%s.internal' % (name, context.env['project']) + + +# TODO(victorg): Consider moving this method to a different file +def 
MakeC2DImageLink(name, dev_mode=False): + if IsGlobalProjectShortcut(name) or name.startswith('http'): + return name + else: + if dev_mode: + return 'global/images/%s' % name + else: + return GlobalComputeLink(default.C2D_IMAGES, 'images', name) + + +def IsGlobalProjectShortcut(name): + return name.startswith('projects/') or name.startswith('global/') + + +def IsComputeLink(name): + return (name.startswith(default.COMPUTE_URL_BASE) or + name.startswith(default.REFERENCE_PREFIX)) + + +def GetNamesAndTypes(resources_dict): + return [(d['name'], d['type']) for d in resources_dict] + + +def SummarizeResources(res_dict): + """Summarizes the name of resources per resource type.""" + result = {} + for res in res_dict: + result.setdefault(res['type'], []).append(res['name']) + return result + + +def ListPropertyValuesOfType(res_dict, prop, res_type): + """Lists all the values for a property of a certain type.""" + return [r['properties'][prop] for r in res_dict if r['type'] == res_type] + + +def MakeResource(resource_list, output_list=None): + """Wrapper for a DM template basic spec.""" + content = {'resources': resource_list} + if output_list: + content['outputs'] = output_list + return yaml.dump(content) + + +def TakeZoneOut(properties): + """Given a properties dictionary, removes the zone specific information.""" + + def _CleanZoneUrl(value): + value = value.split('/')[-1] if IsComputeLink(value) else value + return value + + for name in default.VM_ZONE_PROPERTIES: + if name in properties: + properties[name] = _CleanZoneUrl(properties[name]) + if default.ZONE in properties: + properties.pop(default.ZONE) + if default.BOOTDISK in properties: + properties[default.BOOTDISK] = _CleanZoneUrl(properties[default.BOOTDISK]) + if default.DISKS in properties: + for disk in properties[default.DISKS]: + # Don't touch references to other disks + if default.DISK_SOURCE in disk: + continue + if default.INITIALIZEP in disk: + disk_init = disk[default.INITIALIZEP] + if default.DISKTYPE 
in disk_init: + disk_init[default.DISKTYPE] = _CleanZoneUrl(disk_init[default.DISKTYPE]) + + +def GenerateEmbeddableYaml(yaml_string): + # Because YAML is a space delimited format, we need to be careful about + # embedding one YAML document in another. This function takes in a string in + # YAML format and produces an equivalent YAML representation that can be + # inserted into arbitrary points of another YAML document. It does so by + # printing the YAML string in a single line format. Consistent ordering of + # the string is also guaranteed by using yaml.dump. + yaml_object = yaml.load(yaml_string) + dumped_yaml = yaml.dump(yaml_object, default_flow_style=True) + return dumped_yaml + + +def FormatErrorsDec(func): + """Decorator to format exceptions if they get raised.""" + + def FormatErrorsWrap(context): + try: + return func(context) + except Exception as e: + raise Error(FormatException(e.message)) + + return FormatErrorsWrap diff --git a/deprecated/gcp/R80.30/autoscale-payg-R80.30/config.yaml b/deprecated/gcp/R80.30/autoscale-payg-R80.30/config.yaml new file mode 100644 index 00000000..d0993a52 --- /dev/null +++ b/deprecated/gcp/R80.30/autoscale-payg-R80.30/config.yaml 
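Review bot: `GenerateEmbeddableYaml` calls `yaml.load(yaml_string)` without a `Loader`; on PyYAML releases before 5.1 that is the full loader, which constructs arbitrary Python objects from tags in the input, and on PyYAML 6 the call raises `TypeError` because `Loader` is required. Use `yaml_object = yaml.safe_load(yaml_string)`, which is all plain data needs. In `FormatErrorsWrap`, `e.message` exists only on Python 2 exceptions; under Python 3 the handler itself raises `AttributeError` and hides the original error, so use `raise Error(FormatException(str(e))) from e`. `DefaultFormatter.get_value` names a parameter `dict`, shadowing the builtin; `kwargs` would read better.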
@@ -0,0 +1,50 @@
+imports:
+- path: check-point-autoscale--payg.py
+- path: common.py
+- path: default.py
+- path: password.py
+- path: images.py
+
+resources:
+- name: check-point-autoscale--payg
+ type: check-point-autoscale--payg.py
+ properties:
+ autoscalingVersion: "PLEASE ENTER AUTOSCALE VERSION"
+ managementName: "PLEASE ENTER MANAGEMENT NAME"
+ AutoProvTemplate: "PLEASE ENTER AUTOPROVISION TEMPLATE NAME"
+ instanceSSHKey: "PLEASE ENTER A VALID PUBLIC KEY"
+ mgmtNIC: "PLEASE ENTER MANAGEMENT NIC TYPE"
+ networkDefinedByRoutes: "PLEASE ENTER true or false"
+ shell: "PLEASE ENTER A SHELL"
+ allowUploadDownload: "PLEASE ENTER true or false"
+ zone: "PLEASE ENTER A ZONE"
+ networks: "PLEASE ENTER A LIST OF EXTERNAL AND INTERNAL NETWORKS ID"
+ subnetworks: "PLEASE ENTER A LIST OF EXTERNAL AND INTERNAL SUBNETWORKS ID"
+ enableIcmp: "PLEASE ENTER true or false"
+ icmpSourceRanges: "PLEASE ENTER ICMP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ enableTcp: "PLEASE ENTER true or false"
+ tcpSourceRanges: "PLEASE ENTER TCP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ enableUdp: "PLEASE ENTER true or false"
+ udpSourceRanges: "PLEASE ENTER UDP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ enableSctp: "PLEASE ENTER true or false"
+ sctpSourceRanges: "PLEASE ENTER SCTP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ enableEsp: "PLEASE ENTER true or false"
+ espSourceRanges: "PLEASE ENTER ESP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ machineType: "PLEASE ENTER A MACHINE TYPE"
+ cpuUsage: "PLEASE ENTER CPU USAGE (%)"
+ minInstances: "PLEASE ENTER MINIMUM NUMBER OF INSTANCES"
+ maxInstances: "PLEASE ENTER MAXIMUM NUMBER OF INSTANCES"
+ diskType: "PLEASE ENTER A DISK TYPE"
+ bootDiskSizeGb: "PLEASE ENTER A DISK SIZE"
+ enableMonitoring: "PLEASE ENTER true or false"
+outputs:
+- name: "Deployment"
+ value: $(ref.check-point-autoscale--payg.deployment)
+- name: "Managed instance group"
+ value: $(ref.check-point-autoscale--payg.IGMLink)
+- name: "Minimum instances"
+ value: $(ref.check-point-autoscale--payg.minInstancesInt)
+- name: "Maximum instances"
+ value: $(ref.check-point-autoscale--payg.maxInstancesInt)
+- name: "Target CPU usage"
+ value: $(ref.check-point-autoscale--payg.cpuUsagePercentage)
\ No newline at end of file
diff --git a/deprecated/gcp/R80.30/autoscale-payg-R80.30/default.py b/deprecated/gcp/R80.30/autoscale-payg-R80.30/default.py
new file mode 100644
index 00000000..0c7dd919
--- /dev/null
+++ b/deprecated/gcp/R80.30/autoscale-payg-R80.30/default.py
@@ -0,0 +1,134 @@
+# Copyright 2015 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Convenience module to hold default constants for C2D components.
+
+There should not be any logic in this module. Its purpose is to simplify
+analysis of commonly used GCP and properties names and identify the names
+that were custom created for these modules.
+"""
+# Generic constants
+C2D_IMAGES = 'click-to-deploy-images'
+
+# URL constants
+COMPUTE_URL_BASE = 'https://www.googleapis.com/compute/v1/'
+
+# Deployment Manager constructs
+REFERENCE_PREFIX = '$(ref.'
+
+# Commonly used in properties namespace
+AUTO_DELETE = 'autoDelete'
+BOOTDISK = 'bootDiskType'
+BOOTDISKSIZE = 'bootDiskSizeGb'
+C_IMAGE = 'containerImage'
+DC_MANIFEST = 'dcManifest'
+DEPLOYMENT = 'DEPLOYMENT' # used in the deployment coordinator
+DISK_NAME = 'diskName'
+DISK_RESOURCES = 'addedDiskResources'
+DISK_SOURCE = 'source'
+ENDPOINT_NAME = 'serviceRegistryEndpointName'
+FIXED_GCLOUD = 'fixedGcloud'
+GENERATED_PROP = 'generatedProperties'
+INITIALIZEP = 'initializeParams'
+INSTANCE_NAME = 'instanceName'
+LOCAL_SSD = 'localSSDs'
+MAX_NUM = 'maxNumReplicas'
+NETWORKS = 'networks'
+NO_SCOPE = 'noScope'
+PROVIDE_BOOT = 'provideBoot'
+REPLICAS = 'replicas'
+SIZE = 'size'
+VM_COPIES = 'numberOfVMReplicas'
+ZONES = 'zones'
+
+# Common properties values (only official GCP values allowed here)
+EXTERNAL = 'External NAT'
+ONE_NAT = 'ONE_TO_ONE_NAT'
+
+# Common 1st level properties (only official GCP names allowed here)
+CAN_IP_FWD = 'canIpForward'
+CONTAINER = 'container'
+DCKRENV = 'dockerEnv'
+DCKRIMAGE = 'dockerImage'
+DEFAULT_SERVICE = 'defaultService'
+DEVICE_NAME = 'deviceName'
+DISKS = 'disks'
+DISK_SIZE = 'diskSizeGb'
+DISKTYPE = 'diskType'
+HEALTH_PATH = 'healthPath'
+HOST_RULES = 'hostRules'
+IP_PROTO = 'IPProtocol'
+MACHINETYPE = 'machineType'
+METADATA = 'metadata'
+NAME = 'name'
+NETWORK = 'network'
+NETWORKS = 'networks'
+SUBNETWORK = 'subnetwork'
+PATH_MATCHERS = 'pathMatchers'
+PORT = 'port'
+PROJECT = 'project'
+SERVICE = 'service'
+SERVICE_ACCOUNTS = 'serviceAccounts'
+SRCIMAGE = 'sourceImage'
+SRC_RANGES = 'sourceRanges'
+TAGS = 'tags'
+TYPE = 'type'
+VM_TEMPLATE = 'instanceTemplate'
+ZONE = 'zone'
+
+# Zone specfic VM properties
+VM_ZONE_PROPERTIES = [DISKTYPE, MACHINETYPE, BOOTDISK]
+
+# Resource type defaults names
+ADDRESS = 'compute.v1.address'
+AUTOSCALER = 'compute.v1.autoscaler'
+BACKEND_SERVICE = 'compute.v1.backendService'
+DISK = 'compute.v1.disk'
+ENDPOINT = 'serviceregistry.v1alpha.endpoint'
+FIREWALL = 'compute.v1.firewall'
+GF_RULE = 'compute.v1.globalForwardingRule'
+HEALTHCHECK = 'compute.v1.httpHealthCheck'
+IGM = 'compute.v1.instanceGroupManager'
+INSTANCE = 'compute.v1.instance'
+PROXY = 'compute.v1.targetHttpProxy'
+TEMPLATE = 'compute.v1.instanceTemplate'
+REGION_IGM = 'compute.v1.regionInstanceGroupManager'
+REGION_AUTOSCALER = 'compute.v1.regionAutoscaler'
+URL_MAP = 'compute.v1.urlMap'
+VPC='compute.v1.network'
+VPC_SUBNET='compute.v1.subnetwork'
+
+# Also Known As constants
+AKA = {
+ TEMPLATE: 'tmplt',
+ AUTOSCALER: 'as',
+ BACKEND_SERVICE: 'bes',
+ DISK: 'disk',
+ FIREWALL: 'fwall',
+ GF_RULE: 'ip',
+ HEALTHCHECK: 'hc',
+ INSTANCE: 'vm',
+ PROXY: 'tproxy',
+ IGM: 'igm',
+ URL_MAP: 'umap',
+}
+
+LOC = {
+ 'europe': 'eu',
+ 'asia': 'as',
+ 'central': 'c',
+ 'east': 'e',
+ 'west': 'w',
+ 'north': 'n',
+ 'south': 's',
+}
diff --git a/deprecated/gcp/R80.30/autoscale-payg-R80.30/images.py b/deprecated/gcp/R80.30/autoscale-payg-R80.30/images.py
new file mode 100644
index 00000000..2811fa30
--- /dev/null
+++ b/deprecated/gcp/R80.30/autoscale-payg-R80.30/images.py
@@ -0,0 +1,10 @@
+IMAGES = {
+ "check-point-r8030-payg": "check-point-r8030-payg-200-773-v20201208",
+ "check-point-r8030-gw-payg-single": "check-point-r8030-gw-payg-single-273-904-v20210715",
+ "check-point-r8030-gw-payg-mig": "check-point-r8030-gw-payg-mig-273-904-v20210715",
+ "check-point-r8030-gw-payg-cluster": "check-point-r8030-gw-payg-cluster-273-904-v20210715",
+ "check-point-r8030-gw-byol-single": "check-point-r8030-gw-byol-single-273-904-v20210715",
+ "check-point-r8030-gw-byol-mig": "check-point-r8030-gw-byol-mig-273-904-v20210715",
+ "check-point-r8030-gw-byol-cluster": "check-point-r8030-gw-byol-cluster-273-904-v20210715",
+ "check-point-r8030-byol": "check-point-r8030-byol-200-773-v20201208"
+}
diff --git a/deprecated/gcp/R80.30/autoscale-payg-R80.30/password.py b/deprecated/gcp/R80.30/autoscale-payg-R80.30/password.py
new file mode 100644
index 00000000..273210a6
--- /dev/null
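Review bot: `NETWORKS = 'networks'` is assigned twice in this hunk, once in the "Commonly used in properties namespace" group and again in the "Common 1st level properties" group; the second assignment silently rebinds the same value and should be dropped, keeping a single `NETWORKS = 'networks'` in whichever group the maintainers consider canonical. `VPC='compute.v1.network'` and `VPC_SUBNET='compute.v1.subnetwork'` are the only assignments in the module without spaces around `=`; `VPC = 'compute.v1.network'` and `VPC_SUBNET = 'compute.v1.subnetwork'` match the surrounding style. The comment `# Zone specfic VM properties` has a typo and should read `# Zone specific VM properties`.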
+++ b/deprecated/gcp/R80.30/autoscale-payg-R80.30/password.py 
@@ -0,0 +1,135 @@
+# Copyright 2015 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""A DM template that generates password as an output, namely "password".
+
+An example YAML showing how this template can be used:
+ resources:
+ - name: generated-password
+ type: password.py
+ properties:
+ length: 8
+ includeSymbols: true
+ - name: main-template
+ type: main-template.jinja
+ properties:
+ password: $(ref.generated-password.password)
+
+Input properties to this template:
+ - length: the length of the generated password. At least 8. Default 8.
+ - includeSymbols: true/false whether to include symbol chars. Default false.
+
+The generated password satisfies the following requirements:
+ - The length is as specified,
+ - Containing letters and numbers, and optionally symbols if specified,
+ - Starting with a letter,
+ - Containing characters from at least 3 of the 4 categories: uppercases,
+ lowercases, numbers, and symbols.
+
+"""
+
+import random
+import yaml
+
+PROPERTY_LENGTH = 'length'
+PROPERTY_INCLUDE_SYMBOLS = 'includeSymbols'
+
+# Note the omission of some hard to distinguish characters like I, l, 0, and O.
+UPPERS = 'ABCDEFGHJKLMNPQRSTUVWXYZ'
+LOWERS = 'abcdefghijkmnopqrstuvwxyz'
+ALPHABET = UPPERS + LOWERS
+DIGITS = '123456789'
+ALPHANUMS = ALPHABET + DIGITS
+# Including only symbols that can be passed around easily in shell scripts.
+SYMBOLS = '*-+.'
+
+CANDIDATES_WITH_SYMBOLS = ALPHANUMS + SYMBOLS
+CANDIDATES_WITHOUT_SYMBOLS = ALPHANUMS
+
+CATEGORIES_WITH_SYMBOLS = [UPPERS, LOWERS, DIGITS, SYMBOLS]
+CATEGORIES_WITHOUT_SYMBOLS = [UPPERS, LOWERS, DIGITS]
+
+MIN_LENGTH = 8
+
+
+class InputError(Exception):
+ """Raised when input properties are unexpected."""
+
+
+def GenerateConfig(context):
+ """Entry function to generate the DM config."""
+ props = context.properties
+ length = props.setdefault(PROPERTY_LENGTH, MIN_LENGTH)
+ include_symbols = props.setdefault(PROPERTY_INCLUDE_SYMBOLS, False)
+
+ if not isinstance(include_symbols, bool):
+ raise InputError('%s must be a boolean' % PROPERTY_INCLUDE_SYMBOLS)
+
+ content = {
+ 'resources': [],
+ 'outputs': [{
+ 'name': 'password',
+ 'value': GeneratePassword(length, include_symbols)
+ }]
+ }
+ return yaml.dump(content)
+
+
+def GeneratePassword(length=8, include_symbols=False):
+ """Generates a random password."""
+ if length < MIN_LENGTH:
+ raise InputError('Password length must be at least %d' % MIN_LENGTH)
+
+ candidates = (CANDIDATES_WITH_SYMBOLS if include_symbols
+ else CANDIDATES_WITHOUT_SYMBOLS)
+ categories = (CATEGORIES_WITH_SYMBOLS if include_symbols
+ else CATEGORIES_WITHOUT_SYMBOLS)
+
+ # Generates up to the specified length minus the number of categories.
+ # Then inserts one character for each category, ensuring that the character
+ # satisfy the category if the generated string hasn't already.
+ generated = ([random.choice(ALPHABET)] +
+ [random.choice(candidates)
+ for _ in range(length - 1 - len(categories))])
+ for category in categories:
+ _InsertAndEnsureSatisfaction(generated, category, candidates)
+ return ''.join(generated)
+
+
+def _InsertAndEnsureSatisfaction(generated, required, all_candidates):
+ """Inserts 1 char into generated, satisfying required if not already.
+
+ If the required characters are not already in the generated string, one will
+ be inserted. If any required character is already in the generated string, a
+ random character from all_candidates will be inserted. The insertion happens
+ at a random location but not at the beginning.
+
+ Args:
+ generated: the string to be modified.
+ required: list of required characters to check for.
+ all_candidates: list of characters to choose from if the required characters
+ are already satisfied.
+ """
+ if set(generated).isdisjoint(required):
+ # Not yet satisfied. Insert a required candidate.
+ _InsertInto(generated, required)
+ else:
+ # Already satisfied. Insert any candidate.
+ _InsertInto(generated, all_candidates)
+
+
+def _InsertInto(generated, candidates):
+ """Inserts a random candidate into a random non-zero index of generated."""
+ # Avoids inserting at index 0, since the first character follows its own rule.
+ generated.insert(random.randint(1, len(generated) - 1),
+ random.choice(candidates))
diff --git a/deprecated/gcp/R80.30/ha-byol-R80.30/README.md b/deprecated/gcp/R80.30/ha-byol-R80.30/README.md
new file mode 100644
index 00000000..e81e628c
--- /dev/null
+++ b/deprecated/gcp/R80.30/ha-byol-R80.30/README.md
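Review bot: `GeneratePassword` and `_InsertInto` draw every character of the administrator password that this template publishes as its `password` output from the `random` module (`random.choice` at three sites and `random.randint` at one), which is a Mersenne Twister PRNG rather than an OS-backed generator and is not intended for secrets. Add `_rng = random.SystemRandom()` below `import random` and change the four call sites to `_rng.choice(...)` / `_rng.randint(...)`; `random.SystemRandom` is available on every Python version this module can run on, so the interface and the first-letter and category guarantees are unchanged. Separately, `GenerateConfig` type-checks `includeSymbols` but not `length`, so a non-integer `length` from config.yaml may get past `length < MIN_LENGTH` and fail later inside `range(...)` with an unrelated error; an `isinstance(length, int)` check raising `InputError` next to the boolean check would make the failure explicit.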
@@ -0,0 +1,178 @@ +# GCP Deployment Manager package for Check Point High Availability BYOL solution +This directory contains CloudGuard IaaS deployment package for Check Point High Availability (BYOL) solution published in the [GCP Marketplace](https://console.cloud.google.com/marketplace/details/checkpoint-public/check-point-ha--byol). + +# How to deploy the package manually +To deploy the Deployment Manager's package manually, without using the GCP Marketplace, follow these instructions: +1. Clone or download the files in this directory +2. Fill variables in the config.yaml(see below for variables descriptions). +3. Log into [Google Cloud Platform Console](https://console.cloud.google.com) +4. [Activate Cloud Shell](https://cloud.google.com/shell/docs/using-cloud-shell) +5. Set your Cloud Platform project in the Cloud Shell session use: + + gcloud config set project [PROJECT_ID] +6. Upload the content of the CloudGuardIaaS/gcp/deployment-packages/ha-byol/ directory to the [cloud shell](https://cloud.google.com/shell/docs/uploading-and-downloading-files) +7. Launch deployment by running: + + gcloud deployment-manager deployments create [DEPLOYMENT_NAME] --config config.yaml +8. Make sure the deployment finished successfully.
Example of successful deployment output: + + The fingerprint of the deployment is CgwkIUxcTnI5_eZY1g9SFw== + Waiting for create [operation-1585150261645-5a1af8e42d0ba-6b3d4618-5856e790]...done. + Create operation operation-1585150261645-5a1af8e42d0ba-6b3d4618-5856e790 completed successfully. + NAME TYPE STATE ERRORS INTENT + cluster-cluster-network-icmp compute.v1.firewall COMPLETED [] + cluster-cluster-network-tcp compute.v1.firewall COMPLETED [] + cluster-config runtimeconfig.v1beta1.config COMPLETED [] + cluster-member-a compute.v1.instance COMPLETED [] + cluster-member-a-address compute.v1.address COMPLETED [] + cluster-member-b compute.v1.instance COMPLETED [] + cluster-member-b-address compute.v1.address COMPLETED [] + cluster-mgmt-network-esp compute.v1.firewall COMPLETED [] + cluster-mgmt-network-sctp compute.v1.firewall COMPLETED [] + cluster-primary-cluster-address compute.v1.address COMPLETED [] + cluster-secondary-cluster-address compute.v1.address COMPLETED [] + cluster-software runtimeconfig.v1beta1.waiter COMPLETED [] + OUTPUTS VALUE + Deployment cluster + Cluster IP external address 35.201.201.163 + Member A cluster-member-a + Member A external IP 104.199.168.141 + Member B cluster-member-b + Member B external IP 35.221.178.173 + +## config.yaml variables +| Name | Description | Type | Allowed values | +| ------------- | ------------- | ------------- | ------------- | +| **ha_version** | High Availability Version | string | R80.30 Cluster; | +| | | | | | +| **zoneA** | Member A Zone. 
The zone determines what computing resources are available and where your data is stored and used | string | List of allowed [Regions and Zones](https://cloud.google.com/compute/docs/regions-zones?_ga=2.31926582.-962483654.1585043745) | +| | | | | | +| **zoneB** | Member B Zone | string | Must be in the same region as member A zone | +| | | | | | +| **machineType** | Machine types determine the specifications of your machines, such as the amount of memory, virtual cores, and persistent disk limits an instance will have | string | [Learn more about Machine Types](https://cloud.google.com/compute/docs/machine-types?hl=en_US&_ga=2.267871494.-962483654.1585043745) | +| | | | | | +| **managementNetwork** | Security Management Server address | string | The public address of the Security Management Server, in CIDR notation. VPN peers addresses cannot be in this CIDR block, so this value cannot be the zero-address | +| | | | | | +| **cluster-network-cidr** | Cluster external subnet CIDR.
If the variable's value is not empty double quotes, a new network will be created.
The Cluster public IP will be translated to a private address assigned to the active member in this external network. | string | Specify an RFC 1918 CIDR block that does not overlap with your other networks to create a new network or select an existing one below | +| | | | | | +| **cluster-network-name** | Cluster external network ID. The network determines what network traffic the instance can access | string | Available network in the chosen zone | +| | | | | | +| **cluster-network-subnetwork-name** | Cluster subnet ID. Assigns the instance an IPv4 address from the subnetwork’s range.
If you have specified a CIDR block above, this subnetwork will not be used.
. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. | string | Available subnetwork in the chosen network | +| | | | | | +| **cluster-network_enableTcp** | Allow TCP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **cluster-network_tcpSourceRanges** | Allow TCP traffic from the Internet | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009 [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **cluster-network_enableIcmp** | Allow ICMP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **cluster-network_icmpSourceRanges** | Source IP ranges for ICMP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **cluster-network_enableUdp** | Allow UDP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **cluster-network_udpSourceRanges** | Source IP ranges for UDP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **cluster-network_enableSctp** | Allow SCTP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **cluster-network_sctpSourceRanges** | Source IP ranges for SCTP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **cluster-network_enableEsp** | Allow ESP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **cluster-network_espSourceRanges** | Source IP ranges for ESP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **mgmt-network-cidr** | Management external subnet CIDR.
If the variable's value is not empty double quotes, a new network will be created.
The public IP used to manage each member will be translated to a private address in this external network | string | Specify an RFC 1918 CIDR block that does not overlap with your other networks to create a new network or select an existing one below | +| | | | | | +| **mgmt-network-name** | Management network ID. The network determines what network traffic the instance can access | string | Available network in the chosen zone | +| | | | | | +| **mgmt-network-subnetwork-name** | Management subnet ID. Assigns the instance an IPv4 address from the subnetwork’s range.
If you have specified a CIDR block above, this subnetwork will not be used.
. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. | string | Available subnetwork in the chosen network | +| | | | | | +| **mgmt-network_enableTcp** | Allow TCP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **mgmt-network_tcpSourceRanges** | Allow TCP traffic from the Internet | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009 [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **mgmt-network_enableIcmp** | Allow ICMP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **mgmt-network_icmpSourceRanges** | Source IP ranges for ICMP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **mgmt-network_enableUdp** | Allow UDP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **mgmt-network_udpSourceRanges** | Source IP ranges for UDP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **mgmt-network_enableSctp** | Allow SCTP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **mgmt-network_sctpSourceRanges** | Source IP ranges for SCTP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **mgmt-network_enableEsp** | Allow ESP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **mgmt-network_espSourceRanges** | Source IP ranges for ESP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **diskType** | Disk type | string | pd-ssd;
pd-standard;
Storage space is much less expensive for a standard persistent disk. An SSD persistent disk is better for random IOPS or streaming throughput with low latency. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.66020774.-962483654.1585043745#overview_of_disk_types)| +| | | | | | +| **bootDiskSizeGb** | Disk size in GB | number | Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.232680471.-962483654.1585043745#pdperformance)| +| | | | | | +| **generatePassword** | Automatically generate an administrator password | boolean | true;
false; | +| | | | | | +| **allowUploadDownload** | Allow download from/upload to Check Point | boolean | true;
false; | +| | | | | | +| **enableMonitoring** | Enable Stackdriver monitoring | boolean | true;
false; | +| | | | | | +| **shell** | Admin shell | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh;
| +| | | | | | +| **instanceSSHKey** | Public SSH key for the user 'admin' | string | A valid public ssh key | +| | | | | | +| **sicKey** | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server | string | At least 8 alpha numeric characters.
If SIC is not provided and needed, a key will be automatically generated | +| | | | | | +| **numAdditionalNICs** | Number of additional network interfaces | number | A number in the range 0 - 6.
Multiple network interfaces deployment is described in [sk121637 - Deploy a CloudGuard for GCP with Multiple Network Interfaces](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk121637) | +| | | | | | +| **internal-network1-cidr** | 1st internal subnet CIDR.
If the variable's value is not empty double quotes, a new subnet will be created.
Assigns the cluster members an IPv4 address in this internal network | string | Specify an RFC 1918 CIDR block that does not overlap with your other networks to create a new network or select an existing one below | +| | | | | | +| **internal-network1-name** | 1st internal network ID. The network determines what network traffic the instance can access | string | Available network in the chosen zone | +| | | | | | +| **internal-network1-subnetwork-name** | 1st internal subnet ID. Assigns the instance an IPv4 address from the subnetwork’s range.
If you have specified a CIDR block above, this subnetwork will not be used.
Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. | string | Available subnetwork in the chosen network | +| | | | | | +## Example + ha_version: "R80.30 Cluster" + zoneA: "asia-east1-a" + zoneB: "asia-east1-a" + machineType: "n1-standard-4" + diskType: "pd-ssd" + bootDiskSizeGb: 100 + instanceSSHKey: "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" + enableMonitoring: false + managementNetwork: "209.87.209.100/32" + sicKey: "aaaaaaaa" + generatePassword: false + allowUploadDownload: false + shell: "/bin/bash" + cluster-network-cidr: "10.0.1.0/24" + cluster-network-name: "external-vpc" + cluster-network-subnetwork-name: "frontend" + cluster-network_enableIcmp: true + cluster-network_icmpSourceRanges: "0.0.0.0/0" + cluster-network_enableTcp: true + cluster-network_tcpSourceRanges: "0.0.0.0/0" + cluster-network_enableUdp: false + cluster-network_udpSourceRanges: "" + cluster-network_enableSctp: false + cluster-network_sctpSourceRanges: "" + cluster-network_enableEsp: false + cluster-network_espSourceRanges: "" + mgmt-network-cidr: "10.0.2.0/24" + mgmt-network-name: "vpc-internal" + mgmt-network-subnetwork-name: "" + mgmt-network_enableIcmp: false + mgmt-network_icmpSourceRanges: "" + mgmt-network_enableTcp: false + mgmt-network_tcpSourceRanges: "" + mgmt-network_enableUdp: true + mgmt-network_udpSourceRanges: "0.0.0.0/0" + mgmt-network_enableSctp: true + mgmt-network_sctpSourceRanges: "0.0.0.0/0" + mgmt-network_enableEsp: true + mgmt-network_espSourceRanges: "0.0.0.0/0" + numInternalNetworks: 1 + internal-network1-cidr: "10.0.3.0/24" + internal-network1-name: "vpc-internal2" + internal-network1-subnetwork-name: "vpc-internal2" + +## Notes +See [sk147032](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk147032) for revision history \ No newline at end of file 
diff --git a/deprecated/gcp/R80.30/ha-byol-R80.30/c2d_deployment_configuration.json b/deprecated/gcp/R80.30/ha-byol-R80.30/c2d_deployment_configuration.json
new file mode 100644
index 00000000..6a2bef5d
--- /dev/null
+++ b/deprecated/gcp/R80.30/ha-byol-R80.30/c2d_deployment_configuration.json
@@ -0,0 +1,7 @@
+{
+ "defaultDeploymentType": "MULTI_VM",
+ "imageName": "check-point-r8110-gw-byol-cluster-335-985-v20220126",
+ "projectId": "checkpoint-public",
+ "templateName": "nonexistent_template",
+ "useSolutionPackage": "true"
+}
diff --git a/deprecated/gcp/R80.30/ha-byol-R80.30/check-point-cluster--byol.py b/deprecated/gcp/R80.30/ha-byol-R80.30/check-point-cluster--byol.py
new file mode 100644
index 00000000..b60cf970
--- /dev/null
+++ b/deprecated/gcp/R80.30/ha-byol-R80.30/check-point-cluster--byol.py
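Review bot: `"imageName": "check-point-r8110-gw-byol-cluster-335-985-v20220126"` pins an R81.10 image inside the `R80.30/ha-byol-R80.30` package, while the R80.30 autoscale package's images.py earlier in this diff lists only `check-point-r8030-*` images, so the deployment configuration and the package it sits in appear to disagree on the release; confirm which image is intended, or align this entry with the r8030 byol cluster image. `"templateName": "nonexistent_template"` likewise reads as a placeholder rather than a real template name; if it is deliberate because `useSolutionPackage` is set, that rationale is worth recording in the package README, since a JSON file cannot carry a comment.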
@@ -0,0 +1,713 @@ +# Copyright 2016 Check Point Software LTD. + +import common +import copy +import default +import images +import password + + +MAX_ADDITIONAL_NICS = 6 + +GATEWAY = 'checkpoint-gateway' + +PROJECT = 'checkpoint-public' +LICENSE = 'byol' +LICENCE_TYPE = 'cluster' + +VERSIONS = { + 'R80.30': 'r8030-gw' +} + +TEMPLATE_NAME = 'cluster' +TEMPLATE_VERSION = '20220130' + +CLUSTER_NET_FIELD = 'cluster-network' +MGMT_NET_FIELD = 'mgmt-network' +INTERNAL_NET_FIELD = 'internal-network{}' + +MGMT_NIC = 1 + +startup_script = ''' +#!/bin/bash + +generatePassword="$(echo {generatePassword} | tr 'TF' 'tf')" +allowUploadDownload="{allowUploadDownload}" + +echo "template_name: {templateName}" >> /etc/cloud-version +echo "template_version: {templateVersion}" >> /etc/cloud-version + +function get_router() {{ + local interface="$1" + local subnet_router_meta_path="computeMetadata/v1/instance/network-interfaces/$interface/gateway" + local router="$(get-cloud-data.sh ${{subnet_router_meta_path}})" + echo "${{router}}" +}} + +function set_mgmt_if() {{ + mgmtNIC="{mgmtNIC}" + local mgmt_int="eth0" + if [ "X$mgmtNIC" == "XEphemeral Public IP (eth0)" ]; then + mgmt_int="eth0" + elif [ "X$mgmtNIC" == "XPrivate IP (eth1)" ]; then + mgmt_int="eth1" + fi + local set_mgmt_if_out="$(clish -s -c "set management interface ${{mgmt_int}}")" + echo "${{set_mgmt_if_out}}" +}} + +function set_internal_static_routes() {{ + local private_cidrs='10.0.0.0/8 172.16.0.0/12 192.168.0.0/16' + #Define interface for internal networks and configure + local interface="$internalInterfaceNumber" + local router=$(get_router $interface) + clish -c 'lock database override' + #Configure static routes destined to internal networks, defined in the RFC 1918, through the internal interface + for cidr in ${{private_cidrs}}; do + echo "setting route to $cidr via gateway $router" + echo "running clish -c 'set static-route $cidr nexthop gateway address $router on' -s" + clish -c "set static-route $cidr nexthop 
gateway address $router on" -s + done +}} + +function create_dynamic_objects() {{ + local is_managment="$1" + local interfaces='eth0 eth1' + for interface in ${{interfaces}}; do + if ${{is_managment}}; then + dynamic_objects -n "LocalGateway" + dynamic_objects -n "LocalGatewayExternal" + dynamic_objects -n "LocalGatewayInternal" + else + local addr="$(ip addr show dev $interface | awk "/inet/{{print \$2; exit}}" | cut -d / -f 1)" + if [ "${{interface}}" == "eth0" ]; then + dynamic_objects -n "LocalGateway" -r "$addr" "$addr" -a + dynamic_objects -n "LocalGatewayExternal" -r "$addr" "$addr" -a + else + dynamic_objects -n "LocalGatewayInternal" -r "$addr" "$addr" -a + fi + fi + done +}} + + +function post_status() {{ + local is_success="$1" + local need_boot="$2" + local status + local value + local instance_id + + if "{hasInternet}" ; then + if "$is_success" ; then + status="success" + value="Success" + else + status="failure" + value="Failure" + fi + instance_id="$(get-cloud-data.sh computeMetadata/v1/instance/id)" + cat </etc/software-status + $FWDIR/scripts/gcp.py POST "{config_url}/variables" \ + --body '{{ + "name": "{config_path}/variables/status/$status/$instance_id", + "value": "$(echo $value | base64)" + }}' +EOF + fi + + create_dynamic_objects $installSecurityManagement + + if "$installSecurityGateway" ; then + + set_internal_static_routes + set_mgmt_if + + ########## + # DA Self update + + DAselfUpdateHappening=$(dbget installer:self_update_in_progress) + if [ "X$DAselfUpdateHappening" == "X1" ]; then + oldDApid=$(pidof DAService) + countdown=121 + while [ $((--countdown)) -gt 0 ] + do + sleep 1 + DApid=$(pidof DAService) + + if [ "${{DApid:-$oldDApid}}" -ne "$oldDApid" ]; then + break + fi + done + if [ $countdown -eq 0 ]; then + dbset installer:self_update_in_progress + fi + fi + + ########## + fi + + if [ "$installSecurityManagement" -a "Management only" = "{installationType}" ] ; then + public_ip="$(get-cloud-data.sh 
computeMetadata/v1/instance/network-interfaces/0/access-configs/0/external-ip)" + declare -i attempts=0 + declare -i max_attempts=80 + mgmt_cli -r true discard + result=$? + while [ $result -ne 0 ] && [ $attempts -lt $max_attempts ] + do + attempts=$attempts+1 + sleep 30 + mgmt_cli -r true discard + result=$? + done + generic_objects="$(mgmt_cli -r true show-generic-objects class-name com.checkpoint.objects.classes.dummy.CpmiHostCkp details-level full -f json)" + uid="$(echo $generic_objects | jq .objects | jq .[0] | jq .uid)" + if [ ! -z "$public_ip" ] && [ ! -z "${{uid:1:-1}}" ] ; then + mgmt_cli -r true set-generic-object uid $uid ipaddr $public_ip + fi + fi + + if "$need_boot" ; then + if [ "{enableMonitoring}" = "True" ] ; then + chkconfig --add gcp-statd + fi + shutdown -r now + else + service gcpd restart + if [ "{enableMonitoring}" = "True" ] ; then + chkconfig --add gcp-statd + service gcp-statd start + fi + fi +}} +clish -c 'set user admin shell {shell}' -s + +case "{installationType}" in +"Gateway only") + installSecurityGateway=true + gatewayClusterMember=false + installSecurityManagement=false + sicKey="{computed_sic_key}" + internalInterfaceNumber=1 + ;; +"Management only") + installSecurityGateway=false + installSecurityManagement=true + sicKey=notused + ;; +"Manual Configuration") + post_status true false + exit 0 + ;; +"Gateway and Management (Standalone)") + installSecurityGateway=true + installSecurityManagement=true + gatewayClusterMember=false + sicKey=notused + internalInterfaceNumber=1 + ;; +"Cluster") + installSecurityGateway=true + gatewayClusterMember=true + installSecurityManagement=false + sicKey="{sicKey}" + internalInterfaceNumber=2 + ;; +"AutoScale") + installSecurityGateway=true + gatewayClusterMember=false + installSecurityManagement=false + sicKey="{computed_sic_key}" + internalInterfaceNumber=1 + ;; +esac + +conf="install_security_gw=$installSecurityGateway" +if ${{installSecurityGateway}} ; then + conf="$conf&install_ppak=true" + 
blink_conf="gateway_cluster_member=$gatewayClusterMember" +fi +conf="$conf&install_security_managment=$installSecurityManagement" +if ${{installSecurityManagement}} ; then + if "$generatePassword" ; then + managementAdminPassword="$(get-cloud-data.sh \ + computeMetadata/v1/instance/attributes/adminPasswordSourceMetadata)" + conf="$conf&mgmt_admin_name=admin" + conf="$conf&mgmt_admin_passwd=$managementAdminPassword" + else + conf="$conf&mgmt_admin_radio=gaia_admin" + fi + + managementGUIClientNetwork="{managementGUIClientNetwork}" + conf="$conf&install_mgmt_primary=true" + + if [ "0.0.0.0/0" = "$managementGUIClientNetwork" ]; then + conf="$conf&mgmt_gui_clients_radio=any" + else + conf="$conf&mgmt_gui_clients_radio=network" + ManagementGUIClientBase="$(echo ${{managementGUIClientNetwork}} | \ + cut -d / -f 1)" + ManagementGUIClientMaskLength="$(echo ${{managementGUIClientNetwork}} | \ + cut -d / -f 2)" + conf="$conf&mgmt_gui_clients_ip_field=$ManagementGUIClientBase" + conf="$conf&mgmt_gui_clients_subnet_field=$ManagementGUIClientMaskLength" + fi + +fi + +blink_conf="$blink_conf&ftw_sic_key=$sicKey" +blink_conf="$blink_conf&download_info=$allowUploadDownload" +blink_conf="$blink_conf&upload_info=$allowUploadDownload" + +conf="$conf&$blink_conf" + +if "$generatePassword" ; then + blink_password="$(get-cloud-data.sh \ + computeMetadata/v1/instance/attributes/adminPasswordSourceMetadata)" +else + blink_password="$(dd if=/dev/urandom count=1 \ + 2>/dev/null | sha256sum | cut -c -28)" +fi +blink_conf="$blink_conf&admin_password_regular=$blink_password" + +if [ "Gateway only" = "{installationType}" ] || [ "Cluster" = "{installationType}" ] || [ "AutoScale" = "{installationType}" ]; then + config_cmd="blink_config -s $blink_conf" +else + config_cmd="config_system -s $conf" +fi + +if ${{config_cmd}} ; then + if "$installSecurityManagement" ; then + post_status true "$installSecurityGateway" + elif [ "Cluster" = "{installationType}" ] ; then + 
mgmt_subnet_gw="$(get-cloud-data.sh computeMetadata/v1/instance/network-interfaces/1/gateway)" + sed -i 's/__CLUSTER_PUBLIC_IP_NAME__/'"{primary_cluster_address_name}"'/g' /etc/fw/conf/gcp-ha.json + sed -i 's/__SECONDARY_PUBLIC_IP_NAME__/'"{secondary_cluster_address_name}"'/g' /etc/fw/conf/gcp-ha.json + clish -c 'set static-route '"{managementNetwork}"' nexthop gateway address '"$mgmt_subnet_gw"' on' -s + post_status true true + else + post_status true false + fi +else + post_status false false +fi + +''' + + +def make_gw(context, name, zone, nics, passwd=None, depends_on=None): + cg_version = context.properties['ha_version'].split(' ')[0] + if 'gw' in VERSIONS[cg_version]: + license_name = "{}-{}".format(LICENSE, LICENCE_TYPE) + else: + license_name = LICENSE + family = '-'.join(['check-point', VERSIONS[cg_version], license_name]) + formatter = common.DefaultFormatter() + + gw = { + 'type': default.INSTANCE, + 'name': name, + 'metadata': { + 'dependsOn': depends_on + }, + 'properties': { + 'description': 'CloudGuard Highly Available Security Cluster', + 'zone': zone, + 'tags': { + 'items': [GATEWAY], + }, + 'machineType': common.MakeLocalComputeLink( + context, default.MACHINETYPE, zone), + 'canIpForward': True, + 'networkInterfaces': nics, + 'disks': [{ + 'autoDelete': True, + 'boot': True, + 'deviceName': common.set_name_and_truncate( + context.properties['deployment'], + '-{}-boot'.format(name)), + 'initializeParams': { + 'diskType': common.MakeLocalComputeLink( + context, default.DISKTYPE, zone), + 'diskSizeGb': context.properties['bootDiskSizeGb'], + 'sourceImage': + 'projects/%s/global/images/%s' % ( + PROJECT, images.IMAGES[family]), + }, + 'type': 'PERSISTENT', + }], + 'metadata': { + 'items': [ + { + 'key': 'startup-script', + 'value': formatter.format( + startup_script, **context.properties) + } + ] + }, + 'serviceAccounts': [{ + 'email': 'default', + 'scopes': [ + 'https://www.googleapis.com/auth/monitoring.write', + 
'https://www.googleapis.com/auth/compute', + 'https://www.googleapis.com/auth/cloudruntimeconfig' + ], + }] + } + } + + if 'instanceSSHKey' in context.properties: + gw['properties']['metadata']['items'].append( + { + 'key': 'instanceSSHKey', + 'value': context.properties['instanceSSHKey'] + } + ) + + if passwd: + gw['properties']['metadata']['items'].append( + { + 'key': 'adminPasswordSourceMetadata', + 'value': passwd + } + ) + + return gw + + +def make_access_config(ip, name=None): + access_config = { + 'type': default.ONE_NAT, + 'natIP': ip + } + + if name: + access_config['name'] = name + + return access_config + + +def make_static_address(prop, name): + address = { + 'name': name, + 'type': default.ADDRESS, + 'properties': { + 'name': name, + 'region': prop['region'] + } + } + + return address + + +def create_external_addresses(prop, resources, member_a_nics, member_b_nics): + member_a_address_name = common.set_name_and_truncate( + prop['deployment'], '-member-a-address') + member_b_address_name = common.set_name_and_truncate( + prop['deployment'], '-member-b-address') + + prop['member_a_address_name'] = member_a_address_name + prop['member_b_address_name'] = member_b_address_name + + member_a_address = make_static_address(prop, member_a_address_name) + member_b_address = make_static_address(prop, member_b_address_name) + + resources += [member_a_address, member_b_address] + + member_a_nics[MGMT_NIC]['accessConfigs'] = [make_access_config( + '$(ref.{}.address)'.format(member_a_address_name))] + member_b_nics[MGMT_NIC]['accessConfigs'] = [make_access_config( + '$(ref.{}.address)'.format(member_b_address_name))] + + primary_cluster_address_name = common.set_name_and_truncate( + prop['deployment'], '-primary-cluster-address') + secondary_cluster_address_name = common.set_name_and_truncate( + prop['deployment'], '-secondary-cluster-address') + + primary_cluster_address = make_static_address( + prop, primary_cluster_address_name) + secondary_cluster_address = 
make_static_address( + prop, secondary_cluster_address_name) + + resources += [primary_cluster_address, secondary_cluster_address] + + prop['primary_cluster_address_name'] = primary_cluster_address_name + prop['secondary_cluster_address_name'] = secondary_cluster_address_name + + +def make_nic(prop, net_name, subnet_name): + network_interface = { + 'network': ''.join([default.COMPUTE_URL_BASE, 'projects/', + prop['project'], '/global/networks/', + net_name]), + 'subnetwork': ''.join([default.COMPUTE_URL_BASE, 'projects/', + prop['project'], '/regions/', prop['region'], + '/subnetworks/', subnet_name]) + } + + return network_interface + + +def make_subnet(prop, name, net_name, cidr, private_google_access=False): + subnet = { + 'type': default.VPC_SUBNET, + 'name': name, + 'metadata': { + 'dependsOn': [net_name] + }, + 'properties': { + 'network': 'projects/{}/global' + '/networks/{}'.format(prop['project'], net_name), + 'region': prop['region'], + 'ipCidrRange': cidr, + 'privateIpGoogleAccess': private_google_access, + 'enableFlowLogs': False + } + } + + return subnet + + +def make_net(name): + net = { + 'type': default.VPC, + 'name': name, + 'properties': { + 'autoCreateSubnetworks': False + } + } + + return net + + +def get_or_create_net(prop, name, resources, gw_dependencies, + private_google_access=False, create_firewall=False): + net_cidr = prop.get(name + '-cidr') + + if net_cidr: + net_name = '{}-{}'.format(prop['deployment'][:20], name) + subnet_name = '{}-subnet'.format(net_name) + net = make_net(net_name) + subnet = make_subnet( + prop, subnet_name, net_name, net_cidr, private_google_access) + + resources += [net, subnet] + gw_dependencies.append(subnet_name) + else: + net_name = prop.get(name + '-name') + subnet_name = prop.get(name + '-subnetwork-name') + if not subnet_name: + raise common.Error( + 'Network {} is missing.'.format(net_name.split('-'))) + + if create_firewall: + firewall_rules = create_firewall_rules(prop, name, net_name, net_cidr) + if 
firewall_rules: + resources.extend(firewall_rules) + + return net_name, subnet_name + + +def create_firewall_rules(prop, net_prop_name, net_name, net_cidr): + deployment = prop['deployment'] + firewall_rules = [] + protocols = ['Icmp', 'Udp', 'Tcp', 'Sctp', 'Esp'] + for protocol in protocols: + proto = protocol.lower() + source_ranges = prop.get(net_prop_name + '_' + proto + + 'SourceRanges', '') + protocol_enabled = prop.get(net_prop_name + '_enable' + protocol, '') + if protocol_enabled and source_ranges: + firewall_rules.append( + make_firewall_rule(proto, source_ranges, deployment, + net_prop_name, net_name, net_cidr)) + + return firewall_rules + + +def make_firewall_rule(protocol, source_ranges, deployment, net_prop_name, + net_name, net_cidr): + fw_rule_name = '%s-%s-%s' % (deployment[:40], net_prop_name, protocol) + ranges_list = source_ranges.split(',') + ranges = [] + for source_range in ranges_list: + ranges.append(source_range.replace(" ", "")) + firewall_rule = { + 'type': default.FIREWALL, + 'name': fw_rule_name, + 'properties': { + 'network': 'global/networks/' + net_name, + 'sourceRanges': ranges, + 'targetTags': [GATEWAY], + 'allowed': [{'IPProtocol': protocol}], + } + } + + if net_cidr: + firewall_rule['metadata'] = { + 'dependsOn': [net_name] + } + + return firewall_rule + + +def add_readiness_waiter(prop, resources): + deployment_config = common.set_name_and_truncate( + prop['deployment'], '-config') + + prop['config_path'] = 'projects/{}/configs/{}'.format( + prop['project'], deployment_config) + prop['config_url'] = ( + 'https://runtimeconfig.googleapis.com/v1beta1/{}'.format( + prop['config_path'])) + + resources.append( + { + 'name': deployment_config, + 'type': 'runtimeconfig.v1beta1.config', + 'properties': { + 'config': deployment_config, + 'description': ( + 'Holds software readiness status ' + 'for deployment {}').format(prop['deployment']) + } + } + ) + + resources.append( + { + 'name': common.set_name_and_truncate( + 
prop['deployment'], '-software'), + 'type': 'runtimeconfig.v1beta1.waiter', + 'metadata': { + 'dependsOn': [], + }, + 'properties': { + 'parent': '$(ref.{}.name)'.format(deployment_config), + 'waiter': 'software', + 'timeout': '1800s', + 'success': { + 'cardinality': { + 'number': 2, + 'path': 'status/success', + }, + }, + 'failure': { + 'cardinality': { + 'number': 1, + 'path': 'status/failure', + }, + }, + }, + } + ) + + +def validate_same_region(zone_a, zone_b): + if not common.ZoneToRegion(zone_a) == common.ZoneToRegion(zone_b): + raise common.Error('Member A Zone ({}) and Member B Zone ({}) ' + 'are not in the same region'.format(zone_a, zone_b)) + + +@common.FormatErrorsDec +def generate_config(context): + prop = context.properties + + validate_same_region(prop['zoneA'], prop['zoneB']) + + prop['deployment'] = context.env['deployment'] + prop['project'] = context.env['project'] + prop['region'] = common.ZoneToRegion(prop['zoneA']) + prop['templateName'] = TEMPLATE_NAME + prop['templateVersion'] = TEMPLATE_VERSION + prop['allowUploadDownload'] = str(prop['allowUploadDownload']).lower() + prop['hasInternet'] = 'true' # via Google Private Access + prop['installationType'] = 'Cluster' + + resources = [] + outputs = [] + gw_dependencies = [] + member_a_nics = [] + + add_readiness_waiter(prop, resources) + + cluster_net_name, cluster_subnet_name = get_or_create_net( + prop, CLUSTER_NET_FIELD, resources, gw_dependencies, True, True) + member_a_nics.append(make_nic(prop, cluster_net_name, cluster_subnet_name)) + + mgmt_net_name, mgmt_subnet_name = get_or_create_net( + prop, MGMT_NET_FIELD, resources, gw_dependencies, False, True) + member_a_nics.append(make_nic(prop, mgmt_net_name, mgmt_subnet_name)) + + for ifnum in range(1, prop['numInternalNetworks'] + 1): + int_net_name, int_subnet_name = get_or_create_net( + prop, INTERNAL_NET_FIELD.format(ifnum), resources, + gw_dependencies) + member_a_nics.append(make_nic(prop, int_net_name, int_subnet_name)) + + 
member_b_nics = copy.deepcopy(member_a_nics) + + create_external_addresses(prop, resources, member_a_nics, member_b_nics) + + member_a_name = common.set_name_and_truncate( + prop['deployment'], '-member-a') + member_b_name = common.set_name_and_truncate( + prop['deployment'], '-member-b') + + if prop['generatePassword']: + passwd = password.GeneratePassword(12, False) + else: + passwd = '' + + member_a = make_gw(context, member_a_name, prop['zoneA'], + member_a_nics, passwd, gw_dependencies) + member_b = make_gw(context, member_b_name, prop['zoneB'], + member_b_nics, passwd, gw_dependencies) + + resources += [member_a, member_b] + + outputs += [ + { + 'name': 'deployment', + 'value': prop['deployment'] + }, + { + 'name': 'project', + 'value': prop['project'] + }, + { + 'name': 'clusterIP', + 'value': '$(ref.{}.address)'.format( + prop['primary_cluster_address_name']) + }, + { + 'name': 'vmAName', + 'value': member_a_name, + }, + { + 'name': 'vmAExternalIP', + 'value': '$(ref.{}.address)'.format(prop['member_a_address_name']) + }, + { + 'name': 'vmASelfLink', + 'value': '$(ref.{}.selfLink)'.format(member_a_name), + }, + { + 'name': 'vmBName', + 'value': member_b_name, + }, + { + 'name': 'vmBExternalIP', + 'value': '$(ref.{}.address)'.format(prop['member_b_address_name']) + }, + { + 'name': 'vmBSelfLink', + 'value': '$(ref.{}.selfLink)'.format(member_b_name), + }, + { + 'name': 'password', + 'value': passwd + } + ] + + return common.MakeResource(resources, outputs) diff --git a/deprecated/gcp/R80.30/ha-byol-R80.30/check-point-cluster--byol.py.schema b/deprecated/gcp/R80.30/ha-byol-R80.30/check-point-cluster--byol.py.schema new file mode 100644 index 00000000..eb2ddcb9 --- /dev/null +++ b/deprecated/gcp/R80.30/ha-byol-R80.30/check-point-cluster--byol.py.schema 
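Review bot: In `get_or_create_net`, the missing-network error path dereferences `net_name` before checking it: when neither `<name>-cidr` nor `<name>-name` is supplied, `prop.get(name + '-name')` is `None` and `net_name.split('-')` raises `AttributeError` instead of the intended `common.Error`, and even when `net_name` is set the message embeds a Python list; change the check to `if not net_name or not subnet_name:` and the message to `raise common.Error('Network {} is missing.'.format(name))`. In `make_firewall_rule`, `'allowed': [{'IPProtocol': protocol}]` carries no `ports` key, so enabling TCP or UDP with a broad source range admits every port of that protocol to all `checkpoint-gateway`-tagged instances; a comment on that line, `# No 'ports' restriction: the rule admits every port of this protocol from source_ranges`, would make that explicit for anyone editing the defaults. In `generate_config`, the admin password from `password.GeneratePassword` is written to instance metadata as `adminPasswordSourceMetadata` and also returned verbatim in the `password` output, so it is presumably readable by anyone who can view the deployment or the instance metadata; a docstring sentence noting both exposure points would help operators decide on rotation after first login.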
@@ -0,0 +1,384 @@ +imports: + - path: check-point-cluster--byol.py + +info: + version: 1.0 + title: Check Point CloudGuard Network Security Cluster - BYOL Template + +required: + - zoneA + - zoneB + - machineType + - diskType + - bootDiskSizeGb + - sicKey + - managementNetwork + - allowUploadDownload + - shell + - generatePassword + - enableMonitoring + - numInternalNetworks + +properties: + zoneA: + type: string + default: us-central1-a + x-googleProperty: + type: GCE_ZONE + zoneB: + type: string + default: us-central1-a + x-googleProperty: + type: GCE_ZONE + machineType: + type: string + default: n1-standard-4 + x-googleProperty: + type: GCE_MACHINE_TYPE + zoneProperty: zoneA + gceMachineType: + minCpu: 2 + minRamGb: 1.843000054359436 + instanceSSHKey: + type: string + pattern: ^([0-9a-z\-]+ +[0-9A-Za-z/\+=]+( .*)?|)$ + default: '' + diskType: + type: string + default: pd-ssd + x-googleProperty: + type: GCE_DISK_TYPE + zoneProperty: zoneA + bootDiskSizeGb: + type: integer + maximum: 1000 + default: 100 + minimum: 100 + x-googleProperty: + type: GCE_DISK_SIZE + gceDiskSize: + diskTypeProperty: diskType + ha_version: + type: string + default: R81.10 Cluster + enum: + - R80.30 Cluster + enableMonitoring: + type: boolean + default: False + sicKey: + type: string + pattern: ^([a-z0-9A-Z]{8,30})$ + default: '' + managementNetwork: + type: string + default: '' + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$ + generatePassword: + type: boolean + default: False + allowUploadDownload: + type: boolean + default: False + shell: + type: string + default: /etc/cli.sh + enum: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + cluster-network-cidr: + type: string + default: '10.0.0.0/24' + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + cluster-network-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + cluster-network-subnetwork-name: + type: string + 
x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: cluster-network-name + cluster-network_enableIcmp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: cluster-network-name + cluster-network_icmpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: cluster-network_enableIcmp + cluster-network_enableTcp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: cluster-network-name + cluster-network_tcpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: cluster-network_enableTcp + cluster-network_enableUdp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: cluster-network-name + cluster-network_udpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: cluster-network_enableUdp + cluster-network_enableSctp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: cluster-network-name + cluster-network_sctpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: cluster-network_enableSctp + cluster-network_enableEsp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: cluster-network-name + cluster-network_espSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: cluster-network_enableEsp + mgmt-network-cidr: + type: string + default: '10.0.1.0/24' + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + mgmt-network-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + 
mgmt-network-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: mgmt-network-name + mgmt-network_enableIcmp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: mgmt-network-name + mgmt-network_icmpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: mgmt-network_enableIcmp + mgmt-network_enableTcp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: mgmt-network-name + mgmt-network_tcpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: mgmt-network_enableTcp + mgmt-network_enableUdp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: mgmt-network-name + mgmt-network_udpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: mgmt-network_enableUdp + mgmt-network_enableSctp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: mgmt-network-name + mgmt-network_sctpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: mgmt-network_enableSctp + mgmt-network_enableEsp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: mgmt-network-name + mgmt-network_espSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: mgmt-network_enableEsp + numInternalNetworks: + type: integer + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + minimum: 1 + maximum: 6 + default: 1 + internal-network1-cidr: + type: string + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + default: '10.0.2.0/24' + 
internal-network1-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + internal-network1-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: internal-network1-name + internal-network2-cidr: + type: string + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + default: '' + internal-network2-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + internal-network2-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: internal-network2-name + internal-network3-cidr: + type: string + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + default: '' + internal-network3-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + internal-network3-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: internal-network3-name + internal-network4-cidr: + type: string + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + default: '' + internal-network4-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + internal-network4-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: internal-network4-name + internal-network5-cidr: + type: string + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + default: '' + internal-network5-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + internal-network5-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: internal-network5-name + 
internal-network6-cidr: + type: string + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + default: '' + internal-network6-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + internal-network6-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: internal-network6-name + +outputs: + deployment: + type: string + project: + type: string + clusterIP: + type: string + vmAName: + type: string + vmAExternalIP: + type: string + vmASelfLink: + type: string + vmBName: + type: string + vmBExternalIP: + type: string + vmBSelfLink: + type: string + password: + type: string + ha_version: + type: string diff --git a/deprecated/gcp/R80.30/ha-byol-R80.30/common.py b/deprecated/gcp/R80.30/ha-byol-R80.30/common.py new file mode 100644 index 00000000..e123c502 --- /dev/null +++ b/deprecated/gcp/R80.30/ha-byol-R80.30/common.py 
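Review bot: `ha_version` declares `default: R81.10 Cluster` but its `enum` only permits `R80.30 Cluster`, so the default value is outside the allowed set, and if it were accepted `VERSIONS['R81.10']` in `make_gw` would raise `KeyError` because the template only maps `R80.30`; change the default to `default: R80.30 Cluster`. `ha_version` is also listed under `outputs`, yet `generate_config` emits no output of that name, so either drop the entry or add the output in the template.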
@@ -0,0 +1,262 @@ +# Copyright 2015 Google Inc. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +"""Generic simple functions used for python based template generation.""" + +import re +import sys +import traceback +import default +import string + +import yaml + +RFC1035_RE = re.compile(r'^[a-z][-a-z0-9]{1,61}[a-z0-9]{1}$') + + +class Error(Exception): + """Common exception wrapper for template exceptions.""" + pass + + +class DefaultFormatter(string.Formatter): + """Returns default instead of key error when looking for keys. + + Used for startup-script which contains params from multiple deployments + whiles keys from one deployment may not be set in another. 
+ """ + def __init__(self, default=''): + self.default = default + def get_value(self, key, args, dict): + if isinstance(key, str): + return dict.get(key, self.default) + else: + return string.Formatter.get_value(key, args, dict) + + +def set_name_and_truncate(primary, secondary, maxlength=62): + return '%s%s' % (primary[:maxlength - len(secondary)], secondary) + + +def AddDiskResourcesIfNeeded(context): + """Checks context if disk resources need to be added.""" + if default.DISK_RESOURCES in context.properties: + return context.properties[default.DISK_RESOURCES] + else: + return [] + + +def AutoName(base, resource, *args): + """Helper method to generate names automatically based on default.""" + auto_name = '%s-%s' % (base, '-'.join(list(args) + [default.AKA[resource]])) + if not RFC1035_RE.match(auto_name): + raise Error('"%s" name for type %s does not match RFC1035 regex (%s)' % + (auto_name, resource, RFC1035_RE.pattern)) + return auto_name + + +def AutoRef(base, resource, *args): + """Helper method that builds a reference for an auto-named resource.""" + return Ref(AutoName(base, resource, *args)) + + +def OrderedItems(dict_obj): + """Convenient method to yield sorted iteritems of a dictionary.""" + keys = list(dict_obj.keys()) + keys.sort() + for k in keys: + yield (k, dict_obj[k]) + + +def ShortenZoneName(zone): + """Given a string that looks like a zone name, creates a shorter version.""" + geo, coord, number, letter = re.findall(r'(\w+)-(\w+)(\d)-(\w)', zone)[0] + geo = geo.lower() if len(geo) == 2 else default.LOC[geo.lower()] + coord = default.LOC[coord.lower()] + number = str(number) + letter = letter.lower() + return geo + '-' + coord + number + letter + + +def ZoneToRegion(zone): + """Derives the region from a zone name.""" + parts = zone.split('-') + if len(parts) != 3: + raise Error('Cannot derive region from zone "%s"' % zone) + return '-'.join(parts[:2]) + + +def FormatException(message): + """Adds more information to the exception.""" + message = 
('Exception Type: %s\n' + 'Details: %s\n' + 'Message: %s\n') % (sys.exc_info()[0], + traceback.format_exc(), message) + return message + + +def Ref(name): + return '$(ref.%s.selfLink)' % name + + +def RefGroup(name): + return '$(ref.%s.instanceGroup)' % name + + +def GlobalComputeLink(project, collection, name): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/global/', + collection, '/', name]) + +def GlobalNetworkLink(project, network): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/global/', + default.NETWORKS, '/', network]) + + +def LocalComputeLink(project, zone, key, value): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/zones/', + zone, '/', key, '/', value]) + + +def ReadContext(context, prop_key): + return (context.env['project'], context.properties.get('zone', None), + context.properties[prop_key]) + + +def MakeLocalComputeLink(context, key, zone=None): + if not zone: + project, zone, value = ReadContext(context, key) + else: + project, _, value = ReadContext(context, key) + + if IsComputeLink(value): + return value + else: + return LocalComputeLink(project, zone, key + 's', value) + + +def MakeGlobalComputeLink(context, key): + project, _, value = ReadContext(context, key) + if IsComputeLink(value): + return value + else: + return GlobalComputeLink(project, key + 's', value) + +def MakeRegionalSubnetworkLink(project, zone, subnet): + region = ZoneToRegion(zone) + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/regions/', + region, '/subnetworks/', subnet]) + + +def MakeSubnetworkComputeLink(context, key): + project, zone, value = ReadContext(context, key) + region = ZoneToRegion(zone) + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/regions/', + region, '/subnetworks/', value]) + + +def MakeFQHN(context, name): + return '%s.c.%s.internal' % (name, context.env['project']) + + +# TODO(victorg): Consider moving this method to a different file +def 
MakeC2DImageLink(name, dev_mode=False): + if IsGlobalProjectShortcut(name) or name.startswith('http'): + return name + else: + if dev_mode: + return 'global/images/%s' % name + else: + return GlobalComputeLink(default.C2D_IMAGES, 'images', name) + + +def IsGlobalProjectShortcut(name): + return name.startswith('projects/') or name.startswith('global/') + + +def IsComputeLink(name): + return (name.startswith(default.COMPUTE_URL_BASE) or + name.startswith(default.REFERENCE_PREFIX)) + + +def GetNamesAndTypes(resources_dict): + return [(d['name'], d['type']) for d in resources_dict] + + +def SummarizeResources(res_dict): + """Summarizes the name of resources per resource type.""" + result = {} + for res in res_dict: + result.setdefault(res['type'], []).append(res['name']) + return result + + +def ListPropertyValuesOfType(res_dict, prop, res_type): + """Lists all the values for a property of a certain type.""" + return [r['properties'][prop] for r in res_dict if r['type'] == res_type] + + +def MakeResource(resource_list, output_list=None): + """Wrapper for a DM template basic spec.""" + content = {'resources': resource_list} + if output_list: + content['outputs'] = output_list + return yaml.dump(content) + + +def TakeZoneOut(properties): + """Given a properties dictionary, removes the zone specific information.""" + + def _CleanZoneUrl(value): + value = value.split('/')[-1] if IsComputeLink(value) else value + return value + + for name in default.VM_ZONE_PROPERTIES: + if name in properties: + properties[name] = _CleanZoneUrl(properties[name]) + if default.ZONE in properties: + properties.pop(default.ZONE) + if default.BOOTDISK in properties: + properties[default.BOOTDISK] = _CleanZoneUrl(properties[default.BOOTDISK]) + if default.DISKS in properties: + for disk in properties[default.DISKS]: + # Don't touch references to other disks + if default.DISK_SOURCE in disk: + continue + if default.INITIALIZEP in disk: + disk_init = disk[default.INITIALIZEP] + if default.DISKTYPE 
in disk_init: + disk_init[default.DISKTYPE] = _CleanZoneUrl(disk_init[default.DISKTYPE]) + + +def GenerateEmbeddableYaml(yaml_string): + # Because YAML is a space delimited format, we need to be careful about + # embedding one YAML document in another. This function takes in a string in + # YAML format and produces an equivalent YAML representation that can be + # inserted into arbitrary points of another YAML document. It does so by + # printing the YAML string in a single line format. Consistent ordering of + # the string is also guaranteed by using yaml.dump. + yaml_object = yaml.load(yaml_string) + dumped_yaml = yaml.dump(yaml_object, default_flow_style=True) + return dumped_yaml + + +def FormatErrorsDec(func): + """Decorator to format exceptions if they get raised.""" + + def FormatErrorsWrap(context): + try: + return func(context) + except Exception as e: + raise Error(FormatException(e.message)) + + return FormatErrorsWrap diff --git a/deprecated/gcp/R80.30/ha-byol-R80.30/config.yaml b/deprecated/gcp/R80.30/ha-byol-R80.30/config.yaml new file mode 100644 index 00000000..bac60311 --- /dev/null +++ b/deprecated/gcp/R80.30/ha-byol-R80.30/config.yaml 
@@ -0,0 +1,69 @@ +imports: +- path: check-point-cluster--byol.py +- path: common.py +- path: default.py +- path: password.py +- path: images.py + +resources: +- name: check-point-cluster--byol + type: check-point-cluster--byol.py + properties: + ha_version: "PLEASE ENTER HA VERSION" + zoneA: "PLEASE ENTER ZONE A" + zoneB: "PLEASE ENTER ZONE B. MUST BE EQUAL TO ZONE A" + machineType: "PLEASE ENTER A MACHINE TYPE" + diskType: "PLEASE ENTER A DISK TYPE" + bootDiskSizeGb: "PLEASE ENTER A DISK SIZE" + instanceSSHKey: "PLEASE ENTER A VALID PUBLIC KEY" + enableMonitoring: "PLEASE ENTER true or false" + managementNetwork: "PLEASE ENTER MANAGEMENT IP" + sicKey: "PLEASE ENTER A SIC KEY" + generatePassword: "PLEASE ENTER true or false" + allowUploadDownload: "PLEASE ENTER true or false" + shell: "PLEASE ENTER A SHELL" + cluster-network-cidr: "PLEASE ENTER CLUSTER NETWORK CIDR" + cluster-network-name: "PLEASE ENTER CLUSTER NETWORK ID" + cluster-network-subnetwork-name: "PLEASE ENTER CLUSTER SUBNETWORK ID" + cluster-network_enableIcmp: "PLEASE ENTER true or false" + cluster-network_icmpSourceRanges: "PLEASE ENTER ICMP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES" + cluster-network_enableTcp: "PLEASE ENTER true or false" + cluster-network_tcpSourceRanges: "PLEASE ENTER TCP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES" + cluster-network_enableUdp: "PLEASE ENTER true or false" + cluster-network_udpSourceRanges: "PLEASE ENTER UDP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES" + cluster-network_enableSctp: "PLEASE ENTER true or false" + cluster-network_sctpSourceRanges: "PLEASE ENTER SCTP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES" + cluster-network_enableEsp: "PLEASE ENTER true or false" + cluster-network_espSourceRanges: "PLEASE ENTER ESP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES" + mgmt-network-cidr: "PLEASE ENTER MANAGEMENT NETWORK CIDR" + mgmt-network-name: "PLEASE ENTER MANAGEMENT NETWORK ID" + mgmt-network-subnetwork-name: "PLEASE ENTER MANAGEMENT SUBNETWORK ID" + 
mgmt-network_enableIcmp: "PLEASE ENTER true or false" + mgmt-network_icmpSourceRanges: "PLEASE ENTER ICMP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES" + mgmt-network_enableTcp: "PLEASE ENTER true or false" + mgmt-network_tcpSourceRanges: "PLEASE ENTER TCP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES" + mgmt-network_enableUdp: "PLEASE ENTER true or false" + mgmt-network_udpSourceRanges: "PLEASE ENTER UDP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES" + mgmt-network_enableSctp: "PLEASE ENTER true or false" + mgmt-network_sctpSourceRanges: "PLEASE ENTER SCTP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES" + mgmt-network_enableEsp: "PLEASE ENTER true or false" + mgmt-network_espSourceRanges: "PLEASE ENTER ESP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES" + #Define additional NICs networks and subnetworks according the defined numAdditionalNICs value + #If there is no need in additional NICs remove additionalNetwork1 and additionalSubnetwork1 variables + numInternalNetworks: "PLEASE ENTER A NUMBER OF ADDITIONAL NICS" + internal-network1-cidr: "PLEASE ENTER 1ST INTERNAL NETWORK CIDR" + internal-network1-name: "PLEASE ENTER 1ST INTERNAL NETWORK ID" + internal-network1-subnetwork-name: "PLEASE ENTER INTERNAL SUBNETWORK ID" +outputs: +- name: "Deployment" + value: $(ref.check-point-cluster--byol.deployment) +- name: "Cluster IP external address" + value: $(ref.check-point-cluster--byol.clusterIP) +- name: "Member A" + value: $(ref.check-point-cluster--byol.vmAName) +- name: "Member A external IP" + value: $(ref.check-point-cluster--byol.vmAExternalIP) +- name: "Member B" + value: $(ref.check-point-cluster--byol.vmBName) +- name: "Member B external IP" + value: $(ref.check-point-cluster--byol.vmBExternalIP) \ No newline at end of file diff --git a/deprecated/gcp/R80.30/ha-byol-R80.30/default.py b/deprecated/gcp/R80.30/ha-byol-R80.30/default.py new file mode 100644 index 00000000..0c7dd919 --- /dev/null +++ b/deprecated/gcp/R80.30/ha-byol-R80.30/default.py 
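Review bot: The comment block just before `numInternalNetworks` names keys that do not exist in this file — it speaks of `numAdditionalNICs`, `additionalNetwork1` and `additionalSubnetwork1`, while the keys actually defined below it are `numInternalNetworks`, `internal-network1-cidr`, `internal-network1-name` and `internal-network1-subnetwork-name` — so a user following it will either look for a missing key or remove the wrong ones. I would reword it to `#Define additional internal networks and subnetworks according to the numInternalNetworks value` and `#If no additional NICs are needed, remove the internal-network1-* variables`. Since `sicKey` (a one-time trust secret) and `instanceSSHKey` are filled in directly in this file, a one-line comment warning not to commit a populated config.yaml to source control would also be worth adding next to them.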
@@ -0,0 +1,134 @@
+# Copyright 2015 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Convenience module to hold default constants for C2D components.
+
+There should not be any logic in this module. Its purpose is to simplify
+analysis of commonly used GCP and properties names and identify the names
+that were custom created for these modules.
+"""
+# Generic constants
+C2D_IMAGES = 'click-to-deploy-images'
+
+# URL constants
+COMPUTE_URL_BASE = 'https://www.googleapis.com/compute/v1/'
+
+# Deployment Manager constructs
+REFERENCE_PREFIX = '$(ref.'
+
+# Commonly used in properties namespace
+AUTO_DELETE = 'autoDelete'
+BOOTDISK = 'bootDiskType'
+BOOTDISKSIZE = 'bootDiskSizeGb'
+C_IMAGE = 'containerImage'
+DC_MANIFEST = 'dcManifest'
+DEPLOYMENT = 'DEPLOYMENT' # used in the deployment coordinator
+DISK_NAME = 'diskName'
+DISK_RESOURCES = 'addedDiskResources'
+DISK_SOURCE = 'source'
+ENDPOINT_NAME = 'serviceRegistryEndpointName'
+FIXED_GCLOUD = 'fixedGcloud'
+GENERATED_PROP = 'generatedProperties'
+INITIALIZEP = 'initializeParams'
+INSTANCE_NAME = 'instanceName'
+LOCAL_SSD = 'localSSDs'
+MAX_NUM = 'maxNumReplicas'
+NETWORKS = 'networks'
+NO_SCOPE = 'noScope'
+PROVIDE_BOOT = 'provideBoot'
+REPLICAS = 'replicas'
+SIZE = 'size'
+VM_COPIES = 'numberOfVMReplicas'
+ZONES = 'zones'
+
+# Common properties values (only official GCP values allowed here)
+EXTERNAL = 'External NAT'
+ONE_NAT = 'ONE_TO_ONE_NAT'
+
+# Common 1st level properties (only official GCP names allowed here)
+CAN_IP_FWD = 'canIpForward'
+CONTAINER = 'container'
+DCKRENV = 'dockerEnv'
+DCKRIMAGE = 'dockerImage'
+DEFAULT_SERVICE = 'defaultService'
+DEVICE_NAME = 'deviceName'
+DISKS = 'disks'
+DISK_SIZE = 'diskSizeGb'
+DISKTYPE = 'diskType'
+HEALTH_PATH = 'healthPath'
+HOST_RULES = 'hostRules'
+IP_PROTO = 'IPProtocol'
+MACHINETYPE = 'machineType'
+METADATA = 'metadata'
+NAME = 'name'
+NETWORK = 'network'
+NETWORKS = 'networks'
+SUBNETWORK = 'subnetwork'
+PATH_MATCHERS = 'pathMatchers'
+PORT = 'port'
+PROJECT = 'project'
+SERVICE = 'service'
+SERVICE_ACCOUNTS = 'serviceAccounts'
+SRCIMAGE = 'sourceImage'
+SRC_RANGES = 'sourceRanges'
+TAGS = 'tags'
+TYPE = 'type'
+VM_TEMPLATE = 'instanceTemplate'
+ZONE = 'zone'
+
+# Zone specfic VM properties
+VM_ZONE_PROPERTIES = [DISKTYPE, MACHINETYPE, BOOTDISK]
+
+# Resource type defaults names
+ADDRESS = 'compute.v1.address'
+AUTOSCALER = 'compute.v1.autoscaler'
+BACKEND_SERVICE = 'compute.v1.backendService'
+DISK = 'compute.v1.disk'
+ENDPOINT = 'serviceregistry.v1alpha.endpoint'
+FIREWALL = 'compute.v1.firewall'
+GF_RULE = 'compute.v1.globalForwardingRule'
+HEALTHCHECK = 'compute.v1.httpHealthCheck'
+IGM = 'compute.v1.instanceGroupManager'
+INSTANCE = 'compute.v1.instance'
+PROXY = 'compute.v1.targetHttpProxy'
+TEMPLATE = 'compute.v1.instanceTemplate'
+REGION_IGM = 'compute.v1.regionInstanceGroupManager'
+REGION_AUTOSCALER = 'compute.v1.regionAutoscaler'
+URL_MAP = 'compute.v1.urlMap'
+VPC='compute.v1.network'
+VPC_SUBNET='compute.v1.subnetwork'
+
+# Also Known As constants
+AKA = {
+ TEMPLATE: 'tmplt',
+ AUTOSCALER: 'as',
+ BACKEND_SERVICE: 'bes',
+ DISK: 'disk',
+ FIREWALL: 'fwall',
+ GF_RULE: 'ip',
+ HEALTHCHECK: 'hc',
+ INSTANCE: 'vm',
+ PROXY: 'tproxy',
+ IGM: 'igm',
+ URL_MAP: 'umap',
+}
+
+LOC = {
+ 'europe': 'eu',
+ 'asia': 'as',
+ 'central': 'c',
+ 'east': 'e',
+ 'west': 'w',
+ 'north': 'n',
+ 'south': 's',
+}
diff --git a/deprecated/gcp/R80.30/ha-byol-R80.30/images.py b/deprecated/gcp/R80.30/ha-byol-R80.30/images.py
new file mode 100644
index 00000000..2811fa30
--- /dev/null
+++ b/deprecated/gcp/R80.30/ha-byol-R80.30/images.py
@@ -0,0 +1,10 @@
+IMAGES = {
+ "check-point-r8030-payg": "check-point-r8030-payg-200-773-v20201208",
+ "check-point-r8030-gw-payg-single": "check-point-r8030-gw-payg-single-273-904-v20210715",
+ "check-point-r8030-gw-payg-mig": "check-point-r8030-gw-payg-mig-273-904-v20210715",
+ "check-point-r8030-gw-payg-cluster": "check-point-r8030-gw-payg-cluster-273-904-v20210715",
+ "check-point-r8030-gw-byol-single": "check-point-r8030-gw-byol-single-273-904-v20210715",
+ "check-point-r8030-gw-byol-mig": "check-point-r8030-gw-byol-mig-273-904-v20210715",
+ "check-point-r8030-gw-byol-cluster": "check-point-r8030-gw-byol-cluster-273-904-v20210715",
+ "check-point-r8030-byol": "check-point-r8030-byol-200-773-v20201208"
+}
diff --git a/deprecated/gcp/R80.30/ha-byol-R80.30/password.py b/deprecated/gcp/R80.30/ha-byol-R80.30/password.py
new file mode 100644
index 00000000..273210a6
--- /dev/null
+++ b/deprecated/gcp/R80.30/ha-byol-R80.30/password.py
@@ -0,0 +1,135 @@ +# Copyright 2015 Google Inc. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +"""A DM template that generates password as an output, namely "password". + +An example YAML showing how this template can be used: + resources: + - name: generated-password + type: password.py + properties: + length: 8 + includeSymbols: true + - name: main-template + type: main-template.jinja + properties: + password: $(ref.generated-password.password) + +Input properties to this template: + - length: the length of the generated password. At least 8. Default 8. + - includeSymbols: true/false whether to include symbol chars. Default false. + +The generated password satisfies the following requirements: + - The length is as specified, + - Containing letters and numbers, and optionally symbols if specified, + - Starting with a letter, + - Containing characters from at least 3 of the 4 categories: uppercases, + lowercases, numbers, and symbols. + +""" + +import random +import yaml + +PROPERTY_LENGTH = 'length' +PROPERTY_INCLUDE_SYMBOLS = 'includeSymbols' + +# Note the omission of some hard to distinguish characters like I, l, 0, and O. +UPPERS = 'ABCDEFGHJKLMNPQRSTUVWXYZ' +LOWERS = 'abcdefghijkmnopqrstuvwxyz' +ALPHABET = UPPERS + LOWERS +DIGITS = '123456789' +ALPHANUMS = ALPHABET + DIGITS +# Including only symbols that can be passed around easily in shell scripts. +SYMBOLS = '*-+.' 
+ +CANDIDATES_WITH_SYMBOLS = ALPHANUMS + SYMBOLS +CANDIDATES_WITHOUT_SYMBOLS = ALPHANUMS + +CATEGORIES_WITH_SYMBOLS = [UPPERS, LOWERS, DIGITS, SYMBOLS] +CATEGORIES_WITHOUT_SYMBOLS = [UPPERS, LOWERS, DIGITS] + +MIN_LENGTH = 8 + + +class InputError(Exception): + """Raised when input properties are unexpected.""" + + +def GenerateConfig(context): + """Entry function to generate the DM config.""" + props = context.properties + length = props.setdefault(PROPERTY_LENGTH, MIN_LENGTH) + include_symbols = props.setdefault(PROPERTY_INCLUDE_SYMBOLS, False) + + if not isinstance(include_symbols, bool): + raise InputError('%s must be a boolean' % PROPERTY_INCLUDE_SYMBOLS) + + content = { + 'resources': [], + 'outputs': [{ + 'name': 'password', + 'value': GeneratePassword(length, include_symbols) + }] + } + return yaml.dump(content) + + +def GeneratePassword(length=8, include_symbols=False): + """Generates a random password.""" + if length < MIN_LENGTH: + raise InputError('Password length must be at least %d' % MIN_LENGTH) + + candidates = (CANDIDATES_WITH_SYMBOLS if include_symbols + else CANDIDATES_WITHOUT_SYMBOLS) + categories = (CATEGORIES_WITH_SYMBOLS if include_symbols + else CATEGORIES_WITHOUT_SYMBOLS) + + # Generates up to the specified length minus the number of categories. + # Then inserts one character for each category, ensuring that the character + # satisfy the category if the generated string hasn't already. + generated = ([random.choice(ALPHABET)] + + [random.choice(candidates) + for _ in range(length - 1 - len(categories))]) + for category in categories: + _InsertAndEnsureSatisfaction(generated, category, candidates) + return ''.join(generated) + + +def _InsertAndEnsureSatisfaction(generated, required, all_candidates): + """Inserts 1 char into generated, satisfying required if not already. + + If the required characters are not already in the generated string, one will + be inserted. 
If any required character is already in the generated string, a + random character from all_candidates will be inserted. The insertion happens + at a random location but not at the beginning. + + Args: + generated: the string to be modified. + required: list of required characters to check for. + all_candidates: list of characters to choose from if the required characters + are already satisfied. + """ + if set(generated).isdisjoint(required): + # Not yet satisfied. Insert a required candidate. + _InsertInto(generated, required) + else: + # Already satisfied. Insert any candidate. + _InsertInto(generated, all_candidates) + + +def _InsertInto(generated, candidates): + """Inserts a random candidate into a random non-zero index of generated.""" + # Avoids inserting at index 0, since the first character follows its own rule. + generated.insert(random.randint(1, len(generated) - 1), + random.choice(candidates)) diff --git a/deprecated/gcp/R80.30/ha-payg-R80.30/README.md b/deprecated/gcp/R80.30/ha-payg-R80.30/README.md new file mode 100644 index 00000000..6b7edf0b --- /dev/null +++ b/deprecated/gcp/R80.30/ha-payg-R80.30/README.md 
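Review bot: `GeneratePassword` and `_InsertInto` draw every character and every insertion index from the `random` module, whose Mersenne Twister generator is documented as unsuitable for security purposes, yet the result is the administrator password exposed as the `password` output of this template. The smallest fix that works on both Python 2.7 and 3 is a module-level `_rng = random.SystemRandom()` and replacing the three `random.choice(...)` calls and `random.randint(1, len(generated) - 1)` with `_rng.choice(...)` / `_rng.randint(...)`; on 3.6+ `secrets.choice` and `secrets.randbelow(len(generated) - 1) + 1` are the equivalent. Separately, the module docstring says the password contains "characters from at least 3 of the 4 categories", but `_InsertAndEnsureSatisfaction` is run for every category in the selected list, so the actual guarantee is every category (3 without symbols, 4 with) — the docstring should state the stronger guarantee the code provides.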
@@ -0,0 +1,178 @@ +# GCP Deployment Manager package for Check Point High Availability PAYG solution +This directory contains CloudGuard IaaS deployment package for Check Point High Availability (PAYG) solution published in the [GCP Marketplace](https://console.cloud.google.com/marketplace/details/checkpoint-public/check-point-ha--ngtp). + +# How to deploy the package manually +To deploy the Deployment Manager's package manually, without using the GCP Marketplace, follow these instructions: +1. Clone or download the files in this directory +2. Fill variables in the config.yaml(see below for variables descriptions). +3. Log into [Google Cloud Platform Console](https://console.cloud.google.com) +4. [Activate Cloud Shell](https://cloud.google.com/shell/docs/using-cloud-shell) +5. Set your Cloud Platform project in the Cloud Shell session use: + + gcloud config set project [PROJECT_ID] +6. Upload the content of the CloudGuardIaaS/gcp/deployment-packages/ha-payg/ directory to the [cloud shell](https://cloud.google.com/shell/docs/uploading-and-downloading-files) +7. Launch deployment by running: + + gcloud deployment-manager deployments create [DEPLOYMENT_NAME] --config config.yaml +8. Make sure the deployment finished successfully.
Example of successful deployment output: + + The fingerprint of the deployment is CgwkIUxcTnI5_eZY1g9SFw== + Waiting for create [operation-1585150261645-5a1af8e42d0ba-6b3d4618-5856e790]...done. + Create operation operation-1585150261645-5a1af8e42d0ba-6b3d4618-5856e790 completed successfully. + NAME TYPE STATE ERRORS INTENT + cluster-cluster-network-icmp compute.v1.firewall COMPLETED [] + cluster-cluster-network-tcp compute.v1.firewall COMPLETED [] + cluster-config runtimeconfig.v1beta1.config COMPLETED [] + cluster-member-a compute.v1.instance COMPLETED [] + cluster-member-a-address compute.v1.address COMPLETED [] + cluster-member-b compute.v1.instance COMPLETED [] + cluster-member-b-address compute.v1.address COMPLETED [] + cluster-mgmt-network-esp compute.v1.firewall COMPLETED [] + cluster-mgmt-network-sctp compute.v1.firewall COMPLETED [] + cluster-primary-cluster-address compute.v1.address COMPLETED [] + cluster-secondary-cluster-address compute.v1.address COMPLETED [] + cluster-software runtimeconfig.v1beta1.waiter COMPLETED [] + OUTPUTS VALUE + Deployment cluster + Cluster IP external address 35.201.201.163 + Member A cluster-member-a + Member A external IP 104.199.168.141 + Member B cluster-member-b + Member B external IP 35.221.178.173 + +## config.yaml variables +| Name | Description | Type | Allowed values | +| ------------- | ------------- | ------------- | ------------- | +| **ha_version** | High Availability Version | string | R80.30 Cluster; | +| | | | | | +| **zoneA** | Member A Zone. 
The zone determines what computing resources are available and where your data is stored and used | string | List of allowed [Regions and Zones](https://cloud.google.com/compute/docs/regions-zones?_ga=2.31926582.-962483654.1585043745) | +| | | | | | +| **zoneB** | Member B Zone | string | Must be in the same region as member A zone | +| | | | | | +| **machineType** | Machine types determine the specifications of your machines, such as the amount of memory, virtual cores, and persistent disk limits an instance will have | string | [Learn more about Machine Types](https://cloud.google.com/compute/docs/machine-types?hl=en_US&_ga=2.267871494.-962483654.1585043745) | +| | | | | | +| **managementNetwork** | Security Management Server address | string | The public address of the Security Management Server, in CIDR notation. VPN peers addresses cannot be in this CIDR block, so this value cannot be the zero-address | +| | | | | | +| **cluster-network-cidr** | Cluster external subnet CIDR.
If the variable's value is not empty double quotes, a new network will be created.
The Cluster public IP will be translated to a private address assigned to the active member in this external network. | string | Specify an RFC 1918 CIDR block that does not overlap with your other networks to create a new network or select an existing one below | +| | | | | | +| **cluster-network-name** | Cluster external network ID. The network determines what network traffic the instance can access | string | Available network in the chosen zone | +| | | | | | +| **cluster-network-subnetwork-name** | Cluster subnet ID. Assigns the instance an IPv4 address from the subnetwork’s range.
If you have specified a CIDR block above, this subnetwork will not be used.
. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. | string | Available subnetwork in the chosen network | +| | | | | | +| **cluster-network_enableTcp** | Allow TCP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **cluster-network_tcpSourceRanges** | Allow TCP traffic from the Internet | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009 [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **cluster-network_enableIcmp** | Allow ICMP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **cluster-network_icmpSourceRanges** | Source IP ranges for ICMP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **cluster-network_enableUdp** | Allow UDP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **cluster-network_udpSourceRanges** | Source IP ranges for UDP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **cluster-network_enableSctp** | Allow SCTP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **cluster-network_sctpSourceRanges** | Source IP ranges for SCTP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **cluster-network_enableEsp** | Allow ESP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **cluster-network_espSourceRanges** | Source IP ranges for ESP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **mgmt-network-cidr** | Management external subnet CIDR.
If the variable's value is not empty double quotes, a new network will be created.
The public IP used to manage each member will be translated to a private address in this external network | string | Specify an RFC 1918 CIDR block that does not overlap with your other networks to create a new network or select an existing one below | +| | | | | | +| **mgmt-network-name** | Management network ID. The network determines what network traffic the instance can access | string | Available network in the chosen zone | +| | | | | | +| **mgmt-network-subnetwork-name** | Management subnet ID. Assigns the instance an IPv4 address from the subnetwork’s range.
If you have specified a CIDR block above, this subnetwork will not be used.
. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. | string | Available subnetwork in the chosen network | +| | | | | | +| **mgmt-network_enableTcp** | Allow TCP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **mgmt-network_tcpSourceRanges** | Allow TCP traffic from the Internet | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009 [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **mgmt-network_enableIcmp** | Allow ICMP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **mgmt-network_icmpSourceRanges** | Source IP ranges for ICMP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **mgmt-network_enableUdp** | Allow UDP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **mgmt-network_udpSourceRanges** | Source IP ranges for UDP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **mgmt-network_enableSctp** | Allow SCTP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **mgmt-network_sctpSourceRanges** | Source IP ranges for SCTP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **mgmt-network_enableEsp** | Allow ESP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **mgmt-network_espSourceRanges** | Source IP ranges for ESP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **diskType** | Disk type | string | pd-ssd;
pd-standard;
Storage space is much less expensive for a standard persistent disk. An SSD persistent disk is better for random IOPS or streaming throughput with low latency. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.66020774.-962483654.1585043745#overview_of_disk_types)| +| | | | | | +| **bootDiskSizeGb** | Disk size in GB | number | Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.232680471.-962483654.1585043745#pdperformance)| +| | | | | | +| **generatePassword** | Automatically generate an administrator password | boolean | true;
false; | +| | | | | | +| **allowUploadDownload** | Allow download from/upload to Check Point | boolean | true;
false; | +| | | | | | +| **enableMonitoring** | Enable Stackdriver monitoring | boolean | true;
false; | +| | | | | | +| **shell** | Admin shell | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh;
| +| | | | | | +| **instanceSSHKey** | Public SSH key for the user 'admin' | string | A valid public ssh key | +| | | | | | +| **sicKey** | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server | string | At least 8 alpha numeric characters.
If SIC is not provided and needed, a key will be automatically generated | +| | | | | | +| **numAdditionalNICs** | Number of additional network interfaces | number | A number in the range 0 - 6.
Multiple network interfaces deployment is described in [sk121637 - Deploy a CloudGuard for GCP with Multiple Network Interfaces](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk121637) | +| | | | | | +| **internal-network1-cidr** | 1st internal subnet CIDR.
If the variable's value is not empty double quotes, a new subnet will be created.
Assigns the cluster members an IPv4 address in this internal network | string | Specify an RFC 1918 CIDR block that does not overlap with your other networks to create a new network or select an existing one below | +| | | | | | +| **internal-network1-name** | 1st internal network ID. The network determines what network traffic the instance can access | string | Available network in the chosen zone | +| | | | | | +| **internal-network1-subnetwork-name** | 1st internal subnet ID. Assigns the instance an IPv4 address from the subnetwork’s range.
If you have specified a CIDR block above, this subnetwork will not be used.
Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. | string | Available subnetwork in the chosen network | +| | | | | | +## Example + ha_version: "R80.30 Cluster" + zoneA: "asia-east1-a" + zoneB: "asia-east1-a" + machineType: "n1-standard-4" + diskType: "pd-ssd" + bootDiskSizeGb: 100 + instanceSSHKey: "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" + enableMonitoring: false + managementNetwork: "209.87.209.100/32" + sicKey: "aaaaaaaa" + generatePassword: false + allowUploadDownload: false + shell: "/bin/bash" + cluster-network-cidr: "10.0.1.0/24" + cluster-network-name: "external-vpc" + cluster-network-subnetwork-name: "frontend" + cluster-network_enableIcmp: true + cluster-network_icmpSourceRanges: "0.0.0.0/0" + cluster-network_enableTcp: true + cluster-network_tcpSourceRanges: "0.0.0.0/0" + cluster-network_enableUdp: false + cluster-network_udpSourceRanges: "" + cluster-network_enableSctp: false + cluster-network_sctpSourceRanges: "" + cluster-network_enableEsp: false + cluster-network_espSourceRanges: "" + mgmt-network-cidr: "10.0.2.0/24" + mgmt-network-name: "vpc-internal" + mgmt-network-subnetwork-name: "" + mgmt-network_enableIcmp: false + mgmt-network_icmpSourceRanges: "" + mgmt-network_enableTcp: false + mgmt-network_tcpSourceRanges: "" + mgmt-network_enableUdp: true + mgmt-network_udpSourceRanges: "0.0.0.0/0" + mgmt-network_enableSctp: true + mgmt-network_sctpSourceRanges: "0.0.0.0/0" + mgmt-network_enableEsp: true + mgmt-network_espSourceRanges: "0.0.0.0/0" + numInternalNetworks: 1 + internal-network1-cidr: "10.0.3.0/24" + internal-network1-name: "vpc-internal2" + internal-network1-subnetwork-name: "vpc-internal2" + +## Notes +See [sk147032](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk147032) for revision history \ No newline at end of file 
diff --git a/deprecated/gcp/R80.30/ha-payg-R80.30/c2d_deployment_configuration.json b/deprecated/gcp/R80.30/ha-payg-R80.30/c2d_deployment_configuration.json
new file mode 100644
index 00000000..447c0cab
--- /dev/null
+++ b/deprecated/gcp/R80.30/ha-payg-R80.30/c2d_deployment_configuration.json
@@ -0,0 +1,7 @@
+{
+ "defaultDeploymentType": "MULTI_VM",
+ "imageName": "check-point-r8110-gw-payg-cluster-335-985-v20220126",
+ "projectId": "checkpoint-public",
+ "templateName": "nonexistent_template",
+ "useSolutionPackage": "true"
+}
diff --git a/deprecated/gcp/R80.30/ha-payg-R80.30/check-point-cluster--payg.py b/deprecated/gcp/R80.30/ha-payg-R80.30/check-point-cluster--payg.py
new file mode 100644
index 00000000..119d7304
--- /dev/null
+++ b/deprecated/gcp/R80.30/ha-payg-R80.30/check-point-cluster--payg.py
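Review bot: `imageName` in this R80.30 package is `check-point-r8110-gw-payg-cluster-335-985-v20220126`, which by its name is an R81.10 cluster image, while the sibling byol package's `images.py` earlier in this patch lists only `check-point-r8030-*` images and the README's `ha_version` only allows "R80.30 Cluster"; if the PAYG `images.py` is likewise R80.30-only, a marketplace launch of this package would boot a different major version than the directory name and documentation promise. I would expect `check-point-r8030-gw-payg-cluster-273-904-v20210715` here, or a README note explaining why the default image differs. `templateName` being `nonexistent_template` reads as a placeholder; if it is deliberately unused because `useSolutionPackage` is `"true"`, strict JSON cannot carry a comment, so the README should say so.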
@@ -0,0 +1,713 @@ +# Copyright 2016 Check Point Software LTD. + +import common +import copy +import default +import images +import password + + +MAX_ADDITIONAL_NICS = 6 + +GATEWAY = 'checkpoint-gateway' + +PROJECT = 'checkpoint-public' +LICENSE = 'payg' +LICENCE_TYPE = 'cluster' + +VERSIONS = { + 'R80.30': 'r8030-gw' +} + +TEMPLATE_NAME = 'cluster' +TEMPLATE_VERSION = '20220130' + +CLUSTER_NET_FIELD = 'cluster-network' +MGMT_NET_FIELD = 'mgmt-network' +INTERNAL_NET_FIELD = 'internal-network{}' + +MGMT_NIC = 1 + +startup_script = ''' +#!/bin/bash + +generatePassword="$(echo {generatePassword} | tr 'TF' 'tf')" +allowUploadDownload="{allowUploadDownload}" + +echo "template_name: {templateName}" >> /etc/cloud-version +echo "template_version: {templateVersion}" >> /etc/cloud-version + +function get_router() {{ + local interface="$1" + local subnet_router_meta_path="computeMetadata/v1/instance/network-interfaces/$interface/gateway" + local router="$(get-cloud-data.sh ${{subnet_router_meta_path}})" + echo "${{router}}" +}} + +function set_mgmt_if() {{ + mgmtNIC="{mgmtNIC}" + local mgmt_int="eth0" + if [ "X$mgmtNIC" == "XEphemeral Public IP (eth0)" ]; then + mgmt_int="eth0" + elif [ "X$mgmtNIC" == "XPrivate IP (eth1)" ]; then + mgmt_int="eth1" + fi + local set_mgmt_if_out="$(clish -s -c "set management interface ${{mgmt_int}}")" + echo "${{set_mgmt_if_out}}" +}} + +function set_internal_static_routes() {{ + local private_cidrs='10.0.0.0/8 172.16.0.0/12 192.168.0.0/16' + #Define interface for internal networks and configure + local interface="$internalInterfaceNumber" + local router=$(get_router $interface) + clish -c 'lock database override' + #Configure static routes destined to internal networks, defined in the RFC 1918, through the internal interface + for cidr in ${{private_cidrs}}; do + echo "setting route to $cidr via gateway $router" + echo "running clish -c 'set static-route $cidr nexthop gateway address $router on' -s" + clish -c "set static-route $cidr nexthop 
gateway address $router on" -s + done +}} + +function create_dynamic_objects() {{ + local is_managment="$1" + local interfaces='eth0 eth1' + for interface in ${{interfaces}}; do + if ${{is_managment}}; then + dynamic_objects -n "LocalGateway" + dynamic_objects -n "LocalGatewayExternal" + dynamic_objects -n "LocalGatewayInternal" + else + local addr="$(ip addr show dev $interface | awk "/inet/{{print \$2; exit}}" | cut -d / -f 1)" + if [ "${{interface}}" == "eth0" ]; then + dynamic_objects -n "LocalGateway" -r "$addr" "$addr" -a + dynamic_objects -n "LocalGatewayExternal" -r "$addr" "$addr" -a + else + dynamic_objects -n "LocalGatewayInternal" -r "$addr" "$addr" -a + fi + fi + done +}} + + +function post_status() {{ + local is_success="$1" + local need_boot="$2" + local status + local value + local instance_id + + if "{hasInternet}" ; then + if "$is_success" ; then + status="success" + value="Success" + else + status="failure" + value="Failure" + fi + instance_id="$(get-cloud-data.sh computeMetadata/v1/instance/id)" + cat </etc/software-status + $FWDIR/scripts/gcp.py POST "{config_url}/variables" \ + --body '{{ + "name": "{config_path}/variables/status/$status/$instance_id", + "value": "$(echo $value | base64)" + }}' +EOF + fi + + create_dynamic_objects $installSecurityManagement + + if "$installSecurityGateway" ; then + + set_internal_static_routes + set_mgmt_if + + ########## + # DA Self update + + DAselfUpdateHappening=$(dbget installer:self_update_in_progress) + if [ "X$DAselfUpdateHappening" == "X1" ]; then + oldDApid=$(pidof DAService) + countdown=121 + while [ $((--countdown)) -gt 0 ] + do + sleep 1 + DApid=$(pidof DAService) + + if [ "${{DApid:-$oldDApid}}" -ne "$oldDApid" ]; then + break + fi + done + if [ $countdown -eq 0 ]; then + dbset installer:self_update_in_progress + fi + fi + + ########## + fi + + if [ "$installSecurityManagement" -a "Management only" = "{installationType}" ] ; then + public_ip="$(get-cloud-data.sh 
computeMetadata/v1/instance/network-interfaces/0/access-configs/0/external-ip)" + declare -i attempts=0 + declare -i max_attempts=80 + mgmt_cli -r true discard + result=$? + while [ $result -ne 0 ] && [ $attempts -lt $max_attempts ] + do + attempts=$attempts+1 + sleep 30 + mgmt_cli -r true discard + result=$? + done + generic_objects="$(mgmt_cli -r true show-generic-objects class-name com.checkpoint.objects.classes.dummy.CpmiHostCkp details-level full -f json)" + uid="$(echo $generic_objects | jq .objects | jq .[0] | jq .uid)" + if [ ! -z "$public_ip" ] && [ ! -z "${{uid:1:-1}}" ] ; then + mgmt_cli -r true set-generic-object uid $uid ipaddr $public_ip + fi + fi + + if "$need_boot" ; then + if [ "{enableMonitoring}" = "True" ] ; then + chkconfig --add gcp-statd + fi + shutdown -r now + else + service gcpd restart + if [ "{enableMonitoring}" = "True" ] ; then + chkconfig --add gcp-statd + service gcp-statd start + fi + fi +}} +clish -c 'set user admin shell {shell}' -s + +case "{installationType}" in +"Gateway only") + installSecurityGateway=true + gatewayClusterMember=false + installSecurityManagement=false + sicKey="{computed_sic_key}" + internalInterfaceNumber=1 + ;; +"Management only") + installSecurityGateway=false + installSecurityManagement=true + sicKey=notused + ;; +"Manual Configuration") + post_status true false + exit 0 + ;; +"Gateway and Management (Standalone)") + installSecurityGateway=true + installSecurityManagement=true + gatewayClusterMember=false + sicKey=notused + internalInterfaceNumber=1 + ;; +"Cluster") + installSecurityGateway=true + gatewayClusterMember=true + installSecurityManagement=false + sicKey="{sicKey}" + internalInterfaceNumber=2 + ;; +"AutoScale") + installSecurityGateway=true + gatewayClusterMember=false + installSecurityManagement=false + sicKey="{computed_sic_key}" + internalInterfaceNumber=1 + ;; +esac + +conf="install_security_gw=$installSecurityGateway" +if ${{installSecurityGateway}} ; then + conf="$conf&install_ppak=true" + 
blink_conf="gateway_cluster_member=$gatewayClusterMember" +fi +conf="$conf&install_security_managment=$installSecurityManagement" +if ${{installSecurityManagement}} ; then + if "$generatePassword" ; then + managementAdminPassword="$(get-cloud-data.sh \ + computeMetadata/v1/instance/attributes/adminPasswordSourceMetadata)" + conf="$conf&mgmt_admin_name=admin" + conf="$conf&mgmt_admin_passwd=$managementAdminPassword" + else + conf="$conf&mgmt_admin_radio=gaia_admin" + fi + + managementGUIClientNetwork="{managementGUIClientNetwork}" + conf="$conf&install_mgmt_primary=true" + + if [ "0.0.0.0/0" = "$managementGUIClientNetwork" ]; then + conf="$conf&mgmt_gui_clients_radio=any" + else + conf="$conf&mgmt_gui_clients_radio=network" + ManagementGUIClientBase="$(echo ${{managementGUIClientNetwork}} | \ + cut -d / -f 1)" + ManagementGUIClientMaskLength="$(echo ${{managementGUIClientNetwork}} | \ + cut -d / -f 2)" + conf="$conf&mgmt_gui_clients_ip_field=$ManagementGUIClientBase" + conf="$conf&mgmt_gui_clients_subnet_field=$ManagementGUIClientMaskLength" + fi + +fi + +blink_conf="$blink_conf&ftw_sic_key=$sicKey" +blink_conf="$blink_conf&download_info=$allowUploadDownload" +blink_conf="$blink_conf&upload_info=$allowUploadDownload" + +conf="$conf&$blink_conf" + +if "$generatePassword" ; then + blink_password="$(get-cloud-data.sh \ + computeMetadata/v1/instance/attributes/adminPasswordSourceMetadata)" +else + blink_password="$(dd if=/dev/urandom count=1 \ + 2>/dev/null | sha256sum | cut -c -28)" +fi +blink_conf="$blink_conf&admin_password_regular=$blink_password" + +if [ "Gateway only" = "{installationType}" ] || [ "Cluster" = "{installationType}" ] || [ "AutoScale" = "{installationType}" ]; then + config_cmd="blink_config -s $blink_conf" +else + config_cmd="config_system -s $conf" +fi + +if ${{config_cmd}} ; then + if "$installSecurityManagement" ; then + post_status true "$installSecurityGateway" + elif [ "Cluster" = "{installationType}" ] ; then + 
mgmt_subnet_gw="$(get-cloud-data.sh computeMetadata/v1/instance/network-interfaces/1/gateway)" + sed -i 's/__CLUSTER_PUBLIC_IP_NAME__/'"{primary_cluster_address_name}"'/g' /etc/fw/conf/gcp-ha.json + sed -i 's/__SECONDARY_PUBLIC_IP_NAME__/'"{secondary_cluster_address_name}"'/g' /etc/fw/conf/gcp-ha.json + clish -c 'set static-route '"{managementNetwork}"' nexthop gateway address '"$mgmt_subnet_gw"' on' -s + post_status true true + else + post_status true false + fi +else + post_status false false +fi + +''' + + +def make_gw(context, name, zone, nics, passwd=None, depends_on=None): + cg_version = context.properties['ha_version'].split(' ')[0] + if 'gw' in VERSIONS[cg_version]: + license_name = "{}-{}".format(LICENSE, LICENCE_TYPE) + else: + license_name = LICENSE + family = '-'.join(['check-point', VERSIONS[cg_version], license_name]) + formatter = common.DefaultFormatter() + + gw = { + 'type': default.INSTANCE, + 'name': name, + 'metadata': { + 'dependsOn': depends_on + }, + 'properties': { + 'description': 'CloudGuard Highly Available Security Cluster', + 'zone': zone, + 'tags': { + 'items': [GATEWAY], + }, + 'machineType': common.MakeLocalComputeLink( + context, default.MACHINETYPE, zone), + 'canIpForward': True, + 'networkInterfaces': nics, + 'disks': [{ + 'autoDelete': True, + 'boot': True, + 'deviceName': common.set_name_and_truncate( + context.properties['deployment'], + '-{}-boot'.format(name)), + 'initializeParams': { + 'diskType': common.MakeLocalComputeLink( + context, default.DISKTYPE, zone), + 'diskSizeGb': context.properties['bootDiskSizeGb'], + 'sourceImage': + 'projects/%s/global/images/%s' % ( + PROJECT, images.IMAGES[family]), + }, + 'type': 'PERSISTENT', + }], + 'metadata': { + 'items': [ + { + 'key': 'startup-script', + 'value': formatter.format( + startup_script, **context.properties) + } + ] + }, + 'serviceAccounts': [{ + 'email': 'default', + 'scopes': [ + 'https://www.googleapis.com/auth/monitoring.write', + 
'https://www.googleapis.com/auth/compute', + 'https://www.googleapis.com/auth/cloudruntimeconfig' + ], + }] + } + } + + if 'instanceSSHKey' in context.properties: + gw['properties']['metadata']['items'].append( + { + 'key': 'instanceSSHKey', + 'value': context.properties['instanceSSHKey'] + } + ) + + if passwd: + gw['properties']['metadata']['items'].append( + { + 'key': 'adminPasswordSourceMetadata', + 'value': passwd + } + ) + + return gw + + +def make_access_config(ip, name=None): + access_config = { + 'type': default.ONE_NAT, + 'natIP': ip + } + + if name: + access_config['name'] = name + + return access_config + + +def make_static_address(prop, name): + address = { + 'name': name, + 'type': default.ADDRESS, + 'properties': { + 'name': name, + 'region': prop['region'] + } + } + + return address + + +def create_external_addresses(prop, resources, member_a_nics, member_b_nics): + member_a_address_name = common.set_name_and_truncate( + prop['deployment'], '-member-a-address') + member_b_address_name = common.set_name_and_truncate( + prop['deployment'], '-member-b-address') + + prop['member_a_address_name'] = member_a_address_name + prop['member_b_address_name'] = member_b_address_name + + member_a_address = make_static_address(prop, member_a_address_name) + member_b_address = make_static_address(prop, member_b_address_name) + + resources += [member_a_address, member_b_address] + + member_a_nics[MGMT_NIC]['accessConfigs'] = [make_access_config( + '$(ref.{}.address)'.format(member_a_address_name))] + member_b_nics[MGMT_NIC]['accessConfigs'] = [make_access_config( + '$(ref.{}.address)'.format(member_b_address_name))] + + primary_cluster_address_name = common.set_name_and_truncate( + prop['deployment'], '-primary-cluster-address') + secondary_cluster_address_name = common.set_name_and_truncate( + prop['deployment'], '-secondary-cluster-address') + + primary_cluster_address = make_static_address( + prop, primary_cluster_address_name) + secondary_cluster_address = 
make_static_address( + prop, secondary_cluster_address_name) + + resources += [primary_cluster_address, secondary_cluster_address] + + prop['primary_cluster_address_name'] = primary_cluster_address_name + prop['secondary_cluster_address_name'] = secondary_cluster_address_name + + +def make_nic(prop, net_name, subnet_name): + network_interface = { + 'network': ''.join([default.COMPUTE_URL_BASE, 'projects/', + prop['project'], '/global/networks/', + net_name]), + 'subnetwork': ''.join([default.COMPUTE_URL_BASE, 'projects/', + prop['project'], '/regions/', prop['region'], + '/subnetworks/', subnet_name]) + } + + return network_interface + + +def make_subnet(prop, name, net_name, cidr, private_google_access=False): + subnet = { + 'type': default.VPC_SUBNET, + 'name': name, + 'metadata': { + 'dependsOn': [net_name] + }, + 'properties': { + 'network': 'projects/{}/global' + '/networks/{}'.format(prop['project'], net_name), + 'region': prop['region'], + 'ipCidrRange': cidr, + 'privateIpGoogleAccess': private_google_access, + 'enableFlowLogs': False + } + } + + return subnet + + +def make_net(name): + net = { + 'type': default.VPC, + 'name': name, + 'properties': { + 'autoCreateSubnetworks': False + } + } + + return net + + +def get_or_create_net(prop, name, resources, gw_dependencies, + private_google_access=False, create_firewall=False): + net_cidr = prop.get(name + '-cidr') + + if net_cidr: + net_name = '{}-{}'.format(prop['deployment'][:20], name) + subnet_name = '{}-subnet'.format(net_name) + net = make_net(net_name) + subnet = make_subnet( + prop, subnet_name, net_name, net_cidr, private_google_access) + + resources += [net, subnet] + gw_dependencies.append(subnet_name) + else: + net_name = prop.get(name + '-name') + subnet_name = prop.get(name + '-subnetwork-name') + if not subnet_name: + raise common.Error( + 'Network {} is missing.'.format(net_name.split('-'))) + + if create_firewall: + firewall_rules = create_firewall_rules(prop, name, net_name, net_cidr) + if 
firewall_rules: + resources.extend(firewall_rules) + + return net_name, subnet_name + + +def create_firewall_rules(prop, net_prop_name, net_name, net_cidr): + deployment = prop['deployment'] + firewall_rules = [] + protocols = ['Icmp', 'Udp', 'Tcp', 'Sctp', 'Esp'] + for protocol in protocols: + proto = protocol.lower() + source_ranges = prop.get(net_prop_name + '_' + proto + + 'SourceRanges', '') + protocol_enabled = prop.get(net_prop_name + '_enable' + protocol, '') + if protocol_enabled and source_ranges: + firewall_rules.append( + make_firewall_rule(proto, source_ranges, deployment, + net_prop_name, net_name, net_cidr)) + + return firewall_rules + + +def make_firewall_rule(protocol, source_ranges, deployment, net_prop_name, + net_name, net_cidr): + fw_rule_name = '%s-%s-%s' % (deployment[:40], net_prop_name, protocol) + ranges_list = source_ranges.split(',') + ranges = [] + for source_range in ranges_list: + ranges.append(source_range.replace(" ", "")) + firewall_rule = { + 'type': default.FIREWALL, + 'name': fw_rule_name, + 'properties': { + 'network': 'global/networks/' + net_name, + 'sourceRanges': ranges, + 'targetTags': [GATEWAY], + 'allowed': [{'IPProtocol': protocol}], + } + } + + if net_cidr: + firewall_rule['metadata'] = { + 'dependsOn': [net_name] + } + + return firewall_rule + + +def add_readiness_waiter(prop, resources): + deployment_config = common.set_name_and_truncate( + prop['deployment'], '-config') + + prop['config_path'] = 'projects/{}/configs/{}'.format( + prop['project'], deployment_config) + prop['config_url'] = ( + 'https://runtimeconfig.googleapis.com/v1beta1/{}'.format( + prop['config_path'])) + + resources.append( + { + 'name': deployment_config, + 'type': 'runtimeconfig.v1beta1.config', + 'properties': { + 'config': deployment_config, + 'description': ( + 'Holds software readiness status ' + 'for deployment {}').format(prop['deployment']) + } + } + ) + + resources.append( + { + 'name': common.set_name_and_truncate( + 
prop['deployment'], '-software'), + 'type': 'runtimeconfig.v1beta1.waiter', + 'metadata': { + 'dependsOn': [], + }, + 'properties': { + 'parent': '$(ref.{}.name)'.format(deployment_config), + 'waiter': 'software', + 'timeout': '1800s', + 'success': { + 'cardinality': { + 'number': 2, + 'path': 'status/success', + }, + }, + 'failure': { + 'cardinality': { + 'number': 1, + 'path': 'status/failure', + }, + }, + }, + } + ) + + +def validate_same_region(zone_a, zone_b): + if not common.ZoneToRegion(zone_a) == common.ZoneToRegion(zone_b): + raise common.Error('Member A Zone ({}) and Member B Zone ({}) ' + 'are not in the same region'.format(zone_a, zone_b)) + + +@common.FormatErrorsDec +def generate_config(context): + prop = context.properties + + validate_same_region(prop['zoneA'], prop['zoneB']) + + prop['deployment'] = context.env['deployment'] + prop['project'] = context.env['project'] + prop['region'] = common.ZoneToRegion(prop['zoneA']) + prop['templateName'] = TEMPLATE_NAME + prop['templateVersion'] = TEMPLATE_VERSION + prop['allowUploadDownload'] = str(prop['allowUploadDownload']).lower() + prop['hasInternet'] = 'true' # via Google Private Access + prop['installationType'] = 'Cluster' + + resources = [] + outputs = [] + gw_dependencies = [] + member_a_nics = [] + + add_readiness_waiter(prop, resources) + + cluster_net_name, cluster_subnet_name = get_or_create_net( + prop, CLUSTER_NET_FIELD, resources, gw_dependencies, True, True) + member_a_nics.append(make_nic(prop, cluster_net_name, cluster_subnet_name)) + + mgmt_net_name, mgmt_subnet_name = get_or_create_net( + prop, MGMT_NET_FIELD, resources, gw_dependencies, False, True) + member_a_nics.append(make_nic(prop, mgmt_net_name, mgmt_subnet_name)) + + for ifnum in range(1, prop['numInternalNetworks'] + 1): + int_net_name, int_subnet_name = get_or_create_net( + prop, INTERNAL_NET_FIELD.format(ifnum), resources, + gw_dependencies) + member_a_nics.append(make_nic(prop, int_net_name, int_subnet_name)) + + 
member_b_nics = copy.deepcopy(member_a_nics) + + create_external_addresses(prop, resources, member_a_nics, member_b_nics) + + member_a_name = common.set_name_and_truncate( + prop['deployment'], '-member-a') + member_b_name = common.set_name_and_truncate( + prop['deployment'], '-member-b') + + if prop['generatePassword']: + passwd = password.GeneratePassword(12, False) + else: + passwd = '' + + member_a = make_gw(context, member_a_name, prop['zoneA'], + member_a_nics, passwd, gw_dependencies) + member_b = make_gw(context, member_b_name, prop['zoneB'], + member_b_nics, passwd, gw_dependencies) + + resources += [member_a, member_b] + + outputs += [ + { + 'name': 'deployment', + 'value': prop['deployment'] + }, + { + 'name': 'project', + 'value': prop['project'] + }, + { + 'name': 'clusterIP', + 'value': '$(ref.{}.address)'.format( + prop['primary_cluster_address_name']) + }, + { + 'name': 'vmAName', + 'value': member_a_name, + }, + { + 'name': 'vmAExternalIP', + 'value': '$(ref.{}.address)'.format(prop['member_a_address_name']) + }, + { + 'name': 'vmASelfLink', + 'value': '$(ref.{}.selfLink)'.format(member_a_name), + }, + { + 'name': 'vmBName', + 'value': member_b_name, + }, + { + 'name': 'vmBExternalIP', + 'value': '$(ref.{}.address)'.format(prop['member_b_address_name']) + }, + { + 'name': 'vmBSelfLink', + 'value': '$(ref.{}.selfLink)'.format(member_b_name), + }, + { + 'name': 'password', + 'value': passwd + } + ] + + return common.MakeResource(resources, outputs) diff --git a/deprecated/gcp/R80.30/ha-payg-R80.30/check-point-cluster--payg.py.schema b/deprecated/gcp/R80.30/ha-payg-R80.30/check-point-cluster--payg.py.schema new file mode 100644 index 00000000..927a3fae --- /dev/null +++ b/deprecated/gcp/R80.30/ha-payg-R80.30/check-point-cluster--payg.py.schema 
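Review bot: In generate_config, the admin password produced by `password.GeneratePassword(12, False)` is written into both members' instance metadata as `adminPasswordSourceMetadata` by make_gw and is also returned verbatim as the `password` deployment output, and `formatter.format(startup_script, **context.properties)` bakes `{sicKey}` into the `startup-script` metadata item; instance metadata and deployment outputs are readable by anyone who can read the instance or the deployment manifest, so these secrets outlive first boot. The startup script reads the password back via `get-cloud-data.sh computeMetadata/v1/instance/attributes/adminPasswordSourceMetadata` and never removes the key, so at minimum document the exposure at the `passwd = password.GeneratePassword(12, False)` branch, e.g. `# NOTE: stored in instance metadata and emitted as a deployment output; readable by anyone with get access on the VM or the deployment`. Separately, in get_or_create_net the error path `net_name.split('-')` raises AttributeError instead of common.Error when neither `<name>-cidr` nor `<name>-name` is supplied (net_name is None), and otherwise formats a list into the message; `raise common.Error('Network {} is missing.'.format(net_name))` reports it as intended.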
@@ -0,0 +1,384 @@ +imports: + - path: check-point-cluster--payg.py + +info: + version: 1.0 + title: Check Point CloudGuard Network Security Cluster - PAYG Template + +required: + - zoneA + - zoneB + - machineType + - diskType + - bootDiskSizeGb + - sicKey + - managementNetwork + - allowUploadDownload + - shell + - generatePassword + - enableMonitoring + - numInternalNetworks + +properties: + zoneA: + type: string + default: us-central1-a + x-googleProperty: + type: GCE_ZONE + zoneB: + type: string + default: us-central1-a + x-googleProperty: + type: GCE_ZONE + machineType: + type: string + default: n1-standard-4 + x-googleProperty: + type: GCE_MACHINE_TYPE + zoneProperty: zoneA + gceMachineType: + minCpu: 2 + minRamGb: 1.843000054359436 + instanceSSHKey: + type: string + pattern: ^([0-9a-z\-]+ +[0-9A-Za-z/\+=]+( .*)?|)$ + default: '' + diskType: + type: string + default: pd-ssd + x-googleProperty: + type: GCE_DISK_TYPE + zoneProperty: zoneA + bootDiskSizeGb: + type: integer + maximum: 1000 + default: 100 + minimum: 100 + x-googleProperty: + type: GCE_DISK_SIZE + gceDiskSize: + diskTypeProperty: diskType + ha_version: + type: string + default: R81.10 Cluster + enum: + - R80.30 Cluster + enableMonitoring: + type: boolean + default: False + sicKey: + type: string + pattern: ^([a-z0-9A-Z]{8,30})$ + default: '' + managementNetwork: + type: string + default: '' + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$ + generatePassword: + type: boolean + default: False + allowUploadDownload: + type: boolean + default: False + shell: + type: string + default: /etc/cli.sh + enum: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + cluster-network-cidr: + type: string + default: '10.0.0.0/24' + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + cluster-network-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + cluster-network-subnetwork-name: + type: string + 
x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: cluster-network-name + cluster-network_enableIcmp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: cluster-network-name + cluster-network_icmpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: cluster-network_enableIcmp + cluster-network_enableTcp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: cluster-network-name + cluster-network_tcpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: cluster-network_enableTcp + cluster-network_enableUdp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: cluster-network-name + cluster-network_udpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: cluster-network_enableUdp + cluster-network_enableSctp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: cluster-network-name + cluster-network_sctpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: cluster-network_enableSctp + cluster-network_enableEsp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: cluster-network-name + cluster-network_espSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: cluster-network_enableEsp + mgmt-network-cidr: + type: string + default: '10.0.1.0/24' + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + mgmt-network-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + 
mgmt-network-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: mgmt-network-name + mgmt-network_enableIcmp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: mgmt-network-name + mgmt-network_icmpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: mgmt-network_enableIcmp + mgmt-network_enableTcp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: mgmt-network-name + mgmt-network_tcpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: mgmt-network_enableTcp + mgmt-network_enableUdp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: mgmt-network-name + mgmt-network_udpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: mgmt-network_enableUdp + mgmt-network_enableSctp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: mgmt-network-name + mgmt-network_sctpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: mgmt-network_enableSctp + mgmt-network_enableEsp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: mgmt-network-name + mgmt-network_espSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: mgmt-network_enableEsp + numInternalNetworks: + type: integer + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + minimum: 1 + maximum: 6 + default: 1 + internal-network1-cidr: + type: string + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + default: '10.0.2.0/24' + 
internal-network1-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + internal-network1-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: internal-network1-name + internal-network2-cidr: + type: string + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + default: '' + internal-network2-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + internal-network2-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: internal-network2-name + internal-network3-cidr: + type: string + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + default: '' + internal-network3-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + internal-network3-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: internal-network3-name + internal-network4-cidr: + type: string + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + default: '' + internal-network4-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + internal-network4-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: internal-network4-name + internal-network5-cidr: + type: string + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + default: '' + internal-network5-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + internal-network5-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: internal-network5-name + 
internal-network6-cidr: + type: string + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + default: '' + internal-network6-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + internal-network6-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: internal-network6-name + +outputs: + deployment: + type: string + project: + type: string + clusterIP: + type: string + vmAName: + type: string + vmAExternalIP: + type: string + vmASelfLink: + type: string + vmBName: + type: string + vmBExternalIP: + type: string + vmBSelfLink: + type: string + password: + type: string + ha_version: + type: string diff --git a/deprecated/gcp/R80.30/ha-payg-R80.30/common.py b/deprecated/gcp/R80.30/ha-payg-R80.30/common.py new file mode 100644 index 00000000..e123c502 --- /dev/null +++ b/deprecated/gcp/R80.30/ha-payg-R80.30/common.py 
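Review bot: The `ha_version` property declares `default: R81.10 Cluster` while its `enum` only permits `R80.30 Cluster`, and the accompanying check-point-cluster--payg.py maps only `'R80.30'` in VERSIONS, so a deployment that keeps the default would fail at `VERSIONS[cg_version]` with a KeyError rather than a schema validation error; `default: R80.30 Cluster` matches the rest of this R80.30 tree. `ha_version` is also listed under `outputs:` but generate_config does not emit an output of that name, so either drop it from the schema or add it to the template's `outputs` list. The `sicKey` property is in `required:` with `pattern: ^([a-z0-9A-Z]{8,30})$` but `default: ''`, which the pattern rejects; that is presumably intended to force the operator to supply a key, and a one-line comment saying so would make the intent explicit.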
@@ -0,0 +1,262 @@ +# Copyright 2015 Google Inc. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +"""Generic simple functions used for python based template generation.""" + +import re +import sys +import traceback +import default +import string + +import yaml + +RFC1035_RE = re.compile(r'^[a-z][-a-z0-9]{1,61}[a-z0-9]{1}$') + + +class Error(Exception): + """Common exception wrapper for template exceptions.""" + pass + + +class DefaultFormatter(string.Formatter): + """Returns default instead of key error when looking for keys. + + Used for startup-script which contains params from multiple deployments + whiles keys from one deployment may not be set in another. 
+ """ + def __init__(self, default=''): + self.default = default + def get_value(self, key, args, dict): + if isinstance(key, str): + return dict.get(key, self.default) + else: + return string.Formatter.get_value(key, args, dict) + + +def set_name_and_truncate(primary, secondary, maxlength=62): + return '%s%s' % (primary[:maxlength - len(secondary)], secondary) + + +def AddDiskResourcesIfNeeded(context): + """Checks context if disk resources need to be added.""" + if default.DISK_RESOURCES in context.properties: + return context.properties[default.DISK_RESOURCES] + else: + return [] + + +def AutoName(base, resource, *args): + """Helper method to generate names automatically based on default.""" + auto_name = '%s-%s' % (base, '-'.join(list(args) + [default.AKA[resource]])) + if not RFC1035_RE.match(auto_name): + raise Error('"%s" name for type %s does not match RFC1035 regex (%s)' % + (auto_name, resource, RFC1035_RE.pattern)) + return auto_name + + +def AutoRef(base, resource, *args): + """Helper method that builds a reference for an auto-named resource.""" + return Ref(AutoName(base, resource, *args)) + + +def OrderedItems(dict_obj): + """Convenient method to yield sorted iteritems of a dictionary.""" + keys = list(dict_obj.keys()) + keys.sort() + for k in keys: + yield (k, dict_obj[k]) + + +def ShortenZoneName(zone): + """Given a string that looks like a zone name, creates a shorter version.""" + geo, coord, number, letter = re.findall(r'(\w+)-(\w+)(\d)-(\w)', zone)[0] + geo = geo.lower() if len(geo) == 2 else default.LOC[geo.lower()] + coord = default.LOC[coord.lower()] + number = str(number) + letter = letter.lower() + return geo + '-' + coord + number + letter + + +def ZoneToRegion(zone): + """Derives the region from a zone name.""" + parts = zone.split('-') + if len(parts) != 3: + raise Error('Cannot derive region from zone "%s"' % zone) + return '-'.join(parts[:2]) + + +def FormatException(message): + """Adds more information to the exception.""" + message = 
('Exception Type: %s\n' + 'Details: %s\n' + 'Message: %s\n') % (sys.exc_info()[0], + traceback.format_exc(), message) + return message + + +def Ref(name): + return '$(ref.%s.selfLink)' % name + + +def RefGroup(name): + return '$(ref.%s.instanceGroup)' % name + + +def GlobalComputeLink(project, collection, name): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/global/', + collection, '/', name]) + +def GlobalNetworkLink(project, network): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/global/', + default.NETWORKS, '/', network]) + + +def LocalComputeLink(project, zone, key, value): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/zones/', + zone, '/', key, '/', value]) + + +def ReadContext(context, prop_key): + return (context.env['project'], context.properties.get('zone', None), + context.properties[prop_key]) + + +def MakeLocalComputeLink(context, key, zone=None): + if not zone: + project, zone, value = ReadContext(context, key) + else: + project, _, value = ReadContext(context, key) + + if IsComputeLink(value): + return value + else: + return LocalComputeLink(project, zone, key + 's', value) + + +def MakeGlobalComputeLink(context, key): + project, _, value = ReadContext(context, key) + if IsComputeLink(value): + return value + else: + return GlobalComputeLink(project, key + 's', value) + +def MakeRegionalSubnetworkLink(project, zone, subnet): + region = ZoneToRegion(zone) + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/regions/', + region, '/subnetworks/', subnet]) + + +def MakeSubnetworkComputeLink(context, key): + project, zone, value = ReadContext(context, key) + region = ZoneToRegion(zone) + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/regions/', + region, '/subnetworks/', value]) + + +def MakeFQHN(context, name): + return '%s.c.%s.internal' % (name, context.env['project']) + + +# TODO(victorg): Consider moving this method to a different file +def 
MakeC2DImageLink(name, dev_mode=False): + if IsGlobalProjectShortcut(name) or name.startswith('http'): + return name + else: + if dev_mode: + return 'global/images/%s' % name + else: + return GlobalComputeLink(default.C2D_IMAGES, 'images', name) + + +def IsGlobalProjectShortcut(name): + return name.startswith('projects/') or name.startswith('global/') + + +def IsComputeLink(name): + return (name.startswith(default.COMPUTE_URL_BASE) or + name.startswith(default.REFERENCE_PREFIX)) + + +def GetNamesAndTypes(resources_dict): + return [(d['name'], d['type']) for d in resources_dict] + + +def SummarizeResources(res_dict): + """Summarizes the name of resources per resource type.""" + result = {} + for res in res_dict: + result.setdefault(res['type'], []).append(res['name']) + return result + + +def ListPropertyValuesOfType(res_dict, prop, res_type): + """Lists all the values for a property of a certain type.""" + return [r['properties'][prop] for r in res_dict if r['type'] == res_type] + + +def MakeResource(resource_list, output_list=None): + """Wrapper for a DM template basic spec.""" + content = {'resources': resource_list} + if output_list: + content['outputs'] = output_list + return yaml.dump(content) + + +def TakeZoneOut(properties): + """Given a properties dictionary, removes the zone specific information.""" + + def _CleanZoneUrl(value): + value = value.split('/')[-1] if IsComputeLink(value) else value + return value + + for name in default.VM_ZONE_PROPERTIES: + if name in properties: + properties[name] = _CleanZoneUrl(properties[name]) + if default.ZONE in properties: + properties.pop(default.ZONE) + if default.BOOTDISK in properties: + properties[default.BOOTDISK] = _CleanZoneUrl(properties[default.BOOTDISK]) + if default.DISKS in properties: + for disk in properties[default.DISKS]: + # Don't touch references to other disks + if default.DISK_SOURCE in disk: + continue + if default.INITIALIZEP in disk: + disk_init = disk[default.INITIALIZEP] + if default.DISKTYPE 
in disk_init: + disk_init[default.DISKTYPE] = _CleanZoneUrl(disk_init[default.DISKTYPE]) + + +def GenerateEmbeddableYaml(yaml_string): + # Because YAML is a space delimited format, we need to be careful about + # embedding one YAML document in another. This function takes in a string in + # YAML format and produces an equivalent YAML representation that can be + # inserted into arbitrary points of another YAML document. It does so by + # printing the YAML string in a single line format. Consistent ordering of + # the string is also guaranteed by using yaml.dump. + yaml_object = yaml.load(yaml_string) + dumped_yaml = yaml.dump(yaml_object, default_flow_style=True) + return dumped_yaml + + +def FormatErrorsDec(func): + """Decorator to format exceptions if they get raised.""" + + def FormatErrorsWrap(context): + try: + return func(context) + except Exception as e: + raise Error(FormatException(e.message)) + + return FormatErrorsWrap diff --git a/deprecated/gcp/R80.30/ha-payg-R80.30/config.yaml b/deprecated/gcp/R80.30/ha-payg-R80.30/config.yaml new file mode 100644 index 00000000..d0c671b7 --- /dev/null +++ b/deprecated/gcp/R80.30/ha-payg-R80.30/config.yaml 
@@ -0,0 +1,69 @@
+imports:
+- path: check-point-cluster--payg.py
+- path: common.py
+- path: default.py
+- path: password.py
+- path: images.py
+
+resources:
+- name: check-point-cluster--payg
+ type: check-point-cluster--payg.py
+ properties:
+ ha_version: "PLEASE ENTER HA VERSION"
+ zoneA: "PLEASE ENTER ZONE A"
+ zoneB: "PLEASE ENTER ZONE B. MUST BE EQUAL TO ZONE A"
+ machineType: "PLEASE ENTER A MACHINE TYPE"
+ diskType: "PLEASE ENTER A DISK TYPE"
+ bootDiskSizeGb: "PLEASE ENTER A DISK SIZE"
+ instanceSSHKey: "PLEASE ENTER A VALID PUBLIC KEY"
+ enableMonitoring: "PLEASE ENTER true or false"
+ managementNetwork: "PLEASE ENTER MANAGEMENT IP"
+ sicKey: "PLEASE ENTER A SIC KEY"
+ generatePassword: "PLEASE ENTER true or false"
+ allowUploadDownload: "PLEASE ENTER true or false"
+ shell: "PLEASE ENTER A SHELL"
+ cluster-network-cidr: "PLEASE ENTER CLUSTER NETWORK CIDR"
+ cluster-network-name: "PLEASE ENTER CLUSTER NETWORK ID"
+ cluster-network-subnetwork-name: "PLEASE ENTER CLUSTER SUBNETWORK ID"
+ cluster-network_enableIcmp: "PLEASE ENTER true or false"
+ cluster-network_icmpSourceRanges: "PLEASE ENTER ICMP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ cluster-network_enableTcp: "PLEASE ENTER true or false"
+ cluster-network_tcpSourceRanges: "PLEASE ENTER TCP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ cluster-network_enableUdp: "PLEASE ENTER true or false"
+ cluster-network_udpSourceRanges: "PLEASE ENTER UDP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ cluster-network_enableSctp: "PLEASE ENTER true or false"
+ cluster-network_sctpSourceRanges: "PLEASE ENTER SCTP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ cluster-network_enableEsp: "PLEASE ENTER true or false"
+ cluster-network_espSourceRanges: "PLEASE ENTER ESP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ mgmt-network-cidr: "PLEASE ENTER MANAGEMENT NETWORK CIDR"
+ mgmt-network-name: "PLEASE ENTER MANAGEMENT NETWORK ID"
+ mgmt-network-subnetwork-name: "PLEASE ENTER MANAGEMENT SUBNETWORK ID"
+ mgmt-network_enableIcmp: "PLEASE ENTER true or false"
+ mgmt-network_icmpSourceRanges: "PLEASE ENTER ICMP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ mgmt-network_enableTcp: "PLEASE ENTER true or false"
+ mgmt-network_tcpSourceRanges: "PLEASE ENTER TCP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ mgmt-network_enableUdp: "PLEASE ENTER true or false"
+ mgmt-network_udpSourceRanges: "PLEASE ENTER UDP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ mgmt-network_enableSctp: "PLEASE ENTER true or false"
+ mgmt-network_sctpSourceRanges: "PLEASE ENTER SCTP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ mgmt-network_enableEsp: "PLEASE ENTER true or false"
+ mgmt-network_espSourceRanges: "PLEASE ENTER ESP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ #Define additional NICs networks and subnetworks according the defined numAdditionalNICs value
+ #If there is no need in additional NICs remove additionalNetwork1 and additionalSubnetwork1 variables
+ numInternalNetworks: "PLEASE ENTER A NUMBER OF ADDITIONAL NICS"
+ internal-network1-cidr: "PLEASE ENTER 1ST INTERNAL NETWORK CIDR"
+ internal-network1-name: "PLEASE ENTER 1ST INTERNAL NETWORK ID"
+ internal-network1-subnetwork-name: "PLEASE ENTER INTERNAL SUBNETWORK ID"
+outputs:
+- name: "Deployment"
+ value: $(ref.check-point-cluster--payg.deployment)
+- name: "Cluster IP external address"
+ value: $(ref.check-point-cluster--payg.clusterIP)
+- name: "Member A"
+ value: $(ref.check-point-cluster--payg.vmAName)
+- name: "Member A external IP"
+ value: $(ref.check-point-cluster--payg.vmAExternalIP)
+- name: "Member B"
+ value: $(ref.check-point-cluster--payg.vmBName)
+- name: "Member B external IP"
+ value: $(ref.check-point-cluster--payg.vmBExternalIP)
\ No newline at end of file
diff --git a/deprecated/gcp/R80.30/ha-payg-R80.30/default.py b/deprecated/gcp/R80.30/ha-payg-R80.30/default.py
new file mode 100644
index 00000000..0c7dd919
--- /dev/null
+++ b/deprecated/gcp/R80.30/ha-payg-R80.30/default.py
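Review bot: The two comment lines above `numInternalNetworks` refer to `numAdditionalNICs`, `additionalNetwork1` and `additionalSubnetwork1`, but the properties this file actually defines are `numInternalNetworks` and the `internal-network1-*` keys, so a user following the comment would look for (or delete) the wrong names. Suggested wording: `#Define additional internal networks and subnetworks according to the defined numInternalNetworks value` and `#If no additional NICs are needed, remove the internal-network1-* variables`. Since `sicKey` is a one-time secret that is filled into this file in plaintext, a short comment next to it noting that the filled-in config.yaml should be kept out of version control would also help users of the template.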
@@ -0,0 +1,134 @@
+# Copyright 2015 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Convenience module to hold default constants for C2D components.
+
+There should not be any logic in this module. Its purpose is to simplify
+analysis of commonly used GCP and properties names and identify the names
+that were custom created for these modules.
+"""
+# Generic constants
+C2D_IMAGES = 'click-to-deploy-images'
+
+# URL constants
+COMPUTE_URL_BASE = 'https://www.googleapis.com/compute/v1/'
+
+# Deployment Manager constructs
+REFERENCE_PREFIX = '$(ref.'
+
+# Commonly used in properties namespace
+AUTO_DELETE = 'autoDelete'
+BOOTDISK = 'bootDiskType'
+BOOTDISKSIZE = 'bootDiskSizeGb'
+C_IMAGE = 'containerImage'
+DC_MANIFEST = 'dcManifest'
+DEPLOYMENT = 'DEPLOYMENT' # used in the deployment coordinator
+DISK_NAME = 'diskName'
+DISK_RESOURCES = 'addedDiskResources'
+DISK_SOURCE = 'source'
+ENDPOINT_NAME = 'serviceRegistryEndpointName'
+FIXED_GCLOUD = 'fixedGcloud'
+GENERATED_PROP = 'generatedProperties'
+INITIALIZEP = 'initializeParams'
+INSTANCE_NAME = 'instanceName'
+LOCAL_SSD = 'localSSDs'
+MAX_NUM = 'maxNumReplicas'
+NETWORKS = 'networks'
+NO_SCOPE = 'noScope'
+PROVIDE_BOOT = 'provideBoot'
+REPLICAS = 'replicas'
+SIZE = 'size'
+VM_COPIES = 'numberOfVMReplicas'
+ZONES = 'zones'
+
+# Common properties values (only official GCP values allowed here)
+EXTERNAL = 'External NAT'
+ONE_NAT = 'ONE_TO_ONE_NAT'
+
+# Common 1st level properties (only official GCP names allowed here)
+CAN_IP_FWD = 'canIpForward'
+CONTAINER = 'container'
+DCKRENV = 'dockerEnv'
+DCKRIMAGE = 'dockerImage'
+DEFAULT_SERVICE = 'defaultService'
+DEVICE_NAME = 'deviceName'
+DISKS = 'disks'
+DISK_SIZE = 'diskSizeGb'
+DISKTYPE = 'diskType'
+HEALTH_PATH = 'healthPath'
+HOST_RULES = 'hostRules'
+IP_PROTO = 'IPProtocol'
+MACHINETYPE = 'machineType'
+METADATA = 'metadata'
+NAME = 'name'
+NETWORK = 'network'
+NETWORKS = 'networks'
+SUBNETWORK = 'subnetwork'
+PATH_MATCHERS = 'pathMatchers'
+PORT = 'port'
+PROJECT = 'project'
+SERVICE = 'service'
+SERVICE_ACCOUNTS = 'serviceAccounts'
+SRCIMAGE = 'sourceImage'
+SRC_RANGES = 'sourceRanges'
+TAGS = 'tags'
+TYPE = 'type'
+VM_TEMPLATE = 'instanceTemplate'
+ZONE = 'zone'
+
+# Zone specfic VM properties
+VM_ZONE_PROPERTIES = [DISKTYPE, MACHINETYPE, BOOTDISK]
+
+# Resource type defaults names
+ADDRESS = 'compute.v1.address'
+AUTOSCALER = 'compute.v1.autoscaler'
+BACKEND_SERVICE = 'compute.v1.backendService'
+DISK = 'compute.v1.disk'
+ENDPOINT = 'serviceregistry.v1alpha.endpoint'
+FIREWALL = 'compute.v1.firewall'
+GF_RULE = 'compute.v1.globalForwardingRule'
+HEALTHCHECK = 'compute.v1.httpHealthCheck'
+IGM = 'compute.v1.instanceGroupManager'
+INSTANCE = 'compute.v1.instance'
+PROXY = 'compute.v1.targetHttpProxy'
+TEMPLATE = 'compute.v1.instanceTemplate'
+REGION_IGM = 'compute.v1.regionInstanceGroupManager'
+REGION_AUTOSCALER = 'compute.v1.regionAutoscaler'
+URL_MAP = 'compute.v1.urlMap'
+VPC='compute.v1.network'
+VPC_SUBNET='compute.v1.subnetwork'
+
+# Also Known As constants
+AKA = {
+ TEMPLATE: 'tmplt',
+ AUTOSCALER: 'as',
+ BACKEND_SERVICE: 'bes',
+ DISK: 'disk',
+ FIREWALL: 'fwall',
+ GF_RULE: 'ip',
+ HEALTHCHECK: 'hc',
+ INSTANCE: 'vm',
+ PROXY: 'tproxy',
+ IGM: 'igm',
+ URL_MAP: 'umap',
+}
+
+LOC = {
+ 'europe': 'eu',
+ 'asia': 'as',
+ 'central': 'c',
+ 'east': 'e',
+ 'west': 'w',
+ 'north': 'n',
+ 'south': 's',
+}
diff --git a/deprecated/gcp/R80.30/ha-payg-R80.30/images.py b/deprecated/gcp/R80.30/ha-payg-R80.30/images.py
new file mode 100644
index 00000000..2811fa30
--- /dev/null
+++ b/deprecated/gcp/R80.30/ha-payg-R80.30/images.py
@@ -0,0 +1,10 @@
+IMAGES = {
+ "check-point-r8030-payg": "check-point-r8030-payg-200-773-v20201208",
+ "check-point-r8030-gw-payg-single": "check-point-r8030-gw-payg-single-273-904-v20210715",
+ "check-point-r8030-gw-payg-mig": "check-point-r8030-gw-payg-mig-273-904-v20210715",
+ "check-point-r8030-gw-payg-cluster": "check-point-r8030-gw-payg-cluster-273-904-v20210715",
+ "check-point-r8030-gw-byol-single": "check-point-r8030-gw-byol-single-273-904-v20210715",
+ "check-point-r8030-gw-byol-mig": "check-point-r8030-gw-byol-mig-273-904-v20210715",
+ "check-point-r8030-gw-byol-cluster": "check-point-r8030-gw-byol-cluster-273-904-v20210715",
+ "check-point-r8030-byol": "check-point-r8030-byol-200-773-v20201208"
+}
diff --git a/deprecated/gcp/R80.30/ha-payg-R80.30/password.py b/deprecated/gcp/R80.30/ha-payg-R80.30/password.py
new file mode 100644
index 00000000..273210a6
--- /dev/null
+++ b/deprecated/gcp/R80.30/ha-payg-R80.30/password.py
@@ -0,0 +1,135 @@ +# Copyright 2015 Google Inc. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +"""A DM template that generates password as an output, namely "password". + +An example YAML showing how this template can be used: + resources: + - name: generated-password + type: password.py + properties: + length: 8 + includeSymbols: true + - name: main-template + type: main-template.jinja + properties: + password: $(ref.generated-password.password) + +Input properties to this template: + - length: the length of the generated password. At least 8. Default 8. + - includeSymbols: true/false whether to include symbol chars. Default false. + +The generated password satisfies the following requirements: + - The length is as specified, + - Containing letters and numbers, and optionally symbols if specified, + - Starting with a letter, + - Containing characters from at least 3 of the 4 categories: uppercases, + lowercases, numbers, and symbols. + +""" + +import random +import yaml + +PROPERTY_LENGTH = 'length' +PROPERTY_INCLUDE_SYMBOLS = 'includeSymbols' + +# Note the omission of some hard to distinguish characters like I, l, 0, and O. +UPPERS = 'ABCDEFGHJKLMNPQRSTUVWXYZ' +LOWERS = 'abcdefghijkmnopqrstuvwxyz' +ALPHABET = UPPERS + LOWERS +DIGITS = '123456789' +ALPHANUMS = ALPHABET + DIGITS +# Including only symbols that can be passed around easily in shell scripts. +SYMBOLS = '*-+.' 
+ +CANDIDATES_WITH_SYMBOLS = ALPHANUMS + SYMBOLS +CANDIDATES_WITHOUT_SYMBOLS = ALPHANUMS + +CATEGORIES_WITH_SYMBOLS = [UPPERS, LOWERS, DIGITS, SYMBOLS] +CATEGORIES_WITHOUT_SYMBOLS = [UPPERS, LOWERS, DIGITS] + +MIN_LENGTH = 8 + + +class InputError(Exception): + """Raised when input properties are unexpected.""" + + +def GenerateConfig(context): + """Entry function to generate the DM config.""" + props = context.properties + length = props.setdefault(PROPERTY_LENGTH, MIN_LENGTH) + include_symbols = props.setdefault(PROPERTY_INCLUDE_SYMBOLS, False) + + if not isinstance(include_symbols, bool): + raise InputError('%s must be a boolean' % PROPERTY_INCLUDE_SYMBOLS) + + content = { + 'resources': [], + 'outputs': [{ + 'name': 'password', + 'value': GeneratePassword(length, include_symbols) + }] + } + return yaml.dump(content) + + +def GeneratePassword(length=8, include_symbols=False): + """Generates a random password.""" + if length < MIN_LENGTH: + raise InputError('Password length must be at least %d' % MIN_LENGTH) + + candidates = (CANDIDATES_WITH_SYMBOLS if include_symbols + else CANDIDATES_WITHOUT_SYMBOLS) + categories = (CATEGORIES_WITH_SYMBOLS if include_symbols + else CATEGORIES_WITHOUT_SYMBOLS) + + # Generates up to the specified length minus the number of categories. + # Then inserts one character for each category, ensuring that the character + # satisfy the category if the generated string hasn't already. + generated = ([random.choice(ALPHABET)] + + [random.choice(candidates) + for _ in range(length - 1 - len(categories))]) + for category in categories: + _InsertAndEnsureSatisfaction(generated, category, candidates) + return ''.join(generated) + + +def _InsertAndEnsureSatisfaction(generated, required, all_candidates): + """Inserts 1 char into generated, satisfying required if not already. + + If the required characters are not already in the generated string, one will + be inserted. 
If any required character is already in the generated string, a + random character from all_candidates will be inserted. The insertion happens + at a random location but not at the beginning. + + Args: + generated: the string to be modified. + required: list of required characters to check for. + all_candidates: list of characters to choose from if the required characters + are already satisfied. + """ + if set(generated).isdisjoint(required): + # Not yet satisfied. Insert a required candidate. + _InsertInto(generated, required) + else: + # Already satisfied. Insert any candidate. + _InsertInto(generated, all_candidates) + + +def _InsertInto(generated, candidates): + """Inserts a random candidate into a random non-zero index of generated.""" + # Avoids inserting at index 0, since the first character follows its own rule. + generated.insert(random.randint(1, len(generated) - 1), + random.choice(candidates)) diff --git a/deprecated/gcp/R80.30/single-byol-R80.30/README.md b/deprecated/gcp/R80.30/single-byol-R80.30/README.md new file mode 100644 index 00000000..5b1562f9 --- /dev/null +++ b/deprecated/gcp/R80.30/single-byol-R80.30/README.md 
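Review bot: `GeneratePassword` and `_InsertInto` draw every character and every insertion index from the module-level `random.choice`/`random.randint`, which use the non-cryptographic Mersenne Twister generator; a value emitted as the administrator password should come from the OS entropy source instead. The smallest change keeps the call sites and swaps only the generator: add `_RNG = random.SystemRandom()` below the imports, replace the three `random.choice(...)` calls with `_RNG.choice(...)`, and replace `random.randint(1, len(generated) - 1)` in `_InsertInto` with `_RNG.randint(1, len(generated) - 1)`. `SystemRandom` exposes the same `choice`/`randint` interface and exists on the Python 2 runtime this package appears to target (common.py uses `e.message`), so no other line changes. It would also be worth one sentence in the module docstring noting that the password is returned as a Deployment Manager output via `yaml.dump`, so anyone who can read the deployment's outputs can read it.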
@@ -0,0 +1,131 @@ +# GCP Deployment Manager package for Management, Gateway and Standalone BYOL solutions +This directory contains CloudGuard IaaS deployment package for Management, Gateway and Standalone BYOL solution published in the [GCP Marketplace](https://console.cloud.google.com/marketplace/details/checkpoint-public/check-point-cloudguard-byol). + +# How to deploy the package manually +To deploy the Deployment Manager's package manually, without using the GCP Marketplace, follow these instructions: +1. Clone or download the files in this directory +2. Fill variables in the config.yaml(see below for variables descriptions). +3. Log into [Google Cloud Platform Console](https://console.cloud.google.com) +4. [Activate Cloud Shell](https://cloud.google.com/shell/docs/using-cloud-shell) +5. Set your Cloud Platform project in the Cloud Shell session use: + + gcloud config set project [PROJECT_ID] +6. Upload the content of the CloudGuardIaaS/gcp/deployment-packages/single-byol/ directory to the [cloud shell](https://cloud.google.com/shell/docs/uploading-and-downloading-files) +7. Launch deployment by running: + + gcloud deployment-manager deployments create [DEPLOYMENT_NAME] --config config.yaml +8. Make sure the deployment finished successfully.
Example of successful deployment output: + + The fingerprint of the deployment is NEBnvNbqOItDoLZrhYNo5Q== + Waiting for create [operation-1585065238276-5a19bc2792a32-becd058d-67862f39]...done. + Create operation operation-1585065238276-5a19bc2792a32-becd058d-67862f39 completed successfully. + NAME TYPE STATE ERRORS INTENT + gateway-config runtimeconfig.v1beta1.config COMPLETED [] + gateway-software runtimeconfig.v1beta1.waiter COMPLETED [] + gateway-vm compute.v1.instance COMPLETED [] + gateway-vm-address compute.v1.address COMPLETED [] + OUTPUTS VALUE + Deployment gateway + Instance gateway-single-vm + +## config.yaml variables +| Name | Description | Type | Allowed values | +| ------------- | ------------- | ------------- | ------------- | +| **zone** | The zone determines what computing resources are available and where your data is stored and used | string | List of allowed [Regions and Zones](https://cloud.google.com/compute/docs/regions-zones?_ga=2.31926582.-962483654.1585043745) | +| | | | | | +| **machineType** | Machine types determine the specifications of your machines, such as the amount of memory, virtual cores, and persistent disk limits an instance will have | string | [Learn more about Machine Types](https://cloud.google.com/compute/docs/machine-types?hl=en_US&_ga=2.267871494.-962483654.1585043745) | +| | | | | | +| **network** | The network determines what network traffic the instance can access | string | Available network in the chosen zone | +| | | | | | +| **Subnetwork** | Assigns the instance an IPv4 address from the subnetwork’s range. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. | string | Available subnetwork in the chosen network | +| | | | | | +| **network_enableTcp** | Allow TCP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **network_tcpSourceRanges** | Allow TCP traffic from the Internet | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009 [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **network_enableGwNetwork** | This is relevant for **Management** only. The network in which managed gateways reside | boolean | true;
false; | +| | | | | | +| **network_gwNetworkSourceRanges** | Allow TCP traffic from the Internet | string | Enter a valid IPv4 network CIDR (e.g. 0.0.0.0/0) | +| | | | | | +| **network_enableIcmp** | Allow ICMP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **network_icmpSourceRanges** | Source IP ranges for ICMP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **network_enableUdp** | Allow UDP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **network_udpSourceRanges** | Source IP ranges for UDP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **network_enableSctp** | Allow SCTP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **network_sctpSourceRanges** | Source IP ranges for SCTP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **network_enableEsp** | Allow ESP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **network_espSourceRanges** | Source IP ranges for ESP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **externalIP** | External IP address type | string | Static;
Ephemeral;
None;
An external IP address associated with this instance. Selecting "None" will result in the instance having no external internet access. [Learn more](https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address?_ga=2.259654658.-962483654.1585043745) | +| | | | | | +| **installationType** | Installation type and version | string | R80.30 Gateway only
R80.30 Management only
R80.30 Manual Configuration | +| | | | | | +| **diskType** | Disk type | string | pd-ssd;
pd-standard;
Storage space is much less expensive for a standard persistent disk. An SSD persistent disk is better for random IOPS or streaming throughput with low latency. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.66020774.-962483654.1585043745#overview_of_disk_types)| +| | | | | | +| **bootDiskSizeGb** | Disk size in GB | number | Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.232680471.-962483654.1585043745#pdperformance)| +| | | | | | +| **generatePassword** | Automatically generate an administrator password | boolean | true;
false; | +| | | | | | +| **allowUploadDownload** | Allow download from/upload to Check Point | boolean | true;
false; | +| | | | | | +| **enableMonitoring** | Enable Stackdriver monitoring | boolean | true;
false; | +| | | | | | +| **shell** | Admin shell | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh;
| +| | | | | | +| **instanceSSHKey** | Public SSH key for the user 'admin' | string | A valid public ssh key | +| | | | | | +| **sicKey** | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server | string | At least 8 alpha numeric characters.
If SIC is not provided and needed, a key will be automatically generated | +| | | | | | +| **managementGUIClientNetwork** | Allowed GUI clients | string | A valid IPv4 network CIDR (e.g. 0.0.0.0/0) | +| | | | | | +| **numAdditionalNICs** | Number of additional network interfaces | number | A number in the range 0 - 7.
Multiple network interfaces deployment is described in [sk121637 - Deploy a CloudGuard for GCP with Multiple Network Interfaces](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk121637) | +| | | | | | + +## Example + zone: "asia-east1-a" + machineType: "n1-standard-4" + network: "frontend-vpc" + subnetwork: "frontend" + network_enableTcp: true + network_tcpSourceRanges: "0.0.0.0/0" + network_enableGwNetwork: true + network_gwNetworkSourceRanges: "0.0.0.0/0" + network_enableIcmp: true + network_icmpSourceRanges: "0.0.0.0/0" + network_enableUdp: true + network_udpSourceRanges: "0.0.0.0/0" + network_enableSctp: false + network_sctpSourceRanges: "" + network_enableEsp: false + network_espSourceRanges: "" + externalIP: "Static" + installationType: "R80.30 Gateway only" + diskType: "pd-ssd" + bootDiskSizeGb: 100 + generatePassword: false + allowUploadDownload: true + enableMonitoring: false + shell: "/bin/bash" + instanceSSHKey: "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" + sicKey: "xxxxxxxx" + managementGUIClientNetwork: "0.0.0.0/0" + numAdditionalNICs: 1 + additionalNetwork1: "backend-vpc1" + additionalSubnetwork1: "backend1" + externalIP1": "None" + additionalNetwork2": "backend-vpc2" + additionalSubnetwork2": "backend2" + externalIP2": "None" + + + + +## Notes +See [sk147032](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk147032) for revision history \ No newline at end of file diff --git a/deprecated/gcp/R80.30/single-byol-R80.30/c2d_deployment_configuration.json b/deprecated/gcp/R80.30/single-byol-R80.30/c2d_deployment_configuration.json new file mode 100644 index 00000000..68fbb1a8 --- /dev/null +++ b/deprecated/gcp/R80.30/single-byol-R80.30/c2d_deployment_configuration.json 
@@ -0,0 +1,7 @@
+{
+ "defaultDeploymentType": "SINGLE_VM",
+ "imageName": "check-point-r8110-gw-byol-single-335-985-v20220126",
+ "projectId": "checkpoint-public",
+ "templateName": "nonexistent_template",
+ "useSolutionPackage": "true"
+}
diff --git a/deprecated/gcp/R80.30/single-byol-R80.30/check-point-vsec--byol.py b/deprecated/gcp/R80.30/single-byol-R80.30/check-point-vsec--byol.py
new file mode 100644
index 00000000..a7f626c9
--- /dev/null
+++ b/deprecated/gcp/R80.30/single-byol-R80.30/check-point-vsec--byol.py
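Review bot: `imageName` pins `check-point-r8110-gw-byol-single-335-985-v20220126`, an R81.10 image, while this file sits in the `single-byol-R80.30` package whose template (`check-point-vsec--byol.py`, further down in this patch) only maps `R80.30`/`R80.30-GW` versions and whose sibling `ha-payg-R80.30/images.py` pins only `r8030` images; this looks like a copy from a later package rather than a deliberate choice, and a deployment started from it would boot a different major version than the directory name promises. Please confirm the intended image and, if it is the R80.30 single BYOL one, set `"imageName": "<R80.30 single byol image name>"` accordingly. `"templateName": "nonexistent_template"` also reads like a placeholder and should be confirmed. `"useSolutionPackage": "true"` is a JSON string rather than a boolean; if the consumer accepts either it is harmless, but a bare `true` would be the unambiguous form.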
@@ -0,0 +1,729 @@ +# Copyright 2016 Check Point Software LTD. +import common +import default +import images +import password + +GATEWAY = 'checkpoint-gateway' +MANAGEMENT = 'checkpoint-management' + +PROJECT = 'checkpoint-public' +LICENSE = 'byol' +LICENCE_TYPE = 'single' + +VERSIONS = { + 'R80.30': 'r8030', + 'R80.30-GW': 'r8030-gw' +} + +ADDITIONAL_NETWORK = 'additionalNetwork{}' +ADDITIONAL_SUBNET = 'additionalSubnetwork{}' +ADDITIONAL_EXTERNAL_IP = 'externalIP{}' +MAX_NICS = 8 + +TEMPLATE_NAME = 'single' +TEMPLATE_VERSION = '20220130' + +ATTRIBUTES = { + 'Gateway and Management (Standalone)': { + 'tags': [GATEWAY, MANAGEMENT], + 'description': 'Check Point Security Gateway and Management', + 'canIpForward': True, + }, + 'Management only': { + 'tags': [MANAGEMENT], + 'description': 'Check Point Security Management', + 'canIpForward': False, + }, + 'Gateway only': { + 'tags': [GATEWAY], + 'description': 'Check Point Security Gateway', + 'canIpForward': True, + }, + 'Manual Configuration': { + 'tags': [], + 'description': 'Check Point', + 'canIpForward': True, + } +} + +startup_script = ''' +#!/bin/bash + +generatePassword="$(echo {generatePassword} | tr 'TF' 'tf')" +allowUploadDownload="{allowUploadDownload}" + +echo "template_name: {templateName}" >> /etc/cloud-version +echo "template_version: {templateVersion}" >> /etc/cloud-version + +function get_router() {{ + local interface="$1" + local subnet_router_meta_path="computeMetadata/v1/instance/network-interfaces/$interface/gateway" + local router="$(get-cloud-data.sh ${{subnet_router_meta_path}})" + echo "${{router}}" +}} + +function set_mgmt_if() {{ + mgmtNIC="{mgmtNIC}" + local mgmt_int="eth0" + if [ "X$mgmtNIC" == "XEphemeral Public IP (eth0)" ]; then + mgmt_int="eth0" + elif [ "X$mgmtNIC" == "XPrivate IP (eth1)" ]; then + mgmt_int="eth1" + fi + local set_mgmt_if_out="$(clish -s -c "set management interface ${{mgmt_int}}")" + echo "${{set_mgmt_if_out}}" +}} + +function set_internal_static_routes() {{ + local 
private_cidrs='10.0.0.0/8 172.16.0.0/12 192.168.0.0/16' + #Define interface for internal networks and configure + local interface="$internalInterfaceNumber" + local router=$(get_router $interface) + clish -c 'lock database override' + #Configure static routes destined to internal networks, defined in the RFC 1918, through the internal interface + for cidr in ${{private_cidrs}}; do + echo "setting route to $cidr via gateway $router" + echo "running clish -c 'set static-route $cidr nexthop gateway address $router on' -s" + clish -c "set static-route $cidr nexthop gateway address $router on" -s + done +}} + +function create_dynamic_objects() {{ + local is_managment="$1" + local interfaces='eth0 eth1' + for interface in ${{interfaces}}; do + if ${{is_managment}}; then + dynamic_objects -n "LocalGateway" + dynamic_objects -n "LocalGatewayExternal" + dynamic_objects -n "LocalGatewayInternal" + else + local addr="$(ip addr show dev $interface | awk "/inet/{{print \$2; exit}}" | cut -d / -f 1)" + if [ "${{interface}}" == "eth0" ]; then + dynamic_objects -n "LocalGateway" -r "$addr" "$addr" -a + dynamic_objects -n "LocalGatewayExternal" -r "$addr" "$addr" -a + else + dynamic_objects -n "LocalGatewayInternal" -r "$addr" "$addr" -a + fi + fi + done +}} + + +function post_status() {{ + local is_success="$1" + local need_boot="$2" + local status + local value + local instance_id + + if "{hasInternet}" ; then + if "$is_success" ; then + status="success" + value="Success" + else + status="failure" + value="Failure" + fi + instance_id="$(get-cloud-data.sh computeMetadata/v1/instance/id)" + cat </etc/software-status + $FWDIR/scripts/gcp.py POST "{config_url}/variables" \ + --body '{{ + "name": "{config_path}/variables/status/$status/$instance_id", + "value": "$(echo $value | base64)" + }}' +EOF + fi + + create_dynamic_objects $installSecurityManagement + + if "$installSecurityGateway" ; then + + set_internal_static_routes + set_mgmt_if + + ########## + # DA Self update + + 
DAselfUpdateHappening=$(dbget installer:self_update_in_progress) + if [ "X$DAselfUpdateHappening" == "X1" ]; then + oldDApid=$(pidof DAService) + countdown=121 + while [ $((--countdown)) -gt 0 ] + do + sleep 1 + DApid=$(pidof DAService) + + if [ "${{DApid:-$oldDApid}}" -ne "$oldDApid" ]; then + break + fi + done + if [ $countdown -eq 0 ]; then + dbset installer:self_update_in_progress + fi + fi + + ########## + fi + + if [ "$installSecurityManagement" -a "Management only" = "{installationType}" ] ; then + public_ip="$(get-cloud-data.sh computeMetadata/v1/instance/network-interfaces/0/access-configs/0/external-ip)" + declare -i attempts=0 + declare -i max_attempts=80 + mgmt_cli -r true discard + result=$? + while [ $result -ne 0 ] && [ $attempts -lt $max_attempts ] + do + attempts=$attempts+1 + sleep 30 + mgmt_cli -r true discard + result=$? + done + generic_objects="$(mgmt_cli -r true show-generic-objects class-name com.checkpoint.objects.classes.dummy.CpmiHostCkp details-level full -f json)" + uid="$(echo $generic_objects | jq .objects | jq .[0] | jq .uid)" + if [ ! -z "$public_ip" ] && [ ! 
-z "${{uid:1:-1}}" ] ; then + mgmt_cli -r true set-generic-object uid $uid ipaddr $public_ip + fi + fi + + if "$need_boot" ; then + if [ "{enableMonitoring}" = "True" ] ; then + chkconfig --add gcp-statd + fi + shutdown -r now + else + service gcpd restart + if [ "{enableMonitoring}" = "True" ] ; then + chkconfig --add gcp-statd + service gcp-statd start + fi + fi +}} +clish -c 'set user admin shell {shell}' -s + +case "{installationType}" in +"Gateway only") + installSecurityGateway=true + gatewayClusterMember=false + installSecurityManagement=false + sicKey="{computed_sic_key}" + internalInterfaceNumber=1 + ;; +"Management only") + installSecurityGateway=false + installSecurityManagement=true + sicKey=notused + ;; +"Manual Configuration") + post_status true false + exit 0 + ;; +"Gateway and Management (Standalone)") + installSecurityGateway=true + installSecurityManagement=true + gatewayClusterMember=false + sicKey=notused + internalInterfaceNumber=1 + ;; +"Cluster") + installSecurityGateway=true + gatewayClusterMember=true + installSecurityManagement=false + sicKey="{sicKey}" + internalInterfaceNumber=2 + ;; +"AutoScale") + installSecurityGateway=true + gatewayClusterMember=false + installSecurityManagement=false + sicKey="{computed_sic_key}" + internalInterfaceNumber=1 + ;; +esac + +conf="install_security_gw=$installSecurityGateway" +if ${{installSecurityGateway}} ; then + conf="$conf&install_ppak=true" + blink_conf="gateway_cluster_member=$gatewayClusterMember" +fi +conf="$conf&install_security_managment=$installSecurityManagement" +if ${{installSecurityManagement}} ; then + if "$generatePassword" ; then + managementAdminPassword="$(get-cloud-data.sh \ + computeMetadata/v1/instance/attributes/adminPasswordSourceMetadata)" + conf="$conf&mgmt_admin_name=admin" + conf="$conf&mgmt_admin_passwd=$managementAdminPassword" + else + conf="$conf&mgmt_admin_radio=gaia_admin" + fi + + managementGUIClientNetwork="{managementGUIClientNetwork}" + 
conf="$conf&install_mgmt_primary=true" + + if [ "0.0.0.0/0" = "$managementGUIClientNetwork" ]; then + conf="$conf&mgmt_gui_clients_radio=any" + else + conf="$conf&mgmt_gui_clients_radio=network" + ManagementGUIClientBase="$(echo ${{managementGUIClientNetwork}} | \ + cut -d / -f 1)" + ManagementGUIClientMaskLength="$(echo ${{managementGUIClientNetwork}} | \ + cut -d / -f 2)" + conf="$conf&mgmt_gui_clients_ip_field=$ManagementGUIClientBase" + conf="$conf&mgmt_gui_clients_subnet_field=$ManagementGUIClientMaskLength" + fi + +fi + +blink_conf="$blink_conf&ftw_sic_key=$sicKey" +blink_conf="$blink_conf&download_info=$allowUploadDownload" +blink_conf="$blink_conf&upload_info=$allowUploadDownload" + +conf="$conf&$blink_conf" + +if "$generatePassword" ; then + blink_password="$(get-cloud-data.sh \ + computeMetadata/v1/instance/attributes/adminPasswordSourceMetadata)" +else + blink_password="$(dd if=/dev/urandom count=1 \ + 2>/dev/null | sha256sum | cut -c -28)" +fi +blink_conf="$blink_conf&admin_password_regular=$blink_password" + +if [ "Gateway only" = "{installationType}" ] || [ "Cluster" = "{installationType}" ] || [ "AutoScale" = "{installationType}" ]; then + config_cmd="blink_config -s $blink_conf" +else + config_cmd="config_system -s $conf" +fi + +if ${{config_cmd}} ; then + if "$installSecurityManagement" ; then + post_status true "$installSecurityGateway" + elif [ "Cluster" = "{installationType}" ] ; then + mgmt_subnet_gw="$(get-cloud-data.sh computeMetadata/v1/instance/network-interfaces/1/gateway)" + sed -i 's/__CLUSTER_PUBLIC_IP_NAME__/'"{primary_cluster_address_name}"'/g' /etc/fw/conf/gcp-ha.json + sed -i 's/__SECONDARY_PUBLIC_IP_NAME__/'"{secondary_cluster_address_name}"'/g' /etc/fw/conf/gcp-ha.json + clish -c 'set static-route '"{managementNetwork}"' nexthop gateway address '"$mgmt_subnet_gw"' on' -s + post_status true true + else + post_status true false + fi +else + post_status false false +fi + +''' + + +def set_name_and_truncate(primary, secondary, 
maxlength=62): + return '%s%s' % (primary[:maxlength - len(secondary)], secondary) + + +def MakeStaticAddress(vm_name, zone, ifnum=None): + """Creates a static IP address resource; returns it and the natIP.""" + if ifnum: + address_name = set_name_and_truncate(vm_name, + '-address-{}'.format(ifnum)) + else: + address_name = set_name_and_truncate(vm_name, '-address') + address_resource = { + 'name': address_name, + 'type': default.ADDRESS, + 'properties': { + 'name': address_name, + 'region': common.ZoneToRegion(zone), + }, + } + return address_resource, '$(ref.%s.address)' % address_name + + +def make_access_config(resources, vm_name, zone, static, index=None): + name = 'external-address' + if index: + name += '-{}'.format(index) + access_config = { + 'name': name, + 'type': default.ONE_NAT + } + if static: + address_resource, nat_ip = MakeStaticAddress(vm_name, zone, index) + resources.append(address_resource) + access_config['natIP'] = nat_ip + return access_config + + +def create_firewall_rules(prop, net_name, fw_rule_name_prefix, mgmt=False, + uid=''): + firewall_rules = [] + protocols = ['Icmp', 'Udp', 'Tcp', 'Sctp', 'Esp'] + if mgmt: + protocols.remove('Tcp') + for protocol in protocols: + proto = protocol.lower() + source_ranges = prop.get('network' + '_' + proto + 'SourceRanges', '') + protocol_enabled = prop.get('network' + '_enable' + protocol, '') + if protocol_enabled and source_ranges: + firewall_rules.append(make_firewall_rule( + proto, source_ranges, net_name, fw_rule_name_prefix, mgmt, + uid)) + return firewall_rules + + +def make_firewall_rule(protocol, source_ranges, + net_name, fw_rule_name_prefix, mgmt=False, uid=''): + ranges = [] + ranges_list = source_ranges.split(',') + for source_range in ranges_list: + ranges.append(source_range.replace(" ", "")) + fw_rule_name = fw_rule_name_prefix + '-' + protocol + if mgmt: + targetTags = [uid] + else: + targetTags = [GATEWAY] + firewall_rule = { + 'type': default.FIREWALL, + 'name': fw_rule_name, + 
'properties': { + 'network': 'global/networks/' + net_name, + 'sourceRanges': ranges, + 'targetTags': targetTags, + 'allowed': [{'IPProtocol': protocol}], + } + } + return firewall_rule + + +def generate_config(context): + """Creates the gateway.""" + prop = context.properties + prop['cloudguardVersion'], _, prop['installationType'] = prop[ + 'installationType'].partition(' ') + prop['templateName'] = TEMPLATE_NAME + prop['templateVersion'] = TEMPLATE_VERSION + prop['allowUploadDownload'] = str(prop['allowUploadDownload']).lower() + if not prop['managementGUIClientNetwork'] and prop['installationType'] in { + 'Gateway and Management (Standalone)', 'Management only'}: + raise Exception('Allowed GUI clients are required when installing ' + 'a management server') + for k in ['managementGUIClientNetwork']: + prop.setdefault(k, '') + resources = [] + outputs = [] + network_interfaces = [] + external_ifs = [] + zone = prop['zone'] + deployment = context.env['deployment'] + vm_name = set_name_and_truncate(deployment, '-vm') + access_configs = [] + if prop['externalIP'] != 'None': + access_config = make_access_config(resources, vm_name, zone, + 'Static' == prop['externalIP']) + access_configs.append(access_config) + external_ifs.append(0) + prop['hasInternet'] = 'true' + else: + prop['hasInternet'] = 'false' + network = common.MakeGlobalComputeLink(context, default.NETWORK) + networks = {prop['network']} + network_interface = { + 'network': network, + 'accessConfigs': access_configs, + } + if default.SUBNETWORK in prop: + network_interface['subnetwork'] = common.MakeSubnetworkComputeLink( + context, default.SUBNETWORK) + network_interfaces.append(network_interface) + for ifnum in range(1, prop['numAdditionalNICs'] + 1): + net = prop.get(ADDITIONAL_NETWORK.format(ifnum)) + subnet = prop.get(ADDITIONAL_SUBNET.format(ifnum)) + ext_ip = prop.get(ADDITIONAL_EXTERNAL_IP.format(ifnum)) + if not net or not subnet: + raise Exception( + 'Missing network parameters for interface 
{}'.format(ifnum)) + if net in networks: + raise Exception('Cannot use network "' + net + '" more than once') + networks.add(net) + net = ''.join([ + default.COMPUTE_URL_BASE, + 'projects/', context.env['project'], '/global/networks/', net]) + subnet = ''.join([ + default.COMPUTE_URL_BASE, + 'projects/', context.env['project'], + '/regions/', common.ZoneToRegion(zone), '/subnetworks/', subnet]) + network_interface = { + 'network': net, + 'subnetwork': subnet, + } + if 'None' != ext_ip: + external_ifs.append(ifnum) + access_config = make_access_config( + resources, vm_name, zone, 'Static' == ext_ip, ifnum + 1) + access_configs = [access_config] + network_interface['accessConfigs'] = access_configs + if not prop.get('hasInternet') or 'false' == prop['hasInternet']: + prop['hasInternet'] = 'true' + network_interfaces.append(network_interface) + for ifnum in range(prop['numAdditionalNICs'] + 1, MAX_NICS): + prop.pop(ADDITIONAL_NETWORK.format(ifnum), None) + prop.pop(ADDITIONAL_SUBNET.format(ifnum), None) + prop.pop(ADDITIONAL_EXTERNAL_IP.format(ifnum), None) + deployment_config = set_name_and_truncate(deployment, '-config') + prop['config_url'] = ('https://runtimeconfig.googleapis.com/v1beta1/' + + 'projects/' + context.env[ + 'project'] + '/configs/' + deployment_config) + prop['config_path'] = '/'.join(prop['config_url'].split('/')[-4:]) + prop['deployment_config'] = deployment_config + tags = ATTRIBUTES[prop['installationType']]['tags'] + uid = set_name_and_truncate(vm_name, '-' + password.GeneratePassword( + 8, False).lower()) + if prop['installationType'] == 'Gateway only': + prop['cloudguardVersion'] += '-GW' + if not prop.get('sicKey'): + prop['computed_sic_key'] = password.GeneratePassword(12, False) + else: + prop['computed_sic_key'] = prop['sicKey'] + else: + prop['computed_sic_key'] = 'N/A' + outputs.append({ + 'name': 'sicKey', + 'value': prop['computed_sic_key'], + }, ) + if 'gw' in VERSIONS[prop['cloudguardVersion']]: + license_name = 
"{}-{}".format(LICENSE, LICENCE_TYPE) + else: + license_name = LICENSE + family = '-'.join(['check-point', VERSIONS[prop['cloudguardVersion']], + license_name]) + formatter = common.DefaultFormatter() + gw = { + 'type': default.INSTANCE, + 'name': vm_name, + 'properties': { + 'description': ATTRIBUTES[prop['installationType']]['description'], + 'zone': zone, + 'tags': { + 'items': tags + [uid], + }, + 'machineType': common.MakeLocalComputeLink( + context, default.MACHINETYPE), + 'canIpForward': ATTRIBUTES[ + prop['installationType']]['canIpForward'], + 'networkInterfaces': network_interfaces, + 'disks': [{ + 'autoDelete': True, + 'boot': True, + 'deviceName': common.AutoName( + context.env['name'], default.DISK, 'boot'), + 'initializeParams': { + 'diskType': common.MakeLocalComputeLink( + context, default.DISKTYPE), + 'diskSizeGb': prop['bootDiskSizeGb'], + 'sourceImage': + 'projects/%s/global/images/%s' % ( + PROJECT, images.IMAGES[family]), + }, + 'type': 'PERSISTENT', + }], + 'metadata': { + 'items': [ + { + 'key': 'startup-script', + 'value': formatter.format(startup_script, **prop) + }, + ] + }, + 'serviceAccounts': [{ + 'email': 'default', + 'scopes': [ + 'https://www.googleapis.com/auth/monitoring.write' + ], + }] + } + } + if (prop['externalIP'] != 'None') and ( + 'Manual Configuration' != prop['installationType']): + gw['properties']['serviceAccounts'][0]['scopes'].append( + 'https://www.googleapis.com/auth/cloudruntimeconfig') + resources.append({ + 'name': deployment_config, + 'type': 'runtimeconfig.v1beta1.config', + 'properties': { + 'config': deployment_config, + 'description': ('Holds software readiness status ' + 'for deployment {}').format(deployment), + }, + }) + resources.append({ + 'name': set_name_and_truncate(deployment, '-software'), + 'type': 'runtimeconfig.v1beta1.waiter', + 'metadata': { + 'dependsOn': [], + }, + 'properties': { + 'parent': '$(ref.' 
+ deployment_config + '.name)', + 'waiter': 'software', + 'timeout': '1800s', + 'success': { + 'cardinality': { + 'number': 1, + 'path': 'status/success', + }, + }, + 'failure': { + 'cardinality': { + 'number': 1, + 'path': 'status/failure', + }, + }, + }, + }) + if 'instanceSSHKey' in prop: + gw['properties']['metadata']['items'].append( + { + 'key': 'instanceSSHKey', + 'value': prop['instanceSSHKey'] + } + ) + if prop['generatePassword']: + passwd = password.GeneratePassword(12, False) + gw['properties']['metadata']['items'].append( + { + 'key': 'adminPasswordSourceMetadata', + 'value': passwd + } + ) + else: + passwd = '' + resources.append(gw) + netlist = list(networks) + + if GATEWAY in tags: + for i in range(len(netlist)): + network = netlist[i] + fw_rule_name_prefix = set_name_and_truncate( + gen_fw_rule_name_deployment_network_prefix( + deployment, network), + '-allow-all-to-chkp-{}'.format(i + 1)) + firewall_rules = create_firewall_rules( + prop, network, fw_rule_name_prefix) + resources.extend(firewall_rules) + elif MANAGEMENT in tags: + for i in range(len(netlist)): + network = netlist[i] + source_ranges = prop['network_tcpSourceRanges'] + tcp_enabled = prop['network_enableTcp'] + gwNetwork_enabled = prop['network_enableGwNetwork'] + gwNetwork_source_range = prop['network_gwNetworkSourceRanges'] + if source_ranges and not tcp_enabled: + raise Exception( + 'Allowed source IP ranges for TCP traffic are provided ' + 'but TCP not marked as allowed') + if tcp_enabled and not source_ranges: + raise Exception('Allowed source IP ranges for TCP traffic' + ' are required when installing ' + 'a management server') + if not gwNetwork_enabled and gwNetwork_source_range: + raise Exception('Gateway network source IP are provided but ' + 'not marked as allowed.') + if gwNetwork_enabled and not gwNetwork_source_range: + raise Exception('Gateway network source IP is required in' + ' MGMT deployment.') + ranges_list = source_ranges.split(',') + gw_network_list = 
gwNetwork_source_range.split(',') + ranges = [] + gw_net_ranges = [] + for source_range in ranges_list: + ranges.append(source_range.replace(" ", "")) + for gw_net_range in gw_network_list: + gw_net_ranges.append(gw_net_range.replace(" ", "")) + if tcp_enabled: + if gwNetwork_enabled: + resources.append({ + 'type': 'compute.v1.firewall', + 'name': set_name_and_truncate( + gen_fw_rule_name_deployment_network_prefix( + deployment, network), + '-gateways-to-management-{}'.format(i + 1)), + 'properties': { + 'network': 'global/networks/' + network, + 'sourceRanges': list(set(gw_net_ranges + ranges)), + 'sourceTags': [GATEWAY], + 'targetTags': [uid], + 'allowed': [ + { + 'IPProtocol': 'tcp', + 'ports': ['257', '18191', '18210', '18264'] + }, + ], + } + }) + resources.append({ + 'type': 'compute.v1.firewall', + 'name': set_name_and_truncate( + gen_fw_rule_name_deployment_network_prefix(deployment, + network), + '-allow-gui-clients-{}'.format(i + 1)), + 'properties': { + 'network': 'global/networks/' + network, + 'sourceRanges': list(set(ranges)), + 'targetTags': [uid], + 'allowed': [ + { + 'IPProtocol': 'tcp', + 'ports': ['22', '443', '18190', '19009'] + }, + ], + } + }) + fw_rule_name_prefix = set_name_and_truncate( + gen_fw_rule_name_deployment_network_prefix( + deployment, network), + '-allow-all-to-chkp-{}'.format(i + 1)) + firewall_rules = create_firewall_rules( + prop, network, fw_rule_name_prefix, True, uid) + resources.extend(firewall_rules) + outputs += [ + { + 'name': 'deployment', + 'value': deployment + }, + { + 'name': 'project', + 'value': context.env['project'] + }, + { + 'name': 'vmName', + 'value': vm_name, + }, + { + 'name': 'vmId', + 'value': '$(ref.%s.id)' % vm_name, + }, + { + 'name': 'vmSelfLink', + 'value': '$(ref.%s.selfLink)' % vm_name, + }, + { + 'name': 'hasMultiExternalIPs', + 'value': 0 < len(external_ifs) and external_ifs != [0], + }, + { + 'name': 'additionalExternalIPs', + 'value': ', '.join([('$(ref.{}.networkInterfaces[{}].' 
+ + 'accessConfigs[0].natIP)').format( + vm_name, ifnum) for ifnum in external_ifs if ifnum]) + }, + { + 'name': 'vmInternalIP', + 'value': '$(ref.%s.networkInterfaces[0].networkIP)' % vm_name, + }, + { + 'name': 'password', + 'value': passwd + } + ] + return common.MakeResource(resources, outputs) + + +def gen_fw_rule_name_deployment_network_prefix(deployment_name, network_name): + return '{}-{}'. \ + format(deployment_name[:20], network_name[:16]) diff --git a/deprecated/gcp/R80.30/single-byol-R80.30/check-point-vsec--byol.py.schema b/deprecated/gcp/R80.30/single-byol-R80.30/check-point-vsec--byol.py.schema new file mode 100644 index 00000000..7e7b587b --- /dev/null +++ b/deprecated/gcp/R80.30/single-byol-R80.30/check-point-vsec--byol.py.schema 
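Review bot: The generated admin password is stored in clear text in instance metadata as `adminPasswordSourceMetadata`, and that password and the SIC key are additionally baked into the `startup-script` metadata value and returned as deployment outputs (`password`, `sicKey`), so anyone with `compute.instances.get` on the project, anyone who can read the deployment's outputs, and any process on the VM that can reach the metadata server can recover both secrets for the life of the instance. The bootstrap then passes them on the command line via `blink_config -s $blink_conf` / `config_system -s $conf`, where they are visible in the process list while the wizard runs. The VM also runs as the Compute Engine default service account (`'email': 'default'`), with only OAuth scopes limiting what that identity can do; a dedicated least-privilege service account is the usual fix. At minimum, add a comment next to the metadata items, e.g. `# NOTE: adminPasswordSourceMetadata and the SIC key are readable via the metadata server and compute.instances.get; rotate both after the first-time wizard completes`, and consider having the startup script delete the `adminPasswordSourceMetadata` key once `config_cmd` succeeds rather than leaving it in metadata indefinitely.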
@@ -0,0 +1,343 @@ +imports: + - path: check-point-vsec--byol.py + +info: + version: 1.0 + title: Check Point CloudGuard Network Security - BYOL Template + +required: + - zone + - machineType + - network + - diskType + - bootDiskSizeGb + - installationType + - allowUploadDownload + - shell + - managementGUIClientNetwork + - generatePassword + - enableMonitoring + - numAdditionalNICs + +properties: + zone: + type: string + default: us-central1-a + x-googleProperty: + type: GCE_ZONE + machineType: + type: string + default: n1-standard-4 + x-googleProperty: + type: GCE_MACHINE_TYPE + zoneProperty: zone + gceMachineType: + minCpu: 2 + minRamGb: 1.843000054359436 + network: + type: string + default: default + x-googleProperty: + type: GCE_NETWORK + subnetwork: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: network + network_enableTcp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: network + network_tcpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: network_enableTcp + network_enableGwNetwork: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: network + network_gwNetworkSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: network_enableGwNetwork + network_enableIcmp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: network + network_icmpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: network_enableIcmp + network_enableUdp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: network + network_udpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + 
gceFirewallRange: + firewallProperty: network_enableUdp + network_enableSctp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: network + network_sctpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: network_enableSctp + network_enableEsp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: network + network_espSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: network_enableEsp + diskType: + type: string + default: pd-ssd + x-googleProperty: + type: GCE_DISK_TYPE + zoneProperty: zone + bootDiskSizeGb: + type: integer + maximum: 1000 + default: 100 + minimum: 100 + x-googleProperty: + type: GCE_DISK_SIZE + gceDiskSize: + diskTypeProperty: diskType + installationType: + type: string + default: R81.10 Gateway only + enum: + - R80.30 Gateway only + - R80.30 Management only + - R80.30 Manual Configuration + allowUploadDownload: + type: boolean + default: True + shell: + type: string + default: /etc/cli.sh + enum: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + generatePassword: + type: boolean + default: False + enableMonitoring: + type: boolean + default: False + sicKey: + type: string + pattern: ^([a-z0-9A-Z]{8,30}|)$ + default: '' + managementGUIClientNetwork: + type: string + pattern: ^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$ + externalIP: + type: string + enum: + - Static + - Ephemeral + - None + default: Static + instanceSSHKey: + type: string + pattern: ^([0-9a-z\-]+ +[0-9A-Za-z/\+=]+( .*)?|)$ + default: '' + numAdditionalNICs: + type: integer + enum: + - 0 + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + minimum: 0 + maximum: 7 + default: 0 + additionalNetwork1: + type: string + x-googleProperty: + type: GCE_NETWORK + additionalSubnetwork1: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + 
zoneProperty: zone + gceSubnetwork: + networkProperty: additionalNetwork1 + externalIP1: + type: string + enum: + - Static + - Ephemeral + - None + default: None + additionalNetwork2: + type: string + x-googleProperty: + type: GCE_NETWORK + additionalSubnetwork2: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: additionalNetwork2 + externalIP2: + type: string + enum: + - Static + - Ephemeral + - None + default: None + additionalNetwork3: + type: string + x-googleProperty: + type: GCE_NETWORK + additionalSubnetwork3: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: additionalNetwork3 + externalIP3: + type: string + enum: + - Static + - Ephemeral + - None + default: None + additionalNetwork4: + type: string + x-googleProperty: + type: GCE_NETWORK + additionalSubnetwork4: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: additionalNetwork4 + externalIP4: + type: string + enum: + - Static + - Ephemeral + - None + default: None + additionalNetwork5: + type: string + x-googleProperty: + type: GCE_NETWORK + additionalSubnetwork5: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: additionalNetwork5 + externalIP5: + type: string + enum: + - Static + - Ephemeral + - None + default: None + additionalNetwork6: + type: string + x-googleProperty: + type: GCE_NETWORK + additionalSubnetwork6: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: additionalNetwork6 + externalIP6: + type: string + enum: + - Static + - Ephemeral + - None + default: None + additionalNetwork7: + type: string + x-googleProperty: + type: GCE_NETWORK + additionalSubnetwork7: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: 
additionalNetwork7 + externalIP7: + type: string + enum: + - Static + - Ephemeral + - None + default: None + +outputs: + deployment: + type: string + project: + type: string + vmId: + type: string + vmInternalIP: + type: string + hasMultiExternalIP: + type: boolean + additionalExternalIPs: + type: string + vmName: + type: string + vmSelfLink: + type: string + password: + type: string diff --git a/deprecated/gcp/R80.30/single-byol-R80.30/common.py b/deprecated/gcp/R80.30/single-byol-R80.30/common.py new file mode 100644 index 00000000..e123c502 --- /dev/null +++ b/deprecated/gcp/R80.30/single-byol-R80.30/common.py 
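Review bot: `installationType` defaults to `R81.10 Gateway only`, which is not one of its own `enum` values (only the three `R80.30 …` entries are), so a deployment that keeps the default either fails schema validation or reaches `VERSIONS[prop['cloudguardVersion']]` in the template with `R81.10` and raises `KeyError`; change it to `default: R80.30 Gateway only`. The `outputs` section declares `hasMultiExternalIP` while the template emits `hasMultiExternalIPs`, and the template's `sicKey` output is not declared at all, so the output contract is out of sync with the code. `managementGUIClientNetwork` is listed under `required` with a pattern that rejects an empty string, yet the template explicitly tolerates an empty value for gateway-only installs; either drop it from `required` or permit the empty alternative in the pattern (`^(...|)$`) the way `sicKey` and `instanceSSHKey` already do.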
@@ -0,0 +1,262 @@ +# Copyright 2015 Google Inc. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +"""Generic simple functions used for python based template generation.""" + +import re +import sys +import traceback +import default +import string + +import yaml + +RFC1035_RE = re.compile(r'^[a-z][-a-z0-9]{1,61}[a-z0-9]{1}$') + + +class Error(Exception): + """Common exception wrapper for template exceptions.""" + pass + + +class DefaultFormatter(string.Formatter): + """Returns default instead of key error when looking for keys. + + Used for startup-script which contains params from multiple deployments + whiles keys from one deployment may not be set in another. 
+ """ + def __init__(self, default=''): + self.default = default + def get_value(self, key, args, dict): + if isinstance(key, str): + return dict.get(key, self.default) + else: + return string.Formatter.get_value(key, args, dict) + + +def set_name_and_truncate(primary, secondary, maxlength=62): + return '%s%s' % (primary[:maxlength - len(secondary)], secondary) + + +def AddDiskResourcesIfNeeded(context): + """Checks context if disk resources need to be added.""" + if default.DISK_RESOURCES in context.properties: + return context.properties[default.DISK_RESOURCES] + else: + return [] + + +def AutoName(base, resource, *args): + """Helper method to generate names automatically based on default.""" + auto_name = '%s-%s' % (base, '-'.join(list(args) + [default.AKA[resource]])) + if not RFC1035_RE.match(auto_name): + raise Error('"%s" name for type %s does not match RFC1035 regex (%s)' % + (auto_name, resource, RFC1035_RE.pattern)) + return auto_name + + +def AutoRef(base, resource, *args): + """Helper method that builds a reference for an auto-named resource.""" + return Ref(AutoName(base, resource, *args)) + + +def OrderedItems(dict_obj): + """Convenient method to yield sorted iteritems of a dictionary.""" + keys = list(dict_obj.keys()) + keys.sort() + for k in keys: + yield (k, dict_obj[k]) + + +def ShortenZoneName(zone): + """Given a string that looks like a zone name, creates a shorter version.""" + geo, coord, number, letter = re.findall(r'(\w+)-(\w+)(\d)-(\w)', zone)[0] + geo = geo.lower() if len(geo) == 2 else default.LOC[geo.lower()] + coord = default.LOC[coord.lower()] + number = str(number) + letter = letter.lower() + return geo + '-' + coord + number + letter + + +def ZoneToRegion(zone): + """Derives the region from a zone name.""" + parts = zone.split('-') + if len(parts) != 3: + raise Error('Cannot derive region from zone "%s"' % zone) + return '-'.join(parts[:2]) + + +def FormatException(message): + """Adds more information to the exception.""" + message = 
('Exception Type: %s\n' + 'Details: %s\n' + 'Message: %s\n') % (sys.exc_info()[0], + traceback.format_exc(), message) + return message + + +def Ref(name): + return '$(ref.%s.selfLink)' % name + + +def RefGroup(name): + return '$(ref.%s.instanceGroup)' % name + + +def GlobalComputeLink(project, collection, name): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/global/', + collection, '/', name]) + +def GlobalNetworkLink(project, network): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/global/', + default.NETWORKS, '/', network]) + + +def LocalComputeLink(project, zone, key, value): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/zones/', + zone, '/', key, '/', value]) + + +def ReadContext(context, prop_key): + return (context.env['project'], context.properties.get('zone', None), + context.properties[prop_key]) + + +def MakeLocalComputeLink(context, key, zone=None): + if not zone: + project, zone, value = ReadContext(context, key) + else: + project, _, value = ReadContext(context, key) + + if IsComputeLink(value): + return value + else: + return LocalComputeLink(project, zone, key + 's', value) + + +def MakeGlobalComputeLink(context, key): + project, _, value = ReadContext(context, key) + if IsComputeLink(value): + return value + else: + return GlobalComputeLink(project, key + 's', value) + +def MakeRegionalSubnetworkLink(project, zone, subnet): + region = ZoneToRegion(zone) + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/regions/', + region, '/subnetworks/', subnet]) + + +def MakeSubnetworkComputeLink(context, key): + project, zone, value = ReadContext(context, key) + region = ZoneToRegion(zone) + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/regions/', + region, '/subnetworks/', value]) + + +def MakeFQHN(context, name): + return '%s.c.%s.internal' % (name, context.env['project']) + + +# TODO(victorg): Consider moving this method to a different file +def 
MakeC2DImageLink(name, dev_mode=False): + if IsGlobalProjectShortcut(name) or name.startswith('http'): + return name + else: + if dev_mode: + return 'global/images/%s' % name + else: + return GlobalComputeLink(default.C2D_IMAGES, 'images', name) + + +def IsGlobalProjectShortcut(name): + return name.startswith('projects/') or name.startswith('global/') + + +def IsComputeLink(name): + return (name.startswith(default.COMPUTE_URL_BASE) or + name.startswith(default.REFERENCE_PREFIX)) + + +def GetNamesAndTypes(resources_dict): + return [(d['name'], d['type']) for d in resources_dict] + + +def SummarizeResources(res_dict): + """Summarizes the name of resources per resource type.""" + result = {} + for res in res_dict: + result.setdefault(res['type'], []).append(res['name']) + return result + + +def ListPropertyValuesOfType(res_dict, prop, res_type): + """Lists all the values for a property of a certain type.""" + return [r['properties'][prop] for r in res_dict if r['type'] == res_type] + + +def MakeResource(resource_list, output_list=None): + """Wrapper for a DM template basic spec.""" + content = {'resources': resource_list} + if output_list: + content['outputs'] = output_list + return yaml.dump(content) + + +def TakeZoneOut(properties): + """Given a properties dictionary, removes the zone specific information.""" + + def _CleanZoneUrl(value): + value = value.split('/')[-1] if IsComputeLink(value) else value + return value + + for name in default.VM_ZONE_PROPERTIES: + if name in properties: + properties[name] = _CleanZoneUrl(properties[name]) + if default.ZONE in properties: + properties.pop(default.ZONE) + if default.BOOTDISK in properties: + properties[default.BOOTDISK] = _CleanZoneUrl(properties[default.BOOTDISK]) + if default.DISKS in properties: + for disk in properties[default.DISKS]: + # Don't touch references to other disks + if default.DISK_SOURCE in disk: + continue + if default.INITIALIZEP in disk: + disk_init = disk[default.INITIALIZEP] + if default.DISKTYPE 
in disk_init: + disk_init[default.DISKTYPE] = _CleanZoneUrl(disk_init[default.DISKTYPE]) + + +def GenerateEmbeddableYaml(yaml_string): + # Because YAML is a space delimited format, we need to be careful about + # embedding one YAML document in another. This function takes in a string in + # YAML format and produces an equivalent YAML representation that can be + # inserted into arbitrary points of another YAML document. It does so by + # printing the YAML string in a single line format. Consistent ordering of + # the string is also guaranteed by using yaml.dump. + yaml_object = yaml.load(yaml_string) + dumped_yaml = yaml.dump(yaml_object, default_flow_style=True) + return dumped_yaml + + +def FormatErrorsDec(func): + """Decorator to format exceptions if they get raised.""" + + def FormatErrorsWrap(context): + try: + return func(context) + except Exception as e: + raise Error(FormatException(e.message)) + + return FormatErrorsWrap diff --git a/deprecated/gcp/R80.30/single-byol-R80.30/config.yaml b/deprecated/gcp/R80.30/single-byol-R80.30/config.yaml new file mode 100644 index 00000000..867928b0 --- /dev/null +++ b/deprecated/gcp/R80.30/single-byol-R80.30/config.yaml 
@@ -0,0 +1,48 @@
+imports:
+- path: check-point-vsec--byol.py
+- path: common.py
+- path: default.py
+- path: password.py
+- path: images.py
+
+resources:
+- name: check-point-vsec--byol
+ type: check-point-vsec--byol.py
+ properties:
+ zone: "PLEASE ENTER A ZONE"
+ machineType: "PLEASE ENTER A MACHINE TYPE"
+ network: "PLEASE ENTER AN EXTERNAL NETWORK ID"
+ subnetwork: "PLEASE ENTER A SUBNETWORK ID"
+ network_enableTcp: "PLEASE ENTER true or false"
+ network_tcpSourceRanges: "PLEASE ENTER TCP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ network_enableGwNetwork: "PLEASE ENTER true or false"
+ network_gwNetworkSourceRanges: "PLEASE ENTER GATEWAY NETWORK SOURCE RANGES FOR MANAGEMENT, AND STANDALONE. LEAVE EMPTY DOUBLE QUOTES FOR GW"
+ network_enableIcmp: "PLEASE ENTER true or false"
+ network_icmpSourceRanges: "PLEASE ENTER ICMP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ network_enableUdp: "PLEASE ENTER true or false"
+ network_udpSourceRanges: "PLEASE ENTER UDP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ network_enableSctp: "PLEASE ENTER true or false"
+ network_sctpSourceRanges: "PLEASE ENTER SCTP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ network_enableEsp: "PLEASE ENTER true or false"
+ network_espSourceRanges: "PLEASE ENTER ESP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ externalIP: "PLEASE ENTER AN EXTERNAL IP ADDRESS TYPE"
+ installationType: "PLEASE ENTER AN INSTALLATION TYPE"
+ diskType: "PLEASE ENTER A DISK TYPE"
+ bootDiskSizeGb: "PLEASE ENTER A DISK SIZE"
+ generatePassword: "PLEASE ENTER true or false"
+ allowUploadDownload: "PLEASE ENTER true or false"
+ enableMonitoring: "PLEASE ENTER true or false"
+ shell: "PLEASE ENTER A SHELL"
+ instanceSSHKey: "PLEASE ENTER A VALID PUBLIC KEY"
+ sicKey: "PLEASE ENTER A SIC KEY"
+ managementGUIClientNetwork: "PLEASE ENTER A MANAGEMENT GUI CLIENT NETWORK"
+ numAdditionalNICs: "PLEASE ENTER A NUMBER OF ADDITIONAL NICS"
+ #Define additional NICs networks and subnetworks according the defined numAdditionalNICs value
+ #If there is no need in additional NICs remove additionalNetwork1 and additionalSubnetwork1 variables
+ additionalNetwork1: "PLEASE ENTER AN ADDITIONAL NETWORK1 ID"
+ additionalSubnetwork1: "PLEASE ENTER AN ADDITIONAL SUBNETWORK1 ID"
+outputs:
+- name: "Deployment"
+ value: $(ref.check-point-vsec--byol.deployment)
+- name: "Instance"
+ value: $(ref.check-point-vsec--byol.vmName)
\ No newline at end of file
diff --git a/deprecated/gcp/R80.30/single-byol-R80.30/default.py b/deprecated/gcp/R80.30/single-byol-R80.30/default.py
new file mode 100644
index 00000000..0c7dd919
--- /dev/null
+++ b/deprecated/gcp/R80.30/single-byol-R80.30/default.py
@@ -0,0 +1,134 @@
+# Copyright 2015 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Convenience module to hold default constants for C2D components.
+
+There should not be any logic in this module. Its purpose is to simplify
+analysis of commonly used GCP and properties names and identify the names
+that were custom created for these modules.
+"""
+# Generic constants
+C2D_IMAGES = 'click-to-deploy-images'
+
+# URL constants
+COMPUTE_URL_BASE = 'https://www.googleapis.com/compute/v1/'
+
+# Deployment Manager constructs
+REFERENCE_PREFIX = '$(ref.'
+
+ # Commonly used in properties namespace
+AUTO_DELETE = 'autoDelete'
+BOOTDISK = 'bootDiskType'
+BOOTDISKSIZE = 'bootDiskSizeGb'
+C_IMAGE = 'containerImage'
+DC_MANIFEST = 'dcManifest'
+DEPLOYMENT = 'DEPLOYMENT' # used in the deployment coordinator
+DISK_NAME = 'diskName'
+DISK_RESOURCES = 'addedDiskResources'
+DISK_SOURCE = 'source'
+ENDPOINT_NAME = 'serviceRegistryEndpointName'
+FIXED_GCLOUD = 'fixedGcloud'
+GENERATED_PROP = 'generatedProperties'
+INITIALIZEP = 'initializeParams'
+INSTANCE_NAME = 'instanceName'
+LOCAL_SSD = 'localSSDs'
+MAX_NUM = 'maxNumReplicas'
+NETWORKS = 'networks'
+NO_SCOPE = 'noScope'
+PROVIDE_BOOT = 'provideBoot'
+REPLICAS = 'replicas'
+SIZE = 'size'
+VM_COPIES = 'numberOfVMReplicas'
+ZONES = 'zones'
+
+# Common properties values (only official GCP values allowed here)
+EXTERNAL = 'External NAT'
+ONE_NAT = 'ONE_TO_ONE_NAT'
+
+# Common 1st level properties (only official GCP names allowed here)
+CAN_IP_FWD = 'canIpForward'
+CONTAINER = 'container'
+DCKRENV = 'dockerEnv'
+DCKRIMAGE = 'dockerImage'
+DEFAULT_SERVICE = 'defaultService'
+DEVICE_NAME = 'deviceName'
+DISKS = 'disks'
+DISK_SIZE = 'diskSizeGb'
+DISKTYPE = 'diskType'
+HEALTH_PATH = 'healthPath'
+HOST_RULES = 'hostRules'
+IP_PROTO = 'IPProtocol'
+MACHINETYPE = 'machineType'
+METADATA = 'metadata'
+NAME = 'name'
+NETWORK = 'network'
+NETWORKS = 'networks'
+SUBNETWORK = 'subnetwork'
+PATH_MATCHERS = 'pathMatchers'
+PORT = 'port'
+PROJECT = 'project'
+SERVICE = 'service'
+SERVICE_ACCOUNTS = 'serviceAccounts'
+SRCIMAGE = 'sourceImage'
+SRC_RANGES = 'sourceRanges'
+TAGS = 'tags'
+TYPE = 'type'
+VM_TEMPLATE = 'instanceTemplate'
+ZONE = 'zone'
+
+# Zone specfic VM properties
+VM_ZONE_PROPERTIES = [DISKTYPE, MACHINETYPE, BOOTDISK]
+
+# Resource type defaults names
+ADDRESS = 'compute.v1.address'
+AUTOSCALER = 'compute.v1.autoscaler'
+BACKEND_SERVICE = 'compute.v1.backendService'
+DISK = 'compute.v1.disk'
+ENDPOINT = 'serviceregistry.v1alpha.endpoint'
+FIREWALL = 'compute.v1.firewall'
+GF_RULE = 'compute.v1.globalForwardingRule'
+HEALTHCHECK = 'compute.v1.httpHealthCheck'
+IGM = 'compute.v1.instanceGroupManager'
+INSTANCE = 'compute.v1.instance'
+PROXY = 'compute.v1.targetHttpProxy'
+TEMPLATE = 'compute.v1.instanceTemplate'
+REGION_IGM = 'compute.v1.regionInstanceGroupManager'
+REGION_AUTOSCALER = 'compute.v1.regionAutoscaler'
+URL_MAP = 'compute.v1.urlMap'
+VPC='compute.v1.network'
+VPC_SUBNET='compute.v1.subnetwork'
+
+# Also Known As constants
+AKA = {
+ TEMPLATE: 'tmplt',
+ AUTOSCALER: 'as',
+ BACKEND_SERVICE: 'bes',
+ DISK: 'disk',
+ FIREWALL: 'fwall',
+ GF_RULE: 'ip',
+ HEALTHCHECK: 'hc',
+ INSTANCE: 'vm',
+ PROXY: 'tproxy',
+ IGM: 'igm',
+ URL_MAP: 'umap',
+}
+
+LOC = {
+ 'europe': 'eu',
+ 'asia': 'as',
+ 'central': 'c',
+ 'east': 'e',
+ 'west': 'w',
+ 'north': 'n',
+ 'south': 's',
+}
diff --git a/deprecated/gcp/R80.30/single-byol-R80.30/images.py b/deprecated/gcp/R80.30/single-byol-R80.30/images.py
new file mode 100644
index 00000000..2811fa30
--- /dev/null
+++ b/deprecated/gcp/R80.30/single-byol-R80.30/images.py
@@ -0,0 +1,10 @@
+IMAGES = {
+ "check-point-r8030-payg": "check-point-r8030-payg-200-773-v20201208",
+ "check-point-r8030-gw-payg-single": "check-point-r8030-gw-payg-single-273-904-v20210715",
+ "check-point-r8030-gw-payg-mig": "check-point-r8030-gw-payg-mig-273-904-v20210715",
+ "check-point-r8030-gw-payg-cluster": "check-point-r8030-gw-payg-cluster-273-904-v20210715",
+ "check-point-r8030-gw-byol-single": "check-point-r8030-gw-byol-single-273-904-v20210715",
+ "check-point-r8030-gw-byol-mig": "check-point-r8030-gw-byol-mig-273-904-v20210715",
+ "check-point-r8030-gw-byol-cluster": "check-point-r8030-gw-byol-cluster-273-904-v20210715",
+ "check-point-r8030-byol": "check-point-r8030-byol-200-773-v20201208"
+}
diff --git a/deprecated/gcp/R80.30/single-byol-R80.30/password.py b/deprecated/gcp/R80.30/single-byol-R80.30/password.py
new file mode 100644
index 00000000..273210a6
--- /dev/null
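Review bot: `NETWORKS = 'networks'` is assigned twice in default.py, once under "Commonly used in properties namespace" and again under "Common 1st level properties"; the second assignment is dead today, and if either value is ever edited the later one silently wins, so one of them should be removed. The module docstring says the file exists to make GCP property names easy to audit, which a duplicated constant works against. `VPC='compute.v1.network'` and `VPC_SUBNET='compute.v1.subnetwork'` are also the only constants without spaces around `=`, so `VPC = 'compute.v1.network'` and `VPC_SUBNET = 'compute.v1.subnetwork'` would match the rest of the file.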
+++ b/deprecated/gcp/R80.30/single-byol-R80.30/password.py 
@@ -0,0 +1,135 @@
+# Copyright 2015 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""A DM template that generates password as an output, namely "password".
+
+An example YAML showing how this template can be used:
+ resources:
+ - name: generated-password
+ type: password.py
+ properties:
+ length: 8
+ includeSymbols: true
+ - name: main-template
+ type: main-template.jinja
+ properties:
+ password: $(ref.generated-password.password)
+
+Input properties to this template:
+ - length: the length of the generated password. At least 8. Default 8.
+ - includeSymbols: true/false whether to include symbol chars. Default false.
+
+The generated password satisfies the following requirements:
+ - The length is as specified,
+ - Containing letters and numbers, and optionally symbols if specified,
+ - Starting with a letter,
+ - Containing characters from at least 3 of the 4 categories: uppercases,
+ lowercases, numbers, and symbols.
+
+"""
+
+import random
+import yaml
+
+PROPERTY_LENGTH = 'length'
+PROPERTY_INCLUDE_SYMBOLS = 'includeSymbols'
+
+# Note the omission of some hard to distinguish characters like I, l, 0, and O.
+UPPERS = 'ABCDEFGHJKLMNPQRSTUVWXYZ'
+LOWERS = 'abcdefghijkmnopqrstuvwxyz'
+ALPHABET = UPPERS + LOWERS
+DIGITS = '123456789'
+ALPHANUMS = ALPHABET + DIGITS
+# Including only symbols that can be passed around easily in shell scripts.
+SYMBOLS = '*-+.'
+
+CANDIDATES_WITH_SYMBOLS = ALPHANUMS + SYMBOLS
+CANDIDATES_WITHOUT_SYMBOLS = ALPHANUMS
+
+CATEGORIES_WITH_SYMBOLS = [UPPERS, LOWERS, DIGITS, SYMBOLS]
+CATEGORIES_WITHOUT_SYMBOLS = [UPPERS, LOWERS, DIGITS]
+
+MIN_LENGTH = 8
+
+
+class InputError(Exception):
+ """Raised when input properties are unexpected."""
+
+
+def GenerateConfig(context):
+ """Entry function to generate the DM config."""
+ props = context.properties
+ length = props.setdefault(PROPERTY_LENGTH, MIN_LENGTH)
+ include_symbols = props.setdefault(PROPERTY_INCLUDE_SYMBOLS, False)
+
+ if not isinstance(include_symbols, bool):
+ raise InputError('%s must be a boolean' % PROPERTY_INCLUDE_SYMBOLS)
+
+ content = {
+ 'resources': [],
+ 'outputs': [{
+ 'name': 'password',
+ 'value': GeneratePassword(length, include_symbols)
+ }]
+ }
+ return yaml.dump(content)
+
+
+def GeneratePassword(length=8, include_symbols=False):
+ """Generates a random password."""
+ if length < MIN_LENGTH:
+ raise InputError('Password length must be at least %d' % MIN_LENGTH)
+
+ candidates = (CANDIDATES_WITH_SYMBOLS if include_symbols
+ else CANDIDATES_WITHOUT_SYMBOLS)
+ categories = (CATEGORIES_WITH_SYMBOLS if include_symbols
+ else CATEGORIES_WITHOUT_SYMBOLS)
+
+ # Generates up to the specified length minus the number of categories.
+ # Then inserts one character for each category, ensuring that the character
+ # satisfy the category if the generated string hasn't already.
+ generated = ([random.choice(ALPHABET)] +
+ [random.choice(candidates)
+ for _ in range(length - 1 - len(categories))])
+ for category in categories:
+ _InsertAndEnsureSatisfaction(generated, category, candidates)
+ return ''.join(generated)
+
+
+def _InsertAndEnsureSatisfaction(generated, required, all_candidates):
+ """Inserts 1 char into generated, satisfying required if not already.
+
+ If the required characters are not already in the generated string, one will
+ be inserted. If any required character is already in the generated string, a
+ random character from all_candidates will be inserted. The insertion happens
+ at a random location but not at the beginning.
+
+ Args:
+ generated: the string to be modified.
+ required: list of required characters to check for.
+ all_candidates: list of characters to choose from if the required characters
+ are already satisfied.
+ """
+ if set(generated).isdisjoint(required):
+ # Not yet satisfied. Insert a required candidate.
+ _InsertInto(generated, required)
+ else:
+ # Already satisfied. Insert any candidate.
+ _InsertInto(generated, all_candidates)
+
+
+def _InsertInto(generated, candidates):
+ """Inserts a random candidate into a random non-zero index of generated."""
+ # Avoids inserting at index 0, since the first character follows its own rule.
+ generated.insert(random.randint(1, len(generated) - 1),
+ random.choice(candidates))
diff --git a/deprecated/gcp/R80.30/single-payg-R80.30/README.md b/deprecated/gcp/R80.30/single-payg-R80.30/README.md
new file mode 100644
index 00000000..843eddcf
--- /dev/null
+++ b/deprecated/gcp/R80.30/single-payg-R80.30/README.md
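Review bot: GeneratePassword and _InsertInto draw every character and every insertion index from the module-level `random` functions (`random.choice` three times, `random.randint` once), which is the non-cryptographic Mersenne Twister, while the module docstring says the result is emitted as the deployment's "password" output. The smallest fix that works on both Python 2 and 3 is a module-level `_RNG = random.SystemRandom()` next to the constants and then `_RNG.choice(...)` / `_RNG.randint(1, len(generated) - 1)` at the four call sites; `SystemRandom` exposes the same `choice` and `randint` methods backed by the OS entropy source, so no logic changes. Separately, GenerateConfig type-checks `includeSymbols` but passes `length` straight through, so a non-integer value fails inside GeneratePassword with a TypeError on `length < MIN_LENGTH` instead of the InputError the template otherwise raises; `if not isinstance(length, int): raise InputError('%s must be an integer' % PROPERTY_LENGTH)` beside the existing check would keep the error surface consistent.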
@@ -0,0 +1,131 @@ +# GCP Deployment Manager package for Management, Gateway and Standalone PAYG solutions +This directory contains CloudGuard IaaS deployment package for Management, Gateway and Standalone PAYG solution published in the [GCP Marketplace](https://console.cloud.google.com/marketplace/details/checkpoint-public/check-point-cloudguard-payg). + +# How to deploy the package manually +To deploy the Deployment Manager's package manually, without using the GCP Marketplace, follow these instructions: +1. Clone or download the files in this directory +2. Fill variables in the config.yaml(see below for variables descriptions). +3. Log into [Google Cloud Platform Console](https://console.cloud.google.com) +4. [Activate Cloud Shell](https://cloud.google.com/shell/docs/using-cloud-shell) +5. Set your Cloud Platform project in the Cloud Shell session use: + + gcloud config set project [PROJECT_ID] +6. Upload the content of the CloudGuardIaaS/gcp/deployment-packages/single-payg/ directory to the [cloud shell](https://cloud.google.com/shell/docs/uploading-and-downloading-files) +7. Launch deployment by running: + + gcloud deployment-manager deployments create [DEPLOYMENT_NAME] --config config.yaml +8. Make sure the deployment finished successfully.
Example of successful deployment output: + + The fingerprint of the deployment is NEBnvNbqOItDoLZrhYNo5Q== + Waiting for create [operation-1585065238276-5a19bc2792a32-becd058d-67862f39]...done. + Create operation operation-1585065238276-5a19bc2792a32-becd058d-67862f39 completed successfully. + NAME TYPE STATE ERRORS INTENT + gateway-config runtimeconfig.v1beta1.config COMPLETED [] + gateway-software runtimeconfig.v1beta1.waiter COMPLETED [] + gateway-vm compute.v1.instance COMPLETED [] + gateway-vm-address compute.v1.address COMPLETED [] + OUTPUTS VALUE + Deployment gateway + Instance gateway-single-vm + +## config.yaml variables +| Name | Description | Type | Allowed values | +| ------------- | ------------- | ------------- | ------------- | +| **zone** | The zone determines what computing resources are available and where your data is stored and used | string | List of allowed [Regions and Zones](https://cloud.google.com/compute/docs/regions-zones?_ga=2.31926582.-962483654.1585043745) | +| | | | | | +| **machineType** | Machine types determine the specifications of your machines, such as the amount of memory, virtual cores, and persistent disk limits an instance will have | string | [Learn more about Machine Types](https://cloud.google.com/compute/docs/machine-types?hl=en_US&_ga=2.267871494.-962483654.1585043745) | +| | | | | | +| **network** | The network determines what network traffic the instance can access | string | Available network in the chosen zone | +| | | | | | +| **Subnetwork** | Assigns the instance an IPv4 address from the subnetwork’s range. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. | string | Available subnetwork in the chosen network | +| | | | | | +| **network_enableTcp** | Allow TCP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **network_tcpSourceRanges** | Allow TCP traffic from the Internet | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009 [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **network_enableGwNetwork** | This is relevant for **Management** only. The network in which managed gateways reside | boolean | true;
false; | +| | | | | | +| **network_gwNetworkSourceRanges** | Allow TCP traffic from the Internet | string | Enter a valid IPv4 network CIDR (e.g. 0.0.0.0/0) | +| | | | | | +| **network_enableIcmp** | Allow ICMP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **network_icmpSourceRanges** | Source IP ranges for ICMP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **network_enableUdp** | Allow UDP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **network_udpSourceRanges** | Source IP ranges for UDP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **network_enableSctp** | Allow SCTP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **network_sctpSourceRanges** | Source IP ranges for SCTP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **network_enableEsp** | Allow ESP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **network_espSourceRanges** | Source IP ranges for ESP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **externalIP** | External IP address type | string | Static;
Ephemeral;
None;
An external IP address associated with this instance. Selecting "None" will result in the instance having no external internet access. [Learn more](https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address?_ga=2.259654658.-962483654.1585043745) | +| | | | | | +| **installationType** | Installation type and version | string | R80.30 Gateway only
R80.30 Management only
R80.30 Manual Configuration | +| | | | | | +| **diskType** | Disk type | string | pd-ssd;
pd-standard;
Storage space is much less expensive for a standard persistent disk. An SSD persistent disk is better for random IOPS or streaming throughput with low latency. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.66020774.-962483654.1585043745#overview_of_disk_types)| +| | | | | | +| **bootDiskSizeGb** | Disk size in GB | number | Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.232680471.-962483654.1585043745#pdperformance)| +| | | | | | +| **generatePassword** | Automatically generate an administrator password | boolean | true;
false; | +| | | | | | +| **allowUploadDownload** | Allow download from/upload to Check Point | boolean | true;
false; | +| | | | | | +| **enableMonitoring** | Enable Stackdriver monitoring | boolean | true;
false; | +| | | | | | +| **shell** | Admin shell | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh;
| +| | | | | | +| **instanceSSHKey** | Public SSH key for the user 'admin' | string | A valid public ssh key | +| | | | | | +| **sicKey** | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server | string | At least 8 alpha numeric characters.
If SIC is not provided and needed, a key will be automatically generated | +| | | | | | +| **managementGUIClientNetwork** | Allowed GUI clients | string | A valid IPv4 network CIDR (e.g. 0.0.0.0/0) | +| | | | | | +| **numAdditionalNICs** | Number of additional network interfaces | number | A number in the range 0 - 7.
Multiple network interfaces deployment is described in [sk121637 - Deploy a CloudGuard for GCP with Multiple Network Interfaces](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk121637) | +| | | | | | + +## Example + zone: "asia-east1-a" + machineType: "n1-standard-4" + network: "frontend-vpc" + subnetwork: "frontend" + network_enableTcp: true + network_tcpSourceRanges: "0.0.0.0/0" + network_enableGwNetwork: true + network_gwNetworkSourceRanges: "0.0.0.0/0" + network_enableIcmp: true + network_icmpSourceRanges: "0.0.0.0/0" + network_enableUdp: true + network_udpSourceRanges: "0.0.0.0/0" + network_enableSctp: false + network_sctpSourceRanges: "" + network_enableEsp: false + network_espSourceRanges: "" + externalIP: "Static" + installationType: "R80.30 Gateway only" + diskType: "pd-ssd" + bootDiskSizeGb: 100 + generatePassword: false + allowUploadDownload: true + enableMonitoring: false + shell: "/bin/bash" + instanceSSHKey: "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" + sicKey: "xxxxxxxx" + managementGUIClientNetwork: "0.0.0.0/0" + numAdditionalNICs: 1 + additionalNetwork1: "backend-vpc1" + additionalSubnetwork1: "backend1" + externalIP1": "None" + additionalNetwork2": "backend-vpc2" + additionalSubnetwork2": "backend2" + externalIP2": "None" + + + + +## Notes +See [sk147032](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk147032) for revision history \ No newline at end of file diff --git a/deprecated/gcp/R80.30/single-payg-R80.30/c2d_deployment_configuration.json b/deprecated/gcp/R80.30/single-payg-R80.30/c2d_deployment_configuration.json new file mode 100644 index 00000000..43f34062 --- /dev/null +++ b/deprecated/gcp/R80.30/single-payg-R80.30/c2d_deployment_configuration.json 
@@ -0,0 +1,7 @@
+{
+ "defaultDeploymentType": "SINGLE_VM",
+ "imageName": "check-point-r8110-gw-payg-single-335-985-v20220126",
+ "projectId": "checkpoint-public",
+ "templateName": "nonexistent_template",
+ "useSolutionPackage": "true"
+}
diff --git a/deprecated/gcp/R80.30/single-payg-R80.30/check-point-vsec--payg.py b/deprecated/gcp/R80.30/single-payg-R80.30/check-point-vsec--payg.py
new file mode 100644
index 00000000..0ac0bb28
--- /dev/null
+++ b/deprecated/gcp/R80.30/single-payg-R80.30/check-point-vsec--payg.py
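Review bot: `imageName` is `check-point-r8110-gw-payg-single-335-985-v20220126`, an R81.10 image, although this file lives in the single-payg-R80.30 package and the template that follows it maps its supported versions to `r8030` and `r8030-gw` image names in its VERSIONS table. If the R81.10 image is deliberate, the package README should say so, because a JSON file cannot carry a comment explaining it; if not, the value should be the R80.30 single-gateway PAYG image the package's own image list is built from. `templateName` set to `nonexistent_template` also reads like a leftover placeholder, although with `useSolutionPackage` true it may be ignored — worth confirming before this ships, even under deprecated/.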
@@ -0,0 +1,729 @@ +# Copyright 2016 Check Point Software LTD. +import common +import default +import images +import password + +GATEWAY = 'checkpoint-gateway' +MANAGEMENT = 'checkpoint-management' + +PROJECT = 'checkpoint-public' +LICENSE = 'payg' +LICENCE_TYPE = 'single' + +VERSIONS = { + 'R80.30': 'r8030', + 'R80.30-GW': 'r8030-gw' +} + +ADDITIONAL_NETWORK = 'additionalNetwork{}' +ADDITIONAL_SUBNET = 'additionalSubnetwork{}' +ADDITIONAL_EXTERNAL_IP = 'externalIP{}' +MAX_NICS = 8 + +TEMPLATE_NAME = 'single' +TEMPLATE_VERSION = '20220130' + +ATTRIBUTES = { + 'Gateway and Management (Standalone)': { + 'tags': [GATEWAY, MANAGEMENT], + 'description': 'Check Point Security Gateway and Management', + 'canIpForward': True, + }, + 'Management only': { + 'tags': [MANAGEMENT], + 'description': 'Check Point Security Management', + 'canIpForward': False, + }, + 'Gateway only': { + 'tags': [GATEWAY], + 'description': 'Check Point Security Gateway', + 'canIpForward': True, + }, + 'Manual Configuration': { + 'tags': [], + 'description': 'Check Point', + 'canIpForward': True, + } +} + +startup_script = ''' +#!/bin/bash + +generatePassword="$(echo {generatePassword} | tr 'TF' 'tf')" +allowUploadDownload="{allowUploadDownload}" + +echo "template_name: {templateName}" >> /etc/cloud-version +echo "template_version: {templateVersion}" >> /etc/cloud-version + +function get_router() {{ + local interface="$1" + local subnet_router_meta_path="computeMetadata/v1/instance/network-interfaces/$interface/gateway" + local router="$(get-cloud-data.sh ${{subnet_router_meta_path}})" + echo "${{router}}" +}} + +function set_mgmt_if() {{ + mgmtNIC="{mgmtNIC}" + local mgmt_int="eth0" + if [ "X$mgmtNIC" == "XEphemeral Public IP (eth0)" ]; then + mgmt_int="eth0" + elif [ "X$mgmtNIC" == "XPrivate IP (eth1)" ]; then + mgmt_int="eth1" + fi + local set_mgmt_if_out="$(clish -s -c "set management interface ${{mgmt_int}}")" + echo "${{set_mgmt_if_out}}" +}} + +function set_internal_static_routes() {{ + local 
private_cidrs='10.0.0.0/8 172.16.0.0/12 192.168.0.0/16' + #Define interface for internal networks and configure + local interface="$internalInterfaceNumber" + local router=$(get_router $interface) + clish -c 'lock database override' + #Configure static routes destined to internal networks, defined in the RFC 1918, through the internal interface + for cidr in ${{private_cidrs}}; do + echo "setting route to $cidr via gateway $router" + echo "running clish -c 'set static-route $cidr nexthop gateway address $router on' -s" + clish -c "set static-route $cidr nexthop gateway address $router on" -s + done +}} + +function create_dynamic_objects() {{ + local is_managment="$1" + local interfaces='eth0 eth1' + for interface in ${{interfaces}}; do + if ${{is_managment}}; then + dynamic_objects -n "LocalGateway" + dynamic_objects -n "LocalGatewayExternal" + dynamic_objects -n "LocalGatewayInternal" + else + local addr="$(ip addr show dev $interface | awk "/inet/{{print \$2; exit}}" | cut -d / -f 1)" + if [ "${{interface}}" == "eth0" ]; then + dynamic_objects -n "LocalGateway" -r "$addr" "$addr" -a + dynamic_objects -n "LocalGatewayExternal" -r "$addr" "$addr" -a + else + dynamic_objects -n "LocalGatewayInternal" -r "$addr" "$addr" -a + fi + fi + done +}} + + +function post_status() {{ + local is_success="$1" + local need_boot="$2" + local status + local value + local instance_id + + if "{hasInternet}" ; then + if "$is_success" ; then + status="success" + value="Success" + else + status="failure" + value="Failure" + fi + instance_id="$(get-cloud-data.sh computeMetadata/v1/instance/id)" + cat </etc/software-status + $FWDIR/scripts/gcp.py POST "{config_url}/variables" \ + --body '{{ + "name": "{config_path}/variables/status/$status/$instance_id", + "value": "$(echo $value | base64)" + }}' +EOF + fi + + create_dynamic_objects $installSecurityManagement + + if "$installSecurityGateway" ; then + + set_internal_static_routes + set_mgmt_if + + ########## + # DA Self update + + 
DAselfUpdateHappening=$(dbget installer:self_update_in_progress) + if [ "X$DAselfUpdateHappening" == "X1" ]; then + oldDApid=$(pidof DAService) + countdown=121 + while [ $((--countdown)) -gt 0 ] + do + sleep 1 + DApid=$(pidof DAService) + + if [ "${{DApid:-$oldDApid}}" -ne "$oldDApid" ]; then + break + fi + done + if [ $countdown -eq 0 ]; then + dbset installer:self_update_in_progress + fi + fi + + ########## + fi + + if [ "$installSecurityManagement" -a "Management only" = "{installationType}" ] ; then + public_ip="$(get-cloud-data.sh computeMetadata/v1/instance/network-interfaces/0/access-configs/0/external-ip)" + declare -i attempts=0 + declare -i max_attempts=80 + mgmt_cli -r true discard + result=$? + while [ $result -ne 0 ] && [ $attempts -lt $max_attempts ] + do + attempts=$attempts+1 + sleep 30 + mgmt_cli -r true discard + result=$? + done + generic_objects="$(mgmt_cli -r true show-generic-objects class-name com.checkpoint.objects.classes.dummy.CpmiHostCkp details-level full -f json)" + uid="$(echo $generic_objects | jq .objects | jq .[0] | jq .uid)" + if [ ! -z "$public_ip" ] && [ ! 
-z "${{uid:1:-1}}" ] ; then + mgmt_cli -r true set-generic-object uid $uid ipaddr $public_ip + fi + fi + + if "$need_boot" ; then + if [ "{enableMonitoring}" = "True" ] ; then + chkconfig --add gcp-statd + fi + shutdown -r now + else + service gcpd restart + if [ "{enableMonitoring}" = "True" ] ; then + chkconfig --add gcp-statd + service gcp-statd start + fi + fi +}} +clish -c 'set user admin shell {shell}' -s + +case "{installationType}" in +"Gateway only") + installSecurityGateway=true + gatewayClusterMember=false + installSecurityManagement=false + sicKey="{computed_sic_key}" + internalInterfaceNumber=1 + ;; +"Management only") + installSecurityGateway=false + installSecurityManagement=true + sicKey=notused + ;; +"Manual Configuration") + post_status true false + exit 0 + ;; +"Gateway and Management (Standalone)") + installSecurityGateway=true + installSecurityManagement=true + gatewayClusterMember=false + sicKey=notused + internalInterfaceNumber=1 + ;; +"Cluster") + installSecurityGateway=true + gatewayClusterMember=true + installSecurityManagement=false + sicKey="{sicKey}" + internalInterfaceNumber=2 + ;; +"AutoScale") + installSecurityGateway=true + gatewayClusterMember=false + installSecurityManagement=false + sicKey="{computed_sic_key}" + internalInterfaceNumber=1 + ;; +esac + +conf="install_security_gw=$installSecurityGateway" +if ${{installSecurityGateway}} ; then + conf="$conf&install_ppak=true" + blink_conf="gateway_cluster_member=$gatewayClusterMember" +fi +conf="$conf&install_security_managment=$installSecurityManagement" +if ${{installSecurityManagement}} ; then + if "$generatePassword" ; then + managementAdminPassword="$(get-cloud-data.sh \ + computeMetadata/v1/instance/attributes/adminPasswordSourceMetadata)" + conf="$conf&mgmt_admin_name=admin" + conf="$conf&mgmt_admin_passwd=$managementAdminPassword" + else + conf="$conf&mgmt_admin_radio=gaia_admin" + fi + + managementGUIClientNetwork="{managementGUIClientNetwork}" + 
conf="$conf&install_mgmt_primary=true" + + if [ "0.0.0.0/0" = "$managementGUIClientNetwork" ]; then + conf="$conf&mgmt_gui_clients_radio=any" + else + conf="$conf&mgmt_gui_clients_radio=network" + ManagementGUIClientBase="$(echo ${{managementGUIClientNetwork}} | \ + cut -d / -f 1)" + ManagementGUIClientMaskLength="$(echo ${{managementGUIClientNetwork}} | \ + cut -d / -f 2)" + conf="$conf&mgmt_gui_clients_ip_field=$ManagementGUIClientBase" + conf="$conf&mgmt_gui_clients_subnet_field=$ManagementGUIClientMaskLength" + fi + +fi + +blink_conf="$blink_conf&ftw_sic_key=$sicKey" +blink_conf="$blink_conf&download_info=$allowUploadDownload" +blink_conf="$blink_conf&upload_info=$allowUploadDownload" + +conf="$conf&$blink_conf" + +if "$generatePassword" ; then + blink_password="$(get-cloud-data.sh \ + computeMetadata/v1/instance/attributes/adminPasswordSourceMetadata)" +else + blink_password="$(dd if=/dev/urandom count=1 \ + 2>/dev/null | sha256sum | cut -c -28)" +fi +blink_conf="$blink_conf&admin_password_regular=$blink_password" + +if [ "Gateway only" = "{installationType}" ] || [ "Cluster" = "{installationType}" ] || [ "AutoScale" = "{installationType}" ]; then + config_cmd="blink_config -s $blink_conf" +else + config_cmd="config_system -s $conf" +fi + +if ${{config_cmd}} ; then + if "$installSecurityManagement" ; then + post_status true "$installSecurityGateway" + elif [ "Cluster" = "{installationType}" ] ; then + mgmt_subnet_gw="$(get-cloud-data.sh computeMetadata/v1/instance/network-interfaces/1/gateway)" + sed -i 's/__CLUSTER_PUBLIC_IP_NAME__/'"{primary_cluster_address_name}"'/g' /etc/fw/conf/gcp-ha.json + sed -i 's/__SECONDARY_PUBLIC_IP_NAME__/'"{secondary_cluster_address_name}"'/g' /etc/fw/conf/gcp-ha.json + clish -c 'set static-route '"{managementNetwork}"' nexthop gateway address '"$mgmt_subnet_gw"' on' -s + post_status true true + else + post_status true false + fi +else + post_status false false +fi + +''' + + +def set_name_and_truncate(primary, secondary, 
maxlength=62): + return '%s%s' % (primary[:maxlength - len(secondary)], secondary) + + +def MakeStaticAddress(vm_name, zone, ifnum=None): + """Creates a static IP address resource; returns it and the natIP.""" + if ifnum: + address_name = set_name_and_truncate(vm_name, + '-address-{}'.format(ifnum)) + else: + address_name = set_name_and_truncate(vm_name, '-address') + address_resource = { + 'name': address_name, + 'type': default.ADDRESS, + 'properties': { + 'name': address_name, + 'region': common.ZoneToRegion(zone), + }, + } + return address_resource, '$(ref.%s.address)' % address_name + + +def make_access_config(resources, vm_name, zone, static, index=None): + name = 'external-address' + if index: + name += '-{}'.format(index) + access_config = { + 'name': name, + 'type': default.ONE_NAT + } + if static: + address_resource, nat_ip = MakeStaticAddress(vm_name, zone, index) + resources.append(address_resource) + access_config['natIP'] = nat_ip + return access_config + + +def create_firewall_rules(prop, net_name, fw_rule_name_prefix, mgmt=False, + uid=''): + firewall_rules = [] + protocols = ['Icmp', 'Udp', 'Tcp', 'Sctp', 'Esp'] + if mgmt: + protocols.remove('Tcp') + for protocol in protocols: + proto = protocol.lower() + source_ranges = prop.get('network' + '_' + proto + 'SourceRanges', '') + protocol_enabled = prop.get('network' + '_enable' + protocol, '') + if protocol_enabled and source_ranges: + firewall_rules.append(make_firewall_rule( + proto, source_ranges, net_name, fw_rule_name_prefix, mgmt, + uid)) + return firewall_rules + + +def make_firewall_rule(protocol, source_ranges, + net_name, fw_rule_name_prefix, mgmt=False, uid=''): + ranges = [] + ranges_list = source_ranges.split(',') + for source_range in ranges_list: + ranges.append(source_range.replace(" ", "")) + fw_rule_name = fw_rule_name_prefix + '-' + protocol + if mgmt: + targetTags = [uid] + else: + targetTags = [GATEWAY] + firewall_rule = { + 'type': default.FIREWALL, + 'name': fw_rule_name, + 
'properties': { + 'network': 'global/networks/' + net_name, + 'sourceRanges': ranges, + 'targetTags': targetTags, + 'allowed': [{'IPProtocol': protocol}], + } + } + return firewall_rule + + +def generate_config(context): + """Creates the gateway.""" + prop = context.properties + prop['cloudguardVersion'], _, prop['installationType'] = prop[ + 'installationType'].partition(' ') + prop['templateName'] = TEMPLATE_NAME + prop['templateVersion'] = TEMPLATE_VERSION + prop['allowUploadDownload'] = str(prop['allowUploadDownload']).lower() + if not prop['managementGUIClientNetwork'] and prop['installationType'] in { + 'Gateway and Management (Standalone)', 'Management only'}: + raise Exception('Allowed GUI clients are required when installing ' + 'a management server') + for k in ['managementGUIClientNetwork']: + prop.setdefault(k, '') + resources = [] + outputs = [] + network_interfaces = [] + external_ifs = [] + zone = prop['zone'] + deployment = context.env['deployment'] + vm_name = set_name_and_truncate(deployment, '-vm') + access_configs = [] + if prop['externalIP'] != 'None': + access_config = make_access_config(resources, vm_name, zone, + 'Static' == prop['externalIP']) + access_configs.append(access_config) + external_ifs.append(0) + prop['hasInternet'] = 'true' + else: + prop['hasInternet'] = 'false' + network = common.MakeGlobalComputeLink(context, default.NETWORK) + networks = {prop['network']} + network_interface = { + 'network': network, + 'accessConfigs': access_configs, + } + if default.SUBNETWORK in prop: + network_interface['subnetwork'] = common.MakeSubnetworkComputeLink( + context, default.SUBNETWORK) + network_interfaces.append(network_interface) + for ifnum in range(1, prop['numAdditionalNICs'] + 1): + net = prop.get(ADDITIONAL_NETWORK.format(ifnum)) + subnet = prop.get(ADDITIONAL_SUBNET.format(ifnum)) + ext_ip = prop.get(ADDITIONAL_EXTERNAL_IP.format(ifnum)) + if not net or not subnet: + raise Exception( + 'Missing network parameters for interface 
{}'.format(ifnum)) + if net in networks: + raise Exception('Cannot use network "' + net + '" more than once') + networks.add(net) + net = ''.join([ + default.COMPUTE_URL_BASE, + 'projects/', context.env['project'], '/global/networks/', net]) + subnet = ''.join([ + default.COMPUTE_URL_BASE, + 'projects/', context.env['project'], + '/regions/', common.ZoneToRegion(zone), '/subnetworks/', subnet]) + network_interface = { + 'network': net, + 'subnetwork': subnet, + } + if 'None' != ext_ip: + external_ifs.append(ifnum) + access_config = make_access_config( + resources, vm_name, zone, 'Static' == ext_ip, ifnum + 1) + access_configs = [access_config] + network_interface['accessConfigs'] = access_configs + if not prop.get('hasInternet') or 'false' == prop['hasInternet']: + prop['hasInternet'] = 'true' + network_interfaces.append(network_interface) + for ifnum in range(prop['numAdditionalNICs'] + 1, MAX_NICS): + prop.pop(ADDITIONAL_NETWORK.format(ifnum), None) + prop.pop(ADDITIONAL_SUBNET.format(ifnum), None) + prop.pop(ADDITIONAL_EXTERNAL_IP.format(ifnum), None) + deployment_config = set_name_and_truncate(deployment, '-config') + prop['config_url'] = ('https://runtimeconfig.googleapis.com/v1beta1/' + + 'projects/' + context.env[ + 'project'] + '/configs/' + deployment_config) + prop['config_path'] = '/'.join(prop['config_url'].split('/')[-4:]) + prop['deployment_config'] = deployment_config + tags = ATTRIBUTES[prop['installationType']]['tags'] + uid = set_name_and_truncate(vm_name, '-' + password.GeneratePassword( + 8, False).lower()) + if prop['installationType'] == 'Gateway only': + prop['cloudguardVersion'] += '-GW' + if not prop.get('sicKey'): + prop['computed_sic_key'] = password.GeneratePassword(12, False) + else: + prop['computed_sic_key'] = prop['sicKey'] + else: + prop['computed_sic_key'] = 'N/A' + outputs.append({ + 'name': 'sicKey', + 'value': prop['computed_sic_key'], + }, ) + if 'gw' in VERSIONS[prop['cloudguardVersion']]: + license_name = 
"{}-{}".format(LICENSE, LICENCE_TYPE) + else: + license_name = LICENSE + family = '-'.join(['check-point', VERSIONS[prop['cloudguardVersion']], + license_name]) + formatter = common.DefaultFormatter() + gw = { + 'type': default.INSTANCE, + 'name': vm_name, + 'properties': { + 'description': ATTRIBUTES[prop['installationType']]['description'], + 'zone': zone, + 'tags': { + 'items': tags + [uid], + }, + 'machineType': common.MakeLocalComputeLink( + context, default.MACHINETYPE), + 'canIpForward': ATTRIBUTES[ + prop['installationType']]['canIpForward'], + 'networkInterfaces': network_interfaces, + 'disks': [{ + 'autoDelete': True, + 'boot': True, + 'deviceName': common.AutoName( + context.env['name'], default.DISK, 'boot'), + 'initializeParams': { + 'diskType': common.MakeLocalComputeLink( + context, default.DISKTYPE), + 'diskSizeGb': prop['bootDiskSizeGb'], + 'sourceImage': + 'projects/%s/global/images/%s' % ( + PROJECT, images.IMAGES[family]), + }, + 'type': 'PERSISTENT', + }], + 'metadata': { + 'items': [ + { + 'key': 'startup-script', + 'value': formatter.format(startup_script, **prop) + }, + ] + }, + 'serviceAccounts': [{ + 'email': 'default', + 'scopes': [ + 'https://www.googleapis.com/auth/monitoring.write' + ], + }] + } + } + if (prop['externalIP'] != 'None') and ( + 'Manual Configuration' != prop['installationType']): + gw['properties']['serviceAccounts'][0]['scopes'].append( + 'https://www.googleapis.com/auth/cloudruntimeconfig') + resources.append({ + 'name': deployment_config, + 'type': 'runtimeconfig.v1beta1.config', + 'properties': { + 'config': deployment_config, + 'description': ('Holds software readiness status ' + 'for deployment {}').format(deployment), + }, + }) + resources.append({ + 'name': set_name_and_truncate(deployment, '-software'), + 'type': 'runtimeconfig.v1beta1.waiter', + 'metadata': { + 'dependsOn': [], + }, + 'properties': { + 'parent': '$(ref.' 
+ deployment_config + '.name)', + 'waiter': 'software', + 'timeout': '1800s', + 'success': { + 'cardinality': { + 'number': 1, + 'path': 'status/success', + }, + }, + 'failure': { + 'cardinality': { + 'number': 1, + 'path': 'status/failure', + }, + }, + }, + }) + if 'instanceSSHKey' in prop: + gw['properties']['metadata']['items'].append( + { + 'key': 'instanceSSHKey', + 'value': prop['instanceSSHKey'] + } + ) + if prop['generatePassword']: + passwd = password.GeneratePassword(12, False) + gw['properties']['metadata']['items'].append( + { + 'key': 'adminPasswordSourceMetadata', + 'value': passwd + } + ) + else: + passwd = '' + resources.append(gw) + netlist = list(networks) + + if GATEWAY in tags: + for i in range(len(netlist)): + network = netlist[i] + fw_rule_name_prefix = set_name_and_truncate( + gen_fw_rule_name_deployment_network_prefix( + deployment, network), + '-allow-all-to-chkp-{}'.format(i + 1)) + firewall_rules = create_firewall_rules( + prop, network, fw_rule_name_prefix) + resources.extend(firewall_rules) + elif MANAGEMENT in tags: + for i in range(len(netlist)): + network = netlist[i] + source_ranges = prop['network_tcpSourceRanges'] + tcp_enabled = prop['network_enableTcp'] + gwNetwork_enabled = prop['network_enableGwNetwork'] + gwNetwork_source_range = prop['network_gwNetworkSourceRanges'] + if source_ranges and not tcp_enabled: + raise Exception( + 'Allowed source IP ranges for TCP traffic are provided ' + 'but TCP not marked as allowed') + if tcp_enabled and not source_ranges: + raise Exception('Allowed source IP ranges for TCP traffic' + ' are required when installing ' + 'a management server') + if not gwNetwork_enabled and gwNetwork_source_range: + raise Exception('Gateway network source IP are provided but ' + 'not marked as allowed.') + if gwNetwork_enabled and not gwNetwork_source_range: + raise Exception('Gateway network source IP is required in' + ' MGMT deployment.') + ranges_list = source_ranges.split(',') + gw_network_list = 
gwNetwork_source_range.split(',') + ranges = [] + gw_net_ranges = [] + for source_range in ranges_list: + ranges.append(source_range.replace(" ", "")) + for gw_net_range in gw_network_list: + gw_net_ranges.append(gw_net_range.replace(" ", "")) + if tcp_enabled: + if gwNetwork_enabled: + resources.append({ + 'type': 'compute.v1.firewall', + 'name': set_name_and_truncate( + gen_fw_rule_name_deployment_network_prefix( + deployment, network), + '-gateways-to-management-{}'.format(i + 1)), + 'properties': { + 'network': 'global/networks/' + network, + 'sourceRanges': list(set(gw_net_ranges + ranges)), + 'sourceTags': [GATEWAY], + 'targetTags': [uid], + 'allowed': [ + { + 'IPProtocol': 'tcp', + 'ports': ['257', '18191', '18210', '18264'] + }, + ], + } + }) + resources.append({ + 'type': 'compute.v1.firewall', + 'name': set_name_and_truncate( + gen_fw_rule_name_deployment_network_prefix(deployment, + network), + '-allow-gui-clients-{}'.format(i + 1)), + 'properties': { + 'network': 'global/networks/' + network, + 'sourceRanges': list(set(ranges)), + 'targetTags': [uid], + 'allowed': [ + { + 'IPProtocol': 'tcp', + 'ports': ['22', '443', '18190', '19009'] + }, + ], + } + }) + fw_rule_name_prefix = set_name_and_truncate( + gen_fw_rule_name_deployment_network_prefix( + deployment, network), + '-allow-all-to-chkp-{}'.format(i + 1)) + firewall_rules = create_firewall_rules( + prop, network, fw_rule_name_prefix, True, uid) + resources.extend(firewall_rules) + outputs += [ + { + 'name': 'deployment', + 'value': deployment + }, + { + 'name': 'project', + 'value': context.env['project'] + }, + { + 'name': 'vmName', + 'value': vm_name, + }, + { + 'name': 'vmId', + 'value': '$(ref.%s.id)' % vm_name, + }, + { + 'name': 'vmSelfLink', + 'value': '$(ref.%s.selfLink)' % vm_name, + }, + { + 'name': 'hasMultiExternalIPs', + 'value': 0 < len(external_ifs) and external_ifs != [0], + }, + { + 'name': 'additionalExternalIPs', + 'value': ', '.join([('$(ref.{}.networkInterfaces[{}].' 
+ + 'accessConfigs[0].natIP)').format( + vm_name, ifnum) for ifnum in external_ifs if ifnum]) + }, + { + 'name': 'vmInternalIP', + 'value': '$(ref.%s.networkInterfaces[0].networkIP)' % vm_name, + }, + { + 'name': 'password', + 'value': passwd + } + ] + return common.MakeResource(resources, outputs) + + +def gen_fw_rule_name_deployment_network_prefix(deployment_name, network_name): + return '{}-{}'. \ + format(deployment_name[:20], network_name[:16]) diff --git a/deprecated/gcp/R80.30/single-payg-R80.30/check-point-vsec--payg.py.schema b/deprecated/gcp/R80.30/single-payg-R80.30/check-point-vsec--payg.py.schema new file mode 100644 index 00000000..b153a8fd --- /dev/null +++ b/deprecated/gcp/R80.30/single-payg-R80.30/check-point-vsec--payg.py.schema 
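Review bot: The `-gateways-to-management-{}` rule in generate_config sets `'sourceRanges': list(set(gw_net_ranges + ranges))`, so the GUI-client ranges from `network_tcpSourceRanges` (which the preceding README example sets to `0.0.0.0/0`) are also admitted to the gateway-only ports 257/18191/18210/18264; since GCP matches either `sourceRanges` or `sourceTags`, this widens the SIC/log ports well beyond tagged gateways and the gateway networks, and the least-privilege form is `'sourceRanges': list(set(gw_net_ranges)),` with GUI clients left to the `-allow-gui-clients-{}` rule that follows. The `for k in ['managementGUIClientNetwork']: prop.setdefault(k, '')` guard is dead code, because `prop['managementGUIClientNetwork']` is already dereferenced with `[]` in the `if not ...` check two statements earlier; either move the `setdefault` above that check or drop it. Note also that the generated admin password is written to instance metadata as `adminPasswordSourceMetadata` and echoed back as the `password` output, and the SIC key is emitted as the `sicKey` output, so both secrets are readable by anyone who can describe the deployment or the instance; a module comment on `generate_config` stating this (`# Outputs expose the generated admin password and SIC key; restrict deployment/instance describe rights accordingly`) would make the trade-off explicit.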
@@ -0,0 +1,343 @@ +imports: + - path: check-point-vsec--payg.py + +info: + version: 1.0 + title: Check Point CloudGuard Network Security - PAYG Template + +required: + - zone + - machineType + - network + - diskType + - bootDiskSizeGb + - installationType + - allowUploadDownload + - shell + - managementGUIClientNetwork + - generatePassword + - enableMonitoring + - numAdditionalNICs + +properties: + zone: + type: string + default: us-central1-a + x-googleProperty: + type: GCE_ZONE + machineType: + type: string + default: n1-standard-4 + x-googleProperty: + type: GCE_MACHINE_TYPE + zoneProperty: zone + gceMachineType: + minCpu: 2 + minRamGb: 1.843000054359436 + network: + type: string + default: default + x-googleProperty: + type: GCE_NETWORK + subnetwork: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: network + network_enableTcp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: network + network_tcpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: network_enableTcp + network_enableGwNetwork: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: network + network_gwNetworkSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: network_enableGwNetwork + network_enableIcmp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: network + network_icmpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: network_enableIcmp + network_enableUdp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: network + network_udpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + 
gceFirewallRange: + firewallProperty: network_enableUdp + network_enableSctp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: network + network_sctpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: network_enableSctp + network_enableEsp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: network + network_espSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: network_enableEsp + diskType: + type: string + default: pd-ssd + x-googleProperty: + type: GCE_DISK_TYPE + zoneProperty: zone + bootDiskSizeGb: + type: integer + maximum: 1000 + default: 100 + minimum: 100 + x-googleProperty: + type: GCE_DISK_SIZE + gceDiskSize: + diskTypeProperty: diskType + installationType: + type: string + default: R81.10 Gateway only + enum: + - R80.30 Gateway only + - R80.30 Management only + - R80.30 Manual Configuration + allowUploadDownload: + type: boolean + default: True + shell: + type: string + default: /etc/cli.sh + enum: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + generatePassword: + type: boolean + default: False + enableMonitoring: + type: boolean + default: False + sicKey: + type: string + pattern: ^([a-z0-9A-Z]{8,30}|)$ + default: '' + managementGUIClientNetwork: + type: string + pattern: ^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$ + externalIP: + type: string + enum: + - Static + - Ephemeral + - None + default: Static + instanceSSHKey: + type: string + pattern: ^([0-9a-z\-]+ +[0-9A-Za-z/\+=]+( .*)?|)$ + default: '' + numAdditionalNICs: + type: integer + enum: + - 0 + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + minimum: 0 + maximum: 7 + default: 0 + additionalNetwork1: + type: string + x-googleProperty: + type: GCE_NETWORK + additionalSubnetwork1: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + 
zoneProperty: zone + gceSubnetwork: + networkProperty: additionalNetwork1 + externalIP1: + type: string + enum: + - Static + - Ephemeral + - None + default: None + additionalNetwork2: + type: string + x-googleProperty: + type: GCE_NETWORK + additionalSubnetwork2: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: additionalNetwork2 + externalIP2: + type: string + enum: + - Static + - Ephemeral + - None + default: None + additionalNetwork3: + type: string + x-googleProperty: + type: GCE_NETWORK + additionalSubnetwork3: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: additionalNetwork3 + externalIP3: + type: string + enum: + - Static + - Ephemeral + - None + default: None + additionalNetwork4: + type: string + x-googleProperty: + type: GCE_NETWORK + additionalSubnetwork4: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: additionalNetwork4 + externalIP4: + type: string + enum: + - Static + - Ephemeral + - None + default: None + additionalNetwork5: + type: string + x-googleProperty: + type: GCE_NETWORK + additionalSubnetwork5: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: additionalNetwork5 + externalIP5: + type: string + enum: + - Static + - Ephemeral + - None + default: None + additionalNetwork6: + type: string + x-googleProperty: + type: GCE_NETWORK + additionalSubnetwork6: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: additionalNetwork6 + externalIP6: + type: string + enum: + - Static + - Ephemeral + - None + default: None + additionalNetwork7: + type: string + x-googleProperty: + type: GCE_NETWORK + additionalSubnetwork7: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: 
additionalNetwork7 + externalIP7: + type: string + enum: + - Static + - Ephemeral + - None + default: None + +outputs: + deployment: + type: string + project: + type: string + vmId: + type: string + vmInternalIP: + type: string + hasMultiExternalIP: + type: boolean + additionalExternalIPs: + type: string + vmName: + type: string + vmSelfLink: + type: string + password: + type: string diff --git a/deprecated/gcp/R80.30/single-payg-R80.30/common.py b/deprecated/gcp/R80.30/single-payg-R80.30/common.py new file mode 100644 index 00000000..e123c502 --- /dev/null +++ b/deprecated/gcp/R80.30/single-payg-R80.30/common.py 
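Review bot: `installationType` declares `default: R81.10 Gateway only` but its `enum` lists only the three `R80.30 ...` values, so a deployment relying on the default fails schema validation, and even if validation were bypassed the template would raise at `VERSIONS[prop['cloudguardVersion']]`, which has no `R81.10` key; it should read `default: R80.30 Gateway only`. The output is declared as `hasMultiExternalIP` while the template emits `hasMultiExternalIPs`, so the declared output never matches a produced value; rename one side so they agree. `managementGUIClientNetwork` is listed under `required` and its `pattern` admits no empty string, yet the template only needs it for management installs, which forces gateway-only deployments to supply a GUI-client CIDR that is never used; either allow an empty alternative in the pattern (as `sicKey` already does) or drop it from `required`.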
@@ -0,0 +1,262 @@ +# Copyright 2015 Google Inc. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +"""Generic simple functions used for python based template generation.""" + +import re +import sys +import traceback +import default +import string + +import yaml + +RFC1035_RE = re.compile(r'^[a-z][-a-z0-9]{1,61}[a-z0-9]{1}$') + + +class Error(Exception): + """Common exception wrapper for template exceptions.""" + pass + + +class DefaultFormatter(string.Formatter): + """Returns default instead of key error when looking for keys. + + Used for startup-script which contains params from multiple deployments + whiles keys from one deployment may not be set in another. 
+ """ + def __init__(self, default=''): + self.default = default + def get_value(self, key, args, dict): + if isinstance(key, str): + return dict.get(key, self.default) + else: + return string.Formatter.get_value(key, args, dict) + + +def set_name_and_truncate(primary, secondary, maxlength=62): + return '%s%s' % (primary[:maxlength - len(secondary)], secondary) + + +def AddDiskResourcesIfNeeded(context): + """Checks context if disk resources need to be added.""" + if default.DISK_RESOURCES in context.properties: + return context.properties[default.DISK_RESOURCES] + else: + return [] + + +def AutoName(base, resource, *args): + """Helper method to generate names automatically based on default.""" + auto_name = '%s-%s' % (base, '-'.join(list(args) + [default.AKA[resource]])) + if not RFC1035_RE.match(auto_name): + raise Error('"%s" name for type %s does not match RFC1035 regex (%s)' % + (auto_name, resource, RFC1035_RE.pattern)) + return auto_name + + +def AutoRef(base, resource, *args): + """Helper method that builds a reference for an auto-named resource.""" + return Ref(AutoName(base, resource, *args)) + + +def OrderedItems(dict_obj): + """Convenient method to yield sorted iteritems of a dictionary.""" + keys = list(dict_obj.keys()) + keys.sort() + for k in keys: + yield (k, dict_obj[k]) + + +def ShortenZoneName(zone): + """Given a string that looks like a zone name, creates a shorter version.""" + geo, coord, number, letter = re.findall(r'(\w+)-(\w+)(\d)-(\w)', zone)[0] + geo = geo.lower() if len(geo) == 2 else default.LOC[geo.lower()] + coord = default.LOC[coord.lower()] + number = str(number) + letter = letter.lower() + return geo + '-' + coord + number + letter + + +def ZoneToRegion(zone): + """Derives the region from a zone name.""" + parts = zone.split('-') + if len(parts) != 3: + raise Error('Cannot derive region from zone "%s"' % zone) + return '-'.join(parts[:2]) + + +def FormatException(message): + """Adds more information to the exception.""" + message = 
('Exception Type: %s\n' + 'Details: %s\n' + 'Message: %s\n') % (sys.exc_info()[0], + traceback.format_exc(), message) + return message + + +def Ref(name): + return '$(ref.%s.selfLink)' % name + + +def RefGroup(name): + return '$(ref.%s.instanceGroup)' % name + + +def GlobalComputeLink(project, collection, name): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/global/', + collection, '/', name]) + +def GlobalNetworkLink(project, network): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/global/', + default.NETWORKS, '/', network]) + + +def LocalComputeLink(project, zone, key, value): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/zones/', + zone, '/', key, '/', value]) + + +def ReadContext(context, prop_key): + return (context.env['project'], context.properties.get('zone', None), + context.properties[prop_key]) + + +def MakeLocalComputeLink(context, key, zone=None): + if not zone: + project, zone, value = ReadContext(context, key) + else: + project, _, value = ReadContext(context, key) + + if IsComputeLink(value): + return value + else: + return LocalComputeLink(project, zone, key + 's', value) + + +def MakeGlobalComputeLink(context, key): + project, _, value = ReadContext(context, key) + if IsComputeLink(value): + return value + else: + return GlobalComputeLink(project, key + 's', value) + +def MakeRegionalSubnetworkLink(project, zone, subnet): + region = ZoneToRegion(zone) + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/regions/', + region, '/subnetworks/', subnet]) + + +def MakeSubnetworkComputeLink(context, key): + project, zone, value = ReadContext(context, key) + region = ZoneToRegion(zone) + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/regions/', + region, '/subnetworks/', value]) + + +def MakeFQHN(context, name): + return '%s.c.%s.internal' % (name, context.env['project']) + + +# TODO(victorg): Consider moving this method to a different file +def 
MakeC2DImageLink(name, dev_mode=False): + if IsGlobalProjectShortcut(name) or name.startswith('http'): + return name + else: + if dev_mode: + return 'global/images/%s' % name + else: + return GlobalComputeLink(default.C2D_IMAGES, 'images', name) + + +def IsGlobalProjectShortcut(name): + return name.startswith('projects/') or name.startswith('global/') + + +def IsComputeLink(name): + return (name.startswith(default.COMPUTE_URL_BASE) or + name.startswith(default.REFERENCE_PREFIX)) + + +def GetNamesAndTypes(resources_dict): + return [(d['name'], d['type']) for d in resources_dict] + + +def SummarizeResources(res_dict): + """Summarizes the name of resources per resource type.""" + result = {} + for res in res_dict: + result.setdefault(res['type'], []).append(res['name']) + return result + + +def ListPropertyValuesOfType(res_dict, prop, res_type): + """Lists all the values for a property of a certain type.""" + return [r['properties'][prop] for r in res_dict if r['type'] == res_type] + + +def MakeResource(resource_list, output_list=None): + """Wrapper for a DM template basic spec.""" + content = {'resources': resource_list} + if output_list: + content['outputs'] = output_list + return yaml.dump(content) + + +def TakeZoneOut(properties): + """Given a properties dictionary, removes the zone specific information.""" + + def _CleanZoneUrl(value): + value = value.split('/')[-1] if IsComputeLink(value) else value + return value + + for name in default.VM_ZONE_PROPERTIES: + if name in properties: + properties[name] = _CleanZoneUrl(properties[name]) + if default.ZONE in properties: + properties.pop(default.ZONE) + if default.BOOTDISK in properties: + properties[default.BOOTDISK] = _CleanZoneUrl(properties[default.BOOTDISK]) + if default.DISKS in properties: + for disk in properties[default.DISKS]: + # Don't touch references to other disks + if default.DISK_SOURCE in disk: + continue + if default.INITIALIZEP in disk: + disk_init = disk[default.INITIALIZEP] + if default.DISKTYPE 
in disk_init: + disk_init[default.DISKTYPE] = _CleanZoneUrl(disk_init[default.DISKTYPE]) + + +def GenerateEmbeddableYaml(yaml_string): + # Because YAML is a space delimited format, we need to be careful about + # embedding one YAML document in another. This function takes in a string in + # YAML format and produces an equivalent YAML representation that can be + # inserted into arbitrary points of another YAML document. It does so by + # printing the YAML string in a single line format. Consistent ordering of + # the string is also guaranteed by using yaml.dump. + yaml_object = yaml.load(yaml_string) + dumped_yaml = yaml.dump(yaml_object, default_flow_style=True) + return dumped_yaml + + +def FormatErrorsDec(func): + """Decorator to format exceptions if they get raised.""" + + def FormatErrorsWrap(context): + try: + return func(context) + except Exception as e: + raise Error(FormatException(e.message)) + + return FormatErrorsWrap diff --git a/deprecated/gcp/R80.30/single-payg-R80.30/config.yaml b/deprecated/gcp/R80.30/single-payg-R80.30/config.yaml new file mode 100644 index 00000000..a3edcb04 --- /dev/null +++ b/deprecated/gcp/R80.30/single-payg-R80.30/config.yaml 
@@ -0,0 +1,46 @@
+imports:
+- path: check-point-vsec--payg.py
+- path: common.py
+- path: default.py
+- path: password.py
+- path: images.py
+
+resources:
+- name: check-point-vsec--payg
+ type: check-point-vsec--payg.py
+ properties:
+ zone: "PLEASE ENTER A ZONE"
+ machineType: "PLEASE ENTER A MACHINE TYPE"
+ network: "PLEASE ENTER AN EXTERNAL NETWORK ID"
+ subnetwork: "PLEASE ENTER A SUBNETWORK ID"
+ network_enableTcp: "PLEASE ENTER true or false"
+ network_tcpSourceRanges: "PLEASE ENTER TCP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ network_enableIcmp: "PLEASE ENTER true or false"
+ network_icmpSourceRanges: "PLEASE ENTER ICMP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ network_enableUdp: "PLEASE ENTER true or false"
+ network_udpSourceRanges: "PLEASE ENTER UDP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ network_enableSctp: "PLEASE ENTER true or false"
+ network_sctpSourceRanges: "PLEASE ENTER SCTP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ network_enableEsp: "PLEASE ENTER true or false"
+ network_espSourceRanges: "PLEASE ENTER ESP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ externalIP: "PLEASE ENTER AN EXTERNAL IP ADDRESS TYPE"
+ installationType: "PLEASE ENTER AN INSTALLATION TYPE"
+ diskType: "PLEASE ENTER A DISK TYPE"
+ bootDiskSizeGb: "PLEASE ENTER A DISK SIZE"
+ generatePassword: "PLEASE ENTER true or false"
+ allowUploadDownload: "PLEASE ENTER true or false"
+ enableMonitoring: "PLEASE ENTER true or false"
+ shell: "PLEASE ENTER A SHELL"
+ instanceSSHKey: "PLEASE ENTER A VALID PUBLIC KEY"
+ sicKey: "PLEASE ENTER A SIC KEY"
+ managementGUIClientNetwork: "PLEASE ENTER A MANAGEMENT GUI CLIENT NETWORK"
+ numAdditionalNICs: "PLEASE ENTER A NUMBER OF ADDITIONAL NICS"
+ #Define additional NICs networks and subnetworks according the defined numAdditionalNICs value
+ #If there is no need in additional NICs remove additionalNetwork1 and additionalSubnetwork1 variables
+ additionalNetwork1: "PLEASE ENTER AN ADDITIONAL NETWORK1 ID"
+ additionalSubnetwork1: "PLEASE ENTER AN ADDITIONAL SUBNETWORK1 ID"
+outputs:
+- name: "Deployment"
+ value: $(ref.check-point-vsec--payg.deployment)
+- name: "Instance"
+ value: $(ref.check-point-vsec--payg.vmName)
\ No newline at end of file
diff --git a/deprecated/gcp/R80.30/single-payg-R80.30/default.py b/deprecated/gcp/R80.30/single-payg-R80.30/default.py
new file mode 100644
index 00000000..0c7dd919
--- /dev/null
+++ b/deprecated/gcp/R80.30/single-payg-R80.30/default.py
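Review bot: `sicKey: "PLEASE ENTER A SIC KEY"` and `instanceSSHKey` turn a filled-in copy of this config.yaml into a secret-bearing file, and nothing in the template says so; a comment above `sicKey:` such as `# sicKey is a one-time secret: keep the filled-in config out of version control` would make that explicit. The filled-in config is presumably also retained by Deployment Manager alongside the deployment, so the plaintext key outlives its single use; worth confirming and stating in the same comment. The two existing `#Define…`/`#If there is no need…` comment lines are missing the space after `#` and read `according the defined` where `according to the defined` is meant.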
@@ -0,0 +1,134 @@
+# Copyright 2015 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Convenience module to hold default constants for C2D components.
+
+There should not be any logic in this module. Its purpose is to simplify
+analysis of commonly used GCP and properties names and identify the names
+that were custom created for these modules.
+"""
+# Generic constants
+C2D_IMAGES = 'click-to-deploy-images'
+
+# URL constants
+COMPUTE_URL_BASE = 'https://www.googleapis.com/compute/v1/'
+
+# Deployment Manager constructs
+REFERENCE_PREFIX = '$(ref.'
+
+# Commonly used in properties namespace
+AUTO_DELETE = 'autoDelete'
+BOOTDISK = 'bootDiskType'
+BOOTDISKSIZE = 'bootDiskSizeGb'
+C_IMAGE = 'containerImage'
+DC_MANIFEST = 'dcManifest'
+DEPLOYMENT = 'DEPLOYMENT' # used in the deployment coordinator
+DISK_NAME = 'diskName'
+DISK_RESOURCES = 'addedDiskResources'
+DISK_SOURCE = 'source'
+ENDPOINT_NAME = 'serviceRegistryEndpointName'
+FIXED_GCLOUD = 'fixedGcloud'
+GENERATED_PROP = 'generatedProperties'
+INITIALIZEP = 'initializeParams'
+INSTANCE_NAME = 'instanceName'
+LOCAL_SSD = 'localSSDs'
+MAX_NUM = 'maxNumReplicas'
+NETWORKS = 'networks'
+NO_SCOPE = 'noScope'
+PROVIDE_BOOT = 'provideBoot'
+REPLICAS = 'replicas'
+SIZE = 'size'
+VM_COPIES = 'numberOfVMReplicas'
+ZONES = 'zones'
+
+# Common properties values (only official GCP values allowed here)
+EXTERNAL = 'External NAT'
+ONE_NAT = 'ONE_TO_ONE_NAT'
+
+# Common 1st level properties (only official GCP names allowed here)
+CAN_IP_FWD = 'canIpForward'
+CONTAINER = 'container'
+DCKRENV = 'dockerEnv'
+DCKRIMAGE = 'dockerImage'
+DEFAULT_SERVICE = 'defaultService'
+DEVICE_NAME = 'deviceName'
+DISKS = 'disks'
+DISK_SIZE = 'diskSizeGb'
+DISKTYPE = 'diskType'
+HEALTH_PATH = 'healthPath'
+HOST_RULES = 'hostRules'
+IP_PROTO = 'IPProtocol'
+MACHINETYPE = 'machineType'
+METADATA = 'metadata'
+NAME = 'name'
+NETWORK = 'network'
+NETWORKS = 'networks'
+SUBNETWORK = 'subnetwork'
+PATH_MATCHERS = 'pathMatchers'
+PORT = 'port'
+PROJECT = 'project'
+SERVICE = 'service'
+SERVICE_ACCOUNTS = 'serviceAccounts'
+SRCIMAGE = 'sourceImage'
+SRC_RANGES = 'sourceRanges'
+TAGS = 'tags'
+TYPE = 'type'
+VM_TEMPLATE = 'instanceTemplate'
+ZONE = 'zone'
+
+# Zone specfic VM properties
+VM_ZONE_PROPERTIES = [DISKTYPE, MACHINETYPE, BOOTDISK]
+
+# Resource type defaults names
+ADDRESS = 'compute.v1.address'
+AUTOSCALER = 'compute.v1.autoscaler'
+BACKEND_SERVICE = 'compute.v1.backendService'
+DISK = 'compute.v1.disk'
+ENDPOINT = 'serviceregistry.v1alpha.endpoint'
+FIREWALL = 'compute.v1.firewall'
+GF_RULE = 'compute.v1.globalForwardingRule'
+HEALTHCHECK = 'compute.v1.httpHealthCheck'
+IGM = 'compute.v1.instanceGroupManager'
+INSTANCE = 'compute.v1.instance'
+PROXY = 'compute.v1.targetHttpProxy'
+TEMPLATE = 'compute.v1.instanceTemplate'
+REGION_IGM = 'compute.v1.regionInstanceGroupManager'
+REGION_AUTOSCALER = 'compute.v1.regionAutoscaler'
+URL_MAP = 'compute.v1.urlMap'
+VPC='compute.v1.network'
+VPC_SUBNET='compute.v1.subnetwork'
+
+# Also Known As constants
+AKA = {
+ TEMPLATE: 'tmplt',
+ AUTOSCALER: 'as',
+ BACKEND_SERVICE: 'bes',
+ DISK: 'disk',
+ FIREWALL: 'fwall',
+ GF_RULE: 'ip',
+ HEALTHCHECK: 'hc',
+ INSTANCE: 'vm',
+ PROXY: 'tproxy',
+ IGM: 'igm',
+ URL_MAP: 'umap',
+}
+
+LOC = {
+ 'europe': 'eu',
+ 'asia': 'as',
+ 'central': 'c',
+ 'east': 'e',
+ 'west': 'w',
+ 'north': 'n',
+ 'south': 's',
+}
diff --git a/deprecated/gcp/R80.30/single-payg-R80.30/images.py b/deprecated/gcp/R80.30/single-payg-R80.30/images.py
new file mode 100644
index 00000000..2811fa30
--- /dev/null
+++ b/deprecated/gcp/R80.30/single-payg-R80.30/images.py
@@ -0,0 +1,10 @@
+IMAGES = {
+ "check-point-r8030-payg": "check-point-r8030-payg-200-773-v20201208",
+ "check-point-r8030-gw-payg-single": "check-point-r8030-gw-payg-single-273-904-v20210715",
+ "check-point-r8030-gw-payg-mig": "check-point-r8030-gw-payg-mig-273-904-v20210715",
+ "check-point-r8030-gw-payg-cluster": "check-point-r8030-gw-payg-cluster-273-904-v20210715",
+ "check-point-r8030-gw-byol-single": "check-point-r8030-gw-byol-single-273-904-v20210715",
+ "check-point-r8030-gw-byol-mig": "check-point-r8030-gw-byol-mig-273-904-v20210715",
+ "check-point-r8030-gw-byol-cluster": "check-point-r8030-gw-byol-cluster-273-904-v20210715",
+ "check-point-r8030-byol": "check-point-r8030-byol-200-773-v20201208"
+}
diff --git a/deprecated/gcp/R80.30/single-payg-R80.30/password.py b/deprecated/gcp/R80.30/single-payg-R80.30/password.py
new file mode 100644
index 00000000..273210a6
--- /dev/null
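Review bot: `NETWORKS = 'networks'` is assigned twice in this hunk, first under `# Commonly used in properties namespace` and again under `# Common 1st level properties`; the second assignment is a silent duplicate and one of them should go so that each name lives in exactly one section. `VPC='compute.v1.network'` and `VPC_SUBNET='compute.v1.subnetwork'` are the only assignments in the module without spaces around `=`; `VPC = 'compute.v1.network'` matches the rest. The comment `# Zone specfic VM properties` should read `# Zone specific VM properties`.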
+++ b/deprecated/gcp/R80.30/single-payg-R80.30/password.py 
@@ -0,0 +1,135 @@
+# Copyright 2015 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""A DM template that generates password as an output, namely "password".
+
+An example YAML showing how this template can be used:
+ resources:
+ - name: generated-password
+ type: password.py
+ properties:
+ length: 8
+ includeSymbols: true
+ - name: main-template
+ type: main-template.jinja
+ properties:
+ password: $(ref.generated-password.password)
+
+Input properties to this template:
+ - length: the length of the generated password. At least 8. Default 8.
+ - includeSymbols: true/false whether to include symbol chars. Default false.
+
+The generated password satisfies the following requirements:
+ - The length is as specified,
+ - Containing letters and numbers, and optionally symbols if specified,
+ - Starting with a letter,
+ - Containing characters from at least 3 of the 4 categories: uppercases,
+ lowercases, numbers, and symbols.
+
+"""
+
+import random
+import yaml
+
+PROPERTY_LENGTH = 'length'
+PROPERTY_INCLUDE_SYMBOLS = 'includeSymbols'
+
+# Note the omission of some hard to distinguish characters like I, l, 0, and O.
+UPPERS = 'ABCDEFGHJKLMNPQRSTUVWXYZ'
+LOWERS = 'abcdefghijkmnopqrstuvwxyz'
+ALPHABET = UPPERS + LOWERS
+DIGITS = '123456789'
+ALPHANUMS = ALPHABET + DIGITS
+# Including only symbols that can be passed around easily in shell scripts.
+SYMBOLS = '*-+.'
+
+CANDIDATES_WITH_SYMBOLS = ALPHANUMS + SYMBOLS
+CANDIDATES_WITHOUT_SYMBOLS = ALPHANUMS
+
+CATEGORIES_WITH_SYMBOLS = [UPPERS, LOWERS, DIGITS, SYMBOLS]
+CATEGORIES_WITHOUT_SYMBOLS = [UPPERS, LOWERS, DIGITS]
+
+MIN_LENGTH = 8
+
+
+class InputError(Exception):
+ """Raised when input properties are unexpected."""
+
+
+def GenerateConfig(context):
+ """Entry function to generate the DM config."""
+ props = context.properties
+ length = props.setdefault(PROPERTY_LENGTH, MIN_LENGTH)
+ include_symbols = props.setdefault(PROPERTY_INCLUDE_SYMBOLS, False)
+
+ if not isinstance(include_symbols, bool):
+ raise InputError('%s must be a boolean' % PROPERTY_INCLUDE_SYMBOLS)
+
+ content = {
+ 'resources': [],
+ 'outputs': [{
+ 'name': 'password',
+ 'value': GeneratePassword(length, include_symbols)
+ }]
+ }
+ return yaml.dump(content)
+
+
+def GeneratePassword(length=8, include_symbols=False):
+ """Generates a random password."""
+ if length < MIN_LENGTH:
+ raise InputError('Password length must be at least %d' % MIN_LENGTH)
+
+ candidates = (CANDIDATES_WITH_SYMBOLS if include_symbols
+ else CANDIDATES_WITHOUT_SYMBOLS)
+ categories = (CATEGORIES_WITH_SYMBOLS if include_symbols
+ else CATEGORIES_WITHOUT_SYMBOLS)
+
+ # Generates up to the specified length minus the number of categories.
+ # Then inserts one character for each category, ensuring that the character
+ # satisfy the category if the generated string hasn't already.
+ generated = ([random.choice(ALPHABET)] +
+ [random.choice(candidates)
+ for _ in range(length - 1 - len(categories))])
+ for category in categories:
+ _InsertAndEnsureSatisfaction(generated, category, candidates)
+ return ''.join(generated)
+
+
+def _InsertAndEnsureSatisfaction(generated, required, all_candidates):
+ """Inserts 1 char into generated, satisfying required if not already.
+
+ If the required characters are not already in the generated string, one will
+ be inserted. If any required character is already in the generated string, a
+ random character from all_candidates will be inserted. The insertion happens
+ at a random location but not at the beginning.
+
+ Args:
+ generated: the string to be modified.
+ required: list of required characters to check for.
+ all_candidates: list of characters to choose from if the required characters
+ are already satisfied.
+ """
+ if set(generated).isdisjoint(required):
+ # Not yet satisfied. Insert a required candidate.
+ _InsertInto(generated, required)
+ else:
+ # Already satisfied. Insert any candidate.
+ _InsertInto(generated, all_candidates)
+
+
+def _InsertInto(generated, candidates):
+ """Inserts a random candidate into a random non-zero index of generated."""
+ # Avoids inserting at index 0, since the first character follows its own rule.
+ generated.insert(random.randint(1, len(generated) - 1),
+ random.choice(candidates))
diff --git a/deprecated/gcp/R80.40-R81/autoscale-byol/README.md b/deprecated/gcp/R80.40-R81/autoscale-byol/README.md
new file mode 100644
index 00000000..d11c9a1b
--- /dev/null
+++ b/deprecated/gcp/R80.40-R81/autoscale-byol/README.md
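Review bot: `GeneratePassword` and `_InsertInto` pick every character with the module-level `random` (`random.choice`, `random.randint`), which is not a cryptographic generator, and this patch uses the result as credentials: check-point-autoscale--byol.py stores `password.GeneratePassword(12, False)` as the `adminPasswordSourceMetadata` value and as `computed_sic_key`. Route all four call sites through one `random.SystemRandom()` instance, which reads OS entropy, keeps the `choice`/`randint` interface and works on both Python 2.7 and 3, as sketched below. Separately, `length` comes from `props.setdefault(PROPERTY_LENGTH, MIN_LENGTH)` with no type check, so a string value reaches `length < MIN_LENGTH` and surfaces as a TypeError (on Python 2 it passes the comparison silently and fails later in `range`) rather than as the `InputError` the module raises for `includeSymbols`; add `if not isinstance(length, int): raise InputError('%s must be an integer' % PROPERTY_LENGTH)` next to the existing boolean check in `GenerateConfig`.
```python
import random
# … unchanged: yaml import, PROPERTY_* and character-set constants …

# OS-entropy generator: the module-level random functions are seeded from a
# small state and their output is reproducible, so they must not produce secrets.
_SECURE_RANDOM = random.SystemRandom()

# … unchanged: MIN_LENGTH, InputError, GenerateConfig …

    generated = ([_SECURE_RANDOM.choice(ALPHABET)] +
                 [_SECURE_RANDOM.choice(candidates)
                  for _ in range(length - 1 - len(categories))])
    # … unchanged: category insertion loop and return …

    generated.insert(_SECURE_RANDOM.randint(1, len(generated) - 1),
                     _SECURE_RANDOM.choice(candidates))
```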
@@ -0,0 +1,126 @@ +# GCP Deployment Manager package for Check Point Autoscaling BYOL solution +This directory contains CloudGuard IaaS deployment package for Check Point Autoscaling (BYOL) solution published in the [GCP Marketplace](https://console.cloud.google.com/marketplace/details/checkpoint-public/check-point-autoscaling-byol). + +# How to deploy the package manually +To deploy the Deployment Manager's package manually, without using the GCP Marketplace, follow these instructions: +1. Clone or download the files in this directory +2. Fill variables in the config.yaml(see below for variables descriptions). +3. Log into [Google Cloud Platform Console](https://console.cloud.google.com) +4. [Activate Cloud Shell](https://cloud.google.com/shell/docs/using-cloud-shell) +5. Set your Cloud Platform project in the Cloud Shell session use: + + gcloud config set project [PROJECT_ID] +6. Upload the content of the CloudGuardIaaS/gcp/deployment-packages/autoscale-byol/ directory to the [cloud shell](https://cloud.google.com/shell/docs/uploading-and-downloading-files) +7. Launch deployment by running: + + gcloud deployment-manager deployments create [DEPLOYMENT_NAME] --config config.yaml +8. Make sure the deployment finished successfully.
Example of successful deployment output: + + The fingerprint of the deployment is h8R2exQYuc4bzlO14boUhg== + Waiting for create [operation-1585217870871-5a1bf4c15b9ea-f8d824d5-1089cc78]...done. + Create operation operation-1585217870871-5a1bf4c15b9ea-f8d824d5-1089cc78 completed successfully. + NAME TYPE STATE ERRORS INTENT + mig-as compute.v1.regionAutoscaler COMPLETED [] + mig-igm compute.v1.regionInstanceGroupManager COMPLETED [] + mig-vpc-icmp compute.v1.firewall COMPLETED [] + mig-vpc-udp compute.v1.firewall COMPLETED [] + mig-tmplt compute.v1.instanceTemplate COMPLETED [] + OUTPUTS VALUE + Deployment autoscale + Managed instance group https://www.googleapis.com/compute/v1/projects/checkpoint/regions/asia-east1/instanceGroups/autoscale-igm + Minimum instances 2 + Maximum instances 10 + Target CPU usage 60% + +## config.yaml variables +| Name | Description | Type | Allowed values | +| ------------- | ------------- | ------------- | ------------- | +| **autoscalingVersion** | Autoscaling Version | string | R80.40 Autoscaling;
R81.00 Autoscaling;
R81.10 Autoscaling;
R81.20 Autoscaling;| +| | | | | | +| **managementName** | Security Management Server name | string | The name of the Security Management Server as appears in autoprovisioning configuration | +| | | | | | +| **AutoProvTemplate** | Configuration template name | string | Specify the provisioning configuration template name (for autoprovisioning) | +| | | | | | +| **instanceSSHKey** | Public SSH key for the user 'admin' | string | A valid public ssh key | +| | | | | | +| **mgmtNIC** | Management Interface | string | Ephemeral Public IP (eth0)
; Private IP (eth1); | +| | | | | | +| **networkDefinedByRoutes** | Networks behind the Internal interface will be defined by routes.
Set eth1 topology to define the networks behind this interface by the routes configured on the gateway | boolean | true;
false; | +| | | | | | +| **shell** | Admin shell | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh;
| +| | | | | | +| **allowUploadDownload** | Allow download from/upload to Check Point | boolean | true;
false; | +| | | | | | +| **zone** | The zone determines what computing resources are available and where your data is stored and used | string | List of allowed [Regions and Zones](https://cloud.google.com/compute/docs/regions-zones?_ga=2.31926582.-962483654.1585043745) | +| | | | | | +| **networks** | The external networks ID in which the gateways will reside and internal networks ID in which application servers reside. | list(string) | Available network in the chosen zone | +| | | | | | +| **subnetworks** | External and Internal subnet ID. Assigns the instance an IPv4 address from the subnetwork’s range. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. | list(string) | Available subnetwork in the chosen network | +| | | | | | +| **enableIcmp** | Allow ICMP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **icmpSourceRanges** | Source IP ranges for ICMP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **enableTcp** | Allow TCP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **tcpSourceRanges** | Allow TCP traffic from the Internet | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009 [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **enableUdp** | Allow UDP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **udpSourceRanges** | Source IP ranges for UDP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **enableSctp** | Allow SCTP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **sctpSourceRanges** | Source IP ranges for SCTP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **enableEsp** | Allow ESP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **espSourceRanges** | Source IP ranges for ESP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **machineType** | Machine types determine the specifications of your machines, such as the amount of memory, virtual cores, and persistent disk limits an instance will have | string | [Learn more about Machine Types](https://cloud.google.com/compute/docs/machine-types?hl=en_US&_ga=2.267871494.-962483654.1585043745) | +| | | | | | +| **cpuUsage** | Target CPU usage (%).
Autoscaling adds or removes instances in the group to maintain this level of CPU usage on each instance | number | A number in the range 10 - 90 | +| | | | | | +| **minInstances** | Minimum number of instances | number | A number in the range 1 and the maximum number of instances | +| | | | | | +| **maxInstances** | Maximum number of instances | number | A number in the range the minimum number of instances and infinity | +| | | | | | +| **diskType** | Disk type | string | pd-ssd;
pd-standard;
Storage space is much less expensive for a standard persistent disk. An SSD persistent disk is better for random IOPS or streaming throughput with low latency. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.66020774.-962483654.1585043745#overview_of_disk_types)| +| | | | | | +| **bootDiskSizeGb** | Disk size in GB | number | Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.232680471.-962483654.1585043745#pdperformance)| +| | | | | | +| **enableMonitoring** | Enable Stackdriver monitoring | boolean | true;
false; | +| | | | | | + +## Example + autoscalingVersion: "R81.10 Autoscaling" + managementName: "mgmt" + AutoProvTemplate: "template" + instanceSSHKey: "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" + mgmtNIC: "Ephemeral Public IP (eth0)" + networkDefinedByRoutes: true + shell: "/bin/bash" + allowUploadDownload: true + zone: "asia-east1-a" + networks: ["external-vpc", "internal-vpc"] + subnetworks: ["frontend", "backend"] + enableIcmp: true + icmpSourceRanges: "0.0.0.0/0" + enableTcp: false + tcpSourceRanges: "" + enableUdp: true + udpSourceRanges: "0.0.0.0/0" + enableSctp: false + sctpSourceRanges: "" + enableEsp: false + espSourceRanges: "" + machineType: "n1-standard-4" + cpuUsage: 60 + minInstances: 2 + maxInstances: 10 + diskType: "pd-ssd" + bootDiskSizeGb: 100 + enableMonitoring: false + +## Notes +See [sk147032](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk147032) for revision history diff --git a/deprecated/gcp/R80.40-R81/autoscale-byol/c2d_deployment_configuration.json b/deprecated/gcp/R80.40-R81/autoscale-byol/c2d_deployment_configuration.json new file mode 100644 index 00000000..67d45592 --- /dev/null +++ b/deprecated/gcp/R80.40-R81/autoscale-byol/c2d_deployment_configuration.json @@ -0,0 +1,7 @@ +{ + "defaultDeploymentType": "MULTI_VM", + "imageName": "check-point-r8120-gw-byol-mig-631-991001475-v20231221", + "projectId": "checkpoint-public", + "templateName": "nonexistent_template", + "useSolutionPackage": "true" +} diff --git a/deprecated/gcp/R80.40-R81/autoscale-byol/check-point-autoscale--byol.py b/deprecated/gcp/R80.40-R81/autoscale-byol/check-point-autoscale--byol.py new file mode 100644 index 00000000..0c65f374 --- /dev/null +++ b/deprecated/gcp/R80.40-R81/autoscale-byol/check-point-autoscale--byol.py 
@@ -0,0 +1,381 @@ +# Copyright 2016 Check Point Software LTD. + +import common +import default +import images +import password + +GATEWAY = 'checkpoint-gateway' +PROJECT = 'checkpoint-public' +LICENSE = 'byol' +LICENCE_TYPE = 'mig' + +VERSIONS = { + 'R80.40-GW': 'r8040-gw', + 'R81-GW': 'r81-gw', + 'R81.10-GW': 'r8110-gw', + 'R81.20-GW': 'r8120-gw' +} + +TEMPLATE_NAME = 'autoscale' +TEMPLATE_VERSION = '20231221' + +startup_script = ''' +#cloud-config +runcmd: + - 'python3 /etc/cloud_config.py "generatePassword=\\"{generatePassword}\\"" "allowUploadDownload=\\"{allowUploadDownload}\\"" "templateName=\\"{templateName}\\"" "templateVersion=\\"{templateVersion}\\"" "mgmtNIC=\\"{mgmtNIC}\\"" "hasInternet=\\"{hasInternet}\\"" "config_url=\\"{config_url}\\"" "config_path=\\"{config_path}\\"" "installationType=\\"{installationType}\\"" "enableMonitoring=\\"{enableMonitoring}\\"" "shell=\\"{shell}\\"" "computed_sic_key=\\"{computed_sic_key}\\"" "sicKey=\\"{sicKey}\\"" "managementGUIClientNetwork=\\"{managementGUIClientNetwork}\\"" "primary_cluster_address_name=\\"{primary_cluster_address_name}\\"" "secondary_cluster_address_name=\\"{secondary_cluster_address_name}\\"" "managementNetwork=\\"{managementNetwork}\\"" "numAdditionalNICs=\\"{numAdditionalNICs}\\"" "smart1CloudToken=\\"{smart1CloudToken}\\"" "name=\\"{name}\\"" "zone=\\"{zoneConfig}\\"" "region=\\"{region}\\"" "osVersion=\\"{osVersion}\\"" "MaintenanceModePassword=\\"{maintenanceMode}\\""' +''' + + +def make_nic(context, net_name, subnet, external_ip=False): + prop = context.properties + network_interface = { + 'kind': 'compute#networkInterface', + 'network': common.GlobalNetworkLink(prop['project'], net_name) + } + if subnet: + network_interface["subnetwork"] = common.MakeRegionalSubnetworkLink( + prop['project'], prop['zone'], subnet) + # add ephemeral public IP address + if external_ip: + network_interface["accessConfigs"] = \ + [make_access_config(name="external-nat")] + return network_interface + + +def 
create_nics(context): + prop = context.properties + firewall_rules = create_firewall_rules(context) + if firewall_rules: + prop['resources'].extend(firewall_rules) + networks = prop.setdefault('networks', ['default']) + subnetworks = prop.get('subnetworks', []) + nics = [] + for i in range(len(networks)): + name = networks[i] + subnet = '' + external_ip = prop.get('gatewayExternalIP') and i == 0 + if subnetworks and i < len(subnetworks) and subnetworks[i]: + subnet = subnetworks[i] + network_interface = make_nic(context, name, subnet, external_ip) + nics.append(network_interface) + return nics + + +def create_firewall_rules(context): + prop = context.properties + deployment = prop['deployment'] + network = prop.setdefault('networks', ['default'])[0] + firewall_rules = [] + protocols = ['Icmp', 'Udp', 'Tcp', 'Sctp', 'Esp'] + for protocol in protocols: + proto = protocol.lower() + source_ranges = prop.get(proto + 'SourceRanges', '') + protocol_enabled = prop.get('enable' + protocol, '') + if protocol_enabled and source_ranges: + firewall_rules.append(make_firewall_rule( + proto, source_ranges, deployment, network)) + return firewall_rules + + +def make_firewall_rule(protocol, source_ranges, deployment, net_name): + fw_rule_name = '%s-%s-%s' % (deployment[:34], net_name[:22], protocol) + ranges = [] + ranges_list = source_ranges.split(',') + for source_range in ranges_list: + ranges.append(source_range.replace(" ", "")) + firewall_rule = { + 'type': default.FIREWALL, + 'name': fw_rule_name, + 'properties': { + 'network': 'global/networks/' + net_name, + 'sourceRanges': ranges, + 'targetTags': [GATEWAY], + 'allowed': [{'IPProtocol': protocol}] + } + } + return firewall_rule + + +def create_instance_template(context, + name, + nics, + depends_on=None, + gw_version=VERSIONS['R81.20-GW']): + if 'gw' in gw_version: + license_name = "{}-{}".format(LICENSE, LICENCE_TYPE) + else: + license_name = LICENSE + family = '-'.join(['check-point', gw_version, license_name]) + 
formatter = common.DefaultFormatter() + instance_template_name = common.AutoName(name, default.TEMPLATE) + instance_template = { + "type": default.TEMPLATE, + "name": instance_template_name, + 'metadata': { + 'dependsOn': depends_on + }, + "properties": { + "project": context.properties['project'], + "properties": { + "canIpForward": True, + "disks": [{"autoDelete": True, + "boot": True, + "deviceName": common.set_name_and_truncate( + context.properties['deployment'], + '-{}-boot'.format(name)), + "index": 0, + "initializeParams": { + "diskType": + context.properties['diskType'], + "diskSizeGb": + context.properties['bootDiskSizeGb'], + "sourceImage": + 'projects/%s/global/images/%s' % ( + PROJECT, images.IMAGES[family]) + }, + "kind": 'compute#attachedDisk', + "mode": "READ_WRITE", + "type": "PERSISTENT"}], + "machineType": context.properties['machineType'], + "networkInterfaces": nics, + 'metadata': { + "kind": 'compute#metadata', + 'items': [ + { + 'key': 'startup-script', + 'value': formatter.format( + startup_script, **context.properties) + }, + { + 'key': 'serial-port-enable', + 'value': 'true' + } + ]}, + "scheduling": { + "automaticRestart": True, + "onHostMaintenance": "MIGRATE", + "preemptible": False + }, + "serviceAccounts": [ + { + "email": "default", + "scopes": [ + "https://www.googleapis.com/" + + "auth/devstorage.read_only", + "https://www.googleapis.com/auth/logging.write", + "https://www.googleapis.com/auth/monitoring.write", + "https://www.googleapis.com/auth/pubsub", + "https://www.googleapis.com/" + + "auth/service.management.readonly", + "https://www.googleapis.com/auth/servicecontrol", + "https://www.googleapis.com/auth/trace.append" + ] + }], + "tags": { + "items": [ + 'x-chkp-management--{}'. + format(context.properties['managementName']), + 'x-chkp-template--{}'. 
+ format(context.properties['AutoProvTemplate']), + 'checkpoint-gateway' + ] + } + } + } + } + tagItems = instance_template['properties']['properties']['tags']['items'] + if context.properties['mgmtNIC'] == 'Ephemeral Public IP (eth0)': + tagItems.append("x-chkp-ip-address--public") + tagItems.append("x-chkp-management-interface--eth0") + elif context.properties['mgmtNIC'] == 'Private IP (eth1)': + tagItems.append("x-chkp-ip-address--private") + tagItems.append("x-chkp-management-interface--eth1") + if context.properties['networkDefinedByRoutes']: + tagItems.append("x-chkp-topology-eth1--internal") + tagItems.append("x-chkp-topology-settings-eth1" + "--network-defined-by-routes") + metadata = instance_template['properties']['properties']['metadata'] + if 'instanceSSHKey' in context.properties: + metadata['items'].append( + { + 'key': 'instanceSSHKey', + 'value': context.properties['instanceSSHKey'] + } + ) + passwd = '' + if context.properties['generatePassword']: + passwd = password.GeneratePassword(12, False) + metadata['items'].append( + { + 'key': 'adminPasswordSourceMetadata', + 'value': passwd + } + ) + return instance_template, passwd + + +def GenerateAutscaledGroup(context, name, + instance_template, depends_on=None): + prop = context.properties + igm_name = common.AutoName(name, default.IGM) + depends_on = depends_on + resource = { + 'name': igm_name, + 'metadata': { + 'dependsOn': depends_on + }, + 'type': default.REGION_IGM, + 'properties': { + 'region': common.ZoneToRegion(prop.get("zone")), + 'baseInstanceName': name, + 'instanceTemplate': '$(ref.' 
+ instance_template + '.selfLink)', + 'targetSize': prop.get("minInstances"), + # 'autoHealingPolicies': [{ + # 'initialDelaySec': 60 + # }] + } + } + return resource + + +def CreateAutscaler(context, name, + igm, cpu_usage, depends_on=None): + prop = context.properties + autoscaler_name = common.AutoName(name, default.AUTOSCALER) + depends_on = depends_on + cpu_usage = float(cpu_usage) / 100 + resource = { + 'name': autoscaler_name, + 'metadata': { + 'dependsOn': depends_on + }, + 'type': default.REGION_AUTOSCALER, + 'properties': { + 'target': '$(ref.' + igm + '.selfLink)', + 'region': common.ZoneToRegion(prop.get("zone")), + 'autoscalingPolicy': { + 'minNumReplicas': int(prop.get("minInstances")), + 'maxNumReplicas': int(prop.get("maxInstances")), + 'cpuUtilization': { + 'utilizationTarget': cpu_usage + }, + 'coolDownPeriodSec': 90 + } + } + } + return resource + + +def make_access_config(name=None): + access_config = { + 'type': default.ONE_NAT, + "kind": 'compute#accessConfig' + } + if name: + access_config['name'] = name + return access_config + + +def validate_region(test_zone, valid_region): + test_region = common.ZoneToRegion(test_zone) + if test_region != valid_region: + err_msg = '{} is in region {}. All subnets must be ' + \ + 'in the same region ({})' + raise common.Error( + err_msg.format(test_zone, test_region, valid_region) + ) + + +@common.FormatErrorsDec +def generate_config(context): + # This method will: + # 1. Create a instance template for a security GW + # (with a tag for the managing security server) + # 2. Create a managed instance group + # (based on the instance template and zones list provided by the user) + # 3. 
Configure autoscaling + # (based on min, max & policy settings provided by the user) + prop = context.properties + prop['deployment'] = context.env['deployment'] + prop['project'] = context.env['project'] + prop['templateName'] = TEMPLATE_NAME + prop['templateVersion'] = TEMPLATE_VERSION + prop['allowUploadDownload'] = str(prop['allowUploadDownload']).lower() + prop['hasInternet'] = 'true' # via Google Private Access + prop['installationType'] = 'AutoScale' + prop['resources'] = [] + prop['outputs'] = [] + prop['gw_dependencies'] = [] + prop['computed_sic_key'] = password.GeneratePassword(12, False) + prop['gatewayExternalIP'] = (prop['mgmtNIC'] == + 'Ephemeral Public IP (eth0)') + version_chosen = prop['autoscalingVersion'].split(' ')[0] + "-GW" + prop['osVersion'] = prop['autoscalingVersion'].split(' ')[0].replace( + ".", "") + nics = create_nics(context) + gw_template, passwd = create_instance_template(context, + prop['deployment'], + nics, + depends_on=prop[ + 'gw_dependencies'], + gw_version=VERSIONS[ + version_chosen]) + prop['resources'] += [gw_template] + prop['igm_dependencies'] = [gw_template['name']] + igm = GenerateAutscaledGroup(context, + prop['deployment'], + gw_template['name'], + prop['igm_dependencies']) + prop['resources'] += [igm] + prop['autoscaler_dependencies'] = [igm['name']] + cpu_usage = prop.get("cpuUsage") + autoscaler = CreateAutscaler(context, + prop['deployment'], + igm['name'], + cpu_usage, + prop['autoscaler_dependencies']) + prop['resources'] += [autoscaler] + prop['outputs'] += [ + { + 'name': 'deployment', + 'value': prop['deployment'] + }, + { + 'name': 'project', + 'value': prop['project'] + }, + { + 'name': 'instanceTemplateName', + 'value': gw_template['name'] + }, + { + 'name': 'InstanceTemplateLink', + 'value': common.Ref(gw_template['name']) + }, + { + 'name': 'IGMname', + 'value': igm['name'] + }, + { + 'name': 'IGMLink', + 'value': common.RefGroup(igm['name']) + }, + { + 'name': 'cpuUsagePercentage', + 'value': 
str(int(prop['cpuUsage'])) + '%' + }, + { + 'name': 'minInstancesInt', + 'value': str(int(prop['minInstances'])) + }, + { + 'name': 'maxInstancesInt', + 'value': str(int(prop['maxInstances'])) + }, + { + 'name': 'password', + 'value': passwd + } + ] + return common.MakeResource(prop['resources'], prop['outputs']) diff --git a/deprecated/gcp/R80.40-R81/autoscale-byol/check-point-autoscale--byol.py.schema b/deprecated/gcp/R80.40-R81/autoscale-byol/check-point-autoscale--byol.py.schema new file mode 100644 index 00000000..0c5117b2 --- /dev/null +++ b/deprecated/gcp/R80.40-R81/autoscale-byol/check-point-autoscale--byol.py.schema 
@@ -0,0 +1,215 @@ +imports: + - path: check-point-autoscale--byol.py + +info: + version: 1.0 + title: Check Point CloudGuard Network Security Autoscaling - BYOL Template + +required: + - autoscalingVersion + - networks + - zone + - machineType + - cpuUsage + - minInstances + - maxInstances + - diskType + - bootDiskSizeGb + - managementName + - AutoProvTemplate + - allowUploadDownload + - networkDefinedByRoutes + - shell + - enableMonitoring + - generatePassword + +properties: + zone: + type: string + default: us-central1-a + x-googleProperty: + type: GCE_ZONE + networks: + type: array + default: [default, default1] + minItems: 2 + maxItems: 2 + x-googleProperty: + type: GCE_NETWORK + gceNetwork: + labels: + - External + - Internal + allowSharedVpcs: True + machineTypeProperty: machineType + subnetworks: + type: array + minItems: 2 + maxItems: 2 + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: networks + mgmtNIC: + type: string + default: Ephemeral Public IP (eth0) + enum: + - Ephemeral Public IP (eth0) + - Private IP (eth1) + enableIcmp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: networks + icmpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: enableIcmp + enableTcp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: networks + tcpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: enableTcp + enableUdp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: networks + udpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: enableUdp + enableSctp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: 
networks + sctpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: enableSctp + enableEsp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: networks + espSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: enableEsp + machineType: + type: string + default: n1-standard-4 + x-googleProperty: + type: GCE_MACHINE_TYPE + zoneProperty: zone + gceMachineType: + minCpu: 2 + minRamGb: 1.843000054359436 + cpuUsage: + type: integer + minimum: 10 + maximum: 90 + default: 60 + minInstances: + type: integer + minimum: 1 + maximum: 16384 + default: 2 + maxInstances: + type: integer + minimum: 1 + maximum: 32768 + default: 10 + instanceSSHKey: + type: string + pattern: ^([0-9a-z\-]+ +[0-9A-Za-z/\+=]+( .*)?|)$ + default: '' + diskType: + type: string + default: pd-ssd + x-googleProperty: + type: GCE_DISK_TYPE + zoneProperty: zone + bootDiskSizeGb: + type: integer + default: 100 + minimum: 100 + maximum: 4096 + x-googleProperty: + type: GCE_DISK_SIZE + gceDiskSize: + diskTypeProperty: diskType + autoscalingVersion: + type: string + default: R81.20 Autoscaling + enum: + - R80.40 Autoscaling + - R81 Autoscaling + - R81.10 Autoscaling + - R81.20 Autoscaling + managementName: + type: string + default: 'checkpoint-management' + pattern: ^([ -~]+)$ + AutoProvTemplate: + type: string + default: 'gcp-asg-autoprov-tmplt' + pattern: ^([ -~]{1,30})$ + enableMonitoring: + type: boolean + default: False + networkDefinedByRoutes: + type: boolean + default: True + allowUploadDownload: + type: boolean + default: True + generatePassword: + type: boolean + default: False + maintenanceMode: + type: string + pattern: ^([a-z0-9A-Z.]{12,300}|)$ + default: '' + shell: + type: string + default: /etc/cli.sh + enum: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + +outputs: + deployment: + type: string + project: + 
type: string + password: + type: string \ No newline at end of file diff --git a/deprecated/gcp/R80.40-R81/autoscale-byol/common.py b/deprecated/gcp/R80.40-R81/autoscale-byol/common.py new file mode 100644 index 00000000..e123c502 --- /dev/null +++ b/deprecated/gcp/R80.40-R81/autoscale-byol/common.py 
@@ -0,0 +1,262 @@ +# Copyright 2015 Google Inc. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +"""Generic simple functions used for python based template generation.""" + +import re +import sys +import traceback +import default +import string + +import yaml + +RFC1035_RE = re.compile(r'^[a-z][-a-z0-9]{1,61}[a-z0-9]{1}$') + + +class Error(Exception): + """Common exception wrapper for template exceptions.""" + pass + + +class DefaultFormatter(string.Formatter): + """Returns default instead of key error when looking for keys. + + Used for startup-script which contains params from multiple deployments + whiles keys from one deployment may not be set in another. 
+ """ + def __init__(self, default=''): + self.default = default + def get_value(self, key, args, dict): + if isinstance(key, str): + return dict.get(key, self.default) + else: + return string.Formatter.get_value(key, args, dict) + + +def set_name_and_truncate(primary, secondary, maxlength=62): + return '%s%s' % (primary[:maxlength - len(secondary)], secondary) + + +def AddDiskResourcesIfNeeded(context): + """Checks context if disk resources need to be added.""" + if default.DISK_RESOURCES in context.properties: + return context.properties[default.DISK_RESOURCES] + else: + return [] + + +def AutoName(base, resource, *args): + """Helper method to generate names automatically based on default.""" + auto_name = '%s-%s' % (base, '-'.join(list(args) + [default.AKA[resource]])) + if not RFC1035_RE.match(auto_name): + raise Error('"%s" name for type %s does not match RFC1035 regex (%s)' % + (auto_name, resource, RFC1035_RE.pattern)) + return auto_name + + +def AutoRef(base, resource, *args): + """Helper method that builds a reference for an auto-named resource.""" + return Ref(AutoName(base, resource, *args)) + + +def OrderedItems(dict_obj): + """Convenient method to yield sorted iteritems of a dictionary.""" + keys = list(dict_obj.keys()) + keys.sort() + for k in keys: + yield (k, dict_obj[k]) + + +def ShortenZoneName(zone): + """Given a string that looks like a zone name, creates a shorter version.""" + geo, coord, number, letter = re.findall(r'(\w+)-(\w+)(\d)-(\w)', zone)[0] + geo = geo.lower() if len(geo) == 2 else default.LOC[geo.lower()] + coord = default.LOC[coord.lower()] + number = str(number) + letter = letter.lower() + return geo + '-' + coord + number + letter + + +def ZoneToRegion(zone): + """Derives the region from a zone name.""" + parts = zone.split('-') + if len(parts) != 3: + raise Error('Cannot derive region from zone "%s"' % zone) + return '-'.join(parts[:2]) + + +def FormatException(message): + """Adds more information to the exception.""" + message = 
('Exception Type: %s\n' + 'Details: %s\n' + 'Message: %s\n') % (sys.exc_info()[0], + traceback.format_exc(), message) + return message + + +def Ref(name): + return '$(ref.%s.selfLink)' % name + + +def RefGroup(name): + return '$(ref.%s.instanceGroup)' % name + + +def GlobalComputeLink(project, collection, name): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/global/', + collection, '/', name]) + +def GlobalNetworkLink(project, network): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/global/', + default.NETWORKS, '/', network]) + + +def LocalComputeLink(project, zone, key, value): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/zones/', + zone, '/', key, '/', value]) + + +def ReadContext(context, prop_key): + return (context.env['project'], context.properties.get('zone', None), + context.properties[prop_key]) + + +def MakeLocalComputeLink(context, key, zone=None): + if not zone: + project, zone, value = ReadContext(context, key) + else: + project, _, value = ReadContext(context, key) + + if IsComputeLink(value): + return value + else: + return LocalComputeLink(project, zone, key + 's', value) + + +def MakeGlobalComputeLink(context, key): + project, _, value = ReadContext(context, key) + if IsComputeLink(value): + return value + else: + return GlobalComputeLink(project, key + 's', value) + +def MakeRegionalSubnetworkLink(project, zone, subnet): + region = ZoneToRegion(zone) + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/regions/', + region, '/subnetworks/', subnet]) + + +def MakeSubnetworkComputeLink(context, key): + project, zone, value = ReadContext(context, key) + region = ZoneToRegion(zone) + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/regions/', + region, '/subnetworks/', value]) + + +def MakeFQHN(context, name): + return '%s.c.%s.internal' % (name, context.env['project']) + + +# TODO(victorg): Consider moving this method to a different file +def 
MakeC2DImageLink(name, dev_mode=False): + if IsGlobalProjectShortcut(name) or name.startswith('http'): + return name + else: + if dev_mode: + return 'global/images/%s' % name + else: + return GlobalComputeLink(default.C2D_IMAGES, 'images', name) + + +def IsGlobalProjectShortcut(name): + return name.startswith('projects/') or name.startswith('global/') + + +def IsComputeLink(name): + return (name.startswith(default.COMPUTE_URL_BASE) or + name.startswith(default.REFERENCE_PREFIX)) + + +def GetNamesAndTypes(resources_dict): + return [(d['name'], d['type']) for d in resources_dict] + + +def SummarizeResources(res_dict): + """Summarizes the name of resources per resource type.""" + result = {} + for res in res_dict: + result.setdefault(res['type'], []).append(res['name']) + return result + + +def ListPropertyValuesOfType(res_dict, prop, res_type): + """Lists all the values for a property of a certain type.""" + return [r['properties'][prop] for r in res_dict if r['type'] == res_type] + + +def MakeResource(resource_list, output_list=None): + """Wrapper for a DM template basic spec.""" + content = {'resources': resource_list} + if output_list: + content['outputs'] = output_list + return yaml.dump(content) + + +def TakeZoneOut(properties): + """Given a properties dictionary, removes the zone specific information.""" + + def _CleanZoneUrl(value): + value = value.split('/')[-1] if IsComputeLink(value) else value + return value + + for name in default.VM_ZONE_PROPERTIES: + if name in properties: + properties[name] = _CleanZoneUrl(properties[name]) + if default.ZONE in properties: + properties.pop(default.ZONE) + if default.BOOTDISK in properties: + properties[default.BOOTDISK] = _CleanZoneUrl(properties[default.BOOTDISK]) + if default.DISKS in properties: + for disk in properties[default.DISKS]: + # Don't touch references to other disks + if default.DISK_SOURCE in disk: + continue + if default.INITIALIZEP in disk: + disk_init = disk[default.INITIALIZEP] + if default.DISKTYPE 
in disk_init: + disk_init[default.DISKTYPE] = _CleanZoneUrl(disk_init[default.DISKTYPE]) + + +def GenerateEmbeddableYaml(yaml_string): + # Because YAML is a space delimited format, we need to be careful about + # embedding one YAML document in another. This function takes in a string in + # YAML format and produces an equivalent YAML representation that can be + # inserted into arbitrary points of another YAML document. It does so by + # printing the YAML string in a single line format. Consistent ordering of + # the string is also guaranteed by using yaml.dump. + yaml_object = yaml.load(yaml_string) + dumped_yaml = yaml.dump(yaml_object, default_flow_style=True) + return dumped_yaml + + +def FormatErrorsDec(func): + """Decorator to format exceptions if they get raised.""" + + def FormatErrorsWrap(context): + try: + return func(context) + except Exception as e: + raise Error(FormatException(e.message)) + + return FormatErrorsWrap diff --git a/deprecated/gcp/R80.40-R81/autoscale-byol/config.yaml b/deprecated/gcp/R80.40-R81/autoscale-byol/config.yaml new file mode 100644 index 00000000..bc223154 --- /dev/null +++ b/deprecated/gcp/R80.40-R81/autoscale-byol/config.yaml 
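Review bot: `GenerateEmbeddableYaml` calls `yaml.load(yaml_string)` without a `Loader`; on PyYAML releases before 5.1 that selects the full, unsafe loader, which constructs arbitrary Python objects from `!!python/...` tags, and on 6.0 and later the call fails outright because `Loader` is mandatory. The function only needs plain data, so `yaml_object = yaml.safe_load(yaml_string)` is the right call on every supported version. In the same hunk, `FormatErrorsWrap` reads `e.message`, an attribute Python 3 exceptions do not have, so any error raised inside the wrapped template function surfaces as an `AttributeError` and the original message is lost; `raise Error(FormatException(str(e))) from e` preserves both. `DefaultFormatter.get_value` also names its third parameter `dict`, shadowing the builtin for no benefit; `kwargs` would match `string.Formatter`'s own signature.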
@@ -0,0 +1,50 @@
+imports:
+- path: check-point-autoscale--byol.py
+- path: common.py
+- path: default.py
+- path: password.py
+- path: images.py
+
+resources:
+- name: check-point-autoscale--byol
+ type: check-point-autoscale--byol.py
+ properties:
+ autoscalingVersion: "PLEASE ENTER AUTOSCALE VERSION"
+ managementName: "PLEASE ENTER MANAGEMENT NAME"
+ AutoProvTemplate: "PLEASE ENTER AUTOPROVISION TEMPLATE NAME"
+ instanceSSHKey: "PLEASE ENTER A VALID PUBLIC KEY"
+ mgmtNIC: "PLEASE ENTER MANAGEMENT NIC TYPE"
+ networkDefinedByRoutes: "PLEASE ENTER true or false"
+ shell: "PLEASE ENTER A SHELL"
+ allowUploadDownload: "PLEASE ENTER true or false"
+ zone: "PLEASE ENTER A ZONE"
+ networks: "PLEASE ENTER A LIST OF EXTERNAL AND INTERNAL NETWORKS ID"
+ subnetworks: "PLEASE ENTER A LIST OF EXTERNAL AND INTERNAL SUBNETWORKS ID"
+ enableIcmp: "PLEASE ENTER true or false"
+ icmpSourceRanges: "PLEASE ENTER ICMP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ enableTcp: "PLEASE ENTER true or false"
+ tcpSourceRanges: "PLEASE ENTER TCP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ enableUdp: "PLEASE ENTER true or false"
+ udpSourceRanges: "PLEASE ENTER UDP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ enableSctp: "PLEASE ENTER true or false"
+ sctpSourceRanges: "PLEASE ENTER SCTP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ enableEsp: "PLEASE ENTER true or false"
+ espSourceRanges: "PLEASE ENTER ESP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ machineType: "PLEASE ENTER A MACHINE TYPE"
+ cpuUsage: "PLEASE ENTER CPU USAGE (%)"
+ minInstances: "PLEASE ENTER MINIMUM NUMBER OF INSTANCES"
+ maxInstances: "PLEASE ENTER MAXIMUM NUMBER OF INSTANCES"
+ diskType: "PLEASE ENTER A DISK TYPE"
+ bootDiskSizeGb: "PLEASE ENTER A DISK SIZE"
+ enableMonitoring: "PLEASE ENTER true or false"
+outputs:
+- name: "Deployment"
+ value: $(ref.check-point-autoscale--byol.deployment)
+- name: "Managed instance group"
+ value: $(ref.check-point-autoscale--byol.IGMLink)
+- name: "Minimum instances"
+ value: $(ref.check-point-autoscale--byol.minInstancesInt)
+- name: "Maximum instances"
+ value: $(ref.check-point-autoscale--byol.maxInstancesInt)
+- name: "Target CPU usage"
+ value: $(ref.check-point-autoscale--byol.cpuUsagePercentage)
\ No newline at end of file
diff --git a/deprecated/gcp/R80.40-R81/autoscale-byol/default.py b/deprecated/gcp/R80.40-R81/autoscale-byol/default.py
new file mode 100644
index 00000000..0c7dd919
--- /dev/null
+++ b/deprecated/gcp/R80.40-R81/autoscale-byol/default.py
@@ -0,0 +1,134 @@
+# Copyright 2015 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Convenience module to hold default constants for C2D components.
+
+There should not be any logic in this module. Its purpose is to simplify
+analysis of commonly used GCP and properties names and identify the names
+that were custom created for these modules.
+"""
+# Generic constants
+C2D_IMAGES = 'click-to-deploy-images'
+
+# URL constants
+COMPUTE_URL_BASE = 'https://www.googleapis.com/compute/v1/'
+
+# Deployment Manager constructs
+REFERENCE_PREFIX = '$(ref.'
+
+# Commonly used in properties namespace
+AUTO_DELETE = 'autoDelete'
+BOOTDISK = 'bootDiskType'
+BOOTDISKSIZE = 'bootDiskSizeGb'
+C_IMAGE = 'containerImage'
+DC_MANIFEST = 'dcManifest'
+DEPLOYMENT = 'DEPLOYMENT' # used in the deployment coordinator
+DISK_NAME = 'diskName'
+DISK_RESOURCES = 'addedDiskResources'
+DISK_SOURCE = 'source'
+ENDPOINT_NAME = 'serviceRegistryEndpointName'
+FIXED_GCLOUD = 'fixedGcloud'
+GENERATED_PROP = 'generatedProperties'
+INITIALIZEP = 'initializeParams'
+INSTANCE_NAME = 'instanceName'
+LOCAL_SSD = 'localSSDs'
+MAX_NUM = 'maxNumReplicas'
+NETWORKS = 'networks'
+NO_SCOPE = 'noScope'
+PROVIDE_BOOT = 'provideBoot'
+REPLICAS = 'replicas'
+SIZE = 'size'
+VM_COPIES = 'numberOfVMReplicas'
+ZONES = 'zones'
+
+# Common properties values (only official GCP values allowed here)
+EXTERNAL = 'External NAT'
+ONE_NAT = 'ONE_TO_ONE_NAT'
+
+# Common 1st level properties (only official GCP names allowed here)
+CAN_IP_FWD = 'canIpForward'
+CONTAINER = 'container'
+DCKRENV = 'dockerEnv'
+DCKRIMAGE = 'dockerImage'
+DEFAULT_SERVICE = 'defaultService'
+DEVICE_NAME = 'deviceName'
+DISKS = 'disks'
+DISK_SIZE = 'diskSizeGb'
+DISKTYPE = 'diskType'
+HEALTH_PATH = 'healthPath'
+HOST_RULES = 'hostRules'
+IP_PROTO = 'IPProtocol'
+MACHINETYPE = 'machineType'
+METADATA = 'metadata'
+NAME = 'name'
+NETWORK = 'network'
+NETWORKS = 'networks'
+SUBNETWORK = 'subnetwork'
+PATH_MATCHERS = 'pathMatchers'
+PORT = 'port'
+PROJECT = 'project'
+SERVICE = 'service'
+SERVICE_ACCOUNTS = 'serviceAccounts'
+SRCIMAGE = 'sourceImage'
+SRC_RANGES = 'sourceRanges'
+TAGS = 'tags'
+TYPE = 'type'
+VM_TEMPLATE = 'instanceTemplate'
+ZONE = 'zone'
+
+# Zone specfic VM properties
+VM_ZONE_PROPERTIES = [DISKTYPE, MACHINETYPE, BOOTDISK]
+
+# Resource type defaults names
+ADDRESS = 'compute.v1.address'
+AUTOSCALER = 'compute.v1.autoscaler'
+BACKEND_SERVICE = 'compute.v1.backendService'
+DISK = 'compute.v1.disk'
+ENDPOINT = 'serviceregistry.v1alpha.endpoint'
+FIREWALL = 'compute.v1.firewall'
+GF_RULE = 'compute.v1.globalForwardingRule'
+HEALTHCHECK = 'compute.v1.httpHealthCheck'
+IGM = 'compute.v1.instanceGroupManager'
+INSTANCE = 'compute.v1.instance'
+PROXY = 'compute.v1.targetHttpProxy'
+TEMPLATE = 'compute.v1.instanceTemplate'
+REGION_IGM = 'compute.v1.regionInstanceGroupManager'
+REGION_AUTOSCALER = 'compute.v1.regionAutoscaler'
+URL_MAP = 'compute.v1.urlMap'
+VPC='compute.v1.network'
+VPC_SUBNET='compute.v1.subnetwork'
+
+# Also Known As constants
+AKA = {
+ TEMPLATE: 'tmplt',
+ AUTOSCALER: 'as',
+ BACKEND_SERVICE: 'bes',
+ DISK: 'disk',
+ FIREWALL: 'fwall',
+ GF_RULE: 'ip',
+ HEALTHCHECK: 'hc',
+ INSTANCE: 'vm',
+ PROXY: 'tproxy',
+ IGM: 'igm',
+ URL_MAP: 'umap',
+}
+
+LOC = {
+ 'europe': 'eu',
+ 'asia': 'as',
+ 'central': 'c',
+ 'east': 'e',
+ 'west': 'w',
+ 'north': 'n',
+ 'south': 's',
+}
diff --git a/deprecated/gcp/R80.40-R81/autoscale-byol/images.py b/deprecated/gcp/R80.40-R81/autoscale-byol/images.py
new file mode 100644
index 00000000..7b04bee0
--- /dev/null
+++ b/deprecated/gcp/R80.40-R81/autoscale-byol/images.py
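Review bot: `NETWORKS = 'networks'` is assigned twice in this hunk, once under the "Commonly used in properties namespace" comment and again under "Common 1st level properties"; the second assignment is a harmless no-op, but it suggests the two sections are separate namespaces when both live in the same module scope, so drop one of them. `VPC='compute.v1.network'` and `VPC_SUBNET='compute.v1.subnetwork'` also lack the spaces around `=` that every other constant in the file uses. The comment `# Zone specfic VM properties` should read `# Zone specific VM properties`.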
@@ -0,0 +1,34 @@
+IMAGES = {
+ "check-point-r8120-payg": "check-point-r8120-payg-631-991001560-v20240425",
+ "check-point-r8120-gw-payg-single": "check-point-r8120-gw-payg-single-631-991001560-v20240425",
+ "check-point-r8120-gw-payg-mig": "check-point-r8120-gw-payg-mig-631-991001560-v20240425",
+ "check-point-r8120-gw-payg-cluster": "check-point-r8120-gw-payg-cluster-631-991001560-v20240425",
+ "check-point-r8120-gw-byol-single": "check-point-r8120-gw-byol-single-631-991001560-v20240425",
+ "check-point-r8120-gw-byol-mig": "check-point-r8120-gw-byol-mig-631-991001560-v20240425",
+ "check-point-r8120-gw-byol-cluster": "check-point-r8120-gw-byol-cluster-631-991001560-v20240425",
+ "check-point-r8120-byol": "check-point-r8120-byol-631-991001560-v20240425",
+ "check-point-r8110-payg": "check-point-r8110-payg-335-991001560-v20240425",
+ "check-point-r8110-gw-payg-single": "check-point-r8110-gw-payg-single-335-991001560-v20240425",
+ "check-point-r8110-gw-payg-mig": "check-point-r8110-gw-payg-mig-335-991001560-v20240425",
+ "check-point-r8110-gw-payg-cluster": "check-point-r8110-gw-payg-cluster-335-991001560-v20240425",
+ "check-point-r8110-gw-byol-single": "check-point-r8110-gw-byol-single-335-991001560-v20240425",
+ "check-point-r8110-gw-byol-mig": "check-point-r8110-gw-byol-mig-335-991001560-v20240425",
+ "check-point-r8110-gw-byol-cluster": "check-point-r8110-gw-byol-cluster-335-991001560-v20240425",
+ "check-point-r8110-byol": "check-point-r8110-byol-335-991001560-v20240425",
+ "check-point-r81-payg": "check-point-r81-payg-392-991001560-v20240425",
+ "check-point-r81-gw-payg-single": "check-point-r81-gw-payg-single-392-991001560-v20240425",
+ "check-point-r81-gw-payg-mig": "check-point-r81-gw-payg-mig-392-991001560-v20240425",
+ "check-point-r81-gw-payg-cluster": "check-point-r81-gw-payg-cluster-392-991001560-v20240425",
+ "check-point-r81-gw-byol-single": "check-point-r81-gw-byol-single-392-991001560-v20240425",
+ "check-point-r81-gw-byol-mig": "check-point-r81-gw-byol-mig-392-991001560-v20240425",
+ "check-point-r81-gw-byol-cluster": "check-point-r81-gw-byol-cluster-392-991001560-v20240425",
+ "check-point-r81-byol": "check-point-r81-byol-392-991001560-v20240425",
+ "check-point-r8040-payg": "check-point-r8040-payg-294-991001560-v20240425",
+ "check-point-r8040-gw-payg-single": "check-point-r8040-gw-payg-single-294-991001564-v20240505",
+ "check-point-r8040-gw-payg-mig": "check-point-r8040-gw-payg-mig-294-991001564-v20240505",
+ "check-point-r8040-gw-payg-cluster": "check-point-r8040-gw-payg-cluster-294-991001564-v20240505",
+ "check-point-r8040-gw-byol-single": "check-point-r8040-gw-byol-single-294-991001564-v20240505",
+ "check-point-r8040-gw-byol-mig": "check-point-r8040-gw-byol-mig-294-991001564-v20240505",
+ "check-point-r8040-gw-byol-cluster": "check-point-r8040-gw-byol-cluster-294-991001564-v20240505",
+ "check-point-r8040-byol": "check-point-r8040-byol-294-991001560-v20240425"
+}
\ No newline at end of file
diff --git a/deprecated/gcp/R80.40-R81/autoscale-byol/password.py b/deprecated/gcp/R80.40-R81/autoscale-byol/password.py
new file mode 100644
index 00000000..273210a6
--- /dev/null
+++ b/deprecated/gcp/R80.40-R81/autoscale-byol/password.py
@@ -0,0 +1,135 @@ +# Copyright 2015 Google Inc. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +"""A DM template that generates password as an output, namely "password". + +An example YAML showing how this template can be used: + resources: + - name: generated-password + type: password.py + properties: + length: 8 + includeSymbols: true + - name: main-template + type: main-template.jinja + properties: + password: $(ref.generated-password.password) + +Input properties to this template: + - length: the length of the generated password. At least 8. Default 8. + - includeSymbols: true/false whether to include symbol chars. Default false. + +The generated password satisfies the following requirements: + - The length is as specified, + - Containing letters and numbers, and optionally symbols if specified, + - Starting with a letter, + - Containing characters from at least 3 of the 4 categories: uppercases, + lowercases, numbers, and symbols. + +""" + +import random +import yaml + +PROPERTY_LENGTH = 'length' +PROPERTY_INCLUDE_SYMBOLS = 'includeSymbols' + +# Note the omission of some hard to distinguish characters like I, l, 0, and O. +UPPERS = 'ABCDEFGHJKLMNPQRSTUVWXYZ' +LOWERS = 'abcdefghijkmnopqrstuvwxyz' +ALPHABET = UPPERS + LOWERS +DIGITS = '123456789' +ALPHANUMS = ALPHABET + DIGITS +# Including only symbols that can be passed around easily in shell scripts. +SYMBOLS = '*-+.' 
+ +CANDIDATES_WITH_SYMBOLS = ALPHANUMS + SYMBOLS +CANDIDATES_WITHOUT_SYMBOLS = ALPHANUMS + +CATEGORIES_WITH_SYMBOLS = [UPPERS, LOWERS, DIGITS, SYMBOLS] +CATEGORIES_WITHOUT_SYMBOLS = [UPPERS, LOWERS, DIGITS] + +MIN_LENGTH = 8 + + +class InputError(Exception): + """Raised when input properties are unexpected.""" + + +def GenerateConfig(context): + """Entry function to generate the DM config.""" + props = context.properties + length = props.setdefault(PROPERTY_LENGTH, MIN_LENGTH) + include_symbols = props.setdefault(PROPERTY_INCLUDE_SYMBOLS, False) + + if not isinstance(include_symbols, bool): + raise InputError('%s must be a boolean' % PROPERTY_INCLUDE_SYMBOLS) + + content = { + 'resources': [], + 'outputs': [{ + 'name': 'password', + 'value': GeneratePassword(length, include_symbols) + }] + } + return yaml.dump(content) + + +def GeneratePassword(length=8, include_symbols=False): + """Generates a random password.""" + if length < MIN_LENGTH: + raise InputError('Password length must be at least %d' % MIN_LENGTH) + + candidates = (CANDIDATES_WITH_SYMBOLS if include_symbols + else CANDIDATES_WITHOUT_SYMBOLS) + categories = (CATEGORIES_WITH_SYMBOLS if include_symbols + else CATEGORIES_WITHOUT_SYMBOLS) + + # Generates up to the specified length minus the number of categories. + # Then inserts one character for each category, ensuring that the character + # satisfy the category if the generated string hasn't already. + generated = ([random.choice(ALPHABET)] + + [random.choice(candidates) + for _ in range(length - 1 - len(categories))]) + for category in categories: + _InsertAndEnsureSatisfaction(generated, category, candidates) + return ''.join(generated) + + +def _InsertAndEnsureSatisfaction(generated, required, all_candidates): + """Inserts 1 char into generated, satisfying required if not already. + + If the required characters are not already in the generated string, one will + be inserted. 
If any required character is already in the generated string, a + random character from all_candidates will be inserted. The insertion happens + at a random location but not at the beginning. + + Args: + generated: the string to be modified. + required: list of required characters to check for. + all_candidates: list of characters to choose from if the required characters + are already satisfied. + """ + if set(generated).isdisjoint(required): + # Not yet satisfied. Insert a required candidate. + _InsertInto(generated, required) + else: + # Already satisfied. Insert any candidate. + _InsertInto(generated, all_candidates) + + +def _InsertInto(generated, candidates): + """Inserts a random candidate into a random non-zero index of generated.""" + # Avoids inserting at index 0, since the first character follows its own rule. + generated.insert(random.randint(1, len(generated) - 1), + random.choice(candidates)) diff --git a/deprecated/gcp/R80.40-R81/autoscale-payg/README.md b/deprecated/gcp/R80.40-R81/autoscale-payg/README.md new file mode 100644 index 00000000..9dfa6b83 --- /dev/null +++ b/deprecated/gcp/R80.40-R81/autoscale-payg/README.md 
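Review bot: `GeneratePassword` and `_InsertInto` draw every character from the `random` module (`random.choice`, `random.randint`), whose Mersenne Twister generator is documented as unsuitable for security purposes, yet the module docstring says the result is a password handed to other resources through the `password` output. Swap in the `secrets` module, which is a like-for-like change: `import secrets` instead of `import random`, `secrets.choice(...)` for each `random.choice(...)`, and `secrets.randbelow(len(generated) - 1) + 1` for `random.randint(1, len(generated) - 1)`. The alphabet, length and category rules are untouched, so the callers in check-point-autoscale--byol.py that pass `(12, False)` get output of the same shape.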
@@ -0,0 +1,126 @@ +# GCP Deployment Manager package for Check Point Autoscaling PAYG solution +This directory contains CloudGuard IaaS deployment package for Check Point Autoscaling (PAYG) solution published in the [GCP Marketplace](https://console.cloud.google.com/marketplace/details/checkpoint-public/check-point-autoscaling-ngtp). + +# How to deploy the package manually +To deploy the Deployment Manager's package manually, without using the GCP Marketplace, follow these instructions: +1. Clone or download the files in this directory +2. Fill variables in the config.yaml(see below for variables descriptions). +3. Log into [Google Cloud Platform Console](https://console.cloud.google.com) +4. [Activate Cloud Shell](https://cloud.google.com/shell/docs/using-cloud-shell) +5. Set your Cloud Platform project in the Cloud Shell session use: + + gcloud config set project [PROJECT_ID] +6. Upload the content of the CloudGuardIaaS/gcp/deployment-packages/autoscale-payg/ directory to the [cloud shell](https://cloud.google.com/shell/docs/uploading-and-downloading-files) +7. Launch deployment by running: + + gcloud deployment-manager deployments create [DEPLOYMENT_NAME] --config config.yaml +8. Make sure the deployment finished successfully.
Example of successful deployment output: + + The fingerprint of the deployment is h8R2exQYuc4bzlO14boUhg== + Waiting for create [operation-1585217870871-5a1bf4c15b9ea-f8d824d5-1089cc78]...done. + Create operation operation-1585217870871-5a1bf4c15b9ea-f8d824d5-1089cc78 completed successfully. + NAME TYPE STATE ERRORS INTENT + mig-as compute.v1.regionAutoscaler COMPLETED [] + mig-igm compute.v1.regionInstanceGroupManager COMPLETED [] + mig-vpc-icmp compute.v1.firewall COMPLETED [] + mig-vpc-udp compute.v1.firewall COMPLETED [] + mig-tmplt compute.v1.instanceTemplate COMPLETED [] + OUTPUTS VALUE + Deployment autoscale + Managed instance group https://www.googleapis.com/compute/v1/projects/checkpoint/regions/asia-east1/instanceGroups/autoscale-igm + Minimum instances 2 + Maximum instances 10 + Target CPU usage 60% + +## config.yaml variables +| Name | Description | Type | Allowed values | +| ------------- | ------------- | ------------- | ------------- | +| **autoscalingVersion** | Autoscaling Version | string | R80.40 Autoscaling;
R81.00 Autoscaling;
R81.10 Autoscaling;
R81.20 Autoscaling;| +| | | | | | +| **managementName** | Security Management Server name | string | The name of the Security Management Server as appears in autoprovisioning configuration | +| | | | | | +| **AutoProvTemplate** | Configuration template name | string | Specify the provisioning configuration template name (for autoprovisioning) | +| | | | | | +| **instanceSSHKey** | Public SSH key for the user 'admin' | string | A valid public ssh key | +| | | | | | +| **mgmtNIC** | Management Interface | string | Ephemeral Public IP (eth0)
; Private IP (eth1); | +| | | | | | +| **networkDefinedByRoutes** | Networks behind the Internal interface will be defined by routes.
Set eth1 topology to define the networks behind this interface by the routes configured on the gateway | boolean | true;
false; | +| | | | | | +| **shell** | Admin shell | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh;
| +| | | | | | +| **allowUploadDownload** | Allow download from/upload to Check Point | boolean | true;
false; | +| | | | | | +| **zone** | The zone determines what computing resources are available and where your data is stored and used | string | List of allowed [Regions and Zones](https://cloud.google.com/compute/docs/regions-zones?_ga=2.31926582.-962483654.1585043745) | +| | | | | | +| **networks** | The external networks ID in which the gateways will reside and internal networks ID in which application servers reside. | list(string) | Available network in the chosen zone | +| | | | | | +| **subnetworks** | External and Internal subnet ID. Assigns the instance an IPv4 address from the subnetwork’s range. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. | list(string) | Available subnetwork in the chosen network | +| | | | | | +| **enableIcmp** | Allow ICMP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **icmpSourceRanges** | Source IP ranges for ICMP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **enableTcp** | Allow TCP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **tcpSourceRanges** | Allow TCP traffic from the Internet | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009 [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **enableUdp** | Allow UDP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **udpSourceRanges** | Source IP ranges for UDP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **enableSctp** | Allow SCTP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **sctpSourceRanges** | Source IP ranges for SCTP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **enableEsp** | Allow ESP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **espSourceRanges** | Source IP ranges for ESP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **machineType** | Machine types determine the specifications of your machines, such as the amount of memory, virtual cores, and persistent disk limits an instance will have | string | [Learn more about Machine Types](https://cloud.google.com/compute/docs/machine-types?hl=en_US&_ga=2.267871494.-962483654.1585043745) | +| | | | | | +| **cpuUsage** | Target CPU usage (%).
Autoscaling adds or removes instances in the group to maintain this level of CPU usage on each instance | number | A number in the range 10 - 90 | +| | | | | | +| **minInstances** | Minimum number of instances | number | A number in the range 1 and the maximum number of instances | +| | | | | | +| **maxInstances** | Maximum number of instances | number | A number in the range the minimum number of instances and infinity | +| | | | | | +| **diskType** | Disk type | string | pd-ssd;
pd-standard;
Storage space is much less expensive for a standard persistent disk. An SSD persistent disk is better for random IOPS or streaming throughput with low latency. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.66020774.-962483654.1585043745#overview_of_disk_types)| +| | | | | | +| **bootDiskSizeGb** | Disk size in GB | number | Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.232680471.-962483654.1585043745#pdperformance)| +| | | | | | +| **enableMonitoring** | Enable Stackdriver monitoring | boolean | true;
false; | +| | | | | | + +## Example + autoscalingVersion: "R81.10 Autoscaling" + managementName: "mgmt" + AutoProvTemplate: "template" + instanceSSHKey: "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" + mgmtNIC: "Ephemeral Public IP (eth0)" + networkDefinedByRoutes: true + shell: "/bin/bash" + allowUploadDownload: true + zone: "asia-east1-a" + networks: ["external-vpc", "internal-vpc"] + subnetworks: ["frontend", "backend"] + enableIcmp: true + icmpSourceRanges: "0.0.0.0/0" + enableTcp: false + tcpSourceRanges: "" + enableUdp: true + udpSourceRanges: "0.0.0.0/0" + enableSctp: false + sctpSourceRanges: "" + enableEsp: false + espSourceRanges: "" + machineType: "n1-standard-4" + cpuUsage: 60 + minInstances: 2 + maxInstances: 10 + diskType: "pd-ssd" + bootDiskSizeGb: 100 + enableMonitoring: false + +## Notes +See [sk147032](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk147032) for revision history diff --git a/deprecated/gcp/R80.40-R81/autoscale-payg/c2d_deployment_configuration.json b/deprecated/gcp/R80.40-R81/autoscale-payg/c2d_deployment_configuration.json new file mode 100644 index 00000000..4141cb87 --- /dev/null +++ b/deprecated/gcp/R80.40-R81/autoscale-payg/c2d_deployment_configuration.json @@ -0,0 +1,7 @@ +{ + "defaultDeploymentType": "MULTI_VM", + "imageName": "check-point-r8120-gw-payg-mig-631-991001475-v20231221", + "projectId": "checkpoint-public", + "templateName": "nonexistent_template", + "useSolutionPackage": "true" +} diff --git a/deprecated/gcp/R80.40-R81/autoscale-payg/check-point-autoscale--payg.py b/deprecated/gcp/R80.40-R81/autoscale-payg/check-point-autoscale--payg.py new file mode 100644 index 00000000..05acbfdc --- /dev/null +++ b/deprecated/gcp/R80.40-R81/autoscale-payg/check-point-autoscale--payg.py 
@@ -0,0 +1,381 @@ +# Copyright 2016 Check Point Software LTD. + +import common +import default +import images +import password + +GATEWAY = 'checkpoint-gateway' +PROJECT = 'checkpoint-public' +LICENSE = 'payg' +LICENCE_TYPE = 'mig' + +VERSIONS = { + 'R80.40-GW': 'r8040-gw', + 'R81-GW': 'r81-gw', + 'R81.10-GW': 'r8110-gw', + 'R81.20-GW': 'r8120-gw' +} + +TEMPLATE_NAME = 'autoscale' +TEMPLATE_VERSION = '20231221' + +startup_script = ''' +#cloud-config +runcmd: + - 'python3 /etc/cloud_config.py "generatePassword=\\"{generatePassword}\\"" "allowUploadDownload=\\"{allowUploadDownload}\\"" "templateName=\\"{templateName}\\"" "templateVersion=\\"{templateVersion}\\"" "mgmtNIC=\\"{mgmtNIC}\\"" "hasInternet=\\"{hasInternet}\\"" "config_url=\\"{config_url}\\"" "config_path=\\"{config_path}\\"" "installationType=\\"{installationType}\\"" "enableMonitoring=\\"{enableMonitoring}\\"" "shell=\\"{shell}\\"" "computed_sic_key=\\"{computed_sic_key}\\"" "sicKey=\\"{sicKey}\\"" "managementGUIClientNetwork=\\"{managementGUIClientNetwork}\\"" "primary_cluster_address_name=\\"{primary_cluster_address_name}\\"" "secondary_cluster_address_name=\\"{secondary_cluster_address_name}\\"" "managementNetwork=\\"{managementNetwork}\\"" "numAdditionalNICs=\\"{numAdditionalNICs}\\"" "smart1CloudToken=\\"{smart1CloudToken}\\"" "name=\\"{name}\\"" "zone=\\"{zoneConfig}\\"" "region=\\"{region}\\"" "osVersion=\\"{osVersion}\\"" "MaintenanceModePassword=\\"{maintenanceMode}\\""' +''' + + +def make_nic(context, net_name, subnet, external_ip=False): + prop = context.properties + network_interface = { + 'kind': 'compute#networkInterface', + 'network': common.GlobalNetworkLink(prop['project'], net_name) + } + if subnet: + network_interface["subnetwork"] = common.MakeRegionalSubnetworkLink( + prop['project'], prop['zone'], subnet) + # add ephemeral public IP address + if external_ip: + network_interface["accessConfigs"] = \ + [make_access_config(name="external-nat")] + return network_interface + + +def 
create_nics(context): + prop = context.properties + firewall_rules = create_firewall_rules(context) + if firewall_rules: + prop['resources'].extend(firewall_rules) + networks = prop.setdefault('networks', ['default']) + subnetworks = prop.get('subnetworks', []) + nics = [] + for i in range(len(networks)): + name = networks[i] + subnet = '' + external_ip = prop.get('gatewayExternalIP') and i == 0 + if subnetworks and i < len(subnetworks) and subnetworks[i]: + subnet = subnetworks[i] + network_interface = make_nic(context, name, subnet, external_ip) + nics.append(network_interface) + return nics + + +def create_firewall_rules(context): + prop = context.properties + deployment = prop['deployment'] + network = prop.setdefault('networks', ['default'])[0] + firewall_rules = [] + protocols = ['Icmp', 'Udp', 'Tcp', 'Sctp', 'Esp'] + for protocol in protocols: + proto = protocol.lower() + source_ranges = prop.get(proto + 'SourceRanges', '') + protocol_enabled = prop.get('enable' + protocol, '') + if protocol_enabled and source_ranges: + firewall_rules.append(make_firewall_rule( + proto, source_ranges, deployment, network)) + return firewall_rules + + +def make_firewall_rule(protocol, source_ranges, deployment, net_name): + fw_rule_name = '%s-%s-%s' % (deployment[:34], net_name[:22], protocol) + ranges = [] + ranges_list = source_ranges.split(',') + for source_range in ranges_list: + ranges.append(source_range.replace(" ", "")) + firewall_rule = { + 'type': default.FIREWALL, + 'name': fw_rule_name, + 'properties': { + 'network': 'global/networks/' + net_name, + 'sourceRanges': ranges, + 'targetTags': [GATEWAY], + 'allowed': [{'IPProtocol': protocol}] + } + } + return firewall_rule + + +def create_instance_template(context, + name, + nics, + depends_on=None, + gw_version=VERSIONS['R81.20-GW']): + if 'gw' in gw_version: + license_name = "{}-{}".format(LICENSE, LICENCE_TYPE) + else: + license_name = LICENSE + family = '-'.join(['check-point', gw_version, license_name]) + 
formatter = common.DefaultFormatter() + instance_template_name = common.AutoName(name, default.TEMPLATE) + instance_template = { + "type": default.TEMPLATE, + "name": instance_template_name, + 'metadata': { + 'dependsOn': depends_on + }, + "properties": { + "project": context.properties['project'], + "properties": { + "canIpForward": True, + "disks": [{"autoDelete": True, + "boot": True, + "deviceName": common.set_name_and_truncate( + context.properties['deployment'], + '-{}-boot'.format(name)), + "index": 0, + "initializeParams": { + "diskType": + context.properties['diskType'], + "diskSizeGb": + context.properties['bootDiskSizeGb'], + "sourceImage": + 'projects/%s/global/images/%s' % ( + PROJECT, images.IMAGES[family]) + }, + "kind": 'compute#attachedDisk', + "mode": "READ_WRITE", + "type": "PERSISTENT"}], + "machineType": context.properties['machineType'], + "networkInterfaces": nics, + 'metadata': { + "kind": 'compute#metadata', + 'items': [ + { + 'key': 'startup-script', + 'value': formatter.format( + startup_script, **context.properties) + }, + { + 'key': 'serial-port-enable', + 'value': 'true' + } + ]}, + "scheduling": { + "automaticRestart": True, + "onHostMaintenance": "MIGRATE", + "preemptible": False + }, + "serviceAccounts": [ + { + "email": "default", + "scopes": [ + "https://www.googleapis.com/" + + "auth/devstorage.read_only", + "https://www.googleapis.com/auth/logging.write", + "https://www.googleapis.com/auth/monitoring.write", + "https://www.googleapis.com/auth/pubsub", + "https://www.googleapis.com/" + + "auth/service.management.readonly", + "https://www.googleapis.com/auth/servicecontrol", + "https://www.googleapis.com/auth/trace.append" + ] + }], + "tags": { + "items": [ + 'x-chkp-management--{}'. + format(context.properties['managementName']), + 'x-chkp-template--{}'. 
+ format(context.properties['AutoProvTemplate']), + 'checkpoint-gateway' + ] + } + } + } + } + tagItems = instance_template['properties']['properties']['tags']['items'] + if context.properties['mgmtNIC'] == 'Ephemeral Public IP (eth0)': + tagItems.append("x-chkp-ip-address--public") + tagItems.append("x-chkp-management-interface--eth0") + elif context.properties['mgmtNIC'] == 'Private IP (eth1)': + tagItems.append("x-chkp-ip-address--private") + tagItems.append("x-chkp-management-interface--eth1") + if context.properties['networkDefinedByRoutes']: + tagItems.append("x-chkp-topology-eth1--internal") + tagItems.append("x-chkp-topology-settings-eth1" + "--network-defined-by-routes") + metadata = instance_template['properties']['properties']['metadata'] + if 'instanceSSHKey' in context.properties: + metadata['items'].append( + { + 'key': 'instanceSSHKey', + 'value': context.properties['instanceSSHKey'] + } + ) + passwd = '' + if context.properties['generatePassword']: + passwd = password.GeneratePassword(12, False) + metadata['items'].append( + { + 'key': 'adminPasswordSourceMetadata', + 'value': passwd + } + ) + return instance_template, passwd + + +def GenerateAutscaledGroup(context, name, + instance_template, depends_on=None): + prop = context.properties + igm_name = common.AutoName(name, default.IGM) + depends_on = depends_on + resource = { + 'name': igm_name, + 'metadata': { + 'dependsOn': depends_on + }, + 'type': default.REGION_IGM, + 'properties': { + 'region': common.ZoneToRegion(prop.get("zone")), + 'baseInstanceName': name, + 'instanceTemplate': '$(ref.' 
+ instance_template + '.selfLink)', + 'targetSize': prop.get("minInstances"), + # 'autoHealingPolicies': [{ + # 'initialDelaySec': 60 + # }] + } + } + return resource + + +def CreateAutscaler(context, name, + igm, cpu_usage, depends_on=None): + prop = context.properties + autoscaler_name = common.AutoName(name, default.AUTOSCALER) + depends_on = depends_on + cpu_usage = float(cpu_usage) / 100 + resource = { + 'name': autoscaler_name, + 'metadata': { + 'dependsOn': depends_on + }, + 'type': default.REGION_AUTOSCALER, + 'properties': { + 'target': '$(ref.' + igm + '.selfLink)', + 'region': common.ZoneToRegion(prop.get("zone")), + 'autoscalingPolicy': { + 'minNumReplicas': int(prop.get("minInstances")), + 'maxNumReplicas': int(prop.get("maxInstances")), + 'cpuUtilization': { + 'utilizationTarget': cpu_usage + }, + 'coolDownPeriodSec': 90 + } + } + } + return resource + + +def make_access_config(name=None): + access_config = { + 'type': default.ONE_NAT, + "kind": 'compute#accessConfig' + } + if name: + access_config['name'] = name + return access_config + + +def validate_region(test_zone, valid_region): + test_region = common.ZoneToRegion(test_zone) + if test_region != valid_region: + err_msg = '{} is in region {}. All subnets must be ' + \ + 'in the same region ({})' + raise common.Error( + err_msg.format(test_zone, test_region, valid_region) + ) + + +@common.FormatErrorsDec +def generate_config(context): + # This method will: + # 1. Create a instance template for a security GW + # (with a tag for the managing security server) + # 2. Create a managed instance group + # (based on the instance template and zones list provided by the user) + # 3. 
Configure autoscaling + # (based on min, max & policy settings provided by the user) + prop = context.properties + prop['deployment'] = context.env['deployment'] + prop['project'] = context.env['project'] + prop['templateName'] = TEMPLATE_NAME + prop['templateVersion'] = TEMPLATE_VERSION + prop['allowUploadDownload'] = str(prop['allowUploadDownload']).lower() + prop['hasInternet'] = 'true' # via Google Private Access + prop['installationType'] = 'AutoScale' + prop['resources'] = [] + prop['outputs'] = [] + prop['gw_dependencies'] = [] + prop['computed_sic_key'] = password.GeneratePassword(12, False) + prop['gatewayExternalIP'] = (prop['mgmtNIC'] == + 'Ephemeral Public IP (eth0)') + version_chosen = prop['autoscalingVersion'].split(' ')[0] + "-GW" + prop['osVersion'] = prop['autoscalingVersion'].split(' ')[0].replace( + ".", "") + nics = create_nics(context) + gw_template, passwd = create_instance_template(context, + prop['deployment'], + nics, + depends_on=prop[ + 'gw_dependencies'], + gw_version=VERSIONS[ + version_chosen]) + prop['resources'] += [gw_template] + prop['igm_dependencies'] = [gw_template['name']] + igm = GenerateAutscaledGroup(context, + prop['deployment'], + gw_template['name'], + prop['igm_dependencies']) + prop['resources'] += [igm] + prop['autoscaler_dependencies'] = [igm['name']] + cpu_usage = prop.get("cpuUsage") + autoscaler = CreateAutscaler(context, + prop['deployment'], + igm['name'], + cpu_usage, + prop['autoscaler_dependencies']) + prop['resources'] += [autoscaler] + prop['outputs'] += [ + { + 'name': 'deployment', + 'value': prop['deployment'] + }, + { + 'name': 'project', + 'value': prop['project'] + }, + { + 'name': 'instanceTemplateName', + 'value': gw_template['name'] + }, + { + 'name': 'InstanceTemplateLink', + 'value': common.Ref(gw_template['name']) + }, + { + 'name': 'IGMname', + 'value': igm['name'] + }, + { + 'name': 'IGMLink', + 'value': common.RefGroup(igm['name']) + }, + { + 'name': 'cpuUsagePercentage', + 'value': 
str(int(prop['cpuUsage'])) + '%' + }, + { + 'name': 'minInstancesInt', + 'value': str(int(prop['minInstances'])) + }, + { + 'name': 'maxInstancesInt', + 'value': str(int(prop['maxInstances'])) + }, + { + 'name': 'password', + 'value': passwd + } + ] + return common.MakeResource(prop['resources'], prop['outputs']) diff --git a/deprecated/gcp/R80.40-R81/autoscale-payg/check-point-autoscale--payg.py.schema b/deprecated/gcp/R80.40-R81/autoscale-payg/check-point-autoscale--payg.py.schema new file mode 100644 index 00000000..b3ab0980 --- /dev/null +++ b/deprecated/gcp/R80.40-R81/autoscale-payg/check-point-autoscale--payg.py.schema 
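Review bot: In `create_instance_template` the freshly generated admin password and the SIC key are written in plaintext into instance-template metadata (`adminPasswordSourceMetadata`, plus `computed_sic_key`, `sicKey` and `maintenanceMode` interpolated into the `startup-script` item) and the password is also exported as the `password` deployment output; instance metadata is not a secret store (it is readable through the compute API and from the metadata server on the VM) and DM outputs persist in the deployment manifest. The hunk should at least say so where the item is appended, e.g. `# NOTE: plaintext credential in instance metadata; readable by anyone with compute read access and from the VM metadata server — rotate on first login`, and note that `password.GeneratePassword` (earlier in this patch) draws from the non-cryptographic `random` module. `'serial-port-enable': 'true'` is also hard-coded for every gateway instance; exposing the serial console is a hardening exception that deserves a why-comment or a property defaulting to false. Separately, `GenerateAutscaledGroup` and `CreateAutscaler` carry the no-op line `depends_on = depends_on`, which can simply be dropped.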
@@ -0,0 +1,215 @@ +imports: + - path: check-point-autoscale--payg.py + +info: + version: 1.0 + title: Check Point CloudGuard Network Security Autoscaling - PAYG Template + +required: + - autoscalingVersion + - networks + - zone + - machineType + - cpuUsage + - minInstances + - maxInstances + - diskType + - bootDiskSizeGb + - managementName + - AutoProvTemplate + - allowUploadDownload + - networkDefinedByRoutes + - shell + - enableMonitoring + - generatePassword + +properties: + zone: + type: string + default: us-central1-a + x-googleProperty: + type: GCE_ZONE + networks: + type: array + default: [default, default1] + minItems: 2 + maxItems: 2 + x-googleProperty: + type: GCE_NETWORK + gceNetwork: + labels: + - External + - Internal + allowSharedVpcs: True + machineTypeProperty: machineType + subnetworks: + type: array + minItems: 2 + maxItems: 2 + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: networks + mgmtNIC: + type: string + default: Ephemeral Public IP (eth0) + enum: + - Ephemeral Public IP (eth0) + - Private IP (eth1) + enableIcmp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: networks + icmpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: enableIcmp + enableTcp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: networks + tcpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: enableTcp + enableUdp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: networks + udpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: enableUdp + enableSctp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: 
networks + sctpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: enableSctp + enableEsp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: networks + espSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: enableEsp + machineType: + type: string + default: n1-standard-4 + x-googleProperty: + type: GCE_MACHINE_TYPE + zoneProperty: zone + gceMachineType: + minCpu: 2 + minRamGb: 1.843000054359436 + cpuUsage: + type: integer + minimum: 10 + maximum: 90 + default: 60 + minInstances: + type: integer + minimum: 1 + maximum: 16384 + default: 2 + maxInstances: + type: integer + minimum: 1 + maximum: 32768 + default: 10 + instanceSSHKey: + type: string + pattern: ^([0-9a-z\-]+ +[0-9A-Za-z/\+=]+( .*)?|)$ + default: '' + diskType: + type: string + default: pd-ssd + x-googleProperty: + type: GCE_DISK_TYPE + zoneProperty: zone + bootDiskSizeGb: + type: integer + default: 100 + minimum: 100 + maximum: 4096 + x-googleProperty: + type: GCE_DISK_SIZE + gceDiskSize: + diskTypeProperty: diskType + autoscalingVersion: + type: string + default: R81.20 Autoscaling + enum: + - R80.40 Autoscaling + - R81 Autoscaling + - R81.10 Autoscaling + - R81.20 Autoscaling + managementName: + type: string + default: 'checkpoint-management' + pattern: ^([ -~]+)$ + AutoProvTemplate: + type: string + default: 'gcp-asg-autoprov-tmplt' + pattern: ^([ -~]{1,30})$ + enableMonitoring: + type: boolean + default: False + networkDefinedByRoutes: + type: boolean + default: True + allowUploadDownload: + type: boolean + default: True + generatePassword: + type: boolean + default: False + maintenanceMode: + type: string + pattern: ^([a-z0-9A-Z.]{12,300}|)$ + default: '' + shell: + type: string + default: /etc/cli.sh + enum: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + +outputs: + deployment: + type: string + project: + 
type: string + password: + type: string \ No newline at end of file diff --git a/deprecated/gcp/R80.40-R81/autoscale-payg/common.py b/deprecated/gcp/R80.40-R81/autoscale-payg/common.py new file mode 100644 index 00000000..e123c502 --- /dev/null +++ b/deprecated/gcp/R80.40-R81/autoscale-payg/common.py 
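Review bot: The `autoscalingVersion` enum lists `R81 Autoscaling`, while the README added in this patch documents the value as `R81.00 Autoscaling`; `generate_config` builds its `VERSIONS` key from the first token of this string (`R81-GW` is the only matching entry), so the README's spelling would fail with a `KeyError`. Align the two spellings, and consider a comment on `minInstances`/`maxInstances` stating that the schema cannot enforce `minInstances <= maxInstances` (the ranges allow 16384 against 1), so the template should validate it.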
@@ -0,0 +1,262 @@ +# Copyright 2015 Google Inc. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +"""Generic simple functions used for python based template generation.""" + +import re +import sys +import traceback +import default +import string + +import yaml + +RFC1035_RE = re.compile(r'^[a-z][-a-z0-9]{1,61}[a-z0-9]{1}$') + + +class Error(Exception): + """Common exception wrapper for template exceptions.""" + pass + + +class DefaultFormatter(string.Formatter): + """Returns default instead of key error when looking for keys. + + Used for startup-script which contains params from multiple deployments + whiles keys from one deployment may not be set in another. 
+ """ + def __init__(self, default=''): + self.default = default + def get_value(self, key, args, dict): + if isinstance(key, str): + return dict.get(key, self.default) + else: + return string.Formatter.get_value(key, args, dict) + + +def set_name_and_truncate(primary, secondary, maxlength=62): + return '%s%s' % (primary[:maxlength - len(secondary)], secondary) + + +def AddDiskResourcesIfNeeded(context): + """Checks context if disk resources need to be added.""" + if default.DISK_RESOURCES in context.properties: + return context.properties[default.DISK_RESOURCES] + else: + return [] + + +def AutoName(base, resource, *args): + """Helper method to generate names automatically based on default.""" + auto_name = '%s-%s' % (base, '-'.join(list(args) + [default.AKA[resource]])) + if not RFC1035_RE.match(auto_name): + raise Error('"%s" name for type %s does not match RFC1035 regex (%s)' % + (auto_name, resource, RFC1035_RE.pattern)) + return auto_name + + +def AutoRef(base, resource, *args): + """Helper method that builds a reference for an auto-named resource.""" + return Ref(AutoName(base, resource, *args)) + + +def OrderedItems(dict_obj): + """Convenient method to yield sorted iteritems of a dictionary.""" + keys = list(dict_obj.keys()) + keys.sort() + for k in keys: + yield (k, dict_obj[k]) + + +def ShortenZoneName(zone): + """Given a string that looks like a zone name, creates a shorter version.""" + geo, coord, number, letter = re.findall(r'(\w+)-(\w+)(\d)-(\w)', zone)[0] + geo = geo.lower() if len(geo) == 2 else default.LOC[geo.lower()] + coord = default.LOC[coord.lower()] + number = str(number) + letter = letter.lower() + return geo + '-' + coord + number + letter + + +def ZoneToRegion(zone): + """Derives the region from a zone name.""" + parts = zone.split('-') + if len(parts) != 3: + raise Error('Cannot derive region from zone "%s"' % zone) + return '-'.join(parts[:2]) + + +def FormatException(message): + """Adds more information to the exception.""" + message = 
('Exception Type: %s\n' + 'Details: %s\n' + 'Message: %s\n') % (sys.exc_info()[0], + traceback.format_exc(), message) + return message + + +def Ref(name): + return '$(ref.%s.selfLink)' % name + + +def RefGroup(name): + return '$(ref.%s.instanceGroup)' % name + + +def GlobalComputeLink(project, collection, name): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/global/', + collection, '/', name]) + +def GlobalNetworkLink(project, network): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/global/', + default.NETWORKS, '/', network]) + + +def LocalComputeLink(project, zone, key, value): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/zones/', + zone, '/', key, '/', value]) + + +def ReadContext(context, prop_key): + return (context.env['project'], context.properties.get('zone', None), + context.properties[prop_key]) + + +def MakeLocalComputeLink(context, key, zone=None): + if not zone: + project, zone, value = ReadContext(context, key) + else: + project, _, value = ReadContext(context, key) + + if IsComputeLink(value): + return value + else: + return LocalComputeLink(project, zone, key + 's', value) + + +def MakeGlobalComputeLink(context, key): + project, _, value = ReadContext(context, key) + if IsComputeLink(value): + return value + else: + return GlobalComputeLink(project, key + 's', value) + +def MakeRegionalSubnetworkLink(project, zone, subnet): + region = ZoneToRegion(zone) + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/regions/', + region, '/subnetworks/', subnet]) + + +def MakeSubnetworkComputeLink(context, key): + project, zone, value = ReadContext(context, key) + region = ZoneToRegion(zone) + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/regions/', + region, '/subnetworks/', value]) + + +def MakeFQHN(context, name): + return '%s.c.%s.internal' % (name, context.env['project']) + + +# TODO(victorg): Consider moving this method to a different file +def 
MakeC2DImageLink(name, dev_mode=False): + if IsGlobalProjectShortcut(name) or name.startswith('http'): + return name + else: + if dev_mode: + return 'global/images/%s' % name + else: + return GlobalComputeLink(default.C2D_IMAGES, 'images', name) + + +def IsGlobalProjectShortcut(name): + return name.startswith('projects/') or name.startswith('global/') + + +def IsComputeLink(name): + return (name.startswith(default.COMPUTE_URL_BASE) or + name.startswith(default.REFERENCE_PREFIX)) + + +def GetNamesAndTypes(resources_dict): + return [(d['name'], d['type']) for d in resources_dict] + + +def SummarizeResources(res_dict): + """Summarizes the name of resources per resource type.""" + result = {} + for res in res_dict: + result.setdefault(res['type'], []).append(res['name']) + return result + + +def ListPropertyValuesOfType(res_dict, prop, res_type): + """Lists all the values for a property of a certain type.""" + return [r['properties'][prop] for r in res_dict if r['type'] == res_type] + + +def MakeResource(resource_list, output_list=None): + """Wrapper for a DM template basic spec.""" + content = {'resources': resource_list} + if output_list: + content['outputs'] = output_list + return yaml.dump(content) + + +def TakeZoneOut(properties): + """Given a properties dictionary, removes the zone specific information.""" + + def _CleanZoneUrl(value): + value = value.split('/')[-1] if IsComputeLink(value) else value + return value + + for name in default.VM_ZONE_PROPERTIES: + if name in properties: + properties[name] = _CleanZoneUrl(properties[name]) + if default.ZONE in properties: + properties.pop(default.ZONE) + if default.BOOTDISK in properties: + properties[default.BOOTDISK] = _CleanZoneUrl(properties[default.BOOTDISK]) + if default.DISKS in properties: + for disk in properties[default.DISKS]: + # Don't touch references to other disks + if default.DISK_SOURCE in disk: + continue + if default.INITIALIZEP in disk: + disk_init = disk[default.INITIALIZEP] + if default.DISKTYPE 
in disk_init: + disk_init[default.DISKTYPE] = _CleanZoneUrl(disk_init[default.DISKTYPE]) + + +def GenerateEmbeddableYaml(yaml_string): + # Because YAML is a space delimited format, we need to be careful about + # embedding one YAML document in another. This function takes in a string in + # YAML format and produces an equivalent YAML representation that can be + # inserted into arbitrary points of another YAML document. It does so by + # printing the YAML string in a single line format. Consistent ordering of + # the string is also guaranteed by using yaml.dump. + yaml_object = yaml.load(yaml_string) + dumped_yaml = yaml.dump(yaml_object, default_flow_style=True) + return dumped_yaml + + +def FormatErrorsDec(func): + """Decorator to format exceptions if they get raised.""" + + def FormatErrorsWrap(context): + try: + return func(context) + except Exception as e: + raise Error(FormatException(e.message)) + + return FormatErrorsWrap diff --git a/deprecated/gcp/R80.40-R81/autoscale-payg/config.yaml b/deprecated/gcp/R80.40-R81/autoscale-payg/config.yaml new file mode 100644 index 00000000..d0993a52 --- /dev/null +++ b/deprecated/gcp/R80.40-R81/autoscale-payg/config.yaml 
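Review bot: `FormatErrorsWrap` re-raises with `FormatException(e.message)`, but under Python 3 exceptions have no `.message` attribute, so every template error would surface as an `AttributeError` that hides the original cause; use `raise Error(FormatException(str(e))) from e`. `GenerateEmbeddableYaml` calls `yaml.load(yaml_string)` with no `Loader`, which on older PyYAML instantiates arbitrary tagged objects from the input and on PyYAML 6 raises a `TypeError`; `yaml.safe_load(yaml_string)` covers both cases. `DefaultFormatter.get_value` names its third parameter `dict`, shadowing the builtin; `kwargs` matches `string.Formatter.get_value`'s own signature and reads better.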
@@ -0,0 +1,50 @@
+imports:
+- path: check-point-autoscale--payg.py
+- path: common.py
+- path: default.py
+- path: password.py
+- path: images.py
+
+resources:
+- name: check-point-autoscale--payg
+ type: check-point-autoscale--payg.py
+ properties:
+ autoscalingVersion: "PLEASE ENTER AUTOSCALE VERSION"
+ managementName: "PLEASE ENTER MANAGEMENT NAME"
+ AutoProvTemplate: "PLEASE ENTER AUTOPROVISION TEMPLATE NAME"
+ instanceSSHKey: "PLEASE ENTER A VALID PUBLIC KEY"
+ mgmtNIC: "PLEASE ENTER MANAGEMENT NIC TYPE"
+ networkDefinedByRoutes: "PLEASE ENTER true or false"
+ shell: "PLEASE ENTER A SHELL"
+ allowUploadDownload: "PLEASE ENTER true or false"
+ zone: "PLEASE ENTER A ZONE"
+ networks: "PLEASE ENTER A LIST OF EXTERNAL AND INTERNAL NETWORKS ID"
+ subnetworks: "PLEASE ENTER A LIST OF EXTERNAL AND INTERNAL SUBNETWORKS ID"
+ enableIcmp: "PLEASE ENTER true or false"
+ icmpSourceRanges: "PLEASE ENTER ICMP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ enableTcp: "PLEASE ENTER true or false"
+ tcpSourceRanges: "PLEASE ENTER TCP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ enableUdp: "PLEASE ENTER true or false"
+ udpSourceRanges: "PLEASE ENTER UDP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ enableSctp: "PLEASE ENTER true or false"
+ sctpSourceRanges: "PLEASE ENTER SCTP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ enableEsp: "PLEASE ENTER true or false"
+ espSourceRanges: "PLEASE ENTER ESP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ machineType: "PLEASE ENTER A MACHINE TYPE"
+ cpuUsage: "PLEASE ENTER CPU USAGE (%)"
+ minInstances: "PLEASE ENTER MINIMUM NUMBER OF INSTANCES"
+ maxInstances: "PLEASE ENTER MAXIMUM NUMBER OF INSTANCES"
+ diskType: "PLEASE ENTER A DISK TYPE"
+ bootDiskSizeGb: "PLEASE ENTER A DISK SIZE"
+ enableMonitoring: "PLEASE ENTER true or false"
+outputs:
+- name: "Deployment"
+ value: $(ref.check-point-autoscale--payg.deployment)
+- name: "Managed instance group"
+ value: $(ref.check-point-autoscale--payg.IGMLink)
+- name: "Minimum instances"
+ value: $(ref.check-point-autoscale--payg.minInstancesInt)
+- name: "Maximum instances"
+ value: $(ref.check-point-autoscale--payg.maxInstancesInt)
+- name: "Target CPU usage"
+ value: $(ref.check-point-autoscale--payg.cpuUsagePercentage)
\ No newline at end of file
diff --git a/deprecated/gcp/R80.40-R81/autoscale-payg/default.py b/deprecated/gcp/R80.40-R81/autoscale-payg/default.py
new file mode 100644
index 00000000..0c7dd919
--- /dev/null
+++ b/deprecated/gcp/R80.40-R81/autoscale-payg/default.py
@@ -0,0 +1,134 @@
+# Copyright 2015 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Convenience module to hold default constants for C2D components.
+
+There should not be any logic in this module. Its purpose is to simplify
+analysis of commonly used GCP and properties names and identify the names
+that were custom created for these modules.
+"""
+# Generic constants
+C2D_IMAGES = 'click-to-deploy-images'
+
+# URL constants
+COMPUTE_URL_BASE = 'https://www.googleapis.com/compute/v1/'
+
+# Deployment Manager constructs
+REFERENCE_PREFIX = '$(ref.'
+
+# Commonly used in properties namespace
+AUTO_DELETE = 'autoDelete'
+BOOTDISK = 'bootDiskType'
+BOOTDISKSIZE = 'bootDiskSizeGb'
+C_IMAGE = 'containerImage'
+DC_MANIFEST = 'dcManifest'
+DEPLOYMENT = 'DEPLOYMENT' # used in the deployment coordinator
+DISK_NAME = 'diskName'
+DISK_RESOURCES = 'addedDiskResources'
+DISK_SOURCE = 'source'
+ENDPOINT_NAME = 'serviceRegistryEndpointName'
+FIXED_GCLOUD = 'fixedGcloud'
+GENERATED_PROP = 'generatedProperties'
+INITIALIZEP = 'initializeParams'
+INSTANCE_NAME = 'instanceName'
+LOCAL_SSD = 'localSSDs'
+MAX_NUM = 'maxNumReplicas'
+NETWORKS = 'networks'
+NO_SCOPE = 'noScope'
+PROVIDE_BOOT = 'provideBoot'
+REPLICAS = 'replicas'
+SIZE = 'size'
+VM_COPIES = 'numberOfVMReplicas'
+ZONES = 'zones'
+
+# Common properties values (only official GCP values allowed here)
+EXTERNAL = 'External NAT'
+ONE_NAT = 'ONE_TO_ONE_NAT'
+
+# Common 1st level properties (only official GCP names allowed here)
+CAN_IP_FWD = 'canIpForward'
+CONTAINER = 'container'
+DCKRENV = 'dockerEnv'
+DCKRIMAGE = 'dockerImage'
+DEFAULT_SERVICE = 'defaultService'
+DEVICE_NAME = 'deviceName'
+DISKS = 'disks'
+DISK_SIZE = 'diskSizeGb'
+DISKTYPE = 'diskType'
+HEALTH_PATH = 'healthPath'
+HOST_RULES = 'hostRules'
+IP_PROTO = 'IPProtocol'
+MACHINETYPE = 'machineType'
+METADATA = 'metadata'
+NAME = 'name'
+NETWORK = 'network'
+NETWORKS = 'networks'
+SUBNETWORK = 'subnetwork'
+PATH_MATCHERS = 'pathMatchers'
+PORT = 'port'
+PROJECT = 'project'
+SERVICE = 'service'
+SERVICE_ACCOUNTS = 'serviceAccounts'
+SRCIMAGE = 'sourceImage'
+SRC_RANGES = 'sourceRanges'
+TAGS = 'tags'
+TYPE = 'type'
+VM_TEMPLATE = 'instanceTemplate'
+ZONE = 'zone'
+
+# Zone specfic VM properties
+VM_ZONE_PROPERTIES = [DISKTYPE, MACHINETYPE, BOOTDISK]
+
+# Resource type defaults names
+ADDRESS = 'compute.v1.address'
+AUTOSCALER = 'compute.v1.autoscaler'
+BACKEND_SERVICE = 'compute.v1.backendService'
+DISK = 'compute.v1.disk'
+ENDPOINT = 'serviceregistry.v1alpha.endpoint'
+FIREWALL = 'compute.v1.firewall'
+GF_RULE = 'compute.v1.globalForwardingRule'
+HEALTHCHECK = 'compute.v1.httpHealthCheck'
+IGM = 'compute.v1.instanceGroupManager'
+INSTANCE = 'compute.v1.instance'
+PROXY = 'compute.v1.targetHttpProxy'
+TEMPLATE = 'compute.v1.instanceTemplate'
+REGION_IGM = 'compute.v1.regionInstanceGroupManager'
+REGION_AUTOSCALER = 'compute.v1.regionAutoscaler'
+URL_MAP = 'compute.v1.urlMap'
+VPC='compute.v1.network'
+VPC_SUBNET='compute.v1.subnetwork'
+
+# Also Known As constants
+AKA = {
+ TEMPLATE: 'tmplt',
+ AUTOSCALER: 'as',
+ BACKEND_SERVICE: 'bes',
+ DISK: 'disk',
+ FIREWALL: 'fwall',
+ GF_RULE: 'ip',
+ HEALTHCHECK: 'hc',
+ INSTANCE: 'vm',
+ PROXY: 'tproxy',
+ IGM: 'igm',
+ URL_MAP: 'umap',
+}
+
+LOC = {
+ 'europe': 'eu',
+ 'asia': 'as',
+ 'central': 'c',
+ 'east': 'e',
+ 'west': 'w',
+ 'north': 'n',
+ 'south': 's',
+}
diff --git a/deprecated/gcp/R80.40-R81/autoscale-payg/images.py b/deprecated/gcp/R80.40-R81/autoscale-payg/images.py
new file mode 100644
index 00000000..7b04bee0
--- /dev/null
+++ b/deprecated/gcp/R80.40-R81/autoscale-payg/images.py
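Review bot: `NETWORKS = 'networks'` is assigned twice in this hunk, once under "Commonly used in properties namespace" and again under "Common 1st level properties (only official GCP names allowed here)", so the second assignment silently rebinds the first and a reader cannot tell which section the name belongs to (the module docstring says the sections exist precisely to tell custom names from official GCP ones). Keep a single definition, or rename the custom-namespace one, and fix the `# Zone specfic VM properties` typo while here. `VPC='compute.v1.network'` and `VPC_SUBNET='compute.v1.subnetwork'` also drop the spaces around `=` that every other constant in the file uses; `VPC = 'compute.v1.network'`.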
@@ -0,0 +1,34 @@
+IMAGES = {
+ "check-point-r8120-payg": "check-point-r8120-payg-631-991001560-v20240425",
+ "check-point-r8120-gw-payg-single": "check-point-r8120-gw-payg-single-631-991001560-v20240425",
+ "check-point-r8120-gw-payg-mig": "check-point-r8120-gw-payg-mig-631-991001560-v20240425",
+ "check-point-r8120-gw-payg-cluster": "check-point-r8120-gw-payg-cluster-631-991001560-v20240425",
+ "check-point-r8120-gw-byol-single": "check-point-r8120-gw-byol-single-631-991001560-v20240425",
+ "check-point-r8120-gw-byol-mig": "check-point-r8120-gw-byol-mig-631-991001560-v20240425",
+ "check-point-r8120-gw-byol-cluster": "check-point-r8120-gw-byol-cluster-631-991001560-v20240425",
+ "check-point-r8120-byol": "check-point-r8120-byol-631-991001560-v20240425",
+ "check-point-r8110-payg": "check-point-r8110-payg-335-991001560-v20240425",
+ "check-point-r8110-gw-payg-single": "check-point-r8110-gw-payg-single-335-991001560-v20240425",
+ "check-point-r8110-gw-payg-mig": "check-point-r8110-gw-payg-mig-335-991001560-v20240425",
+ "check-point-r8110-gw-payg-cluster": "check-point-r8110-gw-payg-cluster-335-991001560-v20240425",
+ "check-point-r8110-gw-byol-single": "check-point-r8110-gw-byol-single-335-991001560-v20240425",
+ "check-point-r8110-gw-byol-mig": "check-point-r8110-gw-byol-mig-335-991001560-v20240425",
+ "check-point-r8110-gw-byol-cluster": "check-point-r8110-gw-byol-cluster-335-991001560-v20240425",
+ "check-point-r8110-byol": "check-point-r8110-byol-335-991001560-v20240425",
+ "check-point-r81-payg": "check-point-r81-payg-392-991001560-v20240425",
+ "check-point-r81-gw-payg-single": "check-point-r81-gw-payg-single-392-991001560-v20240425",
+ "check-point-r81-gw-payg-mig": "check-point-r81-gw-payg-mig-392-991001560-v20240425",
+ "check-point-r81-gw-payg-cluster": "check-point-r81-gw-payg-cluster-392-991001560-v20240425",
+ "check-point-r81-gw-byol-single": "check-point-r81-gw-byol-single-392-991001560-v20240425",
+ "check-point-r81-gw-byol-mig": "check-point-r81-gw-byol-mig-392-991001560-v20240425",
+ "check-point-r81-gw-byol-cluster": "check-point-r81-gw-byol-cluster-392-991001560-v20240425",
+ "check-point-r81-byol": "check-point-r81-byol-392-991001560-v20240425",
+ "check-point-r8040-payg": "check-point-r8040-payg-294-991001560-v20240425",
+ "check-point-r8040-gw-payg-single": "check-point-r8040-gw-payg-single-294-991001564-v20240505",
+ "check-point-r8040-gw-payg-mig": "check-point-r8040-gw-payg-mig-294-991001564-v20240505",
+ "check-point-r8040-gw-payg-cluster": "check-point-r8040-gw-payg-cluster-294-991001564-v20240505",
+ "check-point-r8040-gw-byol-single": "check-point-r8040-gw-byol-single-294-991001564-v20240505",
+ "check-point-r8040-gw-byol-mig": "check-point-r8040-gw-byol-mig-294-991001564-v20240505",
+ "check-point-r8040-gw-byol-cluster": "check-point-r8040-gw-byol-cluster-294-991001564-v20240505",
+ "check-point-r8040-byol": "check-point-r8040-byol-294-991001560-v20240425"
+}
\ No newline at end of file
diff --git a/deprecated/gcp/R80.40-R81/autoscale-payg/password.py b/deprecated/gcp/R80.40-R81/autoscale-payg/password.py
new file mode 100644
index 00000000..273210a6
--- /dev/null
+++ b/deprecated/gcp/R80.40-R81/autoscale-payg/password.py
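Review bot: The six r80.40 gateway images in this table carry build `991001564-v20240505` while the r80.40 `payg`/`byol` entries carry `991001560-v20240425`, whereas every other version maps all eight variants to a single build; if the skew is intentional it deserves a comment such as `# r8040 gw images rebuilt 2024-05-05 (991001564); mgmt images unchanged`, otherwise one side is stale. This table is what pins the exact image pulled from the `checkpoint-public` project, so a one-line comment naming where the build numbers are taken from (release notes or the sk) would let the next bump be verified rather than copied.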
@@ -0,0 +1,135 @@ +# Copyright 2015 Google Inc. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +"""A DM template that generates password as an output, namely "password". + +An example YAML showing how this template can be used: + resources: + - name: generated-password + type: password.py + properties: + length: 8 + includeSymbols: true + - name: main-template + type: main-template.jinja + properties: + password: $(ref.generated-password.password) + +Input properties to this template: + - length: the length of the generated password. At least 8. Default 8. + - includeSymbols: true/false whether to include symbol chars. Default false. + +The generated password satisfies the following requirements: + - The length is as specified, + - Containing letters and numbers, and optionally symbols if specified, + - Starting with a letter, + - Containing characters from at least 3 of the 4 categories: uppercases, + lowercases, numbers, and symbols. + +""" + +import random +import yaml + +PROPERTY_LENGTH = 'length' +PROPERTY_INCLUDE_SYMBOLS = 'includeSymbols' + +# Note the omission of some hard to distinguish characters like I, l, 0, and O. +UPPERS = 'ABCDEFGHJKLMNPQRSTUVWXYZ' +LOWERS = 'abcdefghijkmnopqrstuvwxyz' +ALPHABET = UPPERS + LOWERS +DIGITS = '123456789' +ALPHANUMS = ALPHABET + DIGITS +# Including only symbols that can be passed around easily in shell scripts. +SYMBOLS = '*-+.' 
+ +CANDIDATES_WITH_SYMBOLS = ALPHANUMS + SYMBOLS +CANDIDATES_WITHOUT_SYMBOLS = ALPHANUMS + +CATEGORIES_WITH_SYMBOLS = [UPPERS, LOWERS, DIGITS, SYMBOLS] +CATEGORIES_WITHOUT_SYMBOLS = [UPPERS, LOWERS, DIGITS] + +MIN_LENGTH = 8 + + +class InputError(Exception): + """Raised when input properties are unexpected.""" + + +def GenerateConfig(context): + """Entry function to generate the DM config.""" + props = context.properties + length = props.setdefault(PROPERTY_LENGTH, MIN_LENGTH) + include_symbols = props.setdefault(PROPERTY_INCLUDE_SYMBOLS, False) + + if not isinstance(include_symbols, bool): + raise InputError('%s must be a boolean' % PROPERTY_INCLUDE_SYMBOLS) + + content = { + 'resources': [], + 'outputs': [{ + 'name': 'password', + 'value': GeneratePassword(length, include_symbols) + }] + } + return yaml.dump(content) + + +def GeneratePassword(length=8, include_symbols=False): + """Generates a random password.""" + if length < MIN_LENGTH: + raise InputError('Password length must be at least %d' % MIN_LENGTH) + + candidates = (CANDIDATES_WITH_SYMBOLS if include_symbols + else CANDIDATES_WITHOUT_SYMBOLS) + categories = (CATEGORIES_WITH_SYMBOLS if include_symbols + else CATEGORIES_WITHOUT_SYMBOLS) + + # Generates up to the specified length minus the number of categories. + # Then inserts one character for each category, ensuring that the character + # satisfy the category if the generated string hasn't already. + generated = ([random.choice(ALPHABET)] + + [random.choice(candidates) + for _ in range(length - 1 - len(categories))]) + for category in categories: + _InsertAndEnsureSatisfaction(generated, category, candidates) + return ''.join(generated) + + +def _InsertAndEnsureSatisfaction(generated, required, all_candidates): + """Inserts 1 char into generated, satisfying required if not already. + + If the required characters are not already in the generated string, one will + be inserted. 
If any required character is already in the generated string, a + random character from all_candidates will be inserted. The insertion happens + at a random location but not at the beginning. + + Args: + generated: the string to be modified. + required: list of required characters to check for. + all_candidates: list of characters to choose from if the required characters + are already satisfied. + """ + if set(generated).isdisjoint(required): + # Not yet satisfied. Insert a required candidate. + _InsertInto(generated, required) + else: + # Already satisfied. Insert any candidate. + _InsertInto(generated, all_candidates) + + +def _InsertInto(generated, candidates): + """Inserts a random candidate into a random non-zero index of generated.""" + # Avoids inserting at index 0, since the first character follows its own rule. + generated.insert(random.randint(1, len(generated) - 1), + random.choice(candidates)) diff --git a/deprecated/gcp/R80.40-R81/ha-byol/README.md b/deprecated/gcp/R80.40-R81/ha-byol/README.md new file mode 100644 index 00000000..f915c4b4 --- /dev/null +++ b/deprecated/gcp/R80.40-R81/ha-byol/README.md 
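Review bot: GeneratePassword and _InsertInto draw every character from the module-level `random` (Mersenne Twister), which the Python docs state is not suitable for security purposes, yet the result is emitted as an administrator password; the draws should come from `random.SystemRandom()` or the `secrets` module. A single module-level `_rng = random.SystemRandom()` with the four `random.choice`/`random.randint` calls switched to `_rng.` keeps the category-insertion algorithm intact. Separately, `length` is compared with `MIN_LENGTH` without a type check, so a quoted YAML value such as `"12"` raises a bare TypeError under Python 3 instead of the InputError the boolean check gives for `includeSymbols`; `if not isinstance(length, int): raise InputError('%s must be an integer' % PROPERTY_LENGTH)` beside that check would cover it. The docstring should also say that the password is returned as a Deployment Manager output, which presumably makes it readable to anyone who can view the deployment manifest.
```python
import random
import yaml

# The default `random` generator is not suitable for secrets; use the OS CSPRNG.
_rng = random.SystemRandom()

# … unchanged: character classes, InputError, GenerateConfig …

    generated = ([_rng.choice(ALPHABET)] +
                 [_rng.choice(candidates)
                  for _ in range(length - 1 - len(categories))])

# … unchanged: _InsertAndEnsureSatisfaction …

    generated.insert(_rng.randint(1, len(generated) - 1),
                     _rng.choice(candidates))
```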
@@ -0,0 +1,187 @@ +# GCP Deployment Manager package for Check Point High Availability BYOL solution +This directory contains CloudGuard IaaS deployment package for Check Point High Availability (BYOL) solution published in the [GCP Marketplace](https://console.cloud.google.com/marketplace/details/checkpoint-public/check-point-ha--byol). + +# How to deploy the package manually +To deploy the Deployment Manager's package manually, without using the GCP Marketplace, follow these instructions: +1. Clone or download the files in this directory +2. Fill variables in the config.yaml(see below for variables descriptions). +3. Log into [Google Cloud Platform Console](https://console.cloud.google.com) +4. [Activate Cloud Shell](https://cloud.google.com/shell/docs/using-cloud-shell) +5. Set your Cloud Platform project in the Cloud Shell session use: + + gcloud config set project [PROJECT_ID] +6. Upload the content of the CloudGuardIaaS/gcp/deployment-packages/ha-byol/ directory to the [cloud shell](https://cloud.google.com/shell/docs/uploading-and-downloading-files) +7. Launch deployment by running: + + gcloud deployment-manager deployments create [DEPLOYMENT_NAME] --config config.yaml +8. Make sure the deployment finished successfully.
Example of successful deployment output: + + The fingerprint of the deployment is CgwkIUxcTnI5_eZY1g9SFw== + Waiting for create [operation-1585150261645-5a1af8e42d0ba-6b3d4618-5856e790]...done. + Create operation operation-1585150261645-5a1af8e42d0ba-6b3d4618-5856e790 completed successfully. + NAME TYPE STATE ERRORS INTENT + cluster-cluster-network-icmp compute.v1.firewall COMPLETED [] + cluster-cluster-network-tcp compute.v1.firewall COMPLETED [] + cluster-config runtimeconfig.v1beta1.config COMPLETED [] + cluster-member-a compute.v1.instance COMPLETED [] + cluster-member-a-address compute.v1.address COMPLETED [] + cluster-member-b compute.v1.instance COMPLETED [] + cluster-member-b-address compute.v1.address COMPLETED [] + cluster-mgmt-network-esp compute.v1.firewall COMPLETED [] + cluster-mgmt-network-sctp compute.v1.firewall COMPLETED [] + cluster-primary-cluster-address compute.v1.address COMPLETED [] + cluster-secondary-cluster-address compute.v1.address COMPLETED [] + cluster-software runtimeconfig.v1beta1.waiter COMPLETED [] + OUTPUTS VALUE + Deployment cluster + Cluster IP external address 35.201.201.163 + Member A cluster-member-a + Member A external IP 104.199.168.141 + Member B cluster-member-b + Member B external IP 35.221.178.173 + +## config.yaml variables +| Name | Description | Type | Allowed values | +| ------------- | ------------- | ------------- | ------------- | +| **ha_version** | High Availability Version | string | R80.40 Cluster;
R81.00 Cluster;
R81.10 Cluster;
R81.20 Cluster; | +| | | | | | +| **zoneA** | Member A Zone. The zone determines what computing resources are available and where your data is stored and used | string | List of allowed [Regions and Zones](https://cloud.google.com/compute/docs/regions-zones?_ga=2.31926582.-962483654.1585043745) | +| | | | | | +| **zoneB** | Member B Zone | string | Must be in the same region as member A zone | +| | | | | | +| **machineType** | Machine types determine the specifications of your machines, such as the amount of memory, virtual cores, and persistent disk limits an instance will have | string | [Learn more about Machine Types](https://cloud.google.com/compute/docs/machine-types?hl=en_US&_ga=2.267871494.-962483654.1585043745) | +| | | | | | +| **managementNetwork** | Security Management Server address | string | The public address of the Security Management Server, in CIDR notation. If using Smart-1 Cloud insert 'S1C'. VPN peers addresses cannot be in this CIDR block, so this value cannot be the zero-address | +| | | | | | +| **cluster-network-cidr** | Cluster external subnet CIDR.
If the variable's value is not empty double quotes, a new network will be created.
The Cluster public IP will be translated to a private address assigned to the active member in this external network. | string | Specify an RFC 1918 CIDR block that does not overlap with your other networks to create a new network or select an existing one below | +| | | | | | +| **cluster-network-name** | Cluster external network ID. The network determines what network traffic the instance can access | string | Available network in the chosen zone | +| | | | | | +| **cluster-network-subnetwork-name** | Cluster subnet ID. Assigns the instance an IPv4 address from the subnetwork’s range.
If you have specified a CIDR block above, this subnetwork will not be used.
. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. | string | Available subnetwork in the chosen network | +| | | | | | +| **cluster-network_enableTcp** | Allow TCP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **cluster-network_tcpSourceRanges** | Allow TCP traffic from the Internet | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009 [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **cluster-network_enableIcmp** | Allow ICMP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **cluster-network_icmpSourceRanges** | Source IP ranges for ICMP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **cluster-network_enableUdp** | Allow UDP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **cluster-network_udpSourceRanges** | Source IP ranges for UDP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **cluster-network_enableSctp** | Allow SCTP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **cluster-network_sctpSourceRanges** | Source IP ranges for SCTP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **cluster-network_enableEsp** | Allow ESP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **cluster-network_espSourceRanges** | Source IP ranges for ESP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **mgmt-network-cidr** | Management external subnet CIDR.
If the variable's value is not empty double quotes, a new network will be created.
The public IP used to manage each member will be translated to a private address in this external network | string | Specify an RFC 1918 CIDR block that does not overlap with your other networks to create a new network or select an existing one below | +| | | | | | +| **mgmt-network-name** | Management network ID. The network determines what network traffic the instance can access | string | Available network in the chosen zone | +| | | | | | +| **mgmt-network-subnetwork-name** | Management subnet ID. Assigns the instance an IPv4 address from the subnetwork’s range.
If you have specified a CIDR block above, this subnetwork will not be used.
. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. | string | Available subnetwork in the chosen network | +| | | | | | +| **mgmt-network_enableTcp** | Allow TCP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **mgmt-network_tcpSourceRanges** | Allow TCP traffic from the Internet | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009 [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **mgmt-network_enableIcmp** | Allow ICMP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **mgmt-network_icmpSourceRanges** | Source IP ranges for ICMP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **mgmt-network_enableUdp** | Allow UDP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **mgmt-network_udpSourceRanges** | Source IP ranges for UDP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **mgmt-network_enableSctp** | Allow SCTP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **mgmt-network_sctpSourceRanges** | Source IP ranges for SCTP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **mgmt-network_enableEsp** | Allow ESP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **mgmt-network_espSourceRanges** | Source IP ranges for ESP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **diskType** | Disk type | string | pd-ssd;
pd-standard;
Storage space is much less expensive for a standard persistent disk. An SSD persistent disk is better for random IOPS or streaming throughput with low latency. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.66020774.-962483654.1585043745#overview_of_disk_types)| +| | | | | | +| **bootDiskSizeGb** | Disk size in GB | number | Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.232680471.-962483654.1585043745#pdperformance)| +| | | | | | +| **generatePassword** | Automatically generate an administrator password | boolean | true;
false; | +| | | | | | +| **allowUploadDownload** | Allow download from/upload to Check Point | boolean | true;
false; | +| | | | | | +| **enableMonitoring** | Enable Stackdriver monitoring | boolean | true;
false; | +| | | | | | +| **shell** | Admin shell | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh;
| +| | | | | | +| **deployWithPublicIPs** | Deploy HA with public IPs | boolean | true;
false; | +| | | | | | +| **instanceSSHKey** | Public SSH key for the user 'admin' | string | A valid public ssh key | +| | | | | | +| **smart1CloudTokenA** | Smart-1 Cloud token to connect ***member A*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal.| +| | | | | | +| **smart1CloudTokenB** | Smart-1 Cloud token to connect ***member B*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal.| +| | | | | | +| **sicKey** | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server | string | At least 8 alpha numeric characters.
If SIC is not provided and needed, a key will be automatically generated | +| | | | | | +| **numAdditionalNICs** | Number of additional network interfaces | number | A number in the range 0 - 6.
Multiple network interfaces deployment is described in [sk121637 - Deploy a CloudGuard for GCP with Multiple Network Interfaces](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk121637) | +| | | | | | +| **internal-network1-cidr** | 1st internal subnet CIDR.
If the variable's value is not empty double quotes, a new subnet will be created.
Assigns the cluster members an IPv4 address in this internal network | string | Specify an RFC 1918 CIDR block that does not overlap with your other networks to create a new network or select an existing one below | +| | | | | | +| **internal-network1-name** | 1st internal network ID. The network determines what network traffic the instance can access | string | Available network in the chosen zone | +| | | | | | +| **internal-network1-subnetwork-name** | 1st internal subnet ID. Assigns the instance an IPv4 address from the subnetwork’s range.
If you have specified a CIDR block above, this subnetwork will not be used.
Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. | string | Available subnetwork in the chosen network | +| | | | | | +## Example + ha_version: "R81.10 Cluster" + zoneA: "asia-east1-a" + zoneB: "asia-east1-a" + machineType: "n1-standard-4" + diskType: "pd-ssd" + bootDiskSizeGb: 100 + instanceSSHKey: "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" + smart1CloudTokenA: "xxxxxxxxxxxxxxxxxxxxxxxx" + smart1CloudTokenB: "xxxxxxxxxxxxxxxxxxxxxxxx" + enableMonitoring: false + managementNetwork: "209.87.209.100/32" + sicKey: "aaaaaaaa" + generatePassword: false + allowUploadDownload: false + shell: "/bin/bash" + deployWithPublicIPs: true + cluster-network-cidr: "10.0.1.0/24" + cluster-network-name: "external-vpc" + cluster-network-subnetwork-name: "frontend" + cluster-network_enableIcmp: true + cluster-network_icmpSourceRanges: "0.0.0.0/0" + cluster-network_enableTcp: true + cluster-network_tcpSourceRanges: "0.0.0.0/0" + cluster-network_enableUdp: false + cluster-network_udpSourceRanges: "" + cluster-network_enableSctp: false + cluster-network_sctpSourceRanges: "" + cluster-network_enableEsp: false + cluster-network_espSourceRanges: "" + mgmt-network-cidr: "10.0.2.0/24" + mgmt-network-name: "vpc-internal" + mgmt-network-subnetwork-name: "" + mgmt-network_enableIcmp: false + mgmt-network_icmpSourceRanges: "" + mgmt-network_enableTcp: false + mgmt-network_tcpSourceRanges: "" + mgmt-network_enableUdp: true + mgmt-network_udpSourceRanges: "0.0.0.0/0" + mgmt-network_enableSctp: true + mgmt-network_sctpSourceRanges: "0.0.0.0/0" + mgmt-network_enableEsp: true + mgmt-network_espSourceRanges: "0.0.0.0/0" + numInternalNetworks: 1 + internal-network1-cidr: "10.0.3.0/24" + internal-network1-name: "vpc-internal2" + internal-network1-subnetwork-name: "vpc-internal2" + +## Notes +See 
[sk147032](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk147032) for revision history
\ No newline at end of file
diff --git a/deprecated/gcp/R80.40-R81/ha-byol/c2d_deployment_configuration.json b/deprecated/gcp/R80.40-R81/ha-byol/c2d_deployment_configuration.json
new file mode 100644
index 00000000..5af767bf
--- /dev/null
+++ b/deprecated/gcp/R80.40-R81/ha-byol/c2d_deployment_configuration.json
@@ -0,0 +1,7 @@
+{
+ "defaultDeploymentType": "MULTI_VM",
+ "imageName": "check-point-r8120-gw-byol-cluster-631-991001475-v20231221",
+ "projectId": "checkpoint-public",
+ "templateName": "nonexistent_template",
+ "useSolutionPackage": "true"
+}
diff --git a/deprecated/gcp/R80.40-R81/ha-byol/check-point-cluster--byol.py b/deprecated/gcp/R80.40-R81/ha-byol/check-point-cluster--byol.py
new file mode 100644
index 00000000..61a2e521
--- /dev/null
+++ b/deprecated/gcp/R80.40-R81/ha-byol/check-point-cluster--byol.py
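Review bot: `imageName` pins `check-point-r8120-gw-byol-cluster-631-991001475-v20231221`, while the `images.py` added earlier in this patch maps the same r81.20 gw byol cluster family to `...-631-991001560-v20240425`, so a Marketplace launch and a manual `config.yaml` deployment of what is nominally the same package would presumably boot different gateway builds. If the Marketplace listing is deliberately held at the older image, the README should say so (JSON has no comment syntax); otherwise the two values should be aligned in the same commit. `"templateName": "nonexistent_template"` also reads as a placeholder; if it is intentional when `useSolutionPackage` is `"true"`, a sentence in the README stating that would save the next reader the same question.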
@@ -0,0 +1,494 @@ +# Copyright 2016 Check Point Software LTD. + +import common +import copy +import default +import images +import password + + +MAX_ADDITIONAL_NICS = 6 + +GATEWAY = 'checkpoint-gateway' + +PROJECT = 'checkpoint-public' +LICENSE = 'byol' +LICENCE_TYPE = 'cluster' + +VERSIONS = { + 'R80.40': 'r8040-gw', + 'R81': 'r81-gw', + 'R81.10': 'r8110-gw', + 'R81.20': 'r8120-gw' +} + +TEMPLATE_NAME = 'cluster' +TEMPLATE_VERSION = '20231221' + +CLUSTER_NET_FIELD = 'cluster-network' +MGMT_NET_FIELD = 'mgmt-network' +INTERNAL_NET_FIELD = 'internal-network{}' + +MGMT_NIC = 1 + +NO_PUBLIC_IP = 'no-public-ip' + +startup_script = ''' +#cloud-config +runcmd: + - 'python3 /etc/cloud_config.py "generatePassword=\\"{generatePassword}\\"" "allowUploadDownload=\\"{allowUploadDownload}\\"" "templateName=\\"{templateName}\\"" "templateVersion=\\"{templateVersion}\\"" "mgmtNIC=\\"{mgmtNIC}\\"" "hasInternet=\\"{hasInternet}\\"" "config_url=\\"{config_url}\\"" "config_path=\\"{config_path}\\"" "installationType=\\"{installationType}\\"" "enableMonitoring=\\"{enableMonitoring}\\"" "shell=\\"{shell}\\"" "computed_sic_key=\\"{computed_sic_key}\\"" "sicKey=\\"{sicKey}\\"" "managementGUIClientNetwork=\\"{managementGUIClientNetwork}\\"" "primary_cluster_address_name=\\"{primary_cluster_address_name}\\"" "secondary_cluster_address_name=\\"{secondary_cluster_address_name}\\"" "managementNetwork=\\"{managementNetwork}\\"" "numAdditionalNICs=\\"{numAdditionalNICs}\\"" "smart1CloudToken=\\"{smart1CloudToken}\\"" "name=\\"{name}\\"" "zone=\\"{zoneConfig}\\"" "region=\\"{region}\\"" "osVersion=\\"{osVersion}\\"" "MaintenanceModePassword=\\"{maintenanceMode}\\""' +''' + + +def make_gw(context, name, zone, nics, passwd=None, depends_on=None, + smart1cloudToken=None): + cg_version = context.properties['ha_version'].split(' ')[0] + if 'gw' in VERSIONS[cg_version]: + license_name = "{}-{}".format(LICENSE, LICENCE_TYPE) + else: + license_name = LICENSE + family = '-'.join(['check-point', 
VERSIONS[cg_version], license_name]) + formatter = common.DefaultFormatter() + + context.properties['smart1CloudToken'] = smart1cloudToken + context.properties['name'] = name + context.properties['zoneConfig'] = zone + context.properties['osVersion'] = cg_version.replace(".", "") + + gw = { + 'type': default.INSTANCE, + 'name': name, + 'metadata': { + 'dependsOn': depends_on + }, + 'properties': { + 'description': 'CloudGuard Highly Available Security Cluster', + 'zone': zone, + 'tags': { + 'items': [GATEWAY], + }, + 'machineType': common.MakeLocalComputeLink( + context, default.MACHINETYPE, zone), + 'canIpForward': True, + 'networkInterfaces': nics, + 'disks': [{ + 'autoDelete': True, + 'boot': True, + 'deviceName': common.set_name_and_truncate( + context.properties['deployment'], + '-{}-boot'.format(name)), + 'initializeParams': { + 'diskType': common.MakeLocalComputeLink( + context, default.DISKTYPE, zone), + 'diskSizeGb': context.properties['bootDiskSizeGb'], + 'sourceImage': + 'projects/%s/global/images/%s' % ( + PROJECT, images.IMAGES[family]), + }, + 'type': 'PERSISTENT', + }], + 'metadata': { + 'items': [ + { + 'key': 'startup-script', + 'value': formatter.format( + startup_script, **context.properties) + } + ] + }, + 'serviceAccounts': [{ + 'email': 'default', + 'scopes': [ + 'https://www.googleapis.com/auth/monitoring.write', + 'https://www.googleapis.com/auth/compute', + 'https://www.googleapis.com/auth/cloudruntimeconfig' + ], + }] + } + } + + if 'instanceSSHKey' in context.properties: + gw['properties']['metadata']['items'].append( + { + 'key': 'instanceSSHKey', + 'value': context.properties['instanceSSHKey'] + } + ) + + if passwd: + gw['properties']['metadata']['items'].append( + { + 'key': 'adminPasswordSourceMetadata', + 'value': passwd + } + ) + + return gw + + +def make_access_config(ip, name=None): + access_config = { + 'type': default.ONE_NAT, + 'natIP': ip + } + + if name: + access_config['name'] = name + + return access_config + + +def 
make_static_address(prop, name): + address = { + 'name': name, + 'type': default.ADDRESS, + 'properties': { + 'name': name, + 'region': prop['region'] + } + } + + return address + + +def create_external_addresses_if_needed( + prop, resources, member_a_nics, member_b_nics): + if not prop['deployWithPublicIPs']: + prop['primary_cluster_address_name'] = NO_PUBLIC_IP + prop['secondary_cluster_address_name'] = NO_PUBLIC_IP + else: + member_a_address_name = common.set_name_and_truncate( + prop['deployment'], '-member-a-address') + member_b_address_name = common.set_name_and_truncate( + prop['deployment'], '-member-b-address') + + prop['member_a_address_name'] = member_a_address_name + prop['member_b_address_name'] = member_b_address_name + + member_a_address = make_static_address(prop, member_a_address_name) + member_b_address = make_static_address(prop, member_b_address_name) + + resources += [member_a_address, member_b_address] + + member_a_nics[MGMT_NIC]['accessConfigs'] = [make_access_config( + '$(ref.{}.address)'.format(member_a_address_name))] + member_b_nics[MGMT_NIC]['accessConfigs'] = [make_access_config( + '$(ref.{}.address)'.format(member_b_address_name))] + + primary_cluster_address_name = common.set_name_and_truncate( + prop['deployment'], '-primary-cluster-address') + secondary_cluster_address_name = common.set_name_and_truncate( + prop['deployment'], '-secondary-cluster-address') + + primary_cluster_address = make_static_address( + prop, primary_cluster_address_name) + secondary_cluster_address = make_static_address( + prop, secondary_cluster_address_name) + + resources += [primary_cluster_address, secondary_cluster_address] + + prop['primary_cluster_address_name'] = primary_cluster_address_name + prop['secondary_cluster_address_name'] = secondary_cluster_address_name + + +def make_nic(prop, net_name, subnet_name): + network_interface = { + 'network': ''.join([default.COMPUTE_URL_BASE, 'projects/', + prop['project'], '/global/networks/', + net_name]), + 
'subnetwork': ''.join([default.COMPUTE_URL_BASE, 'projects/', + prop['project'], '/regions/', prop['region'], + '/subnetworks/', subnet_name]) + } + + return network_interface + + +def make_subnet(prop, name, net_name, cidr, private_google_access=False): + subnet = { + 'type': default.VPC_SUBNET, + 'name': name, + 'metadata': { + 'dependsOn': [net_name] + }, + 'properties': { + 'network': 'projects/{}/global' + '/networks/{}'.format(prop['project'], net_name), + 'region': prop['region'], + 'ipCidrRange': cidr, + 'privateIpGoogleAccess': private_google_access, + 'enableFlowLogs': False + } + } + + return subnet + + +def make_net(name): + net = { + 'type': default.VPC, + 'name': name, + 'properties': { + 'autoCreateSubnetworks': False + } + } + + return net + + +def get_or_create_net(prop, name, resources, gw_dependencies, + private_google_access=False, create_firewall=False): + net_cidr = prop.get(name + '-cidr') + + if net_cidr: + net_name = '{}-{}'.format(prop['deployment'][:20], name) + subnet_name = '{}-subnet'.format(net_name) + net = make_net(net_name) + subnet = make_subnet( + prop, subnet_name, net_name, net_cidr, private_google_access) + + resources += [net, subnet] + gw_dependencies.append(subnet_name) + else: + net_name = prop.get(name + '-name') + subnet_name = prop.get(name + '-subnetwork-name') + if not subnet_name: + raise common.Error( + 'Network {} is missing.'.format(net_name.split('-'))) + + if create_firewall: + firewall_rules = create_firewall_rules(prop, name, net_name, net_cidr) + if firewall_rules: + resources.extend(firewall_rules) + + return net_name, subnet_name + + +def create_firewall_rules(prop, net_prop_name, net_name, net_cidr): + deployment = prop['deployment'] + firewall_rules = [] + protocols = ['Icmp', 'Udp', 'Tcp', 'Sctp', 'Esp'] + for protocol in protocols: + proto = protocol.lower() + source_ranges = prop.get(net_prop_name + '_' + proto + + 'SourceRanges', '') + protocol_enabled = prop.get(net_prop_name + '_enable' + protocol, 
'') + if protocol_enabled and source_ranges: + firewall_rules.append( + make_firewall_rule(proto, source_ranges, deployment, + net_prop_name, net_name, net_cidr)) + + return firewall_rules + + +def make_firewall_rule(protocol, source_ranges, deployment, net_prop_name, + net_name, net_cidr): + fw_rule_name = '%s-%s-%s' % (deployment[:40], net_prop_name, protocol) + ranges_list = source_ranges.split(',') + ranges = [] + for source_range in ranges_list: + ranges.append(source_range.replace(" ", "")) + firewall_rule = { + 'type': default.FIREWALL, + 'name': fw_rule_name, + 'properties': { + 'network': 'global/networks/' + net_name, + 'sourceRanges': ranges, + 'targetTags': [GATEWAY], + 'allowed': [{'IPProtocol': protocol}], + } + } + + if net_cidr: + firewall_rule['metadata'] = { + 'dependsOn': [net_name] + } + + return firewall_rule + + +def add_readiness_waiter(prop, resources): + deployment_config = common.set_name_and_truncate( + prop['deployment'], '-config') + + prop['config_path'] = 'projects/{}/configs/{}'.format( + prop['project'], deployment_config) + prop['config_url'] = ( + 'https://runtimeconfig.googleapis.com/v1beta1/{}'.format( + prop['config_path'])) + + resources.append( + { + 'name': deployment_config, + 'type': 'runtimeconfig.v1beta1.config', + 'properties': { + 'config': deployment_config, + 'description': ( + 'Holds software readiness status ' + 'for deployment {}').format(prop['deployment']) + } + } + ) + + resources.append( + { + 'name': common.set_name_and_truncate( + prop['deployment'], '-software'), + 'type': 'runtimeconfig.v1beta1.waiter', + 'metadata': { + 'dependsOn': [], + }, + 'properties': { + 'parent': '$(ref.{}.name)'.format(deployment_config), + 'waiter': 'software', + 'timeout': '1800s', + 'success': { + 'cardinality': { + 'number': 2, + 'path': 'status/success', + }, + }, + 'failure': { + 'cardinality': { + 'number': 1, + 'path': 'status/failure', + }, + }, + }, + } + ) + + +def validate_same_region(zone_a, zone_b): + if not 
common.ZoneToRegion(zone_a) == common.ZoneToRegion(zone_b): + raise common.Error('Member A Zone ({}) and Member B Zone ({}) ' + 'are not in the same region'.format(zone_a, zone_b)) + + +def validate_both_tokens(token_a, token_b): + if (not token_a and token_b) or (not token_b and token_a) or \ + (token_a and token_a == token_b): + raise common.Error('To connect to Smart-1 Cloud, \ + you must provide two tokens (one per member)') + + +def validate_mgmt_network_if_required(token_a, mgmt_network): + if not token_a and mgmt_network == "S1C": + raise common.Error( + 'Public address of the Security Management Server is required') + + +@common.FormatErrorsDec +def generate_config(context): + prop = context.properties + + validate_same_region(prop['zoneA'], prop['zoneB']) + validate_both_tokens(prop['smart1CloudTokenA'], prop['smart1CloudTokenB']) + validate_mgmt_network_if_required( + prop['smart1CloudTokenA'], prop['managementNetwork']) + + prop['deployment'] = context.env['deployment'] + prop['project'] = context.env['project'] + prop['region'] = common.ZoneToRegion(prop['zoneA']) + prop['templateName'] = TEMPLATE_NAME + prop['templateVersion'] = TEMPLATE_VERSION + prop['allowUploadDownload'] = str(prop['allowUploadDownload']).lower() + prop['hasInternet'] = 'true' # via Google Private Access + prop['installationType'] = 'Cluster' + + resources = [] + outputs = [] + gw_dependencies = [] + member_a_nics = [] + + add_readiness_waiter(prop, resources) + + cluster_net_name, cluster_subnet_name = get_or_create_net( + prop, CLUSTER_NET_FIELD, resources, gw_dependencies, True, True) + member_a_nics.append(make_nic(prop, cluster_net_name, cluster_subnet_name)) + + mgmt_net_name, mgmt_subnet_name = get_or_create_net( + prop, MGMT_NET_FIELD, resources, gw_dependencies, False, True) + member_a_nics.append(make_nic(prop, mgmt_net_name, mgmt_subnet_name)) + + for ifnum in range(1, prop['numInternalNetworks'] + 1): + int_net_name, int_subnet_name = get_or_create_net( + prop, 
INTERNAL_NET_FIELD.format(ifnum), resources, + gw_dependencies) + member_a_nics.append(make_nic(prop, int_net_name, int_subnet_name)) + + member_b_nics = copy.deepcopy(member_a_nics) + + create_external_addresses_if_needed( + prop, resources, member_a_nics, member_b_nics) + + member_a_name = common.set_name_and_truncate( + prop['deployment'], '-member-a') + member_b_name = common.set_name_and_truncate( + prop['deployment'], '-member-b') + + if prop['generatePassword']: + passwd = password.GeneratePassword(12, False) + else: + passwd = '' + + member_a = make_gw(context, member_a_name, prop['zoneA'], + member_a_nics, passwd, gw_dependencies, + prop['smart1CloudTokenA']) + member_b = make_gw(context, member_b_name, prop['zoneB'], + member_b_nics, passwd, gw_dependencies, + prop['smart1CloudTokenB']) + + resources += [member_a, member_b] + + outputs += [ + { + 'name': 'deployment', + 'value': prop['deployment'] + }, + { + 'name': 'project', + 'value': prop['project'] + }, + { + 'name': 'vmAName', + 'value': member_a_name, + }, + { + 'name': 'vmASelfLink', + 'value': '$(ref.{}.selfLink)'.format(member_a_name), + }, + { + 'name': 'vmBName', + 'value': member_b_name, + }, + { + 'name': 'vmBSelfLink', + 'value': '$(ref.{}.selfLink)'.format(member_b_name), + }, + { + 'name': 'password', + 'value': passwd + } + ] + + if prop['deployWithPublicIPs']: + outputs += [ + { + 'name': 'clusterIP', + 'value': '$(ref.{}.address)'.format( + prop['primary_cluster_address_name']) + }, + { + 'name': 'vmAExternalIP', + 'value': '$(ref.{}.address)'.format( + prop['member_a_address_name']) + }, + { + 'name': 'vmBExternalIP', + 'value': '$(ref.{}.address)'.format( + prop['member_b_address_name']) + } + ] + + return common.MakeResource(resources, outputs) diff --git a/deprecated/gcp/R80.40-R81/ha-byol/check-point-cluster--byol.py.schema b/deprecated/gcp/R80.40-R81/ha-byol/check-point-cluster--byol.py.schema new file mode 100644 index 00000000..fcc01058 --- /dev/null 
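Review bot: In `get_or_create_net`, the fallback branch raises `common.Error('Network {} is missing.'.format(net_name.split('-')))`, but `net_name` comes from `prop.get(name + '-name')` and can be `None`, so a deployment that supplies neither a CIDR nor an existing network fails with an `AttributeError` from the `.split` instead of the intended message, and when it is a string the message prints a list; `if not net_name or not subnet_name:` followed by `raise common.Error('Network {} is missing.'.format(name))` is what the check is meant to do. On the secrets side, `make_gw` writes `sicKey`, `smart1CloudToken` and `maintenanceMode` into the `startup-script` metadata item and `generate_config` returns the generated admin password as the plain-text `password` output, both readable by anyone with read access to the instance or the deployment — a comment on `startup_script` saying so would help operators, and the schema in this commit leaves `smart1CloudTokenA`/`smart1CloudTokenB` without a `pattern` even though the value lands inside a double-quoted argument of the `runcmd` shell line. The `serviceAccounts` entry also attaches the default service account with the full `https://www.googleapis.com/auth/compute` scope; whether the image's failover logic needs more than address moves is not visible here, but a dedicated service account with a narrower role would be the least-privilege shape.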
+++ b/deprecated/gcp/R80.40-R81/ha-byol/check-point-cluster--byol.py.schema 
@@ -0,0 +1,400 @@ +imports: + - path: check-point-cluster--byol.py + +info: + version: 1.0 + title: Check Point CloudGuard Network Security Cluster - BYOL Template + +required: + - zoneA + - zoneB + - machineType + - diskType + - bootDiskSizeGb + - sicKey + - managementNetwork + - allowUploadDownload + - shell + - generatePassword + - enableMonitoring + - numInternalNetworks + +properties: + zoneA: + type: string + default: us-central1-a + x-googleProperty: + type: GCE_ZONE + zoneB: + type: string + default: us-central1-a + x-googleProperty: + type: GCE_ZONE + machineType: + type: string + default: n1-standard-4 + x-googleProperty: + type: GCE_MACHINE_TYPE + zoneProperty: zoneA + gceMachineType: + minCpu: 2 + minRamGb: 1.843000054359436 + deployWithPublicIPs: + type: boolean + default: True + instanceSSHKey: + type: string + pattern: ^([0-9a-z\-]+ +[0-9A-Za-z/\+=]+( .*)?|)$ + default: '' + smart1CloudTokenA: + type: string + default: '' + smart1CloudTokenB: + type: string + default: '' + diskType: + type: string + default: pd-ssd + x-googleProperty: + type: GCE_DISK_TYPE + zoneProperty: zoneA + bootDiskSizeGb: + type: integer + maximum: 1000 + default: 100 + minimum: 100 + x-googleProperty: + type: GCE_DISK_SIZE + gceDiskSize: + diskTypeProperty: diskType + ha_version: + type: string + default: R81.20 Cluster + enum: + - R80.40 Cluster + - R81 Cluster + - R81.10 Cluster + - R81.20 Cluster + enableMonitoring: + type: boolean + default: False + sicKey: + type: string + pattern: ^([a-z0-9A-Z]{8,30})$ + default: '' + managementNetwork: + type: string + default: '' + pattern: ^((?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2]))|(S1C)$ + generatePassword: + type: boolean + default: False + maintenanceMode: + type: string + pattern: ^([a-z0-9A-Z.]{12,300}|)$ + default: '' + allowUploadDownload: + type: boolean + default: False + shell: + type: string + default: /etc/cli.sh + enum: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + 
cluster-network-cidr: + type: string + default: '10.0.0.0/24' + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + cluster-network-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + cluster-network-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: cluster-network-name + cluster-network_enableIcmp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: cluster-network-name + cluster-network_icmpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: cluster-network_enableIcmp + cluster-network_enableTcp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: cluster-network-name + cluster-network_tcpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: cluster-network_enableTcp + cluster-network_enableUdp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: cluster-network-name + cluster-network_udpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: cluster-network_enableUdp + cluster-network_enableSctp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: cluster-network-name + cluster-network_sctpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: cluster-network_enableSctp + cluster-network_enableEsp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: cluster-network-name + cluster-network_espSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + 
firewallProperty: cluster-network_enableEsp + mgmt-network-cidr: + type: string + default: '10.0.1.0/24' + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + mgmt-network-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + mgmt-network-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: mgmt-network-name + mgmt-network_enableIcmp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: mgmt-network-name + mgmt-network_icmpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: mgmt-network_enableIcmp + mgmt-network_enableTcp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: mgmt-network-name + mgmt-network_tcpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: mgmt-network_enableTcp + mgmt-network_enableUdp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: mgmt-network-name + mgmt-network_udpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: mgmt-network_enableUdp + mgmt-network_enableSctp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: mgmt-network-name + mgmt-network_sctpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: mgmt-network_enableSctp + mgmt-network_enableEsp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: mgmt-network-name + mgmt-network_espSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: 
mgmt-network_enableEsp + numInternalNetworks: + type: integer + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + minimum: 1 + maximum: 6 + default: 1 + internal-network1-cidr: + type: string + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + default: '10.0.2.0/24' + internal-network1-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + internal-network1-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: internal-network1-name + internal-network2-cidr: + type: string + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + default: '' + internal-network2-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + internal-network2-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: internal-network2-name + internal-network3-cidr: + type: string + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + default: '' + internal-network3-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + internal-network3-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: internal-network3-name + internal-network4-cidr: + type: string + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + default: '' + internal-network4-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + internal-network4-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: internal-network4-name + internal-network5-cidr: + type: string + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + default: 
'' + internal-network5-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + internal-network5-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: internal-network5-name + internal-network6-cidr: + type: string + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + default: '' + internal-network6-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + internal-network6-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: internal-network6-name + +outputs: + deployment: + type: string + project: + type: string + clusterIP: + type: string + vmAName: + type: string + vmAExternalIP: + type: string + vmASelfLink: + type: string + vmBName: + type: string + vmBExternalIP: + type: string + vmBSelfLink: + type: string + password: + type: string + ha_version: + type: string diff --git a/deprecated/gcp/R80.40-R81/ha-byol/common.py b/deprecated/gcp/R80.40-R81/ha-byol/common.py new file mode 100644 index 00000000..e123c502 --- /dev/null +++ b/deprecated/gcp/R80.40-R81/ha-byol/common.py 
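Review bot: The `pattern` for `managementNetwork` (`^((?!0\.0\.0\.0/0)…)|(S1C)$`) and for every `*-cidr` property (`^(?!0\.0\.0\.0/0)…/(…)|$`) is mis-anchored: `|` binds looser than `^`/`$`, so the CIDR branch is anchored only at the start and the `S1C` / empty branch only at the end, letting trailing or leading junk through (and, for the `|$` form under search semantics, any value at all). Wrapping the whole alternation the way the `instanceSSHKey` pattern in this hunk already does restores the intent: `^((?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|)$` for the CIDRs and `^((?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|S1C)$` for `managementNetwork`. `smart1CloudTokenA` and `smart1CloudTokenB` have no `pattern` at all although the template interpolates them into the instance startup-script command line, so a restrictive character class is worth adding there too.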
@@ -0,0 +1,262 @@ +# Copyright 2015 Google Inc. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +"""Generic simple functions used for python based template generation.""" + +import re +import sys +import traceback +import default +import string + +import yaml + +RFC1035_RE = re.compile(r'^[a-z][-a-z0-9]{1,61}[a-z0-9]{1}$') + + +class Error(Exception): + """Common exception wrapper for template exceptions.""" + pass + + +class DefaultFormatter(string.Formatter): + """Returns default instead of key error when looking for keys. + + Used for startup-script which contains params from multiple deployments + whiles keys from one deployment may not be set in another. 
+ """ + def __init__(self, default=''): + self.default = default + def get_value(self, key, args, dict): + if isinstance(key, str): + return dict.get(key, self.default) + else: + return string.Formatter.get_value(key, args, dict) + + +def set_name_and_truncate(primary, secondary, maxlength=62): + return '%s%s' % (primary[:maxlength - len(secondary)], secondary) + + +def AddDiskResourcesIfNeeded(context): + """Checks context if disk resources need to be added.""" + if default.DISK_RESOURCES in context.properties: + return context.properties[default.DISK_RESOURCES] + else: + return [] + + +def AutoName(base, resource, *args): + """Helper method to generate names automatically based on default.""" + auto_name = '%s-%s' % (base, '-'.join(list(args) + [default.AKA[resource]])) + if not RFC1035_RE.match(auto_name): + raise Error('"%s" name for type %s does not match RFC1035 regex (%s)' % + (auto_name, resource, RFC1035_RE.pattern)) + return auto_name + + +def AutoRef(base, resource, *args): + """Helper method that builds a reference for an auto-named resource.""" + return Ref(AutoName(base, resource, *args)) + + +def OrderedItems(dict_obj): + """Convenient method to yield sorted iteritems of a dictionary.""" + keys = list(dict_obj.keys()) + keys.sort() + for k in keys: + yield (k, dict_obj[k]) + + +def ShortenZoneName(zone): + """Given a string that looks like a zone name, creates a shorter version.""" + geo, coord, number, letter = re.findall(r'(\w+)-(\w+)(\d)-(\w)', zone)[0] + geo = geo.lower() if len(geo) == 2 else default.LOC[geo.lower()] + coord = default.LOC[coord.lower()] + number = str(number) + letter = letter.lower() + return geo + '-' + coord + number + letter + + +def ZoneToRegion(zone): + """Derives the region from a zone name.""" + parts = zone.split('-') + if len(parts) != 3: + raise Error('Cannot derive region from zone "%s"' % zone) + return '-'.join(parts[:2]) + + +def FormatException(message): + """Adds more information to the exception.""" + message = 
('Exception Type: %s\n' + 'Details: %s\n' + 'Message: %s\n') % (sys.exc_info()[0], + traceback.format_exc(), message) + return message + + +def Ref(name): + return '$(ref.%s.selfLink)' % name + + +def RefGroup(name): + return '$(ref.%s.instanceGroup)' % name + + +def GlobalComputeLink(project, collection, name): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/global/', + collection, '/', name]) + +def GlobalNetworkLink(project, network): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/global/', + default.NETWORKS, '/', network]) + + +def LocalComputeLink(project, zone, key, value): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/zones/', + zone, '/', key, '/', value]) + + +def ReadContext(context, prop_key): + return (context.env['project'], context.properties.get('zone', None), + context.properties[prop_key]) + + +def MakeLocalComputeLink(context, key, zone=None): + if not zone: + project, zone, value = ReadContext(context, key) + else: + project, _, value = ReadContext(context, key) + + if IsComputeLink(value): + return value + else: + return LocalComputeLink(project, zone, key + 's', value) + + +def MakeGlobalComputeLink(context, key): + project, _, value = ReadContext(context, key) + if IsComputeLink(value): + return value + else: + return GlobalComputeLink(project, key + 's', value) + +def MakeRegionalSubnetworkLink(project, zone, subnet): + region = ZoneToRegion(zone) + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/regions/', + region, '/subnetworks/', subnet]) + + +def MakeSubnetworkComputeLink(context, key): + project, zone, value = ReadContext(context, key) + region = ZoneToRegion(zone) + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/regions/', + region, '/subnetworks/', value]) + + +def MakeFQHN(context, name): + return '%s.c.%s.internal' % (name, context.env['project']) + + +# TODO(victorg): Consider moving this method to a different file +def 
MakeC2DImageLink(name, dev_mode=False): + if IsGlobalProjectShortcut(name) or name.startswith('http'): + return name + else: + if dev_mode: + return 'global/images/%s' % name + else: + return GlobalComputeLink(default.C2D_IMAGES, 'images', name) + + +def IsGlobalProjectShortcut(name): + return name.startswith('projects/') or name.startswith('global/') + + +def IsComputeLink(name): + return (name.startswith(default.COMPUTE_URL_BASE) or + name.startswith(default.REFERENCE_PREFIX)) + + +def GetNamesAndTypes(resources_dict): + return [(d['name'], d['type']) for d in resources_dict] + + +def SummarizeResources(res_dict): + """Summarizes the name of resources per resource type.""" + result = {} + for res in res_dict: + result.setdefault(res['type'], []).append(res['name']) + return result + + +def ListPropertyValuesOfType(res_dict, prop, res_type): + """Lists all the values for a property of a certain type.""" + return [r['properties'][prop] for r in res_dict if r['type'] == res_type] + + +def MakeResource(resource_list, output_list=None): + """Wrapper for a DM template basic spec.""" + content = {'resources': resource_list} + if output_list: + content['outputs'] = output_list + return yaml.dump(content) + + +def TakeZoneOut(properties): + """Given a properties dictionary, removes the zone specific information.""" + + def _CleanZoneUrl(value): + value = value.split('/')[-1] if IsComputeLink(value) else value + return value + + for name in default.VM_ZONE_PROPERTIES: + if name in properties: + properties[name] = _CleanZoneUrl(properties[name]) + if default.ZONE in properties: + properties.pop(default.ZONE) + if default.BOOTDISK in properties: + properties[default.BOOTDISK] = _CleanZoneUrl(properties[default.BOOTDISK]) + if default.DISKS in properties: + for disk in properties[default.DISKS]: + # Don't touch references to other disks + if default.DISK_SOURCE in disk: + continue + if default.INITIALIZEP in disk: + disk_init = disk[default.INITIALIZEP] + if default.DISKTYPE 
in disk_init: + disk_init[default.DISKTYPE] = _CleanZoneUrl(disk_init[default.DISKTYPE]) + + +def GenerateEmbeddableYaml(yaml_string): + # Because YAML is a space delimited format, we need to be careful about + # embedding one YAML document in another. This function takes in a string in + # YAML format and produces an equivalent YAML representation that can be + # inserted into arbitrary points of another YAML document. It does so by + # printing the YAML string in a single line format. Consistent ordering of + # the string is also guaranteed by using yaml.dump. + yaml_object = yaml.load(yaml_string) + dumped_yaml = yaml.dump(yaml_object, default_flow_style=True) + return dumped_yaml + + +def FormatErrorsDec(func): + """Decorator to format exceptions if they get raised.""" + + def FormatErrorsWrap(context): + try: + return func(context) + except Exception as e: + raise Error(FormatException(e.message)) + + return FormatErrorsWrap diff --git a/deprecated/gcp/R80.40-R81/ha-byol/config.yaml b/deprecated/gcp/R80.40-R81/ha-byol/config.yaml new file mode 100644 index 00000000..e8012a71 --- /dev/null +++ b/deprecated/gcp/R80.40-R81/ha-byol/config.yaml 
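Review bot: `FormatErrorsWrap` reads `e.message`, which Python 3 exceptions do not have (the rest of this hunk is Python 3 code — `isinstance(key, str)`, `list(dict_obj.keys())`), so any failure inside the decorated `generate_config` surfaces as an `AttributeError` raised from the handler instead of the formatted `Error`; `raise Error(FormatException(str(e))) from e` gives the intended message and keeps the cause. `GenerateEmbeddableYaml` calls `yaml.load(yaml_string)` without a `Loader`, which is a `TypeError` on PyYAML 6 and on older releases selects the full loader that can construct arbitrary Python objects from the document; `yaml_object = yaml.safe_load(yaml_string)` is sufficient for the plain mappings this helper re-dumps. Minor: `DefaultFormatter.get_value(self, key, args, dict)` shadows the `dict` builtin — `kwargs` reads better.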
@@ -0,0 +1,73 @@
+imports:
+- path: check-point-cluster--byol.py
+- path: common.py
+- path: default.py
+- path: password.py
+- path: images.py
+
+resources:
+- name: check-point-cluster--byol
+ type: check-point-cluster--byol.py
+ properties:
+ ha_version: "PLEASE ENTER HA VERSION"
+ zoneA: "PLEASE ENTER ZONE A"
+ zoneB: "PLEASE ENTER ZONE B. MUST BE IN THE SAME REGION AS MEMBER A ZONE"
+ machineType: "PLEASE ENTER A MACHINE TYPE"
+ diskType: "PLEASE ENTER A DISK TYPE"
+ #To connect to Smart-1 Cloud you must provide two valid tokens (one per member)
+ smart1CloudTokenA: "PLEASE ENTER A TOKEN TO CONNECT TO SMART-1 CLOUD FOR MEMBER A OR LEAVE EMPTY DOUBLE QUOTES"
+ smart1CloudTokenB: "PLEASE ENTER A TOKEN TO CONNECT TO SMART-1 CLOUD FOR MEMBER B OR LEAVE EMPTY DOUBLE QUOTES"
+ bootDiskSizeGb: "PLEASE ENTER A DISK SIZE"
+ instanceSSHKey: "PLEASE ENTER A VALID PUBLIC KEY"
+ enableMonitoring: "PLEASE ENTER true or false"
+ managementNetwork: "PLEASE ENTER MANAGEMENT IP, if using Smart-1 Cloud insert 'S1C'"
+ sicKey: "PLEASE ENTER A SIC KEY"
+ generatePassword: "PLEASE ENTER true or false"
+ allowUploadDownload: "PLEASE ENTER true or false"
+ shell: "PLEASE ENTER A SHELL"
+ deployWithPublicIPs: "PLEASE ENTER true or false"
+ cluster-network-cidr: "PLEASE ENTER CLUSTER NETWORK CIDR"
+ cluster-network-name: "PLEASE ENTER CLUSTER NETWORK ID"
+ cluster-network-subnetwork-name: "PLEASE ENTER CLUSTER SUBNETWORK ID"
+ cluster-network_enableIcmp: "PLEASE ENTER true or false"
+ cluster-network_icmpSourceRanges: "PLEASE ENTER ICMP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ cluster-network_enableTcp: "PLEASE ENTER true or false"
+ cluster-network_tcpSourceRanges: "PLEASE ENTER TCP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ cluster-network_enableUdp: "PLEASE ENTER true or false"
+ cluster-network_udpSourceRanges: "PLEASE ENTER UDP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ cluster-network_enableSctp: "PLEASE ENTER true or false"
+ cluster-network_sctpSourceRanges: "PLEASE ENTER SCTP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ cluster-network_enableEsp: "PLEASE ENTER true or false"
+ cluster-network_espSourceRanges: "PLEASE ENTER ESP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ mgmt-network-cidr: "PLEASE ENTER MANAGEMENT NETWORK CIDR"
+ mgmt-network-name: "PLEASE ENTER MANAGEMENT NETWORK ID"
+ mgmt-network-subnetwork-name: "PLEASE ENTER MANAGEMENT SUBNETWORK ID"
+ mgmt-network_enableIcmp: "PLEASE ENTER true or false"
+ mgmt-network_icmpSourceRanges: "PLEASE ENTER ICMP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ mgmt-network_enableTcp: "PLEASE ENTER true or false"
+ mgmt-network_tcpSourceRanges: "PLEASE ENTER TCP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ mgmt-network_enableUdp: "PLEASE ENTER true or false"
+ mgmt-network_udpSourceRanges: "PLEASE ENTER UDP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ mgmt-network_enableSctp: "PLEASE ENTER true or false"
+ mgmt-network_sctpSourceRanges: "PLEASE ENTER SCTP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ mgmt-network_enableEsp: "PLEASE ENTER true or false"
+ mgmt-network_espSourceRanges: "PLEASE ENTER ESP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ #Define additional NICs networks and subnetworks according the defined numAdditionalNICs value
+ #If there is no need in additional NICs remove additionalNetwork1 and additionalSubnetwork1 variables
+ numInternalNetworks: "PLEASE ENTER A NUMBER OF ADDITIONAL NICS"
+ internal-network1-cidr: "PLEASE ENTER 1ST INTERNAL NETWORK CIDR"
+ internal-network1-name: "PLEASE ENTER 1ST INTERNAL NETWORK ID"
+ internal-network1-subnetwork-name: "PLEASE ENTER INTERNAL SUBNETWORK ID"
+outputs:
+- name: "Deployment"
+ value: $(ref.check-point-cluster--byol.deployment)
+- name: "Cluster IP external address"
+ value: $(ref.check-point-cluster--byol.clusterIP)
+- name: "Member A"
+ value: $(ref.check-point-cluster--byol.vmAName)
+- name: "Member A external IP"
+ value: $(ref.check-point-cluster--byol.vmAExternalIP)
+- name: "Member B"
+ value: $(ref.check-point-cluster--byol.vmBName)
+- name: "Member B external IP"
+ value: $(ref.check-point-cluster--byol.vmBExternalIP)
\ No newline at end of file
diff --git a/deprecated/gcp/R80.40-R81/ha-byol/default.py b/deprecated/gcp/R80.40-R81/ha-byol/default.py
new file mode 100644
index 00000000..0c7dd919
--- /dev/null
+++ b/deprecated/gcp/R80.40-R81/ha-byol/default.py
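Review bot: The two comment lines above `numInternalNetworks` name keys that do not exist in this file: they refer to `numAdditionalNICs`, `additionalNetwork1` and `additionalSubnetwork1`, while the keys that follow are `numInternalNetworks`, `internal-network1-cidr`, `internal-network1-name` and `internal-network1-subnetwork-name`. A user following the comment literally would look for variables to remove that are not there. Which property name the template itself reads cannot be confirmed from this hunk, so at minimum the comment should match the keys it sits above, e.g. `#Define additional internal networks and subnetworks according to the numInternalNetworks value` and `#If no additional NICs are needed, remove the internal-network1-* variables`.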
@@ -0,0 +1,134 @@
+# Copyright 2015 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Convenience module to hold default constants for C2D components.
+
+There should not be any logic in this module. Its purpose is to simplify
+analysis of commonly used GCP and properties names and identify the names
+that were custom created for these modules.
+"""
+# Generic constants
+C2D_IMAGES = 'click-to-deploy-images'
+
+# URL constants
+COMPUTE_URL_BASE = 'https://www.googleapis.com/compute/v1/'
+
+# Deployment Manager constructs
+REFERENCE_PREFIX = '$(ref.'
+
+# Commonly used in properties namespace
+AUTO_DELETE = 'autoDelete'
+BOOTDISK = 'bootDiskType'
+BOOTDISKSIZE = 'bootDiskSizeGb'
+C_IMAGE = 'containerImage'
+DC_MANIFEST = 'dcManifest'
+DEPLOYMENT = 'DEPLOYMENT' # used in the deployment coordinator
+DISK_NAME = 'diskName'
+DISK_RESOURCES = 'addedDiskResources'
+DISK_SOURCE = 'source'
+ENDPOINT_NAME = 'serviceRegistryEndpointName'
+FIXED_GCLOUD = 'fixedGcloud'
+GENERATED_PROP = 'generatedProperties'
+INITIALIZEP = 'initializeParams'
+INSTANCE_NAME = 'instanceName'
+LOCAL_SSD = 'localSSDs'
+MAX_NUM = 'maxNumReplicas'
+NETWORKS = 'networks'
+NO_SCOPE = 'noScope'
+PROVIDE_BOOT = 'provideBoot'
+REPLICAS = 'replicas'
+SIZE = 'size'
+VM_COPIES = 'numberOfVMReplicas'
+ZONES = 'zones'
+
+# Common properties values (only official GCP values allowed here)
+EXTERNAL = 'External NAT'
+ONE_NAT = 'ONE_TO_ONE_NAT'
+
+# Common 1st level properties (only official GCP names allowed here)
+CAN_IP_FWD = 'canIpForward'
+CONTAINER = 'container'
+DCKRENV = 'dockerEnv'
+DCKRIMAGE = 'dockerImage'
+DEFAULT_SERVICE = 'defaultService'
+DEVICE_NAME = 'deviceName'
+DISKS = 'disks'
+DISK_SIZE = 'diskSizeGb'
+DISKTYPE = 'diskType'
+HEALTH_PATH = 'healthPath'
+HOST_RULES = 'hostRules'
+IP_PROTO = 'IPProtocol'
+MACHINETYPE = 'machineType'
+METADATA = 'metadata'
+NAME = 'name'
+NETWORK = 'network'
+NETWORKS = 'networks'
+SUBNETWORK = 'subnetwork'
+PATH_MATCHERS = 'pathMatchers'
+PORT = 'port'
+PROJECT = 'project'
+SERVICE = 'service'
+SERVICE_ACCOUNTS = 'serviceAccounts'
+SRCIMAGE = 'sourceImage'
+SRC_RANGES = 'sourceRanges'
+TAGS = 'tags'
+TYPE = 'type'
+VM_TEMPLATE = 'instanceTemplate'
+ZONE = 'zone'
+
+# Zone specfic VM properties
+VM_ZONE_PROPERTIES = [DISKTYPE, MACHINETYPE, BOOTDISK]
+
+# Resource type defaults names
+ADDRESS = 'compute.v1.address'
+AUTOSCALER = 'compute.v1.autoscaler'
+BACKEND_SERVICE = 'compute.v1.backendService'
+DISK = 'compute.v1.disk'
+ENDPOINT = 'serviceregistry.v1alpha.endpoint'
+FIREWALL = 'compute.v1.firewall'
+GF_RULE = 'compute.v1.globalForwardingRule'
+HEALTHCHECK = 'compute.v1.httpHealthCheck'
+IGM = 'compute.v1.instanceGroupManager'
+INSTANCE = 'compute.v1.instance'
+PROXY = 'compute.v1.targetHttpProxy'
+TEMPLATE = 'compute.v1.instanceTemplate'
+REGION_IGM = 'compute.v1.regionInstanceGroupManager'
+REGION_AUTOSCALER = 'compute.v1.regionAutoscaler'
+URL_MAP = 'compute.v1.urlMap'
+VPC='compute.v1.network'
+VPC_SUBNET='compute.v1.subnetwork'
+
+# Also Known As constants
+AKA = {
+ TEMPLATE: 'tmplt',
+ AUTOSCALER: 'as',
+ BACKEND_SERVICE: 'bes',
+ DISK: 'disk',
+ FIREWALL: 'fwall',
+ GF_RULE: 'ip',
+ HEALTHCHECK: 'hc',
+ INSTANCE: 'vm',
+ PROXY: 'tproxy',
+ IGM: 'igm',
+ URL_MAP: 'umap',
+}
+
+LOC = {
+ 'europe': 'eu',
+ 'asia': 'as',
+ 'central': 'c',
+ 'east': 'e',
+ 'west': 'w',
+ 'north': 'n',
+ 'south': 's',
+}
diff --git a/deprecated/gcp/R80.40-R81/ha-byol/images.py b/deprecated/gcp/R80.40-R81/ha-byol/images.py
new file mode 100644
index 00000000..7b04bee0
--- /dev/null
+++ b/deprecated/gcp/R80.40-R81/ha-byol/images.py
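Review bot: `NETWORKS = 'networks'` is defined twice, once under "Commonly used in properties namespace" and again under "Common 1st level properties"; the second assignment rebinds the first to the same value, so nothing breaks, but one of them should be dropped so the module keeps a single name per property. As a point of style, `VPC='compute.v1.network'` and `VPC_SUBNET='compute.v1.subnetwork'` are the only constants in the file without spaces around `=`; writing them `VPC = 'compute.v1.network'` and `VPC_SUBNET = 'compute.v1.subnetwork'` matches the rest. Neither of those two added resource types has an entry in `AKA`, which may be intentional since only the original types are abbreviated there, but it is worth stating in a comment if so.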
@@ -0,0 +1,34 @@
+IMAGES = {
+ "check-point-r8120-payg": "check-point-r8120-payg-631-991001560-v20240425",
+ "check-point-r8120-gw-payg-single": "check-point-r8120-gw-payg-single-631-991001560-v20240425",
+ "check-point-r8120-gw-payg-mig": "check-point-r8120-gw-payg-mig-631-991001560-v20240425",
+ "check-point-r8120-gw-payg-cluster": "check-point-r8120-gw-payg-cluster-631-991001560-v20240425",
+ "check-point-r8120-gw-byol-single": "check-point-r8120-gw-byol-single-631-991001560-v20240425",
+ "check-point-r8120-gw-byol-mig": "check-point-r8120-gw-byol-mig-631-991001560-v20240425",
+ "check-point-r8120-gw-byol-cluster": "check-point-r8120-gw-byol-cluster-631-991001560-v20240425",
+ "check-point-r8120-byol": "check-point-r8120-byol-631-991001560-v20240425",
+ "check-point-r8110-payg": "check-point-r8110-payg-335-991001560-v20240425",
+ "check-point-r8110-gw-payg-single": "check-point-r8110-gw-payg-single-335-991001560-v20240425",
+ "check-point-r8110-gw-payg-mig": "check-point-r8110-gw-payg-mig-335-991001560-v20240425",
+ "check-point-r8110-gw-payg-cluster": "check-point-r8110-gw-payg-cluster-335-991001560-v20240425",
+ "check-point-r8110-gw-byol-single": "check-point-r8110-gw-byol-single-335-991001560-v20240425",
+ "check-point-r8110-gw-byol-mig": "check-point-r8110-gw-byol-mig-335-991001560-v20240425",
+ "check-point-r8110-gw-byol-cluster": "check-point-r8110-gw-byol-cluster-335-991001560-v20240425",
+ "check-point-r8110-byol": "check-point-r8110-byol-335-991001560-v20240425",
+ "check-point-r81-payg": "check-point-r81-payg-392-991001560-v20240425",
+ "check-point-r81-gw-payg-single": "check-point-r81-gw-payg-single-392-991001560-v20240425",
+ "check-point-r81-gw-payg-mig": "check-point-r81-gw-payg-mig-392-991001560-v20240425",
+ "check-point-r81-gw-payg-cluster": "check-point-r81-gw-payg-cluster-392-991001560-v20240425",
+ "check-point-r81-gw-byol-single": "check-point-r81-gw-byol-single-392-991001560-v20240425",
+ "check-point-r81-gw-byol-mig": "check-point-r81-gw-byol-mig-392-991001560-v20240425",
+ "check-point-r81-gw-byol-cluster": "check-point-r81-gw-byol-cluster-392-991001560-v20240425",
+ "check-point-r81-byol": "check-point-r81-byol-392-991001560-v20240425",
+ "check-point-r8040-payg": "check-point-r8040-payg-294-991001560-v20240425",
+ "check-point-r8040-gw-payg-single": "check-point-r8040-gw-payg-single-294-991001564-v20240505",
+ "check-point-r8040-gw-payg-mig": "check-point-r8040-gw-payg-mig-294-991001564-v20240505",
+ "check-point-r8040-gw-payg-cluster": "check-point-r8040-gw-payg-cluster-294-991001564-v20240505",
+ "check-point-r8040-gw-byol-single": "check-point-r8040-gw-byol-single-294-991001564-v20240505",
+ "check-point-r8040-gw-byol-mig": "check-point-r8040-gw-byol-mig-294-991001564-v20240505",
+ "check-point-r8040-gw-byol-cluster": "check-point-r8040-gw-byol-cluster-294-991001564-v20240505",
+ "check-point-r8040-byol": "check-point-r8040-byol-294-991001560-v20240425"
+}
\ No newline at end of file
diff --git a/deprecated/gcp/R80.40-R81/ha-byol/password.py b/deprecated/gcp/R80.40-R81/ha-byol/password.py
new file mode 100644
index 00000000..273210a6
--- /dev/null
+++ b/deprecated/gcp/R80.40-R81/ha-byol/password.py
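Review bot: Within the r8040 family the six `-gw-` entries point at build `294-991001564-v20240505` while `check-point-r8040-payg` and `check-point-r8040-byol` stay on `294-991001560-v20240425`; every other version in the table uses one build string across all eight variants. This may be a deliberate per-family republish, but if the two base images were simply not updated it is worth confirming before the listing is relied on. A short comment above the r8040 block stating which it is, e.g. `# r8040 gateway images were rebuilt on 2024-05-05; base images unchanged`, would stop the next reader from asking the same question. The file also ends without a trailing newline, which the diff marks and some tooling flags.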
@@ -0,0 +1,135 @@
+# Copyright 2015 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""A DM template that generates password as an output, namely "password".
+
+An example YAML showing how this template can be used:
+ resources:
+ - name: generated-password
+ type: password.py
+ properties:
+ length: 8
+ includeSymbols: true
+ - name: main-template
+ type: main-template.jinja
+ properties:
+ password: $(ref.generated-password.password)
+
+Input properties to this template:
+ - length: the length of the generated password. At least 8. Default 8.
+ - includeSymbols: true/false whether to include symbol chars. Default false.
+
+The generated password satisfies the following requirements:
+ - The length is as specified,
+ - Containing letters and numbers, and optionally symbols if specified,
+ - Starting with a letter,
+ - Containing characters from at least 3 of the 4 categories: uppercases,
+ lowercases, numbers, and symbols.
+
+"""
+
+import random
+import yaml
+
+PROPERTY_LENGTH = 'length'
+PROPERTY_INCLUDE_SYMBOLS = 'includeSymbols'
+
+# Note the omission of some hard to distinguish characters like I, l, 0, and O.
+UPPERS = 'ABCDEFGHJKLMNPQRSTUVWXYZ'
+LOWERS = 'abcdefghijkmnopqrstuvwxyz'
+ALPHABET = UPPERS + LOWERS
+DIGITS = '123456789'
+ALPHANUMS = ALPHABET + DIGITS
+# Including only symbols that can be passed around easily in shell scripts.
+SYMBOLS = '*-+.'
+
+CANDIDATES_WITH_SYMBOLS = ALPHANUMS + SYMBOLS
+CANDIDATES_WITHOUT_SYMBOLS = ALPHANUMS
+
+CATEGORIES_WITH_SYMBOLS = [UPPERS, LOWERS, DIGITS, SYMBOLS]
+CATEGORIES_WITHOUT_SYMBOLS = [UPPERS, LOWERS, DIGITS]
+
+MIN_LENGTH = 8
+
+
+class InputError(Exception):
+ """Raised when input properties are unexpected."""
+
+
+def GenerateConfig(context):
+ """Entry function to generate the DM config."""
+ props = context.properties
+ length = props.setdefault(PROPERTY_LENGTH, MIN_LENGTH)
+ include_symbols = props.setdefault(PROPERTY_INCLUDE_SYMBOLS, False)
+
+ if not isinstance(include_symbols, bool):
+ raise InputError('%s must be a boolean' % PROPERTY_INCLUDE_SYMBOLS)
+
+ content = {
+ 'resources': [],
+ 'outputs': [{
+ 'name': 'password',
+ 'value': GeneratePassword(length, include_symbols)
+ }]
+ }
+ return yaml.dump(content)
+
+
+def GeneratePassword(length=8, include_symbols=False):
+ """Generates a random password."""
+ if length < MIN_LENGTH:
+ raise InputError('Password length must be at least %d' % MIN_LENGTH)
+
+ candidates = (CANDIDATES_WITH_SYMBOLS if include_symbols
+ else CANDIDATES_WITHOUT_SYMBOLS)
+ categories = (CATEGORIES_WITH_SYMBOLS if include_symbols
+ else CATEGORIES_WITHOUT_SYMBOLS)
+
+ # Generates up to the specified length minus the number of categories.
+ # Then inserts one character for each category, ensuring that the character
+ # satisfy the category if the generated string hasn't already.
+ generated = ([random.choice(ALPHABET)] +
+ [random.choice(candidates)
+ for _ in range(length - 1 - len(categories))])
+ for category in categories:
+ _InsertAndEnsureSatisfaction(generated, category, candidates)
+ return ''.join(generated)
+
+
+def _InsertAndEnsureSatisfaction(generated, required, all_candidates):
+ """Inserts 1 char into generated, satisfying required if not already.
+
+ If the required characters are not already in the generated string, one will
+ be inserted. If any required character is already in the generated string, a
+ random character from all_candidates will be inserted. The insertion happens
+ at a random location but not at the beginning.
+
+ Args:
+ generated: the string to be modified.
+ required: list of required characters to check for.
+ all_candidates: list of characters to choose from if the required characters
+ are already satisfied.
+ """
+ if set(generated).isdisjoint(required):
+ # Not yet satisfied. Insert a required candidate.
+ _InsertInto(generated, required)
+ else:
+ # Already satisfied. Insert any candidate.
+ _InsertInto(generated, all_candidates)
+
+
+def _InsertInto(generated, candidates):
+ """Inserts a random candidate into a random non-zero index of generated."""
+ # Avoids inserting at index 0, since the first character follows its own rule.
+ generated.insert(random.randint(1, len(generated) - 1),
+ random.choice(candidates))
diff --git a/deprecated/gcp/R80.40-R81/ha-payg/README.md b/deprecated/gcp/R80.40-R81/ha-payg/README.md
new file mode 100644
index 00000000..4f8405cd
--- /dev/null
+++ b/deprecated/gcp/R80.40-R81/ha-payg/README.md
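Review bot: `GeneratePassword` and `_InsertInto` draw every character from the `random` module, a Mersenne Twister PRNG that is not designed for credentials, yet the result is exported as the deployment output `password`. The stdlib `secrets` module offers the same call shape: replace `import random` with `import secrets`, `random.choice(...)` with `secrets.choice(...)` in both functions, and `random.randint(1, len(generated) - 1)` with `secrets.randbelow(len(generated) - 1) + 1`, which keeps the same inclusive 1..len-1 index range and so preserves the "never index 0" rule. A smaller point: `length` is only compared against `MIN_LENGTH`, so a non-integer such as the string "8" from YAML fails with a TypeError on Python 3 instead of the `InputError` the docstring promises; an `isinstance(length, int)` check beside the existing `includeSymbols` check in `GenerateConfig` would close that.
```python
def GeneratePassword(length=8, include_symbols=False):
    # … unchanged: docstring, MIN_LENGTH check, candidates/categories selection, comments …
    generated = ([secrets.choice(ALPHABET)] +
                 [secrets.choice(candidates)
                  for _ in range(length - 1 - len(categories))])
    # … unchanged: category insertion loop and return …


def _InsertInto(generated, candidates):
    # … unchanged: docstring and comment …
    generated.insert(secrets.randbelow(len(generated) - 1) + 1,
                     secrets.choice(candidates))
```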
@@ -0,0 +1,187 @@ +# GCP Deployment Manager package for Check Point High Availability PAYG solution +This directory contains CloudGuard IaaS deployment package for Check Point High Availability (PAYG) solution published in the [GCP Marketplace](https://console.cloud.google.com/marketplace/details/checkpoint-public/check-point-ha--ngtp). + +# How to deploy the package manually +To deploy the Deployment Manager's package manually, without using the GCP Marketplace, follow these instructions: +1. Clone or download the files in this directory +2. Fill variables in the config.yaml(see below for variables descriptions). +3. Log into [Google Cloud Platform Console](https://console.cloud.google.com) +4. [Activate Cloud Shell](https://cloud.google.com/shell/docs/using-cloud-shell) +5. Set your Cloud Platform project in the Cloud Shell session use: + + gcloud config set project [PROJECT_ID] +6. Upload the content of the CloudGuardIaaS/gcp/deployment-packages/ha-payg/ directory to the [cloud shell](https://cloud.google.com/shell/docs/uploading-and-downloading-files) +7. Launch deployment by running: + + gcloud deployment-manager deployments create [DEPLOYMENT_NAME] --config config.yaml +8. Make sure the deployment finished successfully.
Example of successful deployment output: + + The fingerprint of the deployment is CgwkIUxcTnI5_eZY1g9SFw== + Waiting for create [operation-1585150261645-5a1af8e42d0ba-6b3d4618-5856e790]...done. + Create operation operation-1585150261645-5a1af8e42d0ba-6b3d4618-5856e790 completed successfully. + NAME TYPE STATE ERRORS INTENT + cluster-cluster-network-icmp compute.v1.firewall COMPLETED [] + cluster-cluster-network-tcp compute.v1.firewall COMPLETED [] + cluster-config runtimeconfig.v1beta1.config COMPLETED [] + cluster-member-a compute.v1.instance COMPLETED [] + cluster-member-a-address compute.v1.address COMPLETED [] + cluster-member-b compute.v1.instance COMPLETED [] + cluster-member-b-address compute.v1.address COMPLETED [] + cluster-mgmt-network-esp compute.v1.firewall COMPLETED [] + cluster-mgmt-network-sctp compute.v1.firewall COMPLETED [] + cluster-primary-cluster-address compute.v1.address COMPLETED [] + cluster-secondary-cluster-address compute.v1.address COMPLETED [] + cluster-software runtimeconfig.v1beta1.waiter COMPLETED [] + OUTPUTS VALUE + Deployment cluster + Cluster IP external address 35.201.201.163 + Member A cluster-member-a + Member A external IP 104.199.168.141 + Member B cluster-member-b + Member B external IP 35.221.178.173 + +## config.yaml variables +| Name | Description | Type | Allowed values | +| ------------- | ------------- | ------------- | ------------- | +| **ha_version** | High Availability Version | string | R80.40 Cluster;
R81.00 Cluster;
R81.10 Cluster;
R81.20 Cluster; | +| | | | | | +| **zoneA** | Member A Zone. The zone determines what computing resources are available and where your data is stored and used | string | List of allowed [Regions and Zones](https://cloud.google.com/compute/docs/regions-zones?_ga=2.31926582.-962483654.1585043745) | +| | | | | | +| **zoneB** | Member B Zone | string | Must be in the same region as member A zone | +| | | | | | +| **machineType** | Machine types determine the specifications of your machines, such as the amount of memory, virtual cores, and persistent disk limits an instance will have | string | [Learn more about Machine Types](https://cloud.google.com/compute/docs/machine-types?hl=en_US&_ga=2.267871494.-962483654.1585043745) | +| | | | | | +| **managementNetwork** | Security Management Server address | string | The public address of the Security Management Server, in CIDR notation. If using Smart-1 Cloud insert 'S1C'. VPN peers addresses cannot be in this CIDR block, so this value cannot be the zero-address | +| | | | | | +| **cluster-network-cidr** | Cluster external subnet CIDR.
If the variable's value is not empty double quotes, a new network will be created.
The Cluster public IP will be translated to a private address assigned to the active member in this external network. | string | Specify an RFC 1918 CIDR block that does not overlap with your other networks to create a new network or select an existing one below | +| | | | | | +| **cluster-network-name** | Cluster external network ID. The network determines what network traffic the instance can access | string | Available network in the chosen zone | +| | | | | | +| **cluster-network-subnetwork-name** | Cluster subnet ID. Assigns the instance an IPv4 address from the subnetwork’s range.
If you have specified a CIDR block above, this subnetwork will not be used.
. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. | string | Available subnetwork in the chosen network | +| | | | | | +| **cluster-network_enableTcp** | Allow TCP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **cluster-network_tcpSourceRanges** | Allow TCP traffic from the Internet | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009 [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **cluster-network_enableIcmp** | Allow ICMP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **cluster-network_icmpSourceRanges** | Source IP ranges for ICMP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **cluster-network_enableUdp** | Allow UDP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **cluster-network_udpSourceRanges** | Source IP ranges for UDP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **cluster-network_enableSctp** | Allow SCTP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **cluster-network_sctpSourceRanges** | Source IP ranges for SCTP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **cluster-network_enableEsp** | Allow ESP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **cluster-network_espSourceRanges** | Source IP ranges for ESP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **mgmt-network-cidr** | Management external subnet CIDR.
If the variable's value is not empty double quotes, a new network will be created.
The public IP used to manage each member will be translated to a private address in this external network | string | Specify an RFC 1918 CIDR block that does not overlap with your other networks to create a new network or select an existing one below | +| | | | | | +| **mgmt-network-name** | Management network ID. The network determines what network traffic the instance can access | string | Available network in the chosen zone | +| | | | | | +| **mgmt-network-subnetwork-name** | Management subnet ID. Assigns the instance an IPv4 address from the subnetwork’s range.
If you have specified a CIDR block above, this subnetwork will not be used.
. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. | string | Available subnetwork in the chosen network | +| | | | | | +| **mgmt-network_enableTcp** | Allow TCP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **mgmt-network_tcpSourceRanges** | Allow TCP traffic from the Internet | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009 [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **mgmt-network_enableIcmp** | Allow ICMP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **mgmt-network_icmpSourceRanges** | Source IP ranges for ICMP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **mgmt-network_enableUdp** | Allow UDP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **mgmt-network_udpSourceRanges** | Source IP ranges for UDP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **mgmt-network_enableSctp** | Allow SCTP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **mgmt-network_sctpSourceRanges** | Source IP ranges for SCTP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **mgmt-network_enableEsp** | Allow ESP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **mgmt-network_espSourceRanges** | Source IP ranges for ESP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **diskType** | Disk type | string | pd-ssd;
pd-standard;
Storage space is much less expensive for a standard persistent disk. An SSD persistent disk is better for random IOPS or streaming throughput with low latency. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.66020774.-962483654.1585043745#overview_of_disk_types)| +| | | | | | +| **bootDiskSizeGb** | Disk size in GB | number | Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.232680471.-962483654.1585043745#pdperformance)| +| | | | | | +| **generatePassword** | Automatically generate an administrator password | boolean | true;
false; | +| | | | | | +| **allowUploadDownload** | Allow download from/upload to Check Point | boolean | true;
false; | +| | | | | | +| **enableMonitoring** | Enable Stackdriver monitoring | boolean | true;
false; | +| | | | | | +| **shell** | Admin shell | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh;
| +| | | | | | +| **deployWithPublicIPs** | Deploy HA with public IPs | boolean | true;
false; | +| | | | | | +| **instanceSSHKey** | Public SSH key for the user 'admin' | string | A valid public ssh key | +| | | | | | +| **smart1CloudTokenA** | Smart-1 Cloud token to connect ***member A*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal.| +| | | | | | +| **smart1CloudTokenB** | Smart-1 Cloud token to connect ***member B*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501)| string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal.| +| | | | | | +| **sicKey** | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server | string | At least 8 alpha numeric characters.
If SIC is not provided and needed, a key will be automatically generated | +| | | | | | +| **numAdditionalNICs** | Number of additional network interfaces | number | A number in the range 0 - 6.
Multiple network interfaces deployment is described in [sk121637 - Deploy a CloudGuard for GCP with Multiple Network Interfaces](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk121637) | +| | | | | | +| **internal-network1-cidr** | 1st internal subnet CIDR.
If the variable's value is not empty double quotes, a new subnet will be created.
Assigns the cluster members an IPv4 address in this internal network | string | Specify an RFC 1918 CIDR block that does not overlap with your other networks to create a new network or select an existing one below | +| | | | | | +| **internal-network1-name** | 1st internal network ID. The network determines what network traffic the instance can access | string | Available network in the chosen zone | +| | | | | | +| **internal-network1-subnetwork-name** | 1st internal subnet ID. Assigns the instance an IPv4 address from the subnetwork’s range.
If you have specified a CIDR block above, this subnetwork will not be used.
Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. | string | Available subnetwork in the chosen network | +| | | | | | +## Example + ha_version: "R81.10 Cluster" + zoneA: "asia-east1-a" + zoneB: "asia-east1-a" + machineType: "n1-standard-4" + diskType: "pd-ssd" + bootDiskSizeGb: 100 + instanceSSHKey: "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" + smart1CloudTokenA: "xxxxxxxxxxxxxxxxxxxxxxxx" + smart1CloudTokenB: "xxxxxxxxxxxxxxxxxxxxxxxx" + enableMonitoring: false + managementNetwork: "209.87.209.100/32" + sicKey: "aaaaaaaa" + generatePassword: false + allowUploadDownload: false + shell: "/bin/bash" + deployWithPublicIPs: true + cluster-network-cidr: "10.0.1.0/24" + cluster-network-name: "external-vpc" + cluster-network-subnetwork-name: "frontend" + cluster-network_enableIcmp: true + cluster-network_icmpSourceRanges: "0.0.0.0/0" + cluster-network_enableTcp: true + cluster-network_tcpSourceRanges: "0.0.0.0/0" + cluster-network_enableUdp: false + cluster-network_udpSourceRanges: "" + cluster-network_enableSctp: false + cluster-network_sctpSourceRanges: "" + cluster-network_enableEsp: false + cluster-network_espSourceRanges: "" + mgmt-network-cidr: "10.0.2.0/24" + mgmt-network-name: "vpc-internal" + mgmt-network-subnetwork-name: "" + mgmt-network_enableIcmp: false + mgmt-network_icmpSourceRanges: "" + mgmt-network_enableTcp: false + mgmt-network_tcpSourceRanges: "" + mgmt-network_enableUdp: true + mgmt-network_udpSourceRanges: "0.0.0.0/0" + mgmt-network_enableSctp: true + mgmt-network_sctpSourceRanges: "0.0.0.0/0" + mgmt-network_enableEsp: true + mgmt-network_espSourceRanges: "0.0.0.0/0" + numInternalNetworks: 1 + internal-network1-cidr: "10.0.3.0/24" + internal-network1-name: "vpc-internal2" + internal-network1-subnetwork-name: "vpc-internal2" + +## Notes +See 
[sk147032](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk147032) for revision history
\ No newline at end of file
diff --git a/deprecated/gcp/R80.40-R81/ha-payg/c2d_deployment_configuration.json b/deprecated/gcp/R80.40-R81/ha-payg/c2d_deployment_configuration.json
new file mode 100644
index 00000000..81bed1f6
--- /dev/null
+++ b/deprecated/gcp/R80.40-R81/ha-payg/c2d_deployment_configuration.json
@@ -0,0 +1,7 @@
+{
+ "defaultDeploymentType": "MULTI_VM",
+ "imageName": "check-point-r8120-gw-payg-cluster-631-991001475-v20231221",
+ "projectId": "checkpoint-public",
+ "templateName": "nonexistent_template",
+ "useSolutionPackage": "true"
+}
diff --git a/deprecated/gcp/R80.40-R81/ha-payg/check-point-cluster--payg.py b/deprecated/gcp/R80.40-R81/ha-payg/check-point-cluster--payg.py
new file mode 100644
index 00000000..6c554aac
--- /dev/null
+++ b/deprecated/gcp/R80.40-R81/ha-payg/check-point-cluster--payg.py
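Review bot: `imageName` is `check-point-r8120-gw-payg-cluster-631-991001475-v20231221`, but the ha-byol `images.py` added in this same commit maps the same family, `check-point-r8120-gw-payg-cluster`, to `...-631-991001560-v20240425`; if the ha-payg image listing (outside this chunk) agrees with ha-byol, the marketplace metadata advertises an older build than the template will deploy. `"useSolutionPackage": "true"` is a string rather than a JSON boolean and `"templateName": "nonexistent_template"` reads as a placeholder; both may be exactly what the marketplace schema expects, but since JSON cannot carry a comment, a sentence in the package README saying so would save the next reader a check.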
@@ -0,0 +1,494 @@ +# Copyright 2016 Check Point Software LTD. + +import common +import copy +import default +import images +import password + + +MAX_ADDITIONAL_NICS = 6 + +GATEWAY = 'checkpoint-gateway' + +PROJECT = 'checkpoint-public' +LICENSE = 'payg' +LICENCE_TYPE = 'cluster' + +VERSIONS = { + 'R80.40': 'r8040-gw', + 'R81': 'r81-gw', + 'R81.10': 'r8110-gw', + 'R81.20': 'r8120-gw' +} + +TEMPLATE_NAME = 'cluster' +TEMPLATE_VERSION = '20231221' + +CLUSTER_NET_FIELD = 'cluster-network' +MGMT_NET_FIELD = 'mgmt-network' +INTERNAL_NET_FIELD = 'internal-network{}' + +MGMT_NIC = 1 + +NO_PUBLIC_IP = 'no-public-ip' + +startup_script = ''' +#cloud-config +runcmd: + - 'python3 /etc/cloud_config.py "generatePassword=\\"{generatePassword}\\"" "allowUploadDownload=\\"{allowUploadDownload}\\"" "templateName=\\"{templateName}\\"" "templateVersion=\\"{templateVersion}\\"" "mgmtNIC=\\"{mgmtNIC}\\"" "hasInternet=\\"{hasInternet}\\"" "config_url=\\"{config_url}\\"" "config_path=\\"{config_path}\\"" "installationType=\\"{installationType}\\"" "enableMonitoring=\\"{enableMonitoring}\\"" "shell=\\"{shell}\\"" "computed_sic_key=\\"{computed_sic_key}\\"" "sicKey=\\"{sicKey}\\"" "managementGUIClientNetwork=\\"{managementGUIClientNetwork}\\"" "primary_cluster_address_name=\\"{primary_cluster_address_name}\\"" "secondary_cluster_address_name=\\"{secondary_cluster_address_name}\\"" "managementNetwork=\\"{managementNetwork}\\"" "numAdditionalNICs=\\"{numAdditionalNICs}\\"" "smart1CloudToken=\\"{smart1CloudToken}\\"" "name=\\"{name}\\"" "zone=\\"{zoneConfig}\\"" "region=\\"{region}\\"" "osVersion=\\"{osVersion}\\"" "MaintenanceModePassword=\\"{maintenanceMode}\\""' +''' + + +def make_gw(context, name, zone, nics, passwd=None, depends_on=None, + smart1cloudToken=None): + cg_version = context.properties['ha_version'].split(' ')[0] + if 'gw' in VERSIONS[cg_version]: + license_name = "{}-{}".format(LICENSE, LICENCE_TYPE) + else: + license_name = LICENSE + family = '-'.join(['check-point', 
VERSIONS[cg_version], license_name]) + formatter = common.DefaultFormatter() + + context.properties['smart1CloudToken'] = smart1cloudToken + context.properties['name'] = name + context.properties['zoneConfig'] = zone + context.properties['osVersion'] = cg_version.replace(".", "") + + gw = { + 'type': default.INSTANCE, + 'name': name, + 'metadata': { + 'dependsOn': depends_on + }, + 'properties': { + 'description': 'CloudGuard Highly Available Security Cluster', + 'zone': zone, + 'tags': { + 'items': [GATEWAY], + }, + 'machineType': common.MakeLocalComputeLink( + context, default.MACHINETYPE, zone), + 'canIpForward': True, + 'networkInterfaces': nics, + 'disks': [{ + 'autoDelete': True, + 'boot': True, + 'deviceName': common.set_name_and_truncate( + context.properties['deployment'], + '-{}-boot'.format(name)), + 'initializeParams': { + 'diskType': common.MakeLocalComputeLink( + context, default.DISKTYPE, zone), + 'diskSizeGb': context.properties['bootDiskSizeGb'], + 'sourceImage': + 'projects/%s/global/images/%s' % ( + PROJECT, images.IMAGES[family]), + }, + 'type': 'PERSISTENT', + }], + 'metadata': { + 'items': [ + { + 'key': 'startup-script', + 'value': formatter.format( + startup_script, **context.properties) + } + ] + }, + 'serviceAccounts': [{ + 'email': 'default', + 'scopes': [ + 'https://www.googleapis.com/auth/monitoring.write', + 'https://www.googleapis.com/auth/compute', + 'https://www.googleapis.com/auth/cloudruntimeconfig' + ], + }] + } + } + + if 'instanceSSHKey' in context.properties: + gw['properties']['metadata']['items'].append( + { + 'key': 'instanceSSHKey', + 'value': context.properties['instanceSSHKey'] + } + ) + + if passwd: + gw['properties']['metadata']['items'].append( + { + 'key': 'adminPasswordSourceMetadata', + 'value': passwd + } + ) + + return gw + + +def make_access_config(ip, name=None): + access_config = { + 'type': default.ONE_NAT, + 'natIP': ip + } + + if name: + access_config['name'] = name + + return access_config + + +def 
make_static_address(prop, name): + address = { + 'name': name, + 'type': default.ADDRESS, + 'properties': { + 'name': name, + 'region': prop['region'] + } + } + + return address + + +def create_external_addresses_if_needed( + prop, resources, member_a_nics, member_b_nics): + if not prop['deployWithPublicIPs']: + prop['primary_cluster_address_name'] = NO_PUBLIC_IP + prop['secondary_cluster_address_name'] = NO_PUBLIC_IP + else: + member_a_address_name = common.set_name_and_truncate( + prop['deployment'], '-member-a-address') + member_b_address_name = common.set_name_and_truncate( + prop['deployment'], '-member-b-address') + + prop['member_a_address_name'] = member_a_address_name + prop['member_b_address_name'] = member_b_address_name + + member_a_address = make_static_address(prop, member_a_address_name) + member_b_address = make_static_address(prop, member_b_address_name) + + resources += [member_a_address, member_b_address] + + member_a_nics[MGMT_NIC]['accessConfigs'] = [make_access_config( + '$(ref.{}.address)'.format(member_a_address_name))] + member_b_nics[MGMT_NIC]['accessConfigs'] = [make_access_config( + '$(ref.{}.address)'.format(member_b_address_name))] + + primary_cluster_address_name = common.set_name_and_truncate( + prop['deployment'], '-primary-cluster-address') + secondary_cluster_address_name = common.set_name_and_truncate( + prop['deployment'], '-secondary-cluster-address') + + primary_cluster_address = make_static_address( + prop, primary_cluster_address_name) + secondary_cluster_address = make_static_address( + prop, secondary_cluster_address_name) + + resources += [primary_cluster_address, secondary_cluster_address] + + prop['primary_cluster_address_name'] = primary_cluster_address_name + prop['secondary_cluster_address_name'] = secondary_cluster_address_name + + +def make_nic(prop, net_name, subnet_name): + network_interface = { + 'network': ''.join([default.COMPUTE_URL_BASE, 'projects/', + prop['project'], '/global/networks/', + net_name]), + 
'subnetwork': ''.join([default.COMPUTE_URL_BASE, 'projects/', + prop['project'], '/regions/', prop['region'], + '/subnetworks/', subnet_name]) + } + + return network_interface + + +def make_subnet(prop, name, net_name, cidr, private_google_access=False): + subnet = { + 'type': default.VPC_SUBNET, + 'name': name, + 'metadata': { + 'dependsOn': [net_name] + }, + 'properties': { + 'network': 'projects/{}/global' + '/networks/{}'.format(prop['project'], net_name), + 'region': prop['region'], + 'ipCidrRange': cidr, + 'privateIpGoogleAccess': private_google_access, + 'enableFlowLogs': False + } + } + + return subnet + + +def make_net(name): + net = { + 'type': default.VPC, + 'name': name, + 'properties': { + 'autoCreateSubnetworks': False + } + } + + return net + + +def get_or_create_net(prop, name, resources, gw_dependencies, + private_google_access=False, create_firewall=False): + net_cidr = prop.get(name + '-cidr') + + if net_cidr: + net_name = '{}-{}'.format(prop['deployment'][:20], name) + subnet_name = '{}-subnet'.format(net_name) + net = make_net(net_name) + subnet = make_subnet( + prop, subnet_name, net_name, net_cidr, private_google_access) + + resources += [net, subnet] + gw_dependencies.append(subnet_name) + else: + net_name = prop.get(name + '-name') + subnet_name = prop.get(name + '-subnetwork-name') + if not subnet_name: + raise common.Error( + 'Network {} is missing.'.format(net_name.split('-'))) + + if create_firewall: + firewall_rules = create_firewall_rules(prop, name, net_name, net_cidr) + if firewall_rules: + resources.extend(firewall_rules) + + return net_name, subnet_name + + +def create_firewall_rules(prop, net_prop_name, net_name, net_cidr): + deployment = prop['deployment'] + firewall_rules = [] + protocols = ['Icmp', 'Udp', 'Tcp', 'Sctp', 'Esp'] + for protocol in protocols: + proto = protocol.lower() + source_ranges = prop.get(net_prop_name + '_' + proto + + 'SourceRanges', '') + protocol_enabled = prop.get(net_prop_name + '_enable' + protocol, 
'') + if protocol_enabled and source_ranges: + firewall_rules.append( + make_firewall_rule(proto, source_ranges, deployment, + net_prop_name, net_name, net_cidr)) + + return firewall_rules + + +def make_firewall_rule(protocol, source_ranges, deployment, net_prop_name, + net_name, net_cidr): + fw_rule_name = '%s-%s-%s' % (deployment[:40], net_prop_name, protocol) + ranges_list = source_ranges.split(',') + ranges = [] + for source_range in ranges_list: + ranges.append(source_range.replace(" ", "")) + firewall_rule = { + 'type': default.FIREWALL, + 'name': fw_rule_name, + 'properties': { + 'network': 'global/networks/' + net_name, + 'sourceRanges': ranges, + 'targetTags': [GATEWAY], + 'allowed': [{'IPProtocol': protocol}], + } + } + + if net_cidr: + firewall_rule['metadata'] = { + 'dependsOn': [net_name] + } + + return firewall_rule + + +def add_readiness_waiter(prop, resources): + deployment_config = common.set_name_and_truncate( + prop['deployment'], '-config') + + prop['config_path'] = 'projects/{}/configs/{}'.format( + prop['project'], deployment_config) + prop['config_url'] = ( + 'https://runtimeconfig.googleapis.com/v1beta1/{}'.format( + prop['config_path'])) + + resources.append( + { + 'name': deployment_config, + 'type': 'runtimeconfig.v1beta1.config', + 'properties': { + 'config': deployment_config, + 'description': ( + 'Holds software readiness status ' + 'for deployment {}').format(prop['deployment']) + } + } + ) + + resources.append( + { + 'name': common.set_name_and_truncate( + prop['deployment'], '-software'), + 'type': 'runtimeconfig.v1beta1.waiter', + 'metadata': { + 'dependsOn': [], + }, + 'properties': { + 'parent': '$(ref.{}.name)'.format(deployment_config), + 'waiter': 'software', + 'timeout': '1800s', + 'success': { + 'cardinality': { + 'number': 2, + 'path': 'status/success', + }, + }, + 'failure': { + 'cardinality': { + 'number': 1, + 'path': 'status/failure', + }, + }, + }, + } + ) + + +def validate_same_region(zone_a, zone_b): + if not 
common.ZoneToRegion(zone_a) == common.ZoneToRegion(zone_b): + raise common.Error('Member A Zone ({}) and Member B Zone ({}) ' + 'are not in the same region'.format(zone_a, zone_b)) + + +def validate_both_tokens(token_a, token_b): + if (not token_a and token_b) or (not token_b and token_a) or \ + (token_a and token_a == token_b): + raise common.Error('To connect to Smart-1 Cloud, \ + you must provide two tokens (one per member)') + + +def validate_mgmt_network_if_required(token_a, mgmt_network): + if not token_a and mgmt_network == "S1C": + raise common.Error( + 'Public address of the Security Management Server is required') + + +@common.FormatErrorsDec +def generate_config(context): + prop = context.properties + + validate_same_region(prop['zoneA'], prop['zoneB']) + validate_both_tokens(prop['smart1CloudTokenA'], prop['smart1CloudTokenB']) + validate_mgmt_network_if_required( + prop['smart1CloudTokenA'], prop['managementNetwork']) + + prop['deployment'] = context.env['deployment'] + prop['project'] = context.env['project'] + prop['region'] = common.ZoneToRegion(prop['zoneA']) + prop['templateName'] = TEMPLATE_NAME + prop['templateVersion'] = TEMPLATE_VERSION + prop['allowUploadDownload'] = str(prop['allowUploadDownload']).lower() + prop['hasInternet'] = 'true' # via Google Private Access + prop['installationType'] = 'Cluster' + + resources = [] + outputs = [] + gw_dependencies = [] + member_a_nics = [] + + add_readiness_waiter(prop, resources) + + cluster_net_name, cluster_subnet_name = get_or_create_net( + prop, CLUSTER_NET_FIELD, resources, gw_dependencies, True, True) + member_a_nics.append(make_nic(prop, cluster_net_name, cluster_subnet_name)) + + mgmt_net_name, mgmt_subnet_name = get_or_create_net( + prop, MGMT_NET_FIELD, resources, gw_dependencies, False, True) + member_a_nics.append(make_nic(prop, mgmt_net_name, mgmt_subnet_name)) + + for ifnum in range(1, prop['numInternalNetworks'] + 1): + int_net_name, int_subnet_name = get_or_create_net( + prop, 
INTERNAL_NET_FIELD.format(ifnum), resources, + gw_dependencies) + member_a_nics.append(make_nic(prop, int_net_name, int_subnet_name)) + + member_b_nics = copy.deepcopy(member_a_nics) + + create_external_addresses_if_needed( + prop, resources, member_a_nics, member_b_nics) + + member_a_name = common.set_name_and_truncate( + prop['deployment'], '-member-a') + member_b_name = common.set_name_and_truncate( + prop['deployment'], '-member-b') + + if prop['generatePassword']: + passwd = password.GeneratePassword(12, False) + else: + passwd = '' + + member_a = make_gw(context, member_a_name, prop['zoneA'], + member_a_nics, passwd, gw_dependencies, + prop['smart1CloudTokenA']) + member_b = make_gw(context, member_b_name, prop['zoneB'], + member_b_nics, passwd, gw_dependencies, + prop['smart1CloudTokenB']) + + resources += [member_a, member_b] + + outputs += [ + { + 'name': 'deployment', + 'value': prop['deployment'] + }, + { + 'name': 'project', + 'value': prop['project'] + }, + { + 'name': 'vmAName', + 'value': member_a_name, + }, + { + 'name': 'vmASelfLink', + 'value': '$(ref.{}.selfLink)'.format(member_a_name), + }, + { + 'name': 'vmBName', + 'value': member_b_name, + }, + { + 'name': 'vmBSelfLink', + 'value': '$(ref.{}.selfLink)'.format(member_b_name), + }, + { + 'name': 'password', + 'value': passwd + } + ] + + if prop['deployWithPublicIPs']: + outputs += [ + { + 'name': 'clusterIP', + 'value': '$(ref.{}.address)'.format( + prop['primary_cluster_address_name']) + }, + { + 'name': 'vmAExternalIP', + 'value': '$(ref.{}.address)'.format( + prop['member_a_address_name']) + }, + { + 'name': 'vmBExternalIP', + 'value': '$(ref.{}.address)'.format( + prop['member_b_address_name']) + } + ] + + return common.MakeResource(resources, outputs) diff --git a/deprecated/gcp/R80.40-R81/ha-payg/check-point-cluster--payg.py.schema b/deprecated/gcp/R80.40-R81/ha-payg/check-point-cluster--payg.py.schema new file mode 100644 index 00000000..9c674034 --- /dev/null 
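Review bot: In `get_or_create_net`, when `<name>-cidr` is absent and `<name>-name` is also unset, `net_name` is None and `net_name.split('-')` raises AttributeError before the intended `common.Error` is reached (and even when it is reached the message prints a list rather than a name). `if not net_name or not subnet_name: raise common.Error('Network {} is missing.'.format(name))` covers both cases with a readable message. Separately, `startup_script` in `make_gw` splices `smart1CloudToken` into the `runcmd` shell line with only `\"…\"` quoting, and unlike `sicKey` and `maintenanceMode` the schema gives the token fields no pattern, so a value containing a double quote or `$` is not rejected before it reaches that command line; the value comes from the deployer, but a schema pattern or `shlex.quote` applied to the values before `formatter.format` would close the gap. Finally, the SIC key, the Smart-1 Cloud tokens, the maintenance-mode password and the generated admin password all land in instance metadata, and `passwd` is also emitted as the `password` deployment output, so they are readable by anyone with access to instance metadata or the deployment manifest; a comment at the `outputs` block stating this would help operators decide who may read the deployment.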
+++ b/deprecated/gcp/R80.40-R81/ha-payg/check-point-cluster--payg.py.schema 
@@ -0,0 +1,400 @@ +imports: + - path: check-point-cluster--payg.py + +info: + version: 1.0 + title: Check Point CloudGuard Network Security Cluster - PAYG Template + +required: + - zoneA + - zoneB + - machineType + - diskType + - bootDiskSizeGb + - sicKey + - managementNetwork + - allowUploadDownload + - shell + - generatePassword + - enableMonitoring + - numInternalNetworks + +properties: + zoneA: + type: string + default: us-central1-a + x-googleProperty: + type: GCE_ZONE + zoneB: + type: string + default: us-central1-a + x-googleProperty: + type: GCE_ZONE + machineType: + type: string + default: n1-standard-4 + x-googleProperty: + type: GCE_MACHINE_TYPE + zoneProperty: zoneA + gceMachineType: + minCpu: 2 + minRamGb: 1.843000054359436 + deployWithPublicIPs: + type: boolean + default: True + instanceSSHKey: + type: string + pattern: ^([0-9a-z\-]+ +[0-9A-Za-z/\+=]+( .*)?|)$ + default: '' + smart1CloudTokenA: + type: string + default: '' + smart1CloudTokenB: + type: string + default: '' + diskType: + type: string + default: pd-ssd + x-googleProperty: + type: GCE_DISK_TYPE + zoneProperty: zoneA + bootDiskSizeGb: + type: integer + maximum: 1000 + default: 100 + minimum: 100 + x-googleProperty: + type: GCE_DISK_SIZE + gceDiskSize: + diskTypeProperty: diskType + ha_version: + type: string + default: R81.20 Cluster + enum: + - R80.40 Cluster + - R81 Cluster + - R81.10 Cluster + - R81.20 Cluster + enableMonitoring: + type: boolean + default: False + sicKey: + type: string + pattern: ^([a-z0-9A-Z]{8,30})$ + default: '' + managementNetwork: + type: string + default: '' + pattern: ^((?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2]))|(S1C)$ + generatePassword: + type: boolean + default: False + maintenanceMode: + type: string + pattern: ^([a-z0-9A-Z.]{12,300}|)$ + default: '' + allowUploadDownload: + type: boolean + default: False + shell: + type: string + default: /etc/cli.sh + enum: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + 
cluster-network-cidr: + type: string + default: '10.0.0.0/24' + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + cluster-network-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + cluster-network-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: cluster-network-name + cluster-network_enableIcmp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: cluster-network-name + cluster-network_icmpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: cluster-network_enableIcmp + cluster-network_enableTcp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: cluster-network-name + cluster-network_tcpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: cluster-network_enableTcp + cluster-network_enableUdp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: cluster-network-name + cluster-network_udpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: cluster-network_enableUdp + cluster-network_enableSctp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: cluster-network-name + cluster-network_sctpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: cluster-network_enableSctp + cluster-network_enableEsp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: cluster-network-name + cluster-network_espSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + 
firewallProperty: cluster-network_enableEsp + mgmt-network-cidr: + type: string + default: '10.0.1.0/24' + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + mgmt-network-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + mgmt-network-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: mgmt-network-name + mgmt-network_enableIcmp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: mgmt-network-name + mgmt-network_icmpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: mgmt-network_enableIcmp + mgmt-network_enableTcp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: mgmt-network-name + mgmt-network_tcpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: mgmt-network_enableTcp + mgmt-network_enableUdp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: mgmt-network-name + mgmt-network_udpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: mgmt-network_enableUdp + mgmt-network_enableSctp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: mgmt-network-name + mgmt-network_sctpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: mgmt-network_enableSctp + mgmt-network_enableEsp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: mgmt-network-name + mgmt-network_espSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: 
mgmt-network_enableEsp + numInternalNetworks: + type: integer + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + minimum: 1 + maximum: 6 + default: 1 + internal-network1-cidr: + type: string + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + default: '10.0.2.0/24' + internal-network1-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + internal-network1-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: internal-network1-name + internal-network2-cidr: + type: string + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + default: '' + internal-network2-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + internal-network2-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: internal-network2-name + internal-network3-cidr: + type: string + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + default: '' + internal-network3-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + internal-network3-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: internal-network3-name + internal-network4-cidr: + type: string + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + default: '' + internal-network4-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + internal-network4-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: internal-network4-name + internal-network5-cidr: + type: string + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + default: 
'' + internal-network5-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + internal-network5-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: internal-network5-name + internal-network6-cidr: + type: string + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + default: '' + internal-network6-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + internal-network6-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: internal-network6-name + +outputs: + deployment: + type: string + project: + type: string + clusterIP: + type: string + vmAName: + type: string + vmAExternalIP: + type: string + vmASelfLink: + type: string + vmBName: + type: string + vmBExternalIP: + type: string + vmBSelfLink: + type: string + password: + type: string + ha_version: + type: string diff --git a/deprecated/gcp/R80.40-R81/ha-payg/common.py b/deprecated/gcp/R80.40-R81/ha-payg/common.py new file mode 100644 index 00000000..e123c502 --- /dev/null +++ b/deprecated/gcp/R80.40-R81/ha-payg/common.py 
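Review bot: The CIDR patterns on `cluster-network-cidr`, `mgmt-network-cidr` and every `internal-networkN-cidr` end in `|$` outside any group, so the regex reads as `^<cidr>` OR `$`; if the validator applies `pattern` as an unanchored search, as JSON Schema specifies, the `$` branch matches any string and neither the CIDR shape nor the `0.0.0.0/0` exclusion is enforced. The other optional fields in this file group the empty alternative correctly (`instanceSSHKey`, `maintenanceMode`), and the same form works here: `pattern: ^((?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|)$`. `smart1CloudTokenA` and `smart1CloudTokenB` have no pattern at all even though the template writes them into a shell command line in instance metadata, so a constraining pattern on those two fields is worth adding as well.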
@@ -0,0 +1,262 @@ +# Copyright 2015 Google Inc. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +"""Generic simple functions used for python based template generation.""" + +import re +import sys +import traceback +import default +import string + +import yaml + +RFC1035_RE = re.compile(r'^[a-z][-a-z0-9]{1,61}[a-z0-9]{1}$') + + +class Error(Exception): + """Common exception wrapper for template exceptions.""" + pass + + +class DefaultFormatter(string.Formatter): + """Returns default instead of key error when looking for keys. + + Used for startup-script which contains params from multiple deployments + whiles keys from one deployment may not be set in another. 
+ """ + def __init__(self, default=''): + self.default = default + def get_value(self, key, args, dict): + if isinstance(key, str): + return dict.get(key, self.default) + else: + return string.Formatter.get_value(key, args, dict) + + +def set_name_and_truncate(primary, secondary, maxlength=62): + return '%s%s' % (primary[:maxlength - len(secondary)], secondary) + + +def AddDiskResourcesIfNeeded(context): + """Checks context if disk resources need to be added.""" + if default.DISK_RESOURCES in context.properties: + return context.properties[default.DISK_RESOURCES] + else: + return [] + + +def AutoName(base, resource, *args): + """Helper method to generate names automatically based on default.""" + auto_name = '%s-%s' % (base, '-'.join(list(args) + [default.AKA[resource]])) + if not RFC1035_RE.match(auto_name): + raise Error('"%s" name for type %s does not match RFC1035 regex (%s)' % + (auto_name, resource, RFC1035_RE.pattern)) + return auto_name + + +def AutoRef(base, resource, *args): + """Helper method that builds a reference for an auto-named resource.""" + return Ref(AutoName(base, resource, *args)) + + +def OrderedItems(dict_obj): + """Convenient method to yield sorted iteritems of a dictionary.""" + keys = list(dict_obj.keys()) + keys.sort() + for k in keys: + yield (k, dict_obj[k]) + + +def ShortenZoneName(zone): + """Given a string that looks like a zone name, creates a shorter version.""" + geo, coord, number, letter = re.findall(r'(\w+)-(\w+)(\d)-(\w)', zone)[0] + geo = geo.lower() if len(geo) == 2 else default.LOC[geo.lower()] + coord = default.LOC[coord.lower()] + number = str(number) + letter = letter.lower() + return geo + '-' + coord + number + letter + + +def ZoneToRegion(zone): + """Derives the region from a zone name.""" + parts = zone.split('-') + if len(parts) != 3: + raise Error('Cannot derive region from zone "%s"' % zone) + return '-'.join(parts[:2]) + + +def FormatException(message): + """Adds more information to the exception.""" + message = 
('Exception Type: %s\n' + 'Details: %s\n' + 'Message: %s\n') % (sys.exc_info()[0], + traceback.format_exc(), message) + return message + + +def Ref(name): + return '$(ref.%s.selfLink)' % name + + +def RefGroup(name): + return '$(ref.%s.instanceGroup)' % name + + +def GlobalComputeLink(project, collection, name): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/global/', + collection, '/', name]) + +def GlobalNetworkLink(project, network): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/global/', + default.NETWORKS, '/', network]) + + +def LocalComputeLink(project, zone, key, value): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/zones/', + zone, '/', key, '/', value]) + + +def ReadContext(context, prop_key): + return (context.env['project'], context.properties.get('zone', None), + context.properties[prop_key]) + + +def MakeLocalComputeLink(context, key, zone=None): + if not zone: + project, zone, value = ReadContext(context, key) + else: + project, _, value = ReadContext(context, key) + + if IsComputeLink(value): + return value + else: + return LocalComputeLink(project, zone, key + 's', value) + + +def MakeGlobalComputeLink(context, key): + project, _, value = ReadContext(context, key) + if IsComputeLink(value): + return value + else: + return GlobalComputeLink(project, key + 's', value) + +def MakeRegionalSubnetworkLink(project, zone, subnet): + region = ZoneToRegion(zone) + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/regions/', + region, '/subnetworks/', subnet]) + + +def MakeSubnetworkComputeLink(context, key): + project, zone, value = ReadContext(context, key) + region = ZoneToRegion(zone) + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/regions/', + region, '/subnetworks/', value]) + + +def MakeFQHN(context, name): + return '%s.c.%s.internal' % (name, context.env['project']) + + +# TODO(victorg): Consider moving this method to a different file +def 
MakeC2DImageLink(name, dev_mode=False): + if IsGlobalProjectShortcut(name) or name.startswith('http'): + return name + else: + if dev_mode: + return 'global/images/%s' % name + else: + return GlobalComputeLink(default.C2D_IMAGES, 'images', name) + + +def IsGlobalProjectShortcut(name): + return name.startswith('projects/') or name.startswith('global/') + + +def IsComputeLink(name): + return (name.startswith(default.COMPUTE_URL_BASE) or + name.startswith(default.REFERENCE_PREFIX)) + + +def GetNamesAndTypes(resources_dict): + return [(d['name'], d['type']) for d in resources_dict] + + +def SummarizeResources(res_dict): + """Summarizes the name of resources per resource type.""" + result = {} + for res in res_dict: + result.setdefault(res['type'], []).append(res['name']) + return result + + +def ListPropertyValuesOfType(res_dict, prop, res_type): + """Lists all the values for a property of a certain type.""" + return [r['properties'][prop] for r in res_dict if r['type'] == res_type] + + +def MakeResource(resource_list, output_list=None): + """Wrapper for a DM template basic spec.""" + content = {'resources': resource_list} + if output_list: + content['outputs'] = output_list + return yaml.dump(content) + + +def TakeZoneOut(properties): + """Given a properties dictionary, removes the zone specific information.""" + + def _CleanZoneUrl(value): + value = value.split('/')[-1] if IsComputeLink(value) else value + return value + + for name in default.VM_ZONE_PROPERTIES: + if name in properties: + properties[name] = _CleanZoneUrl(properties[name]) + if default.ZONE in properties: + properties.pop(default.ZONE) + if default.BOOTDISK in properties: + properties[default.BOOTDISK] = _CleanZoneUrl(properties[default.BOOTDISK]) + if default.DISKS in properties: + for disk in properties[default.DISKS]: + # Don't touch references to other disks + if default.DISK_SOURCE in disk: + continue + if default.INITIALIZEP in disk: + disk_init = disk[default.INITIALIZEP] + if default.DISKTYPE 
in disk_init: + disk_init[default.DISKTYPE] = _CleanZoneUrl(disk_init[default.DISKTYPE]) + + +def GenerateEmbeddableYaml(yaml_string): + # Because YAML is a space delimited format, we need to be careful about + # embedding one YAML document in another. This function takes in a string in + # YAML format and produces an equivalent YAML representation that can be + # inserted into arbitrary points of another YAML document. It does so by + # printing the YAML string in a single line format. Consistent ordering of + # the string is also guaranteed by using yaml.dump. + yaml_object = yaml.load(yaml_string) + dumped_yaml = yaml.dump(yaml_object, default_flow_style=True) + return dumped_yaml + + +def FormatErrorsDec(func): + """Decorator to format exceptions if they get raised.""" + + def FormatErrorsWrap(context): + try: + return func(context) + except Exception as e: + raise Error(FormatException(e.message)) + + return FormatErrorsWrap diff --git a/deprecated/gcp/R80.40-R81/ha-payg/config.yaml b/deprecated/gcp/R80.40-R81/ha-payg/config.yaml new file mode 100644 index 00000000..de203447 --- /dev/null +++ b/deprecated/gcp/R80.40-R81/ha-payg/config.yaml 
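Review bot: `FormatErrorsWrap` in `FormatErrorsDec` reads `e.message`, which Python 3 exceptions do not have (the `isinstance(key, str)` check in `DefaultFormatter.get_value` suggests Python 3 is the target), so every error the decorator is meant to format instead surfaces as an AttributeError that hides the original cause; `raise Error(FormatException(str(e))) from e` keeps the message and the exception chain. `GenerateEmbeddableYaml` calls `yaml.load(yaml_string)` with no `Loader`, which PyYAML 5.1+ warns about and 6.x rejects outright, and with the full loader it can construct arbitrary Python objects from the input; `yaml.safe_load(yaml_string)` is sufficient for the plain mappings and lists this helper round-trips. A point of style: `DefaultFormatter.get_value` names its parameter `dict`, shadowing the builtin, and the two methods of that class lack the blank line the rest of the file keeps between definitions.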
@@ -0,0 +1,73 @@ +imports: +- path: check-point-cluster--payg.py +- path: common.py +- path: default.py +- path: password.py +- path: images.py + +resources: +- name: check-point-cluster--payg + type: check-point-cluster--payg.py + properties: + ha_version: "PLEASE ENTER HA VERSION" + zoneA: "PLEASE ENTER ZONE A" + zoneB: "PLEASE ENTER ZONE B. MUST BE IN THE SAME REGION AS MEMBER A ZONE" + machineType: "PLEASE ENTER A MACHINE TYPE" + diskType: "PLEASE ENTER A DISK TYPE" + #To connect to Smart-1 Cloud you must provide two valid tokens (one per member) + smart1CloudTokenA: "PLEASE ENTER A TOKEN TO CONNECT TO SMART-1 CLOUD FOR MEMBER A OR LEAVE EMPTY DOUBLE QUOTES" + smart1CloudTokenB: "PLEASE ENTER A TOKEN TO CONNECT TO SMART-1 CLOUD FOR MEMBER B OR LEAVE EMPTY DOUBLE QUOTES" + bootDiskSizeGb: "PLEASE ENTER A DISK SIZE" + instanceSSHKey: "PLEASE ENTER A VALID PUBLIC KEY" + enableMonitoring: "PLEASE ENTER true or false" + managementNetwork: "PLEASE ENTER MANAGEMENT IP, if using Smart-1 Cloud insert 'S1C'" + sicKey: "PLEASE ENTER A SIC KEY" + generatePassword: "PLEASE ENTER true or false" + allowUploadDownload: "PLEASE ENTER true or false" + shell: "PLEASE ENTER A SHELL" + deployWithPublicIPs: "PLEASE ENTER true or false" + cluster-network-cidr: "PLEASE ENTER CLUSTER NETWORK CIDR" + cluster-network-name: "PLEASE ENTER CLUSTER NETWORK ID" + cluster-network-subnetwork-name: "PLEASE ENTER CLUSTER SUBNETWORK ID" + cluster-network_enableIcmp: "PLEASE ENTER true or false" + cluster-network_icmpSourceRanges: "PLEASE ENTER ICMP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES" + cluster-network_enableTcp: "PLEASE ENTER true or false" + cluster-network_tcpSourceRanges: "PLEASE ENTER TCP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES" + cluster-network_enableUdp: "PLEASE ENTER true or false" + cluster-network_udpSourceRanges: "PLEASE ENTER UDP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES" + cluster-network_enableSctp: "PLEASE ENTER true or false" + cluster-network_sctpSourceRanges: "PLEASE 
ENTER SCTP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES" + cluster-network_enableEsp: "PLEASE ENTER true or false" + cluster-network_espSourceRanges: "PLEASE ENTER ESP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES" + mgmt-network-cidr: "PLEASE ENTER MANAGEMENT NETWORK CIDR" + mgmt-network-name: "PLEASE ENTER MANAGEMENT NETWORK ID" + mgmt-network-subnetwork-name: "PLEASE ENTER MANAGEMENT SUBNETWORK ID" + mgmt-network_enableIcmp: "PLEASE ENTER true or false" + mgmt-network_icmpSourceRanges: "PLEASE ENTER ICMP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES" + mgmt-network_enableTcp: "PLEASE ENTER true or false" + mgmt-network_tcpSourceRanges: "PLEASE ENTER TCP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES" + mgmt-network_enableUdp: "PLEASE ENTER true or false" + mgmt-network_udpSourceRanges: "PLEASE ENTER UDP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES" + mgmt-network_enableSctp: "PLEASE ENTER true or false" + mgmt-network_sctpSourceRanges: "PLEASE ENTER SCTP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES" + mgmt-network_enableEsp: "PLEASE ENTER true or false" + mgmt-network_espSourceRanges: "PLEASE ENTER ESP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES" + #Define additional NICs networks and subnetworks according the defined numAdditionalNICs value + #If there is no need in additional NICs remove additionalNetwork1 and additionalSubnetwork1 variables + numInternalNetworks: "PLEASE ENTER A NUMBER OF ADDITIONAL NICS" + internal-network1-cidr: "PLEASE ENTER 1ST INTERNAL NETWORK CIDR" + internal-network1-name: "PLEASE ENTER 1ST INTERNAL NETWORK ID" + internal-network1-subnetwork-name: "PLEASE ENTER INTERNAL SUBNETWORK ID" +outputs: +- name: "Deployment" + value: $(ref.check-point-cluster--payg.deployment) +- name: "Cluster IP external address" + value: $(ref.check-point-cluster--payg.clusterIP) +- name: "Member A" + value: $(ref.check-point-cluster--payg.vmAName) +- name: "Member A external IP" + value: $(ref.check-point-cluster--payg.vmAExternalIP) +- name: "Member B" + value: 
$(ref.check-point-cluster--payg.vmBName) +- name: "Member B external IP" + value: $(ref.check-point-cluster--payg.vmBExternalIP) \ No newline at end of file diff --git a/deprecated/gcp/R80.40-R81/ha-payg/default.py b/deprecated/gcp/R80.40-R81/ha-payg/default.py new file mode 100644 index 00000000..0c7dd919 --- /dev/null +++ b/deprecated/gcp/R80.40-R81/ha-payg/default.py 
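Review bot: The comment above the internal-network section refers to `numAdditionalNICs`, `additionalNetwork1` and `additionalSubnetwork1`, but the keys this file actually defines are `numInternalNetworks`, `internal-network1-cidr`, `internal-network1-name` and `internal-network1-subnetwork-name`, so a user following the comment would remove the wrong variables. I would rewrite it as `#Define internal networks according to the numInternalNetworks value; if none are needed remove the internal-network1-* variables`. Separately, `sicKey`, `smart1CloudTokenA` and `smart1CloudTokenB` are secrets that are meant to be typed into this committed file in plaintext; a comment such as `#Do not commit this file once the token and SIC key fields are filled in` would save operators from pushing credentials to version control.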
@@ -0,0 +1,134 @@ +# Copyright 2015 Google Inc. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +"""Convenience module to hold default constants for C2D components. + +There should not be any logic in this module. Its purpose is to simplify +analysis of commonly used GCP and properties names and identify the names +that were custom created for these modules. +""" +# Generic constants +C2D_IMAGES = 'click-to-deploy-images' + +# URL constants +COMPUTE_URL_BASE = 'https://www.googleapis.com/compute/v1/' + +# Deployment Manager constructs +REFERENCE_PREFIX = '$(ref.' 
+ +# Commonly used in properties namespace +AUTO_DELETE = 'autoDelete' +BOOTDISK = 'bootDiskType' +BOOTDISKSIZE = 'bootDiskSizeGb' +C_IMAGE = 'containerImage' +DC_MANIFEST = 'dcManifest' +DEPLOYMENT = 'DEPLOYMENT' # used in the deployment coordinator +DISK_NAME = 'diskName' +DISK_RESOURCES = 'addedDiskResources' +DISK_SOURCE = 'source' +ENDPOINT_NAME = 'serviceRegistryEndpointName' +FIXED_GCLOUD = 'fixedGcloud' +GENERATED_PROP = 'generatedProperties' +INITIALIZEP = 'initializeParams' +INSTANCE_NAME = 'instanceName' +LOCAL_SSD = 'localSSDs' +MAX_NUM = 'maxNumReplicas' +NETWORKS = 'networks' +NO_SCOPE = 'noScope' +PROVIDE_BOOT = 'provideBoot' +REPLICAS = 'replicas' +SIZE = 'size' +VM_COPIES = 'numberOfVMReplicas' +ZONES = 'zones' + +# Common properties values (only official GCP values allowed here) +EXTERNAL = 'External NAT' +ONE_NAT = 'ONE_TO_ONE_NAT' + +# Common 1st level properties (only official GCP names allowed here) +CAN_IP_FWD = 'canIpForward' +CONTAINER = 'container' +DCKRENV = 'dockerEnv' +DCKRIMAGE = 'dockerImage' +DEFAULT_SERVICE = 'defaultService' +DEVICE_NAME = 'deviceName' +DISKS = 'disks' +DISK_SIZE = 'diskSizeGb' +DISKTYPE = 'diskType' +HEALTH_PATH = 'healthPath' +HOST_RULES = 'hostRules' +IP_PROTO = 'IPProtocol' +MACHINETYPE = 'machineType' +METADATA = 'metadata' +NAME = 'name' +NETWORK = 'network' +NETWORKS = 'networks' +SUBNETWORK = 'subnetwork' +PATH_MATCHERS = 'pathMatchers' +PORT = 'port' +PROJECT = 'project' +SERVICE = 'service' +SERVICE_ACCOUNTS = 'serviceAccounts' +SRCIMAGE = 'sourceImage' +SRC_RANGES = 'sourceRanges' +TAGS = 'tags' +TYPE = 'type' +VM_TEMPLATE = 'instanceTemplate' +ZONE = 'zone' + +# Zone specfic VM properties +VM_ZONE_PROPERTIES = [DISKTYPE, MACHINETYPE, BOOTDISK] + +# Resource type defaults names +ADDRESS = 'compute.v1.address' +AUTOSCALER = 'compute.v1.autoscaler' +BACKEND_SERVICE = 'compute.v1.backendService' +DISK = 'compute.v1.disk' +ENDPOINT = 'serviceregistry.v1alpha.endpoint' +FIREWALL = 'compute.v1.firewall' 
+GF_RULE = 'compute.v1.globalForwardingRule' +HEALTHCHECK = 'compute.v1.httpHealthCheck' +IGM = 'compute.v1.instanceGroupManager' +INSTANCE = 'compute.v1.instance' +PROXY = 'compute.v1.targetHttpProxy' +TEMPLATE = 'compute.v1.instanceTemplate' +REGION_IGM = 'compute.v1.regionInstanceGroupManager' +REGION_AUTOSCALER = 'compute.v1.regionAutoscaler' +URL_MAP = 'compute.v1.urlMap' +VPC='compute.v1.network' +VPC_SUBNET='compute.v1.subnetwork' + +# Also Known As constants +AKA = { + TEMPLATE: 'tmplt', + AUTOSCALER: 'as', + BACKEND_SERVICE: 'bes', + DISK: 'disk', + FIREWALL: 'fwall', + GF_RULE: 'ip', + HEALTHCHECK: 'hc', + INSTANCE: 'vm', + PROXY: 'tproxy', + IGM: 'igm', + URL_MAP: 'umap', +} + +LOC = { + 'europe': 'eu', + 'asia': 'as', + 'central': 'c', + 'east': 'e', + 'west': 'w', + 'north': 'n', + 'south': 's', +} diff --git a/deprecated/gcp/R80.40-R81/ha-payg/images.py b/deprecated/gcp/R80.40-R81/ha-payg/images.py new file mode 100644 index 00000000..7b04bee0 --- /dev/null +++ b/deprecated/gcp/R80.40-R81/ha-payg/images.py 
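Review bot: `NETWORKS = 'networks'` is assigned twice in this module, once in the "properties namespace" group and again in the "1st level properties" group, which contradicts the docstring's goal of identifying which names are custom versus official GCP names; drop the second assignment or move the constant to the group it belongs in. The two VPC constants are also the only ones written without spaces around `=` (`VPC='compute.v1.network'`, `VPC_SUBNET='compute.v1.subnetwork'`); `VPC = 'compute.v1.network'` matches the rest of the file. Neither affects behaviour, but this module is copied verbatim into several deployment packages in this commit, so inconsistencies here multiply.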
@@ -0,0 +1,34 @@ +IMAGES = { + "check-point-r8120-payg": "check-point-r8120-payg-631-991001560-v20240425", + "check-point-r8120-gw-payg-single": "check-point-r8120-gw-payg-single-631-991001560-v20240425", + "check-point-r8120-gw-payg-mig": "check-point-r8120-gw-payg-mig-631-991001560-v20240425", + "check-point-r8120-gw-payg-cluster": "check-point-r8120-gw-payg-cluster-631-991001560-v20240425", + "check-point-r8120-gw-byol-single": "check-point-r8120-gw-byol-single-631-991001560-v20240425", + "check-point-r8120-gw-byol-mig": "check-point-r8120-gw-byol-mig-631-991001560-v20240425", + "check-point-r8120-gw-byol-cluster": "check-point-r8120-gw-byol-cluster-631-991001560-v20240425", + "check-point-r8120-byol": "check-point-r8120-byol-631-991001560-v20240425", + "check-point-r8110-payg": "check-point-r8110-payg-335-991001560-v20240425", + "check-point-r8110-gw-payg-single": "check-point-r8110-gw-payg-single-335-991001560-v20240425", + "check-point-r8110-gw-payg-mig": "check-point-r8110-gw-payg-mig-335-991001560-v20240425", + "check-point-r8110-gw-payg-cluster": "check-point-r8110-gw-payg-cluster-335-991001560-v20240425", + "check-point-r8110-gw-byol-single": "check-point-r8110-gw-byol-single-335-991001560-v20240425", + "check-point-r8110-gw-byol-mig": "check-point-r8110-gw-byol-mig-335-991001560-v20240425", + "check-point-r8110-gw-byol-cluster": "check-point-r8110-gw-byol-cluster-335-991001560-v20240425", + "check-point-r8110-byol": "check-point-r8110-byol-335-991001560-v20240425", + "check-point-r81-payg": "check-point-r81-payg-392-991001560-v20240425", + "check-point-r81-gw-payg-single": "check-point-r81-gw-payg-single-392-991001560-v20240425", + "check-point-r81-gw-payg-mig": "check-point-r81-gw-payg-mig-392-991001560-v20240425", + "check-point-r81-gw-payg-cluster": "check-point-r81-gw-payg-cluster-392-991001560-v20240425", + "check-point-r81-gw-byol-single": "check-point-r81-gw-byol-single-392-991001560-v20240425", + "check-point-r81-gw-byol-mig": 
"check-point-r81-gw-byol-mig-392-991001560-v20240425", + "check-point-r81-gw-byol-cluster": "check-point-r81-gw-byol-cluster-392-991001560-v20240425", + "check-point-r81-byol": "check-point-r81-byol-392-991001560-v20240425", + "check-point-r8040-payg": "check-point-r8040-payg-294-991001560-v20240425", + "check-point-r8040-gw-payg-single": "check-point-r8040-gw-payg-single-294-991001564-v20240505", + "check-point-r8040-gw-payg-mig": "check-point-r8040-gw-payg-mig-294-991001564-v20240505", + "check-point-r8040-gw-payg-cluster": "check-point-r8040-gw-payg-cluster-294-991001564-v20240505", + "check-point-r8040-gw-byol-single": "check-point-r8040-gw-byol-single-294-991001564-v20240505", + "check-point-r8040-gw-byol-mig": "check-point-r8040-gw-byol-mig-294-991001564-v20240505", + "check-point-r8040-gw-byol-cluster": "check-point-r8040-gw-byol-cluster-294-991001564-v20240505", + "check-point-r8040-byol": "check-point-r8040-byol-294-991001560-v20240425" +} \ No newline at end of file diff --git a/deprecated/gcp/R80.40-R81/ha-payg/password.py b/deprecated/gcp/R80.40-R81/ha-payg/password.py new file mode 100644 index 00000000..273210a6 --- /dev/null +++ b/deprecated/gcp/R80.40-R81/ha-payg/password.py 
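Review bot: The six R80.40 gateway entries (`check-point-r8040-gw-*`) are pinned to build `294-991001564-v20240505` while `check-point-r8040-payg` and `check-point-r8040-byol` stay on `294-991001560-v20240425`; every other version family uses a single build across all its entries, so this looks like either a deliberate gateway-only refresh or a partial update. If it is intentional, a comment above the dict recording it would stop the next maintainer from "fixing" it, e.g. `# R80.40 gateway images were refreshed to 991001564 (2024-05-05); the standalone/management images intentionally remain on 991001560`. Since these names are the only thing selecting which image boots, the file also deserves a one-line header noting that it is the single source of truth for image pins and must be bumped together with any hardcoded image name elsewhere in the package.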
@@ -0,0 +1,135 @@ +# Copyright 2015 Google Inc. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +"""A DM template that generates password as an output, namely "password". + +An example YAML showing how this template can be used: + resources: + - name: generated-password + type: password.py + properties: + length: 8 + includeSymbols: true + - name: main-template + type: main-template.jinja + properties: + password: $(ref.generated-password.password) + +Input properties to this template: + - length: the length of the generated password. At least 8. Default 8. + - includeSymbols: true/false whether to include symbol chars. Default false. + +The generated password satisfies the following requirements: + - The length is as specified, + - Containing letters and numbers, and optionally symbols if specified, + - Starting with a letter, + - Containing characters from at least 3 of the 4 categories: uppercases, + lowercases, numbers, and symbols. + +""" + +import random +import yaml + +PROPERTY_LENGTH = 'length' +PROPERTY_INCLUDE_SYMBOLS = 'includeSymbols' + +# Note the omission of some hard to distinguish characters like I, l, 0, and O. +UPPERS = 'ABCDEFGHJKLMNPQRSTUVWXYZ' +LOWERS = 'abcdefghijkmnopqrstuvwxyz' +ALPHABET = UPPERS + LOWERS +DIGITS = '123456789' +ALPHANUMS = ALPHABET + DIGITS +# Including only symbols that can be passed around easily in shell scripts. +SYMBOLS = '*-+.' 
+ +CANDIDATES_WITH_SYMBOLS = ALPHANUMS + SYMBOLS +CANDIDATES_WITHOUT_SYMBOLS = ALPHANUMS + +CATEGORIES_WITH_SYMBOLS = [UPPERS, LOWERS, DIGITS, SYMBOLS] +CATEGORIES_WITHOUT_SYMBOLS = [UPPERS, LOWERS, DIGITS] + +MIN_LENGTH = 8 + + +class InputError(Exception): + """Raised when input properties are unexpected.""" + + +def GenerateConfig(context): + """Entry function to generate the DM config.""" + props = context.properties + length = props.setdefault(PROPERTY_LENGTH, MIN_LENGTH) + include_symbols = props.setdefault(PROPERTY_INCLUDE_SYMBOLS, False) + + if not isinstance(include_symbols, bool): + raise InputError('%s must be a boolean' % PROPERTY_INCLUDE_SYMBOLS) + + content = { + 'resources': [], + 'outputs': [{ + 'name': 'password', + 'value': GeneratePassword(length, include_symbols) + }] + } + return yaml.dump(content) + + +def GeneratePassword(length=8, include_symbols=False): + """Generates a random password.""" + if length < MIN_LENGTH: + raise InputError('Password length must be at least %d' % MIN_LENGTH) + + candidates = (CANDIDATES_WITH_SYMBOLS if include_symbols + else CANDIDATES_WITHOUT_SYMBOLS) + categories = (CATEGORIES_WITH_SYMBOLS if include_symbols + else CATEGORIES_WITHOUT_SYMBOLS) + + # Generates up to the specified length minus the number of categories. + # Then inserts one character for each category, ensuring that the character + # satisfy the category if the generated string hasn't already. + generated = ([random.choice(ALPHABET)] + + [random.choice(candidates) + for _ in range(length - 1 - len(categories))]) + for category in categories: + _InsertAndEnsureSatisfaction(generated, category, candidates) + return ''.join(generated) + + +def _InsertAndEnsureSatisfaction(generated, required, all_candidates): + """Inserts 1 char into generated, satisfying required if not already. + + If the required characters are not already in the generated string, one will + be inserted. 
If any required character is already in the generated string, a + random character from all_candidates will be inserted. The insertion happens + at a random location but not at the beginning. + + Args: + generated: the string to be modified. + required: list of required characters to check for. + all_candidates: list of characters to choose from if the required characters + are already satisfied. + """ + if set(generated).isdisjoint(required): + # Not yet satisfied. Insert a required candidate. + _InsertInto(generated, required) + else: + # Already satisfied. Insert any candidate. + _InsertInto(generated, all_candidates) + + +def _InsertInto(generated, candidates): + """Inserts a random candidate into a random non-zero index of generated.""" + # Avoids inserting at index 0, since the first character follows its own rule. + generated.insert(random.randint(1, len(generated) - 1), + random.choice(candidates)) diff --git a/deprecated/gcp/R80.40-R81/single-byol/README.md b/deprecated/gcp/R80.40-R81/single-byol/README.md new file mode 100644 index 00000000..4c14d447 --- /dev/null +++ b/deprecated/gcp/R80.40-R81/single-byol/README.md 
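Review bot: The administrator password is produced with `random.choice` and `random.randint`, i.e. the Mersenne Twister, which is not a CSPRNG; a module-level `_RNG = random.SystemRandom()` (available in both Python 2.7 and 3, so no new import) should back every draw in `GeneratePassword` and `_InsertInto`. The reduced alphabets (no `0`, `I`, `O`, `l`, only four symbols) and the default length of 8 also leave little margin, so the module docstring should warn that callers wanting a strong credential must raise `length` well above `MIN_LENGTH`. Finally, the value is returned as a Deployment Manager output named `password`, which means it is readable by anyone who can view the deployment manifest; that belongs in the docstring as an explicit caveat.
```python
_RNG = random.SystemRandom()  # os.urandom-backed; the default generator is predictable

# … unchanged: GenerateConfig …

    generated = ([_RNG.choice(ALPHABET)] +
                 [_RNG.choice(candidates)
                  for _ in range(length - 1 - len(categories))])
# … unchanged: category insertion loop, _InsertAndEnsureSatisfaction …

    generated.insert(_RNG.randint(1, len(generated) - 1),
                     _RNG.choice(candidates))
```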
@@ -0,0 +1,134 @@ +# GCP Deployment Manager package for Management, Gateway and Standalone BYOL solutions +This directory contains CloudGuard IaaS deployment package for Management, Gateway and Standalone BYOL solution published in the [GCP Marketplace](https://console.cloud.google.com/marketplace/details/checkpoint-public/check-point-cloudguard-byol). + +# How to deploy the package manually +To deploy the Deployment Manager's package manually, without using the GCP Marketplace, follow these instructions: +1. Clone or download the files in this directory +2. Fill variables in the config.yaml(see below for variables descriptions). +3. Log into [Google Cloud Platform Console](https://console.cloud.google.com) +4. [Activate Cloud Shell](https://cloud.google.com/shell/docs/using-cloud-shell) +5. Set your Cloud Platform project in the Cloud Shell session use: + + gcloud config set project [PROJECT_ID] +6. Upload the content of the CloudGuardIaaS/gcp/deployment-packages/single-byol/ directory to the [cloud shell](https://cloud.google.com/shell/docs/uploading-and-downloading-files) +7. Launch deployment by running: + + gcloud deployment-manager deployments create [DEPLOYMENT_NAME] --config config.yaml +8. Make sure the deployment finished successfully.
Example of successful deployment output: + + The fingerprint of the deployment is NEBnvNbqOItDoLZrhYNo5Q== + Waiting for create [operation-1585065238276-5a19bc2792a32-becd058d-67862f39]...done. + Create operation operation-1585065238276-5a19bc2792a32-becd058d-67862f39 completed successfully. + NAME TYPE STATE ERRORS INTENT + gateway-config runtimeconfig.v1beta1.config COMPLETED [] + gateway-software runtimeconfig.v1beta1.waiter COMPLETED [] + gateway-vm compute.v1.instance COMPLETED [] + gateway-vm-address compute.v1.address COMPLETED [] + OUTPUTS VALUE + Deployment gateway + Instance gateway-single-vm + +## config.yaml variables +| Name | Description | Type | Allowed values | +| ------------- | ------------- | ------------- | ------------- | +| **zone** | The zone determines what computing resources are available and where your data is stored and used | string | List of allowed [Regions and Zones](https://cloud.google.com/compute/docs/regions-zones?_ga=2.31926582.-962483654.1585043745) | +| | | | | | +| **machineType** | Machine types determine the specifications of your machines, such as the amount of memory, virtual cores, and persistent disk limits an instance will have | string | [Learn more about Machine Types](https://cloud.google.com/compute/docs/machine-types?hl=en_US&_ga=2.267871494.-962483654.1585043745) | +| | | | | | +| **network** | The network determines what network traffic the instance can access | string | Available network in the chosen zone | +| | | | | | +| **Subnetwork** | Assigns the instance an IPv4 address from the subnetwork’s range. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. | string | Available subnetwork in the chosen network | +| | | | | | +| **network_enableTcp** | Allow TCP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **network_tcpSourceRanges** | Allow TCP traffic from the Internet | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009 [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **network_enableGwNetwork** | This is relevant for **Management** only. The network in which managed gateways reside | boolean | true;
false; | +| | | | | | +| **network_gwNetworkSourceRanges** | Allow TCP traffic from the Internet | string | Enter a valid IPv4 network CIDR (e.g. 0.0.0.0/0) | +| | | | | | +| **network_enableIcmp** | Allow ICMP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **network_icmpSourceRanges** | Source IP ranges for ICMP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **network_enableUdp** | Allow UDP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **network_udpSourceRanges** | Source IP ranges for UDP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **network_enableSctp** | Allow SCTP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **network_sctpSourceRanges** | Source IP ranges for SCTP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **network_enableEsp** | Allow ESP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **network_espSourceRanges** | Source IP ranges for ESP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **externalIP** | External IP address type | string | Static;
Ephemeral;
None;
An external IP address associated with this instance. Selecting "None" will result in the instance having no external internet access. [Learn more](https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address?_ga=2.259654658.-962483654.1585043745) | +| | | | | | +| **installationType** | Installation type and version | string | R80.40 Gateway only
R80.40 Management only
R80.40 Manual Configuration
R80.40 Gateway and Management (Standalone)
R81.00 Gateway only
R81.00 Management only
R81.00 Manual Configuration
R81.00 Gateway and Management (Standalone)
R81.10 Gateway only
R81.10 Management only
R81.10 Manual Configuration
R81.10 Gateway and Management (Standalone)
R81.20 Gateway only
R81.20 Management only
R81.20 Manual Configuration
R81.20 Gateway and Management (Standalone) | +| | | | | | +| **smart1CloudToken** | Smart-1 Cloud token to connect this gateway to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal.| +| | | | | | +| **diskType** | Disk type | string | pd-ssd;
pd-standard;
Storage space is much less expensive for a standard persistent disk. An SSD persistent disk is better for random IOPS or streaming throughput with low latency. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.66020774.-962483654.1585043745#overview_of_disk_types)| +| | | | | | +| **bootDiskSizeGb** | Disk size in GB | number | Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.232680471.-962483654.1585043745#pdperformance)| +| | | | | | +| **generatePassword** | Automatically generate an administrator password | boolean | true;
false; | +| | | | | | +| **allowUploadDownload** | Allow download from/upload to Check Point | boolean | true;
false; | +| | | | | | +| **enableMonitoring** | Enable Stackdriver monitoring | boolean | true;
false; | +| | | | | | +| **shell** | Admin shell | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh;
| +| | | | | | +| **instanceSSHKey** | Public SSH key for the user 'admin' | string | A valid public ssh key | +| | | | | | +| **sicKey** | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server | string | At least 8 alpha numeric characters.
If SIC is not provided and needed, a key will be automatically generated | +| | | | | | +| **managementGUIClientNetwork** | Allowed GUI clients | string | A valid IPv4 network CIDR (e.g. 0.0.0.0/0) | +| | | | | | +| **numAdditionalNICs** | Number of additional network interfaces | number | A number in the range 0 - 7.
Multiple network interfaces deployment is described in [sk121637 - Deploy a CloudGuard for GCP with Multiple Network Interfaces](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk121637) | +| | | | | | + +## Example + zone: "asia-east1-a" + machineType: "n1-standard-4" + network: "frontend-vpc" + subnetwork: "frontend" + network_enableTcp: true + network_tcpSourceRanges: "0.0.0.0/0" + network_enableGwNetwork: true + network_gwNetworkSourceRanges: "0.0.0.0/0" + network_enableIcmp: true + network_icmpSourceRanges: "0.0.0.0/0" + network_enableUdp: true + network_udpSourceRanges: "0.0.0.0/0" + network_enableSctp: false + network_sctpSourceRanges: "" + network_enableEsp: false + network_espSourceRanges: "" + externalIP: "Static" + installationType: "R81.10 Gateway only" + smart1CloudToken: "xxxxxxxxxxxxxxxxxxxxxxxx" + diskType: "pd-ssd" + bootDiskSizeGb: 100 + generatePassword: false + allowUploadDownload: true + enableMonitoring: false + shell: "/bin/bash" + instanceSSHKey: "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" + sicKey: "xxxxxxxx" + managementGUIClientNetwork: "0.0.0.0/0" + numAdditionalNICs: 1 + additionalNetwork1: "backend-vpc1" + additionalSubnetwork1: "backend1" + externalIP1": "None" + additionalNetwork2": "backend-vpc2" + additionalSubnetwork2": "backend2" + externalIP2": "None" + + + + +## Notes +See [sk147032](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk147032) for revision history \ No newline at end of file diff --git a/deprecated/gcp/R80.40-R81/single-byol/c2d_deployment_configuration.json b/deprecated/gcp/R80.40-R81/single-byol/c2d_deployment_configuration.json new file mode 100644 index 00000000..006d39c7 --- /dev/null +++ b/deprecated/gcp/R80.40-R81/single-byol/c2d_deployment_configuration.json 
@@ -0,0 +1,7 @@ +{ + "defaultDeploymentType": "SINGLE_VM", + "imageName": "check-point-r8120-gw-byol-single-631-991001475-v20231221", + "projectId": "checkpoint-public", + "templateName": "nonexistent_template", + "useSolutionPackage": "true" +} diff --git a/deprecated/gcp/R80.40-R81/single-byol/check-point-vsec--byol.py b/deprecated/gcp/R80.40-R81/single-byol/check-point-vsec--byol.py new file mode 100644 index 00000000..d1fd7411 --- /dev/null +++ b/deprecated/gcp/R80.40-R81/single-byol/check-point-vsec--byol.py 
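Review bot: `imageName` pins `check-point-r8120-gw-byol-single-631-991001475-v20231221`, but `images.py` added in this same commit maps that family to `check-point-r8120-gw-byol-single-631-991001560-v20240425`, so whichever consumer reads this file boots an older build than the template itself would. Unless the older pin is deliberate, update it to the `991001560-v20240425` name so the two files agree, and consider deriving one from the other to avoid future drift. `"useSolutionPackage": "true"` is a string rather than a JSON boolean and `"templateName": "nonexistent_template"` reads like a placeholder; I cannot tell from here whether the consumer tolerates either, so it is worth confirming.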
@@ -0,0 +1,479 @@ +# Copyright 2016 Check Point Software LTD. +import common +import default +import images +import password + +GATEWAY = 'checkpoint-gateway' +MANAGEMENT = 'checkpoint-management' + +PROJECT = 'checkpoint-public' +LICENSE = 'byol' +LICENCE_TYPE = 'single' + +VERSIONS = { + 'R80.40': 'r8040', + 'R80.40-GW': 'r8040-gw', + 'R81': 'r81', + 'R81-GW': 'r81-gw', + 'R81.10': 'r8110', + 'R81.10-GW': 'r8110-gw', + 'R81.20': 'r8120', + 'R81.20-GW': 'r8120-gw' +} + +ADDITIONAL_NETWORK = 'additionalNetwork{}' +ADDITIONAL_SUBNET = 'additionalSubnetwork{}' +ADDITIONAL_EXTERNAL_IP = 'externalIP{}' +MAX_NICS = 8 + +TEMPLATE_NAME = 'single' +TEMPLATE_VERSION = '20231221' + +ATTRIBUTES = { + 'Gateway and Management (Standalone)': { + 'tags': [GATEWAY, MANAGEMENT], + 'description': 'Check Point Security Gateway and Management', + 'canIpForward': True, + }, + 'Management only': { + 'tags': [MANAGEMENT], + 'description': 'Check Point Security Management', + 'canIpForward': False, + }, + 'Gateway only': { + 'tags': [GATEWAY], + 'description': 'Check Point Security Gateway', + 'canIpForward': True, + }, + 'Manual Configuration': { + 'tags': [], + 'description': 'Check Point', + 'canIpForward': True, + } +} + +startup_script = ''' +#cloud-config +runcmd: + - 'python3 /etc/cloud_config.py "generatePassword=\\"{generatePassword}\\"" "allowUploadDownload=\\"{allowUploadDownload}\\"" "templateName=\\"{templateName}\\"" "templateVersion=\\"{templateVersion}\\"" "mgmtNIC=\\"{mgmtNIC}\\"" "hasInternet=\\"{hasInternet}\\"" "config_url=\\"{config_url}\\"" "config_path=\\"{config_path}\\"" "installationType=\\"{installationType}\\"" "enableMonitoring=\\"{enableMonitoring}\\"" "shell=\\"{shell}\\"" "computed_sic_key=\\"{computed_sic_key}\\"" "sicKey=\\"{sicKey}\\"" "managementGUIClientNetwork=\\"{managementGUIClientNetwork}\\"" "primary_cluster_address_name=\\"{primary_cluster_address_name}\\"" "secondary_cluster_address_name=\\"{secondary_cluster_address_name}\\"" 
"managementNetwork=\\"{managementNetwork}\\"" "numAdditionalNICs=\\"{numAdditionalNICs}\\"" "smart1CloudToken=\\"{smart1CloudToken}\\"" "name=\\"{name}\\"" "zone=\\"{zoneConfig}\\"" "region=\\"{region}\\"" "osVersion=\\"{osVersion}\\"" "MaintenanceModePassword=\\"{maintenanceMode}\\""' +''' + + +def set_name_and_truncate(primary, secondary, maxlength=62): + return '%s%s' % (primary[:maxlength - len(secondary)], secondary) + + +def MakeStaticAddress(vm_name, zone, ifnum=None): + """Creates a static IP address resource; returns it and the natIP.""" + if ifnum: + address_name = set_name_and_truncate(vm_name, + '-address-{}'.format(ifnum)) + else: + address_name = set_name_and_truncate(vm_name, '-address') + address_resource = { + 'name': address_name, + 'type': default.ADDRESS, + 'properties': { + 'name': address_name, + 'region': common.ZoneToRegion(zone), + }, + } + return address_resource, '$(ref.%s.address)' % address_name + + +def make_access_config(resources, vm_name, zone, static, index=None): + name = 'external-address' + if index: + name += '-{}'.format(index) + access_config = { + 'name': name, + 'type': default.ONE_NAT + } + if static: + address_resource, nat_ip = MakeStaticAddress(vm_name, zone, index) + resources.append(address_resource) + access_config['natIP'] = nat_ip + return access_config + + +def create_firewall_rules(prop, net_name, fw_rule_name_prefix, mgmt=False, + uid=''): + firewall_rules = [] + protocols = ['Icmp', 'Udp', 'Tcp', 'Sctp', 'Esp'] + if mgmt: + protocols.remove('Tcp') + for protocol in protocols: + proto = protocol.lower() + source_ranges = prop.get('network' + '_' + proto + 'SourceRanges', '') + protocol_enabled = prop.get('network' + '_enable' + protocol, '') + if protocol_enabled and source_ranges: + firewall_rules.append(make_firewall_rule( + proto, source_ranges, net_name, fw_rule_name_prefix, mgmt, + uid)) + return firewall_rules + + +def make_firewall_rule(protocol, source_ranges, + net_name, fw_rule_name_prefix, mgmt=False, 
uid=''): + ranges = [] + ranges_list = source_ranges.split(',') + for source_range in ranges_list: + ranges.append(source_range.replace(" ", "")) + fw_rule_name = fw_rule_name_prefix + '-' + protocol + if mgmt: + targetTags = [uid] + else: + targetTags = [GATEWAY] + firewall_rule = { + 'type': default.FIREWALL, + 'name': fw_rule_name, + 'properties': { + 'network': 'global/networks/' + net_name, + 'sourceRanges': ranges, + 'targetTags': targetTags, + 'allowed': [{'IPProtocol': protocol}], + } + } + return firewall_rule + + +def generate_config(context): + """Creates the gateway.""" + prop = context.properties + prop['cloudguardVersion'], _, prop['installationType'] = prop[ + 'installationType'].partition(' ') + if prop['smart1CloudToken'] and prop['installationType'] != 'Gateway only': + raise Exception('Use of Smart-1 Cloud token is allowed only\ + for Gateway development.') + prop['templateName'] = TEMPLATE_NAME + prop['templateVersion'] = TEMPLATE_VERSION + prop['osVersion'] = prop['cloudguardVersion'].replace(".", "") + prop['allowUploadDownload'] = str(prop['allowUploadDownload']).lower() + if not prop['managementGUIClientNetwork'] and prop['installationType'] in { + 'Gateway and Management (Standalone)', 'Management only'}: + raise Exception('Allowed GUI clients are required when installing ' + 'a management server') + for k in ['managementGUIClientNetwork']: + prop.setdefault(k, '') + resources = [] + outputs = [] + network_interfaces = [] + external_ifs = [] + zone = prop['zone'] + deployment = context.env['deployment'] + vm_name = set_name_and_truncate(deployment, '-vm') + access_configs = [] + if prop['externalIP'] != 'None': + access_config = make_access_config(resources, vm_name, zone, + 'Static' == prop['externalIP']) + access_configs.append(access_config) + external_ifs.append(0) + prop['hasInternet'] = 'true' + else: + prop['hasInternet'] = 'false' + network = common.MakeGlobalComputeLink(context, default.NETWORK) + networks = {prop['network']} + 
network_interface = { + 'network': network, + 'accessConfigs': access_configs, + } + if default.SUBNETWORK in prop: + network_interface['subnetwork'] = common.MakeSubnetworkComputeLink( + context, default.SUBNETWORK) + network_interfaces.append(network_interface) + for ifnum in range(1, prop['numAdditionalNICs'] + 1): + net = prop.get(ADDITIONAL_NETWORK.format(ifnum)) + subnet = prop.get(ADDITIONAL_SUBNET.format(ifnum)) + ext_ip = prop.get(ADDITIONAL_EXTERNAL_IP.format(ifnum)) + if not net or not subnet: + raise Exception( + 'Missing network parameters for interface {}'.format(ifnum)) + if net in networks: + raise Exception('Cannot use network "' + net + '" more than once') + networks.add(net) + net = ''.join([ + default.COMPUTE_URL_BASE, + 'projects/', context.env['project'], '/global/networks/', net]) + subnet = ''.join([ + default.COMPUTE_URL_BASE, + 'projects/', context.env['project'], + '/regions/', common.ZoneToRegion(zone), '/subnetworks/', subnet]) + network_interface = { + 'network': net, + 'subnetwork': subnet, + } + if 'None' != ext_ip: + external_ifs.append(ifnum) + access_config = make_access_config( + resources, vm_name, zone, 'Static' == ext_ip, ifnum + 1) + access_configs = [access_config] + network_interface['accessConfigs'] = access_configs + if not prop.get('hasInternet') or 'false' == prop['hasInternet']: + prop['hasInternet'] = 'true' + network_interfaces.append(network_interface) + for ifnum in range(prop['numAdditionalNICs'] + 1, MAX_NICS): + prop.pop(ADDITIONAL_NETWORK.format(ifnum), None) + prop.pop(ADDITIONAL_SUBNET.format(ifnum), None) + prop.pop(ADDITIONAL_EXTERNAL_IP.format(ifnum), None) + deployment_config = set_name_and_truncate(deployment, '-config') + prop['config_url'] = ('https://runtimeconfig.googleapis.com/v1beta1/' + + 'projects/' + context.env[ + 'project'] + '/configs/' + deployment_config) + prop['config_path'] = '/'.join(prop['config_url'].split('/')[-4:]) + prop['deployment_config'] = deployment_config + tags = 
ATTRIBUTES[prop['installationType']]['tags'] + uid = set_name_and_truncate(vm_name, '-' + password.GeneratePassword( + 8, False).lower()) + if prop['installationType'] == 'Gateway only': + prop['cloudguardVersion'] += '-GW' + if not prop.get('sicKey'): + prop['computed_sic_key'] = password.GeneratePassword(12, False) + else: + prop['computed_sic_key'] = prop['sicKey'] + else: + prop['computed_sic_key'] = 'N/A' + outputs.append({ + 'name': 'sicKey', + 'value': prop['computed_sic_key'], + }, ) + if 'gw' in VERSIONS[prop['cloudguardVersion']]: + license_name = "{}-{}".format(LICENSE, LICENCE_TYPE) + else: + license_name = LICENSE + family = '-'.join(['check-point', VERSIONS[prop['cloudguardVersion']], + license_name]) + formatter = common.DefaultFormatter() + gw = { + 'type': default.INSTANCE, + 'name': vm_name, + 'properties': { + 'description': ATTRIBUTES[prop['installationType']]['description'], + 'zone': zone, + 'tags': { + 'items': tags + [uid], + }, + 'machineType': common.MakeLocalComputeLink( + context, default.MACHINETYPE), + 'canIpForward': ATTRIBUTES[ + prop['installationType']]['canIpForward'], + 'networkInterfaces': network_interfaces, + 'disks': [{ + 'autoDelete': True, + 'boot': True, + 'deviceName': common.AutoName( + context.env['name'], default.DISK, 'boot'), + 'initializeParams': { + 'diskType': common.MakeLocalComputeLink( + context, default.DISKTYPE), + 'diskSizeGb': prop['bootDiskSizeGb'], + 'sourceImage': + 'projects/%s/global/images/%s' % ( + PROJECT, images.IMAGES[family]), + }, + 'type': 'PERSISTENT', + }], + 'metadata': { + 'items': [ + { + 'key': 'startup-script', + 'value': formatter.format(startup_script, **prop) + }, + ] + }, + 'serviceAccounts': [{ + 'email': 'default', + 'scopes': [ + 'https://www.googleapis.com/auth/monitoring.write' + ], + }] + } + } + if (prop['externalIP'] != 'None') and ( + 'Manual Configuration' != prop['installationType']): + gw['properties']['serviceAccounts'][0]['scopes'].append( + 
'https://www.googleapis.com/auth/cloudruntimeconfig') + resources.append({ + 'name': deployment_config, + 'type': 'runtimeconfig.v1beta1.config', + 'properties': { + 'config': deployment_config, + 'description': ('Holds software readiness status ' + 'for deployment {}').format(deployment), + }, + }) + resources.append({ + 'name': set_name_and_truncate(deployment, '-software'), + 'type': 'runtimeconfig.v1beta1.waiter', + 'metadata': { + 'dependsOn': [], + }, + 'properties': { + 'parent': '$(ref.' + deployment_config + '.name)', + 'waiter': 'software', + 'timeout': '1800s', + 'success': { + 'cardinality': { + 'number': 1, + 'path': 'status/success', + }, + }, + 'failure': { + 'cardinality': { + 'number': 1, + 'path': 'status/failure', + }, + }, + }, + }) + if 'instanceSSHKey' in prop: + gw['properties']['metadata']['items'].append( + { + 'key': 'instanceSSHKey', + 'value': prop['instanceSSHKey'] + } + ) + if prop['generatePassword']: + passwd = password.GeneratePassword(12, False) + gw['properties']['metadata']['items'].append( + { + 'key': 'adminPasswordSourceMetadata', + 'value': passwd + } + ) + else: + passwd = '' + resources.append(gw) + netlist = list(networks) + + if GATEWAY in tags: + for i in range(len(netlist)): + network = netlist[i] + fw_rule_name_prefix = set_name_and_truncate( + gen_fw_rule_name_deployment_network_prefix( + deployment, network), + '-allow-all-to-chkp-{}'.format(i + 1)) + firewall_rules = create_firewall_rules( + prop, network, fw_rule_name_prefix) + resources.extend(firewall_rules) + elif MANAGEMENT in tags: + for i in range(len(netlist)): + network = netlist[i] + source_ranges = prop['network_tcpSourceRanges'] + tcp_enabled = prop['network_enableTcp'] + gwNetwork_enabled = prop['network_enableGwNetwork'] + gwNetwork_source_range = prop['network_gwNetworkSourceRanges'] + if source_ranges and not tcp_enabled: + raise Exception( + 'Allowed source IP ranges for TCP traffic are provided ' + 'but TCP not marked as allowed') + if tcp_enabled 
and not source_ranges: + raise Exception('Allowed source IP ranges for TCP traffic' + ' are required when installing ' + 'a management server') + if not gwNetwork_enabled and gwNetwork_source_range: + raise Exception('Gateway network source IP are provided but ' + 'not marked as allowed.') + if gwNetwork_enabled and not gwNetwork_source_range: + raise Exception('Gateway network source IP is required in' + ' MGMT deployment.') + ranges_list = source_ranges.split(',') + gw_network_list = gwNetwork_source_range.split(',') + ranges = [] + gw_net_ranges = [] + for source_range in ranges_list: + ranges.append(source_range.replace(" ", "")) + for gw_net_range in gw_network_list: + gw_net_ranges.append(gw_net_range.replace(" ", "")) + if tcp_enabled: + if gwNetwork_enabled: + resources.append({ + 'type': 'compute.v1.firewall', + 'name': set_name_and_truncate( + gen_fw_rule_name_deployment_network_prefix( + deployment, network), + '-gateways-to-management-{}'.format(i + 1)), + 'properties': { + 'network': 'global/networks/' + network, + 'sourceRanges': list(set(gw_net_ranges + ranges)), + 'sourceTags': [GATEWAY], + 'targetTags': [uid], + 'allowed': [ + { + 'IPProtocol': 'tcp', + 'ports': ['257', '18191', '18210', '18264'] + }, + ], + } + }) + resources.append({ + 'type': 'compute.v1.firewall', + 'name': set_name_and_truncate( + gen_fw_rule_name_deployment_network_prefix(deployment, + network), + '-allow-gui-clients-{}'.format(i + 1)), + 'properties': { + 'network': 'global/networks/' + network, + 'sourceRanges': list(set(ranges)), + 'targetTags': [uid], + 'allowed': [ + { + 'IPProtocol': 'tcp', + 'ports': ['22', '443', '18190', '19009'] + }, + ], + } + }) + fw_rule_name_prefix = set_name_and_truncate( + gen_fw_rule_name_deployment_network_prefix( + deployment, network), + '-allow-all-to-chkp-{}'.format(i + 1)) + firewall_rules = create_firewall_rules( + prop, network, fw_rule_name_prefix, True, uid) + resources.extend(firewall_rules) + outputs += [ + { + 'name': 
'deployment', + 'value': deployment + }, + { + 'name': 'project', + 'value': context.env['project'] + }, + { + 'name': 'vmName', + 'value': vm_name, + }, + { + 'name': 'vmId', + 'value': '$(ref.%s.id)' % vm_name, + }, + { + 'name': 'vmSelfLink', + 'value': '$(ref.%s.selfLink)' % vm_name, + }, + { + 'name': 'hasMultiExternalIPs', + 'value': 0 < len(external_ifs) and external_ifs != [0], + }, + { + 'name': 'additionalExternalIPs', + 'value': ', '.join([('$(ref.{}.networkInterfaces[{}].' + + 'accessConfigs[0].natIP)').format( + vm_name, ifnum) for ifnum in external_ifs if ifnum]) + }, + { + 'name': 'vmInternalIP', + 'value': '$(ref.%s.networkInterfaces[0].networkIP)' % vm_name, + }, + { + 'name': 'password', + 'value': passwd + } + ] + return common.MakeResource(resources, outputs) + + +def gen_fw_rule_name_deployment_network_prefix(deployment_name, network_name): + return '{}-{}'. \ + format(deployment_name[:20], network_name[:16]) diff --git a/deprecated/gcp/R80.40-R81/single-byol/check-point-vsec--byol.py.schema b/deprecated/gcp/R80.40-R81/single-byol/check-point-vsec--byol.py.schema new file mode 100644 index 00000000..f08b551a --- /dev/null +++ b/deprecated/gcp/R80.40-R81/single-byol/check-point-vsec--byol.py.schema 
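Review bot: The SIC key from `password.GeneratePassword(12, False)`, the generated admin password, `smart1CloudToken` and `maintenanceMode` are all written verbatim into the instance's `startup-script` / `adminPasswordSourceMetadata` metadata items, and the first two are additionally returned as the `sicKey` and `password` outputs, so anyone who can read the instance metadata or the deployment manifest recovers them; nothing in `generate_config` clears or rotates them after provisioning. That exposure deserves a line in the docstring, e.g. `Secrets (SIC key, Smart-1 Cloud token, admin and maintenance-mode passwords) are passed through instance metadata and returned as deployment outputs; treat read access to the deployment or instance as access to them.`, and ideally a follow-up that removes the metadata items once the first-boot script has consumed them. Separately, the `prop.setdefault(k, '')` loop for `managementGUIClientNetwork` runs after the direct `prop['managementGUIClientNetwork']` lookup it is meant to protect, so it can never take effect; move it above the `if not prop['managementGUIClientNetwork'] ...` check. The backslash continuation inside the Smart-1 Cloud `raise Exception(...)` literal also keeps the source indentation inside the message text; use adjacent string literals as the other raises in this function do.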
@@ -0,0 +1,363 @@ +imports: + - path: check-point-vsec--byol.py + +info: + version: 1.0 + title: Check Point CloudGuard Network Security - BYOL Template + +required: + - zone + - machineType + - network + - diskType + - bootDiskSizeGb + - installationType + - allowUploadDownload + - shell + - managementGUIClientNetwork + - generatePassword + - enableMonitoring + - numAdditionalNICs + +properties: + zone: + type: string + default: us-central1-a + x-googleProperty: + type: GCE_ZONE + machineType: + type: string + default: n1-standard-4 + x-googleProperty: + type: GCE_MACHINE_TYPE + zoneProperty: zone + gceMachineType: + minCpu: 2 + minRamGb: 1.843000054359436 + network: + type: string + default: default + x-googleProperty: + type: GCE_NETWORK + subnetwork: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: network + network_enableTcp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: network + network_tcpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: network_enableTcp + network_enableGwNetwork: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: network + network_gwNetworkSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: network_enableGwNetwork + network_enableIcmp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: network + network_icmpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: network_enableIcmp + network_enableUdp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: network + network_udpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + 
gceFirewallRange: + firewallProperty: network_enableUdp + network_enableSctp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: network + network_sctpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: network_enableSctp + network_enableEsp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: network + network_espSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: network_enableEsp + smart1CloudToken: + type: string + default: '' + diskType: + type: string + default: pd-ssd + x-googleProperty: + type: GCE_DISK_TYPE + zoneProperty: zone + bootDiskSizeGb: + type: integer + maximum: 1000 + default: 100 + minimum: 100 + x-googleProperty: + type: GCE_DISK_SIZE + gceDiskSize: + diskTypeProperty: diskType + installationType: + type: string + default: R81.20 Gateway only + enum: + - R80.40 Gateway only + - R80.40 Management only + - R80.40 Manual Configuration + - R80.40 Gateway and Management (Standalone) + - R81 Gateway only + - R81 Management only + - R81 Manual Configuration + - R81 Gateway and Management (Standalone) + - R81.10 Gateway only + - R81.10 Management only + - R81.10 Manual Configuration + - R81.10 Gateway and Management (Standalone) + - R81.20 Gateway only + - R81.20 Management only + - R81.20 Manual Configuration + - R81.20 Gateway and Management (Standalone) + maintenanceMode: + type: string + pattern: ^([a-z0-9A-Z.]{12,300}|)$ + default: '' + allowUploadDownload: + type: boolean + default: True + shell: + type: string + default: /etc/cli.sh + enum: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + generatePassword: + type: boolean + default: False + enableMonitoring: + type: boolean + default: False + sicKey: + type: string + pattern: ^([a-z0-9A-Z]{8,30}|)$ + default: '' + managementGUIClientNetwork: + 
type: string + pattern: ^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$ + externalIP: + type: string + enum: + - Static + - Ephemeral + - None + default: Static + instanceSSHKey: + type: string + pattern: ^([0-9a-z\-]+ +[0-9A-Za-z/\+=]+( .*)?|)$ + default: '' + numAdditionalNICs: + type: integer + enum: + - 0 + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + minimum: 0 + maximum: 7 + default: 1 + additionalNetwork1: + type: string + x-googleProperty: + type: GCE_NETWORK + additionalSubnetwork1: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: additionalNetwork1 + externalIP1: + type: string + enum: + - Static + - Ephemeral + - None + default: None + additionalNetwork2: + type: string + x-googleProperty: + type: GCE_NETWORK + additionalSubnetwork2: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: additionalNetwork2 + externalIP2: + type: string + enum: + - Static + - Ephemeral + - None + default: None + additionalNetwork3: + type: string + x-googleProperty: + type: GCE_NETWORK + additionalSubnetwork3: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: additionalNetwork3 + externalIP3: + type: string + enum: + - Static + - Ephemeral + - None + default: None + additionalNetwork4: + type: string + x-googleProperty: + type: GCE_NETWORK + additionalSubnetwork4: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: additionalNetwork4 + externalIP4: + type: string + enum: + - Static + - Ephemeral + - None + default: None + additionalNetwork5: + type: string + x-googleProperty: + type: GCE_NETWORK + additionalSubnetwork5: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: additionalNetwork5 + externalIP5: + type: string + enum: + - Static + - Ephemeral + - 
None + default: None + additionalNetwork6: + type: string + x-googleProperty: + type: GCE_NETWORK + additionalSubnetwork6: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: additionalNetwork6 + externalIP6: + type: string + enum: + - Static + - Ephemeral + - None + default: None + additionalNetwork7: + type: string + x-googleProperty: + type: GCE_NETWORK + additionalSubnetwork7: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: additionalNetwork7 + externalIP7: + type: string + enum: + - Static + - Ephemeral + - None + default: None + +outputs: + deployment: + type: string + project: + type: string + vmId: + type: string + vmInternalIP: + type: string + hasMultiExternalIP: + type: boolean + additionalExternalIPs: + type: string + vmName: + type: string + vmSelfLink: + type: string + password: + type: string diff --git a/deprecated/gcp/R80.40-R81/single-byol/common.py b/deprecated/gcp/R80.40-R81/single-byol/common.py new file mode 100644 index 00000000..e123c502 --- /dev/null +++ b/deprecated/gcp/R80.40-R81/single-byol/common.py 
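Review bot: The `outputs` section declares `hasMultiExternalIP`, but check-point-vsec--byol.py emits the output under the name `hasMultiExternalIPs`, so the declared and produced names never match; rename the schema entry to `hasMultiExternalIPs: type: boolean` (or the Python side, whichever existing consumers depend on). The declared `boolean` type already matches the Python value `0 < len(external_ifs) and external_ifs != [0]`, so only the name needs to change. `maintenanceMode` is accepted here with a 12–300 character pattern but carries no description, and the template forwards it to the startup script as `MaintenanceModePassword`; a one-line `description:` on the property saying so would help users understand what they are setting.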
@@ -0,0 +1,262 @@ +# Copyright 2015 Google Inc. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +"""Generic simple functions used for python based template generation.""" + +import re +import sys +import traceback +import default +import string + +import yaml + +RFC1035_RE = re.compile(r'^[a-z][-a-z0-9]{1,61}[a-z0-9]{1}$') + + +class Error(Exception): + """Common exception wrapper for template exceptions.""" + pass + + +class DefaultFormatter(string.Formatter): + """Returns default instead of key error when looking for keys. + + Used for startup-script which contains params from multiple deployments + whiles keys from one deployment may not be set in another. 
+ """ + def __init__(self, default=''): + self.default = default + def get_value(self, key, args, dict): + if isinstance(key, str): + return dict.get(key, self.default) + else: + return string.Formatter.get_value(key, args, dict) + + +def set_name_and_truncate(primary, secondary, maxlength=62): + return '%s%s' % (primary[:maxlength - len(secondary)], secondary) + + +def AddDiskResourcesIfNeeded(context): + """Checks context if disk resources need to be added.""" + if default.DISK_RESOURCES in context.properties: + return context.properties[default.DISK_RESOURCES] + else: + return [] + + +def AutoName(base, resource, *args): + """Helper method to generate names automatically based on default.""" + auto_name = '%s-%s' % (base, '-'.join(list(args) + [default.AKA[resource]])) + if not RFC1035_RE.match(auto_name): + raise Error('"%s" name for type %s does not match RFC1035 regex (%s)' % + (auto_name, resource, RFC1035_RE.pattern)) + return auto_name + + +def AutoRef(base, resource, *args): + """Helper method that builds a reference for an auto-named resource.""" + return Ref(AutoName(base, resource, *args)) + + +def OrderedItems(dict_obj): + """Convenient method to yield sorted iteritems of a dictionary.""" + keys = list(dict_obj.keys()) + keys.sort() + for k in keys: + yield (k, dict_obj[k]) + + +def ShortenZoneName(zone): + """Given a string that looks like a zone name, creates a shorter version.""" + geo, coord, number, letter = re.findall(r'(\w+)-(\w+)(\d)-(\w)', zone)[0] + geo = geo.lower() if len(geo) == 2 else default.LOC[geo.lower()] + coord = default.LOC[coord.lower()] + number = str(number) + letter = letter.lower() + return geo + '-' + coord + number + letter + + +def ZoneToRegion(zone): + """Derives the region from a zone name.""" + parts = zone.split('-') + if len(parts) != 3: + raise Error('Cannot derive region from zone "%s"' % zone) + return '-'.join(parts[:2]) + + +def FormatException(message): + """Adds more information to the exception.""" + message = 
('Exception Type: %s\n' + 'Details: %s\n' + 'Message: %s\n') % (sys.exc_info()[0], + traceback.format_exc(), message) + return message + + +def Ref(name): + return '$(ref.%s.selfLink)' % name + + +def RefGroup(name): + return '$(ref.%s.instanceGroup)' % name + + +def GlobalComputeLink(project, collection, name): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/global/', + collection, '/', name]) + +def GlobalNetworkLink(project, network): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/global/', + default.NETWORKS, '/', network]) + + +def LocalComputeLink(project, zone, key, value): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/zones/', + zone, '/', key, '/', value]) + + +def ReadContext(context, prop_key): + return (context.env['project'], context.properties.get('zone', None), + context.properties[prop_key]) + + +def MakeLocalComputeLink(context, key, zone=None): + if not zone: + project, zone, value = ReadContext(context, key) + else: + project, _, value = ReadContext(context, key) + + if IsComputeLink(value): + return value + else: + return LocalComputeLink(project, zone, key + 's', value) + + +def MakeGlobalComputeLink(context, key): + project, _, value = ReadContext(context, key) + if IsComputeLink(value): + return value + else: + return GlobalComputeLink(project, key + 's', value) + +def MakeRegionalSubnetworkLink(project, zone, subnet): + region = ZoneToRegion(zone) + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/regions/', + region, '/subnetworks/', subnet]) + + +def MakeSubnetworkComputeLink(context, key): + project, zone, value = ReadContext(context, key) + region = ZoneToRegion(zone) + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/regions/', + region, '/subnetworks/', value]) + + +def MakeFQHN(context, name): + return '%s.c.%s.internal' % (name, context.env['project']) + + +# TODO(victorg): Consider moving this method to a different file +def 
MakeC2DImageLink(name, dev_mode=False): + if IsGlobalProjectShortcut(name) or name.startswith('http'): + return name + else: + if dev_mode: + return 'global/images/%s' % name + else: + return GlobalComputeLink(default.C2D_IMAGES, 'images', name) + + +def IsGlobalProjectShortcut(name): + return name.startswith('projects/') or name.startswith('global/') + + +def IsComputeLink(name): + return (name.startswith(default.COMPUTE_URL_BASE) or + name.startswith(default.REFERENCE_PREFIX)) + + +def GetNamesAndTypes(resources_dict): + return [(d['name'], d['type']) for d in resources_dict] + + +def SummarizeResources(res_dict): + """Summarizes the name of resources per resource type.""" + result = {} + for res in res_dict: + result.setdefault(res['type'], []).append(res['name']) + return result + + +def ListPropertyValuesOfType(res_dict, prop, res_type): + """Lists all the values for a property of a certain type.""" + return [r['properties'][prop] for r in res_dict if r['type'] == res_type] + + +def MakeResource(resource_list, output_list=None): + """Wrapper for a DM template basic spec.""" + content = {'resources': resource_list} + if output_list: + content['outputs'] = output_list + return yaml.dump(content) + + +def TakeZoneOut(properties): + """Given a properties dictionary, removes the zone specific information.""" + + def _CleanZoneUrl(value): + value = value.split('/')[-1] if IsComputeLink(value) else value + return value + + for name in default.VM_ZONE_PROPERTIES: + if name in properties: + properties[name] = _CleanZoneUrl(properties[name]) + if default.ZONE in properties: + properties.pop(default.ZONE) + if default.BOOTDISK in properties: + properties[default.BOOTDISK] = _CleanZoneUrl(properties[default.BOOTDISK]) + if default.DISKS in properties: + for disk in properties[default.DISKS]: + # Don't touch references to other disks + if default.DISK_SOURCE in disk: + continue + if default.INITIALIZEP in disk: + disk_init = disk[default.INITIALIZEP] + if default.DISKTYPE 
in disk_init: + disk_init[default.DISKTYPE] = _CleanZoneUrl(disk_init[default.DISKTYPE]) + + +def GenerateEmbeddableYaml(yaml_string): + # Because YAML is a space delimited format, we need to be careful about + # embedding one YAML document in another. This function takes in a string in + # YAML format and produces an equivalent YAML representation that can be + # inserted into arbitrary points of another YAML document. It does so by + # printing the YAML string in a single line format. Consistent ordering of + # the string is also guaranteed by using yaml.dump. + yaml_object = yaml.load(yaml_string) + dumped_yaml = yaml.dump(yaml_object, default_flow_style=True) + return dumped_yaml + + +def FormatErrorsDec(func): + """Decorator to format exceptions if they get raised.""" + + def FormatErrorsWrap(context): + try: + return func(context) + except Exception as e: + raise Error(FormatException(e.message)) + + return FormatErrorsWrap diff --git a/deprecated/gcp/R80.40-R81/single-byol/config.yaml b/deprecated/gcp/R80.40-R81/single-byol/config.yaml new file mode 100644 index 00000000..3301dada --- /dev/null +++ b/deprecated/gcp/R80.40-R81/single-byol/config.yaml 
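Review bot: `GenerateEmbeddableYaml` calls `yaml.load(yaml_string)` with no `Loader`; on current PyYAML that raises `TypeError` for the missing argument, and on older releases it defaults to a loader that can construct Python objects from tagged input — change it to `yaml_object = yaml.safe_load(yaml_string)`, which is sufficient because the function only re-serialises plain YAML. In `FormatErrorsWrap`, `e.message` does not exist on Python 3 exceptions, so every template error is replaced by an `AttributeError` before `FormatException` can describe it; use `raise Error(FormatException(str(e))) from e`. `DefaultFormatter.get_value` names its third parameter `dict`, shadowing the builtin; `kwargs` would read better and match `string.Formatter.get_value`'s own signature.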
@@ -0,0 +1,50 @@ +imports: +- path: check-point-vsec--byol.py +- path: common.py +- path: default.py +- path: password.py +- path: images.py + +resources: +- name: check-point-vsec--byol + type: check-point-vsec--byol.py + properties: + zone: "PLEASE ENTER A ZONE" + machineType: "PLEASE ENTER A MACHINE TYPE" + network: "PLEASE ENTER AN EXTERNAL NETWORK ID" + subnetwork: "PLEASE ENTER A SUBNETWORK ID" + network_enableTcp: "PLEASE ENTER true or false" + network_tcpSourceRanges: "PLEASE ENTER TCP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES" + network_enableGwNetwork: "PLEASE ENTER true or false" + network_gwNetworkSourceRanges: "PLEASE ENTER GATEWAY NETWORK SOURCE RANGES FOR MANAGEMENT, AND STANDALONE. LEAVE EMPTY DOUBLE QUOTES FOR GW" + network_enableIcmp: "PLEASE ENTER true or false" + network_icmpSourceRanges: "PLEASE ENTER ICMP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES" + network_enableUdp: "PLEASE ENTER true or false" + network_udpSourceRanges: "PLEASE ENTER UDP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES" + network_enableSctp: "PLEASE ENTER true or false" + network_sctpSourceRanges: "PLEASE ENTER SCTP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES" + network_enableEsp: "PLEASE ENTER true or false" + network_espSourceRanges: "PLEASE ENTER ESP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES" + externalIP: "PLEASE ENTER AN EXTERNAL IP ADDRESS TYPE" + installationType: "PLEASE ENTER AN INSTALLATION TYPE" + #Connecting to Smart-1 Cloud is only available for Gateway only installation + smart1CloudToken: "PLEASE ENTER A TOKEN TO CONNECT TO SMART-1 CLOUD OR LEAVE EMPTY DOUBLE QUOTES" + diskType: "PLEASE ENTER A DISK TYPE" + bootDiskSizeGb: "PLEASE ENTER A DISK SIZE" + generatePassword: "PLEASE ENTER true or false" + allowUploadDownload: "PLEASE ENTER true or false" + enableMonitoring: "PLEASE ENTER true or false" + shell: "PLEASE ENTER A SHELL" + instanceSSHKey: "PLEASE ENTER A VALID PUBLIC KEY" + sicKey: "PLEASE ENTER A SIC KEY" + managementGUIClientNetwork: "PLEASE ENTER A 
MANAGEMENT GUI CLIENT NETWORK" + numAdditionalNICs: "PLEASE ENTER A NUMBER OF ADDITIONAL NICS" + #Define additional NICs networks and subnetworks according the defined numAdditionalNICs value + #If there is no need in additional NICs remove additionalNetwork1 and additionalSubnetwork1 variables + additionalNetwork1: "PLEASE ENTER AN ADDITIONAL NETWORK1 ID" + additionalSubnetwork1: "PLEASE ENTER AN ADDITIONAL SUBNETWORK1 ID" +outputs: +- name: "Deployment" + value: $(ref.check-point-vsec--byol.deployment) +- name: "Instance" + value: $(ref.check-point-vsec--byol.vmName) \ No newline at end of file diff --git a/deprecated/gcp/R80.40-R81/single-byol/default.py b/deprecated/gcp/R80.40-R81/single-byol/default.py new file mode 100644 index 00000000..0c7dd919 --- /dev/null +++ b/deprecated/gcp/R80.40-R81/single-byol/default.py 
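Review bot: `sicKey` and `smart1CloudToken` are taken as plain-text values in the same file as ordinary sizing and network settings, so a filled-in copy of config.yaml is a credential file and nothing in the template marks it as such. A comment directly above those two keys would make that explicit, e.g. `# sicKey and smart1CloudToken are secrets: keep a filled-in copy of this file out of version control`. The comment on additional NICs says to remove `additionalNetwork1`/`additionalSubnetwork1` when none are needed; stating that `numAdditionalNICs` must then be set to 0 in the same comment would avoid a mismatch between the count and the keys present.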
@@ -0,0 +1,134 @@
+# Copyright 2015 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Convenience module to hold default constants for C2D components.
+
+There should not be any logic in this module. Its purpose is to simplify
+analysis of commonly used GCP and properties names and identify the names
+that were custom created for these modules.
+"""
+# Generic constants
+C2D_IMAGES = 'click-to-deploy-images'
+
+# URL constants
+COMPUTE_URL_BASE = 'https://www.googleapis.com/compute/v1/'
+
+# Deployment Manager constructs
+REFERENCE_PREFIX = '$(ref.'
+
+# Commonly used in properties namespace
+AUTO_DELETE = 'autoDelete'
+BOOTDISK = 'bootDiskType'
+BOOTDISKSIZE = 'bootDiskSizeGb'
+C_IMAGE = 'containerImage'
+DC_MANIFEST = 'dcManifest'
+DEPLOYMENT = 'DEPLOYMENT' # used in the deployment coordinator
+DISK_NAME = 'diskName'
+DISK_RESOURCES = 'addedDiskResources'
+DISK_SOURCE = 'source'
+ENDPOINT_NAME = 'serviceRegistryEndpointName'
+FIXED_GCLOUD = 'fixedGcloud'
+GENERATED_PROP = 'generatedProperties'
+INITIALIZEP = 'initializeParams'
+INSTANCE_NAME = 'instanceName'
+LOCAL_SSD = 'localSSDs'
+MAX_NUM = 'maxNumReplicas'
+NETWORKS = 'networks'
+NO_SCOPE = 'noScope'
+PROVIDE_BOOT = 'provideBoot'
+REPLICAS = 'replicas'
+SIZE = 'size'
+VM_COPIES = 'numberOfVMReplicas'
+ZONES = 'zones'
+
+# Common properties values (only official GCP values allowed here)
+EXTERNAL = 'External NAT'
+ONE_NAT = 'ONE_TO_ONE_NAT'
+
+# Common 1st level properties (only official GCP names allowed here)
+CAN_IP_FWD = 'canIpForward'
+CONTAINER = 'container'
+DCKRENV = 'dockerEnv'
+DCKRIMAGE = 'dockerImage'
+DEFAULT_SERVICE = 'defaultService'
+DEVICE_NAME = 'deviceName'
+DISKS = 'disks'
+DISK_SIZE = 'diskSizeGb'
+DISKTYPE = 'diskType'
+HEALTH_PATH = 'healthPath'
+HOST_RULES = 'hostRules'
+IP_PROTO = 'IPProtocol'
+MACHINETYPE = 'machineType'
+METADATA = 'metadata'
+NAME = 'name'
+NETWORK = 'network'
+NETWORKS = 'networks'
+SUBNETWORK = 'subnetwork'
+PATH_MATCHERS = 'pathMatchers'
+PORT = 'port'
+PROJECT = 'project'
+SERVICE = 'service'
+SERVICE_ACCOUNTS = 'serviceAccounts'
+SRCIMAGE = 'sourceImage'
+SRC_RANGES = 'sourceRanges'
+TAGS = 'tags'
+TYPE = 'type'
+VM_TEMPLATE = 'instanceTemplate'
+ZONE = 'zone'
+
+# Zone specfic VM properties
+VM_ZONE_PROPERTIES = [DISKTYPE, MACHINETYPE, BOOTDISK]
+
+# Resource type defaults names
+ADDRESS = 'compute.v1.address'
+AUTOSCALER = 'compute.v1.autoscaler'
+BACKEND_SERVICE = 'compute.v1.backendService'
+DISK = 'compute.v1.disk'
+ENDPOINT = 'serviceregistry.v1alpha.endpoint'
+FIREWALL = 'compute.v1.firewall'
+GF_RULE = 'compute.v1.globalForwardingRule'
+HEALTHCHECK = 'compute.v1.httpHealthCheck'
+IGM = 'compute.v1.instanceGroupManager'
+INSTANCE = 'compute.v1.instance'
+PROXY = 'compute.v1.targetHttpProxy'
+TEMPLATE = 'compute.v1.instanceTemplate'
+REGION_IGM = 'compute.v1.regionInstanceGroupManager'
+REGION_AUTOSCALER = 'compute.v1.regionAutoscaler'
+URL_MAP = 'compute.v1.urlMap'
+VPC='compute.v1.network'
+VPC_SUBNET='compute.v1.subnetwork'
+
+# Also Known As constants
+AKA = {
+ TEMPLATE: 'tmplt',
+ AUTOSCALER: 'as',
+ BACKEND_SERVICE: 'bes',
+ DISK: 'disk',
+ FIREWALL: 'fwall',
+ GF_RULE: 'ip',
+ HEALTHCHECK: 'hc',
+ INSTANCE: 'vm',
+ PROXY: 'tproxy',
+ IGM: 'igm',
+ URL_MAP: 'umap',
+}
+
+LOC = {
+ 'europe': 'eu',
+ 'asia': 'as',
+ 'central': 'c',
+ 'east': 'e',
+ 'west': 'w',
+ 'north': 'n',
+ 'south': 's',
+}
diff --git a/deprecated/gcp/R80.40-R81/single-byol/images.py b/deprecated/gcp/R80.40-R81/single-byol/images.py
new file mode 100644
index 00000000..7b04bee0
--- /dev/null
+++ b/deprecated/gcp/R80.40-R81/single-byol/images.py
@@ -0,0 +1,34 @@ +IMAGES = { + "check-point-r8120-payg": "check-point-r8120-payg-631-991001560-v20240425", + "check-point-r8120-gw-payg-single": "check-point-r8120-gw-payg-single-631-991001560-v20240425", + "check-point-r8120-gw-payg-mig": "check-point-r8120-gw-payg-mig-631-991001560-v20240425", + "check-point-r8120-gw-payg-cluster": "check-point-r8120-gw-payg-cluster-631-991001560-v20240425", + "check-point-r8120-gw-byol-single": "check-point-r8120-gw-byol-single-631-991001560-v20240425", + "check-point-r8120-gw-byol-mig": "check-point-r8120-gw-byol-mig-631-991001560-v20240425", + "check-point-r8120-gw-byol-cluster": "check-point-r8120-gw-byol-cluster-631-991001560-v20240425", + "check-point-r8120-byol": "check-point-r8120-byol-631-991001560-v20240425", + "check-point-r8110-payg": "check-point-r8110-payg-335-991001560-v20240425", + "check-point-r8110-gw-payg-single": "check-point-r8110-gw-payg-single-335-991001560-v20240425", + "check-point-r8110-gw-payg-mig": "check-point-r8110-gw-payg-mig-335-991001560-v20240425", + "check-point-r8110-gw-payg-cluster": "check-point-r8110-gw-payg-cluster-335-991001560-v20240425", + "check-point-r8110-gw-byol-single": "check-point-r8110-gw-byol-single-335-991001560-v20240425", + "check-point-r8110-gw-byol-mig": "check-point-r8110-gw-byol-mig-335-991001560-v20240425", + "check-point-r8110-gw-byol-cluster": "check-point-r8110-gw-byol-cluster-335-991001560-v20240425", + "check-point-r8110-byol": "check-point-r8110-byol-335-991001560-v20240425", + "check-point-r81-payg": "check-point-r81-payg-392-991001560-v20240425", + "check-point-r81-gw-payg-single": "check-point-r81-gw-payg-single-392-991001560-v20240425", + "check-point-r81-gw-payg-mig": "check-point-r81-gw-payg-mig-392-991001560-v20240425", + "check-point-r81-gw-payg-cluster": "check-point-r81-gw-payg-cluster-392-991001560-v20240425", + "check-point-r81-gw-byol-single": "check-point-r81-gw-byol-single-392-991001560-v20240425", + "check-point-r81-gw-byol-mig": 
"check-point-r81-gw-byol-mig-392-991001560-v20240425", + "check-point-r81-gw-byol-cluster": "check-point-r81-gw-byol-cluster-392-991001560-v20240425", + "check-point-r81-byol": "check-point-r81-byol-392-991001560-v20240425", + "check-point-r8040-payg": "check-point-r8040-payg-294-991001560-v20240425", + "check-point-r8040-gw-payg-single": "check-point-r8040-gw-payg-single-294-991001564-v20240505", + "check-point-r8040-gw-payg-mig": "check-point-r8040-gw-payg-mig-294-991001564-v20240505", + "check-point-r8040-gw-payg-cluster": "check-point-r8040-gw-payg-cluster-294-991001564-v20240505", + "check-point-r8040-gw-byol-single": "check-point-r8040-gw-byol-single-294-991001564-v20240505", + "check-point-r8040-gw-byol-mig": "check-point-r8040-gw-byol-mig-294-991001564-v20240505", + "check-point-r8040-gw-byol-cluster": "check-point-r8040-gw-byol-cluster-294-991001564-v20240505", + "check-point-r8040-byol": "check-point-r8040-byol-294-991001560-v20240425" +} \ No newline at end of file diff --git a/deprecated/gcp/R80.40-R81/single-byol/password.py b/deprecated/gcp/R80.40-R81/single-byol/password.py new file mode 100644 index 00000000..273210a6 --- /dev/null +++ b/deprecated/gcp/R80.40-R81/single-byol/password.py 
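Review bot: images.py carries no docstring explaining what `IMAGES` holds or how it is maintained; a one-line module docstring such as `"""Pinned Check Point image names keyed by <version>-<role>-<license>[-<type>]; update the build suffix when a new image is published."""` would tell the next maintainer that these values are deliberately version-pinned and must be changed together. The `check-point-r8040-gw-*` entries point at build `294-991001564-v20240505` while `check-point-r8040-payg` and `check-point-r8040-byol` stay on `294-991001560-v20240425`; if that split is intentional, a short comment on those lines would pre-empt the question of whether two entries were missed in the bump.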
@@ -0,0 +1,135 @@ +# Copyright 2015 Google Inc. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +"""A DM template that generates password as an output, namely "password". + +An example YAML showing how this template can be used: + resources: + - name: generated-password + type: password.py + properties: + length: 8 + includeSymbols: true + - name: main-template + type: main-template.jinja + properties: + password: $(ref.generated-password.password) + +Input properties to this template: + - length: the length of the generated password. At least 8. Default 8. + - includeSymbols: true/false whether to include symbol chars. Default false. + +The generated password satisfies the following requirements: + - The length is as specified, + - Containing letters and numbers, and optionally symbols if specified, + - Starting with a letter, + - Containing characters from at least 3 of the 4 categories: uppercases, + lowercases, numbers, and symbols. + +""" + +import random +import yaml + +PROPERTY_LENGTH = 'length' +PROPERTY_INCLUDE_SYMBOLS = 'includeSymbols' + +# Note the omission of some hard to distinguish characters like I, l, 0, and O. +UPPERS = 'ABCDEFGHJKLMNPQRSTUVWXYZ' +LOWERS = 'abcdefghijkmnopqrstuvwxyz' +ALPHABET = UPPERS + LOWERS +DIGITS = '123456789' +ALPHANUMS = ALPHABET + DIGITS +# Including only symbols that can be passed around easily in shell scripts. +SYMBOLS = '*-+.' 
+ +CANDIDATES_WITH_SYMBOLS = ALPHANUMS + SYMBOLS +CANDIDATES_WITHOUT_SYMBOLS = ALPHANUMS + +CATEGORIES_WITH_SYMBOLS = [UPPERS, LOWERS, DIGITS, SYMBOLS] +CATEGORIES_WITHOUT_SYMBOLS = [UPPERS, LOWERS, DIGITS] + +MIN_LENGTH = 8 + + +class InputError(Exception): + """Raised when input properties are unexpected.""" + + +def GenerateConfig(context): + """Entry function to generate the DM config.""" + props = context.properties + length = props.setdefault(PROPERTY_LENGTH, MIN_LENGTH) + include_symbols = props.setdefault(PROPERTY_INCLUDE_SYMBOLS, False) + + if not isinstance(include_symbols, bool): + raise InputError('%s must be a boolean' % PROPERTY_INCLUDE_SYMBOLS) + + content = { + 'resources': [], + 'outputs': [{ + 'name': 'password', + 'value': GeneratePassword(length, include_symbols) + }] + } + return yaml.dump(content) + + +def GeneratePassword(length=8, include_symbols=False): + """Generates a random password.""" + if length < MIN_LENGTH: + raise InputError('Password length must be at least %d' % MIN_LENGTH) + + candidates = (CANDIDATES_WITH_SYMBOLS if include_symbols + else CANDIDATES_WITHOUT_SYMBOLS) + categories = (CATEGORIES_WITH_SYMBOLS if include_symbols + else CATEGORIES_WITHOUT_SYMBOLS) + + # Generates up to the specified length minus the number of categories. + # Then inserts one character for each category, ensuring that the character + # satisfy the category if the generated string hasn't already. + generated = ([random.choice(ALPHABET)] + + [random.choice(candidates) + for _ in range(length - 1 - len(categories))]) + for category in categories: + _InsertAndEnsureSatisfaction(generated, category, candidates) + return ''.join(generated) + + +def _InsertAndEnsureSatisfaction(generated, required, all_candidates): + """Inserts 1 char into generated, satisfying required if not already. + + If the required characters are not already in the generated string, one will + be inserted. 
If any required character is already in the generated string, a + random character from all_candidates will be inserted. The insertion happens + at a random location but not at the beginning. + + Args: + generated: the string to be modified. + required: list of required characters to check for. + all_candidates: list of characters to choose from if the required characters + are already satisfied. + """ + if set(generated).isdisjoint(required): + # Not yet satisfied. Insert a required candidate. + _InsertInto(generated, required) + else: + # Already satisfied. Insert any candidate. + _InsertInto(generated, all_candidates) + + +def _InsertInto(generated, candidates): + """Inserts a random candidate into a random non-zero index of generated.""" + # Avoids inserting at index 0, since the first character follows its own rule. + generated.insert(random.randint(1, len(generated) - 1), + random.choice(candidates)) diff --git a/deprecated/gcp/R80.40-R81/single-payg/README.md b/deprecated/gcp/R80.40-R81/single-payg/README.md new file mode 100644 index 00000000..c3f9443a --- /dev/null +++ b/deprecated/gcp/R80.40-R81/single-payg/README.md 
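Review bot: GeneratePassword and _InsertInto pick every character with the module-level `random.choice` / `random.randint`, which draw from a non-cryptographic PRNG, yet the result is emitted as the template's `password` output and the module docstring says it is meant as a generated credential. Binding one `random.SystemRandom()` instance at module level and using it at the four call sites keeps the existing `import random`, the function signatures and the character-class guarantees unchanged while sourcing the bytes from the OS. Separately, GenerateConfig validates the type of `includeSymbols` but not of `length`, so a non-integer `length` reaches the `length < MIN_LENGTH` comparison in GeneratePassword; a matching `if not isinstance(length, int): raise InputError('%s must be an integer' % PROPERTY_LENGTH)` would keep the two checks consistent.
```python
# … unchanged: license header, module docstring, imports, character constants …

# Draw from the OS entropy source: the output is used as an admin password.
_RNG = random.SystemRandom()

# … unchanged: InputError, GenerateConfig …


def GeneratePassword(length=8, include_symbols=False):
  # … unchanged: length check, candidates/categories selection, comment …
  generated = ([_RNG.choice(ALPHABET)] +
               [_RNG.choice(candidates)
                for _ in range(length - 1 - len(categories))])
  # … unchanged: per-category insertion loop and join …


def _InsertInto(generated, candidates):
  """Inserts a random candidate into a random non-zero index of generated."""
  # Avoids inserting at index 0, since the first character follows its own rule.
  generated.insert(_RNG.randint(1, len(generated) - 1),
                   _RNG.choice(candidates))
```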
@@ -0,0 +1,133 @@ +# GCP Deployment Manager package for Management, Gateway and Standalone PAYG solutions +This directory contains CloudGuard IaaS deployment package for Management, Gateway and Standalone PAYG solution published in the [GCP Marketplace](https://console.cloud.google.com/marketplace/details/checkpoint-public/check-point-cloudguard-payg). + +# How to deploy the package manually +To deploy the Deployment Manager's package manually, without using the GCP Marketplace, follow these instructions: +1. Clone or download the files in this directory +2. Fill variables in the config.yaml(see below for variables descriptions). +3. Log into [Google Cloud Platform Console](https://console.cloud.google.com) +4. [Activate Cloud Shell](https://cloud.google.com/shell/docs/using-cloud-shell) +5. Set your Cloud Platform project in the Cloud Shell session use: + + gcloud config set project [PROJECT_ID] +6. Upload the content of the CloudGuardIaaS/gcp/deployment-packages/single-payg/ directory to the [cloud shell](https://cloud.google.com/shell/docs/uploading-and-downloading-files) +7. Launch deployment by running: + + gcloud deployment-manager deployments create [DEPLOYMENT_NAME] --config config.yaml +8. Make sure the deployment finished successfully.
Example of successful deployment output: + + The fingerprint of the deployment is NEBnvNbqOItDoLZrhYNo5Q== + Waiting for create [operation-1585065238276-5a19bc2792a32-becd058d-67862f39]...done. + Create operation operation-1585065238276-5a19bc2792a32-becd058d-67862f39 completed successfully. + NAME TYPE STATE ERRORS INTENT + gateway-config runtimeconfig.v1beta1.config COMPLETED [] + gateway-software runtimeconfig.v1beta1.waiter COMPLETED [] + gateway-vm compute.v1.instance COMPLETED [] + gateway-vm-address compute.v1.address COMPLETED [] + OUTPUTS VALUE + Deployment gateway + Instance gateway-single-vm + +## config.yaml variables +| Name | Description | Type | Allowed values | +| ------------- | ------------- | ------------- | ------------- | +| **zone** | The zone determines what computing resources are available and where your data is stored and used | string | List of allowed [Regions and Zones](https://cloud.google.com/compute/docs/regions-zones?_ga=2.31926582.-962483654.1585043745) | +| | | | | | +| **machineType** | Machine types determine the specifications of your machines, such as the amount of memory, virtual cores, and persistent disk limits an instance will have | string | [Learn more about Machine Types](https://cloud.google.com/compute/docs/machine-types?hl=en_US&_ga=2.267871494.-962483654.1585043745) | +| | | | | | +| **network** | The network determines what network traffic the instance can access | string | Available network in the chosen zone | +| | | | | | +| **Subnetwork** | Assigns the instance an IPv4 address from the subnetwork’s range. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. | string | Available subnetwork in the chosen network | +| | | | | | +| **network_enableTcp** | Allow TCP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **network_tcpSourceRanges** | Allow TCP traffic from the Internet | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009 [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **network_enableGwNetwork** | This is relevant for **Management** only. The network in which managed gateways reside | boolean | true;
false; | +| | | | | | +| **network_gwNetworkSourceRanges** | Allow TCP traffic from the Internet | string | Enter a valid IPv4 network CIDR (e.g. 0.0.0.0/0) | +| | | | | | +| **network_enableIcmp** | Allow ICMP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **network_icmpSourceRanges** | Source IP ranges for ICMP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **network_enableUdp** | Allow UDP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **network_udpSourceRanges** | Source IP ranges for UDP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **network_enableSctp** | Allow SCTP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **network_sctpSourceRanges** | Source IP ranges for SCTP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **network_enableEsp** | Allow ESP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **network_espSourceRanges** | Source IP ranges for ESP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **externalIP** | External IP address type | string | Static;
Ephemeral;
None;
An external IP address associated with this instance. Selecting "None" will result in the instance having no external internet access. [Learn more](https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address?_ga=2.259654658.-962483654.1585043745) | +| | | | | | +| **installationType** | Installation type and version | string | R80.40 Gateway only
R80.40 Management only
R80.40 Manual Configuration
R80.40 Gateway and Management (Standalone)
R81.00 Gateway only
R81.00 Management only
R81.00 Manual Configuration
R81.00 Gateway and Management (Standalone)
R81.10 Gateway only
R81.10 Management only
R81.10 Manual Configuration
R81.10 Gateway and Management (Standalone)
R81.20 Gateway only
R81.20 Management only
R81.20 Manual Configuration
R81.20 Gateway and Management (Standalone) | +| **smart1CloudToken** | Smart-1 Cloud token to connect this gateway to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal.| +| | | | | | +| **diskType** | Disk type | string | pd-ssd;
pd-standard;
Storage space is much less expensive for a standard persistent disk. An SSD persistent disk is better for random IOPS or streaming throughput with low latency. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.66020774.-962483654.1585043745#overview_of_disk_types)| +| | | | | | +| **bootDiskSizeGb** | Disk size in GB | number | Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.232680471.-962483654.1585043745#pdperformance)| +| | | | | | +| **generatePassword** | Automatically generate an administrator password | boolean | true;
false; | +| | | | | | +| **allowUploadDownload** | Allow download from/upload to Check Point | boolean | true;
false; | +| | | | | | +| **enableMonitoring** | Enable Stackdriver monitoring | boolean | true;
false; | +| | | | | | +| **shell** | Admin shell | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh;
| +| | | | | | +| **instanceSSHKey** | Public SSH key for the user 'admin' | string | A valid public ssh key | +| | | | | | +| **sicKey** | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server | string | At least 8 alpha numeric characters.
If SIC is not provided and needed, a key will be automatically generated | +| | | | | | +| **managementGUIClientNetwork** | Allowed GUI clients | string | A valid IPv4 network CIDR (e.g. 0.0.0.0/0) | +| | | | | | +| **numAdditionalNICs** | Number of additional network interfaces | number | A number in the range 0 - 7.
Multiple network interfaces deployment is described in [sk121637 - Deploy a CloudGuard for GCP with Multiple Network Interfaces](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk121637) | +| | | | | | + +## Example + zone: "asia-east1-a" + machineType: "n1-standard-4" + network: "frontend-vpc" + subnetwork: "frontend" + network_enableTcp: true + network_tcpSourceRanges: "0.0.0.0/0" + network_enableGwNetwork: true + network_gwNetworkSourceRanges: "0.0.0.0/0" + network_enableIcmp: true + network_icmpSourceRanges: "0.0.0.0/0" + network_enableUdp: true + network_udpSourceRanges: "0.0.0.0/0" + network_enableSctp: false + network_sctpSourceRanges: "" + network_enableEsp: false + network_espSourceRanges: "" + externalIP: "Static" + installationType: "R81.10 Gateway only" + smart1CloudToken: "xxxxxxxxxxxxxxxxxxxxxxxx" + diskType: "pd-ssd" + bootDiskSizeGb: 100 + generatePassword: false + allowUploadDownload: true + enableMonitoring: false + shell: "/bin/bash" + instanceSSHKey: "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" + sicKey: "xxxxxxxx" + managementGUIClientNetwork: "0.0.0.0/0" + numAdditionalNICs: 1 + additionalNetwork1: "backend-vpc1" + additionalSubnetwork1: "backend1" + externalIP1": "None" + additionalNetwork2": "backend-vpc2" + additionalSubnetwork2": "backend2" + externalIP2": "None" + + + + +## Notes +See [sk147032](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk147032) for revision history \ No newline at end of file diff --git a/deprecated/gcp/R80.40-R81/single-payg/c2d_deployment_configuration.json b/deprecated/gcp/R80.40-R81/single-payg/c2d_deployment_configuration.json new file mode 100644 index 00000000..e6af487e --- /dev/null +++ b/deprecated/gcp/R80.40-R81/single-payg/c2d_deployment_configuration.json 
@@ -0,0 +1,7 @@
+{
+ "defaultDeploymentType": "SINGLE_VM",
+ "imageName": "check-point-r8120-gw-payg-single-631-991001475-v20231221",
+ "projectId": "checkpoint-public",
+ "templateName": "nonexistent_template",
+ "useSolutionPackage": "true"
+}
diff --git a/deprecated/gcp/R80.40-R81/single-payg/check-point-vsec--payg.py b/deprecated/gcp/R80.40-R81/single-payg/check-point-vsec--payg.py
new file mode 100644
index 00000000..7165477d
--- /dev/null
+++ b/deprecated/gcp/R80.40-R81/single-payg/check-point-vsec--payg.py
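Review bot: `imageName` pins `check-point-r8120-gw-payg-single-631-991001475-v20231221`, while the single-byol images.py added earlier in this patch maps the same key prefix `check-point-r8120-gw-payg-single` to build `631-991001560-v20240425`; if the two packages are meant to deploy the same image, one of the values is stale and the marketplace entry would boot an older build than the template resolves. `templateName` is `nonexistent_template`, which reads like a placeholder rather than a real template; if it is intentional for the solution-package flow, a line in the package README saying so would stop reviewers from flagging it. `useSolutionPackage` is the string `"true"` rather than a JSON boolean; keep it only if the consuming schema actually expects a string.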
@@ -0,0 +1,474 @@ +# Copyright 2016 Check Point Software LTD. +import common +import default +import images +import password + +GATEWAY = 'checkpoint-gateway' +MANAGEMENT = 'checkpoint-management' + +PROJECT = 'checkpoint-public' +LICENSE = 'payg' +LICENCE_TYPE = 'single' + +VERSIONS = { + 'R80.40': 'r8040', + 'R80.40-GW': 'r8040-gw', + 'R81': 'r81', + 'R81-GW': 'r81-gw', + 'R81.10': 'r8110', + 'R81.10-GW': 'r8110-gw', + 'R81.20': 'r8120', + 'R81.20-GW': 'r8120-gw' +} + +ADDITIONAL_NETWORK = 'additionalNetwork{}' +ADDITIONAL_SUBNET = 'additionalSubnetwork{}' +ADDITIONAL_EXTERNAL_IP = 'externalIP{}' +MAX_NICS = 8 + +TEMPLATE_NAME = 'single' +TEMPLATE_VERSION = '20231221' + +ATTRIBUTES = { + 'Gateway and Management (Standalone)': { + 'tags': [GATEWAY, MANAGEMENT], + 'description': 'Check Point Security Gateway and Management', + 'canIpForward': True, + }, + 'Gateway only': { + 'tags': [GATEWAY], + 'description': 'Check Point Security Gateway', + 'canIpForward': True, + }, + 'Manual Configuration': { + 'tags': [], + 'description': 'Check Point', + 'canIpForward': True, + } +} + +startup_script = ''' +#cloud-config +runcmd: + - 'python3 /etc/cloud_config.py "generatePassword=\\"{generatePassword}\\"" "allowUploadDownload=\\"{allowUploadDownload}\\"" "templateName=\\"{templateName}\\"" "templateVersion=\\"{templateVersion}\\"" "mgmtNIC=\\"{mgmtNIC}\\"" "hasInternet=\\"{hasInternet}\\"" "config_url=\\"{config_url}\\"" "config_path=\\"{config_path}\\"" "installationType=\\"{installationType}\\"" "enableMonitoring=\\"{enableMonitoring}\\"" "shell=\\"{shell}\\"" "computed_sic_key=\\"{computed_sic_key}\\"" "sicKey=\\"{sicKey}\\"" "managementGUIClientNetwork=\\"{managementGUIClientNetwork}\\"" "primary_cluster_address_name=\\"{primary_cluster_address_name}\\"" "secondary_cluster_address_name=\\"{secondary_cluster_address_name}\\"" "managementNetwork=\\"{managementNetwork}\\"" "numAdditionalNICs=\\"{numAdditionalNICs}\\"" "smart1CloudToken=\\"{smart1CloudToken}\\"" 
"name=\\"{name}\\"" "zone=\\"{zoneConfig}\\"" "region=\\"{region}\\"" "osVersion=\\"{osVersion}\\"" "MaintenanceModePassword=\\"{maintenanceMode}\\""' +''' + + +def set_name_and_truncate(primary, secondary, maxlength=62): + return '%s%s' % (primary[:maxlength - len(secondary)], secondary) + + +def MakeStaticAddress(vm_name, zone, ifnum=None): + """Creates a static IP address resource; returns it and the natIP.""" + if ifnum: + address_name = set_name_and_truncate(vm_name, + '-address-{}'.format(ifnum)) + else: + address_name = set_name_and_truncate(vm_name, '-address') + address_resource = { + 'name': address_name, + 'type': default.ADDRESS, + 'properties': { + 'name': address_name, + 'region': common.ZoneToRegion(zone), + }, + } + return address_resource, '$(ref.%s.address)' % address_name + + +def make_access_config(resources, vm_name, zone, static, index=None): + name = 'external-address' + if index: + name += '-{}'.format(index) + access_config = { + 'name': name, + 'type': default.ONE_NAT + } + if static: + address_resource, nat_ip = MakeStaticAddress(vm_name, zone, index) + resources.append(address_resource) + access_config['natIP'] = nat_ip + return access_config + + +def create_firewall_rules(prop, net_name, fw_rule_name_prefix, mgmt=False, + uid=''): + firewall_rules = [] + protocols = ['Icmp', 'Udp', 'Tcp', 'Sctp', 'Esp'] + if mgmt: + protocols.remove('Tcp') + for protocol in protocols: + proto = protocol.lower() + source_ranges = prop.get('network' + '_' + proto + 'SourceRanges', '') + protocol_enabled = prop.get('network' + '_enable' + protocol, '') + if protocol_enabled and source_ranges: + firewall_rules.append(make_firewall_rule( + proto, source_ranges, net_name, fw_rule_name_prefix, mgmt, + uid)) + return firewall_rules + + +def make_firewall_rule(protocol, source_ranges, + net_name, fw_rule_name_prefix, mgmt=False, uid=''): + ranges = [] + ranges_list = source_ranges.split(',') + for source_range in ranges_list: + 
ranges.append(source_range.replace(" ", "")) + fw_rule_name = fw_rule_name_prefix + '-' + protocol + if mgmt: + targetTags = [uid] + else: + targetTags = [GATEWAY] + firewall_rule = { + 'type': default.FIREWALL, + 'name': fw_rule_name, + 'properties': { + 'network': 'global/networks/' + net_name, + 'sourceRanges': ranges, + 'targetTags': targetTags, + 'allowed': [{'IPProtocol': protocol}], + } + } + return firewall_rule + + +def generate_config(context): + """Creates the gateway.""" + prop = context.properties + prop['cloudguardVersion'], _, prop['installationType'] = prop[ + 'installationType'].partition(' ') + if prop['smart1CloudToken'] and prop['installationType'] != 'Gateway only': + raise Exception('Use of Smart-1 Cloud token is allowed only\ + for Gateway development.') + prop['templateName'] = TEMPLATE_NAME + prop['templateVersion'] = TEMPLATE_VERSION + prop['osVersion'] = prop['cloudguardVersion'].replace(".", "") + prop['allowUploadDownload'] = str(prop['allowUploadDownload']).lower() + if not prop['managementGUIClientNetwork'] and prop['installationType'] in { + 'Gateway and Management (Standalone)'}: + raise Exception('Allowed GUI clients are required when installing ' + 'a management server') + for k in ['managementGUIClientNetwork']: + prop.setdefault(k, '') + resources = [] + outputs = [] + network_interfaces = [] + external_ifs = [] + zone = prop['zone'] + deployment = context.env['deployment'] + vm_name = set_name_and_truncate(deployment, '-vm') + access_configs = [] + if prop['externalIP'] != 'None': + access_config = make_access_config(resources, vm_name, zone, + 'Static' == prop['externalIP']) + access_configs.append(access_config) + external_ifs.append(0) + prop['hasInternet'] = 'true' + else: + prop['hasInternet'] = 'false' + network = common.MakeGlobalComputeLink(context, default.NETWORK) + networks = {prop['network']} + network_interface = { + 'network': network, + 'accessConfigs': access_configs, + } + if default.SUBNETWORK in prop: + 
network_interface['subnetwork'] = common.MakeSubnetworkComputeLink( + context, default.SUBNETWORK) + network_interfaces.append(network_interface) + for ifnum in range(1, prop['numAdditionalNICs'] + 1): + net = prop.get(ADDITIONAL_NETWORK.format(ifnum)) + subnet = prop.get(ADDITIONAL_SUBNET.format(ifnum)) + ext_ip = prop.get(ADDITIONAL_EXTERNAL_IP.format(ifnum)) + if not net or not subnet: + raise Exception( + 'Missing network parameters for interface {}'.format(ifnum)) + if net in networks: + raise Exception('Cannot use network "' + net + '" more than once') + networks.add(net) + net = ''.join([ + default.COMPUTE_URL_BASE, + 'projects/', context.env['project'], '/global/networks/', net]) + subnet = ''.join([ + default.COMPUTE_URL_BASE, + 'projects/', context.env['project'], + '/regions/', common.ZoneToRegion(zone), '/subnetworks/', subnet]) + network_interface = { + 'network': net, + 'subnetwork': subnet, + } + if 'None' != ext_ip: + external_ifs.append(ifnum) + access_config = make_access_config( + resources, vm_name, zone, 'Static' == ext_ip, ifnum + 1) + access_configs = [access_config] + network_interface['accessConfigs'] = access_configs + if not prop.get('hasInternet') or 'false' == prop['hasInternet']: + prop['hasInternet'] = 'true' + network_interfaces.append(network_interface) + for ifnum in range(prop['numAdditionalNICs'] + 1, MAX_NICS): + prop.pop(ADDITIONAL_NETWORK.format(ifnum), None) + prop.pop(ADDITIONAL_SUBNET.format(ifnum), None) + prop.pop(ADDITIONAL_EXTERNAL_IP.format(ifnum), None) + deployment_config = set_name_and_truncate(deployment, '-config') + prop['config_url'] = ('https://runtimeconfig.googleapis.com/v1beta1/' + + 'projects/' + context.env[ + 'project'] + '/configs/' + deployment_config) + prop['config_path'] = '/'.join(prop['config_url'].split('/')[-4:]) + prop['deployment_config'] = deployment_config + tags = ATTRIBUTES[prop['installationType']]['tags'] + uid = set_name_and_truncate(vm_name, '-' + password.GeneratePassword( + 8, 
False).lower()) + if prop['installationType'] == 'Gateway only': + prop['cloudguardVersion'] += '-GW' + if not prop.get('sicKey'): + prop['computed_sic_key'] = password.GeneratePassword(12, False) + else: + prop['computed_sic_key'] = prop['sicKey'] + else: + prop['computed_sic_key'] = 'N/A' + outputs.append({ + 'name': 'sicKey', + 'value': prop['computed_sic_key'], + }, ) + if 'gw' in VERSIONS[prop['cloudguardVersion']]: + license_name = "{}-{}".format(LICENSE, LICENCE_TYPE) + else: + license_name = LICENSE + family = '-'.join(['check-point', VERSIONS[prop['cloudguardVersion']], + license_name]) + formatter = common.DefaultFormatter() + gw = { + 'type': default.INSTANCE, + 'name': vm_name, + 'properties': { + 'description': ATTRIBUTES[prop['installationType']]['description'], + 'zone': zone, + 'tags': { + 'items': tags + [uid], + }, + 'machineType': common.MakeLocalComputeLink( + context, default.MACHINETYPE), + 'canIpForward': ATTRIBUTES[ + prop['installationType']]['canIpForward'], + 'networkInterfaces': network_interfaces, + 'disks': [{ + 'autoDelete': True, + 'boot': True, + 'deviceName': common.AutoName( + context.env['name'], default.DISK, 'boot'), + 'initializeParams': { + 'diskType': common.MakeLocalComputeLink( + context, default.DISKTYPE), + 'diskSizeGb': prop['bootDiskSizeGb'], + 'sourceImage': + 'projects/%s/global/images/%s' % ( + PROJECT, images.IMAGES[family]), + }, + 'type': 'PERSISTENT', + }], + 'metadata': { + 'items': [ + { + 'key': 'startup-script', + 'value': formatter.format(startup_script, **prop) + }, + ] + }, + 'serviceAccounts': [{ + 'email': 'default', + 'scopes': [ + 'https://www.googleapis.com/auth/monitoring.write' + ], + }] + } + } + if (prop['externalIP'] != 'None') and ( + 'Manual Configuration' != prop['installationType']): + gw['properties']['serviceAccounts'][0]['scopes'].append( + 'https://www.googleapis.com/auth/cloudruntimeconfig') + resources.append({ + 'name': deployment_config, + 'type': 'runtimeconfig.v1beta1.config', + 
'properties': { + 'config': deployment_config, + 'description': ('Holds software readiness status ' + 'for deployment {}').format(deployment), + }, + }) + resources.append({ + 'name': set_name_and_truncate(deployment, '-software'), + 'type': 'runtimeconfig.v1beta1.waiter', + 'metadata': { + 'dependsOn': [], + }, + 'properties': { + 'parent': '$(ref.' + deployment_config + '.name)', + 'waiter': 'software', + 'timeout': '1800s', + 'success': { + 'cardinality': { + 'number': 1, + 'path': 'status/success', + }, + }, + 'failure': { + 'cardinality': { + 'number': 1, + 'path': 'status/failure', + }, + }, + }, + }) + if 'instanceSSHKey' in prop: + gw['properties']['metadata']['items'].append( + { + 'key': 'instanceSSHKey', + 'value': prop['instanceSSHKey'] + } + ) + if prop['generatePassword']: + passwd = password.GeneratePassword(12, False) + gw['properties']['metadata']['items'].append( + { + 'key': 'adminPasswordSourceMetadata', + 'value': passwd + } + ) + else: + passwd = '' + resources.append(gw) + netlist = list(networks) + + if GATEWAY in tags: + for i in range(len(netlist)): + network = netlist[i] + fw_rule_name_prefix = set_name_and_truncate( + gen_fw_rule_name_deployment_network_prefix( + deployment, network), + '-allow-all-to-chkp-{}'.format(i + 1)) + firewall_rules = create_firewall_rules( + prop, network, fw_rule_name_prefix) + resources.extend(firewall_rules) + elif MANAGEMENT in tags: + for i in range(len(netlist)): + network = netlist[i] + source_ranges = prop['network_tcpSourceRanges'] + tcp_enabled = prop['network_enableTcp'] + gwNetwork_enabled = prop['network_enableGwNetwork'] + gwNetwork_source_range = prop['network_gwNetworkSourceRanges'] + if source_ranges and not tcp_enabled: + raise Exception( + 'Allowed source IP ranges for TCP traffic are provided ' + 'but TCP not marked as allowed') + if tcp_enabled and not source_ranges: + raise Exception('Allowed source IP ranges for TCP traffic' + ' are required when installing ' + 'a management server') + if 
not gwNetwork_enabled and gwNetwork_source_range: + raise Exception('Gateway network source IP are provided but ' + 'not marked as allowed.') + if gwNetwork_enabled and not gwNetwork_source_range: + raise Exception('Gateway network source IP is required in' + ' MGMT deployment.') + ranges_list = source_ranges.split(',') + gw_network_list = gwNetwork_source_range.split(',') + ranges = [] + gw_net_ranges = [] + for source_range in ranges_list: + ranges.append(source_range.replace(" ", "")) + for gw_net_range in gw_network_list: + gw_net_ranges.append(gw_net_range.replace(" ", "")) + if tcp_enabled: + if gwNetwork_enabled: + resources.append({ + 'type': 'compute.v1.firewall', + 'name': set_name_and_truncate( + gen_fw_rule_name_deployment_network_prefix( + deployment, network), + '-gateways-to-management-{}'.format(i + 1)), + 'properties': { + 'network': 'global/networks/' + network, + 'sourceRanges': list(set(gw_net_ranges + ranges)), + 'sourceTags': [GATEWAY], + 'targetTags': [uid], + 'allowed': [ + { + 'IPProtocol': 'tcp', + 'ports': ['257', '18191', '18210', '18264'] + }, + ], + } + }) + resources.append({ + 'type': 'compute.v1.firewall', + 'name': set_name_and_truncate( + gen_fw_rule_name_deployment_network_prefix(deployment, + network), + '-allow-gui-clients-{}'.format(i + 1)), + 'properties': { + 'network': 'global/networks/' + network, + 'sourceRanges': list(set(ranges)), + 'targetTags': [uid], + 'allowed': [ + { + 'IPProtocol': 'tcp', + 'ports': ['22', '443', '18190', '19009'] + }, + ], + } + }) + fw_rule_name_prefix = set_name_and_truncate( + gen_fw_rule_name_deployment_network_prefix( + deployment, network), + '-allow-all-to-chkp-{}'.format(i + 1)) + firewall_rules = create_firewall_rules( + prop, network, fw_rule_name_prefix, True, uid) + resources.extend(firewall_rules) + outputs += [ + { + 'name': 'deployment', + 'value': deployment + }, + { + 'name': 'project', + 'value': context.env['project'] + }, + { + 'name': 'vmName', + 'value': vm_name, + }, + { + 
'name': 'vmId', + 'value': '$(ref.%s.id)' % vm_name, + }, + { + 'name': 'vmSelfLink', + 'value': '$(ref.%s.selfLink)' % vm_name, + }, + { + 'name': 'hasMultiExternalIPs', + 'value': 0 < len(external_ifs) and external_ifs != [0], + }, + { + 'name': 'additionalExternalIPs', + 'value': ', '.join([('$(ref.{}.networkInterfaces[{}].' + + 'accessConfigs[0].natIP)').format( + vm_name, ifnum) for ifnum in external_ifs if ifnum]) + }, + { + 'name': 'vmInternalIP', + 'value': '$(ref.%s.networkInterfaces[0].networkIP)' % vm_name, + }, + { + 'name': 'password', + 'value': passwd + } + ] + return common.MakeResource(resources, outputs) + + +def gen_fw_rule_name_deployment_network_prefix(deployment_name, network_name): + return '{}-{}'. \ + format(deployment_name[:20], network_name[:16]) diff --git a/deprecated/gcp/R80.40-R81/single-payg/check-point-vsec--payg.py.schema b/deprecated/gcp/R80.40-R81/single-payg/check-point-vsec--payg.py.schema new file mode 100644 index 00000000..8383e1c7 --- /dev/null +++ b/deprecated/gcp/R80.40-R81/single-payg/check-point-vsec--payg.py.schema 
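Review bot: The `startup-script` metadata item produced by `formatter.format(startup_script, **prop)` carries the SIC key, the Smart-1 Cloud token and the maintenance-mode password in plaintext, and `outputs` additionally exposes `sicKey` and the generated admin `password`, yet nothing in the hunk records that these values are readable through the instance metadata API and the deployment manifest; a comment above the `gw` dict such as `# NOTE: the startup-script metadata and the sicKey/password outputs hold plaintext secrets; restrict metadata and deployment read access accordingly` would help operators. The output named `hasMultiExternalIPs` near the end of `generate_config` does not match the `hasMultiExternalIP` declared under `outputs` in the `.py.schema` hunk below, so one of the two should be renamed. The Smart-1 Cloud error message is split with a backslash continuation inside the string literal, which keeps the next line's leading spaces in the message; two adjacent literals `'Use of Smart-1 Cloud token is allowed only ' 'for Gateway development.'` avoid that. `set_name_and_truncate` is also defined in `common.py` in the same patch, so this copy could be dropped in favour of `common.set_name_and_truncate`.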
@@ -0,0 +1,359 @@ +imports: + - path: check-point-vsec--payg.py + +info: + version: 1.0 + title: Check Point CloudGuard Network Security - PAYG Template + +required: + - zone + - machineType + - network + - diskType + - bootDiskSizeGb + - installationType + - allowUploadDownload + - shell + - managementGUIClientNetwork + - generatePassword + - enableMonitoring + - numAdditionalNICs + +properties: + zone: + type: string + default: us-central1-a + x-googleProperty: + type: GCE_ZONE + machineType: + type: string + default: n1-standard-4 + x-googleProperty: + type: GCE_MACHINE_TYPE + zoneProperty: zone + gceMachineType: + minCpu: 2 + minRamGb: 1.843000054359436 + network: + type: string + default: default + x-googleProperty: + type: GCE_NETWORK + subnetwork: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: network + network_enableTcp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: network + network_tcpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: network_enableTcp + network_enableGwNetwork: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: network + network_gwNetworkSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: network_enableGwNetwork + network_enableIcmp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: network + network_icmpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: network_enableIcmp + network_enableUdp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: network + network_udpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + 
gceFirewallRange: + firewallProperty: network_enableUdp + network_enableSctp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: network + network_sctpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: network_enableSctp + network_enableEsp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: network + network_espSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: network_enableEsp + smart1CloudToken: + type: string + default: '' + diskType: + type: string + default: pd-ssd + x-googleProperty: + type: GCE_DISK_TYPE + zoneProperty: zone + bootDiskSizeGb: + type: integer + maximum: 1000 + default: 100 + minimum: 100 + x-googleProperty: + type: GCE_DISK_SIZE + gceDiskSize: + diskTypeProperty: diskType + installationType: + type: string + default: R81.20 Gateway only + enum: + - R80.40 Gateway only + - R80.40 Manual Configuration + - R80.40 Gateway and Management (Standalone) + - R81 Gateway only + - R81 Manual Configuration + - R81 Gateway and Management (Standalone) + - R81.10 Gateway only + - R81.10 Manual Configuration + - R81.10 Gateway and Management (Standalone) + - R81.20 Gateway only + - R81.20 Manual Configuration + - R81.20 Gateway and Management (Standalone) + maintenanceMode: + type: string + pattern: ^([a-z0-9A-Z.]{12,300}|)$ + default: '' + allowUploadDownload: + type: boolean + default: True + shell: + type: string + default: /etc/cli.sh + enum: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + generatePassword: + type: boolean + default: False + enableMonitoring: + type: boolean + default: False + sicKey: + type: string + pattern: ^([a-z0-9A-Z]{8,30}|)$ + default: '' + managementGUIClientNetwork: + type: string + pattern: ^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$ + externalIP: + type: string 
+ enum: + - Static + - Ephemeral + - None + default: Static + instanceSSHKey: + type: string + pattern: ^([0-9a-z\-]+ +[0-9A-Za-z/\+=]+( .*)?|)$ + default: '' + numAdditionalNICs: + type: integer + enum: + - 0 + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + minimum: 0 + maximum: 7 + default: 1 + additionalNetwork1: + type: string + x-googleProperty: + type: GCE_NETWORK + additionalSubnetwork1: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: additionalNetwork1 + externalIP1: + type: string + enum: + - Static + - Ephemeral + - None + default: None + additionalNetwork2: + type: string + x-googleProperty: + type: GCE_NETWORK + additionalSubnetwork2: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: additionalNetwork2 + externalIP2: + type: string + enum: + - Static + - Ephemeral + - None + default: None + additionalNetwork3: + type: string + x-googleProperty: + type: GCE_NETWORK + additionalSubnetwork3: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: additionalNetwork3 + externalIP3: + type: string + enum: + - Static + - Ephemeral + - None + default: None + additionalNetwork4: + type: string + x-googleProperty: + type: GCE_NETWORK + additionalSubnetwork4: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: additionalNetwork4 + externalIP4: + type: string + enum: + - Static + - Ephemeral + - None + default: None + additionalNetwork5: + type: string + x-googleProperty: + type: GCE_NETWORK + additionalSubnetwork5: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: additionalNetwork5 + externalIP5: + type: string + enum: + - Static + - Ephemeral + - None + default: None + additionalNetwork6: + type: string + x-googleProperty: + type: GCE_NETWORK + 
additionalSubnetwork6: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: additionalNetwork6 + externalIP6: + type: string + enum: + - Static + - Ephemeral + - None + default: None + additionalNetwork7: + type: string + x-googleProperty: + type: GCE_NETWORK + additionalSubnetwork7: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: additionalNetwork7 + externalIP7: + type: string + enum: + - Static + - Ephemeral + - None + default: None + +outputs: + deployment: + type: string + project: + type: string + vmId: + type: string + vmInternalIP: + type: string + hasMultiExternalIP: + type: boolean + additionalExternalIPs: + type: string + vmName: + type: string + vmSelfLink: + type: string + password: + type: string diff --git a/deprecated/gcp/R80.40-R81/single-payg/common.py b/deprecated/gcp/R80.40-R81/single-payg/common.py new file mode 100644 index 00000000..e123c502 --- /dev/null +++ b/deprecated/gcp/R80.40-R81/single-payg/common.py 
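Review bot: The source-range properties (`network_tcpSourceRanges`, `network_gwNetworkSourceRanges`, `network_icmpSourceRanges`, `network_udpSourceRanges`, `network_sctpSourceRanges`, `network_espSourceRanges`) have no `pattern`, so whatever string the user enters is split on commas by the template and passed straight into firewall `sourceRanges`; a pattern accepting a comma-separated list of CIDRs, built from the one already used on `managementGUIClientNetwork`, would reject malformed entries at validation time rather than at deployment. `managementGUIClientNetwork` is listed under `required` and its pattern admits no empty value, although the template in the previous hunk only checks it for the standalone installation type and defaults it to an empty string; either the schema should allow the empty alternative the way `sicKey` does, or the requirement should be stated in a `description` for the property.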
@@ -0,0 +1,262 @@ +# Copyright 2015 Google Inc. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +"""Generic simple functions used for python based template generation.""" + +import re +import sys +import traceback +import default +import string + +import yaml + +RFC1035_RE = re.compile(r'^[a-z][-a-z0-9]{1,61}[a-z0-9]{1}$') + + +class Error(Exception): + """Common exception wrapper for template exceptions.""" + pass + + +class DefaultFormatter(string.Formatter): + """Returns default instead of key error when looking for keys. + + Used for startup-script which contains params from multiple deployments + whiles keys from one deployment may not be set in another. 
+ """ + def __init__(self, default=''): + self.default = default + def get_value(self, key, args, dict): + if isinstance(key, str): + return dict.get(key, self.default) + else: + return string.Formatter.get_value(key, args, dict) + + +def set_name_and_truncate(primary, secondary, maxlength=62): + return '%s%s' % (primary[:maxlength - len(secondary)], secondary) + + +def AddDiskResourcesIfNeeded(context): + """Checks context if disk resources need to be added.""" + if default.DISK_RESOURCES in context.properties: + return context.properties[default.DISK_RESOURCES] + else: + return [] + + +def AutoName(base, resource, *args): + """Helper method to generate names automatically based on default.""" + auto_name = '%s-%s' % (base, '-'.join(list(args) + [default.AKA[resource]])) + if not RFC1035_RE.match(auto_name): + raise Error('"%s" name for type %s does not match RFC1035 regex (%s)' % + (auto_name, resource, RFC1035_RE.pattern)) + return auto_name + + +def AutoRef(base, resource, *args): + """Helper method that builds a reference for an auto-named resource.""" + return Ref(AutoName(base, resource, *args)) + + +def OrderedItems(dict_obj): + """Convenient method to yield sorted iteritems of a dictionary.""" + keys = list(dict_obj.keys()) + keys.sort() + for k in keys: + yield (k, dict_obj[k]) + + +def ShortenZoneName(zone): + """Given a string that looks like a zone name, creates a shorter version.""" + geo, coord, number, letter = re.findall(r'(\w+)-(\w+)(\d)-(\w)', zone)[0] + geo = geo.lower() if len(geo) == 2 else default.LOC[geo.lower()] + coord = default.LOC[coord.lower()] + number = str(number) + letter = letter.lower() + return geo + '-' + coord + number + letter + + +def ZoneToRegion(zone): + """Derives the region from a zone name.""" + parts = zone.split('-') + if len(parts) != 3: + raise Error('Cannot derive region from zone "%s"' % zone) + return '-'.join(parts[:2]) + + +def FormatException(message): + """Adds more information to the exception.""" + message = 
('Exception Type: %s\n' + 'Details: %s\n' + 'Message: %s\n') % (sys.exc_info()[0], + traceback.format_exc(), message) + return message + + +def Ref(name): + return '$(ref.%s.selfLink)' % name + + +def RefGroup(name): + return '$(ref.%s.instanceGroup)' % name + + +def GlobalComputeLink(project, collection, name): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/global/', + collection, '/', name]) + +def GlobalNetworkLink(project, network): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/global/', + default.NETWORKS, '/', network]) + + +def LocalComputeLink(project, zone, key, value): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/zones/', + zone, '/', key, '/', value]) + + +def ReadContext(context, prop_key): + return (context.env['project'], context.properties.get('zone', None), + context.properties[prop_key]) + + +def MakeLocalComputeLink(context, key, zone=None): + if not zone: + project, zone, value = ReadContext(context, key) + else: + project, _, value = ReadContext(context, key) + + if IsComputeLink(value): + return value + else: + return LocalComputeLink(project, zone, key + 's', value) + + +def MakeGlobalComputeLink(context, key): + project, _, value = ReadContext(context, key) + if IsComputeLink(value): + return value + else: + return GlobalComputeLink(project, key + 's', value) + +def MakeRegionalSubnetworkLink(project, zone, subnet): + region = ZoneToRegion(zone) + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/regions/', + region, '/subnetworks/', subnet]) + + +def MakeSubnetworkComputeLink(context, key): + project, zone, value = ReadContext(context, key) + region = ZoneToRegion(zone) + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/regions/', + region, '/subnetworks/', value]) + + +def MakeFQHN(context, name): + return '%s.c.%s.internal' % (name, context.env['project']) + + +# TODO(victorg): Consider moving this method to a different file +def 
MakeC2DImageLink(name, dev_mode=False): + if IsGlobalProjectShortcut(name) or name.startswith('http'): + return name + else: + if dev_mode: + return 'global/images/%s' % name + else: + return GlobalComputeLink(default.C2D_IMAGES, 'images', name) + + +def IsGlobalProjectShortcut(name): + return name.startswith('projects/') or name.startswith('global/') + + +def IsComputeLink(name): + return (name.startswith(default.COMPUTE_URL_BASE) or + name.startswith(default.REFERENCE_PREFIX)) + + +def GetNamesAndTypes(resources_dict): + return [(d['name'], d['type']) for d in resources_dict] + + +def SummarizeResources(res_dict): + """Summarizes the name of resources per resource type.""" + result = {} + for res in res_dict: + result.setdefault(res['type'], []).append(res['name']) + return result + + +def ListPropertyValuesOfType(res_dict, prop, res_type): + """Lists all the values for a property of a certain type.""" + return [r['properties'][prop] for r in res_dict if r['type'] == res_type] + + +def MakeResource(resource_list, output_list=None): + """Wrapper for a DM template basic spec.""" + content = {'resources': resource_list} + if output_list: + content['outputs'] = output_list + return yaml.dump(content) + + +def TakeZoneOut(properties): + """Given a properties dictionary, removes the zone specific information.""" + + def _CleanZoneUrl(value): + value = value.split('/')[-1] if IsComputeLink(value) else value + return value + + for name in default.VM_ZONE_PROPERTIES: + if name in properties: + properties[name] = _CleanZoneUrl(properties[name]) + if default.ZONE in properties: + properties.pop(default.ZONE) + if default.BOOTDISK in properties: + properties[default.BOOTDISK] = _CleanZoneUrl(properties[default.BOOTDISK]) + if default.DISKS in properties: + for disk in properties[default.DISKS]: + # Don't touch references to other disks + if default.DISK_SOURCE in disk: + continue + if default.INITIALIZEP in disk: + disk_init = disk[default.INITIALIZEP] + if default.DISKTYPE 
in disk_init: + disk_init[default.DISKTYPE] = _CleanZoneUrl(disk_init[default.DISKTYPE]) + + +def GenerateEmbeddableYaml(yaml_string): + # Because YAML is a space delimited format, we need to be careful about + # embedding one YAML document in another. This function takes in a string in + # YAML format and produces an equivalent YAML representation that can be + # inserted into arbitrary points of another YAML document. It does so by + # printing the YAML string in a single line format. Consistent ordering of + # the string is also guaranteed by using yaml.dump. + yaml_object = yaml.load(yaml_string) + dumped_yaml = yaml.dump(yaml_object, default_flow_style=True) + return dumped_yaml + + +def FormatErrorsDec(func): + """Decorator to format exceptions if they get raised.""" + + def FormatErrorsWrap(context): + try: + return func(context) + except Exception as e: + raise Error(FormatException(e.message)) + + return FormatErrorsWrap diff --git a/deprecated/gcp/R80.40-R81/single-payg/config.yaml b/deprecated/gcp/R80.40-R81/single-payg/config.yaml new file mode 100644 index 00000000..33316f05 --- /dev/null +++ b/deprecated/gcp/R80.40-R81/single-payg/config.yaml 
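Review bot: `GenerateEmbeddableYaml` calls `yaml.load(yaml_string)` without a `Loader`; PyYAML 6 rejects that call outright, and older releases fall back to the full loader, which can construct arbitrary Python objects from tagged input, so for a plain data document `yaml_object = yaml.safe_load(yaml_string)` is the right call. `FormatErrorsWrap` reads `e.message`, an attribute Python 3 exceptions do not have, so any error in the wrapped template function surfaces as an AttributeError and the original message is lost; `raise Error(FormatException(str(e))) from e` keeps both. The `get_value` signature in `DefaultFormatter` names its third parameter `dict`, shadowing the builtin inside the method; `kwargs` matches the base `string.Formatter.get_value(key, args, kwargs)` and reads better.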
@@ -0,0 +1,48 @@
+imports:
+- path: check-point-vsec--payg.py
+- path: common.py
+- path: default.py
+- path: password.py
+- path: images.py
+
+resources:
+- name: check-point-vsec--payg
+ type: check-point-vsec--payg.py
+ properties:
+ zone: "PLEASE ENTER A ZONE"
+ machineType: "PLEASE ENTER A MACHINE TYPE"
+ network: "PLEASE ENTER AN EXTERNAL NETWORK ID"
+ subnetwork: "PLEASE ENTER A SUBNETWORK ID"
+ network_enableTcp: "PLEASE ENTER true or false"
+ network_tcpSourceRanges: "PLEASE ENTER TCP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ network_enableIcmp: "PLEASE ENTER true or false"
+ network_icmpSourceRanges: "PLEASE ENTER ICMP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ network_enableUdp: "PLEASE ENTER true or false"
+ network_udpSourceRanges: "PLEASE ENTER UDP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ network_enableSctp: "PLEASE ENTER true or false"
+ network_sctpSourceRanges: "PLEASE ENTER SCTP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ network_enableEsp: "PLEASE ENTER true or false"
+ network_espSourceRanges: "PLEASE ENTER ESP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ externalIP: "PLEASE ENTER AN EXTERNAL IP ADDRESS TYPE"
+ installationType: "PLEASE ENTER AN INSTALLATION TYPE"
+ diskType: "PLEASE ENTER A DISK TYPE"
+ bootDiskSizeGb: "PLEASE ENTER A DISK SIZE"
+ #Connecting to Smart-1 Cloud is only available for Gateway only installation
+ smart1CloudToken: "PLEASE ENTER A TOKEN TO CONNECT TO SMART-1 CLOUD OR LEAVE EMPTY DOUBLE QUOTES"
+ generatePassword: "PLEASE ENTER true or false"
+ allowUploadDownload: "PLEASE ENTER true or false"
+ enableMonitoring: "PLEASE ENTER true or false"
+ shell: "PLEASE ENTER A SHELL"
+ instanceSSHKey: "PLEASE ENTER A VALID PUBLIC KEY"
+ sicKey: "PLEASE ENTER A SIC KEY"
+ managementGUIClientNetwork: "PLEASE ENTER A MANAGEMENT GUI CLIENT NETWORK"
+ numAdditionalNICs: "PLEASE ENTER A NUMBER OF ADDITIONAL NICS"
+ #Define additional NICs networks and subnetworks according the defined numAdditionalNICs value
+ #If there is no need in additional NICs remove additionalNetwork1 and additionalSubnetwork1 variables
+ additionalNetwork1: "PLEASE ENTER AN ADDITIONAL NETWORK1 ID"
+ additionalSubnetwork1: "PLEASE ENTER AN ADDITIONAL SUBNETWORK1 ID"
+outputs:
+- name: "Deployment"
+ value: $(ref.check-point-vsec--payg.deployment)
+- name: "Instance"
+ value: $(ref.check-point-vsec--payg.vmName)
\ No newline at end of file
diff --git a/deprecated/gcp/R80.40-R81/single-payg/default.py b/deprecated/gcp/R80.40-R81/single-payg/default.py
new file mode 100644
index 00000000..0c7dd919
--- /dev/null
+++ b/deprecated/gcp/R80.40-R81/single-payg/default.py
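Review bot: `sicKey`, `smart1CloudToken` and `instanceSSHKey` are filled in directly in this committed config.yaml, so a completed copy carries the SIC one-time secret and the Smart-1 Cloud token in clear text next to the ordinary deployment settings; the file says nothing about that. A comment next to those keys, e.g. `#sicKey and smart1CloudToken are secrets: keep a filled-in copy of this file out of version control`, would make the handling expectation explicit. The `PLEASE ENTER true or false` placeholders are quoted strings, so whether `generatePassword`, `network_enableTcp` and the other flags are consumed as YAML booleans or as the strings "true"/"false" depends on check-point-vsec--payg.py, which is outside this hunk; stating the exact accepted form in the comment would avoid a silent mismatch.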
@@ -0,0 +1,134 @@
+# Copyright 2015 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Convenience module to hold default constants for C2D components.
+
+There should not be any logic in this module. Its purpose is to simplify
+analysis of commonly used GCP and properties names and identify the names
+that were custom created for these modules.
+"""
+# Generic constants
+C2D_IMAGES = 'click-to-deploy-images'
+
+# URL constants
+COMPUTE_URL_BASE = 'https://www.googleapis.com/compute/v1/'
+
+# Deployment Manager constructs
+REFERENCE_PREFIX = '$(ref.'
+
+# Commonly used in properties namespace
+AUTO_DELETE = 'autoDelete'
+BOOTDISK = 'bootDiskType'
+BOOTDISKSIZE = 'bootDiskSizeGb'
+C_IMAGE = 'containerImage'
+DC_MANIFEST = 'dcManifest'
+DEPLOYMENT = 'DEPLOYMENT' # used in the deployment coordinator
+DISK_NAME = 'diskName'
+DISK_RESOURCES = 'addedDiskResources'
+DISK_SOURCE = 'source'
+ENDPOINT_NAME = 'serviceRegistryEndpointName'
+FIXED_GCLOUD = 'fixedGcloud'
+GENERATED_PROP = 'generatedProperties'
+INITIALIZEP = 'initializeParams'
+INSTANCE_NAME = 'instanceName'
+LOCAL_SSD = 'localSSDs'
+MAX_NUM = 'maxNumReplicas'
+NETWORKS = 'networks'
+NO_SCOPE = 'noScope'
+PROVIDE_BOOT = 'provideBoot'
+REPLICAS = 'replicas'
+SIZE = 'size'
+VM_COPIES = 'numberOfVMReplicas'
+ZONES = 'zones'
+
+# Common properties values (only official GCP values allowed here)
+EXTERNAL = 'External NAT'
+ONE_NAT = 'ONE_TO_ONE_NAT'
+
+# Common 1st level properties (only official GCP names allowed here)
+CAN_IP_FWD = 'canIpForward'
+CONTAINER = 'container'
+DCKRENV = 'dockerEnv'
+DCKRIMAGE = 'dockerImage'
+DEFAULT_SERVICE = 'defaultService'
+DEVICE_NAME = 'deviceName'
+DISKS = 'disks'
+DISK_SIZE = 'diskSizeGb'
+DISKTYPE = 'diskType'
+HEALTH_PATH = 'healthPath'
+HOST_RULES = 'hostRules'
+IP_PROTO = 'IPProtocol'
+MACHINETYPE = 'machineType'
+METADATA = 'metadata'
+NAME = 'name'
+NETWORK = 'network'
+NETWORKS = 'networks'
+SUBNETWORK = 'subnetwork'
+PATH_MATCHERS = 'pathMatchers'
+PORT = 'port'
+PROJECT = 'project'
+SERVICE = 'service'
+SERVICE_ACCOUNTS = 'serviceAccounts'
+SRCIMAGE = 'sourceImage'
+SRC_RANGES = 'sourceRanges'
+TAGS = 'tags'
+TYPE = 'type'
+VM_TEMPLATE = 'instanceTemplate'
+ZONE = 'zone'
+
+# Zone specfic VM properties
+VM_ZONE_PROPERTIES = [DISKTYPE, MACHINETYPE, BOOTDISK]
+
+# Resource type defaults names
+ADDRESS = 'compute.v1.address'
+AUTOSCALER = 'compute.v1.autoscaler'
+BACKEND_SERVICE = 'compute.v1.backendService'
+DISK = 'compute.v1.disk'
+ENDPOINT = 'serviceregistry.v1alpha.endpoint'
+FIREWALL = 'compute.v1.firewall'
+GF_RULE = 'compute.v1.globalForwardingRule'
+HEALTHCHECK = 'compute.v1.httpHealthCheck'
+IGM = 'compute.v1.instanceGroupManager'
+INSTANCE = 'compute.v1.instance'
+PROXY = 'compute.v1.targetHttpProxy'
+TEMPLATE = 'compute.v1.instanceTemplate'
+REGION_IGM = 'compute.v1.regionInstanceGroupManager'
+REGION_AUTOSCALER = 'compute.v1.regionAutoscaler'
+URL_MAP = 'compute.v1.urlMap'
+VPC='compute.v1.network'
+VPC_SUBNET='compute.v1.subnetwork'
+
+# Also Known As constants
+AKA = {
+ TEMPLATE: 'tmplt',
+ AUTOSCALER: 'as',
+ BACKEND_SERVICE: 'bes',
+ DISK: 'disk',
+ FIREWALL: 'fwall',
+ GF_RULE: 'ip',
+ HEALTHCHECK: 'hc',
+ INSTANCE: 'vm',
+ PROXY: 'tproxy',
+ IGM: 'igm',
+ URL_MAP: 'umap',
+}
+
+LOC = {
+ 'europe': 'eu',
+ 'asia': 'as',
+ 'central': 'c',
+ 'east': 'e',
+ 'west': 'w',
+ 'north': 'n',
+ 'south': 's',
+}
diff --git a/deprecated/gcp/R80.40-R81/single-payg/images.py b/deprecated/gcp/R80.40-R81/single-payg/images.py
new file mode 100644
index 00000000..7b04bee0
--- /dev/null
+++ b/deprecated/gcp/R80.40-R81/single-payg/images.py
@@ -0,0 +1,34 @@
+IMAGES = {
+ "check-point-r8120-payg": "check-point-r8120-payg-631-991001560-v20240425",
+ "check-point-r8120-gw-payg-single": "check-point-r8120-gw-payg-single-631-991001560-v20240425",
+ "check-point-r8120-gw-payg-mig": "check-point-r8120-gw-payg-mig-631-991001560-v20240425",
+ "check-point-r8120-gw-payg-cluster": "check-point-r8120-gw-payg-cluster-631-991001560-v20240425",
+ "check-point-r8120-gw-byol-single": "check-point-r8120-gw-byol-single-631-991001560-v20240425",
+ "check-point-r8120-gw-byol-mig": "check-point-r8120-gw-byol-mig-631-991001560-v20240425",
+ "check-point-r8120-gw-byol-cluster": "check-point-r8120-gw-byol-cluster-631-991001560-v20240425",
+ "check-point-r8120-byol": "check-point-r8120-byol-631-991001560-v20240425",
+ "check-point-r8110-payg": "check-point-r8110-payg-335-991001560-v20240425",
+ "check-point-r8110-gw-payg-single": "check-point-r8110-gw-payg-single-335-991001560-v20240425",
+ "check-point-r8110-gw-payg-mig": "check-point-r8110-gw-payg-mig-335-991001560-v20240425",
+ "check-point-r8110-gw-payg-cluster": "check-point-r8110-gw-payg-cluster-335-991001560-v20240425",
+ "check-point-r8110-gw-byol-single": "check-point-r8110-gw-byol-single-335-991001560-v20240425",
+ "check-point-r8110-gw-byol-mig": "check-point-r8110-gw-byol-mig-335-991001560-v20240425",
+ "check-point-r8110-gw-byol-cluster": "check-point-r8110-gw-byol-cluster-335-991001560-v20240425",
+ "check-point-r8110-byol": "check-point-r8110-byol-335-991001560-v20240425",
+ "check-point-r81-payg": "check-point-r81-payg-392-991001560-v20240425",
+ "check-point-r81-gw-payg-single": "check-point-r81-gw-payg-single-392-991001560-v20240425",
+ "check-point-r81-gw-payg-mig": "check-point-r81-gw-payg-mig-392-991001560-v20240425",
+ "check-point-r81-gw-payg-cluster": "check-point-r81-gw-payg-cluster-392-991001560-v20240425",
+ "check-point-r81-gw-byol-single": "check-point-r81-gw-byol-single-392-991001560-v20240425",
+ "check-point-r81-gw-byol-mig": "check-point-r81-gw-byol-mig-392-991001560-v20240425",
+ "check-point-r81-gw-byol-cluster": "check-point-r81-gw-byol-cluster-392-991001560-v20240425",
+ "check-point-r81-byol": "check-point-r81-byol-392-991001560-v20240425",
+ "check-point-r8040-payg": "check-point-r8040-payg-294-991001560-v20240425",
+ "check-point-r8040-gw-payg-single": "check-point-r8040-gw-payg-single-294-991001564-v20240505",
+ "check-point-r8040-gw-payg-mig": "check-point-r8040-gw-payg-mig-294-991001564-v20240505",
+ "check-point-r8040-gw-payg-cluster": "check-point-r8040-gw-payg-cluster-294-991001564-v20240505",
+ "check-point-r8040-gw-byol-single": "check-point-r8040-gw-byol-single-294-991001564-v20240505",
+ "check-point-r8040-gw-byol-mig": "check-point-r8040-gw-byol-mig-294-991001564-v20240505",
+ "check-point-r8040-gw-byol-cluster": "check-point-r8040-gw-byol-cluster-294-991001564-v20240505",
+ "check-point-r8040-byol": "check-point-r8040-byol-294-991001560-v20240425"
+}
\ No newline at end of file
diff --git a/deprecated/gcp/R80.40-R81/single-payg/password.py b/deprecated/gcp/R80.40-R81/single-payg/password.py
new file mode 100644
index 00000000..273210a6
--- /dev/null
+++ b/deprecated/gcp/R80.40-R81/single-payg/password.py
@@ -0,0 +1,135 @@
+# Copyright 2015 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""A DM template that generates password as an output, namely "password".
+
+An example YAML showing how this template can be used:
+ resources:
+ - name: generated-password
+ type: password.py
+ properties:
+ length: 8
+ includeSymbols: true
+ - name: main-template
+ type: main-template.jinja
+ properties:
+ password: $(ref.generated-password.password)
+
+Input properties to this template:
+ - length: the length of the generated password. At least 8. Default 8.
+ - includeSymbols: true/false whether to include symbol chars. Default false.
+
+The generated password satisfies the following requirements:
+ - The length is as specified,
+ - Containing letters and numbers, and optionally symbols if specified,
+ - Starting with a letter,
+ - Containing characters from at least 3 of the 4 categories: uppercases,
+ lowercases, numbers, and symbols.
+
+"""
+
+import random
+import yaml
+
+PROPERTY_LENGTH = 'length'
+PROPERTY_INCLUDE_SYMBOLS = 'includeSymbols'
+
+# Note the omission of some hard to distinguish characters like I, l, 0, and O.
+UPPERS = 'ABCDEFGHJKLMNPQRSTUVWXYZ'
+LOWERS = 'abcdefghijkmnopqrstuvwxyz'
+ALPHABET = UPPERS + LOWERS
+DIGITS = '123456789'
+ALPHANUMS = ALPHABET + DIGITS
+# Including only symbols that can be passed around easily in shell scripts.
+SYMBOLS = '*-+.'
+
+CANDIDATES_WITH_SYMBOLS = ALPHANUMS + SYMBOLS
+CANDIDATES_WITHOUT_SYMBOLS = ALPHANUMS
+
+CATEGORIES_WITH_SYMBOLS = [UPPERS, LOWERS, DIGITS, SYMBOLS]
+CATEGORIES_WITHOUT_SYMBOLS = [UPPERS, LOWERS, DIGITS]
+
+MIN_LENGTH = 8
+
+
+class InputError(Exception):
+ """Raised when input properties are unexpected."""
+
+
+def GenerateConfig(context):
+ """Entry function to generate the DM config."""
+ props = context.properties
+ length = props.setdefault(PROPERTY_LENGTH, MIN_LENGTH)
+ include_symbols = props.setdefault(PROPERTY_INCLUDE_SYMBOLS, False)
+
+ if not isinstance(include_symbols, bool):
+ raise InputError('%s must be a boolean' % PROPERTY_INCLUDE_SYMBOLS)
+
+ content = {
+ 'resources': [],
+ 'outputs': [{
+ 'name': 'password',
+ 'value': GeneratePassword(length, include_symbols)
+ }]
+ }
+ return yaml.dump(content)
+
+
+def GeneratePassword(length=8, include_symbols=False):
+ """Generates a random password."""
+ if length < MIN_LENGTH:
+ raise InputError('Password length must be at least %d' % MIN_LENGTH)
+
+ candidates = (CANDIDATES_WITH_SYMBOLS if include_symbols
+ else CANDIDATES_WITHOUT_SYMBOLS)
+ categories = (CATEGORIES_WITH_SYMBOLS if include_symbols
+ else CATEGORIES_WITHOUT_SYMBOLS)
+
+ # Generates up to the specified length minus the number of categories.
+ # Then inserts one character for each category, ensuring that the character
+ # satisfy the category if the generated string hasn't already.
+ generated = ([random.choice(ALPHABET)] +
+ [random.choice(candidates)
+ for _ in range(length - 1 - len(categories))])
+ for category in categories:
+ _InsertAndEnsureSatisfaction(generated, category, candidates)
+ return ''.join(generated)
+
+
+def _InsertAndEnsureSatisfaction(generated, required, all_candidates):
+ """Inserts 1 char into generated, satisfying required if not already.
+
+ If the required characters are not already in the generated string, one will
+ be inserted. If any required character is already in the generated string, a
+ random character from all_candidates will be inserted. The insertion happens
+ at a random location but not at the beginning.
+
+ Args:
+ generated: the string to be modified.
+ required: list of required characters to check for.
+ all_candidates: list of characters to choose from if the required characters
+ are already satisfied.
+ """
+ if set(generated).isdisjoint(required):
+ # Not yet satisfied. Insert a required candidate.
+ _InsertInto(generated, required)
+ else:
+ # Already satisfied. Insert any candidate.
+ _InsertInto(generated, all_candidates)
+
+
+def _InsertInto(generated, candidates):
+ """Inserts a random candidate into a random non-zero index of generated."""
+ # Avoids inserting at index 0, since the first character follows its own rule.
+ generated.insert(random.randint(1, len(generated) - 1),
+ random.choice(candidates))
diff --git a/deprecated/gcp/README.MD b/deprecated/gcp/README.MD
new file mode 100644
index 00000000..5ea437ca
--- /dev/null
+++ b/deprecated/gcp/README.MD
@@ -0,0 +1,5 @@
+# Deprecated CloudGuard IaaS GCP Deployment Manager packages
+This directory contains deprecated CloudGuard IaaS solution templates.
+
+# How to deploy the templates
+To deploy the Deployment Manager packages follow the instructions in the README.MD file in each directory.
\ No newline at end of file
diff --git a/deprecated/terraform/azure/R8040-R81/high-availability-existing-vnet/README.md b/deprecated/terraform/azure/R8040-R81/high-availability-existing-vnet/README.md
new file mode 100644
index 00000000..c26e307a
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/high-availability-existing-vnet/README.md
@@ -0,0 +1,239 @@ +# Check Point CloudGuard IaaS High Availability Terraform deployment for Azure + +This Terraform module deploys Check Point CloudGuard IaaS High Availability solution into an existing Vnet in Azure. +As part of the deployment the following resources are created: +- Resource group +- System assigned identity +- Availability Set - conditional creation + +For additional information, +please see the [CloudGuard Network for Azure High Availability Cluster Deployment Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_Azure_HA_Cluster/Default.htm) + +This solution uses the following modules: +- /terraform/azure/modules/common - used for creating a resource group and defining common variables. + + +## Configurations +- Install and configure Terraform to provision Azure resources: [Configure Terraform for Azure](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/terraform-install-configure) +- In order to use ssh connection to VMs, it is **required** to add a public key to the /terraform/azure/high-availability-existing-vnet/azure_public_key file. + +## Usage +- Choose the preferred login method to Azure in order to deploy the solution: +
1. Using Service Principal: + - Create a [Service Principal](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal) (or use the existing one) + - Grant the Service Principal at least "**Managed Application Contributor**", "**Storage Account Contributor**", "**Network Contributor**", "**Virtual Machine Contributor**", "**User Access Administrator**" permissions to the Azure subscription
+ - The Service Principal credentials can be stored either in the terraform.tfvars or as [Environment Variables](https://www.terraform.io/docs/providers/azuread/guides/service_principal_client_secret.html)
+ + In case the Environment Variables are used, perform modifications described below:
+ + a. The next lines in the main.tf file, in the provider azurerm resource, need to be deleted or commented: + + provider "azurerm" { + + // subscription_id = var.subscription_id + // client_id = var.client_id + // client_secret = var.client_secret + // tenant_id = var.tenant_id + + features {} + } + + b. In the terraform.tfvars file leave empty double quotes for client_secret, client_id , tenant_id and subscription_id variables: + + client_secret = "" + client_id = "" + tenant_id = "" + subscription_id = "" + +
2. Using **az** commands from a command-line: + - Run **az login** command + - Sign in with your account credentials in the browser + - [Accept Azure Marketplace image terms](https://docs.microsoft.com/en-us/cli/azure/vm/image/terms?view=azure-cli-latest) by running: +
**az vm image terms accept --urn publisher:offer:sku:version**, where: + - publisher = checkpoint; + - offer = vm_os_offer (see accepted values in the table below); + - sku = vm_os_sku (see accepted values in the table below); + - version = latest
+
Example:
+ az vm image terms accept --urn checkpoint:check-point-cg-r8040:sg-byol:latest + + - In the terraform.tfvars file leave empty double quotes for client_secret, client_id and tenant_id variables. + +- Fill all variables in the /terraform/azure/high-availability-existing-vnet/terraform.tfvars file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + + terraform init +- Create an execution plan: + + terraform plan +- Create or modify the deployment: + + terraform apply + +### terraform.tfvars variables: + | Name | Description | Type | Allowed values | Default | + | ------------- | ------------- |-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------| ------------- | + | **client_secret** | The client secret of the Service Principal used to deploy the solution | string | | n/a | + | | | | | | + | **client_id** | The client ID of the Service Principal used to deploy the solution | string | | n/a | + | | | | | | + | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | n/a | + | | | | | | + | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | | n/a | + | | | | | | + | **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images | string | | "noCustomUri" | + | | | | | | + | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | n/a | + | | | | | | + | **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | n/a | + | | | | | | + | **cluster_name** | The name of the Check Point Cluster Object | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long | n/a | + | | | | | | + | **vnet_name** | Virtual Network name | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | n/a | + | | | | | | + | **vnet_resource_group** | Resource Group of the existing virtual network | string | The exact name of the existing vnet's resource group | n/a | + | | | | | | + | **frontend_subnet_name** | Specifies the name of the external subnet | string 
| The exact name of the existing external subnet | n/a | + | | | | | | + | **backend_subnet_name** | Specifies the name of the internal subnet | string | The exact name of the existing internal subnet | n/a | + | | | | | | + | **frontend_IP_addresses** | A list of three whole numbers representing the private ip addresses of the members eth0 NICs and the cluster vip ip addresses. The numbers can be represented as binary integers with no more than the number of digits remaining in the address after the given frontend subnet prefix. The IP addresses are defined by their position in the frontend subnet | list(number) | | n/a + | | | | | | + | **backend_IP_addresses** | A list of three whole numbers representing the private ip addresses of the members eth1 NICs and the backend lb ip addresses. The numbers can be represented as binary integers with no more than the number of digits remaining in the address after the given backend subnet prefix. The IP addresses are defined by their position in the backend subnet | list(number) | | n/a + | | | | | | + | **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | n/a | + | | | | | | + | **smart_1_cloud_token_a** | Smart-1 Cloud token to connect automatically ***Member A*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a | | + | | | | | | + | **smart_1_cloud_token_b** | Smart-1 Cloud token to connect automatically ***Member B*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501)| string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a | | + | | | | | | + | **sic_key** | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | n/a | + | | | | | | + | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", 
"Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | n/a + | | | | | | + | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | n/a | + | | | | | | + | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license; | n/a | + | | | | | | + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r81.10";
"check-point-cg-r81.20"; | n/a | + | | | | | | + | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120"; | n/a | + | | | | | | + | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | n/a | + | | | | | | + | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | n/a | + | | | | | | + | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | n/a | + | | | | | | + | **availability_type** | Specifies whether to deploy the solution based on Azure Availability Set or based on Azure Availability Zone | string | "Availability Zone";
"Availability Set"; | "Availability Zone" | + | | | | | | + | **enable_custom_metrics** | Indicates whether CloudGuard Metrics will be use for Cluster members monitoring | boolean | true;
false; | true | + | | | | | | + | **enable_floating_ip** | Indicates whether the load balancers will be deployed with floating IP | boolean | true;
false; | false | + | | | | | | + | **use_public_ip_prefix** | Indicates whether the public IP resources will be deployed with public IP prefix | boolean | true;
false; | false | + | | | | | | + | **create_public_ip_prefix** | Indicates whether the public IP prefix will created or an existing will be used | boolean | true;
false; | false | + | | | | | | + | **existing_public_ip_prefix_id** | The existing public IP prefix resource id | string | Existing public IP prefix resource id | n/a | + | | | | | | + | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | n/a | + | | | | | | + | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here | string | | n/a + | | | | | | + | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | | n/a + | | | | | | + | **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false; | false + | | | | | | + | **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs | [] + +## Conditional creation +- To deploy the solution based on Azure Availability Set and create a new Availability Set for the virtual machines: +``` +availability_type = "Availability Set" +``` + Otherwise, to deploy the solution based on Azure Availability Zone: +``` +availability_type = "Availability Zone" +``` +- To enable CloudGuard metrics in order to send statuses and statistics collected from HA instances to the Azure Monitor service: + ``` + enable_custom_metrics = true + ``` +- To create new public IP prefix for the public IP: + ``` + use_public_ip_prefix = true + create_public_ip_prefix = true + ``` +- To use an existing public IP prefix for the public IP: + ``` + use_public_ip_prefix = true + create_public_ip_prefix = false + existing_public_ip_prefix_id = "public IP prefix resource id" + ``` + +## Example + client_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + client_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + tenant_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + subscription_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + source_image_vhd_uri = "noCustomUri" + resource_group_name = "checkpoint-ha-terraform" + cluster_name = "checkpoint-ha-terraform" + location = "eastus" + vnet_name = "checkpoint-ha-vnet" + vnet_resource_group = "existing-vnet" + frontend_subnet_name = "frontend" + backend_subnet_name = "backend" + frontend_IP_addresses = [5, 6, 7] + backend_IP_addresses = [5, 6, 7] + admin_password = "xxxxxxxxxxxx" + smart_1_cloud_token_a = "xxxxxxxxxxxx" + smart_1_cloud_token_b = "xxxxxxxxxxxx" + sic_key = "xxxxxxxxxxxx" + vm_size = "Standard_D3_v2" + disk_size = "110" + vm_os_sku = "sg-byol" + vm_os_offer = "check-point-cg-r8110" + os_version = "R8110" + bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" + allow_upload_download = 
true + authentication_type = "Password" + availability_type = "Availability Zone" + enable_custom_metrics = true + enable_floating_ip = false + use_public_ip_prefix = false + create_public_ip_prefix = false + existing_public_ip_prefix_id = "" + admin_shell = "/etc/cli.sh" + serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + add_storage_account_ip_rules = false + storage_account_additional_ips = [] + +## Revision History +In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +| ---------------- |----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 20240613 | - Updated Azure Terraform provider version
- Updated managed identity permissions
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Added validation for os_version & os_offer | +| | | | +| 20230910 | - R81.20 is the default version | +| | | | +| 20230212 | - Added Smart-1 Cloud support | +| | | | +| 20221124 | - Added R81.20 support
- Upgraded azurerm provider |
+| | | | | |
+| 20220111 | - Added support to select different shells. |
+| | | | | |
+| 20210309 | - Add "source_image_vhd_uri" variable for using a custom development image |
+| | | | | |
+| 20210111 | First release of Check Point CloudGuard IaaS High Availability Terraform deployment into an existing Vnet in Azure. |
+| | | | | |
+| | Addition of "templateType" parameter to "cloud-version" files. |
+| | | | | |
+
+## License
+
+See the [LICENSE](../../LICENSE) file for details
+
diff --git a/deprecated/terraform/azure/R8040-R81/high-availability-existing-vnet/azure_public_key b/deprecated/terraform/azure/R8040-R81/high-availability-existing-vnet/azure_public_key
new file mode 100644
index 00000000..e69de29b
diff --git a/deprecated/terraform/azure/R8040-R81/high-availability-existing-vnet/cloud-init.sh b/deprecated/terraform/azure/R8040-R81/high-availability-existing-vnet/cloud-init.sh
new file mode 100644
index 00000000..0609bfcf
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/high-availability-existing-vnet/cloud-init.sh
@@ -0,0 +1,22 @@
+#!/usr/bin/python3 /etc/cloud_config.py
+
+installationType="${installation_type}"
+allowUploadDownload="${allow_upload_download}"
+osVersion="${os_version}"
+templateName="${template_name}"
+templateVersion="${template_version}"
+templateType="${template_type}"
+isBlink="${is_blink}"
+bootstrapScript64="${bootstrap_script64}"
+location="${location}"
+sicKey="${sic_key}"
+tenantId="${tenant_id}"
+virtualNetwork="${virtual_network}"
+clusterName="${cluster_name}"
+externalPrivateAddresses="${external_private_addresses}"
+customMetrics="${enable_custom_metrics}"
+adminShell="${admin_shell}"
+smart1CloudToken="${smart_1_cloud_token}"
+Vips='[{"name": "cluster-vip", "privateIPAddress": "${external_private_addresses}", "publicIPAddress": "${cluster_name}"}]'
+passwordHash="${serial_console_password_hash}"
+MaintenanceModePassword="${maintenance_mode_password_hash}"
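Review bot: Every value in this file — `sicKey="${sic_key}"`, `smart1CloudToken="${smart_1_cloud_token}"`, `passwordHash="${serial_console_password_hash}"`, `adminShell="${admin_shell}"` and the rest — is substituted verbatim inside a double-quoted assignment, so an input containing a double quote, a backslash or a newline yields a file that the `#!/usr/bin/python3 /etc/cloud_config.py` shebang can no longer parse (for the single-quoted JSON on the `Vips` line the same applies to `'`). The template call that renders this file is outside the hunk, so I cannot see whether those variables are validated upstream; if they are not, either constrain them there or render the values through an escaping function, and in either case add a header comment such as `# Rendered by Terraform: values are inserted verbatim, so inputs must not contain quotes or newlines`. It is also worth a line in the README that the SIC key, the Smart-1 Cloud token and both password hashes are embedded in this file, which presumably travels with the instance as custom data.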
diff --git a/deprecated/terraform/azure/R8040-R81/high-availability-existing-vnet/main.tf b/deprecated/terraform/azure/R8040-R81/high-availability-existing-vnet/main.tf new file mode 100644 index 00000000..cd020475 --- /dev/null +++ b/deprecated/terraform/azure/R8040-R81/high-availability-existing-vnet/main.tf 
@@ -0,0 +1,531 @@ +//********************** Providers **************************// +provider "azurerm" { + + subscription_id = var.subscription_id + client_id = var.client_id + client_secret = var.client_secret + tenant_id = var.tenant_id + + features {} +} + +//********************** Basic Configuration **************************// +module "common" { + source = "../modules/common" + resource_group_name = var.resource_group_name + location = var.location + admin_password = var.admin_password + installation_type = var.installation_type + template_name = var.template_name + template_version = var.template_version + number_of_vm_instances = var.number_of_vm_instances + allow_upload_download = var.allow_upload_download + vm_size = var.vm_size + disk_size = var.disk_size + is_blink = var.is_blink + os_version = var.os_version + vm_os_sku = var.vm_os_sku + vm_os_offer = var.vm_os_offer + authentication_type = var.authentication_type + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash + storage_account_additional_ips = var.storage_account_additional_ips +} + +//********************** Networking **************************// +resource "random_id" "random_id" { + byte_length = 13 + keepers = { + rg_id = module.common.resource_group_id + } +} + +resource "azurerm_public_ip_prefix" "public_ip_prefix" { + count = var.use_public_ip_prefix && var.create_public_ip_prefix ? 
1 : 0 + name = "${module.common.resource_group_name}-ipprefix" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + prefix_length = 30 +} + +data "azurerm_subnet" "frontend" { + name = var.frontend_subnet_name + virtual_network_name = var.vnet_name + resource_group_name = var.vnet_resource_group +} + +data "azurerm_subnet" "backend" { + name = var.backend_subnet_name + virtual_network_name = var.vnet_name + resource_group_name = var.vnet_resource_group +} + +resource "azurerm_public_ip" "public-ip" { + count = 2 + name = "${var.cluster_name}${count.index+1}_IP" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + allocation_method = var.vnet_allocation_method + sku = var.sku + domain_name_label = "${lower(var.cluster_name)}-${count.index+1}-${random_id.random_id.hex}" + public_ip_prefix_id = var.use_public_ip_prefix ? (var.create_public_ip_prefix ? azurerm_public_ip_prefix.public_ip_prefix[0].id : var.existing_public_ip_prefix_id) : null +} + +resource "azurerm_public_ip" "cluster-vip" { + name = var.cluster_name + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + allocation_method = var.vnet_allocation_method + sku = var.sku + domain_name_label = "${lower(var.cluster_name)}-vip-${random_id.random_id.hex}" + public_ip_prefix_id = var.use_public_ip_prefix ? (var.create_public_ip_prefix ? 
azurerm_public_ip_prefix.public_ip_prefix[0].id : var.existing_public_ip_prefix_id) : null +} + +resource "azurerm_network_interface" "nic_vip" { + depends_on = [ + azurerm_public_ip.cluster-vip, + azurerm_public_ip.public-ip] + name = "${var.cluster_name}1-eth0" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + enable_ip_forwarding = true + enable_accelerated_networking = true + + ip_configuration { + name = "ipconfig1" + primary = true + subnet_id = data.azurerm_subnet.frontend.id + private_ip_address_allocation = var.vnet_allocation_method + private_ip_address = cidrhost(data.azurerm_subnet.frontend.address_prefixes[0], var.frontend_IP_addresses[0]) + public_ip_address_id = azurerm_public_ip.public-ip.0.id + } + ip_configuration { + name = "cluster-vip" + subnet_id = data.azurerm_subnet.frontend.id + primary = false + private_ip_address_allocation = var.vnet_allocation_method + private_ip_address = cidrhost(data.azurerm_subnet.frontend.address_prefixes[0], var.frontend_IP_addresses[2]) + public_ip_address_id = azurerm_public_ip.cluster-vip.id + } + lifecycle { + ignore_changes = [ + # Ignore changes to ip_configuration when Re-applying, e.g. because a cluster failover and associating the cluster- vip with the other member. + # updates these based on some ruleset managed elsewhere. 
+ ip_configuration + ] + } +} + +resource "azurerm_network_interface_backend_address_pool_association" "nic_vip_lb_association" { + depends_on = [azurerm_network_interface.nic_vip, azurerm_lb_backend_address_pool.frontend-lb-pool] + network_interface_id = azurerm_network_interface.nic_vip.id + ip_configuration_name = "ipconfig1" + backend_address_pool_id = azurerm_lb_backend_address_pool.frontend-lb-pool.id +} + +resource "azurerm_network_interface" "nic" { + depends_on = [ + azurerm_public_ip.public-ip, + azurerm_lb.frontend-lb] + name = "${var.cluster_name}2-eth0" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + enable_ip_forwarding = true + enable_accelerated_networking = true + + ip_configuration { + name = "ipconfig1" + primary = true + subnet_id = data.azurerm_subnet.frontend.id + private_ip_address_allocation = var.vnet_allocation_method + private_ip_address = cidrhost(data.azurerm_subnet.frontend.address_prefixes[0], var.frontend_IP_addresses[1]) + public_ip_address_id = azurerm_public_ip.public-ip.1.id + } + lifecycle { + ignore_changes = [ + # Ignore changes to ip_configuration when Re-applying, e.g. because a cluster failover and associating the cluster- vip with the other member. + # updates these based on some ruleset managed elsewhere. 
+ ip_configuration + ] + } +} + +resource "azurerm_network_interface_backend_address_pool_association" "nic_lb_association" { + depends_on = [azurerm_network_interface.nic, azurerm_lb_backend_address_pool.frontend-lb-pool] + network_interface_id = azurerm_network_interface.nic.id + ip_configuration_name = "ipconfig1" + backend_address_pool_id = azurerm_lb_backend_address_pool.frontend-lb-pool.id +} + +resource "azurerm_network_interface" "nic1" { + depends_on = [ + azurerm_lb.backend-lb] + count = 2 + name = "${var.cluster_name}${count.index+1}-eth1" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + enable_ip_forwarding = true + enable_accelerated_networking = true + + ip_configuration { + name = "ipconfig2" + subnet_id = data.azurerm_subnet.backend.id + private_ip_address_allocation = var.vnet_allocation_method + private_ip_address = cidrhost(data.azurerm_subnet.backend.address_prefixes[0], var.backend_IP_addresses[count.index+1]) + } +} + +resource "azurerm_network_interface_backend_address_pool_association" "nic1_lb_association" { + depends_on = [azurerm_network_interface.nic1, azurerm_lb_backend_address_pool.backend-lb-pool] + count = 2 + network_interface_id = azurerm_network_interface.nic1[count.index].id + ip_configuration_name = "ipconfig2" + backend_address_pool_id = azurerm_lb_backend_address_pool.backend-lb-pool.id +} + +//********************** Load Balancers **************************// +resource "azurerm_public_ip" "public-ip-lb" { + name = "frontend_lb_ip" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + allocation_method = var.vnet_allocation_method + sku = var.sku + domain_name_label = "${lower(var.cluster_name)}-${random_id.random_id.hex}" + public_ip_prefix_id = var.use_public_ip_prefix ? (var.create_public_ip_prefix ? 
azurerm_public_ip_prefix.public_ip_prefix[0].id : var.existing_public_ip_prefix_id) : null +} + +resource "azurerm_lb" "frontend-lb" { + depends_on = [ + azurerm_public_ip.public-ip-lb] + name = "frontend-lb" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + sku = var.sku + + frontend_ip_configuration { + name = "LoadBalancerFrontend" + public_ip_address_id = azurerm_public_ip.public-ip-lb.id + } +} + +resource "azurerm_lb_backend_address_pool" "frontend-lb-pool" { + loadbalancer_id = azurerm_lb.frontend-lb.id + name = "frontend-lb-pool" +} + +resource "azurerm_lb" "backend-lb" { + name = "backend-lb" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + sku = var.sku + frontend_ip_configuration { + name = "backend-lb" + subnet_id = data.azurerm_subnet.backend.id + private_ip_address_allocation = var.vnet_allocation_method + private_ip_address = cidrhost(data.azurerm_subnet.backend.address_prefixes[0], var.backend_IP_addresses[0]) + } +} + +resource "azurerm_lb_backend_address_pool" "backend-lb-pool" { + name = "backend-lb-pool" + loadbalancer_id = azurerm_lb.backend-lb.id +} + +resource "azurerm_lb_probe" "azure_lb_healprob" { + count = 2 + loadbalancer_id = count.index == 0 ? 
azurerm_lb.frontend-lb.id : azurerm_lb.backend-lb.id + name = var.lb_probe_name + protocol = var.lb_probe_protocol + port = var.lb_probe_port + interval_in_seconds = var.lb_probe_interval + number_of_probes = var.lb_probe_unhealthy_threshold +} + +resource "azurerm_lb_rule" "backend_lb_rules" { + loadbalancer_id = azurerm_lb.backend-lb.id + name = "backend-lb" + protocol = "All" + frontend_port = 0 + backend_port = 0 + frontend_ip_configuration_name = "backend-lb" + load_distribution = "Default" + backend_address_pool_ids = [azurerm_lb_backend_address_pool.backend-lb-pool.id] + probe_id = azurerm_lb_probe.azure_lb_healprob[1].id + enable_floating_ip = var.enable_floating_ip +} + +//********************** Availability Set **************************// +locals { + availability_set_condition = var.availability_type == "Availability Set" ? true : false + SSH_authentication_type_condition = var.authentication_type == "SSH Public Key" ? true : false +} +resource "azurerm_availability_set" "availability-set" { + count = local.availability_set_condition ? 
1 : 0 + name = "${var.cluster_name}-AvailabilitySet" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + platform_fault_domain_count = 2 + platform_update_domain_count = 5 + managed = true +} + +//********************** Storage accounts **************************// +// Generate random text for a unique storage account name +resource "random_id" "randomId" { + keepers = { + # Generate a new ID only when a new resource group is defined + resource_group = module.common.resource_group_name + } + byte_length = 8 +} +resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { + name = "bootdiag${random_id.randomId.hex}" + resource_group_name = module.common.resource_group_name + location = module.common.resource_group_location + account_tier = module.common.storage_account_tier + account_replication_type = module.common.account_replication_type + network_rules { + default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow" + ip_rules = module.common.storage_account_ip_rules + } + blob_properties { + delete_retention_policy { + days = "15" + } + } +} + +//********************** Virtual Machines **************************// +locals { + custom_image_condition = var.source_image_vhd_uri == "noCustomUri" ? false : true +} + +resource "azurerm_image" "custom-image" { + count = local.custom_image_condition ? 1 : 0 + name = "custom-image" + location = var.location + resource_group_name = module.common.resource_group_name + + os_disk { + os_type = "Linux" + os_state = "Generalized" + blob_uri = var.source_image_vhd_uri + } +} +resource "azurerm_virtual_machine" "vm-instance-availability-set" { + depends_on = [ + azurerm_network_interface.nic, + azurerm_network_interface.nic1, + azurerm_network_interface.nic_vip] + count = local.availability_set_condition ? 
module.common.number_of_vm_instances : 0 + name = "${var.cluster_name}${count.index+1}" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + availability_set_id = local.availability_set_condition ? azurerm_availability_set.availability-set[0].id : "" + vm_size = module.common.vm_size + network_interface_ids = count.index == 0 ? [ + azurerm_network_interface.nic_vip.id, + azurerm_network_interface.nic1.0.id] : [ + azurerm_network_interface.nic.id, + azurerm_network_interface.nic1.1.id] + delete_os_disk_on_termination = module.common.delete_os_disk_on_termination + primary_network_interface_id = count.index == 0 ? azurerm_network_interface.nic_vip.id : azurerm_network_interface.nic.id + identity { + type = module.common.vm_instance_identity + } + storage_image_reference { + id = local.custom_image_condition ? azurerm_image.custom-image[0].id : null + publisher = local.custom_image_condition ? null : module.common.publisher + offer = module.common.vm_os_offer + sku = module.common.vm_os_sku + version = module.common.vm_os_version + } + + storage_os_disk { + name = "${var.cluster_name}-${count.index+1}" + create_option = module.common.storage_os_disk_create_option + caching = module.common.storage_os_disk_caching + managed_disk_type = module.common.storage_account_type + disk_size_gb = module.common.disk_size + } + + dynamic "plan" { + for_each = local.custom_image_condition ? 
[ + ] : [1] + content { + name = module.common.vm_os_sku + publisher = module.common.publisher + product = module.common.vm_os_offer + } + } + + os_profile { + computer_name = "${var.cluster_name}${count.index+1}" + admin_username = module.common.admin_username + admin_password = module.common.admin_password + custom_data = templatefile("${path.module}/cloud-init.sh", { + installation_type = module.common.installation_type + allow_upload_download = module.common.allow_upload_download + os_version = module.common.os_version + template_name = module.common.template_name + template_version = module.common.template_version + template_type = "terraform" + is_blink = module.common.is_blink + bootstrap_script64 = base64encode(var.bootstrap_script) + location = module.common.resource_group_location + sic_key = var.sic_key + tenant_id = var.tenant_id + virtual_network = var.vnet_name + cluster_name = var.cluster_name + external_private_addresses = azurerm_network_interface.nic_vip.ip_configuration[1].private_ip_address + enable_custom_metrics = var.enable_custom_metrics ? "yes" : "no" + admin_shell = var.admin_shell + smart_1_cloud_token = count.index == 0 ? var.smart_1_cloud_token_a : var.smart_1_cloud_token_b + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash + }) + } + + os_profile_linux_config { + disable_password_authentication = local.SSH_authentication_type_condition + + dynamic "ssh_keys" { + for_each = local.SSH_authentication_type_condition ? [ + 1] : [] + content { + path = "/home/notused/.ssh/authorized_keys" + key_data = file("${path.module}/azure_public_key") + } + } + } + + boot_diagnostics { + enabled = module.common.boot_diagnostics + storage_uri = module.common.boot_diagnostics ? 
join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : "" + } +} + +resource "azurerm_virtual_machine" "vm-instance-availability-zone" { + depends_on = [ + azurerm_network_interface.nic, + azurerm_network_interface.nic1, + azurerm_network_interface.nic_vip] + count = local.availability_set_condition ? 0 : module.common.number_of_vm_instances + name = "${var.cluster_name}${count.index+1}" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + zones = [ + count.index+1] + vm_size = module.common.vm_size + network_interface_ids = count.index == 0 ? [ + azurerm_network_interface.nic_vip.id, + azurerm_network_interface.nic1.0.id] : [ + azurerm_network_interface.nic.id, + azurerm_network_interface.nic1.1.id] + delete_os_disk_on_termination = module.common.delete_os_disk_on_termination + primary_network_interface_id = count.index == 0 ? azurerm_network_interface.nic_vip.id : azurerm_network_interface.nic.id + identity { + type = module.common.vm_instance_identity + } + storage_image_reference { + id = local.custom_image_condition ? azurerm_image.custom-image[0].id : null + publisher = local.custom_image_condition ? null : module.common.publisher + offer = module.common.vm_os_offer + sku = module.common.vm_os_sku + version = module.common.vm_os_version + } + + storage_os_disk { + name = "${var.cluster_name}-${count.index+1}" + create_option = module.common.storage_os_disk_create_option + caching = module.common.storage_os_disk_caching + managed_disk_type = module.common.storage_account_type + disk_size_gb = module.common.disk_size + } + + dynamic "plan" { + for_each = local.custom_image_condition ? 
[ + ] : [1] + content { + name = module.common.vm_os_sku + publisher = module.common.publisher + product = module.common.vm_os_offer + } + } + + os_profile { + computer_name = "${var.cluster_name}${count.index+1}" + admin_username = module.common.admin_username + admin_password = module.common.admin_password + custom_data = templatefile("${path.module}/cloud-init.sh", { + installation_type = module.common.installation_type + allow_upload_download = module.common.allow_upload_download + os_version = module.common.os_version + template_name = module.common.template_name + template_version = module.common.template_version + template_type = "terraform" + is_blink = module.common.is_blink + bootstrap_script64 = base64encode(var.bootstrap_script) + location = module.common.resource_group_location + sic_key = var.sic_key + tenant_id = var.tenant_id + virtual_network = var.vnet_name + cluster_name = var.cluster_name + external_private_addresses = azurerm_network_interface.nic_vip.ip_configuration[1].private_ip_address + enable_custom_metrics = var.enable_custom_metrics ? "yes" : "no" + admin_shell = var.admin_shell + smart_1_cloud_token = count.index == 0 ? var.smart_1_cloud_token_a : var.smart_1_cloud_token_b + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash + }) + } + + os_profile_linux_config { + disable_password_authentication = local.SSH_authentication_type_condition + + dynamic "ssh_keys" { + for_each = local.SSH_authentication_type_condition ? [ + 1] : [] + content { + path = "/home/notused/.ssh/authorized_keys" + key_data = file("${path.module}/azure_public_key") + } + } + } + + boot_diagnostics { + enabled = module.common.boot_diagnostics + storage_uri = module.common.boot_diagnostics ? 
join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : "" + } +} +//********************** Role Assigments **************************// +data "azurerm_role_definition" "virtual_machine_contributor_role_definition" { + name = "Virtual Machine Contributor" +} +data "azurerm_role_definition" "reader_role_definition" { + name = "Reader" +} +data "azurerm_client_config" "client_config" { +} +resource "azurerm_role_assignment" "cluster_virtual_machine_contributor_assignment" { + count = 2 + lifecycle { + ignore_changes = [ + role_definition_id, principal_id + ] + } + scope = module.common.resource_group_id + role_definition_id = data.azurerm_role_definition.virtual_machine_contributor_role_definition.id + principal_id = local.availability_set_condition ? lookup(azurerm_virtual_machine.vm-instance-availability-set[count.index].identity[0], "principal_id") : lookup(azurerm_virtual_machine.vm-instance-availability-zone[count.index].identity[0], "principal_id") +} +resource "azurerm_role_assignment" "cluster_reader_assigment" { + count = 2 + lifecycle { + ignore_changes = [ + role_definition_id, principal_id + ] + } + scope = module.common.resource_group_id + role_definition_id = data.azurerm_role_definition.reader_role_definition.id + principal_id = local.availability_set_condition ? lookup(azurerm_virtual_machine.vm-instance-availability-set[count.index].identity[0], "principal_id") : lookup(azurerm_virtual_machine.vm-instance-availability-zone[count.index].identity[0], "principal_id") +} \ No newline at end of file diff --git a/deprecated/terraform/azure/R8040-R81/high-availability-existing-vnet/terraform.tfvars b/deprecated/terraform/azure/R8040-R81/high-availability-existing-vnet/terraform.tfvars new file mode 100644 index 00000000..e235eaa9 --- /dev/null +++ b/deprecated/terraform/azure/R8040-R81/high-availability-existing-vnet/terraform.tfvars 
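Review bot: `cluster_virtual_machine_contributor_assignment` grants each cluster member's managed identity Virtual Machine Contributor on the entire resource group (`scope = module.common.resource_group_id`), which lets either member reconfigure, run commands on, or delete every VM in that group rather than only what a failover needs; presumably failover only has to re-point the VIP and public IPs between the two NICs, so consider scoping this assignment (and the Reader one in `cluster_reader_assigment`) to the cluster's own NIC and public-IP resources or a dedicated resource group. Both `azurerm_role_assignment` blocks also set `ignore_changes = [role_definition_id, principal_id]`, so if those bindings are altered out of band Terraform will never reconcile them; a comment should say why drift is tolerated here. Separately, `vm-boot-diagnostics-storage` sets `default_action = "Allow"` whenever `add_storage_account_ip_rules` is false, which is that variable's default, leaving the boot-diagnostics account reachable from any network; `"Deny"` with the deployer's addresses in `ip_rules` would be the safer baseline.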
@@ -0,0 +1,38 @@
+#PLEASE refer to the README.md for accepted values FOR THE VARIABLES BELOW
+client_secret = "PLEASE ENTER CLIENT SECRET" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+client_id = "PLEASE ENTER CLIENT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+tenant_id = "PLEASE ENTER TENANT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+subscription_id = "PLEASE ENTER SUBSCRIPTION ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+source_image_vhd_uri = "PLEASE ENTER SOURCE IMAGE VHD URI OR noCustomUri" # "noCustomUri"
+resource_group_name = "PLEASE ENTER RESOURCE GROUP NAME" # "checkpoint-ha-terraform"
+cluster_name = "PLEASE ENTER CLUSTER NAME" # "checkpoint-ha-terraform"
+location = "PLEASE ENTER LOCATION" # "eastus"
+vnet_name = "PLEASE ENTER VIRTUAL NETWORK NAME" # "checkpoint-ha-vnet"
+vnet_resource_group = "PLEASE ENTER VIRTUAL NETWORK'S RESOURCE GROUP NAME" # "existing-vnet"
+frontend_subnet_name = "PLEASE ENTER EXTERNAL SUBNET NAME" # "frontend"
+backend_subnet_name = "PLEASE ENTER INTERNAL SUBNET NAME" # "backend"
+frontend_IP_addresses = "PLEASE ENTER 3 FRONTEND IP ADDRESS POSITIONAL NUMBER" # [5, 6, 7]
+backend_IP_addresses = "PLEASE ENTER 3 BACKEND IP ADDRESSES POSITIONAL NUMBERS" # [5, 6, 7]
+admin_password = "PLEASE ENTER ADMIN PASSWORD" # "xxxxxxxxxxxx"
+smart_1_cloud_token_a = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL" # ""
+smart_1_cloud_token_b = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL" # ""
+sic_key = "PLEASE ENTER SIC KEY" # "xxxxxxxxxxxx"
+vm_size = "PLEASE ENTER VM SIZE" # "Standard_D3_v2"
+disk_size = "PLEASE ENTER DISK SIZE" # "110"
+vm_os_sku = "PLEASE ENTER VM SKU" # "sg-byol"
+vm_os_offer = "PLEASE ENTER VM OFFER" # "check-point-cg-r8110"
+os_version = "PLEASE ENTER GAIA OS VERSION" # "R8110"
+bootstrap_script = "PLEASE ENTER CUSTOM SCRIPT OR LEAVE EMPTY DOUBLE QUOTES" # "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
+allow_upload_download = "PLEASE ENTER true or false" # true
+authentication_type = "PLEASE ENTER AUTHENTICATION TYPE" # "Password"
+availability_type = "PLEASE ENTER AVAILABILITY TYPE" # "Availability Zone"
+enable_custom_metrics = "PLEASE ENTER true or false" # true
+enable_floating_ip = "PLEASE ENTER true or false" # false
+use_public_ip_prefix = "PLEASE ENTER true or false" # false
+create_public_ip_prefix = "PLEASE ENTER true or false" # false
+existing_public_ip_prefix_id = "PLEASE ENTER IP PREFIX RESOURCE ID" # ""
+admin_shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh"
+serial_console_password_hash = "PLEASE ENTER SERIAL CONSOLE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+add_storage_account_ip_rules = "PLEASE ENTER true or false" # false
+storage_account_additional_ips = "PLEASE ENTER A LIST OF VALID IPS/CIDRS" # []
\ No newline at end of file
diff --git a/deprecated/terraform/azure/R8040-R81/high-availability-existing-vnet/variables.tf b/deprecated/terraform/azure/R8040-R81/high-availability-existing-vnet/variables.tf
new file mode 100644
index 00000000..c11fa238
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/high-availability-existing-vnet/variables.tf
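Review bot: This committed `terraform.tfvars` directs users to paste `client_secret`, `admin_password`, `sic_key`, both Smart-1 Cloud tokens and the password hashes inline, which makes an accidental commit of the populated file the most likely way these credentials leak; nothing on this page shows the file being excluded from version control. The provider credentials can instead be supplied through `ARM_CLIENT_ID`, `ARM_CLIENT_SECRET`, `ARM_TENANT_ID` and `ARM_SUBSCRIPTION_ID`, and the remaining secrets through `TF_VAR_<name>` environment variables or a separate untracked `*.auto.tfvars`; a header comment such as `# Do not commit this file once populated; prefer ARM_*/TF_VAR_* environment variables for secrets` would make that expectation explicit. The placeholder for `frontend_IP_addresses` is a string while the variable is typed `list(number)`, so leaving it untouched fails at plan time rather than silently deploying, which is worth stating in the comment beside it.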
@@ -0,0 +1,339 @@ +//********************** Basic Configuration Variables **************************// +variable "cluster_name" { + description = "Cluster name" + type = string +} + +variable "resource_group_name" { + description = "Azure Resource Group name to build into" + type = string +} + +variable "location" { + description = "The location/region where resources will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions" + type = string +} + +//********************** Virtual Machine Instances Variables **************************// +variable "availability_type" { + description = "Specifies whether to deploy the solution based on Azure Availability Set or based on Azure Availability Zone." + type = string + default = "Availability Zone" +} + +locals { // locals for 'availability_type' allowed values + availability_type_allowed_values = [ + "Availability Zone", + "Availability Set" + ] + // will fail if [var.availability_type] is invalid: + validate_availability_type_value = index(local.availability_type_allowed_values, var.availability_type) +} + +variable "source_image_vhd_uri" { + type = string + description = "The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images." + default = "noCustomUri" +} + +variable "admin_username" { + description = "Administrator username of deployed VM. Due to Azure limitations 'notused' name can be used" + default = "notused" +} + +variable "admin_password" { + description = "Administrator password of deployed Virtual Machine. 
The password must meet the complexity requirements of Azure" + type = string +} + +variable "serial_console_password_hash" { + description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type" + type = string +} + +variable "maintenance_mode_password_hash" { + description = "Maintenance mode password hash, relevant only for R81.20 and higher versions" + type = string +} + +variable "smart_1_cloud_token_a" { + description = "Smart-1 Cloud Token, for configuring member A" + type = string +} + +variable "smart_1_cloud_token_b" { + description = "Smart-1 Cloud Token, for configuring member B" + type = string +} + +variable "sic_key" { + description = "Secure Internal Communication(SIC) key" + type = string +} +resource "null_resource" "sic_key_invalid" { + count = length(var.sic_key) >= 12 ? 0 : "SIC key must be at least 12 characters long" +} + +variable "template_name" { + description = "Template name. Should be defined according to deployment type(ha, vmss)" + type = string + default = "ha_terraform" +} + +variable "template_version" { + description = "Template version. It is recommended to always use the latest template version" + type = string + default = "20230910" +} + +variable "installation_type" { + description = "Installation type" + type = string + default = "cluster" +} + +variable "number_of_vm_instances" { + description = "Number of VM instances to deploy " + type = string + default = "2" +} + +variable "vm_size" { + description = "Specifies size of Virtual Machine" + type = string +} + +variable "disk_size" { + description = "Storage data disk size size(GB). 
Select a number between 100 and 3995" + type = string +} + +variable "os_version" { + description = "GAIA OS version" + type = string +} + +locals { // locals for 'vm_os_offer' allowed values + os_version_allowed_values = [ + "R8040", + "R81", + "R8110", + "R8120" + ] + // will fail if [var.os_version] is invalid: + validate_os_version_value = index(local.os_version_allowed_values, var.os_version) +} + +variable "vm_os_sku" { + description = "The sku of the image to be deployed." + type = string +} + +variable "vm_os_offer" { + description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8040, check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" + type = string +} + +locals { // locals for 'vm_os_offer' allowed values + vm_os_offer_allowed_values = [ + "check-point-cg-r8040", + "check-point-cg-r81", + "check-point-cg-r8110", + "check-point-cg-r8120" + ] + // will fail if [var.vm_os_offer] is invalid: + validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer) +} + +variable "authentication_type" { + description = "Specifies whether a password authentication or SSH Public Key authentication should be used" + type = string +} +locals { // locals for 'authentication_type' allowed values + authentication_type_allowed_values = [ + "Password", + "SSH Public Key" + ] + // will fail if [var.authentication_type] is invalid: + validate_authentication_type_value = index(local.authentication_type_allowed_values, var.authentication_type) +} + +variable "allow_upload_download" { + description = "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point" + type = bool +} + +variable "is_blink" { + description = "Define if blink image is used for deployment" + default = true +} + +variable "admin_shell" { + description = "The admin shell to configure on machine or the first time" + type = string + default = "/etc/cli.sh" +} + +locals { + admin_shell_allowed_values = [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh" + ] + // Will fail if [var.admin_shell] is invalid + validate_admin_shell_value = index(local.admin_shell_allowed_values, var.admin_shell) +} + +//********************** Networking Variables **************************// +variable "vnet_name" { + description = "Virtual Network name" + type = string +} + +variable "vnet_resource_group" { + description = "Resource group of existing vnet" + type = string +} + +variable "frontend_subnet_name" { + description = "Frontend subnet name" + type = string +} + +variable "backend_subnet_name" { + description = "Backend subnet name" + type = string +} + +variable "frontend_IP_addresses" { + description = "A list of three whole numbers representing the private ip addresses of the members eth0 NICs and the cluster vip ip addresses. The numbers can be represented as binary integers with no more than the number of digits remaining in the address after the given frontend subnet prefix. The IP addresses are defined by their position in the frontend subnet." + type = list(number) +} + +variable "backend_IP_addresses" { + description = "A list of three whole numbers representing the private ip addresses of the members eth1 NICs and the backend lb ip addresses. The numbers can be represented as binary integers with no more than the number of digits remaining in the address after the given backend subnet prefix. The IP addresses are defined by their position in the backend subnet." 
+ type = list(number) +} + +variable "vnet_allocation_method" { + description = "IP address allocation method" + type = string + default = "Static" +} + +variable "lb_probe_name" { + description = "Name to be used for lb health probe" + default = "health_prob_port" +} + +variable "lb_probe_port" { + description = "Port to be used for load balancer health probes and rules" + default = "8117" +} + +variable "lb_probe_protocol" { + description = "Protocols to be used for load balancer health probes and rules" + default = "Tcp" +} + +variable "lb_probe_unhealthy_threshold" { + description = "Number of times load balancer health probe has an unsuccessful attempt before considering the endpoint unhealthy." + default = 2 +} + +variable "lb_probe_interval" { + description = "Interval in seconds load balancer health probe rule performs a check" + default = 5 +} + +variable "bootstrap_script" { + description = "An optional script to run on the initial boot" + #example: + #"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" +} + +variable "add_storage_account_ip_rules" { + type = bool + default = false + description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location" +} + +variable "storage_account_additional_ips" { + type = list(string) + description = "IPs/CIDRs that are allowed access to the Storage Account" + default = [] +} +//********************** Credentials **************************// +variable "tenant_id" { + description = "Tenant ID" + type = string +} + +variable "subscription_id" { + description = "Subscription ID" + type = string +} + +variable "client_id" { + description = "Application ID(Client ID)" + type = string +} + +variable "client_secret" { + description = "A secret string that the application uses to prove its identity when requesting a token. Also can be referred to as application password." 
+ type = string +} + +variable "sku" { + description = "SKU" + type = string + default = "Standard" +} + +variable "enable_custom_metrics" { + description = "Indicates whether CloudGuard Metrics will be use for Cluster members monitoring." + type = bool + default = true +} + +variable "enable_floating_ip" { + description = "Indicates whether the load balancers will be deployed with floating IP." + type = bool + default = false +} + +variable "use_public_ip_prefix" { + description = "Indicates whether the public IP resources will be deployed with public IP prefix." + type = bool + default = false +} + +variable "create_public_ip_prefix" { + description = "Indicates whether the public IP prefix will created or an existing will be used." + type = bool + default = false +} + +variable "existing_public_ip_prefix_id" { + description = "The existing public IP prefix resource id." + type = string + default = "" +} + +locals{ + # Validate both s1c tokens are used or both empty + is_both_tokens_used = length(var.smart_1_cloud_token_a) > 0 == length(var.smart_1_cloud_token_b) > 0 + validation_message_both = "To connect to Smart-1 Cloud, you must provide two tokens (one per member)" + _ = regex("^$", (local.is_both_tokens_used ? "" : local.validation_message_both)) + + is_tokens_used = length(var.smart_1_cloud_token_a) > 0 + # Validate both s1c tokens are unqiue + token_parts_a = split(" ",var.smart_1_cloud_token_a) + token_parts_b = split(" ",var.smart_1_cloud_token_b) + acutal_token_a = local.token_parts_a[length(local.token_parts_a) - 1] + acutal_token_b = local.token_parts_b[length(local.token_parts_b) - 1] + is_both_tokens_the_same = local.acutal_token_a == local.acutal_token_b + validation_message_unique = "Same Smart-1 Cloud token used for both memeber, you must provide unique token for each member" + __ = local.is_tokens_used ? regex("^$", (local.is_both_tokens_the_same ? local.validation_message_unique : "")) : "" +} \ No newline at end of file 
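Review bot: `client_secret`, `admin_password`, `sic_key`, `smart_1_cloud_token_a`/`_b`, `serial_console_password_hash` and `maintenance_mode_password_hash` are declared without `sensitive = true`, so their values can be echoed in plan and apply output and in error messages that reference them; versions.tf pins `required_version = ">= 0.14.3"`, where the attribute is available, so add `sensitive = true` to each of those blocks. Marking them sensitive does not remove them from the state file, which the descriptions should say so operators protect the state backend accordingly. The `null_resource "sic_key_invalid"` count trick and the `regex("^$", ...)` locals near the end only fail with an opaque type-conversion error; a `validation` block on the variable with `condition = length(var.sic_key) >= 12` and `error_message = "SIC key must be at least 12 characters long"` performs the same check with a readable message.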
diff --git a/deprecated/terraform/azure/R8040-R81/high-availability-existing-vnet/versions.tf b/deprecated/terraform/azure/R8040-R81/high-availability-existing-vnet/versions.tf
new file mode 100644
index 00000000..0d5ca4f3
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/high-availability-existing-vnet/versions.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~> 3.81.0"
+ }
+ random = {
+ version = "~> 3.5.1"
+ }
+ }
+}
\ No newline at end of file
diff --git a/deprecated/terraform/azure/R8040-R81/high-availability-new-vnet/README.md b/deprecated/terraform/azure/R8040-R81/high-availability-new-vnet/README.md
new file mode 100644
index 00000000..51153c0a
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/high-availability-new-vnet/README.md
@@ -0,0 +1,242 @@ +# Check Point CloudGuard IaaS High Availability Terraform deployment for Azure + +This Terraform module deploys Check Point CloudGuard IaaS High Availability solution into a new Vnet in Azure. +As part of the deployment the following resources are created: +- Resource group +- Virtual network +- Network security group +- System assigned identity +- Availability Set - conditional creation + +For additional information, +please see the [CloudGuard Network for Azure High Availability Cluster Deployment Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_Azure_HA_Cluster/Default.htm) + +This solution uses the following modules: +- /terraform/azure/modules/common - used for creating a resource group and defining common variables. +- /terraform/azure/modules/vnet - used for creating new virtual network and subnets. +- /terraform/azure/modules/network-security-group - used for creating new network security groups and rules. + + +## Configurations +- Install and configure Terraform to provision Azure resources: [Configure Terraform for Azure](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/terraform-install-configure) +- In order to use ssh connection to VMs, it is **required** to add a public key to the /terraform/azure/high-availability-new-vnet/azure_public_key file. + +## Usage +- Choose the preferred login method to Azure in order to deploy the solution: +
1. Using Service Principal: + - Create a [Service Principal](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal) (or use the existing one) + - Grant the Service Principal at least "**Managed Application Contributor**", "**Storage Account Contributor**", "**Network Contributor**", "**Virtual Machine Contributor**", "**User Access Administrator**" permissions to the Azure subscription
+ - The Service Principal credentials can be stored either in the terraform.tfvars or as [Environment Variables](https://www.terraform.io/docs/providers/azuread/guides/service_principal_client_secret.html)
+ + In case the Environment Variables are used, perform modifications described below:
+ + a. The next lines in the main.tf file, in the provider azurerm resource, need to be deleted or commented: + + provider "azurerm" { + + // subscription_id = var.subscription_id + // client_id = var.client_id + // client_secret = var.client_secret + // tenant_id = var.tenant_id + + features {} + } + + b. In the terraform.tfvars file leave empty double quotes for client_secret, client_id , tenant_id and subscription_id variables: + + client_secret = "" + client_id = "" + tenant_id = "" + subscription_id = "" + +
2. Using **az** commands from a command-line: + - Run **az login** command + - Sign in with your account credentials in the browser + - [Accept Azure Marketplace image terms](https://docs.microsoft.com/en-us/cli/azure/vm/image/terms?view=azure-cli-latest) by running: +
**az vm image terms accept --urn publisher:offer:sku:version**, where: + - publisher = checkpoint; + - offer = vm_os_offer (see accepted values in the table below); + - sku = vm_os_sku (see accepted values in the table below); + - version = latest
+
Example:
+ az vm image terms accept --urn checkpoint:check-point-cg-r8040:sg-byol:latest + + - In the terraform.tfvars file leave empty double quotes for client_secret, client_id and tenant_id variables. + +- Fill all variables in the /terraform/azure/high-availability-new-vnet/terraform.tfvars file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + + terraform init +- Create an execution plan: + + terraform plan +- Create or modify the deployment: + + terraform apply + +### terraform.tfvars variables: + | Name | Description | Type | Allowed values | Default | + | ------------- | ------------- |----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------|---------| ------------- | + | **client_secret** | The client secret of the Service Principal used to deploy the solution | string | | n/a | + | | | | | | + | **client_id** | The client ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | | n/a + | | | | | | + | **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images | string | | "noCustomUri" + | | | | | | + | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | n/a | + | | | | | | + | **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | n/a | + | | | | | | + | **cluster_name** | The name of the Check Point Cluster Object | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long | n/a | + | | | | | | + | **vnet_name** | The name of virtual network that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | n/a | + | | | | | | + | **address_space** | The address prefixes of the virtual network | string | Valid CIDR block | "10.0.0.0/16" | + | | | | | | + | **subnet_prefixes** | The address prefixes to be used for created subnets | string | The subnets need to 
contain within the address space for this virtual network(defined by address_space variable) | ["10.0.0.0/24", "10.0.1.0/24"] | + | | | | | | + | **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | n/a | + | | | | | | + | **smart_1_cloud_token_a** | Smart-1 Cloud token to connect automatically ***Member A*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a | | + | | | | | | + | **smart_1_cloud_token_b** | Smart-1 Cloud token to connect automatically ***Member B*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a | | + | | | | | | + | **sic_key** | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | n/a | + | | | | | | + | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", 
"Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | n/a + | | | | | | + | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | n/a | + | | | | | | + | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license;| n/a | + | | | | | | + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a | + | | | | | | + | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120"; | n/a | + | | | | | | + | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | n/a | + | | | | | | + | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | n/a | + | | | | | | + | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | n/a | + | | | | | | + | **availability_type** | Specifies whether to deploy the solution based on Azure Availability Set or based on Azure Availability Zone | string | "Availability Zone";
"Availability Set"; | "Availability Zone" | + | | | | | | + | **enable_custom_metrics** | Indicates whether CloudGuard Metrics will be use for Cluster members monitoring | boolean | true;
false; | true | + | | | | | | + | **enable_floating_ip** | Indicates whether the load balancers will be deployed with floating IP | boolean | true;
false; | false | + | | | | | | + | **use_public_ip_prefix** | Indicates whether the public IP resources will be deployed with public IP prefix | boolean | true;
false; | false| + | | | | | | + | **create_public_ip_prefix** | Indicates whether the public IP prefix will created or an existing will be used | boolean | true;
false; | false | + | | | | | | + | **existing_public_ip_prefix_id** | The existing public IP prefix resource id | string | Existing public IP prefix resource id | ""| + | | | | | | + | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | "/etc/cli.sh" | + | | | | | | + | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here | string | | n/a + | | | | | | + | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | | n/a + | | | | | | + | **nsg_id** | Optional ID for a Network Security Group that already exists in Azure, if not provided, will create a default NSG | string | Existing NSG resource ID | "" | + | | | | | | + | **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false; | false + | | | | | | + | **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs | [] + + +## Conditional creation +- To deploy the solution based on Azure Availability Set and create a new Availability Set for the virtual machines: +``` +availability_type = "Availability Set" +``` + Otherwise, to deploy the solution based on Azure Availability Zone: +``` +availability_type = "Availability Zone" +``` +- To enable CloudGuard metrics in order to send statuses and statistics collected from HA instances to the Azure Monitor service: + ``` + enable_custom_metrics = true + ``` +- To create new public IP prefix for the public IP: + ``` + use_public_ip_prefix = true + create_public_ip_prefix = true + ``` +- To use an exisiting public IP prefix for the public IP: + ``` + use_public_ip_prefix = true + create_public_ip_prefix = false + existing_public_ip_prefix_id = "public IP prefix resource id" + ``` + +## Example + client_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + client_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + tenant_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + subscription_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + source_image_vhd_uri = "noCustomUri" + resource_group_name = "checkpoint-ha-terraform" + cluster_name = "checkpoint-ha-terraform" + location = "eastus" + vnet_name = "checkpoint-ha-vnet" + address_space = "10.0.0.0/16" + subnet_prefixes = ["10.0.1.0/24","10.0.2.0/24"] + admin_password = "xxxxxxxxxxxx" + smart_1_cloud_token_a = "xxxxxxxxxxxx" + smart_1_cloud_token_b = "xxxxxxxxxxxx" + sic_key = "xxxxxxxxxxxx" + vm_size = "Standard_D3_v2" + disk_size = "110" + vm_os_sku = "sg-byol" + vm_os_offer = "check-point-cg-r8110" + os_version = "R8110" + bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" + allow_upload_download = true + authentication_type = "Password" + availability_type = "Availability Zone" + 
enable_custom_metrics = true + enable_floating_ip = false + use_public_ip_prefix = false + create_public_ip_prefix = false + existing_public_ip_prefix_id = "" + admin_shell = "/etc/cli.sh" + serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + nsg_id = "" + add_storage_account_ip_rules = false + storage_account_additional_ips = [] + +## Revision History +In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +| ---------------- | ------------- | +| 20240613 | - Updated Azure Terraform provider version
- Updated managed identity permissions
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Added validation for os_version & os_offer | +| | | | +| 20230910 | - R81.20 is the default version | +| | | | +| 20230212 | - Added Smart-1 Cloud support | +| | | | +| 20221124 | - Added R81.20 support
- Upgraded azurerm provider | +| | | | +| 20220111 | - Added support to select different shells | +| | | | +| 20210309 | - Add "source_image_vhd_uri" variable for using a custom development image | +| | | | +| 20210111 |- Update terraform version to 0.14.3
- Update azurerm version to 2.17.0
- Add authentication_type variable for choosing the authentication type.
- Merge ha-availability-set-new-vnet and ha-availability-zones-new-vnet deployments to one deployment.
- Adding support for R81.
- Add support to CloudGuards metrics.
- Update resources for NSG https://github.com/CheckPointSW/CloudGuardIaaS/issues/67
- The cluster member current state is kept when redeploying.
- Avoid role-assignment re-creation when re-apply | +| | | | +| 20200508 |- Add backend load balancer rules resource.
- Rename the health probe for the backend load balancer.
- Rename the template name to "ha" | +| | | | +| 20200305 | First release of Check Point CloudGuard IaaS High Availability Terraform deployment for Azure | +| | | | +| | Addition of "templateType" parameter to "cloud-version" files | +| | | | + +## License + +See the [LICENSE](../../LICENSE) file for details + diff --git a/deprecated/terraform/azure/R8040-R81/high-availability-new-vnet/azure_public_key b/deprecated/terraform/azure/R8040-R81/high-availability-new-vnet/azure_public_key new file mode 100644 index 00000000..e69de29b diff --git a/deprecated/terraform/azure/R8040-R81/high-availability-new-vnet/cloud-init.sh b/deprecated/terraform/azure/R8040-R81/high-availability-new-vnet/cloud-init.sh new file mode 100644 index 00000000..0609bfcf --- /dev/null +++ b/deprecated/terraform/azure/R8040-R81/high-availability-new-vnet/cloud-init.sh @@ -0,0 +1,22 @@ +#!/usr/bin/python3 /etc/cloud_config.py + +installationType="${installation_type}" +allowUploadDownload="${allow_upload_download}" +osVersion="${os_version}" +templateName="${template_name}" +templateVersion="${template_version}" +templateType="${template_type}" +isBlink="${is_blink}" +bootstrapScript64="${bootstrap_script64}" +location="${location}" +sicKey="${sic_key}" +tenantId="${tenant_id}" +virtualNetwork="${virtual_network}" +clusterName="${cluster_name}" +externalPrivateAddresses="${external_private_addresses}" +customMetrics="${enable_custom_metrics}" +adminShell="${admin_shell}" +smart1CloudToken="${smart_1_cloud_token}" +Vips='[{"name": "cluster-vip", "privateIPAddress": "${external_private_addresses}", "publicIPAddress": "${cluster_name}"}]' +passwordHash="${serial_console_password_hash}" +MaintenanceModePassword="${maintenance_mode_password_hash}" diff --git a/deprecated/terraform/azure/R8040-R81/high-availability-new-vnet/main.tf b/deprecated/terraform/azure/R8040-R81/high-availability-new-vnet/main.tf new file mode 100644 index 00000000..56495095 --- /dev/null 
+++ b/deprecated/terraform/azure/R8040-R81/high-availability-new-vnet/main.tf 
@@ -0,0 +1,550 @@ +//********************** Providers **************************// +provider "azurerm" { + subscription_id = var.subscription_id + client_id = var.client_id + client_secret = var.client_secret + tenant_id = var.tenant_id + + features {} +} + +//********************** Basic Configuration **************************// +module "common" { + source = "../modules/common" + resource_group_name = var.resource_group_name + location = var.location + admin_password = var.admin_password + installation_type = var.installation_type + template_name = var.template_name + template_version = var.template_version + number_of_vm_instances = var.number_of_vm_instances + allow_upload_download = var.allow_upload_download + vm_size = var.vm_size + disk_size = var.disk_size + is_blink = var.is_blink + os_version = var.os_version + vm_os_sku = var.vm_os_sku + vm_os_offer = var.vm_os_offer + authentication_type = var.authentication_type + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash + storage_account_additional_ips = var.storage_account_additional_ips +} + +//********************** Networking **************************// +module "vnet" { + source = "../modules/vnet" + vnet_name = var.vnet_name + resource_group_name = module.common.resource_group_name + location = module.common.resource_group_location + nsg_id = var.nsg_id == "" ? module.network-security-group[0].network_security_group_id: var.nsg_id + address_space = var.address_space + subnet_prefixes = var.subnet_prefixes +} + +module "network-security-group" { + source = "../modules/network-security-group" + count = var.nsg_id == "" ? 
1 : 0 + resource_group_name = module.common.resource_group_name + security_group_name = "${module.common.resource_group_name}_nsg" + location = module.common.resource_group_location + security_rules = [ + { + name = "AllowAllInBound" + priority = "100" + direction = "Inbound" + access = "Allow" + protocol = "*" + source_port_ranges = "*" + destination_port_ranges = "*" + description = "Allow all inbound connections" + source_address_prefix = "*" + destination_address_prefix = "*" + } + ] +} + +resource "random_id" "random_id" { + byte_length = 13 + keepers = { + rg_id = module.common.resource_group_id + } +} + +resource "azurerm_public_ip_prefix" "public_ip_prefix" { + count = var.use_public_ip_prefix && var.create_public_ip_prefix ? 1 : 0 + name = "${module.common.resource_group_name}-ipprefix" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + prefix_length = 30 +} + +resource "azurerm_public_ip" "public-ip" { + count = 2 + name = "${var.cluster_name}${count.index+1}_IP" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + allocation_method = module.vnet.allocation_method + sku = var.sku + domain_name_label = "${lower(var.cluster_name)}-${count.index+1}-${random_id.random_id.hex}" + public_ip_prefix_id = var.use_public_ip_prefix ? (var.create_public_ip_prefix ? azurerm_public_ip_prefix.public_ip_prefix[0].id : var.existing_public_ip_prefix_id) : null +} + +resource "azurerm_public_ip" "cluster-vip" { + name = var.cluster_name + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + allocation_method = module.vnet.allocation_method + sku = var.sku + domain_name_label = "${lower(var.cluster_name)}-vip-${random_id.random_id.hex}" + public_ip_prefix_id = var.use_public_ip_prefix ? (var.create_public_ip_prefix ? 
azurerm_public_ip_prefix.public_ip_prefix[0].id : var.existing_public_ip_prefix_id) : null +} + +resource "azurerm_network_interface" "nic_vip" { + depends_on = [ + azurerm_public_ip.cluster-vip, + azurerm_public_ip.public-ip] + name = "${var.cluster_name}1-eth0" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + enable_ip_forwarding = true + enable_accelerated_networking = true + + ip_configuration { + name = "ipconfig1" + primary = true + subnet_id = module.vnet.vnet_subnets[0] + private_ip_address_allocation = module.vnet.allocation_method + private_ip_address = cidrhost(module.vnet.subnet_prefixes[0], 5) + public_ip_address_id = azurerm_public_ip.public-ip.0.id + } + ip_configuration { + name = "cluster-vip" + subnet_id = module.vnet.vnet_subnets[0] + primary = false + private_ip_address_allocation = module.vnet.allocation_method + private_ip_address = cidrhost(module.vnet.subnet_prefixes[0], 7) + public_ip_address_id = azurerm_public_ip.cluster-vip.id + } + lifecycle { + ignore_changes = [ + # Ignore changes to ip_configuration when Re-applying, e.g. because a cluster failover and associating the cluster- vip with the other member. + # updates these based on some ruleset managed elsewhere. 
+ ip_configuration + ] + } +} + +resource "azurerm_network_interface_backend_address_pool_association" "nic_vip_lb_association" { + depends_on = [azurerm_network_interface.nic_vip, azurerm_lb_backend_address_pool.frontend-lb-pool] + network_interface_id = azurerm_network_interface.nic_vip.id + ip_configuration_name = "ipconfig1" + backend_address_pool_id = azurerm_lb_backend_address_pool.frontend-lb-pool.id +} + +resource "azurerm_network_interface" "nic" { + depends_on = [ + azurerm_public_ip.public-ip, + azurerm_lb.frontend-lb] + name = "${var.cluster_name}2-eth0" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + enable_ip_forwarding = true + enable_accelerated_networking = true + + ip_configuration { + name = "ipconfig1" + primary = true + subnet_id = module.vnet.vnet_subnets[0] + private_ip_address_allocation = module.vnet.allocation_method + private_ip_address = cidrhost(module.vnet.subnet_prefixes[0], 6) + public_ip_address_id = azurerm_public_ip.public-ip.1.id + } + lifecycle { + ignore_changes = [ + # Ignore changes to ip_configuration when Re-applying, e.g. because a cluster failover and associating the cluster- vip with the other member. + # updates these based on some ruleset managed elsewhere. 
+ ip_configuration + ] + } +} + +resource "azurerm_network_interface_backend_address_pool_association" "nic_lb_association" { + depends_on = [azurerm_network_interface.nic, azurerm_lb_backend_address_pool.frontend-lb-pool] + network_interface_id = azurerm_network_interface.nic.id + ip_configuration_name = "ipconfig1" + backend_address_pool_id = azurerm_lb_backend_address_pool.frontend-lb-pool.id +} + +resource "azurerm_network_interface" "nic1" { + depends_on = [ + azurerm_lb.backend-lb] + count = 2 + name = "${var.cluster_name}${count.index+1}-eth1" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + enable_ip_forwarding = true + enable_accelerated_networking = true + + ip_configuration { + name = "ipconfig2" + subnet_id = module.vnet.vnet_subnets[1] + private_ip_address_allocation = module.vnet.allocation_method + private_ip_address = cidrhost(module.vnet.subnet_prefixes[1], count.index+5) + } +} + +resource "azurerm_network_interface_backend_address_pool_association" "nic1_lb_association" { + depends_on = [azurerm_network_interface.nic1, azurerm_lb_backend_address_pool.backend-lb-pool] + count = 2 + network_interface_id = azurerm_network_interface.nic1[count.index].id + ip_configuration_name = "ipconfig2" + backend_address_pool_id = azurerm_lb_backend_address_pool.backend-lb-pool.id +} + +//********************** Load Balancers **************************// +resource "azurerm_public_ip" "public-ip-lb" { + name = "frontend_lb_ip" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + allocation_method = module.vnet.allocation_method + sku = var.sku + domain_name_label = "${lower(var.cluster_name)}-${random_id.random_id.hex}" + public_ip_prefix_id = var.use_public_ip_prefix ? (var.create_public_ip_prefix ? 
azurerm_public_ip_prefix.public_ip_prefix[0].id : var.existing_public_ip_prefix_id) : null +} + +resource "azurerm_lb" "frontend-lb" { +// depends_on = [ +// azurerm_public_ip.public-ip-lb] + name = "frontend-lb" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + sku = var.sku + + frontend_ip_configuration { + name = "LoadBalancerFrontend" + public_ip_address_id = azurerm_public_ip.public-ip-lb.id + } +} + +resource "azurerm_lb_backend_address_pool" "frontend-lb-pool" { + loadbalancer_id = azurerm_lb.frontend-lb.id + name = "frontend-lb-pool" +} + +resource "azurerm_lb" "backend-lb" { + name = "backend-lb" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + sku = var.sku + frontend_ip_configuration { + name = "backend-lb" + subnet_id = module.vnet.vnet_subnets[1] + private_ip_address_allocation = module.vnet.allocation_method + private_ip_address = cidrhost(module.vnet.subnet_prefixes[1], 4) + } +} + +resource "azurerm_lb_backend_address_pool" "backend-lb-pool" { + name = "backend-lb-pool" + loadbalancer_id = azurerm_lb.backend-lb.id +} + +resource "azurerm_lb_probe" "azure_lb_healprob" { + count = 2 + loadbalancer_id = count.index == 0 ? 
azurerm_lb.frontend-lb.id : azurerm_lb.backend-lb.id + name = var.lb_probe_name + protocol = var.lb_probe_protocol + port = var.lb_probe_port + interval_in_seconds = var.lb_probe_interval + number_of_probes = var.lb_probe_unhealthy_threshold +} + +resource "azurerm_lb_rule" "backend_lb_rules" { + loadbalancer_id = azurerm_lb.backend-lb.id + name = "backend-lb" + protocol = "All" + frontend_port = 0 + backend_port = 0 + frontend_ip_configuration_name = "backend-lb" + load_distribution = "Default" + backend_address_pool_ids = [azurerm_lb_backend_address_pool.backend-lb-pool.id] + probe_id = azurerm_lb_probe.azure_lb_healprob[1].id + enable_floating_ip = var.enable_floating_ip +} + +//********************** Availability Set **************************// +locals { + availability_set_condition = var.availability_type == "Availability Set" ? true : false + SSH_authentication_type_condition = var.authentication_type == "SSH Public Key" ? true : false +} +resource "azurerm_availability_set" "availability-set" { + count = local.availability_set_condition ? 
1 : 0 + name = "${var.cluster_name}-AvailabilitySet" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + platform_fault_domain_count = 2 + platform_update_domain_count = 5 + managed = true +} + +//********************** Storage accounts **************************// +// Generate random text for a unique storage account name +resource "random_id" "randomId" { + keepers = { + # Generate a new ID only when a new resource group is defined + resource_group = module.common.resource_group_name + } + byte_length = 8 +} +resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { + name = "bootdiag${random_id.randomId.hex}" + resource_group_name = module.common.resource_group_name + location = module.common.resource_group_location + account_tier = module.common.storage_account_tier + account_replication_type = module.common.account_replication_type + network_rules { + default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow" + ip_rules = module.common.storage_account_ip_rules + } + blob_properties { + delete_retention_policy { + days = "15" + } + } +} + +//********************** Virtual Machines **************************// +locals { + custom_image_condition = var.source_image_vhd_uri == "noCustomUri" ? false : true +} + +resource "azurerm_image" "custom-image" { + count = local.custom_image_condition ? 1 : 0 + name = "custom-image" + location = var.location + resource_group_name = module.common.resource_group_name + + os_disk { + os_type = "Linux" + os_state = "Generalized" + blob_uri = var.source_image_vhd_uri + } +} +resource "azurerm_virtual_machine" "vm-instance-availability-set" { + depends_on = [ + azurerm_network_interface.nic, + azurerm_network_interface.nic1, + azurerm_network_interface.nic_vip] + count = local.availability_set_condition ? 
module.common.number_of_vm_instances : 0 + name = "${var.cluster_name}${count.index+1}" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + availability_set_id = local.availability_set_condition ? azurerm_availability_set.availability-set[0].id : "" + vm_size = module.common.vm_size + network_interface_ids = count.index == 0 ? [ + azurerm_network_interface.nic_vip.id, + azurerm_network_interface.nic1.0.id] : [ + azurerm_network_interface.nic.id, + azurerm_network_interface.nic1.1.id] + delete_os_disk_on_termination = module.common.delete_os_disk_on_termination + primary_network_interface_id = count.index == 0 ? azurerm_network_interface.nic_vip.id : azurerm_network_interface.nic.id + identity { + type = module.common.vm_instance_identity + } + storage_image_reference { + id = local.custom_image_condition ? azurerm_image.custom-image[0].id : null + publisher = local.custom_image_condition ? null : module.common.publisher + offer = module.common.vm_os_offer + sku = module.common.vm_os_sku + version = module.common.vm_os_version + } + + storage_os_disk { + name = "${var.cluster_name}-${count.index+1}" + create_option = module.common.storage_os_disk_create_option + caching = module.common.storage_os_disk_caching + managed_disk_type = module.common.storage_account_type + disk_size_gb = module.common.disk_size + } + + dynamic "plan" { + for_each = local.custom_image_condition ? 
[ + ] : [1] + content { + name = module.common.vm_os_sku + publisher = module.common.publisher + product = module.common.vm_os_offer + } + } + + os_profile { + computer_name = "${var.cluster_name}${count.index+1}" + admin_username = module.common.admin_username + admin_password = module.common.admin_password + custom_data = templatefile("${path.module}/cloud-init.sh", { + installation_type = module.common.installation_type + allow_upload_download = module.common.allow_upload_download + os_version = module.common.os_version + template_name = module.common.template_name + template_version = module.common.template_version + template_type = "terraform" + is_blink = module.common.is_blink + bootstrap_script64 = base64encode(var.bootstrap_script) + location = module.common.resource_group_location + sic_key = var.sic_key + tenant_id = var.tenant_id + virtual_network = module.vnet.vnet_name + cluster_name = var.cluster_name + external_private_addresses = azurerm_network_interface.nic_vip.ip_configuration[1].private_ip_address + enable_custom_metrics = var.enable_custom_metrics ? "yes" : "no" + admin_shell = var.admin_shell + smart_1_cloud_token = count.index == 0 ? var.smart_1_cloud_token_a : var.smart_1_cloud_token_b + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash + }) + } + + os_profile_linux_config { + disable_password_authentication = local.SSH_authentication_type_condition + + dynamic "ssh_keys" { + for_each = local.SSH_authentication_type_condition ? [ + 1] : [] + content { + path = "/home/notused/.ssh/authorized_keys" + key_data = file("${path.module}/azure_public_key") + } + } + } + + boot_diagnostics { + enabled = module.common.boot_diagnostics + storage_uri = module.common.boot_diagnostics ? 
join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : "" + } +} + +resource "azurerm_virtual_machine" "vm-instance-availability-zone" { + depends_on = [ + azurerm_network_interface.nic, + azurerm_network_interface.nic1, + azurerm_network_interface.nic_vip] + count = local.availability_set_condition ? 0 : module.common.number_of_vm_instances + name = "${var.cluster_name}${count.index+1}" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + zones = [ + count.index+1] + vm_size = module.common.vm_size + network_interface_ids = count.index == 0 ? [ + azurerm_network_interface.nic_vip.id, + azurerm_network_interface.nic1.0.id] : [ + azurerm_network_interface.nic.id, + azurerm_network_interface.nic1.1.id] + delete_os_disk_on_termination = module.common.delete_os_disk_on_termination + primary_network_interface_id = count.index == 0 ? azurerm_network_interface.nic_vip.id : azurerm_network_interface.nic.id + identity { + type = module.common.vm_instance_identity + } + storage_image_reference { + id = local.custom_image_condition ? azurerm_image.custom-image[0].id : null + publisher = local.custom_image_condition ? null : module.common.publisher + offer = module.common.vm_os_offer + sku = module.common.vm_os_sku + version = module.common.vm_os_version + } + + storage_os_disk { + name = "${var.cluster_name}-${count.index+1}" + create_option = module.common.storage_os_disk_create_option + caching = module.common.storage_os_disk_caching + managed_disk_type = module.common.storage_account_type + disk_size_gb = module.common.disk_size + } + + dynamic "plan" { + for_each = local.custom_image_condition ? 
[ + ] : [1] + content { + name = module.common.vm_os_sku + publisher = module.common.publisher + product = module.common.vm_os_offer + } + } + + os_profile { + computer_name = "${var.cluster_name}${count.index+1}" + admin_username = module.common.admin_username + admin_password = module.common.admin_password + custom_data = templatefile("${path.module}/cloud-init.sh", { + installation_type = module.common.installation_type + allow_upload_download = module.common.allow_upload_download + os_version = module.common.os_version + template_name = module.common.template_name + template_version = module.common.template_version + template_type = "terraform" + is_blink = module.common.is_blink + bootstrap_script64 = base64encode(var.bootstrap_script) + location = module.common.resource_group_location + sic_key = var.sic_key + tenant_id = var.tenant_id + virtual_network = module.vnet.vnet_name + cluster_name = var.cluster_name + external_private_addresses = cidrhost(module.vnet.subnet_prefixes[0], 7) + enable_custom_metrics = var.enable_custom_metrics ? "yes" : "no" + admin_shell = var.admin_shell + smart_1_cloud_token = count.index == 0 ? var.smart_1_cloud_token_a : var.smart_1_cloud_token_b + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash + }) + } + + os_profile_linux_config { + disable_password_authentication = local.SSH_authentication_type_condition + + dynamic "ssh_keys" { + for_each = local.SSH_authentication_type_condition ? [ + 1] : [] + content { + path = "/home/notused/.ssh/authorized_keys" + key_data = file("${path.module}/azure_public_key") + } + } + } + + boot_diagnostics { + enabled = module.common.boot_diagnostics + storage_uri = module.common.boot_diagnostics ? 
join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : "" + } +} +//********************** Role Assigments **************************// +data "azurerm_role_definition" "virtual_machine_contributor_role_definition" { + name = "Virtual Machine Contributor" +} +data "azurerm_role_definition" "reader_role_definition" { + name = "Reader" +} +data "azurerm_client_config" "client_config" { +} +resource "azurerm_role_assignment" "cluster_virtual_machine_contributor_assignment" { + count = 2 + lifecycle { + ignore_changes = [ + role_definition_id, principal_id + ] + } + scope = module.common.resource_group_id + role_definition_id = data.azurerm_role_definition.virtual_machine_contributor_role_definition.id + principal_id = local.availability_set_condition ? lookup(azurerm_virtual_machine.vm-instance-availability-set[count.index].identity[0], "principal_id") : lookup(azurerm_virtual_machine.vm-instance-availability-zone[count.index].identity[0], "principal_id") +} +resource "azurerm_role_assignment" "cluster_reader_assigment" { + count = 2 + lifecycle { + ignore_changes = [ + role_definition_id, principal_id + ] + } + scope = module.common.resource_group_id + role_definition_id = data.azurerm_role_definition.reader_role_definition.id + principal_id = local.availability_set_condition ? lookup(azurerm_virtual_machine.vm-instance-availability-set[count.index].identity[0], "principal_id") : lookup(azurerm_virtual_machine.vm-instance-availability-zone[count.index].identity[0], "principal_id") +} \ No newline at end of file diff --git a/deprecated/terraform/azure/R8040-R81/high-availability-new-vnet/terraform.tfvars b/deprecated/terraform/azure/R8040-R81/high-availability-new-vnet/terraform.tfvars new file mode 100644 index 00000000..7cd8490e --- /dev/null +++ b/deprecated/terraform/azure/R8040-R81/high-availability-new-vnet/terraform.tfvars 
@@ -0,0 +1,36 @@
+//#PLEASE refer to the README.md for accepted values FOR THE VARIABLES BELOW
+client_secret = "PLEASE ENTER CLIENT SECRET" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+client_id = "PLEASE ENTER CLIENT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+tenant_id = "PLEASE ENTER TENANT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+subscription_id = "PLEASE ENTER SUBSCRIPTION ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+source_image_vhd_uri = "PLEASE ENTER SOURCE IMAGE VHD URI OR noCustomUri" # "noCustomUri"
+resource_group_name = "PLEASE ENTER RESOURCE GROUP NAME" # "checkpoint-ha-terraform"
+cluster_name = "PLEASE ENTER CLUSTER NAME" # "checkpoint-ha-terraform"
+location = "PLEASE ENTER LOCATION" # "eastus"
+vnet_name = "PLEASE ENTER VIRTUAL NETWORK NAME" # "checkpoint-ha-vnet"
+address_space = "PLEASE ENTER VIRTUAL NETWORK ADDRESS SPACE" # "10.0.0.0/16"
+subnet_prefixes = "PLEASE ENTER ADDRESS PREFIXES FOR SUBNETS" # ["10.0.1.0/24","10.0.2.0/24"]
+admin_password = "PLEASE ENTER ADMIN PASSWORD" # "xxxxxxxxxxxx"
+smart_1_cloud_token_a = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL" # ""
+smart_1_cloud_token_b = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL" # ""
+sic_key = "PLEASE ENTER SIC KEY" # "xxxxxxxxxxxx"
+vm_size = "PLEASE ENTER VM SIZE" # "Standard_D3_v2"
+disk_size = "PLEASE ENTER DISK SIZE" # "110"
+vm_os_sku = "PLEASE ENTER VM SKU" # "sg-byol"
+vm_os_offer = "PLEASE ENTER VM OFFER" # "check-point-cg-r8110"
+os_version = "PLEASE ENTER GAIA OS VERSION" # "R8110"
+bootstrap_script = "PLEASE ENTER CUSTOM SCRIPT OR LEAVE EMPTY DOUBLE QUOTES" # "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
+allow_upload_download = "PLEASE ENTER true or false" # true
+authentication_type = "PLEASE ENTER AUTHENTICATION TYPE" # "Password"
+availability_type = "PLEASE ENTER AVAILABILITY TYPE" # "Availability Zone"
+enable_custom_metrics = "PLEASE ENTER true or false" # true
+enable_floating_ip = "PLEASE ENTER true or false" # false
+use_public_ip_prefix = "PLEASE ENTER true or false" # false
+create_public_ip_prefix = "PLEASE ENTER true or false" # false
+existing_public_ip_prefix_id = "PLEASE ENTER IP PREFIX RESOURCE ID" # ""
+admin_shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh"
+serial_console_password_hash = "PLEASE ENTER SERIAL CONSOLE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+nsg_id = "PLEASE ENTER NETWORK SECURITY GROUP ID" # ""
+add_storage_account_ip_rules = "PLEASE ENTER true or false" # false
+storage_account_additional_ips = "PLEASE ENTER A LIST OF VALID IPS/CIDRS" # []
\ No newline at end of file
diff --git a/deprecated/terraform/azure/R8040-R81/high-availability-new-vnet/variables.tf b/deprecated/terraform/azure/R8040-R81/high-availability-new-vnet/variables.tf
new file mode 100644
index 00000000..6bb79338
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/high-availability-new-vnet/variables.tf
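Review bot: This file is committed under the exact name Terraform loads automatically (`terraform.tfvars`), so once a user replaces the placeholders for `client_secret`, `admin_password`, `sic_key`, the two Smart-1 Cloud tokens and the password hashes, a routine `git add` commits live credentials into the repository. The same commit adds a `.gitignore`, but its contents are not visible in this hunk, so I cannot confirm it excludes `*.tfvars`. Consider shipping the template as `terraform.tfvars.example` (or listing `terraform.tfvars` in `.gitignore`) and keeping the credential values in `TF_VAR_*` environment variables or a secret store, as the README for the sibling module already suggests for the Service Principal fields. The placeholders for `bool` and `list(string)` variables are plain strings (`"PLEASE ENTER true or false"`, `"PLEASE ENTER A LIST OF VALID IPS/CIDRS"`), which will fail type-checking rather than prompt the user; a one-line header comment such as `# bool/list values must be written unquoted, e.g. enable_floating_ip = false` would save a confusing first run.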
@@ -0,0 +1,328 @@ +//********************** Basic Configuration Variables **************************// +variable "cluster_name" { + description = "Cluster name" + type = string +} + +variable "resource_group_name" { + description = "Azure Resource Group name to build into" + type = string +} + +variable "location" { + description = "The location/region where resources will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions" + type = string +} + +//********************** Virtual Machine Instances Variables **************************// +variable "availability_type" { + description = "Specifies whether to deploy the solution based on Azure Availability Set or based on Azure Availability Zone." + type = string + default = "Availability Zone" +} + +locals { // locals for 'availability_type' allowed values + availability_type_allowed_values = [ + "Availability Zone", + "Availability Set" + ] + // will fail if [var.availability_type] is invalid: + validate_availability_type_value = index(local.availability_type_allowed_values, var.availability_type) +} + +variable "source_image_vhd_uri" { + type = string + description = "The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images." + default = "noCustomUri" +} + +variable "admin_username" { + description = "Administrator username of deployed VM. Due to Azure limitations 'notused' name can be used" + default = "notused" +} + +variable "admin_password" { + description = "Administrator password of deployed Virtual Macine. 
The password must meet the complexity requirements of Azure" + type = string +} + +variable "serial_console_password_hash" { + description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type" + type = string +} + +variable "maintenance_mode_password_hash" { + description = "Maintenance mode password hash, relevant only for R81.20 and higher versions" + type = string +} + +variable "smart_1_cloud_token_a" { + description = "Smart-1 Cloud Token, for configuring member A" + type = string +} + +variable "smart_1_cloud_token_b" { + description = "Smart-1 Cloud Token, for configuring member B" + type = string +} + +variable "sic_key" { + description = "Secure Internal Communication(SIC) key" + type = string +} +resource "null_resource" "sic_key_invalid" { + count = length(var.sic_key) >= 12 ? 0 : "SIC key must be at least 12 characters long" +} + +variable "template_name" { + description = "Template name. Should be defined according to deployment type(ha, vmss)" + type = string + default = "ha_terraform" +} + +variable "template_version" { + description = "Template version. It is reccomended to always use the latest template version" + type = string + default = "20230910" +} + +variable "installation_type" { + description = "Installaiton type" + type = string + default = "cluster" +} + +variable "number_of_vm_instances" { + description = "Number of VM instances to deploy " + type = string + default = "2" +} + +variable "vm_size" { + description = "Specifies size of Virtual Machine" + type = string +} + +variable "disk_size" { + description = "Storage data disk size size(GB). 
Select a number between 100 and 3995" + type = string +} + +variable "os_version" { + description = "GAIA OS version" + type = string +} + +locals { // locals for 'vm_os_offer' allowed values + os_version_allowed_values = [ + "R8040", + "R81", + "R8110", + "R8120" + ] + // will fail if [var.os_version] is invalid: + validate_os_version_value = index(local.os_version_allowed_values, var.os_version) +} + +variable "vm_os_sku" { + description = "The sku of the image to be deployed." + type = string +} + +variable "vm_os_offer" { + description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8040, check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" + type = string +} + +locals { // locals for 'vm_os_offer' allowed values + vm_os_offer_allowed_values = [ + "check-point-cg-r8040", + "check-point-cg-r81", + "check-point-cg-r8110", + "check-point-cg-r8120" + ] + // will fail if [var.vm_os_offer] is invalid: + validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer) +} + +variable "authentication_type" { + description = "Specifies whether a password authentication or SSH Public Key authentication should be used" + type = string +} +locals { // locals for 'authentication_type' allowed values + authentication_type_allowed_values = [ + "Password", + "SSH Public Key" + ] + // will fail if [var.authentication_type] is invalid: + validate_authentication_type_value = index(local.authentication_type_allowed_values, var.authentication_type) +} + +variable "allow_upload_download" { + description = "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point" + type = bool +} + +variable "is_blink" { + description = "Define if blink image is used for deployment" + default = true +} + +variable "admin_shell" { + description = "The admin shell to configure on machine or the first time" + type = string + default = "/etc/cli.sh" +} + +locals { + admin_shell_allowed_values = [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh" + ] + // Will fail if [var.admin_shell] is invalid + validate_admin_shell_value = index(local.admin_shell_allowed_values, var.admin_shell) +} + +//********************** Natworking Variables **************************// +variable "vnet_name" { + description = "Virtual Network name" + type = string +} + +variable "address_space" { + description = "The address space that is used by a Virtual Network." + type = string + default = "10.0.0.0/16" +} + +variable "subnet_prefixes" { + description = "Address prefix to be used for netwok subnets" + type = list(string) + default = [ + "10.0.0.0/24", + "10.0.1.0/24"] +} + +variable "lb_probe_name" { + description = "Name to be used for lb health probe" + default = "health_prob_port" +} + +variable "lb_probe_port" { + description = "Port to be used for load balancer health probes and rules" + default = "8117" +} + +variable "lb_probe_protocol" { + description = "Protocols to be used for load balancer health probes and rules" + default = "Tcp" +} + +variable "lb_probe_unhealthy_threshold" { + description = "Number of times load balancer health probe has an unsuccessful attempt before considering the endpoint unhealthy." 
+ default = 2 +} + +variable "lb_probe_interval" { + description = "Interval in seconds load balancer health probe rule perfoms a check" + default = 5 +} + +variable "bootstrap_script" { + description = "An optional script to run on the initial boot" + #example: + #"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" +} + +variable "nsg_id" { + description = "NSG ID - Optional - if empty use default NSG" + default = "" +} + +variable "add_storage_account_ip_rules" { + type = bool + default = false + description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location" +} + +variable "storage_account_additional_ips" { + type = list(string) + description = "IPs/CIDRs that are allowed access to the Storage Account" + default = [] +} +//********************** Credentials **************************// + +variable "tenant_id" { + description = "Tenant ID" + type = string +} + +variable "subscription_id" { + description = "Subscription ID" + type = string +} + +variable "client_id" { + description = "Aplication ID(Client ID)" + type = string +} + +variable "client_secret" { + description = "A secret string that the application uses to prove its identity when requesting a token. Also can be referred to as application password." + type = string +} + +variable "sku" { + description = "SKU" + type = string + default = "Standard" +} + +variable "enable_custom_metrics" { + description = "Indicates whether CloudGuard Metrics will be use for Cluster members monitoring." + type = bool + default = true +} + +variable "enable_floating_ip" { + description = "Indicates whether the load balancers will be deployed with floating IP." + type = bool + default = false +} + +variable "use_public_ip_prefix" { + description = "Indicates whether the public IP resources will be deployed with public IP prefix." 
+ type = bool + default = false +} + +variable "create_public_ip_prefix" { + description = "Indicates whether the public IP prefix will created or an existing will be used." + type = bool + default = false +} + +variable "existing_public_ip_prefix_id" { + description = "The existing public IP prefix resource id." + type = string + default = "" +} + +locals{ + # Validate both s1c tokens are used or both empty + is_both_tokens_used = length(var.smart_1_cloud_token_a) > 0 == length(var.smart_1_cloud_token_b) > 0 + validation_message_both = "To connect to Smart-1 Cloud, you must provide two tokens (one per member)" + _ = regex("^$", (local.is_both_tokens_used ? "" : local.validation_message_both)) + + is_tokens_used = length(var.smart_1_cloud_token_a) > 0 + # Validate both s1c tokens are unqiue + token_parts_a = split(" ",var.smart_1_cloud_token_a) + token_parts_b = split(" ",var.smart_1_cloud_token_b) + acutal_token_a = local.token_parts_a[length(local.token_parts_a) - 1] + acutal_token_b = local.token_parts_b[length(local.token_parts_b) - 1] + is_both_tokens_the_same = local.acutal_token_a == local.acutal_token_b + validation_message_unique = "Same Smart-1 Cloud token used for both memeber, you must provide unique token for each member" + __ = local.is_tokens_used ? regex("^$", (local.is_both_tokens_the_same ? local.validation_message_unique : "")) : "" +} \ No newline at end of file diff --git a/deprecated/terraform/azure/R8040-R81/high-availability-new-vnet/versions.tf b/deprecated/terraform/azure/R8040-R81/high-availability-new-vnet/versions.tf new file mode 100644 index 00000000..0d5ca4f3 --- /dev/null +++ b/deprecated/terraform/azure/R8040-R81/high-availability-new-vnet/versions.tf @@ -0,0 +1,12 @@ +terraform { + required_version = ">= 0.14.3" + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = "~> 3.81.0" + } + random = { + version = "~> 3.5.1" + } + } +} \ No newline at end of file 
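Review bot: None of the secret-bearing variables in this hunk (`client_secret`, `admin_password`, `sic_key`, `smart_1_cloud_token_a`/`_b`, `serial_console_password_hash`, `maintenance_mode_password_hash`) is declared with `sensitive = true`, so their values are echoed in `terraform plan`/`apply` output and in any CI log that captures it; `versions.tf` in this same commit pins `required_version = ">= 0.14.3"`, which supports that argument, so adding `sensitive = true` to each of them is a one-line change per variable. Doing so would, as far as I recall, also require replacing the `null_resource.sic_key_invalid` `count` hack, since `count` cannot be derived from a sensitive value. The allowed-value checks implemented as `locals` with `index(...)` (for `availability_type`, `os_version`, `vm_os_offer`, `authentication_type`, `admin_shell`) and the `regex("^$", ...)` tricks for the Smart-1 tokens fail with generic function errors instead of the intended message; a `validation { condition = contains(local.os_version_allowed_values, var.os_version) error_message = "..." }` block inside each `variable` gives the same enforcement with a readable message on the Terraform version this commit already requires. `number_of_vm_instances` and `disk_size` are `type = string` although they appear to be consumed as numbers downstream; `type = number` would reject non-numeric input at plan time.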
diff --git a/deprecated/terraform/azure/R8040-R81/management-existing-vnet/README.md b/deprecated/terraform/azure/R8040-R81/management-existing-vnet/README.md new file mode 100644 index 00000000..3ab73dbd --- /dev/null +++ b/deprecated/terraform/azure/R8040-R81/management-existing-vnet/README.md @@ -0,0 +1,189 @@ +# Check Point CloudGuard IaaS Management Terraform deployment for Azure + +This Terraform module deploys Check Point CloudGuard IaaS Management solution into an existing Vnet in Azure. +As part of the deployment the following resources are created: +- Resource group +- Network security group +- Virtual Machine +- System assigned identity + +This solution uses the following modules: +- /terraform/azure/modules/common - used for creating a resource group and defining common variables. +- /terraform/azure/modules/network-security-group - used for creating new network security groups and rules. + + +## Configurations +- Install and configure Terraform to provision Azure resources: [Configure Terraform for Azure](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/terraform-install-configure) +- In order to use ssh connection to VMs, it is **required** to add a public key to the /terraform/azure/management-existing-vnet/azure_public_key file. + +## Usage +- Choose the preferred login method to Azure in order to deploy the solution: +
1. Using Service Principal: + - Create a [Service Principal](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal) (or use the existing one) + - Grant the Service Principal at least "**Managed Application Contributor**", "**Storage Account Contributor**", "**Network Contributor**", "**Virtual Machine Contributor**" permissions to the Azure subscription
+ - The Service Principal credentials can be stored either in the terraform.tfvars or as [Environment Variables](https://www.terraform.io/docs/providers/azuread/guides/service_principal_client_secret.html)
+ + In case the Environment Variables are used, perform modifications described below:
+ + a. The next lines in the main.tf file, in the provider azurerm resource, need to be deleted or commented: + + provider "azurerm" { + + // subscription_id = var.subscription_id + // client_id = var.client_id + // client_secret = var.client_secret + // tenant_id = var.tenant_id + + features {} + } + + b. In the terraform.tfvars file leave empty double quotes for client_secret, client_id , tenant_id and subscription_id variables: + + client_secret = "" + client_id = "" + tenant_id = "" + subscription_id = "" + +
2. Using **az** commands from a command-line: + - Run **az login** command + - Sign in with your account credentials in the browser + - [Accept Azure Marketplace image terms](https://docs.microsoft.com/en-us/cli/azure/vm/image/terms?view=azure-cli-latest) by running: +
**az vm image terms accept --urn publisher:offer:sku:version**, where: + - publisher = checkpoint; + - offer = vm_os_offer (see accepted values in the table below); + - sku = vm_os_sku (see accepted values in the table below); + - version = latest
+
Example:
+ az vm image terms accept --urn checkpoint:check-point-cg-r8040:sg-byol:latest + + - In the terraform.tfvars file leave empty double quotes for client_secret, client_id and tenant_id variables. + +- Fill all variables in the /terraform/azure/management-existing-vnet/terraform.tfvars file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + + terraform init +- Create an execution plan: + + terraform plan +- Create or modify the deployment: + + terraform apply + +### terraform.tfvars variables: + | Name | Description | Type | Allowed values | Default | + | ------------- | ------------- | ------------- | ------------- | ------------- | + | **client_secret** | The client secret of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **client_id** | The client ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | | n/a + | | | | | | + | **source_image_vhd_uri** | The URI of the blob containing the development image. 
Please use noCustomUri if you want to use marketplace images | string | | "noCustomUri" + | | | | | | + | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | n/a + | | | | | | + | **mgmt_name** | Management name | string | | n/a + | | | | | | + | **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | n/a + | | | | | | + | **vnet_name** | Virtual Network name | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | n/a + | | | | | | + | **vnet_resource_group** | Resource Group of the existing virtual network | string | The exact name of the existing vnet's resource group | n/a + | | | | | | + | **management_subnet_name** | Management subnet name | string | The exact name of the existing subnet | n/a + | | | | | | + | **subnet_1st_Address** | The first available address of the subnet | string | | n/a + | | | | | | + | **management_GUI_client_network** | Allowed GUI clients - GUI clients network CIDR | string | | n/a + | | | | | | + | **mgmt_enable_api** | Enable api access to the management | string | - "all";
- "management_only";
- "gui_clients"
- "disable"; | "disable" + | | | | | | + | **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | n/a + | | | | | | + | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | n/a + | | | | | | + | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | n/a + | | | | | | + | 
**vm_os_sku** | A sku of the image to be deployed | string | "mgmt-byol" - BYOL license;
"mgmt-25" - PAYG; | n/a + | | | | | | + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | | | | | | + | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120";| n/a + | | | | | | + | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | "" + | | | | | | + | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | n/a + | | | | | | + | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | n/a + | | | | | | + | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | "/etc/cli.sh" + | | | | | | + | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here | string | | n/a + | | | | | | + | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | | n/a + | | | | | | + | **nsg_id** | Optional ID for a Network Security Group that already exists in Azure, if not provided, will create a default NSG | string | Existing NSG resource ID | "" + | | | | | | + | **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false; | false + | | | | | | + | **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs | [] + + +## Example + client_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + client_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + tenant_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + subscription_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + source_image_vhd_uri = "noCustomUri" + resource_group_name = "checkpoint-mgmt-terraform" + mgmt_name = "checkpoint-mgmt-terraform" + location = "eastus" + vnet_name = "checkpoint-mgmt-vnet" + vnet_resource_group = "existing-vnet" + management_subnet_name = "mgmt-subnet" + subnet_1st_Address = "10.0.1.4" + management_GUI_client_network = "0.0.0.0/0" + mgmt_enable_api = "disable" + admin_password = "xxxxxxxxxxxx" + vm_size = "Standard_D3_v2" + disk_size = "110" + vm_os_sku = "mgmt-byol" + vm_os_offer = "check-point-cg-r8110" + os_version = "R8110" + bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" + allow_upload_download = true + authentication_type = "Password" + admin_shell = "/etc/cli.sh" + serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + nsg_id = "" + add_storage_account_ip_rules = false + storage_account_additional_ips = [] + + +## Revision History +In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +| ---------------- | ------------- | +| 20240613 | - Updated Azure Terraform provider version
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Updated Public IP sku to Standard
- Added validation for os_version & os_offer | +| | | | +| 20230910 | - R81.20 is the default version | +| | | | +| 20221124 | - Added R81.20 support
- Upgraded azurerm provider | +| | | | +| 20220111 | - Added support to select different shells | +| | | | +| 20210309 | - Add "source_image_vhd_uri" variable for using a custom development image | +| | | | +| 20210111 | First release of Check Point CloudGuard IaaS Management Terraform deployment into an existing Vnet in Azure | +| | | | +| | Addition of "templateType" parameter to "cloud-version" files | +| | | | + +## License + +See the [LICENSE](../../LICENSE) file for details + diff --git a/deprecated/terraform/azure/R8040-R81/management-existing-vnet/azure_public_key b/deprecated/terraform/azure/R8040-R81/management-existing-vnet/azure_public_key new file mode 100644 index 00000000..e69de29b diff --git a/deprecated/terraform/azure/R8040-R81/management-existing-vnet/cloud-init.sh b/deprecated/terraform/azure/R8040-R81/management-existing-vnet/cloud-init.sh new file mode 100644 index 00000000..4639554e --- /dev/null +++ b/deprecated/terraform/azure/R8040-R81/management-existing-vnet/cloud-init.sh @@ -0,0 +1,16 @@ +#!/usr/bin/python3 /etc/cloud_config.py + +installationType="${installation_type}" +allowUploadDownload="${allow_upload_download}" +osVersion="${os_version}" +templateName="${template_name}" +templateVersion="${template_version}" +templateType="${template_type}" +isBlink="${is_blink}" +bootstrapScript64="${bootstrap_script64}" +location="${location}" +managementGUIClientNetwork="${management_GUI_client_network}" +enableApi="${enable_api}" +adminShell="${admin_shell}" +passwordHash="${serial_console_password_hash}" +MaintenanceModePassword="${maintenance_mode_password_hash}" diff --git a/deprecated/terraform/azure/R8040-R81/management-existing-vnet/main.tf b/deprecated/terraform/azure/R8040-R81/management-existing-vnet/main.tf new file mode 100644 index 00000000..7b0d1ffe --- /dev/null +++ b/deprecated/terraform/azure/R8040-R81/management-existing-vnet/main.tf 
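Review bot: In `cloud-init.sh` the template values are spliced into the generated file as bare `"${...}"` strings with no escaping, so a value containing a double quote or a newline (a `serial_console_password_hash` or `maintenance_mode_password_hash` pasted with surrounding quotes, for instance) would corrupt the file that `/etc/cloud_config.py` parses at first boot rather than fail at plan time. `bootstrap_script` already avoids this by being passed as `bootstrap_script64`; if `/etc/cloud_config.py` accepts the same encoding for the hash fields they could be passed the same way, otherwise a `validation` block on the hash variables rejecting `"` and newlines would give an early, readable error. The mixed key styles (`passwordHash` versus `MaintenanceModePassword`) look dictated by the consumer, so a header comment such as `# key names are fixed by /etc/cloud_config.py; do not rename` would stop a future cleanup from breaking boot configuration.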
@@ -0,0 +1,312 @@ +//********************** Providers **************************// +provider "azurerm" { + subscription_id = var.subscription_id + client_id = var.client_id + client_secret = var.client_secret + tenant_id = var.tenant_id + + features {} +} + +//********************** Basic Configuration **************************// +module "common" { + source = "../modules/common" + resource_group_name = var.resource_group_name + location = var.location + admin_password = var.admin_password + installation_type = var.installation_type + template_name = var.template_name + template_version = var.template_version + number_of_vm_instances = 1 + allow_upload_download = var.allow_upload_download + vm_size = var.vm_size + disk_size = var.disk_size + is_blink = false + os_version = var.os_version + vm_os_sku = var.vm_os_sku + vm_os_offer = var.vm_os_offer + authentication_type = var.authentication_type + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash + storage_account_additional_ips = var.storage_account_additional_ips +} + +//********************** Networking **************************// +data "azurerm_subnet" "mgmt_subnet" { + name = var.management_subnet_name + virtual_network_name = var.vnet_name + resource_group_name = var.vnet_resource_group +} + +resource "azurerm_public_ip" "public-ip" { + name = var.mgmt_name + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + allocation_method = var.vnet_allocation_method + sku = var.sku + idle_timeout_in_minutes = 30 + domain_name_label = join("", [ + lower(var.mgmt_name), + "-", + random_id.randomId.hex]) +} + +module "network-security-group" { + source = "../modules/network-security-group" + count = var.nsg_id == "" ? 
1 : 0 + resource_group_name = module.common.resource_group_name + security_group_name = "${module.common.resource_group_name}-nsg" + location = module.common.resource_group_location + security_rules = [ + { + name = "SSH" + priority = "100" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "22" + description = "Allow inbound SSH connection" + source_address_prefix = var.management_GUI_client_network + destination_address_prefix = "*" + }, + { + name = "GAiA-portal" + priority = "110" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "443" + description = "Allow inbound HTTPS access to the GAiA portal" + source_address_prefix = var.management_GUI_client_network + destination_address_prefix = "*" + }, + { + name = "SmartConsole-1" + priority = "120" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "18190" + description = "Allow inbound access using the SmartConsole GUI client" + source_address_prefix = var.management_GUI_client_network + destination_address_prefix = "*" + }, + { + name = "SmartConsole-2" + priority = "130" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "19009" + description = "Allow inbound access using the SmartConsole GUI client" + source_address_prefix = var.management_GUI_client_network + destination_address_prefix = "*" + }, + { + name = "Logs" + priority = "140" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "257" + description = "Allow inbound logging connections from managed gateways" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + { + name = "ICA-pull" + priority = "150" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + 
destination_port_ranges = "18210" + description = "Allow security gateways to pull a SIC certificate" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + { + name = "CRL-fetch" + priority = "160" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "18264" + description = "Allow security gateways to fetch CRLs" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + { + name = "Policy-fetch" + priority = "170" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "18191" + description = "Allow security gateways to fetch policy" + source_address_prefix = "*" + destination_address_prefix = "*" + } + ] +} + +resource "azurerm_network_interface_security_group_association" "security_group_association" { + depends_on = [azurerm_network_interface.nic] + network_interface_id = azurerm_network_interface.nic.id + network_security_group_id = var.nsg_id == "" ? 
module.network-security-group[0].network_security_group_id: var.nsg_id +} + +resource "azurerm_network_interface" "nic" { + depends_on = [ + azurerm_public_ip.public-ip] + name = "${var.mgmt_name}-eth0" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + enable_ip_forwarding = false + + ip_configuration { + name = "ipconfig1" + subnet_id = data.azurerm_subnet.mgmt_subnet.id + private_ip_address_allocation = var.vnet_allocation_method + private_ip_address = var.subnet_1st_Address + public_ip_address_id = azurerm_public_ip.public-ip.id + } +} + +//********************** Storage accounts **************************// +// Generate random text for a unique storage account name +resource "random_id" "randomId" { + keepers = { + # Generate a new ID only when a new resource group is defined + resource_group = module.common.resource_group_name + } + byte_length = 8 +} +resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { + name = "bootdiag${random_id.randomId.hex}" + resource_group_name = module.common.resource_group_name + location = module.common.resource_group_location + account_tier = module.common.storage_account_tier + account_replication_type = module.common.account_replication_type + account_kind = "Storage" + network_rules { + default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow" + ip_rules = module.common.storage_account_ip_rules + } + blob_properties { + delete_retention_policy { + days = "15" + } + } + +} + +//********************** Virtual Machines **************************// +locals { + SSH_authentication_type_condition = var.authentication_type == "SSH Public Key" ? true : false + custom_image_condition = var.source_image_vhd_uri == "noCustomUri" ? false : true +} + +resource "azurerm_image" "custom-image" { + count = local.custom_image_condition ? 
1 : 0 + name = "custom-image" + location = var.location + resource_group_name = module.common.resource_group_name + + os_disk { + os_type = "Linux" + os_state = "Generalized" + blob_uri = var.source_image_vhd_uri + } +} + +resource "azurerm_virtual_machine" "mgmt-vm-instance" { + depends_on = [ + azurerm_network_interface.nic] + location = module.common.resource_group_location + name = var.mgmt_name + network_interface_ids = [ + azurerm_network_interface.nic.id] + resource_group_name = module.common.resource_group_name + vm_size = module.common.vm_size + delete_os_disk_on_termination = module.common.delete_os_disk_on_termination + primary_network_interface_id = azurerm_network_interface.nic.id + + identity { + type = module.common.vm_instance_identity + } + + dynamic "plan" { + for_each = local.custom_image_condition ? [ + ] : [1] + content { + name = module.common.vm_os_sku + publisher = module.common.publisher + product = module.common.vm_os_offer + } + } + + boot_diagnostics { + enabled = module.common.boot_diagnostics + storage_uri = module.common.boot_diagnostics ? 
join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : "" + } + + os_profile { + computer_name = var.mgmt_name + admin_username = module.common.admin_username + admin_password = module.common.admin_password + custom_data = templatefile("${path.module}/cloud-init.sh", { + installation_type = module.common.installation_type + allow_upload_download = module.common.allow_upload_download + os_version = module.common.os_version + template_name = module.common.template_name + template_version = module.common.template_version + template_type = "terraform" + is_blink = module.common.is_blink + bootstrap_script64 = base64encode(var.bootstrap_script) + location = module.common.resource_group_location + management_GUI_client_network = var.management_GUI_client_network + enable_api = var.mgmt_enable_api + admin_shell = var.admin_shell + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash + }) + } + + + os_profile_linux_config { + disable_password_authentication = local.SSH_authentication_type_condition + + dynamic "ssh_keys" { + for_each = local.SSH_authentication_type_condition ? [ + 1] : [] + content { + path = "/home/notused/.ssh/authorized_keys" + key_data = file("${path.module}/azure_public_key") + } + } + } + + storage_image_reference { + id = local.custom_image_condition ? azurerm_image.custom-image[0].id : null + publisher = local.custom_image_condition ? null : module.common.publisher + offer = module.common.vm_os_offer + sku = module.common.vm_os_sku + version = module.common.vm_os_version + } + + storage_os_disk { + name = var.mgmt_name + create_option = module.common.storage_os_disk_create_option + caching = module.common.storage_os_disk_caching + managed_disk_type = module.common.storage_account_type + disk_size_gb = module.common.disk_size + } +} \ No newline at end of file 
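Review bot: The `Logs`, `ICA-pull`, `CRL-fetch` and `Policy-fetch` NSG rules (ports 257, 18210, 18264, 18191) use `source_address_prefix = "*"`, and the NIC they are associated with carries `azurerm_public_ip.public-ip`, so those management services are reachable from any Internet address even though the SSH, 443 and SmartConsole rules are scoped to `var.management_GUI_client_network`. Managed gateways deployed into an existing VNet have a known address range, so a new variable (say `gateways_network`, with `default = "*"` to preserve today's behaviour) wired into those four rules as `source_address_prefix = var.gateways_network` would let operators close this off without editing the module. Separately, `network_rules { default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow" }` leaves the boot-diagnostics storage account open to all networks under the default `false`; either default to `Deny` or document the trade-off in a comment next to the block.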
diff --git a/deprecated/terraform/azure/R8040-R81/management-existing-vnet/terraform.tfvars b/deprecated/terraform/azure/R8040-R81/management-existing-vnet/terraform.tfvars
new file mode 100644
index 00000000..ea2f8f7e
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/management-existing-vnet/terraform.tfvars
@@ -0,0 +1,30 @@
+#PLEASE refer to the README.md for accepted values FOR THE VARIABLES BELOW
+client_secret = "PLEASE ENTER CLIENT SECRET" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+client_id = "PLEASE ENTER CLIENT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+tenant_id = "PLEASE ENTER TENANT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+subscription_id = "PLEASE ENTER SUBSCRIPTION ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+source_image_vhd_uri = "PLEASE ENTER SOURCE IMAGE VHD URI OR noCustomUri" # "noCustomUri"
+resource_group_name = "PLEASE ENTER RESOURCE GROUP NAME" # "checkpoint-mgmt-terraform"
+mgmt_name = "PLEASE ENTER MANAGEMENT NAME" # "checkpoint-mgmt-terraform"
+location = "PLEASE ENTER LOCATION" # "eastus"
+vnet_name = "PLEASE ENTER VIRTUAL NETWORK NAME" # "checkpoint-mgmt-vnet"
+vnet_resource_group = "PLEASE ENTER VIRTUAL NETWORK'S RESOURCE GROUP NAME" # "existing-vnet"
+management_subnet_name = "PLEASE ENTER MGMT SUBNET NAME" # "mgmt-subnet"
+subnet_1st_Address = "PLEASE ENTER AVAILABLE ADDRESS OF THE SUBNET" # "10.0.1.4"
+management_GUI_client_network = "PLEASE ENTER A MANAGEMENT GUI CLIENT NETWORK" # "0.0.0.0/0"
+mgmt_enable_api = "PLEASE ENTER FOR WHOM TO ENABLE API ACCESS OR disable" # "disable"
+admin_password = "PLEASE ENTER ADMIN PASSWORD" # "xxxxxxxxxxxx"
+vm_size = "PLEASE ENTER VM SIZE" # "Standard_D3_v2"
+disk_size = "PLEASE ENTER DISK SIZE" # "110"
+vm_os_sku = "PLEASE ENTER VM SKU" # "mgmt-byol"
+vm_os_offer = "PLEASE ENTER VM OFFER" # "check-point-cg-r8110"
+os_version = "PLEASE ENTER GAIA OS VERSION" # "R8110"
+bootstrap_script = "PLEASE ENTER CUSTOM SCRIPT OR LEAVE EMPTY DOUBLE QUOTES" # "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
+allow_upload_download = "PLEASE ENTER true or false" # true
+authentication_type = "PLEASE ENTER AUTHENTICATION TYPE" # "Password"
+admin_shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh"
+serial_console_password_hash = "PLEASE ENTER SERIAL CONSOLE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+nsg_id = "PLEASE ENTER NETWORK SECURITY GROUP ID" # ""
+add_storage_account_ip_rules = "PLEASE ENTER true or false" # false
+storage_account_additional_ips = "PLEASE ENTER A LIST OF VALID IPS/CIDRS" # []
\ No newline at end of file
diff --git a/deprecated/terraform/azure/R8040-R81/management-existing-vnet/variables.tf b/deprecated/terraform/azure/R8040-R81/management-existing-vnet/variables.tf
new file mode 100644
index 00000000..6030652b
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/management-existing-vnet/variables.tf
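Review bot: `client_secret = "PLEASE ENTER CLIENT SECRET"` and `admin_password = "PLEASE ENTER ADMIN PASSWORD"` invite operators to write live credentials into a file that is itself committed in this patch, where a later `git commit -a` would publish them; the README for this template already describes the environment-variable alternative for the Service Principal, so a header comment such as `# Prefer environment variables (e.g. TF_VAR_client_secret, TF_VAR_admin_password) over storing secrets in this tracked file` would make the safer path the default. The example value `# "0.0.0.0/0"` on `management_GUI_client_network` is also the one value that, combined with the NSG rules in main.tf, opens SSH, 443 and the SmartConsole ports on the public IP to the whole Internet; an illustrative narrow range like `# "203.0.113.0/24"` would avoid being copied verbatim.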
@@ -0,0 +1,251 @@ +//********************** Basic Configuration Variables **************************// +variable "mgmt_name" { + description = "Management name" + type = string +} + +variable "resource_group_name" { + description = "Azure Resource Group name to build into" + type = string +} + +variable "location" { + description = "The location/region where resource will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions" + type = string +} + +//********************** Virtual Machine Instances Variables **************************// +variable "source_image_vhd_uri" { + type = string + description = "The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images." + default = "noCustomUri" +} + +variable "admin_username" { + description = "Administrator username of deployed VM. Due to Azure limitations 'notused' name can be used" + default = "notused" +} + +variable "admin_password" { + description = "Administrator password of deployed Virtual Machine. 
The password must meet the complexity requirements of Azure" + type = string +} + +variable "serial_console_password_hash" { + description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type" + type = string +} + +variable "maintenance_mode_password_hash" { + description = "Maintenance mode password hash, relevant only for R81.20 and higher versions" + type = string +} + +variable "authentication_type" { + description = "Specifies whether a password authentication or SSH Public Key authentication should be used" + type = string +} +locals { // locals for 'authentication_type' allowed values + authentication_type_allowed_values = [ + "Password", + "SSH Public Key" + ] + // will fail if [var.authentication_type] is invalid: + validate_authentication_type_value = index(local.authentication_type_allowed_values, var.authentication_type) +} + +variable "template_name" { + description = "Template name. Should be defined according to deployment type(mgmt, ha, vmss)" + type = string + default = "mgmt_terraform" +} + +variable "template_version" { + description = "Template version. It is recommended to always use the latest template version" + type = string + default = "20230910" +} + +variable "installation_type" { + description = "Installation type" + type = string + default = "management" +} + +variable "vm_size" { + description = "Specifies size of Virtual Machine" + type = string +} + +variable "disk_size" { + description = "Storage data disk size size(GB). 
Select a number between 100 and 3995" + type = string +} + +variable "os_version" { + description = "GAIA OS version" + type = string +} + +locals { // locals for 'vm_os_offer' allowed values + os_version_allowed_values = [ + "R8040", + "R81", + "R8110", + "R8120" + ] + // will fail if [var.os_version] is invalid: + validate_os_version_value = index(local.os_version_allowed_values, var.os_version) +} + +variable "vm_os_sku" { + description = "The sku of the image to be deployed." + type = string +} + +variable "vm_os_offer" { + description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8040, check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" + type = string +} + +locals { // locals for 'vm_os_offer' allowed values + vm_os_offer_allowed_values = [ + "check-point-cg-r8040", + "check-point-cg-r81", + "check-point-cg-r8110", + "check-point-cg-r8120", + ] + // will fail if [var.vm_os_offer] is invalid: + validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer) +} + +variable "allow_upload_download" { + description = "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point" + type = bool +} + +variable "admin_shell" { + description = "The admin shell to configure on machine or the first time" + type = string + default = "/etc/cli.sh" +} + +locals { + admin_shell_allowed_values = [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh" + ] + // Will fail if [var.admin_shell] is invalid + validate_admin_shell_value = index(local.admin_shell_allowed_values, var.admin_shell) +} + +//********************** Networking Variables **************************// +variable "vnet_name" { + description = "Virtual Network name" + type = string +} + +variable "management_subnet_name" { + description = "management subnet name" + type = string +} + +variable "subnet_1st_Address" { + description = "The first available address of the subnet" + type = string +} + +variable "vnet_resource_group" { + description = "Resource group of existing vnet" + type = string +} + +variable "vnet_allocation_method" { + description = "IP address allocation method" + type = string + default = "Static" +} + +variable "management_GUI_client_network" { + description = "Allowed GUI clients - GUI clients network CIDR" + type = string +} + +variable "mgmt_enable_api" { + description = "Enable api access to the management. allowed values: all, management_only, gui_clients, disable" + type = string + default = "disable" +} + +locals { + regex_valid_management_GUI_client_network = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))$" + // Will fail if var.management_GUI_client_network is invalid + regex_management_GUI_client_network = regex(local.regex_valid_management_GUI_client_network, var.management_GUI_client_network) == var.management_GUI_client_network ? 0 : "Variable [management_GUI_client_network] must be a valid IPv4 network CIDR." 
+ + mgmt_enable_api_allowed_values = [ + "disable", + "all", + "management_only", + "gui_clients" + ] + // will fail if [var.mgmt_enable_api] is invalid: + validate_mgmt_enable_api_value = index(local.mgmt_enable_api_allowed_values, var.mgmt_enable_api) + + regex_valid_subnet_1st_Address = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$" + // Will fail if var.subnet_1st_Address is invalid + regex_subnet_1st_Address = regex(local.regex_valid_subnet_1st_Address, var.subnet_1st_Address) == var.subnet_1st_Address ? 0 : "Variable [subnet_1st_Address] must be a valid address." +} + +variable "bootstrap_script" { + description = "An optional script to run on the initial boot" + default = "" + type = string + #example: + #"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" +} + +variable "nsg_id" { + description = "NSG ID - Optional - if empty use default NSG" + default = "" +} + +variable "add_storage_account_ip_rules" { + type = bool + default = false + description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location" +} + +variable "storage_account_additional_ips" { + type = list(string) + description = "IPs/CIDRs that are allowed access to the Storage Account" + default = [] +} +//********************** Credentials **************************// + +variable "tenant_id" { + description = "Tenant ID" + type = string +} + +variable "subscription_id" { + description = "Subscription ID" + type = string +} + +variable "client_id" { + description = "Application ID(Client ID)" + type = string +} + +variable "client_secret" { + description = "A secret string that the application uses to prove its identity when requesting a token. Also can be referred to as application password." + type = string +} + +variable "sku" { + description = "SKU" + type = string + default = "Standard" +} 
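Review bot: `client_secret`, `admin_password`, `serial_console_password_hash` and `maintenance_mode_password_hash` are declared without `sensitive = true`, so their values are echoed in `terraform plan`/`apply` output and any CI log that captures it; versions.tf in this patch pins `required_version = ">= 0.14.3"`, which supports the attribute, so adding `sensitive = true` to each of those four variable blocks is a one-line change per block (the values still land in state, which should be protected separately). `serial_console_password_hash` is also described as an "Optional parameter" yet has no `default`, so Terraform requires a value; `default = ""` would match the description, assuming the consuming /etc/cloud_config.py tolerates an empty hash, which is not visible here. The `index(local.…_allowed_values, var.x)` idiom used in the `locals` blocks works but fails with an opaque "invalid index" message; `validation { condition = contains(local.…_allowed_values, var.x) error_message = "…" }` blocks, available since Terraform 0.13, would show operators the allowed values instead.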
diff --git a/deprecated/terraform/azure/R8040-R81/management-existing-vnet/versions.tf b/deprecated/terraform/azure/R8040-R81/management-existing-vnet/versions.tf new file mode 100644 index 00000000..0d5ca4f3 --- /dev/null +++ b/deprecated/terraform/azure/R8040-R81/management-existing-vnet/versions.tf @@ -0,0 +1,12 @@ +terraform { + required_version = ">= 0.14.3" + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = "~> 3.81.0" + } + random = { + version = "~> 3.5.1" + } + } +} \ No newline at end of file diff --git a/deprecated/terraform/azure/R8040-R81/management-new-vnet/README.md b/deprecated/terraform/azure/R8040-R81/management-new-vnet/README.md new file mode 100644 index 00000000..f744dccc --- /dev/null +++ b/deprecated/terraform/azure/R8040-R81/management-new-vnet/README.md @@ -0,0 +1,187 @@ +# Check Point CloudGuard IaaS Management Terraform deployment for Azure + +This Terraform module deploys Check Point CloudGuard IaaS Management solution into a new Vnet in Azure. +As part of the deployment the following resources are created: +- Resource group +- Virtual network +- Network security group +- Virtual Machine +- System assigned identity + +This solution uses the following modules: +- /terraform/azure/modules/common - used for creating a resource group and defining common variables. +- /terraform/azure/modules/vnet - used for creating new virtual network and subnets. +- /terraform/azure/modules/network-security-group - used for creating new network security groups and rules. + + +## Configurations +- Install and configure Terraform to provision Azure resources: [Configure Terraform for Azure](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/terraform-install-configure) +- In order to use ssh connection to VMs, it is **required** to add a public key to the /terraform/azure/management-new-vnet/azure_public_key file. + +## Usage +- Choose the preferred login method to Azure in order to deploy the solution: +
1. Using Service Principal: + - Create a [Service Principal](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal) (or use the existing one) + - Grant the Service Principal at least "**Managed Application Contributor**", "**Storage Account Contributor**", "**Network Contributor**", "**Virtual Machine Contributor**" permissions to the Azure subscription
+ - The Service Principal credentials can be stored either in the terraform.tfvars or as [Environment Variables](https://www.terraform.io/docs/providers/azuread/guides/service_principal_client_secret.html)
+ + In case the Environment Variables are used, perform modifications described below:
+ + a. The next lines in the main.tf file, in the provider azurerm resource, need to be deleted or commented: + + provider "azurerm" { + + // subscription_id = var.subscription_id + // client_id = var.client_id + // client_secret = var.client_secret + // tenant_id = var.tenant_id + + features {} + } + + b. In the terraform.tfvars file leave empty double quotes for client_secret, client_id , tenant_id and subscription_id variables: + + client_secret = "" + client_id = "" + tenant_id = "" + subscription_id = "" + +
2. Using **az** commands from a command-line: + - Run **az login** command + - Sign in with your account credentials in the browser + - [Accept Azure Marketplace image terms](https://docs.microsoft.com/en-us/cli/azure/vm/image/terms?view=azure-cli-latest) by running: +
**az vm image terms accept --urn publisher:offer:sku:version**, where: + - publisher = checkpoint; + - offer = vm_os_offer (see accepted values in the table below); + - sku = vm_os_sku (see accepted values in the table below); + - version = latest
+
Example:
+ az vm image terms accept --urn checkpoint:check-point-cg-r8040:sg-byol:latest + + - In the terraform.tfvars file leave empty double quotes for client_secret, client_id and tenant_id variables. + +- Fill all variables in the /terraform/azure/management-new-vnet/terraform.tfvars file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + + terraform init +- Create an execution plan: + + terraform plan +- Create or modify the deployment: + + terraform apply + +### terraform.tfvars variables: + | Name | Description | Type | Allowed values | Default | + | ------------- | ------------- | ------------- | ------------- | ------------- | + | **client_secret** | The client secret of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **client_id** | The client ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | | n/a + | | | | | | + | **source_image_vhd_uri** | The URI of the blob containing the development image. 
Please use noCustomUri if you want to use marketplace images | string | | "noCustomUri" + | | | | | | + | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | n/a + | | | | | | + | **mgmt_name** | Management name | string | | n/a + | | | | | | + | **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | n/a + | | | | | | + | **vnet_name** | The name of virtual network that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | n/a + | | | | | | + | **address_space** | The address space that is used by a Virtual Network | string | A valid address in CIDR notation | "10.0.0.0/16" + | | | | | | + | **subnet_prefix** | Address prefix to be used for network subnet | string | A valid address in CIDR notation | "10.0.0.0/24" + | | | | | | + | **management_GUI_client_network** | Allowed GUI clients - GUI clients network CIDR | string | | n/a + | | | | | | + | **mgmt_enable_api** | Enable api access to the management | string | - "all";
- "management_only";
- "gui_clients"
- "disable"; | "disable" + | | | | | | + | **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | n/a + | | | | | | + | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | n/a + | | | | | | + | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | n/a + | | | | | | + | 
**vm_os_sku** | A sku of the image to be deployed | string | "mgmt-byol" - BYOL license;
"mgmt-25" - PAYG; | n/a + | | | | | | + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | | | | | | + | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120";| n/a + | | | | | | + | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | "" + | | | | | | + | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | n/a + | | | | | | + | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | n/a + | | | | | | + | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | "/etc/cli.sh" + | | | | | | + | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here | string | | n/a + | | | | | | + | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | | n/a + | | | | | | + | **nsg_id** | Optional ID for a Network Security Group that already exists in Azure, if not provided, will create a default NSG | string | Existing NSG resource ID | "" + | | | | | | + | **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false; | false + | | | | | | + | **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs | [] + + +## Example + client_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + client_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + tenant_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + subscription_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + source_image_vhd_uri = "noCustomUri" + resource_group_name = "checkpoint-mgmt-terraform" + mgmt_name = "checkpoint-mgmt-terraform" + location = "eastus" + vnet_name = "checkpoint-mgmt-vnet" + address_space = "10.0.0.0/16" + subnet_prefix = "10.0.0.0/24" + management_GUI_client_network = "0.0.0.0/0" + mgmt_enable_api = "disable" + admin_password = "xxxxxxxxxxxx" + vm_size = "Standard_D3_v2" + disk_size = "110" + vm_os_sku = "mgmt-byol" + vm_os_offer = "check-point-cg-r8110" + os_version = "R8110" + bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" + allow_upload_download = true + authentication_type = "Password" + admin_shell = "/etc/cli.sh" + serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + nsg_id = "" + add_storage_account_ip_rules = false + storage_account_additional_ips = [] + +## Revision History +In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +| ---------------- | ------------- | +| 20240613 | - Updated Azure Terraform provider version
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Updated Public IP sku to Standard
- Added validation for os_version & os_offer | +| | | | +| 20230910 | - R81.20 is the default version | +| | | | +| 20221124 | - Added R81.20 support
- Upgraded azurerm provider | +| | | | +| 20220111 | - Added support to select different shells | +| | | | +| 20210309 | - Add "source_image_vhd_uri" variable for using a custom development image | +| | | | +| 20210111 | First release of Check Point CloudGuard IaaS Management Terraform deployment into a new Vnet in Azure | +| | | | +| | Addition of "templateType" parameter to "cloud-version" files | +| | | | + +## License + +See the [LICENSE](../../LICENSE) file for details + diff --git a/deprecated/terraform/azure/R8040-R81/management-new-vnet/azure_public_key b/deprecated/terraform/azure/R8040-R81/management-new-vnet/azure_public_key new file mode 100644 index 00000000..e69de29b diff --git a/deprecated/terraform/azure/R8040-R81/management-new-vnet/cloud-init.sh b/deprecated/terraform/azure/R8040-R81/management-new-vnet/cloud-init.sh new file mode 100644 index 00000000..4639554e --- /dev/null +++ b/deprecated/terraform/azure/R8040-R81/management-new-vnet/cloud-init.sh @@ -0,0 +1,16 @@ +#!/usr/bin/python3 /etc/cloud_config.py + +installationType="${installation_type}" +allowUploadDownload="${allow_upload_download}" +osVersion="${os_version}" +templateName="${template_name}" +templateVersion="${template_version}" +templateType="${template_type}" +isBlink="${is_blink}" +bootstrapScript64="${bootstrap_script64}" +location="${location}" +managementGUIClientNetwork="${management_GUI_client_network}" +enableApi="${enable_api}" +adminShell="${admin_shell}" +passwordHash="${serial_console_password_hash}" +MaintenanceModePassword="${maintenance_mode_password_hash}" diff --git a/deprecated/terraform/azure/R8040-R81/management-new-vnet/main.tf b/deprecated/terraform/azure/R8040-R81/management-new-vnet/main.tf new file mode 100644 index 00000000..969a62cc --- /dev/null +++ b/deprecated/terraform/azure/R8040-R81/management-new-vnet/main.tf 
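Review bot: This cloud-init.sh is byte-identical to the one added under management-existing-vnet in the same patch (both carry `index 00000000..4639554e`), as is the empty `azure_public_key` (`e69de29b`), so any future change to how `passwordHash` or `MaintenanceModePassword` is emitted has to be made in two places and can silently drift. The file is only consumed through `templatefile("${path.module}/cloud-init.sh", …)`, so it could live once under `../modules/common`, which both main.tf files already `source`, and be referenced by that path from each deployment. The shebang `#!/usr/bin/python3 /etc/cloud_config.py` also deserves a one-line comment stating that this file is data for that script, not an executable, since the `.sh` extension suggests otherwise.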
@@ -0,0 +1,316 @@ +//********************** Providers **************************// +provider "azurerm" { + subscription_id = var.subscription_id + client_id = var.client_id + client_secret = var.client_secret + tenant_id = var.tenant_id + + features {} +} + +//********************** Basic Configuration **************************// +module "common" { + source = "../modules/common" + resource_group_name = var.resource_group_name + location = var.location + admin_password = var.admin_password + installation_type = var.installation_type + template_name = var.template_name + template_version = var.template_version + number_of_vm_instances = 1 + allow_upload_download = var.allow_upload_download + vm_size = var.vm_size + disk_size = var.disk_size + is_blink = false + os_version = var.os_version + vm_os_sku = var.vm_os_sku + vm_os_offer = var.vm_os_offer + authentication_type = var.authentication_type + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash + storage_account_additional_ips = var.storage_account_additional_ips +} + +//********************** Networking **************************// +module "vnet" { + source = "../modules/vnet" + + vnet_name = var.vnet_name + resource_group_name = module.common.resource_group_name + location = module.common.resource_group_location + address_space = var.address_space + subnet_prefixes = [var.subnet_prefix] + subnet_names = ["${var.mgmt_name}-subnet"] + nsg_id = var.nsg_id == "" ? module.network-security-group[0].network_security_group_id: var.nsg_id +} + +module "network-security-group" { + source = "../modules/network-security-group" + count = var.nsg_id == "" ? 
1 : 0 + resource_group_name = module.common.resource_group_name + security_group_name = "${module.common.resource_group_name}-nsg" + location = module.common.resource_group_location + security_rules = [ + { + name = "SSH" + priority = "100" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "22" + description = "Allow inbound SSH connection" + source_address_prefix = var.management_GUI_client_network + destination_address_prefix = "*" + }, + { + name = "GAiA-portal" + priority = "110" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "443" + description = "Allow inbound HTTPS access to the GAiA portal" + source_address_prefix = var.management_GUI_client_network + destination_address_prefix = "*" + }, + { + name = "SmartConsole-1" + priority = "120" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "18190" + description = "Allow inbound access using the SmartConsole GUI client" + source_address_prefix = var.management_GUI_client_network + destination_address_prefix = "*" + }, + { + name = "SmartConsole-2" + priority = "130" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "19009" + description = "Allow inbound access using the SmartConsole GUI client" + source_address_prefix = var.management_GUI_client_network + destination_address_prefix = "*" + }, + { + name = "Logs" + priority = "140" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "257" + description = "Allow inbound logging connections from managed gateways" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + { + name = "ICA-pull" + priority = "150" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + 
destination_port_ranges = "18210" + description = "Allow security gateways to pull a SIC certificate" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + { + name = "CRL-fetch" + priority = "160" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "18264" + description = "Allow security gateways to fetch CRLs" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + { + name = "Policy-fetch" + priority = "170" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "18191" + description = "Allow security gateways to fetch policy" + source_address_prefix = "*" + destination_address_prefix = "*" + } + ] +} + +resource "azurerm_public_ip" "public-ip" { + name = var.mgmt_name + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + allocation_method = var.vnet_allocation_method + sku = var.sku + idle_timeout_in_minutes = 30 + domain_name_label = join("", [ + lower(var.mgmt_name), + "-", + random_id.randomId.hex]) +} + +resource "azurerm_network_interface_security_group_association" "security_group_association" { + depends_on = [azurerm_network_interface.nic, module.network-security-group] + network_interface_id = azurerm_network_interface.nic.id + network_security_group_id = var.nsg_id == "" ? 
module.network-security-group[0].network_security_group_id: var.nsg_id +} + +resource "azurerm_network_interface" "nic" { + depends_on = [ + azurerm_public_ip.public-ip] + name = "${var.mgmt_name}-eth0" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + enable_ip_forwarding = false + + ip_configuration { + name = "ipconfig1" + subnet_id = module.vnet.vnet_subnets[0] + private_ip_address_allocation = var.vnet_allocation_method + private_ip_address = cidrhost(var.subnet_prefix, 4) + public_ip_address_id = azurerm_public_ip.public-ip.id + } +} + +//********************** Storage accounts **************************// +// Generate random text for a unique storage account name +resource "random_id" "randomId" { + keepers = { + # Generate a new ID only when a new resource group is defined + resource_group = module.common.resource_group_name + } + byte_length = 8 +} +resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { + name = "bootdiag${random_id.randomId.hex}" + resource_group_name = module.common.resource_group_name + location = module.common.resource_group_location + account_tier = module.common.storage_account_tier + account_replication_type = module.common.account_replication_type + account_kind = "Storage" + network_rules { + default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow" + ip_rules = module.common.storage_account_ip_rules + } + blob_properties { + delete_retention_policy { + days = "15" + } + } +} + +//********************** Virtual Machines **************************// +locals { + SSH_authentication_type_condition = var.authentication_type == "SSH Public Key" ? true : false + custom_image_condition = var.source_image_vhd_uri == "noCustomUri" ? false : true +} + +resource "azurerm_image" "custom-image" { + count = local.custom_image_condition ? 
1 : 0 + name = "custom-image" + location = var.location + resource_group_name = module.common.resource_group_name + + os_disk { + os_type = "Linux" + os_state = "Generalized" + blob_uri = var.source_image_vhd_uri + } +} + +resource "azurerm_virtual_machine" "mgmt-vm-instance" { + depends_on = [ + azurerm_network_interface.nic] + location = module.common.resource_group_location + name = var.mgmt_name + network_interface_ids = [ + azurerm_network_interface.nic.id] + resource_group_name = module.common.resource_group_name + vm_size = module.common.vm_size + delete_os_disk_on_termination = module.common.delete_os_disk_on_termination + primary_network_interface_id = azurerm_network_interface.nic.id + + identity { + type = module.common.vm_instance_identity + } + + dynamic "plan" { + for_each = local.custom_image_condition ? [ + ] : [1] + content { + name = module.common.vm_os_sku + publisher = module.common.publisher + product = module.common.vm_os_offer + } + } + + boot_diagnostics { + enabled = module.common.boot_diagnostics + storage_uri = module.common.boot_diagnostics ? 
join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : "" + } + + os_profile { + computer_name = var.mgmt_name + admin_username = module.common.admin_username + admin_password = module.common.admin_password + custom_data = templatefile("${path.module}/cloud-init.sh", { + installation_type = module.common.installation_type + allow_upload_download = module.common.allow_upload_download + os_version = module.common.os_version + template_name = module.common.template_name + template_version = module.common.template_version + template_type = "terraform" + is_blink = module.common.is_blink + bootstrap_script64 = base64encode(var.bootstrap_script) + location = module.common.resource_group_location + management_GUI_client_network = var.management_GUI_client_network + enable_api = var.mgmt_enable_api + admin_shell = var.admin_shell + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash + }) + } + + os_profile_linux_config { + disable_password_authentication = local.SSH_authentication_type_condition + + dynamic "ssh_keys" { + for_each = local.SSH_authentication_type_condition ? [ + 1] : [] + content { + path = "/home/notused/.ssh/authorized_keys" + key_data = file("${path.module}/azure_public_key") + } + } + } + + storage_image_reference { + id = local.custom_image_condition ? azurerm_image.custom-image[0].id : null + publisher = local.custom_image_condition ? null : module.common.publisher + offer = module.common.vm_os_offer + sku = module.common.vm_os_sku + version = module.common.vm_os_version + } + + storage_os_disk { + name = var.mgmt_name + create_option = module.common.storage_os_disk_create_option + caching = module.common.storage_os_disk_caching + managed_disk_type = module.common.storage_account_type + disk_size_gb = module.common.disk_size + } +} 
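Review bot: The NSG rules `Logs` (257), `ICA-pull` (18210), `CRL-fetch` (18264) and `Policy-fetch` (18191) in `module "network-security-group"` use `source_address_prefix = "*"`, so on a management server whose NIC gets `azurerm_public_ip.public-ip` these SIC/logging ports are reachable from any Internet source, while SSH (22), the GAiA portal (443) and the SmartConsole ports are at least scoped to `var.management_GUI_client_network`. Managed gateways are the only intended clients of those four ports, so a `gateways_network` variable (default `"*"` to preserve current behaviour) used as `source_address_prefix = var.gateways_network` in the four rules would let operators confine them to the gateways' address ranges. Separately, `key_data = file("${path.module}/azure_public_key")` reads a file this commit appears to add empty (blob `e69de29b`), so selecting "SSH Public Key" without editing it surfaces only as an apply-time error; a plan-time non-empty check (a `precondition`, which needs Terraform 1.2+ rather than the `>= 0.14.3` pin, or the `index()`-style local trick already used in variables.tf) would fail fast instead.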
diff --git a/deprecated/terraform/azure/R8040-R81/management-new-vnet/terraform.tfvars b/deprecated/terraform/azure/R8040-R81/management-new-vnet/terraform.tfvars
new file mode 100644
index 00000000..163314eb
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/management-new-vnet/terraform.tfvars
@@ -0,0 +1,29 @@
+#PLEASE refer to the README.md for accepted values FOR THE VARIABLES BELOW
+client_secret = "PLEASE ENTER CLIENT SECRET" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+client_id = "PLEASE ENTER CLIENT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+tenant_id = "PLEASE ENTER TENANT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+subscription_id = "PLEASE ENTER SUBSCRIPTION ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+source_image_vhd_uri = "PLEASE ENTER SOURCE IMAGE VHD URI OR noCustomUri" # "noCustomUri"
+resource_group_name = "PLEASE ENTER RESOURCE GROUP NAME" # "checkpoint-mgmt-terraform"
+mgmt_name = "PLEASE ENTER MANAGEMENT NAME" # "checkpoint-mgmt-terraform"
+location = "PLEASE ENTER LOCATION" # "eastus"
+vnet_name = "PLEASE ENTER VIRTUAL NETWORK NAME" # "checkpoint-mgmt-vnet"
+address_space = "PLEASE ENTER VIRTUAL NETWORK ADDRESS SPACE" # "10.0.0.0/16"
+subnet_prefix = "PLEASE ENTER ADDRESS PREFIX FOR SUBNET" # "10.0.0.0/24"
+management_GUI_client_network = "PLEASE ENTER A MANAGEMENT GUI CLIENT NETWORK" # "0.0.0.0/0"
+mgmt_enable_api = "PLEASE ENTER FOR WHOM TO ENABLE API ACCESS OR disable" # "disable"
+admin_password = "PLEASE ENTER ADMIN PASSWORD" # "xxxxxxxxxxxx"
+vm_size = "PLEASE ENTER VM SIZE" # "Standard_D3_v2"
+disk_size = "PLEASE ENTER DISK SIZE" # "110"
+vm_os_sku = "PLEASE ENTER VM SKU" # "mgmt-byol"
+vm_os_offer = "PLEASE ENTER VM OFFER" # "check-point-cg-r8110"
+os_version = "PLEASE ENTER GAIA OS VERSION" # "R8110"
+bootstrap_script = "PLEASE ENTER CUSTOM SCRIPT OR LEAVE EMPTY DOUBLE QUOTES" # "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
+allow_upload_download = "PLEASE ENTER true or false" # true
+authentication_type = "PLEASE ENTER AUTHENTICATION TYPE" # "Password"
+admin_shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh"
+serial_console_password_hash = "PLEASE ENTER SERIAL CONSOLE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+nsg_id = "PLEASE ENTER NETWORK SECURITY GROUP ID" # ""
+add_storage_account_ip_rules = "PLEASE ENTER true or false" # false
+storage_account_additional_ips = "PLEASE ENTER A LIST OF VALID IPS/CIDRS" # []
\ No newline at end of file
diff --git a/deprecated/terraform/azure/R8040-R81/management-new-vnet/variables.tf b/deprecated/terraform/azure/R8040-R81/management-new-vnet/variables.tf
new file mode 100644
index 00000000..63839bd0
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/management-new-vnet/variables.tf
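Review bot: The example value for `management_GUI_client_network` is `# "0.0.0.0/0"`, which, when copied as-is, opens SSH (22), the GAiA portal (443) and the SmartConsole ports (18190/19009) of the default NSG in main.tf to the entire Internet on a VM that receives a public IP; a placeholder such as `# "203.0.113.0/24" (your admin network; do not use 0.0.0.0/0)` would steer operators toward a restricted CIDR. This file also expects `client_secret`, `admin_password` and the two password hashes as plaintext values in `terraform.tfvars`, a file that is routinely committed; the companion README already describes the environment-variable route for the service principal, and the same `TF_VAR_admin_password` mechanism keeps the password off disk, so a comment here pointing to it would help. I cannot see the repository `.gitignore` in this chunk, so whether a filled-in tfvars is excluded from commits is unverified.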
@@ -0,0 +1,249 @@ +//********************** Basic Configuration Variables **************************// +variable "mgmt_name" { + description = "Management name" + type = string +} + +variable "resource_group_name" { + description = "Azure Resource Group name to build into" + type = string +} + +variable "location" { + description = "The location/region where resource will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions" + type = string +} + +//********************** Virtual Machine Instances Variables **************************// +variable "source_image_vhd_uri" { + type = string + description = "The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images." + default = "noCustomUri" +} + +variable "admin_username" { + description = "Administrator username of deployed VM. Due to Azure limitations 'notused' name can be used" + default = "notused" +} + +variable "admin_password" { + description = "Administrator password of deployed Virtual Macine. 
The password must meet the complexity requirements of Azure" + type = string +} + +variable "serial_console_password_hash" { + description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type" + type = string +} + +variable "maintenance_mode_password_hash" { + description = "Maintenance mode password hash, relevant only for R81.20 and higher versions" + type = string +} + +variable "authentication_type" { + description = "Specifies whether a password authentication or SSH Public Key authentication should be used" + type = string +} +locals { // locals for 'authentication_type' allowed values + authentication_type_allowed_values = [ + "Password", + "SSH Public Key" + ] + // will fail if [var.authentication_type] is invalid: + validate_authentication_type_value = index(local.authentication_type_allowed_values, var.authentication_type) +} +variable "template_name" { + description = "Template name. Should be defined according to deployment type(mgmt, ha, vmss)" + type = string + default = "mgmt_terraform" +} + +variable "template_version" { + description = "Template version. It is reccomended to always use the latest template version" + type = string + default = "20230910" +} + +variable "installation_type" { + description = "Installaiton type" + type = string + default = "management" +} + +variable "vm_size" { + description = "Specifies size of Virtual Machine" + type = string +} + +variable "disk_size" { + description = "Storage data disk size size(GB). 
Select a number between 100 and 3995" + type = string +} + +variable "os_version" { + description = "GAIA OS version" + type = string +} + +locals { // locals for 'vm_os_offer' allowed values + os_version_allowed_values = [ + "R8040", + "R81", + "R8110", + "R8120", + ] + // will fail if [var.os_version] is invalid: + validate_os_version_value = index(local.os_version_allowed_values, var.os_version) +} + +variable "vm_os_sku" { + description = "The sku of the image to be deployed." + type = string +} + +variable "vm_os_offer" { + description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8040, check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" + type = string +} + +locals { // locals for 'vm_os_offer' allowed values + vm_os_offer_allowed_values = [ + "check-point-cg-r8040", + "check-point-cg-r81", + "check-point-cg-r8110", + "check-point-cg-r8120" + ] + // will fail if [var.vm_os_offer] is invalid: + validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer) +} + +variable "allow_upload_download" { + description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + type = bool +} + +variable "admin_shell" { + description = "The admin shell to configure on machine or the first time" + type = string + default = "/etc/cli.sh" +} + +locals { + admin_shell_allowed_values = [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh" + ] + // Will fail if [var.admin_shell] is invalid + validate_admin_shell_value = index(local.admin_shell_allowed_values, var.admin_shell) +} + +//********************** Natworking Variables **************************// +variable "vnet_name" { + description = "Virtual Network name" + type = string +} + +variable "address_space" { + description = "The address space that is used by a Virtual Network." 
+ type = string + default = "10.0.0.0/16" +} + +variable "subnet_prefix" { + description = "Address prefix to be used for network subnet" + type = string + default = "10.0.0.0/24" +} + +variable "vnet_allocation_method" { + description = "IP address allocation method" + type = string + default = "Static" +} + +variable "management_GUI_client_network" { + description = "Allowed GUI clients - GUI clients network CIDR" + type = string +} + +variable "mgmt_enable_api" { + description = "Enable api access to the management. allowed values: all, management_only, gui_clients, disable" + type = string + default = "disable" +} + +locals { + regex_valid_management_GUI_client_network = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))$" + // Will fail if var.management_GUI_client_network is invalid + regex_management_GUI_client_network = regex(local.regex_valid_management_GUI_client_network, var.management_GUI_client_network) == var.management_GUI_client_network ? 0 : "Variable [management_GUI_client_network] must be a valid IPv4 network CIDR." + + mgmt_enable_api_allowed_values = [ + "disable", + "all", + "management_only", + "gui_clients" + ] + // will fail if [var.mgmt_enable_api] is invalid: + validate_mgmt_enable_api_value = index(local.mgmt_enable_api_allowed_values, var.mgmt_enable_api) + + regex_valid_network_cidr = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))|$" + // Will fail if var.address_space is invalid + regex_address_space = regex(local.regex_valid_network_cidr, var.address_space) == var.address_space ? 0 : "Variable [address_space] must be a valid address in CIDR notation." + // Will fail if var.subnet_prefix is invalid + regex_subnet_prefix = regex(local.regex_valid_network_cidr, var.subnet_prefix) == var.subnet_prefix ? 0 : "Variable [subnet_prefix] must be a valid address in CIDR notation." 
+}
+
+variable "bootstrap_script" {
+ description = "An optional script to run on the initial boot"
+ default = ""
+ type = string
+ #example:
+ #"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
+}
+
+variable "nsg_id" {
+ description = "NSG ID - Optional - if empty use default NSG"
+ default = ""
+}
+
+variable "add_storage_account_ip_rules" {
+ type = bool
+ default = false
+ description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location"
+}
+
+variable "storage_account_additional_ips" {
+ type = list(string)
+ description = "IPs/CIDRs that are allowed access to the Storage Account"
+ default = []
+}
+//********************** Credentials **************************//
+
+variable "tenant_id" {
+ description = "Tenant ID"
+ type = string
+}
+
+variable "subscription_id" {
+ description = "Subscription ID"
+ type = string
+}
+
+variable "client_id" {
+ description = "Aplication ID(Client ID)"
+ type = string
+}
+
+variable "client_secret" {
+ description = "A secret string that the application uses to prove its identity when requesting a token. Also can be referred to as application password."
+ type = string
+}
+
+variable "sku" {
+ description = "SKU"
+ type = string
+ default = "Standard"
+}
diff --git a/deprecated/terraform/azure/R8040-R81/management-new-vnet/versions.tf b/deprecated/terraform/azure/R8040-R81/management-new-vnet/versions.tf
new file mode 100644
index 00000000..0d5ca4f3
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/management-new-vnet/versions.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~> 3.81.0"
+ }
+ random = {
+ version = "~> 3.5.1"
+ }
+ }
+}
\ No newline at end of file
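Review bot: The CIDR checks for `address_space` and `subnet_prefix` in the last `locals` block are ineffective: `regex_valid_network_cidr` ends in `|$`, so the pattern always matches via the empty alternative, `regex()` never raises, and the `== var.address_space ? 0 : "Variable ..."` expression merely stores the error string in an unreferenced local instead of failing the run — unlike the fully anchored `regex_valid_management_GUI_client_network` pattern and the `index()` lookups, which do abort on invalid input. Since `versions.tf` pins `required_version = ">= 0.14.3"`, a `validation` block on each variable is the idiomatic replacement that fails at plan time; the `address_space` version is below and `subnet_prefix` should mirror it, with the three `regex_*` locals dropped. Separately, `admin_password`, `client_secret`, `serial_console_password_hash` and `maintenance_mode_password_hash` lack `sensitive = true`, so their values are printed in plan/apply output and state diffs; the flag is supported by the pinned Terraform version and is a one-line addition to each of those four variables.
```hcl
variable "address_space" {
  description = "The address space that is used by a Virtual Network."
  type        = string
  default     = "10.0.0.0/16"

  validation {
    condition     = can(cidrnetmask(var.address_space))
    error_message = "Variable [address_space] must be a valid IPv4 network in CIDR notation."
  }
}
# … unchanged: remaining variables; remove regex_valid_network_cidr, regex_address_space and regex_subnet_prefix from locals …
```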
diff --git a/deprecated/terraform/azure/R8040-R81/mds-existing-vnet/README.md b/deprecated/terraform/azure/R8040-R81/mds-existing-vnet/README.md new file mode 100644 index 00000000..7c8003fd --- /dev/null +++ b/deprecated/terraform/azure/R8040-R81/mds-existing-vnet/README.md @@ -0,0 +1,195 @@ +# Check Point CloudGuard Network Security MDS Terraform deployment for Azure + +This Terraform module deploys Check Point CloudGuard Network Security Management solution into a new Vnet in Azure. +As part of the deployment the following resources are created: +- Resource group +- Network security group +- Virtual Machine +- System assigned identity + +This solution uses the following modules: +- /terraform/azure/modules/common - used for creating a resource group and defining common variables. +- /terraform/azure/modules/network-security-group - used for creating new network security groups and rules. + + +## Configurations +- Install and configure Terraform to provision Azure resources: [Configure Terraform for Azure](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/terraform-install-configure) +- In order to use ssh connection to VMs, it is **required** to add a public key to the /terraform/azure/mds-existing-vnet/azure_public_key file. + +## Usage +- Choose the preferred login method to Azure in order to deploy the solution: +
1. Using Service Principal: + - Create a [Service Principal](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal) (or use the existing one) + - Grant the Service Principal at least "**Managed Application Contributor**", "**Storage Account Contributor**", "**Network Contributor**", "**Virtual Machine Contributor**" permissions to the Azure subscription
+ - The Service Principal credentials can be stored either in the terraform.tfvars or as [Environment Variables](https://www.terraform.io/docs/providers/azuread/guides/service_principal_client_secret.html)
+ + In case the Environment Variables are used, perform modifications described below:
+ + a. The next lines in the main.tf file, in the provider azurerm resource, need to be deleted or commented: + + provider "azurerm" { + + // subscription_id = var.subscription_id + // client_id = var.client_id + // client_secret = var.client_secret + // tenant_id = var.tenant_id + + features {} + } + + b. In the terraform.tfvars file leave empty double quotes for client_secret, client_id , tenant_id and subscription_id variables: + + client_secret = "" + client_id = "" + tenant_id = "" + subscription_id = "" + +
2. Using **az** commands from a command-line: + - Run **az login** command + - Sign in with your account credentials in the browser + - [Accept Azure Marketplace image terms](https://docs.microsoft.com/en-us/cli/azure/vm/image/terms?view=azure-cli-latest) by running: +
**az vm image terms accept --urn publisher:offer:sku:version**, where: + - publisher = checkpoint; + - offer = vm_os_offer (see accepted values in the table below); + - sku = vm_os_sku (see accepted values in the table below); + - version = latest
+
Example:
+ az vm image terms accept --urn checkpoint:check-point-cg-r8040:sg-byol:latest + + - In the terraform.tfvars file leave empty double quotes for client_secret, client_id and tenant_id variables. + +- Fill all variables in the /terraform/azure/mds-existing-vnet/terraform.tfvars file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + + terraform init +- Create an execution plan: + + terraform plan +- Create or modify the deployment: + + terraform apply + +### terraform.tfvars variables: + | Name | Description | Type | Allowed values | Default | + | ------------- | ------------- | ------------- | ------------- | ------------- | + | **client_secret** | The client secret value of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **client_id** | The client ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | | n/a + | | | | | | + | **source_image_vhd_uri** | The URI of the blob containing the development image. 
Please use noCustomUri if you want to use marketplace images | string | | "noCustomUri" + | | | | | | + | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | n/a + | | | | | | + | **mds_name** | MDS name | string | | n/a + | | | | | | + | **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | n/a + | | | | | | + | **vnet_name** | The name of virtual network that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | n/a + | | | | | | + | **vnet_resource_group** | Resource Group of the existing virtual network | string | The exact name of the existing vnet's resource group | n/a + | | | | | | + | **management_subnet_name** | Specifies the name of the external subnet | string | The exact name of the existing external subnet | n/a + | | | | | | + | **subnet_1st_Address** | First available address in management subnet | string | | n/a + | | | | | | + | **management_GUI_client_network** | Allowed GUI clients - GUI clients network CIDR | string | | n/a + | | | | | | + | **mds_enable_api** | Enable api access to the mds | string | - "all";
- "management_only";
- "gui_clients"
- "disable"; | "disable" + | | | | | | + | **admin_password** | The password associated with the local administrator account on the mds | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | n/a + | | | | | | + | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | n/a + | | | | | | + | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | n/a + | | | | | | + | **vm_os_sku** | 
A sku of the image to be deployed | string | "mgmt-byol" - BYOL license;
"mgmt-25" - PAYG; | n/a + | | | | | | + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | | | | | | + | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120";| n/a + | | | | | | + | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | "" + | | | | | | + | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | n/a + | | | | | | + | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | n/a + | | | | | | + | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | "/etc/cli.sh" + | | | | | | + | **sic_key** | Set the Secure Internal Communication one time secret used to set up trust between the primary and secondary servers. SIC key must be provided if installing a secondary Multi-Domain Server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | n/a + | | | | | | + | **installation_type** | Enables to select installation type - gateway/standalone | string | mds-primary;
mds-secondary;
mds-logserver; | n/a + | | | | | | + | **primary** | Indicates if the installation type is mds-primary | boolean | true;
false; | n/a + | | | | | | + | **secondary** | Indicates if the installation type is mds-secondary | boolean | true;
false; | n/a + | | | | | | + | **logserver** | Indicates if the installation type is mds-logserver | boolean | true;
false; | n/a + | | | | | | + | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here | string | | n/a + | | | | | | + | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | | n/a + | | | | | | + | **nsg_id** | Optional ID for a Network Security Group that already exists in Azure, if not provided, will create a default NSG | string | Existing NSG resource ID | "" + | | | | | | + | **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false; | false + | | | | | | + | **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs | [] + + +## Example + client_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + client_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + tenant_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + subscription_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + source_image_vhd_uri = "noCustomUri" + resource_group_name = "checkpoint-mds-rg-terraform" + mds_name = "checkpoint-mds-terraform" + location = "eastus" + vnet_name = "checkpoint-mds-vnet" + vnet_resource_group = "existing-vnet" + management_subnet_name = "mgmt-subnet" + subnet_1st_Address = "10.0.1.4" + management_GUI_client_network = "0.0.0.0/0" + mds_enable_api = "disable" + admin_password = "xxxxxxxxxxxx" + vm_size = "Standard_D3_v2" + disk_size = "110" + vm_os_sku = "mgmt-byol" + vm_os_offer = "check-point-cg-r8110" + os_version = "R8110" + bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" + allow_upload_download = true + authentication_type = "Password" + admin_shell = "/etc/cli.sh" + sic_key = "xxxxxxxxxxxx" + installation_type = "mds-primary" + primary = "true" + secondary = "false" + logserver = "false" + serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + nsg_id = "" + add_storage_account_ip_rules = false + storage_account_additional_ips = [] + +## Revision History +In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|---------------------------------------------------------------------------------------------| +| 20240613 | - Updated Azure Terraform provider version
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Updated Public IP sku to Standard
- Added validation for os_version & os_offer | +| | | | +| 20230910 | - R81.20 is the default version | +| | | | +| 20230629 | First release of Check Point CloudGuard Network Security MDS Terraform deployment for Azure | +| | | | + +## License + +See the [LICENSE](../../LICENSE) file for details + diff --git a/deprecated/terraform/azure/R8040-R81/mds-existing-vnet/azure_public_key b/deprecated/terraform/azure/R8040-R81/mds-existing-vnet/azure_public_key new file mode 100644 index 00000000..e69de29b diff --git a/deprecated/terraform/azure/R8040-R81/mds-existing-vnet/cloud-init.sh b/deprecated/terraform/azure/R8040-R81/mds-existing-vnet/cloud-init.sh new file mode 100644 index 00000000..627de012 --- /dev/null +++ b/deprecated/terraform/azure/R8040-R81/mds-existing-vnet/cloud-init.sh @@ -0,0 +1,20 @@ +#!/usr/bin/python3 /etc/cloud_config.py + +installationType="${installation_type}" +allowUploadDownload="${allow_upload_download}" +osVersion="${os_version}" +templateName="${template_name}" +templateVersion="${template_version}" +templateType="${template_type}" +isBlink="${is_blink}" +bootstrapScript64="${bootstrap_script64}" +location="${location}" +managementGUIClientNetwork="${management_GUI_client_network}" +enableApi="${enable_api}" +adminShell="${admin_shell}" +sicKey="${sic_key}" +primary="${primary}" +secondary="${secondary}" +logserver="${logserver}" +passwordHash="${serial_console_password_hash}" +MaintenanceModePassword="${maintenance_mode_password_hash}" diff --git a/deprecated/terraform/azure/R8040-R81/mds-existing-vnet/main.tf b/deprecated/terraform/azure/R8040-R81/mds-existing-vnet/main.tf new file mode 100644 index 00000000..ff654c86 --- /dev/null +++ b/deprecated/terraform/azure/R8040-R81/mds-existing-vnet/main.tf 
@@ -0,0 +1,316 @@ +//********************** Providers **************************// +provider "azurerm" { + subscription_id = var.subscription_id + client_id = var.client_id + client_secret = var.client_secret + tenant_id = var.tenant_id + + features {} +} + +//********************** Basic Configuration **************************// +module "common" { + source = "../modules/common" + resource_group_name = var.resource_group_name + location = var.location + admin_password = var.admin_password + template_name = var.template_name + installation_type = var.installation_type + template_version = var.template_version + number_of_vm_instances = 1 + allow_upload_download = var.allow_upload_download + vm_size = var.vm_size + disk_size = var.disk_size + is_blink = false + os_version = var.os_version + vm_os_sku = var.vm_os_sku + vm_os_offer = var.vm_os_offer + authentication_type = var.authentication_type + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash + storage_account_additional_ips = var.storage_account_additional_ips +} + +//********************** Networking **************************// +data "azurerm_subnet" "mds_subnet" { + name = var.management_subnet_name + virtual_network_name = var.vnet_name + resource_group_name = var.vnet_resource_group +} + +resource "azurerm_public_ip" "public-ip" { + name = var.mds_name + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + allocation_method = var.vnet_allocation_method + sku = var.sku + idle_timeout_in_minutes = 30 + domain_name_label = join("", [ + lower(var.mds_name), + "-", + random_id.randomId.hex]) +} + +module "network-security-group" { + source = "../modules/network-security-group" + count = var.nsg_id == "" ? 
1 : 0 + resource_group_name = module.common.resource_group_name + security_group_name = "${module.common.resource_group_name}-nsg" + location = module.common.resource_group_location + security_rules = [ + { + name = "SSH" + priority = "100" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "22" + description = "Allow inbound SSH connection" + source_address_prefix = var.management_GUI_client_network + destination_address_prefix = "*" + }, + { + name = "GAiA-portal" + priority = "110" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "443" + description = "Allow inbound HTTPS access to the GAiA portal" + source_address_prefix = var.management_GUI_client_network + destination_address_prefix = "*" + }, + { + name = "SmartConsole-1" + priority = "120" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "18190" + description = "Allow inbound access using the SmartConsole GUI client" + source_address_prefix = var.management_GUI_client_network + destination_address_prefix = "*" + }, + { + name = "SmartConsole-2" + priority = "130" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "19009" + description = "Allow inbound access using the SmartConsole GUI client" + source_address_prefix = var.management_GUI_client_network + destination_address_prefix = "*" + }, + { + name = "Logs" + priority = "140" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "257" + description = "Allow inbound logging connections from managed gateways" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + { + name = "ICA-pull" + priority = "150" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + 
destination_port_ranges = "18210" + description = "Allow security gateways to pull a SIC certificate" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + { + name = "CRL-fetch" + priority = "160" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "18264" + description = "Allow security gateways to fetch CRLs" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + { + name = "Policy-fetch" + priority = "170" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "18191" + description = "Allow security gateways to fetch policy" + source_address_prefix = "*" + destination_address_prefix = "*" + } + ] +} + +resource "azurerm_network_interface_security_group_association" "security_group_association" { + depends_on = [azurerm_network_interface.nic] + network_interface_id = azurerm_network_interface.nic.id + network_security_group_id = var.nsg_id == "" ? 
module.network-security-group[0].network_security_group_id: var.nsg_id +} + +resource "azurerm_network_interface" "nic" { + depends_on = [ + azurerm_public_ip.public-ip] + name = "${var.mds_name}-eth0" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + enable_ip_forwarding = false + + ip_configuration { + name = "ipconfig1" + subnet_id = data.azurerm_subnet.mds_subnet.id + private_ip_address_allocation = var.vnet_allocation_method + private_ip_address = var.subnet_1st_Address + public_ip_address_id = azurerm_public_ip.public-ip.id + } +} + +//********************** Storage accounts **************************// +// Generate random text for a unique storage account name +resource "random_id" "randomId" { + keepers = { + # Generate a new ID only when a new resource group is defined + resource_group = module.common.resource_group_name + } + byte_length = 8 +} +resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { + name = "bootdiag${random_id.randomId.hex}" + resource_group_name = module.common.resource_group_name + location = module.common.resource_group_location + account_tier = module.common.storage_account_tier + account_replication_type = module.common.account_replication_type + account_kind = "Storage" + network_rules { + default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow" + ip_rules = module.common.storage_account_ip_rules + } + blob_properties { + delete_retention_policy { + days = "15" + } + } + +} + +//********************** Virtual Machines **************************// +locals { + SSH_authentication_type_condition = var.authentication_type == "SSH Public Key" ? true : false + custom_image_condition = var.source_image_vhd_uri == "noCustomUri" ? false : true +} + +resource "azurerm_image" "custom-image" { + count = local.custom_image_condition ? 
1 : 0 + name = "custom-image" + location = var.location + resource_group_name = module.common.resource_group_name + + os_disk { + os_type = "Linux" + os_state = "Generalized" + blob_uri = var.source_image_vhd_uri + } +} + +resource "azurerm_virtual_machine" "mds-vm-instance" { + depends_on = [ + azurerm_network_interface.nic] + location = module.common.resource_group_location + name = var.mds_name + network_interface_ids = [ + azurerm_network_interface.nic.id] + resource_group_name = module.common.resource_group_name + vm_size = module.common.vm_size + delete_os_disk_on_termination = module.common.delete_os_disk_on_termination + primary_network_interface_id = azurerm_network_interface.nic.id + + identity { + type = module.common.vm_instance_identity + } + + dynamic "plan" { + for_each = local.custom_image_condition ? [ + ] : [1] + content { + name = module.common.vm_os_sku + publisher = module.common.publisher + product = module.common.vm_os_offer + } + } + + boot_diagnostics { + enabled = module.common.boot_diagnostics + storage_uri = module.common.boot_diagnostics ? 
join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : "" + } + + os_profile { + computer_name = var.mds_name + admin_username = module.common.admin_username + admin_password = module.common.admin_password + custom_data = templatefile("${path.module}/cloud-init.sh", { + installation_type = var.installation_type + allow_upload_download = module.common.allow_upload_download + os_version = module.common.os_version + template_name = module.common.template_name + template_version = module.common.template_version + template_type = "terraform" + is_blink = module.common.is_blink + bootstrap_script64 = base64encode(var.bootstrap_script) + location = module.common.resource_group_location + management_GUI_client_network = var.management_GUI_client_network + enable_api = var.mds_enable_api + admin_shell = var.admin_shell + sic_key = var.sic_key + primary = var.primary + secondary = var.secondary + logserver = var.logserver + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash + }) + } + + + os_profile_linux_config { + disable_password_authentication = local.SSH_authentication_type_condition + + dynamic "ssh_keys" { + for_each = local.SSH_authentication_type_condition ? [ + 1] : [] + content { + path = "/home/notused/.ssh/authorized_keys" + key_data = file("${path.module}/azure_public_key") + } + } + } + + storage_image_reference { + id = local.custom_image_condition ? azurerm_image.custom-image[0].id : null + publisher = local.custom_image_condition ? 
null : module.common.publisher + offer = module.common.vm_os_offer + sku = module.common.vm_os_sku + version = module.common.vm_os_version + } + + storage_os_disk { + name = var.mds_name + create_option = module.common.storage_os_disk_create_option + caching = module.common.storage_os_disk_caching + managed_disk_type = module.common.storage_account_type + disk_size_gb = module.common.disk_size + } +} \ No newline at end of file diff --git a/deprecated/terraform/azure/R8040-R81/mds-existing-vnet/terraform.tfvars b/deprecated/terraform/azure/R8040-R81/mds-existing-vnet/terraform.tfvars new file mode 100644 index 00000000..61547ee1 --- /dev/null +++ b/deprecated/terraform/azure/R8040-R81/mds-existing-vnet/terraform.tfvars 
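Review bot: The Logs, ICA-pull, CRL-fetch and Policy-fetch NSG rules (destination ports 257, 18210, 18264, 18191) use `source_address_prefix = "*"`, and the NIC they protect is bound to `azurerm_public_ip.public-ip`, so those management services are reachable from any Internet source rather than from the managed gateways only. A variable listing the gateways' source networks, used the way `var.management_GUI_client_network` already scopes the SSH/443/18190/19009 rules, would keep the default deployment closed; the same rule set is repeated in the mds-new-vnet main.tf hunk. Separately, the boot-diagnostics storage account sets `default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow"` with the variable defaulting to false, so network-level access to that account is open to all networks unless the operator opts in; either flip that default or state the consequence next to the variable description.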
@@ -0,0 +1,35 @@
+#PLEASE refer to the README.md for accepted values for the variables below
+client_secret = "PLEASE ENTER CLIENT SECRET" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+client_id = "PLEASE ENTER CLIENT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+tenant_id = "PLEASE ENTER TENANT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+subscription_id = "PLEASE ENTER SUBSCRIPTION ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+source_image_vhd_uri = "PLEASE ENTER SOURCE IMAGE VHD URI OR noCustomUri" # "noCustomUri"
+resource_group_name = "PLEASE ENTER RESOURCE GROUP NAME" # "checkpoint-mds-rg-terraform"
+mds_name = "PLEASE ENTER MDS NAME" # "checkpoint-mds-terraform"
+location = "PLEASE ENTER LOCATION" # "eastus"
+vnet_name = "PLEASE ENTER VIRTUAL NETWORK NAME" # "checkpoint-mds-vnet"
+vnet_resource_group = "PLEASE ENTER VIRTUAL NETWORK RESOURCE GROUP NAME" # "existing-vnet"
+management_subnet_name = "PLEASE ENTER MANAGEMENT SUBNET NAME" # "mgmt-subnet"
+subnet_1st_Address = "PLEASE ENTER SUBNET FIRST ADDRESS" # "10.0.1.4"
+management_GUI_client_network = "PLEASE ENTER A MANAGEMENT GUI CLIENT NETWORK" # "0.0.0.0/0"
+mds_enable_api = "PLEASE ENTER FOR WHOM TO ENABLE API ACCESS OR disable" # "disable"
+admin_password = "PLEASE ENTER ADMIN PASSWORD" # "xxxxxxxxxxxx"
+vm_size = "PLEASE ENTER VM SIZE" # "Standard_D3_v2"
+disk_size = "PLEASE ENTER DISK SIZE" # "110"
+vm_os_sku = "PLEASE ENTER VM SKU" # "mgmt-byol"
+vm_os_offer = "PLEASE ENTER VM OFFER" # "check-point-cg-r8110"
+os_version = "PLEASE ENTER GAIA OS VERSION" # "R8110"
+bootstrap_script = "PLEASE ENTER CUSTOM SCRIPT OR LEAVE EMPTY DOUBLE QUOTES" # "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
+allow_upload_download = "PLEASE ENTER true or false" # true
+authentication_type = "PLEASE ENTER AUTHENTICATION TYPE" # "Password"
+admin_shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh"
+sic_key = "PLEASE ENTER SIC KEY" # "xxxxxxxxxxxx"
+installation_type = "PLEASE ENTER 
INSTALLATION TYPE" # "mds-primary"
+primary = "PLEASE ENTER true or false" # "true"
+secondary = "PLEASE ENTER true or false" # "false"
+logserver = "PLEASE ENTER true or false" # "false"
+serial_console_password_hash = "PLEASE ENTER SERIAL CONSOLE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+nsg_id = "PLEASE ENTER NETWORK SECURITY GROUP ID" # ""
+add_storage_account_ip_rules = "PLEASE ENTER true or false" # false
+storage_account_additional_ips = "PLEASE ENTER A LIST OF VALID IPS/CIDRS" # []
\ No newline at end of file
diff --git a/deprecated/terraform/azure/R8040-R81/mds-existing-vnet/variables.tf b/deprecated/terraform/azure/R8040-R81/mds-existing-vnet/variables.tf
new file mode 100644
index 00000000..8896ceae
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/mds-existing-vnet/variables.tf
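Review bot: `client_secret`, `admin_password` and `sic_key` are requested in cleartext in the same file as every non-secret setting, and nothing beyond the generic first-line comment says those values must not be committed once filled in. A short comment on each of those three lines, e.g. `# secret - do not commit a real value; see the README for the environment-variable alternative`, would make that explicit; the README's Service Principal section already describes leaving the credential values as empty quotes when environment variables are used.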
@@ -0,0 +1,280 @@ +//********************** Basic Configuration Variables **************************// +variable "mds_name" { + description = "MDS name" + type = string +} + +variable "resource_group_name" { + description = "Azure Resource Group name to build into" + type = string +} + +variable "location" { + description = "The location/region where resource will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions" + type = string +} + +//********************** Virtual Machine Instances Variables **************************// +variable "source_image_vhd_uri" { + type = string + description = "The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images." + default = "noCustomUri" +} + +variable "admin_username" { + description = "Administrator username of deployed VM. Due to Azure limitations 'notused' name can be used" + default = "notused" +} + +variable "admin_password" { + description = "Administrator password of deployed Virtual Machine. 
The password must meet the complexity requirements of Azure" + type = string +} + +variable "serial_console_password_hash" { + description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type" + type = string +} + +variable "maintenance_mode_password_hash" { + description = "Maintenance mode password hash, relevant only for R81.20 and higher versions" + type = string +} + +variable "authentication_type" { + description = "Specifies whether a password authentication or SSH Public Key authentication should be used" + type = string +} +locals { // locals for 'authentication_type' allowed values + authentication_type_allowed_values = [ + "Password", + "SSH Public Key" + ] + // will fail if [var.authentication_type] is invalid: + validate_authentication_type_value = index(local.authentication_type_allowed_values, var.authentication_type) +} + +variable "template_name" { + description = "Template name. Should be defined according to deployment type(mds, ha, vmss)" + type = string + default = "mds_terraform" +} + +variable "template_version" { + description = "Template version. It is recommended to always use the latest template version" + type = string + default = "20230910" +} + +variable "installation_type" { + description = "Installaiton type" + type = string + default = "mds-primary" +} + +variable "primary" { + type = string +} + +variable "secondary" { + type = string +} + +variable "logserver" { + type = string +} + +locals { //locals for 'installation_type' + isntallation_type_allowed_values = [ + "mds-primary", + "mds-secondary", + "mds-logserver" + ] +} + +variable "vm_size" { + description = "Specifies size of Virtual Machine" + type = string +} + +variable "disk_size" { + description = "Storage data disk size size(GB). 
Select a number between 100 and 3995" + type = string +} + +variable "os_version" { + description = "GAIA OS version" + type = string +} + +locals { // locals for 'vm_os_offer' allowed values + os_version_allowed_values = [ + "R8040", + "R81", + "R8110", + "R8120" + ] + // will fail if [var.os_version] is invalid: + validate_os_version_value = index(local.os_version_allowed_values, var.os_version) +} + +variable "vm_os_sku" { + description = "The sku of the image to be deployed." + type = string +} + +variable "vm_os_offer" { + description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8040, check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" + type = string +} + +locals { // locals for 'vm_os_offer' allowed values + vm_os_offer_allowed_values = [ + "check-point-cg-r8040", + "check-point-cg-r81", + "check-point-cg-r8110", + "check-point-cg-r8120" + ] + // will fail if [var.vm_os_offer] is invalid: + validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer) +} + +variable "allow_upload_download" { + description = "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point" + type = bool +} + +variable "admin_shell" { + description = "The admin shell to configure on machine or the first time" + type = string + default = "/etc/cli.sh" +} + +locals { + admin_shell_allowed_values = [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh" + ] + // Will fail if [var.admin_shell] is invalid + validate_admin_shell_value = index(local.admin_shell_allowed_values, var.admin_shell) +} + +//********************** Networking Variables **************************// +variable "vnet_name" { + description = "Virtual Network name" + type = string +} + +variable "management_subnet_name" { + description = "management subnet name" + type = string +} + +variable "subnet_1st_Address" { + description = "The first available address of the subnet" + type = string +} + +variable "vnet_resource_group" { + description = "Resource group of existing vnet" + type = string +} + +variable "vnet_allocation_method" { + description = "IP address allocation method" + type = string + default = "Static" +} + +variable "management_GUI_client_network" { + description = "Allowed GUI clients - GUI clients network CIDR" + type = string + validation { + condition = can(regex("(^0\\.0\\.0\\.0\\/0$)|(^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/32)?$)", var.management_GUI_client_network)) && var.management_GUI_client_network != "0.0.0.0/32" + error_message = "Variable [management_GUI_client_network] must be a valid IPv4 network CIDR (only 0.0.0.0/0, X.X.X.X/32 or X.X.X.X are acceptable)." + } +} + +variable "mds_enable_api" { + description = "Enable api access to the management. 
allowed values: all, management_only, gui_clients, disable" + type = string + default = "disable" +} + +locals { + mds_enable_api_allowed_values = [ + "disable", + "all", + "management_only", + "gui_clients" + ] + // will fail if [var.mds_enable_api] is invalid: + validate_mds_enable_api_value = index(local.mds_enable_api_allowed_values, var.mds_enable_api) + + regex_valid_subnet_1st_Address = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$" + // Will fail if var.subnet_1st_Address is invalid + regex_subnet_1st_Address = regex(local.regex_valid_subnet_1st_Address, var.subnet_1st_Address) == var.subnet_1st_Address ? 0 : "Variable [subnet_1st_Address] must be a valid address." +} + +variable "bootstrap_script" { + description = "An optional script to run on the initial boot" + default = "" + type = string + #example: + #"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" +} + +variable "nsg_id" { + description = "NSG ID - Optional - if empty use default NSG" + default = "" +} + +variable "add_storage_account_ip_rules" { + type = bool + default = false + description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location" +} + +variable "storage_account_additional_ips" { + type = list(string) + description = "IPs/CIDRs that are allowed access to the Storage Account" + default = [] +} +//********************** Credentials **************************// + +variable "tenant_id" { + description = "Tenant ID" + type = string +} + +variable "subscription_id" { + description = "Subscription ID" + type = string +} + +variable "client_id" { + description = "Application ID(Client ID)" + type = string +} + +variable "client_secret" { + description = "A secret string that the application uses to prove its identity when requesting a token. Also can be referred to as application password." 
+ type = string
+}
+
+variable sic_key {
+ description = "sic_key"
+ type = string
+}
+
+resource "null_resource" "sic_key_invalid" {
+ count = length(var.sic_key) >= 12 ? 0 : "SIC key must be at least 12 characters long"
+}
+
+variable "sku" {
+ description = "SKU"
+ type = string
+ default = "Standard"
+}
diff --git a/deprecated/terraform/azure/R8040-R81/mds-existing-vnet/versions.tf b/deprecated/terraform/azure/R8040-R81/mds-existing-vnet/versions.tf
new file mode 100644
index 00000000..0d5ca4f3
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/mds-existing-vnet/versions.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~> 3.81.0"
+ }
+ random = {
+ version = "~> 3.5.1"
+ }
+ }
+}
\ No newline at end of file
diff --git a/deprecated/terraform/azure/R8040-R81/mds-new-vnet/README.md b/deprecated/terraform/azure/R8040-R81/mds-new-vnet/README.md
new file mode 100644
index 00000000..293c3862
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/mds-new-vnet/README.md
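Review bot: `client_secret`, `admin_password`, `sic_key`, `serial_console_password_hash` and `maintenance_mode_password_hash` are declared without `sensitive = true`, although versions.tf requires Terraform `>= 0.14.3` where the attribute is available, so their values (and the `custom_data` that main.tf renders from them) can show up unredacted in plan and apply output. Add `sensitive = true` to each of those five variable blocks; once `sic_key` is sensitive, the `null_resource "sic_key_invalid"` count trick will, as far as I recall, be rejected because `count` may not be derived from a sensitive value, so that length check belongs in a `validation {}` block on the variable instead. The `locals` block for installation_type defines `isntallation_type_allowed_values` (misspelled) but, unlike the neighbouring allowed-value blocks, never calls `index()` on it, so any `installation_type` string reaches the VM unchecked; `validate_installation_type_value = index(local.installation_type_allowed_values, var.installation_type)` with the list renamed closes that gap.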
@@ -0,0 +1,188 @@ +# Check Point CloudGuard Network Security MDS Terraform deployment for Azure + +This Terraform module deploys Check Point CloudGuard Network Security Management solution into a new Vnet in Azure. +As part of the deployment the following resources are created: +- Resource group +- Virtual network +- Network security group +- Virtual Machine +- System assigned identity + +This solution uses the following modules: +- /terraform/azure/modules/common - used for creating a resource group and defining common variables. +- /terraform/azure/modules/vnet - used for creating new virtual network and subnets. +- /terraform/azure/modules/network-security-group - used for creating new network security groups and rules. + + +## Configurations +- Install and configure Terraform to provision Azure resources: [Configure Terraform for Azure](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/terraform-install-configure) +- In order to use ssh connection to VMs, it is **required** to add a public key to the /terraform/azure/mds-new-vnet/azure_public_key file. + +## Usage +- Choose the preferred login method to Azure in order to deploy the solution: +
1. Using Service Principal: + - Create a [Service Principal](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal) (or use the existing one) + - Grant the Service Principal at least "**Managed Application Contributor**", "**Storage Account Contributor**", "**Network Contributor**", "**Virtual Machine Contributor**" permissions to the Azure subscription
+ - The Service Principal credentials can be stored either in the terraform.tfvars or as [Environment Variables](https://www.terraform.io/docs/providers/azuread/guides/service_principal_client_secret.html)
+ + In case the Environment Variables are used, perform modifications described below:
+ + a. The next lines in the main.tf file, in the provider azurerm resource, need to be deleted or commented: + + provider "azurerm" { + + // subscription_id = var.subscription_id + // client_id = var.client_id + // client_secret = var.client_secret + // tenant_id = var.tenant_id + + features {} + } + + b. In the terraform.tfvars file leave empty double quotes for client_secret, client_id , tenant_id and subscription_id variables: + + client_secret = "" + client_id = "" + tenant_id = "" + subscription_id = "" + +
2. Using **az** commands from a command-line: + - Run **az login** command + - Sign in with your account credentials in the browser + - [Accept Azure Marketplace image terms](https://docs.microsoft.com/en-us/cli/azure/vm/image/terms?view=azure-cli-latest) by running: +
**az vm image terms accept --urn publisher:offer:sku:version**, where: + - publisher = checkpoint; + - offer = vm_os_offer (see accepted values in the table below); + - sku = vm_os_sku (see accepted values in the table below); + - version = latest
+
Example:
+ az vm image terms accept --urn checkpoint:check-point-cg-r8040:sg-byol:latest + + - In the terraform.tfvars file leave empty double quotes for client_secret, client_id and tenant_id variables. + +- Fill all variables in the /terraform/azure/mds-new-vnet/terraform.tfvars file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + + terraform init +- Create an execution plan: + + terraform plan +- Create or modify the deployment: + + terraform apply + +### terraform.tfvars variables: + | Name | Description | Type | Allowed values | Default | + | ------------- | ------------- | ------------- | ------------- | ------------- | + | **client_secret** | The client secret value of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **client_id** | The client ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | | n/a + | | | | | | + | **source_image_vhd_uri** | The URI of the blob containing the development image. 
Please use noCustomUri if you want to use marketplace images | string | | "noCustomUri" + | | | | | | + | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | n/a + | | | | | | + | **mds_name** | MDS name | string | | n/a + | | | | | | + | **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | n/a + | | | | | | + | **vnet_name** | The name of virtual network that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | n/a + | | | | | | + | **address_space** | The address space that is used by a Virtual Network | string | A valid address in CIDR notation | "10.0.0.0/16" + | | | | | | + | **subnet_prefix** | Address prefix to be used for network subnet | string | A valid address in CIDR notation | "10.0.0.0/24" + | | | | | | + | **management_GUI_client_network** | Allowed GUI clients - GUI clients network CIDR | string | | n/a + | | | | | | + | **mds_enable_api** | Enable api access to the mds | string | - "all";
- "management_only";
- "gui_clients"
- "disable"; | "disable" + | | | | | | + | **admin_password** | The password associated with the local administrator account on the mds | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | n/a + | | | | | | + | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | n/a + | | | | | | + | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | n/a + | | | | | | + | **vm_os_sku** | 
A sku of the image to be deployed | string | "mgmt-byol" - BYOL license;
"mgmt-25" - PAYG; | n/a + | | | | | | + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | | | | | | + | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120";| n/a + | | | | | | + | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | "" + | | | | | | + | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | n/a + | | | | | | + | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | n/a + | | | | | | + | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | "/etc/cli.sh" + | | | | | | + | **sic_key** | Set the Secure Internal Communication one time secret used to set up trust between the primary and secondary servers. SIC key must be provided if installing a secondary Multi-Domain Server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | n/a + | | | | | | + | **installation_type** | Enables to select installation type- gateway/standalone | string | mds-primary;
mds-secondary;
mds-logserver; | n/a + | | | | | | + | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here | string | | n/a + | | | | | | + | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | | n/a + | | | | | | + | **nsg_id** | Optional ID for a Network Security Group that already exists in Azure, if not provided, will create a default NSG | string | Existing NSG resource ID | "" + | | | | | | + | **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false; | false + | | | | | | + | **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs | [] + + +## Example + client_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + client_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + tenant_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + subscription_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + source_image_vhd_uri = "noCustomUri" + resource_group_name = "checkpoint-mds-rg-terraform" + mds_name = "checkpoint-mds-terraform" + location = "eastus" + vnet_name = "checkpoint-mds-vnet" + address_space = "10.0.0.0/16" + subnet_prefix = "10.0.0.0/24" + management_GUI_client_network = "0.0.0.0/0" + mds_enable_api = "disable" + admin_password = "xxxxxxxxxxxx" + vm_size = "Standard_D3_v2" + disk_size = "110" + vm_os_sku = "mgmt-byol" + vm_os_offer = "check-point-cg-r8110" + os_version = "R8110" + bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" + allow_upload_download = true + authentication_type = "Password" + admin_shell = "/etc/cli.sh" + sic_key = "xxxxxxxxxxxx" + installation_type = "mds-primary" + primary = "true" + secondary = "false" + logserver = "false" + serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + nsg_id = "" + add_storage_account_ip_rules = false + storage_account_additional_ips = [] + +## Revision History +In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|---------------------------------------------------------------------------------------------| +| 20240613 | - Updated Azure Terraform provider version
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Updated Public IP sku to Standard
- Added validation for os_version & os_offer |
+| | | |
+| 20230910 | - R81.20 is the default version |
+| | | |
+| 20230629 | First release of Check Point CloudGuard Network Security MDS Terraform deployment for Azure |
+| | | |
+
+## License
+
+See the [LICENSE](../../LICENSE) file for details
+
diff --git a/deprecated/terraform/azure/R8040-R81/mds-new-vnet/azure_public_key b/deprecated/terraform/azure/R8040-R81/mds-new-vnet/azure_public_key
new file mode 100644
index 00000000..e69de29b
diff --git a/deprecated/terraform/azure/R8040-R81/mds-new-vnet/cloud-init.sh b/deprecated/terraform/azure/R8040-R81/mds-new-vnet/cloud-init.sh
new file mode 100644
index 00000000..627de012
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/mds-new-vnet/cloud-init.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/python3 /etc/cloud_config.py
+
+installationType="${installation_type}"
+allowUploadDownload="${allow_upload_download}"
+osVersion="${os_version}"
+templateName="${template_name}"
+templateVersion="${template_version}"
+templateType="${template_type}"
+isBlink="${is_blink}"
+bootstrapScript64="${bootstrap_script64}"
+location="${location}"
+managementGUIClientNetwork="${management_GUI_client_network}"
+enableApi="${enable_api}"
+adminShell="${admin_shell}"
+sicKey="${sic_key}"
+primary="${primary}"
+secondary="${secondary}"
+logserver="${logserver}"
+passwordHash="${serial_console_password_hash}"
+MaintenanceModePassword="${maintenance_mode_password_hash}"
diff --git a/deprecated/terraform/azure/R8040-R81/mds-new-vnet/main.tf b/deprecated/terraform/azure/R8040-R81/mds-new-vnet/main.tf
new file mode 100644
index 00000000..f3162e70
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/mds-new-vnet/main.tf
@@ -0,0 +1,321 @@ +//********************** Providers **************************// +provider "azurerm" { + subscription_id = var.subscription_id + client_id = var.client_id + client_secret = var.client_secret + tenant_id = var.tenant_id + + features {} +} + +//********************** Basic Configuration **************************// +module "common" { + source = "../modules/common" + resource_group_name = var.resource_group_name + location = var.location + admin_password = var.admin_password + installation_type = var.installation_type + template_name = var.template_name + template_version = var.template_version + number_of_vm_instances = 1 + allow_upload_download = var.allow_upload_download + vm_size = var.vm_size + disk_size = var.disk_size + is_blink = false + os_version = var.os_version + vm_os_sku = var.vm_os_sku + vm_os_offer = var.vm_os_offer + authentication_type = var.authentication_type + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash + storage_account_additional_ips = var.storage_account_additional_ips +} + +//********************** Networking **************************// +module "vnet" { + source = "../modules/vnet" + + vnet_name = var.vnet_name + resource_group_name = module.common.resource_group_name + location = module.common.resource_group_location + address_space = var.address_space + subnet_prefixes = [var.subnet_prefix] + subnet_names = ["${var.mds_name}-subnet"] + nsg_id = var.nsg_id == "" ? module.network-security-group[0].network_security_group_id: var.nsg_id +} + +module "network-security-group" { + source = "../modules/network-security-group" + count = var.nsg_id == "" ? 
1 : 0 + resource_group_name = module.common.resource_group_name + security_group_name = "${module.common.resource_group_name}-nsg" + location = module.common.resource_group_location + security_rules = [ + { + name = "SSH" + priority = "100" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "22" + description = "Allow inbound SSH connection" + source_address_prefix = var.management_GUI_client_network + destination_address_prefix = "*" + }, + { + name = "GAiA-portal" + priority = "110" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "443" + description = "Allow inbound HTTPS access to the GAiA portal" + source_address_prefix = var.management_GUI_client_network + destination_address_prefix = "*" + }, + { + name = "SmartConsole-1" + priority = "120" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "18190" + description = "Allow inbound access using the SmartConsole GUI client" + source_address_prefix = var.management_GUI_client_network + destination_address_prefix = "*" + }, + { + name = "SmartConsole-2" + priority = "130" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "19009" + description = "Allow inbound access using the SmartConsole GUI client" + source_address_prefix = var.management_GUI_client_network + destination_address_prefix = "*" + }, + { + name = "Logs" + priority = "140" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "257" + description = "Allow inbound logging connections from managed gateways" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + { + name = "ICA-pull" + priority = "150" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + 
destination_port_ranges = "18210" + description = "Allow security gateways to pull a SIC certificate" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + { + name = "CRL-fetch" + priority = "160" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "18264" + description = "Allow security gateways to fetch CRLs" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + { + name = "Policy-fetch" + priority = "170" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "18191" + description = "Allow security gateways to fetch policy" + source_address_prefix = "*" + destination_address_prefix = "*" + } + ] +} + +resource "azurerm_public_ip" "public-ip" { + name = var.mds_name + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + allocation_method = var.vnet_allocation_method + sku = var.sku + idle_timeout_in_minutes = 30 + domain_name_label = join("", [ + lower(var.mds_name), + "-", + random_id.randomId.hex]) +} + +resource "azurerm_network_interface_security_group_association" "security_group_association" { + depends_on = [azurerm_network_interface.nic, module.network-security-group] + network_interface_id = azurerm_network_interface.nic.id + network_security_group_id = var.nsg_id == "" ? 
module.network-security-group[0].network_security_group_id: var.nsg_id +} + +resource "azurerm_network_interface" "nic" { + depends_on = [ + azurerm_public_ip.public-ip] + name = "${var.mds_name}-eth0" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + enable_ip_forwarding = false + + ip_configuration { + name = "ipconfig1" + subnet_id = module.vnet.vnet_subnets[0] + private_ip_address_allocation = var.vnet_allocation_method + private_ip_address = cidrhost(var.subnet_prefix, 4) + public_ip_address_id = azurerm_public_ip.public-ip.id + } +} + +//********************** Storage accounts **************************// +// Generate random text for a unique storage account name +resource "random_id" "randomId" { + keepers = { + # Generate a new ID only when a new resource group is defined + resource_group = module.common.resource_group_name + } + byte_length = 8 +} +resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { + name = "bootdiag${random_id.randomId.hex}" + resource_group_name = module.common.resource_group_name + location = module.common.resource_group_location + account_tier = module.common.storage_account_tier + account_replication_type = module.common.account_replication_type + account_kind = "Storage" + network_rules { + default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow" + ip_rules = module.common.storage_account_ip_rules + } + blob_properties { + delete_retention_policy { + days = "15" + } + } + +} + +//********************** Virtual Machines **************************// +locals { + SSH_authentication_type_condition = var.authentication_type == "SSH Public Key" ? true : false + custom_image_condition = var.source_image_vhd_uri == "noCustomUri" ? false : true +} + +resource "azurerm_image" "custom-image" { + count = local.custom_image_condition ? 
1 : 0 + name = "custom-image" + location = var.location + resource_group_name = module.common.resource_group_name + + os_disk { + os_type = "Linux" + os_state = "Generalized" + blob_uri = var.source_image_vhd_uri + } +} + +resource "azurerm_virtual_machine" "mds-vm-instance" { + depends_on = [ + azurerm_network_interface.nic] + location = module.common.resource_group_location + name = var.mds_name + network_interface_ids = [ + azurerm_network_interface.nic.id] + resource_group_name = module.common.resource_group_name + vm_size = module.common.vm_size + delete_os_disk_on_termination = module.common.delete_os_disk_on_termination + primary_network_interface_id = azurerm_network_interface.nic.id + + identity { + type = module.common.vm_instance_identity + } + + dynamic "plan" { + for_each = local.custom_image_condition ? [ + ] : [1] + content { + name = module.common.vm_os_sku + publisher = module.common.publisher + product = module.common.vm_os_offer + } + } + + boot_diagnostics { + enabled = module.common.boot_diagnostics + storage_uri = module.common.boot_diagnostics ? 
join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : "" + } + + os_profile { + computer_name = var.mds_name + admin_username = module.common.admin_username + admin_password = module.common.admin_password + custom_data = templatefile("${path.module}/cloud-init.sh", { + installation_type = var.installation_type + allow_upload_download = module.common.allow_upload_download + os_version = module.common.os_version + template_name = module.common.template_name + template_version = module.common.template_version + template_type = "terraform" + is_blink = module.common.is_blink + bootstrap_script64 = base64encode(var.bootstrap_script) + location = module.common.resource_group_location + management_GUI_client_network = var.management_GUI_client_network + enable_api = var.mds_enable_api + admin_shell = var.admin_shell + sic_key = var.sic_key + primary = var.primary + secondary = var.secondary + logserver = var.logserver + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash + }) + } + + os_profile_linux_config { + disable_password_authentication = local.SSH_authentication_type_condition + + dynamic "ssh_keys" { + for_each = local.SSH_authentication_type_condition ? [ + 1] : [] + content { + path = "/home/notused/.ssh/authorized_keys" + key_data = file("${path.module}/azure_public_key") + } + } + } + + storage_image_reference { + id = local.custom_image_condition ? azurerm_image.custom-image[0].id : null + publisher = local.custom_image_condition ? null : module.common.publisher + offer = module.common.vm_os_offer + sku = module.common.vm_os_sku + version = module.common.vm_os_version + } + + storage_os_disk { + name = var.mds_name + create_option = module.common.storage_os_disk_create_option + caching = module.common.storage_os_disk_caching + managed_disk_type = module.common.storage_account_type + disk_size_gb = module.common.disk_size + } +} 
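Review bot: The `Logs`, `ICA-pull`, `CRL-fetch` and `Policy-fetch` rules in `module "network-security-group"` set `source_address_prefix = "*"`, so TCP 257, 18210, 18264 and 18191 on the MDS public IP (`azurerm_public_ip.public-ip`) are reachable from any source, whereas the SSH/GAiA/SmartConsole rules are scoped to `var.management_GUI_client_network`. Those four ports are only needed by the managed gateways, so a dedicated input (for example a `gateways_network` CIDR with `source_address_prefix = var.gateways_network`) would narrow the exposure without changing the GUI-client model. Separately, `azurerm_storage_account.vm-boot-diagnostics-storage` resolves to `default_action = "Allow"` whenever `var.add_storage_account_ip_rules` is false, which is its default in `variables.tf`; the variable description should state that the boot-diagnostics account is network-open unless the flag is enabled.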
diff --git a/deprecated/terraform/azure/R8040-R81/mds-new-vnet/terraform.tfvars b/deprecated/terraform/azure/R8040-R81/mds-new-vnet/terraform.tfvars
new file mode 100644
index 00000000..7a1045b3
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/mds-new-vnet/terraform.tfvars
@@ -0,0 +1,34 @@ +#PLEASE refer to the README.md for accepted values for the variables below +client_secret = "PLEASE ENTER CLIENT SECRET" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +client_id = "PLEASE ENTER CLIENT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +tenant_id = "PLEASE ENTER TENANT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +subscription_id = "PLEASE ENTER SUBSCRIPTION ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +source_image_vhd_uri = "PLEASE ENTER SOURCE IMAGE VHD URI OR noCustomUri" # "noCustomUri" +resource_group_name = "PLEASE ENTER RESOURCE GROUP NAME" # "checkpoint-mds-rg-terraform" +mds_name = "PLEASE ENTER MDS NAME" # "checkpoint-mds-terraform" +location = "PLEASE ENTER LOCATION" # "eastus" +vnet_name = "PLEASE ENTER VIRTUAL NETWORK NAME" # "checkpoint-mds-vnet" +address_space = "PLEASE ENTER VIRTUAL NETWORK ADDRESS SPACE" # "10.0.0.0/16" +subnet_prefix = "PLEASE ENTER ADDRESS PREFIX FOR SUBNET" # "10.0.0.0/24" +management_GUI_client_network = "PLEASE ENTER A MANAGEMENT GUI CLIENT NETWORK" # "0.0.0.0/0" +mds_enable_api = "PLEASE ENTER FOR WHOM TO ENABLE API ACCESS OR disable" # "disable" +admin_password = "PLEASE ENTER ADMIN PASSWORD" # "xxxxxxxxxxxx" +vm_size = "PLEASE ENTER VM SIZE" # "Standard_D3_v2" +disk_size = "PLEASE ENTER DISK SIZE" # "110" +vm_os_sku = "PLEASE ENTER VM SKU" # "mgmt-byol" +vm_os_offer = "PLEASE ENTER VM OFFER" # "check-point-cg-r8110" +os_version = "PLEASE ENTER GAIA OS VERSION" # "R8110" +bootstrap_script = "PLEASE ENTER CUSTOM SCRIPT OR LEAVE EMPTY DOUBLE QUOTES" # "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" +allow_upload_download = "PLEASE ENTER true or false" # true +authentication_type = "PLEASE ENTER AUTHENTICATION TYPE" # "Password" +admin_shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh" +sic_key = "PLEASE ENTER SIC KEY" # "xxxxxxxxxxxx" +installation_type = "PLEASE ENTER INSTALLATION TYPE" # "mds-primary" +primary = "PLEASE ENTER true or false" # "true" +secondary = 
"PLEASE ENTER true or false" # "false" +logserver = "PLEASE ENTER true or false" # "false" +serial_console_password_hash = "PLEASE ENTER SERIAL CONSOLE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +nsg_id = "PLEASE ENTER NETWORK SECURITY GROUP ID" # "" +add_storage_account_ip_rules = "PLEASE ENTER true or false" # false +storage_account_additional_ips = "PLEASE ENTER A LIST OF VALID IPS/CIDRS" # [] \ No newline at end of file diff --git a/deprecated/terraform/azure/R8040-R81/mds-new-vnet/variables.tf b/deprecated/terraform/azure/R8040-R81/mds-new-vnet/variables.tf new file mode 100644 index 00000000..9ce9d0ba --- /dev/null +++ b/deprecated/terraform/azure/R8040-R81/mds-new-vnet/variables.tf 
@@ -0,0 +1,278 @@ +//********************** Basic Configuration Variables **************************// +variable "mds_name" { + description = "MDS name" + type = string +} + +variable "resource_group_name" { + description = "Azure Resource Group name to build into" + type = string +} + +variable "location" { + description = "The location/region where resource will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions" + type = string +} + +//********************** Virtual Machine Instances Variables **************************// +variable "source_image_vhd_uri" { + type = string + description = "The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images." + default = "noCustomUri" +} + +variable "admin_username" { + description = "Administrator username of deployed VM. Due to Azure limitations 'notused' name can be used" + default = "notused" +} + +variable "admin_password" { + description = "Administrator password of deployed Virtual Machine. 
The password must meet the complexity requirements of Azure" + type = string +} + +variable "serial_console_password_hash" { + description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type" + type = string +} + +variable "maintenance_mode_password_hash" { + description = "Maintenance mode password hash, relevant only for R81.20 and higher versions" + type = string +} + +variable "authentication_type" { + description = "Specifies whether a password authentication or SSH Public Key authentication should be used" + type = string +} +locals { // locals for 'authentication_type' allowed values + authentication_type_allowed_values = [ + "Password", + "SSH Public Key" + ] + // will fail if [var.authentication_type] is invalid: + validate_authentication_type_value = index(local.authentication_type_allowed_values, var.authentication_type) +} +variable "template_name" { + description = "Template name. Should be defined according to deployment type(mds, ha, vmss)" + type = string + default = "mds_terraform" +} + +variable "template_version" { + description = "Template version. It is recommended to always use the latest template version" + type = string + default = "20230910" +} + +variable "installation_type" { + description = "Installaiton type" + type = string + default = "mds-primary" +} + +variable "primary" { + type = string +} + +variable "secondary" { + type = string +} + +variable "logserver" { + type = string +} + +locals { //locals for 'installation_type' + isntallation_type_allowed_values = [ + "mds-primary", + "mds-secondary", + "mds-logserver" + ] +} + +variable "vm_size" { + description = "Specifies size of Virtual Machine" + type = string +} + +variable "disk_size" { + description = "Storage data disk size size(GB). 
Select a number between 100 and 3995" + type = string +} + +variable "os_version" { + description = "GAIA OS version" + type = string +} + +locals { // locals for 'vm_os_offer' allowed values + os_version_allowed_values = [ + "R8040", + "R81", + "R8110", + "R8120" + ] + // will fail if [var.os_version] is invalid: + validate_os_version_value = index(local.os_version_allowed_values, var.os_version) +} + +variable "vm_os_sku" { + description = "The sku of the image to be deployed." + type = string +} + +variable "vm_os_offer" { + description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8040, check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" + type = string +} + +locals { // locals for 'vm_os_offer' allowed values + vm_os_offer_allowed_values = [ + "check-point-cg-r8040", + "check-point-cg-r81", + "check-point-cg-r8110", + "check-point-cg-r8120" + ] + // will fail if [var.vm_os_offer] is invalid: + validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer) +} + +variable "allow_upload_download" { + description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + type = bool +} + +variable "admin_shell" { + description = "The admin shell to configure on machine or the first time" + type = string + default = "/etc/cli.sh" +} + +locals { + admin_shell_allowed_values = [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh" + ] + // Will fail if [var.admin_shell] is invalid + validate_admin_shell_value = index(local.admin_shell_allowed_values, var.admin_shell) +} + +//********************** Networking Variables **************************// +variable "vnet_name" { + description = "Virtual Network name" + type = string +} + +variable "address_space" { + description = "The address space that is used by a Virtual Network." 
+ type = string + default = "10.0.0.0/16" +} + +variable "subnet_prefix" { + description = "Address prefix to be used for network subnet" + type = string + default = "10.0.0.0/24" +} + +variable "vnet_allocation_method" { + description = "IP address allocation method" + type = string + default = "Static" +} + +variable "management_GUI_client_network" { + description = "Allowed GUI clients - GUI clients network CIDR" + type = string + validation { + condition = can(regex("(^0\\.0\\.0\\.0\\/0$)|(^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/32)?$)", var.management_GUI_client_network)) && var.management_GUI_client_network != "0.0.0.0/32" + error_message = "Variable [management_GUI_client_network] must be a valid IPv4 network CIDR (only 0.0.0.0/0, X.X.X.X/32 or X.X.X.X are acceptable)." + } +} + +variable "mds_enable_api" { + description = "Enable api access to the management. allowed values: all, management_only, gui_clients, disable" + type = string + default = "disable" +} + +locals { + mds_enable_api_allowed_values = [ + "disable", + "all", + "management_only", + "gui_clients" + ] + // will fail if [var.mds_enable_api] is invalid: + validate_mds_enable_api_value = index(local.mds_enable_api_allowed_values, var.mds_enable_api) + + regex_valid_network_cidr = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))|$" + // Will fail if var.address_space is invalid + regex_address_space = regex(local.regex_valid_network_cidr, var.address_space) == var.address_space ? 0 : "Variable [address_space] must be a valid address in CIDR notation." + // Will fail if var.subnet_prefix is invalid + regex_subnet_prefix = regex(local.regex_valid_network_cidr, var.subnet_prefix) == var.subnet_prefix ? 0 : "Variable [subnet_prefix] must be a valid address in CIDR notation." 
+} + +variable "bootstrap_script" { + description = "An optional script to run on the initial boot" + default = "" + type = string + #example: + #"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" +} + +variable "nsg_id" { + description = "NSG ID - Optional - if empty use default NSG" + default = "" +} + +variable "add_storage_account_ip_rules" { + type = bool + default = false + description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location" +} + +variable "storage_account_additional_ips" { + type = list(string) + description = "IPs/CIDRs that are allowed access to the Storage Account" + default = [] +} + +//********************** Credentials **************************// +variable "tenant_id" { + description = "Tenant ID" + type = string +} + +variable "subscription_id" { + description = "Subscription ID" + type = string +} + +variable "client_id" { + description = "Application ID(Client ID)" + type = string +} + +variable "client_secret" { + description = "A secret string that the application uses to prove its identity when requesting a token. Also can be referred to as application password." + type = string +} + +variable "sic_key" { + description = "sic key" + type = string +} + +resource "null_resource" "sic_key_invalid" { + count = length(var.sic_key) >= 12 ? 0 : "SIC key must be at least 12 characters long" +} + +variable "sku" { + description = "SKU" + type = string + default = "Standard" +} \ No newline at end of file diff --git a/deprecated/terraform/azure/R8040-R81/mds-new-vnet/versions.tf b/deprecated/terraform/azure/R8040-R81/mds-new-vnet/versions.tf new file mode 100644 index 00000000..de940e72 --- /dev/null +++ b/deprecated/terraform/azure/R8040-R81/mds-new-vnet/versions.tf 
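Review bot: `client_secret`, `admin_password`, `sic_key`, `serial_console_password_hash` and `maintenance_mode_password_hash` are declared without `sensitive = true`, so their values are echoed in `terraform plan`/`apply` output and in any CI log that captures it; `versions.tf` pins `required_version = ">= 0.14.3"`, where the attribute is supported, so `sensitive = true` can be added to each of those `variable` blocks (the same applies to `admin_password` in `modules/common/variables.tf`). `locals { isntallation_type_allowed_values = [...] }` is defined, with a typo, but never fed to an `index(...)` check the way `validate_os_version_value` and `validate_admin_shell_value` are, so `var.installation_type` is effectively unvalidated; `validate_installation_type_value = index(local.installation_type_allowed_values, var.installation_type)` alongside the renamed list would close that gap. `template_version` also defaults to `"20230910"` while the README revision history on this page lists `20240613` as the latest entry for this template, so the default presumably needs bumping.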
@@ -0,0 +1,12 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~> 3.81.0"
+ }
+ random = {
+ version = "~> 3.5.1"
+ }
+ }
+}
diff --git a/deprecated/terraform/azure/R8040-R81/modules/add-routing-intent.py b/deprecated/terraform/azure/R8040-R81/modules/add-routing-intent.py
new file mode 100644
index 00000000..87437061
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/modules/add-routing-intent.py
@@ -0,0 +1,29 @@
+import json
+import requests
+import sys
+
+
+def perform_put_request(url, data, headers=None):
+ """
+ This function perform the PUT request to Azure in order to edit the vWAN Hub Routing-Intent
+ """
+ result = {"status": "success", "message": ""}
+ try:
+ response = requests.put(url, json=data, headers=headers)
+ result["message"] = response.text
+ except Exception as e:
+ result["status"] = "error"
+ result["message"] = f"An error occurred: {str(e)}"
+ return result
+
+
+if __name__ == "__main__":
+ """
+ This script receives url, body, and authorization token as arguments and set vWAN Hub Routing-Intent
+ """
+ api_url = sys.argv[1]
+ api_data = eval(sys.argv[2])
+ auth_token = sys.argv[3]
+ api_headers = {"Authorization": f'Bearer {auth_token}'}
+ result = perform_put_request(api_url, api_data, api_headers)
+ print(json.dumps(result))
diff --git a/deprecated/terraform/azure/R8040-R81/modules/common/main.tf b/deprecated/terraform/azure/R8040-R81/modules/common/main.tf
new file mode 100644
index 00000000..08bc5f97
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/modules/common/main.tf
@@ -0,0 +1,5 @@
+resource "azurerm_resource_group" "resource_group" {
+ name = var.resource_group_name
+ location = var.location
+}
+
diff --git a/deprecated/terraform/azure/R8040-R81/modules/common/outputs.tf b/deprecated/terraform/azure/R8040-R81/modules/common/outputs.tf
new file mode 100644
index 00000000..1d4ad2b0
--- /dev/null
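Review bot: `api_data = eval(sys.argv[2])` in `add-routing-intent.py` evaluates a command-line argument as Python code; the body is sent as JSON anyway, so `api_data = json.loads(sys.argv[2])` yields the same dict without executing whatever the caller passes. `requests.put(...)` has no `timeout`, so a stalled endpoint hangs the Terraform run indefinitely — `response = requests.put(url, json=data, headers=headers, timeout=60)`. A non-2xx reply is also reported as `"status": "success"` because only an exception flips the status; adding `response.raise_for_status()` inside the `try` before `result["message"]` is set makes the printed result reflect the API outcome. `auth_token = sys.argv[3]` additionally places the bearer token on the command line, where it is visible in process listings; reading it from an environment variable or stdin is the usual mitigation.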
+++ b/deprecated/terraform/azure/R8040-R81/modules/common/outputs.tf 
@@ -0,0 +1,130 @@ +output "resource_group_name" { + value = azurerm_resource_group.resource_group.name +} + +output "resource_group_id" { + value = azurerm_resource_group.resource_group.id +} + +output "resource_group_location" { + value = azurerm_resource_group.resource_group.location +} + +output "azurerm_resource_group_id" { + value = azurerm_resource_group.resource_group.id +} + +output "admin_username" { + value = var.admin_username +} + +output "admin_password"{ + value = var.admin_password +} + +output "vm_instance_identity" { + value = var.vm_instance_identity_type +} + +output "template_name"{ + value = var.template_name +} + +output "template_version" { + value = var.template_version +} + +output "bootstrap_script"{ + value = var.bootstrap_script +} + +output "os_version" { + value = var.os_version +} + +output "installation_type" { + value = var.installation_type +} + +output "number_of_vm_instances" { + value = var.number_of_vm_instances +} + +output "allow_upload_download" { + value = var.allow_upload_download +} + +output "is_blink" { + value = var.is_blink +} + +output "vm_size" { + value = var.vm_size +} + +output "delete_os_disk_on_termination" { + value = var.delete_os_disk_on_termination +} + +output "vm_os_offer" { + value = var.vm_os_offer +} + +output "vm_os_sku" { + value = var.vm_os_sku +} + +output "vm_os_version" { + value = var.vm_os_version +} + +output "storage_account_type" { + value = var.storage_account_type +} + +output "storage_account_tier" { + value = var.storage_account_tier +} + +output "account_replication_type" { + value = var.account_replication_type +} + +output "disk_size" { + value = var.disk_size +} + +output "publisher" { + value = var.publisher +} + +output "storage_os_disk_create_option" { + value = var.storage_os_disk_create_option +} + +output "storage_os_disk_caching" { + value = var.storage_os_disk_caching +} + +output "managed_disk_type" { + value = var.managed_disk_type +} + +output "authentication_type" { + 
value = var.authentication_type +} + +output "tags" { + value = var.tags +} + +output "boot_diagnostics" { + value = var.boot_diagnostics +} + +output "storage_account_ip_rules" { + value = local.storage_account_ip_rules +} +output "role_definition" { + value = var.role_definition +} \ No newline at end of file diff --git a/deprecated/terraform/azure/R8040-R81/modules/common/variables.tf b/deprecated/terraform/azure/R8040-R81/modules/common/variables.tf new file mode 100644 index 00000000..e768159b --- /dev/null +++ b/deprecated/terraform/azure/R8040-R81/modules/common/variables.tf 
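Review bot: `output "admin_password"` forwards the password without `sensitive = true`, so it is shown in plan/apply output of every root module that calls `modules/common`; add `sensitive = true` to that output block (and to the `admin_password` variable in `modules/common/variables.tf`, whose hunk begins in the next file section and continues past this view). `mds-new-vnet/main.tf` does consume it via `module.common.admin_password` in `os_profile`, so the output itself stays — marking both ends sensitive is the fix, not removal. The `serial_console_password_hash` and `maintenance_mode_password_hash` inputs are notably not re-exported here, which is the safer pattern to keep.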
@@ -0,0 +1,369 @@ +//************** Basic config variables**************// +variable "resource_group_name" { + description = "Azure Resource Group name to build into" + type = string +} + +variable "resource_group_id" { + description = "Azure Resource Group ID to use." + type = string + default = "" +} + +variable "location" { + description = "The location/region where resources will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions" + type = string +} +//************** Virtual machine instance variables ************** +variable "admin_username" { + description = "Administrator username of deployed VM. Due to Azure limitations 'notused' name can be used" + type = string + default = "notused" +} + +variable "admin_password" { + description = "Administrator password of deployed Virtual Machine. The password must meet the complexity requirements of Azure" + type = string +} + +variable "serial_console_password_hash" { + description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type" + type = string +} + +variable "maintenance_mode_password_hash" { + description = "Maintenance mode password hash, relevant only for R81.20 and higher versions" + type = string +} + +variable "tags" { + type = map(string) + description = "A map of the tags to use on the resources that are deployed with this module." 
+ default = {} +} + +variable "boot_diagnostics" { + type = bool + description = "Enable or Disable boot diagnostics" + default = true +} + +variable "storage_account_additional_ips" { + type = list(string) + description = "IPs/CIDRs that are allowed access to the Storage Account" + default = [] + validation { + condition = !contains(var.storage_account_additional_ips, "0.0.0.0") && can([for ip in var.storage_account_additional_ips: regex("^(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$", ip)]) + error_message = "Invalid IPv4 address." + } +} +locals { + serial_console_ips_per_location = { + "eastasia" : ["20.205.69.28", "20.195.85.180"], + "southeastasia" : ["20.205.69.28", "20.195.85.180"], + "australiacentral" : ["20.53.53.224", "20.70.222.112"], + "australiacentral2" : ["20.53.53.224", "20.70.222.112"], + "australiaeast" : ["20.53.53.224", "20.70.222.112"], + "australiasoutheast" : ["20.53.53.224", "20.70.222.112"], + "brazilsouth" : ["91.234.136.63", "20.206.0.194"], + "brazilsoutheast" : ["91.234.136.63", "20.206.0.194"], + "canadacentral" : ["52.228.86.177", "52.242.40.90"], + "canadaeast" : ["52.228.86.177", "52.242.40.90"], + "northeurope" : ["52.146.139.220", "20.105.209.72"], + "westeurope" : ["52.146.139.220", "20.105.209.72"], + "francecentral" : ["20.111.0.244", "52.136.191.10"], + "francesouth" : ["20.111.0.244", "52.136.191.10"], + "germanynorth" : ["51.116.75.88", "20.52.95.48"], + "germanywestcentral" : ["51.116.75.88", "20.52.95.48"], + "centralindia" : ["20.192.168.150", "20.192.153.104"], + "southindia" : ["20.192.168.150", "20.192.153.104"], + "westindia" : ["20.192.168.150", "20.192.153.104"], + "japaneast" : ["20.43.70.205", "20.189.228.222"], + "japanwest" : ["20.43.70.205", "20.189.228.222"], + "koreacentral" : ["20.200.196.96", "52.147.119.29"], + "koreasouth" : ["20.200.196.96", "52.147.119.29"], + "norwaywest" : 
["20.100.1.184", "51.13.138.76"], + "norwayeast" : ["20.100.1.184", "51.13.138.76"], + "switzerlandnorth" : ["20.208.4.98", "51.107.251.190"], + "switzerlandwest" : ["20.208.4.98", "51.107.251.190"], + "uaecentral" : ["20.45.95.66", "20.38.141.5"], + "uaenorth" : ["20.45.95.66", "20.38.141.5"], + "uksouth" : ["20.90.132.144", "20.58.68.62"], + "ukwest" : ["20.90.132.144", "20.58.68.62"], + "swedencentral" : ["51.12.72.223", "51.12.22.174"], + "swedensouth" : ["51.12.72.223", "51.12.22.174"], + "centralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "eastus2" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "eastus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "northcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "southcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus2" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus3" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "westus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"], + "eastus2euap" : ["20.45.242.18", "20.51.21.252"], + "centraluseuap" : ["20.45.242.18", "20.51.21.252"] + } + serial_console_ips = contains(keys(local.serial_console_ips_per_location),var.location) ? local.serial_console_ips_per_location[var.location] : [] + storage_account_ip_rules = concat(local.serial_console_ips, var.storage_account_additional_ips) +} +variable "vm_instance_identity_type" { + description = "Managed Service Identity type" + type = string + default = "SystemAssigned" +} + +variable "template_name"{ + description = "Template name. Should be defined according to deployment type(ha, vmss)" + type = string +} + +variable "template_version"{ + description = "Template name. Should be defined according to deployment type(e.g. 
ha, vmss)" + type = string +} + +variable "bootstrap_script" { + description = "An optional script to run on the initial boot" + type = string + default = "" +} + +variable "os_version"{ + description = "GAIA OS version" + type = string +} + +locals { // locals for 'os_version' allowed values + os_version_allowed_values = [ + "R8040", + "R81", + "R8110", + "R8120" + ] + // will fail if [var.installation_type] is invalid: + validate_os_version_value = index(local.os_version_allowed_values, var.os_version) +} + +variable "installation_type"{ + description = "Installation type. Allowed values: cluster, vmss" + type = string +} + +locals { // locals for 'installation_type' allowed values + installation_type_allowed_values = [ + "cluster", + "vmss", + "management", + "standalone", + "gateway", + "mds-primary", + "mds-secondary", + "mds-logserver" + ] + // will fail if [var.installation_type] is invalid: + validate_installation_type_value = index(local.installation_type_allowed_values, var.installation_type) +} + +variable "number_of_vm_instances"{ + description = "Number of VM instances to deploy" + type = string +} + +variable "allow_upload_download" { + description = "Allow upload/download to Check Point" + type = bool +} + +variable "is_blink" { + description = "Define if blink image is used for deployment" +} + +variable "vm_size" { + description = "Specifies size of Virtual Machine" + type = string +} + +locals {// locals for 'vm_size' allowed values + allowed_vm_sizes = ["Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", + "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", + "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", + "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", + "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", + "Standard_M8ms", 
"Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", + "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", + "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", + "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", + "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", + "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", + "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", + "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", + "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", "Standard_D32d_v5", + "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" + ] + // will fail if [var.vm_size] is invalid: + validate_vm_size_value = index(local.allowed_vm_sizes, var.vm_size) +} +variable "delete_os_disk_on_termination" { + type = bool + description = "Delete datadisk when VM is terminated" + default = true +} + +variable "publisher" { + description = "CheckPoint publisher" + default = "checkpoint" +} + +//************** Storage image reference and plan variables ****************// +variable "vm_os_offer" { + description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8040, check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" + type = string +} + +locals { // locals for 'vm_os_offer' allowed values + vm_os_offer_allowed_values = [ + "check-point-cg-r8040", + "check-point-cg-r81", + "check-point-cg-r8110", + "check-point-cg-r8120" + ] + // will fail if [var.vm_os_offer] is invalid: + validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer) + validate_os_version_match = 
regex(split("-", var.vm_os_offer)[3], lower(var.os_version)) +} + +variable "vm_os_sku" { + /* + Choose from: + - "sg-byol" + - "sg-ngtp" (for R80.40 and above) + - "sg-ngtx" (for R80.40 and above) + - "mgmt-byol" + - "mgmt-25" + */ + description = "The sku of the image to be deployed" + type = string +} + +locals { // locals for 'vm_os_sku' allowed values + vm_os_sku_allowed_values = [ + "sg-byol", + "sg-ngtp", + "sg-ngtx", + "mgmt-byol", + "mgmt-25" + ] + // will fail if [var.vm_os_sku] is invalid: + validate_vm_os_sku_value = index(local.vm_os_sku_allowed_values, var.vm_os_sku) +} + +variable "vm_os_version" { + description = "The version of the image that you want to deploy. " + type = string + default = "latest" +} + +variable "storage_account_type" { + description = "Defines the type of storage account to be created. Valid options is Standard_LRS, Premium_LRS" + type = string + default = "Standard_LRS" +} + +locals { // locals for 'storage_account_type' allowed values + storage_account_type_allowed_values = [ + "Standard_LRS", + "Premium_LRS" + ] + // will fail if [var.storage_account_type] is invalid: + validate_storage_account_type_value = index(local.storage_account_type_allowed_values, var.storage_account_type) +} + +variable "storage_account_tier" { + description = "Defines the Tier to use for this storage account.Valid options are Standard and Premium" + default = "Standard" +} + +locals { // locals for 'storage_account_tier' allowed values + storage_account_tier_allowed_values = [ + "Standard", + "Premium" + ] + // will fail if [var.storage_account_tier] is invalid: + validate_storage_account_tier_value = index(local.storage_account_tier_allowed_values, var.storage_account_tier) +} + +variable "account_replication_type" { + description = "Defines the type of replication to use for this storage account.Valid options are LRS, GRS, RAGRS and ZRS" + type = string + default = "LRS" +} + +locals { // locals for 'account_replication_type' allowed values + 
account_replication_type_allowed_values = [ + "LRS", + "GRS", + "RAGRS", + "ZRS" + ] + // will fail if [var.account_replication_type] is invalid: + validate_account_replication_type_value = index(local.account_replication_type_allowed_values, var.account_replication_type) +} + +variable "disk_size" { + description = "Storage data disk size size(GB). Select a number between 100 and 3995" + type = string +} + +resource "null_resource" "disk_size_validation" { + // Will fail if var.disk_size is less than 100 or more than 3995 + count = tonumber(var.disk_size) >= 100 && tonumber(var.disk_size) <= 3995 ? 0 : "variable disk_size must be a number between 100 and 3995" +} + +//************** Storage OS disk variables **************// +variable "storage_os_disk_create_option" { + description = "The method to use when creating the managed disk" + type = string + default = "FromImage" +} + +variable "storage_os_disk_caching" { + description = "Specifies the caching requirements for the OS Disk" + default = "ReadWrite" +} + +variable "managed_disk_type" { + description = "Specifies the type of managed disk to create. 
Possible values are either Standard_LRS, StandardSSD_LRS, Premium_LRS"
+ type = string
+ default = "Standard_LRS"
+}
+
+locals { // locals for 'managed_disk_type' allowed values
+ managed_disk_type_allowed_values = [
+ "Standard_LRS",
+ "Premium_LRS"
+ ]
+ // will fail if [var.managed_disk_type] is invalid:
+ validate_managed_disk_type_value = index(local.managed_disk_type_allowed_values, var.managed_disk_type)
+}
+
+variable "authentication_type" {
+ description = "Specifies whether a password authentication or SSH Public Key authentication should be used"
+ type = string
+}
+locals { // locals for 'authentication_type' allowed values
+ authentication_type_allowed_values = [
+ "Password",
+ "SSH Public Key"
+ ]
+ // will fail if [var.authentication_type] is invalid:
+ validate_authentication_type_value = index(local.authentication_type_allowed_values, var.authentication_type)
+}
+
+
+//********************** Role Assignments variables**************************//
+variable "role_definition" {
+ description = "Role definition. The full list of Azure Built-in role descriptions can be found at https://docs.microsoft.com/bs-latn-ba/azure/role-based-access-control/built-in-roles"
+ type = string
+ default = "Contributor"
+}
\ No newline at end of file
diff --git a/deprecated/terraform/azure/R8040-R81/modules/common/versions.tf b/deprecated/terraform/azure/R8040-R81/modules/common/versions.tf
new file mode 100644
index 00000000..0ec4dcca
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/modules/common/versions.tf
@@ -0,0 +1,3 @@
+terraform {
+ required_version = ">= 0.14.3"
+}
\ No newline at end of file
diff --git a/deprecated/terraform/azure/R8040-R81/modules/network-security-group/main.tf b/deprecated/terraform/azure/R8040-R81/modules/network-security-group/main.tf
new file mode 100644
index 00000000..1beeaf14
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/modules/network-security-group/main.tf
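Review bot: `admin_password`, `serial_console_password_hash` and `maintenance_mode_password_hash` are declared as plain `string` variables without `sensitive = true`, so Terraform does not redact them in plan output or in the outputs that re-export them; with `required_version = ">= 0.14.3"` each of the three declarations can take the line `sensitive = true`. The `storage_account_additional_ips` validation accepts only bare IPv4 addresses (the regex is anchored on four octets with no prefix-length part) while the description promises "IPs/CIDRs", so a `/24` entry is rejected and either the regex or the description should change. `managed_disk_type`'s description lists `StandardSSD_LRS`, but `managed_disk_type_allowed_values` holds only `Standard_LRS` and `Premium_LRS`, so that documented value fails with an unexplained invalid-index error. Since this file already uses a `validation` block with an `error_message` for `storage_account_additional_ips`, the `locals { validate_* = index(...) }` pattern used here (and in the vnet module's variables.tf hunk) could use the same construct so a rejected value is named in the error.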
@@ -0,0 +1,23 @@
+resource "azurerm_network_security_group" "nsg" {
+ name = var.security_group_name
+ location = var.location
+ resource_group_name = var.resource_group_name
+ tags = var.tags
+ }
+
+//************ Security Rule Example **************//
+resource "azurerm_network_security_rule" "security_rule" {
+ count = length(var.security_rules)
+ name = lookup(var.security_rules[count.index], "name")
+ priority = lookup(var.security_rules[count.index], "priority", 4096 - length(var.security_rules) + count.index)
+ direction = lookup(var.security_rules[count.index], "direction")
+ access = lookup(var.security_rules[count.index], "access")
+ protocol = lookup(var.security_rules[count.index], "protocol")
+ source_port_range = lookup(var.security_rules[count.index], "source_port_ranges")
+ destination_port_range = lookup(var.security_rules[count.index], "destination_port_ranges")
+ description = lookup(var.security_rules[count.index], "description")
+ source_address_prefix = lookup(var.security_rules[count.index], "source_address_prefix")
+ destination_address_prefix = lookup(var.security_rules[count.index], "destination_address_prefix")
+ resource_group_name = var.resource_group_name
+ network_security_group_name = azurerm_network_security_group.nsg.name
+}
diff --git a/deprecated/terraform/azure/R8040-R81/modules/network-security-group/output.tf b/deprecated/terraform/azure/R8040-R81/modules/network-security-group/output.tf
new file mode 100644
index 00000000..c1aa127d
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/modules/network-security-group/output.tf
@@ -0,0 +1,7 @@
+output "network_security_group_id" {
+ value = azurerm_network_security_group.nsg.id
+}
+
+output "network_security_group_name" {
+ value = azurerm_network_security_group.nsg.name
+}
\ No newline at end of file
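Review bot: `source_address_prefix` and `destination_address_prefix` in the `security_rule` resource come from per-rule `lookup` calls with no default, while `var.source_address_prefix` and `var.destination_address_prefix` — declared in the network-security-group/variables.tf hunk as prefixes "to be applied to all rules" — are never referenced, so a caller who sets them to narrow the rules gets no effect and the variables' description is misleading. Either pass them as the `lookup` default, e.g. `source_address_prefix = lookup(var.security_rules[count.index], "source_address_prefix", var.source_address_prefix[0])`, or drop the two variables. `source_port_range`/`destination_port_range` are read from keys named `source_port_ranges`/`destination_port_ranges`, which does not match the singular `source_port_range`/`destination_port_range` the `security_rules` description documents, so a rule written to the documented format would fail with a missing-key error. The comment `//************ Security Rule Example **************//` labels a real resource as an example and could read `// one azurerm_network_security_rule per entry in var.security_rules`.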
diff --git a/deprecated/terraform/azure/R8040-R81/modules/network-security-group/variables.tf b/deprecated/terraform/azure/R8040-R81/modules/network-security-group/variables.tf
new file mode 100644
index 00000000..363489e3
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/modules/network-security-group/variables.tf
@@ -0,0 +1,43 @@
+variable "resource_group_name" {
+ description = "Azure Resource Group name to build into"
+ type = string
+}
+
+variable "location" {
+ type = string
+ description = "The location/region where Network Security Group will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions"
+}
+
+variable "security_group_name" {
+ description = "Network Security Group name"
+ default = "nsg"
+}
+
+variable "tags" {
+ description = "The tags to associate with Network Security Group"
+ type = map(string)
+ default = {}
+}
+
+# Security Rules definition
+
+variable "security_rules" {
+ description = "Security rules for the Network Security Group using this format name = [priority, direction, access, protocol, source_port_range, destination_port_range, source_address_prefix, destination_address_prefix, description]"
+ type = list(any)
+ default = []
+}
+
+variable "source_address_prefix" {
+ description = "Source address prefix to be applied to all rules"
+ type = list(string)
+ default = ["*"]
+ # Example ["10.0.3.0/24"] or ["VirtualNetwork"]
+}
+
+variable "destination_address_prefix" {
+ description = "Destination address prefix to be applied to all rules"
+ type = list(string)
+ default = ["*"]
+ # Example ["10.0.3.0/32","10.0.3.128/32"] or ["VirtualNetwork"]
+}
+
diff --git a/deprecated/terraform/azure/R8040-R81/modules/network-security-group/versions.tf b/deprecated/terraform/azure/R8040-R81/modules/network-security-group/versions.tf
new file mode 100644
index 00000000..0ec4dcca
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/modules/network-security-group/versions.tf
@@ -0,0 +1,3 @@
+terraform {
+ required_version = ">= 0.14.3"
+}
\ No newline at end of file
diff --git a/deprecated/terraform/azure/R8040-R81/modules/vnet/main.tf b/deprecated/terraform/azure/R8040-R81/modules/vnet/main.tf
new file mode 100644
index 00000000..2c67fc4f
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/modules/vnet/main.tf
@@ -0,0 +1,80 @@
+resource "azurerm_virtual_network" "vnet" {
+ name = var.vnet_name
+ location = var.location
+ address_space = [var.address_space]
+ resource_group_name = var.resource_group_name
+ dns_servers = var.dns_servers
+ tags = var.tags
+}
+
+resource "azurerm_subnet" "subnet" {
+ depends_on = [azurerm_virtual_network.vnet]
+ count = length(var.subnet_names)
+ name = var.subnet_names[count.index]
+ virtual_network_name = azurerm_virtual_network.vnet.name
+ resource_group_name = var.resource_group_name
+ address_prefixes = [var.subnet_prefixes[count.index]]
+}
+
+resource "azurerm_subnet_network_security_group_association" "security_group_frontend_association" {
+ depends_on = [azurerm_virtual_network.vnet, azurerm_subnet.subnet[0]]
+ subnet_id = azurerm_subnet.subnet[0].id
+ network_security_group_id = var.nsg_id
+}
+resource "azurerm_subnet_network_security_group_association" "security_group_backend_association" {
+ count = length(var.subnet_names) >= 2 ? 1 : 0
+ depends_on = [azurerm_virtual_network.vnet, azurerm_subnet.subnet[1]]
+ subnet_id = azurerm_subnet.subnet[1].id
+ network_security_group_id = var.nsg_id
+}
+
+locals { // locals for 'next_hop_type' allowed values
+ next_hop_type_allowed_values = [
+ "VirtualNetworkGateway",
+ "VnetLocal",
+ "Internet",
+ "VirtualAppliance",
+ "None"
+ ]
+}
+
+resource "azurerm_route_table" "frontend" {
+ name = azurerm_subnet.subnet[0].name
+ location = var.location
+ resource_group_name = var.resource_group_name
+
+ route {
+ name = "Local-Subnet"
+ address_prefix = azurerm_subnet.subnet[0].address_prefixes[0]
+ next_hop_type = local.next_hop_type_allowed_values[1]
+ }
+ route {
+ name = "To-Internal"
+ address_prefix = var.address_space
+ next_hop_type = local.next_hop_type_allowed_values[4]
+ }
+}
+
+resource "azurerm_subnet_route_table_association" "frontend_association" {
+ subnet_id = azurerm_subnet.subnet[0].id
+ route_table_id = azurerm_route_table.frontend.id
+}
+
+resource "azurerm_route_table" "backend" {
+ count = length(var.subnet_names) >= 2 ? 1 : 0
+ name = azurerm_subnet.subnet[1].name
+ location = var.location
+ resource_group_name = var.resource_group_name
+
+ route {
+ name = "To-Internet"
+ address_prefix = "0.0.0.0/0"
+ next_hop_type = local.next_hop_type_allowed_values[4]
+ }
+}
+
+resource "azurerm_subnet_route_table_association" "backend_association" {
+ count = length(var.subnet_names) >= 2 ? 1 : 0
+ subnet_id = azurerm_subnet.subnet[1].id
+ route_table_id = azurerm_route_table.backend[count.index].id
+}
diff --git a/deprecated/terraform/azure/R8040-R81/modules/vnet/outputs.tf b/deprecated/terraform/azure/R8040-R81/modules/vnet/outputs.tf
new file mode 100644
index 00000000..9dc8e206
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/modules/vnet/outputs.tf
@@ -0,0 +1,27 @@
+output "vnet_id" {
+ value = azurerm_virtual_network.vnet.id
+}
+
+output "vnet_name" {
+ value = azurerm_virtual_network.vnet.name
+}
+
+output "vnet_location" {
+ value = azurerm_virtual_network.vnet.location
+}
+
+output "vnet_address_space" {
+ value = azurerm_virtual_network.vnet.address_space
+}
+
+output "vnet_subnets" {
+ value = azurerm_subnet.subnet.*.id
+}
+
+output "subnet_prefixes" {
+ value = var.subnet_prefixes
+}
+
+output "allocation_method" {
+ value = var.allocation_method
+}
\ No newline at end of file
diff --git a/deprecated/terraform/azure/R8040-R81/modules/vnet/variables.tf b/deprecated/terraform/azure/R8040-R81/modules/vnet/variables.tf
new file mode 100644
index 00000000..1f64d28e
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/modules/vnet/variables.tf
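Review bot: the route tables pick `next_hop_type` by position in `local.next_hop_type_allowed_values`, so a reader has to count the list to learn that `frontend`'s "To-Internal" route and `backend`'s "To-Internet" default route both blackhole traffic (`[4]` is `"None"`) and that `[1]` is `"VnetLocal"`; writing the literals, `next_hop_type = "None"` and `next_hop_type = "VnetLocal"`, states the intent directly, and the list is not used for validation anywhere in this hunk. A comment on each `"None"` route saying why that prefix is intentionally dropped would make the deliberate blackhole visible to whoever later audits the effective routes. `security_group_frontend_association` and `azurerm_route_table.frontend` reference `azurerm_subnet.subnet[0]` unconditionally while the subnet resource is `count`-driven, so an empty `subnet_names` list fails at plan time; the backend resources already guard with `length(var.subnet_names) >= 2 ? 1 : 0`, and the frontend ones could guard with `>= 1` for consistency.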
@@ -0,0 +1,63 @@
+variable "vnet_name" {
+ description = "Name of Virtual Network"
+ type = string
+ default = "vnet01"
+}
+
+variable "resource_group_name" {
+ description = "Azure Resource Group name to build into"
+ type = string
+}
+
+variable "location" {
+ description = "The location/region where the core network will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions"
+ type = string
+}
+
+variable "address_space" {
+ description = "The address prefixes of the virtual network"
+ type = string
+ default = "10.0.0.0/16"
+}
+
+variable "dns_servers" {
+ description = " DNS servers to be used with a Virtual Network. If no values specified, this defaults to Azure DNS"
+ type = list(string)
+ default = []
+}
+
+variable "subnet_prefixes" {
+ description = "The address prefixes to be used for subnets"
+ type = list(string)
+ default = ["10.0.0.0/24","10.0.1.0/24"]
+}
+
+variable "subnet_names" {
+ description = "A list of subnet names in a Virtual Network"
+ type = list(string)
+ default = ["Frontend","Backend"]
+}
+
+variable "tags" {
+ description = "Tags to be associated with Virtual Network and subnets"
+ type = map(string)
+ default = {}
+}
+variable "nsg_id" {
+ description = "Network security group to be associated with a Virtual Network and subnets"
+ type = string
+}
+
+variable "allocation_method" {
+ description = "IP address allocation method"
+ type = string
+ default = "Static"
+}
+
+locals { // locals for 'allocation_method' allowed values
+ allocation_method_allowed_values = [
+ "Static"
+ ]
+ // will fail if [var.allocation_method] is invalid:
+ validate_method_allowed_value = index(local.allocation_method_allowed_values, var.allocation_method)
+}
\ No newline at end of file
diff --git a/deprecated/terraform/azure/R8040-R81/modules/vnet/versions.tf b/deprecated/terraform/azure/R8040-R81/modules/vnet/versions.tf
new file mode 100644
index 00000000..0ec4dcca
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/modules/vnet/versions.tf @@ -0,0 +1,3 @@ +terraform { + required_version = ">= 0.14.3" +} \ No newline at end of file diff --git a/deprecated/terraform/azure/R8040-R81/nva-into-existing-hub/README.md b/deprecated/terraform/azure/R8040-R81/nva-into-existing-hub/README.md new file mode 100644 index 00000000..a2765298 --- /dev/null +++ b/deprecated/terraform/azure/R8040-R81/nva-into-existing-hub/README.md @@ -0,0 +1,172 @@ +# Check Point CloudGuard Network Security Virtual WAN Terraform deployment for Azure + +This Terraform module deploys Check Point CloudGuard Network Security Virtual WAN NVA solution into an existing vWAN Hub in Azure. +As part of the deployment the following resources are created: +- Resource groups +- Azure Managed Application: + - NVA + - Managed identity + +For additional information, +please see the [CloudGuard Network for Azure Virtual WAN Deployment Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_Azure_vWAN/Default.htm) + +## Configurations +- Install and configure Terraform to provision Azure resources: [Configure Terraform for Azure](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/terraform-install-configure). +- In order to configure hub routing-intent policies it is **required** to have Python and 'requests' library installed. + +## Usage +- Choose the preferred login method to Azure in order to deploy the solution: +
1. Using Service Principal: + - Create a [Service Principal](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal) (or use the existing one) + - Grant the Service Principal at least "**Contributor**" permissions to the Azure subscription
+ - The Service Principal credentials can be stored either in the terraform.tfvars or as [Environment Variables](https://www.terraform.io/docs/providers/azuread/guides/service_principal_client_secret.html)
+ + In case the Environment Variables are used, perform modifications described below:
+ + a. The next lines in the versions.tf file, in the provider azurerm resource, need to be deleted or commented: + + provider "azurerm" { + + // subscription_id = var.subscription_id + // client_id = var.client_id + // client_secret = var.client_secret + // tenant_id = var.tenant_id + + features {} + } + + b. In the terraform.tfvars file leave empty double quotes for client_secret, client_id , tenant_id and subscription_id variables: + + client_secret = "" + client_id = "" + tenant_id = "" + subscription_id = "" + +
2. Using **az** commands from a command-line: + - Run **az login** command + - Sign in with your account credentials in the browser + - In the terraform.tfvars file leave empty double quotes for client_secret, client_id and tenant_id variables. + +- Fill all variables in the /terraform/azure/nva-into-existing-hub/terraform.tfvars file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + + terraform init +- Create an execution plan: + + terraform plan +- Create or modify the deployment: + + terraform apply + +### terraform.tfvars variables: + | Name | Description | Type | Allowed values | Default | + |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- | ------------- | + | **authentication_method** | The authentication method used to deploy the solution | string | "Service Principal";
"Azure CLI"; | n/a + | | + | **client_secret** | The client secret value of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **client_id** | The client ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | | n/a + | | | | | | + | **resource-group-name** | The name of the resource group that will contain the managed application | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period| "tf-managed-app-resource-group" | + | | | | | | + | **location** | The region where the resources will be deployed at | string | The full list of supported Azure regions can be found at https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-locations-partners#locations | "westcentralus" | + | | | | | | + | **vwan-hub-name** | The name of the virtual WAN hub that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | n/a | + | | | | | | + | **vwan-hub-resource-group** | The virtual WAN hub resource group name | string | | n/a | + | | | | | | + | **managed-app-name** | The name of the managed application that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | "tf-vwan-managed-app-nva" | + | | | | | | + | **nva-name** | The name of the NVA that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | "tf-vwan-nva" | + | | | | | 
| + | **nva-rg-name** | The name of the resource group that will contain the NVA | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | "tf-vwan-nva-rg"| + | | | | | | + | **os-version** | The GAIA os version | string | "R8110"
"R8120" | "R8120" | + | | | | | | + | **license-type** | The Check Point licence type | string | "Security Enforcement (NGTP)"
"Full Package (NGTX + S1C)"
"Full Package Premium (NGTX + S1C++)" | "Security Enforcement (NGTP)" | + | | | | | | | | | | + | **scale-unit** | The scale unit determines the size and number of resources deployed. The higher the scale unit, the greater the amount of traffic that can be handled. | string | "2"
"4"
"10"
"20"
"30"
"60"
"80"
| "2" | + | | | | | | + | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | "" + | | | | | | | | | | + | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | "/etc/cli.sh" | + | | | | | | + | **sic-key** | The Secure Internal Communication one time secret used to set up trust between the gateway object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | n/a | + | | | | | | + | **ssh-public-key** | The public ssh key used for ssh connection to the NVA GW instances | string | ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx generated-by-azure; | n/a | | string | gateway;
standalone; | + | | | | | | + | **bgp-asn** | The BGP autonomous system number | string | 64512 | "64512" || + | | | | | | + | **custom-metrics** | Indicates whether CloudGuard Metrics will be use for gateway monitoring | string | yes;
no; | "yes" | + | | | | | | + | **routing-intent-internet-traffic** | Set routing intent policy to allow internet traffic through the new nva | string | yes;
no;
Please verify routing-intent is configured successfully post-deployment | "yes" | + | | | | | | + | **routing-intent-private-traffic** | Set routing intent policy to allow private traffic through the new nva | string | yes;
no;
Please verify routing-intent is configured successfully post-deployment | "yes" | + | | | | | | + | **smart1-cloud-token-a** | Smart-1 Cloud token to connect automatically ***NVA instance a*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a | | + | | | | | | + | **smart1-cloud-token-b** | Smart-1 Cloud token to connect automatically ***NVA instance b*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a | | + | | | | | | + | **smart1-cloud-token-c** | Smart-1 Cloud token to connect automatically ***NVA instance c*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a | | + | | | | | | + | **smart1-cloud-token-d** | Smart-1 Cloud token to connect automatically ***NVA instance d*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a | | + | | | | | | + | **smart1-cloud-token-e** | Smart-1 Cloud token to connect automatically ***NVA instance e*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a | | + | | + +## Conditional creation +- To enable CloudGuard metrics in order to send statuses and statistics collected from the gateway instance to the Azure Monitor service: + ``` + custom-metrics = yes + ``` + +## Example + authentication_method = "Service Principal" + client_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + client_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + tenant_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + subscription_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + resource-group-name = "tf-managed-app-resource-group" + location = "westcentralus" + vwan-hub-name = "tf-vwan-hub" + vwan-hub-resource-group = "tf-vwan-hub-rg" + managed-app-name = "tf-vwan-managed-app-nva" + nva-rg-name = "tf-vwan-nva-rg" + nva-name = "tf-vwan-nva" + os-version = "R8120" + license-type = "Security Enforcement (NGTP)" + scale-unit = "2" + bootstrap-script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" + admin-shell = "/etc/cli.sh" + sic-key = "xxxxxxxxxxxx" + ssh-public-key = "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" + bgp-asn = "64512" + custom-metrics = "yes" + routing-intent-internet-traffic = "yes" + routing-intent-private-traffic = "yes" + smart1-cloud-token-a = "" + smart1-cloud-token-b = "" + smart1-cloud-token-c = "" + smart1-cloud-token-d = "" + smart1-cloud-token-e = "" + existing-public-ip = "" + new-public-ip = "yes" + +## Revision History +In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|-------------------| +| 20240613 | Cosmetic 
fixes & default values | +| 20240228 | Added public IP for ingress support | | | +| 20231226 | First release of Check Point CloudGuard Network Security Virtual WAN Terraform deployment for Azure | | + + +## License + +See the [LICENSE](../../LICENSE) file for details + diff --git a/deprecated/terraform/azure/R8040-R81/nva-into-existing-hub/main.tf b/deprecated/terraform/azure/R8040-R81/nva-into-existing-hub/main.tf new file mode 100644 index 00000000..5987c76b --- /dev/null +++ b/deprecated/terraform/azure/R8040-R81/nva-into-existing-hub/main.tf 
@@ -0,0 +1,195 @@
+//********************** Basic Configuration **************************//
+resource "azurerm_resource_group" "managed-app-rg" {
+ name = var.resource-group-name
+ location = var.location
+}
+
+data "azurerm_virtual_hub" "vwan-hub" {
+ name = var.vwan-hub-name
+ resource_group_name = var.vwan-hub-resource-group
+}
+
+//********************** Image Version **************************//
+
+data "external" "az_access_token" {
+ count = var.authentication_method == "Azure CLI" ? 1 : 0
+ program = ["az", "account", "get-access-token", "--resource=https://management.azure.com", "--query={accessToken: accessToken}", "--output=json"]
+}
+
+data "http" "azure_auth" {
+ count = var.authentication_method == "Service Principal" ? 1 : 0
+ url = "https://login.microsoftonline.com/${var.tenant_id}/oauth2/v2.0/token"
+ method = "POST"
+ request_headers = {
+ "Content-Type" = "application/x-www-form-urlencoded"
+ }
+ request_body = "grant_type=client_credentials&client_id=${var.client_id}&client_secret=${var.client_secret}&scope=https://management.azure.com/.default"
+}
+
+locals {
+ access_token = var.authentication_method == "Service Principal" ? jsondecode(data.http.azure_auth[0].response_body).access_token : data.external.az_access_token[0].result.accessToken
+}
+
+data "http" "image-versions" {
+ method = "GET"
+ url = "https://management.azure.com/subscriptions/${var.subscription_id}/providers/Microsoft.Network/networkVirtualApplianceSKUs/checkpoint${var.license-type == "Full Package (NGTX + S1C)" ? "-ngtx" : var.license-type == "Full Package Premium (NGTX + S1C++)" ? "-premium" : ""}?api-version=2020-05-01"
+ request_headers = {
+ Accept = "application/json"
+ "Authorization" = "Bearer ${local.access_token}"
+ }
+}
+
+locals {
+ image_versions = tolist([for version in jsondecode(data.http.image-versions.response_body).properties.availableVersions : version if substr(version, 0, 4) == substr(lower(var.os-version), 1, 4)])
+ routing_intent-internet-policy = {
+ "name": "InternetTraffic",
+ "destinations": [
+ "Internet"
+ ],
+ "nextHop": "/subscriptions/${var.subscription_id}/resourcegroups/${var.nva-rg-name}/providers/Microsoft.Network/networkVirtualAppliances/${var.nva-name}"
+ }
+ routing_intent-private-policy = {
+ "name": "PrivateTrafficPolicy",
+ "destinations": [
+ "PrivateTraffic"
+ ],
+ "nextHop": "/subscriptions/${var.subscription_id}/resourcegroups/${var.nva-rg-name}/providers/Microsoft.Network/networkVirtualAppliances/${var.nva-name}"
+ }
+ routing-intent-policies = var.routing-intent-internet-traffic == "yes" ? (var.routing-intent-private-traffic == "yes" ? tolist([local.routing_intent-internet-policy, local.routing_intent-private-policy]) : tolist([local.routing_intent-internet-policy])) : (var.routing-intent-private-traffic == "yes" ? tolist([local.routing_intent-private-policy]) : [])
+ req_body = jsonencode({"properties": {"routingPolicies": local.routing-intent-policies}})
+ req_url = "https://management.azure.com/subscriptions/${var.subscription_id}/resourceGroups/${var.vwan-hub-resource-group}/providers/Microsoft.Network/virtualHubs/${var.vwan-hub-name}/routingIntent/hubRoutingIntent?api-version=2022-01-01"
+}
+
+//********************** Marketplace Terms & Solution Registration **************************//
+data "http" "accept-marketplace-terms-existing-agreement" {
+ method = "GET"
+ url = "https://management.azure.com/subscriptions/${var.subscription_id}/providers/Microsoft.MarketplaceOrdering/agreements/checkpoint/offers/cp-vwan-managed-app/plans/vwan-app?api-version=2021-01-01"
+ request_headers = {
+ Accept = "application/json"
+ "Authorization" = "Bearer ${local.access_token}"
+ }
+}
+
+resource "azurerm_marketplace_agreement" "accept-marketplace-terms" {
+ count = can(jsondecode(data.http.accept-marketplace-terms-existing-agreement.response_body).id) ? (jsondecode(data.http.accept-marketplace-terms-existing-agreement.response_body).properties.state == "Active" ? 0 : 1) : 1
+ publisher = "checkpoint"
+ offer = "cp-vwan-managed-app"
+ plan = "vwan-app"
+}
+
+data "http" "azurerm_resource_provider_registration-exist" {
+ method = "GET"
+ url = "https://management.azure.com/subscriptions/${var.subscription_id}/providers/Microsoft.Solutions?api-version=2021-01-01"
+ request_headers = {
+ Accept = "application/json"
+ "Authorization" = "Bearer ${local.access_token}"
+ }
+}
+
+resource "azurerm_resource_provider_registration" "solutions" {
+ count = jsondecode(data.http.azurerm_resource_provider_registration-exist.response_body).registrationState == "Registered" ? 0 : 1
+ name = "Microsoft.Solutions"
+}
+
+
+//********************** Managed Application Configuration **************************//
+resource "azurerm_managed_application" "nva" {
+ depends_on = [azurerm_marketplace_agreement.accept-marketplace-terms, azurerm_resource_provider_registration.solutions]
+ name = var.managed-app-name
+ location = azurerm_resource_group.managed-app-rg.location
+ resource_group_name = azurerm_resource_group.managed-app-rg.name
+ kind = "MarketPlace"
+ managed_resource_group_name = var.nva-rg-name
+
+ plan {
+ name = "vwan-app"
+ product = "cp-vwan-managed-app"
+ publisher = "checkpoint"
+ version = "1.0.14"
+ }
+ parameter_values = jsonencode({
+ location = {
+ value = azurerm_resource_group.managed-app-rg.location
+ },
+ hubId = {
+ value = data.azurerm_virtual_hub.vwan-hub.id
+ },
+ osVersion = {
+ value = var.os-version
+ },
+ LicenseType = {
+ value = var.license-type
+ },
+ imageVersion = {
+ value = element(local.image_versions, length(local.image_versions) -1)
+ },
+ scaleUnit = {
+ value = var.scale-unit
+ },
+ bootstrapScript = {
+ value = var.bootstrap-script
+ },
+ adminShell = {
+ value = var.admin-shell
+ },
+ sicKey = {
+ value = var.sic-key
+ },
+ sshPublicKey = {
+ value = var.ssh-public-key
+ },
+ BGP = {
+ value = var.bgp-asn
+ },
+ NVA = {
+ value = var.nva-name
+ },
+ customMetrics = {
+ value = var.custom-metrics
+ },
+ hubASN = {
+ value = data.azurerm_virtual_hub.vwan-hub.virtual_router_asn
+ },
+ hubPeers = {
+ value = data.azurerm_virtual_hub.vwan-hub.virtual_router_ips
+ },
+ smart1CloudTokenA = {
+ value = var.smart1-cloud-token-a
+ },
+ smart1CloudTokenB = {
+ value = var.smart1-cloud-token-b
+ },
+ smart1CloudTokenC = {
+ value = var.smart1-cloud-token-c
+ },
+ smart1CloudTokenD = {
+ value = var.smart1-cloud-token-d
+ },
+ smart1CloudTokenE = {
+ value = var.smart1-cloud-token-e
+ },
+ publicIPIngress = {
+ value = (var.new-public-ip == "yes" || length(var.existing-public-ip) > 0) ? "yes" : "no"
+ },
+ createNewIPIngress = {
+ value = var.new-public-ip
+ }
+ ipIngressExistingResourceId = {
+ value = var.existing-public-ip
+ }
+ })
+}
+
+//********************** Routing Intent **************************//
+
+
+data "external" "update-routing-intent" {
+ count = length(local.routing-intent-policies) != 0 ? 1 : 0
+ depends_on = [azurerm_managed_application.nva]
+ program = ["python", "../modules/add-routing-intent.py", "${local.req_url}", "${local.req_body}", "${local.access_token}"]
+}
+
+output "api_request_result" {
+ value = length(local.routing-intent-policies) != 0 ? data.external.update-routing-intent[0].result : {routing-intent: "not changed"}
+}
+
diff --git a/deprecated/terraform/azure/R8040-R81/nva-into-existing-hub/terraform.tfvars b/deprecated/terraform/azure/R8040-R81/nva-into-existing-hub/terraform.tfvars
new file mode 100644
index 00000000..268fb4c1
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/nva-into-existing-hub/terraform.tfvars
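Review bot: `data "external" "update-routing-intent"` hands the bearer token to the helper as a process argument (`program = ["python", "../modules/add-routing-intent.py", "${local.req_url}", "${local.req_body}", "${local.access_token}"]`), so on a typical host it is readable by other local users through the process list and is written unredacted into plan output and state. Pass it on stdin instead with `query = { url = local.req_url, body = local.req_body, token = local.access_token }` (the script, which is outside this hunk, would then read the JSON object from stdin) and declare the local as `access_token = sensitive(...)` so Terraform redacts it wherever it is interpolated; `data.http.azure_auth` also keeps the full token response in state, so the state backend has to be treated as holding credentials. Separately, `element(local.image_versions, length(local.image_versions) -1)` fails with an opaque error when no SKU version matches `os-version`; a `lifecycle { precondition { condition = length(local.image_versions) > 0 ... } }` on `azurerm_managed_application.nva` would report that clearly. The `nva-into-new-vwan/main.tf` hunk later in this patch repeats the same auth and image-version blocks.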
@@ -0,0 +1,31 @@
+#PLEASE refer to the README.md for accepted values for the variables below
+authentication_method = "PLEASE ENTER AUTHENTICATION METHOD" # "Service Principal"
+client_secret = "PLEASE ENTER CLIENT SECRET" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+client_id = "PLEASE ENTER CLIENT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+tenant_id = "PLEASE ENTER TENANT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+subscription_id = "PLEASE ENTER SUBSCRIPTION ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+resource-group-name = "PLEASE ENTER RESOURCE GROUP NAME" # "tf-managed-app-resource-group"
+location = "PLEASE ENTER LOCATION" # "westcentralus"
+vwan-hub-name = "PLEASE ENTER VWAN HUB NAME" # "tf-vwan-hub"
+vwan-hub-resource-group = "PLEASE ENTER VWAN HUB RESOURCE GROUP" # "tf-vwan-hub-rg"
+managed-app-name = "PLEASE ENTER MANAGED APPLICATION NAME" # "tf-vwan-managed-app-nva"
+nva-rg-name = "PLEASE ENTER NVA RESOURCE GROUP NAME" # "tf-vwan-nva-rg"
+nva-name = "PLEASE ENTER NVA NAME" # "tf-vwan-nva"
+os-version = "PLEASE ENTER GAIA OS VERSION" # "R8120"
+license-type = "PLEASE ENTER LICENSE TYPE" # "Security Enforcement (NGTP)"
+scale-unit = "PLEASE ENTER SCALE UNIT" # "2"
+bootstrap-script = "PLEASE ENTER CUSTOM SCRIPT OR LEAVE EMPTY DOUBLE QUOTES" # "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
+admin-shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh"
+sic-key = "PLEASE ENTER SIC KEY" # "xxxxxxxxxx"
+ssh-public-key = "PLEASE ENTER SSH PUBLIC KEY" # "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key"
+bgp-asn = "PLEASE ENTER BGP AUTONOMOUS SYSTEM NUMBER" # "64512"
+custom-metrics = "PLEASE ENTER yes or no" # "yes"
+routing-intent-internet-traffic = "PLEASE ENTER yes or no" # "yes"
+routing-intent-private-traffic = "PLEASE ENTER yes or no" # "yes"
+smart1-cloud-token-a = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL FOR INSTANCE A OR LEAVE EMPTY DOUBLE QUOTES" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+smart1-cloud-token-b = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL FOR INSTANCE B OR LEAVE EMPTY DOUBLE QUOTES" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+smart1-cloud-token-c = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL FOR INSTANCE C OR LEAVE EMPTY DOUBLE QUOTES" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+smart1-cloud-token-d = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL FOR INSTANCE D OR LEAVE EMPTY DOUBLE QUOTES" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+smart1-cloud-token-e = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL FOR INSTANCE E OR LEAVE EMPTY DOUBLE QUOTES" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+existing-public-ip = "PLEASE ENTER THE RESOURCE ID OF A PUBLIC IP RESOURCE OR LEAVE EMPTY DOUBLE QUOTES" # "/subscription/123/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pip1"
+new-public-ip = "PLEASE ENTER yes or no" # "no"
\ No newline at end of file
diff --git a/deprecated/terraform/azure/R8040-R81/nva-into-existing-hub/variables.tf b/deprecated/terraform/azure/R8040-R81/nva-into-existing-hub/variables.tf
new file mode 100644
index 00000000..d00283d4
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/nva-into-existing-hub/variables.tf
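Review bot: The `sic-key` example comment shows a 10-character placeholder (`# "xxxxxxxxxx"`), but variables.tf in this same patch validates `^[a-z0-9A-Z]{12,30}$`, so a user who mirrors the sample length gets a validation failure; make the sample at least 12 characters. This file is where `client_secret` and the Smart-1 Cloud tokens are meant to be filled in, so unless `.gitignore` already excludes `terraform.tfvars`, a header comment pointing to the `TF_VAR_<name>` environment-variable alternative (which the README's Service Principal section describes) would reduce the chance of a populated copy being committed.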
@@ -0,0 +1,198 @@
+variable "authentication_method" {
+ description = "Azure authentication method"
+ type = string
+ validation {
+ condition = contains(["Azure CLI", "Service Principal"], var.authentication_method)
+ error_message = "Valid values for authentication_method are 'Azure CLI','Service Principal'"
+ }
+}
+
+variable "subscription_id" {
+ description = "Subscription ID"
+ type = string
+}
+
+variable "tenant_id" {
+ description = "Tenant ID"
+ type = string
+}
+
+variable "client_id" {
+ description = "Application ID(Client ID)"
+ type = string
+}
+
+variable "client_secret" {
+ description = "A secret string that the application uses to prove its identity when requesting a token. Also can be referred to as application password."
+ type = string
+}
+
+variable "resource-group-name" {
+ type = string
+ default = "tf-managed-app-resource-group"
+}
+
+variable "location" {
+ type = string
+ default = "westcentralus"
+}
+
+variable "managed-app-name" {
+ type = string
+ default = "tf-vwan-managed-app-nva"
+}
+
+variable "vwan-hub-name" {
+ type = string
+}
+
+variable "vwan-hub-resource-group" {
+ type = string
+}
+
+variable "nva-rg-name" {
+ type = string
+ default = "tf-vwan-nva-rg"
+}
+
+variable "nva-name" {
+ type = string
+ default = "tf-vwan-nva"
+}
+
+variable "os-version" {
+ description = "GAIA OS version"
+ type = string
+ default = "R8120"
+ validation {
+ condition = contains(["R8110", "R8120"], var.os-version)
+ error_message = "Allowed values for os-version are 'R8110', 'R8120'"
+ }
+}
+
+variable "license-type" {
+ type = string
+ default = "Security Enforcement (NGTP)"
+ validation {
+ condition = contains(["Security Enforcement (NGTP)", "Full Package (NGTX + S1C)", "Full Package Premium (NGTX + S1C++)"], var.license-type)
+ error_message = "Allowed values for License Type are 'Security Enforcement (NGTP)', 'Full Package (NGTX + S1C)', 'Full Package Premium (NGTX + S1C++)'"
+ }
+}
+
+variable "scale-unit" {
+ type = string
+ default = "2"
+ validation {
+ condition = contains(["2", "4", "10", "20", "30", "60", "80"], var.scale-unit)
+ error_message = "Valid values for CloudGuard version are '2', '4', '10', '20', '30', '60', '80'"
+ }
+}
+
+variable "bootstrap-script" {
+ type = string
+ default = ""
+}
+
+variable "admin-shell" {
+ type = string
+ default = "/etc/cli.sh"
+ validation {
+ condition = contains(["/etc/cli.sh", "/bin/bash", "/bin/tcsh", "/bin/csh"], var.admin-shell)
+ error_message = "Valid shells are '/etc/cli.sh', '/bin/bash', '/bin/tcsh', '/bin/csh'"
+ }
+}
+
+variable "sic-key" {
+ type = string
+ default = ""
+ sensitive = true
+ validation {
+ condition = can(regex("^[a-z0-9A-Z]{12,30}$", var.sic-key))
+ error_message = "Only alphanumeric characters are allowed, and the value must be 12-30 characters long."
+ }
+}
+
+variable "ssh-public-key" {
+ type = string
+ default = ""
+}
+
+variable "bgp-asn" {
+ type = string
+ default = "64512"
+ validation {
+ condition = tonumber(var.bgp-asn) >= 64512 && tonumber(var.bgp-asn) <= 65534 && !contains([65515, 65520], tonumber(var.bgp-asn))
+ error_message = "Only numbers between 64512 to 65534 are allowed excluding 65515, 65520."
+ }
+}
+
+variable "custom-metrics" {
+ type = string
+ default = "yes"
+ validation {
+ condition = contains(["yes", "no"], var.custom-metrics)
+ error_message = "Valid options are string('yes' or 'no')"
+ }
+}
+
+variable "routing-intent-internet-traffic" {
+ default = "yes"
+ validation {
+ condition = contains(["yes", "no"], var.routing-intent-internet-traffic)
+ error_message = "Valid options are string('yes' or 'no')"
+ }
+}
+
+variable "routing-intent-private-traffic" {
+ default = "yes"
+ validation {
+ condition = contains(["yes", "no"], var.routing-intent-private-traffic)
+ error_message = "Valid options are string('yes' or 'no')"
+ }
+}
+
+variable "smart1-cloud-token-a" {
+ type = string
+ default = ""
+}
+
+variable "smart1-cloud-token-b" {
+ type = string
+ default = ""
+}
+
+variable "smart1-cloud-token-c" {
+ type = string
+ default = ""
+}
+
+variable "smart1-cloud-token-d" {
+ type = string
+ default = ""
+}
+
+variable "smart1-cloud-token-e" {
+ type = string
+ default = ""
+}
+
+variable "existing-public-ip" {
+ type = string
+ default = ""
+}
+
+variable "new-public-ip" {
+ type = string
+ default = "no"
+ validation {
+ condition = contains(["yes", "no"], var.new-public-ip)
+ error_message = "Valid options are string('yes' or 'no')"
+ }
+}
+
+locals{
+ # Validate that new-public-ip is false when existing-public-ip is used
+ is_both_params_used = length(var.existing-public-ip) > 0 && var.new-public-ip == "yes"
+ validation_message_both = "Only one parameter of existing-public-ip or new-public-ip can be used"
+ _ = regex("^$", (!local.is_both_params_used ? "" : local.validation_message_both))
+}
\ No newline at end of file
diff --git a/deprecated/terraform/azure/R8040-R81/nva-into-existing-hub/versions.tf b/deprecated/terraform/azure/R8040-R81/nva-into-existing-hub/versions.tf
new file mode 100644
index 00000000..1c68a298
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/nva-into-existing-hub/versions.tf
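Review bot: `client_secret` and the five `smart1-cloud-token-*` variables are plain `type = string` with no `sensitive = true`, unlike `sic-key`, so their values are printed in plan output and in the `parameter_values` diff of the managed application; add `sensitive = true` to each of them. The `scale-unit` `error_message` reads "Valid values for CloudGuard version are …", which looks pasted from another template and should name `scale-unit`. The cross-variable guard in the trailing `locals` block (`_ = regex("^$", …)`) surfaces as Terraform's generic regex-mismatch error rather than `validation_message_both`; with `required_version = ">= 1.5.0"` a `lifecycle { precondition { ... } }` on the managed application resource with `condition = !local.is_both_params_used` and `error_message = local.validation_message_both` reports it as intended. Also `sic-key` has `default = ""`, which its own regex `^[a-z0-9A-Z]{12,30}$` rejects, so the default can never apply and an omitted value fails with the length message instead of a clear "required" error; either drop the default or make the regex accept the empty string deliberately.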
@@ -0,0 +1,17 @@
+terraform {
+ required_version = ">= 1.5.0"
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = " 3.79.0"
+ }
+ }
+}
+
+provider "azurerm" {
+ subscription_id = var.subscription_id
+ client_id = var.client_id
+ client_secret = var.client_secret
+ tenant_id = var.tenant_id
+ features {}
+}
diff --git a/deprecated/terraform/azure/R8040-R81/nva-into-new-vwan/README.md b/deprecated/terraform/azure/R8040-R81/nva-into-new-vwan/README.md
new file mode 100644
index 00000000..52cc1b17
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/nva-into-new-vwan/README.md
@@ -0,0 +1,182 @@
+# Check Point CloudGuard Network Security Virtual WAN Terraform deployment for Azure
+
+This Terraform module deploys Check Point CloudGuard Network Security Virtual WAN NVA solution into a new vWAN Hub in Azure.
+As part of the deployment the following resources are created:
+- Resource groups
+- Virtual WAN
+- Virtual WAN Hub
+- Azure Managed Application:
+ - NVA
+ - Managed identity
+
+For additional information,
+please see the [CloudGuard Network for Azure Virtual WAN Deployment Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_Azure_vWAN/Default.htm)
+
+
+## Configurations
+- Install and configure Terraform to provision Azure resources: [Configure Terraform for Azure](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/terraform-install-configure).
+- In order to configure hub routing-intent policies it is **required** to have Python and 'requests' library installed.
+
+## Usage
+- Choose the preferred login method to Azure in order to deploy the solution:
+
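Review bot: `version = " 3.79.0"` carries a stray leading space inside the constraint string; Terraform appears to tolerate surrounding whitespace, but it reads as a typo and hides whether an exact pin or `~> 3.79` was intended, so write `version = "3.79.0"`. The `provider "azurerm"` block reads `client_secret` and the other three credentials straight from variables, and the README's environment-variable path tells users to comment these lines out; a one-line comment above the block noting that the provider then falls back to the `ARM_CLIENT_ID`/`ARM_CLIENT_SECRET`/`ARM_TENANT_ID`/`ARM_SUBSCRIPTION_ID` environment variables would make that safe alternative discoverable without the README round-trip.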
 1. Using Service Principal:
+ - Create a [Service Principal](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal) (or use the existing one)
+ - Grant the Service Principal at least "**Contributor**" permissions to the Azure subscription
+ - The Service Principal credentials can be stored either in the terraform.tfvars or as [Environment Variables](https://www.terraform.io/docs/providers/azuread/guides/service_principal_client_secret.html)
+ + In case the Environment Variables are used, perform modifications described below:
+ + a. The next lines in the versions.tf file, in the provider azurerm resource, need to be deleted or commented: + + provider "azurerm" { + + // subscription_id = var.subscription_id + // client_id = var.client_id + // client_secret = var.client_secret + // tenant_id = var.tenant_id + + features {} + } + + b. In the terraform.tfvars file leave empty double quotes for client_secret, client_id , tenant_id and subscription_id variables: + + client_secret = "" + client_id = "" + tenant_id = "" + subscription_id = "" + +
2. Using **az** commands from a command-line: + - Run **az login** command + - Sign in with your account credentials in the browser + - In the terraform.tfvars file leave empty double quotes for client_secret, client_id and tenant_id variables. + +- Fill all variables in the /terraform/azure/nva-into-new-vwan/terraform.tfvars file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + + terraform init +- Create an execution plan: + + terraform plan +- Create or modify the deployment: + + terraform apply + +### terraform.tfvars variables: + | Name | Description | Type | Allowed values | Default | + |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- | ------------- | + | **authentication_method** | The authentication method used to deploy the solution | string | "Service Principal";
"Azure CLI"; | n/a + | | + | **client_secret** | The client secret value of the Service Principal used to deploy the solution | string | | n/a + | || | | | + | **client_id** | The client ID of the Service Principal used to deploy the solution | string | | n/a + | || | | | + | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | n/a + | || | | | + | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | | n/a + | || | | | + | **resource-group-name** | The name of the resource group that will contain the managed application | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | "managed-app-resource-group" | + | || | | | + | **location** | The region where the resources will be deployed at | string | The full list of supported Azure regions can be found at https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-locations-partners#locations | "westcentralus" | + | || | | | + | **vwan-name** | The name of the virtual WAN that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | "tf-vwan" | + | || | | | + | **vwan-hub-name** | The name of the virtual WAN hub that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | "tf-vwan-hub" | + | || | | | + | **vwan-hub-address-prefix** | The address prefixes of the virtual hub | string | Valid CIDR block | "10.0.0.0/16" | + | || | | | + | **managed-app-name** | The name of the managed application that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | 
tf-vwan-managed-app | + | || | | | + | **nva-name** | The name of the NVA that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | tf-vwan-nva | + | || | | | + | **nva-rg-name** | The name of the resource group that will contain the NVA | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | tf-vwan-nva-rg | + | || | | | + | **os-version** | The GAIA os version| string | "R8110"
"R8120" | "R8120" | + | || | | | + | **license-type** | The Check Point licence type | string | "Security Enforcement (NGTP)"
"Full Package (NGTX + S1C)"
"Full Package Premium (NGTX + S1C++)" | "Security Enforcement (NGTP)" | + | || | | | + | **scale-unit** | The scale unit determines the size and number of resources deployed. The higher the scale unit, the greater the amount of traffic that can be handled. | string | "2"
"4"
"10"
"20"
"30"
"60"
"80"
| "2" | + | || | | | + | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | "" + | || | | | | | | | + | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | "/etc/cli.sh" | + | || | | | + | **sic-key** | The Secure Internal Communication one time secret used to set up trust between the gateway object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | n/a | + | || | | | + | **ssh-public-key** | The public ssh key used for ssh connection to the NVA GW instances | string | ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx generated-by-azure; | n/a | | string | gateway;
standalone; | + | || | | | + | **bgp-asn** | The BGP autonomous system number. | string | 64512 | "64512" || + | || | | | + | **custom-metrics** | Indicates whether CloudGuard Metrics will be use for gateway monitoring | string | yes;
no; | "yes" | + | || | | | + | **routing-intent-internet-traffic** | Set routing intent policy to allow internet traffic through the new nva | string | yes;
no;
Please verify routing-intent is configured successfully post-deployment | "yes" | + | || | | | + | **routing-intent-private-traffic** | Set routing intent policy to allow private traffic through the new nva | string | yes;
no;
Please verify routing-intent is configured successfully post-deployment | "yes" | + | || | | | + | **smart1-cloud-token-a** | Smart-1 Cloud token to connect automatically ***NVA instance a*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a | | + | || | | | + | **smart1-cloud-token-b** | Smart-1 Cloud token to connect automatically ***NVA instance b*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a | | + | || | | | + | **smart1-cloud-token-c** | Smart-1 Cloud token to connect automatically ***NVA instance c*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a | | + | || | | | + | **smart1-cloud-token-d** | Smart-1 Cloud token to connect automatically ***NVA instance d*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a | | + | || | | | + | **smart1-cloud-token-e** | Smart-1 Cloud token to connect automatically ***NVA instance e*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a | | + | | + | **existing-public-ip** | Existing public IP reosurce to attach to the newly deployed NVA | string | A resource ID of the public IP resource | | + | | | | | | + | **new-public-ip** | Deploy a new public IP resource as part of the managed app and attach to the NVA | string | yes;
no;| | + | | + +## Conditional creation +- To enable CloudGuard metrics in order to send statuses and statistics collected from the gateway instance to the Azure Monitor service: + ``` + custom-metrics = yes + ``` + +## Example + authentication_method = "Service Principal" + client_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + client_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + tenant_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + subscription_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + resource-group-name = "tf-managed-app-resource-group" + location = "westcentralus" + vwan-name = "tf-vwan" + vwan-hub-name = "tf-vwan-hub" + vwan-hub-address-prefix = "10.0.0.0/16" + managed-app-name = "tf-vwan-managed-app-nva" + nva-rg-name = "tf-vwan-nva-rg" + nva-name = "tf-vwan-nva" + os-version = "R8120" + license-type = "Security Enforcement (NGTP)" + scale-unit = "2" + bootstrap-script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" + admin-shell = "/etc/cli.sh" + sic-key = "xxxxxxxxxxxx" + ssh-public-key = "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" + bgp-asn = "64512" + custom-metrics = "yes" + routing-intent-internet-traffic = "yes" + routing-intent-private-traffic = "yes" + smart1-cloud-token-a = "" + smart1-cloud-token-b = "" + smart1-cloud-token-c = "" + smart1-cloud-token-d = "" + smart1-cloud-token-e = "" + existing-public-ip = "" + new-public-ip = "yes" + +## Revision History +In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|-----------------------------------------------------------------------------------------------| +| 20240613 | Cosmetic fixes & default values | +| 20240228 | Added public IP for ingress support | | | +| 20231226 | First release of Check Point CloudGuard Network Security Virtual WAN Terraform deployment for Azure | 
| | + + +## License + +See the [LICENSE](../../LICENSE) file for details + diff --git a/deprecated/terraform/azure/R8040-R81/nva-into-new-vwan/main.tf b/deprecated/terraform/azure/R8040-R81/nva-into-new-vwan/main.tf new file mode 100644 index 00000000..43a409c3 --- /dev/null +++ b/deprecated/terraform/azure/R8040-R81/nva-into-new-vwan/main.tf 
@@ -0,0 +1,202 @@ +//********************** Basic Configuration **************************// +resource "azurerm_resource_group" "managed-app-rg" { + name = var.resource-group-name + location = var.location +} + +resource "azurerm_virtual_wan" "vwan" { + name = var.vwan-name + resource_group_name = azurerm_resource_group.managed-app-rg.name + location = var.location +} + +resource "azurerm_virtual_hub" "vwan-hub" { + name = var.vwan-hub-name + resource_group_name = azurerm_resource_group.managed-app-rg.name + location = azurerm_resource_group.managed-app-rg.location + address_prefix = var.vwan-hub-address-prefix + virtual_wan_id = azurerm_virtual_wan.vwan.id +} + +//********************** Image Version **************************// + +data "external" "az_access_token" { + count = var.authentication_method == "Azure CLI" ? 1 : 0 + program = ["az", "account", "get-access-token", "--resource=https://management.azure.com", "--query={accessToken: accessToken}", "--output=json"] +} + +data "http" "azure_auth" { + count = var.authentication_method == "Service Principal" ? 1 : 0 + url = "https://login.microsoftonline.com/${var.tenant_id}/oauth2/v2.0/token" + method = "POST" + request_headers = { + "Content-Type" = "application/x-www-form-urlencoded" + } + request_body = "grant_type=client_credentials&client_id=${var.client_id}&client_secret=${var.client_secret}&scope=https://management.azure.com/.default" +} + +locals { + access_token = var.authentication_method == "Service Principal" ? jsondecode(data.http.azure_auth[0].response_body).access_token : data.external.az_access_token[0].result.accessToken +} + +data "http" "image-versions" { + method = "GET" + url = "https://management.azure.com/subscriptions/${var.subscription_id}/providers/Microsoft.Network/networkVirtualApplianceSKUs/checkpoint${var.license-type == "Full Package (NGTX + S1C)" ? "-ngtx" : var.license-type == "Full Package Premium (NGTX + S1C++)" ? 
"-premium" : ""}?api-version=2020-05-01" + request_headers = { + Accept = "application/json" + "Authorization" = "Bearer ${local.access_token}" + } +} + +locals { + image_versions = tolist([for version in jsondecode(data.http.image-versions.response_body).properties.availableVersions : version if substr(version, 0, 4) == substr(lower(var.os-version), 1, 4)]) + routing_intent-internet-policy = { + "name": "InternetTraffic", + "destinations": [ + "Internet" + ], + "nextHop": "/subscriptions/${var.subscription_id}/resourcegroups/${var.nva-rg-name}/providers/Microsoft.Network/networkVirtualAppliances/${var.nva-name}" + } + routing_intent-private-policy = { + "name": "PrivateTrafficPolicy", + "destinations": [ + "PrivateTraffic" + ], + "nextHop": "/subscriptions/${var.subscription_id}/resourcegroups/${var.nva-rg-name}/providers/Microsoft.Network/networkVirtualAppliances/${var.nva-name}" + } + routing-intent-policies = var.routing-intent-internet-traffic == "yes" ? (var.routing-intent-private-traffic == "yes" ? tolist([local.routing_intent-internet-policy, local.routing_intent-private-policy]) : tolist([local.routing_intent-internet-policy])) : (var.routing-intent-private-traffic == "yes" ? 
tolist([local.routing_intent-private-policy]) : []) + req_body = jsonencode({"properties": {"routingPolicies": local.routing-intent-policies}}) + req_url = "https://management.azure.com/subscriptions/${var.subscription_id}/resourceGroups/${azurerm_resource_group.managed-app-rg.name}/providers/Microsoft.Network/virtualHubs/${var.vwan-hub-name}/routingIntent/hubRoutingIntent?api-version=2022-01-01" + +} + +//********************** Marketplace Terms & Solution Registration **************************// +data "http" "accept-marketplace-terms-existing-agreement" { + method = "GET" + url = "https://management.azure.com/subscriptions/${var.subscription_id}/providers/Microsoft.MarketplaceOrdering/agreements/checkpoint/offers/cp-vwan-managed-app/plans/vwan-app?api-version=2021-01-01" + request_headers = { + Accept = "application/json" + "Authorization" = "Bearer ${local.access_token}" + } +} + +resource "azurerm_marketplace_agreement" "accept-marketplace-terms" { + count = can(jsondecode(data.http.accept-marketplace-terms-existing-agreement.response_body).id) ? (jsondecode(data.http.accept-marketplace-terms-existing-agreement.response_body).properties.state == "Active" ? 0 : 1) : 1 + publisher = "checkpoint" + offer = "cp-vwan-managed-app" + plan = "vwan-app" +} + + +data "http" "azurerm_resource_provider_registration-exist" { + method = "GET" + url = "https://management.azure.com/subscriptions/${var.subscription_id}/providers/Microsoft.Solutions?api-version=2021-01-01" + request_headers = { + Accept = "application/json" + "Authorization" = "Bearer ${local.access_token}" + } +} + +resource "azurerm_resource_provider_registration" "solutions" { + count = jsondecode(data.http.azurerm_resource_provider_registration-exist.response_body).registrationState == "Registered" ? 
0 : 1 + name = "Microsoft.Solutions" +} + +//********************** Managed Application Configuration **************************// +resource "azurerm_managed_application" "nva" { + depends_on = [azurerm_marketplace_agreement.accept-marketplace-terms, azurerm_resource_provider_registration.solutions] + name = var.managed-app-name + location = azurerm_resource_group.managed-app-rg.location + resource_group_name = azurerm_resource_group.managed-app-rg.name + kind = "MarketPlace" + managed_resource_group_name = var.nva-rg-name + + plan { + name = "vwan-app" + product = "cp-vwan-managed-app" + publisher = "checkpoint" + version = "1.0.14" + } + parameter_values = jsonencode({ + location = { + value = azurerm_resource_group.managed-app-rg.location + }, + hubId = { + value = azurerm_virtual_hub.vwan-hub.id + }, + osVersion = { + value = var.os-version + }, + LicenseType = { + value = var.license-type + }, + imageVersion = { + value = element(local.image_versions, length(local.image_versions) -1) + }, + scaleUnit = { + value = var.scale-unit + }, + bootstrapScript = { + value = var.bootstrap-script + }, + adminShell = { + value = var.admin-shell + }, + sicKey = { + value = var.sic-key + }, + sshPublicKey = { + value = var.ssh-public-key + }, + BGP = { + value = var.bgp-asn + }, + NVA = { + value = var.nva-name + }, + customMetrics = { + value = var.custom-metrics + }, + hubASN = { + value = azurerm_virtual_hub.vwan-hub.virtual_router_asn + }, + hubPeers = { + value = azurerm_virtual_hub.vwan-hub.virtual_router_ips + }, + smart1CloudTokenA = { + value = var.smart1-cloud-token-a + }, + smart1CloudTokenB = { + value = var.smart1-cloud-token-b + }, + smart1CloudTokenC = { + value = var.smart1-cloud-token-c + }, + smart1CloudTokenD = { + value = var.smart1-cloud-token-d + }, + smart1CloudTokenE = { + value = var.smart1-cloud-token-e + }, + publicIPIngress = { + value = (var.new-public-ip == "yes" || length(var.existing-public-ip) > 0) ? 
"yes" : "no" + }, + createNewIPIngress = { + value = var.new-public-ip + } + ipIngressExistingResourceId = { + value = var.existing-public-ip + } + }) +} + +//********************** Routing Intent **************************// +data "external" "update-routing-intent" { + count = length(local.routing-intent-policies) != 0 ? 1 : 0 + depends_on = [azurerm_managed_application.nva] + program = ["python", "../modules/add-routing-intent.py", "${local.req_url}", "${local.req_body}", "${local.access_token}"] +} + +output "api_request_result" { + value = length(local.routing-intent-policies) != 0 ? data.external.update-routing-intent[0].result : {routing-intent: "not changed"} +} diff --git a/deprecated/terraform/azure/R8040-R81/nva-into-new-vwan/terraform.tfvars b/deprecated/terraform/azure/R8040-R81/nva-into-new-vwan/terraform.tfvars new file mode 100644 index 00000000..8473e72c --- /dev/null +++ b/deprecated/terraform/azure/R8040-R81/nva-into-new-vwan/terraform.tfvars 
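Review bot: The bearer token in `local.access_token` is handed to `data "external" "update-routing-intent"` as a command-line argument, where it is visible to any local user through the process list and is also recorded in plan output and state, along with the `data "http"` responses it was extracted from. Passing it on stdin keeps it out of argv: `program = ["python", "../modules/add-routing-intent.py"]` with `query = { url = local.req_url, body = local.req_body, token = local.access_token }`, and `access_token = sensitive(...)` in the first `locals` block redacts it from plan output; this assumes add-routing-intent.py (not in this diff) is updated to read the JSON object from stdin. Separately, `element(local.image_versions, length(local.image_versions) -1)` in the managed application parameters fails with an unrelated index error when the version filter matches nothing, so a `lifecycle { precondition }` on `azurerm_managed_application.nva` asserting `length(local.image_versions) > 0` would give a readable message.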
@@ -0,0 +1,32 @@
+#PLEASE refer to the README.md for accepted values for the variables below
+authentication_method = "PLEASE ENTER AUTHENTICATION METHOD" # "Service Principal"
+client_secret = "PLEASE ENTER CLIENT SECRET" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+client_id = "PLEASE ENTER CLIENT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+tenant_id = "PLEASE ENTER TENANT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+subscription_id = "PLEASE ENTER SUBSCRIPTION ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+resource-group-name = "PLEASE ENTER RESOURCE GROUP NAME" # "tf-managed-app-resource-group"
+location = "PLEASE ENTER LOCATION" # "westcentralus"
+vwan-name = "PLEASE ENTER VIRTUAL WAN NAME" # "tf-cp-vwan"
+vwan-hub-name = "PLEASE ENTER VWAN HUB NAME" # "tf-cp-vwan-hub"
+vwan-hub-address-prefix = "PLEASE ENTER VWAN HUB ADDRESS PREFIX" # "10.0.0.0/16"
+managed-app-name = "PLEASE ENTER MANAGED APPLICATION NAME" # "tf-vwan-managed-app-nva"
+nva-rg-name = "PLEASE ENTER NVA RESOURCE GROUP NAME" # "tf-vwan-nva-rg"
+nva-name = "PLEASE ENTER NVA NAME" # "tf-vwan-nva"
+os-version = "PLEASE ENTER GAIA OS VERSION" # "R8120"
+license-type = "PLEASE ENTER LICENSE TYPE" # "Security Enforcement (NGTP)"
+scale-unit = "PLEASE ENTER SCALE UNIT" # "2"
+bootstrap-script = "PLEASE ENTER CUSTOM SCRIPT OR LEAVE EMPTY DOUBLE QUOTES" # "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
+admin-shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh"
+sic-key = "PLEASE ENTER SIC KEY" # "xxxxxxxxxx"
+ssh-public-key = "PLEASE ENTER SSH PUBLIC KEY" # "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key"
+bgp-asn = "PLEASE ENTER BGP AUTONOMOUS SYSTEM NUMBER" # "64512"
+custom-metrics = "PLEASE ENTER yes or no" # "yes"
+routing-intent-internet-traffic = "PLEASE ENTER yes or no" # "yes"
+routing-intent-private-traffic = "PLEASE ENTER yes or no" # "yes"
+smart1-cloud-token-a = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL FOR INSTANCE A OR LEAVE EMPTY DOUBLE QUOTES" # 
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+smart1-cloud-token-b = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL FOR INSTANCE B OR LEAVE EMPTY DOUBLE QUOTES" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+smart1-cloud-token-c = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL FOR INSTANCE C OR LEAVE EMPTY DOUBLE QUOTES" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+smart1-cloud-token-d = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL FOR INSTANCE D OR LEAVE EMPTY DOUBLE QUOTES" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+smart1-cloud-token-e = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL FOR INSTANCE E OR LEAVE EMPTY DOUBLE QUOTES" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+existing-public-ip = "PLEASE ENTER THE RESOURCE ID OF A PUBLIC IP RESOURCE OR LEAVE EMPTY DOUBLE QUOTES" # "/subscription/123/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pip1"
+new-public-ip = "PLEASE ENTER yes or no" # "no"
\ No newline at end of file
diff --git a/deprecated/terraform/azure/R8040-R81/nva-into-new-vwan/variables.tf b/deprecated/terraform/azure/R8040-R81/nva-into-new-vwan/variables.tf
new file mode 100644
index 00000000..927592c9
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/nva-into-new-vwan/variables.tf
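Review bot: The sample value in the `existing-public-ip` comment starts with `/subscription/123/...`, but Azure resource IDs begin with `/subscriptions/`, so copying the sample shape produces an ID the API rejects; change the comment to `# "/subscriptions/123/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pip1"`. Placing `client_secret`, `sic-key` and the Smart-1 Cloud tokens directly in terraform.tfvars also puts them in a file that is easy to commit; a comment pointing users to the `TF_VAR_client_secret` environment-variable form, or to a separate `-var-file` kept out of version control, would document the safer option.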
@@ -0,0 +1,209 @@ +variable "authentication_method" { + description = "Azure authentication method" + type = string + validation { + condition = contains(["Azure CLI", "Service Principal"], var.authentication_method) + error_message = "Valid values for authentication_method are 'Azure CLI','Service Principal'" + } +} + +variable "subscription_id" { + description = "Subscription ID" + type = string +} + +variable "tenant_id" { + description = "Tenant ID" + type = string +} + +variable "client_id" { + description = "Application ID(Client ID)" + type = string +} + +variable "client_secret" { + description = "A secret string that the application uses to prove its identity when requesting a token. Also can be referred to as application password." + type = string +} + +variable "resource-group-name" { + type = string + default = "managed-app-resource-group" +} + +variable "location" { + type = string + default = "westcentralus" +} + +variable "vwan-name" { + type = string + default = "tf-vwan" +} + +variable "vwan-hub-name" { + type = string + default = "tf-vwan-hub" +} + +variable "vwan-hub-address-prefix" { + type = string + default = "10.0.0.0/16" + validation { + condition = can(cidrhost(var.vwan-hub-address-prefix, 0)) + error_message = "Please provide a valid CIDR specification for the VWAN address space" + } +} + +variable "managed-app-name" { + type = string + default = "tf-vwan-managed-app" +} + +variable "nva-rg-name" { + type = string + default = "tf-vwan-nva-rg" +} + +variable "nva-name" { + type = string + default = "tf-vwan-nva" +} + +variable "os-version" { + description = "GAIA OS version" + type = string + default = "R8120" + validation { + condition = contains(["R8110", "R8120"], var.os-version) + error_message = "Allowed values for os-version are 'R8110', 'R8120'" + } +} + +variable "license-type" { + type = string + default = "Security Enforcement (NGTP)" + validation { + condition = contains(["Security Enforcement (NGTP)", "Full Package (NGTX + 
S1C)", "Full Package Premium (NGTX + S1C++)"], var.license-type) + error_message = "Allowed values for License Type are 'Security Enforcement (NGTP)', 'Full Package (NGTX + S1C)', 'Full Package Premium (NGTX + S1C++)'" + } +} + +variable "scale-unit" { + type = string + default = "2" + validation { + condition = contains(["2", "4", "10", "20", "30", "60", "80"], var.scale-unit) + error_message = "Valid values for CloudGuard version are '2', '4', '10', '20', '30', '60', '80'" + } +} + +variable "bootstrap-script" { + type = string + default = "" +} + +variable "admin-shell" { + type = string + default = "/etc/cli.sh" + validation { + condition = contains(["/etc/cli.sh", "/bin/bash", "/bin/tcsh", "/bin/csh"], var.admin-shell) + error_message = "Valid shells are '/etc/cli.sh', '/bin/bash', '/bin/tcsh', '/bin/csh'" + } +} + +variable "sic-key" { + type = string + default = "" + sensitive = true + validation { + condition = can(regex("^[a-z0-9A-Z]{12,30}$", var.sic-key)) + error_message = "Only alphanumeric characters are allowed, and the value must be 12-30 characters long." + } +} + +variable "ssh-public-key" { + type = string + default = "" +} + +variable "bgp-asn" { + type = string + default = "64512" + validation { + condition = tonumber(var.bgp-asn) >= 64512 && tonumber(var.bgp-asn) <= 65534 && !contains([65515, 65520], tonumber(var.bgp-asn)) + error_message = "Only numbers between 64512 to 65534 are allowed excluding 65515, 65520." 
+ } +} + +variable "custom-metrics" { + type = string + default = "yes" + validation { + condition = contains(["yes", "no"], var.custom-metrics) + error_message = "Valid options are string('yes' or 'no')" + } +} + +variable "routing-intent-internet-traffic" { + default = "yes" + validation { + condition = contains(["yes", "no"], var.routing-intent-internet-traffic) + error_message = "Valid options are string('yes' or 'no')" + } +} + +variable "routing-intent-private-traffic" { + default = "yes" + validation { + condition = contains(["yes", "no"], var.routing-intent-private-traffic) + error_message = "Valid options are string('yes' or 'no')" + } +} + +variable "smart1-cloud-token-a" { + type = string + default = "" +} + +variable "smart1-cloud-token-b" { + type = string + default = "" +} + +variable "smart1-cloud-token-c" { + type = string + default = "" +} + +variable "smart1-cloud-token-d" { + type = string + default = "" +} + +variable "smart1-cloud-token-e" { + type = string + default = "" +} + +variable "existing-public-ip" { + type = string + default = "" +} + +variable "new-public-ip" { + type = string + default = "no" + validation { + condition = contains(["yes", "no"], var.new-public-ip) + error_message = "Valid options are string('yes' or 'no')" + } +} + +locals{ + # Validate that new-public-ip is false when existing-public-ip is used + is_both_params_used = length(var.existing-public-ip) > 0 && var.new-public-ip == "yes" + validation_message_both = "Only one parameter of existing-public-ip or new-public-ip can be used" + _ = regex("^$", (!local.is_both_params_used ? "" : local.validation_message_both)) +} \ No newline at end of file diff --git a/deprecated/terraform/azure/R8040-R81/nva-into-new-vwan/versions.tf b/deprecated/terraform/azure/R8040-R81/nva-into-new-vwan/versions.tf new file mode 100644 index 00000000..40d04f16 --- /dev/null +++ b/deprecated/terraform/azure/R8040-R81/nva-into-new-vwan/versions.tf 
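Review bot: `variable "client_secret"` and the five `smart1-cloud-token-*` variables lack `sensitive = true`, while `sic-key` has it, so their values appear in plan and apply output; add `sensitive = true` to each. `routing-intent-internet-traffic` and `routing-intent-private-traffic` also omit the `type = string` that every other variable declares. The `sic-key` default of `""` appears unable to pass its own `^[a-z0-9A-Z]{12,30}$` validation, so omitting the variable seems to fail validation rather than yield an empty key; either drop the default or let the pattern accept an empty value if that is intended. The closing `locals` block fails on conflicting inputs through a `regex("^$", ...)` trick whose error message is opaque; with `required_version = ">= 1.5.0"` declared, a `lifecycle { precondition }` on the resource that consumes `existing-public-ip` and `new-public-ip` can carry `validation_message_both` as its `error_message`.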
@@ -0,0 +1,17 @@
+terraform {
+ required_version = ">= 1.5.0"
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = " 3.79.0"
+ }
+ }
+}
+
+provider "azurerm" {
+ subscription_id = var.subscription_id
+ client_id = var.client_id
+ client_secret = var.client_secret
+ tenant_id = var.tenant_id
+ features {}
+}
\ No newline at end of file
diff --git a/deprecated/terraform/azure/R8040-R81/single-gateway-existing-vnet/README.md b/deprecated/terraform/azure/R8040-R81/single-gateway-existing-vnet/README.md
new file mode 100644
index 00000000..73fa074d
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/single-gateway-existing-vnet/README.md
@@ -0,0 +1,200 @@
+# Check Point CloudGuard Network Security Single Gateway Terraform deployment for Azure
+
+This Terraform module deploys Check Point CloudGuard Network Security Single Gateway solution into an existing Vnet in Azure.
+As part of the deployment the following resources are created:
+- Resource group
+- System assigned identity
+
+
+This solution uses the following modules:
+- /terraform/azure/modules/common - used for creating a resource group and defining common variables.
+
+
+## Configurations
+- Install and configure Terraform to provision Azure resources: [Configure Terraform for Azure](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/terraform-install-configure)
+- In order to use ssh connection to VMs, it is **required** to add a public key to the /terraform/azure/single-gateway-existing-vnet/azure_public_key file.
+
+## Usage
+- Choose the preferred login method to Azure in order to deploy the solution:
+
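Review bot: The provider constraint `version = " 3.79.0"` carries a leading space; Terraform's constraint parser tolerates surrounding whitespace as far as I know, but it reads as a typo, so `version = "3.79.0"` is cleaner. The `provider "azurerm"` block always sets `client_id`, `client_secret` and `tenant_id` even though variables.tf offers an `authentication_method` of "Azure CLI", which presumably relies on those variables being left empty so the provider falls back to CLI credentials; a comment next to the block stating that expectation would save users a confusing authentication failure.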
1. Using Service Principal: + - Create a [Service Principal](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal) (or use the existing one) + - Grant the Service Principal at least "**Managed Application Contributor**", "**Storage Account Contributor**", "**Network Contributor**", "**Virtual Machine Contributor**" permissions to the Azure subscription
+ - The Service Principal credentials can be stored either in the terraform.tfvars or as [Environment Variables](https://www.terraform.io/docs/providers/azuread/guides/service_principal_client_secret.html)
+ + In case the Environment Variables are used, perform modifications described below:
+ + a. The next lines in the main.tf file, in the provider azurerm resource, need to be deleted or commented: + + provider "azurerm" { + + // subscription_id = var.subscription_id + // client_id = var.client_id + // client_secret = var.client_secret + // tenant_id = var.tenant_id + + features {} + } + + b. In the terraform.tfvars file leave empty double quotes for client_secret, client_id , tenant_id and subscription_id variables: + + client_secret = "" + client_id = "" + tenant_id = "" + subscription_id = "" + +
2. Using **az** commands from a command-line: + - Run **az login** command + - Sign in with your account credentials in the browser + - [Accept Azure Marketplace image terms](https://docs.microsoft.com/en-us/cli/azure/vm/image/terms?view=azure-cli-latest) by running: +
**az vm image terms accept --urn publisher:offer:sku:version**, where: + - publisher = checkpoint; + - offer = vm_os_offer (see accepted values in the table below); + - sku = vm_os_sku (see accepted values in the table below); + - version = latest
+
Example:
+ az vm image terms accept --urn checkpoint:check-point-cg-r8040:sg-byol:latest + + - In the terraform.tfvars file leave empty double quotes for client_secret, client_id and tenant_id variables. + +- Fill all variables in the /terraform/azure/single-gateway-existing-vnet/terraform.tfvars file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + + terraform init +- Create an execution plan: + + terraform plan +- Create or modify the deployment: + + terraform apply + +### terraform.tfvars variables: + | Name | Description | Type | Allowed values | Default | + |---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- | ------------- |---------| ------------- | + | **client_secret** | The client secret value of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **client_id** | The client ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | | n/a + | | | | | | + | **source_image_vhd_uri** | The URI of the blob containing the development image. 
Please use noCustomUri if you want to use marketplace images | string | | "noCustomUri" + | | | | | | + | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | n/a + | | | | | | + | **single_gateway_name** | The name of the Check Point single GW Object | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long | n/a + | | | | | | + | **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | n/a + | | | | | | + | **vnet_name** | The name of virtual network that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | n/a + | | | | | | + | **vnet_resource_group** | Resource Group of the existing virtual network | string | The exact name of the existing vnet's resource group | n/a + | | | | | | + | **frontend_subnet_name** | Specifies the name of the external subnet | string | The exact name of the existing external subnet | n/a + | | | | | | + | **backend_subnet_name** | Specifies the name of the internal subnet | string | The exact name of the existing internal subnet | n/a + | | | | | | + | **subnet_frontend_1st_Address** | First available address in frontend subnet | string | | n/a + | | | | | | + | **subnet_backend_1st_Address** | First available address in backend subnet | string | | n/a + | | | | | | + | **management_GUI_client_network** | Allowed GUI clients - GUI clients network CIDR | string | | n/a + | | | | | | + | **admin_password** | The password associated with the local administrator account on the gateway | string | Password must have 3 of the following: 1 lower case character, 1 upper case 
character, 1 number, and 1 special character | n/a + | | | | | | + | **smart_1_cloud_token** | Smart-1 Cloud token to connect automatically ***Gateway*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a | + | | | | | | + | **sic_key** | The Secure Internal Communication one time secret used to set up trust between the gateway object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | n/a + | | | | | | + | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", 
"Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | n/a + | | | | | | + | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | n/a + | | | | | | + | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license | n/a + | | | | | | + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | | | | | | + | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120"; | n/a + | | | | | | + | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | "" + | | | | | | + | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | n/a + | | | | | | + | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | n/a + | | | | | | + | **enable_custom_metrics** | Indicates whether CloudGuard Metrics will be use for gateways monitoring | boolean | true;
false; | true + | | | | | | + | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | "/etc/cli.sh" + | | | | | | + | **installation_type** | Enables to select installation type- gateway/standalone | string | gateway;
standalone; | n/a + | | | | | | + | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here | string | | n/a + | | | | | | + | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | | n/a + | | | | | | + | **nsg_id** | Optional ID for a Network Security Group that already exists in Azure, if not provided, will create a default NSG | string | Existing NSG resource ID | "" + | | | | | | + | **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false; | false + | | | | | | + | **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs | [] + +## Conditional creation +- To enable CloudGuard metrics in order to send statuses and statistics collected from the gateway instance to the Azure Monitor service: + ``` + enable_custom_metrics = true + ``` + +## Example + client_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + client_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + tenant_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + subscription_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + source_image_vhd_uri = "noCustomUri" + resource_group_name = "checkpoint-single-gw-terraform" + single_gateway_name = "checkpoint-single-gw-terraform" + location = "eastus" + vnet_name = "checkpoint-single-gw-vnet" + vnet_resource_group = "existing-vnet-rg" + subnet_frontend_name = "frontend" + subnet_backend_name = "backend" + subnet_frontend_1st_Address = "10.0.1.4" + subnet_backend_1st_Address = "10.12.1.5" + management_GUI_client_network = "0.0.0.0/0" + admin_password = "xxxxxxxxxxxx" + smart_1_cloud_token = "xxxxxxxxxxxx" + sic_key = "xxxxxxxxxxxx" + vm_size = "Standard_D3_v2" + disk_size = "110" + vm_os_sku = "sg-byol" + vm_os_offer = "check-point-cg-r8110" + os_version = "R8110" + bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" + allow_upload_download = true + authentication_type = "Password" + enable_custom_metrics = true + admin_shell = "/etc/cli.sh" + installation_type = "gateway" + serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + nsg_id = "" + add_storage_account_ip_rules = false + storage_account_additional_ips = [] + +## Revision History +In order to check the template version refer to the 
[sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|---------------------------------------------------------------------------------------------------| +| 20240613 | - Updated Azure Terraform provider version
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Added accelerated networking to SGW Terraform templates
- Updated Public IP sku to Standard
- Added validation for os_version & os_offer | +| | | | +| 20230910 | - R81.20 is the default version | +| | | | +| 20230629 | First release of Check Point CloudGuard Network Security Single GW Terraform deployment for Azure | +| | | | + + + +## License + +See the [LICENSE](../../LICENSE) file for details + diff --git a/deprecated/terraform/azure/R8040-R81/single-gateway-existing-vnet/azure_public_key b/deprecated/terraform/azure/R8040-R81/single-gateway-existing-vnet/azure_public_key new file mode 100644 index 00000000..e69de29b diff --git a/deprecated/terraform/azure/R8040-R81/single-gateway-existing-vnet/cloud-init.sh b/deprecated/terraform/azure/R8040-R81/single-gateway-existing-vnet/cloud-init.sh new file mode 100644 index 00000000..71bf3916 --- /dev/null +++ b/deprecated/terraform/azure/R8040-R81/single-gateway-existing-vnet/cloud-init.sh @@ -0,0 +1,18 @@ +#!/usr/bin/python3 /etc/cloud_config.py + +installationType="${installation_type}" +allowUploadDownload="${allow_upload_download}" +osVersion="${os_version}" +templateName="${template_name}" +templateVersion="${template_version}" +templateType="${template_type}" +isBlink="${is_blink}" +bootstrapScript64="${bootstrap_script64}" +location="${location}" +adminShell="${admin_shell}" +sicKey="${sic_key}" +managementGUIClientNetwork="${management_GUI_client_network}" +smart1CloudToken="${smart_1_cloud_token}" +customMetrics="${enable_custom_metrics}" +passwordHash="${serial_console_password_hash}" +MaintenanceModePassword="${maintenance_mode_password_hash}" \ No newline at end of file diff --git a/deprecated/terraform/azure/R8040-R81/single-gateway-existing-vnet/main.tf b/deprecated/terraform/azure/R8040-R81/single-gateway-existing-vnet/main.tf new file mode 100644 index 00000000..5a61f135 --- /dev/null +++ b/deprecated/terraform/azure/R8040-R81/single-gateway-existing-vnet/main.tf 
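Review bot: The values in cloud-init.sh are substituted inside double quotes with no escaping, so a `sic_key`, `smart_1_cloud_token` or `management_GUI_client_network` value containing `"` would break the generated line, and the `$` characters in the hashes produced by `openssl passwd -6` and `grub2-mkpasswd-pbkdf2` (`passwordHash`, `MaintenanceModePassword`) are only safe if `/etc/cloud_config.py` does not apply shell-style expansion, which I cannot tell from here. If the consumer is a plain key=value parser, a comment at the top of the template saying so would document the assumption; otherwise the base64-before-substitution approach already used for `bootstrapScript64` would sidestep the quoting question for the hashes as well.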
@@ -0,0 +1,257 @@ +//********************** Providers **************************// +provider "azurerm" { + subscription_id = var.subscription_id + client_id = var.client_id + client_secret = var.client_secret + tenant_id = var.tenant_id + + features {} +} + +//********************** Basic Configuration **************************// +module "common" { + source = "../modules/common" + resource_group_name = var.resource_group_name + location = var.location + admin_password = var.admin_password + installation_type = var.installation_type + template_name = var.template_name + template_version = var.template_version + number_of_vm_instances = 1 + allow_upload_download = var.allow_upload_download + vm_size = var.vm_size + disk_size = var.disk_size + is_blink = var.is_blink + os_version = var.os_version + vm_os_sku = var.vm_os_sku + vm_os_offer = var.vm_os_offer + authentication_type = var.authentication_type + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash + storage_account_additional_ips = var.storage_account_additional_ips +} + +//********************** Networking **************************// +data "azurerm_subnet" "frontend_subnet" { + name = var.subnet_frontend_name + virtual_network_name = var.vnet_name + resource_group_name = var.vnet_resource_group +} + +data "azurerm_subnet" "backend_subnet" { + name = var.subnet_backend_name + virtual_network_name = var.vnet_name + resource_group_name = var.vnet_resource_group +} + +resource "azurerm_public_ip" "public-ip" { + name = var.single_gateway_name + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + allocation_method = var.vnet_allocation_method + sku = var.sku + idle_timeout_in_minutes = 30 + domain_name_label = join("", [ + lower(var.single_gateway_name), + "-", + random_id.randomId.hex]) +} + +module "network-security-group" { + source = "../modules/network-security-group" + 
count = var.nsg_id == "" ? 1 : 0 + resource_group_name = module.common.resource_group_name + security_group_name = "${module.common.resource_group_name}-nsg" + location = module.common.resource_group_location + security_rules = [ + { + name = "AllowAllInBound" + priority = "100" + direction = "Inbound" + access = "Allow" + protocol = "*" + source_port_ranges = "*" + destination_port_ranges = "*" + description = "Allow all inbound connections" + source_address_prefix = "*" + destination_address_prefix = "*" + } + ] +} + +resource "azurerm_network_interface_security_group_association" "security_group_association" { + depends_on = [azurerm_network_interface.nic] + network_interface_id = azurerm_network_interface.nic.id + network_security_group_id = var.nsg_id == "" ? module.network-security-group[0].network_security_group_id: var.nsg_id +} + +resource "azurerm_network_interface" "nic" { + depends_on = [ + azurerm_public_ip.public-ip] + name = "${var.single_gateway_name}-eth0" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + enable_ip_forwarding = true + enable_accelerated_networking = true + + + ip_configuration { + name = "ipconfig1" + subnet_id = data.azurerm_subnet.frontend_subnet.id + private_ip_address_allocation = var.vnet_allocation_method + private_ip_address = var.subnet_frontend_1st_Address + public_ip_address_id = azurerm_public_ip.public-ip.id + } +} + +resource "azurerm_network_interface" "nic1" { + depends_on = [] + name = "${var.single_gateway_name}-eth1" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + enable_ip_forwarding = true + enable_accelerated_networking = true + + + ip_configuration { + name = "ipconfig2" + subnet_id = data.azurerm_subnet.backend_subnet.id + private_ip_address_allocation = var.vnet_allocation_method + private_ip_address = var.subnet_backend_1st_Address + } +} + +//********************** Storage accounts 
**************************// +// Generate random text for a unique storage account name +resource "random_id" "randomId" { + keepers = { + # Generate a new ID only when a new resource group is defined + resource_group = module.common.resource_group_name + } + byte_length = 8 +} +resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { + name = "bootdiag${random_id.randomId.hex}" + resource_group_name = module.common.resource_group_name + location = module.common.resource_group_location + account_tier = module.common.storage_account_tier + account_replication_type = module.common.account_replication_type + account_kind = "Storage" + network_rules { + default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow" + ip_rules = module.common.storage_account_ip_rules + } + blob_properties { + delete_retention_policy { + days = "15" + } + } + +} + +//********************** Virtual Machines **************************// +locals { + SSH_authentication_type_condition = var.authentication_type == "SSH Public Key" ? true : false + custom_image_condition = var.source_image_vhd_uri == "noCustomUri" ? false : true +} + +resource "azurerm_image" "custom-image" { + count = local.custom_image_condition ? 
1 : 0 + name = "custom-image" + location = var.location + resource_group_name = module.common.resource_group_name + + os_disk { + os_type = "Linux" + os_state = "Generalized" + blob_uri = var.source_image_vhd_uri + } +} + +resource "azurerm_virtual_machine" "single-gateway-vm-instance" { + depends_on = [ + azurerm_network_interface.nic, + azurerm_network_interface.nic1] + location = module.common.resource_group_location + name = var.single_gateway_name + network_interface_ids = [ + azurerm_network_interface.nic.id, + azurerm_network_interface.nic1.id] + resource_group_name = module.common.resource_group_name + vm_size = module.common.vm_size + delete_os_disk_on_termination = module.common.delete_os_disk_on_termination + primary_network_interface_id = azurerm_network_interface.nic.id + + identity { + type = module.common.vm_instance_identity + } + + dynamic "plan" { + for_each = local.custom_image_condition ? [ + ] : [1] + content { + name = module.common.vm_os_sku + publisher = module.common.publisher + product = module.common.vm_os_offer + } + } + + boot_diagnostics { + enabled = module.common.boot_diagnostics + storage_uri = module.common.boot_diagnostics ? 
join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : "" + } + + os_profile { + computer_name = var.single_gateway_name + admin_username = module.common.admin_username + admin_password = module.common.admin_password + custom_data = templatefile("${path.module}/cloud-init.sh", { + installation_type = module.common.installation_type + allow_upload_download = module.common.allow_upload_download + os_version = module.common.os_version + template_name = module.common.template_name + template_version = module.common.template_version + template_type = "terraform" + is_blink = module.common.is_blink + bootstrap_script64 = base64encode(var.bootstrap_script) + location = module.common.resource_group_location + admin_shell = var.admin_shell + sic_key = var.sic_key + management_GUI_client_network = var.management_GUI_client_network + smart_1_cloud_token = var.smart_1_cloud_token + enable_custom_metrics = var.enable_custom_metrics ? "yes" : "no" + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash + }) + } + + + os_profile_linux_config { + disable_password_authentication = local.SSH_authentication_type_condition + + dynamic "ssh_keys" { + for_each = local.SSH_authentication_type_condition ? [ + 1] : [] + content { + path = "/home/notused/.ssh/authorized_keys" + key_data = file("${path.module}/azure_public_key") + } + } + } + + storage_image_reference { + id = local.custom_image_condition ? azurerm_image.custom-image[0].id : null + publisher = local.custom_image_condition ? 
null : module.common.publisher + offer = module.common.vm_os_offer + sku = module.common.vm_os_sku + version = module.common.vm_os_version + } + + storage_os_disk { + name = var.single_gateway_name + create_option = module.common.storage_os_disk_create_option + caching = module.common.storage_os_disk_caching + managed_disk_type = module.common.storage_account_type + disk_size_gb = module.common.disk_size + } +} diff --git a/deprecated/terraform/azure/R8040-R81/single-gateway-existing-vnet/terraform.tfvars b/deprecated/terraform/azure/R8040-R81/single-gateway-existing-vnet/terraform.tfvars new file mode 100644 index 00000000..0a186633 --- /dev/null +++ b/deprecated/terraform/azure/R8040-R81/single-gateway-existing-vnet/terraform.tfvars 
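Review bot: The default security group built by `module "network-security-group"` holds a single rule, `AllowAllInBound` with `source_address_prefix = "*"` and `destination_port_ranges = "*"`, and `security_group_association` attaches it to `nic`, the interface that carries `azurerm_public_ip.public-ip`; whenever `nsg_id` is left empty, every port of the gateway is therefore reachable from any source at the Azure network layer. If that is deliberate because the CloudGuard gateway enforces its own policy, record it in the rule itself, e.g. `description = "Allow all inbound; traffic is filtered by the gateway's own security policy"`, otherwise scope the rule or add one that limits management access to `var.management_GUI_client_network`, which the template already collects for the cloud-init data. Separately, `depends_on = []` on `nic1` is a no-op and can be dropped, and `azurerm_public_ip.public-ip` reuses `var.vnet_allocation_method` for its `allocation_method`, which a reader may not expect from a variable named for the VNet.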
@@ -0,0 +1,35 @@
+ #PLEASE refer to the README.md for accepted values for the variables below
+client_secret = "PLEASE ENTER CLIENT SECRET" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+client_id = "PLEASE ENTER CLIENT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+tenant_id = "PLEASE ENTER TENANT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+subscription_id = "PLEASE ENTER SUBSCRIPTION ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+source_image_vhd_uri = "PLEASE ENTER SOURCE IMAGE VHD URI OR noCustomUri" # "noCustomUri"
+resource_group_name = "PLEASE ENTER RESOURCE GROUP NAME" # "checkpoint-single-terraform"
+single_gateway_name = "PLEASE ENTER GW NAME" # "checkpoint-single-terraform"
+location = "PLEASE ENTER LOCATION" # "eastus"
+vnet_name = "PLEASE ENTER VIRTUAL NETWORK NAME" # "checkpoint-single-vnet"
+vnet_resource_group = "PLEASE ENTER VIRTUAL NETWORK RG NAME" # "existing-vnet-rg"
+subnet_frontend_name = "PLEASE ENTER VIRTUAL NETWORK FRONTEND SUBNET NAME" # "frontend"
+subnet_backend_name = "PLEASE ENTER VIRTUAL NETWORK BACKEND SUBNET NAME" # "backend"
+subnet_frontend_1st_Address = "PLEASE ENTER VIRTUAL NETWORK FRONTEND SUBNET FIRST ADDRESS" # "10.0.1.4"
+subnet_backend_1st_Address = "PLEASE ENTER VIRTUAL NETWORK BACKEND SUBNET FIRST ADDRESS" # "10.0.2.5"
+management_GUI_client_network = "PLEASE ENTER A MANAGEMENT GUI CLIENT NETWORK" # "0.0.0.0/0"
+admin_password = "PLEASE ENTER ADMIN PASSWORD" # "xxxxxxxxxxxx"
+smart_1_cloud_token = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL" # ""
+sic_key = "PLEASE ENTER SIC KEY" # "xxxxxxxxxxxx"
+vm_size = "PLEASE ENTER VM SIZE" # "Standard_D3_v2"
+disk_size = "PLEASE ENTER DISK SIZE" # "110"
+vm_os_sku = "PLEASE ENTER VM SKU" # "sg-byol"
+vm_os_offer = "PLEASE ENTER VM OFFER" # "check-point-cg-r8110"
+os_version = "PLEASE ENTER GAIA OS VERSION" # "R8110"
+bootstrap_script = "PLEASE ENTER CUSTOM SCRIPT OR LEAVE EMPTY DOUBLE QUOTES" # "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
+allow_upload_download = "PLEASE ENTER true or false" # true
+authentication_type = "PLEASE ENTER AUTHENTICATION TYPE" # "Password"
+enable_custom_metrics = "PLEASE ENTER true or false" # true
+admin_shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh"
+installation_type = "PLEASE ENTER INSTALLATION TYPE" # "gateway"
+serial_console_password_hash = "PLEASE ENTER SERIAL CONSOLE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+nsg_id = "PLEASE ENTER NETWORK SECURITY GROUP ID" # ""
+add_storage_account_ip_rules = "PLEASE ENTER true or false" # false
+storage_account_additional_ips = "PLEASE ENTER A LIST OF VALID IPS/CIDRS" # []
diff --git a/deprecated/terraform/azure/R8040-R81/single-gateway-existing-vnet/variables.tf b/deprecated/terraform/azure/R8040-R81/single-gateway-existing-vnet/variables.tf
new file mode 100644
index 00000000..dd4dc15e
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/single-gateway-existing-vnet/variables.tf
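Review bot: The placeholders for `client_secret`, `admin_password`, `sic_key`, `smart_1_cloud_token` and the two password hashes invite users to type live secrets into a file that is tracked in the repository, and nothing in the file points at the alternative the companion README describes. A comment next to the first line, such as `# Secrets can also be supplied as TF_VAR_<name> environment variables; keep a populated copy of this file out of version control`, would put that guidance where the values are entered. The placeholders for the `type = bool` and `list(string)` variables (`allow_upload_download`, `enable_custom_metrics`, `add_storage_account_ip_rules`, `storage_account_additional_ips`) are strings, so `terraform plan` rejects the file until they are replaced, which is presumably intended but worth a word in the same comment.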
@@ -0,0 +1,281 @@ +//********************** Basic Configuration Variables **************************// +variable "single_gateway_name" { + description = "Single gateway name" + type = string +} + +variable "resource_group_name" { + description = "Azure Resource Group name to build into" + type = string +} + +variable "location" { + description = "The location/region where resource will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions" + type = string +} + + +//********************** Virtual Machine Instances Variables **************************// +variable "source_image_vhd_uri" { + type = string + description = "The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images." + default = "noCustomUri" +} + +variable "admin_username" { + description = "Administrator username of deployed VM. Due to Azure limitations 'notused' name can be used" + default = "notused" +} + +variable "admin_password" { + description = "Administrator password of deployed Virtual Machine. 
The password must meet the complexity requirements of Azure" + type = string +} + +variable "serial_console_password_hash" { + description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type" + type = string +} + +variable "maintenance_mode_password_hash" { + description = "Maintenance mode password hash, relevant only for R81.20 and higher versions" + type = string +} + +variable "smart_1_cloud_token" { + description = "Smart-1 Cloud Token" + type = string +} + +variable "authentication_type" { + description = "Specifies whether a password authentication or SSH Public Key authentication should be used" + type = string +} +locals { // locals for 'authentication_type' allowed values + authentication_type_allowed_values = [ + "Password", + "SSH Public Key" + ] + // will fail if [var.authentication_type] is invalid: + validate_authentication_type_value = index(local.authentication_type_allowed_values, var.authentication_type) +} + +variable "template_name" { + description = "Template name. Should be defined according to deployment type(mgmt, ha, vmss, sg)" + type = string + default = "single" +} + +variable "template_version" { + description = "Template version. It is recommended to always use the latest template version" + type = string + default = "20230910" +} + +variable "installation_type" { + description = "Installation type" + type = string + default = "gateway" +} + +locals { // locals for 'installation_type' allowed values + installation_type_allowed_values = [ + "gateway", + "standalone" + ] +} + +variable "vm_size" { + description = "Specifies size of Virtual Machine" + type = string +} + +variable "disk_size" { + description = "Storage data disk size size(GB). 
Select a number between 100 and 3995" + type = string +} + +variable "os_version" { + description = "GAIA OS version" + type = string +} + +locals { // locals for 'vm_os_offer' allowed values + os_version_allowed_values = [ + "R8040", + "R81", + "R8110", + "R8120" + ] + // will fail if [var.os_version] is invalid: + validate_os_version_value = index(local.os_version_allowed_values, var.os_version) +} + +variable "vm_os_sku" { + description = "The sku of the image to be deployed." + type = string +} + +variable "vm_os_offer" { + description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8040, check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" + type = string +} + +locals { // locals for 'vm_os_offer' allowed values + vm_os_offer_allowed_values = [ + "check-point-cg-r8040", + "check-point-cg-r81", + "check-point-cg-r8110", + "check-point-cg-r8120" + ] + // will fail if [var.vm_os_offer] is invalid: + validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer) +} + +variable "allow_upload_download" { + description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + type = bool +} + +variable "enable_custom_metrics" { + description = "Indicates whether CloudGuard Metrics will be use for Cluster members monitoring." 
+ type = bool + default = true +} + +variable "is_blink" { + description = "Define if blink image is used for deployment" + default = true +} + +variable "admin_shell" { + description = "The admin shell to configure on machine or the first time" + type = string + default = "/etc/cli.sh" +} + +locals { + admin_shell_allowed_values = [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh" + ] + // Will fail if [var.admin_shell] is invalid + validate_admin_shell_value = index(local.admin_shell_allowed_values, var.admin_shell) +} + +//********************** Networking Variables **************************// +variable "vnet_name" { + description = "Virtual Network name" + type = string +} + +variable "subnet_frontend_name" { + description = "management subnet name" + type = string +} + +variable "subnet_backend_name" { + description = "management subnet name" + type = string +} + +variable "subnet_frontend_1st_Address" { + description = "The first available address of the frontend subnet" + type = string +} + +variable "subnet_backend_1st_Address" { + description = "The first available address of the backend subnet" + type = string +} + +variable "vnet_resource_group" { + description = "Resource group of existing vnet" + type = string +} + +variable "vnet_allocation_method" { + description = "IP address allocation method" + type = string + default = "Static" +} + +variable "management_GUI_client_network" { + description = "Allowed GUI clients - GUI clients network CIDR" + type = string +} + +locals { + regex_valid_single_GUI_client_network = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))$" + // Will fail if var.management_GUI_client_network is invalid + regex_single_GUI_client_network = regex(local.regex_valid_single_GUI_client_network, var.management_GUI_client_network) == var.management_GUI_client_network ? 0 : "Variable [management_GUI_client_network] must be a valid IPv4 network CIDR." 
+ + + regex_valid_subnet_1st_Address = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$" + // Will fail if var.subnet_1st_Address is invalid + regex_subnet_frontend_1st_Address = regex(local.regex_valid_subnet_1st_Address, var.subnet_frontend_1st_Address) == var.subnet_frontend_1st_Address ? 0 : "Variable [subnet_1st_Address] must be a valid address." + + regex_subnet_backend_1st_Address = regex(local.regex_valid_subnet_1st_Address, var.subnet_backend_1st_Address) == var.subnet_backend_1st_Address ? 0 : "Variable [subnet_1st_Address] must be a valid address." +} + +variable "bootstrap_script" { + description = "An optional script to run on the initial boot" + default = "" + type = string + #example: + #"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" +} + +variable "nsg_id" { + description = "NSG ID - Optional - if empty use default NSG" + default = "" +} + +variable "add_storage_account_ip_rules" { + type = bool + default = false + description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location" +} + +variable "storage_account_additional_ips" { + type = list(string) + description = "IPs/CIDRs that are allowed access to the Storage Account" + default = [] +} + +//********************** Credentials **************************// +variable "tenant_id" { + description = "Tenant ID" + type = string +} + +variable "subscription_id" { + description = "Subscription ID" + type = string +} + +variable "client_id" { + description = "Application ID(Client ID)" + type = string +} + +variable "client_secret" { + description = "A secret string that the application uses to prove its identity when requesting a token. Also can be referred to as application password." + type = string +} + +variable "sic_key" { + type = string +} + +resource "null_resource" "sic_key_invalid" { + count = length(var.sic_key) >= 12 ? 
0 : "SIC key must be at least 12 characters long" +} + +variable "sku" { + description = "SKU" + type = string + default = "Standard" +} \ No newline at end of file diff --git a/deprecated/terraform/azure/R8040-R81/single-gateway-existing-vnet/versions.tf b/deprecated/terraform/azure/R8040-R81/single-gateway-existing-vnet/versions.tf new file mode 100644 index 00000000..0d5ca4f3 --- /dev/null +++ b/deprecated/terraform/azure/R8040-R81/single-gateway-existing-vnet/versions.tf @@ -0,0 +1,12 @@ +terraform { + required_version = ">= 0.14.3" + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = "~> 3.81.0" + } + random = { + version = "~> 3.5.1" + } + } +} \ No newline at end of file diff --git a/deprecated/terraform/azure/R8040-R81/single-gateway-new-vnet/README.md b/deprecated/terraform/azure/R8040-R81/single-gateway-new-vnet/README.md new file mode 100644 index 00000000..d4d821ac --- /dev/null +++ b/deprecated/terraform/azure/R8040-R81/single-gateway-new-vnet/README.md 
@@ -0,0 +1,197 @@ +# Check Point CloudGuard Network Security Single Gateway Terraform deployment for Azure + +This Terraform module deploys Check Point CloudGuard Network Security Single Gateway solution into a new Vnet in Azure. +As part of the deployment the following resources are created: +- Resource group +- Virtual network +- Network security group +- System assigned identity + + +This solution uses the following modules: +- /terraform/azure/modules/common - used for creating a resource group and defining common variables. +- /terraform/azure/modules/vnet - used for creating new virtual network and subnets. +- /terraform/azure/modules/network-security-group - used for creating new network security groups and rules. + + +## Configurations +- Install and configure Terraform to provision Azure resources: [Configure Terraform for Azure](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/terraform-install-configure) +- In order to use ssh connection to VMs, it is **required** to add a public key to the /terraform/azure/single-gateway-new-vnet/azure_public_key file. + +## Usage +- Choose the preferred login method to Azure in order to deploy the solution: +
1. Using Service Principal: + - Create a [Service Principal](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal) (or use the existing one) + - Grant the Service Principal at least "**Managed Application Contributor**", "**Storage Account Contributor**", "**Network Contributor**", "**Virtual Machine Contributor**" permissions to the Azure subscription
+ - The Service Principal credentials can be stored either in the terraform.tfvars or as [Environment Variables](https://www.terraform.io/docs/providers/azuread/guides/service_principal_client_secret.html)
+ + In case the Environment Variables are used, perform modifications described below:
+ + a. The next lines in the main.tf file, in the provider azurerm resource, need to be deleted or commented: + + provider "azurerm" { + + // subscription_id = var.subscription_id + // client_id = var.client_id + // client_secret = var.client_secret + // tenant_id = var.tenant_id + + features {} + } + + b. In the terraform.tfvars file leave empty double quotes for client_secret, client_id , tenant_id and subscription_id variables: + + client_secret = "" + client_id = "" + tenant_id = "" + subscription_id = "" + +
2. Using **az** commands from a command-line: + - Run **az login** command + - Sign in with your account credentials in the browser + - [Accept Azure Marketplace image terms](https://docs.microsoft.com/en-us/cli/azure/vm/image/terms?view=azure-cli-latest) by running: +
**az vm image terms accept --urn publisher:offer:sku:version**, where: + - publisher = checkpoint; + - offer = vm_os_offer (see accepted values in the table below); + - sku = vm_os_sku (see accepted values in the table below); + - version = latest
+
Example:
+ az vm image terms accept --urn checkpoint:check-point-cg-r8040:sg-byol:latest + + - In the terraform.tfvars file leave empty double quotes for client_secret, client_id and tenant_id variables. + +- Fill all variables in the /terraform/azure/single-gateway-new-vnet/terraform.tfvars file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + + terraform init +- Create an execution plan: + + terraform plan +- Create or modify the deployment: + + terraform apply + +### terraform.tfvars variables: + | Name | Description | Type | Allowed values | Default | + |---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- | ------------- |----------------| ------------- | + | **client_secret** | The client secret value of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **client_id** | The client ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | | n/a + | | | | | | + | **source_image_vhd_uri** | The URI of the blob containing the development image. 
Please use noCustomUri if you want to use marketplace images | string | | "noCustomUri" + | | | | | | + | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | n/a + | | | | | | + | **single_gateway_name** | The name of the Check Point single GW Object | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long | n/a + | | | | | | + | **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | n/a + | | | | | | + | **vnet_name** | The name of virtual network that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | n/a + | | | | | | + | **address_space** | The address prefixes of the virtual network | string | Valid CIDR block | "10.12.0.0/16" + | | | | | | + | **frontend_subnet_prefix** | The address prefix to be used for created frontend subnet | string | The subnets need to contain within the address space for this virtual network(defined by address_space variable) | "10.12.0.0/24" + | | | | | | + | **backend_subnet_prefix** | The address prefix to be used for created backend subnet | string | The subnets need to contain within the address space for this virtual network(defined by address_space variable) | "10.12.1.0/24" + | | | | | | + | **management_GUI_client_network** | Allowed GUI clients - GUI clients network CIDR | string | | n/a + | | | | | | + | **admin_password** | The password associated with the local administrator account on the gateway | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | n/a + | | | | | | + | 
**smart_1_cloud_token** | Smart-1 Cloud token to connect automatically ***Gateway*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a + | | | | | | + | **sic_key** | The Secure Internal Communication one time secret used to set up trust between the gateway object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | n/a + | | | | | | + | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", 
"Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | n/a + | | | | | | + | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | n/a + | | | | | | + | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license | n/a + | | | | | | + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | | | | | | + | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120"; | n/a | + | | | | | | + | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | "" + | | | | | | + | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | n/a + | | | | | | + | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | n/a + | | | | | | + | **enable_custom_metrics** | Indicates whether CloudGuard Metrics will be use for gateway monitoring | boolean | true;
false; | true + | | | | | | + | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | "/etc/cli.sh" + | | | | | | + | **installation_type** | Enables to select installation type- gateway/standalone | string | gateway;
standalone; | n/a | string | gateway;
standalone; | + | | | | | | + | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here | string | | n/a + | | | | | | + | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | | n/a + | | | | | | + | **nsg_id** | Optional ID for a Network Security Group that already exists in Azure, if isn't provided will create a default NSG | string | Existing NSG resource ID | "" + | | | | | | + | **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false; | false + | | | | | | + | **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs | [] + +## Conditional creation +- To enable CloudGuard metrics in order to send statuses and statistics collected from the gateway instance to the Azure Monitor service: + ``` + enable_custom_metrics = true + ``` + +## Example + client_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + client_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + tenant_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + subscription_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + source_image_vhd_uri = "noCustomUri" + resource_group_name = "checkpoint-single-gw-terraform" + single_gateway_name = "checkpoint-single-gw-terraform" + location = "eastus" + vnet_name = "checkpoint-single-gw-vnet" + address_space = "10.0.0.0/16" + frontend_subnet_prefix = "10.0.1.0/24" + backend_subnet_prefix = "10.0.2.0/24" + management_GUI_client_network = "0.0.0.0/0" + admin_password = "xxxxxxxxxxxx" + smart_1_cloud_token = "xxxxxxxxxxxx" + sic_key = "xxxxxxxxxxxx" + vm_size = "Standard_D3_v2" + disk_size = "110" + vm_os_sku = "sg-byol" + vm_os_offer = "check-point-cg-r8110" + os_version = "R8110" + bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" + allow_upload_download = true + authentication_type = "Password" + enable_custom_metrics = true + admin_shell = "/etc/cli.sh" + installation_type = "gateway" + serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + nsg_id = "" + add_storage_account_ip_rules = false + storage_account_additional_ips = [] + +## Revision History +In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | 
+|------------------|---------------------------------------------------------------------------------------------------| +| 20240613 | - Updated Azure Terraform provider version
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Added accelerated networking to SGW Terraform templates
- Updated Public IP sku to Standard
- Added validation for os_version & os_offer |
+| | | | | |
+| 20230910 | - R81.20 is the default version |
+| | | |
+| 20230629 | First release of Check Point CloudGuard Network Security Single GW Terraform deployment for Azure |
+| | | |
+
+
+## License
+
+See the [LICENSE](../../LICENSE) file for details
+
diff --git a/deprecated/terraform/azure/R8040-R81/single-gateway-new-vnet/azure_public_key b/deprecated/terraform/azure/R8040-R81/single-gateway-new-vnet/azure_public_key
new file mode 100644
index 00000000..e69de29b
diff --git a/deprecated/terraform/azure/R8040-R81/single-gateway-new-vnet/cloud-init.sh b/deprecated/terraform/azure/R8040-R81/single-gateway-new-vnet/cloud-init.sh
new file mode 100644
index 00000000..71bf3916
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/single-gateway-new-vnet/cloud-init.sh
@@ -0,0 +1,18 @@
+#!/usr/bin/python3 /etc/cloud_config.py
+
+installationType="${installation_type}"
+allowUploadDownload="${allow_upload_download}"
+osVersion="${os_version}"
+templateName="${template_name}"
+templateVersion="${template_version}"
+templateType="${template_type}"
+isBlink="${is_blink}"
+bootstrapScript64="${bootstrap_script64}"
+location="${location}"
+adminShell="${admin_shell}"
+sicKey="${sic_key}"
+managementGUIClientNetwork="${management_GUI_client_network}"
+smart1CloudToken="${smart_1_cloud_token}"
+customMetrics="${enable_custom_metrics}"
+passwordHash="${serial_console_password_hash}"
+MaintenanceModePassword="${maintenance_mode_password_hash}"
\ No newline at end of file
diff --git a/deprecated/terraform/azure/R8040-R81/single-gateway-new-vnet/main.tf b/deprecated/terraform/azure/R8040-R81/single-gateway-new-vnet/main.tf
new file mode 100644
index 00000000..b4642666
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/single-gateway-new-vnet/main.tf
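Review bot: `sicKey="${sic_key}"`, `smart1CloudToken="${smart_1_cloud_token}"`, `passwordHash=` and `MaintenanceModePassword=` receive their values verbatim from `templatefile()` with no escaping, so a value containing a double quote or a newline corrupts the generated file, and the only check on `sic_key` anywhere in this commit is the 12-character minimum in variables.tf. Since this file is the contract with /etc/cloud_config.py, a comment after the shebang stating that assumption would help, e.g. `# Values are substituted unescaped by templatefile(); sic_key, the Smart-1 Cloud token and the password hashes must not contain double quotes or newlines`. Everything here, including the one-time SIC key and the Smart-1 Cloud token, is also persisted as the VM's custom data and, as far as I know, stays readable from inside the guest through the instance metadata endpoint after first boot, which the single-gateway README in this commit does not mention.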
@@ -0,0 +1,256 @@
+//********************** Providers **************************//
+provider "azurerm" {
+ subscription_id = var.subscription_id
+ client_id = var.client_id
+ client_secret = var.client_secret
+ tenant_id = var.tenant_id
+
+ features {}
+}
+
+//********************** Basic Configuration **************************//
+module "common" {
+ source = "../modules/common"
+ resource_group_name = var.resource_group_name
+ location = var.location
+ admin_password = var.admin_password
+ installation_type = var.installation_type
+ template_name = var.template_name
+ template_version = var.template_version
+ number_of_vm_instances = 1
+ allow_upload_download = var.allow_upload_download
+ vm_size = var.vm_size
+ disk_size = var.disk_size
+ os_version = var.os_version
+ vm_os_sku = var.vm_os_sku
+ vm_os_offer = var.vm_os_offer
+ is_blink = var.is_blink
+ authentication_type = var.authentication_type
+ serial_console_password_hash = var.serial_console_password_hash
+ maintenance_mode_password_hash = var.maintenance_mode_password_hash
+ storage_account_additional_ips = var.storage_account_additional_ips
+}
+
+//********************** Networking **************************//
+module "vnet" {
+ source = "../modules/vnet"
+
+ vnet_name = var.vnet_name
+ resource_group_name = module.common.resource_group_name
+ location = module.common.resource_group_location
+ address_space = var.address_space
+ subnet_prefixes = [var.frontend_subnet_prefix, var.backend_subnet_prefix]
+ subnet_names = ["${var.single_gateway_name}-frontend-subnet", "${var.single_gateway_name}-backend-subnet"]
+ nsg_id = var.nsg_id == "" ? module.network-security-group[0].network_security_group_id: var.nsg_id
+}
+
+module "network-security-group" {
+ source = "../modules/network-security-group"
+ count = var.nsg_id == "" ? 1 : 0
+ resource_group_name = module.common.resource_group_name
+ security_group_name = "${module.common.resource_group_name}-nsg"
+ location = module.common.resource_group_location
+ security_rules = [
+ {
+ name = "AllowAllInBound"
+ priority = "100"
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "*"
+ source_port_ranges = "*"
+ destination_port_ranges = "*"
+ description = "Allow all inbound connections"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ }
+ ]
+}
+
+resource "azurerm_public_ip" "public-ip" {
+ name = var.single_gateway_name
+ location = module.common.resource_group_location
+ resource_group_name = module.common.resource_group_name
+ allocation_method = var.vnet_allocation_method
+ sku = var.sku
+ idle_timeout_in_minutes = 30
+ domain_name_label = join("", [
+ lower(var.single_gateway_name),
+ "-",
+ random_id.randomId.hex])
+}
+
+resource "azurerm_network_interface_security_group_association" "security_group_association" {
+ depends_on = [azurerm_network_interface.nic, module.network-security-group]
+ network_interface_id = azurerm_network_interface.nic.id
+ network_security_group_id = var.nsg_id == "" ? module.network-security-group[0].network_security_group_id: var.nsg_id
+}
+
+resource "azurerm_network_interface" "nic" {
+ depends_on = [
+ azurerm_public_ip.public-ip]
+ name = "${var.single_gateway_name}-eth0"
+ location = module.common.resource_group_location
+ resource_group_name = module.common.resource_group_name
+ enable_ip_forwarding = true
+ enable_accelerated_networking = true
+
+
+ ip_configuration {
+ name = "ipconfig1"
+ subnet_id = module.vnet.vnet_subnets[0]
+ private_ip_address_allocation = var.vnet_allocation_method
+ private_ip_address = cidrhost(var.frontend_subnet_prefix, 4)
+ public_ip_address_id = azurerm_public_ip.public-ip.id
+ }
+}
+
+resource "azurerm_network_interface" "nic1" {
+ depends_on = []
+ name = "${var.single_gateway_name}-eth1"
+ location = module.common.resource_group_location
+ resource_group_name = module.common.resource_group_name
+ enable_ip_forwarding = true
+ enable_accelerated_networking = true
+
+
+ ip_configuration {
+ name = "ipconfig2"
+ subnet_id = module.vnet.vnet_subnets[1]
+ private_ip_address_allocation = var.vnet_allocation_method
+ private_ip_address = cidrhost(var.backend_subnet_prefix, 4)
+ }
+}
+
+//********************** Storage accounts **************************//
+// Generate random text for a unique storage account name
+resource "random_id" "randomId" {
+ keepers = {
+ # Generate a new ID only when a new resource group is defined
+ resource_group = module.common.resource_group_name
+ }
+ byte_length = 8
+}
+resource "azurerm_storage_account" "vm-boot-diagnostics-storage" {
+ name = "bootdiag${random_id.randomId.hex}"
+ resource_group_name = module.common.resource_group_name
+ location = module.common.resource_group_location
+ account_tier = module.common.storage_account_tier
+ account_replication_type = module.common.account_replication_type
+ account_kind = "Storage"
+ network_rules {
+ default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow"
+ ip_rules = module.common.storage_account_ip_rules
+ }
+ blob_properties {
+ delete_retention_policy {
+ days = "15"
+ }
+ }
+
+}
+
+//********************** Virtual Machines **************************//
+locals {
+ SSH_authentication_type_condition = var.authentication_type == "SSH Public Key" ? true : false
+ custom_image_condition = var.source_image_vhd_uri == "noCustomUri" ? false : true
+}
+
+resource "azurerm_image" "custom-image" {
+ count = local.custom_image_condition ? 1 : 0
+ name = "custom-image"
+ location = var.location
+ resource_group_name = module.common.resource_group_name
+
+ os_disk {
+ os_type = "Linux"
+ os_state = "Generalized"
+ blob_uri = var.source_image_vhd_uri
+ }
+}
+
+resource "azurerm_virtual_machine" "single-gateway-vm-instance" {
+ depends_on = [
+ azurerm_network_interface.nic,
+ azurerm_network_interface.nic1]
+ location = module.common.resource_group_location
+ name = var.single_gateway_name
+ network_interface_ids = [
+ azurerm_network_interface.nic.id,
+ azurerm_network_interface.nic1.id]
+ resource_group_name = module.common.resource_group_name
+ vm_size = module.common.vm_size
+ delete_os_disk_on_termination = module.common.delete_os_disk_on_termination
+ primary_network_interface_id = azurerm_network_interface.nic.id
+
+ identity {
+ type = module.common.vm_instance_identity
+ }
+
+ dynamic "plan" {
+ for_each = local.custom_image_condition ? [
+ ] : [1]
+ content {
+ name = module.common.vm_os_sku
+ publisher = module.common.publisher
+ product = module.common.vm_os_offer
+ }
+ }
+
+ boot_diagnostics {
+ enabled = module.common.boot_diagnostics
+ storage_uri = module.common.boot_diagnostics ? join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : ""
+ }
+
+ os_profile {
+ computer_name = var.single_gateway_name
+ admin_username = module.common.admin_username
+ admin_password = module.common.admin_password
+ custom_data = templatefile("${path.module}/cloud-init.sh", {
+ installation_type = module.common.installation_type
+ allow_upload_download = module.common.allow_upload_download
+ os_version = module.common.os_version
+ template_name = module.common.template_name
+ template_version = module.common.template_version
+ template_type = "terraform"
+ is_blink = module.common.is_blink
+ bootstrap_script64 = base64encode(var.bootstrap_script)
+ location = module.common.resource_group_location
+ admin_shell = var.admin_shell
+ sic_key = var.sic_key
+ management_GUI_client_network = var.management_GUI_client_network
+ smart_1_cloud_token = var.smart_1_cloud_token
+ enable_custom_metrics = var.enable_custom_metrics ? "yes" : "no"
+ serial_console_password_hash = var.serial_console_password_hash
+ maintenance_mode_password_hash = var.maintenance_mode_password_hash
+ })
+ }
+
+ os_profile_linux_config {
+ disable_password_authentication = local.SSH_authentication_type_condition
+
+ dynamic "ssh_keys" {
+ for_each = local.SSH_authentication_type_condition ? [
+ 1] : []
+ content {
+ path = "/home/notused/.ssh/authorized_keys"
+ key_data = file("${path.module}/azure_public_key")
+ }
+ }
+ }
+
+ storage_image_reference {
+ id = local.custom_image_condition ? azurerm_image.custom-image[0].id : null
+ publisher = local.custom_image_condition ? null : module.common.publisher
+ offer = module.common.vm_os_offer
+ sku = module.common.vm_os_sku
+ version = module.common.vm_os_version
+ }
+
+ storage_os_disk {
+ name = var.single_gateway_name
+ create_option = module.common.storage_os_disk_create_option
+ caching = module.common.storage_os_disk_caching
+ managed_disk_type = module.common.storage_account_type
+ disk_size_gb = module.common.disk_size
+ }
+}
diff --git a/deprecated/terraform/azure/R8040-R81/single-gateway-new-vnet/terraform.tfvars b/deprecated/terraform/azure/R8040-R81/single-gateway-new-vnet/terraform.tfvars
new file mode 100644
index 00000000..636e9491
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/single-gateway-new-vnet/terraform.tfvars
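Review bot: The `network-security-group` module created when `nsg_id` is empty carries a single rule, `AllowAllInBound` at priority 100 with protocol `*`, source `*` and all ports, and that NSG is attached to both subnets through `module.vnet` and to eth0 through `security_group_association`, so without a user-supplied NSG the deployment is open at the Azure layer to every source and `management_GUI_client_network` only reaches the gateway through cloud-init, never the NSG. Whether the gateway's own policy is meant to be the sole filter cannot be told from this hunk; if it is, saying so on the rule would stop operators from treating the NSG as a control, e.g. `description = "Allow all inbound connections; traffic filtering is performed by the CloudGuard gateway policy"`. Separately, `azurerm_image.custom-image` uses `location = var.location` while every other resource in the file uses `module.common.resource_group_location`; using the module output keeps the image in the same region as the resource group it is placed in.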
@@ -0,0 +1,33 @@
+#PLEASE refer to the README.md for accepted values for the variables below
+client_secret = "PLEASE ENTER CLIENT SECRET" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+client_id = "PLEASE ENTER CLIENT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+tenant_id = "PLEASE ENTER TENANT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+subscription_id = "PLEASE ENTER SUBSCRIPTION ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+source_image_vhd_uri = "PLEASE ENTER SOURCE IMAGE VHD URI OR noCustomUri" # "noCustomUri"
+resource_group_name = "PLEASE ENTER RESOURCE GROUP NAME" # "checkpoint-single-terraform"
+single_gateway_name = "PLEASE ENTER GW NAME" # "checkpoint-single-terraform"
+location = "PLEASE ENTER LOCATION" # "eastus"
+vnet_name = "PLEASE ENTER VIRTUAL NETWORK NAME" # "checkpoint-single-vnet"
+address_space = "PLEASE ENTER VIRTUAL NETWORK ADDRESS SPACE" # "10.0.0.0/16"
+frontend_subnet_prefix = "PLEASE ENTER ADDRESS PREFIX FOR FRONTEND SUBNET" # "10.0.0.0/24"
+backend_subnet_prefix = "PLEASE ENTER ADDRESS PREFIX FOR BACKEND SUBNET" # "10.0.1.0/24"
+management_GUI_client_network = "PLEASE ENTER A MANAGEMENT GUI CLIENT NETWORK" # "0.0.0.0/0"
+admin_password = "PLEASE ENTER ADMIN PASSWORD" # "xxxxxxxxxxxx"
+smart_1_cloud_token = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL" # ""
+sic_key = "PLEASE ENTER SIC KEY" # "xxxxxxxxxxxx"
+vm_size = "PLEASE ENTER VM SIZE" # "Standard_D3_v2"
+disk_size = "PLEASE ENTER DISK SIZE" # "110"
+vm_os_sku = "PLEASE ENTER VM SKU" # "sg-byol"
+vm_os_offer = "PLEASE ENTER VM OFFER" # "check-point-cg-r8110"
+os_version = "PLEASE ENTER GAIA OS VERSION" # "R8110"
+bootstrap_script = "PLEASE ENTER CUSTOM SCRIPT OR LEAVE EMPTY DOUBLE QUOTES" # "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
+allow_upload_download = "PLEASE ENTER true or false" # true
+authentication_type = "PLEASE ENTER AUTHENTICATION TYPE" # "Password"
+enable_custom_metrics = "PLEASE ENTER true or false" # true
+admin_shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh"
+installation_type = "PLEASE ENTER INSTALLATION TYPE" # "gateway"
+serial_console_password_hash = "PLEASE ENTER SERIAL CONSOLE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+nsg_id = "PLEASE ENTER NETWORK SECURITY GROUP ID" # ""
+add_storage_account_ip_rules = "PLEASE ENTER true or false" # false
+storage_account_additional_ips = "PLEASE ENTER A LIST OF VALID IPS/CIDRS" # []
\ No newline at end of file
diff --git a/deprecated/terraform/azure/R8040-R81/single-gateway-new-vnet/variables.tf b/deprecated/terraform/azure/R8040-R81/single-gateway-new-vnet/variables.tf
new file mode 100644
index 00000000..65076afc
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/single-gateway-new-vnet/variables.tf
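Review bot: `terraform.tfvars` is auto-loaded by Terraform and this template seeds it with plaintext slots for `client_secret`, `admin_password`, `sic_key` and `smart_1_cloud_token`, so once filled it is a secrets file sitting in the working tree; whether the `.gitignore` added by this commit excludes it is not visible from this hunk. A second header line pointing at the alternative the README already describes would help, e.g. `#client_secret, admin_password, sic_key and smart_1_cloud_token can instead be supplied as TF_VAR_<name> environment variables; do not commit this file once filled in`. The placeholders for `allow_upload_download`, `enable_custom_metrics` and `add_storage_account_ip_rules` (declared `bool`) and for `storage_account_additional_ips` (declared `list(string)`) are strings, so an unfilled file fails with a type-conversion error rather than a clear "please fill in" message; acceptable as a forcing function, but worth a word in the header comment.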
@@ -0,0 +1,280 @@
+//********************** Basic Configuration Variables **************************//
+variable "single_gateway_name" {
+ description = "Single gateway name"
+ type = string
+}
+
+variable "resource_group_name" {
+ description = "Azure Resource Group name to build into"
+ type = string
+}
+
+variable "location" {
+ description = "The location/region where resource will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions"
+ type = string
+}
+
+//********************** Virtual Machine Instances Variables **************************//
+variable "source_image_vhd_uri" {
+ type = string
+ description = "The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images."
+ default = "noCustomUri"
+}
+
+variable "admin_username" {
+ description = "Administrator username of deployed VM. Due to Azure limitations 'notused' name can be used"
+ default = "notused"
+}
+
+variable "admin_password" {
+ description = "Administrator password of deployed Virtual Machine. The password must meet the complexity requirements of Azure"
+ type = string
+}
+
+variable "smart_1_cloud_token" {
+ description = "Smart-1 Cloud Token"
+ type = string
+}
+
+variable "serial_console_password_hash" {
+ description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type"
+ type = string
+}
+
+variable "maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash, relevant only for R81.20 and higher versions"
+ type = string
+}
+
+variable "authentication_type" {
+ description = "Specifies whether a password authentication or SSH Public Key authentication should be used"
+ type = string
+}
+locals { // locals for 'authentication_type' allowed values
+ authentication_type_allowed_values = [
+ "Password",
+ "SSH Public Key"
+ ]
+ // will fail if [var.authentication_type] is invalid:
+ validate_authentication_type_value = index(local.authentication_type_allowed_values, var.authentication_type)
+}
+
+variable "template_name" {
+ description = "Template name. Should be defined according to deployment type(mgmt, ha, vmss, sg)"
+ type = string
+ default = "single"
+}
+
+variable "template_version" {
+ description = "Template version. It is recommended to always use the latest template version"
+ type = string
+ default = "20230910"
+}
+
+variable "installation_type" {
+ description = "installation type"
+ type = string
+ default = "gateway"
+}
+
+locals { // locals for 'installation_type' allowed values
+ installation_type_allowed_values = [
+ "gateway",
+ "standalone"
+ ]
+}
+
+variable "vm_size" {
+ description = "Specifies size of Virtual Machine"
+ type = string
+}
+
+variable "disk_size" {
+ description = "Storage data disk size size(GB). Select a number between 100 and 3995"
+ type = string
+}
+
+variable "os_version" {
+ description = "GAIA OS version"
+ type = string
+}
+
+locals { // locals for 'vm_os_offer' allowed values
+ os_version_allowed_values = [
+ "R8040",
+ "R81",
+ "R8110",
+ "R8120"
+ ]
+ // will fail if [var.os_version] is invalid:
+ validate_os_version_value = index(local.os_version_allowed_values, var.os_version)
+}
+
+variable "vm_os_sku" {
+ description = "The sku of the image to be deployed."
+ type = string
+}
+
+variable "vm_os_offer" {
+ description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8040, check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120"
+ type = string
+}
+
+locals { // locals for 'vm_os_offer' allowed values
+ vm_os_offer_allowed_values = [
+ "check-point-cg-r8040",
+ "check-point-cg-r81",
+ "check-point-cg-r8110",
+ "check-point-cg-r8120"
+ ]
+ // will fail if [var.vm_os_offer] is invalid:
+ validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer)
+}
+
+variable "allow_upload_download" {
+ description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point"
+ type = bool
+}
+
+variable "enable_custom_metrics" {
+ description = "Indicates whether CloudGuard Metrics will be use for Cluster members monitoring."
+ type = bool
+ default = true
+}
+
+variable "is_blink" {
+ description = "Define if blink image is used for deployment"
+ default = true
+}
+
+variable "admin_shell" {
+ description = "The admin shell to configure on machine or the first time"
+ type = string
+ default = "/etc/cli.sh"
+}
+
+locals {
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"
+ ]
+ // Will fail if [var.admin_shell] is invalid
+ validate_admin_shell_value = index(local.admin_shell_allowed_values, var.admin_shell)
+}
+
+//********************** Networking Variables **************************//
+variable "vnet_name" {
+ description = "Virtual Network name"
+ type = string
+}
+
+variable "address_space" {
+ description = "The address space that is used by a Virtual Network."
+ type = string
+ default = "10.12.0.0/16"
+}
+
+variable "frontend_subnet_prefix" {
+ description = "Address prefix to be used for network frontend subnet"
+ type = string
+ default = "10.12.0.0/24"
+}
+
+variable "backend_subnet_prefix" {
+ description = "Address prefix to be used for network backend subnet"
+ type = string
+ default = "10.12.1.0/24"
+}
+
+variable "vnet_subnets" {
+ description = "Subnets in vnet"
+ type = list(string)
+ default = ["10.12.0.0/24", "10.12.1.0/24"]
+}
+
+variable "vnet_allocation_method" {
+ description = "IP address allocation method"
+ type = string
+ default = "Static"
+}
+
+variable "management_GUI_client_network" {
+ description = "Allowed GUI clients - GUI clients network CIDR"
+ type = string
+}
+
+variable "nsg_id" {
+ description = "NSG ID - Optional - if empty use default NSG"
+ default = ""
+}
+
+variable "add_storage_account_ip_rules" {
+ type = bool
+ default = false
+ description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location"
+}
+
+variable "storage_account_additional_ips" {
+ type = list(string)
+ description = "IPs/CIDRs that are allowed access to the Storage Account"
+ default = []
+}
+locals {
+ regex_valid_management_GUI_client_network = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))$"
+ // Will fail if var.management_GUI_client_network is invalid
+ regex_management_GUI_client_network = regex(local.regex_valid_management_GUI_client_network, var.management_GUI_client_network) == var.management_GUI_client_network ? 0 : "Variable [management_GUI_client_network] must be a valid IPv4 network CIDR."
+
+
+ regex_valid_network_cidr = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))|$"
+ // Will fail if var.address_space is invalid
+ regex_address_space = regex(local.regex_valid_network_cidr, var.address_space) == var.address_space ? 0 : "Variable [address_space] must be a valid address in CIDR notation."
+ // Will fail if var.subnet_prefix is invalid
+ regex_frontend_subnet_prefix = regex(local.regex_valid_network_cidr, var.frontend_subnet_prefix) == var.frontend_subnet_prefix ? 0 : "Variable [subnet_prefix] must be a valid address in CIDR notation."
+ // Will fail if var.subnet_prefix is invalid
+ regex_backend_subnet_prefix = regex(local.regex_valid_network_cidr, var.backend_subnet_prefix) == var.backend_subnet_prefix ? 0 : "Variable [subnet_prefix] must be a valid address in CIDR notation."
+}
+
+variable "bootstrap_script" {
+ description = "An optional script to run on the initial boot"
+ default = ""
+ type = string
+ #example:
+ #"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
+}
+
+//********************** Credentials **************************//
+variable "tenant_id" {
+ description = "Tenant ID"
+ type = string
+}
+
+variable "subscription_id" {
+ description = "Subscription ID"
+ type = string
+}
+
+variable "client_id" {
+ description = "Application ID(Client ID)"
+ type = string
+}
+
+variable "client_secret" {
+ description = "A secret string that the application uses to prove its identity when requesting a token. Also can be referred to as application password."
+ type = string
+}
+
+variable "sic_key" {
+ type = string
+}
+
+resource "null_resource" "sic_key_invalid" {
+ count = length(var.sic_key) >= 12 ? 0 : "SIC key must be at least 12 characters long"
+}
+
+variable "sku" {
+ description = "SKU"
+ type = string
+ default = "Standard"
+}
\ No newline at end of file
diff --git a/deprecated/terraform/azure/R8040-R81/single-gateway-new-vnet/versions.tf b/deprecated/terraform/azure/R8040-R81/single-gateway-new-vnet/versions.tf
new file mode 100644
index 00000000..0d5ca4f3
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/single-gateway-new-vnet/versions.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~> 3.81.0"
+ }
+ random = {
+ version = "~> 3.5.1"
+ }
+ }
+}
\ No newline at end of file
diff --git a/deprecated/terraform/azure/R8040-R81/vmss-existing-vnet/README.md b/deprecated/terraform/azure/R8040-R81/vmss-existing-vnet/README.md
new file mode 100644
index 00000000..dca0361a
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/vmss-existing-vnet/README.md
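Review bot: None of the secret-bearing variables in this hunk — `client_secret`, `admin_password`, `sic_key`, `smart_1_cloud_token`, `serial_console_password_hash`, `maintenance_mode_password_hash` — is marked `sensitive = true`, even though versions.tf in the same commit pins `required_version = ">= 0.14.3"`, where the attribute is available; without it the values are printed in plan/apply output and in any CI log that captures it. Adding `sensitive = true` to each of those `variable` blocks is a one-line change per block, with one knock-on effect: the `null_resource.sic_key_invalid` count trick would then have to move into a `validation { condition = length(var.sic_key) >= 12 ... }` block on the variable, since to my knowledge `count` may not be derived from a sensitive value (the same block could also enforce a character-set rule, which matters because the value is substituted unescaped into cloud-init.sh). Also here, `installation_type_allowed_values` is declared but, unlike `os_version`, `vm_os_offer`, `admin_shell` and `authentication_type`, has no `validate_installation_type_value = index(local.installation_type_allowed_values, var.installation_type)` line, so an invalid `installation_type` is only discovered at first boot. Finally, the error strings for both `regex_frontend_subnet_prefix` and `regex_backend_subnet_prefix` name `[subnet_prefix]`; naming the actual variable in each would save the operator a search.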
@@ -0,0 +1,247 @@ +# Check Point CloudGuard IaaS VMSS Terraform deployment for Azure + +This Terraform module deploys Check Point CloudGuard IaaS VMSS solution into an existing Vnet in Azure. +As part of the deployment the following resources are created: +- Resource group +- Role assignment - conditional creation + + +For additional information, +please see the [CloudGuard Network for Azure Virtual Machine Scale Sets (VMSS) Deployment Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_VMSS_for_Azure/Default.htm) + +This solution uses the following modules: +- /terraform/azure/modules/common - used for creating a resource group and defining common variables. + + +## Configurations +- Install and configure Terraform to provision Azure resources: [Configure Terraform for Azure](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/terraform-install-configure) +- In order to use ssh connection to VMs, it is **required** to add a public key to the /terraform/azure/vmss-existing-vnet/azure_public_key file + +## Usage +- Choose the preferred login method to Azure in order to deploy the solution: +
1. Using Service Principal: + - Create a [Service Principal](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal) (or use the existing one) + - Grant the Service Principal at least "**Managed Application Contributor**", "**Storage Account Contributor**", "**Network Contributor**", "**Virtual Machine Contributor**" permissions to the Azure subscription
+ - The Service Principal credentials can be stored either in the terraform.tfvars or as [Environment Variables](https://www.terraform.io/docs/providers/azuread/guides/service_principal_client_secret.html)
+ + In case the Environment Variables are used, perform modifications described below:
+ + a. The next lines in the main.tf file, in the provider azurerm resource, need to be deleted or commented: + + provider "azurerm" { + + // subscription_id = var.subscription_id + // client_id = var.client_id + // client_secret = var.client_secret + // tenant_id = var.tenant_id + + features {} + } + + b. In the terraform.tfvars file leave empty double quotes for client_secret, client_id, tenant_id and subscription_id variables: + + client_secret = "" + client_id = "" + tenant_id = "" + subscription_id = "" + +
2. Using **az** commands from a command-line: + - Run **az login** command + - Sign in with your account credentials in the browser + - [Accept Azure Marketplace image terms](https://docs.microsoft.com/en-us/cli/azure/vm/image/terms?view=azure-cli-latest) by running: +
**az vm image terms accept --urn publisher:offer:sku:version**, where: + - publisher = checkpoint; + - offer = vm_os_offer (see accepted values in the table below); + - sku = vm_os_sku (see accepted values in the table below); + - version = latest
+
Example:
+ az vm image terms accept --urn checkpoint:check-point-cg-r8040:sg-byol:latest + + - In the terraform.tfvars file leave empty double quotes for client_secret, client_id and tenant_id variables. + +- Fill all variables in the /terraform/azure/vmss-existing-vnet/terraform.tfvars file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + + terraform init +- Create an execution plan: + + terraform plan +- Create or modify the deployment: + + terraform apply + +### terraform.tfvars variables: + | Name | Description | Type | Allowed values | Default | + | ------------- |-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- | ------------- | ------------- | + | **client_secret** | The client secret of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **client_id** | The client ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **subscription_id** | The subsscription ID is used to pay for Azure cloud services | string | | n/a + | | | | | | + | **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images | string | | "noCustomUri" + | | | | | | + | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period
Note: Resource group name must not contain reserved words based on: sk40179| n/a + | | | | | | + | **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | n/a + | | | | | | + | **vmss_name** | The name of the Check Point VMSS Object | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long
Note: vmss_name name must not contain reserved words based on: sk40179 | n/a + | | | | | | + | **vnet_name** | Virtual Network name | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | n/a + | | | | | | + | **vnet_resource_group** | Resource Group of the existing virtual network | string | The exact name of the existing vnet's resource group | n/a + | | | | | | + | **frontend_subnet_name** | Specifies the name of the external subnet | string | The exact name of the existing external subnet | n/a + | | | | | | + | **backend_subnet_name** | Specifies the name of the internal subnet | string | The exact name of the existing internal subnet | n/a + | | | | | | + | **backend_lb_IP_address** | Is a whole number that can be represented as a binary integer with no more than the number of digits remaining in the address after the given prefix | string | Starting from 5-th IP address in a subnet. 
For example: subnet - 10.0.1.0/24, backend_lb_IP_address = 4 , the LB IP is 10.0.1.4 | n/a + | | | | | | + | **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | n/a + | | | | | | + | **sic_key** | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | n/a + | | | | | | + | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", 
"Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | n/a + | | | | | | + | **disk_size** | Storage data disk size size(GB) must be 100 for versions R81.20 and below | string | A number in the range 100 - 3995 (GB) | 100 + | | | | | | + | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license; | n/a + | | | | | | + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | | | | | | + | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120"; | n/a + | | | | | | + | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | n/a + | | | | | | + | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | n/a + | | | | | | + | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | n/a + | | | | | | + | **availability_zones_num** | A list of a single item of the Availability Zone which the Virtual Machine should be allocated in | string | "centralus", "eastus2", "francecentral", "northeurope", "southeastasia", "westeurope", "westus2", "eastus", "uksouth" | n/a + | | | | | | + | **minimum_number_of_vm_instances** | The minimum number of VMSS instances for this resource | number | Valid values are in the range 0 - 10 | n/a + | | | | | | + | **maximum_number_of_vm_instances** | The maximum number of VMSS instances for this resource | number | Valid values are in the range 0 - 10 | n/a + | | | | | | + | **management_name** | The name of the management server as it appears in the configuration file | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long | n/a + | | | | | | + | **management_IP** | The IP address used to manage the VMSS instances | string | A valid IP address | n/a + | | | | | | + | **management_interface** | Management option for the Gateways in the VMSS | string | "eth0-public" - Manages the GWs using their external NIC's public IP address;
"eth0-private" -Manages the GWs using their external NIC's private IP address;
"eth1-private" - Manages the GWs using their internal NIC's private IP address | "eth1-private" + | | | | | | + | **configuration_template_name** | The configuration template name as it appears in the configuration file | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long | n/a + | | | | | | + | **frontend_load_distribution** | The load balancing distribution method for the External Load Balancer | string | "Default" - None(5-tuple);
"SourceIP" - ClientIP(2-tuple);
"SourceIPProtocol" - ClientIP and protocol(3-tuple) | n/a + | | | | | | + | **backend_load_distribution** | The load balancing distribution method for the Internal Load Balancer | string | "Default" - None(5-tuple);
"SourceIP" - ClientIP(2-tuple);
"SourceIPProtocol" - ClientIP and protocol(3-tuple) | n/a + | | | | | | + | **notification_email** | An email address to notify about scaling operations | string | Leave empty double quotes or enter a valid email address | n/a + | | | | | | + | **enable_custom_metrics** | Indicates whether Custom Metrics will be used for VMSS Scaling policy and VM monitoring | boolean | true;
false; | true + | | | | | | + | **enable_floating_ip** | Indicates whether the load balancers will be deployed with floating IP | boolean | true;
false; | false + | | | | | | + | **deployment_mode** | Indicates which load balancer need to be deployed. External + Internal(Standard), only External, only Internal | string | Standard ;
External;
Internal; | "Standard" + | | | | | | + | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | "/etc/cli.sh" + | | | | | | + | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here | string | | n/a + | | | | | | + | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | | n/a + | | | | | | + | **nsg_id** | Optional ID for a Network Security Group that already exists in Azure, if not provided, will create a default NSG | string | Existing NSG resource ID | "" + | | | | | | + | **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false; | false + | | | | | | + | **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs | [] + +## Conditional creation +To create role assignment and enable CloudGuard metrics in order to send statuses and statistics collected from VMSS instances to the Azure Monitor service: +``` +enable_custom_metrics = true +``` + +## Example + client_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + client_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + tenant_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + subscription_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + source_image_vhd_uri = "noCustomUri" + resource_group_name = "checkpoint-vmss-terraform" + location = "eastus" + vmss_name = "checkpoint-vmss-terraform" + vnet_name = "checkpoint-vmss-vnet" + vnet_resource_group = "existing-vnet" + frontend_subnet_name = "frontend" + backend_subnet_name = "backend" + backend_lb_IP_address = 4 + admin_password = "xxxxxxxxxxxx" + sic_key = "xxxxxxxxxxxx" + vm_size = "Standard_D3_v2" + disk_size = "100" + vm_os_sku = "sg-byol" + vm_os_offer = "check-point-cg-r8110" + os_version = "R8110" + bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" + allow_upload_download = true + authentication_type = "Password" + availability_zones_num = "1" + minimum_number_of_vm_instances = 2 + maximum_number_of_vm_instances = 10 + management_name = "mgmt" + management_IP = "13.92.42.181" + management_interface = "eth1-private" + configuration_template_name = "vmss_template" + notification_email = "" + frontend_load_distribution = "Default" + backend_load_distribution = "Default" + enable_custom_metrics = true + enable_floating_ip = false + deployment_mode = "Standard" + admin_shell = "/etc/cli.sh" + serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + nsg_id = "" + add_storage_account_ip_rules = 
false + storage_account_additional_ips = [] + + +## Deploy Without Public IP + +1. By default, the VMSS is deployed with public IP +2. To deploy without public IP, remove the "public_ip_address_configuration" block in main.tf + +## Known limitations + +## Revision History + +In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +| ---------------- | ------------- | +| 20240613 | - Updated Azure Terraform provider version
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Updated diskSizeGB
- Added validation for os_version & os_offer | +| | | | +| 20230910 | - R81.20 is the default version | +| | | | +| 20221124 | - Added R81.20 support
- Upgraded azurerm provider | +| | | | +| 20220111 | - Added support to select different shells | +| | | | +| 20210309 | - Add "source_image_vhd_uri" variable for using a custom development image
- Fix zones filed for scale set be installed as multi-zone
- Modify "management_interface" variable and tags regarding managing the Gateways in the Scale Set | +| | | | +| 20210111 |- Update terraform version to 0.14.3
- Update azurerm version to 2.17.0
- Add authentication_type variable for choosing the authentication type.
- Adding support for R81.
- Add public IP addresses support.
- Add support to CloudGuards metrics.
- Avoid role-assignment re-creation when re-apply |
+| | | |
+| 20200323 | Remove the domain_name_label variable from the azurerm_public_ip resource; |
+| | | |
+| 20200305 | First release of Check Point CloudGuard IaaS VMSS Terraform deployment for Azure |
+| | | |
+| | Addition of "templateType" parameter to "cloud-version" files |
+| | | |
+
+
+## License
+
+See the [LICENSE](../../LICENSE) file for details
+
diff --git a/deprecated/terraform/azure/R8040-R81/vmss-existing-vnet/azure_public_key b/deprecated/terraform/azure/R8040-R81/vmss-existing-vnet/azure_public_key
new file mode 100644
index 00000000..e69de29b
diff --git a/deprecated/terraform/azure/R8040-R81/vmss-existing-vnet/cloud-init.sh b/deprecated/terraform/azure/R8040-R81/vmss-existing-vnet/cloud-init.sh
new file mode 100644
index 00000000..f11f72c3
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/vmss-existing-vnet/cloud-init.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/python3 /etc/cloud_config.py
+
+installationType="${installation_type}"
+allowUploadDownload="${allow_upload_download}"
+osVersion="${os_version}"
+templateName="${template_name}"
+templateVersion="${template_version}"
+templateType="${template_type}"
+isBlink="${is_blink}"
+bootstrapScript64="${bootstrap_script64}"
+location="${location}"
+sicKey="${sic_key}"
+vnet="${vnet}"
+customMetrics="${enable_custom_metrics}"
+adminShell="${admin_shell}"
+passwordHash="${serial_console_password_hash}"
+MaintenanceModePassword="${maintenance_mode_password_hash}"
diff --git a/deprecated/terraform/azure/R8040-R81/vmss-existing-vnet/main.tf b/deprecated/terraform/azure/R8040-R81/vmss-existing-vnet/main.tf
new file mode 100644
index 00000000..7cc4399a
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/vmss-existing-vnet/main.tf
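Review bot: `sicKey`, `passwordHash` and `MaintenanceModePassword` are interpolated into this file verbatim, and main.tf passes the rendered result to the scale set as `custom_data`, so the SIC one-time secret and both password hashes travel as instance custom data and are recorded in the Terraform state, yet nothing in the file says so. A header comment such as `# Rendered by templatefile() in main.tf and delivered as VMSS custom_data; the values below, including sic_key and the password hashes, end up in the scale-set model and in Terraform state` would make that visible to whoever operates the deployment. The values are also placed between double quotes with no escaping, and variables.tf only validates the length of `sic_key` (the README restricts it to alphanumerics), so a value containing a double quote would corrupt the generated file rather than be rejected.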
@@ -0,0 +1,446 @@
+provider "azurerm" {
+ subscription_id = var.subscription_id
+ client_id = var.client_id
+ client_secret = var.client_secret
+ tenant_id = var.tenant_id
+
+ features {}
+}
+
+//********************** Basic Configuration **************************//
+module "common" {
+ source = "../modules/common"
+ resource_group_name = var.resource_group_name
+ location = var.location
+ admin_password = var.authentication_type == "SSH Public Key" ? random_id.random_id.hex : var.admin_password
+ installation_type = var.installation_type
+ template_name = var.template_name
+ template_version = var.template_version
+ number_of_vm_instances = var.number_of_vm_instances
+ allow_upload_download = var.allow_upload_download
+ vm_size = var.vm_size
+ disk_size = var.disk_size
+ is_blink = var.is_blink
+ os_version = var.os_version
+ vm_os_sku = var.vm_os_sku
+ vm_os_offer = var.vm_os_offer
+ authentication_type = var.authentication_type
+ serial_console_password_hash = var.serial_console_password_hash
+ maintenance_mode_password_hash = var.maintenance_mode_password_hash
+ storage_account_additional_ips = var.storage_account_additional_ips
+}
+
+//********************** Networking **************************//
+
+data "azurerm_subnet" "frontend" {
+ name = var.frontend_subnet_name
+ virtual_network_name = var.vnet_name
+ resource_group_name = var.vnet_resource_group
+}
+
+data "azurerm_subnet" "backend" {
+ name = var.backend_subnet_name
+ virtual_network_name = var.vnet_name
+ resource_group_name = var.vnet_resource_group
+}
+
+module "network-security-group" {
+ source = "../modules/network-security-group"
+ count = var.nsg_id == "" ? 
1 : 0
+ resource_group_name = module.common.resource_group_name
+ security_group_name = "${module.common.resource_group_name}_nsg"
+ location = module.common.resource_group_location
+ security_rules = [
+ {
+ name = "AllowAllInBound"
+ priority = "100"
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "*"
+ source_port_ranges = "*"
+ destination_port_ranges = "*"
+ description = "Allow all inbound connections"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ }
+ ]
+}
+
+//********************** Load Balancers **************************//
+resource "random_id" "random_id" {
+ byte_length = 13
+ keepers = {
+ rg_id = module.common.resource_group_id
+ }
+}
+
+resource "azurerm_public_ip" "public-ip-lb" {
+ count = var.deployment_mode != "Internal" ? 1 : 0
+ name = "${var.vmss_name}-app-1"
+ location = module.common.resource_group_location
+ resource_group_name = module.common.resource_group_name
+ allocation_method = var.vnet_allocation_method
+ sku = var.sku
+ domain_name_label = "${lower(var.vmss_name)}-${random_id.random_id.hex}"
+}
+
+resource "azurerm_lb" "frontend-lb" {
+ count = var.deployment_mode != "Internal" ? 1 : 0
+ depends_on = [azurerm_public_ip.public-ip-lb]
+ name = "frontend-lb"
+ location = module.common.resource_group_location
+ resource_group_name = module.common.resource_group_name
+ sku = var.sku
+
+ frontend_ip_configuration {
+ name = "${var.vmss_name}-app-1"
+ public_ip_address_id = azurerm_public_ip.public-ip-lb[0].id
+ }
+}
+
+resource "azurerm_lb_backend_address_pool" "frontend-lb-pool" {
+ count = var.deployment_mode != "Internal" ? 1 : 0
+ loadbalancer_id = azurerm_lb.frontend-lb[0].id
+ name = "${var.vmss_name}-app-1"
+}
+
+resource "azurerm_lb" "backend-lb" {
+ count = var.deployment_mode != "External" ? 
1 : 0
+ name = "backend-lb"
+ location = module.common.resource_group_location
+ resource_group_name = module.common.resource_group_name
+ sku = var.sku
+ frontend_ip_configuration {
+ name = "backend-lb"
+ subnet_id = data.azurerm_subnet.backend.id
+ private_ip_address_allocation = "Static"
+ private_ip_address = cidrhost(data.azurerm_subnet.backend.address_prefixes[0],var.backend_lb_IP_address)
+ }
+}
+
+resource "azurerm_lb_backend_address_pool" "backend-lb-pool" {
+ count = var.deployment_mode != "External" ? 1 : 0
+ name = "backend-lb-pool"
+ loadbalancer_id = azurerm_lb.backend-lb[0].id
+}
+
+resource "azurerm_lb_probe" "azure_lb_healprob" {
+ count = var.deployment_mode == "Standard" ? 2 : 1
+ depends_on = [azurerm_lb.frontend-lb, azurerm_lb.backend-lb]
+ loadbalancer_id = var.deployment_mode == "Standard" ? (count.index == 0 ? azurerm_lb.frontend-lb[0].id : azurerm_lb.backend-lb[0].id) : (var.deployment_mode == "External" ? azurerm_lb.frontend-lb[0].id : azurerm_lb.backend-lb[0].id)
+ name = var.deployment_mode == "Standard" ? (count.index == 0 ? "${var.vmss_name}-app-1" : "backend-lb") : (var.deployment_mode == "External" ? "${var.vmss_name}-app-1" : "backend-lb")
+ protocol = var.lb_probe_protocol
+ port = var.lb_probe_port
+ interval_in_seconds = var.lb_probe_interval
+ number_of_probes = var.lb_probe_unhealthy_threshold
+}
+
+// Standard deployment
+resource "azurerm_lb_rule" "lbnatrule-standard" {
+ count = var.deployment_mode == "Standard" ? 2 : 0
+ depends_on = [azurerm_lb.frontend-lb[0],azurerm_lb_probe.azure_lb_healprob,azurerm_lb.backend-lb[0]]
+ loadbalancer_id = count.index == 0 ? azurerm_lb.frontend-lb[0].id : azurerm_lb.backend-lb[0].id
+ name = count.index == 0 ? "${var.vmss_name}-app-1" : "backend-lb"
+ protocol = count.index == 0 ? "Tcp" : "All"
+ frontend_port = count.index == 0 ? var.frontend_port : "0"
+ backend_port = count.index == 0 ? var.backend_port : "0"
+ backend_address_pool_ids = count.index == 0 ? 
[azurerm_lb_backend_address_pool.frontend-lb-pool[0].id] : [azurerm_lb_backend_address_pool.backend-lb-pool[0].id]
+ frontend_ip_configuration_name = count.index == 0 ? azurerm_lb.frontend-lb[0].frontend_ip_configuration[0].name : azurerm_lb.backend-lb[0].frontend_ip_configuration[0].name
+ probe_id = azurerm_lb_probe.azure_lb_healprob[count.index].id
+ load_distribution = count.index == 0 ? var.frontend_load_distribution : var.backend_load_distribution
+ enable_floating_ip = var.enable_floating_ip
+}
+
+// External deployment
+resource "azurerm_lb_rule" "lbnatrule-external" {
+ count = var.deployment_mode == "External" ? 1 : 0
+ depends_on = [azurerm_lb.frontend-lb[0],azurerm_lb_probe.azure_lb_healprob]
+ loadbalancer_id = azurerm_lb.frontend-lb[0].id
+ name = "${var.vmss_name}-app-1"
+ protocol = "Tcp"
+ frontend_port = var.frontend_port
+ backend_port = var.backend_port
+ backend_address_pool_ids = [azurerm_lb_backend_address_pool.frontend-lb-pool[0].id]
+ frontend_ip_configuration_name = azurerm_lb.frontend-lb[0].frontend_ip_configuration[0].name
+ probe_id = azurerm_lb_probe.azure_lb_healprob[0].id
+ load_distribution = var.frontend_load_distribution
+ enable_floating_ip = var.enable_floating_ip
+}
+
+// Internal deployment
+resource "azurerm_lb_rule" "lbnatrule-internal" {
+ count = var.deployment_mode == "Internal" ? 
1 : 0
+ depends_on = [azurerm_lb_probe.azure_lb_healprob,azurerm_lb.backend-lb[0]]
+ loadbalancer_id = azurerm_lb.backend-lb[0].id
+ name = "backend-lb"
+ protocol = "All"
+ frontend_port = "0"
+ backend_port = "0"
+ backend_address_pool_ids = [azurerm_lb_backend_address_pool.backend-lb-pool[0].id]
+ frontend_ip_configuration_name = azurerm_lb.backend-lb[0].frontend_ip_configuration[0].name
+ probe_id = azurerm_lb_probe.azure_lb_healprob[0].id
+ load_distribution = var.backend_load_distribution
+ enable_floating_ip = var.enable_floating_ip
+}
+
+//********************** Storage accounts **************************//
+// Generate random text for a unique storage account name
+resource "random_id" "randomId" {
+ keepers = {
+ # Generate a new ID only when a new resource group is defined
+ resource_group = module.common.resource_group_name
+ }
+ byte_length = 8
+}
+resource "azurerm_storage_account" "vm-boot-diagnostics-storage" {
+ name = "diag${random_id.randomId.hex}"
+ resource_group_name = module.common.resource_group_name
+ location = module.common.resource_group_location
+ account_tier = module.common.storage_account_tier
+ account_replication_type = module.common.account_replication_type
+ network_rules {
+ default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow"
+ ip_rules = module.common.storage_account_ip_rules
+ }
+ blob_properties {
+ delete_retention_policy {
+ days = "15"
+ }
+ }
+}
+
+
+//********************** Virtual Machines **************************//
+locals {
+ SSH_authentication_type_condition = var.authentication_type == "SSH Public Key" ? true : false
+ availability_zones_num_condition = var.availability_zones_num == "0" ? null : var.availability_zones_num == "1" ? ["1"] : var.availability_zones_num == "2" ? ["1", "2"] : ["1", "2", "3"]
+ custom_image_condition = var.source_image_vhd_uri == "noCustomUri" ? 
false : true
+ management_interface_name = split("-", var.management_interface)[0]
+ management_ip_address_type = split("-", var.management_interface)[1]
+}
+
+resource "azurerm_image" "custom-image" {
+ count = local.custom_image_condition ? 1 : 0
+ name = "custom-image"
+ location = var.location
+ resource_group_name = module.common.resource_group_name
+
+ os_disk {
+ os_type = "Linux"
+ os_state = "Generalized"
+ blob_uri = var.source_image_vhd_uri
+ }
+}
+
+resource "azurerm_linux_virtual_machine_scale_set" "vmss" {
+ name = var.vmss_name
+ location = module.common.resource_group_location
+ resource_group_name = module.common.resource_group_name
+ sku = module.common.vm_size
+ zones = local.availability_zones_num_condition
+ instances = var.number_of_vm_instances
+ overprovision = false
+
+ dynamic "identity" {
+ for_each = var.enable_custom_metrics ? [1] : []
+ content {
+ type = "SystemAssigned"
+ }
+ }
+
+ dynamic "source_image_reference" {
+ for_each = local.custom_image_condition ? [] : [1]
+ content {
+ publisher = module.common.publisher
+ offer = module.common.vm_os_offer
+ sku = module.common.vm_os_sku
+ version = module.common.vm_os_version
+ }
+ }
+ source_image_id = local.custom_image_condition? azurerm_image.custom-image[0].id : null
+
+ os_disk {
+ disk_size_gb = module.common.disk_size
+ caching = module.common.storage_os_disk_caching
+ storage_account_type = module.common.storage_account_type
+ }
+
+ dynamic "plan" {
+ for_each = local.custom_image_condition ? 
[] : [1]
+ content {
+ name = module.common.vm_os_sku
+ publisher = module.common.publisher
+ product = module.common.vm_os_offer
+ }
+ }
+
+ computer_name_prefix = var.vmss_name
+ admin_username = module.common.admin_username
+ admin_password = module.common.admin_password
+ custom_data = base64encode(templatefile("${path.module}/cloud-init.sh", {
+ installation_type = module.common.installation_type
+ allow_upload_download = module.common.allow_upload_download
+ os_version = module.common.os_version
+ template_name = module.common.template_name
+ template_version = module.common.template_version
+ template_type = "terraform"
+ is_blink = module.common.is_blink
+ bootstrap_script64 = base64encode(var.bootstrap_script)
+ location = module.common.resource_group_location
+ sic_key = var.sic_key
+ vnet = data.azurerm_subnet.frontend.address_prefixes[0]
+ enable_custom_metrics = var.enable_custom_metrics ? "yes" : "no"
+ admin_shell = var.admin_shell
+ serial_console_password_hash = var.serial_console_password_hash
+ maintenance_mode_password_hash = var.maintenance_mode_password_hash
+ }))
+
+
+ disable_password_authentication = local.SSH_authentication_type_condition
+
+ dynamic "admin_ssh_key" {
+ for_each = local.SSH_authentication_type_condition ? [
+ 1] : []
+ content {
+ public_key = file("azure_public_key")
+ username = "notused"
+ }
+ }
+
+
+ boot_diagnostics {
+ storage_account_uri = module.common.boot_diagnostics ? join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : ""
+ }
+
+ upgrade_mode = "Manual"
+
+ network_interface {
+ name = "eth0"
+ primary = true
+ enable_ip_forwarding = true
+ enable_accelerated_networking = true
+ network_security_group_id = module.network-security-group[0].network_security_group_id
+ ip_configuration {
+ name = "ipconfig1"
+ subnet_id = data.azurerm_subnet.frontend.id
+ load_balancer_backend_address_pool_ids = var.deployment_mode != "Internal" ? 
[azurerm_lb_backend_address_pool.frontend-lb-pool[0].id]: null
+ primary = true
+ public_ip_address {
+ name = "${var.vmss_name}-public-ip"
+ idle_timeout_in_minutes = 15
+ domain_name_label = "${lower(var.vmss_name)}-dns-name"
+ }
+ }
+ }
+
+ network_interface {
+ name = "eth1"
+ primary = false
+ enable_ip_forwarding = true
+ enable_accelerated_networking = true
+ ip_configuration {
+ name = "ipconfig2"
+ subnet_id = data.azurerm_subnet.backend.id
+ load_balancer_backend_address_pool_ids = var.deployment_mode != "External" ? [azurerm_lb_backend_address_pool.backend-lb-pool[0].id] : null
+ primary = true
+ }
+ }
+
+ tags = var.management_interface == "eth0"?{
+ x-chkp-management = var.management_name,
+ x-chkp-template = var.configuration_template_name,
+ x-chkp-ip-address = local.management_ip_address_type,
+ x-chkp-management-interface = local.management_interface_name,
+ x-chkp-management-address = var.management_IP,
+ x-chkp-topology = "eth0:external,eth1:internal",
+ x-chkp-anti-spoofing = "eth0:false,eth1:false",
+ x-chkp-srcImageUri = var.source_image_vhd_uri
+ }:{
+ x-chkp-management = var.management_name,
+ x-chkp-template = var.configuration_template_name,
+ x-chkp-ip-address = local.management_ip_address_type,
+ x-chkp-management-interface = local.management_interface_name,
+ x-chkp-topology = "eth0:external,eth1:internal",
+ x-chkp-anti-spoofing = "eth0:false,eth1:false",
+ x-chkp-srcImageUri = var.source_image_vhd_uri
+ }
+}
+
+resource "azurerm_monitor_autoscale_setting" "vmss_settings" {
+ depends_on = [azurerm_linux_virtual_machine_scale_set.vmss]
+ name = var.vmss_name
+ resource_group_name = module.common.resource_group_name
+ location = module.common.resource_group_location
+ target_resource_id = azurerm_linux_virtual_machine_scale_set.vmss.id
+
+ profile {
+ name = "Profile1"
+
+ capacity {
+ default = module.common.number_of_vm_instances
+ minimum = var.minimum_number_of_vm_instances
+ maximum = var.maximum_number_of_vm_instances
+ }
+
+ rule 
{
+ metric_trigger {
+ metric_name = "Percentage CPU"
+ metric_resource_id = azurerm_linux_virtual_machine_scale_set.vmss.id
+ time_grain = "PT1M"
+ statistic = "Average"
+ time_window = "PT5M"
+ time_aggregation = "Average"
+ operator = "GreaterThan"
+ threshold = 80
+ }
+
+ scale_action {
+ direction = "Increase"
+ type = "ChangeCount"
+ value = "1"
+ cooldown = "PT5M"
+ }
+ }
+
+ rule {
+ metric_trigger {
+ metric_name = "Percentage CPU"
+ metric_resource_id = azurerm_linux_virtual_machine_scale_set.vmss.id
+ time_grain = "PT1M"
+ statistic = "Average"
+ time_window = "PT5M"
+ time_aggregation = "Average"
+ operator = "LessThan"
+ threshold = 60
+ }
+
+ scale_action {
+ direction = "Decrease"
+ type = "ChangeCount"
+ value = "1"
+ cooldown = "PT5M"
+ }
+ }
+ }
+
+ notification {
+ email {
+ send_to_subscription_administrator = false
+ send_to_subscription_co_administrator = false
+ custom_emails = var.notification_email == "" ? [] : [var.notification_email]
+ }
+ }
+}
+
+resource "azurerm_role_assignment" "custom_metrics_role_assignment"{
+ depends_on = [azurerm_linux_virtual_machine_scale_set.vmss]
+ count = var.enable_custom_metrics ? 1 : 0
+ role_definition_id = join("", ["/subscriptions/", var.subscription_id, "/providers/Microsoft.Authorization/roleDefinitions/", "3913510d-42f4-4e42-8a64-420c390055eb"])
+ principal_id = lookup(azurerm_linux_virtual_machine_scale_set.vmss.identity[0], "principal_id")
+ scope = module.common.resource_group_id
+ lifecycle {
+ ignore_changes = [
+ role_definition_id, principal_id
+ ]
+ }
+}
diff --git a/deprecated/terraform/azure/R8040-R81/vmss-existing-vnet/terraform.tfvars b/deprecated/terraform/azure/R8040-R81/vmss-existing-vnet/terraform.tfvars
new file mode 100644
index 00000000..66836af3
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/vmss-existing-vnet/terraform.tfvars
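Review bot: The `eth0` `network_interface` block sets `network_security_group_id = module.network-security-group[0].network_security_group_id` unconditionally, while the module's `count` is 0 whenever `var.nsg_id` is non-empty, so using the documented `nsg_id` option fails with an invalid-index error and the supplied NSG is never attached; the line should read `network_security_group_id = var.nsg_id == "" ? module.network-security-group[0].network_security_group_id : var.nsg_id`. The `tags` expression compares `var.management_interface == "eth0"`, but the accepted values are `eth0-public`, `eth0-private` and `eth1-private` (the `locals` block splits them on `-`), so the first branch is unreachable and `x-chkp-management-address` is never set; `local.management_interface_name == "eth0"` is the intended test. The default NSG built when `nsg_id` is empty holds a single `AllowAllInBound` rule from `*` to `*` on every protocol and port and is bound to the NIC that also receives a public IP; if that is deliberate because enforcement happens in the gateway's own policy, a comment on the `security_rules` list saying so, and pointing to `nsg_id` for a tighter group, would spare the next reviewer the question.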
@@ -0,0 +1,43 @@
+#PLEASE refer to the README.md for accepted values FOR THE VARIABLES BELOW
+client_secret = "PLEASE ENTER CLIENT SECRET" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+client_id = "PLEASE ENTER CLIENT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+tenant_id = "PLEASE ENTER TENANT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+subscription_id = "PLEASE ENTER SUBSCRIPTION ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+source_image_vhd_uri = "PLEASE ENTER SOURCE IMAGE VHD URI OR noCustomUri" # "noCustomUri"
+resource_group_name = "PLEASE ENTER RESOURCE GROUP NAME" # "checkpoint-vmss-terraform"
+vmss_name = "PLEASE ENTER SCALE SET NAME" # "checkpoint-vmss-terraform"
+location = "PLEASE ENTER LOCATION" # "eastus"
+vnet_name = "PLEASE ENTER VIRTUAL NETWORK NAME" # "checkpoint-vmss-vnet"
+vnet_resource_group = "PLEASE ENTER VIRTUAL NETWORK'S RESOURCE GROUP NAME" # "existing-vnet"
+frontend_subnet_name = "PLEASE ENTER EXTERNAL SUBNET NAME" # "frontend"
+backend_subnet_name = "PLEASE ENTER INTERNAL SUBNET NAME" # "backend"
+backend_lb_IP_address = "PLEASE ENTER BACKEND LB IP ADDRESS POSITIONAL NUMBER" # 4
+admin_password = "PLEASE ENTER ADMIN PASSWORD" # "xxxxxxxxxxxx"
+sic_key = "PLEASE ENTER SIC KEY" # "xxxxxxxxxxxx"
+vm_size = "PLEASE ENTER VM SIZE" # "Standard_D3_v2"
+disk_size = "PLEASE ENTER DISK SIZE MUST BE 100 FOR VERSIONS R81.20 AND BELOW" # "100"
+vm_os_sku = "PLEASE ENTER VM SKU" # "sg-byol"
+vm_os_offer = "PLEASE ENTER VM OFFER" # "check-point-cg-r8110"
+os_version = "PLEASE ENTER GAIA OS VERSION" # "R8110"
+bootstrap_script = "PLEASE ENTER CUSTOM SCRIPT OR LEAVE EMPTY DOUBLE QUOTES" # "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
+allow_upload_download = "PLEASE ENTER true or false" # true
+authentication_type = "PLEASE ENTER AUTHENTICATION TYPE" # "Password"
+availability_zones_num = "PLEASE ENTER NUMBER OF AVAILABILITY ZONES" # "1"
+minimum_number_of_vm_instances = "PLEASE ENTER MINIMUM NUMBER OF VM INSTANCES" # 
2
+maximum_number_of_vm_instances = "PLEASE ENTER MAXIMUM NUMBER OF VM INSTANCES" # 10
+management_name = "PLEASE ENTER MANAGEMENT NAME" # "mgmt"
+management_IP = "PLEASE ENTER MANAGEMENT IP" # "13.92.42.181"
+management_interface = "PLEASE ENTER MANAGEMENT INTERFACE" # "eth1-private"
+configuration_template_name = "PLEASE ENTER CONFIGURATION TEMPLATE NAME" # "vmss_template"
+notification_email = "PLEASE ENTER NOTIFICATION MAIL OR LEAVE EMPTY DOUBLE QUOTES" # ""
+frontend_load_distribution = "PLEASE ENTER EXTERNAL LOAD BALANCER SESSION PERSISTENCE" # "Default"
+backend_load_distribution = "PLEASE ENTER INTERNAL LOAD BALANCER SESSION PERSISTENCE" # "Default"
+enable_custom_metrics = "PLEASE ENTER true or false" # true
+enable_floating_ip = "PLEASE ENTER true or false" # false
+deployment_mode = "PLEASE ENTER DEPLOYMENT MODE" # "Standard"
+admin_shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh"
+serial_console_password_hash = "PLEASE ENTER SERIAL CONSOLE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+add_storage_account_ip_rules = "PLEASE ENTER true or false" # false
+storage_account_additional_ips = "PLEASE ENTER A LIST OF VALID IPS/CIDRS" # []
+nsg_id = "PLEASE ENTER NETWORK SECURITY GROUP ID" # ""
\ No newline at end of file
diff --git a/deprecated/terraform/azure/R8040-R81/vmss-existing-vnet/variables.tf b/deprecated/terraform/azure/R8040-R81/vmss-existing-vnet/variables.tf
new file mode 100644
index 00000000..9ef598a3
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/vmss-existing-vnet/variables.tf
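Review bot: This `terraform.tfvars` is the file Terraform loads automatically, and it holds `client_secret`, `admin_password`, `sic_key` and both password hashes, so whoever fills in the placeholders and commits ends up with a service-principal secret in version control; the header line should warn about that, e.g. `# Do not commit this file with real values: client_secret, admin_password and sic_key are secrets and can be supplied through TF_VAR_<name> environment variables instead.` The file also ends without a trailing newline, as the `\ No newline at end of file` marker shows.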
@@ -0,0 +1,404 @@ +//********************** Basic Configuration Variables **************************// +variable "vmss_name"{ + description = "vmss name" + type = string +} + +variable "resource_group_name" { + description = "Azure Resource Group name to build into" + type = string +} + +variable "location" { + description = "The location/region where resources will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions" + type = string +} + +//********************** Virtual Machine Instances Variables **************************// +variable "source_image_vhd_uri" { + type = string + description = "The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images." + default = "noCustomUri" +} + +variable "admin_username" { + description = "Administrator username of deployed VM. Due to Azure limitations 'notused' name can be used" + default = "notused" +} + +variable "admin_password" { + description = "Administrator password of deployed Virtual Machine. The password must meet the complexity requirements of Azure" + type = string +} + +variable "serial_console_password_hash" { + description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type" + type = string +} + +variable "maintenance_mode_password_hash" { + description = "Maintenance mode password hash, relevant only for R81.20 and higher versions" + type = string +} + +variable "availability_zones_num" { + description = "The number of availability zones to use for Scale Set. 
Note that the load balancers and their IP addresses will be redundant in any case" + #Availability Zones are only supported in several regions at this time + #"centralus", "eastus2", "francecentral", "northeurope", "southeastasia", "westeurope", "westus2", "eastus", "uksouth" + #type = list(string) +} + +locals { // locals for 'availability_zones_num' allowed values + availability_zones_num_allowed_values = [ + "0", + "1", + "2", + "3" + ] + // will fail if [var.availability_zones_num] is invalid: + validate_availability_zones_num_value = index(local.availability_zones_num_allowed_values, var.availability_zones_num) +} + +variable "sic_key" { + description = "Secure Internal Communication(SIC) key" + type = string +} +resource "null_resource" "sic_key_invalid" { + count = length(var.sic_key) >= 12 ? 0 : "SIC key must be at least 12 characters long" +} + +variable "template_name"{ + description = "Template name. Should be defined according to deployment type(ha, vmss)" + type = string + default = "vmss-terraform" +} + +variable "template_version"{ + description = "Template version. 
It is recommended to always use the latest template version" + type = string + default = "20230910" +} + +variable "installation_type"{ + description = "Installation type" + type = string + default = "vmss" +} + +variable "number_of_vm_instances"{ + description = "Default number of VM instances to deploy" + type = string + default = "2" +} + +variable "minimum_number_of_vm_instances" { + description = "Minimum number of VM instances to deploy" + type = string +} + +variable "maximum_number_of_vm_instances" { + description = "Maximum number of VM instances to deploy" + type = string +} + +variable "vm_size" { + description = "Specifies size of Virtual Machine" + type = string +} + + +variable "os_version" { + description = "GAIA OS version" + type = string +} + +locals { // locals for 'vm_os_offer' allowed values + os_version_allowed_values = [ + "R8040", + "R81", + "R8110", + "R8120" + ] + // will fail if [var.os_version] is invalid: + validate_os_version_value = index(local.os_version_allowed_values, var.os_version) +} +variable "disk_size" { + description = "Storage data disk size size(GB). Select a number between 100 and 3995, if you are using R81.20 or below, the disk size must be 100" + type = string + default = 100 +} +resource "null_resource" "disk_size_validation" { + // Will fail if var.disk_size is not 100 and the version is R81.20 or below + count = tonumber(var.disk_size) != 100 && contains(["R8040", "R81", "R8110", "R8120"], var.os_version) ? "variable disk_size can not be changed for R81.20 and below" : 0 +} +variable "vm_os_sku" { + description = "The sku of the image to be deployed." 
+ type = string +} + +variable "authentication_type" { + description = "Specifies whether a password authentication or SSH Public Key authentication should be used" + type = string +} +locals { // locals for 'authentication_type' allowed values + authentication_type_allowed_values = [ + "Password", + "SSH Public Key" + ] + // will fail if [var.authentication_type] is invalid: + validate_authentication_type_value = index(local.authentication_type_allowed_values, var.authentication_type) +} + +variable "allow_upload_download" { + description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + type = bool +} + +variable "is_blink" { + description = "Define if blink image is used for deployment" + default = true +} + +variable "management_name" { + description = "The name of the management server as it appears in the configuration file" + type = string +} + +variable "management_IP" { + description = "The IP address used to manage the VMSS instances" + type = string +} + +variable "management_interface" { + description = "Manage the Gateways in the Scale Set via the instance's external (eth0) or internal (eth1) NIC's private IP address" + type = string + default = "eth1-private" +} +locals { // locals for 'management_interface' allowed values + management_interface_allowed_values = [ + "eth0-public", + "eth0-private", + "eth1-private" + ] + // will fail if [var.management_interface] is invalid: + validate_management_interface_value = index(local.management_interface_allowed_values, var.management_interface) +} + +variable "configuration_template_name" { + description = "The configuration template name as it appears in the configuration file" + type = string +} + +variable "admin_shell" { + description = "The admin shell to configure on machine or the first time" + type = string + default = "/etc/cli.sh" +} + +locals { + admin_shell_allowed_values = [ + "/etc/cli.sh", + "/bin/bash", + 
"/bin/csh", + "/bin/tcsh" + ] + // Will fail if [var.admin_shell] is invalid + validate_admin_shell_value = index(local.admin_shell_allowed_values, var.admin_shell) +} + +//********************** Networking Variables **************************// +variable "vnet_name" { + description = "Virtual Network name" + type = string +} + +variable "frontend_subnet_name" { + description = "Frontend subnet name" + type = string +} + +variable "backend_subnet_name" { + description = "Backend subnet name" + type = string +} + +variable "vnet_resource_group" { + description = "Resource group of existing vnet" + type = string +} + +variable "vnet_allocation_method" { + description = "IP address allocation method" + type = string + default = "Static" +} + +variable "add_storage_account_ip_rules" { + type = bool + default = false + description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location" +} + +variable "storage_account_additional_ips" { + type = list(string) + description = "IPs/CIDRs that are allowed access to the Storage Account" + default = [] +} + +//********************* Load Balancers Variables **********************// + +variable "deployment_mode" { + description = "The type of the deployment, can be 'Standard' for both load balancers or 'External' for external load balancer or 'Internal for internal load balancer" + type = string + default = "Standard" +} + +locals { // locals for 'deployment_mode' allowed values + deployment_mode_allowd_values = [ + "Standard", + "External", + "Internal" + ] + // will fail if [var.deployment_mode] is invalid: + validate_deployment_mode_value = index(local.deployment_mode_allowd_values, var.deployment_mode) +} + +variable "backend_lb_IP_address" { + description = "The IP address is defined by its position in the subnet" + type = number +} + +variable "lb_probe_port" { + description = "Port to be used for load balancer health probes and rules" + default = "8117" +} + 
+variable "lb_probe_protocol" { + description = "Protocols to be used for load balancer health probes and rules" + default = "Tcp" +} + +variable "lb_probe_unhealthy_threshold" { + description = "Number of times load balancer health probe has an unsuccessful attempt before considering the endpoint unhealthy." + default = 2 +} + +variable "lb_probe_interval" { + description = "Interval in seconds load balancer health probe rule performs a check" + default = 5 +} + +variable "frontend_port" { + description = "Port that will be exposed to the external Load Balancer" + type = string + default = "80" +} + +variable "backend_port" { + description = "Port that will be exposed to the external Load Balance" + type = string + default = "8081" +} + +variable "frontend_load_distribution" { + description = "Specifies the load balancing distribution type to be used by the frontend load balancer" + type = string +} + +locals { // locals for 'frontend_load_distribution' allowed values + frontend_load_distribution_allowed_values = [ + "Default", + "SourceIP", + "SourceIPProtocol" + ] + // will fail if [var.frontend_load_distribution] is invalid: + validate_frontend_load_distribution_value = index(local.frontend_load_distribution_allowed_values, var.frontend_load_distribution) +} + +variable "backend_load_distribution" { + description = "Specifies the load balancing distribution type to be used by the backend load balancer" + type = string +} + +locals { // locals for 'frontend_load_distribution' allowed values + backend_load_distribution_allowed_values = [ + "Default", + "SourceIP", + "SourceIPProtocol" + ] + // will fail if [var.backend_load_distribution] is invalid: + validate_backend_load_distribution_value = index(local.backend_load_distribution_allowed_values, var.backend_load_distribution) +} + +//********************** Scale Set variables *******************// + +variable "vm_os_offer" { + description = "The name of the offer of the image that you want to deploy.Choose from: 
check-point-cg-r8040, check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" + type = string +} + +locals { // locals for 'vm_os_offer' allowed values + vm_os_offer_allowed_values = [ + "check-point-cg-r8040", + "check-point-cg-r81", + "check-point-cg-r8110", + "check-point-cg-r8120", + ] + // will fail if [var.vm_os_offer] is invalid: + validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer) +} + +variable "bootstrap_script"{ + description = "An optional script to run on the initial boot" + #example: + #"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" +} + +variable "notification_email" { + description = "Specifies a list of custom email addresses to which the email notifications will be sent" + type = string +} + +//********************** Credentials **************************// +variable "tenant_id" { + description = "Tenant ID" + type = string +} + +variable "subscription_id" { + description = "Subscription ID" + type = string +} + +variable "client_id" { + description = "Application ID(Client ID)" + type = string +} + +variable "client_secret" { + description = "A secret string that the application uses to prove its identity when requesting a token. Also can be referred to as application password." + type = string +} + +variable "sku" { + description = "SKU" + type = string + default = "Standard" +} + +variable "enable_custom_metrics" { + description = "Enable CloudGuard metrics in order to send statuses and statistics collected from VMSS instances to the Azure Monitor service." + type = bool + default = true +} + +variable "enable_floating_ip" { + description = "Indicates whether the load balancers will be deployed with floating IP." + type = bool + default = false +} + +variable "nsg_id" { + description = "NSG ID - Optional - if empty use default NSG" + default = "" +} 
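Review bot: `client_secret`, `admin_password`, `sic_key`, `serial_console_password_hash` and `maintenance_mode_password_hash` are declared without `sensitive = true`, so their values are echoed in `terraform plan`/`apply` output and in any CI log that captures it; versions.tf in this same commit pins `required_version = ">= 0.14.3"`, which supports the attribute, so each of those blocks should carry `sensitive = true`. The SIC key check only enforces `length(var.sic_key) >= 12` via the `null_resource.sic_key_invalid` count trick, while the README in this commit documents 12-30 alphanumeric characters; a `validation { condition = can(regex("^[A-Za-z0-9]{12,30}$", var.sic_key)) error_message = "SIC key must be 12-30 alphanumeric characters." }` block would match the documented contract and give a readable error instead of a count-type failure. The same `validation` form would replace the `index()` locals used for the allowed-value lists, which fail with an opaque "element not found" message. `admin_username`, `bootstrap_script` and `nsg_id` also lack a `type`, unlike every neighbouring variable.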
diff --git a/deprecated/terraform/azure/R8040-R81/vmss-existing-vnet/versions.tf b/deprecated/terraform/azure/R8040-R81/vmss-existing-vnet/versions.tf
new file mode 100644
index 00000000..df4caa26
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/vmss-existing-vnet/versions.tf
@@ -0,0 +1,14 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~> 3.81.0"
+ }
+ random = {
+ version = "~> 3.5.1"
+ }
+ }
+}
+
+
diff --git a/deprecated/terraform/azure/R8040-R81/vmss-new-vnet/README.md b/deprecated/terraform/azure/R8040-R81/vmss-new-vnet/README.md
new file mode 100644
index 00000000..b57e3011
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/vmss-new-vnet/README.md
@@ -0,0 +1,247 @@ +# Check Point CloudGuard IaaS VMSS Terraform deployment for Azure + +This Terraform module deploys Check Point CloudGuard IaaS VMSS solution into a new Vnet in Azure. +As part of the deployment the following resources are created: +- Resource group +- Virtual network +- Network security group +- Role assignment - conditional creation + + +For additional information, +please see the [CloudGuard Network for Azure Virtual Machine Scale Sets (VMSS) Deployment Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_VMSS_for_Azure/Default.htm) + +This solution uses the following modules: +- /terraform/azure/modules/common - used for creating a resource group and defining common variables. +- /terraform/azure/modules/vnet - used for creating new virtual network and subnets. +- /terraform/azure/modules/network-security-group - used for creating new network security groups and rules. + + +## Configurations +- Install and configure Terraform to provision Azure resources: [Configure Terraform for Azure](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/terraform-install-configure) +- In order to use ssh connection to VMs, it is **required** to add a public key to the /terraform/azure/vmss-new-vnet/azure_public_key file + +## Usage +- Choose the preferred login method to Azure in order to deploy the solution: +
1. Using Service Principal: + - Create a [Service Principal](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal) (or use the existing one) + - Grant the Service Principal at least "**Managed Application Contributor**", "**Storage Account Contributor**", "**Network Contributor**", "**Virtual Machine Contributor**" permissions to the Azure subscription
+ - The Service Principal credentials can be stored either in the terraform.tfvars or as [Environment Variables](https://www.terraform.io/docs/providers/azuread/guides/service_principal_client_secret.html)
+ + In case the Environment Variables are used, perform modifications described below:
+ + a. The next lines in the main.tf file, in the provider azurerm resource, need to be deleted or commented: + + provider "azurerm" { + + // subscription_id = var.subscription_id + // client_id = var.client_id + // client_secret = var.client_secret + // tenant_id = var.tenant_id + + features {} + } + + b. In the terraform.tfvars file leave empty double quotes for client_secret, client_id , tenant_id and subscription_id variables: + + client_secret = "" + client_id = "" + tenant_id = "" + subscription_id = "" + +
2. Using **az** commands from a command-line: + - Run **az login** command + - Sign in with your account credentials in the browser + - [Accept Azure Marketplace image terms](https://docs.microsoft.com/en-us/cli/azure/vm/image/terms?view=azure-cli-latest) by running: +
**az vm image terms accept --urn publisher:offer:sku:version**, where: + - publisher = checkpoint; + - offer = vm_os_offer (see accepted values in the table below); + - sku = vm_os_sku (see accepted values in the table below); + - version = latest
+
Example:
+ az vm image terms accept --urn checkpoint:check-point-cg-r8040:sg-byol:latest + + - In the terraform.tfvars file leave empty double quotes for client_secret, client_id and tenant_id variables. + +- Fill all variables in the /terraform/azure/vmss-new-vnet/terraform.tfvars file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + + terraform init +- Create an execution plan: + + terraform plan +- Create or modify the deployment: + + terraform apply + +### terraform.tfvars variables: + | Name | Description | Type | Allowed values | Default | + | ------------- | ------------- | ------------- |---------| ------------- | + | **client_secret** | The client secret of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **client_id** | The client ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | | n/a + | | | | | | + | **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images | string | | "noCustomUri" + | | | | | | + | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period
Note: Resource group name must not contain reserved words based on: sk40179| n/a + | | | | | | + | **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | n/a + | | | | | | + | **vmss_name** | The name of the Check Point VMSS Object | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long
Note: vmss name must not contain reserved words based on: sk40179 | n/a + | | | | | | + | **vnet_name** | The name of virtual network that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | n/a + | | | | | | + | **address_space** | The address prefixes of the virtual network | string | Valid CIDR block | "10.0.0.0/16" + | | | | | | + | **subnet_prefixes** | The address prefixes to be used for created subnets | string | The subnets need to contain within the address space for this virtual network(defined by address_space variable) | ["10.0.0.0/24","10.0.1.0/24"] + | | | | | | + | **backend_lb_IP_address** | Is a whole number that can be represented as a binary integer with no more than the number of digits remaining in the address after the given prefix| number | Starting from 5-th IP address in a subnet. For example: subnet - 10.0.1.0/24, backend_lb_IP_address = 4 , the LB IP is 10.0.1.4 | n/a + | | | | | | + | **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | n/a + | | | | | | + | **sic_key** | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | n/a + | | | | | | + | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", 
"Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | n/a + | | | | | | + | **disk_size** | Storage data disk size size(GB) must be 100 for versions R81.20 and below | string | A number in the range 100 - 3995 (GB) | 100 + | | | | | | + | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license; | n/a + | | | | | | + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | | | | | | + | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120"; | n/a + | | | | | | + | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | n/a + | | | | | | + | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | n/a + | | | | | | + | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | n/a + | | | | | | + | **availability_zones_num** | A list of a single item of the Availability Zone which the Virtual Machine should be allocated in | string | "centralus", "eastus2", "francecentral", "northeurope", "southeastasia", "westeurope", "westus2", "eastus", "uksouth" | n/a + | | | | | | + | **minimum_number_of_vm_instances** | The minimum number of VMSS instances for this resource | number | Valid values are in the range 0 - 10 | n/a + | | | | | | + | **maximum_number_of_vm_instances** | The maximum number of VMSS instances for this resource | number | Valid values are in the range 0 - 10 | n/a + | | | | | | + | **management_name** | The name of the management server as it appears in the configuration file | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long | n/a + | | | | | | + | **management_IP** | The IP address used to manage the VMSS instances | string | A valid IP address | n/a + | | | | | | + | **management_interface** | Management option for the Gateways in the VMSS | string | "eth0-public" - Manages the GWs using their external NIC's public IP address;
"eth0-private" -Manages the GWs using their external NIC's private IP address;
"eth1-private" - Manages the GWs using their internal NIC's private IP address | "eth1-private" + | | | | | | + | **configuration_template_name** | The configuration template name as it appears in the configuration file | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long | n/a + | | | | | | + | **frontend_load_distribution** | The load balancing distribution method for the External Load Balancer | string | "Default" - None(5-tuple);
"SourceIP" - ClientIP(2-tuple);
"SourceIPProtocol" - ClientIP and protocol(3-tuple) | n/a + | | | | | | + | **backend_load_distribution** | The load balancing distribution method for the Internal Load Balancer | string | "Default" - None(5-tuple);
"SourceIP" - ClientIP(2-tuple);
"SourceIPProtocol" - ClientIP and protocol(3-tuple) | n/a + | | | | | | + | **notification_email** | An email address to notify about scaling operations | string | Leave empty double quotes or enter a valid email address | n/a + | | | | | | + | **enable_custom_metrics** | Indicates whether Custom Metrics will be used for VMSS Scaling policy and VM monitoring | boolean | true;
false; | n/a + | | | | | | + | **enable_floating_ip** | Indicates whether the load balancers will be deployed with floating IP | boolean | true;
false; | n/a + | | | | | | + | **deployment_mode** | Indicates which load balancer need to be deployed. External + Internal(Standard), only External, only Internal | string | Standard ;
External;
Internal; | "Standard" + | | | | | | + | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | "/etc/cli.sh" + | | | | | | + | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here | string | | n/a + | | | | | | + | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | | n/a + | | | | | | + | **nsg_id** | Optional ID for a Network Security Group that already exists in Azure, if not provided, will create a default NSG | string | Existing NSG resource ID | "" + | | | | | | + | **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false; | false + | | | | | | + | **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs | [] + +## Conditional creation +To create role assignment and enable CloudGuard metrics in order to send statuses and statistics collected from VMSS instances to the Azure Monitor service: +``` +enable_custom_metrics = true +``` + +## Example + client_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + client_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + tenant_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + subscription_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + source_image_vhd_uri = "noCustomUri" + resource_group_name = "checkpoint-vmss-terraform" + location = "eastus" + vmss_name = "checkpoint-vmss-terraform" + vnet_name = "checkpoint-vmss-vnet" + address_space = "10.0.0.0/16" + subnet_prefixes = ["10.0.1.0/24","10.0.2.0/24"] + backend_lb_IP_address = 4 + admin_password = "xxxxxxxxxxxx" + sic_key = "xxxxxxxxxxxx" + vm_size = "Standard_D3_v2" + disk_size = "100" + vm_os_sku = "sg-byol" + vm_os_offer = "check-point-cg-r8110" + os_version = "R8110" + bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" + allow_upload_download = true + authentication_type = "Password" + availability_zones_num = "1" + minimum_number_of_vm_instances = 2 + maximum_number_of_vm_instances = 10 + management_name = "mgmt" + management_IP = "13.92.42.181" + management_interface = "eth1-private" + configuration_template_name = "vmss_template" + notification_email = "" + frontend_load_distribution = "Default" + backend_load_distribution = "Default" + enable_custom_metrics = true + enable_floating_ip = false + deployment_mode = "Standard" + admin_shell = "/etc/cli.sh" + serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + nsg_id = "" + add_storage_account_ip_rules = false + 
storage_account_additional_ips = [] + +## Deploy Without Public IP + +1. By default, the VMSS is deployed with public IP +2. To deploy without public IP, remove the "public_ip_address_configuration" block in main.tf + +## Known limitations + +## Revision History + +In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +| ---------------- | --------- | +| 20240613 | - Updated Azure Terraform provider version
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Updated diskSizeGB
- Added validation for os_version & os_offer | +| | | | +| 20230910 | - R81.20 is the default version | +| | | | +| 20221124 | - Added R81.20 support
- Upgraded azurerm provider | +| | | | +| 20220111 | - Added support to select different shells | +| | | | +| 20210309 | - Add "source_image_vhd_uri" variable for using a custom development image
- Fix zones filed for scale set be installed as multi-zone
- Modify "management_interface" variable and tags regarding managing the Gateways in the Scale Set | +| | | | +| 20210111 |- Update terraform version to 0.14.3
- Update azurerm version to 2.17.0
- Add authentication_type variable for choosing the authentication type.
- Add support for R81.
- Add public IP addresses support.
- Add support to CloudGuards metrics.
- Update resources for NSG https://github.com/CheckPointSW/CloudGuardIaaS/issues/67
- Avoid role-assignment re-creation when re-applying |
+| | | |
+| 20200323 | Remove the domain_name_label variable from the azurerm_public_ip resource |
+| | | |
+| 20200305 | First release of Check Point CloudGuard IaaS VMSS Terraform deployment for Azure |
+| | | |
+| | Addition of "templateType" parameter to "cloud-version" files |
+| | | |
+
+
+## License
+
+See the [LICENSE](../../LICENSE) file for details
+
diff --git a/deprecated/terraform/azure/R8040-R81/vmss-new-vnet/azure_public_key b/deprecated/terraform/azure/R8040-R81/vmss-new-vnet/azure_public_key
new file mode 100644
index 00000000..e69de29b
diff --git a/deprecated/terraform/azure/R8040-R81/vmss-new-vnet/cloud-init.sh b/deprecated/terraform/azure/R8040-R81/vmss-new-vnet/cloud-init.sh
new file mode 100644
index 00000000..f11f72c3
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/vmss-new-vnet/cloud-init.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/python3 /etc/cloud_config.py
+
+installationType="${installation_type}"
+allowUploadDownload="${allow_upload_download}"
+osVersion="${os_version}"
+templateName="${template_name}"
+templateVersion="${template_version}"
+templateType="${template_type}"
+isBlink="${is_blink}"
+bootstrapScript64="${bootstrap_script64}"
+location="${location}"
+sicKey="${sic_key}"
+vnet="${vnet}"
+customMetrics="${enable_custom_metrics}"
+adminShell="${admin_shell}"
+passwordHash="${serial_console_password_hash}"
+MaintenanceModePassword="${maintenance_mode_password_hash}"
diff --git a/deprecated/terraform/azure/R8040-R81/vmss-new-vnet/main.tf b/deprecated/terraform/azure/R8040-R81/vmss-new-vnet/main.tf
new file mode 100644
index 00000000..967fd8c8
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/vmss-new-vnet/main.tf
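Review bot: `sicKey="${sic_key}"`, `passwordHash="${serial_console_password_hash}"` and `MaintenanceModePassword="${maintenance_mode_password_hash}"` render the SIC one-time secret and both password hashes in plaintext into what is presumably the scale set's custom data (the file reads as a `templatefile` input; the scale-set resource that consumes it is not in view). Custom data is readable by anyone with read access to the scale-set model and from the instance metadata service on every instance, so the SIC key outlives the first-boot trust establishment it was meant for. I would say so at the top of the template, `# NOTE: rendered into VM custom data; sic_key is recoverable from the VMSS model/IMDS - reset SIC on the management server once trust is established`, or in the README if `/etc/cloud_config.py` does not tolerate extra comment lines. The values are also interpolated unescaped inside double quotes, so a `sic_key` containing `"` or `$` would corrupt the assignment; the README restricts the key to alphanumerics but the check in variables.tf only enforces length.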
@@ -0,0 +1,442 @@ +provider "azurerm" { + subscription_id = var.subscription_id + client_id = var.client_id + client_secret = var.client_secret + tenant_id = var.tenant_id + + features {} +} + +//********************** Basic Configuration **************************// +module "common" { + source = "../modules/common" + resource_group_name = var.resource_group_name + location = var.location + admin_password = var.authentication_type == "SSH Public Key" ? random_id.random_id.hex : var.admin_password + installation_type = var.installation_type + template_name = var.template_name + template_version = var.template_version + number_of_vm_instances = var.number_of_vm_instances + allow_upload_download = var.allow_upload_download + vm_size = var.vm_size + disk_size = var.disk_size + is_blink = var.is_blink + os_version = var.os_version + vm_os_sku = var.vm_os_sku + vm_os_offer = var.vm_os_offer + authentication_type = var.authentication_type + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash + storage_account_additional_ips = var.storage_account_additional_ips +} + +//********************** Networking **************************// +module "vnet" { + source = "../modules/vnet" + vnet_name = var.vnet_name + resource_group_name = module.common.resource_group_name + location = module.common.resource_group_location + nsg_id = var.nsg_id == "" ? module.network-security-group[0].network_security_group_id: var.nsg_id + address_space = var.address_space + subnet_prefixes = var.subnet_prefixes +} + +module "network-security-group" { + source = "../modules/network-security-group" + count = var.nsg_id == "" ? 
1 : 0 + resource_group_name = module.common.resource_group_name + security_group_name = "${module.common.resource_group_name}_nsg" + location = module.common.resource_group_location + security_rules = [ + { + name = "AllowAllInBound" + priority = "100" + direction = "Inbound" + access = "Allow" + protocol = "*" + source_port_ranges = "*" + destination_port_ranges = "*" + description = "Allow all inbound connections" + source_address_prefix = "*" + destination_address_prefix = "*" + } + ] +} + +//********************** Load Balancers **************************// +resource "random_id" "random_id" { + byte_length = 13 + keepers = { + rg_id = module.common.resource_group_id + } +} + +resource "azurerm_public_ip" "public-ip-lb" { + count = var.deployment_mode != "Internal" ? 1 : 0 + name = "${var.vmss_name}-app-1" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + allocation_method = module.vnet.allocation_method + sku = var.sku + domain_name_label = "${lower(var.vmss_name)}-${random_id.random_id.hex}" +} + +resource "azurerm_lb" "frontend-lb" { + count = var.deployment_mode != "Internal" ? 1 : 0 + depends_on = [azurerm_public_ip.public-ip-lb] + name = "frontend-lb" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + sku = var.sku + + frontend_ip_configuration { + name = "${var.vmss_name}-app-1" + public_ip_address_id = azurerm_public_ip.public-ip-lb[0].id + } +} + +resource "azurerm_lb_backend_address_pool" "frontend-lb-pool" { + count = var.deployment_mode != "Internal" ? 1 : 0 + loadbalancer_id = azurerm_lb.frontend-lb[0].id + name = "${var.vmss_name}-app-1" +} + +resource "azurerm_lb" "backend-lb" { + count = var.deployment_mode != "External" ? 
1 : 0 + name = "backend-lb" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + sku = var.sku + frontend_ip_configuration { + name = "backend-lb" + subnet_id = module.vnet.vnet_subnets[1] + private_ip_address_allocation = module.vnet.allocation_method + private_ip_address = cidrhost(module.vnet.subnet_prefixes[1], var.backend_lb_IP_address) + } +} + +resource "azurerm_lb_backend_address_pool" "backend-lb-pool" { + count = var.deployment_mode != "External" ? 1 : 0 + name = "backend-lb-pool" + loadbalancer_id = azurerm_lb.backend-lb[0].id +} + +resource "azurerm_lb_probe" "azure_lb_healprob" { + count = var.deployment_mode == "Standard" ? 2 : 1 + depends_on = [azurerm_lb.frontend-lb, azurerm_lb.backend-lb] + loadbalancer_id = var.deployment_mode == "Standard" ? (count.index == 0 ? azurerm_lb.frontend-lb[0].id : azurerm_lb.backend-lb[0].id) : (var.deployment_mode == "External" ? azurerm_lb.frontend-lb[0].id : azurerm_lb.backend-lb[0].id) + name = var.deployment_mode == "Standard" ? (count.index == 0 ? "${var.vmss_name}-app-1" : "backend-lb") : (var.deployment_mode == "External" ? "${var.vmss_name}-app-1" : "backend-lb") + protocol = var.lb_probe_protocol + port = var.lb_probe_port + interval_in_seconds = var.lb_probe_interval + number_of_probes = var.lb_probe_unhealthy_threshold +} + +// Standard deployment +resource "azurerm_lb_rule" "lbnatrule-standard" { + count = var.deployment_mode == "Standard" ? 2 : 0 + depends_on = [azurerm_lb.frontend-lb[0],azurerm_lb_probe.azure_lb_healprob,azurerm_lb.backend-lb[0]] + loadbalancer_id = count.index == 0 ? azurerm_lb.frontend-lb[0].id : azurerm_lb.backend-lb[0].id + name = count.index == 0 ? "${var.vmss_name}-app-1" : "backend-lb" + protocol = count.index == 0 ? "Tcp" : "All" + frontend_port = count.index == 0 ? var.frontend_port : "0" + backend_port = count.index == 0 ? var.backend_port : "0" + backend_address_pool_ids = count.index == 0 ? 
[azurerm_lb_backend_address_pool.frontend-lb-pool[0].id] : [azurerm_lb_backend_address_pool.backend-lb-pool[0].id] + frontend_ip_configuration_name = count.index == 0 ? azurerm_lb.frontend-lb[0].frontend_ip_configuration[0].name : azurerm_lb.backend-lb[0].frontend_ip_configuration[0].name + probe_id = azurerm_lb_probe.azure_lb_healprob[count.index].id + load_distribution = count.index == 0 ? var.frontend_load_distribution : var.backend_load_distribution + enable_floating_ip = var.enable_floating_ip +} + +// External deployment +resource "azurerm_lb_rule" "lbnatrule-external" { + count = var.deployment_mode == "External" ? 1 : 0 + depends_on = [azurerm_lb.frontend-lb[0],azurerm_lb_probe.azure_lb_healprob] + loadbalancer_id = azurerm_lb.frontend-lb[0].id + name = "${var.vmss_name}-app-1" + protocol = "Tcp" + frontend_port = var.frontend_port + backend_port = var.backend_port + backend_address_pool_ids = [azurerm_lb_backend_address_pool.frontend-lb-pool[0].id] + frontend_ip_configuration_name = azurerm_lb.frontend-lb[0].frontend_ip_configuration[0].name + probe_id = azurerm_lb_probe.azure_lb_healprob[0].id + load_distribution = var.frontend_load_distribution + enable_floating_ip = var.enable_floating_ip +} + +// Internal deployment +resource "azurerm_lb_rule" "lbnatrule-internal" { + count = var.deployment_mode == "Internal" ? 
1 : 0 + depends_on = [azurerm_lb_probe.azure_lb_healprob,azurerm_lb.backend-lb[0]] + loadbalancer_id = azurerm_lb.backend-lb[0].id + name = "backend-lb" + protocol = "All" + frontend_port = "0" + backend_port = "0" + backend_address_pool_ids = [azurerm_lb_backend_address_pool.backend-lb-pool[0].id] + frontend_ip_configuration_name = azurerm_lb.backend-lb[0].frontend_ip_configuration[0].name + probe_id = azurerm_lb_probe.azure_lb_healprob[0].id + load_distribution = var.backend_load_distribution + enable_floating_ip = var.enable_floating_ip +} + +//********************** Storage accounts **************************// +// Generate random text for a unique storage account name +resource "random_id" "randomId" { + keepers = { + # Generate a new ID only when a new resource group is defined + resource_group = module.common.resource_group_name + } + byte_length = 8 +} +resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { + name = "diag${random_id.randomId.hex}" + resource_group_name = module.common.resource_group_name + location = module.common.resource_group_location + account_tier = module.common.storage_account_tier + account_replication_type = module.common.account_replication_type + network_rules { + default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow" + ip_rules = module.common.storage_account_ip_rules + } + blob_properties { + delete_retention_policy { + days = "15" + } + } +} + +//********************** Virtual Machines **************************// +locals { + SSH_authentication_type_condition = var.authentication_type == "SSH Public Key" ? true : false + availability_zones_num_condition = var.availability_zones_num == "0" ? null : var.availability_zones_num == "1" ? ["1"] : var.availability_zones_num == "2" ? ["1", "2"] : ["1", "2", "3"] + custom_image_condition = var.source_image_vhd_uri == "noCustomUri" ? 
false : true + management_interface_name = split("-", var.management_interface)[0] + management_ip_address_type = split("-", var.management_interface)[1] +} + +resource "azurerm_image" "custom-image" { + count = local.custom_image_condition ? 1 : 0 + name = "custom-image" + location = var.location + resource_group_name = module.common.resource_group_name + + os_disk { + os_type = "Linux" + os_state = "Generalized" + blob_uri = var.source_image_vhd_uri + } +} + +resource "azurerm_linux_virtual_machine_scale_set" "vmss" { + name = var.vmss_name + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + sku = module.common.vm_size + zones = local.availability_zones_num_condition + instances = var.number_of_vm_instances + overprovision = false + + dynamic "identity" { + for_each = var.enable_custom_metrics ? [1] : [] + content { + type = "SystemAssigned" + } + } + + dynamic "source_image_reference" { + for_each = local.custom_image_condition ? [] : [1] + content { + publisher = module.common.publisher + offer = module.common.vm_os_offer + sku = module.common.vm_os_sku + version = module.common.vm_os_version + } + } + source_image_id = local.custom_image_condition? azurerm_image.custom-image[0].id : null + + os_disk { + disk_size_gb = module.common.disk_size + caching = module.common.storage_os_disk_caching + storage_account_type = module.common.storage_account_type + } + + dynamic "plan" { + for_each = local.custom_image_condition ? 
[] : [1] + content { + name = module.common.vm_os_sku + publisher = module.common.publisher + product = module.common.vm_os_offer + } + } + + computer_name_prefix = var.vmss_name + admin_username = module.common.admin_username + admin_password = module.common.admin_password + custom_data = base64encode(templatefile("${path.module}/cloud-init.sh", { + installation_type = module.common.installation_type + allow_upload_download = module.common.allow_upload_download + os_version = module.common.os_version + template_name = module.common.template_name + template_version = module.common.template_version + template_type = "terraform" + is_blink = module.common.is_blink + bootstrap_script64 = base64encode(var.bootstrap_script) + location = module.common.resource_group_location + sic_key = var.sic_key + vnet = module.vnet.subnet_prefixes[0] + enable_custom_metrics = var.enable_custom_metrics ? "yes" : "no" + admin_shell = var.admin_shell + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash + })) + + + disable_password_authentication = local.SSH_authentication_type_condition + + dynamic "admin_ssh_key" { + for_each = local.SSH_authentication_type_condition ? [ + 1] : [] + content { + public_key = file("azure_public_key") + username = "notused" + } + } + + + boot_diagnostics { + storage_account_uri = module.common.boot_diagnostics ? join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : "" + } + + upgrade_mode = "Manual" + + network_interface { + name = "eth0" + primary = true + enable_ip_forwarding = true + enable_accelerated_networking = true + network_security_group_id = module.network-security-group[0].network_security_group_id + ip_configuration { + name = "ipconfig1" + subnet_id = module.vnet.vnet_subnets[0] + load_balancer_backend_address_pool_ids = var.deployment_mode != "Internal" ? 
[azurerm_lb_backend_address_pool.frontend-lb-pool[0].id]: null + primary = true + public_ip_address { + name = "${var.vmss_name}-public-ip" + idle_timeout_in_minutes = 15 + domain_name_label = "${lower(var.vmss_name)}-dns-name" + } + } + } + + network_interface { + name = "eth1" + primary = false + enable_ip_forwarding = true + enable_accelerated_networking = true + ip_configuration { + name = "ipconfig2" + subnet_id = module.vnet.vnet_subnets[1] + load_balancer_backend_address_pool_ids = var.deployment_mode != "External" ? [azurerm_lb_backend_address_pool.backend-lb-pool[0].id] : null + primary = true + } + } + + tags = var.management_interface == "eth0"?{ + x-chkp-management = var.management_name, + x-chkp-template = var.configuration_template_name, + x-chkp-ip-address = local.management_ip_address_type, + x-chkp-management-interface = local.management_interface_name, + x-chkp-management-address = var.management_IP, + x-chkp-topology = "eth0:external,eth1:internal", + x-chkp-anti-spoofing = "eth0:false,eth1:false", + x-chkp-srcImageUri = var.source_image_vhd_uri + }:{ + x-chkp-management = var.management_name, + x-chkp-template = var.configuration_template_name, + x-chkp-ip-address = local.management_ip_address_type, + x-chkp-management-interface = local.management_interface_name, + x-chkp-topology = "eth0:external,eth1:internal", + x-chkp-anti-spoofing = "eth0:false,eth1:false", + x-chkp-srcImageUri = var.source_image_vhd_uri + } +} + +resource "azurerm_monitor_autoscale_setting" "vmss_settings" { + depends_on = [azurerm_linux_virtual_machine_scale_set.vmss] + name = var.vmss_name + resource_group_name = module.common.resource_group_name + location = module.common.resource_group_location + target_resource_id = azurerm_linux_virtual_machine_scale_set.vmss.id + + profile { + name = "Profile1" + + capacity { + default = module.common.number_of_vm_instances + minimum = var.minimum_number_of_vm_instances + maximum = var.maximum_number_of_vm_instances + } + + rule { + 
metric_trigger { + metric_name = "Percentage CPU" + metric_resource_id = azurerm_linux_virtual_machine_scale_set.vmss.id + time_grain = "PT1M" + statistic = "Average" + time_window = "PT5M" + time_aggregation = "Average" + operator = "GreaterThan" + threshold = 80 + } + + scale_action { + direction = "Increase" + type = "ChangeCount" + value = "1" + cooldown = "PT5M" + } + } + + rule { + metric_trigger { + metric_name = "Percentage CPU" + metric_resource_id = azurerm_linux_virtual_machine_scale_set.vmss.id + time_grain = "PT1M" + statistic = "Average" + time_window = "PT5M" + time_aggregation = "Average" + operator = "LessThan" + threshold = 60 + } + + scale_action { + direction = "Decrease" + type = "ChangeCount" + value = "1" + cooldown = "PT5M" + } + } + } + + notification { + email { + send_to_subscription_administrator = false + send_to_subscription_co_administrator = false + custom_emails = var.notification_email == "" ? [] : [var.notification_email] + } + } +} + +resource "azurerm_role_assignment" "custom_metrics_role_assignment"{ + depends_on = [azurerm_linux_virtual_machine_scale_set.vmss] + count = var.enable_custom_metrics ? 1 : 0 + role_definition_id = join("", ["/subscriptions/", var.subscription_id, "/providers/Microsoft.Authorization/roleDefinitions/", "3913510d-42f4-4e42-8a64-420c390055eb"]) + principal_id = lookup(azurerm_linux_virtual_machine_scale_set.vmss.identity[0], "principal_id") + scope = module.common.resource_group_id + lifecycle { + ignore_changes = [ + role_definition_id, principal_id + ] + } +} diff --git a/deprecated/terraform/azure/R8040-R81/vmss-new-vnet/terraform.tfvars b/deprecated/terraform/azure/R8040-R81/vmss-new-vnet/terraform.tfvars new file mode 100644 index 00000000..73266464 --- /dev/null +++ b/deprecated/terraform/azure/R8040-R81/vmss-new-vnet/terraform.tfvars 
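Review bot: The eth0 `network_security_group_id = module.network-security-group[0].network_security_group_id` inside `azurerm_linux_virtual_machine_scale_set.vmss` indexes the NSG module unconditionally, but that module is declared with `count = var.nsg_id == "" ? 1 : 0`, so supplying a custom `nsg_id` leaves the module empty and the plan fails on an invalid index — the `module "vnet"` call a few lines earlier already guards the same reference. Change the line to `network_security_group_id = var.nsg_id == "" ? module.network-security-group[0].network_security_group_id : var.nsg_id`. Separately, the NSG created when `nsg_id` is empty has a single `AllowAllInBound` rule (`*` to `*`, priority 100) attached to an interface that also receives a per-instance `public_ip_address`; if that is deliberate because the Check Point policy does the filtering, a comment such as `# Default NSG is allow-all by design: filtering is done by the gateway policy. Pass nsg_id to restrict at the Azure layer.` should say so.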
@@ -0,0 +1,42 @@
+//#PLEASE refer to the README.md for accepted values FOR THE VARIABLES BELOW
+client_secret = "PLEASE ENTER CLIENT SECRET" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+client_id = "PLEASE ENTER CLIENT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+tenant_id = "PLEASE ENTER TENANT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+subscription_id = "PLEASE ENTER SUBSCRIPTION ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+source_image_vhd_uri = "PLEASE ENTER SOURCE IMAGE VHD URI OR noCustomUri" # "noCustomUri"
+resource_group_name = "PLEASE ENTER RESOURCE GROUP NAME" # "checkpoint-vmss-terraform"
+vmss_name = "PLEASE ENTER SCALE SET NAME" # "checkpoint-vmss-terraform"
+location = "PLEASE ENTER LOCATION" # "eastus"
+vnet_name = "PLEASE ENTER VIRTUAL NETWORK NAME" # "checkpoint-vmss-vnet"
+address_space = "PLEASE ENTER VIRTUAL NETWORK ADDRESS SPACE" # "10.0.0.0/16"
+subnet_prefixes = "PLEASE ENTER ADDRESS PREFIXES FOR SUBNETS" # ["10.0.1.0/24","10.0.2.0/24"]
+backend_lb_IP_address = "PLEASE ENTER BACKEND LB IP ADDRESS POSITIONAL NUMBER" # 4
+admin_password = "PLEASE ENTER ADMIN PASSWORD" # "xxxxxxxxxxxx"
+sic_key = "PLEASE ENTER SIC KEY" # "xxxxxxxxxxxx"
+vm_size = "PLEASE ENTER VM SIZE" # "Standard_D3_v2"
+disk_size = "PLEASE ENTER DISK SIZE MUST BE 100 FOR VERSIONS R81.20 AND BELOW" # "100"
+vm_os_sku = "PLEASE ENTER VM SKU" # "sg-byol"
+vm_os_offer = "PLEASE ENTER VM OFFER" # "check-point-cg-r8110"
+os_version = "PLEASE ENTER GAIA OS VERSION" # "R8110"
+bootstrap_script = "PLEASE ENTER CUSTOM SCRIPT OR LEAVE EMPTY DOUBLE QUOTES" # "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
+allow_upload_download = "PLEASE ENTER true or false" # true
+authentication_type = "PLEASE ENTER AUTHENTICATION TYPE" # "Password"
+availability_zones_num = "PLEASE ENTER NUMBER OF AVAILABILITY ZONES" # "1"
+minimum_number_of_vm_instances = "PLEASE ENTER MINIMUM NUMBER OF VM INSTANCES" # 2
+maximum_number_of_vm_instances = "PLEASE ENTER MAXIMUM 
NUMBER OF VM INSTANCES" # 10
+management_name = "PLEASE ENTER MANAGEMENT NAME" # "mgmt"
+management_IP = "PLEASE ENTER MANAGEMENT IP" # "13.92.42.181"
+management_interface = "PLEASE ENTER MANAGEMENT INTERFACE" # "eth1-private"
+configuration_template_name = "PLEASE ENTER CONFIGURATION TEMPLATE NAME" # "vmss_template"
+notification_email = "PLEASE ENTER NOTIFICATION MAIL OR LEAVE EMPTY DOUBLE QUOTES" # ""
+frontend_load_distribution = "PLEASE ENTER EXTERNAL LOAD BALANCER SESSION PERSISTENCE" # "Default"
+backend_load_distribution = "PLEASE ENTER INTERNAL LOAD BALANCER SESSION PERSISTENCE" # "Default"
+enable_custom_metrics = "PLEASE ENTER true or false" # true
+enable_floating_ip = "PLEASE ENTER true or false" # false
+deployment_mode = "PLEASE ENTER DEPLOYMENT MODE" # "Standard"
+admin_shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh"
+serial_console_password_hash = "PLEASE ENTER SERIAL CONSOLE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+nsg_id = "PLEASE ENTER NETWORK SECURITY GROUP ID" # ""
+add_storage_account_ip_rules = "PLEASE ENTER true or false" # false
+storage_account_additional_ips = "PLEASE ENTER A LIST OF VALID IPS/CIDRS" # []
\ No newline at end of file
diff --git a/deprecated/terraform/azure/R8040-R81/vmss-new-vnet/variables.tf b/deprecated/terraform/azure/R8040-R81/vmss-new-vnet/variables.tf
new file mode 100644
index 00000000..1760b8a2
--- /dev/null
+++ b/deprecated/terraform/azure/R8040-R81/vmss-new-vnet/variables.tf
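Review bot: `client_secret`, `admin_password` and `sic_key` are presented here as values to type into a file that lives in the repository, which is exactly how service-principal secrets end up committed and pushed. The leading comment should steer operators away from that, e.g. `//# Do NOT put real secrets in this file: supply client_secret, admin_password and sic_key via TF_VAR_* environment variables (or ARM_CLIENT_SECRET for the provider) and keep any populated terraform.tfvars out of version control.` I cannot tell from this hunk whether the repository's .gitignore excludes populated tfvars files, so the comment is the only guard visible here.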
@@ -0,0 +1,393 @@ +//********************** Basic Configuration Variables **************************// +variable "vmss_name"{ + description = "vmss name" + type = string +} + +variable "resource_group_name" { + description = "Azure Resource Group name to build into" + type = string +} + +variable "location" { + description = "The location/region where resources will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions" + type = string +} + +//********************** Virtual Machine Instances Variables **************************// +variable "source_image_vhd_uri" { + type = string + description = "The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images." + default = "noCustomUri" +} + +variable "admin_username" { + description = "Administrator username of deployed VM. Due to Azure limitations 'notused' name can be used" + default = "notused" +} + +variable "admin_password" { + description = "Administrator password of deployed Virtual Machine. The password must meet the complexity requirements of Azure" + type = string +} + +variable "serial_console_password_hash" { + description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type" + type = string +} + +variable "maintenance_mode_password_hash" { + description = "Maintenance mode password hash, relevant only for R81.20 and higher versions" + type = string +} + +variable "availability_zones_num" { + description = "The number of availability zones to use for Scale Set. 
Note that the load balancers and their IP addresses will be redundant in any case" + #Availability Zones are only supported in several regions at this time + #"centralus", "eastus2", "francecentral", "northeurope", "southeastasia", "westeurope", "westus2", "eastus", "uksouth" + #type = list(string) +} + +locals { // locals for 'availability_zones_num' allowed values + availability_zones_num_allowed_values = [ + "0", + "1", + "2", + "3" + ] + // will fail if [var.availability_zones_num] is invalid: + validate_availability_zones_num_value = index(local.availability_zones_num_allowed_values, var.availability_zones_num) +} + +variable "sic_key" { + description = "Secure Internal Communication(SIC) key" + type = string +} +resource "null_resource" "sic_key_invalid" { + count = length(var.sic_key) >= 12 ? 0 : "SIC key must be at least 12 characters long" +} + +variable "template_name"{ + description = "Template name. Should be defined according to deployment type(ha, vmss)" + type = string + default = "vmss-terraform" +} + +variable "template_version"{ + description = "Template version. 
It is recommended to always use the latest template version" + type = string + default = "20230910" +} + +variable "installation_type"{ + description = "Installation type" + type = string + default = "vmss" +} + +variable "number_of_vm_instances"{ + description = "Default number of VM instances to deploy" + type = string + default = "2" +} + +variable "minimum_number_of_vm_instances" { + description = "Minimum number of VM instances to deploy" + type = string +} + +variable "maximum_number_of_vm_instances" { + description = "Maximum number of VM instances to deploy" + type = string +} + +variable "vm_size" { + description = "Specifies size of Virtual Machine" + type = string +} + + +variable "os_version" { + description = "GAIA OS version" + type = string +} + +locals { // locals for 'vm_os_offer' allowed values + os_version_allowed_values = [ + "R8040", + "R81", + "R8110", + "R8120", + ] + // will fail if [var.os_version] is invalid: + validate_os_version_value = index(local.os_version_allowed_values, var.os_version) +} +variable "disk_size" { + description = "Storage data disk size size(GB). Select a number between 100 and 3995, if you are using R81.20 or below, the disk size must be 100" + type = string + default = 100 +} +resource "null_resource" "disk_size_validation" { + // Will fail if var.disk_size is not 100 and the version is R81.20 or below + count = tonumber(var.disk_size) != 100 && contains(["R8040", "R81", "R8110", "R8120"], var.os_version) ? "variable disk_size can not be changed for R81.20 and below" : 0 +} +variable "vm_os_sku" { + description = "The sku of the image to be deployed." 
+ type = string +} + +variable "authentication_type" { + description = "Specifies whether a password authentication or SSH Public Key authentication should be used" + type = string +} +locals { // locals for 'authentication_type' allowed values + authentication_type_allowed_values = [ + "Password", + "SSH Public Key" + ] + // will fail if [var.authentication_type] is invalid: + validate_authentication_type_value = index(local.authentication_type_allowed_values, var.authentication_type) +} + +variable "allow_upload_download" { + description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + type = bool +} + +variable "is_blink" { + description = "Define if blink image is used for deployment" + default = true +} + +variable "management_name" { + description = "The name of the management server as it appears in the configuration file" + type = string +} + +variable "management_IP" { + description = "The IP address used to manage the VMSS instances" + type = string +} + +variable "management_interface" { + description = "Manage the Gateways in the Scale Set via the instance's external (eth0) or internal (eth1) NIC's private IP address" + type = string + default = "eth1-private" +} +locals { // locals for 'management_interface' allowed values + management_interface_allowed_values = [ + "eth0-public", + "eth0-private", + "eth1-private" + ] + // will fail if [var.management_interface] is invalid: + validate_management_interface_value = index(local.management_interface_allowed_values, var.management_interface) +} + +variable "configuration_template_name" { + description = "The configuration template name as it appears in the configuration file" + type = string +} + +variable "admin_shell" { + description = "The admin shell to configure on machine or the first time" + type = string + default = "/etc/cli.sh" +} + +locals { + admin_shell_allowed_values = [ + "/etc/cli.sh", + "/bin/bash", + 
"/bin/csh", + "/bin/tcsh" + ] + // Will fail if [var.admin_shell] is invalid + validate_admin_shell_value = index(local.admin_shell_allowed_values, var.admin_shell) +} + +//********************** Networking Variables **************************// +variable "vnet_name" { + description = "Virtual Network name" + type = string +} + +variable "address_space" { + description = "The address space that is used by a Virtual Network." + type = string + default = "10.0.0.0/16" +} + +variable "subnet_prefixes" { + description = "Address prefix to be used for network subnets" + type = list(string) + default = ["10.0.0.0/24","10.0.1.0/24"] +} + +variable "nsg_id" { + description = "NSG ID - Optional - if empty use default NSG" + default = "" +} + +variable "add_storage_account_ip_rules" { + type = bool + default = false + description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location" +} + +variable "storage_account_additional_ips" { + type = list(string) + description = "IPs/CIDRs that are allowed access to the Storage Account" + default = [] +} +//********************* Load Balancers Variables **********************// +variable "deployment_mode" { + description = "The type of the deployment, can be 'Standard' for both load balancers or 'External' for external load balancer or 'Internal for internal load balancer" + type = string + default = "Standard" +} + +locals { // locals for 'deployment_mode' allowed values + deployment_mode_allowd_values = [ + "Standard", + "External", + "Internal" + ] + // will fail if [var.deployment_mode] is invalid: + validate_deployment_mode_value = index(local.deployment_mode_allowd_values, var.deployment_mode) +} + +variable "backend_lb_IP_address" { + description = "The IP address is defined by its position in the subnet" + type = number +} + +variable "lb_probe_port" { + description = "Port to be used for load balancer health probes and rules" + default = "8117" +} + +variable 
"lb_probe_protocol" { + description = "Protocols to be used for load balancer health probes and rules" + default = "Tcp" +} + +variable "lb_probe_unhealthy_threshold" { + description = "Number of times load balancer health probe has an unsuccessful attempt before considering the endpoint unhealthy." + default = 2 +} + +variable "lb_probe_interval" { + description = "Interval in seconds load balancer health probe rule performs a check" + default = 5 +} + +variable "frontend_port" { + description = "Port that will be exposed to the external Load Balancer" + type = string + default = "80" +} + +variable "backend_port" { + description = "Port that will be exposed to the external Load Balance" + type = string + default = "8081" +} + +variable "frontend_load_distribution" { + description = "Specifies the load balancing distribution type to be used by the frontend load balancer" + type = string +} + +locals { // locals for 'frontend_load_distribution' allowed values + frontend_load_distribution_allowed_values = [ + "Default", + "SourceIP", + "SourceIPProtocol" + ] + // will fail if [var.frontend_load_distribution] is invalid: + validate_frontend_load_distribution_value = index(local.frontend_load_distribution_allowed_values, var.frontend_load_distribution) +} + +variable "backend_load_distribution" { + description = "Specifies the load balancing distribution type to be used by the backend load balancer" + type = string +} + +locals { // locals for 'frontend_load_distribution' allowed values + backend_load_distribution_allowed_values = [ + "Default", + "SourceIP", + "SourceIPProtocol" + ] + // will fail if [var.backend_load_distribution] is invalid: + validate_backend_load_distribution_value = index(local.backend_load_distribution_allowed_values, var.backend_load_distribution) +} + +//********************** Scale Set variables *******************// + +variable "vm_os_offer" { + description = "The name of the offer of the image that you want to deploy.Choose from: 
check-point-cg-r8040, check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" + type = string +} + +locals { // locals for 'vm_os_offer' allowed values + vm_os_offer_allowed_values = [ + "check-point-cg-r8040", + "check-point-cg-r81", + "check-point-cg-r8110", + "check-point-cg-r8120", + ] + // will fail if [var.vm_os_offer] is invalid: + validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer) +} + +variable "bootstrap_script"{ + description = "An optional script to run on the initial boot" + #example: + #"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" +} + +variable "notification_email" { + description = "Specifies a list of custom email addresses to which the email notifications will be sent" + type = string +} + +//********************** Credentials **************************// +variable "tenant_id" { + description = "Tenant ID" + type = string +} + +variable "subscription_id" { + description = "Subscription ID" + type = string +} + +variable "client_id" { + description = "Application ID(Client ID)" + type = string +} + +variable "client_secret" { + description = "A secret string that the application uses to prove its identity when requesting a token. Also can be referred to as application password." + type = string +} + +variable "sku" { + description = "SKU" + type = string + default = "Standard" +} + +variable "enable_custom_metrics" { + description = "Enable CloudGuard metrics in order to send statuses and statistics collected from VMSS instances to the Azure Monitor service." + type = bool + default = true +} + +variable "enable_floating_ip" { + description = "Indicates whether the load balancers will be deployed with floating IP." + type = bool + default = false +} diff --git a/deprecated/terraform/azure/R8040-R81/vmss-new-vnet/versions.tf b/deprecated/terraform/azure/R8040-R81/vmss-new-vnet/versions.tf new file mode 100644 index 00000000..df4caa26 --- /dev/null 
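Review bot: None of the secret-bearing inputs declared in this hunk — `client_secret`, `admin_password`, `sic_key`, `serial_console_password_hash`, `maintenance_mode_password_hash` — carries `sensitive = true`, so Terraform echoes them in plan diffs and `terraform show` output; versions.tf in this same commit pins `required_version = ">= 0.14.3"`, where the attribute is available. Add `sensitive = true` to each of those five `variable` blocks. The `null_resource` count-as-string trick used for `sic_key_invalid` and `disk_size_validation` relies on a type error whose text happens to include the string; a `validation { condition = length(var.sic_key) >= 12 error_message = "SIC key must be at least 12 characters long." }` block inside `variable "sic_key"` gives the same check with an intentional message. The `disk_size` description says "Select a number between 100 and 3995", yet `os_version_allowed_values` contains only R8040–R8120 and `disk_size_validation` rejects any value other than 100 for all of them, so in this template the disk size is effectively fixed; the description should say so rather than advertise a range no input can reach.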
+++ b/deprecated/terraform/azure/R8040-R81/vmss-new-vnet/versions.tf @@ -0,0 +1,14 @@ +terraform { + required_version = ">= 0.14.3" + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = "~> 3.81.0" + } + random = { + version = "~> 3.5.1" + } + } +} + + diff --git a/deprecated/terraform/azure/README.md b/deprecated/terraform/azure/README.md new file mode 100644 index 00000000..c24588d9 --- /dev/null +++ b/deprecated/terraform/azure/README.md @@ -0,0 +1,12 @@ +# Check Point Terraform deployment modules for Azure + +This project was developed to allow Terraform deployments for Check Point CloudGuard IaaS solutions on Azure. + + +These modules use Terraform's [Azurerm provider](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs) in order to create and provision resources on Azure. + + + ## Prerequisites + +1. [Download Terraform](https://www.terraform.io/downloads.html) and follow the instructions according to your OS. +2. Get started with Terraform Azurerm provider - refer to [Terraform Azurerm provider best practices](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs). \ No newline at end of file diff --git a/deprecated/terraform/gcp/R8040-R81/autoscale-into-existing-vpc/README.md b/deprecated/terraform/gcp/R8040-R81/autoscale-into-existing-vpc/README.md new file mode 100644 index 00000000..1c11c3d3 --- /dev/null +++ b/deprecated/terraform/gcp/R8040-R81/autoscale-into-existing-vpc/README.md 
@@ -0,0 +1,233 @@ +# Check Point Autoscale into VPC (MIG) Terraform module for GCP + +Terraform module which deploys an Auto Scaling Group of Check Point Security Gateways into an existing VPC on GCP. + +These types of Terraform resources are supported: +* [Instance Template](https://www.terraform.io/docs/providers/google/r/compute_instance_template.html) +* [Firewall](https://www.terraform.io/docs/providers/google/r/compute_firewall.html) - conditional creation +* [Instance Group Manager](https://www.terraform.io/docs/providers/google/r/compute_region_instance_group_manager.html) +* [Autoscaler](https://www.terraform.io/docs/providers/google/r/compute_region_autoscaler.html) + + +For additional information, +please see the [CloudGuard Network for GCP Autoscaling MIG Deployment Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_GCP_Autoscaling_MIG/Default.htm) + +Terraform is controlled via a very easy to use command-line interface (CLI). Terraform is only a single command-line application: **terraform**. + +## Before you begin +1. Create a project in the [Google Cloud Console](https://console.cloud.google.com/) and set up billing on that project. +2. [Install Terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli) and read the Terraform getting started guide that follows. This guide will assume basic proficiency with Terraform - it is an introduction to the Google provider. + +## Configuring the Provider +The **main.tf** file includes the following provider configuration block used to configure the credentials you use to authenticate with GCP, as well as a default project and location for your resources: +``` +provider "google" { + credentials = file(var.service_account_path) + project = var.project + region = var.region +} +... +``` + +1. [Create a Service Account](https://cloud.google.com/docs/authentication/getting-started) (or use the existing one). Next, download the JSON key file. 
Name it something you can remember and store it somewhere secure on your machine.
+2. Select "Editor" Role or verify you have the following permissions: + ``` + compute.autoscalers.create + compute.autoscalers.delete + compute.autoscalers.get + compute.disks.create + compute.disks.delete + compute.firewalls.create + compute.firewalls.delete + compute.firewalls.get + compute.images.get + compute.images.useReadOnly + compute.instanceGroupManagers.create + compute.instanceGroupManagers.delete + compute.instanceGroupManagers.get + compute.instanceGroupManagers.use + compute.instanceTemplates.create + compute.instanceTemplates.delete + compute.instanceTemplates.get + compute.instanceTemplates.useReadOnly + compute.instances.create + compute.instances.delete + compute.instances.setMetadata + compute.instances.setTags + compute.networks.get + compute.networks.updatePolicy + compute.regions.list + compute.subnetworks.get + compute.subnetworks.use + compute.subnetworks.useExternalIp + iam.serviceAccountKeys.get + iam.serviceAccountKeys.list + iam.serviceAccounts.actAs + iam.serviceAccounts.get + iam.serviceAccounts.list + ``` +3. ```credentials``` - Your service account key file is used to complete a two-legged OAuth 2.0 flow to obtain access tokens to authenticate with the GCP API as needed; Terraform will use it to reauthenticate automatically when tokens expire.
+The provider credentials can be provided either as static credentials or as [Environment Variables](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#credentials-1). + - Static credentials can be provided by adding the path to your service-account json file, project-id and region in /gcp/modules/autoscale-into-new-vpc/**terraform.tfvars** file as follows: + ``` + service_account_path = "service-accounts/service-account-file-name.json" + project = "project-id" + region = "us-central1" + ``` + - In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in the main.tf file, in the provider google resource, need to be deleted or commented: + ``` + provider "google" { + // credentials = file(var.service_account_path) + // project = var.project + + region = var.region + } + ``` + b.In the terraform.tfvars file leave empty double quotes for credentials and project variables: + ``` + service_account_path = "" + project = "" + ``` +## Usage +- Fill all variables in the /gcp/autoscale-into-existing-vpc/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +#### Variables are configured in autoscale-into-existing-vpc/**terraform.tfvars** file as follows: +``` +# --- Google Provider --- +service_account_path = "service-accounts/service-account-file-name.json" +project = "project-id" + +# --- Check Point--- +prefix = "chkp-tf-mig" +license = "BYOL" +image_name = "check-point-r8110-gw-byol-mig-335-985-v20220126" +management_nic = "Ephemeral Public IP (eth0)" +management_name = "tf-checkpoint-management" +configuration_template_name = "tf-asg-autoprov-tmplt" +admin_SSH_key = "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" +network_defined_by_routes = true +admin_shell = "/etc/cli.sh" +allow_upload_download = true + +# --- Networking --- +region = "us-central1" +external_network_name = "default" +external_subnetwork_name = "default" +internal_network_name = "tf-vpc-network" +internal_subnetwork_name = "tf-vpc-subnetwork" +ICMP_traffic = ["123.123.0.0/24", "234.234.0.0/24"] +TCP_traffic = ["0.0.0.0/0"] +UDP_traffic = [] +SCTP_traffic = [] +ESP_traffic = [] + +# --- Instance Configuration --- +machine_type = "n1-standard-4" +cpu_usage = 60 +instances_min_grop_size = 2 +instances_max_grop_size = 10 +disk_type = "SSD Persistent Disk" +disk_size = 
100 +enable_monitoring = false +``` + +- To tear down your resources: + ``` + terraform destroy + ``` + +## Conditional creation +To create Firewall and allow traffic for ICMP, TCP, UDP, SCTP or/and ESP - enter list of Source IP ranges. +``` +ICMP_traffic = ["123.123.0.0/24", "234.234.0.0/24"] +TCP_traffic = ["0.0.0.0/0"] +UDP_traffic = [] +SCTP_traffic = [] +ESP_traffic = [] +``` +Please leave empty list for a protocol if you want to disable traffic for it. + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | +| ------------- | ------------- | ------------- | ------------- | ------------- | ------------- | +| service_account_path | User service account path in JSON format - From the service account key page in the Cloud Console choose an existing account or create a new one. Next, download the JSON key file. Name it something you can remember, store it somewhere secure on your machine, and supply the path to the location is stored. (e.g. "service-accounts/service-account-name.json") | string | N/A | "" | yes | +| project | Personal project id. The project indicates the default GCP project all of your resources will be created in. | string | N/A | "" | yes | +| | | | | | +| prefix | (Optional) Resources name prefix. | string | N/A | "chkp-tf-mig" | no | +| license | Checkpoint license (BYOL or PAYG). | string | - BYOL
- PAYG
| "BYOL" | no | +| image_name | The autoscaling (MIG) image name (e.g. check-point-r8110-gw-byol-mig-335-985-v20220126). You can choose the desired mig image value from [Github](https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/autoscale-byol/images.py). | string | N/A | N/A | yes | +| management_nic | Management Interface - Autoscaling Security Gateways in GCP can be managed by an ephemeral public IP or using the private IP of the internal interface (eth1). | string | Ephemeral Public IP (eth0)
- Private IP (eth1) | "Ephemeral Public IP (eth0)" | no | +| management_name | The name of the Security Management Server as appears in autoprovisioning configuration. (Please enter a valid Security Management name including lowercase letters, digits and hyphens only). | string | N/A | "checkpoint-management" | no | +| configuration_template_name | Specify the provisioning configuration template name (for autoprovisioning). (Please enter a valid autoprovisioing configuration template name including lowercase letters, digits and hyphens only). | string | N/A | "gcp-asg-autoprov-tmplt" | no | +| admin_SSH_key | Public SSH key for the user 'admin' - The SSH public key for SSH authentication to the MIG instances. Leave this field blank to use all project-wide pre-configured SSH keys. | string | A valid public ssh key | "" | no | +| network_defined_by_routes | Set eth1 topology to define the networks behind this interface by the routes configured on the gateway. | bool | true/false | true | no | +| admin_shell | Change the admin shell to enable advanced command line configuration. | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | "/etc/cli.sh" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| | | | | | +| region | GCP region | string | N/A | N/A | yes | +| external_network_name | The network determines what network traffic the instance can access. | string | N/A | N/A | yes | +| external_subnetwork_name | Assigns the instance an IPv4 address from the subnetwork’s range. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. | string | N/A | N/A | yes | +| internal_network_name | The network determines what network traffic the instance can access. | string | N/A | N/A | yes | +| internal_subnetwork_name | Assigns the instance an IPv4 address from the subnetwork’s range. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. | string | N/A | N/A | yes | +| ICMP_traffic | (Optional) Source IP ranges for ICMP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable ICMP traffic. | list(string) | N/A | [] | no | +| TCP_traffic | (Optional) Source IP ranges for TCP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable TCP traffic. | list(string) | N/A | [] | no | +| UDP_traffic | (Optional) Source IP ranges for UDP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable UDP traffic. | list(string) | N/A | [] | no | +| SCTP_traffic | (Optional) Source IP ranges for SCTP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. 
Please leave empty list to unable SCTP traffic. | list(string) | N/A | [] | no | +| ESP_traffic | (Optional) Source IP ranges for ESP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable ESP traffic. | list(string) | N/A | [] | no | +| | | | | | +| machine_type | Machine Type. | string | N/A | "n1-standard-4" | no | +| cpu_usage | Target CPU usage (%) - Autoscaling adds or removes instances in the group to maintain this level of CPU usage on each instance. | number | number between 10 and 90 | 60 | no | +| instances_min_grop_size | The minimal number of instances | number | N/A | 2 | no | +| instances_max_grop_size | The maximal number of instances | number | N/A | 10 | no | +| disk_type | Storage space is much less expensive for a standard Persistent Disk. An SSD Persistent Disk is better for random IOPS or streaming throughput with low latency. | string | - SSD Persistent Disk
- Balanced Persistent Disk
- Standard Persistent Disk | "SSD Persistent Disk" | no | +| disk_size | Disk size in GB - Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space. | number | number between 100 and 4096 | 100 | no | +| enable_monitoring | Enable Stackdriver monitoring | bool | true/false | false | no | + + +## Outputs +| Name | Description | +| ------------- | ------------- | +| SIC_key | Secure Internal Communication (SIC) initiation key. | +| management_name | Security Management server name. | +| configuration_template_name | Provisioning configuration template name. | +| instance_template_name | Instance template name. | +| instance_group_manager_name | Instance group manager name. | +| autoscaler_name | Autoscaler name. | +| ICMP_firewall_rules_name | If enable - the ICMP firewall rules name, otherwise, an empty list. | +| TCP_firewall_rules_name | If enable - the TCP firewall rules name, otherwise, an empty list. | +| UDP_firewall_rules_name | If enable - the UDP firewall rules name, otherwise, an empty list. | +| SCTP_firewall_rules_name | If enable - the SCTP firewall rules name, otherwise, an empty list. | +| ESP_firewall_rules_name | If enable - the ESP firewall rules name, otherwise, an empty list. | + + +## Revision History +In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +| ---------------- | ------------- | +| 20230109 | Updated startup script to use cloud-config. | +| | | | +| 20201208 | First release of Check Point CloudGuard IaaS Auto Scaling Group of Check Point Security Gateways Terraform solution into an existing VPC on GCP. | +| | | | +| | Addition of "template_type" parameter to "cloud-version" files. 
| +| | | | + +## Authors + + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../../LICENSE) file for details \ No newline at end of file diff --git a/deprecated/terraform/gcp/R8040-R81/autoscale-into-existing-vpc/locals.tf b/deprecated/terraform/gcp/R8040-R81/autoscale-into-existing-vpc/locals.tf new file mode 100644 index 00000000..058d0689 --- /dev/null +++ b/deprecated/terraform/gcp/R8040-R81/autoscale-into-existing-vpc/locals.tf 
@@ -0,0 +1,63 @@ +locals { + license_allowed_values = [ + "BYOL", + "PAYG"] + // will fail if [var.license] is invalid: + validate_license = index(local.license_allowed_values, upper(var.license)) + + regex_validate_image_name = "check-point-r8[0-1][1-4]0-gw-(byol|payg)-mig-[0-9]{3}-([0-9]{3,}|[a-z]+)-v[0-9]{8,}" + // will fail if the image name is not in the right syntax + validate_image_name = length(regexall(local.regex_validate_image_name, var.image_name)) > 0 ? 0 : index(split("-", var.image_name), "INVALID IMAGE NAME") + + management_nic_allowed_values = [ + "Ephemeral Public IP (eth0)", + "Private IP (eth1)"] + // will fail if [var.management_nic] is invalid: + validate_management_nic = index(local.management_nic_allowed_values, var.management_nic) + + regex_valid_management_name = "^([ -~]+)$" + // Will fail if var.management_name is invalid + regex_management_name = regex(local.regex_valid_management_name, var.management_name) == var.management_name ? 0 : "Variable [management_name] must be a valid Security Management name including ascii characters only" + + regex_valid_configuration_template_name = "^([ -~]+)$" + // Will fail if var.configuration_template_name is invalid + regex_configuration_template_name = regex(local.regex_valid_configuration_template_name, var.configuration_template_name) == var.configuration_template_name ? 0 : "Variable [configuration_template_name] must be a valid autoprovisioing configuration template name including ascii characters only" + + regex_valid_admin_SSH_key = "^(^$|ssh-rsa AAAA[0-9A-Za-z+/]+[=]{0,3})" + // Will fail if var.admin_SSH_key is invalid + regex_admin_SSH_key = regex(local.regex_valid_admin_SSH_key, var.admin_SSH_key) == var.admin_SSH_key ? 
0 : "Please enter a valid SSH public key or leave empty" + + admin_shell_allowed_values = [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh"] + // Will fail if var.admin_shell is invalid + validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell) + + regions_allowed_values = data.google_compute_regions.available_regions.names + // Will fail if var.region is invalid + validate_region = index(local.regions_allowed_values, var.region) + + disk_type_allowed_values = [ + "SSD Persistent Disk", + "Balanced Persistent Disk", + "Standard Persistent Disk"] + // Will fail if var.disk_type is invalid + validate_disk_type = index(local.disk_type_allowed_values, var.disk_type) + + + + disk_type_condition = var.disk_type == "SSD Persistent Disk" ? "pd-ssd" : var.disk_type == "Balanced Persistent Disk" ? "pd-balanced" : var.disk_type == "Standard Persistent Disk" ? "pd-standard" : "" + mgmt_nic_condition = var.management_nic == "Ephemeral Public IP (eth0)" ? true : false + mgmt_nic_ip_address_condition = local.mgmt_nic_condition ? "x-chkp-ip-address--public" : "x-chkp-ip-address--private" + mgmt_nic_interface_condition = local.mgmt_nic_condition ? "x-chkp-management-interface--eth0" : "x-chkp-management-interface--eth1" + network_defined_by_routes_condition = var.network_defined_by_routes ? "x-chkp-topology-eth1--internal" : "" + network_defined_by_routes_settings_condition = var.network_defined_by_routes ? "x-chkp-topology-settings-eth1--network-defined-by-routes" : "" + admin_SSH_key_condition = var.admin_SSH_key != "" ? true : false + ICMP_traffic_condition = length(var.ICMP_traffic) == 0 ? 0 : 1 + TCP_traffic_condition = length(var.TCP_traffic) == 0 ? 0 : 1 + UDP_traffic_condition = length(var.UDP_traffic) == 0 ? 0 : 1 + SCTP_traffic_condition = length(var.SCTP_traffic) == 0 ? 0 : 1 + ESP_traffic_condition = length(var.ESP_traffic) == 0 ? 0 : 1 +} \ No newline at end of file 
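Review bot: The SSH-key check in `regex_admin_SSH_key` does not fail for a malformed key: the pattern `^(^$|ssh-rsa AAAA[0-9A-Za-z+/]+[=]{0,3})` has no `$` anchor, and because it contains a capture group `regex()` returns a list, so the `== var.admin_SSH_key` comparison never holds and the ternary merely stores the message string in a local instead of aborting the plan; `regex_management_name` and `regex_configuration_template_name` have the same shape and only fail when `regex()` itself finds no match. Anchoring the pattern and failing through a lookup that cannot succeed, the trick `validate_image_name` already uses, would make the intent real, and a `validation {}` block on the variable is the idiomatic form if this module's required Terraform version allows it. Separately, `regex_valid_management_name = "^([ -~]+)$"` accepts any printable ASCII, whereas the README table in this commit says lowercase letters, digits and hyphens only and the value is interpolated into an instance network tag in main.tf; I believe GCP tags are limited to lowercase letters, digits and hyphens, so an out-of-spec name would surface at apply time rather than at plan, which a pattern like `^[a-z][-a-z0-9]*$` would catch early.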
diff --git a/deprecated/terraform/gcp/R8040-R81/autoscale-into-existing-vpc/main.tf b/deprecated/terraform/gcp/R8040-R81/autoscale-into-existing-vpc/main.tf
new file mode 100644
index 00000000..24548144
--- /dev/null
+++ b/deprecated/terraform/gcp/R8040-R81/autoscale-into-existing-vpc/main.tf
@@ -0,0 +1,197 @@ +provider "google" { + credentials = file(var.service_account_path) + project = var.project + region = var.region +} + +resource "random_string" "random_string" { + length = 5 + special = false + upper = false + keepers = {} +} +data "google_compute_network" "external_network" { + name = var.external_network_name +} +data "google_compute_network" "internal_network" { + name = var.internal_network_name +} +resource "random_string" "random_sic_key" { + length = 12 + special = false +} + +resource "google_compute_instance_template" "instance_template" { + name = "${var.prefix}-tmplt-${random_string.random_string.result}" + machine_type = var.machine_type + can_ip_forward = true + + + disk { + source_image = "checkpoint-public/${var.image_name}" + auto_delete = true + boot = true + device_name = "${var.prefix}-boot-${random_string.random_string.result}" + disk_type = local.disk_type_condition + disk_size_gb = var.disk_size + mode = "READ_WRITE" + type = "PERSISTENT" + } + + network_interface { + network = data.google_compute_network.external_network.self_link + subnetwork = var.external_subnetwork_name + dynamic "access_config" { + for_each = local.mgmt_nic_condition ? [ + 1] : [] + content { + network_tier = local.mgmt_nic_condition ? 
"PREMIUM" : "STANDARD" + } + } + } + + network_interface { + network = data.google_compute_network.internal_network.self_link + subnetwork = var.internal_subnetwork_name + } + + scheduling { + automatic_restart = true + on_host_maintenance = "MIGRATE" + preemptible = false + } + + service_account { + email = "default" + scopes = [ + "https://www.googleapis.com/auth/devstorage.read_only", + "https://www.googleapis.com/auth/logging.write", + "https://www.googleapis.com/auth/monitoring.write", + "https://www.googleapis.com/auth/pubsub", + "https://www.googleapis.com/auth/service.management.readonly", + "https://www.googleapis.com/auth/servicecontrol", + "https://www.googleapis.com/auth/trace.append"] + } + tags = [ + format("x-chkp-management--%s", var.management_name), + format("x-chkp-template--%s", var.configuration_template_name), + "checkpoint-gateway", + local.mgmt_nic_ip_address_condition, + local.mgmt_nic_interface_condition, + local.network_defined_by_routes_condition, + local.network_defined_by_routes_settings_condition] + + metadata_startup_script = templatefile("${path.module}/../common/startup-script.sh", { + // script's arguments + generatePassword = "false" + config_url = "" + config_path = "" + sicKey = "" + allowUploadDownload = var.allow_upload_download + templateName = "autoscale_tf" + templateVersion = "20230109" + templateType = "terraform" + mgmtNIC = var.management_nic + hasInternet = "false" + enableMonitoring = var.enable_monitoring + shell = var.admin_shell + installationType = "AutoScale" + computed_sic_key = random_string.random_sic_key.result + managementGUIClientNetwork = "" + primary_cluster_address_name = "" + secondary_cluster_address_name = "" + managementNetwork = "" + numAdditionalNICs = "" + smart_1_cloud_token = "" + name = "" + zoneConfig = "" + region = "" + }) + + metadata = local.admin_SSH_key_condition ? 
{ + serial-port-enable = "true" + instanceSSHKey = var.admin_SSH_key + } : { + serial-port-enable = "true" + } +} + +resource "google_compute_firewall" "ICMP_firewall_rules" { + count = local.ICMP_traffic_condition + name = "${var.prefix}-icmp-${random_string.random_string.result}" + network = data.google_compute_network.external_network.self_link + allow { + protocol = "icmp" + } + source_ranges = var.ICMP_traffic + target_tags = [ + "checkpoint-gateway"] +} +resource "google_compute_firewall" "TCP_firewall_rules" { + count = local.TCP_traffic_condition + name = "${var.prefix}-tcp-${random_string.random_string.result}" + network = data.google_compute_network.external_network.self_link + allow { + protocol = "tcp" + } + source_ranges = var.TCP_traffic + target_tags = [ + "checkpoint-gateway"] +} +resource "google_compute_firewall" "UDP_firewall_rules" { + count = local.UDP_traffic_condition + name = "${var.prefix}-udp-${random_string.random_string.result}" + network = data.google_compute_network.external_network.self_link + allow { + protocol = "udp" + } + source_ranges = var.UDP_traffic + target_tags = [ + "checkpoint-gateway"] +} +resource "google_compute_firewall" "SCTP_firewall_rules" { + count = local.SCTP_traffic_condition + name = "${var.prefix}-sctp-${random_string.random_string.result}" + network = data.google_compute_network.external_network.self_link + allow { + protocol = "sctp" + } + source_ranges = var.SCTP_traffic + target_tags = [ + "checkpoint-gateway"] +} +resource "google_compute_firewall" "ESP_firewall_rules" { + count = local.ESP_traffic_condition + name = "${var.prefix}-esp-${random_string.random_string.result}" + network = data.google_compute_network.external_network.self_link + allow { + protocol = "esp" + } + source_ranges = var.ESP_traffic + target_tags = [ + "checkpoint-gateway"] +} +resource "google_compute_region_instance_group_manager" "instance_group_manager" { + region = var.region + name = 
"${var.prefix}-igm-${random_string.random_string.result}" + version { + instance_template = google_compute_instance_template.instance_template.id + name = "${var.prefix}-tmplt" + } + base_instance_name = "${var.prefix}-${random_string.random_string.result}" +} +resource "google_compute_region_autoscaler" "autoscaler" { + region = var.region + name = "${var.prefix}-autoscaler-${random_string.random_string.result}" + target = google_compute_region_instance_group_manager.instance_group_manager.id + + autoscaling_policy { + max_replicas = var.instances_max_grop_size + min_replicas = var.instances_min_grop_size + cooldown_period = 90 + + cpu_utilization { + target = var.cpu_usage/100 + } + } +} diff --git a/deprecated/terraform/gcp/R8040-R81/autoscale-into-existing-vpc/output.tf b/deprecated/terraform/gcp/R8040-R81/autoscale-into-existing-vpc/output.tf new file mode 100644 index 00000000..62b1f028 --- /dev/null +++ b/deprecated/terraform/gcp/R8040-R81/autoscale-into-existing-vpc/output.tf 
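Review bot: The instance template attaches the project's default compute service account (`email = "default"`) with a broad scope list that includes `pubsub`, `servicecontrol` and `service.management.readonly`, and neither the account nor the scopes are configurable; a dedicated `google_service_account` (or a `service_account_email` variable) carrying only the logging/monitoring scopes the gateway needs would keep the autoscaled instances at least privilege — what the default account's project role actually grants is set outside this module and cannot be confirmed from here. `serial-port-enable = "true"` is hard-coded in both branches of the `metadata` ternary, so every gateway exposes the interactive serial console; a `serial_port_enable` bool variable defaulting to the current value, or at least a comment `// serial console is always enabled for troubleshooting; disable for hardened deployments`, would make that visible to operators. The five `google_compute_firewall` rules allow the whole protocol (no `ports`) from `source_ranges`, and the README sample in this commit sets `TCP_traffic = ["0.0.0.0/0"]`; a comment on the TCP rule such as `// opens every TCP port from source_ranges; the gateway's own security policy is the enforcement point` would make that design choice explicit rather than implicit.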
@@ -0,0 +1,33 @@
+output "SIC_key" {
+ value = random_string.random_sic_key.result
+}
+output "management_name" {
+ value = var.management_name
+}
+output "configuration_template_name" {
+ value = var.configuration_template_name
+}
+output "instance_template_name" {
+ value = google_compute_instance_template.instance_template.name
+}
+output "instance_group_manager_name" {
+ value = google_compute_region_instance_group_manager.instance_group_manager.name
+}
+output "autoscaler_name" {
+ value = google_compute_region_autoscaler.autoscaler.name
+}
+output "ICMP_firewall_rules_name" {
+ value = google_compute_firewall.ICMP_firewall_rules[*].name
+}
+output "TCP_firewall_rules_name" {
+ value = google_compute_firewall.TCP_firewall_rules[*].name
+}
+output "UDP_firewall_rules_name" {
+ value = google_compute_firewall.UDP_firewall_rules[*].name
+}
+output "SCTP_firewall_rules_name" {
+ value = google_compute_firewall.SCTP_firewall_rules[*].name
+}
+output "ESP_firewall_rules_name" {
+ value = google_compute_firewall.ESP_firewall_rules[*].name
+}
\ No newline at end of file
diff --git a/deprecated/terraform/gcp/R8040-R81/autoscale-into-existing-vpc/terraform.tfvars b/deprecated/terraform/gcp/R8040-R81/autoscale-into-existing-vpc/terraform.tfvars
new file mode 100644
index 00000000..dfb828db
--- /dev/null
+++ b/deprecated/terraform/gcp/R8040-R81/autoscale-into-existing-vpc/terraform.tfvars
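Review bot: `output "SIC_key"` exposes the generated one-time SIC key without `sensitive = true`, so Terraform prints it to the terminal on every `apply` and it ends up in any CI log that captures the output. Adding `sensitive = true` to that block suppresses it from the console while leaving it in state (where it lives regardless), and callers can still retrieve it with `terraform output -raw SIC_key`. The same value is passed as `computed_sic_key` into the instance template metadata in main.tf, so it is also readable by anyone who can read the instance metadata; that is outside this hunk but worth a note next to the output.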
@@ -0,0 +1,36 @@
+# --- Google Provider ---
+service_account_path = "PLEASE ENTER SERVICE ACCOUNT PATH" # "service-accounts/service-account-file-name.json"
+project = "PLEASE ENTER PROJECT ID" # "project-id"
+
+# --- Check Point---
+prefix = "PLEASE ENTER PREFIX" # "chkp-tf-mig"
+license = "PLEASE ENTER LICENSE" # "BYOL"
+image_name = "PLEASE ENTER IMAGE NAME" # "check-point-r8110-gw-byol-mig-335-985-v20220126"
+management_nic = "PLEASE ENTER MANAGEMENT INTERFACE" # "Ephemeral Public IP (eth0)"
+management_name = "PLEASE ENTER MANAGEMENT NAME" # "tf-checkpoint-management"
+configuration_template_name = "PLEASE ENTER CONFIGURATION TEMPLATE NAME" # "tf-asg-autoprov-tmplt"
+admin_SSH_key = "PLEASE ENTER ADMIN SSH KEY" # "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key"
+network_defined_by_routes = "PLEASE ENTER true OR false" # true
+admin_shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh"
+allow_upload_download = "PLEASE ENTER true OR false" # true
+
+# --- Networking ---
+region = "PLEASE ENTER REGION" # "us-central1"
+external_network_name = "PLEASE ENTER EXTERNAL NETWORK NAME" # "default"
+external_subnetwork_name = "PLEASE ENTER EXTERNAL SUBNETWORK NAME" # "default"
+internal_network_name = "PLEASE ENTER INTERNAL NETWORK NAME" # "tf-vpc-network"
+internal_subnetwork_name = "PLEASE ENTER INTERNAL SUBNETWORK NAME" # "tf-vpc-subnetwork"
+ICMP_traffic = "PLEASE ENTER ICMP SOURCE IP RANGES" # ["123.123.0.0/24", "234.234.0.0/24"]
+TCP_traffic = "PLEASE ENTER TCP SOURCE IP RANGES" # ["0.0.0.0/0"]
+UDP_traffic = "PLEASE ENTER UDP SOURCE IP RANGES" # []
+SCTP_traffic = "PLEASE ENTER SCTP SOURCE IP RANGES" # []
+ESP_traffic = "PLEASE ENTER ESP SOURCE IP RANGES" # []
+
+# --- Instance Configuration ---
+machine_type = "PLEASE ENTER MACHINE TYPE" # "n1-standard-4"
+cpu_usage = "PLEASE ENTER CPU USAGE" # 60
+instances_min_grop_size = "PLEASE ENTER INSTANCES MIN GROP SIZE" # 2
+instances_max_grop_size = "PLEASE ENTER INSTANCES MAX GROP SIZE" # 10
+disk_type = "PLEASE ENTER DISK TYPE" # "SSD Persistent Disk"
+disk_size = "PLEASE ENTER DISK SIZE" # 100
+enable_monitoring = "PLEASE ENTER true OR false" # false
\ No newline at end of file
diff --git a/deprecated/terraform/gcp/R8040-R81/autoscale-into-existing-vpc/variables.tf b/deprecated/terraform/gcp/R8040-R81/autoscale-into-existing-vpc/variables.tf
new file mode 100644
index 00000000..8acd8fda
--- /dev/null
+++ b/deprecated/terraform/gcp/R8040-R81/autoscale-into-existing-vpc/variables.tf
@@ -0,0 +1,157 @@
+# Check Point CloudGuard IaaS Autoscaling - Terraform Template
+
+# --- Google Provider ---
+variable "service_account_path" {
+ type = string
+ description = "User service account path in JSON format - From the service account key page in the Cloud Console choose an existing account or create a new one. Next, download the JSON key file. Name it something you can remember, store it somewhere secure on your machine, and supply the path to the location is stored."
+ default = ""
+}
+variable "project" {
+ type = string
+ description = "Personal project id. The project indicates the default GCP project all of your resources will be created in."
+ default = ""
+}
+
+# --- Check Point---
+variable "prefix" {
+ type = string
+ description = "(Optional) Resources name prefix"
+ default = "chkp-tf-mig"
+}
+variable "license" {
+ type = string
+ description = "Checkpoint license (BYOL or PAYG)."
+ default = "BYOL"
+}
+variable "image_name" {
+ type = string
+ description = "The autoscaling (MIG) image name (e.g. check-point-r8110-gw-byol-mig-335-985-v20220126). You can choose the desired mig image value from: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/autoscale-byol/images.py"
+}
+variable "management_nic" {
+ type = string
+ description = "Management Interface - Autoscaling Security Gateways in GCP can be managed by an ephemeral public IP or using the private IP of the internal interface (eth1)."
+ default = "Ephemeral Public IP (eth0)"
+}
+variable "management_name" {
+ type = string
+ description = "The name of the Security Management Server as appears in autoprovisioning configuration. (Please enter a valid Security Management name including ascii characters only)"
+ default = "tf-checkpoint-management"
+}
+variable "configuration_template_name" {
+ type = string
+ description = "Specify the provisioning configuration template name (for autoprovisioning). (Please enter a valid autoprovisioing configuration template name including ascii characters only)"
+ default = "tf-asg-autoprov-tmplt"
+}
+variable "admin_SSH_key" {
+ type = string
+ description = "(Optional) The SSH public key for SSH authentication to the MIG instances. Leave this field blank to use all project-wide pre-configured SSH keys."
+ default = ""
+}
+variable "network_defined_by_routes" {
+ type = bool
+ description = "Set eth1 topology to define the networks behind this interface by the routes configured on the gateway."
+ default = true
+}
+variable "admin_shell" {
+ type = string
+ description = "Change the admin shell to enable advanced command line configuration."
+ default = "/etc/cli.sh"
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point"
+ default = true
+}
+
+# --- Networking ---
+data "google_compute_regions" "available_regions" {
+}
+variable "region" {
+ type = string
+ default = "us-central1"
+}
+variable "external_network_name" {
+ type = string
+ description = "The network determines what network traffic the instance can access"
+}
+variable "external_subnetwork_name" {
+ type = string
+ description = "Assigns the instance an IPv4 address from the subnetwork’s range. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network."
+}
+variable "internal_network_name" {
+ type = string
+ description = "The network determines what network traffic the instance can access"
+}
+variable "internal_subnetwork_name" {
+ type = string
+ description = "Assigns the instance an IPv4 address from the subnetwork’s range. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network."
+}
+variable "ICMP_traffic" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for ICMP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable ICMP traffic."
+ default = []
+}
+variable "TCP_traffic" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for TCP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable TCP traffic."
+ default = []
+}
+variable "UDP_traffic" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for UDP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable UDP traffic."
+ default = []
+}
+variable "SCTP_traffic" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for SCTP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable SCTP traffic."
+ default = []
+}
+variable "ESP_traffic" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for ESP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable ESP traffic."
+ default = []
+}
+
+# --- Instance Configuration ---
+variable "machine_type" {
+ type = string
+ default = "n1-standard-4"
+}
+variable "cpu_usage" {
+ type = number
+ description = "Target CPU usage (%) - Autoscaling adds or removes instances in the group to maintain this level of CPU usage on each instance."
+ default = 60
+}
+resource "null_resource" "cpu_usage_validation" {
+ // Will fail if var.cpu_usage is less than 10 or more than 90
+ count = var.cpu_usage >= 10 && var.cpu_usage <= 90 ? 0 : "variable cpu_usage must be a number between 10 and 90"
+}
+variable "instances_min_grop_size" {
+ type = number
+ description = "The minimal number of instances"
+ default = 2
+}
+variable "instances_max_grop_size" {
+ type = number
+ description = "The maximal number of instances"
+ default = 10
+}
+variable "disk_type" {
+ type = string
+ description = "Storage space is much less expensive for a standard Persistent Disk. An SSD Persistent Disk is better for random IOPS or streaming throughput with low latency."
+ default = "SSD Persistent Disk"
+}
+variable "disk_size" {
+ type = number
+ description = "Disk size in GB - Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space."
+ default = 100
+}
+resource "null_resource" "disk_size_validation" {
+ // Will fail if var.disk_size is less than 100 or more than 4096
+ count = var.disk_size >= 100 && var.disk_size <= 4096 ? 0 : "variable disk_size must be a number between 100 and 4096"
+}
+variable "enable_monitoring" {
+ type = bool
+ description = "Enable Stackdriver monitoring"
+ default = false
+}
\ No newline at end of file
diff --git a/deprecated/terraform/gcp/R8040-R81/autoscale-into-new-vpc/README.md b/deprecated/terraform/gcp/R8040-R81/autoscale-into-new-vpc/README.md
new file mode 100644
index 00000000..3439418c
--- /dev/null
+++ b/deprecated/terraform/gcp/R8040-R81/autoscale-into-new-vpc/README.md
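Review bot: The `null_resource "cpu_usage_validation"` and `"disk_size_validation"` blocks enforce their ranges by assigning a message string to `count`, which only surfaces as a type-conversion error on `count` rather than as the message itself, and pulls in the null provider purely for validation. If this module requires Terraform 0.13 or later, a `validation` block on the variable reports the intended message directly and the two `null_resource` blocks can be dropped; the rewrite for `cpu_usage` is below, `disk_size` gets the same shape with its 100–4096 bounds. `region` and `machine_type` are the only variables here without a `description`; `description = "GCP region"` and `description = "Machine Type."`, matching the README table, would complete the interface.
```hcl
variable "cpu_usage" {
  type        = number
  description = "Target CPU usage (%) - Autoscaling adds or removes instances in the group to maintain this level of CPU usage on each instance."
  default     = 60

  validation {
    condition     = var.cpu_usage >= 10 && var.cpu_usage <= 90
    error_message = "Variable cpu_usage must be a number between 10 and 90."
  }
}
# … unchanged: remaining variable declarations; the null_resource "cpu_usage_validation" block is removed …
```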
@@ -0,0 +1,241 @@
+# Check Point Autoscale (MIG) Terraform module for GCP
+
+Terraform module which deploys an Auto Scaling Group of Check Point Security Gateways into a new VPC on GCP.
+
+These types of Terraform resources are supported:
+* [Network](https://www.terraform.io/docs/providers/google/d/compute_network.html)
+* [Subnetwork](https://www.terraform.io/docs/providers/google/r/compute_subnetwork.html)
+* [Instance Template](https://www.terraform.io/docs/providers/google/r/compute_instance_template.html)
+* [Firewall](https://www.terraform.io/docs/providers/google/r/compute_firewall.html) - conditional creation
+* [Instance Group Manager](https://www.terraform.io/docs/providers/google/r/compute_region_instance_group_manager.html)
+* [Autoscaler](https://www.terraform.io/docs/providers/google/r/compute_region_autoscaler.html)
+
+
+For additional information,
+please see the [CloudGuard Network for GCP Autoscaling MIG Deployment Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_GCP_Autoscaling_MIG/Default.htm)
+
+This solution uses the following modules:
+- /gcp/autoscale-into-existing-vpc
+
+Terraform is controlled via a very easy to use command-line interface (CLI). Terraform is only a single command-line application: **terraform**.
+
+## Before you begin
+1. Create a project in the [Google Cloud Console](https://console.cloud.google.com/) and set up billing on that project.
+2. [Install Terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli) and read the Terraform getting started guide that follows. This guide will assume basic proficiency with Terraform - it is an introduction to the Google provider.
+
+## Configuring the Provider
+The **main.tf** file includes the following provider configuration block used to configure the credentials you use to authenticate with GCP, as well as a default project and location for your resources:
+```
+provider "google" {
+ credentials = file(var.service_account_path)
+ project = var.project
+ region = var.region
+}
+...
+```
+1. [Create a Service Account](https://cloud.google.com/docs/authentication/getting-started) (or use the existing one). Next, download the JSON key file. Name it something you can remember and store it somewhere secure on your machine.
+2. Select "Editor" Role or verify you have the following permissions:
+ ```
+ compute.autoscalers.create
+ compute.autoscalers.delete
+ compute.autoscalers.get
+ compute.disks.create
+ compute.disks.delete
+ compute.firewalls.create
+ compute.firewalls.delete
+ compute.firewalls.get
+ compute.images.get
+ compute.images.useReadOnly
+ compute.instanceGroupManagers.create
+ compute.instanceGroupManagers.delete
+ compute.instanceGroupManagers.get
+ compute.instanceGroupManagers.use
+ compute.instanceTemplates.create
+ compute.instanceTemplates.delete
+ compute.instanceTemplates.get
+ compute.instanceTemplates.useReadOnly
+ compute.instances.create
+ compute.instances.delete
+ compute.instances.setMetadata
+ compute.instances.setTags
+ compute.networks.create
+ compute.networks.delete
+ compute.networks.get
+ compute.networks.updatePolicy
+ compute.regions.list
+ compute.subnetworks.create
+ compute.subnetworks.delete
+ compute.subnetworks.get
+ compute.subnetworks.use
+ compute.subnetworks.useExternalIp
+ iam.serviceAccountKeys.get
+ iam.serviceAccountKeys.list
+ iam.serviceAccounts.actAs
+ iam.serviceAccounts.get
+ iam.serviceAccounts.list
+ ```
+3. ```credentials``` - Your service account key file is used to complete a two-legged OAuth 2.0 flow to obtain access tokens to authenticate with the GCP API as needed; Terraform will use it to reauthenticate automatically when tokens expire.
+The provider credentials can be provided either as static credentials or as [Environment Variables](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#credentials-1).
+ - Static credentials can be provided by adding the path to your service-account json file, project-id and region in /gcp/modules/autoscale-into-new-vpc/**terraform.tfvars** file as follows:
+ ```
+ service_account_path = "service-accounts/service-account-file-name.json"
+ project = "project-id"
+ region = "us-central1"
+ ```
+ - In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in the main.tf file, in the provider google resource, need to be deleted or commented:
+ ```
+ provider "google" {
+ // credentials = file(var.service_account_path)
+ // project = var.project
+
+ region = var.region
+ }
+ ```
+ b.In the terraform.tfvars file leave empty double quotes for credentials and project variables:
+ ```
+ service_account_path = ""
+ project = ""
+ ```
+ ## Usage
+- Fill all variables in the /gcp/autoscale-into-new-vpc/**terraform.tfvars** file with proper values (see below for variables descriptions).
+- From a command line initialize the Terraform configuration directory:
+ ```
+ terraform init
+ ```
+- Create an execution plan:
+ ```
+ terraform plan
+ ```
+- Create or modify the deployment:
+ ```
+ terraform apply
+ ```
+
+#### Variables are configured in autoscale-into-new-vpc/**terraform.tfvars** file as follows:
+```
+# --- Google Provider ---
+service_account_path = "service-accounts/service-account-file-name.json"
+project = "project-id"
+
+# --- Check Point---
+prefix = "chkp-tf-mig"
+license = "BYOL"
+image_name = "check-point-r8110-gw-byol-mig-335-985-v20220126"
+management_nic = "Ephemeral Public IP (eth0)"
+management_name = "tf-checkpoint-management"
+configuration_template_name = "tf-asg-autoprov-tmplt"
+admin_SSH_key = "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key"
+network_defined_by_routes = true
+admin_shell = "/etc/cli.sh"
+allow_upload_download = true
+
+# --- Networking ---
+region = "us-central1"
+external_subnetwork_ip_cidr_range = "10.0.1.0/24"
+internal_subnetwork_ip_cidr_range = "10.0.2.0/24"
+ICMP_traffic = ["123.123.0.0/24", "234.234.0.0/24"]
+TCP_traffic = ["0.0.0.0/0"]
+UDP_traffic = []
+SCTP_traffic = []
+ESP_traffic = []
+
+# --- Instance Configuration ---
+machine_type = "n1-standard-4"
+cpu_usage = 60
+instances_min_grop_size = 2
+instances_max_grop_size = 10
+disk_type = "SSD Persistent Disk"
+disk_size = 100
+enable_monitoring = false
+```
+
+- To tear down your resources:
+ ```
+ terraform destroy
+ ```
+
+## Conditional creation
+To create Firewall and allow traffic for ICMP, TCP, UDP, SCTP or/and ESP - enter list of Source IP ranges.
+```
+ICMP_traffic = ["123.123.0.0/24", "234.234.0.0/24"]
+TCP_traffic = ["0.0.0.0/0"]
+UDP_traffic = []
+SCTP_traffic = []
+ESP_traffic = []
+```
+Please leave empty list for a protocol if you want to disable traffic for it.
+
+## Inputs
+| Name | Description | Type | Allowed values | Default | Required |
+| ------------- | ------------- | ------------- | ------------- | ------------- | ------------- |
+| service_account_path | User service account path in JSON format - From the service account key page in the Cloud Console choose an existing account or create a new one. Next, download the JSON key file. Name it something you can remember, store it somewhere secure on your machine, and supply the path to the location is stored. (e.g. "service-accounts/service-account-name.json") | string | N/A | "" | yes |
+| project | Personal project id. The project indicates the default GCP project all of your resources will be created in. | string | N/A | "" | yes |
+| | | | | |
+| prefix | (Optional) Resources name prefix. | string | N/A | "chkp-tf-mig" | no |
+| license | Checkpoint license (BYOL or PAYG). | string | - BYOL
- PAYG
| "BYOL" | no |
+| image_name | The autoscaling (MIG) image name (e.g. check-point-r8110-gw-byol-mig-335-985-v20220126). You can choose the desired mig image value from [Github](https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/autoscale-byol/images.py). | string | N/A | N/A | yes |
+| management_nic | Management Interface - Autoscaling Security Gateways in GCP can be managed by an ephemeral public IP or using the private IP of the internal interface (eth1). | string | Ephemeral Public IP (eth0)
- Private IP (eth1) | "Ephemeral Public IP (eth0)" | no |
+| management_name | The name of the Security Management Server as appears in autoprovisioning configuration. (Please enter a valid Security Management name including lowercase letters, digits and hyphens only). | string | N/A | "checkpoint-management" | no |
+| configuration_template_name | Specify the provisioning configuration template name (for autoprovisioning). (Please enter a valid autoprovisioing configuration template name including lowercase letters, digits and hyphens only). | string | N/A | "gcp-asg-autoprov-tmplt" | no |
+| admin_SSH_key | Public SSH key for the user 'admin' - The SSH public key for SSH authentication to the MIG instances. Leave this field blank to use all project-wide pre-configured SSH keys. | string | A valid public ssh key | "" | no |
+| network_defined_by_routes | Set eth1 topology to define the networks behind this interface by the routes configured on the gateway. | bool | true/false | true | no |
+| admin_shell | Change the admin shell to enable advanced command line configuration. | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | "/etc/cli.sh" | no |
+| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no |
+| | | | | |
+| region | GCP region | string | N/A | N/A | yes |
+| external_subnetwork_ip_cidr_range | The range of internal addresses that are owned by this subnetwork, only IPv4 is supported (e.g. "10.0.0.0/8" or "192.168.0.0/16"). | string | N/A | N/A | yes |
+| internal_subnetwork_ip_cidr_range | The range of internal addresses that are owned by this subnetwork, only IPv4 is supported (e.g. "10.0.0.0/8" or "192.168.0.0/16"). | string | N/A | N/A | yes |
+| ICMP_traffic | (Optional) Source IP ranges for ICMP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable ICMP traffic. | list(string) | N/A | [] | no |
+| TCP_traffic | (Optional) Source IP ranges for TCP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable TCP traffic. | list(string) | N/A | [] | no |
+| UDP_traffic | (Optional) Source IP ranges for UDP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable UDP traffic. | list(string) | N/A | [] | no |
+| SCTP_traffic | (Optional) Source IP ranges for SCTP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable SCTP traffic. | list(string) | N/A | [] | no |
+| ESP_traffic | (Optional) Source IP ranges for ESP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable ESP traffic. | list(string) | N/A | [] | no |
+| | | | | |
+| machine_type | Machine Type. 
| string | N/A | "n1-standard-4" | no |
+| cpu_usage | Target CPU usage (%) - Autoscaling adds or removes instances in the group to maintain this level of CPU usage on each instance. | number | number between 10 and 90 | 60 | no |
+| instances_min_grop_size | The minimal number of instances | number | N/A | 2 | no |
+| instances_max_grop_size | The maximal number of instances | number | N/A | 10 | no |
+| disk_type | Storage space is much less expensive for a standard Persistent Disk. An SSD Persistent Disk is better for random IOPS or streaming throughput with low latency. | string | - SSD Persistent Disk
- Balanced Persistent Disk
- Standard Persistent Disk | "SSD Persistent Disk" | no |
+| disk_size | Disk size in GB - Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space. | number | number between 100 and 4096 | 100 | no |
+| enable_monitoring | Enable Stackdriver monitoring | bool | true/false | false | no |
+
+
+
+## Outputs
+| Name | Description |
+| ------------- | ------------- |
+| external_network_name | The external network name in which the gateways will reside. |
+| external_subnetwork_name | The external subnetwork name. |
+| internal_network_name | The internal network name in which application servers reside. |
+| internal_subnetwork_name | The internal subnetwork name. |
+| SIC_key | Secure Internal Communication (SIC) initiation key. |
+| management_name | Security Management server name. |
+| configuration_template_name | Provisioning configuration template name. |
+| instance_template_name | Instance template name. |
+| instance_group_manager_name | Instance group manager name. |
+| autoscaler_name | Autoscaler name. |
+| ICMP_firewall_rules_name | If enable - the ICMP firewall rules name, otherwise, an empty list. |
+| TCP_firewall_rules_name | If enable - the TCP firewall rules name, otherwise, an empty list. |
+| UDP_firewall_rules_name | If enable - the UDP firewall rules name, otherwise, an empty list. |
+| SCTP_firewall_rules_name | If enable - the SCTP firewall rules name, otherwise, an empty list. |
+| ESP_firewall_rules_name | If enable - the ESP firewall rules name, otherwise, an empty list. |
+
+## Revision History
+In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585)
+
+| Template Version | Description |
+| ---------------- | ------------- |
+| 20230109 | Updated startup script to use cloud-config. 
|
+| | | |
+| 20201208 | First release of Check Point CloudGuard IaaS Auto Scaling Group of Check Point Security Gateways Terraform solution into a new VPC on GCP. |
+| | | |
+| | Addition of "template_type" parameter to "cloud-version" files. |
+| | | |
+
+## Authors
+
+
+## License
+
+This project is licensed under the MIT License - see the [LICENSE](../../../LICENSE) file for details
diff --git a/deprecated/terraform/gcp/R8040-R81/autoscale-into-new-vpc/locals.tf b/deprecated/terraform/gcp/R8040-R81/autoscale-into-new-vpc/locals.tf
new file mode 100644
index 00000000..451bbd93
--- /dev/null
+++ b/deprecated/terraform/gcp/R8040-R81/autoscale-into-new-vpc/locals.tf
@@ -0,0 +1,48 @@
+locals {
+ license_allowed_values = [
+ "BYOL",
+ "PAYG"]
+ // will fail if [var.license] is invalid:
+ validate_license = index(local.license_allowed_values, upper(var.license))
+
+ regex_validate_image_name = "check-point-r8[0-1][1-4]0-gw-(byol|payg)-mig-[0-9]{3}-([0-9]{3,}|[a-z]+)-v[0-9]{8,}"
+ // will fail if the image name is not in the right syntax
+ validate_image_name = length(regexall(local.regex_validate_image_name, var.image_name)) > 0 ? 0 : index(split("-", var.image_name), "INVALID IMAGE NAME")
+
+ management_nic_allowed_values = [
+ "Ephemeral Public IP (eth0)",
+ "Private IP (eth1)"]
+ // will fail if [var.management_nic] is invalid:
+ validate_management_nic = index(local.management_nic_allowed_values, var.management_nic)
+
+ regex_valid_management_name = "^([ -~]+)$"
+ // Will fail if var.management_name is invalid
+ regex_management_name = regex(local.regex_valid_management_name, var.management_name) == var.management_name ? 0 : "Variable [management_name] must be a valid Security Management name including ascii characters only"
+
+ regex_valid_configuration_template_name = "^([ -~]+)$"
+ // Will fail if var.configuration_template_name is invalid
+ regex_configuration_template_name = regex(local.regex_valid_configuration_template_name, var.configuration_template_name) == var.configuration_template_name ? 0 : "Variable [configuration_template_name] must be a valid autoprovisioing configuration template name including ascii characters only"
+
+ regex_valid_admin_SSH_key = "^(^$|ssh-rsa AAAA[0-9A-Za-z+/]+[=]{0,3})"
+ // Will fail if var.admin_SSH_key is invalid
+ regex_admin_SSH_key = regex(local.regex_valid_admin_SSH_key, var.admin_SSH_key) == var.admin_SSH_key ? 0 : "Please enter a valid SSH public key or leave empty"
+
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"]
+ // Will fail if var.admin_shell is invalid
+ validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell)
+
+ regions_allowed_values = data.google_compute_regions.available_regions.names
+ // Will fail if var.region is invalid
+ validate_region = index(local.regions_allowed_values, var.region)
+
+ disk_type_allowed_values = [
+ "SSD Persistent Disk",
+ "Balanced Persistent Disk",
+ "Standard Persistent Disk"]
+ // Will fail if var.disk_type is invalid
+ validate_disk_type = index(local.disk_type_allowed_values, var.disk_type)
+}
\ No newline at end of file
diff --git a/deprecated/terraform/gcp/R8040-R81/autoscale-into-new-vpc/main.tf b/deprecated/terraform/gcp/R8040-R81/autoscale-into-new-vpc/main.tf
new file mode 100644
index 00000000..16ec2197
--- /dev/null
+++ b/deprecated/terraform/gcp/R8040-R81/autoscale-into-new-vpc/main.tf
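Review bot: The three `regex(...) == var.x ? 0 : "..."` checks in this hunk (`regex_management_name`, `regex_configuration_template_name`, `regex_admin_SSH_key`) do not appear to enforce anything: each pattern contains a capture group, and `regex()` then returns the list of captures rather than the matched string, so the comparison with the string variable should never be true, and the conditional merely stores the message in a local that nothing references instead of failing the plan (depending on the Terraform version, the mixed number/string branches are either rejected outright or silently converted). The `validate_image_name` line above already shows the form that does fail, `length(regexall(pattern, value)) > 0 ? 0 : index(split("-", value), "INVALID …")`; the three checks should use it, or become `validation` blocks on the variables. `regex_valid_admin_SSH_key` is also unanchored at the end, so any trailing text passes, and it admits only `ssh-rsa` keys; if ed25519 keys are meant to work the pattern needs extending, and I would write it as `"^(ssh-rsa AAAA[0-9A-Za-z+/]+={0,3}( .*)?)?$"` (constructed; allows the usual trailing comment). The example key in terraform.tfvars (`ssh-rsa xxxx… imported-openssh-key`) would not pass this pattern once it is enforced.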
@@ -0,0 +1,73 @@
+provider "google" {
+ credentials = file(var.service_account_path)
+ project = var.project
+ region = var.region
+}
+
+resource "random_string" "mig_random_string" {
+ length = 5
+ special = false
+ upper = false
+ keepers = {}
+}
+resource "google_compute_network" "external_network" {
+ name = "${var.prefix}-ext-network-${random_string.mig_random_string.result}"
+ auto_create_subnetworks = false
+}
+resource "google_compute_subnetwork" "external_subnetwork" {
+ name = "${var.prefix}-ext-subnet-${random_string.mig_random_string.result}"
+ ip_cidr_range = var.external_subnetwork_ip_cidr_range
+ region = var.region
+ network = google_compute_network.external_network.id
+}
+
+resource "google_compute_network" "internal_network" {
+ name = "${var.prefix}-int-network-${random_string.mig_random_string.result}"
+ auto_create_subnetworks = false
+}
+resource "google_compute_subnetwork" "internal_subnetwork" {
+ name = "${var.prefix}-int-subnet-${random_string.mig_random_string.result}"
+ ip_cidr_range = var.internal_subnetwork_ip_cidr_range
+ region = var.region
+ network = google_compute_network.internal_network.id
+}
+
+
+module "autoscale-into-existing-vpc" {
+ source = "../autoscale-into-existing-vpc"
+
+ service_account_path = var.service_account_path
+ project = var.project
+
+ # --- Check Point---
+ prefix = var.prefix
+ image_name = var.image_name
+ management_nic = var.management_nic
+ management_name = var.management_name
+ configuration_template_name = var.configuration_template_name
+ admin_SSH_key = var.admin_SSH_key
+ network_defined_by_routes = var.network_defined_by_routes
+ admin_shell = var.admin_shell
+ allow_upload_download = var.allow_upload_download
+
+ # --- Networking ---
+ region = var.region
+ external_network_name = google_compute_network.external_network.name
+ external_subnetwork_name = google_compute_subnetwork.external_subnetwork.name
+ internal_network_name = google_compute_network.internal_network.name
+ internal_subnetwork_name = google_compute_subnetwork.internal_subnetwork.name
+ ICMP_traffic = var.ICMP_traffic
+ TCP_traffic = var.TCP_traffic
+ UDP_traffic = var.UDP_traffic
+ SCTP_traffic = var.SCTP_traffic
+ ESP_traffic = var.ESP_traffic
+
+ # --- Instance Configuration ---
+ machine_type = var.machine_type
+ cpu_usage = var.cpu_usage
+ instances_min_grop_size = var.instances_min_grop_size
+ instances_max_grop_size = var.instances_max_grop_size
+ disk_type = var.disk_type
+ disk_size = var.disk_size
+ enable_monitoring = var.enable_monitoring
+}
\ No newline at end of file
diff --git a/deprecated/terraform/gcp/R8040-R81/autoscale-into-new-vpc/output.tf b/deprecated/terraform/gcp/R8040-R81/autoscale-into-new-vpc/output.tf
new file mode 100644
index 00000000..ef020e27
--- /dev/null
+++ b/deprecated/terraform/gcp/R8040-R81/autoscale-into-new-vpc/output.tf
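Review bot: `var.license` is declared in this directory's variables.tf (and validated in locals.tf) but is never passed to `module "autoscale-into-existing-vpc"`, so the child module falls back to its own `default = "BYOL"` whatever the operator sets; add `license = var.license` under the `# --- Check Point---` group in the module block. `credentials = file(var.service_account_path)` fails when the variable is left at its empty default, which is why the README tells operators to edit main.tf to use environment-variable credentials; `credentials = var.service_account_path != "" ? file(var.service_account_path) : null` lets the provider fall back to application-default or environment credentials without keeping a key file on disk and without hand-editing the provider block. Whether `null` is accepted for this attribute depends on the google provider version pinned by the module, which I cannot see here.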
@@ -0,0 +1,46 @@
+output "external_network_name" {
+ value = google_compute_network.external_network.name
+}
+output "external_subnetwork_name" {
+ value = google_compute_subnetwork.external_subnetwork.name
+}
+output "internal_network_name" {
+ value = google_compute_network.internal_network.name
+}
+output "internal_subnetwork_name" {
+ value = google_compute_subnetwork.internal_subnetwork.name
+}
+
+output "SIC_key" {
+ value = module.autoscale-into-existing-vpc.SIC_key
+}
+output "management_name" {
+ value = var.management_name
+}
+output "configuration_template_name" {
+ value = var.configuration_template_name
+}
+output "instance_template_name" {
+ value = module.autoscale-into-existing-vpc.instance_template_name
+}
+output "instance_group_manager_name" {
+ value = module.autoscale-into-existing-vpc.instance_group_manager_name
+}
+output "autoscaler_name" {
+ value = module.autoscale-into-existing-vpc.autoscaler_name
+}
+output "ICMP_firewall_rules_name" {
+ value = module.autoscale-into-existing-vpc.ICMP_firewall_rules_name
+}
+output "TCP_firewall_rules_name" {
+ value = module.autoscale-into-existing-vpc.TCP_firewall_rules_name
+}
+output "UDP_firewall_rules_name" {
+ value = module.autoscale-into-existing-vpc.UDP_firewall_rules_name
+}
+output "SCTP_firewall_rules_name" {
+ value = module.autoscale-into-existing-vpc.SCTP_firewall_rules_name
+}
+output "ESP_firewall_rules_name" {
+ value = module.autoscale-into-existing-vpc.ESP_firewall_rules_name
+}
diff --git a/deprecated/terraform/gcp/R8040-R81/autoscale-into-new-vpc/terraform.tfvars b/deprecated/terraform/gcp/R8040-R81/autoscale-into-new-vpc/terraform.tfvars
new file mode 100644
index 00000000..48fe765a
--- /dev/null
+++ b/deprecated/terraform/gcp/R8040-R81/autoscale-into-new-vpc/terraform.tfvars
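Review bot: `output "SIC_key"` re-exports the Secure Internal Communication initiation key as a plain root output, so it is printed by every `terraform apply`/`terraform output` run and lands in CI logs; it should be marked `sensitive = true`, i.e. `output "SIC_key" {` / `  value     = module.autoscale-into-existing-vpc.SIC_key` / `  sensitive = true`. If the child module already marks its `SIC_key` output sensitive, Terraform 0.14 and later refuses to plan without this flag anyway. The value is still written to the state file either way, so the state backend needs the same protection as the key.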
@@ -0,0 +1,34 @@
+# --- Google Provider ---
+service_account_path = "PLEASE ENTER SERVICE ACCOUNT PATH" # "service-accounts/service-account-file-name.json"
+project = "PLEASE ENTER PROJECT ID" # "project-id"
+
+# --- Check Point---
+prefix = "PLEASE ENTER PREFIX" # "chkp-tf-mig"
+license = "PLEASE ENTER LICENSE" # "BYOL"
+image_name = "PLEASE ENTER IMAGE NAME" # "check-point-r8110-gw-byol-mig-335-985-v20220126"
+management_nic = "PLEASE ENTER MANAGEMENT INTERFACE" # "Ephemeral Public IP (eth0)"
+management_name = "PLEASE ENTER MANAGEMENT NAME" # "tf-checkpoint-management"
+configuration_template_name = "PLEASE ENTER CONFIGURATION TEMPLATE NAME" # "tf-asg-autoprov-tmplt"
+admin_SSH_key = "PLEASE ENTER ADMIN SSH KEY" # "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key"
+network_defined_by_routes = "PLEASE ENTER true OR false" # true
+admin_shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh"
+allow_upload_download = "PLEASE ENTER true OR false" # true
+
+# --- Networking ---
+region = "PLEASE ENTER REGION" # "us-central1"
+external_subnetwork_ip_cidr_range = "PLEASE ENTER EXTERNAL SUBNETWORK CIDR" # "10.0.1.0/24"
+internal_subnetwork_ip_cidr_range = "PLEASE ENTER INTERNAL SUBNETWORK CIDR" # "10.0.2.0/24"
+ICMP_traffic = "PLEASE ENTER ICMP SOURCE IP RANGES" # ["123.123.0.0/24", "234.234.0.0/24"]
+TCP_traffic = "PLEASE ENTER TCP SOURCE IP RANGES" # ["0.0.0.0/0"]
+UDP_traffic = "PLEASE ENTER UDP SOURCE IP RANGES" # []
+SCTP_traffic = "PLEASE ENTER SCTP SOURCE IP RANGES" # []
+ESP_traffic = "PLEASE ENTER ESP SOURCE IP RANGES" # []
+
+# --- Instance Configuration ---
+machine_type = "PLEASE ENTER MACHINE TYPE" # "n1-standard-4"
+cpu_usage = "PLEASE ENTER CPU USAGE" # 60
+instances_min_grop_size = "PLEASE ENTER INSTANCES MIN GROP SIZE" # 2
+instances_max_grop_size = "PLEASE ENTER INSTANCES MAX GROP SIZE" # 10
+disk_type = "PLEASE ENTER DISK TYPE" # "SSD Persistent Disk"
+disk_size = "PLEASE ENTER DISK SIZE" # 100
+enable_monitoring = "PLEASE ENTER true OR false" # false
\ No newline at end of file
diff --git a/deprecated/terraform/gcp/R8040-R81/autoscale-into-new-vpc/variables.tf b/deprecated/terraform/gcp/R8040-R81/autoscale-into-new-vpc/variables.tf
new file mode 100644
index 00000000..f19a77d2
--- /dev/null
+++ b/deprecated/terraform/gcp/R8040-R81/autoscale-into-new-vpc/variables.tf
@@ -0,0 +1,150 @@ +# Check Point CloudGuard IaaS Autoscaling - Terraform Template + +# --- Google Provider --- +variable "service_account_path" { + type = string + description = "User service account path in JSON format - From the service account key page in the Cloud Console choose an existing account or create a new one. Next, download the JSON key file. Name it something you can remember, store it somewhere secure on your machine, and supply the path to the location is stored." + default = "" +} +variable "project" { + type = string + description = "Personal project id. The project indicates the default GCP project all of your resources will be created in." + default = "" +} + +# --- Check Point--- +variable "prefix" { + type = string + description = "(Optional) Resources name prefix" + default = "chkp-tf-mig" +} +variable "license" { + type = string + description = "Checkpoint license (BYOL or PAYG)." + default = "BYOL" +} +variable "image_name" { + type = string + description = "The autoscaling (MIG) image name (e.g. check-point-r8110-gw-byol-mig-335-985-v20220126). You can choose the desired mig image value from: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/autoscale-byol/images.py" +} +variable "management_nic" { + type = string + description = "Management Interface - Autoscaling Security Gateways in GCP can be managed by an ephemeral public IP or using the private IP of the internal interface (eth1)." + default = "Ephemeral Public IP (eth0)" +} +variable "management_name" { + type = string + description = "The name of the Security Management Server as appears in autoprovisioning configuration. (Please enter a valid Security Management name including ascii characters only)" + default = "tf-checkpoint-management" +} +variable "configuration_template_name" { + type = string + description = "Specify the provisioning configuration template name (for autoprovisioning). 
(Please enter a valid autoprovisioing configuration template name including ascii characters only)" + default = "tf-asg-autoprov-tmplt" +} +variable "admin_SSH_key" { + type = string + description = "(Optional) The SSH public key for SSH authentication to the MIG instances. Leave this field blank to use all project-wide pre-configured SSH keys." + default = "" +} +variable "network_defined_by_routes" { + type = bool + description = "Set eth1 topology to define the networks behind this interface by the routes configured on the gateway." + default = true +} +variable "admin_shell" { + type = string + description = "Change the admin shell to enable advanced command line configuration." + default = "/etc/cli.sh" +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + default = true +} + +# --- Networking --- +data "google_compute_regions" "available_regions" { +} +variable "region" { + type = string + default = "us-central1" +} + +variable "external_subnetwork_ip_cidr_range" { + type = string + description = "The range of external addresses that are owned by this subnetwork, only IPv4 is supported (e.g. \"10.0.0.0/8\" or \"192.168.0.0/16\")." +} +variable "internal_subnetwork_ip_cidr_range" { + type = string + description = "The range of internal addresses that are owned by this subnetwork, only IPv4 is supported (e.g. \"10.0.0.0/8\" or \"192.168.0.0/16\")." +} +variable "ICMP_traffic" { + type = list(string) + description = "(Optional) Source IP ranges for ICMP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable ICMP traffic." + default = [] +} +variable "TCP_traffic" { + type = list(string) + description = "(Optional) Source IP ranges for TCP traffic - Traffic is only allowed from sources within these IP address ranges. 
Use CIDR notation when entering ranges. Please leave empty list to unable TCP traffic." + default = [] +} +variable "UDP_traffic" { + type = list(string) + description = "(Optional) Source IP ranges for UDP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable UDP traffic." + default = [] +} +variable "SCTP_traffic" { + type = list(string) + description = "(Optional) Source IP ranges for SCTP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable SCTP traffic." + default = [] +} +variable "ESP_traffic" { + type = list(string) + description = "(Optional) Source IP ranges for ESP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable ESP traffic." + default = [] +} + +# --- Instance Configuration --- +variable "machine_type" { + type = string + default = "n1-standard-4" +} +variable "cpu_usage" { + type = number + description = "Target CPU usage (%) - Autoscaling adds or removes instances in the group to maintain this level of CPU usage on each instance." + default = 60 +} +resource "null_resource" "cpu_usage_validation" { + // Will fail if var.cpu_usage is less than 10 or more than 90 + count = var.cpu_usage >= 10 && var.cpu_usage <= 90 ? 0 : "variable cpu_usage must be a number between 10 and 90" +} +variable "instances_min_grop_size" { + type = number + description = "The minimal number of instances" + default = 2 +} +variable "instances_max_grop_size" { + type = number + description = "The maximal number of instances" + default = 10 +} +variable "disk_type" { + type = string + description = "Storage space is much less expensive for a standard Persistent Disk. An SSD Persistent Disk is better for random IOPS or streaming throughput with low latency." 
+ default = "SSD Persistent Disk" +} +variable "disk_size" { + type = number + description = "Disk size in GB - Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space." + default = 100 +} +resource "null_resource" "disk_size_validation" { + // Will fail if var.disk_size is less than 100 or more than 4096 + count = var.disk_size >= 100 && var.disk_size <= 4096 ? 0 : "variable disk_size must be a number between 100 and 4096" +} +variable "enable_monitoring" { + type = bool + description = "Enable Stackdriver monitoring" + default = false +} \ No newline at end of file diff --git a/deprecated/terraform/gcp/R8040-R81/common/cluster-member/main.tf b/deprecated/terraform/gcp/R8040-R81/common/cluster-member/main.tf new file mode 100644 index 00000000..c740f8b3 --- /dev/null +++ b/deprecated/terraform/gcp/R8040-R81/common/cluster-member/main.tf 
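Review bot: `null_resource.cpu_usage_validation` and `null_resource.disk_size_validation` enforce their ranges by handing `count` a string, so an out-of-range value surfaces as a type-conversion error on an unrelated resource rather than as a message attached to the variable; the variable `validation` block expresses the same check directly and lets both `null_resource`s go (it needs Terraform 0.13 or newer — worth confirming against the `required_version` the root module pins, which is outside this hunk). Nothing checks that `instances_min_grop_size` is at most `instances_max_grop_size`, so a swapped pair is only rejected by the API at apply time; since a `validation` block cannot reference a second variable in the Terraform versions this file appears to target, that cross-variable check can keep the file's existing `null_resource` pattern. `data "google_compute_regions" "available_regions"` is declared here but nothing in this file reads it; if no other file in the module uses it, it is a stray API call on every plan.
```hcl
variable "cpu_usage" {
  type        = number
  description = "Target CPU usage (%) - Autoscaling adds or removes instances in the group to maintain this level of CPU usage on each instance."
  default     = 60
  validation {
    condition     = var.cpu_usage >= 10 && var.cpu_usage <= 90
    error_message = "variable cpu_usage must be a number between 10 and 90."
  }
}
# … unchanged: instances_min_grop_size, instances_max_grop_size, disk_type …
resource "null_resource" "group_size_validation" {
  // Fails at plan time if the minimum group size exceeds the maximum
  count = var.instances_min_grop_size <= var.instances_max_grop_size ? 0 : "variable instances_min_grop_size must not exceed instances_max_grop_size"
}
variable "disk_size" {
  type        = number
  description = "Disk size in GB - Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space."
  default     = 100
  validation {
    condition     = var.disk_size >= 100 && var.disk_size <= 4096
    error_message = "variable disk_size must be a number between 100 and 4096."
  }
}
```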
@@ -0,0 +1,130 @@
+locals {
+ disk_type_condition = var.disk_type == "SSD Persistent Disk" ? "pd-ssd" : var.disk_type == "Standard Persistent Disk" ? "pd-standard" : ""
+ admin_SSH_key_condition = var.admin_SSH_key != "" ? true : false
+}
+
+resource "google_compute_address" "member_ip_address" {
+ name = "${var.member_name}-address"
+ region = var.region
+}
+
+resource "google_compute_instance" "cluster_member" {
+ name = var.member_name
+ description = "CloudGuard Highly Available Security Cluster"
+ zone = var.zone
+ tags = [
+ "checkpoint-gateway"]
+ machine_type = var.machine_type
+ can_ip_forward = true
+
+ boot_disk {
+ auto_delete = true
+ device_name = "${var.prefix}-boot"
+
+ initialize_params {
+ size = var.disk_size
+ type = local.disk_type_condition
+ image = var.image_name
+ }
+ }
+
+ network_interface {
+ network = var.cluster_network[0]
+ subnetwork = var.cluster_network_subnetwork[0]
+ }
+ network_interface {
+ network = var.mgmt_network[0]
+ subnetwork = var.mgmt_network_subnetwork[0]
+ access_config {
+ nat_ip = google_compute_address.member_ip_address.address
+ }
+ }
+ dynamic "network_interface" {
+ for_each = var.num_internal_networks >= 1 ? [
+ 1] : []
+ content {
+ network = var.internal_network1_network[0]
+ subnetwork = var.internal_network1_subnetwork[0]
+ }
+ }
+ dynamic "network_interface" {
+ for_each = var.num_internal_networks >= 2 ? [
+ 1] : []
+ content {
+ network = var.internal_network2_network[0]
+ subnetwork = var.internal_network2_subnetwork[0]
+ }
+ }
+ dynamic "network_interface" {
+ for_each = var.num_internal_networks >= 3 ? [
+ 1] : []
+ content {
+ network = var.internal_network3_network[0]
+ subnetwork = var.internal_network3_subnetwork[0]
+ }
+ }
+ dynamic "network_interface" {
+ for_each = var.num_internal_networks >= 4 ? 
[
+ 1] : []
+ content {
+ network = var.internal_network4_network[0]
+ subnetwork = var.internal_network4_subnetwork[0]
+ }
+ }
+ dynamic "network_interface" {
+ for_each = var.num_internal_networks >= 5 ? [
+ 1] : []
+ content {
+ network = var.internal_network5_network[0]
+ subnetwork = var.internal_network5_subnetwork[0]
+ }
+ }
+ dynamic "network_interface" {
+ for_each = var.num_internal_networks == 6 ? [
+ 1] : []
+ content {
+ network = var.internal_network6_network[0]
+ subnetwork = var.internal_network6_subnetwork[0]
+ }
+ }
+
+ service_account {
+
+ scopes = [
+ "https://www.googleapis.com/auth/monitoring.write",
+ "https://www.googleapis.com/auth/compute",
+ "https://www.googleapis.com/auth/cloudruntimeconfig"]
+ }
+
+ metadata = local.admin_SSH_key_condition ? {
+ instanceSSHKey = var.admin_SSH_key
+ adminPasswordSourceMetadata = var.generate_password ? var.generated_admin_password : ""
+ } : { adminPasswordSourceMetadata = var.generate_password ? var.generated_admin_password : "" }
+
+ metadata_startup_script = templatefile("${path.module}/../startup-script.sh", {
+ // script's arguments
+ generatePassword = var.generate_password
+ config_url = "https://runtimeconfig.googleapis.com/v1beta1/projects/${var.project}/configs/${var.prefix}-config"
+ config_path = "projects/${var.project}/configs/${var.prefix}-config"
+ sicKey = var.sic_key
+ allowUploadDownload = var.allow_upload_download
+ templateName = "cluster_tf"
+ templateVersion = "20230109"
+ templateType = "terraform"
+ mgmtNIC = ""
+ hasInternet = "true"
+ enableMonitoring = var.enable_monitoring
+ shell = var.admin_shell
+ installationType = "Cluster"
+ computed_sic_key = ""
+ managementGUIClientNetwork = ""
+ primary_cluster_address_name = var.primary_cluster_address_name
+ secondary_cluster_address_name = var.secondary_cluster_address_name
+ managementNetwork = var.management_network
+ numAdditionalNICs = var.num_internal_networks
+ smart_1_cloud_token = "${var.member_name}" == 
"${var.prefix}-member-a" ? var.smart_1_cloud_token_a : var.smart_1_cloud_token_b
+ name = var.member_name
+ zoneConfig = var.zone
+ region = var.region
+ })
+}
\ No newline at end of file
diff --git a/deprecated/terraform/gcp/R8040-R81/common/cluster-member/output.tf b/deprecated/terraform/gcp/R8040-R81/common/cluster-member/output.tf
new file mode 100644
index 00000000..ab8ad2dc
--- /dev/null
+++ b/deprecated/terraform/gcp/R8040-R81/common/cluster-member/output.tf
@@ -0,0 +1,6 @@
+output "cluster_member_name" {
+ value = google_compute_instance.cluster_member.name
+}
+output "cluster_member_ip_address" {
+ value = google_compute_address.member_ip_address.address
+}
diff --git a/deprecated/terraform/gcp/R8040-R81/common/cluster-member/variables.tf b/deprecated/terraform/gcp/R8040-R81/common/cluster-member/variables.tf
new file mode 100644
index 00000000..51b0e1d9
--- /dev/null
+++ b/deprecated/terraform/gcp/R8040-R81/common/cluster-member/variables.tf
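Review bot: The `metadata` map stores `var.generated_admin_password` under `adminPasswordSourceMetadata`, and the rendered `metadata_startup_script` embeds `var.sic_key` and the selected Smart-1 Cloud token, so every secret this module handles lands in instance metadata — readable by any process on the VM through the metadata server, by any principal with `compute.instances.get`, and, like any attribute, persisted in Terraform state. If the gateway image genuinely needs them delivered this way nothing in this hunk changes, but the variables feeding these values (`sic_key`, `generated_admin_password`, `smart_1_cloud_token_a`/`_b`) should be declared `sensitive = true` so plan/apply output does not print them, and a comment such as `# NOTE: SIC key, admin password and Smart-1 token are delivered via instance metadata; treat metadata and state as secret` belongs above `metadata`. Separately, the `service_account` block sets scopes but no `email`, which the Google provider documents as "use the project's default Compute Engine service account", here with the full `auth/compute` scope; a dedicated service account carrying only the roles the gateway needs (monitoring write, runtime-config) is the least-privilege option — worth confirming what `/etc/cloud_config.py` actually calls, since that script is not in this patch.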
@@ -0,0 +1,174 @@ +variable "prefix" { + type = string + description = "(Optional) Resources name prefix" + default = "chkp-tf-ha" +} +variable "member_name" { + type = string +} +variable "region" { + type = string + default = "us-central1" +} +variable "zone" { + type = string + default = "us-central1-a" +} +variable "machine_type" { + type = string + description = "Machine types determine the specifications of your machines, such as the amount of memory, virtual cores, and persistent disk limits an instance will have." + default = "n1-standard-4" +} +variable "disk_size" { + type = number + description = "Disk size in GB - Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space." + default = 100 +} +variable "disk_type" { + type = string + description = "Storage space is much less expensive for a standard Persistent Disk. An SSD Persistent Disk is better for random IOPS or streaming throughput with low latency." + default = "SSD Persistent Disk" +} +variable "image_name" { + type = string + description = "The High Availability (cluster) image name (e.g. check-point-r8110-gw-byol-cluster-335-985-v20220126). You can choose the desired cluster image value from: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/ha-byol/images.py" +} +variable "cluster_network" { + type = list(string) + description = "Cluster external network ID in the chosen zone." +} +variable "cluster_network_subnetwork" { + type = list(string) + description = "Cluster subnet ID in the chosen network." +} +variable "mgmt_network" { + type = list(string) + description = "Management network ID in the chosen zone." +} +variable "mgmt_network_subnetwork" { + type = list(string) + description = "Management subnet ID in the chosen network." +} +variable "num_internal_networks" { + type = number + description = "A number in the range 1 - 6 of internal network interfaces." 
+ default = 1 +} +variable "internal_network1_network" { + type = list(string) + description = "1st internal network ID in the chosen zone." + default = [] +} +variable "internal_network1_subnetwork" { + type = list(string) + description = "1st internal subnet ID in the chosen network." + default = [] +} +variable "internal_network2_network" { + type = list(string) + description = "2nd internal network ID in the chosen zone." + default = [] +} +variable "internal_network2_subnetwork" { + type = list(string) + description = "2nd internal subnet ID in the chosen network." + default = [] +} +variable "internal_network3_network" { + type = list(string) + description = "3rd internal network ID in the chosen zone." + default = [] +} +variable "internal_network3_subnetwork" { + type = list(string) + description = "3rd internal subnet ID in the chosen network." + default = [] +} +variable "internal_network4_network" { + type = list(string) + description = "4th internal network ID in the chosen zone." + default = [] +} +variable "internal_network4_subnetwork" { + type = list(string) + description = "4th internal subnet ID in the chosen network." + default = [] +} +variable "internal_network5_network" { + type = list(string) + description = "5th internal network ID in the chosen zone." + default = [] +} +variable "internal_network5_subnetwork" { + type = list(string) + description = "5th internal subnet ID in the chosen network." + default = [] +} +variable "internal_network6_network" { + type = list(string) + description = "6th internal network ID in the chosen zone." + default = [] +} +variable "internal_network6_subnetwork" { + type = list(string) + description = "6th internal subnet ID in the chosen network." + default = [] +} +variable "admin_SSH_key" { + type = string + description = "(Optional) The SSH public key for SSH authentication to the MIG instances. Leave this field blank to use all project-wide pre-configured SSH keys." 
+ default = "" +} +variable "project" { + type = string + description = "Personal project id. The project indicates the default GCP project all of your resources will be created in." + default = "" +} +variable "generate_password" { + type = bool + description = "Automatically generate an administrator password." + default = false +} +variable "sic_key" { + type = string + description = "The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server. At least 8 alpha numeric characters. If SIC is not provided and needed, a key will be automatically generated" +} +variable "allow_upload_download" { + type = bool + description = "Allow download from/upload to Check Point." + default = false +} +variable "enable_monitoring" { + type = bool + description = "Enable Stackdriver monitoring" + default = false +} +variable "admin_shell" { + type = string + description = "Change the admin shell to enable advanced command line configuration." + default = "/etc/cli.sh" +} +variable "smart_1_cloud_token_a" { + type = string + description ="(Optional) Smart-1 cloud token for member A to connect this Gateway to Check Point's Security Management as a Service" + default = "" +} +variable "smart_1_cloud_token_b" { + type = string + description ="(Optional) Smart-1 cloud token for member B to connect this Gateway to Check Point's Security Management as a Service" + default = "" +} +variable "management_network" { + type = string + description = "Security Management Server address - The public address of the Security Management Server, in CIDR notation. If using Smart-1 Cloud management, insert 'S1C'. VPN peers addresses cannot be in this CIDR block, so this value cannot be the zero-address." 
+}
+variable "generated_admin_password" {
+ type = string
+ description = "administrator password"
+}
+variable "primary_cluster_address_name" {
+ type = string
+}
+variable "secondary_cluster_address_name" {
+ type = string
+}
\ No newline at end of file
diff --git a/deprecated/terraform/gcp/R8040-R81/common/firewall-rule/main.tf b/deprecated/terraform/gcp/R8040-R81/common/firewall-rule/main.tf
new file mode 100644
index 00000000..9f440b4a
--- /dev/null
+++ b/deprecated/terraform/gcp/R8040-R81/common/firewall-rule/main.tf
@@ -0,0 +1,10 @@
+resource "google_compute_firewall" "firewall_rules" {
+ name = var.rule_name
+ network = var.network[0]
+ allow {
+ protocol = var.protocol
+ }
+ source_ranges = var.source_ranges
+ target_tags = [
+ "checkpoint-gateway"]
+}
\ No newline at end of file
diff --git a/deprecated/terraform/gcp/R8040-R81/common/firewall-rule/output.tf b/deprecated/terraform/gcp/R8040-R81/common/firewall-rule/output.tf
new file mode 100644
index 00000000..e6088959
--- /dev/null
+++ b/deprecated/terraform/gcp/R8040-R81/common/firewall-rule/output.tf
@@ -0,0 +1,3 @@
+output "firewall_rule_name" {
+ value = google_compute_firewall.firewall_rules.name
+}
\ No newline at end of file
diff --git a/deprecated/terraform/gcp/R8040-R81/common/firewall-rule/variables.tf b/deprecated/terraform/gcp/R8040-R81/common/firewall-rule/variables.tf
new file mode 100644
index 00000000..39ac095b
--- /dev/null
+++ b/deprecated/terraform/gcp/R8040-R81/common/firewall-rule/variables.tf
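Review bot: `sic_key`, `generated_admin_password`, `smart_1_cloud_token_a` and `smart_1_cloud_token_b` carry secrets but none is marked `sensitive = true`, so their values print verbatim in `terraform plan`/`apply` output and in any CI log that captures it; adding `sensitive = true` to each is one line per variable and changes nothing for callers. The `sic_key` description promises "If SIC is not provided and needed, a key will be automatically generated", yet the variable has no default, so Terraform refuses to run without a value; either add `default = ""` (if the startup script really generates a key for an empty value — that logic is not in this patch) or drop the sentence. `admin_SSH_key` and `image_name` still talk about "MIG instances" although this module builds a cluster member, presumably copied from the autoscale variables; `description = "(Optional) The SSH public key for SSH authentication to the cluster members. ..."` would match.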
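Review bot: The `allow` block names only `var.protocol` with no `ports`, so a TCP or UDP rule admits every port from `source_ranges` to every NIC carrying the `checkpoint-gateway` tag, management interface included; if that breadth is intended because the gateway enforces its own policy, say so in a comment above `allow`, otherwise add an optional `ports` list to the block. When `source_ranges` is left at its default `[]` and the caller still instantiates this resource, GCP treats an ingress rule with no source filter as matching any source, which is the opposite of the "leave empty list to unable this protocol traffic" promise in the module's variables.tf — the caller that is presumably gating the module on a non-empty list is outside this hunk, so worth confirming, or guard here with `count = length(var.source_ranges) > 0 ? 1 : 0` and index the reference in output.tf accordingly.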
@@ -0,0 +1,17 @@
+variable "protocol" {
+ type = string
+ description = "The IP protocol to which this rule applies."
+}
+variable "source_ranges" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for the protocol traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. Please leave empty list to unable this protocol traffic."
+ default = []
+}
+variable "rule_name" {
+ type = string
+ description = "Firewall rule name."
+}
+variable "network" {
+ type = list(string)
+ description = "The name or self_link of the network to attach this firewall to."
+}
\ No newline at end of file
diff --git a/deprecated/terraform/gcp/R8040-R81/common/members-a-b/main.tf b/deprecated/terraform/gcp/R8040-R81/common/members-a-b/main.tf
new file mode 100644
index 00000000..d40ae6d1
--- /dev/null
+++ b/deprecated/terraform/gcp/R8040-R81/common/members-a-b/main.tf
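Review bot: The `source_ranges` description ends with "Please leave empty list to unable this protocol traffic", which reads as the opposite of what is meant; suggest `Leave the list empty to disable traffic for this protocol.` The same wording appears in the five `*_traffic` variables of the autoscale variables.tf earlier in this patch. "For gateway only" in the same description cannot be tied to anything in the module — if it means the rule is applied to instances carrying the `checkpoint-gateway` tag, say exactly that.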
@@ -0,0 +1,85 @@ +module "member_a" { + source = "../cluster-member" + + prefix = var.prefix + member_name = "${var.prefix}-member-a" + region = var.region + zone = var.zoneA + machine_type = var.machine_type + disk_size = var.disk_size + disk_type = var.disk_type + image_name = var.image_name + cluster_network = var.cluster_network + cluster_network_subnetwork = var.cluster_network_subnetwork + mgmt_network = var.mgmt_network + mgmt_network_subnetwork = var.mgmt_network_subnetwork + num_internal_networks = var.num_internal_networks + internal_network1_network = var.internal_network1_network + internal_network1_subnetwork = var.internal_network1_subnetwork + internal_network2_network = var.internal_network2_network + internal_network2_subnetwork = var.internal_network2_subnetwork + internal_network3_network = var.internal_network3_network + internal_network3_subnetwork = var.internal_network3_subnetwork + internal_network4_network = var.internal_network4_network + internal_network4_subnetwork = var.internal_network4_subnetwork + internal_network5_network = var.internal_network5_network + internal_network5_subnetwork = var.internal_network5_subnetwork + internal_network6_network = var.internal_network6_network + internal_network6_subnetwork = var.internal_network6_subnetwork + admin_SSH_key = var.admin_SSH_key + generated_admin_password = var.generated_admin_password + project = var.project + generate_password = var.generate_password + sic_key = var.sic_key + allow_upload_download = var.allow_upload_download + enable_monitoring = var.enable_monitoring + admin_shell = var.admin_shell + management_network = var.management_network + primary_cluster_address_name = var.primary_cluster_address_name + secondary_cluster_address_name = var.secondary_cluster_address_name + smart_1_cloud_token_a = var.smart_1_cloud_token_a + smart_1_cloud_token_b = var.smart_1_cloud_token_b +} + +module "member_b" { + source = "../cluster-member" + + prefix = var.prefix + member_name = 
"${var.prefix}-member-b" + region = var.region + zone = var.zoneB + machine_type = var.machine_type + disk_size = var.disk_size + disk_type = var.disk_type + image_name = var.image_name + cluster_network = var.cluster_network + cluster_network_subnetwork = var.cluster_network_subnetwork + mgmt_network = var.mgmt_network + mgmt_network_subnetwork = var.mgmt_network_subnetwork + num_internal_networks = var.num_internal_networks + internal_network1_network = var.internal_network1_network + internal_network1_subnetwork = var.internal_network1_subnetwork + internal_network2_network = var.internal_network2_network + internal_network2_subnetwork = var.internal_network2_subnetwork + internal_network3_network = var.internal_network3_network + internal_network3_subnetwork = var.internal_network3_subnetwork + internal_network4_network = var.internal_network4_network + internal_network4_subnetwork = var.internal_network4_subnetwork + internal_network5_network = var.internal_network5_network + internal_network5_subnetwork = var.internal_network5_subnetwork + internal_network6_network = var.internal_network6_network + internal_network6_subnetwork = var.internal_network6_subnetwork + admin_SSH_key = var.admin_SSH_key + generated_admin_password = var.generated_admin_password + project = var.project + generate_password = var.generate_password + sic_key = var.sic_key + allow_upload_download = var.allow_upload_download + enable_monitoring = var.enable_monitoring + admin_shell = var.admin_shell + management_network = var.management_network + primary_cluster_address_name = var.primary_cluster_address_name + secondary_cluster_address_name = var.secondary_cluster_address_name + smart_1_cloud_token_a = var.smart_1_cloud_token_a + smart_1_cloud_token_b = var.smart_1_cloud_token_b +} diff --git a/deprecated/terraform/gcp/R8040-R81/common/members-a-b/output.tf b/deprecated/terraform/gcp/R8040-R81/common/members-a-b/output.tf new file mode 100644 index 00000000..2398e6f3 --- /dev/null 
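Review bot: Each member receives both `smart_1_cloud_token_a` and `smart_1_cloud_token_b`, and the cluster-member module picks one by comparing `member_name` to `"${var.prefix}-member-a"` — a string coupling that silently hands member A the wrong token if the naming here ever changes. Passing a single token per call (`smart_1_cloud_token = var.smart_1_cloud_token_a` in `module "member_a"`, `_b` in `module "member_b"`) keeps the selection in the module that owns the names; that change also touches cluster-member's variables and template call, which are separate hunks. The two module blocks are otherwise identical apart from `member_name` and `zone`; a `for_each` over a `{ a = var.zoneA, b = var.zoneB }` map would remove the duplication, but it changes the output addresses, so it is a follow-up rather than part of this commit.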
+++ b/deprecated/terraform/gcp/R8040-R81/common/members-a-b/output.tf
@@ -0,0 +1,13 @@
+output "member_a_name" {
+ value = module.member_a.cluster_member_name
+}
+output "member_a_external_ip" {
+ value = module.member_a.cluster_member_ip_address
+}
+
+output "member_b_name" {
+ value = module.member_b.cluster_member_name
+}
+output "member_b_external_ip" {
+ value = module.member_b.cluster_member_ip_address
+}
\ No newline at end of file
diff --git a/deprecated/terraform/gcp/R8040-R81/common/members-a-b/variables.tf b/deprecated/terraform/gcp/R8040-R81/common/members-a-b/variables.tf
new file mode 100644
index 00000000..4a5b6e04
--- /dev/null
+++ b/deprecated/terraform/gcp/R8040-R81/common/members-a-b/variables.tf
@@ -0,0 +1,175 @@ +variable "prefix" { + type = string + description = "(Optional) Resources name prefix" + default = "chkp-tf-ha" +} +variable "region" { + type = string + default = "us-central1" +} +variable "zoneA" { + type = string + default = "us-central1-a" +} +variable "zoneB" { + type = string + default = "us-central1-a" +} +variable "machine_type" { + type = string + description = "Machine types determine the specifications of your machines, such as the amount of memory, virtual cores, and persistent disk limits an instance will have." + default = "n1-standard-4" +} +variable "disk_size" { + type = number + description = "Disk size in GB - Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space." + default = 100 +} +variable "disk_type" { + type = string + description = "Storage space is much less expensive for a standard Persistent Disk. An SSD Persistent Disk is better for random IOPS or streaming throughput with low latency." + default = "SSD Persistent Disk" +} +variable "image_name" { + type = string + description = "The High Availability (cluster) image name (e.g. check-point-r8110-gw-byol-cluster-335-985-v20220126). You can choose the desired cluster image value from: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/ha-byol/images.py" +} +variable "cluster_network" { + type = list(string) + description = "Cluster external network ID in the chosen zone." +} +variable "cluster_network_subnetwork" { + type = list(string) + description = "Cluster subnet ID in the chosen network." +} +variable "mgmt_network" { + type = list(string) + description = "Management network ID in the chosen zone." +} +variable "mgmt_network_subnetwork" { + type = list(string) + description = "Management subnet ID in the chosen network." 
+} +variable "num_internal_networks" { + type = number + description = "A number in the range 1 - 6 of internal network interfaces." + default = 1 +} +variable "internal_network1_network" { + type = list(string) + description = "1st internal network ID in the chosen zone." + default = [] +} +variable "internal_network1_subnetwork" { + type = list(string) + description = "1st internal subnet ID in the chosen network." + default = [] +} +variable "internal_network2_network" { + type = list(string) + description = "2nd internal network ID in the chosen zone." + default = [] +} +variable "internal_network2_subnetwork" { + type = list(string) + description = "2nd internal subnet ID in the chosen network." + default = [] +} +variable "internal_network3_network" { + type = list(string) + description = "3rd internal network ID in the chosen zone." + default = [] +} +variable "internal_network3_subnetwork" { + type = list(string) + description = "3rd internal subnet ID in the chosen network." + default = [] +} +variable "internal_network4_network" { + type = list(string) + description = "4th internal network ID in the chosen zone." + default = [] +} +variable "internal_network4_subnetwork" { + type = list(string) + description = "4th internal subnet ID in the chosen network." + default = [] +} +variable "internal_network5_network" { + type = list(string) + description = "5th internal network ID in the chosen zone." + default = [] +} +variable "internal_network5_subnetwork" { + type = list(string) + description = "5th internal subnet ID in the chosen network." + default = [] +} +variable "internal_network6_network" { + type = list(string) + description = "6th internal network ID in the chosen zone." + default = [] +} +variable "internal_network6_subnetwork" { + type = list(string) + description = "6th internal subnet ID in the chosen network." 
+ default = [] +} +variable "admin_SSH_key" { + type = string + description = "(Optional) The SSH public key for SSH authentication to the MIG instances. Leave this field blank to use all project-wide pre-configured SSH keys." + default = "" +} +variable "project" { + type = string + description = "Personal project id. The project indicates the default GCP project all of your resources will be created in." + default = "" +} +variable "generate_password" { + type = bool + description = "Automatically generate an administrator password." + default = false +} +variable "sic_key" { + type = string + description = "The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server. At least 8 alpha numeric characters. If SIC is not provided and needed, a key will be automatically generated" +} +variable "allow_upload_download" { + type = bool + description = "Allow download from/upload to Check Point." + default = false +} +variable "enable_monitoring" { + type = bool + description = "Enable Stackdriver monitoring" + default = false +} +variable "admin_shell" { + type = string + description = "Change the admin shell to enable advanced command line configuration." + default = "/etc/cli.sh" +} +variable "smart_1_cloud_token_a" { + type = string + description ="(Optional) Smart-1 cloud token for member A to connect this Gateway to Check Point's Security Management as a Service" + default = "" +} +variable "smart_1_cloud_token_b" { + type = string + description ="(Optional) Smart-1 cloud token for member B to connect this Gateway to Check Point's Security Management as a Service" + default = "" +} +variable "management_network" { + type = string + description = "Security Management Server address - The public address of the Security Management Server, in CIDR notation. If using Smart-1 Cloud management, insert 'S1C'. VPN peers addresses cannot be in this CIDR block, so this value cannot be the zero-address." 
+}
+variable "generated_admin_password" {
+ type = string
+ description = "administrator password"
+}
+variable "primary_cluster_address_name" {
+ type = string
+}
+variable "secondary_cluster_address_name" {
+ type = string
+}
\ No newline at end of file
diff --git a/deprecated/terraform/gcp/R8040-R81/common/network-and-subnet/main.tf b/deprecated/terraform/gcp/R8040-R81/common/network-and-subnet/main.tf
new file mode 100644
index 00000000..7665da7c
--- /dev/null
+++ b/deprecated/terraform/gcp/R8040-R81/common/network-and-subnet/main.tf
@@ -0,0 +1,21 @@
+locals {
+ create_network_condition = var.network_cidr == "" ? false : true
+}
+
+resource "google_compute_network" "network" {
+ count = local.create_network_condition ? 1 : 0
+ name = "${var.prefix}-${var.type}"
+ auto_create_subnetworks = false
+}
+resource "google_compute_subnetwork" "subnetwork" {
+ count = local.create_network_condition ? 1 : 0
+ name = "${var.prefix}-${var.type}-subnet"
+ ip_cidr_range = var.network_cidr
+ private_ip_google_access = true
+ region = var.region
+ network = google_compute_network.network[count.index].id
+}
+data "google_compute_network" "network_name" {
+ count = local.create_network_condition ? 0 : 1
+ name = var.network_name
+}
\ No newline at end of file
diff --git a/deprecated/terraform/gcp/R8040-R81/common/network-and-subnet/output.tf b/deprecated/terraform/gcp/R8040-R81/common/network-and-subnet/output.tf
new file mode 100644
index 00000000..862f84e4
--- /dev/null
+++ b/deprecated/terraform/gcp/R8040-R81/common/network-and-subnet/output.tf
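Review bot: `zoneA` and `zoneB` both default to `us-central1-a`, so a deployment that accepts the defaults places both members of the high-availability pair in a single zone; if cross-zone placement is the intended default, `zoneB` should default to `us-central1-b`, and if single-zone is deliberate the variables should say so — neither currently has a `description`. The secret-bearing variables redeclared here (`sic_key`, `generated_admin_password`, `smart_1_cloud_token_a`, `smart_1_cloud_token_b`) again lack `sensitive = true`, and since this module is the one a root module is likely to call, this is where the values first enter plan output. `admin_SSH_key` and `image_name` also still describe "MIG instances" although this module builds the cluster pair.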
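Review bot: `google_compute_subnetwork.subnetwork` hard-codes `private_ip_google_access = true` although the module declares a `private_ip_google_access` variable (in the variables.tf hunk that follows) for exactly this setting, so a caller passing `false` is silently ignored; the line should read `private_ip_google_access = var.private_ip_google_access`. The `data "google_compute_network" "network_name"` lookup runs whenever `network_cidr` is empty, but `network_name` also defaults to `""`, so a call that sets neither fails inside the data source rather than with a clear message; a comment on `locals` such as `# exactly one of network_cidr (create) or network_name (reuse) must be non-empty` would at least document the contract until a precondition can enforce it.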
@@ -0,0 +1,18 @@
+output "new_created_network_link" {
+ value = google_compute_network.network[*].self_link
+}
+output "new_created_subnet_link" {
+ value = google_compute_subnetwork.subnetwork[*].self_link
+}
+output "existing_network_link" {
+ value = data.google_compute_network.network_name[*].self_link
+}
+output "new_created_network_name" {
+ value = google_compute_network.network[*].name
+}
+output "new_created_subnet_name" {
+ value = google_compute_subnetwork.subnetwork[*].name
+}
+output "existing_network_name" {
+ value = data.google_compute_network.network_name[*].name
+}
\ No newline at end of file
diff --git a/deprecated/terraform/gcp/R8040-R81/common/network-and-subnet/variables.tf b/deprecated/terraform/gcp/R8040-R81/common/network-and-subnet/variables.tf
new file mode 100644
index 00000000..333d4f35
--- /dev/null
+++ b/deprecated/terraform/gcp/R8040-R81/common/network-and-subnet/variables.tf
@@ -0,0 +1,27 @@
+variable "prefix" {
+ type = string
+ description = "(Optional) Resources name prefix"
+ default = "chkp-tf-ha"
+}
+variable "type" {
+ type = string
+}
+variable "network_cidr" {
+ type = string
+ description = "External subnet CIDR. If the variable's value is not empty double quotes, a new network will be created."
+ default = "10.0.0.0/24"
+}
+variable "private_ip_google_access" {
+ type = bool
+ description = "When enabled, VMs in this subnetwork without external IP addresses can access Google APIs and services by using Private Google Access."
+ default = true
+}
+variable "region" {
+ type = string
+ default = "us-central1"
+}
+variable "network_name" {
+ type = string
+ description = "External network ID in the chosen zone. The network determines what network traffic the instance can access.If you have specified a CIDR block at var.network_cidr, this network name will not be used."
+ default = ""
+}
\ No newline at end of file
diff --git a/deprecated/terraform/gcp/R8040-R81/common/startup-script.sh b/deprecated/terraform/gcp/R8040-R81/common/startup-script.sh
new file mode 100644
index 00000000..196a04e3
--- /dev/null
+++ b/deprecated/terraform/gcp/R8040-R81/common/startup-script.sh
@@ -0,0 +1,3 @@
+#cloud-config
+runcmd:
+ - 'python3 /etc/cloud_config.py generatePassword=\"${generatePassword}\" allowUploadDownload=\"${allowUploadDownload}\" templateName=\"${templateName}\" templateVersion=\"${templateVersion}\" mgmtNIC="X${mgmtNIC}X" hasInternet=\"${hasInternet}\" config_url=\"${config_url}\" config_path=\"${config_path}\" installationType="X${installationType}X" enableMonitoring=\"${enableMonitoring}\" shell=\"${shell}\" computed_sic_key=\"${computed_sic_key}\" sicKey=\"${sicKey}\" managementGUIClientNetwork=\"${managementGUIClientNetwork}\" primary_cluster_address_name=\"${primary_cluster_address_name}\" secondary_cluster_address_name=\"${secondary_cluster_address_name}\" managementNetwork=\"${managementNetwork}\" numAdditionalNICs=\"${numAdditionalNICs}\" smart1CloudToken="X${smart_1_cloud_token}X" name=\"${name}\" zone=\"${zoneConfig}\" region=\"${region}\"'
\ No newline at end of file
diff --git a/deprecated/terraform/gcp/R8040-R81/high-availability/README.md b/deprecated/terraform/gcp/R8040-R81/high-availability/README.md
new file mode 100644
index 00000000..03e9d97b
--- /dev/null
+++ b/deprecated/terraform/gcp/R8040-R81/high-availability/README.md
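Review bot: The runcmd line hands `sicKey`, `computed_sic_key` and `smart1CloudToken` to `/etc/cloud_config.py` as command-line arguments, which exposes them in the process list while the script runs and, if this template is delivered as instance startup metadata as its name suggests (the rendering into metadata is not visible in this hunk), to anyone with compute.instances.get on the project or with access to the metadata server for the instance's lifetime. Consider having cloud_config.py fetch the secret values itself and passing only the non-secret parameters on the command line, or at least add a header comment such as `# NOTE: rendered into instance metadata; every value interpolated below is readable via the metadata server and in ps output` so deployers know to restrict who can read it. The values are interpolated into a single-quoted YAML scalar with no escaping, so the only thing keeping a quote or space in a value from breaking the command is the input validation in locals.tf; `managementGUIClientNetwork`, `name` and `config_url` do not appear to be validated in the visible locals.tf and would need the same treatment.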
@@ -0,0 +1,317 @@ +# Check Point Cluster High Availability (HA) Terraform module for GCP + +Terraform module which deploys Check Point CloudGuard IaaS High Availability solution on GCP. + +These types of Terraform resources are supported: +* [Network](https://www.terraform.io/docs/providers/google/d/compute_network.html) - conditional creation +* [Subnetwork](https://www.terraform.io/docs/providers/google/r/compute_subnetwork.html) - conditional creation +* [Instance](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance) +* [IP address](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/compute_address) +* [Firewall](https://www.terraform.io/docs/providers/google/r/compute_firewall.html) - conditional creation + + +For additional information, +please see the [CloudGuard Network for GCP High Availability Cluster Deployment Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_GCP_HA_Cluster/Default.htm) + +This solution uses the following modules: +- \gcp\common\network-and-subnet +- \gcp\common\firewall-rule +- \gcp\common\cluster-member +- \gcp\common\members-a-b + +Terraform is controlled via a very easy to use command-line interface (CLI). Terraform is only a single command-line application: **terraform**. + +## Before you begin +1. Create a project in the [Google Cloud Console](https://console.cloud.google.com/) and set up billing on that project. +2. [Install Terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli) and read the Terraform getting started guide that follows. This guide will assume basic proficiency with Terraform - it is an introduction to the Google provider. 
+ +## Configuring the Provider +The **main.tf** file includes the following provider configuration block used to configure the credentials you use to authenticate with GCP, as well as a default project and location for your resources: +``` +provider "google" { + credentials = file(var.service_account_path) + project = var.project + region = var.region +} +... +``` +1. [Create a Service Account](https://cloud.google.com/docs/authentication/getting-started) (or use the existing one). Next, download the JSON key file. Name it something you can remember and store it somewhere secure on your machine.
+2. Select "Editor" Role or verify you have the following permissions: + ``` + compute.addresses.create + compute.addresses.delete + compute.addresses.get + compute.addresses.use + compute.disks.create + compute.firewalls.create + compute.firewalls.delete + compute.firewalls.get + compute.images.get + compute.images.useReadOnly + compute.instances.create + compute.instances.delete + compute.instances.get + compute.instances.setMetadata + compute.instances.setServiceAccount + compute.instances.setTags + compute.networks.create + compute.networks.delete + compute.networks.get + compute.networks.updatePolicy + compute.regions.list + compute.subnetworks.create + compute.subnetworks.delete + compute.subnetworks.get + compute.subnetworks.use + compute.subnetworks.useExternalIp + compute.zones.get + iam.serviceAccountKeys.get + iam.serviceAccountKeys.list + iam.serviceAccounts.actAs + iam.serviceAccounts.get + iam.serviceAccounts.list + ``` +3. ```credentials``` - Your service account key file is used to complete a two-legged OAuth 2.0 flow to obtain access tokens to authenticate with the GCP API as needed; Terraform will use it to reauthenticate automatically when tokens expire.
+The provider credentials can be provided either as static credentials or as [Environment Variables](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#credentials-1). + - Static credentials can be provided by adding the path to your service-account json file, project-id and region in /gcp/modules/high-availability/**terraform.tfvars** file as follows: + ``` + service_account_path = "service-accounts/service-account-file-name.json" + project = "project-id" + region = "us-central1" + ``` + - In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in the main.tf file, in the provider google resource, need to be deleted or commented: + ``` + provider "google" { + // credentials = file(var.service_account_path) + // project = var.project + + region = var.region + } + ``` + b.In the terraform.tfvars file leave empty double quotes for credentials and project variables: + ``` + service_account_path = "" + project = "" + ``` + ## Usage +- Fill all variables in the /gcp/high-availability/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +#### Variables are configured in high-availability/**terraform.tfvars** file as follows: +``` +# --- Google Provider --- +service_account_path = "service-accounts/service-account-file-name.json" +project = "project-id" + +# --- Check Point Deployment --- +prefix = "chkp-tf-ha" +license = "BYOL" +image_name = "check-point-r8110-gw-byol-cluster-335-985-v20220126" + +# --- Instances Configuration --- +region = "us-central1" +zoneA = "us-central1-a" +zoneB = "us-central1-a" +machine_type = "n1-standard-4" +disk_type = "SSD Persistent Disk" +disk_size = 100 +admin_SSH_key = "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" +enable_monitoring = false + +# --- Check Point --- +management_network = "209.87.209.100/32" +sic_key = "aaaaaaaa" +generate_password = false +allow_upload_download = false +admin_shell = "/bin/bash" + +#--- Quick connect to Smart-1 Cloud --- +smart_1_cloud_token_a = "xxxxxxxxxxxxxxxxxxxxxxxx" +smart_1_cloud_token_b = "xxxxxxxxxxxxxxxxxxxxxxxx" + +# --- Networking --- +cluster_network_cidr = "10.0.1.0/24" +cluster_network_name = "cluster-network" +cluster_network_subnetwork_name = "cluster-subnetwork" +cluster_ICMP_traffic = ["0.0.0.0/0"] +cluster_TCP_traffic = ["0.0.0.0/0"] 
+cluster_UDP_traffic = [] +cluster_SCTP_traffic = [] +cluster_ESP_traffic = [] +mgmt_network_cidr = "" +mgmt_network_name = "mgmt-network" +mgmt_network_subnetwork_name = "mgmt-subnetwork" +mgmt_ICMP_traffic = [] +mgmt_TCP_traffic = [] +mgmt_UDP_traffic = [] +mgmt_SCTP_traffic = ["0.0.0.0/0"] +mgmt_ESP_traffic = ["0.0.0.0/0"] +num_internal_networks = 1 +internal_network1_cidr = "10.0.3.0/24" +internal_network1_name = "" +internal_network1_subnetwork_name = "" + +``` + +- To tear down your resources: + ``` + terraform destroy + ``` + + +## Conditional creation +
1. For each network and subnet variable, you can choose whether to create a new network with a new subnet or to use an existing one. +- If you want to create a new network and subnet, please input a subnet CIDR block for the desired new network - In this case, the network name and subnetwork name will not be used: +``` + cluster_network_cidr = "10.0.1.0/24" + cluster_network_name = "not-use" + cluster_network_subnetwork_name = "not-use" +``` +- Otherwise, if you want to use existing network and subnet, please leave empty double quotes in the CIDR variable for the desired network: +``` + cluster_network_cidr = "" + cluster_network_name = "cluster-network" + cluster_network_subnetwork_name = "cluster-subnetwork" +``` +
2. To create Firewall and allow traffic for ICMP, TCP, UDP, SCTP or/and ESP - enter list of Source IP ranges. +
Please leave empty list for a protocol if you want to disable traffic for it. +- For cluster: +``` + cluster_ICMP_traffic = ["123.123.0.0/24", "234.234.0.0/24"] + cluster_TCP_traffic = ["0.0.0.0/0"] + cluster_UDP_traffic = [] + cluster_SCTP_traffic = [] + cluster_ESP_traffic = [] +``` +- For management: +``` + mgmt_ICMP_traffic = ["123.123.0.0/24", "234.234.0.0/24"] + mgmt_TCP_traffic = ["0.0.0.0/0"] + mgmt_UDP_traffic = [] + mgmt_SCTP_traffic = [] + mgmt_ESP_traffic = [] +``` +
3.The cluster members will each have a network interface in each internal network and create high priority routes that will route all outgoing traffic to the cluster member that is currently active. +
Using internal networks depends on the variable num_internal_networks, by selecting a number in range 1 - 6 that represents the number of internal networks: +``` + num_internal_networks = 3 + internal_network1_cidr = "" + internal_network1_name = "internal_network1" + internal_network1_subnetwork_name = "internal_subnetwork1" + internal_network2_cidr = "10.0.4.0/24" + internal_network2_name = "" + internal_network2_subnetwork_name = "" + internal_network3_cidr = "10.0.5.0/24" + internal_network3_name = "" + internal_network3_subnetwork_name = "" +``` + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | +| ------------- | ------------- | ------------- | ------------- | ------------- | ------------- | +| service_account_path | User service account path in JSON format - From the service account key page in the Cloud Console choose an existing account or create a new one. Next, download the JSON key file. Name it something you can remember, store it somewhere secure on your machine, and supply the path to the location is stored. (e.g. "service-accounts/service-account-name.json") | string | N/A | "" | yes | +| project | Personal project id. The project indicates the default GCP project all of your resources will be created in. | string | N/A | "" | yes | +| | | | | | +| prefix | (Optional) Resources name prefix. | string | N/A | "chkp-tf-ha" | no | +| license | Checkpoint license (BYOL or PAYG). | string | - BYOL
- PAYG
| "BYOL" | no | +| image_name | The High Availability (cluster) image name (e.g. check-point-r8110-gw-byol-cluster-335-985-v20220126). You can choose the desired cluster image value from [Github](https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/ha-byol/images.py). | string | N/A | N/A | yes | +| | | | | | +| region | GCP region | string | N/A | "us-central1" | no | +| zoneA | Member A Zone. The zone determines what computing resources are available and where your data is stored and used. | string | N/A | "us-central1-a" | no | +| zoneB | Member B Zone. | string | N/A | "us-central1-a" | no | +| machine_type | Machine types determine the specifications of your machines, such as the amount of memory, virtual cores, and persistent disk limits an instance will have. | string | N/A | "n1-standard-4" | no | +| disk_type | Storage space is much less expensive for a standard Persistent Disk. An SSD Persistent Disk is better for random IOPS or streaming throughput with low latency. | string | - SSD Persistent Disk
- Standard Persistent Disk | "SSD Persistent Disk" | no | +| disk_size | Disk size in GB - Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space. | number | number between 100 and 4096 | 100 | no | +| enable_monitoring | Enable Stackdriver monitoring | bool | true/false | false | no | +| | | | | | +| management_network | Security Management Server address - The public address of the Security Management Server, in CIDR notation. If using Smart-1 Cloud management, insert 'S1C'. VPN peers addresses cannot be in this CIDR block, so this value cannot be the zero-address. | string | N/A | N/A | yes | +| sic_key | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server. At least 8 alpha numeric characters. If SIC is not provided and needed, a key will be automatically generated | string | N/A | N/A | yes | +| generate_password | Automatically generate an administrator password. | bool | true/false | false | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| admin_shell | Change the admin shell to enable advanced command line configuration. | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | "/etc/cli.sh" | no | +| smart_1_cloud_token_a | Smart-1 Cloud token to connect ***member A*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal.| +| smart_1_cloud_token_b | Smart-1 Cloud token to connect ***member B*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501)| string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal.| +| cluster_network_cidr | Cluster external subnet CIDR. If the variable's value is not empty double quotes, a new network will be created. The Cluster public IP will be translated to a private address assigned to the active member in this external network. | string | N/A | "10.0.0.0/24" | no | +| cluster_network_name | Cluster external network ID in the chosen zone. The network determines what network traffic the instance can access.If you have specified a CIDR block at var.cluster_network_cidr, this network name will not be used. | string | N/A | "" | no | +| cluster_network_subnetwork_name | Cluster subnet ID in the chosen network. Assigns the instance an IPv4 address from the subnetwork’s range. If you have specified a CIDR block at var.cluster_network_cidr, this subnetwork will not be used. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. | string | N/A | "" | no | +| cluster_ICMP_traffic | (Optional) Source IP ranges for ICMP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. Please leave empty list to unable ICMP traffic. | list(string) | N/A | [] | no | +| cluster_TCP_traffic | (Optional) Source IP ranges for TCP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. Please leave empty list to unable TCP traffic. | list(string) | N/A | [] | no | +| cluster_UDP_traffic | (Optional) Source IP ranges for UDP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. 
For gateway only. Please leave empty list to unable UDP traffic. | list(string) | N/A | [] | no | +| cluster_SCTP_traffic | (Optional) Source IP ranges for SCTP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. Please leave empty list to unable SCTP traffic. | list(string) | N/A | [] | no | +| cluster_ESP_traffic | (Optional) Source IP ranges for ESP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. Please leave empty list to unable ESP traffic. | list(string) | N/A | [] | no | +| mgmt_network_cidr | Management external subnet CIDR. If the variable's value is not empty double quotes, a new network will be created. The public IP used to manage each member will be translated to a private address in this external network. | string | N/A | "10.0.1.0/24" | no | +| mgmt_network_name | Management network ID in the chosen zone. The network determines what network traffic the instance can access. If you have specified a CIDR block at var.mgmt_network_cidr, this network name will not be used. | string | N/A | "" | no | +| mgmt_network_subnetwork_name | Management subnet ID in the chosen network. Assigns the instance an IPv4 address from the subnetwork’s range. If you have specified a CIDR block at var.mgmt_network_cidr, this subnetwork will not be used. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. | string | N/A | "" | no | +| mgmt_ICMP_traffic | (Optional) Source IP ranges for ICMP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009. Please leave empty list to unable ICMP traffic. 
| list(string) | N/A | [] | no | +| mgmt_TCP_traffic | (Optional) Source IP ranges for TCP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009. Please leave empty list to unable TCP traffic. | list(string) | N/A | [] | no | +| mgmt_UDP_traffic | (Optional) Source IP ranges for UDP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009. Please leave empty list to unable SCTP traffic. | list(string) | N/A | [] | no | +| mgmt_SCTP_traffic | (Optional) Source IP ranges for SCTP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009. Please leave empty list to unable TCP traffic. | list(string) | N/A | [] | no | +| mgmt_ESP_traffic | (Optional) Source IP ranges for ESP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009. Please leave empty list to unable ESP traffic. | list(string) | N/A | [] | no | +| num_internal_networks | A number in the range 1 - 6 of internal network interfaces. | number | 1 - 6 | 1 | no | +| internal_network1_cidr | 1st internal subnet CIDR. If the variable's value is not empty double quotes, a new subnet will be created. Assigns the cluster members an IPv4 address in this internal network. | string | N/A | "10.0.2.0/24" | no | +| internal_network1_name | 1st internal network ID in the chosen zone. 
The network determines what network traffic the instance can access. If you have specified a CIDR block at var.internal_network1_cidr, this network name will not be used. | string | N/A | "" | no | +| internal_network1_subnetwork_name | 1st internal subnet ID in the chosen network. Assigns the instance an IPv4 address from the subnetwork’s range. If you have specified a CIDR block at var.internal_network1_cidr, this subnetwork will not be used. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. | string | N/A | "" | no | + + + +## Outputs +| Name | Description | +| ------------- | ------------- | +| cluster_new_created_network | If a new cluster network creation is selected - the cluster network name, otherwise, an empty list. | +| cluster_new_created_subnet | If a new cluster network creation is selected - the cluster subnetwork name, otherwise, an empty list. | +| mgmt_new_created_network | If a new management network creation is selected - the management network name, otherwise, an empty list. | +| mgmt_new_created_subnet | If a new management network creation is selected - the management subnetwork name, otherwise, an empty list. | +| int_network1_new_created_network | If a new internal network 1 creation is selected - the internal network 1 network name, otherwise, an empty list. | +| int_network1_new_created_subnet | If a new internal network 1 creation is selected - the internal network 1 subnetwork name, otherwise, an empty list. | +| cluster_ICMP_firewall_rule | If enable - the cluster ICMP firewall rules name, otherwise, an empty list. | +| cluster_TCP_firewall_rule | If enable - the cluster TCP firewall rules name, otherwise, an empty list. | +| cluster_UDP_firewall_rule | If enable - the cluster UDP firewall rules name, otherwise, an empty list. | +| cluster_SCTP_firewall_rule | If enable - the cluster SCTP firewall rules name, otherwise, an empty list. 
| +| cluster_ESP_firewall_rule | If enable - the cluster ESP firewall rules name, otherwise, an empty list. | +| mgmt_ICMP_firewall_rule | If enable - the mgmt ICMP firewall rules name, otherwise, an empty list. | +| mgmt_TCP_firewall_rule | If enable - the mgmt TCP firewall rules name, otherwise, an empty list. | +| mgmt_UDP_firewall_rule | If enable - the mgmt UDP firewall rules name, otherwise, an empty list. | +| mgmt_SCTP_firewall_rule | If enable - the mgmt SCTP firewall rules name, otherwise, an empty list. | +| mgmt_ESP_firewall_rule | If enable - the mgmt ESP firewall rules name, otherwise, an empty list. | +| cluster_ip_external_address | Primary public IP address. | +| admin_password | If enable generate_password - the administrator password, otherwise, an empty list. | +| sic_key | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server. | +| member_a_name | Member A name. | +| member_a_external_ip | Member A external ip. | +| member_a_zone | Member A Zone. | +| member_b_name | Member B name. | +| member_b_external_ip | Member B external ip. | +| member_b_zone | Member B Zone. | + +## Revision History +In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +| ---------------- | ------------- | +| 20230209 | Added Smart-1 Cloud support. | +| | | | +| 20230109 | Updated startup script to use cloud-config. | +| | | | +| 20201208 | First release of Check Point Check Point CloudGuard IaaS High Availability Terraform solution on GCP. | +| | | | +| | Addition of "template_type" parameter to "cloud-version" files. | +| | | | + +## Authors + + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../../LICENSE) file for details 
diff --git a/deprecated/terraform/gcp/R8040-R81/high-availability/locals.tf b/deprecated/terraform/gcp/R8040-R81/high-availability/locals.tf
new file mode 100644
index 00000000..e764ccaf
--- /dev/null
+++ b/deprecated/terraform/gcp/R8040-R81/high-availability/locals.tf
@@ -0,0 +1,106 @@
+locals {
+ license_allowed_values = [
+ "BYOL",
+ "PAYG"]
+ // will fail if [var.license] is invalid:
+ validate_license = index(local.license_allowed_values, upper(var.license))
+
+ regex_validate_image_name = "check-point-r8[0-1][1-4]0-gw-(byol|payg)-cluster-[0-9]{3}-([0-9]{3,}|[a-z]+)-v[0-9]{8,}"
+ // will fail if the image name is not in the right syntax
+ validate_image_name = length(regexall(local.regex_validate_image_name, var.image_name)) > 0 ? 0 : index(split("-", var.image_name), "INVALID IMAGE NAME")
+
+ split_zoneA = split("-", var.zoneA)
+ split_zoneB = split("-", var.zoneB)
+ // will fail if the var.zoneA and var.zoneB are not at the same region:
+ validate_zones = index(local.split_zoneA, local.split_zoneB[0]) == local.split_zoneA[0] && index(local.split_zoneA, local.split_zoneB[1]) == local.split_zoneA[0] ? 0 : "var.zoneA and var.zoneB are not at the same region"
+
+ regex_valid_management_network = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))|(S1C)$"
+ // Will fail if var.management_network is invalid
+ regex_management_network = regex(local.regex_valid_management_network, var.management_network) == var.management_network ? 0 : "Variable [management_network] must be a valid address in CIDR notation or 'S1C'."
+
+ regex_valid_network_cidr = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))|$"
+
+ // Will fail if var.cluster_network_cidr is invalid
+ regex_cluster_network_cidr = regex(local.regex_valid_network_cidr, var.cluster_network_cidr) == var.cluster_network_cidr ? 0 : "Variable [cluster_network_cidr] must be a valid address in CIDR notation."
+ // Will fail if var.mgmt_network_cidr is invalid
+ regex_mgmt_network_cidr = regex(local.regex_valid_network_cidr, var.mgmt_network_cidr) == var.mgmt_network_cidr ? 0 : "Variable [mgmt_network_cidr] must be a valid address in CIDR notation."
+ // Will fail if var.internal_network1_cidr is invalid
+ regex_internal_network1_cidr = regex(local.regex_valid_network_cidr, var.internal_network1_cidr) == var.internal_network1_cidr ? 0 : "Variable [internal_network1_cidr] must be a valid address in CIDR notation."
+
+ disk_type_allowed_values = [
+ "SSD Persistent Disk",
+ "Standard Persistent Disk"]
+ // Will fail if var.disk_type is invalid
+ validate_disk_type = index(local.disk_type_allowed_values, var.disk_type)
+
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"]
+ // Will fail if var.admin_shell is invalid
+ validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell)
+
+ // Will fail if var.cluster_network_name or var.cluster_network_subnetwork_name are empty double quotes in case of use existing network.
+ validate_cluster_network = var.cluster_network_cidr == "" && var.cluster_network_name == "" ? index("error:", "using existing cluster network - cluster network name is missing") : 0
+ validate_cluster_subnet = var.cluster_network_cidr == "" && var.cluster_network_subnetwork_name == "" ? index("error:", "using existing cluster network - cluster subnetwork name is missing") : 0
+
+ // Will fail if var.mgmt_network_name or var.mgmt_network_subnetwork_name are empty double quotes in case of use existing network.
+ validate_mgmt_network = var.mgmt_network_cidr == "" && var.mgmt_network_name == "" ? index("error:", "using existing mgmt network - mgmt network name is missing") : 0
+ validate_mgmt_subnet = var.mgmt_network_cidr == "" && var.mgmt_network_subnetwork_name == "" ? index("error:", "using existing mgmt network - mgmt subnetwork name is missing") : 0
+
+ // Will fail if var.internal_network1_name or var.internal_network1_subnetwork_name are empty double quotes in case of use existing network.
+ validate_internal_network1 = var.internal_network1_cidr == "" && var.internal_network1_name == "" ? index("error:", "using existing network1 - internal network1 name is missing") : 0
+ validate_internal_network1_subnet = var.internal_network1_cidr == "" && var.internal_network1_subnetwork_name == "" ? ("using existing network1 - internal network1 subnet name is missing") : 0
+
+ // Will fail if var.internal_network2_name or var.internal_network2_subnetwork_name are empty double quotes in case of use existing network.
+ validate_internal_network2 = var.num_internal_networks >= 2 && var.internal_network2_cidr == "" && var.internal_network2_name == "" ? index("error:", "using existing network2 - internal network2 name is missing") : 0
+ validate_internal_network2_subnet = var.num_internal_networks >= 2 && var.internal_network2_cidr == "" && var.internal_network2_subnetwork_name == "" ? index("error:", "using existing network2 - internal network2 subnet name is missing") : 0
+
+ // Will fail if var.internal_network3_name or var.internal_network3_subnetwork_name are empty double quotes in case of use existing network.
+ validate_internal_network3 = var.num_internal_networks >= 3 && var.internal_network3_cidr == "" && var.internal_network3_name == "" ? index("error:", "using existing network3 - internal network3 name is missing") : 0
+ validate_internal_network3_subnet = var.num_internal_networks >= 3 && var.internal_network3_cidr == "" && var.internal_network3_subnetwork_name == "" ? index("error:", "using existing network3 - internal network3 subnet name is missing") : 0
+
+ // Will fail if var.internal_network4_name or var.internal_network4_subnetwork_name are empty double quotes in case of use existing network.
+ validate_internal_network4 = var.num_internal_networks >= 4 && var.internal_network4_cidr == "" && var.internal_network4_name == "" ? index("error:", "using existing network4 - internal network4 name is missing") : 0
+ validate_internal_network4_subnet = var.num_internal_networks >= 4 && var.internal_network4_cidr == "" && var.internal_network4_subnetwork_name == "" ? index("error:", "using existing network4 - internal network4 subnet name is missing") : 0
+
+ // Will fail if var.internal_network5_name or var.internal_network5_subnetwork_name are empty double quotes in case of use existing network.
+ validate_internal_network5 = var.num_internal_networks >= 5 && var.internal_network5_cidr == "" && var.internal_network5_name == "" ? index("error:", "using existing network5 - internal network5 name is missing") : 0
+ validate_internal_network5_subnet = var.num_internal_networks >= 5 && var.internal_network5_cidr == "" && var.internal_network5_subnetwork_name == "" ? index("error:", "using existing network5 - internal network5 subnet name is missing") : 0
+
+ // Will fail if var.internal_network6_name or var.internal_network6_subnetwork_name are empty double quotes in case of use existing network.
+ validate_internal_network6 = var.num_internal_networks >= 6 && var.internal_network6_cidr == "" && var.internal_network6_name == "" ? index("error:", "using existing network6 - internal network6 name is missing") : 0
+ validate_internal_network6_subnet = var.num_internal_networks >= 6 && var.internal_network6_cidr == "" && var.internal_network6_subnetwork_name == "" ? index("error:", "using existing network6 - internal network6 subnet name is missing") : 0
+
+
+ regex_valid_admin_SSH_key = "^(^$|ssh-rsa AAAA[0-9A-Za-z+/]+[=]{0,3})"
+ // Will fail if var.admin_SSH_key is invalid
+ regex_admin_SSH_key = regex(local.regex_valid_admin_SSH_key, var.admin_SSH_key) == var.admin_SSH_key ? 0 : "Please enter a valid SSH public key or leave empty"
+
+ regex_valid_sic_key = "^([a-z0-9A-Z]{8,30})$"
+ // Will fail if var.sic_key is invalid
+ regex_sic_key = regex(local.regex_valid_sic_key, var.sic_key) == var.sic_key ? 0 : "Variable [sic_key] must be at least 8 alpha numeric characters."
+
+
+
+
+ create_cluster_network_condition = var.cluster_network_cidr == "" ? false : true
+ create_mgmt_network_condition = var.mgmt_network_cidr == "" ? false : true
+ create_internal_network1_condition = var.internal_network1_cidr == "" ? false : true
+ create_internal_network2_condition = var.internal_network2_cidr == "" && var.num_internal_networks >= 2 ? false : true
+ create_internal_network3_condition = var.internal_network3_cidr == "" && var.num_internal_networks >= 3 ? false : true
+ create_internal_network4_condition = var.internal_network4_cidr == "" && var.num_internal_networks >= 4 ? false : true
+ create_internal_network5_condition = var.internal_network5_cidr == "" && var.num_internal_networks >= 5 ? false : true
+ create_internal_network6_condition = var.internal_network6_cidr == "" && var.num_internal_networks == 6 ? false : true
+ cluster_ICMP_traffic_condition = length(var.cluster_ICMP_traffic) == 0 ? 0 : 1
+ cluster_TCP_traffic_condition = length(var.cluster_TCP_traffic) == 0 ? 0 : 1
+ cluster_UDP_traffic_condition = length(var.cluster_UDP_traffic) == 0 ? 0 : 1
+ cluster_SCTP_traffic_condition = length(var.cluster_SCTP_traffic) == 0 ? 0 : 1
+ cluster_ESP_traffic_condition = length(var.cluster_ESP_traffic) == 0 ? 0 : 1
+ mgmt_ICMP_traffic_condition = length(var.mgmt_ICMP_traffic) == 0 ? 0 : 1
+ mgmt_TCP_traffic_condition = length(var.mgmt_TCP_traffic) == 0 ? 0 : 1
+ mgmt_UDP_traffic_condition = length(var.mgmt_UDP_traffic) == 0 ? 0 : 1
+ mgmt_SCTP_traffic_condition = length(var.mgmt_SCTP_traffic) == 0 ? 0 : 1
+ mgmt_ESP_traffic_condition = length(var.mgmt_ESP_traffic) == 0 ? 0 : 1
+}
\ No newline at end of file
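Review bot: `validate_internal_network1_subnet` omits the `index("error:", ...)` wrapper that every sibling check uses, so its ternary only yields a string and a missing subnetwork name for an existing internal network 1 never aborts the plan; it should read `validate_internal_network1_subnet = var.internal_network1_cidr == "" && var.internal_network1_subnetwork_name == "" ? index("error:", "using existing network1 - internal network1 subnet name is missing") : 0`. The CIDR checks have a related gap: `regex_valid_network_cidr` ends in `|$`, so the empty alternative matches at the end of any input and `regex()` no longer raises, and since the `? 0 : "..."` branch merely stores a message rather than failing, an invalid `cluster_network_cidr`, `mgmt_network_cidr` or `internal_network1_cidr` reaches `google_compute_subnetwork` unchecked. Anchoring the pattern as `^(...)$` and treating the empty string explicitly (`var.cluster_network_cidr == "" ? 0 : ...`), or moving these into `validation` blocks on the variables, would make them fail at plan time as the comments promise. `regex_valid_admin_SSH_key` also accepts only an `ssh-rsa` key with no trailing comment and rejects ed25519/ecdsa keys, which seems narrower than the README's `ssh-rsa ... imported-openssh-key` example suggests.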
diff --git a/deprecated/terraform/gcp/R8040-R81/high-availability/main.tf b/deprecated/terraform/gcp/R8040-R81/high-availability/main.tf new file mode 100644 index 00000000..821d3542 --- /dev/null +++ b/deprecated/terraform/gcp/R8040-R81/high-availability/main.tf 
@@ -0,0 +1,250 @@
+provider "google" {
+ credentials = file(var.service_account_path)
+ project = var.project
+ region = var.region
+}
+
+resource "random_string" "random_string" {
+ length = 5
+ special = false
+ upper = false
+ keepers = {}
+}
+
+module "cluster_network_and_subnet" {
+ source = "../common/network-and-subnet"
+
+ prefix = "${var.prefix}-${random_string.random_string.result}"
+ type = "cluster"
+ network_cidr = var.cluster_network_cidr
+ private_ip_google_access = true
+ region = var.region
+ network_name = var.cluster_network_name
+}
+module "cluster_ICMP_firewall_rules" {
+ count = local.cluster_ICMP_traffic_condition
+ source = "../common/firewall-rule"
+
+ protocol = "icmp"
+ source_ranges = var.cluster_ICMP_traffic
+ rule_name = "${var.prefix}-cluster-icmp-${random_string.random_string.result}"
+ network = local.create_cluster_network_condition ? module.cluster_network_and_subnet.new_created_network_link : module.cluster_network_and_subnet.existing_network_link
+}
+module "cluster_TCP_firewall_rules" {
+ count = local.cluster_TCP_traffic_condition
+ source = "../common/firewall-rule"
+
+ protocol = "tcp"
+ source_ranges = var.cluster_TCP_traffic
+ rule_name = "${var.prefix}-cluster-tcp-${random_string.random_string.result}"
+ network = local.create_cluster_network_condition ? module.cluster_network_and_subnet.new_created_network_link : module.cluster_network_and_subnet.existing_network_link
+}
+module "cluster_UDP_firewall_rules" {
+ count = local.cluster_UDP_traffic_condition
+ source = "../common/firewall-rule"
+
+ protocol = "udp"
+ source_ranges = var.cluster_UDP_traffic
+ rule_name = "${var.prefix}-cluster-udp-${random_string.random_string.result}"
+ network = local.create_cluster_network_condition ? module.cluster_network_and_subnet.new_created_network_link : module.cluster_network_and_subnet.existing_network_link
+}
+module "cluster_SCTP_firewall_rules" {
+ count = local.cluster_SCTP_traffic_condition
+ source = "../common/firewall-rule"
+
+ protocol = "sctp"
+ source_ranges = var.cluster_SCTP_traffic
+ rule_name = "${var.prefix}-cluster-sctp-${random_string.random_string.result}"
+ network = local.create_cluster_network_condition ? module.cluster_network_and_subnet.new_created_network_link : module.cluster_network_and_subnet.existing_network_link
+}
+module "cluster_ESP_firewall_rules" {
+ count = local.cluster_ESP_traffic_condition
+ source = "../common/firewall-rule"
+
+ protocol = "esp"
+ source_ranges = var.cluster_ESP_traffic
+ rule_name = "${var.prefix}-cluster-esp-${random_string.random_string.result}"
+ network = local.create_cluster_network_condition ? module.cluster_network_and_subnet.new_created_network_link : module.cluster_network_and_subnet.existing_network_link
+}
+
+module "mgmt_network_and_subnet" {
+ source = "../common/network-and-subnet"
+
+ prefix = "${var.prefix}-${random_string.random_string.result}"
+ type = "mgmt"
+ network_cidr = var.mgmt_network_cidr
+ private_ip_google_access = false
+ region = var.region
+ network_name = var.mgmt_network_name
+}
+module "mgmt_ICMP_firewall_rules" {
+ count = local.mgmt_ICMP_traffic_condition
+ source = "../common/firewall-rule"
+
+ protocol = "icmp"
+ source_ranges = var.mgmt_ICMP_traffic
+ rule_name = "${var.prefix}-mgmt-icmp-${random_string.random_string.result}"
+ network = local.create_mgmt_network_condition ? module.mgmt_network_and_subnet.new_created_network_link : module.mgmt_network_and_subnet.existing_network_link
+}
+module "mgmt_TCP_firewall_rules" {
+ count = local.mgmt_TCP_traffic_condition
+ source = "../common/firewall-rule"
+
+ protocol = "tcp"
+ source_ranges = var.mgmt_TCP_traffic
+ rule_name = "${var.prefix}-mgmt-tcp-${random_string.random_string.result}"
+ network = local.create_mgmt_network_condition ? module.mgmt_network_and_subnet.new_created_network_link : module.mgmt_network_and_subnet.existing_network_link
+}
+module "mgmt_UDP_firewall_rules" {
+ count = local.mgmt_UDP_traffic_condition
+ source = "../common/firewall-rule"
+
+ protocol = "udp"
+ source_ranges = var.mgmt_UDP_traffic
+ rule_name = "${var.prefix}-mgmt-udp-${random_string.random_string.result}"
+ network = local.create_mgmt_network_condition ? module.mgmt_network_and_subnet.new_created_network_link : module.mgmt_network_and_subnet.existing_network_link
+}
+module "mgmt_SCTP_firewall_rules" {
+ count = local.mgmt_SCTP_traffic_condition
+ source = "../common/firewall-rule"
+
+ protocol = "sctp"
+ source_ranges = var.mgmt_SCTP_traffic
+ rule_name = "${var.prefix}-mgmt-sctp-${random_string.random_string.result}"
+ network = local.create_mgmt_network_condition ? module.mgmt_network_and_subnet.new_created_network_link : module.mgmt_network_and_subnet.existing_network_link
+}
+module "mgmt_ESP_firewall_rules" {
+ count = local.mgmt_ESP_traffic_condition
+ source = "../common/firewall-rule"
+
+ protocol = "esp"
+ source_ranges = var.mgmt_ESP_traffic
+ rule_name = "${var.prefix}-mgmt-esp-${random_string.random_string.result}"
+ network = local.create_mgmt_network_condition ? module.mgmt_network_and_subnet.new_created_network_link : module.mgmt_network_and_subnet.existing_network_link
+}
+
+module "internal_network1_and_subnet" {
+ source = "../common/network-and-subnet"
+
+ prefix = "${var.prefix}-${random_string.random_string.result}"
+ type = "internal-network1"
+ network_cidr = var.internal_network1_cidr
+ private_ip_google_access = false
+ region = var.region
+ network_name = var.internal_network1_name
+}
+
+module "internal_network2_and_subnet" {
+ count = var.num_internal_networks < 2 ? 0 : 1
+ source = "../common/network-and-subnet"
+
+ prefix = "${var.prefix}-${random_string.random_string.result}"
+ type = "internal-network2"
+ network_cidr = var.internal_network2_cidr
+ private_ip_google_access = false
+ region = var.region
+ network_name = var.internal_network2_name
+}
+
+module "internal_network3_and_subnet" {
+ count = var.num_internal_networks < 3 ? 0 : 1
+ source = "../common/network-and-subnet"
+
+ prefix = "${var.prefix}-${random_string.random_string.result}"
+ type = "internal-network3"
+ network_cidr = var.internal_network3_cidr
+ private_ip_google_access = false
+ region = var.region
+ network_name = var.internal_network3_name
+}
+
+module "internal_network4_and_subnet" {
+ count = var.num_internal_networks < 4 ? 0 : 1
+ source = "../common/network-and-subnet"
+
+ prefix = "${var.prefix}-${random_string.random_string.result}"
+ type = "internal-network4"
+ network_cidr = var.internal_network4_cidr
+ private_ip_google_access = false
+ region = var.region
+ network_name = var.internal_network4_name
+}
+
+module "internal_network5_and_subnet" {
+ count = var.num_internal_networks < 5 ? 0 : 1
+ source = "../common/network-and-subnet"
+
+ prefix = "${var.prefix}-${random_string.random_string.result}"
+ type = "internal-network5"
+ network_cidr = var.internal_network5_cidr
+ private_ip_google_access = false
+ region = var.region
+ network_name = var.internal_network5_name
+}
+
+module "internal_network6_and_subnet" {
+ count = var.num_internal_networks < 6 ? 0 : 1
+ source = "../common/network-and-subnet"
+
+ prefix = "${var.prefix}-${random_string.random_string.result}"
+ type = "internal-network6"
+ network_cidr = var.internal_network6_cidr
+ private_ip_google_access = false
+ region = var.region
+ network_name = var.internal_network6_name
+}
+resource "google_compute_address" "primary_cluster_ip_ext_address" {
+ name = "${var.prefix}-primary-cluster-address-${random_string.random_string.result}"
+ region = var.region
+}
+resource "google_compute_address" "secondary_cluster_ip_ext_address" {
+ name = "${var.prefix}-secondary-cluster-address-${random_string.random_string.result}"
+ region = var.region
+}
+resource "random_string" "generated_password" {
+ length = 12
+ special = false
+}
+
+module "members_a_b" {
+ source = "../common/members-a-b"
+
+ prefix = "${var.prefix}-${random_string.random_string.result}"
+ region = var.region
+ zoneA = var.zoneA
+ zoneB = var.zoneB
+ machine_type = var.machine_type
+ disk_size = var.disk_size
+ disk_type = var.disk_type
+ image_name = "checkpoint-public/${var.image_name}"
+ cluster_network = local.create_cluster_network_condition ? module.cluster_network_and_subnet.new_created_network_link : module.cluster_network_and_subnet.existing_network_link
+ cluster_network_subnetwork = local.create_cluster_network_condition ? module.cluster_network_and_subnet.new_created_subnet_link : [var.cluster_network_subnetwork_name]
+ mgmt_network = local.create_mgmt_network_condition ? module.mgmt_network_and_subnet.new_created_network_link : module.mgmt_network_and_subnet.existing_network_link
+ mgmt_network_subnetwork = local.create_mgmt_network_condition ? module.mgmt_network_and_subnet.new_created_subnet_link : [var.mgmt_network_subnetwork_name]
+ num_internal_networks = var.num_internal_networks
+ internal_network1_network = local.create_internal_network1_condition ? module.internal_network1_and_subnet.new_created_network_link : [var.internal_network1_name]
+ internal_network1_subnetwork = local.create_internal_network1_condition ? module.internal_network1_and_subnet.new_created_subnet_link : [var.internal_network1_subnetwork_name]
+ internal_network2_network = var.num_internal_networks < 2 ? [] : local.create_internal_network2_condition ? module.internal_network2_and_subnet[0].new_created_network_link : [var.internal_network2_name]
+ internal_network2_subnetwork = var.num_internal_networks < 2 ? [] : local.create_internal_network2_condition ? module.internal_network2_and_subnet[0].new_created_subnet_link : [var.internal_network2_subnetwork_name]
+ internal_network3_network = var.num_internal_networks < 3 ? [] : local.create_internal_network3_condition ? module.internal_network3_and_subnet[0].new_created_network_link : [var.internal_network3_name]
+ internal_network3_subnetwork = var.num_internal_networks < 3 ? [] : local.create_internal_network3_condition ? module.internal_network3_and_subnet[0].new_created_subnet_link : [var.internal_network3_subnetwork_name]
+ internal_network4_network = var.num_internal_networks < 4 ? [] : local.create_internal_network4_condition ? module.internal_network4_and_subnet[0].new_created_network_link : [var.internal_network4_name]
+ internal_network4_subnetwork = var.num_internal_networks < 4 ? [] : local.create_internal_network4_condition ? module.internal_network4_and_subnet[0].new_created_subnet_link : [var.internal_network4_subnetwork_name]
+ internal_network5_network = var.num_internal_networks < 5 ? [] : local.create_internal_network5_condition ? module.internal_network5_and_subnet[0].new_created_network_link : [var.internal_network5_name]
+ internal_network5_subnetwork = var.num_internal_networks < 5 ? [] : local.create_internal_network5_condition ? module.internal_network5_and_subnet[0].new_created_subnet_link : [var.internal_network5_subnetwork_name]
+ internal_network6_network = var.num_internal_networks < 6 ? [] : local.create_internal_network6_condition ? module.internal_network6_and_subnet[0].new_created_network_link : [var.internal_network6_name]
+ internal_network6_subnetwork = var.num_internal_networks < 6 ? [] : local.create_internal_network6_condition ? module.internal_network6_and_subnet[0].new_created_subnet_link : [var.internal_network6_subnetwork_name]
+ admin_SSH_key = var.admin_SSH_key
+ generated_admin_password = var.generate_password ? random_string.generated_password.result : ""
+ project = var.project
+ generate_password = var.generate_password
+ sic_key = var.sic_key
+ allow_upload_download = var.allow_upload_download
+ enable_monitoring = var.enable_monitoring
+ admin_shell = var.admin_shell
+ management_network = var.management_network
+ primary_cluster_address_name = google_compute_address.primary_cluster_ip_ext_address.name
+ secondary_cluster_address_name = google_compute_address.secondary_cluster_ip_ext_address.name
+ smart_1_cloud_token_a = var.smart_1_cloud_token_a
+ smart_1_cloud_token_b = var.smart_1_cloud_token_b
+}
\ No newline at end of file
diff --git a/deprecated/terraform/gcp/R8040-R81/high-availability/output.tf b/deprecated/terraform/gcp/R8040-R81/high-availability/output.tf
new file mode 100644
index 00000000..12009d32
--- /dev/null
+++ b/deprecated/terraform/gcp/R8040-R81/high-availability/output.tf
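Review bot: `resource "random_string" "generated_password"` creates the administrator password with a resource whose `result` is not marked sensitive, so the value is printed in clear in plan and apply output wherever `random_string.generated_password.result` is referenced. The same provider ships `random_password`, which takes the same `length` and `special` arguments and marks its result sensitive; the change is `resource "random_password" "generated_password" {` plus updating the reference on the `generated_admin_password = ...` line to `random_password.generated_password.result`. The value is still stored in clear in the state file either way, so the state backend needs to be access-controlled like any other secret store.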
@@ -0,0 +1,117 @@
+output "cluster_new_created_network" {
+ value = module.cluster_network_and_subnet.new_created_network_name
+}
+output "cluster_new_created_subnet" {
+ value = module.cluster_network_and_subnet.new_created_subnet_name
+}
+
+output "mgmt_new_created_network" {
+ value = module.mgmt_network_and_subnet.new_created_network_name
+}
+output "mgmt_new_created_subnet" {
+ value = module.mgmt_network_and_subnet.new_created_subnet_name
+}
+
+output "int_network1_new_created_network" {
+ value = module.internal_network1_and_subnet.new_created_network_name
+}
+output "int_network1_new_created_subnet" {
+ value = module.internal_network1_and_subnet.new_created_subnet_name
+}
+
+output "int_network2_new_created_network" {
+ value = module.internal_network2_and_subnet[*].new_created_network_name
+}
+output "int_network2_new_created_subnet" {
+ value = module.internal_network2_and_subnet[*].new_created_subnet_name
+}
+
+output "int_network3_new_created_network" {
+ value = module.internal_network3_and_subnet[*].new_created_network_name
+}
+output "int_network3_new_created_subnet" {
+ value = module.internal_network3_and_subnet[*].new_created_subnet_name
+}
+
+output "int_network4_new_created_network" {
+ value = module.internal_network4_and_subnet[*].new_created_network_name
+}
+output "int_network4_new_created_subnet" {
+ value = module.internal_network4_and_subnet[*].new_created_subnet_name
+}
+
+output "int_network5_new_created_network" {
+ value = module.internal_network5_and_subnet[*].new_created_network_name
+}
+output "int_network5_new_created_subnet" {
+ value = module.internal_network5_and_subnet[*].new_created_subnet_name
+}
+
+output "int_network6_new_created_network" {
+ value = module.internal_network6_and_subnet[*].new_created_network_name
+}
+output "int_network6_new_created_subnet" {
+ value = module.internal_network6_and_subnet[*].new_created_subnet_name
+}
+
+output "cluster_ICMP_firewall_rule" {
+ value = module.cluster_ICMP_firewall_rules[*].firewall_rule_name
+}
+output "cluster_TCP_firewall_rule" {
+ value = module.cluster_TCP_firewall_rules[*].firewall_rule_name
+}
+output "cluster_UDP_firewall_rule" {
+ value = module.cluster_UDP_firewall_rules[*].firewall_rule_name
+}
+output "cluster_SCTP_firewall_rule" {
+ value = module.cluster_SCTP_firewall_rules[*].firewall_rule_name
+}
+output "cluster_ESP_firewall_rule" {
+ value = module.cluster_ESP_firewall_rules[*].firewall_rule_name
+}
+
+output "mgmt_ICMP_firewall_rule" {
+ value = module.mgmt_ICMP_firewall_rules[*].firewall_rule_name
+}
+output "mgmt_TCP_firewall_rule" {
+ value = module.mgmt_TCP_firewall_rules[*].firewall_rule_name
+}
+output "mgmt_UDP_firewall_rule" {
+ value = module.mgmt_UDP_firewall_rules[*].firewall_rule_name
+}
+output "mgmt_SCTP_firewall_rule" {
+ value = module.mgmt_SCTP_firewall_rules[*].firewall_rule_name
+}
+output "mgmt_ESP_firewall_rule" {
+ value = module.mgmt_ESP_firewall_rules[*].firewall_rule_name
+}
+
+output "cluster_ip_external_address" {
+ value = google_compute_address.primary_cluster_ip_ext_address.address
+}
+output "admin_password" {
+ value = var.generate_password ? [random_string.generated_password.result] : []
+}
+output "sic_key" {
+ value = var.sic_key
+}
+
+output "member_a_name" {
+ value = module.members_a_b.member_a_name
+}
+output "member_a_external_ip" {
+ value = module.members_a_b.member_a_external_ip
+}
+output "member_a_zone" {
+ value = var.zoneA
+}
+
+output "member_b_name" {
+ value = module.members_a_b.member_b_name
+}
+output "member_b_external_ip" {
+ value = module.members_a_b.member_b_external_ip
+}
+output "member_b_zone" {
+ value = var.zoneB
+}
\ No newline at end of file
diff --git a/deprecated/terraform/gcp/R8040-R81/high-availability/terraform.tfvars b/deprecated/terraform/gcp/R8040-R81/high-availability/terraform.tfvars
new file mode 100644
index 00000000..f888479f
--- /dev/null
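Review bot: `output "admin_password"` and `output "sic_key"` return secrets without `sensitive = true`, so both are echoed at the end of every `terraform apply` and by a plain `terraform output`, which routinely ends up in CI logs. Adding `sensitive = true` inside each of the two blocks hides them from the default console output while keeping them retrievable on request (`terraform output -json`). Both values remain in clear in the state file regardless, so the state needs the same protection as the secrets themselves.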
+++ b/deprecated/terraform/gcp/R8040-R81/high-availability/terraform.tfvars 
@@ -0,0 +1,53 @@
+# --- Google Provider ---
+service_account_path = "PLEASE ENTER SERVICE ACCOUNT PATH" # "service-accounts/service-account-file-name.json"
+project = "PLEASE ENTER PROJECT ID" # "project-id"
+
+# --- Check Point Deployment ---
+prefix = "PLEASE ENTER PREFIX" # "chkp-tf-ha"
+license = "PLEASE ENTER LICENSE" # "BYOL"
+image_name = "PLEASE ENTER IMAGE NAME" # "check-point-r8110-gw-byol-cluster-335-985-v20220126"
+
+# --- Instances Configuration ---
+region = "PLEASE ENTER REGION" # "us-central1"
+zoneA = "PLEASE ENTER ZONE A" # "us-central1-a"
+zoneB = "PLEASE ENTER ZONE B" # "us-central1-a"
+machine_type = "PLEASE ENTER MACHINE TYPE" # "n1-standard-4"
+disk_type = "PLEASE ENTER DISK TYPE" # "SSD Persistent Disk"
+disk_size = "PLEASE ENTER DISK SIZE" # 100
+admin_SSH_key = "PLEASE ENTER ADMIN SSH KEY" # "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key"
+enable_monitoring = "PLEASE ENTER true OR false" # false
+
+# --- Check Point ---
+management_network = "PLEASE ENTER MANAGEMENT IP OR S1C IF USING SMART-1 CLOUD MANAGEMENT" # "209.87.209.100/32"
+sic_key = "PLEASE ENTER A SIC KEY" # "aaaaaaaa"
+generate_password = "PLEASE ENTER true or false" # false
+allow_upload_download = "PLEASE ENTER true OR false" # true
+admin_shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh"
+
+# --- Quick connect to Smart-1 Cloud ---
+smart_1_cloud_token_a = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL" # ""
+smart_1_cloud_token_b = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL" # ""
+
+# --- Networking ---
+cluster_network_cidr = "PLEASE ENTER CLUSTER NETWORK CIDR" # "10.0.1.0/24"
+cluster_network_name = "PLEASE ENTER CLUSTER NETWORK ID" # "cluster-network"
+cluster_network_subnetwork_name = "PLEASE ENTER CLUSTER SUBNETWORK ID" # "cluster-subnetwork"
+cluster_ICMP_traffic = "PLEASE ENTER ICMP SOURCE IP RANGES" # ["123.123.0.0/24", "234.234.0.0/24"]
+cluster_TCP_traffic = "PLEASE ENTER TCP SOURCE IP RANGES" # ["0.0.0.0/0"]
+cluster_UDP_traffic = "PLEASE ENTER UDP SOURCE IP RANGES" # []
+cluster_SCTP_traffic = "PLEASE ENTER SCTP SOURCE IP RANGES" # []
+cluster_ESP_traffic = "PLEASE ENTER ESP SOURCE IP RANGES" # []
+mgmt_network_cidr = "PLEASE ENTER MANAGEMENT NETWORK CIDR" # ""
+mgmt_network_name = "PLEASE ENTER MANAGEMENT NETWORK ID" # "mgmt-network"
+mgmt_network_subnetwork_name = "PLEASE ENTER MANAGEMENT SUBNETWORK ID" # "mgmt-subnetwork"
+mgmt_ICMP_traffic = "PLEASE ENTER ICMP SOURCE IP RANGES" # ["123.123.0.0/24", "234.234.0.0/24"]
+mgmt_TCP_traffic = "PLEASE ENTER TCP SOURCE IP RANGES" # ["0.0.0.0/0"]
+mgmt_UDP_traffic = "PLEASE ENTER UDP SOURCE IP RANGES" # []
+mgmt_SCTP_traffic = "PLEASE ENTER SCTP SOURCE IP RANGES" # []
+mgmt_ESP_traffic = "PLEASE ENTER ESP SOURCE IP RANGES" # []
+num_internal_networks = "PLEASE ENTER A NUMBER OF ADDITIONAL NICS" # 1
+internal_network1_cidr = "PLEASE ENTER 1ST INTERNAL NETWORK CIDR" # "10.0.3.0/24"
+internal_network1_name = "PLEASE ENTER 1ST INTERNAL NETWORK ID" # ""
+internal_network1_subnetwork_name = "PLEASE ENTER INTERNAL SUBNETWORK ID" # ""
+
+#Define internal NICs networks and subnetworks according the defined num_internal_networks value
diff --git a/deprecated/terraform/gcp/R8040-R81/high-availability/variables.tf b/deprecated/terraform/gcp/R8040-R81/high-availability/variables.tf
new file mode 100644
index 00000000..a7bede31
--- /dev/null
+++ b/deprecated/terraform/gcp/R8040-R81/high-availability/variables.tf
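Review bot: the example comment `# ["0.0.0.0/0"]` on the `mgmt_TCP_traffic` line steers a copy-paste user towards a TCP rule on the management network that is open to the entire internet, and the `mgmt_TCP_traffic` description in the variables.tf hunk lists 22, 443 and the Check Point management ports among what that rule admits. A narrower sample would be safer guidance, e.g. `mgmt_TCP_traffic = "PLEASE ENTER TCP SOURCE IP RANGES" # ["<admin-cidr>/32"]`; the identical example on `cluster_TCP_traffic` may be intentional for a gateway's external interface, but deserves the same second look. The sample `# "aaaaaaaa"` on the `sic_key` line satisfies the `^([a-z0-9A-Z]{8,30})$` check in the preceding locals hunk but is a poor one-time secret to present as the model value.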
@@ -0,0 +1,302 @@
+# Check Point CloudGuard IaaS High Availability - Terraform Template
+
+# --- Google Provider ---
+variable "service_account_path" {
+ type = string
+ description = "User service account path in JSON format - From the service account key page in the Cloud Console choose an existing account or create a new one. Next, download the JSON key file. Name it something you can remember, store it somewhere secure on your machine, and supply the path to the location is stored."
+ default = ""
+}
+variable "project" {
+ type = string
+ description = "Personal project id. The project indicates the default GCP project all of your resources will be created in."
+ default = ""
+}
+
+# --- Check Point Deployment ---
+variable "prefix" {
+ type = string
+ description = "(Optional) Resources name prefix"
+ default = "chkp-tf-ha"
+}
+variable "license" {
+ type = string
+ description = "Checkpoint license (BYOL or PAYG)."
+ default = "BYOL"
+}
+variable "image_name" {
+ type = string
+ description = "The High Availability (cluster) image name (e.g. check-point-r8110-gw-byol-cluster-335-985-v20220126). You can choose the desired cluster image value from: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/ha-byol/images.py"
+}
+
+# --- Instances Configuration ---
+data "google_compute_regions" "available_regions" {
+}
+variable "region" {
+ type = string
+ default = "us-central1"
+}
+variable "zoneA" {
+ type = string
+ description = "Member A Zone. The zone determines what computing resources are available and where your data is stored and used."
+ default = "us-central1-a"
+}
+variable "zoneB" {
+ type = string
+ description = "Member B Zone."
+ default = "us-central1-a"
+}
+variable "machine_type" {
+ type = string
+ description = "Machine types determine the specifications of your machines, such as the amount of memory, virtual cores, and persistent disk limits an instance will have."
+ default = "n1-standard-4"
+}
+variable "disk_type" {
+ type = string
+ description = "Storage space is much less expensive for a standard Persistent Disk. An SSD Persistent Disk is better for random IOPS or streaming throughput with low latency."
+ default = "SSD Persistent Disk"
+}
+variable "disk_size" {
+ type = number
+ description = "Disk size in GB - Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space."
+ default = 100
+}
+variable "admin_SSH_key" {
+ type = string
+ description = "(Optional) The SSH public key for SSH authentication to the MIG instances. Leave this field blank to use all project-wide pre-configured SSH keys."
+ default = ""
+}
+variable "enable_monitoring" {
+ type = bool
+ description = "Enable Stackdriver monitoring"
+ default = false
+}
+
+# --- Check Point ---
+variable "management_network" {
+ type = string
+ description = "Security Management Server address - The public address of the Security Management Server, in CIDR notation. If using Smart-1 Cloud management, insert 'S1C'. VPN peers addresses cannot be in this CIDR block, so this value cannot be the zero-address."
+ validation {
+ condition = var.management_network != "0.0.0.0/0"
+ error_message = "Var.management_network value cannot be the zero-address."
+ }
+}
+resource "null_resource" "validate_mgmt_network_if_required" {
+ count = var.smart_1_cloud_token_a == "" && var.management_network == "S1C" ? "Public address of the Security Management Server is required" : 0
+}
+variable "sic_key" {
+ type = string
+ description = "The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server. At least 8 alpha numeric characters. If SIC is not provided and needed, a key will be automatically generated"
+}
+variable "generate_password" {
+ type = bool
+ description = "Automatically generate an administrator password."
+ default = false
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Allow download from/upload to Check Point."
+ default = false
+}
+variable "admin_shell" {
+ type = string
+ description = "Change the admin shell to enable advanced command line configuration."
+ default = "/etc/cli.sh"
+}
+# --- Quick connect to Smart-1 Cloud ---
+variable "smart_1_cloud_token_a" {
+ type = string
+ description ="(Optional) Smart-1 cloud token for member A to connect this Gateway to Check Point's Security Management as a Service"
+ default = ""
+}
+variable "smart_1_cloud_token_b" {
+ type = string
+ description ="(Optional) Smart-1 cloud token for member B to connect this Gateway to Check Point's Security Management as a Service"
+ default = ""
+}
+
+resource "null_resource" "validate_both_tokens" {
+ count = (var.smart_1_cloud_token_a != "" && var.smart_1_cloud_token_b != "") || (var.smart_1_cloud_token_a == "" && var.smart_1_cloud_token_b == "") ? 0 : "To connect to Smart-1 Cloud, you must provide two tokens (one per member)"
+}
+resource "null_resource" "validate_different_tokens" {
+ count = var.smart_1_cloud_token_a != "" && var.smart_1_cloud_token_a == var.smart_1_cloud_token_b ? "To connect to Smart-1 Cloud, you must provide two different tokens" : 0
+}
+# --- Networking ---
+variable "cluster_network_cidr" {
+ type = string
+ description = "Cluster external subnet CIDR. If the variable's value is not empty double quotes, a new network will be created. The Cluster public IP will be translated to a private address assigned to the active member in this external network."
+ default = "10.0.0.0/24"
+}
+variable "cluster_network_name" {
+ type = string
+ description = "Cluster external network ID in the chosen zone. The network determines what network traffic the instance can access.If you have specified a CIDR block at var.cluster_network_cidr, this network name will not be used."
+ default = ""
+}
+variable "cluster_network_subnetwork_name" {
+ type = string
+ description = "Cluster subnet ID in the chosen network. Assigns the instance an IPv4 address from the subnetwork’s range. If you have specified a CIDR block at var.cluster_network_cidr, this subnetwork will not be used. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network."
+ default = ""
+}
+variable "cluster_ICMP_traffic" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for ICMP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. Please leave empty list to unable ICMP traffic."
+ default = []
+}
+variable "cluster_TCP_traffic" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for TCP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. Please leave empty list to unable TCP traffic."
+ default = []
+}
+variable "cluster_UDP_traffic" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for UDP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. Please leave empty list to unable UDP traffic."
+ default = []
+}
+variable "cluster_SCTP_traffic" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for SCTP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. Please leave empty list to unable SCTP traffic."
+ default = []
+}
+variable "cluster_ESP_traffic" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for ESP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. Please leave empty list to unable ESP traffic."
+ default = []
+}
+variable "mgmt_network_cidr" {
+ type = string
+ description = "Management external subnet CIDR. If the variable's value is not empty double quotes, a new network will be created. The public IP used to manage each member will be translated to a private address in this external network"
+ default = "10.0.1.0/24"
+}
+variable "mgmt_network_name" {
+ type = string
+ description = "Management network ID in the chosen zone. The network determines what network traffic the instance can access. If you have specified a CIDR block at var.mgmt_network_cidr, this network name will not be used. "
+ default = ""
+}
+variable "mgmt_network_subnetwork_name" {
+ type = string
+ description = "Management subnet ID in the chosen network. Assigns the instance an IPv4 address from the subnetwork’s range. If you have specified a CIDR block at var.mgmt_network_cidr, this subnetwork will not be used. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network."
+ default = ""
+}
+variable "mgmt_ICMP_traffic" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for ICMP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009. Please leave empty list to unable ICMP traffic."
+ default = []
+}
+variable "mgmt_TCP_traffic" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for TCP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009. Please leave empty list to unable TCP traffic."
+ default = []
+}
+variable "mgmt_UDP_traffic" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for UDP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009. Please leave empty list to unable UDP traffic."
+ default = []
+}
+variable "mgmt_SCTP_traffic" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for SCTP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009. Please leave empty list to unable SCTP traffic."
+ default = []
+}
+variable "mgmt_ESP_traffic" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for ESP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009. Please leave empty list to unable ESP traffic."
+ default = []
+}
+variable "num_internal_networks" {
+ type = number
+ description = "A number in the range 1 - 6 of internal network interfaces."
+ default = 1
+}
+resource "null_resource" "num_internal_networks_validation" {
+ // Will fail if var.num_internal_networks is less than 1 or more than 6
+ count = var.num_internal_networks >= 1 && var.num_internal_networks <= 6 ? 0 : "variable num_internal_networks must be a number between 1 and 6. Multiple network interfaces deployment is described in: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk121637"
+}
+variable "internal_network1_cidr" {
+ type = string
+ description = "1st internal subnet CIDR. If the variable's value is not empty double quotes, a new subnet will be created. Assigns the cluster members an IPv4 address in this internal network."
+ default = "10.0.2.0/24"
+}
+variable "internal_network1_name" {
+ type = string
+ description = "1st internal network ID in the chosen zone. The network determines what network traffic the instance can access. If you have specified a CIDR block at var.internal_network1_cidr, this network name will not be used. "
+ default = ""
+}
+variable "internal_network1_subnetwork_name" {
+ type = string
+ description = "1st internal subnet ID in the chosen network. Assigns the instance an IPv4 address from the subnetwork’s range. If you have specified a CIDR block at var.internal_network1_cidr, this subnetwork will not be used. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network."
+ default = ""
+}
+variable "internal_network2_cidr" {
+ type = string
+ description = "Used only if var.num_internal_networks is 2 or and above - 2nd internal subnet CIDR. If the variable's value is not empty double quotes, a new subnet will be created. Assigns the cluster members an IPv4 address in this internal network."
+ default = ""
+}
+variable "internal_network2_name" {
+ type = string
+ description = "Used only if var.num_internal_networks is 2 or and above - 2nd internal network ID in the chosen zone. The network determines what network traffic the instance can access. If you have specified a CIDR block at var.internal_network2_cidr, this network name will not be used. "
+ default = ""
+}
+variable "internal_network2_subnetwork_name" {
+ type = string
+ description = "Used only if var.num_internal_networks is 2 or and above - 2nd internal subnet ID in the chosen network. Assigns the instance an IPv4 address from the subnetwork’s range. If you have specified a CIDR block at var.internal_network2_cidr, this subnetwork will not be used. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network."
+ default = ""
+}
+variable "internal_network3_cidr" {
+ type = string
+ description = "Used only if var.num_internal_networks is 3 or and above - 3rd internal subnet CIDR. If the variable's value is not empty double quotes, a new subnet will be created. Assigns the cluster members an IPv4 address in this internal network."
+ default = ""
+}
+variable "internal_network3_name" {
+ type = string
+ description = "Used only if var.num_internal_networks is 3 or and above - 3rd internal network ID in the chosen zone. The network determines what network traffic the instance can access. If you have specified a CIDR block at var.internal_network3_cidr, this network name will not be used. "
+ default = ""
+}
+variable "internal_network3_subnetwork_name" {
+ type = string
+ description = "Used only if var.num_internal_networks is 3 or and above - 3rd internal subnet ID in the chosen network. Assigns the instance an IPv4 address from the subnetwork’s range. If you have specified a CIDR block at var.internal_network3_cidr, this subnetwork will not be used. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network."
+ default = ""
+}
+variable "internal_network4_cidr" {
+ type = string
+ description = "Used only if var.num_internal_networks is 4 or and above - 4th internal subnet CIDR. If the variable's value is not empty double quotes, a new subnet will be created. Assigns the cluster members an IPv4 address in this internal network."
+ default = ""
+}
+variable "internal_network4_name" {
+ type = string
+ description = "Used only if var.num_internal_networks is 4 or and above - 4th internal network ID in the chosen zone. The network determines what network traffic the instance can access. If you have specified a CIDR block at var.internal_network4_cidr, this network name will not be used. "
+ default = ""
+}
+variable "internal_network4_subnetwork_name" {
+ type = string
+ description = "Used only if var.num_internal_networks is 4 or and above - 4th internal subnet ID in the chosen network. Assigns the instance an IPv4 address from the subnetwork’s range. If you have specified a CIDR block at var.internal_network4_cidr, this subnetwork will not be used. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network."
+ default = ""
+}
+variable "internal_network5_cidr" {
+ type = string
+ description = "Used only if var.num_internal_networks is 5 or and above - 5th internal subnet CIDR. If the variable's value is not empty double quotes, a new subnet will be created. Assigns the cluster members an IPv4 address in this internal network."
+ default = ""
+}
+variable "internal_network5_name" {
+ type = string
+ description = "Used only if var.num_internal_networks is 5 or and above - 5th internal network ID in the chosen zone. The network determines what network traffic the instance can access. If you have specified a CIDR block at var.internal_network5_cidr, this network name will not be used. "
+ default = ""
+}
+variable "internal_network5_subnetwork_name" {
+ type = string
+ description = "Used only if var.num_internal_networks is 5 or and above - 5th internal subnet ID in the chosen network. Assigns the instance an IPv4 address from the subnetwork’s range. If you have specified a CIDR block at var.internal_network5_cidr, this subnetwork will not be used. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network."
+ default = ""
+}
+variable "internal_network6_cidr" {
+ type = string
+ description = "Used only if var.num_internal_networks equals 6 - 6th internal subnet CIDR. 
If the variable's value is not empty double quotes, a new subnet will be created. Assigns the cluster members an IPv4 address in this internal network." + default = "" +} +variable "internal_network6_name" { + type = string + description = "Used only if var.num_internal_networks equals 6 - 6th internal network ID in the chosen zone. The network determines what network traffic the instance can access. If you have specified a CIDR block at var.internal_network6_cidr, this network name will not be used. " + default = "" +} +variable "internal_network6_subnetwork_name" { + type = string + description = "Used only if var.num_internal_networks equals 6 - 6th internal subnet ID in the chosen network. Assigns the instance an IPv4 address from the subnetwork’s range. If you have specified a CIDR block at var.internal_network6_cidr, this subnetwork will not be used. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network." + default = "" +} \ No newline at end of file diff --git a/deprecated/terraform/gcp/R8040-R81/single-into-existing-vpc/README.md b/deprecated/terraform/gcp/R8040-R81/single-into-existing-vpc/README.md new file mode 100644 index 00000000..a3213acb --- /dev/null +++ b/deprecated/terraform/gcp/R8040-R81/single-into-existing-vpc/README.md 
@@ -0,0 +1,275 @@ +# Check Point single gateway and management Terraform module for GCP + +Terraform module which deploys a single gateway and management of Check Point Security Gateways. + +These types of Terraform resources are supported: + [Instance Template](https://www.terraform.io/docs/providers/google/r/compute_instance_template.html) + [Firewall](https://www.terraform.io/docs/providers/google/r/compute_firewall.html) - conditional creation + [Instance Group Manager](https://www.terraform.io/docs/providers/google/r/compute_region_instance_group_manager.html) + [Compute instance](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance) + + +See Check Point's documentation for Single [here](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk114577) + +Terraform is controlled via a very easy to use command-line interface (CLI). Terraform is only a single command-line application: terraform. + +## Before you begin +1. Create a project in the [Google Cloud Console](https://console.cloud.google.com/) and set up billing on that project. +2. [Install Terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli) and read the Terraform getting started guide that follows. This guide will assume basic proficiency with Terraform - it is an introduction to the Google provider. + +## Configuring the Provider +The main.tf file includes the following provider configuration block used to configure the credentials you use to authenticate with GCP, as well as a default project and location for your resources: +``` +provider "google" { + credentials = file(var.service_account_path) + project = var.project +} +... +``` + +1. [Create a Service Account](https://cloud.google.com/docs/authentication/getting-started) (or use the existing one). Next, download the JSON key file. Name it something you can remember and store it somewhere secure on your machine.
+2. Select "Editor" Role or verify you have the following permissions: + ``` + compute.addresses.get + compute.addresses.use + compute.addresses.create + compute.disks.create + compute.disks.delete + compute.firewalls.create + compute.firewalls.delete + compute.firewalls.get + compute.images.get + compute.images.useReadOnly + compute.images.getFromFamily + compute.instanceTemplates.create + compute.instanceTemplates.delete + compute.instanceTemplates.get + compute.instanceTemplates.useReadOnly + compute.instances.addAccessConfig + compute.instances.create + compute.instances.delete + compute.instances.get + compute.instances.setMetadata + compute.instances.setTags + compute.instances.setLabels + compute.networks.get + compute.networks.updatePolicy + compute.regions.list + compute.subnetworks.get + compute.subnetworks.use + compute.subnetworks.useExternalIp + compute.zones.get + iam.serviceAccountKeys.get + iam.serviceAccountKeys.list + iam.serviceAccounts.actAs + iam.serviceAccounts.get + iam.serviceAccounts.list + iam.serviceAccounts.set + ``` +3. ```credentials``` - Your service account key file is used to complete a two-legged OAuth 2.0 flow to obtain access tokens to authenticate with the GCP API as needed; Terraform will use it to reauthenticate automatically when tokens expire.
+The provider credentials can be provided either as static credentials or as [Environment Variables](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#credentials-1). + - Static credentials can be provided by adding the path to your service-account json file, project-id and region in /gcp/modules/single/terraform.tfvars file as follows: + ``` + service_account_path = "service-accounts/service-account-file-name.json" + project = "project-id" + ``` + - In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in the main.tf file, in the provider google resource, need to be deleted or commented: + ``` + provider "google" { + // credentials = file(var.service_account_path) + // project = var.project + + } + ``` + b.In the terraform.tfvars file leave empty double quotes for credentials and project variables: + ``` + service_account_path = "" + project = "" + ``` +## Usage +- Fill all variables in the /gcp/single/terraform.tfvars file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +#### Variables are configured in single/terraform.tfvars file as follows: +``` +# --- Google Provider --- +service_account_path = "service-accounts/service-account-file-name.json" +project = "project-id" + +# --- Check Point--- +image_name = "check-point-r8110-gw-byol-single-335-985-v20220126" +installationType = "Gateway only" +license = "BYOL" +prefix = "chkp-single-tf-" +management_nic = "Ephemeral Public IP (eth0)" +admin_shell = "/etc/cli.sh" +admin_SSH_key = "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" +generatePassword = false +allow_upload_download = true +sicKey = "" +managementGUIClientNetwork = "0.0.0.0/0" + +#--- Quick connect to Smart-1 Cloud --- +smart_1_cloud_token = "xxxxxxxxxxxxxxxxxxxxxxxx" + +# --- Networking --- +zone = "us-central1-a +network = ["default"] +subnetwork = ["default"] +network_enableTcp= true +network_tcpSourceRanges= ["0.0.0.0/0"] +network_enableGwNetwork= false +network_gwNetworkSourceRanges= [""] +network_enableIcmp= false +network_icmpSourceRanges = [""] +network_enableUdp= false +network_udpSourceRanges= [""] +network_enableSctp= false +network_sctpSourceRanges= [""] +network_enableEsp= false +network_espSourceRanges= [""] +numAdditionalNICs= 1 +externalIP= "static" 
+internal_network1_network= [""] +internal_network1_subnetwork = [""] + +# --- Instance Configuration --- +machine_type = "n1-standard-4" +diskType = "SSD Persistent Disk" +bootDiskSizeGb = 100 +enableMonitoring = false + +``` + +- To tear down your resources: + ``` + terraform destroy + ``` + +## Conditional creation +To create Firewall and allow traffic for ICMP, TCP, UDP, SCTP or/and ESP - enter list of Source IP ranges. +``` +ICMP_traffic = ["123.123.0.0/24", "234.234.0.0/24"] +TCP_traffic = ["0.0.0.0/0"] +UDP_traffic = ["0.0.0.0/0"] +SCTP_traffic = ["0.0.0.0/0"] +ESP_traffic = ["0.0.0.0/0"] +``` +Please leave empty list for a protocol if you want to disable traffic for it. + +## Inputs +| Name | Description | Type | Allowed values |Default| Required | +| ------------- | ------------- | ------------- | ------------- |-------|---------------| +| service_account_path | User service account path in JSON format - From the service account key page in the Cloud Console choose an existing account or create a new one. Next, download the JSON key file. Name it something you can remember, store it somewhere secure on your machine, and supply the path to the location is stored. (e.g. "service-accounts/service-account-name.json") | string | N/A | "" | yes | +| | | | | | +| project | Personal project id. The project indicates the default GCP project all of your resources will be created in. | string | N/A | "" | yes | +| | | | | | +| zone | The zone determines what computing resources are available and where your data is stored and used | string | List of allowed [Regions and Zones](https://cloud.google.com/compute/docs/regions-zones?_ga=2.31926582.-962483654.1585043745) |us-central1-a|yes| +| | | | | | +| image_name |The single gateway or management image name (e.g. check-point-r8110-gw-byol-single-335-985-v20220126 for gateway or check-point-r8110-byol-335-883-v20210706 for management). 
You can choose the desired gateway image value from [Github](https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/single-byol/images.py).| string | N/A | N/A | yes | +| | | | | | +| installationType | Installation type and version | string |Gateway only;
Management only;
Manual Configuration
Gateway and Management (Standalone) |Gateway only|yes| +| | | | | | +| license | Checkpoint license (BYOL or PAYG).|string|BYOL;
PAYG;|BYOL|yes| +| | | | | | +| prefix | (Optional) Resources name prefix|string|N\A|chkp-single-tf-|no| +| | | | | | +| machineType | Machine types determine the specifications of your machines, such as the amount of memory, virtual cores, and persistent disk limits an instance will have | string | [Learn more about Machine Types](https://cloud.google.com/compute/docs/machine-types?hl=en_US&_ga=2.267871494.-962483654.1585043745) | n1-standard-4|no| +| | | | | | +| network | The network determines what network traffic the instance can access | list(string) | Available network in the chosen zone |N/A|yes| +| | | | | | +| Subnetwork | Assigns the instance an IPv4 address from the subnetwork’s range. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. | list(string) | Available subnetwork in the chosen network |N/A|yes| +| | | | | | +| network_enableTcp | Allow TCP traffic from the Internet | boolean | true;
false; |false|no| +| | | | | | +| network_tcpSourceRanges | Allow TCP traffic from the Internet | list(string) | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009 [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) |N/A|no| +| | | | | | +| network_enableGwNetwork | This is relevant for Management only. The network in which managed gateways reside | boolean | true;
false; |false|no| +| | | | | | +| network_gwNetworkSourceRanges | Allow TCP traffic from the Internet | list(string) | Enter a valid IPv4 network CIDR (e.g. 0.0.0.0/0) |N/A|no| +| | | | | | +| network_enableIcmp | Allow ICMP traffic from the Internet | boolean | true;
false; |false|no| +| | | | | | +| network_icmpSourceRanges | Source IP ranges for ICMP traffic | list(string) | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) |N/A|no| +| | | | | | +| network_enableUdp | Allow UDP traffic from the Internet | boolean | true;
false; |false|no| +| | | | | | +| network_udpSourceRanges | Source IP ranges for UDP traffic | list(string) | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) |N/A|no| +| | | | | | +| network_enableSctp | Allow SCTP traffic from the Internet | boolean | true;
false; |false|no| +| | | | | | +| network_sctpSourceRanges | Source IP ranges for SCTP traffic | list(string) | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) |N/A|no| +| | | | | | +| network_enableEsp | Allow ESP traffic from the Internet | boolean | true;
false; |false|no| +| | | | | | +| network_espSourceRanges | Source IP ranges for ESP traffic | list(string) | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) |N/A|no| +| | | | | | +| diskType | Disk type | string | SSD Persistent Disk;
standard-Persistent Disk;
Storage space is much less expensive for a standard persistent disk. An SSD persistent disk is better for random IOPS or streaming throughput with low latency. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.66020774.-962483654.1585043745#overview_of_disk_types)|SSD Persistent Disk|no| +| | | | | | +| bootDiskSizeGb | Disk size in GB | number | Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.232680471.-962483654.1585043745#pdperformance)|100|no| +| | | | | | +| generatePassword | Automatically generate an administrator password | boolean | true;
false; |false|no| +| | | | | | +| allowUploadDownload | Allow download from/upload to Check Point | boolean | true;
false; |false|no| +| | | | | | +| enableMonitoring | Enable Stackdriver monitoring | boolean | true;
false; |false|no| +| | | | | | +| admin_shell | Change the admin shell to enable advanced command line configuration. | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh;
|/etc/cli.sh|no| +| | | | | | +| admin_SSH_key | Public SSH key for the user 'admin' - The SSH public key for SSH authentication to the instances. Leave this field blank to use all project-wide pre-configured SSH keys. | string | A valid public ssh key | "" | no | +| | | | | | +| sicKey | The Secure Internal Communication one time secret used to set up trust between the single gateway object and the management server | string | At least 8 alpha numeric characters.
If SIC is not provided and needed, a key will be automatically generated |""|no| +| | | | | | +| managementGUIClientNetwork | Allowed GUI clients | string | A valid IPv4 network CIDR (e.g. 0.0.0.0/0) |0.0.0.0/0|no| +| | | | | | +| smart_1_cloud_token | Smart-1 Cloud token to connect this gateway to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal.| +| | | | | | +| numAdditionalNICs | Number of additional network interfaces | number | A number in the range 0 - 8.
Multiple network interfaces deployment is described in [sk121637 - Deploy a CloudGuard for GCP with Multiple Network Interfaces](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk121637) |0|no| +| | | | | | +| externalIP | External IP address type | string | Static;
Ephemeral;
An external IP address associated with this instance. Selecting "None" will result in the instance having no external internet access. [Learn more](https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address?_ga=2.259654658.-962483654.1585043745) |static|no| +| | | | | | +| management_nic | Management Interface - Security Gateways in GCP can be managed by an ephemeral public IP or using the private IP of the internal interface (eth1). | string | Ephemeral Public IP (eth0)
- Private IP (eth1) |XEphemeral Public IP (eth0)|no| +| | | | | | + +## Outputs +| Name | Description | +| ------------- | ------------- | +| SIC_key | Secure Internal Communication (SIC) initiation key. | +| ICMP_firewall_rules_name | If enable - the ICMP firewall rules name, otherwise, an empty list. | +| TCP_firewall_rules_name | If enable - the TCP firewall rules name, otherwise, an empty list. | +| UDP_firewall_rules_name | If enable - the UDP firewall rules name, otherwise, an empty list. | +| SCTP_firewall_rules_name | If enable - the SCTP firewall rules name, otherwise, an empty list. | +| ESP_firewall_rules_name | If enable - the ESP firewall rules name, otherwise, an empty list. | + +## Revision History +In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +| ---------------- | ------------- | +| 20230209 | Added Smart-1 Cloud support. | +| | | | +| 20230109 | Updated startup script to use cloud-config. | +| | | | +| 20201208 | First release of Check Point Check Point CloudGuard IaaS High Availability Terraform solution on GCP. | +| | | | +| | Addition of "template_type" parameter to "cloud-version" files. | +| | | | + +## Authors + + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../../LICENSE) file for details diff --git a/deprecated/terraform/gcp/R8040-R81/single-into-existing-vpc/locals.tf b/deprecated/terraform/gcp/R8040-R81/single-into-existing-vpc/locals.tf new file mode 100644 index 00000000..39527714 --- /dev/null +++ b/deprecated/terraform/gcp/R8040-R81/single-into-existing-vpc/locals.tf 
@@ -0,0 +1,55 @@
+locals {
+ license_allowed_values = [
+ "BYOL",
+ "PAYG"]
+ // will fail if [var.license] is invalid:
+ validate_license = index(local.license_allowed_values, upper(var.license))
+
+ installation_type_allowed_values = [
+ "Gateway only",
+ "Management only",
+ "Standalone",
+ "Manual Configuration"
+ ]
+ // Will fail if the installation type is none of the above
+ validate_installation_type = index(local.installation_type_allowed_values, var.installationType)
+
+ regex_valid_sicKey = "^([a-z0-9A-Z]{8,30})$"
+ // Will fail if var.sicKey is invalid
+ regex_sicKey = regex(local.regex_valid_sicKey, var.sicKey) == var.sicKey ? 0 : "Variable [sicKey] must be at least 8 alphanumeric characters."
+
+ regex_validate_mgmt_image_name = "check-point-r8[0-1][1-4]0-(byol|payg)-[0-9]{3}-([0-9]{3,}|[a-z]+)-v[0-9]{8,}"
+ regex_validate_single_image_name = "check-point-r8[0-1][1-4]0-gw-(byol|payg)-single-[0-9]{3}-([0-9]{3,}|[a-z]+)-v[0-9]{8,}"
+ // will fail if the image name is not in the right syntax
+ validate_image_name = var.installationType != "Gateway only" && length(regexall(local.regex_validate_mgmt_image_name, var.image_name)) > 0 ? 0 : (var.installationType == "Gateway only" && length(regexall(local.regex_validate_single_image_name, var.image_name)) > 0 ? 0 : index(split("-", var.image_name), "INVALID IMAGE NAME"))
+ regex_valid_admin_SSH_key = "^(^$|ssh-rsa AAAA[0-9A-Za-z+/]+[=]{0,3})"
+ // Will fail if var.admin_SSH_key is invalid
+ regex_admin_SSH_key = regex(local.regex_valid_admin_SSH_key, var.admin_SSH_key) == var.admin_SSH_key ? 0 : "Please enter a valid SSH public key or leave empty"
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"]
+ // Will fail if var.admin_shell is invalid
+ validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell)
+ disk_type_allowed_values = [
+ "SSD Persistent Disk",
+ "Balanced Persistent Disk",
+ "Standard Persistent Disk"]
+ // Will fail if var.disk_type is invalid
+ validate_disk_type = index(local.disk_type_allowed_values, var.diskType)
+ adminPasswordSourceMetadata = var.generatePassword ?random_string.generated_password.result : ""
+ disk_type_condition = var.diskType == "SSD Persistent Disk" ? "pd-ssd" : var.diskType == "Balanced Persistent Disk" ? "pd-balanced" : var.diskType == "Standard Persistent Disk" ? "pd-standard" : ""
+ admin_SSH_key_condition = var.admin_SSH_key != "" ? true : false
+ ICMP_traffic_condition = length(var.network_icmpSourceRanges ) == 0 ? 0 : 1
+ TCP_traffic_condition = length(var.network_tcpSourceRanges) == 0 ? 0 : 1
+ UDP_traffic_condition = length(var.network_udpSourceRanges ) == 0 ? 0 : 1
+ SCTP_traffic_condition = length(var.network_sctpSourceRanges) == 0 ? 0 : 1
+ ESP_traffic_condition = length(var.network_espSourceRanges) == 0 ? 0 : 1
+ // Will fail if management_only and payg
+ is_management_only = var.installationType == "Management only"
+ is_license_payg = var.license == "PAYG"
+ validation_message = "Cannot use 'Management only' installation type with 'PAYG' license."
+ _= regex("^$",local.is_management_only && local.is_license_payg ? local.validation_message : "")
+
+}
diff --git a/deprecated/terraform/gcp/R8040-R81/single-into-existing-vpc/main.tf b/deprecated/terraform/gcp/R8040-R81/single-into-existing-vpc/main.tf
new file mode 100644
index 00000000..aeab8b93
--- /dev/null
+++ b/deprecated/terraform/gcp/R8040-R81/single-into-existing-vpc/main.tf
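Review bot: `regex_sicKey` rejects the empty `sicKey` value that the README and its tfvars example present as the default, because `regex()` errors on a non-match before the conditional is evaluated; the message string in that local is therefore never shown and a blank key produces a raw regex error. Both this pattern and `regex_valid_admin_SSH_key` also wrap their body in a capture group, so on a match `regex()` returns a list that can never equal the input string — the conditional always yields the message string, which nothing in the module reads, so partial matches (for example an SSH key with the trailing comment shown in the README) pass silently. If a blank SIC key is intended to be valid, mirror the SSH pattern with `regex_valid_sicKey = "^(^$|[a-z0-9A-Z]{8,30})$"`, and consider moving both checks into variable `validation` blocks using `can(regex(...))` so the messages actually reach the user.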
@@ -0,0 +1,218 @@
+provider "google" {
+ credentials = file(var.service_account_path)
+ project = var.project
+ zone = var.zone
+}
+
+resource "random_string" "random_string" {
+ length = 5
+ special = false
+ upper = false
+ keepers = {}
+}
+data "google_compute_network" "external_network" {
+ name = var.network[0]
+}
+resource "random_string" "random_sic_key" {
+ length = 12
+ special = false
+}
+
+resource "google_compute_firewall" "ICMP_firewall_rules" {
+ count = local.ICMP_traffic_condition
+ name = "${var.prefix}-icmp-${random_string.random_string.result}"
+ network = data.google_compute_network.external_network.self_link
+ allow {
+ protocol = "icmp"
+ }
+ source_ranges = var.network_icmpSourceRanges
+ target_tags = [
+ "checkpoint-${replace(replace(lower(var.installationType)," ","-"),"(standalone)","standalone")}"]
+}
+resource "google_compute_firewall" "TCP_firewall_rules" {
+ count = local.TCP_traffic_condition
+ name = "${var.prefix}-tcp-${random_string.random_string.result}"
+ network = data.google_compute_network.external_network.self_link
+ allow {
+ protocol = "tcp"
+ }
+ source_ranges = var.network_tcpSourceRanges
+ target_tags = [
+ "checkpoint-${replace(replace(lower(var.installationType)," ","-"),"(standalone)","standalone")}"]
+}
+resource "google_compute_firewall" "UDP_firewall_rules" {
+ count = local.UDP_traffic_condition
+ name = "${var.prefix}-udp-${random_string.random_string.result}"
+ network = data.google_compute_network.external_network.self_link
+ allow {
+ protocol = "udp"
+ }
+ source_ranges = var.network_udpSourceRanges
+ target_tags = [
+ "checkpoint-${replace(replace(lower(var.installationType)," ","-"),"(standalone)","standalone")}"]
+}
+resource "random_string" "generated_password" {
+ length = 12
+ special = false
+}
+resource "google_compute_firewall" "SCTP_firewall_rules" {
+ count = local.SCTP_traffic_condition
+ name = "${var.prefix}-sctp-${random_string.random_string.result}"
+ network = data.google_compute_network.external_network.self_link
+ allow {
+ protocol = "sctp"
+ }
+ source_ranges = var.network_sctpSourceRanges
+ target_tags = [
+ "checkpoint-${replace(replace(lower(var.installationType)," ","-"),"(standalone)","standalone")}"]
+}
+resource "google_compute_firewall" "ESP_firewall_rules" {
+ count = local.ESP_traffic_condition
+ name = "${var.prefix}-esp-${random_string.random_string.result}"
+ network = data.google_compute_network.external_network.self_link
+ allow {
+ protocol = "esp"
+ }
+ source_ranges = var.network_espSourceRanges
+ target_tags = [
+ "checkpoint-${replace(replace(lower(var.installationType)," ","-"),"(standalone)","standalone")}"]
+}
+
+resource "google_compute_instance" "gateway" {
+ name = "${var.prefix}-${random_string.random_string.result}"
+ description = "Check Point Security ${replace(var.installationType,"(Standalone)","--")==var.installationType?split(" ",var.installationType)[0]:" Gateway and Management"}"
+ zone = var.zone
+ labels = {goog-dm = "${var.prefix}-${random_string.random_string.result}"}
+ tags =replace(var.installationType,"(Standalone)","--")==var.installationType?[
+ "checkpoint-${split(" ",lower(var.installationType))[0]}","${var.prefix}${random_string.random_string.result}"
+ ]:["checkpoint-gateway","checkpoint-management","${var.prefix}${random_string.random_string.result}"]
+ machine_type = var.machine_type
+ can_ip_forward = var.installationType == "Management only"? false:true
+ boot_disk {
+ auto_delete = true
+ device_name = "chkp-single-boot-${random_string.random_string.result}"
+ initialize_params {
+ size = var.bootDiskSizeGb
+ type = local.disk_type_condition
+ image = "checkpoint-public/${var.image_name}"
+ }
+ }
+ network_interface {
+ network = var.network[0]
+ subnetwork = var.subnetwork[0]
+ dynamic "access_config" {
+ for_each = var.externalIP == "None"? []:[1]
+ content {
+ nat_ip = var.externalIP=="static" ? google_compute_address.static.address : null
+ }
+ }
+
+ }
+ dynamic "network_interface" {
+ for_each = var.numAdditionalNICs >= 1 ? [
+ 1] : []
+ content {
+ network = var.internal_network1_network[0]
+ subnetwork = var.internal_network1_subnetwork[0]
+ }
+ }
+ dynamic "network_interface" {
+ for_each = var.numAdditionalNICs >= 2 ? [
+ 1] : []
+ content {
+ network = var.internal_network2_network[0]
+ subnetwork = var.internal_network2_subnetwork[0]
+ }
+ }
+ dynamic "network_interface" {
+ for_each = var.numAdditionalNICs >= 3 ? [
+ 1] : []
+ content {
+ network = var.internal_network3_network[0]
+ subnetwork = var.internal_network3_subnetwork[0]
+ }
+ }
+ dynamic "network_interface" {
+ for_each = var.numAdditionalNICs >= 4 ? [
+ 1] : []
+ content {
+ network = var.internal_network4_network[0]
+ subnetwork = var.internal_network4_subnetwork[0]
+ }
+ }
+ dynamic "network_interface" {
+ for_each = var.numAdditionalNICs >= 5 ? [
+ 1] : []
+ content {
+ network = var.internal_network5_network[0]
+ subnetwork = var.internal_network5_subnetwork[0]
+ }
+ }
+ dynamic "network_interface" {
+ for_each = var.numAdditionalNICs == 6 ? [
+ 1] : []
+ content {
+ network = var.internal_network6_network[0]
+ subnetwork = var.internal_network6_subnetwork[0]
+ }
+ }
+ dynamic "network_interface" {
+ for_each = var.numAdditionalNICs == 7 ? [
+ 1] : []
+ content {
+ network = var.internal_network7_network[0]
+ subnetwork = var.internal_network7_subnetwork[0]
+ }
+ }
+ dynamic "network_interface" {
+ for_each = var.numAdditionalNICs == 8 ? [
+ 1] : []
+ content {
+ network = var.internal_network8_network[0]
+ subnetwork = var.internal_network8_subnetwork[0]
+ }
+ }
+
+ service_account {
+ scopes = [
+ "https://www.googleapis.com/auth/cloudruntimeconfig",
+ "https://www.googleapis.com/auth/monitoring.write"]
+ }
+
+ metadata = local.admin_SSH_key_condition ? {
+ instanceSSHKey = var.admin_SSH_key
+ adminPasswordSourceMetadata = var.generatePassword ?random_string.generated_password.result : ""
+ } : {adminPasswordSourceMetadata = var.generatePassword?random_string.generated_password.result : ""}
+
+ metadata_startup_script = templatefile("${path.module}/../common/startup-script.sh", {
+ // script's arguments
+ generatePassword = var.generatePassword
+ config_url = "https://runtimeconfig.googleapis.com/v1beta1/projects/${var.project}/configs/-config"
+ config_path = "projects/${var.project}/configs/-config"
+ sicKey = ""
+ allowUploadDownload = var.allowUploadDownload
+ templateName = "single_tf"
+ templateVersion = "20230109"
+ templateType = "terraform"
+ hasInternet = "true"
+ enableMonitoring = var.enableMonitoring
+ shell = var.admin_shell
+ installationType = var.installationType
+ computed_sic_key = var.sicKey
+ managementGUIClientNetwork = var.managementGUIClientNetwork
+ installSecurityManagement = true
+ primary_cluster_address_name = ""
+ secondary_cluster_address_name = ""
+ subnet_router_meta_path = ""
+ mgmtNIC = var.management_nic
+ managementNetwork = ""
+ numAdditionalNICs = ""
+ smart_1_cloud_token = var.smart_1_cloud_token
+ name = ""
+ zoneConfig = ""
+ region = ""
+ })
+}
+resource "google_compute_address" "static" {
+ name = "ipv4-address-${random_string.random_string.result}"
+}
\ No newline at end of file
diff --git a/deprecated/terraform/gcp/R8040-R81/single-into-existing-vpc/output.tf b/deprecated/terraform/gcp/R8040-R81/single-into-existing-vpc/output.tf
new file mode 100644
index 00000000..0f0882d0
--- /dev/null
+++ b/deprecated/terraform/gcp/R8040-R81/single-into-existing-vpc/output.tf
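Review bot: The `target_tags` on all five `google_compute_firewall` rules are built as `checkpoint-${replace(replace(lower(var.installationType)," ","-"),"(standalone)","standalone")}` (for "Gateway only" this is `checkpoint-gateway-only`), while `google_compute_instance.gateway` is tagged `checkpoint-${split(" ",lower(var.installationType))[0]}` (`checkpoint-gateway`), so as far as I can read it none of the rules ever select this instance; both should derive the tag with the same expression, e.g. reuse the instance's tag expression in the rules. Independently, the rules allow every port of their protocol (`allow { protocol = "tcp" }` with no `ports`) for any `installationType`, whereas the README for this module states that a management deployment only exposes 257,18191,18210,18264,22,443,18190,19009 — either add a `ports` list to the TCP rule when `var.installationType != "Gateway only"` or correct the documentation. The additional-NIC blocks switch from `>= 1`…`>= 5` to `== 6`, `== 7`, `== 8`, so `numAdditionalNICs = 8` skips interfaces 6 and 7; they should read `for_each = var.numAdditionalNICs >= 6 ? [1] : []` (and `>= 7`, `>= 8`). `random_string.generated_password` ends up in instance metadata and unmarked in state and plan output; `random_password` takes the same arguments and marks the result sensitive, and a comment on the `metadata` block noting that the password is readable by any principal with `compute.instances.get` on the project would help operators. The `service_account` block sets scopes but no `email`, so the instance runs under the project's default compute service account — pin a dedicated least-privilege account here.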
@@ -0,0 +1,18 @@
+output "SIC_key" {
+ value = random_string.random_sic_key.result
+}
+output "ICMP_firewall_rules_name" {
+ value = google_compute_firewall.ICMP_firewall_rules[*].name
+}
+output "TCP_firewall_rules_name" {
+ value = google_compute_firewall.TCP_firewall_rules[*].name
+}
+output "UDP_firewall_rules_name" {
+ value = google_compute_firewall.UDP_firewall_rules[*].name
+}
+output "SCTP_firewall_rules_name" {
+ value = google_compute_firewall.SCTP_firewall_rules[*].name
+}
+output "ESP_firewall_rules_name" {
+ value = google_compute_firewall.ESP_firewall_rules[*].name
+}
\ No newline at end of file
diff --git a/deprecated/terraform/gcp/R8040-R81/single-into-existing-vpc/terraform.tfvars b/deprecated/terraform/gcp/R8040-R81/single-into-existing-vpc/terraform.tfvars
new file mode 100644
index 00000000..8ac21504
--- /dev/null
+++ b/deprecated/terraform/gcp/R8040-R81/single-into-existing-vpc/terraform.tfvars
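Review bot: `output "SIC_key"` returns a one-time trust secret (`random_string.random_sic_key.result`) without `sensitive = true`, so `terraform apply` and `terraform output` print it in clear text and it ends up in CI/console logs. Add `sensitive = true` next to `value` in that block; the same applies to `output "SIC_key"` in the single-into-new-vpc/output.tf hunk, which forwards `module.single-into-existing-vpc.SIC_key` unmarked. The value is written to Terraform state either way, so the state backend still has to be treated as secret storage.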
@@ -0,0 +1,46 @@ +# --- Google Provider --- +service_account_path = "PLEASE ENTER SERVICE_ACCOUNT_PATH" # "service-accounts/service-account-file-name.json" +project = "PLEASE ENTER PROJECT ID" # "project-id" + +# --- Check Point Deployment--- +image_name = "PLEASE ENTER IMAGE_NAME" # "check-point-r8110-gw-byol-single-335-985-v20220126" +installationType = "PLEASE ENTER INSTALLATION TYPE" # "Gateway only" +license = "PLEASE ENTER LICENSE" # "BYOL" +prefix = "PLEASE ENTER PREFIX" # "chkp-single-tf-" +management_nic = "PLEASE ENTER MANAGEMENT_NIC" # "Ephemeral Public IP (eth0)" +admin_shell = "PLEASE ENTER ADMIN_SHELL" # "/etc/cli.sh" +admin_SSH_key = "PLEASE ENTER ADMIN_SSH_KEY" # "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" +generatePassword = "PLEASE ENTER GENERATE PASSWORD" # false +allowUploadDownload = "PLEASE ENTER ALLOW UPLOAD DOWNLOAD" # false +sicKey = "PLEASE ENTER SIC KEY" # "" +managementGUIClientNetwork = "PLEASE ENTER MANAGEMENT GUI CLIENT NETWORK" # "0.0.0.0/0" + +# --- Quick connect to Smart-1 Cloud --- +smart_1_cloud_token = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL" # "" + +# --- Networking--- +zone = "PLEASE ENTER ZONE" # "us-central1-a" +network = "PLEASE ENTER NETWORK" # ["default"] +subnetwork = "PLEASE ENTER SUBNETWORK" # ["default"] +network_enableTcp = "PLEASE ENTER NETWORK ENABLE TCP" # false +network_tcpSourceRanges = "PLEASE ENTER NETWORK TCP SOURCE RANGES" # [""] +network_enableGwNetwork = "PLEASE ENTER NETWORK ENABLE GW NETWORK" # false +network_gwNetworkSourceRanges = "PLEASE ENTER NETWORK GW NETWORK SOURCE RANGES" # [""] +network_enableIcmp = "PLEASE ENTER NETWORK ENABLE ICMP" # false +network_icmpSourceRanges = "PLEASE ENTER NETWORK ICMP SOURCE RANGES" # [""] +network_enableUdp = "PLEASE ENTER NETWORK ENABLE UDP" # false +network_udpSourceRanges = "PLEASE ENTER NETWORK UDP SOURCE RANGES" # [""] +network_enableSctp = "PLEASE ENTER NETWORK ENABLE SCTP" # false +network_sctpSourceRanges = "PLEASE ENTER NETWORK SCTP SOURCE RANGES" 
# [""] +network_enableEsp = "PLEASE ENTER NETWORK ENABLE ESP" # false +network_espSourceRanges = "PLEASE ENTER NETWORK ESP SOURCE RANGES" # [""] +numAdditionalNICs = "PLEASE ENTER NUM ADDITIONAL NICS" # 1 +externalIP = "PLEASE ENTER EXTERNAL IP" # "static" +internal_network1_network = "PLEASE ENTER INTERNAL_NETWORK1_NETWORK" # [""] +internal_network1_subnetwork = "PLEASE ENTER INTERNAL_NETWORK1_SUBNETWORK" # [""] + +# --- Instances configuration--- +machine_type = "PLEASE ENTER MACHINE_TYPE" # "n1-standard-4" +diskType = "PLEASE ENTER DISK TYPE" # "SSD Persistent Disk" +bootDiskSizeGb = "PLEASE ENTER BOOT DISK SIZE GB" # 100 +enableMonitoring = "PLEASE ENTER ENABLE MONITORING" # false diff --git a/deprecated/terraform/gcp/R8040-R81/single-into-existing-vpc/variables.tf b/deprecated/terraform/gcp/R8040-R81/single-into-existing-vpc/variables.tf new file mode 100644 index 00000000..0b4718bc --- /dev/null +++ b/deprecated/terraform/gcp/R8040-R81/single-into-existing-vpc/variables.tf 
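Review bot: The inline example for `managementGUIClientNetwork` in this tfvars template is `"0.0.0.0/0"`, which documents an any-source GUI client network as the value to copy in. A constructed narrow example such as `# "203.0.113.0/24"  # restrict to your admin network` would steer operators toward a restricted range without changing the template's mechanics. Whether the string placeholders on bool- and list-typed variables (`generatePassword`, `network_tcpSourceRanges`) are meant to fail validation until replaced is presumably intentional, but a one-line header comment saying so would avoid confusion.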
@@ -0,0 +1,254 @@ +variable "service_account_path" { + type = string + description = "User service account path in JSON format - From the service account key page in the Cloud Console choose an existing account or create a new one. Next, download the JSON key file. Name it something you can remember, store it somewhere secure on your machine, and supply the path to the location is stored." + default = "" +} +variable "project" { + type = string + description = "Personal project id. The project indicates the default GCP project all of your resources will be created in." + default = "" +} +variable "zone" { + type = string + description = "The zone determines what computing resources are available and where your data is stored and used" + default = "us-central1-a" +} +variable "image_name" { + type = string + description = "The single gateway and management image name. You can choose the desired image value from: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/single-byol/images.py" +} +variable "installationType" { + type = string + description = "Installation type and version" + default = "Gateway only" +} +variable "license" { + type = string + description = "Checkpoint license (BYOL or PAYG)." + default = "BYOL" +} +variable "prefix" { + type = string + description = "(Optional) Resources name prefix" + default = "chkp-single-tf-" +} +variable "machine_type" { + type = string + default = "n1-standard-4" +} +variable "network" { + type = list(string) + description = "The network determines what network traffic the instance can access" + default = ["default"] +} +variable "subnetwork" { + type = list(string) + description = "Assigns the instance an IPv4 address from the subnetwork’s range. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network." 
+ default = ["default"] +} +variable "network_enableTcp" { + type = bool + description = "Allow TCP traffic from the Internet" + default = false +} +variable "network_tcpSourceRanges" { + type = list(string) + description = "Allow TCP traffic from the Internet" + default = [] +} +variable "network_enableGwNetwork" { + type = bool + description = "This is relevant for Management only. The network in which managed gateways reside" + default = false +} +variable network_gwNetworkSourceRanges{ + type = list(string) + description = "Allow TCP traffic from the Internet" + default = [] +} +variable "network_enableIcmp" { + type = bool + description ="Allow ICMP traffic from the Internet" + default = false +} +variable "network_icmpSourceRanges" { + type = list(string) + description = "(Optional) Source IP ranges for ICMP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable ICMP traffic." + default = [] +} +variable network_enableUdp{ + type = bool + description ="Allow UDP traffic from the Internet" + default = false +} +variable "network_udpSourceRanges" { + type = list(string) + description = "(Optional) Source IP ranges for UDP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable UDP traffic." + default = [] +} +variable "network_enableSctp" { + type = bool + description ="Allow SCTP traffic from the Internet" + default = false +} +variable "network_sctpSourceRanges" { + type = list(string) + description = "(Optional) Source IP ranges for SCTP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable SCTP traffic." 
+ default = [] +} + +variable "network_enableEsp" { + type = bool + description ="Allow ESP traffic from the Internet " + default = false +} +variable "network_espSourceRanges" { + type = list(string) + description = "(Optional) Source IP ranges for ESP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable ESP traffic." + default = [] +} +variable "diskType" { + type = string + description ="Disk type" + default = "pd-ssd" +} +variable "bootDiskSizeGb" { + type = number + description ="Disk size in GB" + default = 100 +} +variable "generatePassword" { + type = bool + description ="Automatically generate an administrator password " + default = false +} +variable "management_nic" { + type = string + description = "Management Interface - Gateways in GCP can be managed by an ephemeral public IP or using the private IP of the internal interface (eth1)." + default = "Ephemeral Public IP (eth0)" +} +variable "allowUploadDownload" { + type = string + description ="Allow download from/upload to Check Point" + default = true +} +variable "enableMonitoring" { + type = bool + description ="Enable Stackdriver monitoring" + default = false +} +variable "admin_shell" { + type = string + description = "Change the admin shell to enable advanced command line configuration." + default = "/etc/cli.sh" +} +variable "admin_SSH_key" { + type = string + description = "(Optional) The SSH public key for SSH authentication to the template instances. Leave this field blank to use all project-wide pre-configured SSH keys." 
+ default = "" +} +variable "sicKey" { + type = string + description ="The Secure Internal Communication one time secret used to set up trust between the single gateway object and the management server" + default = "" +} +variable "managementGUIClientNetwork" { + type = string + description ="Allowed GUI clients " + default = "0.0.0.0/0" +} +variable "smart_1_cloud_token" { + type = string + description ="(Optional) Smart-1 cloud token to connect this Gateway to Check Point's Security Management as a Service" + default = "" +} +variable "numAdditionalNICs" { + type = number + description ="Number of additional network interfaces" + default = 0 +} +variable "externalIP" { + type = string + description = "External IP address type" + default = "static" +} +variable "internal_network1_network" { + type = list(string) + description = "1st internal network ID in the chosen zone." + default = [] +} +variable "internal_network1_subnetwork" { + type = list(string) + description = "1st internal subnet ID in the chosen network." + default = [] +} +variable "internal_network2_network" { + type = list(string) + description = "2nd internal network ID in the chosen zone." + default = [] +} +variable "internal_network2_subnetwork" { + type = list(string) + description = "2nd internal subnet ID in the chosen network." + default = [] +} +variable "internal_network3_network" { + type = list(string) + description = "3rd internal network ID in the chosen zone." + default = [] +} +variable "internal_network3_subnetwork" { + type = list(string) + description = "3rd internal subnet ID in the chosen network." + default = [] +} +variable "internal_network4_network" { + type = list(string) + description = "4th internal network ID in the chosen zone." + default = [] +} +variable "internal_network4_subnetwork" { + type = list(string) + description = "4th internal subnet ID in the chosen network." 
+ default = [] +} +variable "internal_network5_network" { + type = list(string) + description = "5th internal network ID in the chosen zone." + default = [] +} +variable "internal_network5_subnetwork" { + type = list(string) + description = "5th internal subnet ID in the chosen network." + default = [] +} +variable "internal_network6_network" { + type = list(string) + description = "6th internal network ID in the chosen zone." + default = [] +} +variable "internal_network6_subnetwork" { + type = list(string) + description = "6th internal subnet ID in the chosen network." + default = [] +} +variable "internal_network7_network" { + type = list(string) + description = "7th internal network ID in the chosen zone." + default = [] +} +variable "internal_network7_subnetwork" { + type = list(string) + description = "7th internal subnet ID in the chosen network." + default = [] +} +variable "internal_network8_network" { + type = list(string) + description = "8th internal network ID in the chosen zone." + default = [] +} +variable "internal_network8_subnetwork" { + type = list(string) + description = "8th internal subnet ID in the chosen network." + default = [] +} diff --git a/deprecated/terraform/gcp/R8040-R81/single-into-new-vpc/README.md b/deprecated/terraform/gcp/R8040-R81/single-into-new-vpc/README.md new file mode 100644 index 00000000..857b7c75 --- /dev/null +++ b/deprecated/terraform/gcp/R8040-R81/single-into-new-vpc/README.md 
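Review bot: `variable "sicKey"` and `variable "smart_1_cloud_token"` hold credentials but are not declared `sensitive = true`, so their values would be shown in plan/apply output wherever they are interpolated; add `sensitive = true` to both blocks. `managementGUIClientNetwork` defaults to `"0.0.0.0/0"`, which allows management GUI access from any source unless the operator overrides it — an empty default that forces an explicit value would be the safer choice. Separately, `allowUploadDownload` is declared `type = string` with `default = true` while every sibling flag is `type = bool`, and the descriptions of `network_tcpSourceRanges` and `network_gwNetworkSourceRanges` repeat the enable-flag text ("Allow TCP traffic from the Internet") instead of describing the source ranges; "unable" in the ICMP/UDP/SCTP/ESP range descriptions reads as a typo for "disable".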
@@ -0,0 +1,270 @@ +# Check Point single gateway and management Terraform module for GCP + +Terraform module which deploys a single gateway and management of Check Point Security Gateways. + +These types of Terraform resources are supported: + [Instance Template](https://www.terraform.io/docs/providers/google/r/compute_instance_template.html) + [Firewall](https://www.terraform.io/docs/providers/google/r/compute_firewall.html) - conditional creation + [Instance Group Manager](https://www.terraform.io/docs/providers/google/r/compute_region_instance_group_manager.html) + [Compute instance](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance) + + +See Check Point's documentation for Single [here](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk114577) + +Terraform is controlled via a very easy to use command-line interface (CLI). Terraform is only a single command-line application: terraform. + +## Before you begin +1. Create a project in the [Google Cloud Console](https://console.cloud.google.com/) and set up billing on that project. +2. [Install Terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli) and read the Terraform getting started guide that follows. This guide will assume basic proficiency with Terraform - it is an introduction to the Google provider. + +## Configuring the Provider +The main.tf file includes the following provider configuration block used to configure the credentials you use to authenticate with GCP, as well as a default project and location for your resources: +``` +provider "google" { + credentials = file(var.service_account_path) + project = var.project +} +... +``` + +1. [Create a Service Account](https://cloud.google.com/docs/authentication/getting-started) (or use the existing one). Next, download the JSON key file. Name it something you can remember and store it somewhere secure on your machine.
+2. Select "Editor" Role or verify you have the following permissions: + ``` + compute.addresses.get + compute.addresses.use + compute.addresses.create + compute.disks.create + compute.disks.delete + compute.firewalls.create + compute.firewalls.delete + compute.firewalls.get + compute.images.get + compute.images.useReadOnly + compute.images.getFromFamily + compute.instanceTemplates.create + compute.instanceTemplates.delete + compute.instanceTemplates.get + compute.instanceTemplates.useReadOnly + compute.instances.addAccessConfig + compute.instances.create + compute.instances.delete + compute.instances.get + compute.instances.setMetadata + compute.instances.setTags + compute.instances.setLabels + compute.networks.get + compute.networks.updatePolicy + compute.regions.list + compute.subnetworks.get + compute.subnetworks.use + compute.subnetworks.useExternalIp + compute.zones.get + iam.serviceAccountKeys.get + iam.serviceAccountKeys.list + iam.serviceAccounts.actAs + iam.serviceAccounts.get + iam.serviceAccounts.list + iam.serviceAccounts.set + ``` +3. ```credentials``` - Your service account key file is used to complete a two-legged OAuth 2.0 flow to obtain access tokens to authenticate with the GCP API as needed; Terraform will use it to reauthenticate automatically when tokens expire.
+The provider credentials can be provided either as static credentials or as [Environment Variables](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#credentials-1). + - Static credentials can be provided by adding the path to your service-account json file, project-id and region in /gcp/modules/single/terraform.tfvars file as follows: + ``` + service_account_path = "service-accounts/service-account-file-name.json" + project = "project-id" + ``` + - In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in the main.tf file, in the provider google resource, need to be deleted or commented: + ``` + provider "google" { + // credentials = file(var.service_account_path) + // project = var.project + + } + ``` + b.In the terraform.tfvars file leave empty double quotes for credentials and project variables: + ``` + service_account_path = "" + project = "" + ``` +## Usage +- Fill all variables in the /gcp/single/terraform.tfvars file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +#### Variables are configured in single/terraform.tfvars file as follows: +``` +# --- Google Provider --- +service_account_path = "service-accounts/service-account-file-name.json" +project = "project-id" + +# --- Check Point--- +image_name = "check-point-r8120-gw-byol-single-631-991001335-v20230622" +installationType = "Gateway only" +license = "BYOL" +prefix = "chkp-single-tf-" +management_nic = "Ephemeral Public IP (eth0)" +admin_shell = "/etc/cli.sh" +admin_SSH_key = "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" +generatePassword = false +allow_upload_download = true +sicKey = "" +managementGUIClientNetwork = "0.0.0.0/0" + +#--- Quick connect to Smart-1 Cloud --- +smart_1_cloud_token = "xxxxxxxxxxxxxxxxxxxxxxxx" + +# --- Networking --- +region = "us-central1" +zone = "us-central1-a" +subnetwork_cidr = "10.0.0.0/24" +network_enableTcp= true +network_tcpSourceRanges= ["0.0.0.0/0"] +network_enableGwNetwork= false +network_gwNetworkSourceRanges= [] +network_enableIcmp= false +network_icmpSourceRanges = [] +network_enableUdp= false +network_udpSourceRanges= [] +network_enableSctp= false +network_sctpSourceRanges= [] +network_enableEsp= false +network_espSourceRanges= [] +numAdditionalNICs= 1 +externalIP= "static" 
+internal_subnetwork_cidr = "10.0.1.0/24" + +# --- Instance Configuration --- +machine_type = "n1-standard-4" +diskType = "SSD Persistent Disk" +bootDiskSizeGb = 100 +enableMonitoring = false + +``` + +- To tear down your resources: + ``` + terraform destroy + ``` + +## Conditional creation +To create Firewall and allow traffic for ICMP, TCP, UDP, SCTP or/and ESP - enter list of Source IP ranges. +``` +ICMP_traffic = ["123.123.0.0/24", "234.234.0.0/24"] +TCP_traffic = ["0.0.0.0/0"] +UDP_traffic = ["0.0.0.0/0"] +SCTP_traffic = ["0.0.0.0/0"] +ESP_traffic = ["0.0.0.0/0"] +``` +Please leave empty list for a protocol if you want to disable traffic for it. + +## Inputs +| Name | Description | Type | Allowed values |Default| Required | +| ------------- | ------------- | ------------- | ------------- |-------|---------------| +| service_account_path | User service account path in JSON format - From the service account key page in the Cloud Console choose an existing account or create a new one. Next, download the JSON key file. Name it something you can remember, store it somewhere secure on your machine, and supply the path to the location is stored. (e.g. "service-accounts/service-account-name.json") | string | N/A | "" | yes | +| | | | | | +| project | Personal project id. The project indicates the default GCP project all of your resources will be created in. | string | N/A | "" | yes | +| | | | | | +| region | GCP region | string | N/A | N/A | yes | +| | | | | | +| zone | The zone determines what computing resources are available and where your data is stored and used | string | List of allowed [Regions and Zones](https://cloud.google.com/compute/docs/regions-zones?_ga=2.31926582.-962483654.1585043745) |us-central1-a|yes| +| | | | | | +| image_name |The single gateway or management image name (e.g. check-point-r8120-gw-byol-single-631-991001335-v20230622 for gateway or check-point-r8120-byol-631-991001335-v20230621 for management). 
You can choose the desired gateway image value from [Github](https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/single-byol/images.py).| string | N/A | N/A | yes | +| | | | | | +| installationType | Installation type and version | string |Gateway only;
Management only;
Manual Configuration
Gateway and Management (Standalone) |Gateway only|yes| +| | | | | | +| license | Checkpoint license (BYOL or PAYG).|string|BYOL;
PAYG;|BYOL|yes| +| | | | | | +| prefix | (Optional) Resources name prefix|string|N\A|chkp-single-tf-|no| +| | | | | | +| machineType | Machine types determine the specifications of your machines, such as the amount of memory, virtual cores, and persistent disk limits an instance will have | string | [Learn more about Machine Types](https://cloud.google.com/compute/docs/machine-types?hl=en_US&_ga=2.267871494.-962483654.1585043745) | n1-standard-4|no| +| | | | | | +| subnetwork_cidr | The range of internal addresses that are owned by this subnetwork, only IPv4 is supported (e.g. "10.0.0.0/8" or "192.168.0.0/16"). | string | N/A | N/A | yes | +| | | | | | +| network_enableTcp | Allow TCP traffic from the Internet | boolean | true;
false; |false|no| +| | | | | | +| network_tcpSourceRanges | Allow TCP traffic from the Internet | list(string) | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009 [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) |N/A|no| +| | | | | | +| network_enableGwNetwork | This is relevant for Management only. The network in which managed gateways reside | boolean | true;
false; |false|no| +| | | | | | +| network_gwNetworkSourceRanges | Allow TCP traffic from the Internet | list(string) | Enter a valid IPv4 network CIDR (e.g. 0.0.0.0/0) |N/A|no| +| | | | | | +| network_enableIcmp | Allow ICMP traffic from the Internet | boolean | true;
false; |false|no| +| | | | | | +| network_icmpSourceRanges | Source IP ranges for ICMP traffic | list(string) | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) |N/A|no| +| | | | | | +| network_enableUdp | Allow UDP traffic from the Internet | boolean | true;
false; |false|no| +| | | | | | +| network_udpSourceRanges | Source IP ranges for UDP traffic | list(string) | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) |N/A|no| +| | | | | | +| network_enableSctp | Allow SCTP traffic from the Internet | boolean | true;
false; |false|no| +| | | | | | +| network_sctpSourceRanges | Source IP ranges for SCTP traffic | list(string) | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) |N/A|no| +| | | | | | +| network_enableEsp | Allow ESP traffic from the Internet | boolean | true;
false; |false|no| +| | | | | | +| network_espSourceRanges | Source IP ranges for ESP traffic | list(string) | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) |N/A|no| +| | | | | | +| diskType | Disk type | string | SSD Persistent Disk;
standard-Persistent Disk;
Storage space is much less expensive for a standard persistent disk. An SSD persistent disk is better for random IOPS or streaming throughput with low latency. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.66020774.-962483654.1585043745#overview_of_disk_types)|SSD Persistent Disk|no| +| | | | | | +| bootDiskSizeGb | Disk size in GB | number | Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.232680471.-962483654.1585043745#pdperformance)|100|no| +| | | | | | +| generatePassword | Automatically generate an administrator password | boolean | true;
false; |false|no| +| | | | | | +| allowUploadDownload | Allow download from/upload to Check Point | boolean | true;
false; |false|no| +| | | | | | +| enableMonitoring | Enable Stackdriver monitoring | boolean | true;
false; |false|no| +| | | | | | +| admin_shell | Change the admin shell to enable advanced command line configuration. | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh;
|/etc/cli.sh|no| +| | | | | | +| admin_SSH_key | Public SSH key for the user 'admin' - The SSH public key for SSH authentication to the instances. Leave this field blank to use all project-wide pre-configured SSH keys. | string | A valid public ssh key | "" | no | +| | | | | | +| sicKey | The Secure Internal Communication one time secret used to set up trust between the single gateway object and the management server | string | At least 8 alpha numeric characters.
If SIC is not provided and needed, a key will be automatically generated |""|no| +| | | | | | +| managementGUIClientNetwork | Allowed GUI clients | string | A valid IPv4 network CIDR (e.g. 0.0.0.0/0) |0.0.0.0/0|no| +| | | | | | +| smart_1_cloud_token | Smart-1 Cloud token to connect this gateway to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal.| +| | | | | | +| numAdditionalNICs | Number of additional network interfaces | number | A number in the range 0 - 8.
Multiple network interfaces deployment is described in [sk121637 - Deploy a CloudGuard for GCP with Multiple Network Interfaces](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk121637) |0|no| +| | | | | | +| externalIP | External IP address type | string | Static;
Ephemeral;
An external IP address associated with this instance. Selecting "None" will result in the instance having no external internet access. [Learn more](https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address?_ga=2.259654658.-962483654.1585043745) |static|no| +| | | | | | +| internal_subnetwork_cidr | The range of internal addresses that are owned by this subnetwork, only IPv4 is supported (e.g. "10.0.0.0/8" or "192.168.0.0/16"). | string | N/A | N/A | yes | +| | | | | | +| management_nic | Management Interface - Security Gateways in GCP can be managed by an ephemeral public IP or using the private IP of the internal interface (eth1). | string | Ephemeral Public IP (eth0)
- Private IP (eth1) |XEphemeral Public IP (eth0)|no| +| | | | | | + +## Outputs +| Name | Description | +| ------------- | ------------- | +| SIC_key | Secure Internal Communication (SIC) initiation key. | +| ICMP_firewall_rules_name | If enable - the ICMP firewall rules name, otherwise, an empty list. | +| TCP_firewall_rules_name | If enable - the TCP firewall rules name, otherwise, an empty list. | +| UDP_firewall_rules_name | If enable - the UDP firewall rules name, otherwise, an empty list. | +| SCTP_firewall_rules_name | If enable - the SCTP firewall rules name, otherwise, an empty list. | +| ESP_firewall_rules_name | If enable - the ESP firewall rules name, otherwise, an empty list. | + +## Revision History +In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|-------------------------------------| +| 20230921 | Added single-into-new-vpc template. | +| | | + +## Authors + + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/deprecated/terraform/gcp/R8040-R81/single-into-new-vpc/main.tf b/deprecated/terraform/gcp/R8040-R81/single-into-new-vpc/main.tf new file mode 100644 index 00000000..1597ae33 --- /dev/null +++ b/deprecated/terraform/gcp/R8040-R81/single-into-new-vpc/main.tf 
@@ -0,0 +1,90 @@ +provider "google" { + credentials = file(var.service_account_path) + project = var.project + region = var.region +} + +resource "random_string" "random_string" { + length = 5 + special = false + upper = false + keepers = {} +} + +resource "google_compute_network" "network" { + name = "${var.prefix}-network-${random_string.random_string.result}" + auto_create_subnetworks = false +} + +resource "google_compute_subnetwork" "subnetwork" { + name = "${var.prefix}-subnetwork-${random_string.random_string.result}" + ip_cidr_range = var.subnetwork_cidr + private_ip_google_access = true + region = var.region + network = google_compute_network.network.id +} + +resource "google_compute_network" "internal_network" { + name = "${var.prefix}-internal-network-${random_string.random_string.result}" + auto_create_subnetworks = false +} + +resource "google_compute_subnetwork" "internal_subnetwork" { + name = "${var.prefix}-internal-subnetwork-${random_string.random_string.result}" + ip_cidr_range = var.internal_subnetwork_cidr + private_ip_google_access = true + region = var.region + network = google_compute_network.internal_network.id +} + + +module "single-into-existing-vpc" { + source = "../single-into-existing-vpc" + + service_account_path = var.service_account_path + project = var.project + + + # --- Check Point Deployment--- + image_name = var.image_name + installationType = var.installationType + license = var.license + prefix = var.prefix + management_nic = var.management_nic + admin_shell = var.admin_shell + admin_SSH_key = var.admin_SSH_key + generatePassword = var.generatePassword + allowUploadDownload = var.allowUploadDownload + sicKey = var.sicKey + managementGUIClientNetwork = var.managementGUIClientNetwork + + # --- Quick connect to Smart-1 Cloud --- + smart_1_cloud_token = var.smart_1_cloud_token + + # --- Networking --- + zone = var.zone + network = [google_compute_network.network.name] + subnetwork = [google_compute_subnetwork.subnetwork.name] + 
network_enableTcp = var.network_enableTcp + network_tcpSourceRanges = var.network_tcpSourceRanges + network_enableGwNetwork = var.network_enableGwNetwork + network_gwNetworkSourceRanges = var.network_gwNetworkSourceRanges + network_enableIcmp = var.network_enableIcmp + network_icmpSourceRanges = var.network_icmpSourceRanges + network_enableUdp = var.network_enableUdp + network_udpSourceRanges = var.network_udpSourceRanges + network_enableSctp = var.network_enableSctp + network_sctpSourceRanges = var.network_sctpSourceRanges + network_enableEsp = var.network_enableEsp + network_espSourceRanges = var.network_espSourceRanges + numAdditionalNICs = var.numAdditionalNICs + externalIP = var.externalIP + internal_network1_network = [google_compute_network.internal_network.name] + internal_network1_subnetwork = [google_compute_subnetwork.internal_subnetwork.name] + + # --- Instances configuration--- + machine_type = var.machine_type + diskType = var.diskType + bootDiskSizeGb = var.bootDiskSizeGb + enableMonitoring = var.enableMonitoring +} \ No newline at end of file diff --git a/deprecated/terraform/gcp/R8040-R81/single-into-new-vpc/output.tf b/deprecated/terraform/gcp/R8040-R81/single-into-new-vpc/output.tf new file mode 100644 index 00000000..f1ba99cf --- /dev/null +++ b/deprecated/terraform/gcp/R8040-R81/single-into-new-vpc/output.tf 
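Review bot: The root module declares `provider "google"` and uses `random_string`, but nowhere in the hunk is there a `terraform { required_providers { ... } }` block, so provider source and version are unpinned and each `terraform init` resolves whatever the latest `hashicorp/google` and `hashicorp/random` releases happen to be (unless a sibling file not in this hunk supplies the constraints). Pinning both with version constraints and committing the dependency lock file keeps deployments reproducible and stops a new provider major from silently changing the generated infrastructure. The child module at `../single-into-existing-vpc` would benefit from the same; its header is not part of this hunk.
```hcl
terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "<TESTED_VERSION_CONSTRAINT>" # placeholder: pin to the release this template was validated against
    }
    random = {
      source  = "hashicorp/random"
      version = "<TESTED_VERSION_CONSTRAINT>" # placeholder
    }
  }
}

provider "google" {
# … unchanged: credentials / project / region …
```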
@@ -0,0 +1,30 @@
+output "network" {
+ value = google_compute_network.network.name
+}
+output "subnetwork" {
+ value = google_compute_subnetwork.subnetwork.name
+}
+output "internal_network" {
+ value = google_compute_network.internal_network.name
+}
+output "internal_subnetwork" {
+ value = google_compute_subnetwork.internal_subnetwork.name
+}
+output "SIC_key" {
+ value = module.single-into-existing-vpc.SIC_key
+}
+output "ICMP_firewall_rules_name" {
+ value = module.single-into-existing-vpc.ICMP_firewall_rules_name
+}
+output "TCP_firewall_rules_name" {
+ value = module.single-into-existing-vpc.TCP_firewall_rules_name
+}
+output "UDP_firewall_rules_name" {
+ value = module.single-into-existing-vpc.UDP_firewall_rules_name
+}
+output "SCTP_firewall_rules_name" {
+ value = module.single-into-existing-vpc.SCTP_firewall_rules_name
+}
+output "ESP_firewall_rules_name" {
+ value = module.single-into-existing-vpc.ESP_firewall_rules_name
+}
diff --git a/deprecated/terraform/gcp/R8040-R81/single-into-new-vpc/terraform.tfvars b/deprecated/terraform/gcp/R8040-R81/single-into-new-vpc/terraform.tfvars
new file mode 100644
index 00000000..b387fa3d
--- /dev/null
+++ b/deprecated/terraform/gcp/R8040-R81/single-into-new-vpc/terraform.tfvars
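Review bot: `output "SIC_key"` re-exports the gateway's one-time SIC secret from the root module without `sensitive = true`, so it is printed in clear text on every `terraform apply` and `terraform output` run and lands in CI logs. Add `sensitive = true` to that output block; if the child module already marks its `SIC_key` output sensitive, Terraform requires the root output to carry the flag as well. The flag only redacts CLI output — the value is still written to state either way, so state-file access controls still matter. The network and firewall-rule-name outputs are fine as plain values.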
@@ -0,0 +1,45 @@
+# --- Google Provider ---
+service_account_path = "PLEASE ENTER SERVICE_ACCOUNT_PATH" # "service-accounts/service-account-file-name.json"
+project = "PLEASE ENTER PROJECT ID" # "project-id"
+
+# --- Check Point Deployment---
+image_name = "PLEASE ENTER IMAGE_NAME" # "check-point-r8120-gw-byol-single-631-991001335-v20230622"
+installationType = "PLEASE ENTER INSTALLATION TYPE" # "Gateway only"
+license = "PLEASE ENTER LICENSE" # "BYOL"
+prefix = "PLEASE ENTER PREFIX" # "chkp-single-tf-"
+management_nic = "PLEASE ENTER MANAGEMENT_NIC" # "Ephemeral Public IP (eth0)"
+admin_shell = "PLEASE ENTER ADMIN_SHELL" # "/etc/cli.sh"
+admin_SSH_key = "PLEASE ENTER ADMIN_SSH_KEY" # "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key"
+generatePassword = "PLEASE ENTER GENERATE PASSWORD" # false
+allowUploadDownload = "PLEASE ENTER ALLOW UPLOAD DOWNLOAD" # false
+sicKey = "PLEASE ENTER SIC KEY" # ""
+managementGUIClientNetwork = "PLEASE ENTER MANAGEMENT GUI CLIENT NETWORK" # "0.0.0.0/0"
+
+# --- Quick connect to Smart-1 Cloud ---
+smart_1_cloud_token = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL" # ""
+
+# --- Networking---
+region = "PLEASE ENTER REGION" # "us-central1"
+zone = "PLEASE ENTER ZONE" # "us-central1-a"
+subnetwork_cidr = "PLEASE ENTER SUBNETWORK CIDR" # "10.0.1.0/24"
+network_enableTcp = "PLEASE ENTER NETWORK ENABLE TCP" # false
+network_tcpSourceRanges = "PLEASE ENTER NETWORK TCP SOURCE RANGES" # []
+network_enableGwNetwork = "PLEASE ENTER NETWORK ENABLE GW NETWORK" # false
+network_gwNetworkSourceRanges = "PLEASE ENTER NETWORK GW NETWORK SOURCE RANGES" # []
+network_enableIcmp = "PLEASE ENTER NETWORK ENABLE ICMP" # false
+network_icmpSourceRanges = "PLEASE ENTER NETWORK ICMP SOURCE RANGES" # []
+network_enableUdp = "PLEASE ENTER NETWORK ENABLE UDP" # false
+network_udpSourceRanges = "PLEASE ENTER NETWORK UDP SOURCE RANGES" # []
+network_enableSctp = "PLEASE ENTER NETWORK ENABLE SCTP" # false
+network_sctpSourceRanges = "PLEASE ENTER NETWORK SCTP SOURCE RANGES" # []
+network_enableEsp = "PLEASE ENTER NETWORK ENABLE ESP" # false
+network_espSourceRanges = "PLEASE ENTER NETWORK ESP SOURCE RANGES" # []
+numAdditionalNICs = "PLEASE ENTER NUM ADDITIONAL NICS" # 1
+externalIP = "PLEASE ENTER EXTERNAL IP" # "static"
+internal_subnetwork_cidr = "PLEASE ENTER INTERNAL SUBNETWORK CIDR" # "10.0.2.0/24"
+
+# --- Instances configuration---
+machine_type = "PLEASE ENTER MACHINE_TYPE" # "n1-standard-4"
+diskType = "PLEASE ENTER DISK TYPE" # "SSD Persistent Disk"
+bootDiskSizeGb = "PLEASE ENTER BOOT DISK SIZE GB" # 100
+enableMonitoring = "PLEASE ENTER ENABLE MONITORING" # false
\ No newline at end of file
diff --git a/deprecated/terraform/gcp/R8040-R81/single-into-new-vpc/variables.tf b/deprecated/terraform/gcp/R8040-R81/single-into-new-vpc/variables.tf
new file mode 100644
index 00000000..51d15492
--- /dev/null
+++ b/deprecated/terraform/gcp/R8040-R81/single-into-new-vpc/variables.tf
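Review bot: `sicKey` and `smart_1_cloud_token` live in `terraform.tfvars`, a file Terraform loads automatically and that is easy to commit once the placeholders are replaced with real values; the commit adds a `.gitignore` but its contents are not visible here, so a header comment such as `# do not commit real values; supply sicKey / smart_1_cloud_token via TF_VAR_* or a var-file kept out of VCS` would help. The reference example for `managementGUIClientNetwork` is `"0.0.0.0/0"`, which documents an any-source GUI allowance as the value to copy; an example restricted to an administrator range would be the safer template. The placeholders for `bool`, `number` and `list(string)` variables (e.g. `network_enableTcp`, `numAdditionalNICs`) are strings, so an unedited file fails type conversion at plan time rather than deploying with surprising values — useful behaviour, but worth stating in the header comment.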
@@ -0,0 +1,256 @@
+variable "service_account_path" {
+ type = string
+ description = "User service account path in JSON format - From the service account key page in the Cloud Console choose an existing account or create a new one. Next, download the JSON key file. Name it something you can remember, store it somewhere secure on your machine, and supply the path to the location is stored."
+ default = ""
+}
+variable "project" {
+ type = string
+ description = "Personal project id. The project indicates the default GCP project all of your resources will be created in."
+ default = ""
+}
+variable "region" {
+ type = string
+ default = "us-central1"
+}
+variable "zone" {
+ type = string
+ description = "The zone determines what computing resources are available and where your data is stored and used"
+ default = "us-central1-a"
+}
+variable "image_name" {
+ type = string
+ description = "The single gateway and management image name. You can choose the desired image value from: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/single-byol/images.py"
+}
+variable "installationType" {
+ type = string
+ description = "Installation type and version"
+ default = "Gateway only"
+}
+variable "license" {
+ type = string
+ description = "Checkpoint license (BYOL or PAYG)."
+ default = "BYOL"
+}
+variable "prefix" {
+ type = string
+ description = "(Optional) Resources name prefix"
+ default = "chkp-single-tf-"
+}
+variable "machine_type" {
+ type = string
+ default = "n1-standard-4"
+}
+variable "subnetwork_cidr" {
+ type = string
+ description = "The range of external addresses that are owned by this subnetwork, only IPv4 is supported (e.g. \"10.0.0.0/8\" or \"192.168.0.0/16\")."
+}
+variable "internal_subnetwork_cidr" {
+ type = string
+ description = "The range of internal addresses that are owned by this subnetwork, only IPv4 is supported (e.g. \"10.0.0.0/8\" or \"192.168.0.0/16\")."
+}
+variable "network_enableTcp" {
+ type = bool
+ description = "Allow TCP traffic from the Internet"
+ default = false
+}
+variable "network_tcpSourceRanges" {
+ type = list(string)
+ description = "Allow TCP traffic from the Internet"
+ default = []
+}
+variable "network_enableGwNetwork" {
+ type = bool
+ description = "This is relevant for Management only. The network in which managed gateways reside"
+ default = false
+}
+variable network_gwNetworkSourceRanges{
+ type = list(string)
+ description = "Allow TCP traffic from the Internet"
+ default = []
+}
+variable "network_enableIcmp" {
+ type = bool
+ description ="Allow ICMP traffic from the Internet"
+ default = false
+}
+variable "network_icmpSourceRanges" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for ICMP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable ICMP traffic."
+ default = []
+}
+variable network_enableUdp{
+ type = bool
+ description ="Allow UDP traffic from the Internet"
+ default = false
+}
+variable "network_udpSourceRanges" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for UDP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable UDP traffic."
+ default = []
+}
+variable "network_enableSctp" {
+ type = bool
+ description ="Allow SCTP traffic from the Internet"
+ default = false
+}
+variable "network_sctpSourceRanges" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for SCTP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable SCTP traffic."
+ default = []
+}
+
+variable "network_enableEsp" {
+ type = bool
+ description ="Allow ESP traffic from the Internet "
+ default = false
+}
+variable "network_espSourceRanges" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for ESP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable ESP traffic."
+ default = []
+}
+variable "diskType" {
+ type = string
+ description ="Disk type"
+ default = "pd-ssd"
+}
+variable "bootDiskSizeGb" {
+ type = number
+ description ="Disk size in GB"
+ default = 100
+}
+variable "generatePassword" {
+ type = bool
+ description ="Automatically generate an administrator password "
+ default = false
+}
+variable "management_nic" {
+ type = string
+ description = "Management Interface - Gateways in GCP can be managed by an ephemeral public IP or using the private IP of the internal interface (eth1)."
+ default = "Ephemeral Public IP (eth0)"
+}
+variable "allowUploadDownload" {
+ type = string
+ description ="Allow download from/upload to Check Point"
+ default = true
+}
+variable "enableMonitoring" {
+ type = bool
+ description ="Enable Stackdriver monitoring"
+ default = false
+}
+variable "admin_shell" {
+ type = string
+ description = "Change the admin shell to enable advanced command line configuration."
+ default = "/etc/cli.sh"
+}
+variable "admin_SSH_key" {
+ type = string
+ description = "(Optional) The SSH public key for SSH authentication to the template instances. Leave this field blank to use all project-wide pre-configured SSH keys."
+ default = ""
+}
+variable "sicKey" {
+ type = string
+ description ="The Secure Internal Communication one time secret used to set up trust between the single gateway object and the management server"
+ default = ""
+}
+variable "managementGUIClientNetwork" {
+ type = string
+ description ="Allowed GUI clients "
+ default = "0.0.0.0/0"
+}
+variable "smart_1_cloud_token" {
+ type = string
+ description ="(Optional) Smart-1 cloud token to connect this Gateway to Check Point's Security Management as a Service"
+ default = ""
+}
+variable "numAdditionalNICs" {
+ type = number
+ description ="Number of additional network interfaces"
+ default = 0
+}
+variable "externalIP" {
+ type = string
+ description = "External IP address type"
+ default = "static"
+}
+variable "internal_network1_network" {
+ type = list(string)
+ description = "1st internal network ID in the chosen zone."
+ default = []
+}
+variable "internal_network1_subnetwork" {
+ type = list(string)
+ description = "1st internal subnet ID in the chosen network."
+ default = []
+}
+variable "internal_network2_network" {
+ type = list(string)
+ description = "2nd internal network ID in the chosen zone."
+ default = []
+}
+variable "internal_network2_subnetwork" {
+ type = list(string)
+ description = "2nd internal subnet ID in the chosen network."
+ default = []
+}
+variable "internal_network3_network" {
+ type = list(string)
+ description = "3rd internal network ID in the chosen zone."
+ default = []
+}
+variable "internal_network3_subnetwork" {
+ type = list(string)
+ description = "3rd internal subnet ID in the chosen network."
+ default = []
+}
+variable "internal_network4_network" {
+ type = list(string)
+ description = "4th internal network ID in the chosen zone."
+ default = []
+}
+variable "internal_network4_subnetwork" {
+ type = list(string)
+ description = "4th internal subnet ID in the chosen network."
+ default = []
+}
+variable "internal_network5_network" {
+ type = list(string)
+ description = "5th internal network ID in the chosen zone."
+ default = []
+}
+variable "internal_network5_subnetwork" {
+ type = list(string)
+ description = "5th internal subnet ID in the chosen network."
+ default = []
+}
+variable "internal_network6_network" {
+ type = list(string)
+ description = "6th internal network ID in the chosen zone."
+ default = []
+}
+variable "internal_network6_subnetwork" {
+ type = list(string)
+ description = "6th internal subnet ID in the chosen network."
+ default = []
+}
+variable "internal_network7_network" {
+ type = list(string)
+ description = "7th internal network ID in the chosen zone."
+ default = []
+}
+variable "internal_network7_subnetwork" {
+ type = list(string)
+ description = "7th internal subnet ID in the chosen network."
+ default = []
+}
+variable "internal_network8_network" {
+ type = list(string)
+ description = "8th internal network ID in the chosen zone."
+ default = []
+}
+variable "internal_network8_subnetwork" {
+ type = list(string)
+ description = "8th internal subnet ID in the chosen network."
+ default = []
+}
diff --git a/gcp/deployment-packages/README.MD b/gcp/deployment-packages/README.MD
new file mode 100644
index 00000000..16194ca2
--- /dev/null
+++ b/gcp/deployment-packages/README.MD
@@ -0,0 +1,5 @@
+# Check Point CloudGuard IaaS GCP Deployment Manager packages
+This directory contains Check Point CloudGuard IaaS Deployment Manager packages for all the solutions available in the marketplace.
+
+# How to deploy the templates
+To deploy the Deployment Manager packages follow the instructions in the README.MD file in each directory.
diff --git a/gcp/deployment-packages/autoscale-byol/README.md b/gcp/deployment-packages/autoscale-byol/README.md
new file mode 100644
index 00000000..d11c9a1b
--- /dev/null
+++ b/gcp/deployment-packages/autoscale-byol/README.md
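Review bot: `sicKey` and `smart_1_cloud_token` are declared as plain `string` variables although both are credentials; each should carry `sensitive = true` so the values are redacted from plan output and logs. `managementGUIClientNetwork` defaults to `"0.0.0.0/0"`, so any-source GUI client access is the behaviour an operator gets by not setting the variable — either drop the default or say so explicitly in the description. `allowUploadDownload` is `type = string` with `default = true` while every other switch is `type = bool`; the value converts, but the mismatch invites mis-setting and the child module may expect a bool. The descriptions of `network_tcpSourceRanges` and `network_gwNetworkSourceRanges` are copied from `network_enableTcp` ("Allow TCP traffic from the Internet"), and "Please leave empty list to unable ICMP/UDP/SCTP/ESP traffic" should read "to disable".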
@@ -0,0 +1,126 @@ +# GCP Deployment Manager package for Check Point Autoscaling BYOL solution +This directory contains CloudGuard IaaS deployment package for Check Point Autoscaling (BYOL) solution published in the [GCP Marketplace](https://console.cloud.google.com/marketplace/details/checkpoint-public/check-point-autoscaling-byol). + +# How to deploy the package manually +To deploy the Deployment Manager's package manually, without using the GCP Marketplace, follow these instructions: +1. Clone or download the files in this directory +2. Fill variables in the config.yaml(see below for variables descriptions). +3. Log into [Google Cloud Platform Console](https://console.cloud.google.com) +4. [Activate Cloud Shell](https://cloud.google.com/shell/docs/using-cloud-shell) +5. Set your Cloud Platform project in the Cloud Shell session use: + + gcloud config set project [PROJECT_ID] +6. Upload the content of the CloudGuardIaaS/gcp/deployment-packages/autoscale-byol/ directory to the [cloud shell](https://cloud.google.com/shell/docs/uploading-and-downloading-files) +7. Launch deployment by running: + + gcloud deployment-manager deployments create [DEPLOYMENT_NAME] --config config.yaml +8. Make sure the deployment finished successfully.
Example of successful deployment output: + + The fingerprint of the deployment is h8R2exQYuc4bzlO14boUhg== + Waiting for create [operation-1585217870871-5a1bf4c15b9ea-f8d824d5-1089cc78]...done. + Create operation operation-1585217870871-5a1bf4c15b9ea-f8d824d5-1089cc78 completed successfully. + NAME TYPE STATE ERRORS INTENT + mig-as compute.v1.regionAutoscaler COMPLETED [] + mig-igm compute.v1.regionInstanceGroupManager COMPLETED [] + mig-vpc-icmp compute.v1.firewall COMPLETED [] + mig-vpc-udp compute.v1.firewall COMPLETED [] + mig-tmplt compute.v1.instanceTemplate COMPLETED [] + OUTPUTS VALUE + Deployment autoscale + Managed instance group https://www.googleapis.com/compute/v1/projects/checkpoint/regions/asia-east1/instanceGroups/autoscale-igm + Minimum instances 2 + Maximum instances 10 + Target CPU usage 60% + +## config.yaml variables +| Name | Description | Type | Allowed values | +| ------------- | ------------- | ------------- | ------------- | +| **autoscalingVersion** | Autoscaling Version | string | R80.40 Autoscaling;
R81.00 Autoscaling;
R81.10 Autoscaling;
R81.20 Autoscaling;| +| | | | | | +| **managementName** | Security Management Server name | string | The name of the Security Management Server as appears in autoprovisioning configuration | +| | | | | | +| **AutoProvTemplate** | Configuration template name | string | Specify the provisioning configuration template name (for autoprovisioning) | +| | | | | | +| **instanceSSHKey** | Public SSH key for the user 'admin' | string | A valid public ssh key | +| | | | | | +| **mgmtNIC** | Management Interface | string | Ephemeral Public IP (eth0)
; Private IP (eth1); | +| | | | | | +| **networkDefinedByRoutes** | Networks behind the Internal interface will be defined by routes.
Set eth1 topology to define the networks behind this interface by the routes configured on the gateway | boolean | true;
false; | +| | | | | | +| **shell** | Admin shell | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh;
| +| | | | | | +| **allowUploadDownload** | Allow download from/upload to Check Point | boolean | true;
false; | +| | | | | | +| **zone** | The zone determines what computing resources are available and where your data is stored and used | string | List of allowed [Regions and Zones](https://cloud.google.com/compute/docs/regions-zones?_ga=2.31926582.-962483654.1585043745) | +| | | | | | +| **networks** | The external networks ID in which the gateways will reside and internal networks ID in which application servers reside. | list(string) | Available network in the chosen zone | +| | | | | | +| **subnetworks** | External and Internal subnet ID. Assigns the instance an IPv4 address from the subnetwork’s range. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. | list(string) | Available subnetwork in the chosen network | +| | | | | | +| **enableIcmp** | Allow ICMP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **icmpSourceRanges** | Source IP ranges for ICMP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **enableTcp** | Allow TCP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **tcpSourceRanges** | Allow TCP traffic from the Internet | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009 [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **enableUdp** | Allow UDP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **udpSourceRanges** | Source IP ranges for UDP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **enableSctp** | Allow SCTP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **sctpSourceRanges** | Source IP ranges for SCTP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **enableEsp** | Allow ESP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **espSourceRanges** | Source IP ranges for ESP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **machineType** | Machine types determine the specifications of your machines, such as the amount of memory, virtual cores, and persistent disk limits an instance will have | string | [Learn more about Machine Types](https://cloud.google.com/compute/docs/machine-types?hl=en_US&_ga=2.267871494.-962483654.1585043745) | +| | | | | | +| **cpuUsage** | Target CPU usage (%).
Autoscaling adds or removes instances in the group to maintain this level of CPU usage on each instance | number | A number in the range 10 - 90 | +| | | | | | +| **minInstances** | Minimum number of instances | number | A number in the range 1 and the maximum number of instances | +| | | | | | +| **maxInstances** | Maximum number of instances | number | A number in the range the minimum number of instances and infinity | +| | | | | | +| **diskType** | Disk type | string | pd-ssd;
pd-standard;
Storage space is much less expensive for a standard persistent disk. An SSD persistent disk is better for random IOPS or streaming throughput with low latency. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.66020774.-962483654.1585043745#overview_of_disk_types)| +| | | | | | +| **bootDiskSizeGb** | Disk size in GB | number | Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.232680471.-962483654.1585043745#pdperformance)| +| | | | | | +| **enableMonitoring** | Enable Stackdriver monitoring | boolean | true;
false; | +| | | | | | + +## Example + autoscalingVersion: "R81.10 Autoscaling" + managementName: "mgmt" + AutoProvTemplate: "template" + instanceSSHKey: "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" + mgmtNIC: "Ephemeral Public IP (eth0)" + networkDefinedByRoutes: true + shell: "/bin/bash" + allowUploadDownload: true + zone: "asia-east1-a" + networks: ["external-vpc", "internal-vpc"] + subnetworks: ["frontend", "backend"] + enableIcmp: true + icmpSourceRanges: "0.0.0.0/0" + enableTcp: false + tcpSourceRanges: "" + enableUdp: true + udpSourceRanges: "0.0.0.0/0" + enableSctp: false + sctpSourceRanges: "" + enableEsp: false + espSourceRanges: "" + machineType: "n1-standard-4" + cpuUsage: 60 + minInstances: 2 + maxInstances: 10 + diskType: "pd-ssd" + bootDiskSizeGb: 100 + enableMonitoring: false + +## Notes +See [sk147032](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk147032) for revision history diff --git a/gcp/deployment-packages/autoscale-byol/c2d_deployment_configuration.json b/gcp/deployment-packages/autoscale-byol/c2d_deployment_configuration.json new file mode 100755 index 00000000..8103c6e1 --- /dev/null +++ b/gcp/deployment-packages/autoscale-byol/c2d_deployment_configuration.json @@ -0,0 +1,7 @@ +{ + "defaultDeploymentType": "MULTI_VM", + "imageName": "check-point-r8120-gw-byol-mig-634-991001611-v20240613", + "projectId": "checkpoint-public", + "templateName": "nonexistent_template", + "useSolutionPackage": "true" +} diff --git a/gcp/deployment-packages/autoscale-byol/check-point-autoscale--byol.py b/gcp/deployment-packages/autoscale-byol/check-point-autoscale--byol.py new file mode 100755 index 00000000..226e09ea --- /dev/null +++ b/gcp/deployment-packages/autoscale-byol/check-point-autoscale--byol.py 
@@ -0,0 +1,379 @@ +# Copyright 2016 Check Point Software LTD. + +import common +import default +import images +import password + +GATEWAY = 'checkpoint-gateway' +PROJECT = 'checkpoint-public' +LICENSE = 'byol' +LICENCE_TYPE = 'mig' + +VERSIONS = { + 'R81.10-GW': 'r8110-gw', + 'R81.20-GW': 'r8120-gw' +} + +TEMPLATE_NAME = 'autoscale' +TEMPLATE_VERSION = '20240714' + +startup_script = ''' +#cloud-config +runcmd: + - 'python3 /etc/cloud_config.py "generatePassword=\\"{generatePassword}\\"" "allowUploadDownload=\\"{allowUploadDownload}\\"" "templateName=\\"{templateName}\\"" "templateVersion=\\"{templateVersion}\\"" "mgmtNIC=\\"{mgmtNIC}\\"" "hasInternet=\\"{hasInternet}\\"" "config_url=\\"{config_url}\\"" "config_path=\\"{config_path}\\"" "installationType=\\"{installationType}\\"" "enableMonitoring=\\"{enableMonitoring}\\"" "shell=\\"{shell}\\"" "computed_sic_key=\\"{computed_sic_key}\\"" "sicKey=\\"{sicKey}\\"" "managementGUIClientNetwork=\\"{managementGUIClientNetwork}\\"" "primary_cluster_address_name=\\"{primary_cluster_address_name}\\"" "secondary_cluster_address_name=\\"{secondary_cluster_address_name}\\"" "managementNetwork=\\"{managementNetwork}\\"" "numAdditionalNICs=\\"{numAdditionalNICs}\\"" "smart1CloudToken=\\"{smart1CloudToken}\\"" "name=\\"{name}\\"" "zone=\\"{zoneConfig}\\"" "region=\\"{region}\\"" "osVersion=\\"{osVersion}\\"" "MaintenanceModePassword=\\"{maintenanceMode}\\""' +''' + + +def make_nic(context, net_name, subnet, external_ip=False): + prop = context.properties + network_interface = { + 'kind': 'compute#networkInterface', + 'network': common.GlobalNetworkLink(prop['project'], net_name) + } + if subnet: + network_interface["subnetwork"] = common.MakeRegionalSubnetworkLink( + prop['project'], prop['zone'], subnet) + # add ephemeral public IP address + if external_ip: + network_interface["accessConfigs"] = \ + [make_access_config(name="external-nat")] + return network_interface + + +def create_nics(context): + prop = context.properties + 
firewall_rules = create_firewall_rules(context) + if firewall_rules: + prop['resources'].extend(firewall_rules) + networks = prop.setdefault('networks', ['default']) + subnetworks = prop.get('subnetworks', []) + nics = [] + for i in range(len(networks)): + name = networks[i] + subnet = '' + external_ip = prop.get('gatewayExternalIP') and i == 0 + if subnetworks and i < len(subnetworks) and subnetworks[i]: + subnet = subnetworks[i] + network_interface = make_nic(context, name, subnet, external_ip) + nics.append(network_interface) + return nics + + +def create_firewall_rules(context): + prop = context.properties + deployment = prop['deployment'] + network = prop.setdefault('networks', ['default'])[0] + firewall_rules = [] + protocols = ['Icmp', 'Udp', 'Tcp', 'Sctp', 'Esp'] + for protocol in protocols: + proto = protocol.lower() + source_ranges = prop.get(proto + 'SourceRanges', '') + protocol_enabled = prop.get('enable' + protocol, '') + if protocol_enabled and source_ranges: + firewall_rules.append(make_firewall_rule( + proto, source_ranges, deployment, network)) + return firewall_rules + + +def make_firewall_rule(protocol, source_ranges, deployment, net_name): + fw_rule_name = '%s-%s-%s' % (deployment[:34], net_name[:22], protocol) + ranges = [] + ranges_list = source_ranges.split(',') + for source_range in ranges_list: + ranges.append(source_range.replace(" ", "")) + firewall_rule = { + 'type': default.FIREWALL, + 'name': fw_rule_name, + 'properties': { + 'network': 'global/networks/' + net_name, + 'sourceRanges': ranges, + 'targetTags': [GATEWAY], + 'allowed': [{'IPProtocol': protocol}] + } + } + return firewall_rule + + +def create_instance_template(context, + name, + nics, + depends_on=None, + gw_version=VERSIONS['R81.20-GW']): + if 'gw' in gw_version: + license_name = "{}-{}".format(LICENSE, LICENCE_TYPE) + else: + license_name = LICENSE + family = '-'.join(['check-point', gw_version, license_name]) + formatter = common.DefaultFormatter() + 
instance_template_name = common.AutoName(name, default.TEMPLATE) + instance_template = { + "type": default.TEMPLATE, + "name": instance_template_name, + 'metadata': { + 'dependsOn': depends_on + }, + "properties": { + "project": context.properties['project'], + "properties": { + "canIpForward": True, + "disks": [{"autoDelete": True, + "boot": True, + "deviceName": common.set_name_and_truncate( + context.properties['deployment'], + '-{}-boot'.format(name)), + "index": 0, + "initializeParams": { + "diskType": + context.properties['diskType'], + "diskSizeGb": + context.properties['bootDiskSizeGb'], + "sourceImage": + 'projects/%s/global/images/%s' % ( + PROJECT, images.IMAGES[family]) + }, + "kind": 'compute#attachedDisk', + "mode": "READ_WRITE", + "type": "PERSISTENT"}], + "machineType": context.properties['machineType'], + "networkInterfaces": nics, + 'metadata': { + "kind": 'compute#metadata', + 'items': [ + { + 'key': 'startup-script', + 'value': formatter.format( + startup_script, **context.properties) + }, + { + 'key': 'serial-port-enable', + 'value': 'true' + } + ]}, + "scheduling": { + "automaticRestart": True, + "onHostMaintenance": "MIGRATE", + "preemptible": False + }, + "serviceAccounts": [ + { + "email": "default", + "scopes": [ + "https://www.googleapis.com/" + + "auth/devstorage.read_only", + "https://www.googleapis.com/auth/logging.write", + "https://www.googleapis.com/auth/monitoring.write", + "https://www.googleapis.com/auth/pubsub", + "https://www.googleapis.com/" + + "auth/service.management.readonly", + "https://www.googleapis.com/auth/servicecontrol", + "https://www.googleapis.com/auth/trace.append" + ] + }], + "tags": { + "items": [ + 'x-chkp-management--{}'. + format(context.properties['managementName']), + 'x-chkp-template--{}'. 
+ format(context.properties['AutoProvTemplate']), + 'checkpoint-gateway' + ] + } + } + } + } + tagItems = instance_template['properties']['properties']['tags']['items'] + if context.properties['mgmtNIC'] == 'Ephemeral Public IP (eth0)': + tagItems.append("x-chkp-ip-address--public") + tagItems.append("x-chkp-management-interface--eth0") + elif context.properties['mgmtNIC'] == 'Private IP (eth1)': + tagItems.append("x-chkp-ip-address--private") + tagItems.append("x-chkp-management-interface--eth1") + if context.properties['networkDefinedByRoutes']: + tagItems.append("x-chkp-topology-eth1--internal") + tagItems.append("x-chkp-topology-settings-eth1" + "--network-defined-by-routes") + metadata = instance_template['properties']['properties']['metadata'] + if 'instanceSSHKey' in context.properties: + metadata['items'].append( + { + 'key': 'instanceSSHKey', + 'value': context.properties['instanceSSHKey'] + } + ) + passwd = '' + if context.properties['generatePassword']: + passwd = password.GeneratePassword(12, False) + metadata['items'].append( + { + 'key': 'adminPasswordSourceMetadata', + 'value': passwd + } + ) + return instance_template, passwd + + +def GenerateAutscaledGroup(context, name, + instance_template, depends_on=None): + prop = context.properties + igm_name = common.AutoName(name, default.IGM) + depends_on = depends_on + resource = { + 'name': igm_name, + 'metadata': { + 'dependsOn': depends_on + }, + 'type': default.REGION_IGM, + 'properties': { + 'region': common.ZoneToRegion(prop.get("zone")), + 'baseInstanceName': name, + 'instanceTemplate': '$(ref.' 
+ instance_template + '.selfLink)', + 'targetSize': prop.get("minInstances"), + # 'autoHealingPolicies': [{ + # 'initialDelaySec': 60 + # }] + } + } + return resource + + +def CreateAutscaler(context, name, + igm, cpu_usage, depends_on=None): + prop = context.properties + autoscaler_name = common.AutoName(name, default.AUTOSCALER) + depends_on = depends_on + cpu_usage = float(cpu_usage) / 100 + resource = { + 'name': autoscaler_name, + 'metadata': { + 'dependsOn': depends_on + }, + 'type': default.REGION_AUTOSCALER, + 'properties': { + 'target': '$(ref.' + igm + '.selfLink)', + 'region': common.ZoneToRegion(prop.get("zone")), + 'autoscalingPolicy': { + 'minNumReplicas': int(prop.get("minInstances")), + 'maxNumReplicas': int(prop.get("maxInstances")), + 'cpuUtilization': { + 'utilizationTarget': cpu_usage + }, + 'coolDownPeriodSec': 90 + } + } + } + return resource + + +def make_access_config(name=None): + access_config = { + 'type': default.ONE_NAT, + "kind": 'compute#accessConfig' + } + if name: + access_config['name'] = name + return access_config + + +def validate_region(test_zone, valid_region): + test_region = common.ZoneToRegion(test_zone) + if test_region != valid_region: + err_msg = '{} is in region {}. All subnets must be ' + \ + 'in the same region ({})' + raise common.Error( + err_msg.format(test_zone, test_region, valid_region) + ) + + +@common.FormatErrorsDec +def generate_config(context): + # This method will: + # 1. Create a instance template for a security GW + # (with a tag for the managing security server) + # 2. Create a managed instance group + # (based on the instance template and zones list provided by the user) + # 3. 
Configure autoscaling + # (based on min, max & policy settings provided by the user) + prop = context.properties + prop['deployment'] = context.env['deployment'] + prop['project'] = context.env['project'] + prop['templateName'] = TEMPLATE_NAME + prop['templateVersion'] = TEMPLATE_VERSION + prop['allowUploadDownload'] = str(prop['allowUploadDownload']).lower() + prop['hasInternet'] = 'true' # via Google Private Access + prop['installationType'] = 'AutoScale' + prop['resources'] = [] + prop['outputs'] = [] + prop['gw_dependencies'] = [] + prop['computed_sic_key'] = password.GeneratePassword(12, False) + prop['gatewayExternalIP'] = (prop['mgmtNIC'] == + 'Ephemeral Public IP (eth0)') + version_chosen = prop['autoscalingVersion'].split(' ')[0] + "-GW" + prop['osVersion'] = prop['autoscalingVersion'].split(' ')[0].replace( + ".", "") + nics = create_nics(context) + gw_template, passwd = create_instance_template(context, + prop['deployment'], + nics, + depends_on=prop[ + 'gw_dependencies'], + gw_version=VERSIONS[ + version_chosen]) + prop['resources'] += [gw_template] + prop['igm_dependencies'] = [gw_template['name']] + igm = GenerateAutscaledGroup(context, + prop['deployment'], + gw_template['name'], + prop['igm_dependencies']) + prop['resources'] += [igm] + prop['autoscaler_dependencies'] = [igm['name']] + cpu_usage = prop.get("cpuUsage") + autoscaler = CreateAutscaler(context, + prop['deployment'], + igm['name'], + cpu_usage, + prop['autoscaler_dependencies']) + prop['resources'] += [autoscaler] + prop['outputs'] += [ + { + 'name': 'deployment', + 'value': prop['deployment'] + }, + { + 'name': 'project', + 'value': prop['project'] + }, + { + 'name': 'instanceTemplateName', + 'value': gw_template['name'] + }, + { + 'name': 'InstanceTemplateLink', + 'value': common.Ref(gw_template['name']) + }, + { + 'name': 'IGMname', + 'value': igm['name'] + }, + { + 'name': 'IGMLink', + 'value': common.RefGroup(igm['name']) + }, + { + 'name': 'cpuUsagePercentage', + 'value': 
str(int(prop['cpuUsage'])) + '%' + }, + { + 'name': 'minInstancesInt', + 'value': str(int(prop['minInstances'])) + }, + { + 'name': 'maxInstancesInt', + 'value': str(int(prop['maxInstances'])) + }, + { + 'name': 'password', + 'value': passwd + } + ] + return common.MakeResource(prop['resources'], prop['outputs']) diff --git a/gcp/deployment-packages/autoscale-byol/check-point-autoscale--byol.py.schema b/gcp/deployment-packages/autoscale-byol/check-point-autoscale--byol.py.schema new file mode 100755 index 00000000..65b41f3d --- /dev/null +++ b/gcp/deployment-packages/autoscale-byol/check-point-autoscale--byol.py.schema 
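Review bot: The generated SIC key and admin password are placed in clear text in the instance template's metadata — `{computed_sic_key}`, `{sicKey}`, `{smart1CloudToken}` and `{maintenanceMode}` are interpolated into `startup_script`, `create_instance_template` adds `adminPasswordSourceMetadata`, and `generate_config` additionally returns `passwd` as the deployment output `password` — so any principal able to read the template, instance metadata or deployment outputs obtains them; at minimum a module comment should state this, and a Secret Manager reference in place of metadata would be the stronger design. `generate_config` indexes `VERSIONS[version_chosen]` without a guard, so an `autoscalingVersion` outside the two keys (the README added in this commit still lists R80.40 and R81.00) ends in a bare `KeyError` instead of a message; `if version_chosen not in VERSIONS: raise common.Error('unsupported autoscalingVersion %s' % prop['autoscalingVersion'])` before the lookup would fail clearly, unless the schema's enum already rules it out. The template also sets `serial-port-enable` to `'true'` unconditionally, enabling the interactive serial console on every gateway; a property defaulting to false would narrow the exposed surface. Property values are interpolated into the quoted `runcmd` line in `startup_script` without escaping, so a value containing a double quote breaks the command; escaping them, or passing them as separate metadata keys read by `/etc/cloud_config.py`, would be more robust.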
@@ -0,0 +1,213 @@ +imports: + - path: check-point-autoscale--byol.py + +info: + version: 1.0 + title: Check Point CloudGuard Network Security Autoscaling - BYOL Template + +required: + - autoscalingVersion + - networks + - zone + - machineType + - cpuUsage + - minInstances + - maxInstances + - diskType + - bootDiskSizeGb + - managementName + - AutoProvTemplate + - allowUploadDownload + - networkDefinedByRoutes + - shell + - enableMonitoring + - generatePassword + +properties: + zone: + type: string + default: us-central1-a + x-googleProperty: + type: GCE_ZONE + networks: + type: array + default: [default, default1] + minItems: 2 + maxItems: 2 + x-googleProperty: + type: GCE_NETWORK + gceNetwork: + labels: + - External + - Internal + allowSharedVpcs: True + machineTypeProperty: machineType + subnetworks: + type: array + minItems: 2 + maxItems: 2 + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: networks + mgmtNIC: + type: string + default: Ephemeral Public IP (eth0) + enum: + - Ephemeral Public IP (eth0) + - Private IP (eth1) + enableIcmp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: networks + icmpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: enableIcmp + enableTcp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: networks + tcpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: enableTcp + enableUdp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: networks + udpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: enableUdp + enableSctp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: 
networks + sctpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: enableSctp + enableEsp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: networks + espSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: enableEsp + machineType: + type: string + default: n1-standard-4 + x-googleProperty: + type: GCE_MACHINE_TYPE + zoneProperty: zone + gceMachineType: + minCpu: 2 + minRamGb: 1.843000054359436 + cpuUsage: + type: integer + minimum: 10 + maximum: 90 + default: 60 + minInstances: + type: integer + minimum: 1 + maximum: 16384 + default: 2 + maxInstances: + type: integer + minimum: 1 + maximum: 32768 + default: 10 + instanceSSHKey: + type: string + pattern: ^([0-9a-z\-]+ +[0-9A-Za-z/\+=]+( .*)?|)$ + default: '' + diskType: + type: string + default: pd-ssd + x-googleProperty: + type: GCE_DISK_TYPE + zoneProperty: zone + bootDiskSizeGb: + type: integer + default: 100 + minimum: 100 + maximum: 4096 + x-googleProperty: + type: GCE_DISK_SIZE + gceDiskSize: + diskTypeProperty: diskType + autoscalingVersion: + type: string + default: R81.20 Autoscaling + enum: + - R81.10 Autoscaling + - R81.20 Autoscaling + managementName: + type: string + default: 'checkpoint-management' + pattern: ^([ -~]+)$ + AutoProvTemplate: + type: string + default: 'gcp-asg-autoprov-tmplt' + pattern: ^([ -~]{1,30})$ + enableMonitoring: + type: boolean + default: False + networkDefinedByRoutes: + type: boolean + default: True + allowUploadDownload: + type: boolean + default: True + generatePassword: + type: boolean + default: False + maintenanceMode: + type: string + pattern: ^([a-z0-9A-Z.]{12,300}|)$ + default: '' + shell: + type: string + default: /etc/cli.sh + enum: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + +outputs: + deployment: + type: string + project: + type: string + password: + type: string \ 
No newline at end of file diff --git a/gcp/deployment-packages/autoscale-byol/common.py b/gcp/deployment-packages/autoscale-byol/common.py new file mode 100755 index 00000000..e123c502 --- /dev/null +++ b/gcp/deployment-packages/autoscale-byol/common.py 
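Review bot: `subnetworks` is declared with `minItems: 2` / `maxItems: 2` but has no `default` and is missing from the `required` list, so a config that omits it passes schema validation and the omission only surfaces later, presumably when the template builds the NICs from it; adding `- subnetworks` under `required` moves that failure to the schema where the message is clear. Every other input the template consumes without a default (`networks`, `zone`, `machineType`) is already listed there, so this looks like an oversight rather than a choice.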
@@ -0,0 +1,262 @@ +# Copyright 2015 Google Inc. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +"""Generic simple functions used for python based template generation.""" + +import re +import sys +import traceback +import default +import string + +import yaml + +RFC1035_RE = re.compile(r'^[a-z][-a-z0-9]{1,61}[a-z0-9]{1}$') + + +class Error(Exception): + """Common exception wrapper for template exceptions.""" + pass + + +class DefaultFormatter(string.Formatter): + """Returns default instead of key error when looking for keys. + + Used for startup-script which contains params from multiple deployments + whiles keys from one deployment may not be set in another. 
+ """ + def __init__(self, default=''): + self.default = default + def get_value(self, key, args, dict): + if isinstance(key, str): + return dict.get(key, self.default) + else: + return string.Formatter.get_value(key, args, dict) + + +def set_name_and_truncate(primary, secondary, maxlength=62): + return '%s%s' % (primary[:maxlength - len(secondary)], secondary) + + +def AddDiskResourcesIfNeeded(context): + """Checks context if disk resources need to be added.""" + if default.DISK_RESOURCES in context.properties: + return context.properties[default.DISK_RESOURCES] + else: + return [] + + +def AutoName(base, resource, *args): + """Helper method to generate names automatically based on default.""" + auto_name = '%s-%s' % (base, '-'.join(list(args) + [default.AKA[resource]])) + if not RFC1035_RE.match(auto_name): + raise Error('"%s" name for type %s does not match RFC1035 regex (%s)' % + (auto_name, resource, RFC1035_RE.pattern)) + return auto_name + + +def AutoRef(base, resource, *args): + """Helper method that builds a reference for an auto-named resource.""" + return Ref(AutoName(base, resource, *args)) + + +def OrderedItems(dict_obj): + """Convenient method to yield sorted iteritems of a dictionary.""" + keys = list(dict_obj.keys()) + keys.sort() + for k in keys: + yield (k, dict_obj[k]) + + +def ShortenZoneName(zone): + """Given a string that looks like a zone name, creates a shorter version.""" + geo, coord, number, letter = re.findall(r'(\w+)-(\w+)(\d)-(\w)', zone)[0] + geo = geo.lower() if len(geo) == 2 else default.LOC[geo.lower()] + coord = default.LOC[coord.lower()] + number = str(number) + letter = letter.lower() + return geo + '-' + coord + number + letter + + +def ZoneToRegion(zone): + """Derives the region from a zone name.""" + parts = zone.split('-') + if len(parts) != 3: + raise Error('Cannot derive region from zone "%s"' % zone) + return '-'.join(parts[:2]) + + +def FormatException(message): + """Adds more information to the exception.""" + message = 
('Exception Type: %s\n' + 'Details: %s\n' + 'Message: %s\n') % (sys.exc_info()[0], + traceback.format_exc(), message) + return message + + +def Ref(name): + return '$(ref.%s.selfLink)' % name + + +def RefGroup(name): + return '$(ref.%s.instanceGroup)' % name + + +def GlobalComputeLink(project, collection, name): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/global/', + collection, '/', name]) + +def GlobalNetworkLink(project, network): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/global/', + default.NETWORKS, '/', network]) + + +def LocalComputeLink(project, zone, key, value): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/zones/', + zone, '/', key, '/', value]) + + +def ReadContext(context, prop_key): + return (context.env['project'], context.properties.get('zone', None), + context.properties[prop_key]) + + +def MakeLocalComputeLink(context, key, zone=None): + if not zone: + project, zone, value = ReadContext(context, key) + else: + project, _, value = ReadContext(context, key) + + if IsComputeLink(value): + return value + else: + return LocalComputeLink(project, zone, key + 's', value) + + +def MakeGlobalComputeLink(context, key): + project, _, value = ReadContext(context, key) + if IsComputeLink(value): + return value + else: + return GlobalComputeLink(project, key + 's', value) + +def MakeRegionalSubnetworkLink(project, zone, subnet): + region = ZoneToRegion(zone) + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/regions/', + region, '/subnetworks/', subnet]) + + +def MakeSubnetworkComputeLink(context, key): + project, zone, value = ReadContext(context, key) + region = ZoneToRegion(zone) + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/regions/', + region, '/subnetworks/', value]) + + +def MakeFQHN(context, name): + return '%s.c.%s.internal' % (name, context.env['project']) + + +# TODO(victorg): Consider moving this method to a different file +def 
MakeC2DImageLink(name, dev_mode=False): + if IsGlobalProjectShortcut(name) or name.startswith('http'): + return name + else: + if dev_mode: + return 'global/images/%s' % name + else: + return GlobalComputeLink(default.C2D_IMAGES, 'images', name) + + +def IsGlobalProjectShortcut(name): + return name.startswith('projects/') or name.startswith('global/') + + +def IsComputeLink(name): + return (name.startswith(default.COMPUTE_URL_BASE) or + name.startswith(default.REFERENCE_PREFIX)) + + +def GetNamesAndTypes(resources_dict): + return [(d['name'], d['type']) for d in resources_dict] + + +def SummarizeResources(res_dict): + """Summarizes the name of resources per resource type.""" + result = {} + for res in res_dict: + result.setdefault(res['type'], []).append(res['name']) + return result + + +def ListPropertyValuesOfType(res_dict, prop, res_type): + """Lists all the values for a property of a certain type.""" + return [r['properties'][prop] for r in res_dict if r['type'] == res_type] + + +def MakeResource(resource_list, output_list=None): + """Wrapper for a DM template basic spec.""" + content = {'resources': resource_list} + if output_list: + content['outputs'] = output_list + return yaml.dump(content) + + +def TakeZoneOut(properties): + """Given a properties dictionary, removes the zone specific information.""" + + def _CleanZoneUrl(value): + value = value.split('/')[-1] if IsComputeLink(value) else value + return value + + for name in default.VM_ZONE_PROPERTIES: + if name in properties: + properties[name] = _CleanZoneUrl(properties[name]) + if default.ZONE in properties: + properties.pop(default.ZONE) + if default.BOOTDISK in properties: + properties[default.BOOTDISK] = _CleanZoneUrl(properties[default.BOOTDISK]) + if default.DISKS in properties: + for disk in properties[default.DISKS]: + # Don't touch references to other disks + if default.DISK_SOURCE in disk: + continue + if default.INITIALIZEP in disk: + disk_init = disk[default.INITIALIZEP] + if default.DISKTYPE 
in disk_init: + disk_init[default.DISKTYPE] = _CleanZoneUrl(disk_init[default.DISKTYPE]) + + +def GenerateEmbeddableYaml(yaml_string): + # Because YAML is a space delimited format, we need to be careful about + # embedding one YAML document in another. This function takes in a string in + # YAML format and produces an equivalent YAML representation that can be + # inserted into arbitrary points of another YAML document. It does so by + # printing the YAML string in a single line format. Consistent ordering of + # the string is also guaranteed by using yaml.dump. + yaml_object = yaml.load(yaml_string) + dumped_yaml = yaml.dump(yaml_object, default_flow_style=True) + return dumped_yaml + + +def FormatErrorsDec(func): + """Decorator to format exceptions if they get raised.""" + + def FormatErrorsWrap(context): + try: + return func(context) + except Exception as e: + raise Error(FormatException(e.message)) + + return FormatErrorsWrap diff --git a/gcp/deployment-packages/autoscale-byol/config.yaml b/gcp/deployment-packages/autoscale-byol/config.yaml new file mode 100644 index 00000000..bc223154 --- /dev/null +++ b/gcp/deployment-packages/autoscale-byol/config.yaml 
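Review bot: `GenerateEmbeddableYaml` calls `yaml.load(yaml_string)` without a `Loader`; on PyYAML 5.1+ that warns or raises, and on older versions it is the full loader, which can instantiate arbitrary Python objects from tagged YAML. The input here is template-generated rather than user-supplied, but `yaml.safe_load` is the right default and is sufficient for a plain document: `yaml_object = yaml.safe_load(yaml_string)`. Two Python 3 slips in the same file: `FormatErrorsWrap` reads `e.message`, which does not exist on Python 3 exceptions, so the wrapper raises AttributeError and hides the original error (`raise Error(FormatException(str(e))) from e`), and `DefaultFormatter.get_value` calls `string.Formatter.get_value(key, args, dict)` without `self`, which misaligns the arguments and fails with TypeError; it should be `return super().get_value(key, args, dict)`.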
@@ -0,0 +1,50 @@ +imports: +- path: check-point-autoscale--byol.py +- path: common.py +- path: default.py +- path: password.py +- path: images.py + +resources: +- name: check-point-autoscale--byol + type: check-point-autoscale--byol.py + properties: + autoscalingVersion: "PLEASE ENTER AUTOSCALE VERSION" + managementName: "PLEASE ENTER MANAGEMENT NAME" + AutoProvTemplate: "PLEASE ENTER AUTOPROVISION TEMPLATE NAME" + instanceSSHKey: "PLEASE ENTER A VALID PUBLIC KEY" + mgmtNIC: "PLEASE ENTER MANAGEMENT NIC TYPE" + networkDefinedByRoutes: "PLEASE ENTER true or false" + shell: "PLEASE ENTER A SHELL" + allowUploadDownload: "PLEASE ENTER true or false" + zone: "PLEASE ENTER A ZONE" + networks: "PLEASE ENTER A LIST OF EXTERNAL AND INTERNAL NETWORKS ID" + subnetworks: "PLEASE ENTER A LIST OF EXTERNAL AND INTERNAL SUBNETWORKS ID" + enableIcmp: "PLEASE ENTER true or false" + icmpSourceRanges: "PLEASE ENTER ICMP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES" + enableTcp: "PLEASE ENTER true or false" + tcpSourceRanges: "PLEASE ENTER TCP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES" + enableUdp: "PLEASE ENTER true or false" + udpSourceRanges: "PLEASE ENTER UDP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES" + enableSctp: "PLEASE ENTER true or false" + sctpSourceRanges: "PLEASE ENTER SCTP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES" + enableEsp: "PLEASE ENTER true or false" + espSourceRanges: "PLEASE ENTER ESP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES" + machineType: "PLEASE ENTER A MACHINE TYPE" + cpuUsage: "PLEASE ENTER CPU USAGE (%)" + minInstances: "PLEASE ENTER MINIMUM NUMBER OF INSTANCES" + maxInstances: "PLEASE ENTER MAXIMUM NUMBER OF INSTANCES" + diskType: "PLEASE ENTER A DISK TYPE" + bootDiskSizeGb: "PLEASE ENTER A DISK SIZE" + enableMonitoring: "PLEASE ENTER true or false" +outputs: +- name: "Deployment" + value: $(ref.check-point-autoscale--byol.deployment) +- name: "Managed instance group" + value: $(ref.check-point-autoscale--byol.IGMLink) +- name: "Minimum instances" + 
value: $(ref.check-point-autoscale--byol.minInstancesInt) +- name: "Maximum instances" + value: $(ref.check-point-autoscale--byol.maxInstancesInt) +- name: "Target CPU usage" + value: $(ref.check-point-autoscale--byol.cpuUsagePercentage) \ No newline at end of file diff --git a/gcp/deployment-packages/autoscale-byol/default.py b/gcp/deployment-packages/autoscale-byol/default.py new file mode 100755 index 00000000..0c7dd919 --- /dev/null +++ b/gcp/deployment-packages/autoscale-byol/default.py 
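Review bot: `networks` and `subnetworks` are given as single placeholder strings, while the schema declares both as arrays of exactly two items, so a user who edits the text in place still fails validation with a type error; showing the list form in the placeholder avoids that: `networks: ["PLEASE ENTER EXTERNAL NETWORK ID", "PLEASE ENTER INTERNAL NETWORK ID"]` and the same shape for `subnetworks`. The boolean and integer placeholders have the same property, but a quoted string is the only way to leave a hint there, so those can stay.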
@@ -0,0 +1,134 @@ +# Copyright 2015 Google Inc. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +"""Convenience module to hold default constants for C2D components. + +There should not be any logic in this module. Its purpose is to simplify +analysis of commonly used GCP and properties names and identify the names +that were custom created for these modules. +""" +# Generic constants +C2D_IMAGES = 'click-to-deploy-images' + +# URL constants +COMPUTE_URL_BASE = 'https://www.googleapis.com/compute/v1/' + +# Deployment Manager constructs +REFERENCE_PREFIX = '$(ref.' 
+ +# Commonly used in properties namespace +AUTO_DELETE = 'autoDelete' +BOOTDISK = 'bootDiskType' +BOOTDISKSIZE = 'bootDiskSizeGb' +C_IMAGE = 'containerImage' +DC_MANIFEST = 'dcManifest' +DEPLOYMENT = 'DEPLOYMENT' # used in the deployment coordinator +DISK_NAME = 'diskName' +DISK_RESOURCES = 'addedDiskResources' +DISK_SOURCE = 'source' +ENDPOINT_NAME = 'serviceRegistryEndpointName' +FIXED_GCLOUD = 'fixedGcloud' +GENERATED_PROP = 'generatedProperties' +INITIALIZEP = 'initializeParams' +INSTANCE_NAME = 'instanceName' +LOCAL_SSD = 'localSSDs' +MAX_NUM = 'maxNumReplicas' +NETWORKS = 'networks' +NO_SCOPE = 'noScope' +PROVIDE_BOOT = 'provideBoot' +REPLICAS = 'replicas' +SIZE = 'size' +VM_COPIES = 'numberOfVMReplicas' +ZONES = 'zones' + +# Common properties values (only official GCP values allowed here) +EXTERNAL = 'External NAT' +ONE_NAT = 'ONE_TO_ONE_NAT' + +# Common 1st level properties (only official GCP names allowed here) +CAN_IP_FWD = 'canIpForward' +CONTAINER = 'container' +DCKRENV = 'dockerEnv' +DCKRIMAGE = 'dockerImage' +DEFAULT_SERVICE = 'defaultService' +DEVICE_NAME = 'deviceName' +DISKS = 'disks' +DISK_SIZE = 'diskSizeGb' +DISKTYPE = 'diskType' +HEALTH_PATH = 'healthPath' +HOST_RULES = 'hostRules' +IP_PROTO = 'IPProtocol' +MACHINETYPE = 'machineType' +METADATA = 'metadata' +NAME = 'name' +NETWORK = 'network' +NETWORKS = 'networks' +SUBNETWORK = 'subnetwork' +PATH_MATCHERS = 'pathMatchers' +PORT = 'port' +PROJECT = 'project' +SERVICE = 'service' +SERVICE_ACCOUNTS = 'serviceAccounts' +SRCIMAGE = 'sourceImage' +SRC_RANGES = 'sourceRanges' +TAGS = 'tags' +TYPE = 'type' +VM_TEMPLATE = 'instanceTemplate' +ZONE = 'zone' + +# Zone specfic VM properties +VM_ZONE_PROPERTIES = [DISKTYPE, MACHINETYPE, BOOTDISK] + +# Resource type defaults names +ADDRESS = 'compute.v1.address' +AUTOSCALER = 'compute.v1.autoscaler' +BACKEND_SERVICE = 'compute.v1.backendService' +DISK = 'compute.v1.disk' +ENDPOINT = 'serviceregistry.v1alpha.endpoint' +FIREWALL = 'compute.v1.firewall' 
+GF_RULE = 'compute.v1.globalForwardingRule' +HEALTHCHECK = 'compute.v1.httpHealthCheck' +IGM = 'compute.v1.instanceGroupManager' +INSTANCE = 'compute.v1.instance' +PROXY = 'compute.v1.targetHttpProxy' +TEMPLATE = 'compute.v1.instanceTemplate' +REGION_IGM = 'compute.v1.regionInstanceGroupManager' +REGION_AUTOSCALER = 'compute.v1.regionAutoscaler' +URL_MAP = 'compute.v1.urlMap' +VPC='compute.v1.network' +VPC_SUBNET='compute.v1.subnetwork' + +# Also Known As constants +AKA = { + TEMPLATE: 'tmplt', + AUTOSCALER: 'as', + BACKEND_SERVICE: 'bes', + DISK: 'disk', + FIREWALL: 'fwall', + GF_RULE: 'ip', + HEALTHCHECK: 'hc', + INSTANCE: 'vm', + PROXY: 'tproxy', + IGM: 'igm', + URL_MAP: 'umap', +} + +LOC = { + 'europe': 'eu', + 'asia': 'as', + 'central': 'c', + 'east': 'e', + 'west': 'w', + 'north': 'n', + 'south': 's', +} diff --git a/gcp/deployment-packages/autoscale-byol/images.py b/gcp/deployment-packages/autoscale-byol/images.py new file mode 100755 index 00000000..7b04bee0 --- /dev/null +++ b/gcp/deployment-packages/autoscale-byol/images.py 
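Review bot: `NETWORKS = 'networks'` is assigned twice in this hunk, once under "Commonly used in properties namespace" and again under "Common 1st level properties"; the second silently wins and a future edit to one copy would not reach the other, so one of them should be dropped. Style only: `VPC='compute.v1.network'` and `VPC_SUBNET='compute.v1.subnetwork'` omit the spaces around `=` that every other constant in the module uses.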
@@ -0,0 +1,34 @@ +IMAGES = { + "check-point-r8120-payg": "check-point-r8120-payg-631-991001560-v20240425", + "check-point-r8120-gw-payg-single": "check-point-r8120-gw-payg-single-631-991001560-v20240425", + "check-point-r8120-gw-payg-mig": "check-point-r8120-gw-payg-mig-631-991001560-v20240425", + "check-point-r8120-gw-payg-cluster": "check-point-r8120-gw-payg-cluster-631-991001560-v20240425", + "check-point-r8120-gw-byol-single": "check-point-r8120-gw-byol-single-631-991001560-v20240425", + "check-point-r8120-gw-byol-mig": "check-point-r8120-gw-byol-mig-631-991001560-v20240425", + "check-point-r8120-gw-byol-cluster": "check-point-r8120-gw-byol-cluster-631-991001560-v20240425", + "check-point-r8120-byol": "check-point-r8120-byol-631-991001560-v20240425", + "check-point-r8110-payg": "check-point-r8110-payg-335-991001560-v20240425", + "check-point-r8110-gw-payg-single": "check-point-r8110-gw-payg-single-335-991001560-v20240425", + "check-point-r8110-gw-payg-mig": "check-point-r8110-gw-payg-mig-335-991001560-v20240425", + "check-point-r8110-gw-payg-cluster": "check-point-r8110-gw-payg-cluster-335-991001560-v20240425", + "check-point-r8110-gw-byol-single": "check-point-r8110-gw-byol-single-335-991001560-v20240425", + "check-point-r8110-gw-byol-mig": "check-point-r8110-gw-byol-mig-335-991001560-v20240425", + "check-point-r8110-gw-byol-cluster": "check-point-r8110-gw-byol-cluster-335-991001560-v20240425", + "check-point-r8110-byol": "check-point-r8110-byol-335-991001560-v20240425", + "check-point-r81-payg": "check-point-r81-payg-392-991001560-v20240425", + "check-point-r81-gw-payg-single": "check-point-r81-gw-payg-single-392-991001560-v20240425", + "check-point-r81-gw-payg-mig": "check-point-r81-gw-payg-mig-392-991001560-v20240425", + "check-point-r81-gw-payg-cluster": "check-point-r81-gw-payg-cluster-392-991001560-v20240425", + "check-point-r81-gw-byol-single": "check-point-r81-gw-byol-single-392-991001560-v20240425", + "check-point-r81-gw-byol-mig": 
"check-point-r81-gw-byol-mig-392-991001560-v20240425", + "check-point-r81-gw-byol-cluster": "check-point-r81-gw-byol-cluster-392-991001560-v20240425", + "check-point-r81-byol": "check-point-r81-byol-392-991001560-v20240425", + "check-point-r8040-payg": "check-point-r8040-payg-294-991001560-v20240425", + "check-point-r8040-gw-payg-single": "check-point-r8040-gw-payg-single-294-991001564-v20240505", + "check-point-r8040-gw-payg-mig": "check-point-r8040-gw-payg-mig-294-991001564-v20240505", + "check-point-r8040-gw-payg-cluster": "check-point-r8040-gw-payg-cluster-294-991001564-v20240505", + "check-point-r8040-gw-byol-single": "check-point-r8040-gw-byol-single-294-991001564-v20240505", + "check-point-r8040-gw-byol-mig": "check-point-r8040-gw-byol-mig-294-991001564-v20240505", + "check-point-r8040-gw-byol-cluster": "check-point-r8040-gw-byol-cluster-294-991001564-v20240505", + "check-point-r8040-byol": "check-point-r8040-byol-294-991001560-v20240425" +} \ No newline at end of file diff --git a/gcp/deployment-packages/autoscale-byol/password.py b/gcp/deployment-packages/autoscale-byol/password.py new file mode 100755 index 00000000..273210a6 --- /dev/null +++ b/gcp/deployment-packages/autoscale-byol/password.py 
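Review bot: within the R80.40 entries the `gw-*` images point at `294-991001564-v20240505` while `check-point-r8040-payg` and `check-point-r8040-byol` stay on `294-991001560-v20240425`; every other release uses a single build tag across all of its variants, so please confirm the split is intentional rather than a partial update. Since these names pin the exact image a deployment boots, a short header comment recording where the tags come from would make future bumps reviewable: `# Image names are pinned per release build; bump all variants of a release together.`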
@@ -0,0 +1,135 @@ +# Copyright 2015 Google Inc. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +"""A DM template that generates password as an output, namely "password". + +An example YAML showing how this template can be used: + resources: + - name: generated-password + type: password.py + properties: + length: 8 + includeSymbols: true + - name: main-template + type: main-template.jinja + properties: + password: $(ref.generated-password.password) + +Input properties to this template: + - length: the length of the generated password. At least 8. Default 8. + - includeSymbols: true/false whether to include symbol chars. Default false. + +The generated password satisfies the following requirements: + - The length is as specified, + - Containing letters and numbers, and optionally symbols if specified, + - Starting with a letter, + - Containing characters from at least 3 of the 4 categories: uppercases, + lowercases, numbers, and symbols. + +""" + +import random +import yaml + +PROPERTY_LENGTH = 'length' +PROPERTY_INCLUDE_SYMBOLS = 'includeSymbols' + +# Note the omission of some hard to distinguish characters like I, l, 0, and O. +UPPERS = 'ABCDEFGHJKLMNPQRSTUVWXYZ' +LOWERS = 'abcdefghijkmnopqrstuvwxyz' +ALPHABET = UPPERS + LOWERS +DIGITS = '123456789' +ALPHANUMS = ALPHABET + DIGITS +# Including only symbols that can be passed around easily in shell scripts. +SYMBOLS = '*-+.' 
+ +CANDIDATES_WITH_SYMBOLS = ALPHANUMS + SYMBOLS +CANDIDATES_WITHOUT_SYMBOLS = ALPHANUMS + +CATEGORIES_WITH_SYMBOLS = [UPPERS, LOWERS, DIGITS, SYMBOLS] +CATEGORIES_WITHOUT_SYMBOLS = [UPPERS, LOWERS, DIGITS] + +MIN_LENGTH = 8 + + +class InputError(Exception): + """Raised when input properties are unexpected.""" + + +def GenerateConfig(context): + """Entry function to generate the DM config.""" + props = context.properties + length = props.setdefault(PROPERTY_LENGTH, MIN_LENGTH) + include_symbols = props.setdefault(PROPERTY_INCLUDE_SYMBOLS, False) + + if not isinstance(include_symbols, bool): + raise InputError('%s must be a boolean' % PROPERTY_INCLUDE_SYMBOLS) + + content = { + 'resources': [], + 'outputs': [{ + 'name': 'password', + 'value': GeneratePassword(length, include_symbols) + }] + } + return yaml.dump(content) + + +def GeneratePassword(length=8, include_symbols=False): + """Generates a random password.""" + if length < MIN_LENGTH: + raise InputError('Password length must be at least %d' % MIN_LENGTH) + + candidates = (CANDIDATES_WITH_SYMBOLS if include_symbols + else CANDIDATES_WITHOUT_SYMBOLS) + categories = (CATEGORIES_WITH_SYMBOLS if include_symbols + else CATEGORIES_WITHOUT_SYMBOLS) + + # Generates up to the specified length minus the number of categories. + # Then inserts one character for each category, ensuring that the character + # satisfy the category if the generated string hasn't already. + generated = ([random.choice(ALPHABET)] + + [random.choice(candidates) + for _ in range(length - 1 - len(categories))]) + for category in categories: + _InsertAndEnsureSatisfaction(generated, category, candidates) + return ''.join(generated) + + +def _InsertAndEnsureSatisfaction(generated, required, all_candidates): + """Inserts 1 char into generated, satisfying required if not already. + + If the required characters are not already in the generated string, one will + be inserted. 
If any required character is already in the generated string, a + random character from all_candidates will be inserted. The insertion happens + at a random location but not at the beginning. + + Args: + generated: the string to be modified. + required: list of required characters to check for. + all_candidates: list of characters to choose from if the required characters + are already satisfied. + """ + if set(generated).isdisjoint(required): + # Not yet satisfied. Insert a required candidate. + _InsertInto(generated, required) + else: + # Already satisfied. Insert any candidate. + _InsertInto(generated, all_candidates) + + +def _InsertInto(generated, candidates): + """Inserts a random candidate into a random non-zero index of generated.""" + # Avoids inserting at index 0, since the first character follows its own rule. + generated.insert(random.randint(1, len(generated) - 1), + random.choice(candidates)) diff --git a/gcp/deployment-packages/autoscale-payg/README.md b/gcp/deployment-packages/autoscale-payg/README.md new file mode 100644 index 00000000..9dfa6b83 --- /dev/null +++ b/gcp/deployment-packages/autoscale-payg/README.md 
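Review bot: `GeneratePassword` draws every character from `random.choice` and the insertion index from `random.randint`, i.e. the Mersenne Twister, which is not a cryptographic generator; the template hunk earlier in this patch uses the result as `computed_sic_key`, so it should come from the `secrets` module (`import secrets` in place of `import random`). The rewrite below swaps in `secrets.choice` and `secrets.randbelow` without changing the character classes, the first-character rule or the category guarantee; `1 + secrets.randbelow(len(generated) - 1)` covers the same range as `random.randint(1, len(generated) - 1)`. `GenerateConfig` also emits the value as a Deployment Manager output, which is retained in the deployment manifest; that may be intended for the Marketplace flow, but it is worth stating in the module docstring.
```python
def GeneratePassword(length=8, include_symbols=False):
  """Generates a random password."""
  # … unchanged: length check, candidates/categories selection …
  generated = ([secrets.choice(ALPHABET)] +
               [secrets.choice(candidates)
                for _ in range(length - 1 - len(categories))])
  # … unchanged: category insertion loop, return …


def _InsertInto(generated, candidates):
  """Inserts a random candidate into a random non-zero index of generated."""
  # Avoids inserting at index 0, since the first character follows its own rule.
  generated.insert(1 + secrets.randbelow(len(generated) - 1),
                   secrets.choice(candidates))
```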
@@ -0,0 +1,126 @@ +# GCP Deployment Manager package for Check Point Autoscaling PAYG solution +This directory contains CloudGuard IaaS deployment package for Check Point Autoscaling (PAYG) solution published in the [GCP Marketplace](https://console.cloud.google.com/marketplace/details/checkpoint-public/check-point-autoscaling-ngtp). + +# How to deploy the package manually +To deploy the Deployment Manager's package manually, without using the GCP Marketplace, follow these instructions: +1. Clone or download the files in this directory +2. Fill variables in the config.yaml(see below for variables descriptions). +3. Log into [Google Cloud Platform Console](https://console.cloud.google.com) +4. [Activate Cloud Shell](https://cloud.google.com/shell/docs/using-cloud-shell) +5. Set your Cloud Platform project in the Cloud Shell session use: + + gcloud config set project [PROJECT_ID] +6. Upload the content of the CloudGuardIaaS/gcp/deployment-packages/autoscale-payg/ directory to the [cloud shell](https://cloud.google.com/shell/docs/uploading-and-downloading-files) +7. Launch deployment by running: + + gcloud deployment-manager deployments create [DEPLOYMENT_NAME] --config config.yaml +8. Make sure the deployment finished successfully.
Example of successful deployment output: + + The fingerprint of the deployment is h8R2exQYuc4bzlO14boUhg== + Waiting for create [operation-1585217870871-5a1bf4c15b9ea-f8d824d5-1089cc78]...done. + Create operation operation-1585217870871-5a1bf4c15b9ea-f8d824d5-1089cc78 completed successfully. + NAME TYPE STATE ERRORS INTENT + mig-as compute.v1.regionAutoscaler COMPLETED [] + mig-igm compute.v1.regionInstanceGroupManager COMPLETED [] + mig-vpc-icmp compute.v1.firewall COMPLETED [] + mig-vpc-udp compute.v1.firewall COMPLETED [] + mig-tmplt compute.v1.instanceTemplate COMPLETED [] + OUTPUTS VALUE + Deployment autoscale + Managed instance group https://www.googleapis.com/compute/v1/projects/checkpoint/regions/asia-east1/instanceGroups/autoscale-igm + Minimum instances 2 + Maximum instances 10 + Target CPU usage 60% + +## config.yaml variables +| Name | Description | Type | Allowed values | +| ------------- | ------------- | ------------- | ------------- | +| **autoscalingVersion** | Autoscaling Version | string | R80.40 Autoscaling;
R81.00 Autoscaling;
R81.10 Autoscaling;
R81.20 Autoscaling;| +| | | | | | +| **managementName** | Security Management Server name | string | The name of the Security Management Server as appears in autoprovisioning configuration | +| | | | | | +| **AutoProvTemplate** | Configuration template name | string | Specify the provisioning configuration template name (for autoprovisioning) | +| | | | | | +| **instanceSSHKey** | Public SSH key for the user 'admin' | string | A valid public ssh key | +| | | | | | +| **mgmtNIC** | Management Interface | string | Ephemeral Public IP (eth0)
; Private IP (eth1); | +| | | | | | +| **networkDefinedByRoutes** | Networks behind the Internal interface will be defined by routes.
Set eth1 topology to define the networks behind this interface by the routes configured on the gateway | boolean | true;
false; | +| | | | | | +| **shell** | Admin shell | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh;
| +| | | | | | +| **allowUploadDownload** | Allow download from/upload to Check Point | boolean | true;
false; | +| | | | | | +| **zone** | The zone determines what computing resources are available and where your data is stored and used | string | List of allowed [Regions and Zones](https://cloud.google.com/compute/docs/regions-zones?_ga=2.31926582.-962483654.1585043745) | +| | | | | | +| **networks** | The external networks ID in which the gateways will reside and internal networks ID in which application servers reside. | list(string) | Available network in the chosen zone | +| | | | | | +| **subnetworks** | External and Internal subnet ID. Assigns the instance an IPv4 address from the subnetwork’s range. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. | list(string) | Available subnetwork in the chosen network | +| | | | | | +| **enableIcmp** | Allow ICMP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **icmpSourceRanges** | Source IP ranges for ICMP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **enableTcp** | Allow TCP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **tcpSourceRanges** | Allow TCP traffic from the Internet | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009 [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **enableUdp** | Allow UDP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **udpSourceRanges** | Source IP ranges for UDP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **enableSctp** | Allow SCTP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **sctpSourceRanges** | Source IP ranges for SCTP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **enableEsp** | Allow ESP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **espSourceRanges** | Source IP ranges for ESP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **machineType** | Machine types determine the specifications of your machines, such as the amount of memory, virtual cores, and persistent disk limits an instance will have | string | [Learn more about Machine Types](https://cloud.google.com/compute/docs/machine-types?hl=en_US&_ga=2.267871494.-962483654.1585043745) | +| | | | | | +| **cpuUsage** | Target CPU usage (%).
Autoscaling adds or removes instances in the group to maintain this level of CPU usage on each instance | number | A number in the range 10 - 90 | +| | | | | | +| **minInstances** | Minimum number of instances | number | A number in the range 1 and the maximum number of instances | +| | | | | | +| **maxInstances** | Maximum number of instances | number | A number in the range the minimum number of instances and infinity | +| | | | | | +| **diskType** | Disk type | string | pd-ssd;
pd-standard;
Storage space is much less expensive for a standard persistent disk. An SSD persistent disk is better for random IOPS or streaming throughput with low latency. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.66020774.-962483654.1585043745#overview_of_disk_types)| +| | | | | | +| **bootDiskSizeGb** | Disk size in GB | number | Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.232680471.-962483654.1585043745#pdperformance)| +| | | | | | +| **enableMonitoring** | Enable Stackdriver monitoring | boolean | true;
false; | +| | | | | | + +## Example + autoscalingVersion: "R81.10 Autoscaling" + managementName: "mgmt" + AutoProvTemplate: "template" + instanceSSHKey: "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" + mgmtNIC: "Ephemeral Public IP (eth0)" + networkDefinedByRoutes: true + shell: "/bin/bash" + allowUploadDownload: true + zone: "asia-east1-a" + networks: ["external-vpc", "internal-vpc"] + subnetworks: ["frontend", "backend"] + enableIcmp: true + icmpSourceRanges: "0.0.0.0/0" + enableTcp: false + tcpSourceRanges: "" + enableUdp: true + udpSourceRanges: "0.0.0.0/0" + enableSctp: false + sctpSourceRanges: "" + enableEsp: false + espSourceRanges: "" + machineType: "n1-standard-4" + cpuUsage: 60 + minInstances: 2 + maxInstances: 10 + diskType: "pd-ssd" + bootDiskSizeGb: 100 + enableMonitoring: false + +## Notes +See [sk147032](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk147032) for revision history diff --git a/gcp/deployment-packages/autoscale-payg/c2d_deployment_configuration.json b/gcp/deployment-packages/autoscale-payg/c2d_deployment_configuration.json new file mode 100755 index 00000000..0854e0f3 --- /dev/null +++ b/gcp/deployment-packages/autoscale-payg/c2d_deployment_configuration.json @@ -0,0 +1,7 @@ +{ + "defaultDeploymentType": "MULTI_VM", + "imageName": "check-point-r8120-gw-payg-mig-634-991001611-v20240613", + "projectId": "checkpoint-public", + "templateName": "nonexistent_template", + "useSolutionPackage": "true" +} diff --git a/gcp/deployment-packages/autoscale-payg/check-point-autoscale--payg.py b/gcp/deployment-packages/autoscale-payg/check-point-autoscale--payg.py new file mode 100755 index 00000000..b13af6da --- /dev/null +++ b/gcp/deployment-packages/autoscale-payg/check-point-autoscale--payg.py 
@@ -0,0 +1,379 @@ +# Copyright 2016 Check Point Software LTD. + +import common +import default +import images +import password + +GATEWAY = 'checkpoint-gateway' +PROJECT = 'checkpoint-public' +LICENSE = 'payg' +LICENCE_TYPE = 'mig' + +VERSIONS = { + 'R81.10-GW': 'r8110-gw', + 'R81.20-GW': 'r8120-gw' +} + +TEMPLATE_NAME = 'autoscale' +TEMPLATE_VERSION = '20240714' + +startup_script = ''' +#cloud-config +runcmd: + - 'python3 /etc/cloud_config.py "generatePassword=\\"{generatePassword}\\"" "allowUploadDownload=\\"{allowUploadDownload}\\"" "templateName=\\"{templateName}\\"" "templateVersion=\\"{templateVersion}\\"" "mgmtNIC=\\"{mgmtNIC}\\"" "hasInternet=\\"{hasInternet}\\"" "config_url=\\"{config_url}\\"" "config_path=\\"{config_path}\\"" "installationType=\\"{installationType}\\"" "enableMonitoring=\\"{enableMonitoring}\\"" "shell=\\"{shell}\\"" "computed_sic_key=\\"{computed_sic_key}\\"" "sicKey=\\"{sicKey}\\"" "managementGUIClientNetwork=\\"{managementGUIClientNetwork}\\"" "primary_cluster_address_name=\\"{primary_cluster_address_name}\\"" "secondary_cluster_address_name=\\"{secondary_cluster_address_name}\\"" "managementNetwork=\\"{managementNetwork}\\"" "numAdditionalNICs=\\"{numAdditionalNICs}\\"" "smart1CloudToken=\\"{smart1CloudToken}\\"" "name=\\"{name}\\"" "zone=\\"{zoneConfig}\\"" "region=\\"{region}\\"" "osVersion=\\"{osVersion}\\"" "MaintenanceModePassword=\\"{maintenanceMode}\\""' +''' + + +def make_nic(context, net_name, subnet, external_ip=False): + prop = context.properties + network_interface = { + 'kind': 'compute#networkInterface', + 'network': common.GlobalNetworkLink(prop['project'], net_name) + } + if subnet: + network_interface["subnetwork"] = common.MakeRegionalSubnetworkLink( + prop['project'], prop['zone'], subnet) + # add ephemeral public IP address + if external_ip: + network_interface["accessConfigs"] = \ + [make_access_config(name="external-nat")] + return network_interface + + +def create_nics(context): + prop = context.properties + 
firewall_rules = create_firewall_rules(context) + if firewall_rules: + prop['resources'].extend(firewall_rules) + networks = prop.setdefault('networks', ['default']) + subnetworks = prop.get('subnetworks', []) + nics = [] + for i in range(len(networks)): + name = networks[i] + subnet = '' + external_ip = prop.get('gatewayExternalIP') and i == 0 + if subnetworks and i < len(subnetworks) and subnetworks[i]: + subnet = subnetworks[i] + network_interface = make_nic(context, name, subnet, external_ip) + nics.append(network_interface) + return nics + + +def create_firewall_rules(context): + prop = context.properties + deployment = prop['deployment'] + network = prop.setdefault('networks', ['default'])[0] + firewall_rules = [] + protocols = ['Icmp', 'Udp', 'Tcp', 'Sctp', 'Esp'] + for protocol in protocols: + proto = protocol.lower() + source_ranges = prop.get(proto + 'SourceRanges', '') + protocol_enabled = prop.get('enable' + protocol, '') + if protocol_enabled and source_ranges: + firewall_rules.append(make_firewall_rule( + proto, source_ranges, deployment, network)) + return firewall_rules + + +def make_firewall_rule(protocol, source_ranges, deployment, net_name): + fw_rule_name = '%s-%s-%s' % (deployment[:34], net_name[:22], protocol) + ranges = [] + ranges_list = source_ranges.split(',') + for source_range in ranges_list: + ranges.append(source_range.replace(" ", "")) + firewall_rule = { + 'type': default.FIREWALL, + 'name': fw_rule_name, + 'properties': { + 'network': 'global/networks/' + net_name, + 'sourceRanges': ranges, + 'targetTags': [GATEWAY], + 'allowed': [{'IPProtocol': protocol}] + } + } + return firewall_rule + + +def create_instance_template(context, + name, + nics, + depends_on=None, + gw_version=VERSIONS['R81.20-GW']): + if 'gw' in gw_version: + license_name = "{}-{}".format(LICENSE, LICENCE_TYPE) + else: + license_name = LICENSE + family = '-'.join(['check-point', gw_version, license_name]) + formatter = common.DefaultFormatter() + 
instance_template_name = common.AutoName(name, default.TEMPLATE) + instance_template = { + "type": default.TEMPLATE, + "name": instance_template_name, + 'metadata': { + 'dependsOn': depends_on + }, + "properties": { + "project": context.properties['project'], + "properties": { + "canIpForward": True, + "disks": [{"autoDelete": True, + "boot": True, + "deviceName": common.set_name_and_truncate( + context.properties['deployment'], + '-{}-boot'.format(name)), + "index": 0, + "initializeParams": { + "diskType": + context.properties['diskType'], + "diskSizeGb": + context.properties['bootDiskSizeGb'], + "sourceImage": + 'projects/%s/global/images/%s' % ( + PROJECT, images.IMAGES[family]) + }, + "kind": 'compute#attachedDisk', + "mode": "READ_WRITE", + "type": "PERSISTENT"}], + "machineType": context.properties['machineType'], + "networkInterfaces": nics, + 'metadata': { + "kind": 'compute#metadata', + 'items': [ + { + 'key': 'startup-script', + 'value': formatter.format( + startup_script, **context.properties) + }, + { + 'key': 'serial-port-enable', + 'value': 'true' + } + ]}, + "scheduling": { + "automaticRestart": True, + "onHostMaintenance": "MIGRATE", + "preemptible": False + }, + "serviceAccounts": [ + { + "email": "default", + "scopes": [ + "https://www.googleapis.com/" + + "auth/devstorage.read_only", + "https://www.googleapis.com/auth/logging.write", + "https://www.googleapis.com/auth/monitoring.write", + "https://www.googleapis.com/auth/pubsub", + "https://www.googleapis.com/" + + "auth/service.management.readonly", + "https://www.googleapis.com/auth/servicecontrol", + "https://www.googleapis.com/auth/trace.append" + ] + }], + "tags": { + "items": [ + 'x-chkp-management--{}'. + format(context.properties['managementName']), + 'x-chkp-template--{}'. 
+ format(context.properties['AutoProvTemplate']), + 'checkpoint-gateway' + ] + } + } + } + } + tagItems = instance_template['properties']['properties']['tags']['items'] + if context.properties['mgmtNIC'] == 'Ephemeral Public IP (eth0)': + tagItems.append("x-chkp-ip-address--public") + tagItems.append("x-chkp-management-interface--eth0") + elif context.properties['mgmtNIC'] == 'Private IP (eth1)': + tagItems.append("x-chkp-ip-address--private") + tagItems.append("x-chkp-management-interface--eth1") + if context.properties['networkDefinedByRoutes']: + tagItems.append("x-chkp-topology-eth1--internal") + tagItems.append("x-chkp-topology-settings-eth1" + "--network-defined-by-routes") + metadata = instance_template['properties']['properties']['metadata'] + if 'instanceSSHKey' in context.properties: + metadata['items'].append( + { + 'key': 'instanceSSHKey', + 'value': context.properties['instanceSSHKey'] + } + ) + passwd = '' + if context.properties['generatePassword']: + passwd = password.GeneratePassword(12, False) + metadata['items'].append( + { + 'key': 'adminPasswordSourceMetadata', + 'value': passwd + } + ) + return instance_template, passwd + + +def GenerateAutscaledGroup(context, name, + instance_template, depends_on=None): + prop = context.properties + igm_name = common.AutoName(name, default.IGM) + depends_on = depends_on + resource = { + 'name': igm_name, + 'metadata': { + 'dependsOn': depends_on + }, + 'type': default.REGION_IGM, + 'properties': { + 'region': common.ZoneToRegion(prop.get("zone")), + 'baseInstanceName': name, + 'instanceTemplate': '$(ref.' 
+ instance_template + '.selfLink)', + 'targetSize': prop.get("minInstances"), + # 'autoHealingPolicies': [{ + # 'initialDelaySec': 60 + # }] + } + } + return resource + + +def CreateAutscaler(context, name, + igm, cpu_usage, depends_on=None): + prop = context.properties + autoscaler_name = common.AutoName(name, default.AUTOSCALER) + depends_on = depends_on + cpu_usage = float(cpu_usage) / 100 + resource = { + 'name': autoscaler_name, + 'metadata': { + 'dependsOn': depends_on + }, + 'type': default.REGION_AUTOSCALER, + 'properties': { + 'target': '$(ref.' + igm + '.selfLink)', + 'region': common.ZoneToRegion(prop.get("zone")), + 'autoscalingPolicy': { + 'minNumReplicas': int(prop.get("minInstances")), + 'maxNumReplicas': int(prop.get("maxInstances")), + 'cpuUtilization': { + 'utilizationTarget': cpu_usage + }, + 'coolDownPeriodSec': 90 + } + } + } + return resource + + +def make_access_config(name=None): + access_config = { + 'type': default.ONE_NAT, + "kind": 'compute#accessConfig' + } + if name: + access_config['name'] = name + return access_config + + +def validate_region(test_zone, valid_region): + test_region = common.ZoneToRegion(test_zone) + if test_region != valid_region: + err_msg = '{} is in region {}. All subnets must be ' + \ + 'in the same region ({})' + raise common.Error( + err_msg.format(test_zone, test_region, valid_region) + ) + + +@common.FormatErrorsDec +def generate_config(context): + # This method will: + # 1. Create a instance template for a security GW + # (with a tag for the managing security server) + # 2. Create a managed instance group + # (based on the instance template and zones list provided by the user) + # 3. 
Configure autoscaling + # (based on min, max & policy settings provided by the user) + prop = context.properties + prop['deployment'] = context.env['deployment'] + prop['project'] = context.env['project'] + prop['templateName'] = TEMPLATE_NAME + prop['templateVersion'] = TEMPLATE_VERSION + prop['allowUploadDownload'] = str(prop['allowUploadDownload']).lower() + prop['hasInternet'] = 'true' # via Google Private Access + prop['installationType'] = 'AutoScale' + prop['resources'] = [] + prop['outputs'] = [] + prop['gw_dependencies'] = [] + prop['computed_sic_key'] = password.GeneratePassword(12, False) + prop['gatewayExternalIP'] = (prop['mgmtNIC'] == + 'Ephemeral Public IP (eth0)') + version_chosen = prop['autoscalingVersion'].split(' ')[0] + "-GW" + prop['osVersion'] = prop['autoscalingVersion'].split(' ')[0].replace( + ".", "") + nics = create_nics(context) + gw_template, passwd = create_instance_template(context, + prop['deployment'], + nics, + depends_on=prop[ + 'gw_dependencies'], + gw_version=VERSIONS[ + version_chosen]) + prop['resources'] += [gw_template] + prop['igm_dependencies'] = [gw_template['name']] + igm = GenerateAutscaledGroup(context, + prop['deployment'], + gw_template['name'], + prop['igm_dependencies']) + prop['resources'] += [igm] + prop['autoscaler_dependencies'] = [igm['name']] + cpu_usage = prop.get("cpuUsage") + autoscaler = CreateAutscaler(context, + prop['deployment'], + igm['name'], + cpu_usage, + prop['autoscaler_dependencies']) + prop['resources'] += [autoscaler] + prop['outputs'] += [ + { + 'name': 'deployment', + 'value': prop['deployment'] + }, + { + 'name': 'project', + 'value': prop['project'] + }, + { + 'name': 'instanceTemplateName', + 'value': gw_template['name'] + }, + { + 'name': 'InstanceTemplateLink', + 'value': common.Ref(gw_template['name']) + }, + { + 'name': 'IGMname', + 'value': igm['name'] + }, + { + 'name': 'IGMLink', + 'value': common.RefGroup(igm['name']) + }, + { + 'name': 'cpuUsagePercentage', + 'value': 
str(int(prop['cpuUsage'])) + '%' + }, + { + 'name': 'minInstancesInt', + 'value': str(int(prop['minInstances'])) + }, + { + 'name': 'maxInstancesInt', + 'value': str(int(prop['maxInstances'])) + }, + { + 'name': 'password', + 'value': passwd + } + ] + return common.MakeResource(prop['resources'], prop['outputs']) diff --git a/gcp/deployment-packages/autoscale-payg/check-point-autoscale--payg.py.schema b/gcp/deployment-packages/autoscale-payg/check-point-autoscale--payg.py.schema new file mode 100755 index 00000000..b9341dfa --- /dev/null +++ b/gcp/deployment-packages/autoscale-payg/check-point-autoscale--payg.py.schema 
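Review bot: create_instance_template hard-codes `{'key': 'serial-port-enable', 'value': 'true'}` into the template metadata, so every gateway in the managed group exposes the interactive serial console to any principal holding the relevant compute IAM permission, with no way for the deployer to opt out. It should be driven by a boolean schema property that defaults to false, e.g. `'value': str(context.properties.get('enableSerialPort', False)).lower()` (property name to be chosen and added to the .schema file alongside the other booleans). The admin password generated under `generatePassword` is written to the `adminPasswordSourceMetadata` metadata item and echoed back as the `password` output in generate_config, so it is readable from inside every instance via the metadata server and by anyone who can view the deployment manifest; a comment at `passwd = password.GeneratePassword(12, False)` should say so, and the same applies to `computed_sic_key`, which is interpolated into the startup-script item. The template also binds the project's default compute service account (`"email": "default"`) to the gateways; a dedicated least-privilege service account is the usual recommendation, so at minimum a comment next to the `serviceAccounts` block should explain why the default account and that scope list are required.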
@@ -0,0 +1,213 @@ +imports: + - path: check-point-autoscale--payg.py + +info: + version: 1.0 + title: Check Point CloudGuard Network Security Autoscaling - PAYG Template + +required: + - autoscalingVersion + - networks + - zone + - machineType + - cpuUsage + - minInstances + - maxInstances + - diskType + - bootDiskSizeGb + - managementName + - AutoProvTemplate + - allowUploadDownload + - networkDefinedByRoutes + - shell + - enableMonitoring + - generatePassword + +properties: + zone: + type: string + default: us-central1-a + x-googleProperty: + type: GCE_ZONE + networks: + type: array + default: [default, default1] + minItems: 2 + maxItems: 2 + x-googleProperty: + type: GCE_NETWORK + gceNetwork: + labels: + - External + - Internal + allowSharedVpcs: True + machineTypeProperty: machineType + subnetworks: + type: array + minItems: 2 + maxItems: 2 + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: networks + mgmtNIC: + type: string + default: Ephemeral Public IP (eth0) + enum: + - Ephemeral Public IP (eth0) + - Private IP (eth1) + enableIcmp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: networks + icmpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: enableIcmp + enableTcp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: networks + tcpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: enableTcp + enableUdp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: networks + udpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: enableUdp + enableSctp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: 
networks + sctpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: enableSctp + enableEsp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: networks + espSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: enableEsp + machineType: + type: string + default: n1-standard-4 + x-googleProperty: + type: GCE_MACHINE_TYPE + zoneProperty: zone + gceMachineType: + minCpu: 2 + minRamGb: 1.843000054359436 + cpuUsage: + type: integer + minimum: 10 + maximum: 90 + default: 60 + minInstances: + type: integer + minimum: 1 + maximum: 16384 + default: 2 + maxInstances: + type: integer + minimum: 1 + maximum: 32768 + default: 10 + instanceSSHKey: + type: string + pattern: ^([0-9a-z\-]+ +[0-9A-Za-z/\+=]+( .*)?|)$ + default: '' + diskType: + type: string + default: pd-ssd + x-googleProperty: + type: GCE_DISK_TYPE + zoneProperty: zone + bootDiskSizeGb: + type: integer + default: 100 + minimum: 100 + maximum: 4096 + x-googleProperty: + type: GCE_DISK_SIZE + gceDiskSize: + diskTypeProperty: diskType + autoscalingVersion: + type: string + default: R81.20 Autoscaling + enum: + - R81.10 Autoscaling + - R81.20 Autoscaling + managementName: + type: string + default: 'checkpoint-management' + pattern: ^([ -~]+)$ + AutoProvTemplate: + type: string + default: 'gcp-asg-autoprov-tmplt' + pattern: ^([ -~]{1,30})$ + enableMonitoring: + type: boolean + default: False + networkDefinedByRoutes: + type: boolean + default: True + allowUploadDownload: + type: boolean + default: True + generatePassword: + type: boolean + default: False + maintenanceMode: + type: string + pattern: ^([a-z0-9A-Z.]{12,300}|)$ + default: '' + shell: + type: string + default: /etc/cli.sh + enum: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + +outputs: + deployment: + type: string + project: + type: string + password: + type: string \ 
No newline at end of file diff --git a/gcp/deployment-packages/autoscale-payg/common.py b/gcp/deployment-packages/autoscale-payg/common.py new file mode 100755 index 00000000..e123c502 --- /dev/null +++ b/gcp/deployment-packages/autoscale-payg/common.py 
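Review bot: The schema bounds `minInstances` (1–16384) and `maxInstances` (1–32768) independently, so a deployment with `minInstances` greater than `maxInstances` passes validation and only fails later when the autoscaler is built from `minNumReplicas`/`maxNumReplicas`. A Deployment Manager schema cannot express the cross-field rule, so generate_config in check-point-autoscale--payg.py should check it before emitting resources, e.g. `if int(prop['minInstances']) > int(prop['maxInstances']): raise common.Error('minInstances must not exceed maxInstances')`. Separately, `managementName` uses `pattern: ^([ -~]+)$` with no length bound while its value is embedded in the `x-chkp-management--...` network tag; GCE tags are limited in length and character set, so a `maxLength` (or a bounded pattern like the one on `AutoProvTemplate`) would surface a bad value at validation time instead of at instance-template creation.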
@@ -0,0 +1,262 @@ +# Copyright 2015 Google Inc. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +"""Generic simple functions used for python based template generation.""" + +import re +import sys +import traceback +import default +import string + +import yaml + +RFC1035_RE = re.compile(r'^[a-z][-a-z0-9]{1,61}[a-z0-9]{1}$') + + +class Error(Exception): + """Common exception wrapper for template exceptions.""" + pass + + +class DefaultFormatter(string.Formatter): + """Returns default instead of key error when looking for keys. + + Used for startup-script which contains params from multiple deployments + whiles keys from one deployment may not be set in another. 
+ """ + def __init__(self, default=''): + self.default = default + def get_value(self, key, args, dict): + if isinstance(key, str): + return dict.get(key, self.default) + else: + return string.Formatter.get_value(key, args, dict) + + +def set_name_and_truncate(primary, secondary, maxlength=62): + return '%s%s' % (primary[:maxlength - len(secondary)], secondary) + + +def AddDiskResourcesIfNeeded(context): + """Checks context if disk resources need to be added.""" + if default.DISK_RESOURCES in context.properties: + return context.properties[default.DISK_RESOURCES] + else: + return [] + + +def AutoName(base, resource, *args): + """Helper method to generate names automatically based on default.""" + auto_name = '%s-%s' % (base, '-'.join(list(args) + [default.AKA[resource]])) + if not RFC1035_RE.match(auto_name): + raise Error('"%s" name for type %s does not match RFC1035 regex (%s)' % + (auto_name, resource, RFC1035_RE.pattern)) + return auto_name + + +def AutoRef(base, resource, *args): + """Helper method that builds a reference for an auto-named resource.""" + return Ref(AutoName(base, resource, *args)) + + +def OrderedItems(dict_obj): + """Convenient method to yield sorted iteritems of a dictionary.""" + keys = list(dict_obj.keys()) + keys.sort() + for k in keys: + yield (k, dict_obj[k]) + + +def ShortenZoneName(zone): + """Given a string that looks like a zone name, creates a shorter version.""" + geo, coord, number, letter = re.findall(r'(\w+)-(\w+)(\d)-(\w)', zone)[0] + geo = geo.lower() if len(geo) == 2 else default.LOC[geo.lower()] + coord = default.LOC[coord.lower()] + number = str(number) + letter = letter.lower() + return geo + '-' + coord + number + letter + + +def ZoneToRegion(zone): + """Derives the region from a zone name.""" + parts = zone.split('-') + if len(parts) != 3: + raise Error('Cannot derive region from zone "%s"' % zone) + return '-'.join(parts[:2]) + + +def FormatException(message): + """Adds more information to the exception.""" + message = 
('Exception Type: %s\n' + 'Details: %s\n' + 'Message: %s\n') % (sys.exc_info()[0], + traceback.format_exc(), message) + return message + + +def Ref(name): + return '$(ref.%s.selfLink)' % name + + +def RefGroup(name): + return '$(ref.%s.instanceGroup)' % name + + +def GlobalComputeLink(project, collection, name): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/global/', + collection, '/', name]) + +def GlobalNetworkLink(project, network): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/global/', + default.NETWORKS, '/', network]) + + +def LocalComputeLink(project, zone, key, value): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/zones/', + zone, '/', key, '/', value]) + + +def ReadContext(context, prop_key): + return (context.env['project'], context.properties.get('zone', None), + context.properties[prop_key]) + + +def MakeLocalComputeLink(context, key, zone=None): + if not zone: + project, zone, value = ReadContext(context, key) + else: + project, _, value = ReadContext(context, key) + + if IsComputeLink(value): + return value + else: + return LocalComputeLink(project, zone, key + 's', value) + + +def MakeGlobalComputeLink(context, key): + project, _, value = ReadContext(context, key) + if IsComputeLink(value): + return value + else: + return GlobalComputeLink(project, key + 's', value) + +def MakeRegionalSubnetworkLink(project, zone, subnet): + region = ZoneToRegion(zone) + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/regions/', + region, '/subnetworks/', subnet]) + + +def MakeSubnetworkComputeLink(context, key): + project, zone, value = ReadContext(context, key) + region = ZoneToRegion(zone) + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/regions/', + region, '/subnetworks/', value]) + + +def MakeFQHN(context, name): + return '%s.c.%s.internal' % (name, context.env['project']) + + +# TODO(victorg): Consider moving this method to a different file +def 
MakeC2DImageLink(name, dev_mode=False): + if IsGlobalProjectShortcut(name) or name.startswith('http'): + return name + else: + if dev_mode: + return 'global/images/%s' % name + else: + return GlobalComputeLink(default.C2D_IMAGES, 'images', name) + + +def IsGlobalProjectShortcut(name): + return name.startswith('projects/') or name.startswith('global/') + + +def IsComputeLink(name): + return (name.startswith(default.COMPUTE_URL_BASE) or + name.startswith(default.REFERENCE_PREFIX)) + + +def GetNamesAndTypes(resources_dict): + return [(d['name'], d['type']) for d in resources_dict] + + +def SummarizeResources(res_dict): + """Summarizes the name of resources per resource type.""" + result = {} + for res in res_dict: + result.setdefault(res['type'], []).append(res['name']) + return result + + +def ListPropertyValuesOfType(res_dict, prop, res_type): + """Lists all the values for a property of a certain type.""" + return [r['properties'][prop] for r in res_dict if r['type'] == res_type] + + +def MakeResource(resource_list, output_list=None): + """Wrapper for a DM template basic spec.""" + content = {'resources': resource_list} + if output_list: + content['outputs'] = output_list + return yaml.dump(content) + + +def TakeZoneOut(properties): + """Given a properties dictionary, removes the zone specific information.""" + + def _CleanZoneUrl(value): + value = value.split('/')[-1] if IsComputeLink(value) else value + return value + + for name in default.VM_ZONE_PROPERTIES: + if name in properties: + properties[name] = _CleanZoneUrl(properties[name]) + if default.ZONE in properties: + properties.pop(default.ZONE) + if default.BOOTDISK in properties: + properties[default.BOOTDISK] = _CleanZoneUrl(properties[default.BOOTDISK]) + if default.DISKS in properties: + for disk in properties[default.DISKS]: + # Don't touch references to other disks + if default.DISK_SOURCE in disk: + continue + if default.INITIALIZEP in disk: + disk_init = disk[default.INITIALIZEP] + if default.DISKTYPE 
in disk_init: + disk_init[default.DISKTYPE] = _CleanZoneUrl(disk_init[default.DISKTYPE]) + + +def GenerateEmbeddableYaml(yaml_string): + # Because YAML is a space delimited format, we need to be careful about + # embedding one YAML document in another. This function takes in a string in + # YAML format and produces an equivalent YAML representation that can be + # inserted into arbitrary points of another YAML document. It does so by + # printing the YAML string in a single line format. Consistent ordering of + # the string is also guaranteed by using yaml.dump. + yaml_object = yaml.load(yaml_string) + dumped_yaml = yaml.dump(yaml_object, default_flow_style=True) + return dumped_yaml + + +def FormatErrorsDec(func): + """Decorator to format exceptions if they get raised.""" + + def FormatErrorsWrap(context): + try: + return func(context) + except Exception as e: + raise Error(FormatException(e.message)) + + return FormatErrorsWrap diff --git a/gcp/deployment-packages/autoscale-payg/config.yaml b/gcp/deployment-packages/autoscale-payg/config.yaml new file mode 100644 index 00000000..d0993a52 --- /dev/null +++ b/gcp/deployment-packages/autoscale-payg/config.yaml 
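Review bot: FormatErrorsWrap in FormatErrorsDec reads `e.message`, which does not exist on Python 3 exceptions (this package appears to target Python 3: `isinstance(key, str)` in DefaultFormatter and `python3 /etc/cloud_config.py` in the startup script), so any template error is replaced by an AttributeError and the original cause is lost; use `raise Error(FormatException(str(e))) from e`. GenerateEmbeddableYaml calls `yaml.load(yaml_string)` without a Loader, which on older PyYAML resolves arbitrary Python tags from the input and on PyYAML 6 raises TypeError because `Loader` became mandatory; `yaml.safe_load(yaml_string)` is the right call since the document is only re-dumped. FormatException also folds `traceback.format_exc()` into the message that is raised back to the Deployment Manager caller, which puts internal file paths into deployment error output; if that is intentional for debugging, a comment saying so belongs on that line.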
@@ -0,0 +1,50 @@ +imports: +- path: check-point-autoscale--payg.py +- path: common.py +- path: default.py +- path: password.py +- path: images.py + +resources: +- name: check-point-autoscale--payg + type: check-point-autoscale--payg.py + properties: + autoscalingVersion: "PLEASE ENTER AUTOSCALE VERSION" + managementName: "PLEASE ENTER MANAGEMENT NAME" + AutoProvTemplate: "PLEASE ENTER AUTOPROVISION TEMPLATE NAME" + instanceSSHKey: "PLEASE ENTER A VALID PUBLIC KEY" + mgmtNIC: "PLEASE ENTER MANAGEMENT NIC TYPE" + networkDefinedByRoutes: "PLEASE ENTER true or false" + shell: "PLEASE ENTER A SHELL" + allowUploadDownload: "PLEASE ENTER true or false" + zone: "PLEASE ENTER A ZONE" + networks: "PLEASE ENTER A LIST OF EXTERNAL AND INTERNAL NETWORKS ID" + subnetworks: "PLEASE ENTER A LIST OF EXTERNAL AND INTERNAL SUBNETWORKS ID" + enableIcmp: "PLEASE ENTER true or false" + icmpSourceRanges: "PLEASE ENTER ICMP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES" + enableTcp: "PLEASE ENTER true or false" + tcpSourceRanges: "PLEASE ENTER TCP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES" + enableUdp: "PLEASE ENTER true or false" + udpSourceRanges: "PLEASE ENTER UDP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES" + enableSctp: "PLEASE ENTER true or false" + sctpSourceRanges: "PLEASE ENTER SCTP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES" + enableEsp: "PLEASE ENTER true or false" + espSourceRanges: "PLEASE ENTER ESP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES" + machineType: "PLEASE ENTER A MACHINE TYPE" + cpuUsage: "PLEASE ENTER CPU USAGE (%)" + minInstances: "PLEASE ENTER MINIMUM NUMBER OF INSTANCES" + maxInstances: "PLEASE ENTER MAXIMUM NUMBER OF INSTANCES" + diskType: "PLEASE ENTER A DISK TYPE" + bootDiskSizeGb: "PLEASE ENTER A DISK SIZE" + enableMonitoring: "PLEASE ENTER true or false" +outputs: +- name: "Deployment" + value: $(ref.check-point-autoscale--payg.deployment) +- name: "Managed instance group" + value: $(ref.check-point-autoscale--payg.IGMLink) +- name: "Minimum instances" + 
value: $(ref.check-point-autoscale--payg.minInstancesInt) +- name: "Maximum instances" + value: $(ref.check-point-autoscale--payg.maxInstancesInt) +- name: "Target CPU usage" + value: $(ref.check-point-autoscale--payg.cpuUsagePercentage) \ No newline at end of file diff --git a/gcp/deployment-packages/autoscale-payg/default.py b/gcp/deployment-packages/autoscale-payg/default.py new file mode 100755 index 00000000..0c7dd919 --- /dev/null +++ b/gcp/deployment-packages/autoscale-payg/default.py 
@@ -0,0 +1,134 @@
+# Copyright 2015 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Convenience module to hold default constants for C2D components.
+
+There should not be any logic in this module. Its purpose is to simplify
+analysis of commonly used GCP and properties names and identify the names
+that were custom created for these modules.
+"""
+# Generic constants
+C2D_IMAGES = 'click-to-deploy-images'
+
+# URL constants
+COMPUTE_URL_BASE = 'https://www.googleapis.com/compute/v1/'
+
+# Deployment Manager constructs
+REFERENCE_PREFIX = '$(ref.'
+
+# Commonly used in properties namespace
+AUTO_DELETE = 'autoDelete'
+BOOTDISK = 'bootDiskType'
+BOOTDISKSIZE = 'bootDiskSizeGb'
+C_IMAGE = 'containerImage'
+DC_MANIFEST = 'dcManifest'
+DEPLOYMENT = 'DEPLOYMENT' # used in the deployment coordinator
+DISK_NAME = 'diskName'
+DISK_RESOURCES = 'addedDiskResources'
+DISK_SOURCE = 'source'
+ENDPOINT_NAME = 'serviceRegistryEndpointName'
+FIXED_GCLOUD = 'fixedGcloud'
+GENERATED_PROP = 'generatedProperties'
+INITIALIZEP = 'initializeParams'
+INSTANCE_NAME = 'instanceName'
+LOCAL_SSD = 'localSSDs'
+MAX_NUM = 'maxNumReplicas'
+NETWORKS = 'networks'
+NO_SCOPE = 'noScope'
+PROVIDE_BOOT = 'provideBoot'
+REPLICAS = 'replicas'
+SIZE = 'size'
+VM_COPIES = 'numberOfVMReplicas'
+ZONES = 'zones'
+
+# Common properties values (only official GCP values allowed here)
+EXTERNAL = 'External NAT'
+ONE_NAT = 'ONE_TO_ONE_NAT'
+
+# Common 1st level properties (only official GCP names allowed here)
+CAN_IP_FWD = 'canIpForward'
+CONTAINER = 'container'
+DCKRENV = 'dockerEnv'
+DCKRIMAGE = 'dockerImage'
+DEFAULT_SERVICE = 'defaultService'
+DEVICE_NAME = 'deviceName'
+DISKS = 'disks'
+DISK_SIZE = 'diskSizeGb'
+DISKTYPE = 'diskType'
+HEALTH_PATH = 'healthPath'
+HOST_RULES = 'hostRules'
+IP_PROTO = 'IPProtocol'
+MACHINETYPE = 'machineType'
+METADATA = 'metadata'
+NAME = 'name'
+NETWORK = 'network'
+NETWORKS = 'networks'
+SUBNETWORK = 'subnetwork'
+PATH_MATCHERS = 'pathMatchers'
+PORT = 'port'
+PROJECT = 'project'
+SERVICE = 'service'
+SERVICE_ACCOUNTS = 'serviceAccounts'
+SRCIMAGE = 'sourceImage'
+SRC_RANGES = 'sourceRanges'
+TAGS = 'tags'
+TYPE = 'type'
+VM_TEMPLATE = 'instanceTemplate'
+ZONE = 'zone'
+
+# Zone specfic VM properties
+VM_ZONE_PROPERTIES = [DISKTYPE, MACHINETYPE, BOOTDISK]
+
+# Resource type defaults names
+ADDRESS = 'compute.v1.address'
+AUTOSCALER = 'compute.v1.autoscaler'
+BACKEND_SERVICE = 'compute.v1.backendService'
+DISK = 'compute.v1.disk'
+ENDPOINT = 'serviceregistry.v1alpha.endpoint'
+FIREWALL = 'compute.v1.firewall'
+GF_RULE = 'compute.v1.globalForwardingRule'
+HEALTHCHECK = 'compute.v1.httpHealthCheck'
+IGM = 'compute.v1.instanceGroupManager'
+INSTANCE = 'compute.v1.instance'
+PROXY = 'compute.v1.targetHttpProxy'
+TEMPLATE = 'compute.v1.instanceTemplate'
+REGION_IGM = 'compute.v1.regionInstanceGroupManager'
+REGION_AUTOSCALER = 'compute.v1.regionAutoscaler'
+URL_MAP = 'compute.v1.urlMap'
+VPC='compute.v1.network'
+VPC_SUBNET='compute.v1.subnetwork'
+
+# Also Known As constants
+AKA = {
+ TEMPLATE: 'tmplt',
+ AUTOSCALER: 'as',
+ BACKEND_SERVICE: 'bes',
+ DISK: 'disk',
+ FIREWALL: 'fwall',
+ GF_RULE: 'ip',
+ HEALTHCHECK: 'hc',
+ INSTANCE: 'vm',
+ PROXY: 'tproxy',
+ IGM: 'igm',
+ URL_MAP: 'umap',
+}
+
+LOC = {
+ 'europe': 'eu',
+ 'asia': 'as',
+ 'central': 'c',
+ 'east': 'e',
+ 'west': 'w',
+ 'north': 'n',
+ 'south': 's',
+}
diff --git a/gcp/deployment-packages/autoscale-payg/images.py b/gcp/deployment-packages/autoscale-payg/images.py
new file mode 100755
index 00000000..7b04bee0
--- /dev/null
+++ b/gcp/deployment-packages/autoscale-payg/images.py
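Review bot: `NETWORKS = 'networks'` is assigned twice in this module, once under "Commonly used in properties namespace" and again under "Common 1st level properties"; the second assignment silently shadows the first, so one of them should go (the second section's header says only official GCP names belong there). `VPC='compute.v1.network'` and `VPC_SUBNET='compute.v1.subnetwork'` are the only assignments in the file without spaces around `=`, which is worth normalising since this is otherwise a verbatim copy of the upstream Google constants file. Those two, together with REGION_IGM and REGION_AUTOSCALER, are also the only resource types with no entry in `AKA`; if any caller derives short names from `AKA` for those types it will fail with a KeyError, which is worth confirming against common.py.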
@@ -0,0 +1,34 @@
+IMAGES = {
+ "check-point-r8120-payg": "check-point-r8120-payg-631-991001560-v20240425",
+ "check-point-r8120-gw-payg-single": "check-point-r8120-gw-payg-single-631-991001560-v20240425",
+ "check-point-r8120-gw-payg-mig": "check-point-r8120-gw-payg-mig-631-991001560-v20240425",
+ "check-point-r8120-gw-payg-cluster": "check-point-r8120-gw-payg-cluster-631-991001560-v20240425",
+ "check-point-r8120-gw-byol-single": "check-point-r8120-gw-byol-single-631-991001560-v20240425",
+ "check-point-r8120-gw-byol-mig": "check-point-r8120-gw-byol-mig-631-991001560-v20240425",
+ "check-point-r8120-gw-byol-cluster": "check-point-r8120-gw-byol-cluster-631-991001560-v20240425",
+ "check-point-r8120-byol": "check-point-r8120-byol-631-991001560-v20240425",
+ "check-point-r8110-payg": "check-point-r8110-payg-335-991001560-v20240425",
+ "check-point-r8110-gw-payg-single": "check-point-r8110-gw-payg-single-335-991001560-v20240425",
+ "check-point-r8110-gw-payg-mig": "check-point-r8110-gw-payg-mig-335-991001560-v20240425",
+ "check-point-r8110-gw-payg-cluster": "check-point-r8110-gw-payg-cluster-335-991001560-v20240425",
+ "check-point-r8110-gw-byol-single": "check-point-r8110-gw-byol-single-335-991001560-v20240425",
+ "check-point-r8110-gw-byol-mig": "check-point-r8110-gw-byol-mig-335-991001560-v20240425",
+ "check-point-r8110-gw-byol-cluster": "check-point-r8110-gw-byol-cluster-335-991001560-v20240425",
+ "check-point-r8110-byol": "check-point-r8110-byol-335-991001560-v20240425",
+ "check-point-r81-payg": "check-point-r81-payg-392-991001560-v20240425",
+ "check-point-r81-gw-payg-single": "check-point-r81-gw-payg-single-392-991001560-v20240425",
+ "check-point-r81-gw-payg-mig": "check-point-r81-gw-payg-mig-392-991001560-v20240425",
+ "check-point-r81-gw-payg-cluster": "check-point-r81-gw-payg-cluster-392-991001560-v20240425",
+ "check-point-r81-gw-byol-single": "check-point-r81-gw-byol-single-392-991001560-v20240425",
+ "check-point-r81-gw-byol-mig": "check-point-r81-gw-byol-mig-392-991001560-v20240425",
+ "check-point-r81-gw-byol-cluster": "check-point-r81-gw-byol-cluster-392-991001560-v20240425",
+ "check-point-r81-byol": "check-point-r81-byol-392-991001560-v20240425",
+ "check-point-r8040-payg": "check-point-r8040-payg-294-991001560-v20240425",
+ "check-point-r8040-gw-payg-single": "check-point-r8040-gw-payg-single-294-991001564-v20240505",
+ "check-point-r8040-gw-payg-mig": "check-point-r8040-gw-payg-mig-294-991001564-v20240505",
+ "check-point-r8040-gw-payg-cluster": "check-point-r8040-gw-payg-cluster-294-991001564-v20240505",
+ "check-point-r8040-gw-byol-single": "check-point-r8040-gw-byol-single-294-991001564-v20240505",
+ "check-point-r8040-gw-byol-mig": "check-point-r8040-gw-byol-mig-294-991001564-v20240505",
+ "check-point-r8040-gw-byol-cluster": "check-point-r8040-gw-byol-cluster-294-991001564-v20240505",
+ "check-point-r8040-byol": "check-point-r8040-byol-294-991001560-v20240425"
+}
\ No newline at end of file
diff --git a/gcp/deployment-packages/autoscale-payg/password.py b/gcp/deployment-packages/autoscale-payg/password.py
new file mode 100755
index 00000000..273210a6
--- /dev/null
+++ b/gcp/deployment-packages/autoscale-payg/password.py
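Review bot: The six r8040 gateway entries pin build `991001564-v20240505` while `check-point-r8040-payg`, `check-point-r8040-byol` and every other family pin `991001560-v20240425`; if that split is intentional, a one-line comment above the r8040 block saying so would stop the next image refresh from "fixing" it. This mapping is the only link between the template and the exact image it boots, so a module docstring naming where these image names are published and how they are refreshed (the marketplace project is `checkpoint-public` elsewhere in this commit) would help anyone reviewing an image bump. Whether the file is hand-maintained or generated is not visible here; if generated, a header comment saying so is the usual convention.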
@@ -0,0 +1,135 @@
+# Copyright 2015 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""A DM template that generates password as an output, namely "password".
+
+An example YAML showing how this template can be used:
+ resources:
+ - name: generated-password
+ type: password.py
+ properties:
+ length: 8
+ includeSymbols: true
+ - name: main-template
+ type: main-template.jinja
+ properties:
+ password: $(ref.generated-password.password)
+
+Input properties to this template:
+ - length: the length of the generated password. At least 8. Default 8.
+ - includeSymbols: true/false whether to include symbol chars. Default false.
+
+The generated password satisfies the following requirements:
+ - The length is as specified,
+ - Containing letters and numbers, and optionally symbols if specified,
+ - Starting with a letter,
+ - Containing characters from at least 3 of the 4 categories: uppercases,
+ lowercases, numbers, and symbols.
+
+"""
+
+import random
+import yaml
+
+PROPERTY_LENGTH = 'length'
+PROPERTY_INCLUDE_SYMBOLS = 'includeSymbols'
+
+# Note the omission of some hard to distinguish characters like I, l, 0, and O.
+UPPERS = 'ABCDEFGHJKLMNPQRSTUVWXYZ'
+LOWERS = 'abcdefghijkmnopqrstuvwxyz'
+ALPHABET = UPPERS + LOWERS
+DIGITS = '123456789'
+ALPHANUMS = ALPHABET + DIGITS
+# Including only symbols that can be passed around easily in shell scripts.
+SYMBOLS = '*-+.'
+
+CANDIDATES_WITH_SYMBOLS = ALPHANUMS + SYMBOLS
+CANDIDATES_WITHOUT_SYMBOLS = ALPHANUMS
+
+CATEGORIES_WITH_SYMBOLS = [UPPERS, LOWERS, DIGITS, SYMBOLS]
+CATEGORIES_WITHOUT_SYMBOLS = [UPPERS, LOWERS, DIGITS]
+
+MIN_LENGTH = 8
+
+
+class InputError(Exception):
+ """Raised when input properties are unexpected."""
+
+
+def GenerateConfig(context):
+ """Entry function to generate the DM config."""
+ props = context.properties
+ length = props.setdefault(PROPERTY_LENGTH, MIN_LENGTH)
+ include_symbols = props.setdefault(PROPERTY_INCLUDE_SYMBOLS, False)
+
+ if not isinstance(include_symbols, bool):
+ raise InputError('%s must be a boolean' % PROPERTY_INCLUDE_SYMBOLS)
+
+ content = {
+ 'resources': [],
+ 'outputs': [{
+ 'name': 'password',
+ 'value': GeneratePassword(length, include_symbols)
+ }]
+ }
+ return yaml.dump(content)
+
+
+def GeneratePassword(length=8, include_symbols=False):
+ """Generates a random password."""
+ if length < MIN_LENGTH:
+ raise InputError('Password length must be at least %d' % MIN_LENGTH)
+
+ candidates = (CANDIDATES_WITH_SYMBOLS if include_symbols
+ else CANDIDATES_WITHOUT_SYMBOLS)
+ categories = (CATEGORIES_WITH_SYMBOLS if include_symbols
+ else CATEGORIES_WITHOUT_SYMBOLS)
+
+ # Generates up to the specified length minus the number of categories.
+ # Then inserts one character for each category, ensuring that the character
+ # satisfy the category if the generated string hasn't already.
+ generated = ([random.choice(ALPHABET)] +
+ [random.choice(candidates)
+ for _ in range(length - 1 - len(categories))])
+ for category in categories:
+ _InsertAndEnsureSatisfaction(generated, category, candidates)
+ return ''.join(generated)
+
+
+def _InsertAndEnsureSatisfaction(generated, required, all_candidates):
+ """Inserts 1 char into generated, satisfying required if not already.
+
+ If the required characters are not already in the generated string, one will
+ be inserted. If any required character is already in the generated string, a
+ random character from all_candidates will be inserted. The insertion happens
+ at a random location but not at the beginning.
+
+ Args:
+ generated: the string to be modified.
+ required: list of required characters to check for.
+ all_candidates: list of characters to choose from if the required characters
+ are already satisfied.
+ """
+ if set(generated).isdisjoint(required):
+ # Not yet satisfied. Insert a required candidate.
+ _InsertInto(generated, required)
+ else:
+ # Already satisfied. Insert any candidate.
+ _InsertInto(generated, all_candidates)
+
+
+def _InsertInto(generated, candidates):
+ """Inserts a random candidate into a random non-zero index of generated."""
+ # Avoids inserting at index 0, since the first character follows its own rule.
+ generated.insert(random.randint(1, len(generated) - 1),
+ random.choice(candidates))
diff --git a/gcp/deployment-packages/ha-byol/README.md b/gcp/deployment-packages/ha-byol/README.md
new file mode 100644
index 00000000..f915c4b4
--- /dev/null
+++ b/gcp/deployment-packages/ha-byol/README.md
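Review bot: GeneratePassword and _InsertInto draw every character of the administrator password with the `random` module, a deterministic Mersenne Twister that is not meant for secrets; the stdlib `secrets` module offers the same `choice` call plus `randbelow` for the insertion index, so the swap is four lines across the import, the list build in GeneratePassword and the insert in _InsertInto, shown below (this assumes the Deployment Manager runtime is Python 3.6 or later, which is worth confirming). `secrets.randbelow(len(generated) - 1) + 1` yields the same 1..len-1 range as the current `random.randint(1, len(generated) - 1)`. Separately, GenerateConfig validates only `includeSymbols`; a non-int `length` such as `"8"` escapes as a TypeError from the `length < MIN_LENGTH` comparison instead of an InputError, so `if isinstance(length, bool) or not isinstance(length, int): raise InputError('%s must be an integer' % PROPERTY_LENGTH)` next to the existing boolean check would keep the error surface consistent. The module docstring could also state that the generated value is exposed as the deployment output `password`, so it is readable by anyone who can read the deployment's outputs.
```python
import secrets
# … unchanged: yaml import, constants, InputError, GenerateConfig …
def GeneratePassword(length=8, include_symbols=False):
    # … unchanged: length check, candidates/categories selection, comments …
    generated = ([secrets.choice(ALPHABET)] +
                 [secrets.choice(candidates)
                  for _ in range(length - 1 - len(categories))])
    # … unchanged: category insertion loop and return …
# … unchanged: _InsertAndEnsureSatisfaction …
def _InsertInto(generated, candidates):
    """Inserts a random candidate into a random non-zero index of generated."""
    # Avoids inserting at index 0, since the first character follows its own rule.
    generated.insert(secrets.randbelow(len(generated) - 1) + 1,
                     secrets.choice(candidates))
```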
@@ -0,0 +1,187 @@ +# GCP Deployment Manager package for Check Point High Availability BYOL solution +This directory contains CloudGuard IaaS deployment package for Check Point High Availability (BYOL) solution published in the [GCP Marketplace](https://console.cloud.google.com/marketplace/details/checkpoint-public/check-point-ha--byol). + +# How to deploy the package manually +To deploy the Deployment Manager's package manually, without using the GCP Marketplace, follow these instructions: +1. Clone or download the files in this directory +2. Fill variables in the config.yaml(see below for variables descriptions). +3. Log into [Google Cloud Platform Console](https://console.cloud.google.com) +4. [Activate Cloud Shell](https://cloud.google.com/shell/docs/using-cloud-shell) +5. Set your Cloud Platform project in the Cloud Shell session use: + + gcloud config set project [PROJECT_ID] +6. Upload the content of the CloudGuardIaaS/gcp/deployment-packages/ha-byol/ directory to the [cloud shell](https://cloud.google.com/shell/docs/uploading-and-downloading-files) +7. Launch deployment by running: + + gcloud deployment-manager deployments create [DEPLOYMENT_NAME] --config config.yaml +8. Make sure the deployment finished successfully.
Example of successful deployment output: + + The fingerprint of the deployment is CgwkIUxcTnI5_eZY1g9SFw== + Waiting for create [operation-1585150261645-5a1af8e42d0ba-6b3d4618-5856e790]...done. + Create operation operation-1585150261645-5a1af8e42d0ba-6b3d4618-5856e790 completed successfully. + NAME TYPE STATE ERRORS INTENT + cluster-cluster-network-icmp compute.v1.firewall COMPLETED [] + cluster-cluster-network-tcp compute.v1.firewall COMPLETED [] + cluster-config runtimeconfig.v1beta1.config COMPLETED [] + cluster-member-a compute.v1.instance COMPLETED [] + cluster-member-a-address compute.v1.address COMPLETED [] + cluster-member-b compute.v1.instance COMPLETED [] + cluster-member-b-address compute.v1.address COMPLETED [] + cluster-mgmt-network-esp compute.v1.firewall COMPLETED [] + cluster-mgmt-network-sctp compute.v1.firewall COMPLETED [] + cluster-primary-cluster-address compute.v1.address COMPLETED [] + cluster-secondary-cluster-address compute.v1.address COMPLETED [] + cluster-software runtimeconfig.v1beta1.waiter COMPLETED [] + OUTPUTS VALUE + Deployment cluster + Cluster IP external address 35.201.201.163 + Member A cluster-member-a + Member A external IP 104.199.168.141 + Member B cluster-member-b + Member B external IP 35.221.178.173 + +## config.yaml variables +| Name | Description | Type | Allowed values | +| ------------- | ------------- | ------------- | ------------- | +| **ha_version** | High Availability Version | string | R80.40 Cluster;
R81.00 Cluster;
R81.10 Cluster;
R81.20 Cluster; | +| | | | | | +| **zoneA** | Member A Zone. The zone determines what computing resources are available and where your data is stored and used | string | List of allowed [Regions and Zones](https://cloud.google.com/compute/docs/regions-zones?_ga=2.31926582.-962483654.1585043745) | +| | | | | | +| **zoneB** | Member B Zone | string | Must be in the same region as member A zone | +| | | | | | +| **machineType** | Machine types determine the specifications of your machines, such as the amount of memory, virtual cores, and persistent disk limits an instance will have | string | [Learn more about Machine Types](https://cloud.google.com/compute/docs/machine-types?hl=en_US&_ga=2.267871494.-962483654.1585043745) | +| | | | | | +| **managementNetwork** | Security Management Server address | string | The public address of the Security Management Server, in CIDR notation. If using Smart-1 Cloud insert 'S1C'. VPN peers addresses cannot be in this CIDR block, so this value cannot be the zero-address | +| | | | | | +| **cluster-network-cidr** | Cluster external subnet CIDR.
If the variable's value is not empty double quotes, a new network will be created.
The Cluster public IP will be translated to a private address assigned to the active member in this external network. | string | Specify an RFC 1918 CIDR block that does not overlap with your other networks to create a new network or select an existing one below | +| | | | | | +| **cluster-network-name** | Cluster external network ID. The network determines what network traffic the instance can access | string | Available network in the chosen zone | +| | | | | | +| **cluster-network-subnetwork-name** | Cluster subnet ID. Assigns the instance an IPv4 address from the subnetwork’s range.
If you have specified a CIDR block above, this subnetwork will not be used.
. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. | string | Available subnetwork in the chosen network | +| | | | | | +| **cluster-network_enableTcp** | Allow TCP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **cluster-network_tcpSourceRanges** | Allow TCP traffic from the Internet | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009 [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **cluster-network_enableIcmp** | Allow ICMP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **cluster-network_icmpSourceRanges** | Source IP ranges for ICMP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **cluster-network_enableUdp** | Allow UDP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **cluster-network_udpSourceRanges** | Source IP ranges for UDP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **cluster-network_enableSctp** | Allow SCTP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **cluster-network_sctpSourceRanges** | Source IP ranges for SCTP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **cluster-network_enableEsp** | Allow ESP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **cluster-network_espSourceRanges** | Source IP ranges for ESP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **mgmt-network-cidr** | Management external subnet CIDR.
If the variable's value is not empty double quotes, a new network will be created.
The public IP used to manage each member will be translated to a private address in this external network | string | Specify an RFC 1918 CIDR block that does not overlap with your other networks to create a new network or select an existing one below | +| | | | | | +| **mgmt-network-name** | Management network ID. The network determines what network traffic the instance can access | string | Available network in the chosen zone | +| | | | | | +| **mgmt-network-subnetwork-name** | Management subnet ID. Assigns the instance an IPv4 address from the subnetwork’s range.
If you have specified a CIDR block above, this subnetwork will not be used.
. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. | string | Available subnetwork in the chosen network | +| | | | | | +| **mgmt-network_enableTcp** | Allow TCP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **mgmt-network_tcpSourceRanges** | Allow TCP traffic from the Internet | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009 [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **mgmt-network_enableIcmp** | Allow ICMP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **mgmt-network_icmpSourceRanges** | Source IP ranges for ICMP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **mgmt-network_enableUdp** | Allow UDP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **mgmt-network_udpSourceRanges** | Source IP ranges for UDP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **mgmt-network_enableSctp** | Allow SCTP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **mgmt-network_sctpSourceRanges** | Source IP ranges for SCTP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **mgmt-network_enableEsp** | Allow ESP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **mgmt-network_espSourceRanges** | Source IP ranges for ESP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **diskType** | Disk type | string | pd-ssd;
pd-standard;
Storage space is much less expensive for a standard persistent disk. An SSD persistent disk is better for random IOPS or streaming throughput with low latency. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.66020774.-962483654.1585043745#overview_of_disk_types)| +| | | | | | +| **bootDiskSizeGb** | Disk size in GB | number | Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.232680471.-962483654.1585043745#pdperformance)| +| | | | | | +| **generatePassword** | Automatically generate an administrator password | boolean | true;
false; | +| | | | | | +| **allowUploadDownload** | Allow download from/upload to Check Point | boolean | true;
false; | +| | | | | | +| **enableMonitoring** | Enable Stackdriver monitoring | boolean | true;
false; | +| | | | | | +| **shell** | Admin shell | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh;
| +| | | | | | +| **deployWithPublicIPs** | Deploy HA with public IPs | boolean | true;
false; | +| | | | | | +| **instanceSSHKey** | Public SSH key for the user 'admin' | string | A valid public ssh key | +| | | | | | +| **smart1CloudTokenA** | Smart-1 Cloud token to connect ***member A*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal.| +| | | | | | +| **smart1CloudTokenB** | Smart-1 Cloud token to connect ***member B*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal.| +| | | | | | +| **sicKey** | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server | string | At least 8 alpha numeric characters.
If SIC is not provided and needed, a key will be automatically generated | +| | | | | | +| **numAdditionalNICs** | Number of additional network interfaces | number | A number in the range 0 - 6.
Multiple network interfaces deployment is described in [sk121637 - Deploy a CloudGuard for GCP with Multiple Network Interfaces](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk121637) | +| | | | | | +| **internal-network1-cidr** | 1st internal subnet CIDR.
If the variable's value is not empty double quotes, a new subnet will be created.
Assigns the cluster members an IPv4 address in this internal network | string | Specify an RFC 1918 CIDR block that does not overlap with your other networks to create a new network or select an existing one below | +| | | | | | +| **internal-network1-name** | 1st internal network ID. The network determines what network traffic the instance can access | string | Available network in the chosen zone | +| | | | | | +| **internal-network1-subnetwork-name** | 1st internal subnet ID. Assigns the instance an IPv4 address from the subnetwork’s range.
If you have specified a CIDR block above, this subnetwork will not be used.
Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. | string | Available subnetwork in the chosen network | +| | | | | | +## Example + ha_version: "R81.10 Cluster" + zoneA: "asia-east1-a" + zoneB: "asia-east1-a" + machineType: "n1-standard-4" + diskType: "pd-ssd" + bootDiskSizeGb: 100 + instanceSSHKey: "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" + smart1CloudTokenA: "xxxxxxxxxxxxxxxxxxxxxxxx" + smart1CloudTokenB: "xxxxxxxxxxxxxxxxxxxxxxxx" + enableMonitoring: false + managementNetwork: "209.87.209.100/32" + sicKey: "aaaaaaaa" + generatePassword: false + allowUploadDownload: false + shell: "/bin/bash" + deployWithPublicIPs: true + cluster-network-cidr: "10.0.1.0/24" + cluster-network-name: "external-vpc" + cluster-network-subnetwork-name: "frontend" + cluster-network_enableIcmp: true + cluster-network_icmpSourceRanges: "0.0.0.0/0" + cluster-network_enableTcp: true + cluster-network_tcpSourceRanges: "0.0.0.0/0" + cluster-network_enableUdp: false + cluster-network_udpSourceRanges: "" + cluster-network_enableSctp: false + cluster-network_sctpSourceRanges: "" + cluster-network_enableEsp: false + cluster-network_espSourceRanges: "" + mgmt-network-cidr: "10.0.2.0/24" + mgmt-network-name: "vpc-internal" + mgmt-network-subnetwork-name: "" + mgmt-network_enableIcmp: false + mgmt-network_icmpSourceRanges: "" + mgmt-network_enableTcp: false + mgmt-network_tcpSourceRanges: "" + mgmt-network_enableUdp: true + mgmt-network_udpSourceRanges: "0.0.0.0/0" + mgmt-network_enableSctp: true + mgmt-network_sctpSourceRanges: "0.0.0.0/0" + mgmt-network_enableEsp: true + mgmt-network_espSourceRanges: "0.0.0.0/0" + numInternalNetworks: 1 + internal-network1-cidr: "10.0.3.0/24" + internal-network1-name: "vpc-internal2" + internal-network1-subnetwork-name: "vpc-internal2" + +## Notes +See 
[sk147032](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk147032) for revision history
\ No newline at end of file
diff --git a/gcp/deployment-packages/ha-byol/c2d_deployment_configuration.json b/gcp/deployment-packages/ha-byol/c2d_deployment_configuration.json
new file mode 100755
index 00000000..d92114e1
--- /dev/null
+++ b/gcp/deployment-packages/ha-byol/c2d_deployment_configuration.json
@@ -0,0 +1,7 @@
+{
+ "defaultDeploymentType": "MULTI_VM",
+ "imageName": "check-point-r8120-gw-byol-cluster-634-991001611-v20240613",
+ "projectId": "checkpoint-public",
+ "templateName": "nonexistent_template",
+ "useSolutionPackage": "true"
+}
diff --git a/gcp/deployment-packages/ha-byol/check-point-cluster--byol.py b/gcp/deployment-packages/ha-byol/check-point-cluster--byol.py
new file mode 100755
index 00000000..4a66ea50
--- /dev/null
+++ b/gcp/deployment-packages/ha-byol/check-point-cluster--byol.py
@@ -0,0 +1,492 @@ +# Copyright 2016 Check Point Software LTD. + +import common +import copy +import default +import images +import password + + +MAX_ADDITIONAL_NICS = 6 + +GATEWAY = 'checkpoint-gateway' + +PROJECT = 'checkpoint-public' +LICENSE = 'byol' +LICENCE_TYPE = 'cluster' + +VERSIONS = { + 'R81.10': 'r8110-gw', + 'R81.20': 'r8120-gw' +} + +TEMPLATE_NAME = 'cluster' +TEMPLATE_VERSION = '20240714' + +CLUSTER_NET_FIELD = 'cluster-network' +MGMT_NET_FIELD = 'mgmt-network' +INTERNAL_NET_FIELD = 'internal-network{}' + +MGMT_NIC = 1 + +NO_PUBLIC_IP = 'no-public-ip' + +startup_script = ''' +#cloud-config +runcmd: + - 'python3 /etc/cloud_config.py "generatePassword=\\"{generatePassword}\\"" "allowUploadDownload=\\"{allowUploadDownload}\\"" "templateName=\\"{templateName}\\"" "templateVersion=\\"{templateVersion}\\"" "mgmtNIC=\\"{mgmtNIC}\\"" "hasInternet=\\"{hasInternet}\\"" "config_url=\\"{config_url}\\"" "config_path=\\"{config_path}\\"" "installationType=\\"{installationType}\\"" "enableMonitoring=\\"{enableMonitoring}\\"" "shell=\\"{shell}\\"" "computed_sic_key=\\"{computed_sic_key}\\"" "sicKey=\\"{sicKey}\\"" "managementGUIClientNetwork=\\"{managementGUIClientNetwork}\\"" "primary_cluster_address_name=\\"{primary_cluster_address_name}\\"" "secondary_cluster_address_name=\\"{secondary_cluster_address_name}\\"" "managementNetwork=\\"{managementNetwork}\\"" "numAdditionalNICs=\\"{numAdditionalNICs}\\"" "smart1CloudToken=\\"{smart1CloudToken}\\"" "name=\\"{name}\\"" "zone=\\"{zoneConfig}\\"" "region=\\"{region}\\"" "osVersion=\\"{osVersion}\\"" "MaintenanceModePassword=\\"{maintenanceMode}\\""' +''' + + +def make_gw(context, name, zone, nics, passwd=None, depends_on=None, + smart1cloudToken=None): + cg_version = context.properties['ha_version'].split(' ')[0] + if 'gw' in VERSIONS[cg_version]: + license_name = "{}-{}".format(LICENSE, LICENCE_TYPE) + else: + license_name = LICENSE + family = '-'.join(['check-point', VERSIONS[cg_version], license_name]) + formatter = 
common.DefaultFormatter() + + context.properties['smart1CloudToken'] = smart1cloudToken + context.properties['name'] = name + context.properties['zoneConfig'] = zone + context.properties['osVersion'] = cg_version.replace(".", "") + + gw = { + 'type': default.INSTANCE, + 'name': name, + 'metadata': { + 'dependsOn': depends_on + }, + 'properties': { + 'description': 'CloudGuard Highly Available Security Cluster', + 'zone': zone, + 'tags': { + 'items': [GATEWAY], + }, + 'machineType': common.MakeLocalComputeLink( + context, default.MACHINETYPE, zone), + 'canIpForward': True, + 'networkInterfaces': nics, + 'disks': [{ + 'autoDelete': True, + 'boot': True, + 'deviceName': common.set_name_and_truncate( + context.properties['deployment'], + '-{}-boot'.format(name)), + 'initializeParams': { + 'diskType': common.MakeLocalComputeLink( + context, default.DISKTYPE, zone), + 'diskSizeGb': context.properties['bootDiskSizeGb'], + 'sourceImage': + 'projects/%s/global/images/%s' % ( + PROJECT, images.IMAGES[family]), + }, + 'type': 'PERSISTENT', + }], + 'metadata': { + 'items': [ + { + 'key': 'startup-script', + 'value': formatter.format( + startup_script, **context.properties) + } + ] + }, + 'serviceAccounts': [{ + 'email': 'default', + 'scopes': [ + 'https://www.googleapis.com/auth/monitoring.write', + 'https://www.googleapis.com/auth/compute', + 'https://www.googleapis.com/auth/cloudruntimeconfig' + ], + }] + } + } + + if 'instanceSSHKey' in context.properties: + gw['properties']['metadata']['items'].append( + { + 'key': 'instanceSSHKey', + 'value': context.properties['instanceSSHKey'] + } + ) + + if passwd: + gw['properties']['metadata']['items'].append( + { + 'key': 'adminPasswordSourceMetadata', + 'value': passwd + } + ) + + return gw + + +def make_access_config(ip, name=None): + access_config = { + 'type': default.ONE_NAT, + 'natIP': ip + } + + if name: + access_config['name'] = name + + return access_config + + +def make_static_address(prop, name): + address = { + 'name': 
name, + 'type': default.ADDRESS, + 'properties': { + 'name': name, + 'region': prop['region'] + } + } + + return address + + +def create_external_addresses_if_needed( + prop, resources, member_a_nics, member_b_nics): + if not prop['deployWithPublicIPs']: + prop['primary_cluster_address_name'] = NO_PUBLIC_IP + prop['secondary_cluster_address_name'] = NO_PUBLIC_IP + else: + member_a_address_name = common.set_name_and_truncate( + prop['deployment'], '-member-a-address') + member_b_address_name = common.set_name_and_truncate( + prop['deployment'], '-member-b-address') + + prop['member_a_address_name'] = member_a_address_name + prop['member_b_address_name'] = member_b_address_name + + member_a_address = make_static_address(prop, member_a_address_name) + member_b_address = make_static_address(prop, member_b_address_name) + + resources += [member_a_address, member_b_address] + + member_a_nics[MGMT_NIC]['accessConfigs'] = [make_access_config( + '$(ref.{}.address)'.format(member_a_address_name))] + member_b_nics[MGMT_NIC]['accessConfigs'] = [make_access_config( + '$(ref.{}.address)'.format(member_b_address_name))] + + primary_cluster_address_name = common.set_name_and_truncate( + prop['deployment'], '-primary-cluster-address') + secondary_cluster_address_name = common.set_name_and_truncate( + prop['deployment'], '-secondary-cluster-address') + + primary_cluster_address = make_static_address( + prop, primary_cluster_address_name) + secondary_cluster_address = make_static_address( + prop, secondary_cluster_address_name) + + resources += [primary_cluster_address, secondary_cluster_address] + + prop['primary_cluster_address_name'] = primary_cluster_address_name + prop['secondary_cluster_address_name'] = secondary_cluster_address_name + + +def make_nic(prop, net_name, subnet_name): + network_interface = { + 'network': ''.join([default.COMPUTE_URL_BASE, 'projects/', + prop['project'], '/global/networks/', + net_name]), + 'subnetwork': ''.join([default.COMPUTE_URL_BASE, 
'projects/', + prop['project'], '/regions/', prop['region'], + '/subnetworks/', subnet_name]) + } + + return network_interface + + +def make_subnet(prop, name, net_name, cidr, private_google_access=False): + subnet = { + 'type': default.VPC_SUBNET, + 'name': name, + 'metadata': { + 'dependsOn': [net_name] + }, + 'properties': { + 'network': 'projects/{}/global' + '/networks/{}'.format(prop['project'], net_name), + 'region': prop['region'], + 'ipCidrRange': cidr, + 'privateIpGoogleAccess': private_google_access, + 'enableFlowLogs': False + } + } + + return subnet + + +def make_net(name): + net = { + 'type': default.VPC, + 'name': name, + 'properties': { + 'autoCreateSubnetworks': False + } + } + + return net + + +def get_or_create_net(prop, name, resources, gw_dependencies, + private_google_access=False, create_firewall=False): + net_cidr = prop.get(name + '-cidr') + + if net_cidr: + net_name = '{}-{}'.format(prop['deployment'][:20], name) + subnet_name = '{}-subnet'.format(net_name) + net = make_net(net_name) + subnet = make_subnet( + prop, subnet_name, net_name, net_cidr, private_google_access) + + resources += [net, subnet] + gw_dependencies.append(subnet_name) + else: + net_name = prop.get(name + '-name') + subnet_name = prop.get(name + '-subnetwork-name') + if not subnet_name: + raise common.Error( + 'Network {} is missing.'.format(net_name.split('-'))) + + if create_firewall: + firewall_rules = create_firewall_rules(prop, name, net_name, net_cidr) + if firewall_rules: + resources.extend(firewall_rules) + + return net_name, subnet_name + + +def create_firewall_rules(prop, net_prop_name, net_name, net_cidr): + deployment = prop['deployment'] + firewall_rules = [] + protocols = ['Icmp', 'Udp', 'Tcp', 'Sctp', 'Esp'] + for protocol in protocols: + proto = protocol.lower() + source_ranges = prop.get(net_prop_name + '_' + proto + + 'SourceRanges', '') + protocol_enabled = prop.get(net_prop_name + '_enable' + protocol, '') + if protocol_enabled and source_ranges: + 
firewall_rules.append( + make_firewall_rule(proto, source_ranges, deployment, + net_prop_name, net_name, net_cidr)) + + return firewall_rules + + +def make_firewall_rule(protocol, source_ranges, deployment, net_prop_name, + net_name, net_cidr): + fw_rule_name = '%s-%s-%s' % (deployment[:40], net_prop_name, protocol) + ranges_list = source_ranges.split(',') + ranges = [] + for source_range in ranges_list: + ranges.append(source_range.replace(" ", "")) + firewall_rule = { + 'type': default.FIREWALL, + 'name': fw_rule_name, + 'properties': { + 'network': 'global/networks/' + net_name, + 'sourceRanges': ranges, + 'targetTags': [GATEWAY], + 'allowed': [{'IPProtocol': protocol}], + } + } + + if net_cidr: + firewall_rule['metadata'] = { + 'dependsOn': [net_name] + } + + return firewall_rule + + +def add_readiness_waiter(prop, resources): + deployment_config = common.set_name_and_truncate( + prop['deployment'], '-config') + + prop['config_path'] = 'projects/{}/configs/{}'.format( + prop['project'], deployment_config) + prop['config_url'] = ( + 'https://runtimeconfig.googleapis.com/v1beta1/{}'.format( + prop['config_path'])) + + resources.append( + { + 'name': deployment_config, + 'type': 'runtimeconfig.v1beta1.config', + 'properties': { + 'config': deployment_config, + 'description': ( + 'Holds software readiness status ' + 'for deployment {}').format(prop['deployment']) + } + } + ) + + resources.append( + { + 'name': common.set_name_and_truncate( + prop['deployment'], '-software'), + 'type': 'runtimeconfig.v1beta1.waiter', + 'metadata': { + 'dependsOn': [], + }, + 'properties': { + 'parent': '$(ref.{}.name)'.format(deployment_config), + 'waiter': 'software', + 'timeout': '1800s', + 'success': { + 'cardinality': { + 'number': 2, + 'path': 'status/success', + }, + }, + 'failure': { + 'cardinality': { + 'number': 1, + 'path': 'status/failure', + }, + }, + }, + } + ) + + +def validate_same_region(zone_a, zone_b): + if not common.ZoneToRegion(zone_a) == 
common.ZoneToRegion(zone_b): + raise common.Error('Member A Zone ({}) and Member B Zone ({}) ' + 'are not in the same region'.format(zone_a, zone_b)) + + +def validate_both_tokens(token_a, token_b): + if (not token_a and token_b) or (not token_b and token_a) or \ + (token_a and token_a == token_b): + raise common.Error('To connect to Smart-1 Cloud, \ + you must provide two tokens (one per member)') + + +def validate_mgmt_network_if_required(token_a, mgmt_network): + if not token_a and mgmt_network == "S1C": + raise common.Error( + 'Public address of the Security Management Server is required') + + +@common.FormatErrorsDec +def generate_config(context): + prop = context.properties + + validate_same_region(prop['zoneA'], prop['zoneB']) + validate_both_tokens(prop['smart1CloudTokenA'], prop['smart1CloudTokenB']) + validate_mgmt_network_if_required( + prop['smart1CloudTokenA'], prop['managementNetwork']) + + prop['deployment'] = context.env['deployment'] + prop['project'] = context.env['project'] + prop['region'] = common.ZoneToRegion(prop['zoneA']) + prop['templateName'] = TEMPLATE_NAME + prop['templateVersion'] = TEMPLATE_VERSION + prop['allowUploadDownload'] = str(prop['allowUploadDownload']).lower() + prop['hasInternet'] = 'true' # via Google Private Access + prop['installationType'] = 'Cluster' + + resources = [] + outputs = [] + gw_dependencies = [] + member_a_nics = [] + + add_readiness_waiter(prop, resources) + + cluster_net_name, cluster_subnet_name = get_or_create_net( + prop, CLUSTER_NET_FIELD, resources, gw_dependencies, True, True) + member_a_nics.append(make_nic(prop, cluster_net_name, cluster_subnet_name)) + + mgmt_net_name, mgmt_subnet_name = get_or_create_net( + prop, MGMT_NET_FIELD, resources, gw_dependencies, False, True) + member_a_nics.append(make_nic(prop, mgmt_net_name, mgmt_subnet_name)) + + for ifnum in range(1, prop['numInternalNetworks'] + 1): + int_net_name, int_subnet_name = get_or_create_net( + prop, INTERNAL_NET_FIELD.format(ifnum), 
resources, + gw_dependencies) + member_a_nics.append(make_nic(prop, int_net_name, int_subnet_name)) + + member_b_nics = copy.deepcopy(member_a_nics) + + create_external_addresses_if_needed( + prop, resources, member_a_nics, member_b_nics) + + member_a_name = common.set_name_and_truncate( + prop['deployment'], '-member-a') + member_b_name = common.set_name_and_truncate( + prop['deployment'], '-member-b') + + if prop['generatePassword']: + passwd = password.GeneratePassword(12, False) + else: + passwd = '' + + member_a = make_gw(context, member_a_name, prop['zoneA'], + member_a_nics, passwd, gw_dependencies, + prop['smart1CloudTokenA']) + member_b = make_gw(context, member_b_name, prop['zoneB'], + member_b_nics, passwd, gw_dependencies, + prop['smart1CloudTokenB']) + + resources += [member_a, member_b] + + outputs += [ + { + 'name': 'deployment', + 'value': prop['deployment'] + }, + { + 'name': 'project', + 'value': prop['project'] + }, + { + 'name': 'vmAName', + 'value': member_a_name, + }, + { + 'name': 'vmASelfLink', + 'value': '$(ref.{}.selfLink)'.format(member_a_name), + }, + { + 'name': 'vmBName', + 'value': member_b_name, + }, + { + 'name': 'vmBSelfLink', + 'value': '$(ref.{}.selfLink)'.format(member_b_name), + }, + { + 'name': 'password', + 'value': passwd + } + ] + + if prop['deployWithPublicIPs']: + outputs += [ + { + 'name': 'clusterIP', + 'value': '$(ref.{}.address)'.format( + prop['primary_cluster_address_name']) + }, + { + 'name': 'vmAExternalIP', + 'value': '$(ref.{}.address)'.format( + prop['member_a_address_name']) + }, + { + 'name': 'vmBExternalIP', + 'value': '$(ref.{}.address)'.format( + prop['member_b_address_name']) + } + ] + + return common.MakeResource(resources, outputs) diff --git a/gcp/deployment-packages/ha-byol/check-point-cluster--byol.py.schema b/gcp/deployment-packages/ha-byol/check-point-cluster--byol.py.schema new file mode 100755 index 00000000..d01c7887 --- /dev/null 
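Review bot: The Smart-1 Cloud tokens reach the cloud-config `runcmd` shell line unvalidated: make_gw copies `smart1cloudToken` into `context.properties` and `formatter.format(startup_script, **context.properties)` splices it into the double-quoted `"smart1CloudToken=\"{smart1CloudToken}\""` argument of the `python3 /etc/cloud_config.py` command, while the other interpolated user values (sicKey, managementNetwork, maintenanceMode) are constrained by schema patterns, so a token containing `"`, `'`, `$` or a backtick breaks the quoting of that command. validate_both_tokens is the natural place to reject such values, e.g. `if any(c in ((token_a or '') + (token_b or '')) for c in '"\'$`\\'): raise common.Error('Smart-1 Cloud token contains unsupported characters')` — the exact allowed alphabet should be confirmed against the real token format and preferably expressed as a schema `pattern` as well. Separately, the generated admin password is written to instance metadata (`adminPasswordSourceMetadata`) and exported verbatim as the `password` deployment output, so anyone with read access to the deployment or to the instance metadata can obtain it; the template documentation should say so. A smaller defect in get_or_create_net: when neither `<name>-cidr` nor `<name>-name` is supplied, `net_name` is None and `net_name.split('-')` in the error path raises AttributeError instead of the intended common.Error.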
+++ b/gcp/deployment-packages/ha-byol/check-point-cluster--byol.py.schema 
@@ -0,0 +1,398 @@ +imports: + - path: check-point-cluster--byol.py + +info: + version: 1.0 + title: Check Point CloudGuard Network Security Cluster - BYOL Template + +required: + - zoneA + - zoneB + - machineType + - diskType + - bootDiskSizeGb + - sicKey + - managementNetwork + - allowUploadDownload + - shell + - generatePassword + - enableMonitoring + - numInternalNetworks + +properties: + zoneA: + type: string + default: us-central1-a + x-googleProperty: + type: GCE_ZONE + zoneB: + type: string + default: us-central1-a + x-googleProperty: + type: GCE_ZONE + machineType: + type: string + default: n1-standard-4 + x-googleProperty: + type: GCE_MACHINE_TYPE + zoneProperty: zoneA + gceMachineType: + minCpu: 2 + minRamGb: 1.843000054359436 + deployWithPublicIPs: + type: boolean + default: True + instanceSSHKey: + type: string + pattern: ^([0-9a-z\-]+ +[0-9A-Za-z/\+=]+( .*)?|)$ + default: '' + smart1CloudTokenA: + type: string + default: '' + smart1CloudTokenB: + type: string + default: '' + diskType: + type: string + default: pd-ssd + x-googleProperty: + type: GCE_DISK_TYPE + zoneProperty: zoneA + bootDiskSizeGb: + type: integer + maximum: 1000 + default: 100 + minimum: 100 + x-googleProperty: + type: GCE_DISK_SIZE + gceDiskSize: + diskTypeProperty: diskType + ha_version: + type: string + default: R81.20 Cluster + enum: + - R81.10 Cluster + - R81.20 Cluster + enableMonitoring: + type: boolean + default: False + sicKey: + type: string + pattern: ^([a-z0-9A-Z]{8,30})$ + default: '' + managementNetwork: + type: string + default: '' + pattern: ^((?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2]))|(S1C)$ + generatePassword: + type: boolean + default: False + maintenanceMode: + type: string + pattern: ^([a-z0-9A-Z.]{12,300}|)$ + default: '' + allowUploadDownload: + type: boolean + default: False + shell: + type: string + default: /etc/cli.sh + enum: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + cluster-network-cidr: + type: string + default: 
'10.0.0.0/24' + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + cluster-network-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + cluster-network-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: cluster-network-name + cluster-network_enableIcmp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: cluster-network-name + cluster-network_icmpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: cluster-network_enableIcmp + cluster-network_enableTcp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: cluster-network-name + cluster-network_tcpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: cluster-network_enableTcp + cluster-network_enableUdp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: cluster-network-name + cluster-network_udpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: cluster-network_enableUdp + cluster-network_enableSctp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: cluster-network-name + cluster-network_sctpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: cluster-network_enableSctp + cluster-network_enableEsp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: cluster-network-name + cluster-network_espSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: cluster-network_enableEsp + 
mgmt-network-cidr: + type: string + default: '10.0.1.0/24' + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + mgmt-network-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + mgmt-network-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: mgmt-network-name + mgmt-network_enableIcmp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: mgmt-network-name + mgmt-network_icmpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: mgmt-network_enableIcmp + mgmt-network_enableTcp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: mgmt-network-name + mgmt-network_tcpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: mgmt-network_enableTcp + mgmt-network_enableUdp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: mgmt-network-name + mgmt-network_udpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: mgmt-network_enableUdp + mgmt-network_enableSctp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: mgmt-network-name + mgmt-network_sctpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: mgmt-network_enableSctp + mgmt-network_enableEsp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: mgmt-network-name + mgmt-network_espSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: mgmt-network_enableEsp + numInternalNetworks: + type: 
integer + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + minimum: 1 + maximum: 6 + default: 1 + internal-network1-cidr: + type: string + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + default: '10.0.2.0/24' + internal-network1-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + internal-network1-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: internal-network1-name + internal-network2-cidr: + type: string + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + default: '' + internal-network2-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + internal-network2-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: internal-network2-name + internal-network3-cidr: + type: string + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + default: '' + internal-network3-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + internal-network3-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: internal-network3-name + internal-network4-cidr: + type: string + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + default: '' + internal-network4-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + internal-network4-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: internal-network4-name + internal-network5-cidr: + type: string + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + default: '' + internal-network5-name: + type: string + 
pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + internal-network5-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: internal-network5-name + internal-network6-cidr: + type: string + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + default: '' + internal-network6-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + internal-network6-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: internal-network6-name + +outputs: + deployment: + type: string + project: + type: string + clusterIP: + type: string + vmAName: + type: string + vmAExternalIP: + type: string + vmASelfLink: + type: string + vmBName: + type: string + vmBExternalIP: + type: string + vmBSelfLink: + type: string + password: + type: string + ha_version: + type: string diff --git a/gcp/deployment-packages/ha-byol/common.py b/gcp/deployment-packages/ha-byol/common.py new file mode 100755 index 00000000..e123c502 --- /dev/null +++ b/gcp/deployment-packages/ha-byol/common.py 
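Review bot: The CIDR `pattern` values on cluster-network-cidr, mgmt-network-cidr and internal-network1..6-cidr validate nothing: in `^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$` the alternation binds looser than the anchors, so the second branch is a bare `$`, which matches every string under the unanchored search that schema `pattern` uses. The intended "valid CIDR or empty" form is `^((?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|)$`. managementNetwork has the mirror problem: `^(CIDR)|(S1C)$` accepts any string that starts with a CIDR or ends in `S1C`, and should be `^((?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|S1C)$`. smart1CloudTokenA and smart1CloudTokenB carry no `pattern` at all even though the template interpolates them into the instance startup script, so a character-set restriction matching the real token format belongs there too.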
@@ -0,0 +1,262 @@ +# Copyright 2015 Google Inc. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +"""Generic simple functions used for python based template generation.""" + +import re +import sys +import traceback +import default +import string + +import yaml + +RFC1035_RE = re.compile(r'^[a-z][-a-z0-9]{1,61}[a-z0-9]{1}$') + + +class Error(Exception): + """Common exception wrapper for template exceptions.""" + pass + + +class DefaultFormatter(string.Formatter): + """Returns default instead of key error when looking for keys. + + Used for startup-script which contains params from multiple deployments + whiles keys from one deployment may not be set in another. 
+ """ + def __init__(self, default=''): + self.default = default + def get_value(self, key, args, dict): + if isinstance(key, str): + return dict.get(key, self.default) + else: + return string.Formatter.get_value(key, args, dict) + + +def set_name_and_truncate(primary, secondary, maxlength=62): + return '%s%s' % (primary[:maxlength - len(secondary)], secondary) + + +def AddDiskResourcesIfNeeded(context): + """Checks context if disk resources need to be added.""" + if default.DISK_RESOURCES in context.properties: + return context.properties[default.DISK_RESOURCES] + else: + return [] + + +def AutoName(base, resource, *args): + """Helper method to generate names automatically based on default.""" + auto_name = '%s-%s' % (base, '-'.join(list(args) + [default.AKA[resource]])) + if not RFC1035_RE.match(auto_name): + raise Error('"%s" name for type %s does not match RFC1035 regex (%s)' % + (auto_name, resource, RFC1035_RE.pattern)) + return auto_name + + +def AutoRef(base, resource, *args): + """Helper method that builds a reference for an auto-named resource.""" + return Ref(AutoName(base, resource, *args)) + + +def OrderedItems(dict_obj): + """Convenient method to yield sorted iteritems of a dictionary.""" + keys = list(dict_obj.keys()) + keys.sort() + for k in keys: + yield (k, dict_obj[k]) + + +def ShortenZoneName(zone): + """Given a string that looks like a zone name, creates a shorter version.""" + geo, coord, number, letter = re.findall(r'(\w+)-(\w+)(\d)-(\w)', zone)[0] + geo = geo.lower() if len(geo) == 2 else default.LOC[geo.lower()] + coord = default.LOC[coord.lower()] + number = str(number) + letter = letter.lower() + return geo + '-' + coord + number + letter + + +def ZoneToRegion(zone): + """Derives the region from a zone name.""" + parts = zone.split('-') + if len(parts) != 3: + raise Error('Cannot derive region from zone "%s"' % zone) + return '-'.join(parts[:2]) + + +def FormatException(message): + """Adds more information to the exception.""" + message = 
('Exception Type: %s\n' + 'Details: %s\n' + 'Message: %s\n') % (sys.exc_info()[0], + traceback.format_exc(), message) + return message + + +def Ref(name): + return '$(ref.%s.selfLink)' % name + + +def RefGroup(name): + return '$(ref.%s.instanceGroup)' % name + + +def GlobalComputeLink(project, collection, name): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/global/', + collection, '/', name]) + +def GlobalNetworkLink(project, network): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/global/', + default.NETWORKS, '/', network]) + + +def LocalComputeLink(project, zone, key, value): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/zones/', + zone, '/', key, '/', value]) + + +def ReadContext(context, prop_key): + return (context.env['project'], context.properties.get('zone', None), + context.properties[prop_key]) + + +def MakeLocalComputeLink(context, key, zone=None): + if not zone: + project, zone, value = ReadContext(context, key) + else: + project, _, value = ReadContext(context, key) + + if IsComputeLink(value): + return value + else: + return LocalComputeLink(project, zone, key + 's', value) + + +def MakeGlobalComputeLink(context, key): + project, _, value = ReadContext(context, key) + if IsComputeLink(value): + return value + else: + return GlobalComputeLink(project, key + 's', value) + +def MakeRegionalSubnetworkLink(project, zone, subnet): + region = ZoneToRegion(zone) + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/regions/', + region, '/subnetworks/', subnet]) + + +def MakeSubnetworkComputeLink(context, key): + project, zone, value = ReadContext(context, key) + region = ZoneToRegion(zone) + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/regions/', + region, '/subnetworks/', value]) + + +def MakeFQHN(context, name): + return '%s.c.%s.internal' % (name, context.env['project']) + + +# TODO(victorg): Consider moving this method to a different file +def 
MakeC2DImageLink(name, dev_mode=False): + if IsGlobalProjectShortcut(name) or name.startswith('http'): + return name + else: + if dev_mode: + return 'global/images/%s' % name + else: + return GlobalComputeLink(default.C2D_IMAGES, 'images', name) + + +def IsGlobalProjectShortcut(name): + return name.startswith('projects/') or name.startswith('global/') + + +def IsComputeLink(name): + return (name.startswith(default.COMPUTE_URL_BASE) or + name.startswith(default.REFERENCE_PREFIX)) + + +def GetNamesAndTypes(resources_dict): + return [(d['name'], d['type']) for d in resources_dict] + + +def SummarizeResources(res_dict): + """Summarizes the name of resources per resource type.""" + result = {} + for res in res_dict: + result.setdefault(res['type'], []).append(res['name']) + return result + + +def ListPropertyValuesOfType(res_dict, prop, res_type): + """Lists all the values for a property of a certain type.""" + return [r['properties'][prop] for r in res_dict if r['type'] == res_type] + + +def MakeResource(resource_list, output_list=None): + """Wrapper for a DM template basic spec.""" + content = {'resources': resource_list} + if output_list: + content['outputs'] = output_list + return yaml.dump(content) + + +def TakeZoneOut(properties): + """Given a properties dictionary, removes the zone specific information.""" + + def _CleanZoneUrl(value): + value = value.split('/')[-1] if IsComputeLink(value) else value + return value + + for name in default.VM_ZONE_PROPERTIES: + if name in properties: + properties[name] = _CleanZoneUrl(properties[name]) + if default.ZONE in properties: + properties.pop(default.ZONE) + if default.BOOTDISK in properties: + properties[default.BOOTDISK] = _CleanZoneUrl(properties[default.BOOTDISK]) + if default.DISKS in properties: + for disk in properties[default.DISKS]: + # Don't touch references to other disks + if default.DISK_SOURCE in disk: + continue + if default.INITIALIZEP in disk: + disk_init = disk[default.INITIALIZEP] + if default.DISKTYPE 
in disk_init: + disk_init[default.DISKTYPE] = _CleanZoneUrl(disk_init[default.DISKTYPE]) + + +def GenerateEmbeddableYaml(yaml_string): + # Because YAML is a space delimited format, we need to be careful about + # embedding one YAML document in another. This function takes in a string in + # YAML format and produces an equivalent YAML representation that can be + # inserted into arbitrary points of another YAML document. It does so by + # printing the YAML string in a single line format. Consistent ordering of + # the string is also guaranteed by using yaml.dump. + yaml_object = yaml.load(yaml_string) + dumped_yaml = yaml.dump(yaml_object, default_flow_style=True) + return dumped_yaml + + +def FormatErrorsDec(func): + """Decorator to format exceptions if they get raised.""" + + def FormatErrorsWrap(context): + try: + return func(context) + except Exception as e: + raise Error(FormatException(e.message)) + + return FormatErrorsWrap diff --git a/gcp/deployment-packages/ha-byol/config.yaml b/gcp/deployment-packages/ha-byol/config.yaml new file mode 100644 index 00000000..e8012a71 --- /dev/null +++ b/gcp/deployment-packages/ha-byol/config.yaml 
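Review bot: FormatErrorsWrap's `raise Error(FormatException(e.message))` will itself fail under Python 3 (which the template's `python3` startup invocation suggests is the target), because `BaseException` no longer has a `.message` attribute; every error raised inside generate_config then surfaces as an AttributeError from the decorator rather than the formatted common.Error, and the original exception chain is lost. It should read `raise Error(FormatException(str(e))) from e`. GenerateEmbeddableYaml calls `yaml.load(yaml_string)` with no Loader: on PyYAML before 5.1 that is the full loader, which can construct arbitrary Python objects from tagged YAML input, and on PyYAML 6 it is a TypeError; `yaml_object = yaml.safe_load(yaml_string)` is the right call for plain data. FormatException also embeds `traceback.format_exc()` in the user-visible error text, which exposes internal file paths and stack frames in deployment output; consider logging the trace and returning only the message.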
@@ -0,0 +1,73 @@ +imports: +- path: check-point-cluster--byol.py +- path: common.py +- path: default.py +- path: password.py +- path: images.py + +resources: +- name: check-point-cluster--byol + type: check-point-cluster--byol.py + properties: + ha_version: "PLEASE ENTER HA VERSION" + zoneA: "PLEASE ENTER ZONE A" + zoneB: "PLEASE ENTER ZONE B. MUST BE IN THE SAME REGION AS MEMBER A ZONE" + machineType: "PLEASE ENTER A MACHINE TYPE" + diskType: "PLEASE ENTER A DISK TYPE" + #To connect to Smart-1 Cloud you must provide two valid tokens (one per member) + smart1CloudTokenA: "PLEASE ENTER A TOKEN TO CONNECT TO SMART-1 CLOUD FOR MEMBER A OR LEAVE EMPTY DOUBLE QUOTES" + smart1CloudTokenB: "PLEASE ENTER A TOKEN TO CONNECT TO SMART-1 CLOUD FOR MEMBER B OR LEAVE EMPTY DOUBLE QUOTES" + bootDiskSizeGb: "PLEASE ENTER A DISK SIZE" + instanceSSHKey: "PLEASE ENTER A VALID PUBLIC KEY" + enableMonitoring: "PLEASE ENTER true or false" + managementNetwork: "PLEASE ENTER MANAGEMENT IP, if using Smart-1 Cloud insert 'S1C'" + sicKey: "PLEASE ENTER A SIC KEY" + generatePassword: "PLEASE ENTER true or false" + allowUploadDownload: "PLEASE ENTER true or false" + shell: "PLEASE ENTER A SHELL" + deployWithPublicIPs: "PLEASE ENTER true or false" + cluster-network-cidr: "PLEASE ENTER CLUSTER NETWORK CIDR" + cluster-network-name: "PLEASE ENTER CLUSTER NETWORK ID" + cluster-network-subnetwork-name: "PLEASE ENTER CLUSTER SUBNETWORK ID" + cluster-network_enableIcmp: "PLEASE ENTER true or false" + cluster-network_icmpSourceRanges: "PLEASE ENTER ICMP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES" + cluster-network_enableTcp: "PLEASE ENTER true or false" + cluster-network_tcpSourceRanges: "PLEASE ENTER TCP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES" + cluster-network_enableUdp: "PLEASE ENTER true or false" + cluster-network_udpSourceRanges: "PLEASE ENTER UDP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES" + cluster-network_enableSctp: "PLEASE ENTER true or false" + cluster-network_sctpSourceRanges: "PLEASE 
ENTER SCTP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES" + cluster-network_enableEsp: "PLEASE ENTER true or false" + cluster-network_espSourceRanges: "PLEASE ENTER ESP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES" + mgmt-network-cidr: "PLEASE ENTER MANAGEMENT NETWORK CIDR" + mgmt-network-name: "PLEASE ENTER MANAGEMENT NETWORK ID" + mgmt-network-subnetwork-name: "PLEASE ENTER MANAGEMENT SUBNETWORK ID" + mgmt-network_enableIcmp: "PLEASE ENTER true or false" + mgmt-network_icmpSourceRanges: "PLEASE ENTER ICMP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES" + mgmt-network_enableTcp: "PLEASE ENTER true or false" + mgmt-network_tcpSourceRanges: "PLEASE ENTER TCP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES" + mgmt-network_enableUdp: "PLEASE ENTER true or false" + mgmt-network_udpSourceRanges: "PLEASE ENTER UDP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES" + mgmt-network_enableSctp: "PLEASE ENTER true or false" + mgmt-network_sctpSourceRanges: "PLEASE ENTER SCTP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES" + mgmt-network_enableEsp: "PLEASE ENTER true or false" + mgmt-network_espSourceRanges: "PLEASE ENTER ESP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES" + #Define additional NICs networks and subnetworks according the defined numAdditionalNICs value + #If there is no need in additional NICs remove additionalNetwork1 and additionalSubnetwork1 variables + numInternalNetworks: "PLEASE ENTER A NUMBER OF ADDITIONAL NICS" + internal-network1-cidr: "PLEASE ENTER 1ST INTERNAL NETWORK CIDR" + internal-network1-name: "PLEASE ENTER 1ST INTERNAL NETWORK ID" + internal-network1-subnetwork-name: "PLEASE ENTER INTERNAL SUBNETWORK ID" +outputs: +- name: "Deployment" + value: $(ref.check-point-cluster--byol.deployment) +- name: "Cluster IP external address" + value: $(ref.check-point-cluster--byol.clusterIP) +- name: "Member A" + value: $(ref.check-point-cluster--byol.vmAName) +- name: "Member A external IP" + value: $(ref.check-point-cluster--byol.vmAExternalIP) +- name: "Member B" + value: 
$(ref.check-point-cluster--byol.vmBName) +- name: "Member B external IP" + value: $(ref.check-point-cluster--byol.vmBExternalIP) \ No newline at end of file diff --git a/gcp/deployment-packages/ha-byol/default.py b/gcp/deployment-packages/ha-byol/default.py new file mode 100755 index 00000000..0c7dd919 --- /dev/null +++ b/gcp/deployment-packages/ha-byol/default.py 
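Review bot: The comment above the internal-network entries refers to `numAdditionalNICs`, `additionalNetwork1` and `additionalSubnetwork1`, but the keys this file actually defines are `numInternalNetworks`, `internal-network1-name` and `internal-network1-subnetwork-name`, so a user following the comment will look for properties that do not exist. Suggest rewording it to `#Define additional internal networks and subnetworks according to the numInternalNetworks value` and `#If no additional NICs are needed, remove the internal-network1-* variables`. Separately, `sicKey`, `smart1CloudTokenA` and `smart1CloudTokenB` are secrets once filled in, and this template is meant to be copied and edited in place; a line such as `# Do not commit this file once the SIC key and Smart-1 Cloud token fields are populated` would save users who vendor the package into their own repository from leaking them.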
@@ -0,0 +1,134 @@ +# Copyright 2015 Google Inc. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +"""Convenience module to hold default constants for C2D components. + +There should not be any logic in this module. Its purpose is to simplify +analysis of commonly used GCP and properties names and identify the names +that were custom created for these modules. +""" +# Generic constants +C2D_IMAGES = 'click-to-deploy-images' + +# URL constants +COMPUTE_URL_BASE = 'https://www.googleapis.com/compute/v1/' + +# Deployment Manager constructs +REFERENCE_PREFIX = '$(ref.' 
+ +# Commonly used in properties namespace +AUTO_DELETE = 'autoDelete' +BOOTDISK = 'bootDiskType' +BOOTDISKSIZE = 'bootDiskSizeGb' +C_IMAGE = 'containerImage' +DC_MANIFEST = 'dcManifest' +DEPLOYMENT = 'DEPLOYMENT' # used in the deployment coordinator +DISK_NAME = 'diskName' +DISK_RESOURCES = 'addedDiskResources' +DISK_SOURCE = 'source' +ENDPOINT_NAME = 'serviceRegistryEndpointName' +FIXED_GCLOUD = 'fixedGcloud' +GENERATED_PROP = 'generatedProperties' +INITIALIZEP = 'initializeParams' +INSTANCE_NAME = 'instanceName' +LOCAL_SSD = 'localSSDs' +MAX_NUM = 'maxNumReplicas' +NETWORKS = 'networks' +NO_SCOPE = 'noScope' +PROVIDE_BOOT = 'provideBoot' +REPLICAS = 'replicas' +SIZE = 'size' +VM_COPIES = 'numberOfVMReplicas' +ZONES = 'zones' + +# Common properties values (only official GCP values allowed here) +EXTERNAL = 'External NAT' +ONE_NAT = 'ONE_TO_ONE_NAT' + +# Common 1st level properties (only official GCP names allowed here) +CAN_IP_FWD = 'canIpForward' +CONTAINER = 'container' +DCKRENV = 'dockerEnv' +DCKRIMAGE = 'dockerImage' +DEFAULT_SERVICE = 'defaultService' +DEVICE_NAME = 'deviceName' +DISKS = 'disks' +DISK_SIZE = 'diskSizeGb' +DISKTYPE = 'diskType' +HEALTH_PATH = 'healthPath' +HOST_RULES = 'hostRules' +IP_PROTO = 'IPProtocol' +MACHINETYPE = 'machineType' +METADATA = 'metadata' +NAME = 'name' +NETWORK = 'network' +NETWORKS = 'networks' +SUBNETWORK = 'subnetwork' +PATH_MATCHERS = 'pathMatchers' +PORT = 'port' +PROJECT = 'project' +SERVICE = 'service' +SERVICE_ACCOUNTS = 'serviceAccounts' +SRCIMAGE = 'sourceImage' +SRC_RANGES = 'sourceRanges' +TAGS = 'tags' +TYPE = 'type' +VM_TEMPLATE = 'instanceTemplate' +ZONE = 'zone' + +# Zone specfic VM properties +VM_ZONE_PROPERTIES = [DISKTYPE, MACHINETYPE, BOOTDISK] + +# Resource type defaults names +ADDRESS = 'compute.v1.address' +AUTOSCALER = 'compute.v1.autoscaler' +BACKEND_SERVICE = 'compute.v1.backendService' +DISK = 'compute.v1.disk' +ENDPOINT = 'serviceregistry.v1alpha.endpoint' +FIREWALL = 'compute.v1.firewall' 
+GF_RULE = 'compute.v1.globalForwardingRule' +HEALTHCHECK = 'compute.v1.httpHealthCheck' +IGM = 'compute.v1.instanceGroupManager' +INSTANCE = 'compute.v1.instance' +PROXY = 'compute.v1.targetHttpProxy' +TEMPLATE = 'compute.v1.instanceTemplate' +REGION_IGM = 'compute.v1.regionInstanceGroupManager' +REGION_AUTOSCALER = 'compute.v1.regionAutoscaler' +URL_MAP = 'compute.v1.urlMap' +VPC='compute.v1.network' +VPC_SUBNET='compute.v1.subnetwork' + +# Also Known As constants +AKA = { + TEMPLATE: 'tmplt', + AUTOSCALER: 'as', + BACKEND_SERVICE: 'bes', + DISK: 'disk', + FIREWALL: 'fwall', + GF_RULE: 'ip', + HEALTHCHECK: 'hc', + INSTANCE: 'vm', + PROXY: 'tproxy', + IGM: 'igm', + URL_MAP: 'umap', +} + +LOC = { + 'europe': 'eu', + 'asia': 'as', + 'central': 'c', + 'east': 'e', + 'west': 'w', + 'north': 'n', + 'south': 's', +} diff --git a/gcp/deployment-packages/ha-byol/images.py b/gcp/deployment-packages/ha-byol/images.py new file mode 100755 index 00000000..7b04bee0 --- /dev/null +++ b/gcp/deployment-packages/ha-byol/images.py 
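Review bot: `NETWORKS = 'networks'` is assigned twice in this hunk, once in the "Commonly used in properties namespace" group and again under "Common 1st level properties"; the second assignment silently shadows the first with the same value today, but the module docstring says the file exists precisely to separate official GCP names from custom ones, and a future edit to one copy would diverge unnoticed. Drop the copy that does not belong to its group. Minor: `# Zone specfic VM properties` should read `# Zone specific VM properties`.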
@@ -0,0 +1,34 @@ +IMAGES = { + "check-point-r8120-payg": "check-point-r8120-payg-631-991001560-v20240425", + "check-point-r8120-gw-payg-single": "check-point-r8120-gw-payg-single-631-991001560-v20240425", + "check-point-r8120-gw-payg-mig": "check-point-r8120-gw-payg-mig-631-991001560-v20240425", + "check-point-r8120-gw-payg-cluster": "check-point-r8120-gw-payg-cluster-631-991001560-v20240425", + "check-point-r8120-gw-byol-single": "check-point-r8120-gw-byol-single-631-991001560-v20240425", + "check-point-r8120-gw-byol-mig": "check-point-r8120-gw-byol-mig-631-991001560-v20240425", + "check-point-r8120-gw-byol-cluster": "check-point-r8120-gw-byol-cluster-631-991001560-v20240425", + "check-point-r8120-byol": "check-point-r8120-byol-631-991001560-v20240425", + "check-point-r8110-payg": "check-point-r8110-payg-335-991001560-v20240425", + "check-point-r8110-gw-payg-single": "check-point-r8110-gw-payg-single-335-991001560-v20240425", + "check-point-r8110-gw-payg-mig": "check-point-r8110-gw-payg-mig-335-991001560-v20240425", + "check-point-r8110-gw-payg-cluster": "check-point-r8110-gw-payg-cluster-335-991001560-v20240425", + "check-point-r8110-gw-byol-single": "check-point-r8110-gw-byol-single-335-991001560-v20240425", + "check-point-r8110-gw-byol-mig": "check-point-r8110-gw-byol-mig-335-991001560-v20240425", + "check-point-r8110-gw-byol-cluster": "check-point-r8110-gw-byol-cluster-335-991001560-v20240425", + "check-point-r8110-byol": "check-point-r8110-byol-335-991001560-v20240425", + "check-point-r81-payg": "check-point-r81-payg-392-991001560-v20240425", + "check-point-r81-gw-payg-single": "check-point-r81-gw-payg-single-392-991001560-v20240425", + "check-point-r81-gw-payg-mig": "check-point-r81-gw-payg-mig-392-991001560-v20240425", + "check-point-r81-gw-payg-cluster": "check-point-r81-gw-payg-cluster-392-991001560-v20240425", + "check-point-r81-gw-byol-single": "check-point-r81-gw-byol-single-392-991001560-v20240425", + "check-point-r81-gw-byol-mig": 
"check-point-r81-gw-byol-mig-392-991001560-v20240425", + "check-point-r81-gw-byol-cluster": "check-point-r81-gw-byol-cluster-392-991001560-v20240425", + "check-point-r81-byol": "check-point-r81-byol-392-991001560-v20240425", + "check-point-r8040-payg": "check-point-r8040-payg-294-991001560-v20240425", + "check-point-r8040-gw-payg-single": "check-point-r8040-gw-payg-single-294-991001564-v20240505", + "check-point-r8040-gw-payg-mig": "check-point-r8040-gw-payg-mig-294-991001564-v20240505", + "check-point-r8040-gw-payg-cluster": "check-point-r8040-gw-payg-cluster-294-991001564-v20240505", + "check-point-r8040-gw-byol-single": "check-point-r8040-gw-byol-single-294-991001564-v20240505", + "check-point-r8040-gw-byol-mig": "check-point-r8040-gw-byol-mig-294-991001564-v20240505", + "check-point-r8040-gw-byol-cluster": "check-point-r8040-gw-byol-cluster-294-991001564-v20240505", + "check-point-r8040-byol": "check-point-r8040-byol-294-991001560-v20240425" +} \ No newline at end of file diff --git a/gcp/deployment-packages/ha-byol/password.py b/gcp/deployment-packages/ha-byol/password.py new file mode 100755 index 00000000..273210a6 --- /dev/null +++ b/gcp/deployment-packages/ha-byol/password.py 
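Review bot: Pinning each family to a fully qualified image name is the right supply-chain choice, but the pins in this table are not uniform: the r8040 `gw-*` entries point at build `991001564-v20240505` while the r8040 `payg`/`byol` entries stay at `991001560-v20240425`, and the ha-payg `c2d_deployment_configuration.json` added later in this patch pins `check-point-r8120-gw-payg-cluster-634-991001611-v20240613`, newer than the `631-991001560-v20240425` entry here. The ha-payg package presumably carries its own `images.py`, so this may be deliberate, but it is worth confirming that marketplace and manual deployments of the same family boot the same image. A one-line header such as `# Fully qualified image names published in projects/checkpoint-public; refresh every family together on each release` would make that drift reviewable.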
@@ -0,0 +1,135 @@ +# Copyright 2015 Google Inc. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +"""A DM template that generates password as an output, namely "password". + +An example YAML showing how this template can be used: + resources: + - name: generated-password + type: password.py + properties: + length: 8 + includeSymbols: true + - name: main-template + type: main-template.jinja + properties: + password: $(ref.generated-password.password) + +Input properties to this template: + - length: the length of the generated password. At least 8. Default 8. + - includeSymbols: true/false whether to include symbol chars. Default false. + +The generated password satisfies the following requirements: + - The length is as specified, + - Containing letters and numbers, and optionally symbols if specified, + - Starting with a letter, + - Containing characters from at least 3 of the 4 categories: uppercases, + lowercases, numbers, and symbols. + +""" + +import random +import yaml + +PROPERTY_LENGTH = 'length' +PROPERTY_INCLUDE_SYMBOLS = 'includeSymbols' + +# Note the omission of some hard to distinguish characters like I, l, 0, and O. +UPPERS = 'ABCDEFGHJKLMNPQRSTUVWXYZ' +LOWERS = 'abcdefghijkmnopqrstuvwxyz' +ALPHABET = UPPERS + LOWERS +DIGITS = '123456789' +ALPHANUMS = ALPHABET + DIGITS +# Including only symbols that can be passed around easily in shell scripts. +SYMBOLS = '*-+.' 
+ +CANDIDATES_WITH_SYMBOLS = ALPHANUMS + SYMBOLS +CANDIDATES_WITHOUT_SYMBOLS = ALPHANUMS + +CATEGORIES_WITH_SYMBOLS = [UPPERS, LOWERS, DIGITS, SYMBOLS] +CATEGORIES_WITHOUT_SYMBOLS = [UPPERS, LOWERS, DIGITS] + +MIN_LENGTH = 8 + + +class InputError(Exception): + """Raised when input properties are unexpected.""" + + +def GenerateConfig(context): + """Entry function to generate the DM config.""" + props = context.properties + length = props.setdefault(PROPERTY_LENGTH, MIN_LENGTH) + include_symbols = props.setdefault(PROPERTY_INCLUDE_SYMBOLS, False) + + if not isinstance(include_symbols, bool): + raise InputError('%s must be a boolean' % PROPERTY_INCLUDE_SYMBOLS) + + content = { + 'resources': [], + 'outputs': [{ + 'name': 'password', + 'value': GeneratePassword(length, include_symbols) + }] + } + return yaml.dump(content) + + +def GeneratePassword(length=8, include_symbols=False): + """Generates a random password.""" + if length < MIN_LENGTH: + raise InputError('Password length must be at least %d' % MIN_LENGTH) + + candidates = (CANDIDATES_WITH_SYMBOLS if include_symbols + else CANDIDATES_WITHOUT_SYMBOLS) + categories = (CATEGORIES_WITH_SYMBOLS if include_symbols + else CATEGORIES_WITHOUT_SYMBOLS) + + # Generates up to the specified length minus the number of categories. + # Then inserts one character for each category, ensuring that the character + # satisfy the category if the generated string hasn't already. + generated = ([random.choice(ALPHABET)] + + [random.choice(candidates) + for _ in range(length - 1 - len(categories))]) + for category in categories: + _InsertAndEnsureSatisfaction(generated, category, candidates) + return ''.join(generated) + + +def _InsertAndEnsureSatisfaction(generated, required, all_candidates): + """Inserts 1 char into generated, satisfying required if not already. + + If the required characters are not already in the generated string, one will + be inserted. 
If any required character is already in the generated string, a + random character from all_candidates will be inserted. The insertion happens + at a random location but not at the beginning. + + Args: + generated: the string to be modified. + required: list of required characters to check for. + all_candidates: list of characters to choose from if the required characters + are already satisfied. + """ + if set(generated).isdisjoint(required): + # Not yet satisfied. Insert a required candidate. + _InsertInto(generated, required) + else: + # Already satisfied. Insert any candidate. + _InsertInto(generated, all_candidates) + + +def _InsertInto(generated, candidates): + """Inserts a random candidate into a random non-zero index of generated.""" + # Avoids inserting at index 0, since the first character follows its own rule. + generated.insert(random.randint(1, len(generated) - 1), + random.choice(candidates)) diff --git a/gcp/deployment-packages/ha-payg/README.md b/gcp/deployment-packages/ha-payg/README.md new file mode 100644 index 00000000..4f8405cd --- /dev/null +++ b/gcp/deployment-packages/ha-payg/README.md 
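Review bot: `GeneratePassword` and `_InsertInto` draw the administrator password from `random.choice` and `random.randint`, i.e. the module-level Mersenne Twister, which is not a cryptographic generator and is seeded from a small state that can be recovered from observed outputs. Add `_rng = random.SystemRandom()` after the imports and replace each `random.choice(...)` / `random.randint(...)` in those two functions with `_rng.choice(...)` / `_rng.randint(...)`; the interface and output format are unchanged. The module docstring should also note that the value is emitted as a Deployment Manager output and is therefore readable by anyone with access to the deployment's manifest, so it should be treated as an initial password to be rotated after first login. With the 32-character alphabet and `MIN_LENGTH = 8` the default keyspace is fairly small; consider a higher default or at least document the trade-off.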
@@ -0,0 +1,187 @@ +# GCP Deployment Manager package for Check Point High Availability PAYG solution +This directory contains CloudGuard IaaS deployment package for Check Point High Availability (PAYG) solution published in the [GCP Marketplace](https://console.cloud.google.com/marketplace/details/checkpoint-public/check-point-ha--ngtp). + +# How to deploy the package manually +To deploy the Deployment Manager's package manually, without using the GCP Marketplace, follow these instructions: +1. Clone or download the files in this directory +2. Fill variables in the config.yaml(see below for variables descriptions). +3. Log into [Google Cloud Platform Console](https://console.cloud.google.com) +4. [Activate Cloud Shell](https://cloud.google.com/shell/docs/using-cloud-shell) +5. Set your Cloud Platform project in the Cloud Shell session use: + + gcloud config set project [PROJECT_ID] +6. Upload the content of the CloudGuardIaaS/gcp/deployment-packages/ha-payg/ directory to the [cloud shell](https://cloud.google.com/shell/docs/uploading-and-downloading-files) +7. Launch deployment by running: + + gcloud deployment-manager deployments create [DEPLOYMENT_NAME] --config config.yaml +8. Make sure the deployment finished successfully.
Example of successful deployment output: + + The fingerprint of the deployment is CgwkIUxcTnI5_eZY1g9SFw== + Waiting for create [operation-1585150261645-5a1af8e42d0ba-6b3d4618-5856e790]...done. + Create operation operation-1585150261645-5a1af8e42d0ba-6b3d4618-5856e790 completed successfully. + NAME TYPE STATE ERRORS INTENT + cluster-cluster-network-icmp compute.v1.firewall COMPLETED [] + cluster-cluster-network-tcp compute.v1.firewall COMPLETED [] + cluster-config runtimeconfig.v1beta1.config COMPLETED [] + cluster-member-a compute.v1.instance COMPLETED [] + cluster-member-a-address compute.v1.address COMPLETED [] + cluster-member-b compute.v1.instance COMPLETED [] + cluster-member-b-address compute.v1.address COMPLETED [] + cluster-mgmt-network-esp compute.v1.firewall COMPLETED [] + cluster-mgmt-network-sctp compute.v1.firewall COMPLETED [] + cluster-primary-cluster-address compute.v1.address COMPLETED [] + cluster-secondary-cluster-address compute.v1.address COMPLETED [] + cluster-software runtimeconfig.v1beta1.waiter COMPLETED [] + OUTPUTS VALUE + Deployment cluster + Cluster IP external address 35.201.201.163 + Member A cluster-member-a + Member A external IP 104.199.168.141 + Member B cluster-member-b + Member B external IP 35.221.178.173 + +## config.yaml variables +| Name | Description | Type | Allowed values | +| ------------- | ------------- | ------------- | ------------- | +| **ha_version** | High Availability Version | string | R80.40 Cluster;
R81.00 Cluster;
R81.10 Cluster;
R81.20 Cluster; | +| | | | | | +| **zoneA** | Member A Zone. The zone determines what computing resources are available and where your data is stored and used | string | List of allowed [Regions and Zones](https://cloud.google.com/compute/docs/regions-zones?_ga=2.31926582.-962483654.1585043745) | +| | | | | | +| **zoneB** | Member B Zone | string | Must be in the same region as member A zone | +| | | | | | +| **machineType** | Machine types determine the specifications of your machines, such as the amount of memory, virtual cores, and persistent disk limits an instance will have | string | [Learn more about Machine Types](https://cloud.google.com/compute/docs/machine-types?hl=en_US&_ga=2.267871494.-962483654.1585043745) | +| | | | | | +| **managementNetwork** | Security Management Server address | string | The public address of the Security Management Server, in CIDR notation. If using Smart-1 Cloud insert 'S1C'. VPN peers addresses cannot be in this CIDR block, so this value cannot be the zero-address | +| | | | | | +| **cluster-network-cidr** | Cluster external subnet CIDR.
If the variable's value is not empty double quotes, a new network will be created.
The Cluster public IP will be translated to a private address assigned to the active member in this external network. | string | Specify an RFC 1918 CIDR block that does not overlap with your other networks to create a new network or select an existing one below | +| | | | | | +| **cluster-network-name** | Cluster external network ID. The network determines what network traffic the instance can access | string | Available network in the chosen zone | +| | | | | | +| **cluster-network-subnetwork-name** | Cluster subnet ID. Assigns the instance an IPv4 address from the subnetwork’s range.
If you have specified a CIDR block above, this subnetwork will not be used.
. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. | string | Available subnetwork in the chosen network | +| | | | | | +| **cluster-network_enableTcp** | Allow TCP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **cluster-network_tcpSourceRanges** | Allow TCP traffic from the Internet | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009 [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **cluster-network_enableIcmp** | Allow ICMP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **cluster-network_icmpSourceRanges** | Source IP ranges for ICMP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **cluster-network_enableUdp** | Allow UDP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **cluster-network_udpSourceRanges** | Source IP ranges for UDP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **cluster-network_enableSctp** | Allow SCTP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **cluster-network_sctpSourceRanges** | Source IP ranges for SCTP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **cluster-network_enableEsp** | Allow ESP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **cluster-network_espSourceRanges** | Source IP ranges for ESP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **mgmt-network-cidr** | Management external subnet CIDR.
If the variable's value is not empty double quotes, a new network will be created.
The public IP used to manage each member will be translated to a private address in this external network | string | Specify an RFC 1918 CIDR block that does not overlap with your other networks to create a new network or select an existing one below | +| | | | | | +| **mgmt-network-name** | Management network ID. The network determines what network traffic the instance can access | string | Available network in the chosen zone | +| | | | | | +| **mgmt-network-subnetwork-name** | Management subnet ID. Assigns the instance an IPv4 address from the subnetwork’s range.
If you have specified a CIDR block above, this subnetwork will not be used.
. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. | string | Available subnetwork in the chosen network | +| | | | | | +| **mgmt-network_enableTcp** | Allow TCP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **mgmt-network_tcpSourceRanges** | Allow TCP traffic from the Internet | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009 [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **mgmt-network_enableIcmp** | Allow ICMP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **mgmt-network_icmpSourceRanges** | Source IP ranges for ICMP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **mgmt-network_enableUdp** | Allow UDP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **mgmt-network_udpSourceRanges** | Source IP ranges for UDP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **mgmt-network_enableSctp** | Allow SCTP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **mgmt-network_sctpSourceRanges** | Source IP ranges for SCTP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **mgmt-network_enableEsp** | Allow ESP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **mgmt-network_espSourceRanges** | Source IP ranges for ESP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **diskType** | Disk type | string | pd-ssd;
pd-standard;
Storage space is much less expensive for a standard persistent disk. An SSD persistent disk is better for random IOPS or streaming throughput with low latency. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.66020774.-962483654.1585043745#overview_of_disk_types)| +| | | | | | +| **bootDiskSizeGb** | Disk size in GB | number | Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.232680471.-962483654.1585043745#pdperformance)| +| | | | | | +| **generatePassword** | Automatically generate an administrator password | boolean | true;
false; | +| | | | | | +| **allowUploadDownload** | Allow download from/upload to Check Point | boolean | true;
false; | +| | | | | | +| **enableMonitoring** | Enable Stackdriver monitoring | boolean | true;
false; | +| | | | | | +| **shell** | Admin shell | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh;
| +| | | | | | +| **deployWithPublicIPs** | Deploy HA with public IPs | boolean | true;
false; | +| | | | | | +| **instanceSSHKey** | Public SSH key for the user 'admin' | string | A valid public ssh key | +| | | | | | +| **smart1CloudTokenA** | Smart-1 Cloud token to connect ***member A*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal.| +| | | | | | +| **smart1CloudTokenB** | Smart-1 Cloud token to connect ***member B*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501)| string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal.| +| | | | | | +| **sicKey** | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server | string | At least 8 alpha numeric characters.
If SIC is not provided and needed, a key will be automatically generated | +| | | | | | +| **numAdditionalNICs** | Number of additional network interfaces | number | A number in the range 0 - 6.
Multiple network interfaces deployment is described in [sk121637 - Deploy a CloudGuard for GCP with Multiple Network Interfaces](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk121637) | +| | | | | | +| **internal-network1-cidr** | 1st internal subnet CIDR.
If the variable's value is not empty double quotes, a new subnet will be created.
Assigns the cluster members an IPv4 address in this internal network | string | Specify an RFC 1918 CIDR block that does not overlap with your other networks to create a new network or select an existing one below | +| | | | | | +| **internal-network1-name** | 1st internal network ID. The network determines what network traffic the instance can access | string | Available network in the chosen zone | +| | | | | | +| **internal-network1-subnetwork-name** | 1st internal subnet ID. Assigns the instance an IPv4 address from the subnetwork’s range.
If you have specified a CIDR block above, this subnetwork will not be used.
Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. | string | Available subnetwork in the chosen network | +| | | | | | +## Example + ha_version: "R81.10 Cluster" + zoneA: "asia-east1-a" + zoneB: "asia-east1-a" + machineType: "n1-standard-4" + diskType: "pd-ssd" + bootDiskSizeGb: 100 + instanceSSHKey: "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" + smart1CloudTokenA: "xxxxxxxxxxxxxxxxxxxxxxxx" + smart1CloudTokenB: "xxxxxxxxxxxxxxxxxxxxxxxx" + enableMonitoring: false + managementNetwork: "209.87.209.100/32" + sicKey: "aaaaaaaa" + generatePassword: false + allowUploadDownload: false + shell: "/bin/bash" + deployWithPublicIPs: true + cluster-network-cidr: "10.0.1.0/24" + cluster-network-name: "external-vpc" + cluster-network-subnetwork-name: "frontend" + cluster-network_enableIcmp: true + cluster-network_icmpSourceRanges: "0.0.0.0/0" + cluster-network_enableTcp: true + cluster-network_tcpSourceRanges: "0.0.0.0/0" + cluster-network_enableUdp: false + cluster-network_udpSourceRanges: "" + cluster-network_enableSctp: false + cluster-network_sctpSourceRanges: "" + cluster-network_enableEsp: false + cluster-network_espSourceRanges: "" + mgmt-network-cidr: "10.0.2.0/24" + mgmt-network-name: "vpc-internal" + mgmt-network-subnetwork-name: "" + mgmt-network_enableIcmp: false + mgmt-network_icmpSourceRanges: "" + mgmt-network_enableTcp: false + mgmt-network_tcpSourceRanges: "" + mgmt-network_enableUdp: true + mgmt-network_udpSourceRanges: "0.0.0.0/0" + mgmt-network_enableSctp: true + mgmt-network_sctpSourceRanges: "0.0.0.0/0" + mgmt-network_enableEsp: true + mgmt-network_espSourceRanges: "0.0.0.0/0" + numInternalNetworks: 1 + internal-network1-cidr: "10.0.3.0/24" + internal-network1-name: "vpc-internal2" + internal-network1-subnetwork-name: "vpc-internal2" + +## Notes +See 
[sk147032](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk147032) for revision history \ No newline at end of file diff --git a/gcp/deployment-packages/ha-payg/c2d_deployment_configuration.json b/gcp/deployment-packages/ha-payg/c2d_deployment_configuration.json new file mode 100755 index 00000000..c6b9e41f --- /dev/null +++ b/gcp/deployment-packages/ha-payg/c2d_deployment_configuration.json @@ -0,0 +1,7 @@ +{ + "defaultDeploymentType": "MULTI_VM", + "imageName": "check-point-r8120-gw-payg-cluster-634-991001611-v20240613", + "projectId": "checkpoint-public", + "templateName": "nonexistent_template", + "useSolutionPackage": "true" +} diff --git a/gcp/deployment-packages/ha-payg/check-point-cluster--payg.py b/gcp/deployment-packages/ha-payg/check-point-cluster--payg.py new file mode 100755 index 00000000..d65178a6 --- /dev/null +++ b/gcp/deployment-packages/ha-payg/check-point-cluster--payg.py 
@@ -0,0 +1,492 @@
+# Copyright 2016 Check Point Software LTD.
+
+import common
+import copy
+import default
+import images
+import password
+
+
+MAX_ADDITIONAL_NICS = 6
+
+GATEWAY = 'checkpoint-gateway'
+
+PROJECT = 'checkpoint-public'
+LICENSE = 'payg'
+LICENCE_TYPE = 'cluster'
+
+VERSIONS = {
+ 'R81.10': 'r8110-gw',
+ 'R81.20': 'r8120-gw'
+}
+
+TEMPLATE_NAME = 'cluster'
+TEMPLATE_VERSION = '20240714'
+
+CLUSTER_NET_FIELD = 'cluster-network'
+MGMT_NET_FIELD = 'mgmt-network'
+INTERNAL_NET_FIELD = 'internal-network{}'
+
+MGMT_NIC = 1
+
+NO_PUBLIC_IP = 'no-public-ip'
+
+startup_script = '''
+#cloud-config
+runcmd:
+ - 'python3 /etc/cloud_config.py "generatePassword=\\"{generatePassword}\\"" "allowUploadDownload=\\"{allowUploadDownload}\\"" "templateName=\\"{templateName}\\"" "templateVersion=\\"{templateVersion}\\"" "mgmtNIC=\\"{mgmtNIC}\\"" "hasInternet=\\"{hasInternet}\\"" "config_url=\\"{config_url}\\"" "config_path=\\"{config_path}\\"" "installationType=\\"{installationType}\\"" "enableMonitoring=\\"{enableMonitoring}\\"" "shell=\\"{shell}\\"" "computed_sic_key=\\"{computed_sic_key}\\"" "sicKey=\\"{sicKey}\\"" "managementGUIClientNetwork=\\"{managementGUIClientNetwork}\\"" "primary_cluster_address_name=\\"{primary_cluster_address_name}\\"" "secondary_cluster_address_name=\\"{secondary_cluster_address_name}\\"" "managementNetwork=\\"{managementNetwork}\\"" "numAdditionalNICs=\\"{numAdditionalNICs}\\"" "smart1CloudToken=\\"{smart1CloudToken}\\"" "name=\\"{name}\\"" "zone=\\"{zoneConfig}\\"" "region=\\"{region}\\"" "osVersion=\\"{osVersion}\\"" "MaintenanceModePassword=\\"{maintenanceMode}\\""'
+'''
+
+
+def make_gw(context, name, zone, nics, passwd=None, depends_on=None,
+ smart1cloudToken=None):
+ cg_version = context.properties['ha_version'].split(' ')[0]
+ if 'gw' in VERSIONS[cg_version]:
+ license_name = "{}-{}".format(LICENSE, LICENCE_TYPE)
+ else:
+ license_name = LICENSE
+ family = '-'.join(['check-point', VERSIONS[cg_version], license_name])
+ formatter = 
common.DefaultFormatter() + + context.properties['smart1CloudToken'] = smart1cloudToken + context.properties['name'] = name + context.properties['zoneConfig'] = zone + context.properties['osVersion'] = cg_version.replace(".", "") + + gw = { + 'type': default.INSTANCE, + 'name': name, + 'metadata': { + 'dependsOn': depends_on + }, + 'properties': { + 'description': 'CloudGuard Highly Available Security Cluster', + 'zone': zone, + 'tags': { + 'items': [GATEWAY], + }, + 'machineType': common.MakeLocalComputeLink( + context, default.MACHINETYPE, zone), + 'canIpForward': True, + 'networkInterfaces': nics, + 'disks': [{ + 'autoDelete': True, + 'boot': True, + 'deviceName': common.set_name_and_truncate( + context.properties['deployment'], + '-{}-boot'.format(name)), + 'initializeParams': { + 'diskType': common.MakeLocalComputeLink( + context, default.DISKTYPE, zone), + 'diskSizeGb': context.properties['bootDiskSizeGb'], + 'sourceImage': + 'projects/%s/global/images/%s' % ( + PROJECT, images.IMAGES[family]), + }, + 'type': 'PERSISTENT', + }], + 'metadata': { + 'items': [ + { + 'key': 'startup-script', + 'value': formatter.format( + startup_script, **context.properties) + } + ] + }, + 'serviceAccounts': [{ + 'email': 'default', + 'scopes': [ + 'https://www.googleapis.com/auth/monitoring.write', + 'https://www.googleapis.com/auth/compute', + 'https://www.googleapis.com/auth/cloudruntimeconfig' + ], + }] + } + } + + if 'instanceSSHKey' in context.properties: + gw['properties']['metadata']['items'].append( + { + 'key': 'instanceSSHKey', + 'value': context.properties['instanceSSHKey'] + } + ) + + if passwd: + gw['properties']['metadata']['items'].append( + { + 'key': 'adminPasswordSourceMetadata', + 'value': passwd + } + ) + + return gw + + +def make_access_config(ip, name=None): + access_config = { + 'type': default.ONE_NAT, + 'natIP': ip + } + + if name: + access_config['name'] = name + + return access_config + + +def make_static_address(prop, name): + address = { + 'name': 
name, + 'type': default.ADDRESS, + 'properties': { + 'name': name, + 'region': prop['region'] + } + } + + return address + + +def create_external_addresses_if_needed( + prop, resources, member_a_nics, member_b_nics): + if not prop['deployWithPublicIPs']: + prop['primary_cluster_address_name'] = NO_PUBLIC_IP + prop['secondary_cluster_address_name'] = NO_PUBLIC_IP + else: + member_a_address_name = common.set_name_and_truncate( + prop['deployment'], '-member-a-address') + member_b_address_name = common.set_name_and_truncate( + prop['deployment'], '-member-b-address') + + prop['member_a_address_name'] = member_a_address_name + prop['member_b_address_name'] = member_b_address_name + + member_a_address = make_static_address(prop, member_a_address_name) + member_b_address = make_static_address(prop, member_b_address_name) + + resources += [member_a_address, member_b_address] + + member_a_nics[MGMT_NIC]['accessConfigs'] = [make_access_config( + '$(ref.{}.address)'.format(member_a_address_name))] + member_b_nics[MGMT_NIC]['accessConfigs'] = [make_access_config( + '$(ref.{}.address)'.format(member_b_address_name))] + + primary_cluster_address_name = common.set_name_and_truncate( + prop['deployment'], '-primary-cluster-address') + secondary_cluster_address_name = common.set_name_and_truncate( + prop['deployment'], '-secondary-cluster-address') + + primary_cluster_address = make_static_address( + prop, primary_cluster_address_name) + secondary_cluster_address = make_static_address( + prop, secondary_cluster_address_name) + + resources += [primary_cluster_address, secondary_cluster_address] + + prop['primary_cluster_address_name'] = primary_cluster_address_name + prop['secondary_cluster_address_name'] = secondary_cluster_address_name + + +def make_nic(prop, net_name, subnet_name): + network_interface = { + 'network': ''.join([default.COMPUTE_URL_BASE, 'projects/', + prop['project'], '/global/networks/', + net_name]), + 'subnetwork': ''.join([default.COMPUTE_URL_BASE, 
'projects/', + prop['project'], '/regions/', prop['region'], + '/subnetworks/', subnet_name]) + } + + return network_interface + + +def make_subnet(prop, name, net_name, cidr, private_google_access=False): + subnet = { + 'type': default.VPC_SUBNET, + 'name': name, + 'metadata': { + 'dependsOn': [net_name] + }, + 'properties': { + 'network': 'projects/{}/global' + '/networks/{}'.format(prop['project'], net_name), + 'region': prop['region'], + 'ipCidrRange': cidr, + 'privateIpGoogleAccess': private_google_access, + 'enableFlowLogs': False + } + } + + return subnet + + +def make_net(name): + net = { + 'type': default.VPC, + 'name': name, + 'properties': { + 'autoCreateSubnetworks': False + } + } + + return net + + +def get_or_create_net(prop, name, resources, gw_dependencies, + private_google_access=False, create_firewall=False): + net_cidr = prop.get(name + '-cidr') + + if net_cidr: + net_name = '{}-{}'.format(prop['deployment'][:20], name) + subnet_name = '{}-subnet'.format(net_name) + net = make_net(net_name) + subnet = make_subnet( + prop, subnet_name, net_name, net_cidr, private_google_access) + + resources += [net, subnet] + gw_dependencies.append(subnet_name) + else: + net_name = prop.get(name + '-name') + subnet_name = prop.get(name + '-subnetwork-name') + if not subnet_name: + raise common.Error( + 'Network {} is missing.'.format(net_name.split('-'))) + + if create_firewall: + firewall_rules = create_firewall_rules(prop, name, net_name, net_cidr) + if firewall_rules: + resources.extend(firewall_rules) + + return net_name, subnet_name + + +def create_firewall_rules(prop, net_prop_name, net_name, net_cidr): + deployment = prop['deployment'] + firewall_rules = [] + protocols = ['Icmp', 'Udp', 'Tcp', 'Sctp', 'Esp'] + for protocol in protocols: + proto = protocol.lower() + source_ranges = prop.get(net_prop_name + '_' + proto + + 'SourceRanges', '') + protocol_enabled = prop.get(net_prop_name + '_enable' + protocol, '') + if protocol_enabled and source_ranges: + 
firewall_rules.append( + make_firewall_rule(proto, source_ranges, deployment, + net_prop_name, net_name, net_cidr)) + + return firewall_rules + + +def make_firewall_rule(protocol, source_ranges, deployment, net_prop_name, + net_name, net_cidr): + fw_rule_name = '%s-%s-%s' % (deployment[:40], net_prop_name, protocol) + ranges_list = source_ranges.split(',') + ranges = [] + for source_range in ranges_list: + ranges.append(source_range.replace(" ", "")) + firewall_rule = { + 'type': default.FIREWALL, + 'name': fw_rule_name, + 'properties': { + 'network': 'global/networks/' + net_name, + 'sourceRanges': ranges, + 'targetTags': [GATEWAY], + 'allowed': [{'IPProtocol': protocol}], + } + } + + if net_cidr: + firewall_rule['metadata'] = { + 'dependsOn': [net_name] + } + + return firewall_rule + + +def add_readiness_waiter(prop, resources): + deployment_config = common.set_name_and_truncate( + prop['deployment'], '-config') + + prop['config_path'] = 'projects/{}/configs/{}'.format( + prop['project'], deployment_config) + prop['config_url'] = ( + 'https://runtimeconfig.googleapis.com/v1beta1/{}'.format( + prop['config_path'])) + + resources.append( + { + 'name': deployment_config, + 'type': 'runtimeconfig.v1beta1.config', + 'properties': { + 'config': deployment_config, + 'description': ( + 'Holds software readiness status ' + 'for deployment {}').format(prop['deployment']) + } + } + ) + + resources.append( + { + 'name': common.set_name_and_truncate( + prop['deployment'], '-software'), + 'type': 'runtimeconfig.v1beta1.waiter', + 'metadata': { + 'dependsOn': [], + }, + 'properties': { + 'parent': '$(ref.{}.name)'.format(deployment_config), + 'waiter': 'software', + 'timeout': '1800s', + 'success': { + 'cardinality': { + 'number': 2, + 'path': 'status/success', + }, + }, + 'failure': { + 'cardinality': { + 'number': 1, + 'path': 'status/failure', + }, + }, + }, + } + ) + + +def validate_same_region(zone_a, zone_b): + if not common.ZoneToRegion(zone_a) == 
common.ZoneToRegion(zone_b): + raise common.Error('Member A Zone ({}) and Member B Zone ({}) ' + 'are not in the same region'.format(zone_a, zone_b)) + + +def validate_both_tokens(token_a, token_b): + if (not token_a and token_b) or (not token_b and token_a) or \ + (token_a and token_a == token_b): + raise common.Error('To connect to Smart-1 Cloud, \ + you must provide two tokens (one per member)') + + +def validate_mgmt_network_if_required(token_a, mgmt_network): + if not token_a and mgmt_network == "S1C": + raise common.Error( + 'Public address of the Security Management Server is required') + + +@common.FormatErrorsDec +def generate_config(context): + prop = context.properties + + validate_same_region(prop['zoneA'], prop['zoneB']) + validate_both_tokens(prop['smart1CloudTokenA'], prop['smart1CloudTokenB']) + validate_mgmt_network_if_required( + prop['smart1CloudTokenA'], prop['managementNetwork']) + + prop['deployment'] = context.env['deployment'] + prop['project'] = context.env['project'] + prop['region'] = common.ZoneToRegion(prop['zoneA']) + prop['templateName'] = TEMPLATE_NAME + prop['templateVersion'] = TEMPLATE_VERSION + prop['allowUploadDownload'] = str(prop['allowUploadDownload']).lower() + prop['hasInternet'] = 'true' # via Google Private Access + prop['installationType'] = 'Cluster' + + resources = [] + outputs = [] + gw_dependencies = [] + member_a_nics = [] + + add_readiness_waiter(prop, resources) + + cluster_net_name, cluster_subnet_name = get_or_create_net( + prop, CLUSTER_NET_FIELD, resources, gw_dependencies, True, True) + member_a_nics.append(make_nic(prop, cluster_net_name, cluster_subnet_name)) + + mgmt_net_name, mgmt_subnet_name = get_or_create_net( + prop, MGMT_NET_FIELD, resources, gw_dependencies, False, True) + member_a_nics.append(make_nic(prop, mgmt_net_name, mgmt_subnet_name)) + + for ifnum in range(1, prop['numInternalNetworks'] + 1): + int_net_name, int_subnet_name = get_or_create_net( + prop, INTERNAL_NET_FIELD.format(ifnum), 
resources, + gw_dependencies) + member_a_nics.append(make_nic(prop, int_net_name, int_subnet_name)) + + member_b_nics = copy.deepcopy(member_a_nics) + + create_external_addresses_if_needed( + prop, resources, member_a_nics, member_b_nics) + + member_a_name = common.set_name_and_truncate( + prop['deployment'], '-member-a') + member_b_name = common.set_name_and_truncate( + prop['deployment'], '-member-b') + + if prop['generatePassword']: + passwd = password.GeneratePassword(12, False) + else: + passwd = '' + + member_a = make_gw(context, member_a_name, prop['zoneA'], + member_a_nics, passwd, gw_dependencies, + prop['smart1CloudTokenA']) + member_b = make_gw(context, member_b_name, prop['zoneB'], + member_b_nics, passwd, gw_dependencies, + prop['smart1CloudTokenB']) + + resources += [member_a, member_b] + + outputs += [ + { + 'name': 'deployment', + 'value': prop['deployment'] + }, + { + 'name': 'project', + 'value': prop['project'] + }, + { + 'name': 'vmAName', + 'value': member_a_name, + }, + { + 'name': 'vmASelfLink', + 'value': '$(ref.{}.selfLink)'.format(member_a_name), + }, + { + 'name': 'vmBName', + 'value': member_b_name, + }, + { + 'name': 'vmBSelfLink', + 'value': '$(ref.{}.selfLink)'.format(member_b_name), + }, + { + 'name': 'password', + 'value': passwd + } + ] + + if prop['deployWithPublicIPs']: + outputs += [ + { + 'name': 'clusterIP', + 'value': '$(ref.{}.address)'.format( + prop['primary_cluster_address_name']) + }, + { + 'name': 'vmAExternalIP', + 'value': '$(ref.{}.address)'.format( + prop['member_a_address_name']) + }, + { + 'name': 'vmBExternalIP', + 'value': '$(ref.{}.address)'.format( + prop['member_b_address_name']) + } + ] + + return common.MakeResource(resources, outputs) diff --git a/gcp/deployment-packages/ha-payg/check-point-cluster--payg.py.schema b/gcp/deployment-packages/ha-payg/check-point-cluster--payg.py.schema new file mode 100755 index 00000000..b3b513b6 --- /dev/null 
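Review bot: In get_or_create_net the "missing network" branch dereferences `net_name` before checking it, so a deployment that supplies neither `<name>-cidr` nor `<name>-name` fails with AttributeError on `None.split` instead of the intended common.Error, and even when it works `'{}'.format(net_name.split('-'))` prints a Python list rather than a name. Guard both values and format the name directly: `if not net_name or not subnet_name:` / `raise common.Error('Network {} is missing.'.format(net_name or name))`. Separately, make_gw and generate_config place the generated admin password, the SIC key and the Smart-1 Cloud token in instance metadata (`adminPasswordSourceMetadata` and the `startup-script` item) and expose the password again as the `password` deployment output; a header comment on make_gw such as `# NOTE: startup-script and adminPasswordSourceMetadata are readable by any principal with compute.instances.get on the project; rotate the admin password and SIC after first-time setup` would make that visible to operators. `MAX_ADDITIONAL_NICS` is declared but never enforced here; only the schema enum caps numInternalNetworks.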
+++ b/gcp/deployment-packages/ha-payg/check-point-cluster--payg.py.schema 
@@ -0,0 +1,398 @@ +imports: + - path: check-point-cluster--payg.py + +info: + version: 1.0 + title: Check Point CloudGuard Network Security Cluster - PAYG Template + +required: + - zoneA + - zoneB + - machineType + - diskType + - bootDiskSizeGb + - sicKey + - managementNetwork + - allowUploadDownload + - shell + - generatePassword + - enableMonitoring + - numInternalNetworks + +properties: + zoneA: + type: string + default: us-central1-a + x-googleProperty: + type: GCE_ZONE + zoneB: + type: string + default: us-central1-a + x-googleProperty: + type: GCE_ZONE + machineType: + type: string + default: n1-standard-4 + x-googleProperty: + type: GCE_MACHINE_TYPE + zoneProperty: zoneA + gceMachineType: + minCpu: 2 + minRamGb: 1.843000054359436 + deployWithPublicIPs: + type: boolean + default: True + instanceSSHKey: + type: string + pattern: ^([0-9a-z\-]+ +[0-9A-Za-z/\+=]+( .*)?|)$ + default: '' + smart1CloudTokenA: + type: string + default: '' + smart1CloudTokenB: + type: string + default: '' + diskType: + type: string + default: pd-ssd + x-googleProperty: + type: GCE_DISK_TYPE + zoneProperty: zoneA + bootDiskSizeGb: + type: integer + maximum: 1000 + default: 100 + minimum: 100 + x-googleProperty: + type: GCE_DISK_SIZE + gceDiskSize: + diskTypeProperty: diskType + ha_version: + type: string + default: R81.20 Cluster + enum: + - R81.10 Cluster + - R81.20 Cluster + enableMonitoring: + type: boolean + default: False + sicKey: + type: string + pattern: ^([a-z0-9A-Z]{8,30})$ + default: '' + managementNetwork: + type: string + default: '' + pattern: ^((?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2]))|(S1C)$ + generatePassword: + type: boolean + default: False + maintenanceMode: + type: string + pattern: ^([a-z0-9A-Z.]{12,300}|)$ + default: '' + allowUploadDownload: + type: boolean + default: False + shell: + type: string + default: /etc/cli.sh + enum: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + cluster-network-cidr: + type: string + default: 
'10.0.0.0/24' + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + cluster-network-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + cluster-network-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: cluster-network-name + cluster-network_enableIcmp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: cluster-network-name + cluster-network_icmpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: cluster-network_enableIcmp + cluster-network_enableTcp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: cluster-network-name + cluster-network_tcpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: cluster-network_enableTcp + cluster-network_enableUdp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: cluster-network-name + cluster-network_udpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: cluster-network_enableUdp + cluster-network_enableSctp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: cluster-network-name + cluster-network_sctpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: cluster-network_enableSctp + cluster-network_enableEsp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: cluster-network-name + cluster-network_espSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: cluster-network_enableEsp + 
mgmt-network-cidr: + type: string + default: '10.0.1.0/24' + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + mgmt-network-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + mgmt-network-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: mgmt-network-name + mgmt-network_enableIcmp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: mgmt-network-name + mgmt-network_icmpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: mgmt-network_enableIcmp + mgmt-network_enableTcp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: mgmt-network-name + mgmt-network_tcpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: mgmt-network_enableTcp + mgmt-network_enableUdp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: mgmt-network-name + mgmt-network_udpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: mgmt-network_enableUdp + mgmt-network_enableSctp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: mgmt-network-name + mgmt-network_sctpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: mgmt-network_enableSctp + mgmt-network_enableEsp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: mgmt-network-name + mgmt-network_espSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: mgmt-network_enableEsp + numInternalNetworks: + type: 
integer + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + minimum: 1 + maximum: 6 + default: 1 + internal-network1-cidr: + type: string + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + default: '10.0.2.0/24' + internal-network1-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + internal-network1-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: internal-network1-name + internal-network2-cidr: + type: string + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + default: '' + internal-network2-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + internal-network2-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: internal-network2-name + internal-network3-cidr: + type: string + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + default: '' + internal-network3-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + internal-network3-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: internal-network3-name + internal-network4-cidr: + type: string + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + default: '' + internal-network4-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + internal-network4-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: internal-network4-name + internal-network5-cidr: + type: string + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + default: '' + internal-network5-name: + type: string + 
pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + internal-network5-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: internal-network5-name + internal-network6-cidr: + type: string + pattern: ^(?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|$ + default: '' + internal-network6-name: + type: string + pattern: ^([a-z0-9-]{1,38})$ + x-googleProperty: + type: GCE_NETWORK + internal-network6-subnetwork-name: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zoneA + gceSubnetwork: + networkProperty: internal-network6-name + +outputs: + deployment: + type: string + project: + type: string + clusterIP: + type: string + vmAName: + type: string + vmAExternalIP: + type: string + vmASelfLink: + type: string + vmBName: + type: string + vmBExternalIP: + type: string + vmBSelfLink: + type: string + password: + type: string + ha_version: + type: string diff --git a/gcp/deployment-packages/ha-payg/common.py b/gcp/deployment-packages/ha-payg/common.py new file mode 100755 index 00000000..e123c502 --- /dev/null +++ b/gcp/deployment-packages/ha-payg/common.py 
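Review bot: The `pattern` values for managementNetwork and every `*-cidr` property are not anchored as a whole: `^(?!0\.0\.0\.0/0)(...)/(...)|$` parses as `^cidr` OR `$`, and because JSON-schema `pattern` is matched unanchored the bare `$` alternative accepts any string, while managementNetwork's `^(cidr)|(S1C)$` accepts `10.0.0.0/8junk` and `xS1C`. Wrap the alternation so both anchors apply to every branch, e.g. `pattern: ^((?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|)$` for the CIDR fields and `pattern: ^((?!0\.0\.0\.0/0)([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])|S1C)$` for managementNetwork. The `outputs` section also declares `ha_version`, which generate_config in check-point-cluster--payg.py never emits, and smart1CloudTokenA/B and the `*SourceRanges` fields carry no pattern at all even though the Python splits the ranges on commas without further validation.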
@@ -0,0 +1,262 @@
+# Copyright 2015 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Generic simple functions used for python based template generation."""
+
+import re
+import sys
+import traceback
+import default
+import string
+
+import yaml
+
+RFC1035_RE = re.compile(r'^[a-z][-a-z0-9]{1,61}[a-z0-9]{1}$')
+
+
+class Error(Exception):
+ """Common exception wrapper for template exceptions."""
+ pass
+
+
+class DefaultFormatter(string.Formatter):
+ """Returns default instead of key error when looking for keys.
+
+ Used for startup-script which contains params from multiple deployments
+ whiles keys from one deployment may not be set in another. 
+ """ + def __init__(self, default=''): + self.default = default + def get_value(self, key, args, dict): + if isinstance(key, str): + return dict.get(key, self.default) + else: + return string.Formatter.get_value(key, args, dict) + + +def set_name_and_truncate(primary, secondary, maxlength=62): + return '%s%s' % (primary[:maxlength - len(secondary)], secondary) + + +def AddDiskResourcesIfNeeded(context): + """Checks context if disk resources need to be added.""" + if default.DISK_RESOURCES in context.properties: + return context.properties[default.DISK_RESOURCES] + else: + return [] + + +def AutoName(base, resource, *args): + """Helper method to generate names automatically based on default.""" + auto_name = '%s-%s' % (base, '-'.join(list(args) + [default.AKA[resource]])) + if not RFC1035_RE.match(auto_name): + raise Error('"%s" name for type %s does not match RFC1035 regex (%s)' % + (auto_name, resource, RFC1035_RE.pattern)) + return auto_name + + +def AutoRef(base, resource, *args): + """Helper method that builds a reference for an auto-named resource.""" + return Ref(AutoName(base, resource, *args)) + + +def OrderedItems(dict_obj): + """Convenient method to yield sorted iteritems of a dictionary.""" + keys = list(dict_obj.keys()) + keys.sort() + for k in keys: + yield (k, dict_obj[k]) + + +def ShortenZoneName(zone): + """Given a string that looks like a zone name, creates a shorter version.""" + geo, coord, number, letter = re.findall(r'(\w+)-(\w+)(\d)-(\w)', zone)[0] + geo = geo.lower() if len(geo) == 2 else default.LOC[geo.lower()] + coord = default.LOC[coord.lower()] + number = str(number) + letter = letter.lower() + return geo + '-' + coord + number + letter + + +def ZoneToRegion(zone): + """Derives the region from a zone name.""" + parts = zone.split('-') + if len(parts) != 3: + raise Error('Cannot derive region from zone "%s"' % zone) + return '-'.join(parts[:2]) + + +def FormatException(message): + """Adds more information to the exception.""" + message = 
('Exception Type: %s\n' + 'Details: %s\n' + 'Message: %s\n') % (sys.exc_info()[0], + traceback.format_exc(), message) + return message + + +def Ref(name): + return '$(ref.%s.selfLink)' % name + + +def RefGroup(name): + return '$(ref.%s.instanceGroup)' % name + + +def GlobalComputeLink(project, collection, name): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/global/', + collection, '/', name]) + +def GlobalNetworkLink(project, network): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/global/', + default.NETWORKS, '/', network]) + + +def LocalComputeLink(project, zone, key, value): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/zones/', + zone, '/', key, '/', value]) + + +def ReadContext(context, prop_key): + return (context.env['project'], context.properties.get('zone', None), + context.properties[prop_key]) + + +def MakeLocalComputeLink(context, key, zone=None): + if not zone: + project, zone, value = ReadContext(context, key) + else: + project, _, value = ReadContext(context, key) + + if IsComputeLink(value): + return value + else: + return LocalComputeLink(project, zone, key + 's', value) + + +def MakeGlobalComputeLink(context, key): + project, _, value = ReadContext(context, key) + if IsComputeLink(value): + return value + else: + return GlobalComputeLink(project, key + 's', value) + +def MakeRegionalSubnetworkLink(project, zone, subnet): + region = ZoneToRegion(zone) + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/regions/', + region, '/subnetworks/', subnet]) + + +def MakeSubnetworkComputeLink(context, key): + project, zone, value = ReadContext(context, key) + region = ZoneToRegion(zone) + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/regions/', + region, '/subnetworks/', value]) + + +def MakeFQHN(context, name): + return '%s.c.%s.internal' % (name, context.env['project']) + + +# TODO(victorg): Consider moving this method to a different file +def 
MakeC2DImageLink(name, dev_mode=False): + if IsGlobalProjectShortcut(name) or name.startswith('http'): + return name + else: + if dev_mode: + return 'global/images/%s' % name + else: + return GlobalComputeLink(default.C2D_IMAGES, 'images', name) + + +def IsGlobalProjectShortcut(name): + return name.startswith('projects/') or name.startswith('global/') + + +def IsComputeLink(name): + return (name.startswith(default.COMPUTE_URL_BASE) or + name.startswith(default.REFERENCE_PREFIX)) + + +def GetNamesAndTypes(resources_dict): + return [(d['name'], d['type']) for d in resources_dict] + + +def SummarizeResources(res_dict): + """Summarizes the name of resources per resource type.""" + result = {} + for res in res_dict: + result.setdefault(res['type'], []).append(res['name']) + return result + + +def ListPropertyValuesOfType(res_dict, prop, res_type): + """Lists all the values for a property of a certain type.""" + return [r['properties'][prop] for r in res_dict if r['type'] == res_type] + + +def MakeResource(resource_list, output_list=None): + """Wrapper for a DM template basic spec.""" + content = {'resources': resource_list} + if output_list: + content['outputs'] = output_list + return yaml.dump(content) + + +def TakeZoneOut(properties): + """Given a properties dictionary, removes the zone specific information.""" + + def _CleanZoneUrl(value): + value = value.split('/')[-1] if IsComputeLink(value) else value + return value + + for name in default.VM_ZONE_PROPERTIES: + if name in properties: + properties[name] = _CleanZoneUrl(properties[name]) + if default.ZONE in properties: + properties.pop(default.ZONE) + if default.BOOTDISK in properties: + properties[default.BOOTDISK] = _CleanZoneUrl(properties[default.BOOTDISK]) + if default.DISKS in properties: + for disk in properties[default.DISKS]: + # Don't touch references to other disks + if default.DISK_SOURCE in disk: + continue + if default.INITIALIZEP in disk: + disk_init = disk[default.INITIALIZEP] + if default.DISKTYPE 
in disk_init: + disk_init[default.DISKTYPE] = _CleanZoneUrl(disk_init[default.DISKTYPE]) + + +def GenerateEmbeddableYaml(yaml_string): + # Because YAML is a space delimited format, we need to be careful about + # embedding one YAML document in another. This function takes in a string in + # YAML format and produces an equivalent YAML representation that can be + # inserted into arbitrary points of another YAML document. It does so by + # printing the YAML string in a single line format. Consistent ordering of + # the string is also guaranteed by using yaml.dump. + yaml_object = yaml.load(yaml_string) + dumped_yaml = yaml.dump(yaml_object, default_flow_style=True) + return dumped_yaml + + +def FormatErrorsDec(func): + """Decorator to format exceptions if they get raised.""" + + def FormatErrorsWrap(context): + try: + return func(context) + except Exception as e: + raise Error(FormatException(e.message)) + + return FormatErrorsWrap diff --git a/gcp/deployment-packages/ha-payg/config.yaml b/gcp/deployment-packages/ha-payg/config.yaml new file mode 100644 index 00000000..de203447 --- /dev/null +++ b/gcp/deployment-packages/ha-payg/config.yaml 
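Review bot: GenerateEmbeddableYaml calls `yaml.load(yaml_string)` with no Loader; on PyYAML < 5.1 that is the full loader, which constructs arbitrary Python objects from tags in the input, and on PyYAML >= 6 it raises TypeError, so the function is either unsafe or broken depending on the installed version. Use `yaml_object = yaml.safe_load(yaml_string)`, which is sufficient for the plain-data documents this module handles. FormatErrorsWrap then does `raise Error(FormatException(e.message))`, but Python 3 exceptions have no `.message` attribute (the file otherwise reads as Python 3 code, e.g. `isinstance(key, str)`), so any template error surfaces as an AttributeError from the handler that hides the original; `raise Error(FormatException(str(e))) from e` keeps the cause. ShortenZoneName indexes `re.findall(...)[0]` and will raise IndexError rather than Error on a zone name that does not match the expected shape.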
@@ -0,0 +1,73 @@
+imports:
+- path: check-point-cluster--payg.py
+- path: common.py
+- path: default.py
+- path: password.py
+- path: images.py
+
+resources:
+- name: check-point-cluster--payg
+ type: check-point-cluster--payg.py
+ properties:
+ ha_version: "PLEASE ENTER HA VERSION"
+ zoneA: "PLEASE ENTER ZONE A"
+ zoneB: "PLEASE ENTER ZONE B. MUST BE IN THE SAME REGION AS MEMBER A ZONE"
+ machineType: "PLEASE ENTER A MACHINE TYPE"
+ diskType: "PLEASE ENTER A DISK TYPE"
+ #To connect to Smart-1 Cloud you must provide two valid tokens (one per member)
+ smart1CloudTokenA: "PLEASE ENTER A TOKEN TO CONNECT TO SMART-1 CLOUD FOR MEMBER A OR LEAVE EMPTY DOUBLE QUOTES"
+ smart1CloudTokenB: "PLEASE ENTER A TOKEN TO CONNECT TO SMART-1 CLOUD FOR MEMBER B OR LEAVE EMPTY DOUBLE QUOTES"
+ bootDiskSizeGb: "PLEASE ENTER A DISK SIZE"
+ instanceSSHKey: "PLEASE ENTER A VALID PUBLIC KEY"
+ enableMonitoring: "PLEASE ENTER true or false"
+ managementNetwork: "PLEASE ENTER MANAGEMENT IP, if using Smart-1 Cloud insert 'S1C'"
+ sicKey: "PLEASE ENTER A SIC KEY"
+ generatePassword: "PLEASE ENTER true or false"
+ allowUploadDownload: "PLEASE ENTER true or false"
+ shell: "PLEASE ENTER A SHELL"
+ deployWithPublicIPs: "PLEASE ENTER true or false"
+ cluster-network-cidr: "PLEASE ENTER CLUSTER NETWORK CIDR"
+ cluster-network-name: "PLEASE ENTER CLUSTER NETWORK ID"
+ cluster-network-subnetwork-name: "PLEASE ENTER CLUSTER SUBNETWORK ID"
+ cluster-network_enableIcmp: "PLEASE ENTER true or false"
+ cluster-network_icmpSourceRanges: "PLEASE ENTER ICMP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ cluster-network_enableTcp: "PLEASE ENTER true or false"
+ cluster-network_tcpSourceRanges: "PLEASE ENTER TCP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ cluster-network_enableUdp: "PLEASE ENTER true or false"
+ cluster-network_udpSourceRanges: "PLEASE ENTER UDP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ cluster-network_enableSctp: "PLEASE ENTER true or false"
+ cluster-network_sctpSourceRanges: "PLEASE 
ENTER SCTP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ cluster-network_enableEsp: "PLEASE ENTER true or false"
+ cluster-network_espSourceRanges: "PLEASE ENTER ESP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ mgmt-network-cidr: "PLEASE ENTER MANAGEMENT NETWORK CIDR"
+ mgmt-network-name: "PLEASE ENTER MANAGEMENT NETWORK ID"
+ mgmt-network-subnetwork-name: "PLEASE ENTER MANAGEMENT SUBNETWORK ID"
+ mgmt-network_enableIcmp: "PLEASE ENTER true or false"
+ mgmt-network_icmpSourceRanges: "PLEASE ENTER ICMP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ mgmt-network_enableTcp: "PLEASE ENTER true or false"
+ mgmt-network_tcpSourceRanges: "PLEASE ENTER TCP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ mgmt-network_enableUdp: "PLEASE ENTER true or false"
+ mgmt-network_udpSourceRanges: "PLEASE ENTER UDP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ mgmt-network_enableSctp: "PLEASE ENTER true or false"
+ mgmt-network_sctpSourceRanges: "PLEASE ENTER SCTP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ mgmt-network_enableEsp: "PLEASE ENTER true or false"
+ mgmt-network_espSourceRanges: "PLEASE ENTER ESP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ #Define additional NICs networks and subnetworks according the defined numAdditionalNICs value
+ #If there is no need in additional NICs remove additionalNetwork1 and additionalSubnetwork1 variables
+ numInternalNetworks: "PLEASE ENTER A NUMBER OF ADDITIONAL NICS"
+ internal-network1-cidr: "PLEASE ENTER 1ST INTERNAL NETWORK CIDR"
+ internal-network1-name: "PLEASE ENTER 1ST INTERNAL NETWORK ID"
+ internal-network1-subnetwork-name: "PLEASE ENTER INTERNAL SUBNETWORK ID"
+outputs:
+- name: "Deployment"
+ value: $(ref.check-point-cluster--payg.deployment)
+- name: "Cluster IP external address"
+ value: $(ref.check-point-cluster--payg.clusterIP)
+- name: "Member A"
+ value: $(ref.check-point-cluster--payg.vmAName)
+- name: "Member A external IP"
+ value: $(ref.check-point-cluster--payg.vmAExternalIP)
+- name: "Member B"
+ value: 
$(ref.check-point-cluster--payg.vmBName)
+- name: "Member B external IP"
+ value: $(ref.check-point-cluster--payg.vmBExternalIP)
\ No newline at end of file
diff --git a/gcp/deployment-packages/ha-payg/default.py b/gcp/deployment-packages/ha-payg/default.py
new file mode 100755
index 00000000..0c7dd919
--- /dev/null
+++ b/gcp/deployment-packages/ha-payg/default.py
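Review bot: The comment above the additional-NIC block refers to `numAdditionalNICs`, `additionalNetwork1` and `additionalSubnetwork1`, but the keys actually defined in this file are `numInternalNetworks`, `internal-network1-cidr`, `internal-network1-name` and `internal-network1-subnetwork-name`, so the instruction to remove `additionalNetwork1`/`additionalSubnetwork1` cannot be followed as written; the comment should name the keys that exist here. Since `sicKey`, `smart1CloudTokenA`, `smart1CloudTokenB` and `instanceSSHKey` are filled in place in this plaintext file, a short comment next to them such as `# Keep this file out of version control once the values below are filled in` would help the operators this template is aimed at.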
@@ -0,0 +1,134 @@
+# Copyright 2015 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Convenience module to hold default constants for C2D components.
+
+There should not be any logic in this module. Its purpose is to simplify
+analysis of commonly used GCP and properties names and identify the names
+that were custom created for these modules.
+"""
+# Generic constants
+C2D_IMAGES = 'click-to-deploy-images'
+
+# URL constants
+COMPUTE_URL_BASE = 'https://www.googleapis.com/compute/v1/'
+
+# Deployment Manager constructs
+REFERENCE_PREFIX = '$(ref.' 
+
+# Commonly used in properties namespace
+AUTO_DELETE = 'autoDelete'
+BOOTDISK = 'bootDiskType'
+BOOTDISKSIZE = 'bootDiskSizeGb'
+C_IMAGE = 'containerImage'
+DC_MANIFEST = 'dcManifest'
+DEPLOYMENT = 'DEPLOYMENT' # used in the deployment coordinator
+DISK_NAME = 'diskName'
+DISK_RESOURCES = 'addedDiskResources'
+DISK_SOURCE = 'source'
+ENDPOINT_NAME = 'serviceRegistryEndpointName'
+FIXED_GCLOUD = 'fixedGcloud'
+GENERATED_PROP = 'generatedProperties'
+INITIALIZEP = 'initializeParams'
+INSTANCE_NAME = 'instanceName'
+LOCAL_SSD = 'localSSDs'
+MAX_NUM = 'maxNumReplicas'
+NETWORKS = 'networks'
+NO_SCOPE = 'noScope'
+PROVIDE_BOOT = 'provideBoot'
+REPLICAS = 'replicas'
+SIZE = 'size'
+VM_COPIES = 'numberOfVMReplicas'
+ZONES = 'zones'
+
+# Common properties values (only official GCP values allowed here)
+EXTERNAL = 'External NAT'
+ONE_NAT = 'ONE_TO_ONE_NAT'
+
+# Common 1st level properties (only official GCP names allowed here)
+CAN_IP_FWD = 'canIpForward'
+CONTAINER = 'container'
+DCKRENV = 'dockerEnv'
+DCKRIMAGE = 'dockerImage'
+DEFAULT_SERVICE = 'defaultService'
+DEVICE_NAME = 'deviceName'
+DISKS = 'disks'
+DISK_SIZE = 'diskSizeGb'
+DISKTYPE = 'diskType'
+HEALTH_PATH = 'healthPath'
+HOST_RULES = 'hostRules'
+IP_PROTO = 'IPProtocol'
+MACHINETYPE = 'machineType'
+METADATA = 'metadata'
+NAME = 'name'
+NETWORK = 'network'
+NETWORKS = 'networks'
+SUBNETWORK = 'subnetwork'
+PATH_MATCHERS = 'pathMatchers'
+PORT = 'port'
+PROJECT = 'project'
+SERVICE = 'service'
+SERVICE_ACCOUNTS = 'serviceAccounts'
+SRCIMAGE = 'sourceImage'
+SRC_RANGES = 'sourceRanges'
+TAGS = 'tags'
+TYPE = 'type'
+VM_TEMPLATE = 'instanceTemplate'
+ZONE = 'zone'
+
+# Zone specfic VM properties
+VM_ZONE_PROPERTIES = [DISKTYPE, MACHINETYPE, BOOTDISK]
+
+# Resource type defaults names
+ADDRESS = 'compute.v1.address'
+AUTOSCALER = 'compute.v1.autoscaler'
+BACKEND_SERVICE = 'compute.v1.backendService'
+DISK = 'compute.v1.disk'
+ENDPOINT = 'serviceregistry.v1alpha.endpoint'
+FIREWALL = 'compute.v1.firewall' 
+GF_RULE = 'compute.v1.globalForwardingRule'
+HEALTHCHECK = 'compute.v1.httpHealthCheck'
+IGM = 'compute.v1.instanceGroupManager'
+INSTANCE = 'compute.v1.instance'
+PROXY = 'compute.v1.targetHttpProxy'
+TEMPLATE = 'compute.v1.instanceTemplate'
+REGION_IGM = 'compute.v1.regionInstanceGroupManager'
+REGION_AUTOSCALER = 'compute.v1.regionAutoscaler'
+URL_MAP = 'compute.v1.urlMap'
+VPC='compute.v1.network'
+VPC_SUBNET='compute.v1.subnetwork'
+
+# Also Known As constants
+AKA = {
+ TEMPLATE: 'tmplt',
+ AUTOSCALER: 'as',
+ BACKEND_SERVICE: 'bes',
+ DISK: 'disk',
+ FIREWALL: 'fwall',
+ GF_RULE: 'ip',
+ HEALTHCHECK: 'hc',
+ INSTANCE: 'vm',
+ PROXY: 'tproxy',
+ IGM: 'igm',
+ URL_MAP: 'umap',
+}
+
+LOC = {
+ 'europe': 'eu',
+ 'asia': 'as',
+ 'central': 'c',
+ 'east': 'e',
+ 'west': 'w',
+ 'north': 'n',
+ 'south': 's',
+}
diff --git a/gcp/deployment-packages/ha-payg/images.py b/gcp/deployment-packages/ha-payg/images.py
new file mode 100755
index 00000000..7b04bee0
--- /dev/null
+++ b/gcp/deployment-packages/ha-payg/images.py
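Review bot: `NETWORKS = 'networks'` is assigned twice in this hunk, once in the "Commonly used in properties namespace" group and again in the "Common 1st level properties" group; the second binding silently rebinds the first, and one of the two should go so a reader does not hunt for a difference that is not there. Two minor style points in the same file: `VPC='compute.v1.network'` and `VPC_SUBNET='compute.v1.subnetwork'` lack the spaces around `=` that every other constant here uses, and the heading `# Zone specfic VM properties` should read `# Zone specific VM properties`.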
@@ -0,0 +1,34 @@
+IMAGES = {
+ "check-point-r8120-payg": "check-point-r8120-payg-631-991001560-v20240425",
+ "check-point-r8120-gw-payg-single": "check-point-r8120-gw-payg-single-631-991001560-v20240425",
+ "check-point-r8120-gw-payg-mig": "check-point-r8120-gw-payg-mig-631-991001560-v20240425",
+ "check-point-r8120-gw-payg-cluster": "check-point-r8120-gw-payg-cluster-631-991001560-v20240425",
+ "check-point-r8120-gw-byol-single": "check-point-r8120-gw-byol-single-631-991001560-v20240425",
+ "check-point-r8120-gw-byol-mig": "check-point-r8120-gw-byol-mig-631-991001560-v20240425",
+ "check-point-r8120-gw-byol-cluster": "check-point-r8120-gw-byol-cluster-631-991001560-v20240425",
+ "check-point-r8120-byol": "check-point-r8120-byol-631-991001560-v20240425",
+ "check-point-r8110-payg": "check-point-r8110-payg-335-991001560-v20240425",
+ "check-point-r8110-gw-payg-single": "check-point-r8110-gw-payg-single-335-991001560-v20240425",
+ "check-point-r8110-gw-payg-mig": "check-point-r8110-gw-payg-mig-335-991001560-v20240425",
+ "check-point-r8110-gw-payg-cluster": "check-point-r8110-gw-payg-cluster-335-991001560-v20240425",
+ "check-point-r8110-gw-byol-single": "check-point-r8110-gw-byol-single-335-991001560-v20240425",
+ "check-point-r8110-gw-byol-mig": "check-point-r8110-gw-byol-mig-335-991001560-v20240425",
+ "check-point-r8110-gw-byol-cluster": "check-point-r8110-gw-byol-cluster-335-991001560-v20240425",
+ "check-point-r8110-byol": "check-point-r8110-byol-335-991001560-v20240425",
+ "check-point-r81-payg": "check-point-r81-payg-392-991001560-v20240425",
+ "check-point-r81-gw-payg-single": "check-point-r81-gw-payg-single-392-991001560-v20240425",
+ "check-point-r81-gw-payg-mig": "check-point-r81-gw-payg-mig-392-991001560-v20240425",
+ "check-point-r81-gw-payg-cluster": "check-point-r81-gw-payg-cluster-392-991001560-v20240425",
+ "check-point-r81-gw-byol-single": "check-point-r81-gw-byol-single-392-991001560-v20240425",
+ "check-point-r81-gw-byol-mig": 
"check-point-r81-gw-byol-mig-392-991001560-v20240425",
+ "check-point-r81-gw-byol-cluster": "check-point-r81-gw-byol-cluster-392-991001560-v20240425",
+ "check-point-r81-byol": "check-point-r81-byol-392-991001560-v20240425",
+ "check-point-r8040-payg": "check-point-r8040-payg-294-991001560-v20240425",
+ "check-point-r8040-gw-payg-single": "check-point-r8040-gw-payg-single-294-991001564-v20240505",
+ "check-point-r8040-gw-payg-mig": "check-point-r8040-gw-payg-mig-294-991001564-v20240505",
+ "check-point-r8040-gw-payg-cluster": "check-point-r8040-gw-payg-cluster-294-991001564-v20240505",
+ "check-point-r8040-gw-byol-single": "check-point-r8040-gw-byol-single-294-991001564-v20240505",
+ "check-point-r8040-gw-byol-mig": "check-point-r8040-gw-byol-mig-294-991001564-v20240505",
+ "check-point-r8040-gw-byol-cluster": "check-point-r8040-gw-byol-cluster-294-991001564-v20240505",
+ "check-point-r8040-byol": "check-point-r8040-byol-294-991001560-v20240425"
+}
\ No newline at end of file
diff --git a/gcp/deployment-packages/ha-payg/password.py b/gcp/deployment-packages/ha-payg/password.py
new file mode 100755
index 00000000..273210a6
--- /dev/null
+++ b/gcp/deployment-packages/ha-payg/password.py
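Review bot: images.py has no module docstring or comment saying what `IMAGES` maps, so a reader has to infer that the keys are version/licence/form-factor identifiers and the values are pinned image names; a header such as `"""Pinned GCP image names keyed by Check Point version, licence and deployment type."""` would make that explicit. The R80.40 gateway entries end in `991001564-v20240505` while every other entry, including `check-point-r8040-payg` and `check-point-r8040-byol`, ends in `991001560-v20240425`; if that split is intentional, a one-line comment saying so would stop a future bulk update from normalising it by mistake.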
@@ -0,0 +1,135 @@ +# Copyright 2015 Google Inc. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +"""A DM template that generates password as an output, namely "password". + +An example YAML showing how this template can be used: + resources: + - name: generated-password + type: password.py + properties: + length: 8 + includeSymbols: true + - name: main-template + type: main-template.jinja + properties: + password: $(ref.generated-password.password) + +Input properties to this template: + - length: the length of the generated password. At least 8. Default 8. + - includeSymbols: true/false whether to include symbol chars. Default false. + +The generated password satisfies the following requirements: + - The length is as specified, + - Containing letters and numbers, and optionally symbols if specified, + - Starting with a letter, + - Containing characters from at least 3 of the 4 categories: uppercases, + lowercases, numbers, and symbols. + +""" + +import random +import yaml + +PROPERTY_LENGTH = 'length' +PROPERTY_INCLUDE_SYMBOLS = 'includeSymbols' + +# Note the omission of some hard to distinguish characters like I, l, 0, and O. +UPPERS = 'ABCDEFGHJKLMNPQRSTUVWXYZ' +LOWERS = 'abcdefghijkmnopqrstuvwxyz' +ALPHABET = UPPERS + LOWERS +DIGITS = '123456789' +ALPHANUMS = ALPHABET + DIGITS +# Including only symbols that can be passed around easily in shell scripts. +SYMBOLS = '*-+.' 
+ +CANDIDATES_WITH_SYMBOLS = ALPHANUMS + SYMBOLS +CANDIDATES_WITHOUT_SYMBOLS = ALPHANUMS + +CATEGORIES_WITH_SYMBOLS = [UPPERS, LOWERS, DIGITS, SYMBOLS] +CATEGORIES_WITHOUT_SYMBOLS = [UPPERS, LOWERS, DIGITS] + +MIN_LENGTH = 8 + + +class InputError(Exception): + """Raised when input properties are unexpected.""" + + +def GenerateConfig(context): + """Entry function to generate the DM config.""" + props = context.properties + length = props.setdefault(PROPERTY_LENGTH, MIN_LENGTH) + include_symbols = props.setdefault(PROPERTY_INCLUDE_SYMBOLS, False) + + if not isinstance(include_symbols, bool): + raise InputError('%s must be a boolean' % PROPERTY_INCLUDE_SYMBOLS) + + content = { + 'resources': [], + 'outputs': [{ + 'name': 'password', + 'value': GeneratePassword(length, include_symbols) + }] + } + return yaml.dump(content) + + +def GeneratePassword(length=8, include_symbols=False): + """Generates a random password.""" + if length < MIN_LENGTH: + raise InputError('Password length must be at least %d' % MIN_LENGTH) + + candidates = (CANDIDATES_WITH_SYMBOLS if include_symbols + else CANDIDATES_WITHOUT_SYMBOLS) + categories = (CATEGORIES_WITH_SYMBOLS if include_symbols + else CATEGORIES_WITHOUT_SYMBOLS) + + # Generates up to the specified length minus the number of categories. + # Then inserts one character for each category, ensuring that the character + # satisfy the category if the generated string hasn't already. + generated = ([random.choice(ALPHABET)] + + [random.choice(candidates) + for _ in range(length - 1 - len(categories))]) + for category in categories: + _InsertAndEnsureSatisfaction(generated, category, candidates) + return ''.join(generated) + + +def _InsertAndEnsureSatisfaction(generated, required, all_candidates): + """Inserts 1 char into generated, satisfying required if not already. + + If the required characters are not already in the generated string, one will + be inserted. 
If any required character is already in the generated string, a + random character from all_candidates will be inserted. The insertion happens + at a random location but not at the beginning. + + Args: + generated: the string to be modified. + required: list of required characters to check for. + all_candidates: list of characters to choose from if the required characters + are already satisfied. + """ + if set(generated).isdisjoint(required): + # Not yet satisfied. Insert a required candidate. + _InsertInto(generated, required) + else: + # Already satisfied. Insert any candidate. + _InsertInto(generated, all_candidates) + + +def _InsertInto(generated, candidates): + """Inserts a random candidate into a random non-zero index of generated.""" + # Avoids inserting at index 0, since the first character follows its own rule. + generated.insert(random.randint(1, len(generated) - 1), + random.choice(candidates)) diff --git a/gcp/deployment-packages/single-byol/README.md b/gcp/deployment-packages/single-byol/README.md new file mode 100644 index 00000000..4c14d447 --- /dev/null +++ b/gcp/deployment-packages/single-byol/README.md 
@@ -0,0 +1,134 @@ +# GCP Deployment Manager package for Management, Gateway and Standalone BYOL solutions +This directory contains CloudGuard IaaS deployment package for Management, Gateway and Standalone BYOL solution published in the [GCP Marketplace](https://console.cloud.google.com/marketplace/details/checkpoint-public/check-point-cloudguard-byol). + +# How to deploy the package manually +To deploy the Deployment Manager's package manually, without using the GCP Marketplace, follow these instructions: +1. Clone or download the files in this directory +2. Fill variables in the config.yaml(see below for variables descriptions). +3. Log into [Google Cloud Platform Console](https://console.cloud.google.com) +4. [Activate Cloud Shell](https://cloud.google.com/shell/docs/using-cloud-shell) +5. Set your Cloud Platform project in the Cloud Shell session use: + + gcloud config set project [PROJECT_ID] +6. Upload the content of the CloudGuardIaaS/gcp/deployment-packages/single-byol/ directory to the [cloud shell](https://cloud.google.com/shell/docs/uploading-and-downloading-files) +7. Launch deployment by running: + + gcloud deployment-manager deployments create [DEPLOYMENT_NAME] --config config.yaml +8. Make sure the deployment finished successfully.
Example of successful deployment output: + + The fingerprint of the deployment is NEBnvNbqOItDoLZrhYNo5Q== + Waiting for create [operation-1585065238276-5a19bc2792a32-becd058d-67862f39]...done. + Create operation operation-1585065238276-5a19bc2792a32-becd058d-67862f39 completed successfully. + NAME TYPE STATE ERRORS INTENT + gateway-config runtimeconfig.v1beta1.config COMPLETED [] + gateway-software runtimeconfig.v1beta1.waiter COMPLETED [] + gateway-vm compute.v1.instance COMPLETED [] + gateway-vm-address compute.v1.address COMPLETED [] + OUTPUTS VALUE + Deployment gateway + Instance gateway-single-vm + +## config.yaml variables +| Name | Description | Type | Allowed values | +| ------------- | ------------- | ------------- | ------------- | +| **zone** | The zone determines what computing resources are available and where your data is stored and used | string | List of allowed [Regions and Zones](https://cloud.google.com/compute/docs/regions-zones?_ga=2.31926582.-962483654.1585043745) | +| | | | | | +| **machineType** | Machine types determine the specifications of your machines, such as the amount of memory, virtual cores, and persistent disk limits an instance will have | string | [Learn more about Machine Types](https://cloud.google.com/compute/docs/machine-types?hl=en_US&_ga=2.267871494.-962483654.1585043745) | +| | | | | | +| **network** | The network determines what network traffic the instance can access | string | Available network in the chosen zone | +| | | | | | +| **Subnetwork** | Assigns the instance an IPv4 address from the subnetwork’s range. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. | string | Available subnetwork in the chosen network | +| | | | | | +| **network_enableTcp** | Allow TCP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **network_tcpSourceRanges** | Allow TCP traffic from the Internet | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009 [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **network_enableGwNetwork** | This is relevant for **Management** only. The network in which managed gateways reside | boolean | true;
false; | +| | | | | | +| **network_gwNetworkSourceRanges** | Allow TCP traffic from the Internet | string | Enter a valid IPv4 network CIDR (e.g. 0.0.0.0/0) | +| | | | | | +| **network_enableIcmp** | Allow ICMP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **network_icmpSourceRanges** | Source IP ranges for ICMP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **network_enableUdp** | Allow UDP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **network_udpSourceRanges** | Source IP ranges for UDP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **network_enableSctp** | Allow SCTP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **network_sctpSourceRanges** | Source IP ranges for SCTP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **network_enableEsp** | Allow ESP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **network_espSourceRanges** | Source IP ranges for ESP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **externalIP** | External IP address type | string | Static;
Ephemeral;
None;
An external IP address associated with this instance. Selecting "None" will result in the instance having no external internet access. [Learn more](https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address?_ga=2.259654658.-962483654.1585043745) | +| | | | | | +| **installationType** | Installation type and version | string | R80.40 Gateway only
R80.40 Management only
R80.40 Manual Configuration
R80.40 Gateway and Management (Standalone)
R81.00 Gateway only
R81.00 Management only
R81.00 Manual Configuration
R81.00 Gateway and Management (Standalone)
R81.10 Gateway only
R81.10 Management only
R81.10 Manual Configuration
R81.10 Gateway and Management (Standalone)
R81.20 Gateway only
R81.20 Management only
R81.20 Manual Configuration
R81.20 Gateway and Management (Standalone) | +| | | | | | +| **smart1CloudToken** | Smart-1 Cloud token to connect this gateway to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal.| +| | | | | | +| **diskType** | Disk type | string | pd-ssd;
pd-standard;
Storage space is much less expensive for a standard persistent disk. An SSD persistent disk is better for random IOPS or streaming throughput with low latency. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.66020774.-962483654.1585043745#overview_of_disk_types)| +| | | | | | +| **bootDiskSizeGb** | Disk size in GB | number | Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.232680471.-962483654.1585043745#pdperformance)| +| | | | | | +| **generatePassword** | Automatically generate an administrator password | boolean | true;
false; | +| | | | | | +| **allowUploadDownload** | Allow download from/upload to Check Point | boolean | true;
false; | +| | | | | | +| **enableMonitoring** | Enable Stackdriver monitoring | boolean | true;
false; | +| | | | | | +| **shell** | Admin shell | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh;
| +| | | | | | +| **instanceSSHKey** | Public SSH key for the user 'admin' | string | A valid public ssh key | +| | | | | | +| **sicKey** | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server | string | At least 8 alpha numeric characters.
If SIC is not provided and needed, a key will be automatically generated | +| | | | | | +| **managementGUIClientNetwork** | Allowed GUI clients | string | A valid IPv4 network CIDR (e.g. 0.0.0.0/0) | +| | | | | | +| **numAdditionalNICs** | Number of additional network interfaces | number | A number in the range 0 - 7.
Multiple network interfaces deployment is described in [sk121637 - Deploy a CloudGuard for GCP with Multiple Network Interfaces](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk121637) | +| | | | | | + +## Example + zone: "asia-east1-a" + machineType: "n1-standard-4" + network: "frontend-vpc" + subnetwork: "frontend" + network_enableTcp: true + network_tcpSourceRanges: "0.0.0.0/0" + network_enableGwNetwork: true + network_gwNetworkSourceRanges: "0.0.0.0/0" + network_enableIcmp: true + network_icmpSourceRanges: "0.0.0.0/0" + network_enableUdp: true + network_udpSourceRanges: "0.0.0.0/0" + network_enableSctp: false + network_sctpSourceRanges: "" + network_enableEsp: false + network_espSourceRanges: "" + externalIP: "Static" + installationType: "R81.10 Gateway only" + smart1CloudToken: "xxxxxxxxxxxxxxxxxxxxxxxx" + diskType: "pd-ssd" + bootDiskSizeGb: 100 + generatePassword: false + allowUploadDownload: true + enableMonitoring: false + shell: "/bin/bash" + instanceSSHKey: "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" + sicKey: "xxxxxxxx" + managementGUIClientNetwork: "0.0.0.0/0" + numAdditionalNICs: 1 + additionalNetwork1: "backend-vpc1" + additionalSubnetwork1: "backend1" + externalIP1": "None" + additionalNetwork2": "backend-vpc2" + additionalSubnetwork2": "backend2" + externalIP2": "None" + + + + +## Notes +See [sk147032](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk147032) for revision history \ No newline at end of file diff --git a/gcp/deployment-packages/single-byol/c2d_deployment_configuration.json b/gcp/deployment-packages/single-byol/c2d_deployment_configuration.json new file mode 100755 index 00000000..949dc18a --- /dev/null +++ b/gcp/deployment-packages/single-byol/c2d_deployment_configuration.json 
@@ -0,0 +1,7 @@
+{
+ "defaultDeploymentType": "SINGLE_VM",
+ "imageName": "check-point-r8120-gw-byol-single-634-991001611-v20240613",
+ "projectId": "checkpoint-public",
+ "templateName": "nonexistent_template",
+ "useSolutionPackage": "true"
+}
diff --git a/gcp/deployment-packages/single-byol/check-point-vsec--byol.py b/gcp/deployment-packages/single-byol/check-point-vsec--byol.py
new file mode 100755
index 00000000..3cef893f
--- /dev/null
+++ b/gcp/deployment-packages/single-byol/check-point-vsec--byol.py
@@ -0,0 +1,475 @@ +# Copyright 2016 Check Point Software LTD. +import common +import default +import images +import password + +GATEWAY = 'checkpoint-gateway' +MANAGEMENT = 'checkpoint-management' + +PROJECT = 'checkpoint-public' +LICENSE = 'byol' +LICENCE_TYPE = 'single' + +VERSIONS = { + 'R81.10': 'r8110', + 'R81.10-GW': 'r8110-gw', + 'R81.20': 'r8120', + 'R81.20-GW': 'r8120-gw' +} + +ADDITIONAL_NETWORK = 'additionalNetwork{}' +ADDITIONAL_SUBNET = 'additionalSubnetwork{}' +ADDITIONAL_EXTERNAL_IP = 'externalIP{}' +MAX_NICS = 8 + +TEMPLATE_NAME = 'single' +TEMPLATE_VERSION = '20240714' + +ATTRIBUTES = { + 'Gateway and Management (Standalone)': { + 'tags': [GATEWAY, MANAGEMENT], + 'description': 'Check Point Security Gateway and Management', + 'canIpForward': True, + }, + 'Management only': { + 'tags': [MANAGEMENT], + 'description': 'Check Point Security Management', + 'canIpForward': False, + }, + 'Gateway only': { + 'tags': [GATEWAY], + 'description': 'Check Point Security Gateway', + 'canIpForward': True, + }, + 'Manual Configuration': { + 'tags': [], + 'description': 'Check Point', + 'canIpForward': True, + } +} + +startup_script = ''' +#cloud-config +runcmd: + - 'python3 /etc/cloud_config.py "generatePassword=\\"{generatePassword}\\"" "allowUploadDownload=\\"{allowUploadDownload}\\"" "templateName=\\"{templateName}\\"" "templateVersion=\\"{templateVersion}\\"" "mgmtNIC=\\"{mgmtNIC}\\"" "hasInternet=\\"{hasInternet}\\"" "config_url=\\"{config_url}\\"" "config_path=\\"{config_path}\\"" "installationType=\\"{installationType}\\"" "enableMonitoring=\\"{enableMonitoring}\\"" "shell=\\"{shell}\\"" "computed_sic_key=\\"{computed_sic_key}\\"" "sicKey=\\"{sicKey}\\"" "managementGUIClientNetwork=\\"{managementGUIClientNetwork}\\"" "primary_cluster_address_name=\\"{primary_cluster_address_name}\\"" "secondary_cluster_address_name=\\"{secondary_cluster_address_name}\\"" "managementNetwork=\\"{managementNetwork}\\"" "numAdditionalNICs=\\"{numAdditionalNICs}\\"" 
"smart1CloudToken=\\"{smart1CloudToken}\\"" "name=\\"{name}\\"" "zone=\\"{zoneConfig}\\"" "region=\\"{region}\\"" "osVersion=\\"{osVersion}\\"" "MaintenanceModePassword=\\"{maintenanceMode}\\""' +''' + + +def set_name_and_truncate(primary, secondary, maxlength=62): + return '%s%s' % (primary[:maxlength - len(secondary)], secondary) + + +def MakeStaticAddress(vm_name, zone, ifnum=None): + """Creates a static IP address resource; returns it and the natIP.""" + if ifnum: + address_name = set_name_and_truncate(vm_name, + '-address-{}'.format(ifnum)) + else: + address_name = set_name_and_truncate(vm_name, '-address') + address_resource = { + 'name': address_name, + 'type': default.ADDRESS, + 'properties': { + 'name': address_name, + 'region': common.ZoneToRegion(zone), + }, + } + return address_resource, '$(ref.%s.address)' % address_name + + +def make_access_config(resources, vm_name, zone, static, index=None): + name = 'external-address' + if index: + name += '-{}'.format(index) + access_config = { + 'name': name, + 'type': default.ONE_NAT + } + if static: + address_resource, nat_ip = MakeStaticAddress(vm_name, zone, index) + resources.append(address_resource) + access_config['natIP'] = nat_ip + return access_config + + +def create_firewall_rules(prop, net_name, fw_rule_name_prefix, mgmt=False, + uid=''): + firewall_rules = [] + protocols = ['Icmp', 'Udp', 'Tcp', 'Sctp', 'Esp'] + if mgmt: + protocols.remove('Tcp') + for protocol in protocols: + proto = protocol.lower() + source_ranges = prop.get('network' + '_' + proto + 'SourceRanges', '') + protocol_enabled = prop.get('network' + '_enable' + protocol, '') + if protocol_enabled and source_ranges: + firewall_rules.append(make_firewall_rule( + proto, source_ranges, net_name, fw_rule_name_prefix, mgmt, + uid)) + return firewall_rules + + +def make_firewall_rule(protocol, source_ranges, + net_name, fw_rule_name_prefix, mgmt=False, uid=''): + ranges = [] + ranges_list = source_ranges.split(',') + for source_range in 
ranges_list: + ranges.append(source_range.replace(" ", "")) + fw_rule_name = fw_rule_name_prefix + '-' + protocol + if mgmt: + targetTags = [uid] + else: + targetTags = [GATEWAY] + firewall_rule = { + 'type': default.FIREWALL, + 'name': fw_rule_name, + 'properties': { + 'network': 'global/networks/' + net_name, + 'sourceRanges': ranges, + 'targetTags': targetTags, + 'allowed': [{'IPProtocol': protocol}], + } + } + return firewall_rule + + +def generate_config(context): + """Creates the gateway.""" + prop = context.properties + prop['cloudguardVersion'], _, prop['installationType'] = prop[ + 'installationType'].partition(' ') + if prop['smart1CloudToken'] and prop['installationType'] != 'Gateway only': + raise Exception('Use of Smart-1 Cloud token is allowed only\ + for Gateway development.') + prop['templateName'] = TEMPLATE_NAME + prop['templateVersion'] = TEMPLATE_VERSION + prop['osVersion'] = prop['cloudguardVersion'].replace(".", "") + prop['allowUploadDownload'] = str(prop['allowUploadDownload']).lower() + if not prop['managementGUIClientNetwork'] and prop['installationType'] in { + 'Gateway and Management (Standalone)', 'Management only'}: + raise Exception('Allowed GUI clients are required when installing ' + 'a management server') + for k in ['managementGUIClientNetwork']: + prop.setdefault(k, '') + resources = [] + outputs = [] + network_interfaces = [] + external_ifs = [] + zone = prop['zone'] + deployment = context.env['deployment'] + vm_name = set_name_and_truncate(deployment, '-vm') + access_configs = [] + if prop['externalIP'] != 'None': + access_config = make_access_config(resources, vm_name, zone, + 'Static' == prop['externalIP']) + access_configs.append(access_config) + external_ifs.append(0) + prop['hasInternet'] = 'true' + else: + prop['hasInternet'] = 'false' + network = common.MakeGlobalComputeLink(context, default.NETWORK) + networks = {prop['network']} + network_interface = { + 'network': network, + 'accessConfigs': access_configs, + } + if 
default.SUBNETWORK in prop: + network_interface['subnetwork'] = common.MakeSubnetworkComputeLink( + context, default.SUBNETWORK) + network_interfaces.append(network_interface) + for ifnum in range(1, prop['numAdditionalNICs'] + 1): + net = prop.get(ADDITIONAL_NETWORK.format(ifnum)) + subnet = prop.get(ADDITIONAL_SUBNET.format(ifnum)) + ext_ip = prop.get(ADDITIONAL_EXTERNAL_IP.format(ifnum)) + if not net or not subnet: + raise Exception( + 'Missing network parameters for interface {}'.format(ifnum)) + if net in networks: + raise Exception('Cannot use network "' + net + '" more than once') + networks.add(net) + net = ''.join([ + default.COMPUTE_URL_BASE, + 'projects/', context.env['project'], '/global/networks/', net]) + subnet = ''.join([ + default.COMPUTE_URL_BASE, + 'projects/', context.env['project'], + '/regions/', common.ZoneToRegion(zone), '/subnetworks/', subnet]) + network_interface = { + 'network': net, + 'subnetwork': subnet, + } + if 'None' != ext_ip: + external_ifs.append(ifnum) + access_config = make_access_config( + resources, vm_name, zone, 'Static' == ext_ip, ifnum + 1) + access_configs = [access_config] + network_interface['accessConfigs'] = access_configs + if not prop.get('hasInternet') or 'false' == prop['hasInternet']: + prop['hasInternet'] = 'true' + network_interfaces.append(network_interface) + for ifnum in range(prop['numAdditionalNICs'] + 1, MAX_NICS): + prop.pop(ADDITIONAL_NETWORK.format(ifnum), None) + prop.pop(ADDITIONAL_SUBNET.format(ifnum), None) + prop.pop(ADDITIONAL_EXTERNAL_IP.format(ifnum), None) + deployment_config = set_name_and_truncate(deployment, '-config') + prop['config_url'] = ('https://runtimeconfig.googleapis.com/v1beta1/' + + 'projects/' + context.env[ + 'project'] + '/configs/' + deployment_config) + prop['config_path'] = '/'.join(prop['config_url'].split('/')[-4:]) + prop['deployment_config'] = deployment_config + tags = ATTRIBUTES[prop['installationType']]['tags'] + uid = set_name_and_truncate(vm_name, '-' + 
password.GeneratePassword( + 8, False).lower()) + if prop['installationType'] == 'Gateway only': + prop['cloudguardVersion'] += '-GW' + if not prop.get('sicKey'): + prop['computed_sic_key'] = password.GeneratePassword(12, False) + else: + prop['computed_sic_key'] = prop['sicKey'] + else: + prop['computed_sic_key'] = 'N/A' + outputs.append({ + 'name': 'sicKey', + 'value': prop['computed_sic_key'], + }, ) + if 'gw' in VERSIONS[prop['cloudguardVersion']]: + license_name = "{}-{}".format(LICENSE, LICENCE_TYPE) + else: + license_name = LICENSE + family = '-'.join(['check-point', VERSIONS[prop['cloudguardVersion']], + license_name]) + formatter = common.DefaultFormatter() + gw = { + 'type': default.INSTANCE, + 'name': vm_name, + 'properties': { + 'description': ATTRIBUTES[prop['installationType']]['description'], + 'zone': zone, + 'tags': { + 'items': tags + [uid], + }, + 'machineType': common.MakeLocalComputeLink( + context, default.MACHINETYPE), + 'canIpForward': ATTRIBUTES[ + prop['installationType']]['canIpForward'], + 'networkInterfaces': network_interfaces, + 'disks': [{ + 'autoDelete': True, + 'boot': True, + 'deviceName': common.AutoName( + context.env['name'], default.DISK, 'boot'), + 'initializeParams': { + 'diskType': common.MakeLocalComputeLink( + context, default.DISKTYPE), + 'diskSizeGb': prop['bootDiskSizeGb'], + 'sourceImage': + 'projects/%s/global/images/%s' % ( + PROJECT, images.IMAGES[family]), + }, + 'type': 'PERSISTENT', + }], + 'metadata': { + 'items': [ + { + 'key': 'startup-script', + 'value': formatter.format(startup_script, **prop) + }, + ] + }, + 'serviceAccounts': [{ + 'email': 'default', + 'scopes': [ + 'https://www.googleapis.com/auth/monitoring.write' + ], + }] + } + } + if (prop['externalIP'] != 'None') and ( + 'Manual Configuration' != prop['installationType']): + gw['properties']['serviceAccounts'][0]['scopes'].append( + 'https://www.googleapis.com/auth/cloudruntimeconfig') + resources.append({ + 'name': deployment_config, + 'type': 
'runtimeconfig.v1beta1.config', + 'properties': { + 'config': deployment_config, + 'description': ('Holds software readiness status ' + 'for deployment {}').format(deployment), + }, + }) + resources.append({ + 'name': set_name_and_truncate(deployment, '-software'), + 'type': 'runtimeconfig.v1beta1.waiter', + 'metadata': { + 'dependsOn': [], + }, + 'properties': { + 'parent': '$(ref.' + deployment_config + '.name)', + 'waiter': 'software', + 'timeout': '1800s', + 'success': { + 'cardinality': { + 'number': 1, + 'path': 'status/success', + }, + }, + 'failure': { + 'cardinality': { + 'number': 1, + 'path': 'status/failure', + }, + }, + }, + }) + if 'instanceSSHKey' in prop: + gw['properties']['metadata']['items'].append( + { + 'key': 'instanceSSHKey', + 'value': prop['instanceSSHKey'] + } + ) + if prop['generatePassword']: + passwd = password.GeneratePassword(12, False) + gw['properties']['metadata']['items'].append( + { + 'key': 'adminPasswordSourceMetadata', + 'value': passwd + } + ) + else: + passwd = '' + resources.append(gw) + netlist = list(networks) + + if GATEWAY in tags: + for i in range(len(netlist)): + network = netlist[i] + fw_rule_name_prefix = set_name_and_truncate( + gen_fw_rule_name_deployment_network_prefix( + deployment, network), + '-allow-all-to-chkp-{}'.format(i + 1)) + firewall_rules = create_firewall_rules( + prop, network, fw_rule_name_prefix) + resources.extend(firewall_rules) + else: + for i in range(len(netlist)): + network = netlist[i] + source_ranges = prop['network_tcpSourceRanges'] + tcp_enabled = prop['network_enableTcp'] + gwNetwork_enabled = prop['network_enableGwNetwork'] + gwNetwork_source_range = prop['network_gwNetworkSourceRanges'] + if source_ranges and not tcp_enabled: + raise Exception( + 'Allowed source IP ranges for TCP traffic are provided ' + 'but TCP not marked as allowed') + if tcp_enabled and not source_ranges: + raise Exception('Allowed source IP ranges for TCP traffic' + ' are required when installing ' + 'a 
management server') + if not gwNetwork_enabled and gwNetwork_source_range: + raise Exception('Gateway network source IP are provided but ' + 'not marked as allowed.') + if gwNetwork_enabled and not gwNetwork_source_range: + raise Exception('Gateway network source IP is required in' + ' MGMT deployment.') + ranges_list = source_ranges.split(',') + gw_network_list = gwNetwork_source_range.split(',') + ranges = [] + gw_net_ranges = [] + for source_range in ranges_list: + ranges.append(source_range.replace(" ", "")) + for gw_net_range in gw_network_list: + gw_net_ranges.append(gw_net_range.replace(" ", "")) + if tcp_enabled: + if gwNetwork_enabled: + resources.append({ + 'type': 'compute.v1.firewall', + 'name': set_name_and_truncate( + gen_fw_rule_name_deployment_network_prefix( + deployment, network), + '-gateways-to-management-{}'.format(i + 1)), + 'properties': { + 'network': 'global/networks/' + network, + 'sourceRanges': list(set(gw_net_ranges + ranges)), + 'sourceTags': [GATEWAY], + 'targetTags': [uid], + 'allowed': [ + { + 'IPProtocol': 'tcp', + 'ports': ['257', '18191', '18210', '18264'] + }, + ], + } + }) + resources.append({ + 'type': 'compute.v1.firewall', + 'name': set_name_and_truncate( + gen_fw_rule_name_deployment_network_prefix(deployment, + network), + '-allow-gui-clients-{}'.format(i + 1)), + 'properties': { + 'network': 'global/networks/' + network, + 'sourceRanges': list(set(ranges)), + 'targetTags': [uid], + 'allowed': [ + { + 'IPProtocol': 'tcp', + 'ports': ['22', '443', '18190', '19009'] + }, + ], + } + }) + fw_rule_name_prefix = set_name_and_truncate( + gen_fw_rule_name_deployment_network_prefix( + deployment, network), + '-allow-all-to-chkp-{}'.format(i + 1)) + firewall_rules = create_firewall_rules( + prop, network, fw_rule_name_prefix, True, uid) + resources.extend(firewall_rules) + outputs += [ + { + 'name': 'deployment', + 'value': deployment + }, + { + 'name': 'project', + 'value': context.env['project'] + }, + { + 'name': 'vmName', + 
'value': vm_name, + }, + { + 'name': 'vmId', + 'value': '$(ref.%s.id)' % vm_name, + }, + { + 'name': 'vmSelfLink', + 'value': '$(ref.%s.selfLink)' % vm_name, + }, + { + 'name': 'hasMultiExternalIPs', + 'value': 0 < len(external_ifs) and external_ifs != [0], + }, + { + 'name': 'additionalExternalIPs', + 'value': ', '.join([('$(ref.{}.networkInterfaces[{}].' + + 'accessConfigs[0].natIP)').format( + vm_name, ifnum) for ifnum in external_ifs if ifnum]) + }, + { + 'name': 'vmInternalIP', + 'value': '$(ref.%s.networkInterfaces[0].networkIP)' % vm_name, + }, + { + 'name': 'password', + 'value': passwd + } + ] + return common.MakeResource(resources, outputs) + + +def gen_fw_rule_name_deployment_network_prefix(deployment_name, network_name): + return '{}-{}'. \ + format(deployment_name[:20], network_name[:16]) diff --git a/gcp/deployment-packages/single-byol/check-point-vsec--byol.py.schema b/gcp/deployment-packages/single-byol/check-point-vsec--byol.py.schema new file mode 100755 index 00000000..2a3c922a --- /dev/null +++ b/gcp/deployment-packages/single-byol/check-point-vsec--byol.py.schema 
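Review bot: The computed SIC key, the generated admin password, the Smart-1 Cloud token and the maintenance-mode password are all rendered into the `startup-script` metadata item by `formatter.format(startup_script, **prop)`, and `computed_sic_key` and `passwd` are additionally returned as deployment outputs, so any principal able to read the instance's metadata or the deployment manifest can read them; a comment at the `metadata` block should say so, e.g. `# NOTE: startup-script and the outputs carry bootstrap secrets (SIC key, admin password, tokens); they remain readable in instance metadata and deployment outputs after first boot`. The `hasMultiExternalIPs` output emitted here does not match the `hasMultiExternalIP` output declared in the schema hunk below, so one of the two names needs to change. Every validation failure in `generate_config` raises bare `Exception`; raising `common.Error` would keep the error type consistent with the helper module the template already imports. The Smart-1 token message uses a backslash continuation inside the string literal, which embeds the source indentation into the user-visible text — write it as two adjacent literals, `'Use of Smart-1 Cloud token is allowed only ' 'for Gateway deployment.'`.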
@@ -0,0 +1,355 @@ +imports: + - path: check-point-vsec--byol.py + +info: + version: 1.0 + title: Check Point CloudGuard Network Security - BYOL Template + +required: + - zone + - machineType + - network + - diskType + - bootDiskSizeGb + - installationType + - allowUploadDownload + - shell + - managementGUIClientNetwork + - generatePassword + - enableMonitoring + - numAdditionalNICs + +properties: + zone: + type: string + default: us-central1-a + x-googleProperty: + type: GCE_ZONE + machineType: + type: string + default: n1-standard-4 + x-googleProperty: + type: GCE_MACHINE_TYPE + zoneProperty: zone + gceMachineType: + minCpu: 2 + minRamGb: 1.843000054359436 + network: + type: string + default: default + x-googleProperty: + type: GCE_NETWORK + subnetwork: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: network + network_enableTcp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: network + network_tcpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: network_enableTcp + network_enableGwNetwork: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: network + network_gwNetworkSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: network_enableGwNetwork + network_enableIcmp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: network + network_icmpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: network_enableIcmp + network_enableUdp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: network + network_udpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + 
gceFirewallRange: + firewallProperty: network_enableUdp + network_enableSctp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: network + network_sctpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: network_enableSctp + network_enableEsp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: network + network_espSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: network_enableEsp + smart1CloudToken: + type: string + default: '' + diskType: + type: string + default: pd-ssd + x-googleProperty: + type: GCE_DISK_TYPE + zoneProperty: zone + bootDiskSizeGb: + type: integer + maximum: 1000 + default: 100 + minimum: 100 + x-googleProperty: + type: GCE_DISK_SIZE + gceDiskSize: + diskTypeProperty: diskType + installationType: + type: string + default: R81.20 Gateway only + enum: + - R81.10 Gateway only + - R81.10 Management only + - R81.10 Manual Configuration + - R81.10 Gateway and Management (Standalone) + - R81.20 Gateway only + - R81.20 Management only + - R81.20 Manual Configuration + - R81.20 Gateway and Management (Standalone) + maintenanceMode: + type: string + pattern: ^([a-z0-9A-Z.]{12,300}|)$ + default: '' + allowUploadDownload: + type: boolean + default: True + shell: + type: string + default: /etc/cli.sh + enum: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + generatePassword: + type: boolean + default: False + enableMonitoring: + type: boolean + default: False + sicKey: + type: string + pattern: ^([a-z0-9A-Z]{8,30}|)$ + default: '' + managementGUIClientNetwork: + type: string + pattern: ^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$ + externalIP: + type: string + enum: + - Static + - Ephemeral + - None + default: Static + instanceSSHKey: + type: string + pattern: ^([0-9a-z\-]+ +[0-9A-Za-z/\+=]+( 
.*)?|)$ + default: '' + numAdditionalNICs: + type: integer + enum: + - 0 + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + minimum: 0 + maximum: 7 + default: 1 + additionalNetwork1: + type: string + x-googleProperty: + type: GCE_NETWORK + additionalSubnetwork1: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: additionalNetwork1 + externalIP1: + type: string + enum: + - Static + - Ephemeral + - None + default: None + additionalNetwork2: + type: string + x-googleProperty: + type: GCE_NETWORK + additionalSubnetwork2: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: additionalNetwork2 + externalIP2: + type: string + enum: + - Static + - Ephemeral + - None + default: None + additionalNetwork3: + type: string + x-googleProperty: + type: GCE_NETWORK + additionalSubnetwork3: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: additionalNetwork3 + externalIP3: + type: string + enum: + - Static + - Ephemeral + - None + default: None + additionalNetwork4: + type: string + x-googleProperty: + type: GCE_NETWORK + additionalSubnetwork4: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: additionalNetwork4 + externalIP4: + type: string + enum: + - Static + - Ephemeral + - None + default: None + additionalNetwork5: + type: string + x-googleProperty: + type: GCE_NETWORK + additionalSubnetwork5: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: additionalNetwork5 + externalIP5: + type: string + enum: + - Static + - Ephemeral + - None + default: None + additionalNetwork6: + type: string + x-googleProperty: + type: GCE_NETWORK + additionalSubnetwork6: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: 
additionalNetwork6 + externalIP6: + type: string + enum: + - Static + - Ephemeral + - None + default: None + additionalNetwork7: + type: string + x-googleProperty: + type: GCE_NETWORK + additionalSubnetwork7: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: additionalNetwork7 + externalIP7: + type: string + enum: + - Static + - Ephemeral + - None + default: None + +outputs: + deployment: + type: string + project: + type: string + vmId: + type: string + vmInternalIP: + type: string + hasMultiExternalIP: + type: boolean + additionalExternalIPs: + type: string + vmName: + type: string + vmSelfLink: + type: string + password: + type: string diff --git a/gcp/deployment-packages/single-byol/common.py b/gcp/deployment-packages/single-byol/common.py new file mode 100755 index 00000000..e123c502 --- /dev/null +++ b/gcp/deployment-packages/single-byol/common.py 
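Review bot: The schema's `imports` lists only `check-point-vsec--byol.py`, while that template imports `common`, `default`, `images` and `password`; if this schema is what the packaged deployment is driven from, those helper files would presumably not be uploaded with it, so they should be listed alongside the entry template, e.g. `- path: common.py`. `managementGUIClientNetwork` is both in `required` and constrained by a pattern that rejects an empty string, so every installation type must supply a CIDR even though the template only rejects an empty value for the Management and Standalone types; either drop it from `required` or allow the empty alternative in the pattern the way `sicKey` and `instanceSSHKey` do. `minRamGb: 1.843000054359436` reads as a float artifact rather than a deliberate bound — a rounded value is easier to review and maintain.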
@@ -0,0 +1,262 @@ +# Copyright 2015 Google Inc. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +"""Generic simple functions used for python based template generation.""" + +import re +import sys +import traceback +import default +import string + +import yaml + +RFC1035_RE = re.compile(r'^[a-z][-a-z0-9]{1,61}[a-z0-9]{1}$') + + +class Error(Exception): + """Common exception wrapper for template exceptions.""" + pass + + +class DefaultFormatter(string.Formatter): + """Returns default instead of key error when looking for keys. + + Used for startup-script which contains params from multiple deployments + whiles keys from one deployment may not be set in another. 
+ """ + def __init__(self, default=''): + self.default = default + def get_value(self, key, args, dict): + if isinstance(key, str): + return dict.get(key, self.default) + else: + return string.Formatter.get_value(key, args, dict) + + +def set_name_and_truncate(primary, secondary, maxlength=62): + return '%s%s' % (primary[:maxlength - len(secondary)], secondary) + + +def AddDiskResourcesIfNeeded(context): + """Checks context if disk resources need to be added.""" + if default.DISK_RESOURCES in context.properties: + return context.properties[default.DISK_RESOURCES] + else: + return [] + + +def AutoName(base, resource, *args): + """Helper method to generate names automatically based on default.""" + auto_name = '%s-%s' % (base, '-'.join(list(args) + [default.AKA[resource]])) + if not RFC1035_RE.match(auto_name): + raise Error('"%s" name for type %s does not match RFC1035 regex (%s)' % + (auto_name, resource, RFC1035_RE.pattern)) + return auto_name + + +def AutoRef(base, resource, *args): + """Helper method that builds a reference for an auto-named resource.""" + return Ref(AutoName(base, resource, *args)) + + +def OrderedItems(dict_obj): + """Convenient method to yield sorted iteritems of a dictionary.""" + keys = list(dict_obj.keys()) + keys.sort() + for k in keys: + yield (k, dict_obj[k]) + + +def ShortenZoneName(zone): + """Given a string that looks like a zone name, creates a shorter version.""" + geo, coord, number, letter = re.findall(r'(\w+)-(\w+)(\d)-(\w)', zone)[0] + geo = geo.lower() if len(geo) == 2 else default.LOC[geo.lower()] + coord = default.LOC[coord.lower()] + number = str(number) + letter = letter.lower() + return geo + '-' + coord + number + letter + + +def ZoneToRegion(zone): + """Derives the region from a zone name.""" + parts = zone.split('-') + if len(parts) != 3: + raise Error('Cannot derive region from zone "%s"' % zone) + return '-'.join(parts[:2]) + + +def FormatException(message): + """Adds more information to the exception.""" + message = 
('Exception Type: %s\n' + 'Details: %s\n' + 'Message: %s\n') % (sys.exc_info()[0], + traceback.format_exc(), message) + return message + + +def Ref(name): + return '$(ref.%s.selfLink)' % name + + +def RefGroup(name): + return '$(ref.%s.instanceGroup)' % name + + +def GlobalComputeLink(project, collection, name): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/global/', + collection, '/', name]) + +def GlobalNetworkLink(project, network): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/global/', + default.NETWORKS, '/', network]) + + +def LocalComputeLink(project, zone, key, value): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/zones/', + zone, '/', key, '/', value]) + + +def ReadContext(context, prop_key): + return (context.env['project'], context.properties.get('zone', None), + context.properties[prop_key]) + + +def MakeLocalComputeLink(context, key, zone=None): + if not zone: + project, zone, value = ReadContext(context, key) + else: + project, _, value = ReadContext(context, key) + + if IsComputeLink(value): + return value + else: + return LocalComputeLink(project, zone, key + 's', value) + + +def MakeGlobalComputeLink(context, key): + project, _, value = ReadContext(context, key) + if IsComputeLink(value): + return value + else: + return GlobalComputeLink(project, key + 's', value) + +def MakeRegionalSubnetworkLink(project, zone, subnet): + region = ZoneToRegion(zone) + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/regions/', + region, '/subnetworks/', subnet]) + + +def MakeSubnetworkComputeLink(context, key): + project, zone, value = ReadContext(context, key) + region = ZoneToRegion(zone) + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/regions/', + region, '/subnetworks/', value]) + + +def MakeFQHN(context, name): + return '%s.c.%s.internal' % (name, context.env['project']) + + +# TODO(victorg): Consider moving this method to a different file +def 
MakeC2DImageLink(name, dev_mode=False): + if IsGlobalProjectShortcut(name) or name.startswith('http'): + return name + else: + if dev_mode: + return 'global/images/%s' % name + else: + return GlobalComputeLink(default.C2D_IMAGES, 'images', name) + + +def IsGlobalProjectShortcut(name): + return name.startswith('projects/') or name.startswith('global/') + + +def IsComputeLink(name): + return (name.startswith(default.COMPUTE_URL_BASE) or + name.startswith(default.REFERENCE_PREFIX)) + + +def GetNamesAndTypes(resources_dict): + return [(d['name'], d['type']) for d in resources_dict] + + +def SummarizeResources(res_dict): + """Summarizes the name of resources per resource type.""" + result = {} + for res in res_dict: + result.setdefault(res['type'], []).append(res['name']) + return result + + +def ListPropertyValuesOfType(res_dict, prop, res_type): + """Lists all the values for a property of a certain type.""" + return [r['properties'][prop] for r in res_dict if r['type'] == res_type] + + +def MakeResource(resource_list, output_list=None): + """Wrapper for a DM template basic spec.""" + content = {'resources': resource_list} + if output_list: + content['outputs'] = output_list + return yaml.dump(content) + + +def TakeZoneOut(properties): + """Given a properties dictionary, removes the zone specific information.""" + + def _CleanZoneUrl(value): + value = value.split('/')[-1] if IsComputeLink(value) else value + return value + + for name in default.VM_ZONE_PROPERTIES: + if name in properties: + properties[name] = _CleanZoneUrl(properties[name]) + if default.ZONE in properties: + properties.pop(default.ZONE) + if default.BOOTDISK in properties: + properties[default.BOOTDISK] = _CleanZoneUrl(properties[default.BOOTDISK]) + if default.DISKS in properties: + for disk in properties[default.DISKS]: + # Don't touch references to other disks + if default.DISK_SOURCE in disk: + continue + if default.INITIALIZEP in disk: + disk_init = disk[default.INITIALIZEP] + if default.DISKTYPE 
in disk_init: + disk_init[default.DISKTYPE] = _CleanZoneUrl(disk_init[default.DISKTYPE]) + + +def GenerateEmbeddableYaml(yaml_string): + # Because YAML is a space delimited format, we need to be careful about + # embedding one YAML document in another. This function takes in a string in + # YAML format and produces an equivalent YAML representation that can be + # inserted into arbitrary points of another YAML document. It does so by + # printing the YAML string in a single line format. Consistent ordering of + # the string is also guaranteed by using yaml.dump. + yaml_object = yaml.load(yaml_string) + dumped_yaml = yaml.dump(yaml_object, default_flow_style=True) + return dumped_yaml + + +def FormatErrorsDec(func): + """Decorator to format exceptions if they get raised.""" + + def FormatErrorsWrap(context): + try: + return func(context) + except Exception as e: + raise Error(FormatException(e.message)) + + return FormatErrorsWrap diff --git a/gcp/deployment-packages/single-byol/config.yaml b/gcp/deployment-packages/single-byol/config.yaml new file mode 100644 index 00000000..3301dada --- /dev/null +++ b/gcp/deployment-packages/single-byol/config.yaml 
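Review bot: `FormatErrorsWrap` reads `e.message`, an attribute Python 3 exceptions do not have, so any error inside a decorated template function surfaces as an `AttributeError` instead of the formatted `Error`; use `raise Error(FormatException(str(e))) from e`. `GenerateEmbeddableYaml` calls `yaml.load(yaml_string)` with no `Loader`, which newer PyYAML releases warn on or reject outright, and the full loader can construct arbitrary Python objects from tags in its input; `yaml.safe_load(yaml_string)` is sufficient for the plain resource YAML this module produces. `set_name_and_truncate` duplicates the function of the same name in the template file; keeping a single copy here and importing it from the template avoids the two drifting apart. `ShortenZoneName` indexes `[0]` on the `re.findall` result, so an unexpected zone string raises `IndexError` rather than the descriptive `Error` the rest of the module uses.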
@@ -0,0 +1,50 @@
+imports:
+- path: check-point-vsec--byol.py
+- path: common.py
+- path: default.py
+- path: password.py
+- path: images.py
+
+resources:
+- name: check-point-vsec--byol
+ type: check-point-vsec--byol.py
+ properties:
+ zone: "PLEASE ENTER A ZONE"
+ machineType: "PLEASE ENTER A MACHINE TYPE"
+ network: "PLEASE ENTER AN EXTERNAL NETWORK ID"
+ subnetwork: "PLEASE ENTER A SUBNETWORK ID"
+ network_enableTcp: "PLEASE ENTER true or false"
+ network_tcpSourceRanges: "PLEASE ENTER TCP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ network_enableGwNetwork: "PLEASE ENTER true or false"
+ network_gwNetworkSourceRanges: "PLEASE ENTER GATEWAY NETWORK SOURCE RANGES FOR MANAGEMENT, AND STANDALONE. LEAVE EMPTY DOUBLE QUOTES FOR GW"
+ network_enableIcmp: "PLEASE ENTER true or false"
+ network_icmpSourceRanges: "PLEASE ENTER ICMP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ network_enableUdp: "PLEASE ENTER true or false"
+ network_udpSourceRanges: "PLEASE ENTER UDP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ network_enableSctp: "PLEASE ENTER true or false"
+ network_sctpSourceRanges: "PLEASE ENTER SCTP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ network_enableEsp: "PLEASE ENTER true or false"
+ network_espSourceRanges: "PLEASE ENTER ESP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ externalIP: "PLEASE ENTER AN EXTERNAL IP ADDRESS TYPE"
+ installationType: "PLEASE ENTER AN INSTALLATION TYPE"
+ #Connecting to Smart-1 Cloud is only available for Gateway only installation
+ smart1CloudToken: "PLEASE ENTER A TOKEN TO CONNECT TO SMART-1 CLOUD OR LEAVE EMPTY DOUBLE QUOTES"
+ diskType: "PLEASE ENTER A DISK TYPE"
+ bootDiskSizeGb: "PLEASE ENTER A DISK SIZE"
+ generatePassword: "PLEASE ENTER true or false"
+ allowUploadDownload: "PLEASE ENTER true or false"
+ enableMonitoring: "PLEASE ENTER true or false"
+ shell: "PLEASE ENTER A SHELL"
+ instanceSSHKey: "PLEASE ENTER A VALID PUBLIC KEY"
+ sicKey: "PLEASE ENTER A SIC KEY"
+ managementGUIClientNetwork: "PLEASE ENTER A
MANAGEMENT GUI CLIENT NETWORK"
+ numAdditionalNICs: "PLEASE ENTER A NUMBER OF ADDITIONAL NICS"
+ #Define additional NICs networks and subnetworks according the defined numAdditionalNICs value
+ #If there is no need in additional NICs remove additionalNetwork1 and additionalSubnetwork1 variables
+ additionalNetwork1: "PLEASE ENTER AN ADDITIONAL NETWORK1 ID"
+ additionalSubnetwork1: "PLEASE ENTER AN ADDITIONAL SUBNETWORK1 ID"
+outputs:
+- name: "Deployment"
+ value: $(ref.check-point-vsec--byol.deployment)
+- name: "Instance"
+ value: $(ref.check-point-vsec--byol.vmName)
\ No newline at end of file
diff --git a/gcp/deployment-packages/single-byol/default.py b/gcp/deployment-packages/single-byol/default.py
new file mode 100755
index 00000000..0c7dd919
--- /dev/null
+++ b/gcp/deployment-packages/single-byol/default.py
@@ -0,0 +1,134 @@
+# Copyright 2015 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Convenience module to hold default constants for C2D components.
+
+There should not be any logic in this module. Its purpose is to simplify
+analysis of commonly used GCP and properties names and identify the names
+that were custom created for these modules.
+"""
+# Generic constants
+C2D_IMAGES = 'click-to-deploy-images'
+
+# URL constants
+COMPUTE_URL_BASE = 'https://www.googleapis.com/compute/v1/'
+
+# Deployment Manager constructs
+REFERENCE_PREFIX = '$(ref.'
+
+# Commonly used in properties namespace
+AUTO_DELETE = 'autoDelete'
+BOOTDISK = 'bootDiskType'
+BOOTDISKSIZE = 'bootDiskSizeGb'
+C_IMAGE = 'containerImage'
+DC_MANIFEST = 'dcManifest'
+DEPLOYMENT = 'DEPLOYMENT' # used in the deployment coordinator
+DISK_NAME = 'diskName'
+DISK_RESOURCES = 'addedDiskResources'
+DISK_SOURCE = 'source'
+ENDPOINT_NAME = 'serviceRegistryEndpointName'
+FIXED_GCLOUD = 'fixedGcloud'
+GENERATED_PROP = 'generatedProperties'
+INITIALIZEP = 'initializeParams'
+INSTANCE_NAME = 'instanceName'
+LOCAL_SSD = 'localSSDs'
+MAX_NUM = 'maxNumReplicas'
+NETWORKS = 'networks'
+NO_SCOPE = 'noScope'
+PROVIDE_BOOT = 'provideBoot'
+REPLICAS = 'replicas'
+SIZE = 'size'
+VM_COPIES = 'numberOfVMReplicas'
+ZONES = 'zones'
+
+# Common properties values (only official GCP values allowed here)
+EXTERNAL = 'External NAT'
+ONE_NAT = 'ONE_TO_ONE_NAT'
+
+# Common 1st level properties (only official GCP names allowed here)
+CAN_IP_FWD = 'canIpForward'
+CONTAINER = 'container'
+DCKRENV = 'dockerEnv'
+DCKRIMAGE = 'dockerImage'
+DEFAULT_SERVICE = 'defaultService'
+DEVICE_NAME = 'deviceName'
+DISKS = 'disks'
+DISK_SIZE = 'diskSizeGb'
+DISKTYPE = 'diskType'
+HEALTH_PATH = 'healthPath'
+HOST_RULES = 'hostRules'
+IP_PROTO = 'IPProtocol'
+MACHINETYPE = 'machineType'
+METADATA = 'metadata'
+NAME = 'name'
+NETWORK = 'network'
+NETWORKS = 'networks'
+SUBNETWORK = 'subnetwork'
+PATH_MATCHERS = 'pathMatchers'
+PORT = 'port'
+PROJECT = 'project'
+SERVICE = 'service'
+SERVICE_ACCOUNTS = 'serviceAccounts'
+SRCIMAGE = 'sourceImage'
+SRC_RANGES = 'sourceRanges'
+TAGS = 'tags'
+TYPE = 'type'
+VM_TEMPLATE = 'instanceTemplate'
+ZONE = 'zone'
+
+# Zone specfic VM properties
+VM_ZONE_PROPERTIES = [DISKTYPE, MACHINETYPE, BOOTDISK]
+
+# Resource type defaults names
+ADDRESS = 'compute.v1.address'
+AUTOSCALER = 'compute.v1.autoscaler'
+BACKEND_SERVICE = 'compute.v1.backendService'
+DISK = 'compute.v1.disk'
+ENDPOINT = 'serviceregistry.v1alpha.endpoint'
+FIREWALL = 'compute.v1.firewall'
+GF_RULE = 'compute.v1.globalForwardingRule'
+HEALTHCHECK = 'compute.v1.httpHealthCheck'
+IGM = 'compute.v1.instanceGroupManager'
+INSTANCE = 'compute.v1.instance'
+PROXY = 'compute.v1.targetHttpProxy'
+TEMPLATE = 'compute.v1.instanceTemplate'
+REGION_IGM = 'compute.v1.regionInstanceGroupManager'
+REGION_AUTOSCALER = 'compute.v1.regionAutoscaler'
+URL_MAP = 'compute.v1.urlMap'
+VPC='compute.v1.network'
+VPC_SUBNET='compute.v1.subnetwork'
+
+# Also Known As constants
+AKA = {
+ TEMPLATE: 'tmplt',
+ AUTOSCALER: 'as',
+ BACKEND_SERVICE: 'bes',
+ DISK: 'disk',
+ FIREWALL: 'fwall',
+ GF_RULE: 'ip',
+ HEALTHCHECK: 'hc',
+ INSTANCE: 'vm',
+ PROXY: 'tproxy',
+ IGM: 'igm',
+ URL_MAP: 'umap',
+}
+
+LOC = {
+ 'europe': 'eu',
+ 'asia': 'as',
+ 'central': 'c',
+ 'east': 'e',
+ 'west': 'w',
+ 'north': 'n',
+ 'south': 's',
+}
diff --git a/gcp/deployment-packages/single-byol/images.py b/gcp/deployment-packages/single-byol/images.py
new file mode 100755
index 00000000..7b04bee0
--- /dev/null
+++ b/gcp/deployment-packages/single-byol/images.py
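Review bot: `NETWORKS = 'networks'` is assigned twice in default.py, once in the "Commonly used in properties namespace" section and again in the "Common 1st level properties (only official GCP names allowed here)" section; the second assignment silently rebinds the first, and having it under both headings leaves unclear which section the name belongs to. Keep a single definition in the section that is correct and drop the other. Separately, `VPC='compute.v1.network'` and `VPC_SUBNET='compute.v1.subnetwork'` omit the spaces around `=` that every other constant in the file uses; `VPC = 'compute.v1.network'` and `VPC_SUBNET = 'compute.v1.subnetwork'` keep the module uniform.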
@@ -0,0 +1,34 @@
+IMAGES = {
+ "check-point-r8120-payg": "check-point-r8120-payg-631-991001560-v20240425",
+ "check-point-r8120-gw-payg-single": "check-point-r8120-gw-payg-single-631-991001560-v20240425",
+ "check-point-r8120-gw-payg-mig": "check-point-r8120-gw-payg-mig-631-991001560-v20240425",
+ "check-point-r8120-gw-payg-cluster": "check-point-r8120-gw-payg-cluster-631-991001560-v20240425",
+ "check-point-r8120-gw-byol-single": "check-point-r8120-gw-byol-single-631-991001560-v20240425",
+ "check-point-r8120-gw-byol-mig": "check-point-r8120-gw-byol-mig-631-991001560-v20240425",
+ "check-point-r8120-gw-byol-cluster": "check-point-r8120-gw-byol-cluster-631-991001560-v20240425",
+ "check-point-r8120-byol": "check-point-r8120-byol-631-991001560-v20240425",
+ "check-point-r8110-payg": "check-point-r8110-payg-335-991001560-v20240425",
+ "check-point-r8110-gw-payg-single": "check-point-r8110-gw-payg-single-335-991001560-v20240425",
+ "check-point-r8110-gw-payg-mig": "check-point-r8110-gw-payg-mig-335-991001560-v20240425",
+ "check-point-r8110-gw-payg-cluster": "check-point-r8110-gw-payg-cluster-335-991001560-v20240425",
+ "check-point-r8110-gw-byol-single": "check-point-r8110-gw-byol-single-335-991001560-v20240425",
+ "check-point-r8110-gw-byol-mig": "check-point-r8110-gw-byol-mig-335-991001560-v20240425",
+ "check-point-r8110-gw-byol-cluster": "check-point-r8110-gw-byol-cluster-335-991001560-v20240425",
+ "check-point-r8110-byol": "check-point-r8110-byol-335-991001560-v20240425",
+ "check-point-r81-payg": "check-point-r81-payg-392-991001560-v20240425",
+ "check-point-r81-gw-payg-single": "check-point-r81-gw-payg-single-392-991001560-v20240425",
+ "check-point-r81-gw-payg-mig": "check-point-r81-gw-payg-mig-392-991001560-v20240425",
+ "check-point-r81-gw-payg-cluster": "check-point-r81-gw-payg-cluster-392-991001560-v20240425",
+ "check-point-r81-gw-byol-single": "check-point-r81-gw-byol-single-392-991001560-v20240425",
+ "check-point-r81-gw-byol-mig":
"check-point-r81-gw-byol-mig-392-991001560-v20240425",
+ "check-point-r81-gw-byol-cluster": "check-point-r81-gw-byol-cluster-392-991001560-v20240425",
+ "check-point-r81-byol": "check-point-r81-byol-392-991001560-v20240425",
+ "check-point-r8040-payg": "check-point-r8040-payg-294-991001560-v20240425",
+ "check-point-r8040-gw-payg-single": "check-point-r8040-gw-payg-single-294-991001564-v20240505",
+ "check-point-r8040-gw-payg-mig": "check-point-r8040-gw-payg-mig-294-991001564-v20240505",
+ "check-point-r8040-gw-payg-cluster": "check-point-r8040-gw-payg-cluster-294-991001564-v20240505",
+ "check-point-r8040-gw-byol-single": "check-point-r8040-gw-byol-single-294-991001564-v20240505",
+ "check-point-r8040-gw-byol-mig": "check-point-r8040-gw-byol-mig-294-991001564-v20240505",
+ "check-point-r8040-gw-byol-cluster": "check-point-r8040-gw-byol-cluster-294-991001564-v20240505",
+ "check-point-r8040-byol": "check-point-r8040-byol-294-991001560-v20240425"
+}
\ No newline at end of file
diff --git a/gcp/deployment-packages/single-byol/password.py b/gcp/deployment-packages/single-byol/password.py
new file mode 100755
index 00000000..273210a6
--- /dev/null
+++ b/gcp/deployment-packages/single-byol/password.py
@@ -0,0 +1,135 @@
+# Copyright 2015 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""A DM template that generates password as an output, namely "password".
+
+An example YAML showing how this template can be used:
+ resources:
+ - name: generated-password
+ type: password.py
+ properties:
+ length: 8
+ includeSymbols: true
+ - name: main-template
+ type: main-template.jinja
+ properties:
+ password: $(ref.generated-password.password)
+
+Input properties to this template:
+ - length: the length of the generated password. At least 8. Default 8.
+ - includeSymbols: true/false whether to include symbol chars. Default false.
+
+The generated password satisfies the following requirements:
+ - The length is as specified,
+ - Containing letters and numbers, and optionally symbols if specified,
+ - Starting with a letter,
+ - Containing characters from at least 3 of the 4 categories: uppercases,
+ lowercases, numbers, and symbols.
+
+"""
+
+import random
+import yaml
+
+PROPERTY_LENGTH = 'length'
+PROPERTY_INCLUDE_SYMBOLS = 'includeSymbols'
+
+# Note the omission of some hard to distinguish characters like I, l, 0, and O.
+UPPERS = 'ABCDEFGHJKLMNPQRSTUVWXYZ'
+LOWERS = 'abcdefghijkmnopqrstuvwxyz'
+ALPHABET = UPPERS + LOWERS
+DIGITS = '123456789'
+ALPHANUMS = ALPHABET + DIGITS
+# Including only symbols that can be passed around easily in shell scripts.
+SYMBOLS = '*-+.'
+
+CANDIDATES_WITH_SYMBOLS = ALPHANUMS + SYMBOLS
+CANDIDATES_WITHOUT_SYMBOLS = ALPHANUMS
+
+CATEGORIES_WITH_SYMBOLS = [UPPERS, LOWERS, DIGITS, SYMBOLS]
+CATEGORIES_WITHOUT_SYMBOLS = [UPPERS, LOWERS, DIGITS]
+
+MIN_LENGTH = 8
+
+
+class InputError(Exception):
+ """Raised when input properties are unexpected."""
+
+
+def GenerateConfig(context):
+ """Entry function to generate the DM config."""
+ props = context.properties
+ length = props.setdefault(PROPERTY_LENGTH, MIN_LENGTH)
+ include_symbols = props.setdefault(PROPERTY_INCLUDE_SYMBOLS, False)
+
+ if not isinstance(include_symbols, bool):
+ raise InputError('%s must be a boolean' % PROPERTY_INCLUDE_SYMBOLS)
+
+ content = {
+ 'resources': [],
+ 'outputs': [{
+ 'name': 'password',
+ 'value': GeneratePassword(length, include_symbols)
+ }]
+ }
+ return yaml.dump(content)
+
+
+def GeneratePassword(length=8, include_symbols=False):
+ """Generates a random password."""
+ if length < MIN_LENGTH:
+ raise InputError('Password length must be at least %d' % MIN_LENGTH)
+
+ candidates = (CANDIDATES_WITH_SYMBOLS if include_symbols
+ else CANDIDATES_WITHOUT_SYMBOLS)
+ categories = (CATEGORIES_WITH_SYMBOLS if include_symbols
+ else CATEGORIES_WITHOUT_SYMBOLS)
+
+ # Generates up to the specified length minus the number of categories.
+ # Then inserts one character for each category, ensuring that the character
+ # satisfy the category if the generated string hasn't already.
+ generated = ([random.choice(ALPHABET)] +
+ [random.choice(candidates)
+ for _ in range(length - 1 - len(categories))])
+ for category in categories:
+ _InsertAndEnsureSatisfaction(generated, category, candidates)
+ return ''.join(generated)
+
+
+def _InsertAndEnsureSatisfaction(generated, required, all_candidates):
+ """Inserts 1 char into generated, satisfying required if not already.
+
+ If the required characters are not already in the generated string, one will
+ be inserted.
If any required character is already in the generated string, a
+ random character from all_candidates will be inserted. The insertion happens
+ at a random location but not at the beginning.
+
+ Args:
+ generated: the string to be modified.
+ required: list of required characters to check for.
+ all_candidates: list of characters to choose from if the required characters
+ are already satisfied.
+ """
+ if set(generated).isdisjoint(required):
+ # Not yet satisfied. Insert a required candidate.
+ _InsertInto(generated, required)
+ else:
+ # Already satisfied. Insert any candidate.
+ _InsertInto(generated, all_candidates)
+
+
+def _InsertInto(generated, candidates):
+ """Inserts a random candidate into a random non-zero index of generated."""
+ # Avoids inserting at index 0, since the first character follows its own rule.
+ generated.insert(random.randint(1, len(generated) - 1),
+ random.choice(candidates))
diff --git a/gcp/deployment-packages/single-payg/README.md b/gcp/deployment-packages/single-payg/README.md
new file mode 100644
index 00000000..c3f9443a
--- /dev/null
+++ b/gcp/deployment-packages/single-payg/README.md
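Review bot: GeneratePassword and _InsertInto pick every character with the module-level random.choice / random.randint, which is Python's Mersenne Twister PRNG and not suitable for a secret that GenerateConfig then emits as the template's `password` output. Add `_RNG = random.SystemRandom()` below the imports and call `_RNG.choice(...)` and `_RNG.randint(...)` in both functions; no interface or character-rule change is needed. The module docstring also promises characters "from at least 3 of the 4 categories" while the loop in GeneratePassword inserts one character for every category in use, so the docstring could instead say "from each of the selected categories". Finally, `if length < MIN_LENGTH` does not reject a non-integer `length` taken from the properties, which only surfaces later inside range(); an `isinstance(length, int)` check raising InputError, mirroring the include_symbols check in GenerateConfig, would report the problem at the input boundary.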
@@ -0,0 +1,133 @@ +# GCP Deployment Manager package for Management, Gateway and Standalone PAYG solutions +This directory contains CloudGuard IaaS deployment package for Management, Gateway and Standalone PAYG solution published in the [GCP Marketplace](https://console.cloud.google.com/marketplace/details/checkpoint-public/check-point-cloudguard-payg). + +# How to deploy the package manually +To deploy the Deployment Manager's package manually, without using the GCP Marketplace, follow these instructions: +1. Clone or download the files in this directory +2. Fill variables in the config.yaml(see below for variables descriptions). +3. Log into [Google Cloud Platform Console](https://console.cloud.google.com) +4. [Activate Cloud Shell](https://cloud.google.com/shell/docs/using-cloud-shell) +5. Set your Cloud Platform project in the Cloud Shell session use: + + gcloud config set project [PROJECT_ID] +6. Upload the content of the CloudGuardIaaS/gcp/deployment-packages/single-payg/ directory to the [cloud shell](https://cloud.google.com/shell/docs/uploading-and-downloading-files) +7. Launch deployment by running: + + gcloud deployment-manager deployments create [DEPLOYMENT_NAME] --config config.yaml +8. Make sure the deployment finished successfully.
Example of successful deployment output: + + The fingerprint of the deployment is NEBnvNbqOItDoLZrhYNo5Q== + Waiting for create [operation-1585065238276-5a19bc2792a32-becd058d-67862f39]...done. + Create operation operation-1585065238276-5a19bc2792a32-becd058d-67862f39 completed successfully. + NAME TYPE STATE ERRORS INTENT + gateway-config runtimeconfig.v1beta1.config COMPLETED [] + gateway-software runtimeconfig.v1beta1.waiter COMPLETED [] + gateway-vm compute.v1.instance COMPLETED [] + gateway-vm-address compute.v1.address COMPLETED [] + OUTPUTS VALUE + Deployment gateway + Instance gateway-single-vm + +## config.yaml variables +| Name | Description | Type | Allowed values | +| ------------- | ------------- | ------------- | ------------- | +| **zone** | The zone determines what computing resources are available and where your data is stored and used | string | List of allowed [Regions and Zones](https://cloud.google.com/compute/docs/regions-zones?_ga=2.31926582.-962483654.1585043745) | +| | | | | | +| **machineType** | Machine types determine the specifications of your machines, such as the amount of memory, virtual cores, and persistent disk limits an instance will have | string | [Learn more about Machine Types](https://cloud.google.com/compute/docs/machine-types?hl=en_US&_ga=2.267871494.-962483654.1585043745) | +| | | | | | +| **network** | The network determines what network traffic the instance can access | string | Available network in the chosen zone | +| | | | | | +| **Subnetwork** | Assigns the instance an IPv4 address from the subnetwork’s range. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. | string | Available subnetwork in the chosen network | +| | | | | | +| **network_enableTcp** | Allow TCP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **network_tcpSourceRanges** | Allow TCP traffic from the Internet | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009 [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **network_enableGwNetwork** | This is relevant for **Management** only. The network in which managed gateways reside | boolean | true;
false; | +| | | | | | +| **network_gwNetworkSourceRanges** | Allow TCP traffic from the Internet | string | Enter a valid IPv4 network CIDR (e.g. 0.0.0.0/0) | +| | | | | | +| **network_enableIcmp** | Allow ICMP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **network_icmpSourceRanges** | Source IP ranges for ICMP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **network_enableUdp** | Allow UDP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **network_udpSourceRanges** | Source IP ranges for UDP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **network_enableSctp** | Allow SCTP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **network_sctpSourceRanges** | Source IP ranges for SCTP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **network_enableEsp** | Allow ESP traffic from the Internet | boolean | true;
false; | +| | | | | | +| **network_espSourceRanges** | Source IP ranges for ESP traffic | string | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) | +| | | | | | +| **externalIP** | External IP address type | string | Static;
Ephemeral;
None;
An external IP address associated with this instance. Selecting "None" will result in the instance having no external internet access. [Learn more](https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address?_ga=2.259654658.-962483654.1585043745) | +| | | | | | +| **installationType** | Installation type and version | string | R80.40 Gateway only
R80.40 Management only
R80.40 Manual Configuration
R80.40 Gateway and Management (Standalone)
R81.00 Gateway only
R81.00 Management only
R81.00 Manual Configuration
R81.00 Gateway and Management (Standalone)
R81.10 Gateway only
R81.10 Management only
R81.10 Manual Configuration
R81.10 Gateway and Management (Standalone)
R81.20 Gateway only
R81.20 Management only
R81.20 Manual Configuration
R81.20 Gateway and Management (Standalone) | +| **smart1CloudToken** | Smart-1 Cloud token to connect this gateway to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal.| +| | | | | | +| **diskType** | Disk type | string | pd-ssd;
pd-standard;
Storage space is much less expensive for a standard persistent disk. An SSD persistent disk is better for random IOPS or streaming throughput with low latency. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.66020774.-962483654.1585043745#overview_of_disk_types)| +| | | | | | +| **bootDiskSizeGb** | Disk size in GB | number | Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.232680471.-962483654.1585043745#pdperformance)| +| | | | | | +| **generatePassword** | Automatically generate an administrator password | boolean | true;
false; | +| | | | | | +| **allowUploadDownload** | Allow download from/upload to Check Point | boolean | true;
false; | +| | | | | | +| **enableMonitoring** | Enable Stackdriver monitoring | boolean | true;
false; | +| | | | | | +| **shell** | Admin shell | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh;
| +| | | | | | +| **instanceSSHKey** | Public SSH key for the user 'admin' | string | A valid public ssh key | +| | | | | | +| **sicKey** | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server | string | At least 8 alpha numeric characters.
If SIC is not provided and needed, a key will be automatically generated | +| | | | | | +| **managementGUIClientNetwork** | Allowed GUI clients | string | A valid IPv4 network CIDR (e.g. 0.0.0.0/0) | +| | | | | | +| **numAdditionalNICs** | Number of additional network interfaces | number | A number in the range 0 - 7.
Multiple network interfaces deployment is described in [sk121637 - Deploy a CloudGuard for GCP with Multiple Network Interfaces](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk121637) | +| | | | | | + +## Example + zone: "asia-east1-a" + machineType: "n1-standard-4" + network: "frontend-vpc" + subnetwork: "frontend" + network_enableTcp: true + network_tcpSourceRanges: "0.0.0.0/0" + network_enableGwNetwork: true + network_gwNetworkSourceRanges: "0.0.0.0/0" + network_enableIcmp: true + network_icmpSourceRanges: "0.0.0.0/0" + network_enableUdp: true + network_udpSourceRanges: "0.0.0.0/0" + network_enableSctp: false + network_sctpSourceRanges: "" + network_enableEsp: false + network_espSourceRanges: "" + externalIP: "Static" + installationType: "R81.10 Gateway only" + smart1CloudToken: "xxxxxxxxxxxxxxxxxxxxxxxx" + diskType: "pd-ssd" + bootDiskSizeGb: 100 + generatePassword: false + allowUploadDownload: true + enableMonitoring: false + shell: "/bin/bash" + instanceSSHKey: "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" + sicKey: "xxxxxxxx" + managementGUIClientNetwork: "0.0.0.0/0" + numAdditionalNICs: 1 + additionalNetwork1: "backend-vpc1" + additionalSubnetwork1: "backend1" + externalIP1": "None" + additionalNetwork2": "backend-vpc2" + additionalSubnetwork2": "backend2" + externalIP2": "None" + + + + +## Notes +See [sk147032](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk147032) for revision history \ No newline at end of file diff --git a/gcp/deployment-packages/single-payg/c2d_deployment_configuration.json b/gcp/deployment-packages/single-payg/c2d_deployment_configuration.json new file mode 100755 index 00000000..e7f5e013 --- /dev/null +++ b/gcp/deployment-packages/single-payg/c2d_deployment_configuration.json 
@@ -0,0 +1,7 @@
+{
+ "defaultDeploymentType": "SINGLE_VM",
+ "imageName": "check-point-r8120-gw-payg-single-634-991001611-v20240613",
+ "projectId": "checkpoint-public",
+ "templateName": "nonexistent_template",
+ "useSolutionPackage": "true"
+}
diff --git a/gcp/deployment-packages/single-payg/check-point-vsec--payg.py b/gcp/deployment-packages/single-payg/check-point-vsec--payg.py
new file mode 100755
index 00000000..a5dfbedf
--- /dev/null
+++ b/gcp/deployment-packages/single-payg/check-point-vsec--payg.py
@@ -0,0 +1,475 @@ +# Copyright 2016 Check Point Software LTD. +import common +import default +import images +import password + +GATEWAY = 'checkpoint-gateway' +MANAGEMENT = 'checkpoint-management' + +PROJECT = 'checkpoint-public' +LICENSE = 'payg' +LICENCE_TYPE = 'single' + +VERSIONS = { + 'R81.10': 'r8110', + 'R81.10-GW': 'r8110-gw', + 'R81.20': 'r8120', + 'R81.20-GW': 'r8120-gw' +} + +ADDITIONAL_NETWORK = 'additionalNetwork{}' +ADDITIONAL_SUBNET = 'additionalSubnetwork{}' +ADDITIONAL_EXTERNAL_IP = 'externalIP{}' +MAX_NICS = 8 + +TEMPLATE_NAME = 'single' +TEMPLATE_VERSION = '20240714' + +ATTRIBUTES = { + 'Gateway and Management (Standalone)': { + 'tags': [GATEWAY, MANAGEMENT], + 'description': 'Check Point Security Gateway and Management', + 'canIpForward': True, + }, + 'Management only': { + 'tags': [MANAGEMENT], + 'description': 'Check Point Security Management', + 'canIpForward': False, + }, + 'Gateway only': { + 'tags': [GATEWAY], + 'description': 'Check Point Security Gateway', + 'canIpForward': True, + }, + 'Manual Configuration': { + 'tags': [], + 'description': 'Check Point', + 'canIpForward': True, + } +} + +startup_script = ''' +#cloud-config +runcmd: + - 'python3 /etc/cloud_config.py "generatePassword=\\"{generatePassword}\\"" "allowUploadDownload=\\"{allowUploadDownload}\\"" "templateName=\\"{templateName}\\"" "templateVersion=\\"{templateVersion}\\"" "mgmtNIC=\\"{mgmtNIC}\\"" "hasInternet=\\"{hasInternet}\\"" "config_url=\\"{config_url}\\"" "config_path=\\"{config_path}\\"" "installationType=\\"{installationType}\\"" "enableMonitoring=\\"{enableMonitoring}\\"" "shell=\\"{shell}\\"" "computed_sic_key=\\"{computed_sic_key}\\"" "sicKey=\\"{sicKey}\\"" "managementGUIClientNetwork=\\"{managementGUIClientNetwork}\\"" "primary_cluster_address_name=\\"{primary_cluster_address_name}\\"" "secondary_cluster_address_name=\\"{secondary_cluster_address_name}\\"" "managementNetwork=\\"{managementNetwork}\\"" "numAdditionalNICs=\\"{numAdditionalNICs}\\"" 
"smart1CloudToken=\\"{smart1CloudToken}\\"" "name=\\"{name}\\"" "zone=\\"{zoneConfig}\\"" "region=\\"{region}\\"" "osVersion=\\"{osVersion}\\"" "MaintenanceModePassword=\\"{maintenanceMode}\\""' +''' + + +def set_name_and_truncate(primary, secondary, maxlength=62): + return '%s%s' % (primary[:maxlength - len(secondary)], secondary) + + +def MakeStaticAddress(vm_name, zone, ifnum=None): + """Creates a static IP address resource; returns it and the natIP.""" + if ifnum: + address_name = set_name_and_truncate(vm_name, + '-address-{}'.format(ifnum)) + else: + address_name = set_name_and_truncate(vm_name, '-address') + address_resource = { + 'name': address_name, + 'type': default.ADDRESS, + 'properties': { + 'name': address_name, + 'region': common.ZoneToRegion(zone), + }, + } + return address_resource, '$(ref.%s.address)' % address_name + + +def make_access_config(resources, vm_name, zone, static, index=None): + name = 'external-address' + if index: + name += '-{}'.format(index) + access_config = { + 'name': name, + 'type': default.ONE_NAT + } + if static: + address_resource, nat_ip = MakeStaticAddress(vm_name, zone, index) + resources.append(address_resource) + access_config['natIP'] = nat_ip + return access_config + + +def create_firewall_rules(prop, net_name, fw_rule_name_prefix, mgmt=False, + uid=''): + firewall_rules = [] + protocols = ['Icmp', 'Udp', 'Tcp', 'Sctp', 'Esp'] + if mgmt: + protocols.remove('Tcp') + for protocol in protocols: + proto = protocol.lower() + source_ranges = prop.get('network' + '_' + proto + 'SourceRanges', '') + protocol_enabled = prop.get('network' + '_enable' + protocol, '') + if protocol_enabled and source_ranges: + firewall_rules.append(make_firewall_rule( + proto, source_ranges, net_name, fw_rule_name_prefix, mgmt, + uid)) + return firewall_rules + + +def make_firewall_rule(protocol, source_ranges, + net_name, fw_rule_name_prefix, mgmt=False, uid=''): + ranges = [] + ranges_list = source_ranges.split(',') + for source_range in 
ranges_list: + ranges.append(source_range.replace(" ", "")) + fw_rule_name = fw_rule_name_prefix + '-' + protocol + if mgmt: + targetTags = [uid] + else: + targetTags = [GATEWAY] + firewall_rule = { + 'type': default.FIREWALL, + 'name': fw_rule_name, + 'properties': { + 'network': 'global/networks/' + net_name, + 'sourceRanges': ranges, + 'targetTags': targetTags, + 'allowed': [{'IPProtocol': protocol}], + } + } + return firewall_rule + + +def generate_config(context): + """Creates the gateway.""" + prop = context.properties + prop['cloudguardVersion'], _, prop['installationType'] = prop[ + 'installationType'].partition(' ') + if prop['smart1CloudToken'] and prop['installationType'] != 'Gateway only': + raise Exception('Use of Smart-1 Cloud token is allowed only\ + for Gateway development.') + prop['templateName'] = TEMPLATE_NAME + prop['templateVersion'] = TEMPLATE_VERSION + prop['osVersion'] = prop['cloudguardVersion'].replace(".", "") + prop['allowUploadDownload'] = str(prop['allowUploadDownload']).lower() + if not prop['managementGUIClientNetwork'] and prop['installationType'] in { + 'Gateway and Management (Standalone)', 'Management only'}: + raise Exception('Allowed GUI clients are required when installing ' + 'a management server') + for k in ['managementGUIClientNetwork']: + prop.setdefault(k, '') + resources = [] + outputs = [] + network_interfaces = [] + external_ifs = [] + zone = prop['zone'] + deployment = context.env['deployment'] + vm_name = set_name_and_truncate(deployment, '-vm') + access_configs = [] + if prop['externalIP'] != 'None': + access_config = make_access_config(resources, vm_name, zone, + 'Static' == prop['externalIP']) + access_configs.append(access_config) + external_ifs.append(0) + prop['hasInternet'] = 'true' + else: + prop['hasInternet'] = 'false' + network = common.MakeGlobalComputeLink(context, default.NETWORK) + networks = {prop['network']} + network_interface = { + 'network': network, + 'accessConfigs': access_configs, + } + if 
default.SUBNETWORK in prop: + network_interface['subnetwork'] = common.MakeSubnetworkComputeLink( + context, default.SUBNETWORK) + network_interfaces.append(network_interface) + for ifnum in range(1, prop['numAdditionalNICs'] + 1): + net = prop.get(ADDITIONAL_NETWORK.format(ifnum)) + subnet = prop.get(ADDITIONAL_SUBNET.format(ifnum)) + ext_ip = prop.get(ADDITIONAL_EXTERNAL_IP.format(ifnum)) + if not net or not subnet: + raise Exception( + 'Missing network parameters for interface {}'.format(ifnum)) + if net in networks: + raise Exception('Cannot use network "' + net + '" more than once') + networks.add(net) + net = ''.join([ + default.COMPUTE_URL_BASE, + 'projects/', context.env['project'], '/global/networks/', net]) + subnet = ''.join([ + default.COMPUTE_URL_BASE, + 'projects/', context.env['project'], + '/regions/', common.ZoneToRegion(zone), '/subnetworks/', subnet]) + network_interface = { + 'network': net, + 'subnetwork': subnet, + } + if 'None' != ext_ip: + external_ifs.append(ifnum) + access_config = make_access_config( + resources, vm_name, zone, 'Static' == ext_ip, ifnum + 1) + access_configs = [access_config] + network_interface['accessConfigs'] = access_configs + if not prop.get('hasInternet') or 'false' == prop['hasInternet']: + prop['hasInternet'] = 'true' + network_interfaces.append(network_interface) + for ifnum in range(prop['numAdditionalNICs'] + 1, MAX_NICS): + prop.pop(ADDITIONAL_NETWORK.format(ifnum), None) + prop.pop(ADDITIONAL_SUBNET.format(ifnum), None) + prop.pop(ADDITIONAL_EXTERNAL_IP.format(ifnum), None) + deployment_config = set_name_and_truncate(deployment, '-config') + prop['config_url'] = ('https://runtimeconfig.googleapis.com/v1beta1/' + + 'projects/' + context.env[ + 'project'] + '/configs/' + deployment_config) + prop['config_path'] = '/'.join(prop['config_url'].split('/')[-4:]) + prop['deployment_config'] = deployment_config + tags = ATTRIBUTES[prop['installationType']]['tags'] + uid = set_name_and_truncate(vm_name, '-' + 
password.GeneratePassword( + 8, False).lower()) + if prop['installationType'] == 'Gateway only': + prop['cloudguardVersion'] += '-GW' + if not prop.get('sicKey'): + prop['computed_sic_key'] = password.GeneratePassword(12, False) + else: + prop['computed_sic_key'] = prop['sicKey'] + else: + prop['computed_sic_key'] = 'N/A' + outputs.append({ + 'name': 'sicKey', + 'value': prop['computed_sic_key'], + }, ) + if 'gw' in VERSIONS[prop['cloudguardVersion']]: + license_name = "{}-{}".format(LICENSE, LICENCE_TYPE) + else: + license_name = LICENSE + family = '-'.join(['check-point', VERSIONS[prop['cloudguardVersion']], + license_name]) + formatter = common.DefaultFormatter() + gw = { + 'type': default.INSTANCE, + 'name': vm_name, + 'properties': { + 'description': ATTRIBUTES[prop['installationType']]['description'], + 'zone': zone, + 'tags': { + 'items': tags + [uid], + }, + 'machineType': common.MakeLocalComputeLink( + context, default.MACHINETYPE), + 'canIpForward': ATTRIBUTES[ + prop['installationType']]['canIpForward'], + 'networkInterfaces': network_interfaces, + 'disks': [{ + 'autoDelete': True, + 'boot': True, + 'deviceName': common.AutoName( + context.env['name'], default.DISK, 'boot'), + 'initializeParams': { + 'diskType': common.MakeLocalComputeLink( + context, default.DISKTYPE), + 'diskSizeGb': prop['bootDiskSizeGb'], + 'sourceImage': + 'projects/%s/global/images/%s' % ( + PROJECT, images.IMAGES[family]), + }, + 'type': 'PERSISTENT', + }], + 'metadata': { + 'items': [ + { + 'key': 'startup-script', + 'value': formatter.format(startup_script, **prop) + }, + ] + }, + 'serviceAccounts': [{ + 'email': 'default', + 'scopes': [ + 'https://www.googleapis.com/auth/monitoring.write' + ], + }] + } + } + if (prop['externalIP'] != 'None') and ( + 'Manual Configuration' != prop['installationType']): + gw['properties']['serviceAccounts'][0]['scopes'].append( + 'https://www.googleapis.com/auth/cloudruntimeconfig') + resources.append({ + 'name': deployment_config, + 'type': 
'runtimeconfig.v1beta1.config', + 'properties': { + 'config': deployment_config, + 'description': ('Holds software readiness status ' + 'for deployment {}').format(deployment), + }, + }) + resources.append({ + 'name': set_name_and_truncate(deployment, '-software'), + 'type': 'runtimeconfig.v1beta1.waiter', + 'metadata': { + 'dependsOn': [], + }, + 'properties': { + 'parent': '$(ref.' + deployment_config + '.name)', + 'waiter': 'software', + 'timeout': '1800s', + 'success': { + 'cardinality': { + 'number': 1, + 'path': 'status/success', + }, + }, + 'failure': { + 'cardinality': { + 'number': 1, + 'path': 'status/failure', + }, + }, + }, + }) + if 'instanceSSHKey' in prop: + gw['properties']['metadata']['items'].append( + { + 'key': 'instanceSSHKey', + 'value': prop['instanceSSHKey'] + } + ) + if prop['generatePassword']: + passwd = password.GeneratePassword(12, False) + gw['properties']['metadata']['items'].append( + { + 'key': 'adminPasswordSourceMetadata', + 'value': passwd + } + ) + else: + passwd = '' + resources.append(gw) + netlist = list(networks) + + if GATEWAY in tags: + for i in range(len(netlist)): + network = netlist[i] + fw_rule_name_prefix = set_name_and_truncate( + gen_fw_rule_name_deployment_network_prefix( + deployment, network), + '-allow-all-to-chkp-{}'.format(i + 1)) + firewall_rules = create_firewall_rules( + prop, network, fw_rule_name_prefix) + resources.extend(firewall_rules) + else: + for i in range(len(netlist)): + network = netlist[i] + source_ranges = prop['network_tcpSourceRanges'] + tcp_enabled = prop['network_enableTcp'] + gwNetwork_enabled = prop['network_enableGwNetwork'] + gwNetwork_source_range = prop['network_gwNetworkSourceRanges'] + if source_ranges and not tcp_enabled: + raise Exception( + 'Allowed source IP ranges for TCP traffic are provided ' + 'but TCP not marked as allowed') + if tcp_enabled and not source_ranges: + raise Exception('Allowed source IP ranges for TCP traffic' + ' are required when installing ' + 'a 
management server') + if not gwNetwork_enabled and gwNetwork_source_range: + raise Exception('Gateway network source IP are provided but ' + 'not marked as allowed.') + if gwNetwork_enabled and not gwNetwork_source_range: + raise Exception('Gateway network source IP is required in' + ' MGMT deployment.') + ranges_list = source_ranges.split(',') + gw_network_list = gwNetwork_source_range.split(',') + ranges = [] + gw_net_ranges = [] + for source_range in ranges_list: + ranges.append(source_range.replace(" ", "")) + for gw_net_range in gw_network_list: + gw_net_ranges.append(gw_net_range.replace(" ", "")) + if tcp_enabled: + if gwNetwork_enabled: + resources.append({ + 'type': 'compute.v1.firewall', + 'name': set_name_and_truncate( + gen_fw_rule_name_deployment_network_prefix( + deployment, network), + '-gateways-to-management-{}'.format(i + 1)), + 'properties': { + 'network': 'global/networks/' + network, + 'sourceRanges': list(set(gw_net_ranges + ranges)), + 'sourceTags': [GATEWAY], + 'targetTags': [uid], + 'allowed': [ + { + 'IPProtocol': 'tcp', + 'ports': ['257', '18191', '18210', '18264'] + }, + ], + } + }) + resources.append({ + 'type': 'compute.v1.firewall', + 'name': set_name_and_truncate( + gen_fw_rule_name_deployment_network_prefix(deployment, + network), + '-allow-gui-clients-{}'.format(i + 1)), + 'properties': { + 'network': 'global/networks/' + network, + 'sourceRanges': list(set(ranges)), + 'targetTags': [uid], + 'allowed': [ + { + 'IPProtocol': 'tcp', + 'ports': ['22', '443', '18190', '19009'] + }, + ], + } + }) + fw_rule_name_prefix = set_name_and_truncate( + gen_fw_rule_name_deployment_network_prefix( + deployment, network), + '-allow-all-to-chkp-{}'.format(i + 1)) + firewall_rules = create_firewall_rules( + prop, network, fw_rule_name_prefix, True, uid) + resources.extend(firewall_rules) + outputs += [ + { + 'name': 'deployment', + 'value': deployment + }, + { + 'name': 'project', + 'value': context.env['project'] + }, + { + 'name': 'vmName', + 
'value': vm_name, + }, + { + 'name': 'vmId', + 'value': '$(ref.%s.id)' % vm_name, + }, + { + 'name': 'vmSelfLink', + 'value': '$(ref.%s.selfLink)' % vm_name, + }, + { + 'name': 'hasMultiExternalIPs', + 'value': 0 < len(external_ifs) and external_ifs != [0], + }, + { + 'name': 'additionalExternalIPs', + 'value': ', '.join([('$(ref.{}.networkInterfaces[{}].' + + 'accessConfigs[0].natIP)').format( + vm_name, ifnum) for ifnum in external_ifs if ifnum]) + }, + { + 'name': 'vmInternalIP', + 'value': '$(ref.%s.networkInterfaces[0].networkIP)' % vm_name, + }, + { + 'name': 'password', + 'value': passwd + } + ] + return common.MakeResource(resources, outputs) + + +def gen_fw_rule_name_deployment_network_prefix(deployment_name, network_name): + return '{}-{}'. \ + format(deployment_name[:20], network_name[:16]) diff --git a/gcp/deployment-packages/single-payg/check-point-vsec--payg.py.schema b/gcp/deployment-packages/single-payg/check-point-vsec--payg.py.schema new file mode 100755 index 00000000..50f3e9bb --- /dev/null +++ b/gcp/deployment-packages/single-payg/check-point-vsec--payg.py.schema 
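Review bot: The generated admin password and SIC key end up in two readable places that the code does not document: the value from `password.GeneratePassword(12, False)` is stored under the `adminPasswordSourceMetadata` metadata key and also emitted as the `password` output, and `computed_sic_key` is both interpolated into the `startup-script` metadata string (together with `smart1CloudToken` and `maintenanceMode`) and emitted as the `sicKey` output, so anyone who can read the deployment manifest or the instance metadata can read them. The `generate_config` docstring should say so, e.g. `"""Creates the gateway. The admin password and SIC key are written to instance metadata and exposed as deployment outputs; treat them as one-time bootstrap secrets and rotate them after first login."""`. Separately, `if 'None' != ext_ip:` in the additional-NIC loop also passes when `externalIP{n}` is absent from the properties (`prop.get` returns `None`), which would silently attach an ephemeral external address; `if ext_ip and ext_ip != 'None':` makes a missing value behave like the schema default. The Smart-1 Cloud error uses a backslash continuation inside the string literal, so the message carries the indentation whitespace and reads "Gateway development" where "Gateway only deployment" appears to be meant.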
@@ -0,0 +1,353 @@ +imports: + - path: check-point-vsec--payg.py + +info: + version: 1.0 + title: Check Point CloudGuard Network Security - PAYG Template + +required: + - zone + - machineType + - network + - diskType + - bootDiskSizeGb + - installationType + - allowUploadDownload + - shell + - managementGUIClientNetwork + - generatePassword + - enableMonitoring + - numAdditionalNICs + +properties: + zone: + type: string + default: us-central1-a + x-googleProperty: + type: GCE_ZONE + machineType: + type: string + default: n1-standard-4 + x-googleProperty: + type: GCE_MACHINE_TYPE + zoneProperty: zone + gceMachineType: + minCpu: 2 + minRamGb: 1.843000054359436 + network: + type: string + default: default + x-googleProperty: + type: GCE_NETWORK + subnetwork: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: network + network_enableTcp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: network + network_tcpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: network_enableTcp + network_enableGwNetwork: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: network + network_gwNetworkSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: network_enableGwNetwork + network_enableIcmp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: network + network_icmpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: network_enableIcmp + network_enableUdp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: network + network_udpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + 
gceFirewallRange: + firewallProperty: network_enableUdp + network_enableSctp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: network + network_sctpSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: network_enableSctp + network_enableEsp: + type: boolean + default: False + x-googleProperty: + type: GCE_FIREWALL + gceFirewall: + networkProperty: network + network_espSourceRanges: + type: string + x-googleProperty: + type: GCE_FIREWALL_RANGE + gceFirewallRange: + firewallProperty: network_enableEsp + smart1CloudToken: + type: string + default: '' + diskType: + type: string + default: pd-ssd + x-googleProperty: + type: GCE_DISK_TYPE + zoneProperty: zone + bootDiskSizeGb: + type: integer + maximum: 1000 + default: 100 + minimum: 100 + x-googleProperty: + type: GCE_DISK_SIZE + gceDiskSize: + diskTypeProperty: diskType + installationType: + type: string + default: R81.20 Gateway only + enum: + - R81.10 Gateway only + - R81.10 Manual Configuration + - R81.10 Gateway and Management (Standalone) + - R81.20 Gateway only + - R81.20 Manual Configuration + - R81.20 Gateway and Management (Standalone) + maintenanceMode: + type: string + pattern: ^([a-z0-9A-Z.]{12,300}|)$ + default: '' + allowUploadDownload: + type: boolean + default: True + shell: + type: string + default: /etc/cli.sh + enum: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + generatePassword: + type: boolean + default: False + enableMonitoring: + type: boolean + default: False + sicKey: + type: string + pattern: ^([a-z0-9A-Z]{8,30}|)$ + default: '' + managementGUIClientNetwork: + type: string + pattern: ^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$ + externalIP: + type: string + enum: + - Static + - Ephemeral + - None + default: Static + instanceSSHKey: + type: string + pattern: ^([0-9a-z\-]+ +[0-9A-Za-z/\+=]+( .*)?|)$ + default: '' + numAdditionalNICs: + type: integer + 
enum: + - 0 + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + minimum: 0 + maximum: 7 + default: 1 + additionalNetwork1: + type: string + x-googleProperty: + type: GCE_NETWORK + additionalSubnetwork1: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: additionalNetwork1 + externalIP1: + type: string + enum: + - Static + - Ephemeral + - None + default: None + additionalNetwork2: + type: string + x-googleProperty: + type: GCE_NETWORK + additionalSubnetwork2: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: additionalNetwork2 + externalIP2: + type: string + enum: + - Static + - Ephemeral + - None + default: None + additionalNetwork3: + type: string + x-googleProperty: + type: GCE_NETWORK + additionalSubnetwork3: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: additionalNetwork3 + externalIP3: + type: string + enum: + - Static + - Ephemeral + - None + default: None + additionalNetwork4: + type: string + x-googleProperty: + type: GCE_NETWORK + additionalSubnetwork4: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: additionalNetwork4 + externalIP4: + type: string + enum: + - Static + - Ephemeral + - None + default: None + additionalNetwork5: + type: string + x-googleProperty: + type: GCE_NETWORK + additionalSubnetwork5: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: additionalNetwork5 + externalIP5: + type: string + enum: + - Static + - Ephemeral + - None + default: None + additionalNetwork6: + type: string + x-googleProperty: + type: GCE_NETWORK + additionalSubnetwork6: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: additionalNetwork6 + externalIP6: + type: string + enum: + - Static + 
- Ephemeral + - None + default: None + additionalNetwork7: + type: string + x-googleProperty: + type: GCE_NETWORK + additionalSubnetwork7: + type: string + x-googleProperty: + type: GCE_SUBNETWORK + zoneProperty: zone + gceSubnetwork: + networkProperty: additionalNetwork7 + externalIP7: + type: string + enum: + - Static + - Ephemeral + - None + default: None + +outputs: + deployment: + type: string + project: + type: string + vmId: + type: string + vmInternalIP: + type: string + hasMultiExternalIP: + type: boolean + additionalExternalIPs: + type: string + vmName: + type: string + vmSelfLink: + type: string + password: + type: string diff --git a/gcp/deployment-packages/single-payg/common.py b/gcp/deployment-packages/single-payg/common.py new file mode 100755 index 00000000..e123c502 --- /dev/null +++ b/gcp/deployment-packages/single-payg/common.py 
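Review bot: The `outputs` block declares `hasMultiExternalIP`, but check-point-vsec--payg.py emits that output under the name `hasMultiExternalIPs`, so the declared output is never populated and the emitted one is undeclared; one spelling should change, e.g. `hasMultiExternalIPs:` here. `smart1CloudToken` is the only secret-bearing property without a `pattern` (`sicKey` and `maintenanceMode` both constrain their alphabet), and the template splices it unescaped into the single-quoted `runcmd` line of the cloud-config, so a token containing a quote character would break the startup script at boot. A pattern that rejects quote characters, e.g. `pattern: ^[^'"]*$` (constructed; narrow it to the real token alphabet), would fail at deployment validation instead.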
@@ -0,0 +1,262 @@ +# Copyright 2015 Google Inc. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +"""Generic simple functions used for python based template generation.""" + +import re +import sys +import traceback +import default +import string + +import yaml + +RFC1035_RE = re.compile(r'^[a-z][-a-z0-9]{1,61}[a-z0-9]{1}$') + + +class Error(Exception): + """Common exception wrapper for template exceptions.""" + pass + + +class DefaultFormatter(string.Formatter): + """Returns default instead of key error when looking for keys. + + Used for startup-script which contains params from multiple deployments + whiles keys from one deployment may not be set in another. 
+ """ + def __init__(self, default=''): + self.default = default + def get_value(self, key, args, dict): + if isinstance(key, str): + return dict.get(key, self.default) + else: + return string.Formatter.get_value(key, args, dict) + + +def set_name_and_truncate(primary, secondary, maxlength=62): + return '%s%s' % (primary[:maxlength - len(secondary)], secondary) + + +def AddDiskResourcesIfNeeded(context): + """Checks context if disk resources need to be added.""" + if default.DISK_RESOURCES in context.properties: + return context.properties[default.DISK_RESOURCES] + else: + return [] + + +def AutoName(base, resource, *args): + """Helper method to generate names automatically based on default.""" + auto_name = '%s-%s' % (base, '-'.join(list(args) + [default.AKA[resource]])) + if not RFC1035_RE.match(auto_name): + raise Error('"%s" name for type %s does not match RFC1035 regex (%s)' % + (auto_name, resource, RFC1035_RE.pattern)) + return auto_name + + +def AutoRef(base, resource, *args): + """Helper method that builds a reference for an auto-named resource.""" + return Ref(AutoName(base, resource, *args)) + + +def OrderedItems(dict_obj): + """Convenient method to yield sorted iteritems of a dictionary.""" + keys = list(dict_obj.keys()) + keys.sort() + for k in keys: + yield (k, dict_obj[k]) + + +def ShortenZoneName(zone): + """Given a string that looks like a zone name, creates a shorter version.""" + geo, coord, number, letter = re.findall(r'(\w+)-(\w+)(\d)-(\w)', zone)[0] + geo = geo.lower() if len(geo) == 2 else default.LOC[geo.lower()] + coord = default.LOC[coord.lower()] + number = str(number) + letter = letter.lower() + return geo + '-' + coord + number + letter + + +def ZoneToRegion(zone): + """Derives the region from a zone name.""" + parts = zone.split('-') + if len(parts) != 3: + raise Error('Cannot derive region from zone "%s"' % zone) + return '-'.join(parts[:2]) + + +def FormatException(message): + """Adds more information to the exception.""" + message = 
('Exception Type: %s\n' + 'Details: %s\n' + 'Message: %s\n') % (sys.exc_info()[0], + traceback.format_exc(), message) + return message + + +def Ref(name): + return '$(ref.%s.selfLink)' % name + + +def RefGroup(name): + return '$(ref.%s.instanceGroup)' % name + + +def GlobalComputeLink(project, collection, name): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/global/', + collection, '/', name]) + +def GlobalNetworkLink(project, network): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/global/', + default.NETWORKS, '/', network]) + + +def LocalComputeLink(project, zone, key, value): + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/zones/', + zone, '/', key, '/', value]) + + +def ReadContext(context, prop_key): + return (context.env['project'], context.properties.get('zone', None), + context.properties[prop_key]) + + +def MakeLocalComputeLink(context, key, zone=None): + if not zone: + project, zone, value = ReadContext(context, key) + else: + project, _, value = ReadContext(context, key) + + if IsComputeLink(value): + return value + else: + return LocalComputeLink(project, zone, key + 's', value) + + +def MakeGlobalComputeLink(context, key): + project, _, value = ReadContext(context, key) + if IsComputeLink(value): + return value + else: + return GlobalComputeLink(project, key + 's', value) + +def MakeRegionalSubnetworkLink(project, zone, subnet): + region = ZoneToRegion(zone) + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/regions/', + region, '/subnetworks/', subnet]) + + +def MakeSubnetworkComputeLink(context, key): + project, zone, value = ReadContext(context, key) + region = ZoneToRegion(zone) + return ''.join([default.COMPUTE_URL_BASE, 'projects/', project, '/regions/', + region, '/subnetworks/', value]) + + +def MakeFQHN(context, name): + return '%s.c.%s.internal' % (name, context.env['project']) + + +# TODO(victorg): Consider moving this method to a different file +def 
MakeC2DImageLink(name, dev_mode=False): + if IsGlobalProjectShortcut(name) or name.startswith('http'): + return name + else: + if dev_mode: + return 'global/images/%s' % name + else: + return GlobalComputeLink(default.C2D_IMAGES, 'images', name) + + +def IsGlobalProjectShortcut(name): + return name.startswith('projects/') or name.startswith('global/') + + +def IsComputeLink(name): + return (name.startswith(default.COMPUTE_URL_BASE) or + name.startswith(default.REFERENCE_PREFIX)) + + +def GetNamesAndTypes(resources_dict): + return [(d['name'], d['type']) for d in resources_dict] + + +def SummarizeResources(res_dict): + """Summarizes the name of resources per resource type.""" + result = {} + for res in res_dict: + result.setdefault(res['type'], []).append(res['name']) + return result + + +def ListPropertyValuesOfType(res_dict, prop, res_type): + """Lists all the values for a property of a certain type.""" + return [r['properties'][prop] for r in res_dict if r['type'] == res_type] + + +def MakeResource(resource_list, output_list=None): + """Wrapper for a DM template basic spec.""" + content = {'resources': resource_list} + if output_list: + content['outputs'] = output_list + return yaml.dump(content) + + +def TakeZoneOut(properties): + """Given a properties dictionary, removes the zone specific information.""" + + def _CleanZoneUrl(value): + value = value.split('/')[-1] if IsComputeLink(value) else value + return value + + for name in default.VM_ZONE_PROPERTIES: + if name in properties: + properties[name] = _CleanZoneUrl(properties[name]) + if default.ZONE in properties: + properties.pop(default.ZONE) + if default.BOOTDISK in properties: + properties[default.BOOTDISK] = _CleanZoneUrl(properties[default.BOOTDISK]) + if default.DISKS in properties: + for disk in properties[default.DISKS]: + # Don't touch references to other disks + if default.DISK_SOURCE in disk: + continue + if default.INITIALIZEP in disk: + disk_init = disk[default.INITIALIZEP] + if default.DISKTYPE 
in disk_init: + disk_init[default.DISKTYPE] = _CleanZoneUrl(disk_init[default.DISKTYPE]) + + +def GenerateEmbeddableYaml(yaml_string): + # Because YAML is a space delimited format, we need to be careful about + # embedding one YAML document in another. This function takes in a string in + # YAML format and produces an equivalent YAML representation that can be + # inserted into arbitrary points of another YAML document. It does so by + # printing the YAML string in a single line format. Consistent ordering of + # the string is also guaranteed by using yaml.dump. + yaml_object = yaml.load(yaml_string) + dumped_yaml = yaml.dump(yaml_object, default_flow_style=True) + return dumped_yaml + + +def FormatErrorsDec(func): + """Decorator to format exceptions if they get raised.""" + + def FormatErrorsWrap(context): + try: + return func(context) + except Exception as e: + raise Error(FormatException(e.message)) + + return FormatErrorsWrap diff --git a/gcp/deployment-packages/single-payg/config.yaml b/gcp/deployment-packages/single-payg/config.yaml new file mode 100644 index 00000000..33316f05 --- /dev/null +++ b/gcp/deployment-packages/single-payg/config.yaml 
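Review bot: `GenerateEmbeddableYaml` calls `yaml.load(yaml_string)` with no `Loader`; recent PyYAML releases make that argument mandatory and raise `TypeError`, and older ones fall back to the full loader, which can instantiate arbitrary Python objects from tags in the input. Since the function only needs plain mappings and lists, `yaml_object = yaml.safe_load(yaml_string)` is the right call. `FormatErrorsDec` has a similar Python 3 problem: `e.message` does not exist on `Exception`, so the wrapper raises `AttributeError` and loses the original error; `raise Error(FormatException(str(e))) from e` keeps both. `set_name_and_truncate` is also a verbatim copy of the function in check-point-vsec--payg.py; keeping one definition here and importing it would stop the two from drifting apart.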
@@ -0,0 +1,48 @@
+imports:
+- path: check-point-vsec--payg.py
+- path: common.py
+- path: default.py
+- path: password.py
+- path: images.py
+
+resources:
+- name: check-point-vsec--payg
+ type: check-point-vsec--payg.py
+ properties:
+ zone: "PLEASE ENTER A ZONE"
+ machineType: "PLEASE ENTER A MACHINE TYPE"
+ network: "PLEASE ENTER AN EXTERNAL NETWORK ID"
+ subnetwork: "PLEASE ENTER A SUBNETWORK ID"
+ network_enableTcp: "PLEASE ENTER true or false"
+ network_tcpSourceRanges: "PLEASE ENTER TCP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ network_enableIcmp: "PLEASE ENTER true or false"
+ network_icmpSourceRanges: "PLEASE ENTER ICMP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ network_enableUdp: "PLEASE ENTER true or false"
+ network_udpSourceRanges: "PLEASE ENTER UDP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ network_enableSctp: "PLEASE ENTER true or false"
+ network_sctpSourceRanges: "PLEASE ENTER SCTP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ network_enableEsp: "PLEASE ENTER true or false"
+ network_espSourceRanges: "PLEASE ENTER ESP SOURCE RANGES OR LEAVE EMPTY DOUBLE QUOTES"
+ externalIP: "PLEASE ENTER AN EXTERNAL IP ADDRESS TYPE"
+ installationType: "PLEASE ENTER AN INSTALLATION TYPE"
+ diskType: "PLEASE ENTER A DISK TYPE"
+ bootDiskSizeGb: "PLEASE ENTER A DISK SIZE"
+ #Connecting to Smart-1 Cloud is only available for Gateway only installation
+ smart1CloudToken: "PLEASE ENTER A TOKEN TO CONNECT TO SMART-1 CLOUD OR LEAVE EMPTY DOUBLE QUOTES"
+ generatePassword: "PLEASE ENTER true or false"
+ allowUploadDownload: "PLEASE ENTER true or false"
+ enableMonitoring: "PLEASE ENTER true or false"
+ shell: "PLEASE ENTER A SHELL"
+ instanceSSHKey: "PLEASE ENTER A VALID PUBLIC KEY"
+ sicKey: "PLEASE ENTER A SIC KEY"
+ managementGUIClientNetwork: "PLEASE ENTER A MANAGEMENT GUI CLIENT NETWORK"
+ numAdditionalNICs: "PLEASE ENTER A NUMBER OF ADDITIONAL NICS"
+ #Define additional NICs networks and subnetworks according the defined numAdditionalNICs value
+ #If there is no need in additional NICs remove additionalNetwork1 and additionalSubnetwork1 variables
+ additionalNetwork1: "PLEASE ENTER AN ADDITIONAL NETWORK1 ID"
+ additionalSubnetwork1: "PLEASE ENTER AN ADDITIONAL SUBNETWORK1 ID"
+outputs:
+- name: "Deployment"
+ value: $(ref.check-point-vsec--payg.deployment)
+- name: "Instance"
+ value: $(ref.check-point-vsec--payg.vmName)
\ No newline at end of file
diff --git a/gcp/deployment-packages/single-payg/default.py b/gcp/deployment-packages/single-payg/default.py
new file mode 100755
index 00000000..0c7dd919
--- /dev/null
+++ b/gcp/deployment-packages/single-payg/default.py
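Review bot: The `sicKey`, `smart1CloudToken` and `instanceSSHKey` entries hold their real values inline once the `PLEASE ENTER` placeholders are replaced, so a completed copy of this file carries credentials, and nothing in the file says so; a comment above `sicKey:` such as `# sicKey and smart1CloudToken are secrets once filled in - keep the completed file out of version control` would make that explicit. The `"PLEASE ENTER true or false"` placeholders are quoted strings while the template presumably expects YAML booleans after substitution; stating next to `generatePassword` that the value must be an unquoted `true` or `false` would stop a quoted `"true"` from being passed through as a string. Minor wording: `according the defined numAdditionalNICs value` reads better as `according to the defined numAdditionalNICs value`.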
@@ -0,0 +1,134 @@
+# Copyright 2015 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Convenience module to hold default constants for C2D components.
+
+There should not be any logic in this module. Its purpose is to simplify
+analysis of commonly used GCP and properties names and identify the names
+that were custom created for these modules.
+"""
+# Generic constants
+C2D_IMAGES = 'click-to-deploy-images'
+
+# URL constants
+COMPUTE_URL_BASE = 'https://www.googleapis.com/compute/v1/'
+
+# Deployment Manager constructs
+REFERENCE_PREFIX = '$(ref.'
+
+# Commonly used in properties namespace
+AUTO_DELETE = 'autoDelete'
+BOOTDISK = 'bootDiskType'
+BOOTDISKSIZE = 'bootDiskSizeGb'
+C_IMAGE = 'containerImage'
+DC_MANIFEST = 'dcManifest'
+DEPLOYMENT = 'DEPLOYMENT' # used in the deployment coordinator
+DISK_NAME = 'diskName'
+DISK_RESOURCES = 'addedDiskResources'
+DISK_SOURCE = 'source'
+ENDPOINT_NAME = 'serviceRegistryEndpointName'
+FIXED_GCLOUD = 'fixedGcloud'
+GENERATED_PROP = 'generatedProperties'
+INITIALIZEP = 'initializeParams'
+INSTANCE_NAME = 'instanceName'
+LOCAL_SSD = 'localSSDs'
+MAX_NUM = 'maxNumReplicas'
+NETWORKS = 'networks'
+NO_SCOPE = 'noScope'
+PROVIDE_BOOT = 'provideBoot'
+REPLICAS = 'replicas'
+SIZE = 'size'
+VM_COPIES = 'numberOfVMReplicas'
+ZONES = 'zones'
+
+# Common properties values (only official GCP values allowed here)
+EXTERNAL = 'External NAT'
+ONE_NAT = 'ONE_TO_ONE_NAT'
+
+# Common 1st level properties (only official GCP names allowed here)
+CAN_IP_FWD = 'canIpForward'
+CONTAINER = 'container'
+DCKRENV = 'dockerEnv'
+DCKRIMAGE = 'dockerImage'
+DEFAULT_SERVICE = 'defaultService'
+DEVICE_NAME = 'deviceName'
+DISKS = 'disks'
+DISK_SIZE = 'diskSizeGb'
+DISKTYPE = 'diskType'
+HEALTH_PATH = 'healthPath'
+HOST_RULES = 'hostRules'
+IP_PROTO = 'IPProtocol'
+MACHINETYPE = 'machineType'
+METADATA = 'metadata'
+NAME = 'name'
+NETWORK = 'network'
+NETWORKS = 'networks'
+SUBNETWORK = 'subnetwork'
+PATH_MATCHERS = 'pathMatchers'
+PORT = 'port'
+PROJECT = 'project'
+SERVICE = 'service'
+SERVICE_ACCOUNTS = 'serviceAccounts'
+SRCIMAGE = 'sourceImage'
+SRC_RANGES = 'sourceRanges'
+TAGS = 'tags'
+TYPE = 'type'
+VM_TEMPLATE = 'instanceTemplate'
+ZONE = 'zone'
+
+# Zone specfic VM properties
+VM_ZONE_PROPERTIES = [DISKTYPE, MACHINETYPE, BOOTDISK]
+
+# Resource type defaults names
+ADDRESS = 'compute.v1.address'
+AUTOSCALER = 'compute.v1.autoscaler'
+BACKEND_SERVICE = 'compute.v1.backendService'
+DISK = 'compute.v1.disk'
+ENDPOINT = 'serviceregistry.v1alpha.endpoint'
+FIREWALL = 'compute.v1.firewall'
+GF_RULE = 'compute.v1.globalForwardingRule'
+HEALTHCHECK = 'compute.v1.httpHealthCheck'
+IGM = 'compute.v1.instanceGroupManager'
+INSTANCE = 'compute.v1.instance'
+PROXY = 'compute.v1.targetHttpProxy'
+TEMPLATE = 'compute.v1.instanceTemplate'
+REGION_IGM = 'compute.v1.regionInstanceGroupManager'
+REGION_AUTOSCALER = 'compute.v1.regionAutoscaler'
+URL_MAP = 'compute.v1.urlMap'
+VPC='compute.v1.network'
+VPC_SUBNET='compute.v1.subnetwork'
+
+# Also Known As constants
+AKA = {
+ TEMPLATE: 'tmplt',
+ AUTOSCALER: 'as',
+ BACKEND_SERVICE: 'bes',
+ DISK: 'disk',
+ FIREWALL: 'fwall',
+ GF_RULE: 'ip',
+ HEALTHCHECK: 'hc',
+ INSTANCE: 'vm',
+ PROXY: 'tproxy',
+ IGM: 'igm',
+ URL_MAP: 'umap',
+}
+
+LOC = {
+ 'europe': 'eu',
+ 'asia': 'as',
+ 'central': 'c',
+ 'east': 'e',
+ 'west': 'w',
+ 'north': 'n',
+ 'south': 's',
+}
diff --git a/gcp/deployment-packages/single-payg/images.py b/gcp/deployment-packages/single-payg/images.py
new file mode 100755
index 00000000..7b04bee0
--- /dev/null
+++ b/gcp/deployment-packages/single-payg/images.py
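Review bot: `NETWORKS = 'networks'` is assigned twice, once under `# Commonly used in properties namespace` and again under `# Common 1st level properties (only official GCP names allowed here)`; the second assignment silently rebinds the first, and one of them should go so the two sections keep the custom-versus-official split the comments describe. `VPC='compute.v1.network'` and `VPC_SUBNET='compute.v1.subnetwork'` are the only assignments in the file without spaces around `=`; `VPC = 'compute.v1.network'` and `VPC_SUBNET = 'compute.v1.subnetwork'` match the rest. The comment `# Zone specfic VM properties` should read `# Zone specific VM properties`.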
@@ -0,0 +1,34 @@
+IMAGES = {
+ "check-point-r8120-payg": "check-point-r8120-payg-631-991001560-v20240425",
+ "check-point-r8120-gw-payg-single": "check-point-r8120-gw-payg-single-631-991001560-v20240425",
+ "check-point-r8120-gw-payg-mig": "check-point-r8120-gw-payg-mig-631-991001560-v20240425",
+ "check-point-r8120-gw-payg-cluster": "check-point-r8120-gw-payg-cluster-631-991001560-v20240425",
+ "check-point-r8120-gw-byol-single": "check-point-r8120-gw-byol-single-631-991001560-v20240425",
+ "check-point-r8120-gw-byol-mig": "check-point-r8120-gw-byol-mig-631-991001560-v20240425",
+ "check-point-r8120-gw-byol-cluster": "check-point-r8120-gw-byol-cluster-631-991001560-v20240425",
+ "check-point-r8120-byol": "check-point-r8120-byol-631-991001560-v20240425",
+ "check-point-r8110-payg": "check-point-r8110-payg-335-991001560-v20240425",
+ "check-point-r8110-gw-payg-single": "check-point-r8110-gw-payg-single-335-991001560-v20240425",
+ "check-point-r8110-gw-payg-mig": "check-point-r8110-gw-payg-mig-335-991001560-v20240425",
+ "check-point-r8110-gw-payg-cluster": "check-point-r8110-gw-payg-cluster-335-991001560-v20240425",
+ "check-point-r8110-gw-byol-single": "check-point-r8110-gw-byol-single-335-991001560-v20240425",
+ "check-point-r8110-gw-byol-mig": "check-point-r8110-gw-byol-mig-335-991001560-v20240425",
+ "check-point-r8110-gw-byol-cluster": "check-point-r8110-gw-byol-cluster-335-991001560-v20240425",
+ "check-point-r8110-byol": "check-point-r8110-byol-335-991001560-v20240425",
+ "check-point-r81-payg": "check-point-r81-payg-392-991001560-v20240425",
+ "check-point-r81-gw-payg-single": "check-point-r81-gw-payg-single-392-991001560-v20240425",
+ "check-point-r81-gw-payg-mig": "check-point-r81-gw-payg-mig-392-991001560-v20240425",
+ "check-point-r81-gw-payg-cluster": "check-point-r81-gw-payg-cluster-392-991001560-v20240425",
+ "check-point-r81-gw-byol-single": "check-point-r81-gw-byol-single-392-991001560-v20240425",
+ "check-point-r81-gw-byol-mig": "check-point-r81-gw-byol-mig-392-991001560-v20240425",
+ "check-point-r81-gw-byol-cluster": "check-point-r81-gw-byol-cluster-392-991001560-v20240425",
+ "check-point-r81-byol": "check-point-r81-byol-392-991001560-v20240425",
+ "check-point-r8040-payg": "check-point-r8040-payg-294-991001560-v20240425",
+ "check-point-r8040-gw-payg-single": "check-point-r8040-gw-payg-single-294-991001564-v20240505",
+ "check-point-r8040-gw-payg-mig": "check-point-r8040-gw-payg-mig-294-991001564-v20240505",
+ "check-point-r8040-gw-payg-cluster": "check-point-r8040-gw-payg-cluster-294-991001564-v20240505",
+ "check-point-r8040-gw-byol-single": "check-point-r8040-gw-byol-single-294-991001564-v20240505",
+ "check-point-r8040-gw-byol-mig": "check-point-r8040-gw-byol-mig-294-991001564-v20240505",
+ "check-point-r8040-gw-byol-cluster": "check-point-r8040-gw-byol-cluster-294-991001564-v20240505",
+ "check-point-r8040-byol": "check-point-r8040-byol-294-991001560-v20240425"
+}
\ No newline at end of file
diff --git a/gcp/deployment-packages/single-payg/password.py b/gcp/deployment-packages/single-payg/password.py
new file mode 100755
index 00000000..273210a6
--- /dev/null
+++ b/gcp/deployment-packages/single-payg/password.py
@@ -0,0 +1,135 @@
+# Copyright 2015 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""A DM template that generates password as an output, namely "password".
+
+An example YAML showing how this template can be used:
+ resources:
+ - name: generated-password
+ type: password.py
+ properties:
+ length: 8
+ includeSymbols: true
+ - name: main-template
+ type: main-template.jinja
+ properties:
+ password: $(ref.generated-password.password)
+
+Input properties to this template:
+ - length: the length of the generated password. At least 8. Default 8.
+ - includeSymbols: true/false whether to include symbol chars. Default false.
+
+The generated password satisfies the following requirements:
+ - The length is as specified,
+ - Containing letters and numbers, and optionally symbols if specified,
+ - Starting with a letter,
+ - Containing characters from at least 3 of the 4 categories: uppercases,
+ lowercases, numbers, and symbols.
+
+"""
+
+import random
+import yaml
+
+PROPERTY_LENGTH = 'length'
+PROPERTY_INCLUDE_SYMBOLS = 'includeSymbols'
+
+# Note the omission of some hard to distinguish characters like I, l, 0, and O.
+UPPERS = 'ABCDEFGHJKLMNPQRSTUVWXYZ'
+LOWERS = 'abcdefghijkmnopqrstuvwxyz'
+ALPHABET = UPPERS + LOWERS
+DIGITS = '123456789'
+ALPHANUMS = ALPHABET + DIGITS
+# Including only symbols that can be passed around easily in shell scripts.
+SYMBOLS = '*-+.'
+
+CANDIDATES_WITH_SYMBOLS = ALPHANUMS + SYMBOLS
+CANDIDATES_WITHOUT_SYMBOLS = ALPHANUMS
+
+CATEGORIES_WITH_SYMBOLS = [UPPERS, LOWERS, DIGITS, SYMBOLS]
+CATEGORIES_WITHOUT_SYMBOLS = [UPPERS, LOWERS, DIGITS]
+
+MIN_LENGTH = 8
+
+
+class InputError(Exception):
+ """Raised when input properties are unexpected."""
+
+
+def GenerateConfig(context):
+ """Entry function to generate the DM config."""
+ props = context.properties
+ length = props.setdefault(PROPERTY_LENGTH, MIN_LENGTH)
+ include_symbols = props.setdefault(PROPERTY_INCLUDE_SYMBOLS, False)
+
+ if not isinstance(include_symbols, bool):
+ raise InputError('%s must be a boolean' % PROPERTY_INCLUDE_SYMBOLS)
+
+ content = {
+ 'resources': [],
+ 'outputs': [{
+ 'name': 'password',
+ 'value': GeneratePassword(length, include_symbols)
+ }]
+ }
+ return yaml.dump(content)
+
+
+def GeneratePassword(length=8, include_symbols=False):
+ """Generates a random password."""
+ if length < MIN_LENGTH:
+ raise InputError('Password length must be at least %d' % MIN_LENGTH)
+
+ candidates = (CANDIDATES_WITH_SYMBOLS if include_symbols
+ else CANDIDATES_WITHOUT_SYMBOLS)
+ categories = (CATEGORIES_WITH_SYMBOLS if include_symbols
+ else CATEGORIES_WITHOUT_SYMBOLS)
+
+ # Generates up to the specified length minus the number of categories.
+ # Then inserts one character for each category, ensuring that the character
+ # satisfy the category if the generated string hasn't already.
+ generated = ([random.choice(ALPHABET)] +
+ [random.choice(candidates)
+ for _ in range(length - 1 - len(categories))])
+ for category in categories:
+ _InsertAndEnsureSatisfaction(generated, category, candidates)
+ return ''.join(generated)
+
+
+def _InsertAndEnsureSatisfaction(generated, required, all_candidates):
+ """Inserts 1 char into generated, satisfying required if not already.
+
+ If the required characters are not already in the generated string, one will
+ be inserted. If any required character is already in the generated string, a
+ random character from all_candidates will be inserted. The insertion happens
+ at a random location but not at the beginning.
+
+ Args:
+ generated: the string to be modified.
+ required: list of required characters to check for.
+ all_candidates: list of characters to choose from if the required characters
+ are already satisfied.
+ """
+ if set(generated).isdisjoint(required):
+ # Not yet satisfied. Insert a required candidate.
+ _InsertInto(generated, required)
+ else:
+ # Already satisfied. Insert any candidate.
+ _InsertInto(generated, all_candidates)
+
+
+def _InsertInto(generated, candidates):
+ """Inserts a random candidate into a random non-zero index of generated."""
+ # Avoids inserting at index 0, since the first character follows its own rule.
+ generated.insert(random.randint(1, len(generated) - 1),
+ random.choice(candidates))
diff --git a/terraform/.gitattributes b/terraform/.gitattributes
new file mode 100644
index 00000000..526c8a38
--- /dev/null
+++ b/terraform/.gitattributes
@@ -0,0 +1 @@
+*.sh text eol=lf
\ No newline at end of file
diff --git a/terraform/.gitignore b/terraform/.gitignore
new file mode 100644
index 00000000..c4bd74d9
--- /dev/null
+++ b/terraform/.gitignore
@@ -0,0 +1,14 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+
+# JSON files under terraform/gcp/ directory
+gcp/*.json
+
+.idea
diff --git a/terraform/LICENSE b/terraform/LICENSE
new file mode 100644
index 00000000..35088bb5
--- /dev/null
+++ b/terraform/LICENSE
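Review bot: `GeneratePassword` and `_InsertInto` draw every character from the `random` module, which is a Mersenne Twister rather than a CSPRNG, yet the module docstring hands the result to other resources as their password; the selections should come from `secrets` (or `random.SystemRandom()` if Python 2.7 compatibility is still required), which is the five-line change below. Separately, `GeneratePassword` evaluates `length < MIN_LENGTH` without checking that `length` is an integer, so a string supplied through the properties raises `TypeError` on Python 3 instead of `InputError`; a guard next to the existing `isinstance(include_symbols, bool)` check, `if not isinstance(length, int): raise InputError('%s must be an integer' % PROPERTY_LENGTH)`, would make the two inputs consistent. The generated value is also returned as a DM output, so it is presumably readable by anyone who can view the deployment manifest; that is worth stating in the module docstring.
```python
import secrets
import yaml
# … unchanged: constants, InputError, GenerateConfig …
    generated = ([secrets.choice(ALPHABET)] +
                 [secrets.choice(candidates)
                  for _ in range(length - 1 - len(categories))])
# … unchanged: category insertion loop, _InsertAndEnsureSatisfaction …
    generated.insert(secrets.randbelow(len(generated) - 1) + 1,
                     secrets.choice(candidates))
```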
@@ -0,0 +1,199 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the 
following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/terraform/alicloud/cluster-master/README.md b/terraform/alicloud/cluster-master/README.md new file mode 100755 index 00000000..8c16dc10 --- /dev/null +++ b/terraform/alicloud/cluster-master/README.md 
@@ -0,0 +1,174 @@ +# Check Point CloudGuard Network Security Cluster Master Terraform module for AliCloud + +Terraform module which deploys a Check Point CloudGuard Network Security Cluster into a new VPC. + +These types of Terraform resources are supported: +* [Security group](https://www.terraform.io/docs/providers/alicloud/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/alicloud/r/network_interface.html) +* [EIP](https://www.terraform.io/docs/providers/alicloud/r/eip.html) - conditional creation +* [Route_entry](https://www.terraform.io/docs/providers/alicloud/r/route_entry.html) - Internal default route: conditional creation +* [Instance](https://www.terraform.io/docs/providers/alicloud/r/instance.html) - Gateway Instances +* [RAM Role](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_role) + +## Note +- Make sure your region and zone are supporting the gateway instance types in **modules/common/instance_type/main.tf** + [Alicloud Instance_By_Region](https://ecs-buy.aliyun.com/instanceTypes/?spm=a2c63.p38356.879954.139.1eeb2d44eZQw2m#/instanceTypeByRegion) + +## Configuration + +- Due to a terraform limitation, apply command is: +``` +terraform apply -target=alicloud_route_table.private_vswitch_rt -auto-approve && terraform apply +``` +>Once terraform is updated, we will update accordingly. 
+ +- Best practice is to configure credentials in the Environment variables - [Alicloud provider](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs) +``` +Configure environment variables in Linux: + +$ export ALICLOUD_ACCESS_KEY=anaccesskey +$ export ALICLOUD_SECRET_KEY=asecretkey +$ export ALICLOUD_REGION=cn-beijing + +Configure envrionment variables in Windows: + set ALICLOUD_ACCESS_KEY=anaccesskey + set ALICLOUD_SECRET_KEY=asecretkey + set ALICLOUD_REGION=cn-beijing + +``` + +## Usage +- Fill all variables in the cluster-master/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + terraform init +- Create an execution plan: + terraform plan -target=alicloud_route_table.private_vswitch_rt -auto-approve && terraform plan +- Create or modify the deployment: + terraform apply -target=alicloud_route_table.private_vswitch_rt -auto-approve && terraform apply + +### terraform.tfvars variables: + +| Name | Description | Type | Allowed values | Default | Required | +|----------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------|----------| +| vpc_name | (Optional) The name of the VPC | string | n/a | "cp-vpc" | no | +| vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | +| cluster_vswitchs_map | A map of pairs {availability-zone = vswitch-suffix-number}. Each entry creates a vswitch. Minimum 1 pair. (e.g. 
{\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | +| management_vswitchs_map | A map of pairs {availability-zone = vswitch-suffix-number}. Each entry creates a vswitch. Minimum 1 pair. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | +| private_vswitchs_map | A map of pairs {availability-zone = vswitch-suffix-number}. Each entry creates a vswitch. Minimum 1 pair. (e.g. {\"us-east-1a\" = 2} ) | map | n/a | n/a | yes | +| vswitchs_bit_length | Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a vswitchs_bit_length value of 4, the resulting vswitch address will have length /20. | number | n/a | n/a | yes | +| gateway_name | (optional) The name tag of the Cluster's Security Gateway instances | string | n/a | "Check-Point-Cluster-tf" | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - ecs.g5ne.large
- ecs.g5ne.xlarge
- ecs.g5ne.2xlarge
- ecs.g5ne.4xlarge
- ecs.g5ne.8xlarge
- ecs.g7ne.large
- ecs.g7ne.xlarge
- ecs.g7ne.2xlarge
- ecs.g7ne.4xlarge
- ecs.g7ne.8xlarge | "ecs.g5ne.xlarge" | no | +| key_name | The ECS Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| allocate_and_associate_eip | If set to TRUE, an elastic IP will be allocated and associated with each cluster member, in addition to the cluster Elastic IP | bool | true/false | true | no | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| disk_category | The ECS disk category | string | - cloud
- cloud_efficiency
- cloud_ssd,
- cloud_essd | "cloud_efficiency" | no | +| ram_role_name | A predefined RAM role name to attach to the cluster's security gateway instances | string | n/a | "" | no | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway ECS Instances | map(string) | n/a | {} | no | +| gateway_version | Gateway version and license | string | - R81-BYOL
- R81.10-BYOL
- R81.20-BYOL | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration. | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | "/etc/cli.sh" | no | +| gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | n/a | yes | +| gateway_password_hash | (optional) Admin user's password hash (use command \"openssl passwd -6 PASSWORD\" to get the PASSWORD's hash) | string | n/a | "" | no | +| memberAToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| memberBToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| management_ip_address | (Optional) The Security Management IP address (public or private IP address). If provided, a static-route [management_ip --> via eth1] will be added to the Cluster's Security Gateway instances. If not provided, the static-route will need to be added manually post-deployment by user | string | n/a | "" | no | +| resources_tag_name | (optional) Name tag prefix of the resources | string | n/a | "" | no | +| gateway_hostname | (optional) The host name will be appended with member-a/b accordingly. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point | bool | n/a | true | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (optional) | string | n/a | "ntp1.cloud.aliyuncs.com" | no | +| secondary_ntp | (optional) | string | n/a | "ntp2.cloud.aliyuncs.com" | no | + +## Example for terraform.tfvars + +``` +// --- VPC Network Configuration --- +vpc_name = "cp-vpc" +vpc_cidr = "10.0.0.0/16" +cluster_vswitchs_map = { + "us-east-1a" = 1 +} +management_vswitchs_map = { + "us-east-1a" = 2 +} +private_vswitchs_map = { + "us-east-1a" = 3 +} +vswitchs_bit_length = 8 + +// --- ECS Instance Configuration --- +gateway_name = "Check-Point-Cluster-tf" +gateway_instance_type = "ecs.g5ne.large" +key_name = "publickey" +allocate_and_associate_eip = true +volume_size = 100 +disk_category = "cloud_efficiency" +ram_role_name = "" +instance_tags = { + key1 = "value1" + key2 = "value2" +} + +// --- Check Point Settings --- +gateway_version = "R81.20-BYOL" +admin_shell = "/etc/cli.sh" +gateway_SICKey = "12345678" +gateway_password_hash = "" + +// --- Quick connect to Smart-1 Cloud (Recommended) --- +memberAToken = "" +memberBToken = "" + +// --- Advanced Settings --- +management_ip_address = "1.2.3.4" +resources_tag_name = "tag-name" +gateway_hostname = "gw-hostname" +allow_upload_download = true +gateway_bootstrap_script = "" +primary_ntp = "ntp1.cloud.aliyuncs.com" +secondary_ntp = "ntp2.cloud.aliyuncs.com" +``` +## Conditional creation +- To create an Elastic IP for each Cluster member and associate it to the Security Gateway instances: +``` +allocate_and_associate_eip = true +``` +- To create a cluster RAM role for your Cluster instances with the required permissions for Cluster behavior, leave the ram_role_name variable empty: +``` +ram_role_name = "" +``` + +## Outputs +| Name | Description | +|----------------------------------|------------------------------------------------| 
+| vpc_id | The id of the deployed vpc | +| internal_rt_id | The internal route table id id | +| vpc_cluster_vswitchs_ids_list | A list of the cluster vswitchs ids | +| vpc_management_vswitchs_ids_list | A list of the management vswitchs ids | +| vpc_private_vswitchs_ids_list | A list of the private vswitchs ids | +| image_id | The image id of the deployed Security Gateways | +| cluster_primary_EIP | Cluster Primary EIP | +| cluster_secondary_EIP | Cluster secondary EIP | +| member_a_EIP | Member A instance EIP | +| member_b_EIP | Member B instance EIP | +| member_a_instance_id | Member A instance id | +| member_b_instance_id | Member B instance id | +| member_a_instance_name | Member A instance name | +| member_b_instance_name | Member B instance name | +| permissive_sg_id | The permissive security group id | +| permissive_sg_name | The permissive security group name | + +## Revision History + +| Template Version | Description | +|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 20230830 | Change default Check Point version to R81.20 | +| 20230615 | - Improved userdata quality and stability by moving to cloud-config
- Define default primary and secondary NTP servers
- Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230420 | Change alicloud terraform provider version to 1.203.0 | +| 20230330 | - Added support of ECS disk category.
- Stability fixes. | +| 20230329 | First release of R81.20 & R81.10 CloudGuard Gateway Terraform deployment in Alibaba Cloud and added support for g7ne instance type. | +| 20211011 | First release of Check Point CloudGuard Cluster Terraform deployment into a new VPC in Alibaba cloud. | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../../LICENSE) file for details diff --git a/terraform/alicloud/cluster-master/locals.tf b/terraform/alicloud/cluster-master/locals.tf new file mode 100755 index 00000000..58775cec --- /dev/null +++ b/terraform/alicloud/cluster-master/locals.tf 
@@ -0,0 +1,28 @@
+locals {
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"]
+ // Will fail if var.admin_shell is invalid
+ validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell)
+
+ regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SIC_Key is invalid
+ regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters"
+
+ is_both_tokens_used = length(var.memberAToken) > 0 == length(var.memberBToken) > 0
+ validation_message_both = "Smart-1 Cloud Tokens for member A and member B can not be empty."
+ //Will fail if var.memberAToken is empty and var.memberBToken isn't and vice versa
+ regex_s1c_validate = regex("^$", (local.is_both_tokens_used ? "" : local.validation_message_both))
+
+ is_tokens_used = length(var.memberAToken) > 0
+ is_both_tokens_the_same = var.memberAToken == var.memberBToken
+ validation_message_unique = "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+ //Will fail if both s1c tokens are the same
+ regex_s1c_unique = local.is_tokens_used ? regex("^$", (local.is_both_tokens_the_same ? local.validation_message_unique : "")) : ""
+
+ regex_valid_gateway_hostname = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.gateway_hostname is invalid
+ regex_gateway_hostname = regex(local.regex_valid_gateway_hostname, var.gateway_hostname) == var.gateway_hostname ? 0 : "Variable [gateway_hostname] must be a valid hostname label or an empty string"
+}
\ No newline at end of file
diff --git a/terraform/alicloud/cluster-master/main.tf b/terraform/alicloud/cluster-master/main.tf
new file mode 100755
index 00000000..41bb165d
--- /dev/null
+++ b/terraform/alicloud/cluster-master/main.tf
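Review bot: The `regex(...) == var.x ? 0 : "message"` ternaries on `regex_gateway_sic_result` and `regex_gateway_hostname` never abort a plan on their own: a local may hold a string, so when the comparison is false the friendly message is simply stored, and the only thing that actually stops the run is regex() raising its generic "pattern did not match" error. Since versions.tf in this commit requires Terraform >= 0.14.3, these checks fit better as variable validation blocks, e.g. `validation { condition = can(regex("^[a-zA-Z0-9]{8,}$", var.gateway_SICKey)); error_message = "gateway_SICKey must be at least 8 alphanumeric characters." }`, which surface the intended message. The same applies to `regex_s1c_validate` and `regex_s1c_unique`, which rely on `regex("^$", message)` failing to match.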
@@ -0,0 +1,53 @@ +// --- VPC --- +module "launch_vpc" { + source = "../modules/vpc" + + vpc_name = var.vpc_name + vpc_cidr = var.vpc_cidr + public_vswitchs_map = var.cluster_vswitchs_map + management_vswitchs_map = var.management_vswitchs_map + private_vswitchs_map = var.private_vswitchs_map + vswitchs_bit_length = var.vswitchs_bit_length +} + +resource "alicloud_route_table" "private_vswitch_rt" { + depends_on = [module.launch_vpc] + route_table_name = "Internal_Route_Table" + vpc_id = module.launch_vpc.vpc_id +} +resource "alicloud_route_table_attachment" "private_rt_to_private_vswitchs" { + depends_on = [module.launch_vpc, alicloud_route_table.private_vswitch_rt] + route_table_id = alicloud_route_table.private_vswitch_rt.id + vswitch_id = module.launch_vpc.private_vswitchs_ids_list[0] +} + +module "launch_cluster_into_vpc" { + source = "../cluster" + + vpc_id = module.launch_vpc.vpc_id + cluster_vswitch_id = module.launch_vpc.public_vswitchs_ids_list[0] + mgmt_vswitch_id = module.launch_vpc.management_vswitchs_ids_list[0] + private_vswitch_id = module.launch_vpc.private_vswitchs_ids_list[0] + private_route_table = alicloud_route_table.private_vswitch_rt.id + gateway_name = var.gateway_name + gateway_instance_type = var.gateway_instance_type + key_name = var.key_name + allocate_and_associate_eip = var.allocate_and_associate_eip + volume_size = var.volume_size + disk_category = var.disk_category + ram_role_name = var.ram_role_name + instance_tags = var.instance_tags + gateway_version = var.gateway_version + admin_shell = var.admin_shell + gateway_SICKey = var.gateway_SICKey + gateway_password_hash = var.gateway_password_hash + management_ip_address = var.management_ip_address + memberAToken = var.memberAToken + memberBToken = var.memberBToken + resources_tag_name = var.resources_tag_name + gateway_hostname = var.gateway_hostname + allow_upload_download = var.allow_upload_download + gateway_bootstrap_script = var.gateway_bootstrap_script + primary_ntp = 
var.primary_ntp + secondary_ntp = var.secondary_ntp +} \ No newline at end of file diff --git a/terraform/alicloud/cluster-master/output.tf b/terraform/alicloud/cluster-master/output.tf new file mode 100755 index 00000000..25347ba0 --- /dev/null +++ b/terraform/alicloud/cluster-master/output.tf @@ -0,0 +1,48 @@ +output "vpc_id" { + value = module.launch_vpc.vpc_id +} +output "internal_rt_id" { + value = alicloud_route_table.private_vswitch_rt.id +} +output "vpc_cluster_vswitchs_ids_list" { + value = module.launch_vpc.public_vswitchs_ids_list +} +output "vpc_management_vswitchs_ids_list" { + value = module.launch_vpc.management_vswitchs_ids_list +} +output "vpc_private_vswitchs_ids_list" { + value = module.launch_vpc.private_vswitchs_ids_list +} +output "image_id" { + value = module.launch_cluster_into_vpc.image_id +} +output "cluster_primary_EIP" { + value = module.launch_cluster_into_vpc.cluster_primary_EIP +} +output "cluster_secondary_EIP" { + value = module.launch_cluster_into_vpc.cluster_secondary_EIP +} +output "member_a_EIP" { + value = module.launch_cluster_into_vpc.member_a_EIP +} +output "member_b_EIP" { + value = module.launch_cluster_into_vpc.member_b_EIP +} +output "member_a_instance_id" { + value = module.launch_cluster_into_vpc.member_a_instance_id +} +output "member_b_instance_id" { + value = module.launch_cluster_into_vpc.member_b_instance_id +} +output "member_a_instance_name" { + value = module.launch_cluster_into_vpc.member_a_instance_name +} +output "member_b_instance_name" { + value = module.launch_cluster_into_vpc.member_b_instance_name +} +output "permissive_sg_id" { + value = module.launch_cluster_into_vpc.permissive_sg_id +} +output "permissive_sg_name" { + value = module.launch_cluster_into_vpc.permissive_sg_name +} \ No newline at end of file diff --git a/terraform/alicloud/cluster-master/terraform.tfvars b/terraform/alicloud/cluster-master/terraform.tfvars new file mode 100755 index 00000000..42dd5743 --- /dev/null 
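Review bot: `alicloud_route_table_attachment.private_rt_to_private_vswitchs` attaches the internal route table only to `module.launch_vpc.private_vswitchs_ids_list[0]`, while `private_vswitchs_map` is documented in variables.tf as creating one vswitch per map entry; any additional private vswitch is presumably left on the VPC's system route table, so its traffic is not forced through the cluster's default route. Either iterate, `count = length(module.launch_vpc.private_vswitchs_ids_list)` with `vswitch_id = module.launch_vpc.private_vswitchs_ids_list[count.index]`, or say in the variable description that only the first entry is wired. The `launch_cluster_into_vpc` module call likewise consumes only index 0 of each vswitch list.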
+++ b/terraform/alicloud/cluster-master/terraform.tfvars @@ -0,0 +1,47 @@ +//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + +// --- VPC Network Configuration --- +vpc_name = "cp-vpc" +vpc_cidr = "10.0.0.0/16" +cluster_vswitchs_map = { + "us-east-1a" = 1 +} +management_vswitchs_map = { + "us-east-1a" = 2 +} +private_vswitchs_map = { + "us-east-1a" = 3 +} +vswitchs_bit_length = 8 + +// --- ECS Instance Configuration --- +gateway_name = "Check-Point-Cluster-tf" +gateway_instance_type = "ecs.g5ne.large" +key_name = "publickey" +allocate_and_associate_eip = true +volume_size = 100 +disk_category = "cloud_efficiency" +ram_role_name = "" +instance_tags = { + key1 = "value1" + key2 = "value2" +} + +// --- Check Point Settings --- +gateway_version = "R81.20-BYOL" +admin_shell = "/etc/cli.sh" +gateway_SICKey = "12345678" +gateway_password_hash = "" + +// --- Quick connect to Smart-1 Cloud (Recommended) --- +memberAToken = "" +memberBToken = "" + +// --- Advanced Settings --- +management_ip_address = "1.2.3.4" +resources_tag_name = "tag-name" +gateway_hostname = "gw-hostname" +allow_upload_download = true +gateway_bootstrap_script = "" +primary_ntp = "ntp1.cloud.aliyuncs.com" +secondary_ntp = "ntp2.cloud.aliyuncs.com" diff --git a/terraform/alicloud/cluster-master/variables.tf b/terraform/alicloud/cluster-master/variables.tf new file mode 100755 index 00000000..c20366aa --- /dev/null +++ b/terraform/alicloud/cluster-master/variables.tf 
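Review bot: The committed `terraform.tfvars` ships `gateway_SICKey = "12345678"`, which satisfies the `^[a-zA-Z0-9]{8,}$` check in locals.tf, so a copy-and-apply deployment establishes SIC trust with a guessable key and no error. A placeholder that fails validation, `gateway_SICKey = ""` with the comment `// set to a random string of at least 8 alphanumeric characters`, forces the operator to pick one; keeping filled-in tfvars out of the repository via `.gitignore` is the usual complement. `management_ip_address = "1.2.3.4"` is a real routable address that becomes a static route on both members if left unchanged, so the example should make clear it is a placeholder.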
@@ -0,0 +1,150 @@ +// --- VPC Network Configuration --- +variable "vpc_name" { + type = string + description = "The name of the VPC" + default = "cp-vpc" +} +variable "vpc_cidr" { + type = string + description = "The CIDR block of the VPC" + default = "10.0.0.0/16" +} +variable "cluster_vswitchs_map" { + type = map(string) + description = "A map of pairs {availability-zone = vswitch-suffix-number}. Each entry creates a vswitch. Minimum 1 pair. (e.g. {\"us-east-1a\" = 1} ) " +} +variable "management_vswitchs_map" { + type = map(string) + description = "A map of pairs {availability-zone = vswitch-suffix-number}. Each entry creates a vswitch. Minimum 1 pair. (e.g. {\"us-east-1a\" = 2} ) " +} +variable "private_vswitchs_map" { + type = map(string) + description = "A map of pairs {availability-zone = vswitch-suffix-number}. Each entry creates a vswitch. Minimum 1 pair. (e.g. {\"us-east-1a\" = 2} ) " +} +variable "vswitchs_bit_length" { + type = number + description = "Number of additional bits with which to extend the vpc cidr. 
For example, if given a vpc_cidr ending in /16 and a vswitchs_bit_length value is 4, the resulting vswitch address will have length /20" +} + +// --- ECS Instance Configuration --- +variable "gateway_name" { + type = string + description = "(Optional) The name tag of the Cluster's Security Gateway instances" + default = "Check-Point-Cluster-tf" +} +variable "gateway_instance_type" { + type = string + description = "The instance type of the Security Gateways" +default = "ecs.g5ne.xlarge" +} +module "validate_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "gateway" + instance_type = var.gateway_instance_type +} +variable "key_name" { + type = string + description = "The ECS Key Pair name to allow SSH access to the instances" +} +variable "allocate_and_associate_eip" { + type = bool + description = "If set to TRUE, an elastic IP will be allocated and associated with each cluster member, in addition to the cluster Elastic IP" +default = true +} +variable "volume_size" { + type = number + description = "Root volume size (GB) - minimum 100" +default = 100 +} +variable "disk_category" { + type = string + description = "(Optional) Category of the ECS disk" + default = "cloud_efficiency" +} +variable "ram_role_name" { + type = string + description = "A predefined RAM role name to attach to the cluster's security gateway instances" + default = "" +} +resource "null_resource" "volume_size_too_small" { + // Volume Size validation - resource will not be created if the volume size is smaller than 100 + count = var.volume_size >= 100 ? 0 : "volume_size must be at least 100" +} +variable "instance_tags" { + type = map(string) + description = "(Optional) A map of tags as key=value pairs. 
All tags will be added to the Gateway ECS Instances" +default = {} +} + +// --- Check Point Settings --- +variable "gateway_version" { + type = string + description = "Gateway version and license" + default = "R81.20-BYOL" +} +module "validate_gateway_version" { + source = "../modules/common/version_license" + + chkp_type = "gateway" + version_license = var.gateway_version +} +variable "admin_shell" { + type = string + description = "Set the admin shell to enable advanced command line configuration" +default = "/etc/cli.sh" +} +variable "gateway_SICKey" { + type = string + description = "The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters" +} +variable "gateway_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command \"openssl passwd -6 PASSWORD\" to get the PASSWORD's hash)" +default = "" +} +// --- Quick connect to Smart-1 Cloud (Recommended) --- +variable "memberAToken" { + type = string + description = "Follow the instructions in sk180501 to quickly connect this Single AZ Cluster to Smart-1 Cloud." +} +variable "memberBToken" { + type = string + description = "Follow the instructions in sk180501 to quickly connect this Single AZ Cluster to Smart-1 Cloud." +} +// --- Advanced Settings --- +variable "management_ip_address" { + type = string + description = "(Optional) The Security Management IP address (public or private IP address). If provided, a static-route [management_ip --> via eth1] will be added to the Cluster's Security Gateway instances. 
If not provided, the static-route will need to be added manually post-deployment by user" + default = "" +} +variable "resources_tag_name" { + type = string + description = "(Optional) Name tag prefix of the resources" + default = "" +} +variable "gateway_hostname" { + type = string + description = "(Optional) The host name will be appended with member-a/b accordingly" + default = "" +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" +default = true +} +variable "gateway_bootstrap_script" { + type = string + description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot" + default = "" +} +variable "primary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol primary server" + default = "" +} +variable "secondary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server" + default = "" +} \ No newline at end of file diff --git a/terraform/alicloud/cluster-master/versions.tf b/terraform/alicloud/cluster-master/versions.tf new file mode 100755 index 00000000..71e9843e --- /dev/null +++ b/terraform/alicloud/cluster-master/versions.tf @@ -0,0 +1,9 @@ +terraform { + required_version = ">= 0.14.3" + required_providers { + alicloud = { + source = "hashicorp/alicloud" + version = "1.203.0" + } + } +} diff --git a/terraform/alicloud/cluster/README.md b/terraform/alicloud/cluster/README.md new file mode 100755 index 00000000..a703b75c --- /dev/null +++ b/terraform/alicloud/cluster/README.md 
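Review bot: `gateway_SICKey`, `gateway_password_hash`, `memberAToken` and `memberBToken` are declared without `sensitive = true`, so their values print in plan/apply output and CI logs whenever they change; Terraform >= 0.14 (the floor set in versions.tf) supports the flag, and adding `sensitive = true` to each of the four variable blocks redacts them from CLI output (the values still land in state, which must be protected separately). `memberAToken` and `memberBToken` also have no `default`, although the README in this commit documents `""`, so a tfvars that omits them prompts interactively instead of deploying without Smart-1 Cloud; `default = ""` matches both the documentation and the `length(...) > 0` handling in locals.tf. The `primary_ntp`/`secondary_ntp` defaults (`""`) likewise disagree with the README's `ntp1/ntp2.cloud.aliyuncs.com`.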
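Review bot: versions.tf pins `source = "hashicorp/alicloud"` while the README in this commit links the provider at registry.terraform.io/providers/aliyun/alicloud; if the hashicorp namespace is only a legacy redirect for this provider, resolution depends on the registry keeping that alias. Pinning `source = "aliyun/alicloud"` matches the documented provider and removes the indirection; the exact `version = "1.203.0"` pin is fine for reproducibility.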
@@ -0,0 +1,158 @@ +# Check Point CloudGuard Network Security Cluster Terraform module for AliCloud + +Terraform module which deploys a Check Point CloudGuard Network Security Cluster into an existing VPC. + +These types of Terraform resources are supported: +* [Security group](https://www.terraform.io/docs/providers/alicloud/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/alicloud/r/network_interface.html) +* [EIP](https://www.terraform.io/docs/providers/alicloud/r/eip.html) - conditional creation +* [Route_entry](https://www.terraform.io/docs/providers/alicloud/r/route_entry.html) - Internal default route: conditional creation +* [Instance](https://www.terraform.io/docs/providers/alicloud/r/instance.html) - Gateway Instances +* [RAM Role](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_role) + +## Note +- Make sure your region and zone are supporting the gateway instance types in **modules/common/instance_type/main.tf** + [Alicloud Instance_By_Region](https://ecs-buy.aliyun.com/instanceTypes/?spm=a2c63.p38356.879954.139.1eeb2d44eZQw2m#/instanceTypeByRegion) + +## Configuration +- Best practice is to configure credentials in the Environment variables - [Alicloud provider](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs) +``` +Configure environment variables in Linux: + +$ export ALICLOUD_ACCESS_KEY=anaccesskey +$ export ALICLOUD_SECRET_KEY=asecretkey +$ export ALICLOUD_REGION=cn-beijing + +Configure envrionment variables in Windows: + set ALICLOUD_ACCESS_KEY=anaccesskey + set ALICLOUD_SECRET_KEY=asecretkey + set ALICLOUD_REGION=cn-beijing + +``` + +## Usage +- Fill all variables in the cluster/**terraform.tfvars** file with proper values (see below for variables descriptions). 
+- From a command line initialize the Terraform configuration directory: + terraform init +- Create an execution plan: + terraform plan +- Create or modify the deployment: + terraform apply + + +### terraform.tfvars variables: +| Name | Description | Type | Allowed values | Default | Required | +|----------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------|----------| +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| cluster_vswitch_id | The cluster vswitch of the security gateways | string | Subnet in the same availability zone with mgmt_vswitch_id and private_vswitch_id | n/a | yes | +| mgmt_vswitch_id | The management vswitch of the security gateways Connect the Security Gateways to the Management Server with the ENI in this vswitch. | string | Subnet in the same availability zone with cluster_vswitch_id and private_vswitch_id | n/a | yes | +| private_vswitch_id | The private vswitch of the security gateways | string | Subnet in the same availability zone with cluster_vswitch_id and mgmt_vswitch_id | n/a | yes | +| private_route_table | (optional) Sets '0.0.0.0/0' route to the Active Cluster member instance in the specified route table (e.g. vtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route. If empty - traffic will not be routed through the Security Gateway, this requires manual configuration in the Route Table. 
| string | n/a | "" | no | +| gateway_name | (optional) The name tag of the Cluster's Security Gateway instances | string | n/a | "Check-Point-Cluster-tf" | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - ecs.g5ne.large
- ecs.g5ne.xlarge
- ecs.g5ne.2xlarge
- ecs.g5ne.4xlarge
- ecs.g5ne.8xlarge
- ecs.g7ne.large
- ecs.g7ne.xlarge
- ecs.g7ne.2xlarge
- ecs.g7ne.4xlarge
- ecs.g7ne.8xlarge | "ecs.g5ne.xlarge" | no | +| key_name | The ECS Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| allocate_and_associate_eip | If set to TRUE, an elastic IP will be allocated and associated with each cluster member, in addition to the cluster Elastic IP | bool | true/false | true | no | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| disk_category | The ECS disk category | string | - cloud
- cloud_efficiency
- cloud_ssd,
- cloud_essd | "cloud_efficiency" | no | +| ram_role_name | A predefined RAM role name to attach to the cluster's security gateway instances | string | n/a | "" | no | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway ECS Instances | map(string) | n/a | {} | no | +| gateway_version | Gateway version and license | string | - R81-BYOL
- R81.10-BYOL
- R81.20-BYOL | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration. | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | "/etc/cli.sh" | no | +| gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | n/a | yes | +| gateway_password_hash | (optional) Admin user's password hash (use command \"openssl passwd -6 PASSWORD\" to get the PASSWORD's hash) | string | n/a | "" | no | +| memberAToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| memberBToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| management_ip_address | (Optional) The Security Management IP address (public or private IP address). If provided, a static-route [management_ip --> via eth1] will be added to the Cluster's Security Gateway instances. If not provided, the static-route will need to be added manually post-deployment by user | string | n/a | "" | no | +| resources_tag_name | (optional) Name tag prefix of the resources | string | n/a | "" | no | +| gateway_hostname | (optional) The host name will be appended with member-a/b accordingly | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point | bool | n/a | true | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (optional) | string | n/a | "ntp1.cloud.aliyuncs.com" | no | +| secondary_ntp | (optional) | string | n/a | "ntp2.cloud.aliyuncs.com" | no | + +## Example for terraform.tfvars +``` +// --- VPC Network Configuration --- +vpc_id = "vpc-" +cluster_vswitch_id = "vsw-" +mgmt_vswitch_id = "vsw-" +private_vswitch_id = "vsw-" +private_route_table = "vtb-" + +// --- ECS Instance Configuration --- +gateway_name = "Check-Point-Cluster-tf" +gateway_instance_type = "ecs.g5ne.xlarge" +key_name = "publickey" +allocate_and_associate_eip = true +volume_size = 100 +disk_category = "cloud_efficiency" +ram_role_name = "" +instance_tags = { + key1 = "value1" + key2 = "value2" +} + +// --- Check Point Settings --- +gateway_version = "R81.20-BYOL" +admin_shell = "/etc/cli.sh" +gateway_SICKey = "12345678" +gateway_password_hash = "" + +// --- Quick connect to Smart-1 Cloud (Recommended) --- +memberAToken = "" +memberBToken = "" + +// --- Advanced Settings --- +management_ip_address = "1.2.3.4" +resources_tag_name = "tag-name" +gateway_hostname = "gw-hostname" +allow_upload_download = true +gateway_bootstrap_script = "" +primary_ntp = "ntp1.cloud.aliyuncs.com" +secondary_ntp = "ntp2.cloud.aliyuncs.com" +``` + +## Conditional creation +- To create an Elastic IP for each Cluster member and associate it to the Security Gateway instances: +``` +allocate_and_associate_eip = true +``` +- To create a default route to the Active Cluster member, fill the private_route_table variable: +``` +private_route_table = "rtb-12345678" +``` +- To create a cluster RAM role for your Cluster instances with the required permissions for Cluster behavior, leave the ram_role_name variable empty: +``` +ram_role_name = "" +``` + +## Outputs +| Name | Description | 
+|------------------------|------------------------------------------------| +| cluster_primary_EIP | Cluster Primary EIP | +| cluster_secondary_EIP | Cluster secondary EIP | +| image_id | The image id of the deployed Security Gateways | +| member_a_EIP | Member A instance EIP | +| member_b_EIP | Member B instance EIP | +| member_a_instance_id | Member A instance id | +| member_b_instance_id | Member B instance id | +| member_a_instance_name | Member A instance name | +| member_b_instance_name | Member B instance name | +| permissive_sg_id | The permissive security group id | +| permissive_sg_name | The permissive security group name | + +## Revision History + +| Template Version | Description | +|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 20230830 | Change default Check Point version to R81.20 | +| 20230615 | - Improved userdata quality and stability by moving to cloud-config
- Define default primary and secondary NTP servers
- Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230420 | Change alicloud terraform provider version to 1.203.0 | +| 20230330 | - Added support of ECS disk category.
- Stability fixes. | +| 20230329 | First release of R81.20 & R81.10 CloudGuard Gateway Terraform deployment in Alibaba Cloud and added support for g7ne instance type. | +| 20211011 | First release of Check Point CloudGuard Cluster Terraform deployment into an existing VPC in Alibaba cloud. | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../../LICENSE) file for details \ No newline at end of file diff --git a/terraform/alicloud/cluster/cluster_member_a_userdata.yaml b/terraform/alicloud/cluster/cluster_member_a_userdata.yaml new file mode 100644 index 00000000..534d8e42 --- /dev/null +++ b/terraform/alicloud/cluster/cluster_member_a_userdata.yaml @@ -0,0 +1,4 @@ +#cloud-config +runcmd: + - | + python3 /etc/cloud_config.py managementIpAddress=\"${ManagementIpAddress}\" sicKey=\"${SICKey}\" installationType=\"cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20230830\" templateName=\"cluster\" templateType=\"terraform\" shell=\"${Shell}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" "smart1CloudToken=\"${TokenA}\"" bootstrapScript64=\"${GatewayBootstrapScript}\" \ No newline at end of file diff --git a/terraform/alicloud/cluster/cluster_member_b_userdata.yaml b/terraform/alicloud/cluster/cluster_member_b_userdata.yaml new file mode 100644 index 00000000..43c69a99 --- /dev/null +++ b/terraform/alicloud/cluster/cluster_member_b_userdata.yaml 
@@ -0,0 +1,4 @@
+#cloud-config
+runcmd:
+ - |
+ python3 /etc/cloud_config.py managementIpAddress=\"${ManagementIpAddress}\" sicKey=\"${SICKey}\" installationType=\"cluster\" osVersion=\"{OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20230830\" templateName=\"cluster\" templateType=\"terraform\" shell=\"${Shell}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" "smart1CloudToken=\"${TokenB}\"" bootstrapScript64=\"${GatewayBootstrapScript}\"
\ No newline at end of file
diff --git a/terraform/alicloud/cluster/locals.tf b/terraform/alicloud/cluster/locals.tf
new file mode 100755
index 00000000..89314651
--- /dev/null
+++ b/terraform/alicloud/cluster/locals.tf
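Review bot: `osVersion=\"{OsVersion}\"` is missing the `$`, so templatefile leaves the literal text `{OsVersion}` in member B's user-data while member A's template renders `${OsVersion}` correctly; whatever /etc/cloud_config.py does with that value, the two cluster members boot with different inputs. Fix: `osVersion=\"${OsVersion}\"`. The `${Hostname }` interpolation carries a stray space that HCL tolerates, but `${Hostname}` keeps the two templates identical apart from `TokenA`/`TokenB`.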
@@ -0,0 +1,46 @@ +locals { + admin_shell_allowed_values = [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh"] + // Will fail if var.admin_shell is invalid + validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell) + + regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$" + // Will fail if var.gateway_SIC_Key is invalid + regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters" + + regex_token_valid = "(^https://(.+).checkpoint.com/app/maas/api/v1/tenant(.+)|^$)" + //TokenA: will fail if decode token should contain https:// and .checkpoint.com/app/maas/api/v1/tenant or empty string + split_tokenA = split(" ", var.memberAToken) + tokenA_decode = base64decode(element(local.split_tokenA, length(local.split_tokenA)-1)) + regex_tokenA = regex(local.regex_token_valid, local.tokenA_decode) == local.tokenA_decode ? 0 : "Smart-1 Cloud token A is invalid format" + + //TokenB: will fail if decode token should contain https:// and .checkpoint.com/app/maas/api/v1/tenant or empty string + split_tokenB = split(" ", var.memberBToken) + tokenB_decode = base64decode(element(local.split_tokenB, length(local.split_tokenB)-1)) + regex_tokenB = regex(local.regex_token_valid, local.tokenB_decode) == local.tokenB_decode ? 0 : "Smart-1 Cloud token B is invalid format" + + is_both_tokens_used = length(var.memberAToken) > 0 == length(var.memberBToken) > 0 + validation_message_both = "Smart-1 Cloud Tokens for member A and member B can not be empty." + //Will fail if var.memberAToken is empty and var.memberBToken isn't and vice versa + regex_s1c_validate = regex("^$", (local.is_both_tokens_used ? 
"" : local.validation_message_both)) + + is_tokens_used = length(var.memberAToken) > 0 + is_both_tokens_the_same = var.memberAToken == var.memberBToken + validation_message_unique = "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + //Will fail if both s1c tokens are the same + regex_s1c_unique = local.is_tokens_used ? regex("^$", (local.is_both_tokens_the_same ? local.validation_message_unique : "")) : "" + + regex_valid_gateway_hostname = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$" + // Will fail if var.gateway_hostname is invalid + regex_gateway_hostname = regex(local.regex_valid_gateway_hostname, var.gateway_hostname) == var.gateway_hostname ? 0 : "Variable [gateway_hostname] must be a valid hostname label or an empty string" + + // Create RAM Role only if input variable ram_role_name was not provided + create_ram_role = var.ram_role_name == "" ? 1 : 0 + version_split = element(split("-", var.gateway_version), 0) + gateway_bootstrap_script64 = base64encode(var.gateway_bootstrap_script) + gateway_SICkey_base64 = base64encode(var.gateway_SICKey) + gateway_password_hash_base64 = base64encode(var.gateway_password_hash) +} \ No newline at end of file diff --git a/terraform/alicloud/cluster/main.tf b/terraform/alicloud/cluster/main.tf new file mode 100755 index 00000000..5fa001d6 --- /dev/null +++ b/terraform/alicloud/cluster/main.tf 
@@ -0,0 +1,178 @@ +module "images" { + source = "../modules/images" + + version_license = var.gateway_version + chkp_type = "gateway" +} + +module "common_permissive_sg" { + source = "../modules/common/permissive_sg" + + vpc_id = var.vpc_id + resources_tag_name = var.resources_tag_name + gateway_name = var.gateway_name +} + +// Instances +resource "alicloud_instance" "member-a-instance" { + instance_name = format("%s-Member-A", var.gateway_name) + instance_type = var.gateway_instance_type + key_name = var.key_name + image_id = module.images.image_id + vswitch_id = var.cluster_vswitch_id + security_groups = [ + module.common_permissive_sg.permissive_sg_id] + system_disk_size = var.volume_size + system_disk_category = var.disk_category + + tags = merge({ + Name = format("%s-Member-A", var.gateway_name) + }, var.instance_tags) + + user_data = templatefile("${path.module}/cluster_member_a_userdata.yaml", { + // script's arguments + Hostname = format("%s-member-a", var.gateway_hostname), + PasswordHash = local.gateway_password_hash_base64, + AllowUploadDownload = var.allow_upload_download, + NTPPrimary = var.primary_ntp, + NTPSecondary = var.secondary_ntp, + Shell = var.admin_shell, + GatewayBootstrapScript = local.gateway_bootstrap_script64, + SICKey = local.gateway_SICkey_base64, + TokenA = var.memberAToken, + ManagementIpAddress = var.management_ip_address, + OsVersion = local.version_split + }) +} +resource "alicloud_instance" "member-b-instance" { + instance_name = format("%s-Member-B", var.gateway_name) + instance_type = var.gateway_instance_type + key_name = var.key_name + image_id = module.images.image_id + vswitch_id = var.cluster_vswitch_id + security_groups = [ + module.common_permissive_sg.permissive_sg_id] + system_disk_size = var.volume_size + system_disk_category = var.disk_category + + tags = merge({ + Name = format("%s-Member-B", var.gateway_name) + }, var.instance_tags) + + user_data = templatefile("${path.module}/cluster_member_b_userdata.yaml", { + 
// script's arguments + Hostname = format("%s-member-b", var.gateway_hostname), + PasswordHash = local.gateway_password_hash_base64, + AllowUploadDownload = var.allow_upload_download, + NTPPrimary = var.primary_ntp, + NTPSecondary = var.secondary_ntp, + Shell = var.admin_shell, + GatewayBootstrapScript = local.gateway_bootstrap_script64, + SICKey = local.gateway_SICkey_base64, + TokenB = var.memberBToken, + ManagementIpAddress = var.management_ip_address, + OsVersion = local.version_split + }) +} + +// Management ENIs +resource "alicloud_network_interface" "member_a_mgmt_eni" { + network_interface_name = format("%s-Member-A-management-eni", var.resources_tag_name != "" ? var.resources_tag_name : var.gateway_name) + vswitch_id = var.mgmt_vswitch_id + security_group_ids = [ + module.common_permissive_sg.permissive_sg_id] + description = "eth2" +} +resource "alicloud_network_interface_attachment" "member_a_mgmt_eni_attachment" { + instance_id = alicloud_instance.member-a-instance.id + network_interface_id = alicloud_network_interface.member_a_mgmt_eni.id +} +resource "alicloud_network_interface" "member_b_mgmt_eni" { + network_interface_name = format("%s-Member-B-management-eni", var.resources_tag_name != "" ? var.resources_tag_name : var.gateway_name) + vswitch_id = var.mgmt_vswitch_id + security_group_ids = [ + module.common_permissive_sg.permissive_sg_id] + description = "eth2" +} +resource "alicloud_network_interface_attachment" "member_b_mgmt_eni_attachment" { + instance_id = alicloud_instance.member-b-instance.id + network_interface_id = alicloud_network_interface.member_b_mgmt_eni.id +} + +// Internal ENIs +resource "alicloud_network_interface" "member_a_internal_eni" { + depends_on = [alicloud_network_interface_attachment.member_a_mgmt_eni_attachment] + network_interface_name = format("%s-Member-A-internal-eni", var.resources_tag_name != "" ? 
var.resources_tag_name : var.gateway_name) + vswitch_id = var.private_vswitch_id + security_group_ids = [ + module.common_permissive_sg.permissive_sg_id] + description = "eth2" +} +resource "alicloud_network_interface_attachment" "member_a_internal_eni_attachment" { + instance_id = alicloud_instance.member-a-instance.id + network_interface_id = alicloud_network_interface.member_a_internal_eni.id +} +resource "alicloud_network_interface" "member_b_internal_eni" { + depends_on = [alicloud_network_interface_attachment.member_b_mgmt_eni_attachment] + network_interface_name = format("%s-Member-B-internal-eni", var.resources_tag_name != "" ? var.resources_tag_name : var.gateway_name) + vswitch_id = var.private_vswitch_id + security_group_ids = [ + module.common_permissive_sg.permissive_sg_id] + description = "eth2" +} +resource "alicloud_network_interface_attachment" "member_b_internal_eni_attachment" { + instance_id = alicloud_instance.member-b-instance.id + network_interface_id = alicloud_network_interface.member_b_internal_eni.id +} + +// EIPs +module "common_cluster_primary_eip" { + source = "../modules/common/elastic_ip" + + allocate_and_associate_eip = true + instance_id = alicloud_instance.member-a-instance.id + eip_name = format("%s-cluster-primary-eip", var.resources_tag_name != "" ? var.resources_tag_name : var.gateway_name) +} +module "common_cluster_secondary_eip" { + source = "../modules/common/elastic_ip" + + allocate_and_associate_eip = true + instance_id = alicloud_instance.member-b-instance.id + eip_name = format("%s-cluster-secondary-eip", var.resources_tag_name != "" ? var.resources_tag_name : var.gateway_name) +} +module "common_member_a_mgmt_eip" { + source = "../modules/common/elastic_ip" + + allocate_and_associate_eip = var.allocate_and_associate_eip + instance_id = alicloud_network_interface.member_a_mgmt_eni.id + association_instance_type = "NetworkInterface" + eip_name = format("%s-member-A-eip", var.resources_tag_name != "" ? 
var.resources_tag_name : var.gateway_name) +} +module "common_member_b_mgmt_eip" { + source = "../modules/common/elastic_ip" + + allocate_and_associate_eip = var.allocate_and_associate_eip + instance_id = alicloud_network_interface.member_b_mgmt_eni.id + association_instance_type = "NetworkInterface" + eip_name = format("%s-member-B-eip", var.resources_tag_name != "" ? var.resources_tag_name : var.gateway_name) +} + +module "common_internal_default_route" { + source = "../modules/common/internal_default_route" + + private_route_table = var.private_route_table + internal_eni_id = alicloud_network_interface.member_a_internal_eni.id +} + +module "cluster_ram_role" { + count = local.create_ram_role + source = "../modules/cluster-ram-role" + + gateway_name = var.gateway_name +} + +resource "alicloud_ram_role_attachment" "attach" { + depends_on = [alicloud_instance.member-a-instance, alicloud_instance.member-b-instance] + role_name = var.ram_role_name != "" ? var.ram_role_name : module.cluster_ram_role[0].cluster_ram_role_name + instance_ids = [alicloud_instance.member-a-instance.id, alicloud_instance.member-b-instance.id] +} diff --git a/terraform/alicloud/cluster/output.tf b/terraform/alicloud/cluster/output.tf new file mode 100755 index 00000000..623cca8f --- /dev/null +++ b/terraform/alicloud/cluster/output.tf 
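Review bot: All six ENIs, including the two management ENIs that receive public EIPs by default (`allocate_and_associate_eip` defaults to true in variables.tf), are placed in the single `module.common_permissive_sg` group. The module body is outside this diff, but its name suggests wide-open ingress, which would expose the members' management plane (SSH, Gaia portal) to the internet from first boot until a policy is installed; consider a separate management security group restricted to an `admin_cidr`-style input, or at minimum state in the README that the instances are reachable before policy install. Separately, the management ENIs are created with `description = "eth2"`, the same value as the internal ENIs, while the `management_ip_address` description says the management route goes via eth1; worth confirming which interface name the bootstrap expects.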
@@ -0,0 +1,33 @@
+output "cluster_primary_EIP" {
+ value = module.common_cluster_primary_eip.instance_eip_public_ip[0]
+}
+output "cluster_secondary_EIP" {
+ value = module.common_cluster_secondary_eip.instance_eip_public_ip[0]
+}
+output "image_id" {
+ value = module.images.image_id
+}
+output "member_a_EIP" {
+ value = module.common_member_a_mgmt_eip.instance_eip_public_ip[0]
+}
+output "member_b_EIP" {
+ value = module.common_member_b_mgmt_eip.instance_eip_public_ip[0]
+}
+output "member_a_instance_id" {
+ value = alicloud_instance.member-a-instance.id
+}
+output "member_b_instance_id" {
+ value = alicloud_instance.member-b-instance.id
+}
+output "member_a_instance_name" {
+ value = alicloud_instance.member-a-instance.instance_name
+}
+output "member_b_instance_name" {
+ value = alicloud_instance.member-b-instance.instance_name
+}
+output "permissive_sg_id" {
+ value = module.common_permissive_sg.permissive_sg_id
+}
+output "permissive_sg_name" {
+ value = module.common_permissive_sg.permissive_sg_name
+}
\ No newline at end of file
diff --git a/terraform/alicloud/cluster/terraform.tfvars b/terraform/alicloud/cluster/terraform.tfvars
new file mode 100755
index 00000000..35d0209a
--- /dev/null
+++ b/terraform/alicloud/cluster/terraform.tfvars
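Review bot: `member_a_EIP` and `member_b_EIP` index `instance_eip_public_ip[0]` unconditionally, yet the two management EIP modules in main.tf are created with `allocate_and_associate_eip = var.allocate_and_associate_eip`; if the module returns an empty list when allocation is disabled (its source is outside this diff), `terraform apply` with `allocate_and_associate_eip = false` fails with an invalid-index error on these outputs. Guard them, e.g. `value = try(module.common_member_a_mgmt_eip.instance_eip_public_ip[0], null)`, so the variable's documented false setting actually works.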
@@ -0,0 +1,40 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_id = "vpc-"
+cluster_vswitch_id = "vsw-"
+mgmt_vswitch_id = "vsw-"
+private_vswitch_id = "vsw-"
+private_route_table = "vtb-"
+
+// --- ECS Instance Configuration ---
+gateway_name = "Check-Point-Cluster-tf"
+gateway_instance_type = "ecs.g5ne.xlarge"
+key_name = "publickey"
+allocate_and_associate_eip = true
+volume_size = 100
+disk_category = "cloud_efficiency"
+ram_role_name = ""
+instance_tags = {
+ key1 = "value1"
+ key2 = "value2"
+}
+
+// --- Check Point Settings ---
+gateway_version = "R81.20-BYOL"
+admin_shell = "/etc/cli.sh"
+gateway_SICKey = "12345678"
+gateway_password_hash = ""
+
+// --- Quick connect to Smart-1 Cloud (Recommended) ---
+memberAToken = ""
+memberBToken = ""
+
+// --- Advanced Settings ---
+management_ip_address = "1.2.3.4"
+resources_tag_name = "tag-name"
+gateway_hostname = "gw-hostname"
+allow_upload_download = true
+gateway_bootstrap_script = ""
+primary_ntp = "ntp1.cloud.aliyuncs.com"
+secondary_ntp = "ntp2.cloud.aliyuncs.com"
\ No newline at end of file
diff --git a/terraform/alicloud/cluster/variables.tf b/terraform/alicloud/cluster/variables.tf
new file mode 100755
index 00000000..51042420
--- /dev/null
+++ b/terraform/alicloud/cluster/variables.tf
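Review bot: The sample `gateway_SICKey = "12345678"` is the weakest value the `^[a-zA-Z0-9]{8,}$` check in locals.tf accepts, and a committed terraform.tfvars is exactly the file users copy and forget to edit; ship it as `gateway_SICKey = ""` with a `// supply via TF_VAR_gateway_SICKey` comment so that applying without a real key fails validation instead of establishing trust with a guessable one-time secret. The same applies to `memberAToken`/`memberBToken` and `gateway_password_hash`: values in tfvars and in state are plaintext, so the README should tell users to pass them via `TF_VAR_*` or an untracked var-file and to protect the state backend.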
@@ -0,0 +1,144 @@ +// --- VPC Network Configuration --- +variable "vpc_id" { + type = string +} +variable "cluster_vswitch_id" { + type = string + description = "The cluster vswitch of the security gateways" +} +variable "mgmt_vswitch_id" { + type = string + description = "The management vswitch of the security gateways" +} +variable "private_vswitch_id" { + type = string + description = "The private vswitch of the security gateways" +} +variable "private_route_table" { + type = string + description = "(Optional) Sets '0.0.0.0/0' route to the Active Cluster member instance in the specified route table (e.g. vtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route. If empty - traffic will not be routed through the Security Gateway, this requires manual configuration in the Route Table" + default="" +} + +// --- ECS Instance Configuration --- +variable "gateway_name" { + type = string + description = "(Optional) The name tag of the Cluster's Security Gateway instances" + default = "Check-Point-Cluster-tf" +} +variable "gateway_instance_type" { + type = string + description = "The instance type of the Security Gateways" + default = "ecs.g5ne.xlarge" +} +module "validate_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "gateway" + instance_type = var.gateway_instance_type +} +variable "key_name" { + type = string + description = "The ECS Key Pair name to allow SSH access to the instances" +} +variable "allocate_and_associate_eip" { + type = bool + description = "If set to TRUE, an elastic IP will be allocated and associated with each cluster member, in addition to the cluster Elastic IP" + default = true +} +variable "volume_size" { + type = number + description = "Root volume size (GB) - minimum 100" + default = 100 +} +variable "disk_category" { + type = string + description = "(Optional) Category of the ECS disk" + default = "cloud_efficiency" +} +variable "ram_role_name" { + type = string + description = "A predefined RAM role 
name to attach to the cluster's security gateway instances" + default = "" +} +resource "null_resource" "volume_size_too_small" { + // Volume Size validation - resource will not be created if the volume size is smaller than 100 + count = var.volume_size >= 100 ? 0 : "volume_size must be at least 100" +} +variable "instance_tags" { + type = map(string) + description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Gateway ECS Instances" + default = {} +} + +// --- Check Point Settings --- +variable "gateway_version" { + type = string + description = "Gateway version and license" + default = "R81.20-BYOL" +} +module "validate_gateway_version" { + source = "../modules/common/version_license" + + chkp_type = "gateway" + version_license = var.gateway_version +} +variable "admin_shell" { + type = string + description = "Set the admin shell to enable advanced command line configuration" + default = "/etc/cli.sh" +} +variable "gateway_SICKey" { + type = string + description = "The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters" +} +variable "gateway_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command \"openssl passwd -6 PASSWORD\" to get the PASSWORD's hash)" + default = "" +} +// --- Quick connect to Smart-1 Cloud (Recommended) --- +variable "memberAToken" { + type = string + description = "Follow the instructions in sk180501 to quickly connect this Single AZ Cluster to Smart-1 Cloud." +} +variable "memberBToken" { + type = string + description = "Follow the instructions in sk180501 to quickly connect this Single AZ Cluster to Smart-1 Cloud." +} +// --- Advanced Settings --- +variable "management_ip_address" { + type = string + description = "(Optional) The Security Management IP address (public or private IP address). 
If provided, a static-route [management_ip --> via eth1] will be added to the Cluster's Security Gateway instances. If not provided, the static-route will need to be added manually post-deployment by user" + default = "" +} +variable "resources_tag_name" { + type = string + description = "(Optional) Name tag prefix of the resources" + default = "" +} +variable "gateway_hostname" { + type = string + description = "(Optional) The host name will be appended with member-a/b accordingly" + default = "" +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + default = true +} +variable "gateway_bootstrap_script" { + type = string + description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot" + default = "" +} +variable "primary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol primary server" + default = "" +} +variable "secondary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server" + default = "" +} \ No newline at end of file diff --git a/terraform/alicloud/cluster/versions.tf b/terraform/alicloud/cluster/versions.tf new file mode 100755 index 00000000..71e9843e --- /dev/null +++ b/terraform/alicloud/cluster/versions.tf @@ -0,0 +1,9 @@ +terraform { + required_version = ">= 0.14.3" + required_providers { + alicloud = { + source = "hashicorp/alicloud" + version = "1.203.0" + } + } +} diff --git a/terraform/alicloud/gateway-master/README.md b/terraform/alicloud/gateway-master/README.md new file mode 100755 index 00000000..301c12a6 --- /dev/null +++ b/terraform/alicloud/gateway-master/README.md 
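Review bot: `gateway_SICKey`, `gateway_password_hash`, `memberAToken` and `memberBToken` are secrets but are declared without `sensitive = true`, so their values, and the rendered user-data derived from them, are printed in `terraform plan`/`apply` output and CI logs; `sensitive` is available at the required Terraform >= 0.14.3, so add `sensitive = true` to each of the four declarations. `memberAToken`/`memberBToken` also have no `default`, which makes them required inputs even though locals.tf accepts empty strings and the README calls them "Recommended"; add `default = ""`. The `null_resource` count trick for `volume_size` would read better as a `validation` block on the variable for the same reason.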
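Review bot: `source = "hashicorp/alicloud"` pins a different registry namespace from the provider the README links (`aliyun/alicloud`), so `terraform init` either resolves through a registry alias or, if that alias is ever retired, fails. I have not verified which namespace the registry currently serves for this provider, but pinning the vendor's namespace, `source = "aliyun/alicloud"`, gives the exact `1.203.0` version you already pin a single explicit origin; confirm before changing.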
@@ -0,0 +1,155 @@ +# Check Point Gateway Master Terraform module for AliCloud + +Terraform module which deploys a Check Point Security Gateway into a new VPC on AliCloud. + +These types of Terraform resources are supported: +* [Security group](https://www.terraform.io/docs/providers/alicloud/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/alicloud/r/network_interface.html) +* [EIP](https://www.terraform.io/docs/providers/alicloud/r/eip.html) - conditional creation +* [Route_entry](https://www.terraform.io/docs/providers/alicloud/r/route_entry.html) - Internal default route: conditional creation +* [Instance](https://www.terraform.io/docs/providers/alicloud/r/instance.html) - Gateway Instance + +## Note +- Make sure your region and zone are supporting the gateway instance types in **modules/common/instance_type/main.tf** + [Alicloud Instance_By_Region](https://ecs-buy.aliyun.com/instanceTypes/?spm=a2c63.p38356.879954.139.1eeb2d44eZQw2m#/instanceTypeByRegion) + +## Configuration + +- Due to a terraform limitation, apply command is: +``` +terraform apply -target=alicloud_route_table.private_vswitch_rt -auto-approve && terraform apply +``` +>Once terraform is updated, we will update accordingly. + +- Best practice is to configure credentials in the Environment variables - [Alicloud provider](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs) +``` +Configure environment variables in Linux: + +$ export ALICLOUD_ACCESS_KEY=anaccesskey +$ export ALICLOUD_SECRET_KEY=asecretkey +$ export ALICLOUD_REGION=cn-beijing + +Configure envrionment variables in Windows: + set ALICLOUD_ACCESS_KEY=anaccesskey + set ALICLOUD_SECRET_KEY=asecretkey + set ALICLOUD_REGION=cn-beijing + +``` + +## Usage +- Fill all variables in the gateway-master/**terraform.tfvars** file with proper values (see below for variables descriptions). 
+- From a command line initialize the Terraform configuration directory: + terraform init +- Create an execution plan: + terraform plan -target=alicloud_route_table.private_vswitch_rt -auto-approve && terraform plan +- Create or modify the deployment: + terraform apply -target=alicloud_route_table.private_vswitch_rt -auto-approve && terraform apply + +### terraform.tfvars variables: + +| Name | Description | Type | Allowed values | Default | Required | +|----------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------|----------| +| vpc_name | (Optional) The name of the VPC | string | n/a | "cp-vpc" | no | +| vpc_cidr | The CIDR block of the VPC. | string | n/a | n/a | yes | +| public_vswitchs_map | A map of pairs {availability-zone = vswitch-suffix-number}. Each entry creates a vswitch. Minimum 1 pair. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | +| private_vswitchs_map | A map of pairs {availability-zone = vswitch-suffix-number}. Each entry creates a vswitch. Minimum 1 pair. (e.g. {\"us-east-1a\" = 2} ) | map | n/a | n/a | yes | +| vswitchs_bit_length | Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a vswitchs_bit_length value of 4, the resulting vswitch address will have length /20. 
| number | n/a | n/a | yes | +| gateway_name | The name tag of the Security Gateway instances (optional) | string | n/a | "Check-Point-Gateway-tf" | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - ecs.g5ne.large
- ecs.g5ne.xlarge
- ecs.g5ne.2xlarge
- ecs.g5ne.4xlarge
- ecs.g5ne.8xlarge
- ecs.g7ne.large
- ecs.g7ne.xlarge
- ecs.g7ne.2xlarge
- ecs.g7ne.4xlarge
- ecs.g7ne.8xlarge
- ecs.g7nene.large
- ecs.g7nene.xlarge
- ecs.g7nene.2xlarge
- ecs.g7nene.4xlarge
- ecs.g7nene.8xlarge | "ecs.g5ne.xlarge" | no | +| key_name | The ECS Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| allocate_and_associate_eip | If set to TRUE, an elastic IP will be allocated and associated with the launched instance | bool | true/false | true | no | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| disk_category | The ECS disk category | string | - cloud
- cloud_efficiency
- cloud_ssd,
- cloud_essd | "cloud_efficiency" | no | +| ram_role_name | A predefined RAM role name to attach to the security gateway instance | string | n/a | "" | no | +| gateway_version | Gateway version and license | string | - R81-BYOL
- R81.10-BYOL
- R81.20-BYOL | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration. | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | "/etc/cli.sh" | no | +| gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | n/a | yes | +| password_hash | Admin user's password hash (use command \"openssl passwd -6 PASSWORD\" to get the PASSWORD's hash) (optional) | string | n/a | "" | no | +| gateway_TokenKey | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| resources_tag_name | (optional) | string | n/a | "" | no | +| gateway_hostname | (optional) The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | n/a | true | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (optional) | string | n/a | "ntp1.cloud.aliyuncs.com" | no | +| secondary_ntp | (optional) | string | n/a | "ntp2.cloud.aliyuncs.com" | no | + +## Example for terraform.tfvars + +``` +// --- VPC Network Configuration --- +vpc_name = "cp-vpc" +vpc_cidr = "10.0.0.0/16" +public_vswitchs_map = { + "us-east-1a" = 1 +} +private_vswitchs_map = { + "us-east-1a" = 2 +} +vswitchs_bit_length = 8 + +// --- ECS Instance Configuration --- +gateway_name = "Check-Point-Gateway-tf" +gateway_instance_type = "ecs.g5ne.xlarge" +key_name = "publickey" +allocate_and_associate_eip = true +volume_size = 100 +disk_category = "cloud_efficiency" +ram_role_name = "" +instance_tags = { + key1 = "value1" + key2 = "value2" +} + +// --- Check Point Settings --- +gateway_version = "R81.20-BYOL" +admin_shell = "/etc/cli.sh" 
+gateway_SICKey = "12345678" +gateway_password_hash = "" + +// --- Quick connect to Smart-1 Cloud (Recommended) --- +gateway_TokenKey = "" + +// --- Advanced Settings --- +resources_tag_name = "tag-name" +gateway_hostname = "gw-hostname" +allow_upload_download = true +gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/testfile.txt" +primary_ntp = "ntp1.cloud.aliyuncs.com" +secondary_ntp = "ntp2.cloud.aliyuncs.com" +``` +## Conditional creation +- To create an Elastic IP and associate it to the Gateway instance: +``` +allocate_and_associate_eip = true +``` + +## Outputs +| Name | Description | +|-------------------------------|---------------------------------------------| +| vpc_id | The id of the deployed vpc | +| internal_rt_id | The internal route table id id | +| vpc_public_vswitchs_ids_list | A list of the private vswitchs ids | +| vpc_private_vswitchs_ids_list | A list of the private vswitchs ids | +| image_id | The ami id of the deployed Security Gateway | +| permissive_sg_id | The permissive security group id | +| permissive_sg_name | The permissive security group id name | +| gateway_eip_id | The id of the elastic IP | +| gateway_eip_public_ip | The elastic pubic IP | +| gateway_instance_id | The Security Gateway instance id | +| gateway_instance_name | The deployed Gateway AliCloud instance name | + +## Revision History + +| Template Version | Description | +|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 20230830 | Change default Check Point version to R81.20 | +| 20230615 | - Improved userdata quality and stability by moving to cloud-config
- Define default primary and secondary NTP servers
- Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230420 | Change alicloud terraform provider version to 1.203.0 | +| 20230330 | - Added support of ECS disk category.
- Stability fixes. | +| 20230329 | First release of R81.20 & R81.10 CloudGuard Gateway Terraform deployment in Alibaba Cloud and added support for g7ne instance type. | +| 20211011 | First release of Check Point CloudGuard Gateway Terraform deployment into a new VPC in Alibaba cloud. | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../../LICENSE) file for details \ No newline at end of file diff --git a/terraform/alicloud/gateway-master/locals.tf b/terraform/alicloud/gateway-master/locals.tf new file mode 100755 index 00000000..706b0458 --- /dev/null +++ b/terraform/alicloud/gateway-master/locals.tf @@ -0,0 +1,17 @@ +locals { + admin_shell_allowed_values = [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh"] + // Will fail if var.admin_shell is invalid + validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell) + + regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$" + // Will fail if var.gateway_SIC_Key is invalid + regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters" + + regex_valid_gateway_hostname = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$" + // Will fail if var.gateway_hostname is invalid + regex_gateway_hostname = regex(local.regex_valid_gateway_hostname, var.gateway_hostname) == var.gateway_hostname ? 0 : "Variable [gateway_hostname] must be a valid hostname label or an empty string" +} \ No newline at end of file diff --git a/terraform/alicloud/gateway-master/main.tf b/terraform/alicloud/gateway-master/main.tf new file mode 100755 index 00000000..d2c35c1f --- /dev/null +++ b/terraform/alicloud/gateway-master/main.tf 
@@ -0,0 +1,49 @@ +// --- VPC --- +module "launch_vpc" { + source = "../modules/vpc" + + vpc_name = var.vpc_name + vpc_cidr = var.vpc_cidr + public_vswitchs_map = var.public_vswitchs_map + private_vswitchs_map = var.private_vswitchs_map + vswitchs_bit_length = var.vswitchs_bit_length +} + +resource "alicloud_route_table" "private_vswitch_rt" { + depends_on = [module.launch_vpc] + route_table_name = "Internal_Route_Table" + vpc_id = module.launch_vpc.vpc_id +} +resource "alicloud_route_table_attachment" "private_rt_to_private_vswitchs" { + depends_on = [module.launch_vpc, alicloud_route_table.private_vswitch_rt] + route_table_id = alicloud_route_table.private_vswitch_rt.id + vswitch_id = module.launch_vpc.private_vswitchs_ids_list[0] +} + +module "launch_gateway_into_vpc" { + source = "../gateway" + + vpc_id = module.launch_vpc.vpc_id + public_vswitch_id = module.launch_vpc.public_vswitchs_ids_list[0] + private_vswitch_id = module.launch_vpc.private_vswitchs_ids_list[0] + private_route_table = alicloud_route_table.private_vswitch_rt.id + resources_tag_name = var.resources_tag_name + gateway_name = var.gateway_name + gateway_instance_type = var.gateway_instance_type + key_name = var.key_name + allocate_and_associate_eip = var.allocate_and_associate_eip + volume_size = var.volume_size + disk_category = var.disk_category + ram_role_name = var.ram_role_name + instance_tags = var.instance_tags + gateway_version = var.gateway_version + admin_shell = var.admin_shell + gateway_SICKey = var.gateway_SICKey + gateway_password_hash = var.gateway_password_hash + gateway_TokenKey = var.gateway_TokenKey + gateway_hostname = var.gateway_hostname + allow_upload_download = var.allow_upload_download + gateway_bootstrap_script = var.gateway_bootstrap_script + primary_ntp = var.primary_ntp + secondary_ntp = var.secondary_ntp +} \ No newline at end of file 
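Review bot: The internal route table is attached to `module.launch_vpc.private_vswitchs_ids_list[0]` only, and the gateway's private leg is likewise `private_vswitchs_ids_list[0]`, yet `private_vswitchs_map` is documented as creating one vswitch per entry. With more than one entry the additional private vswitches keep the VPC's default route table and their egress bypasses the gateway's default route entirely, a silent security gap rather than an error. Either attach the table to every private vswitch, e.g. `for_each = toset(module.launch_vpc.private_vswitchs_ids_list)` with `vswitch_id = each.value`, or validate that the map has exactly one entry and say so in the README. The README's `-target ... -auto-approve` pre-step also applies this resource without plan review; if it exists because of the attachment dependency, it is worth noting so that users do not generalise the pattern.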
diff --git a/terraform/alicloud/gateway-master/output.tf b/terraform/alicloud/gateway-master/output.tf
new file mode 100755
index 00000000..ed33d983
--- /dev/null
+++ b/terraform/alicloud/gateway-master/output.tf
@@ -0,0 +1,33 @@
+output "vpc_id" {
+ value = module.launch_vpc.vpc_id
+}
+output "internal_rt_id" {
+ value = alicloud_route_table.private_vswitch_rt.id
+}
+output "vpc_public_vswitchs_ids_list" {
+ value = module.launch_vpc.public_vswitchs_ids_list
+}
+output "vpc_private_vswitchs_ids_list" {
+ value = module.launch_vpc.private_vswitchs_ids_list
+}
+output "image_id" {
+ value = module.launch_gateway_into_vpc.image_id
+}
+output "permissive_sg_id" {
+ value = module.launch_gateway_into_vpc.permissive_sg_id
+}
+output "permissive_sg_name" {
+ value = module.launch_gateway_into_vpc.permissive_sg_name
+}
+output "gateway_eip_id" {
+ value = module.launch_gateway_into_vpc.gateway_eip_id
+}
+output "gateway_eip_public_ip" {
+ value = module.launch_gateway_into_vpc.gateway_eip_public_ip
+}
+output "gateway_instance_id" {
+ value = module.launch_gateway_into_vpc.gateway_instance_id
+}
+output "gateway_instance_name" {
+ value = module.launch_gateway_into_vpc.gateway_instance_name
+}
\ No newline at end of file
diff --git a/terraform/alicloud/gateway-master/terraform.tfvars b/terraform/alicloud/gateway-master/terraform.tfvars
new file mode 100755
index 00000000..c43d3d8d
--- /dev/null
+++ b/terraform/alicloud/gateway-master/terraform.tfvars
@@ -0,0 +1,42 @@ +//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + +// --- VPC Network Configuration --- +vpc_name = "cp-vpc" +vpc_cidr = "10.0.0.0/16" +public_vswitchs_map = { + "us-east-1a" = 1 +} +private_vswitchs_map = { + "us-east-1a" = 2 +} +vswitchs_bit_length = 8 + +// --- ECS Instance Configuration --- +gateway_name = "Check-Point-Gateway-tf" +gateway_instance_type = "ecs.g5ne.xlarge" +key_name = "publickey" +allocate_and_associate_eip = true +volume_size = 100 +disk_category = "cloud_efficiency" +ram_role_name = "" +instance_tags = { + key1 = "value1" + key2 = "value2" +} + +// --- Check Point Settings --- +gateway_version = "R81.20-BYOL" +admin_shell = "/etc/cli.sh" +gateway_SICKey = "12345678" +gateway_password_hash = "" + +// --- Quick connect to Smart-1 Cloud (Recommended) --- +gateway_TokenKey = "" + +// --- Advanced Settings --- +resources_tag_name = "tag-name" +gateway_hostname = "gw-hostname" +allow_upload_download = true +gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/testfile.txt" +primary_ntp = "ntp1.cloud.aliyuncs.com" +secondary_ntp = "ntp2.cloud.aliyuncs.com" diff --git a/terraform/alicloud/gateway-master/variables.tf b/terraform/alicloud/gateway-master/variables.tf new file mode 100755 index 00000000..68b88ac6 --- /dev/null +++ b/terraform/alicloud/gateway-master/variables.tf 
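Review bot: `gateway_SICKey = "12345678"` is a working sample value: it satisfies the `^[a-zA-Z0-9]{8,}$` check in the gateway module's locals.tf, so a deployment that copies this file unchanged comes up with a publicly known SIC key, and the same value is repeated in terraform/alicloud/gateway/terraform.tfvars and in both README examples. Shipping a value the validation rejects, e.g. `gateway_SICKey = "<SIC_KEY>" // replace: plan fails until an 8+ character alphanumeric key is set`, forces the operator to choose one. `gateway_password_hash` and `gateway_TokenKey` are collected in the same file; since `.tfvars` files are committed in this repository, the README should tell operators to keep populated copies out of version control or to supply these three values through `TF_VAR_*` environment variables. The `.gitignore` added by this commit is outside this hunk, so whether it already excludes populated tfvars files could not be confirmed.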
@@ -0,0 +1,140 @@ +// --- VPC Network Configuration --- +variable "vpc_name" { + type = string + description = "The name of the VPC" + default = "cp-vpc" +} +variable "vpc_cidr" { + type = string + description = "The CIDR block of the VPC" + default = "10.0.0.0/16" +} +variable "public_vswitchs_map" { + type = map(string) + description = "A map of pairs {availability-zone = vswitch-suffix-number}. Each entry creates a vswitch. Minimum 1 pair. (e.g. {\"us-east-1a\" = 1} ) " +} +variable "private_vswitchs_map" { + type = map(string) + description = "A map of pairs {availability-zone = vswitch-suffix-number}. Each entry creates a vswitch. Minimum 1 pair. (e.g. {\"us-east-1a\" = 2} ) " + +} +variable "vswitchs_bit_length" { + type = number + description = "Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a vswitchs_bit_length value is 4, the resulting vswitch address will have length /20" +} + +// --- ECS Instance Configuration --- +variable "gateway_name" { + type = string + description = "(Optional) The name tag of the Security Gateway instances" +default = "Check-Point-Gateway-tf" +} +variable "gateway_instance_type" { + type = string + description = "The instance type of the Secutiry Gateways" +default = "ecs.g5ne.xlarge" +} +module "validate_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "gateway" + instance_type = var.gateway_instance_type +} +variable "key_name" { + type = string + description = "The ECS Key Pair name to allow SSH access to the instance" +} +variable "allocate_and_associate_eip" { + type = bool + description = "If set to TRUE, an elastic IP will be allocated and associated with the launched instance" +default = true +} +variable "volume_size" { + type = number + description = "Root volume size (GB) - minimum 100" +default = 100 +} +variable "disk_category" { + type = string + description = "(Optional) Category of the ECS disk" + default = 
"cloud_efficiency" +} +variable "ram_role_name" { + type = string + description = "RAM role name to attach to the instance profile" + default = "" +} +resource "null_resource" "volume_size_too_small" { + // Volume Size validation - resource will not be created if the volume size is smaller than 100 + count = var.volume_size >= 100 ? 0 : "volume_size must be at least 100" +} +variable "instance_tags" { + type = map(string) + description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Gateway ECS Instance" +default = {} +} + +// --- Check Point Settings --- +variable "gateway_version" { + type = string + description = "Gateway version and license" + default = "R81.20-BYOL" +} +module "validate_gateway_version" { + source = "../modules/common/version_license" + + chkp_type = "gateway" + version_license = var.gateway_version +} +variable "admin_shell" { + type = string + description = "Set the admin shell to enable advanced command line configuration" +default = "/etc/cli.sh" +} +variable "gateway_SICKey" { + type = string + description = "The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters" +} +variable "gateway_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command \"openssl passwd -6 PASSWORD\" to get the PASSWORD's hash)" +default = "" +} + +// --- Quick connect to Smart-1 Cloud (Recommended) --- +variable "gateway_TokenKey" { + type = string + description = "Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud." 
+} + +// --- Advanced Settings --- +variable "resources_tag_name" { + type = string + description = "(Optional)" + default = "" +} +variable "gateway_hostname" { + type = string + description = "(Optional)" + default = "" +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" +default = true +} +variable "gateway_bootstrap_script" { + type = string + description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot" + default = "" +} +variable "primary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol primary server" + default = "" +} +variable "secondary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server" + default = "" +} \ No newline at end of file diff --git a/terraform/alicloud/gateway-master/versions.tf b/terraform/alicloud/gateway-master/versions.tf new file mode 100755 index 00000000..71e9843e --- /dev/null +++ b/terraform/alicloud/gateway-master/versions.tf @@ -0,0 +1,9 @@ +terraform { + required_version = ">= 0.14.3" + required_providers { + alicloud = { + source = "hashicorp/alicloud" + version = "1.203.0" + } + } +} diff --git a/terraform/alicloud/gateway/README.md b/terraform/alicloud/gateway/README.md new file mode 100755 index 00000000..db7c32e2 --- /dev/null +++ b/terraform/alicloud/gateway/README.md 
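Review bot: `gateway_SICKey`, `gateway_password_hash` and `gateway_TokenKey` are declared without `sensitive = true`, so their values are printed in plain text in plan/apply output and in any CI log that captures it; `required_version = ">= 0.14.3"` in versions.tf is recent enough for that argument. Add `sensitive = true` to each of the three blocks; terraform/alicloud/gateway/variables.tf declares the same three variables and needs the same change. `gateway_TokenKey` has no `default`, which makes it mandatory even though the README lists it as optional with default `""`; `default = ""` would match the documentation and the empty-string branch of the token regex in locals.tf. The `null_resource.volume_size_too_small` trick (a string placed in `count`) surfaces as a type-conversion error rather than its own text, so a `validation` block on `volume_size` is the form that actually reports the intended message.
```hcl
variable "volume_size" {
  type        = number
  description = "Root volume size (GB) - minimum 100"
  default     = 100

  validation {
    condition     = var.volume_size >= 100
    error_message = "The volume_size value must be at least 100."
  }
}
// … unchanged: other variable blocks; null_resource.volume_size_too_small removed …
```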
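Review bot: `source = "hashicorp/alicloud"` names a provider namespace the README in this commit does not use; the README links to `aliyun/alicloud`, which is the namespace the provider is published under, and the `hashicorp/` form presumably resolves only through the registry's legacy-namespace redirect. Writing `source = "aliyun/alicloud"` removes the dependence on that redirect; the same line appears in terraform/alicloud/gateway/versions.tf. The exact pin `version = "1.203.0"` is good, but no `.terraform.lock.hcl` is visible in this part of the commit, so the provider checksum is not recorded alongside the pin.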
@@ -0,0 +1,141 @@ +# Check Point Gateway Terraform module for AliCloud + +Terraform module which deploys a Check Point Security Gateway into an existing VPC. + +These types of Terraform resources are supported: +* [Security group](https://www.terraform.io/docs/providers/alicloud/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/alicloud/r/network_interface.html) +* [EIP](https://www.terraform.io/docs/providers/alicloud/r/eip.html) - conditional creation +* [Route_entry](https://www.terraform.io/docs/providers/alicloud/r/route_entry.html) - Internal default route: conditional creation +* [Instance](https://www.terraform.io/docs/providers/alicloud/r/instance.html) - Gateway Instance + +## Note +- Make sure your region and zone are supporting the gateway instance types in **modules/common/instance_type/main.tf** + [Alicloud Instance_By_Region](https://ecs-buy.aliyun.com/instanceTypes/?spm=a2c63.p38356.879954.139.1eeb2d44eZQw2m#/instanceTypeByRegion) + +## Configuration +- Best practice is to configure credentials in the Environment variables - [Alicloud provider](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs) +``` +Configure environment variables in Linux: + +$ export ALICLOUD_ACCESS_KEY=anaccesskey +$ export ALICLOUD_SECRET_KEY=asecretkey +$ export ALICLOUD_REGION=cn-beijing + +Configure envrionment variables in Windows: + set ALICLOUD_ACCESS_KEY=anaccesskey + set ALICLOUD_SECRET_KEY=asecretkey + set ALICLOUD_REGION=cn-beijing + +``` + +## Usage +- Fill all variables in the gateway/**terraform.tfvars** file with proper values (see below for variables descriptions). 
+- From a command line initialize the Terraform configuration directory: + terraform init +- Create an execution plan: + terraform plan +- Create or modify the deployment: + terraform apply + +### terraform.tfvars variables: +| Name | Description | Type | Allowed values | Default | Required | +|----------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------|----------| +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| vpc_cidr | The CIDR block of the provided VPC | string | n/a | n/a | yes | +| public_vswitch_id | The public vswitch of the security gateway | string | n/a | n/a | yes | +| private_vswitch_id | The private vswitch of the security gateway | string | n/a | n/a | yes | +| private_route_table | Sets '0.0.0.0/0' route to the Gateway instance in the specified route table (e.g. rtb-12a34567) | string | n/a | "" | no | +| gateway_name | The name tag of the Security Gateway instances (optional) | string | n/a | "Check-Point-Gateway-tf" | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - ecs.g5ne.large
- ecs.g5ne.xlarge
- ecs.g5ne.2xlarge
- ecs.g5ne.4xlarge
- ecs.g5ne.8xlarge
- ecs.g7ne.large
- ecs.g7ne.xlarge
- ecs.g7ne.2xlarge
- ecs.g7ne.4xlarge
- ecs.g7ne.8xlarge | "ecs.g5ne.xlarge" | no | +| key_name | The ECS Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| allocate_and_associate_eip | If set to TRUE, an elastic IP will be allocated and associated with the launched instance | bool | true/false | true | no | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| disk_category | The ECS disk category | string | - cloud
- cloud_efficiency
- cloud_ssd,
- cloud_essd | "cloud_efficiency" | no | +| ram_role_name | A predefined RAM role name to attach to the security gateway instance | string | n/a | "" | no | +| gateway_version | Gateway version and license | string | - R81-BYOL
- R81.10-BYOL
- R81.20-BYOL | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration. | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | "/etc/cli.sh" | no | +| gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | n/a | yes | +| password_hash | Admin user's password hash (use command \"openssl passwd -6 PASSWORD\" to get the PASSWORD's hash) (optional) | string | n/a | "" | no | +| gateway_TokenKey | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| resources_tag_name | (optional) | string | n/a | "" | no | +| gateway_hostname | (optional) The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | n/a | true | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (optional) | string | n/a | "ntp1.cloud.aliyuncs.com" | no | +| secondary_ntp | (optional) | string | n/a | "ntp2.cloud.aliyuncs.com" | no | + +## Example for terraform.tfvars +``` +// --- VPC Network Configuration --- +vpc_id = "vpc-" +public_vswitch_id = "vsw-" +private_vswitch_id = "vsw-" +private_route_table = "vtb-" + +// --- ECS Instance Configuration --- +gateway_name = "Check-Point-Gateway-tf" +gateway_instance_type = "ecs.g5ne.xlarge" +key_name = "publickey" +allocate_and_associate_eip = true +volume_size = 100 +disk_category = "cloud_efficiency" +ram_role_name = "" +instance_tags = { + key1 = "value1" + key2 = "value2" +} + +// --- Check Point Settings --- +gateway_version = "R81.20-BYOL" +admin_shell = "/etc/cli.sh" +gateway_SICKey = "12345678" +gateway_password_hash = "" + +// --- Quick 
connect to Smart-1 Cloud (Recommended) --- +gateway_TokenKey = "" + +// --- Advanced Settings --- +resources_tag_name = "tag-name" +gateway_hostname = "gw-hostname" +allow_upload_download = true +gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/testfile.txt" +primary_ntp = "ntp1.cloud.aliyuncs.com" +secondary_ntp = "ntp2.cloud.aliyuncs.com" +``` +## Conditional creation +- To create an Elastic IP and associate it to the Gateway instance: +``` +allocate_and_associate_eip = true +``` +- To create a default route at the private route table: +``` +private_route_table = "rtb-12345678" +``` + +## Outputs +| Name | Description | +|-----------------------|-----------------------------------------------| +| image_id | The image id of the deployed Security Gateway | +| permissive_sg_id | The permissive security group id | +| permissive_sg_name | The permissive security group id name | +| gateway_eip_id | The id of the elastic IP | +| gateway_eip_public_ip | The elastic pubic IP | +| gateway_instance_id | The Security Gateway instance id | +| gateway_instance_name | The deployed Gateway AliCloud instance name | + +## Revision History + +| Template Version | Description | +|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 20230830 | Change default Check Point version to R81.20 | +| 20230615 | - Improved userdata quality and stability by moving to cloud-config
- Define default primary and secondary NTP servers
- Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230420 | Change alicloud terraform provider version to 1.203.0 | +| 20230330 | - Added support of ECS disk category.
- Stability fixes. | +| 20230329 | First release of R81.20 & R81.10 CloudGuard Gateway Terraform deployment in Alibaba Cloud and added support for g7ne instance type. | +| 20211011 | First release of Check Point CloudGaurd Gateway Terraform deployment into an existing VPC in Alibaba cloud. | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../../LICENSE) file for details \ No newline at end of file diff --git a/terraform/alicloud/gateway/locals.tf b/terraform/alicloud/gateway/locals.tf new file mode 100755 index 00000000..7f880dea --- /dev/null +++ b/terraform/alicloud/gateway/locals.tf 
@@ -0,0 +1,23 @@
+locals {
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"]
+ // Will fail if var.admin_shell is invalid
+ validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell)
+
+ regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SIC_Key is invalid
+ regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters"
+
+ //will fail if decode token should contain https:// and .checkpoint.com/app/maas/api/v1/tenant or empty string
+ split_token = split(" ", var.gateway_TokenKey)
+ token_decode = base64decode(element(local.split_token, length(local.split_token)-1))
+ regex_token_valid = "(^https://(.+).checkpoint.com/app/maas/api/v1/tenant(.+)|^$)"
+ regex_token = regex(local.regex_token_valid, local.token_decode) == local.token_decode ? 0 : "Smart-1 Cloud token is invalid format"
+
+ regex_valid_gateway_hostname = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.gateway_hostname is invalid
+ regex_gateway_hostname = regex(local.regex_valid_gateway_hostname, var.gateway_hostname) == var.gateway_hostname ? 0 : "Variable [gateway_hostname] must be a valid hostname label or an empty string"
+}
\ No newline at end of file
diff --git a/terraform/alicloud/gateway/main.tf b/terraform/alicloud/gateway/main.tf
new file mode 100755
index 00000000..93bfb0c1
--- /dev/null
+++ b/terraform/alicloud/gateway/main.tf
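Review bot: The error string in `regex_gateway_sic_result` names `[gateway_SIC_Key]` but the variable declared in variables.tf is `gateway_SICKey` (the comment above it has the same mismatch), and in practice none of the three custom strings is ever shown: when an anchored pattern does not match, `regex()` itself aborts the plan with its generic no-match error before the conditional is evaluated, and when it does match the result equals the whole string and the `0` branch is taken. Moving these checks into `validation` blocks on the variables, with `condition = can(regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey))`, gives the operator the intended message. In `regex_token_valid` the dot before `checkpoint.com` is unescaped and `(.+)` is unanchored, so the check accepts any decoded string that merely contains `checkpoint.com/app/maas/api/v1/tenant`; `\\.checkpoint\\.com` plus a host-label class in place of the leading `(.+)` would tighten it, though this is an input-format sanity check rather than a trust boundary. `base64decode` likewise fails with its own error when the last space-separated field of the token is not valid base64; wrapping the decode in `can()` folds that case into the same message.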
@@ -0,0 +1,70 @@ +module "images" { + source = "../modules/images" + + version_license = var.gateway_version + chkp_type = "gateway" +} + +module "common_permissive_sg" { + source = "../modules/common/permissive_sg" + + vpc_id = var.vpc_id + resources_tag_name = var.resources_tag_name + gateway_name = var.gateway_name +} + +module "common_gateway_instance" { + source = "../modules/common/gateway_instance" + security_groups = [ + module.common_permissive_sg.permissive_sg_id] + gateway_name = var.gateway_name + volume_size = var.volume_size + disk_category = var.disk_category + vswitch_id = var.public_vswitch_id + gateway_instance_type = var.gateway_instance_type + instance_tags = var.instance_tags + key_name = var.key_name + image_id = module.images.image_id + gateway_password_hash = var.gateway_password_hash + admin_shell = var.admin_shell + gateway_SICKey = var.gateway_SICKey + gateway_TokenKey = var.gateway_TokenKey + gateway_bootstrap_script = var.gateway_bootstrap_script + gateway_hostname = var.gateway_hostname + allow_upload_download = var.allow_upload_download + primary_ntp = var.primary_ntp + secondary_ntp = var.secondary_ntp + gateway_version = var.gateway_version +} + +resource "alicloud_network_interface" "internal_eni" { + network_interface_name = format("%s-internal-eni", var.resources_tag_name != "" ? 
var.resources_tag_name : var.gateway_name) + vswitch_id = var.private_vswitch_id + security_group_ids = [ + module.common_permissive_sg.permissive_sg_id] + description = "eth1" +} + +resource "alicloud_network_interface_attachment" "internal_eni_attachment" { + instance_id = module.common_gateway_instance.gateway_instance_id + network_interface_id = alicloud_network_interface.internal_eni.id +} + +module "common_internal_default_route" { + source = "../modules/common/internal_default_route" + + private_route_table = var.private_route_table + internal_eni_id = alicloud_network_interface.internal_eni.id +} + +module "common_eip" { + source = "../modules/common/elastic_ip" + allocate_and_associate_eip = var.allocate_and_associate_eip + instance_id = module.common_gateway_instance.gateway_instance_id +} + +resource "alicloud_ram_role_attachment" "attach" { + count = var.ram_role_name != "" ? 1 : 0 + role_name = var.ram_role_name + instance_ids = [module.common_gateway_instance.gateway_instance_id] +} \ No newline at end of file diff --git a/terraform/alicloud/gateway/output.tf b/terraform/alicloud/gateway/output.tf new file mode 100755 index 00000000..7f2e85c1 --- /dev/null +++ b/terraform/alicloud/gateway/output.tf @@ -0,0 +1,21 @@ +output "image_id" { + value = module.images.image_id +} +output "permissive_sg_id" { + value = module.common_permissive_sg.permissive_sg_id +} +output "permissive_sg_name" { + value = module.common_permissive_sg.permissive_sg_name +} +output "gateway_eip_id" { + value = module.common_eip.instance_eip_id +} +output "gateway_eip_public_ip" { + value = module.common_eip.instance_eip_public_ip +} +output "gateway_instance_id" { + value = module.common_gateway_instance.gateway_instance_id +} +output "gateway_instance_name" { + value = module.common_gateway_instance.gateway_instance_name +} \ No newline at end of file 
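Review bot: Both the primary interface (through `module.common_gateway_instance`) and `internal_eni` receive only `module.common_permissive_sg.permissive_sg_id`; the rules live in ../modules/common/permissive_sg outside this hunk, but the name suggests an allow-all group, which would leave the instance's management ports reachable from the whole VPC and, once `module.common_eip` attaches the EIP, from the internet until the gateway's own policy is installed. If that is intentional because the gateway enforces its own access policy, say so in main.tf: `// The ECS security group is deliberately open; access control is the gateway's own policy (see modules/common/permissive_sg).` Otherwise a tighter second group on the public interface, or an `admin_cidr`-style input like the one the management module documents, would narrow the pre-policy exposure. `description = "eth1"` on `internal_eni` reads as an assumption about interface order inside the instance; a one-line comment stating that the secondary ENI must appear as eth1 to the gateway would help the next maintainer.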
diff --git a/terraform/alicloud/gateway/terraform.tfvars b/terraform/alicloud/gateway/terraform.tfvars new file mode 100755 index 00000000..4d02e623 --- /dev/null +++ b/terraform/alicloud/gateway/terraform.tfvars @@ -0,0 +1,37 @@ +//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + +// --- VPC Network Configuration --- +vpc_id = "vpc-" +public_vswitch_id = "vsw-" +private_vswitch_id = "vsw-" +private_route_table = "vtb-" + +// --- ECS Instance Configuration --- +gateway_name = "Check-Point-Gateway-tf" +gateway_instance_type = "ecs.g5ne.xlarge" +key_name = "publickey" +allocate_and_associate_eip = true +volume_size = 100 +disk_category = "cloud_efficiency" +ram_role_name = "" +instance_tags = { + key1 = "value1" + key2 = "value2" +} + +// --- Check Point Settings --- +gateway_version = "R81.20-BYOL" +admin_shell = "/etc/cli.sh" +gateway_SICKey = "12345678" +gateway_password_hash = "" + +// --- Quick connect to Smart-1 Cloud (Recommended) --- +gateway_TokenKey = "" + +// --- Advanced Settings --- +resources_tag_name = "tag-name" +gateway_hostname = "gw-hostname" +allow_upload_download = true +gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/testfile.txt" +primary_ntp = "ntp1.cloud.aliyuncs.com" +secondary_ntp = "ntp2.cloud.aliyuncs.com" \ No newline at end of file diff --git a/terraform/alicloud/gateway/variables.tf b/terraform/alicloud/gateway/variables.tf new file mode 100755 index 00000000..a141b140 --- /dev/null +++ b/terraform/alicloud/gateway/variables.tf 
@@ -0,0 +1,133 @@ +// --- VPC Network Configuration --- +variable "vpc_id" { + type = string +} +variable "public_vswitch_id" { + type = string + description = "The public vswitch of the security gateway" +} +variable "private_vswitch_id" { + type = string + description = "The private vswitch of the security gateway" +} +variable "private_route_table" { + type = string + description = "Sets '0.0.0.0/0' route to the Gateway instance in the specified route table (e.g. vtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route. If empty - traffic will not be routed through the Security Gateway, this requires manual configuration in the Route Table" +default="" +} + +// --- ECS Instance Configuration --- +variable "gateway_name" { + type = string + description = "(Optional) The name tag of the Security Gateway instances" + default = "Check-Point-Gateway-tf" +} +variable "gateway_instance_type" { + type = string + description = "The instance type of the Secutiry Gateways" + default = "ecs.g5ne.xlarge" +} +module "validate_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "gateway" + instance_type = var.gateway_instance_type +} +variable "key_name" { + type = string + description = "The ECS Key Pair name to allow SSH access to the instance" +} +variable "allocate_and_associate_eip" { + type = bool + description = "If set to TRUE, an elastic IP will be allocated and associated with the launched instance" + default = true +} +variable "volume_size" { + type = number + description = "Root volume size (GB) - minimum 100" + default = 100 +} +variable "disk_category" { + type = string + description = "(Optional) Category of the ECS disk" + default = "cloud_efficiency" +} +variable "ram_role_name" { + type = string + description = "RAM role name to attach to the instance profile" + default = "" +} +resource "null_resource" "volume_size_too_small" { + // Volume Size validation - resource will not be created if the volume size is smaller than 
100 + count = var.volume_size >= 100 ? 0 : "volume_size must be at least 100" +} +variable "instance_tags" { + type = map(string) + description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Gateway ECS Instance" +default = {} +} + +// --- Check Point Settings --- +variable "gateway_version" { + type = string + description = "Gateway version and license" + default = "R81.20-BYOL" +} +module "validate_gateway_version" { + source = "../modules/common/version_license" + + chkp_type = "gateway" + version_license = var.gateway_version +} +variable "admin_shell" { + type = string + description = "Set the admin shell to enable advanced command line configuration" + default = "/etc/cli.sh" +} +variable "gateway_SICKey" { + type = string + description = "The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters" +} +variable "gateway_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command \"openssl passwd -6 PASSWORD\" to get the PASSWORD's hash)" + default = "" +} + +// --- Quick connect to Smart-1 Cloud (Recommended) --- +variable "gateway_TokenKey" { + type = string + description = "Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud." +} + +// --- Advanced Settings --- +variable "resources_tag_name" { + type = string + description = "(Optional)" + default = "" +} +variable "gateway_hostname" { + type = string + description = "(Optional)" + default = "" +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point" + default = true +} +variable "gateway_bootstrap_script" { + type = string + description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot" + default = "" +} +variable "primary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol primary server" + default = "" +} +variable "secondary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server" + default = "" +} \ No newline at end of file diff --git a/terraform/alicloud/gateway/versions.tf b/terraform/alicloud/gateway/versions.tf new file mode 100755 index 00000000..71e9843e --- /dev/null +++ b/terraform/alicloud/gateway/versions.tf @@ -0,0 +1,9 @@ +terraform { + required_version = ">= 0.14.3" + required_providers { + alicloud = { + source = "hashicorp/alicloud" + version = "1.203.0" + } + } +} diff --git a/terraform/alicloud/management-master/README.md b/terraform/alicloud/management-master/README.md new file mode 100755 index 00000000..ec200646 --- /dev/null +++ b/terraform/alicloud/management-master/README.md 
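Review bot: `vpc_id` is the only variable in this file without a `description`, and the README table for this module lists both `vpc_id` and a required `vpc_cidr` variable — `vpc_cidr` is not declared here or in the module's terraform.tfvars, so either the README row is stale or the variable is missing. Adding `description = "The VPC id in which to deploy"` to `vpc_id` and reconciling the `vpc_cidr` row would make the two agree. The README table also names the SIC key `gateway_SIC_Key` and the password hash `password_hash`, whereas the declarations are `gateway_SICKey` and `gateway_password_hash`, so an operator copying names from the table gets an undeclared-variable warning and an unset value. The unindented `default=""` under `private_route_table` and `default = {}` under `instance_tags` differ from the rest of the file; `terraform fmt` would normalise them.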
@@ -0,0 +1,135 @@ +# Check Point Management master Server Terraform module for AliCloud + +Terraform module which deploys a Check Point Management Server into a new VPC on AliCloud. + +These types of Terraform resources are supported: +* [Instance](https://www.terraform.io/docs/providers/alicloud/r/instance.html) - management Instance +* [Security group](https://www.terraform.io/docs/providers/alicloud/r/security_group.html) + + +## Note +- Make sure your region and zone are supporting the management instance types in **modules/common/instance_type/main.tf** + [Alicloud Instance_By_Region](https://ecs-buy.aliyun.com/instanceTypes/?spm=a2c63.p38356.879954.139.1eeb2d44eZQw2m#/instanceTypeByRegion) + +## Configuration +- Best practice is to configure credentials in the Environment variables - [Alicloud provider](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs) +``` +Configure environment variables in Linux: + +$ export ALICLOUD_ACCESS_KEY=anaccesskey +$ export ALICLOUD_SECRET_KEY=asecretkey +$ export ALICLOUD_REGION=cn-beijing + +Configure envrionment variables in Windows: + set ALICLOUD_ACCESS_KEY=anaccesskey + set ALICLOUD_SECRET_KEY=asecretkey + set ALICLOUD_REGION=cn-beijing + +``` +## Usage +- Fill all variables in the management-master/**terraform.tfvars** file with proper values (see below for variables descriptions). 
+- From a command line initialize the Terraform configuration directory: + terraform init +- Create an execution plan: + terraform plan +- Create or modify the deployment: + terraform apply + +### terraform.tfvars variables: +| Name | Description | Type | Allowed values | Default | Required | +|-----------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|----------------------------------------------------------------------------------------------------------------|---------------------------|----------| +| vpc_name | (Optional) The name of the VPC | string | n/a | "cp-vpc" | no | +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| vswitch_id | Vswitch id | string | n/a | n/a | yes | +| instance_name | AliCloud instance name to launch | string | n/a | "CP-Management-tf" | no | +| instance_type | AliCloud instance type | string | - ecs.g6e.large
- ecs.g6e.xlarge
- ecs.g6e.2xlarge
- ecs.g6e.4xlarge
- ecs.g6e.8xlarge | "ecs.g6e.xlarge" | no | +| key_name | The ECS Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| eip | Allocate and associate an elastic IP with the launched instance | bool | true/false | true | no | +| volume_size | Root volume size (GB) | number | n/a | 100 | no | +| disk_category | The ECS disk category | string | - cloud
- cloud_efficiency
- cloud_ssd,
- cloud_essd | "cloud_essd" | no | +| ram_role_name | RAM role name to attach to the instance profile, leave it empty for automatic creation | string | n/a | "" | no | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Management ECS Instance | map(string) | n/a | {} | no | +| version_license | Version and license of the Check Point Security Management | string | - R81-BYOL
- R81.10-BYOL
- R81.20-BYOL | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| password_hash | (Optional) Admin user's password hash (use command \"openssl passwd -6 PASSWORD\" to get the PASSWORD's hash) | string | n/a | "" | no | +| hostname | (Optional) Management prompt hostname. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | n/a | no | +| is_primary_management | Determines if this is the primary Management Server or not | bool | true/false | true | no | +| SICKey | "Mandatory only when deploying a secondary Management Server, the Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | n/a | true | no | +| gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address | string | - Locally managed
- Over the internet | Locally managed | no | +| admin_cidr | (CIDR) Allow web, SSH, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | 0.0.0.0/0 | no | +| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR | 0.0.0.0/0 | no | +| primary_ntp | (Optional) | string | n/a | "ntp1.cloud.aliyuncs.com" | no | +| secondary_ntp | (Optional) | string | n/a | "ntp2.cloud.aliyuncs.com" | no | +| bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | + +## Example for terraform.tfvars +``` +// --- VPC Network Configuration --- +vpc_name = "cp-vpc" +vpc_cidr = "10.0.0.0/16" +public_vswitchs_map = { + "us-east-1a" = 1 +} +vswitchs_bit_length = 8 + + +// --- ECS Instances Configuration --- +instance_name = "CP-Management-tf" +instance_type = "ecs.g6e.xlarge" +key_name = "publickey" +allocate_and_associate_eip = true +volume_size = 100 +disk_category = "cloud_essd" +ram_role_name = "" +instance_tags = { + key1 = "value1" + key2 = "value2" +} + +// --- Check Point Settings --- +version_license = "R81.20-BYOL" +admin_shell = "/etc/cli.sh" +password_hash = "" +hostname = "mgmt-tf" + +// --- Security Management Server Settings --- +is_primary_management = "true" +SICKey = "" +allow_upload_download = "true" +gateway_management = "Locally managed" +admin_cidr = "0.0.0.0/0" +gateway_addresses = "0.0.0.0/0" +primary_ntp = "ntp1.cloud.aliyuncs.com" +secondary_ntp = "ntp2.cloud.aliyuncs.com" +bootstrap_script = "echo 'this is bootstrap script' > /home/admin/testfile.txt" +``` + +## Outputs +| Name | Description | +|-------------------------------|-------------------------------------------------| +| vpc_id | The id of the deployed vpc | +| vpc_public_vswitchs_ids_list | A list of the private vswitchs ids | +| vpc_private_vswitchs_ids_list | A list of the private vswitchs ids | +| image_id | The 
ami id of the deployed Security Gateway | +| management_instance_id | The deployed Management AliCloud instance id | +| management_instance_name | The deployed Management AliCloud instance name | +| management_instance_tags | The deployed Management AliCloud tags | +| management_public_ip | The deployed Management AliCloud public address | + +## Revision History + +| Template Version | Description | +|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 20230830 | Change default Check Point version to R81.20 | +| 20230615 | - Improved userdata quality and stability by moving to cloud-config
- Define default primary and secondary NTP servers
- Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230512 | New images with Jumbo Hotfix | +| 20230420 | Change alicloud terraform provider version to 1.203.0 | +| 20230330 | - Added support of ECS disk category.
- Stability fixes. | +| 20230129 | First release of R81.20 CloudGuard Management Terraform deployment in Alibaba Cloud. | +| 20211011 | First release of Check Point CloudGuard Management Terraform deployment into a new VPC in Alibaba cloud. | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../../LICENSE) file for details \ No newline at end of file diff --git a/terraform/alicloud/management-master/locals.tf b/terraform/alicloud/management-master/locals.tf new file mode 100755 index 00000000..d64e0b51 --- /dev/null +++ b/terraform/alicloud/management-master/locals.tf @@ -0,0 +1,20 @@ +locals { + admin_shell_allowed_values = [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh"] + // Will fail if var.admin_shell is invalid + validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell) + + gateway_management_allowed_values = [ + "Locally managed", + "Over the internet"] + // Will fail if var.gateway_management is invalid + validate_gateway_management = index(local.gateway_management_allowed_values, var.gateway_management) + + regex_valid_cidr_range = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))?$" + // Will fail if var.admin_cidr or var.gateway_addresses are invalid + mgmt_vswitch_regex_result = regex(local.regex_valid_cidr_range, var.admin_cidr) == var.admin_cidr ? 0 : "var.admin_cidr must be a valid CIDR range" + gw_addr_regex_result = regex(local.regex_valid_cidr_range, var.gateway_addresses) == var.gateway_addresses ? 0 : "var.gateway_addresses must be a valid CIDR range" +} \ No newline at end of file diff --git a/terraform/alicloud/management-master/main.tf b/terraform/alicloud/management-master/main.tf new file mode 100755 index 00000000..1e47d448 --- /dev/null +++ b/terraform/alicloud/management-master/main.tf 
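Review bot: The CIDR checks `mgmt_vswitch_regex_result` and `gw_addr_regex_result` never surface their error strings, because `regex()` itself aborts with a generic "pattern did not match" error on invalid input before the conditional is evaluated, and the pattern's optional `(/(...))?` suffix accepts a bare host address such as `10.0.0.1` as a "valid CIDR range". With `required_version = ">= 0.14.3"` the idiomatic replacement is a `validation` block on the variable itself, e.g. `condition = can(cidrhost(var.admin_cidr, 0))` with `error_message = "var.admin_cidr must be a valid CIDR range."`, which reports the intended message and rejects non-CIDR input. The `index()` trick for `admin_shell` and `gateway_management` works but fails with an opaque index error; `contains(local.admin_shell_allowed_values, var.admin_shell)` inside a validation block would tell the operator which value is wrong.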
@@ -0,0 +1,40 @@ +// --- VPC --- +module "launch_vpc" { + source = "../modules/vpc" + + vpc_name = var.vpc_name + vpc_cidr = var.vpc_cidr + public_vswitchs_map = var.public_vswitchs_map + private_vswitchs_map = {} + vswitchs_bit_length = var.vswitchs_bit_length +} + +module "launch_management_into_vpc" { + source = "../management" + + vpc_id = module.launch_vpc.vpc_id + vswitch_id = module.launch_vpc.public_vswitchs_ids_list[0] + ram_role_name = var.ram_role_name + + instance_name = var.instance_name + instance_type = var.instance_type + key_name = var.key_name + + allocate_and_associate_eip = var.allocate_and_associate_eip + volume_size = var.volume_size + disk_category = var.disk_category + instance_tags = var.instance_tags + version_license = var.version_license + admin_shell = var.admin_shell + password_hash = var.password_hash + hostname = var.hostname + is_primary_management = var.is_primary_management + SICKey = var.SICKey + allow_upload_download = var.allow_upload_download + gateway_management = var.gateway_management + admin_cidr = var.admin_cidr + gateway_addresses = var.gateway_addresses + bootstrap_script = var.bootstrap_script + primary_ntp = var.primary_ntp + secondary_ntp = var.secondary_ntp +} diff --git a/terraform/alicloud/management-master/output.tf b/terraform/alicloud/management-master/output.tf new file mode 100755 index 00000000..fa85cce2 --- /dev/null +++ b/terraform/alicloud/management-master/output.tf 
@@ -0,0 +1,25 @@ +output "Deployment" { + value = "Finalizing configuration may take up to 20 minutes after deployment is finished" +} + +output "vpc_id" { + value = module.launch_vpc.vpc_id +} +output "vpc_public_vswitchs_ids_list" { + value = module.launch_vpc.public_vswitchs_ids_list +} +output "image_id" { + value = module.launch_management_into_vpc.image_id +} +output "management_instance_id" { + value = module.launch_management_into_vpc.management_instance_id +} +output "management_instance_name" { + value = module.launch_management_into_vpc.management_instance_name +} +output "management_instance_tags" { + value = module.launch_management_into_vpc.management_instance_tags +} +output "management_public_ip" { + value = module.launch_management_into_vpc.management_public_ip +} diff --git a/terraform/alicloud/management-master/terraform.tfvars b/terraform/alicloud/management-master/terraform.tfvars new file mode 100755 index 00000000..bf6cb990 --- /dev/null +++ b/terraform/alicloud/management-master/terraform.tfvars 
@@ -0,0 +1,40 @@ +//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + +// --- VPC Network Configuration --- +vpc_name = "cp-vpc" +vpc_cidr = "10.0.0.0/16" +public_vswitchs_map = { + "us-east-1a" = 1 +} +vswitchs_bit_length = 8 + + +// --- ECS Instances Configuration --- +instance_name = "CP-Management-tf" +instance_type = "ecs.g6e.xlarge" +key_name = "publickey" +allocate_and_associate_eip = true +volume_size = 100 +disk_category = "cloud_essd" +ram_role_name = "" +instance_tags = { + key1 = "value1" + key2 = "value2" +} + +// --- Check Point Settings --- +version_license = "R81.20-BYOL" +admin_shell = "/etc/cli.sh" +password_hash = "" +hostname = "mgmt-tf" + +// --- Security Management Server Settings --- +is_primary_management = "true" +SICKey = "" +allow_upload_download = "true" +gateway_management = "Locally managed" +admin_cidr = "0.0.0.0/0" +gateway_addresses = "0.0.0.0/0" +primary_ntp = "ntp1.cloud.aliyuncs.com" +secondary_ntp = "ntp2.cloud.aliyuncs.com" +bootstrap_script = "echo 'this is bootstrap script' > /home/admin/testfile.txt" diff --git a/terraform/alicloud/management-master/variables.tf b/terraform/alicloud/management-master/variables.tf new file mode 100755 index 00000000..aa9954f7 --- /dev/null +++ b/terraform/alicloud/management-master/variables.tf 
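Review bot: The committed `terraform.tfvars` sets `admin_cidr = "0.0.0.0/0"` and `gateway_addresses = "0.0.0.0/0"` together with `allocate_and_associate_eip = true`, so applying it unchanged exposes the Management Server's SSH port and the other admin ports the module opens to the whole internet on a public address. An example file that is meant to be copied should use safe placeholders such as `admin_cidr = "<admin-network>/32"` and `gateway_addresses = "<gateway-vswitch-cidr>"`, or at least carry a comment that `0.0.0.0/0` is for lab use only. Since the file also holds sample tags (`key1 = "value1"`), naming it `terraform.tfvars.example` would keep operators from committing real values on top of it.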
@@ -0,0 +1,137 @@ +// --- VPC Network Configuration --- +variable "vpc_name" { + type = string + description = "The name of the VPC" + default = "cp-vpc" +} +variable "vpc_cidr" { + type = string + description = "The CIDR block of the VPC" + default = "10.0.0.0/16" +} +variable "public_vswitchs_map" { + type = map(string) + description = "A map of pairs {availability-zone = vswitch-suffix-number}. Each entry creates a vswitch. Minimum 1 pair. (e.g. {\"us-east-1a\" = 1} ) " +} +variable "vswitchs_bit_length" { + type = number + description = "Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a vswitchs_bit_length value is 4, the resulting vswitch address will have length /20" +} +// --- ECS Instance Configuration --- +variable "instance_name" { + type = string + description = "AliCloud instance name to launch" + default = "CP-Management-tf" +} +variable "instance_type" { + type = string + description = "" + default ="ecs.g6e.xlarge" +} +module "validate_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "management" + instance_type = var.instance_type +} +variable "key_name" { + type = string + description = "The ECS Key Pair name to allow SSH access to the instances" +} +variable "allocate_and_associate_eip" { + type = bool + description = "When set to 'true', an elastic IP will be allocated and associated with the launched instance" + default = true +} +variable "volume_size" { + type = number + description = "Root volume size (GB) - minimum 100" + default = 100 +} +variable "disk_category" { + type = string + description = "(Optional) Category of the ECS disk" + default = "cloud_essd" +} +variable "ram_role_name" { + type = string + description = "RAM role name to attach to the instance profile" + default = "" +} +variable "instance_tags" { + type = map(string) + description = "(Optional) A map of tags as key=value pairs. 
All tags will be added to the Management ECS Instance" +default = {} +} +// --- Check Point Settings --- +variable "version_license" { + type = string + description = "version and license" + default = "R81.20-BYOL" +} +module "validate_management_version" { + source = "../modules/common/version_license" + + chkp_type = "management" + version_license = var.version_license +} +variable "admin_shell" { + type = string + description = "Set the admin shell to enable advanced command line configuration" + default = "/etc/cli.sh" +} +variable "password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" + default = "" +} +variable "hostname" { + type = string + description = "(Optional)" + default = "" +} + +// --- Security Management Server Settings --- +variable "is_primary_management" { + type = bool + description = "true/false. Determines if this is the primary management server or not" + default = true +} +variable "SICKey" { + type = string + description = "Mandatory only when deploying a secondary Management Server, the Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters" + default = "" +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point" + default = true +} +variable "gateway_management" { + type = string + description = "Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address" + default = "Locally managed" +} +variable "admin_cidr" { + type = string + description = "(CIDR) Allow web, SSH, and graphical clients only from this network to communicate with the Management Server" +} +variable "gateway_addresses" { + type = string + description = "(CIDR) Allow gateways only from this network to communicate with the Management Server" +} +variable "primary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol primary server" + default = "" +} +variable "secondary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server" + default = "" +} +variable "bootstrap_script" { + type = string + description = "(Optional) Semicolon (;) separated commands to run on the initial boot" + default = "" +} \ No newline at end of file diff --git a/terraform/alicloud/management-master/versions.tf b/terraform/alicloud/management-master/versions.tf new file mode 100755 index 00000000..71e9843e --- /dev/null +++ b/terraform/alicloud/management-master/versions.tf @@ -0,0 +1,9 @@ +terraform { + required_version = ">= 0.14.3" + required_providers { + alicloud = { + source = "hashicorp/alicloud" + version = "1.203.0" + } + } +} diff --git a/terraform/alicloud/management/README.md b/terraform/alicloud/management/README.md new file mode 100755 index 00000000..ccff6e8f --- /dev/null +++ b/terraform/alicloud/management/README.md 
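Review bot: `SICKey` and `password_hash` are declared as plain string variables, so their values appear in plan/apply output; with `required_version = ">= 0.14.3"` they can carry `sensitive = true` (e.g. `variable "SICKey" { type = string sensitive = true default = "" ... }`), which redacts them from CLI output (state still stores them and needs its own protection). `admin_cidr` and `gateway_addresses` have no default and no `validation` block here, while this module's README table lists `0.0.0.0/0` as their default, so the documentation and the code disagree about whether they are required. `primary_ntp`/`secondary_ntp` default to `""` here but the README states `ntp1.cloud.aliyuncs.com`/`ntp2.cloud.aliyuncs.com`, and the `hostname` description is only `(Optional)`; a one-line description such as `"(Optional) Hostname set on the Management Server; must not contain reserved words (sk40179)"` would match the README.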
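Review bot: `source = "hashicorp/alicloud"` pins the provider under the HashiCorp namespace, while the README for this template sends operators to the `aliyun/alicloud` registry entry, which is where Alibaba publishes the provider; `hashicorp/alicloud` appears to resolve only through a registry alias, so this should be confirmed. Using `source = "aliyun/alicloud"` would match the documentation, and the exact `version = "1.203.0"` pin is good supply-chain practice and should stay. If the alias is intentional, a short comment saying so would stop the next reader from "fixing" it.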
@@ -0,0 +1,128 @@ +# Check Point Management Server Terraform module for AliCloud + +Terraform module which deploys a Check Point Management Server into an existing VPC on AliCloud. + +These types of Terraform resources are supported: +* [Instance](https://www.terraform.io/docs/providers/alicloud/r/instance.html) - management Instance +* [Security group](https://www.terraform.io/docs/providers/alicloud/r/security_group.html) + + +## Note +- Make sure your region and zone are supporting the management instance types in **modules/common/instance_type/main.tf** + [Alicloud Instance_By_Region](https://ecs-buy.aliyun.com/instanceTypes/?spm=a2c63.p38356.879954.139.1eeb2d44eZQw2m#/instanceTypeByRegion) + +## Configuration +- Best practice is to configure credentials in the Environment variables - [Alicloud provider](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs) +``` +Configure environment variables in Linux: + +$ export ALICLOUD_ACCESS_KEY=anaccesskey +$ export ALICLOUD_SECRET_KEY=asecretkey +$ export ALICLOUD_REGION=cn-beijing + +Configure envrionment variables in Windows: + set ALICLOUD_ACCESS_KEY=anaccesskey + set ALICLOUD_SECRET_KEY=asecretkey + set ALICLOUD_REGION=cn-beijing + +``` + +## Usage +- Fill all variables in the management/**terraform.tfvars** file with proper values (see below for variables descriptions). 
+- From a command line initialize the Terraform configuration directory: + terraform init +- Create an execution plan: + terraform plan +- Create or modify the deployment: + terraform apply + +### terraform.tfvars variables: +| Name | Description | Type | Allowed values | Default | Required | +|-----------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|----------------------------------------------------------------------------------------------------------------|---------------------------|----------| +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| vswitch_id | Vswitch id | string | n/a | n/a | yes | +| instance_name | AliCloud instance name to launch | string | n/a | "CP-Management-tf" | no | +| instance_type | AliCloud instance type | string | - ecs.g6e.large
- ecs.g6e.xlarge
- ecs.g6e.2xlarge
- ecs.g6e.4xlarge
- ecs.g6e.8xlarge | "ecs.g6e.xlarge" | no | +| key_name | The ECS Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| eip | Allocate and associate an elastic IP with the launched instance | bool | true/false | true | no | +| volume_size | Root volume size (GB) | number | n/a | 100 | no | +| disk_category | The ECS disk category | string | - cloud
- cloud_efficiency
- cloud_ssd,
- cloud_essd | "cloud_essd" | no | +| ram_role_name | RAM role name to attach to the instance profile, leave it empty for automatic creation | string | n/a | "" | no | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Management ECS Instance | map(string) | n/a | {} | no | +| version_license | Version and license of the Check Point Security Management | string | - R81-BYOL
- R81.10-BYOL
- R81.20-BYOL | R81.20-BYOL | | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| password_hash | (Optional) Admin user's password hash (use command \"openssl passwd -6 PASSWORD\" to get the PASSWORD's hash) | string | n/a | "" | no | +| hostname | (Optional) Management prompt hostname. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | n/a | no | +| is_primary_management | Determines if this is the primary Management Server or not | bool | true/false | true | no | +| SICKey | "Mandatory only when deploying a secondary Management Server, the Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | n/a | true | no | +| gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address | string | - Locally managed
- Over the internet | Locally managed | no | +| admin_cidr | (CIDR) Allow web, SSH, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | 0.0.0.0/0 | no | +| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR | 0.0.0.0/0 | no | +| primary_ntp | (Optional) | string | n/a | "ntp1.cloud.aliyuncs.com" | no | +| secondary_ntp | (Optional) | string | n/a | "ntp2.cloud.aliyuncs.com" | no | +| bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | + +## Example for terraform.tfvars + +``` +// --- VPC Network Configuration --- +vpc_id = "vpc-" +vswitch_id = "vsw-" + +// --- ECS Instances Configuration --- +instance_name = "CP-Management-tf" +instance_type = "ecs.g6e.xlarge" +key_name = "publickey" +allocate_and_associate_eip = true +volume_size = 100 +disk_category = "cloud_essd" +ram_role_name = "" +instance_tags = { + key1 = "value1" + key2 = "value2" +} + +// --- Check Point Settings --- +version_license = "R81.20-BYOL" +admin_shell = "/etc/cli.sh" +password_hash = "" +hostname = "mgmt-tf" + +// --- Security Management Server Settings --- +is_primary_management = "true" +SICKey = "" +allow_upload_download = "true" +gateway_management = "Locally managed" +admin_cidr = "0.0.0.0/0" +gateway_addresses = "0.0.0.0/0" +primary_ntp = "ntp1.cloud.aliyuncs.com" +secondary_ntp = "ntp2.cloud.aliyuncs.com" +bootstrap_script = "echo 'this is bootstrap script' > /home/admin/testfile.txt" +``` + +## Outputs +| Name | Description | +|--------------------------|-------------------------------------------------| +| image_id | The ami id of the deployed Security Gateway | +| management_instance_id | The deployed Management AliCloud instance id | +| management_instance_name | The deployed Management AliCloud instance name | +| management_instance_tags | The deployed Management AliCloud tags | +| 
management_public_ip | The deployed Management AliCloud public address | + +## Revision History + +| Template Version | Description | +|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 20230830 | Change default Check Point version to R81.20 | +| 20230615 | - Improved userdata quality and stability by moving to cloud-config
- Define default primary and secondary NTP servers
- Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230512 | New images with Jumbo Hotfix | +| 20230420 | Change alicloud terraform provider version to 1.203.0 | +| 20230330 | - Added support of ECS disk category.
- Stability fixes. | +| 20230129 | First release of R81.20 CloudGuard Management Terraform deployment in Alibaba Cloud. | +| 20211011 | First release of Check Point CloudGaurd Management Terraform deployment into an existing VPC in Alibaba cloud. | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../../LICENSE) file for details \ No newline at end of file diff --git a/terraform/alicloud/management/locals.tf b/terraform/alicloud/management/locals.tf new file mode 100755 index 00000000..b6815a6f --- /dev/null +++ b/terraform/alicloud/management/locals.tf @@ -0,0 +1,24 @@ +locals { + admin_shell_allowed_values = [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh"] + // Will fail if var.admin_shell is invalid + validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell) + + gateway_management_allowed_values = [ + "Locally managed", + "Over the internet"] + // Will fail if var.gateway_management is invalid + validate_gateway_management = index(local.gateway_management_allowed_values, var.gateway_management) + + regex_valid_cidr_range = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))?$" + // Will fail if var.admin_cidr or var.gateway_addresses are invalid + mgmt_vswitch_regex_result = regex(local.regex_valid_cidr_range, var.admin_cidr) == var.admin_cidr ? 0 : "var.admin_cidr must be a valid CIDR range" + gw_addr_regex_result = regex(local.regex_valid_cidr_range, var.gateway_addresses) == var.gateway_addresses ? 0 : "var.gateway_addresses must be a valid CIDR range" + version_split = element(split("-", var.version_license), 0) + gateway_bootstrap_script64 = base64encode(var.bootstrap_script) + gateway_SICkey_base64 = base64encode(var.SICKey) + gateway_password_hash_base64 = base64encode(var.password_hash) +} \ No newline at end of file 
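Review bot: `gateway_SICkey_base64` and `gateway_password_hash_base64` only base64-encode the SIC key and admin password hash; that is transport encoding for user-data, not protection, and the decoded values remain readable by any local process on the instance that can query the ECS metadata endpoint for user-data. A comment such as `// base64 is transport encoding only; the SIC key and hash stay readable via instance metadata` would keep a reader from assuming they are secured. The CIDR locals also repeat the problem from the master module: `regex()` raises its own error on a non-match, so the `"var.admin_cidr must be a valid CIDR range"` text is unreachable, and the optional `/prefix` group lets a bare IP pass; `can(cidrhost(var.admin_cidr, 0))` in a `validation` block does both jobs.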
diff --git a/terraform/alicloud/management/main.tf b/terraform/alicloud/management/main.tf new file mode 100755 index 00000000..33b6d436 --- /dev/null +++ b/terraform/alicloud/management/main.tf 
@@ -0,0 +1,177 @@ +module "images" { + source = "../modules/images" + + version_license = var.version_license + chkp_type = "management" +} + +resource "alicloud_security_group" "management_sg" { + name = format("%s-SecurityGroup", var.instance_name) + description = "TF Management security group" + vpc_id = var.vpc_id +} + +resource "alicloud_security_group_rule" "permissive_egress" { + type = "egress" + ip_protocol = "all" + nic_type = "intranet" + policy = "accept" + port_range = "-1/-1" + priority = 1 + security_group_id = alicloud_security_group.management_sg.id + cidr_ip = "0.0.0.0/0" +} + +resource "alicloud_security_group_rule" "management_ingress-257" { + type = "ingress" + ip_protocol = "all" + nic_type = "intranet" + policy = "accept" + port_range = "257/257" + priority = 1 + security_group_id = alicloud_security_group.management_sg.id + cidr_ip = var.gateway_addresses +} + +resource "alicloud_security_group_rule" "management_ingress-8211" { + type = "ingress" + ip_protocol = "all" + nic_type = "intranet" + policy = "accept" + port_range = "8211/8211" + priority = 1 + security_group_id = alicloud_security_group.management_sg.id + cidr_ip = var.gateway_addresses +} + +resource "alicloud_security_group_rule" "management_ingress-18191-2" { + type = "ingress" + ip_protocol = "all" + nic_type = "intranet" + policy = "accept" + port_range = "18191/18192" + priority = 1 + security_group_id = alicloud_security_group.management_sg.id + cidr_ip = var.gateway_addresses +} + +resource "alicloud_security_group_rule" "management_ingress-18210-11" { + type = "ingress" + ip_protocol = "all" + nic_type = "intranet" + policy = "accept" + port_range = "18210/18211" + priority = 1 + security_group_id = alicloud_security_group.management_sg.id + cidr_ip = var.gateway_addresses +} + +resource "alicloud_security_group_rule" "management_ingress-18221" { + type = "ingress" + ip_protocol = "all" + nic_type = "intranet" + policy = "accept" + port_range = "18221/18221" + priority = 
1 + security_group_id = alicloud_security_group.management_sg.id + cidr_ip = var.gateway_addresses +} + +resource "alicloud_security_group_rule" "management_ingress-18264" { + type = "ingress" + ip_protocol = "all" + nic_type = "intranet" + policy = "accept" + port_range = "18264/18264" + priority = 1 + security_group_id = alicloud_security_group.management_sg.id + cidr_ip = var.gateway_addresses +} + +resource "alicloud_security_group_rule" "management_ingress-22" { + type = "ingress" + ip_protocol = "all" + nic_type = "intranet" + policy = "accept" + port_range = "22/22" + priority = 1 + security_group_id = alicloud_security_group.management_sg.id + cidr_ip = var.admin_cidr +} + +resource "alicloud_security_group_rule" "management_ingress-433" { + type = "ingress" + ip_protocol = "all" + nic_type = "intranet" + policy = "accept" + port_range = "433/433" + priority = 1 + security_group_id = alicloud_security_group.management_sg.id + cidr_ip = var.admin_cidr +} + +resource "alicloud_security_group_rule" "management_ingress-18190" { + type = "ingress" + ip_protocol = "all" + nic_type = "intranet" + policy = "accept" + port_range = "18190/18190" + priority = 1 + security_group_id = alicloud_security_group.management_sg.id + cidr_ip = var.admin_cidr +} + +resource "alicloud_security_group_rule" "management_ingress-19009" { + type = "ingress" + ip_protocol = "all" + nic_type = "intranet" + policy = "accept" + port_range = "19009/19009" + priority = 1 + security_group_id = alicloud_security_group.management_sg.id + cidr_ip = var.admin_cidr +} + +resource "alicloud_instance" "management_instance" { + instance_name = var.instance_name + instance_type = var.instance_type + key_name = var.key_name + image_id = module.images.image_id + vswitch_id = var.vswitch_id + security_groups = [alicloud_security_group.management_sg.id] + system_disk_size = var.volume_size + system_disk_category = var.disk_category + + tags = merge({ + Name = var.instance_name + }, var.instance_tags) + 
+ user_data = templatefile("${path.module}/management_userdata.yaml", { + // script's arguments + Hostname = var.hostname, + PasswordHash = local.gateway_password_hash_base64, + AllowUploadDownload = var.allow_upload_download, + NTPPrimary = var.primary_ntp, + NTPSecondary = var.secondary_ntp, + Shell = var.admin_shell, + AdminSubnet = var.admin_cidr, + IsPrimary = var.is_primary_management, + SICKey = local.gateway_SICkey_base64, + AllocateElasticIP = var.allocate_and_associate_eip, + GatewayManagement = var.gateway_management, + BootstrapScript = local.gateway_bootstrap_script64, + OsVersion = local.version_split + }) +} + +module "common_eip" { + source = "../modules/common/elastic_ip" + allocate_and_associate_eip = var.allocate_and_associate_eip + instance_id = alicloud_instance.management_instance.id +} + +resource "alicloud_ram_role_attachment" "attach" { + count = var.ram_role_name != "" ? 1 : 0 + role_name = var.ram_role_name + instance_ids = alicloud_instance.management_instance.*.id +} \ No newline at end of file diff --git a/terraform/alicloud/management/management_userdata.yaml b/terraform/alicloud/management/management_userdata.yaml new file mode 100644 index 00000000..9d957968 --- /dev/null +++ b/terraform/alicloud/management/management_userdata.yaml @@ -0,0 +1,4 @@ +#cloud-config +runcmd: + - | + python3 /etc/cloud_config.py sicKey=\"${SICKey}\" installationType=\"management\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20230830\" templateName=\"management\" templateType=\"terraform\" shell=\"${Shell}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" primary=\"${IsPrimary}\" adminSubnet=\"${AdminSubnet}\" allocatePublicAddress=\"${AllocateElasticIP}\" "overTheInternet=\"${GatewayManagement}\"" bootstrapScript64=\"${BootstrapScript}\" 
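Review bot: Every ingress rule combines `ip_protocol = "all"` with a specific `port_range` (e.g. `port_range = "22/22"`); the alicloud provider documents port ranges for `tcp`/`udp` and expects `-1/-1` for `all`, so depending on how the API treats the pair these rules either fail to create or open every port and protocol from `admin_cidr`/`gateway_addresses`, which the shipped tfvars set to `0.0.0.0/0`. Each rule should name the actual protocol, `ip_protocol = "tcp"`, and the effective rule set should be verified in the console after the first apply. `management_ingress-433` opens `port_range = "433/433"`, which looks like a typo for 443, the HTTPS port implied by the README's "web ... clients" wording; as written the Gaia portal would not be reachable through this group unless something else covers it. The `user_data` block also carries the SIC key and password hash (base64 only) into instance user-data, which deserves a comment so a long-lived password hash is not reused there later.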
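Review bot: `sicKey=\"${SICKey}\"` and `passwordHash=\"${PasswordHash}\"` are passed to `/etc/cloud_config.py` as command-line arguments, so for as long as that process runs the (base64) values are visible in `/proc/<pid>/cmdline` to every local user, and cloud-init may echo the runcmd line into its logs when run verbosely. If `cloud_config.py` can accept them from a root-only file or stdin that is the safer channel; otherwise a comment noting that the values are base64, not encrypted, and appear in process listings during first boot is the minimum. The quoting is also inconsistent: only `overTheInternet` is wrapped in an outer pair of double quotes (needed because `"Locally managed"` contains a space), while `hostName=\"${Hostname}\"` and the NTP arguments would split into several argv entries if a value ever contained whitespace; wrapping every argument the same way, `"hostName=\"${Hostname}\""`, makes the line uniform and robust.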
diff --git a/terraform/alicloud/management/output.tf b/terraform/alicloud/management/output.tf new file mode 100755 index 00000000..82e2f5fe --- /dev/null +++ b/terraform/alicloud/management/output.tf @@ -0,0 +1,19 @@ +output "Deployment" { + value = "Finalizing configuration may take up to 20 minutes after deployment is finished" +} + +output "image_id" { + value = module.images.image_id +} +output "management_instance_id" { + value = alicloud_instance.management_instance.id +} +output "management_instance_name" { + value = alicloud_instance.management_instance.tags["Name"] +} +output "management_instance_tags" { + value = alicloud_instance.management_instance.tags +} +output "management_public_ip" { + value = module.common_eip.instance_eip_public_ip +} \ No newline at end of file diff --git a/terraform/alicloud/management/terraform.tfvars b/terraform/alicloud/management/terraform.tfvars new file mode 100755 index 00000000..9758387c --- /dev/null +++ b/terraform/alicloud/management/terraform.tfvars 
@@ -0,0 +1,35 @@ +//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + +// --- VPC Network Configuration --- +vpc_id = "vpc-" +vswitch_id = "vsw-" + +// --- ECS Instances Configuration --- +instance_name = "CP-Management-tf" +instance_type = "ecs.g6e.xlarge" +key_name = "publickey" +allocate_and_associate_eip = true +volume_size = 100 +disk_category = "cloud_essd" +ram_role_name = "" +instance_tags = { + key1 = "value1" + key2 = "value2" +} + +// --- Check Point Settings --- +version_license = "R81.20-BYOL" +admin_shell = "/etc/cli.sh" +password_hash = "" +hostname = "mgmt-tf" + +// --- Security Management Server Settings --- +is_primary_management = "true" +SICKey = "" +allow_upload_download = "true" +gateway_management = "Locally managed" +admin_cidr = "0.0.0.0/0" +gateway_addresses = "0.0.0.0/0" +primary_ntp = "ntp1.cloud.aliyuncs.com" +secondary_ntp = "ntp2.cloud.aliyuncs.com" +bootstrap_script = "echo 'this is bootstrap script' > /home/admin/testfile.txt" \ No newline at end of file diff --git a/terraform/alicloud/management/variables.tf b/terraform/alicloud/management/variables.tf new file mode 100755 index 00000000..c91dd06e --- /dev/null +++ b/terraform/alicloud/management/variables.tf 
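Review bot: This `terraform.tfvars` again ships `admin_cidr = "0.0.0.0/0"` and `gateway_addresses = "0.0.0.0/0"` with `allocate_and_associate_eip = true`, so the module's SSH and management ingress rules are opened to the internet on the instance's public address for anyone who applies the file unchanged. The README for this module describes `admin_cidr` as restricting "web, SSH, and graphical clients" to one network, which the example contradicts; a placeholder such as `admin_cidr = "<admin-network>/32"` or a `// lab only — restrict before production` comment would align the two. The `vpc_id = "vpc-"` and `vswitch_id = "vsw-"` stubs show the file is a template, so a `.example` suffix would also stop real identifiers from being committed over it.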
@@ -0,0 +1,128 @@ +// --- VPC Network Configuration --- +variable "vpc_id" { + type = string +} +variable "vswitch_id" { + type = string + description = "To access the instance from the internet, make sure the vswitch has a route to the internet" +} + +// --- ECS Instance Configuration --- +variable "instance_name" { + type = string + description = "AliCloud instance name to launch" + default = "CP-Management-tf" +} +variable "instance_type" { + type = string + description = "" + default ="ecs.g6e.xlarge" +} +module "validate_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "management" + instance_type = var.instance_type +} +variable "key_name" { + type = string + description = "The ECS Key Pair name to allow SSH access to the instances" +} +variable "allocate_and_associate_eip" { + type = bool + description = "When set to 'true', an elastic IP will be allocated and associated with the launched instance" + default = true +} +variable "volume_size" { + type = number + description = "Root volume size (GB) - minimum 100" + default = 100 +} +variable "disk_category" { + type = string + description = "(Optional) Category of the ECS disk" + default = "cloud_essd" +} +variable "ram_role_name" { + type = string + description = "RAM role name to attach to the instance profile" + default = "" +} +variable "instance_tags" { + type = map(string) + description = "(Optional) A map of tags as key=value pairs. 
All tags will be added to the Management ECS Instance" +default = {} +} + +// --- Check Point Settings --- +variable "version_license" { + type = string + description = "version and license" + default = "R81.20-BYOL" +} +module "validate_management_version" { + source = "../modules/common/version_license" + + chkp_type = "management" + version_license = var.version_license +} +variable "admin_shell" { + type = string + description = "Set the admin shell to enable advanced command line configuration" + default = "/etc/cli.sh" +} +variable "password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" + default = "" +} +variable "hostname" { + type = string + description = "(Optional)" + default = "" +} + +// --- Security Management Server Settings --- +variable "is_primary_management" { + type = bool + description = "true/false. Determines if this is the primary management server or not" + default = true +} +variable "SICKey" { + type = string + description = "Mandatory only when deploying a secondary Management Server, the Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters" + default = "" +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point" + default = true +} +variable "gateway_management" { + type = string + description = "Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address" + default = "Locally managed" +} +variable "admin_cidr" { + type = string + description = "(CIDR) Allow web, SSH, and graphical clients only from this network to communicate with the Management Server" +} +variable "gateway_addresses" { + type = string + description = "(CIDR) Allow gateways only from this network to communicate with the Management Server" +} +variable "primary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol primary server" + default = "" +} +variable "secondary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server" + default = "" +} +variable "bootstrap_script" { + type = string + description = "(Optional) Semicolon (;) separated commands to run on the initial boot" + default = "" +} \ No newline at end of file diff --git a/terraform/alicloud/management/versions.tf b/terraform/alicloud/management/versions.tf new file mode 100755 index 00000000..71e9843e --- /dev/null +++ b/terraform/alicloud/management/versions.tf @@ -0,0 +1,9 @@ +terraform { + required_version = ">= 0.14.3" + required_providers { + alicloud = { + source = "hashicorp/alicloud" + version = "1.203.0" + } + } +} diff --git a/terraform/alicloud/modules/cluster-ram-role/locals.tf b/terraform/alicloud/modules/cluster-ram-role/locals.tf new file mode 100755 index 00000000..395b7d40 --- /dev/null +++ b/terraform/alicloud/modules/cluster-ram-role/locals.tf @@ -0,0 +1,5 @@ +locals { + ram_role_name = format("%s-ram-role-%s", var.gateway_name, random_id.ram_uuid.hex) + ram_policy_name = format("%s-ram-policy-%s", var.gateway_name, random_id.ram_uuid.hex) + +} \ No newline at end of file 
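Review bot: `password_hash` and `SICKey` hold secrets but neither variable is declared `sensitive = true`, so their values are shown in `terraform plan`/`apply` output and, as far as I can tell, in any instance attribute derived from them; `required_version = ">= 0.14.3"` in this commit's versions.tf makes the attribute available, so add `sensitive = true` to both blocks. The same applies to `gateway_password_hash` and `gateway_SICKey` in modules/common/gateway_instance/variables.tf, which is also part of this commit. `admin_cidr` and `gateway_addresses` are documented as CIDRs but have no `validation` block; `validation { condition = can(cidrhost(var.admin_cidr, 0)) error_message = "admin_cidr must be a valid IPv4 CIDR." }` would reject a bare address or typo at plan time instead of at first boot. The `hostname` description is only `(Optional)`; say what it sets, e.g. `"(Optional) Hostname of the Management Server"`.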
diff --git a/terraform/alicloud/modules/cluster-ram-role/main.tf b/terraform/alicloud/modules/cluster-ram-role/main.tf new file mode 100755 index 00000000..95840d8b --- /dev/null +++ b/terraform/alicloud/modules/cluster-ram-role/main.tf 
@@ -0,0 +1,54 @@ +resource "random_id" "ram_uuid" { + byte_length = 5 +} + +resource "alicloud_ram_role" "ram_role" { + name = local.ram_role_name + document = <= 100 ? 0 : "volume_size must be at least 100" +} +variable "disk_category" { + type = string + description = "(Optional) Category of the ECS disk" + default = "cloud_efficiency" +} +variable "gateway_version" { + type = string + description = "Gateway version and license" + default = "R81.20-BYOL" +} +variable "gateway_instance_type" { + type = string + description = "The instance type of the Security Gateway" + default = "ecs.c5.xlarge" +} +module "validate_instance_type" { + source = "../instance_type" + + chkp_type = "gateway" + instance_type = var.gateway_instance_type +} +variable "instance_tags" { + type = map(string) + description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Gateway ECS Instance" + default = {} +} +variable "key_name" { + type = string + description = "The ECS Key Pair name to allow SSH access to the instance" +} +variable "image_id" { + type = string + description = "The image ID to use for the instance" +} +variable "security_groups" { + type = list(string) + description = "The security groups of the instance" +} +variable "gateway_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command \"openssl passwd -6 PASSWORD\" to get the PASSWORD's hash)" + default = "" +} +variable "admin_shell" { + type = string + description = "Set the admin shell to enable advanced command line configuration" + default = "/etc/cli.sh" +} +variable "gateway_SICKey" { + type = string + description = "The Secure Internal Communication key for trusted connection between Check Point components. 
Choose a random string consisting of at least 8 alphanumeric characters" +} +// --- Quick connect to Smart-1 Cloud (Recommended) --- +variable "gateway_TokenKey" { + type = string + description = "Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud." +} +variable "gateway_bootstrap_script" { + type = string + description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot" + default = "" +} +variable "gateway_hostname" { + type = string + description = "(Optional)" + default = "" +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + default = true +} +variable "primary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol primary server" + default = "" +} +variable "secondary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server" + default = "" +} \ No newline at end of file diff --git a/terraform/alicloud/modules/common/gateway_instance/versions.tf b/terraform/alicloud/modules/common/gateway_instance/versions.tf new file mode 100755 index 00000000..906a4df0 --- /dev/null +++ b/terraform/alicloud/modules/common/gateway_instance/versions.tf @@ -0,0 +1,9 @@ +terraform { + required_version = ">= 0.14.3" + required_providers { + alicloud = { + source = "hashicorp/alicloud" + version = "1.203.0" + } + } +} \ No newline at end of file diff --git a/terraform/alicloud/modules/common/instance_type/main.tf b/terraform/alicloud/modules/common/instance_type/main.tf new file mode 100755 index 00000000..4a3d6ba1 --- /dev/null +++ b/terraform/alicloud/modules/common/instance_type/main.tf 
@@ -0,0 +1,28 @@ +locals { + gw_types = [ + "ecs.g5ne.large", + "ecs.g5ne.xlarge", + "ecs.g5ne.2xlarge", + "ecs.g5ne.4xlarge", + "ecs.g5ne.8xlarge", + "ecs.g7ne.large", + "ecs.g7ne.xlarge", + "ecs.g7ne.2xlarge", + "ecs.g7ne.4xlarge", + "ecs.g7ne.8xlarge" + ] + mgmt_types = [ + "ecs.g6e.large", + "ecs.g6e.xlarge", + "ecs.g6e.2xlarge", + "ecs.g6e.4xlarge", + "ecs.g6e.8xlarge" + ] +} + +locals { + gw_values = var.chkp_type == "gateway" ? local.gw_types : [] + mgmt_values = var.chkp_type == "management" ? local.mgmt_types : [] + allowed_values = coalescelist(local.gw_values, local.mgmt_values) + is_allowed_type = index(local.allowed_values, var.instance_type) +} \ No newline at end of file diff --git a/terraform/alicloud/modules/common/instance_type/variables.tf b/terraform/alicloud/modules/common/instance_type/variables.tf new file mode 100755 index 00000000..f114cf20 --- /dev/null +++ b/terraform/alicloud/modules/common/instance_type/variables.tf @@ -0,0 +1,20 @@ +variable "chkp_type" { + type = string + description = "The Check Point machine type" + default = "gateway" +} +locals { + type_allowed_values = [ + "gateway", + "management" + //"server" + ] + // Will fail if var.chkp_type is invalid + validate_instance_type = index(local.type_allowed_values, var.chkp_type) +} + +variable "instance_type" { + type = string + description = "Alicloud Instance type" +} + diff --git a/terraform/alicloud/modules/common/instance_type/versions.tf b/terraform/alicloud/modules/common/instance_type/versions.tf new file mode 100755 index 00000000..0ec4dcca --- /dev/null +++ b/terraform/alicloud/modules/common/instance_type/versions.tf @@ -0,0 +1,3 @@ +terraform { + required_version = ">= 0.14.3" +} \ No newline at end of file diff --git a/terraform/alicloud/modules/common/internal_default_route/locals.tf b/terraform/alicloud/modules/common/internal_default_route/locals.tf new file mode 100755 index 00000000..493c4d9a --- /dev/null 
+++ b/terraform/alicloud/modules/common/internal_default_route/locals.tf
@@ -0,0 +1,3 @@
+locals {
+ internal_route_table_condition = var.private_route_table != "" ? 1 : 0
+}
\ No newline at end of file
diff --git a/terraform/alicloud/modules/common/internal_default_route/main.tf b/terraform/alicloud/modules/common/internal_default_route/main.tf
new file mode 100755
index 00000000..7290ad9e
--- /dev/null
+++ b/terraform/alicloud/modules/common/internal_default_route/main.tf
@@ -0,0 +1,7 @@
+resource "alicloud_route_entry" "internal_default_route" {
+ count = local.internal_route_table_condition
+ route_table_id = var.private_route_table
+ destination_cidrblock = "0.0.0.0/0"
+ nexthop_type = "NetworkInterface"
+ nexthop_id = var.internal_eni_id
+}
\ No newline at end of file
diff --git a/terraform/alicloud/modules/common/internal_default_route/output.tf b/terraform/alicloud/modules/common/internal_default_route/output.tf
new file mode 100755
index 00000000..fde54050
--- /dev/null
+++ b/terraform/alicloud/modules/common/internal_default_route/output.tf
@@ -0,0 +1,3 @@
+output "internal_default_route_id" {
+ value = alicloud_route_entry.internal_default_route.*.id
+}
\ No newline at end of file
diff --git a/terraform/alicloud/modules/common/internal_default_route/variables.tf b/terraform/alicloud/modules/common/internal_default_route/variables.tf
new file mode 100755
index 00000000..b8e2f458
--- /dev/null
+++ b/terraform/alicloud/modules/common/internal_default_route/variables.tf
@@ -0,0 +1,9 @@
+variable "private_route_table" {
+ type = string
+ description = "Sets '0.0.0.0/0' route to the Gateway instance in the specified route table (e.g. rtb-12a34567)"
+ default=""
+}
+variable "internal_eni_id" {
+ type = string
+ description = "The internal-eni of the security gateway"
+}
\ No newline at end of file
diff --git a/terraform/alicloud/modules/common/internal_default_route/versions.tf b/terraform/alicloud/modules/common/internal_default_route/versions.tf
new file mode 100755
index 00000000..906a4df0
--- /dev/null
+++ b/terraform/alicloud/modules/common/internal_default_route/versions.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ alicloud = {
+ source = "hashicorp/alicloud"
+ version = "1.203.0"
+ }
+ }
+}
\ No newline at end of file
diff --git a/terraform/alicloud/modules/common/permissive_sg/main.tf b/terraform/alicloud/modules/common/permissive_sg/main.tf
new file mode 100755
index 00000000..2ee7b17b
--- /dev/null
+++ b/terraform/alicloud/modules/common/permissive_sg/main.tf
@@ -0,0 +1,27 @@
+resource "alicloud_security_group" "permissive_sg" {
+ name = format("%s-PermissiveSecurityGroup", var.resources_tag_name != "" ? var.resources_tag_name : var.gateway_name)
+ description = "Permissive security group"
+ vpc_id = var.vpc_id
+}
+
+resource "alicloud_security_group_rule" "permissive_egress" {
+ type = "egress"
+ ip_protocol = "all"
+ nic_type = "intranet"
+ policy = "accept"
+ port_range = "-1/-1"
+ priority = 1
+ security_group_id = alicloud_security_group.permissive_sg.id
+ cidr_ip = "0.0.0.0/0"
+}
+
+resource "alicloud_security_group_rule" "permissive_ingress" {
+ type = "ingress"
+ ip_protocol = "all"
+ nic_type = "intranet"
+ policy = "accept"
+ port_range = "-1/-1"
+ priority = 1
+ security_group_id = alicloud_security_group.permissive_sg.id
+ cidr_ip = "0.0.0.0/0"
+}
\ No newline at end of file
diff --git a/terraform/alicloud/modules/common/permissive_sg/output.tf b/terraform/alicloud/modules/common/permissive_sg/output.tf
new file mode 100755
index 00000000..d8b5df1e
--- /dev/null
+++ b/terraform/alicloud/modules/common/permissive_sg/output.tf
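Review bot: `permissive_ingress` accepts every protocol and port from `0.0.0.0/0`, and the only statement of that fact is the resource name and `description = "Permissive security group"`; any consumer that attaches this group gets no network-level restriction, so limits such as the `admin_cidr`/`gateway_addresses` variables declared elsewhere in this commit hold only if they are enforced on the instance itself. Whether the management deployment attaches this module is not visible in this hunk. State the intent where a reader will see it: a header comment `// Intentionally allows all traffic in both directions; filtering is expected to be done by the Check Point instance's own policy` above the first resource, and the same sentence in the `description` argument so it is also visible in the console.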
@@ -0,0 +1,6 @@ +output "permissive_sg_id" { + value = alicloud_security_group.permissive_sg.id +} +output "permissive_sg_name" { + value = alicloud_security_group.permissive_sg.name +} \ No newline at end of file diff --git a/terraform/alicloud/modules/common/permissive_sg/variables.tf b/terraform/alicloud/modules/common/permissive_sg/variables.tf new file mode 100755 index 00000000..d2afaad2 --- /dev/null +++ b/terraform/alicloud/modules/common/permissive_sg/variables.tf @@ -0,0 +1,13 @@ +variable "vpc_id" { + type = string +} +variable "resources_tag_name" { + type = string + description = "(Optional)" + default = "" +} +variable "gateway_name" { + type = string + description = "(Optional) The name tag of the Security Gateway instances" + default = "Check-Point-Gateway-tf" +} \ No newline at end of file diff --git a/terraform/alicloud/modules/common/permissive_sg/versions.tf b/terraform/alicloud/modules/common/permissive_sg/versions.tf new file mode 100755 index 00000000..906a4df0 --- /dev/null +++ b/terraform/alicloud/modules/common/permissive_sg/versions.tf @@ -0,0 +1,9 @@ +terraform { + required_version = ">= 0.14.3" + required_providers { + alicloud = { + source = "hashicorp/alicloud" + version = "1.203.0" + } + } +} \ No newline at end of file diff --git a/terraform/alicloud/modules/common/version_license/main.tf b/terraform/alicloud/modules/common/version_license/main.tf new file mode 100755 index 00000000..94d144cd --- /dev/null +++ b/terraform/alicloud/modules/common/version_license/main.tf 
@@ -0,0 +1,23 @@ +locals { + gw_versions = [ + //"R81-PAYG-NGTP", + // "R81-PAYG-NGTX", + "R81-BYOL", + "R81.10-BYOL", + "R81.20-BYOL" + ] + mgmt_versions = [ + //"R81-PAYG", + "R81-BYOL", + "R81.10-BYOL", + "R81.20-BYOL" + ] +} + +locals { + gw_values = var.chkp_type == "gateway" ? local.gw_versions : [] + mgmt_values = var.chkp_type == "management" ? local.mgmt_versions : [] + // standalone_values = var.chkp_type == "standalone" ? local.standalone_versions : [] + allowed_values = coalescelist(local.gw_values, local.mgmt_values)//, local.standalone_values) + is_allowed_type = index(local.allowed_values, var.version_license) +} \ No newline at end of file diff --git a/terraform/alicloud/modules/common/version_license/variables.tf b/terraform/alicloud/modules/common/version_license/variables.tf new file mode 100755 index 00000000..9ecf1643 --- /dev/null +++ b/terraform/alicloud/modules/common/version_license/variables.tf @@ -0,0 +1,19 @@ +variable "chkp_type" { + type = string + description = "The Check Point machine type" + default = "gateway" +} +locals { + type_allowed_values = [ + "gateway", + "management", + "standalone",] + // Will fail if var.chkp_type is invalid + validate_chkp_type = index(local.type_allowed_values, var.chkp_type) +} + +variable "version_license" { + type = string + description = "AliCloud Version license" +} + diff --git a/terraform/alicloud/modules/common/version_license/versions.tf b/terraform/alicloud/modules/common/version_license/versions.tf new file mode 100755 index 00000000..906a4df0 --- /dev/null +++ b/terraform/alicloud/modules/common/version_license/versions.tf @@ -0,0 +1,9 @@ +terraform { + required_version = ">= 0.14.3" + required_providers { + alicloud = { + source = "hashicorp/alicloud" + version = "1.203.0" + } + } +} \ No newline at end of file diff --git a/terraform/alicloud/modules/images/images.yaml b/terraform/alicloud/modules/images/images.yaml new file mode 100755 index 00000000..c2eb1d52 --- /dev/null 
+++ b/terraform/alicloud/modules/images/images.yaml 
@@ -0,0 +1,210 @@ +Description: Returns a Check Point AliCloud Machine ID (__VERSION__) +Parameters: + Version: + Description: Security Gateway or Management Server version + Type: String + Default: R81.20-BYOL-GW + AllowedValues: + - R81-BYOL-GW + - R81-BYOL-MGMT + - R81.10-BYOL-GW + - R81.10-BYOL-MGMT + - R81.20-BYOL-GW + - R81.20-BYOL-MGMT +Mappings: + ConverterMap: + R81-BYOL-GW: + Value: R81BYOLGW + R81-BYOL-MGMT: + Value: R81BYOLMGMT + R81.10-BYOL-GW: + Value: R8110BYOLGW + R81.10-BYOL-MGMT: + Value: R8110BYOLMGMT + R81.20-BYOL-GW: + Value: R8120BYOLGW + R81.20-BYOL-MGMT: + Value: R8120BYOLMGMT + RegionMap: + cn-hongkong: + R81BYOLMGMT: m-j6c55b1lpz95colzzz1y + R81BYOLGW: m-j6c3gd3gcahojs40842v + R8110BYOLMGMT: m-j6c5n6p0tkx8clx72qes + R8110BYOLGW: m-j6c0x6ugw2012axbdmkn + R8120BYOLMGMT: m-j6c2gv0tohwb5otjzbk4 + R8120BYOLGW: m-j6cdnsm44k0csckg4cxa + ap-southeast-1: + R81BYOLMGMT: m-t4ngdphpnhzw065e30jt + R81BYOLGW: m-t4n99ag8zbinnc7n7xmw + R8110BYOLMGMT: m-t4n9x963l2fx13d4mzi8 + R8110BYOLGW: m-t4ndsvficp1ukrcpt4as + R8120BYOLMGMT: m-t4n3m9t1icbv1ptf8b67 + R8120BYOLGW: m-t4nj16t8nnlp7a70214i + us-west-1: + R81BYOLMGMT: m-rj95ffd9q3c8u7rpc7v5 + R81BYOLGW: m-rj9eblv5oe0ypm77no86 + R8110BYOLMGMT: m-rj9ebcmy6gxp3lzkjnrp + R8110BYOLGW: m-rj952h5pzgaecqhg9h6u + R8120BYOLMGMT: m-rj92n7t0j5uvmss2dak5 + R8120BYOLGW: m-rj99hmyezcyqa0in2us9 + us-east-1: + R81BYOLMGMT: m-0xi064illsngi8q7ejln + R81BYOLGW: m-0xiiv7m3m3ex8zai0lq4 + R8110BYOLMGMT: m-0xie3j6n8rxa26v6abni + R8110BYOLGW: m-0xiebcmy6gxpiyg830vh + R8120BYOLMGMT: m-0xihsclzmkgsxpsmfil2 + R8120BYOLGW: m-0xickak3e8yimpt90lh9 + ap-southeast-2: + R81BYOLMGMT: m-p0w0pl2rajygi6otl2mh + R81BYOLGW: m-p0w78ynl3rpgo1yq43qf + R8110BYOLMGMT: m-p0w7z34zl8gl2nmgzo75 + R8110BYOLGW: m-p0w2nhgtaqxil6bruwe2 + R8120BYOLMGMT: m-p0w2mgbmrn1pq4973ncq + R8120BYOLGW: m-p0wd45q8v82grbipwqkw + ap-southeast-3: + R81BYOLMGMT: m-8psi42zrfpq57cibgu2b + R81BYOLGW: m-8ps8swns48itw97zsb2i + R8110BYOLMGMT: m-8psc710cdd9x9guiajuk + R8110BYOLGW: 
m-8ps6mel7llq3ffzc2txa + R8120BYOLMGMT: m-8psc710cdd9x6k9vbn5m + R8120BYOLGW: m-8psf1zkz08byz41qrt1r + ap-southeast-5: + R81BYOLMGMT: m-k1aajdkea2t5oyxicbu8 + R81BYOLGW: m-k1afqua8zzbgdaosx7sf + R8110BYOLMGMT: m-k1ahug645c79svl6tgbp + R8110BYOLGW: m-k1a6n0hj1qidjiig80o0 + R8120BYOLMGMT: m-k1ahgt585wlm71lmpmg1 + R8120BYOLGW: m-k1a20f2u7nspfcja9mfc + ap-southeast-6: + R81BYOLMGMT: m-5ts832hgbk52wwnxzjlx + R81BYOLGW: m-5tsf5buudxrwbijypr0v + R8110BYOLMGMT: m-5tsa5qwchhf7q22qj685 + R8110BYOLGW: m-5tsdw01mce246abvrnes + R8120BYOLMGMT: m-5ts5ukwjgsl6t34hx7po + R8120BYOLGW: m-5tsa5qwchhf7pw5n70as + ap-northeast-1: + R81BYOLMGMT: m-6we8l9kvu9shqf3j5v4e + R81BYOLGW: m-6we42rtltap69nckfynw + R8110BYOLMGMT: m-6we20qh4jffzabapyyle + R8110BYOLGW: m-6wefezctjbied9npzp1n + R8120BYOLMGMT: m-6weihbzpoyt5h6i2i42e + R8120BYOLGW: m-6we215381e51fkneyv5v + eu-central-1: + R81BYOLMGMT: m-gw81j322yjmx03hq26qt + R81BYOLGW: m-gw82fm7sbwj7x6fpj1mn + R8110BYOLMGMT: m-gw89gvg18gk6nzo3gxe1 + R8110BYOLGW: m-gw8divjg7azjl2ndt34v + R8120BYOLMGMT: m-gw8csbodb1ntgbtu653c + R8120BYOLGW: m-gw83wxmsb5524ke9f6m7 + eu-west-1: + R81BYOLMGMT: m-d7ocob57ud2nqiv9fk8w + R81BYOLGW: m-d7oez9xgn0qg5g815tip + R8110BYOLMGMT: m-d7o7nj4f81gs8cyo52jd + R8110BYOLGW: m-d7o7nj4f81gsnpfbofnh + R8120BYOLMGMT: m-d7o63e77fokjsv4aq4kt + R8120BYOLGW: m-d7oj29ec4xx04sr8h61z + me-east-1: + R81BYOLMGMT: m-eb35op3wyu89kabry2zw + R81BYOLGW: m-eb35op3wyu89iv0z0nmz + R8110BYOLMGMT: m-eb33tyrfiy726a0xlw6g + R8110BYOLGW: m-eb30m4ho9mkzfb3xi78i + R8120BYOLMGMT: m-eb3bbb1nen46tqmcujmn + R8120BYOLGW: m-eb3dphy5uzm33cduxr7i + ap-south-1: + R81BYOLMGMT: m-a2d16a0v0ms9mg5xh1nm + R81BYOLGW: m-a2didx39bhgf547thni0 + R8110BYOLMGMT: m-a2d4ffz0q8dflg62j0zq + R8110BYOLGW: m-a2d9j14yemliag92m9d1 + R8120BYOLMGMT: m-a2d1e5s7uy9vv5a6n9cn + R8120BYOLGW: m-a2d1e5s7uy9vxvxqa04e + ap-southeast-7: + R81BYOLMGMT: m-0jo742iyh0qbzg51b6fd + R81BYOLGW: m-0joian1mgt9qt2lpvfnk + R8110BYOLMGMT: m-0jo3qwrwsdx3663is0b4 + R8110BYOLGW: m-0jogq1yzljp8ziw4caci + 
R8120BYOLMGMT: m-0jo67k42jvg301wis5ol + R8120BYOLGW: m-0jo5t1ypg4zy4h12i9c5 + ap-northeast-2: + R81BYOLMGMT: m-mj75cxsn1dhdiqhfc3a0 + R81BYOLGW: m-mj7bybnr5b9gebqrf3xt + R8110BYOLMGMT: m-mj7h0j7db1ryrwczg9ef + R8110BYOLGW: m-mj73osasl4gyi0zqscr5 + R8120BYOLMGMT: m-mj7aktw6610pznjgb16z + R8120BYOLGW: m-mj79jylrqomj0fv99s3b + cn-qingdao: + R81BYOLMGMT: m-m5e1i33z6ohq98tllukn + R81BYOLGW: m-m5eb1zyo5cjbvte7ovay + R8110BYOLMGMT: m-m5eftm32pjq4ghtwcn25 + R8110BYOLGW: m-m5ef0hxxec3ws2c2y26b + R8120BYOLMGMT: m-m5ebt96quorb2gj7dhku + R8120BYOLGW: m-m5eftm32pjq4g9xrwf5o + cn-beijing: + R81BYOLMGMT: m-2ze5d2jit72gotjw5d77 + R81BYOLGW: m-2zec8i2qli4cnqfw9e3o + R8110BYOLMGMT: m-2zehvbpbae19t51owc0j + R8110BYOLGW: m-2zeiwvllkl9jybavtmey + R8120BYOLMGMT: m-2ze1781062lxfwe35d1p + R8120BYOLGW: m-2ze347cq3f6fg3udyb1p + cn-zhangjiakou: + R81BYOLMGMT: m-8vb1rjkshxdaynvqbexj + R81BYOLGW: m-8vb1rjkshxdax8kxdzkk + R8110BYOLMGMT: m-8vb83tbc4hwpesbvte9d + R8110BYOLGW: m-8vbblzj10mzvpnkzdint + R8120BYOLMGMT: m-8vbeoj3rrq2tm6o5bhaa + R8120BYOLGW: m-8vbd1bffbjhlxjkb0k4i + cn-huhehaote: + R81BYOLMGMT: m-hp309790we62uhpo5eed + R81BYOLGW: m-hp3ab2tvfxuar5snxu2r + R8110BYOLMGMT: m-hp3h3tzxij7kl9tdrqg2 + R8110BYOLGW: m-hp325dwey9rn4tyiyuyu + R8120BYOLMGMT: m-hp31ci7e1eeaj062wki0 + R8120BYOLGW: m-hp31ci7e1eealqtmjb9n + cn-wulanchabu: + R81BYOLMGMT: m-0jlhwuucdujv3wee7m96 + R81BYOLGW: m-0jle5qxpr97s1c64e72k + R8110BYOLMGMT: m-0jl54w11sr4odheytky1 + R8110BYOLGW: m-0jlbavg2r5fjc4jxypp7 + R8120BYOLMGMT: m-0jl54w11sr4oakubuo94 + R8120BYOLGW: m-0jlbavg2r5fiwm6736o3 + cn-hangzhou: + R81BYOLMGMT: m-bp14kps2wrk6qquv5ok0 + R81BYOLGW: m-bp1aa9u6zcazi4o1hnjh + R8110BYOLMGMT: m-bp1dz2nq9fqppcf8smpk + R8110BYOLGW: m-bp1hamqhfny1smyl8ql7 + R8120BYOLMGMT: m-bp149dep83kgo5p0dw3l + R8120BYOLGW: m-bp1gvq0d0413vbnakoqj + cn-shanghai: + R81BYOLMGMT: m-uf6cj9tqmxx1bsfmbu45 + R81BYOLGW: m-uf63qkdigbprn96zy3vm + R8110BYOLMGMT: m-uf655j7a9r7otwa2xemv + R8110BYOLGW: m-uf6idj2b3zt57omxvzbr + R8120BYOLMGMT: 
m-uf62vrhc5bapfoy9lw7n + R8120BYOLGW: m-uf6c9vxp1n58y56ep033 + cn-shenzhen: + R81BYOLMGMT: m-wz9d9s75jsh11z089uuj + R81BYOLGW: m-wz9czejz43gyhdztsjnr + R8110BYOLMGMT: m-wz95gswem9lea2z0d9se + R8110BYOLGW: m-wz93e5pwshkmiv35y9ii + R8120BYOLMGMT: m-wz9am290ax9js6dfdt5o + R8120BYOLGW: m-wz94fs2enyvm6qhx3ged + cn-heyuan: + R81BYOLMGMT: m-f8z61z784gwfm1fhxgre + R81BYOLGW: m-f8z7wvp6hhvsvevtpb0j + R8110BYOLMGMT: m-f8z5o7741si10yq0piws + R8110BYOLGW: m-f8z985hmyc9d8951pr76 + R8120BYOLMGMT: m-f8zj0s3cyg3glnlz414g + R8120BYOLGW: m-f8z5o7741si10ssxdczf + cn-guangzhou: + R81BYOLMGMT: m-7xv95xjo0yd0lg4y1z9p + R81BYOLGW: m-7xv95xjo0yd0k0u54jwr + R8110BYOLMGMT: m-7xv4bih29ge5i2je9amd + R8110BYOLGW: m-7xv7i7fhzogppdgxa2cc + R8120BYOLMGMT: m-7xv3lyr4gpzmp8ei0qgi + R8120BYOLGW: m-7xv7i7fhzogp9v36ejbr + cn-chengdu: + R81BYOLMGMT: m-2vcho1h20xnncjlroavq + R81BYOLGW: m-2vc0m9vq9oty74yz83d4 + R8110BYOLMGMT: m-2vc13w2rjk7p9o285gtj + R8110BYOLGW: m-2vc13w2rjk7pp0ivotxs + R8120BYOLMGMT: m-2vc0nlbyccv29t5ql0oh + R8120BYOLGW: m-2vcd6ume44qej9ffhaxg diff --git a/terraform/alicloud/modules/images/main.tf b/terraform/alicloud/modules/images/main.tf new file mode 100755 index 00000000..86231617 --- /dev/null +++ b/terraform/alicloud/modules/images/main.tf 
@@ -0,0 +1,20 @@
+locals {
+ images_yaml_regionMap = yamldecode(split("Resources", file("${path.module}/images.yaml"))[0]).Mappings.RegionMap
+ images_yaml_converterMap = yamldecode(split("Resources", file("${path.module}/images.yaml"))[0]).Mappings.ConverterMap
+
+
+ // Variables example:
+ // version_license = "R81.20-BYOL"
+ // RESULT:
+ // version_license_key = "R81.20-BYOL-GW"
+ // version_license_value = "R8120BYOLGW"
+
+ version_license_key = format("%s%s", var.version_license, var.chkp_type == "gateway" ? "-GW" : var.chkp_type == "management" ? "-MGMT" : "")
+ version_license_value = local.images_yaml_converterMap[local.version_license_key]["Value"]
+
+ // Variables example:
+ // region = "us-east-1"
+ // version_license_key - see above
+ // RESULT: local.image_id = "m-1234567"
+ image_id = local.images_yaml_regionMap[local.region][local.version_license_value]
+}
\ No newline at end of file
diff --git a/terraform/alicloud/modules/images/output.tf b/terraform/alicloud/modules/images/output.tf
new file mode 100755
index 00000000..a4611551
--- /dev/null
+++ b/terraform/alicloud/modules/images/output.tf
@@ -0,0 +1,6 @@
+output "image_id" {
+ value = local.image_id
+}
+output "version_license_with_sufix" {
+ value = local.version_license_key
+}
\ No newline at end of file
diff --git a/terraform/alicloud/modules/images/variables.tf b/terraform/alicloud/modules/images/variables.tf
new file mode 100755
index 00000000..0c646605
--- /dev/null
+++ b/terraform/alicloud/modules/images/variables.tf
@@ -0,0 +1,20 @@
+data "alicloud_regions" "current" {
+ current = true
+}
+locals {
+ region = data.alicloud_regions.current.regions.0.id
+}
+
+// --- Version and license ---
+variable "chkp_type" {
+ type = string
+ description = "The Check Point machine type"
+ default = "gateway"
+}
+
+variable "version_license" {
+ type = string
+ description = "Version and license"
+ default = "R81.20-BYOL"
+}
+
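Review bot: The two lookups at the top of `locals` each read and parse images.yaml and first cut it at the literal substring `Resources` via `split("Resources", file(...))[0]`; the images.yaml added in this commit has only `Description`, `Parameters` and `Mappings`, so the split is a no-op today (presumably carried over from a template that does have a Resources section), but any future description text or key containing that substring would silently truncate the document and the later index would fail with an error that never mentions the split. Parse once and drop it: `images_yaml = yamldecode(file("${path.module}/images.yaml"))`, `images_yaml_regionMap = local.images_yaml.Mappings.RegionMap`, `images_yaml_converterMap = local.images_yaml.Mappings.ConverterMap`. `version_license_key` also appends an empty suffix when `var.chkp_type` is neither `gateway` nor `management`, and the failure then surfaces as a missing key in `ConverterMap`; a comment such as `// any other chkp_type produces a key that is absent from ConverterMap and fails on the next line` would spare the next reader the search.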
diff --git a/terraform/alicloud/modules/images/versions.tf b/terraform/alicloud/modules/images/versions.tf
new file mode 100755
index 00000000..0ec4dcca
--- /dev/null
+++ b/terraform/alicloud/modules/images/versions.tf
@@ -0,0 +1,3 @@
+terraform {
+ required_version = ">= 0.14.3"
+}
\ No newline at end of file
diff --git a/terraform/alicloud/modules/vpc/locals.tf b/terraform/alicloud/modules/vpc/locals.tf
new file mode 100755
index 00000000..1e3622f2
--- /dev/null
+++ b/terraform/alicloud/modules/vpc/locals.tf
@@ -0,0 +1,6 @@
+locals {
+ regex_valid_cidr = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$"
+
+ // Will fail if var.vpc_cidr is invalid
+ regex_vpc_cidr = regex(local.regex_valid_cidr, var.vpc_cidr) == var.vpc_cidr ? 0 : "Variable [vpc_cidr] must be a valid vpc cidr"
+}
\ No newline at end of file
diff --git a/terraform/alicloud/modules/vpc/main.tf b/terraform/alicloud/modules/vpc/main.tf
new file mode 100755
index 00000000..55ae14a9
--- /dev/null
+++ b/terraform/alicloud/modules/vpc/main.tf
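Review bot: The comparison in `regex_vpc_cidr` can never be true: `regex_valid_cidr` contains capture groups, so `regex()` returns a list of captured substrings rather than the matched string, and `== var.vpc_cidr` compares a list with a string. A valid CIDR is accepted only because `regex()` itself raises when the pattern does not match, so the comment `// Will fail if var.vpc_cidr is invalid` holds for that reason alone and the string branch is dead. With `required_version = ">= 0.14.3"` the intended behaviour is a `validation` block on `vpc_cidr` in variables.tf with the pattern inlined, `condition = can(regex("^...$", var.vpc_cidr))` plus an `error_message`, which reports the variable and the message instead of a bare regex failure; if the local is kept, change the comment to say that it fails through the `regex()` error and not through the comparison.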
@@ -0,0 +1,38 @@
+// --- VPC ---
+resource "alicloud_vpc" "vpc" {
+ cidr_block = var.vpc_cidr
+ vpc_name = var.vpc_name
+}
+
+// --- Public Vswitch ---
+resource "alicloud_vswitch" "publicVsw" {
+ for_each = var.public_vswitchs_map
+
+ vpc_id = alicloud_vpc.vpc.id
+ zone_id = each.key
+ cidr_block = cidrsubnet(alicloud_vpc.vpc.cidr_block, var.vswitchs_bit_length, each.value)
+ vswitch_name = format("Public-vswitch-%s", each.value)
+ tags = {}
+}
+
+// --- Management Vswitch ---
+resource "alicloud_vswitch" "managementVsw" {
+ for_each = var.management_vswitchs_map
+
+ vpc_id = alicloud_vpc.vpc.id
+ zone_id = each.key
+ cidr_block = cidrsubnet(alicloud_vpc.vpc.cidr_block, var.vswitchs_bit_length, each.value)
+ vswitch_name = format("Management-vswitch-%s", each.value)
+ tags = {}
+}
+
+// --- Private Vswitch ---
+resource "alicloud_vswitch" "privateVsw" {
+ for_each = var.private_vswitchs_map
+
+ vpc_id = alicloud_vpc.vpc.id
+ zone_id = each.key
+ cidr_block = cidrsubnet(alicloud_vpc.vpc.cidr_block, var.vswitchs_bit_length, each.value)
+ vswitch_name = format("Private-vswitch-%s", each.value)
+ tags = {}
+}
diff --git a/terraform/alicloud/modules/vpc/output.tf b/terraform/alicloud/modules/vpc/output.tf
new file mode 100755
index 00000000..ce218660
--- /dev/null
+++ b/terraform/alicloud/modules/vpc/output.tf
@@ -0,0 +1,15 @@
+output "vpc_id" {
+ value = alicloud_vpc.vpc.id
+}
+output "vpc_name" {
+ value = alicloud_vpc.vpc.name
+}
+output "public_vswitchs_ids_list" {
+ value = [for public_vswitch in alicloud_vswitch.publicVsw : public_vswitch.id ]
+}
+output "management_vswitchs_ids_list" {
+ value = [for management_vswitch in alicloud_vswitch.managementVsw : management_vswitch.id ]
+}
+output "private_vswitchs_ids_list" {
+ value = [for private_vswitch in alicloud_vswitch.privateVsw : private_vswitch.id]
+}
diff --git a/terraform/alicloud/modules/vpc/variables.tf b/terraform/alicloud/modules/vpc/variables.tf
new file mode 100755
index 00000000..bb0807f5
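Review bot: `output "vpc_name"` reads `alicloud_vpc.vpc.name`, while main.tf in the same commit sets the resource through `vpc_name = var.vpc_name`; `name` appears to be the older alias of `vpc_name` on this resource, so the output should read the attribute the module actually sets, `value = alicloud_vpc.vpc.vpc_name`, rather than rely on an alias that may not survive a bump of the pinned provider version 1.203.0.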
--- /dev/null
+++ b/terraform/alicloud/modules/vpc/variables.tf
@@ -0,0 +1,23 @@
+variable "vpc_cidr" {
+ type = string
+}
+variable "vpc_name" {
+ type = string
+}
+variable "public_vswitchs_map" {
+ type = map(string)
+ description = "A map of pairs {availability-zone = vswitch-suffix-number}. Each entry creates a vswitch. Minimum 1 pair. (e.g. {\"cn-hangzhou-e\" = 1} ) "
+}
+variable "management_vswitchs_map" {
+ type = map(string)
+ description = "(Optional) A map of pairs {availability-zone = vswitch-suffix-number}. Each entry creates a vswitch. Minimum 1 pair. (e.g. {\"cn-hangzhou-e\" = 3} ) "
+ default = {}
+}
+variable "private_vswitchs_map" {
+ type = map(string)
+ description = "A map of pairs {availability-zone = vswitch-suffix-number}. Each entry creates a vswitch. Minimum 1 pair. (e.g. {\"cn-hangzhou-f\" = 3} ) "
+}
+variable "vswitchs_bit_length" {
+ type = number
+ description = "Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a vswitchs_bit_length value is 4, the resulting vswitch address will have length /20"
+}
diff --git a/terraform/alicloud/modules/vpc/versions.tf b/terraform/alicloud/modules/vpc/versions.tf
new file mode 100755
index 00000000..906a4df0
--- /dev/null
+++ b/terraform/alicloud/modules/vpc/versions.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ alicloud = {
+ source = "hashicorp/alicloud"
+ version = "1.203.0"
+ }
+ }
+}
\ No newline at end of file
diff --git a/terraform/aws/README.md b/terraform/aws/README.md
new file mode 100644
index 00000000..9af36f4f
--- /dev/null
+++ b/terraform/aws/README.md
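Review bot: The description of `management_vswitchs_map` says both `(Optional)` and `Minimum 1 pair` while its `default = {}` allows zero entries; drop the `Minimum 1 pair.` clause from that variable so the documentation matches the default. The three map variables are typed `map(string)` but their values are passed as the netnum argument of `cidrsubnet` in main.tf of this commit, so `type = map(number)` would reject a non-numeric suffix at plan time instead of inside the function call. `vpc_cidr` and `vpc_name` have no `description`; `vpc_cidr` in particular should state the accepted range that locals.tf enforces, e.g. `description = "IPv4 CIDR of the VPC; prefix length /16 to /28"`.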
@@ -0,0 +1,13 @@ +# Check Point CloudGuard Network Terraform deployment modules for AWS + +This project was developed to allow Terraform deployments for Check Point CloudGuard Network solutions on AWS. + + +These modules use Terraform's [AWS provider](https://www.terraform.io/docs/providers/aws/index.html) in order to create and provision resources on AWS. + + + ## Prerequisites + +1. [Download Terraform](https://www.terraform.io/downloads.html) and follow the instructions according to your OS. +2. Get started with Terraform AWS provider - refer to [Terraform AWS provider best practices](https://www.terraform.io/docs/providers/aws/index.html). +3. Subscribe to Check Point CloudGuard Network's offers - visit [AWS Marketplace](https://aws.amazon.com/marketplace/seller-profile?id=a979fc8a-dd48-42c8-84cc-63d5d50e3a2f). diff --git a/terraform/aws/autoscale-gwlb/README.md b/terraform/aws/autoscale-gwlb/README.md new file mode 100755 index 00000000..a156f3cc --- /dev/null +++ b/terraform/aws/autoscale-gwlb/README.md 
@@ -0,0 +1,185 @@ +# Check Point CloudGuard Network Auto Scaling GWLB Terraform module for AWS + +Terraform module which deploys an Auto Scaling Group of Check Point Security Gateways into an existing VPC. + +These types of Terraform resources are supported: +* [Launch template](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) +* [Auto Scaling Group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group) +* [Security group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) +* [CloudWatch Metric Alarm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) + + +See the [CloudGuard Auto Scaling for AWS](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CloudGuard_Network_for_AWS_AutoScaling_DeploymentGuide/Topics-AWS-AutoScale-DG/Check-Point-CloudGuard-Network-for-AWS.htm) for additional information + +This solution uses the following modules: +- /terraform/aws/modules/amis + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.aws_access_key_ID + secret_key = var.aws_secret_access_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/autoscale/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.aws_access_key_ID + // secret_key = var.aws_secret_access_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/autoscale/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +- Variables are configured in /terraform/aws/autoscale/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- Environment --- + prefix = "env1" + asg_name = "autoscaling_group" + + // --- VPC Network Configuration --- + vpc_id = "vpc-12345678" + subnet_ids = ["subnet-abc123", "subnet-def456"] + + // --- Automatic Provisioning with Security Management Server Settings --- + gateways_provision_address_type = "private" + allocate_public_IP = false + management_server = "mgmt_env1" + configuration_template = "tmpl_env1" + + // --- EC2 Instances Configuration --- + gateway_name = "asg_gateway" + gateway_instance_type = "c5.xlarge" + key_name = "publickey" + instances_tags = { + key1 = "value1" + key2 = "value2" + } + + // --- Auto Scaling Configuration --- + minimum_group_size = 2 + maximum_group_size = 10 + target_groups = ["arn:aws:tg1/abc123", "arn:aws:tg2/def456"] + + // --- Check Point Settings --- + gateway_version = "R81.20-BYOL" + admin_shell = "/etc/cli.sh" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. 
+ gateway_SICKey = "12345678" + enable_instance_connect = false + allow_upload_download = true + enable_cloudwatch = false + gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + + + +- Conditional creation + - To enable cloudwatch for ASG: + ``` + enable_cloudwatch = true + ``` + Note: enabling cloudwatch will automatically create IAM role with cloudwatch:PutMetricData permission +- To tear down your resources: + ``` + terraform destroy + ``` + + + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | +|----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------|----------| +| prefix | (Optional) Instances name prefix | string | n/a | "" | no | +| asg_name | Autoscaling Group name | string | n/a | Check-Point-ASG-tf | no | +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| subnet_ids | List of public subnet IDs to launch resources into. Recommended at least 2 | list(string) | n/a | n/a | yes | +| gateways_provision_address_type | Determines if the gateways are provisioned using their private or public address. | string | - private
- public | private | no | +| allocate_public_IP | Allocate a Public IP for gateway members. | bool | true/false | false | no | +| management_server | The name that represents the Security Management Server in the CME configuration | string | n/a | n/a | yes | +| configuration_template | Name of the provisioning template in the CME configuration | string | n/a | n/a | yes | +| gateway_name | The name tag of the Security Gateways instances | string | n/a | Check-Point-ASG-gateway-tf | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | +| instances_tags | (Optional) A map of tags as key=value pairs. All tags will be added on all AutoScaling Group instances | map(string) | n/a | {} | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| minimum_group_size | The minimum number of instances in the Auto Scaling group | number | n/a | 2 | no | +| maximum_group_size | The maximum number of instances in the Auto Scaling group | number | n/a | 10 | no | +| target_groups | (Optional) List of Target Group ARNs to associate with the Auto Scaling group | list(string) | n/a | [] | no | +| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components (at least 8 alphanumeric characters) | string | n/a | "12345678" | yes | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | +| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no | + +## Outputs +| Name | Description | +|------------------------------------------------|-------------------------------------------------------------------| +| autoscale_autoscaling_group_name | The name of the deployed AutoScaling Group | +| autoscale_autoscaling_group_arn | The ARN for the deployed AutoScaling Group | +| autoscale_autoscaling_group_availability_zones | The AZs on which the Autoscaling Group is configured | +| autoscale_autoscaling_group_desired_capacity | The deployed AutoScaling Group's desired capacity of instances | +| autoscale_autoscaling_group_min_size | The deployed AutoScaling Group's minimum number of instances | +| autoscale_autoscaling_group_max_size | The deployed AutoScaling Group's maximum number of instances | +| autoscale_autoscaling_group_target_group_arns | The deployed AutoScaling Group's configured target groups | +| autoscale_autoscaling_group_subnets | The subnets on which the deployed AutoScaling Group is configured | +| autoscale_launch_template_id | The id of the Launch Template | +| autoscale_autoscale_security_group_id | The deployed AutoScaling Group's security group id | +| autoscale_iam_role_name | The deployed AutoScaling Group's IAM role name (if created) | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | 
+|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 20220414 | First release of Check Point Auto Scaling GWLB Terraform module for AWS | +| 20220606 | New instance type support | +| 20221123 | R81.20 version support | +| 20221226 | Support ASG Launch Template instead of Launch Configuration | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230806 | Add support for c6in instance type | +| 20230829 | Change default Check Point version to R81.20 | +| 20230914 | Add support for maintenance mode password | +| 20230923 | Add support for C5d instance type | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20240414 | - Add support for Elastic Load Balancer Health Checks.
- EC2 Auto Scaling will start to detect and act on health checks performed by Elastic Load Balancing. | +| 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/terraform/aws/autoscale-gwlb/asg_userdata.yaml b/terraform/aws/autoscale-gwlb/asg_userdata.yaml new file mode 100755 index 00000000..bb095c01 --- /dev/null +++ b/terraform/aws/autoscale-gwlb/asg_userdata.yaml @@ -0,0 +1,29 @@ +#cloud-config +network: + version: 1 + config: + - type: bridge + name: br0 + mtu: *eth0-mtu + subnets: + - address: *eth0-private + type: static + gateway: *default-gateway + dns_nameservers: + - *eth0-dns1 + bridge_interfaces: + - eth0 +kernel_parameters: + sim: + - sim_geneve_enabled=1 + - sim_geneve_br_dev=br0 + fw: + + - fwtls_bridge_mode_inspection=1 + - fw_geneve_enabled=1 +bootcmd: + - echo "brctl hairpin br0 eth0 on" >> /etc/rc.local + - echo "cpprod_util CPPROD_SetValue \"fw1\" \"AwsGwlb\" 4 1 1" >> /etc/rc.local +runcmd: + - | + python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" installationType=\"autoscale\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"autoscale_gwlb\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" bootstrapScript64=\"${BootstrapScript}\" \ No newline at end of file diff --git a/terraform/aws/autoscale-gwlb/locals.tf b/terraform/aws/autoscale-gwlb/locals.tf new file mode 100755 index 00000000..ef1abdf2 --- /dev/null +++ b/terraform/aws/autoscale-gwlb/locals.tf 
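Review bot: The `runcmd` line stamps `templateVersion=\"20231012\"` on the instance, but the README revision history in this same commit already lists 20240414 and 20240515 releases, so the version reported to cloud_config.py no longer identifies the template that produced it; it should track the latest README entry, e.g. `templateVersion=\"20240515\"`. Separately, the SIC key and both password hashes travel as command-line arguments to `python3 /etc/cloud_config.py` (base64-encoded only), which in general leaves them visible in the process list and in cloud-init's recorded command output; cloud_config.py is outside this diff, so the fix belongs there, but a header comment in this file noting that these arguments are secrets would help the next maintainer. The aliases `*eth0-mtu`, `*eth0-private`, `*default-gateway` and `*eth0-dns1` have no anchors in this document, so I assume they are substituted by the Check Point cloud-init layer before parsing; a one-line comment stating that would save reviewers the question.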
@@ -0,0 +1,56 @@ +locals { + asg_name = format("%s%s", var.prefix != "" ? format("%s-", var.prefix) : "", var.asg_name) + create_iam_role = var.enable_cloudwatch ? 1 : 0 + + gateways_provision_address_type_allowed_values = [ + "public", + "private" + ] + // Will fail if var.gateways_provision_address_type is invalid + validate_gateways_provision_address_type = index(local.gateways_provision_address_type_allowed_values, var.gateways_provision_address_type) + + admin_shell_allowed_values = [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh" + ] + // Will fail if var.admin_shell is invalid + validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell) + + regex_valid_key_name = "[\\S\\s]+[\\S]+" + // will fail if var.key_name is invalid + regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string" + + regex_valid_sic_key = "^[a-zA-Z0-9]{8,}$" + // Will fail if var.gateway_SICKey is invalid + regex_sic_result = regex(local.regex_valid_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SICKey] must be at least 8 alphanumeric characters" + + regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$" + // Will fail if var.gateway_password_hash is invalid + regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash" + regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 
0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash" + + regex_valid_cidr_range = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))?$" + + tags_asg_format = null_resource.tags_as_list_of_maps.*.triggers + + //Splits the version and licence and returns the os version + version_split = element(split("-", var.gateway_version), 0) + + gateway_bootstrap_script64 = base64encode(var.gateway_bootstrap_script) + gateway_SICkey_base64 = base64encode(var.gateway_SICKey) + gateway_password_hash_base64 = base64encode(var.gateway_password_hash) + maintenance_mode_password_hash_base64 = base64encode(var.gateway_maintenance_mode_password_hash) + is_gwlb_ami = length(regexall(".*R80.40.*", var.gateway_version)) > 0 + +} +resource "null_resource" "tags_as_list_of_maps" { + count = length(keys(var.instances_tags)) + + triggers = { + "key" = keys(var.instances_tags)[count.index] + "value" = values(var.instances_tags)[count.index] + "propagate_at_launch" = "true" + } +} diff --git a/terraform/aws/autoscale-gwlb/main.tf b/terraform/aws/autoscale-gwlb/main.tf new file mode 100755 index 00000000..3c7b7948 --- /dev/null +++ b/terraform/aws/autoscale-gwlb/main.tf 
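Review bot: The checks `regex_key_name_result`, `regex_sic_result`, `regex_gateway_password_hash` and `regex_gateway_maintenance_mode_password_hash` rely on a `cond ? 0 : "message"` fallback, but inside a `locals` block that does not fail on its own — as far as I can tell Terraform unifies the number and string branches to a string — so the only thing that actually stops a run is `regex()` raising when the pattern does not match, and the "Will fail if ... is invalid" comments are true only for that path. variables.tf in this commit already uses a native `validation` block for `configuration_template`; moving these patterns into `validation { condition = can(regex("^[a-zA-Z0-9]{8,}$", var.gateway_SICKey)) ... }` style blocks on the respective variables gives a clear plan-time message and keeps the two files consistent. `regex_valid_cidr_range` is not referenced in this file section or in main.tf as shown, and `gateway_SICkey_base64` breaks the `gateway_SICKey` spelling used everywhere else. The `is_gwlb_ami` pattern `.*R80.40.*` leaves the dots unescaped; `regexall("R80\\.40", var.gateway_version)` is what seems intended.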
@@ -0,0 +1,202 @@ +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} + +module "amis" { + source = "../modules/amis" + version_license = var.gateway_version + amis_url = local.is_gwlb_ami == true ? "https://cgi-cfts.s3.amazonaws.com/gwlb/amis-gwlb.yaml" : "https://cgi-cfts.s3.amazonaws.com/utils/amis.yaml" + +} + +resource "aws_security_group" "permissive_sg" { + name_prefix = format("%s_PermissiveSecurityGroup", local.asg_name) + description = "Permissive security group" + vpc_id = var.vpc_id + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + ingress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + tags = { + Name = format("%s_PermissiveSecurityGroup", local.asg_name) + } +} + +resource "aws_launch_template" "asg_launch_template" { + name_prefix = local.asg_name + image_id = module.amis.ami_id + instance_type = var.gateway_instance_type + key_name = var.key_name + network_interfaces { + associate_public_ip_address = var.allocate_public_IP + security_groups = [aws_security_group.permissive_sg.id] + } + metadata_options { + http_tokens = var.metadata_imdsv2_required ? "required" : "optional" + } + + iam_instance_profile { + name = ( var.enable_cloudwatch ? 
aws_iam_instance_profile.instance_profile[0].name : "") + } + + monitoring { + enabled = true + } + + block_device_mappings { + device_name = "/dev/xvda" + ebs { + volume_type = var.volume_type + volume_size = var.volume_size + encrypted = var.enable_volume_encryption + } + } + + description = "Initial template version" + + user_data = base64encode(templatefile("${path.module}/asg_userdata.yaml", { + // script's arguments + PasswordHash = local.gateway_password_hash_base64, + MaintenanceModePassword = local.maintenance_mode_password_hash_base64, + EnableCloudWatch = var.enable_cloudwatch, + EnableInstanceConnect = var.enable_instance_connect, + Shell = var.admin_shell, + SICKey = local.gateway_SICkey_base64, + AllowUploadDownload = var.allow_upload_download, + BootstrapScript = local.gateway_bootstrap_script64, + OsVersion = local.version_split + })) +} +resource "aws_autoscaling_group" "asg" { + name_prefix = local.asg_name + launch_template { + id = aws_launch_template.asg_launch_template.id + version = aws_launch_template.asg_launch_template.latest_version + } + min_size = var.minimum_group_size + max_size = var.maximum_group_size + target_group_arns = var.target_groups + vpc_zone_identifier = var.subnet_ids + health_check_grace_period = 3600 + health_check_type = "ELB" + + tag { + key = "Name" + value = format("%s%s", var.prefix != "" ? 
format("%s-", var.prefix) : "", var.gateway_name) + propagate_at_launch = true + } + + tag { + key = "x-chkp-tags" + value = format("management=%s:template=%s:ip-address=%s", var.management_server, var.configuration_template, var.gateways_provision_address_type) + propagate_at_launch = true + } + + tag { + key = "x-chkp-topology" + value = "internal" + propagate_at_launch = true + } + + tag { + key = "x-chkp-solution" + value = "autoscale_gwlb" + propagate_at_launch = true + } + + dynamic "tag" { + for_each = var.instances_tags + content { + key = tag.key + value = tag.value + propagate_at_launch = true + } + } +} + +data "aws_iam_policy_document" "assume_role_policy_document" { + version = "2012-10-17" + statement { + actions = ["sts:AssumeRole"] + principals { + type = "Service" + identifiers = ["ec2.amazonaws.com"] + } + effect = "Allow" + } +} + +resource "aws_iam_role" "role" { + count = local.create_iam_role + name_prefix = format("%s-iam_role", local.asg_name) + assume_role_policy = data.aws_iam_policy_document.assume_role_policy_document.json + path = "/" +} +module "attach_cloudwatch_policy" { + source = "../modules/cloudwatch-policy" + count = local.create_iam_role + role = aws_iam_role.role[count.index].name + tag_name = local.asg_name +} +resource "aws_iam_instance_profile" "instance_profile" { + count = local.create_iam_role + name_prefix = format("%s-iam_instance_profile", local.asg_name) + path = "/" + role = aws_iam_role.role[count.index].name +} + +// Scaling metrics +resource "aws_cloudwatch_metric_alarm" "cpu_alarm_low" { + alarm_name = format("%s_alarm_low", aws_autoscaling_group.asg.name) + metric_name = "CPUUtilization" + alarm_description = "Scale-down if CPU < 60% for 10 minutes" + namespace = "AWS/EC2" + statistic = "Average" + period = 300 + evaluation_periods = 2 + threshold = 60 + alarm_actions = [aws_autoscaling_policy.scale_down_policy.arn] + dimensions = { + AutoScalingGroupName = aws_autoscaling_group.asg.name + } + 
comparison_operator = "LessThanThreshold"
+}
+resource "aws_autoscaling_policy" "scale_down_policy" {
+ autoscaling_group_name = aws_autoscaling_group.asg.name
+ name = format("%s_scale_down", aws_autoscaling_group.asg.name)
+ adjustment_type = "ChangeInCapacity"
+ cooldown = 300
+ scaling_adjustment = -1
+}
+resource "aws_cloudwatch_metric_alarm" "cpu_alarm_high" {
+ alarm_name = format("%s_alarm_high", aws_autoscaling_group.asg.name)
+ metric_name = "CPUUtilization"
+ alarm_description = "Scale-up if CPU > 80% for 10 minutes"
+ namespace = "AWS/EC2"
+ statistic = "Average"
+ period = 300
+ evaluation_periods = 2
+ threshold = 80
+ alarm_actions = [aws_autoscaling_policy.scale_up_policy.arn]
+ dimensions = {
+ AutoScalingGroupName = aws_autoscaling_group.asg.name
+ }
+ comparison_operator = "GreaterThanThreshold"
+}
+resource "aws_autoscaling_policy" "scale_up_policy" {
+ autoscaling_group_name = aws_autoscaling_group.asg.name
+ name = format("%s_scale_up", aws_autoscaling_group.asg.name)
+ adjustment_type = "ChangeInCapacity"
+ cooldown = 300
+ scaling_adjustment = 1
+}
diff --git a/terraform/aws/autoscale-gwlb/output.tf b/terraform/aws/autoscale-gwlb/output.tf
new file mode 100755
index 00000000..ce5f76ce
--- /dev/null
+++ b/terraform/aws/autoscale-gwlb/output.tf
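Review bot: `aws_security_group.permissive_sg` allows ingress on every port and protocol from `0.0.0.0/0`, and it is the only group attached to the launch template's `network_interfaces`, so with `allocate_public_IP = true` each gateway member is reachable from the Internet on all ports with only the gateway's own policy in between. In a GWLB design the data-plane traffic generally arrives as GENEVE from the load balancer's endpoints inside the VPC, so the source can be narrowed without changing the architecture; at minimum the ingress sources should be a variable, e.g. `cidr_blocks = var.ingress_cidr_blocks` (declared in variables.tf with a default of `["0.0.0.0/0"]` to keep current behaviour), so operators who publish the members can restrict them. Related documentation mismatch: the README in this commit shows the provider block as `access_key = var.aws_access_key_ID` / `secret_key = var.aws_secret_access_key`, while this main.tf uses `var.access_key` / `var.secret_key`, so the README's "comment these lines" instructions do not match the file.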
@@ -0,0 +1,41 @@
+output "Deployment" {
+ value = "Finalizing instances configuration may take up to 20 minutes after deployment is finished."
+}
+
+output "autoscale_autoscaling_group_name" {
+ value = aws_autoscaling_group.asg.name
+}
+output "autoscale_autoscaling_group_arn" {
+ value = aws_autoscaling_group.asg.arn
+}
+output "autoscale_autoscaling_group_availability_zones" {
+ value = aws_autoscaling_group.asg.availability_zones
+}
+output "autoscale_autoscaling_group_desired_capacity" {
+ value = aws_autoscaling_group.asg.desired_capacity
+}
+output "autoscale_autoscaling_group_min_size" {
+ value = aws_autoscaling_group.asg.min_size
+}
+output "autoscale_autoscaling_group_max_size" {
+ value = aws_autoscaling_group.asg.max_size
+}
+output "autoscale_autoscaling_group_target_group_arns" {
+ value = aws_autoscaling_group.asg.target_group_arns
+}
+output "autoscale_autoscaling_group_subnets" {
+ value = aws_autoscaling_group.asg.vpc_zone_identifier
+}
+
+output "autoscale_launch_template_id" {
+ value = aws_launch_template.asg_launch_template.id
+}
+
+output "autoscale_security_group_id" {
+ value = aws_security_group.permissive_sg.id
+}
+
+output "autoscale_iam_role_name" {
+ value = aws_iam_role.role.*.name
+}
+
diff --git a/terraform/aws/autoscale-gwlb/terraform.tfvars b/terraform/aws/autoscale-gwlb/terraform.tfvars
new file mode 100755
index 00000000..4cced958
--- /dev/null
+++ b/terraform/aws/autoscale-gwlb/terraform.tfvars
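Review bot: The security group output is named `autoscale_security_group_id` here, but the README's Outputs table in this commit lists it as `autoscale_autoscale_security_group_id`; one of the two should change, and correcting the README row is the non-breaking option. `autoscale_iam_role_name` returns the splat `aws_iam_role.role.*.name`, i.e. a list that is empty when `enable_cloudwatch` is false, whereas the README describes a single name "(if created)"; a comment `# list: empty unless enable_cloudwatch = true` above the output (or `one(aws_iam_role.role.*.name)` on Terraform 0.15+ if a scalar-or-null is intended) would make the contract explicit. None of these outputs carry secrets, so no `sensitive` flag is needed, but the fixed-string `Deployment` output would read more naturally as a `description` on a real output than as a value.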
@@ -0,0 +1,42 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- Environment ---
+prefix = "env1"
+asg_name = "autoscaling_group"
+
+// --- VPC Network Configuration ---
+vpc_id = "vpc-12345678"
+subnet_ids = ["subnet-abc123", "subnet-def456"]
+
+// --- Automatic Provisioning with Security Management Server Settings ---
+gateways_provision_address_type = "private"
+allocate_public_IP = false
+management_server = "mgmt_env1"
+configuration_template = "tmpl_env1"
+
+// --- EC2 Instances Configuration ---
+gateway_name = "asg_gateway"
+gateway_instance_type = "c5.xlarge"
+key_name = "publickey"
+instances_tags = {
+ key1 = "value1"
+ key2 = "value2"
+}
+metadata_imdsv2_required = true
+
+// --- Auto Scaling Configuration ---
+minimum_group_size = 2
+maximum_group_size = 10
+target_groups = ["arn:aws:tg1/abc123", "arn:aws:tg2/def456"]
+
+// --- Check Point Settings ---
+gateway_version = "R81.20-BYOL"
+admin_shell = "/etc/cli.sh"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
+gateway_SICKey = "12345678"
+enable_instance_connect = false
+allow_upload_download = true
+enable_cloudwatch = false
+gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+
diff --git a/terraform/aws/autoscale-gwlb/variables.tf b/terraform/aws/autoscale-gwlb/variables.tf
new file mode 100644
index 00000000..cb1a985c
--- /dev/null
+++ b/terraform/aws/autoscale-gwlb/variables.tf
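Review bot: The committed sample sets `gateway_SICKey = "12345678"`, which satisfies the `^[a-zA-Z0-9]{8,}$` check in locals.tf, so an operator who applies this file unchanged establishes SIC trust with a guessable, publicly documented key — and the README table even presents that value as the variable's default. A placeholder that cannot pass validation, e.g. `gateway_SICKey = ""` (rejected by the regex) or leaving the assignment out so Terraform prompts for the required value, forces a real key to be chosen, and the README row should then show no default. It is good that `access_key`/`secret_key` are not set here; keeping provider credentials out of the committed tfvars should remain the documented practice.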
@@ -0,0 +1,191 @@ +// Module: Check Point CloudGuard Network Auto Scaling Group into an existing VPC + +// --- AWS Provider --- +variable "region" { + type = string + description = "AWS region" + default = "" +} +variable "access_key" { + type = string + description = "AWS access key" + default = "" +} +variable "secret_key" { + type = string + description = "AWS secret key" + default = "" +} + +// --- Environment --- +variable "prefix" { + type = string + description = "(Optional) Instances name prefix" + default = "" +} +variable "asg_name" { + type = string + description = "Autoscaling Group name" + default = "Check-Point-ASG-tf" +} + +// --- VPC Network Configuration --- +variable "vpc_id" { + type = string +} +variable "subnet_ids" { + type = list(string) + description = "List of public subnet IDs to launch resources into. Recommended at least 2" +} + +// --- Automatic Provisioning with Security Management Server Settings --- +variable "gateways_provision_address_type" { + type = string + description = "Determines if the gateways are provisioned using their private or public address" + default = "private" +} + +variable "allocate_public_IP" { + type = bool + description = "Allocate an Elastic IP for security gateway." + default = false +} + +resource "null_resource" "invalid_allocation" { + // Will fail if var.gateways_provision_address_type is public and var.allocate_public_IP is false + count = var.gateways_provision_address_type != "public" ? 0 : var.allocate_public_IP == true ? 
0 : "Gateway's selected to be provisioned by public IP, but [allocate_public_IP] parameter is false" +} + +variable "management_server" { + type = string + description = "The name that represents the Security Management Server in the CME configuration" +} +variable "configuration_template" { + type = string + description = "Name of the provisioning template in the CME configuration" + validation { + condition = length(var.configuration_template) < 31 + error_message = "The configuration_template name can not exceed 30 characters." + } +} + +// --- EC2 Instances Configuration --- +variable "gateway_name" { + type = string + description = "The name tag of the Security Gateways instances" + default = "Check-Point-ASG-gateway-tf" +} +variable "gateway_instance_type" { + type = string + description = "The instance type of the Security Gateways" + default = "c5.xlarge" +} +module "validate_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "gateway" + instance_type = var.gateway_instance_type +} +variable "key_name" { + type = string + description = "The EC2 Key Pair name to allow SSH access to the instances" +} +variable "volume_size" { + type = number + description = "Root volume size (GB) - minimum 100" + default = 100 +} +resource "null_resource" "volume_size_too_small" { + // Will fail if var.volume_size is less than 100 + count = var.volume_size >= 100 ? 0 : "variable volume_size must be at least 100" +} +variable "enable_volume_encryption" { + type = bool + description = "Encrypt Environment instances volume with default AWS KMS key" + default = true +} +variable "instances_tags" { + type = map(string) + description = "(Optional) A map of tags as key=value pairs. 
All tags will be added on all AutoScaling Group instances" + default = {} +} +variable "metadata_imdsv2_required" { + type = bool + description = "Set true to deploy the instance with metadata v2 token required" + default = true +} + +// --- Auto Scaling Configuration --- +variable "minimum_group_size" { + type = number + description = "The minimum number of instances in the Auto Scaling group" + default = 2 +} +variable "maximum_group_size" { + type = number + description = "The maximum number of instances in the Auto Scaling group" + default = 10 +} +variable "target_groups" { + type = list(string) + description = "(Optional) List of Target Group ARNs to associate with the Auto Scaling group" + default = [] +} + +// --- Check Point Settings --- +variable "gateway_version" { + type = string + description = "Gateway version and license" + default = "R81.20-BYOL" +} +module "validate_gateway_version" { + source = "../modules/common/version_license" + + chkp_type = "gwlb_gw" + version_license = var.gateway_version +} +variable "admin_shell" { + type = string + description = "Set the admin shell to enable advanced command line configuration" + default = "/etc/cli.sh" +} +variable "gateway_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" + default = "" +} +variable "gateway_maintenance_mode_password_hash" { + description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)." 
+ type = string + default = "" +} +variable "gateway_SICKey" { + type = string + description = "The Secure Internal Communication key for trusted connection between Check Point components (at least 8 alphanumeric characters)" +} +variable "enable_instance_connect" { + type = bool + description = "Enable SSH connection over AWS web console" + default = false +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + default = true +} +variable "enable_cloudwatch" { + type = bool + description = "Report Check Point specific CloudWatch metrics" + default = false +} +variable "gateway_bootstrap_script" { + type = string + description = "(Optional) Semicolon (;) separated commands to run on the initial boot" + default = "" +} + +variable "volume_type" { + type = string + description = "General Purpose SSD Volume Type" + default = "gp3" +} \ No newline at end of file diff --git a/terraform/aws/autoscale-gwlb/versions.tf b/terraform/aws/autoscale-gwlb/versions.tf new file mode 100755 index 00000000..dbebf275 --- /dev/null +++ b/terraform/aws/autoscale-gwlb/versions.tf @@ -0,0 +1,15 @@ +terraform { + required_version = ">= 0.14.3" + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.20.0" + } + http = { + version = "~> 3.4.0" + } + random = { + version = "~> 3.5.1" + } + } +} diff --git a/terraform/aws/autoscale/README.md b/terraform/aws/autoscale/README.md new file mode 100755 index 00000000..eb13ecd4 --- /dev/null +++ b/terraform/aws/autoscale/README.md 
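Review bot: `access_key`, `secret_key`, `gateway_SICKey`, `gateway_password_hash` and `gateway_maintenance_mode_password_hash` are not declared `sensitive = true`, so their values appear in clear text in `terraform plan`/`apply` output and in any CI log that captures it; versions.tf in this commit requires Terraform >= 0.14.3, where the `sensitive` argument exists, so `sensitive = true` is a one-line addition to each of those five blocks. Marking `gateway_SICKey` sensitive also propagates through the locals into the launch template's `user_data`, which is the intended effect. As a point of structure, this variables file also declares `null_resource` and `module` blocks (`invalid_allocation`, `volume_size_too_small`, `validate_instance_type`, `validate_gateway_version`) between variable definitions; since a native `validation` block is already used for `configuration_template`, `volume_size` could use `validation { condition = var.volume_size >= 100 error_message = "volume_size must be at least 100." }`, leaving only the `gateways_provision_address_type`/`allocate_public_IP` cross-check on the resource-count trick (variable validations could not reference other variables until Terraform 1.9).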
@@ -0,0 +1,199 @@ +# Check Point CloudGuard Network Auto Scaling Terraform module for AWS + +Terraform module which deploys an Auto Scaling Group of Check Point Security Gateways into an existing VPC. + +These types of Terraform resources are supported: +* [Launch template](https://www.terraform.io/docs/providers/aws/r/launch_template.html) +* [Auto Scaling Group](https://www.terraform.io/docs/providers/aws/r/autoscaling_group.html) +* [Security group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [CloudWatch Metric Alarm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) +* [IAM Role](https://www.terraform.io/docs/providers/aws/r/iam_role.html) - conditional creation +* [Proxy Elastic Load Balancer](https://www.terraform.io/docs/providers/aws/r/elb.html) - conditional creation + + +See the [CloudGuard Auto Scaling for AWS](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CloudGuard_Network_for_AWS_AutoScaling_DeploymentGuide/Default.htm) for additional information + +This solution uses the following modules: +- /terraform/aws/modules/amis + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.aws_access_key_ID + secret_key = var.aws_secret_access_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/autoscale/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.aws_access_key_ID + // secret_key = var.aws_secret_access_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/autoscale/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +- Variables are configured in /terraform/aws/autoscale/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- Environment --- + prefix = "env1" + asg_name = "autoscaling_group" + + // --- VPC Network Configuration --- + vpc_id = "vpc-12345678" + subnet_ids = ["subnet-abc123", "subnet-def456"] + + // --- Automatic Provisioning with Security Management Server Settings --- + gateways_provision_address_type = "private" + management_server = "mgmt_env1" + configuration_template = "tmpl_env1" + + // --- EC2 Instances Configuration --- + gateway_name = "asg_gateway" + gateway_instance_type = "c5.xlarge" + key_name = "publickey" + instances_tags = { + key1 = "value1" + key2 = "value2" + } + + // --- Auto Scaling Configuration --- + minimum_group_size = 2 + maximum_group_size = 10 + target_groups = ["arn:aws:tg1/abc123", "arn:aws:tg2/def456"] + + // --- Check Point Settings --- + gateway_version = "R81.20-BYOL" + admin_shell = "/etc/cli.sh" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. 
+ gateway_SICKey = "12345678" + enable_instance_connect = false + allow_upload_download = true + enable_cloudwatch = false + gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + + // --- Outbound Proxy Configuration (optional) --- + proxy_elb_type = "internet-facing" + proxy_elb_clients = "0.0.0.0/0" + proxy_elb_port = 8080 + ``` + +- Conditional creation + - To enable cloudwatch for ASG: + ``` + enable_cloudwatch = true + ``` + Note: enabling cloudwatch will automatically create IAM role with cloudwatch:PutMetricData permission + - To create an ASG configuration without a proxy ELB: + ``` + proxy_elb_type= "none" + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + + + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | +|----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------|----------| +| prefix | (Optional) Instances name prefix | string | n/a | "" | no | +| asg_name | Autoscaling Group name | string | n/a | Check-Point-ASG-tf | no | +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| subnet_ids | List of public subnet IDs to launch resources into. Recommended at least 2 | list(string) | n/a | n/a | yes | +| gateways_provision_address_type | Determines if the gateways are provisioned using their private or public address. | string | - private
- public | private | no | +| management_server | The name that represents the Security Management Server in the CME configuration | string | n/a | n/a | yes | +| configuration_template | Name of the provisioning template in the CME configuration | string | n/a | n/a | yes | +| gateway_name | The name tag of the Security Gateways instances | string | n/a | Check-Point-ASG-gateway-tf | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | +| instances_tags | (Optional) A map of tags as key=value pairs. All tags will be added on all AutoScaling Group instances | map(string) | n/a | {} | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| minimum_group_size | The minimum number of instances in the Auto Scaling group | number | n/a | 2 | no | +| maximum_group_size | The maximum number of instances in the Auto Scaling group | number | n/a | 10 | no | +| target_groups | (Optional) List of Target Group ARNs to associate with the Auto Scaling group | list(string) | n/a | [] | no | +| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81-BYOL
- R81-PAYG-NGTP
- R81-PAYG-NGTX
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components (at least 8 alphanumeric characters) | string | n/a | "12345678" | yes | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| proxy_elb_type | Type of ELB to create as an HTTP/HTTPS outbound proxy | string | - none
- internal
- internet-facing | none | no | +| proxy_elb_port | The TCP port on which the proxy will be listening | number | n/a | 8080 | no | +| proxy_elb_clients | The CIDR range of the clients of the proxy | string | n/a | 0.0.0.0/0 | no | +| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no | + + +## Outputs +| Name | Description | +|------------------------------------------------|-------------------------------------------------------------------| +| autoscale_autoscaling_group_name | The name of the deployed AutoScaling Group | +| autoscale_autoscaling_group_arn | The ARN for the deployed AutoScaling Group | +| autoscale_autoscaling_group_availability_zones | The AZs on which the Autoscaling Group is configured | +| autoscale_autoscaling_group_desired_capacity | The deployed AutoScaling Group's desired capacity of instances | +| autoscale_autoscaling_group_min_size | The deployed AutoScaling Group's minimum number of instances | +| autoscale_autoscaling_group_max_size | The deployed AutoScaling Group's maximum number of instances | +| autoscale_autoscaling_group_load_balancers | The deployed AutoScaling Group's configured load balancers | +| autoscale_autoscaling_group_target_group_arns | The deployed AutoScaling Group's configured target groups | +| autoscale_autoscaling_group_subnets | The subnets on which the deployed AutoScaling Group is configured | +| autoscale_launch_template_id | The id of the Launch Template | +| autoscale_autoscale_security_group_id | The deployed AutoScaling Group's security group id | +| autoscale_iam_role_name | The deployed AutoScaling Group's IAM role name (if created) | + +## Revision History +In order to check the 
template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 20200318 | First release of Check Point Auto Scaling Terraform module for AWS | +| 20210309 | AWS Terraform modules refactor | +| 20210329 | Stability fixes | +| 20220606 | New instance type support | +| 20221123 | R81.20 version support | +| 20221226 | Support ASG Launch Template instead of Launch Configuration | +| 20230521 | Change default shell for the admin user to /etc/cli.sh | +| 20230806 | Add support for c6in instance type | +| 20230829 | Change default Check Point version to R81.20 | +| 20230914 | Add support for maintenance mode password | +| 20230923 | Add support for C5d instance type | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20240414 | - Add support for Elastic Load Balancer Health Checks.
- EC2 Auto Scaling will start to detect and act on health checks performed by Elastic Load Balancing. |
+| 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only |
+
+## License
+
+This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details
diff --git a/terraform/aws/autoscale/asg_userdata.yaml b/terraform/aws/autoscale/asg_userdata.yaml
new file mode 100755
index 00000000..ea6de749
--- /dev/null
+++ b/terraform/aws/autoscale/asg_userdata.yaml
@@ -0,0 +1,4 @@
+#cloud-config
+runcmd:
+ - |
+ python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" installationType=\"autoscale\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"autoscale\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" bootstrapScript64=\"${BootstrapScript}\"
diff --git a/terraform/aws/autoscale/locals.tf b/terraform/aws/autoscale/locals.tf
new file mode 100755
index 00000000..72fa5951
--- /dev/null
+++ b/terraform/aws/autoscale/locals.tf
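Review bot: `templateVersion=\"20231012\"` in the cloud_config.py invocation is stale relative to the README revision history added in this same commit, which lists 20240414 and 20240515 entries for this template, so gateways will report a template version that no longer matches the documented one. Suggest updating the literal to the current revision (`templateVersion=\"20240515\"` if the README table is authoritative) or passing it in from a single local so the two cannot drift again. The sicKey, passwordHash and MaintenanceModePassword arguments are only base64-encoded here and are readable by anything that can retrieve the instance's user data; a comment saying so would stop readers from assuming the encoding provides confidentiality.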
@@ -0,0 +1,62 @@
+locals {
+ asg_name = format("%s%s", var.prefix != "" ? format("%s-", var.prefix) : "", var.asg_name)
+ create_iam_role = var.enable_cloudwatch ? 1 : 0
+
+ gateways_provision_address_type_allowed_values = [
+ "public",
+ "private"
+ ]
+ // Will fail if var.gateways_provision_address_type is invalid
+ validate_gateways_provision_address_type = index(local.gateways_provision_address_type_allowed_values, var.gateways_provision_address_type)
+
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"
+ ]
+ // Will fail if var.admin_shell is invalid
+ validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell)
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
+ regex_valid_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SICKey is invalid
+ regex_sic_result = regex(local.regex_valid_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SICKey] must be at least 8 alphanumeric characters"
+
+ proxy_elb_type_allowed_values = [
+ "none",
+ "internal",
+ "internet-facing"
+ ]
+ // Will fail if var.proxy_elb_type is invalid
+ validate_proxy_elb_type = index(local.proxy_elb_type_allowed_values, var.proxy_elb_type)
+
+ regex_valid_cidr_range = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))?$"
+ // Will fail if var.proxy_elb_clients is invalid
+ regex_cidr_result = regex(local.regex_valid_cidr_range, var.proxy_elb_clients) == var.proxy_elb_clients ? 0 : "Variable [proxy_elb_clients] must be a valid CIDR range"
+
+ tags_asg_format = null_resource.tags_as_list_of_maps.*.triggers
+
+ //Splits the version and licence and returns the os version
+ version_split = element(split("-", var.gateway_version), 0)
+ gateway_bootstrap_script64 = base64encode(var.gateway_bootstrap_script)
+ gateway_password_hash_base64 = base64encode(var.gateway_password_hash)
+ maintenance_mode_password_hash_base64 = base64encode(var.gateway_maintenance_mode_password_hash)
+ gateway_SICkey_base64 = base64encode(var.gateway_SICKey)
+}
+resource "null_resource" "tags_as_list_of_maps" {
+ count = length(keys(var.instances_tags))
+
+ triggers = {
+ "key" = keys(var.instances_tags)[count.index]
+ "value" = values(var.instances_tags)[count.index]
+ "propagate_at_launch" = "true"
+ }
+}
\ No newline at end of file
diff --git a/terraform/aws/autoscale/main.tf b/terraform/aws/autoscale/main.tf
new file mode 100755
index 00000000..dea10eca
--- /dev/null
+++ b/terraform/aws/autoscale/main.tf
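Review bot: `tags_asg_format` and the `null_resource.tags_as_list_of_maps` resource feeding it look like dead code: nothing in the main.tf added by this commit reads `local.tags_asg_format`, and the `aws_autoscaling_group` iterates `var.instances_tags` directly through a `dynamic "tag"` block. The resource still drags in the `null` provider, which no `required_providers` block visible in this chunk pins, so `terraform init` resolves an unconstrained provider version for something that produces nothing. Suggest removing both, or if another consumer needs them, adding `// NOTE: not consumed by this module's ASG; retained for <reason>` above `tags_asg_format`. The comment `// will fail if var.key_name is invalid` also overstates the check: the pattern is unanchored, so a name with surrounding whitespace matches a shorter substring, the else branch merely assigns a string to an unreferenced local, and nothing fails.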
@@ -0,0 +1,248 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+module "amis" {
+ source = "../modules/amis"
+
+ version_license = var.gateway_version
+}
+
+resource "aws_security_group" "permissive_sg" {
+ name_prefix = format("%s_PermissiveSecurityGroup", local.asg_name)
+ description = "Permissive security group"
+ vpc_id = var.vpc_id
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ ingress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ tags = {
+ Name = format("%s_PermissiveSecurityGroup", local.asg_name)
+ }
+}
+
+resource "aws_launch_template" "asg_launch_template" {
+ name_prefix = local.asg_name
+ image_id = module.amis.ami_id
+ instance_type = var.gateway_instance_type
+ key_name = var.key_name
+ network_interfaces {
+ associate_public_ip_address = true
+ security_groups = [aws_security_group.permissive_sg.id]
+ }
+
+ metadata_options {
+ http_tokens = var.metadata_imdsv2_required ? "required" : "optional"
+ }
+
+ iam_instance_profile {
+ name = ( var.enable_cloudwatch ? aws_iam_instance_profile.instance_profile[0].name : "")
+ }
+ monitoring {
+ enabled = true
+ }
+
+ block_device_mappings {
+ device_name = "/dev/xvda"
+ ebs {
+ volume_type = "gp3"
+ volume_size = var.volume_size
+ encrypted = var.enable_volume_encryption
+ }
+ }
+ description = "Initial template version"
+
+
+ user_data = base64encode(templatefile("${path.module}/asg_userdata.yaml", {
+ // script's arguments
+ PasswordHash = local.gateway_password_hash_base64,
+ MaintenanceModePassword = local.maintenance_mode_password_hash_base64
+ EnableCloudWatch = var.enable_cloudwatch,
+ EnableInstanceConnect = var.enable_instance_connect,
+ Shell = var.admin_shell,
+ SICKey = local.gateway_SICkey_base64,
+ AllowUploadDownload = var.allow_upload_download,
+ BootstrapScript = local.gateway_bootstrap_script64,
+ OsVersion = local.version_split
+ }))
+}
+resource "aws_autoscaling_group" "asg" {
+ name_prefix = local.asg_name
+ launch_template {
+ id = aws_launch_template.asg_launch_template.id
+ version = aws_launch_template.asg_launch_template.latest_version
+ }
+ min_size = var.minimum_group_size
+ max_size = var.maximum_group_size
+ load_balancers = aws_elb.proxy_elb.*.name
+ target_group_arns = var.target_groups
+ vpc_zone_identifier = var.subnet_ids
+ health_check_grace_period = 3600
+ health_check_type = "ELB"
+
+ tag {
+ key = "Name"
+ value = format("%s%s", var.prefix != "" ? format("%s-", var.prefix) : "", var.gateway_name)
+ propagate_at_launch = true
+ }
+
+ tag {
+ key = "x-chkp-tags"
+ value = format("management=%s:template=%s:ip-address=%s", var.management_server, var.configuration_template, var.gateways_provision_address_type)
+ propagate_at_launch = true
+ }
+
+ dynamic "tag" {
+ for_each = var.instances_tags
+ content {
+ key = tag.key
+ value = tag.value
+ propagate_at_launch = true
+ }
+ }
+}
+
+data "aws_iam_policy_document" "assume_role_policy_document" {
+ version = "2012-10-17"
+ statement {
+ actions = ["sts:AssumeRole"]
+ principals {
+ type = "Service"
+ identifiers = ["ec2.amazonaws.com"]
+ }
+ effect = "Allow"
+ }
+}
+
+resource "aws_iam_role" "role" {
+ count = local.create_iam_role
+ name_prefix = format("%s-iam_role", local.asg_name)
+ assume_role_policy = data.aws_iam_policy_document.assume_role_policy_document.json
+ path = "/"
+}
+module "attach_cloudwatch_policy" {
+ source = "../modules/cloudwatch-policy"
+ count = local.create_iam_role
+ role = aws_iam_role.role[count.index].name
+ tag_name = local.asg_name
+}
+
+resource "aws_iam_instance_profile" "instance_profile" {
+ count = local.create_iam_role
+ name_prefix = format("%s-iam_instance_profile", local.asg_name)
+ path = "/"
+ role = aws_iam_role.role[count.index].name
+}
+
+// Proxy ELB
+locals {
+ proxy_elb_condition = var.proxy_elb_type != "none" ? 1 : 0
+}
+resource "random_id" "proxy_elb_uuid" {
+ byte_length = 5
+}
+resource "aws_elb" "proxy_elb" {
+ count = local.proxy_elb_condition
+ name = format("%s-proxy-elb-%s", var.prefix, random_id.proxy_elb_uuid.hex)
+ internal = var.proxy_elb_type == "internal"
+ cross_zone_load_balancing = true
+ listener {
+ instance_port = var.proxy_elb_port
+ instance_protocol = "TCP"
+ lb_port = var.proxy_elb_port
+ lb_protocol = "TCP"
+ }
+ health_check {
+ target = format("TCP:%s", var.proxy_elb_port)
+ healthy_threshold = 3
+ unhealthy_threshold = 5
+ interval = 30
+ timeout = 5
+ }
+ subnets = var.subnet_ids
+ security_groups = [aws_security_group.elb_security_group[count.index].id]
+}
+resource "aws_load_balancer_policy" "proxy_elb_policy" {
+ count = local.proxy_elb_condition
+ load_balancer_name = aws_elb.proxy_elb[count.index].name
+ policy_name = "EnableProxyProtocol"
+ policy_type_name = "ProxyProtocolPolicyType"
+
+ policy_attribute {
+ name = "ProxyProtocol"
+ value = "true"
+ }
+}
+resource "aws_security_group" "elb_security_group" {
+ count = local.proxy_elb_condition
+ description = "ELB security group"
+ vpc_id = var.vpc_id
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ ingress {
+ protocol = "tcp"
+ cidr_blocks = [var.proxy_elb_clients]
+ from_port = var.proxy_elb_port
+ to_port = var.proxy_elb_port
+ }
+}
+
+// Scaling metrics
+resource "aws_cloudwatch_metric_alarm" "cpu_alarm_low" {
+ alarm_name = format("%s_alarm_low", aws_autoscaling_group.asg.name)
+ metric_name = "CPUUtilization"
+ alarm_description = "Scale-down if CPU < 60% for 10 minutes"
+ namespace = "AWS/EC2"
+ statistic = "Average"
+ period = 300
+ evaluation_periods = 2
+ threshold = 60
+ alarm_actions = [aws_autoscaling_policy.scale_down_policy.arn]
+ dimensions = {
+ AutoScalingGroupName = aws_autoscaling_group.asg.name
+ }
+ comparison_operator = "LessThanThreshold"
+}
+resource "aws_autoscaling_policy" "scale_down_policy" {
+ autoscaling_group_name = aws_autoscaling_group.asg.name
+ name = format("%s_scale_down", aws_autoscaling_group.asg.name)
+ adjustment_type = "ChangeInCapacity"
+ cooldown = 300
+ scaling_adjustment = -1
+}
+resource "aws_cloudwatch_metric_alarm" "cpu_alarm_high" {
+ alarm_name = format("%s_alarm_high", aws_autoscaling_group.asg.name)
+ metric_name = "CPUUtilization"
+ alarm_description = "Scale-up if CPU > 80% for 10 minutes"
+ namespace = "AWS/EC2"
+ statistic = "Average"
+ period = 300
+ evaluation_periods = 2
+ threshold = 80
+ alarm_actions = [aws_autoscaling_policy.scale_up_policy.arn]
+ dimensions = {
+ AutoScalingGroupName = aws_autoscaling_group.asg.name
+ }
+ comparison_operator = "GreaterThanThreshold"
+}
+resource "aws_autoscaling_policy" "scale_up_policy" {
+ autoscaling_group_name = aws_autoscaling_group.asg.name
+ name = format("%s_scale_up", aws_autoscaling_group.asg.name)
+ adjustment_type = "ChangeInCapacity"
+ cooldown = 300
+ scaling_adjustment = 1
+}
diff --git a/terraform/aws/autoscale/output.tf b/terraform/aws/autoscale/output.tf
new file mode 100755
index 00000000..152bb744
--- /dev/null
+++ b/terraform/aws/autoscale/output.tf
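Review bot: `name = format("%s-proxy-elb-%s", var.prefix, random_id.proxy_elb_uuid.hex)` in `aws_elb.proxy_elb` yields a name beginning with a hyphen whenever `prefix` is left at its documented default `""`, which AWS rejects for classic load balancer names; the rest of this file already handles the empty prefix through `local.asg_name`. Suggest `name = format("%sproxy-elb-%s", var.prefix != "" ? format("%s-", var.prefix) : "", random_id.proxy_elb_uuid.hex)`, or simply building on `local.asg_name`. Separately, `user_data` in the launch template carries the base64-encoded SIC key and both password hashes; a brief comment above it noting that launch-template user data is visible to any principal allowed `ec2:DescribeLaunchTemplateVersions` and to processes on the instance would help operators scope read access to the template accordingly.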
@@ -0,0 +1,43 @@
+output "Deployment" {
+ value = "Finalizing instances configuration may take up to 20 minutes after deployment is finished."
+}
+
+output "autoscale_autoscaling_group_name" {
+ value = aws_autoscaling_group.asg.name
+}
+output "autoscale_autoscaling_group_arn" {
+ value = aws_autoscaling_group.asg.arn
+}
+output "autoscale_autoscaling_group_availability_zones" {
+ value = aws_autoscaling_group.asg.availability_zones
+}
+output "autoscale_autoscaling_group_desired_capacity" {
+ value = aws_autoscaling_group.asg.desired_capacity
+}
+output "autoscale_autoscaling_group_min_size" {
+ value = aws_autoscaling_group.asg.min_size
+}
+output "autoscale_autoscaling_group_max_size" {
+ value = aws_autoscaling_group.asg.max_size
+}
+output "autoscale_autoscaling_group_load_balancers" {
+ value = aws_autoscaling_group.asg.load_balancers
+}
+output "autoscale_autoscaling_group_target_group_arns" {
+ value = aws_autoscaling_group.asg.target_group_arns
+}
+output "autoscale_autoscaling_group_subnets" {
+ value = aws_autoscaling_group.asg.vpc_zone_identifier
+}
+output "autoscale_launch_template_id" {
+ value = aws_launch_template.asg_launch_template.id
+}
+
+output "autoscale_security_group_id" {
+ value = aws_security_group.permissive_sg.id
+}
+
+output "autoscale_iam_role_name" {
+ value = aws_iam_role.role.*.name
+}
+
diff --git a/terraform/aws/autoscale/terraform.tfvars b/terraform/aws/autoscale/terraform.tfvars
new file mode 100755
index 00000000..d513fcd5
--- /dev/null
+++ b/terraform/aws/autoscale/terraform.tfvars
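Review bot: the output is declared as `autoscale_security_group_id` here, but the README Outputs table added in this same commit documents it as `autoscale_autoscale_security_group_id`, so anyone wiring this module's outputs into another configuration from the docs will reference a name that does not exist. The non-duplicated `autoscale_security_group_id` reads as the intended one, so the README row is probably the side to fix; either way the two should agree. None of the thirteen outputs carries a `description`, and a one-line `description = "..."` on each would make `terraform output` self-explanatory without consulting the README.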
@@ -0,0 +1,45 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- Environment ---
+prefix = "env1"
+asg_name = "autoscaling_group"
+
+// --- VPC Network Configuration ---
+vpc_id = "vpc-12345678"
+subnet_ids = ["subnet-abc123", "subnet-def456"]
+
+// --- Automatic Provisioning with Security Management Server Settings ---
+gateways_provision_address_type = "private"
+management_server = "mgmt_env1"
+configuration_template = "tmpl_env1"
+
+// --- EC2 Instances Configuration ---
+gateway_name = "asg_gateway"
+gateway_instance_type = "c5.xlarge"
+key_name = "publickey"
+instances_tags = {
+ key1 = "value1"
+ key2 = "value2"
+}
+metadata_imdsv2_required = true
+
+// --- Auto Scaling Configuration ---
+minimum_group_size = 2
+maximum_group_size = 10
+target_groups = ["arn:aws:tg1/abc123", "arn:aws:tg2/def456"]
+
+// --- Check Point Settings ---
+gateway_version = "R81.20-BYOL"
+admin_shell = "/etc/cli.sh"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
+gateway_SICKey = "12345678"
+enable_instance_connect = false
+allow_upload_download = true
+enable_cloudwatch = false
+gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+
+// --- Outbound Proxy Configuration (optional) ---
+proxy_elb_type = "internet-facing"
+proxy_elb_clients = "0.0.0.0/0"
+proxy_elb_port = 8080
diff --git a/terraform/aws/autoscale/variables.tf b/terraform/aws/autoscale/variables.tf
new file mode 100755
index 00000000..81d256ab
--- /dev/null
+++ b/terraform/aws/autoscale/variables.tf
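Review bot: the sample tfvars pairs `proxy_elb_type = "internet-facing"` with `proxy_elb_clients = "0.0.0.0/0"`, so a user who copies this file and only replaces the IDs deploys an internet-reachable TCP listener on port 8080 whose security group admits every source, even though the README Inputs table gives `none` as the proxy_elb_type default. Suggest shipping the example as `proxy_elb_type = "none"` (or with a private CIDR in `proxy_elb_clients`) plus a comment that the client range should be narrowed to the networks that actually need the outbound proxy. Likewise `gateway_SICKey = "12345678"` appears in the README as the documented default for a required value, which makes a throwaway placeholder look like a sane setting; a trailing `# placeholder - replace with a unique key before apply` would make the intent explicit.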
@@ -0,0 +1,190 @@
+// Module: Check Point CloudGuard Network Auto Scaling Group into an existing VPC
+
+// --- AWS Provider ---
+variable "region" {
+ type = string
+ description = "AWS region"
+ default = ""
+}
+variable "access_key" {
+ type = string
+ description = "AWS access key"
+ default = ""
+}
+variable "secret_key" {
+ type = string
+ description = "AWS secret key"
+ default = ""
+}
+
+// --- Environment ---
+variable "prefix" {
+ type = string
+ description = "(Optional) Instances name prefix"
+ default = ""
+}
+variable "asg_name" {
+ type = string
+ description = "Autoscaling Group name"
+ default = "Check-Point-ASG-tf"
+}
+
+// --- VPC Network Configuration ---
+variable "vpc_id" {
+ type = string
+}
+variable "subnet_ids" {
+ type = list(string)
+ description = "List of public subnet IDs to launch resources into. Recommended at least 2"
+}
+
+// --- Automatic Provisioning with Security Management Server Settings ---
+variable "gateways_provision_address_type" {
+ type = string
+ description = "Determines if the gateways are provisioned using their private or public address"
+ default = "private"
+}
+variable "management_server" {
+ type = string
+ description = "The name that represents the Security Management Server in the CME configuration"
+}
+variable "configuration_template" {
+ type = string
+ description = "Name of the provisioning template in the CME configuration"
+ validation {
+ condition = length(var.configuration_template) < 31
+ error_message = "The configuration_template name can not exceed 30 characters."
+ }
+}
+
+// --- EC2 Instances Configuration ---
+variable "gateway_name" {
+ type = string
+ description = "The name tag of the Security Gateways instances"
+ default = "Check-Point-ASG-gateway-tf"
+}
+variable "gateway_instance_type" {
+ type = string
+ description = "The instance type of the Security Gateways"
+ default = "c5.xlarge"
+}
+module "validate_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "gateway"
+ instance_type = var.gateway_instance_type
+}
+variable "key_name" {
+ type = string
+ description = "The EC2 Key Pair name to allow SSH access to the instances"
+}
+variable "volume_size" {
+ type = number
+ description = "Root volume size (GB) - minimum 100"
+ default = 100
+}
+resource "null_resource" "volume_size_too_small" {
+ // Will fail if var.volume_size is less than 100
+ count = var.volume_size >= 100 ? 0 : "variable volume_size must be at least 100"
+}
+variable "enable_volume_encryption" {
+ type = bool
+ description = "Encrypt Environment instances volume with default AWS KMS key"
+ default = true
+}
+variable "instances_tags" {
+ type = map(string)
+ description = "(Optional) A map of tags as key=value pairs. 
All tags will be added on all AutoScaling Group instances"
+ default = {}
+}
+variable "metadata_imdsv2_required" {
+ type = bool
+ description = "Set true to deploy the instance with metadata v2 token required"
+ default = true
+}
+
+// --- Auto Scaling Configuration ---
+variable "minimum_group_size" {
+ type = number
+ description = "The minimum number of instances in the Auto Scaling group"
+ default = 2
+}
+variable "maximum_group_size" {
+ type = number
+ description = "The maximum number of instances in the Auto Scaling group"
+ default = 10
+}
+variable "target_groups" {
+ type = list(string)
+ description = "(Optional) List of Target Group ARNs to associate with the Auto Scaling group"
+ default = []
+}
+
+// --- Check Point Settings ---
+variable "gateway_version" {
+ type = string
+ description = "Gateway version and license"
+ default = "R81.20-BYOL"
+}
+module "validate_gateway_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "gateway"
+ version_license = var.gateway_version
+}
+variable "admin_shell" {
+ type = string
+ description = "Set the admin shell to enable advanced command line configuration"
+ default = "/etc/cli.sh"
+}
+variable "gateway_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
+variable "gateway_SICKey" {
+ type = string
+ description = "The Secure Internal Communication key for trusted connection between Check Point components (at least 8 alphanumeric characters)"
+}
+variable "enable_instance_connect" {
+ type = bool
+ description = "Enable SSH connection over AWS web console"
+ default = false
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point"
+ default = true
+}
+variable "enable_cloudwatch" {
+ type = bool
+ description = "Report Check Point specific CloudWatch metrics"
+ default = false
+}
+variable "gateway_bootstrap_script" {
+ type = string
+ description = "(Optional) Semicolon (;) separated commands to run on the initial boot"
+ default = ""
+}
+
+// --- (Optional) Outbound Proxy Configuration ---
+variable "proxy_elb_type" {
+ type = string
+ description = "Type of ELB to create as an HTTP/HTTPS outbound proxy"
+ default = "none"
+}
+variable "proxy_elb_port" {
+ type = number
+ description = "The TCP port on which the proxy will be listening"
+ default = 8080
+}
+variable "proxy_elb_clients" {
+ type = string
+ description = "The CIDR range of the clients of the proxy"
+ default = "0.0.0.0/0"
+}
diff --git a/terraform/aws/autoscale/versions.tf b/terraform/aws/autoscale/versions.tf
new file mode 100755
index 00000000..dbebf275
--- /dev/null
+++ b/terraform/aws/autoscale/versions.tf
@@ -0,0 +1,15 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ random = {
+ version = "~> 3.5.1"
+ }
+ }
+}
diff --git a/terraform/aws/cluster-master/README.md b/terraform/aws/cluster-master/README.md
new file mode 100755
index 00000000..cfabfd18
--- /dev/null
+++ b/terraform/aws/cluster-master/README.md
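Review bot: The secret-bearing inputs are declared as plain strings, so their values are echoed in `terraform plan` output and stored unmasked in state: `access_key`, `secret_key`, `gateway_SICKey`, `gateway_password_hash` and `gateway_maintenance_mode_password_hash` (the hashes matter less than the SIC key and the AWS credentials, but still deserve masking). The versions.tf in this same patch pins `required_version = ">= 0.14.3"`, so `sensitive = true` is available and should be added to each of those five variable blocks. `gateway_SICKey` also has no `validation` block even though its description promises at least 8 alphanumeric characters, while `configuration_template` in the same file already uses one — `condition = can(regex("^[a-zA-Z0-9]{8,}$", var.gateway_SICKey))` with a matching `error_message` makes the rule enforceable. The `null_resource` whose `count` is a string for the `volume_size` check is a pre-0.13 workaround that the same `validation` mechanism now replaces with `condition = var.volume_size >= 100`.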
@@ -0,0 +1,221 @@ +# Check Point CloudGuard Network Security Cluster Master Terraform module for AWS + +Terraform module which deploys a Check Point CloudGuard Network Security Cluster into a new VPC. + +These types of Terraform resources are supported: +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) +* [VPC](https://www.terraform.io/docs/providers/aws/r/vpc.html) +* [Security Group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/aws/r/network_interface.html) +* [Route](https://www.terraform.io/docs/providers/aws/r/route.html) +* [EIP](https://www.terraform.io/docs/providers/aws/r/eip.html) - conditional creation +* [IAM Role](https://www.terraform.io/docs/providers/aws/r/iam_role.html) - conditional creation + +See the [Deploying a Check Point Cluster in AWS (Amazon Web Services)](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk104418) for additional information + +This solution uses the following modules: +- /terraform/aws/cluster +- /terraform/aws/modules/amis +- /terraform/aws/modules/vpc +- /terraform/aws/modules/cluster-iam-role + + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). 
+- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/cluster-master/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Static credentials are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-module /terraform/aws/cluster: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + b. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-module /terraform/aws/cluster: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/cluster-master/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + - Due to terraform limitation, the apply command is: + ``` + terraform apply -target=aws_route_table.private_subnet_rtb -auto-approve && terraform apply + ``` + >Once terraform is updated, we will update accordingly. 
+ +- Variables are configured in /terraform/aws/cluster-master/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- VPC Network Configuration --- + vpc_cidr = "10.0.0.0/16" + public_subnets_map = { + "us-east-1a" = 1 + } + private_subnets_map = { + "us-east-1a" = 2 + } + subnets_bit_length = 8 + + // --- EC2 Instance Configuration --- + gateway_name = "Check-Point-Cluster-tf" + gateway_instance_type = "c5.xlarge" + key_name = "publickey" + allocate_and_associate_eip = true + volume_size = 100 + volume_encryption = "alias/aws/ebs" + enable_instance_connect = false + disable_instance_termination = false + instance_tags = { + key1 = "value1" + key2 = "value2" + } + predefined_role = "" + + // --- Check Point Settings --- + gateway_version = "R81.20-BYOL" + admin_shell = "/etc/cli.sh" + gateway_SICKey = "12345678" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. + + // --- Quick connect to Smart-1 Cloud (Recommended) --- + memberAToken = "" + memberBToken = "" + + // --- Advanced Settings --- + resources_tag_name = "tag-name" + gateway_hostname = "gw-hostname" + allow_upload_download = true + enable_cloudwatch = false + gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + primary_ntp = "" + secondary_ntp = "" + ``` + +- Conditional creation + - To create an Elastic IP and associate it to each cluster member instance: + ``` + allocate_and_associate_eip = "true" + ``` + - To create IAM Role: + ``` + predefined_role = "" + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + ### Optional re-deploy of cluster member: + In case of re-deploying one cluster member, make sure that it's in STANDBY state, and the second member is the ACTIVE one. 
+ Follow the commands below in order to re-deploy (replace MEMBER with a or b): + - terraform taint module.launch_cluster_into_vpc.aws_instance.member-MEMBER-instance + - terraform plan (review the changes) + - terraform apply + - In Smart Console: reset SIC with the re-deployed member and install policy + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | +|----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| +| vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | +| public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pairs. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | +| private_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pairs. (e.g. {\"us-east-1a\" = 2} ) | map | n/a | n/a | yes | +| subnets_bit_length | Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20 | number | n/a | n/a | yes | +| gateway_name | (Optional) The name tag of the Security Gateway instances | string | n/a | Check-Point-Cluster-tf | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | +| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with each cluster member, in addition to the shared cluster Elastic IP | bool | true/false | true | no | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | +| enable_instance_connect | Enable AWS Instance Connect. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances | map(string) | n/a | {} | no | +| predefined_role | (Optional) A predefined IAM role to attach to the cluster profile | string | n/a | "" | no | +| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81-BYOL
- R81-PAYG-NGTP
- R81-PAYG-NGTX
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| memberAToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| memberBToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| resources_tag_name | (Optional) Name tag prefix of the resources | string | n/a | "" | no | +| gateway_hostname | (Optional) The host name will be appended with member-a/b accordingly. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | +| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | +| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no | + +## Outputs +| Name | Description | +|--------------------|-----------------------------------------------------| +| ami_id | The ami id of the deployed Security Cluster members | +| cluster_public_ip | The public address of the cluster | +| member_a_public_ip | The public address of member A | +| member_b_public_ip | The public address of member B | +| member_a_ssh | SSH command to member A | +| member_b_ssh | SSH command to member B | +| member_a_url | URL to the member A portal | +| member_b_url | URL to the member B portal | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|---------------------------------------------------------------------------------------------------------------| +| 20210309 | First release of Check Point Security Cluster Master Terraform module for AWS | +| 20220606 | New instance type 
support | +| 20221123 | R81.20 version support | +| 20230411 | Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | +| 20230503 | Smart-1 Cloud token validation | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230806 | Add support for c6in instance type | +| 20230829 | Change default Check Point version to R81.20 | +| 20230914 | Add support for maintenance mode password | +| 20230923 | Add support for C5d instance type | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/terraform/aws/cluster-master/locals.tf b/terraform/aws/cluster-master/locals.tf new file mode 100755 index 00000000..b77484fe --- /dev/null +++ b/terraform/aws/cluster-master/locals.tf 
@@ -0,0 +1,52 @@
+locals {
+ regex_valid_vpc_cidr = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$"
+ // Will fail if var.vpc_cidr is invalid
+ regex_vpc_cidr = regex(local.regex_valid_vpc_cidr, var.vpc_cidr) == var.vpc_cidr ? 0 : "Variable [vpc_cidr] must be a valid vpc cidr"
+
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"]
+ // Will fail if var.admin_shell is invalid
+ validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell)
+
+ create_iam_role = var.predefined_role == "" ? 1 : 0
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+
+ regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SIC_Key is invalid
+ regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters"
+
+ is_both_tokens_used = length(var.memberAToken) > 0 == length(var.memberBToken) > 0
+ validation_message_both = "Smart-1 Cloud Tokens for member A and member B can not be empty."
+ //Will fail if var.memberAToken is empty and var.memberBToken isn't and vice versa
+ regex_s1c_validate = regex("^$", (local.is_both_tokens_used ? "" : local.validation_message_both))
+
+ is_tokens_used = length(var.memberAToken) > 0
+ is_both_tokens_the_same = var.memberAToken == var.memberBToken
+ validation_message_unique = "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+ //Will fail if both s1c tokens are the same
+ regex_s1c_unique = local.is_tokens_used ? regex("^$", (local.is_both_tokens_the_same ? 
local.validation_message_unique : "")) : ""
+
+ regex_valid_gateway_hostname = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.gateway_hostname is invalid
+ regex_gateway_hostname = regex(local.regex_valid_gateway_hostname, var.gateway_hostname) == var.gateway_hostname ? 0 : "Variable [gateway_hostname] must be a valid hostname label or an empty string"
+ volume_encryption_condition = var.volume_encryption != "" ? true : false
+
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
+ regex_valid_primary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.primary_ntp is invalid
+ regex_primary_ntp = regex(local.regex_valid_primary_ntp, var.primary_ntp) == var.primary_ntp ? 0 : "Variable [primary_ntp] must be a valid ntp"
+
+ regex_valid_secondary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.secondary_ntp is invalid
+ regex_secondary_ntp = regex(local.regex_valid_secondary_ntp, var.secondary_ntp) == var.secondary_ntp ? 0 : "Variable [secondary_ntp] must be a valid ntp"
+}
diff --git a/terraform/aws/cluster-master/main.tf b/terraform/aws/cluster-master/main.tf
new file mode 100755
index 00000000..29746863
--- /dev/null
+++ b/terraform/aws/cluster-master/main.tf
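Review bot: The `? 0 : "Variable […] must …"` messages in these locals are, as far as I can tell, never shown to the user: when one of the anchored patterns (`vpc_cidr`, SIC key, hostname, both password hashes, NTP) does not match, `regex()` itself aborts first with Terraform's generic "pattern did not match" error, and for the unanchored `regex_valid_key_name` a partial match (e.g. a `key_name` with a trailing space) merely makes the local equal to the message string without failing at all, because HCL unifies the `0` and the string into a string result rather than raising. `validate_admin_shell` has the same shape — `index()` raises a bare "item not found". Moving each rule onto its variable as `validation { condition = can(regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey)) error_message = "…" }` (the form this patch already uses elsewhere, and supported by the `>= 0.14.3` floor the sibling modules declare) keeps the check, surfaces the intended message, and stops relying on Terraform evaluating locals that nothing references. Minor: `is_both_tokens_used` depends on `>` binding tighter than `==`; writing it as `(length(var.memberAToken) > 0) == (length(var.memberBToken) > 0)` makes the intent explicit.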
@@ -0,0 +1,64 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+// --- VPC ---
+module "launch_vpc" {
+ source = "../modules/vpc"
+
+ vpc_cidr = var.vpc_cidr
+ public_subnets_map = var.public_subnets_map
+ private_subnets_map = var.private_subnets_map
+ subnets_bit_length = var.subnets_bit_length
+}
+
+resource "aws_route_table" "private_subnet_rtb" {
+ depends_on = [module.launch_vpc]
+ vpc_id = module.launch_vpc.vpc_id
+ tags = {
+ Name = "Private Subnets Route Table"
+ }
+}
+resource "aws_route_table_association" "private_rtb_to_private_subnets" {
+ depends_on = [module.launch_vpc, aws_route_table.private_subnet_rtb]
+ route_table_id = aws_route_table.private_subnet_rtb.id
+ subnet_id = module.launch_vpc.private_subnets_ids_list[0]
+}
+module "launch_cluster_into_vpc" {
+ source = "../cluster"
+ providers = {
+ aws = aws
+ }
+
+ vpc_id = module.launch_vpc.vpc_id
+ public_subnet_id = module.launch_vpc.public_subnets_ids_list[0]
+ private_subnet_id = module.launch_vpc.private_subnets_ids_list[0]
+ private_route_table = aws_route_table.private_subnet_rtb.id
+ gateway_name = var.gateway_name
+ gateway_instance_type = var.gateway_instance_type
+ key_name = var.key_name
+ allocate_and_associate_eip = var.allocate_and_associate_eip
+ volume_size = var.volume_size
+ volume_encryption = var.volume_encryption
+ enable_instance_connect = var.enable_instance_connect
+ disable_instance_termination = var.disable_instance_termination
+ metadata_imdsv2_required = var.metadata_imdsv2_required
+ instance_tags = var.instance_tags
+ predefined_role = var.predefined_role
+ gateway_version = var.gateway_version
+ admin_shell = var.admin_shell
+ gateway_SICKey = var.gateway_SICKey
+ gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
+ memberAToken = var.memberAToken
+ memberBToken = var.memberBToken
+ resources_tag_name = 
var.resources_tag_name
+ gateway_hostname = var.gateway_hostname
+ allow_upload_download = var.allow_upload_download
+ enable_cloudwatch = var.enable_cloudwatch
+ gateway_bootstrap_script = var.gateway_bootstrap_script
+ primary_ntp = var.primary_ntp
+ secondary_ntp = var.secondary_ntp
+}
diff --git a/terraform/aws/cluster-master/output.tf b/terraform/aws/cluster-master/output.tf
new file mode 100755
index 00000000..c1f47385
--- /dev/null
+++ b/terraform/aws/cluster-master/output.tf
@@ -0,0 +1,24 @@
+output "ami_id" {
+ value = module.launch_cluster_into_vpc.ami_id
+}
+output "cluster_public_ip" {
+ value = module.launch_cluster_into_vpc.cluster_public_ip
+}
+output "member_a_public_ip" {
+ value = module.launch_cluster_into_vpc.member_a_public_ip
+}
+output "member_b_public_ip" {
+ value = module.launch_cluster_into_vpc.member_b_public_ip
+}
+output "member_a_ssh" {
+ value = module.launch_cluster_into_vpc.member_a_ssh
+}
+output "member_b_ssh" {
+ value = module.launch_cluster_into_vpc.member_b_ssh
+}
+output "member_a_url" {
+ value = module.launch_cluster_into_vpc.member_a_url
+}
+output "member_b_url" {
+ value = module.launch_cluster_into_vpc.member_b_url
+}
\ No newline at end of file
diff --git a/terraform/aws/cluster-master/terraform.tfvars b/terraform/aws/cluster-master/terraform.tfvars
new file mode 100755
index 00000000..1e7b2c78
--- /dev/null
+++ b/terraform/aws/cluster-master/terraform.tfvars
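Review bot: The provider block wires `access_key`/`secret_key` straight from input variables, which makes long-lived static keys a first-class module input that lands in terraform.tfvars and plan output, and the README in this patch documents exactly that workflow. Prefer the provider's default credential chain (environment variables, a shared profile, or an instance/CI role) and drop the two attributes, leaving `provider "aws" { region = var.region }`; if they must stay for compatibility, the two variables should at least be declared `sensitive = true` (this module's variables.tf starts at the end of this chunk and is cut off, so I cannot confirm how they are declared). Separately, only `private_subnets_ids_list[0]` is associated with the new route table and handed to the cluster, so any further entry in `private_subnets_map` presumably stays on the VPC's main route table (the vpc module is out of view); a comment at the association such as `// single-AZ cluster: only the first private subnet is routed through the gateways` would spare the next reader the surprise.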
@@ -0,0 +1,47 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_cidr = "10.0.0.0/16"
+public_subnets_map = {
+ "us-east-1a" = 1
+}
+private_subnets_map = {
+ "us-east-1a" = 2
+}
+subnets_bit_length = 8
+
+// --- EC2 Instance Configuration ---
+gateway_name = "Check-Point-Cluster-tf"
+gateway_instance_type = "c5.xlarge"
+key_name = "publickey"
+allocate_and_associate_eip = true
+volume_size = 100
+volume_encryption = "alias/aws/ebs"
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+instance_tags = {
+ key1 = "value1"
+ key2 = "value2"
+}
+predefined_role = ""
+
+// --- Check Point Settings ---
+gateway_version = "R81.20-BYOL"
+admin_shell = "/etc/cli.sh"
+gateway_SICKey = "12345678"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
+
+// --- Quick connect to Smart-1 Cloud (Recommended) ---
+memberAToken = ""
+memberBToken = ""
+
+// --- Advanced Settings ---
+resources_tag_name = "tag-name"
+gateway_hostname = "gw-hostname"
+allow_upload_download = true
+enable_cloudwatch = false
+gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+primary_ntp = ""
+secondary_ntp = ""
\ No newline at end of file
diff --git a/terraform/aws/cluster-master/variables.tf b/terraform/aws/cluster-master/variables.tf
new file mode 100755
index 00000000..d1faf72c
--- /dev/null
+++ b/terraform/aws/cluster-master/variables.tf
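Review bot: `gateway_SICKey = "12345678"` is committed as the sample value and is the weakest string the `^[a-zA-Z0-9]{8,}$` rule in this module's locals.tf accepts; a SIC one-time password that survives copy-paste from a sample is guessable, so the sample should be empty (which makes that regex refuse the deploy) with a comment `# REQUIRED: random string, at least 8 alphanumeric characters`. Because the README for this module tells users to add `access_key`/`secret_key` to this same file, it should be kept out of version control — the patch adds a .gitignore that is out of view here, so it is worth checking that it lists `*.tfvars`. Minor: the file ends without a trailing newline, as the `\ No newline at end of file` marker shows.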
@@ -0,0 +1,183 @@
+// Module: Check Point CloudGuard Network Security Cluster into a new VPC
+
+// --- AWS Provider ---
+variable "region" {
+ type = string
+ description = "AWS region"
+ default = ""
+}
+variable "access_key" {
+ type = string
+ description = "AWS access key"
+ default = ""
+}
+variable "secret_key" {
+ type = string
+ description = "AWS secret key"
+ default = ""
+}
+
+// --- VPC Network Configuration ---
+variable "vpc_cidr" {
+ type = string
+ description = "The CIDR block of the VPC"
+ default = "10.0.0.0/16"
+}
+variable "public_subnets_map" {
+ type = map(string)
+ description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pairs. (e.g. {\"us-east-1a\" = 1} ) "
+}
+variable "private_subnets_map" {
+ type = map(string)
+ description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pairs. (e.g. {\"us-east-1a\" = 2} ) "
+
+}
+variable "subnets_bit_length" {
+ type = number
+ description = "Number of additional bits with which to extend the vpc cidr. 
For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20"
+}
+
+// --- EC2 Instance Configuration ---
+variable "gateway_name" {
+ type = string
+ description = "(Optional) The name tag of the Security Gateway instances"
+ default = "Check-Point-Cluster-tf"
+}
+variable "gateway_instance_type" {
+ type = string
+ description = "The instance type of the Security Gateways"
+ default = "c5.xlarge"
+}
+module "validate_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "gateway"
+ instance_type = var.gateway_instance_type
+}
+variable "key_name" {
+ type = string
+ description = "The EC2 Key Pair name to allow SSH access to the instance"
+}
+variable "allocate_and_associate_eip" {
+ type = bool
+ description = "If set to true, an elastic IP will be allocated and associated with each cluster member, in addition to the shared cluster Elastic IP"
+ default = true
+}
+variable "volume_size" {
+ type = number
+ description = "Root volume size (GB) - minimum 100"
+ default = 100
+}
+resource "null_resource" "volume_size_too_small" {
+ // Volume Size validation - resource will not be created if the volume size is smaller than 100
+ count = var.volume_size >= 100 ? 0 : "volume_size must be at least 100"
+}
+variable "volume_encryption" {
+ type = string
+ description = "KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. 
for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs')"
+ default = "alias/aws/ebs"
+}
+variable "enable_instance_connect" {
+ type = bool
+ description = "Enable SSH connection over AWS web console"
+ default = false
+}
+variable "disable_instance_termination" {
+ type = bool
+ description = "Prevents an instance from accidental termination"
+ default = false
+}
+variable "metadata_imdsv2_required" {
+ type = bool
+ description = "Set true to deploy the instance with metadata v2 token required"
+ default = true
+}
+variable "instance_tags" {
+ type = map(string)
+ description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instance"
+ default = {}
+}
+variable "predefined_role" {
+ type = string
+ description = "(Optional) A predefined IAM role to attach to the cluster profile"
+ default = ""
+}
+
+// --- Check Point Settings ---
+variable "gateway_version" {
+ type = string
+ description = "Gateway version and license"
+ default = "R81.20-BYOL"
+}
+module "validate_gateway_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "gateway"
+ version_license = var.gateway_version
+}
+variable "admin_shell" {
+ type = string
+ description = "Set the admin shell to enable advanced command line configuration"
+ default = "/etc/cli.sh"
+}
+variable "gateway_SICKey" {
+ type = string
+ description = "The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters"
+}
+variable "gateway_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. 
For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
+
+// --- Quick connect to Smart-1 Cloud (Recommended) ---
+variable "memberAToken" {
+ type = string
+ description = "Follow the instructions in sk180501 to quickly connect this Single AZ Cluster to Smart-1 Cloud."
+}
+variable "memberBToken" {
+ type = string
+ description = "Follow the instructions in sk180501 to quickly connect this Single AZ Cluster to Smart-1 Cloud."
+}
+
+// --- Advanced Settings ---
+variable "resources_tag_name" {
+ type = string
+ description = "(Optional) Name tag prefix of the resources"
+ default = ""
+}
+variable "gateway_hostname" {
+ type = string
+ description = "(Optional) The host name will be appended with member-a/b accordingly"
+ default = ""
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point"
+ default = true
+}
+variable "enable_cloudwatch" {
+ type = bool
+ description = "Report Check Point specific CloudWatch metrics"
+ default = false
+}
+variable "gateway_bootstrap_script" {
+ type = string
+ description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot"
+ default = ""
+}
+variable "primary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol primary server"
+ default = "169.254.169.123"
+}
+variable "secondary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server"
+ default = "0.pool.ntp.org"
+}
diff --git a/terraform/aws/cluster-master/versions.tf b/terraform/aws/cluster-master/versions.tf
new file mode 100755
index 00000000..c138bbb3
--- /dev/null
+++ b/terraform/aws/cluster-master/versions.tf
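Review bot: The secret-bearing variables in this hunk — `access_key`, `secret_key`, `gateway_SICKey`, `gateway_password_hash`, `gateway_maintenance_mode_password_hash`, `memberAToken` and `memberBToken` — are declared without `sensitive = true`, so their values are echoed in plan/apply output and in any validation error that reports them; versions.tf in this same patch pins `required_version = ">= 0.14.3"`, which already supports the attribute, so adding `sensitive = true` to each of those blocks is a one-line change per variable. The `null_resource "volume_size_too_small"` count trick is a pre-0.13 idiom; a `validation` block inside `variable "volume_size"` with `condition = var.volume_size >= 100` and an `error_message` fails earlier, with a readable message, and leaves no phantom resource in state. `gateway_SICKey` has no default here, yet the cluster README later in this patch lists its default as "12345678" and Required as "no"; the README is the one that looks wrong. `subnets_bit_length` is required but has no range check, even though its description ties the value directly to `vpc_cidr`.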
@@ -0,0 +1,12 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ }
+}
diff --git a/terraform/aws/cluster/README.md b/terraform/aws/cluster/README.md
new file mode 100755
index 00000000..073c7fe7
--- /dev/null
+++ b/terraform/aws/cluster/README.md
@@ -0,0 +1,201 @@
+# Check Point CloudGuard Network Security Cluster Terraform module for AWS
+
+Terraform module which deploys a Check Point CloudGuard Network Security Cluster into an existing VPC on AWS.
+
+These types of Terraform resources are supported:
+* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html)
+* [Security Group](https://www.terraform.io/docs/providers/aws/r/security_group.html)
+* [Network interface](https://www.terraform.io/docs/providers/aws/r/network_interface.html)
+* [EIP](https://www.terraform.io/docs/providers/aws/r/eip.html) - conditional creation
+* [Route](https://www.terraform.io/docs/providers/aws/r/route.html) - conditional creation
+* [IAM Role](https://www.terraform.io/docs/providers/aws/r/iam_role.html) - conditional creation
+
+See the [Deploying a Check Point Cluster in AWS (Amazon Web Services)](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk104418) for additional information
+
+This solution uses the following modules:
+- /terraform/aws/modules/amis
+- /terraform/aws/modules/cluster-iam-role
+
+
+## Configurations
+
+The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources:
+```
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+```
+The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables).
+- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/cluster/**terraform.tfvars** file as follows:
+```
+region = "us-east-1"
+access_key = "my-access-key"
+secret_key = "my-secret-key"
+```
+- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented:
+ ```
+ provider "aws" {
+ // region = var.region
+ // access_key = var.access_key
+ // secret_key = var.secret_key
+ }
+ ```
+
+## Usage
+- Fill all variables in the /terraform/aws/cluster/**terraform.tfvars** file with proper values (see below for variables descriptions).
+- From a command line initialize the Terraform configuration directory:
+ ```
+ terraform init
+ ```
+- Create an execution plan:
+ ```
+ terraform plan
+ ```
+- Create or modify the deployment:
+ ```
+ terraform apply
+ ```
+
+- Variables are configured in /terraform/aws/cluster/**terraform.tfvars** file as follows:
+
+ ```
+ //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+ // --- VPC Network Configuration ---
+ vpc_id = "vpc-12345678"
+ public_subnet_id = "subnet-123456"
+ private_subnet_id = "subnet-345678"
+ private_route_table = "rtb-12345678"
+
+ // --- EC2 Instance Configuration ---
+ gateway_name = "Check-Point-Cluster-tf"
+ gateway_instance_type = "c5.xlarge"
+ key_name = "publickey"
+ allocate_and_associate_eip = true
+ volume_size = 100
+ volume_encryption = "alias/aws/ebs"
+ enable_instance_connect = false
+ disable_instance_termination = false
+ instance_tags = {
+ key1 = "value1"
+ key2 = "value2"
+ }
+ predefined_role = ""
+
+ // --- Check Point Settings ---
+ gateway_version = "R81.20-BYOL"
+ admin_shell = "/etc/cli.sh"
+ gateway_SICKey = "12345678"
+ gateway_password_hash = ""
+ gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. 
+
+ // --- Quick connect to Smart-1 Cloud (Recommended) ---
+ memberAToken = ""
+ memberBToken = ""
+
+ // --- Advanced Settings ---
+ resources_tag_name = "tag-name"
+ gateway_hostname = "gw-hostname"
+ allow_upload_download = true
+ enable_cloudwatch = false
+ gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+ primary_ntp = ""
+ secondary_ntp = ""
+ ```
+
+- Conditional creation
+ - To create an Elastic IP and associate it to each cluster member instance:
+ ```
+ allocate_and_associate_eip = "true"
+ ```
+ - To create IAM Role:
+ ```
+ predefined_role = ""
+ ```
+ - To create route from '0.0.0.0/0' to the Active Cluster member instance, please provide route table:
+ ```
+ private_route_table = "rtb-12345678"
+ ```
+- To tear down your resources:
+ ```
+ terraform destroy
+ ```
+ ### Optional re-deploy of cluster member:
+ In case of re-deploying one cluster member, make sure that it's in STANDBY state, and the second member is the ACTIVE one.
+ Follow the commands below in order to re-deploy (replace MEMBER with a or b):
+ - terraform taint aws_instance.member-MEMBER-instance
+ - terraform plan (review the changes)
+ - terraform apply
+ - In Smart Console: reset SIC with the re-deployed member and install policy
+
+## Inputs
+| Name | Description | Type | Allowed values | Default | Required |
+|----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| public_subnet_id | The public subnet of the cluster. The cluster's public IPs will be generated from this subnet | string | n/a | n/a | yes | +| private_subnet_id | The private subnet of the cluster. The cluster's private IPs will be generated from this subnet | string | n/a | n/a | yes | +| private_route_table | (Optional) Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route | string | n/a | "" | no | +| gateway_name | (Optional) The name tag of the Security Gateway instances | string | n/a | Check-Point-Cluster-tf | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | +| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with each cluster member, in addition to the shared cluster Elastic IP | bool | true/false | true | no | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | +| enable_instance_connect | Enable AWS Instance Connect. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances | map(string) | n/a | {} | no | +| predefined_role | (Optional) A predefined IAM role to attach to the cluster profile | string | n/a | "" | no | +| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81-BYOL
- R81-PAYG-NGTP
- R81-PAYG-NGTX
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | no | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| memberAToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| memberBToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| resources_tag_name | (Optional) Name tag prefix of the resources | string | n/a | "" | no | +| gateway_hostname | (Optional) The host name will be appended with member-a/b accordingly. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | +| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | +| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no | + +## Outputs +| Name | Description | +|--------------------|-----------------------------------------------------| +| ami_id | The ami id of the deployed Security Cluster members | +| cluster_public_ip | The public address of the cluster | +| member_a_public_ip | The public address of member A | +| member_b_public_ip | The public address of member B | +| member_a_ssh | SSH command to member A | +| member_b_ssh | SSH command to member B | +| member_a_url | URL to the member A portal | +| member_b_url | URL to the member B portal | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|---------------------------------------------------------------------------------------------------------------| +| 20210309 | First release of Check Point Security Cluster Terraform module for AWS | +| 20220606 | New instance type 
support | +| 20221123 | R81.20 version support | +| 20230411 | Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | +| 20230503 | Smart-1 Cloud token validation | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname |
+| 20230806 | Add support for c6in instance type |
+| 20230829 | Change default Check Point version to R81.20 |
+| 20230914 | Add support for maintenance mode password |
+| 20230923 | Add support for C5d instance type |
+| 20231012 | Update AWS Terraform provider version to 5.20.1 |
+| 20240304 | Add x-chkp-cluster-ips, x-chkp-member-ips tags to cluster members |
+| 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only |
+
+
+## License
+
+This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details
diff --git a/terraform/aws/cluster/cluster_member_a_userdata.yaml b/terraform/aws/cluster/cluster_member_a_userdata.yaml
new file mode 100755
index 00000000..6329e2cf
--- /dev/null
+++ b/terraform/aws/cluster/cluster_member_a_userdata.yaml
@@ -0,0 +1,4 @@
+#cloud-config
+runcmd:
+ - |
+ python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenA}\"" installationType=\"cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" elasticIp=\"${MemberAPublicAddress}\" templateVersion=\"20231012\" templateName=\"cluster\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" allocatePublicAddress=\"${AllocateAddress}\" bootstrapScript64=\"${GatewayBootstrapScript}\"
\ No newline at end of file
diff --git a/terraform/aws/cluster/cluster_member_b_userdata.yaml b/terraform/aws/cluster/cluster_member_b_userdata.yaml
new file mode 100755
index 00000000..36d29dc5
--- /dev/null
+++ b/terraform/aws/cluster/cluster_member_b_userdata.yaml
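Review bot: `templateVersion=\"20231012\"` is hard-coded in the runcmd, while the README's revision history earlier in this patch records later template versions (20240304, 20240515), so the version the member reports at first boot will lag the template actually deployed; cluster_member_b_userdata.yaml carries the same value. Separately, the SIC key, the two password hashes and the Smart-1 Cloud token are handed to `/etc/cloud_config.py` as command-line arguments, which cloud-init typically persists in its per-instance script directory and which are visible in the process table while the script runs; whether `cloud_config.py` can take these values from a file or stdin is not visible here, but if it can, that path keeps them out of local logs. A short comment above `runcmd:` noting that user data, including these values, is retrievable from the instance metadata service (gated by IMDSv2 when `metadata_imdsv2_required` is true) would help reviewers of the templates that render this file.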
@@ -0,0 +1,4 @@
+#cloud-config
+runcmd:
+ - |
+ python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenB}\"" installationType=\"cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" elasticIp=\"${MemberBPublicAddress}\" templateVersion=\"20231012\" templateName=\"cluster\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" allocatePublicAddress=\"${AllocateAddress}\" bootstrapScript64=\"${GatewayBootstrapScript}\"
\ No newline at end of file
diff --git a/terraform/aws/cluster/locals.tf b/terraform/aws/cluster/locals.tf
new file mode 100755
index 00000000..d64b39e7
--- /dev/null
+++ b/terraform/aws/cluster/locals.tf
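Review bot: `hostName=\"${Hostname }\"` carries a stray space inside the interpolation that member A's file does not have; HCL template syntax tolerates it, but the two member files should be byte-identical apart from the token and address names, `hostName=\"${Hostname}\"`. The hard-coded `templateVersion` and the argv handling of secret values are the same as in cluster_member_a_userdata.yaml and are covered there.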
@@ -0,0 +1,69 @@
+locals {
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"]
+ // Will fail if var.admin_shell is invalid
+ validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell)
+
+ enable_cloudwatch_policy = var.enable_cloudwatch ? 1 : 0
+ create_iam_role = var.predefined_role == "" ? 1 : 0
+ provided_roue_table = var.private_route_table == "" ? 0 : 1
+ internal_route_table_condition = var.private_route_table != "" ? 1 : 0
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+
+ regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SIC_Key is invalid
+ regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters"
+
+ regex_token_valid = "(^https://(.+).checkpoint.com/app/maas/api/v1/tenant(.+)|^$)"
+ //TokenA: will fail if decode token should contain https:// and .checkpoint.com/app/maas/api/v1/tenant or empty string
+ split_tokenA = split(" ", var.memberAToken)
+ tokenA_decode = base64decode(element(local.split_tokenA, length(local.split_tokenA)-1))
+ regex_tokenA = regex(local.regex_token_valid, local.tokenA_decode) == local.tokenA_decode ? 0 : "Smart-1 Cloud token A is invalid format"
+
+ //TokenB: will fail if decode token should contain https:// and .checkpoint.com/app/maas/api/v1/tenant or empty string
+ split_tokenB = split(" ", var.memberBToken)
+ tokenB_decode = base64decode(element(local.split_tokenB, length(local.split_tokenB)-1))
+ regex_tokenB = regex(local.regex_token_valid, local.tokenB_decode) == local.tokenB_decode ? 
0 : "Smart-1 Cloud token B is invalid format"
+
+ is_both_tokens_used = length(var.memberAToken) > 0 == length(var.memberBToken) > 0
+ validation_message_both = "Smart-1 Cloud Tokens for member A and member B can not be empty."
+ //Will fail if var.memberAToken is empty and var.memberBToken isn't and vice versa
+ regex_s1c_validate = regex("^$", (local.is_both_tokens_used ? "" : local.validation_message_both))
+
+ is_tokens_used = length(var.memberAToken) > 0
+ is_both_tokens_the_same = var.memberAToken == var.memberBToken
+ validation_message_unique = "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+ //Will fail if both s1c tokens are the same
+ regex_s1c_unique = local.is_tokens_used ? regex("^$", (local.is_both_tokens_the_same ? local.validation_message_unique : "")) : ""
+
+ regex_valid_gateway_hostname = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.gateway_hostname is invalid
+ regex_gateway_hostname = regex(local.regex_valid_gateway_hostname, var.gateway_hostname) == var.gateway_hostname ? 0 : "Variable [gateway_hostname] must be a valid hostname label or an empty string"
+ volume_encryption_condition = var.volume_encryption != "" ? true : false
+
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 
0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
+ regex_valid_primary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.primary_ntp is invalid
+ regex_primary_ntp = regex(local.regex_valid_primary_ntp, var.primary_ntp) == var.primary_ntp ? 0 : "Variable [primary_ntp] must be a valid ntp"
+
+ regex_valid_secondary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.secondary_ntp is invalid
+ regex_secondary_ntp = regex(local.regex_valid_secondary_ntp, var.secondary_ntp) == var.secondary_ntp ? 0 : "Variable [secondary_ntp] must be a valid ntp"
+ //Splits the version and licence and returns the os version
+ version_split = element(split("-", var.gateway_version), 0)
+
+ gateway_bootstrap_script64 = base64encode(var.gateway_bootstrap_script)
+ gateway_SICkey_base64 = base64encode(var.gateway_SICKey)
+ gateway_password_hash_base64=base64encode(var.gateway_password_hash)
+ maintenance_mode_password_hash_base64 = base64encode(var.gateway_maintenance_mode_password_hash)
+}
diff --git a/terraform/aws/cluster/main.tf b/terraform/aws/cluster/main.tf
new file mode 100755
index 00000000..8282b24b
--- /dev/null
+++ b/terraform/aws/cluster/main.tf
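Review bot: `regex_token_valid` leaves the dots in `(.+).checkpoint.com` unescaped, so each `.` matches any character and the host check accepts more than a `*.checkpoint.com` URL; the intent reads as `regex_token_valid = "(^https://(.+)\\.checkpoint\\.com/app/maas/api/v1/tenant(.+)|^$)"`. `tokenA_decode`/`tokenB_decode` run `base64decode` on the last space-separated field before the regex is applied, so a token that is not valid base64 presumably surfaces Terraform's own decode error rather than the "Smart-1 Cloud token A is invalid format" message the next line prepares. `validation_message_both` says the tokens "can not be empty", but `is_both_tokens_used` fires only when exactly one of them is set, so the message should say that either both or neither must be provided. `provided_roue_table` is misspelled and is not referenced in the visible part of main.tf, which repeats `var.private_route_table == "" ? 0 : 1` inline instead. `volume_encryption_condition = var.volume_encryption != "" ? true : false` is just `var.volume_encryption != ""`.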
@@ -0,0 +1,291 @@ +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} + +module "amis" { + source = "../modules/amis" + + version_license = var.gateway_version + chkp_type = "gateway" +} + +module "common_permissive_sg" { + source = "../modules/common/permissive_sg" + + vpc_id = var.vpc_id + resources_tag_name = var.resources_tag_name + gateway_name = var.gateway_name +} + +resource "aws_iam_instance_profile" "cluster_instance_profile" { + path = "/" + role = local.create_iam_role == 1 ? join("", module.cluster_iam_role.*.cluster_iam_role_name) : var.predefined_role +} + +module "cluster_iam_role" { + source = "../modules/cluster-iam-role" + count = local.create_iam_role +} + +module "attach_cloudwatch_policy" { + source = "../modules/cloudwatch-policy" + count = local.enable_cloudwatch_policy + role = aws_iam_instance_profile.cluster_instance_profile.role + tag_name = var.resources_tag_name != "" ? var.resources_tag_name : var.gateway_name +} + +resource "aws_network_interface" "member_a_external_eni" { + subnet_id = var.public_subnet_id + security_groups = [module.common_permissive_sg.permissive_sg_id] + description = "Member A external" + source_dest_check = false + lifecycle { + ignore_changes = [private_ips_count,] + } + private_ips_count = 1 + tags = { + Name = format("%s-Member_A_ExternalInterface", var.resources_tag_name != "" ? var.resources_tag_name : var.gateway_name) } +} + +resource "aws_network_interface" "member_b_external_eni" { + subnet_id = var.public_subnet_id + security_groups = [module.common_permissive_sg.permissive_sg_id] + description = "Member B external" + source_dest_check = false + tags = { + Name = format("%s-Member_B_ExternalInterface", var.resources_tag_name != "" ? 
var.resources_tag_name : var.gateway_name) } +} + +resource "aws_network_interface" "member_a_internal_eni" { + subnet_id = var.private_subnet_id + security_groups = [module.common_permissive_sg.permissive_sg_id] + description = "Member A internal" + source_dest_check = false + lifecycle { + ignore_changes = [private_ips_count,] + } + private_ips_count = 1 + tags = { + Name = format("%s-Member_A_InternalInterface", var.resources_tag_name != "" ? var.resources_tag_name : var.gateway_name) } +} + +resource "aws_network_interface" "member_b_internal_eni" { + subnet_id = var.private_subnet_id + security_groups = [module.common_permissive_sg.permissive_sg_id] + description = "Member B internal" + source_dest_check = false + tags = { + Name = format("%s-Member_B_InternalInterface", var.resources_tag_name != "" ? var.resources_tag_name : var.gateway_name) } +} + +resource "aws_route" "internal_default_route" { + count = local.internal_route_table_condition + route_table_id = var.private_route_table + lifecycle { + ignore_changes = [network_interface_id,] + } + destination_cidr_block = "0.0.0.0/0" + network_interface_id = aws_network_interface.member_a_internal_eni.id +} + +resource "aws_route_table_association" "private_rtb_to_private_subnet" { + count = var.private_route_table == "" ? 0 : 1 + route_table_id = var.private_route_table + subnet_id = var.private_subnet_id +} + +resource "aws_launch_template" "member_a_launch_template" { + instance_type = var.gateway_instance_type + key_name = var.key_name + image_id = module.amis.ami_id + description = "Initial launch template version" + + iam_instance_profile { + name = aws_iam_instance_profile.cluster_instance_profile.id + } + + metadata_options { + http_tokens = var.metadata_imdsv2_required ? 
"required" : "optional" + } + + network_interfaces { + network_interface_id = aws_network_interface.member_a_external_eni.id + device_index = 0 + } + network_interfaces { + network_interface_id = aws_network_interface.member_a_internal_eni.id + device_index = 1 + } +} + +resource "aws_launch_template" "member_b_launch_template" { + instance_type = var.gateway_instance_type + key_name = var.key_name + image_id = module.amis.ami_id + description = "Initial launch template version" + + iam_instance_profile { + name = aws_iam_instance_profile.cluster_instance_profile.id + } + + metadata_options { + http_tokens = var.metadata_imdsv2_required ? "required" : "optional" + } + + network_interfaces { + network_interface_id = aws_network_interface.member_b_external_eni.id + device_index = 0 + } + network_interfaces { + network_interface_id = aws_network_interface.member_b_internal_eni.id + device_index = 1 + } +} + +resource "aws_instance" "member-a-instance" { + depends_on = [ + aws_network_interface.member_a_external_eni, + aws_network_interface.member_a_internal_eni + ] + + launch_template { + id = aws_launch_template.member_a_launch_template.id + version = "$Latest" + } + + disable_api_termination = var.disable_instance_termination + + tags = merge({ + Name = format("%s-Member-A",var.gateway_name), + x-chkp-member-ips = format("public-ip=%s:external-private-ip=%s:internal-private-ip=%s", + var.allocate_and_associate_eip ? 
aws_eip.member_a_eip[0].public_ip : "", aws_network_interface.member_a_external_eni.private_ip,aws_network_interface.member_a_internal_eni.private_ip), + x-chkp-cluster-ips = format("cluster-ip=%s:cluster-eth0-private-ip=%s:cluster-eth1-private-ip=%s", + aws_eip.cluster_eip.public_ip, element(tolist(setsubtract(tolist(aws_network_interface.member_a_external_eni.private_ips), [aws_network_interface.member_a_external_eni.private_ip])), 0), + element(tolist(setsubtract(tolist(aws_network_interface.member_a_internal_eni.private_ips), [aws_network_interface.member_a_internal_eni.private_ip])), 0)) + }, var.instance_tags) + + ebs_block_device { + device_name = "/dev/xvda" + volume_type = "gp2" + volume_size = var.volume_size + encrypted = local.volume_encryption_condition + kms_key_id = local.volume_encryption_condition ? var.volume_encryption : "" + } + + lifecycle { + ignore_changes = [ebs_block_device,] + } + + user_data = templatefile("${path.module}/cluster_member_a_userdata.yaml", { + // script's arguments + Hostname = var.gateway_hostname, + PasswordHash = local.gateway_password_hash_base64, + MaintenanceModePassword = local.maintenance_mode_password_hash_base64, + AllowUploadDownload = var.allow_upload_download, + EnableCloudWatch = var.enable_cloudwatch, + NTPPrimary = var.primary_ntp, + NTPSecondary = var.secondary_ntp, + Shell = var.admin_shell, + EnableInstanceConnect = var.enable_instance_connect, + GatewayBootstrapScript = local.gateway_bootstrap_script64, + SICKey = local.gateway_SICkey_base64, + TokenA = var.memberAToken, + MemberAPublicAddress = var.allocate_and_associate_eip ? 
aws_eip.member_a_eip[0].public_ip : "", + AllocateAddress = var.allocate_and_associate_eip, + OsVersion = local.version_split + }) +} + +resource "aws_instance" "member-b-instance" { + depends_on = [ + aws_network_interface.member_b_external_eni, + aws_network_interface.member_b_internal_eni + ] + + launch_template { + id = aws_launch_template.member_b_launch_template.id + version = "$Latest" + } + + disable_api_termination = var.disable_instance_termination + + tags = merge({ + Name = format("%s-Member-B",var.gateway_name), + x-chkp-member-ips = format("public-ip=%s:external-private-ip=%s:internal-private-ip=%s", + var.allocate_and_associate_eip ? aws_eip.member_b_eip[0].public_ip : "", aws_network_interface.member_b_external_eni.private_ip,aws_network_interface.member_b_internal_eni.private_ip), + x-chkp-cluster-ips = format("cluster-ip=%s:cluster-eth0-private-ip=%s:cluster-eth1-private-ip=%s", + aws_eip.cluster_eip.public_ip, element(tolist(setsubtract(tolist(aws_network_interface.member_a_external_eni.private_ips), [aws_network_interface.member_a_external_eni.private_ip])), 0), + element(tolist(setsubtract(tolist(aws_network_interface.member_a_internal_eni.private_ips), [aws_network_interface.member_a_internal_eni.private_ip])), 0)) + }, var.instance_tags) + + ebs_block_device { + device_name = "/dev/xvda" + volume_type = "gp2" + volume_size = var.volume_size + encrypted = local.volume_encryption_condition + kms_key_id = local.volume_encryption_condition ? 
var.volume_encryption : "" + } + + lifecycle { + ignore_changes = [ebs_block_device,] + } + + user_data = templatefile("${path.module}/cluster_member_b_userdata.yaml", { + // script's arguments + Hostname = var.gateway_hostname, + PasswordHash = local.gateway_password_hash_base64, + MaintenanceModePassword = local.maintenance_mode_password_hash_base64, + AllowUploadDownload = var.allow_upload_download, + EnableCloudWatch = var.enable_cloudwatch, + NTPPrimary = var.primary_ntp, + NTPSecondary = var.secondary_ntp, + Shell = var.admin_shell, + EnableInstanceConnect = var.enable_instance_connect, + GatewayBootstrapScript = local.gateway_bootstrap_script64, + SICKey = local.gateway_SICkey_base64, + TokenB = var.memberBToken, + MemberBPublicAddress = var.allocate_and_associate_eip ? aws_eip.member_b_eip[0].public_ip : "", + AllocateAddress = var.allocate_and_associate_eip, + OsVersion = local.version_split + }) +} + +resource "aws_eip" "cluster_eip" { +} + +resource "aws_eip" "member_a_eip" { + count = var.allocate_and_associate_eip ? 1 : 0 +} + +resource "aws_eip" "member_b_eip" { + count = var.allocate_and_associate_eip ? 1 : 0 +} + +resource "aws_eip_association" "cluster_address_assoc" { + depends_on = [aws_instance.member-a-instance] + allocation_id = aws_eip.cluster_eip.id + lifecycle { + ignore_changes = [ + network_interface_id, private_ip_address + ] + } + network_interface_id = aws_network_interface.member_a_external_eni.id + private_ip_address = length(tolist(aws_network_interface.member_a_external_eni.private_ips)) > 1 ? element(tolist(setsubtract(tolist(aws_network_interface.member_a_external_eni.private_ips), [aws_network_interface.member_a_external_eni.private_ip])), 0) : ""//extracting member's secondary ip which represent the cluster ip +} +resource "aws_eip_association" "member_a_address_assoc" { + depends_on = [aws_instance.member-a-instance] + count = var.allocate_and_associate_eip ? 
1 : 0 + allocation_id = aws_eip.member_a_eip[0].id + network_interface_id = aws_network_interface.member_a_external_eni.id + private_ip_address = aws_network_interface.member_a_external_eni.private_ip //primary +} +resource "aws_eip_association" "member_b_address_assoc" { + depends_on = [aws_instance.member-b-instance] + count = var.allocate_and_associate_eip ? 1 : 0 + allocation_id = aws_eip.member_b_eip[0].id + network_interface_id = aws_network_interface.member_b_external_eni.id + private_ip_address = aws_network_interface.member_b_external_eni.private_ip //primary +} + diff --git a/terraform/aws/cluster/output.tf b/terraform/aws/cluster/output.tf new file mode 100755 index 00000000..6e8f5cbf --- /dev/null +++ b/terraform/aws/cluster/output.tf @@ -0,0 +1,24 @@ +output "ami_id" { + value = module.amis.ami_id +} +output "cluster_public_ip" { + value = aws_eip.cluster_eip.*.public_ip +} +output "member_a_public_ip" { + value = aws_eip.member_a_eip.*.public_ip +} +output "member_b_public_ip" { + value = aws_eip.member_b_eip.*.public_ip +} +output "member_a_ssh" { + value = var.allocate_and_associate_eip ? format("ssh -i %s admin@%s", var.key_name, aws_eip.member_a_eip[0].public_ip) : "" +} +output "member_b_ssh" { + value = var.allocate_and_associate_eip ? format("ssh -i %s admin@%s", var.key_name, aws_eip.member_b_eip[0].public_ip) : "" +} +output "member_a_url" { + value = var.allocate_and_associate_eip ? format("https://%s", aws_eip.member_a_eip[0].public_ip) : "" +} +output "member_b_url" { + value = var.allocate_and_associate_eip ? format("https://%s", aws_eip.member_b_eip[0].public_ip) : "" +} \ No newline at end of file diff --git a/terraform/aws/cluster/terraform.tfvars b/terraform/aws/cluster/terraform.tfvars new file mode 100755 index 00000000..179fe10b --- /dev/null +++ b/terraform/aws/cluster/terraform.tfvars 
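Review bot: The `user_data` rendered for `member-a-instance` and `member-b-instance` embeds `PasswordHash`, `MaintenanceModePassword`, `SICKey` and the Smart-1 Cloud token, and nothing in the hunk records that EC2 user data is readable to any principal holding `ec2:DescribeInstanceAttribute` on the instance and is persisted verbatim in the Terraform state. The base64 applied in the locals is encoding, not protection. A comment above each `user_data = templatefile(...)` should state this, e.g. `// user_data carries the SIC key, password hashes and S1C token (base64 only): protect the state backend and restrict ec2:DescribeInstanceAttribute on these instances`. The security group comes from `module.common_permissive_sg`, whose rules are outside this hunk; if it is as broad as its name suggests, the same comment is the place to note that both the external and internal ENIs receive it.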
@@ -0,0 +1,43 @@ +//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + +// --- VPC Network Configuration --- +vpc_id = "vpc-12345678" +public_subnet_id = "subnet-123456" +private_subnet_id = "subnet-345678" +private_route_table = "rtb-12345678" + +// --- EC2 Instance Configuration --- +gateway_name = "Check-Point-Cluster-tf" +gateway_instance_type = "c5.xlarge" +key_name = "publickey" +allocate_and_associate_eip = true +volume_size = 100 +volume_encryption = "alias/aws/ebs" +enable_instance_connect = false +disable_instance_termination = false +metadata_imdsv2_required = true +instance_tags = { + key1 = "value1" + key2 = "value2" +} +predefined_role = "" + +// --- Check Point Settings --- +gateway_version = "R81.20-BYOL" +admin_shell = "/etc/cli.sh" +gateway_SICKey = "12345678" +gateway_password_hash = "" +gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. + +// --- Quick connect to Smart-1 Cloud (Recommended) --- +memberAToken = "" +memberBToken = "" + +// --- Advanced Settings --- +resources_tag_name = "tag-name" +gateway_hostname = "gw-hostname" +allow_upload_download = true +enable_cloudwatch = false +gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" +primary_ntp = "" +secondary_ntp = "" \ No newline at end of file diff --git a/terraform/aws/cluster/variables.tf b/terraform/aws/cluster/variables.tf new file mode 100755 index 00000000..1b515744 --- /dev/null +++ b/terraform/aws/cluster/variables.tf 
@@ -0,0 +1,181 @@ +// Module: Check Point CloudGuard Network Security Cluster into an existing VPC + +// --- AWS Provider --- +variable "region" { + type = string + description = "AWS region" + default = "" +} +variable "access_key" { + type = string + description = "AWS access key" + default = "" +} +variable "secret_key" { + type = string + description = "AWS secret key" + default = "" +} + +// --- VPC Network Configuration --- +variable "vpc_id" { + type = string +} +variable "public_subnet_id" { + type = string + description = "The public subnet of the cluster. The cluster's public IPs will be generated from this subnet" +} +variable "private_subnet_id" { + type = string + description = "The private subnet of the cluster. The cluster's private IPs will be generated from this subnet" +} +variable "private_route_table" { + type = string + description = "(Optional) Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route" + default= "" +} + +// --- EC2 Instance Configuration --- +variable "gateway_name" { + type = string + description = "(Optional) The name tag of the Security Gateway instances" + default = "Check-Point-Cluster-tf" +} +variable "gateway_instance_type" { + type = string + description = "The instance type of the Security Gateways" + default = "c5.xlarge" +} +module "validate_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "gateway" + instance_type = var.gateway_instance_type +} +variable "key_name" { + type = string + description = "The EC2 Key Pair name to allow SSH access to the instance" +} +variable "allocate_and_associate_eip" { + type = bool + description = "If set to true, an elastic IP will be allocated and associated with each cluster member, in addition to the shared cluster Elastic IP" + default = true +} +variable "volume_size" { + type = number + description = "Root volume size (GB) - minimum 100" + default = 100 
+} +resource "null_resource" "volume_size_too_small" { + // Volume Size validation - resource will not be created if the volume size is smaller than 100 + count = var.volume_size >= 100 ? 0 : "volume_size must be at least 100" +} +variable "volume_encryption" { + type = string + description = "KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs')" + default = "alias/aws/ebs" +} +variable "enable_instance_connect" { + type = bool + description = "Enable SSH connection over AWS web console" + default = false +} +variable "disable_instance_termination" { + type = bool + description = "Prevents an instance from accidental termination" + default = false +} +variable "metadata_imdsv2_required" { + type = bool + description = "Set true to deploy the instance with metadata v2 token required" + default = true +} +variable "instance_tags" { + type = map(string) + description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances" + default = {} +} +variable "predefined_role" { + type = string + description = "(Optional) A predefined IAM role to attach to the cluster profile" + default = "" +} + +// --- Check Point Settings --- +variable "gateway_version" { + type = string + description = "Gateway version and license" + default = "R81.20-BYOL" +} +module "validate_gateway_version" { + source = "../modules/common/version_license" + + chkp_type = "gateway" + version_license = var.gateway_version +} +variable "admin_shell" { + type = string + description = "Set the admin shell to enable advanced command line configuration" + default = "/etc/cli.sh" +} +variable "gateway_SICKey" { + type = string + description = "The Secure Internal Communication key for trusted connection between Check Point components. 
Choose a random string consisting of at least 8 alphanumeric characters" +} +variable "gateway_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" + default = "" +} +variable "gateway_maintenance_mode_password_hash" { + description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)." + type = string + default = "" +} + +// --- Quick connect to Smart-1 Cloud (Recommended) --- +variable "memberAToken" { + type = string + description = "Follow the instructions in sk180501 to quickly connect this Single AZ Cluster to Smart-1 Cloud." +} +variable "memberBToken" { + type = string + description = "Follow the instructions in sk180501 to quickly connect this Single AZ Cluster to Smart-1 Cloud." +} + +// --- Advanced Settings --- +variable "resources_tag_name" { + type = string + description = "(Optional) Name tag prefix of the resources" + default = "" +} +variable "gateway_hostname" { + type = string + description = "(Optional) The host name will be appended with member-a/b accordingly" + default = "" +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point" + default = true +} +variable "enable_cloudwatch" { + type = bool + description = "Report Check Point specific CloudWatch metrics" + default = false +} +variable "gateway_bootstrap_script" { + type = string + description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot" + default = "" +} +variable "primary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol primary server" + default = "169.254.169.123" +} +variable "secondary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server" + default = "0.pool.ntp.org" +} diff --git a/terraform/aws/cluster/versions.tf b/terraform/aws/cluster/versions.tf new file mode 100755 index 00000000..c138bbb3 --- /dev/null +++ b/terraform/aws/cluster/versions.tf @@ -0,0 +1,12 @@ +terraform { + required_version = ">= 0.14.3" + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.20.0" + } + http = { + version = "~> 3.4.0" + } + } +} diff --git a/terraform/aws/cme-iam-role-gwlb/README.md b/terraform/aws/cme-iam-role-gwlb/README.md new file mode 100644 index 00000000..2d6e639b --- /dev/null +++ b/terraform/aws/cme-iam-role-gwlb/README.md 
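Review bot: `access_key`, `secret_key`, `gateway_SICKey`, `gateway_password_hash`, `gateway_maintenance_mode_password_hash`, `memberAToken` and `memberBToken` are all declared without `sensitive = true`, so their values are printed in `terraform plan` output and in the diff of any resource that consumes them. The `versions.tf` added in the same commit requires `>= 0.14.3`, where the `sensitive` argument is available, so adding the single line `sensitive = true` to each of these blocks is compatible with the pinned toolchain. The same omission applies to `access_key`/`secret_key` in `terraform/aws/cme-iam-role-gwlb/variables.tf` further down. Separately, `null_resource "volume_size_too_small"` abuses `count` to fail the plan; a `validation { condition = var.volume_size >= 100 ... }` block on `volume_size` expresses the same check without creating a resource and is also supported by the pinned version.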
@@ -0,0 +1,101 @@ +# AWS IAM Role for Cloud Management Extension (CME) manages Gateway Load Balancer Auto Scale Group Terraform module + +Terraform module which creates an AWS IAM Role for Cloud Management Extension (CME) manages Gateway Load Balancer Auto Scale Group on Security Management Server. + +These types of Terraform resources are supported: +* [AWS IAM role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) +* [AWS IAM policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) +* [AWS IAM policy attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) + +This type of Terraform data source is supported: +* [AWS IAM policy document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) + +See the [Creating an AWS IAM Role for Security Management Server](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122074) for additional information + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/cme-iam-role-gwlb/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/cme-iam-role-gwlb/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +- Variables are configured in /terraform/aws/cme-iam-role-gwlb/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + permissions = "Create with read permissions" + sts_roles = ['arn:aws:iam::111111111111:role/role_name'] + trusted_account = "" + ``` + +- To tear down your resources: + ``` + terraform destroy + ``` + + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | +|-----------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|-------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------|----------| +| permissions | The IAM role permissions | string | - Create with assume role permissions (specify an STS role ARN)
- Create with read permissions
- Create with read-write permissions | Create with read permissions | no | +| sts_roles | The IAM role will be able to assume these STS Roles (map of string ARNs) | list(string) | n/a | [] | no | +| trusted_account | A 12 digits number that represents the ID of a trusted account. IAM users in this account will be able assume the IAM role and receive the permissions attached to it | string | n/a | "" | no | + + +## Outputs +| Name | Description | +|----------------------|---------------------------------------| +| cme_iam_role_arn | The created AWS IAM Role arn | +| cme_iam_role_name | The created AWS IAM Role name | +| cme_iam_profile_name | The created AWS instance profile name | +| cme_iam_profile_arn | The created AWS instance profile arn | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|-------------------------------------------------------------------| +| 20230926 | CME instance profile for IAM Role | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20240507 | Add ec2:DescribeRegions read permission to the IAM role policy | + + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/terraform/aws/cme-iam-role-gwlb/main.tf b/terraform/aws/cme-iam-role-gwlb/main.tf new file mode 100644 index 00000000..33ea37ab --- /dev/null +++ b/terraform/aws/cme-iam-role-gwlb/main.tf 
@@ -0,0 +1,110 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+resource "aws_iam_role" "cme_iam_role_gwlb" {
+ assume_role_policy = data.aws_iam_policy_document.cme_role_assume_policy_document.json
+ path = "/"
+}
+
+data "aws_iam_policy_document" "cme_role_assume_policy_document" {
+ version = "2012-10-17"
+ statement {
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+ principals {
+ type = var.trusted_account == "" ? "Service" : "AWS"
+ identifiers = var.trusted_account == "" ? ["ec2.amazonaws.com"] : [var.trusted_account]
+ }
+ }
+}
+
+locals {
+ provided_sts_roles = length(var.sts_roles) == 0 ? 0 : 1
+ allow_read_permissions = var.permissions == "Create with read-write permissions" || var.permissions == "Create with read permissions" ? 1 : 0
+ allow_write_permissions = var.permissions == "Create with read-write permissions" ? 1 : 0
+}
+
+data "aws_iam_policy_document" "cme_role_sts_policy_doc" {
+ version = "2012-10-17"
+ statement {
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+ resources = var.sts_roles
+ }
+}
+resource "aws_iam_policy" "cme_role_sts_policy" {
+ count = local.provided_sts_roles
+ policy = data.aws_iam_policy_document.cme_role_sts_policy_doc.json
+
+}
+resource "aws_iam_role_policy_attachment" "attach_sts_policy" {
+ count = local.provided_sts_roles
+ policy_arn = aws_iam_policy.cme_role_sts_policy[0].arn
+ role = aws_iam_role.cme_iam_role_gwlb.id
+}
+
+data "aws_iam_policy_document" "cme_role_read_policy_doc" {
+ version = "2012-10-17"
+ statement {
+ effect = "Allow"
+ actions = [
+ "autoscaling:DescribeAutoScalingGroups",
+ "ec2:DescribeRegions",
+ "ec2:DescribeInstances",
+ "ec2:DescribeNetworkInterfaces",
+ "ec2:DescribeRouteTables",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeVpcs",
+ "ec2:DescribeInternetGateways",
+ "ec2:DescribeVpcEndpoints",
+ "ec2:DescribeVpcEndpointServiceConfigurations",
+ "elasticloadbalancing:DescribeLoadBalancers",
+ "elasticloadbalancing:DescribeTags",
+ "elasticloadbalancing:DescribeListeners",
+ "elasticloadbalancing:DescribeTargetGroups",
+ "elasticloadbalancing:DescribeRules",
+ "elasticloadbalancing:DescribeTargetHealth"]
+ resources = ["*"]
+ }
+}
+resource "aws_iam_policy" "cme_role_read_policy" {
+ count = local.allow_read_permissions
+ policy = data.aws_iam_policy_document.cme_role_read_policy_doc.json
+}
+resource "aws_iam_role_policy_attachment" "attach_read_policy" {
+ count = local.allow_read_permissions
+ policy_arn = aws_iam_policy.cme_role_read_policy[0].arn
+ role = aws_iam_role.cme_iam_role_gwlb.id
+}
+
+data "aws_iam_policy_document" "cme_role_write_policy_doc" {
+ version = "2012-10-17"
+ statement {
+ effect = "Allow"
+ actions = [
+ "ec2:CreateRoute",
+ "ec2:ReplaceRoute",
+ "ec2:DeleteRoute",
+ "ec2:CreateRouteTable",
+ "ec2:AssociateRouteTable",
+ "ec2:CreateTags"
+]
+ resources = ["*"]
+ }
+}
+resource "aws_iam_policy" "cme_role_write_policy" {
+ count = local.allow_write_permissions
+ policy = data.aws_iam_policy_document.cme_role_write_policy_doc.json
+}
+resource "aws_iam_role_policy_attachment" "attach_write_policy" {
+ count = local.allow_write_permissions
+ policy_arn = aws_iam_policy.cme_role_write_policy[0].arn
+ role = aws_iam_role.cme_iam_role_gwlb.id
+}
+resource "aws_iam_instance_profile" "iam_instance_profile" {
+ role = aws_iam_role.cme_iam_role_gwlb.id
+}
\ No newline at end of file
diff --git a/terraform/aws/cme-iam-role-gwlb/output.tf b/terraform/aws/cme-iam-role-gwlb/output.tf
new file mode 100644
index 00000000..8c86901a
--- /dev/null
+++ b/terraform/aws/cme-iam-role-gwlb/output.tf
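Review bot: `cme_role_write_policy_doc` grants `ec2:CreateRoute`, `ec2:ReplaceRoute`, `ec2:DeleteRoute`, `ec2:CreateRouteTable`, `ec2:AssociateRouteTable` and `ec2:CreateTags` on `resources = ["*"]`, so a principal holding this role can rewrite the default route of any route table in the account, not only those of the VPCs CME manages. If CME's target VPCs are known at deploy time, the statement should be narrowed with a `condition` on the `ec2:Vpc` key (supported on the route-table resource for the route actions) or on `aws:ResourceTag`, and the `ec2:CreateTags` grant split into its own statement so it can carry its own scope; if region-wide scope is a deliberate CME requirement, a comment above `resources = ["*"]` saying so would stop the next reviewer from re-raising it. On `cme_role_assume_policy_document`, a non-empty `trusted_account` makes the principal the bare account ID, which AWS treats as the account root and therefore lets any IAM principal in that account with `sts:AssumeRole` rights assume the role; worth a comment such as `// account-ID principal: delegates to every principal in that account that holds sts:AssumeRole`.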
@@ -0,0 +1,13 @@
+output "cme_iam_role_arn" {
+ value = aws_iam_role.cme_iam_role_gwlb.arn
+}
+output "cme_iam_role_name" {
+ value = aws_iam_role.cme_iam_role_gwlb.name
+}
+output "cme_iam_profile_name" {
+ value = aws_iam_instance_profile.iam_instance_profile.name
+}
+output "cme_iam_profile_arn" {
+ value = aws_iam_instance_profile.iam_instance_profile.arn
+}
+
diff --git a/terraform/aws/cme-iam-role-gwlb/terraform.tfvars b/terraform/aws/cme-iam-role-gwlb/terraform.tfvars
new file mode 100644
index 00000000..9914eae9
--- /dev/null
+++ b/terraform/aws/cme-iam-role-gwlb/terraform.tfvars
@@ -0,0 +1,5 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+permissions = "Create with read permissions"
+sts_roles = []
+trusted_account = ""
\ No newline at end of file
diff --git a/terraform/aws/cme-iam-role-gwlb/variables.tf b/terraform/aws/cme-iam-role-gwlb/variables.tf
new file mode 100644
index 00000000..3a0fe740
--- /dev/null
+++ b/terraform/aws/cme-iam-role-gwlb/variables.tf
@@ -0,0 +1,42 @@
+// Module: IAM role for selected permissions
+
+// --- AWS Provider ---
+variable "region" {
+ type = string
+ description = "AWS region"
+ default = ""
+}
+variable "access_key" {
+ type = string
+ description = "AWS access key"
+ default = ""
+}
+variable "secret_key" {
+ type = string
+ description = "AWS secret key"
+ default = ""
+}
+
+variable "permissions" {
+ type = string
+ description = "The IAM role permissions"
+ default = "Create with read permissions"
+}
+locals {
+ permissions_allowed_values = [
+ "Create with assume role permissions (specify an STS role ARN)",
+ "Create with read permissions",
+ "Create with read-write permissions"]
+ // Will fail if var.permissions is invalid
+ validate_permissions = index(local.permissions_allowed_values, var.permissions)
+}
+variable "sts_roles" {
+ type = list(string)
+ description = "The IAM role will be able to assume these STS Roles (map of string ARNs)"
+ default = []
+}
+variable "trusted_account" {
+ type = string
+ description = "A 12 digits number that represents the ID of a trusted account. IAM users in this account will be able assume the IAM role and receive the permissions attached to it"
+ default = ""
+}
diff --git a/terraform/aws/cme-iam-role-gwlb/versions.tf b/terraform/aws/cme-iam-role-gwlb/versions.tf
new file mode 100644
index 00000000..b3e24059
--- /dev/null
+++ b/terraform/aws/cme-iam-role-gwlb/versions.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ }
+}
diff --git a/terraform/aws/cme-iam-role/README.md b/terraform/aws/cme-iam-role/README.md
new file mode 100755
index 00000000..203326cb
--- /dev/null
+++ b/terraform/aws/cme-iam-role/README.md
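Review bot: `trusted_account` is documented as a 12-digit account ID but nothing validates it, and `main.tf` in this module drops the raw value straight into the trust policy's `identifiers` list, so a typo or a pasted ARN is only caught at apply time by the IAM API. A `validation` block on the variable with `condition = var.trusted_account == "" || can(regex("^[0-9]{12}$", var.trusted_account))` and `error_message = "Variable [trusted_account] must be empty or a 12-digit AWS account ID."` reports this at plan time; the module already requires `>= 0.14.3` in its `versions.tf`, which supports it. The `index()` trick in `locals.validate_permissions` works but fails with an opaque "invalid index" message; the same `validation` mechanism with `contains(local.permissions_allowed_values, var.permissions)` would name the offending variable instead.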
@@ -0,0 +1,102 @@ +# AWS IAM Role for Cloud Management Extension (CME) Terraform module + +Terraform module which creates an AWS IAM Role for Cloud Management Extension (CME) on Security Management Server. + +These types of Terraform resources are supported: +* [AWS IAM role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) +* [AWS IAM policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) +* [AWS IAM policy attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) + +This type of Terraform data source is supported: +* [AWS IAM policy document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) + +See the [Creating an AWS IAM Role for Security Management Server](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122074) for additional information + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/cme-iam-role/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/cme-iam-role/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +- Variables are configured in /terraform/aws/cme-iam-role/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + permissions = "Create with read permissions" + sts_roles = ['arn:aws:iam::111111111111:role/role_name'] + trusted_account = "" + ``` + +- To tear down your resources: + ``` + terraform destroy + ``` + + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | +|-----------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|-------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------|----------| +| permissions | The IAM role permissions | string | - Create with assume role permissions (specify an STS role ARN)
- Create with read permissions
- Create with read-write permissions | Create with read permissions | no | +| sts_roles | The IAM role will be able to assume these STS Roles (map of string ARNs) | list(string) | n/a | [] | no | +| trusted_account | A 12 digits number that represents the ID of a trusted account. IAM users in this account will be able assume the IAM role and receive the permissions attached to it | string | n/a | "" | no | + + +## Outputs +| Name | Description | +|----------------------|---------------------------------------| +| cme_iam_role_arn | The created AWS IAM Role arn | +| cme_iam_role_name | The created AWS IAM Role name | +| cme_iam_profile_name | The created AWS instance profile name | +| cme_iam_profile_arn | The created AWS instance profile arn | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|--------------------------------------------------------------------| +| 20210309 | First release of Check Point CME IAM Role Terraform module for AWS | +| 20230514 | CME instance profile for IAM Role | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20240507 | Add ec2:DescribeRegions read permission to the IAM role policy | + + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/terraform/aws/cme-iam-role/main.tf b/terraform/aws/cme-iam-role/main.tf new file mode 100755 index 00000000..817e3b90 --- /dev/null +++ b/terraform/aws/cme-iam-role/main.tf 
@@ -0,0 +1,136 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+resource "aws_iam_role" "cme_iam_role" {
+ assume_role_policy = data.aws_iam_policy_document.cme_role_assume_policy_document.json
+ path = "/"
+}
+
+data "aws_iam_policy_document" "cme_role_assume_policy_document" {
+ version = "2012-10-17"
+ statement {
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+ principals {
+ type = var.trusted_account == "" ? "Service" : "AWS"
+ identifiers = var.trusted_account == "" ? ["ec2.amazonaws.com"] : [var.trusted_account]
+ }
+ }
+}
+
+locals {
+ provided_sts_roles = length(var.sts_roles) == 0 ? 0 : 1
+ allow_read_permissions = var.permissions == "Create with read-write permissions" || var.permissions == "Create with read permissions" ? 1 : 0
+ allow_write_permissions = var.permissions == "Create with read-write permissions" ? 1 : 0
+}
+
+data "aws_iam_policy_document" "cme_role_sts_policy_doc" {
+ version = "2012-10-17"
+ statement {
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+ resources = var.sts_roles
+ }
+}
+resource "aws_iam_policy" "cme_role_sts_policy" {
+ count = local.provided_sts_roles
+ policy = data.aws_iam_policy_document.cme_role_sts_policy_doc.json
+
+}
+resource "aws_iam_role_policy_attachment" "attach_sts_policy" {
+ count = local.provided_sts_roles
+ policy_arn = aws_iam_policy.cme_role_sts_policy[0].arn
+ role = aws_iam_role.cme_iam_role.id
+}
+
+data "aws_iam_policy_document" "cme_role_read_policy_doc" {
+ version = "2012-10-17"
+ statement {
+ effect = "Allow"
+ actions = [
+ "autoscaling:DescribeAutoScalingGroups",
+ "ec2:DescribeRegions",
+ "ec2:DescribeCustomerGateways",
+ "ec2:DescribeInstances",
+ "ec2:DescribeNetworkInterfaces",
+ "ec2:DescribeRouteTables",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeTransitGateways",
+ "ec2:DescribeTransitGatewayAttachments",
+ "ec2:DescribeTransitGatewayRouteTables",
+ "ec2:DescribeVpcs",
+ "ec2:DescribeVpnGateways",
+ "ec2:DescribeVpnConnections",
+ "ec2:GetTransitGatewayAttachmentPropagations",
+ "elasticloadbalancing:DescribeLoadBalancers",
+ "elasticloadbalancing:DescribeTags",
+ "elasticloadbalancing:DescribeListeners",
+ "elasticloadbalancing:DescribeTargetGroups",
+ "elasticloadbalancing:DescribeRules",
+ "elasticloadbalancing:DescribeTargetHealth"]
+ resources = ["*"]
+ }
+}
+resource "aws_iam_policy" "cme_role_read_policy" {
+ count = local.allow_read_permissions
+ policy = data.aws_iam_policy_document.cme_role_read_policy_doc.json
+}
+resource "aws_iam_role_policy_attachment" "attach_read_policy" {
+ count = local.allow_read_permissions
+ policy_arn = aws_iam_policy.cme_role_read_policy[0].arn
+ role = aws_iam_role.cme_iam_role.id
+}
+
+data "aws_iam_policy_document" "cme_role_write_policy_doc" {
+ version = "2012-10-17"
+ statement {
+ effect = "Allow"
+ actions = [
+ "ec2:AssociateTransitGatewayRouteTable",
+ "ec2:AttachVpnGateway",
+ "ec2:CreateCustomerGateway",
+ "ec2:CreateVpnConnection",
+ "ec2:CreateVpnGateway",
+ "ec2:DeleteCustomerGateway",
+ "ec2:DeleteVpnConnection",
+ "ec2:DeleteVpnGateway",
+ "ec2:DetachVpnGateway",
+ "ec2:DisableTransitGatewayRouteTablePropagation",
+ "ec2:DisableVgwRoutePropagation",
+ "ec2:DisassociateTransitGatewayRouteTable",
+ "ec2:EnableTransitGatewayRouteTablePropagation",
+ "ec2:EnableVgwRoutePropagation"]
+ resources = ["*"]
+ }
+ statement {
+ effect = "Allow"
+ actions = [
+ "cloudformation:DescribeStacks",
+ "cloudformation:DescribeStackResources",
+ "cloudformation:ListStacks"]
+ resources = ["*"]
+ }
+ statement {
+ effect = "Allow"
+ actions = [
+ "cloudformation:CreateStack",
+ "cloudformation:DeleteStack"]
+ resources = ["arn:aws:cloudformation:*:*:stack/vpn-by-tag--*/*"]
+ }
+}
+resource "aws_iam_policy" "cme_role_write_policy" {
+ count = local.allow_write_permissions
+ policy = data.aws_iam_policy_document.cme_role_write_policy_doc.json
+}
+resource "aws_iam_role_policy_attachment" "attach_write_policy" {
+ count = local.allow_write_permissions
+ policy_arn = aws_iam_policy.cme_role_write_policy[0].arn
+ role = aws_iam_role.cme_iam_role.id
+}
+resource "aws_iam_instance_profile" "iam_instance_profile" {
+ role = aws_iam_role.cme_iam_role.id
+}
\ No newline at end of file
diff --git a/terraform/aws/cme-iam-role/output.tf b/terraform/aws/cme-iam-role/output.tf
new file mode 100755
index 00000000..cad35709
--- /dev/null
+++ b/terraform/aws/cme-iam-role/output.tf
@@ -0,0 +1,12 @@
+output "cme_iam_role_arn" {
+ value = aws_iam_role.cme_iam_role.arn
+}
+output "cme_iam_role_name" {
+ value = aws_iam_role.cme_iam_role.name
+}
+output "cme_iam_profile_name" {
+ value = aws_iam_instance_profile.iam_instance_profile.name
+}
+output "cme_iam_profile_arn" {
+ value = aws_iam_instance_profile.iam_instance_profile.arn
+}
\ No newline at end of file
diff --git a/terraform/aws/cme-iam-role/terraform.tfvars b/terraform/aws/cme-iam-role/terraform.tfvars
new file mode 100755
index 00000000..9914eae9
--- /dev/null
+++ b/terraform/aws/cme-iam-role/terraform.tfvars
@@ -0,0 +1,5 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+permissions = "Create with read permissions"
+sts_roles = []
+trusted_account = ""
\ No newline at end of file
diff --git a/terraform/aws/cme-iam-role/variables.tf b/terraform/aws/cme-iam-role/variables.tf
new file mode 100755
index 00000000..3a0fe740
--- /dev/null
+++ b/terraform/aws/cme-iam-role/variables.tf
@@ -0,0 +1,42 @@
+// Module: IAM role for selected permissions
+
+// --- AWS Provider ---
+variable "region" {
+ type = string
+ description = "AWS region"
+ default = ""
+}
+variable "access_key" {
+ type = string
+ description = "AWS access key"
+ default = ""
+}
+variable "secret_key" {
+ type = string
+ description = "AWS secret key"
+ default = ""
+}
+
+variable "permissions" {
+ type = string
+ description = "The IAM role permissions"
+ default = "Create with read permissions"
+}
+locals {
+ permissions_allowed_values = [
+ "Create with assume role permissions (specify an STS role ARN)",
+ "Create with read permissions",
+ "Create with read-write permissions"]
+ // Will fail if var.permissions is invalid
+ validate_permissions = index(local.permissions_allowed_values, var.permissions)
+}
+variable "sts_roles" {
+ type = list(string)
+ description = "The IAM role will be able to assume these STS Roles (map of string ARNs)"
+ default = []
+}
+variable "trusted_account" {
+ type = string
+ description = "A 12 digits number that represents the ID of a trusted account. IAM users in this account will be able assume the IAM role and receive the permissions attached to it"
+ default = ""
+}
diff --git a/terraform/aws/cme-iam-role/versions.tf b/terraform/aws/cme-iam-role/versions.tf
new file mode 100755
index 00000000..b3e24059
--- /dev/null
+++ b/terraform/aws/cme-iam-role/versions.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ }
+}
diff --git a/terraform/aws/cross-az-cluster-master/README.md b/terraform/aws/cross-az-cluster-master/README.md
new file mode 100755
index 00000000..9209ec51
--- /dev/null
+++ b/terraform/aws/cross-az-cluster-master/README.md
@@ -0,0 +1,219 @@ +# Check Point CloudGuard Network Security Cross AZ Cluster Master Terraform module for AWS + +Terraform module which deploys a Check Point CloudGuard Network Security Cross AZ Cluster into into a new VPC. + +These types of Terraform resources are supported: +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) +* [VPC](https://www.terraform.io/docs/providers/aws/r/vpc.html) +* [Security Group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/aws/r/network_interface.html) +* [Route](https://www.terraform.io/docs/providers/aws/r/route.html) +* [EIP](https://www.terraform.io/docs/providers/aws/r/eip.html) +* [IAM Role](https://www.terraform.io/docs/providers/aws/r/iam_role.html) - conditional creation + +See the [Deploying a Check Point Cluster in AWS (Amazon Web Services)](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/Default.htm) for additional information + +This solution uses the following modules: +- /terraform/aws/cross-az-cluster +- /terraform/aws/modules/amis +- /terraform/aws/modules/vpc +- /terraform/aws/modules/cluster-iam-role + + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). 
+- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/cross-az-cluster-master/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Static credentials are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-module /terraform/aws/cross-az-cluster: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + b. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-module /terraform/aws/cross-az-cluster: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/cross-az-cluster-master/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + - Due to terraform limitation, the apply command is: + ``` + terraform apply -target=aws_route_table.private_subnet_rtb -auto-approve && terraform apply + ``` + >Once terraform is updated, we will update accordingly. 
+ +- Variables are configured in /terraform/aws/cross-az-cluster-master/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- VPC Network Configuration --- + vpc_cidr = "10.0.0.0/16" + public_subnets_map = { + "us-east-1a" = 1 + "us-east-1b" = 2 + } + private_subnets_map = { + "us-east-1a" = 3 + "us-east-1a" = 4 + } + subnets_bit_length = 8 + + + + // --- EC2 Instance Configuration --- + gateway_name = "Check-Point-Cluster-tf" + gateway_instance_type = "c5.xlarge" + key_name = "publickey" + volume_size = 100 + volume_encryption = "alias/aws/ebs" + enable_instance_connect = false + disable_instance_termination = false + instance_tags = { + key1 = "value1" + key2 = "value2" + } + predefined_role = "" + + // --- Check Point Settings --- + gateway_version = "R81.20-BYOL" + admin_shell = "/etc/cli.sh" + gateway_SICKey = "12345678" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. + + // --- Quick connect to Smart-1 Cloud (Recommended) --- + memberAToken = "" + memberBToken = "" + + // --- Advanced Settings --- + resources_tag_name = "tag-name" + gateway_hostname = "gw-hostname" + allow_upload_download = true + enable_cloudwatch = false + gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + primary_ntp = "" + secondary_ntp = "" + ``` + +- Conditional creation + - To create IAM Role: + ``` + predefined_role = "" + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + ### Optional re-deploy of cluster member: + In case of re-deploying one cluster member, make sure that it's in STANDBY state, and the second member is the ACTIVE one. 
+ Follow the commands below in order to re-deploy (replace MEMBER with a or b): + - terraform taint module.launch_cluster_into_vpc.aws_instance.member-MEMBER-instance + - terraform plan (review the changes) + - terraform apply + - In Smart Console: reset SIC with the re-deployed member and install policy + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | +|----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| +| vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | +| public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1 \"us-east-1b\" = 2} ) | map | n/a | n/a | yes | +| private_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 3 \"us-east-1b\" = 4} ) | map | n/a | n/a | yes | +| subnets_bit_length | Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20 | number | n/a | n/a | yes | +| gateway_name | (Optional) The name tag of the Security Gateway instances | string | n/a | Check-Point-Cluster-tf | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | +| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | +| enable_instance_connect | Enable AWS Instance Connect. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances | map(string) | n/a | {} | no | +| predefined_role | (Optional) A predefined IAM role to attach to the cluster profile | string | n/a | "" | no | +| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| memberAToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| memberBToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| resources_tag_name | (Optional) Name tag prefix of the resources | string | n/a | "" | no | +| gateway_hostname | (Optional) The host name will be appended with member-a/b accordingly. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | +| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | +| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no | + +## Outputs +| Name | Description | +|--------------------|--------------------------------------------------------------| +| ami_id | The ami id of the deployed Security Cross AZ Cluster members | +| cluster_public_ip | The public address of the cluster | +| member_a_public_ip | The public address of member A | +| member_b_public_ip | The public address of member B | +| member_a_ssh | SSH command to member A | +| member_b_ssh | SSH command to member B | +| member_a_url | URL to the member A portal | +| member_b_url | URL to the member B portal | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | 
+|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 20221123 | First release of Check Point Security Cross AZ Cluster Master Terraform module for AWS | +| 20221123 | Changed default version and added instances types | +| 20221123 | R81.20 version support | +| 20230411 | - Improved deployment experience for gateways and clusters managed by Smart-1 Cloud
- Multiple VIPs support for Cross Availability Zone Cluster. For more details refer to the [Cross Availability Zone Cluster for AWS R81.20 Administration Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/Content/Topics-AWS-CrossAZ-Cluster-AG/Check-Point-CloudGuard-for-AWS.htm) -> "Deploying Cross AZ Cluster with multiple VIPs" section. | +| 20230503 | Smart-1 Cloud token validation | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230806 | Add support for c6in instance type | +| 20230914 | Add support for maintenance mode password | +| 20230923 | Add support for C5d instance type | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../../cross-az/LICENSE) file for details diff --git a/terraform/aws/cross-az-cluster-master/locals.tf b/terraform/aws/cross-az-cluster-master/locals.tf new file mode 100755 index 00000000..68e4523f --- /dev/null +++ b/terraform/aws/cross-az-cluster-master/locals.tf 
@@ -0,0 +1,58 @@
+locals {
+ regex_valid_vpc_cidr = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$"
+ // Will fail if var.vpc_cidr is invalid
+ regex_vpc_cidr = regex(local.regex_valid_vpc_cidr, var.vpc_cidr) == var.vpc_cidr ? 0 : "Variable [vpc_cidr] must be a valid vpc cidr"
+
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"]
+ // Will fail if var.admin_shell is invalid
+ validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell)
+
+ create_iam_role = var.predefined_role == "" ? 1 : 0
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+
+ regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SIC_Key is invalid
+ regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters"
+
+ is_both_tokens_used = length(var.memberAToken) > 0 == length(var.memberBToken) > 0
+ validation_message_both = "Smart-1 Cloud Tokens for member A and member B can not be empty."
+ //Will fail if var.memberAToken is empty and var.memberBToken isn't and vice versa
+ regex_s1c_validate = regex("^$", (local.is_both_tokens_used ? "" : local.validation_message_both))
+
+ is_tokens_used = length(var.memberAToken) > 0
+ is_both_tokens_the_same = var.memberAToken == var.memberBToken
+ validation_message_unique = "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+ //Will fail if both s1c tokens are the same
+ regex_s1c_unique = local.is_tokens_used ? regex("^$", (local.is_both_tokens_the_same ? local.validation_message_unique : "")) : ""
+
+ regex_valid_gateway_hostname = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.gateway_hostname is invalid
+ regex_gateway_hostname = regex(local.regex_valid_gateway_hostname, var.gateway_hostname) == var.gateway_hostname ? 0 : "Variable [gateway_hostname] must be a valid hostname label or an empty string"
+ volume_encryption_condition = var.volume_encryption != "" ? true : false
+
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
+ regex_valid_primary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.primary_ntp is invalid
+ regex_primary_ntp = regex(local.regex_valid_primary_ntp, var.primary_ntp) == var.primary_ntp ? 0 : "Variable [primary_ntp] must be a valid ntp"
+
+ regex_valid_secondary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.secondary_ntp is invalid
+ regex_secondary_ntp = regex(local.regex_valid_secondary_ntp, var.secondary_ntp) == var.secondary_ntp ? 0 : "Variable [secondary_ntp] must be a valid ntp"
+
+ volume_type_allowed_values = [
+ "gp3",
+ "gp2"]
+ // will fail if [var.VolumeType] is invalid:
+ validate_volume_type = index(local.volume_type_allowed_values, var.volume_type)
+}
diff --git a/terraform/aws/cross-az-cluster-master/main.tf b/terraform/aws/cross-az-cluster-master/main.tf
new file mode 100755
index 00000000..f12ae536
--- /dev/null
+++ b/terraform/aws/cross-az-cluster-master/main.tf
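Review bot: `regex_valid_key_name = "[\\S\\s]+[\\S]+"` requires at least two characters and, being unanchored, returns the match up to the last non-blank character, so a one-character key pair name makes `regex()` itself abort with a generic no-match error and a name with trailing whitespace fails with the misleading text "must be a none empty string"; `length(trimspace(var.key_name)) > 0` states the actual intent and also fixes the "none empty" typo. Every check in this `locals` block relies on the `regex(...) == var.x ? 0 : "message"` trick, whose failure surfaces as a regex error rather than the message; given the `>= 0.14.3` requirement the sibling modules in this patch declare, `validation` blocks with an `error_message` on the variables themselves would report these at plan time in a readable form. Note also that `regex_valid_gateway_sic_key` accepts the placeholder `12345678` that the module's README and tfvars examples ship with, so nothing in the validation prevents a deployment going out with the documented example SIC key.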
@@ -0,0 +1,70 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+// --- VPC ---
+module "launch_vpc" {
+ source = "../modules/vpc"
+
+ vpc_cidr = var.vpc_cidr
+ public_subnets_map = var.public_subnets_map
+ private_subnets_map = var.private_subnets_map
+ subnets_bit_length = var.subnets_bit_length
+}
+
+resource "aws_route_table" "private_subnet_rtb" {
+ depends_on = [module.launch_vpc]
+ vpc_id = module.launch_vpc.vpc_id
+ tags = {
+ Name = "Private Subnets Route Table"
+ }
+}
+resource "aws_route_table_association" "private_rtb_to_private_subnets_a" {
+ depends_on = [module.launch_vpc, aws_route_table.private_subnet_rtb]
+ route_table_id = aws_route_table.private_subnet_rtb.id
+ subnet_id = module.launch_vpc.private_subnets_ids_list[0]
+}
+resource "aws_route_table_association" "private_rtb_to_private_subnets_b" {
+ depends_on = [module.launch_vpc, aws_route_table.private_subnet_rtb]
+ route_table_id = aws_route_table.private_subnet_rtb.id
+ subnet_id = module.launch_vpc.private_subnets_ids_list[1]
+}
+
+module "launch_cluster_into_vpc" {
+ source = "../cross-az-cluster"
+ providers = {
+ aws = aws
+ }
+
+ vpc_id = module.launch_vpc.vpc_id
+ public_subnet_ids = module.launch_vpc.public_subnets_ids_list
+ private_subnet_ids = module.launch_vpc.private_subnets_ids_list
+ private_route_table = aws_route_table.private_subnet_rtb.id
+ gateway_name = var.gateway_name
+ gateway_instance_type = var.gateway_instance_type
+ key_name = var.key_name
+ volume_size = var.volume_size
+ volume_encryption = var.volume_encryption
+ enable_instance_connect = var.enable_instance_connect
+ disable_instance_termination = var.disable_instance_termination
+ metadata_imdsv2_required = var.metadata_imdsv2_required
+ instance_tags = var.instance_tags
+ predefined_role = var.predefined_role
+ gateway_version = var.gateway_version
+ admin_shell = var.admin_shell
+ gateway_SICKey = var.gateway_SICKey
+ memberAToken = var.memberAToken
+ memberBToken = var.memberBToken
+ gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
+ resources_tag_name = var.resources_tag_name
+ gateway_hostname = var.gateway_hostname
+ allow_upload_download = var.allow_upload_download
+ enable_cloudwatch = var.enable_cloudwatch
+ gateway_bootstrap_script = var.gateway_bootstrap_script
+ primary_ntp = var.primary_ntp
+ secondary_ntp = var.secondary_ntp
+ volume_type = var.volume_type
+}
diff --git a/terraform/aws/cross-az-cluster-master/output.tf b/terraform/aws/cross-az-cluster-master/output.tf
new file mode 100755
index 00000000..c1f47385
--- /dev/null
+++ b/terraform/aws/cross-az-cluster-master/output.tf
@@ -0,0 +1,24 @@
+output "ami_id" {
+ value = module.launch_cluster_into_vpc.ami_id
+}
+output "cluster_public_ip" {
+ value = module.launch_cluster_into_vpc.cluster_public_ip
+}
+output "member_a_public_ip" {
+ value = module.launch_cluster_into_vpc.member_a_public_ip
+}
+output "member_b_public_ip" {
+ value = module.launch_cluster_into_vpc.member_b_public_ip
+}
+output "member_a_ssh" {
+ value = module.launch_cluster_into_vpc.member_a_ssh
+}
+output "member_b_ssh" {
+ value = module.launch_cluster_into_vpc.member_b_ssh
+}
+output "member_a_url" {
+ value = module.launch_cluster_into_vpc.member_a_url
+}
+output "member_b_url" {
+ value = module.launch_cluster_into_vpc.member_b_url
+}
\ No newline at end of file
diff --git a/terraform/aws/cross-az-cluster-master/terraform.tfvars b/terraform/aws/cross-az-cluster-master/terraform.tfvars
new file mode 100755
index 00000000..28cb64a3
--- /dev/null
+++ b/terraform/aws/cross-az-cluster-master/terraform.tfvars
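Review bot: The two `aws_route_table_association` resources bind only `private_subnets_ids_list[0]` and `[1]` to `private_subnet_rtb`, so any further entries in `private_subnets_map` (variables.tf says "Minimum 2 pairs", not exactly two) would be created but left on the VPC's default routing; the vpc module's outputs are not visible here, so this is inferred from the indexing. If exactly two is the supported shape, enforcing it is clearer; otherwise one resource with `count = length(var.private_subnets_map)` and `subnet_id = module.launch_vpc.private_subnets_ids_list[count.index]` covers every subnet while keeping the count known at plan time. As a point of style, the `depends_on = [module.launch_vpc]` entries are redundant with the implicit dependency already created by referencing `module.launch_vpc.vpc_id` and `.private_subnets_ids_list`.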
@@ -0,0 +1,48 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_cidr = "10.0.0.0/16"
+public_subnets_map = {
+ "us-east-1a" = 1
+ "us-east-1b" = 2
+}
+private_subnets_map = {
+ "us-east-1a" = 3
+ "us-east-1b" = 4
+}
+subnets_bit_length = 8
+
+// --- EC2 Instance Configuration ---
+gateway_name = "Check-Point-Cluster-tf"
+gateway_instance_type = "c5.xlarge"
+key_name = "publickey"
+volume_size = 100
+volume_encryption = "alias/aws/ebs"
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+instance_tags = {
+ key1 = "value1"
+ key2 = "value2"
+}
+predefined_role = ""
+
+// --- Check Point Settings ---
+gateway_version = "R81.20-BYOL"
+admin_shell = "/etc/cli.sh"
+gateway_SICKey = "12345678"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
+
+// --- Quick connect to Smart-1 Cloud (Recommended) ---
+memberAToken = ""
+memberBToken = ""
+
+// --- Advanced Settings ---
+resources_tag_name = "tag-name"
+gateway_hostname = "gw-hostname"
+allow_upload_download = true
+enable_cloudwatch = false
+gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+primary_ntp = ""
+secondary_ntp = ""
\ No newline at end of file
diff --git a/terraform/aws/cross-az-cluster-master/variables.tf b/terraform/aws/cross-az-cluster-master/variables.tf
new file mode 100755
index 00000000..d49cf50c
--- /dev/null
+++ b/terraform/aws/cross-az-cluster-master/variables.tf
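Review bot: The sample `gateway_SICKey = "12345678"` is the weakest value the `^[a-zA-Z0-9]{8,}$` check in locals.tf accepts, and because this terraform.tfvars is committed next to the module it can be applied unchanged, leaving both cluster members trusting a guessable SIC key. Shipping a value that fails validation, e.g. `gateway_SICKey = ""` (the empty string does not match the pattern, so apply stops), forces the operator to pick one; the README table further down, which lists "12345678" as the default, should be aligned at the same time. Since the README also suggests adding `access_key`/`secret_key` to this file, a leading comment noting that the file is tracked in git would set the right expectation.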
@@ -0,0 +1,183 @@ +// Module: Check Point CloudGuard Network Security Cross AZ Cluster into a new VPC + +// --- AWS Provider --- +variable "region" { + type = string + description = "AWS region" + default = "" +} +variable "access_key" { + type = string + description = "AWS access key" + default = "" +} +variable "secret_key" { + type = string + description = "AWS secret key" + default = "" +} + +// --- VPC Network Configuration --- +variable "vpc_cidr" { + type = string + description = "The CIDR block of the VPC" + default = "10.0.0.0/16" +} +variable "public_subnets_map" { + type = map(string) + description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1 \"us-east-1b\" = 2} ) " +} +variable "private_subnets_map" { + type = map(string) + description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 3 \"us-east-1b\" = 4} ) " + +} +variable "subnets_bit_length" { + type = number + description = "Number of additional bits with which to extend the vpc cidr. 
For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20" +} + +// --- EC2 Instance Configuration --- +variable "gateway_name" { + type = string + description = "(Optional) The name tag of the Security Gateway instances" + default = "Check-Point-Cluster-tf" +} +variable "gateway_instance_type" { + type = string + description = "The instance type of the Security Gateways" + default = "c5.xlarge" +} +module "validate_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "gateway" + instance_type = var.gateway_instance_type +} +variable "key_name" { + type = string + description = "The EC2 Key Pair name to allow SSH access to the instance" +} +variable "volume_size" { + type = number + description = "Root volume size (GB) - minimum 100" + default = 100 +} +resource "null_resource" "volume_size_too_small" { + // Volume Size validation - resource will not be created if the volume size is smaller than 100 + count = var.volume_size >= 100 ? 0 : "volume_size must be at least 100" +} +variable "volume_type" { + type = string + description = "General Purpose SSD Volume Type" + default = "gp3" +} +variable "volume_encryption" { + type = string + description = "KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. 
for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs')" + default = "alias/aws/ebs" +} +variable "enable_instance_connect" { + type = bool + description = "Enable SSH connection over AWS web console" + default = false +} +variable "disable_instance_termination" { + type = bool + description = "Prevents an instance from accidental termination" + default = false +} +variable "metadata_imdsv2_required" { + type = bool + description = "Set true to deploy the instance with metadata v2 token required" + default = true +} +variable "instance_tags" { + type = map(string) + description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instance" + default = {} +} +variable "predefined_role" { + type = string + description = "(Optional) A predefined IAM role to attach to the cluster profile" + default = "" +} + +// --- Check Point Settings --- +variable "gateway_version" { + type = string + description = "Gateway version and license" + default = "R81.20-BYOL" +} +module "validate_gateway_version" { + source = "../modules/common/version_license" + + chkp_type = "gateway" + version_license = var.gateway_version +} +variable "admin_shell" { + type = string + description = "Set the admin shell to enable advanced command line configuration" + default = "/etc/cli.sh" +} +variable "gateway_SICKey" { + type = string + description = "The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters" +} +variable "gateway_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" + default = "" +} +variable "gateway_maintenance_mode_password_hash" { + description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. 
For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)." + type = string + default = "" +} + +// --- Quick connect to Smart-1 Cloud (Recommended) --- +variable "memberAToken" { + type = string + description = "Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud." +} +variable "memberBToken" { + type = string + description = "Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud." +} + +// --- Advanced Settings --- +variable "resources_tag_name" { + type = string + description = "(Optional) Name tag prefix of the resources" + default = "" +} +variable "gateway_hostname" { + type = string + description = "(Optional) The host name will be appended with member-a/b accordingly" + default = "" +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + default = true +} +variable "enable_cloudwatch" { + type = bool + description = "Report Check Point specific CloudWatch metrics" + default = false +} +variable "gateway_bootstrap_script" { + type = string + description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot" + default = "" +} +variable "primary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol primary server" + default = "169.254.169.123" +} +variable "secondary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server" + default = "0.pool.ntp.org" +} diff --git a/terraform/aws/cross-az-cluster-master/versions.tf b/terraform/aws/cross-az-cluster-master/versions.tf new file mode 100755 index 00000000..c138bbb3 --- /dev/null 
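Review bot: None of the secret-bearing variables in this hunk — `secret_key`, `gateway_SICKey`, `gateway_password_hash`, `gateway_maintenance_mode_password_hash`, `memberAToken`, `memberBToken` — is marked sensitive, so their values are echoed in plain text in plan output wherever main.tf passes them to the child module. versions.tf in this same commit pins `required_version = ">= 0.14.3"`, where the `sensitive = true` variable attribute is available; add it to each of those variable blocks, with the caveat that it only redacts CLI output and the values still land in state. `access_key`/`secret_key` additionally wire static credentials into the provider; the README already steers users to environment variables instead, and with `sensitive` set a user who does fill them in at least will not have them printed.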
+++ b/terraform/aws/cross-az-cluster-master/versions.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ }
+}
diff --git a/terraform/aws/cross-az-cluster/README.md b/terraform/aws/cross-az-cluster/README.md
new file mode 100755
index 00000000..f473732d
--- /dev/null
+++ b/terraform/aws/cross-az-cluster/README.md
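Review bot: The `http` provider entry has no `source`, so it resolves through the implicit `hashicorp/http` fallback while the `aws` entry beside it is explicit; adding `source = "hashicorp/http"` keeps the two consistent and makes the origin visible to anyone auditing the provider set. Nothing in this chunk shows the master module using the `http` provider itself, so it may be declared only for the child module's benefit — worth a one-line comment saying so, or dropping it here if the child declares its own requirement.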
@@ -0,0 +1,196 @@ +# Check Point CloudGuard Network Security Cross AZ Cluster Terraform module for AWS + +Terraform module which deploys a Check Point CloudGuard Network Security Cross AZ Cluster into an existing VPC on AWS. + +These types of Terraform resources are supported: +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) +* [Security Group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/aws/r/network_interface.html) +* [EIP](https://www.terraform.io/docs/providers/aws/r/eip.html) +* [Route](https://www.terraform.io/docs/providers/aws/r/route.html) - conditional creation +* [IAM Role](https://www.terraform.io/docs/providers/aws/r/iam_role.html) - conditional creation + +See the [Deploying a Check Point Cluster in AWS (Amazon Web Services)](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/Default.htm) for additional information + +This solution uses the following modules: +- /terraform/aws/modules/amis +- /terraform/aws/modules/cluster-iam-role + + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/cross-az-cluster/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/cross-az-cluster/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +- Variables are configured in /terraform/aws/cross-az-cluster/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- VPC Network Configuration --- + vpc_id = "vpc-12345678" + public_subnet_ids = ["subnet-abc123", "subnet-def456"] + private_subnet_ids = ["subnet-abc234", "subnet-def567"] + private_route_table = "rtb-12345678" + + + // --- EC2 Instance Configuration --- + gateway_name = "Check-Point-Cluster-tf" + gateway_instance_type = "c5.xlarge" + key_name = "publickey" + volume_size = 100 + volume_encryption = "alias/aws/ebs" + enable_instance_connect = false + disable_instance_termination = false + instance_tags = { + key1 = "value1" + key2 = "value2" + } + predefined_role = "" + + // --- Check Point Settings --- + gateway_version = "R81.20-BYOL" + admin_shell = "/etc/cli.sh" + gateway_SICKey = "12345678" + gateway_password_hash = "" + + // --- Quick connect to Smart-1 Cloud (Recommended) --- + memberAToken = "" + memberBToken = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. 
+ + // --- Advanced Settings --- + resources_tag_name = "tag-name" + gateway_hostname = "gw-hostname" + allow_upload_download = true + enable_cloudwatch = false + gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + primary_ntp = "" + secondary_ntp = "" + ``` + +- Conditional creation + - To create IAM Role: + ``` + predefined_role = "" + ``` + - To create route from '0.0.0.0/0' to the Active Cluster member instance, please provide route table: + ``` + private_route_table = "rtb-12345678" + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + ### Optional re-deploy of cluster member: + In case of re-deploying one cluster member, make sure that it's in STANDBY state, and the second member is the ACTIVE one. + Follow the commands below in order to re-deploy (replace MEMBER with a or b): + - terraform taint aws_instance.member-MEMBER-instance + - terraform plan (review the changes) + - terraform apply + - In Smart Console: reset SIC with the re-deployed member and install policy + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | 
+|----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| public_subnet_ids | List of public subnet IDs to launch resources into. At least 2 | list(string) | n/a | n/a | yes | +| private_subnet_ids | List of private subnet IDs to launch resources into. At least 2 | list(string) | n/a | n/a | yes | +| private_route_table | (Optional) Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route | string | n/a | "" | no | +| gateway_name | (Optional) The name tag of the Security Gateway instances | string | n/a | Check-Point-Cluster-tf | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | +| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | +| enable_instance_connect | Enable AWS Instance Connect. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances | map(string) | n/a | {} | no | +| predefined_role | (Optional) A predefined IAM role to attach to the cluster profile | string | n/a | "" | no | +| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| memberAToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| memberBToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| resources_tag_name | (Optional) Name tag prefix of the resources | string | n/a | "" | no | +| gateway_hostname | (Optional) The host name will be appended with member-a/b accordingly. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | +| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | +| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no | + + +## Outputs +| Name | Description | +|--------------------|--------------------------------------------------------------| +| ami_id | The ami id of the deployed Security Cross AZ Cluster members | +| cluster_public_ip | The public address of the cluster | +| member_a_public_ip | The public address of member A | +| member_b_public_ip | The public address of member B | +| member_a_ssh | SSH command to member A | +| member_b_ssh | SSH command to member B | +| member_a_url | URL to the member A portal | +| member_b_url | URL to the member B portal | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | 
+|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 20221123 | First release of Check Point Security Cross AZ Cluster Terraform module for AWS | +| 20221123 | Changed default version and added instances types | +| 20221123 | R81.20 version support | +| 20230411 | - Improved deployment experience for gateways and clusters managed by Smart-1 Cloud
- Multiple VIPs support for Cross Availability Zone Cluster. For more details refer to the [Cross Availability Zone Cluster for AWS R81.20 Administration Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/Content/Topics-AWS-CrossAZ-Cluster-AG/Check-Point-CloudGuard-for-AWS.htm) -> "Deploying Cross AZ Cluster with multiple VIPs" section. | +| 20230503 | Smart-1 Cloud token validation | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230806 | Add support for c6in instance type | +| 20230914 | Add support for maintenance mode password | +| 20230923 | Add support for C5d instance type | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20240304 | Add x-chkp-cluster-ips, x-chkp-member-ips tags to cluster members | +| 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../../cross-az/LICENSE) file for details diff --git a/terraform/aws/cross-az-cluster/cluster_member_a_userdata.yaml b/terraform/aws/cross-az-cluster/cluster_member_a_userdata.yaml new file mode 100755 index 00000000..1a3095e2 --- /dev/null +++ b/terraform/aws/cross-az-cluster/cluster_member_a_userdata.yaml @@ -0,0 +1,4 @@ +#cloud-config +runcmd: + - | + python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenA}\"" installationType=\"cross-az-cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"cross_az_cluster\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" elasticIp=\"${MemberAPublicAddress}\" otherMemberIp=\"${MemberBPrivateAddressCluster}\" clusterIp=\"${PublicAddressCluster}\" secondaryIp=\"${MemberAPrivateAddressSecondary}\" otherMemberPrivateClusterIp=\"${MemberBPrivateAddressSecondary}\" bootstrapScript64=\"${GatewayBootstrapScript}\" \ No newline at end of file diff --git a/terraform/aws/cross-az-cluster/cluster_member_b_userdata.yaml b/terraform/aws/cross-az-cluster/cluster_member_b_userdata.yaml new file mode 100755 index 00000000..9ec9d23a --- /dev/null 
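Review bot: `templateVersion=\"20231012\"` in the runcmd is stale: the README revision history added in this same commit lists later entries (20240304, 20240515), so whatever reads this value will misreport the template revision. The same hard-coded value is in cluster_member_b_userdata.yaml in the next hunk; both should track the current revision, ideally from a single variable rather than two literals. Separately, `sicKey`, `passwordHash`, `MaintenanceModePassword` and the Smart-1 Cloud token are passed as process arguments inside user data; user data is readable from the instance metadata service and cloud-init generally persists its runcmd script on disk, so these values should be considered readable by anything running on the instance — a comment stating that in the template would set expectations for operators.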
+++ b/terraform/aws/cross-az-cluster/cluster_member_b_userdata.yaml @@ -0,0 +1,4 @@ +#cloud-config +runcmd: + - | + python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenB}\"" installationType=\"cross-az-cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"cross_az_cluster\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" elasticIp=\"${MemberBPublicAddress}\" otherMemberIp=\"${MemberAPrivateAddressCluster}\" clusterIp=\"${PublicAddressCluster}\" secondaryIp=\"${MemberBPrivateAddressSecondary}\" otherMemberPrivateClusterIp=\"${MemberAPrivateAddressSecondary}\" bootstrapScript64=\"${GatewayBootstrapScript}\" \ No newline at end of file diff --git a/terraform/aws/cross-az-cluster/locals.tf b/terraform/aws/cross-az-cluster/locals.tf new file mode 100755 index 00000000..19f67f30 --- /dev/null +++ b/terraform/aws/cross-az-cluster/locals.tf 
@@ -0,0 +1,75 @@
+locals {
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"]
+ // Will fail if var.admin_shell is invalid
+ validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell)
+
+ enable_cloudwatch_policy = var.enable_cloudwatch ? 1 : 0
+ create_iam_role = var.predefined_role == "" ? 1 : 0
+ provided_roue_table = var.private_route_table == "" ? 0 : 1
+ internal_route_table_condition = var.private_route_table != "" ? 1 : 0
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+
+ regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SIC_Key is invalid
+ regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters"
+
+ regex_token_valid = "(^https://(.+).checkpoint.com/app/maas/api/v1/tenant(.+)|^$)"
+ //TokenA: will fail if decode token should contain https:// and .checkpoint.com/app/maas/api/v1/tenant or empty string
+ split_tokenA = split(" ", var.memberAToken)
+ tokenA_decode = base64decode(element(local.split_tokenA, length(local.split_tokenA)-1))
+ regex_tokenA = regex(local.regex_token_valid, local.tokenA_decode) == local.tokenA_decode ? 0 : "Smart-1 Cloud token A is invalid format"
+
+ //TokenB: will fail if decode token should contain https:// and .checkpoint.com/app/maas/api/v1/tenant or empty string
+ split_tokenB = split(" ", var.memberBToken)
+ tokenB_decode = base64decode(element(local.split_tokenB, length(local.split_tokenB)-1))
+ regex_tokenB = regex(local.regex_token_valid, local.tokenB_decode) == local.tokenB_decode ? 
0 : "Smart-1 Cloud token B is invalid format"
+
+ is_both_tokens_used = length(var.memberAToken) > 0 == length(var.memberBToken) > 0
+ validation_message_both = "Smart-1 Cloud Tokens for member A and member B can not be empty."
+ //Will fail if var.memberAToken is empty and var.memberBToken isn't and vice versa
+ regex_s1c_validate = regex("^$", (local.is_both_tokens_used ? "" : local.validation_message_both))
+
+ is_tokens_used = length(var.memberAToken) > 0
+ is_both_tokens_the_same = var.memberAToken == var.memberBToken
+ validation_message_unique = "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+ //Will fail if both s1c tokens are the same
+ regex_s1c_unique = local.is_tokens_used ? regex("^$", (local.is_both_tokens_the_same ? local.validation_message_unique : "")) : ""
+
+ regex_valid_gateway_hostname = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.gateway_hostname is invalid
+ regex_gateway_hostname = regex(local.regex_valid_gateway_hostname, var.gateway_hostname) == var.gateway_hostname ? 0 : "Variable [gateway_hostname] must be a valid hostname label or an empty string"
+ volume_encryption_condition = var.volume_encryption != "" ? true : false
+
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 
0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
+ regex_valid_primary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.primary_ntp is invalid
+ regex_primary_ntp = regex(local.regex_valid_primary_ntp, var.primary_ntp) == var.primary_ntp ? 0 : "Variable [primary_ntp] must be a valid ntp"
+
+ regex_valid_secondary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.secondary_ntp is invalid
+ regex_secondary_ntp = regex(local.regex_valid_secondary_ntp, var.secondary_ntp) == var.secondary_ntp ? 0 : "Variable [secondary_ntp] must be a valid ntp"
+
+ gateway_bootstrap_script64 = base64encode(var.gateway_bootstrap_script)
+ gateway_SICkey_base64=base64encode(var.gateway_SICKey)
+ gateway_password_hash_base64=base64encode(var.gateway_password_hash)
+ maintenance_mode_password_hash_base64 = base64encode(var.gateway_maintenance_mode_password_hash)
+
+ //Splits the version and licence and returns the os version
+ version_split = element(split("-", var.gateway_version), 0)
+ volume_type_allowed_values = [
+ "gp3",
+ "gp2"]
+ // will fail if [var.VolumeType] is invalid:
+ validate_volume_type = index(local.volume_type_allowed_values, var.volume_type)
+}
diff --git a/terraform/aws/cross-az-cluster/main.tf b/terraform/aws/cross-az-cluster/main.tf
new file mode 100755
index 00000000..d6a3bda3
--- /dev/null
+++ b/terraform/aws/cross-az-cluster/main.tf
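Review bot: Every input check in this `locals` block is a `regex(...) == var.x ? 0 : "message"` or `index(...)` expression whose only effect is to error at plan time, and as far as I can tell the message string stored in the local is never shown to the user — the failure surfaces as the generic regex()/index() error instead. versions.tf in this commit pins `required_version = ">= 0.14.3"`, so `validation { condition = ... error_message = "..." }` blocks on the variables themselves would give the same guard with the intended message and without the unused locals. `provided_roue_table` is misspelled and not referenced by main.tf, which repeats `var.private_route_table == "" ? 0 : 1` inline for both route-table associations while using `internal_route_table_condition` for the route; one local should serve all three. The `^[a-zA-Z0-9]{8,}$` SIC-key pattern is the only guard on that secret and accepts the `12345678` sample shipped in terraform.tfvars, so the comment above it should say the 8-character minimum is a floor the product enforces, not a recommended length.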
@@ -0,0 +1,294 @@ +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} + +module "amis" { + source = "../modules/amis" + + version_license = var.gateway_version + chkp_type = "gateway" +} + +module "common_permissive_sg" { + source = "../modules/common/permissive_sg" + + vpc_id = var.vpc_id + resources_tag_name = var.resources_tag_name + gateway_name = var.gateway_name +} + +resource "aws_iam_instance_profile" "cluster_instance_profile" { + path = "/" + role = local.create_iam_role == 1 ? join("", module.cluster_iam_role.*.cluster_iam_role_name) : var.predefined_role +} + +module "cluster_iam_role" { + source = "../modules/cluster-iam-role" + count = local.create_iam_role +} + +module "attach_cloudwatch_policy" { + source = "../modules/cloudwatch-policy" + count = local.enable_cloudwatch_policy + role = aws_iam_instance_profile.cluster_instance_profile.role + tag_name = var.resources_tag_name != "" ? var.resources_tag_name : var.gateway_name +} + +resource "aws_network_interface" "member_a_external_eni" { + subnet_id = var.public_subnet_ids[0] + security_groups = [module.common_permissive_sg.permissive_sg_id] + description = "Member A external" + source_dest_check = false + private_ips_count = 1 + tags = { + x-chkp-interface-type = "external" } +} + +resource "aws_network_interface" "member_b_external_eni" { + subnet_id = var.public_subnet_ids[1] + security_groups = [module.common_permissive_sg.permissive_sg_id] + description = "Member B external" + source_dest_check = false + private_ips_count = 1 + tags = { + x-chkp-interface-type = "external" } +} + +resource "aws_network_interface" "member_a_internal_eni" { + subnet_id = var.private_subnet_ids[0] + security_groups = [module.common_permissive_sg.permissive_sg_id] + description = "Member A internal" + source_dest_check = false + tags = { + x-chkp-interface-type = "internal" } +} + +resource "aws_network_interface" "member_b_internal_eni" { + subnet_id = 
var.private_subnet_ids[1] + security_groups = [module.common_permissive_sg.permissive_sg_id] + description = "Member B internal" + source_dest_check = false + tags = { + x-chkp-interface-type = "internal" } +} + +resource "aws_route" "internal_default_route" { + count = local.internal_route_table_condition + route_table_id = var.private_route_table + lifecycle { + ignore_changes = [network_interface_id,] + } + destination_cidr_block = "0.0.0.0/0" + network_interface_id = aws_network_interface.member_a_internal_eni.id +} + +resource "aws_route_table_association" "private_rtb_a" { + count = var.private_route_table == "" ? 0 : 1 + route_table_id = var.private_route_table + subnet_id = var.private_subnet_ids[0] +} +resource "aws_route_table_association" "private_rtb_b" { + count = var.private_route_table == "" ? 0 : 1 + route_table_id = var.private_route_table + subnet_id = var.private_subnet_ids[1] +} + +resource "aws_launch_template" "member_a_launch_template" { + depends_on = [ + aws_network_interface.member_a_external_eni, + aws_network_interface.member_a_internal_eni + ] + instance_type = var.gateway_instance_type + key_name = var.key_name + image_id = module.amis.ami_id + description = "Initial launch template version" + + iam_instance_profile { + name = aws_iam_instance_profile.cluster_instance_profile.id + } + + metadata_options { + http_tokens = var.metadata_imdsv2_required ? 
"required" : "optional" + } + + network_interfaces { + network_interface_id = aws_network_interface.member_a_external_eni.id + device_index = 0 + } + network_interfaces { + network_interface_id = aws_network_interface.member_a_internal_eni.id + device_index = 1 + } +} + +resource "aws_launch_template" "member_b_launch_template" { + depends_on = [ + aws_network_interface.member_b_external_eni, + aws_network_interface.member_b_internal_eni + ] + instance_type = var.gateway_instance_type + key_name = var.key_name + image_id = module.amis.ami_id + description = "Initial launch template version" + + iam_instance_profile { + name = aws_iam_instance_profile.cluster_instance_profile.id + } + + metadata_options { + http_tokens = var.metadata_imdsv2_required ? "required" : "optional" + } + + network_interfaces { + network_interface_id = aws_network_interface.member_b_external_eni.id + device_index = 0 + } + network_interfaces { + network_interface_id = aws_network_interface.member_b_internal_eni.id + device_index = 1 + } +} + +resource "aws_instance" "member-a-instance" { + depends_on = [ + aws_launch_template.member_a_launch_template + ] + + launch_template { + id = aws_launch_template.member_a_launch_template.id + version = "$Latest" + } + + disable_api_termination = var.disable_instance_termination + + tags = merge({ + Name = format("%s-Member-A",var.gateway_name), + x-chkp-member-ips = format("public-ip=%s:external-private-ip=%s:internal-private-ip=%s", + aws_eip.member_a_eip.public_ip, aws_network_interface.member_a_external_eni.private_ip,aws_network_interface.member_a_internal_eni.private_ip), + x-chkp-cluster-ips = format("cluster-ip=%s:secondary-external-private-ip=%s", + aws_eip.cluster_eip.public_ip, element(tolist(setsubtract(tolist(aws_network_interface.member_a_external_eni.private_ips), [aws_network_interface.member_a_external_eni.private_ip])), 0)) + }, var.instance_tags) + + ebs_block_device { + device_name = "/dev/xvda" + volume_type = "gp2" + volume_size = 
var.volume_size + encrypted = local.volume_encryption_condition + kms_key_id = local.volume_encryption_condition ? var.volume_encryption : "" + } + + lifecycle { + ignore_changes = [ebs_block_device,] + } + + user_data = templatefile("${path.module}/cluster_member_a_userdata.yaml", { + // script's arguments + Hostname = var.gateway_hostname, + PasswordHash = local.gateway_password_hash_base64, + MaintenanceModePassword = local.maintenance_mode_password_hash_base64 + AllowUploadDownload = var.allow_upload_download, + EnableCloudWatch = var.enable_cloudwatch, + NTPPrimary = var.primary_ntp, + NTPSecondary = var.secondary_ntp, + Shell = var.admin_shell, + EnableInstanceConnect = var.enable_instance_connect, + GatewayBootstrapScript = local.gateway_bootstrap_script64, + SICKey = local.gateway_SICkey_base64, + TokenA = var.memberAToken, + MemberAPublicAddress = aws_eip.member_a_eip.public_ip, + PublicAddressCluster = aws_eip.cluster_eip.public_ip, + MemberAPrivateAddressSecondary = length(tolist(aws_network_interface.member_a_external_eni.private_ips)) > 1 ? element(tolist(setsubtract(tolist(aws_network_interface.member_a_external_eni.private_ips), [aws_network_interface.member_a_external_eni.private_ip])), 0) : "",//extracting member's secondary ip which represent the cluster ip + MemberBPrivateAddressCluster = aws_network_interface.member_b_internal_eni.private_ip, + MemberBPrivateAddressSecondary = length(tolist(aws_network_interface.member_b_external_eni.private_ips)) > 1 ? 
element(tolist(setsubtract(tolist(aws_network_interface.member_b_external_eni.private_ips), [aws_network_interface.member_b_external_eni.private_ip])), 0) : "", + AllocateAddress = true, + OsVersion = local.version_split + }) +} + +resource "aws_instance" "member-b-instance" { + depends_on = [ + aws_launch_template.member_b_launch_template + ] + + launch_template { + id = aws_launch_template.member_b_launch_template.id + version = "$Latest" + } + + disable_api_termination = var.disable_instance_termination + + tags = merge({ + Name = format("%s-Member-B",var.gateway_name), + x-chkp-member-ips = format("public-ip=%s:external-private-ip=%s:internal-private-ip=%s", + aws_eip.member_b_eip.public_ip, aws_network_interface.member_b_external_eni.private_ip,aws_network_interface.member_b_internal_eni.private_ip), + x-chkp-cluster-ips = format("cluster-ip=%s:secondary-external-private-ip=%s", + aws_eip.cluster_eip.public_ip, element(tolist(setsubtract(tolist(aws_network_interface.member_b_external_eni.private_ips), [aws_network_interface.member_b_external_eni.private_ip])), 0)) + }, var.instance_tags) + + ebs_block_device { + device_name = "/dev/xvda" + volume_type = "gp2" + volume_size = var.volume_size + encrypted = local.volume_encryption_condition + kms_key_id = local.volume_encryption_condition ? 
var.volume_encryption : "" + } + lifecycle { + ignore_changes = [ebs_block_device,] + } + + user_data = templatefile("${path.module}/cluster_member_b_userdata.yaml", { + // script's arguments + Hostname = var.gateway_hostname, + PasswordHash = local.gateway_password_hash_base64, + MaintenanceModePassword = local.maintenance_mode_password_hash_base64 + AllowUploadDownload = var.allow_upload_download, + EnableCloudWatch = var.enable_cloudwatch, + NTPPrimary = var.primary_ntp, + NTPSecondary = var.secondary_ntp, + Shell = var.admin_shell, + EnableInstanceConnect = var.enable_instance_connect, + GatewayBootstrapScript = local.gateway_bootstrap_script64, + SICKey = local.gateway_SICkey_base64, + TokenB = var.memberBToken, + MemberBPublicAddress = aws_eip.member_b_eip.public_ip, + PublicAddressCluster=aws_eip.cluster_eip.public_ip, + MemberBPrivateAddressSecondary = length(tolist(aws_network_interface.member_b_external_eni.private_ips)) > 1 ? element(tolist(setsubtract(tolist(aws_network_interface.member_b_external_eni.private_ips), [aws_network_interface.member_b_external_eni.private_ip])), 0) : "", //extracting member's secondary ip which represent the member ip + MemberAPrivateAddressCluster=aws_network_interface.member_a_internal_eni.private_ip, + MemberAPrivateAddressSecondary = length(tolist(aws_network_interface.member_a_external_eni.private_ips)) > 1 ? 
element(tolist(setsubtract(tolist(aws_network_interface.member_a_external_eni.private_ips), [aws_network_interface.member_a_external_eni.private_ip])), 0) : "", + AllocateAddress = true, + OsVersion = local.version_split + }) +} + +resource "aws_eip" "cluster_eip" { +} +resource "aws_eip" "member_a_eip" { +} +resource "aws_eip" "member_b_eip" { +} + +resource "aws_eip_association" "cluster_address_assoc" { + depends_on = [aws_instance.member-a-instance] + allocation_id = aws_eip.cluster_eip.id + lifecycle { + ignore_changes = [ + network_interface_id, private_ip_address + ] + } + network_interface_id = aws_network_interface.member_a_external_eni.id + private_ip_address = length(tolist(aws_network_interface.member_a_external_eni.private_ips)) > 1 ? element(tolist(setsubtract(tolist(aws_network_interface.member_a_external_eni.private_ips), [aws_network_interface.member_a_external_eni.private_ip])), 0) : ""//extracting member's secondary ip which represent the cluster ip +} +resource "aws_eip_association" "member_a_address_assoc" { + depends_on = [aws_instance.member-a-instance] + allocation_id = aws_eip.member_a_eip.id + network_interface_id = aws_network_interface.member_a_external_eni.id + private_ip_address = aws_network_interface.member_a_external_eni.private_ip //primary +} +resource "aws_eip_association" "member_b_address_assoc" { + depends_on = [aws_instance.member-b-instance] + allocation_id = aws_eip.member_b_eip.id + network_interface_id = aws_network_interface.member_b_external_eni.id + private_ip_address = aws_network_interface.member_b_external_eni.private_ip //primary +} \ No newline at end of file diff --git a/terraform/aws/cross-az-cluster/output.tf b/terraform/aws/cross-az-cluster/output.tf new file mode 100755 index 00000000..e475a650 --- /dev/null +++ b/terraform/aws/cross-az-cluster/output.tf 
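Review bot: Both `aws_instance` resources hard-code `volume_type = "gp2"` inside `ebs_block_device`, while `var.volume_type` (default `gp3` in variables.tf) is validated in locals.tf and then never used, so the root volume silently ignores the setting; both lines should be `volume_type = var.volume_type`. The `lifecycle { ignore_changes = [ebs_block_device,] }` on the same two resources also means a later change to `volume_size`, `volume_type` or the `volume_encryption` KMS key is never applied to an existing member, which deserves a comment next to it such as `// root-volume settings are fixed at creation; changing size/type/KMS key requires replacing the instance`. The `private_ip_address` expressions for the cluster EIP association and the `MemberAPrivateAddressSecondary`/`MemberBPrivateAddressSecondary` template values repeat the same `element(tolist(setsubtract(...)))` construct five times; a pair of locals (`member_a_secondary_ip`, `member_b_secondary_ip`) would make the "secondary IP = cluster IP" intent readable and keep the five copies from drifting.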
@@ -0,0 +1,30 @@
+output "ami_id" {
+ value = module.amis.ami_id
+}
+output "cluster_public_ip" {
+ value = aws_eip.cluster_eip.*.public_ip
+}
+output "member_a_public_ip" {
+ value = aws_eip.member_a_eip.*.public_ip
+}
+output "member_b_public_ip" {
+ value = aws_eip.member_b_eip.*.public_ip
+}
+output "member_a_eni" {
+ value = aws_network_interface.member_a_external_eni.id
+}
+output "member_a_ssh" {
+ value = format("ssh -i %s admin@%s", var.key_name, aws_eip.member_a_eip.public_ip)
+}
+output "member_b_ssh" {
+ value = format("ssh -i %s admin@%s", var.key_name, aws_eip.member_b_eip.public_ip)
+}
+output "member_a_url" {
+ value = format("https://%s", aws_eip.member_a_eip.public_ip)
+}
+output "member_b_url" {
+ value = format("https://%s", aws_eip.member_b_eip.public_ip)
+}
+output "member_b_eni" {
+ value = aws_network_interface.member_b_external_eni.id
+}
\ No newline at end of file
diff --git a/terraform/aws/cross-az-cluster/terraform.tfvars b/terraform/aws/cross-az-cluster/terraform.tfvars
new file mode 100755
index 00000000..8c6aff9b
--- /dev/null
+++ b/terraform/aws/cross-az-cluster/terraform.tfvars
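Review bot: `member_a_ssh` and `member_b_ssh` format `ssh -i %s admin@%s` with `var.key_name`, which is the EC2 key-pair name rather than a path to the private key file, so the printed command does not work as written; either make it an obvious hint (`format("ssh -i <path-to-%s.pem> admin@%s", ...)`) or drop the `-i` part. `cluster_public_ip`, `member_a_public_ip` and `member_b_public_ip` use a `.*.` splat on `aws_eip` resources that have no `count`, which yields a one-element list and is inconsistent with the plain `aws_eip.member_a_eip.public_ip` used by the ssh/url outputs below; `value = aws_eip.cluster_eip.public_ip` gives the string callers expect. A `description` on each output would also make `terraform output` self-explanatory.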
@@ -0,0 +1,42 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_id = "vpc-12345678"
+public_subnet_ids = ["subnet-abc123", "subnet-def456"]
+private_subnet_ids = ["subnet-abc234", "subnet-def567"]
+private_route_table = "rtb-12345678"
+
+// --- EC2 Instance Configuration ---
+gateway_name = "Check-Point-Cluster-tf"
+gateway_instance_type = "c5.xlarge"
+key_name = "publickey"
+volume_size = 100
+volume_encryption = "alias/aws/ebs"
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+instance_tags = {
+ key1 = "value1"
+ key2 = "value2"
+}
+predefined_role = ""
+
+// --- Check Point Settings ---
+gateway_version = "R81.20-BYOL"
+admin_shell = "/etc/cli.sh"
+gateway_SICKey = "12345678"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
+
+// --- Quick connect to Smart-1 Cloud (Recommended) ---
+memberAToken = ""
+memberBToken = ""
+
+// --- Advanced Settings ---
+resources_tag_name = "tag-name"
+gateway_hostname = "gw-hostname"
+allow_upload_download = true
+enable_cloudwatch = false
+gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+primary_ntp = ""
+secondary_ntp = ""
\ No newline at end of file
diff --git a/terraform/aws/cross-az-cluster/variables.tf b/terraform/aws/cross-az-cluster/variables.tf
new file mode 100755
index 00000000..c2d66839
--- /dev/null
+++ b/terraform/aws/cross-az-cluster/variables.tf
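Review bot: `gateway_SICKey = "12345678"` is a sample that exactly meets the 8-alphanumeric minimum enforced in locals.tf, and because this tfvars file is committed it is the value most likely to be copied unchanged into a real deployment. Mark it as a placeholder on the line, e.g. `gateway_SICKey = "12345678" // sample only: replace with a random string of at least 8 alphanumeric characters`, and do the same for `key_name = "publickey"`. The README added in this commit describes putting `access_key`/`secret_key` into the module's terraform.tfvars as one option; a `// do not commit real credentials or SIC keys to this file` line under the `//PLEASE refer to README.md` header is a cheap guard against that pattern ending up in version control.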
@@ -0,0 +1,181 @@ +// Module: Check Point CloudGuard Network Security Cross AZ Cluster into an existing VPC + +// --- AWS Provider --- +variable "region" { + type = string + description = "AWS region" + default = "" +} +variable "access_key" { + type = string + description = "AWS access key" + default = "" +} +variable "secret_key" { + type = string + description = "AWS secret key" + default = "" +} + +// --- VPC Network Configuration --- +variable "vpc_id" { + type = string +} +variable "public_subnet_ids" { + type = list(string) + description = "List of public subnet IDs to launch resources into. At least 2" +} +variable "private_subnet_ids" { + type = list(string) + description = "List of public subnet IDs to launch resources into. At least 2" +} +variable "private_route_table" { + type = string + description = "(Optional) Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route" + default= "" +} + +// --- EC2 Instance Configuration --- +variable "gateway_name" { + type = string + description = "(Optional) The name tag of the Security Gateway instances" + default = "Check-Point-Cluster-tf" +} +variable "gateway_instance_type" { + type = string + description = "The instance type of the Security Gateways" + default = "c5.xlarge" +} +module "validate_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "gateway" + instance_type = var.gateway_instance_type +} +variable "key_name" { + type = string + description = "The EC2 Key Pair name to allow SSH access to the instance" +} +variable "volume_size" { + type = number + description = "Root volume size (GB) - minimum 100" + default = 100 +} +resource "null_resource" "volume_size_too_small" { + // Volume Size validation - resource will not be created if the volume size is smaller than 100 + count = var.volume_size >= 100 ? 
0 : "volume_size must be at least 100" +} +variable "volume_type" { + type = string + description = "General Purpose SSD Volume Type" + default = "gp3" +} +variable "volume_encryption" { + type = string + description = "KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs')" + default = "alias/aws/ebs" +} +variable "enable_instance_connect" { + type = bool + description = "Enable SSH connection over AWS web console" + default = false +} +variable "disable_instance_termination" { + type = bool + description = "Prevents an instance from accidental termination" + default = false +} +variable "metadata_imdsv2_required" { + type = bool + description = "Set true to deploy the instance with metadata v2 token required" + default = true +} +variable "instance_tags" { + type = map(string) + description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances" + default = {} +} +variable "predefined_role" { + type = string + description = "(Optional) A predefined IAM role to attach to the cluster profile" + default = "" +} + +// --- Check Point Settings --- +variable "gateway_version" { + type = string + description = "Gateway version and license" + default = "R81.20-BYOL" +} +module "validate_gateway_version" { + source = "../modules/common/version_license" + + chkp_type = "gateway" + version_license = var.gateway_version +} +variable "admin_shell" { + type = string + description = "Set the admin shell to enable advanced command line configuration" + default = "/etc/cli.sh" +} +variable "gateway_SICKey" { + type = string + description = "The Secure Internal Communication key for trusted connection between Check Point components. 
Choose a random string consisting of at least 8 alphanumeric characters" +} +variable "gateway_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" + default = "" +} +variable "gateway_maintenance_mode_password_hash" { + description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)." + type = string + default = "" +} + +// --- Quick connect to Smart-1 Cloud (Recommended) --- +variable "memberAToken" { + type = string + description = "Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud." +} +variable "memberBToken" { + type = string + description = "Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud." +} + +// --- Advanced Settings --- +variable "resources_tag_name" { + type = string + description = "(Optional) Name tag prefix of the resources" + default = "" +} +variable "gateway_hostname" { + type = string + description = "(Optional) The host name will be appended with member-a/b accordingly" + default = "" +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point"
+ default = true
+}
+variable "enable_cloudwatch" {
+ type = bool
+ description = "Report Check Point specific CloudWatch metrics"
+ default = false
+}
+variable "gateway_bootstrap_script" {
+ type = string
+ description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot"
+ default = ""
+}
+variable "primary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol primary server"
+ default = "169.254.169.123"
+}
+variable "secondary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server"
+ default = "0.pool.ntp.org"
+}
diff --git a/terraform/aws/cross-az-cluster/versions.tf b/terraform/aws/cross-az-cluster/versions.tf
new file mode 100755
index 00000000..c138bbb3
--- /dev/null
+++ b/terraform/aws/cross-az-cluster/versions.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ }
+}
diff --git a/terraform/aws/gateway-master/README.md b/terraform/aws/gateway-master/README.md
new file mode 100755
index 00000000..e6f56bec
--- /dev/null
+++ b/terraform/aws/gateway-master/README.md
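Review bot: None of the secret-bearing inputs in variables.tf — `access_key`, `secret_key`, `gateway_SICKey`, `gateway_password_hash`, `gateway_maintenance_mode_password_hash`, `memberAToken`, `memberBToken` — is declared `sensitive = true`, so their values are printed in plan/apply output wherever they are referenced, including the rendered `user_data` of both instances in main.tf. versions.tf in this same commit requires Terraform `>= 0.14.3`, which supports `sensitive`, so adding `sensitive = true` to each of those seven blocks costs nothing (state still holds the values, which is worth a one-line note on `gateway_SICKey`). `private_subnet_ids` carries the description `List of public subnet IDs to launch resources into. At least 2` copied from the variable above it and should read `List of private subnet IDs to launch resources into. At least 2`. The `null_resource "volume_size_too_small"` with a string-typed `count` is a workaround for a check that a `validation` block on `volume_size` expresses directly with a readable error message.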
@@ -0,0 +1,216 @@ +# Check Point CloudGuard Network Security Gateway Master Terraform module for AWS + +Terraform module which deploys a Check Point CloudGuard Network Security Gateway into a new VPC. + +These types of Terraform resources are supported: +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) +* [VPC](https://www.terraform.io/docs/providers/aws/r/vpc.html) +* [Security group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/aws/r/network_interface.html) +* [Route](https://www.terraform.io/docs/providers/aws/r/route.html) +* [EIP](https://www.terraform.io/docs/providers/aws/r/eip.html) - conditional creation + + +See the [Automatically Provision a CloudGuard Security Gateway in AWS](https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk131434) for additional information + +This solution uses the following modules: +- /terraform/aws/gateway +- /terraform/aws/modules/amis +- /terraform/aws/modules/vpc + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/gateway-master/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Static credentials are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-module /terraform/aws/gateway: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + b. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-module /terraform/aws/gateway: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + + +## Usage +- Fill all variables in the /terraform/aws/gateway-master/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + - Due to terraform limitation, the apply command is: + ``` + terraform apply -target=aws_route_table.private_subnet_rtb -auto-approve && terraform apply + ``` + >Once terraform is updated, we will update accordingly. 
+ +- Variables are configured in /terraform/aws/gateway-master/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- VPC Network Configuration --- + vpc_cidr = "10.0.0.0/16" + public_subnets_map = { + "us-east-1a" = 1 + } + private_subnets_map = { + "us-east-1a" = 2 + } + subnets_bit_length = 8 + + // --- EC2 Instance Configuration --- + gateway_name = "Check-Point-Gateway-tf" + gateway_instance_type = "c5.xlarge" + key_name = "publickey" + allocate_and_associate_eip = true + volume_size = 100 + volume_encryption = "" + enable_instance_connect = false + disable_instance_termination = false + instance_tags = { + key1 = "value1" + key2 = "value2" + } + + // --- Check Point Settings --- + gateway_version = "R81.20-BYOL" + admin_shell = "/etc/cli.sh" + gateway_SICKey = "12345678" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. 
+ // --- Quick connect to Smart-1 Cloud (Recommended) --- + gateway_TokenKey = "" + + // --- Advanced Settings --- + resources_tag_name = "tag-name" + gateway_hostname = "gw-hostname" + allow_upload_download = true + enable_cloudwatch = false + gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + primary_ntp = "" + secondary_ntp = "" + + // --- (Optional) Automatic Provisioning with Security Management Server Settings --- + control_gateway_over_public_or_private_address = "private" + management_server = "" + configuration_template = "" + ``` + +- Conditional creation + - To create an Elastic IP and associate it to the Gateway instance: + ``` + allocate_and_associate_eip = true + ``` + +- To tear down your resources: + ``` + terraform destroy + ``` + + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | +|------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| +| vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | +| public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | +| private_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 2} ) | map | n/a | n/a | yes | +| subnets_bit_length | Number of additional bits with which to extend the vpc cidr. 
For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20 | number | n/a | n/a | yes | +| gateway_name | (Optional) The name tag of the Security Gateway instance | string | n/a | Check-Point-Gateway-tf | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | +| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with the launched instance | bool | true/false | true | no | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Security Gateway EC2 Instance | map(string) | n/a | {} | no | +| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81-BYOL
- R81-PAYG-NGTP
- R81-PAYG-NGTX
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateway_TokenKey | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| resources_tag_name | (optional) | string | n/a | "" | no | +| gateway_hostname | (Optional) Security Gateway prompt hostname. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | +| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | +| control_gateway_over_public_or_private_address | Determines if the Security Gateway is provisioned using its private or public address | string | - public
- private | private | no | +| management_server | (Optional) The name that represents the Security Management Server in the automatic provisioning configuration | string | n/a | "" | no | +| configuration_template | (Optional) A name of a Security Gateway configuration template in the automatic provisioning configuration | string | n/a | "" | no | +| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no | + +## Outputs +| Name | Description | +|------------------------------|----------------------------------------------------| +| vpc_id | The id of the deployed vpc | +| internal_rt_id | The internal route table id | +| vpc_public_subnets_ids_list | A list of the public subnets ids | +| vpc_private_subnets_ids_list | A list of the private subnets ids | +| ami_id | The ami id of the deployed Security Gateway | +| permissive_sg_id | The permissive security group id | +| permissive_sg_name | The permissive security group id name | +| gateway_url | URL to the portal of the deployed Security Gateway | +| gateway_public_ip | The deployed Security Gateway Server AWS public ip | +| gateway_instance_id | The deployed Security Gateway AWS instance id | +| gateway_instance_name | The deployed Security Gateway AWS instance name | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|---------------------------------------------------------------------------------------------------------------| +| 20210309 | First release of Check Point Security Gateway 
Master Terraform module for AWS | +| 20220606 | New instance type support | +| 20221123 | R81.20 version support | +| 20230411 | Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | +| 20230503 | Smart-1 Cloud token validation | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230806 | Add support for c6in instance type | +| 20230829 | Change default Check Point version to R81.20 | +| 20230914 | Add support for maintenance mode password | +| 20230923 | Add support for C5d instance type | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details \ No newline at end of file diff --git a/terraform/aws/gateway-master/locals.tf b/terraform/aws/gateway-master/locals.tf new file mode 100755 index 00000000..0ca4134f --- /dev/null +++ b/terraform/aws/gateway-master/locals.tf 
@@ -0,0 +1,48 @@
+locals {
+ regex_valid_vpc_cidr = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$"
+ // Will fail if var.vpc_cidr is invalid
+ regex_vpc_cidr = regex(local.regex_valid_vpc_cidr, var.vpc_cidr) == var.vpc_cidr ? 0 : "Variable [vpc_cidr] must be a valid vpc cidr"
+
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"]
+ // Will fail if var.admin_shell is invalid
+ validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell)
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+
+ regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SIC_Key is invalid
+ regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters."
+
+ regex_valid_gateway_hostname = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.gateway_hostname is invalid
+ regex_gateway_hostname = regex(local.regex_valid_gateway_hostname, var.gateway_hostname) == var.gateway_hostname ? 0 : "Variable [gateway_hostname] must be a valid hostname label or an empty string"
+
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 
0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
+ control_over_public_or_private_allowed_values = [
+ "public",
+ "private"]
+ // will fail if [var.control_gateway_over_public_or_private_address] is invalid:
+ validate_control_over_public_or_private = index(local.control_over_public_or_private_allowed_values, var.control_gateway_over_public_or_private_address)
+
+ regex_valid_primary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.primary_ntp is invalid
+ regex_primary_ntp = regex(local.regex_valid_primary_ntp, var.primary_ntp) == var.primary_ntp ? 0 : "Variable [primary_ntp] must be a valid ntp"
+
+ regex_valid_secondary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.secondary_ntp is invalid
+ regex_secondary_ntp = regex(local.regex_valid_secondary_ntp, var.secondary_ntp) == var.secondary_ntp ? 0 : "Variable [secondary_ntp] must be a valid ntp"
+
+ regex_valid_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SICKey is invalid
+ regex_sic_result = regex(local.regex_valid_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SICKey] must be at least 8 alphanumeric characters"
+}
\ No newline at end of file
diff --git a/terraform/aws/gateway-master/main.tf b/terraform/aws/gateway-master/main.tf
new file mode 100755
index 00000000..dd09ebb4
--- /dev/null
+++ b/terraform/aws/gateway-master/main.tf
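Review bot: `var.gateway_SICKey` is validated twice in this hunk — `regex_gateway_sic_result` and `regex_sic_result` apply the identical `^[a-zA-Z0-9]{8,}$` pattern, and the first one's comment and error text name `gateway_SIC_Key`, a variable that does not exist in this module; drop the first pair and keep `regex_sic_result`, whose message names the real variable. Since the versions.tf in this commit requires Terraform `>= 0.14.3`, each of these `regex(...) == var.x ? 0 : "message"` locals could instead be a `validation` block on the variable, which reports a clean error at plan time rather than a type-conversion failure on a throwaway local. `regex_valid_gateway_password_hash` deliberately accepts the empty string because the variable defaults to `""`; a one-line comment saying so, e.g. `// empty string allowed: hash is optional`, would stop a later tightening from breaking the default. The key_name message should read `"must be a non-empty string"`.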
@@ -0,0 +1,66 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+// --- VPC ---
+module "launch_vpc" {
+ source = "../modules/vpc"
+
+ vpc_cidr = var.vpc_cidr
+ public_subnets_map = var.public_subnets_map
+ private_subnets_map = var.private_subnets_map
+ subnets_bit_length = var.subnets_bit_length
+}
+
+resource "aws_route_table" "private_subnet_rtb" {
+ depends_on = [module.launch_vpc]
+ vpc_id = module.launch_vpc.vpc_id
+ tags = {
+ Name = "Private Subnets Route Table"
+ }
+}
+resource "aws_route_table_association" "private_rtb_to_private_subnets" {
+ depends_on = [module.launch_vpc, aws_route_table.private_subnet_rtb]
+ route_table_id = aws_route_table.private_subnet_rtb.id
+ subnet_id = module.launch_vpc.private_subnets_ids_list[0]
+}
+
+module "launch_gateway_into_vpc" {
+ source = "../gateway"
+ providers = {
+ aws = aws
+ }
+
+ vpc_id = module.launch_vpc.vpc_id
+ public_subnet_id = module.launch_vpc.public_subnets_ids_list[0]
+ private_subnet_id = module.launch_vpc.private_subnets_ids_list[0]
+ private_route_table = aws_route_table.private_subnet_rtb.id
+ resources_tag_name = var.resources_tag_name
+ gateway_name = var.gateway_name
+ gateway_instance_type = var.gateway_instance_type
+ key_name = var.key_name
+ allocate_and_associate_eip = var.allocate_and_associate_eip
+ volume_size = var.volume_size
+ volume_encryption = var.volume_encryption
+ enable_instance_connect = var.enable_instance_connect
+ disable_instance_termination = var.disable_instance_termination
+ metadata_imdsv2_required = var.metadata_imdsv2_required
+ instance_tags = var.instance_tags
+ gateway_version = var.gateway_version
+ admin_shell = var.admin_shell
+ gateway_SICKey = var.gateway_SICKey
+ gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
+ gateway_TokenKey = var.gateway_TokenKey
+ gateway_hostname = var.gateway_hostname
+ 
allow_upload_download = var.allow_upload_download
+ enable_cloudwatch = var.enable_cloudwatch
+ gateway_bootstrap_script = var.gateway_bootstrap_script
+ primary_ntp = var.primary_ntp
+ secondary_ntp = var.secondary_ntp
+ control_gateway_over_public_or_private_address = var.control_gateway_over_public_or_private_address
+ management_server = var.management_server
+ configuration_template = var.configuration_template
+}
diff --git a/terraform/aws/gateway-master/output.tf b/terraform/aws/gateway-master/output.tf
new file mode 100755
index 00000000..2d8a716c
--- /dev/null
+++ b/terraform/aws/gateway-master/output.tf
@@ -0,0 +1,33 @@
+output "vpc_id" {
+ value = module.launch_vpc.vpc_id
+}
+output "internal_rtb_id" {
+ value = aws_route_table.private_subnet_rtb.id
+}
+output "vpc_public_subnets_ids_list" {
+ value = module.launch_vpc.public_subnets_ids_list
+}
+output "vpc_private_subnets_ids_list" {
+ value = module.launch_vpc.private_subnets_ids_list
+}
+output "ami_id" {
+ value = module.launch_gateway_into_vpc.ami_id
+}
+output "permissive_sg_id" {
+ value = module.launch_gateway_into_vpc.permissive_sg_id
+}
+output "permissive_sg_name" {
+ value = module.launch_gateway_into_vpc.permissive_sg_name
+}
+output "gateway_url" {
+ value = module.launch_gateway_into_vpc.gateway_url
+}
+output "gateway_public_ip" {
+ value = module.launch_gateway_into_vpc.gateway_public_ip
+}
+output "gateway_instance_id" {
+ value = module.launch_gateway_into_vpc.gateway_instance_id
+}
+output "gateway_instance_name" {
+ value = module.launch_gateway_into_vpc.gateway_instance_name
+}
\ No newline at end of file
diff --git a/terraform/aws/gateway-master/terraform.tfvars b/terraform/aws/gateway-master/terraform.tfvars
new file mode 100755
index 00000000..a8eb1d58
--- /dev/null
+++ b/terraform/aws/gateway-master/terraform.tfvars
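Review bot: `aws_route_table_association.private_rtb_to_private_subnets` attaches the new private route table only to `private_subnets_ids_list[0]`, while `private_subnets_map` is documented as "Minimum 1 pair", so any additional private subnet presumably stays on the VPC main route table and never receives the route the gateway module installs through `private_route_table` (the vpc module is outside this diff, so this is inferred). Either iterate the association — `count = length(var.private_subnets_map)` with `subnet_id = module.launch_vpc.private_subnets_ids_list[count.index]`, keeping the count plan-time known — or state in the variable description that only the first private subnet is routed via the gateway. Separately, the provider block reads `var.access_key` / `var.secret_key`, and this commit's variables.tf declares both without `sensitive = true`; mark them `sensitive = true` so their values are redacted from plan and apply output, and consider leaving the provider block to the AWS credential chain (environment, profile, instance role), which is what the README's "comment these lines out" steps amount to.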
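Review bot: The README added in this commit documents the route-table output as `internal_rt_id`, but this file declares it as `output "internal_rtb_id"`, so anyone following the README's Outputs table will reference a name that does not exist; align one side (the README row is the smaller edit). The README also describes `permissive_sg_name` as "The permissive security group id name", which should read "The permissive security group name". Giving each output here a `description = "..."` would keep that text next to the code it describes rather than only in a hand-maintained table.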
@@ -0,0 +1,50 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_cidr = "10.0.0.0/16"
+public_subnets_map = {
+ "us-east-1a" = 1
+}
+private_subnets_map = {
+ "us-east-1a" = 2
+}
+subnets_bit_length = 8
+
+// --- EC2 Instance Configuration ---
+gateway_name = "Check-Point-Gateway-tf"
+gateway_instance_type = "c5.xlarge"
+key_name = "publickey"
+allocate_and_associate_eip = true
+volume_size = 100
+volume_encryption = ""
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+instance_tags = {
+ key1 = "value1"
+ key2 = "value2"
+}
+
+// --- Check Point Settings ---
+gateway_version = "R81.20-BYOL"
+admin_shell = "/etc/cli.sh"
+gateway_SICKey = "12345678"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
+
+// --- Quick connect to Smart-1 Cloud (Recommended) ---
+gateway_TokenKey = ""
+
+// --- Advanced Settings ---
+resources_tag_name = "tag-name"
+gateway_hostname = "gw-hostname"
+allow_upload_download = true
+enable_cloudwatch = false
+gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+primary_ntp = ""
+secondary_ntp = ""
+
+// --- (Optional) Automatic Provisioning with Security Management Server Settings ---
+control_gateway_over_public_or_private_address = "private"
+management_server = ""
+configuration_template = ""
\ No newline at end of file
diff --git a/terraform/aws/gateway-master/variables.tf b/terraform/aws/gateway-master/variables.tf
new file mode 100755
index 00000000..1c00c4f3
--- /dev/null
+++ b/terraform/aws/gateway-master/variables.tf
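Review bot: `gateway_SICKey = "12345678"` commits a real, trivially guessable SIC key in the sample tfvars, against the variable's own guidance to choose a random string, and the README table in this commit presents the same value as the default, so a user who applies the file unchanged establishes SIC trust with a known key. Replace it with a value that fails the `regex_sic_result` check in locals.tf — `gateway_SICKey = ""` — so a forgotten edit stops at plan time instead of deploying; the same applies to treating `gateway_password_hash`, `gateway_maintenance_mode_password_hash` and `gateway_TokenKey` here as template placeholders, since they hold credential material once filled in. `volume_encryption = ""` overrides the `alias/aws/ebs` default declared in variables.tf; whether the gateway module reads the empty string as "account default key" or as "no key" is not visible in this diff, so either drop the line to inherit the default or add a comment stating what `""` means.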
@@ -0,0 +1,195 @@
+// Module: Check Point CloudGuard Network Security Gateway into a new VPC
+
+// --- AWS Provider ---
+variable "region" {
+ type = string
+ description = "AWS region"
+ default = ""
+}
+variable "access_key" {
+ type = string
+ description = "AWS access key"
+ default = ""
+}
+variable "secret_key" {
+ type = string
+ description = "AWS secret key"
+ default = ""
+}
+
+// --- VPC Network Configuration ---
+variable "vpc_cidr" {
+ type = string
+ description = "The CIDR block of the VPC"
+ default = "10.0.0.0/16"
+}
+variable "public_subnets_map" {
+ type = map(string)
+ description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 1} ) "
+}
+variable "private_subnets_map" {
+ type = map(string)
+ description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 2} ) "
+
+}
+variable "subnets_bit_length" {
+ type = number
+ description = "Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20."
+}
+
+// --- EC2 Instance Configuration ---
+variable "gateway_name" {
+ type = string
+ description = "(Optional) The name tag of the Security Gateway instance"
+ default = "Check-Point-Gateway-tf"
+}
+variable "gateway_instance_type" {
+ type = string
+ description = "The instance type of the Security Gateway"
+ default = "c5.xlarge"
+}
+module "validate_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "gateway"
+ instance_type = var.gateway_instance_type
+}
+variable "key_name" {
+ type = string
+ description = "The EC2 Key Pair name to allow SSH access to the instance"
+}
+variable "allocate_and_associate_eip" {
+ type = bool
+ description = "If set to true, an elastic IP will be allocated and associated with the launched instance"
+ default = true
+}
+variable "volume_size" {
+ type = number
+ description = "Root volume size (GB) - minimum 100"
+ default = 100
+}
+resource "null_resource" "volume_size_too_small" {
+ // Volume Size validation - resource will not be created if the volume size is smaller than 100
+ count = var.volume_size >= 100 ? 0 : "volume_size must be at least 100"
+}
+variable "volume_encryption" {
+ type = string
+ description = "KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs')"
+ default = "alias/aws/ebs"
+}
+variable "enable_instance_connect" {
+ type = bool
+ description = "Enable SSH connection over AWS web console"
+ default = false
+}
+variable "disable_instance_termination" {
+ type = bool
+ description = "Prevents an instance from accidental termination"
+ default = false
+}
+variable "metadata_imdsv2_required" {
+ type = bool
+ description = "Set true to deploy the instance with metadata v2 token required"
+ default = true
+}
+variable "instance_tags" {
+ type = map(string)
+ description = "(Optional) A map of tags as key=value pairs. 
All tags will be added to the Gateway EC2 Instance"
+ default = {}
+}
+
+// --- Check Point Settings ---
+variable "gateway_version" {
+ type = string
+ description = "Gateway version and license"
+ default = "R81.20-BYOL"
+}
+module "validate_gateway_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "gateway"
+ version_license = var.gateway_version
+}
+variable "admin_shell" {
+ type = string
+ description = "Set the admin shell to enable advanced command line configuration"
+ default = "/etc/cli.sh"
+}
+variable "gateway_SICKey" {
+ type = string
+ description = "The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters"
+}
+variable "gateway_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
+
+// --- Quick connect to Smart-1 Cloud (Recommended) ---
+variable "gateway_TokenKey" {
+ type = string
+ description = "Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud."
+}
+
+// --- Advanced Settings ---
+variable "resources_tag_name" {
+ type = string
+ description = "(Optional)"
+ default = ""
+}
+variable "gateway_hostname" {
+ type = string
+ description = "(Optional) Security Gateway prompt hostname"
+ default = ""
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point"
+ default = true
+}
+variable "enable_cloudwatch" {
+ type = bool
+ description = "Report Check Point specific CloudWatch metrics"
+ default = false
+}
+variable "gateway_bootstrap_script" {
+ type = string
+ description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot"
+ default = ""
+}
+variable "primary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol primary server"
+ default = "169.254.169.123"
+}
+variable "secondary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server"
+ default = "0.pool.ntp.org"
+}
+
+// --- (Optional) Automatic Provisioning with Security Management Server Settings ---
+variable "control_gateway_over_public_or_private_address" {
+ type = string
+ description = "Determines if the Security Gateway is provisioned using its private or public address"
+ default = "private"
+}
+variable "management_server" {
+ type = string
+ description = "(Optional) The name that represents the Security Management Server in the automatic provisioning configuration"
+ default = ""
+}
+variable "configuration_template" {
+ type = string
+ description = "(Optional) A name of a Security Gateway configuration template in the automatic provisioning configuration"
+ default = ""
+ validation {
+ condition = length(var.configuration_template) < 31
+ error_message = "The configuration_template name can not exceed 30 characters."
+ }
+}
\ No newline at end of file
diff --git a/terraform/aws/gateway-master/versions.tf b/terraform/aws/gateway-master/versions.tf
new file mode 100755
index 00000000..c138bbb3
--- /dev/null
+++ b/terraform/aws/gateway-master/versions.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ }
+}
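Review bot: None of `access_key`, `secret_key`, `gateway_SICKey`, `gateway_password_hash`, `gateway_maintenance_mode_password_hash` or `gateway_TokenKey` is marked `sensitive = true`, so their values show up in plan and apply output and in any diagnostic that echoes them; versions.tf on the same line requires Terraform >= 0.14.3, where the attribute is available, so adding `sensitive = true` to each of these six blocks is a one-line change apiece. `gateway_TokenKey` has no `default`, which makes it a mandatory input even though its section is labelled "(Recommended)" and the token check in gateway/locals.tf, which the gateway module presumably applies to this value, explicitly accepts an empty string; `default = ""` would make the declaration match that intent. Style: `null_resource.volume_size_too_small` signals a bad size by assigning a string to `count`, while the same file already uses a `validation` block for `configuration_template`; a `validation { condition = var.volume_size >= 100 ... }` block on `volume_size` reports the problem as a normal plan error and removes the dummy resource. gateway/variables.tf later in this patch repeats the unmarked `access_key`/`secret_key` declarations.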
diff --git a/terraform/aws/gateway/README.md b/terraform/aws/gateway/README.md
new file mode 100755
index 00000000..0ee957ff
--- /dev/null
+++ b/terraform/aws/gateway/README.md
@@ -0,0 +1,191 @@
+# Check Point CloudGuard Network Security Gateway Terraform module for AWS
+
+Terraform module which deploys a Check Point CloudGuard Network Security Gateway into an existing VPC.
+
+These types of Terraform resources are supported:
+* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html)
+* [Security group](https://www.terraform.io/docs/providers/aws/r/security_group.html)
+* [Network interface](https://www.terraform.io/docs/providers/aws/r/network_interface.html)
+* [EIP](https://www.terraform.io/docs/providers/aws/r/eip.html) - conditional creation
+* [Route](https://www.terraform.io/docs/providers/aws/r/route.html) - conditional creation
+
+See the [Automatically Provision a CloudGuard Security Gateway in AWS](https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk131434) for additional information
+
+This solution uses the following modules:
+- /terraform/aws/modules/amis
+
+## Configurations
+
+The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources:
+```
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+```
+The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables).
+- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/gateway/**terraform.tfvars** file as follows:
+```
+region = "us-east-1"
+access_key = "my-access-key"
+secret_key = "my-secret-key"
+```
+- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented:
+ ```
+ provider "aws" {
+ // region = var.region
+ // access_key = var.access_key
+ // secret_key = var.secret_key
+ }
+ ```
+
+## Usage
+- Fill all variables in the /terraform/aws/gateway/**terraform.tfvars** file with proper values (see below for variables descriptions).
+- From a command line initialize the Terraform configuration directory:
+ ```
+ terraform init
+ ```
+- Create an execution plan:
+ ```
+ terraform plan
+ ```
+- Create or modify the deployment:
+ ```
+ terraform apply
+ ```
+
+- Variables are configured in /terraform/aws/gateway/**terraform.tfvars** file as follows:
+
+ ```
+ //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+ // --- VPC Network Configuration ---
+ vpc_id = "vpc-12345678"
+ public_subnet_id = "subnet-123456"
+ private_subnet_id = "subnet-345678"
+ private_route_table = "rtb-12345678"
+
+ // --- EC2 Instance Configuration ---
+ gateway_name = "Check-Point-Gateway-tf"
+ gateway_instance_type = "c5.xlarge"
+ key_name = "publickey"
+ allocate_and_associate_eip = true
+ volume_size = 100
+ volume_encryption = "alias/aws/ebs"
+ enable_instance_connect = false
+ disable_instance_termination = false
+ instance_tags = {
+ key1 = "value1"
+ key2 = "value2"
+ }
+
+ // --- Check Point Settings ---
+ gateway_version = "R81.20-BYOL"
+ admin_shell = "/etc/cli.sh"
+ gateway_SICKey = "12345678"
+ gateway_password_hash = ""
+ gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. 
+
+ // --- Quick connect to Smart-1 Cloud (Recommended) ---
+ gateway_TokenKey = ""
+
+ // --- Advanced Settings ---
+ resources_tag_name = "tag-name"
+ gateway_hostname = "gw-hostname"
+ allow_upload_download = true
+ enable_cloudwatch = false
+ gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+ primary_ntp = ""
+ secondary_ntp = ""
+
+ // --- Automatic Provisioning with Security Management Server Settings (optional) ---
+ control_gateway_over_public_or_private_address = "private"
+ management_server = ""
+ configuration_template = ""
+ ```
+
+- Conditional creation
+ - To create an Elastic IP and associate it to the Gateway instance:
+ ```
+ allocate_and_associate_eip = true
+ ```
+ - To create route from '0.0.0.0/0' to the Security Gateway instance, please provide route table:
+ ```
+ private_route_table = "rtb-12345678"
+ ```
+- To tear down your resources:
+ ```
+ terraform destroy
+ ```
+
+
+
+## Inputs
+| Name | Description | Type | Allowed values | Default | Required |
+|------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------|----------|
+| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes |
+| public_subnet_id | The public subnet of the security gateway | string | n/a | n/a | yes |
+| private_subnet_id | The private subnet of the security gateway | string | n/a | n/a | yes |
+| private_route_table | Sets '0.0.0.0/0' route to the Gateway instance in the specified route table (e.g. rtb-12a34567) | string | n/a | "" | no |
+| gateway_name | (Optional) The name tag of the Security Gateway instance | string | n/a | Check-Point-Gateway-tf | no |
+| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no |
+| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes |
+| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with the launched instance | bool | true/false | true | no |
+| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no |
+| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no |
+| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no |
+| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no |
+| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes |
+| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Security Gateway EC2 Instance | map(string) | n/a | {} | no |
+| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81-BYOL
- R81-PAYG-NGTP
- R81-PAYG-NGTX
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no |
+| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no |
+| gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes |
+| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no |
+| gateway_TokenKey | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no |
+| resources_tag_name | (optional) | string | n/a | "" | no |
+| gateway_hostname | (Optional) Security Gateway prompt hostname. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no |
+| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no |
+| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no |
+| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no |
+| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no |
+| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no |
+| control_gateway_over_public_or_private_address | Determines if the Security Gateway is provisioned using its private or public address | string | - public
- private | private | no |
+| management_server | (Optional) The name that represents the Security Management Server in the automatic provisioning configuration | string | n/a | "" | no |
+| configuration_template | (Optional) A name of a Security Gateway configuration template in the automatic provisioning configuration | string | n/a | "" | no |
+| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no |
+
+
+## Outputs
+| Name | Description |
+|-----------------------|----------------------------------------------------|
+| ami_id | The ami id of the deployed Security Gateway |
+| permissive_sg_id | The permissive security group id |
+| permissive_sg_name | The permissive security group id name |
+| gateway_url | URL to the portal of the deployed Security Gateway |
+| gateway_public_ip | The deployed Security Gateway Server AWS public ip |
+| gateway_instance_id | The deployed Security Gateway AWS instance id |
+| gateway_instance_name | The deployed Security Gateway AWS instance name |
+
+## Revision History
+In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585)
+
+| Template Version | Description |
+|------------------|---------------------------------------------------------------------------------------------------------------|
+| 20210309 | First release of Check Point Security Gateway Terraform module for AWS |
+| 20220606 | New instance type support |
+| 20221123 | R81.20 version support |
+| 20230411 | Improved deployment experience for gateways and clusters managed by Smart-1 Cloud |
+| 20230503 | Smart-1 Cloud token 
validation |
+| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname |
+| 20230806 | Add support for c6in instance type |
+| 20230829 | Change default Check Point version to R81.20 |
+| 20230914 | Add support for maintenance mode password |
+| 20230923 | Add support for C5d instance type |
+| 20231012 | Update AWS Terraform provider version to 5.20.1 |
+| 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only |
+
+## License
+
+This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details
\ No newline at end of file
diff --git a/terraform/aws/gateway/locals.tf b/terraform/aws/gateway/locals.tf
new file mode 100755
index 00000000..79c894db
--- /dev/null
+++ b/terraform/aws/gateway/locals.tf
@@ -0,0 +1,48 @@
+locals {
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"]
+ // Will fail if var.admin_shell is invalid
+ validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell)
+
+ enable_cloudwatch_policy = var.enable_cloudwatch ? 1 : 0
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+
+ regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SIC_Key is invalid
+ regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters"
+
+ //will fail if decode token should contain https:// and .checkpoint.com/app/maas/api/v1/tenant or empty string
+ split_token = split(" ", var.gateway_TokenKey)
+ token_decode = base64decode(element(local.split_token, length(local.split_token)-1))
+ regex_token_valid = "(^https://(.+).checkpoint.com/app/maas/api/v1/tenant(.+)|^$)"
+ regex_token = regex(local.regex_token_valid, local.token_decode) == local.token_decode ? 0 : "Smart-1 Cloud token is invalid format"
+
+ regex_valid_gateway_hostname = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.gateway_hostname is invalid
+ regex_gateway_hostname = regex(local.regex_valid_gateway_hostname, var.gateway_hostname) == var.gateway_hostname ? 0 : "Variable [gateway_hostname] must be a valid hostname label or an empty string"
+
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 
0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
+ control_over_public_or_private_allowed_values = [
+ "public",
+ "private"]
+ // will fail if [var.control_gateway_over_public_or_private_address] is invalid:
+ validate_control_over_public_or_private = index(local.control_over_public_or_private_allowed_values, var.control_gateway_over_public_or_private_address)
+
+ regex_valid_primary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.primary_ntp is invalid
+ regex_primary_ntp = regex(local.regex_valid_primary_ntp, var.primary_ntp) == var.primary_ntp ? 0 : "Variable [primary_ntp] must be a valid ntp"
+
+ regex_valid_secondary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.secondary_ntp is invalid
+ regex_secondary_ntp = regex(local.regex_valid_secondary_ntp, var.secondary_ntp) == var.secondary_ntp ? 0 : "Variable [secondary_ntp] must be a valid ntp"
+}
\ No newline at end of file
diff --git a/terraform/aws/gateway/main.tf b/terraform/aws/gateway/main.tf
new file mode 100755
index 00000000..164d6bf0
--- /dev/null
+++ b/terraform/aws/gateway/main.tf
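Review bot: `regex_token_valid` leaves both dots in `.checkpoint.com` unescaped and lets the preceding `(.+)` span `/`, so the check accepts any decoded URL in which `checkpoint`, one arbitrary character and `com/app/maas/api/v1/tenant` occur anywhere after `https://`, not only in the host position the comment above it describes; `regex_token_valid = "(^https://[^/]+\\.checkpoint\\.com/app/maas/api/v1/tenant(.+)|^$)"` limits it to the host part. The comment and the error text for the SIC check name `gateway_SIC_Key`, but the variable declared in variables.tf and read on that line is `gateway_SICKey`, so the message a user sees points at a name that does not exist (the README table in this patch repeats the `gateway_SIC_Key` spelling). Style: the `regex(...) == var.x ? 0 : "message"` locals are a pre-0.13 validation workaround, and variables.tf in this patch already uses a `validation` block for `configuration_template`; moving each anchored pattern into a `validation` block on its own variable, with `can(regex(...))` as the condition, reports the failure as a normal plan error and drops the otherwise unused locals.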
@@ -0,0 +1,119 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+module "amis" {
+ source = "../modules/amis"
+
+ version_license = var.gateway_version
+ chkp_type = "gateway"
+}
+
+module "common_permissive_sg" {
+ source = "../modules/common/permissive_sg"
+
+ vpc_id = var.vpc_id
+ resources_tag_name = var.resources_tag_name
+ gateway_name = var.gateway_name
+}
+
+resource "aws_iam_instance_profile" "gateway_instance_profile" {
+ count = local.enable_cloudwatch_policy
+ path = "/"
+ role = aws_iam_role.gateway_iam_role[count.index].name
+}
+
+resource "aws_iam_role" "gateway_iam_role" {
+ count = local.enable_cloudwatch_policy
+ assume_role_policy = data.aws_iam_policy_document.gateway_role_assume_policy_document.json
+ path = "/"
+}
+
+data "aws_iam_policy_document" "gateway_role_assume_policy_document" {
+ version = "2012-10-17"
+ statement {
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+ principals {
+ type = "Service"
+ identifiers = ["ec2.amazonaws.com"]
+ }
+ }
+}
+
+module "attach_cloudwatch_policy" {
+ source = "../modules/cloudwatch-policy"
+ count = local.enable_cloudwatch_policy
+ role = aws_iam_role.gateway_iam_role[count.index].name
+ tag_name = var.resources_tag_name != "" ? var.resources_tag_name : var.gateway_name
+}
+
+resource "aws_network_interface" "public_eni" {
+ subnet_id = var.public_subnet_id
+ security_groups = [module.common_permissive_sg.permissive_sg_id]
+ description = "eth0"
+ source_dest_check = false
+ tags = {
+ Name = format("%s-external-eni", var.resources_tag_name != "" ? var.resources_tag_name : var.gateway_name) }
+}
+resource "aws_network_interface" "private_eni" {
+ subnet_id = var.private_subnet_id
+ security_groups = [module.common_permissive_sg.permissive_sg_id]
+ description = "eth1"
+ source_dest_check = false
+ tags = {
+ Name = format("%s-internal-eni", var.resources_tag_name != "" ? 
var.resources_tag_name : var.gateway_name) }
+}
+
+module "common_eip" {
+ source = "../modules/common/elastic_ip"
+ depends_on = [
+ module.common_gateway_instance
+ ]
+
+ allocate_and_associate_eip = var.allocate_and_associate_eip
+ external_eni_id = aws_network_interface.public_eni.id
+ private_ip_address = aws_network_interface.public_eni.private_ip
+}
+
+module "common_internal_default_route" {
+ source = "../modules/common/internal_default_route"
+
+ private_route_table = var.private_route_table
+ internal_eni_id = aws_network_interface.private_eni.id
+}
+
+module "common_gateway_instance" {
+ source = "../modules/common/gateway_instance"
+
+ external_eni_id = aws_network_interface.public_eni.id
+ internal_eni_id = aws_network_interface.private_eni.id
+ gateway_name = var.gateway_name
+ management_server = var.management_server
+ configuration_template = var.configuration_template
+ control_gateway_over_public_or_private_address = var.control_gateway_over_public_or_private_address
+ volume_size = var.volume_size
+ volume_encryption = var.volume_encryption
+ gateway_version = module.amis.version_license_with_suffix
+ gateway_instance_type = var.gateway_instance_type
+ instance_tags = var.instance_tags
+ key_name = var.key_name
+ iam_instance_profile_id = (local.enable_cloudwatch_policy == 1 ? 
aws_iam_instance_profile.gateway_instance_profile[0].id : "")
+ ami_id = module.amis.ami_id
+ gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
+ admin_shell = var.admin_shell
+ gateway_SICKey = var.gateway_SICKey
+ gateway_TokenKey = var.gateway_TokenKey
+ gateway_bootstrap_script = var.gateway_bootstrap_script
+ gateway_hostname = var.gateway_hostname
+ allow_upload_download = var.allow_upload_download
+ enable_cloudwatch = var.enable_cloudwatch
+ primary_ntp = var.primary_ntp
+ secondary_ntp = var.secondary_ntp
+ enable_instance_connect = var.enable_instance_connect
+ disable_instance_termination = var.disable_instance_termination
+ metadata_imdsv2_required = var.metadata_imdsv2_required
+}
\ No newline at end of file
diff --git a/terraform/aws/gateway/output.tf b/terraform/aws/gateway/output.tf
new file mode 100755
index 00000000..ab3c934f
--- /dev/null
+++ b/terraform/aws/gateway/output.tf
@@ -0,0 +1,21 @@
+output "ami_id" {
+ value = module.amis.ami_id
+}
+output "permissive_sg_id" {
+ value = module.common_permissive_sg.permissive_sg_id
+}
+output "permissive_sg_name" {
+ value = module.common_permissive_sg.permissive_sg_name
+}
+output "gateway_url" {
+ value = format("https://%s", module.common_eip.gateway_eip_public_ip[0])
+}
+output "gateway_public_ip" {
+ value = module.common_eip.gateway_eip_public_ip
+}
+output "gateway_instance_id" {
+ value = module.common_gateway_instance.gateway_instance_id
+}
+output "gateway_instance_name" {
+ value = module.common_gateway_instance.gateway_instance_name
+}
\ No newline at end of file
diff --git a/terraform/aws/gateway/terraform.tfvars b/terraform/aws/gateway/terraform.tfvars
new file mode 100755
index 00000000..02b1f781
--- /dev/null
+++ b/terraform/aws/gateway/terraform.tfvars
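Review bot: `gateway_url` in output.tf indexes `module.common_eip.gateway_eip_public_ip[0]` unconditionally, while `module.common_eip` in main.tf on the same line receives `allocate_and_associate_eip` and the README in this patch describes the EIP as conditional; with the flag set to false the module presumably returns an empty list (its source is outside this patch) and the output fails with an index error rather than degrading. `value = length(module.common_eip.gateway_eip_public_ip) > 0 ? format("https://%s", module.common_eip.gateway_eip_public_ip[0]) : ""` keeps the output usable in both cases. gateway-master/output.tf earlier in this patch re-exports `gateway_url` from the gateway module, so it inherits the same failure.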
@@ -0,0 +1,46 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_id = "vpc-12345678"
+public_subnet_id = "subnet-123456"
+private_subnet_id = "subnet-345678"
+private_route_table = "rtb-12345678"
+
+// --- EC2 Instance Configuration ---
+gateway_name = "Check-Point-Gateway-tf"
+gateway_instance_type = "c5.xlarge"
+key_name = "publickey"
+allocate_and_associate_eip = true
+volume_size = 100
+volume_encryption = "alias/aws/ebs"
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+instance_tags = {
+ key1 = "value1"
+ key2 = "value2"
+}
+
+// --- Check Point Settings ---
+gateway_version = "R81.20-BYOL"
+admin_shell = "/etc/cli.sh"
+gateway_SICKey = "12345678"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
+
+// --- Quick connect to Smart-1 Cloud (Recommended) ---
+gateway_TokenKey = ""
+
+// --- Advanced Settings ---
+resources_tag_name = "tag-name"
+gateway_hostname = "gw-hostname"
+allow_upload_download = true
+enable_cloudwatch = false
+gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+primary_ntp = ""
+secondary_ntp = ""
+
+// --- Automatic Provisioning with Security Management Server Settings (optional) ---
+control_gateway_over_public_or_private_address = "private"
+management_server = ""
+configuration_template = ""
\ No newline at end of file
diff --git a/terraform/aws/gateway/variables.tf b/terraform/aws/gateway/variables.tf
new file mode 100755
index 00000000..7d32ab1a
--- /dev/null
+++ b/terraform/aws/gateway/variables.tf
@@ -0,0 +1,192 @@
+// Module: Check Point CloudGuard Network Security Gateway into an existing VPC
+
+// --- AWS Provider ---
+variable "region" {
+ type = string
+ description = "AWS region"
+ default = ""
+}
+variable "access_key" {
+ type = string
+ description = "AWS access key"
+ default = ""
+}
+variable "secret_key" {
+ type = string
+ description = "AWS secret key"
+ default = ""
+}
+
+// --- VPC Network Configuration ---
+variable "vpc_id" {
+ type = string
+}
+variable "public_subnet_id" {
+ type = string
+ description = "The public subnet of the security gateway"
+}
+variable "private_subnet_id" {
+ type = string
+ description = "The private subnet of the security gateway"
+}
+variable "private_route_table" {
+ type = string
+ description = "Sets '0.0.0.0/0' route to the Security Gateway instance in the specified route table (e.g. rtb-12a34567)"
+ default= ""
+}
+
+// --- EC2 Instance Configuration ---
+variable "gateway_name" {
+ type = string
+ description = "(Optional) The name tag of the Security Gateway instance"
+ default = "Check-Point-Gateway-tf"
+}
+variable "gateway_instance_type" {
+ type = string
+ description = "The instance type of the Security Gateway"
+ default = "c5.xlarge"
+}
+module "validate_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "gateway"
+ instance_type = var.gateway_instance_type
+}
+variable "key_name" {
+ type = string
+ description = "The EC2 Key Pair name to allow SSH access to the instance"
+}
+variable "allocate_and_associate_eip" {
+ type = bool
+ description = "If set to true, an elastic IP will be allocated and associated with the launched instance"
+ default = true
+}
+variable "volume_size" {
+ type = number
+ description = "Root volume size (GB) - minimum 100"
+ default = 100
+}
+resource "null_resource" "volume_size_too_small" {
+ // Volume Size validation - resource will not be created if the volume size is smaller than 100
+ count = var.volume_size >= 100 ?
0 : "volume_size must be at least 100"
+}
+variable "volume_encryption" {
+ type = string
+ description = "KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs')"
+ default = "alias/aws/ebs"
+}
+variable "enable_instance_connect" {
+ type = bool
+ description = "Enable SSH connection over AWS web console"
+ default = false
+}
+variable "disable_instance_termination" {
+ type = bool
+ description = "Prevents an instance from accidental termination"
+ default = false
+}
+variable "metadata_imdsv2_required" {
+ type = bool
+ description = "Set true to deploy the instance with metadata v2 token required"
+ default = true
+}
+variable "instance_tags" {
+ type = map(string)
+ description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Security Gateway EC2 Instance"
+ default = {}
+}
+
+// --- Check Point Settings ---
+variable "gateway_version" {
+ type = string
+ description = "Gateway version and license"
+ default = "R81.20-BYOL"
+}
+module "validate_gateway_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "gateway"
+ version_license = var.gateway_version
+}
+variable "admin_shell" {
+ type = string
+ description = "Set the admin shell to enable advanced command line configuration"
+ default = "/etc/cli.sh"
+}
+variable "gateway_SICKey" {
+ type = string
+ description = "The Secure Internal Communication key for trusted connection between Check Point components.
Choose a random string consisting of at least 8 alphanumeric characters"
+}
+variable "gateway_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
+// --- Quick connect to Smart-1 Cloud (Recommended) ---
+variable "gateway_TokenKey" {
+ type = string
+ description = "Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud."
+}
+
+// --- Advanced Settings ---
+variable "resources_tag_name" {
+ type = string
+ description = "(Optional)"
+ default = ""
+}
+variable "gateway_hostname" {
+ type = string
+ description = "(Optional) Security Gateway prompt hostname"
+ default = ""
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Automatically download Blade Contracts and other important data.
Improve product experience by sending data to Check Point"
+ default = true
+}
+variable "enable_cloudwatch" {
+ type = bool
+ description = "Report Check Point specific CloudWatch metrics"
+ default = false
+}
+variable "gateway_bootstrap_script" {
+ type = string
+ description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot"
+ default = ""
+}
+variable "primary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol primary server"
+ default = "169.254.169.123"
+}
+variable "secondary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server"
+ default = "0.pool.ntp.org"
+}
+
+// --- (Optional) Automatic Provisioning with Security Management Server Settings ---
+variable "control_gateway_over_public_or_private_address" {
+ type = string
+ description = "Determines if the Security Gateway is provisioned using its private or public address"
+ default = "private"
+}
+variable "management_server" {
+ type = string
+ description = "(Optional) The name that represents the Security Management Server in the automatic provisioning configuration"
+ default = ""
+}
+variable "configuration_template" {
+ type = string
+ description = "(Optional) A name of a Security Gateway configuration template in the automatic provisioning configuration"
+ default = ""
+ validation {
+ condition = length(var.configuration_template) < 31
+ error_message = "The configuration_template name can not exceed 30 characters."
+ }
+}
\ No newline at end of file
diff --git a/terraform/aws/gateway/versions.tf b/terraform/aws/gateway/versions.tf
new file mode 100755
index 00000000..c138bbb3
--- /dev/null
+++ b/terraform/aws/gateway/versions.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ }
+}
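Review bot: `access_key`, `secret_key`, `gateway_SICKey`, `gateway_password_hash`, `gateway_maintenance_mode_password_hash` and `gateway_TokenKey` are declared without `sensitive = true`, so their values are echoed in plan and apply output and in any diagnostics that print the module's inputs; the versions.tf added in this patch requires Terraform >= 0.14.3, which already supports the attribute. Add `sensitive = true` to each of those six variable blocks (the values still land in state, which has to be protected separately). Separately, `volume_size` is enforced through the `null_resource` count trick while `configuration_template` a few lines below uses a `validation` block; the `validation` form yields a readable error and would also fit `gateway_SICKey`, which this module currently accepts with no length or character check at all.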
diff --git a/terraform/aws/gwlb-master/README.md b/terraform/aws/gwlb-master/README.md
new file mode 100755
index 00000000..4fcdeaa2
--- /dev/null
+++ b/terraform/aws/gwlb-master/README.md
@@ -0,0 +1,235 @@ +# Check Point CloudGuard Network Gateway Load Balancer Master Terraform module for AWS + +Terraform module which deploys an AWS Auto Scaling group configured for Gateway Load Balancer into a new VPC. + +These types of Terraform resources are supported: +* [AWS Instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) +* [VPC](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) +* [Security Group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) +* [Load Balancer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) +* [Load Balancer Target Group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) +* [Launch template](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) +* [Auto Scaling Group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group) +* [IAM Role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) - conditional creation + +See the [Check Point CloudGuard Gateway Load Balancer on AWS](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_AWS_Centralized_Gateway_Load_Balancer/Content/Topics-AWS-GWLB-VPC-DG/Introduction.htm) for additional information + +This solution uses the following modules: +- /terraform/aws/autoscale-gwlb +- /terraform/aws/management +- /terraform/aws/cme-iam-role-gwlb +- /terraform/aws/modules/amis +- /terraform/aws/modules/vpc +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.aws_access_key_ID + secret_key = var.aws_secret_access_key +} +``` +The provider credentials can 
be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/qs-autoscale/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Static credentials are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/autoscale-gwlb, /terraform/aws/management and /terraform/aws/cme-iam-role-gwlb: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.aws_access_key_ID + // secret_key = var.aws_secret_access_key + } + ``` + b. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/autoscale, /terraform/aws/management and /terraform/aws/cme-iam-role-gwlb: + ``` + provider "aws" { + // region = var.region + // access_key = var.aws_access_key_ID + // secret_key = var.aws_secret_access_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/gwlb/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` + - Create or modify the deployment: + ``` + terraform apply + ``` + + - Variables are configured in /terraform/aws/qs-autoscale/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + + // --- Network Configuration --- + vpc_cidr = "10.0.0.0/16" + public_subnets_map = { + "us-east-1a" = 1 + "us-east-1b" = 2 + } + subnets_bit_length = 8 + + // --- General Settings --- + key_name = "publickey" + enable_volume_encryption = true + volume_size = 100 + enable_instance_connect = false + disable_instance_termination = false + allow_upload_download = true + management_server = "CP-Management-gwlb-tf" + configuration_template = "gwlb-configuration" + admin_shell = "/etc/cli.sh" + + // --- Gateway Load Balancer Configuration --- + gateway_load_balancer_name = "gwlb1" + target_group_name = "tg1" + connection_acceptance_required = "false" + enable_cross_zone_load_balancing = "true" + + // --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration --- + gateway_name = "Check-Point-GW-tf" + gateway_instance_type = "c5.xlarge" + 
minimum_group_size = 2 + maximum_group_size = 10 + gateway_version = "R81.20-BYOL" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. + gateway_SICKey = "12345678" + gateways_provision_address_type = "private" + allocate_public_IP = false + enable_cloudwatch = false + gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + + // --- Check Point CloudGuard IaaS Security Management Server Configuration --- + management_deploy = true + management_instance_type = "m5.xlarge" + management_version = "R81.20-BYOL" + management_password_hash = "" + management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password. + gateways_policy = "Standard" + gateway_management = "Locally managed" + admin_cidr = "" + gateways_addresses = "" + + // --- Other parameters --- + volume_type = "gp3" + + + ``` + +- Conditional creation + - To enable cloudwatch for gwlb-master: + ``` + enable_cloudwatch = true + ``` + Note: enabling cloudwatch will automatically create IAM role with cloudwatch:PutMetricData permission + - To deploy Security Management Server: + ``` + management_deploy = true + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | 
+|-------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|----------| +| vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | +| public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | +| subnets_bit_length | Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20 | number | n/a | n/a | yes | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| volume_size | Instances volume size | number | n/a | 100 | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point | bool | true/false | true | no | +| management_server | The name that represents the Security Management Server in the automatic provisioning configuration. | string | n/a | CP-Management-gwlb-tf | yes | +| configuration_template | The tag is used by the Security Management Server to automatically provision the Security Gateways. Must be up to 12 alphanumeric characters and unique for each Quick Start deployment | string | n/a | gwlb-configuration | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_load_balancer_name | Load Balancer name in AWS | string | n/a | gwlb1 | yes | +| target_group_name | Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. | string | n/a | tg1 | yes | +| connection_acceptance_required | Indicate whether requests from service consumers to create an endpoint to your service must be accepted. Default is set to false(acceptance not required). | bool | true/false | false | yes | +| enable_cross_zone_load_balancing | Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges. | bool | true/false | true | yes | +| gateway_name | The name tag of the Security Gateway instances. (optional) | string | n/a | Check-Point-GW-tf | yes | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | +| gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | +| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) An optional script with semicolon (;) separated commands to run on the initial boot | string | n/ a | "" | no | +| gateways_provision_address_type | Determines if the gateways are provisioned using their private or public address. | string | - private
- public | private | no | +| allocate_public_IP | Allocate a Public IP for gateway members. | bool | true/false | false | no | +| management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | +| management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | +| management_version | The license to install on the Security Management Server | string | - R80.40-BYOL
- R80.40-PAYG
- R81-BYOL
- R81-PAYG
- R81.10-BYOL
- R81.10-PAYG | R81.20-BYOL | no | +| management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateways_policy | The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group | string | n/a | Standard | no | +| gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. | string | - Locally managed
- Over the internet | Locally managed | no | +| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | +| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | + + +## Outputs +| Name | Description | +|---------------------|---------------------------------------------------------------------------------------| +| managment_public_ip | The deployed Security Management AWS instance public IP | +| load_balancer_url | The URL of the external Load Balancer | +| template_name | Name of a gateway configuration template in the automatic provisioning configuration. | +| controller_name | The controller name in CME. 
| +| gwlb_name | The name of the deployed Gateway Load Balancer | +| gwlb_service_name | The service name for the deployed Gateway Load Balancer | +| gwlb_arn | The arn for the deployed Gateway Load Balancer | + + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|---------------------------------------------------------------------------------------------| +| 20220414 | First release of Check Point CloudGuard Network Gateway Load Balancer master module for AWS | +| 20220606 | New instance type support | +| 20221123 | R81.20 version support | +| 20221215 | Support ASG Launch Template instead of Launch Configuration | +| 20230521 | Change default shell for the admin user to /etc/cli.sh | +| 20230806 | Add support for c6in instance type | +| 20230829 | Change default Check Point version to R81.20 | +| 20230910 | Add bootstrap script execution option for deployed gateways | +| 20230914 | Add support for maintenance mode password | +| 20230923 | Add support for C5d instance type | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/terraform/aws/gwlb-master/locals.tf b/terraform/aws/gwlb-master/locals.tf new file mode 100755 index 00000000..29a557ee --- /dev/null +++ b/terraform/aws/gwlb-master/locals.tf 
@@ -0,0 +1,61 @@
+locals {
+ regex_valid_vpc_cidr = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$"
+ // Will fail if var.vpc_cidr is invalid
+ regex_vpc_cidr = regex(local.regex_valid_vpc_cidr, var.vpc_cidr) == var.vpc_cidr ? 0 : "Variable [vpc_cidr] must be a valid vpc cidr"
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+
+ regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SIC_Key is invalid
+ regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters"
+
+ control_over_public_or_private_allowed_values = [
+ "public",
+ "private"]
+ // will fail if [var.control_gateway_over_public_or_private_address] is invalid:
+ validate_control_over_public_or_private = index(local.control_over_public_or_private_allowed_values, var.gateways_provision_address_type)
+
+ gateway_management_allowed_values = [
+ "Locally managed",
+ "Over the internet"]
+ // will fail if [var.gateway_management] is invalid:
+ validate_gateway_management = index(local.gateway_management_allowed_values, var.gateway_management)
+
+ regex_valid_management_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.management_password_hash is invalid
+ regex_management_password_hash = regex(local.regex_valid_management_password_hash, var.management_password_hash) == var.management_password_hash ? 0 : "Variable [management_password_hash] must be a valid password hash"
+ regex_management_maintenance_mode_password_hash = regex(local.regex_valid_management_password_hash, var.management_maintenance_mode_password_hash) == var.management_maintenance_mode_password_hash ?
0 : "Variable [management_maintenance_mode_password_hash] must be a valid password hash"
+
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_management_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
+
+ regex_valid_admin_cidr = "^([0-9]{1,3}\\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$"
+ // Will fail if var.admin_cidr is invalid
+ regex_admin_cidr = regex(local.regex_valid_admin_cidr, var.admin_cidr) == var.admin_cidr ? 0 : "Variable [admin_cidr] must be a valid CIDR"
+
+ regex_valid_gateways_addresses = "^([0-9]{1,3}\\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$"
+ // Will fail if var.gateways_addresses is invalid
+ regex_gateways_addresses = regex(local.regex_valid_gateways_addresses, var.gateways_addresses) == var.gateways_addresses ? 0 : "Variable [gateways_addresses] must be a valid gateways addresses"
+
+ regex_valid_management_server = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.management_server is invalid
+ regex_management_server = regex(local.regex_valid_management_server, var.management_server) == var.management_server ? 0 : "Variable [management_server] can not be an empty string"
+
+ regex_valid_configuration_template = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.configuration_template is invalid
+ regex_configuration_template = regex(local.regex_valid_configuration_template, var.configuration_template) == var.configuration_template ?
0 : "Variable [configuration_template] can not be an empty string"
+
+ deploy_management_condition = var.management_deploy == true
+
+ volume_type_allowed_values = [
+ "gp3",
+ "gp2"]
+ // will fail if [var.VolumeType] is invalid:
+ validate_volume_type = index(local.volume_type_allowed_values, var.volume_type)
+
+}
\ No newline at end of file
diff --git a/terraform/aws/gwlb-master/main.tf b/terraform/aws/gwlb-master/main.tf
new file mode 100755
index 00000000..da8bf39c
--- /dev/null
+++ b/terraform/aws/gwlb-master/main.tf
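Review bot: `regex_valid_admin_cidr` and `regex_valid_gateways_addresses` accept any dotted quad with 1–3 digit octets (999.1.1.1/8 passes), and because every pattern in this file is anchored, the message after `?` in each `regex(...) == var.x ? 0 : "..."` local is unreachable — a non-matching value already fails inside `regex()` with Terraform's generic error before the comparison runs. A `validation` block on the variable with `condition = can(cidrhost(var.admin_cidr, 0))` (or `var.admin_cidr == "" || can(cidrhost(var.admin_cidr, 0))` if empty is meant to be allowed, as the README example suggests) checks a real CIDR and surfaces the intended message; the gateway module's variables.tf in this same patch already uses that form for `configuration_template`. The `management_server` and `configuration_template` messages also say the value cannot be empty while their patterns (`...|)$`) explicitly accept an empty string, so the message does not describe the check.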
@@ -0,0 +1,69 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+
+module "launch_vpc" {
+ source = "../modules/vpc"
+
+ vpc_cidr = var.vpc_cidr
+ public_subnets_map = var.public_subnets_map
+ private_subnets_map = {}
+ subnets_bit_length = var.subnets_bit_length
+}
+
+module "gwlb" {
+ source = "../gwlb"
+ providers = {
+ aws = aws
+ }
+ vpc_id = module.launch_vpc.vpc_id
+ subnet_ids = module.launch_vpc.public_subnets_ids_list
+
+ // --- General Settings ---
+ key_name = var.key_name
+ enable_volume_encryption = var.enable_volume_encryption
+ volume_size = var.volume_size
+ enable_instance_connect = var.enable_instance_connect
+ disable_instance_termination = var.disable_instance_termination
+ metadata_imdsv2_required = var.metadata_imdsv2_required
+ allow_upload_download = var.allow_upload_download
+ management_server = var.management_server
+ configuration_template = var.configuration_template
+ admin_shell = var.admin_shell
+
+ // --- Gateway Load Balancer Configuration ---
+ gateway_load_balancer_name = var.gateway_load_balancer_name
+ target_group_name = var.target_group_name
+ connection_acceptance_required = false
+ enable_cross_zone_load_balancing = var.enable_cross_zone_load_balancing
+
+ // --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration ---
+ gateway_name = var.gateway_name
+ gateway_instance_type = var.gateway_instance_type
+ minimum_group_size = var.minimum_group_size
+ maximum_group_size = var.maximum_group_size
+ gateway_version = var.gateway_version
+ gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
+ gateway_SICKey = var.gateway_SICKey
+ gateways_provision_address_type = var.gateways_provision_address_type
+ allocate_public_IP = var.allocate_public_IP
+ enable_cloudwatch = var.enable_cloudwatch
+ gateway_bootstrap_script = var.gateway_bootstrap_script
+
+ // --- Check Point CloudGuard IaaS Security Management Server Configuration ---
+ management_deploy = var.management_deploy
+ management_instance_type = var.management_instance_type
+ management_version = var.management_version
+ management_password_hash = var.management_password_hash
+ management_maintenance_mode_password_hash = var.management_maintenance_mode_password_hash
+ gateways_policy = var.gateways_policy
+ gateway_management = var.gateway_management
+ admin_cidr = var.admin_cidr
+ gateways_addresses = var.gateways_addresses
+
+ volume_type = var.volume_type
+}
\ No newline at end of file
diff --git a/terraform/aws/gwlb-master/output.tf b/terraform/aws/gwlb-master/output.tf
new file mode 100755
index 00000000..15cb48a3
--- /dev/null
+++ b/terraform/aws/gwlb-master/output.tf
@@ -0,0 +1,24 @@
+output "Deployment" {
+ value = "Finalizing instances configuration may take up to 20 minutes after deployment is finished."
+}
+output "management_public_ip" {
+ depends_on = [module.gwlb]
+ value = module.gwlb[*].management_public_ip
+}
+output "gwlb_arn" {
+ depends_on = [module.gwlb]
+ value = module.gwlb[*].gwlb_arn
+}
+output "gwlb_service_name" {
+ depends_on = [module.gwlb]
+ value = module.gwlb[*].gwlb_service_name
+}
+output "gwlb_name" {
+ value = var.gateway_load_balancer_name
+}
+output "controller_name" {
+ value = "gwlb-controller"
+}
+output "template_name" {
+ value = var.configuration_template
+}
\ No newline at end of file
diff --git a/terraform/aws/gwlb-master/terraform.tfvars b/terraform/aws/gwlb-master/terraform.tfvars
new file mode 100755
index 00000000..f0f13c92
--- /dev/null
+++ b/terraform/aws/gwlb-master/terraform.tfvars
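Review bot: In the `module "gwlb"` call, `connection_acceptance_required = false` is hard-coded, while variables.tf in this same commit declares `variable "connection_acceptance_required"` and terraform.tfvars sets it, so whatever the operator configures is silently ignored; the line should read `connection_acceptance_required = var.connection_acceptance_required`. Likewise `variable "number_of_AZs"` is declared in variables.tf but nothing in main.tf consumes it, which suggests it is either dead or was meant to be passed to the `launch_vpc` module. The provider block takes `access_key`/`secret_key` from plain variables; since those variables are not marked sensitive, the README's recommendation to prefer environment variables would be worth repeating in a comment above `provider "aws"`.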
@@ -0,0 +1,56 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- Network Configuration ---
+vpc_cidr = "10.0.0.0/16"
+public_subnets_map = {
+ "us-east-1a" = 1
+ "us-east-1b" = 2
+}
+subnets_bit_length = 8
+
+// --- General Settings ---
+key_name = "publickey"
+enable_volume_encryption = true
+volume_size = 100
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+allow_upload_download = true
+management_server = "CP-Management-gwlb-tf"
+configuration_template = "gwlb-configuration"
+admin_shell = "/etc/cli.sh"
+
+// --- Gateway Load Balancer Configuration ---
+gateway_load_balancer_name = "gwlb1"
+target_group_name = "tg1"
+connection_acceptance_required = "false"
+enable_cross_zone_load_balancing = "true"
+
+// --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration ---
+gateway_name = "Check-Point-GW-tf"
+gateway_instance_type = "c5.xlarge"
+minimum_group_size = 2
+maximum_group_size = 10
+gateway_version = "R81.20-BYOL"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
+gateway_SICKey = "12345678"
+gateways_provision_address_type = "private"
+allocate_public_IP = false
+enable_cloudwatch = false
+gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+
+// --- Check Point CloudGuard IaaS Security Management Server Configuration ---
+management_deploy = true
+management_instance_type = "m5.xlarge"
+management_version = "R81.20-BYOL"
+management_password_hash = ""
+management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password.
+gateways_policy = "Standard"
+gateway_management = "Locally managed"
+admin_cidr = "0.0.0.0/0"
+gateways_addresses = "0.0.0.0/0"
+
+// --- Other parameters ---
+volume_type = "gp3"
+
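Review bot: The shipped example sets `admin_cidr = "0.0.0.0/0"` and `gateways_addresses = "0.0.0.0/0"`, yet variables.tf in this commit describes `admin_cidr` as the only network allowed to reach the Security Management Server over web, ssh and graphical clients, so applying the file unchanged exposes the management plane to every IPv4 source. A trailing comment on each line would make the intent unmistakable, e.g. `admin_cidr = "0.0.0.0/0" # placeholder - restrict to your administrative network before apply`. The same applies to `gateway_SICKey = "12345678"`, which is the weakest value that meets the eight-character minimum stated on the variable and is also printed verbatim in the README; marking it as a placeholder to replace would help. Separately, `connection_acceptance_required = "false"` and `enable_cross_zone_load_balancing = "true"` are quoted strings for variables typed `bool`; Terraform converts them, but the unquoted form used elsewhere in this file (`allocate_public_IP = false`) is the consistent one.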
diff --git a/terraform/aws/gwlb-master/variables.tf b/terraform/aws/gwlb-master/variables.tf
new file mode 100755
index 00000000..fd72c46c
--- /dev/null
+++ b/terraform/aws/gwlb-master/variables.tf
@@ -0,0 +1,274 @@
+// Module: Check Point CloudGuard Network Gateway Load Balancer into an existing VPC
+
+// --- AWS Provider ---
+variable "region" {
+ type = string
+ description = "AWS region"
+ default = ""
+}
+variable "access_key" {
+ type = string
+ description = "AWS access key"
+ default = ""
+}
+variable "secret_key" {
+ type = string
+ description = "AWS secret key"
+ default = ""
+}
+
+// --- Network Configuration ---
+variable "number_of_AZs" {
+ type = number
+ description = "Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter"
+ default = 2
+}
+variable "vpc_cidr" {
+ type = string
+ description = "The CIDR block of the VPC"
+ default = "10.0.0.0/16"
+}
+variable "public_subnets_map" {
+ type = map(string)
+ description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1} ) "
+}
+variable "subnets_bit_length" {
+ type = number
+ description = "Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20"
+}
+
+// --- General Settings ---
+variable "key_name" {
+ type = string
+ description = "The EC2 Key Pair name to allow SSH access to the instances"
+}
+variable "enable_volume_encryption" {
+ type = bool
+ description = "Encrypt Environment instances volume with default AWS KMS key"
+ default = true
+}
+variable "volume_size" {
+ type = number
+ description = "Root volume size (GB) - minimum 100"
+ default = 100
+}
+resource "null_resource" "volume_size_too_small" {
+ // Will fail if var.volume_size is less than 100
+ count = var.volume_size >= 100 ? 0 : "variable volume_size must be at least 100"
+}
+variable "enable_instance_connect" {
+ type = bool
+ description = "Enable SSH connection over AWS web console"
+ default = false
+}
+variable "disable_instance_termination" {
+ type = bool
+ description = "Prevents an instance from accidental termination"
+ default = false
+}
+variable "metadata_imdsv2_required" {
+ type = bool
+ description = "Set true to deploy the instance with metadata v2 token required"
+ default = true
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point"
+ default = true
+}
+variable "management_server" {
+ type = string
+ description = "The name that represents the Security Management Server in the automatic provisioning configuration."
+}
+variable "configuration_template" {
+ type = string
+ description = "A name of a gateway configuration template in the automatic provisioning configuration."
+ validation {
+ condition = length(var.configuration_template) < 31
+ error_message = "The configuration_template name can not exceed 30 characters"
+ }
+}
+variable "admin_shell" {
+ type = string
+ description = "Set the admin shell to enable advanced command line configuration"
+ default = "/etc/cli.sh"
+}
+
+// --- Gateway Load Balancer Configuration ---
+
+variable "gateway_load_balancer_name" {
+ type = string
+ description = "Gateway Load Balancer name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen."
+ default = "gwlb1"
+}
+resource "null_resource" "gateway_load_balancer_name_too_long" {
+ // Will fail if gateway_load_balancer_name more than 32
+ count = length(var.gateway_load_balancer_name) <= 32 ? 0 : "variable gateway_load_balancer_name must be at most 32"
+}
+variable "target_group_name" {
+ type = string
+ description = "Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen."
+ default = "tg1"
+}
+resource "null_resource" "target_group_name_too_long" {
+ // Will fail if target_group_name more than 32
+ count = length(var.target_group_name) <= 32 ? 0 : "variable target_group_name must be at most 32"
+}
+variable "connection_acceptance_required" {
+ type = bool
+ description = "Indicate whether requests from service consumers to create an endpoint to your service must be accepted. Default is set to false(acceptance not required)."
+ default = false
+}
+variable "enable_cross_zone_load_balancing" {
+ type = bool
+ description = "Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges."
+ default = true
+}
+
+// --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration ---
+
+variable "gateway_name" {
+ type = string
+ description = "The name tag of the Security Gateway instances. (optional)"
+ default = "Check-Point-Gateway-tf"
+}
+variable "gateway_instance_type" {
+ type = string
+ description = "The EC2 instance type for the Security Gateways."
+ default = "c5.xlarge"
+}
+module "validate_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "gateway"
+ instance_type = var.gateway_instance_type
+}
+variable "minimum_group_size" {
+ type = number
+ description = "The minimal number of Security Gateways."
+ default = 2
+}
+variable "maximum_group_size" {
+ type = number
+ description = "The maximal number of Security Gateways."
+ default = 10
+}
+variable "gateway_version" {
+ type = string
+ description = "The version and license to install on the Security Gateways."
+ default = "R81.20-BYOL"
+}
+module "validate_gateway_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "gwlb_gw"
+ version_license = var.gateway_version
+}
+variable "gateway_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash for the gateway instances, relevant only for R81.20 and higher versions"
+ type = string
+ default = ""
+}
+variable "gateway_SICKey" {
+ type = string
+ description = "The Secure Internal Communication key for trusted connection between Check Point components (at least 8 alphanumeric characters)"
+}
+
+variable "gateways_provision_address_type" {
+ type = string
+ description = "Determines if the gateways are provisioned using their private or public address"
+ default = "private"
+}
+
+variable "allocate_public_IP" {
+ type = bool
+ description = "Allocate an Elastic IP for security gateway."
+ default = false
+}
+
+resource "null_resource" "invalid_allocation" {
+ // Will fail if var.gateways_provision_address_type is public and var.allocate_public_IP is false
+ count = var.gateways_provision_address_type != "public" ? 0 : var.allocate_public_IP == true ? 0 : "Gateway's selected to be provisioned by public IP, but [allocate_public_IP] parameter is false"
+}
+
+variable "enable_cloudwatch" {
+ type = bool
+ description = "Report Check Point specific CloudWatch metrics."
+ default = false
+}
+
+variable "gateway_bootstrap_script" {
+ type = string
+ description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot"
+ default = ""
+}
+
+// --- Check Point CloudGuard IaaS Security Management Server Configuration ---
+
+variable "management_deploy" {
+ type = bool
+ description = "Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section"
+ default = true
+}
+variable "management_instance_type" {
+ type = string
+ description = "The EC2 instance type of the Security Management Server"
+ default = "m5.xlarge"
+}
+module "validate_management_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "management"
+ instance_type = var.management_instance_type
+}
+variable "management_version" {
+ type = string
+ description = "The license to install on the Security Management Server"
+ default = "R81.20-BYOL"
+}
+module "validate_management_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "management"
+ version_license = var.management_version
+}
+variable "management_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "management_maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash for the management instance, relevant only for R81.20 and higher versions"
+ type = string
+ default = ""
+}
+variable "gateways_policy" {
+ type = string
+ description = "The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group"
+ default = "Standard"
+}
+variable "gateway_management" {
+ type = string
+ description = "Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address."
+ default = "Locally managed"
+}
+variable "admin_cidr" {
+ type = string
+ description = "Allow web, ssh, and graphical clients only from this network to communicate with the Security Management Server"
+}
+variable "gateways_addresses" {
+ type = string
+ description = "Allow gateways only from this network to communicate with the Security Management Server"
+}
+
+// --- Other parameters ---
+variable "volume_type" {
+ type = string
+ description = "General Purpose SSD Volume Type"
+ default = "gp3"
+}
\ No newline at end of file
diff --git a/terraform/aws/gwlb-master/versions.tf b/terraform/aws/gwlb-master/versions.tf
new file mode 100755
index 00000000..dbebf275
--- /dev/null
+++ b/terraform/aws/gwlb-master/versions.tf
@@ -0,0 +1,15 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ random = {
+ version = "~> 3.5.1"
+ }
+ }
+}
diff --git a/terraform/aws/gwlb/README.md b/terraform/aws/gwlb/README.md
new file mode 100755
index 00000000..4363e8c9
--- /dev/null
+++ b/terraform/aws/gwlb/README.md
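Review bot: The secret-bearing variables in this file — `access_key`, `secret_key`, `gateway_password_hash`, `gateway_maintenance_mode_password_hash`, `gateway_SICKey`, `management_password_hash` and `management_maintenance_mode_password_hash` — are declared without `sensitive = true`, so their values are echoed in `terraform plan`/`apply` output and in any CI log that captures it; versions.tf in this commit pins `required_version = ">= 0.14.3"`, where the attribute is available, so adding `sensitive = true` to each of those blocks costs nothing. `gateway_SICKey`'s description promises "at least 8 alphanumeric characters" but, unlike `configuration_template`, it has no `validation` block; a `validation { condition = can(regex("^[A-Za-z0-9]{8,}$", var.gateway_SICKey)) ... }` with a matching `error_message` would enforce the stated contract at plan time. `number_of_AZs` is declared here but, as far as the main.tf in this commit shows, never referenced, so it is either dead or an unwired input.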
@@ -0,0 +1,228 @@ +# Check Point CloudGuard Network Gateway Load Balancer Terraform module for AWS + +Terraform module which deploys an AWS Auto Scaling group configured for Gateway Load Balancer into an existing VPC. + +These types of Terraform resources are supported: +* [AWS Instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) +* [Security Group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) +* [Load Balancer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) +* [Load Balancer Target Group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) +* [Launch template](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) +* [Auto Scaling Group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group) +* [IAM Role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) - conditional creation + +See the [Check Point CloudGuard Gateway Load Balancer on AWS](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_AWS_Centralized_Gateway_Load_Balancer/Content/Topics-AWS-GWLB-VPC-DG/Introduction.htm) for additional information + +This solution uses the following modules: +- /terraform/aws/autoscale-gwlb +- /terraform/aws/management +- /terraform/aws/cme-iam-role-gwlb +- /terraform/aws/modules/amis +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.aws_access_key_ID + secret_key = var.aws_secret_access_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment 
Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/qs-autoscale/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Static credentials are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/autoscale-gwlb, /terraform/aws/management and /terraform/aws/cme-iam-role-gwlb: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.aws_access_key_ID + // secret_key = var.aws_secret_access_key + } + ``` + b. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/autoscale, /terraform/aws/management and /terraform/aws/cme-iam-role-gwlb: + ``` + provider "aws" { + // region = var.region + // access_key = var.aws_access_key_ID + // secret_key = var.aws_secret_access_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/gwlb/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + + - Variables are configured in /terraform/aws/qs-autoscale/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- VPC Network Configuration --- + vpc_id = "vpc-12345" + subnet_ids = ["subnet-123457", "subnet-123456"] + + // --- General Settings --- + key_name = "publickey" + enable_volume_encryption = true + volume_size = 100 + enable_instance_connect = false + disable_instance_termination = false + allow_upload_download = true + management_server = "CP-Management-gwlb-tf" + configuration_template = "gwlb-configuration" + admin_shell = "/etc/cli.sh" + + // --- Gateway Load Balancer Configuration --- + gateway_load_balancer_name = "gwlb1" + target_group_name = "tg1" + connection_acceptance_required = "false" + enable_cross_zone_load_balancing = "true" + + // --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration --- + gateway_name = "Check-Point-GW-tf" + gateway_instance_type = "c5.xlarge" + minimum_group_size = 2 + maximum_group_size = 
10 + gateway_version = "R81.20-BYOL" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. + gateway_SICKey = "12345678" + gateways_provision_address_type = "private" + allocate_public_IP = false + enable_cloudwatch = false + gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + + // --- Check Point CloudGuard IaaS Security Management Server Configuration --- + management_deploy = true + management_instance_type = "m5.xlarge" + management_version = "R81.20-BYOL" + management_password_hash = "" + management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password. + gateways_policy = "Standard" + gateway_management = "Locally managed" + admin_cidr = "" + gateways_addresses = "" + + // --- Other parameters --- + volume_type = "gp3" + + + ``` + +- Conditional creation + - To enable cloudwatch for GWLB: + ``` + enable_cloudwatch = true + ``` + Note: enabling cloudwatch will automatically create IAM role with cloudwatch:PutMetricData permission + - To deploy Security Management Server: + ``` + management_deploy = true + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | 
+|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|----------| +| vpc_id | Select an existing VPC | string | n/a | n/a | yes | +| subnet_ids | The VPC subnets ID | string | n/a | n/a | yes | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| volume_size | Instances volume size | number | n/a | 100 | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| management_server | The name that represents the Security Management Server in the automatic provisioning configuration. 
| string | n/a | CP-Management-gwlb-tf | yes | +| configuration_template | The tag is used by the Security Management Server to automatically provision the Security Gateways. Must be up to 12 alphanumeric characters and unique for each Quick Start deployment | string | n/a | gwlb-configuration | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_load_balancer_name | Load Balancer name in AWS | string | n/a | gwlb1 | yes | +| target_group_name | Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. | string | n/a | tg1 | yes | +| connection_acceptance_required | Indicate whether requests from service consumers to create an endpoint to your service must be accepted. Default is set to false(acceptance not required). | bool | true/false | false | yes | +| enable_cross_zone_load_balancing | Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges. | bool | true/false | true | yes | +| gateway_name | The name tag of the Security Gateway instances. (optional) | string | n/a | Check-Point-GW-tf | yes | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | +| gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | +| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) An optional script with semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| gateways_provision_address_type | Determines if the gateways are provisioned using their private or public address. | string | - private
- public | private | no | +| allocate_public_IP | Allocate a Public IP for gateway members. | bool | true/false | false | no | +| management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | +| management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | +| management_version | The license to install on the Security Management Server | string | - R80.40-BYOL
- R80.40-PAYG
- R81-BYOL
- R81-PAYG
- R81.10-BYOL
- R81.10-PAYG | R81.20-BYOL | no | +| management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateways_policy | The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group | string | n/a | Standard | no | +| gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. | string | - Locally managed
- Over the internet | Locally managed | no | +| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | +| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | + +## Outputs +| Name | Description | +|---------------------|---------------------------------------------------------------------------------------| +| managment_public_ip | The deployed Security Management AWS instance public IP | +| load_balancer_url | The URL of the external Load Balancer | +| template_name | Name of a gateway configuration template in the automatic provisioning configuration. | +| controller_name | The controller name in CME. 
| +| gwlb_name | The name of the deployed Gateway Load Balancer | +| gwlb_service_name | The service name for the deployed Gateway Load Balancer | +| gwlb_arn | The arn for the deployed Gateway Load Balancer | + + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|---------------------------------------------------------------------------------------| +| 20220414 | First release of Check Point CloudGuard Network Gateway Load Balancer module for AWS | +| 20220523 | Add support for cross zone load balancing | +| 20220606 | New instance type support | +| 20221123 | R81.20 version support | +| 20221226 | Support ASG Launch Template instead of Launch Configuration | +| 20230521 | Change default shell for the admin user to /etc/cli.sh | +| 20230806 | Add support for c6in instance type | +| 20230829 | Change default Check Point version to R81.20 | +| 20230910 | Add bootstrap script execution option for deployed gateways | +| 20230914 | Add support for maintenance mode password | +| 20230923 | Add support for C5d instance type | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20231022 | Fixed template to populate x-chkp-tags correctly | +| 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/terraform/aws/gwlb/locals.tf b/terraform/aws/gwlb/locals.tf new file mode 100755 index 00000000..44363311 --- /dev/null +++ b/terraform/aws/gwlb/locals.tf 
@@ -0,0 +1,55 @@ +locals { + + regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$" + // Will fail if var.gateway_SIC_Key is invalid + regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters" + + control_over_public_or_private_allowed_values = [ + "public", + "private"] + // will fail if [var.control_gateway_over_public_or_private_address] is invalid: + validate_control_over_public_or_private = index(local.control_over_public_or_private_allowed_values, var.gateways_provision_address_type) + + gateway_management_allowed_values = [ + "Locally managed", + "Over the internet"] + // will fail if [var.gateway_management] is invalid: + validate_gateway_management = index(local.gateway_management_allowed_values, var.gateway_management) + + regex_valid_key_name = "[\\S\\s]+[\\S]+" + // will fail if var.key_name is invalid + regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string" + + regex_valid_management_password_hash = "^[\\$\\./a-zA-Z0-9]*$" + // Will fail if var.management_password_hash is invalid + regex_management_password_hash = regex(local.regex_valid_management_password_hash, var.management_password_hash) == var.management_password_hash ? 0 : "Variable [management_password_hash] must be a valid password hash" + regex_management_maintenance_mode_password_hash = regex(local.regex_valid_management_password_hash, var.management_maintenance_mode_password_hash) == var.management_maintenance_mode_password_hash ? 0 : "Variable [management_maintenance_mode_password_hash] must be a valid password hash" + regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$" + // Will fail if var.gateway_password_hash is invalid + regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 
0 : "Variable [gateway_password_hash] must be a valid password hash" + regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_management_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash" + + regex_valid_admin_cidr = "^([0-9]{1,3}\\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$" + // Will fail if var.admin_cidr is invalid + regex_admin_cidr = regex(local.regex_valid_admin_cidr, var.admin_cidr) == var.admin_cidr ? 0 : "Variable [admin_cidr] must be a valid CIDR" + + regex_valid_gateways_addresses = "^([0-9]{1,3}\\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$" + // Will fail if var.gateways_addresses is invalid + regex_gateways_addresses = regex(local.regex_valid_gateways_addresses, var.gateways_addresses) == var.gateways_addresses ? 0 : "Variable [gateways_addresses] must be a valid gateways addresses" + + regex_valid_management_server = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$" + // Will fail if var.management_server is invalid + regex_management_server = regex(local.regex_valid_management_server, var.management_server) == var.management_server ? 0 : "Variable [management_server] can not be an empty string" + + regex_valid_configuration_template = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$" + // Will fail if var.configuration_template is invalid + regex_configuration_template = regex(local.regex_valid_configuration_template, var.configuration_template) == var.configuration_template ? 0 : "Variable [configuration_template] can not be an empty string" + + deploy_management_condition = var.management_deploy == true + + volume_type_allowed_values = [ + "gp3", + "gp2"] + // will fail if [var.VolumeType] is invalid: + validate_volume_type = index(local.volume_type_allowed_values, var.volume_type) +} \ No newline at end of file 
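Review bot: The CIDR validators `regex_valid_admin_cidr` and `regex_valid_gateways_addresses` only check the textual shape `d{1,3}.d{1,3}.d{1,3}.d{1,3}/0-32`, so `999.0.0.0/8` passes and, more importantly for a value that gates web/SSH/client access to the management server, `0.0.0.0/0` passes silently. Terraform's `cidrnetmask()` rejects malformed IPv4 CIDRs, so `regex_admin_cidr = cidrnetmask(var.admin_cidr) != "" ? 0 : "Variable [admin_cidr] must be a valid CIDR"` is stricter, and a `validation` block on the variable (which this same patch already uses for `configuration_template`, and which the `>= 0.14.3` pin supports) gives a readable error instead of the type-mismatch these string-in-`count` tricks produce. The key-name pattern `[\\S\\s]+[\\S]+` requires at least two characters rather than the "non-empty string" its message claims. Since `regex()` itself raises on a non-match, the `== var.x ? 0 : "..."` tail only fires on a partial match; a one-line comment saying so would spare the next reader some confusion.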
diff --git a/terraform/aws/gwlb/main.tf b/terraform/aws/gwlb/main.tf new file mode 100755 index 00000000..7c4e4616 --- /dev/null +++ b/terraform/aws/gwlb/main.tf 
@@ -0,0 +1,99 @@ +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +module "gateway_load_balancer" { + source = "../modules/common/load_balancer" + + load_balancers_type = "gateway" + instances_subnets = var.subnet_ids + prefix_name = var.gateway_load_balancer_name + internal = true + + security_groups = [] + tags = { + x-chkp-management = var.management_server + x-chkp-template = var.configuration_template + } + vpc_id = var.vpc_id + load_balancer_protocol = "GENEVE" + target_group_port = 6081 + listener_port = 6081 + cross_zone_load_balancing = var.enable_cross_zone_load_balancing +} + +resource "aws_vpc_endpoint_service" "gwlb_endpoint_service" { +depends_on = [module.gateway_load_balancer] + gateway_load_balancer_arns = module.gateway_load_balancer[*].load_balancer_arn + acceptance_required = var.connection_acceptance_required + + tags = { + "Name" = "gwlb-endpoint-service-${var.gateway_load_balancer_name}" + } +} + +module "autoscale_gwlb" { + source = "../autoscale-gwlb" + providers = { + aws = aws + } + depends_on = [module.gateway_load_balancer] + + target_groups = module.gateway_load_balancer[*].target_group_arn + vpc_id = var.vpc_id + subnet_ids = var.subnet_ids + gateway_name = var.gateway_name + gateway_instance_type = var.gateway_instance_type + key_name = var.key_name + enable_volume_encryption = var.enable_volume_encryption + enable_instance_connect = var.enable_instance_connect + metadata_imdsv2_required = var.metadata_imdsv2_required + minimum_group_size = var.minimum_group_size + maximum_group_size = var.maximum_group_size + gateway_version = var.gateway_version + gateway_password_hash = var.gateway_password_hash + gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash + gateway_SICKey = var.gateway_SICKey + allow_upload_download = var.allow_upload_download + enable_cloudwatch = var.enable_cloudwatch + gateway_bootstrap_script = var.gateway_bootstrap_script + 
admin_shell = var.admin_shell + gateways_provision_address_type = var.gateways_provision_address_type + allocate_public_IP = var.allocate_public_IP + management_server = var.management_server + configuration_template = var.configuration_template + volume_type = var.volume_type +} + +data "aws_region" "current"{} + +module "management" { + providers = { + aws = aws + } + count = local.deploy_management_condition ? 1 : 0 + source = "../management" + + vpc_id = var.vpc_id + subnet_id = var.subnet_ids[0] + management_name = var.management_server + management_instance_type = var.management_instance_type + key_name = var.key_name + allocate_and_associate_eip = true + volume_encryption = var.enable_volume_encryption ? "alias/aws/ebs" : "" + enable_instance_connect = var.enable_instance_connect + disable_instance_termination = var.disable_instance_termination + metadata_imdsv2_required = var.metadata_imdsv2_required + management_version = var.management_version + management_password_hash = var.management_password_hash + management_maintenance_mode_password_hash = var.management_maintenance_mode_password_hash + allow_upload_download = var.allow_upload_download + admin_cidr = var.admin_cidr + admin_shell = var.admin_shell + gateway_addresses = var.gateways_addresses + gateway_management = var.gateway_management + management_bootstrap_script = "echo -e '\nStarting Bootstrap script\n'; cv_json_path='/etc/cloud-version.json'\n cv_json_path_tmp='/etc/cloud-version-tmp.json'\n if test -f \"$cv_json_path\"; then cat \"$cv_json_path\" | jq '.template_name = \"'\"management_gwlb\"'\"' > \"$cv_json_path_tmp\"; mv \"$cv_json_path_tmp\" \"$cv_json_path\"; fi; autoprov_cfg -f init AWS -mn ${var.management_server} -tn ${var.configuration_template} -cn gwlb-controller -po ${var.gateways_policy} -otp ${var.gateway_SICKey} -r ${data.aws_region.current.name} -ver ${split("-", var.gateway_version)[0]} -iam; echo -e '\nFinished Bootstrap script\n'" + volume_type = var.volume_type + is_gwlb_iam 
= true +} diff --git a/terraform/aws/gwlb/output.tf b/terraform/aws/gwlb/output.tf new file mode 100755 index 00000000..3beba7ee --- /dev/null +++ b/terraform/aws/gwlb/output.tf @@ -0,0 +1,22 @@ +output "Deployment" { + value = "Finalizing instances configuration may take up to 20 minutes after deployment is finished." +} +output "gwlb_arn" { + value = module.gateway_load_balancer.load_balancer_arn +} +output "gwlb_service_name" { + value = "com.amazonaws.vpce.${data.aws_region.current.name}.${aws_vpc_endpoint_service.gwlb_endpoint_service.id}" +} +output "management_public_ip" { + depends_on = [module.management] + value = module.management[*].management_public_ip +} +output "gwlb_name" { + value = var.gateway_load_balancer_name +} +output "controller_name" { + value = "gwlb-controller" +} +output "template_name" { + value = var.configuration_template +} \ No newline at end of file diff --git a/terraform/aws/gwlb/terraform.tfvars b/terraform/aws/gwlb/terraform.tfvars new file mode 100755 index 00000000..0e26ad11 --- /dev/null +++ b/terraform/aws/gwlb/terraform.tfvars 
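Review bot: `management_bootstrap_script` passes the SIC one-time password on a command line (`-otp ${var.gateway_SICKey}`) inside instance user-data, so the secret is readable through the instance metadata service by any local process, via `describe-instance-attribute` by anyone with EC2 read access, and presumably persists in Terraform state through the instance's `user_data`. The same string interpolates `${var.gateways_policy}` unquoted into the shell command, and unlike `management_server` and `configuration_template` that variable has no charset check in locals.tf, so a policy name containing a space or shell metacharacter breaks or alters the `autoprov_cfg` call; at minimum quote it (`-po '${var.gateways_policy}'`) and validate it against the same hostname-style pattern used for `management_server`. The `provider "aws"` block also takes `access_key`/`secret_key` from variables, which works but makes `terraform.tfvars` the natural place to paste live keys; the README's environment-variable route should be the documented default. Whether CME can take the OTP from somewhere other than `-otp` I can't tell from here; if not, rotating the SIC key once provisioning completes is the practical mitigation and deserves a comment on this line.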
@@ -0,0 +1,52 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+ // --- VPC Network Configuration ---
+vpc_id = "vpc-12345678"
+subnet_ids = ["subnet-123456", "subnet-345678"]
+
+ // --- General Settings ---
+key_name = "publickey"
+enable_volume_encryption = true
+volume_size = 100
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+allow_upload_download = true
+management_server = "CP-Management-gwlb-tf"
+configuration_template = "gwlb-configuration"
+admin_shell = "/etc/cli.sh"
+
+ // --- Gateway Load Balancer Configuration ---
+gateway_load_balancer_name = "gwlb1"
+target_group_name = "tg1"
+connection_acceptance_required = "false"
+enable_cross_zone_load_balancing = "true"
+
+ // --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration ---
+gateway_name = "Check-Point-GW-tf"
+gateway_instance_type = "c5.xlarge"
+minimum_group_size = 2
+maximum_group_size = 10
+gateway_version = "R81.20-BYOL"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
+gateway_SICKey = "12345678"
+gateways_provision_address_type = "private"
+allocate_public_IP = false
+enable_cloudwatch = false
+gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+
+ // --- Check Point CloudGuard IaaS Security Management Server Configuration ---
+management_deploy = true
+management_instance_type = "m5.xlarge"
+management_version = "R81.20-BYOL"
+management_password_hash = ""
+management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password.
+gateways_policy = "Standard"
+gateway_management = "Locally managed"
+admin_cidr = "0.0.0.0/0"
+gateways_addresses = "0.0.0.0/0"
+
+ // --- Other parameters ---
+volume_type = "gp3"
+
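Review bot: The sample sets `admin_cidr = "0.0.0.0/0"` and `gateways_addresses = "0.0.0.0/0"` while main.tf deploys the management server with `allocate_and_associate_eip = true`, so a user who copies this file unchanged exposes the management web, SSH and SmartConsole ports to the whole internet; the example should carry a value that must be replaced, e.g. `admin_cidr = "203.0.113.0/24" // replace with your admin network`, rather than a permissive one that deploys cleanly. `gateway_SICKey = "12345678"` is the weakest value the locals.tf regex accepts and is repeated in the README as a default, so deployments that keep it have a guessable one-time password; use an obvious placeholder and say it must be changed. This file is also the documented home for `access_key`/`secret_key`, so it is the likeliest file to be committed with live credentials; I can't see whether the `.gitignore` added by this patch covers `*.tfvars`, and if it does not, it should. `connection_acceptance_required = "false"` and `enable_cross_zone_load_balancing = "true"` are quoted strings for `bool` variables; Terraform converts them, but the other bools here are bare, so `= false` / `= true` is the consistent form.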
diff --git a/terraform/aws/gwlb/variables.tf b/terraform/aws/gwlb/variables.tf new file mode 100755 index 00000000..5f099c6c --- /dev/null +++ b/terraform/aws/gwlb/variables.tf 
@@ -0,0 +1,263 @@ +// Module: Check Point CloudGuard Network Gateway Load Balancer into an existing VPC + +// --- AWS Provider --- +variable "region" { + type = string + description = "AWS region" + default = "" +} +variable "access_key" { + type = string + description = "AWS access key" + default = "" +} +variable "secret_key" { + type = string + description = "AWS secret key" + default = "" +} + +// --- Network Configuration --- +variable "vpc_id" { + type = string +} +variable "subnet_ids" { + type = list(string) + description = "List of public subnet IDs to launch resources into. Recommended at least 2" +} + +// --- General Settings --- +variable "key_name" { + type = string + description = "The EC2 Key Pair name to allow SSH access to the instances" +} +variable "enable_volume_encryption" { + type = bool + description = "Encrypt Environment instances volume with default AWS KMS key" + default = true +} +variable "volume_size" { + type = number + description = "Root volume size (GB) - minimum 100" + default = 100 +} +resource "null_resource" "volume_size_too_small" { + // Will fail if var.volume_size is less than 100 + count = var.volume_size >= 100 ? 0 : "variable volume_size must be at least 100" +} +variable "enable_instance_connect" { + type = bool + description = "Enable SSH connection over AWS web console" + default = false +} +variable "disable_instance_termination" { + type = bool + description = "Prevents an instance from accidental termination" + default = false +} +variable "metadata_imdsv2_required" { + type = bool + description = "Set true to deploy the instance with metadata v2 token required" + default = true +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point" + default = true +} +variable "management_server" { + type = string + description = "The name that represents the Security Management Server in the automatic provisioning configuration." +} +variable "configuration_template" { + type = string + description = "A name of a gateway configuration template in the automatic provisioning configuration." + validation { + condition = length(var.configuration_template) < 31 + error_message = "The configuration_template name can not exceed 30 characters" + } +} +variable "admin_shell" { + type = string + description = "Set the admin shell to enable advanced command line configuration" + default = "/etc/cli.sh" +} + +// --- Gateway Load Balancer Configuration --- + +variable "gateway_load_balancer_name" { + type = string + description = "Gateway Load Balancer name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen." + default = "gwlb1" +} +resource "null_resource" "gateway_load_balancer_name_too_long" { + // Will fail if gateway_load_balancer_name more than 32 + count = length(var.gateway_load_balancer_name) <= 32 ? 0 : "variable gateway_load_balancer_name must be at most 32" +} +variable "target_group_name" { + type = string + description = "Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen." + default = "tg1" +} +resource "null_resource" "target_group_name_too_long" { + // Will fail if target_group_name more than 32 + count = length(var.target_group_name) <= 32 ? 0 : "variable target_group_name must be at most 32" +} +variable "connection_acceptance_required" { + type = bool + description = "Indicate whether requests from service consumers to create an endpoint to your service must be accepted. 
Default is set to false(acceptance not required)." + default = false +} +variable "enable_cross_zone_load_balancing" { + type = bool + description = "Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges." + default = true +} + +// --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration --- + +variable "gateway_name" { + type = string + description = "The name tag of the Security Gateway instances. (optional)" + default = "Check-Point-Gateway-tf" +} +variable "gateway_instance_type" { + type = string + description = "The EC2 instance type for the Security Gateways." + default = "c5.xlarge" +} +module "validate_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "gateway" + instance_type = var.gateway_instance_type +} +variable "minimum_group_size" { + type = number + description = "The minimal number of Security Gateways." + default = 2 +} +variable "maximum_group_size" { + type = number + description = "The maximal number of Security Gateways." + default = 10 +} +variable "gateway_version" { + type = string + description = "The version and license to install on the Security Gateways." 
+ default = "R81.20-BYOL" +} +module "validate_gateway_version" { + source = "../modules/common/version_license" + + chkp_type = "gwlb_gw" + version_license = var.gateway_version +} +variable "gateway_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" + default = "" +} +variable "gateway_maintenance_mode_password_hash" { + description = "Maintenance mode password hash for the gateway instances, relevant only for R81.20 and higher versions" + type = string + default = "" +} +variable "gateway_SICKey" { + type = string + description = "The Secure Internal Communication key for trusted connection between Check Point components (at least 8 alphanumeric characters)" +} + +variable "gateways_provision_address_type" { + type = string + description = "Determines if the gateways are provisioned using their private or public address" + default = "private" +} + +variable "allocate_public_IP" { + type = bool + description = "Allocate an Elastic IP for security gateway." + default = false +} + +resource "null_resource" "invalid_allocation" { + // Will fail if var.gateways_provision_address_type is public and var.allocate_public_IP is false + count = var.gateways_provision_address_type != "public" ? 0 : var.allocate_public_IP == true ? 0 : "Gateway's selected to be provisioned by public IP, but [allocate_public_IP] parameter is false" +} + +variable "enable_cloudwatch" { + type = bool + description = "Report Check Point specific CloudWatch metrics." 
+ default = false +} + +variable "gateway_bootstrap_script" { + type = string + description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot" + default = "" +} + +// --- Check Point CloudGuard IaaS Security Management Server Configuration --- + +variable "management_deploy" { + type = bool + description = "Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section" + default = true +} +variable "management_instance_type" { + type = string + description = "The EC2 instance type of the Security Management Server" + default = "m5.xlarge" +} +module "validate_management_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "management" + instance_type = var.management_instance_type +} +variable "management_version" { + type = string + description = "The license to install on the Security Management Server" + default = "R81.20-BYOL" +} +module "validate_management_version" { + source = "../modules/common/version_license" + + chkp_type = "management" + version_license = var.management_version +} +variable "management_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" + default = "" +} +variable "management_maintenance_mode_password_hash" { + description = "Maintenance mode password hash for the management instance, relevant only for R81.20 and higher versions" + type = string + default = "" +} +variable "gateways_policy" { + type = string + description = "The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group" + default = "Standard" +} +variable "gateway_management" { + type = string + description = "Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address." 
+ default = "Locally managed" +} +variable "admin_cidr" { + type = string + description = "Allow web, ssh, and graphical clients only from this network to communicate with the Security Management Server" +} +variable "gateways_addresses" { + type = string + description = "Allow gateways only from this network to communicate with the Security Management Server" +} + +// --- Other parameters --- +variable "volume_type" { + type = string + description = "General Purpose SSD Volume Type" + default = "gp3" +} \ No newline at end of file diff --git a/terraform/aws/gwlb/versions.tf b/terraform/aws/gwlb/versions.tf new file mode 100755 index 00000000..dbebf275 --- /dev/null +++ b/terraform/aws/gwlb/versions.tf @@ -0,0 +1,15 @@ +terraform { + required_version = ">= 0.14.3" + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.20.0" + } + http = { + version = "~> 3.4.0" + } + random = { + version = "~> 3.5.1" + } + } +} diff --git a/terraform/aws/management/README.md b/terraform/aws/management/README.md new file mode 100755 index 00000000..dd57ea4d --- /dev/null +++ b/terraform/aws/management/README.md 
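Review bot: `secret_key`, `gateway_SICKey`, `gateway_password_hash`, `management_password_hash` and both maintenance-mode hashes are declared without `sensitive = true`, so their values are printed in `terraform plan`/`apply` output and end up in CI logs; the `required_version = ">= 0.14.3"` pin in versions.tf already permits the attribute, so add `sensitive = true` to each of those six blocks. `gateways_policy`, `admin_cidr` and `gateways_addresses` have no `validation` block even though main.tf interpolates the first straight into a shell command and the other two presumably become security-group sources in the management module; `configuration_template` shows the pattern to copy. `volume_size` is declared and guarded by the `volume_size_too_small` null_resource, but main.tf never passes it to `autoscale_gwlb` or `management`, so the value in terraform.tfvars has no effect; either wire it through or drop it. The `subnet_ids` description says "public subnet IDs" while `gateways_provision_address_type` defaults to `private` and the GWLB is created `internal = true`, so the description should state which the module actually requires.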
@@ -0,0 +1,200 @@ +# Check Point CloudGuard Network Security Management Server Terraform module for AWS + +Terraform module which deploys a Check Point CloudGuard Network Security Management Server into an existing VPC. + +These types of Terraform resources are supported: +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) +* [Security Group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/aws/r/network_interface.html) +* [EIP](https://www.terraform.io/docs/providers/aws/r/eip.html) - conditional creation +* [IAM Role](https://www.terraform.io/docs/providers/aws/r/iam_role.html) - conditional creation + +See the [Security Management Server with CloudGuard for AWS](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk130372) for additional information + +This solution uses the following modules: +- /terraform/aws/modules/amis +- /terraform/aws/cme-iam-role + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/management/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Static credentials are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-module /terraform/aws/cme-iam-role: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + b. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-module /terraform/aws/cme-iam-role: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/management/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +- Variables are configured in /terraform/aws/management/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- VPC Network Configuration --- + vpc_id = "vpc-12345678" + subnet_id = "subnet-abc123" + + // --- EC2 Instances Configuration --- + management_name = "CP-Management-tf" + management_instance_type = "m5.xlarge" + key_name = "publickey" + allocate_and_associate_eip = true + volume_size = 100 + volume_encryption = "alias/aws/ebs" + enable_instance_connect = false + disable_instance_termination = false + instance_tags = { + key1 = "value1" + key2 = "value2" + } + + // --- IAM Permissions --- + iam_permissions = "Create with read permissions" + predefined_role = "" + sts_roles = [] + + // --- Check Point Settings --- + management_version = "R81.20-BYOL" + admin_shell = "/etc/cli.sh" + management_password_hash = "" + management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password. 
+ // --- Security Management Server Settings --- + management_hostname = "mgmt-tf" + management_installation_type = "Primary management" + SICKey = "" + allow_upload_download = "true" + gateway_management = "Locally managed" + admin_cidr = "0.0.0.0/0" + gateway_addresses = "0.0.0.0/0" + primary_ntp = "" + secondary_ntp = "" + management_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + ``` + +- Conditional creation + - To create an Elastic IP and associate it to the Management instance: + ``` + allocate_and_associate_eip = true + ``` + - To create IAM Role: + ``` + iam_permissions = "Create with read permissions" | "Create with read-write permissions" | "Create with assume role permissions (specify an STS role ARN)" + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | +|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------|----------| +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| subnet_id | To access the instance from the internet, make sure the subnet has a route to the internet | string | n/a | n/a | yes | +| management_name | (Optional) The name tag of the Security Management instance | string | n/a | Check-Point-Management-tf | no | +| management_instance_type | The instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | +| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with the launched instance | bool | true/false | true | yes | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Management EC2 Instance | map(string) | n/a | {} | no | +| iam_permissions | IAM role to attach to the instance profile | string | - None (configure later)
- Use existing (specify an existing IAM role name)
- Create with assume role permissions (specify an STS role ARN)
- Create with read permissions
- Create with read-write permissions | Create with read permissions | no | +| predefined_role | (Optional) A predefined IAM role to attach to the instance profile. Ignored if var.iam_permissions is not set to 'Use existing' | string | n/a | "" | no | +| sts_roles | (Optional) The IAM role will be able to assume these STS Roles (list of ARNs). Ignored if var.iam_permissions is set to 'None' or 'Use existing' | list(string) | n/a | [] | no | +| management_version | Management version and license | string | - R80.40-BYOL
- R80.40-PAYG
- R81-BYOL
- R81-PAYG
- R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| management_password_hash | (Optional) Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash) | string | n/a | "" | no | +| management_hostname | (Optional) Security Management Server prompt hostname. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| management_installation_type | Determines if this is the primary management server, secondary management server or log server | string | - Primary management
- Secondary management
- Log Server
| Primary management | yes | +| SICKey | Mandatory only when deploying a secondary Management Server, the Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address | string | - Locally managed
- Over the internet | Locally managed | no | +| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Security Management Server | string | valid CIDR | 0.0.0.0/0 | no | +| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Security Management Server | string | valid CIDR | 0.0.0.0/0 | no | +| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | +| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | +| management_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). 
(optional) | string | n/a | "" | no | + + +## Outputs +| Name | Description | +|--------------------------|--------------------------------------------------------------| +| management_instance_id | The deployed Security Management Server AWS instance id | +| management_instance_name | The deployed Security Management AWS instance name | +| management_instance_tags | The deployed Security Management Server AWS tags | +| management_public_ip | The deployed Security Management Server AWS public ip | +| management_url | URL to the portal of the deployed Security Management Server | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|---------------------------------------------------------------------------------------------------------------| +| 20210309 | First release of Check Point Security Management Server Terraform module for AWS | +| 20210329 | Stability fixes | +| 20220606 | New instance type support | +| 20221123 | R81.20 version support | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230806 | Add support for c6in instance type | +| 20230829 | Change default Check Point version to R81.20 | +| 20230914 | Add support for maintenance mode password | +| 20230923 | Add support for C5d instance type | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20240207 | Added Log Server installation support | +| 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/terraform/aws/management/locals.tf b/terraform/aws/management/locals.tf new file mode 100755 index 00000000..896719ba --- /dev/null +++ b/terraform/aws/management/locals.tf 
@@ -0,0 +1,76 @@ +locals { + permissions_allowed_values = [ + "None (configure later)", + "Use existing (specify an existing IAM role name)", + "Create with assume role permissions (specify an STS role ARN)", + "Create with read permissions", + "Create with read-write permissions"] + // Will fail if var.permissions is invalid + validate_permissions = index(local.permissions_allowed_values, var.iam_permissions) + + use_role = var.iam_permissions == "None (configure later)" ? 0 : 1 + create_iam_role = var.iam_permissions == "Create with assume role permissions (specify an STS role ARN)" || var.iam_permissions == "Create with read permissions" || var.iam_permissions == "Create with read-write permissions" + pre_role = (local.use_role == 1 && local.create_iam_role == false) ? 1 : 0 + new_instance_profile = (local.create_iam_role == true && local.use_role == 1) ? 1 : 0 + + new_instance_profile_general = local.new_instance_profile == 1 && var.is_gwlb_iam == false ? 1 : 0 + new_instance_profile_gwlb = local.new_instance_profile == 1 && var.is_gwlb_iam ? 1 : 0 + + admin_shell_allowed_values = [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh"] + // Will fail if var.admin_shell is invalid + validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell) + + regex_valid_key_name = "[\\S\\s]+[\\S]+" + // will fail if var.key_name is invalid + regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 
0 : "Variable [key_name] must be a none empty string" + + gateway_management_allowed_values = [ + "Locally managed", + "Over the internet"] + // Will fail if var.gateway_management is invalid + validate_gateway_management = index(local.gateway_management_allowed_values, var.gateway_management) + + regex_valid_cidr_range = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))?$" + // Will fail if var.admin_subnet or var.gateway_addresses are invalid + mgmt_subnet_regex_result = regex(local.regex_valid_cidr_range, var.admin_cidr) == var.admin_cidr ? 0 : "var.admin_subnet must be a valid CIDR range" + gw_addr_regex_result = regex(local.regex_valid_cidr_range, var.gateway_addresses) == var.gateway_addresses ? 0 : "var.gateway_addresses must be a valid CIDR range" + volume_encryption_condition = var.volume_encryption != "" ? true : false + + regex_valid_primary_ntp = "^[\\.a-zA-Z0-9\\-]*$" + // Will fail if var.primary_ntp is invalid + regex_primary_ntp = regex(local.regex_valid_primary_ntp, var.primary_ntp) == var.primary_ntp ? 0 : "Variable [primary_ntp] must be a valid ntp" + + regex_valid_secondary_ntp = "^[\\.a-zA-Z0-9\\-]*$" + // Will fail if var.secondary_ntp is invalid + regex_secondary_ntp = regex(local.regex_valid_secondary_ntp, var.secondary_ntp) == var.secondary_ntp ? 0 : "Variable [secondary_ntp] must be a valid ntp" + + regex_valid_management_password_hash = "^[\\$\\./a-zA-Z0-9]*$" + // Will fail if var.management_password_hash is invalid + regex_management_password_hash = regex(local.regex_valid_management_password_hash, var.management_password_hash) == var.management_password_hash ? 0 : "Variable [management_password_hash] must be a valid password hash" + regex_maintenance_mode_password_hash = regex(local.regex_valid_management_password_hash, var.management_maintenance_mode_password_hash) == var.management_maintenance_mode_password_hash ? 
0 : "Variable [management_maintenance_mode_password_hash] must be a valid password hash" + regex_valid_sic_key = "(|[a-zA-Z0-9]{8,})" + // Will fail if var.SICKey is invalid + regex_sic_result = regex(local.regex_valid_sic_key, var.SICKey) == var.SICKey ? 0 : "Variable [SICKey] must be at least 8 alphanumeric characters" + + //Splits the version and licence and returns the os version + version_split = element(split("-", var.management_version), 0) + + management_bootstrap_script64 = base64encode(var.management_bootstrap_script) + management_SICkey_base64=base64encode(var.SICKey) + management_password_hash_base64=base64encode(var.management_password_hash) + maintenance_mode_password_hash_base64=base64encode(var.management_maintenance_mode_password_hash) + + manage_over_the_internet = var.gateway_management == "Over the internet" ? true : false + manage_over_internet_and_EIP = var.allocate_and_associate_eip && local.manage_over_the_internet ? true : false + pub_mgmt = local.manage_over_internet_and_EIP ? true : false + + management_installation_type_allowed_values = [ + "Primary management", + "Secondary management", + "Log Server"] + validate_management_installation_type = index(local.management_installation_type_allowed_values, var.management_installation_type) +} \ No newline at end of file diff --git a/terraform/aws/management/main.tf b/terraform/aws/management/main.tf new file mode 100755 index 00000000..3714dfa2 --- /dev/null +++ b/terraform/aws/management/main.tf 
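Review bot: The SIC key check in locals.tf does not enforce anything: `regex_valid_sic_key = "(|[a-zA-Z0-9]{8,})"` is unanchored and its first alternative is empty, so as far as I can tell `regex()` always finds a match (possibly the empty string) and never raises, and the resulting `regex_sic_result` is not referenced by any `count` in this commit, so the error string is merely stored. The other regex locals here only work because an anchored pattern makes `regex()` fail on non-matching input; the `== var.X ? 0 : "..."` tail adds nothing unless a resource consumes it. Anchoring fixes the SIC case, e.g. `regex_valid_sic_key = "^[a-zA-Z0-9]{8,}$|^$"`, so a key shorter than 8 characters or with other symbols fails at plan time while the empty default still passes. Since versions.tf in this commit requires Terraform >= 0.14.3, `validation` blocks on the variables would express these checks directly instead of relying on `index()`/`regex()` side effects.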
@@ -0,0 +1,221 @@ +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} + +module "amis" { + source = "../modules/amis" + + version_license = var.management_version + chkp_type = "management" +} + +resource "aws_security_group" "management_sg" { + description = "terraform Management security group" + vpc_id = var.vpc_id + name_prefix = format("%s_SecurityGroup", var.management_name) + // Group name + tags = { + Name = format("%s_SecurityGroup", var.management_name) + // Resource name + } + ingress { + from_port = 257 + to_port = 257 + protocol = "tcp" + cidr_blocks = [var.gateway_addresses] + } + ingress { + from_port = 18191 + to_port = 18191 + protocol = "tcp" + cidr_blocks = [var.gateway_addresses] + } + ingress { + from_port = 18192 + to_port = 18192 + protocol = "tcp" + cidr_blocks = [var.gateway_addresses] + } + ingress { + from_port = 18208 + to_port = 18208 + protocol = "tcp" + cidr_blocks = [var.gateway_addresses] + } + ingress { + from_port = 18210 + to_port = 18210 + protocol = "tcp" + cidr_blocks = [var.gateway_addresses] + } + ingress { + from_port = 18211 + to_port = 18211 + protocol = "tcp" + cidr_blocks = [var.gateway_addresses] + } + ingress { + from_port = 18221 + to_port = 18221 + protocol = "tcp" + cidr_blocks = [var.gateway_addresses] + } + ingress { + from_port = 18264 + to_port = 18264 + protocol = "tcp" + cidr_blocks = [var.gateway_addresses] + } + + ingress { + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_blocks = [var.admin_cidr] + } + ingress { + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = [var.admin_cidr] + } + ingress { + from_port = 18190 + to_port = 18190 + protocol = "tcp" + cidr_blocks = [var.admin_cidr] + } + ingress { + from_port = 19009 + to_port = 19009 + protocol = "tcp" + cidr_blocks = [var.admin_cidr] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } +} + +resource "aws_network_interface" 
"external-eni" { + subnet_id = var.subnet_id + security_groups = [aws_security_group.management_sg.id] + description = "eth0" + source_dest_check = true + tags = { + Name = format("%s-network_interface", var.management_name) + } +} + +resource "aws_eip" "eip" { + count = var.allocate_and_associate_eip ? 1 : 0 + network_interface = aws_network_interface.external-eni.id +} + +resource "aws_iam_instance_profile" "management_instance_profile" { + count = local.pre_role + path = "/" + role = var.predefined_role +} + +resource "aws_launch_template" "management_launch_template" { + depends_on = [ + aws_network_interface.external-eni, + aws_eip.eip + ] + + instance_type = var.management_instance_type + key_name = var.key_name + image_id = module.amis.ami_id + description = "Initial launch template version" + + iam_instance_profile { + name = local.use_role == 1 ? (local.pre_role == 1 ? aws_iam_instance_profile.management_instance_profile[0].id : join("", (var.is_gwlb_iam == true ? module.cme_iam_role_gwlb.*.cme_iam_profile_name : module.cme_iam_role.*.cme_iam_profile_name))): "" + } + + metadata_options { + http_tokens = var.metadata_imdsv2_required ? "required" : "optional" + } + + network_interfaces { + network_interface_id = aws_network_interface.external-eni.id + device_index = 0 + } +} + +resource "aws_instance" "management-instance" { + depends_on = [ + aws_launch_template.management_launch_template + ] + + launch_template { + id = aws_launch_template.management_launch_template.id + version = "$Latest" + } + + disable_api_termination = var.disable_instance_termination + + tags = merge({ + Name = var.management_name + }, var.instance_tags) + + ebs_block_device { + device_name = "/dev/xvda" + volume_type = var.volume_type + volume_size = var.volume_size + encrypted = local.volume_encryption_condition + kms_key_id = local.volume_encryption_condition ? 
var.volume_encryption : "" + } + + lifecycle { + ignore_changes = [ebs_block_device,] + } + + user_data = templatefile("${path.module}/management_userdata.yaml", { + // script's arguments + Hostname = var.management_hostname, + PasswordHash = local.management_password_hash_base64, + MaintenanceModePassword = local.maintenance_mode_password_hash_base64, + AllowUploadDownload = var.allow_upload_download, + NTPPrimary = var.primary_ntp + NTPSecondary = var.secondary_ntp + Shell = var.admin_shell, + AdminSubnet = var.admin_cidr + ManagementInstallationType = var.management_installation_type + SICKey = local.management_SICkey_base64, + OsVersion = local.version_split + EnableInstanceConnect = var.enable_instance_connect + AllocateElasticIP = var.allocate_and_associate_eip + GatewayManagement = var.gateway_management + BootstrapScript = local.management_bootstrap_script64 + PubMgmt = local.pub_mgmt + + }) +} + +module "cme_iam_role" { + source = "../cme-iam-role" + providers = { + aws = aws + } + count = local.new_instance_profile_general + + sts_roles = var.sts_roles + permissions = var.iam_permissions +} + +module "cme_iam_role_gwlb" { + source = "../cme-iam-role-gwlb" + providers = { + aws = aws + } + count = local.new_instance_profile_gwlb + + sts_roles = var.sts_roles + permissions = var.iam_permissions +} diff --git a/terraform/aws/management/management_userdata.yaml b/terraform/aws/management/management_userdata.yaml new file mode 100755 index 00000000..0f3801ff --- /dev/null +++ b/terraform/aws/management/management_userdata.yaml 
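Review bot: `lifecycle { ignore_changes = [ebs_block_device,] }` on aws_instance.management-instance means that after the first apply, later changes to `volume_size`, `volume_type` or `volume_encryption` (and therefore the `kms_key_id` derived from `local.volume_encryption_condition`) are never applied, and nothing in the hunk says so. Add a comment above the block, e.g. `// Root volume settings apply at first launch only; later volume_* changes are ignored (presumably to avoid replacing the instance - confirm)`. On the security group, ports 22, 443, 18190 and 19009 are opened to `var.admin_cidr`, which locals.tf only checks for CIDR syntax, so a short comment at those ingress rules that the caller is expected to narrow this range would help operators reading main.tf.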
@@ -0,0 +1,4 @@
+#cloud-config
+runcmd:
+ - |
+ python3 /etc/cloud_config.py sicKey=\"${SICKey}\" installationType=\"management\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"management\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" "management_installation_type=\"${ManagementInstallationType}\"" adminSubnet=\"${AdminSubnet}\" allocatePublicAddress=\"${AllocateElasticIP}\" overTheInternet=\"${PubMgmt}\" bootstrapScript64=\"${BootstrapScript}\"
\ No newline at end of file
diff --git a/terraform/aws/management/output.tf b/terraform/aws/management/output.tf
new file mode 100755
index 00000000..da20727b
--- /dev/null
+++ b/terraform/aws/management/output.tf
@@ -0,0 +1,19 @@
+output "Deployment" {
+ value = "Finalizing configuration may take up to 20 minutes after deployment is finished."
+}
+
+output "management_instance_id" {
+ value = aws_instance.management-instance.id
+}
+output "management_instance_name" {
+ value = aws_instance.management-instance.tags["Name"]
+}
+output "management_instance_tags" {
+ value = aws_instance.management-instance.tags
+}
+output "management_public_ip" {
+ value = aws_instance.management-instance.public_ip
+}
+output "management_url" {
+ value = format("https://%s", aws_instance.management-instance.public_ip)
+}
\ No newline at end of file
diff --git a/terraform/aws/management/terraform.tfvars b/terraform/aws/management/terraform.tfvars
new file mode 100755
index 00000000..81891681
--- /dev/null
+++ b/terraform/aws/management/terraform.tfvars
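Review bot: `hostName=\"${Hostname }\"` is interpolated raw into a double-quoted shell command line, whereas SICKey, PasswordHash, MaintenanceModePassword and BootstrapScript are passed base64-encoded; admin_cidr and the NTP values are regex-checked in locals.tf, but `management_hostname` has no check anywhere in this commit, so a value containing `"`, `$` or `;` breaks or alters the cloud_config.py invocation. Either base64-encode the hostname in locals.tf like the other free-text fields, or add a hostname regex local next to the NTP ones. The hard-coded `templateVersion=\"20231012\"` also disagrees with the README revision history in this same commit, which ends at 20240515; if it is meant to track that table it should be bumped or derived from one place. The stray space in `${Hostname }` is harmless to HCL but inconsistent with every other placeholder on the line.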
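Review bot: `management_public_ip` and `management_url` read `aws_instance.management-instance.public_ip` unconditionally, but the EIP is only created when `allocate_and_associate_eip` is true (main.tf in this commit), so with the EIP disabled and a subnet that does not auto-assign public addresses these outputs become an empty string and a bare `https://`. Consider `value = var.allocate_and_associate_eip ? format("https://%s", aws_instance.management-instance.public_ip) : ""`, or at least give the outputs a `description` stating that they are only meaningful when an EIP is allocated; none of the outputs in this hunk has a description.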
@@ -0,0 +1,42 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_id = "vpc-12345678"
+subnet_id = "subnet-abc123"
+
+// --- EC2 Instances Configuration ---
+management_name = "CP-Management-tf"
+management_instance_type = "m5.xlarge"
+key_name = "publickey"
+allocate_and_associate_eip = true
+volume_size = 100
+volume_encryption = "alias/aws/ebs"
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+instance_tags = {
+ key1 = "value1"
+ key2 = "value2"
+}
+
+// --- IAM Permissions ---
+iam_permissions = "Create with read permissions"
+predefined_role = ""
+sts_roles = []
+
+// --- Check Point Settings ---
+management_version = "R81.20-BYOL"
+admin_shell = "/etc/cli.sh"
+management_password_hash = ""
+management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password.
+// --- Security Management Server Settings ---
+management_hostname = "mgmt-tf"
+management_installation_type = "Primary management"
+SICKey = ""
+allow_upload_download = "true"
+gateway_management = "Locally managed"
+admin_cidr = "0.0.0.0/0"
+gateway_addresses = "0.0.0.0/0"
+primary_ntp = ""
+secondary_ntp = ""
+management_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
diff --git a/terraform/aws/management/variables.tf b/terraform/aws/management/variables.tf
new file mode 100755
index 00000000..763918f0
--- /dev/null
+++ b/terraform/aws/management/variables.tf
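Review bot: The sample `admin_cidr = "0.0.0.0/0"` and `gateway_addresses = "0.0.0.0/0"` are exactly what main.tf in this commit feeds into the security group for SSH (22), HTTPS (443) and the other admin and gateway ports, so applying the example unchanged exposes the management server to the whole internet, and nothing in the file marks these as placeholders. Use an obviously fake, narrow range with a comment, e.g. `admin_cidr = "203.0.113.0/24" # CHANGE ME: restrict to your admin network` (a constructed documentation-range example), in the same spirit as `vpc-12345678`. Separately, `allow_upload_download = "true"` is a string where the README in this commit documents the variable as bool; Terraform converts it, but `true` is the consistent form.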
@@ -0,0 +1,194 @@ +// Module: Check Point CloudGuard Network Security Management Server into an existing VPC + +// --- AWS Provider --- +variable "region" { + type = string + description = "AWS region" + default = "" +} +variable "access_key" { + type = string + description = "AWS access key" + default = "" +} +variable "secret_key" { + type = string + description = "AWS secret key" + default = "" +} + +// --- VPC Network Configuration --- +variable "vpc_id" { + type = string +} +variable "subnet_id" { + type = string + description = "To access the instance from the internet, make sure the subnet has a route to the internet" +} + +// --- EC2 Instance Configuration --- +variable "management_name" { + type = string + description = "(Optional) The name tag of the Security Management instance" + default = "Check-Point-Management-tf" +} +variable "management_instance_type" { + type = string + description = "The instance type of the Security Management Server" + default = "m5.xlarge" +} +module "validate_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "management" + instance_type = var.management_instance_type +} +variable "key_name" { + type = string + description = "The EC2 Key Pair name to allow SSH access to the instances" +} +variable "allocate_and_associate_eip" { + type = bool + description = "If set to true, an elastic IP will be allocated and associated with the launched instance" + default = true +} +variable "volume_size" { + type = number + description = "Root volume size (GB) - minimum 100" + default = 100 +} +resource "null_resource" "volume_size_too_small" { + // Will fail if var.volume_size is less than 100 + count = var.volume_size >= 100 ? 0 : "variable volume_size must be at least 100" +} +variable "volume_encryption" { + type = string + description = "KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. 
for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs')" + default = "alias/aws/ebs" +} +variable "enable_instance_connect" { + type = bool + description = "Enable AWS Instance Connect - Ec2 Instance Connect is not supported with versions prior to R80.40" + default = false +} +variable "disable_instance_termination" { + type = bool + description = "Prevents an instance from accidental termination" + default = false +} +variable "metadata_imdsv2_required" { + type = bool + description = "Set true to deploy the instance with metadata v2 token required" + default = true +} +variable "instance_tags" { + type = map(string) + description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Management EC2 Instance" + default = {} +} + +// --- IAM Permissions (ignored when the installation is not Primary Management Server) --- +variable "iam_permissions" { + type = string + description = "IAM role to attach to the instance profile" + default = "Create with read permissions" +} +variable "predefined_role" { + type = string + description = "(Optional) A predefined IAM role to attach to the instance profile. Ignored if var.iam_permissions is not set to 'Use existing'" + default = "" +} +variable "sts_roles" { + type = list(string) + description = "(Optional) The IAM role will be able to assume these STS Roles (list of ARNs). 
Ignored if var.iam_permissions is set to 'None' or 'Use existing'" + default = [] +} + +// --- Check Point Settings --- +variable "management_version" { + type = string + description = "Management version and license" + default = "R81.20-BYOL" +} +module "validate_management_version" { + source = "../modules/common/version_license" + + chkp_type = "management" + version_license = var.management_version +} +variable "admin_shell" { + type = string + description = "Set the admin shell to enable advanced command line configuration" + default = "/etc/cli.sh" +} +variable "management_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" + default = "" +} +variable "management_maintenance_mode_password_hash" { + description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)." + type = string + default = "" +} + +// --- Security Management Server Settings --- +variable "management_hostname" { + type = string + description = "(Optional) Security Management Server prompt hostname" + default = "" +} +variable "management_installation_type" { + type = string + description = "Determines the Management Server installation type: Primary management, Secondary management, Log Server" + default = "Primary management" +} +variable "SICKey" { + type = string + description = "Mandatory only when deploying a secondary Management Server, the Secure Internal Communication key creates trusted connections between Check Point components. 
Choose a random string consisting of at least 8 alphanumeric characters" + default = "" +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + default = true +} +variable "gateway_management" { + type = string + description = "Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address" + default = "Locally managed" +} +variable "admin_cidr" { + type = string + description = "(CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Security Management Server" + default = "0.0.0.0/0" +} +variable "gateway_addresses" { + type = string + description = "(CIDR) Allow gateways only from this network to communicate with the Security Management Server" + default = "0.0.0.0/0" +} +variable "primary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol primary server" + default = "169.254.169.123" +} +variable "secondary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server" + default = "0.pool.ntp.org" +} +variable "management_bootstrap_script" { + type = string + description = "(Optional) Semicolon (;) separated commands to run on the initial boot" + default = "" +} +variable "volume_type" { + type = string + description = "General Purpose SSD Volume Type" + default = "gp3" +} +variable "is_gwlb_iam" { + type = bool + default = false +} \ No newline at end of file diff --git a/terraform/aws/management/versions.tf b/terraform/aws/management/versions.tf new file mode 100755 index 00000000..c138bbb3 --- /dev/null +++ b/terraform/aws/management/versions.tf 
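Review bot: `secret_key`, `management_password_hash`, `management_maintenance_mode_password_hash` and `SICKey` are declared without `sensitive = true`, so their values appear in plain text in `terraform plan` and `apply` output, including the user_data diff; versions.tf in this commit requires `>= 0.14.3`, which supports the attribute, so each of these blocks can carry `sensitive = true`. The `null_resource.volume_size_too_small` pattern could instead be a `validation` block on `volume_size` with `condition = var.volume_size >= 100` and the same message, which reports a proper validation error rather than a type error on `count`. `is_gwlb_iam` is the only variable without a description.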
@@ -0,0 +1,12 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ }
+}
diff --git a/terraform/aws/mds/README.md b/terraform/aws/mds/README.md
new file mode 100755
index 00000000..5da9667d
--- /dev/null
+++ b/terraform/aws/mds/README.md
@@ -0,0 +1,190 @@ +# Check Point CloudGuard Network Multi-Domain Server Terraform module for AWS + +Terraform module which deploys a Check Point CloudGuard Network Multi-Domain Server into an existing VPC. + +These types of Terraform resources are supported: +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) +* [Security Group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/aws/r/network_interface.html) +* [IAM Role](https://www.terraform.io/docs/providers/aws/r/iam_role.html) - conditional creation + +See the [Multi-Domain Management Deployment on AWS](https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk143213) for additional information + +This solution uses the following modules: +- /terraform/aws/modules/amis +- /terraform/aws/cme-iam-role + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/mds/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Static credentials are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-module /terraform/aws/cme-iam-role: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + b. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-module /terraform/aws/cme-iam-role: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/mds/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +- Variables are configured in /terraform/aws/mds/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- VPC Network Configuration --- + vpc_id = "vpc-12345678" + subnet_id = "subnet-abc123" + + // --- EC2 Instances Configuration --- + mds_name = "CP-MDS-tf" + mds_instance_type = "m5.12xlarge" + key_name = "publickey" + volume_size = 100 + volume_encryption = "alias/aws/ebs" + enable_instance_connect = false + disable_instance_termination = false + instance_tags = { + key1 = "value1" + key2 = "value2" + } + + // --- IAM Permissions --- + iam_permissions = "Create with read permissions" + predefined_role = "" + sts_roles = [] + + // --- Check Point Settings --- + mds_version = "R81.20-BYOL" + mds_admin_shell = "/etc/cli.sh" + mds_password_hash = "" + mds_maintenance_mode_password_hash = "" + + // --- Multi-Domain Server Settings --- + mds_hostname = "mds-tf" + mds_SICKey = "" + allow_upload_download = "true" + mds_installation_type = "Primary Multi-Domain Server" + admin_cidr = "0.0.0.0/0" + gateway_addresses = "0.0.0.0/0" + primary_ntp = "" + secondary_ntp = "" 
+ mds_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + ``` + +- Conditional creation + - To create IAM Role: + ``` + iam_permissions = "Create with read permissions" | "Create with read-write permissions" | "Create with assume role permissions (specify an STS role ARN)" + and + mds_installation_type = "Primary Multi-Domain Server" + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | +|------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------|----------| +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| subnet_id | To access the instance from the internet, make sure the subnet has a route to the internet | string | n/a | n/a | yes | +| mds_name | (Optional) The name tag of the Multi-Domain Server instance | string | n/a | Check-Point-MDS-tf | no | +| mds_instance_type | The instance type of the Multi-Domain Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.12xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Multi-Domain Server EC2 Instance | map(string) | n/a | {} | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| iam_permissions | IAM role to attach to the instance profile | string | - None (configure later)
- Use existing (specify an existing IAM role name)
- Create with assume role permissions (specify an STS role ARN)
- Create with read permissions
- Create with read-write permissions | Create with read permissions | no | +| predefined_role | (Optional) A predefined IAM role to attach to the instance profile. Ignored if var.iam_permissions is not set to 'Use existing' | string | n/a | "" | no | +| sts_roles | (Optional) The IAM role will be able to assume these STS Roles (list of ARNs). Ignored if var.iam_permissions is set to 'None' or 'Use existing' | list(string) | n/a | [] | no | +| mds_version | Multi-Domain Server version and license | string | - R80.40-BYOL
- R81-BYOL
- R81.10-BYOL
- R81.20-BYOL | R81.20-BYOL | no | +| mds_admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| mds_password_hash | (Optional) Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash) | string | n/a | "" | no | +| mds_hostname | (Optional) Multi-Domain Server prompt hostname. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| mds_SICKey | Mandatory if deploying a Secondary Multi-Domain Server or Multi-Domain Log Server, the Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| mds_installation_type | Determines the Multi-Domain Server installation type | string | - Primary Multi-Domain Server
- Secondary Multi-Domain Server
- Multi-Domain Log Server | Primary Multi-Domain Server | no | +| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Multi-Domain Server | string | valid CIDR | 0.0.0.0/0 | no | +| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Multi-Domain Server | string | valid CIDR | 0.0.0.0/0 | no | +| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | +| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | +| mds_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| mds_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). 
| string | n/a | "" | no | + + +## Outputs +| Name | Description | +|-------------------|----------------------------------------------------| +| mds_instance_id | The deployed Multi-Domain Server AWS instance id | +| mds_instance_name | The deployed Multi-Domain Server AWS instance name | +| mds_instance_tags | The deployed Multi-Domain Server AWS tags | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|---------------------------------------------------------------------------------------------------------------| +| 20210309 | First release of Check Point Multi-Domain Server Terraform module for AWS | +| 20210329 | Stability fixes | +| 20221123 | R81.20 version support | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230806 | Add support for c6in instance type | +| 20230829 | Change default Check Point version to R81.20 | +| 20230914 | Add support for maintenance mode password | +| 20230923 | Add support for C5d instance type | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/terraform/aws/mds/locals.tf b/terraform/aws/mds/locals.tf new file mode 100755 index 00000000..7dd690a2 --- /dev/null +++ b/terraform/aws/mds/locals.tf 
@@ -0,0 +1,69 @@ +locals { + permissions_allowed_values = [ + "None (configure later)", + "Use existing (specify an existing IAM role name)", + "Create with assume role permissions (specify an STS role ARN)", + "Create with read permissions", + "Create with read-write permissions"] + // Will fail if var.iam_permissions is invalid + validate_permissions = index(local.permissions_allowed_values, var.iam_permissions) + + installation_type_allowed_values = [ + "Primary Multi-Domain Server", + "Secondary Multi-Domain Server", + "Multi-Domain Log Server"] + // Will fail if var.mds_installation_type is invalid + validate_installation_type = index(local.installation_type_allowed_values, var.mds_installation_type) + + primary_mds = var.mds_installation_type == "Primary Multi-Domain Server" + secondary_mds = var.mds_installation_type == "Secondary Multi-Domain Server" + + use_role = var.iam_permissions != "None (configure later)" && local.primary_mds ? 1 : 0 + create_iam_role = (local.primary_mds) && (var.iam_permissions == "Create with assume role permissions (specify an STS role ARN)" || var.iam_permissions == "Create with read permissions" || var.iam_permissions == "Create with read-write permissions") + + admin_shell_allowed_values = [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh"] + // Will fail if var.admin_shell is invalid + validate_admin_shell = index(local.admin_shell_allowed_values, var.mds_admin_shell) + + regex_valid_key_name = "[\\S\\s]+[\\S]+" + // will fail if var.key_name is invalid + regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string" + + regex_valid_cidr_range = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))?$" + // Will fail if var.admin_subnet or var.gateway_addresses are invalid + mgmt_subnet_regex_result = regex(local.regex_valid_cidr_range, var.admin_cidr) == var.admin_cidr ? 
0 : "var.admin_subnet must be a valid CIDR range" + gw_addr_regex_result = regex(local.regex_valid_cidr_range, var.gateway_addresses) == var.gateway_addresses ? 0 : "var.gateway_addresses must be a valid CIDR range" + volume_encryption_condition = var.volume_encryption != "" ? true : false + + regex_valid_gateway_hostname = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$" + // Will fail if var.mds_hostname is invalid + regex_gateway_hostname = regex(local.regex_valid_gateway_hostname, var.mds_hostname) == var.mds_hostname ? 0 : "Variable [mds_hostname] must be a valid hostname label or an empty string" + + regex_valid_primary_ntp = "^[\\.a-zA-Z0-9\\-]*$" + // Will fail if var.primary_ntp is invalid + regex_primary_ntp = regex(local.regex_valid_primary_ntp, var.primary_ntp) == var.primary_ntp ? 0 : "Variable [primary_ntp] must be a valid ntp" + + regex_valid_secondary_ntp = "^[\\.a-zA-Z0-9\\-]*$" + // Will fail if var.secondary_ntp is invalid + regex_secondary_ntp = regex(local.regex_valid_secondary_ntp, var.secondary_ntp) == var.secondary_ntp ? 0 : "Variable [secondary_ntp] must be a valid ntp" + + regex_valid_mds_password_hash = "^[\\$\\./a-zA-Z0-9]*$" + // Will fail if var.mds_password_hash is invalid + regex_mds_password_hash = regex(local.regex_valid_mds_password_hash, var.mds_password_hash) == var.mds_password_hash ? 0 : "Variable [mds_password_hash] must be a valid password hash" + regex_maintenance_mode_password_hash = regex(local.regex_valid_mds_password_hash, var.mds_maintenance_mode_password_hash) == var.mds_maintenance_mode_password_hash ? 0 : "Variable [mds_maintenance_mode_password_hash] must be a valid password hash" + + regex_valid_sic_key = "(|[a-zA-Z0-9]{8,})" + // Will fail if var.mds_SICKey is invalid + regex_sic_result = regex(local.regex_valid_sic_key, var.mds_SICKey) == var.mds_SICKey ? 
0 : "Variable [mds_SICKey] must be at least 8 alphanumeric characters" + //Splits the version and licence and returns the os version + version_split = element(split("-", var.mds_version), 0) + + mds_bootstrap_script64 = base64encode(var.mds_bootstrap_script) + mds_SICkey_base64 = base64encode(var.mds_SICKey) + mds_password_hash_base64 =base64encode(var.mds_password_hash) + maintenance_mode_password_hash_base64 = base64encode(var.mds_maintenance_mode_password_hash) +} \ No newline at end of file diff --git a/terraform/aws/mds/main.tf b/terraform/aws/mds/main.tf new file mode 100755 index 00000000..8a22b264 --- /dev/null +++ b/terraform/aws/mds/main.tf 
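Review bot: `regex_valid_sic_key = "(|[a-zA-Z0-9]{8,})"` is unanchored and its first alternative is empty, so `regex()` always succeeds and the ternary only stores a message string in `regex_sic_result`, which nothing in the visible main.tf consumes — a SIC key shorter than 8 characters or containing other characters is not rejected, unlike the anchored patterns above it where a non-match makes `regex()` itself fail. Anchoring it as `regex_valid_sic_key = "^(|[a-zA-Z0-9]{8,})$"` restores the failure, and a `validation` block on the variable with `can(regex(...))` would make the intent explicit. The comment and message on the admin CIDR check refer to `var.admin_subnet` while the value checked is `var.admin_cidr`; the message should read `"var.admin_cidr must be a valid CIDR range"`.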
@@ -0,0 +1,194 @@ +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} + +module "amis" { + source = "../modules/amis" + + version_license = var.mds_version + chkp_type = "mds" +} + +resource "aws_security_group" "mds_sg" { + description = "terraform Multi-Domain Server security group" + vpc_id = var.vpc_id + name_prefix = format("%s_SecurityGroup", var.mds_name) + // Group name + tags = { + Name = format("%s_SecurityGroup", var.mds_name) + // Resource name + } + ingress { + from_port = 257 + to_port = 257 + protocol = "tcp" + cidr_blocks = [var.gateway_addresses] + } + ingress { + from_port = 8211 + to_port = 8211 + protocol = "tcp" + cidr_blocks = [var.gateway_addresses] + } + ingress { + from_port = 18191 + to_port = 18191 + protocol = "tcp" + cidr_blocks = [var.gateway_addresses] + } + ingress { + from_port = 18192 + to_port = 18192 + protocol = "tcp" + cidr_blocks = [var.gateway_addresses] + } + ingress { + from_port = 18208 + to_port = 18208 + protocol = "tcp" + cidr_blocks = [var.gateway_addresses] + } + ingress { + from_port = 18210 + to_port = 18210 + protocol = "tcp" + cidr_blocks = [var.gateway_addresses] + } + ingress { + from_port = 18211 + to_port = 18211 + protocol = "tcp" + cidr_blocks = [var.gateway_addresses] + } + ingress { + from_port = 18221 + to_port = 18221 + protocol = "tcp" + cidr_blocks = [var.gateway_addresses] + } + ingress { + from_port = 18264 + to_port = 18264 + protocol = "tcp" + cidr_blocks = [var.gateway_addresses] + } + ingress { + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_blocks = [var.admin_cidr] + } + ingress { + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = [var.admin_cidr] + } + ingress { + from_port = 18190 + to_port = 18190 + protocol = "tcp" + cidr_blocks = [var.admin_cidr] + } + ingress { + from_port = 19009 + to_port = 19009 + protocol = "tcp" + cidr_blocks = [var.admin_cidr] + } + + egress { + from_port = 0 + to_port = 0 + protocol = 
"-1" + cidr_blocks = ["0.0.0.0/0"] + } +} + +resource "aws_iam_instance_profile" "mds_instance_profile" { + count = local.use_role + path = "/" + role = local.create_iam_role ? join("", module.cme_iam_role.*.cme_iam_role_name) : var.predefined_role +} + +resource "aws_network_interface" "external-eni" { + subnet_id = var.subnet_id + security_groups = [aws_security_group.mds_sg.id] + description = "eth0" + source_dest_check = true + tags = { + Name = format("%s-network_interface", var.mds_name) + } +} + +resource "aws_launch_template" "mds_launch_template" { + instance_type = var.mds_instance_type + key_name = var.key_name + image_id = module.amis.ami_id + description = "Initial launch template version" + + iam_instance_profile { + name = local.use_role == 1 ? aws_iam_instance_profile.mds_instance_profile[0].id : "" + } + + metadata_options { + http_tokens = var.metadata_imdsv2_required ? "required" : "optional" + } + + network_interfaces { + network_interface_id = aws_network_interface.external-eni.id + device_index = 0 + } +} + +resource "aws_instance" "mds-instance" { + launch_template { + id = aws_launch_template.mds_launch_template.id + version = "$Latest" + } + + disable_api_termination = var.disable_instance_termination + + tags = merge({ + Name = var.mds_name + }, var.instance_tags) + + ebs_block_device { + device_name = "/dev/xvda" + volume_type = "gp2" + volume_size = var.volume_size + encrypted = local.volume_encryption_condition + kms_key_id = local.volume_encryption_condition ? 
var.volume_encryption : "" + } + + user_data = templatefile("${path.module}/mds_userdata.yaml", { + // script's arguments + Hostname = var.mds_hostname, + PasswordHash = local.mds_password_hash_base64 + MaintenanceModePassword = local.maintenance_mode_password_hash_base64 + AllowUploadDownload = var.allow_upload_download, + NTPPrimary = var.primary_ntp + NTPSecondary = var.secondary_ntp + Shell = var.mds_admin_shell, + AdminSubnet = var.admin_cidr + IsPrimary = local.primary_mds + IsSecondary = local.secondary_mds + SICKey = local.mds_SICkey_base64, + EnableInstanceConnect = var.enable_instance_connect + BootstrapScript = local.mds_bootstrap_script64 + OsVersion = local.version_split + }) +} + +module "cme_iam_role" { + source = "../cme-iam-role" + providers = { + aws = aws + } + count = local.create_iam_role ? 1 : 0 + + sts_roles = var.sts_roles + permissions = var.iam_permissions +} diff --git a/terraform/aws/mds/mds_userdata.yaml b/terraform/aws/mds/mds_userdata.yaml new file mode 100755 index 00000000..3321cd60 --- /dev/null +++ b/terraform/aws/mds/mds_userdata.yaml @@ -0,0 +1,4 @@ +#cloud-config +runcmd: + - | + python3 /etc/cloud_config.py sicKey=\"${SICKey}\" installationType=\"mds\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"mds\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" primary=\"${IsPrimary}\" secondary=\"${IsSecondary}\" adminSubnet=\"${AdminSubnet}\" bootstrapScript64=\"${BootstrapScript}\" \ No newline at end of file diff --git a/terraform/aws/mds/output.tf b/terraform/aws/mds/output.tf new file mode 100755 index 00000000..c1d3783a --- /dev/null +++ b/terraform/aws/mds/output.tf 
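Review bot: The `ebs_block_device` in `aws_instance.mds-instance` hard-codes `volume_type = "gp2"`, whereas the management variables.tf in this chunk exposes a `volume_type` variable defaulting to gp3; if the two modules are meant to match, `volume_type = var.volume_type` with a matching variable is the fix (the mds variables.tf hunk is cut off, so I cannot tell whether one exists). The user_data also deserves a comment: it carries the base64 of both password hashes and the SIC key, and instance user data is readable by any principal allowed `ec2:DescribeInstanceAttribute` on the instance as well as from the instance metadata service, so the IAM policy on who may describe this instance is part of the security boundary; `metadata_imdsv2_required` defaulting to true helps but does not change that.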
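Review bot: `templateVersion=\"20231012\"` does not match the latest entry in the README revision history added by this commit (20240515, the IMDSv2 support), so the version the instance reports will lag the template it was built from; the management userdata hunk at the top of this chunk has the same value. Unless the value is deliberately frozen, bump it to `templateVersion=\"20240515\"` together with the README. `hostName=\"${Hostname }\"` has a stray space inside the interpolation that the other placeholders do not carry.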
@@ -0,0 +1,13 @@
+output "Deployment" {
+ value = "Finalizing configuration may take up to 20 minutes after deployment is finished."
+}
+
+output "mds_instance_id" {
+ value = aws_instance.mds-instance.id
+}
+output "mds_instance_name" {
+ value = aws_instance.mds-instance.tags["Name"]
+}
+output "mds_instance_tags" {
+ value = aws_instance.mds-instance.tags
+}
\ No newline at end of file
diff --git a/terraform/aws/mds/terraform.tfvars b/terraform/aws/mds/terraform.tfvars
new file mode 100755
index 00000000..e79af359
--- /dev/null
+++ b/terraform/aws/mds/terraform.tfvars
@@ -0,0 +1,41 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_id = "vpc-12345678"
+subnet_id = "subnet-abc123"
+
+// --- EC2 Instances Configuration ---
+mds_name = "CP-MDS-tf"
+mds_instance_type = "m5.12xlarge"
+key_name = "publickey"
+volume_size = 100
+volume_encryption = "alias/aws/ebs"
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+instance_tags = {
+ key1 = "value1"
+ key2 = "value2"
+}
+
+// --- IAM Permissions ---
+iam_permissions = "Create with read permissions"
+predefined_role = ""
+sts_roles = []
+
+// --- Check Point Settings ---
+mds_version = "R81.20-BYOL"
+mds_admin_shell = "/etc/cli.sh"
+mds_password_hash = ""
+mds_maintenance_mode_password_hash = ""
+
+// --- Multi-Domain Server Settings ---
+mds_hostname = "mds-tf"
+mds_SICKey = ""
+allow_upload_download = "true"
+mds_installation_type = "Primary Multi-Domain Server"
+admin_cidr = "0.0.0.0/0"
+gateway_addresses = "0.0.0.0/0"
+primary_ntp = ""
+secondary_ntp = ""
+mds_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
diff --git a/terraform/aws/mds/variables.tf b/terraform/aws/mds/variables.tf
new file mode 100755
index 00000000..f4218e4c
--- /dev/null
+++ b/terraform/aws/mds/variables.tf
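Review bot: `admin_cidr = "0.0.0.0/0"` and `gateway_addresses = "0.0.0.0/0"` in the shipped terraform.tfvars, together with the same defaults in variables.tf, mean a copy-and-apply deployment opens the MDS web, SSH and GUI-client ports to every source address. Since this file is the starting point users copy, an obviously invalid placeholder such as `admin_cidr = "<admin-network-cidr>"` (constructed placeholder) would force an explicit choice the way `vpc_id = "vpc-12345678"` already does. `allow_upload_download = "true"` is a quoted string while variables.tf declares the variable as `bool`; Terraform converts it, but the unquoted `true` matches the declared type and the other boolean lines in this file.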
@@ -0,0 +1,175 @@ +// Module: Check Point CloudGuard Network Multi-Domain Server into an existing VPC + +// --- AWS Provider --- +variable "region" { + type = string + description = "AWS region" + default = "" +} +variable "access_key" { + type = string + description = "AWS access key" + default = "" +} +variable "secret_key" { + type = string + description = "AWS secret key" + default = "" +} + +// --- VPC Network Configuration --- +variable "vpc_id" { + type = string +} +variable "subnet_id" { + type = string + description = "To access the instance from the internet, make sure the subnet has a route to the internet" +} + +// --- EC2 Instance Configuration --- +variable "mds_name" { + type = string + description = "(Optional) The name tag of the Multi-Domain Server instance" + default = "Check-Point-MDS-tf" +} +variable "mds_instance_type" { + type = string + description = "The instance type of the Multi-Domain Server" + default = "m5.2xlarge" +} +module "validate_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "mds" + instance_type = var.mds_instance_type +} +variable "key_name" { + type = string + description = "The EC2 Key Pair name to allow SSH access to the instance" +} +variable "volume_size" { + type = number + description = "Root volume size (GB) - minimum 100" + default = 100 +} +resource "null_resource" "volume_size_too_small" { + // Will fail if var.volume_size is less than 100 + count = var.volume_size >= 100 ? 0 : "variable volume_size must be at least 100" +} +variable "volume_encryption" { + type = string + description = "KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. 
for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs')" + default = "alias/aws/ebs" +} +variable "enable_instance_connect" { + type = bool + description = "Enable SSH connection over AWS web console" + default = false +} +variable "disable_instance_termination" { + type = bool + description = "Prevents an instance from accidental termination" + default = false +} +variable "metadata_imdsv2_required" { + type = bool + description = "Set true to deploy the instance with metadata v2 token required" + default = true +} +variable "instance_tags" { + type = map(string) + description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Multi-Domain Server EC2 Instance" + default = {} +} + +// --- IAM Permissions (ignored when the installation type is not Primary Multi-Domain Server) --- +variable "iam_permissions" { + type = string + description = "IAM role to attach to the instance profile" + default = "Create with read permissions" +} +variable "predefined_role" { + type = string + description = "(Optional) A predefined IAM role to attach to the instance profile. Ignored if var.iam_permissions is not set to 'Use existing'" + default = "" +} +variable "sts_roles" { + type = list(string) + description = "(Optional) The IAM role will be able to assume these STS Roles (list of ARNs). 
Ignored if var.iam_permissions is set to 'None' or 'Use existing'" + default = [] +} + +// --- Check Point Settings --- +variable "mds_version" { + type = string + description = "Multi-Domain Server version and license" + default = "R81.20-BYOL" +} +module "validate_mds_version" { + source = "../modules/common/version_license" + + chkp_type = "mds" + version_license = var.mds_version +} +variable "mds_admin_shell" { + type = string + description = "Set the admin shell to enable advanced command line configuration" + default = "/etc/cli.sh" +} +variable "mds_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" + default = "" +} +variable "mds_maintenance_mode_password_hash" { + description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)." + type = string + default = "" +} + +// --- Multi-Domain Server Settings --- +variable "mds_hostname" { + type = string + description = "(Optional) Multi-Domain Server prompt hostname" + default = "" +} +variable "mds_SICKey" { + type = string + description = "Mandatory if deploying a Secondary Multi-Domain Server or Multi-Domain Log Server, the Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters" + default = "" +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point" + default = true +} +variable "mds_installation_type" { + type = string + description = "Determines the Multi-Domain Server installation type" + default = "Primary Multi-Domain Server" +} +variable "admin_cidr" { + type = string + description = "(CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Multi-Domain Server" + default = "0.0.0.0/0" +} +variable "gateway_addresses" { + type = string + description = "(CIDR) Allow gateways only from this network to communicate with the Multi-Domain Server" + default = "0.0.0.0/0" +} +variable "primary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol primary server" + default = "169.254.169.123" +} +variable "secondary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server" + default = "0.pool.ntp.org" +} +variable "mds_bootstrap_script" { + type = string + description = "(Optional) Semicolon (;) separated commands to run on the initial boot" + default = "" +} diff --git a/terraform/aws/mds/versions.tf b/terraform/aws/mds/versions.tf new file mode 100755 index 00000000..c138bbb3 --- /dev/null +++ b/terraform/aws/mds/versions.tf @@ -0,0 +1,12 @@ +terraform { + required_version = ">= 0.14.3" + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.20.0" + } + http = { + version = "~> 3.4.0" + } + } +} diff --git a/terraform/aws/modules/amis/main.tf b/terraform/aws/modules/amis/main.tf new file mode 100644 index 00000000..4e76baa3 --- /dev/null +++ b/terraform/aws/modules/amis/main.tf 
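Review bot: `mds_password_hash`, `mds_maintenance_mode_password_hash`, `mds_SICKey` and `secret_key` are declared without `sensitive = true`, so their values are echoed in plan and apply output and in any output that forwards them; `required_version = ">= 0.14.3"` in versions.tf just below is new enough for the attribute. The same applies to `gateway_SICKey`, `gateway_TokenKey`, `gateway_password_hash` and `gateway_maintenance_mode_password_hash` in modules/common/gateway_instance/variables.tf further down. Exposing `access_key`/`secret_key` as input variables with empty defaults also invites static credentials in terraform.tfvars; a comment like `// Prefer the AWS provider's credential chain (environment, profile, instance role) over setting these` would steer users. `null_resource.volume_size_too_small` fails through a non-numeric `count`; a `validation` block on `volume_size` reports the same condition with a proper message, and gateway_instance/variables.tf already uses one for `configuration_template`.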
@@ -0,0 +1,22 @@
+locals {
+ amis_yaml_regionMap = yamldecode(split("Resources", data.http.amis_yaml_http.response_body)[0]).Mappings.RegionMap
+ amis_yaml_converterMap = yamldecode(split("Resources", data.http.amis_yaml_http.response_body)[0]).Mappings.ConverterMap
+
+
+ // Variables example:
+ // version_license = "R80.40-PAYG-NGTX"
+ // RESULT:
+ // version_license_key = "R80.40-PAYG-NGTX-GW"
+ // version_license_value = "R8040PAYGNGTXGW"
+
+ version_license_key_mgmt_gw = format("%s%s", var.version_license, var.chkp_type == "gateway" ? "-GW" : var.chkp_type == "management" ? "-MGMT" : var.chkp_type == "mds" ? "-MGMT" : "")
+ version_license_key = var.chkp_type == "standalone" ? format("%s%s", var.version_license, element(split("-", var.version_license), 1) == "BYOL" ? "-MGMT" : "") : local.version_license_key_mgmt_gw
+
+ version_license_value = local.amis_yaml_converterMap[local.version_license_key]["Value"]
+
+ // Variables example:
+ // region = "us-east-1"
+ // version_license_key - see above
+ // RESULT: local.ami_id = "ami-1234567"
+ ami_id = local.amis_yaml_regionMap[local.region][local.version_license_value]
+}
\ No newline at end of file
diff --git a/terraform/aws/modules/amis/output.tf b/terraform/aws/modules/amis/output.tf
new file mode 100644
index 00000000..0be16a15
--- /dev/null
+++ b/terraform/aws/modules/amis/output.tf
@@ -0,0 +1,6 @@
+output "ami_id" {
+ value = local.ami_id
+}
+output "version_license_with_suffix" {
+ value = local.version_license_key
+}
\ No newline at end of file
diff --git a/terraform/aws/modules/amis/variables.tf b/terraform/aws/modules/amis/variables.tf
new file mode 100644
index 00000000..10d6dee0
--- /dev/null
+++ b/terraform/aws/modules/amis/variables.tf
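Review bot: The AMI every gateway, management and MDS instance boots from is resolved at plan time out of a YAML document fetched from `var.amis_url` (declared in modules/amis/variables.tf just below) with no integrity check, so whoever controls that URL or bucket controls the image, and `amis_url` is also overridable per deployment. A pinned hash or signed manifest, or an optional explicit `ami_id` input that bypasses the lookup, would make the image choice auditable and reproducible; at minimum a comment `// NOTE: AMI IDs come from a remote, unverified document — pin or verify before production use` belongs above the first local. `yamldecode(split("Resources", data.http.amis_yaml_http.response_body)[0])` also depends on the word "Resources" not appearing before the Mappings section of the remote file, and it is evaluated twice; a single `amis_yaml = yamldecode(...)` local that the two map locals index would remove the repetition.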
@@ -0,0 +1,26 @@
+variable "amis_url" {
+ type = string
+ description = "URL to amis.yaml"
+ default = "https://cgi-cfts.s3.amazonaws.com/utils/amis.yaml"
+}
+
+data "http" "amis_yaml_http" {
+ url = var.amis_url
+}
+
+data "aws_region" "current" {}
+locals {
+ region = data.aws_region.current.name
+}
+
+// --- Version & License ---
+variable "chkp_type" {
+ type = string
+ description = "The Check Point machine type"
+ default = "gateway"
+}
+variable "version_license" {
+ type = string
+ description = "Version and license"
+}
+
diff --git a/terraform/aws/modules/cloudwatch-policy/main.tf b/terraform/aws/modules/cloudwatch-policy/main.tf
new file mode 100755
index 00000000..3d191a01
--- /dev/null
+++ b/terraform/aws/modules/cloudwatch-policy/main.tf
@@ -0,0 +1,18 @@
+data "aws_iam_policy_document" "policy_document" {
+ version = "2012-10-17"
+ statement {
+ actions = ["cloudwatch:PutMetricData"]
+ effect = "Allow"
+ resources = ["*"]
+ }
+}
+
+resource "aws_iam_policy" "policy" {
+ name_prefix = format("%s-iam_policy", var.tag_name)
+ policy = data.aws_iam_policy_document.policy_document.json
+}
+
+resource "aws_iam_role_policy_attachment" "attachment" {
+ role = var.role
+ policy_arn = aws_iam_policy.policy.arn
+}
\ No newline at end of file
diff --git a/terraform/aws/modules/cloudwatch-policy/variables.tf b/terraform/aws/modules/cloudwatch-policy/variables.tf
new file mode 100755
index 00000000..2d3f9452
--- /dev/null
+++ b/terraform/aws/modules/cloudwatch-policy/variables.tf
@@ -0,0 +1,9 @@
+variable "tag_name" {
+ type = string
+ description = "(Optional) IAM policy name prefix"
+ default = "cloudwatch"
+}
+variable "role" {
+ type = string
+ description = "A IAM role to attach the cloudwatch policy to it"
+}
\ No newline at end of file
diff --git a/terraform/aws/modules/cluster-iam-role/main.tf b/terraform/aws/modules/cluster-iam-role/main.tf
new file mode 100755
index 00000000..b56eacd6
--- /dev/null
+++ b/terraform/aws/modules/cluster-iam-role/main.tf
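Review bot: `resources = ["*"]` for `cloudwatch:PutMetricData` is unavoidable because the action has no resource-level ARN, but the statement can still be narrowed with a `condition` on the `cloudwatch:namespace` key so the instance role may publish only into the namespace the Check Point metrics use rather than into any namespace in the account. That namespace is not visible on this page, so it would become an input variable of this module with the constrained value documented in its description. A one-line comment above `resources = ["*"]` recording that the wildcard is required by the action, not a shortcut, would save the next reviewer the lookup.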
@@ -0,0 +1,38 @@
+resource "aws_iam_role" "cluster_iam_role" {
+ assume_role_policy = data.aws_iam_policy_document.cluster_role_assume_policy_document.json
+ path = "/"
+}
+
+data "aws_iam_policy_document" "cluster_role_assume_policy_document" {
+ version = "2012-10-17"
+ statement {
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+ principals {
+ type = "Service"
+ identifiers = ["ec2.amazonaws.com"]
+ }
+ }
+}
+
+data "aws_iam_policy_document" "cluster_role_policy_doc" {
+ version = "2012-10-17"
+ statement {
+ effect = "Allow"
+ actions = [
+ "ec2:AssignPrivateIpAddresses",
+ "ec2:AssociateAddress",
+ "ec2:CreateRoute",
+ "ec2:DescribeNetworkInterfaces",
+ "ec2:DescribeRouteTables",
+ "ec2:ReplaceRoute"]
+ resources = ["*"]
+ }
+}
+resource "aws_iam_policy" "cluster_role_policy" {
+ policy = data.aws_iam_policy_document.cluster_role_policy_doc.json
+}
+resource "aws_iam_role_policy_attachment" "attach_policy" {
+ policy_arn = aws_iam_policy.cluster_role_policy.arn
+ role = aws_iam_role.cluster_iam_role.id
+}
\ No newline at end of file
diff --git a/terraform/aws/modules/cluster-iam-role/output.tf b/terraform/aws/modules/cluster-iam-role/output.tf
new file mode 100755
index 00000000..7bbf0351
--- /dev/null
+++ b/terraform/aws/modules/cluster-iam-role/output.tf
@@ -0,0 +1,9 @@
+output "cluster_iam_role" {
+ value = aws_iam_role.cluster_iam_role
+}
+output "cluster_iam_role_arn" {
+ value = aws_iam_role.cluster_iam_role.arn
+}
+output "cluster_iam_role_name" {
+ value = aws_iam_role.cluster_iam_role.name
+}
\ No newline at end of file
diff --git a/terraform/aws/modules/common/elastic_ip/locals.tf b/terraform/aws/modules/common/elastic_ip/locals.tf
new file mode 100755
index 00000000..c4af5bca
--- /dev/null
+++ b/terraform/aws/modules/common/elastic_ip/locals.tf
@@ -0,0 +1,3 @@
+locals {
+ allocate_and_associate_eip_condition = var.allocate_and_associate_eip == true ? 1 : 0
+}
\ No newline at end of file
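Review bot: The cluster instance role is granted `ec2:CreateRoute`, `ec2:ReplaceRoute`, `ec2:AssociateAddress` and `ec2:AssignPrivateIpAddresses` on `resources = ["*"]`, so a compromised cluster member can rewrite any route table and re-home any Elastic IP in the account, not only those belonging to the cluster. Several of these actions accept resource ARNs and `aws:ResourceTag`/`ec2:Vpc` conditions (confirm per action against the IAM reference), so a second statement scoped to the cluster's route tables, ENIs and EIPs, with `*` kept only for the two `Describe*` actions, would contain the blast radius. A comment above the action list recording why each permission is needed for failover, e.g. `// <action>: required because <failover step it performs>` filled in per action, would also let reviewers check the list against actual use. The policy and role carry no `name`/`name_prefix`, so the generated names will not identify the cluster in the IAM console.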
diff --git a/terraform/aws/modules/common/elastic_ip/main.tf b/terraform/aws/modules/common/elastic_ip/main.tf
new file mode 100755
index 00000000..879748a9
--- /dev/null
+++ b/terraform/aws/modules/common/elastic_ip/main.tf
@@ -0,0 +1,10 @@
+resource "aws_eip" "gateway_eip" {
+ count = local.allocate_and_associate_eip_condition
+ network_interface = var.external_eni_id
+}
+resource "aws_eip_association" "address_assoc" {
+ count = local.allocate_and_associate_eip_condition
+ allocation_id = aws_eip.gateway_eip[count.index].id
+ network_interface_id = var.external_eni_id
+ private_ip_address = var.private_ip_address
+}
\ No newline at end of file
diff --git a/terraform/aws/modules/common/elastic_ip/output.tf b/terraform/aws/modules/common/elastic_ip/output.tf
new file mode 100755
index 00000000..31857b83
--- /dev/null
+++ b/terraform/aws/modules/common/elastic_ip/output.tf
@@ -0,0 +1,9 @@
+output "gateway_eip_id" {
+ value = aws_eip.gateway_eip.*.id
+}
+output "gateway_eip_public_ip" {
+ value = aws_eip.gateway_eip.*.public_ip
+}
+output "gateway_eip_attached_instance" {
+ value = aws_eip.gateway_eip.*.instance
+}
diff --git a/terraform/aws/modules/common/elastic_ip/variables.tf b/terraform/aws/modules/common/elastic_ip/variables.tf
new file mode 100755
index 00000000..c6881436
--- /dev/null
+++ b/terraform/aws/modules/common/elastic_ip/variables.tf
@@ -0,0 +1,13 @@
+variable "allocate_and_associate_eip" {
+ type = bool
+ description = "If set to TRUE, an elastic IP will be allocated and associated with the launched instance"
+ default = true
+}
+variable "external_eni_id" {
+ type = string
+ description = "The external-eni of the security gateway"
+}
+variable "private_ip_address" {
+ type = string
+ description = "The primary or secondary private IP address to associate with the Elastic IP address. "
+}
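Review bot: `aws_eip.gateway_eip` sets `network_interface = var.external_eni_id` and `aws_eip_association.address_assoc` then binds the same allocation to the same ENI, so one association is owned by two resources; depending on provider version this tends to surface as a perpetual plan diff or a re-association on every apply (inferred from the resource semantics, not verifiable on this page). Dropping `network_interface` from the `aws_eip` and letting `aws_eip_association`, which already carries `private_ip_address`, own the binding leaves a single source of truth. In locals.tf just above, `var.allocate_and_associate_eip == true ? 1 : 0` can be `var.allocate_and_associate_eip ? 1 : 0` since the variable is typed `bool`.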
diff --git a/terraform/aws/modules/common/gateway_instance/gateway_userdata.yaml b/terraform/aws/modules/common/gateway_instance/gateway_userdata.yaml
new file mode 100755
index 00000000..05538232
--- /dev/null
+++ b/terraform/aws/modules/common/gateway_instance/gateway_userdata.yaml
@@ -0,0 +1,4 @@
+#cloud-config
+runcmd:
+ - |
+ python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenKey}\"" installationType=\"gateway\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"gateway\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" bootstrapScript64=\"${GatewayBootstrapScript}\"
\ No newline at end of file
diff --git a/terraform/aws/modules/common/gateway_instance/locals.tf b/terraform/aws/modules/common/gateway_instance/locals.tf
new file mode 100755
index 00000000..a0d9034d
--- /dev/null
+++ b/terraform/aws/modules/common/gateway_instance/locals.tf
@@ -0,0 +1,39 @@
+locals {
+ control_over_public_or_private_allowed_values = [
+ "public",
+ "private"]
+ // will fail if [var.control_gateway_over_public_or_private_address] is invalid:
+ validate_control_over_public_or_private = index(local.control_over_public_or_private_allowed_values, var.control_gateway_over_public_or_private_address)
+
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"]
+ // Will fail if var.admin_shell is invalid
+ validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell)
+
+ regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SIC_Key is invalid
+ regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters"
+
+ regex_valid_gateway_hostname = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.gateway_hostname is invalid
+ regex_gateway_hostname = regex(local.regex_valid_gateway_hostname, var.gateway_hostname) == var.gateway_hostname ? 0 : "Variable [lambda_scheduled_interval] must be a valid hostname label or an empty string"
+
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
+
+ volume_encryption_condition = var.volume_encryption != "" ? true : false
+
+ //Splits the version and licence and returns the os version
+ version_split = element(split("-", var.gateway_version), 0)
+
+ gateway_bootstrap_script64 = base64encode(var.gateway_bootstrap_script)
+ gateway_SICkey_base64 = base64encode(var.gateway_SICKey)
+ gateway_password_hash_base64 = base64encode(var.gateway_password_hash)
+ gateway_maintenance_mode_password_hash_base64 = base64encode(var.gateway_maintenance_mode_password_hash)
+}
\ No newline at end of file
diff --git a/terraform/aws/modules/common/gateway_instance/main.tf b/terraform/aws/modules/common/gateway_instance/main.tf
new file mode 100755
index 00000000..38382cc2
--- /dev/null
+++ b/terraform/aws/modules/common/gateway_instance/main.tf
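Review bot: `regex_gateway_hostname` reports `Variable [lambda_scheduled_interval] must be a valid hostname label or an empty string`, a copy-pasted name; it should read `"Variable [gateway_hostname] must be a valid hostname label or an empty string"`. The messages in this block are unlikely to be shown at all: `regex()` raises its own error when the pattern does not match, so the `== var.x ? 0 : "message"` form only ever evaluates on a successful match, and the same holds for `regex_gateway_sic_result` and the two password-hash checks. A `validation { condition = can(regex(local.regex_valid_gateway_hostname, var.gateway_hostname)) error_message = "..." }` block on each variable in variables.tf, which already uses one for `configuration_template`, would surface the intended message at plan time. `var.volume_encryption != "" ? true : false` is simply `var.volume_encryption != ""`.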
@@ -0,0 +1,63 @@
+resource "aws_launch_template" "gateway_launch_template" {
+ key_name = var.key_name
+ image_id = var.ami_id
+ instance_type = var.gateway_instance_type
+ description = "Initial launch template version"
+
+ iam_instance_profile {
+ name = var.iam_instance_profile_id
+ }
+
+ network_interfaces {
+ network_interface_id = var.external_eni_id
+ device_index = 0
+ }
+
+ network_interfaces {
+ network_interface_id = var.internal_eni_id
+ device_index = 1
+ }
+
+ metadata_options {
+ http_tokens = var.metadata_imdsv2_required ? "required" : "optional"
+ }
+}
+
+resource "aws_instance" "gateway_instance" {
+ launch_template {
+ id = aws_launch_template.gateway_launch_template.id
+ version = "$Latest"
+ }
+
+ disable_api_termination = var.disable_instance_termination
+
+ tags = merge({
+ Name = var.gateway_name
+ x-chkp-tags = format("management=%s:template=%s:ip-address=%s", var.management_server, var.configuration_template, var.control_gateway_over_public_or_private_address)
+ }, var.instance_tags)
+
+ ebs_block_device {
+ device_name = "/dev/xvda"
+ volume_type = "gp2"
+ volume_size = var.volume_size
+ encrypted = local.volume_encryption_condition ? true : false
+ kms_key_id = local.volume_encryption_condition ? var.volume_encryption : ""
+ }
+
+ user_data = templatefile("${path.module}/gateway_userdata.yaml", {
+ // script's arguments
+ PasswordHash = local.gateway_password_hash_base64,
+ MaintenanceModePassword = local.gateway_maintenance_mode_password_hash_base64,
+ Shell = var.admin_shell,
+ SICKey = local.gateway_SICkey_base64,
+ TokenKey = var.gateway_TokenKey,
+ GatewayBootstrapScript = local.gateway_bootstrap_script64,
+ Hostname = var.gateway_hostname,
+ AllowUploadDownload = var.allow_upload_download,
+ EnableCloudWatch = var.enable_cloudwatch,
+ NTPPrimary = var.primary_ntp,
+ NTPSecondary = var.secondary_ntp,
+ EnableInstanceConnect = var.enable_instance_connect,
+ OsVersion = local.version_split
+ })
+}
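Review bot: `encrypted = local.volume_encryption_condition ? true : false` restates a value that locals.tf already produces as `true`/`false`, and when `var.volume_encryption` is the empty string the root volume is requested with `encrypted = false` and `kms_key_id = ""`; if an unencrypted gateway disk is a supported configuration a comment saying so belongs on that line, otherwise a `validation` rejecting the empty string is safer than silently honouring it. `/dev/xvda` is the AMI's root device but is configured through `ebs_block_device`; the provider documents `root_block_device` for the root volume and notes that changes to `ebs_block_device` on an existing instance are not detected (from provider documentation, not verifiable here). `version = "$Latest"` means an out-of-band edit to the launch template silently changes what the next apply builds; `version = aws_launch_template.gateway_launch_template.latest_version` keeps the instance tied to the template revision Terraform manages.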
diff --git a/terraform/aws/modules/common/gateway_instance/output.tf b/terraform/aws/modules/common/gateway_instance/output.tf
new file mode 100755
index 00000000..0c5f6d02
--- /dev/null
+++ b/terraform/aws/modules/common/gateway_instance/output.tf
@@ -0,0 +1,9 @@
+output "gateway_instance_id" {
+ value = aws_instance.gateway_instance.id
+}
+output "gateway_instance_arn" {
+ value = aws_instance.gateway_instance.arn
+}
+output "gateway_instance_name" {
+ value = aws_instance.gateway_instance.tags["Name"]
+}
diff --git a/terraform/aws/modules/common/gateway_instance/variables.tf b/terraform/aws/modules/common/gateway_instance/variables.tf
new file mode 100755
index 00000000..0e1a010c
--- /dev/null
+++ b/terraform/aws/modules/common/gateway_instance/variables.tf
@@ -0,0 +1,147 @@ +variable "external_eni_id" { + type = string + description = "The external-eni of the security gateway" +} +variable "internal_eni_id" { + type = string + description = "The internal-eni of the security gateway" +} +variable "gateway_name" { + type = string + description = "(Optional) The name tag of the Security Gateway instances" + default = "Check-Point-Gateway-tf" +} +variable "management_server" { + type = string + description = "(Optional) The name that represents the Security Management Server in the automatic provisioning configuration" + default = "" +} +variable "configuration_template" { + type = string + description = "(Optional) A name of a Security Gateway configuration template in the automatic provisioning configuration" + default = "" + validation { + condition = length(var.configuration_template) < 31 + error_message = "The configuration_template name can not exceed 30 characters." + } +} +variable "control_gateway_over_public_or_private_address" { + type = string + description = "Determines if the Security Gateway is provisioned using its private or public address" + default = "private" +} +variable "volume_size" { + type = number + description = "Root volume size (GB) - minimum 100" + default = 100 +} +resource "null_resource" "volume_size_too_small" { + // Volume Size validation - resource will not be created if the volume size is smaller than 100 + count = var.volume_size >= 100 ? 0 : "volume_size must be at least 100" +} +variable "volume_encryption" { + type = string + description = "KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs')." 
+ default = "alias/aws/ebs" +} +variable "gateway_version" { + type = string + description = "Gateway version & license" + default = "R81.20-BYOL" +} +variable "gateway_instance_type" { + type = string + description = "The instance type of the Security Gateways" + default = "c5.xlarge" +} +module "validate_instance_type" { + source = "../instance_type" + + chkp_type = "gateway" + instance_type = var.gateway_instance_type +} +variable "instance_tags" { + type = map(string) + description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instance." + default = {} +} +variable "key_name" { + type = string + description = "The EC2 Key Pair name to allow SSH access to the instance" +} +variable "ami_id" { + type = string + description = "The AMI to use for the instance" +} +variable "iam_instance_profile_id" { + type = string + description = "The IAM instance profile id" +} +variable "gateway_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" + default = "" +} +variable "gateway_maintenance_mode_password_hash" { + description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)." + type = string + default = "" +} +variable "admin_shell" { + type = string + description = "Set the admin shell to enable advanced command line configuration" + default = "/etc/cli.sh" +} +variable "gateway_SICKey" { + type = string + description = "The Secure Internal Communication key for trusted connection between Check Point components. 
Choose a random string consisting of at least 8 alphanumeric characters" +} +variable "gateway_TokenKey" { + type = string + description = "Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud." +} +variable "gateway_bootstrap_script" { + type = string + description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot" + default = "" +} +variable "gateway_hostname" { + type = string + description = "(Optional)" + default = "" +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + default = true +} +variable "enable_cloudwatch" { + type = bool + description = "Report Check Point specific CloudWatch metrics" + default = false +} +variable "primary_ntp" { + type = string + description = "(Optional)" + default = "" +} +variable "secondary_ntp" { + type = string + description = "(Optional)" + default = "" +} +variable "enable_instance_connect" { + type = bool + description = "Enable SSH connection over AWS web console" + default = false +} +variable "disable_instance_termination" { + type = bool + description = "Prevents an instance from accidental termination" + default = false +} +variable "metadata_imdsv2_required" { + type = bool + description = "Set true to deploy the instance with metadata v2 token required" + default = true +} \ No newline at end of file diff --git a/terraform/aws/modules/common/instance_type/main.tf b/terraform/aws/modules/common/instance_type/main.tf new file mode 100755 index 00000000..22fffe49 --- /dev/null +++ b/terraform/aws/modules/common/instance_type/main.tf 
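Review bot: `gateway_hostname`, `primary_ntp` and `secondary_ntp` are documented only as `description = "(Optional)"`, which tells a caller nothing about the expected value, while the MDS module's variables.tf spells the same inputs out. Mirroring that wording — `description = "(Optional) Security Gateway prompt hostname"`, `description = "(Optional) The IPv4 address of the Network Time Protocol primary server"` and the secondary equivalent — would keep the two modules' READMEs and generated docs consistent. `gateway_TokenKey` has no default, so every caller must pass it even when Smart-1 Cloud is not used; if an empty string is the intended "not used" value, `default = ""` plus a sentence to that effect in the description would make the contract explicit.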
@@ -0,0 +1,353 @@ +locals { + gw_types = [ + "c4.large", + "c4.xlarge", + "c5.large", + "c5.xlarge", + "c5.2xlarge", + "c5.4xlarge", + "c5.9xlarge", + "c5.12xlarge", + "c5.18xlarge", + "c5.24xlarge", + "c5n.large", + "c5n.xlarge", + "c5n.2xlarge", + "c5n.4xlarge", + "c5n.9xlarge", + "c5n.18xlarge", + "c5d.large", + "c5d.xlarge", + "c5d.2xlarge", + "c5d.4xlarge", + "c5d.9xlarge", + "c5d.12xlarge", + "c5d.18xlarge", + "c5d.24xlarge", + "m5.large", + "m5.xlarge", + "m5.2xlarge", + "m5.4xlarge", + "m5.8xlarge", + "m5.12xlarge", + "m5.16xlarge", + "m5.24xlarge", + "m6i.large", + "m6i.xlarge", + "m6i.2xlarge", + "m6i.4xlarge", + "m6i.8xlarge", + "m6i.12xlarge", + "m6i.16xlarge", + "m6i.24xlarge", + "m6i.32xlarge", + "c6i.large", + "c6i.xlarge", + "c6i.2xlarge", + "c6i.4xlarge", + "c6i.8xlarge", + "c6i.12xlarge", + "c6i.16xlarge", + "c6i.24xlarge", + "c6i.32xlarge", + "c6in.large", + "c6in.xlarge", + "c6in.2xlarge", + "c6in.4xlarge", + "c6in.8xlarge", + "c6in.12xlarge", + "c6in.16xlarge", + "c6in.24xlarge", + "c6in.32xlarge", + "r5.large", + "r5.xlarge", + "r5.2xlarge", + "r5.4xlarge", + "r5.8xlarge", + "r5.12xlarge", + "r5.16xlarge", + "r5.24xlarge", + "r5a.large", + "r5a.xlarge", + "r5a.2xlarge", + "r5a.4xlarge", + "r5a.8xlarge", + "r5a.12xlarge", + "r5a.16xlarge", + "r5a.24xlarge", + "r5b.large", + "r5b.xlarge", + "r5b.2xlarge", + "r5b.4xlarge", + "r5b.8xlarge", + "r5b.12xlarge", + "r5b.16xlarge", + "r5b.24xlarge", + "r5n.large", + "r5n.xlarge", + "r5n.2xlarge", + "r5n.4xlarge", + "r5n.8xlarge", + "r5n.12xlarge", + "r5n.16xlarge", + "r5n.24xlarge", + "r6i.large", + "r6i.xlarge", + "r6i.2xlarge", + "r6i.4xlarge", + "r6i.8xlarge", + "r6i.12xlarge", + "r6i.16xlarge", + "r6i.24xlarge", + "r6i.32xlarge", + "m6a.large", + "m6a.xlarge", + "m6a.2xlarge", + "m6a.4xlarge", + "m6a.8xlarge", + "m6a.12xlarge", + "m6a.16xlarge", + "m6a.24xlarge", + "m6a.32xlarge", + "m6a.48xlarge" + ] + mgmt_types = [ + "c5.large", + "c5.xlarge", + "c5.2xlarge", + "c5.4xlarge", + "c5.9xlarge", + 
"c5.12xlarge", + "c5.18xlarge", + "c5.24xlarge", + "c5n.large", + "c5n.xlarge", + "c5n.2xlarge", + "c5n.4xlarge", + "c5n.9xlarge", + "c5n.18xlarge", + "c5d.large", + "c5d.xlarge", + "c5d.2xlarge", + "c5d.4xlarge", + "c5d.9xlarge", + "c5d.12xlarge", + "c5d.18xlarge", + "c5d.24xlarge", + "m5.large", + "m5.xlarge", + "m5.2xlarge", + "m5.4xlarge", + "m5.8xlarge", + "m5.12xlarge", + "m5.16xlarge", + "m5.24xlarge", + "m6i.large", + "m6i.xlarge", + "m6i.2xlarge", + "m6i.4xlarge", + "m6i.8xlarge", + "m6i.12xlarge", + "m6i.16xlarge", + "m6i.24xlarge", + "m6i.32xlarge", + "c6i.large", + "c6i.xlarge", + "c6i.2xlarge", + "c6i.4xlarge", + "c6i.8xlarge", + "c6i.12xlarge", + "c6i.16xlarge", + "c6i.24xlarge", + "c6i.32xlarge", + "c6in.large", + "c6in.xlarge", + "c6in.2xlarge", + "c6in.4xlarge", + "c6in.8xlarge", + "c6in.12xlarge", + "c6in.16xlarge", + "c6in.24xlarge", + "c6in.32xlarge", + "r5.large", + "r5.xlarge", + "r5.2xlarge", + "r5.4xlarge", + "r5.8xlarge", + "r5.12xlarge", + "r5.16xlarge", + "r5.24xlarge", + "r5a.large", + "r5a.xlarge", + "r5a.2xlarge", + "r5a.4xlarge", + "r5a.8xlarge", + "r5a.12xlarge", + "r5a.16xlarge", + "r5a.24xlarge", + "r5b.large", + "r5b.xlarge", + "r5b.2xlarge", + "r5b.4xlarge", + "r5b.8xlarge", + "r5b.12xlarge", + "r5b.16xlarge", + "r5b.24xlarge", + "r5n.large", + "r5n.xlarge", + "r5n.2xlarge", + "r5n.4xlarge", + "r5n.8xlarge", + "r5n.12xlarge", + "r5n.16xlarge", + "r5n.24xlarge", + "r6i.large", + "r6i.xlarge", + "r6i.2xlarge", + "r6i.4xlarge", + "r6i.8xlarge", + "r6i.12xlarge", + "r6i.16xlarge", + "r6i.24xlarge", + "r6i.32xlarge", + "m6a.large", + "m6a.xlarge", + "m6a.2xlarge", + "m6a.4xlarge", + "m6a.8xlarge", + "m6a.12xlarge", + "m6a.16xlarge", + "m6a.24xlarge", + "m6a.32xlarge", + "m6a.48xlarge" + ] + mds_types = [ + "c5.large", + "c5.xlarge", + "c5.2xlarge", + "c5.4xlarge", + "c5.9xlarge", + "c5.12xlarge", + "c5.18xlarge", + "c5.24xlarge", + "c5n.large", + "c5n.xlarge", + "c5n.2xlarge", + "c5n.4xlarge", + "c5n.9xlarge", + "c5n.18xlarge", + 
"c5d.large", + "c5d.xlarge", + "c5d.2xlarge", + "c5d.4xlarge", + "c5d.9xlarge", + "c5d.12xlarge", + "c5d.18xlarge", + "c5d.24xlarge", + "m5.large", + "m5.xlarge", + "m5.2xlarge", + "m5.4xlarge", + "m5.8xlarge", + "m5.12xlarge", + "m5.16xlarge", + "m5.24xlarge", + "m6i.large", + "m6i.xlarge", + "m6i.2xlarge", + "m6i.4xlarge", + "m6i.8xlarge", + "m6i.12xlarge", + "m6i.16xlarge", + "m6i.24xlarge", + "m6i.32xlarge", + "c6i.large", + "c6i.xlarge", + "c6i.2xlarge", + "c6i.4xlarge", + "c6i.8xlarge", + "c6i.12xlarge", + "c6i.16xlarge", + "c6i.24xlarge", + "c6i.32xlarge", + "c6in.large", + "c6in.xlarge", + "c6in.2xlarge", + "c6in.4xlarge", + "c6in.8xlarge", + "c6in.12xlarge", + "c6in.16xlarge", + "c6in.24xlarge", + "c6in.32xlarge", + "r5.large", + "r5.xlarge", + "r5.2xlarge", + "r5.4xlarge", + "r5.8xlarge", + "r5.12xlarge", + "r5.16xlarge", + "r5.24xlarge", + "r5a.large", + "r5a.xlarge", + "r5a.2xlarge", + "r5a.4xlarge", + "r5a.8xlarge", + "r5a.12xlarge", + "r5a.16xlarge", + "r5a.24xlarge", + "r5b.large", + "r5b.xlarge", + "r5b.2xlarge", + "r5b.4xlarge", + "r5b.8xlarge", + "r5b.12xlarge", + "r5b.16xlarge", + "r5b.24xlarge", + "r5n.large", + "r5n.xlarge", + "r5n.2xlarge", + "r5n.4xlarge", + "r5n.8xlarge", + "r5n.12xlarge", + "r5n.16xlarge", + "r5n.24xlarge", + "r6i.large", + "r6i.xlarge", + "r6i.2xlarge", + "r6i.4xlarge", + "r6i.8xlarge", + "r6i.12xlarge", + "r6i.16xlarge", + "r6i.24xlarge", + "r6i.32xlarge", + "m6a.large", + "m6a.xlarge", + "m6a.2xlarge", + "m6a.4xlarge", + "m6a.8xlarge", + "m6a.12xlarge", + "m6a.16xlarge", + "m6a.24xlarge", + "m6a.32xlarge", + "m6a.48xlarge" + ] + server_types = [ + "t3.nano", + "t3.micro", + "t3.small", + "t3.medium", + "t3.large", + "t3.xlarge", + "t3.2xlarge" + ] +} + +locals { + gw_values = var.chkp_type == "gateway" ? local.gw_types : [] + mgmt_values = var.chkp_type == "management" ? local.mgmt_types : [] + mds_values = var.chkp_type == "mds" ? local.mds_types : [] + server_values = var.chkp_type == "server" ? 
local.server_types : [] + sa_values = var.chkp_type == "standalone" ? concat(local.gw_types, local.mgmt_types) : [] + allowed_values = coalescelist(local.gw_values, local.mgmt_values, local.mds_values, local.sa_values , local.server_types) + is_allowed_type = index(local.allowed_values, var.instance_type) +} \ No newline at end of file diff --git a/terraform/aws/modules/common/instance_type/variables.tf b/terraform/aws/modules/common/instance_type/variables.tf new file mode 100755 index 00000000..1711c3f7 --- /dev/null +++ b/terraform/aws/modules/common/instance_type/variables.tf @@ -0,0 +1,22 @@ +variable "chkp_type" { + type = string + description = "The Check Point machine type" + default = "gateway" +} +locals { + type_allowed_values = [ + "gateway", + "management", + "mds", + "standalone", + "server" + ] + // Will fail if var.chkp_type is invalid + validate_instance_type = index(local.type_allowed_values, var.chkp_type) +} + +variable "instance_type" { + type = string + description = "AWS Instance type" +} + diff --git a/terraform/aws/modules/common/internal_default_route/locals.tf b/terraform/aws/modules/common/internal_default_route/locals.tf new file mode 100755 index 00000000..493c4d9a --- /dev/null +++ b/terraform/aws/modules/common/internal_default_route/locals.tf @@ -0,0 +1,3 @@ +locals { + internal_route_table_condition = var.private_route_table != "" ? 1 : 0 +} \ No newline at end of file diff --git a/terraform/aws/modules/common/internal_default_route/main.tf b/terraform/aws/modules/common/internal_default_route/main.tf new file mode 100755 index 00000000..ddcb5bd8 --- /dev/null +++ b/terraform/aws/modules/common/internal_default_route/main.tf @@ -0,0 +1,6 @@ +resource "aws_route" "internal_default_route" { + count = local.internal_route_table_condition + route_table_id = var.private_route_table + destination_cidr_block = "0.0.0.0/0" + network_interface_id = var.internal_eni_id +} \ No newline at end of file 
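Review bot: `validate_instance_type = index(local.type_allowed_values, var.chkp_type)` in instance_type/variables.tf rejects an unsupported `chkp_type` only through a generic element-not-found evaluation error that never names the variable. A variable `validation` block gives the same hard stop with a readable message and lets the local be dropped, e.g. `validation { condition = contains(["gateway", "management", "mds", "standalone", "server"], var.chkp_type)  error_message = "chkp_type must be one of gateway, management, mds, standalone, server." }`. The same error-by-evaluation-failure idiom (an `index()` local, a ternary returning a string where a number is expected, a `null_resource` count) recurs in version_license/main.tf, version_license/variables.tf, custom-autoscale/locals.tf and custom-autoscale/variables.tf and could move to validation blocks there as well.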
diff --git a/terraform/aws/modules/common/internal_default_route/output.tf b/terraform/aws/modules/common/internal_default_route/output.tf new file mode 100755 index 00000000..fa691b92 --- /dev/null +++ b/terraform/aws/modules/common/internal_default_route/output.tf @@ -0,0 +1,3 @@ +output "internal_default_route_id" { + value = aws_route.internal_default_route.*.id +} \ No newline at end of file diff --git a/terraform/aws/modules/common/internal_default_route/variables.tf b/terraform/aws/modules/common/internal_default_route/variables.tf new file mode 100755 index 00000000..b8e2f458 --- /dev/null +++ b/terraform/aws/modules/common/internal_default_route/variables.tf @@ -0,0 +1,9 @@ +variable "private_route_table" { + type = string + description = "Sets '0.0.0.0/0' route to the Gateway instance in the specified route table (e.g. rtb-12a34567)" + default="" +} +variable "internal_eni_id" { + type = string + description = "The internal-eni of the security gateway" +} \ No newline at end of file diff --git a/terraform/aws/modules/common/load_balancer/main.tf b/terraform/aws/modules/common/load_balancer/main.tf new file mode 100755 index 00000000..18b3b753 --- /dev/null +++ b/terraform/aws/modules/common/load_balancer/main.tf 
@@ -0,0 +1,36 @@ +resource "random_id" "unique_lb_id" { + keepers = { + prefix = var.prefix_name + } + byte_length = 8 +} +resource "aws_lb" "load_balancer" { + name = substr(format("%s-%s", "${var.prefix_name}-LB", random_id.unique_lb_id.hex), 0, 32) + load_balancer_type = var.load_balancers_type == "gateway" ? "gateway" : var.load_balancers_type == "Network Load Balancer" ? "network": "application" + internal = var.load_balancers_type == "gateway" ? "false" : var.internal + subnets = var.instances_subnets + security_groups = var.security_groups + tags = var.tags + enable_cross_zone_load_balancing = var.cross_zone_load_balancing +} +resource "aws_lb_target_group" "lb_target_group" { + name = substr(format("%s-%s", "${var.prefix_name}-TG", random_id.unique_lb_id.hex), 0, 32) + vpc_id = var.vpc_id + protocol = var.load_balancer_protocol + port = var.target_group_port + health_check { + port = var.load_balancers_type != "gateway" ? var.health_check_port : 8117 + protocol = var.load_balancers_type != "gateway" ? var.health_check_protocol : "TCP" + } +} +resource "aws_lb_listener" "lb_listener" { + depends_on = [aws_lb.load_balancer, aws_lb_target_group.lb_target_group] + load_balancer_arn = aws_lb.load_balancer.arn + certificate_arn = var.certificate_arn + protocol = var.load_balancers_type != "gateway" ? var.load_balancer_protocol : null + port = var.load_balancers_type != "gateway" ? var.listener_port : null + default_action { + type = "forward" + target_group_arn = aws_lb_target_group.lb_target_group.arn + } +} diff --git a/terraform/aws/modules/common/load_balancer/output.tf b/terraform/aws/modules/common/load_balancer/output.tf new file mode 100755 index 00000000..63123606 --- /dev/null +++ b/terraform/aws/modules/common/load_balancer/output.tf 
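Review bot: `aws_lb_listener.lb_listener` sets `certificate_arn` but no `ssl_policy`, so a listener created with `load_balancer_protocol` HTTPS or TLS gets whatever default policy AWS applies instead of one the module chose; pin it, e.g. `ssl_policy = var.load_balancers_type != "gateway" && contains(["HTTPS", "TLS"], var.load_balancer_protocol) ? var.ssl_policy : null` backed by a new `ssl_policy` variable whose default names a current TLS 1.2-or-higher policy. `certificate_arn = var.certificate_arn` also forwards the empty-string default on plain HTTP/TCP listeners; `var.certificate_arn != "" ? var.certificate_arn : null` is the cleaner form and avoids relying on the provider treating "" as unset. On `aws_lb.load_balancer`, `internal = var.load_balancers_type == "gateway" ? "false" : var.internal` mixes a quoted string with the `bool` variable; write `false` unquoted.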
@@ -0,0 +1,18 @@ +output "load_balancer_id" { + value = aws_lb.load_balancer.id +} +output "load_balancer_arn" { + value = aws_lb.load_balancer.arn +} +output "load_balancer_url" { + value = aws_lb.load_balancer.dns_name +} +output "target_group_id" { + value = aws_lb_target_group.lb_target_group.id +} +output "target_group_arn" { + value = aws_lb_target_group.lb_target_group.arn +} +output "load_balancer_tags" { + value = aws_lb.load_balancer.tags +} \ No newline at end of file diff --git a/terraform/aws/modules/common/load_balancer/variables.tf b/terraform/aws/modules/common/load_balancer/variables.tf new file mode 100755 index 00000000..7cc6464e --- /dev/null +++ b/terraform/aws/modules/common/load_balancer/variables.tf 
@@ -0,0 +1,62 @@ +variable "instances_subnets" { + type = list(string) + description = "Select at least 2 public subnets in the VPC. If you choose to deploy a Security Management Server it will be deployed in the first subnet" +} +variable "prefix_name" { + type = string + description = "Load Balancer and Target Group prefix name" + default = "quickstart" +} +variable "internal" { + type = bool + description = "Select 'true' to create an Internal Load Balancer." + default = false +} +variable "security_groups" { + type = list(string) + description = "A list of security group IDs to assign to the LB. Only valid for Load Balancers of type application" +} +variable "tags" { + type = map(string) + description = "A map of tags to assign to the load balancer." +} +variable "vpc_id" { + type = string +} +variable "load_balancers_type" { + type = string + description = "Use Network Load Balancer if you wish to preserve the source IP address and Application Load Balancer if you wish to use content based routing" + default = "Network Load Balancer" +} +variable "load_balancer_protocol" { + type = string + description = "The protocol to use on the Load Balancer." +} +variable "target_group_port" { + type = number + description = "The port on which targets receive traffic." +} +variable "listener_port" { + type = string + description = "The port on which the load balancer is listening." +} +variable "certificate_arn" { + type = string + description = "The ARN of the default server certificate. Exactly one certificate is required if the protocol is HTTPS or TLS. " + default = "" +} +variable "cross_zone_load_balancing"{ + type = bool + default = false + description = "Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges." 
+} +variable "health_check_port" { + description = "The health check port" + type = number + default = null +} +variable "health_check_protocol" { + description = "The health check protocol" + type = string + default = null +} diff --git a/terraform/aws/modules/common/permissive_sg/main.tf b/terraform/aws/modules/common/permissive_sg/main.tf new file mode 100755 index 00000000..265f3c56 --- /dev/null +++ b/terraform/aws/modules/common/permissive_sg/main.tf @@ -0,0 +1,20 @@ +resource "aws_security_group" "permissive_sg" { + description = "Permissive security group" + vpc_id = var.vpc_id + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + ingress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + name_prefix = format("%s-PermissiveSecurityGroup", var.resources_tag_name != "" ? var.resources_tag_name : var.gateway_name) // Group name + tags = { + Name = format("%s-PermissiveSecurityGroup", var.resources_tag_name != "" ? var.resources_tag_name : var.gateway_name) // Resource name + } +} \ No newline at end of file diff --git a/terraform/aws/modules/common/permissive_sg/output.tf b/terraform/aws/modules/common/permissive_sg/output.tf new file mode 100755 index 00000000..83541c15 --- /dev/null +++ b/terraform/aws/modules/common/permissive_sg/output.tf @@ -0,0 +1,9 @@ +output "permissive_sg_id" { + value = aws_security_group.permissive_sg.id +} +output "permissive_sg_name" { + value = aws_security_group.permissive_sg.name +} +output "permissive_sg_arn" { + value = aws_security_group.permissive_sg.arn +} \ No newline at end of file diff --git a/terraform/aws/modules/common/permissive_sg/variables.tf b/terraform/aws/modules/common/permissive_sg/variables.tf new file mode 100755 index 00000000..d2afaad2 --- /dev/null +++ b/terraform/aws/modules/common/permissive_sg/variables.tf 
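Review bot: In load_balancer/variables.tf `listener_port` is declared `type = string` while `target_group_port` and `health_check_port` are `type = number`, so the same kind of value is typed two ways within one module and callers get inconsistent type checking; declare `listener_port` as `type = number` (Terraform converts numeric strings, so existing callers keep working). `vpc_id` is the only variable in the file without a `description`; `description = "The VPC in which the target group is created"` keeps the module self-documenting.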
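Review bot: The `ingress` block of `aws_security_group.permissive_sg` admits every protocol and port from `0.0.0.0/0`, and the only explanation in the file is the description "Permissive security group", which gives a future maintainer no reason not to attach it to ordinary instances. Record the intent where the rule lives, e.g. `// Intentionally open on all protocols/ports from 0.0.0.0/0. TODO confirm: filtering is expected to be enforced by the gateway's own policy, so attach this group only to gateway ENIs.` The `format("%s-PermissiveSecurityGroup", var.resources_tag_name != "" ? var.resources_tag_name : var.gateway_name)` expression is duplicated for `name_prefix` and `tags.Name`; a single `local.sg_name` removes the duplication.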
@@ -0,0 +1,13 @@ +variable "vpc_id" { + type = string +} +variable "resources_tag_name" { + type = string + description = "(Optional)" + default = "" +} +variable "gateway_name" { + type = string + description = "(Optional) The name tag of the Security Gateway instances" + default = "Check-Point-Gateway-tf" +} \ No newline at end of file diff --git a/terraform/aws/modules/common/version_license/main.tf b/terraform/aws/modules/common/version_license/main.tf new file mode 100755 index 00000000..43512f98 --- /dev/null +++ b/terraform/aws/modules/common/version_license/main.tf 
@@ -0,0 +1,60 @@ +locals { + gw_versions = [ + "R80.40-BYOL", + "R80.40-PAYG-NGTP", + "R80.40-PAYG-NGTX", + "R81-BYOL", + "R81-PAYG-NGTP", + "R81-PAYG-NGTX", + "R81.10-BYOL", + "R81.10-PAYG-NGTP", + "R81.10-PAYG-NGTX", + "R81.20-BYOL", + "R81.20-PAYG-NGTP", + "R81.20-PAYG-NGTX" + ] + mgmt_versions = [ + "R80.40-BYOL", + "R80.40-PAYG", + "R81-BYOL", + "R81-PAYG", + "R81.10-BYOL", + "R81.10-PAYG", + "R81.20-BYOL", + "R81.20-PAYG" + ] + mds_versions = [ + "R80.40-BYOL", + "R81-BYOL", + "R81.10-BYOL", + "R81.20-BYOL" + ] + standalone_versions = [ + "R80.40-BYOL", + "R80.40-PAYG-NGTP", + "R81-BYOL", + "R81-PAYG-NGTP", + "R81.10-BYOL", + "R81.10-PAYG-NGTP", + "R81.20-BYOL", + "R81.20-PAYG-NGTP" + ] + gwlb_gw_versions = [ + "R80.40-BYOL", + "R80.40-PAYG-NGTP", + "R80.40-PAYG-NGTX", + "R81.20-BYOL", + "R81.20-PAYG-NGTP", + "R81.20-PAYG-NGTX" + ] +} + +locals { + gw_values = var.chkp_type == "gateway" ? local.gw_versions : [] + mgmt_values = var.chkp_type == "management" ? local.mgmt_versions : [] + mds_values = var.chkp_type == "mds" ? local.mds_versions : [] + standalone_values = var.chkp_type == "standalone" ? local.standalone_versions : [] + gwlb_gw_values = var.chkp_type == "gwlb_gw" ? local.gwlb_gw_versions : [] + allowed_values = coalescelist(local.gw_values, local.mgmt_values, local.standalone_values, local.mds_values, local.gwlb_gw_values) + is_allowed_type = index(local.allowed_values, var.version_license) +} diff --git a/terraform/aws/modules/common/version_license/variables.tf b/terraform/aws/modules/common/version_license/variables.tf new file mode 100755 index 00000000..9467e232 --- /dev/null +++ b/terraform/aws/modules/common/version_license/variables.tf 
@@ -0,0 +1,21 @@ +variable "chkp_type" { + type = string + description = "The Check Point machine type" + default = "gateway" +} +locals { + type_allowed_values = [ + "gateway", + "management", + "mds", + "standalone", + "gwlb_gw"] + // Will fail if var.chkp_type is invalid + validate_chkp_type = index(local.type_allowed_values, var.chkp_type) +} + +variable "version_license" { + type = string + description = "AWS Version license" +} + diff --git a/terraform/aws/modules/custom-autoscale/locals.tf b/terraform/aws/modules/custom-autoscale/locals.tf new file mode 100755 index 00000000..1a9b6900 --- /dev/null +++ b/terraform/aws/modules/custom-autoscale/locals.tf @@ -0,0 +1,9 @@ +locals { + asg_name = format("%s%s-servers", var.prefix != "" ? format("%s-", var.prefix) : "", var.asg_name) + + regex_valid_server_ami = "^(ami-(([0-9a-f]{8})|([0-9a-f]{17})))?$" + // Will fail if var.server_ami is invalid + regex_server_ami = regex(local.regex_valid_server_ami, var.server_ami) == var.server_ami ? 0 : "Amazon Machine Image ID must be in the form ami-xxxxxxxx or ami-xxxxxxxxxxxxxxxxx" + + provided_target_groups_condition = var.servers_target_groups != "" ? true : false +} \ No newline at end of file diff --git a/terraform/aws/modules/custom-autoscale/main.tf b/terraform/aws/modules/custom-autoscale/main.tf new file mode 100755 index 00000000..e7d3decd --- /dev/null +++ b/terraform/aws/modules/custom-autoscale/main.tf 
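Review bot: In custom-autoscale/locals.tf `regex_valid_server_ami` wraps the whole `ami-...` alternative in `(...)?`, so the empty string matches and `regex_server_ami` evaluates to 0 for `server_ami = ""`, leaving the bad value to surface later as a launch-template error; since `server_ami` has no default in variables.tf the AMI is mandatory, so drop the optional group: `regex_valid_server_ami = "^ami-(([0-9a-f]{8})|([0-9a-f]{17}))$"`. `provided_target_groups_condition = var.servers_target_groups != "" ? true : false` is a redundant ternary; `var.servers_target_groups != ""` is already a bool.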
@@ -0,0 +1,94 @@ +resource "aws_security_group" "servers_security_group" { + count = var.deploy_internal_security_group ? 1 : 0 + name_prefix = format("%s_ServersSecurityGroup", local.asg_name) + description = "Servers security group" + vpc_id = var.vpc_id + + ingress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = { + Name = format("%s_ServersSecurityGroup", local.asg_name) + } +} + + +resource "aws_launch_template" "servers_launch_template" { + name_prefix = local.asg_name + network_interfaces { + associate_public_ip_address = var.allocate_public_address + security_groups = var.deploy_internal_security_group ? [aws_security_group.servers_security_group[0].id] : [var.source_security_group] + } + key_name = var.key_name + image_id = var.server_ami + description = "Initial template version" + monitoring { + enabled = true + } + instance_type = var.servers_instance_type +} +resource "aws_autoscaling_group" "servers_group" { + name_prefix = local.asg_name + vpc_zone_identifier = var.servers_subnets + launch_template { + name = aws_launch_template.servers_launch_template.name + version = aws_launch_template.servers_launch_template.latest_version + } + min_size = var.servers_min_group_size + max_size = var.servers_max_group_size + target_group_arns = local.provided_target_groups_condition ? [var.servers_target_groups] : [] + + tag { + key = "Name" + value = format("%s%s", var.prefix != "" ? 
format("%s-", var.prefix) : "", var.server_name) + propagate_at_launch = true + } +} +resource "aws_autoscaling_policy" "scale_up_policy" { + adjustment_type = "ChangeInCapacity" + autoscaling_group_name = aws_autoscaling_group.servers_group.name + name = "scale_up_policy" + cooldown = 300 + scaling_adjustment = 1 +} +resource "aws_autoscaling_policy" "scale_down_policy" { + adjustment_type = "ChangeInCapacity" + autoscaling_group_name = aws_autoscaling_group.servers_group.name + name = "scale_down_policy" + cooldown = 300 + scaling_adjustment = -1 +} +resource "aws_cloudwatch_metric_alarm" "cpu_alarm_high" { + alarm_description = "Scale-up if CPU > 80% for 10 minutes" + metric_name = "CPUUtilization" + namespace = "AWS/EC2" + statistic = "Average" + period = "300" + evaluation_periods = "2" + threshold = "80" + alarm_actions = [aws_autoscaling_policy.scale_up_policy.arn] + dimensions = { + AutoScalingGroupName = aws_autoscaling_group.servers_group.name + } + comparison_operator = "GreaterThanThreshold" + alarm_name = "cpu_alarm_high" +} +resource "aws_cloudwatch_metric_alarm" "cpu_alarm_low" { + alarm_description = "Scale-down if CPU < 60% for 10 minutes" + metric_name = "CPUUtilization" + namespace = "AWS/EC2" + statistic = "Average" + period = "300" + evaluation_periods = "2" + threshold = "60" + alarm_actions = [aws_autoscaling_policy.scale_down_policy.arn] + dimensions = { + AutoScalingGroupName = aws_autoscaling_group.servers_group.name + } + comparison_operator = "LessThanThreshold" + alarm_name = "cpu_alarm_low" +} \ No newline at end of file diff --git a/terraform/aws/modules/custom-autoscale/variables.tf b/terraform/aws/modules/custom-autoscale/variables.tf new file mode 100755 index 00000000..a99cb9a5 --- /dev/null +++ b/terraform/aws/modules/custom-autoscale/variables.tf 
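Review bot: `target_group_arns = local.provided_target_groups_condition ? [var.servers_target_groups] : []` on `aws_autoscaling_group.servers_group` wraps the whole variable in a one-element list, while variables.tf documents `servers_target_groups` as a comma-separated list of ARNs, so two or more ARNs become a single malformed entry; use `split(",", var.servers_target_groups)` when the condition holds. `aws_launch_template.servers_launch_template` sets no `metadata_options`, so the workload instances keep IMDSv1 available; adding `metadata_options { http_tokens = "required" }` reduces what a compromised server process can read from the instance metadata service. Separately, `aws_security_group.servers_security_group` opens every protocol and port to `0.0.0.0/0` even though these are private-subnet servers behind a gateway; if the intent is only to accept traffic from the gateway or load balancer, an ingress rule sourced from `var.source_security_group` (or the LB's group) would be the narrower choice when `deploy_internal_security_group` is true.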
@@ -0,0 +1,89 @@ +// Module: Auto Scaling group of workload servers + +// --- Environment --- +variable "prefix" { + type = string + description = "(Optional) Instances name prefix" + default = "" +} +variable "asg_name" { + type = string + description = "Autoscaling Group name" + default = "Check-Point-ASG-tf" +} + +// --- VPC Network Configuration --- +variable "vpc_id" { + type = string + description = "Select an existing VPC" +} +variable "servers_subnets" { + type = list(string) + description = "Provide at least 2 private subnet IDs in the chosen VPC, separated by commas (e.g. subnet-0d72417c,subnet-1f61306f,subnet-1061d06f)" +} + +// --- EC2 Instances Configuration --- +variable "server_ami" { + type = string + description = "The Amazon Machine Image ID of a preconfigured web server (e.g. ami-0dc7dc63)" +} +variable "server_name" { + type = string + description = "AMI of the servers" + default = "Server-tf" +} +variable "servers_instance_type" { + type = string + description = "The EC2 instance type for the web servers" + default = "t3.micro" +} +module "validate_servers_instance_type" { + source = "../common/instance_type" + + chkp_type = "server" + instance_type = var.servers_instance_type +} +variable "key_name" { + type = string + description = "The EC2 Key Pair name to allow SSH access to the instances" +} +variable "allocate_public_address" { + type = bool + description = "Allocate an elastic IP for each server" + default = false +} + +// --- Auto Scaling Configuration --- +variable "servers_min_group_size" { + type = number + description = "The minimal number of servers in the Auto Scaling group" + default = 2 +} +resource "null_resource" "servers_min_group_size_too_small" { + // servers_min_group_size validation - resource will not be created if the size is smaller than 1 + count = var.servers_min_group_size >= 1 ? 
0 : "servers_min_group_size must be at least 1" +} +variable "servers_max_group_size" { + type = number + description = "The maximal number of servers in the Auto Scaling group" + default = 10 +} +resource "null_resource" "servers_max_group_size_too_small" { + // servers_max_group_size validation - resource will not be created if the size is smaller than 1 + count = var.servers_max_group_size >= 1 ? 0 : "servers_max_group_size must be at least 1" +} +variable "servers_target_groups" { + type = string + description = "(Optional) An optional list of Target Groups to associate with the Auto Scaling group (comma separated list of ARNs, without spaces)" + default = "" +} +variable "deploy_internal_security_group" { + type = bool + description = "Select 'false' to use an existing Security group" + default = true +} +variable "source_security_group" { + type = string + description = "The ID of Security Group from which access will be allowed to the instances in this Auto Scaling group" + default = "" +} \ No newline at end of file diff --git a/terraform/aws/modules/custom-autoscale/vpc/main.tf b/terraform/aws/modules/custom-autoscale/vpc/main.tf new file mode 100644 index 00000000..8f1bfd5c --- /dev/null +++ b/terraform/aws/modules/custom-autoscale/vpc/main.tf 
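Review bot: The `description` of `server_name` reads "AMI of the servers", but main.tf uses the variable only as the `Name` tag value of the Auto Scaling group instances (the AMI is `server_ami`); change it to `description = "(Optional) Name tag of the web servers"`. `servers_min_group_size` and `servers_max_group_size` are validated independently, so `min > max` passes both `null_resource` checks and only fails at apply; a variable `validation` block cannot reference another variable, so the cross-check belongs in a `lifecycle { precondition { ... } }` on `aws_autoscaling_group.servers_group` in main.tf. Placing `module "validate_servers_instance_type"` inside variables.tf is also unusual; readers expect module calls in main.tf.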
@@ -0,0 +1,52 @@ +// --- VPC --- +resource "aws_vpc" "vpc" { + cidr_block = var.vpc_cidr +} + +// --- Internet Gateway --- +resource "aws_internet_gateway" "igw" { + vpc_id = aws_vpc.vpc.id +} + +// --- Public Subnets --- +resource "aws_subnet" "public_subnets" { + for_each = var.public_subnets_map + + vpc_id = aws_vpc.vpc.id + availability_zone = each.key + cidr_block = cidrsubnet(aws_vpc.vpc.cidr_block, var.subnets_bit_length, each.value) + map_public_ip_on_launch = true + tags = { + Name = format("Public subnet %s", each.value) + } +} + +// --- Private Subnets --- +resource "aws_subnet" "private_subnets" { + for_each = var.private_subnets_map + + vpc_id = aws_vpc.vpc.id + availability_zone = each.key + cidr_block = cidrsubnet(aws_vpc.vpc.cidr_block, var.subnets_bit_length, each.value) + tags = { + Name = format("Private subnet %s", each.value) + } +} + +// --- Routes --- +resource "aws_route_table" "public_subnet_rtb" { + vpc_id = aws_vpc.vpc.id + tags = { + Name = "Public Subnets Route Table" + } +} +resource "aws_route" "vpc_internet_access" { + route_table_id = aws_route_table.public_subnet_rtb.id + destination_cidr_block = "0.0.0.0/0" + gateway_id = aws_internet_gateway.igw.id +} +resource "aws_route_table_association" "public_rtb_to_public_subnets" { + for_each = { for public_subnet in aws_subnet.public_subnets : public_subnet.cidr_block => public_subnet.id } + route_table_id = aws_route_table.public_subnet_rtb.id + subnet_id = each.value +} diff --git a/terraform/aws/modules/custom-autoscale/vpc/output.tf b/terraform/aws/modules/custom-autoscale/vpc/output.tf new file mode 100644 index 00000000..a9179921 --- /dev/null +++ b/terraform/aws/modules/custom-autoscale/vpc/output.tf 
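Review bot: custom-autoscale/vpc/main.tf is a verbatim copy of terraform/aws/modules/vpc/main.tf minus the `tgw_subnets` block, which doubles the surface to keep in sync (for instance both `aws_vpc.vpc` resources set only `cidr_block`, so any later DNS or logging setting has to be added twice). Since modules/vpc/variables.tf gives `tgw_subnets_map` a `default = {}`, the custom-autoscale root could consume `../vpc` directly and this copy could be removed. Neither copy enables VPC Flow Logs; if the deployment's logging baseline expects them, an `aws_flow_log` resource on `aws_vpc.vpc` would belong in the shared module rather than in each copy.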
@@ -0,0 +1,12 @@ +output "vpc_id" { + value = aws_vpc.vpc.id +} +output "public_subnets_ids_list" { + value = [for public_subnet in aws_subnet.public_subnets : public_subnet.id ] +} +output "private_subnets_ids_list" { + value = [for private_subnet in aws_subnet.private_subnets : private_subnet.id] +} +output "public_rtb" { + value = aws_route_table.public_subnet_rtb.id +} diff --git a/terraform/aws/modules/custom-autoscale/vpc/variables.tf b/terraform/aws/modules/custom-autoscale/vpc/variables.tf new file mode 100644 index 00000000..e7ffb2ea --- /dev/null +++ b/terraform/aws/modules/custom-autoscale/vpc/variables.tf @@ -0,0 +1,17 @@ +variable "vpc_cidr" { + type = string +} +variable "public_subnets_map" { + type = map(string) + description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 1} ) " +} +variable "private_subnets_map" { + type = map(string) + description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 2} ) " + +} +variable "subnets_bit_length" { + type = number + description = "Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20." +} + diff --git a/terraform/aws/modules/vpc/main.tf b/terraform/aws/modules/vpc/main.tf new file mode 100755 index 00000000..b4b223b8 --- /dev/null +++ b/terraform/aws/modules/vpc/main.tf 
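Review bot: `vpc_cidr` is the only variable in custom-autoscale/vpc/variables.tf without a `description`; `description = "The CIDR block of the VPC (e.g. 10.0.0.0/16)"` matches the style of the other variables in the file. The same omission is in terraform/aws/modules/vpc/variables.tf.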
@@ -0,0 +1,66 @@ +// --- VPC --- +resource "aws_vpc" "vpc" { + cidr_block = var.vpc_cidr +} + +// --- Internet Gateway --- +resource "aws_internet_gateway" "igw" { + vpc_id = aws_vpc.vpc.id +} + +// --- Public Subnets --- +resource "aws_subnet" "public_subnets" { + for_each = var.public_subnets_map + + vpc_id = aws_vpc.vpc.id + availability_zone = each.key + cidr_block = cidrsubnet(aws_vpc.vpc.cidr_block, var.subnets_bit_length, each.value) + map_public_ip_on_launch = true + tags = { + Name = format("Public subnet %s", each.value) + } +} + +// --- Private Subnets --- +resource "aws_subnet" "private_subnets" { + for_each = var.private_subnets_map + + vpc_id = aws_vpc.vpc.id + availability_zone = each.key + cidr_block = cidrsubnet(aws_vpc.vpc.cidr_block, var.subnets_bit_length, each.value) + tags = { + Name = format("Private subnet %s", each.value) + } +} + +// --- tgw Subnets --- +resource "aws_subnet" "tgw_subnets" { + for_each = var.tgw_subnets_map + + vpc_id = aws_vpc.vpc.id + availability_zone = each.key + cidr_block = cidrsubnet(aws_vpc.vpc.cidr_block, var.subnets_bit_length, each.value) + tags = { + Name = format("tgw subnet %s", each.value) + } +} + + +// --- Routes --- +resource "aws_route_table" "public_subnet_rtb" { + vpc_id = aws_vpc.vpc.id + tags = { + Name = "Public Subnets Route Table" + } +} +resource "aws_route" "vpc_internet_access" { + route_table_id = aws_route_table.public_subnet_rtb.id + destination_cidr_block = "0.0.0.0/0" + gateway_id = aws_internet_gateway.igw.id +} +resource "aws_route_table_association" "public_rtb_to_public_subnets" { + for_each = { for public_subnet in aws_subnet.public_subnets : public_subnet.cidr_block => public_subnet.id } + route_table_id = aws_route_table.public_subnet_rtb.id + subnet_id = each.value +} + diff --git a/terraform/aws/modules/vpc/output.tf b/terraform/aws/modules/vpc/output.tf new file mode 100755 index 00000000..fc4173c9 --- /dev/null +++ b/terraform/aws/modules/vpc/output.tf 
@@ -0,0 +1,18 @@ +output "vpc_id" { + value = aws_vpc.vpc.id +} +output "public_subnets_ids_list" { + value = [for public_subnet in aws_subnet.public_subnets : public_subnet.id ] +} +output "private_subnets_ids_list" { + value = [for private_subnet in aws_subnet.private_subnets : private_subnet.id] +} +output "tgw_subnets_ids_list" { + value = [for tgw_subnet in aws_subnet.tgw_subnets : tgw_subnet.id] +} +output "public_rtb" { + value = aws_route_table.public_subnet_rtb.id +} +output "aws_igw" { + value = aws_internet_gateway.igw.id +} diff --git a/terraform/aws/modules/vpc/variables.tf b/terraform/aws/modules/vpc/variables.tf new file mode 100755 index 00000000..2623f9d0 --- /dev/null +++ b/terraform/aws/modules/vpc/variables.tf @@ -0,0 +1,22 @@ +variable "vpc_cidr" { + type = string +} +variable "public_subnets_map" { + type = map(string) + description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 1} ) " +} +variable "private_subnets_map" { + type = map(string) + description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 2} ) " + +} +variable "tgw_subnets_map" { + type = map(string) + description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 2} ) " + default = {} +} +variable "subnets_bit_length" { + type = number + description = "Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20." +} + diff --git a/terraform/aws/qs-autoscale-master/README.md b/terraform/aws/qs-autoscale-master/README.md new file mode 100755 index 00000000..809de14a --- /dev/null +++ b/terraform/aws/qs-autoscale-master/README.md 
@@ -0,0 +1,258 @@ +# Check Point CloudGuard Network Quick Start Auto Scaling Master Terraform module for AWS + +Terraform module which deploys a Check Point CloudGuard Network Security Gateway Auto Scaling Group, an external ALB/NLB, and optionally a Security Management Server and a web server Auto Scaling Group in a new VPC. + +These types of Terraform resources are supported: +* [VPC](https://www.terraform.io/docs/providers/aws/r/vpc.html) +* [Subnet](https://www.terraform.io/docs/providers/aws/r/subnet.html) +* [Route](https://www.terraform.io/docs/providers/aws/r/route.html) +* [Security Group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [Load Balancer](https://www.terraform.io/docs/providers/aws/r/lb.html) +* [Load Balancer Target Group](https://www.terraform.io/docs/providers/aws/r/lb_target_group.html) +* [Launch template](https://www.terraform.io/docs/providers/aws/r/launch_template.html) +* [Auto Scaling Group](https://www.terraform.io/docs/providers/aws/r/autoscaling_group.html) +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) +* [IAM Role](https://www.terraform.io/docs/providers/aws/r/iam_role.html) - conditional creation + +See the [Check Point CloudGuard Auto Scaling on AWS](https://aws.amazon.com/quickstart/architecture/check-point-cloudguard/) for additional information + +This solution uses the following modules: +- /terraform/aws/qs-autoscale +- /terraform/aws/autoscale +- /terraform/aws/management +- /terraform/aws/cme-iam-role +- /terraform/aws/modules/vpc + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment 
Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/qs-autoscale-master/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Static credentials are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/qs-autoscale, /terraform/aws/autoscale, /terraform/aws/management and /terraform/aws/cme-iam-role: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + b. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/qs-autoscale, /terraform/aws/autoscale and /terraform/aws/management: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/qs-autoscale-master/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +- Variables are configured in /terraform/aws/qs-autoscale-master/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- Environment --- + prefix = "TF" + asg_name = "asg-qs" + + // --- Network Configuration --- + vpc_cidr = "10.0.0.0/16" + public_subnets_map = { + "us-east-1a" = 1 + "us-east-1b" = 2 + } + private_subnets_map = { + "us-east-1a" = 3 + "us-east-1b" = 4 + } + subnets_bit_length = 8 + + // --- General Settings --- + key_name = "publickey" + enable_volume_encryption = true + enable_instance_connect = false + disable_instance_termination = false + allow_upload_download = true + provision_tag = "quickstart" + load_balancers_type = "Network Load Balancer" + LB_protocol = "TCP" + certificate = "arn:aws:iam::12345678:server-certificate/certificate" + service_port = "80" + admin_shell = "/etc/cli.sh" + + // --- Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration --- + gateway_instance_type = "c5.xlarge" + gateways_min_group_size = 2 + 
gateways_max_group_size = 8 + gateway_version = "R81.20-BYOL" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 the gateway_password_hash is used also as maintenance-mode password. + gateway_SICKey = "12345678" + enable_cloudwatch = false + + // --- Check Point CloudGuard Network Security Management Server Configuration --- + management_deploy = true + management_instance_type = "m5.xlarge" + management_version = "R81.20-BYOL" + management_password_hash = "" + management_maintenance_mode_password_hash = "" # For R81.10 the management_password_hash is used also as maintenance-mode password. + gateways_policy = "Standard" + gateways_blades = true + admin_cidr = "0.0.0.0/0" + gateways_addresses = "0.0.0.0/0" + + // --- Web Servers Auto Scaling Group Configuration --- + servers_deploy = true + servers_instance_type = "t3.micro" + server_ami = "ami-12345abc" + ``` + +- Conditional creation + - To enable cloudwatch for ASG: + ``` + enable_cloudwatch = true + ``` + Note: enabling cloudwatch will automatically create IAM role with cloudwatch:PutMetricData permission + - To deploy Security Management Server: + ``` + management_deploy = true + ``` + - To deploy web servers: + ``` + servers_deploy = true + ``` + - To create an ASG configuration without a proxy ELB: + ``` + proxy_elb_type= "none" + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + +## Inputs + +| Name | Description | Type | Allowed values | Default | Required | 
+|-------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|----------| +| prefix | (Optional) Instances name prefix | string | n/a | "" | no | +| asg_name | Autoscaling Group name | string | n/a | Check-Point-ASG-tf | no | +| vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | +| public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | +| private_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 2} ) | map | n/a | n/a | yes | +| subnets_bit_length | Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20 | number | n/a | n/a | yes | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. 
Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| provision_tag | The tag is used by the Security Management Server to automatically provision the Security Gateways. Must be up to 12 alphanumeric characters and unique for each Quick Start deployment | string | n/a | quickstart | no | +| load_balancers_type | Use Network Load Balancer if you wish to preserve the source IP address and Application Load Balancer if you wish to use content based routing | string | - Network Load Balancer
- Application Load Balancer
| Network Load Balancer | no | +| load_balancer_protocol | The protocol to use on the Load Balancer | string | Network Load Balancer:
- TCP
- TLS
- UDP
- TCP_UDP

Application Load Balancer:
- HTTP
- HTTPS | TCP | yes | +| certificate | Amazon Resource Name (ARN) of an HTTPS Certificate, ignored if the selected protocol is HTTP | string | n/a | n/a | no | +| service_port | The external Load Balancer listens to this port. Leave this field blank to use default ports: 80 for HTTP and 443 for HTTPS | string | n/a | n/a | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateways_subnets | Select at least 2 public subnets in the VPC. If you choose to deploy a Security Management Server it will be deployed in the first subnet | list(string) | n/a | n/a | yes | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | +| gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | +| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | +| management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | +| management_version | The license to install on the Security Management Server | string | - R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG | R81.20-BYOL | no | +| management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateways_policy | The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group | string | n/a | Standard | no | +| gateways_blades | Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (additional Blades can be manually turned on later) | bool | true/false | true | no | +| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| servers_deploy | Select 'true' to deploy web servers and an internal Application Load Balancer. If you select 'false' the other parameters of this section will be ignored | bool | true/false | false | no | +| servers_subnets | Provide at least 2 private subnet IDs in the chosen VPC, separated by commas (e.g. subnet-0d72417c,subnet-1f61306f,subnet-1061d06f). | list(string) | n/a | n/a | yes | +| servers_instance_type | The EC2 instance type for the web servers | string | - t3.nano
- t3.micro
- t3.small
- t3.medium
- t3.large
- t3.xlarge
- t3.2xlarge | t3.micro | no | +| server_ami | The Amazon Machine Image ID of a preconfigured web server (e.g. ami-0dc7dc63) | string | n/a | n/a | yes | +| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | + + + +## Outputs +| Name | Description | +|----------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| vpc_id | The id of the deployed vpc | +| public_subnets_ids_list | A list of the public subnets ids | +| private_subnets_ids_list | A list of the private subnets ids | +| public_rout_table | The public route table id | +| internal_port | The internal Load Balancer should listen to this port | +| management_name | The deployed Security Management AWS instance name | +| load_balancer_url | The URL of the external Load Balancer | +| external_load_balancer_arn | The external Load Balancer ARN | +| internal_load_balancer_arn | The internal Load Balancer ARN | +| external_lb_target_group_arn | The external Load Balancer Target Group ARN | +| internal_lb_target_group_arn | The internal Load Balancer Target Group ARN | +| autoscale_autoscaling_group_name | The name of 
the deployed AutoScaling Group | +| autoscale_autoscaling_group_arn | The ARN for the deployed AutoScaling Group | +| autoscale_security_group_id | The deployed AutoScaling Group's security group id | +| autoscale_iam_role_name | The deployed AutoScaling Group's IAM role name (if created) | +| configuration_template | The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name | +| controller_name | The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + + +| Template Version | Description | +|------------------|---------------------------------------------------------------------------------------| +| 20210309 | First release of Check Point Quick Start Auto Scaling Master Terraform module for AWS | +| 20220606 | New instance type support | +| 20221123 | R81.20 version support | +| 20221226 | Support ASG Launch Template instead of Launch Configuration | +| 20230806 | Add support for c6in instance type | +| 20230829 | Change default Check Point version to R81.20 | +| 20230914 | Add support for maintenance mode password | +| 20230923 | Add support for C5d instance type | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20231127 | Add support for parameter admin shell | +| 20240425 | Remove support for R81 and lower versions | +| 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details 
diff --git a/terraform/aws/qs-autoscale-master/locals.tf b/terraform/aws/qs-autoscale-master/locals.tf
new file mode 100755
index 00000000..e23f58a2
--- /dev/null
+++ b/terraform/aws/qs-autoscale-master/locals.tf
@@ -0,0 +1,63 @@
+locals {
+ regex_valid_vpc_cidr = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$"
+ // Will fail if var.vpc_cidr is invalid
+ regex_vpc_cidr = regex(local.regex_valid_vpc_cidr, var.vpc_cidr) == var.vpc_cidr ? 0 : "Variable [vpc_cidr] must be a valid vpc cidr"
+
+ regex_valid_provision_tag = "^[a-zA-Z0-9-]{1,12}$"
+ // Will fail if var.provision_tag is invalid
+ regex_provision_tag = regex(local.regex_valid_provision_tag, var.provision_tag) == var.provision_tag ? 0 : "Variable [provision_tag] must be up to 12 alphanumeric characters and unique for each Quick Start deployment"
+
+ load_balancers_type_allowed_values = [
+ "Network Load Balancer",
+ "Application Load Balancer"]
+ // Will fail if var.load_balancers_type is invalid
+ validate_load_balancers_type = index(local.load_balancers_type_allowed_values, var.load_balancers_type)
+
+ lb_protocol_allowed_values = var.load_balancers_type == "Network Load Balancer" ? [
+ "TCP",
+ "TLS",
+ "UDP",
+ "TCP_UDP"] : [
+ "HTTP",
+ "HTTPS"]
+ // Will fail if var.load_balancer_protocol is invalid
+ validate_lb_protocol = index(local.lb_protocol_allowed_values, var.load_balancer_protocol)
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+
+ regex_valid_certificate = "^(arn:aws:[a-z]+::[0-9]{12}:server-certificate/[a-zA-Z0-9-]*)?$"
+ // Will fail if var.certificate is invalid
+ regex_certificate = regex(local.regex_valid_certificate, var.certificate) == var.certificate ? 0 : "Variable [certificate] must be a valid Amazon Resource Name (ARN), for example: arn:aws:iam::123456789012:server-certificate/web-server-certificate"
+
+ regex_valid_service_port = "^([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])?$"
+ // Will fail if var.service_port is invalid
+ regex_service_port = regex(local.regex_valid_service_port, var.service_port) == var.service_port ? 0 : "Custom service port must be a number between 0 and 65535"
+
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash."
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
+ regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SIC_Key is invalid
+ regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters."
+
+ regex_valid_management_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_management_password_hash = regex(local.regex_valid_management_password_hash, var.management_password_hash) == var.management_password_hash ? 0 : "Variable [management_password_hash] must be a valid password hash."
+
+ regex_valid_admin_cidr = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$"
+ // Will fail if var.admin_cidr is invalid
+ regex_admin_cidr = regex(local.regex_valid_admin_cidr, var.admin_cidr) == var.admin_cidr ? 0 : "Variable [admin_cidr] must be a valid CIDR."
+
+ regex_valid_gateways_addresses = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$"
+ // Will fail if var.gateways_addresses is invalid
+ regex_gateways_addresses = regex(local.regex_valid_gateways_addresses, var.gateways_addresses) == var.gateways_addresses ? 0 : "Variable [gateways_addresses] must be a valid gateways addresses."
+
+
+ regex_valid_server_ami = "^(ami-(([0-9a-f]{8})|([0-9a-f]{17})))?$"
+ // Will fail if var.server_ami is invalid
+ regex_server_ami = regex(local.regex_valid_server_ami, var.server_ami) == var.server_ami ? 0 : "Amazon Machine Image ID must be in the form ami-xxxxxxxx or ami-xxxxxxxxxxxxxxxxx"
+}
\ No newline at end of file
diff --git a/terraform/aws/qs-autoscale-master/main.tf b/terraform/aws/qs-autoscale-master/main.tf
new file mode 100755
index 00000000..9c7eada0
--- /dev/null
+++ b/terraform/aws/qs-autoscale-master/main.tf
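Review bot: The message strings in these locals can never reach the user: every pattern is anchored with `^...$`, so `regex()` either returns the whole input (and the ternary yields `0`) or raises Terraform's generic no-match error before the string branch is evaluated, and the two `index()` calls fail the same way. Since none of these locals is referenced anywhere visible, the checks also rely on Terraform evaluating every local during plan; moving each one into a `validation` block on its variable (`condition = can(regex(local.regex_valid_admin_cidr, var.admin_cidr))` plus `error_message`) would both surface the intended wording and make the gate explicit. Two copy-paste slips on top of that: the SIC key message names `[gateway_SIC_Key]` while the variable is `gateway_SICKey`, and the comment above `regex_management_password_hash` should read `// Will fail if var.management_password_hash is invalid`. Note also that `regex_valid_admin_cidr` accepts `0.0.0.0/0`, which is the value the shipped terraform.tfvars uses.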
@@ -0,0 +1,60 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+module "launch_vpc" {
+ source = "../modules/vpc"
+
+ vpc_cidr = var.vpc_cidr
+ public_subnets_map = var.public_subnets_map
+ private_subnets_map = var.private_subnets_map
+ subnets_bit_length = var.subnets_bit_length
+}
+
+module "launch_qs_autoscale" {
+ source = "../qs-autoscale"
+ providers = {
+ aws = aws
+ }
+
+ region = var.region
+ prefix = var.prefix
+ asg_name = var.asg_name
+ vpc_id = module.launch_vpc.vpc_id
+ key_name = var.key_name
+ enable_volume_encryption = var.enable_volume_encryption
+ enable_instance_connect = var.enable_instance_connect
+ disable_instance_termination = var.disable_instance_termination
+ metadata_imdsv2_required = var.metadata_imdsv2_required
+ allow_upload_download = var.allow_upload_download
+ provision_tag = var.provision_tag
+ load_balancers_type = var.load_balancers_type
+ load_balancer_protocol = var.load_balancer_protocol
+ certificate = var.certificate
+ service_port = var.service_port
+ admin_shell = var.admin_shell
+ gateways_subnets = module.launch_vpc.public_subnets_ids_list
+ gateway_instance_type = var.gateway_instance_type
+ gateways_min_group_size = var.gateways_min_group_size
+ gateways_max_group_size = var.gateways_max_group_size
+ gateway_version = var.gateway_version
+ gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
+ gateway_SICKey = var.gateway_SICKey
+ enable_cloudwatch = var.enable_cloudwatch
+ management_deploy = var.management_deploy
+ management_instance_type = var.management_instance_type
+ management_version = var.management_version
+ management_password_hash = var.gateway_password_hash
+ management_maintenance_mode_password_hash = var.management_maintenance_mode_password_hash
+ gateways_policy = var.gateways_policy
+ gateways_blades = var.gateways_blades
+ admin_cidr = var.admin_cidr
+ gateways_addresses = var.gateways_addresses
+ servers_deploy= var.servers_deploy
+ servers_subnets = module.launch_vpc.private_subnets_ids_list
+ servers_instance_type = var.servers_instance_type
+ server_ami = var.server_ami
+}
\ No newline at end of file
diff --git a/terraform/aws/qs-autoscale-master/output.tf b/terraform/aws/qs-autoscale-master/output.tf
new file mode 100755
index 00000000..1130dfe0
--- /dev/null
+++ b/terraform/aws/qs-autoscale-master/output.tf
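Review bot: `management_password_hash = var.gateway_password_hash` passes the gateways' admin password hash to the Security Management Server instead of `var.management_password_hash`, so the value a user sets for the management server in terraform.tfvars is silently ignored and the management admin account receives whatever the gateway hash is (empty in the shipped tfvars). The line should read `management_password_hash = var.management_password_hash`. The `management_maintenance_mode_password_hash` line directly below already uses the correct variable, which suggests a copy-paste slip rather than intent.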
@@ -0,0 +1,58 @@
+output "Deployment" {
+ value = module.launch_qs_autoscale.Deployment
+}
+
+output "vpc_id" {
+ value = module.launch_vpc.vpc_id
+}
+output "public_subnets_ids_list" {
+ value = module.launch_vpc.public_subnets_ids_list
+}
+output "private_subnets_ids_list" {
+ value = module.launch_vpc.private_subnets_ids_list
+}
+output "public_rout_table" {
+ value = module.launch_vpc.public_rtb
+}
+
+output "management_name" {
+ value = module.launch_qs_autoscale.management_name
+}
+output "internal_port" {
+ value = module.launch_qs_autoscale.internal_port
+}
+output "load_balancer_url" {
+ value = module.launch_qs_autoscale.load_balancer_url
+}
+output "external_load_balancer_arn" {
+ value = module.launch_qs_autoscale.external_load_balancer_arn
+}
+output "internal_load_balancer_arn" {
+ value = module.launch_qs_autoscale.internal_load_balancer_arn
+}
+output "external_lb_target_group_arn" {
+ value = module.launch_qs_autoscale.external_lb_target_group_arn
+}
+output "internal_lb_target_group_arn" {
+ value = module.launch_qs_autoscale.internal_lb_target_group_arn
+}
+
+output "autoscale_autoscaling_group_name" {
+ value = module.launch_qs_autoscale.autoscale_autoscaling_group_name
+}
+output "autoscale_autoscaling_group_arn" {
+ value = module.launch_qs_autoscale.autoscale_autoscaling_group_arn
+}
+output "autoscale_security_group_id" {
+ value = module.launch_qs_autoscale.autoscale_security_group_id
+}
+output "autoscale_iam_role_name" {
+ value = module.launch_qs_autoscale.autoscale_iam_role_name
+}
+
+output "configuration_template" {
+ value = module.launch_qs_autoscale.configuration_template
+}
+output "controller_name" {
+ value = module.launch_qs_autoscale.controller_name
+}
diff --git a/terraform/aws/qs-autoscale-master/terraform.tfvars b/terraform/aws/qs-autoscale-master/terraform.tfvars
new file mode 100755
index 00000000..37a07774
--- /dev/null
+++ b/terraform/aws/qs-autoscale-master/terraform.tfvars
@@ -0,0 +1,57 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- Environment ---
+prefix = "TF"
+asg_name = "asg-qs"
+
+// --- Network Configuration ---
+vpc_cidr = "10.0.0.0/16"
+public_subnets_map = {
+ "us-east-1a" = 1
+ "us-east-1b" = 2
+}
+private_subnets_map = {
+ "us-east-1a" = 3
+ "us-east-1b" = 4
+}
+subnets_bit_length = 8
+
+// --- General Settings ---
+key_name = "publickey"
+enable_volume_encryption = true
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+allow_upload_download = true
+provision_tag = "quickstart"
+load_balancers_type = "Application Load Balancer"
+load_balancer_protocol = "HTTP"
+certificate = ""
+service_port = "80"
+admin_shell = "/etc/cli.sh"
+
+// --- Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration ---
+gateway_instance_type = "c5.xlarge"
+gateways_min_group_size = 2
+gateways_max_group_size = 8
+gateway_version = "R81.20-BYOL"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 the gateway_password_hash is used also as maintenance-mode password.
+gateway_SICKey = "12345678"
+enable_cloudwatch = true
+
+// --- Check Point CloudGuard Network Security Management Server Configuration ---
+management_deploy = true
+management_instance_type = "m5.xlarge"
+management_version = "R81.20-BYOL"
+management_password_hash = ""
+management_maintenance_mode_password_hash = "" # For R81.10 the management_password_hash is used also as maintenance-mode password.
+gateways_policy = "Standard"
+gateways_blades = true
+admin_cidr = "0.0.0.0/0"
+gateways_addresses = "0.0.0.0/0"
+
+// --- Web Servers Auto Scaling Group Configuration ---
+servers_deploy = true
+servers_instance_type = "t3.micro"
+server_ami = "ami-12345abc"
\ No newline at end of file
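Review bot: The committed example sets `admin_cidr = "0.0.0.0/0"` and `gateways_addresses = "0.0.0.0/0"`, which by the variable descriptions in this same commit admit web, SSH and GUI client traffic to the Security Management Server from any source address; since this tfvars file is what users copy and apply as-is, those two lines should carry a placeholder that cannot be applied by accident, e.g. `admin_cidr = "<your admin network>/32" # restrict to the operator network before applying`. The same applies to `gateway_SICKey = "12345678"`, which is exactly the minimum the SIC-key regex in locals.tf accepts and will be deployed verbatim if left unchanged; a comment such as `# placeholder – replace with a random value of at least 8 alphanumeric characters` on that line would make the intent clear. The `server_ami = "ami-12345abc"` placeholder is fine as written because it cannot resolve to a real image, which is the property the other two values lack.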
diff --git a/terraform/aws/qs-autoscale-master/variables.tf b/terraform/aws/qs-autoscale-master/variables.tf
new file mode 100755
index 00000000..317b1c94
--- /dev/null
+++ b/terraform/aws/qs-autoscale-master/variables.tf
@@ -0,0 +1,240 @@ +// Module: Check Point CloudGuard Network Quick Start Auto Scaling +//Deploy a Check Point CloudGuard Network Security Gateways Auto Scaling Group, an external ALB/NLB, and optionally a Security Management Server and a web server Auto Scaling Group in a new VPC. + +// --- AWS Provider --- +variable "region" { + type = string + description = "AWS region" + default = "" +} +variable "access_key" { + type = string + description = "AWS access key" + default = "" +} +variable "secret_key" { + type = string + description = "AWS secret key" + default = "" +} + +// --- Environment --- +variable "prefix" { + type = string + description = "(Optional) Instances name prefix" + default = "" +} +variable "asg_name" { + type = string + description = "Autoscaling Group name" + default = "Check-Point-ASG-tf" +} +// --- Network Configuration --- +variable "vpc_cidr" { + type = string + description = "The CIDR block of the VPC" + default = "10.0.0.0/16" +} +variable "public_subnets_map" { + type = map(string) + description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1} ) " +} +variable "private_subnets_map" { + type = map(string) + description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 2} ) " + +} +variable "subnets_bit_length" { + type = number + description = "Number of additional bits with which to extend the vpc cidr. 
For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20" +} + +// --- General Settings --- +variable "key_name" { + type = string + description = "The EC2 Key Pair name to allow SSH access to the instance" +} +variable "enable_volume_encryption" { + type = bool + description = "Encrypt Environment instances volume with default AWS KMS key" + default = true +} +variable "enable_instance_connect" { + type = bool + description = "Enable SSH connection over AWS web console" + default = false +} +variable "disable_instance_termination" { + type = bool + description = "Prevents an instance from accidental termination" + default = false +} +variable "metadata_imdsv2_required" { + type = bool + description = "Set true to deploy the instance with metadata v2 token required" + default = true +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + default = true +} +variable "provision_tag" { + type = string + description = "The tag is used by the Security Management Server to automatically provision the Security Gateways. Must be up to 12 alphanumeric characters and unique for each Quick Start deployment" + default = "quickstart" +} +variable "load_balancers_type" { + type = string + description = "Use Network Load Balancer if you wish to preserve the source IP address and Application Load Balancer if you wish to use content based routing" + default = "Network Load Balancer" +} +variable "load_balancer_protocol" { + type = string + description = "The protocol to use on the Load Balancer" +} +variable "certificate" { + type = string + description = "Amazon Resource Name (ARN) of an HTTPS Certificate, ignored if the selected protocol is HTTP" +} +variable "service_port" { + type = string + description = "The external Load Balancer listens to this port. 
Leave this field blank to use default ports: 80 for HTTP and 443 for HTTPS" +} +variable "admin_shell" { + type = string + description = "Set the admin shell to enable advanced command line configuration" + default = "/etc/cli.sh" +} + +// --- Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration --- +variable "gateway_instance_type" { + type = string + description = "The instance type of the Security Gateways" + default = "c5.xlarge" +} +module "validate_gateway_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "gateway" + instance_type = var.gateway_instance_type +} +variable "gateways_min_group_size" { + type = number + description = "The minimal number of Security Gateways" + default = 2 +} +variable "gateways_max_group_size" { + type = number + description = "The maximal number of Security Gateways" + default = 10 +} +variable "gateway_version" { + type = string + description = "Gateway version and license" + default = "R81.20-BYOL" +} +module "validate_gateway_version" { + source = "../modules/common/version_license" + + chkp_type = "gateway" + version_license = var.gateway_version +} +variable "gateway_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" + default = "" +} +variable "gateway_maintenance_mode_password_hash" { + description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)." + type = string + default = "" +} +variable "gateway_SICKey" { + type = string + description = "The Secure Internal Communication key for trusted connection between Check Point components. 
Choose a random string consisting of at least 8 alphanumeric characters" +} +variable "enable_cloudwatch" { + type = bool + description = "Report Check Point specific CloudWatch metrics" + default = false +} + +// --- Check Point CloudGuard Network Security Management Server Configuration --- +variable "management_deploy" { + type = bool + description = "Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section" + default = true +} +variable "management_instance_type" { + type = string + description = "The EC2 instance type of the Security Management Server" + default = "m5.xlarge" +} +module "validate_management_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "management" + instance_type = var.management_instance_type +} +variable "management_version" { + type = string + description = "The license to install on the Security Management Server" + default = "R81.20-BYOL" +} +module "validate_management_version" { + source = "../modules/common/version_license" + + chkp_type = "management" + version_license = var.management_version +} +variable "management_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" + default = "" +} +variable "management_maintenance_mode_password_hash" { + description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)." 
+ type = string + default = "" +} +variable "gateways_policy" { + type = string + description = "The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group" + default = "Standard" +} +variable "gateways_blades" { + type = bool + description = "Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (additional Blades can be manually turned on later)" + default = true +} +variable "admin_cidr" { + type = string + description = "Allow web, ssh, and graphical clients only from this network to communicate with the Security Management Server" +} +variable "gateways_addresses" { + type = string + description = "Allow gateways only from this network to communicate with the Security Management Server" +} + +// --- Web Servers Auto Scaling Group Configuration --- +variable "servers_deploy" { + type = bool + description = "Select 'true' to deploy web servers and an internal Application Load Balancer. If you select 'false' the other parameters of this section will be ignored" + default = false +} +variable "servers_instance_type" { + type = string + description = "The EC2 instance type for the web servers" + default = "t3.micro" +} +module "validate_servers_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "server" + instance_type = var.servers_instance_type +} +variable "server_ami" { + type = string + description = "The Amazon Machine Image ID of a preconfigured web server (e.g. ami-0dc7dc63)" +} diff --git a/terraform/aws/qs-autoscale-master/versions.tf b/terraform/aws/qs-autoscale-master/versions.tf new file mode 100755 index 00000000..dbebf275 --- /dev/null +++ b/terraform/aws/qs-autoscale-master/versions.tf @@ -0,0 +1,15 @@ +terraform { + required_version = ">= 0.14.3" + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.20.0" + } + http = { + version = "~> 3.4.0" + } + random = { + version = "~> 3.5.1" + } + } +} 
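Review bot: The secret-bearing variables in this hunk — `access_key`, `secret_key`, `gateway_password_hash`, `gateway_maintenance_mode_password_hash`, `gateway_SICKey`, `management_password_hash` and `management_maintenance_mode_password_hash` — are declared as plain strings without `sensitive = true`, so Terraform will print their values in plan and apply output and in any output that passes them through. versions.tf in this same commit pins `required_version = ">= 0.14.3"`, which is recent enough for the `sensitive` argument, so each of those variable blocks should gain the line `sensitive = true`. The empty-string defaults on `access_key` and `secret_key` mean an unset value silently falls back to whatever the provider resolves from the environment, which may be intended but deserves a sentence in those descriptions. The `module "validate_..."` blocks are interleaved between the variable declarations; keeping them grouped together at the end of the file, or in main.tf, would make the variable list easier to audit against the README table.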
diff --git a/terraform/aws/qs-autoscale/README.md b/terraform/aws/qs-autoscale/README.md
new file mode 100755
index 00000000..adadaeff
--- /dev/null
+++ b/terraform/aws/qs-autoscale/README.md
@@ -0,0 +1,239 @@ +# Check Point CloudGuard Network Quick Start Auto Scaling Terraform module for AWS + +Terraform module which deploys a Check Point CloudGuard Network Security Gateway Auto Scaling Group, an external ALB/NLB, and optionally a Security Management Server and a web server Auto Scaling Group. + +These types of Terraform resources are supported: +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) +* [Security Group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [Load Balancer](https://www.terraform.io/docs/providers/aws/r/lb.html) +* [Load Balancer Target Group](https://www.terraform.io/docs/providers/aws/r/lb_target_group.html) +* [Launch template](https://www.terraform.io/docs/providers/aws/r/launch_template.html) +* [Auto Scaling Group](https://www.terraform.io/docs/providers/aws/r/autoscaling_group.html) +* [IAM Role](https://www.terraform.io/docs/providers/aws/r/iam_role.html) - conditional creation + +See the [Check Point CloudGuard Auto Scaling on AWS](https://aws.amazon.com/quickstart/architecture/check-point-cloudguard/) for additional information + +This solution uses the following modules: +- /terraform/aws/autoscale +- /terraform/aws/modules/custom-autoscale +- /terraform/aws/management +- /terraform/aws/cme-iam-role + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.aws_access_key_ID + secret_key = var.aws_secret_access_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). 
+- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/qs-autoscale/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Static credentials are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/autoscale, /terraform/aws/management and /terraform/aws/cme-iam-role: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.aws_access_key_ID + // secret_key = var.aws_secret_access_key + } + ``` + b. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/autoscale, /terraform/aws/management and /terraform/aws/cme-iam-role: + ``` + provider "aws" { + // region = var.region + // access_key = var.aws_access_key_ID + // secret_key = var.aws_secret_access_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/qs-autoscale/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +- Variables are configured in /terraform/aws/qs-autoscale/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- Environment --- + prefix = "TF" + asg_name = "asg-qs" + + // --- General Settings --- + vpc_id = "vpc-12345678" + key_name = "publickey" + enable_volume_encryption = true + enable_instance_connect = false + disable_instance_termination = false + allow_upload_download = true + provision_tag = "quickstart" + load_balancers_type = "Application Load Balancer" + load_balancer_protocol = "HTTP" + certificate = "" + service_port = "80" + admin_shell = "/etc/cli.sh" + + // --- Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration --- + gateways_subnets = ["subnet-123b5678", "subnet-123a4567"] + gateway_instance_type = "c5.xlarge" + gateways_min_group_size = 2 + gateways_max_group_size = 8 + gateway_version = "R81.20-BYOL" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 the 
gateway_password_hash is used also as maintenance-mode password. + gateway_SICKey = "12345678" + enable_cloudwatch = true + + // --- Check Point CloudGuard Network Security Management Server Configuration --- + management_deploy = true + management_instance_type = "m5.xlarge" + management_version = "R81.20-BYOL" + management_password_hash = "" + management_maintenance_mode_password_hash = "" # For R81.10 the management_password_hash is used also as maintenance-mode password. + gateways_policy = "Standard" + gateways_blades = true + admin_cidr = "0.0.0.0/0" + gateways_addresses = "0.0.0.0/0" + + // --- Web Servers Auto Scaling Group Configuration --- + servers_deploy = false + servers_subnets = ["subnet-1234abcd", "subnet-56789def"] + servers_instance_type = "t3.micro" + server_ami = "ami-12345678" + ``` + +- Conditional creation + - To enable cloudwatch for ASG: + ``` + enable_cloudwatch = true + ``` + Note: enabling cloudwatch will automatically create IAM role with cloudwatch:PutMetricData permission + - To deploy Security Management Server: + ``` + management_deploy = true + ``` + - To deploy web servers: + ``` + servers_deploy = true + ``` + - To create an ASG configuration without a proxy ELB: + ``` + proxy_elb_type= "none" + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + +## Inputs + +| Name | Description | Type | Allowed values | Default | Required | 
+|-------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|----------| +| prefix | (Optional) Instances name prefix | string | n/a | "" | no | +| asg_name | Autoscaling Group name | string | n/a | Check-Point-ASG-tf | no | +| vpc_id | Select an existing VPC | string | n/a | n/a | yes | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| provision_tag | The tag is used by the Security Management Server to automatically provision the Security Gateways. 
Must be up to 12 alphanumeric characters and unique for each Quick Start deployment | string | n/a | quickstart | no | +| load_balancers_type | Use Network Load Balancer if you wish to preserve the source IP address and Application Load Balancer if you wish to use content based routing | string | - Network Load Balancer
- Application Load Balancer
| Network Load Balancer | no | +| load_balancer_protocol | The protocol to use on the Load Balancer | string | Network Load Balancer:
- TCP
- TLS
- UDP
- TCP_UDP

Application Load Balancer:
- HTTP
- HTTPS | TCP | yes | +| certificate | Amazon Resource Name (ARN) of an HTTPS Certificate, ignored if the selected protocol is HTTP | string | n/a | n/a | no | +| service_port | The external Load Balancer listens to this port. Leave this field blank to use default ports: 80 for HTTP and 443 for HTTPS | string | n/a | n/a | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateways_subnets | Select at least 2 public subnets in the VPC. If you choose to deploy a Security Management Server it will be deployed in the first subnet | list(string) | n/a | n/a | yes | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | +| gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | +| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | +| management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | +| management_version | The license to install on the Security Management Server | string | - R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG | R81.20-BYOL | no | +| management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateways_policy | The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group | string | n/a | Standard | no | +| gateways_blades | Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (additional Blades can be manually turned on later) | bool | true/false | true | no | +| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| servers_deploy | Select 'true' to deploy web servers and an internal Application Load Balancer. If you select 'false' the other parameters of this section will be ignored | bool | true/false | false | no | +| servers_subnets | Provide at least 2 private subnet IDs in the chosen VPC, separated by commas (e.g. subnet-0d72417c,subnet-1f61306f,subnet-1061d06f). | list(string) | n/a | n/a | yes | +| servers_instance_type | The EC2 instance type for the web servers | string | - t3.nano
- t3.micro
- t3.small
- t3.medium
- t3.large
- t3.xlarge
- t3.2xlarge | t3.micro | no | +| server_ami | The Amazon Machine Image ID of a preconfigured web server (e.g. ami-0dc7dc63) | string | n/a | n/a | yes | +| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | + + +## Outputs +| Name | Description | +|----------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| management_name | The deployed Security Management AWS instance name | +| internal_port | The internal Load Balancer should listen to this port | +| load_balancer_url | The URL of the external Load Balancer | +| external_load_balancer_arn | The external Load Balancer ARN | +| internal_load_balancer_arn | The internal Load Balancer ARN | +| external_LB_target_group_arn | The external Load Balancer Target Group ARN | +| internal_LB_target_group_arn | The internal Load Balancer Target Group ARN | +| autoscale_autoscaling_group_name | The name of the deployed AutoScaling Group | +| autoscale_autoscaling_group_arn | The ARN for the deployed AutoScaling Group | +| autoscale_security_group_id | The deployed AutoScaling Group's security group id | +| 
autoscale_iam_role_name | The deployed AutoScaling Group's IAM role name (if created) | +| configuration_template | The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name | +| controller_name | The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|-------------------------------------------------------------------------------------------------------------------------------------| +| 20210309 | First release of Check Point Quick Start Auto Scaling Terraform module for AWS | +| 20210329 | Stability fixes | +| 20220606 | New instance type support | +| 20221123 | R81.20 version support | +| 20221226 | Support ASG Launch Template instead of Launch Configuration | +| 20230806 | Add support for c6in instance type | +| 20230829 | Change default Check Point version to R81.20 | +| 20230914 | Add support for maintenance mode password | +| 20230923 | Add support for C5d instance type | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20231022 | Fixed template to populate x-chkp-tags correctly | +| 20231127 | Add support for parameter admin shell | +| 20240130 | Network Load Balancer Health Check configuration change for higher than R81 version. 
New Health Check Port is 8117 and Protocol TCP | +| 20240425 | Remove support for R81 and lower versions | +| 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/terraform/aws/qs-autoscale/locals.tf b/terraform/aws/qs-autoscale/locals.tf new file mode 100755 index 00000000..2ecac5dd --- /dev/null +++ b/terraform/aws/qs-autoscale/locals.tf 
@@ -0,0 +1,71 @@
+locals {
+ load_balancer_name = format("%sLB", var.prefix != "" ? format("%s-", var.prefix) : "")
+ target_group_name = format("%sTG", var.prefix != "" ? format("%s-", var.prefix) : "")
+ regex_valid_provision_tag = "^[a-zA-Z0-9-]{1,12}$"
+ // Will fail if var.provision_tag is invalid
+ regex_provision_tag = regex(local.regex_valid_provision_tag, var.provision_tag) == var.provision_tag ? 0 : "Variable [provision_tag] must be up to 12 alphanumeric characters and unique for each Quick Start deployment"
+
+ load_balancers_type_allowed_values = [
+ "Network Load Balancer",
+ "Application Load Balancer"
+ ]
+ // Will fail if var.load_balancers_type is invalid
+ validate_load_balancers_type = index(local.load_balancers_type_allowed_values, var.load_balancers_type)
+
+ lb_protocol_allowed_values = var.load_balancers_type == "Network Load Balancer" ? [
+ "TCP",
+ "TLS",
+ "UDP",
+ "TCP_UDP"
+ ] : [
+ "HTTP",
+ "HTTPS"
+ ]
+ // Will fail if var.load_balancer_protocol is invalid
+ validate_lb_protocol = index(local.lb_protocol_allowed_values, var.load_balancer_protocol)
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+
+ regex_valid_certificate = "^(arn:aws:[a-z]+::[0-9]{12}:server-certificate/[a-zA-Z0-9-]*)?$"
+ // Will fail if var.certificate is invalid
+ regex_certificate = regex(local.regex_valid_certificate, var.certificate) == var.certificate ? 0 : "Variable [certificate] must be a valid Amazon Resource Name (ARN), for example: arn:aws:iam::123456789012:server-certificate/web-server-certificate"
+
+ regex_valid_service_port = "^([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])?$"
+ // Will fail if var.service_port is invalid
+ regex_service_port = regex(local.regex_valid_service_port, var.service_port) == var.service_port ? 0 : "Custom service port must be a number between 0 and 65535"
+
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash."
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
+ regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SIC_Key is invalid
+ regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters."
+
+ regex_valid_management_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_management_password_hash = regex(local.regex_valid_management_password_hash, var.management_password_hash) == var.management_password_hash ? 0 : "Variable [management_password_hash] must be a valid password hash."
+ regex_management_maintenance_mode_password_hash = regex(local.regex_valid_management_password_hash, var.management_maintenance_mode_password_hash) == var.management_maintenance_mode_password_hash ? 0 : "Variable [management_maintenance_mode_password_hash] must be a valid password hash"
+
+ regex_valid_admin_cidr = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$"
+ // Will fail if var.admin_cidr is invalid
+ regex_admin_cidr = regex(local.regex_valid_admin_cidr, var.admin_cidr) == var.admin_cidr ? 0 : "Variable [admin_cidr] must be a valid CIDR."
+
+ regex_valid_gateways_addresses = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$"
+ // Will fail if var.gateways_addresses is invalid
+ regex_gateways_addresses = regex(local.regex_valid_gateways_addresses, var.gateways_addresses) == var.gateways_addresses ? 0 : "Variable [gateways_addresses] must be a valid gateways addresses."
+
+ regex_valid_server_ami = "^(ami-(([0-9a-f]{8})|([0-9a-f]{17})))?$"
+ // Will fail if var.server_ami is invalid
+ regex_server_ami = regex(local.regex_valid_server_ami, var.server_ami) == var.server_ami ? 0 : "Amazon Machine Image ID must be in the form ami-xxxxxxxx or ami-xxxxxxxxxxxxxxxxx"
+
+ alb_condition = var.load_balancers_type == "Application Load Balancer"
+ nlb_condition = var.load_balancers_type == "Network Load Balancer"
+ provided_port_condition = var.service_port != ""
+ encrypted_protocol_condition = (local.alb_condition && var.load_balancer_protocol == "HTTPS") || (local.nlb_condition && var.load_balancer_protocol == "TLS") ? true : false
+ deploy_management_condition = var.management_deploy == true
+ deploy_servers_condition = var.servers_deploy == true
+}
\ No newline at end of file
diff --git a/terraform/aws/qs-autoscale/main.tf b/terraform/aws/qs-autoscale/main.tf
new file mode 100755
index 00000000..7fa5f27f
--- /dev/null
+++ b/terraform/aws/qs-autoscale/main.tf
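Review bot: `regex_valid_certificate` only accepts an IAM server-certificate ARN in the `aws` partition (`arn:aws:<svc>::<account>:server-certificate/...`), so an ACM certificate ARN such as `arn:aws:acm:us-east-1:123456789012:certificate/<uuid>` — the form AWS recommends for ALB/NLB TLS listeners — fails the check, and `aws-us-gov`/`aws-cn` partitions are rejected too; since this value is what main.tf hands to the HTTPS/TLS listener, the validation makes the encrypted listener harder to enable than the plaintext one. Consider `regex_valid_certificate = "^(arn:aws[a-z-]*:(iam::[0-9]{12}:server-certificate/[a-zA-Z0-9_+=,.@-]+|acm:[a-z0-9-]+:[0-9]{12}:certificate/[0-9a-f-]+))?$"` and extending the example in the error message with an ACM ARN. Separately, the `== var.x ? 0 : "..."` tail on every `regex_*` local is inert — only `regex()` raising on no match fails the plan — so for the unanchored `regex_valid_key_name` a key name with trailing whitespace passes silently; anchoring it as `"^[\\S\\s]+[\\S]+$"` and adding `// regex() errors on no match; the ternary result is never read` would make the intent explicit.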
@@ -0,0 +1,165 @@ +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} + +resource "aws_security_group" "external_alb_security_group" { + count = local.alb_condition ? 1 : 0 + description = "External ALB security group" + vpc_id = var.vpc_id + + egress { + from_port = local.encrypted_protocol_condition ? 9443 : 9080 + protocol = "tcp" + to_port = local.encrypted_protocol_condition ? 9443 : 9080 + cidr_blocks = ["0.0.0.0/0"] + } + ingress { + from_port = local.provided_port_condition ? var.service_port : local.encrypted_protocol_condition ? 443 : 80 + protocol = "tcp" + to_port = local.provided_port_condition ? var.service_port : local.encrypted_protocol_condition ? 443 : 80 + cidr_blocks = ["0.0.0.0/0"] + } +} + +module "external_load_balancer" { + source = "../modules/common/load_balancer" + + load_balancers_type = var.load_balancers_type + instances_subnets = var.gateways_subnets + prefix_name = "${var.prefix}-External" + internal = false + security_groups = local.alb_condition ? [aws_security_group.external_alb_security_group[0].id] : [] + tags = {} + vpc_id = var.vpc_id + load_balancer_protocol = var.load_balancer_protocol + target_group_port = local.encrypted_protocol_condition ? 9443 : 9080 + listener_port = local.provided_port_condition ? var.service_port : local.encrypted_protocol_condition ? "443" : "80" + certificate_arn = local.encrypted_protocol_condition ? var.certificate : "" + health_check_port = var.load_balancers_type == "Network Load Balancer" ? 8117 : null + health_check_protocol = var.load_balancers_type == "Network Load Balancer" ? 
"TCP" : null +} + +module "autoscale" { + source = "../autoscale" + providers = { + aws = aws + } + + prefix = var.prefix + asg_name = var.asg_name + vpc_id = var.vpc_id + subnet_ids = var.gateways_subnets + gateway_name = "${var.provision_tag}-security-gateway" + gateway_instance_type = var.gateway_instance_type + key_name = var.key_name + enable_volume_encryption = var.enable_volume_encryption + enable_instance_connect = var.enable_instance_connect + metadata_imdsv2_required = var.metadata_imdsv2_required + minimum_group_size = var.gateways_min_group_size + maximum_group_size = var.gateways_max_group_size + target_groups = tolist([module.external_load_balancer.target_group_arn]) + gateway_version = var.gateway_version + admin_shell = var.admin_shell + gateway_password_hash = var.gateway_password_hash + gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash + gateway_SICKey = var.gateway_SICKey + allow_upload_download = var.allow_upload_download + enable_cloudwatch = var.enable_cloudwatch + gateway_bootstrap_script = "echo -e '\nStarting Bootstrap script\n'; echo 'Adding quickstart identifier to cloud-version'; cv_path='/etc/cloud-version'\n if test -f \"$cv_path\"; then sed -i '/template_name/c\\template_name: autoscale_qs' /etc/cloud-version; fi; cv_json_path='/etc/cloud-version.json'\n cv_json_path_tmp='/etc/cloud-version-tmp.json'\n if test -f \"$cv_json_path\"; then cat \"$cv_json_path\" | jq '.template_name = \"'\"autoscale_qs\"'\"' > \"$cv_json_path_tmp\"; mv \"$cv_json_path_tmp\" \"$cv_json_path\"; fi; echo -e '\nFinished Bootstrap script\n'" + management_server = "${var.provision_tag}-management" + configuration_template = "${var.provision_tag}-template" +} + +data "aws_region" "current"{} + +module "management" { + providers = { + aws = aws + } + count = local.deploy_management_condition ? 
1 : 0 + source = "../management" + + vpc_id = var.vpc_id + subnet_id = var.gateways_subnets[0] + management_name = "${var.provision_tag}-management" + management_instance_type = var.management_instance_type + key_name = var.key_name + volume_encryption = var.enable_volume_encryption ? "alias/aws/ebs" : "" + enable_instance_connect = var.enable_instance_connect + disable_instance_termination = var.disable_instance_termination + metadata_imdsv2_required = var.metadata_imdsv2_required + iam_permissions = "Create with read-write permissions" + management_version = var.management_version + admin_shell = var.admin_shell + management_password_hash = var.management_password_hash + management_maintenance_mode_password_hash = var.management_maintenance_mode_password_hash + allow_upload_download = var.allow_upload_download + admin_cidr = var.admin_cidr + gateway_addresses = var.gateways_addresses + management_bootstrap_script = "echo -e '\nStarting Bootstrap script\n'; echo 'Adding quickstart identifier to cloud-version'; cv_path='/etc/cloud-version'\n if test -f \"$cv_path\"; then sed -i '/template_name/c\\template_name: management_qs' /etc/cloud-version; fi; cv_json_path='/etc/cloud-version.json'\n cv_json_path_tmp='/etc/cloud-version-tmp.json'\n if test -f \"$cv_json_path\"; then cat \"$cv_json_path\" | jq '.template_name = \"'\"management_qs\"'\"' > \"$cv_json_path_tmp\"; mv \"$cv_json_path_tmp\" \"$cv_json_path\"; fi; echo 'Creating CME configuration'; autoprov_cfg -f init AWS -mn ${var.provision_tag}-management -tn ${var.provision_tag}-template -cn ${var.provision_tag}-controller -po ${var.gateways_policy} -otp ${var.gateway_SICKey} -r ${data.aws_region.current.name} -ver ${split("-", var.gateway_version)[0]} -iam; ${var.gateways_blades} && autoprov_cfg -f set template -tn ${var.provision_tag}-template -ips -appi -av -ab; echo -e '\nFinished Bootstrap script\n'" +} + +resource "aws_security_group" "internal_security_group" { + count = local.deploy_servers_condition ? 
1 : 0 + vpc_id = var.vpc_id + + egress { + from_port = local.provided_port_condition ? var.service_port : local.encrypted_protocol_condition ? 443 : 80 + protocol = "tcp" + to_port = local.provided_port_condition ? var.service_port : local.encrypted_protocol_condition ? 443 : 80 + cidr_blocks = ["0.0.0.0/0"] + } + ingress { + from_port = local.encrypted_protocol_condition ? 443 : 80 + protocol = "tcp" + to_port = local.encrypted_protocol_condition ? 443 : 80 + cidr_blocks = ["0.0.0.0/0"] + } + ingress { + from_port = -1 + protocol = "icmp" + to_port = -1 + cidr_blocks = ["0.0.0.0/0"] + } +} + +module "internal_load_balancer" { + count = local.deploy_servers_condition ? 1 : 0 + source = "../modules/common/load_balancer" + + load_balancers_type = var.load_balancers_type + instances_subnets = var.servers_subnets + prefix_name = "${var.prefix}-Internal" + internal = true + security_groups = local.alb_condition ? [aws_security_group.internal_security_group[0].id] : [] + tags = { + x-chkp-management = "${var.provision_tag}-management" + x-chkp-template = "${var.provision_tag}-template" + } + vpc_id = var.vpc_id + load_balancer_protocol = var.load_balancer_protocol + target_group_port = local.encrypted_protocol_condition ? 443 : 80 + listener_port = local.encrypted_protocol_condition ? "443" : "80" + certificate_arn = local.encrypted_protocol_condition ? var.certificate : "" +} + +module "custom_autoscale" { + count = local.deploy_servers_condition ? 
1 : 0 + source = "../modules/custom-autoscale" + + prefix = var.prefix + asg_name = var.asg_name + vpc_id = var.vpc_id + servers_subnets = var.servers_subnets + server_ami = var.server_ami + server_name = "${var.provision_tag}-server" + servers_instance_type = var.servers_instance_type + key_name = var.key_name + servers_min_group_size = var.gateways_min_group_size + servers_max_group_size = var.gateways_max_group_size + servers_target_groups = module.internal_load_balancer[0].target_group_id + deploy_internal_security_group = local.nlb_condition ? true : false + source_security_group = local.nlb_condition ? "" : aws_security_group.internal_security_group[0].id +} \ No newline at end of file diff --git a/terraform/aws/qs-autoscale/output.tf b/terraform/aws/qs-autoscale/output.tf new file mode 100755 index 00000000..edb1a1f6 --- /dev/null +++ b/terraform/aws/qs-autoscale/output.tf 
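Review bot: `aws_security_group.internal_security_group` opens 80/443 and all ICMP to `0.0.0.0/0` even though it fronts an `internal = true` load balancer and is also the `source_security_group` the web-server ASG trusts, so every host in the VPC and any peered or routed network can bypass the gateways and hit the servers directly. If the inspected traffic from the gateway ASG is the only intended client (which is what the quick-start topology suggests), both ingress blocks can be narrowed to `security_groups = [module.autoscale.autoscale_security_group_id]` (that output is exposed in output.tf) and the ICMP rule dropped or scoped the same way; the `description` argument is also missing on this group. A caveat worth a comment above `management_bootstrap_script`: `-otp ${var.gateway_SICKey}` lands in plaintext in the instance user-data, which is readable by any process on the management server and by any principal holding `ec2:DescribeInstanceAttribute`, so the SIC one-time password should be treated as exposed once the instance launches.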
@@ -0,0 +1,45 @@
+output "Deployment" {
+ value = "Finalizing instances configuration may take up to 20 minutes after deployment is finished."
+}
+
+output "management_name" {
+ value = "${var.provision_tag}-management"
+}
+output "internal_port" {
+ value = local.encrypted_protocol_condition ? 443 : 80
+}
+output "load_balancer_url" {
+ value = module.external_load_balancer.load_balancer_url
+}
+output "external_load_balancer_arn" {
+ value = module.external_load_balancer.load_balancer_arn
+}
+output "internal_load_balancer_arn" {
+ value = module.internal_load_balancer[*].load_balancer_arn
+}
+output "external_lb_target_group_arn" {
+ value = module.external_load_balancer.target_group_arn
+}
+output "internal_lb_target_group_arn" {
+ value = module.internal_load_balancer[*].target_group_arn
+}
+
+output "autoscale_autoscaling_group_name" {
+ value = module.autoscale.autoscale_autoscaling_group_name
+}
+output "autoscale_autoscaling_group_arn" {
+ value = module.autoscale.autoscale_autoscaling_group_arn
+}
+output "autoscale_security_group_id" {
+ value = module.autoscale.autoscale_security_group_id
+}
+output "autoscale_iam_role_name" {
+ value = module.autoscale.autoscale_iam_role_name
+}
+
+output "configuration_template" {
+ value = "${var.provision_tag}-template"
+}
+output "controller_name" {
+ value = "${var.provision_tag}-controller"
+}
diff --git a/terraform/aws/qs-autoscale/terraform.tfvars b/terraform/aws/qs-autoscale/terraform.tfvars
new file mode 100755
index 00000000..d9eb16f4
--- /dev/null
+++ b/terraform/aws/qs-autoscale/terraform.tfvars
@@ -0,0 +1,48 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- Environment ---
+prefix = "TF"
+asg_name = "asg-qs"
+
+// --- General Settings ---
+vpc_id = "vpc-12345678"
+key_name = "publickey"
+enable_volume_encryption = true
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+allow_upload_download = true
+provision_tag = "quickstart"
+load_balancers_type = "Application Load Balancer"
+load_balancer_protocol = "HTTP"
+certificate = ""
+service_port = "80"
+admin_shell = "/etc/cli.sh"
+
+// --- Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration ---
+gateways_subnets = ["subnet-123b5678", "subnet-123a4567"]
+gateway_instance_type = "c5.xlarge"
+gateways_min_group_size = 2
+gateways_max_group_size = 8
+gateway_version = "R81.20-BYOL"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 the gateway_password_hash is used also as maintenance-mode password.
+gateway_SICKey = "12345678"
+enable_cloudwatch = true
+
+// --- Check Point CloudGuard Network Security Management Server Configuration ---
+management_deploy = true
+management_instance_type = "m5.xlarge"
+management_version = "R81.20-BYOL"
+management_password_hash = ""
+management_maintenance_mode_password_hash = "" # For R81.10 the management_password_hash is used also as maintenance-mode password.
+gateways_policy = "Standard"
+gateways_blades = true
+admin_cidr = "0.0.0.0/0"
+gateways_addresses = "0.0.0.0/0"
+
+// --- Web Servers Auto Scaling Group Configuration ---
+servers_deploy = false
+servers_subnets = ["subnet-1234abcd", "subnet-56789def"]
+servers_instance_type = "t3.micro"
+server_ami = "ami-12345678"
\ No newline at end of file
diff --git a/terraform/aws/qs-autoscale/variables.tf b/terraform/aws/qs-autoscale/variables.tf
new file mode 100755
index 00000000..070ec4f4
--- /dev/null
+++ b/terraform/aws/qs-autoscale/variables.tf
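Review bot: The sample ships `admin_cidr = "0.0.0.0/0"` and `gateways_addresses = "0.0.0.0/0"`, and per the variable descriptions these are the only networks allowed to reach the management server's web, SSH and SmartConsole interfaces, while main.tf places that server in `var.gateways_subnets[0]`, which the variable description calls a public subnet — so a copy-paste apply exposes the management plane to the Internet. Replace them with restrictive placeholders and a comment, e.g. `admin_cidr = "192.0.2.0/24" # your admin network, never 0.0.0.0/0` and `gateways_addresses = "10.0.0.0/16" # the VPC CIDR`. The placeholder `gateway_SICKey = "12345678"` sits exactly at the regex minimum and is the one-time secret that bootstraps gateway-to-management trust, so a comment such as `# generate a random value (e.g. openssl rand -hex 16); this is a trust-bootstrap secret` would keep it from being deployed as-is.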
@@ -0,0 +1,231 @@ +// Module: Check Point CloudGuard Network Quick Start Auto Scaling +//Deploy a Check Point CloudGuard Network Security Gateways Auto Scaling Group, an external ALB/NLB, and optionally a Security Management Server and a web server Auto Scaling Group. + +// --- AWS Provider --- +variable "region" { + type = string + description = "AWS region" + default = "" +} +variable "access_key" { + type = string + description = "AWS access key" + default = "" +} +variable "secret_key" { + type = string + description = "AWS secret key" + default = "" +} + +// --- Environment --- +variable "prefix" { + type = string + description = "(Optional) Instances name prefix" + default = "" +} +variable "asg_name" { + type = string + description = "Autoscaling Group name" + default = "Check-Point-ASG-tf" +} +// --- General Settings --- +variable "vpc_id" { + type = string +} +variable "key_name" { + type = string + description = "The EC2 Key Pair name to allow SSH access to the instances" +} +variable "enable_volume_encryption" { + type = bool + description = "Encrypt Environment instances volume with default AWS KMS key" + default = true +} +variable "enable_instance_connect" { + type = bool + description = "Enable SSH connection over AWS web console" + default = false +} +variable "disable_instance_termination" { + type = bool + description = "Prevents an instance from accidental termination" + default = false +} +variable "metadata_imdsv2_required" { + type = bool + description = "Set true to deploy the instance with metadata v2 token required" + default = true +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + default = true +} +variable "provision_tag" { + type = string + description = "The tag is used by the Security Management Server to automatically provision the Security Gateways. 
Must be up to 12 alphanumeric characters and unique for each Quick Start deployment" + default = "quickstart" +} +variable "load_balancers_type" { + type = string + description = "Use Network Load Balancer if you wish to preserve the source IP address and Application Load Balancer if you wish to use content based routing" + default = "Network Load Balancer" +} +variable "load_balancer_protocol" { + type = string + description = "The protocol to use on the Load Balancer" +} +variable "certificate" { + type = string + description = "Amazon Resource Name (ARN) of an HTTPS Certificate, ignored if the selected protocol is HTTP" +} +variable "service_port" { + type = string + description = "The external Load Balancer listens to this port. Leave this field blank to use default ports: 80 for HTTP and 443 for HTTPS" +} +variable "admin_shell" { + type = string + description = "Set the admin shell to enable advanced command line configuration" + default = "/etc/cli.sh" +} + +// --- Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration --- +variable "gateways_subnets" { + type = list(string) + description = "Select at least 2 public subnets in the VPC. 
If you choose to deploy a Security Management Server it will be deployed in the first subnet" +} +variable "gateway_instance_type" { + type = string + description = "The instance type of the Security Gateways" + default = "c5.xlarge" +} +module "validate_gateway_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "gateway" + instance_type = var.gateway_instance_type +} +variable "gateways_min_group_size" { + type = number + description = "The minimal number of Security Gateways" + default = 2 +} +variable "gateways_max_group_size" { + type = number + description = "The maximal number of Security Gateways" + default = 10 +} +variable "gateway_version" { + type = string + description = "Gateway version and license" + default = "R81.20-BYOL" +} +module "validate_gateway_version" { + source = "../modules/common/version_license" + + chkp_type = "gateway" + version_license = var.gateway_version +} +variable "gateway_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" + default = "" +} +variable "gateway_maintenance_mode_password_hash" { + description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)." + type = string + default = "" +} +variable "gateway_SICKey" { + type = string + description = "The Secure Internal Communication key for trusted connection between Check Point components. 
Choose a random string consisting of at least 8 alphanumeric characters" +} +variable "enable_cloudwatch" { + type = bool + description = "Report Check Point specific CloudWatch metrics" + default = false +} + +// --- Check Point CloudGuard Network Security Management Server Configuration --- +variable "management_deploy" { + type = bool + description = "Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section" + default = true +} +variable "management_instance_type" { + type = string + description = "The EC2 instance type of the Security Management Server" + default = "m5.xlarge" +} +module "validate_management_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "management" + instance_type = var.management_instance_type +} +variable "management_version" { + type = string + description = "The license to install on the Security Management Server" + default = "R81.20-BYOL" +} +module "validate_management_version" { + source = "../modules/common/version_license" + + chkp_type = "management" + version_license = var.management_version +} +variable "management_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" + default = "" +} +variable "management_maintenance_mode_password_hash" { + description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)." 
+ type = string + default = "" +} +variable "gateways_policy" { + type = string + description = "The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group" + default = "Standard" +} +variable "gateways_blades" { + type = bool + description = "Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (additional Blades can be manually turned on later)" + default = true +} +variable "admin_cidr" { + type = string + description = "Allow web, ssh, and graphical clients only from this network to communicate with the Security Management Server" +} +variable "gateways_addresses" { + type = string + description = "Allow gateways only from this network to communicate with the Security Management Server" +} + +// --- Web Servers Auto Scaling Group Configuration --- +variable "servers_deploy" { + type = bool + description = "Select 'true' to deploy web servers and an internal Application Load Balancer. If you select 'false' the other parameters of this section will be ignored" + default = false +} +variable "servers_subnets" { + type = list(string) + description = "Provide at least 2 private subnet IDs in the chosen VPC, separated by commas (e.g. subnet-1234,subnet-5678,subnet-9012)" +} +variable "servers_instance_type" { + type = string + description = "The EC2 instance type for the web servers" + default = "t3.micro" +} +module "validate_servers_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "server" + instance_type = var.servers_instance_type +} +variable "server_ami" { + type = string + description = "The Amazon Machine Image ID of a preconfigured web server (e.g. ami-1234)" +} diff --git a/terraform/aws/qs-autoscale/versions.tf b/terraform/aws/qs-autoscale/versions.tf new file mode 100755 index 00000000..dbebf275 --- /dev/null +++ b/terraform/aws/qs-autoscale/versions.tf 
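Review bot: None of the secret-bearing variables are marked `sensitive = true` — `access_key`, `secret_key`, `gateway_SICKey`, `gateway_password_hash`, `gateway_maintenance_mode_password_hash`, `management_password_hash` and `management_maintenance_mode_password_hash` — although versions.tf pins `required_version = ">= 0.14.3"`, which supports the attribute, and main.tf interpolates several of them into instance user-data. Without it the SIC key and hashes are printed in plan/apply output (and in any CI log that captures it); adding `sensitive = true` to each of those variable blocks redacts them there, with the caveat that state still stores the values in clear, so the backend needs encryption and access control regardless. A `validation` block on `admin_cidr` rejecting `0.0.0.0/0` would also be cheap insurance, but that is a design choice for the module owners.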
@@ -0,0 +1,15 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ random = {
+ version = "~> 3.5.1"
+ }
+ }
+}
diff --git a/terraform/aws/standalone-master/README.md b/terraform/aws/standalone-master/README.md
new file mode 100755
index 00000000..7802954c
--- /dev/null
+++ b/terraform/aws/standalone-master/README.md
@@ -0,0 +1,201 @@ +# Check Point CloudGuard Network Security Management Server & Security Gateway (Standalone) Master Terraform module for AWS + +Terraform module which deploys a Check Point CloudGuard Network Security Gateway & Management (Standalone) instance into a new VPC. + +These types of Terraform resources are supported: +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) +* [VPC](https://www.terraform.io/docs/providers/aws/r/vpc.html) +* [Security group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/aws/r/network_interface.html) +* [Route](https://www.terraform.io/docs/providers/aws/r/route.html) +* [EIP](https://www.terraform.io/docs/providers/aws/r/eip.html) - conditional creation + +This solution uses the following modules: +- /terraform/aws/standalone +- /terraform/aws/modules/amis +- /terraform/aws/modules/vpc + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/standalone-master/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Static credentials are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-module /terraform/aws/standalone: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + b. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-module /terraform/aws/standalone: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/standalone-master/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + - Due to terraform limitation, the apply command is: + ``` + terraform apply -target=aws_route_table.private_subnet_rtb -auto-approve && terraform apply + ``` + >Once terraform is updated, we will update accordingly. 
+ +- Variables are configured in /terraform/aws/standalone-master/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- VPC Network Configuration --- + vpc_cidr = "10.0.0.0/16" + public_subnets_map = { + "us-east-1a" = 1 + } + private_subnets_map = { + "us-east-1a" = 2 + } + subnets_bit_length = 8 + + // --- EC2 Instance Configuration --- + standalone_name = "Check-Point-Standalone-tf" + standalone_instance_type = "c5.xlarge" + key_name = "publickey" + allocate_and_associate_eip = true + volume_size = 100 + volume_encryption = "alias/aws/ebs" + enable_instance_connect = false + disable_instance_termination = false + instance_tags = { + key1 = "value1" + key2 = "value2" + } + + // --- Check Point Settings --- + standalone_version = "R81.20-BYOL" + admin_shell = "/etc/cli.sh" + standalone_password_hash = "" + standalone_maintenance_mode_password_hash = "" + + // --- Advanced Settings --- + resources_tag_name = "tag-name" + standalone_hostname = "standalone-tf" + allow_upload_download = true + enable_cloudwatch = false + standalone_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + primary_ntp = "" + secondary_ntp = "" + admin_cidr = "0.0.0.0/0" + gateway_addresses = "0.0.0.0/0" + ``` + +- Conditional creation + - To create an Elastic IP and associate it to the Standalone instance: + ``` + allocate_and_associate_eip = true + ``` + +- To tear down your resources: + ``` + terraform destroy + ``` + + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | 
+|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------|----------| +| vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | +| public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | +| private_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 2} ) | map | n/a | n/a | yes | +| subnets_bit_length | Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20 | number | n/a | n/a | yes | +| standalone_name | (Optional) The name tag of the Security Gateway & Management (Standalone) instance | string | n/a | Check-Point-Standalone-tf | no | +| standalone_instance_type | The instance type of the Security Gateway & Management (Standalone) instance | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with the launched instance | bool | true/false | true | no | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Standalone EC2 Instance | map(string) | n/a | {} | no | +| standalone_version | Security Gateway & Management (Standalone) version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R81-BYOL
- R81-PAYG-NGTP
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.20-BYOL
- R81.20-PAYG-NGTP | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| standalone_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| resources_tag_name | (optional) | string | n/a | "" | no | +| standalone_hostname | (Optional) Security Gateway & Management (Standalone) prompt hostname. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| standalone_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | +| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | +| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | n/a | 0.0.0.0/0 | no | +| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | n/a | 0.0.0.0/0 | no | +| standalone_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). 
(optional) | string | n/a | "" | no | + + +## Outputs +| Name | Description | +|------------------------------|------------------------------------------------------------------------------| +| vpc_id | The id of the deployed vpc | +| internal_rtb_id | The internal route table id | +| vpc_public_subnets_ids_list | A list of the public subnets ids | +| vpc_private_subnets_ids_list | A list of the private subnets ids | +| standalone_instance_id | The deployed Security Gateway & Management (Standalone) AWS instance id | +| standalone_instance_name | The deployed Security Gateway & Management (Standalone) AWS instance name | +| standalone_public_ip | The deployed Security Gateway & Management (Standalone) AWS public address | +| standalone_ssh | SSH command to the Security Gateway & Management (Standalone) | +| standalone_url | URL to the portal of the deployed Security Gateway & Management (Standalone) | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|-------------------------------------------------------------------------------------------------------------------------| +| 20210309 | First release of Check Point Security Management Server & Security Gateway (Standalone) Master Terraform module for AWS | +| 20220606 | New instance type support | +| 20221123 | R81.20 version support | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230806 | Add support for c6in instance type | +| 20230829 | Change default Check Point version to R81.20 | +| 20230914 | Add support for maintenance mode password | +| 20231012 | Update AWS Terraform Provider version to 5.20.1 | +| 20231113 | Add support for BYOL license type for Standalone | +| 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/terraform/aws/standalone-master/locals.tf b/terraform/aws/standalone-master/locals.tf new file mode 100755 index 00000000..e2e6ab47 --- /dev/null +++ b/terraform/aws/standalone-master/locals.tf 
@@ -0,0 +1,35 @@
+locals {
+ regex_valid_vpc_cidr = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$"
+ // Will fail if var.vpc_cidr is invalid
+ regex_vpc_cidr = regex(local.regex_valid_vpc_cidr, var.vpc_cidr) == var.vpc_cidr ? 0 : "Variable [vpc_cidr] must be a valid vpc cidr"
+
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"]
+ // Will fail if var.admin_shell is invalid
+ validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell)
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+
+ regex_valid_cidr_range = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))?$"
+ // Will fail if var.admin_subnet or var.gateway_addresses are invalid
+ mgmt_subnet_regex_result = regex(local.regex_valid_cidr_range, var.admin_cidr) == var.admin_cidr ? 0 : "var.admin_subnet must be a valid CIDR range"
+ gw_addr_regex_result = regex(local.regex_valid_cidr_range, var.gateway_addresses) == var.gateway_addresses ? 0 : "var.gateway_addresses must be a valid CIDR range"
+
+ regex_valid_primary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.primary_ntp is invalid
+ regex_primary_ntp = regex(local.regex_valid_primary_ntp, var.primary_ntp) == var.primary_ntp ? 0 : "Variable [primary_ntp] must be a valid ntp"
+
+ regex_valid_secondary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.secondary_ntp is invalid
+ regex_secondary_ntp = regex(local.regex_valid_secondary_ntp, var.secondary_ntp) == var.secondary_ntp ? 0 : "Variable [secondary_ntp] must be a valid ntp"
+
+ regex_valid_standalone_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.standalone_password_hash is invalid
+ regex_standalone_password_hash = regex(local.regex_valid_standalone_password_hash, var.standalone_password_hash) == var.standalone_password_hash ? 0 : "Variable [standalone_password_hash] must be a valid password hash"
+ regex_maintenance_mode_password_hash = regex(local.regex_valid_standalone_password_hash, var.standalone_maintenance_mode_password_hash) == var.standalone_maintenance_mode_password_hash ? 0 : "Variable [standalone_maintenance_mode_password_hash] must be a valid password hash"
+}
\ No newline at end of file
diff --git a/terraform/aws/standalone-master/main.tf b/terraform/aws/standalone-master/main.tf
new file mode 100755
index 00000000..999c506e
--- /dev/null
+++ b/terraform/aws/standalone-master/main.tf
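Review bot: The admin-CIDR validation in locals.tf reports against a variable that does not exist: the comment and the error string both say `var.admin_subnet`, while the value being checked is `var.admin_cidr`, so a user who supplies an invalid CIDR is pointed at the wrong input. Change the two lines to `// Will fail if var.admin_cidr or var.gateway_addresses are invalid` and `... ? 0 : "var.admin_cidr must be a valid CIDR range"`. The key_name message also has a typo: `"must be a none empty string"` should read `"must be a non-empty string"`. Since versions.tf in this same patch requires Terraform >= 0.14.3, these fail-on-type-mismatch locals could be replaced by `validation` blocks on the variables themselves, which attribute the error to the right variable automatically.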
@@ -0,0 +1,63 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+// --- VPC ---
+module "launch_vpc" {
+ source = "../modules/vpc"
+
+ vpc_cidr = var.vpc_cidr
+ public_subnets_map = var.public_subnets_map
+ private_subnets_map = var.private_subnets_map
+ subnets_bit_length = var.subnets_bit_length
+}
+
+resource "aws_route_table" "private_subnet_rtb" {
+ depends_on = [module.launch_vpc]
+ vpc_id = module.launch_vpc.vpc_id
+ tags = {
+ Name = "Private Subnets Route Table"
+ }
+}
+resource "aws_route_table_association" "private_rtb_to_private_subnets" {
+ depends_on = [module.launch_vpc, aws_route_table.private_subnet_rtb]
+ route_table_id = aws_route_table.private_subnet_rtb.id
+ subnet_id = module.launch_vpc.private_subnets_ids_list[0]
+}
+
+module "launch_standalone_into_vpc" {
+ source = "../standalone"
+ providers = {
+ aws = aws
+ }
+
+ vpc_id = module.launch_vpc.vpc_id
+ public_subnet_id = module.launch_vpc.public_subnets_ids_list[0]
+ private_subnet_id = module.launch_vpc.private_subnets_ids_list[0]
+ private_route_table = aws_route_table.private_subnet_rtb.id
+ resources_tag_name = var.resources_tag_name
+ standalone_name = var.standalone_name
+ standalone_instance_type = var.standalone_instance_type
+ key_name = var.key_name
+ allocate_and_associate_eip = var.allocate_and_associate_eip
+ volume_size = var.volume_size
+ volume_encryption = var.volume_encryption
+ enable_instance_connect = var.enable_instance_connect
+ disable_instance_termination = var.disable_instance_termination
+ metadata_imdsv2_required = var.metadata_imdsv2_required
+ instance_tags = var.instance_tags
+ standalone_version = var.standalone_version
+ admin_shell = var.admin_shell
+ standalone_password_hash = var.standalone_password_hash
+ standalone_maintenance_mode_password_hash = var.standalone_maintenance_mode_password_hash
+ standalone_hostname = var.standalone_hostname
+ allow_upload_download = var.allow_upload_download
+ enable_cloudwatch = var.enable_cloudwatch
+ standalone_bootstrap_script = var.standalone_bootstrap_script
+ primary_ntp = var.primary_ntp
+ secondary_ntp = var.secondary_ntp
+ admin_cidr = var.admin_cidr
+ gateway_addresses = var.gateway_addresses
+}
diff --git a/terraform/aws/standalone-master/output.tf b/terraform/aws/standalone-master/output.tf
new file mode 100755
index 00000000..11d557b9
--- /dev/null
+++ b/terraform/aws/standalone-master/output.tf
@@ -0,0 +1,27 @@
+output "vpc_id" {
+ value = module.launch_vpc.vpc_id
+}
+output "internal_rtb_id" {
+ value = aws_route_table.private_subnet_rtb.id
+}
+output "vpc_public_subnets_ids_list" {
+ value = module.launch_vpc.public_subnets_ids_list
+}
+output "vpc_private_subnets_ids_list" {
+ value = module.launch_vpc.private_subnets_ids_list
+}
+output "standalone_instance_id" {
+ value = module.launch_standalone_into_vpc.standalone_instance_id
+}
+output "standalone_instance_name" {
+ value = module.launch_standalone_into_vpc.standalone_instance_name
+}
+output "standalone_public_ip" {
+ value = module.launch_standalone_into_vpc.standalone_public_ip
+}
+output "standalone_ssh" {
+ value = module.launch_standalone_into_vpc.standalone_ssh
+}
+output "standalone_url" {
+ value = module.launch_standalone_into_vpc.standalone_url
+}
\ No newline at end of file
diff --git a/terraform/aws/standalone-master/terraform.tfvars b/terraform/aws/standalone-master/terraform.tfvars
new file mode 100755
index 00000000..4f6b6131
--- /dev/null
+++ b/terraform/aws/standalone-master/terraform.tfvars
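Review bot: `aws_route_table_association.private_rtb_to_private_subnets` attaches only `private_subnets_ids_list[0]` to the private route table, while `private_subnets_map` is documented in the README of this patch as a map of one or more subnets; any additional private subnet is left on the VPC's main route table and will not use the table handed to the standalone module as `private_route_table`. If the VPC module returns one id per map entry, associating all of them would be `count = length(var.private_subnets_map)` with `subnet_id = module.launch_vpc.private_subnets_ids_list[count.index]`, which keeps the count known at plan time because it derives from a variable rather than a resource attribute. If the single-subnet behaviour is intended, a comment saying so next to `subnet_id` would save the next reader the question.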
@@ -0,0 +1,43 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_cidr = "10.0.0.0/16"
+public_subnets_map = {
+ "us-east-1a" = 1
+}
+private_subnets_map = {
+ "us-east-1a" = 2
+}
+subnets_bit_length = 8
+
+// --- EC2 Instance Configuration ---
+standalone_name = "Check-Point-Standalone-tf"
+standalone_instance_type = "c5.xlarge"
+key_name = "publickey"
+allocate_and_associate_eip = true
+volume_size = 100
+volume_encryption = "alias/aws/ebs"
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+instance_tags = {
+ key1 = "value1"
+ key2 = "value2"
+}
+
+// --- Check Point Settings ---
+standalone_version = "R81.20-BYOL"
+admin_shell = "/etc/cli.sh"
+standalone_password_hash = ""
+standalone_maintenance_mode_password_hash = ""
+
+// --- Advanced Settings ---
+resources_tag_name = "tag-name"
+standalone_hostname = "standalone-tf"
+allow_upload_download = true
+enable_cloudwatch = false
+standalone_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+primary_ntp = ""
+secondary_ntp = ""
+admin_cidr = "0.0.0.0/0"
+gateway_addresses = "0.0.0.0/0"
\ No newline at end of file
diff --git a/terraform/aws/standalone-master/variables.tf b/terraform/aws/standalone-master/variables.tf
new file mode 100755
index 00000000..212dc108
--- /dev/null
+++ b/terraform/aws/standalone-master/variables.tf
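Review bot: The shipped terraform.tfvars sets `admin_cidr = "0.0.0.0/0"` and `gateway_addresses = "0.0.0.0/0"`, and the same values are the defaults of those variables in variables.tf later in this patch; combined with `allocate_and_associate_eip = true`, a deployment run from the sample as-is exposes the management server's web, SSH and graphical-client ports to the whole Internet. The sample would be safer with a placeholder that forces the operator to choose, e.g. `admin_cidr = "<admin-network-cidr>" // the network your administrators connect from`, and variables.tf could drop the `0.0.0.0/0` default on `admin_cidr` so a value must be supplied. That would also match the `admin_cidr` variable added to qs-autoscale/variables.tf at the top of this chunk, which has no default.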
@@ -0,0 +1,174 @@
+// Module: Check Point CloudGuard Network Security Gateway & Management (Standalone) instance into a new VPC
+
+// --- AWS Provider ---
+variable "region" {
+ type = string
+ description = "AWS region"
+ default = ""
+}
+variable "access_key" {
+ type = string
+ description = "AWS access key"
+ default = ""
+}
+variable "secret_key" {
+ type = string
+ description = "AWS secret key"
+ default = ""
+}
+
+// --- VPC Network Configuration ---
+variable "vpc_cidr" {
+ type = string
+ description = "The CIDR block of the VPC"
+ default = "10.0.0.0/16"
+}
+variable "public_subnets_map" {
+ type = map(string)
+ description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 1} ) "
+}
+variable "private_subnets_map" {
+ type = map(string)
+ description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 2} ) "
+
+}
+variable "subnets_bit_length" {
+ type = number
+ description = "Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20"
+}
+
+// --- EC2 Instance Configuration ---
+variable "standalone_name" {
+ type = string
+ description = "(Optional) The name tag of the Security Gateway & Management (Standalone) instance"
+ default = "Check-Point-Standalone-tf"
+}
+variable "standalone_instance_type" {
+ type = string
+ description = "The instance type of the Security Gateway & Management (Standalone) instance"
+ default = "c5.xlarge"
+}
+module "validate_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "standalone"
+ instance_type = var.standalone_instance_type
+}
+variable "key_name" {
+ type = string
+ description = "The EC2 Key Pair name to allow SSH access to the instance"
+}
+variable "allocate_and_associate_eip" {
+ type = bool
+ description = "If set to true, an elastic IP will be allocated and associated with the launched instance"
+ default = true
+}
+variable "volume_size" {
+ type = number
+ description = "Root volume size (GB) - minimum 100"
+ default = 100
+}
+resource "null_resource" "volume_size_too_small" {
+ // Volume Size validation - resource will not be created if the volume size is smaller than 100
+ count = var.volume_size >= 100 ? 0 : "volume_size must be at least 100"
+}
+variable "volume_encryption" {
+ type = string
+ description = "KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs')"
+ default = "alias/aws/ebs"
+}
+variable "enable_instance_connect" {
+ type = bool
+ description = "Enable SSH connection over AWS web console"
+ default = false
+}
+variable "disable_instance_termination" {
+ type = bool
+ description = "Prevents an instance from accidental termination"
+ default = false
+}
+variable "metadata_imdsv2_required" {
+ type = bool
+ description = "Set true to deploy the instance with metadata v2 token required"
+ default = true
+}
+variable "instance_tags" {
+ type = map(string)
+ description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Standalone EC2 Instance"
+ default = {}
+}
+
+// --- Check Point Settings ---
+variable "standalone_version" {
+ type = string
+ description = "Gateway & Management (Standalone) version and license"
+ default = "R81.20-BYOL"
+}
+module "validate_standalone_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "standalone"
+ version_license = var.standalone_version
+}
+variable "admin_shell" {
+ type = string
+ description = "Set the admin shell to enable advanced command line configuration"
+ default = "/etc/cli.sh"
+}
+variable "standalone_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "standalone_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
+
+// --- Advanced Settings ---
+variable "resources_tag_name" {
+ type = string
+ description = "(Optional) The name tag of the resources"
+ default = ""
+}
+variable "standalone_hostname" {
+ type = string
+ description = "(Optional) Security Gateway & Management (Standalone) prompt hostname"
+ default = ""
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point"
+ default = true
+}
+variable "enable_cloudwatch" {
+ type = bool
+ description = "Report Check Point specific CloudWatch metrics"
+ default = false
+}
+variable "standalone_bootstrap_script" {
+ type = string
+ description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot"
+ default = ""
+}
+variable "primary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol primary server"
+ default = "169.254.169.123"
+}
+variable "secondary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server"
+ default = "0.pool.ntp.org"
+}
+variable "admin_cidr" {
+ type = string
+ description = "(CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server"
+ default = "0.0.0.0/0"
+}
+variable "gateway_addresses" {
+ type = string
+ description = "(CIDR) Allow gateways only from this network to communicate with the Management Server"
+ default = "0.0.0.0/0"
+}
diff --git a/terraform/aws/standalone-master/versions.tf b/terraform/aws/standalone-master/versions.tf
new file mode 100755
index 00000000..a95f0172
--- /dev/null
+++ b/terraform/aws/standalone-master/versions.tf
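Review bot: `access_key`, `secret_key`, `standalone_password_hash` and `standalone_maintenance_mode_password_hash` are declared without `sensitive = true`, so wherever their values flow into resource arguments they are shown unredacted in `terraform plan` and `apply` output, even though the README in this patch steers users toward keeping the keys in terraform.tfvars. versions.tf here requires Terraform >= 0.14.3, where `sensitive = true` is available; adding that one line to each of the four variables redacts them from CLI output (they remain in plain text in the state file, which the README should say in one sentence). The `null_resource.volume_size_too_small` guard could likewise become a `validation { condition = var.volume_size >= 100, error_message = "volume_size must be at least 100" }` block on `volume_size`, which reports against the variable instead of creating a provider resource whose only purpose is to fail.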
@@ -0,0 +1,12 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ }
+}
\ No newline at end of file
diff --git a/terraform/aws/standalone/README.md b/terraform/aws/standalone/README.md
new file mode 100755
index 00000000..388bba1e
--- /dev/null
+++ b/terraform/aws/standalone/README.md
@@ -0,0 +1,177 @@ +# Check Point CloudGuard Network Security Management Server & Security Gateway (Standalone) Terraform module for AWS + +Terraform module which deploys a Check Point CloudGuard Network Security Gateway & Management (Standalone) instance into an existing VPC. + +These types of Terraform resources are supported: +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) +* [Security group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/aws/r/network_interface.html) +* [EIP](https://www.terraform.io/docs/providers/aws/r/eip.html) - conditional creation +* [Route](https://www.terraform.io/docs/providers/aws/r/route.html) - conditional creation + + +This solution uses the following modules: +- /terraform/aws/modules/amis + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/standalone/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/standalone/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +- Variables are configured in /terraform/aws/standalone/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- VPC Network Configuration --- + vpc_id = "vpc-12345678" + public_subnet_id = "subnet-123456" + private_subnet_id = "subnet-345678" + private_route_table = "rtb-12345678" + + // --- EC2 Instance Configuration --- + standalone_name = "Check-Point-Standalone-tf" + standalone_instance_type = "c5.xlarge" + key_name = "publickey" + allocate_and_associate_eip = true + volume_size = 100 + volume_encryption = "alias/aws/ebs" + enable_instance_connect = false + disable_instance_termination = false + instance_tags = { + key1 = "value1" + key2 = "value2" + } + + // --- Check Point Settings --- + standalone_version = "R81.20-BYOL" + admin_shell = "/etc/cli.sh" + standalone_password_hash = "" + standalone_maintenance_mode_password_hash = "" + // --- Advanced Settings --- + resources_tag_name = "tag-name" + standalone_hostname = "standalone-tf" + allow_upload_download = true + enable_cloudwatch = false + standalone_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + primary_ntp = "" + secondary_ntp = "" + admin_cidr = "0.0.0.0/0" + gateway_addresses = "0.0.0.0/0" + ``` + +- Conditional creation + - To create an Elastic IP and associate it to the Standalone instance: + ``` + 
allocate_and_associate_eip = true + ``` + - To create route from '0.0.0.0/0' to the Standalone instance, please provide route table: + ``` + private_route_table = "rtb-12345678" + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | +|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------|----------| +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| public_subnet_id | The public subnet of the Security Gateway & Management (Standalone) | string | n/a | n/a | yes | +| private_subnet_id | The private subnet of the Security Gateway & Management (Standalone) | string | n/a | n/a | yes | +| private_route_table | Sets '0.0.0.0/0' route to the Security Gateway & Management (Standalone) instance in the specified route table (e.g. rtb-12a34567) | string | n/a | "" | no | +| standalone_name | (Optional) The name tag of the Security Gateway & Management (Standalone) instance | string | n/a | Check-Point-Standalone-tf | no | +| standalone_instance_type | The instance type of the Security Gateway & Management (Standalone) instance | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with the launched instance | bool | true/false | true | no | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Standalone EC2 Instance | map(string) | n/a | {} | no | +| standalone_version | Security Gateway & Management (Standalone) version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R81-BYOL
- R81-PAYG-NGTP
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.20-BYOL
- R81.20-PAYG-NGTP | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| standalone_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| resources_tag_name | (optional) | string | n/a | "" | no | +| standalone_hostname | (Optional) Security Gateway & Management (Standalone) prompt hostname. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| standalone_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | +| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | +| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | n/a | 0.0.0.0/0 | no | +| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | n/a | 0.0.0.0/0 | no | +| standalone_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). 
(optional) | string | n/a | "" | no | + + +## Outputs +| Name | Description | +|--------------------------|------------------------------------------------------------------------------| +| standalone_instance_id | The deployed Security Gateway & Management (Standalone) AWS instance id | +| standalone_instance_name | The deployed Security Gateway & Management (Standalone) AWS instance name | +| standalone_public_ip | The deployed Security Gateway & Management (Standalone) AWS public address | +| standalone_ssh | SSH command to the Security Gateway & Management (Standalone) | +| standalone_url | URL to the portal of the deployed Security Gateway & Management (Standalone) | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|--------------------|------------------------------------------------------------------------------------------------------------------| +| 20210309 | First release of Check Point Security Management Server & Security Gateway (Standalone) Terraform module for AWS | +| 20210329 | Stability fixes | +| 20220606 | New instance type support | +| 20221123 | R81.20 version support | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230806 | Add support for c6in instance type | +| 20230829 | Change default Check Point version to R81.20 | +| 20230914 | Add support for maintenance mode password | +| 20230923 | Add support for C5d instance type | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20231113 | Add support for BYOL license type for Standalone | +| 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | + + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details \ No newline at end of file diff --git a/terraform/aws/standalone/locals.tf b/terraform/aws/standalone/locals.tf new file mode 100755 index 00000000..6e438e83 --- /dev/null +++ b/terraform/aws/standalone/locals.tf 
@@ -0,0 +1,41 @@ +locals { + admin_shell_allowed_values = [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh"] + // Will fail if var.admin_shell is invalid + validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell) + + enable_cloudwatch_policy = var.enable_cloudwatch ? 1 : 0 + + regex_valid_key_name = "[\\S\\s]+[\\S]+" + // will fail if var.key_name is invalid + regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string" + + regex_valid_cidr_range = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))?$" + // Will fail if var.admin_subnet or var.gateway_addresses are invalid + mgmt_subnet_regex_result = regex(local.regex_valid_cidr_range, var.admin_cidr) == var.admin_cidr ? 0 : "var.admin_subnet must be a valid CIDR range" + gw_addr_regex_result = regex(local.regex_valid_cidr_range, var.gateway_addresses) == var.gateway_addresses ? 0 : "var.gateway_addresses must be a valid CIDR range" + volume_encryption_condition = var.volume_encryption != "" ? true : false + + regex_valid_primary_ntp = "^[\\.a-zA-Z0-9\\-]*$" + // Will fail if var.primary_ntp is invalid + regex_primary_ntp = regex(local.regex_valid_primary_ntp, var.primary_ntp) == var.primary_ntp ? 0 : "Variable [primary_ntp] must be a valid ntp" + + regex_valid_secondary_ntp = "^[\\.a-zA-Z0-9\\-]*$" + // Will fail if var.secondary_ntp is invalid + regex_secondary_ntp = regex(local.regex_valid_secondary_ntp, var.secondary_ntp) == var.secondary_ntp ? 0 : "Variable [secondary_ntp] must be a valid ntp" + + regex_valid_standalone_password_hash = "^[\\$\\./a-zA-Z0-9]*$" + // Will fail if var.standalone_password_hash is invalid + regex_standalone_password_hash = regex(local.regex_valid_standalone_password_hash, var.standalone_password_hash) == var.standalone_password_hash ? 
0 : "Variable [standalone_password_hash] must be a valid password hash" + regex_maintenance_mode_password_hash = regex(local.regex_valid_standalone_password_hash, var.standalone_maintenance_mode_password_hash) == var.standalone_maintenance_mode_password_hash ? 0 : "Variable [standalone_maintenance_mode_password_hash] must be a valid password hash" + + //Splits the version and licence and returns the os version + version_split = element(split("-", var.standalone_version), 0) + + standalone_bootstrap_script64 = base64encode(var.standalone_bootstrap_script) + standalone_password_hash_base64 = base64encode(var.standalone_password_hash) + maintenance_mode_password_hash_base64 = base64encode(var.standalone_maintenance_mode_password_hash) +} \ No newline at end of file diff --git a/terraform/aws/standalone/main.tf b/terraform/aws/standalone/main.tf new file mode 100755 index 00000000..f9df43ff --- /dev/null +++ b/terraform/aws/standalone/main.tf 
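Review bot: The error string for the admin CIDR check names a variable this module does not declare — `mgmt_subnet_regex_result` validates `var.admin_cidr` but reports `"var.admin_subnet must be a valid CIDR range"`, and the comment above it repeats the wrong name, so a failing plan points the operator at an input that does not exist. Change the message to `"var.admin_cidr must be a valid CIDR range"` and the comment to `// Will fail if var.admin_cidr or var.gateway_addresses are invalid`. `volume_encryption_condition = var.volume_encryption != "" ? true : false` can be written simply as `var.volume_encryption != ""`. Note also that the CIDR regex accepts `0.0.0.0/0`, which is the default of both management-access inputs in this commit's variables.tf, so these checks confirm syntax only and do not catch a world-reachable management plane.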
@@ -0,0 +1,145 @@ +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} + +module "amis" { + source = "../modules/amis" + + version_license = var.standalone_version + chkp_type = "standalone" +} + +module "common_permissive_sg" { + source = "../modules/common/permissive_sg" + + vpc_id = var.vpc_id + resources_tag_name = var.resources_tag_name + gateway_name = var.standalone_name +} + +resource "aws_iam_instance_profile" "standalone_instance_profile" { + count = local.enable_cloudwatch_policy + path = "/" + role = aws_iam_role.standalone_iam_role[count.index].name +} + +resource "aws_iam_role" "standalone_iam_role" { + count = local.enable_cloudwatch_policy + assume_role_policy = data.aws_iam_policy_document.standalone_role_assume_policy_document.json + path = "/" +} + +data "aws_iam_policy_document" "standalone_role_assume_policy_document" { + version = "2012-10-17" + statement { + effect = "Allow" + actions = ["sts:AssumeRole"] + principals { + type = "Service" + identifiers = ["ec2.amazonaws.com"] + } + } +} + +module "attach_cloudwatch_policy" { + source = "../modules/cloudwatch-policy" + count = local.enable_cloudwatch_policy + role = aws_iam_role.standalone_iam_role[count.index].name + tag_name = var.resources_tag_name != "" ? var.resources_tag_name : var.standalone_name +} +resource "aws_network_interface" "public_eni" { + subnet_id = var.public_subnet_id + security_groups = [module.common_permissive_sg.permissive_sg_id] + description = "eth0" + source_dest_check = false + tags = { + Name = format("%s-external-eni", var.resources_tag_name != "" ? var.resources_tag_name : var.standalone_name) } +} +resource "aws_network_interface" "private_eni" { + subnet_id = var.private_subnet_id + security_groups = [module.common_permissive_sg.permissive_sg_id] + description = "eth1" + source_dest_check = false + tags = { + Name = format("%s-internal-eni", var.resources_tag_name != "" ? 
var.resources_tag_name : var.standalone_name) } +} + +module "common_eip" { + source = "../modules/common/elastic_ip" + + allocate_and_associate_eip = var.allocate_and_associate_eip + external_eni_id = aws_network_interface.public_eni.id + private_ip_address = aws_network_interface.public_eni.private_ip +} + +module "common_internal_default_route" { + source = "../modules/common/internal_default_route" + + private_route_table = var.private_route_table + internal_eni_id = aws_network_interface.private_eni.id +} + +resource "aws_launch_template" "standalone_launch_template" { + instance_type = var.standalone_instance_type + key_name = var.key_name + image_id = module.amis.ami_id + description = "Initial launch template version" + + iam_instance_profile { + name = (local.enable_cloudwatch_policy == 1 ? aws_iam_instance_profile.standalone_instance_profile[0].id : "") + } + + network_interfaces { + network_interface_id = aws_network_interface.public_eni.id + device_index = 0 + } + + metadata_options { + http_tokens = var.metadata_imdsv2_required ? "required" : "optional" + } + + network_interfaces { + network_interface_id = aws_network_interface.private_eni.id + device_index = 1 + } +} + +resource "aws_instance" "standalone-instance" { + launch_template { + id = aws_launch_template.standalone_launch_template.id + version = "$Latest" + } + + disable_api_termination = var.disable_instance_termination + + tags = merge({ + Name = var.standalone_name + }, var.instance_tags) + + ebs_block_device { + device_name = "/dev/xvda" + volume_type = "gp2" + volume_size = var.volume_size + encrypted = local.volume_encryption_condition + kms_key_id = local.volume_encryption_condition ? 
var.volume_encryption : "" + } + + user_data = templatefile("${path.module}/standalone_userdata.yaml", { + // script's arguments + Hostname = var.standalone_hostname, + PasswordHash = local.standalone_password_hash_base64, + MaintenanceModePassword = local.maintenance_mode_password_hash_base64, + AllowUploadDownload = var.allow_upload_download, + EnableCloudWatch = var.enable_cloudwatch, + NTPPrimary = var.primary_ntp, + NTPSecondary = var.secondary_ntp, + Shell = var.admin_shell, + AdminSubnet = var.admin_cidr, + EnableInstanceConnect = var.enable_instance_connect, + StandaloneBootstrapScript = local.standalone_bootstrap_script64 + AllocateElasticIP = var.allocate_and_associate_eip + OsVersion = local.version_split + }) +} \ No newline at end of file diff --git a/terraform/aws/standalone/output.tf b/terraform/aws/standalone/output.tf new file mode 100755 index 00000000..5a46d0fa --- /dev/null +++ b/terraform/aws/standalone/output.tf @@ -0,0 +1,15 @@ +output "standalone_instance_id" { + value = aws_instance.standalone-instance.id +} +output "standalone_instance_name" { + value = aws_instance.standalone-instance.tags["Name"] +} +output "standalone_public_ip" { + value = aws_instance.standalone-instance.public_ip +} +output "standalone_ssh" { + value = format("ssh -i %s admin@%s", var.key_name, aws_instance.standalone-instance.public_ip) +} +output "standalone_url" { + value = format("https://%s", aws_instance.standalone-instance.public_ip) +} \ No newline at end of file diff --git a/terraform/aws/standalone/standalone_userdata.yaml b/terraform/aws/standalone/standalone_userdata.yaml new file mode 100755 index 00000000..1bdf7eca --- /dev/null +++ b/terraform/aws/standalone/standalone_userdata.yaml 
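Review bot: `gateway_addresses` is validated in locals.tf but never reaches the instance: the `templatefile` call at the end of this hunk passes `AdminSubnet = var.admin_cidr` and no gateway CIDR, and standalone_userdata.yaml in this commit has no corresponding argument, so the documented "allow gateways only from this network" restriction has no effect in this module. Either pass it through (`GatewayAddresses = var.gateway_addresses` plus a matching argument in the userdata template) or drop the input and its validation so the README does not promise a control that is not applied. Separately, the admin and maintenance-mode password hashes travel in `user_data`, which is readable from the instance metadata service on the instance itself; `http_tokens = var.metadata_imdsv2_required ? "required" : "optional"` with the default of `true` is what limits that to token-capable callers, and a one-line comment next to `metadata_options` saying so would stop a future change from relaxing it casually.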
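Review bot: `standalone_ssh` builds `ssh -i %s admin@%s` from `var.key_name`, which variables.tf in this commit declares as "The EC2 Key Pair name", not a local identity-file path, so the printed command only works when the operator's private key file happens to carry exactly the key pair's name with no extension. Either document that assumption above the output, e.g. `# key_name is the EC2 key pair name; the command assumes a local key file of the same name`, or word the output as a hint rather than a ready-to-run command.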
@@ -0,0 +1,4 @@
+#cloud-config
+runcmd:
+ - |
+ python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" installationType=\"standalone\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"standalone\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" adminSubnet=\"${AdminSubnet}\" allocatePublicAddress=\"${AllocateElasticIP}\" bootstrapScript64=\"${StandaloneBootstrapScript}\"
\ No newline at end of file
diff --git a/terraform/aws/standalone/terraform.tfvars b/terraform/aws/standalone/terraform.tfvars
new file mode 100755
index 00000000..edad70cd
--- /dev/null
+++ b/terraform/aws/standalone/terraform.tfvars
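Review bot: `templateVersion=\"20231012\"` in the runcmd line lags the module's own revision history in README.md, whose latest entry in this commit is 20240515 (the IMDSv2 change), so the version the instance reports will not identify the template that actually deployed it; keep this value in step with the README entry whenever the template changes. `${Hostname }` carries a stray space before the closing brace, harmless to Terraform's template engine but inconsistent with every other interpolation on the line. Unlike the NTP and password-hash inputs, `standalone_hostname` has no regex guard in locals.tf before it is interpolated into this double-quoted shell argument, so a value containing a quote or shell metacharacter breaks the command at boot rather than at plan time; a hostname-shaped check such as `^[a-zA-Z0-9-]*$` next to the existing NTP checks would surface that early.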
@@ -0,0 +1,39 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_id = "vpc-12345678"
+public_subnet_id = "subnet-123456"
+private_subnet_id = "subnet-345678"
+private_route_table = "rtb-12345678"
+
+// --- EC2 Instance Configuration ---
+standalone_name = "Check-Point-Standalone-tf"
+standalone_instance_type = "c5.xlarge"
+key_name = "publickey"
+allocate_and_associate_eip = true
+volume_size = 100
+volume_encryption = "alias/aws/ebs"
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+instance_tags = {
+ key1 = "value1"
+ key2 = "value2"
+}
+
+// --- Check Point Settings ---
+standalone_version = "R81.20-BYOL"
+admin_shell = "/etc/cli.sh"
+standalone_password_hash = ""
+standalone_maintenance_mode_password_hash = ""
+
+// --- Advanced Settings ---
+resources_tag_name = "tag-name"
+standalone_hostname = "standalone-tf"
+allow_upload_download = true
+enable_cloudwatch = false
+standalone_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+primary_ntp = ""
+secondary_ntp = ""
+admin_cidr = "0.0.0.0/0"
+gateway_addresses = "0.0.0.0/0"
\ No newline at end of file
diff --git a/terraform/aws/standalone/variables.tf b/terraform/aws/standalone/variables.tf
new file mode 100755
index 00000000..afdec993
--- /dev/null
+++ b/terraform/aws/standalone/variables.tf
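Review bot: The sample file ships `admin_cidr = "0.0.0.0/0"` and `gateway_addresses = "0.0.0.0/0"` alongside `allocate_and_associate_eip = true`, so an operator who copies it and fills in only the VPC and subnet ids gets a public-facing instance whose web, SSH and graphical-client management ports accept connections from any address; variables.tf in this commit uses the same two defaults. Because this file is meant to be copied and edited, the example should make the choice explicit rather than silently permissive, e.g. `admin_cidr = "192.0.2.0/24"` (an RFC 5737 documentation range) with `// replace with the network your administrators actually connect from`, and the same for `gateway_addresses`. The regex in locals.tf only checks CIDR syntax, so nothing at plan time will flag the any-address value.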
@@ -0,0 +1,172 @@ +// Module: Check Point CloudGuard Network Security Gateway & Management (Standalone) instance into an existing VPC + +// --- AWS Provider --- +variable "region" { + type = string + description = "AWS region" + default = "" +} +variable "access_key" { + type = string + description = "AWS access key" + default = "" +} +variable "secret_key" { + type = string + description = "AWS secret key" + default = "" +} + +// --- VPC Network Configuration --- +variable "vpc_id" { + type = string +} +variable "public_subnet_id" { + type = string + description = "The public subnet of the Security Gateway & Management (Standalone)" +} +variable "private_subnet_id" { + type = string + description = "The private subnet of the Security Gateway & Management (Standalone)" +} +variable "private_route_table" { + type = string + description = "Sets '0.0.0.0/0' route to the Security Gateway & Management (Standalone) instance in the specified route table (e.g. rtb-12a34567)" + default= "" +} + +// --- EC2 Instance Configuration --- +variable "standalone_name" { + type = string + description = "(Optional) The name tag of the Security Gateway & Management (Standalone) instance" + default = "Check-Point-Standalone-tf" +} +variable "standalone_instance_type" { + type = string + description = "The instance type of the Security Gateway & Management (Standalone) instance" + default = "c5.xlarge" +} +module "validate_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "standalone" + instance_type = var.standalone_instance_type +} +variable "key_name" { + type = string + description = "The EC2 Key Pair name to allow SSH access to the instance" +} +variable "allocate_and_associate_eip" { + type = bool + description = "If set to true, an elastic IP will be allocated and associated with the launched instance" + default = true +} +variable "volume_size" { + type = number + description = "Root volume size (GB) - minimum 100" + default = 100 +} +resource 
"null_resource" "volume_size_too_small" { + // Volume Size validation - resource will not be created if the volume size is smaller than 100 + count = var.volume_size >= 100 ? 0 : "volume_size must be at least 100" +} +variable "volume_encryption" { + type = string + description = "KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs')" + default = "alias/aws/ebs" +} +variable "enable_instance_connect" { + type = bool + description = "Enable SSH connection over AWS web console" + default = false +} +variable "disable_instance_termination" { + type = bool + description = "Prevents an instance from accidental termination" + default = false +} +variable "metadata_imdsv2_required" { + type = bool + description = "Set true to deploy the instance with metadata v2 token required" + default = true +} +variable "instance_tags" { + type = map(string) + description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Standalone EC2 Instance" + default = {} +} + +// --- Check Point Settings --- +variable "standalone_version" { + type = string + description = "Security Gateway & Management (Standalone) version and license" + default = "R81.20-BYOL" +} +module "validate_standalone_version" { + source = "../modules/common/version_license" + + chkp_type = "standalone" + version_license = var.standalone_version +} +variable "admin_shell" { + type = string + description = "Set the admin shell to enable advanced command line configuration" + default = "/etc/cli.sh" +} +variable "standalone_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" + default = "" +} +variable "standalone_maintenance_mode_password_hash" { + description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. 
For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)." + type = string + default = "" +} + +// --- Advanced Settings --- +variable "resources_tag_name" { + type = string + description = "(Optional) The name tag of the resources" + default = "" +} +variable "standalone_hostname" { + type = string + description = "(Optional) Security Gateway & Management (Standalone) prompt hostname" + default = "" +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + default = true +} +variable "enable_cloudwatch" { + type = bool + description = "Report Check Point specific CloudWatch metrics" + default = false +} +variable "standalone_bootstrap_script" { + type = string + description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot" + default = "" +} +variable "primary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol primary server" + default = "169.254.169.123" +} +variable "secondary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server" + default = "0.pool.ntp.org" +} +variable "admin_cidr" { + type = string + description = "(CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server" + default = "0.0.0.0/0" +} +variable "gateway_addresses" { + type = string + description = "(CIDR) Allow gateways only from this network to communicate with the Management Server" + default = "0.0.0.0/0" +} diff --git a/terraform/aws/standalone/versions.tf b/terraform/aws/standalone/versions.tf new file mode 100755 index 00000000..c138bbb3 --- /dev/null +++ b/terraform/aws/standalone/versions.tf 
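Review bot: `access_key`, `secret_key`, `standalone_password_hash` and `standalone_maintenance_mode_password_hash` are declared as plain string variables, so their values appear in `terraform plan` and `apply` output; with `required_version = ">= 0.14.3"` the module can add `sensitive = true` to each, which redacts them from CLI output (locals derived from them, such as the base64 encodings in locals.tf, inherit the marking) — the state file still stores them in clear, which is worth saying in the variable description. `vpc_id` is the only input without a `description` even though the README's Inputs table documents it; add `description = "The VPC id in which to deploy"`. The `null_resource` used for the `volume_size` check appears to rely on an implied hashicorp/null provider that versions.tf does not declare or pin, unlike aws and http; declaring it keeps the provider set reproducible.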
@@ -0,0 +1,12 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ }
+}
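Review bot: The `http` entry in `required_providers` omits `source`, while the `aws` entry directly above it spells out `hashicorp/aws`; Terraform resolves the missing source to the hashicorp namespace implicitly, but an explicit origin keeps the two entries consistent and lets a reader confirm where the provider is fetched from without knowing that default. The change is one added line inside the block: `http = {` / `source  = "hashicorp/http"` / `version = "~> 3.4.0"`. Note also that the `~>` constraints only bound the version range that `terraform init` may select; the provider checksums are recorded in the `.terraform.lock.hcl` that `init` writes, so that lock file should be committed next to this `versions.tf` if it is not already part of the repository.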
diff --git a/terraform/aws/tap/Check Point NOW onboarding page.docx b/terraform/aws/tap/Check Point NOW onboarding page.docx new file mode 100644 index 0000000000000000000000000000000000000000..54b4968d384d7f6e8725be4aa9cf35b497f5bf2f GIT binary patch literal 287849 zcmeFY1CK62w6^_>ZQHhO+qSjGwr%XO?U_BcvB$P;+uuIt0supNAF?# zi?9$Bm@*##{O|ey*Zv3pfg$xRn+--pe}YSYMlZaUdH8Wm$M;#gc%1^gOSQ!5NcIbm zvw8BLFL^g(ai#Ow#m8a8tuOv-Q)iCe?aUUB5X9z2w$5_%Y5+~nyqj910m9A%Lv;jY zHF8a(Vk4fYTled$(Rcj=B8>2cW+PkS&$wrb4I{Doba08}K@gH;ozZZ2g8wk|>(MW_ z;gUv3bQxLPUrfEB;=i zLAyShMJ%6P{?qVBohySy*Cv)n)1<5-HCS*j3}c8 z+Vk6-oJ=6Kx@D8^&N9ViFmEHLASj5$-?3$N;E+g~_+Dq;60#zuKiTP4Adl%e2^gkZ zSQ5zjAOyX|Fr)`R zj;KYSkIG=Ih^b~4O-LJyavjxHUef(o@-vv0maQdqydf(2#CpQ;I;OGwpv?vTq_NN? z#1CvY=nbi!C$}-jT2npIV*g@fAj?iPu7<|G?V3CHD(Wp8jtr%RDu9Y)`0z2;Mb`d4 zi8{s-V80>KYBJcf$H~?cdidvr|EE4wx{OHiKmdS9bN~Ps014!7?_|pGUm`KJH*vN7 zXP5uslmEY9fc}}~zxVvlZi^av_6v-tz7qQas-C+wj!AyDCTofuVbpL?e~3J)bU)ac zgwwdj}o4e2m&nxH~;V*V3cbzcbYqvlclJ0Dm zi%CZUVX7HUQND zHuJ!{3{A4=6eRV{BXr7=LW`Mc5v*)lKb}e-J4sH6K+ZW7G|vM)INqn>rW(rjOE(dd zz%(E%0wiqhq{6So51;`;FtC3IO~cIoHGFI1_P&C$t)+{&x~N$xm}+bsaAe_Y=RQ7p zHZ8kAss1yw+*g}=VR%`&+D8Gtn*yUE(2x}YBb?1TI2DJ6yec)lYD0#5cxa526!p8o z_$aCvnz_Z8=m0g<$nMu4{3U6r8-FEq&3$F{`TLKF*E{3`HIveyEE!%ZYq~}#uHPdR zko*i3`PGf~LcfINk6FzqpAUs~_w$14;(CUx!Nt+j0ZGVkMg4E}D|`Yt_&NaIw-pxGBE8;0TE$hkPMs2ag=J_s#ck8iB8$U+mSqY7#aIt_t@koSs+`yk% zCz*S?4{I&y%zB73DAE@EMIn<2ZE<9eMoG7~R-H*JHq- zty50`DRn*5s>=yGRoi;P+iH(&BlO^7AehuVTy4s*+cEm9Lb=!6*GVvuwwN-}b!iK;WS~dz_0M4cPrL{Mg-88i007n)fdEMVsPUh8 z`R`!4)Z4JzkWK0_Fx)9v!3Z`r!lNUwNYWa1V;(p(9LoL4>(*}io4RO{G<9Yttqu-z zi1%y`z6$oN^{jMHs-w15EUM+?6M?sOERdc~oaI|RsIjy(yz})<9Ji`zNuqXdU8H7j z$CwC8oicX2G?F*Hz5L9c{)ZRJvl#i#+Jt&?8%*mT4V(;lcptRpLYmj{z>BD#Yrg#$TCDp( ziJS<@k%7b;2hglHT*t_);8&l>$>`6QA1T zpuf8qM#FWYA@}K^+>WyH^?RJYjL;zuT+Rotk23`{@q*pUldz!?;mAx+hb-g9Qsm20 zGH50MwGRvXf4n0M`f+h>lC}hJ4GBy3O9&TVhCrMQH0T>EBjx8z=;P)*>H}K~%OiGx z+c#kB^nAZalw6g&RWkFuKR@~FGs8zfN?YouaDoR_eNo4hoJ7_K?9E`M2>vqY1y8%w 
z&~3<+QN+$^Z#N|wKa!GO`^1TR3^8P;OaR8 z_4&NdY9J6KFAyZTutL6a#dw~PKry=h+WGfDOqy&OX!?4Q8fk{AxuuDuub6}9GBBFR zX1`^HXE(gGgImTd`cd%Zgbr}}3Pn&s%QF*ooPoe5tHA2J!M>W$jHtRJ;6UXUVRyr3 zsmfswzvMiKrfB&ppW212pw_z>#C>Sdc1>5x6A1+j5!o_edD;7nD}dPqI)6LCFai~0 zwf09)b7(pXnhjbFn6$wgGC2mDkW+Ff2`Y%9?ipO3qkixnYgbOz+rReBQ-fO%gM0#iBa) z{3<0;d}~+e zL*Kc0NH@?@!X*P%5x|06-J<4?H0B^$W>Y07;U(1(Z-LH`D+)|1gi4W|QDfwB!B(jb z5)-90h9aT@L?sF0kMpL3Q2dn3XcC64;Xtpq zi>;pFLZSs#D)v7q_Wyj{Jbi1ZtD=dip}L}ELpAu8av|FMVI4|jv@W&ijmL!KKVi>NSC^$G)4rgjwqo_YsodNA02!5v3i;KD6-v+~66Vbl6*B#H=1+E{ z6^=|_G@+=ReoJ%Wna6P|HO)v=3*90@jYQX|sc%Cj3%r=?ih_n<3-czTU!2c}gUpcy z;#f+pw+Kz9R#Z^-2rH-@UW*|#wQBvHmFh>9rKM`>^6>9i6ykf}DLN@h zjRLhrclnCx))qT+D(@1&e)Y6Nfc(YZOQ3C_Hl$;InmRoMTuSM)nI-Q-HvX0;w4W~^ z6-^WY5dy7UpiLfGYE{H8WbYM&2n<2S1{2ca6u_(;AofxQ$&n2nfaZX~0hnu$syVKi zO4JlAs?XJ`Pw{?yEMk8T(KeGQNSF5fn)hdzbPPvVOQs4cGlP~)Oo87lUxU!#UM-@4 zC8Ey*5~w_%pV_i9AXJE6%aMs7RqfS9B+?@!NEvl;3jqxuH6V?G#0AF2sQm?_zGtzZ zBC^5|Q$p%}f-54D3i|S3v!7&Bx%^T|@%XS?Q192h`OD9En{3&^EV#Yc*oV zZdKT5A*x@C@Zbl#qlClu3_P{Y8EPy3ePUoBr?@MgA={#Bc0IuT6^ea6SMRz2yj!mk zy56h}@hI#XbM~g2#n7>yd`v4&2rS7QKeImvlq0A_c=X8;zTMEGe-Y#(z6B*`GXk9L z@v5&2<}qu=o%iL6m#bbes%(3Gi+i109|CpHq_U1D@@RjFRK4Kp1#=y~aKR58E0q2m zg&)_Ot+&F}KNxz=DwUBy=%$rTsTMT`elF&KPE)R`69ODNmpX%t%Eo4*NT zh~21%6ED*!7#{(9O>fUOV&!NB^c0Kqxj{lhul);n%G6@*@Wi3`4ZM&!ah;sXMG;p% z41bYusJ)WGNL&DO8~ec8&2}vHg*_GlsQzQbur*K5qg2<-D0IJD3)TQYW^@85Y{4;v zEkk0Ju)>pn>ZtD>Ti<{vJdnQnw1<&HEqYvI%%Xh9qn2}lYJ5i^0Wsl*;nY&NU|5AM zb~851$Yw|Ac8=#@W?4oIrh1E723ijd#92H^Q$<^MG*lwcN{s}j_o4%MC*ZBd3~>Qg zn9Bi59ee;Fj})2u7XYcl#AM@yS%j6EHprl!73%Z!_m5Oz>!r9q!tHyAjl4&PVey3Q z^Mc&H1P+8F0?t6URzOv2)~!5}r1$;-#%grq_LvODkm2fCnMjnrgN37y=pZd3hp4d{ z=5D~oC@;>uRgQ!w@-0`W!;Xw!0GIK=)pZbSmw<1=O}&mR#w?Fe(m0~6vZSj(^t6nl zqX)G=r+cXoxs`bVGEyOwD&~pjYU|8bg@~Ki@`v+5^~XsrOg|6r*KqWT+1!Eo(3xt% zOjJ67U?X&CaNMGjMr4GVxdmT(JdvP=AG!+0$!3f1u<v-BP+49?LyY}G9wKp+O&7U52-+OVkVNOM%nxik{)HwWm<_- zFUva7oP0o!yaWXVe+8RvDFps^h#^fbk#2q!$MDj}KC}ibL?V6!jI>D*)sj1RXN|gr 
z1<2uaRcuYpR*rmlA6P23p;L;9Mrs1&pxUM(BNdO%hQnMLi~+A|KNR;;!RQs-G4pxu z-vDIz-5kYqz&5CrH=zmQ-zoE|T=GGGo0d4YOnYvLr{le>ubQhC5Z*JPTgT7oE0XRd zMJ)Jig4Z0fjt70PlaVs><5o$qYh(wC^MrphcxD*ouF2N3@U5qlQ*{pcf+5JTRam(= zMZXBH0bw;q*Vf@|JBGOoKN=%oNc}m_j-laJcY9%`LbH)?*t4}XGwEr3@CzJ z5C4(&sYS);mt?7Zf6D;+ZRQyW(o3k!?20fpf8VFmHANIbob27UrvH)pq5W02U1R%> zp9;^W9sV-+)YgHvdvBx823Y%&mD{s+c+KF?P^(T(@Fbzw{VC;dE>B&Ks*lYR@XTCV zi`8Bsyzw7p3>-VfRgI$H8Ad(0ju!1z!;myfjrWh(b_iCb#`b;#a8vvX1^#kHk4Ds; zUd&U>A7O|!FuIRL_fa{7$hfOxeQ$pr47`udjg1tGP9|@@rI8*KYI6^uWH`RU^Eb?q zy{KccTere`gGI@d6g$>UymNu)RfB<_vo&0XsUNqPOHk6t8DTqqjvRHX8@BoFDv(hB zZ2g^eYxi~Ane3~ttz~@{jcSdvr!QNdvK!Ct>Ln$@wB~o^wVm1@vYMuMl9h9ryLB|0 zPI&EZz2$SA-|D@w>IP(-)HV86PtsKa5pq3SKx5rmAQ#gGz?cSqc}E(tGQ*LUZ7^ClZS>qkCgN7=Vj`l>UkI$mK5 zozTyU*5AY4p=dp#eKEWW0VU5;YV6WM;cn5M>>0UC%uhSu{R`>W@8}b|L7jG%@8uIP zu4C@ZhU?8W?K}t=77NK!XjR#YjeAkTO}u=~n6?5sdxD4K11rY9dk$WCf1RVnJDIz8 z)YWIWhL>jZ!wmDKibgwTI$;LQbfrghr6LkJcF>N4NHotD9l7?L0BST$eU;M@VeGOp zbDBCyiU#J&{cy>@&_KMVlp{)s2Jc*zkE2C7GV^>2@fjtruF)k}jGOLQcf7P@-5|6W zG2bQH`w|U9H1#Qq=~HOx%l#$7u6ie(nKgLluM3~1yS(nIJAXg%@%T~?1$XfNHZp=s zC;eFMz2B%<-zAcKmQwiX>94Zxdr%({xvWj!T~A+UNvCZMj=Nd$5YZa1XG{o<8^6jS z-8t`2OrcCn;$=xL7US>Qa}UPRyS@l9j1MQ^IPJV}qt>)5e08ASIbZ2YFX&8iWS~k+ z$)9)x_I*x0CE-{^fvsSUk>ul~JVAQ!`@OSKU@iK4hP~VD=Ifn*LgTt5n|0%`cD%5S zVmU#XZb^WCmboNO*M*1TV;EJNFR?A3{N##w(gE+q-7*4+UiCnU8K`ILa1)!RI0%sn z3GZ>~rJcp5^~fi5Do2HgtFp@>2Bk_u<+f$dw-Du6pf0mEcTI>E|sMPa&2xG_pm6ax|n0N$oL z^fI+@7tKtH`ZTxnpOD{^HbLi|__&6V39;_+{rc!_h&R5!x)AVFZke^tm{6+V(77k@ z_|??j*%&V&NG091w!J|kEMEt$AM<^rS(UL~?Sc-JZTfHFw&rD@XpBeP+4cbKisausYPyAmPT7Rr1 zkQomo61D)CQ1AUS2wNh{a3XXu6}W*jc))Jl`7`$qr5`!Z-w2$QJ)MvkZfOOfInWUN zezcaQR%0xV-O zP?(fH)QV%8q{zL$_oop@e9rlOltI4>Z^fa==sjWx5+P#9CzZwZ$roDl!etHkryhcO zHu$WaPjkV$+s4Fz?sxbd&=BA8Xw!%w2 zD*F!iT?2FTukAIJ8lN6-?0BE9lm|IOtwTI86ipDCpAF$q^|K+Z0P(rq8wnS}TQ+nXvbl7Ao%ix_Xdf4zlK4^F}!6}t5J*aM??ORjA4O6FyQ)+CAn3YL_ z^w6hal!@RJkk9AJ8X~a66t}xWF565YejKBeN8VqW|<&?my^TJUG;(Fh`K{^i$N);spyid~hCfQwtejfr%F%{2y 
z8z6bQ(Z2s=#`-4J^n;7Lqe6#Lit06pHq%S7h%q+EyR`o(L$Yt}A zK_~BLli^?TSwb5TR%niC^lPB6bUxu08(a$8LL7RKPzWmNWk!Ou9mRpVC-gWxtIftq zZPSR3F&lA?NQM;$anUd-%<*n7j85wQiYg-hU#yW|5Zfp+@tfVXzqcF|G4VBS9GRF_ zk{TJY*zxWF;U`(qpI}^0nq6*@PzVbZTdsI~C7<5#ZA;b<>BYp51Sy_PHv2|T@l!1Y zLODfof$#SFPoD(n6^%Y-m3j?1Gwt=fifUa3bbZsLOrCn)<^*v9gNrBHVgIQ<_kA<7 zQ@)v`MRNanxOte1Jy#!wyLe&}$~b5wk_cY9M)WNhc)_#A+z*`=R!fgu_Ya;iyKHTe z(U72wkg%2N0#KNYoG@mw>H-W)V~*7yDOWaIdE5i`$}}4=NAd)PfNp4F_A04lVeHue zbkT-l3{n;mhL5=UF2qQ^ICDHy<+4;Txbbku7+9!#m4s+(f#?XFicPa$JA4o2MCcGg$dDE)GA+=B(X$biJEM)BB zLJVw4inMrbBy%ecOJckbK2+1-E=B@^#J%Oh=n3Sl?e1{yMD<}c?7|I7Swj4YoX(Xh z$5a0{CSit$;0CTrmX>PJVgjxLbu=u|=8udOQ>YW5#U+yRM06XsYO!gPKHkxl;hBED zMDX1ZE)gt9IDOPANHmZ=VnVtBT_oVt&?c3t>Qf|_yIJ8wF;p`#D891@M%O?z20Ew3 z0wv4tQ{G!=Ni1FQI1e=zv4^$82*A$wKiFp&ue#aLbUHd7C$q z(LP=Uf?g%nS!F-ds1*FIafYSV!3z}jAPyx-&XKa44hW?tDp#mEd7$_#D`y`hfe#=u z^<@)&q65QXwy2^)^+v|9+ZlQj09|+(%rLZ9mNkS6aq` zN5t$z&99&dki^zSnoGlyKik0(P8?#vHA%`q^z$;;P7WG(an>|*cKr2<8u?4v71v5Z zY_L2GCPZmrWhtcm8d;kLidFmwLgye5%heApS(Voh>k-e^8c&WX8l51Wm{?no!A%gk z+>_@hWl+Ei`mX6H0Hlpw@uA4Th0tFsO{cH?JAH#^P--Vb!`MpAwB2QjFnJ0R8*=sz zy$YUMVs`vluQC|k7Eeb zVgba$ek!lmDW23Tyv!rdeDsEL^@J|$D_*AI0g?AaLf1W5JhPPZC5K^M*JVve=X){a z%X>RH)7jI5?IWX{$j|(xbfJ61;%y9S!0}em@&nqo-tZxM^!K2)ho;DZ7~#skg`f|Y zqvS9Tfb8d5!(Z3MC*0t^Hl<95Ad}oFH}P^Dov#|Bnr+@9?3^*v<1= z?+I&L>J5F@4U1!0mdhrb>-|N7%XJFJIkz}($I0f5w_kkFGcGmwrpk8Nx~{AEYfB>R ze6W=)830pcN1f0=9UCRW0pZb^$a&>YV=Z>tOlCix#d&1fsGH&KS2ucvbgLJc}mDTDo9pKIdEfc zWVfXg=>Gy%f0q5gbVW9U`6_5JZvnFy-c(Fy4HK$naP^{w!nd89Mr;VzS{qbLlNqsc zU2B{gho^2agFEk2<8!Sg(2&K1rt3b--k|7DT4zx?8JcEXIi~QYvf4LZKC} zLF=sxO9CrB;WRZGJ8GVUt~AJ4W>c@yz#ffZw{k9b?ygDikGyWO;(!A^nAM*rJSI6v z=P)Q_0g4bGsSY$(g`dW8QRC%z*sEROL1;58U}-#PK?L*FBc)NxX_~1iKvTnfFZNhI zFRr_~vL2qs@pHaF3|J_bXFhLn*A;f$%$VeGw3dTT&YR5d)`Z_bJ2PB@%~UC&U6mSj zL%yH7s&8-L_M~rXU)`*chj0`O?(dNYV2@crgmVHPfHOodC? 
zkq@EkuMQ^5aTj%GC;@2LY@5g{ofI_t@V3yd!eDQuR;7n-2wms>3t65<+Y&s;tZ6>M zw$gC?RDt8YQQVOnPjQIvoMU*7pTIIp0>}}8s~9YH<9zaUHhI?RYN{TvLcEOc>N$@> zH-)FwRNp|x4&EeW2xH-}pIHb-VxL6~uXC;9PqMp9$OQwQEu|nbsH0{P!i2wE_vp2n zXzprkUimWyRH4Dg*&R5*u56nm*XWC5Wu*k-fWh)$m-$lo(9ds!SGB}Xklqm9am`%R z;qX`O-4YAAHFHr{iN`x*gs2~O83HVqhgiURHBiwJ%M7Kq$iwGX4!9@iBPDaw;>jqx z|LH5Jp(+;!$-;#x+u3eR^BVP7^qNmMvlrj#pE7m^g5V+9pe6zLm3l8b1up#(9$&xY ztNRg7{$E%$a2IkD#U{YBdKY#dZF~sKS8Z`sC&TiBm$DtY>?r-3CSpul3hk9fp*`*` z;t!2w3h-Ti)+Y_J3$9}7I3Qek^k$wqaYy9%ZBwb6n)ID2RHGFwykdg{0xcGyN|LqH zSs8nEoW@7m!=wx~x>X~W7jCvoTjkQ1t|z)uBEwo0Dl2On3)0(1><8ixn9}kJ=4X*e z@Xy*d-piqyNI|!x*_Y?U2<_JVwsehimg+~D6{fDM8LL6vg9(7@E3VP7r-Her_~1{& zmba+7sFU>MLE25W{Sje%cXx3nYs=Do3K#d;JsWz+j;G7Rnx~^$#J3_p>~@HjLnm+v z!m}Z#J%s5CGqYdIr+muv6Y?oUbQ4z5ajBP=gVq_DSwVJe=7SXy;W!d#XIgE!AGMP1 zI7RBb1PjJiPhDEM$2nnGSMz7^N*1$v*Ngcw3*Pawj=~F0+v(E}>duV6q3-Hj6b1`+ z@xgwr;>x}#Zy@sXes!IC8P>{oR(!^Y(T?7eG`{XGR2O}Qg>q(Nis3nPGp(KgQnh;z z?@5+^5c31-ZQ8^cd9TsC531>|1QsUdwKC=KLMdum+tQLL1SNzo;4O9bT}@}@B5Wt2 z=3Lk4X^8q7oX7!=%9ClNS*Dx2nlTn3__=pqQ^;ge78U;YxFnx2GiV955P5Wyb2A; zdXUJG`j`OMF|Z;A*bu2nz34Pxqs;|DO)3xnC&AUmV*lunZn1%FVk7&+dI>}S2g!8G zKd>4WL!*g|*DK-!Aru9S*M6k1Y5KxOu5lq#*Wm*ZM*c9N-Jt{9!bbK5^}X_xvKh8E z=0Ia!r?(U$Mw?o>Ns5?d5z9$=Ri(a~UJoOyW)q=mog0@|)X7(VJ#%7X6Y0{nDpjbp zd{>s;{VvXx0oo^P04o$s=u500+E{LjRt9y z7k8J%3d!98rBnw-Tb50k5_Kb!2W>h^onO-h`&3icK8=~M5P}8~kGH6pIHz!La){m+ z?_F$3!bD1oMo_cpLlxSGVosO1i(9`&TEm>Y?J!}qa$X8FDQPU4=Bo-k5WB_L7dE%o za>X2z(aE=^r60j~bQnV~JmnR|f6P19Y)6Yc3|C=I;)ac2hD^5CIimVT3K%siJ3!o4 z7>f+$8H|RS*{3>|xNvANmgTuRwcDESh)=!YoP`0o$<}4_`-k+m$1;I-uwraL6d1%u z&GlHlb@W+x*Y)Pp*SoXO>uWfdL9 z09Iy3E(;rO%^<0=J+d5p4r%7$Bo)t@b6-DV>WLE0^&p4i8=5YRYic&5{l`$(k_H>M zzIq*{Y>*YoC?rBaXyI_?xHej9r+#v+?J`=&3KzM0M;6mT;1qQ0f-wB#}P|@9@G-RJ4wtd%~=wqX?z#Vj*Q2Y^7+0}qZZ|}Ccg7#N^ z-r)zK*3w{gFZ%M-d3$&Dy-o+q$qPT_pwZ{tFMadCS>o?Ea8ScFg>i22CiTyXhhy%?a9^O4M?hKlFjl;=nt2aW>U z6UNsh^yAm7QJcczpQ67L8D_6dJX{Roo)tZX1NgS?PJ1_pHGS}yZ$5^pb6xu*8(rKD 
z)>)2<5lT~l-}m2Pg)DFmdZSpun8UsYC>Civm@5~&KJ2!j@_j5(a;#s$z2?)O!B@S#R#>=EXIat zQ;wT7CS59Zsr_4vc9c`WEa6U!%_d{lP%_v`JVuh5C-m@dtbLDt6K!FR5mk4O3$ta} zDH&I4=9Tlvzp!)rnXxPzq2?Fiu$b>b!l=C~R1MI(N4Roh+B129c=|TgON?9jb09(` zzXf0%im##iQf}NG^@W4vIFnu=^S8RimAeZVnqBN(jTvN8@_u)R6ZGfu6Xc4y*vhsR z!#8}E7)~S;NmC;gvVHq_zMk-fDi;j?vuuJS7GI7 zrvtXD?}tLyKk({B(Km7L#p8ATX@^18CVsYuVje-Jhv?<-3Fh^I)~=;fHAzefv+O7o zSUqC!!y|qaMue#S>)jVi#Ajw%0bl)eC#EilL(&%{21ftWi!#-koI-q9%De6oP3 zz|b$1+-`y|i2)ZT0A!kw*; zewO9oqtfiX-=K>`Fe-;{#!JQ_OWo_ zzk9YCp1H%0_Cvpx83U*mc|Ce)8PSkf^_jmhxl+wEOWwy57I^Cf8?7-&Rnd)drkGHH zGfFJg#pw8NCc32Uw)9Nimi_?mbiO?yeS$5;k<(ByH_tv$4$c8*RgZta4*swY5(2<8 zXFvaS^==Yi20pt3?X9D4#cVxJs6$VLGhe`3_T;2`;P>e4*9SLoL)i7p7MKQ60&eye zl&Jw$_#@X_VgZZ=x9AE^eWY#K!c^f`9HY+2jQ{e-)W9lAKLhCnV=+9BSWcvmGjjKf z$S}x%^i4hBgnbQk^SamGUh;qVWFAWO{B&>{`~0*54-6x~2nA7Q$onAH$|>RFEi)fI z=&r8i=WgiT+4nDK>oigehqjJRJ*IYt&9XHv_(ipEQDCeL5to2Fq<;0Wq8>h(w^F$$lvx~nA36`JUsDnl3sFHLZvy|T;KQ2HKN=%$sgw(?j z49T7azU{``R1B%|%-tzv6gKAezz@xklh9VNA%DkR;R{IAc8!M<45#wN62nEzN&;8r zRarJ+KJMP&n72F*zE{S5nJb1S!vmoboztxF@sHE{Pk;A4-1^f=34F7i^n$quNI#l> zDfoF5F2c&A7fUK{hwR#*0sF+qYP>@-)WFepBBada4rjo*5v~Sap&H+2hk zcQq`?D&NW|UbV}fk&0}rN(VAGB;MslnI%L$JmScp!s+*i&=ZSew!%kmH%=%2LYZ}; zWXy*n2-&nB?|b5=V|MU7GB-P-sB1-&2D@LK5qcgwh}#1~(y-MTO6KkFDkc%z!dn9u zb0}H7Sp{=(L`bZd0Z^jo_}!@_^Wp|;3ix+?P=`QlW4B%R2R|_X8L|1_%j*uhZC8l? 
zl@C=T0s#N6|H|(-x3_mOb7KCFx}i(;3%hkj)NcW+8^a@iDc}OZMMWZdwdTrb@DDz$ z(e{|3mR};{O&IGomt)5XFpBEnB{nP8!o&`j4>>p4H@Kr1Y3@?6=;_fB$Pz3zVc?8H zi_wz1mU$FKjV<6IAw$7TWUF(jnwDu>FE{kc8)>+d_QaPdL=rG1rY*HFsQaK%+Q>xm zU{7XnbE0KE1Vq(kDc)XNjIm1$BUA&z<%+(N=!%wLxE(yOQwNM{(^&Z>MTkz3H_MpE zbA)o;MXfg=WStdCVUgO8R0{d3{+{_12{Xr+vU|*wMOLU1P8Ec)56EHM>)9xs0i0Fk zru1&|B_1jGp9yX469I*uL6N#*i(GMN5YnQUe=1AIOy(AiHG^oM$^J<0I~k12UNnVa z9#&QZAru%$W(;vXd_|Nx1`uP39yvmWUZs;IgNmEty(*QgQP!^U!sqvZIMClZB2EDd zV@#OxVN=1#tGq=maOo6@l@;hEYlZ&CQYiZY`4bB>c z0pgBym8ZV;J62zq9K-HYklynqm2mfpwa#+jTjg!A{z>y;*1C$c#oC84?NYS3Z5*$J zjVTsVdO7)<2g|3Ev+qYgZQEB1N^Z2P^~CiIL1iyX^yHOJ^)=M3ZZg$e%u+z-Ic>aLlOy84}`tO*}lRLrhsl=*TD>QOy9Hvn4@>IH33-MJ8GwK0sej zCI-s=J=XQ!Tf7xe&rjWHGK;H?zvZHO-C9M~%eF<0cq0>IEAuLMgC6GYh9`3k{Aq7i z9)Y*7>jlJ8-B?nEY#FEGON;SIl`Ji>@I6$Ix1?aJJDYBWhOLh`HS{E5II;kxsm0={ z=G4Lh;o?!sy8^d|-bL*6zk@+3;ZcsIB(LIj#JyR|`!m_i_y4tA#t}P!asJpQ~ulb`I(pW%{6WSB5)h{!UD)KXNVpVqI zElr|MJdTC`{-XI-H{<_vwM1SgeHO^B@+OWd(mStxD3l)sy&{>jRGgrD7s^lLfpQE1)}@i9K| zJiOL15Q~<+tvWHRLKmDZsg-69NH>r*14a6gPcTdiW-$C)x}huZ^p_kHbvsLmXEXLa z)d}}+CI)pj^YvUzN!fnzX;rZy_R=SrIm18JLd)@7e`>8d?MVs`n_!sSwAO(5hd;@G zv$>`U#9@Xi{EY})wdNfT8D!Csu@+su-o*$tXJ}J;=M8uT5-h!aAe;v$R(yG?Wo0+^ z)K1-z>_O&Xb;4dp>)bNVP=A80K5n_(F?7vj%A+RDPq`rO)n=xj%MKDt@J5(FS%dW` zmHu?LEFRc6oDG<`C?E*KFiH}ib-|gF#oi-?lh`^_=Ny4)DqOENwW>=iz8aq-CN<*C z;5^J=Wf+iN6}$sh-KTsAe$eQ5o8#L|zsorE*;~fZQc+_>N4U(@sejnX2g_*m;$DcWZ&n!q&Tpf5!XM|>Fnb1 z9`E)9caw4ulg07vWOJwHYMKjLP@Br;zIzGZ}eaW<2rw+1XWx1Y9G{YHMIkT&dx{L4%4YtV{iUFg08o41|GjWV9Bz@`3 z|JW$hyVV8c%n!Ke)EbMQ{wIv6aE=|+eS2e-WdXOw6}7F{eWPcMls4kKn3GWbp$3?x?D#0%y85YnO3hAT zR_RO)PkktCOKfy>&0r41vi21CjLm@h?0g#U<)wxW9*9zu9lcTPUSn1YTQR~)%OfAZ z9%1|zNFMKrUM&baWn)x>Z3jW`q`d@pL|AcCB%2eD2 zA>!!G?`J&PYbdvrUn(@umFt#O-D+FcAoZA|mVrV6SBJ~qI}HlTpE+(NzZ=^FrWkwQ z1{oVWd8Cn4CpF=zh31$=fmBeLYvG~1zTfIs3;VbWnTZAefaau&xt~py>EWGBgKq1r zwJoy>g*tPOtj-5X8K)(wfS^0I785cZa+SfZ7&3Q37uA2wgHtvxhj&m^5~DwHdSy#Y zz*clSgXo%QBOa_e8jE6xu)o4=e$Af25*-!RM?tj*C8A?ssRAA&*MIJEdI=J8e 
zy>;so43aL|$Nz&_!bqtb*0rw~c;c2R6m4@b1Dg{@m4+t>zq9{YQJ+puSsvQbnkV!A$C4 zG#FS!KSblunc(#i%oaSTR9f*IrvmFL3(TYPXn_ox{4dUD>&hvVw; zP<|kIKPm#055Q@TDDUp^|B?32QI-VFzG&NaPg~Qr-92q%+O}9m)vR_sCJ7=>eRA`lUHTSK0H8!9HOjn zAh_hVx*wO;9r7V^e89*@GH|1R!j(d| z48#BU8oEf5qFX?HR2E?4*|elVw!8tg)Oz6?%oEpij_jHzzO_`0`NE@l*K+M%R%U|;*oBhC82(XqYjF&X2*S7U#@ z;8T|A@9+!V`Pcz+4g^=h{@F^tbY`N1E7fiUXpBVWAuLz#5x1q z@HOZYLhx1CMLs1H34kEj9@=aWbH^NL7Kp(mq7#~PKC&7`^q1R5l7+usN+|4IeN{y4 zP=+M`{1HBn1q0zIMu~=gy?-CJkODc!Dy$Gdf^LP9x_Z{_z9>@@fI0aC&jVtmWu6_o z!HM_V!krGS-jb|UFd|LUQ3+4$5PzHh=3(rxGqZ$q^0SJSrMgo-jybYA-l=2EY4b33oHM4z z&IxP~sRSmjk=YbER6SrRLfz*GbG9w{Q4mhnm5XSgGBdM6G@pm%B) z6|5U$?#-wegUQBiCn=&=-o*g8K^`%y!A&YLfE#q843b9r^ELcgskYtB)+ERzn3H9Iew2l%ytH=S=d9iNjhaXw3!e>f{kl=4 z-U$ht8rHS(w`ZycmYq{~!DKqYqnF zXe0t{JEV-V|Kid*x7SH7t;%Cg`%uwtv4|PLKWVOeQA1f z=i)mz6A%~I!cqvZwvGyNS@rzBBCh2b^$-8qCy7MXzo>2W)9=e^GGgkVzety93p5kbb5i%WXhKT|}4G-1p z4e;=1sRB6E#uEj6p}$=Yx-mpK^ebt7#`3}S3^0cpf=SB$|DjvDJu)Mm z;Fme1mc_IR#K;bIkvT$F;VO&np>i32Lcl1AO9PAjTYyV)zDAzduU?2ndFdaIXawW; zkZ8usDvm8q!|Jyw*JOefb@XbsFejPN|GR+G25VB^7}o%ij=1&u%8Ju;1Yw#EwKZDl zmnAfbCeCjv#^nd6Lu#r@@vN7*v3mx-Vqus=KPBcjo<9m*k!Hf~*vpJ_a$SU7NhxC-_DCzJIfNY32L%b<~ zxt&0U>m#3o09`G;+#PNRoh7m1dwp+r&8KoTZqHdqu3g?~)2j-!|FYyBVmMB(kD@0}^7&fNxIwLyCXAj#H~pQ`6>P z^3wfn*woI?AE7I`3a(OPp@B5Og*B|wd)o4?7B~XFx`UgFrbW?TrAyZYnO?gfpRF~K zugF22Dj9}DS)V;(X!DD-Dut0WrYL%JEc6YMcC^Zx-`K-Q;ClcqP$3p#-k(E%+zu%>NYiLYx5r z0s(4#5a8j_|Lggk%#5v#>Hl;7U%I@yjO{ubRu|%mFQJp|Cpx#ie2Ms8;pSR{;GWA# zT(VghD;W%F)g^w=4#v2x!ze`l zmOsnN!Uh3;d~xS3`y!G>=SkrY`q<+UJY>)tICjW};J=YoK>TC;Z6~N6EgF@>7-e`8 zcd%BraN$bj8a80s!W=WO#=aLwaI*D-7y1Qyz7MvxzulNl^w2t zP~arHUstfGF8}O+&9z#g*kxZn)0}JzV$Zc|QEaN!(X@7=?Ep6JH&M^ADA#CyWCUb# zc=0GvuGDY?4abrRCUffCRI_Y$ctB&?xhO;3vRcNO3}ZGel_c_JdJ|S3O)Sb8Ex_77 zG{6M<*`hWJ_Saq#Vr5w(WWOs{4YubT4D-rJs*8r!TwVMvptx+`JJUe?75m_@o}|d7(7>aAeN3m%aEY34`7V~ z?JOV$yoiic$H#+h7O_Iy!a(Cn2X!-cT2_2vKp_#q>#MQU=0|Db+{AuG32rWLPr9 
zVIp$iTtS=?A7Z$xiI4(AjE6EbD=SdwG`oRjD79&cB$itZQ8`?%SG+PMQu8v`&nXKJHgH;3PZE-;tKBW}0+j*^^1<8DXFK!ze$rimH^)~h+gZOJJjbd5KErLd%2NQFTggzgN@~8F zEEV&jFFy?{|MVw+lwN8?y$vRJ8w3x( zl22)=NVAICTctYSrVpLkt(Eu0n!VFw8`jQ%NMvVr9mZHXFsY)^%>ni1> zmV@oDO~Q(8^aYJaX%&Yj$ zxnyWXg^e)~`-GD$GD%d3dWzGwENZdj6=o+m4c6V27_Us14q&ThJ*<)*xigg@^;9Pw zUBEj#jfs1R_W3#$ZL=COVsu64+DIlUM{06|QR#0FN0IkkFE~4=g2M*0ip8ybj3Y%j zT5Pz`YK)4B;#XciMPXdgUdFTfIF6p&W?AJL@>~>r^q9{M7+_Qn-QR zON>$^na`x!`KYkWE!c9-4D|sX^Q)Oxwr1g!uZ~PbsYBn)znzZyAexa+@(|a7{Ntu( zqlbgSIh^uX^1rHfUM;m}U&{P4TYrWjW zYRPE?gyj7T(I+V>(;yMQWH`;;rSCCxBx!lK!lPqNEW*h!)G6gH)WgD|!?B^(o7-ZAf$xMAWAxEGEkdDz$i69fHZ8X5kef8xPS>*X$MmVQkxJ6sU9#O zjlnRAOAM%X0!rT9n2pFO1WddK1dyiHi{}&uv>^>S_ioJU*9ih34>(fpokkC-V<@Qr z2os6GVbbcK89YE9SVH+pUqoNu$u$rNn>!(|2Y<~ute5TnpZr<4enH536PEg@Q@im% z&?A08NvaSD0+`}{U^J0HNy~jdGyBPaQDT9CsjA_A`qKe=Kn)96`>Mvc2(P}bt_)A< zIGYbcbZ(~q5RXj=)zp_Xmmj2!;`&0tCmlh+qW$R!{g6^3=bPE1`YW@r$O6!CcePl* zQvdL*8F)4LH*`cj#5BRFJmMC(7%Kfc_(PQ#?0Bi< zVPmBG5yfPJU-WA5*H^!8q=(#_AAEcV`?zGBg`Jbl@k*07d;=E;bv!eSk_*PbaP(bZ z;oLG_z(gzi_s9H_B-*;dI&aYIg&g@ zh}jdQ%?QVbJBgTgNPa%tWrvI7U4Sm8t5NJ#0mg<^N>)XgIKOQ$PskMfL4#$x0L{20 zE>HO!$|va*mJUFFq=f$=gx81tpx2b^zcg-Zc~aG1BtN@RSm?Ya9$r^|e~K4XTv2qx zho|mb$@<)rAIp7J3s;H?6$TgNe@X9`U0?DU>I};ePnS=i<-9SA;TB{4u6}pB%fR*! 
z26S~7nA0emz!8t<zu)+>P0yC7&QCEu)xb z8M0x5v>mul8eiZ-{v%MV5WuY9*jS|oOgA!Ay{29zQ(fkD27_OPe-T7sy9w;)dV;F5o1d1g7v5V3qprjN?sQ;9c4k%}4V3pwCg;K&X8Cn8~yu6af z@fE?uefq`#_Okwwd(=n{V>R+_z2(0-OeS#HI1_eUBjE=YDGuN*!Y>!;U_asn?oB2; z+T3?+NuC7f+fZ`v&LpERjfC`e%Xi7UH+}4`A?059K}u>~`%@VE1Mw500!8h>0=OS; zL%iNyhPU6suYq#1-}je5PumWwp_fy-ZyhY|*w73x*~sOvUhmm8eLl|m?d85@lx`lc zYA-*@hEbdI*Yc*n@ou$3SxmUsF><_W;Fj2`H47mOELKtzKMC}^3LPdh7K{>G1J9J)BPumb%^p z@yohDxK4V2nyk|0eeB%$4#?gfjN@68thK95t_lg<%BrWAGy0Yc-!8WTvgGnXti-IH3h*3 zR4+v%%pCqUWx}iq)oHX7jlf`&hk^85cT~q@pxxxzv{Bhu`_XLsS)64%;pOu(Be=9Q z86jok)v|xTa+$+^*TI_nI!thCYrAal-OMk@Tdw3bBE&vs^WwuA`Ok>xi9K|e*YvsmL+2-3P#){vL4X4r-JZAATDke@%dtzKO~go(_ZPZV7tKUgX{c^b_k*f=wbEDCnpSRC z+09LvGFbk`6HcO_tu@x19xfVxyYg$(Q(<#EoHPdXg{r0)A88FNQz=T|t#cFb+Iz@6 zL{}%o zN7`sH4sSN%?HQ*uSxYA}5Nokcvr3)e{y0F_r>TRFow{#Lu~k+H|LODTu~SEA^$}{C zjnD_f)RA&uwbkX_UeuXYEb}ecMTgjMYj=Lr%YDzldZ~>sa0g7KuBDjn^g^M8j)`kl zq)seNMj)Gp+DJ!z93SQEC>Il*n$E}DrvJG-k(szK@9oLUVST4|t>gPibtlm^7gYeYV9DpZiGL- zyxXZOD)`pY{Ki5h>^TFVesBVhu*46>AU+6=fh@8}DfMEYr>Ja{39~_`!K|n^o11<$ z{xV89rrnH9^8D+oTP+6pu!-IMz4_dnr@XUMMve1I&qYNKh8e-q;dnd+&5JHY+uu}Q zzuxA2zS|#CBAr%et%*)aN196yqP~jR&2z&GhSr=^Q)q0|Xki|LRu~o47+Pte&bL}m zU>z5r_OKQKYto5ylbX}j!PJ3QXrP>9D!;z4m6MoIB4wMnZ$NPRV;08i!pb^2izje{ z8t}A6wqI+FsC5UJ)dz^~1E!)c9Q@b##36n!XbxI-oo2do$V#$256moRVOb=UB@B28 zLlB<4C;p^N7FS=y5|zS>5?TcUYH?0ON}`itZfCZE>zv#&P}mS*&rYtqE=-_zypCf7 zX~?LvXFa_+4FtK!mS=7uG9y)_UHba^WxwF`E6v42?I02HFLrnR{V>OHu&~??M&cwA zeijuM%Vw~_R|X^Cad|#j3D38?Uh{cAU7XIBcs`ue8VrW__4TROo8)z9x4TfQR{a4d zQB2TW#_$P|v6bO_9a3r}h0tSl>q^;!U@w)0|}ddagk>l^jlO-o?-1_r({D zO~owk=) z?$!tFTU$lhZo=c0fR&z?)Lc8 z*9(G!gENbp7P7Ii0SbvgSeV72|4W9AgqT6d}e(7-r?b55B_Q<7>&Px$&-i_RxxF? 
z!ZWwkUh>+*>HKgs-ut?3H}CU?~D2m=J*t0THdi3SZ>#K zR48S4rIo4*TMUHFGaj+#4_{~`02%7wqjMqYO_YPOc(cy(PM6aonuUNh5cQ~bSqlBt zaSmYkOQfm7lc_~7w;rTx(mCD>M%C>y#E$~>969D1|L3cy1_ z0Q8}8GT^uZfPbQ-Hz~ccc(;uCkN}wSPo0PY)F_o>JvEVRBV6(k|tv&6q1l0p7V>#XCLBQ zt~rl%H5<%=NZ{~rR}chHY4A^hLsl01C$WDQN;>$UCQ`XAEhmFFnD{skP<+?c8-Dfx z!%pl?(3zhIUSb9S3$>YB zHl9B>`+H~upVwpQ)bELnk^@v)M*UT3Si@o(nR+8itFi`iy(4w(4z9-`ic3n=}_5cyR@W+}diQn6+HB z`{_(tSOU|5zQKB3#p5)wjP(!Ci__hWo9AE|o2={{W%w`TjW9o{@TQuunydbm)K}Yy z1OrCv4dy|v?&Cwjca27eKlk#bQYmyVAKs^ne=uGEm~rhviXInWy`F zo3XRx;NRTXME>eQ3n20R_A|}#wzsnv!PessV(M@qCP*!lSQKqe6* z{-M!s!wW(o&U`^=5!}18v%5bO6BGFX`4oP?gp#}zT}k9JCw|Kcf!?m}B+}zv|+8oaIOc7k|E9{APE1 zAdD#V8c8~x%Rz_=L*@LD8Oke*J7r2s3c~v^&@uECS%MVZ4rl6$7P2%j7nAqjAbMF5 zPzol}ug0i18tdv%sLNhMG~y9k-s+p1r^m-pD{qF_jP@FETSG#I0j~*r@l4~kM63rw zk?kPH&#Sxf(a{$LZi5o+&=D*-SqhXg_(<+_Etmg#{~@QB%Tbu8D`?U1Ea7msvbK&P z;Extp$xOzi*DC!By`>do2e;g(;S;pKrt^BVuEK`E1t^uN>Ayf8mdQ6O*hX)s%J=nhSwW5)~o!SVyN{y;; zOQ=8*hZ0!X3%Bi72Y~Yvy9D#?RhtE+pcbI_9RtK75x}alg6UaHnfSv~}Hg!wpyKkbmiJy~tL8#`p- z(VKUKH6Vyk62UD%ERQ~Ez`8o^;J-c&7$ScR2&+8&vY}%$o%A3xa)N>>_s#}}uf=qh zN5#Yd^bn7278^2s1P^^N^c@Ure_+mlD`_3fOS{u4N+Pb51T+*>;#~)T@t_|87!MD9 z$0Chxm(|}?mB|v;2RF4PgE5Q9Y1Ea@!}sa4MFLWYzYr|F{5<--Tzgu$SBeePPZo5s zQ^24Qq~zp);q9uaLE1JyJUo0+6p`78i4G0zfoU+`>G6+_jy_+m4jBO{RdTr5=>;H? 
zJkBXb@k06aogKZ*U!^=A4=4Hg`7bXotM#Ua#YLU+J=W_@`t%pVqN06-E`kptu4=hS zeRV5;wDzh3)T);_qR9saf0xLj^Y!>ro)fR_@x(+$4Pr40>>^6{_UGmj%EQ3J15`|j znCn6$avTsH3WrXFu%W66Op22%hPX4lzfTa4*!STfxMyBd!1?=ER|paTD-x${rRWPP zFHz`3UI20lmNWo=EXPw66cn7!R+ek%DNaejG{QXZ>gxKnoLf1bOdF^wFXzQes3GXu zN2noD+f-~k>q$FgzYVlaaGCf@Q!AdfXFgw?r>mUNM?f>uu#-Jqqu-BIb552~@ySyE z6CfQcpjeauqeL$nWG1`eQttQ%u-;TOq%e|H2MVXil%bY5e4 zs08HMe2c1f9u*y)yyyZq5Rm%w5IDmqaU*LScw8-c6 zXVl)_o?4|s088h1(I$&j-5(&Y(V$PNI*2<&Xei+|$5SyM^Y~iG0#;PoPKFk_{wR_H z7|N5_&)jh++BmjB5nd2!7HBv);fZn=G1$DS6>5j!P#3Xi+^}C(zls+Pwg9~qo{qz2 zX3&xz$DCWCf$Z7lt7TIbZh6=`RdhO+Q$ha#mXYkvH?aC{#Qq;` zbim$VKtK{Avcgrr^aB3Ry@Se5iQxJGP9YU^|Fcz|gU;C6q$3^HPDwf4@A{G;3t0?r zSzk=0St2Bs9bOcYmVk#WH_#6h3ku0uC1MbryATzP2#g`iCQ^CnO183*5Q;e04@SK2 z&ySx)giwL{K-#mjA_5y(&Ltc6rjU)K_1nI08&~UDN)~KtIA`Ua_}}}P-yg>tp6`2H z(Z69`g>;wghx(B?9K-f$Ch{t0?5B=7Wv5o!$MA-on}YF7i9fw#yWxttpX6``>_z9E zbZ)pgucv6z*=HOQ+iim1Ma|Rb_F>8jPxUU#N^`Y_RLO z!8sy9Yuz&Q;4RVcKtf__7xAWfDWodx4Qt4mhHa=tZj=HGxLKilQJaW;f8V4T`Ai>J z*gQwhm(>CJfaFBPh$eBKZL2bldqYEwu-Q}|vT=k;0UN$Ruh1CmvOf;{iVxzk2G^ir z_*4~TgnULSmw5vs`R;wPgfMFcJNaneuv#F?ePS0 z$n_4R?eQdG$qr7lw1m8<^f(D+)(#fMe@Pxt#Z?PeqkLkooXP-VO0@S3*@Z>r`A#pP zv}-)u{~fv}xj{M%G4q^3ifcu(Pa#B&3xY_x_L*i=7MZg$ z%dHqV{jJng9&=mM_vW^CEHo`?49doy+dPGoWD1YGYBkek7UStEr*icd@$pe^DP`y# zb7f0r>M{VsE$R)y!31Z2OBBJ{aI-1y_xep^Ag*VWmSyiZ-3oknZdb^Y%iDUKrC1kU zr^~~$Q-Y_pdh7GEEYq{kQK4fsye5B$_Kbx&k*P~OH}_~>*2{{7?4^;n=FPl?IAM+e zJ(2Z7(&odps15sF`|Ns@&pP-)cGa>ZPJbg?@Yf?(FNYjbHy~;cE~D@PN#K)lRZ5Df zg_O0;-Ri^Lh3m>2UhBhkunDJOsJsfsY>DszY~Ywn&N#gW0ln+~KDATVukU<6lq6YI zby9B-Nl;@l*_`}3ZExw|%cWtu9K_CP>Sev>9~VJz@QFz#uTnz74)9d-ju9-MB?%q3;*f9DOMLH;Mis7Kplm-YQ{-U9UP^L)t$SFi8a6wEh*>8^x zx-prOmmM+d?&Vs}dVk#}#&bCbH{ggV%e)tQ3;bViC};va z{*pZt2o00GM^>14DRA=@^-E;O4Yy!8b_SgDEU``Qp)K-R5dLt(#Sh{-Q&=nLoD#zu z=VntOSW$bOj)ORw>+#BfS1@Oxi6@5#bQgzr_}J6O#j63~{numl(lhx|bF@1u8(VzJ zxjrqAn76ZDP(|M`m4hkztq!^xkiy#Wyl#{h*ejF=@~ZHs$Qt{6H+Jjfh^?qC^BX-x z+g3Ll7}K>bdDg*Nrv2P=HT;SP@KXPM&6Iq^HkTXRnLg)$Sqx4#dG~TZY>j_gUEEjH 
zh_$c}i3iT?Hqy!GrzKNnBjd-!(2TEWGt-pHl0{6Oe_h|b9}#gkOR4nq@fc*6qsTTk zUo+qL@Y{lG@N?}e{`n&vZb-p`uS^Gbsw?E}wcZq7g&1U)&*U4faaQ#Hx3(MNRtTcm zJA*uE;~jDxIa6t%hEY=K2W$uIwOaJN4_unzz#~>yH1e_Gz&pp+HX~`QTyBa0zYPbn zSpXKx9{prUgYU=+e~VwePe4Ls%+M*$_S%VO;~lo?wCTXfHk{NU+Wj}0&-mAuTvaz@ z(y6)jo4AMe5|;%3ncPNUHQm5;j#n>jt)i8*?vU}DKlLM0aM$29=a}% z&0$r?*Txm=#uXyILP}KtDk%SND)0jQ^T=D#*HCeLySYob%Fo^Xz<4H;m^@HC9E6|< z>1Rk^g-q&g@Ms*$5H}cJ%!M;m>_kV)g3Qq%dRNB?34}RD3B`>9*x-Q(V^>5`v`6C8 z)+TwqAxCfXv5m1be+^^D(2yO^CBKP{>&S0Kgyw#;vw{^!l2t?!wQ}S+@%9`n7D26{ zA1Eh3jc_ANd_wY|4Q8Om^(a5#nSya2utqz?kj|0ofGqwl@3g0PL9vmHh|NTdWHIr{1W11>`q{G+ZarjGm1pTz84Ju*gkj%RY)N3j%L={~M?w z#LAWkHBrwa{oX(Fk;MZLXPF*wdk@sm2dF2M_7@Z~NP(g}FXnx7Fcm)B(}!;r$G!x! z%&Pk(wf9?MCn2!`T| zi57d}Y-c*pq^&=`i19kUU^Ws=AEZ=ybHh-nKUUrMWKFxLsiXFEpE~>MlBlh1TW#)s zeD*ygJGw);_g>9Cyz&ifA6&yatl#Z4yw>;foUvpUHZCC|w#90wKDXt1qhViLd*~W1 zmAO{GqBwU!^R&fD9s{<*3nm#j!diY7F#d4qv?Znqe9hn!;w|bnH}lM+Ew8@7eg83b z@#D%d{u<;B&K_}@+8M7kTWBw4%J~k`wA5?&PaYTy5u$_nbRIv&@s1@2Vsr*cRfgEA zT$R`UpIGQo)f=+Rg3FjGfsw#p6#j~9kn;qhbdg?IoeXb*d0_44xULk|#v_T3T)LuM zqp#;3lsowDII zzk%EtVm(4R;d_RGj@Wx>|L}|y@rHa6ItU&Fo`4sDNtz@6zcm)EjBeF?xE#F=Ipw6~ z?DOP)x=4%Ih{NOo-RUD8==2xG z`XIY>Mb+E?$(Yjoj8f~iHn%!nU4c*zaoajU@JE3vZXpXqAqYHV8{z{I?FGy#bAqT$ zF?R?uzTgq8k0?9Ol#tc?jLPG{EZxS055B_t`D-DrZl7o$p*C5nTUFo$W~k!Q8wKe4 z4Pd5>#|i_yGPMM%rQ+~gRmSDj2_kM?D(~0){nTsHdy#Hv^R5#P6Fo~VHflW!h+Q;v zzT$qk(g9O4PA1fEX6#{USENV(nReV)$1X%q)4c46RYu)lft4xcX^YS32i~=0%kGQ? 
zOTCT9$kr{|;9ur;utwNCz>H^%YlaW}{u@j!vF;zOrfpAC0Vd>WB;PxQ(+t<|%Pw~Y z?HTmd48^oHVRt{*mT&?R1M8A*ZI9OsXly8#h$IdO@_5DiTEF9O+1 zyQf+grm)u3pIy9~5<)I3Ue7ZPZFf8gEXQ#6 z#S{FvGxp01twSl6Q&^QI!1PFthBnGBdh3*&p6gt@{`n}n>nWUz7M>?B3Jzlg7a8Pm zcG!?I&yUf{=>Oea@5J*lCNcC>nh;(2e8C^1HbtW22v6kRgOvCq@F}QGyLx}==$$WP z%VV$x-B9KSoN?U4Y;W@taLF3;a2e`z@D25FP{t8BW`V6OZ>Byz8#k78Kbpj}f@Hxs5itBQ zDkjqX8j=@Qhn_DfwNfQW$a;9j|E!$6xBq)+?_{AC@}nvSD}adrBVG=+bqQxo_^^$e z{h=AQv9kNrI0r|Ld8=gBlI>67XpeVquDABJFMBWi(h)HVgV@AdEX{z~h~N|jc??$D-?R)MOe-84eRu=bmMKWy}Mt%&5BV@v4ksdajv*;atL z^Uz&pw?ut$9IQv0^Ol3Z=uY3RW{K0T@!!@9u5#8l9@>Xx4eozj_+8da#!^?0{kIqq z!fIu>(|_oTq^6;5Xr9>)*P_0wJZa3`CI*;^ZUDPRMeVlO+?_(*atrX`?X)c;72+n6 z9LytE4Z|7dI|T8q>!|0{Kkz<4%HGNC7ae~8b2R+FT@gPINmY1hfPnrT|C1{s=l_Q* z;xV8!MJT`$OCTF>+@F9iXghIrM<5_Nl79!VTM@qt;3l?{h?>)HTN5W&eFtM8K_goO zV?v349*&BDMegqQqsBZyK-6RZ@mpNG(1vxx9gL$Jy*?g8tbu3KsJW=;48%Y|ogmQ= z>S?vhJ#@FjHIv~3amCyVLTW)0I7fmaZFTdGg^eNA36k3BlY&9Q2X5%|qsLk=-|=H) z)6q9v#afSN^ck(Qu~edMR$=Dlt!HkpFR!}JkSpJGe{fP=)>YQlR<3*JKM%;IP+ef# zD=tsau~d?ffW8Cb9-9*@+IdKRh?67;dx*O@J1bM|FB6X=7MYssd6+G2BQjkO20B3( zKq!fkf4fm{X~>MGYD4_`D@Ab2B2SKMmVnGZHTm=v?$GyJgwyBLRf-|oH7s>*Jy?>S zs(Wzk`n2mp(QzYFQW^7sA6PN~BFHRCM30TQL(cH6ixOof9F4M0RC>2kmY|U(XKhYQ zYmyRtDm)w~aePjU*S}5^Lx2-HN%-xiTt~H#g8I%r+?IDrf00atJO%WWB%O~qjp?_) zBSdF+C2F!Q7gS8e3SvyBC*bYVH5H5{cAK`zBBuvwfUlzYM>ra%D2MATGrGL?t~zG~ z;d+rHDO@C(R#)h(YN=bELjTwDQl>TuSkpi-!pnJ+P>sVekr^X!n>vZ4-a-$G=5#to z1=vqG_HLI?fCJHH-gdO{WyqV?^FVN*U4Mlj!*h#Z&=|w+Lk^ky+?&FF&i3LWy6SJ$ zIAXCQG?*Jb4_Pv0S2PwPy#jJ(sF3~G{8Lcc6EhF5f~tUfUfatMe%~cZ@2@j@Bo=Fp zvdgOuP%1R`Y7QVo1UmoK1W1g96HTxq3h>82HtgPm}=86AfZkE0neB~l3QN9%}cAuL4VtM<6>R|(w| z9D#aw#b~+y$oyv@^t)3A}RU z=cxT7b)6}4o0*y%x|bsX;EUU8NI?37z31H42ke}!sW&9UMcraq!7!wEpq8XzntX}} z<)_SDFZd#}-o#2C?{S4@GwRj5Ix3B|4Xu(M-8ilho`vWoEpP2QE(((Zj7KRZRH9@P zAmC9Qu}H8Z^s!N*i%RYy>RNm3wB* zw<_kGTXf&0XHlfio4vHPJX7;?5@4w;-@$&$b!rw*ocVlDNifKG7c2{5rU_ehR@FVz!^ps281`GVh~D2LKm zi3G7Wo!|)$QcD_Mkk=s8uHcIGVmHh3u6xYP5I=&@`g$@qG+%Q^Vszy(yeAff8&4Si z><-yns+)g~i37JzJRz;8wS2gL-}ak+ 
zcIheA5A^urdpa@pmf_is)%hlGcJc6_MpvKApU{PM#G;Mr8yM--mR%Q6I%pymarkpS z4U5L{Oz(hZt@Bb?PpHG?u!;M!#yQ+e?fV7g^SSQoH2r#a5l~-D60og7T46!X`pe0- z8LGj%p#l%wR3k@7uqb7ZA&yV6bp>ijw3I9G$BCu|Zu#R<$dEyc-tA?ETW9;oTYvQ;AR#XwtC6z5+VB9Vb zt1bV5GXxy8?5G%0^7$GcFcTG-iKmd|sh5^xjF2mMB^%`XHev`U=NQ?PZOKx3ZpLzvrG^Y#Hka|-8MX9o{3-N&IQD#Q$Mzbz)JJA z7c~CMu4pz955$$JBIhvB z8&kc<7_)Z|_KTza;ia+zzOfrXrm~r*6bqX|sFlLB)*j_a4}KxXkU7bfUxspnP4Lj> zznkpKi2HLN3e1Mf9<>?e4Y(Dko)r23P5AWMQbKo$`*EY6-egPAD~&lwu>FC-&*Wb@ zk|xB`7-v5EP~^`1x$(<+@q>J~2^OQjC}YbX<^`AUeahP1T`nYT4sq{sKsXMn6sYC5 zHnj=36NTgND5-0;{*=gis0rv;YGH#ED#uZ&_?`{jGG_34`4tqxDW+uFyrQ%basjDg z>L#IEucetMXnoV~)!W-F{Z~Ph=I_72w~~{P4*L zyc+MHyYQ%b?@yhBKpLV8TEeS=`4HO$nzr_DEezfhGTpY&_%qt4;PuxmX&cLs@$Xfm zb*%LQGmEYyyuNVD7*@J?smpSjdLo9$TFE9o8#Xg?dIZM zWC++nmC;AxTOWTDTJUoea>xl$i>NV1Au`muXAFNwMrisRgcadPt#qv# z$;=*EFg^Wx331B_;t1>{znZON)GFFXE&V_Z)TmARziNXrG$a=#rL!Jvz*=*^)-4ny z>@6+f-4X7R52q}Jy^iY{hxhgHX_`{q3MP%dYASqSrD;xD!iaa1#l#R33x3uC$D|fo zg_>yT8Zf9R1h&o_k>|L{#)`6Wt683*rm|q`4TRFE-P_|hIUxi*X}|AQ9uoAg$z0wH zb_L4YKbWO**lj0S``z4W7`)(PB(<3iUl->TX)eS${Sf2s((87{)v*{d(^ zlVQ(V1?_^`Nb+?BgG=RuHHa|jMOXa7sLcG zbhYfSu`PI{Ys@q#oIGV1#_0He_4_)sZ90}02d&jnI+qSi_ZEUQKZQB!Vl8rXDjg4*F zHotk^^PW2At9s8LQ&Xv#Np(+8cVG8)cmHk(k8M8(=E~OB5c`|O`GoV=@1T{}H4owL z(w1j-cJa(#Rou^f@9$BEfV99r|0uy`3Seme<3pCI~H()7jUKrRo2kI0nuvM_1BxJ&}tkZGIE=PJUU91|WBf>+L9#FDOxI0-=;!U2c zhI6v`)gx0Wd}?O1OWQEnDO7rG+gpimrcAOt<2!3N)oYAjV0Ir-*vGwHtw6GvO0{SR zS-(-VQogYXeD2|0;&pP(BX)l|>X}UB`8mx}MpWvOI+2(4yl-{PyzK49rg-D_b6ua) zHS!wT1;^Ta{Mx3cLSX<6TC{_}LtM2BAS*SB#3uN<(o8-Y$a)!;=<2QB0z?Jfg@6#bnalE1wpZPArI~}N$Hn? 
zj1qer`E7~0;XPf+^4W52?UUvVul`Sl*skNs((^6csLw1Q3u3#iT@~EH;LlnI@o-l+ z0a508NG`EmI41G+JX*fpW-~q?zwYj?4{;bM_*}a4@ihpP!g3e11NOkBdQn8Gr;SjC z=y#zumu;^4A#~ICPxwz7-Iysp?NHU+CEP$Y8D%sUJ1|Q{&mVhWkiF#$j%>XIPdr9% zvO4whqI<$0^!PdkR>q&vZxwy88SHJr_`NIcL_r(WLM~!l9Jn_=&cXK!W+Pd7A?5s> z)odV|PwTIX>^r*=TjA%9eng77oGRltVdrC*($j%w58qPD`=44uZ3JIw?VgL^HT^Z~ z;k}`^r2-J|ev=%@L ze2w+dX3~f3Rg6toX3$!Cb-*&~wB;K?Uh1JX)(uN-sZVIb4-U&+)Uqa8Gf;W7R7K3_ zBK-D3`2|6*4q$Jnc&3Zp0A$_*_MG`X;a-AAb>c|9aVg9Fg$<>B`^?p#Zfr)rnvfF! zR#5-Xl`$a`7o4m(jWU+Zi)7b7;#P}EAd}~XbZEglEdD=U)nE4JyKYX86nVIA2u<*p zE(MB*cIn4>IokwQ>D@yOfYUrCUI$9uw`)~o7S2*=yx0H{>3QB4e7x_8-MWj<^>#*(N!ymbwo>lCi&Zrat#%?W78(Wh&+<%~qzEf0$o_w)PYdw9 ztI;UG8VwY|i@}cm!eH{uX4geBZ=6iGf&g5zQj2MxJNUt-Ql!=r=wp_S0-aW;Xa zN;jChTd@qi{R9y<>j?c>Z(J|mnceNe^zvTe8MeK&XEG85*UB7Ofu29LF_V8t-b}sq~YSo27k9`$H$W4}02cGGdbv%$f6{4Kc zGS>?|>(_W?aemlo8Za&UCe^N{n<{U>g99XsTPUMY9rC?ztFSz8y6@dU+uYxYc-WmV z^j%;7>4v(??;GvRd?F7dJ#WDzDCRGo3*`f^=DrJ5#x|9JYdVp;%4-m_ zy9Z!*0^?XqBGv+wVQyuK*c{}RwCysZA9B5`g>3Nq+Ele}T|Xs9K^myoM#8!{7%<`ArLbH7`Yk(W%uxhFABm+m#!0ol7O>ZM^#-7{ZGD z%x)9O%C8=2>1rK5!{|AciRAuacEtXsX+B|I)l2BP^tsS|ygF~21rJ|d1dJd{h^sWg zs2^MyV0DtcMBcpu)!v%)2N<&wJFG1pZ&djR9Ih$Cgf`U+MTdM4Ju!_YFa9Rb#cCpu z{#er#5J1t$tKsM-dsS1&>*$9#zVe-aXEbPdk1Am?RfhF_KG<~{!88g3{gVB&Ou|CG zv-fqNz*lYxNcV(*RddlLEh57&3P)P{^dC1=3UbW>7u&@AE$~lDjQmVYIqi2p8F>Z` z_st}2J4#Z## zxFq|cp?}0~w@KpEU9z&t@kd~cLG$Dkv)eHzHc1S8HLHOsst_ArWo;SjV@9^MfLEM{ zrgEsvZ2m4#?G;3tk~*Kdyo~7Czqc}auUfqs94GGGFqT}J9tOj56 zL8Cwol)9RUy1gDV1UGp*o(X6$s&K=atP^Z0GQ@K9*V1%o&<&yceD&sObBN&i&2Z(3 z4ZI`7{cI$oV(F9YI}$>eChnEf_p4~Mb_CoTz2fZ~Q&EeF4fHR)DqoAzgV%ycqOB#d ztvMp>Q3Wg80yhj`(IE$AMN88N7x)?Agi7HD@PT!Qs09kE++!p)@!DI`R+^`3m~O&W z1<`-<2tZ5)!QSaK)Dkr;+l4t zxc(~&Lo2D`Hj&VThPw)l0f`f#sz}77@73>cZs`I!y@i2)V>Br;&>6v*d6e3T)!Wrq zt55Y==bZWL-0vgxT;}X!_~79p(DLi>W$T~JmVVQ}24jHr1_=G!rR~>_+9tu8lsaqs zLdvzoI<4{ycXW6p2;YUeDfE;nR$GG}oHIQFr5Ed(sz$Co6#ZF8X2J9sBv`FxLFlgg zD$E`a&hfxh*fY7@76f@oNxF+;WpB~e2Ojm%P}%m34_4#4V`DK1-uEw!nDwF^U#VA- 
zm(}d}yl>Qp>aK1ghpsj_I=bNl#7M1byRhf&ZMbu8y9jsub%r2kVmJQ!h4B>hK8UJ# zNHh?_NiI&ZA4@!$rKbqkHv&;`7MA{vCCxem?!S-yl)YN_hdoG3k!l1IE)*tg2uhBTWc>Olwog#y0Y$LfBKG+k@Md4hFav#Z~bCSE~0QsAt1Fs%X>;m zb)rB)8G13kL`#|}5om&;hi6#p4N}E3Ep~!I77Ml{aZ-cNDCAThK{m>YBI+0;VGsNr zKT*nu#nEJ=AFw3eqOlE1apxtD-OTK~Q%;l2Q7#B|C7c;)Ysp6iU_l>lHILT_K@sTO zN!5ac2Pd zu_KAc+X_K9oQg#NqL*2~n&>LbFAE zi=$7v(ft@c(S_p%quSNrCsh094lRVIYn!?8wc~l{=6eT88zEWEr_LCHzUS$wHQSvXJP9U(3}Zb2vC7$ z;8*W0qI;2Vsd3Ia70c$=d2Fy!kbzJWIFbX5GhA;%w{x&qk-Ya)=knGx{RQ>Vjop2F z<7LcsTDK85en>=PR#Ig!Oo$x-6Rc?HWNgPjC(JIhhftU5;T5IrWB>b93S~&~@b`&w zJRQq*Zf#$HQe|$h3gVho9(RPz0X)@!P*_z6D+UAy{6JqWF_~kxTnq%sUY|A+#f#ip zrOu9|d$c*=@-jFH`|rMt5enB-~i9G2)@*Gs`#N6yl%H7v}r zLI|c;WQjd-z;m8o6lHG8_#GKCDDu}{gDQni6d^~MsY>V*_khX_7n%ZA5ro3^)c=so zQAbbveT}Ct1%#bl)|W!y2;E&`hd{}&whHM@_h~uCW5ryahm*879m~UIs9MGUNo5ToPsI_t z_vYlg$%QySmgf(+eLK9I?x!G3_oe1B*sj2j3x)S47hCc&e?&E1nt2$s5FPpLd#oMv zT7kvlec5~7wB7dGS}F>Gv`iQk`F)L76e&#quYVma06I0!O&FTNMG!hX%~v@2JL5I} zS_qQdkJj@lZhhzThhI_lz%eoMx3eDRLJ8>W2r~10_dpMM1Y+aGoMrFC2|cwv7v#Fp z#w#4bVL%7;jPQmheCL{g{##bgb2+Ege|0*Q+-Z39?0ETCFS?EL)Ubiyc>xP2)T z3o+*}oC%>roXdM)7GtMmS?Hp!;PNjgv!1sKo^k%wD>0)9yJ_!)^;)W6dT$#}$i{!Z zYMCVHK3w*nf?v0yBY2r#RZ#8vys4Wu^3qzz*r@kbQciVBwEl zyqC{PvmZ5Hr%GB++8Z6~pEnzNODV#;LYET=7XLMVGD!@uDTyD>lc13`g4&HsB*ZMu z=l3Qz^V@GgbqnhB1^9)-*{KG8^n?Fz>4C4)6iU&@W}dv*@BfTYG~A$z)cEz*;d=>M zutJUio^H!^QnSmg@2c)Z>(s}N-*MkUx!La7d7evW`2Ajv*0YNbxIQer>3n_s+3?5a zf49JZZm}W#o3c&`E)!J%`||}KFL2K)kLB$3G@ohycLT0T?Q(;Xez|=@a-r;g_&|mg zF{Ifr(qi=h=c(OEs?B@jFIK+Y!L%-a;m-$d!qbH+qcZpZH3A2Thq3FwvAWku{caJp zCc~rQ8repAvx15m?UiExC~YB+ya)$2C=wzgesjw;WU|8HpH8h$hhtCa{RVwQ{`y3C zncSy$uQL6(8qUd!kQ5eHdXKT4`vr>$sqZ7z|9H$F;EwQdt#-eYvn;USiu7f4BGKkj zr>km-3iX!)9Xg6mJXj1#8>7(B4VkWjR1cR%49JV`raF3yQ|527o&Sc0yzajuo*lRO z(N?-Ib*%j5oc_j^_9bXH7r^G17`pCDu-!#XW8@IK2^~rXfGaJ#oZkEAqF|1R1 z%}K<164F|x3?EQ^;~TR3|A8K0U_n*uUr_-Q;-hhTBufspp!j+J)?QVuR{S zVX1x)raY8Hd?rDG{MpAYhfPJCjAs8?$+*y7-`yd0Ql4jRp5tU`AN_r6dv30TKm#9n 
z&R$0$<~&T6qM?aE+|&ATfAEAZ&z$DvxBJcQrDkmtiWY_5%#k46thS|{W0yC^Q1m$w z7&a6(I$sr8>Cme}txi&qJ9o2NFaKI2E3TpHlBbg&bcTVfCfTy0SAf)if)%y-KOjOB zh5&_L4TVbgyk&wzeXQeDEqnk#eN zquJegXC3I9^_Xz-n?!9I?$~kO!1rOO{j8t1Jhrra7K_0RdW{hFZaRLuHrT4rX~5x( zJMWQM1!=(D?Y1gKk26M15YU-G$jtGCPpsVU45V@pB&Zfi zU!9J9E-!wDHP@?L-&vJ%ZA`}?8sNWotc>rQ+zrz2_EC=$o}ab|6Tn?_PM_E1-8O6q*_K+H`~UP~EnH1LH6`l{)Re{l zu|a1VtscHON%a|*#l*{pZ7aH*5@-xIHR`ucrDIwBV_Nr6gxkU;p9-wCAgI5eikD5D zQqd{*9|1?b=?PIRF1G4-7^Ub~*(K~80Da-tz&o!>MZ%WW_2$~&__W2RM9jg!HYPO` zXWulEunFmY-itfmK3){mwmd|d;mMTOtiYizWVmyydKCzSqt=OrS6;kvU#{B+u)a(Z zqrtX!^*O(bK-V#{=^KX&66T^Z10F|J{q1nOW_b=HG%y`9L2AfxP?f3opgh>k!zx2i zlLo0&^H0;(=2&Rt2^^NEcWLHDM2K++kB#&Lg6j z1RXN@lQq97|7HUYZ2!DGYKY|_04ghgn2V)Jt zo^j-+4wW=>GFR^r`#=(w))5E6+1C*{HPE#Nt`7*)=$c(swYw_9$jSP z9zYzhtyFMdoP)ro4s=vEU=9agtR3d5^4cuHplnn`Pn1wr@ zv~r)aAskQ#KyfN#)?XTZlP%fIUhx;R_%o9h~V>M z+w9e%WwLbEu(6p)!1~UD*1n5u`)I_{h9!mg7~OkFBLvQh%iRf$mC>T3FQbSs2VX_b z{+e=8fFb+Ko+X)H7pq?nI-3sBz{tu)<;DqHs2xsXzX!31HaGhE_*5XGEXfv1@J>+l zjFh9z>hE6_{Y~U89ca~1Mee|^Jc0yCu{Pi+xo?mfuWf)fjVv>j@%GS#7wNc%1s?Nv zD&^;>&|4mDux2mK5bcHE+lXm#gFSOtAHhr-B*wu%Q+}uT-L)66Xi=NJ18p$4{Ls&B zcmQ>Lx`*w4_Du%!<$1YDS}_1(Ys|T1GdctU$22JZ>4DY4jrM`NpHmQS4`yJOgn-zu znre3m0_xq5F*z&oCa7UO$h?ntey+?)Q{inh=U+AwThIh-wFDFl#E#R=kJy&*GN5tP z+XfZef()wjVS+BIMtOVHMwZ3O*w9C>IVzjC_xwC8>K{dwzoa`>;_7ucQkH~d(FV6aqnC+h0vuar3Yi4mP4Z!G6vkPJ!Bde=4gH?n?E zYn||?ZL_2qLsfFnSyK`ca1JaX?|7NsO#6~CO65_9goZI-JO2v5SpRHjOa48o^T4J7 z|1{R|Dx^5gU(=Y9G@(h?RVQ29CLhhlJc6?$obqMwk0dA^pS)VHoj+Q_+pVg-bmi+{ z-O21qS%i6k>EVl*3LlM-R=3WN^ZRov_PQQ$9abyB2Bs$kV?k<8Y z>IC|{1-jKfRe)l}$OT74j239SF*>({Hf+pczarD?IpJsJp)iivTzd*z$+GN0Tlv{% zkDPLti&Mp`mBdYH9Q0f@kz%(Gr@A1;zq8SwK)Su1<@dK`!#sIov~hFwj%9L}0^AF) zh9||W5wjc-E+N!xb%dj8bk17}rQ2x_r1h&cNZ0+(o7aHxPzm`?kZVNWr4>?`ZO?*1 zoh)cW5ng69mUT0cG%6s57hB~|(|$wkA$hS`)=`Q!fAEYCd|IBd)pfa*K|@zt{d&&N z*x&mz?yg+tTIy-)K7i~-{S~tj6r~-89@+cQ_CvOCPAJQ z#B&dvWoq+I!|J3LkdtKcKLVgfw0iHUDOCC1Np6Qm^yrhc^PpBM|G0tI5y3ohi`*wh}(DY?N zAnnsT}| 
z`&?B>MoF@vb+mX|cSV5OwZZZpFwBoW6M`T^nH04d4{c5F&DOs~=SmkbPj-rvI+ zX{hz~FJ>&Sd}_UjY2HngADT`x^6`o3lpZ<1bdLLxb!bEXK2>@^b(*7)s6tjTr;)PA z54JyfY8!4A%}l@d3^!Ba@n9;sh%aaZBKvgFrPKN+$f0OB9;#8yZ8LSlNraT6#&v8d zK+FJ~ZJ}TV-f#jZ2Tk@7AJinfVc0!a7vTF{Ww1eQqSsWL}J zqs~)!bzSLGY?P#gZ+x2~_bVwzv`~>ya{4|gD9FbB(n2{2C@7s^E3Jno(JfIIU3@9- z{=QH)<5BX+b6c}XlLLmT-|g0NOxv{qA%&mbX_oI*O^ z36aCh*Nh{m|E~QaA&9rOMAy3ZM$B|=RGNdUV^oyVWCy>+Vp$Ozq9tGxrFw*zQm9>r zJeCvfRWBNRbS34s{Z321q(!~a;PkS3s2*^JJ*IDs@H8WZS?WCX(-u*s%+;g!%uj^% z%(QPgKUKnaU2u|yvhOgTmJaJuxj|w`oJ0E8X@uSoYLkEOTL6G~@Q4y!&$h>dVe`Eh z1fU5PL5P!`H9&^hT)3jW3R{3`z^ zmA^Q!3p3gpHH1F_VdVn-=Oj}8f!kq7RLhKH;O&Q8b8ZdNF!hb&{+3brMR3-Ib_qi> zGy+Bs3@z&+pKsW;L#iSWhaR^jTcITT4>7V67s3t&KJ_S+8{4zS_nHkLQocGyN%Z{O(vLREgUch?TiuR|pzLoEbZOS)uFNjCo zXH^V|N*nO#@BiKTnoJN@aq&J0kVu%IhMjt4LXeI-sP*8hwf~S-{~z6f8?mf! zrvm}`&*OjU4%h#qJHx=182%T@Ri)!O@jvbQzeuihZvUI)ikPatn09?$gbxt}Gq?g1 z9a#oT0~2dX4#5%MS0X>^3SlaC&#@!F(5WM2phSF^XG>Cq``86*y@XcetFYE6^ODIL z90Jcq_CrDl5(5L41V;!X2@3Dz&9g_Z!}VBq(Ji;4-M#W`sk?qm@A#@?TIl<;=N+Ku z_r%)=@BIXSQV7!;ByvMtldG+RO~7h82-sd~D^zw*a=bfiU~;q>pc?LSw1jLBo9T4mihr{H zX!S=?slsu!-l9k}tKcbp#(k8`^}9q`4j_5N_$VE!*Tm*0a) zyVe-U+R!revRH4nHyQ5qx^Eri?f0d8>BIk-l>GMgR&CJX5-gApM2wWCr%)@oV6vCR z>p65>a<#Ci3R1zyr1IUDJEy`S*Erl)2Jqd_6eVqUNkL+AddPEnCZRNW-kS2^(FU0h zR{cw%MklSPtaKI*8^n<#3ixoYMspdC!}r*a<5tY(h+6M?JEQleWb!-a-+q0VS3*6y zuODY}{iQLA;$9HXg5WL6)4^wgpGy)HE!H8<0V-ypFHO=A&+Inv7-WVhD>YL!)3$SG z^s$E>>*K@%;r(`6TB?{U$FWC$7XpPCOojqeO|gkI&?-mDK&tQDUpk4Shl8u$Cj%pG zfL6^zb3kxd3wI>DT`FCOGP+Z$$k+YH%2Hhs$H;kGFcUvZFUOpts4P1hFMPmi3SdI> zVX) z@^v>e3laV7=z;%M6$#1a?Zq68+PfMCa0pOL@Fc* z+(phjcfVh)1K}nbS_YEXw7DeE13cE*NtAQ|c(6aI$$WoN7aK=%AOD?WiUylqZL|$m zIQrk`Af(|K$QEAe9vir+dgkJ{ZR#inNC!GYksfP!YwzXX)3HYR&s$~=a&3L#wA|8> zK;39;zql02NIehlJKM4r?CG>gzH#1nvlT5>I2ocQrs>7kyxCi-&;@YKh6&zJu!p8! 
z2YkQ3R!VXn;|F;bSSMGXbP_2Nys>+9cjXy<7An_Clz%ju z^*5{2`$unW3|LPmYtehO?#iFkS?%br_#QwiR(>?@SM?>>_b)Buz9-XWR-g4)njr+9 zw+^&urPcl2#oXF6^AxQ#FTDiRl1@%pTY3u!4$j8ZF0JBb+f+K$k<@A(x$?P316JL< zJ_!@?d)c3fQI2fLxz7@E6UQO!I&|)ahCdgX6c>u6_)$ZmSunvfy#VG?Qiz4S+SZYo z(}Tg)%->@ShL-1SRvBI=3Kw?PGE;umgrfEO6!ydH1u4lS6ueeIm=96Tu8xmj*(gWC zbqsTN;zHXJvdalm=Z%rG7uBfQVhwSlj<6uVdS5656{#Z zs1DN)<Bqn6>Yp8pe9e2Us4l|U3Hf3ZQ^j^>{f5pW|uXG4LX8zNuR z{Z?Vl!cL2fD@1uGOPAjfkqZ(@soa+ZARkUqeM-sy2xWl1qp~B<M z^(YIo5@o|H%xUMgO_YEnMA#Pne)YHWWS0Q{SjvQiC@33b!^62T9Jm{W1{Qea_Cnt! zQ|?LLtj8{*4eiHiBK183%#LTmvg{|55xwt(WtHflCm>TX3OXAUkdLC`S!Jjux7Bjr zSg*6Y%isgQ@%`9&L8<}b_NsLlSP8?TH($1I7Q5W-_pUv0-9}g)yxz|CC%;AMzJ(0A z%DIV-TuxNbFaeo>r{J#(r0)yIWo~co5?_%&Kbszc%o689api{2&VF%aiY>7ILp6kS zOo&4L962&%1l3)h z+Qez^I#%P;LpEeoH${Uu1euQ+l(D%Izf-B96T7}LdOn7fdHb(>zPsmfCdkpZmp~+Z zF$)e*K>Juu4F}|6BqyBU40T-xcAbFxdrjAqE*3w@d_wkb(ttn8kSyNIHQqP>5i)#-V zAOY(N?hGYwaf2z`XM=VQ=&$F$1OnL-&EL&uv(#(mWpqW+3&MDa!T>Vpd~PQ*ZLU_c z!;}QfaI;T`8AfYk&ljuWq|He|qfy4eVs}`gBHi`rOv0qeATScf!MaSVmy)Cn^Va1~ z@Sw5St!0sD$68b6<2wH#rCM{y?UC}?05iJ=;Z`K>3C3-#4f%ZAK9jle)5F2gNXvVk z>#l&C14JAa5Qa#@9VR0iQbuSVO}Rpd&Q@&4e<@?ZD^vbKhejkchqcl)qnD~;24#?b zACvcpq^e;iAYjeoNghk|pGo!<**0Pp7L=6gpdNLI!}l_gP^DZ^Bbk%YOk6On=>4ld z3P?Q(!^lJ)f(;GY-TGWcqoFF~e|Q~M5LS9hcp;%eiBF|;!({=&1faAPyEaU(omSgp zQ)YgN*Yi6^s0PXaj0pmLNIK#mQEq(Ix^3pEYRTJY6o>Wh(qR2SM#$+0kk+P2_hDrb zGN?$SuqB1_Cm4pHkMn%0859TaFYUZy`j2xxi28c5_BV7KE0Xjnqe&7@@Gysz!5X4PoI)g?TpeEjR##|dCQ@Znu$TGRS8KWssr_Sl-}U>d6VJFbJ3(4 zoe0(D#{#W>LCAHD6Uwccl?Q=C^W{qW32dNwYD518^7Y&z(aHv)0rvu|Bxx@SEGQ;O z$F3m}6q)~&2jYVne;bnlfMY*O5#J2PA(1qhwySw|5>Xk71sn71S5cQZH${=zWU#@(jaM?EZr1_<#g zy^YO}CaFhiq}F0`0HmyRao<4i!&{h66;t{22nY3i6}YLdhhISCZqs(z58X`ejwVhb zUL>@^_Nw$+RK?mR8NooT`?*fhFK_=esKUkpH6CSE?dLGlBNZ-en_3RIO=OKCH#xZ< zF(cplTi`?9C{NAYJZ}-nPgW?2Q}*(M$a2YFV?p8q9R4=TxF+%RV2W;$h$R4MBk&`1zmA5O@t(b z7!{+gUb0s}{OBPZ@=q$A9!Jw|IE)O@b{1mKa$PE^DV=3BP*-8lrm;(i&|1KxMrV-~ zq_RoM9U=fDB3!T%Qz@7OzwXo|Ou7SdV7w&cVmZqp$>06kIm`$_MecPdMRE@56W=I_ 
zr(em^I`uAv8-6?8SOgoKt`qyiGDwQH$E&gSG78#MuDrj!H=>EY#P?*OpG%fjL;K@X zvjb`R^Jv!8Izg)3^d`8*PFe1CEEm#I!Lq#Y{&+h7ZFzqP+sHf#c)Lv``_pw=a72!; z9FL}$Ol9idSQ>ppwWK2h3>a=PJA+QW`AmUmeF{RJVUPdk!M~JT`pwok5Sk{t)q4J` z)*>LOu$o4la*KrI6d{Q*roK2e6eZmfpVx)rLATBnl5&4I?tHza=AQoiZX$=<5xB}S zWUHyEfy0xIoh??HAi$Gsx{NadLmM+jN+fe_+~WvfZl1oTlPrdXREakxO4M}l?Ch)z z4A&Fk^6dN^b)P9+Ih(~K_--11t5G%PM>&hFfFgirc8~SU%6sD(^TijjpsZc2qePbayzC-$U(`Y9A$pHRq`hr8YrO>iv)S!nc5rv8Q2)=9LF z|GLxl;bd0dbhEt9Y@}Waqoo#r##TQ^;CyZ+{JvVIQj{nP%eQ-&$!gXbQ-W2V+OCjY z!1gNs-ytR4FKeIb0oOff(rD5p;GV719hb(a!;r{?Hg7R2`X<+bJD3dYPqC&7S*}gK zke{)_+1gkL=JK(yS}E ztT17@&-4pwIQB#`uvu4DfT?!M!xMDL4(=!RCf0uGl8LFLNgJUcMBakCI;_l$mLamF zo@@<=(OI#qZ2*)REflL`=Pi^tF;cparSb$xc$yyWB!hNspqQd|5cOrf{QR2zR&d3WN`k!98eeCX`yK$c&oE-F>n& zw3<-T$)R;lhY11K(~VKYgs4&?hAqy|`CoJ7572T@NK)k$2hNaik@8GbFoiz(?_m!C zBYtPRtTM5o5RnMY=UhAgeV`=}srrr=U25=C)&%8bmUV}%v`@T%O)&LVyBw&$5Cpu-%Sml0CRDRuTG2VScU_mc~Porn8bE~yOnU; zP!wc?&nI+TGmR|-hnxjs?$*kGED?+FahO)|a-iz|Vs-BPd|ICf=$E1rt1IamAI>u% zbT<)aDi5p5k&A~~<;miL_Nk?_B@jt2k73+$Xvv^kLFR^EXS0tf@6>~*4<9gTHYa2? 
zgH){PQa#fJ{K^i7kjug7Y>{*pOu_-@vOYOq%9%S}l*vWqlz4w!p)yQZF@YR9 z&*@rIrL{PSN3>X@^FPfg^f1ts5D+N&I9VQwMH(o1cW5MnorC*nVc`7cZxd0V6&H5> zgNg!?8LPCExM}!D4k$~|k5=P;qEb5DQ?1VeCB>8A%)C0jH0-DZa~_unw5?M{&4DHA zN{}Nks!A1M?%rdZ;#DRiEF&mJNp_UswT6QP)sicNZ`y%OsqVPq%ezoF!3hkUKb-PT ziIr&J06qLKHIaAwztu$CyS?o#w`}CbR)>e9I_xok=O%6SAutdj0TdR=!SW&JWUHx%54q)t1wS?1i%YgXjL z6-^!PpG5t-ynFd-yt?z2*Rd>n$&;q?7;)Xn%SIva_!HSNPxf zR@|jM&9mhB5DD=y@PT!sAxLNw8Fd`KXy*wdg(LmKutUwJF!{)!OaE^<5!~$-Tnpz= za;XN;NTiaWZ_SMeRnPz6Z6(PDR-Ic_fVOSNd6!fOho93xeLZ9%5`sbzQ2mco5_phZ z3l$j@Mh~0_y95paN4caqj2HyMUUf>CDG1_jib~Po8dl{_R*)5hii7Mr-(F*{%r%s9 zd7at|<4IKW60yL&r6onyv&Ich*bGZMFOl??`z`2gY)z~bdT+`4MfDQW1#t@WrNBkYXB0Q`Ha>Sgh^70){zTs$LsnB%ocE?l3jL|`HzO9`9r zNa{b{Z}dFA*?I``b2gaS3_6=+Cus7vL!%)`OVrcj17#sR-y@iV&g7N}HYcJ6}fZM@;HH@oeNKausc>mfZR;8wg`VWnwuVL4goyS zr?LD_EwHzXIqJtJ#xGL(JnyTh+38(lu&d2OCAmkB@PqeO&Pjs8WP*awjwNT8liaQr zW_S0lI0b5o94`Ac@&o}eWH!naYqMOErCU^~GnIB2K>Tn&LpX=?-e9AB?f+!Nw#781 zYD>gC#%b$Dac*kw#Wl%U6!vAYTQM25rxpyY>FXP`I_*y7^4r?lmJ|aa%Tu)rm0C4# zZ{F$5;>nahbmn66&h;upQTx-_!}5gZg7St z;pgBZx+`Lh)z$H{3ma{&&b91Mqb%oP*oMY+T)$zQEr1G+1LSGtyo7IE&A=cov*BDI z2P$1$GEjzrU?q64l0c&zHqP8YE?n~nuPivaEZ%IcSa$6;%emL0+_fJQ*Ui`7$Xm$&!`yBj z%exDUznkJbQehAc?iA7D)i(uP)ulF_s{aTtRAjE}Ohp7@&Ekz)$X0^$(pfy_bpM7` z5OsiRfQB;rbk;lu+7(gxC(u$-C5(tKLGU|h*Uk}P_+-PcUao-iiwdNuHTpUQn~$H) zps_B}mo6YHhP|i`(cOZhr)T?k?Cji~TPl?1hq=hs+FlvA%Lb!uzVVv6(tC<&6leRN$lK>Gb^pry&9agPh(q%(4u$Q&}#-I ziw9bp?s*q3^oGDc#?>6?>n}j%^UfEi()~nE133Tqfm)*e&#S5oG5&-NU-B{^jUzr+ zl2b0NU^{xn{Fk?;9A+JGMsPHTdqk-IN07C#mcuB^puzL!-ILLwbFOZGlw=sneWt-@ zVbW_-*z7!w5cyn0M48S0meeniD0RSMpQoe0`>@&v8ViCiJ0bPpT?Dl+TRzvEuess} z5s3K1QZ4n%Rf(zzrcxwWu8(mEC}IqxFsSM;6eO}2q*Q{pgXqBgMJEO@AR`RQ^FE{P z{u37E%TS7dDf@tyhf1YFPx&SuaBiGTvbwTzlFIA-K;tia4u&2ivv9dx^6O&7`MjzH zO&ur?#m35TL=}QnpSJ^qZ=+}^!ysy@^L^3&0Wa}G12wK*7S|urCCfJSkEeDIX+JObZV!u3fP5{;aYl zoE|3wLtU3ciwqH1huX>(SwSq^*SbD2ce4b7cMNEPuFuSf@C_uAiYto+yJ%>n(Vx6% zz$&>PPvrugu3mWIX`)oHI%Ad-IUjNrE&lFUyWaz3#|C@R?8l0pPzL6mjtM2e0x>_& 
zkIR3TlG`V)qmGstVnTtUrITR6TyOUfGpnnsw?fL324vK`KK!~|ql_w;B8n4I`E3vb zZBh=DT!COMLazttEju*yg0W;y!uu&tm+KuXPNup1!eqrwQBB+@{pOxb{SRt?qeVs5 z8myH5WcAe|%FUktr%K9$n~kkjkUGT4X}iaDo{E17YV1TGKC5Y{ELq7e0(6nCMp-cm zi(8k1!|DAkL&9%$S(CEiqtHNAI_j5)BMJy@G*Q};zfR~u$}(CQztEKyCD}r>9DU(_ zWsxYO&i!Mw*!x+N{jcT^?nmTKnue~@EU7V@tAxJe&OUeE@+(wSEKF$E4`GH6gkS<_Ipd4puzO(5Nh|8Jfpe*+O)vR6sv?D8%d{l3}^V; zBqXU7Q4`!H80J5-zsAQ#zO6oPc128WCZn@E?0EpGd%nQbW6OricrvBDF^+tSf$!~5 zk#s^HFlA>;9FNbfh&5`~hNB~viDrtgrIgDzq%}pYl=pF3nlE>gQgiaRrsntwNCf*G zhZ1SYFS6yiA4e`7{}AUW*GMW>4qFEaiUn?ZN|!?Z*7uYW63+RR(UEiX!6i#%10Q0l|7 zI9Z%6l+TwceZTA{z>2AkQnSXQ30cq#$NARJ=m29_VEF=4Fki9(wi@f59f&Vn-4atT zNfI>nJRb*l-|2}m0895?w@)oCTML);_{sGjN~H9SQ2JUpIao+UmN6Z0*z}qRg-c_1Ga@jZFsFNeS{~ zMbfti6FBpp29dcEZun6ETLbW1-e{^s+2 zVHt0EK3k;6i>t@sqt>@rU4n$i>ZMR@1ukn_!DPM`*22cUAirA5tEvv^TVe_MpMdTM zLqLpwg;b7PfI0;mkobSHT$A5zhsVdNWcuH`y%xZ0`yq~5=~tO9@F(QxYo@qh$tCdo zxDzZ8+zIaP z?ry=|-QC^Y-QC@tetqse_velGK41)*y{oEw_o!8C&bj7lGgo8IZ<#ryg$1@x0OoY2 z5SqAYjMqO_orIUhs*b$3jC?;swpA$53$@;Dm8q4!9e=2oeY#z$OktL5eW){aPx#HJ+W z1Q~izn#CYFcSZ6MLM6-Nb|feWvIt%clErBJ`MhrGT&RCAn$Wt;4FsX8t7vq4AXTiM zu%WS%2_LEetyAHChuvc=g8-np9N}OxM3xK>&|ywKi@`xL zV|?*wf&uQzd7SVTrj`Q`yVjiwqPi(oM4|{xp_8SuK#+IF*;7|kOf(|$n<7l)Po{663qV6~Qf}?cN-;VPSSiKA0eFr; zEIXgg_LmLp9vDeb#sT5qqv^2v)GAy8QXZiGB)0=W77ml?KUB0F6SSZtnAe)DllW1b z&K4&y+LR=spr=&?=m_3E-k#1Wjth*jXt04o7y>-%VN-;Z-oN@>LZ z8xbyFrxPdU94LgMDsO-n*b^ep*18*O%fR^S`oP~CJQE7-W7)Ovi7QlJS?fa?h_*p= z1jDynnsuzZ_B+FY(L`w(D7whD zrs56TY~0263PwJFoF`jbyM(+?@6nxrDwv3^Ogf`LPE)u@ls{1sh*Oa>@`7K%dx=3p z_%9R~BVT;8u~X7#ZiAdZxUjfcumcI zVtu^@KVmK=!<*f}9v$A$W@STPBt&WNZizVEc9h+E9v$A=WL2U*K$tv`my*s?Y-wI? 
zb2?QWngv zp{z){afBtQIlz>({=sl@Ko~A(_U};{9;Kvz@~i{jH0XXIVp?C%N$a!q`O?-=46xcr z!XH4HIX0A0406jRYCvrF=QKwWb%8YTopdEIzjB~(&h6_+ z7F;&K+npP7+8;`<(Eb%RFwo~fbUIb9H$h>3BtKG~(5&UqH?lqiMTTqYUWgx;T}M}+ z`Xl9QpH9j1d}qL4I}+6 zdC{X3Euf>A(G>lPojhVAoB`HGzU9`W(;J#B4>9aj$CLJB-B_2qdYSI>U-PIe6TEfc zTH|yZZsTnlCeR3YsdLq7A76diKQc%Sd^V>(GVfHwxIObI0fDNreL)CPtG`h<@wgmJ zKplZRR`E_Z+Bh^iI-WM&e_b`Wxa-2iD{}7?S*DEwi*>vWv!vt^+&>SNK0ObzIyv4~ z^QB}bll$U`6vyUvrb2tC1GS_TI64fGjMxV;GHYgP|BSMiTVORCPZ6|n@T^@xqZQ;| z<)MwoNx?6mrXv#mcpZ9uz~@e1BN0XPz9Bz9@sw~b>TSSnoN2vlb7C(ihpP#pT{ATP zZ7XO+{5U*W08$MZGP7i zj9umaeZuET)5a@l1kJ0v`K{IW!%fSBm`rLGe#%9NZ>3{P?U(aP!5s(mpUUK!+}Js< zkB4-yIZ%tN^UjDtZ_t@oMbkDAzVZjBaq%Vi!C{&;g~JVjxbEr2%bg%*YR*^?{hDDv z?@7*yN%KQt&M#hB9%k2VC6&&H#)p7qsQS07xFP(PTUs%7HAOQQDKgB53u*9YR{cSE zNQpl;8&_UQMBt|9VB9JvC(E&}52p*xo32Ieoj2yay@7CqF56(*NEuCA4s$a6pEuFK z>tO!&NA)@us+_AdHuJ@|t1d>>EpOn52}^&6W6h#539{**!78JLj?b$y5hU=_ttKR4 zT9U;0>%^yMAP+8B0B~swxMaW96lbRmL&<*+heleL8T!56uEm<#5TI#08h^i^NSt8( zVne5tE<%k~=0Lj2Y+LU<5n;yV@BAl8T*fxTPlX`ru`)rD`l^~CE7ie8o3HaRx8Pj3 zEdCa7d|M*iL{3Af6nX`-|W$%V52S=?VllFVFX0V$O|Me1=L_yTzP8bs!M-|Px~jQU zQQ?-v(?~YO*Z=MTk=;_OzM{tMVkNou5+}I%aT=0a!J-R(e?aI)uHDZQT(nsPe#xy+ z(M76t?2t zQ>`^g4+A3=6z)*`j%1mr-k--*sY-qm5P+aTweBGqscd>~?xUW%Uwv9v4kJQuUk++m z@Gv0RD?3k6zkksF(%9@c35BIMQ3&x@a`}YQPw5#w_7W(C8o%VK3`G?@8dOA%%D3IPu_>0{Sp|R1PQhYZolSp+e32dTfa3?9t@_ zj&#vve8QT2FW;;ej537j$D~3Jvx#?v8_M|APnb|N`(D7{H{MP6M&N3O zyVJvc#u*eR@e`<#_+>nF8P#%l*PV-mjTSTbW?zq-RP-ZJ!f>ZGgi8ase!Vcx1a;{p zT?ZDh=t}k)d4Sju%4L05-o$Iq-XWg!bPZXQ@;t+MRZFPl{yPacy+r>VonEr+0L;Wy za4icJ1>fTs?@(hD5|AO6Df9shANk*}-oJ=%bO^tOlZ7^N#K{p5pZd~cI;Lhh%%q!` z)NP^R_3qg@@2*Jk{0t4z|Gr zbi_3IB-H8w%4%;wtKcQawvEe*wTsQmJFm+lug#}+W7o;2_NULyqx8GXCcl~6w<#=k z#hgfJWH1r|@Q^PkRBV8Tb^<&{&x_;Z5L6lgH%5d~c{9V`gCaivUgIO#=4ss-v)O*} z5ekb!1o-bi=o_e#V3y&pyAz!3Xqu7B>$ zPpbTPW+DJHxxg%~!n)$O|BV`}-3s~dbi^SXbz9I@_Uu<$Rv?HU(VwE_#t2skaM6S8lO8aK73c@h3O<`p+cUAb}+Y zZL$V?>F>J4)}Yt5^(N{OP~LFm{TfdhT)vvTNS&iZy|OaHI47ALDnxdqBQK0yuvDUS 
z_t!iJc1F=4KON1)z|tM49gvPIaY&5}7DPx)RD@aTfKS`{!`7J)x$nXbOAKC@KCUhRFgK%3-Z4YcoiTI648tfYVi!7fq;77iLI3XJ{NVdSpJMzii{aK?`zDlKi@1PEsqqZ=x}0C<}cS z$w#l?Zd^pzA>F|>Iy*T{PMtqIKLVimda6RNsdG09K!-=$0)`DiM!%;%RN%-CbMZl_i%h+JR`Z} z{flNk0`E#8pk2k&6s5NUDTB{sHF{?(8%?;nl^uf+bny)GLFQ{GTqy%~t2f9zy?0P^ zoo1%bS7tA*4K>{cyj+OE*SchUUJBXBt3FFjD%NqWV)@6>@J6U#-e$s~U%L^Twl!M* z{ON%SyjR1YTP^e6vM|$wKhUW2Vv(}D@2=$AiWV9^C#2LtZ1MeD1QQDN9wn^FQU1`1 zYDdaTiUw0Op&63=)9c_g614oDJt1fnlj8&LCqk|$lVOkjX49Xw9yfRj3VR{LP&|fg zY?*xaV1T2^*PZ1N7NlIg*xg<%#y88gNgxyU;E~T(4QP-(n?FG9VOZ|;z(6(xuJq{U zb~`&eA@C9jM(3Pu)SWJqXC#PUIW7Uiw*YyiiszfXqGIl(hkFOn_%}|5&mxF1KL(w+ z0!zh25>%?jd*wL}6BB*ltKsU$a9fzFZLL}>`1BNfG&?u9{gICMq33J!w7F%^dk5xZ zx!iBZ`+maudWTQdI-y@~nGpF;rfz|l-X%KMSBssIC?ZQezp~1p5f^C73fo;+tanfH z{JSO_QT}f7FS?0}h%v?J%@<$++=T6>~cdBYy2kupSR15?6b@D!#SNf=ay~5-F3dyG8cZKhznEf%U)Zno6^oz=g0_qDfzpe0O-4os7KQ2(aVEY0o%8| zvAgz@BY*{!;Ch2CxSkN5mkH22Sk*=c<#27+(WaTHNwkDN0s0$9bLT+n@ctvW1S03; z81D`33Q`;&WUko<+?`0|$Az93M`Y?iiDaOmUF&?sO3_RimZXSayPb)2hk z&{CsGQAw#xE(hRk#i-L67V3%j@Ex*=#o~~KD;F(`{NuZ+bXMlp{mW02KIpEto#Vpi zcNk4B)2)R3?gAYaHBTPu%V$t7lXoMuOu_15ikzgY=`!Dm;zx0F`>syq4X%CSQRJt5 z7Yhr6o+#|aI{96@*U?wyeGs~)ZrTC@fnGI6=mMG!yc;qcNfgxZN8t8WDzALVLwZQ<8RKGcc{wtX5{8HJPB^OC5i_ErXcX_vy3<6n zVhNYn;LxB`p<)DdEf)os@0{Cae*B2}+gRXFgZ^Y5=H~KE)rsFhs=n;*^XX;DQ z^}t;#&8FLhvLsL>2rgR7cP%SjxVPWB{**6MW})(0jAsT~ou5tVjz4C1;Q} zyKuxiH_5)DHZxR@Gr;qR2fU1ft_wd9p4sC-wk zQQ`V;o$TNz!)Sx4!NF>Y7JXjovQDSn#!VdX%l+%Z*b$J`^LZNV>+3^0pW}K?#~P_M z1icm~H!ttrd`jJfhVu=tjYEGm80w!7RL9v)7@iGBwOh+oUIJiYBYyhTbLHil@>mRogg8Ld)e@^a&v~>+n!TP*gqw#k)9`;^*%f(X1^L^h{mVqq;8b+Hx}4$etfm3~tH6 z5qMkmfq7yHG{>OEXLY|V^+#Cp&>^7v`Q%R+sj^r!&zsxE0Wk7;3KhJ88*-!H7&5m+ zLt$jIYz}&VxW=UR;_DF-uM>xl$d9ZQmi5#@Z;a7Ux~g9{X1Z2jlg`?uJ37>trW~Is zvwi#>vNt1*gG(R?A&;;9b{o|4YYY>phzuQMm>8$FHtfg?cF6;&{X7317pKQ?i@*{3kZjF zs#Y8GuHDnNU6n6)Qxn{UQ<}%io$hCdm&dM`GadF=ONi5l31u93yk3LFMhFs8P31Xg zo>BtNcX!F2WLr1*J4*}SUHX>kA#OAF%_>l_6~AjHgGoVgmjpnCBzBN<=sBKiiVoK` zvz6)I4!_8mt)1v}1iZ)dyfo2Wds8wi6gwLIHo7y+HZSfyqd%tY@4{Mg>U3%6&UE+X 
z4vUe8mH6HTrtZ#tf4aG`){JED@eORPKG518=IvnbvKtT4lcNxNYBZG1HD?sK+9w?pEd4Fy2l~u+xVV>nbt|l zc)&>oSG}`R$LP2FixZ>O?$(r499eU^(=(i|@&=gBodYyDL0w2TSkEvH%X4t^%Dzz@r zKg-GCNKbBSh*^G*KSz~80mrn5IV!rxXQ9hFmD4I9)b;|Gqc6Lsm5U3QzD$TuV0Us} z)6L@LY@ObPkGeg*%>Ls*)MfwcP~t@6d(CN=0u(#~LTqf;rdOCT`xF+P!I-lLRu1E9 z`H%|Ov}xP%-It449OIYuo~j*>kHH5hZ-Uy3^!9c(9g1GKh+i*UCOJo}XJa;3OZ)(0 z-$TzXkvAs;2Pej@d1ZihZ=zsDWMWZkoi_=ewY-Vi3&moU+VQzv&Vy(yF9B}l0v_q+NQCRrkzQ2DlmB_XPo$UkA6_7D zJP&=sCl6*5>@^&olM3Yo%2rL=R<4BWo}Ga)i8BtY4^{MeEUlhtA@+lBdDSjXpw6mX zqX64P(8-v+n9&=$w*^J>5j;kK;$0xSB&3fo{j!&-FHSUM5X0Bgfg7t{T)uIXq{G_I z9%~{^S9z&E-2BbQK8dT*x+1U4(s-^|Z=ed?Y@zgJrw?jKc>;9QYp`1WLNx=lxxEHb zL=#dIFY?}$1Qz-1rNv;Mk6oeNMcQuKZMQKU!2wsDCkEZ3MZ%5I-mMu(wyGI8?8-^V zuFq^rvg@a=J17kH9fwqDGbN188D6<6DeB8TqzK53(T!TCUk}AMnHKpQJEwb$dfEeU zrT|ReH4AZH6KB2#U@I-}aHa3S&fObPvyZ_ikwUa(xV{Vpd8W|cSekMVRz~liIR%xC zT3Nm=EtUNy{LQ4E?oG*6R>6Q<`aElVN5rO{?O!UOUMcsATb(u5U+-Pfr7RxP;byNB*rLe z6J~cgmPKfuLFpQ==HK}EC)+k_hWKUDWfhBC+x*}7N1XQ{m%ZvsMifj6*7JEMV5KCVbUqaf2U@+iu9o``eLvp1&n%a_Z&x2QtT*?k2H$E8jSPFXDpZ;ft?W}d z%*Xv`OG+BdX3&Lu0e88gD&SqLV}%}ZDFaoH=hY@!=1I9wq)FGU-YeBL#g?XU_7ZN+ z;iHJC&7IRROXQuzxkH(1m(7gSzX&-$Mi2T z`Wb}AOcTK+|02M7#Y9%Hmd`gKISFHA12GF$CBFe`Z)>gRM*<^mSmL)E?lHIx9}^^V*w=IKtI!gO2o}@pNEvR1_!g%*rv&t7@vx}*zH+Y{5s86c0 z+DtTAAdYzLmf9OshV$$t?jq`Bn*0pv8Ee`6(|K)8ST-RWsJkbgs0DGzTT<+Se?IQ* z6KtKxw)I^0)4lVM=zM19Jw|1-3)Onh`&-geJPJpeqN3Vywl*TnekT7RWT@y8R@}VX z%OIvBaVWd?d(>I(DD|K#U54)nqXjQ^F(c^nTWulj43EJje@W~{HSV<4l(sOkr!Z>X zM@rp}Me|tq;Rtziyk)VTCIdQiv@IP$U7u?lQTFHq&U?BRl^@&7`HVx7xd*wtz3vfh z0}2jk@6&1n8t^v5|Hgdc?CIn#75A$33rhE6-2u8cGLxC4z9GDZIhJ>>=@`mXt2?|> z@(8jziTGQ#{ZT#yPe!(o?da~_GOXB_-Uk;&{Gq|hJ^ z@VrL;y`_B#`MQAo{GBI2CR2#B^DJ$_@#HuHyOvXg2DG2E6xqPeRR6+M5qH8AtyY_G zQOBCG8NTfa8s-!sLfxfHB6bge310u&InE=&Q9@5f{ZD}HGUzFn*z5dtKM<#Vf{ncx zSuSK9WVu!kslt+Za8SXJlJs=7a)&iVprY`$j_n6Cbvgtzt1 zXY7405Ly!*Wg=R_xkBv-us}G%Dj5M0^{B7g$dJxAvPv7(g?N=a?evP4w%It!FRDC6 zw!I(x@MkiO4KrO1Mk!7e)aD#wehFd+Pe(xQhbhB0L+_{YvAxKTlhQJt`+bBL7&;}8Qph+()el~#fnfiSd}#Es=@J9RN{6KYa1yVM(&lr82zoSQ 
zth8OElr1V^*{k7)AK%b$jpf&%&y2>^nn5Q8OJ~wc$FudDs|>z7uhhvC20d5@Ni3Ko z5@fI(@Z~xDcf!S;aktDE@U3@Qe`GO3QXdWy0R>tW<>1Rf-Z0lh#(*uT4xdiP zYyp3u?kcY7>pBI^s9wlGTZ=migAQ!DrA1i7<;^dM(#dWA1%Ilo3&Gom8mY~fG69!eMj!_&FkB*l~CW9Zkp-& z0I*@=o}E`)8uzGps#z%=q`uzVF3+3<*nW$*Rap>P#?b)bh@H?K3^9nLhS8^p8i#_L zXC~qBQr~UY0^BnQpOq;mw{CpB1$ z`z}FN0CH&lBJT4*AO1;%h@xNzxVD{2=iF^Dp=j4Q-}dX_ctr8T|KY0fyNCUC^OCfl zeKd};-i4S5ktsz@c0QF*uYtwkce-Ikbuaq7ib#}@O5pzP9v$Dc?aU1fKkmouIXYnK z9hYibzK6r&KQ zHlCLBL=T7SUb|>B{+8IFOc&>-F*z4sHLth0WV9PVI@d%O=BC zuGJ*JDn2*7;NLb`o?cG`&N9U9FO(T6>i{`5&UbpW##6 z!6&%6=70X5_lfL#`^%?&^LDdWk^jFp{#606F49)f3p=6w2elV?A-Oh$F-|p7>Re4Q z6aMemx3bwh$2BZVC!rDGamf5@5q<=GuPH|0lA z>(~D2YWE!H%cSpUk_>)6bOa2u=tW9HbBEJ%X`e=ucv$tvm}*H(V1kQ&O4=?Fa@|!ut}+@ z>Z+MojM|z&!#+N5Ry;8g5gymu{p}wAmX;Rznp5ph$eRwghf?S=Ib}Du*G9{=WK)p* z+Yeg^;ri)`@jPA;{*Za4cCE@Xnn|B0DLSRI+%{M+-23B9O+H64=5+Z4E@Y5z8Osbl z+&@dgs+@?6BJR%de5=|W=JTH- z`y?xh!on16Y(||zi6+jelD&d7;sXjPfVJJ0=jd2jX&L>PkeV8(?xoA_<5x7pR9fyv%`Kr zgj0TH@|YSK6&4hb-RO_U)PhS zGB}H6m%a{7)tdWsX}-e({H@BLQbV_}uESg<)?44QwYB!llpIBe7;Aq-0qt!c27wvR zN2ow3SN3}3_l7W2)seiO!wcP(4jJZ&vn63GdF`L5l^1_O)qk%!r$ZI-^+qb zN~MZ57Jn8-XJEKN9NEfQ2R9|ZCJinSXEI60WA0skB#SwQ%a?tjYZD>~^vtgvxVbox zT5O+w8QgDsZDdk*6l;xL7nSsdmot7UH@Xp?tWc)Z)k+R$2~OJQRmIYk-ksf-yI z)bTDYEmFwGMiuSma>`XX3%LJmw4J(biTgA7icz->`Ea_pIht#wTd>{u)q6Ve(2+q0 zPB?PAyr0KwwZNa$i2`^}tHMaw#e(PCO3~oveC5+hNk*YB9wLuvNal@Nj3v?p60=-0 z5?c#lAcmRz`Sa!B0F{8(4Lw(*M4r6Asj+c!X2$m_92(@a;s*TW1-w0+73Jg*|IvuK zm-{QnfhGC}EjRGw1f-F)x3||f?13z{0G$)7(U6gS{&y4O}alS{4!D8#thA=T* z)3f0gh>JOa;eVyH%Zwg`xs^{$%q8#3V)P6e|L#{NhHkVr6KR-6JqS5_U#Ej@@LqVI z9*N!|z2OIp=0>!)^PF!Z`(jOI34@E|eHv4<(-cz%fcxik$KwA2P|iy1S-!;(W29t=sH%2|s1TJht>N>tmLWJ~>sZ=!C9& z5V^-kCx0{=Pc(QtnVXxEpoQGe@R}p{7?0ihwZd_v;)V?(B8ICNqLf@$fo}{DGF@#= z+ppxu5Rf<|9mL)47E~yCR*Eh6$c%K70roE0Uv$635qWr{CrNwN*fb+Af<5QsA~GeLqS-)TE`fwfe2OV|=zW`m!C z8yG{1>tM;~%dm4Bp#4#XR;4mR`Tp8qM`03PTbAWkC zff6-_+Xc|1Y=*ayP)$y;=|X?^vnhble3U!>+-f1A@PcdR!00Mc?-tS=*S@2;f!eKx 
zcWfdOFqOP&4vmwMmiGK?IvPJw7^Eni<1v13IbrmW1=@lN138Kj!NkBtaJhGI8Dg~= z(6gZ9)4zP`U7N4hjxo|ucs=X%Etk&E8fz*czUN&8r$Gl|bV?%hb<(%)kxB}vfW(o}jvDDSx$PQ5i3S!x+-k#na z`Ow@AzVIaVfeCS@6G-#w6N_R7Xdt|20RVcrSg)UbL!M&eLZW}J;{uKz*%P1LBSWQZ zs_Xpj2l*sKh(7(o$CX9E3)`-l7Zw(}-Y&Uk)OutBn05WdlM@q-Oie?dr&XX0B`m0t zG56X4xPzVpbR;Y+cN=ZaRd-FG%7GoR9Z;!2bt3r?;=4NdC#dKaw2=$rF=(I^_0w_D zJW7O9Y&{=5|NavX-WraV-A0cW;BvtUQH4G_I*V!H{5fm86gc*UxcR45uy_N=`Z@{9 zOYoT(TJup;+A|``B*DZ@&K}CV`F0%sd|OVMr~oI@T`FxpA1h-dSqj1%>tlR5cv`PN zsSA-aoy8jL7cn4r2l>*vL^+n35|9hC%?RmD_}txLKHqIIa(*N2nZ+wR5KmhiB?o4t zPyNVp;>t?+Ltb<9T(-}_L8_=I53toIr5pYUvKyn*J7fSr$QN}raia-?jh ziBlUxIrCxqc`W>dXLouDXRfYGHy4+XYiBqTp(7Se;Y`K-!(RQv=r0HUpAt!>$t{A) zRhlgTam-6P_QMA~f656vpOxz|we5Inh3Y9ajqCX2z_6&nw#{2d^Of~b5-xt5nO$YO zDPIMMH7%1*!&d(mLYktV^?lk#CoaT=?$hnJxq&S?c}ev$E7Bi83{R_& z!9stMglQByG6NJM#c#L_s`!PS1vzb+YTvd7BB4J^ovc(NGL3Iya>eM=miPDf0mJb# zA3I!itv+9b1Ime-T z7n%n6I}Lr|flS|;FIF39!IflXk?JZvJUqY)dHXEx`RlCgjfjma0s{lPOGw5rLVVIH zroR&-q3?);ZP4FRAdwhfHiA%Sb>e$%jI`nzDA+f_#vp~{V{MxUgaKq^d=_GFOuGJ zhpCsk@L*01yxZ){6-+=WBD0B6&NWqzCb3d3mJ@UceXvMPoF5h66(RR5HoLz|kj77Gsc z2{Yf%f|5Ab=>4BVXKd3P+b3szR32R}F@uF1EHVw%7CuN$HX#D%`}^1HI_wvj&{Ya0a!6xum+N?zl%mQqBm z0IhK5MJ-#J;aWC&L0+=Djt~a`Ge>au7%6*I@K4Q7s!^Ft#BW z<;%GZ2V}pDLBBs1IkUWpVO6cSqBzO^A{a@q#U1evms3q(dY5RWeK-SSS)+_P4;FWH zt-B~>>}&Rq-ZCvolBd9abTE&WO+lxxpBBHFQf+qNN}nl#?ZRkZ03_6+MT)%!( z_q7>s>TSLvJX^|PYz@#fSlmg+K0bM%ypmv(R(M#h=@hl)eWY|(7pZUGVF0zWK<$-_ z*uP!bfp@Z)WD(1`h9*KhFb*l+zo79V)EXJ1aYD2+&*u!HHVJ0&)~`{UP{uT}^EwEh z!yD*?mZBy;v)QyDTq-i=0BK)*qKkq?t68@WVk@R#b#Y{ok| zN53XF1~p!@yD=}j&VRQJbdaf?5M79E*I_a^70f4wrB$p;R_&6|&)Nk(H^pj@9xPUq ztYwJG{gbSfge>UJwoRUXW`BCh;h#8g<~?yTG36BG#Z8}OZ=YgA*EBc_#4?{aSuK_f zfmd}kBUuDpc8*MnSlch)h$$iPPYKY*f2R?xr|^89ZbqeYuBbt5a|pl5z2R z-mmMmRVxcRkuko#Jal&H*1=w#m+AxOIl)U1qg`rkbiHnsNQZwj#7X(XlK&?m_VWQn zB`MLtei7&6Wf=eF^c@%&S>R?X1mU@jZ^-mU2NX%2A%$VPBLQdUc9D9d`Z~Pvnle5t z2h8bMoY>mgwL(_Gdh0m{#g=8p(H#-7_jS80W#eu|r$ibcrM|}T*~o_TZbd&Kj|bGx 
z_R7kuiJ&NdrA7Al&D$>1*f%%~@&BgC%%ntYCxHXrzy@s3;ba~N!vn6AoT~JGlIkjP zZxI1jkwi7}7q~DOqyq{TtVYsI-3D{k0fRCRN~M6T*ZtqRaQnyel|`{vXh+_+l$O}{ zI0I`}=sj-Lrlf#b((EGA{QS6NBNZ`r=E=$H7#m)`W{Li%KNZ}VGESqnmV`_; zTAx&FJ;)UkJ4%u|8nA+)&zEN)P>^N9tQk=6cJ*gK)$(o$xA4{u+w63;x>jrDN6Fa7 zHkbUCOud1|!;$BYR=!bsPh!_TL;2sUp2q%I`UZR>c)X=Kx5ztzlX0rvf5{uz(HRUC zFS}1NVNMeHLRA}!N)@-nEIF!f6&bJ5*H2b{{0OI5ho>mcg@grT(^Dsg&((sinTwt4 zzN7hPB#Q!->Q`=Xc((n6W!gg1N2|6{_h;7(L?n!Il|n4?=T@gBnu-O+onN8J0I2{= zdiYSJJP3Zt&ISiJ;!Fy=XJ$Rt9()V0wj+D2Sryakos++HAWzuzqc76Qb6UX3qGady ze!o8II6|*?#2B!M)fP3Su8jkMPbJ8IGwvk^G;Nt10x|) z0hc^z(QYXv#{L)A5fR9Q`Dve;z_S!*@n4t)bQLAIq;0v15nDc@aY|02vLFO^x;x@c zyz-%4vg||ZAY&}r!Swe5wvu(y0$7^Mfe|_^lO8npB`I%W2~lH_N6c6;Q*C^`WK1p>gdiiO|fT|~cQ_D_k3>$F^PE=OZ+ z15xAy%`1k~zeD=yp=Bc)4_NWnX8w0X^eB*iw3iJVTN-?n-*+^DhOM5p&-tZ_WtCb{L7fqapub zxiWuPzC}T_@q8vbey@Y|f$X%2<;xk^$0Y2g1)O?2MWYZ<6RgbB=+2}Ft(CdvX_WDBAimAeQs>RDZ{aDLxL zo-h#M@!ErJ4an)_yFGn&w4}g*=T(|kh#`zW>wvE|CiH;})li0NTJSr2JO=ZL5$I2~ zTWp=jF8ffB^z!twhP~1HDaq(xEX}VQxDig5UQU8{ij8V4qdbt^&+h|$!k6}TvoOZ< zrJ#l|?kJytlMqE9G=_lNo|tY|w`L5LpP1&j!Ag8ITm^rP-Feiy#IA7${>W}IJ4^+i zJZlG@qe)6!{C#G=%KUvPlhiT7eAnjSRV!7Ab=ym+tn{lcVi)1t-KnLyccykh7-YVX zxCYDXj6!|Aq30Y&i?!$bq{XVO&CGZWFISV2N>zGhOoKacMCgbe$eQF`A~basABKD7MZjW#5=)>ZCDf-%=PZr6LC^78c2gayp<^$7T+ ziHzs{lRFxmQ>6z7FZI`8i3=P!FT9LvI>Y;W!<8S_`%tOJu(@KMVv|7)Yu-90)|M@X zO@yglKlwSd@GH*GIVe9n&^FNvRG?DhZr=9-2?V_m!2F+ z>?lwA>TC_X4?1%CxKfsuGS?{_mSmTJg?U9V%6G5v5pVxNgfp$YRz6rs*PGkdis4H9 z3}pW8Sx1mbtZl2K9nNym*5EVfo9d>ugmmu4FDmYtBEdi*` z(q)KduB5aOF@D|=JOu)azD#`FDv9Bvk=C0kj>oyuvh#*X{S9_P??_E3bt)>MX+jJ& zE$;N~Nv=UVov%1suk5I-+-t1Axq&=Q*P~HzB zEHPxroXvZpKB-EV@f1a2u~3M{3I7WQt~u`${-~Exr!X};J2Wtcov08_Gs1k3iO%f& zW2kFnWt5)!SPBBZvdeUxFGamUupls}6hkR(Swm2c{xoI2SbO41al1&?l^x-%PaLM* zp>J|kUX&b(i`T-(eZOx=+q`K{b`%5{{WRf>{W<2Pc6hgYa5fAT&FA$RAasNOK}A4( zwdIXmo%20^u)(aEv+0W%!ow&bp9gE{?~X#ufKTkRB2&ic-(BJ|8QW; zVXF_wT3fENHvFCWbOwa6kyPT%VDyVdVFt|hRddJ8JWNEWCFE2&Ux`BLAerl#2M%_4 zd?2RcHmS8eWzEjdcTZ3;yrnr`j@^dQm(%&eBAzZ;x~p0-?wyM%WBw#j3$|}_!UuUM 
zoH!qMS7xk%9`1J|jcUMy^ z5m2O>0jDV`QIb~(O!MQX8+&zBymgs@dc0)LRyi7A8OqhE_mhNRQ`(eeBc;Wi*{&B< zwCRejoIxUVNmbP9qG9gYK2BV?JNpu+)rg|` z%Qm<^Apjf4sj9}(zeFEWKm-Ay^sv*@nQ4C!h?p@Lyl~)QbIel}3DjyH)nU6w>!u76 zhIdwL&=WPGnFN6aC$-@S8cJFh_YvdvJsi_g(UUNFIFNKaG+c-q^i^{#G>US*XPT&b z*Lu8^@PnS+Cq82!+^@F$yXtgT(HSUVEsA;}_yl!@UKhG1h{qT=S*o8W0yDe?qG# zFOQnv1ggRn6cp5}-K;f~T6?#Af4%`}vTbc`H#ax+3JXj?=RjYrH(4P_oa80L8Ffxp zzs|~MPs*U(Fp;4fNPo%VmTNOk99O9>$e!RH;a$;BEWw@QAlr1mE>F{{Dz1b7TOhkx{izB`$5C;nj zj~wIY;!1^~SrgHUS6Aob0FK4pA^h6u#nzuzib7GVYT%A~ z&f<4@r+d}1?Qxk%yVqKBx)uRp-aEf?z3}xNxPce;=MqAwkdwy02*TdrQ5yW~-aM-q zCU7`f2|u36s6@r~1`)qr$B91#yVM1MqW6#`i5ud&raEcrI0fc+eXb^Jwqon0`T8Zh zO|jgGIEz$_K{qHwoY>fS1G$b@klXxJ7M#E(sd%J>jLZYSW3GKt<+TF~GYctcFYzp= zo*_Tu+-sZ9PRDf98OU4lge=BjPR^h>rHoh1Kr%*j`N)C>?Eb7S=rg0Y;34_ zp~KQxB&v2BwW!rD=XhtAJCV@)-(sm473*NwE z;GSvK8o*El)+mb{*@FNy0f8^Q!SLAfs&oGs>N^_t=_h6#Qc8vRc%b^cYQrF4onDO= z^%!8F{0;GmmAnFZ^)Tw(5Y+L-C<2g-^atnW@wPX{5mDnNk} zOVD-%_CxKPZ)zxXJR}%7{+Z!jX`xIS`=4%~`53|eip0`n#+e6YI$U0|ZPr1NKUo>mL&?B5P>A<2 zg3x+NfKeF0aC6phuot0h}_3(KrVmr4ipLL`!6n4!T@~5|~_K3UD`_nDn|gE6ePw zj_i5^!B~R^)@8J6Zio7tZ31TCOq&UO)NrU-o$I%TXMK3B`aX0|=7y6!zuJjWn07lY z{m#|3%T&WnYR_q#;gf7}=UCHN%%w_AT?|l_o=)FAc=nfD@b!R85{%YS95%mq5ADS3zjD4;81I^aDLf!mv$FwFVlGc z^{w0iWb)Nco41Oh`@M70JB@=a8ZqGYjKx5cI^u=6(zZHo&BR^+YEWe*^Lg6}gHC;3 zUfxIwo1~Z+#NgD_)NeqN&lkqf&_Se&OpJ^tXY1W61@8^aWvfX_Ws?{Yi3HP3zIJQX zm{L$s7_2TV0778~;L#L=LR?&~Qw4I*57%sLY;@9sh6N^*r57Yvlf$Ry4$ZPTbd=Je zKsoJizGqitxj*Q{L5CjppjKPAg$}(!--jTE#olnd)KtT4nT@!xu<(AX@(naJm-*zo zkrI(U)6q28WzVxUupZ?RRYM7&pC(m!C#Uzz7bYgACG_AF#ZTUa!`BX(<#+UngaC5L`>lrwU?X zVwhpS8+`fFnmD`L0>|C+zO~A)24$|!at^?7CnUKG#3b!mT*O-iz=Q$Zi@nKwS=3b+OU+OoEUIvO0AgUPcVi9K>K`3{uz@ zD_K;uw4~r6P=e8#$b-ka?n`NU3p!7s59o+H-gv8~K}{k3COBawn97ECm$vzIZBuiv zP}g;~htswPkTfrHvUGH#hbD|xF#=;iMn|2+%-0Rk#I;9GtNHPc4xbRxVK6+`V3@r} zlZ^At{-~6n(GpiYk9T(fvNL31Dwl2KsgDn66yt~MDd8v}lxUcl0ZcUj`WS#j9RFzl zbZ1Y^E~;qb;^Ja}5*`s@A1XVV`B_~ZlU0&(uHqvR09#uP;5cJhi9ufjV$&{o5!}V7 
z)0!TZ)whL+fFQ!|h>VgxUY)M;3-^QxpSVS(=+Z%K%wG;Ni7eGTtPSn6C~OByE4|DB z*S)zGwT96*o0`1yvbRLKIZJnKdfbkC7MK%@BMuT~R)8QT*1)zd*Qg+bfB*iylf%P% z5Fhuutn_pOJV)^_+3NZE`2bX1C4Y87#mDwO!L39@D6uu~`)w@E?UNI)#~W)Yrcfgs zQjA?|tdW!iMp8#-=j%iU9b6n7d-L^uR$Dg!=ZZQ>NWm1D)2aS&Z?Cbbsnf*lNAX6cHdg_ev06hDXynNf*r$B%I%9?otFEax?U9*Dfv*e~9mTqlorRv)X z;GG##?b+siLPTYb0t0dQ4BY-2Es@6DjcXfs4Ta0!LOBfIA#&3SY52Hio>? zT2aCDkeNS&LQe#CjZyg8r2F!&SQ(h&csB4S?e3S8ys7msT-^RtMa#U%>3rz82wKNn z;!?a)R z&?5x@w)aj=p+W7F*QXv-mop=qPN=_w#Y@=_cWlvfPbcl+auYR>y)VF$cG zxBJJGFnplDF@2~mIoOR|OtXbv1TM!N8I}>6Zj6Z%HLN*3S}f^@(yWRK+BC`p!xpxm$EuA zuLBTZQl~8n829-ayab~~cn@h5wA~Susl9eA2096% zy73WdcVJR8C;Vk9zNE^i|0SG4ML?6^9!1{hohCOtwk9%(BTXLJ_3`gU5_~4yuFR=QP-1!&jk+*G^i4^nxwbe<9Pa&n;x7z{+1b;6B0N7v# zoDXaHDLel`N)TT84YA+>ALIGwdc{$g=&QsUsQiP!W+>RF6`goL;TDth@z3>HX{f~e z3}%QjGl0(c8{^?K6@bEU%JA;yk1Q7EArqd|8O4n+`B!?UyzsAlSJf9vQ#$Kk)%nLs z4D|HxM^wcnhJXG9GBB)lb#-G{XuyASTHx&=z-1WPey7cht|9^5pX7Bc%+2rb?jUz< zk&uu!$Wc+L1Ox=g$stkM+1UYM1f<}pcOlUH1$h7@+CqYDC#;l}m5Bu*RY?GCzp#)f zteLqxM{cigZ~Fz)=73ISU352RXFl*@hyed0mS4ApR(w*%B}Wha$+V^_QHPf`Hs_25=UM%@l>00&l8eLJ;ZtWwz5 z-%kcuFDRbF^DLa4nA#{w5IG!H^JmwGbHPyQeI%UZ{UkPT0nBATt9VKyBzz`vLuPv?FC?ddo4T!HJf6*(|l?_7LY)eT=T~ef=?6A%GF7F z)6yXKWU_yC-R?{{?R{o7W&+*1dos^&w^QrO<|Vw)jEG0PFmD3CYqRQ~KG^;_``tS` zJQm}j1B|<@x5i;3{fs)bc4PJ1L0=SW9hq)p8+rgw7f+JC(@Wn)tLLMOqGELLQxlRI zcRJvc)Ty&bh>Jtt(fPHwXjD1d+e^XD9`7ufYvu;v0#+%h;jjgS%EJl56%oG%F zVoKFYq27oa%lj-ZFRv4k0RYByt$Nw$6^&Z6%z>t+2~UPu_}9AEcXWMJ#Ka->^7>A6)2WS9hfK!D?3<8nX$qQ)`9C!!I%ndw5nDW#@%ePxpg z@D(&e!}~EP0wE6PW2P9AxzR@gBOWpL^WzqGfgg`@>H0RdcrGk=>&JYalo6$xRT~R5 zLZXH-A+O(GNxF(CE=$xa2%Rro0^l&-(~mST-ZhzEVI8V7xG=q{Q4^mIOHzOb5w3N) zTW06taoNOEbFq+hi;2%&ovpWi!&tb3&1)NdIy;XGOqBt6cL>7oeVz4$DkU#J`kb}V zcsTPn8+-$QZ08l1a=qUDID4{eG0P(7eGaaq`GQn>j4PH%@t4mU~1-?m)5%#n233}dPd)*)OX0q?GVy*yy>^R%->0zw9RzUse)8W>C%-EB=vDihAJWZ9|JU zs*ZolEOg-97_Q*EWwa+p({0!v9TUa19Agj>> zd`UD`^20|yUf!G^fNJn4Q3&_fqysh)AlniuZip@amUT<$ijzpY003(ykE2AE^YYRX z01>Qr@=bSzR*GQsVwThx8JLJk3Sk03HLtgvJGsByZMf&eCsky(v9&#IY~+^yMlK-W 
z33#xrFS(B1y?X~B)p2rhHMliNYxDO089mr%vaCFUQGn0GW74nLBH)u&#-|oa$5DcT zfdTGVz!a^it4rr`ECAp>>ELmJNXES~ZBq5$OUFZ=l{Xod=!1`h&FsSg>taW3e(4_& zVE=<&SBHGH+5{fHGte^|r^`05eK;KuiE}yPVJJjR>+wNB&^JkpAK;|>)&aq_M!m@l zc!JZrTv_;SrAsA%QlH;ToOK05U2*kwA82zFalv&Y6^gCx0T?FU-rjfBfBeMa!9Z3s z()t<_4y!THKSDQSZ{Ee(*(4R{!sYQ&jq-D93cVPY)5`6Sc4rOWgG7PG`ckn!5?0NzAi1NMiX6?$zY8WlkDE#U$h-yHxk ztRN>B@I%zZen7q|;?OQISRDvPe7bD+eB`91wE+6h3>W}5#rgSpu&J3@|AoD)D>5u> zCrxnMldga<>>u)d>*u2^Ys=zhFAd=T-Q1lU&5nf=d@;Ji)ML8zqmoM{_u4_Ra$*u| zDlaPoT!_)SpO6O7*9R~^Ol_FSv;0lVD}cTvGfw*J*RK(}UZ^IZok$PRp{BC^^QGx* z8v<&82kk^K{aY?T2t-~0V!bbtpv7TZCb8Y;hv7@Pa4{6Rg^R`GJ=MN-btpUq!bO@E^FGJz<2+yL8ud81z1GF?vRbU?)|OHyLDe^ zSk+xBuyW`ymfy$#d31n9zVpoxDlsf9>0ZnH0Qdf(xb#$`K{ z7pO}8XZ}&Znn=g=L6^um0%l+J+ zvhI2+?8%fSq(NDiFZv%UHV+sL(4^5949bB!j7YBGCjj)UU+NBGX%cbJ%oLT;lS zpvtNc>6E!N1Yi^Wo_A73O2|C=HeG@~xnyJ8RqP-jRC(s~{H)-7dQN~uG6Ljcubr>5 z7BgV{%{AX;jljkyUO8Y)O;7j4s*P(mwwmbau>N%~VW8kC1)bV?f2N`US)sw>me52` z?LYqH!;eDkxzE9@S-0aF4mK=iJ^0&^_t$)y$O~IkDEKrsx7?0%6)~D7=oPeefS66+ zh2eaB$L{VaI*5~KfOPfX|2I!3h5%nWM2~F#;o{`tkaKi4{-kLS=CekW5Pp6uW{HO5_-8Kqoac#2O7F^14{|u_=bJ* zSz229?e!`wtl|C>+pD%^rj7YMSAZp&{@V!;G*yw$6h!Q81ELXcv2gLF{w@lm=K8J90zk(C-Y-udz3zK~4cyfQ&Np?zCB4W&LsP8R=H7Y#t)+!8PUi?3 z64Kw_Kg*SugJY(n14IHKc);|(b zOw8|d?U9wSG5M0#5jQtCu^nJqNPV)h;x`^Z*@4V0#pxQ!#6UuAbicOvt+zWhH3b%t z{vl9eRIvQGm9LJ)%s=7enejhD$@dtSD&wY?p(&A*xQIdC^xy>BtSf5w(I4w*;XCg5>h)nJPN zN5I$QaysF7bQj|8t`>wq@G`Y@59~juqdnFyTYGRAv|e+ix6uaOsO7IdzCbdxd>Z@q zqlh0g0)Ae$l6W?3?D?O&3PX~U62IAx@OT<1)AJ0b(-T6$Bj^qFem(i1-|=E82@X}z{v^20ec2dr99QE zTOtB*p2o$-;vm(@BxpC-usPjHp{vB@?T+DTEw*|;GICJlOUD(Qu51f_xjWM`{JI;S zGCF#k{R>VmI{a_df)rR)ngKm|7Z-<%O8`w9$nSJC@pgNC8A=!i*kxv4e_>vprjCw~ zM`Chptktg$IFiqwGr#)z%~t5>tS;ralxw4Dy^r}9=c8r^qmg1dh|&O=TbK)cxoc{` zAxWUsaIrrQuUY{zbtuVua!Yw$%)h*Ms!heUEz|=dsew@kb7K%JAM@H2KYcak{}<;E zfuUZ;9YveS9$+N~$|Q$CtiQ#HFb-N)0Quk2=MUneq%h#>>52VA2>=&Ei4zV0>Wo-& z|9he3Z+FSSAp?)tkni7@`9K0*4hkP}rGLG7d|JmVn8K}Vpd5udISBYji_5?JE~@`k zQ5FIc?)MkKhXj;C`1pe;73gyh9GJj2fC*yEWNl(>Zop)2ZD3}?&S+t0V)i=!x&}g# 
zk&u=E0XiB;ANT>iE`r2BaL~{&&`@wNFfj0NaPUajC`gEiNCX&|sMusg6y&5tq$HGd zTuhWS>@*~#%pxr8JbXaNor3Y5v>3k>mw+JO@0)#KOkG zrJ$surlDo$;N;@w;T3x)E+Hu;Eu*5Urmmr>rEO$vVruru+``ex*~QiEv%8;vKwwaC zNN8+ad_rPUa!P7WZeD&tVNr2ObxmzueM4hYb60myZ(skw;LzmM^vvws{I7-ejm@p? zo!!0tgY%2atLvNFyZeXV;{pRg{2A7NjO-udLIuVJ4habX3H^IqVBoI60f7qnhJ*zQ zO+*RWz#g5H)feWiXiRohCoCD8@)?Gq!vq{AIr}=r`R}3qHM0NOz`p)J8rgpg?7xp| z0fYbn1}q)~Do6-)+)A}Bgt&CaC!XPrZ0<13mq$Vge5+(G(Od-W{PP2(jX zo$M6^GJFMXd^$6G3c*Ew_Ok}?*0g75et+48v;Oe`(<$l+EbJ8&lKX-(2KNdYugUXX zL-_b4XRRcR-Tu$Jyn_7My4tVk_lfQxuwFsvI;x6LOiv^k7_XpgGpScl2X^~is?a*Z zS;aFvujC7;_Z8GLJM;GU17OSoy!W&wh0dUuUMQpP#Q5o6L87BEuOJ^5?{lEp^Z$OM z|9{QVPn;|S+kY$*yZ67-OnKUbF!p~Uwf{sUJXz=erOWcO5I+82Ju#IU0`DJ`O7ssZ zwX_KRO?dxKsgnPs(uEv=@cx}rC;qVl^+o@M7b>BK!1~`W^grz7|3oDJAI}gn&t3j{ zI)uWVbIAv-Pwvj;JznyI2DK3cj;s)0p(G)r`a-AfT3$iq{Ti>JdZ7niUTO%l&ddw) zPeM0{4X>aHOC7bawXu6NcA`h9#aGZ?U3m$JIw$nMe9+KX@Tj)hWUVETu_q%T;AKPa zna?B?E(}|{zYD?jI)pG7J#l{pWoplq?TtDHv2PANA_lNZqV`R4i9@D3bH3Avh-p&C z=E!ZUMb%q);VYyr+7msw?_;HvKFO&EjVy}cBf*Yss~uaD)ivqE*I(hua@t2`c?IUR z)^f?Tkh3(Sscs5LwmCAD(K6mRK0)UXW+#}6$Feo)WMAihbB%u#e3@!E3=QnWA!HL)|lfYRaVs*O}YBz(tcd zwG$@m<23SWYeTkh^!^GAL5qOvl*XorL?av%+Id9>+EU(7q81G={nnpvh>M7~P-hd9 zeMo5|Ls?|xEXT!)O00{z8Yt0-NWR)Ec5v7fu!Wxvof^z*(;%|**4uS#en(X65e%g+ z026Pl!eW@;X1JPdh~lJr5!UHfoEE;nRLO7 zVU|WM&7x@O?ahi!6?HX?w$vZZ58zd~sTKp_c4e?PJO$_US}NU4P&H*%TeYoX#NiM) z!YV>6n-zr9GL9wq#kBuWdmEaauZaxJBIN6 zV$}5wCys4@1X+4oW+G*iA9U8|S3EKQO0oRRK3V0;NUFHI)wh%(x&2hC>i||{48Tcw z9r+nRU%k}Uk9?`1PfH%1I^BOzk2i0&Q;KiObfN58-Hz3Ku(pcI-hHw#QfwG>h#2Rl z^+uAsF4la?dsOd`w0s2-9(YO%mCIQ0DTQeUJ(A|JgCXD#^Spv=iLy$n=YyuXK9^xs z9%Ug(k>Ss@*t`px6_b4WLD+r(Yy&gpcv|v;3Tx3Ve|1rY&YAk-B--sT%zGF7+0K&0 zP3Pn3pej`&pWS6mmI;uOqj?5FM^yw>)%sLN2V3`!jiJ%Vqd2rXB&6k48Y|})HHXiM zE0_tLw7JpH9AYv}pIc|l(bS;roOR6vN|rau5@X50UBf|0JjXI&{`;4c>OWd^J~De5 z8MQ>7@PG%2`lWXlNNSJP2GpJHx>y4B zeyBcsPF-HbfwX#r>RFO5zWOPFsNRKlXq9aCVX#qub6@7*hG8l-N}%>cHz$-P`mK^U z=%0suCYJYBGO$QD{jVTNNpYfoKLuIcvAw*DfPU$$e+4}-SXxwl!FdIdO8C8k^cTIK zG3)Atf%p2K9k_}-NoI=GSSm)WKd{* 
ztcTOyZtlw8;xUhfC@^G+y3)rHi1sdy_VI(ZUqQwXUL52TpQ{o^krh3W%QZr`nHqW~ z_{~0XlRF9Y(YhHkG;_UzG}DN@#Z=_;XvJla_Be5Fq7%p1zVcVP`W{PLyD{P<4I7() z)~m)Rb$hZBy^Nx*;yqm02eKmjJ`5lYGMCAs*WNtQl9xP+58LRq^~u`#cs=S{*{y|d zdq2z|ghmhfzhU9BviFw&+W`)XKXU_W0`Y>czE<;x8RSh zJVZ)rrYX4+87%4NXwZ+s#@?A0jID=Z?^vLgTWw+H`JFM|1m0A~Xlb%5V~RTtfUbms zIpT_zCFR7A+ZFEY??Y@|89I`jVg|PYzGU?w+qvJA(`bIC?=G11mMO=?yzh7gY1m`i z_uF?q3nd_vQGVlu{)xuAxyStyuk2qurIgl`dbq^JAlAbYCI0qO%l*Svl5%rOqOscc z*G)^a8147#8sr?E2z9R@MdV_tYmQ70ubYO+Hy1COo!!?0?&<**m=otu z9Lk!TNowKz7CmSp#P|l@4_60Wjse+pf;Ww|OyF>V{PwB6wQWhqkzb_-Jia0rcsne0mkYIN!1dCnd@=VA0@gBB0yh9H3aV{5|B@vX-G>h+82{&Flo z)2dOOSM4u~$f4;fXbS`oZ`BcW6FZoKvU=(XjFAGf&&Y5K2+1easdDf+F);|r6ik?k zjAu-6hNDbkg(|~=e;?^yp)iZE!(O>7yl0qd#kN_fnGU(MJ421Hlx2Co+#IYj(%g(C zryhAQ4MaPQ#k>S=5Y4UP7dfN-oa%jr-4rVf&&f*mQRQAAE_QZ&5eIw7*sM>UWikgP zfkq+?t1)SWYr58)P3s|{2dMb#JMk$d@B0>IYjmo9tSwO&l0SOkQ!l|&8lgrT8<3Id zl5GvUmzT?3-h-icakJ95^wXYLoG3-m$Ccxw>a6}0nPSHhxLtevlqy!WLFhb;TZZZySBFbdZwItXP5ptk58k`Oba4i zI!+e?POSCJjxib3-!(*L3764mG>2^tn>kOQy@wl*XPe`loe}ad_`f1+Ulq+pXfET& z`Gr*;(9l>q{EJim>o*eH#_3ZW!N-?*K>6I;%l)^rEW}JG?}3=CSI|7?>MKaR+*+OK z-_?{NP);cI|M`(ZANJPj#IA%@p-#;9GvY97eGfQ*%Sv)iCjTo=BV_N*X0PjZ^Y^tMmi8_GfjMWK-6@}x+Iq}V1%`A%o>Dv+Q_Oi zW#;+jSc*oWfz9W^N$ciJZQO`?+$h~x#3w%~nf*lDGZDhvacqC9=~8%bf z3PtNzkI!MX#?^gm`nyFxb;+6P$SAH&03P#@ZRLpyS1o$E^z zESZt{A>J)iK|1z^RR0(e+3K{KkLXdEfn%b4(6swhVR$omAyOf&=K)twRoR5Y@KC1G zlA7gVF{kJmAGvkZ0O} zc9;nJx2J1FJbi@CqF0b$?H-#zDtrG{lS1+)woU)jZ7+GrtqXtsVyVmFUU&QW)Q!_F zhg!ME4SZY3Rt6qVaLP?tChK{I$16xCn77*-KU5@i&qTrM6_iFan!+nxq*ea2HbZqU z96VuQEc;2E6wEXG-RwPMD4bc5^8xqmKt7hn0tdy(l|g=psR}v`Xb1XU_+|eU#9i`G zKKIK`+Xxa3af}$JUzpE+AwPD9=6F5j16YE6AQ{hrkWy4%u_aqy^B4QtWYSO5k&m#@ z{9Z%}7`bE6gf<_U89yKiFr$G`KbkDkd`HS=N5MIZ*y_!(|=a zZ;i_`s0zyLDlOzKz7h4lB68QC-hgfFW#-{g1S2DgY7?{du$j9QO63t&HH*uzzussl z)Q(STA-{QYL4V)oO_gLu<~UU+Zpa^o=7#5(vE-}z{WM@LbaBY|62?Y~xajG*Sffjj464_2>XJ4N2D@a+}5L_3m=kcU5i{V z$Vw=`d$uQp`(->48E6pbzF)MH zb&s(s@<}^Xyp3e~BtU`anCPWW@MLSTq|EY%Inw;p^h2h>O15i|bk%37=mcfWG>4uW 
z@NWgx@)z>Q-@Zbvi4bbvC}r+0P5NJjrpITBJfMr9X)V^qHkt|XPsZFv-MPbIzTo(x zaNZs@l0AjW-Xfywe3uv zJbVSs7TGecEN@6{YM8U#e#7onpwD6E9_E6}Z7LER!}l3 zx|F!!U8|GV*tec$#$5)0Vn5P_$&x>cZw0~mMGMv`sLp;1BjDv9kPuWFcRwFjdxn?& zI*D8hjXp*_JR(Uo?+&+fQ(g2NPgv^uA`wbUmn!Czj=eBoYis-{ewF!oj08GowvRgh zdyz^w*)TfiqI-mWyuktDXRE5@6FkB42cokI6^>nPe?iq)8LVgB#i;S?3O2TgX|0(+ z7c1+q^16=tlyE!w&YWoPVH`fLsj8drnF>ErXBKF%px8pPiMrfR6%^e!FTUFz9dfjE zEgexvRzL_nAR#|N)z%gl{0JMMhblA_6qV<{duDrzdIjk`MgVUsS-ZqHpS zEl$DkN$P(vVZr*oe0T-L8kN3+7Kxq-2;TnV6s+bSUXk8^I+g#avH!<;N={ZQP@bWJ z^rfSn5t@V5MFU*g5M5%TVcCS%UM*+pWu#B4z{LS{e-DYY`s^Osx1(nMrdxLVylP9= z(^8TQXJDtQa8OI4CL&X|Tyc3ekmLC0c%yODm?R7w>31*T?vMp@e&tn`z9h;`Wz2e%ijTzX#yrAv)>k{20Rj1r2_I81o{C%L&V6 z=Dgbdu5UeBdxB$VRF=IL2vbTI^olXIXw?m9Gn*J$S_njly1E-V7=O{9P3&lT^2S`1 zJswk!o)&+)Am=hmG4j6FAROf*x(O1}9*w|Oj-q$LvrctYZ@HC41y^R4G$RapAe^pu z6?HPU3NhsSpaALd!Xc|LgAmh0^;PprFL~)@Wn@;&w8uay3H(iDvBfkZa=cyOB z9Q5#+jnh3$S__sj{LWlyWB*cusx*{kPtTHG|L&vl_Z2&mya@GM<1I&l%hA!?1TPky~@`BmFSOprti3+fKDOn<*+20!f?|sg^jy+xR#<*9VZ7&@AiOq(kNMUMmWhrE zY&s*PQ!&aKjqyaSZhZLtVzVZt-?ws|OmJMbOn zFZEQADmYVU>snZUoJ}5c4@HK=%-?P_@H3Pz3mloAm^NK*Im6OtwglM6E+Z3Irq)AX zNwBJ#x!wHwapOTIH52BZzJz3R?Pi$Jz%M(x0k4mL`Jf(~S!?m_A&=VrdOvelH_^AO z+pC-u`#3vteHJH@jm?>x&-{VW`MlTox8y!pVz7R~>wJ1A116&n+=J%d8}5%Z zm{hSY@XC(2Pw?r*R&z2tOiE>k8Y&SMlglh{B@CsFCL~`$I{T{Zl@0Fx4NXw+CiCIE zY(_gmKG;tO3%s&qOG_w;H$5$hd%E7@_?}(~d)(rKG7I1HP*yP;s>~@q+$JeAl0p|j z^FdeQJX`$qhc$q_MK801CYkr^02#$8{*rhIm}qZQZb?D~NIlX18uZuz`3R=w%y-k) z5;!{ZrMunk{n?tGR+PyY#Pl;AZhVqZU1)18;KrCFc)%q1rtHPTN`v~{ahqhV=@s

gu0Stnz zl81=R3>3B3K2~QASCxh#AI?x7+Q6zyG5qs~3weg#lcQS2HC}|Mca65bd&61Q z^(~-iUKj0VY$`WDGBlE3IYy#*M6RB^P)#Li4 z!BzK`)e@6Wcdy zDxMPy^<})Q&Q>}tW*#Bxc8thHj3b4+TOWBN1=iV+ybLs;euZo0q_r zV!6gkq0G1w$5Bp~$A|$Nvc_OpbSRba>6EfoDT43TShra(FRT1Qjki|<2iJ8yt}L)* zRzO7@v&a=$)%Uy69YpjAag405e|zfwm)M8b-OMOJ3XVWcMN}*w`I{8==>T}=H zCu+!7$(LZA8nblldH2SL@v`1eX2C+{nI)=MuodC)pM@;IanAqy7M#6wTJ|^6=0|%({QR56NR)IiS(> zjI$d6z#pSwt_d@T(hQgSWR12*1TP5Lt}(PfP+Gc3GknMKH-Zc2MV99gfCd!5^fwo} z%zM=b=z$^9|wqH~Bx{Z(N~=`Y!;yOOEcsDmVC|A=Hcg;*nY=5} zEwTJsafp?dkIxhm4edrL5`6m#D@OFuxDK67fU5KpY)N)lO<16P2*%? zPc$>Km2u|~)PSDbCia@X9h)+bRDM&HY=I#eLTvHEMBHJxvARI{$n2v*<47PEIlghD zfCw3A_t58aX*Z1=kHion9eLRVtGW4f@y20`oapT8QKhWyjbpqtGi#xrZ(QU`!VrBq z!FYl+VhhhtXWnqy*~@oG+f*X~?QN&?W(4;)-_@0Z_D?^|yUQeSz+9ac$1mD!$cVi^ z;(ikaQODhACUz@{GiDKfJ!avC2fG}e!SWEgM=Y%rt093+YbVYQ;n!y_JvJgQy|v@> znQU&-2b?$4CLSy%Q-)dIvzRU5aIPGLw3u8q$U&Xl4~k?}OCvZ!<`yWyb?{;R1Yy{( z9w$+)?%O_z%Z2JL-cst^XU7*Fy8lI}NFXvD->zE10ASP#)Z2NE7Zu!_{JYV1mSOe2 zCnrWx{Csc5vQ8|EYl9wT9Bt7*yGRq0N8S;+ZAPZ_ar5l!UhhqnB58;2C*iPP@jf$b zd06u4kg=8zVVar{gDszVK6qNp=CcdR_EeK=dqyIB--SC(dqdR-9d}?JyY&5A!5|&0 z&LFwg;F^wbE7Rt)LY?u4zJ{^Feu9C&WTbx^toi66A1o#GzU#E93 z63445>YJ)D2C<+Gz@vjFn{n7L%sqI-UHTvwx_?vg*{ypl+9oEr4_Y7E_C1`R^i;!; zO+hD&+b)@)-@N-R&rgl%Ysu-8AKk{Ch6<@#!9zs^($_ZxhwgUqG}M=l95dG#CnuVT z+ja0!EILD>OQ%Mp(O5xbzPpKtm(-!D)MaM7w_)~F6m^X#k#pNr zRK8q2P@i6vU9T3`NJ5_Cl`Xy{UMig;Pjl!n+h2%NsA`<)v8Z9y6opGsb4h6vb%kFP zu*{1(s%I`kg$z-()|{)@)}08jdaqJ+@4P?V@X5L{QJwR_xia+4LT)LcEa6tFy=&tJ zS+(Hl@{i0-RVL%a;~6q7LJlhT-o+`Z_NhAU+C~Ag8uD{BT^U%u3ev&6ZkjE{(g0A;>&;{iN-Y7iP9N#@mS9MjHG?@x$UdV|%^Js2K zIZRpeseRtX_oUNP!^i;}*Xf3OuT+A0An9JE)$F=}5V4aIYE5(~d2Uu`uCD1GQ!FRL zQhi*>VM_AdLlHauTcg=a;e&>lX3~Dj7!IKg@}}=As77@IVX^~KvH2axPNK`f_UzJ;$Pt@ks9*hPUHxFsQQ24QAzPNsT3Qlp-M+J2gqacQ zH5nUxaprcCiv~n=PFO4t&z4o%yiOk2ZJu&EI>{$Sj46=#td*TAOQLQNa{Vf6dj~SD*Yk`d+_>o{15oKiRt2TYh?faR_LQ0d>627jV`iI+6 zUzSKvJDt{&$7(jI&Wp0ng>Eb;zPA_&W(;wLB-@6xuNnE?%}6*p<9~Mg;1TkROx#(E zG-;^GzdGpGPXBmj;YaO6JU*P{VRSYJd5FyTOxynJ92lp=qYuLSyopOVL=L-i-)Sbz 
z*Xr-cSt|E4EJ$EwUKU2j6c|@oRx1aOGR?QNrVxPPm)){hMc8B=Tnx*rjzI#;mPqh4k z{Ny|p#IDP#7j@`qcfcfG8aUIfz7H6ZL4ErQDuaKywO>sOt!3P35>Aq#QW~)Du4pG3 zQCBUM$iH{zLo7uZsL|$WXll?2-k}g#U|zm|1qo?qyAo`vqstX8N;(`o_HZG{qQMM| z+4t(SOrtH(;O?wb)_oQEx{C(Z&*w{6H)@HwkQl_@{0a(UT(}rgzho>YH(XS>Z4>Ud zANa1>$6Zp+$1Q$bavLq=jAg|kz|=FVU{n!Muvg=T>EJsH=d^`4s(Y+#HFl$L6g>R--z!ORt4;rcCVfeQ>RH{dFHtxzq5*L zX1G1fNiw4^!iwobTsn4M8D#WlkBNnLO~;HgUPuu?^^X%~?#|YRAdDEuFUdO&>O(2i zk>EpQ)EX7mX%Q<>2}l=XGUR>kD7od{e-CX6)5(3poxPl%5{1J9a(WAbxJbYOz0@vH zKT(5R8>OQk*Fev4D4rSF46lW^iQG?H>^uOOx~pm#Ngl`9O7ZyJi+a+P5@#ajf=ZPJl=ArANGY9?p-%#Uk}vLDqB38qR= z&`_sO1X$f3jKG^b;kxvHI%V}}dL2cr>7_i}5MED7GSmkdpGhoICYyc+yRXV@6o7US zsL{Q~s+Ujwm4IcfmHqk4ApHL9HmRgzYpMN7)(wG!H?nqHp;ot%Mfjoz@0RE0uK~cK zlC-hplhUb&S|hiE7AA}6U;cQ?vT2+3w!u9l5HWE?<~zps(DbYarhAT_5?;hfiwSk< zRgLWfTa2+&Or~q@$!&vFNm0BnB~V}Lj>b;Y^j(V9rXn_m9rOqvjfy7g0>iWSFW%U{R;9NGk8${wme8N7`ljsCAQ59_Sh&8R15?`W{Vdc0kmvURSr9Lu5%tI!7WQMU)mF~ zi~}T>{h1-3&2O>nwcm#4vN7|iK^we+4$GowPaf7+FoI8WfiXr4HXW`N&fjN3_wp$yR!*16g{yNhDWR|` z@Kwdew%RDbXtg!5hYfXptLCH5nB&4f!dq(dRG+!8!;#?ClHm-Ii2XDk+Skyf%f)t* zOD5N(M#PRV+OF!^eZ@YoDP30Ba8OmX__Dv{6)r^EVuLB2hd4B(n3-FEd_X7ko&uLV z`Z~Pl6{Jdm{K6~pL>ExXaf@4+OL_T=xMsR4h2h&k<1K;E!?i)VfurCzF3vf+X0|=# z_nyc^36hrBI!#CU>x|L9M~8D)FRH?XmQVrJHuRcnuEr-qOk1>@&tC050#|Ic-pP!e^ZpNwVTMuDw4{~>6(?M65m}v-03g2v->i4_o|3oyxe7=noS2aOw=-cp zK?EQIO(yaRsL(?V&e@ z33Qb4aCAgTc5qt}d$A0s(pI=hF70P0`>eHFm94Puwl72cS$-r|$$jfOx>5&#kxF%o zjcenmKtX}ul@LgXd%WH1#!q4x)>y^Ih3PM0q$ZZM?|+}PDpsc&xnK0%w2xoV@4fI- zN%7~GjDeBUzt?m3nryxboIQX}q?vtW3S)2Exf{Kq4?JU)fRy8@!rd#H4dQA~a$HU% z+rFQFG=j)MM^mieF!IQ2Mg7}IowD2&Q*yarGQvpAw(pr|SSmRb5YK33%7!mW7Y?6R z$}&IYC7fP#c@tD<^khCa=#U(84`@<-CM~$BtkB@#wV(auD@&9KM!R-H~~SaP!#?>c}Dv*#oe8;Jf%%m0`$Jo+SwbG18hxqr)Ooh9zrtK^hcJLSbZ}LoPjM* zZp}^w&2#mU4RvOGX;}&0%fHX`NOTn<$IUS}V6Vr5jbz>I^=qtl8i_OwlT)mXQP19M zVSAyCIev8)lk`XijZ>%@42jQicgrxse@^SW&6FOlNDJT3(FQy;?2-&(FDhc?b2j9? 
z)kzZ2g~?+=t9#wj_MhzVh+XXUp=%UpXnH5{9B@Acdw746(oUfTLPau@lOKx6k?T(o zJ>lGSun~u7N*M}w7CTn-BBC=;w^5T88(2+*=x{RqH_P$lL{YDS=^%Tej`=ygF3=MZ zaVGw0PST7IHgSkA!yIU(DN<2;D$Ff7_Pc_L{b?2oSt{_}{*JML9gT_#lpuiXw5aOW zlq96!Ur9o+J6##2j8(qdZJ2cu?j7<9P&2^zrY43)MBH%4@0Bb2?#l21Ldm~QXG)AV z%meHm0vj~F=v)op<102h52tOcJj0H>PO{2S5P2lQ1ro%n>g}C6PXB|^0y7wEdyB=_ zliI+C`@O_$i9KA-)h2fBamXGhQh=2(L1P0xbG4`b8>HFSa&jfBeHxp3Q}JsU#esCmA?6Rjgmv59>-S2-sFSRpV9 zKF4KkT#|Z52uncsqI>RC=nt* zPYGm)QDpeEtR~P=SnSFESxYvaCb&Eqvbt)Dg1cY!nT5g;S8u)VSMSWjbD;}VEdp{` zo@+xC3XYGrB>vAs^%YW6jLJS$cXS*JbDq1+;acJv&}7-4rFzzprK^m4*NXw9CIw^( z|6roctJ7V~*+z*?$1B27Gb4ap)tXT z+CNOWhK!YK``4k^_7}ZJXIc~$8dDFrFZ;c=1E%7z!(I&_G!%!zWMKCM=`OTMI`b7x zp_S~!_E^?`BBIMGdUcJx`8TB>NONJO^uk;_p-c0^HsICR|1XEufmm083opG6)!y6c z$E7!`Q}UZUy>b4T+(%r=Qf8wYJ4W^>UC5}-)+KE6n{YMV@CK)LOcz6r?i?MPM7RS` zJ(MiPpV#zH@s<)-+$aUIu~LXK{nJ?veR6dt$$Fhu8i`KVrv%n4pLH)2wd_(XOJ^;z zP79~>_aoIeHbInfRf;vo<<|*gH5}{%cd6CH;Ygyxkh=X5w$>AHjz5L}H=Lw+so$sd zP#OkUwPX@x`42`-f~KYjWL_p*vHB%Ix0>hGEcZ7rgbgtu@=9iOww!p6I_6)dt@GK)pErL` zZWX^{_}z_3>`r57ozD3-%Xj>Jo0II3u`7aVhJOwUWZhQZ1LgUmV~j&xoVKpc$6;WP zg3h1kt9NJbenoM~*gN;WZHyU)&D>RM;TY;ECvAP#OKGgKeX~=JoExT36sUk3C4yMr z4@P<}q4TeFzW#PXx(7b1a4JjT^uC~OdW#FQundgGtl^u_O6VPyZu#)dAGT^&(eK=@ zYRcq`o1;j)h{o|el;f2Qwkg4uLk6q0B<9RXE%gf{Z^~+*_H#Y*5*M6Oa&XT*#GMnbr$S)QJ+Ht80^srHaqV zQ9ZhZxyOp)K8X>o`sDvvYhToDrvUgV?o^NzY5%BMSgyBf7OjCuWrm572|^9gc!bMYL&D95$~=CvCr8m zAiku#1NyUOl(t_0ij8|6PSUPXScaBP)PiHbGh%ZAMnxa$-lwa~=Pt;NXZF2SqY{*| zo(w|BO|WMcR1RsfHzbQ^{+FggBJVH)@jwVmqGvBC#vd|mU!>Cjmu_N)grvjlp&?$;+rdt1@^?M8@Q%(1rVRZiZZ^OQthoq`X#0!I{^Nexrtc3}Y-vS)*zh<+ZwUYpmNLwpimp0)sZ0)f|ocKqj zXoy|N4M^2QqKOrzJ ze+DpP;pP>?DK}TAa`A|*R6>K!f1j7p`GCOjN-8;kb!Hhtq`j<_JXEt?As%^n0pAhlK9;3F&W-6@QzPra^0J{ij^#&u;Uvu3WAxG+lP zeK~b>@=eQa?{n;tnAj&;8tc@@eyi*9rb zMM=%R#DJ!-w9ZK|g7T5jBmwlrmhwqk#bggi-&0hsucNI4AKu5D+TxShOnh5m=}ePS zd0!u>VuDIc>}!R@q0e7`uCXe_9p7{$ko0t+n-_0vA)5SEGR?t%iq?zqXVOOL%dBko z{RDLCzeo(p?hsRXiki$#Ryd03w91Z}7o)^A`dm7l&cgqEcUxu`x*!;DI6iQFO6i2uP|=kwO}=#V%N 
z-EzK6civ7)Uz;gMcwsyOO?pl|Vd!E`bS9qY2WXk#U8O{Ap+N8?Lj*L$)px25?OOp) zUtp*bL_IOtjKkDq9b*QbXUGz7er(RJ!#$G~SxPH8$QRl&HGRC}$(A4Q^BR)dS0_~M zednQ|XTPIFZ1(Eyc=Y#*Fq^qNzoV7-J9O55J?Zr&?#C8@5<>@PucR1=W-gPrHhu%Y z^0?DcmlM=N{!smEYK@H$lz*6GSC=08j4--@&(i8BqGD^cR<|*0`ZR`Es3;P+aR^A`TGZ@1P6Rarl(ag|m|-|j+luGOIW<8R-yCsHwW>r6A6hY;Vj z_@}!nEVp@O8sx8nTJ+nqjkpal_k28Bn>wCOv?Dgp?j_NmR5_LOi0FP`ntNkL8L!;v zTw)9RHm2l2Ihn&)uaq@zKdV@KL03gd&NEJmEaDX$%>!)6!=hZ*}yz~F5@ z2R_eBv4l?q@VAW7$AEU;tW%19G%Z5mC;#+Wq@o#ZkE9@m$rjj;hkn+Y3~i3cJ~2ci$`zvAA!GuFX%Tlg2D!wQ7Pefb*TNCru6)m4C{ODoN!%@Vy#h2-IHxfWW-F(7_<_|2D1(BIW2w^Y3 zxb<@Ny~wwS;Dg`N;scF?`MYz4SMK(3Ol^`^WE@c&c-{f6!(@LkVtJet(z7?xAsj`hmy0yVXcbUV29HWeDtG>Sd-m`jQVd8#rj_toL zui@_xO&@MfE4YPQyDL7o6g)_pgB#Kk5zIE0qZJk&9ovvop=ig-WjwmR;NXcgM^N6^ zc{af~Q_7U1XHiYYj}O#Hv7f#!w={Mj@w1?a*7r}Pyy(5WT%UEe8PYvxY&hVoUPi8c z_uH*gwGzilI@u`st*br(+&p;kWXxl{_c(NV9EA)EhCeT`Sm9ym{$^Dm6e(tFF@@uQ z&#ltde)%C(<%&t}W^-Svt|E~||3izNCbfeUDj+C-OS^3}lD4 zx${Nl+fLn7Do<%Qs7+FG%SMk$NftYRIQz>FpXkE(l5waQ*Dv^Qw=*sZ6@l&a|6mCB z$qqF2=o2osq*|fjZ=5^%w551%o+Ry888zFH8%htNG-}Za9tW(Y7WX81s3s~R^z4q} zi&uSw8YYH{HUppW#}B`@(PfCeqNK!;khuwq{_=5Ig5dIY6ZYzPJnR}=Uo!` z#8_MV_5O}4+v@OL`#<7M$%Fj`06Kh;H-FTd$7OkF+G(*$AnVuD9T=Lc@-VqMSAyMz z=tAuApR-fSG;k#xd7S_a@y(zzUZ*JEjHZmII^X~7lm`BzF5eSi`Uf-03jI5t$G*qJ zMEs9SnAQIQTO0ikwc}3|+TZ`zOIB%C2+cmV$W(K4Q;N63?=KE@qTNQ=nbuGuPKdNq z(jGN{dcM1Kq+_-FXg&84zj$Pt!Io%^RSlogp#le_66#qsBUCxS&4AOCz;k&wXh*@# zu-C*eZVPCDL4QCS1cgAw!0buarv&5^2jy z2F6Ei&>_yBgJzZeo<FJ6?(ad3k0gS;A>O!tF$M>Y=`hM^prybU!QNbazJI!y@~1|8 zJ?um(Oc1eTT-Dp10zFwWX6YO~#5a>AEPez3bY04a^+Gc8xw<3mE6N@1+xRd9qn6R(vilP#=xA?in<3h?G9Yx;!6T@*Xyhr~wGi{AZ_m;8=(cB4k%#JF z^lmS~DyhAz@XJDYInUVXoz9&-^=V6Kq1ek<m&k zp7nQ?af$=vcSf^(|>jeMsQv8KDoa9|P}5e9oDKFfQlu`7t%o2XNq zGf1vAUKG@U3io(5m#7P#KX;|HE?j?VYFA0!Xir?pxV4nevK7h7%4qL8o8)>XnkmB{ zy&3%er(-$ehN51KiWkn25Bn#ZU*U^iag(jfQCetQOBCiDC&NcyBocpNo%6!V=p<@Q z&;)ER*-@3tvt6lMrIU8J3fh49qm9@0K3Qq?@mvzlX8n5;GWQLK)X7oz#IY@-Lqwe? 
zAC4C?j>OwFVo8-Hbw_!5)hD*AA*X^8;hwv9)o3{FO`j{RVhm4~f*Zxy`8lw%Y+H|o z&AIl5DaPwhfkyO??(Pd62um|{YtnvE<$}4L+!CG-U1MeIDM?VOGTgQ_A2O?5c7bb- zcr6%vAiq}mL&{=z^$eW5luDE4T)z`xgyhz93p-uY-S`RKfB4{NlSXj)>{-<`S7*8fj zT&+Q$w_isE)fQVxUfj-JcQ}fi`t6lY+xSZdYe00qEp|o+kiTXMPdP8&yq@??qy2ALb?o1ZAbN08YK+jja0=DR#{*Wi?m;G8l;){^AFA4F8#Gi zm=YS|8B*&x#o0q(VjN#j`yf-S@40kj7d4McQQ!983gleo4cr(*Cuu7yNO*TQ4@iY_ zna-z(Qm1Qh%IRjy=!UMN8;z{`pv~;s;JniBV1*BunoUg#V!i-6r`fDL<~S~NkLN>h zw25f3jzpPn-mm+oknvEyUp%`%ne|K!vE0Lh{9}*hoSi+!03d?wPk-!&)PLN##~_n9 zKB+4@%~n-bv3|lAZOQ4!NiPqoqtdUXFs6iWgndTrHG%Ok9xG z0%To>1gk(Ls}d!egVva4l0&d|Qe}=#iBSm$=EQsS2`-0;Az=`$qU=hw*#tFe2=bXS zY=joTBtcF5gsKt>Iv2D2mk+cFKXD_Z1Ml6Mz@7>p#^>GT8`%;foD4L6H&ohJGr{K# zCD<6ieT6Cj?Ol71>q;M}=1P<}$V*7lfXL;Ii?5tf735A+$gp@oT4P$Wj+SVF$oFsM z(+HjO0N}t>j{*MMKNyr+hU$E4DytJ(gR>R{0>L5`Tb;^6BrfvA@v~5x6Q#iqR5HYF zb2y4%&)68cz5)BK{j~yfp4FBmRbw9Q_%&UhnfVL#mc`;Irg2q-Op7hr_w>@=3zy$S zWVJP=5XYlxUnlhvAOzUsIUrX5_MUfDv;oYu)!cgRWQaIRYtJ8INP=M>xecWh*@VaKUZ>UzpiaPaqR@*8 zw>I?~eQXEVm(x_Y*q|$x>N8zSTlB{dSq-f;C2$l;mJm<5Yb&J~`9GL={P+A1Ro3m= z3IQf9tej4j`Yrby@XnSg+CkC{vXdzW0ckneVU7BY73ZF+t+qGaPso3a#!?)9k1cVf z_KCPrv4dm0a>Rv(adN2$!8Orby>5S<2bvQ;QkHNdzV5c+E!i5x?>E;&`Y$EN!KlxB zMMhhXtFsUy|J(3@;Z&5=-dpYmct46LzB02CCbQh4c1(^#!;RxEs+LsKy8+z(z}cRN zeBryb$A@!;$(;&0R@BtzD5B?cEIXR(Dmcg8$a^ZR=lc&hQ-84okQ+^+EsW`rN2GaWog89lnk5~Q=rW3@&pCcfjoU{>k%*)YFpX0oo zVI6dE0gPEUDt>7|(BFZJu%?B4LA{9sa4<^Peo{Uo3|S23wV6j|G@>-|7CM>FEmGCc zs7x44Hc`^_I`9?vT^z`-OA#NBmEd@`6zLzY2ikFhyUKcaJ;SFJ-3V-)N*m5pf71x5 z+Fz$8lK)~7!-gS3KgShks2viI89Pp8o!xczPL_=LhHJ5x+}zKF^p?sW^!Th6QW!tr zH_H2z(u{U}36HFeh9T*^gJEr-SMZI8HVEjkSve(%mt|AR# zfaYTKOJ45F8R=1#a$~(UGntpXf7^zz4sMt&9{L9zV1uwDAeSHWa+S20m^rzRT zu(l?F-1l;-L}R6{!_KB=>^vCk_rX5%zhhah&|ulCt)5DsbDmui_r43*{cEJXChJTi zqR+axjV*9wov{<5|6o4go8Dc}4_0O*H`s#XBqd%OVuYL=--cd!4R#w2Zm26o~W6{2C+Q8tFzm=S}zoZsTHhn>`Dj#zwbTrgEyKbIQIaeigIs}`esF-uBLSgZO6GvXE< zz6H{Mf*LUU_c%TWT+p+cV@b+lb`Ygn+kEXM6Y)4xep0W?O;w4PD7^Y0$f_vaR`5N? 
zB-H7P=Qo5t^RCOG0{p!{Rf;@-DlTGU^8#Ft1(xTT=qR@gq_ zb*kT*?a>pd)l>S=mRFV&IDao8E%BR^|7gYTlWH9myF|_*o5YFMoGZ!G zV&nV_No11hCtp=2Q!&Xbs^AdkC}Q(w#krbARLTL3dw>mZHN3;<4R37;IVUCgmx|db^vSRz}Hj#2c zi2dJkcdo-FxkSk)6oQV@YnbQU{L0cbtL|tkJgPA##62VFRWgRf8Nj z1I5|cZ&+~TwXMBN&}|D_Z4B6(W@B&8)o_<|e2;fXt1<2_p3F< zh8@WQGXxJw^vMaX<;`=@N{8qZ^^HBXg4FidD%A_dUmWC)&enf0u>fIs{hQ5WTe#zF ze||N#e1a)<+m|l?T*s|^UGQ3{<+sGq5JF(#$ic{|b58bY2c6XjMMI45k5ZWWTqfdx zjZpUaCd)Y@c&F#c^{uw9MMhHNjpI`8*W>mD4(P$FstOy_tk}QKg6-bu3S&r#k zfss4HbdPJx%S|3<#r0YA%cHVAio-@z)U{M4RQ-Z&2|@KYYi`m8R$P~)h7NO+qpvGd z&0iLIO11~M?c`j@HlRO#I*ZShw<0>I3%oN)nLAQnSp7J_VynQ@J8U?LlZ-s?s#3O= z;?;GYm+01POnRfWZLO}YAZdBXk80lJakg1oC=X{}oeZ%rP$qOO$l zLt`Kq%QK|V6j?IhLcnM%R)4H+-%_`Kyl?N<&2#SGLQhh4Hp#(#yGrjjx>2GQL|7>N zjO|`sxGcgzllH-urpBxrbAKrOH>2$;i=fz)x#tO(Eb|svU2o&fJKH)z7d=p6oDq;`6XfPLC};i5<&C!L&b!@@asZ zuRDKMO=xM7Z&47rIgdS2=yB&aKxH}{COGcii%15HT$B(&eIs-wbcGCsiF*kd_CIj< z-jQar0dGJSihG=e4dQq{>@4H-u{(~h+VbMQ0Igk;d<40!a9GYC5pfJ9A~)g>LGz zS|FYnWN9#-;LWtdcCIWb(rtCA^rbRmW}UfAM}kTyAVs5w5=NAdxH2*aGj^xjxgK+o(PH(DE((?K3GxC#CQ{ ztrVtd6tQh;VE139id%j{+r>(+j!(Y!&iL(Ouy#UECVHc^?)S#SX2Ok$zlsI|Q|G(KEY5D<`OI zg(Q3TwZDY;?zTeh!5vqLflbujYKm>np!$z79O9`LwhT6%vftwPy3~fYK6#X~7S=x) zt6}yIifXN>AWc&&X^~K8i~RXR)GLBZ%@OyR4-eOpSMkVr#E-+36XqFVn};Re%Et; z$BC>$P*k>8FFh|Be=Kj-vh7^RG07hVfOme4Jd|Fl-9q?&toX6i#W?183aplMKHDsB z8g^z}j-ql7OgFm|??XRWSKDRSIE@!$)9&T}DEbh<*YuNbdx2G^!ix1H8c8J$x5dkiOP8;f&Y%6fWTUFt{7#_#vbtSdH+g-c8o)(73@}jLwY0*@}`w(aMtG3K6VkE+1#>eOm{`yrpSqc$xW|(BC>MPG@cpr~{4be%k zkfIHq+H$EoP;VwF2Rjg%Ytpo^Mz<^PKh+I+sVQ~RF`FgCbZmThpnt-{qvS$iFtGFa zRd*=(GC94ExTm;2wd5W&!7kS-VDbB9Zzhfxz0<1bA%Zc*(Y&ZKQGOi`%RagD=W*u~ zkdDFDRmS%rv9U9Q6-imZCY`2&=XA3_Ky$COOfhMXXq1sxu)`5lJ&ag>`fc~r0zBxQ z88Vu4Qs2k=2XxSWU70E4G1!N=LC3`3!!ymlznpKy%hAv?o8nv|)NflAWhgL9cS-pM z+R?yXd*b?t@eSY{d-pl&*AOq+#K+NT5kNcIuTYBU?c3&QyDl?ju--2@r!BFB3+zJe zC&wpqFI)1&94NE~{8i3?Mf>n~qLnf}%U|A~Qq2^9)P|hu{gTIc;ReU|J_ zhlhkn)B3!$KwHkDGHC%GjL5cRplG zK-_z?ba9EArZNL=YK`>d2<^eVyEOd?q#})K;W_CQ+!2qE(FHKUB;ZNlPkofQD=WUp 
zEnBsBtvPFLB)hy#rS|hMrcP|t+4s|lohsj0?d3?M3Y&;P)}jHvwhEXy-cki=HKjGi zP18KLWlz5;h!V7hcI5jFg{zuY^J zM{i{}uc_S{8Eaf2M6M(Kn#$(S*%BsIwTzMKMp;rE7;o@v8Kvt5Cmy$^=?{ge#-d1S4U;*S;Td5 z)d2hu7v;Zk8g}v+G1J^K?<%6?kpYOh7?Q3P+*INgR21us%0dipvVpuCU!eO7bSJBI z%qM^T0=dG4Gl>$FNcgB4_7A4IA;d$a%vbKi4hl}yt+mvD?-mZ+Z`%NA^W*3^;f#3fMUuz2t^Ai(i*j4AkA5$)$E zmaqVh&iZc0nT4TOaBMX$@tIFLAL!JADo7t{&3&X(kK8kb#HZs&`8=mkMaaazoGQM2 zj3<}4COzL%UnBmGdn!m6pY0Y;aZd8!Qoi&LrcE{C0}9mbPVFBI03~fKL|PWr6Q8e* zEdN9oQ|VyY$t$j(I=dg!npJJcPd0YG2=sC**b5a6bb%gKI8#2X_CF2DGA)k4!NvZq zXw1e_?e$hQ-$&m-5}OMO$0>ly(*${~x3mjFEN57UKKfeq5>&oK1E$h9s4xpN-AmEN*pyfezAFfLp)O)nGjr_ZU$npj=qDds`~b?<%s=# zf8JmCql8*F5POec7CUz73Ce>hTA&m^)&O6__3+K=n^8nSjvriN7k6*6Uo{vxm`;jRfX0Tuknkn`461#Y=v@G!b5btE38)&8ujCG`Zg zmTZ$SOcXQXTwS(+$B=VuCyCMx$sdjyTgGJ@SQFzJap%Ol;wLWkus728J9K*#oxL-Xf=b>SSVbzVAiFgpuZeI~&E2 zxzl=5!fQPK-A-F^n%&3GB-Dtq{=0-_Dt=-j*zimM0N%niI z{+XTBYb`y}4fTZe$n}%pd(9H~Vh7EXbF=hARLn}XRF`H>44%f#7sjHmfdMz6M7}+{ zMSpJql3%huJ|UAvw|KqLcQ7Ap(w>1apKg?oy_N7ym2Z&6FMDs^tZAFNYn1CD;|EV9 zx>?eb6j^L(6HXXP$YeEw$!hVa&9=D6?ok7vho3NI&wmA(y_%g4hYrj~SVy*4Uj2JA zVwIF_b}fD~TC+7TIzwd?)%Rd-0^P5S)=2oClpBp0;`9Qh&unoLONE*8v5Jus0gHBD z45{LLs;eGEpDTQqZuun3f|=24s4(Fuq{qMGzr!sM-x6bC%q6=E%`>OK2HeY#daU#q zkQF;7&If6FTa=ZSTx#84Gg?)u&h4e_>Vt=h;6LqeGDLCZ=_GHQj)=3*CdJ&?`=o`H!VplT5O=W&x^>9qWDKhA)&Rpqwic zZkDT!Tho?eoRB40m3J@pWuL(qj~GwDw{k3zX7;vRYc1lvzmvV#_XLn_YZu zf!mMs&vIPw1(X78y^4%IHtG_BL!bTcqD?B>%)@OE8hbT;2G`4p&~h*7{`4<*DqF9D zKb`S;p5Ituj|ZL*UFKwh3^s>rtWiS8wuOO)uY;<@s`+s^(6JQpWW^q@jA5lXfk-X*&ir!j*VT%Ra}7 zYW8J1*;QqNWL)$Q<<9d(fE;t%GBCjd)Hh!Oog|7ZLZvWV9Ulota+ZErQUy>YbH2^2 zX%f+tUasX@t%ynGiN@^_vj~nX%tRUT42l(bZ*{)FVf|QVrMHJGK>ywFJMehxBdIk_ zhLl?(y>ji4f03o%HS3fKNPm}XPZ)BnhaGxHwp3k(qcquE(DgGd*If1Ro5l1CP>^1C zUfjt+W#H@(Ofsj#D%ZBM@;Gz_7h+`(5RA zUXOMk-xckSguZBZ8lf=S8gQZ57vE0W@(M7-v$PhJ&e%0gnwlEJw=tJ1yqdO}`M=f4 z|J2O?a;>cK#hx~0P|V_ELgdav9)&TpL{q$!!vaChj|IWr>xa;UPZ!|UQUUO~p`pVPC%be>B+AS}0M)ZKs zun-L2r~WwJ;S3VAF^V`jIoUyM_s0*qp79z<+=f9(+9}?VO=OIXZI^NHaCr~h<+-Ly 
zcQN+g-p3jRulqI{*fH*Ne?t>>{CQ_;=l*>ErOC)R_u12ZO0#pE6tt%-<@{2ADk6@^ z)(z@$uO7%GW79{0wz)T#g#x+3kA^>`2iR*zjbjRrsNO7b4@yFLs^uS?d|JK|H+KUC zii>2@sx_)Akaa`dxfmpBfC$3Q#?HhShBuMCFg4f)a8rKS<@5{pEQbw#!PYcocBSh0u)ahi8o!SmKlakSLF%--OJ;rLR9j7B;5OI47Z8Ihtrc957W^fYU4v%DzwG$F@z=lRx@SwR@%u9LD>HCUi_ zYH`xkWdz^*)a8kE64U>*kSbqBuE&{=KU{M5E@!)@@fIW-QUou@_u3yP{?T#4Wm}!K zy!~m8Zk^15|8Dfn7my-%eZ$T#(H5U?6q4_mq~uY(HP*& zxQnyu?7wblIRyI~ZO}W|+7ZW^QgIzi3Wk@(t_E=&T~fAm&{M)u6aPfUKUrCFr6FX_ zO*vn+Xk5OfV48ZspJCCb)4-Z?6O^kD$noVuB~HxAQns5sIE-gp%7yp0kwRV3quMNC zXc^Y=bG5<|c49O!s$DN->2@(3i@!h@hnaSkm4b{b#TcQoZhfwn?4#;=trlE09`d>d zVS_&LFxvg?zyZGJo?`nixR|c0>MrI z9sxLi?!{ef(FWO7!gG3ixD?Qcu z_e7<1c{ss~F5hj7E^W+Y;5SLoP@}%prZ=GNz3m&$@n9Ga!I2HMdCLhGW{%_tGTvV( zxATzR5wrLECG`EZO|_$GOhj}5z9HQL&!|fO-ZZQO)=#jSeD23(%zW|h=yKlLue5xj z-d5ik5|{M+vV$_^8Js)o1J94vKBG)@#POLg zcrWx>TL&6rNqm#oKt;DMe*Il5=0MQV`em3&;N*yW4lph5_wss z46Zvssi~ft;X<;71?}X^SpK!eeP~DGp6R%I;N4K1lt^@F=F7a1HP}!jJ z3ukMkvorI(Tp4sU&%$Dv=G`s!D#)uYRtntw)m&=5q~#O1kzLYe-){TiGQJyj{?t(w ztqXdOJJ-GH|GJ0sB+VcEhWGbq6AV88HZBuYl-)Mmo@!Tpw3v2nb%0Cu-S}@!daiZJ z352nM$O9MW^fIa;SIH|;Y0#H=zpBL&pDYar(0rDWu?y??>Bqp&jbSU(#=Itsn}$># zqm{~B@O>E-6f9{)+wvV_*#u6M)*zcXNSk&k##*&4RWR5d)|r_C+KHKb5inP^`)SgN zg|(NV3uZFNLyjsAP%7gbe^&F@=rd@cY@%frdlO?#Fk6agJa<#a7QasrZlyWFrU zVg3pNW!KhbvJ~20%B#EIJk;Gnvvz^&4?`rw%?}c1T6BY>gFuDKo)OBpVY@Eh;VX7h zyi;#q1o}16PjAHs!SlE1>Lv9ti}Y#d3)*W#T(A!k!WVKp6v!{5+Rl3^lmWN5<+We* zK`Ea53F6Td@%>*+M|*~MAejQi)Q(?R#wqF`5e1}{M^X30WL268YAp_Rff5RxT;93D zuc!Ebl4(8?kYppT54@IxbTIV%Q4a2zvM!|)mKG}cGI8;gbgX+`mhPgsp zj_0PdAw#8(TS1qc+++Uo)A-V_Bm!(pRo@c+GeTl>NWf`Al0Vll2h^w?1FU0j$5X!H zdq{fmZ;+s>`~0@+*l@XK-=PgeDr9XsO7Cfob{|_A+UCVDjGyl`K6S^I9j1<3|EWce zh&-!)>OWK?!|#p|6@?4ITR)F_iUA@zwDgdS+?PK)VDm#Jp^bc-ACl|N^E6PKmMxl2 z7x^!z-VN$FtHk%%qL%mEf&9&s3_po$h_~Mm{fmT4C9LZCwx|+%uAUg`9VQ0;w%}6{ zZZ$|~K%Pw}2lkLk%4-bYK+vsCg`Q>uh+f>-Xe2*94BBE!)YD^Tj?8T=%w_jlUGv>| zt(uvYkzo&B^r0=YW=P4et|r9a3#8UhfzeI?)lSb{_$duDRy=)|}s0#n@%P6%iBZXq^HTQjKfWEAj(XT;OK;q#a+;*_1GQ 
zQOEn;N8A}DcaU5NjCyagxeD#hm{mpMab^!QnMr4L#wT!fO<{3Wy35j|%U`g6-`Y3gS~P7{R~cNQ%RX5U zNjgc8_rtUoBygZi^AbOp%3m?J73d;|{dL`mNdrGw z_msygJK+zN(6=?5@z^F$^VjX0WrEXA3B}TWPzT_lOEITPa6}ZQRlkp&4~bOn=h{eF z_n;tNX$=xn{!v_grLpn|qL1OENqBuko?G{_Tjvk6+HU5wEoCF`5!KA&zMkkMS!;I*n|Qy?=c@Udc8B76N4)pt!)3rhBtyfc-wrfSbwKl+fh zIx(QH_Zo?*YkzDP0&>8~T)>+}t}I!QqH2umjsc3t?E719+21VWm11+)SgpCjwXdy_ zwJC2aFUsXf5xGxpD7(42nKHs=rWyhGYL%Xp<{-}$)brnUXBlbseblW|Ivk5Ddpk00 zEH>}n9DgHDP&P0z5TA+(Wvw}HJ!(&wGAV4Xq;y-XD&)9A!bd#AY@;Gi6+i+#2b-%)gO$~R5;gsE6?JX z*sYJ7aC0p1@XYjMy09u)567_Z&3DV*yU`WpuEH{6G(}phZY>Fd1YMLfr@LK_87kk?OHW@+tM7qUnytiGh-rKIG>wZqA;pr)5LVg^BbXkQ`DG(=W7<{m2imS%tr z-J?xGPg2D)5~WqBMSaD3fgmzy-6am*^KQK08MsU>!?dUeZRh7HPjjKHr7<~Qecvv` zR*XcPAT9}o&(~?#Mk_UqukgK2o+B(fsqpWS z>Ayez*UY@5)71R90S7kjrN@$nRg<}x{nYZ#tIi9!tJHq*1yko5Pw6f?4UKO2q~nfCKIIw|GmOWHM6 zT4skM&}wHq5L+x#nz)~=gW8{%hSeH>>lg7Q8@@3tuouAn;b58d2&wov9SU-4Es%EYmyyU0Te1FA6Wgdkb1Y>AWDYn92{A@Seh|3=n`c(7riTXL_ z>Cjn5U&5ZWATGKK;UP+VkEuM%@s5xDp)zlV9PU9# zIOHt=0$Od&n~r-yi_Zz<=?c~oin-U4mUu&Q{dNxYNoZNymFcIEnPM2bs*8)y#cNW{ zHCVFx?i?*mnFaRuJNdCXS_r?Z(|jk)VwB|Q&-q{o0hiV%%S|(9#s7w%2K5W;mAH0LryaT07DSLn=|R z(;(xUTqt?cb@76Ca8t^Q19t#GE7pEafWpU@QLZ>xwsX{|Mf9UhN$e67Rkb6p`%6JKvNZR?xr`IV7H^A0pnri*j@*lDxa7!}9i%($JN%2C;uU%70|!A8 z+Fw|Ri)lj6(2Mpb>jOoJ_sV9>23h4xG7e^@#)<4GYwqHMe*PG}75luy<~j47o7ge1 zCHJGZ8c-XqoGUkr{S9qS- ztnZ5PY^)1D{o5SeF}+&+XLAb&{31;m5Va%3$PQX2BT$C`HFY33&nCS;huWF!GuvG) zxLZ@`yA0vnCq^OU4*R0u0}*d+mK;IO1Uakz+L{JuzmvR@cC+eCc$!-9duviXsk$lC zbeIU?4!~K)`^&hwN&_p^Nw4&3MN#qX7)~Hfx=YBmyhWh5$FV+BY=SmS*UjhZ zitDTQQkjL#jpb-E`fP}K5^-aet@~yqkf|1Xs|oR4!aH1wsJKB?aGugkU)`(Kro>o!_T9Ts z#axTC67TrP8;(_O+d4c9k}9^sy*a4uJEg`byQkv$c^7~m|NYqIahhhK8p7nz1Y!)0 zVcgcPu&MB~jm5D@vGr2zY)ij8BxJ>E!pLh~O91`@u1jKdaC)Vj2|97z%ZOY!;>3VTH z1@h8mC3;`N<%>RQ(!Qk>0|5eMsInVHKR7sMdg0T8Tf#>oFLq|O7Lp|Jq@*N7KcNed zr`vKe7iqx-5K!C}2kT7js4NTFP04VNE$bN#7h2)nxr8=WVq7f2KgmDOZtmH*C{C3@ zXC2;fp*54iYrtV?jQCcPs${?eguP7n|*{xULH;2c+}tTe$= zQ^Ra!UzxbQ^fa=&97R{Ykr=+DSbNgl!-}Kww;Ze7ylj8$a6QQhe`aH)nVDXx#q@Ub 
zM%1*=zpCPwky1P)sBGV_Hu4`{7wtAdzBM;&i#hdi(-=9S9#(POn)Y&?fIEMy#+3}^ zW$SxI$ph3~;V4Q)#P*C2kJaQE!d}C>)SR1Iuhi$?WwHD2K?jIheOIPy6^c>&b#3N{CK&fJGuyF7&Q3pBdNcCH;|e=4_4y z_ICoKAFuYccF9bCh+=CxCI1AYJXpY7I?I%L1yO9g>5XB?blB@=?K0XyAt~!`mF~6h z0n<@+dWl#&GPFnS6+fFk86Bjzy_>x#7|PyotBim{72}@Uk6KrTQIoaEoe&QF7;?NK zUvapE&XlP~=vz6|muo;O6X>O4#sg(SG!48>$OqEBSlU>|tEo;I>)$)Fdp#-Ybd`Pr z-rI28haDfj;F>Uqy*dMwYLT($?yKMW3PatO=Oz03VDe{a_fb7i9neriM{-r_nPuvFa24=+&?cp1fqj((=wc1d^8__Cb~!B zsSKtM$INLdhZ*s21on$X($Q|UuQ6=FKBTZWr_ATEc5z5)hSAea<3Jm~x~h1wr<%p- z5qiIvsgm{Da##VBBnNt^y5y+BB_G9aI@iz@AH%01W=hkEuptZMOT#KW{WMt4LlFtv;(Zd|l@ z?V2?AL;!VYofDqD14_QG>DHV~w=xm78NrT>{-)zFdYPw!@ed6wx_a0} zTikI8{QD(S^63yowTM73xBO+jt~@v|hS;vZpl#eZw=a*A@hMt*)`-v-4Wu&kqh6kT)o68vETQbHGDtB} zoGOGAV_!KRQM4pykf-xN&-S}RVRt>M-`3zWloZ;gsq}xy6<4GrMQstZ3D?)vA507atKS!PrpWmzq^2Y8b{%EihJep-*D`*5*#k5y);M z3uDukC>6-6RMgR9$cAA4ox<6Fh;{#qsM6zW{s~ztOnqF|TWvxG(YH74b9(MOJMF~= z_uYb4t68G3x|kfyrsG~&YIq(WT(ymX>7`-zUXHlt0BD)B-1p#Z>HazozdYmmDm|8Q z{)EWeUR@uPEx2RVdA;Jq_-c03gw^}cxtz4~7n^RL(1%|2Xz+Z&^6-s~3xi>|30#^R zf0;Rv)uS$}+G?NP5$!T`K4+<+pC_`I6a(VwdcbT4Ya; zLc|u!qaOV$BJP@pBo-v7=$BS1r?nb!d!I=@IOj7hQA(@40M)b!AGu+Xd8aS-o7p}^ zJqfJlcL|gGjk8Whu<3S;s1tbv|Inz+kg%tXPDW-bTy)=Eyey$b)~G|;0jEfa2)($f z6&H6Xx*?W=04oZ+cX!6-d1*<^DA(YYqn1B_&Rkm6H~avU5Vi!e4W+lJ&p58I<*e&p z2tU2>ux>T%!37^*d>KuMZxx>}Fa7|U7IGGPMGC&XCuThYK6HgAy3eC`6MVkMU+_m3 zb-o0DS@#QiO4;UddY@OwNn@|JKeNEM3FmT|sd^Doo^fGbIk}xw1L{TE)=Bw*jrP&x zk{~a=xVczKCY6%@N(C%9;y1HD329udi>^6vwJt8kmBvAZ)08>o(Ygv@@nZqEYgTKr z_<1z^`~x7##mGK?;rZ2T_%w-2l2*KV4O@?j-I!RhDIAJHq#=3S%#(J${RUH4xOaMH z8gy}PJ0ag!XXuq1h9iw)=6dL}8pd&6l8vQmj3-2}Xvnu}JKrO4X_$L~FaY-zfOF(S z(;^?V6B*VUYIVk_wv$lU1#n3aO3yKz1$XO!g(diHjDgB0eawO{DNbM&oBzh)r5?sija8*jUB?m* zPx8|Cv)E&NS5^w-fNP}s4gD#G;?VylEG~`4Yt%N61QwkuxHWy!xd=_lR;CL z4`*z%L}k3&Xi5YB>77B>#Z<`eb+wE1f-F)XBnpt zl>8$~YK=bcJF?=o4O8!VOPjui^C5OdbM%ud%ruYXbt}G$C_!Hx$@z?;w(X_HzT|!c zMyV3WQ;N;sn)Gfu_yeHuPOzhOM?-+#jypmhyQ(oNE=$~$t_e|=dqq8EhJdZvR7ueeleDDe~Caulra 
z8xGdvfI3jPnR*ZB$+zkDO(qvLHKjEkQ>l?D%~1nXwTbb+siFTp8uMR}3-P}uN;U;*iB2+c41&*R8VZZ01mSRI{EB3}D?Fj*Twj;+p6p zd%+^#@M=T!?!>dm{+huqIeU;0K#CL1HOZ3=vivHmoXp`Y8%e&qdV#Zt6K!r!q~x?G zgfcv3``*kAGe;2l3^~r8SfKxz`6Jw1Rs;Xe&xm=p4EY#`?ZWRP7jq|DFSz!qJ95AO z0Fdu9A23GJ&h(j6L%zXR2%QhBG}(OBSr(qY1aT6~(m1v6_c$|Z+>kB->UPm?nJ7=9ujuUhuv1cV#J-J~ro=sQe#jP*^HulV#0 za*}quh>4nQU0B~_(NrQ@f>3ds@oCVO&eb{tENsCjOjpIL_F9b}x9eZaF`oxYgUP0Y zThhFkG-i}#s%Nu_ru?FfkAij6r}dFX>S@%aV6v;0b{C;ZO#>q*E*bSDW2oW;SE>q+ zq;2WDUW_{yLX{)d%Ywxm5$2HcRaHyvY0?>j86MPQie4oocUqB$F*s)KE( zNwB>^$NLcOO3oMyJgJo#yL{o%Se7z}vGjDa6w|DOptdgwxp@R7{qx8WJT)uoBR{t% z@0Xem0xEfzb|7aaY<)(xK(3u&2Z;&&4JoW@mnv~{`z`w+;qLxQ;p=Ztdwx!rzO!V{ zdv&xLovYrWTn9p0t`)8+L0*3DL{jaV1Gt;?z;sLb$2#2*&wG6`nEUBXH&=yxEsYgib)|R16p68&&&5gNmr2M+Nd{ciq&XKs#5iagVx~8GdB>a1`<}wCl%dJ z#vAtx%)=_8*X)4G+vAPZar?P)N~JldHC*)-Yt^1wIW_9y1{I2FIt4O|k@$O0noD`k z>o`RXq!o6mtH(~;GFNscR@EFU=_kiBsv>T&pj6UFxRuFGy)I;9eVMc$M?_I#mmQT% z$%xHYRr~&ZK0s?=y6kK45|@zKF#&vpW}^a%UW)6c5(?HhWu0SoIJ5X`7&-kv+y4s) z>tQj_-xaz3?O3CnyT07Q$_NB!0?(9zE~vS{00;B1O<_~jBmhp!SA;UDOkHzdMz4;5 zqj}2Vu(XNg<1Sebto=PEH77C5;m3Zp_w!4u;%bUiU2g|=QNndHKdQF#CBcSa!p%KF zO*ExjmsDkjc+?QB<*4`!fAv@K9K`9)y-2%9l{{Ok*W)jm zO@Y+Ft6@>imk%#IzZpJ#;QBHtN&cuGwFZ2+GDPhzdcK9f&hoRV6^Q{nDFeq;`M4xn zzt$PUSfOTf*}t0SIcP(-I5c-F>%NhhOOVHknnq;Wryukbl1bDlcGvA#*@LGGNB9Jz zX7W`cQtWIIirG2#5@6xzum1v524pZ=ET`BSz)nx8%!C)fVTHm z{=4_~s+G4L>QB(?;@Lz$-vPh-oRwf?0Lks?-GsH)g+VDSoG;F;G<@`Nw3gkBearA= zwGHca!{`^c2cqrt;^B!jZmroIvV}wiimvTQ#O3VNcV5vyy68`Si$d5-!z>zJ#u*!G zYswmgn*k!?(23$aoyl!Q`=d7o5C@M}eRg`PJJh!DNSVsLrHVtGUz%Fgdj-!YV0-`; zQ8o9iE_Ro~!>KaHWkygOH8)y6H#^rllgX^)JcCi@qgY9*u*=v~M_*=zi1BbeSF3?E z0dso#L|P zpjtwUG~sz*P{`k&qJQ>e{f~41s&eXoGG+LWsl(r1mma3oozSK_3G!s%cfOFE31WvO9i*)uMX)JZfc`)`g(7Ey)8T*~ zp4CrW-l$`o{G1Ar;BTW_{P_xV$%`*u-C$!_F@XH5qdGBPfnseBM~Tn6W(x-Xh;P|BwxLll77-s^rid2JsnG2|KVn9ATEp>~)69ImzjY|Qv+7i~P5_Q^H zav~z84Vk>&Q^e4i9Q@QYX>#V!lg_S}@$te%Cyfpk4aLc5$J=#l_BudB_bp1A@Y0H0 z^e{7l>jkZ88gfq9SQ%z;5aGbvKW**CX>Wg{i-1yvs812~zAI8o;%PA75lMcXFlo@c 
zxXICMVS_e*oB~l5x52GS2!2&0z{6w6!-J52(tZ05M{Qj1Z(a4D=}y=+|Dsu;subXF zy4U{?$CO(dnDdM6+Z$ojri5e(pJMZR_}pK)BH_m5FASx`G$aaqsKDztbBT6z20RVh zs_Kp;3Fk0F?3aC|)1x8jMXRj!?DtArDFP?muzNKl;7xLctCEX!-|`lan3wKmF&=CCqg$-vRR&uHTu< zEC%aqD?=F7kE%&a3*iXg1oa*3fzRr`y!itVUww+tgo#SR3P*wK_IK}Ig4*sGfv`dZ znJ3oOSKu)Zn8q9|HDm+UAdEZxR)jx*U#Bl}un3}C^$*~!M|q{S%KZa)k|O`_HvIqQ zd!YYc`Wyehd-K1a>VN64dqfMb`lU{@U?iCp{dT&DiYB&8$AMS=oKGFz0%2?PzZCXYS7$ z08>sHBn^Org9Dhr{s4a#0g?a|BqU@cL=1*3rIoddtDC!rrNk5ZQvU76t@(T)!imR$?AhmV%4UL^$-95d~zW#xU$*Jj?*}3_J z^^MJ~?Va7d{e$z1%d6{~+q?URzwCko!2i2hf3xf#?81WC^$Gz29s%huyWn1Vz;<{n zgx8cDh}hz)NFSZvQE>(!<4DA0Rd&3g=2APu{p383f=9!>PJ8~BY5!)~f6lPL|5uj% z&9MK|t_1)pJRGd^;IRNez;QGEIuLE?PDm;PjA7+G_&yW9pL$+;=*UzJMB@xP)muG- zF)+OZr^6E30iR&Qr{zBo(*AX_lW^Vm0nat+3GVwJz_*+i%uy7W4q$aIcn#I~NzqPK zjG*lw@A3!mm8-Muie;bt4jv!I5~Hu7g2?tnnSuKUkYxemA!;XRyGsGCqn=efzZH~u z0rbGe>6vMqzdiujA{e}vh}3_#=)b?C|C;Bh zg6?iV$4XD;hWzGpvW4l+bI#Bs_gk_jFVB%Nu87Q$mXT(Q8yFmz?DMh$zDWRhTLb~O zWXHfq#14M|*)z2z_#K%SG?u^{G#DU1Zlka9zdKg}s4B$DZWvAoX73W3hWi^f&pooB z9ymSri%J~^&BopPaUZoqG*=#QqkF#&QcyDzEJ^$N3VP&!2hnykrswX*M{Oy<(yQ)L zGWa)x5uB*9*`!qc8OGtDUV@jN5pt&W66PZ=KRYd8d9*$5@tW?fb*q)+!+xSVy&GJU z{QCw|>@R~U!%a;G7ARkmreUwA4z$}_I@$FNY>?h_OilbZ$lVLVMHc5Uu<2!y#Bz!XEek#9Doxx$y4A{PfZ54`4y_XnGS^L;p0mdUFX= zY$=4F6ox6cP)P^<0hla;pYb3Noz{QQQv9dYhX07TzY1q8-zUP4Nx*UY%>T-tR7#WY z2c6ao-p`1q;fs8kwmW!nNTTg?_ImB*V|`T+;U;~>foS~k64Ia-s$wAD@9M zE}4UcFhZ@u?fu;4J!({$QcRcqS1KBtSSURFQcCFYS>+<){v!3WP9Gs5$yI){zpJ}S zZ^xo*6~<=tiHM8(E=fu$+EF`+jBNoS(yo14lo(hrU}Atz)y>hK7U82|-IqCFC;#=a zR7E`=+7ofDwBF~w4O-TStNuMkc%#7x8Pdiy3$LY>P56NOln)sa#kDiGg&aZjeE?{I zao4Mak4Ze^r`I}0bhjAb}1 zETWokf3(gOdxwUyT)$R4Wf}+~vwt3vX|7;ojjm`k!%g-OtFR*iRt9dHY$Nfa?e5tYzixHvIGeR?N*lH>w9k>e2_rlS?q zICJ@R5u9_2$!~)C5rgC40HQ?+4NsfOVvq6lfHc3?|?7ZmA~P~yq`riH}79% z>@&D--$TMRJlXo(wIqXexZN&1yWjT^=*#%JiOXJ}H>TH#bt$<69^lUv@%X8DNGh{V zx|;?0G9&qipK7m+2xAoO%<`o?TCQjRu8S$jg(D)6i1tV4JC`q%QAlBD{;1v=o;N)l zXyF2uzkI%NI(NKHTLWWl#zbC~HUipNlLN4pjQK@$up8c<1{022|9-t$sG(yQM?l^y 
zL+(%VY*ps-UioAr*!Och`bv<<-JvRRp73B1#U`zZn75;^vYxw%&Lc`4-#dA}!q1&o z9c!l7x$@tMzsS6k#(=jqr5|%GzN<1a68avPt~h2Tr843o|o9NBbH|8 zniP0us5a5TcWxCf0m<@jp9NL4i9Rzd`qJxCeg#+MjT);*u1sgrhiRe<$HVgvDj=Qh z-k+t;a<= z52T$yPl~;om6Gb>v_07drY_8-)xe{HTT0n>*r;Dcsm*f7wp&b(?yY~>8}$RiX}P8o zbw14JHGN%b>>Hqom8N`F;)-%mVpg(rajvzqut|Mq?T&YUd0MtfT|JQVFe`!|k)bHA zu}D9!dlUF(HP8{GVBHXv$SBk9CA)Wp`XGh@I8am&Qq$e`_^ER-$o@^!7Sb&4V0f?< z|Kl5dL;H_fJo-`9RyJibhs8XF+2IGgfAg3Ba$i~93$Yess>bxjBHXFS2x;Cq6bd6F z)6WJB<)6`=Ala`Z3>xKb(&RAo-p=T|UK$QF7JEEzx?gAu9qRAd&nJqk$G?(fBq6*0 z+}zLmaqF1(?;2UI4L4%k&-Sf$#Z5mtFYb{KoDKJWXA#{#|h|h zTeq4jky280TeKrKjw*WRq-HHd7A&&dQY*Z#`Idx%KGru_ElEqU0lULClw9}%;DvD3 zFydEVt~aCosS|lq&5@7F!I`7x)gy66L4^}+C03${rcPX+Nq51MN;Kn$%RkrYPFto@ zHZ^6!+S`$7LbxtMZap2P_YDbFOa!@VN{kzGN#1iez7X=76yk{J2_Gl|(`$cBi$-ue z_kG*`EgSs+avcOa7DTh&C(yr1p1^<5xdw+;Tj$y%je3CP(zGr79;lRV-I995oMK1Q zw^f5FMaPL+{mocl0r{%$3YR7DV2zh$WmBkfS60GzJ(3-1f6T2kzGXUHZXxU_KB$Ht z;I9vVCqtd`oAvs;|B6Le44*y!j~GXOvag%hh;cuf;L3j=%$Zc_>d7SX%YM%^ok9t> zj0Qt@S{M*EtziP~u4@)cE*eq63tKyO)&~aIGN+*9fc?9N=`dkhQzTHnh~U>Fj^~9a zH@7E5i6lW3SyK9x?TZ5EMAN=r&j%Ozn?3YZW>EUep1ROxw36ug;p$37{x=6gq+>oA zg2zcGXq}P_V!Y10eg(d?FnZGzRuGi`cyeEc`%C+fd}^g7O80C-fi7Ui90X)~gQnzmMNB^tV8>leS1GUjsAR2?hyn{_&#nI5N33 zt5A3Clh*@Ai@OMTCI7jR&VYJoi7e^8&m;VcXWk$MuiC(jux;Hp*M5I^0 z7uHwZyBjD@pnOObO5wnV<>Kr^yjy%aWP5rq!k z1@$6}e$`CrKYNLMkShJo5`HnTnCc+j3&1UtB2?0tEG&KaN|N?2rTXvyhG<*s{Dq@y zN4$(>Ub2A~M_(o?K35PvX90JN{s8JSpYz1XlGjG>vAM|~5f}de_8?`&J^wgG{Ci-W zXVKQSs}Nz9;fp+zY>d47z-c6cO+-w}!LmmVn?i)P;0sB8j0P~e2LKmjat3>Fx65-E zCKPp_SXo_bpZVVNwwCtKh*B1WrtsUVEcH8)Cu31C05}jx{0K^=&s%y6>YKxG@H)-d zltLrYwq7KDw=(Ss#`DdfkKxuvQhgKTJsZ-A#egRTGi_4%N)Jo&)Hi%3E0z`Eh`L~2 z9{gRjZp!$icWQHTT$`#hkeej5J$I$wK50;%<-i`f!zs`GN!zpr-BXhgSRt2zSTj|w zejMfXdi_)J4Q~vz`TonrkXOeR(WdJ$ST0sd9>ROV(Ot>Ru!)o}$nzVcBR-Ry1etfnb8mSC?r5l6x}4V^MNVtcg*s!cAf8 zOTQv&RYQSlGI=g_s}E0dJgg^fT=7AYlgC@|aHdTcb7p58P$5{@&0oUiv!OG%y;e)! 
z49&bm&p{H+jN%D#^~yr(OJol7x0P|!!KEJ$4}dB-&6WwS$YbxYRxijlwYe)eN0`7( zS4TW(*)#qD7@vvl#otw#^fI^b#N!jHc&^!9pQg}4&WTCn#v6Czhzb;2L(?p-cd8Z@ zBDO&Jedm<|v2XqSPHEPa1vUe%1|2@-(s+z_?vm3EnPA22jR!&VZG_zGmN-{$47-E< zCLR0U7=(O{EE%PATFij92$I6lzpYark;q(LBDq|BVj|d}h_p2)0T;!xL>Zw2(}71b zCoVj{(4cIVq4WpjByPjZt!w(qZ#G|yKko_lL9<|VRB^-ncPd*6Qzu9wZ)n^eZch)q zHcH;d*^h^WlNKY2hZ7=-0gw7uD<)!U8mLAV)0$`RFCa2B z=P?~n8nxS|7cpZ)BAt6Iy#|uA@P?}w_}QY{qSx`~t^teW%L#~1lXo&k*BSIdcV#y| zsrP{Wj20%#_V^737^r!ek*nNRMwe-Pcuwf{$+H~|?MBc{0i)Fu7|d{?j6r%gS|aOx zId`*vJW=wT@^NP53Ebq9`J58;7QJ@i_k$t)A3*g~fWXTz@QVT;_=~LQ?d<-YmQ-YD zf!=|YI}f*Ij@@~$BZdKL+Qam7xFEC?4)Y>ZOTbymKOn2VgDz`*Dj5pGiHsfL50RN zm3*uucc=u8PLYDHC4Al_JMi1q_#U*n`u!PF40lJKe*kn@kiKoq+S<=~kZs69VqG#V zir0d-#&uNQg2DGqHx|0rSn*w04gC~1M;s3`JqpA&D%KrRIGSOw`6+<87i_6~pVW4| z`v+j9UH$jo?-z!`Ke)I5OGzfC1Eur*>P8MNWJeiQgD&eV7MkSP?X)*22{8j`Z7Txh zRXeX6U>XH9NCwz~;X}q4A8JqS>8S|cu#v~t+g|teIBr;uBC0`NdUyo>I3(Wd`wXtalAU{vzsaN8?-k9y1 zQ(C^g$q11YZ8bV`*d?T$Z>W%>;t+P1IN9?LB*55jxx5#4X14KMYbNcnpxFAdGo|y- zZ=S4sI_LTc<;RQlLPnpyP>m99lIoC8)O$5k-uQU5jODgY?5ZZ|TPcjg?;Um(ko}7C zh7=qaaZMiom~JU+Z85_b=1rxH)cgbRLKJw&DmA3J{{9SHL*G?)$STHO5Uu+>zfT+z z+=i$%x`U=*5BaWzWnKI3HT^4{^6BW^$5s>Sf+EC*Lm;`Q_k%IDs#H}y5*q1qLl_J| zF{IwSR5j$uUL1DVnOj=QWfAc4z-P~VT-&|GO`FO&|3y@noRn>lu753H5F^(*}FRR)eDWa zvBP+Nj|C|~8A`H!n@iy%{YRWrm{!%Ido@rHaDU;{20lu0aD++y?FVuBD~05D{vWc;`*^W;_CTeC^H1yn^jZy1kOjW z0z3Xh(vcCy_(_!sP6+%1;I!`cNWx~?xtagD`O3ywFbyucTf>?D8|wvO>8a^%da$z6 z<`}sIXjqKyQa8~TaYg!siitd51__C~H1jINibgvkt97tIsoA6icYpFuQHnOZ4*Sk~ z`FR|s493nZTpsoI)s6Op%Nd{a1O@3MiK*zcunV<6OEZWmR>Q7dD%uPdOM{8De1XPe zZ$zP=Ltn)4&%A${QGhoqKw+3*=t&9k=?;|g;WFy5M=ptIA|khzFNhG4T_Yv~_T%)gQnR%Alt|Om)GCYeYGj@_Pk&H->%COx1Ohe2bcn z(TYZcrW&trHt&MVlBt_=9@zD@&pwK5g80~rm=B9Y=# z0?prWl_>F;tg~kJaTf(ACLrJ|Q^e8;CCB_`_jOWR*4I6FUs^{=r%-6QWI@_No*<}{8>TXwmwYyLn%HAGy=nA zrV&LYi4(CD7H0lCvh=S&lyr!$^4LsYN3Oy+k}1sM_Iyj&)EgerE6_@5{Vj)*QF{Ui z_ebmGwo1a{iN7R)7H$pWo)sA<-H7G0+m_r7nQ`u#WD%lx)laDGtv3(x#BjZ6A~s+2 zBo3c?98=H>%nN**jc}EDsi;50#|;}%x#VvoB%HQA2?{?+SxGoX=z&(XFD_-g3aoFu 
z3*(N;hfI6d`ZO*l%RXAS;>2!vz5iqieM_QdJ8;4pfhjG$shf#D0n;aZszyIT4G|#h zhf>VyI~DszN|JWzF`GoA^{L6&6QDyl0=v~CioN$1PMTf{{1MFJ_#Ka5=HOYUmXk+-HI1x6Wryb6$+-e>-T{8%2BBF^ zBZ>#L@Mk`0Qe)F=LV%k%&&fFuMA~`7NDyK0iG*#KX$VhK|?Z z!+bBmX*EyA*PQf;3I6A{WFukRsq{+DL*zyyr6yDwPx$@>DGhBTo5G`a-kyU0CtQc= zMH0aa1m!j@)MNeheOJns{ zRu#>*XbQ!=j`eG=sCUUig+e^(d2k$;I6!ov%B|+m1a>y06s|s9xb1F$$ zcw|_m1@jPQVv&UO`8pBmw(NgNMf#-O`8Y-@@*Mh;_c>5^S~Vf(N9DJ3ve zd6QeMlB`t+fX?-d<>m&n;D@z{-OFAXZ=|q%P+K*Gzsy46OXZ5aVpjuk@0Muy?<@WS ze4aC4(i58ha03v_6%$xf)1-{8_iMv)()E`QRtR}a36XXW8WBkNd+HBKsWcLT^3Y7o zC*>ia++ySgGY-hM;(bjXxQVn6R)h#TUn8)bB=_9<>pf$7L2t$7>nQr9(^JuFj>Q?4!BJY^qzPhmokEtG6= z<9`6rq~>KKdD|zD2EH)S^FWm$(aJtf;AwG1v1j=4$4KCNs^O7+6Q)5}UO&x+uZuxX zQj{=lkwM{3e-R8W@!Wjp7fw-*6a{u~!o&dZH~OlB?B>CMR%UL$~XEftI` zv`dRUC#W^0oNAz&hx-!5wRD(glKWe#E$v#|wh(;PZxNXRaA*4ScVYS3RkdVwa(D51 zw^3USv^?eQA2GQ_X+?Eu6bX_gv~`5XXw<>kumTwp@gF zq~O)CvfTz*oY9{sSP!;7S9BMxIe7?eR{;fn(V3uaXK4icxRU706Zj@BMLg^s78S8I;R z2y2&%;lUN9_N8Sfx#KyEZWP}Hh^v$YC>%vDl^`gZ`+_`pQA6{fo@HVp^OE*hd1h*m z5F#bI2C9k4?Zfm$hqR8r$YG+7M&N@iWp#6n+4m7EispN#$*fTkr0FXo(OF9;@|Epmm5LV9cJCe|eIuBtTpW^dwBM5zzc< zm>jI2$mEcyte)LEQFgj)q&5#v&`xo?Ctf_dz9?Y)rSxQO0fd4s!igxeu6=Z(bu&Vo zt5(8<1lJfb)f4YV;j8%J_m#za3!M3JLLoygu7N4n4dGCm!!Iy;`skN)BoX2^`{u`~ zncGCc@L;CAM<~W z56^uL_qrjY^D=$)OLFi2L(fb>=|Y!7fuwam-L_|d1ay)$=5V3$Ufb{!Nf&>Nplqvr znni);+AS_OMs^p|uuVQWhnJQtfVz&b$A~DE{hq}hW9ru*zde6>XW5ldb1AazMm=pwJ=dMRAkJfOgF#2 zA)@!ebaQGXT>Kh=jESaYnsuPZ$>uF0zi!GGiwcC-n~~3Gu7;wS--=>fiuUW6at#dh zl?mw>wbqFT>E}~p=Az_6NVORK#>PjaI@E7UKol4x?Pr8eP-_0`JztwVr=mXgPgU^a z$*B)0BW-6#DgH7X`;`VC7IWhDPCBjxgoDPy3rB=F2&$H4a9CZed~jw4Pym{V^5)Pb z6K6vtH{rs4*;EI6%}uEl~>m6M2JbIf7W2sat#vc>m6V^i8MRm zXkQ5|_wlc{!7piop78C!HZ+NReAMWQJuxPs9_kUhHdnh@PcC{zlJyXhs>+rhqJttK zIe7R-5(*>Ghz5xxQy@Pb~4C~0k5jYXzP z+u~b04@%9lIn!-7<}`2q{n?dtkM%Mo1o=6hGKq&3va%h#40J@lL$oJvA2(bjc3(F% z`HB6+8|V;-x}iG$DapMGdC5Xp4iPJ~q1PvEswm%!=@7TupJDJ#*5x#C#2 zNro>ce}UQ6&a1=yLri?uExoO$IxP=dD*6`$0t_g*UV^Y>g%z=$dyra<2(j}i{K41V zi{dk@h3=0Il;fL?(rRiOGaIZu%H`{!LiF>c$d~ozsdt z 
z&Fa_G&E@E1Of|sCH8#fj26Q~388kwIy4hn~oh@`r#0Q0 zjY-SZML_`(H7YjN#kpVs=oC>;oce5yE)eWsQ;orNIMwSb(6cpUwJtlMIU6Zcd8d!G^iWYp> zEijmUoApHw($XNWyTP$ktNG3Pvx~i+HdsMBOYt6a-^EW#H zD81mhmuI1MmTdEC43dm^F<0wJeFdDCl8N^^I!hyES5c+>6SNUC(>Hp=VyJG3xRyyU z6-A0d)+om){_m~CrZA};@u^JV;({l$J96igFg(1rzqERnm%eWti>OKPzLb4tJYvu+ zJC;<7-k7i0NGvPsXAnLGx-U0|O8!+V{`WtX^M8+f{eO@8f4%P?hQL_G*+9M1Lwm44 z@cFv%Uu-6fy3@D6!w(xJ2a1rN_zKx9(v{xLJ($@%`u*A~4c$*nNYt7sIf`Y-ki1Y# zh~&DE2Uv?5?|$ja*WU?hK91qr(1=u!!wMKf%}pMphK))bP|41oJ9PFhw{`8Rrm?f= z)%^XEJ?ttoxe5EZ1a>B;zag8tN*f?0U_axn_q(_RU+R65W~>fZBhZ~>U&+MZhTky5(D_bGHENfVy)M64Iq2UVP(KKRMTvmYm$QPQqs&ypLaJ15_Gl~*0T+!zd(&~p{h zmN}?{S1o6j9&7zE?lldt4vQnCqxe8y9K$(eo_`DYTD80!TVcTTA5zF()dN6alyNbA z)ZiTPz(ZBa9ad!)*SrW4vlJ)G2%TEEOycx#~{|EB4Ugc;qeU z-ln&|GKm=!RDIjl9?v?0et{wr>{iQfyvt8>lxWPmww7m8MK6{{oj+pfWxW7mx?2f7 z6c&xK(*be9E;gU>0pp14`k5_4?Z=!nVZT>poNm)te47uPW+-Elt0D5Tv4m)FanT7G zy=KtHLm2yV@d;pEaJr|t^=jyPjo#~)nBP!!w>9<-c>J>X;Nn+2qCF015#p}P+=JoF zZhx9}))^e`+L&I_CjOHGwexlVK~r6qC$0t(W&R<%1*=(*(&OUn?PJXI96i%@hU}N$G_ic&P`ZAbUIb|+27@Q33ZU<5 zsEVk*>xltAVh+9Jdy;zFI1Q&)aT9vi&h+ep)}?%aYNZ$%wB$;HrALK+#C--q+j6Fw zk@9tkxx!yi9ldW9=g{^O*<-e5#F|4cF)!H~3}TRW35&&!!Lwc(EMtfh&9h)uc_ZyF z%-nphnq$|dGDw?*d%Lnvg)ZO~4Q=ja?foaI9I6YM0$yAZtIrAOKk`4dlG<7XM}T~# z)-D7gb5Z5;t$z6F?|Lm-fP$slNBlU7c8Y69ZnBkM8?tFf(^}L$^q~ZM`JOsDR;6{P z+<;qfvfRGRs|^ackC&jcSKU12AsXRx7t+47h4W%PkMb{xR7(COYcDdLxAqI5^!Sdm8{j5DRo^~pVi_7r z!QZ)Cqg`CkW2HqB%0B#K;uh&d$E05k3*4SyiQvGR^) zxZab~p8%QWu~7oR0GIFYBd^E1M-4;&mJ?Fu@4Dj9Ip3J(PraT&G+550J*3p~=bG}88*@sd@~aVF z;YDy7wuO^P%Aio4s-ETTIn4M3Q-zonFAgm+0&#o!jV(1pQt4-`g9Lx~hfIKzUA?7> zhGa%RRLrGQl;e(w_$lWYp~Iw4tr+Xmuv+J@2?y&_U|PI&ME`t)_ZY{(7_K#bhNbgU zGNc&A^gTc;N3$Wh3RArI$(`(vJ?F#1r)oI8#g}sZ2~ZEn`_t2Wds`z9WaemP^1nHC z^!amC0@Mvx!;fuR_4DVbjasDlzlr;;X<4-S-6#s1$#xe(S0<1WIuISSFS0)UKGa@Y z`kC(JH&x2I%tpR0wTXQL$c^;_xu7US!&J>f{ifQcCCNG_;4V|tuM1@z6B#t>_&#gh zzo2k)Xn*L=^9QyBr|%f3YX%InAJ4DlF;-&zW@>>@>6)#uWZSR^J4FEtY!-Sb0}{Yx z?F2z)!iNG-*py|6n{YfLkn8yk!m1T!BjiBBWe1yEZMCy3C!5n-X%4)*Jv1NAX{)D! 
zs%sB4Na%S)STVX(p@T^fVYfWC!yiBH2857$Z!0XBlUbQmP+w|%%!_r;p@2{PgR{=( z<0#`el83W1jqfEyg8G_c>kj)&Y|}j&vyDoay9?xLy+4; z=_i=aIV}>Qao$(6>h4JP-)SoI^`sMER%O-8q0LWLK22$ zJqF66F!s~y6A$ON8Lf;Rvk1Yb@iM~ARQs3}LjHswRQ3iWIyC858pyLmkAEwG49iw;$>8v?28jH{t3WA$i69$1$@3PFmUGt>8-To z^zA)3BC+3zbC;QR4&@1)6Rx}71*~Ncz2F&o!KH1W*jX!n%j>sdM-=d z;RTueZJQGvfuhC^39@|7gjGBn`+C`X#R{dN48E8$b zNNmtlrZouJS(dXb5ZJ){(eNi5n=n7k80Q+MGI*!@tN3h0B2wEK1v`s-=pRse;aZB# z=O=d@d^EVt9N2N_t?tQC(6L@IO6co{li=nV+x(dkm^y)wgoVi(WyST|y7<}b8=&BA zdP*j>_8u@CU-8C)a?lLiJ_r@$jV@hjs&jnz6F>+LAxCa}rCrLs+HQh!?#lRvj`Yr% zQDW!zAuQdF;I*%SH=Cx#5`DD2Jif_`kLm_Cq+iI_8ox~_|H7$c%|O=CEhWMY&ZrtS zG6eC7!Cv`?usbu}pKMvb$#-TtnLp#AL53bYO@+dwA8m=w@dg7Z1 zvSI-qbD8IO8(x(< zjCf5c63Hj_3&OTvp3)xn0jxxCP;Ml?3Ln3!CeyZc;@*AAR^5D8BlXSno51hmLDF9T z4K5&vdN)npJ%q7IM>}N0(^_DM2sWnuhf!E-a?GJr29daP0$b!{5aLtGOKgXCdIND$ zf4RVfNCtJQPviV_T(OU<1#CWSaBPuhLpJxfO$KMV1jEZ?f7W|{HOZmDv*sTK2Nr6n z#W_4CW`qg*{BiE~ex|Xxu=njyV=n2*H;rlUaE+Gih(~R*`t`qhg%~zJ3nxzw6zX}B zeQDjN1tkgYS|}L?D+=U%fKjfWCi;rXMa2TM%Sd)@cag~ad?+` z(_UNr5;`!w?UIIGM!D=RXtIYzu0e$vWn41@Up;2bla#o&B)bn$u_ab*EfT|`OV1RE z74(>yaW_<8)uf(TX)3E+1wIRBYHp38#!MCd8t?QJhmoGu!u<#cBrENd zp_L7Fme-dX+GqVtZN(_5Tn?v8@)NZ*zgcmcL%O_f+I)ydpYtl=a8XIeyj9nr%{)ov zRD~mLogNnzrQZKO@=jIab26U|V$nei`nEy32p40=K^W?^V5;pes&n6Cr5>-!n-d2r z$M9NycxN0LDvP}#2-R1kwHndtF4%6kVwgRU%D4p;W4h|#k+?XLP};IAObUkLhsux; zLUR==4~ff)8RM$M8Bca>(bIBX=ciq#>9zEiT?18{`*}*o$pL&SaD>#m4X2dth>?_s z{6wqNO#|gb#;C*@Qf`-pd3s-h@=xTdj-m*^x{h@eHYUzc#kVhCd+&8G?f~uH?aN?^;Y19)0gSqoTf>aad$J9=`z8 zU6E`rUUN!V(#HnVW!oBJa3_=pm>(Ni4c6C1^O(}o}i=Lq&1wFLn(1<979h)e)5 z7)O!{P9^$F5@vc&He87n&Sd6^A|AM~s7h7SR#z^soz-#pyoQ7!(-Iw#G8WCTpNd;s zu6#}fHe*#{&=F>)kB3N_tvf9`t&%ZTn~dsyJop__qQyzui~ZW3XSrU`$dHX=bZt&_ z=@Zxhlk(|%{dk;SS?&@P*R~mCF^MaeMKUuMA?*&{#X?{A$PR6U-@WY+|AOS%5GC*_zA66DhA#GXZSY)LFJj&KyiHJfiup)ekqKFB7I!; zRb9eLj`b5wraX%jwQzi~{?8=X)%@caK$yIMQKCp$+*f=V?VHH<9tR;_^o~AJwUx&P z`<#UXINusMLe&{LtB;s;SLr7qR$|10xsFS(xU}5gK-%_0oO&-YTPh*hhk_$%F>Dfy 
zF#_9ogQo?R67!DZ{d*qz)|xy1y(=c)pgb<;oSFbZxhC1NWfV${!=mlpo`{5}H2gNX zl|f&}@kyghs;|l#Aax*)9}g({=A%+-he)Do#at=;E*HOO59gZPjVoe*eVJ0P+~C<1 zUghM%G#?yOyO(D zT(_wiLMw}1r6{Gu|D(aUAPAUi{p!jOTDRW-WW3H{MWrR5Yha8u-EOzLH|m=0W#;eU z>J+&`Z^Uho5##c_z86B5p8n0ueCFakQz{j=#+b<^C$(d^lRXZ#zfk0&;!z--f>-pU zt;FU#uZk}ujM?Zl3S`TZoCY{&xVtZuB(Ulk^*Habx9}(VOb+ri zJ%5UIir2JmyKP*!AdeT1Z6}Iw)LPYcX6SfY#<&Trwi~$k^>P&JG}Vdj8|}Iz6qA?U zQ0VTg*RSEzO@&!wi(^;vPKz_&5|l|W%W``Ofy@q3x==Pv_$){RDzqPNtAK>b+I7kA zz7xtkG;KrByXEl8!(#7DG1r=oH#ZF(?T$YXG(K0?&9lv5YS^i4~!(Tv%zxNIQ ze>1*NSG`pd<)_VBe`sVO2R4~HJLxB_@y{`D=}-fsRYJrrA!r921N+Vr`LaVS(C6W* zT^S}vKK`oD+kaZdMq%(Bl>4CwB~lTHIWMmwwt5*>)^@@6DeHUK+hVhRt3%ApBMzUg z{iL;uY_Qf3<5qlAq?3E>7hAQ+9%~?~Bq4F5rux~0u{mQaZKkiZX|w3Eg9Ey=Q?`XO z^{LF%W)@LI$%4+ZuMIyd?!D}!H6a!GU~tiM`Sjx#ca@54)Uu}K^==xff!P_0<3D-p zVtH=0UgSELA@qD(p`<&t(aB_s2)f4eMIs!2A%HH+l{ji5=-`;7Z*|Xr5ADx2VT{v} zq(;N}&V|iHStIO7J>Qixlqv?S<$kR00ZTq7Xbd?HB~MwYslpMfmw|P8J!5?Jr^BZ# z*Etrmlg8So$J8sya)Wo2YL_aVA#_Q&&$6_aW%RU(04n;tiL%waEpy7Rk8M$ofJKW# zt(7%hyDO3AzmJA|8<&z#GV!=ds6juJGrmC(BAAnFQa@q6Xpx2zM5a& zm$8FzFjCOHP;Vx-Atm46pjb35P{la-7SX-3J!#LY)v~Tn1W?7n;YfNg=0-x>em>>R(r$>}=>P8$vw3`lA* z^ZOXiz{|T=CSPj+@#?KaLR(LKEroID3|z;R9}z){3{(BF@$J%f4AG`>v>PMQj2nR~IYS|M z_rbplmS7L19E;W7ocEG{JxQ*YDg?OAQd&jJZG75Kq%p$0VB&`gcV&>EW_jj8Xf{1;@CT~xI zN8DEk?DI3y?V+v}GsK2p!Z??$skF8{NsyUO<7MnM9`@`ft4!AHprbSDZhevk$KJLv zx_bF(gA;#9^#kyQppJ|lT*~s#6e2LuM(I7>9kWffzHEfg1hyAK*{Wnq+b@;HTe_#D zc7_}lH6TNOC_eec4-yFz&vY8vrllzHy@tWNeu}j6TPoEbv@;SpgniK~?PB;7MYny1 z8G05NQQ%FWn2ft##rMGB@%iFYWc;D#GN`VUrysIq=*>sP|E2(c%<&O5xh{$ z`QCJTk5|A3WtnPE?~A!Mf}5zPi1d0ERjwswG$2Mg1OLjw>Z)t(kxXUf8C;2da-A`0wV% z#$LQI+S8k)Q>W0N$8c0&ywgIHb76OR`6=|^%~mZH!h)WeHSM)@@;us!J{n#kX+nwJ z0#sW2{LB%RN#x~4F#nEikStb3yMw+aK%wogp^3vYMP1jY5{V z4!S`fGvx+qKBlv-k^nQf0m$V_P*!@`%I$q^XjpXI&U0?4Kwa-NnAmty2L?GJ2s-ms z$}{@c>WDkEx~BvJj@70N*n<@J#gn@u=*p@75?udt`EN$g{_0!gbj2qp5kB!o+cIxs zjo3NIvvTk7YA!MMM7w}@d=w28TZYb@~J^j4sm@7~cDW4Ew~ z`Y|Ac&VQ^+ipJ%=%CH7@01wN^^x#kmW`B<@a+)sZmt!z+pQ;LlBdGgH>D=mFrCC{U 
ze4ICV1bTzIHES8U<=5s+QoUEn*^e@>)$6-WumHoKAyAs?DSHE2`JZj1`!vBq?Rl5f z>0FukxYShJ2-D5W%knm1nbJi^(1Q=MQh&HK`@HG-K!%#pZ%~80Q#fK7+utkNE(j4bm>OM@l`J=Idk2qR*$sH!Qi)bx z2Qfi2+SBurgG>XvSU*3oQ^xU8?N{oizaB0)OQop1ccPwP@n02tQQFiW`0m0it=Mi1 zp_=0*9E9!?%Dj?C?ZoOHoAD5Q3qPgOaO1-uUpaA#LC}9f_7JEmRlMPLKUvrqb5cK? zDce@mighkq5a zJ9;3v*1w%mN^at;g+?ncwORDJio3<>OFaE#V^{z?w z3M0BF6jy!S+0z|`Z8Cz8NQMRIZk6elrSJTW7UEFXOOO1I=IWQ#o^7GC27Vvp#3=nP ziqf&7uB@;dT~NB>C|v=+&eR+TO>C+8@U-Y# zD!x>6n*Q?ta^rscJXqi>Qk{wdAhO0)Fz6d;epxNFY34lX?Dd_11=aOuIQbFC?BTlQ z?hiekUt|U$?L0-%-IWhn;IweB6_I~BNA%N$WcniwbV?cuHyGRP&B`R)pt^0Jg0kJc zKHj`RxtCN~H&_0~X8^O{=Oql2#QqXX;S7wqA0!21Uf-0mutJJn#7x6|AB=3F-!$2k zLU+FWdfw5SHE=!EJ}WnPn_?SeYA`*#?!4ryw@&==0eP%$lDrw-^vZ72e7*JlG^6SP zdLven@^V9irqa_A9_ye(ui?bpEJSUu8G=zHrE*E7RR|V2YK`%_nF~Ct7Sp3h)XD4X z`VPh-+WDdC6uc6|$2Xvxa^uh&YvO>H3{T)mj({>i%Bo?{dAU#QG+nB zEpN*zvV<*}!5(;c=n`H?I?OL1#(&5Sb-vwV>~SoFXrb&`R_A zsjm@^8s~aeuSA)Fx+J=|sOq@HcrjLUDHyCV1ol1)%^@f(MZrl$@aw#P(K=^@-a}w& ze*xA0W%-wUJHxSm(US!TasDe*LL>6u(((S&xH1%tml|8JCOf%fD@B3Lp|&a)K2}*x zT9Z&WeONEbl~E&%;r)=~q&@#@ld!sXyzs%UOv}4HCZE_yu_?_slF*RA$2B7` z4g9__c}TxnF0WLUbpBoS%l=)7vFa1gKF~gS!Q(U5tvtXTlea^caft3^V>^#FeXDzW zUpN1ILY)ErIukDou~x_F{E<$}oCUeNpqDf9wV3 zu52q_{@bAgp%6Gzk5hg9#WF6*?q)ML>{3;z2W&sQxUr?Mf~7zbQ4cX$0r_=-XG+!$b}_!*GJ^wk+xaS4A&yaRCtQDzsL4V zzVN{<(bIwfxG_|P3KU{y<4yNEC2+pT2NBGyIUMl+N=LL~_bpvPGE=*(!$`)+XRY2- zU;?JxGTwfoQz?ux&HbcGegs~ANDl#x+mv=paYgAn?bU(@zEP^(Nr^<37AOCVLrvFf zR~VIx#x~eo4H3DS3SGr}#T+_|`0W$TRp?Zb<96K0Hwk^YpLBQBv7tmpH#c{44w7`g1DOC=jjKp7O&S7=aMCcKd# zw=}=};3daN!$uK5{~ClUyT**IV%T;3olWB+$uvp>hyG`{^~%!EDE{=L#A zw5*4?|2be6=mei^h3B~e6jg+}?ALyTp3Nze zM&b&{_JZR$tDS075BQriNp}htqKW2S9)I`CPs*g}~{u0@icqF@%o{X! 
zV`pk6!UcYRIr-vrMQZ#IvG>gStFhhhYZF;-848pAhOpR1kS7tW0cp4cMeUSX5WZk( znrJk|AepH}iCD~yTtR*2cG;>Q4L6Yqg3w8oVZ=0w(1JV1Ln7S6eo|n)x0}j!S>4*0 zhXy%^-k*Kw?$=wRJL&W4CuxYMVrU2O_HgNPc?|F&OB}HS2QS~3x1Cq+*lhmdMj05b zHU0QaXF2f)@x<>UxlX}~?drk)6!O^|#_0M^CDto0uq_r|uwprp%@v~9gI0_@>9+7* zERUViF3>z^=Dzq~`VFf2Km_#MZlwvb6Z;Mv+3lKRR^q>AJ-$8=I=bTM|B)6{7L}j~ zh12TqIm?6ht?|dVAGmyzjtJJn+2_`>6213&+$ZrX`hB}%xM=M)c*`+SJqwd=kJp8j<&ZpLQM;lN(05f? zgm^1l;Rzccu>dEAk=XL_G~l3>hoZn}CrOlZcvChXC(qPr z*QzfkMG^bz0Z|cQd*^hQ_-doqHFzwY+T#h0c6!8wePVcmyx*D!`9-Z!5U)V=@44gu z)n}Z)b;y!^K zj_fn>fn&xaTdW^MQRFRE+1%?Ed9 zLCpWDe~FlW`(312ZE|miJ+#Qt_Gbj)eQpg}c?^5)qbFv?bZtv|!%SC!CG!}>Y^yAj zXn38}4QL&v0Tpp~KeUbv($To49)*K(A)$|*{&Hi}4Po4)hO6@A4M4c>&bi9^n8ATr zs~#jBH?8kDR)>LFmMZFdco^sY_3L1NhBZjtu~0$(aspYtR(A3r`61Q4Lu3k~9_Uxn z+l-fL`*q!x)0%=$zco}6WdFcq>6An8b5_CoFYr7M($9Cs>n~G}IrhNL+)%v&YfkE& z15IpxV0h@Ouyl3qiO>WAwu)?P07M}f@K2xhf4BZ0@Mr%C(2dxmYDE+NPM1JEksXFrs(Q-UJGRf%deuc!QeIfr9Ql0BGt?rwTLo(>PnON-mPz>{r=d15I_ zPHA){G4W6T%!I9GzV%Nmioq1P_z-aT= zRMr<32?}VM7BcK|VJI2lJaLtEurp0D45eo(HTX9VUiVn${T%#7QVVx!NAFm_jFl?R z*Ca42Z+SvL?LP%S=JYHOAeTkps5AWf1L>N-gy4ZUWsF7RbGrjowM=}&A=8?1{}np_ zzufoVpZ@%35B>MG2DgMK6S0a;jQXaO5-QSG<&+8^eOKSjB!;ja=|{akWOeQDrQl&6 zuy{ncssh(&fn^vk!29Z{?73H0adHFe4>1lJ;?-o$uVmi2umRo+#*!iyj9i5$tKgCc z{Q(6?%%<}HRonmPd-1<}2hf+h{g}>Ifx-3Kv=`_1Cl zabj~Iyhn2g?@@sDmEj-kU{K z@)v?~41%C^F?!Y@Jx{yWdJVCogvie!v&dV&{$fCXd1i#DlX)P~-M}gT3w8f)3kby$ zzdrUE9TIzvfCQyPHaQ{qNmP*ZD}v-3RG-TK`78hDuKdrn6+?xK8J+0{{}YjuF~#wx z;V0>|TdR46w9AXE!fig0WNc-Ge!TT-WPvLRQcKRq4-ARpUg5kPRe9865xwOWga{0-el= zP6#0mH^@qese2fnWWfdK&#m??n9r}St|mYbLnIV&qGV0D%-E06Mes#Q$k=l9RnVW~ z-ciJTZ}P4kvj6Ki@Kd{|u{KZlaD^$rsK;%u{i!PR$^10!>SuYS!)X~cdSHO4C>h!N z_lSt^-od~?2mYDBoNRQ*z)by*?f?60FY;W<_n7}Y?w|Yh!vb={w@Ux>{Qqlz6Cz9y zO~kh&7{Ny>c3t08Vx#+<`#`sMegs%{?P~ts0#nFN)}pCS-HBlHV*<#udS`E z&Q+F|3`FL1zFb(l17l)Xb`h5Hn+*PbW`O9|Uzn4kpNVAhVvPdIGo-b&w9F)Rq;wp z=e?;ye8-hb(^$_nk?lTKi&Op#6Rd-ji1m$DDa#X##(S0G8V`);G?&+c4Qg!_sNHhF3645>iytT6aL%aOO;g88R@N!6s>;wpy7jrSsYzK$tGb|_nU%J@zP_-c 
zu&JgduOyw1Vi>tm1OcHne0v~`fKVX<&wo3@jIj!$mnn+GWl4pIKa#?nHaCsC6l2hn zlQnK`R2`%X6SaD-+;5^(io^T+`{y(?VEr;Z?D;*2;#;dp4tiza{%U)WXIJ=sGQc6f z?Uf#TxT;E#N?ad9PgnQ)=4Q@8Pfs_g4A@U&&djWUc5~BY>FOq1o1dNiSz50|PyP~< zs4*Cw5?4ww?SAmZy_N6N<;3{-ZTEa+g#0Zr-{lSOy5vBwtBc#g;UStHhNQR&2J``O z4myJLz-ZL<>$JpaA8CGh>qzfx)I_=j*TV@Nc0re?$;ns}Ui^PF0!Xt8NS8?ke05wb z9K_FF>zLJx%Q@aA{q9ZSVC?_np}8ZlYropf{UgraCq99()H*WTmEMiX3&rs&Zf=eD z1DpEi*j`>POk7mwje7QfPNV(+rVwC0d3so~F?!k9=t*ka9E7)F#-1gI1%P-9&a5eb z^$iVqGlcl~o=h_IVXG*$C<^l@{&D|A$=GHQ zEdyw}bM~0^Yfm0EDohbWFKR4G#xnt{XuRd?iaFe8x>b+x^<2CqB{YopNGXK#nLz2_0{c#TNW66^y9YwOIktWPqI;l0~+P16nw=^KCHzj*`{!ykuShtva$v7@??vw zPlL+3D>GUN2u8f&?gyn7iMO5Ml)2Ca0CDk`tUKX)mj?xH^H@^Q+ip6> z&(+`74>!Q`+r_*Wqsj-zhiD+nwzc%YRIoSDR#!_`b?4~RX;}zELrcS6_s!ElftluT zQ!K5BApPDyRs@?c$JWm50=S=Dqm`DSV?!>&&D}6J$NgJ-G2};cbJ36Hw6wz%h<~r2 zX=_`N{kF{5dP|af{s)iQ*6eYXeu2fn(#}j4?RsbDuuho>1?6g@^RcnMf=H3mdGYofDgsv`RVQ#tdVlqvu@A%;jMMAAI-0<4_6;=w=a63Kbt7Wm-lU~~N2 z@z7aZyr8>VP|!CcgMd~s?R4+3;Wbj}88*nF?S|x1iFmQj_br~+}1=EUpf+eWp{QggzW z`N`Du6r{7~nX~Nks~g3U!Td!9Uj0ys^thzY1sumg@MEdMyGj#+#AlQ*2l-qjNC#fXg9H)-a+G3G$mqLdds>f$dP$@6M_$fT3RL7 zQB1O(w)Tn&Bfl!jyl(H5R{ciM>KiQH$P2~zRzzMOrICA%iX|0aXEFftO53!`=vrMI^F`U8X6irUzL>fQZq<|y@prEa5#>R z!41xR9ASJWOw5eINg^KW#E~Dzg$O@{Vj)qEGSZEXkGJ|gOb__``Wx8!syJE6#JxQ? zb3)V6@{*z=Okh8i(@fK-X&LCmr^QDES)Xn2v3!eg5RHpxpL(F#!F6=J1)@=n+VZpHnYL8#;Wc$s&=r!_^UX9a8h?|qYI!m0 z=<4Z(>(jF`R#sNxL+uipKK?dY{(C3V(9h8eP$u@o5u6C*}|A z;P;&Vj+Oy@0q4Al`H5FCvQ|5~Ij0J{VnyA?PP~|GwJ1 zMqyyQc)b*Ve7ga;>$&ItTJ>C3pesc{Cx)Q1a(F!7x=j3EM>=_YfoRUCl)Z~BmR*@g z=`90(PoX#KwrdS{?T@E{6TrA2&j?yaU_ITHu!whOKtv*Ps1n_Uu~kh~;EQl$Y|U zmlF8XIh?uy{yqr_6VDHlNmJm~Tkxts-6z_G(OH+Npl0RvP*VTBR_0G`XCg`I>Ch;J zT8N#BF}KYRKSU$c4ud@Fh8Y+{Z~k-@SpFGhvh`Ty&3L=q>ck-CM}JG_^_G$}n_I;Y z?6?Uvh@vAW$6rdQ68I$WyzhV3aS2*Rk}c)c2ac|dhs=9ghUU;r|57zVV$J06<#Ds{ z;SrTdHk2z>X7FTGv&KR!q@hJl=i8`;b1L``!=w)njmFnm$7*!{Jsi0HG+F5`!e;!9 z3chFZ0`qeDq6}!fO*`ZeFYbtJ`a&2_Pu@b1|AB-c$w)a&;(K4pK|sRvWl(qi&TPG! 
z3j6-I4{R9}_$2&p$WHNs!gxxw(ovl3-29FQ_mQmaDH%UQ*>%l1eTjnFF8X_sHvNRx z)*Y4~dTxb~h2XlWu*eEa8XMjAPkm|nrR1yAFo3~}zCc&nN8B9^1Ca_8{ED_VEP>_7 z3Q=@F=R-9J<8QgAYptUUe#Y~xdnK|P0k*NeezDQyE-+XcaS{m)shhJ_o+M_tcKBc; ztev16LFMw(bF+>bLuobD_aNw$q~wAJq05c-KtENy#0apJ6Uiz%;c1kW+SkOBX~Z!z zJ`u4J>v(G%uYI6nQd9ir@Y`_C0}G=H5!Xki=~Cvb#@b%n$_|xAXp{RCZ|WE9(lT>~ z9G{cC-*IH6uw^j%-F5+(SKd&l_`=m`U4|lxbj9U&GvjmtU24`2Hs#gTzp5(1Px^Nk z@dqaCBt+ukCW4qYW#w*mPp4P0>koS)N_8C5j#2kVb+L^OOTS9q=iT}CI$z^%FKr_* ze8L`7ZF!!(1Uy<;NIBd|PCy1QfiStVsT^~|pb!O`Oap(fqvmsxxsKZ=d6X4cmDt-6~kPTDx9YN%#HI=-U*z@%t1-p|Cw^aCgS z;9YfO#$5}?+|)J^c{a6^(-lbCI$gGZJR9*B&;3l^vt8LK6zZ0{jLD&@X$ajwfi6DA zPHyTF@G5wF?h7zie7UbY@em8kxt;KC9e?r8MupEe8JF`OZq5AhE zS##grx{ulIXlZS1uEf-}3(*NU%#GZNnw?096zics{6n|!!v>mw=z6h2R_`=&Y`^CP z_)eIellNs#2*{D~b7G6d>F$(;Y8i6jt8(r$|NC42+(QZUyt&QqkG%yLKDSeZo&JwC z04F4)s^u`a%+zc@Au9rUCP_?gu1o1GxW8eAKHfOR%?H_ux&@Qr`>@lVJG3 zG>>Q6T@<&`*V7#j>4c`5$*0Fl zlS49&G@$BnQlSXL{FmOLS8-{ij;>ACZ~CcRBMj(?nduh{JS%SW#;%dWnT{(BwUsWLva;C*$!Kg3{7^*15OTRTolOIj%}|~jK+kcrv5}dZ&4KUM zoENHbS#*SrRSN?H$&pz^S_au912GR$EL95-2Muv|_;u^Az0^3bK0s9^7=sp^Azdb>E7PCy6%6asb1fQ9l87j^_wVl^E_-k=ALmWbP~D=I3EY>qE9sr=wtY3HYN zp+wwy_gg|jf`TZ<@2GduxS{5M)OdUC>}*Zfekd7#&qi*MACG~YORt#8Cd~LLbW+!n zajsiVXmvIF`Ne3#r+)7|d}e`Jug&)2S?CFakdSaJn;-2>a;VR7#0|!~bY*PLZ2ZJZ z#p2uR!`WL}YU;g*Clysu^3UXv3SoD|B z*v(KVl-Shwr@NaWgu5wrpL%*e=axZSmRytP7QE*I(AoPGd*&Y<9eFiQDq?=B&-|u+ zbtOvYC~)%EM|XzRRaL0ygcI71(6}Ap!8uv+Wq~E_jV;JMzHGf^^T+j7a!*h7T`&xGKj-naznc^EVG}ev;2iAKkdI z0pbZbA|ei{xXC@E#nOu1fbseMvZg{VA<9;ZNNu(cSZXKWld$K$`(sN7RwL?nA2Yah zkbHgHqfpTv4@`&LU&7Tau23Sw*7{l^oZ*|r8iHAe=U~XxLpnbiV8xkW_HX#d$tP1h z%+!kcD|ecT!7Q}5JU+S$-+$jbZN0)(Q&S7Goe)z&#m53i4eo}Xbw-jUa8B(fB&vDW zxKW|nCz+u>!g)6)3Bod?q81iPW@_+GoGz2lIn+yl(zQrKG!P2o_H7J@32vldC&J}3N_d)o2wEFogci#69blu z9j4V1@0k!|_(o^Q(?39>vn&##uw3zyNm-BD?WoaFyC*zs*?$F0%PuXd%zFe$eZcu_ zrAzR|vIyRKSi{;ndVRDsT{*Ka{5~h|rfPALaj2}xw{x4DOMSxQu?$;H7W_Ck?@+y( zo<%J`)*S7=wZScT?&kRGygeWoReGLnyT5(%AOAu}94Yi1>u92Z)pa!rpCibsbf;zX 
zc>K|*`qgXfX@-*4@BCt)-}B*}@ghif)%B@tLf8wi3c?WacoN|(Q3||t=G0L|d=>TU znYjQJp~(EO{Q4`F?|)Hs&heEjTN_R$o){C`wrwYqOl;e>ZD(TJHYb=kJ2ob^&2Qg( z&pF?{f9~JjySuu&s=I2v&w3ZpV+>Y(YisxAh1Qby+u{oY|J&i#hx3{7JXECs#X@v` z06(k!ek56L*C)4&?@j+HaL<%4gSn3k;pOP*DRTr52xAO%r^lIPi66N0eZO>v}nw9ZOQiM{1*4s^z+ePoA>!7A5 zO>I=Lg0T?U5~6NeuFu_KM>Bx}OQ?0nS6b(kcoK5x z_qZz?Zo!}Pw_ij>r{h5tb3`SJ>+6YLb}(|g-tP|yyq}LdIMhqmgXnUGEA0sk7=T( z2Hqf;MJKP3NsOuK$xpU(@aktuXONkGUBysy?jV8ES9}AGikA?7$mpqeOFMAb!tMkX zh*lO#h>dt-F`IL~R|E<941X?^abk9psa?_Msn^^@95OC8yp)sFOw~TFJzLbEXcHDD zu5TJOdL>TAT#gz^v?U!Ks;ipC?djeDq$@;W1SfcS14TG4?4d=W%Hs_}ptIn_y+mi< z(9!L-x-aLNPe;(8BgV#Q{JYpuDMk71simf=>FGxqC?g~Jee$velhB9m$-NmI^1D+|!D!?Yia>}Bks2m*FV1UgZ3$|M66@RlAVozY9J!{X z)nv48SXQ`yPIS4)N~Wc&tf+~JjiCrLl#swcfYi|7GEU<1CH{)a$mOpetUMvk@LN7h z_jRE)U1P;LQTY!R)(WSnV>y0qaMzb%`d5uH?ezHDt}bDP0=T-u0OlXg3WH)OJ9(VU zzOKdwX?Iyk^$sw`3kE$$)P1w*g%t8Ey2CX$**23CQ~mVcjT5_Gr0h43gP|B zkFmgeQJaFp$aLf2^iEV%5$;Lm#_r(`j?Y_XG*V1)&6+2g<_Djgn9Ssdv$#T*$ia7Z z-Sik}=n!CX`=a+u%}U5A!tYjt(ld~I)o!W)GxT&+!`MMu2vrX8h-=|-lFt9qZ!lS) z&Gj)-X&_*~Fuwu)Y+oO@BpWFnv3#!{yeh4%PUGjcSs8_il{a6_;c?P|@686V-*g;$ ze!$n{NamD7-Jjo$3~#U*!q!5567awCxLm3r$3d_$ALLH@$zf3gOB-AmV(qVB77iRI zE#JSM1g%nDjtEPc7q4@tl1__l4DcR>1ef^OG2n46>Bp z$0Bf-Ai#%yoq_-2V=me35ZNrP>Ef>9ue*kXPZbpu35r*ZpzKn?&6b+U0JmX?Fmjy)@dmF4D-86| zIM&mHKSKypi3Zt>)+tNmICm?nT)2EqOH-Q;V|N;ug$D7bJ?b0EdWb?7mn>9can#_( zGn(hoJQXkG+$6xIuy!-Fwis)I3pV!kmS3;?+9YsIgA_P-YUk5uO8{Q7%`8ce$-bG! z;Wqq$_xj}Xxg;QPe!5F0fE(Yw_5LTMws(V;VOi}Ql?0NX5&T6Al}rtsuN&Zi3|rHl zddF`W#qnHJM2Svf6nH-4yAoAgP~dzSTYct2nllLTI!U;8%l|mnrgt+W8j7?4f~ORdy3wvXiiB+`;6!9)l4s1MlzL5(BWTC z2*Frdq7({2oKf(X%=~gaK8%pR6q@Y{v2E%bIpbIjRj1ppqoJty zD5B~?yrmKSd{}+c9Yi zlH48;G3_8Uz7H7*0;^M*sDkLfLKV>9p2YSpGol)>#FP?C8c(wSl6e6{ z_9?TXuue*@tmOTK8b3$R%ESUp+gez-P@<4oL+XHB3D65#+XF#R8? 
zxDYjK>PL_&blvPei(nc9B~y#M-nUWD4+UBndZeUG)S@vDvTW)%)gwO~gv07L+syR#!hb2S?N-leGtLIw9*BQZD8U;Sx> z9Ka-uT4`n3tMz#d6gJ|9xKNBbpufP=*^om@gU0+bI>5h(g!N(ON1SCgxZZ13s?q}^ z#8}*QqLYQ7p!0*VQ#B_Y;xtaED0#4K4y>|~NB@NTrNBj@$J4S@nJE9Khl0ce0fYU- zlouHPEz2{KBO|do$jVn@CjZx&zXbFX6PoYnBcnb3Z@(o$LuYW3m#V=1J;?s8UiIlC zBPC1)i7BiLOhDg}&1y&(Yb?!InOh|cb-kjbPZaYWawh|njSBGpY7wRmG#s7W*@9ShZIuT* zQ;Uq4>TehUGYT5+o1C?sot=#h8wUpm6Pw9OD9NI-8V4KO@#*R5@v#N2ln^Q#!f{#k z6@~@yEpH}f(_J6%0eGjyYTh<)F%sNZT?B<`YGG`TC%bau z0j1_-!aR?R<*EM(1IGm8Up1bg~d~xO;c{Am-+_HntYPt1C7) zH2axao$^eGgVOp}ulF5^3MR28sI)g14-F1FFJ^JEm`%AlJ66=x)KD@Q1pqMt7kg(` zX6C6eSpj?f&-Ai68=GqBeKA@Mu%L1Zxk0sxGL6<29SOBF023pt#J-NbC?6i3TOqg+1eq;7d;#m3BrX(V*;{BNC@8yP?bDEKH(r7kKNZuj{3CDyv(YbGmuXO`=0Xk^srywbd>yNRBf3i$#VBNv02 zr}QJS)#h1OM(g!YnBV!{S=UP;;#3Zwm3dhJTglIiH1$$S3uMckG|yl8BrhEs$f;n8 zsMqy#b0PdY^UKwMAbV-i#_mcPDy|V%H&@qNSJ{B#{C@3r%N{N`WKDM4O7u3V`AfP(M= zs8QeFIrDJy_|+r6Q#0zb)mPM5*eM?jgTX)>@>PDRaXDSY!p3GsnwmpBsc&dtW==Gm2A<}%wfFtJvbN_-lEd!sbsMw& zRM+FC7qI5TMkqYao@;kk7cCu~S3rDf>TtNEO23-hv<$EHx|W{a<uRtI<$>nAcw4V{sGkj z!lZd9<-Y!SNF!w7A(i|=mHemQ1n?21v7sS3F){J-D!2nVsm3Vt6#0!t0hYcIMbLr& z^UWz$UGt9>Ha?({OA=B==LF@Hpb6!m|HtngQ3|f4goJ)ex4R?7WukD0Zy4uE6yF9u)(18KesFCS19(pU)SR!i&gB9C3hha7Upq)zX$WYO zdOzPU%fG&iw;tt-gb~Kpkv&00r&e~AOx@i%r`lt}&~S{SGy%177;y6MIdH4WvAqfm zeZa?++vVo@>FN0NYtGMYk-NpgLD3RbTsYJn$w~VXjYiWL+8gII1Q2M>J~~1g1@1hh zIS6hzH}B{DpU3P^1An%$?6uP^t8}}ub(u}Z&_;kEnTYKRvgH745MG7Aa;7oz6BJj_BH=Nf}0URtO z6Lh&vjR7zsW7eV?BKlQ;x|Ri@6Np1J zGI)`MjMm!du(4;^=}vi%Uz^eJI!w--$VRH{{qsBC+@YAecxc;l8jg->VS)^(qO!K@ z)$&ScDEa;EuhI=cpCg%5(671PftQ@DL0~51fzvJ@aZ!E@^ zm22rJ^%|^w$O+(m{6_6>te>`6m`0+bVj?@DzmzP0z}T&U)DT{P?MYd*?n`y!C$JMoXj|ZVe(Pvhhb8eIo{k zL)Z6d9`xCiMNn3cIEgX+mV)8#72%GU&njAhceH0&k3F zd7&2<7k6Q`AFyIy&}G7*Wguv>)>VKyD2pm{Do06Lt&)dgk>;xKllMWo*~iOLuds=_ z4mEHo3AUGz$!dXOwpY>iGbOYa1RA6LqT}@Au2jI`ayL#O))TZ)OuGFr$BVPka-m|) zw)339?-|yQtGouOgCrMRr6V92ntuYq>UqtscM_nU#I7&wB0=4%+k?qT_3-r0c!8{(zP-D48=)?`b7SzUGATqW)747CJ3&CK7uiL1$7 
zW9y07do`)-JHRT}?Rw`orz^`N3ha^&40`q|3(a=5x}R5bpWY`7pBwd;oXW5vmn(if z@26(EFWZgq8eAb>2syIy<6Pc1xB&#L;Th%zw#@t!1Z>D15gYAIU5V4e?(qx<7O_cY zsQB(T1b*(yb&u{pEZGAK+S8@POwM~h9$|hO zqRc|}p<(%G@jR1jVQa0{&n$5?KcL3lZj&9R5<~-6vs1ShWV<3==RthuwpwUC&J~~S zcRNN7D3zV_{j(zt7?_wN9ALN*2BtFwVzh{~10yWnOO5so&_ucV%O=NSE`78kiG8hf zTOV&Bielp8Q(0WMH@72n4c`(q3guIg*bw76AlfF#dM3+psfQmi^=#J>KDTB3j%SOT z#)V^%MjS&zCBAP50`~?7cGDmBB+lT~AqXN)8lc5y)O> zfZ3q?jXVH;jup(HYpz5NM`O=pM6E^}=Kjwi_;+mQmeS-A68PNRLikG4C-0rT2>qfZ zT`xK_6ciLv5Aplu+n<+$Y}FDzdrabMs)$I&3SXb$Zjur;z`hPDyAw^55^(e|xl5;$ z_!1F<6&?T?oVUJREXaujh{(ge&yUMb;CIYD#7|>8Tzf|2d(7hZzi)4{aX%`t^CE8M z4V8iTudt}BoRr4vbH-#Qduqzh8`S>!iD)bqR%T)BKdm>Zm+aNAFXO=DmXP<9o;)q$ zEL#?76ghv>bdY$wcs0H6vE#3yqz80Ls+(Ox&fvw!`n{Bv0uBfYXY7C9HNngIT8eEU zWkD^2J5uqTF<{M}*^B3~N07N1-L1RQ-ivx~jt0N+DW+4P+_*`YWXV%=degi8j<_p` z+>F`>d6AO8>TXXo83;QJZk+lEPDX^ENoSx}%T!$F@nBsAQzzc@Q z_}Lg#JZ#&I{0q@IBMSD`C0amiT|r;cQ~UIn=eOJG!jtP%vA|m2G7tvBC|cfLO3bV5 zffs3-DsgYCxw02C>O7r~#IrIeoxHGhh|g`;MWR$ERoa&zW+)>g+B#%^5}$y};(bfdi-0BHD^B5(o8Cvf8s=B&NW)=~+K z_dj&74<oUG(Z}m8~1~;BI)yeh_N}8 zC4>op68aBV9pg{K`GCoO+`x(+_<0M0AdxOO$LE8_u8v~Ppe@2~1UxE$MJvgn3Z-Zq zkb?bj<(k3S3)15R@V8?^-&%w8boiR4uC(*sRNO0tm4_MfzZ?}(W;ASo_<;Xr66(G>cI>|r+tWN z((hE1*X^N09|aua3SdJdXn1&&&Xv7Y{!v1pcyVOC`mguJeAXdsBB;d|u5P!@Q^D6n z5phv5{5TNsdm2p4jCCzdznpTHmiOcExo|PO5JZy`4}0zma9Z+pmywcX^5;`$?cFT7 zyq>jq+S;DL)78~oTr8!s;=rRZv?z*md9t&^IQ(8Wb8|kn+s!sVZ|Cgz-__Tz2P_V! 
z&<~BTH)giJX>Ks3P~MXyCG~JMIVB}6zTG~%eO#>}=6W4u3%qSDE?h3Dq|W{M2q-ax z+ZThta$u^an*<}zc(-z9O@Rc#-Oc%2$ig7VYSmA~@H>>ddb>o8^6R9Y9gL^Q%XQaf zWW_g9h37B}BfBlV1|cmm0n#{b`fwL#k#e$!jSgGYOY)g$=qTG_>H2;Q&DwGXMj~J` zu(!z*>o*k{i4Bp20t`Af*)1&(6YIidYjbg%9$Pj`SSK{QNpmo6*Y++QwVRltA=7u_qy1rmU ztz!C}f?#axHp7p|H?p|z=65Z2NXr3qr*UFM$(NET5z8u`a4vk-Xt&q95I z;=&SxX`N=%_|ADzt`PwWC`(exWt|rtuy*X`1yzN8SK-Y0@)Ki{R2cUwhrD`q-J!HW zLA=0Fnuv+qzE|4CHD48ZG8~q#$fyjmLVN2Gcf+5QC0e5{{~i6Jp5v0tI+tJL<+2AMEdh-n}odEv|U$j5xkAwmi zBe=oy0NIkDhd1g>mx(0;Xh@Zy)%^W{f`_$dg%t)r4)22GFC@{E-C{&enpO zxz%pN*i256qc8UCl54H3{5&vQT2RKuJjPD9I;NUFJp{;+3V!s%sSChIH^)pi-2-b| z1Q%hK4+?7>f<=xspxj7Gw^pw2M^8+wgALHx;MLD}x2RNQeEG= zOan&4WJCu>qxf61+~KTrxZ6SIhw#|!7QVDoWg#lw&zHC*HICLM&yMzO;&Aac$Ca%1 zISTP?8IQ-gm=%v9?E)MHL6`RlP6BugiM5@E$h#`$p!weg+VsqD?%S7<2VAHv*+N*R7as%h;jC(#m zUK^5n*5T<#tysiibn6}j8=uy;|NB?D2)~uksLuoGDpj$r7_J2J0Zto#?ta%L+8U1Pw4w44`IrWHHqMp=xT$^ z(k!RnR)t4@F@R)-YR_kv)zp_H4e%z}bZ3o0ayP&g{C-y!@P+vsq`LTT&~K*jzPm9T zd0*13403Nc-WY1yFs8;8NTy#LiEapooo}79KZWNOLVgS=&u66K=EE^0n;DEIk{y-Q zcHMln4Ur9w4)tcVbXa13dg{x)x{#J*`D zPT&KRD5(!&gp6&D>ElL$=#CjFryFcn71bQ z#@QaDP$X+O<9m37cVd_xo?aYagzRkG@~$irk@i;Dz|vIwi45l2^X0e{7;Evn1-V@w zZ_{~d`Xsg$fky+E`Y1SZ89`jw_mj~+c*Z)B0j||#sRjCxll}tM$e~k+y2n_;8 z0E<(xdKxzqit3t;YipxjlZAbWfcfQRr9Au-(8^P_BP+a*i>TU<+r#%Q-z;PtFT>YX z^p*!P4GStW`QLZ~4d-)9OFeI|1!u~UI_`|oc~nUl8x9i7(IIoGn_Xv{Uc5nX@G)|z zv6rt$&!t;W=Y>+G@_pSIIH!%MsJ>5Ug+MElN_rX#TWj^l7n)kW55T5fkF}LWsBiXW zBN*S!WGTK(OzaL0#Y^7j?KC&m1YQEm7j1T>syGT3_`$$u_(-3eP5;EUGfmwfG=XwCI_>lWaD-mmp zRJK7%F|-Wi2;n#6nxR%tKRv;@)NFQsXu7UaQ(16{pweiq*1mh)S~sz_cE5UBiLH_E z2%s#xAPSEA-8Z!;{ax*Hx!h?uG_jcFBkRok3{At z5dwgaaR#vtuV3+&K1(;FSem(iXH0gnl$F{%PE>yYErmfrh` znmbj#`=1f_a==hjf&V3%XpH2SWC2|x;S{CWyy5z{Z9VsNnT9ni84RnOyN!kU!2+?? 
z>uj^?0<|>g`Ut%-8N}88qj2PY)=-0=Syc9-mPz+qsj@5hlaeO2LYCyjP@95IRkc|{ z#^>eajwJJylgjQ6A8S$ zqG2FZMM$o~yx`aH4fYV9@hVKXXCSDpP+UJE!B#<&g2KnO(^q~niJlA?fP^IC7|_kb z5E!Nk<&=gn&&L(3*NEB{W2osD1Y~SG(|#uf*RE2z0B%8p>%Y{B+{p8%#`OQUUt9>1Da?{dBTdFCk z>Dag#4rY7-vxxL!GWH|bxElHMmc^Q^J#`W#79%Gp^z*LyqKa8!C=P~+#jd_!csL3- zTV=}o?Cy73n=BN0y!nNhd$_O1XGgO$b1Y1)^9yq<%#C?7C869n5=-b^Jg1gfU2i%* zL2%J3x(dd@wo5hCbXC=q&2EGYpXzjhIV$a(ZFC(Qzt#Jsy2c);vQHc_^2YwOFw}=}P@dM}AT|_sUFjYtZ{tZj zOrEFBIZIN}cA8t)-@7on_5emwyR+(y9$frqJqxR|GxfSWUi(qaP~Gr3>n{Q2!w2XT zP;0=?@}fiEQj?SNsaQu^3o2aim$nG_T&6|@{btUnz7`u!_s_k&L<;JC&jF8~rNZ(s z`L@tl63akI%VSUL`Mi^kGH@$A$khs4zMNfk@pRh?`dN4zUJ6{Y{-hJ?$DYh;Eb`dmgGh zl;P_lOplfZ;uCoYSbdf7y}AIQcoizz(SD9gdKL!erM{#0At7OZUl~$f88{t0PA;BwFl(u)8ozEQq>FBeuQR7{Z&YP*@C2bqqw9b>Z$YM&q=v zPVgUsP!tCmiBhEDMA||#nAq+&^GqAbisQU+skB@Z7>DW3Wc%r+ zR~#;Plf^D%v^j>$;4y|E*m4NOnyrqCiI8Vvd-D+R1$rT1aN>f^U>=I;p+dS*WBJyTBrHy+k$^Xg z!3A@iVCzj_hux+(Xicc8Mq&~&r^VvLek)lnS0XYFghX%!eaE?hh|=87ne+5E%u8s; zd9?uD0tD75qna&KV?(%r12{PblUsRtvFb#A*~tycr-RZo-pW1!(}TdeWeKTp|f+72o&F!UxkS0S)6X=mAy(fV!uD^1Yk0IkRow? z%)LZn&=j~V`dv1OP><7EVsp}q*}NUz&W6Yj)CHg@+wZOL8I;`hJL~#n2)Vb;zIy`! 
zKi`_g__Uo!PYRs5z({UHsHlpLgUE~$jEmf;0pe-XUUwBS6?j$CCoJk5eB!LQu&_)c zWm%MV>#p@|DZ||zNovvT0gA%P3QL`AJX7&l5vxI!guJA95IgVtI$DgML^`a`uWhLQ zfh;@0bs#Ves=qz6p!lcXyp$K^GK(vL$Rb;6WAqD_zugSLUFY;jHoQ!tqX#Sw(VMe&Yl=QU0?UIe&c-z2RzlLNH zkEfZW<81WHOo(`1SLywlfvazA3KYg1VkvKRdYEtKP$#RbY0q&LpduSs0LYWoxL19& zQ&No%_A1zz^UBF9?e3VE=`F0Seb6>p+8gg84jgv~5oOd2HS}~Xj`r-$b(XeeZujuR z^xA1DmZy7``en+`MN&}kKpP8vj20JH7DnMun(|6o5eHV*#YuVDkcuDpigU~Bv%@px zB?a6h7fnH#Zeof#%}F%AsdD#pD=;%p+J-6CRh9KkPSg{!!}YVjh7)BpB4*@ueP6`M z_aV6M=2$3k6C;sR5DrU+mz0y+UP1^3nft-mCJ-DA{W^T~Eeq~mRc`!`4deJpd_vkI z0>TQ(&rHXLdhv*Xy(S<)N5Vgo0My?VZY`lA z&kT*m=9zv`Ktc$5_o3WA|5NZnWwL#GE-y98UzMRjoQrpEvmF&LY=`LkWQlWf+R42p z^2#X{?Ih~1Aek4J4kOUfL3ONe6~aO+*U2d(71usKy%yxX!O5`t=^n9076u^)9tJNc zmpl^$zNV4>)VcQ3xw2DnbZ&UAZ=2V!lnAc30sgR zxXlbr2sh4^>UI8$Ss(BunkUzgb*rZ2g3!jYGh814!p#w9Ud#JXXlb62A2ItYuTqIz zQDi82q+C~b^WMdUjBE(A(BWRc@>@a9^B~FwuhH;Crd{{s#JcruDE#&Hp?&3S_}rSH zc>yUw0)0JhLrON9m8Auk3=1n$*lG(KTT4Az)2#YW*`c3EGsYQd*=RrMALkRPaGmKy<|eyt9_25CtKwlZ#JSI2(vV0u9-If$pd-Z8e86V=Ra>8m~41otLY7c*VAzvE%2T}ggAOM+^huw=(`t;i|p2ohJ_ ztl`s7V7l+O&awbzu6OBXyR(Aj##)tR?^AI(9Su&NkLkJmtCosC5Dp9WfhS?8np~J# zU+B+T7x5@&>#12x`a<@7Pb&3rR3 z#Mot{?avyJml-ok!Iv#O@q!XZO$lA)S@f;Dy>-(_!q|LK=o_R0mK#`9Rl(h8xR?mA zQK00(fNHLAGZ4UH_66StiwDif7~nn@Va z{+{1dSKsRN5X_IFTrkg3=iq#ckZpc=7HgKDA3^oF+V0tZJ5NWQ3~9R9l0{(SAjf;}t_MZtrdYNM5ln&8q}(v^I!c zHaY6EsOoq|kz(O;Wme1@$**#IEw{I&Yb>K5nsR%+;Aml%4rSHXIoaP`DUrdeSItWos(I=V>;Sjsa4rhaS$XRAR2vZ zr>ld?XrL`~yH5$;ZUk+A{NwpNVLo(?hevs(J$dy?hALL2AB$MAD5)w+8tlh}q$^+% z{bDw83#Igz)t5mk@fut_zUr3L+xwBiq@83J<@>TH?0$~*k@N@l>R9&b#e-B5tsb~+ z{wR$8B1GBqFPSwf}BKXZJXNo2y#<&Geld8 zK9fxvq&al}-xXnX>Tzz{dfV(4ca&qFC%dzRTFE zSi4^ANGIdxh-1zxsE(!$*!n_1c(64$BQZ~s_hVto1zV_~VWeUlaC<>zXlaeYA)=%r z&|gQ9U3B7NuX{NvW7Daf(?yAQ!I1?z;utrsn5G z1f3=RW0Vz&3OYF_+WtrxUbK<;m@ffl)K4xzJi2$6BHhqu?i~zP7*Xcw`LbG6Z)NqK z?peBu`W@vDDbcyK0>AOKV;_F-y1b{P%6br~_)TD|^73Xyx+HXrtec-jL3Kzu@KmDs 
z8Owk`%?(JBUPf~9j@9+qm0}Ys6aN3jPcf-8+;ugQ=RhkFxauE}@)-p)I7PdW7Z5WWm*l<_$;w{RjOfA|OC*o{2n@8$|+O$eGL-o4iZo=g$koU-X8PB@qmO0M!>}c{tw2jO$8k-RLJu2 z!v&9fGJCHHIpLr7>ANgY`*i2&8ndBuSVDx6Em_~?4)qx6m0nb4cG?x{YfML-+~Pc$bOfB zB8hz)i15!K*VIZov9NN3H(M*9`~L>Y0e|DpHu;c-NyA#-*w|UnqN~=-&~_z&huTOD z`8NY!h#c@SGdMLR&u(>baWcC&qezLSqmx~5x1s*{GSHiiRTfp)^~SLuB@0i?kV$Vbq4+lOlvedJI4e1za%B00EuI; zFM+tYxY2TQKntI-ap|O_r0neMZXfT;%F4MPO3`pJ(lSvj%*6h$p1FrTisdH6)~AD>B$6oaU&JJ2Jn^(8%{EB&T}JS5!znCt8 zO-=UzcMUbQu!2$86e%U#LJZJ)tJ|Y&oEetC`VQrM_7P|2+(Und%eA&Kv+bCL`!Q8^>^Ij;vzRUr}Ur< zC|Kp=%|m%jjirsn#nD-CDjVzk@1Y@dpeFz(=JK+7p%}4jMp~M(vg-2Mnwp9VG53#K zhShAXzbS9T?DKJZN|Eg4=E{nSjEsy;uS-5ia}$#x5O&-3<<-^5VJg($dT7kA%UP5q zRNxAzMB#Kc=Ox49y-)h)6^e>+|0F=v2!p>!qZ$N%_=4(aZj@7vR?Pu(Y^Q2!Op1%4 z?Ne13Q_<0f#Kg|=&e<2)L@Qyuypv5tSqj!R8>Wrg#z@)NtS+J&$2$7f%fX*ww{5Wk@^xlZinfjuE4{M@UswTu#nK(j1eCv3N*~ zn>(?VXbnhkFDdpk6f`syVGhkKPW6;@aFg&&4lT&#D=RN4BW7!Z_X{)Q3i!UAtu*F( zo|J3Zb-N5lV*w)uoL zW~r&e!$ZH%_s2RF?48+S$Z?ONNuW&PemIp)neEstCMI^-`{`?HdSGJP<(Mlo(M% zhw~tsaa1ZR-4$!xeKe#mou;fM{4O^U&f<~ibzRF3P(mH+wii^ewFXLE)$6&NrxG%4i7_yhGmju5ah&`mzQ_F-_3om zH=q0Jn+o7jze#5?F;qpbMRd?}uWq zw9!*Wrqn}%|K#PJw>QOvOD^uIsVU0?$xzYI zfXOeftR5;v#;PhPfSZZJkc>lOmR?+#7xdScSCDGwwT@u<_HAFi(nCjAcX+L5TpzeF zidSnAw4MaQ^|=-oC7HH?js~H+&6eMy;ctGEedtP}nlxYTjV3YHl`EApgGZ)kWL&H? 
zmbSNJS+T7W`KD%3WO(fiMkt6lOJL%&BK(p#AY3O15N_eQMW+nE$zcp2BwA~0cAaoi z#bH<5BoeV*H)Ax@z|??~h01o=RW(&rNUOm~N#x|1+n&ub;>Dbv8Z#aqHJ_W46H5#Y ztE|K!{p-_MZ3LK|A#@)O|9E{JAXH&w-ZrQuNh(dcN+GJyGIERE>7k&2#P-rn5dlY+{K=5^-D5+Z)?#yaSV zK6jqCtO1GT7cJX%h&84!e~P4%T5Q%_A2-~3?`CBb_~82gP0`wQfvP2~;DDov*4t@cDM3Ps*380B_1XR@k<46c zwfhNlb@;iPY1cz!`8tH5SHzfn$4sbx$0giCYO;%>Kn-_+NmuJDyFd) zP0i8{pQ0a{!|TDEKR55MFGXOV5UeVn%df-!-3s>sxm+Q*E*ko*K=H44LEBg4qu)7G zg;?33XUA|x13$WKH@KJc&p5*;)uvM53wLBiMF(e#W%3O%HdaDzMq(_7kWIyzZ1+Oo z&~^w&zdzIkOOI(-a~hwrhj4L@YOO3zNJ$H8DS|p^y)D%GLS*iVx3jlXOV9E>yH+IX zjRY2OlV;rpw=mMn{%L^Mw6$XWuGjlgvN^XhGlea&=(|Dl^}li}0dC+mx*5>dfxJYN zW8O6w#&t}}+@hRZ2PK#O2qmN&gugPb(Dd~5l844$C3H)O!bybaMv^dV!>VtCu-tnu zzOmK=t1SQeXFGw(_(hFDE}4wm<^R}v$M8JbwGFh5o5nU9TaB&8HXGY$+%&dr+s+d; zwrx9UZ0za#u5azNk7NJIuN*Va%-nO&b)DCVj+4*G@qL}&3pHx#DLqIK3e6iPIW{Q_ zXV)pswu>`xrkMV(k~4(So+GBcU@UL-_tL(Jrfcir*{Bu-nG7M1Uw;1CZhZ zPO?!8koNW=np@Y=T7Gc13gbpkLoP#KbPZ95*?%S&{yc?SQLrg(~y3QL1k)hS>|+P z%I4(MP;y7GQ>&OG4)hYUlT%WIyBGmNa%$oSC?e?9=vHxp_gq{nDfvBb^c{?o4Mm9FfC(|ttH$6otHXSyJe(h{Yk?E2T z?$;j;N&PJMMQD@JiKB8maxR~BD9UMNlE%}@k7J##7LOjlDYm`e59z1_sUxppf{`#T zDgWQ@lV}pxcf8W3_baZ{HISfZwQ2U}^z_@<;Pdl)$8zhvvbm^=nwqJY>hDx|59^B2 z{-7U(ycs{Z$Q!EjUv{co;^Wn1!eAsNCp>)45ZTynS64zi7RDRV&&1{W-ftTi^ljOk zWis&bi^j=)8g1mFv(ge;uy?PVq#YbI*C|e14fhLWLtm@koy0vr+Ti!sPhC^Vn7Yqk zxf1ZDyv)nW2~um^sA*443!STuUkYnmWu?kaMqBC;I~HvWtPc0BKwCk1Oqb@9zmJz& zT^Fo$UT-VoZ+P7FR}qwE7t{`E(7)wxEBxoV{?GfdNdj|dW;s$H(r*2j79IP1?19Vd z7)CoLUH#dxevFQGgoawrery&OLym=&kpm~;Cz|WEGt2waEG-%X#rE6tRv|D-HZ%l3?Qi2iO;JH4GnBcQdON+A>RnhTQc$^LXX^AQQ zyFNWmuQZm3Y=%+U?tbg=-RlLv7ad?HVyi%}8J^U}nZ}j0HJ2|>cl&o^m1p3U6Li`> z68bngMrVoJo2xim8;YuoiR+y%I$xCM_$t01FwyAf#Ojw=NaFGT1xMr%Q(l;mg8tie zL4ffh>$~}*&Ch@3Sk_wexF&(?UDIhsx4^xUlxwQ&_@vg?8rZ-3!mJHN;r|F~;mFTF z$ch-Nu47tYm*317gr!L+vCU*1|I<&#qVHVWNt9|VY zM~2&o|2osj2Y=_i2TzLg+^UPr(;`%UI z*~7J|y<#u^lWz;8ahfYZP@`-FOlf)PP9ex9{m;%3gf)8IOBk^2QM&CMzyB!aaV!v) z@7MEm68URX{K(bODbq14|La`|-Rb-YG3erBEkfAA04a5CvMRjN$7! 
zKW>(;szO?FB8#=+LWlJ%{8ZCX#QGEh1cB|2nObc z#vKkr^|*=Bd+YwY>GkEmlKn>?X9nm}*lSuVw}QNihEz#6#`(1@b5*@deckirEenLy z)CQKPN9X%<3sgcA5)t!doCrO*PX>cOu=WA#zodV>Klc1HVJ{zFKJe*MrcT)Kem--Y z;B9ihJ*LxY^nATt0GeND1iXitthaiTvDE&4F<5N^@gwL+MwRT;-;u*av&r zaU#+hF%`{}@YCET{*~@9s-2e;TumXcRY0daZ_6v~fX&L!gCHXv-g2^e*_^blt){69 z&Z#sMp$LB%wpgx%Z)ItLJ6vW_Lre;o8sp%6A5=Y@+i6;q)Ru&{Eweb`e{&dM*FsSE zxjfkB*nwDjdp}sx>(kzXU^A?e@^d&p@xpldb%e%}x%M+hRN~RG6~)1lLP}fT6vf|S zA~>?ydZqC%n-H=lC {a^|Z{1y}xbaVjm2z-DIcw1XKAxRP#3JMi&nOlxVZLsBq zXoIxomf}QX{;ndg<{#$`zI%A;|HLkY8$&3!z^&xxhb%8A?)Ss$wDWhq z9L+Fz?{1qpj-3X_)>;f=uZMyV2Y4=Dp5LF%P;Z#3s!z?74V0A1@Q8m|YnJBZp(5Me z%~pRRUXOa;Yxiky7@t^y6n3=x`MhiI&G2#`R`hn4)7Utk!9G5)>iLz=ui2apWT`es zRMbtp9zbNN8ILL6;y{@fSs4i`!@pO2)O)X+A6my5Q#}6wm(YdNP|TTVYB_0$d({@= z4`QjJ>`Nt6Y=_cS(rWtGOe1Lb783QFy1Dt$U)}u6gFS#uaefQ+;D5R30T8MEeG{X; z3azGf=LMYw9oLLuvTal3D~HG1lLf%{AR1ICo#Jp((X_n0j8e+bROubRr!Zn`u6&ES z|1y!BnKbK_xHrV>ai^}X?jI2FTX4_A_|IBsXsExx|KDE0)Ocg%_4$5bc9vGNKKM#T zMg{;fuJ7*lOSN^^SgW>vhi_y02CXX2EMDDVH6<+#+0DP!9*gw|IDSnWCC3X>>=3@s-5M-(WFq?gjqaHA;>niZ zA(y_mysj!Q{^`vG5}s9+vOF0^m+}LDofA2`g3sv^thN*Gt)&&ey*2<8{D9Wb@639m z!wV2NwY0R@aRC)@jhGd|*9Ra+bDvbMGc;J>?|%>dJh%z_{U z1cdO6rnax_>}m@PKGjD)Vq#Fv!_#@vByM!5e8)*)w^or)#+ShIdk{bc;y|{t)3F5$ zi(#8jY|Jg$+4gZIA&L;E#3hw!fZ9^~3`T!tY@Ehdjrgi2uw;t}KBq3PLa~H~2C=Xo zN|#_f(o-F#lBoiH+=&$fHm+dF~yZTbc zcy7ep@2XJ^DxqmxbShKWj&;`r5%C6(&ee5|%XS7?JN`v!ZETQbHn! z0Pyo1ZhN^J`K#yD(7=xkn10sswaP70=k_>J1eD~@|2k~JfrBOGhS)K1@@SlcFF|oTJ2TljU!8>? 
zcCk@yJ{Ad6`^gcrZ}tXg_TmopT@*Qez0x{*n6kT{Ng;HcA521Kskft7cB3ra!#&)b zc8QwACTIpD5;Z*Sj;-zOjL z??a79OG!C8Ir&EkeWZeG??IEb4wu3pH*Qhhk6#5l7#STkLenOxO=Fpb^8=3V001b{ zq@~1oIN#a6e1XV5{6v9`Q<;8Y;x3xkbHVHU9Tn&-|I_MkS_p3{vR;~UbgkgvI&XNX z{V6GO;(t%ChynHVkkJ=wE>FBG)iA=kab_YwO5_K#M42C5>f0i;t-DzuEO--ey#DR#3Q=OmR0=@xW7M2!J z=27PiG7t#r2v68wKB+?R3JLo66H|601J(h%Sf)QvIzlj~Md%ei2tir@+9D=Y#C^HC z*y_>H&`?lN=zY!vwx+9!LD_Oy?Jycb(KYM}s8K-lL_q!8i;Nrt zn`4{~;LQ|?_QS$gn-n zl_z`4tSeA<{yMXXLHOzwhEP8hcy0Tiuh_aW=#&~;SAe{|nxf>Inwmt$^`q^$9|`-e zuALVu=a`v~Gnv5WDPQ9lN>IMn6}~wI#!*kjh#q==#EDJ#W@uRAt)@l??w6I2M3eL3 zc2d>3VHU%e_If{~O2p=58u#*3>W>mrY4Gu1lOi-yW#|hV7Z0{s+HO14wuE})9H7?m zOqPZ5aRQfI5)%BJoGlj9F(%gdm!V(3gl#~tRfr67kuOod} z@T&U*+R{|C!G(f|AcWA;Ym9HXdJR~`O^Ruz@0|i&Mm~$3lR7z+jfEfgwr&WHq}o<$ zw2;v^^Of;Cm(j7>jW0HlvsJNYWVq~}$mkfnv9buUOHqSOnP$rWu`FW^{7_%su0z45 z!p%_SI9D2(q?-wLj8oQJ`0qxk}w_MkUFJhupiF8WR z8Ktfxbjy&C7o2NsmNzz?I`#({p$Rm%Zx7-bgx&(&vt9@I?JG8UA8t=xU;lgySuQEz z0=bwk%pG~Yx33E$Dkvgjm$=@qEe8a|1_wKzvv(?trWQQkcS;$uGWl{Jdp=hf>`V96 zo1@K_R`FLkS-}0O(Tf2bpiwEvkJAn5$l@eGV(jVAb0C@%G- zGkNyjpb6Y>rUq;~uPa-w_k;Wcft^}aIUdo6#B#`VeiW_&ky@;t`6Es9CGpO8w0?=p z5Q@y7@4urfTlR6vYcK=*x{fF32)u3-z|x6RVSYSd>Ux|t$g^tW@;{%lNDmd;AR{9K zCq0i~Uk|p%5$aC?yb*Q)6CaB8fE~biVT7(}RY)7gD1Mx%suVZY9GgPn;eyD2Zm2%o z<~o-`W4FQzB#r=#z<6#D1Qoto?;HjHA)PlJ9=Y05lH=`@NJq%&tJRc9;)qhg3BokpCiFfc;^}hcfW- z;GF@>r6nqxcJw^QgK~|v%*`u+W`(jA4Q?(?)91U&6c%pVP90FWwCRazaN+pdE0o*UUZgETZ7x!rC`@8RPDBAnM!W5f@HwOkaCg>f8;5O)uZ93!KY!kSp z)j=(U%4uwEC{FN|I8tRJWBt{OgaV9d+=ECk;o za=(j&cfL*M)#D#QD@jP%r2`kSPx%u&qwx^Y2bm~_@%cL6yu6%|%Mwmf;on5CW>&CH zE2n*33{vQzO7ofen()`>4KDF07Y{dccGg4h7yAWxb|=0UyQa?0@fySB+gq%#f-+fI z9mjnqj~`}gs>hy}kgT#JYZ)ufxw-WgmfTrB9o)={pHrKCe3~jM#(lwQ9b&&~XqL`R zPTqEbFH=!1FD>bODfQ#VKzHVOZ<~L(&J^j9cTqb7#p$Q zjz9&bhpzo=4PzKGBlea*8PAl+RGwyi7(;g*41rBPyxWf1W}y4C!Vb!4c&tN!LoT+Y z12^PmWb{{RktzR`kEC9O$*H8JQp0AB+;}l!#-K)R{;?r@QPy7Ul|I81d6bT>a>og{l=unNv*d-0FX@87wR?uiTJwjoo`^ zr_)SMrI9&wl0ot@B=HPCXb>jDIReb&`Jn(+Z}}=d%CFglv+dlzIYd4I@m-9wQtCnN 
zg?OrJu4L_nh6M`^4f7bjKc^Z;C~OS6<&MYkXxJ<^c#(nC5@1S{P@S{mLr1N*s`OKo zuE^M=?ebId>LueTESiCVNWNH_YM3FTC2PFWq|)JW)a~F>k(q`dP8-&!C_NOuur^;)p)1$UPS37XNQ0BZCCqS1XxSdrfHj7;Kl@4S4HS9T};{ z^ot|H3iMR2atLs-G)GIkE#57*wPUFZS2}Gf8{Jy{D`oG;`^{lx%z0;=yIWZtQ@Q_v z@WNpsHnl1$S_!@Kf9xWg!?*6I+MuE`U%G%mt}82+e-?k|l4u0UWd)K->W1JQieFx~ zE+$dP_GT!M1UMMrtAye_Hhg(*X*u$|&qyqyu%C&=z`|c+^Jp|`OcYj`-P_Yrzg15Q zwqatNjEqQ-o+cyH{PgJt0=(%w5FTQz{%mc9*Q@m|hE$QJ`*1a@NSp=W*b_u2y}W=~ zSy?|NZ{oOo^R!nrf!Z~^ptpHl3lN1z&c)A%-jIY)2ow-tO3IEZHal*Pc-y2JM&JZ9 zz)U0#QfK{_iBn&{tD_EZN|IhZF%z?@6)x#AdV&fLqYKHg)RXEQ57KNU3)lUio%KAC zDMWu5Ep!Lq`@D0p)cTT!*V#lqLpY~4=|0($T?-Ee5A^KkHJ7*ii!imPB>ez zB0<&H29}j2#Ll_9H~`1i4WqC~$`c@djR$shssqgXdX^(0Q&N2yVf#k zW$~rH;j-XKMBT~4VY;zm0}~w`VVx;P6-pQt8Y;cnG9Q?(*yl%Mp8YdOLI<;}^PgR1 zU_XDpnQeZ~)RPGgCZZVGt0D6s!Ly&~w`IDu_<|b=%(*6dXwA0gSQZTO0Ys>4 zkmP4}^G?@MbH0_d6$&9P=<8Qc0^U`;r16a2{VCG0M>9(uLso^{`!$X)5U7bO>-I5+ zo0+6)hg7jju@1F$Y~9Eu8k4z8Ex~3F@e##h8|D}Ps0`q7oBR=T z?9)F5PmWl2T^V;pEpt<4WqD3bV?zLIcdO>Im}EdiOiW!#NmW8ZK@Rm%M@?_*C1A|MXSr{M}RI-TvKpBmK8Lw07x2E^uBQ z!-C9!j_$Q?*6BXu%Ax^f%mdvaE3py%elvdH*5sjby9AM$Z7*hMF);(zw|Oj(t#uL< z9u6--HQ*Q)nuZf`6Z%?SCv-;LUSW|whC>IZiO$6+diJDhY@VlJQ=y^Qq9T;yDB+jX z&{5MA(KjaeaRK^?J2hDwUq9l45^#sz`h+xgj|p7Cb67GZ!#}r23=wQ)hJ}w8)AdVH zbwim^ruZq!M*62n^u~U={Uk_W1+-S}fPv|mGj}86Y)4YuZk4f{7&|K!6V zZi688*hbgZlJ+cSWgss{CPmM*kzvHmd9=AcHag@SVPY)3F?vk1m&xcKCLp}VUXPmn zf5E%w=DeGWTj~0IbBOE^tE=_tc^eC>FTeKKA}WjJ{^?ENK7nZ|DiJO!j#tO1%y4eJNM7L-8Jj0RM`A&yCRUf4XhXO zjx?Fa8W=muPp<1SIGt6Hfvyu;G}#8t~Hx|XO=bCH11_p@e^{jS!sLwT8zrj zRPP7in6&1Qdf`>t}#g4uC6!jd~L z|E&1qCLXW^z8MWT4Ec9-g$9J2@hyCubYH+zMOPUTU7JSOS1N&j4ChUV&T+zZBP6U41baL;C5{r-3L!af6$i zoBUDH6cR19GKqX3&FpYSm`R3L1yhwQZSW}5^N4w^xf-!Ha9GbROjO3%0qYp}QCI>P zGXHwM3zFE;R&D;SSXre*;Rksafke-UEI}`4uxpi{WR2(OTC+s8l5wd`np+Ue9o1C! 
z05XKX=H9_U9x3n@S5;MAUR;z;=cp+zhS^@6ocwvq2{83&Y2gYNmmXQ;p`C6WfT+j94tQwP`&$kpBK7?kbJHE^qgVbz?<}U{*ZKi@6~GSz>Zbk6@vmF~ z#u?CkVqjoEBN6~(Gc#-JwGJ9LUaUfWkBpNJ6)6YUvpuoKmirU>m6y`FgHLC(izh zDr72HHZm+QjSV+7wZ{u*xfcaU&CO7EEN&s}{G~Fy6Zh1l?2}SSifd1GD|4pwnkrFO z{A*-tD<@bl;RZJAwZ@;gp=+ z-Q9thXf=Qe%?ZAyd`;0Hsivqny|_5&#z6)RmRY_v-4gm<-~t7cx`+?-rF z%r;1}{cySC<>}cRAXN{hm(J(Kg;$fE{b7GteHYflf$!1T%gakrau^u0+yf3!>%b%q z00|v@+@0mlr6&kZm4?}O*U(=?ZV>zCT<=c6M+9V zH#cqy{1wGLd;$}|@m^YLQR5ODMCFaq!IF`dmd)ToM?%uKvI=J&&aFMM(J<)-V-=ire-)Rmb2RrjEH@DbV@G8!mKFQsDr9Nh`QHV!$QaFo!04}o9LQ6nX9`vIX+In6&YNF-gt0= z|DA`|$m#9vtsa;))c|v;D!tB3cLBu;5rnlM!Qv3%po(IRe|KsE-<#6o0q;c|i=>DB zSY8eUgpTfxg-xsZ$?2TeB~C;&#~v#Baj#B=_%<}Kc5@QX!J#3ytz0sIum1Sx2IHnw zB$vhGX5r?BtvEkhGBY+Ry+vqab3S7_uF8462MrnY^!U6mH*b)h!DSs7Qe!V6!DQ)X z_w5iU*CtZgR>sEifRO_u<>Awbnqt@J>gvo4HwSBeVJlP`mE`(%0e~BiZs|%T(q=U2 zD}4J_?3<&YFJCQ5L349;mx6@MWZfU0QfDHUg2&0pjG_sUe_@Xl;$lBeifD-VgBfU$ zYeE_$6!xuPvzTNL0j7Ny{kXPp@bCeALQ}Ih%47ChT6W}E#A}o^G}pJcdx}<8v~2Qp zIgEBPFeD^ociLQVd%w)-blb3=AkBATt%~;HPGPMT8}SWQGubRL+K@s+=za_Xy`qHf z3{w7NPmdvB?D|q*Zn4RrV$XdV?Q-hj74AHD|%!*O4WI7zxBl-~DF3w>WZR%^aQTLLu; z&xod^VE1!OcTBp~mBVlh$e^F9%de{P#aby&n{euHU%c-fk%lqpz z9=F<-7Ra{A-@iXS=VxT_!c8npYzXM_(|T&#*?rU2K5eYfl1=AORa3M4vnj8sS!?** z$f8iB!b1+>?i-gCmZoJV4|6-2m?`9TCp|lk&p$h>JmU)xV>Pr^qOTdo9xXL$(b4%_4f7sKGs*TV;e-B*QzvV3cwc%&iRSiA1VK# z8$xo>nbI0bP#uk84r(tmP*VfDfH57hck-ecHY9%v@OJfnxf}@g0nDNWCi0{JGBIG= z2zfj@DlGy6T;K?Y;>NqqHjTEnw!URL?vLik4v$n62Qg?xOo461)Puc33P1Iq0p`2W z`b(mUiQZIo27RI81aAI;Nb(B2=I$NGKQDfR5x<&+2A9--1J%Zdx#4GA zH26+8+wWju%JqF97h3&4BAwwU->brXhMioKW_0>{Ioud~H!al-{w-~3``g6&n4_-X zaQ8!;_F!8Q{|{%Ay`!V+>%ZscWlM^R%ZvRZn_FAhS!Z`Dpe#>M4@D@1F-5L>L{^uU z1Sjcke$D!|y0?0N{77GEQ(aj+Lji2+%q+~Qsb9_k0##IE;JLb%61-e(T~kn^hKA6tm5%WQ)9#a-roNHuDq#q|D1 z#iI*l_UiYBERxVQwgqiRfb9Pc4Ej2s&p`?pM^Je9P;f$rzXn4)AIEIPE%b_UZCF@j+Sfsg>4K{6$9(S7=JQOtY= zN+LCL1())CH8_l@{vbl{WQ#rbLq_P=BlJTSr>OG(Y<0l=f&%O;BZEKxV74A(125jF z7)#Z$4hISU?EEn^fKOEdH+EW+ORNwv&(Q^HzAS7~1V#{mf3!T(qN=Jg{D4S%VQ1%r 
zJU>4W2>SGQclY$~^`XhG>e5nX3htGek&%@Z=#BvOLvr-Vy83E6dwUh?+Z=qxHp?ol zw=@dxlRt!$rMcQzN#DP)#v~<~0?A(Hl3$ebfYMFWDL)#)5ET_r8Sn<==HwuUhM*Ey zmFMN@$o=LF0SQRz{{Y9eo&f0^mZ??ibKB0E8#s5el=IV`352iuA)$qvfyh82&u<}s4LrHE;1Ol^ z)%d9xNB)-*yi0BW&f%Rt=189$X`1gp)I;Z-OSNK_SfzQDDgMyM2OS;}*RHAcHot&l>XO>r1zVHhHUM1G+h4Rd_R(Rpjn9*tV^~&D@ zV`6Fw3LqI^udb0{czN58El$v$p2o&xh9pAFbO=Iw-=7F1pkQE(n87cziIbvDnOd`>lQ;j)(8hhiLZsZ0>Vb21CBu`r*PH9PQIGF z%6YD)Sbk&?L7=$m133ctVD6`XzZV}MYAug-dFm}|n^~$Vp64dHE=?nWBVmAMXc_5K)tERTlL1 zb)baA+)xYY0%UDbb=cXDUI-n`oDMj>kmJM}#bcx015x*hzg)Ib_UBX*&N#?hTMcyP z7Sy^~qQ8Ixu_o~61-AOxc?A&+q=_azDoFO8p6MkaC86XPv-7iXndHOL$i&eE-379l zJfEd@@(o`d1H^4J6wsyV5g?$&U^W$McD;#eQ%Ccfue9v7D3akBMHU|8^ zKt>1YPdY1Cll8lsxF~5J?(v-RKkNviL*q8>*5)qG6^*VzK?tI+YH}INcjv^s;-Arp z`ZY?bdP(7R!5m}t4v)S=_KQ(JuKY$vgM}4<)QbKvwL4g`Ft_w+BJQ(5<|e*m0LrsH zCMFkmh?y!iTD5SnsFI-}pr34-p%*D?tc;9Z=31^dwlR^NiMO?|Qe>lJ^NkN^Zz-)s z(KXQ555^=duS_yDkg;A{p0lmcY|(asKYbSDjb@ycx2m$EwGlb>M;GkF8WbHH^Q!Xf zl`_ya(Pk9d|2F=Sbz29=6FNHtA76*!{>DcBKm0XRkDv@! zZ)7VirUzJPC1JO?OGExqX-ch@`}37_X&ES`ITdeP+f*35S`WN(uwN8ph{}(n_F}S) z(jQ^cUlRRJEa>OzenOOSLFOhVmU|0gPx;OfIH36=m+tTsOUlYo9?&W`lvidE83dGf zDZF)WCIC`*x2L`O=~_F=fiT8mCV^5TTiJf+g6p-+EJZ=os;fV=OrF5X*LNb3U!Qea z*w=w<@GvBB%fe3-Z;U(3Xnp6wxtv<^=VQ(oedd@{;jD40AFkjEo?Z4m+y z1A1XD``nfP9vsMViZ)PF^YCv+nF}_vbUrbQyLGLh&+Y#W4ioqptZZ1IU|m)pwrIwI zvwYiHk7iQZ+p`Ub8-S7)i|fBh@_#Xb1LVntxf5vS2iJENtqVMJVg|n*-Rh zKmaN|>5e_2@{Yu(1tSc&1qr>egCJ6L`OFQ{s`1-v&y&;QB~{y%|Z`pQJWx!9+MDm!G{ zYP;Nexs|8Pl9kVoO@ZJiMomvLalANRXFz)3yG4GE@_!EkfD|bpf}Ic=8){jdIARZ& zwwu4Gs3*>Yg($(DrD5u)c9tuk#6j*cn%HF{%UY=@jL{1VHB0}BoOHJ2C00-M$mCgDrspEwpFTiRRTT3`@XqzsWA*qp*^&c zV;K5cHq|#)YS*xGOm^nw-HbBWc zsp>?iprxkHB>?6?lzHV0fTv#tn}Zl1M_gJO$miV~$S(qXCB? 
zDghz#r~?-_p*ep)W_kF&`@{P$hL2p58Rzuo1)p2UdYQTvz86nU&2e6@r-bWZ`zrD1 z2;=cf&>kL6x6U&datzc_E!_vahS|cwzP{d+bZ?g3yR39~9r4XP^sm#Pco-W?gr z%{mYj9ssdU05K2%M`XXUu?b!=vi6V~w_kL_#t;C|jNcNDW{3&^>@EKOEeJ@Z#>kB` zlTuSHEG&k}dIy1Q7$6-^^EY~JM@MF(kyfL2XR3y7vBsT3#pzD*fB=&j5Dlj$;}w^e z!Itk17yb=S@SojN8yTjatuf>IM*DXN7zl~`{p6(ryd1<0a=vv=D@%1m+~<}GLKkZHCGvwv#Kql7Z}EwHID z{(^CGcG|-m9$L?`J~PzGP&otjE?D{|mDH6~3ZW>WbV`Vbh{!mlZwB8kb#-S0nCWo$ zVu7$*X|1tsKuDBILZ|bb{C#Kh`pqT2qY^bmd#&9#iER~-S$$mcPOXBvWx>#P0j3Ps zAeU*yvE3c;c`FQPK>z{mdZ|hoBW%y^-^7!#WF~OTe%%QOC-|s-AXWwG`0hmSeHp+{ zdII6&e@DZw_>mg4@Y!vCP`k7dLGGQ2VFu_r^8LW}G!#c+yHpFwjDv$C>6orvV*rWF zf~2ISrS;>B>Hc_z$MGx`@T!Q5iv!wX-AP_zdRVs0<41QC(tr4C7{254)ixRkiFNdpk8_SEQP2yF<`2X!k2U~{v0COvY=IE6m*H0HID zjg{_*X25~R<+~=Gt8b?8IvG+~vUxFi2NJ{pAf$&Ics=}n{rbzX3C#w`n}PenK?n-yXp8`;!OM%^0TTj;fB+R@H*YEIy_lsNtV7pS@i^C*E;O7n{^HsLntCA9=fa;_KtuvyYP zH#}jP6sem6I!pliyGb*}ws`RKrZHGbOE298=NExwyih}FX}D9=eQ_+ddoE7Sv&9;4 zOXfiHQqg>WWGE;oax$_U@~bCcuz|M!Gn|0W^T*xklAY?W@+pMxajTIipBQ=(B6&XT zeP#b2cHVH}O~&3t3Dc>D4`NH(?7P+eD%(`Wt%*XNShXE@HCcYC8G za2t;2oni0HKN9Z?6}hg|s*`md{AGd&vacGksOX+=m1#X!9MNZ zxVYS}_s0hPFF4C5IMBQS&j@U6Y&$_TaVJR&Kfzp$Zb$`^9KSD?`4s@jR4PlhxB+@x=qyk5K{ns!?CgtoTlCYh~d39}*n zF8x5Brtnehh_qUg1bw2LwXSpM7w{ch7P>1-8SwJ5a=2$4D|c+3v=wwh5pkXlLqQws z&5Z*+$Dkxv3(0eTyN%5cax|Y&X{4@~TLb6x{=Au-Y|W1T63}ZR;zx8!tm@#txV;a$ zBM2F%q0Qpt?CqP{KRoJvuXuag3~6=@SsIU=NB;hnh|xcfQK*`Tk)YyC=+kh$VlB?> z7%B|L^WwEiQ)Z#&)9!d(i3%M#@RhZZHkq@duFUZ)@O8tAv;M$N+T3mICPdJN9zhX4 zaeu#1tjJJt2HBaaCf`PUWtFRo}L#jAR~+>ZY#z}a42=EfLLpIn`9+)v}JuYH!6 zc9wa)k@!t7>r#qC3wMLgjVRLodNhw}8W#}(XDS+~k%~>onelLbuyTjbjft9dbgIwG z#6wh-eUr!FYPIGO$`wOkDvi)s*HF*OVqaZHPhUn$RTctsjnB9L`x=@JJ&Mr)wk-K%^WPy*ZIZ%Mbnz7Ycx}df|JAH76YR;p&IlvIU~ zTvKf!L1c2Kj??q4V|Far-rNMgo4A3+IG}{p1KABf=-Uc=6_kaoEiKj~&f5@TZa3J? 
zL-6Y8Ky%Z04RuSwhaNuM0NU5{vn@1~&5p|;L)0Em!WPS=L|%%{CHKQ8%fdjYA2>M2 zAkHOx?zrZs6CI^~=+P7mG0<$b@}X~dX61O~t7*q#z0dFR%l<$p5JE<~`BL~&Oiq>0 zjgGAMP!I5fS(s|;85`=pzCVG4`A_+scWP4v`6>gUo?O0Sw6>aMX(EN6JsZ@N-Lh&wfn(W0Cn6B3kPSo z^vjZ6w%1ME)s-8pVd*~cemGw2ui!yT*n$3jo7HAya8~S2d);15x`8UYE;iBd>nP@q z!8DF)M9_c2*BbM`==>-|0l{PM)^EW$m9O1z%E`^Rs zGpCFT^#h6V7Dv|6j4)z`RZ2c$&BahC6-tU{gsvHMJbGE zGf|n`JhLMbu%#>W%a7HSbDM&8;H3&zmep~vDY;e5W4F|2kIv46b+IrGW7L#0V-*Vw4*kl)jL64P;XK`Q{W$4Hge%8?V`&TaqKpne- zHJ-A_`apQKwWV}PkMNaUk39?_4GWlM)D!YyZ!FHbuY__gCee+C&k`isg#)tFr~ds< zIeh$F#&`Iq*JQvN>du{Pwb6DS0aPwzTQV7z@?@C9-bw9nZ_%r~AlI|iOYq^8^c*`z zai2Mn)_|V_aS*TF*vLB3o~(yHz1;W8r$6XWLEob<4^ie#(Zrv+EWedTBQiXFgJH90 z%tEuT`ulBaAkEf{*$Re8jfP#J>JB;mij~CRU%-`@`Ypb6l=^+|?OULO@2TGs)kdNE zlX~Ry9EUc_(g3Hm2Tnq@734ZvayvU{)9LrabH8KKGu(Z$oPot>3)6SwyCuYlc_UQ@ zZ@2GvHEk?YOEr948!ARgmgviA^D?euS!Xfab1hvPg;xiezWlev^}n$QdwW{WgRXg) zhv}B<%WV-tn?1BAMZ`UX`yMyL+q!FkcdTcKNBgYc2RI!aU}~Tx&Q3@3p5WRcn&NTS z)HLwL=;gjg#_D&NjN4FKh+V@&{HagpH673N>ZqAe@gHGV+87OT>ly5V%*@0{8w1Td znm<<6j4a;AzZ19-(jSdp=^^-`wZgPiM>E;!JYVmFHgrH^vx}4c!!NA?ahG7qC1M9n zi_u>)$Hya9qP*|MGSd=eIv-n?4#Q45_;<~0_smS42Zr5P$RVp9P5vA^b07VzXn<_e z1L-@M7AZq|31k8u@|G4hZ=2VIE`%YEuT{1VF4d0YC2))_DRltgOuG9QL(MO^6e)-B{4C;Mu3; zr{|UQ9?;N(iJrQA@>c-QPDv@2sfDBh{>pJhk4+&EQ6)+@<|_5KUmLUgg}$3wT<=mQ*ZJdQ*sDCK!lQUa7aHi zGc#W-`yxmkQ4qnH&|lks0qQ>MIdewi+U+&3G#4W>dfx9k0UwH5R9<&Fu23RxB%jI5 z3~VC7ZY)V}R|m6&Q^uh&@9X{jdPhzy2dfY0XYk8XTpS%b#-=2m_-no$)3YE zu{yRZw%JK19ox2T+jht9*tTuk)~SD=bH=`^yBf7>)v7t?i{}eUx;V!Ym&ZT$AF1)wHZ)rzu&=K;HTPbJ-7g$klCThR1ebi1RSMi=P3tj>e`Gs2B0~zdA?-C@A+Z2?WE@ zJPsB%FAOtQ|9u?zA;#)iplG;yoI}ejhl*{MMU^#$&*0j2 z8)ZA?Tj5DtK-(Vc;EiMi>YWyru6UYb&m*V_gNcL=zwjrzFJE0%we`2|lcu`{8{=bD7=vm`%jQc@NF$0@^(Y-YByQ0DTG2oXBaqn!lP{j#>j;+vzI8e4F_2 zaN{ZsaAd+A*%wvu3I;69 z*L;2M>C67Qb$YrNW_S}|^HDR@K4}+7tW(C`M>!g+ji!m_wKD00iT{mGUt zQTO+^JnzjxIdl%sTg9;Jw)6Io>T-9d)6>4n(4>>A3kT~U%uA$X0(?npakLhbXY9a4 zCgD?sCRT5?#W`O0y7R~UWBaZt=3*0!TZ~J}&q9^0S0@=S2N!2K5l734)CzA6)k{kv 
zs~%Zd#CBwHB7W3Z#{JETBcS$?FJ}PQs{J$rVkX5@tHSI2^OakD#`C8+FRIGRE6V=% zvq`HX_{4p??NE+DKw7S;( zf*;P>+TdBpHqw$~Z`a75_tDNwvjY!W7Ji%juRVxdiZ0GBqxti*x41x!v8lO@XI1Uj zvTv=+@RPR^kRqDQ?pz`s!jW=RA6hJqG+7=F1(mPA>tG@ zjWGG3K8YQV!^$!zp(wWi<5iHbD`@C_el3O>$V?CbeD3MTx55g zd%ZBr<<$^ff)Lc=C{few{7?B$zmh$f+Xg!%CZx zn*srST#IEiu!p~BW;v~+5H6z-31p)#q7kj55vmXnWgn9jMfxll1R(1(BxhjdgD@DY z%3f`T>nb}E*4|1sL#J~1Q>Cp~{3j0LUk&!VUXnK4=lfEoat#cO;^I{vw$_Lw!}c%q z-gho#&N4He3As&83@-NcI^BnFvjXPM)`ke63&Mobajr~_^1e5#(SbKc@{>~+U^x~< z?9p^A`EdN>sn{5sE{E0rD+)HfRqUYB-qocC2lxhcDJdLQOY2WL)m4@m{M5Crt=9Kb z`-=S;Z6TT|(>XX-+pCLp_dV%NKb}mEQw{KQ`6wP{!v9rn80=}AIbF{>5@cta?#(^p z$54i3@D~|l8U!9;aqVeyPD&V5mRD^z?yvmLd~RuSMoFa~P0!ADLSSbmtH`rS3aX83 zJ8TAAMMPyu^dQCa@CJk)jJ}A^xZ9h&_=rLXA@;FGHz7O2c&cu%;VfdvS_N3qph<=!%~NG(n}c94 zTc=0>qE<2AWPYx%uf@|;RZZMz9UuUcdP1xNmh%*8R9H_#C0H!%EDY)_ZDeH1R7si5 zMEAdU!n zY{V}(gKNjUJ;N5mVsDZ6-QeOs|Fjsz52^2LX8UEl+9SUugh$@a$PpvBuD}#c^zm{f z%n|7*jVG-hzkkc9PO&Q@Ce4>FmtM8+I%V&7EkAY^9oPLAZm@pI;uc?%P;c8SBGS_(kH5=S%) zl#geKXKhwH>M#q8Hn%j)rvwA))@d1K7EBEdO~f2xn4nd1S2krhK?veV--S4-d9DWy zOBUB=G!+*%W=uoCApjaJ4dX*gb3;pTEE1naQbl5G$(Bs-bx=mieKuU+u|*tbY#a-m z>?voZGB?6+f*T0!ve&$f9nIhB@7G=BO)VgI!>`BUYVI^9gpcpCM1VdfY6a} zqoAoNhAyA4Tl>094jC`;|=-=%#7yttqD3uBOTQORh$< zMMbk)LqbXolUBxCCi0456pl9wx^bmP(D$to_P}8MeQCi`8e(9PO$=|Lt1N?$E7d;Ar zw&eLlr2T(pIUmZ&lCT7+a?lJ)s6Eo?kAzjD^e{t;gv4D6SW=^EhSI5#DXOb+E=O0# zEco~zi@j4~rjcmf@&~dj+4@*HSZpDdhI2#YG~}T!);^a>KTFizHJjL*27Rz(Ohm0F z59TQa47~Nd?}iTQ2kK9Kv*f=n8>`GEboqHs>!kc?!KHdtaxtNVyK4W9_Iv!1Y*>jF@70D>u7|GZG?{(2;M1 zeST}hCw}KJR|Kj~=8FTjkMp%9F}f<6BHjE&B21{5OCW-s4rchL&UDmnou1T0K>YIkJ#BKjK z=U$H6K`|ND6_(K=tU9irdxjQwicShPdw_25{rXzMQ#Z1U&G+>0X*Dr=i!)q9dv^5dh%OwpN{n(BZ4XwT|6 z!3?YQv^g=njQq^sN)7*W_5@nh%n&zK6{F?7WVQMK{6AK%ST{?*_1mtMbscndW5`@& z-Wkzfyep6>55%Ju=he}r;P#|{_?J*E1y^x#E5~h=6jo)jk?5D$<2_iQSMft zhyzm)mEE;d{AVbmJ+8hV_UBI%WU%q@bV+El*re@Maww&<@cL@{qci!2lvJm1t~lbn 
zC_CI4{_KDuFdpma{=O4MW!gY#h@{-Q6ZZQAove-ie~LX2VEs`b5U8DT5X(k_@ejF`9uQIVsVUTKci1ZF$&s0D@*i^_M#>`JX+dQGh6t><10Ahcnxdfg1_LuWixX5uBhQ*6SQ*CRVd*8_I0N1LS9kBGD~UHiPaI zN49$V@rh%Tgp78|8p?M;j@P#HyR(r#6|~=A6cnseOd^~Jlg=D$>}pEzh+ zXxqp6+S)SyX#V{hlK)d=HVF8`&SI!L_TOCH=rfo*7_r1+1g6ImTxqY|5eDN#v;Q}| z0}dm}TT?}5C;`PATZT$1Z^92q{8%}%ISLAYm;ku#>V@x8oE-ExLXRklEQydtN{JN4 zFdoqWN_ONV3GvaE;uO|bmeQnasUH}$@okJR_X?hN|0VuBP#@1CwrKn-Dtix{r?aR zk>N8jDr!rt1BB?-fD*q@f#-ia6g?EbgXA1qig@-rk|Gq)X`n~p9maRGBU3zbwW=jz zE^={PSJW!*A$r_!SJ!8;F;9RJB0(jk^b7UJNvoW5BI3+SQZ{ft#l(|BLM+kaCGEMTVv_sd5oV=q9)^sUC5w5;oqd(b?`CR#H45*cdRXgHuPw# zabGA$5_V3m5}Zr=tqw0#rwFS}!Ix>b#6`0^s=arrG(jq8q;f^91!O#=Kcy^G@MvGD zr@q#$fIcCXH;1=Bw!EiDhIJUd78Wh{A2RXdk!^9b7hy25yZs4weWa|W>;6_{>7~PE zRnx^kujz+2TB#4Cp{p^fxAS zz?MaGlHO(K4`B}n3>sSDQ7gDT9dEP-47P@MwS)$V50$PZ@^jim+g2rF8lI3@Cdyg> zODJ|@OvHmMGd6cG!-UW3&Ve~XwuTRwY~sLiIb1{m2HVJT_M$t$HZh#X5!9-x5IQt$ z-v11!!J&Y0YI5#fmlSckc@3ls!$}S2GC{`di|~x^ka5Nd2`$v`TZV-!h2uT)bep_q zVd7MTW*K+YH@5j}CTtmmik2X}^uzu3P^Iv~=^=+ApWJu!{}yt`c*%pN;I! 
zGBlznN^uyg7Z+A$`jU#QZF<)7^eM*VQmZL)HkSn_q*MQ79fWGhVUhaCE1mj2(e1o~ z&=kQNn{>xcsDMBUXK)AIH9@16@(a2lO8e0|Nhs8Q2h%2%j0mz1s-sGb=|@^ zykWhGt0^m=^Ao0(#@E*)8M#k9^t_|kn3@@`&^~FSJyDF`T) zdT1w>d)+rn%6wjCfK{ONA(&*yERh&`T9kMCy^-<&B5DO!k;}Tsx>xmW`bXwyoDz+{ zG}`qAQ?I|Bc|b;ZRg4F1M5j6vpP^p}^fAGBV5tY=1EI_*nv@b!1?4%{Rpv>(S+RFk z6K!1@C0TaOz-=V||0XZpP>9`d^^rXpew6i~0@dl&Q=Ek1A@a|?uri?NcjakA1ZC-n z3~U>+8hY;Q;G-f9Urn4O4RH)9$B2N7Da61yv$`-LX<>#{aUU$jl`AL=KE{DTWb_c& zQz86g&O6Ww&rwDeLx~APbH8eEEZ;6RK#XUmTnws@hb%bd<9p*spO+{<3Wym@u1Bj!t9ys!thFet<@$cZa)&x*&}N>)pX~}N z3OY$=7=CwNc&}c}^1glz6=fQVMl&9uzWHvRXt z_pdq(EN}RT4I$#@GCWp3sf7*yJ~S`f&?jOLuUA=#XrVwk8|L_En2j zFewgLHq@31Uew~&9DXSY=9cCp_yu%*jH~i9w&}U#L@t(f6vW|}6nk#PM4NvuTqH|K z>Xr6tqzZ`sH9_suinH=&An4=v+DD+IphEbjWnz)g^&|W_tz;n-Znt(Wx6ls={jFR7AbEge!YJ802+r%u`Hq zkTZ)*(sQn{a~vF{?R<2$x@-0DghDW2*#HyM;VhXmSC9MmMqSZ>0i@n#}Z##`RbtrS5vnGXVcET^2ki5%L4CM8c& zWhq0c{dCubN+I0cWP=N%BI-m7~ILo0+tfLxbQS)N2bE)HWa0z8iGb<+%+sa9FU>FIz#SA z^Fp@K8MtA!j6<1tbdAv&LjD6?{&yWB{(>z@pz%Fh{k{TTA5Hu25_c0>6GNMT7-HRj zgCGW6wNGj#YFF?5{8V}e^YKOG0~#paSAAWaDeU#9toc8KGUHI7TPsTWk|dMJ7zvaz zs7dU&Bpd)pkw)T4=e?~=!1#o4!YyC`O>Sy199b@Do~Vzqa4Rz4UdVA(2l8!1YDM{L z*2|5FkHkAxD?GjlmF4GD>c!Mg75y-CV5ZZ+DFp0vw;Ww4DT!0m3w=@!fvZ>CVkV>% zys!upct1u(!)*S$j{mk!$)O-dVEmz0;)*aXn$2RAs1udPCcC+zUR2gerP9hP&)~PQ ziYF7B=~nGgj=M?UnJi!Vw;VnkEHdZLl20dnJd!zG#b1r4CHj|_8X&GB%`*A`EV_|0 z4-O%Y71^J>OhN=$h{uIc8;F56NTia%_@lx{Gb^B>`W7X`{T|r>N>TYA z+)<8YlQk4w5R}6)6ZP!rg$ykWXMt3bMcQTBdu^gLqU=f9m{PvLq;vM9*o;K@h#F3A zcQ9R)#Fu+fadR+?rF)=BkgW2(*}3_An|54waja2b2yUVi9&n@_F@lpYnyYMi(E2`7hd*(1e7yROffoR}fUgER2-C$06gz{))aic?~68 zkTlBcfzfj6UpVOuPpapK%u;64&`nIr%e6a4L$;?q729ls)k7LsJlH0rZn7*8yhkW{ zH_{xRXEvi442~J07u|tC)cUH{rhH6!jdV3B4$(dv$uTNq|1f;FpRKl}xnV{PSTv=% ztI+k4(-{b1`n;G=wT@81{MkY4!5O;4_az=E@pztGSMXejzmbFRT6FWb}R zmJOfIPHWp%^R*)LwB9-q`3WmrBW70ChQ@@a_in(LIM!9QTC>&k2gj6!>ruAr)Wj9< zd)7T~=(5t~iQ5IODLWWofnT(k@+Wp1Mi8H-OqYX+r@cx2uQV$5llg?Rk_<87=p!Hz z*@RbCLr6H9vZMq}J&A*vIll#w7N)!dOAF6sg+-Q)&L(wVjYYNte>#KLlpE}~I0Q)8 
zM#q={oxuBZ0|<4Nao&tw8J2cJ6(U5KDAZAG7UKy-QaDsF25Um`#eOxy%;zG|h#@#g}*JYV8(&>&FZrG%_!5 z2Pi#SPOdovhcv}2&HlAlHI*24=Cpc#c&IL~{?kN5!9qjB!}HX3-ZDHe@B|EXJ2g74 zo@(~zM~5Mxr|$2mryGtj*&F9zyQ?`sRA0a-RxInx={(t_XSWcDxiRQ7#J5Oz40!ZR z(+?6ts-c}o_3FABbCSa1aK-Iq8HWX77gQf9B3fXECHoTvR!l(4jvjs!cCy|P|v4Z zH{A3PP7g~d3>Sld92y)9;93Eato=TCd3mcUEB(Aw^ zCo`N~o?NQv=}AcPs{e2na2;M&F zm>%iC@W1vEJ*_^6V%;z(tPHGoaI~)miN}-@estszKZg8|bGRfbcwl%tOe8z*;t*gE zk!A-@L^sRZE=n7OBAj{xrwu0{BVL0Fooy_8&mpO3cJ4*PcY|{YL5RenjjE|j`(K#e zTdhi@TS;)_GsscmE?B>O8BiGx#z5m|{HbG$C27kr&r&L}{K))ZEtuY}%;?`oXmNcf zPAX3jw$SihRMMOpLK-GKC?mP&pK+5Lm#9NTKn#0p@$l0lJMxWik{)X+*T|ZZQVcMQ z=(jsYST)kyRXm`E=#5Q)4VQ9r^WEL}<7v~7kl=E0i7IO=9smG1M~?uXprK)^rKy>c zvdY2PIXmkY0MMS6k@4&IZvYRM`X3FAb#M0!DiJWU}bi{MI0ddk{zo`r8ltas@ET^ONb?eiai06Qh=z z-0D)WmRNA_wS)erT5$ay@r*q&b1@gbrimr7os3Jp%lgza-=xzYdlxq4Oz|BJnVIV) zlgobhL&K_v#>QLx{GXqnz!7ZnQ&WoJz%Lhwr4A35s;<7`Ue$O)dinwd)y~fDkxr9L zSkT$p`WZt+%RrM9fq|%LlxC*B!7yB<1|y5F5>3PtpP2sJL(Zchy9%>=;87SlbQghyL`Y*8Zx+ZuC{}v-RJk3=#0bM83LCo^u$|0MJC750xc^g^^+vQ zTadc@P@h>8Lm5W&NEEyK&94ro?I34le=bF1c_Cv{g>AkTtGnmh8E+MLIc~6V0?-pa zKfTR59@!#$XV`XSK6x8w=d|Yu9(O}#rvsKPi%mNqMGnj_l>7gT@ zw`wzM!_HH~fTxoxgz>OfR`xJ4TWlr0P*&1BHF#5f#8c6Wlk*jgt#F)l9?AL&b6uJF zm_X0Ha)B%`>ICuayGZ)^;bE<}83p9of$JmREm=}c4|oy|f{!wOI`8g>wQX%$e2k4qazSKn;M{#H1{SX31A31DS+wA8{J~}!Qf5ud4q;Ab` zT3Z@|SGk=ngnxa3(#k|$uG=EPB6{ve|Gu=kv}yf(`q=0IRu{^K#Pcy~x_5`ZzPbt} zkSm4|jxmhW%#x-jjG0H^{KKQ^v!^@jo^vueq25|$UZiS((yXdI=bRouYK@(z1PnMq zF!N7Zy3~Go*%?8u;G40zkeb;Tt>7B!kGi{mZojRnrNGN2#7o5m@rHQjhYylZ1y%9{ ziyaIM5}&ZtvK?{8 zZXcNw7@SCEjYw~-DFRh4hK0FVo71f;E#NQo=||@HC+?HM2zAeH%#nOSbE|#+<2_y7 zT-GJRc;aQoZL7lFtXRoYaxlpaJp1EP3duUeyHH1|jf)ok{Ne~yUAc!RMxbbiamt5r zxRb7&Ly2bxxTyrTzrOu?&d&bM%_Y>{)b{!dJxl@XBfF@mKxWdT^J9#>JXT5yCQ?MChA(17YFa4=Fa#UPM6l_0uSD^@M{f42y1ZYh(WHZ zYvA+d+>Z-%-%aJ9C$mr1#rwN7_gxC(ftqo0vAvyDlU-kpOU58K)S+^dozm--wg#`h zcHI5ceT!q9FT2U>&EIX=5*XSEl|K}uVBuQ1eMt|{{W?u zG}r21pE%UK^mMgYQNS=Pqm*-xi4MwA3&S$Pk@Nn}9R+neoMJ>27M7Z0Kq>+#t}Gv&>%HRT#?^g(ip$WLfNXv 
z!yh?OUUFaGIFk)ojmi{C4jCjd-leLm4jD<^36CP$9Tfug6hGI0>a7ye9!l+E#j`D1 zMN+b1g0(mN^T2rY3XM{{x$Vp8v(2_9ac;(oRgk%$p#;w%T6VE}4m z%htq-u@8cwP#Xu7(!ulO{G66<#MaDAQ9+)Alf9|Ak%OJ{R@z?4-dS}KILQ-OF_*HR z?dbuTj*N^1vNxci-YhLF$7E!HbOqqk*t&=PGC_x@h)c34HGkk+ri4fS;(PxjD;$DR_gG zeUzc>es8zfmt0ZzbkXtsi@dM}`9* zWK8hc5hv1UI}k@A`~f3|`R|)W0Z$&K-!2(T?!pe|=B4a_1wwW+mfc5qD_V)HwFKQh7Ls6BS(M2rK&z*cq9=*bhkQCpp7kzKT_R!2k%HoQX3&N9= z)5vI;s7M4SyIMZ@sUNvsJ2CX#ue-;~l@Sm34&ct#%p?a&G>Q(rurc=JTZh3?Uz+Ck_xHAhRj_mKtH0P(otZ#oGyvbY^;d zaRY&KzWjdZJD(d~+T!c+P9l5rQ#O`SG2$}w56|#V%J~FR15z;Yp&`dR+Hsm6Jnipu zDuzoX;@sRTCfL8C!;=~-_gmNaK~v9fBSPHB_B*3HJDod^b9s@I)7}<;p&%pvit{tu z)K776>!BM%p%4+>Sq{0jwTpC~Z)Q!mHCn3SQ<53ux_GNys3|HS%ds98X0~4qHFna3 z!YBZg@Stp9HIc!EUp=I&EJ)fWPn5Fc!;VTEcg4w=qM8(7^0Pwgkq)|Ja5m(pN3TA3 zhqoCi9>u{C;qM|9YP_IB&GOA<2Mi{-%9I>in42J4X+MCZqRkcCu5WKBY`}~Uj6gW2 z%s=wU5Pe7!^inY?9sK?GDupTYK}+93DxJcXvi3pEhe}O9nK6fM9)Hd7`|OZ{XjuzY zQNi5jsSCLkoXXD|@`+#}hu!xt{6% zf!@!$6hU!#_y)~t?a!H*stu+hHF5IzP>JEMrwdPH@BMEO_XX4;Q3&OGSIUZq;cjoj zJojts%vH4l1c~7x5=sHr>85p#Y6F(}-s+MpdtP?tj~}_+m|>&WJjLPVnUUZ`8VNhr zmwcDmeDs%m7(x-TwNU$a{)D+{GpWkSHHh3`sWf1M%pY~gA3GqTcpK|)-#WQZi)?81 zLukhdeUz^BK04|BZv~Uf4_HHJ9aO9|=MOadrzKAVM zu>)#C!UW^qA?{18sN-fh&jaT~se>&=aZtIg%wl!_Kt@A`yW+UyZ$Y(8A0D#-<&KJf zHRZ8hEfRf6eF!^%4Q_lNL${qH!3Wx+=BCWJuWEo!=>BstPif@U@3GnbSTMx-?p!1% z9Vc{mNNTVl|8NJkLzofN8D=oQ4iMeg=}k{7pa#%iUS zODyA-&i2CFm;Zcm@*@VL&1T#~zwO5Q#?t53*SwdKbWcp*uq7v@?RLW0G?#UsmRY(S zs8?bgDk$={cU5UStF6>dY-cH@=*L}b&BtY{Yg6betTUBbyoM;jbXUh3MWo*!Cew$d zK;*(nZA%}^kw+4?LNZvHwb?!$80YBvoAIhst$F`%em^#@r!Dm}NFmS2W)7&)U9!YS zCoD5eG7;s127+b{=%%|mU7|o6BS5oGM^*EcU#)Zrn`*iSDlV6mUUyg{<)gjW;BsM*WJg?N-egLyqQzd+#vTdYmA(jFh%21TY(g~x^oLN#5n3g;jkQOh zHegsysDYdm&4Q|h12ZRqC~$r(IYRc&gT1q3)tnw;>LKAC!7@4;F@C6|Aor$*)?ym@ z5VPdAug>L4vB0o}?^_jgT#?{@E7v+_i_6z%>vKIkt!=Bz@tAVG}e^H z_v!qa0DUpEc~GQW?L7UNX>b+Zi)D`##l;M}2Dr^cuimY$;P3uh(Rlu18zT~|OvVKs z81oc$)SV@;!J74U`0MWPzaPR1^+!%rvfesZ_pKAwdFFmov-9SXV5@e`{v0za=asKd zc-C#WPpI%xXfr73C!QyQtlBP@_!nN2HPz{fUmXX_lo2K%%shm7Ok(M@y!61f7rQ4I 
zi>#LaPqCaiOhV9I-ZD@PFlza~{+5q&m%eUy)(PXkUYuPE*9ECA6sisIV5XPXvrAa(I;YG6Gq>s~jSJJ#IfJ$P;Z$16ED=qR5Zv357 zqqO>r6RXrjzxTYC>3~1A)TS|0c20GOzR^Z2Gk6WZ7NRLeBho=foMB~BCu$8# z*N|lSeLsj2hcNydEuQ^Ng((#-r4HZmAO5*yOi&sp{nNN8kmU|OZRI^O7vH4YitaAF zons`|u!Odvf}EBHIGXO)dEbv0S4K8A*MN1XQ1M0#;v_;EtTQkFsM}c~*Ud(s;~ezu z??+Y_4vySbXV#{0b>Lcle&gzU3k26;U$^&;jTsm@S=qV$iae&Hn@A5l*o_tq=`H>v zg#{zIRd5w|Y_H@G%-w&#zgRL}^4fhKB^CXvogvOW=b-ep+nKn|^#XA9+_yznNS4%8 zzKk`rwvqX%`y-s@)LfVI|3Z8qNtF3YifF`@i%Z2Jhl3-j*f|g+j}eN|Lv>hf15wN< z-*G~`hpub60-O^cA6@KE)cP^KL6D|~yokois!~wIDh9^4h+067&nXF-l3M3i+D*1B z>DftMrFlK9*;Zk0apo=rM?FOC*sI)Rm>p()nB6(O{}A8Nev99kLKFYt6TT;i4W?vl_p3Q0k&DaM-B8%kS< z*3c*rchH{V>5F04*TZ2gZ;P)|{fmna-``o!@YcJ(TGySnrT?gqcd#q``^2TSExX1) zc>Mhb0>m1F*uYg73_ETiZgvN2H>3+^rorrP+0Rg4xA;1F&J_YXt!VmZd{DNvFQ2D6 z2@#=^e($`-T;1>s~OY!sqZH9pV%6_Lo;W%;350g{6!fN|i|^HkgT} z*)1#|)Gm}VC|TqEmof0U*AS$bA4-S{08>+9im!NcT))o&Dw0c{@%@@ zzP{1f9O$MfG-%i(!_ov6NKY_YOBqdC_;T@ta$@UQj#A+H3^Q(a;#Zl8tQ`I1q*m6& zsDYs-as8(74llbtk`NohK^(VN%pVU~0T*hPk8z%PFw$4br?aC>NfJss+^)og$&9z= zvoV|SVF&X}Z`~~9fR5Bt;K&m=@gOeV@0xph4SGBCGM)~! zjx1qOyyX)C^4c`0OQDM<%%;H&f8{uax1} zL&FAUx8t?A>D9R)V(KVbC|)B+N!@wm*eT83ravALHpuJImdIh;wgL`}>ts z54n-l9TDKt`V{aj$Ymi{5+;y}<@l-jFb)IJe*eT|mq#2~?#502#i0T61HF6RK z^LekBBLo;z1^Kv z93czPsrfu<%rEPJBmGTGeEqGVY58=YoB8=N++pKz5=Y9G^dhOEjYFA$XnT3G>U;5V z)rl)++{6^@_8=Pa77XF`?$Q40)}}mj+TY(lI6OW$z0S9?orvi-Ypvb+N}(#DaCn&f z>-h<>7Mr??Q6&odIkBz7Gf@u_0tYRwj}xvuOJo;RL_8!uf=@f4`)w+A+s-QCQw9;b9%P?9cPi4{nZ-YWsu;Rn^ zj;)QD?X!90AJAABzzDcCitPkzpxnwT>t$Gg zvg;O6Oab{lTUKgU$MEUp!121w$5eVwNLqbcWlsXQg&pqbe2-y98YlVk&=98q}^!%OwbAb*L%li!_YpvhW|dUtMkb!ztpH?|4U z`@DJ0_UypGdNi}Mzc!vn0m*_LdvFmT4=G7lXKx#Yn?kl}eKS{!v+!iRH z?l0qtEuq~A{$XvbW4=}0S6wu+X`-w;ymnbdQMZ6B1q@k+ALVd#T#77inZ!s+ZB9wf z5Y|Xwl+yIcP4FN{7I9jvaY$dWI__p!o_{^;D$@OhJS{z@KQ0jxC433$*^NBL)cquz z@M02mf*XI`hTWpTUMav~<;zp6;#(0I9T`=WYYfOpj!z41f-->Cclek~0e%7c3HlW? 
z^+d-Q(i5x>Ed~@SZ@JycJ;J&TQeB;V?w!aBhYLud!$Q>a>qZopIzV zeT&~j5<7c|f`GNdMcOIRx7k~yE==?Ffz&^~`)jY^kA_^x_4F)m!>?e*G$W%lBa@76 zj|wr5w%4aiN@yge5;x;vBtnx|UV}E*nzbc0eM7^9Ov|ayG(@4|h+}#DUpK8cU=5}H^E>C@CYjz?Z4lbn>?;!~I z?g_Zir>UrB2G4jx8TF8}(0K`Mpg9ku-X$aSc zf;ub=dO#YWu%ut8kq!fFF6j`>K$MB0nSTK!>!UmIMXtc~SkgGkY(t^f!Mi#NAmh%) z4MxicMvNf|V41qTrL5^Jv9iVtL#$odw0^rAkF)!0nw#Bm$uY0{DJ_+HA4(Krp82x% z4AE<1Z0v9lR$mM$`IGSR@nc*KEamgD=B&w5mB@?9{j$kK;5EFyNR-Kaa`LQ*yk`mG zCAQ}H&S8H0E9Dk90v3ic0n&|!4PxV0Otjp`urHOD_b#JYj;k9^S?RGzcz{;2oLqnwK91hxs9feyuBZIV zVaI249(U7VDzCnWoZL;)nB%c1cVQ@We|-R+RvC40&@2XTLGq&4SkBYb*0Ij_%jc)5 zFnH%Or9`5dxOzWEal+*5fgrXbT>)}c*^W_u2_d$9kdV+<4t4nM`Md#&Uw8NSLvF6e z@qYg?F`aSkzc~T5xsL@nVhlFTpJtRa`#x`9q%@Y7gqD7IcSnFG^i6!Cvl@w*>-LV zmqMGcFehhl@MU(6DiUJlqZ2t?`Ml23JGC>4ak#LSk7tW;Oj_2L1K`MIh6a?^{{rLX z)S*92Z5e6syuC-k;LmO!m*rxJayxFtowYVfS0cYodz!|^Mjy}J3Fc-Gs#^4zlTT!L zcqmm=Mnh;55-1G~M6c4!0X$%uKrZ{@)s=z41PzJML|QraGqE@eUhs=+ zQXRA@h+S0ft0WFH&?@QOBfmH@*fF@2^ShL7QTcS&bW_JktDB8K*+{kMB_uVMav&>z zTNx&<{BtDF@G^-2IM3W%)FZB22V*Bvx-8%@UcB>8)vjHt{rgq#zB`$oF2ECLNwdCy zcM}sLJDi?Av111bYh_y-@NP;mEji0b3K*$1pH#CbZWm~!#}&4=lOZ7@)7{uOWkaLU zvVaklXU>2Q&9A%8ij{WLbUrirm7=2UN7FTfe+Tga?qGmuLO;FA}E(#4XK4ew^ zL3|L2%#4P6ph>hZfL*2pS|xKmQ`)Rnca(I{BoH>y*4q{kIbHKX5D@EFI$1(hG7f_7 z=^+JQ(m9aaE`B`*huYu``CSJ~O0&UZzdXhhDpRM6uMHkn-f+GM$S_g9HslBx9)Syf zzXIbBf_QpPP>L5ADC8gzb%>qgCJ-Kc;mC-f2Ho9F-+mj` zQ0?QR%*#XnA&5QTqn8)2E9&Y@_UsYV;JS4JDT1*iyf`*S{oll6k4;cGNP>0ePOUha z6t>BG@4@_$uvQ&9H2%&zh>n#=Oh9BVE)+P5ymm>63Hy>3X;_KsVH#7fr~XLr;FPn3?6FVO} z-Af*Ye_`7YVv(BTHQ-u&XXf?I*36haHfAlVRfJeg@_FU$O{js^!%D78iaL;wQPSiJhh&R6@MszWbB_GRP|z7xe=VnAqA_ z+e+wb^U0nO0Sq&|Htn zG&Px09ErMl)hdO*KOQ~Gv{ci=LX)9E^}`P-BO)yBywm(oe^OxFV{b1uVcI+}-L zIy;GxdC|e%ggmlzTn-N6iM6$fqoa5WBX8{{Y$ZKxZNz936S!}isK!jx{Hx-KCV%o{ zQ%eiWZQCq2ZZJbzjSe~?!DM_~vZtYSHJ&wlk7hQtbS1@v&}_!AmNxoc1X53Je8|zq z;E`@?ZS}&N``-EJL|1RWzC+3D8!G~o;?*3iIr8%(sF;CDTmN?}UF-meI;MJ;G7Ts< z(!Pg&e5g6I8IcMy2uufc*D|wf&~4TJD)b*1dZ&Lko%+Is3CO;NKDyo^zS;b<&6xZ# 
z0#XtQ_G6tI)0ObrO5-?hGtR~{72y;twj1p;NG6RZ%DRI>a-WaMyiDo(+ z@^d%*rf?F?UWs0^>x}_n)OQoPS)aZUlh?n*5zyGeO!o8-d3y-QlS?(5*7oif-r9dn zdO~z~0FwZ7C^h!cY6p=pMgJk3aqR7-WUjKeN6|kZ$Tl}Ok+dBjSN8YO|4tMd;!`s+ z!nSHBC$T1jn3_TpN{l1bhk~KBwA5^9N_##f^@3JbYHMrpF3-)()ONN?a;E+LYG-Gm zh6X08RO9^v!=`5A7M9En6Bz5UQP|B1l*p7VLTB8tX^l^@D0h(bp>syKSu1u5KE8 z$O)h({Z|g3$~}`^>g;Hr5FPC8;XX!B{+Gji1TJN}NBLW%#`9+?| zRl7UruKq?LOgZ}xVR{F^q6zQpn!II+51#g86PQ=?FTj)}taGq4y@_>9F-ubdmi5;5 z7QR_H*fN;%l@ws&!q`Q)7@lq*S&YjJ%3KgwYe8%2u2SS6JfBnM0tPL8w-mwkn*Urw zX(o^n^)!G97%h49Oke2KLiaq(rQ`0419u{Yo_#oAVjQ#CieG=sdB#qMyN5yQ!CQhU zTVz}M1Wq3xGOzfZV(3g^uXwQ*k!bE1&U-bl>1-205J>uxefM9iV_q@)kzwMBITi9m zbc?_Wfr$W%(^)})@9(yF+yYtj>Gu5J81$sGs_|+`|F3k4 z=g9EF!vYJA!3yHZa#sEzW__D9DkNh}7=7fh5#N-$B<)Ii67ifwR zVd+qZP__v3N3I!UOq-KA^QU~I!HDFhfom8asuk+Wk1J~r*QR_mg%ZXYXi1Qc`>R^= zTY9Q{5WwY{Gr!=BIA9ak+RO5Q2tMhpGTt?9lecfHNh3@(hlE3=<6woxI_tiNFehi5xto zZ1qiTB^3=Sh`ni=j7t+2aGHt9kZSCMlJdP(<))rpioj}xW3NJGu4wjA)%g0Gdp?vH zAL-^cz5*-*fr~;-Vr5ZWQ9n31ykSio!Ca<#L>*5D+yuFE<^ZjDHoMfr#pyG*Z}Ri@ zSOF(i$0N9GR-*_{6d;aH;EIf^v$d0T#H|rH1?pY}xWq#Rc#ZUqP*(>MYRPM%pNhSg zy(rGphoBN9VtsGrN0p#G*iffXCz`S>JTZ1!va=-Owg?2mAUx18zBV~8+a zNHhZw{Z{+UFo0x+co1?%5YWJPA|6Wpa_V$4QZ=B;eL0swC}-4*b2a#saZs4`2=8xbMc#0M2*@x|zC13o2&^2KCwn%XE;5+NvA!|X!8y<7I0idn z^fP0H`V;kddT;yPHYi5C#91GFHhmomC^>gt$zD`dUW6+cHzLyOO=p_cetRw8_#*64 z-o@+)EN`mn6^p~iDWg=ZhMn`wtep7683>LD|7EDir3E3fF$cfaQ37XnL?;fRp1&m@TbPj%4H^VTmN& ztanKwUnFLtk?pL9h7i(tG#a!>TharXc7NO>Gct=iyLvg{Wum7LJ9qEY}?vG3441 z+Lp{_>}H&1*i*&E=f*^s9q_cfe<~HT-sq8uao8zR~0qc}S&QPwv5%$#e;HT{p z?jqc994uYJT&5ojRivCd65nW_^l~gta_R$gv~{zc6L0aUWVM0Tf!KRu5i)b%gi0imlrXx6 zyUzHW^6>${u?g#tpY>1opELa}n7QY3aTlT&3#Wi_E`Wd|<9OdNNu)gWC+m^0#6K86 z=L9Nj&Q!pr0JJhPM$|Ke#$4U_Fi`@3@Q9XHR%_R$ z->`jqN?KZSa_Xv8$+mWO?d|O&GyxM9BF4;o$uQBF7sbjRONNQ_ou8hOk@pL$Dol$N zN%?cE)9q+qv3`|_z1hyjg0~C#7UnjIKOCh|+*+U+xTBN)L-mO%8rlMLD|7B-q`e?Q z1cEeG;=#e|Les5T1QIj!L)_lgd;D}h05L4sS6}6diHXHve@0XDA3M6=>FWKst9Q@T zqvwOJ-n~loxV3d8(_K1J6TiUwvimIF(?A%-~=!CYiKPZ=Sc3exKmi~tR 
z=Imy0N&TsMl9;Q$w2Fc}608@~!~_dKz*Es%MKE)yn2~et9)XzI;-BBqwU%7j=OF>jQWNx^B)-5b5LWr?aUGq!%CNi|n`X z^}_aocDh&Fx?dnS5zLEf66D%^u9?z3`Y+Q`Z#Iq;tBp^x>*lOx=Wyr9+ad)YdEw-N zr01VJkN+a6YQjaJu$!5F4G~Fzeph){?0vDzdIkv^Tqd55WSO~OWVOnr{3L7kZA_TR z{lm=6%-7G~-#@^~*(EY6YSZS;k&)4^u5Rw`9^T$Q9-dw*mCD@A!pqy+#>Qr3WMmv? zwZ%SZy2MC^iMmAT%2-E+iSwODAY4{sYi4_yBD7Xvb75PNNfSk0q9yjaH{Vy+C?8tf@z>-fE!`ezAAE3NFDj6rr!fMA@CwAbFXU6YwaxQ1O#xS zMes&>6{rK^SqMk%)Ii%m=H@^vuH@oPgf9Hl6fyx zx-?Jr|%5_ z{=OcR85m{cD{>I&R|GQKqBo1OpU>v1fS}?5g9XKPF*zYFKdS4>KPtELu!Bg$YY@?f zVFCzvWm+B@e56 z1dIt2A;xWOZEw5n&O3M9wJJF!E+T5bt#BX{_(}BhT(aNlSNK|y0 zn*b>5j@JPkVK49sKKS1UNu|-smU|UskO2@|Cs&m50VDP%oQ^peYOhc zzM)MmiAvYi>d8@~T5mn&DV?^<66A48PXq7t!lm~1t@kNF)1pNHkmqO}=d zo$CG7c({=N<)Z{X2JO)?539nYN0LBt^PwMd$87~|{76gsLJ}WOK5meF<$Ht`j&P-! z1(~Qa%zr(fx7v%_(UibY&KYMkE1Cby1mnUcB3nUNJ!2>wAE_KgvQ2uS@<1i6oM&=) zn(q=a^#ELKbe7|~1s@Y+NK?=}Y%5KDfVv)8BhMnmJLZXebFoufyW|Rs+fs~^qfpI0Fjy`?uFD*kt-xW#jO!7 zr)#7uXwo~)o8%q$u)qz0e4zs??L6(!A_&GP-h;X&wk6F6(KymQLQhyKt7?zbLQK*b zmc2N5+wc3I!)3cloVv^`Z7qcX&4+bEjf2B=119D;FDeGgdd3H_lbkfMG@Trqm>8so z8ZMFoGKzZ233Ek%MXt@!%)o&;;}F(nwy`5!>6&INn8;ov^_`QWouh;8`TUBC>c#*+ z4+p!8XBxM{KktAW(Szhb)!E0-c2{=uD*_&fivjiv$Y_*&k?s-TmkB>zkP?@@TgDt{ zb_|PVSdtWMM>XEb-<{;zgWM9n*%pf?)xg5R~Z@>@*+x zf!D9tQ{lJH4;;z-1r_>XIpEJb)!QXxravM9AsNkap>Ba|#2kmR#W|+SpLp~G(%<&Ihns%?jqDl@Y_ z+W-fzUtV*~XJTWxX)o)9g&0M2gch0@xDakg@Q&o{giwZ}6f3jQG1WV79Bry?TNM^+ z;%s4JrtCV`HZg|bw!$UNV|-w&@tx|4;c`5O=07a`o=NyuCdd1Xd!$lgoX#;h`ITm7rnld)EMlwH zAwH?#1pJBa(r*_xoNZYDz4ai=*}DeVk!uE#^O+)#y!vaa=kCa-P>?Psi;Z$9=H3|G zZD!Mr;QNx@CENe9okKqS)5Dl@LxNtgN427(wBzXiJG%APTltBoOB{4xN0?}isDQ`? 
zuNGk90~Wvd#Ix?Ry*k%4KAV`9wx*`0>hPh1Foo^yZL=SZjg3COzAnzrWo2bOa?<(g zyzZ88)H0j6aPS&@(c&>5`{cL>dPq%E^92l_N7?Fu-_(|~)B&9iC zL4u?d#(0pF*5*8^sBb=BSrroN=Mm~=YHMa@Yi1klU?1+t!`#ur!r9U}#ocwCmqUy* zn^?M9*+)6s1lijJ*wIdAv~5H&X>OvbDGNMvK5S^tIE1&DZtR3jOf@2#IDJQyD*AZ2 z^$iSCTWM!w?dj%x2|GqE;bXLlwx|^MOqo0!n+Lg`#LUvEP) zxiI=12riGPQYb8$f&VB+hWiZK9K=whuwf`E;+z50*d6I$<{y4zxWOTvGiYP|W5{mE z#WONADpfAV9e*homAtJs0>+1lDXD249qk4A`DBwdwuv(rQqNIQ(Jn47Wu>JuOq8!h zeIp>l#6=@!X=WDT=CU;;Xh(F^?a`6xxVhNct_0qT``@W^MRkp>X^9bZT@eLRKuS%@ zTVM-n5KWb)HfE;Qw6+y85uSq-tvsyF?95HAOl<<~9ilvJ99s(Pk7owWopfGqmk1Hs=BclpCg_$!TLz1Ul{A)~bQG+UQM$@?_ z&je4*Qvx>y;xc0}+5or+PsCU9DcFVF0%PfNP;loo{iB4@JINb02{}{fK*&g^ASe7~ zNFvXN5dpZ^ZUgdIjmcBy0p9Jd?xr9ZaOoD|Hk(=#CX}PXyaps%xxW%?p4n}krLPED zs$@N#h31StE}+TTHIaNCsVAoV5q&iEl+2kL63P>2e8UiAk#3G~HLed1p@t9z4M*J; z1!HPhVZfqahVlwakHE4>_PF>+CEJl#p1n9Y@RoiyX-hv!c?3BES6>7y%}i}9;3jae zUY3u!0TFF#>1=B02=qlMiS;4&)xxz#a%~hU7U@r#+9151(A3QHr|1eTo(cqMX)4l) z<|gXt>YNMbp%%@Vmt>l_=yB08fN6yX`$mWPAI->n`-5WxLl^4G7aigPYU5<;oOqA4=^sWB-YPt@BGDW4`(^5k8Zx%vil2azVI~(jWN$6WBKo~>-R_xue#DC7gsRtnc-rv#>j)xOvVzX_` zIiYxEuldFrs(#6gGmY74ari~t$WdyeRW~fKv$v9}A%}a1`Ej`A7h51-jWx17&T>Rx zS=hv;rbc*y+it%jIW;XlAu%B_N&8r{W^HFj2ZCr14-c75T#hq(#g8eoiI?vw&M&FP zRXZsr6zFOQlmjs;EfoEgh2}?ugk`QW%cv&h`mPNo%a(MOf-g-T|80aU=W@&H8rwnw zylt!v1Sl){gaY4TeVQ|y!97BsWMhU@BI=GPV3|Y!Uy?=GWfyf&OGiN-kH|YBQTr}2 z*-dR+(as{sNN7BfIyYVX#}z+j5GLonsBzoACJ3kpumk)Ryk0=iQooi;?t1}V6ICyw zpOEW9XbB_mnOaf2yBPl|xINg!*&9mUhjjdddgSL5UgbDA&PT$bYo;k8^^ul#mVzT> z{0kRY*sN!>kQ~vq1>B$iQhxHI$rNa?`;(DVu6r0e1(7RiyeYp22W9pSjZGjW^esGe8jj#Jwl1j(h z(`ED8`1;27=il1j(A=T><|}_qsS60&f{Z_9P`*YI*5211JVa8J+^8-nYMG7^`(+yC zo%r1eEN}2Kq#Fuo%;5RJ&!H4yOipO}chl*5qPzYE9EJ|s#@zjK~zQn zIveF|!n}e_Q8Y*18VNwuyAh62CLs@^X9SjoO>ApxtE{N7wz3`^8U!y+Uj_#Un;M(^ z{QTV9++;RU&yyvuE+QbaiI?ehP+8NInOhd2ZBU;O54t22gA1`KA~ahw6Qx7vPCiL1XF9}Rkn|MI1C?r13;MuN@OUw! 
zMEiiz(XpJu%Hh$m+iysZ2@kj&Z-Ii)>K}tkL#~TM3UCLaOSrn|hMbl);HWE_&Nh|2 zQxdc-DCF7@5R&ek-<%Vp8V`lXnZKUlT8zIx9yzm)5(>a2rGe0yk+($Jc-l~-$+?Cd zL`Fj{HD*T)xl}4>7l;PhUN%qqY!VHNm1as1C(%YqEc%Wldd|5a7T@Rod5#i8ltUN~ zt^3Y8p;?|MPDgu3NpW#;Q9*H0 zq4rT!SWsSG9uOEPvx&=bIm^{aFPSR@RpOUT#9;yrf0oLExam)KVe- zz2Kn{yj)a_$f0l}L@DIs?b_ErbUwGt!OqsxLwM#b=_oJm#^4W-3I==RF<}scw+7>% zvJ&dXVA_ae_P?`h4%g6SF8JDDL@G-xLj)uh?<#f*a6+IRadQMzqV75Cw!AiQ6>=Gv zKQ?D>V5$0J^)PcZFTqx3K9Y~~DLGBj3WdZm;pHg6YS4aV@0TTiDcO6K_ne3vBu8N= z`D^eo<)OHCll`9$BSJJHok7>aRxq7&HYY@*gL4prz@CC`Nh{OkWj3^BDEb7F=|-ru zl#7vZFis*J4*~3(>bt~qx0IR4+Zq;uWvLP5OVh^I*4xL&$JcMh!_Pke{fZhIKwjhs z$Pu_|BGA~}(cIc;42&p+459?TZXt@E@woUHQJN5Siul2x&cRjj-F+EnvP1*u6@GdJ z%`-68lG6fLN6}l|u{!MiaJQjt3GF&AdEJ<>LM-nhjZ5+rif+?SHX&7^3UG;01r;6t z-{b8??I1QhXly-gbsSJMn;BLCn*fNQItVskAL9VI+KSpRfyX~`0p^vmyyAC?G2f24 zD+cKXXbJp;wU9@wNBV!IgEHqVWSktEq=;~AcnkoF!p7RkdQP`(=@1yOy|5h>PJdIs z=#4p-27qahZZ@?s#pjasIr~_n&p{Td6;!4o#0Hh>7@ygz5#heNK7xjpdGpUUa}s5Y zXmBtu;fBiu6Gd}pZ*OluKi?S(ef)T9LWYT#@SMxLmLqU+BOvVA8rz13M-hBn!JmDM za#&&_0)qp*_8dHWtnd$HIFrX#ciY0#yl7xmcvf~yKU zq)7$I*#kd3FgiGj!h=#a*smov`IS6hX)rxnzd_d*`F+t8U&w?`qb zW|GK+PyhKexQ*5+*x4*_On@`w&*+rV9ZMdHv>qvWuLQTnfwloG3FpL5Y*qeIIaPzW z9>O?Mwn!89`Syasn#3-9flZ{7b<906WVC0mjCT*o-{>9DSd$Ws)!$ehcEikcv-sIF zK1pRNhei`;Lr$w&G14=_(H;K9;l>PsHPK}oGLF2>3W&h6B%M1uJB}YaT3%L~ot>4F zlRf=${(NR*V?$JQw5zMDEMZvz7r^B=1v%+_*`2fQo`LMb3emsB)Ab65iJTWHo9^b~ z0FiSxyKH!5G$hd5R0nI7i*`<-#QGZgsLZ2>2Y?CI5QxJqoKinQA71i2xyCT1>R=VV z)?F1{BxhsqiUnFNabggYkce4NWzp1x6e?0;9X%1H^Ma%Jna9sCF`R2iH$xf1kX7uh zzySxF7_c=;kp*T5fFrX^);0ODWV~!7Y)S=T>AR&O*PJwWt{EPY)+y9Gx<|R=Xh@Y| z^qtWQG&}Ar?aY2A8wl%}1XA%*-^k>K80hOO}|J zSZ8PFQn?Gua-7mDeM}i9UUp}=vbLGlcESE$h=P}>Ub$S3-PPIN+S1}&PFZjNU`U`3 zm5Y~n<{AKtrj^zp(1%o~(R`WKy%Q*tZ zgo#odqGMuweEgi9T_U5R!^0!yctk`-Mn>a|Q&d!lR}MY>mL9;7(a{~Z-xM1iN$;$s zk0y_>k|Q9)#Fcz@=A2trenoLbeOhAp$}iV5Vr-op?Cde$&MRy0?1odcv{)!9X~g}` z7z!#2#RgOsWFaD1s@4)7Ng&UN`~rNSyL4muX2{6+ynu3)Y9-hOEJZJ4bk;gbj~AF2 zAdgx=U|dION5oALVK;~ARd5NIL+R3z+XA=*dr9edvaz&jhF?tkY8o(cVT4WMHRstJ 
zTnRzsD2{<{@R}sk8%{O=p(NBe=ln@G!zO~@p?+zCBGl6s^WG?#XW5=I>~-){WPMKV zoS`EVjg*AI!f2xMMhzYRK>VD!V9a+4UM@gPO}9Y3&N~~H>?)z(w4J*h^D($1j$S*J zS6=Q27!xM)85kKEnHV1@q0C}8ceg%!c*No1VY1J)b+vTtGJw#Y9TXWRF8779a>kco z;>tM}y3C|+U?{tw+(c;-;O9XmL6=Rgm~|W-Y@8kJ&gYe*;0X=#v9>bYRm6apP&@}t zsykkn`Oi#b5ae5dJ4j7QG78Lb$@9yaLjoY;F9WuqV2*ZhD6CK zGLz%Q?FBrf7bXVJ(Q&xFxIO&Fa5Brx2P+&}zraK?6s=S2yzCa8Bw1jP6ZL;qEw~HUA^D5Rb{=-~o-eh6ipj#)3vuVcScfF{WJIEQCDmFO@bQs1 z(MG_SzKIOVwFpN|x_M!yn!5$GpApkfJ-vM|J@fcIJ8lD~%4he=j)3f&czK=Q^6JL- z_GO^|4f6B2s@OzM6W1!=gdJUdw0;iob${^AZLThJ)PWiIgp$)l!HOUkwBZr&0fqoC z!d;=dSW)ReFcZvNOIAzf)0qz54hf%4p!{x8;H68f7#4yp^Qla7>oi0`Kd}H6H+w+B z)!*Dth8L76d2R#IC`JTu)0Z#&rts){q8DX4CAkbdBK3=sI-BE#!=pPNLg|3?fcfM& zNK7*SkqPyPnHgVAqt*8}>%IflqYZ7CE^(}H*QAe?a$%r;BULMXxrM1;{ ztwH{tcD6Iy<}P9I3pNFp@Hfg2xF}dF7$d2N3Sw0hvPMB*Mwu!=1Q-W>*iqKO^w5+* zBEtC@<&J=OqI^#|jq=b(hu<2G{zETX3&cY!Ir755DGCZn`$`ZEk#hbk`3Quuk6Ac# z%^h&KV;FD6p4uLcOL8s*rJ-4|b+h%~=ug?@eCGlviD?c+0$@IRmH_@lC*}EhU)Bc- zga6nmP?!?NIRP=4711#)qeryINZ$xxmmdtmf@gNhTdkn15S#}#)lpZ@Z0Tf^_e!2? 
zm@7X^2)j`(5_yo769L_REa)>|KI+^Ls5o3;VFjanBj__Pd0jaIas)1R1XQZ=w$2`V zJ1ZM&OCx3vF7{z8VSh+V;ZR+i95$~@=;-c!?cF0yEuBjkZ;nj~EL;}^7zm@Yyc6g^ z&D^G+ZCd>wt1$&6NxE_XqBQ%Sx}GzCKf`Pl6ADlijb4zI7$qjcq2{lr>rU16xAo)I zXYZwVayu){dT>!V0>QxVbuFD`@aIm-~j?s;#Xpz1&?YYn#feoBX}q z9qet4a!};>z$I1tsxa__#DaXH122xvWG!KgR@AR?#57%HT>{h&sbC6XJ`;n=L9cZ1 z0uh5m1Puel=<FsXfnH>K#1 zrrTI{&pG(`kU)NzFTzj)6DbB|aKALaIjKY%MvFd#w?^WFv+(uFIQZRA(tv3Zs9I2@ zrYob|)hM4Ud5~!lkYS>HIb3EDkYVCwbiyiXnzHjN!h?MeaOG_l}oZF!H>8#f)(hw0#cl>8w!^wjRYx<1fedB`CzZH1S))^ zkb~kk$->s+x}OMn&6ODe<0qY0=5flik|Q8T;37wWd}~X4*XY=oyPy)UE{*e?p~hOA zst&sBi!|Qv=z3U_}>%R&t}8Mk!=K;KqismTu~ww>F9v7Oc*n2 zTxrt3m%jR&s|DmT9`jUtv=$8q;FyX!G{_61t2qN+d7$##KhDu)nIcY!-2^z2#wF)V zmO1J3Ng%~Vd0F5fAQ;9G-yG>IfM2PSJoDEx*j0KadM=PbCO*)X@ejohGz~BrpH)*R zbAihPp%UU4dwQPs@LiK-P?OX2~(kgud#Wa04x zqPO+hZ>>epW56{mZ*qA>KxPv!uk$6(R;WiwUyh8a>}?nS?v~?q2_w)yIFwshN%GFm z+wID3zM^}OA#5zn%}}&7wRV+M)Oor&yEy4uKS!>X+B@=+qdlXz+rT7olg8r);z}>_ zO!wI?aZQvH6s}<_14cm-0S<#ITT~;g<4#4dyozoB4H{dxG<3TL07SCGYLyyQINk6t zotBUs)5h3^3PosII$ST%A5S|~(J1fzGD<=bR%@v>R4<4{5*|uG3bOz#269nR3eYFv z%YFf-i}tmHMW%-ejy46a7I?;b&S|DC;nd={iy;V+ws3_2DB01f&#js>(GPpd$*Mb9 z7q}sCK1>Xp1(f3@DJ7aYn=A9e)A16LSJN>9GMlJlpybu$2*?r8F9IE1z3pASZqD{s zb5-K(kU^|swVjq2!OeKrM<*((8y60%FjDCr5enSBmB)T{Y_NThwj5NXp(+*Ca;O&c z$gk>m1`S>tJV9E#;Ee)`=SWIYg9z1U0F0Y+0>Trqe++u^$S;ooYe=U8gY?aNGCj=3 zPyFUY)sd=@tsy>XK3WQmTxwHx69OQR(4wp-tRChvw2eu4IDuTPlxyacf$3EPs?@Kh z25$?Vmz+~8aHxUE>?rOa7hm~tC4<1{EfjXO0-H%nFkvV`Y-Gs;ubCIs!A)YRL;f0e zlQc2IM&A)V-&w#3oC%09&T}~tF(PyRne#MOfxE??-QdeZ-th8@fXpUdUgt}mt;{A~ zHrGIDWkYUJbzEeinW^d3t6rJwbOChmmPOIh*4bTDUhC%K2cg<@2#<-C|f zOAPvFK*&Yj5^3vYyJ!ydQe7o5Sl}3%sn8J^cm&^xazbAWx4`5f5kbu0BpR6@f(h9& zMFHx2yr_Li2h)!v^0r7Vazcp=?4vIq-IH}OaRd$59IC;++{xd`J#MO5Gxdmg-}Ke@ z1#Ssk!25;?^Mip}Mxum9n7lTGD;RO%vH_-7^kxy@74S!jTogfS40q=EH8L>?`h>fU zxFv$15iY7W;XCI;fl#VNZxp3|C3SY|6fRe2S4h_8%x2siVOUq}<)`muAg`}W1Z0?~ zOO)hwR!{`wr1J_o8S_ttTT6C9WovtPd{pqb#wS%?rbmFnO;ZySZ%>!Dj^4tu8p=1P zBSmh>&{4={&;ISKurIkOjNT-0hc@muD^0(wJt!zNr9ug8I`zj>c<>-@K(`^P`t(tg 
zEPRm=6X-FtFJ!S%<6;D(dv|8-$Y`RmA0HhYC0&bPMM6bD&!)3Ys8~>Ygj^e<3suJP z;thW8pXWeMoFJ*-PqJO4W)!WoThv0G?m&}cLqeU6)i&MjXrhRN&!QQ5A^=7N!XjQq z(vI3@&WM2vsX-)pO-%w9On+eY<+;$IqBoSE&5RFFLi|&`=MH0=R z&(htcsJTT$JdIXn_CmWCN0hmf7d zaxYr+T+1u0s0hfli7V=K$di#HaD_ymv%9ymyU)$VeiGhHUgn8_TA>C^tcnk_P@3+3 z=}0BbpU*X;OMozozAGB~5HN)Gv=Iq8qn`@WpshKrr~h&q`2{tU_yv+eHM23MDGwBy zP-E;WraW%rk2VTFm$`hT7dwmC5=H3`x3Me7i z@HoU@kUlF&m?Z=cqN+Yp%_&R&uXHft0=Z+3qT-_p47V||VJiqoVYuVGNN*mRvXG%B z!ie0dPldvq@0SBqB2J3b8qyU|9N@5u^&@YOG_w}-oV_p~yo##!S52o0MK77|;o+WP zD+j9$KiWVO>Xm#EE_&+a6_yeKI6!WuBYxH>i}nAGZJG2x3nNxl}Lf;5TR(bi#Q$w=SF%@wuH z4$;nQ?o5IxBJa7vvwJ`{NJO+3R0`s8gXTkWaMYLNTOjg+|7#YC4Nw#Y(Evolve+RE-qPo$d=(+sP4E;>`s zv!HY-c)ftIV7e(*Q7f1jiDrBp5gyTR(9T;JNiI4=d4(%A0>*)f^yRa*7Ve{y6BAGe zSYX)O+dDcsSz21szL^%!+E;9BMe#MO+1lDVIyzffS+fGm60brTCSIu*=`Op~wO|ST6BveD*;#o^3q)*R#-Oftv%V!!sc12~NVe z5$3PrVxC%FsFC&A`$a7_ZLx<$BgL~Xfk z8Gp>6)8K4jigu?RB^`92iGLtoIvhT{G=RoE8v=568hX*G$}3!X5ikNw1O<9|d9O=f z4?)<{(hMRD3lG2cx*OK5T^}A1IWj!l*4F0h>$i2=)(sms#m2^sjEwMYvgMj>n>KIp z^Yd$OYwPOj1ZXZLxH3#!O7t$TZDp9a^3PXK-yl??nW-qelM55I0Fhfe+#w_oUVXiJ zolU!|`--}40`1+_`#2`LT6x-dd%JdY_2m~;ySX^7P^73lt)wSe5P12uvANS3)Pbx3t-63!%i2B zh^{E_l{{EUz!T)0HgyK2%I3@yEIU=CIM30N{1w1dH3>STb`aO=&~2fMI-)cAtf#Yx zGhh@v7yFsm1qxMR9C7*aO7?;=B|}YFkwT21B@I*_b!(as{zI8R7WU5XLe3T#JnyspYFtOwE1NRwe? 
zge+7UqE-g^Ee!ZzBF{a34xb>>yI6LU8m8b+OKr|~bfm@eU(V-PoPwPSUMrv_%mVBq z)r6$8-6P$}6oc?k>R`>2`n5ScZl-pp7Ca~zH29ie&>{ZY+5gT4L-QxcX!J9y?-`WW zUm+1NTG+uGOwC>Nav!?;pL`t0XOct|6r90g?2K5Qn+_Cq> zx`estD9ZpJ_ty6^=9+J=p@dPpyV~QmSx;rTM7WS}UpN$^2Y25noM^;t5$KK)L`Ut= zscj5UuPL($3voJD(;RPM^KI11sG+0oih>&Cs-u-3dYT1J6I3fDmH4!C>7lA22_AMs z7}_Z#bHm2HO61WldIXHaCQ^n-TDi5gwZ5(nTG7GLv8KAZx2K0n#1Q^;aO~~vsj8~< z_VT*>GxrAs24rTQD=#gLj*eNgc3p2@Z(D2Y5(!0_O}yw=&L!KS%qCv4(CfBiVH#Xm zS=ZQ>6dO7|epMDG!V1D5PAVqHCR9CR-I?tQ6U9i&&{+4F|BhhSwO*#y8X+*3@?0`- zSR6RTF2N~E+2>2iDUy`LfsZo}1Q{D1OMEDiT;y`N^N2=p$7;bhD5o=wM3gR4 zM8U0jttnqh!M;(OIVGbC9LGl*_iSF*5hIei&3ZPAYC_D3C=k?s2%rOL=m&2{Y39Pp zYeXbe`#AiIOZ9MVuaX9457xxMB0> z0*Pa)Ho>fLhr&81&fR~lKL$OECc$<48j#nzaw1?fm{}+uPfQhK4#jJH5PpC~a(N6z!^(LUGG5@yfX*7dsLe zCN37COZ+}L(~R>)mgZ)DKJHp)gG)T8i?(~PANpm$--Kdfc)a_3d&8TR!wmy=5l+sl z+#I5uEu1X{I)OD?&?bm4LobkGPk%vijjN0Or9z6ph?>JSXC6O8-#I)5K{?Ch&V$ci z;ai0jA6CFqB02^e8Fo7W9^uZTG*gmUj@}WC)OSjWteT+pbLKxXfm!6r5%B7GMbHK3 z{FCP=MSyNQcaEzjt`Xf4Au>p+nJ9KsO-WVeeMXh^n`^{nwTo31C&NM&vD+MclJVluVrib6#!RwqrYKoW{1D#WT@|g9#pAD zcb<`vHeJ1ctEP4{gtQjA+)Uu%pVOSvtmy_qH#R1)FZ%x+9EumuZe)(@jW0HF3$rV) zi7G)X4sJUz#7YfNb(X{-bctFEWHYah=ZvP2_>xh})7csfO*ZDr1 zG-mK(azrhj`(&<`(2KA-&;6)u{HA?c1c^*^+`vOz4xv!(p8#ZEFb}Mr6A-O*ivW!I zuI!=25dqTZE4vekYrbQ3<)f?)zQcGnhhV40>oK+~7owP^JyHYw)Dc6gdYPXYAg3$j zn7e(~ht%*_r?hm;ioj=*5eQ?!B;X-Rlb;k!^Fr(yT&}2xU2;8%$yjN z8ukdRX<4Wg!VM|}QU?ZcVg zB2s(Dt{NI>LGOSJ9wYG0zV@O&(K*gEdjb?^tbOi33otQ{y7X+F`TzzBx;xjU5BZkT zd&$T*i;u-xNisJkK9+K2IZf^K1pOq;Ey(lQu*3i}HjY_r(pXuPeGqT#9G8{$hIISb zw4a4?1_u}j0@e^ver4!BunnGh(vd&dLzti)hOv_x=|90m0BnXgpU&?$sJFKeRg}`- zab9zkWRGFWw>w$uUvHNwo_D;yK07}=UJp5usV2BIVQsOYNo6FNX}j^I9pBk4eFSVL zJmfFOFW>`kxK>u(+jzBqrZU>Ef<*4*L9=BD4VlP6zi2<7SLYE-~`Iy_>avn&*vU)=v}$14o%=<@9k)ijUZyc9nFR zv!8t}R?CTodupC%jLYCDhWQTDnbPcC$1|(NOH+*ewOPk#|2T`4aoiYFT-jjX!I~!~ zC-pYHTRICE8E8%h(!dl;0y?8gu`+$*1TQJC;Vs_pulXwXcR$V;YhYp}Seq66*s1My z=nzPQ&^x$3kEY4|<~zpE(bK7Kb%=h2J5f+_v+vje>T3y4ZIDi?B}1Bs!#d`*(~Ivb 
znc43BM;P$;9xR1ckVF*MMSOw?Juum_DV3$ssHt_hrO_JU*hJ!|~H*St>y9b&3jH}bA zZX)jr>aTuI2PIgJM7_fS zt*`lVdtDd(EFHh9KQ9{vP3F!sB`k!?`GQhr8X!~GwYFC6%R$A_?MNS(XQH4|{Bd2M z4yzdEfu`>*3%`TLbpvpIY&dOivey1v@!;h>&uA(x8!DdJ-MRUuwqG$w^3=3s=k3l{ zk~=mu#IiE&G(3q{ji%|fd6c*)6~|hQ9|=;{5O7=m(gH^Jr<;gcNp~i)SA)nen2re> z)hfzJG+@|J#BayoJU6LgQS%y`U#X$Ykc@&|!a9A5liZsFwq0}+8JbAUPH=1gG$e4?&U3#36RqySfG);A4RQ4Q;w!Io>ac2@$A>3QkUpx0ygYnwSol~8uD z=qM1Lvdj=V=HK;gkDNc7^Dars$FzfM=GoN8C<6{=kjtv4DO0q4^@w`(*WF1}%(moa zAwzxqa_bmrt&S;!hKJ^1e+sERj+mecJNw}vZie}7OC&|jxN6aw1twBlz~$AYTWupO z@+~_jJ3A*jvMy9>u5a+ zde(PSH1g*F(^LPxdKi%lxC`CanD53+C38cBG7(Fa0CQQm&jrY4P-jZbjwLF^WZ&DRPm?z)x_Q+ zU&gHLZj4fT=GS(?j-X5r4XL9atQAihLe8`ACe)Aig<9>jZ3_P$*<>}(mQ`$Y1TG;& zlD_XC~T~ zSx4O5E)myF#jvgj$l6FkCnT2qRm@$4#G(uA8K_oLkpmk&!s^finOU$M_^^Bi`ytIO z1Y~9*)7jMi&{6*=3cK%1-l4t1lg^$giU42%jJg+x{Nt#aaj3aawqjG`BMEJLT=O3L zq||>F_7g%`$F>-0eVVbI8y`8fm%ZHx6vY|GZp0{e*uSH}XJ7PEK&SI0}$<2+=VrGwM!mLm}z1Ri~133@_L z*+O_tgRmD%8U0Gyb%Djp_A$}Y8V*3Nx{LUAd}XII3|al&}6a0gY@egD1I zG<>Ib#N$Ac`Nk5W8cGwvg>8++>rJ7=I%bLIl^2v?B!@v_nxDGz;Q7=+;u?jDp`i`q zc(zvztB`%$1r}D?95rwVn7v8xNW|*PVzC=5q}~oA#2=A0VqJx?7<;WqaCLlW+`&R- zDEKy0SHK3Qyfvz}wbGr%j0CgkGyJX(Mc|60P7W;WxZPg5HKzD|o>f{D!fq=7Kp&*^ zW&bv47fLxRs3F%4K5YyLZwv@EU_ZccSu=bE_L6_iRKp@u+{_G#hPM2B7B#mliAGP* zNFWsihWb?cP>vA)iy-!qGA(e3;<5o-2Ndm|V!t9H4qcL<5v=bO0&1#ExO-Vc#YBw}Gt_Sia>ss-=Bo zGC43Q`z@Ogr|)%VH7Iy52n08Ue&w=p@fn!*iNHqS(n_;p=+;|%5=nr1paiPDi(2^@ za*}|7%|QQ?x_mdVk)o}6on|M}g@d(+;d!2R0*L<=T`l3Rf7YBPqq!K=U1MDI*|_fD z93dM1x8P;|FL4g+HQ{1FyzpR#?6PuDTu&5f%%KH-eB=^eVFYrp4XIDlnKCervD z?)%AXNNF0FMD63=y#|eagDZ@4E;^BeI7I!EwzUg%rKE}c*R~XP*PNS7uRTg2{53|T zrgv?+8FwCM_?vL3HW@XSsPtC2p!P2eLvqyGX-RDb1ce5y#t=P19{#$nm)TKkoyY&y z)M~!4BcMQlzERBY{nSyo=o_~DEbXeP6ck&;cMSJx@{*tfMlWoRO-)Wl)OavIracN$ z*+pFqH7r~`t1p2;j}^u4)ba15mvDTAF+!X{-VMZ{`pR?W*XBP6k`djIjUz&-xXz+W z2R%fi@Ho2o+$~DHs3F-o;Y`~;PO~Sk?XIA!qzOt-sU&AGdsD0+C(Q(lK4^Eke)htY 
zruJ9EgJsMs4(?*;7>})S)x3$bz@qd%e+qb+b?3D&#c`HgCZewoqolxi!0*$H@7NT2bhEy_IZ0s`FgR#Ng*5DBL0QJs}tok?CJ~!srJe}%PF@0AC&LiAf9iV!_*S>ym@E= zz|N%^CX(p*Hh3;AX6`__p01h3^MwFbwE&D@z^ z9Q98enayW$gfV9J4>ogSapMj1y@_8FK&-SUw09ZeyflwE3Mng03elzjr~yp;=8?go zQc%Z@=6Jd)+nU)?oqNNVoT}%37!=>*cUz<`G?w|%B$`-?>naYMz(@a`z*Yk9cXi{a zsW_l$TEKF;ro-u_r|wrRZuGh*QkLgiQcT8rTU8}p&ma4c2bNh!p8ye3n=F36j@i1~ z7$o!Taq9Y};`nU{Bs61l^@94$24p=4#|Ec{dhYnR=ec$0bzaXMqM~MZW%bRQG2W2q z%(3-O&i&DpC)GuEZS9}(1J@76Oq}27ZKkY zCL^@;@58HtTR#Ta?SCmZ9QDg@j4e#K(!hGM_w1Rr%}6;bW4oQXm7uWCvqRVn%#G6Q z*0;1nY^eCQZE>&Q{8r}mm?9XtnAo23D|Oe!(qaGXxy2B*=#V&&*KTE^`AooCaD`_hRszQ8`>#6X&OjNZA<>w&h17$H+es)F@ro3;Kco9!Bb6F zW@~YBd53s=bMI=b`J}hJ@^r27{PciSDHEn1rO@#(mDedTML87s^4>C^3z=#?*gpog z6b@gL*9tzgusl9FwUoYpd2uEa4u9yfLk*Jd%q=k{BvqS=8LEDCRC6WZc;oKsrJ5U( zQU8Eh+T4j ztRms=>+72K*y?!8m;~E-c~JhU7>!HCap|%KNlB@RXbF9mFQWE>>WO#6_EJ%qpRy?X zmS;Vw*Tc2`vYGS%!&nk9uP% zDntjx-2vvrV&S2GIyF4bx#%*OFm#A4zL5a5K+Z`Gx5$yEUxzr?qcDvUR^UsJJ8Lae zXGO5YY&3!7erP`%jx-UkI1tc0B*^|GL2~5aXAPL+F}Fm28brEhjfm)i{&y;Vvq!6` z76B4k4%5%hsW5FI290h{e})Xc$Wl|&G`3bZn@x4SoV1tGr+pQb=DFDT+MXrV-L?g# zy;epi_Lf}<9UK}82z1naAf4cmpK!2o{Uc2>&)$}XlBWQxQuWrCZ}*#nx*jA^adB5t zpre)W3ni1%sJsU=5PC8~^K#u^Vi(AsO7r-3d_OkI_3qiuN<>v#)mf5XT$W$VP1RH1 zSa7W4io*(f^X=-p#5BeNrwf}EQ)Y7sZBUd#=LhQj>BZHt{*FOz4zK;#*wWv^@~*b( z!T!n7>EX%o{zDr7L7*lh9vC*`7#oTK^H%txh(L*3k;=f%JQ#z5;M}7ft7pg=#0|+K zH_UILWiVwhYr%JkNxU|6@<`nyijt`CO4M0Mj*eqV93;n2NMNMMqq1MRU;Cex?8^aZ zE>4c>rC$x2Md4YM_lE|EjV#nW{)?nEEOnd?2C0#UBm_#kJ2`C2wsZCAfStTM`EQ%A z)uW(O1+eiZfl&cfwzF?+9;V!2$`B9lwWCT2|9wEwMEVuuv51ly2*Sd@09Swa`^E~q z^tFtiZA9?94LZ8`O;rlgk+5Bs+G|hN%E;fRM;Xh)VvwG0orz<-E@VLu^nL%`Ab0sp zBX>L0(~=o?`&PprGd0{UGvvc)4IH(Jv4- z?%yLCFp{xXts5-yM~IVIig}D3E<63;<`H9OsZ~~9Uby%4EIU(3uCc|8-A${Dd9yE!7lKOrKX;A^l6iOY zX(^cHtL(27x9@K^JF8Buhtu7yIj^afeu-&WuYE{fP&yM9zv^?whl(@$xN76BFxJ4{ z|KO2kL`t^_6nvlW#Yy}gdbU8QP{#`o4KF$we;;ubaijCGZrOvc=Ep{w)|DqI@*_d6 z%;-UPwv7?`>W5u`+nil(C&Iq_jtlV7hjRh=mf>@gD?EcVk+^kt~T zUAmj#`AoCD$-gD^88uj%=JX1K5c3cSJx`MLz5k(NQNEV|wws;N%vq&{kpyGoeZ?@p 
z^4r_6`Bn0wB*X(1sgb|DdWIs3xF8js6`akbZS^JphUm*?cfSPms*x{SimM9Vkrl22 zAxxW$jcGPzFsg+$E60;Wr?4hw0Tu4%&KqGR@&bJh~ zQ^ZeqnH7ld<>E-0PmgRilsvk@NlQY|0VTN$xu!#qGkP0SVa2(M&yn1V{?5@)!1@{H z*R&lYFqrsNqnD;5NGu?*AQUfB;$XB8O~r?V#gA{$VC-i+W=vi6T7}~~Ms%P3F3ezV z$ivEWO!TK<(kgFbo_A53v1&SBC0?WD_kVe!iesH|2^tB(5*QG;UV}nwYRy6rdG_MJ zO@9mDVzrS_q88}?g&+3y7Gen{FibruM%sJ+cz*)lejnSkRv{UMFCfk9L0y2U_46@CYKz5+!lfbp@^84*m0XvlAyEfE2Bl z!!yqCHa`V&Qr=*H>W4?Rktj={vpE#rDN;KYc6Uj2h|idXe$%H}hJA9=$HLT4_DY&f z-Ec$pJ%qRAQ(MidO#(=O_j)XNe85PiAB&+*%QVm%jO!kb*Az`EVh$JR)&@G9vo*8@ zw39FRE-NoJl}sA!}|Y@WjtS4xdk?+hR|T0T!kQA z`3~CsBY1!Cy?%Ao18zkCINAZ3S!8>sYKB^`CMWxGx%%w$v3@MI4`!cska10DECPrw zXNYQQ4fL(?D#F5AS*JAc=s0%TuIWw(&`~?k+UOU?ddH|hP?z!W4Hcydo*-#p@4GFz zvYqXFts$``RMaIslf>#4E&_y2mEH2A8N41UGnBYOJtkjErd3w3YMBLx3p=b7gKQ9u ze-F5)rl+aNZz@c5GOHRYFQt79n&>K0`29WDL_?QB-(Ku0 zEGM;#3RDqo`U5`O=XvlvJ@5j-4`Nwilc>^k0tzHr;!tDB=`;>3JL8e1lWVb`FQm~h zrEi4;yaEFu13&sG;ywe&V2h(xR%$6YE6(fz|_!cXjHLt}MZ-CV-MU~2!?);8Bu zOrKw#f}I4ghz55Ux@1;Wv9p-`odCRJ#LOH6lY?=K>FMnT=*FaA8iT=skncBeZj3C; z2Q?z#9a7}W91RXW)Lw-rD2q&6YX*uen-v;jxg^E7@tp&K&`i+2`fh%t?9n~*kCx1l z`r9i=JL?YfZwKyd3($?0#)<%1)*BMb z@mnOUy2$Uy7Oq#BQP#H$f1=yaQ@V2q$+|yXtI8ad^Wm^0x~F^zeCDb=f6t@mkbaZQ ze@@SBDG&Dp2p=l<3O{vPY+582gx8{1(6uAh+%zXyE1p&M&by(vAtDxPwnQ%*Og+DG zRm|weXl_U@!#K(43{k%Hq#gQR=QC}0?Gc%|J*t_kKba3vyGHl%+uh+Lxeo}DtXI3z zqeNd?3#M33jW}7@2-#8!cH1)3d_L3B>p+DK;k)S8&EHTECZON;x5O6^IH@7)ACB*> zFbtBldqO=C@**3xJ6Pi$`WZyrwNZdsn?n6!J-lM6PVZ3(78b0989~^K<@qt{Zfc@h zRHnifqLZ1L3L*-2F+wMDbenkWg;$Go?YJ~Ro19Ex+%hK{+ZCJ~sFl{{X=rL;Xl4d( zN#+9?Sw18oq3RVt6b(vOKCr^ow^M2}<_0fh1iiv0ea*t`+S?@=cfV9>=H~SZ;^l!Q z3&mpm71<*+82G+#RDW%OSqn=v(v81=FaR+Z+bO{sSHc8Fg~^OaauOfTlgJsD=TouQ zC!b9#n(8R`+sm`W9v-ZTWI(9Nk)qvX|BTDvc6R=ia_V4xbyYDUEg3_ekI9?Qi)4Cp zGOkaW5;~)y5C&p-B3YM7+luptfa77ie8$sZurmh|igh5e7!F_s zRdJoM4(LU!2p8efSqT3H?_|J)h3DX<&oaJP@W$5>MV9O>u^J~qR0z0LnARLs z>JLlL-(OczKSno=1M&PiMo^jP{v+B<^eflXO*r1)|F*Zc*BP`KGCBQJ1J*e!r``C? 
z@&8>;aL+cqC8pe-9{8P?)i(?SuQU_jldVuZC@i%K!34f$IYhFbbYNKmSL&Id)g8^T zAo2wNB!H!P->E1@619>^JFhwa79mYkvT8E8hMRQzvx3u}sAq^$h)|iEswj&9XQ#@F z=QL+Ohae`d%*y4Nv!>3fF)9%I%1VCPqN%s)@*?YM>F9-hLL)%)0$eIIIeZ?Sn%_KH zPaSV(h(z5>&<5{>b?F zS;AxbxH{pM{`9p~Z2no|@J>jN8NY8)|slnspN4%mD#CI)pN;$SxIRPu$CDoV+(l7odp%DN%MIHPN}KT!m5~$510v(C{0YDP7;v@i0KX7Rz639!hUBldK}`Q zGO@^#9ee%@K;CqouQE0+Kzpwh8~{jaNCbSfp375RT>|kGGTfa1Uyv04xT3h)^au6$ zl@Ivciyt@7wPAr=zN`AR>7+@LSpuoeQNrsI5-At<6u)o$@LCj zvau!GHhJJJoQ}qQtC=XWu-mUXO*55a>$qRk2g$%>mIk^~r_v0AG=7@iy9OhK09#bB z(C`8)dj7wBxgWNR=K=yg6i5(?8e%Cv7{2qx;BXu&;zf-iC{BHM9U-qn!)V(&t#sXP z&#X#;Tb|L~z_omfSnDkK+JKRs831ze!63$VM0B$mwaha|m@~7a!uKjiRxcRQO58Bj z2V(5=R@J zgzq>wKD)2xPEIIfKIsHZI}amFvwpd{#Tg?^4r%fmlx&&A{VHwGz5bEw)!HS*_hwNB zM@;I^)iImR1=U%+ow=L2#LLzBXS`;hIRxdFm!npAw%;9f_fJudSp>LjPmRdem>F$m z4{9K#!q_NFYXAHi1|I3IRlDaqa@GXm({tPN(E}>c50glFlpB7P= zS$azB<+u1mOZel&3!31?TJIOIJtT`B9H?*pL!}m~QKcINj3=~{FM!$BJcmo>8WU}G zUJeIq3pF*~bySmk?f0rtm;2p6`MK{DfcKeI4z@BH9$F0EGM3Qhr{rFOklw$~$NO*W zEQ?!fTX!*I%pk(#;D@mI7_`<_EZBkSY)D^7ZJ}NMo3%|he|OjW55ME`WYc*xzLFSt zrM~n8#7HtZbm{)o*6#kd)xM~f)V$qFN<;H@9rMrhUzfM5tBjQt!+$p_G@yPB#|QA_ zJbZnJ03Wt+2g~pSgzUzp@pILPO+?SYkk0zt-apm#9}7OUvWuK&b&Jak6H*(;$>GR9 zvJxSTi+(kdg=z%{y-Ban&ixP*<=@Ten7Jtc5C5xTXe09DYy$COyv#}Z(O%}6#jQax zCZeH3iGsp%ls)8^a6M+*0+}e}rprAAuAt0*KpluC`E`=!nwGp}+T*$7-x)TsSHGW8 zFa>}?d};bg?`hszxeN;*54YeBIT$%!wnmR)tuua(epMGNo|KW#69T&zy<5QW*gEA! 
zat{H{$=@Tvql6*0uM6?VMo%i&&jhdkfG{=&4?NV5CFfEFc3-1rd`R%ybPxLH3N*f5 zsJPQ?`7uILa#WI>D%fpjvudHb1KhY-T+avG)i66p`527$=p}g*zNT9*%Xp8Yxe4#YS`{ydgC!jC4aZW!4W4?3jPvfl2L)gM% zlp5XE7oLBEP6<9Lc=d7uc=4eeqT{ia0pQ*SQ-Y;E!$3(4HyBk&ey}~S(SZb#wGWjcyCa+ z?_q44XF%~XnsR$?I@c8fhTEjo*#;CmOnl;JP=^^JpF_AS=B)*-g%g~^9DKi}oBtuZ z=V{q#uimV0=fB9&fQhNE%M1H$CL%RP#THXidoGcRQf*FQKLcDoKc)sPi{dqL5?~CVW zWNQkQ$ee7~ghA&ny23TW*J0de3zK2vtLfHJ&ED+txU9ZUS}IewdEo@2AtAP}xI6Mxe$DXu4CsC(2YfjJ zJ~$jmYGV_@o>pR$v$)Gl8l7jTX_T*S!D1!>`DqmXrk-OX>YhcvPw_7Omq79D71;`e zKu0LN1z>+W4iS~g=Bh%kLrak-IHkO(qTR~+vGL1QlZy~)N-g|&C`_9inc}XSp+7G zpSGLL%aHnbm39?O7kFY4W77k|aKhqq^D!*Fr|dzZW$on|dUVbh7^}M(eT8nsGp9IF z{9Iz0Xs9EJxw;Mq#jKAAcq6YQAwgX1={-6kBD8kE`)me*@Gp0)E)kfF3r724fM!-G z=|;k*-9y@=u=OC?Ra%==8atm(CLdVfVS@UPPRIfA`t=xgc3&ON4W7aV#d7*Yhgl&u zv<;`5Us|RChNKGHaAnZRocXBtDe-aE6Sb5BEV#z$0OmM0pwNq4jCN|qtvl9BQvtl= zM3iNoUt+%adgI4*+=19o-ttIc?YaCy&?Yw2eaIgOaDoBO$eNT-M9)B^2~Vxm_gozF zY{}ZRo5(a265MB{;Pdt+w>Hn#p0W}=pw#uz0Hss~pah6FD~*i>|3rqly;SXrvxzO! zMgnKO2}C3^I{O#A6CI0#yO^HfozN&M5!jI#n=Z>>qhNUO3tBF5L=g3Zn!bbEKJOv{ zWrjFx&d%w3GJWC@-flu@Wt8Ue4<0mj`Ty&v_y2g?f zCpWr^XhjKp0fVxEO^=fvy01AC{5E4h&e*Kz(ri)C`f4T|o^0!x^iCsW>{MBxdccD+Pik3 zS!npg!mzTrDlN${kQ5xC_<4q^%(`0-yUQ6gJyAaWjfly}Q;7HP_ih&-77x3dK{`7w z-v2Iw7?*p|%$`~t5iG9_V?dz9K8#e5)7)Th6 zeuXf9O3_{rx&{rUsKO5qW@(7TKpp-y=DFXsd5`u5NhOW{It^WS<%NHdwPINU{@ZY5 z0>T`3H+^vtr*^~kB1Z;*TGfL=yPT$rW-wx55)Vv^^Wi$|c8(`5ClJ@+wGRby#{J6l zr5YWY)0kn>wB}|6D!c)n&P<%=e00wTD%SiDl#QWZQgEa^9D?)x8-d(UpAL$@dxW|d zeIykM0njdQz9=_f^8V&Y%H-V?zaIWQ0q4<_=H;|QhRmcQx$1o zS3!8zrk%VLVjO3ij^L$Rij263m0zav4IEl+fq%?Bq5wfvd$#D;{uc196KF(Y=0`=D z>CZnwnH=zXJeH4SZ~41Dn>94JoUzC4UKyfQE`S;FBs?uPtcrUJGK9AEM)$gG>mH|_ zlr8VfYfu;>jy;6lYd#in>$Er|a6b>U0;L`xqp;pGB^nEVsaoaNFCq~C6vZ}dAb~cS z5I*X%t!;kYFIKuOeC&|QccTvkgJ3Kw@v8sdn zaFXQvu<`pg4G%|Ub$x9l34!*&>lqnQ1A~)_SB(QMqHC|Z2|Vh%w%5jz=X}uW#1@#2 zQ9eH5<>j?y>WQVxNu}G>uhiEQTW2ca}1ccc>$a3do4jqll9ecJ1} zkRS_cTS>1b6x#Eazd6vzO}zj#VI@Ho>2+l0ytA4ACJ9{euH(*-;D^Ns7HO9QoO9oW 
z;&od2w?jgh3VSA!RQ7wqG=vlUiwQ2WF++&k!htNxkK`Nfb!Gr-h(7xAzF#D#i85o* z9vX$TP{5D?dev;wEV%SmlVF(70GhBoOA0n*xg=rTWnI(mGpzf(vbNSo&Cuby^lC93 z((ZOSz%#2E9p+dsz(4hB+Eu<$X;+jb2qJX4dWQVvu;QgCM37{he?D*%SXNaw1b>q- zN;A1ozBTHP8!Y#$o*tf7YFr;C5B}o{T(9laF)sWV zB()4H`ux(=Rf0MEa-pbhH}~S)hF2FNmuSbr`}sSK9=(HOz08|YeATe548Z{%dx+JY z{&Y!+{l#b9+Z&Sn4`o&A(1KHDe)BdPOn#C5gBwOD)B z^NegzfXFgmG(QS?EL>%PMCs%9rxtt5vr9>m=lkq~7v>&OM{jcP zS^wg!n`p+WENaw2u9ULpkms4^EPNdI9H$Wz<}$$a(rEknUnN8GxO1fR1e(x`i;WK9 zrsP#V^EPWBN~i&A$DHG|Y+29K<66S=W=8PRC~*Yn7*H8@&_Mz0{xNPj6iSnC{z6(c zN7?*ZCoQw2yK5GqC}qZXbUOLtA)6MRk&IG_v7XIME*cALNC?rTLjC*Rd(78;H0sju z=0Ra;sCQGi7n3C-i#1>r@v99FwaV$>OFzm)bht=DbrZ*CmDJp}{pu64GU^LJGV3{a zC*)=CI{9a2t}To@_v7e&dYujcz)GUGBBqD7$;eV{(Se|UhGN)5K=4h5u7l*G-s}4z zF=rq)RE+%BS7B9!&4!4>zQ}%V9biZ5I`@*o#Irxl{5rSf7%+*80Y5c1p~7b;F{SI; zB-xDbie(dd=J&?p`qiHrAGh3QsA4YFN=BfCxnlJO^C1r&>8j?ENB9$tgmb6oP_8-{ z1{<2fQKkoeKN!!h&G6k79$qGD@d`iCztFafiq`YF)6J^9LTg@=IN312j->T&7RT&uC z4skNE+=tCdHT`X<2dM%>Qrq8`^_yhG&tx93n(Kq{(#pulxILUWBhv25FFUDiVry;! 
zV~Q*50-^nbN?h&7xF0_HjGXD>;@V>T{#)W*VH^}X9a=PLD;7@G{J0Tf-?kAfL9D~L zCp|R9JcrFS@GOn)zMQdoPQw=LP1Fmq&j&rNBpu6Ulphvvx zb=B3O({9><)Ke=kh?_Yg!i6;gX#iOhdG`Wxg&pc1h7VMxmxEs4e?**j^AE4Vn?(DLii(bIZEjxkn%%bZ4tZqnZc^CV+Di1J zxxOBd&DeLYU$9dBH=Za@HrylUTTUQF?`-Vc=x>=-mJ=h!V1HNbmXnq5Xyz;^Z!*1a zgQ%jPBF`)_Y){6e!E2(|23`ION5l026bn2&+azDCe$|oS2e`ROaU>$pLb$VYdb&LC zK1FwFS8GR9ATb(ohKB$78pPh7G4W`^)_R5|-RT)*dQZEEJr}tt%SNYHs)EVyJ5tn- zl+5M<+&q~liNne-oYz5oE4=A&Q?TM#Sx)G_sBC+{n6__Cx6t zYg>-ecxs6e808-){Fz1O z8gTK}6mkd#MeBD6+G%1113NFg%Hu6h?bcFi^O!N}?m(f^A;MMLd3}{u(b?h7jq;Q8 zMPmEAZdY^1l_o(^RFECkAEe%zh$G*+S|O4C7=~?CeQNgUV;Hc%>^0vCuEjW0j`}Iw z+4AFydH0m>-l6cjI!1vmm2uxdS%oWeVGDjGAfl;>KUe$so405E-wq4LhGG#>W7=Q8 zob=M_9N=$MRajq^pIud7sD(DxbWXQkmdUi~;Dp;Gw5blx6%ZA;~CUjb%+>&P$+V%AXN* zhigZ$w$~ci7HcjMP}%%TjMWGzr>_Z?c#}t+cb{C6h*Hj!7W(lU@!i1by4x}pzt|az zeVr9CDY%-O@?)miZZjbn2?*)~5lD)7A4&Nk!+`ce zz9RK-1*@I}gt4L7P$y=1=vW6et&g16_jdG$gG#y}?6HYN9$qC&%CUFZ$%#PeM2*r> zV>q*73Nmq_`pO;1a}2ROEdu-&xKh^hIHx3m<2L7Db7SH_*Uh} zd*5^+r$lHLSQq>#1TstaDc+#u^z{GpI38N>u>6<4PI(XPJ&AoaVpPY(Y|r7>slNF5 zz_NX~cS$Nlb~1yvr$4zQtSq<2!65+80o|cmaB^*Mb8J`~;Tq_RP_)k4{1lXe_Qbn9 z2kDB7t1Dir{^}*B^wcI~)L_c-OQ#qE=r*&=Ng)~NOtx=6I93+!g%zGXTT|)KOpPVY zIjB9Z*;i9n)zK49_U;X3MNS45fj@wnUf`eKy`mvOK^|gi`&$KCwhYm;sGv})np44H z8Z=2GtBEV321d%=68R;*2O`YXhHvYLdhXQ5hN+)A93I*m(B_m`JE&638a_H&%u_U1=d54}!lv1c<&B!=P&$vWiQ4M)#Bpn8m{ z{HP}gz4BDiCc8Ft@K+ielV-5)LA-gm*O&>zc62~Uec}Z)G&NHf7a9>_B46KI@M7J9 zscbB)j!#I0z0!WzH|b1uk`d^;DvG5m^DZAPDCe z*BrUX*-!;{b#11fR!1P_{d>K<6m zUx{o~e@~eM!o}PKkkdGnzX_Hv$;R3Gi1tvfLicb|M)8=dzT>^eRVm_IViQ~Sq{VZ# z!ja}iB&@1oW4^{7!c3ro=JtPk>46nvXP#kR0sacDIpz(%P=B3=%~?F(j@f}N1bQ&p zNT^cS+(ymaTT_o!$>E})_`e0AdgiF$HZlsIRuJZq$jurzzlDIzc*7TZIYva9n)ibi zR221OQUk}Vwe8#(Lc{^2XL>1t(nn8jdl=LCmri~!Peye(gAa4-aO-?XY_Aeq$ghlm zuS~mg1EaUyN}$tfvy~Zx9d7y0`Ckvc3V*H(x9o)5Oy$mgl?`~+xcVKBBg8|LU#9aC zr_tS83Kv)k+3CjCsz@>0yz3!*d+WaS6XPua!!j*sP3@tbeiDHW`zA15N5MHHeZconDT`+4*3 zUCggeqf{DZG2nsuKkJ&SId}6Qz|T-ESG}Hc%pGk1loZk0)6E?#9+$>zu>QjA7`4zq(CC8q2+h_-zi{YApUe8y) 
zT0GUA6NVc%gA6XTsUDSvI-xudhy294NA!z*z^N~5v%HNyVS0 zuYdFWXM?4LH}RCQsim<%*F!C63QnNcxa` z=NoEdv`BBQQ5k`Ur^yVvP#a~L3%-t?Ty)RF|2(eW0gtPWNh%CX|6{;j z4myajQt#5-)}=giW+QnG0s?}@Vl$dFqZ_3v1_+CKsf~rm-0p=1)())&8olyDE}Q9g z56W*OJ7n`2V*Q6sZ(%U7%zz0eHwOa=?@y7)9(Ccs-NUg-DeW1FT>_Yz#sWNYMo5o& zwqfD0Usgup_z<7aNgnFzEA6tt)I%urrM?3e*I*Y2Owt|>PL6|TO{?+B-B^a9N z1kitYe$KMBI)7VAag|INTm(nw)|5|nSQYgFHy9j24vSOjl~b;zI(2!mVP3xugQMpimmD)abuVj>N(S)a z^%yGpT_hg!{6w4LvLAzHo~h#3Lj4plQXA-`R{JbNTRLN$6(5)GB%q56g8Hb5GJq@h7JkMZ6>HKBWRcyjjduy zLSK4dXO?426LNB`%-xT@x4wM;d}Q7IYMKF3-f?z+m>*EJYSlUWoQ?as?)b0w<%9&&BehjF%Hc2} z!k&%`fJxpo_0JmH*eE~&dDhZTd^CVsMw-UguX2y(7LP?j#9iTY-+C|>m&UKJLJNak ziIiA1C!>G0@?oXT0lwC!P*AgGrsxT9aU&5>ZqIOCHz!}1y8<~HT8kWk-1SpWhRGkHN`?Z5}nzVx)ja=#8H{i%$hID8Xm}`WUWF_)w6a!d4K|2dwB0YV@ z1FH36>)bH2WCh$|K#+UTdR6fJO*}U^783J_!h{rx#e6z^iQUuOxWGAoKqbw{rqxxT zbDAvD%+2pA{X#Br3+t(EFwDe_s?zH#Mx}DEWLO=h&+Me=zv7aV-lVBe9ucP1oV0f1gN;63WA8VJ>~s!C-C0C0>il$Tue$z0vm1Q z>3Gk7Szi6u<-Ywzx^8w1e+oMhQ+470Ud-@uhWotC){;L(x57CiE2Y*{a8JWMI_X%E zQyX8qqp`!~yQj%ciSy8YI@exq@Y>d1gR8wdvVnrk(JhPQp`#tGdbl?ysbhf%vW=+14+MO!v{oO7 zkrW1?cgUutrHRv>;(IPicm7~~OO~Yoe!*E%VumLhk3VfR1op?Zl=3MMgz_xf&OJfb zIjLrA%EuE?sCAlO3MhOBB*Kzr0FPrg-Zy3m0(I{VH;I}I{%R=0?;&#`d4Hn!XsxNQ zjhukhfC0NpW`Gew9oUN1R4!S(#(lQU=neKy+r_MJO%=b2tR$0vQAV=c5ulbQ-8mXQ zP3bjFR>n(=JKso%y0j^lZ$z&D zO-91qpY~KbIb>cEVugQ%Fp>05*|D_NPb?4bM|?Y7lX@6T+MyQ#xFtH699N;h@whTQ z?sSR6zHMh{MMOyBe&%k4WM}aZS@pah;{!va-0SP%klrEtFw)jHzxs>Bf}M`YakF>| zh}YT2u7i^U!h`R5{9E?s#__P^aBW~u$}&`6+S=Q=*Ymjy78aJ!QSr~t>=h8R$DzX_ zeit{Ue6D3wwN=MQ57SELx>PdA2Um_CWjSh-qfzw(zqA|+;bo}32pAjH4|t|ZL=aC@ zqy8Bg0~d_>0R*QI5%YMQS^y;gxJlYt|G&q4Ksqpy5YaRfo2{+{=iqf3F+ru`hyIee zZP1Klt(9>}R$dXDBUbYNT~F$%82H`B%brW|{WN-dQ!ZdE;gM zFRm4l#yXUlDoL5&&p3B47vrJ(Z*BvZiV@0biCuo$1xqXg(%ks2pC~5@0@*XHOb7^J z+RxbCCv=Z~)Siuo)ecj96S?ZNj?op3Zg#0f>)4u&&H?0hkW%zErCV^x-`4z}h7VQt zz)Z@-4sCHtvr+&2#oBS&F(7g?9YiSui%{Z;lbw5_Cd{EU3i_5ZhAN(rkkDkF_m}ud zl%|)hsM9@TwHvNa<9_zXasXY-UK4zQ*#6JDkpD@95C42^SKspvw-SJA0(h0 
zXZ!Mey8C^8ZSXM)d+qW36ansI(8|Qc(t6qKkpKzhStA!8+?m8~aRmHC@8enSrG|;} zrxglvQPReyD>-}wm%TiZ1n$A9wdK#2&x5bI zyq1oHg2rs$O9t`Pc{CZ-v@&SDBo(N+y) zCclaOMIs{YkMv2%sjGD0`=tZPvo^P-wYu~*paaFv>)29JU0eGHUT%Tam%%@JP9A6A z{n!KH_AS8Q3JU(0&V~HMBKbR~$E|npStG)5%&=ue#+|NT?U%3qTGU=I@ zH$!LO5HaCu+i_0`2u<*z`h+-6GT`|cPeo6Gav&8VeQMk@DxElt2#T<0CDIF|J79?T zNczB{k+Y=F)%Oc3sdVu}4Pym0g(*Fz#X_1)5ARQ=<#j%2%#5lde+6be30eog1a08r zxi1!Q_6D8blbI4DD=l9l>bPs#@gT{<_g@FaLxiH@Sori@0*Md(<{3H|``7Lb^a{X{!5ZH1e92{-ilg zobP%28GMk{Og-PxpEHFA5@RbYY z(BsawoGNx)9d!-TmzR(5I*wu>a*UQ_Ao&-Cf_pbNd4RCiZ6~5( zqPJPeZ2{w8y!i%6Dw@~?mtZM!;_ok+po!$E>?_Byd*>&%Wz^1dbSmE$gm^1V>V2X> z*ySHP(2z7`Wd}w#Xdm9e_ZRu`s*z+Ggq-;UFUq_^RMC9AHo5VeleQUc!3HGyarxOO zCh{P3Wr5XCJX;o?{E6E!htulfLI`Y2)|V^^M-*D8QBik{Xio#m;4^33hzXcm_K2J7 zBv7pbjL}Xa&xs43W`{fs7ig{2%JqH+McDTouT1OII(fJ#=yad-yc4$Fo@5^$psqNq zy=3}a_nx2VaM*8M{yl-*+jO38!FA|4KGCt4G3f1|pSRNUe)D@47=zKNUGH!@EZem2 zyl>2ZAJBW=>ZIZFddzBG-L3x&zv5s<@X9*h;Cl@nN7m#*M)L56CiZWDgG1or+2p&u zsQbPxPvGWRe|>FB*5q|+xw$>vfk(Wfh{7ZIJNkBo-))u#Pv$i&A$1d}vI!Pd{gX~o zHboFz1vGpPl}IEAp@b2@QHf}ag36Aj9lOUD;Ub=z)GWbu?;RVIn zdTULHxrU}@MeWQ7MEH8ZAwN)*Td3|Xq6;?5SizY8ajEo9p;6c&h;|}ovg@fHif}=aHW4FYmZ!C5H2mK zCet0Nn%^$g`HKE){*R#V8@g<2`4d-C)nX{m17eEZ1>1v-gPr~PPpmV&Bqo&85rD#7 z(36-Y06zMEsW&ih@%f@$vTVQ~mfT9UL%XYPd_Bi#zr=~TpbyR{z-_5mA(gCaJvjhr z(7k14kwJ|8;n_XlvQWqW@l&EgjY!4!#uVWk&p+j+Gi)WyG0xOp-r^VF55n5EtmSXE zxOz$=24MKL)7vGc3VCj;jXW)f4dp$;U3YP1{xgEogT2*_Nr!&#{1JLo{?yHtUSE6F zwFkOQ9L&sh)P=nm_nbheF_;vN$a%)}p~xaGdIU&Pg=qBIez26oF!T26s=PE1S%HsTi$V)g_)OvcxJ=A; z5tnj>Xn3_s3ip7VB&QzmAtYS%vuoIH%ZTV>OL2a!v85qL$63PfW>mIVa9GI-tDDdY zbX56pKPWQ)kH7H|H(qZ6^!Ug`vRgcX-vuN%w`uDCC>BBRtdpP=9Nm|8`>g z`;n=y>3$y7?d}GI=WX1JIT+i50&UIZjnp&6{o6SWh(xL@ELvmgXB)ORS_L*Nb`O&9 zBAUWbPpi+Ae95BD>UEclmd!xVSrXh9mgFND+N1wZHcQFq2@9Ya_iD)?Hzv~hpj zrM8cy=^v)iGWb}3xu+$V6Y*sVVm40cyYTFX~%IMDA~#P>T_&rhTq=$H-w zg{stgct#}J=H=oNlGl1c%+^s=Q(szLg@=cKeR%=8r~1h2HrF;*R5hG_lL9;UHa51F z&i42BuQ3hH%*ds&N5#cJ#VoLMw-&W_Q3GCU1CrpK_T&qGv~xf~dCCZ(YRQ)--wD~8 
zB^D+oxHvaOlyEtc;BH*5T&&t}C&nreo9PpQ>2taDV2$Psoh9yk2^sEhq*6W9Y~?D6 zuyDc)v~e8v8QYnCP1Fuz#T3`HhrRymE}x*ymQ)t-eP$;jc15U-zD*MH z{0}F*D{qaEajg(If_l@EOm(Ydim!FYvS@XC2qsfT9oW{*9b+-Bzw7UBy!_X**;*|X z@8s0d$jTui4{Pau9IY5q!qqQSp`@t|1!wHNN9Kw` zh(A$XVOMKo8RAb$Ov|31u>`I&ew3}#;s2BiRlA!r15Q_oj#fP}0E2 z>Ca78P&^1Km<|L$F#{tF0~{?miMh#$#aYY1)TQ}yQB8!E{yjgy0a-+$+nF!pen8e# zoklXI+|>z-W96C-(-M2?hh>8iZxIqH$5RRpf+k@fU@qFx4cN20WpZkX$hWIOsAZ@; z_*!>-IB?ZEgJ>r8S^2i0R|>R$KyI%PR6-2@clh(GBh!zGLeDh0Hv`Ud`CpcvYpN@m zAG=iDn@j;sE+j~g{k(lc>C>?fZ0DtUEr)FAa6tnjGc$1Sx}mU#;2+Xbh3Nk z5>`e=6HMn$bVEbdhP8n~?^C?HA&FDr8Iq}$y%9DF3I;m1nx0x_TJG_|<-zIo?#RN9 zx{BWR=4Pw+bXLLMUi!+)R}cR-v=~r==B|;~kJ>ZFnB;X}tf#bzhH*BHh(~=W`wB7M zW`~O+#U!IXF7!nJ#5ecTFIGY!UI*$@Fo09yJ>F)&!-{zH=tRNmPKO=G3pbnK&+c$1F?G3@SFfFRzfXLQGB8y16l)>` z0GMGvxS-onrHZkzi7?o{Pa+HDP=u{~LPYbzjY#at@ZR3iZIlzEy|*@8$Zi`OJa_c@ zACJ_H{B}1~F(9geEr)eQg)TB!6?|X~=e=@bPWz678k`<-Bz4AI9Ry&&=oW0f&kXL7h{s35oP49ldJOqbch$o z>jBx#4ebz*ab}kw@{#bpvKec+X}up|Ymt3we~69x`MZjgrfJ6wLnaoc^m0u+1 ziI2&#G|HlE_vc(>D9`51#Qk8xMJe|hY+^YIWhJszAr z?9b24`;OWeX(;scE=%vEp(#jajb}33kGCM&!pkw!q|e}Uu2BwzWy~c1t>=5Mb@q(# zYoCVgAX#UiWHJFodB8SZVQ1_G1Uk2`%6mhVuOu&r)>)c{ck5Rw7|ObmMzUszkE(jka`Si(3k}WZ^X6)01&tofomY~#)AK9O>mv`pbswetkmAnzmlZg@GbRQI z>SkwUG*EUDevi5mrW~(WubXuWYGie%jq>`_3|Wk6gH?u0&RD5&CRUFAB}Iq9#`PiL z0Wsk>S_X4fnl-9QSY~%=dkjA0S{W)u(IX*s`TQ5t)ahCXMX&7$-U*>@R&2&$Dnk(~ zUmW`VgGOJx<`u93$!@cah94%v@sI5F015U#Mf=EKFtTeJ1U=XTcjLdFQ`MJ>D}Jne zJnmixOAz|)jRbUq0%*Tyig}P0ipKrUYHI@9dp~?Im1Chibno8-y5a^ff9R>~2J7vD zdFX@n^e-o{Qu*)oek{^D{@L|@K)8um(!@T1DTD8y#=Ry8k=SxNd}G6cio$K68M(v%7x#=g9QdgzgeGe{R^1;T4fpkmh%YuB?pg&~2=;pX5ip zMTfVs_o3%YPTm{K9kiW7>EX?Z^Bx9wZ~w{n=Cb9EIukS|*H zt98EAv`k%DNkEY2=GJ^{b{u>^w{9(Dj#`&z^LEe}mHMnir@1u7y;um|<*ZWXA$K4D*KBu?u+1Q_+!%=Q|!rIC8 ze7#(~75U@M4U8x+8!PPcr>qa`mqTJ#-_~K zB~^aB+X#7Ml~$HuWr6IDFrmbxxUeh4E>|a)k+`s6)+sYn;HGeO>FH?j$`K4D`im;IeSQYk~7|er6~kgI;p_^bv#GRKs??0FQDOzRXVJ@KrJ(l);ddslAb*v!Qic z@7B=l(vm{(^l@Pr^Nx~@o7srQzBWvxuCg`|qQLl_s$ 
z(aj|>dn)a&)>h*AnBjNKa8E`Q6_dLFg2Tn-g{3J5XmiWe@742-`0gz1{Nj`zDCnlH9l(cNV+;bHnRF zyllrF%GS6+$UFlTIXV3NqL#}+VszcFI%ckLxDIz&z`1Zl5{S<*4~IC1!-mVIp3uB^rw`rnM&KWwT&t4TmR0iLST!Y(ghHI+dRvXQyOQ+YJ^sIfS z0pDMc$4rdZN*C;-sD;e>4%WxwcJ%V`DVir-vRQdR2Hk1xC~{_D zWVP0?Hu;;+4ULC91+Aj_^lApc7FCv9{#F;N>NuM($~==le0T!8k^~aJ3TlNoCeDoF zBxLg!H^Nd86E@;bGx99MqF$?^!WNu{p^_aB^evG;<&hJxRr>F}XCDUIA`PdtjtxR6 z@;(DBjF`kI=HQ?N5l8`KFhQD@#zk-PhCHDZ6i8EEJ4?o;QPbRq|5gpIeEB2I@GjHER|ehiq$8BO>Xy5U4ZFDf}p&hu6~4>Hcn&hCBG4qf%v|F_{JF zgev|yoEx8%#1qdRD-tAtvy_vOAiRr7>JEAlP9+iTPOQ0@AchMC*C~+`1mJuiQVhoZ zo=8jwNno@j$IF=m)omvuy!E8w_Wh8>k6tILQlLNEz5J@GvOytF3l8c$bRWNZX+Wyu| z8u5r$z-eBNmj8~Uz}=b~yA&ED6~4ujfA%3HHsnS_lp6}H%RIb^C4X%Cuuz(xRsJOp z7BGrE9C!?svy|JkC->JIRiU^MR33l#Eo1;af~-=d*$TISP2Y2g_LG}~iw#ZCtlb6| zofH;wqTsbK#pFJ-?rb>BS*ns34=^3gCXRg~r~ZS2&+z#o0nt78pHW@1z-=@B++w?1 zbmV+|q&cp>Ltx^5Rh@2(Q1zP?y1@v8e~0JWLp&oqyRazyz>)@V znJ_XE`$uTtNgA7z!xTm(w4P11{Gr_AuDJ6!jM{m_JEJ4Uul9%R7#wLtKnvl0aKd<_hr;% zcDN5f`}OHyeasryoG*pL_>IfshWXP|2Sm6Enw$1)>9$&cPTNV5yOexpLBi&Dzy|pT zj!a2en6JsU1Rq}uM&oM(zgM@oE*)Y&yd3%UD4QNP-d2BN^N1lY4~|Yx*8$2!bxK9azKxPR*@*_OE-ACsP1O!_CN2qlubFv zc52SDzrDX5e>mGv481<){sY_AeXen1bZPOQi}oAbbr5_#Ul&3xBlal2y&9?6-R0Kb zg=&buF>v^7t(iDjC$H;!iH39(do3ReFF04NIf?(5)zR zfA(Xq7;Tj6m;bTnyrYWs!`tY=hv4hfU$0j=Jghgv`=h?~&v$r7L#X7;Ah&ZUa5N#g+!T{K-@00bfJ3J@i6G^f!z+^%%6W_&Y>JsfupF zD9Csd(?mrEWjJtNjx2b2Gk1xUhGLy1JoM>71gM;zdQ!ZrgAFG%AER(fTgV|IpZEq{I%+6yekmyiNZ$bWP5D=$5s$=h)N|R;`Tp??M`=<8)8-qbWLsP=`4z zNpi)oxu=)I`=2{S+ZUE18abWmx2m0{k^5t8!v%~p(9p-)VEE0WY3Ap6gR$l)3D&`T zuea{5hvJKuo@9_kd}O%p1|o9lLr zIb|x2f!kgl_2vw94lAG?3iI66kk)^g?f&B1G*B<7e_<@b_v{<(xY6!D{l4&3_E#QX zByW^f8ySWh7gr_f`W}5ArNcryeM?@vb^-^;b&WCvhH-oXuYRuo_w0<`YlO@7LQ8Hz zO_#7qY^PW2$-)!=hw%Q%FTw!ZzYrm0xI@c^z^PX1>H)-6h&k?q5K`JTdmFk~^hfUN zazF(ECr2N$qjVmPP_*Up?C-tu!B099J4oYt?Olg3B0x1=;tj;N3j$Zc#G294W2fvB zawj4gN~rS0AX5d5q*u362_iO%WK;p~9w4-s3!mT!w(~Q!h}c|+7<}Ecg(&uf&gg6=bzhyY42T~I_U~-USVq?NoP?(vA6yg<|1BQC! 
z^|iodFrK^PRt}*tWEf;Hmuv^A@o~+P|DTBLbg^st4?N#^OOlYm2dzZT0lb~nNwkKg z&1N`y)L4NTYGq*o_V2NN{@F;Gd&zW81(?;J&c?DBqvQ8(k%FGat3VvIEtdWzE9nE4 zA8NdBjazIou`9g8=(X`U3=wm{dgsAi<$L{0%|M6EF3!ZXwQt}Q%MndLEvJXxPuP-( zpILEGs2QsZ7AIl}L-m(>+Hd1AOb~3bD~$TJTPd2C+?5+^Fg0QdFL$qrz5ZVTZrED< zk?mv~y4N5G=G*p5qR^1AR3m}=I2V6?mO zC(KS(KL11CMw3>A)V94>MXUx{f4EhdJt|$KB1(``66GneIqb7!p|a+S<-X-Mm2kDA z?2cc%*=$;n&|e+63O@LEauflbU7IkkkZ}uPaDC3-`f<|C1CzV;&-jvyT%sX zNHE-|cfm0fsFY1m+&q`9VO`?dSQrQ63(A57>&B2AQ5bSYdEPP0S%7lJ2F-B92kA-l zBD{&sn6Q|9(jqO22&NbP*2c}eH_H|x5ws3{34|uxad9g4MlX?JzwC66o>g{7FQjvd zmu(c5o;E{y-)C@Ud1(TMel>7X&R~y1CooWrTVDu+{@zDJ-Oaz! zY{ulsZP0(APdQbwO!guT2S?aRL)(hoN{ewJf2`wAnDJU^FQhsa2$`M=szos5o31gD zO39M}rtpHaE+}TY&Uw7Z=HgiEb z?l#a>9vQUQZ)N$(-Ek8i7FGxDS=d6V${^t+_+V8Kf6Q#CX}?UePO{dA5s{gFz>tjXO-*F(^|PWw~lp!BA4r_7{eQQth(OZoaKvx}92&npCS zI(+oCE{GD1;8oaOP7POJN?uNW!jBPCO}WhO$sLN*72(WK#EH>Qjyq)(uY>uh@wGrV z?nf;3hAXyi;t9yr^ zp-QbHV4Zt73DaD^5Y5!XIUC0;I4{A9N}~J#vPqBaSkx^ka9Dj{C1d=f0*%Q44lCEn zhy4LxE`z@N$>W|WX{oOm8QO2B`|#zBwNjA-U4kKMxJ{3$1K)<0M2EyoVO4)&t!*<=dH zR~t)LAx^CNm8{^MKy#0DMv++0l}tDGWu^L#SJ{94-F*7plvbrMw+)9}#t&1BDHP^+ zc$5zs^6Wx_Og|;?U3vjUZ67g{j@t*`BE}f8E*kzW5F=uuyYa1?a+ZX6f1VVY%Menk zRKq%^QWp4GosTs%5}_dPx%}Dst0MseUAbQM>ND<59o~BPJkvK-2^z2-v7CxlWri9; zaA6rr&PeO*oJy(8q|G<$2pM<^NEy(ep%gRV!@_{lk$cPh`uPe;k6(bng6^@ftZ3v3b&)5vm)pfppVm}q^wkgWvbFwRVx>6q*EBw z9+gM!HJDDe`!>f;{zAoCD<~iQSD<9GXp&!WG59WHwiHMEv77+0%B}Qr6E1ze*i!A45nht}>@6ibhm@ z&O{~K-)MW@NECyOaBwRW3h-)r(w5;@V%AY1X`0L4u@XMf+9yQ|hy&qph7lqn1|-HX z5Hlu=136;@1+=QFD+Ts{o%qV^aK(u_rviY&~oVVfz9vTL2w_Q?(Nw zn36bIGZ7ovap6=NVrsN!S3dH= zP$GuI} zi3E`(kwB5uWu?*wbD@a;T}-eZ{$&%xuTKKc!X;xygIRE}IfEg(_Stxd2Z#6n;t)9o zlY0lt7rM{v)(_FScT7L&hqJ^T&aW39$6z{(cc&e|qvkmPJLg5`JQz|d<}6}iY^uYI zj?J7sg=H4w_b4c0gzY%?;pYtjjbf3&>Spa(23SYxnyn#}cxmlHMEL2Za%NKgjG_O}w+N;qr6 zod}liXuU-(EU8sC!YAc$bsb3t_sJp|+D}%D9mtf>A@odp!KDX|>qqjiAbCF|LB&MF zD8AcJEK-cp>4IZ)FM93MProEV2^SV37c=Z>(3H$?45`>k-W9C#=wM4+H1`mNEPw`6 z$h$^_$M%WnEK}CHIv7dEV4B++AEcvIQo4$dsn1%h1R1^KvDST#{QIL)_u{ui`-YK~ 
z@)YR$84}D&P4~m8%0dM-63xG*IV)o4;$*BX5--rg9p!Hn&X)S_SP=hgy^1c`DV1lE zDd}HZv_Nrc;F8xwT^#0tx*P%mW2lx?FV2BIm}tNk&`1Ibbqk{g>D_SmlPK~Ahcp*k zSx$z(({y9X`0UV7ydn|7sbW4$2^=(?PX{A}op?m+Tbd7Vy5ih9BqQ9a;x2e9txL~~ zsCrS}eE=k5;QZSM$F8W_z;jqPIbT2EW#rdQApJ(r~6Tc>o^auR)g%HDE{Bv9A?1kf=V}B3`2bZ)NSFLh? zBE1|2*jHjOuNsdM;q{z?7;?f&iEl90!q6;euBUmkNy09<+Q52HOL5fSE)tF0& zqDF#b1ve?LjcicH?l*xZjE>x+iL$7JbYs-uLDWbEh>EO9Zd<%J^o3DJ(pmrjQdS$1 zdK8X{#r0fI0z*Zb)cQHiQ0cVcnxlC^;v_hP(8N7nS-%~33WoXII0@Ggg*AjcM*X`u z|6f$hF`wX*yf0+#2$}}p+`MgWizUhu7fxHWw;u7s0oJ-*LI8O2ReU!r_sRX6AAJ=a z*+!@#@y?KyExXzaqPsC#FJw)BzAfYtc8I?yZvDV~bj%?qiQA92yI175_%KmsIlzi2 z!7o%m=$v>H1RRuIkx<>{sgtKt9iBVqU(Y3U=QqLjHIk~-=`{s}O4XN}bT$%HzIMfV zj~)RR5ejCdGClp90a$_dz~G=X2Gs*?kvLQ=X$@a92m|(R_`8)6ABD%2uXguE0S6og z-1zEK7Xj`FI5W55YPLYCtT>uwNDjChU-EBnsR^rcF$5yO6#9Q}e)NWtZ7$)!xgjo4 z_WfyYJ%YKRFQd;Bw&Oi07MpMPk-9b&SBsU;0UjC@%Frc~?Rk*h3LaHzTUea0SDRUJ zY8t1>e`$X!{&EN}PY{6HkG1$dv^_bI1t*Fh=LkN9&mpXMvs!Msb_fAKw9O8K#kJx_ zI*w{D*|+r}1MX6li5qVCa)A;F1p;46kq{t-f#vEGvF6#U7x{lK?%kP}{=gZ|=ZmcC zD=}wFaTv_M+wDv#V6-Wpdtu|Ku9d<0SK~e&U_hZwjX{=Tfh5GBFd&p~Vn3J*q;a^! z12XN6q8-l-=)*2alJ)k$4PG^9_nG722}diyo@A&Z6cS&=?JP?giS8-F&6#Mx<+$Nz zL^a}Kjp&Zhf`5el0N#h(L;xi46PTdO*i_YKW5c1q&Uf8Mr@EFHQ&>*ZxKr^d4ftra zs%izydlfMuj~~{eO1aXPF>u+I<94=;v;$?9EgQ%!R8qMO*87|QqBejCezI^PcwC0C zrR#IfnNS>RMf~Uww4Bww$h7=QQ`q%Gg$OK8Rogp{<53iKtTN!16e<;XMT-2^G!q>R zml-{9bIFNbk=zai8~}<2YF(;ZEd7^oDal9Qm;s=P^vRz8^|CkC@9)!?89#+Wz(S0! 
zj>0p;We3liF=Hxt?LpB^1da1L7Wo7q5bkR5=C9hJPzEhTk*W9giP&4PVhCu9T-(oC z$>d0XYUhzBm?;ggraEAEv1at}`w4rc%_Q&`A%qGsg_|3Fu{CG1PO_a}EL1vzHXwta zK!Li5pq@7w5}n<9cG;`0JV1bf@E)|!f{o*kSti8+e^Q$U(wMADsa5iOxGUYtmha{k zt)TLKXcNp|ueOMs@Ww%1a)xJGv+)ZRB<|Ee7}^*daaGo!*qMpC8dWqJ#eeGyCP829 z;7-P-CayTzRDLb2?TlW$wuVKL@j}5Y8tl1bN2Zo4%-eOV&ji=QDPr9?rp~Z%K|=vf zgE)xFRH@O6urSV(GR^JlQr2qP`ttT(nd}S^3>ZOdC=G3W^r+0b!GhI*iqwWBwBf#b zqwtx2&3CPj)1XBn_>~RA%Ye>BWs^RaHeKphq9QcbuuOidnL7e$$#lHF46=nY`Eqg}tzuAvBAr`h%k>nLl>Dx(z z(4Z_5hASHPOL8Hg4ehphg7v=d>9c;<*WZ74zuhKN5~^4hIrwhRFavJ3XZ@bD$$zT@ zL`g6rL^2MhFr)CKkTlx>^%+x_aPT7nMXf|KZu{~_|Kjn)hY}gi8oeLO!?lFnM=0+h zut~a-18ICcJd9noc<5Z@e6k93!7^=J!x|=Y3Ej$SWseJ^4P|lLh)TMq`A(oM4&A`1 zYd;pGGk%&_W}q-~v^f)wg%y~3XD`LsG{bV#4 zVO1CrvY5yEp!TT8h73kd8sPQz?Blsy;Ll5W@?_T;3EO$(%^cFh9f7M3syJB)sO>$w zC6U5OLy7|?ShioWZCH$1$Okl5Zp^_JRL~%zp&P@;+&^(2^?hV-3+C8ceVTtay&|3{ z%&oNBtR=@ogRUY=uC=m@!hGmE%uk>r27Iwd*I-;BKH?0J2npQg&cX*C3cNPBm1G>tA%V_ z`WDb~Y|HgqJr)K)@~Js}3syG_?>0ZSObIxRu^v;)H>v!D_-S%=Q*4CBQK__q-5eLL zbph&!daBacw2{nu_pD8^Pn3!Qa|~TnX#jF#5MZlj&!Lf$cvxB_(hJ$<(zQHOtfOJp zCe%b`-=Xf8FBcZp22&GGLyK7&zsdy4P*I>r9GR#Hfo%Uj(7Xo<6EYOzaC-Qlqe9n- zrnYVGA9NIB3I7BZ5mk(1_mi0(q~(bLQ*aL^QCM4Ci~e$XU`TG znEbb;y@}+sKG`}+k*lg|xq11m=YO_kF@FATYwP?|`sn=AfDR5ERE##gazWWUYqJ`X zG}0tCH$I!Vh#(rUhsKPsn2}H%?qq1R&-9g_ zem-IFre+TW+ebS#T`u}vd_#2|j9t#gdKUkx1!GOH0OD8MB$z%o% z<>6EZ5#;?vLOdo%uFJb3I=BsEw*v2m^}nh#fnF7b&8?-y26P7^+1>-!E;(!SEUxWk zxzpxV$!3;AmVaU@W>@V_d( z;H0YH#G#~(B$?hWGUX^T?Bul`j=6%_lMu_6Dq)EE30xD{MR99!qS1_IE?Rb-g2}V0 zPm>z+O!0K;7&}`Rm$+ngXyE%K>JP=6-(I9x{>O;{gN{ZmA&#?V4IAYwfUIblr_}{Q z^#;yhYU?rc^i|kML$BD%bcvIW?j>urRI;V&0vksYkXNS`YFUr{(YJsc77ES`k3%eCM0R_KDO+N z#x9@#(UO`b63Bay$uIx+zx_tJnWKk&dr+H&nq!2Gul;ksS+oW3x_bH~Mi~sMtPbzF z>d^)uqr53O;UEf%Nk?g!D-|I#N-$$pFOE7#1T4d`|R3{`k&|_Ik5ysp|dR)$gaBMtmMp|j2 zEOPyQja%SR6j|FBe>`FNl@*^;>vi~hAe=-m4vRU;(mc0Dmh%^QcmRlm^g2zcJ;2TGajnz{NhM{{O4u~e^(<#2muzaO*n-{!xc z+Ydfme~tR|bO6O~rwO?=d;z8F<{rze?w?Q1A-!J5q?+7D!flSFUf0B3Iw6#aiXq+i 
z&knvHovQ-&7X(9WU?}TrEAJC|hrNDRq&WyMxL5Q?@IqjciR@}EqhrfS(WkV^ze ziG!o;xrTRg)i4tFa&+Qu`si@u{-$4_GEZY)wg)O{*@M`g#Gh(M)DLf{P;#cZ`F5CN zu{!@|^U0SlTRLmnGEo6y^O>BuN87$&Z&(jp^#fzX;WH5{q=?}1SeRaP^Am-1vNk0FPZj9C@@UOK4jvsxWIw63_M841uI)N z^&U+w{x_tiw*N)bHw8%61nExOwr$(Ct!djfrfqZDwr$()Y1_8B_3z&MR&P~xPG)4r zr+6`8cs|nCoKYxXE;sK~N?ZrLsUblrikZw^n@(~-YhV^G2wWBM>WTIUc1Ue%<|uC^ zFK#8T-oFrexj^h%f?g0&zT(cSFfJ`KJtI9iJ#RESK1Mr(HcpDTUqa*%VFL;j*jFGf zNRL)bdGsaX)jBGHtaUx1EKxxerX`Dr{JzkzdE@())ahP@jk$mjleP;STCbQuy4K?h zsIAX6S2XT+x{i-7a(`qLJRRLCxS@OxRn*`Znbxna?fs6<{9eyl%4!dswj?jb4sO%z zbadZ$ThK}wSic|qzTd9?P(Xymyx9L%SIX+P6B~bsvsEIKNliYq(bY&uN@p(Mc!E23 zv(Z#mPj0t#U0X!3?NZ)RT3m(l%E&Aakoa&>8!X#i;3$(gCHk#MF{w4y+wNAIcK$a& z*k{^1GlZImvtabna(j_ik*yEC&K{aFYZ^EYvx!qo=dFAK%80{YWVcW@bFfg`o%baf;ISbiG2TGgSh?D+ z|IWAO$vHqvkj+q1tvhHR<>2pd9d2>83!CKSjzmB9$|?E-s5-kfB>s`K;Vd8wLOte7Urx4} zqZb?PreZ>|%O-A$0TIYVpG)hgA(CSRxo|-!hRmM>FbIEsv>C|9hi*{`__Pnih-wta zPGI_yDO1CN19n3y>8i6q@*ObsOkKh>9Egdj@~g@@w5&5b5(FQ1|DxS$iKKmnP_zh3 zpGowtgOE^)Up%~(!qYGPyNGA28dK@Jgh)xB?CpW&(brK+9As@vVUjaVcM7~^b7^tD znVt4#WDpm+WSrhK6*n+i{!6>>*aMOaxgcf(N$O8Nu(IAs}{0(?~om&AtE%4>S`Ad>MIkypfVSpK3OjQvUL@o14fcF3z02VALUs6&; zSm`GiHrEBldI`p@8ZYd?*k+9s2YEt^42R@JnG|l&4=h%gY~BCIZk{x%2a-LV6k~7* za%0>5`})oP^Ph_KUyK2UXafnJ)0`EE8#KlT?9j94V@BzHm%Vk+F!slS9Zz0z7hGFN|uw zSLsic(k#u?ijuGg!==|B&#AegT6bR}C)x6|OKJp9a$e!8=5{kfkRUa`sv;!m)ARIM zD#64YQ87uf!B2u44UD>8dogT5S{$a3Ph2u44+F&!5^K%bNSzpkcIAoVF?~ZTs0aD} zjP9)QEU`@(&O1#^>bQLfen47h;qqmQSXbJG7>guj!yOpPxGvuD-K0NxEk8xK@Nn5K zU;tnPhZ7`0bTRRYg}pmLkRvy0FLz(nsAdV%L>nnfdGniF1>cwL*`F=~CO^}VbffxT z$HIqfK|%u~kjD5qL1h8)dr|H&exLU_h0}OncC`qy3=^mcTRe+9TFm)n)5+C zsc+qb=&#>yF9FyUd|bvQJjXV0w%F!j`=lIZwE*Vl*^R(!so&25%?&u~pV<^`%4N^zZe&%WZxHRozV zD+@#MehH@XViTwL zVBK8$>C*sG;e5#o9>0ij6Vp^Ph#Co9=hr5c8@&Bn59{k46Q+&ruVI<#)QUG?Az^YU zWldz@gFuVmqB`1e(~d1dAv|!282B(AwQN}L<-i;nogfM5s6C$st9Mj%V}{w|wVC88 z<`A&p=;^6R=@5Eb?-xW!EGIeq4tun!h`b0!8uX)L5(&^5(=zJ6s3wG9*ol$155gUg zRS@JNrim_t70mhZI~xMf3=c`2?5cl-^A#fpLqp~2{-vOs(9=ziPs$I|%zvW2);hDW 
zI*`4iVOPFXl;Y2g!-qe<;sc#uh+2c!P&hY5PBU72h=DnLaN{-Xcd zM^2O{teQU7pL~in?EZxBojsdeOBh5_pzRMEI{DOni}Vq*f#zW>4D>G$hP4tLJ#CCN z9U)IM5>xCtzGv5e%$vXJccf*d1e0}N`AP;!;dq6CX8o6M+R>D0tF_D z+A3C}8ZoLsUjV(nst?5W^(cZ)hkmjBjSoAcx@U@HG?M6{?W?2uu3~${nqu(h!u>177ry=eHJ64cu#S?sJVKcAl?(!=p^RyEavqMndA>n||zKBOu z!-Lv@5UQJwt{wMXopXk-&R9w z@xehX+|D-PY{IC|-RmVkC4-sGR9lKgK~Gfubok?88Wuh^XYS|r_<#gVW2;%x1PxOy z64xC(VLYQX@knHDl3wcuBWqToM$v>M&iN(!cw%C+RR6D->B4{6?M58w)EqUny_!FF zH1=&aZs z;g%1*s!${47eS{^qaP$p2E4Lw9}P~7nh9Cqv`f6Ih@a^^aMF@%^c_cftcEb>OVUSP z8}Uj9J0KpQ)=5Pu{+gjqg=7M6B1UzXhs*`p9tZU_{Wt|ChaieDf+8!45n&WY!j8+K z8E7Yd3^&}>%?hf|r%EHeBZfRLUT+CNB7xV|ONi?)gohReg(093WoD*iKGl8xYvbC^ zZ3c#`qXD3$;IjzwE)xPX?bHlBbi+CqR*FZBOGOope?ojs6cj9c^7Up-Hlr{CM1P|c zQU?4~uettEd_Px8?D$BeSG50xgl)lN>x+6n?f8+YR6_q%?fJYBxURAn6#ENWAYBy! z1?rr`AyyUf;1f`Shu`$F&Ev6sa93S66~ZTL|fkaCLm4iS3{LKli?xEYw$%x zag}db9l_WrbpI~wI@uU!7rRW`7Z&0KF5wkkv8UsW^bdt(jmAL90|Q)O!dkX;F!0pP zTL{f@p*g4=qyRz%C%eBWM5Inu{DJ*;M~;gzVSrLqMwWibd?5UCkVY0Z0BF9EuqtBP zU=_otFK=wLQx%P|32}U=XIbo!if!A194<$6rXH8<6auwtvq+A6Fgt(2P^u z50=|z7GfqWm%0|4^dHx64T`LQa@UM>3kaGz$Ka#q;NN@U`)N{~;DFDJ>-t6~Mcc5( zk?;BNHR2*>BxZH2VMu;k ze=2Gau)%Q%5OZh$V@Ih!`M{xqVqZtluhsk|{$S@PY@S@o@G?VY4kWNlC2*f;^YMzx zOIC?dFf3=syLUJE5@`nggJ5|PloKoNCH8{?cJU=L##a0j<(7jQp-*&PCQ=G>(g1!x z?t5|mX-B8FMs;+RA248gs)QXSQf`#?2-A4wkoCV(n+B30SqK1yBZ#3wUT>{ie74S; zwNtOXpG0(j;wSgoygpI!)2l!!+>kOjKZ^Cs%mGA`qK4gO+eQcYj(`jL`&8L(SYDGD zW1*HpzzpmMZU5dMLvuVlwKuy)p|;R`5C8mC(ehBG=hib0MA6lUJatH>fwM-MGQ@$r zy{Wpl2EBHrq$Y8=gB{zCeCMFS+DcMCMYGsC56qcltR9OsjO%JOca5KzY8sVhHKe+a zGunN~Z5M8=qh?Psu3 z$b;O@JO1<(%BP-o-03IPp=Y%GB0YiS>(i1wKW;oK?MXzx4uFz!%J1Nowc4x`$OBc; zFfmG36KDs}9Qn57AI1}s;mR{?&umEZ814L^B?NK))Os9YsmW`S!bBbAm%B?jtui4l zai~h)PkI2m-7^<=k*1#m8)rHhsB}doDNTUIUS*8LlC}pQFx$XQMOALL$mgYuT$EwB&>EyDN`^|e**yl2M0e8fZEYl=P@0jB!IetqC zid>lKLGyPvd@E)eS;?V=*mG;cVbr4 znx2qjo-xMq5Z+`OuEQLw+?wQvqD9;&@~$lupBIR3AdOr&h$4YZ8vRP}Zqb>0R*D78 z{$1K-8dM`n_L7b;oxkA5eR!}c?emN9wizJt47%~vYL!Xw-)GVDR@!gFN5Eie3hhrp 
z>ZauluXjf1xSNhPR|GBIRrntD6eeZ<{DIr~!Y+My8isshWCL5#+)R$q30cyJZO)KW z`yc|9LP|=rb;!ZO*{*OD+iNfr;fpBO);a&;$NK;4fj@-^DMW&->=`NLbybbOVLfKV zg^vPc+bMd?(}o86>#qM}jQCrE>8RreAR;x8w^57`>0HI@W|MW(b=U+B75tAdj~5X6 zbn=#ituO6A4|l@{L$lK6D+}T5S<}|#?i7IBhVIQLJ(;(IOAzl***hNa$D&46U~8c4 zHxg%QBT5rqPb7Z>I7+~b=7NYN$Wxa#zDE%eIShu4XmZ}%x4N-}|9+o9H`d zC4N5}!_PUhG~~=V?SI_}Juzb{E0c07+C2~?Zm<^9h?lrK63zk}pvz!1ha?=MrHOHJ z!Iot&W17_xDB8 zfhoV1)8puUH0FO-tr53ySQVK4MyscDZ6*q*{#7NtQr20#zy>EAUA7XYJkNAt2?AF) z_#ZjPHI0r^2=!(_j|qDGmt5Q?vW_~@yDzYva7+*i*c~=tij@sE@+*j&ou#Jp0}tm` z_$GW}11`i>0vz{hd5NMSiK9p{FvNM+x(5igYXeeT78kC#5%XFoZ0AzOk6u3wB-=sA zO>vox(P#{AKEzR13=*sATi5k{{c-829OYW83@)Z@D4_#MlW)Hr+=1I?dhWukfF6Dg z5*P+FpuIE#1{9K6_P-4SPvXCig>AY})(?Dzey`$G(=WkG935UL0r6BC#w#KZ9ws$R zLLS>E$L$-LMlO$oq5{e3BSP?qSt&lyLl`sc5YrLJ*5YJnE*B=s+Y5!|DysWa7qfcU#9NV5bdKWvJ0jJh{~ z_LbRmGf)D0g1R9tt3tf`b`^Zr`Mt~SCZkuIWIByC(cZ z5=ff6DA1XgG12*k7eK#ndrnEk{kM|YK=bOV)ybdWqem3kg8ex~Knu8N{$h))5=^|y zD&3RIu`YUsmd+*(3OX0^?<7O8a7yt;^B=-A1mpf|VGT`7Nh$%LT3il~#F4MVjJqvg zwsbeG4#BwK&ii~wYm26{$(9-x2N5~I-*h)Ef>L2LF;UhdjBNjD+~fiB^Jo-7CvL!+ zMdSe{2101yWbd53&a?6!*+%4gaDyboohMkx#>D>48|B+SF87cHa^7_Mal2rY=by3IKRmL!zD(2T{4b z#5Ex64nE}gW9}cq;>S>>nV9d2@dr(|v}!$4gcYSgYl$IaqS4i`Mt1^P6&36PG_D6+ zx^qXRA!kD72De{!gPyv5SmDxd{v!cY>dD8#J|A0gGtuYMECglEvlZn_MKzMyyYQiR zH|O@X1?teMod-;0Mx;RYg!URa6|!REe(^Dcb$S2M=|XfEShPY0^F+T&8`YC|S*>m% zP>L#BPYFA&g8Pty0`jW)4BBuRRTVbnG(O+Kd)Lrh=9}Y8%iW8J{&McV@m2@1-FR=76UZ( zHuIth*iDy9TuMx2$M@6oK!VENujh;tf}DT`Tk+22! 
zncn-A#0Fzcnhn2qt%d7%@hD^qz-urwpYL#$=+&mvkwHr5SrJU{RX~#+T{gi>!kzYT zG*aAL5QqRKQ5S_63g{Z0_aidnOr(e@lmg^=5?Ozm-VSCe4okp9t?_yhjnIs3t9#Ax zBDX9-fNCE8zwLmxDOLO5cEAM2vaD!Q1*Fz8CJFTS4VWhZ@u?Q2!RZW9R2G} zS)MVkhzn5U3|b(=LjoU{Op^ZXIS?g;_)ty53QW|Pp^R4vgPCfY)KOgTnk}eiXxiq_ zZ{Cj1RLxVxL4TxGTyv&)4F8zu+R(vP+2Y`E2zxJK$d z#k>P}4AJresL?zf>BSs!^e{AYN#YDs2h0T*%lA;1eaD=q`y>>AW@4%~)z*9wiw|GB zaS|6ctn^j2FX!gv4H0V4fO#-Ke)eFP#sL{{Y3^N#ayoVa2Vo!%OdB@=3tG_|V!b2I zBH^UjeeveY`PJm|hyPLtkm+4O)fFP{khXIo_F;j3Qy_=?OXAmdHag7`h)%DwjJgo~ z@2qD7r@lb(UuSh~a2`Is4pFbYLl~^6QI@wl?A{hjkPL>A)DfzlIr9?>=|r{Z7~I8k zuuj3Pd?Gt!Zm&1Sk&TL+_Ttm>u8L_hYKyO?*K^qB4vm@hTW1>!e>ivc)^Js??&n(D z2ee18HoB&&9}mOMaJ7mqv`*|8S7mEw*nIL7+PMI;wnYEwpSeflUuxJYpkRzE$(vb8 z!+fwN3H7=(s}ZFJvTb`Yw&f{O$?B$i(F81VTu4|;&j+x-_txBS~Gg)$%R$ z>53SXurf_RsyH_kj{|yf`sDCN=}0ZymO&diX(dZ%=RWu^{5W<2iNxf?rVW#c!=_DK zMq&2UBrWA3llm%f;|B6#kE8pl1tU2(buS@3D|vLiy}LL0PTfROhTrY9wGF&nY$4~A zJe3Y_%5rWc8)r^ySG##CB%*-xtuyf2V-&Eb9LH`%!-RqCHOq;3nX#d)Xv#vUXIF~x}v?Y zTCPM!HcobsI?J?g@l&STDehef319KN_hRm3*ubfVYrcjyT6XXmH#?X?xg2gD*ZG&wzggMI;|6hP9a)!sOULgv(yv2S&7qWvf zJZRvRu80r4HZl4zl}almQ3hvur!Y#nkmAI$%i*BMCkccXYGum!MgOJ99^xq>Z$HYj zW-75P&g$Z@%pL`uhSL3R|Lxqz)~9NMPkSPg5=^dCCnqGRk~t$s%af^<8uA@mAq}%e z#dj$+Dr_;mjOiWuw$AV87Q$FXwfx8=5~HaYd$xTfF{AKNPx1?~*z{b;DOLk8Jp)_4 z8bxaKi6X`)LuU3yuF9e^n=fotCWN;=qvzt2lRGhD$3&f^6sTSUN=%bFtsp$zm=gwo zg2&zOSp_QuOk&65BW~xz@L_mTBNqSX;N_?A%8D-IcY`C}*wNm~&i762p92MfSA|WY z-Cp0D6^5_l+@6)irGcY|6ACvIRY2Vq1V$R0t7yU&Grxh9GLa&zaGpmE8f|LT-b0fA z!%JhC0zEQ-b>D&o5B_aBsTNedcG&u=Xa&YPzird7jPnQFeT*Zj>#Qtof1!aFpp=>k zD|Ho@aryO3)Y(3np+Tcll^sjo8izz5i&`Zvf#+-@$HFS@+8{%qJfK5l$NYIR@3(dNZp>Z zVdhnC6v-XwHp}TTPQrx-GSZZom{%+`-}18N)ZTMuGlGT=>`fI6EN$8-iVTqupDLEi zJ$ZNW$BkY*!MeJ^xw(1b%6nAy(`sc!fF<Pi(;O~b;Bp7gcff-m}BaPZ^@(Ld&=23hS6f=`jv@{WK-|6wWo%VJO z*~5~wk{Q&frB`b7Ixm1;OOQfOoj3(KkX8b7)p7CTri-cb4kU9FIoCP-QUAilUFvBDQ%$7L^@gyDIO*(+g5JOqrk!5S8sS zmY6KLa93=Q9hjcq1fnaT#=#3E=yVnVgnHIoVPgu>g;C^pmjqV=uA1%LVD=8=_m4z>UhvEFK(c^G& 
zgj{1}$>rfnBxDpoO5+a+d8Z;rr)pkL$jQk-F&BUL%6A7*De!f0C@QsYYsEkblAGtP zxT&%)<8ihtY9(+|nQL&=tjbHQV6EP;b6>-gbU3>?txKPhRNjMm3*FnxufcDEg&`J3 z`=e+7+gDy%om`(Zo+gPU5<2;JjG@Kr{X7aI4RNuT)vIL5!)I65v5_iih$+2dHid1$ zDt3=U$GdnNZc8$0gKQ&p+0scVk9f(~`4~#jZ;T%s|!Os|2&u z66uR`5ZyLR+RbW{$RkFpnRdc1=Bc)a1_TOZh$i8E(%pr2kKwAwpHgJWQ|pNyDq%)I z0uKM!t(wfPW~Agad%ni{iqnhpptNh~QztlV~Cd#YlSQiyD!vb1;4%m~h8% zhX$~kf3h7NH*xhmCEeI3Kks2H+&i5De^YrEqqU8yZ|Tn?g8byeq3LXDz2~APSxGKT%(7b^T`{v*K}@RS zOc8?{Acz4(En;|1i@CGb<+$($P#rP>J!$ByPol4JqBrPf zLAtW?D@LtL1%WOq1{yXmtXJJ{n%?%n=p-qam+5C^tTJrD6afqO*=JEe5i!6AxO(?_ zbx@g$%KvNp=Jg4@f?Q`MO8a5eX{m0#4xCcxy{agWtW=LOr(i^~39)jP_aH&{O!zb%FYGBOf)(D=pEMYsm`_AxOBV-OCeP9P$ z58>P1yA$uBTU0UchrQwYMfcJlB< zFlV@~_{yF=p5A+UG3A`Zgy0R1}HcwyQ2`TiZHm8(SL8j#|{)tOB~MZ zkf*e?LQ)6tH>gFifGM`9>MzPU0L+EOp&Zqfz)|2A@-`FG$yjw~{5MmoTVP6}34dC6qQF`rxoGn0 z_OU;Y;=2n~luX0ZL4RTvkN$tpzNZQlYZMj<@F`S~?sO1wI9e1v*-wKezYiNiOmmKM zGoZgPBXUPRGWs3DK5INBwx2Zgq<3_`YmvEQ&q=Qz2A>9Qr7i zT;i1E0UVHkmJk-m*2+n}qr*?}CQc0`#Ggw9RIxmGyhMRU4(1OGI7vLEEnYMot_w?= zkRfx-a3PUL;&{FrZ``#9ef(mY&62g?=^<<>^O>Pb+%{Nj*&osD)k1j{~gQxpdy%ZtEGWCR0N!7Ebg+2H%8$1^uZ7!;JhN2!{=f%U(&y z0VlQ_Dj`R^Ts@8jTE-J2C~8YwzXVZDr0a$Kpri8;9qoSFZTD5amj@$_&G9y&6!Kg0 zAUV~H2S&^MJR@+C`RFV(Fn&5pptsC=c{tO7MOWhRPhelRD8N?26TyBK^?x|T+8Nav zR>sVB{?J2GI(z^wM=PYF3pJ8bY%2~Kvt*SkxI`Eoz% zLl>OB-zuM2(AjDtfziaJ3; zUbkC$1>f7xW!+-S;yL#6^ANo~9U7bylUE!IVWQIHQT+hzf*3bs(c-oZ5!q`@tDULAS zXx&8CjoWYgfoHkr$rZ;8O4W!mB(!Om#@?3N08_#nKl9hYE>b$!kX!WPPjgHy5_E&8 z@t?sjI3}^|e&C=2aWaL(*@Bsz(c|{}4VrN2WK%@EtRelPqT$Y{U)iN}eG<@aqVUE* z=C_&EEh~EOJLWk)$xALhohyrYr`f88?I47+mGtoVy*}r{ThB2vZ#wX5m)SN@qQBPH z`5~N7^<`FkC}nahbVn(xo4qoFK3-&{(CH3iJRxD}i;Y$v!qkt@Q&jJ7WLoh<$!D%w zGP;SQcH^oJi<|PS(fJ0Nhw@%N^Tm3IwUiS<5guOqM7vC_*Md0JnhV@4toW6M)6Yg{!=51Wz9&NoD@-(w_@kL2SS{lZ=8IYJPT@fE8h~Y`{}_X;s3s5LIO$44tjb% z)gZ=55%ur+UPi$CJwgJYZ9u9zUQ!`k9un&vYL!Q92UGh;x4}+p*rImj3A!CUng1JC4YGu&+LRXR!wophF7D+q#4Eu6Wz$$&v z-XmzBYTv@Mo2S#%YK_^^X4Aqh)_>xxR1mta;b&r{B6dlc`HhK)LjmP&?YPTg;9;2k`9&t2 
zu2KO5Epk8ZYImUG)b#U7{=K;^>sJvgBb$pz?P0Wjbdxh&hQqRxz!GzQvjj&CoxenL zzF`s14UJDNB!{hEz?fL6tzl8wwZ3eokVj~~4h3DXG*w8Qn4hy|zi*d6{nY7cRb?eT zk;fo|UbFv)IA5U=e$65W49lT>eg7I$1OU!<_Dj7Xy?g2i5SHQ@UQda__zcgx)%{3= z+5}nqcU&}+FuXkx;9~S)x*MBYTO2+=C8lES>r}W6yFg{%qX$lDvf#vv#HlKC2Ty|$ zGV{5PH%6;a}?3 zGsg|0?V+#otcwo%950{V=a~(J9EEY?3}5GtlUo#<%$imK(m!cxq?#()fwYp_f!Wvl z{6$R7j15tseL3)hvGOQjdgF@@r*u(|jpPSN@xH&)_>GkzeE9nE>g&}cXE>NZIz)Z^ z&(4%i+^Lh|d0csY+NY_r2fJZFzBYYGxZ$fmt2S0|4$%UL;rQash+L^iC4*xVCQAMX z9#vE`VlWmEHy_=;Ve?`qEa^6wa`sWo1qKTGHmh}j`;IO5!pZuYHsnC6+*<-0z?%5z?TqV^JiL<@;lBUSu>5t50*==J%HY8ePXi zJa4epnK7CksJEd!Hco!bqSK||=E3$QzRZ5X_GC)^2z=g=07P0&qq-(nxEj6RE;}Wr zceGysr-H`$dP`L`=xkkJqK-p;SAn^O8E z{qhUSDH#nKQ>A-WcO134p@Xl}Rk1dG8X4yTx8J#b`zeg>AZ;LYLDtHbS@7Ca7tJrR z7jP}8DP4pVa2gpaC%u|mz|V0yA8Int_ORr#4_rR0M4gn9VQON86_@dTF|ZUW5hWg4CkA@>OflP>oq%R}XrSVW z*|rc5g$T#yH4Wb$yrSPrvy_s8Pi;7v_x=c*)o2X|?YiH;oN7YV zobY;=U|4ApmM9_>=x!st2vvx;3OIZD$Xxd-KlfZK=lE=2!MVA{V@|WR$Z8;($Kube zEw5If-9ItgGq4hY0nD2MD1&^yU=#vGM|?a1>ecOacjRt^*f!6dsVq(jd406|cE6{6 zyRbz(XAGEqQHSsI_Zb)s?M4=rCMz&soT;-q!`8tR&-@P4muIxeiTlDoMASy|Jl%sa zaaydy!rvPNIW?B26XQ#wmPV`^*sh-)?_mN@hwz6&aWU0bLF_fjne|l0jzeLahEr1R zFkk_zy$u)>u;ZLiz%XDyZG?Lgi)D#|lY&9F5S(jeGp{?nYafHT-D@n2(98b>%09j_ z34-YUcs%Y`ddHr@l4ox}W@_-izY)CjXFWd%T=IBzfZOpy_V&|5CgIClUY&k?E9eaZ zkw@|2LN~iSeqA>QeZXtvXA}Hb&EA&fm)aj{_(w8R;Kgt3(s ziA`yfK6P-

wOvd~=X9sT|<9mLROS#)12cy7C(2xXkt& zg`-wWDLt1InJW9O%D2H?to0u`=Zkr~_9)iPT+3lt$t z?7*q8ytKN(UhgraO2mz~3)n!5j`lcI>JPC2MH=Xi(#8P3XRo4;v+D2Lz;V4C*gkgh z+>3T=+uT@T=$Am)7U6B>(RDEI?Y>d9Ug-nqmr;)fowGaaJnu#+DqnnEY8W*-n`jv@ z?~DT@iKq?-QvMcv!oKbX=Hv7}YQlmy)X(bLL5GNBuBi6iLMd2i+$gHaX=@3Y0n$KB zt+RsUQfMb<=g;BLJGX{)`dkZ-e`WBjk_w~U7}!4)&_q&!i=e5-hrU0($P1C7 zrFhn}n;<$z3+`JQQKGtZ^6}#Ptu-9Q@!cJs@c)F=`aIe5f2_^&-H#QTnjXoLqd>26 z5a%9ycolgD_5q6#o&(cNDEw?N@cQnIm?mdAal(FUBqzo0zVCFs&*KneE#XwNhw)_4 zS+}g}Z97+$)O!Q8_f5Z{LWuf7 zV({K+bG@uS%mo|?l%)!4I@(v&>8XNWu*hXkEoQ|&isSI)hW6G@GIe^JwA zDDxVUto9a=VvL~0r8dw7ke8HFr>0^smIs|gk`$1H=m26l4VzZ;U{G9R0d0qaIbvQQ z#$bLkjdT%Tll%9DqKwK-_F3wqFk)L2Bxxx5{vb+qVrpil`ws}ff!yc^#8V($jgO7Z z?RR}S8phw@b5_t_Haj)rd%Sj{?{mkZ-MW+d_b)yycpo8@R#()dLPyRCq#_kbPv!#u zd)Om*(p9J5%V%rPBa~{*Fmw`1YBx`@$;)a-eFjKajQNV<6;q08H2qYvT}!m7g^E%gtV z!(NaOp|@B)Ic8CHgOEJYCfrkZ;O9DN*~_a7C`=9`c(NR9z`d?Jv4g|mp|d41lk{{1^P z%syMG#a;Ej#ijLADu+MCBlZMKhL51VQ2#qXe*fd!e)1)Pv1=FFC!u7=?K9Eq<0-H? z$NAkOC*ukZ!(5oK65$}81y4gRFF|sPMhNCT`^^HFVg;ev;V7Dq9r4eD|CtJ0YbX~5 z)VhF*ErK{cO-#%YK9D58eR>ZuXg{!P{p2an{$(*}p|k+3OUN*w$wwDxpA+!_ra8}( z4}+OAP|ydGQLJIy8gaTy%cBrA@-PhF*JMQmp^+==xMTzdW5&@A!WNUi#hv#nt_}t)Rgfz;X9Nx~j&afqkh^0YEsK%Df zN-9ax7Fn94n?j8XVn{R*{gg)}xk36V;+H~?b<__Hq6wS@sbz2ceYYl%o08&X;K#S- zUd}GD7D`A9|9IqfzKh3;Hx@Jy%CBVy!`jQ^^k)bQBU{s@MmR`KHG6QPBNY*tT?XRP zEoCsWJ%;B}Vv4gWMKp*wuMz3+&5d=L9?!K$SM(oH7gtO(VsScH`8Yi7OHyOIZz90J zf}A}7tNIqvvrM?eaLntdTK`doVJAH*^>ANcGVli&mvnUpf6Fls;MjFDfo(0(iO19L zk9#_`zgmevM88V{Yn$wdIeP&mjbNYyL&dL@>~ESf58>HucOA|32ibSOt&g2bdi@qx zQc94{CQh1+pV@cfrbC~cn=_DcUM#a?rD6FPR`7HCcmD4~z{Brm8{myaQIGWSZ`8D9 z=zVM~&GjHX{~+HW7B@hev>pV72*|92yNcWF1&5k6HnktEr~~98+YOmEDs96tDNE}0 zf8n^7OL8?>w{Vl<6^7#~=L@aWpvhrrgoMQM(A?+Mv#jzHsOiw-LPK-PLaG#Epz;r% zIfw-1ici!i>h=vqY|wcKHtpkrBT{t=OAKpomKoZKmKi-NOki_g?^@WwZ8z|AkIHK} zdv5l6JO_a4rDu1G)ZXyr6i5qOBElL6cCp*t8sHccidH`K-(rQM9%a@AO!yOsHd7aF zy8o_;7?~Gq(%jUv{smzju-vCThaI99JRvIcCP&QyX;bR);-(5trimyP84m&)w+-ZJ 
zTe%fc^}MyAK@5X0!kkt`nM;R!A9at&gKBez+h?DW_z9aX${GM{J9bv!eOn^%`&o!MkZ^vuXKrjz zlm2&lN@;{5As*V;(6Caa&43iuPw3sz>DAFGa5v?Qz;}OY@B0)5LU0{6%RQ581PCO* z%}6_uqch5YJe)@V$N@3$<8|nieiarR2A3_KG+^WU0|XzrA#NhatJ5J7Pr7eH7SUhS zSAe|1z`x#>N=!&txn z^$7^giy_Gz?U6ykxU#XT=G$!H24eYUXXS7vI4L#^x&6Jo9`g1d;Q% zIMX3NlRUMR6Z|@*UnlPvR3OPhD~F3YUq}{H?mO;se;nvpnYCN*b^(?fiUy|l8~tG? ztyTmO$EKn%B8wInHLQaf-;W}hBWexuyQcCP#E_e&|Jm0|>{#&?eD!<{mFj(6maguq zbeh-g8hgHuFPfX#>QISiw#*v;>2xn_FRRy^SpN3vSh=90rdF?5GM~-5zC7)tBbCPt zU*wYig)w&)wR#qyGBQnTQ}3QNc>NSxSrZz zZTI0>h2=x&+9#YRmlU$25l;w!qNj0v=#Xx^MfOe)h|H6F-T4TEbyys<8a8AplsDh3 zQ(Cxnuf+ov0TU8Jo}IkG7fHdUBqhPaIp#})rMi-;Kx97>#=~UK8-x2?!Mx%j$YIK` zk(qG1SM-W|Xt*0kO${jW9ecp~JEUo>EVOo)RG~YUB35X@n-R54{X4BkR z-&kOZPc0T=>INC52O#8wx9Ibd=1^cdk1)g`1R$J8ee*JmIYh;}eJA}5;nxPGqSnS+ zP!2vrsMwC@%81)yr7Y2@n54{Eg5UALU`>X5HJ0bVR6BJQs6wI|B+|K(xwY2Ufoljb z!GfzTQ4K7=j?Xq^T}&7JlxkNg&z%*_5i2L2lz>^??Jx)x>nbMs7>_ zB)mT)?(8ze=hs+#c2~(zxjy^qRGkO zzJ$+H$|P~ZoB?A~YbyyK86919Q59|%qGtkqDoQ#%dEvaFbCqWM1i`I_E@$mxOr7S^ ziV-hPe#Bi~Yu$|QCM#11xgoKopDlY=qBWBN&(5AE`Ui5QIoJs&`Y4{E0AiU&4NRQ;+Di7?2!8f#mw$Z>`K+Y z`U9`YS245Nl`_KLUBw%10XYdC27ce8UwC{$kV$+l1?x7>v<$O6-tAaa>X2b#2|4HQ z@H*gcYvq)LE`U^#ro}CRNJ1G*Y&mrvD@pYgSAW8S0nQ4ZnzFH8d6aTUjV_Pod=>L1 z{|kXOTi1%;zU?(2#eWm%Q~rxds1wZI4veme&DpDheJbmBIe;N}@?_()>MmUh=3#4hO z5hLfNQa2bUAwOqM;*s+m5D_5XYhQwpY3~rSX8yueypTw%JlX>XQ#k^5lSwLn^=pnq z|NUO0)wWlG6nU@px091o-;KHRDs#I|?c$n^dhpq(0Neube-slNaGj`{D?;;HhD8b- zYr<7Y(3;+Q!-&wzTtJKUlNAPHS_;`(xSY)ezNq9;Q$3A?bRb!t|I@~Yg3$kv_s+qU zb=|^mZ0*<`+qP}nwr$%^I<`8tZ9D0t!wx!5I_Wsy?)Uu;o^wytt-Al-T{Y+4d#zcM zW39>Y8&@ak{NuaZo>M;`2PS?`3kGVfuRv-9KZz$1hV2HM4}rjXxKy=W_KKcBN5nH3 z63+r<8Eaqs5^rTto4ZbOs)Z~w%IH+Y-LB_@vmnr9HDw6U3yCDJ)(4u}p|$+@7+K+b z^-MeK*b`XoYlJ>CdGerp$>4;mwVqUoG))q5dllTwltK))56p#9&#Q_(uNyNnAto*J z?gp%(p^Oq!7`6sP>yk0#+ts>Yr|&oowp*lx924e{K($m#Avy}C?fPRnZ+o54PiHkf zu`RTgZN=OgUiDRw!-Acwk4Me?kH~s~)N1Q#TG+&v=hAI&b67^lU?DKdw4Qyc8TdV8z5>MJNBv6#hNv7 zw*Z6LPDaw95W(FELMDA~*mC8IW)dkedii9SvBolCBMkXO-r{u01Lh>@GTiueN>L(6 
z#F0CoFHt-JQF>x)uDRTEo&>^w6(B-{K&mj`F)8H_N~kGSeNsF4ng+YZJ_b|$MX@67 z-Z@rk+~c_36a;77@4Z8A7K@hF-L zY0bT$Z9zTxYl9XWC0u^K|igY)$iV0DAfCZ>sU!0K2g&9L`s^ipF zMkYwPKz7g$Mi0P-H}o>8nKSxWtbZJUiCL7OEmBON1IKxD+qornZ6!WM2*OIJXh?&w zZd&>I8vy|)s^hzUADi?a*C3$~E0Uw_8H$=w63kd5ij}iH79(4>svZ42=*Mf{lW&~J z1TQerbk=84l8-v}m|m5_IFgZ(-z@&tq-zkYbqY}f3}8SqFBHPE()-Er@DmXh3~K&n z@&l-pL)uEp&|CA7{!+uJ|Ls{czEAs_r9Ot4G@ZFx9$|OruB+NHQXQxiF&FlBs}!g(Q`zo`q#S)Qauq5$VE=1W+N@Y|&S|Vs zs<+6vw_2{%(*XCrg@~Es zunM}azZ(YNT8#cd&hzBqZ)aT_+P}bY-o%xUVW(+J11DI#H8Rb|Huflo`f#W(kVzoM z6E}lrE##c0|y^?{=NJ+?4blIhCc@jM68ygFS_}=bC}8C1)mwC&$etI;vxE6(;5oRazkln=qNGj% znzgh~I&o*o^meO~MOJC$>$!Hx!hLxwhLml**_KLMjc@$a4ExaGcTI{(BA}tQqJp=p z-hxkWL6Z;Q%KNAZ=uG&87*yy8>OfZHNe3iwZUReK)Cuw5FcHGcACaH0$DRSdSxB&o zDw=Cauq=Cjzl<|pbH^N^dXhbG`FKW!L9(EbflU7S@^KMw*yjflNU|(Twny?tFcm&N zw>Geg*wt||-25ug2cs|*@4zSc{to^5`#Mle3Iv7$>UphCl`DDN z^u(g<$lUfB%z%k2dp~yxw#k(UBP-S0X{Ypt~{+qU06}yuOY}hg-B%A zx1bdCj3;J2D*A1BYC6{zOc91xnfliD?+VLVRxH!;23xMylI!0x)Zg9{5N%r3a%qmI zpY1?()ytRaR?5FApp`{=u^1eW$<4aRs~Dgf4qCco5e25n8L=2@SF*Why(s+IgudjG zOQN%SFH~Qz#QR2I-hgc<(7hiIr6gxtuU?1(Jk13}FgP^hA*9Tel4j8F!4|f1RUl9v zE>tQzwh&d3m`IDruwY40lkGnu{TjgF>52rfw)@4^=glGr;%bDi}EqzB-%VJCOYtdeBb# z8o@Q%bxatphoETdZ;Om8=vR%~=r-z&!;}J)4&sfj7FrLQ%6qQFUm1^!zJzS@?#7s0cAeC8rVWrB)df z$q}xQ{5nJJkjGc(2ciVU3!VO2eC`#M%3pE+lbJ!IqQyoHw?S8xRmntug!uBCaMOi6 zb-q|$f}B}OO9EHNS19wRit~(8DjE>Yh!QNeB<7V19}^>lSg&RX_BlN>BQrm-V8upG zURGvq-s$}eW5DP8(xODA*X_ZdZ`h|6zA+NUl?MbTN3O5oBStTbWCf=?bxx9egljaH z2}|9(S`&iG*B7>0EGyJa!q&dbCA6L|FIQOM*CK5v7mS?5bZ(@=r>bU@2C;`6k^iLl z$)AUy_ zaPS?Gie$rFc&Ir_Kp0!(Or70@Ozw+s0Fslz*^Aw$Wl=(-THF>)Aku+6l+jyKp5{#( zXi3B7;ub#MW}%WLnj?dX`QrA?S)>auFiAB9g{_>QqqZ5C1BnQWBx0NtlVUX)m?XbI z@Bwf?Y%?;0h>lOJl50v?wV0uL;1f9_gxULgti;U)v`Xfz#8cR#cmud=^$kL{L>fd7 zy^abCrvPfi`vPN1gLGAK7Pzx(W*oV=m?yH@A{=G}l;JR#l5bE!NuEB{HgqJc!8JmE zXR7oNsHFArizPDoGG#BnEkD3koaT8QzX*CjpfmCEdhT>RXm4)%zx!7xszBzYrl5Cw zTuQvSx<6pR(2`t|6R(Mp)cdzH6!Pv~A7rfO+wu)|3Ru~{UUt^F`y9g9L$v$3YxT-~ 
zy?a*2NJPh+bH65z@_ZFF3MPz&zOu89K&Ke{V0~vOfsbRg)ztukZo|YwGLHn3XxC!) zM~`8+=@@8TZ7CF|&iQv@+l{v5s^kVIk}ZeRod+ofRfP@e+dT6tt7+$?R4Jvs!Kx{s zuh#f5>6GNQhrmCGj&75dK~%s<(fkUd;yX2RAX}@e(%?DXN@1dd`4MKI9$BBrsUeT0 zq|+-YSnK$IVK8LwhYk>)TEP%%OqCJJTZ82NY|sK@=zv_oR)!xxzYQHGp2za2m+C+a zL%r?J!lB5Z@{ZInv=J%OX91gd@qU=;6)>kE;ntbxaw5XMb67b$6k zu!G86O0D?CL`uWC#O2fP;b2y)Og$wQX(0?l|bedc$W66GtUpM4`yDgen7Xv#W z1->huQy6~(zvBWS0b+i|-Owq{9q`9wlN^>7mEy%uU*nr0w~xUM&_`f85FMUcZ%+oo zK}W<6M&sgfh_Kx2R|YNP+hYjnhm57Ff(KRd$=B(YH=yl8ABHV$zRIH(Gzl5wG{}gF z@O+&^AGnNn#O86hX;31WNLe~R*t1AXlGfP(GU9ts8?_~*##^*^3fr%WgcTAMP|bGq z9vMdpqql|QB}t7e!m=-PMK=ycD1CUa5z(vnZ@y7Y%4ftTPkv3ZsBnPbgQH<}N(emI zk5}Gtl(~E9TBOSn3Ah}E*)4`4$-?5=eki6Z+@U(bu5yCWznvId0bLBOLcE1$qmvGz zL6TPPuqC^B=^(jCHOZ1=Ai){x;JSee!K@@nZy}=U;Dk{Yh0@{@96BPwP$9|QSnrBb z5n{udEiFpw`G8{wB24zSzv+iIe3cmqDJ%2d`whs!zIam?-Ae5YkyGYkdVT=FMwTHa zViRvZ{hSww!wvN`QkKGk2<8nH8nPmZi2X9+?d>g_NiS(FfbKTtc=WiIk+X#xs(>7# z)oEs}pisAJV{LDLc6rt3R%PSl#6(;!<|c1-kk_eqEXoMvnn$X4=$Z-zAS~4w3qSyE zOJMU+Ajc*Af^(m*%I`Dn-9u=4pymg?AKcADZS0_S$!^dZ+hd;1d{9$~O{3M#$9H=o zAmGTzn#FAP#wAt{A4M~R+e{lp$aesRPi#SU%$b z7RaY8YzpD9qzEcMgAXh4y{{|x{j89R9zQ454k`}(QDFjch>mA{HFvz8rM5{U676oC z*-K6M7=XFHHcG|GOM9o^ z;J-~ws-+`@g{Rr0N*MO??jhZ&LL!t4;`i9A2pR>Syev%8PV7iPob0>=B?Z8O!AcS( zvjIZyMR7sXci3~LrpUb^!}nsfwY5naH%vG@RdqFWZDsxS>BBIT3mKL1lNUz93^DIJ zg+s$_tTw1X0*z(m(jAP!-Ox_#j`8w@MX*R~FqBRa}lonCsu&~*mi5n+< z`&sk1I!Eh>502Dm5c@ej81fXk6LDwuIV)7MWp4?lo$t`ZV)A)p=NGs@+Prnj&)+C{ zF+hD-?UBS8)FvRkAR!mtUaC%qh+Y-AR(-4TR2X^ymTf29R4Fv2dT-1#44THCJbF|C zE1DnF`s0WImSyvyHNDmTmo!lZk5!EXD=QA(P&+Z&pT{OSW?vaRW;4F(N$X?z3QE>( zx;vLITR}vRvw`!7wbe6*Pxztgeac}5AnS@N*1}h zYNg`4UB{S`?3kT15o`cpNUYqgo`flq?baYXZRYFW)Ad*|M;111_F7wlrH<$LL8p^( zV-V#qS5lhHI_D2>>h zbVc88If5+>IOwI2m4+D1y2nwXDA0ww@o;yPXNmqw4>a(kA47sWS@U1R2o%B~MU1*@ zjM^H>>njrK8=*Sx+dmGRqDE(#n42Q4bqMI~x9gY}rhKe$Gr^X4lTJv_o$HB(R_l&j z0VhD!h2FN`vA%u42(KQ2pjsJ z)-~4xAAaT3Yt-X??^o%4Vcq$2()a}tHVt5n(X^urL-d9LwzIG#9ADsTdu-Mgiwi1( zhV^ilGWoZ}Y&l|NUQXYq)LIW@^r5R^$A{4YbrXQha_UbX`acD2%ze%2&-13Q?=9Cy 
zRiEK?TPO)qE@*qE!bbbh{v><=cP!IvUhYUDCdR*ND+UbkIOxCy)+8l}Bb7x_-nG(7 zAi(!K)mM^80^9oqLpSJ6y?(xN%J~Q7#B~ox6@ws3$?9qR^s`v^0r-=ihQK>qdd~SE z1xe~O@3ZAZEBEHYzEe^*=Y2hQv(jZ^VCA^MB>(xVp&%X{B*Nf*6x>QZRa%3XN0FM2 zrYHfQqNWtfcmzE6ec2~Q^-K>}Ynm;VMO=;TkP*kWAdzEDDxZ2C+RElwnLC#}qgoF0 zEJ;C%o|8$(ks(fef&yXX3LHtFIFsLPc@o}tuaYLO_vubBh6F(JIcVhgs5v@Z;tQFZ zag{_ndiBxK^2?o=>$p#j?c0?EWIMZ6DSMvxi3v8bkOf9iPsyOjmmaka&-rxL$`t=z zs;JE^zDDh|{(joi@*U$q6b>Hl-R)0e8kV_en`>8p=h;BR8V>Rw}!`R917=>=%kkHYKdvk|!UHyNun$wH{GINxSs}RKh5rbhn__=x8&h#XRxk zmIQ@~m|+%Hv(25`AciVd%bBs=+Q(CKYw-zi*3R6##3@o`%w3|j@L`~oXE&|b_Ebxi zsDu!^d3c>O#?Kee-JBl@`FBiOd*7Dk^8*e5iI!7_VX$X$Y%ZDr5P1X$5zKDclA+d? z8#K~unyf!ACr{Zv2YQ#2@DD7}4Lw{y75FDVP!o-wKMb%u@q36%)51{DDhWH<$H%CCZdLzEUYTj0zB_M)G03PP1F?H0ikg5bcir z1=ELZ?d|F5>6vNi%-XfJwHL+3CQzZ#FI5;n(_Oq%=1*ETFM(5iKY{-KdgP8DRPDI5 z6C*j;v@Y=1d?xaGUbY;Jl5zEU7jfw6DhXip{Qf0RXmS8S6Ij*U%xU(_P&nwb5I&1L z9?aJIY&*kg8H3rqDkUU8xGK^ta^M;HfhgnU92a!Y{AoaH8xWU-6f9=Ov#i_$NB9-x zZH6M1nUa%{kx>vE#%nttZ9I{H?@8Iz^zg&~THUY@BJ?1em2!9IUO`vZl?pwsfZzvr zu9PBB>1)75j9nt50R#ljO>t42Ki!#$_+U!nGq^ngugC zJ1ZJO$2!~rDYt`IR2_w*Cd^;u6*7k{nu!B(f}^2&1Dp!Kyv<*Fg!20E6H1f@6w`_6ex-Z7`cTdr z9NKRP2P5q39*Rouq%|eUoAZTm`m%yELlJw}H#=Q8%Y8jA3nlfJ)&q+&GB^%ShD;!W z1hV^$D9~&4ysX%N5KI^?c?(RJv}eYk06FkL-)~>S0Qo?iBA~XJ+xbI_GK7m&|0X;T zA26c*WZS`HvFFq^Z(wtALD069$3$hb0>>nk92CjOP)U`llg^VpPEm_4|3!gR5u^GE0041mB zL;sU^3cP55fPhIOm}U>9^a5!G3V_H5F)SQ2X{eYUmpf<1w1+f?gbV#+e!qc4I7|&O zpUS+Hqm*`@r581TDN71h$0tGp!SHFt0UfcxQ7YvY1>!&$sEXsYKzi~6@-H?DzHs+m ze+X`M>4)L^$~RV>N;uWvAT>G}g%p}2lcy4D4^SUrW(g4-OP_Dsh5qYSd+a1qje`?{ z1@nr@{YD^7CtfiGVo5$XkvBlNCpbV8BcVv9N-QUqFGN@(E@tsWnFq%kM$#rwIabVh z(AE~RY2whSFa$!8StbA;f{%`>V0`R$?{mH55IY&)GAPbXOtQTE`{Cs&jzrN-q-QMy z<6Niy=t=g0NCGL$3@b3lxt8!E5v&BjL6SlwigzFqpn-Rrp1?nkUzDN-oNnyww-YxV zHWs-_ksJ;Boi{pO^j67O)&xG1ou6VXTPW6V#XFN9y<##Go%cLWN)Uy3sBJ*M384?H0E`Q+-8h>9?uhUcE3S1A3iz7mz1r~5D2A}(y;qORA zA1vR^7Y)oK68^2Q*>l3IEp$8RJjgYuP>LK38{0S;75(ZP|NZ!H^;(0$eFDbe#B8 z0BNZ{GSRyWI8Wgy`nRjoG55`_us8_TVMI*3|I$SM27@!t2Go|4Vn}|D7}#qtwp!T` 
zG;7!}GJ(J=&O*@w@XH%AF`w2_A;yi} ziu0sKL8RS4W`fJ`Ljit1#v8F?`f#0Rlbu2&t~+{i88^28J01%c?;b*}FQk50Er4OP z8}CUt>j;hXygCJ?f>NB20l&Yxxz8OmW^$@Pg^%mIWh zdL<-=I5YzWTnMFdo!nIHi1^h5J9&w=2{N`f&b%4+lbPLc{GE?%UiNiJ}Quuq0;!ACj!iJ+oH z=BQ#SF!;A5#Eb{t6}Mb=!Aa0_k%Hl1eM}-B17KB>D%W06(~?L)GeBs69~Vk^;Rt5c zzrUzejyk-9K(w%OvoLFxON5PEUMH@q;WEj9M zu%nt{#g4=e?u)r`*Ru`6M#ZW3+!e5kveJ@S?ih0}@VrZhuJ?H3DJ)gb28hDFKmx<1 zaDINoa|P84lGG_WwhYzKV!&5DlBOlOK(Z29j+Jls>2Z+!N%{rK$TacgCsG7V-8^Gz zOeyRg%(ve=|y5OR#{3U7g*^jWUp4|bQB0&Q2LBa zM_rqW`o@yuEW!coWPztdAc4FM8E zI7R`E;7?HWme~ID(%&g%cq}k`@Sc|w6aNT5Lkx_5j<}=L`oBd1WJqHDot|B7B_{(# z;lJX~68$RCxb}K0L^g-wzbDz?^f!|I zIszQ-f0Um4?_p3op5TUa0< z0N@o*M;9|jS93QvYX?hL1}}TN5iM=k?-PIkMfDHxSZ_pmBPh!0JIuLOj+9H5%OjvZ z^k_5)f(=MivFh{n84gOZR4d1po&C>fqdmqxv)1E#{vVp&GNnZY0dgItplUSC)$&rQc?+1RDYoR%*c=_Sy9(`Q82Upx#9T z=TDBR`-JLr-J-K!D8=<3GScD};y0+u$3l3IOBgiPJ>%8vRD*ewGI7E`9Ri(A%Z^Rd9;}|>IyxVs{~7R_xW-6Ty@a}*Rs9e z*eb$9M2)OXeW+kbn#gVOm);fmkIrWvwp3BZK}I>|sP>)SxjXBoH=1$I%Td*ZBsO=E z#1(_K--q5>5g$Z6&NyJpo%Te^5iilJq$X=cN4gwp{91aUQ`Vqs1X=}*L8 z^VO?Nd>fvdQO%)-@0g@>??3Zu4A4LGbOTcO>6YnLJ&VtXCM>}U(m{&%ZI3dGs9y$W zD*J`$226rXpwAeHy4fb&}ZHPTGN{x z&F1?nPdB9!WU%(SXzcK|B@Usk4kXN9Z*Z^IB)J!?1)`4jTFEt4Z-v4Ld4==i|muTi1_h z`_J@04Y1fz>7QX9{Q$(ziP4?9e!}l2dY*>|KHDDdtfKP6UfzA_Kc-U755A;%z1p!8 zl+uoSjJxeekgc$&QE?(=mroVltQ|ln=G? 
z4muwtGFz-s)rV&nT}X4$a?>`J$P&qL^>?~eA_}kJS?n>+g;*&I&4!aR2}P>7tB$OtCCi<(E!52WpWv-+`~R{hEY~r za>5G*s+7f~!dA5JOcP4=rUzZzxYqbeB8za*;Jfz=?D3}SBvuk=aLL66lnI$WRvxJH zNYpu@WDPqY@szN=M;K%eu6XMi0N%mgIjf-grw1FnW#{bZ1Z7{5E8X^ z&KNI^ltNbKdq4Ps+xh~VrUeC7HfU|ByE7iI;1Ras4rp%BerB@Bebf^6oXC;*#fu{& z=v~nJT(3s$%bzfV)^!GFe<=Oaar%ER`e`Jh!q#xgG;DqgDAKV>i0?`iXWhr^OOFwh zTpP9k!-@r*+GwbAZ}ULg{l*3SOH?EVBrgg2tzN5bV(#vXhdsFjX#&CX26ZT1y#oh74?rH)+3Pnn4@zEdx z4Yxg>h!!u`V(I5ryoffNZ8aBttibk1?4BaW(ja87tCVJOThwT|qTJD3eUhJ1F#iUt zlo|Gz!)*tBRmp`aK?QTiz2r+j5BOKw&(A~WeW}U~VWju$p0SpqM?Kp~9}fMPxiEQF z{gI+CF>s*a{Q@grm%*pInJLpx_ej=RMt!O%F6yD02`03h5&7W_O`oBhn5Gjrk-oD# za=mj}Rrpd>)%)Q!CuB<6p}I>h212q;+R-9l8f1mTQ^J&ppN`y;l!YBRWI?i(ehMUn zo+*C}2Lk)x&rfiWfA-RM6&)--U?3pA2p}M+|ItfZI6Ang8JpOd|Lvw%(&ZDkm{20F z(_g-j>}GNi``H+eE{R{3MS9fa$2&)@ZY0==W(4j=qh%CBWc&`j924PUef)Zxnmu{B zlPc9qzZ^l!Ei4R8nkZeZp;t$F`u*_0B8ty6S}$2mnnRe^Vqxd^d-r!gd|K;x=+`nF zcpl;C*3FGSi1JxPgE+MGQQ^A1kC2Ok9Gi&hB%~RP-cy%z$jnzIG7^Tx#Rplc zkHU-bMoV4qeHPSIG}fs3*}Xae(K>a%X_jMHO!sC;=pP{V@3bkRY(zp-zs1GaLnEn* zAC(&U2JOg|LI)f01~*VFaMtFD)u-IdDl||Y!SZ~xWXPnN!^t?2As64}GUaG6E>DlA zz&Hi&M3>3r@sq0HUBi%%Jdn&9E{M)96Al3^g^)z;>&KPtO2x`MrUdzjB6MTI8$s+bO+@-cQSMocP>39G>K~iLWFX=gqd4HR5zkb z-gNZLs)TDfJO!l{LeRj3GPRZ1H!GM{lP*}vnSza95V4W#CbtB*5{p!`(K1!~^fcji zwLYTZETIiKcoI?9MSLWgC_k-IQ7BHvdW!CzCYI=%b5m03VmO@DF%f?*cK1WUuk(Et zWIX%eOMw9j=o3)Ild(U!h(jn){Pmy#eGnv1@s7~a&now5WS9&XddeV)=k3ujbj{Dr zKa)@gcNL?#0U!rz3h3g>7Gla|mr^Z^3EBWUvQcK(xDp@d+;^umG6}}yN(ze?wEs;~ z8A*F>HGm>&R0#rt{2!9)>gH`{{;$#Gg}$!iQ5!}8Y_rA4Z6$5As&uo#$$BQIbtQMPL}cluKnr9OVe|>weELaJ+S9b-?lRev#2rcb z=H`#Rli}VVGgsWv&BM(fnUOW`slA0%!*p0H&Z? 
zugtmm#|-mMA5SNxnM^Xo*n+bdvy0=9V{5IZg6BhF++)M_ns;t_O=Fz-12TpJf zNnbdM>rfG_ST6;JQ@^~FTJ+!0+|t-2voYp9G&C(00#=G_i5lE_sl`Te711NI!(27S zP^KVhWB0k3Zpt4sS<3vVN^yQpR39>_hyxJNOb{TFkb}Z<=p(|nxhdDa!aRYV?^%m{ zx#S4Zjpz*qkYHZdn&q=mbBq%tdX(mafybVmFI552fpu0In1jpR4O!#2n?FQzS-?Ap z6$dSIBIFDducfroPQ>xse(2>}it}#v1Z5&Wk)|^Fn*HeypWGyzeC*%m{Gwu*GYSwz zx_^IlRq!f&q5E9r(q8R1tD$ep1~8{~WoFD?rHo4Qe99ERrtENi=RHa^!RpuB{mDF= z{oqiylgjpiA_HHW^XA*KZR#?Y*^>yO|E{(*T-o575c5pX$ zYiBi4?mC5pwSOpz^D3d**!GbTd+zULsiN!5L%j|8)ad#rDfAHM@sN&ci}gW=%z)1= zpv_I7&26B~jiAjXQ{sE-rg2?mP&sd3Hk7&|YfLC_+b5ND=n_dfw+kj5IQZj_?mTkE zbpLcl_v}8Ty3(MG4B5-Uan|4|p{Jr})k!HN+ud0liZhNDn?WZ0!YXwYE{)8@;!x>4 zgJVw^vwNj6s@fIA5F-B8F{d4H1t-}P&74E7&2vBMe73iO=azRn6+o*dsTvIPgR!W(kV@MCEQxY^Wg^qlT( z!UGmSaD!$rzdTg|gG<0K|F^7gJ0&;dK^t7s4*2^UW@OFjp!qef;l7GR*PA`k+I6Wu z70segYEzcEwW~YZ!sokO-1*e&6|elBiZRze1&Va4N8D4;g4C~LI&}v^+&)$not|%cNVuol``buIzdmoNDhHc3)LW%2 zP@-OXK~ZSbw8rkKcDO)w%MNkfla5Zmv&E$j>=yps-(Mcz3$F9xn2%H!47#?~URuE` z&ry2bS7dozRD_<_{+7(|d+@leioq~Y?tCU)ql)V-Vv;SJJNnl3r6(}u1PAec0(py| zCPiFC3so`dk8xK@RXOyo3G-PrBnL8S-N376)_Bj`<4-kYgMpUKY!m)h&g|~UE<9W> z>H){~vaDmkSz6&E^of8K=iWB7U6DKopVRBZfF1Z;-X>HoqeX?Z7J6f%dp<=zqX#YD z?pqfYHe4bFn_(?lAXqI(uXF?0Zwir|+U44t$;N^EiH3pu*?P%TfEVGh8^n)mZ+vgn z2$1_SSkPlxM6j7mB#10c$PUJzHbz&pUAS4VLv;}MX<$}HeHSz5H;e;*o7o`u=9a*K zd9X}|9u&X}o2Mj1v5>MMK$sbBDdX2=qIX0#ZRsV9+2OZMv?Fs7LQ!PbMbt}%3i!Un zGz*vdeCUbShgvy4itng%nJJ%Std9DJS^}>>jRRQZP-XaMzfC6a(@Fm_K;9+a&!w|Q zP3|diot0K(#ib3u*4)>djXXEg_kY3`WSHIy&{ixx50i}KrLOtaE!_4R>^A~sHjLDy zNEWkhy{c^e4e>xZ(8M?&@!;0sKwf8|F!y(9*gW5se5bTGUfMW6^**bjj|yCct&)fK z5Am!(d-kwHhSw^1j?h~IPicgJ z6CR3NpvUoMEBm~r;}lO13ZyzRe<|Mqt2h)sZ?y_Po9lv3cVQ@`k8gWWsKZDXcoPblT`No`50+x(Z<|)P^`Ws2!0>&*a;Z7$(R*6yMf72=@=6Z~(NjK;%7Q##H~Q`+vV7G-i+i2`|9 zi30XN-OtLP?I~qqxGiO3h=04$oUqUm5uaS3!;=iB;z)o~UPyo={+~`M0dC?OFh~E+ z{ofL(*Z$%D|B$3urhm2i*tAqGwo3hCYeeU$tFK-eBWiL)cxx^0WQ|`yTYq`+UIuK6OLF$$0Dk9=YA}*SxhsGO zT*<;(h>q#2tWyhnb6lbJD8Sy0I%{sPP!ED|T)|}yl~fZD+Yy0|=!1%o5@JtuAJj@9 
ziEm@*vx`ve*JV`$L_j^mLE@cIZyLJf`Ol~;N_<=?g-%%{5%)LZ7R)o0G}Vd16BaeC zEyDV?SV@1Ym*9YwDUu=>G+I!#M9eCAR7W^OsJHf(qJ(;&2L=NDSG4S64JzzGjhgIXO&aWBzf@YYKCLQo%Z%gkGsCRIIzY8a zM<6ZZ7m9V3D(P#;5eJ)eLb|Hm5^6Hs%CZ43HuG@{n(-D8X#(*~UZXih3%DGjz?8UNYC=AG9VTMcm0tJm?4c;Z4#LZ@S$^^~jisU9i@t8lSBOow3x4sF@LB zV%es^cV+$(9x}0pHc@Q$R~vry{Iw$ZLY{pQXHIx{)EyUp&|9-NULX2(jCn&??VSdS z6oO|5ifcjO2GYJ=w5#Zlxb)p@02WRE!~LzU3Ve4anPAcp9`&JjrL?Q7ybH+(?+JxQ ztOpNwubSeA%w5j3O}t+Tg!icOhGirMB4Usbo<9jp*HoSDyJbCzAN4n3N0PDvZ z5uMxhG*h-ZcDt_2Jv=<-#5fZT*)vCmnbE zN~eK7s_nV)P#07u(aLi+pW(f^m*TW)2x8xtR}H5~65~=-6#d|(Vaa=Q0BfQt6gpo* zml~B@XtMp`7d1Ez)mso3)h(__y3k5a)keJF7h%6WWA3yK`(hqdDJNBDdBY290Qz=` zF2_|*WGTu!Ur?%xoRoJb>J2xs3@3Io3id@`icP40!E>z!qL-UO@LN`RJW@U-nYrgN zpqT4Cp532%nwauh{?oE990YJ@-IzxHv{munYmIq2ay4Ij)Idq=HVH1H6EY!WWb>FP zI+-J7J~ln|2gpu_>=jIz6fx0gE_SP_3u2PD^pq+3Z>=g#%GV^aympR`q#VGG%js?q zo=c0cCC4TSI4C;pTA5OO*%)Vw<5CgEwDa%<-vm;3!ID z(v)){PhPqT)3fyBD<&w8h&fO8t5Y0fWWPphi?j2c-}B=k*VnB)#wNQ&65oYV25pRv z>Z@q>2#f;!4|b7etX1*l?9Nl}91D_TWe@YdUh*#XYg-Ds)~A=02Dp|Gl_d{GFCec& zVQIV{-siaDW_;-!tj-!(YP=^4m>F3_fy-)M^@U%c$DalbtarN#`)2)oZ=RW5a^#p;7nZ2Esfo>JELBU$go4{rdQzo&)vsXGduSp4zla8D_3VlWD&ErZsxl zSGl!bu;=C!u<4TB)>UDfjS7>^`86&16@GharJjBcnjS6xE{A?y)xGeFV|-P(yRB`N zC$amR$hpFD8g!S2x_v>pT?PF-(8?ZkgPU6$Pf6Lgex81zUwan3l3f&bomB~Y2b50s z%}ZSQ@YKI)lnvKR4{{+fwe70Za>8joTmh6eJv`QlBnI0v@+X;hdb=9ucDc{5ZROr& zNMR0_miJ-z?Uz)7JlDK4`ZCe%uvwolN+(f=RBsS+4?@_ z2n?~ZV;5MX^w_+FFO~=lnt%V*0RQpd&136*$%xymN77~Dz$Sb-L8v>CnY++*wdca? 
z7kUbsu1W#&P1Nw_5)6m}238d&v)^?p5G^YhQH1vHN{(g%ZWk@+@Op$Gs`_%4<_dJo z#GR|4J~_%g&`(&O4J*R_sB+C)+lHjw@qXK3(VUIPAs0A`c?8Q>3N{PQP=vWbLzFu+WRZ7-UCUzSTI#e*>oTx_D=fu8gtwcF0d}udl;{PE1_kthyn!FJQ(@FadB8 zl!Mg>WUYR-XV4O#p8Y-+j@TsYFJwzCN0#@8!A-ZKvUy7qqRncp^rcCFqN^k^!+jtNc# z{T_=zcmJu~pvO8vnW*~+ePew{h&Mb#o-*ERXpyni&hKaR$Av+EVD&iRG{zgP#M=H{ z=6S8FON*&LjknN)wy?KdlTG>*EqbOmfH8a4W!IH{v_h5kkVYL=i<-t3A4(@ucH|;k-W z=AQrK5J4hEN$j!5^dm_bHJv=}ws z6i9tNz&pgCARq+)u>@u4Vs7Wk=-_T|V(tRm+Wfm@%JBD6+L zUcYNW;iC{cCqy|ojwvRj?!*r{paH+B*jR0~@aB-Rv?p@&HF)nC`KXZxmdK;V6=rQ5 z<=ur8zLrbna!c?CELAxP;T$>WgC_BpM1tc@YaYn=!|3U+aA$s(bwm`h;=z=MH;orL z6PQN})0yKDy#H&l-2}OPhJbgdfW;;RfdMsjcXe~L*Rr=`{CC-{-OTNo|Fhgg#SoxW zg&@GN|Ns8{SNre%7_@TC-By|cRLD}h@yZ}|;Yv!&nNDljSnu{7m(#kPQbm8hDtGsW zi|aEtS6CHR*(hNXAPOiz1-!o7fX9rE4KkoF4iMn9?VL#Zj*QB{-d>>96pL{%#g;mL z+nmLw(@bN^n3m$!qBhNUYr3+dTrqU-U3=~a-AS!N3Jvzd##MUf-{<9sFY)Xk^@PR# zDIV^Dg$Y;D@McC6U)}C4!n_ALyjxur1KVZ$upGDp{=W(T17`y29m8mM8#wvRE0$UuZ^FZByS6RJ|eC|KOzgeZGC5#kPpx`R8QUQ8fwnD zqKVr=F4N*0KLsN5x(*c%l9TeWR>zS!F*(tS#TkR@anQ$X?Y><@_VngYBE@8-Ij%YN3whfN{_l6ZX9{%%SdTXV%qpPT~s zN#i31SWsz16Lp*v3P-NKs}^H747G`Q61O)jm==&1-{qg<(%|5fweeOQL-<&x!XYS0LId^#t`Y2kR_IlT+ ze=U7*jQSEYQ7S<|2fxL3vqMCu&s8gyV`+!`)6)>+Mx~6j&TgoF1A4hds$Gpbc3*^U z*~=af;x{&qaw=9uc*pjzzi}UlYjdm1B>z(%8F)gvFqW&g`co`bkr@;E@yWy_N}ju7 zW~SK4zheGYFTmi zH~3cK7l90=x!Pseb8G`@ocD7wj>kdD>3pn9 zi{{@fNIH(5D|h=amwWw!vzg8B(Km>1x8QvQ8HHEF_}*BozpqPqbxTvluPv#Lm*r@J zXcydNBsB+|oTG)(RgCV!4h``O_Z-QzhYtD$k`~b;@4DmPD={V~q_Z>-T}sDKFUP_H z9sg7#9#=x;9`WZs#NnfrCVwIx*~G)7|H8d0d6s#MhNHz!XG9Z@@S)HWH?hpMN7pIy zvo+Tt(rmca$sol5xEf~-#nvYDzCTS}NmEQ}6v8|;mg|uV{pZOTcHk{&UiH~pJdD68<=0L`vq?mS)p{9OX6heT}21@dpPV? 
z=9*K#vn&ng2u5^!YQgtq&e{nrFLEivHR_KXmCylwdXe6oz5@x*6%H3vKlY#lp)H+q zg{4_(t&MH&S5tUGp9y}^OW}#A(;XGIB;r`ukRTIi7cCY_OmntEajcpfVDCiYDje|A z^SxhY4k4CsB~;q)WyLX&Z?0Kg^9|%JTRN^Q9^y}QhHtT^CExd%jEai>`bNJ7j_Dws z;QV6$(QJFk<2)UcUu{Vk@T&aREl@wfZt+NA5Vm?1@L!F3c!{s{iK^L72v^G~?@iOl z^m~6;3bJ!m59lOj-fA7+Evr!&y)U~mT|<}{H;5cXdE_Rv(<$EC>?Oz^DUrWo=LVkt z@yQ`c*ex+w`rDggZ94Z!Lgqwh9f%)&4v9T@Kz@Q~RZ0IPdMtX6q6(IP>61unom<^M z6awtVzRvax?=)T892T6!b)?B^WKjsh#_zS#N2&7N(pex*q)fkITjZHfoK1xI{xy?a zldHFfeDYn{hXr`QoQFgXHY9!(ictBBe4JlQXZ|+M9h`#3f~A$+jdW9$1M8(E#TPes zo#$wx1Dx3RDBflLzWr2^;PE5;N%@5HSxx4JkQve>L{Ulpe~2Dl%n|Ghu{El6aEsI-zliJB z(f%r@nxkbF0zs_;v9Fyf)>^;#u_vOABj!s)7A6X$^&hYKKdZCfPD>RhMP^d5=Z#Ec zF&s4vN6XSosE2BhLo`H?hgQQVmgz}2MHP7h=$+sxAzOuq{<4X{h) z+a=Xf7Y-Jnx@gg~nVY1HudHXk=Jy~-;4c+oRT(B~Kz`kW2NbsolZ)`5CR9=$g`|xP zKXH&NAs(R%!H@8b4jP<)Q-R=;?Vd9`PG&h|6J~TjuLl=^u+$CqqqI|H@+0~}I?jl56xj#5gR2rP7PazxE5>#Ig)eBusX zMrt@w@947_=1enH7g%{U?dyO(I_Nv(Nr>%LG%sN>O9*;br*X3}n*80)tg9==+N@Ol zq5%Cyc!jx6Jx0OO(S9y=Cn9<0ZItww#fK6)Wly$#ux<}~qrVVCf3|0^|A7i!#O=Cj zg1Us72fhy(_@1;{?f{~0X01S$TPY#TX|-NiGRcBJG7l4#i2_}U;YaTn{`Wgdl4UE- zH0)pe9AcSZdPK4vb6jJc- zINl6E%i$aeZC!6S;ZTVpzi$Y<&!e%-XtF!nWh$^?*;=)HIDMWZRe-)Os;TvUl1dRI zNuITuA$MD2uEzOC2^+myMWV-MiBUQ1=^HMFZLtqI@`$atNs@$CvJ*l+#!+?|2RwPR z5gTBGq{7U;)ZsTV!;>{alv@m6Xy5R2$dEgfd=>oUY}T`7v@VRgz+Ap)UIHV?RbRE4 zl&aoXjkTZUWu96`dY(X-M=`+jw(o(Vgrk92`}>7h_Gw;b(Qwa>IQjaah9tRcPp`M> zNS5yp!(A5TreKUtxtw$u-1C zYO$*7-?qgV`@|^YY)86+DVo0Vy0}du zQ6*bu8JVOK2qY+?$JdRND#;dDJhObZDr`EHg`<(G5af?fSv$xXaEuFltwf{5u$UEJH;cy(pFtx7&#d+Dsa z0;fXyL3_X;yBbm-wFIX_7TUB|v6qQ~QzciwC{BFo7mYC2sL2r{Ez&E}_MjrfT*isp z4Kq>&H_Bn$dJZ=#SoHeVxXGOO_3tUTb7>_plU$3HyKpWs952+Fs!ceZ7>*}!F$MQQ zUAe8*CTYwNqAh4AvmLChft#JRc_M}&E{vwDqEKz92EX=@3JAqH?DP^( zxtm_lKf5~|B~WRUR#5W%$8eR^?9Y|8pF<6>g?kg%%RP`@$G=aD)Q#`5_V;(GA5)aa zL(H;9QwB$7uq}wz#jh}qOMR|?9P&JajdxZuv3lV21`mzGAmOKaJrd&WX-rdJL@%-* zHO)WUGWxIzAtDOGbesNdK50>!n3zZUZZeL*Q3zV2x?<(EMyk!C~s) zaJsbo|5fGh1y!!s~euG&E9+vc2fH z&ooE+)}Jw$6u}3U9+Dwa!rUkKel!JLgSuCZHU5K;6_20K?q_SdsCE`_YXSopo8=?_ 
zC02qNXllzUg}z$9UvQ#!}%=WSP#}Ea) z7HM}OrCQ;6qf?h(uG`lKk77P9xm4yZKq)EsT=h8!+_eZHE?mapW5m0xcssU1})*oZrI3eD3s!)8EU;w}%I|@qn2K0cL`8 z(M-%AI-Q-?`+qz6Z6^WI>JKNVu%ApbY>MmD-i03DtMMI)cxGY6wEKUKSAgT9)#IT@B2j|Ca+aG)?pkBPR7M&1v93^*)5w$ zV`6t{9dAo#*Q*&msT*(yTT>BsEo7*9OQ&Ktr19o6lybA<0{)6JG;K4~*5@91sf(B^ z(Pey9Pc#%?z_8=QNW0YYw6qW72c9DqF;<#1n`S+3UL_61hKkgg6duXy`J-T24ZclS z9ku5E^y4_gINW+%JXgGCx-mkYEu8erU4%TAqH843^v17#>?Ea)v0#GU1K(hdCU5^1 z52a$ z;nSM!V%id*y)c0ujrZ4<(*J2UsW74$wS^N~#)ocWD#rtx$u65JRVIMhZ7Vuwfx7|Bc8%kCf5k|ek>nuM*^Vt`_Djg&L%c@aR2=>%~EoX5e5C|X8 z$62V%BZ!&ig=m?LgtHFa0d(lwI`uWkq~>INMI%}%^vc5{E|l-e?)V{#p;=FUAC3^b zlf>$7O;Nk=%kT=?YfEdBNy?dWzE?>+CC2*<|0@n5?W+P=G8hSSX=WxiZqrC;?$)RsJ< zmQU@*123OSz4cWM{u1s03b2hXaVe)ud?Qa%mzQHEeem zbJ3pNH^TZ}mrz@Dv&n;U0qPAu25+YC5GErXM@%m}>L#lI2yV2^ir(DoUoRb{b zEf%I6nj_TqOPU2g%6H48F{8q7*|&qrjq@%~>NkdQ)0* z;CU882m+B^0@4EEV`sMT8x70}UF-lM{_ASE$|Qjh^sEf1;20;uS;*NrnLi-W8Pi3M ztMK^-yHRRDkV5R!Iq1b?4md{6;Fb>`!XQrE|Ej+uNfI~1br9$Xu;9z+aFSO(>1vZXnR2Tv%}I? zOYa@4COXBF0{GKdz4Jt<@COgExA{9{GO9rmomH(iBxBmt8{j(z}aNh9v1+>6ZfQ8^Pk;)$;m^H)>!g2O}L6N||{8^#~ zF?<7FU;_j!p61IG`S<=%*g-68OgU`qOsyaS><;!;S9O`cN{!wED58-4Duo2}Zwf(n zh@ItcigPKB7iqOcSwW!Fd|3)UufHjT&ZRh~*i9Z%Nd_u)nlDpi=lxB=^)Cw44$Jad zW)SE!U#5WN|4qUFFNz0f0tDWgAkb;POkw)rZwkJDQKVA*Y@|#Cflf0pKwL<;ObEY? z@r(@DTx`y>A)-Pk7M(05lo7g8%>k literal 0 HcmV?d00001 
diff --git a/terraform/aws/tap/CheckPoint_NOW_onboarding_page.pdf b/terraform/aws/tap/CheckPoint_NOW_onboarding_page.pdf new file mode 100644 index 0000000000000000000000000000000000000000..c25e9592852d07d2f26f9b9272632d2e81df42e9 GIT binary patch literal 390187 zcmb@tb95$6xG$QColH2fjW@P!b7I@JZQHi(Ol;e>HJRXMzHjey_CELQweBCc*Sp^C zTK&}TK~-0G)vq2BIUx}mdRk^UXp*L{0}h%VpAO$f-y9B_iwmISW@`ix)N|Ccv@rq5 z>6sWg;4^&PRscxpS(}g>S<@&hQs4s=9qpYA9F^>ij1+8a9Pyc1{}GYav$qhpHn#bK z`Fm+(i2o&K#PfB)K^s{c{-feA*niXYj}CyKjg$2k4nWe(&_M&A@h==c!#}9_jLiR( z7}@_hG5u50!vC+Bf5rb_m|w=*8+~E^YrTSzgN>8DfswR-|JD#;!e^lS4|zFz8v{inM-9MN0|1naTpj;4K;Yk#;J+vFzrF$Z zt*vbwzal~Zuh$I!#(;t4FOnAim#v0odIC1C8ee5Pd}elLT1EzZHYR#nc80IJf?sxh zx$c0^^j91pYH#CY`(@`pP5Vy)pa@X1*Ryu8{Tm_!H-MlbK*-41%)m%NRNzawlAgZ9 zm&m`3{BIZ?@ag_*#Qy^SXT(L!EFF#P0V0-P!4fhuurV|ONEun1IGWcPS5M`x#~Ev%nq+M9mejl5+o_1`dDg-Jb{{K@ocyE`&o@ocyo;oee$s8X4!{{ z5jCOqz*!&H^geNnifoNem)ob(<}$-;Uf9RotMbGCbc_7KY;UpIPMG1KgQ?hlreq#D z-2fTa^kM)Z1v0K(9EE#5+x)|uCSJKff`Nx{`_{$g}#=c+y0!Vx{9IUkpg6?n>wK52O$Rt{`T zvhyIW%S<8n5OM=yC$N5G;foA=>X{`>{%WKYk^Vf9v!55*I`-GZK~l+egv68kmhrux z8iuN;0-7WyNF1APQ~RB4i|p0<)jU2w-`$gf$#TW^sX4h{9ZHUcN(gBOPi1US$MI0c zEgo%})QnYoXzYbY6|}w7s0Wn`Xl_TgQ)Qhbu7tvm#BWd)5 z^DI_?N!C7I`s2D;UMc%zv=cONAW7E`w>nYHt%Vzp!Ix6B1Uc^)*F;184SY-EeoW`88L~3 zze_LN`>E{<HR>Os*lU!TQbO?pLqk6GL43KDNY+RbE&W9R>Vo)4U=w*RwfTzkO?5FjOeY-{lNJH<2^18oC6M?-$3Lmm{Ekf9HQwCVL8KxBl>AKCl0)@Df* zEDT+e#NorBjyh3s$P_HlwWs;IvE8JW!zHE8m|GiihBmu^Yb0;+tnW+ zQ@euNEwp60=xyF|pGo=6hL2OVZ`4W=VIZalsxK2BFY?M~!7-4p^%b(USJr4V*a@z} z-&DZal(++A_XAjAvUT2--=SppqR#d(OZ{kBeM!%~u)cM2SuZYTooUV7FBX`iT$S$% zcByQ8L&zE+TSc+*^hLSKu8UOEMC_fxuQ|W7x|~fnHw(SP2UP6ri6CHk_O7Ls{dPNxc6yifV#< zoOXMMLxTM6Az~8~S&~=5!mRb|+K&J=@(<9&8*s4(*mCz&D9liQl#JM;5PcJ6H>z{= zqbm6#$1F~DO2}9xb_dWJE{-+u#X(`6!YDOOuS>36V68?uk>Wg3J1Q3lo~Fxrm#yXA z0Q^2IHe^?ym+XinTHw~*c~PGSbniEJgD@AZ4J3{UCT$PV(kmS8q?YAKg8X^bSf;vb@}@E=O*tC_&V3uTK_3P;#{I+k6xsv|Zmv&XIUX9V3b&(vu^z zYrE3vkuZ(>eTYHO%6u?(b(kUdBCIjN2~dA+89O4xYZ7`+AsQOQK-uBvMGz(aRA}AL 
z?3|KC7>6GYSa5VmM@ER4;zF!kMoyh&8;l9>3Y*rRgk4-Ht=GkwZLw5U{4RNERzs$Tz2Nbnim8LKTF`+qiHy7l zs6>I}7}?EVF|Em^DEV8rrYn_c&ejugIG>$=2mQ4Ks*Owjj@%w4ksWG!QfA7I&}&Iu zJPfYMcI}D1&1BJF(;-p#%FPA^%)-bg^_8y$!Kke5u}DHFVp0VpXP2ZWkw=n z&yJ6i%nn#ft=6V#Wghj&5=h<+(b{B~DDhZH9|fsTQZ7p?#NtKb?imiSbMSE0P(O^< z#+^1wClCY6zD4iX1`0L`iot8=MVK`aN3^lgb2W;Ma1k2}tYqajsBq*GRC{aJ_N%iQ z9$l~^lC|Z4oSC%Gh$v_Ej-J7u#q(v2G8qpl`CukdU0qb}F1^9y-D17?732S0bJbZC z=`imZfoq)Rfm!`4P+ zINCc(qJY5|+#wJOlS)=UKsO_&@RQv|AoS4^nTVR(LPU$wn6Fz!ekfhMN*Od*%3Tl* zsGM9-Tz0vn1sp$v`d5O7{xqs3=rGc4cd+6qbj_G}dv-s5rD zpA2kxvGo2YQ zNP)(>GawX@SL-H&)QyJ4ysc_ELeA$(57XrpJ&sSpNRZ8r{VSC+m12D?Srm=cL$p$c zncuedp-qLP<`urS)F+gd8m%iB*UFHR z_syV8Oklc{!o}q#@?Ar2Lf*YJVh}W30l5Nw+e`OuGB~GWRn| z!sj(J2hII~AeXIqSSp1po}7JS4kWl9->a_Cf*$1vkgBDtL)$pIml9B3h!U+>a&i*D z1F4#Qp!hF7-q@6Hno5YtHH>=v4z3KaHamwe?5rqR$?I(os!TN1uF>zXt)j>>WcFbb znjWLz_5#GX1=6^=~Vn4{|J_;rx)cnmD14EU)4)!fCH5PUw2U#<_0c6hC z7rfrMgu+gpIlK($Q4Q}*+JrC+37R6YRR+JCsUh%p8u@V`nL;83Ta*YA$=0eXM{Dj| zFRxLJHbC+`nW3x+gf}y6+O>~fqNeE^E+k636tH8N->_8E;%xxh6mK%`FT0e^U&(K& zMRwuv8Vk~}_C(fBm80VxzIo+!sK(e?nTQ7wj%j`A%3eB#!+D~kzs{&Gc7x}HImAge z<*`C)NtUpp4>&?Iej?~^Gr}^BuFHG`rL^e}(G#N#`?pP?bXJQGn0xf91=qDhjTcmF#Jv!gL|wyzo^FU& z5%I5|X+UhY+R8-jW>)7&N9-0IW6+80QwS<`99PoM;_jx25`B(hRy{QhLT(ny6uRnA zk<=dqTP*7TaHGEnHuPfNghJDvl6K)+?|sS%sAD*CCP(5>h~`pKJ1pJynonW$KqrdYz2Th@#0 z?T<7-K2`GCIPzz;e9Fy3Haby?S4eG?ucW}L;5zcT8G7U1G+FpuzZ{$~s@ghq{OmPL zePa{^lf2pI`#As0%xc4BTqo5DsT}VI-%6RhUZnWmj#wq)mf7@6AK#5~Q$ziEYmEjK zqDoT30wO<)Rz^CP)~5kJQCqdj%$2y$Z<8~z$;=3ci^GE%j6-n$8|#{9?AqxWWM@t^OVl%uz5PPaukd7?U11aojV6MtagOPPLL3?^ zP(c^3Q90*ntuTx~jZ)u}@+mOa-l<49PzM+N}N*&zKCLi!)bkXRAiSs=fP(KoFc zQ$#wxr%oNDIUt4lZoMic*6Au1T~i& z|0^xl%^_3JY~epU3uC%FC|=t%4P97MY~%N+rLS~g2y~~R9mj*Hmw_opi_3Bi zn>Dx!>0V^F3`*>?eA8g`4U#DhjrMwtOyZJk9Z#Hq?sOKNGns915c=w<3=k&}6KSYh z_BU0bbODuxjmp5~Q!c=cZQA{eo6@DTEt+Ui1i7@Qt8cGNdcC%-@5E|b5Dp?-q4^6~ z#-4v&h1KXLZpdn1!ccE0b?!CU5LX{#D412Y^yXUA5+h1QL6b>3*@OBIO*T}vV~iLQ zRe#YaLvNiB)kEyNqTpb9YvB#GNmZDscS2d3H7GQZAO3ppT>ekF%zfxRDo^~I?}0B} 
z%@dfTn&wy=r|wl8(J>^wvnrS16f-VHRaP!xwRm9GcuuW)9esL^iquQ9TJJ!j$FK%1 z1;}O84@jhU?7%<4g-Dux;8A%CQY-NchWNc5CXPEy)qvq+J_CO=Gvw=cB55w8ASm~b z#n~R;!P7KftpsH@S8lC*Xfth%b>lD3O?>B~PwNCS7I-x0ITuLY)f&;%&0BZ9JC^hu z)YW*%{Lz&asJ(3(po2s2%j8fwn5O2~Xihz8KtLwK8J}-$t|3~V-qjjfUCrnR5=mhg za3`69J@u!kkrdNl%&v%Ci=>D%E$Ze0#!Kq5;=Dsuc^u+4%6p`ES-{7W14Ac0HKsb{ zl70kS(h)AfY-4)^YhINVFd28*?p9iwRoI3*1r)IT0PYg_Ywx_x8p9KY~b_& zRe_t-iDyJse^aU0#hrX!^t3Zj!(Smo2FGE(OeaeQuYhF^D`nje zVtzj_S-u5B&=$DyJ^#_7ka}iLHdd!T(ts?-;(Ng*#X&U8C>O9v^PQ#BDUL}% zQ+VPN^RdvYhp4G4_5g91tE0&@QCoRVr_dzU!>TYr6%)d%eU+2-2_#Qp zg1DI5gf6IaNA=EiTIN}T=F7HRQ+zEZiZkBMqfpf=bBs$}`*bt-F6)1IAD^Dbngb*U zI)Q{Z=nG-Qb_j#^p&cdb6l1#wb6%gYQy82CwwXp#^6wI_~!pH8~=0$f%V<;u6eH4l-@|*3_ltO0^cW{+6!LgV-8bV)>Tia{0zs&)E4nz5aU<8(feCX zLej$Q(DQ<}c@^C^4Dx_hw&0)*?+qOMQNrt^+M`0~s)Gym&d*$u!XaO1RcqxRgXGBeu_ zfSED&4>J$F#e_y7W3xu26l}k9LP*U^I_PnrWn@V^&VG49bL;IyXXUGkz)b^%WKrX9 zPy}NwkzEkrO7cBMPt`6^ns-7XttbZMrICIz(>ktz_P#QI{v+{$VY-TB#NLqhy0+9PyvIY~V;-$>tUao`RC>SC8{xbB4F{5>D%!&D~wZ{%p6zT2fIX|uy-3G&ZL#KpTT0z`x^`u z^xv99Fpeb2?4^})ADs0=rM#3(-hU>LF;ZL|qRq^`z|g+d_{`8;QJRFLy5eM`^tGz;Ke)0sHWY_aSIf4Ne-MPM=w1jri3o7_nb=PSX$DJ3&C7#A40Qi zF)(cjW~4eM>x~y|3P`R+J6V7X@q#3H*E#>LMof~5nRiJme_LX9RP7?!myUNlAkyI~8BBajut3U|m!)0`KbUNcMF7 zv?Ge`qGFT}*S?n+!8_5sA1Tts_c6^SdAIKi+tN77{X0>X6qt(bbWcikhPXU5*?k%l zL(_d*)tE$)&QA$c=#AE*s_gCS35>`IPbl6u^)Y#Yhu>9Mx^PVoOR#`VVpqpy;IU_?JrjhhhV$ni+oaL5vK{05Kyo6VorI zkMWD8vb3>RwAC{(`rqUeK)}q=LC(lt(8kKv#`-UP#|9ApBD3smZT`|r_{Msc4n_b) zX*~xE{C~JG!2irXF*36={N=3v(`47o%dBHXC3Vb@=bV)rJqwEx=a%GyNVg#HQGD^h z@50{(fy5N}{h9DbNyB}0x7S;ULiI7@at(=pfFmNJfDyC#AFNFBB{(8zTVl2{ZL&38 zDRs%d^El?nC@XPyl5JsGTH?HUM8tIe=KXw0;ROP!%?x{4*w$(%tiF=}*wy$v1lswG zwz(or^E2g_gzQP4!V3e-`lcH|u7ZXE?1#K=!)rH_NrJQNRmq2?UquK1y>j1D->u&& zWoze=XnYKmm8I9wiT?H5-Xj>#2`ms6Umh@~YpmSb;M+58ah+3phwN6+2m{$PHde@b z@t>NC*;*eT@6+>NwM0VzzbT+xy1VmC=kNw;2mY4pCN}v;6f&1UE(aw(OJ^y9m&fq_rmT33EwfIJ`-e)$RAP(8kHSH{Vl zLRvZrZ`jy{^Mz4lL>Dj5!peG$^^=R6sAj53mO~IHbZCt>&o12f&xah%krh)e>A 
z1H?DKvckauQb*m(Eb6qkF2~(Ncuv2$39c=3>h@upnKO|-o-T`%xom%iFCTt<0N1xbmc*vL*F}kyYboh{}1UPcqDZnA1EwhlCp5p@Z9| zK&|Y++vSr%a5ftjF2S+ud7WvK?V_tECuC+n*07ENcWJholwy;EKx@yNVBvF7eV&$i z{K%bR zjq1di`u7%H@Ar%i+l`H|%Bn8tCS5-^T=K_!7J!bUbBc7aA<_>4|Rdmw~C<=+%$&=&7_4uKH1m`q9zV z{=H^j-#1F*QN)rRacxCmqvH^rbni=Ea@=F_b4z{SF4(=l&oJV-Y|wA&4CsoQ^CT8@ zr}B4N6av}N5(9(1qvSqHm8lt?63&nUj5s4S7S@N!Fu&)G;-Ryd(D*Y$7s zth_m4ns`!KK1H0#me1^L9WVvN7naWJ`Jd8G7_WCuBbjA6O;8+yKyu$T!daW$#Q_vD4?nJzhdvlv_4xXu16~OUal0%pu&`ei*Litc zau?4%y`?8Z7CCx6xnp(ag73xw2CBD|hXBz+n#cbQ9l2*2T{H9BYTZ`q&A{4qOHTW; zM0uEYY98j7fF#IC(AT&jX2R>PcX^LMuv?VKAsK+Yh?E7__&1)gZjRBs{mCbh=Hz#@ z6u&Vv#f0cr| zIeI&1w`gD`oNzHR>S#O@uyo%=>hMtZ^?d2>aM3BB`|9*7_;)97EQz1{*(6ycPvR`@ z?<&MaT#E7O&LCOe_y`VW)mb}rvTe}8{7wq)cEOw_WeMo0>nuiuM z(l^7-SLu6vOlC=1;`-|5QjM)m?yWfnwdZ`YbACyww|(U5=SS-K=CgWLH7OA@bjGo4 z8qIxR-+xBnk}2{BkU$|;?g%BSj&)jXguNQB$$h zi}U@;=4?-MMM%>6DX;a-P4!4$Q`-ovO`<#08uoBjD)%!XO4@1!Uu^ZXfmVR-&ZUZ3 zC2n4UdnRI1j>f|3iK0_?cxO`0F=0YT#W*#n3q|BRw>bU!a`Z z05v?Z%ZLNlkvj-OkRk?(@*?_*Aw~Y#giXRV^kJ&YsFpsODCtwe(RA=b>Fv*B}jgH|tH?UYBYdAq_n`=$pBcO%YRI4bg zGtnO>dr3xVyOze(4>1(XqQAZdx3-FunaX9rbAa@=%Ps7^EM$xEx8VWq==3aoFJ}gn zRFw7B4fLFng42h@4-}O#lbx%&OG~{X;5{N}HO8fKD`o5ooQD;^DZX!eA$^o}Z`dao zhd)SCh)*SWeIh=-{pzC+Rxr7K|7xAeU*=gh?RJ?o>hT&P3dZ+W6+_A5@wa!+KP!80 z=BQStJ78NGc#2H2p2l1u z_b!S*u+OC!-Qp64OlVs|O;E^91>w}2{$q9Z;7@o&*;$fD2y4_5BuNWt8BGZ;KZr}` z&^#8pyZMvcnps_GNmWw1rh?aTv>F<$%pzMtZoh_t*l!eKtb&Mo!&?#>6mgSvoS-$% z325i{CogAipSp|{LJw>Q`V`!SVrI%QYk*c;ef{9kvb;Ak{IF!Z`d~c<_nF1Qpx3Q0 z=kFf!$6a~D<8W0zjn>J&8Z9x_-}Pr5xoWzrfBSBpIAg~7$*m7;JTjmo%ig3E%Wimh zu*r#=3EBIndq9OMEoFz;(`7paCmb8~mP14Ut6}Kr5eD&v3a)p_o;L>@{gvf&22Kp_ z1!KKbY*m9F?GqQ!*SDH_tiRON3I{Dwm$TPhMu;STUUSqr9;~%&<9ECH6zV1DA7mZ2s$24ihPQm(fZn_B-o! 
zl=DI1z_TZu!y$t-`KTWwDkz8&C>D%DEOtTNSbU-qNr#(}u1;d5c(~iUf&Tsji%G57 zxpgwsr&HV_3%7}Q-AoFuO8Jv~A&p~g1(*9`2RC!#JLAR_N(z_L=I~vkwwNzXAJ=Hv z%`Q}twJpfsmti6Ph9ZgwgS->V271Mlo4i@bHlU5(HvS-X(^-n>1J|A8Ct)bCLy$}Dzlgqsw?P$R>spnT z#G4=H?o}|I7f@t*rf6@Eyma4U#%R9;bOHwAZd(`3Ij*CrAd+@+rte=1z<$-0_1h@< ze0BX5pi@z9Zx_8)4y)hi+dYpu@IW8eF97rCD#8EjJofKo^8c@Stf;-7+t&tIM@OT7 zw`bCQZOQ!qG_U=i=dw&p>}>zXTsFf+O-XdQ*95B;g}*lxvXmS@+!qWk8M1jmE&qh< zJ4!+Diogu0X4DW87N(_ItEqu4Ssq6d8*M$DhZAYzYfYbB)DHOOgYFN-8Nc;o#~R;r*6EGhr*!e~@K}>y1#HN` z_jAi>ZRjv}3aF8}wIYAYxv0`TF1TeZg?{=aMk*^36l`{K9@=NPdz+F`46zLJ*J)f^ zrI(0va0izcclDX}NO)MlFU8oy43*G98?_Yd7~)itS@ZcGxbY3xB!9_Q?KbQo+(38hz2i74 z*JHC`RX;l}E>3cb?uZ02gqpitGA@n?siRCV4 zaWNqcDwI$_C^rs^xeHrHP9Fu`gqpgA6K-QZ$-y>I933f(@0~=5kGl_)kbaM|WGRSZ z2I8=4K)g+nyP)iYD^k=4Dq@%&IC(?n$LV_!qS-8=kP7vQgx8O9Rzq!&_wkqm#MP$+ zK|*+(wS(hw(8PTvx5+%g5SG_g+axMo&PXk9Ap2x#=Xf+ZzmY~P(7ob2?*;yaO^~r= zFA`PKtN9kbLC#~iy2OmekaBn5XHi&!UErSLU%-9jd*||K3rxE3XJ*qox9EKOx!ukL z9B2kH7A0e`u{AHAA6c^up~e-z1vZG{d^7f58>^g zU*I#0d^u+p3x)P{LS$dB#cfBh8xlR7r}>V$nM#l`>Xln=U_~&Cg=81VP8jY?KagaX zaC?Q!uLXOEDM@fU#@~Sm64$pZjWHG&d=i%@H;8lE%ka`Hz_0Zh6$#;Dowvtbv6Rl@ zH*zbS5RRwx?0ANM78p?9${X*(Q}V#{9BgljoEEVU9>yEhty=qCzoVEk8R>C`QfMsP^dhC>9A3@S3*WTekQsKTu)!%=I)7i+ z_m$y9gJTaQ)oMzgWF(<3piB|_VkS6@(twj->S`zA!gDLnzzaQr-$GW~^8gH#Bddl1TDz-|1=(YP_i|LkqJCD}H? 
zs0PRj-?UG6D0Ic>?IEb<3ys0my<Dd!pZ zQ}LKyEuhqI;1_>=W%LUDxe0R+`NnkI8f@?Q={3rpuY#P_A>yQfAZ$GEH98PJ4BCku zP?dY?Mr;Gfh4nA{)$gQocHvQ6CFs!|R`#Jo8G08mHLayxcmkEHCsawkRxJ_a)FDog z7G%U{Z-;vHL&GZ&3airi#ZD^`fOIn2yBict%iTpg2$?`jp-4ECYR~rGa zv&-3mumNp7)^Yj(n5d{IEsB7ZD@5l~d9&CtIma+Z_<-UyVN`vC z(6_5fMLGB1oIx*o>Jj+bN-OF_LUlB!si2!gYO~^>_}^4=g<q+k*q65_@PCTPK+!)ISYUonB5J+J|mOMBQ#(HpB-qu*QbxSTIVRszDV(sooL< zrrM~5s-NY_^a;S{F!DPycL@0*{WOIX>NWF;%uESwKGj0a7JXzbIQ6)PP#AV3p+P-s;z;yVj2Q7?Wq6n@;*H7~*!{;ro)( z!K!fZ{Az<=OrC@GL4_Yr!X{XyGEY$)VYfUw16jvf*~g3}QYxW?<6r$`7KMn#$U_Jo zqGx5sRldZ%2pboMrN6kF8Ei9=n?&$54F8;h=>pPW+Ff$QK6^zmao2r@`viSZ(y(YK zhX~M9tsit1k@n>vnnWD6blp|Pm7pXtjWi`QGYaJpU)X0_W zQhBWcEBtIxh*4;hPR+PL8f7e%Iwo|5H#0Wv<>wLQj?q5&ZKwiJzb@|*UcnHJDR@4d zbQqK*sQjtgos` z?um5qH3Ti62##N_XCmn#rk*JB#}_%eeLHO4X}&>w6r`2RYTZZqF>t#NucT0VMZ4*h zojW^qECHIP{lqGX%u&W5_cjYzhR%sK z3?%|xLh2Xz4ubWLrB&F?EO7~comvL;(**gz>9=4LV#wx5ng59trc9Q!p~T+cX6MjM zHfRKV9YO?C_p=~!VqN#LvWAjlN+jM@09O5{Pm&0p6_n)-_+;Dqb}$mM(Wo`iUyl)o zWAue`Gu%%Lpx>7OIiPTT9SWt#ORxj)$sSSWiPD)-c%SWf!$r4{tqA z9-pCW7&{bHmGdAHl;E5keNNZbV}H=FLbaF+ z3EX=IgSG6L@Ut*D4u4+oU`71=9Q6qO8T*Xbgnvz7&c7wN;NKZi3g(6&50ft)3hsR> zptq{cDOOLKS%a#g^9W2fbH$K@RI`1e^C8^PMb?{k<$8utyRiLZF*$bj4f1Tjn$zee z#0RTiOB72~o;fBFvAteGUrD#fpM!SRIyR4QE|DDLv<4AJ z{1Fl{t-j004x*U#b?VOw~R zQhZgDu;!{Cg<^ljey`Qh6$R(@c~kL?9zdWQC5F&yz)^#jBss>R2LsO)upU6mRIZEh z;d<+;0W;^?IcPk!r{mVS>4Sc)Z-%i~q{;O|2OQzx?SRsI#OO}6jEZlAtl=g0 zas|{RDcF7_r0Ls_o3*44+-FF6rHdhscUj*NRSd?sX}c6F=flW@_RT7YA1icSi3T;W zb=aS~AOs9=63)849Xc}Uez1h+CD6PtdatO~vqX%b76g+w6YLX7d|dcto1(rM62og* z5{Ufno4nz?Q~H3Hia!y(8smuj(3!d~&gmB7{+M0llc9HyXZX%jf5Lu+zSEo)V?ZH3 z5ML~ZXYAFNn2NfGrpNd4TXv49-vN8!!M?iF_T~PY%@}Uq)k=V@$ zRenx3u0gFGJXWg^_+zc-1`&%OowrTQ1i_DI{rkj-4t$@_@CQv8|8aJ)QGDbt_c{TMHz*sHgf1;qBpF1IvFpxCbhT!Sf)92 z{#3aDFD)2-<`ix$4ru_}?qW*goGMr4_B{6t$@CYwh}V$JSGYEYC-tKmi=ke}@Y2B) zm+-u?nSii~|6>{RsQh7|fCXP998r|XvzbD?N9%%O8rv6Z9r1DfHnY4gyn*KT)jo^jr7z_fd*7acA&QJ`+;>{hRlLO)D6aJk! 
zq+WGf%Wr;!z3gW?dV2aYcMwqqvM1WD1%LM2d6D*NH(|k~;{iE=jXOew-b`1n7>+l6 z004(7VCDV8Zj5F(+k0XDK?DhP(lBToU*dRxnSc}&Va&XP8OCmBUXZ#71ypV;#|w%&;0J(gUO1a}ngmi?KD?`*CU4;n#?U*Ew<4L@#SxR^`1=#4g>r|CLz zNQRDlib5_ z(4S1HTr};by^qGi@=7f3Ke5y^_Jb-|Icr|^Z^nv?XI?nGOs3Q+rV7ox{%9Tk+P_zK zLwluWY@$%{a*~mQ9ASEvx<|9F)3zb!x(YaX~&-+qUhRa z|JPNezbU}~ZB^-iWfcPiqyaKE_Evh900TXI`v00+`!@smzg7A_w^WFH)dL9puk2q2 z20B_MCVWOlT2?luzq!GBj`n7MGlRc!f>~Jp<|EVLGtkmA{*#*gcP;9FUS?uuWMusB z%S=I<8r6rC@b7@r2|d}|0#GE#UnlfJ?=PkAcGqvb9IiCHVw7fOj*Tg9t3xcoeD9C< z=YZeOvcFknJv4al6PFL)I*J~C|Ka8Bk@!^R9dEqSc=h!0wo;sOQtZFZ(K&Clr0_XY zI&OCsNSDacC?)7I$A2@(R*)Pok#^EyQBr?BkrA8Me102Mq%3n1_)Kb%Gsrq?Z{}Mm zPCh1KqL}X-|>UuyBH5p)Tv_a1{A>mt~NSQ{@)x`QuU#$wP;HCji;lYr+Ihe%mJh#&U*ZGc5%^ElR=(!Dkej?)+-ROO~uB4NJ#dcjuO?@P2CF z8IXZhJo#YtJk_b)BnQ^#bkh+L*uWGB=zUM7wfj5F_GuKOJ1EWhQqBAGub`8`U{ z+mC{U`AQ;~85D>MN9M4`7j42Uuf1nzFNdcdSlal3<{a95zRUq(@^EWwrsKo;pi#9eJ!88g8S_u$}i+5BwR}p61l;ZZbV))Y9iik zf2fkg{$mjsTVTnc$m)L#WzkIxPwbjqYn@+&)prld()Qi+@~D=zUpb#<);B1l=6mN> zvy?`go{5j(l_OCglT}w~2B?jI_RmOD9fFscb=rn8HCMtyTTJn0$~yIkxDC^J!n)Of zU*f&c1lIfmtpW$ue82@r-`z~6ac5Yh8|dg#^A8SI1xdcPZp5i*G)uzLHn>6$lMu=Z zO))?vhKdzgr8w>P^ox~6h)4(`-WD#=PMQ#i04-Hz_-|kKG6RooT%8j_S zB#9vk3xKp?6KOkC<+#P;c|-||!7rf>B?Q7&0w$gCWWhpCq3uk}Emg&7qRslJr^bJVdRQ8J~+a%K( zdgWJ40@$qqdTUU;OzE#b3xFM*i-4SB2eliqCQbQivQkSJ89}P3MjC{quLTAtf0Q$g zLzBR1EooM12;+34tbnZS>713GCo&o79dHb&nbhO4v@{jei^`i-m8 z8Pp%r#A>^Fp@aA8+qZqV$FaeddfA>P%*E#ijS32l_ICfnK6rTEfV63GxFacl4Q-18 z1CWliruTT)#&`E{#vINWPcltur?lxA4gWG{|Cp``BlBc8$3%LX ze)_D3Ip=y~)H~ie$5`VxFM!7zvhua!T6>UbvQXLVfEj9LHy>!j_R;R8She6`K8Oml z-LTg^4b&aOHRw{OtF7-&^8H16{iC`}$P-7kCpNlA`{mdk)c zPk%F4MXx#g)SZ-4p5U^WJn=ezRMcH81*Zy2Ka9xh_L7RdMV6uV=<-;8CM20Z8=|K& zSf2&c+Au6zAh7)=RyKW0Y}zV=YV;)ZHCa|WGb}A~Y(Fl$ zj4n5KB^wJAMujrLb6sxHV*)+#9fGgSZ00jU3+Sk#MhJeqw4{t;TT^xVWPXTdHF9<# zFx<_iM?uu!nV1B2nV!9p7;c#UVO8?2$xi8w)f@Qqn-+l=?4~=U3$Pv4pVq}-muKx$ zgS$X%x|G-p*R7j$Z{iJlsYb92&c!Sa4^KmKvhiwDq*bj_Fwcw~vYTj7v`oAKD3w6L z4?qiBc}EqIdOX?p_nS(aPC1U-{1S@NA3k&FP$l=Iuv>5gdwWgVe{2`(R8z}zlc 
z2ULfRtwN|lH#g6j?@PU#4UycJDC%M%MJy%mVgeo0EODQAzM$_R|p`QX*OG z+2!b97sAt3TrC-G&EqB(@?skQ7V5Gzc$Mm-#$x!>LHx9RsO~T{e@M|91jM?&_tG-A zjUUOINs>RGTt~iKRk#U!sZWO$2b>0Un_>A|!;S$D7f469cafy4buUcy^b)QK%y36E zC1D$U-W1q(k&w`&-|~`>lYgz^M!{$GL3ATq_yBHnPDiet()keu-c48=^h-H=I&U!@ z4TyP!_yKJo)5EdB6atTo5a=>Y%^FFi?SXGD0yP&h?6#Q@Zp8CJy)fhP)jU?Y{>^AMQS~f%+)D6DR#96n0T5=7#3 zPSrr8%onroO1*F!ih>))AKwnPV^}Z+{Z^S|OR5l7hu#3Xi(e!8U?nt`sV}i)8qBHK z2M~0E4;dzATF?(=%)E=t9PMtzu(AoFLj;4a?7JftC6>oxC8fisyT#arzR_31TSxolWm`3SBi-gqvTA{=~;H9b0Rxa4)2!m%=%VDU^)3x++jh{}!WIt1WZ98!0|1ur- zKI@rmi*Gj6K38Xc?fy!jM>Dk5bszu=Yt^JkKC0liebBcxM_9E(z=coRi?oAG( z&Ln|QE_L#VV9V3XEqVvm@2q2Z)1r-=lAZ6~+$d?PEsRu9&@<|V9Ta{nd76$QSLh4$ z1PfxIhHZQUtt9M3v2=O&LeB&+?5aIQvAm$7O<78k0>r)mJuh#Ur1ktkpe z5xpbE+1sJ=E97e6s;vYh`^OAP-w<$`r;r=NDY&(zPuCM`4P@#vpb%SE%9r6kTy3yg zeb(jl&i9qCaiZ-+W^B#twZ|1PI?G~aK_e2y|-iIvDS0CS?-d5W8W##;Wus3~vuybzmf zQuYjG4Gt-hH_cNz30;@U4m5t96d}|FCcsu(#)E|P!Ao7gi z{IC+L`_o$jTO*eOPyHUOZU2cTN$V2^-sMfEJp%9otzjy8g*YWr4b<)|;_ZZn( z4Gh|EP@^$MQivb1;8!47h9?5hZ727F2%21MUphTG%!Q?Ia!?>;2(F24WEB~$Z!d+w zLwmTFUUCk84*mSI@SwXGjM%4hPPC8Wwm744p({&4bg7y{J3+x)>yAt>6yhtAue1V* z?Mb*oP&$2Gv8d+xBh>I|$hhpu^YzO`-CmNg=?q3ncqApzKN(z(5`?G#r-Aj^94%DS z6;}qn&`7eaO^D`NGd5qIDh-|t2xI@!n$^WKy$V_dml#{9i0l-&D<{5wwBLqI@dxb~ zPb3MoaLuo9SzP<@cy>jLu-b?#Wb6oq3nllC-w>M^r*Nf>HVYvFFR!lopA)tEjSE~n z8N8DC3|D=EsxFK99TorRLxf$J^bi@(jnmT^(?joUhq5aLpo_DY987{UaP;hKq(ww` zKFpfnq=?ALd26Bxg}(I+Oa7^wV;6gd61Kq=E2EjK$8#Nxs3WKb*4hgwg0tfCZ={`B zqCjW{s*^7wwTe={SyE_?Xgj^^iGn%PPez&VPvm@LU1!0g53v~NpX}@o42M&Tjo%M5DJqXi>rSL76P-j$TWnZ|#gOWaNE80tv!MOjsJ z2g4z!s*{nsm}JE?ieo2{CK@abxb@UIUq)SmmYb57qT5hh^gXk3d=C?ij>rwGPys_k z4;#&z4XSS+lsa$&SR&m^(}=;=`MMsMfG55tBCAp3s{Uc{y(N*gJ3dDUR|VVGn~i!2 zu7OO&rj6M|y@_*tI}%UmkZBbk^GlZUV*e4#bVj|j;C|@a7SI4u8g`R&K=tkeG z#Y2eIL==5d{w{Rt`Q!nK%~Bv>%~1EX$K+EaPR1ndpf0qF;3pN4#23LYt$9UM!AYlJno7$p!o@$Ai}CUs*aOY&mc^C;fUZ7=cn#mQBaogWDr zDd@1`2RTq_tWl+r?8ZuV&XgvPelPhJ2c~RdLErcL{tT?q(@Wx>+D;ciPJj6s z)v+OkuuvTZiKFV)fqfaC8V#tcUrq-IVU2ZocB8(?j`QW( 
zx7X#AspMP5Qdt@55{|TH2{dhHOcq=txfw+vFiFsEzV~h=sVId}VcNPFqhe9LiHs)l zLNn;L9}TA~CFQ+*0ZtHbAh?D7sk&FnZT;QR%{MCK_P)3@fvExI(x(_3Fsetv{`xf+ zIEpMZ7|(c0Q^NiAUlUUWS{Cz(gE7FLBn$GpH)#8#>~asn#PW8e^9?@D0R5rdGz*=R zvfVUFpd)#UWAK@GW!ub?WfiRq7q^ULe+w~?d;c&g62aW>y}Z?=R9Y|+9uW`X!iiKG zfsOZ=>{w3z@+%}e_fW6;T_Q`=!1gCP6brC=@E3h6Vz7uaC6L4~$yoNw*jf*Z9josL zHjxNaXGeB3<5YUs0SutMdp3GHb8JP#^gCPpKr8JR=N6N+=*dlqSIl$fk!u0l*ru)# z^Hj;S6L*<$B@<#EVj;+R-J_wnn*8(abYMul&xK7XEbm4-T%*C=v$*TrJr>5ltJW89 zL-l`a^i2P-Y6805vDJxHNov~Eyn-yv_eysI?~Tz>s~dlKt}=}@!W_2$MrPlg(5^vi zF$DK+<^9RZRejiT5CS~z_^OFxyQ9+gRhhv=_E>6D2{`>! zkZcRa(kFr6X@M!mEguIO)$Q3(_?oer;aX5V`%9!_Nl`re4M38mS2=B@j|=YS z()NP+THxalUKR?Ba-CKTrfYUqxtF1r8hCSi+fE z-fx!U@+tC+(Osnb>A~$F1>v#k8*x;$1*Yqu4Z$Z}wY{x%~*i=9;mXFnKa(Y%qAiPH=5j_W^#}>l&W_p&g zDomo*AmBqYYZFkVo3*gDgV~?w53QaXIT+ZR**e+rRbtU3s7~MCQL~j6uZ4((qTcNg9GgV&>?^An}Jx z4E3xXABJ%tW_d&-Wm2(uVQuz+ZVA%OBO2##y7?1=6a?A%s5x!oM>~5Y>+#A@0)IE1 zpM?A@mwYDq{9)DyV`KdR*!jo{=(389xa4zLJzJ)qq%u8M1DO*@{-7_F-5fyDe!yNO zW_cv;QRsi!1~JQzYDqN^@sGHqzY+gy5vRPpp^-gEgVaB#0inGr8JU=Yswmy4g+Umu zMi20>PPVp|Mph42^cyVb<19ZJeOxdP)c-}sBUOKy=uhVV57{Xv_pf#eGU12G|FBce z|Iki3ADjQQQ&z6O+v(%ipwx*GD@cZq()>+^|48*b>g}gm|K>p0{v&hzkG#kuO6|Yp zMOaz>@*;o0+5TdS|41+We@8{XDdbm={!$jg69ewIGWj5gP?I=C`mqis7)OmZ5?=+ znDks681=05+-e<4!XAXHijU4WnGX*vIMO+5E;skfXjbC8vm9q zd_))i$C~?V>-rbo??37ISRZkYe{+0)ARqr_PLFLKXV)TTeZ)Tg)$u)E`AOUFjt@k` zPp$m-eIDx%7yY{>6SF=#Vvrs|WyGNE9fa!q3*CP@Y>;mMTR!h`mY+QS$373l_x~Yx z_kVX={>|MzD)u+={kmoR)Z;I!i=CO9k&Ba` zAK)jH!6Uf#PeuMKo>&+;*@-!r*%-M&=-%usjGzub82qnzjQ?vqJtpw~om&q4e4|2fEW;BO}X>&E$S|AYd_4CHv|_802J@JlP3`99P;>-Kv;qV8202i*&2 zSjf+E_D*)f6A^a&U-kt)p&7u1iN45lDHcHjk*Ec!-}&TCP>FFLduv354fZ!>Ri<(IZ^cCYqtc8?g2$BADr zE%qL>@o}G|P<3*JlF5G*?rdoi=h_KD4m(#^iOPxfKn8ZIn{0&~SL;$`+&8(LCm&aH z+OD;wXL_;43ffyUnPM4%0aheY(2XH#Ar1w-`Bqxr1|I5>b(}#+jQb)3`re|;x}o&; zhDBozqGq%9t=naDwr@kdZ}1%*Y73>xyn&2;`8?tLF6ixR=H{1|^lv7)HZEt^pRwJc zikn`PjLwpWyo(|lOW%Ta=^ip6S@il^A}x@NEM%jhvTb~LN)|cJzacP4Dg105KFsrO 
zmn~ne3y+Bi%hnD_oDR~w2cbDW7#?W_fe+#?gHz!o+2C$~8PS!Md@{+?86I{P0C@l| zL5_O7Z|vK{51<6Ew}%x9Oa}Ay$piop!$?RB3tof81ng2H$VCf17mgH3y*DZ`fe&i4)M zSPMlYlqu{4u^ftLw)N3>`J|mot`$+8X)0c3pE!NEVeV9$icV(90$zD9-{+B0;K*?w zi4zIQuZIMENqRd0`3E%mSZ5A~Mk3uf_SxV%kVP@EazX}Iuhk3fxT&M`%T?)<3Zb`p29fT^Dm(nDv zF(GuBlG6pcw+n+&tf@+gV=h69`NDnN+>oAu>YACDfd?-;7P$;`$(9s#fE;y?`pzsz z1`hM8xU;E)P1VWIb?f6Rp=C6eqcGQSfi6a(C zR8uf`e9k?L!}Tcpj~YZR7WB=NhkeWJ zQhAvK!TXWdbz4h#^@nj>VtU|FN*v!S%7aspqa(R zE))Zb%aA5mUy6g3Ne~V2F&37H@33y&IkG`+e^(v4nwNuhnSUc-SK?DlQcMuMhMlUn zrG7w5J-axSB@&cdDu(;6=&034g`}&RVm$IR*KB5*WOkY0?=!{L^fkx3F^ThA zCc!Ag!R-@mMEW;dCrkQ_zH6*^Jv4{S+fvF%ulRb{Q`ISjaXm;A{Q96VZ4HyG6@{?! zpA+)Y#4y0aHVU-gjp1yNV3lI@5z=?TZ!ssD2kMJwzvWha!sE@S+C>pu^V%qBoyt*N z5a4AfMq$Mwl>#Mlf^d?G1P65J6(7m=W)84iA-jzvki_jPM3&rV2rmm8`2_i*jK4Ja zRkX7(R!SJ6I#U;8a4gq}FdtaJ%VarLz(=R_n#WY@Y^_(W z8BibQP1;AXP(4?ZWzS!m`?6zFd{4vl4C3`m%u}_SiUm*iU_0v??dKPT_{|mgr6qPD zI=!FdZ5Q1$r+}z07}{;ubKbnAoGJY9u?vkt#N@!}o#|VdTi**=BW9a0@y!8DCM~9x zw7BH094!q6F5x4^aWV(-)B0kDR>mXBt1O;QW7B;e`WR^}7}jqFh0>fOIsBX>Mdw1n z_)m?3H$F+sxP6Q|riK-7uoIZ`IBT?{OVY~`9DhovOwWr}+BX!Ll=4Os8O(8uNCQK! z(WG}q1yZ=oRMMnZLWexyEe6@5iLOeA#{CU$ByFHHRZ&j39lA`tV?0msdor^bZ2Q{7 zi7QEHtnYM51ezZ3sx=zK-#!w4$fIRlfWf*hdedHpP!`p4;2z!6cu=mq_r^hctn5Q| z5D!zvdLrkjg#$0llc$s~DETc7Lqja{xcu6n;zbB0WTBWDGKWab2PMfeZ{cT2EJJjn zDD2wD1wJ#jq}pcaifIIwNq0r}zqzhd=Ig+X$&lqgVYbYx+8@9W-Ib=^yF#9F=_9qw z2$?qT<9-$~MHl1sY`;_Dh&(ht86Ea1iRw3xt+KS&+Dz2E1%%bU=SqSdsm~ExLrw)4 z8p0YfY@6NyE(5HZRQ5d^z%a<%h2>y{(-nHxbzV?T(qZ70N@tci)oo@Eh?YvHLqs@t zhge%pxJX6a*U_a#y^~rat_Io`))qSz@i43AH-U4_#clJx&<=)tJn@cE(gaGo zn>8+l%A9vUO1sqeKoZ~dCHcauYAb^$9GY!BJCU4Gl_WVV^O9gH%j0n1U|j5|w@Tci z#KZ~S@ddDu#MMF*`Z?n1M@r(pL%Q0Wd3H8} z?5MhBo?=F=EI5>l<6g^+#R6tA4km?0Sb5O+vDhuxdD!qp-94r00j~1>Gqty*MR^ypr-3 zMCl1)^xH^5zhpgIQS27t&1&GQuyjH-Dr<<*4;JZD#z?>TFoY>I8? 
zBF9QpvCe2}cUz*F!ewO^ZLfLQ#PJFwoL(fs5mOI7iCK(3GQZWlS;MfFl256bS;5BQ zyCBZRW##fk-aK{vw!sJ%sh-c(bI+_>G>Rz}jczAZnqQQR<@?(DTFf|SPxJN~cWuv% zFD^An^wg)rySzX;*hC>y%e?Y9AbkU+$C`gG7rj5awbN2bwmW=1i3eF_ zbgqlih9h>%R+bamDW4{qW5#nI*d(Z+ZEZ}y;?aUh+tczCa5aB~|i zA#|T6C9ZOIpKCNZN=P>(&Q?A&a2k5RDa9+ zT*6m4br^W2>n7XS(z(6=;cWN{?u_cGEM`5=Tu65#!ZGFAoa!mGMgIqmF_z9CZ15C1 zBY$WoiTeHXV6l3^8-@Dx7R*WXcV}0)-#vvkV$t*m4iQ`{27BJ<6Mm1Vc+pRe;gNWb z*V3@NNfNR8{#i;ub*FpUtzQT(dtMi1L4K@-xIV4aVtQEK;a3S@ak4jv`tpkx^PUQp($OCdPxppZ3b8H&z;?NUO2Wi6wEMzP*o+ zjI4_Z#AD6j+GJip`I38y)M)ECJ>b$?W>O$TX5|mgPCkc{jWZDk4p37Rn+t}Ag96An z2EUsb(2rr03ZQU4XY{D$?j!%UGVy8wrC}Gi#w=bXKz>f?*}M2v{nfI7 zK5KiEw^;y_=k{WG#7eNseeO#S2iXaq+PPUjYd0-_MRC>`ZY4z~*-$Fvy*uXt#3L$u z#W{Wftso^o#Fa0D6CJPF?c3O-@`;n5`F)aVWqE1-M%Sv}i@D^sK@WFNx_Bz0+8jam z36Y_pr6p6O)b47PU|$_jMU0Vm(6@~A+uAm<*2`8l@_?|!Q<8VA9DDMjm~Pq0j)-kz zhK4By+CWT2!DgHI)Ik(Txu{vwB5ovM>aiW+qotX+!@CH+*WYqKCF|fSAhytx*?)Ft zND(@}w_5N}ZDDe5)mEh>{lawBiOAbM(ZZ4wLU<({4sMbuGh3P)eK8j>w(>lKwYlN^ zNlQhskK)zL#@v=5?=UX^-kYmLWXUFrSE?#Ht=Z>K!BTPb#~J2i*?s4PirK*x_z8l} z!SKS{uM6>9t35@FjFn+81YMDWKYFbs8S`{y&1R>)0^Ze{kJlL6Fk6W_x7~EJ%6)%B z@bwsru~Y|72?p4p>Mk2PqQXbmx>$6kSV;IyxrzpXcj}{Ifoe!?doI$t3w+o&M?u$^ zagIVxGq4$-kO_pb*XU%*U<;Cf=Q5`v9aEW&?WPL4vKo^`fzIy(v)!mSrRzy^f|>{` zlO~6%>KqD)_aL+_*zdnYnm6eruScR;w7ZC4@+LhQfYdcJD-u|F%$XLC83jGS`IA8bNALRQMSX~O*hXcU5HE1PL$~uP+e*` zU0R!vOlfgGkE%eqU4#1WYDnm`?v$be6@7PTK`A)I0TpO>0X`&pImDs1Bh5^v5>>hN zR?6qb9(Gw?AACcFG7%cD~vE#=cKS}#<#b6(2 z`8m>`8u(Xvr#~70_k*yYyxMQcQI21dqa569e@2Fp8t5A->(R)4{vn*`F=kj2PgYuF5>5kxc_|r1%M(YCMgC00|NuR z0{sWvuK+YfUCoRE09jc8EdT(31wcW70iZxfV4#l_1jOUthhu;u%8%oR6Gc=2BH?EqlGSpYy~%>6vz82}a<8U`8)76t|e4h|L`5d#Sk0Ra&Q4ILSS0GEi6 z02d#hn4FP{n3SFjAD^0&hMt)P2m}&Qar1Mr@-eajSsw-ggM))ZL_owwLc(Sx!6#w; z-~M;s4nTzk+k?=D03!u}qk=)8g57@v5P>L#0!iXQ7=Qc&1BZZwf`);GgGT^0s6_#Q zgF!%mLqb47L4w!?^8$SjfJB8tBViGSMpx8>A+^I`^^1E4OD0m;fvGfhNY18j?+*u$ z^%NTimx7XtnuZq0&cVsW&GYQJsF=8fq?EGC3sp6B4NU_>BV!X&Gjj(=CubK|H}`mL}On4FrP`8+$f zvbwhZbz^hu+xGXP;}Z}J`^Dwe17BbOh#zeI$=TodLIv>!4habX3G=`g7`O}Q1Az(& 
zMZyA&CaegfXNOM8>IaJ<68EmM1CESM=@3)jeheOq9JoU9{eiVd&i-?Z`Tv(V`;)Q1 z_?iPCf(#QJ6#^9?2>9N{AXwj)NT}&!=R@m+*^sgrcH4bZ#L>Hz8C$~fhI6_@g%>9Q zei3^gANM3FK%|-~Pc^&}{Z>;SkM%}~p46+|WGMn_;K$^AHFv9bD%&)OHc6Qa zx&twfbn%1(em!;P>{<@)>QPusYf7$GkF>;5qaSF`VB68|-fXveA|d0uX}*Y zNLYf)1X(Je>}$dK)1#b0`F*CZs$V85_H$UZ)E7swx5tD=U{;|xmU@nM-`7?*yscP5 z=^U-w@#_YtKC-9y*s-MYo9640Z&+y_WMa;Zc}?*JpFl;fHH?Wxd{(62>dJ689U@$4 zS!Sp(z@#7N5Pu{ypX0bF5{MQ+J@l$a>>hCL6fg;Fo50!iBE@ zCI5@C8nE6J%A+O`2pmcD*nhL$%^`4uz|`T&O??qgy(EdfqKHwAz6%8q|Aiwpxx^y+ zK?Jk9Y-7A6Hp}bKQwW@HR%wLK8q->Ig>x(oU7Z6egn{d}0ySW2ztC6OW#DG7B5dNo z@=D{mZMET(+*kIr%DLNm(`@;=Fm{Q`mX|hJy+APWU;32a1B}eY8~_tGo?kezTSu;a zPkY$H%gB|U(TM_W@WXBUwqLxy4(Q8*y?Hb~w+B-xnpA-B{Oh#XbP_wC+_2c6zX6i~ z!1>GQrE?lDmu2)ng!X+g^c8A9C7&)jOv-;1E#WwnME|7Q6AbNZ_r_{AW7Pjwi_L_$JNA}$a=%TYzqK3teCDXd5RnM~5_WJMIhR6$UARRG7hlaXS zk_;vj`g5~mp)eGMI!o2(BU;3!KcA!;MjppBxBF;TNJWn|Hlmg1vc`Rmehqd)S(m@K z<$gXJ`CZteunXLXY{;(EL=Vg(7C!UiIfvkp;}|Br~{!(eG{_W-4fo_(L7VDUBeMnhKDOf~=M0|m3164c=OSgWWh ziQ5IMu_K{DcK{u0v`=pad}Ba+s&)2Uk!encv{vS3yUOBhoDXk{g4Vx$B%e{N6u+1P)AEZLc z*wEnNy@&{>5D07do3>l`FWYurt_*iWOpM;6k#0H;mc984t0{!ZMHce62`kqnt}>k7 z#PwmPIKuY;jjybQ5T7$suBT%{(F|b1nc1Jem?AOZDY*J@y8);>ze`-Zv&u11#kQ!8p^m9oFo@YJ2*8>|yBH6g1j9=ilM% zWhHOLdHY$?&CTYvlBOyC`#FDU)+^F068t+%P({LWUvZW0Vq?)jaC#riq~WB1W1fag zm6b!X_9mj2#J=hKa+eR%<$_(>#HI!coJ4a~2D=`|ZyDL@qFbBQlndREkRw`$*s-k6 zGR^LKK+J4fU7oE)ns8ST1YaG^!fP$P>}MNB(=BNq@6ZQX}!D$Xy00l z7}jTKFIgV-H`H;QQ&CNB7M&N7wY7v3QS#2`MqnR}8zWpogwsFe_a0_AE%GGG8UDa8 zGCeYV)uYO_1mS%o*l*9@QEI{2JY(E&_&GqOQn>J?g3WVM8s+@% zq{=h<*=fT3J)lCv8*uCy<#Ww@_e_6~LrZYl>GI5{wr(PIeYLH{pNST4zA*c4-GQ}Y z{Ru7hdOQx6M6T<)a-yStsX(COtA?cueDfTYX*Ffs(X`tbj!&GI7k$@h4Z}KzOWCPn znX4XYC0%k)9tF0mO?cG39|I{pNdIf$V2HIZ5>I}%{M-hWuJ|2Mz2X@883(JJ zCb~$?3c{g`bw1rlJ3u{TjMSOg@s8*2U8P)T$|PhuqY~%@F$1#pz(Fh!-vg zM&TY1o40xE;&Tf-WuCNQ;NV2RTUiNq>#n zwC=B03-19z4qryEuxbvjPsMqjD6h}a?J!-a2_S+LZ6S9LXjAd&Y&bNzMbHHO$RZ~l zhUUl$^ECN}E)&}4Q*D9Ia&C5AO7-xEaAZtet3Kg zMOEUmD7LPnWzE|U8yj?Z1oM!`;4XF9)L)|v*2odp_>7ybTf9fRu7VbPjF+8^tnhj4 
z8#lO)z>Ir~DE+XjT;;f1W!aRa(@N18@`B#Q^9@%59s1PX13YIEJt6M_amretyTOioKz6q~5|^^F^@bBImu64F{FhUk z>y4PYj_u|1VWV|$Fk-_mhNq>AWNO-)cwtC2NlUVW^Q)>vEXt9QKD2EH5P~*r`PZI= zWuTGA&Mx@1?k-Ckha+^yH`BjF@32xWK~rJxO-8!B8}moD;c#5G37Bd-NEKLyDe+lm ze-rTb)mXrm*)=S}4m$Ae@gfN36It~h&}u;+iBE{6&@^3hjgVN^P|q@O4{-7AF<`E9IZe<3a|ey+SZhe)D<%=f;nm24o6-Ro|T#eeWr<@pgE*2ViUs>5S7 zvt|>U`$}<_m`MFi!4Il)el*r_6?pyQdeQIK9sj+n6_`T~EGi>Hqolbpw@SBACg1J> zJM*`5pB~Q~Cc`63qf?daqdsS{vFROx^-6KH-JA%<7M7E3|jQhvUNQjt;N!Fu(7xYj6S=B|3PWF&P=zOX4F#3hcmlg{BtDy zt`S5bSczR&K6_XK+M&6{?#$4GR~gT*;k5#Ach@ET-Ou|7XpY`Da-KbMn)AnKUr(0N z%pqhV_M9^pq4}M)L`2uT^jkSUl3l1@R`r3 z@+CZ9@I4@-;0Uu{#EHRt=~_kG*n-Rk7>3yhRw;t-`Q>zk?P5kWYa7kH5i|Xys7f*i zaqvKmnk(CYF6rh+R}42Kkgnv{>DZK8Gx%j+1qe3OdXzQ!hrx2e%je5F%(+CIMvPX^ z@wdEn4@}mPsqBlVis!Jte0`k3<1gID4n!(ClW)_wpnx&q-WaLT2c(1J|Q2y zQ#;iJmBi0KP>D0=LM0gF4il{7YCO41-q6q(KDEX&Y)5&{yM`#{6}IZj z>G?OFk`K!k=eH@08|v$&2eA*{N?ivku`$yIT&O`5)T-1?S+9PF(3N$u{m#EQ)tq$Q z<{bC20g}mhEnyi5HhcL)Fw{qQckY>eYMK0Z*-R@<$x6-YR?SIoOIApa<%CS{0blcl zA^5D$%jadP8Y|K9n$8=M{PXSs0XV||tsh+#*Ew%a1!K$MiLelgYTrTU(Y@I-iC^?A z5C)4x0Z&qRBF=|CEHJM*8PCr#vT-`RYIZzGWZ1wRZ~hxw(POGRvI)Xz z*Q$5lYRLsWIUU|O99b_kT-OU^)HLRo_~@;A=@_`K$@+Igd~_H2$U#mN1MSO;{6j;3 zn9dsg+@@|iL%CDL;PVgfgB>m0nm@#)pcxw6NU=mZ7FsLqsE^g~OKGbq)unE@eo5GM zVL+3}tsAa!;llp}-Qi~rW41{Za6hGBsdf&&?sb8ES!;}xZ4R4Z2qQo2XCTe^~suBMQbKfq_e@4 zoJ0ugNQl55FS@wzlW6niXO;52^2D|MagA^LNr+;Jy)nSHb$(wA8%qRivhU{1zPa$1 zx}+xLR?WBe15oJzW%F@YYO;iRZVq4Qw36f2>g!RT9~E^0jv(n_w`}c^%K(nvzmGI( zc7E>MiZPWr9B<}$-Vlvr!aMuXaF5<2gN{kQwdF%y%jU*;A^bd8im@O#w%NK-s;q?y{PHTVhs&>$8!Ns z@P=JY~@O;^XG+#$XTIh)IsxLp&4^@f(7_<5mFD7}V0S&@@NprTQ;Y<`LsUlSrY_?;e3 z<>b+LFA`9EL%yoXuQFv6WTqHol_-C+mtVa`bF$K>-e*|)x;OqkQ15j+UJs3TP4zL?0t4OIbzx_@t$OhDz26ZXPr9vL8!cihdy%HP-$zfc z9s-fySATqJp0Fsl7PsWf!}Qxo9n<^eCgZ@+Br_|ycXk-ck_ecNhMB`zq<=w(b_3%vgQe0)t0)(I@{d@=}jKG60qwL zPQ=I)>~8amCY2c3@$8_A+?x1pVcb!C%l$0-k5G`C5aqm|pnqRgcH%m1ZB2)#dr^Za zQO)DpT0!k;)|kPtePr>p2$GxM2{zJ@&$_QPhh}UxG+$y526-|{?82A>4*u9+{@f)p 
zDyQ=+57TdVkJt}BlP3WaA_od>;mF$by`qdH%P*n_uVreSXVgNczleiZ_kzHu>Cs7I zu=`;6jD2}+eiPDHAcKj@)afO;bedST1-7Az&^k2zGt{^4F8Hd*(Msw$)xj2TKvw0} z;bvg8P4)^SE*QX!gM-tz4GSPl_-%dZsI8QQWsS2__?!5S@|Pmf;1B750CrY#&q zvf!Lig}0B_rfrdV^j9!aaehFy@7qfZ)@9QVgxQZ4>a7L1Wc=Xm{SH>nOb+vMo-l6d!UdEN3SDH<2;;}Wfdw7v?i3E}gBbP4${F4a72oR zE!T;zf!$-5<&fSJWfw$ysiC1Ijw?1cKR_O@5CEVi7%g+q9Lb&gP{KYd&+r6|`W{g4 zt0(?dg?F>%G4X+T-sYQmL~G%5dLekCULjl|cma10AT0;o&FBW)14P45m>58PmJ`iH z_w}?b9aB|`+l z^Sdq-WAi&LFB$aN=lm+3bPrgt8AyyhAWN7yL8zzS8{ZzmiB!`ue{KY!AJ-3wXh>+M zjqzQQVyZOMTm5ad!#0a*^IsDe<;HT%4hbYXAtqNxIEk@HH-0sypTWTgPp?$$%3esL zfjM(z5$VP$4eBSg2kU3J;qF_TYiwhbf0+A`$Gm}%VX_Qd(b+2Xvuu4zUAkd%fI1PA zOFq}I!H%kpMXo3$2*RK9ZIu?;8&#G_1Lui;zLR~6hNI={s7s~5SVuJ?zjxi>3A+xd zFHO%CyR55vt-#6S#lGBBS+&2+XtuZ0h7vRkxga_MW`G{5?AmC}`;whG!d-rF9`i$I zyzexkveUn|frOs(C>YUC8cB}#fYZIZJyY?!B5(gfbu#)PskozaOmD$c=@ZOetuzzSBE`Kqygk#gWbQ3yBS=M-UGZ; zdhDZn;{B7pTG6(fxxXk2?=wUZL*d4z!nA+$HReF@_EbDcuo;xdo|1NPp`kNXY#XyW zMJO!S@u;T^lcJlKGvJkk42W)l65-=4h{&%OG&N>uE|GKIr>ptEFR^W*JV>u0W0zobzwe-0NZmorc}y!{Si6X4*njv)x4%LdL~0RMlxd)N9V4%0mmEe z&FP9i$W;76i|A+dp|q}4&kkYqe4H?rA(eWAB-K+T50wDniB3yYW<|0-fP=4wb7mK& z&)+8Q>~SO{oY-4M%^pwzS|zOIfAyUO{|+Ak*iC)de$6Ze2+6<@M@ zfT}>j<>dQ&Kxx8ZJ~ccu^?W}`3i=GRFY750>^I!>p@d3=`5uN@}7dmg@?q%G<(haU=sXbmG8mc4F&s^;xDaFe9~o$%$zk_8t0dvZG5a~W?XIl5_u?IRIv9)FOJO1tp|ky zlqwIWWAX>dlalmsC5GgajS&lQu*su4OEpaAoYSp9xT0@uyU^dDqS)eP_-H1Zfu3(- zKqjMD1A5pK2R(Hcf@1@J7J*RxLdliz}DGb(5Hbv%C6{(ptr&+G_-x;w~r+J=PWz~v&&CG0rK)(O+?2i z%^Vjw5X`Wx=mXxmd%Wle?$GG0tbYib+YqGHAIxOod36;n%lJ=Hc}J19=7L(9pSnAu zbz1_0qz-)@A?D{QBu%VnpT`SD#=du*v4IsA5qSMK6=y+C0(baThs&7C#ywn!UxVIQ zMOu`J2zm{y{Fza!6&$mk_X?HZNclfh!-2%uGwqUrV7ivLm}{&US#3bIZA<$hZ)K5A ztzIi)N0;M;tY34F4yzm&+2mBq?}n8HPu7J?J-#f}oSZPMeG!8yZTioO(l+!*NRP%OR-o$UNI$}ItKDbqm*J2h)7Owq`+SOlurV$NbW}>P8 z(K+0UaY>ekmpUW?pF)NL=BlcI3@2NbNG=II~$njs__ zXFTPqrHc}PVX3@Ji!t9+f~98r*D;; zks3+Y_EV*!5Tu)`k_J4mb>=h>V{mj3(Br*p|7rZ-^XhZ6L0F&2g%u6JpaF`XylayM z15WVL!mKGP7wOBj=SS?~PsxjznzR&pm>%?;J~@{N7>N 
zhR%_|X*XjKJpK01H54N=4!p(vJpXMvZvMHJoeF`hx`nCE1}{iVV?`?V+zRe~mnt6e zHzy!}AN51bLP#Ks<87;@D3un_Xl`%*TG@2mep4JY6X+@EVT17$SGKwvfw$+KEk@-a zYK(G!8NuJw10!l=0Tn+hYJ;mqYl#YV>3pSMt=#F3=2uf0d?AT#M3IRrE)}_d6K{re=f{SO}=i@7)~G@d`Mo$b01@q zmH)-wTSmpzty{u{1P|^Wr~tv;H3Sdt?ozk}2oO9#AW%SI!GpU?;TGK8C3tXm$ye{` z^WJ{Xz328l-x#-h^pF0rMs2Htz4zK{&F7hOKKtm^l}mAbCS03Q9Kr6v)lCVXmYgR~ zP5-V1u2+z-^T>Q=f!@FG#^~Id4*%`~{Qun~1^A?_CV>cxW^q{e$k(N0)b*BI^QJv< z0*rY3k+aH%hg@x-3h0Vtox-+n6GLt=c8T}qr^nV03U|QtjWxOy3J#o93E~6v;CP9O z*3#HieSWiWzBs}ilb&XX*Jd5g!G*NLmJYVT+YrR&C3=Bf3a$}&;!k3qSZTs;=ttBB z*PjhAJo_556_Jj4NFXb@3>MfWkXy?6z5`{^SB)HlZ5sZqv9HZXT^mM4;5tUco^jtu zt<;UzeNjY~Y_0r}fifyI{z7Pl?m!vCk$}h!alHm2{qd18%BXF|dYa{EJ)QykxRXMk zzI`fB^*ff|EgTFkk5<9p@(&nXF7saTqVK@EBXp0xf2O);v70@3<7iV)1}wsG09G^7 z1nGYJ2@sqj+(C8@7q;(_3?Q~f&MKGOkQZJQ&9sdOJ0dC~SwTq(!jb}7wVb>I`xyGm zf6FDdD>N7T#hAuUA3D%iCp-2rJN`;cZ+m^tQM$;TIdRTvWG1B1LX|9@gbdSF!Q}c# zoI-?PM5fGG)?WWXM#^T#6Vr^@8}JsP`Q!@5y{1qYxgcVD*;=N&hH#F`y$NoJo1>1N zRzZ3q7}d9(>(WI|wK|hQbp3*AE;@CSDzJs=<55C%qs=Eu30jXWTh+yX`^))l5}e#U zxE2m7<>qXAp6Iw|Z?r7sKo0>+4dGn4sbO_i=%bLKmeHH8Yj>fCHGK5i| z9@CfOrVybzyKs-FtPnJ@ES9K~s5W73{&UlHw`!m93V^RF^>2-$h!!k~i#-sD*_%`c z%anfm4Oqd4qe@`Ai96@^f(c-~#AwwgU^0jQu_*Jm9XulVaLE7fkpFjG{^%wDcXS3R zW!S(dB89KDV=9HO0{8cZ-2Mpw_IiTwCguxr=Lz&#$y zVy`lDX((n`r|%%YHX2SYSiZsjqfN?E?-u=smbQzb{$3VcNN|o8e@{UQAkFeqH6(}{!4W`xaBx*{Xb@cIiiAw@f(0K=>p~gY_8C_26@y)mZobFA zId&AwMe8l&ckvwC06-rCeys|;gYj|2_Q7n)K*6GHRf&EtF5fDF#*0yuEzf=15qv;I zaWR1gV_*QF1HbkkB|pfviBwk{zX45*tTW7F`{us^A5;*2Wk&!Q{!g}Iy}Ic{Z-a{; z(Hz>_%>0OFDZ6!L@(zRwvKBLJRvG)6QW`<*__#!8amUZW)XtI8)X4<0u zjZ9i1PN7Anq{(B}D+-p1OwGnXl}giUKI5dOO5hb|YIp>&m<*Tn6gJqi9np@hy z3SRGx-pP@tE|GLq8jyR6RD#Yq+-RG#8>chw(S6X@paa~VxbMm^s`A-ykC9bVeiiFg z9>d1sSN}}XMTMm*1@kAU71vZ3!w>fXFmuOCRcGc9i!iv3j9LqR1G-3n_1;Z=_B%3CEtgOF9AhFp5s($-=q%{fk?5L+q%xnn?o={cjt@-Um*$ z^z{-E;@OQ5CgHm*hzId^+tuPNKY!@x$c}h}adQ$tbVQFY>W z85nOvtG!}R%VRc!sy?}(VMsw(^@M|A^K{_YF24S3v|!zig>qMK2H2YNaSKlm9>!j> z$gYkG5*V=yMI1ePW!Wv3<+YB5)se8AunfFJiL+HIsJgkIV?zFMQ097~6s$L4Rt>F# 
z8uM})e#zKi%%G?^CCz>S2$a2sV z#vGOGbO}@m@J%%U$d#pXkGx4EuI}gyj)@iw#b)nNP?2xNSH^u0FTbNJR)D@b5Og*; zK+h%*vxfwy##Zl1@xQ(%;_q}ay1}2 zBln5PktcV0WVrMfd$H=rJCCPBYszUj$4wo=d&9b$g_T*eMkz-PY&p?eggik*$3c{> zL=akcd2wmPB++0fu_oe8k#r_;eQmJMQJtlwuw^C6?nPHs39kH2cW0efjf@vGlSsaTUVNH4tdGXsOt5_z|BN;NQ(%HnJqH zJ1QrRZ3mb+FSYWeQTv~!7x0&Q(u*HNB-A6$GMQjVz zH3n?1GU0G6to~wV?|4yThv0MI|R4v z+Qlh2NGwc5&@E+XsrGP8%5q;tJrb(@+|qLWm^i#BZ%Z1n=9@=KSmR@b6W!VnSxF0? zi6aWOQUGbJioZt1ckyygkj6=iX1Cs<&+28OREScW?Nba|Hr8)ZWeU-Vv)dkB4>uVJq+caec;}VY}VS!O4xFZD$Ec&8n&0?gwI4I5aqK7K^fju36ZDnk+}7acdVN z;g<)1a}4H-$&P`jVvN!9kTtpH+6QyJ)!rz#kF2O17Kj}$L~}9ghO*A6u6-XpIaj$B zI};oVZpL0=a2(WHXa)J(MkyRo`kwXXZ8N`vCT-(W{g@&-d0W0Fp}?YQOgi}+kk|H* z%2FV#*LpS0H_^$ng-Xs;i5tQ-inU5Ujs4Njzj8m^%^lCs7CqD^hl%u4L%*8au~)et zR{e;t6O&vK*;d5X`!PJuuE(Q=G|Y5>@N9cf!L(&{lfrd|A|#qsSK;vo1vKi%TH$Vl zbNNzTctw&AqvNMJ=>Fo={rq@qz~Y{sL!(14(^rdSB(6{do>ravu}2@6pkwZk>YlhP zV&>4RQwm>=80MJx!!_~O26uXeud1IM@8|kg)S^eKR;08GW##Y!~a)2iZa4D2Ax1W>W^D$r3G0?HSLuq z2=EuG2$e(-|0vrDr9+JNLk9od8`$91u^`qP{nwQ`CS;?z-0DOTA*Cqm>0QIYvKuqw zlXmF$6LrA|9JkbJ{c4M8&3R~|phr4t%7s>Ikl2Zw-=vAH=Q!E`}AXIPz6oc#~fqIbW+_vjf&n+;<~$ zl*(AoRq-Lmi=0isS8J5`3l9GikN@$B+&#YRV7OJhZ2PpZm(u#>b=3E> zX!?iW0KJ`wMLx_(&7>HKEsdi>BW?#W!}qH3v~S#kL_`xBW9z6wRhRpA#lF?BTN3Y3 zb2a$unSXRKtpo3X$g_JVmBOQbjAOkIUagvaKBMH-FA9Fg{#jrU{0+aTaJ7eNh+=t& zHmwF(!2CpgzM$!TKd8zDRP(P z-mG%8tT26{E$yV!DYINq9Vy2>ou|# zB3wU@q()s;eZ>6Y*YxxJi=CzzBo{ECxKFJOH0$QYmy(;{`xtp@i<~I;Hk{%cb=TG< zKHP~vKx|8QR_x%`|5sgweg*J9q(CfLMhN?uHb1C4fPe!``bEw?#DG$l+O*)4d+^nd zgEq>^tC#x9ZP5>UOnDI;*xJTzqQ|I+yZn#$E=C={Ahf`U@JH%d!tNi2FT(d zN-laWCp9u<0xfg?2@BuTQI3bN%ZOXHP`_fgEF@tHA`>{c>*c6{rG|V_4v7Hl5~-%D zr@S#$2u5`4)o6K1B}C?lh!8m~z1dB8|7i*}W8aJAU11d3_wXB&z>rn zV29gh#9Rehjb|Winj#6zCa-zX3%4ABW| z*Gya8vPH&aqiBAB08hsG`N;XyN-u4?SwrH|VC=KRBR}yj?e|eeExX#bFd{zK+oc|` z670!kJy`iZ6(9)gUX^Fk&!!AgkdRyIm)P6kYi`_^`E#`$iz4t$k z0QmkVu8)7_1o`jUhHYdhV+nh4K_5<6$ovCb%GL)I;78z$W3Q9bSjrYG*Yz6!k7dH4 z=g041jB3P~<`qIKChd%MQAF^TT9a6l7`{#N>zR7N+jNv8x}`h)EB`>9k40JzPYHKx 
zkL@@%*%6PImv3Q{2u2D0bI+MA&11cH;j5(T(H!dNn^1qo!;&v&Z_W>oShb%lh$@>h zeSiAv9UWXLk@qOzB=wAagiE_SvVb5Rnu9^n*6YJ5Kz-O(UDE3qO z(;xQegSU9=qZp7qS6@p@97RTS#~C811}jrC%uY(z;91(^M`EIO8ZL;*$7Uo;@p65O z*-9(iip1;F>m)s_hpY`1DYUybS=+QNHA>oT{7~nFKt8vB7t2SiV@n%e-GR)F2V!xw+U z8XiTk_*$LnAv^oe?gtS4FQ$0-|MvZ0-R#c@w8gsts9R4Wb|Q6hRw49tP;{q;yEsEU zY)#@Vcuu#B+dW0P-s}aeuMVU)U5lUPZf3qyPZR*D}s?J^_%@s#>R#e7)WAe zKAC2=HEmWtpDJgVoHF?Y^JB|RX(whJS-AWPzredkJF*KuJz7a?3h9LwuIhI(f8EyW z1QwGrG;M*0SNsyD{2lkiF7aSgQ2Wp`&;5=rcYEk8^q!~gu_-?GuF9(v9)rbeVb5rxK-bvlqq3}mLLQhGs*%D=jxY8x zc#eN_D#c7-Ni5Xc_bHyw8O8@DBdh7%*urU5KjVqUackvb|G4;KuB*CZ!v|Md(zq)%)_Gf`)# zhl-~(_j*b}veN$jI@H?3`*Jf_BlmQ+Ww?y$D}7|~i?IcB^Ny{p$O}VF0$Ln64Hcyg z0OEb7-pF%j6&shrb@=e0#@!7TwYZX>c;EKX)VNkUK3qCsm^FshS&ku9O=B!cxk0_M ziju2L)kdNSZZAV3b#-;c${H8%M6(By^83IZ8&z>)@6}+|JYvG6H;%o=yl)?#%_HH_ zIAi7a7bfw$8i{a8y$uP(0Tte$^X|Nm!eq5f4cAaS7EaTOe;|o z{WKwt^_TJR&vEg8&u2}lc7)VOq{AoALppfgq7#Uc81wkGXHt+xb0bdI$T>?D!;(yi zweW*kNm8Rh>p(dVnVst|)lgY2nj?0w56IgQ zC~|NSldJaJ!Tg4OU@kE7frew`hzqUZ_K9ZXthaZYrUw}P1%(?##6L0CP|>U@p7l5{ zWo7$aqJn4R)3T`PMR{Wf|E9ga#L{Ywv9iJ!3WDs`dXNPepDAiA4e z-Q0rZ_PS*-mbbtqGm#tpxs08oVH5g(nu)w-S(;YW&W#a^6&wDm9s8ze7%P&pf1Yi6 z($$l{QD_tY!qJnz@g(CO=YccIChR7Mm!(QuM9Qzzpg(VJDdJ#l`pLNP*H{tQ+w;^*5Q_1aTIfU z+j8OHHvsvJzi!5ztUXD2+$lZ!Y&j4OYbQn}k$*&}r3PI|A4UzaTQ@)3vtw1v8bCtTB^cuZK+RYbZ@jh!>p6O8b6aK2RPBel&`l7Ny?E^0ZB=vCp3Vjbw~b^ta?qD%JV2p${#dKqPQH#f3Bq_DmzXN&~BuPQVT!%4X9R1EIuf%SxSEG zAmiH9PH&glq%6!Jx=_?Y&$NF7-Dc*tQx3 z&7?=?m+o`uRM(@?G}MN@M#0ErT)`?s-Pg~ABoYI+($3^+xswZ|@HO!N7(M?^Eg32%b-#4&>LugX!(t>rNzK_M7*Z7n zxB3C?2GX-FzWrUCy62`zg~%@!rEcO~#`)c<+`% zCsnyJL{*$!mIO*h4@kGaz}HNk?>}~3b9^}(%H-6Y4rS!H(O%0?-m=mD#p9PkXxUgZ z)velp*0aOgKaQz$4-lL&W4l6p1>HLueF&uruTXs`>dVtwg1qE z;jsas4mhFcNgn0*8(>ifR_u^rMK655I~4lq$2~r&AKS@II~*+;iY)3u9~TqhlNR0L zV?xQ8w>>bm)f6X>;#O$C+ULmrs?;jeBxc**9II)` z5&8D*Ps-l_J`v>dj|3VLZg@)zMVxj?II?B#?fwhu<;wh{Iv@J#^wP;>LyfDup@M1W zPSDSh--0RfzMcD=%U$ouG2_}?ALWB4hj@$p-z3T@DJPNySna+NC&#$=ELOgMZo<#J 
zdiucFpJ>HpBj-z`r0J9V_Hhoch!{CK_4p!qE}{nXa=Lp&IQHwo!k5VQVW~)C2CQX29dzqZojwdWpfovg+Ib}hMD=eKA;kC| zwAI&v7XSt=-{A864A1s`rmv#B@k@R{vYTki1T{_eG$P`SrQI@cPlrDGt$MLq=~k3~ zBhi&65dT$j$dr>E(eRc%B2p8=H~@rH!!lZ$e|?z#o{~+p2Sy0p>V44uTtA1w)wwAa zrni?J{r+?6N5y!EI0d2h{HNYUOg~2~5iWxee3SzdMH(GiK4VLTaEZ03@2{dWf}>Ll zDD1fO&MoVLK5DH3hQ*Nj319yP;}Aq1{*kuc%KQfiTbkEsXObNON5F5KB4mx{leoOexfthp!hKgXZYpxuta~D~Kb}Bm7kCY(J|Q6u19FvE6}P z%Kzn}Ba(P8fAG1)UO(VW{UGI2(@v~E;-U@LJ00C)=TAStRO6lp>iNOba_&oC9M|i8 z9^jY>`zDflz7v+oln6Rp-b+wrl( z1~lm7=LzweVMsxu2hL3=S+zj#)R=ds>_i>9uhoJT^v#R-Busi{l%!$d7l7S%fy)A$ zdA;Sef7e5P1Mu3WbnxcAlwh-RwC29*P1tPqwobHS%k%iuM&m+d19iDu5GwK&fo*k* zz;6IGgV-u8R+Y4!$vWn#R8{4fX{w*ipk58>wH5CS)d&)i$c6uxCpc9DLkSRS%8o?@ z$4q)9W6qkv=y{K&tr9kVL+Y1rX&?IN!QSd}RfYA&KsbmqvbqMi2z`iLYjBQ*8YnEu z(9pl#gefiJTZEKid}6`Dvnkg%da<#rU-k8wGiiG0M;IfY zHs`4%Zl|F{;kIW>OI;R;(!Dr-8dp{#$OfB5`66pBK}@~^tGeZspxsa36ME%#(Sif` zFH2ii?P{c*PrC_zc)2kFtz$=#ho6f-61^NjlT^sBq;?yIB6447etvm!^&oF!`c|x805PvA8hv)WwE*+^{%y}gZfPNr=54@ z+xLkk$l;p?0D{U62-gKU7)#tnKEz3Mj5+Bh5GOc|g945p!3nYI za-eKT-=_4)tUknrT%JH?vWT&4r`EzEo+W1Sa~hKnrYz-;$lrikJNcTp#`u-42!=xH zKQum!0{ODEY_Iqc_z{3lfURjFz5$Fg{p{Mfq4eVKF&rz=rjt4KQwtePB^Ts#UodA? z-sbx-h$VVYLABHjbx}e$H5Xp@-ZC$s*l9~NUOa7%5g)SKDe+G-%<@mD;+twp1Mv45 z95)=-VF{Bz*u%e0e19ze$w%U=6(^b$qnbGb$Ws9Fj6FRe+u5OwwHXBTfB_N}f5D2s zRVt$V-w%D^62u-OXWOrK*`C8FoS}=oMb77J_;t zvFP?ClevH&qtzQ{%30RyB7`gto*FDbkEgN}EOmqnTh zm>O?Bbv8cljZr2{Vqp!kk)9fMv8FkI+WJ%bFX>XL!YB!%%o+m;=~#&M-@&2o%VhCT z4*Cx}R(-RyJgl8MRW3VeZB>oMieS5f&on2D>ERq;=2FTnp@EC-B!?)EqeX0X>qR}K z&&6)*ziYB-GK1r^*!ol!3r-`~T5codT9R?#zCM>A8GJWuqp4hZq{bT}M8x8Q!y3dl zQv7L9@Xhsg&cetEwN4ACXB68|`)0w)lxxN3E1z^@MUbP)J9EY$KICBpo4ZWWRy)cc z-FR{v*C}%4FGHrI>@fWFQQ|9BOu8Ljf1wT5`XuWl%$LuzT{o=gCiJ=~x`yH9yal+! 
zI%50v8DW`|9X5;2^{HTc!nGxwvs(himjj*IGBmXi!MGY9r=pz=uH|-gBb5>|w=yET z-+<1l2?~F;#ErqbJSdK!p`dfDl z)f3|(sb40Of*WB$!ClmFDa+={h0BGnTSP+>TZ*XugVky=f4yXaaq}(aOnX&f+r+-G z71^^d=={WgNa1mKqIB)4@rdP9h?mn&*r%ms1`P~MKEGi2ytWxu$45BPthkp$Z(U8z z8eUa;WaQ-8L}8jz$2ysTa>G=v6ZutWm>___|okxnfU5Ceog28)gVKqcNzJ*8;fhb9*p_2x6o_Pk5G8>Cq94d6$vFqmo9XYyfqr*#&hI%WV-R+HOG z$w;4^XHD$kuWh!;hnP|7QUv2MCG`rLi*UqEmaD25uIkTsST!b_MUq=atN#*FWYMX! z&nPi8mb58r{s4KgO!LLj6_!z)zA8SRo6EN`*Q)t!^14^T)jzz3NFzf&hr4wOIDfp{yeJu$Aozo=#N{Sd5kj+E z*=~(QvP*`ibLN`P6c@_0EdUaECnpL;UDs!IsN!b|4|1jV-AZf*j*zxX?9W*UI!Nts zO6D_r65%w+q4VMj?*cQn%)jr(sx5&I5GR#^)yhouN0a0sj~6|ZDQ{;OnsBL)Yj}XRub6u#L+*x> zm!fHg`n(T!6YVIdre_0lz43Iz1LcN`h-0eU7IMY9eFB#v8l5cEK=h4CBUUC8SqS#j z2we~7u0AtD2hmXGn9z@hU#Qx_Dx@90wXFiVcwSYhNfLqN*1)KhaD>O5a$_TjTwN)AxlmUcXao;( z#ykl*TCiLlsc*3HS~GeP?MoM6Mf!KQXcG~JcH;)N>$VM{*+?ncBjYYP28Q>Hk7k_8jPAB6{y016on)wT>d@PT z-G^?Uh*qxDG9zNzOxq6vf6BN)ntyPAFjux!=#1mTrIc}r`C3f_al{m|-w zfHSaNOnHG!L+ISw+Qju(bD~Lj0}iVFz8kOa(w7-rbF3*0S6G-GvpZ54R)G=avLw3) z2E4V!DM#ltA*w=v?{F!=Vrtho3u3#P0Nnz%`?6JEy;4?swOMuk7J$_3}vw-1wKn-a4S z7E0iU(6A@r=64I$jl!g?1vPeGzmejtKNn#7$$qs{tP!>N%1*)RZ4{!EEFdTt5iN4B zo=%l*{^td}{mbphkjt?=z3jSXA=Zh^r?C9bQG_$9v}XN<@&U?Id-5NA9O4*T2faob zBbFPecZJ>h*0q1-B;Qa8H^=+exX_(>d2mp6v{}i_WjtREADoTeXf>Jb^Wid6?cs5K ze%*M7{}ap2FqK`CxetI5X8?3fEh=ZzFY68o^1iEsv!FvC2QGQ%ecR^i ziD`MjNpaEtd561HZT}OW`uJ+pTQi06SeZ*eVU6#o#_K_NWchGUyO!$qHuI_T@j%NC zU3cr^^=B^10-*Z$x}YV`IAX&UyWL;gJf`4}Nw4joyJcg9iP{WSxV>&RCj~`3_^L){ zhc5^{`AFaI=o_>)lMmQsU^RJDIfh0sAe2|O*H4!vZY(PP`be9lzKkFSJx5x-8%v}sw2-ysAFfmcMTOK+J;HQYD zKP~9Y)9IC$h32o$Uz8 z)L&@1=M`~aJfez_2}WjbEkjOfrJKHKRd1|xRd2+X9JFF~K!K{1+$-7PLe6fueMMDY zRZ7i>K`xI~>!epvq4P}^Rgd0iwtJ!LZpE@m7ILk4R@2H#LeB!lP}fF>hG-wRkJU2y zy#%q>+;b>{In#yD%zg-~1z}1NOyR5)xhcA29v1c?muP|jPTLg;PcJ8PN9)D}^GI@w z8#@R`+Dg!15|Jvq_KV7@UE!+hK8Z1Ti^`RKE1kSGJ6qxx9PML_ z7ciyO2TDOVJ)G{C{P}5yQ6-^F<1$i~A5x8aYsxwWkPVPUhP8e0t94|4G(ilDi`h)C zkM*$}C{v2iH;A8_&yf+PfNqO9jV*3m3yT;lUOqQXnJglFRKG-+1XsD-oqMNGKr{<3 
zMN9xWatDbqmrUg{?uwE(Ob4$lxyC%1O=tCgkTyxs?2tL8K?I?|hs`>WzOIz*nDe|{ zGQQVTMp@uJmMsLutg2Qg;R~4OVUkx#M2;ubO~_DsjuXAaM_(7+Ui0plV+!0b=J*>R z&o}Ynu2vtTaoVgocnlN+0^*z3K}Y)nN{)`XQtGTthWA9aR6;|(=>tuU!chQz{1h&| zE(+!j+|k#~rG=KpjPr%?m||L67n<&hO4jiUdxMtAK&e#QUBLAyyU4{jsn4&l_Ga9d zN_%x*Lng~ST1$Uz=uQ)&Y5crF07QC@db^i>n|#Uncvz zGr5{<+zlOL>bID|^J<`2`AY6NO5F@=)*iq^- z@)!pTtQ^ZdUvSXE)ribrlasO>qP@Q`eD7$VC)wj{#%arkkc8qoO5W0@j z`=$c#Q%1^YtFWA5rjsv!o#z=j=|Z=in77W$W6bG~`^B1mG(2m*#)q5Q6Rg$CMGWB> zqr&a#ix->rCLJ%wl(zHIIwtwdhZCJJ@DsehnhmY3z)81aXzR08_zf8H=cxbk)aQX* z&uBpTYm(3E%37hM>s^UOln=K(LC$9|>J{*(&*V#%V*>x$a=qF#Zbc1acX(6s<%})`fjI4fnqh+ zGURbc;e9{_*@hgl|Bb}sb3CN&d%~6ZF%RwtOIt>fnBOE(A@XiBgKg1g zuOXIEaa3>mj6RM!BhMyDPf3Mj*W|NWyu0voy?rGPz?=71*W_;2YHf~FX;d6&kwe~y|H#vrt6@Dvj@cJ%_jnyy*t8j(Qdkn4rykVIHeBOHoW?xN5jT3hq5Q5B5o-) zCGw)9^?|v%Y-9t{k*e8vEL41kc@gj_S^k34Gb zA7kY|9rXUP9bp|N_JeX!kf1Z-jkD8Vlt)!KsQL8O&6o$t?dTF(${B8N9gChXJnwFM(QGP&a~=Zgm;gsYd11Ps6I1-mE`SC})!X zkCA)-;XI3vd~HfK%d-%jC0yQ5FT^P{SpwO^D`gxRL+UflxE~C3JL7QE?#we@aDRr? zY_!q!A6urnIaPhig4Hq?bM{~B)bRTOD|;bY>AzMbGj9*8&N+$oaLq8zBe3%Jd3Dpc zCGH5vArkoJ!pGt_fJ61EeCgSz4_223ZO^~vuzh!Q?fHrA7UsFIUhp5wYkzv6TGt*9 zuNwZJ$BE84z$)-;!YbH=d{|q!Hon+(f)(fuyH)f5<16XyPxr>BIms`;c1Ip-7pr0q zzf`ZAo$gMko-Ud4pU0|uMf?8w@h*A9j5Z7D)JYO|o|isQ8pWsIvk>#reR+HO_py~^X{Xr5XPIwexDQ|=OgRjV9B6+3y%eALu#KJ|<8 zsTqkl^01~iD>LO? 
zMMZ+_`95&(>yO*<$-9xJmT`#DzZlJcV2j3jf5siLrj;+xdsj$x?d#+)x6|(D%$sNB zXU6DT8SeJGb^52@02s>_k(16L)H)(UuNAHS`LWHg`;!8yaM2az_iLUUgN=`#@4=>= z5;XltD_vf2eFdvU{#A#+0ei6901vy58^sh&SnA#pTXoI+wNJRm=L^TUHhA8Aix&LU z(dzm*`+P*~URo|rjXDV_avG(&)Sd`&Yw%#BAKLa486O?8Kn1bpQAoPqexl`Fmz3#T-;lwlL1-x(l!ECGv(OT$mtLW-hrQLPhY&~RVD zW+ZO_a+!)dWd3d{WSWOsK?-;M)AxCD>+G`uQ5fFWls(FaNmTHNs-t-o!r?5{l*yvq zB7gdLl%ebMAAObku`G+6%0X;RZJv2rJVB7FGGs>+H{>QG@?vX+hCj17`igzc(lI=T(dU1nMz z)LF_h?sc3_exC1qfyQAzen!p`ftsI>7&SD8P9mjvqLN*g2%_^>Z zw}ZOr(!uO9zR`p)6-9vawm1@i1i*hLaLjRv)pcZXOA@t$7Ujy3v9z$B4U#GrfQZ*> zO|~98D8CI{mgpT#5sw5((R%%o_z**47?d4$O8 z4akjV50yLY%^H2A5@@3x5GhWkA*m6**9+I@tTH5MAqe` z8w!F#EYY2F2WXrLkT|(c(){SMLS@^=Z|1OxQ$)rW^Zl$P244BfA)ms3*(;Qha(laq z!puBL8~`RxLZJVCMOS6on5jR*O4;j$r>qmn?M5}JG9oRUYe9)zVJ6~$dpB{CT5Xx%02KOg z|6ip3CmS${x!Ky@jko2LzEQ{N`y3%1k1NXTK!U>T2qd4If2_wcAo`Dn3S9-)*-ls- z6!}+#|Ie0%{uCsu{+kUUfa*Unk-ZSnewN_#zZz&yur#z~F?GnH=`Lr@;76q=lQ62Q zD(t-gK{*ip>^d;#{_0%)GkF6Eap`ecfQEIA)RySkVccg)yZWk9R96dmF9Xz6q?PvR3Ih$-3;c zY&VkL)^*fp+<3Ov9$Hm$G|J4e+@m4di~{rCe8O7HTHfzH$5+xFN78_HysD^i)_@?1 zg+2p~#Hu|H=Kd0D4n%HnFXOTH~(VvMA{Vi$yRN0O8S z`IyO^EV>=P{WR`v(#`eMq9M(~=b=(dXd(rY*g!GqN^fRqugUXjebDN=1!iDr#N!nS z6_Zayo~Kjp5OXgZb|<{T*7M0nKXYP|=Tq83ZkdGdo{iO?bS*CSHc$#6=Z!fHx_%ezXCDf@@%>V; zqz58gwCstQJsj*0;6qe4P1D=faHuYPf~Q5t#AB3CB-D= z zSK?sYGtVYup&h9?U#Y&KCCX?I;a#McK;crip#OC#=?BhIScPioRhVx>OT%LKH=s-h zeZ7%NC1QX5Fb^XpJXnY#pCj`7GThjMA!AQQw2Pg;nbFQn8FN9R&Z*3|&Id}DSgC9x ztNMa+*n5=F84mNC8p0kJt2aHiS^? 
z;$^dZ*qGT~^4<4m3JY?k1s_co8`;c_@C@m%E#0}@AttBpm=kv*26u?&q~Jz{p14^) z%H^?)M52GF_Jw-JAEdXq4;0PmPcEYF>fZ_%V!pONtsBw5_4ruEyiUZsIp7n`&O~k> zZ@vxOrCm+6TlZ&@Z>ozsMA8nYks0FsSs-9$O#K_sJPFo`I9!-JVLACkR=BJuAJ;ve zUK$o8L9Q)llJ((0Qw4y-3b;pGU+w<&jL=?{vZX+a#K0HYt79thFzh?VGj9W}G~VMq z@8}LBEqOz1N$rYq2$BPRpPC-e&S_`}okh;@BIJ*;OosU@F&(eiIDuGpHsTA;5G;=8 zU}OY}F`hRDwdD%#g$}S}PpqR8HoVy?KC3sONZ7$ULd4MdE8?(5giEXl`7Dw>7{UhmPS0%H_yEZHxGw)oRdzOmCd@M2 z0bkUNzfwyJg@R{Ss6$*xF#t;bdaSItiy~t~?;-JJw?cXxtyUS;jI_E~%FeeOB?zIX5azW3cm zs=8~|>>9IbRt@>bKV0+6Y*x#qhlgFH*Ll8+P=2`vshSzMe$(3z!Pk|Rk$KDpsrx?@$ym0e^$hP#WMWaty)e zsY_x!t&0|R_z9AGezJa;?qzPnbj-~3>ae2!OoBFIa7}zC!_fVZU?*G}tH{_S{#_+G ze^rHx%ZGTdRAdq|1JO~b{$?F&)=1YlIan^vG(}C7R`?2Pi6`08 zi?5jBnr^C&2^z@5-JkQoF4r7elULWouPce$6_~VN=J`~lgWy$hK#oru`dSn8CdV0t z0Ix!o*A4q>1kc9D_bD#adkUKTEuV^)mOB?^Xd@0QdK_=G3aCV%!xtXyP^Y)I_bDe$ zmQP^Jk+@yUIbgV1lDvh}JI+58)+$NYnD0SZ(e7b@n8Tuw4$QOrd5yhy+nKM)jTA%a z7vYzDO(=7jNB#Y|{Y)HYveR^F!RPnOb1q!c43s>56DVn;)pYTRuo5N|@mRs@4%?%J zGPnJ>2S3m{ODBc8Wjz2tpLFD(Oxk}k1^=?`casdB{MH08TWenyBlc& zuU*RKPKyV{%#cCO`+)*Wt~z8x{p5F2{{DT-yd$ns@4d|Q0Us&p|0#I9+N%)ZO)SJm zudcNFU9~m+EQZ%a*)y!`Ay*CGj=g*E<)<&GuJ7}+xdl?|PeP|8xH?BNeGb$eQy?Z{ zfK~Jp^eqfr6B|?QcWihj#EOiX4qgHLMFOftrVUkfvaX(Gv^?)rHj!_SsfH?W_Bl2_ zshb~6kS&Iz+h<3y8FQ?_$x*qu2(S6p1IypD z&|W$ValCr1`8hd!Kpfxx2tX^~N7W)heO#UyO8kb!i+=anlMJr-;qGMDAZm(Og2`E- zSp5lf#MvXr&OGt`suE{dawumpoKr_AP_4EetF5Z|Z#H;vRnDHf$3nkW@7(7&pW!zi zkAQPdgM7IonS!n`G@d#gi!*EAIe*vDZNVWPaabNu1wBtN)+%^H8Nh*Zt=3){mUrX0+*gvZ7)_IxuEE6f zAKNJ|MDCVXBIAeg9rZ}HRH{$L<@DnE2^#g6O<5R(K+vNA9ILt8!NWlYbT$p@%dK}a z33*U8r7X~yS)3|V=f1ZV>a%V-ozSbN5B)6-Vrw;J1?ZTnSscEA{brugNa3kW7Vwn>SAL z`V1H+JH4dEw|P-IFib7nU#2w!F4NrVN|qtY?s1NoL3{f-6~Z{F^s57P8v8?TrViCI z>ycvk=vS%Aof0@(5tl@HHC)HHjC1;-MN9qJT}U6S`_753;Ory}2$JINGaAm@<6l3= zd_Ktk3~KVRDTt}qo=oF*rfx=)X%0d3NjD$7-r0#<@U-k)^ga|z`Ps*XZhTUy*CVra zdb#EXezJ1`Q`66c={sPlY3y#2g?k2orv&P()xsqGEA@tpX<5POr^u^~{VxU|GnL$9 z{Lpd~3M`(y0853ELHZ^GP7U6=J1u%BbF^@X1yKf*lvklh=xn{%h*nVJ84z^K!?My? 
zZ%}7v(9n$i36gCHgFnnKq8gWeCmi6ga5uG27oX*N{T&7^-k9QLOF6o5&{#QfDVF@1Rw8Ev+Gvr&N*vitWzDxWZA=dM24e@>Iu@IHAb^X zzJr?D9d-iN;vgAlA@^oeT@iXJg4>hYqvDTjG7Qnp=S|p4r1z=5QmvOqI(zCcUMtNW_>b}-O9pg1H*(LL0!sA6aNE)|HueR(RdCJQI=cam zyJVg9&UvoaTxSh3i_4EJ!gv*VQY7KBLB>(@YY*+EtQFF?>V)Nd_uCJ* z%#6iE+^jJ>O|Sv@PuqnW1Y3$EzR<;keGp`dAIWdN%R*X}m}aFzNP4?_F=5g^Kso8< zq{EYvIDQ3x{}U?<=0Euyv1?LM!rBB=E!3Uxp#UXQT)Z9Yaeosw1si%IHXXT}(5n8$ z4_BQ626J$$+*TTN&c5u6d#RRijdkW#?~g;7Hl|w?o}RKwY+-kLo&ID~d+STOo}i17 zz3Z642*~)mLK6A25?r&{GS@}6vg@efi6aQiipn+R0x^A3D!%dN)bFHZ|Z&qLmjZieC_p zJy7sTA9(!MA0N>B#UvW`2E&7~^8;^gA8dZN6N#LV0^>f(_1()|?uSAqQ?{ zsq5gPVvNC2ux>V!q!dl_Mli2x=MI3FL_&xI{IWr}c*1L>pL z!(7#8KU%5F#TFJ?><`~RHi(AU;y6FDdDDuSveyW}r%I+}KP}u(!8?RPQ1A#|IN%fi zle`wi+zM17Ha75^iu-Ju*+JW$ed$Bsg3TEm)7Ip!MjccL`{2alNwnrXE7Qn|TkIx! zs1MH=A&uf&d{YnL_@2jvKGq5e)nJv@H)aPnYBBWVzZ3{7?-g{8ib-9nKhTlb&Tz%( zy~a;0HNF?D@ONAzMEbz$dU0WW)ls?uHK`BhPPlloOKitAtK`Dy(|uY8R!v;u)3EttfVan?uKq$E!l(B`^6&!M2vF$F zPUm!=X)Uz$bcbNl-YhjTPbWIKSs7c*aIV?v6GAh^stWC%U^j~ynY0*}fa1baOU z#qKV&)NZa_6vY@@hLy5!&l9yzHcEx!I7%bMjS@fFl~E@9&@`ctlek(>z&g%Q+;nFn z<99hHHdHudax%iss`UC$*0A;2bLZu)ml{ z;N0p_Zx>i>yj{txpF9)FvC8ZA9zpF0?8Q&qOcE`=4}T8A8FP=`(Vh%Xuh5KD;frpE zI>f}%Ho?OB%0@*b5;|e^i*3jTF&&N85LP|z3ii|FG0n=SFE4m#9^Li z-ReOpepg|n+eM9w`><->x715f#;oI zNWQ)_dU}-pou=eo3L2Xd!roJyfgbz2o=p_UTGIffNHSAM)T(pF!b(QTbTQ=)-$I zjOYpWAOC!m-I}7KC+#Bq9c_w)M>9bEfT*m=rFOnJMxh{(D{X|Zy()?M)=fw&wMktFnwW<* z^$|Q3F;QaJYTP86I}qd*D10@(^Jp+;jj*V;MFR601VVgGhu>6xxN1(o{(?tbcX)Bb z_lhjW`mJ08tF^U3Rh`=o5D{>%Vu4+V(WzEk`VqKq#7bH1c79?)%uZlmK_ZCol(O-q zLet9wb;cchb>DKwA2`RTB*g5kXrvAkxe|`kwcqEvwt5TMWLXu%hTW*oI3Z6iIL4DM zu$SlYH3r4-(it>sLyc0i@27O-O=#j-#)b@>NNr^<}!lF{(3E89F`dUPf#hqLTsi<2*6#P^*j@qNwo_MW_bYAvR z$7sbV%lnyGiRofm7CgVz1fH%6wurDoan`W`)Fq*h@{)F_vD`#*Jzci1DGrrTya0N` zY}L~zfEiB!qw-;(p*i)!Q%O|V3Fb8t$m`f^7EF8?+$MI2CiesgQcC}e+>5_I%l^f- zUwIiu?%%Z&@grTsGQ*d-Yt*Hm1kB&dw3BRZq_*6t=q+4G5TI-IZAoDU^c&))QS&hR z*lA+ELs%3d(Pky7s?_KX9bE?BCW6De!32)^6w`3glFPE`n)5c%hWHd<(0b)=IturV 
ztcU9j3UVhtF&Pj9^at{GfXu_c`hxqR|KJO5(3EwM_-=p9a~tKe49%L$ zbIGUV^+nb15JbkWVA+P9aGn(+f8qk$BIb`C$LT@Q=L8ZBE{Z)1v>k&UQqEZ#6 z>vr>od%(zqPdtnz>gp>$lVghz`jw8mQs|#r5K8v054~xvPd%PnMX#=sy2c`V`+UPi zkbg!>aSYCd>s*8_FkFIe(8FILSyy~IiAbFDNNIl%hC$0fqjxuh%VK~ymv`f|G~x9m z)76NOWl@-zT+IbfB7D6G55Ko(YU)>uq6faoth9leDH3eW&g#!^3tLk^Va@N&Q-&w! zbmjFS3n-S38@-dgh*sDbu{Xe`V@sQ+NNSD$2?`VlEyejUnKnbXF<}_1_VPA}LMtaN zvC4vNzSP+rEjbS}B4YrEZF)4}>MzwxPSXrE&EWQ0ssPAN@t8wrs3Fso9nQ0?Z$zCL zd{kezvJIyc(d%d=>HUA;9X1LUiRaH#PK;rmxR_0dvSJ4I$O1k)qvMU!BIhK>$Ysu@ zk?-|sL+6tppB6R@Y^1I#wMJO<+CST!NNLbqDRt-*@Wy0{FQE8Pm!MDf0ok};(2bYS zEyrn*7rfZ3fp^l8p!OZ>LPy?*9lXsni#Xn}6L@}Rl!|Ye>_##!GzjMp=4c?G7Pvgn zRcXZv6fL*!%^r? zi|iVTm*~*DN%*zo!{J0tCXFKNfepCGzQ>&P?E7cLmord6r~EOFk7Cav{*fqsc$0WK z#zhS@(Y8s9_U$KVSF(5%Vv~p&LKe6yeP}Uq7|%B~{+K73 zs;S8HxX$!yf+REooD`n)Jy3tnSf4e{kf)fHXko6cXdx}<#HLFLD5B(HxLDD_ow#jQ zRhNv{4Y*Ns(sx_jk#iWP*)JYLZ1=~JhLFgKo8QCiKR5RTa#sXR0HFg@3W1|&Cj@G= zSIj`Pw(8`yq1?s_(aT5uuzS}>4s5&ZuzXRhOX!PeKs7AW1uPo{l-y%W!spxMWIn@G zpW|V3Wx(%rAbr(o$4Ltzk4lh6`kr-$9rT1ZNtrR*Ehpab7n0SqlIFFB>{=p)A=BSX zwWo)I;G*o^Uxv+&wX&<^hDbeyYb8nq5A^P3!7{iJa68ObJ0*WPvM!nHVl}2K42kYe z?JT4$k|l}17>fEnB%W?ZjPsz-;@-f-mCKDtAfb!jIO0UbTA9QW3dnCtCAlt$iw?!SITp+ zY(uU2hZ>TOr9*T+HOh^VkT4crD^6MqT>Q9G8&+gs$(H$=|0FaeMb$%F+ly_gvjQcC zB3gQm!97||WP79##5k5BE%{^!X=H7`5o%U;zr%by5t-rhcRSadqlrId+NdWC z0_r~Q_3@kpk2a#u4<250QO?BY-nk(W>G1H*H*DAuBF>E0P?$M3Q3Stes@Q4|2f!>9 z?SM1GE3TsP%ZZ1ZqQafIig3#pFrf#NFrQuJq+O-@uFm-3FpY6Ek28YUh%z-xj!fFWA?jH%lPk9pM;#=_g?l?0=-i zf7KWn@Rr%q5?bRP#SAZ1izpn%`D~gGyeLP2sF-3LCl5Oi5ho((4hHVnT%FTX?+TG{ zPGZw}Oa&@-mWzzEzhhhEW^q(#me-;uCqD0w8-)QsoU+*+sT~NAHcq1qz@X35oM%(} z9X>xqGw@AwP-==HJl3xBAM7(=zo#G0H`egl;D6C+bm&egI!R| zLnd)P6Yv_|=#~{S#sL6(B&>cUKt)%sM=Xh|wTVjU=oe(=vjo1h?Ib}~$ReniZ@1HK z`txRt(_LwFdMsUv6EpmFg`?oaFot}%HiYsX%u~kVtnJ>v)w>uGK8ccwdG&CiaKEXZ zqxZmFR~^o;9qA4*FApmox_v1i&Lea&AWH~9Xyww7c~C__fgRY~(Av2n<0 zz4b-*>b_p@L6sPDTTcFs!3E-8=M_6Jc~S}jt_M4!{~a12?xeatV`bhqa1(aEfg 
z#|zCnB2ee{urS(Fw%@T+Ke6&Y1!xfsJOAO-S@I|$AernIvdQ5mLtPaBaPrDx*8k{Qarm9I@4I||@(C3G17?ESQJz2)?iT>&9jPJD%6P2f* zCJ+mtswPh{U;=Q#VaKl*cP8(W#vRSn-Y5qrSY{8(wad|qwKP_0Urlk{Zmv;$9w;{o zeWGF4m!k{qm=xZne+7L4xmLB5Xz*KkJrQrN#!k;BiSxM4;7W9r1wZ^sj&5PFvYL6T zA9DxnPV7#OC1>A3(HzBi!C!^B%l%j*{S$Qh0&=DjmTm#3Z}Hv#;93OWu~1t~c+mwE zKJz6u@Z`RcQdT0xkfcyZ#4%#ol~8BLiW(JJOD-~Nu6Lq|#Q^F@WI9nd+%{wxxpBU60>P~!2>M6<1aehPJ z6J=2nyCYCn(95%@HM)oS;kZLlQid9YJbJqG5RwFWwAI^sx36A4c!DqYYPMwHReI@q zcSJl3|Bmo`(1}Fpp^gn1(oWL3zCk=%_1mUmZ>6_(r+8u~W4M>F({-c)jO*yV=`=e& z2nr58Y7<8}VOkzB_zI+}gQ7?LPu&2Z0^kxXTTOcixyyU> zMtcOQ=guU0z62_)KvaM*VFwV2LB5>-)G(mD{;Tb8JO%#>>GQ{D{|@5k@4jfAz#3~S z&JB`v`tGHPtTMe}2;IQ}ad&NrQ1pakQ*NyR8=8(2@#hhh_n96zm`e2YnT;t$&-@R~ zE&Bfoiy{Pkx1{`#8@*fP*TSOurB?tmds*PvIfFGf-hpDU zUFCk%f@Co{TrxTFL86`Lgm3r8ojkK8Ga<>T@YZ$&_Sq z8_c|}B&=aYj?U?Wk!YS<`;2f~{;NGzvWZeABN>Wt*Q4Va^(2j(+Ye+5zHNvkFXv0U zt*tiDwU@`9y^bc=t;gl%=?7?`Jlx>q7#eFjCH)!ttU(V&Mejcz8$(Pj*!M!r`E>YD z=)YVGAc;%dC4s`1nS+^#52=02~~!cx}bK16!k%H;5s&MF;16cj$WV$cd) z7E?Qq=V=deo|E-O%%Qj1?&cM3Q+eRjmdXa8P`h%R<86{`hE2oKQt(mVSSXP#fB2- zX`T7x*mir?O1S2c&~2#eo)ET2J|(E=Gf>v(tV=*X8;sU$m;N9X!RPrf>e>fqE9E(b zkNE0^6jsyN{Qyed z+>i*uMhAhlzF>c^7d+#c2BZE&Nq1DTk3m=lL3f7tO|5WenHWX~oNcaiW&kelsw#Je z+@9U#Ku-A6_vRW50OkQai|l2(Pnj2wf_bj-R^}@~=&e{OqGt+PZw`H>QWJ45MVpEF zPNWRQs1Y0!%g2YT8Q<_4=Wzcg!T3!G$G?@e0dNPuaew?fOJe%JD}=QIfb*Hu=H8@6 zv~y5b5{kmZy8U)RL=dszx&*tgBpAxk@@7(9vK4vqOC-gotp=`>nXOC6jhv(axwlnD z$^b@o0ePr@yS&?7crOw4{l@*JJc2yu#@)jWlq-I4K zTPJ>-N^u=o;rJg)C3X0AF=II}!{N@slam}a<>uEnX&+?bSFJ-S|JU9Or3Z1}l=qXvDSdxUKqmU( zn2ABVr1>M0N5+=IhL{7Hz@`8$gPizQzpw5-@3MHatbkyC-|2Xr!_?ZxG&mzytZ8`CBq+1K0aVFv z)SH!g@4hjaBwOAXaIR4)yCqTUMnFLS!dvxb)94Yggei+QN#kiqrpnH5Db|+bcHEGXg^6fwR61zTK~cu|Ea14SmAKG;TL^2aJJ$Z;4sm` z@OI@nG$Wb+SqkKW>OO8i~VrBhgbH8Or`&FuiEx-tuPu<0~G5XGkVzDceoGiyIvYBDU>2Wm$Kwd#rghx3VbEV zQ!vqeGXxiZf>r$OjZU+YFtQhQ<_)*>(TQMTF^NF(7~WcC7OD}qtA?B2VE_D z2iS@nP%2<-$o`d;{O8a9+cW@wRV$UJ7!njGsB5eRdTtdm4k3ISN1NvQYIZ>gY9hN` z{&zEOI^Gpl*MxRoo{710msR`cKS&7&=;(4~ 
z8buaMZoIe*Tg7Po*w4Jwnv7NY`$q~>GhV=e6d-~{^A8Cm5-13Fq7?pYa;_Oi7BAZ3 zO!Ycfj^TUfacz|~Y}l^o&f=ZwBlC$aWCpOp(u1oYKS4ym;MH4hvZg46WQ4^Nv4+K# z%shiPc#@myRjinn7Rch&-e+=- z$S8cX#y+M`jARMRxs`op1mb>Is6PV|1YFd@^FQWU6=o+{nV%E7=2u6mddw-|^WsT| zriW#+us5fIim=|WUpHOHaug9(um_a0wiIPfC`oDBP{z2`TYV3!pCdjk6Sz;axBT2H-WI80t<)^AFU8N>D~x`pu8?u? zY`D?s;wLB@=Dt8dCKhtoRsUcvXKsIz+ah;IQ`i_VKR1tyTU*5v#xpkD2OIv7G(hjC z?o3j*;8rB(DDaKZx9;5{{Y$@Y_iN$+vq@~VBcR|jD*c=9>B{6O@qz;ddv*CT`@mTz z{dXSHe{TDGojS$WxFpYaux967)#WFi+5ZT?4AK?LO|w85T)hOqE^u~}>TZynA7CXI z43r2oT`>A%x(Tfyo8)WigQU%xFrpK&HZB)mfsqVf$$n!&RM5N3|E+1vq$E!iL}cY+ z9+iQLie|9H_lD=P&W*vntQIf^6jcGYQfI^>swQXr3mrBb113>A7bwXYK|(1i5X0Ij zPomlw=$U8Meff{YE@9dS4>hdoudW<~w4{D}HbU*wWm~R?f z2*L#39lug8T*X+5bx&$3o%bLP8KG+xKOA}6T`9AE9Wh3fY6L*BH9_bJuQlwxp3O=}mJ7|l{+JRM^G!5UqxT6EJ| zRS*eNrf5aN0kt_ken?>MJd2y$VWSk@WPWcT$F)eYwXV)3So`(x+PQIzv$LOqj&rV# z`HEyS288dLwtItXu)RGXWzRq)WSri#;tBl{|wK3XGsN&DXta{g;A$s}{2K{4H-4 zDAW}@2$VTU-)aw#<5H)&r>Rv#N2i8pdTQ1dTSKVreq24!^#O*<#^?pK&G;v1&Qk5N zk!(KlC&)k#@=Z?olmHS&`_0C~0>D@JbUj#lAdZLE2n;(*qFrMh3vW^ZdQX`FlmlY$ zegi6Mo_2RlyrDhml$96|<^LGq5pj!@3ptpDgb~lG*Z%}XCYeH8KK+Gp68*cZ^DcBsHsjIRJF`C*`;^+{8kA?iPA2*0HI!gJGtLy zg{%ty1ii1@bi`m`O81RM+7*h;Mzw@tn?px?abFS9|H|*0NnL&q7;N#j)$nKjaqD$gP;j=Hz!(-5K zc{fqSS012ot`clnrB2IL%e(SJ>ST!4>YdO;R3pPG)bS_ikpBT->yc!BK>P_hm_9XT zP+?)<^Krvm;bP_kc;927=l5Bcc zORU|`W@_|if23)rdKPoF-S|ReSL9AHD#gfjyk^_L`V%+tr?MJY23Ga&1X~xB|QDUFQ<` z#@;vJ3)<%LlvjxE{(cZ0j+F>oUuYVOkNTc(Okat;y6j7B;S}4fuM6cW*Cf|MS7mGT zw?x=gtrEJgBY2mjUc&ZzXZb*o@hX9;u!Dzt`I*7Pf7UAg-Sywgc8Ib)E&U17NwRDq z8^4>aPu-CZ8WI0cclhH2kRtx@m2d9u+nQrn%0^8=no*J#*(~EA1oznG5Xrm0Lbf%*sXVkC6DM!{mf85Olrqbx0 zE1|uD#d7m0m%oSmjFMJmRqY-IFLG9zExq?svRYpfKhAKP84I#d5Pb~lr>}T1DY={3 zmkJph#tlxMoNkjvLPpnGUxXwhF|fVJ_5{WypD~_4x~&K5p=Q207q7@xsF<5-M`)y@ zuSz6ZX`1cEP9-vb=3#Xcu&mOsW|wlc7d#nksT#}~C@t>V31<-Mp`1F8gv1Q@LArwy zrvEZuK0)8J?2<<+)&WNa)@A}zm-RlUk)F3&78bLjSU!aQ#45U+vc-L(tuj)UBFM!# zV8R-%nHi@au?IY%<@es8L)fa}uI3*)DmFS1Ao`v~r#n2o(H`HOpXGL%y_X$j_-IWIPchr1|=NqhtWM!X+=q)E$? 
zD^$AT=t38B5kN49&tJK%S(6+=%KW9z#XJ?LPl7^Cb-y!!Tg`)JpINO=7J`#{9lq>T};L2U*eG9J}rP;1?0wP>| zWId77HdiFXSm#v7and$xH#lY;5hQB}S7g)u7|ZnS;0Xfk1kb2oQJGkgk{;3z|94ZI z^i6WFyR|qmBn?HXL!%_oSvlx>=(N!vJCQybfqvnWGdq_PL@hd(Dwv&^9>_%aDOX8a*L!MO4)4<}~Qv+Qp4tW%0GXc~I)%=)|LIZn1 zu1Ln<;GtR*8VWj7UBL+9NYA3xGo1RbZs2f9TXuhyIkJ%6Vv>j>b{%=o_R~s*56+L5 z-l1O(EsdlK`HJute z0g8^~zh6*ni(dA~AD8%;5ClfS8NeC9b z$7hPLs74l&>1tLEyBDf7LqMYT&MRW4ukEC<=-)zvwMM^DS%x7DEN*p+XxxXRotNMd z`TUdl`(Kdh|GE7i#ph+MaN_rI7Wm&wC`X9CF8#dArTtzULpTaES`OV41Ljs*=xf*$ z-eCIN`ibhvx`t>*AtgiUej*Pd4O4;VQ(=X3kDuPfW65B%NOrDXw4W^d&;l3#{|@~7 zU%i3<$@}NZ>f`cX84_xv;%gil&0-yJj|T+>r8ZRJ;wIV3jmb&E1A+QUHNTMFQ#@eY#z`ric##wAnAl~dpkv?dib*G{X;&+M{`6EV${GKk(NR-OYfojT6H z26m9cZMBx)A;^e=04FG|jIM_H++t(W*T^uD`nNuGIZMOb-0yIVo}=qI^PA%2e%E96 zU9-@5`_>LQ%d>^SaqQ&?b}?{ny<`U2^sbnpdr;L1fQp2u0#Yv=XZ+$R$tB0PN*d%k zbr>lSB7t|@g^pOv%y3Iug}MC-gx`&jgRU28v8LcBsBfh1J5Y33J@=5ZtGQD8HHpoK z4UYYj0TwJ49tqJRx!mguvg*k#M{8FgeAXSwd}A7mc7Hg%1a{R#-em<6isH*CvUW$M zAL&h6XstzmDKujLBG8)cW3%NKiYvpB7CC1|E@WZc<1;-{ml_($YoqxZwwS&j`_X{vND~Oh&$RR|2?W7_)wYunKI7!=M}vBvmX5Lo*R2lBNOfBQNgiOQSqlGc(pZ zg}Y-OExO&Q5?(D%9Nq1F>3}*qkj|y}w$u=xU%Xmv{|TZqy$;K@rCRjD!U4wOSgCVV zxWOE_J2&BA@nz;M0i0zCY|oWH$|NaVsU_G$8juRG>2HO$<6M4%VBfV(HwDw|JXa3I zbFN%*ky9lqvuzv9!DFiKdelvVG#^6ZoFasMlOIx?!nZ)x zKLBti*_cGL4c?NX@)Rzny)~_{gN_3XZ76$5lTyhzIYbrmh`W}Rnc>a^`D>vrdtH0# zX{T_gj}{t^BVtNI>T}uEzV*?XuKL1rdV20hGCR8mB(UKB z>}C3Q*8#88`?a5-XD2{#Q2`1#b?$*UHsBn%;`j;L0*upIwdVd1_O9JBTL4!Jj7dS> zPY~@-&|_u94^zlp668D$sIN!^aQL`-VIBYDo`5a<=WYr58OG2uTe_gQE707u2cVzp zLE$wZd1N0@B?bZC<_CbHDAD5|i?|Kl*KkpU@ltIQL=vOYY+4$%bfMwR;%_Gf|{}t;(f7Fyxa??BVj@{J#T$HkE z=tKCQWPtrW8vlQIJL1ndRAggoBL_!&V*{(-R&5L|P?6a=NmxjJTN4mqR&ld6W`1X2 z`s<&)v9%)!8?aG{S;^SJ#>pOR>;N>8w6S*lwO}RT{k2U7&G zcJ^O;{W0>cDK+sc*2yfGy(dwwpB#dydw$^Hg9{2Lb0L%Fah34quT+^e-q31c)PA%| zs(v-Eef%YxR(Ya42M+0@Q25x*295(kD#QM{Q1Ya$BWCKP6PH{6$tsmV$$n$fQsCYg zvm4J~uzl*3F(+EziqMpNV}2o@9szOJ-rS4UyVTWALK(vsaArkr6r_s%B_Ab@J&0G@ z7jNX1S5TN=U@&23-?Z-d!IOxSZC3=+Y)gvrW#tc5_!{nESdwO#VRpwm?s;&-lxs_` 
z+%5A`dY^dwe0DBe!7Q3poANq)&919i#0my#Vn>pQ4EMF3`fvzDwN?q+er=s3P1M&U zck?x#FgIAcX2DT9$2*;E$5DQka%%rFX;vypO=ig_rzRhDj8<&80xi)SxQk+) zLer~6uI%evN_KHdl z4fa9e4zkb9zB4w)D~@yB!3vPe@BHie|7#xpaSi`AH-4Y1%*sxNj=$~)zfDnQb#o)& zQfBAiWtKKJH#Ku4VP|Cn=GX@tdu3Y#uzkZX!I)zt0VE zF_qtEh72$_?QLy-%@q=0e*Jx_u(7kU@cwzS{G9!{3VQKIQbrO40|Nun2Yx_57eHd5 zrw9m$2=Gr45fPD)o+3ZPM16*W@(dT_B^o9n9x)Li9svOf1rs$183Q>10Sz}T0}Cq$ z2L~}VuOJVb024b0+pkVwkdTm`p*+JuMa5wwB_L({w_iWoLFi9mcwls4VaPyF&|zTF zVSaXlh(RD2c;IM%9q{ijm?yAs@Cb-ck&sb<1~o50PhenSpTNPw!^6P=t-XNlAUJe* z3{qARgqMm2h-7w{Y`#$$Psv3qIx%pv2kU>}cuDnB_Xi8rbmV{;gLERTq1|C|2tT|6XfL_}!{#aVN8w!+AP?kJ7Y)c8&_%`kzpei7 zNc{i&nwSZKe&fTA$|QacNzV9qPv~9HLl#z` z-_z0F|79+5j=8>s%A5qY9by6Q$;|jhJkTG2*#Gu2KRby>-7!4Bp;u$Q5M_X>Z%*Gu zEMi%ji&=-LIc?}Ha~Ksl_vVx#mxD@E1XsFuz2WL|Z}|&DPAsg8?YQHx-9u2?Hsqxm z5N0Pw?+*Ul@>@AOL^#qj6xR$B)+Hd6Dl=@rK0zL8*tFK|Zz?tmgGCBB_Np^o}>B^-p`kc`rl}~9VZ2(eM7mTH9t;`lyj(&bP=4m(4 z;s|vT&t$05{<*H@SV69!t)W3``$De%#|ATcl84L<$@G^FF zrD#w1%`R4Uz+;au``j+LlgqJ zo-gD?LI^(D9VFGIX=S2bt|=TJ#cq&1oJ>URqV1?IF(`i1UBnOa#Zk9f;X*qN7xYlH zJcf_S?`ShJ&ixSjIkuL4f;v4L)r)IU3agR8)NOHj1J?I8NqQ%?u%srL?wS6;eK~?4 z9~1{O6TffXqyZ_#*g#<{CT&ka96_zj%QUN)(S7EX{eWLVBqHHiJE5ie+s2yaiS^VG z(S^!~qB?x93eCHOzz;Q;awlvfIPJ;a+vF>p&hzw)cms^_65%wyHeVZrvY}3csiZTW z)0=zC+ltpI$JbkXEhp2DsCaZC7RVy!hDjzmr}?k@k79f^@SGkGlRm=aMQuBits@Ws zl|!8Sh_%KYHqC`{_qqA@X)>!R{yYKb+l9@`ZsXdH04v^XrtSaRNtIhgM{5GqT%@j1 z;@;mZDYmg)S$_Y*F6x44{<31nZ z^f?RMowLdXTe?ogcP{qJ+$O#PrP#_6wKQxey%wlB>J>Mu-L;2p8(!ieaeUb89E7vs z+X^ji;0HK*QtJr;8r_!7QrjDJ@g>iE#AIrDsmYgn(u`k|?dLe6pRH>TIQSvJfJ||( zdsM$*x2~Y;$M0UGCWd({_DTuTM$5X?d5(9OW3#y}&h`nUz(n*0fuq1w+do8z(1wU! zz(gpI5zXd*o6QdWwlH8vLe2D|VHEL9BT1rgx@>xqGbm2#{}I<>2+(Suf+Yw!nnvTh=+(YZa@{(XFa+TR%tG;JgHDRP(ml(&yv!nw)lxJOSDErSyzD9;{YBTxU{%)!3a#?&%7X1~#? 
zUdZdQSll_^6xh8V>WT<4x$_q`23BbIik<0zqc5`+ zdpt(z-a>R)->QS#)8}rz!Opgfn%IEevSif#d*Py2jI6G8ovvatA5c4d+WL=}1lB5X z^~}TI%Jt2!;*l!{f1XU=5X=7h2-;~z`U#@A>C(GKuK5Z2E~|?Q`lF{mmRtZCSKWs} zKkWa9wYLmvD{i;GX|YnEEwoT1NQ)LL?o!&~1&X`76Wp~p1Omm~-QAtw4uRkVcX!e^ z&ogso&V8Pb@A~hTm&}b=Aj_wK1bkdj zn>v>#$)e4?Sr;Mk%?lXRE|VeKC`wb9M21lxZAiM-yw!FuoLAgd*d zt|^glKBUbFjt|A>rJ^Dd&gJ@ikmzcGh_-Xx2FHAAT!gF)?6U>D72Y*U&w-n5XxP;NFU|XO9X1(3|nDE-k1mFIw#DdXd zJ^8`m-3L*!wUAiR&+-hBCwUYK_AdD=s_-%~>%lxf~@XlJ`QBx`Bl zhj+;loWjG0_hx@^eL4c0(RgzY;t%x*V0GIiYw`YaDKRSk%T+CwUdxJE_}#Z|RA1G> z$EmQsC_Pl|6G8W-%h0PgviLiXh?jxj~7 z+qXbRm{j`+*&jEL=!>bX*-@Du>u)FME^{u7zDndXeG5v4kNeK%6k_gi^vgb{qrP1w zHbzDuRfVc&xFWe20XW*)P81$j9>`)sS;S;eB3|2Z_rB9^XO+lqxONR*O9CO-e|zbB zo)H@5@pKuI^s%nS3uRhr$e$X20xV~=^V1_gs7uM0a@ev?s;6gaNPKcYPF`My(1KHU zSs{IYK9AM0eT#$+lfncsNPTYhT9x=iNd!rd*y}8P6jpS{E?o{=yaO`FNcbIaRS)vC zQ?un6&x6aI?QX|Jq(GcmfQc3v6|$mob6 zsscn^7a+xQ{ent@*n~&68|hHcrch9>@5J_QAc`uxz{;h=*fg~l-MSuU6#Q9G%%?c7 zgHzHxfZMHerE9tpoNHCA#dH(h&Jnl}xF@Dt_7!)pGFMZwX0VdFyuINHp#MTEndrms zcqt{hoZ5pA%W3aZY7Y;PjcMgk|JRDthI*6o4<%U(v5Hj9qdcG8FprT41NO$}_J1hH zBq-OXFMWrE&Y;f$<-S))rjPcmzsOd`ofV>6we#VNRrY`6j9;Z4M*%*;*=&)7kg zrL6T6VZb|s&46v((MC4+s@Ru)sP9A}8{xZ4o9N@^ZEZy#2>aZzXR_gRd?GOwcJQ|$ z^^(qHT(ITxJo}{S4GK3?CMisRP-nb7;f19tec61@4vI%H<<)@5U}e_u8888#z4+X! 
zy|T3dW@E%qqkWoaG-nqm@6r-qw<*vx#59GKXH@sbO@&ybQo0&d)3OoxTz{I?$)sXD za|DlYzi8f0x(poT>bCHqp4y66yq2vC1jxRw0kL`*HI_T!X=$Lp7ro&-R>uJ;hzq=7 zmG`NKGO+ODITq@$-w-!S6<9u`QQ}rWi(-S8dj75i22P+kD(%;3{*u;kQ(PO@MkVMQ z92Ih?yaeuH0p_sj`&fgUYZEpXfe7%s%kP(Il19RRyjEUal@ph7%5-mQ_hW3Mnbbt` zJ;VwzCL=dPdST-I_4DP!T6-iWby@n2RUCLUJ5h48&92Kih9R8SJUQq#Gv0prIjnFu~L*OTO&BqNkJ0;B%)nC;&g}BI7QSY!ZVJhJvw+wt;s9m#@ZXko1MQwv zmxRW1>B%^t`SL{X0YB`hkS5kw1UWrI zCrTxKZpRjG_K&Aay;BV4M-(Ye)^`7)m}YhLmRHmXC;B1(+tU7VnMX6XeQ?*OEBxs8 z>jxi#AcKu(?im%(nI*VRq2X?m7qbFG&f7}Ku=1$}iuv3?hrC6Bz>?T#jg=(F+^u1C zX-K|Gv9emjfKonj-B!g+%QesZ4kiWDInPu-6-;Z4VT>A2FydCdh}wrMVE*PUqCxhz zvF`^a-y6-b_J#lp#DtNfQ&e4D?BHuST@|Hqn)6L*nqfjGxTbk&h8k@6{eo3RA+~S* z^|n(v*U8h~_G~>`3gLEcQdF>AKP$}8HN|gZ@lNM*O(uWohMU6{gHX20Fx4iysQ!ZMHTyLsU zB1dtQ{}^?3ktW&~kFvg_$ef9t@1wY%kY`usg}fK?8L3~Y_xz!L5-RjRW?}RHf)2b4 zE;=Pobo|VwhL?snt48@Skyt3hK{LaPAJ51Xgt2xCfLb}fTv?Jq#U~W&rYb7?b2iIp zL(`NNN=@D7qi9eIr6SnfERxHc32$k1>7>f}v)?c5>>cc;r>wQYMknas9}3FbR)1){<1NpaRgq)@$7YA)7EUOW+&ef6IA8F@9kGaUWp{msh;}@T(*>T=^dPe`y|!! zBQ~+FVeMM&SgAcIjL!GKh}tBRQR?(GpAGx`xbK$j!1{`^sN4!pvr?*M$*;1`G1`604E_P|{S55vZ{PqTHFj zLXpvv>wVoPLJ@by4`O8=de5IOt6|e)6n8^t{cB=nI1sQLR>3 zv{ZtemXuuWkia`!L5dV_7Nrj(hzlIY>mTa;3Lf2v%ri{Ks)k848y(Ow87^ZZ+u&K0{A^*tP-p5z#HY??P?Fq8+g8L)usy1x91F&_Sh7L!87;Beqe)uQDakxjKC&GFp0modY_MK1AAuQ+wATnWY0 zG^SRvC)S)Ua{(6);u7RrsxI;diIk1gJKkseaPTowZaqYaE*9mnCb6QZ$3rx}axScM7g9Ic0 zun_X4*!Rb`xX+IRI#6iN)=X@2P0As#Z3p$=KGv^Q9p$i=?Kc(#Ecnv zQV1R~c({`LJ>bh(zTin4Z6qge0JnxphwOv9yT_>G5Mc2#`_-D@N7`im^MDGqLir7@ z4++u`{5#9J=P6|7fR&M{AObbuMl&Im4%JDPf&O#>PJC0!HV#6mKL0t~S909^^RMyE z-Wy*MDdEh@J+w~4nn?H~sbb)4_ZQTEC}bYy?~n{P2%`FJWh&C9GA>d{z^-jo(hSn! 
zKQp52%ay~hBvR!x;3pTI<^C0%R97l?$LiYtz-ulZDB z_o#>BaoVP7r54^pBI4j%RR5 ztu*gsbnA0ak16G&g)sxJMdqFnn9QW}AQS#DI;E_`7DMXS=^;-x3QuM`GuJNSXO;sjYrA~ z$gn&opp)$vAHH2fkdga*uG>(=i;xmHKr{=J%AH<@ z7!p216H559gV13?6pb99?&fhMLf$YqH}8O_p@%rHwpGPuaDq5$3iAEc;KatUw)1#& zjfTyMQ)+~kUutBEWAJN^+fD6&p^R#HfP;WqKFxKWpLKIkZ6pf3Q#w$gDncRXn=hNit9NK*UY`#|U72zLrn)83- zBZUxWv~b{S`JMcpH)k1q$j-0!XwCg!@Jj9CI!_`c zulWRM0!I~4Sg=06wu{Jzx68A zSqk0FOeQu<#r9>iA0@rL@_+z72h0_4Vt~-#KNNqZQ%+TXli1Z;g_Q0=kTRtd(0rva zo1%?8L?GCWjtj?LhYh5WHDk93+#1JTy3Z91`b!Ql%3Ti}kkw;fVP%%G<(hqDDK;=F zmn@F6@`%7)Ag^xPfIeqOk2e?Gxo0yY$H0waN2RllB7UtEd<<`pxWuNFgAKRrcMh(S z1O2XzjK#L%ya2f-D!!+4@M?@(ic=F}bS|eho$aFEyG5wCnOuK4WFdh(t98zX0~Y;f`XWxwr-O*BieMEaq9BK3#I^<@{9D3y_V{ja0V9dsZnm^v{9J<@uAzH z$aiAX5i87*G4giJ%gc0N%zqRs&Ac(z_P?J^`O_j-`!Rkq3S<1-1H05q8go{jO@XnE*cKABj_V202VQ>g~vX$rXjjtmy4lxBCXNv*wR{KjHjj6-OLg z%3#ZOt9AJ7+eK@s7^vXlecL$LoMVZszpRoXsQ7Fwpf~)3(+CyCD7HP?vW2d?-9*FY z=w$iqmzL`rzI!e3M1ib9UBbmEc*P=-yV0DrlOCTQm4cCud8z1g8O`(G<1JY)jx_Wp zmA|NaKfD$n06^pt2P=5bjTUtEO%~f1`W<8+avL3wtx7RNdgwCV(@x z%M4@Hx>zAv0iv5+%DqZs)w~hJMD}Znn94N%8}ET|?!|3|wayo{!XZ!hT#~BYXofgl zE8v?_%gLfy8-0t{Pu(*X<3fNp_xmZJpEINTz=BkDYLr|mukc=!GYNpv{j_h7*86)) zCY`|hCiJdN!2o;r>=FI3M#^V-@IB59x z91QagrLS5!UMH0(uQ6p5s`%zDS+Z2JSr-kkz7l$PXIYj(ToeB^Bs2Kv68k+c`jbcF2b ztfXtr*4TvqX;bV1c~|~Q%%Wx9OgVMSgZbLP z4~?uqKVwJuh_QuSn*P>iS?Zz(wSlkofz0P#?*crL-?-TV=gS19|4>MjO0~oSS>m?e zp$v!R?m4cqtu~mY9PGRYq$nqmjqc@9{1)BJk~vnzP`9V!GMWL<6JGq%G^s0z*ZZm0x(-G`k_gpb9i3;Hr#Lxx~ zjthBEXddQ~l;vVDqLW9CBFk1(%5CeTud*2ov%I~FcK_qpde_PaFe;bU?L879h>OTT$TdA^luv{_kKqe3z1 zw7RsmR@{t-Gv;%Ch4q~wRH4?aX||p@hIBod@y_tai2UqoeAVvy`6DoiJeM4RoSV*%L~%JuAUb3Q3H;BT?Ry+X=cr1 zzfu(Zb@ZF#EF-HjDC!t|+us{1Q=C*2gnSG>HEH}fX~}&%e}N+lWWxQ#yev;HPu0Qi zninV8In&byGfi|hmp?f%Y>Kf)+r4!_?Rk5W;myulXneJUDt6T$q`Du~ULZf>ZsgH} z@4GJQ_XNByj_d3AJmu1MY*)NU9^LHffBoI@UPZ>6M=QeSh=f|rd{|l=rrq0Ae7(#@ z`QR^OQDXVKZGtew*NQ!^MMg$hM4p|j_Y##hIBsv{1@;AoB|HxivDpD9xSu zy@?v|@Lt0~$IWE29aMay|Av^{h$Il?nD(a4p=%wNo*2TYi+Nxe1TzW 
z1nrl&kW1C!)yw?GyX;(DDYE?SW_Ca+?10Vh{gNl3a>pmW+@f+(%iWTzHRAggI>W(% z)D0%)8JEY&{90cOo-=Y04l^0r`lu>fhWYOGUSF$#@1 zG`;yG2fW5;zUQ*TGiOIqA+$7B=?~^RKk19KqoTZB&plLE?Jl`-g89flT|Y}lHoFRS z^i1n0NjEU*3;(itU1f@c!M(M9O^GV$WIW?L{bzE?AHP42BMA29+u>nGx}&b+#%Xv% z;w=!S{oSb5I)`=!kjzV@N=(+mv#SdRd}RvQId2>KhY}+6nLO|z<9gjpBl_m&=YmSQ znrClZ3na#M&seV?P(c$;s(~;yU8eiy>U<>5$9YJ+8!*W(HCRHsg{CTM6Qwjm(ux%c=7i%CB#mTG)Sx%I^kKCP=QlFs#J? zGGH&_cfC`?C66g|k_+T)WVLoRx@=PII*j>7Cda#3vPYP5Qv2c7RjG9}-|M(47ZpnJ zg)F2%zTV;!p~P^edQ+h5$c0>3w07wiV&S{&?*#jWU-Z;UT23n0lvVho^1rkzc@)|n zif2sB#oamf;O~936J&1_9hf%yBNZ#L?LTuUdro#~9&K6OA{py-OweC2*|tT{HOP0x zOCHZIg|ra=&{a(eypSBiW}`woQ3$*vw@7J-gx`v1iwiZZEn*_;+#K(N^3M+UXIl zMXUo5BoS4`w5RdoBjQ7-L=Xn$l=)uZwk8ntq*qdc-xdxp(24vqti%0^y+C-n53y0QrZ#zc&w{r+KFYexbAhEvLy{obJ595$z0C=?i=B77|V)>dr74 z^X-tMDxDrSKqkx#eB00nC@v{2(bBEe{;>_SWTRl7JP6!bcKC2PoKYgNv8)HAz9c0($FHeN)mHfTbyrD)jP%aZlo8L6Zf7c1h|qDCFG|Ep1i%Ga0H`AAfK2 zLoVI=+6|#P_GB!LwL!YGE%lh^biAy>==%;P;dqnIFB6)tkeV)XEU73uSx4t;bR2mG z)H*F*TBA!P4{DlI%TaeE`eaoe-&l{q$d?3&Ev_YO^nRDrhsUfTQl!&iBok0>-a9jpO$T3Mmst?4v zVa#Ut2OlaOB?}f+1*;|ez?IdKkxE-#%;QcBDUX9$1pK%CqZYOzFXt@hRvr(qZoEa0 zHkwRU@v?1dzTUzOdt(I7Bs}sGRi3?j*eRje)0r-bwE0%l(aBEt#{dZ5iJ?vB7pexf zgBLsX@N@3CG6JfW?I9auzY)vL;cRHo$`XqsjBQCpnNat=F2ZsC z-Ey^-N1fTvr*a7oH>4c;^(nk$m9nuZJssYjqB3q6m{5#IxW6VO=n+H`a_W+ zF@r~~S7eHs*}Jcy*uP$`C|?KD)arF;!v~k?@IM6`MBY#lUFV$2oMX&50t=F+O=NVAcAT|iOVf&X-Teb1j z=#8w_g{hqI0IO(v zbg?y#bAVAP#o2A8U%s?6buPNgcx-w>H8uN+y5;~*7^9@F!Uer>(pK6|!&UlsnO;t% z&t+3aG{T3dlhK2-6blCB%+PV;rbxhGu0RB!LG(B!1uE9)N9Yo(krZ%o!XU^0M!-|; zFo{9si^3n8DQd*&C2zszlKEUtQF$7;0{>>+2*CGt@-gyKrcoi%t43?=XjrMUXu{6& zv@sd%*iLq-jc6@f-PiO@W14Z~p4`6u{9u-ye>PAnTy4go{Wt8N|F8bBjM|-&jx%Ewhy|iX;$3IPdEcJzAV?XAJnO zS?O0%!|BM=4>N*1;%P>B9iC>MLgmU#b5*%p>`oe;TGPoVF;QM${zG}EYoVG!+s+>= zy%;3e9tKV$uZP`#463=c#LNS}SX$0_niI%;v#2LY+lJw8|H4%T&40;X(~zEFa@&Ot zPj)t3p&`1YMeu_3kWBh!fQ*)S`q4+5-9Y4}$1`IdXz909{HNKR#w3SH2utIADFtUi{{uttH}4Yr*G20dFYrwFGr>1rpu!2L)bwf0kv zJfa}|xOA_qL2`@5t}Th{1ZsfW 
z;Gvce?eup2+1Qp#Er+PzFMQf3uilf4-19N_H$}IOePDO)^CP0Y5?OH$V%4-+3)pJr z8AOcVGGBsNC5kilF8xCFKqcEGBh|4@FMa^M)?azC}qO8w}T7EFsJrodB2zbz1#CbAY7twKaG!R2hrIbt%rxZj91 z)mf+W>94ng)Wj2-TDG`DIu~85%)@fHqGKVk5bWDmr&I|&{w0~ncc@&|xSs=7*eJA} zCkibm12we##52pZe|_6#F4O#0D0mHc)0;9#GFDPnyRgWdOpI=GY#Of)j!sbTQkZnW zmHlj)()%?I2jNZ{UqSN90rMC8iDA~|YCZ5oBby$&GS;77KQr>A>l$xM4OziN%XkJ# z!h-WwjU5+%SdTREHqBw_^Y5BN(9YgiMz+v}8H9<=cJ*P7(X`bpHx|>y;TC5)1IF+$Y(+W~7vFjXi+T(n-z=QkY_xt8#V!~gqNk$K2&0Vlft+I$ z&)4aw&hzM~-X5dGWaHqqaI=cf5eouAq6GDJgh3yA7*|-AwY?S$2acrtu&8K4k(Daq z`M`YGGR<71O9S+GdO1P2x~d8)FU);#0`1M)2Fp0myssa~7A29RBH4MPG&NcKJ*o~d zj>8M6U6L{ihS0$mL5?De7@OwltGl|I^}Lhp{JJY9<@b%xWn0d4?M`YR2{j86Xw`Qc zf{5j=?P{OX6B}+RUt%5ck=F;AYziz5ji*854nF>PAv|Jt6MFIuP-S`n2jIWjQVm!1 z^y*X3{61?7Vb(thOSd+i_qT!D+J=gLHUXqjbR%p9+YRRCCv z?i#bgaiQD3`2zJf9qV7TEmIt2$jV$)No<>6kSj@8{~EqOj!ZxU)>Y1Dx|ZGL$b=fr zW_c1v8jJa8cTsm^?x>(u>a|En?;&P3hU$j&`?y_(HOMLG2Hl#7Nk16B1Kvg{w59C8 z`eQGMD(VvB$ekzAr#cT~9+w?6ljg*wt{#!QvI|sx8^+&Jn%=e=JAQ=E*Ks93dC>^R zB{79UpT6u&e3uLw&n%G4PWsa!>gRy6sr%~>;Oxa1{djtfar1jkJ`vM|3!&{`&+j60 zfHR_Xk8-UgqL!4ONL^xkBK5uSj*t8D2t;HhFjGl_^JWj)L9utUdDZE@OQDs1sS zX9H-ANGOt@YT=Cg@}Uo6efGoMcDRoRbwmM5xejnXVwA%_Q5C2o(N@46mhAcZ{T0T?l)iia4aJV(l(Iyc5X z(ouEn^5mFfswBtBX0owIO|6)*gN`Rg!A>Z?AG3%nYL#Z0>x!6UQCdxrPeiLtkPQiEVpfgt ze!G~(Y;_))tX5NK{xB&9#1`X3!em)h zf<+6KG`r1S1+P+vvrYZhSDsbAC|xVkDymZu`;Gpe=D6F3|1QFEzBv4UG}h+-;hy`3 z1uI@#&^q8ASUnJ7r=^S^BI9=|{i|qsFe*!1Htyvn@Z;3z9|~CO$x0UnBPA6JSVRMg zH>r@7boGBCCMr^fQv^}}{L(|xPqXJHFNide+=HNMX(9;e-!HWxuHKhwooX(D+<{gL?3kG(e@II?81)IhL538e}k zZqhSlz1N^nPT_B*b4Ph$?!NC2AJ<`cemmFWut(YLd6}%ee)wmpC7d#>E;uuUAdWk0 za-?qDzM?wT6d3Dav{O<0duAHJrRws%xf_K%7qi@mC#Y`8B?@L7S@~L;{g~NpG;s==4`dZ3s}^Q%n~-)-l`>pS4^Tjaj0!hey#d(V6QdMy8{~Tr=m!; zEhqIHG2aL#HDKB+DJdtxX9KzJGoo_gTte{Y!LG)CKxxpXC?r5_T}L`8%NwZBh1e>#BPxeZw^Jn_X0of-`pJJKHFR&j9#Q&5uYOF^f+6p19Vy>b}U*#XFpSYBL3C9 z3y|!Da-|o`nlvJ4`7JFXm&3L)M-;oxFD0PRG!^X9FB13aCaglo#2*P!`GGNK<&UL ze58Leluyd6kkx3MGM!dVr<1G=Ei$;te~HC$(3=iFkdSWe_Ekl6tk3p>G`IxZ$)Uey 
zzm_kYJ5WEO0dQWb__~9ygi3zSI9rL~=^iGy+*}wN$<@B4^5awe8{jyzvvjWtZb4%7 zU(M=@+B=3(Vl3#xNt53BDl%B5b074)XE-2iu%KH7N%nFkKXz3S8G5_K$)^@xKYIlm zuH30&^TquR5qD?V9KS!ceL58YH5tts1^QoIO}ZOGkDy1ez|o>Lmu;WXkK2!Vk=&wW z%@{e+T5Z!?Dyb65DlIEREshl0WVyT8(Z4%2wNkCzH+0NbmsZ3+sm5ZM7yuz>S@%D4 z8&~PFj{`0q^*-S?&Sww_54n@-l=bCEnT2kG8`6hI?Pa_B(`D8eM%7fc>waouW@Iv14U`9uza`JVnVX~I;%xiO~0{tcIEZ9PnOfbfN5kW}D zWeRg+8M2B%5)kNnwRIpnI=_Gcl-fWj(SU?AnI&y?@W$9&A3m<;LZp=u={r=&-_oew zGy+t>g{&Et&l=lHgp7qc?kz`J{eo&Y_kAyQnh}|Ax=Q75nNui4Giy45Gfnr`6j9%2dc?gex(ediRl-_#8;>y%`Kw1{^?ZzQIhTLrA1@t+Q= zsXvw+2M0+mM=ZxJb^#u)Dl)zjn$L*htl21EN-R5niksy{yuYr*2NAEQZSyBaBCU^( znQuj>937C+H)vrj=W#tfOIja~gnjN#fI>ZFW7#t@ycJeFVPRF&7xg&=bq6G7O>nCU z2rozWAjoZggEn+|Us1FxobdB(OjK8lkwY{HD=o+lm&8>Br>XJyco~-DURB75PF|~X z?U5aC`~6&uRo#;SX53elz%{EbkBMzv8JaC#7k|Q-7PjTx-Pe--QDj0{OpNAQAt+8l zu#2%;%~~EDCH38*v*o07{gxVuW-eR)-wsv{oD&w(f^){)UzbV-eOu<;+H4Bz_+;5I z#Z+%cqx~`sFya*BTvUWE`GOr|!uLqRVBA_6cuaPD>>B+Ag#rt&G*DcXP}# zeQJa$WiE;gJ(s+aUGf}7fH*LyzA|h7!XkyMJ+G{sT7RojPD*6HhHC4;1)fxC!y3DdKO{ZoWsDoCgrEmh z-W98Y}czqXV|jjR`KL>a{`fysL>oiqNQZVf+%i> zit^3|f=I)-+zaREQ0+fnCU??@jNCI@kKtjbF5O5jHlY954$KG?a=e=sMcTqfqEc;4 z(FWlom_qV`ad&FPb1G3iOk_hTLH4B@Ek*%y;Wl|sO4E(I=9H~pmoO?NQ;j-gl6w_8W(*%(bl7nQ}3 z%Luimhi0`v+m3(<@!_regj_+<=&6wdmHUz=SW?6cX-W!}Anv+H>UD&|^~MnQqL(xY zQiIAfdtcva7VnE0 z3Cc8CC}-gS6>bsTtf&}I8cnJo33xO!OF?*&zc$9*Q8H8Mrhr%F?l~>w}t z-LeIKx>ZI{6z{@{gz7s(D(1>7Ogd))K=c8#^pHp9xsQhzb6=eF>_e@ubrirhoi(7p zP4_!66PH`%1J4Ub&}QwD>=Y=^R#4=;}wXgs#* zQ$;jeNMJmh7`nkBMMHQswvJG>W;VXeY^1jUG3Zp z!QRdSmiU9NQiYs9ducJ58;eXJYU^+)frG3GInj8ott}G^)QK>m#(gU7Cgyr+k1cXb ze`d-ydCLxGIU*UbsTGl(@E63Y1@O27jtm1+h~?OGtQtP66~A| z@NQ8JpI$@S*(sUgRWD>$)?oUm-1gtsxGLo+1WQ0c(UkT;Ej0yAZOzQ%Q2fK+b_oK? 
zMCwb#qd%`ui{tK{N_?$nKKcD{#&KQ$Le)-YB^o;_}U1DmT(aoh?$PXUA~Ln_uHyJOZxDFX1-S(k0~rNTNbQ z>BkX-NWK&67~q^~iq~z~MBV9gQ;A}BWZ{wf>BwT7ZWN9-8TU!t{Dj$#k(;Hm4m+9f zcg2ep5l`&1VRn1q{+^W+tH~f`wC1jtM&X2O{%J#4UIq`2i}z;Rmgn`p2I5s+yWa{Y zc!aF^2gEezUzX5u~@v0{JM7c(OMN>DOWBxF55vKAV z)|X2fn^3LO$@uy0&UJqu3sdxUrYNAQZQ)34-44W4~L@v4Yq89jRTG&_o#)j`e%N4j@(YmIr3XcmrjY9 z+3T~b=Ui#ouR3@$i-#VPU^gbn7JlM;HmVq2>fLhf)ZcB+%V3BR7AC%q-Ktn_8Uq=YWNbkY*L9o2IxiW6v|k875(uGeZo*xJmNtvA$j@UW3H7N&opXtqvwo@J-tT#PZe+XqS_reM ztD@mCZHv}hNpW+YqG~Dg-p0N;=J|c&6ZSBQWmx^aL)p>c$`3*u$`_9pbf zW44iJa!CtfW=m;-=h_QIrJ$vBOiaWKx}iQ1DM&xbuimPuc6++gnI2s`I8K~vKcDiA zDJvCu)9aWVBWq`Sykm!aL?zlmy|T_Ea=`cY3~{P$b*O2wm?N&8VTI~6!cIY$Pu_Ub z_UYV6qkHiQ-yzg=rSf!O2|sRu%5ba8CG3sE_hR1e6Hx%bs2rJ5c|oAhuSjxnwJE!HQ}j~_Vt$EZMFUQzA^9skO(uyI1-?`Y|E z{G}h%)P6KGN$=$KuKBv?Iz$+z+GnqHEa~clH(^>~RG&Xm<>C#HRu}46A;>%aEJ-=z zM0`FQBQ_xh0N^j1c?H=@xVG%?iK5hf^B8fH5NBK)@amddBXPkMvWzv?0|#iIa$tBq zxmBx>3%f3#L2_0sx76SDY+c8zO4+lOvUv~OI*#JE0sZo4TU)Q^@Ctsg2lQqmo8j8c z{6~f1`M>#uL*^%Td38 z8s47456wJ$u<6L%Oa%jr@{=Ur;X+8mCYs8ul>bsW-z6(&GS^F=x>hgrmRmG(l(Fi4 zyWm+71IEe4{SMNye9!omxi%+S(ZjIqV&Z#a4fJY}YHs?0C+SO&6ue1DKHr1vfJsxQ z=W_{V&{>xL8(gv1<3L+0Il=eo{Lk}cPnL#Wu#!X1?A4fMxj=xinVV0#44H6!LZH? 
zuyL%)^Ey16E(P8LKTs{o<}8DXd*Jt6Y|MF{9NXrXwwtaW^) zeJWi+8Jo2H7z`84;k&Dgz_)al)L#k$Qx8avmgI3bXY-B|pwQ<3nJeW4Yv zwHV$%6pLr?U|DK@Ms3NsgIfyQBtV&#OE>Yj`1@w^Lb`o5O)DXm0nX=THa|k%DUU}6 zP^YNMQ|pRM^6esw9Q@_^DDXK)c<%=A2vzj1qwy-_v$a0niOK>)(lm$~pe-PSO3l_Pa3t1sT;0>LI*Lg*;<$~y+9-%tb zKmERrWCYd}T_a5Yj*9a8{4MPerjD;s{925ly?HuVN&o9&*=Osny(5*jorYAdLqvag zydY?gz(QX+yoZYPU@k{2VqPEkN|$;Tb6$*C7_kq0+T1yMUJwc~TwQ5>AY4A6eJ%)| zw);E|h)7+A+wzwnU%E?&Q`Xi-3G`usM>lwmxYgQ(B5S@rcOps?5>}R7px$5Ml18I; z1mO)=QIH7%-w7#4Wc=5sa8j?MB}S5&Y4A}wmnL*D%(u-q>%^DD`+2`!OfvVfB45BT zLP);&3bnaVeGyxIp_Z5~<|IKJ(2NM2bje$}))$_hV>+HEx{y#c^d_W+^tztY>d|0Esw{w!F%Gif4~0!yZ!vHd&SGaWoue|**B-L^oW+vgLzBq{$lkD4YTfRdbj1MmzBf89_->T z2<%I0;`Lt%zVn#GJtT9sRr+Ut$-re9f4Zun&4MQr~M67l}Cfhw`x< zsNBaZEzN2}<65myP@diCh!JN-ei-3tjJ6^1mmM*%CsHPHu%D z`*C@aFR(~(sL4#($bLyJqU{A) z@G)$b$2utAWERb8W-t&#Pv8S!4hp`Lr}DEZK36$X<^M1#N*6CckC&%`h7)B@_b_I%WN z61|~!6OD{wwq+b3?)E>Q$Vv*oliB9J={|l^*(b;A5Iak6$amWsV-aSj!W0M5ckXjkVLk>ZA`It4Mo(tTQ@irWh05rphVO@G z61|7rJrUSbySbJ|JuUtk%ZN|0x%)(R9CUxub3V02jM!AaB$qnQ58a99Ha(CsfKif= zUco5r|6}j1quTn`yFz^id%3(kOBpQyBBvSxRl~93GT(+ zEkJtn+hgo;&)M&L$3Ex2`}}e4J%44ak(DKLt<3q%`Fx+x7ZXcRgSKa9N<}4(g!{Y8 zw!Y<4A6GTN(t&P==>F#hs`=Aa7?OS1#SV z2(+MV4{Vspm7Q<NNBB9yxQ*!mG0)Cx;5#zS3Uw`>F)h>O-RcXo*KezPCCY) zz%(~BMr5KqGnjN6|3ggQ|KqI3zdZ}VQCZ@lDyNWb2-5&0l4DU_HP@1~t#Q3@h>Ggw z(0aI0dBr5YU}CCu*CEc^gek?J6tAkK#FuNFW_#zr!-&hXALL~w}>*fJwHDm zgB4cTV0omHgx-B5J~uGj7@=T_38|}(5^K-O*Xac6ibt5px9IE-DrIIdpg9PGLONt; zK`#d7o|ltL_c{vA$yrEIXVc$@jhvz={8ndkx>iaoQS1)UQgQx~>5vyTSxMc?O!ZF+ zY8Xibbu|14RgVL8WT9l51-a(aLy9R|(><_or&RleU7)<@Djx2FKzHJqqT~8TkeFGN z>e-3#e*T0IfGE!9RZB`9B*X7vwif;t*#=H9tf>i`L!h~(2T*~cHRBO4C-~u3Ci7PVt0mLWr`pM@=vuZTC6Y6# ze!K`Zuz={>F8Q5FJVlA)mC2gA2Sj-mhJ|am2E(clOa#e zrR8@Ls>w!xP9zKry)X45G*ux#<&Jf7Gk*NaP@ZB5ZcZ(p%sO_00^Y0~db=T}!VdW7b?;a&vZRjlv6%fid9Lv*kR+{ zf0wHKaUeWKcA+fO;`jG%_Md(JtGe^Q&Z9=GOnOKcDvh(F^m^faVU8bP%o=u{-HF~a zGtw@U!y7&QZK@Bo=TbNCaX0@m{l*rv*9*=YvX9t 
zrQ3@ZSxQ@$3fh6jzFe)B7Fy4ylHLA;w)T8x@i)jW?|Z!tZ%kMN+%)w2M_P1e?zdph(??B_7VUp6uqZ&eviY-(ID;egr!9DF7$96!w zH@{R1%Ycku1@PvEHM!<{UX1JTsn@7S@>8Q(VqEgTjNHr0#kF+b1mb_=CHAz4W;otI zz_paAkJZ*TYJmMH*7nw4fW6G+kcfLFQ%RI1&!M1gCjhf6{XL|yJbT|>}+3hy@`P9|p6B&4di*UNxD z+=wHC+wlINJ!SuccB-cQ3G<%b_vIh7>`D}ev=aijSEu@Kw$Hc!`OxkLsQ&=f z{}cHBFXH@v7<`R_68{~1&CUMtUk|?KX6NSq_}>kDo%HDA|A4Rm2K4?P@b&+Ium1<` z{r?Vg{)F_$3o!Df;xq7gF)IJJ+DwI{i@FgNLSJFC#nhT1b9^fI4 z43bBM0#C+Kp#b+kpw?$ZQ}Iw}b(DF~KO?X|wfc&ID){*J`WMv&(^v2f8|p-%x&Lq# z%~%W=D1V!OvJ)A@f8a>}vs3f`=bK;v$>yQk)ol3d!Q`x~3!z>PH;{?^YMUdaH|)3S zAJa*Fno}>r3m%}J0Uw4Sqawr5R{jCV{eK8NXJoWyjBi!=v6?{5!-+oF+5FNsI76%1 zJga+<8?kU=IB9NyBD#;YWXd=uaVs14^cyin7 z@Kt7%BM%3eq`$EpXE?>EEG~7~mRNwYBQYOupOw@nI?XLrJz4O=%}?X&Qv!&qEYH1x z>c=K8J!f*t%w29unkFRn=0{>oZhp6r$<;O$jA^FQ(QfeMv_+x%>JAaVf52i)YeGfo zBV{g+5mSRZLARQ`tHZ)Xa($VKe2XOA9wLr?W0_965KgAHN{;GFH>9i4MJay3`xfN% zs(hVHV?)ZBEka{QNDcqolVd$d`F@Wc&YGJw;K_d5%kGFb-DLdC7-p~AvUhhOZdbFZ z*3?m7?-)A-{XWXBNZG31I<5Z@+SD8x>q2VIG^^yyv@Z}w)uQQZ)H)*Zw&?8!{&a?N zZ#KRfP&v$rr({-aLVH`)-~J1UPw?{=2ec{VC3`XHO2Tqi)gB`*yFk6;&-Dsi{caSY zUG?u|x&O!~#u)P7z7YTNw?mc@wFFSi;!gL0b};l2Dc?_e6q-<5p^R}MWqutxLRRLA zt?aZxsyV#WK#5GStY>Bd@h7e>vJ9(9)1IBqoEDWcg)NU5>Vwd=rp5@mV@Ou{=x4X$ zLbC@mNj-Stj7?cH4lG1pK7H@kmz8`v6J<@WV(kRs(|RJlFeS+a&vaz~P(5>?tGs{wyqP1w&Apiat>u@d5yp@knaeo;2GaBFAhaW)+A z31V1)C$6Mz&528ArEkiL{j$Y(S8tW-d{>t@o6_Q4bF2ZVJcCH3@T;T@JMj!PPc4U; z|J+k8M(TaFvI?DB%SiL6&7XthfiW6~i*>qM$kP|oh#6i=_E=Y=1(g{jiEV#vTdLJu z#?be8{)c7WjWfW9P2Ip~T+L{^Mit+UKx51cWL^ERPbEuwou$?F#RIb}cLpEBpx#)^ zYmFbpXikB9~9q{Ddwi5#P@ zB))uo)Ji_$2;MCKh^iG-;T1caCo`K!D&@vL>*H}-$Sa%{N2#1Xps=n}f6#OW^GVcX z3@NW;%}U2HFEN&sGV%KEXDc%~6BXr=UM@EhbJZ9<%Bkh69`zK#%^BiLyaeYh)j;Cr!8KVcN}z~r(LT#n&i zK!oJZEP)JzU2t-ELXP`iAhDl+Pc=K($Gh!nEx$b_3<*BaI9B3(mU4y1`tgG#l<4K(?!0kH^J_RROY-pH!5{)7WBU{$)*IK)*@vnTTl*mfD0d>^1s_s zdWr%p{W}=%|62L}&z6ZEY4{*)U&~scl{Mj}r<(z3dw&GdK z=}t9S7_v^pV+8k!%QuI*6FDX4y`iOCijX2~_3~MWrieAxN~E_sywPw`2jy%wd@xw2 zZ~D~HKKq7T`q`-FAGC5M>0+GzPlmKDrVz?p1kyFnI`H$e*r{gx=J(#-zEu6wziFg% 
z>l^34m&Bf*L43MUKe;a+_9@M`52qjWZ7ZqyQe$^$vZf6*FRE^`9=LsOUe47@;XU7dcYRyxhJ3Sh-kDgtk|}1Ru(w8C znNWx^%nFdN`Yi}OXoOs4?-VmaD?pkC1M&ftZp+Y8aIB-XT%I8cj(%HY z+DBU9JBoB@kPfH$EIjb^Z3jDPuNMMqIi+6gaHpWQE_vX*fVvnP0Iuk6_X1#@8fLEH$lq(Z+M2+Kb2Le@N{8Nr$w!+tn>rSE zlg{V|f>_cW-dtk~N0qRS{rlpXSDX?-f6%o0tRJl6(8PAAH(tk6c2!Pd|Xvn==`Lko>#>OYrGRO!kv^pA;a+qFZ2UULLsbS z9c__w(8R+8ie01;B2?n8VcJryGP<}sF~-^%N>~MUPe)@qY+EE|>Ln%ol}_$fqT|m6 z?rz7woBPBv+aCc^-1K9zk>j#8w}|gQhNPS3e|{&R62bSu=|i$ZF>unN=29*tCzUW# z<|QFbGR*1l0JL|QCVdrMx3Z7*XpUs7f>5nQmdFbgNx3HZ4yS_$;V98mxOx3`1Yb2jepBV_WCG9C#QrJv=rD za!xBZGgPC#sC@mM(8z7u!C}|HK&0&C{9Df5{phgZRWxw3L6Lf~s}wyj9datCrx@Z| z*dYBoVYq&@<+uH+`+ZB~l1;6YrqZCOYX95IN`)YgX%yK{>{pDndo=K)5i@zQ&iF;*8`P z_IakXM3+W7JgRqM7)~1wf(>?eg`^iFIy|ZKS~gMq^wGZOBiQ~CD`SKSnwp9hi3kL) zmT$p14TI70^JsepPSohbS27J5vEOnWEt5_#BN6oGW$G5ld$kyDfkV5fMp0-*J&q)_ z|N703T~H4+O;LPDd3xf-uDgu53)Eo4kEDV4o{30x6qTdBb$k44n4k~}%(m4~PKree_%Q^vz$_FE4cvxwTJ1a~6@7%*5}uB{SS1gkl~ z)}ZaSq47V{V9wr@i&`_jR=l_`uJ=E1m1;=UM|uT^Ry}osgR^viq)jyu1pwMXpKX#Z zH^6o~Bdul|?AER!@$kBh#2rEAJDR>#0IuzIAQHVYf{|&uf_g`cUcPs%V$KwOf^n_|^51p{*y!FIsDMZO<)-Z9--G z`%cLMy8$h+m>gvRUw#p0y^+}lYT1e1j*!xQ%q43C{z zVsa_+)>#~hqkW+x8U~=7w5(qx1qxN5TvW_0dR^38 z{!)I6v~yt4?>WgmXb;=w&H`=;=5`@r;u;v^L!9apoD%4P=I9&Nt5PizbLkUInO$H| zQKKjAnTiU?9c;$qigN7mm9jY;Ryy}mo^ z4cGM(9$A(!JK)X$E~8dWdsa7itla#-n!m|qXF9wgSs$;aEm7BMY2y`|RN|WB3kh|Y z?OX+s@#Ztrl=`gS_8q^iK_I&<0S9Q}mfTAVl;A-tc6SuPnz$ zk%4v*jIwNg4Hi|>FHB*rNHgmcDw7_4`uQt5#-1W-2yC_2HPIIdbsI*2PecVW~(4{apo9pL3? 
zv?Lv6rqVgZoTIQkP(37`Bxf;=7J-Uu&SXUZzC>}xL`4HBTY-f6YY*?22UiZ?i#j>6 z4~Rq zIH>XxKEMgt)Wmis@G|(EklCav9V5G zf|k|#-{z{(xBsBM0c^zVcU+-DOQ}8ys(-hI=5X^5o^$^J!=Jw!{}80)l&o-wk-S)cbH95PWblJTYl#-L$_E zFuXsLPCUm^L`J&kuE#25Vm6Q5PMF)NMzY z>9IcsGj+B{o(UELKiV}|h31f(Lbhi*bVdyuoil5;Y~&AjH-v{ObAG~7eCE&>&9GZG zarY7MQYYHlXBDDMUNT7TeQ(risz*R>6uTn;e|B0wFDdu{yOZB9_*|&xR;qxx0Vt|- z)q6I{upK!m*l5DKl}8gAmbs4{zZkKyB5Tzgf2ZADwBl^U(Ly0g^{cCqM`VtrYGO-E zSRm#CrAmZ zKDR_H_s?Ke>9y5vh&#$aP?Z8LQG3i>N_xvrA2I5ymBo;Xox^!WvLXc5m95rwWeAPq zeU{D2VH6~$ZDuRhtTwp$7dsISwBxU9Fp|$v&E5=-DYKplX7nZ#xjY2f6*?^>X=XbQ zDSM+kkV&d3M1wdzDnuqTqifB%I zNoMOSBBD5wbM`$kJt-#aM+LRww0ZD61?w!T^r79V+-&TfOR#b$VoK^m_q5zRyylRq zOaF=%F1?Qj;a+pv&|Sdx*lHt+CH~1??`i90QQslfb z@^{VmRsN-q80l2;z&*&{+=Ok8itrt5pNn9zQ8%7R*oiG|mDo`i8-19Jf<&V4@6L#WOiw6|?9D z@wdn@KEwm_gyXlod^=4Qtn1Bk;FhQ6aC>u%(@Wt`{IkM-WBVEx`#_X$0GmA#v*U(f zv==%Yv`wW?X;t!J?o%|``9kJb@Cd_`4&FRut=Mr2<;62{@X0R$6yI0sPwA_ zWVHlnY-g+5?EU>HFAda1#PqV;SJ4qbJ|!=u+61o<88Y`r0XKdH&aB+8Pvyg=p8|X=AD?eZnVLKv#yD@A>f1 zkS4rHa<{jV<*;esKi`B6ohweren~7tl&Tx^I%JRO;#IxKjAbZc@2xT9 z^evz_6S*?o)W)=r#2>LMp9_Um_yJ8}4yHFi9;nOn3H$CHx81XWjIR9JtcREu1la|{ zNaHymEAGfef!FOWG8X%Lh4HIjozWLOY&OKNn4wFl$Q!DQaN85)`pWoq`5WD$ifnCa z+v3##cF_y!>PoTKO@R_6D8tRaIT4^15&z4=hxod9blmP;JN%e)KX05=b12+hT1R+R zHGow5?d0MD>#!uRNo&Bfy=O&lVaP#}9`3Z+&2VSDH7(!s`HRhady$|;OW}RWKWK7R z6&O8a+`iiSkXbAjI9BYjdg7!5V|idk+5nz^*m$tV(Yr{keumYTqL(G*k~~IhtjY8i zmO6WmKTl_untL2eh>y)Ue(r#Kq3&3NX|kN72dEXljaP&m+b8=EOnD!p9N79r@sF7B z$NIa$z)ORSn=-~JCwrc93OfpvR5XByhmF-FR({}ZnCT*z817y&#GN=&|LOH?R{R5= z!={==u| zeql`1#30MTH;L_SBQD`!BnhQ&E*zYW1q4;H?#&}V-G`9{$6hDi)U;;ysWilm1a1#* z!zkeAJyO{>G4tzpA5{VmQe$zFF*$|-ZTQE?W1YIxFnxIkip6N3&48MdL88lU5)(WL`E`;57!4WMVD`#fa)=HG)0d8d#2wkOEcb`e6pF(Ud6XHE<+D%1P@ z%ofO}f>EOZ`(dGgKDy_E?}Xu3C_joEkclwX6*fq6Udz<%Y$HoBQOqg0e>-ladS6%b z_(gvH$m`s^3ICxFf-=1zl(V>+SgWUJNnb+C?o|G5pyq7y# zQ2)+(MH9SrZTXRi=_sdA*5v1`IF0-eUa|8&5|rz%e`>;@IL~rsl5O{AGXD6(uc4Q{ zoXk&0_q^?@^tQywzXd{)FpFr6$R8Z>cnXL(Q=KE?$uwlNbIc}T#ZtX9^*R|Dm2<3H 
z^>-Y@PDB0)LgYBsz14s=exn#vOv3Kp#+|wmPdY22?hDv&ELxpg^9rY@bJV*eeY5E7a zzjr-Rcvj%&=rO{`e;Ya=ls=9}k59OyP52WjH+oy)KIe{(7qkVO&#m$d^loXYd7Y1rbqP<8@`WIi}(feMtHHK|D`{3zPkncAZY9MYFY0$!euN`f$}E{|MNOH207tQ)fC zu2_f&ZVS>OCI0X%L*wO!!slYK0ZCl?hROy zd>lxd2J zTMFiN@*gxTyx|$4w>eYRp^Wom<821vChk*jEf`|SKWd(h9V_NU{y~!+d@8S=Dd@Qo z`8mtvS?{Jn3e9>V20#IxY8NzG_x^K6ocuRJE~Y~+#J3~jdaoI6;yLacqUE%2T&dXF1QHK%8(u5I4ljn3ahng7r=n=1oaKdD7Ekf#h~1A?6i>^Bt`m1A=Q|GOdQVXx|q)ZioMYT0P>!g;rn^HDy8Mr$<$ z_(^1W9@{55=QArj^3s%#FrfgHJL14MYB~>?!TUXCJzZ9HNv)C^Z)(0^WIfEB2oGi> zZ3&J;WbNw9yEKPcte(bf8zK3q?sybv4H%lelVSc2mCPt21%HCek;pDmPF^B*j$Z3F zO)>58Wz_MzwZ7ZSVu$Dg^5T=EB?WY3aO;qE2WpzQ z+crUXm7a7}X@&m8?@m6@D{#QD&>Ff1Qs=>@gH_BpVJR`6$BY+WQw_$F7_5xdJWeU2 z8uh#8pj-*EupWO1R1Vatw~N+iUzU>IxuA~us39Qjh8^5GqT@UjaE=kCSx2;)tK_$W-Bc5kNS-lQcTMPv+6 zIehaeAJ^;KzpR*rQb|>Z&%o#Fnj?>dccVqSm~jY&I|*&VI^o+ysdl}!HZd&tNkF0J zkD{8Fk(c6~lw2Zg4b9Q>*x+{wj#O^WT>9)ul30*UdAOWJ)69hQ3o9G(zpUo|Yf|*F zey?h?r*bmajA!>-qam|h_?qUae5RbTYXt5*F(QGvHbnWfQDY%)lC%J3F9;* z7GX1hKa56Y0~Fe!+$iuHeWS!`X6ma;Ed*qs&15T{H9^$e`M4p>y z#o=8<-K<`us(51OkSE8LiXzi_GwOiVT-Guehc%Q(9sPuPpDC19kg0$zYa0)w1KIQ{F~@net~6Ojh!}M!*S!L?1HPe3c?8HV4Jcp8+6z?v9LlI2hd#4ywan`(-8n0~3Thnw zd?`|0b-~lk+TX-UMQzs&-hXE=P1^OL0&^9;FJH5|30@arByYWsyVk3T)LMGcHy4Ez z?kuNJ*;>$aDb}VI_2p}-H$MNoUW|6)a!YCby9xO8$f9~I&5muWU*t>1`3%JqjaA|K|9@Ya%jpD*LS>y|7F%5k;QoYRNUrFT^v4^~# zuWzTS^7dFUJI7g+#v6e=bnXaNAEs`VQrTwk)UvV7*Qy{MVliQ?DeogTM2t1omqZT) zHjtFi-2BDlGSuva=JmUGl15kzf>3C*iB`;!8f7l%r<{ zB1fM0A{kb&TuG-ZHoegoh-1(Mv3J~ugtK3V|5pQhOt zzoFUmqh)^qOwucsl)f!AScrg_)FOsb2F8@ z_eFs|^Dbg@A2nV$3f8z&C7lsE8P06qJU`A($Td*RwSG0fWa;x*3UDWL&&FIl1zaoE zl{^{PT>R|QPlt(8>SCbM>!Ef9Et9>KMlPNX_?msE*%aV%%X?lsSCgze3vJ5hV&N)B zBu?r6k@3be%s}%7aZ7oHw6aur;1STR*)Q|?^49?U&y6khfNo4jkpy?y*v{7egTrpj zV59eQS>j6jIyQ31G^?ITMhy(4PN6H0t^~Xe%qM}n7e4S5=D^+MwO-F$6SwJ8v$$!k zVsNyi5KpEfDyN(Bmrm!uK$k;HfL8a{JY5B`aH#aX>)>4=2IQjTL}$R5pyo}?IY&&x zhe5vkJ9Y21B2csVv-HZL%|pP4cI(3-&ng*$m_h&eh{2EO$32d}V8x6@I?9vBm4(s0 zokeBYes8WG)+rTGrdwIg4Ie)`-^$U1^|(c>(DC(CpYJg(rS=L@D3E 
zj|n28IJx7&9zNxo2irR7pvo533s8u+@C&c)Upmgi_T1Nv<40qs^Yzs9OTN1gj1t#j zKx1TzIZ>@OV6!b|j#v1LW#y`khsfyTvTqmKGt}qzUzuxJH|so+d#j61+Ik+nMGQ$_5fS1rGr;Yg}Z;f z8iF$Syi86Gq|v+fV}d8P2hF(9x{PM<4_eLo7DnK{JX>cmjOq}ZYcM>y&vpM69HiWS zM=@0w+td8K_u0I_#WrPQiSte4g4oqOGQ%lPc27-VrL}?P6j|-%%U4j%A@*UlzP=Ue zinT29lWm*&i8obtg$^vuQ0XhkhrOT47{b-KDe)1cF|1cHp1-#mGnQtVIc7FaC$dm2h zmArB5{G^ZK%?wJqBcELWoKU1mn%tei_auJByNMl`Yk(~dNk;h z#!)#WmhTc^z|2ZaLr!j4L}iqpka1=7c)P z_bzfp;`(^9Y2&zYB-c@cZ>>g!TJ@}&ihEcf>sqSNCr)*@o;}fKfB*YBG_>7nlYbHE z2gcvSEGo-uwv7Dj@4@$a7*BMb=i)eOFgdYy&qeY_M(MBbh^T9jV9aiRg-&D8vw2#Y zjS+p-?gp~5jyVJiE=Bus%Em_ZfiC>w7eZ4me@?z|*NH9LF=FFmvUt$~{{C3;m;~ii zlF__H;LG`a*0E1j&Z1)y0E3TIdRVmtGwwCwE<(y(_IV`6Mlw!2#N(&2-eH@FvJ$Cz zc*J3efyMoYR(DUurnu}HUstT0n#Pm@@KfDAb?=B*?(03& zNGgTBZ=+*fJ2YP(I*_WB%So*LxIn&#Ba)xWAYFaoP+8Svp&v55rd_42W^^gc{J|D( zu_rkQ2&*~}l!xWlrTJt^|FV4;7kaSKDYm-CbFyof&u_p_Ai<>A+teT;Sd(G$1}6*m zDN7Jez7y0iM=d>kaS$^>nrWnzEle*sQG3zY-3nW3n&dVm*lPRaF3tzupu~f#*7<|s z`YIPhJBr9fnyDZYr3JUfD@J&b%(Wcd)sD{vq?G0v1`9UBrh zKr$*~FU-koFz%W9`AX_oJG}tBou&T33BUqc_tdXf-X{0fG12`#imPRjlnA=}IeSJ! zs&_H32#5j1VfBVF0x3-7c}(1ETZZfJ6cIK2!XT!e#A1hXZGr|(n>5i@=8BJ%VgURe zz1Dhx(J+%RlO+6z@h>m%6!6x^k=%!*bLC#8z6_4Vq`jwB1y)uwIf!vVMj3)bSCQO~ z$tLWT#|ye1lYrN0NoTDqoLXWy?|Qki6m=HHj}o_KWlX|{nxVs*?3U?~xrnftrcj5v z+gzEabfNJd?IoGBou?vZ`X@7FCL9vx5dblde5pG~nQ)}Fy-n~5alo+<-F5KRm7qVL zQZ_+E<5=Z%ON_2WJ(RBQ-Sfs@dP9vUY`1dE_P;nSADkHL$8ijmVP!K@*9z-J7fe3l zzaRu3I$nHecvzJX{t-IM)eY&&W_n)CyH%C{yjR6J0k+U@LW2UoyH2%-a3ey?f7n+u z-ZN&IK|rwg;O5>2eAD-kDe!ycYkNI#D|%Vl{=&Z1hD4mplczNJj@vMv2DL9d4Kf}Z-aC}{Inx{N8qwHR5A{iR@3o#4Bs?`Ziidpa-22ud}s zl(%YqQv)TE_6v;jImsAxPqu3vir&Jrp<3pGa-I9M2`Dc z92XgV>6*Jt$WwVQ;I68&a^M7zeiHf?kD|C#A5De5DCHf;J-QTIqfCcbqzdCecjLm}x?a6V-XMe5pRyKwCaxf( z9`6?~y7!=t%UpV*8mODgJLg||W4|?cnXR86g{Tf_>A)Dj^Zh&{BC5e8`k4Hsl(<0? zqxL}nw;19lFP6M{qFTA?d^FNJ*FxeVh-7?C7x#kq(2(~+$~-)_sm%?Iwg8s?6=xKU-9~)GM_+j z=CcuvAfe=-o_=)=+xxyGhZ9tiGC%Y2lTaM5Q`qj9s-CL-e5z_bqis0(%aRhIc0cqP zk-+=(={yZh+_QFvD^eo$8c1*>iZ*#gnJJ6~azEXI(xED#OG9gG^DN}dIj}0BEsX5(V#IN>t1bjc? 
zTA=1JaG?0A0rS+@cP(3%b|fMc)Iz*+YT4oYU479J(tE|>;?=u6Q<=fyEr$cf%Jgzc z?3-*^dM#QFd%8q6gga3oyBT$l-7s!i?x5W1P+VD)EjJRQBU7}Zn*!DUZ~*CgAfpl@ zQoMQAD{wV7-SEykB}ePfq}vFmdd=JA_$E#^@#JSufw|jpT-I2_mOQ7;X5zA9t>+9* ziKDUnPw(xZ>th4wLJ|d6^~(oA^0QRi1Y0Ae8UsC^A-pxkrc8jqxVZDg_rvnZ<#*#% zyEp1~Z(HiplKTm8D<%&4kLT;`?Q@}_o6&v*!2W@JMSQaODfy(#z*>cFz+CvdB^QfUmlKr=(ub+cY^)AR?XE$eI*!uR=@z@KP+qW*Fcgg^db z1>wA}fy!k2$>E>t#|??n*q=#O17P&va1C zGwk5t?qa+9UIG}$%-GM5!PEb>`KqHt%7v}c!YE2HmHB&GKgS<5N)nfu0GrbK$>0QY zkV)m11v=Y-DLq~NmY+2lSI@i$$8FfAQhZ!HWIx+5F`@8@yF-!-z1(COu__#MF6TT^ z^}XDRZ6IJ>Hl!b(&51_c_;giru29+!VL;)fk+9nrwmG|B`2fWvp%BEt!$2%(nQR_F( z#EgrTx>)CYO)(o?hhgpkG6)G+eq>aZRBuj2&?G#*^{j7L)`E-gc;%7xlQcA96C(V7 zWscpRYE$B$Y<~x?5G)(+5x2WSvhSgO$Ddi!6U z+NPzGDrZ%Kmv1!H&5_`^KT=D#N4prYR8iotWA^tJQkm9|$RB=LQx_mSD*eU&Ct~VX z5=8;z0p+c+KbcR@z$l~Lp5a$3qhzuJCZIpz9x!hVri;1HDB*Oh>f7-rq-y({&bPmxjaGHXt$)ASO+ZYamhHi zx?>JLRnfX;#yE~L)gZ&xP)Qqo*7?|s>O3`qI$%P#Ka-?$BVssfx+WEYZztP7f7EyK-bVOtIu!0q=$w6~#Ww zKL_Yp-l}9+s-a?}!mrhfPEnlC2^x@tDC!y-ZK5jZIj3oe#uul^Zp1iM+_~8DgkB(m zD&J00#Ze*8j;;RbCEtTiS7-B<{KZEdi3udXF%#D%HD-g?R%JWcN>0i>plE(C8gDIh z#(gvOlF@F>At5HD0_zk8qYSPoIN7XQVV93J4L%F@da)X~+-xdn+ixWj5`8YCe_%*&1%^=72XIZ%@uwie@LOIdH506-+<+s4^1t$B8>#r~l zmmAwuI~#shE3%l@MVotHV@3u;RUi!<3Df{pvIC1 zF~qgB)@p_~2s!b!NAo5-&I>6Oqpq_z75cDd=(gbtviY1*2OogNzClcA_68M0A)2RJ z!_&22?};ur^Vl)C!Jv>lGVcLIs%T#+Hs)iRAVLd_YBx334a z&abaTEZmQ#I?Da1A1{7twcv<>O>TtSq2h(Nt@#7m)~=2fBkDl1W&RdTSdOwSit=Is zWs#WhtThD>(fXSJV6fFJ$O`ZgKUBOL5R@R7G-~gZ8f;JD=i&aHdn^a;pKH>!p=Rq- zsJYd7_d4?W^+q6a?_pOkvMb*;)i*J5)BdxlwiK~@7&abaD==vH@;Yb5$CldfAwDL+ z#7}4?OLX>fozTvfa8};sF{~dPcD3q+T8ARVXj3cIkA27s#ofw`-S%Euj9QP8TSfT) zr05Wk;bAUqTo?%0gnQvYoMw%HB9|5aM;rd&H#Xp=*&gkVyy!ZiQA;&gTcyu!RKg5(G8J5_u=PXA1>;&eqtuGx3O zifk54i!p0|SD?3F@$;|4nHneF4@{+Js!FnYVW^Q0fe*ZrY(qKt=KVF8R_73^%Z96$Io8L?D z^7rn@^p=bP7E;2K4DVbqGty>+ybK>Jd#PnTG9n(!K`}biR|4SVZe&@L@EFhuzi)}yRoz*@@pud}-NKY%ss+jyYo{cOPY)pqWGzsY`v<%9=d5wJ6N zLCAnJjTvdf|5dk~{UCz%|GpAl)~exBASlTqE&Y7C21@V$k})MXE{5+xtn(?#?Gg*w 
zdK7dN3j@@@c~ATU7_9>R(ZG-#KMPW{QWw}7}?z5Sraalq)hyce-U zLe?7Pk^dcLWyBP(-=C_*FOZ8tPo@T9FJtWbCb;SEtSY>g z5BE*h*={=!o2Zb`_(iqM&nV(ORXSbzZMm$AN0y5=r1FOvJ9$KD;0C5I*HmfuBpJd* zrv@iVg#ITdn*RW5G=IyG)io+sZqDW2t-V47Ra$Q0QeKjos6~l|xjOMak(JQ9$TDu5 zD$ArCf0dstvEP+7op;|e&UKvfCKky5q0C03P?n4NvMpa|E{L1ZxupIJ4EGUWwI7lW zttvV4h##dAs!cEp_Es#YWT8371@0A}xNVD&KI*-+08Q-Zzh`r>O1NXWO)CzUD@4McDPDDctt>(JBQ zN#Ccb0c18FYvf7ls&CG|RxLNv?`R#iXo`;=>cL(cH%CEZhdvt=C^{eN-H;v-JiEwN zr14JsA-NNq;>VuQ?Nj~7U1L2)Yk}<_!0!+ANJ~R|DeI?I1o2*0=tSIQT#Syz#89t! z^CR&mt5GuNBP#F-q+a?e>Ycml_n=XfEDc%M77JY=x-h_Cvts|iKod3j>%-nA9?RZ5 z(oji9x%ef1XwNEobmw#GhzR3G|M^_Xn!%dSWjqfuIhC0xo8BtYGc;M)qe4~r<)d?I>z^w+jz1Q+QVNc86a2X+ zLETU__GV_@E0ucgJ?CrM!DdFn>G1FtO>45vLij3<;Diy@sG!qAii5}S+O1nRO?xcu zCunXM_GYq^wmR-xu7}UoO^aIvw&C$rXqRuPV%~l^(lL4eI++E(E4EAZPj^+-{ZDE~ zEVDiRefIg~S-A_jjh-+dvny(C33bpS;>l>1gTvkx{L~LMq_f|@=Trgo zUnd+~r!LowFS$@1ZoZb2PpPCld+mPr$OWazFQkUB1o7fM49KjT-7#pKuNrh8!rwMNEu;Fw-FIo}b21?WsJ@)jR9Di_R zqldHt$!gP&E~US1yIHo-I#g7GV6

P5wTxfoWY5hy`Qldrt}vrvEV3s$u+_!FRU4 zAUPNa(%u@hWtxXZ+$bC7#kOf2w?cpFxn$PgdvBoNDxk*C2U zg`VQ=$h6NzjZ1s7qbmXB7MxE+X!odQtu^N7N3OjejpcA%L{oO~DZVi+iR?EA-)B!& zE!jdhy#55qfOZ#UeWBM{^rkh9%8|a*Y_B(g*;^uen0vQ&t6&vsh!%ptH5upYLHcTe zLY^J-yjuMbC$dps_u?x9fmc^a1VObafLNjRfg>o z=L17}fG7&(iA#UXmlAuad&>^RZv@#)7`>aNjm)VzFMQfriEWW7j|V>tU_Kb3P9Ciw zYhe3b%+_-fU1x6h>tB$|H>~W>xLyK6bYwC@p6?3qCv%YuJiy>OZ^f3|8%`67Di8To z%s+{AO0nRkIDEYo0T^$^n36(M(%)a*hs-d5Vt&*d&;7le&4Y6M@c!BRFs9+Qw5ri2 zenjVcP}lQAmdb7mTdWveP0;rSm2~pDd6PGAWi2>fV7@xJ3o*>5lS{s)ZoGqrd>S;! zIA}{ZZEQ@GZN6>E#7=nEp}Or84lT;oPW*<#(O?U&QNzDJQ_)blaQ%Au&A17u(<8na ziu*dKa%HSyRmAw)ZU(~#y^NC$0~+vn!?Lw>OAVFuapx+g=v2LV85kv#xlwjzodw}j z12LU`#Q`Kr&F7&&M> zsuR^~y<=n8I#sDJG30%7BcED(s!H((7Gmc2Hp8-9>PBkBB|QvSInh{+=l*-qn<*#j zs08w94at*SPLP0shQUuxf1|EUb8Iok=i8Fj;TDf+mVJ*6kGLpiXMqtMWWEM(WC8?7 zZ^5XYzTN4Hsyu+(4zIc`6}D$jPUuUV+I4wJ=HFeh4tD;-@GQjE91}~I?pc~;8CSDu zq#*a>kA0>JMTx}8*x4My^@jlM{Y`RJl3QoydDK4I7A>yaA zr%R|KE-vvpeQqVL^wL*{z-ZkFKjuzn+a%k$>LCWguCsk$$&_8&OuW!W{m4Inb(X5p zp(I|}1fi^eB7FSWZ-(#6eKKV~^pYXC+G;pc#%~Giokm}nC{VfSs@0eF;yw%t~(M!iV%dN6@ibe~HxW2pNn*CZKkk>Ko0sK>9WA0&Adk?Zc zS{;EC^2AJv%q&R*gDw=`B{Mb0zV5Y_gR4Tv;UG;Ne@1`ZQtk}4?6HL~6A+bY8#xuQ zRG6NrO3$LulUsR**VSODIpTAwWPv?w<=6R7dB07!`R?tug8GyAfV) zr<)3ELx`^`3d^6Y&f}?IHExYQB84 zE#UW71Y4S4%dH%X<>>2s2}H3ar&?B(Ag)3@g<@llyFYA&1UU{J=lA}$m;zMq1R7&O zVOnbyw2y4%iqNI>Afw56s6P;wpD5EdJ_UjFz&WmK88|HZo4Jfcf0dW83i(O`-JvFM*WtfWd(cZ41T!i z8aN8~jLM37Y3F{{(I4o={t*u)pL*ezbEqoEvzCq1i;}J+gnn9MjML_3PDS_ATYj{q zc9bRqtO29Jcxj$^Ddy3Q?2?@>64_cZ>Uv2Dmj_q=k`-(L2N&%&H=xuuM|k~GS;W@( zug#@3uc(x+Oq;LIiToQu>(f~mLB(C)ROx(E`swp+WhOnhbY@gPc<`v}do)!WDO2UC zFns$K0}qb6*cH`58i`gGRp7Z{Ey)~e{~8E6jL`X0wWyOViwG?&d(6tFiI9pVW4)gN z)6nli1lYOVvw*&ASk3vxt)Oi8#cgH1V7f?+m(7;VZty>}AMB6#H_nw05A-h$(sg16 z#`=D~awVg|F(6a$6J6SrI^nR0q7k8_I}df&?!EMAPnr7qXaRPQG&)_>8h@4Xncy+r z4eaib{>$B28TDr!6sPKVKbUytYVNDSCcCrr-%8(UK6r!*^(HCzlOI;_fh*XP)7pWZ z9x~6c4-E*RR4I2sPXVwf&()nzqd?h-O-dq3VAZgLw}Sr#WY>;s=Gi!zI+lVTs@^oI zoSw!KuM|qOq@)ktji*Tc$w&AY5A;VTx^EtzqHlDl 
zLmM9ntDq67i{Cj8JP{g;Jw4FT8F%p8&Y_DdP~Eim2;o>DMb=?@wWZ)!)3ntK%|#}) z<IFwKL-B}@XGvv#ZqJ*lm@Rcnz$@tu>2G3{Jw6`8 zqSA%AHM>skMWSupTy)UI?IPjZ?Uu>9?_3#3hqVc0BAjUuu(h3ANIy^zpYuwz5_21L zWHzx=g+?nhA-Y?57tEg3;&*z?3-mKrpVO1=WYR?LqozwO>-_a@%Y;OJ0z6i~bEg$4 zGIkk5$`=Hd`jgC-ar|5ac7}B)U#Zqll7q|2&ohj2=?tj-O7Mh*_eI`TcaEf$<*O{z zOkKhrrqwl5=+0j>mi}bwM&?CY;Xi|mtU!S^y~gLmeaY`hvqTEM2c8`qWa9ZRme#k! zbO^vE`fYXNFqW-;0HvxD47ZTt=qK4PyS6v=5z^11lo=aGcA9Cngs-=dK3)O#EKKj} z#}`|MtWm*^Ead7hnS~_}CCry&O$I70Z8JZdIybCx-WT4o(dnj2bCwzF?Dn>gXU2&I zI+G9|zxUZwb`z*ve)r@eVWx6LgXZt-Voaf+CGw+s*z5F_Lx%byGVM84$qwMnZ;l-N z)$bZYi&<`mEF$}l17RMIj1Ft-V4pQ$3AYr#81wXG;yIn63<=yohTKcSD&Cq@IQPz zGeCi{#w&!P&q_n#w)BRqZ@e#h&q^+~+~NSd&1p2&KmGy4uxlMLv?an`-MQ0xJDNtx z2uJ6Pd|-&8SKpanSQcdX5KB_al=`~O;zi{kd+eWY0pt^LSqck{!G2LvTEsz*f!fIc z*DJTOJ&TA=^{|1}m0lR1PCb@imgyV*@Y?jRT)z7RVyOV~-h4C8k8=#&={ET6*7ONC z#fGKfF*SW>@N&cqOw@Y|CM^dtpT?f-j2xFe)@UVZ@eeYmB7F-Loq*l@@zUL^~f64J|Z&$)1&j;*65bb^;eVDWoLX` zmbxJ3Rbt#)XE&Y4M}}?VQBbtu>`BudWB* z=iqZ7esQ;g+j5=DC8?**OdrF`X>6VVO`?DJ?Qv;Z>9ETRfl-eZyaSTiMiOy?4 z^W$#!J}z5-{zL@pigU91Yfz?%?qq$K&hvMDt5p~>S86VlI@gLzcK^wvJQX&;*0291 z6DToH9SeLx9PfYJF<)TtTk-b89t}}A)8y?TY%-Fv3xlhcz;bgaZ z)A&L8`Y96;*eIM(R<2dfzrJTc_UkbVgDywXN`psd;U^NasgS@ayx3f3xqN+5fb( zw+Dm~c>VYi@PPF}u4wcRFyHV2lQz_IXr_B*6}1lLKJ1l*M| zm#%Diyq<1p?!{1(>4)|2)Sod^0&J)Fs4xo3rbff6Ya9)(;J!i5;Gu5;w7tUDtSdUT zW*U5TV58_fZIaGS%ycA6Qk2C)FG=tLCN;=UV}!^uVXXTY7Ku-(>oSbG?2&O%~U9N8N+rydujyLdjCH8`3?uu z)cE>>v5?+J;Md!Ff9-Hf*z=|+iJhD*o}+03dRuVczKIDx#i@4v9dY!_{LR;#Lm<~Fy5c)RQD!^j_!%mg z>!5KA*3!_DyD3*2q~f)5FMjd1Mvsxt>Cbl;IR@eT^n2NICBFFC58%6Lm)@#VV%OQr zZTqZAZp1npG0ErtL;t!qx}e-g%0dSVJx<>j!d6}1g{-gKTkolzsIY3d$gfRCctv6T zA(Oh`lxYSK55rz+O!^{xM>!i0sY-nP8xl8qTJ*zcIYadop2*7iTD{<~E?mBj(4t5G z9vYQ?Z5@$Dk;*VLC>Fb=*^yGuzRM4fSH;Dekg;Hemu7n84_z1;eTfhqOP69rrL~d$ zrv|eOM4zTLKHLT%xx?b9znb$oo=odJJi(*DJIzN~JnsQgI=fB;1^h~uWU3%b27n*N z_3@<>#_p+u7eSh+r9G1w*X+nU2AOY&yLA%Mu}hBh*ugl=6bG8x`|JX&`u$nUFkyH* zf@hc}cpLl}wO?h;){uOs#cyt+%C16OD6OAQH*Fu{j)5use4pEe^~67N@1HAXh(^`D 
zojBqyXVB9lDYvyVVBWiEz+0l*Y7;&2v%TnlYUn+$@Wp>tyf4?0?8_bjv5E8*-Pw-Y zW>^3-CCZSSsj5LeKF`M|i0H{q@URqCn*+ayt#UNmd_;e|$qo>Bs3pIpb_DN$)g zUp!ISOOh>5E*|vtg0biw2+D^aT@oj0Q*6vs-Ux(c9n&M<)^(VJjj191P>VU;SG43v|^hDwv~r~NRm*SF}OxclTiDICWjh(0YeBjPznlcetoRN3qo%*}YpN5osl+|ihl?Bg7x{D~vSg*Tq~-+AG33F4w7HDU=#6yj zNUraVR-AU>hh7TG^HK||>O;3!QEyr%lDuZmB9(^X3ihhl!>Q%PLN%RTyYca-20K#! zeLDQl>wl;E_#a9nduUIwJ&Z5H_9>!gt@e-W1alx)6aMp3R!gAdwr!O(4f{v+65Kgi zc2KPV{H4nM9p0Y0{19kn0X8bXMw7Ltm<$OWBvq!7-ZBL?XZ%Evg=-xI>mS8#Rpewl{SO3I6n2JEkX+{n86Q;|eL zb}-m0La?ikAu9fX1ytndYN}L*S8A;DyIz&cI?OPYdq1zKo_&0y`pH8xF9}4n!l&b? zEqWi({7tc0dy_dd^X!AZt?Z~RmOUlj#idiXB`vu;jyu1AQL@ze%&Z(mMnZBwS)BzG z3fyKK=yq@}Oh#>cnOaviS_HX^9Qo83v$Yj1yvC5zTZrUw(w5>$Sn@6Jb^$JR9*N5p z+9uqEjTzsl_mC5~FRks(VL5mZIppG!;M5uFqCx5h$!SWjVe=WiBxVY&sQ8R~EN23# zGd}AwlrDA??|rNK?jT+{)Miq)B~LEI1me7$SKa2=lr$F30%wvQW%WU&%yRkyp4qKD7f zq^D;SFs9lzHCzjdeJ72e`-*84kLk0*1=wyNYu`b{Y7xfD#|sD@vN9NweuR7ZIc(Wk zxVVLXU_6usr`<#T4Awcbqiq_%j*&CUjvY;{`EyYGsAa(4jCb)0oVBMfQ+MZ+ftohq z={qPh)3Me1lh|dR=<`kf&il3`y~wK7##t$rBqZwyfTMZ7;%|KJvon(AQBV1pje3(l z_UeVYT?x$M#V;It@KjqV7J}gO%*K1Da$9Zk&lP6)> z{9}=|%Vj`9SLf!3s4(4eF6du`aRY9uV(g@L9gm^nobGl-l!T zGg92!;W5s&H6>73Fu6V=HNyYA!ihnqq)Jgf2J*daiYk$OZ{38m?0vQ&VsUpYF6zvZ zq1ADrtG;U3$k5 zl`XvTxuBHVQD!zEJLSv+`3}&kVPn?e1py(~5#uDq@7ab6=`v=DhjrM1@41%kCT8tW zC;YOg!!&b*YqhgaDN#;M2VI@x5xDA@EIV^*NOSA0{FUk2&aHG7R1sKW#F&)OMbWTe ze!$XngGE!zz>MKBbIIhm-&U4$-_ni zIhAwwCz(S)-zoA*=D(Y{P6rQ`GfmZWskg!|V#E#}1$FoP6ak-{M`WK8 zI^lL!{qimi#HCl0Xq6FN60AxgSR7|bQm0rcUlKhYojEHdKgwSmN~UwLl6w<=#7l8D z0`x1Df>{2X|2)xRUEn8|Q?@hVs616;yW<#n+uvF%U_PFw7$?{e-2cM6L{fxdyv|dO zZHs;FuON2k!Tzoqk{4gF+(d29U~x`+<9Yz;s~U9-f72su8W5K+#TT+gMvgf0zuYGT zGc542JK^RM{irstZxIbN+j{43%QSCTtkOw&kEpom3m1t8nXJ;UNzQK@lj8cs?&%st zWTZLC`Qh-jTWN1HV;_+~5W5Fv4J3;H>ZX6@q->E}u{Rxm-dwz_JtYOFVdr{!SdxRX4eHDr3rsJ>$vL$LMWy}yJ>PsS)Gb@w4CC7ec6o1b(eBO89adSE1lJMw)PzI znVXg=BjfyGbP!P(3wAAz1pF5!QeEc1uD$;O^o(K{eU9!b{{f60kIDUyyARa&53x{X z-#-;Mj|{ND%>44O#-smf^}$Mo*bLr(y|j&_UNuyvQp7M?c5J=GG5z)!+(A2RVK@g_ 
zGJ4l{D&p{%B(8RCVSFbQD!E1drGrp*_RP9cA-<15t?M_G?hX?*? z*<*U{Q$OS{twbSN=GZRPSlC>};r`TT`_Qisu%FS|L-;ykB~(tbNJT|O8Liy%{Zsw2 zw4CNKSxg!)is_I??-L3&xTz3;^V>IFo2S}-e(OEfg=8_8h4Dl=jC9@=i}Kv!og$Ur z%TJs^JQT%jRz|rogYO%m{kL}B-0dDCWu&h~5ZC^=t)7gtu1tR`z9+(v;v!Boq7Kg? zUk$_JdK78gSwvX&q!tCcNR(YX`_?f!e|fl$MpcW8<9DeGIBb6DQ&_vYboreA*7ik8 z?23IQr1Q3pdgKKG(7B!+sOuC~#R{gKvFHQAeQz3Yp7#PIjvcGpc{ zm%SL4W>0c!YL>Mv_LO}*)J7QClEOT}J}*a`2!`hOR5;@uG2W8_M|`tJ^6bepx6(3@ z6wLNvlz5X*YfsSn5Lo1;Gj3E7CSM|Q*A6l955igfk1$&nH-@i`ZNATVs+{p=#RV7aV-+H2G4?fd`}(LTJN z(S7A&vx$p;#K_p`U{PHk_tW$@a&|0iJ2QHl?{|QvhEbl-m{T0(%qVG?43xcC1h0@j zOX0X=Ec20YQL%=T z>E?!s<-zWeqZ(E$vPsMZEOKc7-Q=kq`K#H<1APX0rFH8tfE%MV{nm8r0y9*av~|Y1 zE;DA&HA!nhACYfcvxhxO_*JRD>k8#`7PY?CJU3$Zqt{ASZRY!)`x6$<@X*4%q!aFH z{m#?lq?R;Z$wk&#ZoDAg_Q;89_0XF+G0*@^1V-+PjumaW_rsbN3J{my&Tq0<(ze@*E^V0@=A?Lm zae)}<5@4dRp75z4@6GMF&wTh*CxN0AP3^)~$E$-=9O zPu7^!c-%B?*==WHi9D;S9$&;tb0&%eLS(ww1#`Fh`lavaO1l;R`Oe=0XJcrCKLh

HzwnBykuJ}RnaCKCm*k{3JYaQH{XC`XkXI5qiHj70Y0!%o(^P5 z9NdyVDf4wMoTb zHSf2$QK*i;kmrU`y?O!B2(NNV)op9KmtS>Udy@3W4ITTgVEb=1ZV*2Gt5I zcZFQ&>M{F@ZR=OozHxQUk505dbGtIs#GMyxITn@i~BO}?5|6| zU$qAGCi`7bJcwvLS8R{VTXQp<;3;d7%Y%$WX2rrYNo0--et!3X^%GiLF1T1v& zqbD);P_pEg11KBp$3^+cwd%i^Ur3-xV&j+CHgz@nwD6IB!Y?JRDv5&7T z#i54wo!ogz^7P1sOZVku@%)gtw9@#2F?p&KnR-Wu&ZxpKcdHWC9#P=3siG9VyZslQ z;bu-I?I~gwS8JO4x@L86zGNbG#Q?7uJA;M)VV?c(Mq2DOG3aXU9{^*l(LVqb{k4QB z>;JmN4d}=^QT>F)w40Wi+`X*(Jp=q-JqR}cttd(XV8F(@z=|WP9;bJm^`-3H+@t2^ z1>^S%b@fIk?^i_qRMM{g_ZO(!ZZ{UfjZ-O3}>d|OF8HIB)`(pXW} z_K`g|DAZn?>@A*Zaks{eP%H8uK=1nU9J%$q9vZbX8&G@q>K=Er)!sH$Fea8nk(Cs9 z+kEaRQP!Jaz))!5LH`bleR3kK3v8R7)uh>wzT9I>85B8ZDHaqL4bhB8?T!nBc-eKG zW(3VQA2oi?F_)@`&;O{ag=i;id2+jSR~a77-)O}fqA&|dM{S#*URAihv-?YKi^Gt5=9X(2Cc z<2?knH-QYsw4(A>GmCW0zdv+IK_-tj-7{PL@h`0Zt&yL{E8Ns%CfNI7!^fBPK$9(I zPNuaM>P+wEMz=mO{yeMYdp$TtF9vU7yu8DzElsey3tRHS$S-Uj)hJAHE2hcqZi(n} z?tJ&9*N#2PyD(E=*4e)fwqYMmK*8uvFyYyFMn94r^OJmq!XhpMf1&HPMAeYkIN<5p z1yTADn9FFReMM~9g;5*zZP=aDW$ANl^5HMBM`UTfW?bvzovtx7ZyV0tyMWxZERn7)^lxtAd!=`*)!wzoZ(r{#`?6f!_< zU*g?>>nWX!{-srmsIKlfX#pZh?6a{Y-BJG)$X-Um>bwSZ(~Qv@Q^f8Y++!b?=nr#c z`!*K@u_FIyV_-iWv5GoKp+3(`RkF6l^X6l+Zqj>&*awyDLr->rBdW$z3tUZ0%sHH- zT&*GC_2Q>|ZwwEi2k2!o<}Bz7#sozeZ3_=+-&jtk<9bwFjI-T*Z?jrLlR>dRxZ;E? z$2Yw^2PgAX6%{WMel)va=41WPwQmc!_qF}+MGkW-SBM&4gUpL2+4nHYwF10CCEXI) z(Apj5R1ZD60Nw`@uo4^=k&BWh8nz<(x=x4bnWvw=9`e2yIXi!CeO9(5-mi}>=fbr0 zjpS3gr^5DKeWrq+ac{D|S20Uvilk)RDi%+;*7DSOJF4FJQ7kvAXF$#wKDupR-Wax~ z8vnRHY>^2AwF02-hF-DY&Zb7Js}_9G5zh7qgHj~mZH|`X(b`l%s15S0_dQPU>qXa? 
zp6LBN=1xhzNDWbUip!i9F`XwO#89fiqt?W=jd(iitIbVsa@irtiMyYfB2twGLe4 zEW`MZzm}ONJ_u-%2i}DWsK@)VIhevKU}E5`bVu@~%uHD;JQ3$aizm`Tl#llbi)cgG@~$ zk0t)nb3kLIi2o=@Oxv~qxvEGxr>n{9zePEzxs*v{5cz7Meh=Oi+PXxNf~^Tlc2!BG zStR3j0_|=cFPgd$EoBDdtBY$m9V;tz?O2*DdL&jc&frcM?Q_ zO-B8X=2KoOa*w5-5z4g#?#XhBXTfl<>Rx>FH?w8cuzA<>YaPGEl*$aMCo^^r%;x#p z7%p>fMI$CB&b7XqM>^#3vB#6GtR0WqX=b;k78(>Fk81p-RE|C>!dUv(4b3blo{jMO z$<55CxzZ#}_~l4gF_0G8;$6jVfQxP8jTXGWd_zG`PFd9ZB@iAje?4KsL=*wA#Q<3K zf<3`C(a<4jv{C3cwr9+EL28V;=t5pelWq0g8Qr2V@?qmQc^D5=tI7F8$K7Jz#i;at zfVwK|8aC!{uq1uzOMiUt?z6hItcKznD&^$Hq5mB`JCQFp$5LwBy!YE-(_{FLj=)@A zG8F--1xkBxj&4IvBeN7;XR8Nc<29aFCA=u)mxa=M(MwOXN?xS3O03E&^@~IYQuolw z2zLO#(h8_4+rt0sY_yN%c-QVwyHBTQs9k!6Lw8$mT=o68UPv4gACni;YBcrn7rw2j zdzr*XjmAU}+@JQ-dV!{Ewi-lhc};9p8KfT4BN)I6Vz7Q^7n@&{NuwCVqA#{buQ|E@VdWHsS9 z`%yvWR9x{@Sg%r?skZ^7{wArC8$^ysx#p?nSKD`Ir4hv76nh_30SEOZ&-BW3io=-{-9&&GJ6>TRT)GZ!DKKo^yIL*M`5W z)nq~~&SJ4152&@dv9Kn;YH~cs!{_P5zshy|mQw3ooK7vIbZyZwGG_XdYIpN9Lw23{ zO^YN6o(KRXKV6>hQ;YXP>-_V?e5a=Y=l#Wns22v*&Kr*bgksoq@RasiUDC+-pLl7` zp}gRFn$Nvtq{Z4=DoY1-M*$yxyIs4C3^LXTyN|Lu1J3e46Mw6O#D9C;o8psIcr^vV z1x}9C6LVIU1ikOAeSvW`7#SobhlbMb{C3-HErVL!mi=5d`x4iYZl>h|K04C61p9Ko z`ttdZpLk{&U8jNIKICb0ZzREVd`@Q`5xuX=1C75jf0ncs74zN?*t%OZeG#KDtdBPN zO+}{ZVIIB_3leW!&vFXzajVYHlhl?C2z9+q{S?pD#4h_C`s+0|Vlc@8d~@U183y~! 
z))fWX$R++mzaP70^f0zAa6!xv+-DZ#CzpLjrmE2tzq`pnpaKT^!YA+WPP>$7-y z@gA}I75s}4_Wk3Qaf)nurXTTH2jCbG&z|a<`|(!N;KKWNmH~pMmUbV@ray@%N3`6}EZ1+R?4P zC*Gr(9oT^tYY)0NoD!SM^D|Hk5sn#pA`Kg%ZG>V>{RQ*EMKb;Sq4wX~-Zn;{Rrz=Z zpFeUIlNE9LjdL}f8EH37MH|A+$4BRobw2hPdR@O`IP}FGW-#9CnMRp4uza^p-{OjS zMB_69Wjb$Ylb?6sb%OUmDg zC7LSAb@_t{m+sulxLlz@a$+FrESSxo*FrSxwCDp0(8`>s=Z;98xD5(rcwj-)Z&U+ zfcI|b1{qOO@HViruuIajBvN2Qhn3SsP0B;i4Aa+Q1AH2D`y4qbz?U^)YmIIq_qXN(h3KkS{>^ z$;tMJnWp-!L)_UAH5-eNufl7WahZNK5seQZ1u52v;&FX#Mm;L7Jp!ZCDE~2S4V?{C z>!D&@8ULkX{Fz~>UY@f(IH+=bK!l-ix5#aZ;2XwZrQiQ*W%BBcUo@KaH4{uUV<(A%}=b0 zwSISe?ZlZv*Fj+s8zFuynU|1kP1UIkoRM*7@8FLM zBKC1ErHW9XE`&9GSvOcZ9JpT77{lT#z2Hnsne-bCcvs0c)$lXHFPc*!}6pcAH_^qim zUUI~}>bvchsG|~HhPJyHI({5uGtz&sK@rbuucnH*{X}9uHGM=o?kj1G$vpT^x%??Mwu{4>p9f@pka5>(Fi-iy@u0)9 zi7?%&R8PUNE5T6Q;^VAQyBmCFPsfpm>x~olss$cRu#}Y5n+%VS68l~~exp~q{81Uk zmRzLhAs@X5X_feoOn335{sEZSCD|r1J$<}G9cp57U&nuPA||ZZ&hn#(l5y%~gML?3 ze$%RS5Jl!d?)CJ-@#aR`51N6Ks!$Woe*pfHy|f)?v?U{=2I%Oj*PXokK)hB_Ok%Og)Qk=0~}#pq*T05*DRXvh>|_mBiIu~q;I1r=Y=or}j% z$;LIt&;{QN-+Nt8m8eI;xGu>CbW%T6Eyz}bso7=1v<-bs=?5}=Iolb>YTjZ(-#;38 zObq&3st11_dv7r0Z!YHZ4^L|C2|Q$E_-ThO+p6Qu6zf$5I*JcRnv)PdyW^>t5{eeu!k# z@gxX*89=;sJNz`ycH~{Y$NX(`Xt_z!s-oVNU%CV!4b9YNTJO-XO%{8~ zB`R&0#_shWgw8xY4=4O)PQqhrk~K=FZsQ9~LVv9h)c*R<2NCG!pG9s!A$@V6JsU~c z>A;K&M-0e2ow&o)pX>)$OPrb25WWDV$`T$WXec70@?xryUFz6ic?drC+%B1bKH;Hr z4I@$676SkpTVWTg&YzD6PckIWO2TD)K%|NphD;uqCMoZSG#Wd1Sr-VXFD+7VbN%|I z4{Ng)tD2H8D`fkrJRJ|-&eC@Fi5aVZE-fIe6gb2S@4eCn1~7v!Yk#q>5k9~Ta`st8 z!MrnF?`I09OLiSK2oUN+18*rA0V=X~rIPGI>GO5v*V~Neze|fTSvLILam?Kuu>pyv zR}-~gQb#UqT7n53OQdS7Gre!y5rT$`#d2!&{WfW~eT=5T*gZq3x2?f@JbsF5;GDAU z6RFx<1AY%wMn=zKEq|T)UO>C+o4UvH7v-MhyZEK4HgdJ`^D1fy1jI!HmuG^xtdO9- zfT>X;(CC(4(%V)0p!X__asL2(@+?1Kq0#2mu-|F0Mpxh~rz_lrnTdmJc@+j3_aO~v z8)(EXvy_1P+1`EIFLi$GB=Qdcnl(`V@y1cd&{T=Hb1azJH5?$jHyQTg1DIG*4@Fag^`2x~#|D&{%b)u~NWwBFLeUeF8NTBkKtKxnU+pvVL+UnLQ|bVxzI7E3Ug1q%SJW z|E>jWUjF|di21MY@c$E#c`7}QB?1AGbN+2W#9a31`2-k|c?O7*O(O|ozd#M>S9>>r! 
z2*Puq*TME~^Q>g~gs_J3{(9HyA3%G2*3NBUf&Qz;mekD^R+~2YDHW+8e$~lI4MoNs ziR|<|1r0O<@ZP%j1p6hdR*J8AQ8i_-TGJW{mx96K7pdJ&(wnanF4Jyrw3@XBs(46# z@h@B++zTqIHpHdw>Vp%5N~vM!ET<7<;u|OmZ!;iO11NUywxg~6|FQQLKyh{3x@ZCc zf`=qnfZ!hJ;0^(TyL%I)vEZ6U0|W^K_u%gC(73xKI6)f-4vqU=`Tx7mJ$v7CZoN8n zUe&8tw~A)1)jijA`Mxpd7~?};lfNcy{c9s0w989FNS34N0@9gJ%U%oM@hXp21)cX1 zMmgbNgcChVpmzwrPrCa!N(?SlyYNof*y*0gST0M&a+BR*dcxh(6izRqE{(Rqx*pg$ z-Nj+@2%N*|?A2{X&lv6E*5xLXaA@DcL{Z(*u{dJpmPsyI0D7>_ z{=P(-@1jrk+os&_JHbgGR*_siTib-Yt~(|O(SS|{)sHKk}7un zY$9zN9>a;88fWioc}2FvMYa>~%?gWy3*WGbx>!{9;yDfl5Rrz2FUB=|@rarcYP^%s zX}eN@rT>c6)XcVdQ%|h@%~wW)@_f&vU&w3sRV^72pCro_Rdi!^1QSG=SB6~#P>O3| z!<{=rC*)OaU!QBcUO&rU%%&}|UTk8(ak{=YF0jHg7;#2OZ29$PQ3Y+BZ5?Nof~5;N zmouV4i@i^BWjY5=9A+=>gN};d%4~LhWoz&(6WS@gND}@&MzDYR#Ab(Yi#*V(HPK8G zsy_lBRHsklpwR5Z*Pmc3i>t77HL&r+%J8@ zrLWEE&3##oEK(ra!1gyLzG?#FAYR~ly~(9U$8=sCzQRD>ncLL;yE8_e;SJp-r<=(LfTv4l$8B{5;6yVC=af@1EAx(o5QvSn;(*w*lJBLYS?ISFNaS~bk1 zY+|&-g2Mx$ozAxqEF9qY;gn30wTv01O(H_+i2Nu6^Jii~W*Xy+Gdr_yulic)FDJPW;Yc zgWJ=-CMUv{AwC#xw@ON*wFF$@Z;QB#zC9Aa7@Vvbcw-(dLx8{N>p<@5Ca8Y#y@a4_ z0`e^bCs>+z`}>px%QL`P4n3juKtzdtdRD-f(VULF+1P2FJoHE_#xnmv+4d5?D@a!Q`cx4*9`?l_*| zvgOTJve4TYX6$^DFhbLBq94_VoR8l}te#D*n7z4EQd@6a&-vkQZ;a>Y?&r0eNGb!W zT$N8CrSBQw1UO`5UWlDOlqq`cuF*pU>b#+xw`Ff^7CA3hug<@%sKVG zETviX-;8-RCXluh#za#M5$TFcy-|)Rol*68r^1zY_1F=s65u$s{hgU_Pi!BnhSC$!m>=)!-?okl#xZ@Q z&z{?zz_t>RFux(zvLw@}__pgO!D%>fms>yhTJw-z;A+%;t%gEhuUF`$nsATJ*44cj zv~hIL>3h9m(Ki!fn~(KBb@5#+X|#>CV>!bpdKJ--IpeEp_teOeG0Tzp;LrK*kxG_( zUdAuO-gRh`;vGuGM(T@I7HG^5eHM8&A(>z2*w$%4yMSI^yLKiGs|BIEm7qi&KA zoVc*Vc>eH+F&=c#Dm8v`&m~i~TKUsVhbSQKJ&cieKYg+$WgQ(uW^6#dF!EugzW0 zSVNxWB70ppyA~oxJ8xyP0lm?cXxA9TU#AyIwHylmWk$TdVeRg7R-6_GQK>a6*)RXi zUBZL;GVI0rKn#s}CE&ch{36pNUNJ~WtFnMgK&t84p1RjJ87;xrjCDsssX4U4zX-%1 zeVSJ~y^md2RV?-ok6&cTbp6zQj_66TQ*Au$FCvH^Gk0pz(eN*Lr{Unoto&i+EKfG% zn7v-!TYW?F`S+CgVk3iS4BhS@TspS-;l$BwjhIL!GV5d?t?C{X)z`II)>-(YuzY*Y zF}_)|<4JB-;sLelu>GTf3=BjBw}$_v6dsEQDuY5njExoW9KbiobQ0UmwxB-**JK5oNvls&;dLwkzERxKr%^>`kBko6)=@ 
z4ds-!=^FRGh4Sm8;TWFcbp%mS^{ifZm3)CXLTcC{X8%WvUJdfz&K=M5<)qvuz`9R1 z@8XV#?pL*M-yQWH^MAu~R|U@3S5N?omJvE0MlyM$_LSbdk=`&L-FTHILPKS%YDmpd zS6TaV0%yC^ZM{Psue~zhBJIwq^ekeYHT&*Hs+EKI5pvocaJ0;}(1vAlp-N(lDZ0mP zf4`%UDqPRwso>#R)HA)5i$255GQRnmUyNN6HtuZuh4!6-5pV3d_g~JY4}Z2J7IE=C zE9@~66&n9J?2-Oab|Ge{9r-7z7t@Yr7_0j9L3`X#{7l_0Wers7dsqe5YcG*k^*nFo z5C>OEM7w>m`FF|pahq5B^&=;)He}wl+2M?;F0|e*HqO9tgv^K>1AW;Wn#levL3m$1 z+GO3+5mrX40@XNP$3aDn9yztYhNS7Amc3-( z8&eY3ooWcCuJt2eA;rsno%;;y=jp#cY4?$;dX$vLTlaGVprlv^9nDHn*O<|ob$?}?(P*-9Wo17} zmVJF6$7WL`v&YOjc~{Q54tgws7@{A>&9lnYeHLp%Up)I}t{?;t$@eqrqY}_dTG%V0 zso8*6`>_(}LU5B>A2q$JwZ=QGJArO@#T35q=QGu~7oU`FKW!bA#{7)8+MZU~o_DED z@o^-IXFK$rE*(c@j27;nYeBUj#&4CA-MUP<7Y{Mr{|dLe+Csncxzpfk+N*o##aFVs zuBAHsl?m(8&-tHAkzP^DMWDlNi+Wdv5pjHcenjIscj2?QV<_iEmS`ZI~D-? zA!VNwb7l3XHxd%hA$lZrjglu+Yy-seU9KKx50!QGkuVh|Znmgx&21*q7j7STBKb85 z63jW>3!CB@zl`A~ya{*2!FflXRJy~=6bs!THYj%8-QnB|(o`%iV5xX}#m>jv5@HfC zCgk&Kx=732rFI=PjlCPozT4qa>s=^Ar}R`p_9F?%P+sV%j^}i6YWoUuq*9Agp_ItE z_t3jlUzOldoTba0iS_R!bUOZJGy+e8Xh2sZZ&`bY0$+x?Qw5L*n3v_-UT1`fpR%DX zAmYd5@9~Ruc60Sgm*+*j7KW4M9AcIt342&5a{sbA2+a8*j~M=opA+D8N;*RNZ289M z;ZgQ_R>VI&eP+95Ja%iJxBJ2=huLB`*jQWPM;x;kLsn8*Ku!4;N>*%gPiWUQc1`4i zkOel|!X_jhksmdCzxEmL0!~(Ik>A=zTpG0Diu?v*A7GBS=K$Qc3zl~UuO_&bD@8XFr0@b`BZZ6#wXh{>PGWNd&WIXNhRzdup_{m4nd z$@xD+Dm&Vls6m|dK+5kWLF$lC&VL6H`}-pP_eI8l0!UcY*4ED1Nsof_uT&^F|0;k1 z1xNv6YH1{9_el?k@+}1y9~UbJI|VN%8!I0>@T)jbD4@7b6r6t*03_vT=VA|J?63Ox z>j9(&Qg<}6b+Z3cFD6isxEkm^#MROSqADc@B&%*@>;wc+b9QtwasIpRoG7@3h5uJQ z{}uB;>RHm#+8N>qlC%bD=sm>5&J+TYhuE4sTTrm`@bUe5?H|qbDWyeE$8KHnxi`q|lG*(_e6t8EX>v^4$2 z)U*@>%y@gls^*{{FH-h6I>bcQqKu8Y*FXPiX)lSWXYZ~S>1an9=6zxuX<8!5v!or)M3fen7A(a~ zY69kOs$IwB73(SoQ%DkHu?R}U2DckTd34h6NltXQs zltLY|Wv=v82pfIub^3>6j3rhTWghT~>?@{kPYpldUJBM`C5j;LYF!KCu6aq8&gJ(# zqx?mUM1mZujqaM@&)J1ZA%??zfu3Pc{Pbv<`spL_RblF!z8cYI$Ikf};jE$spHdFu zS5Qr&W~fMMDPqSi7{qYK)EpbpM%yS?D{)2i*r0}hR;fhYcd7myA1$Vv6m80bA7q+N(JQcD8ekK|3^%-6YPrrZNdZ$@p}l_UWot_pBbP`{EzNa#+W7mlks!&#)OUIa7LM3G 
z6idQ4dQ?pmQ)p{?s{+*=i5`{=njf`=dfdnzKBekx=h-HtAK^xg+O}BKFeVZB{)&1b z!h(@V_`8GUg3T&o^2twDh##M0#6;I>7|w?1Jo|N6E%X@0O(!-3c^*lppl0VzF@g2@ zAj>!!juNP3E}?kjSKT>P&_by6^Vfkw9;>FA!TQxDLN2X!t|RH=-9vr~GozStDHr`8 z#wr~|*2_~5Lg3^r4t}Fl-!|FvtC0v3&q|+u7odM{1?_<4EC|W$2E0gL%eQYWb|T473Wbdb9^;9F6QB5Y6gwfKZkFad&64S2PHgpd(mEK~y=|UkFrB>{l5eW{ zicP=Moj|#tLa?b+u?bq%&Z?VwDH&2+qoi;nM$2`MfgI2y_fj_Jxg*}*kmXvtu}eZ> zrl0D*kp9@a3DZK_%p-y1W_0<1mkScT4Jr_4({J)xFAa(sQ_UeQQfwcpPzt-PTkGPXIQhQoE`&jze_bcr2JWvVB0`SI(P-GU|lCS-Qn4yuMrHo?lI%yEwx|5v`BbW8r`xovF5%VYkfl{XVY5H zO2IbBP! zL_$ey-ly`n^?*#5bwq%FzHll-RA##ZIO^)WhOb}@#$SxJILY|B}HL6Mj@2Vl`C(XhBQ^glo`1d zp4Wz*4$_dm==k-DPq9@!6Sdlw+S+CURjNORXpmc*F+u~gn77+0+{V|j_H}P~oke|)>*?B(kE|?Z^@)^MK9@@#Z z@0fa;vmxL_qi6s5MJJuDNi^#XlU4C{PxbwTVs(|FI;bqs#XQKR>E6pm^`Uc-hy4Pk z55ZZ{+!QXtHdHCTSdzw0PU>)x3Sd@7ry-G{baT=d^_%thCgzKy-&E?5BPM$N$?+ne zFQupO8A09E_TKUid6oH(XEO!3Y08^DlY9ho4@Si=%E(q;??>E|WIwcWh%h=?zS#S< z^&ybbJF_~`5Js&&j4?*#;atTNO8Tj}ZixT!%Mu5kf*72$V^OcCJr#AcF+v(XBh=>TPLDOB}UMSAmaEjr?RD){N2{%$hvVAitk~ zUNZ3k*RYj=vQX}~<}Yxcz>%%POjK6;GRT#}&|a8W?otb-oi>H$lIQ|w0P~V2=18a| zGjlxsX$lps{EJfza@z5*7TE#&% z(!=VC$fB{LGF>-N8=u`*mON^leu8a4dZk?6tjxJ*IPvT&gVp0vOAsMmSa5O24;cnz z&JXou7ar>TD@x3<5j+BvG~5rnqFhAx>|9vXX`~bbpS997qu(JiSkTEFxE<*_y;Qn{ zmS}$_IDXL$GqK#m9qL^0I?-DldlZ65j<9QfM)TBI@OWow!NDq@0;>{osIrAu_w@D4 z+&ew>sBp(e!TnEQoWUkhW|*{{>e&f_&qK9wI|udC2d&-xH;JBe0~)Z5foQ|pR(Y3O zawR-VYqCX}cLngW-oC{SVb4nM^eUwoNwyh$OI5`l9PDkNHAG=@tHb1=!5D#`7#g4B zw{hv?;N?E>8k4xHIK%~E1@_B;sTk{^s8kHdN)LsADe1MJg*FVxaP!@fvx}lg{f89g zFD(BL=&a^q?EHtN$XnWe1c-@=vmON-9|tQh7X>#5Co3Bl1qVA1D+dn+HzzkMF97Yu z)Bqf>Me!B@>5>$jAklxIdQlT+OFLTtvumiz{P{3gI6K=r@q<7{ZceO5Hb(AtwyY+0 zHXs`#$Bz(adut;T2*}&J^GThR&AG))2-&6y@KO1PY#i;s}4(%KxdLTdWo&PGWBgEX&=?^urv^9l%VzqF# zvHsul%==Gy{=?b+k>|ho(*NXjpntT~Uvv(nWoZh~8*UC>kTk^7+ybDMY#adZvbJ+n zv;R}K|Hh_3VwTQM$`D6!I~#jD+dm|f7bFAFGe>*7KXi%0%*fga0{YJx6dUJT4xqLF zJ%!p!b#s2%*Sh6)kt$?vID5G9emf6iy{RvPJB|9tr-eVnY24#)RxORu&qk4<$gtr_(= z_v;^RMbpDCx~ec4L$Vk`ill|u-Ux7TsO3ha3yS~XRQTcCGxu((g5EI4@;jgaxh9X8 
z{PQJ+!hi8FYLNKmobB2|8}`L0f%tYSzZj(j8;EuEHlGPJbziZXFw(U4JVYxe z>cy!h-)Tba?$z&kP#f7P_(^YE3e1qxn)sA^eA+&>X&JQzyC&`yUR_@IjfhAe5~cxY$ok)i&a{Ft^#@zPbQa8`kK>vn8c;i ze+kg!1WM-3X}pkbR@RwY&Vc}V3s~o$^yElAm*UL3x;jvP}A%)rM^UA}k$sr$GPSD?M zXynyM*?pef*Y>R=CMJ$^O?8vnWPNn8)Z%g8MtgjDynb3reBJ+}1~Ud$(}tBp;NaSM zyHhLj*b18s zfKXK|$d`UzdxIT1Q&}-~6S|(3yH!Hz3<2c8Z}BF%LKcazX7$|q@g!zH*i*Y6_xTFT zSz12d(>6g3{BkJts?29-`{#Bw_N#hy`-R`i&W!^%dqZ|U6P#I!Exn?LNH(Y>s)8?==fpY%@%?je0Q zh$Q4x|Mmj#Tlv^Eq&kq4vMO^&%A zHq$EWR)cz#&q{#j8csA%yxAr?Q0MBL6QM#1J4gFSw)p5$wAN<<=T4-v%tTH%uVPmJ z2k^;y#zg>5mYyV5_rT`@g6)|d&(%m+e;+tj^woy{l3ArMOuQ}SF(Qr64U=$k$b7mW zlxc1G%jS>K(#3;#*i%YuyT_9(iu#3gF8EN5yhjshpZgyJ2dqBM(xQKUZGkG|vX~8f zIX)2T_SmyaEFSi7uUh*1a>^I?)5o9p7V@WX5fOut_PN~|yA)pN&hN?>Tcd{RYU3)| z#z*tQoe7fRzw-K~=@YO=8@|p=BFQ;nU^)>Hh2U@S^22z2<{VgoUx-ET%oSlA;!m`-jI5q6{CXA?$oJX`! z+4Tu$A2Skh8yVf@;k~n8R^cG2-BqK94a{yc10C@3{rhpcCNz@5$)(;Tz`2&$#hj>iH z<}wWO3De7%xGvpB@|Cu;G`Qk9Lp?oc2?7j>LdufgtLcpA$Bx=Mh&6m?N!~pYs9XQa zlTURzq?Z(wj#CZtp z^ImmbDAsc__Xx=v0Xkbgu@4nQGa8>~4NHq+S@{cPMR3I3Ue~97;1wbJb&22jyE?wj z$$ntdFXmp54OUfhv{PJ<+&9AZfsl`N5N%?#zxkrwrMod<@+kDliqH=>h3hjX=NxdOz*S7%VOR2 zR2j9kps*0uz6IhgJ&43(nh=pQ$X8@e-eFLkB3P;6E21avQhI4!POcb(nYNtzx|zCM zTw8$ta1`bG!?iTH?@-m-Lt<%WxfImyLNpNxYlY4o$MEH*hd)O&9j$yzS*Mp%`biOe zF=S@ofONajIHQi!xe%rHe5%p62IG@a?0dR!jPpdoxm9b9#AdfkL0Fow$43oBV@Yb# zjNKxNts)!_(*Ev`G_=siM_vAT@`$vG9^ON@#wa9JdaD?bZmuoBz4F}7?RUS**-y?+ zBfjx8*wb-%6qC6|<6Dd7u4Opal@I>oTDOCjr`tSO+rx(52GKP|ON3z$8-+zmLJvF1 zhdwy0ZKtwid+zreJoHLoXu-*~+l#_k7wJXnrJ5)HZ7tVj^>$mgih5_UC+S~srD|jz%j-gq{Jw(EZFCI1S= zkBOp!qW2E^dRuXfi|qRjmta~~=dP8awz{sVHCuY((M*wf~etIT>_ci`bfjFSlC0H_^>fajsb^C0znV*4%nfUXPDo(?g9g zX2~er7<|m(<57K`oGxr|rXb!*&jwNsWk)g;+IL%c(86o~o^ZJ0!;R8x$hq`89;WF+ zO9S%Lhvr=M`F4qX9QTx&9CS@}pG_yiPOj5y7T)()dS$z$DkywGF8HXb#Y-T8oKxIh z%k{_H8|O-m;oUEW_^(ccb=*;y#g`@llf_0GGl^Qe!63HsHsqzZpn*_}nN>j!^W?i# zV+27u$2r^u7O0xiUZ^3zlu2u3or&Q%v^W%(c9r{Lo)*qUTHI3T4hou{u`w*TSM=BX zg%&RNHsv*P@2Kr~)`HX2&KD?bl)1e}2;5`DGmHlX9FiUzpS^$Pdeq-yU*B)I^QHX8 
zV_)MDtNuyPWnisYllE3^g$?}Ifg$2Ma7gFtIk_MrpGo6_oL9fLR{$6szh_&ZyVFjf zHYm-_WqNv<>+ZQtT$`}Vk1w;tO1C|s^ysN&Cj@h}P`Rib+q${C@0+3C`db=3IUmFO z_2^p97x>GKT)hgFsz=JiBOGU$5oWr*N-W(b=Z4}K@>mM+T3JW*cc5d&@4!=q z>>TRB$XSv-oK_RyvGN<}`j(-0^%5c2YumT0&#mXcc*%JB^4_}I#%kVhj5~oK#?t7f zF0QU`qPWQnm6*!7bd;L2D-fNF2)|uC2ph=R;Js{l%$7 zRyIg)SozR7_bFGo$@aRz6*^HJNsm#}FnTfsQuip=tm5;)@VAwv20sz+LVEJCv79whf2dJ8tFbzEHE|N!!;tgCuZ12 zx5oW$YW%mmARyYv(q~49|l|L$N@uRg_(DY0^T~u81mecgIfoJE7$fqOa zI6?Ql_v0i=$<>9z*u56&V^_N(bR-6hPg*+gi zADa7(DMI#1>h&QtgT5>q3WTu)u@Op(jUPCdX090&31fZpFjoA@{cx$JDV^sYY9o76 zhbQDiO3J}_aCcPhGcbQr?sM1t`bcc!#s}OKJ?n%RY;*YytQ|75ok?f-O|PYrmv`zz zuEWB~pK~a!8N#T-Qi$p9OR27q!oJ&`+f6#J968+N_mcN)irhH~f(<{p$6r?0`xIRn z!w`F#;WJQt=#(4dM>e}RC4DeNX~a%33u!b@3C-uJWfT|5+i@i?%WAN8CDCC3(vDA* zIx&pwH+fhuD%mV2>tRI}bAS;2AutU{ec7Ey!0`=|$gnZz9eeu91gX_xxa1 zOT5D}!^}zSDx{k!u!ahOTSsZO*`fxlk|8(S6?^!up?5A*tc>LyVU!>#^SGF^)QU2(F$a2dd1HC-PP<~mcjtc z9*5M(wC2t&VPvFbPdgz3=iY9`!`gE_7pgfBJ2Ab+$gH#(wiDb)Z>I>u@n-$z-2-Ne z%Ta>xLBxb;>t%gKj?skodE0J*=^HIh`57}2;=*@DbD>kq!bwiL%lJYLy5l7B$%`}~ zg8>7apG|atv9gTYQ_sXOXZFHkCv3QfgX8F2ep+XS3Dz|m~?G5hhQxZY;-wL^w-?ifZ5iZMKu=9sWU<$#vehIulBCwfC)h;ClsSUayb6C0_!Lod{Y_CK5#LXcT^M z+R*yf>D6mWA~d08z4aptxUabLB=@t(?=KgM56`b1q#Xx)!;kDP(~-|em!ZGmk&N`}VQ`?n7*{ z5A&>oJ?IDbWDWL-a^{k^zgVRJ4G6*%1@l#r#;UR;v78Tt7AV`biDu5G8YA*-;uWG3 zFv_Ht+8Jn2=W4<@ZMp>23+k6Ml=s3T-NfhV=4haW02smkCT1L|ups?|dssZc{RSJO z=O7XmTli8Ru>?C4xOGVuj>ggCK+1@0&`zq0dd>YtMC1XmhqKh8H&Keve_bc?@o=@o zONyz9t#zno>nkQYRE;?erjb^vvfFY^?m7QN5-AzTXE{YQVZmL2(blv4WI8??8&j?9W|@M)V14}* zPHO~wz#_2A_~UemL){Q_qm76#Qf;T6me-Bm@#iQt5ZIN!Xgs7gS;HvDAhx3~C!_sG zawPGI=E{3Vy*IG~%_`i0454=Uq3R)cHuqy4$v62uDk!5t2QA2=*>fZ>kL-Hgb{PN) zMMy>bu+0_zbpiid)_VUpt0K>>NW;_YT}IHLY)Cuj)Y@<%C;}eKsFu>9b+j{3w%!-f z{2^r_Fq3;6IL6?8e|zP=cC^}sGX%iu1Q4hKk9=FF+KkWB%^dFXOV@5;*$4iT;wd`p73Q(@}!f^cQz{c6lEqq^i8w za^4ph?Xp)YW6B=|cNZ^?tuxVFJoNk0hRM6osw7EEUlsiR^nQ_vL79sp^7Pz&Uq2U z*l>JsPURdv^>EPGc=bsm9VvyL7n`QkM-`(MH$3H>VYFc*z{ZFK z7N5s`Rge^;>u0Wp6(ZXk6q#s(0|r6-_+gPQBs!v}lEgD^Hzf6t!d=wov!`|WuW_pM 
zgW7C=^zB1rjlqrRqHbScMFIh|*)$0jjRmaIx>rdOJQ>Bm;)W9F$xc78S&fE(7 z1L?@=A5&qo&K}YMMQi;6#<$kWXVrG|==MQ0tMQ29F4GqgenG3*Wf(upgPvX7|BB6pw_j>E}~ zuT7nG%;4&6!uNDyjwxhW{mcn!oFwqL9>bfCsAOy!9I_DyHuUY)q>PGP<1`)9VCb1b z?dUED(L0OIR$kqSV*E()-uEcbq(2<abvJVi_A zri3!*1I44g`jFOaFR`*vd&t{SDSp2*^P~}x!sj#a?4$^Z)fkKn)wmn=GxW8)s?hsA z*HiR#xAbO3_DoVp>!T-COY(2U_47L{wsPq}>9R5QzOv=q*zBk@llt*+81OP7bLVUB zl0~=#$=cf5QBfa^N__a^GU&!&scxAPiYZsIv1h8r6XR$raNE2PGt=YrRkgPb9>=$p zF~$-41%~&_V<@k!pX5dTr};$On-iC z8c93b7l$$HLPAGW7IytD3&Y1W18!L(*4&plG$CCMl==6ZS%g}f!~21LW`w3&4(iB)M0nVXHp7dU4F3THH$617%&U)b9>q1GeC|ulu8$=a3)H2u zXgt0lGAQC18c}mVJe^(Ub$M2q_!d1KwSFqUz`(w)xIKOoJS>?{iu+C)95BH&Hm%%Y z{eV|lkyAWV#Eh#mNB&$N;jMh}qg>CEzU)pj^{>QOprHh+dKVpWXtQ3~;N1^Aed+9D z6wQ&q@@|75m~WLqriZzo53CNBL*ZA@wIQT1A6oc6hy9m7lN#bQwu8ENEO7tCAOGZ< zeF0{ynDAWFjkvM=cJXUO(UK6?CcCY~U$(qJY6|8(oC1HYHns zo=uJ=$!4Zl%N=TfF)-y}CJ=}OAM}|glRei=Gv_wdgw~;AtUqgm)z-uB%4R6uw+{9{ zwr|FHec=*%C`ns_6p(6MV=$-ewj4qyW=qM=oo(Di*d<7}M6eL@Y_(Ua=UYv{aGkS* zko#k=YWLV4r~(2N{J*8k6bu6(N4M}^DY&>SQj6s<#QzeYiY7~k9@v^{Bk7zL@LT(K zEnih+2P^p)z8Px@RwP^9ZBNAg0WFq@5wk}!v zD&LB#&RzRso=0$v>Ot1My5}U?7l3g%>_CDZSWk)pTYe}RRBjz2^Rc*>7PGHM)S0c7 z#X6ej2;-|Lw+*$z!dqPYoqZmLm(6Mp@KS_zSYks@hE;KR6i!<_aT1w3mgwV`n9~>B zJQhoeLcM##X;Cv1@MZNL-`Gn%)>b5kU%`yGZ+&6Ik;`!(K|L+^YseYms&@Z=HRC1zX*GOU-)&CyT4VDE~17;q&PX zp@Raua)a5ABDH$j5JNBobIX00lNV)q%ca7r$J_&QD(bna?foQgJtV;MSbqW+sZ&9> zGm_!C3`MG6;ko{{0Q4=8rHxL&Y1#*(a}10#D3%P%odju4^v}C8;P2vtIKXC`?_NgjfLuU|^j}}-jsZZ_ zEb6boHEA;7!C|VuBC-&QfyE|CASTbfH}1@^7bMqeC;!C117wk-I6B7d>bt@v(dNeT zj*w}V_0s*F;__;xsGZX@?3H^WE-0|@!ub8mt0`?3ykyiJe}K;j!a9pmXkt!#Fk9QE_mJ)<{M1(9)A{X&Z+5=TVm!*r*FsR#U#A-_bfemW zA6Kog0`AJv{Cn5yp5;R{7FY%+HAo^~B;w%QSki%y^K~O@!r@$*{$V(S^ii;P`%xzO z09)V@wvD2)Q+K{SBe~*c5Se%TeM!jTzBcHzJ;?P0(l6+Wc=PQ^8DP;SAv>*m%JS*6 z$e3g|4zqc`47bL`@JokpS*6NEd}+9a`t@Umw`fNp4n(hCq$m4eCW|eFw@BT&QsW-= zd^UNT>`L^E&w8?Sq0O9JWIs|sv<5IqfVDsG^wb>3ogd;#HHxi2X}8>3Z9nIJdirxN z)bT#Uji~o7D1w@Weynq2m+j4h>j6rG!(b*iF*!{cxY>ca{&%-HH02A^?fbQ@*iuz+ 
zxxV6P!xzXWw?$+MG>B%I+=U$4F}MKxu-K8k3TK5IeZONNb4ZnltQ+m|z9>={`t|at z5t!aszDqD*GFk_3;mlT9DmKFt^EgUV|kH8AhN zYjpg*`QqSk(d(I~D6P&-c+DZ-+Frm=Fv1hd&(GpZldY3JR-t}~C^oEYIWa1w4*6>f zS_HaIh~(Zu%Oy%N0gI9-66{?Ay$R82xW|;J1lZ_B(^mlu)3qn>mZKzb5J0bFaNqGe zcEGGe|B!1vNGbqj{T6NlvYni^oed|_qz4^{=Zz|g?LDk?h%b&BWhk>loHlWhv)F9K zz$v~&oJU>?JKRvW!lR=~wFb2IB+reVvv@pzuWbrp%z~Y@jpD#WLf<1`ob@Us1@)4T z@zDoF^)4T`N4-GE{9XM4upzBdW;AHqA$NiII*#=1)wWd&s)UGP3r;`gJyPL*6V|gd zSs5As{JTIU@7*p`B#T&4840jP13;G!19>_>!pDybN~Inuxt1`>Ef9f0L4CcwY5XpO zZKRnn{DDw80#^OvX`7B(9G?APop(z;%&HDr5yiBu4yx}AUQbanpvwEda{Q&XJW^(+ z$zomq0g3F{&YJL(b>yK$il0+$-LD}un-bpR9&j5p$O|5PH;e-+rtYMS>wweC1_|Qk z^PvI%WS+(R?P4Ow&VEw%k{GS$MW4Z{xf*PI$QPu%MTBY|UfUVYPi9f>G!pPW0s1aF`s+cj5^IUek{b%b2Ps$nhiaLW`^<2K)W-b$b>1CO}IN;z#H3cd{6Qp8g zRTLETUP@|+a^yQ#v*U)WtE;QNzW&uxswx$9!_k+5@B;AuE<}J>GxnP`>Yv@t@Yh4g z4mTf;J9PK2Ww`Naix;u>Jhfw!eLjl;H6PaVO(uRKOT=>tjL%?fw1}_bII^~j@c|T= z9R}*op5q={b^cXYOD0JNpz}xbhU=esv^|L3*|I3yF6B^XS zMioBwBQg}ZLuZ`eDOB&5es-m1Mh~n~?$$3xi7RAA(N@ha9#2%UV^Yey zih`eEUwBuIhBk|SNg@*e>93U%1BmY#0#Tm?!iv~t%C@o|#|6ROvDkJBoDnhY!lKci z)F1rRiYzKW=>#?x-ItACfQybGe2sK@@dna6c#anOpnXrjC*k^_CBccjN~{ z!y$c!K(L z2#{o{dGrj$m!?WuBv(w?&2$O;c7nmUe|zaKEK;)^bk0!fVLhm3orYd5)A{yU<^y8C_|bQ%=26ov6^q!1yM)h7 zYxQ0%KBMY&I2ce44i0=M$dg0=)}=N=e4;}VZ6ih+JRc#>Z*)!di0xzsd1bF3y}JA^ z-s5^v;z>U4Yr!Y{gsghyeXyX2R52`%jU5*c1l4Ao;eM36WO%xe+rW1K{UA52*v!Wp zo*E*Bka9DAAglQXU$0+tu!z0b;rt2Es7#M7ax80^d?ukyS{A~sPMs;#d(sQD_fOvWMO?1L0 zfPtqufJWE(xBivDUj5G<>JJkB55X;|s_VG>A4D4p&*jV6%Q%xqyi#u|xlD$2#6|MZ z({F8#BtxOl#>Pe-+r@08<0bMmla$3k*~De>P2!i zGB&1li~l6lJDVW{LjhuL9s?88D^N)021oJm^ZyU#-ZHALW=k6l76=4)cXxLPwsF~b zAh-o5xDyB#+%@PXxNGp>65JhvYe;a@qlg7@3{PC`=c=xC4N~JDpHWk)?;yL zN|{3VGA99z1*|Jddg(?=C&ekVPA4?9v@l=b>c67R!JP!Q$b9=QgOwopCG?dB5ren- zFM4AO({+ugI05kVQlk_2Sz@;De7GVx_l2C%)L}#mT>UMS3~{+u6wKE0FP3Vp1)7d# zPu4vGj&ljBIbP>UR*aKOQNM>D%gu34efg`lO^QIXt_!&AtCI~hdnu13-if>aD#fOu zsvtR~5UrOSL4jREt3phCMVI4{uNWqY0e4VUFo-U)4(!|}tA3TfEXB^9UUrd-G4(!1 
z#ZXTL!@5Khzdu|qPHwZ(Q9Yo(h-a6*nW!XQ3nf<0^=N^*0d@uDi}ec+);C`qem~rM zUH(|ElRavcc&Y`A#xsu)7kuNa7Ym54JsUR1IS2a`(Fg4rV$PfHmXZDvwj(wsjXX6kDGu%5Uz z>5J__D&l>WEqMtzqNTZ~JEOq%I^<7q8c@c-5O!Kjy7!FgGUR`@$qn16-_rs|?aoXW z4(<}D;5-?0EHj!{XYSdr;FvhL8^@vf}!5bEGI?xrK<}pg6aS?(4<+!^<%>kOHMg z5p-lrP+GvfSPmVq6`moXMPHHc*19-#6WN9Tapft&Ebu^AN@$VE?qNm?!ArQdy%LCf zH_7M&t;Q_1GI*yel~5!JeA3J|wk2WyfBxyYk9B-V5Cj4#Nk)L#{dT)QI6NE~7B)CC za-kKJ1I#_Sbk^aU)7XTBjChJNGC%XYfrTB?>(KU|e8u!T4c*-^AciowK;e;CuGg$t zphQg0iUGv9L;YJ2{HaeA<>bT(a;!~FsjQGtQAg`v04pDu&6V>-YP5+TL<1ST*SVE9Xa%oZ0@k%;3QQ$j6wcI2#NR&j0O6(NZ*Z3en)Q9Mx5#_gG_c*6LRZ$8a zl>{r8;Y7UO*(X8xoXRz+Wpz!aG%88SG52ikF=d^p_x#fl-E1Rh|S-+Sy#Lx*yA*Vp>DJgOh*~ z%Zsfso6P(uK?C_ZbLJyhPb?|kUveyktjlwp!C{-ReFQR%)O;bYYEA>)fxfb*#i~AaLh4ER=}#^W zL{%I=#p3qMD~_aaa45MWB0v{qA5HL=%#~-st^LBpe;FoZ zgz_PS$DF4B)@cHy9);&|zi<1VY0!QlCTI=Up6f^7yZ20CPzQ9c(Km(Ne;SrzHtOv& zH^}H)0IP~&)%92&@oE!PeQ+M=F3|bb$@Vz)(X&zdhzyIWBfh^=DA88cC%p{-xaV|LvzFiIZUAYhxL~x!r7U3?R~&PzUs&Ik43J z@1DYvn004nl={yEHR&4uw6~1@c%AiZXIEE=btesn9w|01ZgNJ((UF(YP&&6Y&2fOF zrlzL4y1Jd6-L+Ls<{yxZ)1s%Ol%QqhSte1nI{`^c!_=WzOZYlERyVll$o>s6tj~7G z1N5kb=W@w7MJS0Zl7$g{(EfMNE*bwv^?ggn$3(Gd}n9yWlcP+CK8abCTwbURFT3^RZ_D*T>f8q_R>;AG-D=BDFYarPnv+NV;*mSkSh(TRyjzvVrG3R zL_W5`;J1IA+Q7hpbP?KIT&!i!AAM2XR8*3UC-RGJ@GNWUGBNisBQmBwQQg8Exc$A@ zoR!75&la`uJD9dEnSp1|Kj;c6CvrjuVOq|FH%B{kEEGYn`Te3R@7!}BYD_xL17{LO z`H?+|+H(D)KJxEp@OF1FUTghzq?aG#6Ilp@h6Fs^+d1Zkye;yny*ze|aGtH{I&azD zti`YXzB(1PZ3;RGID!6I*1I*#TK>tsHTEPIaS-WiLuHHGsZ%|MCBWg{DXc(>#KO5 z7fa~9@-U)feYR?K@kuMbBC<(yC3dM)FPp{M!tp!%R?yRjw`fak)cm-2tYA^HE>4!s z6CjV(@$oqN^`nRJ-n$+j8>m9tbX$vjhk>YWp4MP^*i(@P`o3ON#gB=@%UgiDQ8v!s ztq-;@Iak@`v}6OXH;zv!>>iWSv91RL?Gt&DR#sN_hJ{yHSdR(E1rJt?A#q`8snqe? 
zj~_qo?pjt}2`;Uy09!Idy8R-3o-$SpnAd!a6VJ(BTkz#bEpBJCBQ_=>H%JL6WJSX+aGkSi;nN0A^cUY`%kD=I{p#=lyJBUa%Y zRoP3y`!u{h&g<1yY-@TIt9Vz|+A3V?-T4j*3{qW!)^FZg9pD^vrLyYVid zvc+?U`zT2iI`~hzEG<YO1%xiSy*JAg5EbZ^j$%jf@mGYOYk+D=QD(Cye;a{?ymKJO|ray&HYCZRIE6 za?qBxIM2;??&EO1zczk*>sJ6HEe?o?Gw!rvZ4luj*m?#&@zh>%*q(NM*s#9D)k@GQ zTgtcx3)Yu!Gt8gcXBD*c;REWSE4k&fb1%<{s(G-l+j$Z^>LJ>4HV;&fQ?!(ar@>l} zalzwYs3&%5$?zs~@b+W?_Ae2yY&ieY)PGXkqn;D!XMg@VIFCZ%XncS8*C!+&Z%X;U zK7_~4|Mx?9oZM{xBZu&Kc{n-#`3&As#=VpJtViGP_cT8CaeJtW1(SPcAzYLA4U?9f zc1taSu0)G-?AmxXhXIl7-Q-mrNr8bYF`5gBuIJEkuORG1H-Sv~agMBe_sRbLYouIbFd{f~2A zy97;sj(0x{Lo3Q|xd+K3_)0-JulR_fBq{o%hsp2;xP2o7y(JG6N}$0XagO_;P6SSHU;R83NRxy>0cpm&P;$nL`n2Z!U=_61(W23UonC6xx=E z{Owl#v6Rw8pdw#m6q=t_QQlMrl5wFSE_IbkZ%rX!5Ay4hwTj!_a~iGEHjlf$DE(1b zT3qtov%N|8o}yXrXwU#xQW(E^-TKQD;1~|e*6@%jOi}8G!p6P|aAz&0lT-u&DXBE6 z1?WXIs0YIzr3Qs`$RQB@3x3)XC5s!3Y52-ztSQJG)EMg@v*FY<{|lMc0gqb3?I=%y z`iwFi*u)-z0_Gt8;6Pkp<{5NaJYl;h{k#EOr9R5oDYIBvv)xaW>JSGSzQe1BX=b=8S!+=#ZAZL# ztIqU}^5yZHN;qeoOVJ*Woq$Vy)}$}Q!ERc=eiWzne=Wp2epV;;ZWU^OmQLKf^O!Fz z=8P(`DV_ZfI00~W$6V2>-zM4+>m5f4q3I6@{0p-H7+aq#lp~OukoW_2^7;`1o@cw( zFZBKH&kY_ zp?Nw^e(csD2CT6SCoX^fa7*d!Xx}r+QWlp?nbK0jYpv~8TnvyCe%Oz0q#uHQ{b93)PiLnI)pdAna~#`5NiiVDbbbKHp* zWZBlX3Pt0rDIS@Uo%1!q5|fnFL`FrxX*;6HjlrK_izOodAk=-ra2fb&;Tw%u!vi)s z>v#pX5XNgARqsiHp<+`BJIE5>jbh(nZR%VMinUMTyO>qH&xPP^{dDQk2&y@HRzhm(Ws#Kc2+fwkG}3PQtvNrwyu?G( zT5iom!62$JkIqkZEF8@gW`y^i;i&g)eM87?bVlzuV~PWh=JhMw;I5Mhtc*vT<+Ta1 zw@r9QNKF{$NffjUvV>YLpO+!hZ2)78QKhBU$%Z-+A#)ENqESzxqn6jZ_k@1}gFxx%#nHkJQn8FUwlHn#_Z&>4Xd)K-`TJp48F z$8qgL0cjr1gYLq1_w1-YKP9VI^c{e^QT{R`@_NB{rP5ESfC(cU@4N`!2d~azG;;zg zBO@a|J|5rR$Jv<+tjKD0&Grb1bu1;WK>i^bMoi8`1vIzB~>g|d=6{R%z;%r&!1~zSRnjO8GJec z9-d$=X1~pT^m&Rf*^FFvjw+YejNjhM+Qhbk`M$+S>$8VXhSdlG>m-q&b1cE8GT|4- zA7ABxJ_=O@hG|>%(y(U5HfWP$2wtsKyfWTS20@U#KCuUB|?h4c=1^f1P5iH1RnMJDu0ekE|{I~ zm~VD6%9JZ0wRNQyw70K1XHp>zL5zGE!6C@EH%oNw05cBblZBGw&p(klL)T6HTI!%X z(8RPH;xir%!Y0GVOGFydj~=oH+E(7tv@NCm3#IE{UHoXoQAuxyHw;-#O%p08{4yOc 
z%z8+(%%MF13G-d)=EJ2snocos$5HeogR^v0l_4^of6eK?%%%!R?fO>=spXSQ$CNk> z{wk8171Vlvv3Rq#4Mg<&FhtcFJs+%g=j)dY}>!%>D>dZhX~(*>(nmA|un z6;h%#d?Y|{oxXbaTz=XCEM<}~WBwx+QrDk6&222m!h0s2#~31)s3{iNC4X^w3-BG<%65R zOaYMy-%ub*G-Eu5MYnXHMaMb6AA139yn2wzE(eAT5wk~U;>$Y3DCei-LzSD@fjAq$ zQJvd+Y~z4Tmd~@!K$b7L4zdR5E?*=nA?guEI>z+U9YW?md>fBBjY2Cc8JZG)!7;=( zszU%-3bNpkJ9x)6(F|6_@G||;eEnVCi=vN)$kyr1bCSReq>gnlcQD)vp6LUJq2O|_ zePfS(o$>*b95Hp4sCL6C+PjujBGob)+bZebz^@-w^lr>H0ha3px4Et34HOak9U3>g{!R( zy^#|P(lkn~q0WHUB|`_1<$`~4RDu}E!*4beg~!J(T@K>~(<1H(gQ<#5B89=l5Y zgcz7BVZw}b9>g^@V+m>v!f2)y$~+PnL8mizuU=#XHHZVbJYKD^J^!Cl{T zuqJ2L*nmk@R$oT{`y1>^$8$p+NG)w=;{^%CxQM-;pTli-jZKcGb_1g06peQtq;ZE# z3v|x;G2`_u-D4NaD{D?X_3VK)1E3cHcrKRDDa|>ro(PZEyVZ#6G49ia8^j$ zl{S4O#U233xJmYTU@GCZh?@p8!natm(X0?Vze6d&Zr%7+$XapYIV|K;cYAsKd+h`2 z(slpKkS?tX{hobbR|#k&l90Elxp}!RXDCM^WU0h{uF^<0z~}ZtcBIOruZ1gRt}_|D z>b`Jr>6waeR?Y$%?p6Thn5PDV3;jXEkDpvnOJ^d0b67zSKvVr0=0KHcsP~aG?jzBr z^<7a(Npl)mD|kJRAP8ADgMuN<$YsC?J|ok5wp_2>cX_DMc@Jaco5Ge4{`u!b);VrO zPnpV2{62>LkNA*ox*BsPIs1f*#3;NVZySVzAM#`+XP3amZ6dJnJBRZ%YHDg6NEtw2 z-+sA?Tg}677DCc+`dT@XLt?NLWcdl5aUvRG>cTCD`(2}+kw*Sy9(b?O`?^|tv(j4U zPA}T??Dm>t-yuMo0nJi&TtSGP5v!XH3)GLnY&OX?$htF{MM_902<&y}?v}iXdnlJ? 
zHppUy)h>2&cD98~)Xdc0l zI#8(1kdUKPsswQi6NMzrvxi}^Ka{7kdL@Bk0YA(b*8sF^WJx3yhUW*2#u}&d_rUMI zU5x>NMfUSj@fYUkBwZW{kmx=ydR00WF5C_BLvQ08fSx?*h$cT~0E-@{VB;y_lGYVH zDH+f1LP0H$*5*ear$Soz$N4@K`5rptq3aY|Nql1CQWsBrqDwz|j{2H;NUp+-1uc$* zeZO2o|F|45^osmknG2q9DbC`0v>eb$^%s#8NoWup(XMw`RT9;+UN`(e;D-!U=AHz& zPht@|t^V!iE^jl~3VZ$?B#X=-U%CrBU@+?e9Psfg~!E|^N_JlA+FBG4^r zJmr)qk_qMcZ^$H3F!vI4B#S2B4>6X6fU!Qj%!SGagPLVb!weVfDd6E^J`nt5n3luG zW3)CB$B7k+J3Jrs_C|t%(98;l$ZU<%36JNChUyr{qO_uA5cLFOq;O}6_~_i@D`k@_ z!RTG|1)6@qtNS5Uk##<{s#vb=b9xo+bM9#w;mBt=vo=oW>IxTxS7#1sANAA+ZRogKROnMr@q4ggpe`CeuAjNoz0#x87~8s@JhAVO0m zJk0>xT}Yd?L!ABC_G-Z3e{A}*=MM}ibL8i*quYhaTr1C8Nyr26>T&|wIcb5e8nm*u zd<3Mr#+=M2>zx}Jn5BTewv|Bs&6qM2h6>p~61q;qVsDFB5Qp^JTyZdr?Ya<2L2#Jb zA`pZ2{~(M`8a||-3HXgD7i@}iVwNB>phF_#bG|>_6@vN=QeGD!^xMP~gokVZ*MjC6Rok z-)~>$dizz8A;9@}JX)wbn5{_X2QCBQXvTnl5INv}&4$R*LFX1vHl*x(f|-cSO{DY+ za)LB6HD6;&OZUFy}*MQmu=AX9x;_7A~aAcR4I*~aiY-s-SvrC zRlm_}?G;DyKrk3j#3--q1Kkm<6yEEw7kdwH)%_iSL!VVuRh$+h3JMB&to)ZiXV~rb z350;Fu_T-`^1(sRpr;z0cF;=AnfJaG2EU*6n@FkC**hL8fns>siPgKgz&ufS9mEQ; z+HZLn`BdQB0r*^DI)ItckqkED<_a4MV1?)xo_NC3Me0;uaac)EM^en&RLA zPLwx(-MgCE-_f~XBpd@!tM=CUs&Dld?vNp`7D5euvmMbN2 zJbQ6D(7A$nzFuD~w9o~qBCR%0fzVucp(lY9lNeB_D(Ky#O>$?SL<9J0F)dCx^L?l1 z2!P=+O>}Wn@i8!u_PQP3_Rd1y}Z?Zsmj22ZobgaT)9_v>-?io2I*TiZ}Ua zL6VBvl*n--8h?_YO24O19DW9tTV7tqW!2}(g0eu5ruETXElFnayAoGSA9^_cg{jkJ z?ir@>Wv)9#6qtG1G1rQWMessDzBwvp>eCRiy zi;%_`1&Q*_Kvo7mv0(dgd+-z;RU$IQcWh7wX?x*J2VJzP*_aKxm0n>TT_i^xSQ5`Y zH`=`G?BV`)>vaQrSD~dAD;ly9-YWeUiukwx4}m-9}g(Rd2n1XImx&(j!|pvRS!o zKy%1Rbu#9g^kODyl%0XFWg^lv^Pt(Sq$J+y3p=>!@}1)mSjNP5)L#$Tl{)T@<#>!A zbl^m^)(L&`H$j209sM|G^Y8Fh@@kE{StpWi44ENFhJDw|B`5Mcj0#SKgLlhc-T@>a zHr!q6y~G(A7uQIVDyptkI|~_#{;k_!cXV*TiHx4S;&m*{&5%^7RKb~2@=c<3SqpV2 zdnd{gKmOs3VCTq=+6RZzeJGJ#S*X5g7|zhG{z56;D`tg`@4xbPxE|YXe}!3!k0a}N zQ?I}#;zpC%M7`sw>-W>Sihn-ohKmKVS8KqN#!T@RhoA0uw9p(2j2BY;d6l8j<1y^5 z9}nnD82GO|_&u@wRWQJ;iVkU00@N5#TO{f2r?n62`2*YSOTbbaz|#QN0{*mv@IfF_yy&GvF|DjA1%Rh#k&x17XbI@~HeEa)jtx3oODG);WCKyrA9Vt0gScM#T2GkK9@x`6&;DQfDjYKmBnx|DE# 
zAF+3F5_|UtqRp}0QdO&L8oIr#G6MYqq2$6e;Y4js0Y3f0V#LMS8TaK`aE#|hP`YT6 zr>^JCdQk)ICz)Yk;hap#4QeClrVYV>J)FGqOo!Qv?Td1iFN||b^H@s+2sX%5Zm?F1 zFdDZ0im^8*^{*^-C&Q0Ab`~W@8-jetaPE9{-}+cP_A$qDu#&o3<}MhXc%7P!e8BI=sgfEK|IGT`*c z+qG4+5bQmKHNh7Xkd(e)S-~I)1-VL5(j%|Kx9~2!|^M5 zAm1!_acH@Es@k{GO3ZqEThTUgzF(5zzIY@0uWv-}$VX83Ha9l&tu;j*`O)0;N^=dw&7wK4O^?{;-uBm?UYU;|=9U_L6K6GJ z?2Vh$^Bdg_%WULx%GLxKud(`NTQ7q!`xo zUzm6r9(?^FiLxLx*5;IrOfN8oPW<*bvH&G7^Py}Jaga$>*k$&&7<@je@FGt+r}zUY2gRNP1<2f{Q#h*2`b&d`!GUC1<1; z+Hfs@+X=aphC7!cH&nc65T2a4aF#zvQ`sz1*&I+Y)u5~9z|xmOp>7phCmzn!EBG8w38I@66?9=i&V4<@#YgTYEzO zxCcA3-#P6WwRq!-)$^?3{?Gb8et11}xJ5I+h*}dap}Rk~G8d=COda2IpL3hs$I#{) z&dkrTIQOiYs<^pCn+Ye&libO-YJSD17A;+UD+RJbojWjo@cQBR89NW(VsgW$sx zsCnnai)PP$OwZfLo8DY*ZUD(!6Hy;3v@Dd(H@(VA z^Hhnfo)k4*FR=hb$1BXmWX2yj?UGa`PJ)r-R5c6vs4oXzm1E~UsY@9-8Q8HT=TH4O zaJ$EpUTSu_Y$X>yfU^*1$$f3OAS#B$V5REv7DOsja9K-qrs|- zr<-C43C-_2Cf#57-{{L|y3rb+QCwcC$xWO6Tx(9(^*GghSb&DqxB3fK6^%1_$NIb< zmG26Bz||>^17CkfeSL4U z-uFC*!0Dy7Qt<~0ybKr?88Gqon(&a+x;CDfcxVC|mt#{{`+Yb;US2uq zW`T$C+6Rf0cM?C#d$OJ&DQ@TGI~>CpbA0+!whyBDMcF4BL-JR2+ngxJ$xd=xUV}R| zFWU@;ieirEx4eUowVaNJ-z3V0vs@98e%+eI5H&85QIp$Abz^V-v?EIK{WVU$^ZS@e z<%Y||F?1=FWrphO(y4Yl%_)PuN;gQcN7NG-k{bU^Pj+F12rTPKh;-~gMB~! z$TK`i9AP{y$%*N5%jzNr2!)b4Dr!E*mA7Q&lh6-;9v!pxN8M77efC_{<@>>#7kc{m zx|c(nF-XkJFoPjByX9D4p?+WUc0&aQbp_;D&4PxP z%jLmvFv(G79L%($9TQ*)Es?dbcx4fBc%y5NV_uos(P`VOg5Zj*G3t4lH>b~R9hiN! 
zS+_P^FDF~tX^tWdNR&y4HakLkj~i1MC6$S?F9%r0tYZ=qM+M)urz6${tahfn!Q_AW z>ly}^+NW6P)4q1ypzHvKjz%6sTtWgq#{F5yS2CP&+MGhi&MT5ht%D*Q256E%k;0jB z+p6d8XK=n^*|532sNvi2SWY`4cVQ-KejkiFkGbjWnw65+R!;{I+g!H=-pqep+8f6D zYS`WtecrVpe0AXvsSaBVBBC*x+^>J{NW@KICV4uFgytYUQb2%;_N*o0e)p_1ZUCVy zj)D5kK3F=HVqalE*0+!~rwG??VZ4@X{l(JIx>}MVlclhS zb#$#!j%Aa1d;;iFazA_j$t~jNUlr0PNE^wX)86|jSlCR^Y@_%sM=-n59QW_3(2C1* ziPbyWCXOl0q~pL~daSBbpBq=Xo)Vi@HnD@8N^)b>%d9{YH`4Ci#mjOq{tZ8H9F}M9 z0&tpKa0AGHk&ea2Wh`NkXgWG321Z(lg<(O<`S3ruE^$nzjK2`eTU|Dz;Y#%lV(&ED z%kjsX#G7n_-dUrgrA*=2%lJvFLXtDeM7z%SysF&<)= z^Gk0_7Xmt_$6Jk|Efuc2_Wd@qMu!`&M4(fq#kzO{lvT}Rq6o7Kk|BcqZ}lLTGPzD< zn|Dg^{JX3o3s^hU5m|4{EPcDNbI~QZ%rye8+eY_C4R73b=a&}n0>!9MRo#SWh34zr zvO#YvN;f8+G3@f4sX z!#ZB1KIbODo^#893=ogVo)Zf&Qf&uCn+d$_Tzk1MDpz3K(jtfI>#T~mOcc{9UsF=l zEEHwOBU@R5vb*>#vXDq`d^kZ2m&`U!Z=NacsHXB6Qs!q;L$5+7^WuiazA_waCj_=W zuCUQh12ovhj06+!RuoU@GqLK})KIpreezR}YLyVM31lz!Hc2owGd*LxB$PAWKlc*Q zM^wNd7s^{a-2Iv=iBs38ddNK)_R0mZDtaB2%p1A?Tv>)zt5C%2pnO90`7dn?@oUoF zS+>zeM@Ocz&T6C#pW!LU(WcAb5X*9KU|uojtecPIu)mf}(7aB6_!#>uQwK`i!ughUa~rQ2v!Q)i=gCO$j|0?N=#pQ=>}f zTawL2dM>cr+LH9t*y}`po333}RL(sV=<#3^RQXpEG`GCfiIlZsgpx0_6tMk3Uh6Iw zGe9`$Gr%-ub^IQtSJJiq)^m;8-4?B!rB*AQNg;5I0v4A!C|{uMci#jCh7OD{zs?;d zyPvhG4o9alorD0p(;&Ga!gGsfyNf%Cr0o10 zIkf?Nsb%l^my*{%7Ri&Wnuaxaeckz60A)QiqMqc#`;S6ccU5gJ0#XR#t4qD7wa^!S&D|k1mDg(h9o4} zE%4P5&w3(^b#2+*qwkDAlk#a>jmHNxKCd#-{;4UYl_bczO<{I~!7&qPykE4evr5X^ zThS~nm}dp2q{-3_sb0HO`5vHEO1gzTod5hsQ&IXAC^eaWAdH-!I0FxTGN6~vNp2AG zz2p9-6m#-bNCZb20_3+Z=vuNq(>P)N<3OAQ=vtkgg!otJFMZDS%I3EQmt-Q1)&f=2 zb@uqI`Ak`N8cN32K}NLjY0-8b;Wvz2YJx% zY-fwDzG&^H!4|e(lVcHo4f1C&oUfa46)D_PP(#AgeKtm*#hS(=@_gtm6n`ZYIdKLi zdc32#(k3;!KmT}{SebNT6M7zAt_Ubr`9)A0%vsZ5W9{3n)1@YXU3F*e^9wFkR63HZ zJeF5{^(SIHN@K~G0;U_83ibx`l%Sl5YI!L2+fVOzek(Ozc}6S{Uj;>5XIwauSisMw z>U45<-~Kq7`6&2IW5moS*s;z}eF59cEEx7nw#2$N!Y&Dp)R?N{uUp}!zGqjxg)2ML zXq1%M!h^wI3B%K0{hwhT8@oLoxbJS5}Q&C_pP*p9)2{SrFLU;<6bC25*^ne zmh{N-TQ0TUlJzRMc9hG7E98}*p|S1=)pd%w#nLv74kpCJ?Sq$Z;ZVcBpa#l*)Bah` 
zCXOw1t6$;#jOU9yRP)KenKxAX9S8Fbf7&qdr`Y#W;NRV)Jqz70tt*1_(<^kkvwZM_ z>7!h=uCpH<7i9X^n#%v^2D=22rYpp1ESAI?QC=ktiqli|K! z%bLc`=LnaLBxwC*5@4h_48VP*MjHUs2%;}yI;@V zr_!}?2JKS%CRLTn$c1?7GpbX~bEIDu9d{HBw&W|4=_}tm!^ty)s&_rM;)vc>B2aK6 ze30Z-{ge}e^CN*bZaXw!>5~dtGaC&f;v58TQi+G7|5R#4TE)oA% zjh<*0%oE1JUHvWa+HSxs{>;3)hTv4f(JNV$CGbmiJ|jz1wOZ%TpNg`oi4U|yhAsAA z!r9rM9|R(v2X?A|+iOcpW0p_x(&bc0HTs^&ua|0Ee)Z!mA~(W!DB(8KZc&UN4JIsS zSL~sz4=&=O70f6Ob^BJ1Zx+M76~cSvYe*D$P#L8=m66dz^*{fP-Vo`Qy7Gh~ou~2^zoe^cxdP2e1gol#vUhU|7itqUt z<%QA@SZ(jU+g+oD=a66S+-G#^FU6<3-$@AIp=M@b1SIh3m6z279@$Urx%BFSzDzV} zPk!d-e3tJ4am0wOPcXjkDXp}^Rj`^5ounHfcc%$h%2@pmHX`g-OmSBI0jeZ?Ig%6^x!yDr^92Zc zB)NS0E1vI3aDEpPGz{Z1alap+Q%n&#V!nB2M-&}^pKy6_)sLYRQ!<#0$u}&=_kvxa zynbBStgB14p_y!YeQeY))jmBxxEeJCI~j$M=L0-RY1i#glC>JhU}KxtOMSRb*R^Hr z{ZStV6e~yDJ_|xxkL}vq)Z^Dflq3ELI%Mm8mo6iOVz-`{e&L*3FLzO5qQjh&6rR7- z1u?Wf+(|K;q^!Fqy?ak$*WI(HLuqbBk~UqVem(XM5l@}~>l_cnzSBk3#}>w4eg<>4 zZx>a69@XC&7|NkJVx(z~*w-ugyR&gp*bRHw+8TL*QWJ0Xm$fI^(nyaAtwzNI4^$LU zLVFiy2{}iL!jHOA3!x#n3YBm|qbH%CXi3;wq`0J+0!>kasY*N7gA{=SlRKWNQ)QMKJH zp978$MCX#M2ffTIh2${rAh+BVws{24lny>fC|J)TCC{6kUQMZE26;>n4T80gfDpvS z9djRncgC2sa-~w;>zU<6+^IchdW!l*u`dz#%Uz;dizMr(@fr+yT-&l`@JCO20!Vf+ zb`?DBTY9CT8q!KEiXhd);w$?1M**kY%XGSrk&^Q!CcPz$^7d~Pyx;~mu zoZ@GP_;+kgb&2E62j+1=OAu14yMO&4pzrf?;b-rfj9&VuDcfd!LjvDLCQM0vm&>!% zUL8~oEj3Y{50z>?inr&yO<&u0{C3=?i7HuJ0$=}(yP%eNCwYsJA7Vk5>u6J-O=t2Nzf}eGqsL3eE~Gigxv`_BF46P; zMr7jIi_qd8TQ``fd3fEoc-h(Acm+aiP=YU?Yae9=Y!j>G)UW*zIv$hXNUJ$;u+X+Q z2-d1U40z81|IBAbj?RZc4J_=`Tmd`zI+&!?ep?dZXubA6z7tz5f(*u6*r!D*s(LDzvvm>tH{h! 
zVk^}k8k)2z&t?i6pSqP_$Aj{lsN04jChC<@rdnR+eb}6Xd+l=j(-UT{mlGK7BiF_8 z(J|(XzP5&lee+Tz>DdE(RSUcC2eKm$6Ca|j*u`O`x$wjsx6eM_T4Z^nUzBj1l{}Xe z4AV_SQ6=grQPqDF^Tx04p zNUmsJLuwanT{GIVcU$n`O@jNRo6~nKsqeqL)Cq1TVgwdc(g$EwnK-W0**v%@1E_%m zA$J8KH~Huk9yLk^N%&%*x5#{6HVY_qU*e(PfVL|`WI$Y-YV z$Y-Xe#VTQA?_w(LV&rHlYh@3ormp7#wUsYS7iJL1*LRx0@%|3g_=G^@c%C0?wtqqot7zv#hg`jirgAI;)f&z)o&yX94i{*@@XX zS^oX+$HbCmP9~0)4$k(DWZZu(%~(1*IZM1XawOyDW>o-&+S4;T2m2rXKPNJdKaA}E zsBTYL|3g*(t?Vbt`KNmRySf4N=@w1^-y`dv+KSm(*qD(qvvaVDIhj222J*9UvpyE{ z_{_|~#>XmQoi~IhxsO0xb1U$;F?@<(awJd7r*T#?HyjPX>JEk(K@lBcCLES|IwH ztp8$YaRRKByZ~%)bF=UPz{t<{#P|55h5y@n_b)V#>z_pX$1|w^LNpE@fTxld0DHDa zvQBQcCzei5Zh*@2zayEcy$L|m`Oj3Ht_~)wj}(zk&aAeUj*j+@k9zA2z`VJo3G?6I zFq_x|dTeUuX!J+`>h#2MN%ZWR8n`D~enCjv#UA-6fdBP^3aO=xvvzM1o`VW8Po#OM!z! z*XmxuvPz{=2h2jFw_uqiA?PDX{!~qPP2tXr)*%lz|M*`{u(T%Z(3ni}K;uq7_y)Zt zIBo4Sos-m00;_=J+#&1^>%tfMVH{ep6**4{Jf7Kq&s^a4QtoRwep9{jSQkdrHO27! zU-1RztPE(;B%C8|EU)b!Giy|Ty-jDgS4`nhygN0x8~pqGuw(*;FpCR_=l0$6<2ic7 zd^3$3Wlb0ZN#&BAN z)cR~wcrv2+Tr~qlXF`S*YzL&6D#D>}o*gGGxiaRA;=a0AL+PZlDU^$>H{*=E&6Z-{ z-aVBi_kSpR>#(?*WnUPF;O;KL-66O;1b270;O+z`xD(tRg2UkM?(S|uze)Bz@80)3 z_dNHzf6SUSv#h%0SJlpcfmwk4K4>a;t_*G+G%}-{*0H1cgD<|eW z=5nGus^juoBi@-BmTID!BUl7Jlewb5+}Q_hw~``>fj%SeogbjfS{Jm?A9w+)$LMF( z-SSDJA8l$fTI;fSB@OWvvj6@s>OnSu3@XFJHsWT!64&-{2x=CHa1Bx)bth;NxTpBT zdJkvk)#$9>$h(Sl~AdZq3cCreUT_xn}yXUP{U zd*AwaptNYp+5@n-&-Jk?)iAFZsFnj3d-)n`{eFp~0jq>uBT>n+12y9y@`HR(5%`a3 z6^x$9U!q9e5&m^#i+#@SD&~2A74u~g?PKSKUBfJNP6F+(F5rB1miwy=W|HIVf3+c< zgniNO>gzznRw2&Udf6*2;=mN(L6#ot02n>s!BL26NK$vp=1u%8e&)Dn^-ve=bf8v} z;kU1TBlHB$jLgdRBJyjJ{dOq;*_Mi2;|Avc-<+WgNm5m*o6*Kp%Xk zaqsrE?xi~dSYZNv2l-nU-P+UD^seI5_G{s3K`)WH&xX^(E3j~#Qsv>ro9gL^s=WZg zt)BG@q+u&W|OlzZR2vIhlQ*U1r_GM(G~X>KsVx`_T4yh5NnZ zy65HSdKXyTu>JOZb0htS>-LOluzEmqRqg#n2QB%JX?fC1PC`9$zGlvGY2n^BKo%L z->r|1+G)tX-}-iRe2pPR+N?b+xx7~B`zue-Ner=!faQtN#m;3fm2SA1D(dp5!!9)< zZl$nSgkkJ%xCTu7XQY+@OKokxB9mG9v4up}@oqStQroBZpk;j*ys~dmdwt?Q&KdsAj7CUA7`98bj;s7O{&AxVHVN3RZNl&rsTSd{ 
zzt=)W{hc=@_I?g-QKFi~p#csV;^(k({M#Og^xJ%S6=Q1wQ(I*<(K5YC-aW&*jfR#z z>Rjwq5R3J#Eo<>ANZLq{?Z$&K!1{)lM@Nzj;w3$iTm5W(Dq>Byd&9~FfCC7lKu#T!OMGx572mxGv>!Q`+vA5%6Eaw%Z%% zgyuj25_Hm)tFET@d5N5pQ$4+)xY*6r69P4tT@u4RevMQ*VFA|t8Uf6~TEOp zeKF~12doW`ImnyMCv_oiABp%H9Xy72l1!a!{}Ap4Ztp7!+y2afUQEISw`BCQwG|in zvwI?GpgL6~u-eTC^Q>tp=%=gM@QDUj1L*u+ASAs#%xz%k@BXsQTa- zujMrW(l3x%kDQ}Z7e~9r=d{DN^C?(*JW@9dh4yUX*@T%m>U?8kV|AVHw(G2I6|{0n z%~zzjwclNpf2V)4n>jK9Ff6Tx@GoD}d2{yGR3SBq| zeiGrS__D^LR|;ZkW)|4IJ#+#=lai9M>sqtOEi8I9gXqWf0(aGP`K>M!W64Z1EJGPy zuW_K9MH`f{r7Ru1h9?fgsgV9#N6oMmN_)fV)_LzfMQzDw-1BLkKPMR(z4=LrMGXZK_5cfgNj_~WYv^D8K@0N`rtvND=qr8ZPs2-ay=Q8=vmf$D{Q z2{cF#f#;Y#GOPt=%dGB@LBL{}OSX1)^2qITr@%nq&)<0N@ka-baB~QcjQrtx;94c_ zKvWK$qq|iI{SzwyPf7a&%b@LSwuztg;K;WSLWnfaydFh5^@B{!Bz@Ta8=wO(Rd@nU zTJ0JZLXd)B9FI#k{fnt=B38-3>wye`FVzHwD*wK>6okFFI5BeS%F^7T=nZEkMWz*2+d z51xN>Q~36f`A$jLbj-dVM^=Wa(a^7i(}ivg0qM zCj&nO+>a!w2G$l)0+!R$(liwnQ@74U)Z4yYUh|<>^A@;ggyZF7MS{TgC^?GsIR)OT zNGd^t($VV*5WAyYqP1b89E0lg(|!vnFR9KMng%ph;l(KTaW@LL`ktt);JMH0VSGSW zci|3i%~Nt6DEYoiCqd57WirreSF5WjW5}u81fiydvWOJ^+7qT(3{)I{WTR#$Q9V*d zQ9epU);()4F#q*Dn3kO-?%*b3g}7v{{o=P@9)^pE?aCDX{4`QbZgnDvUKwSNaOh#Aspfz8 zI3fNuEf3LNSBYF4Sh1+iCXyQ`SZ4qBJR-Q`bMiCjeB=!p9giT><<8-1i)4^`$6msR zk-Fae>SVG_7QY=>QTAD6wzai&W_A|M+uhXK+L{Slb_9G8KQ?KwDm|}-(4*p2G5C95 z;fX?uS0(QDR?>2TSs_?;9T=F|-Q6)Ox&BuP0-S368S|3#Y%=6_rFvyPPZET79&Ca* z+4f0LRz24ZP}U8N;$&MNZqj=~Qg`qG!SqvVfFqZVnpzQBX?wd4A?=rv`o+aXq$Q?1>7l-Wg2G*uNG5<eFUE`;Ex;BvCB#0mHslV4OLwoob|3WSGh9_9(> z=e~yWM9NQzn41^Z@T}!nmX|yEt7m^EDt2}Wv{qisH9wnCgRW+am$$OA+Cwv}0gYw+ z8}2zpvg%1`LaIGC#V{_<8&XNEZzU1l@yw`6tJqO{SlZfFc4jjf4B!h%S~!{D14r73Kv!o`<7WR0#O9L`-%n#fr(Og#o*Ig;e!-ezR8l zSpUaNGW&l{U{$enu`#7mw|6ojRxt&pHGzG7YGOtqR~HL=Cn`BZCmT~cVqxG%)bN|7 z3Gj%Blc^yvIYssU0U`%t31ST51Y!^34E&gZxPVlF5QC@#_nkmYfO{+;Od!l49RGC@ zFf$+uygQXB4+|3u6B9cV2QY`l!o)$##7fD;LHpi~|1-J3 z@n<&ie`mm&X%Pzxyu&xF-e8mKO)7;LM^ zl&7)U_g0Jl!Kr0fgCs5n&rx6m0$omuG=LoI=boYhc3Pkc_T5BfL673=^0uxT4r+p` zxX3rQsa}IG4J2qPHx?xPLi8Cz7)g$VlZhw6T8WS 
z^qZ7Sr%aJemx>J&rnTakvE!!eT;yuj0<$=dwt&-iO!#0LmG|)3rgI(_u~brVQRLMRR71E2&2Mi7%N%PXL~)Vfc`2#V=e$CVAKZxVAWOl4Y3>$eC_ zmwXeMX&v%NqUG)QifkO>1Pg3To9Wic80f*Ky2&ry zKX)i^u$pV^@PSPdJ9+y(5a)g9K#tgB40Z6ZStR@Mw_SdN5zqD6y_Rj7E10J=;L5Eb4>$WGzmCiw$Ji3EuWi|BOJr| z&BDOrKn{^wD8F%#K%hC=`HPW0#kTNh?5ImRFnocKN!X17Gj)pK4PNobAs_D# zm__23LehIBx>(-K6}lP1--58*6- zrS$nTB?BEDfdETgZDstj)45SGUbd zJr?~+y~+tS0XqhP^YnQ@`5Py2O{&1h;h@>$_3P`-zcOOGR``mFVE zr{QP1D&pIIll$^ZmBfp(PUkuDOQkC$gcK0m>`V*jRqD0>CMeAF@zMWXI&E<0qw2f7 z=3VlO`kOP3*P&A#^MFbviGKaTMCz2WV>V4jk#^=vjp5xq$6XGd9c8FV!Ng*dwa(&G zm6UEGZ{=Ct91EP&cf(JNS&>Q*j6`LXS5*BV9$$P?3G|3-yg|%C4MDX*RY4U%^Fd`n z#ev)J%v5@c2q4k^At2?LM=_?6)2I%p#8?Y3f|zv3QC=$FUD0(xSnfEY@g z@$R9XEFOl-7m=j$6-qQ7zLr>R&M6nFM9zmL$=&kjiB)ue)luajV7+26B}~jtmfR!I z$dTL#iXJji3C69!zF9K8u@vmYyKlj(BIoly51029EM_X2HMrI)QN&lIil#Ps6E6Lw zUpD>oD}beR0A8|Csr0@bFU88MkdUn9qR>t(shjFn>5GcXMXfno_b94ctI@cYKPE*X zjwA?cI!IozZ_KB2q#Kc6Rq{gWsfEJHWvWH(T)(LJ$GSQ<(kMh5f=l#7tXBuWkFVNu zE}o8xTLbU_UDmhcM-msq;BQY#P1!C!<=7|v2Ds9xVk($=0)v>IS1;!#+G{nzJXbn` zA~JNf&UDvs4Rvr9Bbj^LgtR4Qptc%HI&nN5QR?l}hZLhb1~~Bb+I%51sTg&#Wa#0pF5RCbQerq-%cq@?~aKgjKesJg=RK zPtqV(=!)g}K90;>?5H!3Dr~5aj?6F56ZSn06Kyw;BaJ7Bvfaz#lZ*gF@4-$F=)6p@ zj>Kd}DE>6E58O8ydJU|j57e#)miK#TsO8B)823R+P`0MkG7W;CGVX*cwWvZ;xq6KT z%@W^)vDkC>vijUHy@Ak)3l}x(YGZ>fQah`JvkKh<9uET;IS;*J?*cn!`kqSL%h~I-;(T_H4oI+7PL4?oJK1d(MGN z%f4yn^OVs9HAMG$tr@mC8MD|BTy;$tA)f1*)@mT#x2eykyR1{BOabCh*SoRcsvXTeBPTA-~IQyJIM%)kmnOD*TLg+ zpM*}SY-6?b6CrL8^tP2%+R+oNd1Y$|UWT5DZ=c+oWJs48B22VnO;}8K`JNGW2=_tT z)R01k;rpU+-iXalLkxAS1mr)nK9fu=U}Y+m&UMXPB^5K5-isOQ&>%=Q{``7c%FHm2 zAW0DYS$(q7u@rn-^yl>6$uKuVqdtlUP#ifg{TrehGB zi}pDo+~4r?dVA+uJs#xdB|F+8fxi8N;@&orM^YSkuHCwz-E4uUR{I#;iW`4O?K`P+x4vu*GX68lK<@Pe(#?EtI z?Pu#ov|-asq^8h>l~a|c^0K%4Qnc*$>(0ifb~XFe_m$93!B=3pqPi)C5^17}!#*Ri zHVYrVZLP8zQt^A`q=2s9D+U9#;n%8grC$VQGK17Y=batTD`vJ{_l@IA011B=uI7nz z*QMlgenP0U-S?~*U9YwNw%v(YEaXMGmkv}XPxgl51Qq)pR|uyll2zS!kK%*Z;dG{{ zz7IK8mEw=fjMc5EEL#aUi4;>dGmJH2Hk!jyn_cN{2%)oEUf=IX#PLP)U2HUZH&!FSuQq^ 
z3Ay8z*3$(kbVhA1I1a|D*HEDD>>Y$INT%*b(N>RNS7A`Av=N%c##n|2Yhr1R*{bY3 z-?e}&t@DwTYWa-dVs;dSlfQ9gyMf$@)&rT7-!l5jt*wLag{K9JYNH-H%Ev5E+eYTF zjdByT`}M1va$xCv{8;Dg+RkgiJtJGLr*H??X9^XLY3sbrNT~43-UCg`H&?&x)l|IQ z(~1D5FmO8YCJL9^95Db5)2 z<{`Zpn>)tOQjd}{yP%Mu`2?i0J)DTlcaC?=+i@`2SO8(!7GaJq+E6}BK#fbSXaxH7 za~DL8v;j1JF87yr9bJpr=;mu)7Ne6WjnC>@p?8{GmL|1&?h%gFkdy$A z&_mvD3jc!)|4c;quTIndEJJ1{;7o)+qxpY&NzA~Jc24&HF4eQFPX>7NX@dgMRnr#Y zthl-hhL$FpPIQAeNlP)tl>9rHap1f?h_uDNY_&{JP?8x&W*#yH%ANi(+opttCH9Ed@S!&>g6O5U9G{qQ&(%a|U^_{~2a z)eQpTi;f0dhHE|_sqMGofSUR-1E=^LjWODqq7CTnFgW|o=70SI<8<+Uj@QR6$Z^&_ zfY!14XnBeIX1iXZ$NNG6gyE(CBzt4OEzw-F`}I)5p=vwP(@QP;rBgx={3soI>-DuY zJKgiKY}8>x=TkCL#U)SamNOqW zS#6JcUvSH+```88r?R=dULX(C7qL72b$fn0dQEWKTU^PM6WxQR=t3cvuk*QI6Y6)N z4?I*GdD%WbbOa6HjR&>xy-P1VuJx?1UTW3Z3Sf`sfJ@SEI&Xw{)l0QtzVPPEZ94Zn z@ag0KKEDir+qvn-CC-V)@X~wS=benx*53~Lf^6s6L@HGj>-+QzOTX>yo)u$@(_lvY z6wSd(_hvxr=<8PFs(zbF02zfbSEq=;9l*2|H#-h*?8P)62l`3P1S-Jryoy9Q3qaeQyEwHcV_9DcIsG zJ#ph^j+8Q~m*m#4grgcMEn*VFp)cI+hevwpoI*LP(;K%8j-j2t81ahh?yHg zE9nfu(b(C&Q;~*fp&-M&o_gfbu1JK5kL*jVwH0TlE$!ChkG+WSoCdF-XX_oxO;OGU z?#7oMkS|>13J@nwwMK0n2oCgP_eE0Oz~x_<-o&Epd%iUqJ7(M)Z&514V~$n#{nlY` zLd38?*|dTu>M^YtJa&S&u8Dyw&cd!@T7y%^y%^sJ-scJ#b@;6w=M6tPP()8e#0YQ)c`@uMjUtIOB-Cxf>qMxBxxF=@b0KmvY-M^uV(CBM2r`89Wq4uAygl#? 
zm9wYwQ(8xFAA7i*AhD>QOmp>na`bGi~^^ ztmd8_9X2vONp57Euth0s>I`uCrrHH7JKOsG;ZNoemw+)lHoShL!JLgyw^gkcJ^EOk zMnGpdi5(^idjq*iQ#)rtsLK57FU7qZz+#!&SNMpKWR3oZ>>{zroX(@yqMH!DWSYj~ z>aZw#x#VUE6M@qAA_KQXzv5{ps?c zOn2(oE6l;vQRLA^Z<~uB5!D~{B(Vh#)hx||i36`E5=~N&u=XQwL6H^@{*#E@IB$ys z&6zw?Z7Y*9mfu-ff>JxS5E0p!I2jIQZr^ME8-sh&Bp8zS142yz{R@)Dk#o;#50m&Ps9lr#ykRp3ew3(Al6z5|5a{sZYPxQmEji<-zaDjf82a6 zSfM$l;5xrB7*zydc}Qd-dT<2x&}W(-BIxXhrX`=|J_2CF^Cp6v=A_V>gJ6FhQ`gQgi-0VQ4Oq zE1r$`I%09&g+KlBW>1=mTkmm+d5>3JSBNf?|8;$7Hh54;n<4E%4xC8Iq0&0|YF$^r zts(CTq{HWv5S7Q?iL>hM4hPH=u^PC0pOQ&HzXQh!MGfBlS1zpkHx&Vp!@PI2God$g zE`b+(@3<5G7UX-88mxQ$t&U~$ZI%|8dw>dK*rRDqKx}t^iF!9hiF$8g2~o(Sc}^&s zH^@EB6Xn=1+>{r&4!R?@u9Dk%dy&z9){!br)&(tmO_xjs_<>IYbl@A04i4M#v z!8drFh{DA@e#o4V*nD5anPtlDTL+Ajdk6Lttdb27B8hdR9KjBhDxo*h6Ep`jZ`6C4 zE9$w7ZGELK_?!uT#OCfUQ$NTL#Krs#*c_oZ*!k5hp1JB?bEPh*9Emrc`49h7CHpYO zT(d2xIm5X@1Bi#8g#LI+U7(z%exEjj8BP5_H}ju!99U1NfHe(?*8)AE=Xtl)=IjCL zbpl}@fvbui87Cx9G$*=O>~ojhi%MN^9|6yNEqpIj-b5@VZUBb|a|fh(FGGlXXb0jK zm{;V^08b)sw0nsw`ni{F0VN`Tr8($r;*;1?eh9bRcZkmDXXU5rGr$$oiNZF@ll@#y z56PUwcGa1})}acJ7_m1BZ=`$XC;pS_5`ILtpZuVYx%{6V&4>bvO9(@W%>3XL06@ug z$13I&KI5;&K7aY*|7`7!e9w8M_#pH|Kfl?dpy-DrFwPIc*bOLQ{Oa?GQ0NW(OL_;9 zUTDtG_xO{XEvyp1Q2qRONJ5b}+IjV@>$BJ``zwf(kM6{h>ii98zp!FO{UAWe2b{vs z_n?#0E1QR~E2uAF=^=+o%c=ag#?Luszf<3ZH;kVzKjX~$Jti~1H77 zxI2uAI>y3hEfU}zPJO2%n9cD49)Jgab6d&!g~l9DPBFiw{T#R}-ef5vDl&dHCO@%OM-e@0^)}DPP$2a$04ij!Ljax5vR~CW= z%??(Nl)qXFlPQghXLa~cPDb{Z^bilr0h96)NhRyzckZyB3wjroEY zkgcs4JPX4XZ)Imk+4a!dkyFbEVa1zP>E#ih5YADr(TXni^cGy`p^)xJRS8v zlwM?TllYnX;xcWHMFh^vdee~`vB$2eT8MJnm~EJe1$~mEs9-g7%?mJP)28R3wV!`u z4V)kGW=%9QUBLgT5f29D=o**Oyi{TziZ74WiE~olLkh;Y6vbt+WDEAb?BE_>!BHV- z|BFO%Gs<<1)3`3(*5tD?4qrLBemd7@|ycs()zmZDPdS{L4G@UNYwf zd+|8Pdb!+AoY@xp&_gMvgf>$qY2`jn*0?;D%|R_hq0iXlT@Law|1*1&0-CjVg@ zmTPq4HvXwLO`E`VhNZK>X_~8VLg=Er*ONmWc-1dv7CtuO-mIt*8O&lA<=e$$k9L(5{X;b4rd{bhJ ze=-}gb$%f0#PQ64=T==F@MitiMzsPtZMS#MG0d=&vu@Tr`Yl85aeQhpQB*xW@1%59k`fK1mdg=G`oc!X(FR%i>o@*j`uojA3EqdZ(Gy-vzPTh415s2~PoYMG{}+@UU;QT;}c_5C*4 
zSL0JJmY=;@%~q#7aVX2uJO%%-&4-oTu7_mMs(Gh|CCOM~q&zvgUFFo)o7JV1J7?CU zE0=FDt@k%g*Gmib?{4l<*mcOiA)HgUH)~XyfBSoYmU6GCEILKANv%w)z4(+5YasE` zR0WGBq#pWIcQ5+=_}(M#gbw;Q^Xw-noK)(cG6sJ*=175Wz@ZJSj+9^tRHI^pQHF!GTEvADCkV87G^@)Yt&;4N$5zP0r;Y=IbmWwL69IjA)>r5TJNtJeBfqqRA~ zY0OP(Pi-i1yJiM^SpIskYqSS`D2?6<_s4P#_5?pZ7ioC2_SX^C6Sb)dzJ!aOEjYG~ zY&*CUs3|pN*qE_p*2F9ai|xTVOpmSFA}Y;wA!3=d`8+qD(;Q z;OmesyBfa3S)D;ny1n>Bd9tKlnV3Y@@T35czngjY@_Lp1RA5C8(+QhCI#J$Co(ca} z%&rLPWOMRV`vXy-y@=TmQBmKussz(Q(QSfA3(T>6u|6KNdMfDz3pYu#45}ei<{Hs9 zavm|qKeYdw+a`a=r!G~!?%p1@b&gCMr2c)(5fP|~dcO=Z6ggWu#851zLY^{P*pe9u zpnfqCYx;@=Lm&mL|G7-6wT3vny(Lx-xM``<`x0L;a2wNGY|rhH}s3ATT9mOINzvXPo$m`;nlJlK`aj4i`NO2y>6 ze^FwEWTY&is)N+bo&6@mnH&Y005v$PsS9^1`yiECV6>eReEjNxO8vMQ^v1v~3uL`X z-65?;LF;cg)u^0C^gIumiqt~Ybwq@#$MO(S*vJ2mc7+8IHEhGH&~%D9AU z9`gyqGL1(zlmZ`9JDHP~or!~-I6&IJNgj^f8%-F(b720XF?m{alahb&lMeYbT$G8! zO#Ro|MYy&iU!7RpNPCoP1*WE2W}S$umZ+u^ud1f1Nf;@xa9R38K3p5CLVFXs*~rn? zztl@>w|C!i>|{7vph4Wz8rf`#c_{cU!Hl5xu|CuGpo$yy9F$`N+wj#TGV zY3+ZEGS?4HnXWU9#_N`;e#Ix8 zFKl5dq~ULMdSEdTE=Ck{@a`48g+VC zy%M&1MWq6utvbK2h7p_LmV3PSP(qke)}qo?Ml-ADVo3Cq_Ai(j?XTb#uSGq-L)(P+ zD44dcT`gSe#HnsB=sQLHv6QLDu7P?5CEcElYQG$8FWxU8MDRFXQnoJT&01G6R$^~< zbBlC4&h*(37EAy4`e6SMv~olJzcHDUxql~vI{7~Jtz@PJ7!J@7hgVWjyv> z?A>7Mk``e_$5(+|L1WiI{wLt2x)AnwlAf5_D<>%Xy6I>_Kwy5d^1Lvnoe z_!8sTMuQEn8iG$zNT}E7aYk5ST<`fsFK19ym{8sU%7@|twR&~mImL5r)~}(nhS50f z>6bnby+;9m*qU%Qf7R_6CxI){4#@LALKY)}toJsVd^A>~!bgP6H=IVh>F=FZL|5Kc zWWk0Fp99~y_3-8&K173vRg_=hS>sCl%7`ecd~Gd$Q??HtCgKM~U_mJDEi zQ@3W0^rz0OzWL*;dos`d4JxrqqHQ<5L(pu__p-KJgX|1Vj%d zxuo_o<+NcxC&i|$rd}i1UdW-#T-xiahz~0e*bBR;vY5?*Mq1`_;K_VgQ_%Fk`=kwe zEjs?9Wd*_e7x2DoESQqrZ>nrsO*LaU3`j8i%*2qyTj(Kz#MrP;y(DeCTM?nX?+!zk zaKCp!yX;rKGn|17pb0#}0f7=S?GI3%G*fhMD-MaoDfJw?1OSd5f~it5NcE%|6n{?N z+*lOkuWiSM(u~sPW2Dl=E=c@Df$rd?K)(qSUXn$B-T5-JaO@WRT8r8x@E9bPh&)-Y z29qiO#taztVV%oJ2Vzcf;v36NrWw!}R-#;uE(}XI)s7hc=5gYKnC6W<{KRUXQq2TN z)S0kJW4aWF*zMGlQUfl(dU+DCVMEABx-d~XNc25K;Vie~1n`BOM+DBr zupR=4C__XIilVB%{t1+m2ApYxlC$>W2b_dd`H0Kw@QV!8Qr#)o>1e7;sA50U?iqNr 
zw32FO11DH}7}H@U9j{YwJ22rV0}2z+f0W78R^tAU3Bm|4ApX-BCdO(l!@qVS`@Rlx zUsU!>`Yy#0nEg<0c^bLoXAtMtz?=Mc04?6Av7xW@S2Rn?TDYH^4Z;A~j%{W6MjJC8 z7aA;dPy~h)@P^GIuo4XxT-e{GJHxw3ap4A;Fc8%9Y}wDnWCm?1iU55IBYy&al)vps z?zk0F(gC&ywrzADyuXkN7qXrWvLr-HDPC5suPo8YGDI!0qN+q*?FS{T)=oq!SV3e_ zk`*pTVnL0H#7e6)Mr8vFI=tL4r*e`yJ%SEHL<~=&-yg66D%!r2+{e6D6sf^KKxI9; zA?z0LC%+bjf3(?$zL3f1i~c><^5Lfk8A^1!wDN2_P}x{C=T-ORRII<2R&cXdkjZGV zsZ}L?9s+#oG4T+V>1&utO%`6Y`lD*28an8x0ck9)BY(YGEC1J6=$MpOQn|*xd#LVx z*Izs6W08q`U0~nKtgXvwvF2Jw%68=%;mWWK%9>j1%UWl|_=vCFHNV7+oBWd16J7Bf z)w#Ba#*9Ajt+7Boxhcbdu2%OObGW&LD&d^ZDDOKRPa99A{o@{Ts^j93ycZ?@?cg>W zb?GjvsW6FV&nOA07-LfsCBHD4sZ&^;o-8iB95RNFDpBIfBR}%)yBq15wpWyWrIr)5 zqAlN1O)ZOJ6#dg8wU|X7SvbajX&mfd39&D71P$(zHIL8pzP^9Gdg99_hpbQ7^G*M) zp|ZK8kz-|fM}CrM8%=*tAALU`eQ$ko@|BQSHDOqkC1N~tBG{SQ@>Ib+;W}iW3;9>^ zR9aEH6-CeGA`xpQ5D)Zivw;@W<@X$G&k_kj@ln>uIv>UzZad!ikJl?H()y=WnmqP; z30&_9!!tm&t1bOKcc7>%GlSzs(IF)nsxx7t>PnMVB2%iRTEVQUu9;FMTR@|om=s~j z*jj`1`b13*1_T9F=06_%ZmkZ&n_u9UZI#rg5Vorj?@n~c`mcK!+l?A?b1N%zQ`09h z9EGjgyy-kz8JGwp7P5stodKV;KqdMfBBL)G#4; zgYcAHkb#{mUw)K}`r%+1Pq2i1uMYX!Yo2nJ$!qKWlS>pwylZRvzW;{Nzhj*KR?u+r zn|kL-rmz9ns7BY}?gU9?3F*qa+--=`a0$8jIrf5tXoQQK^vH$K0Tp8(8qJ)OzrxCn zymo#4UoO2oS<^Yn$aK_#69O!NN_=%rvH%|}UNAQxP!nMfdK0&{q_V!g(!|RRe~hBIfro-QwX#Q)}#*O0sc<%^uO)O%@*q)yP8EVueL6sj1RqGZnF|H zSASeyuU$w&xcE^`vgGgTeGv*NH;z!cAhzKFSH^?Y$kD*TImgCXVP#R01`HZsx)p-| zx}-(nzq)8Epds>_vFA9%pw6ZRnrA^ZC)-nDwv%MjlV6oY+qSY$1wZe`{#c>2+W5_M zF(FA;BrD67#M4dM+1bb0*;2WFQTy^7_?r9aXGQ1r$ktY#lh)ysd5?LkPz#lRS=mwf z_|IR``O}%pQNIEyKg!No7b1RzHJn5LqmNU6x*m_}e^FyL(?VxyO_FpRWB1$qh^qBN zm6S`B?Zd)LhD=6n%;su)Nn>Scr?HgOe13Y83{N`GN;>XJ`T}sZtgP2G#UC^j`SCB8 z3kP($Vo{EC!QFxhp~yu{14#i9W(|Q*pXum>$mxPHHNc8{jvc7ILF|I7yBD`X@Y&`Z z<<=PK&(r0cEqyCh%BPbpy&4{^Qhs>sJet=F`sz}H-WsAbU34!5Nod8km%2t^;#zmO zwYxqnH@_m7<_sflx8v4x-gdbIu42dFkO(`sudopP4nnk%x-JX5-VE<$82LR$Z*8A( z<%ohHW5#;B9b1$(bU-%Tt2KUE-KQtY>$Tavg(`b`a@z4UR{PyrYRiYQ7R@Y| zZ&U@wpD^J+4RCge8M(>p-J6RN&h9$Yb#vx zy3P)4xLWhBq%c@o>#o(6{Ic8*41I20NmsdlEi>6~j}&eHqJ}w7x;>-Fw8ePs!Dp9p 
zqGA$8z5VJ^^yuW;_brAZtWyEZwJ8Rq^?FiP#LDFo`*Cn#uZitt-n4NM#X$ zc0Gahg}d_jw+^$H_;e^S>yU+$-&$_6qhD(1ilT8j?2iCXgUS8Rjbk!wzAVxDBD<&q zKb359T~p3;Av;Z2%xZTS^+w3j0^TM>pqM^&vcVLPgeKkEm!(6;7Up4nT z!)N2;5shP`hWeqEZq=2m*R~n;SehEwTnE|?51DK~#=dzc$-LaqJCc3FpL?yri9)gwu$VUq^9X_=d zW|m9~0xfiGXQ6l0Dfm~-*6+qLWrs+#@;(4W-o4szDguIK--4(C3s+Qa=aG1NYhu30 z%3cD}p9q#qiJjP0%B=C{<8g#mh%=|9zTizGHUNdail|C!;>w0N?-_pM7+PlfH`pyg zWUu3XV`r#ACpyP{3}U6a9Q@_^8t*UJrDY@Ji6&UJ-?q&oeRPCp;mQy7*+%+}ywDLS zTYekx*{$}xC*!WYPE-B%ug0|vt4tj_Tb(K{W?#a^4|qr~dxz%~l)k`aytW~yco~q1 zVIvCP&VEJUp>t>P-WlquaMxYu)n<^7+;z!+!wqw3^@Lk>si-(xI%Tpo#6&?GXgPc_^(H$0LEtmFzcD`%M`0 ztyU=ip$*4V%YT2c%1|(R9vZUTyVQ|l$hfCAm~-lhv~0qjo`P)Lbsd^2kz%wYst*>@KwYC`_Kb+oRIwtPj8Lzi{zoph{m{&M&jN% zZ$cO!<$O#!3WI|Fbu^lFjid8s0EPc;aU?s>CzFDHd3+!E>41o{!(z4j2pvy3q>F$8 zMGHh&2@LB3!vW;cOq4b*=>>**>Tgo$tj0J964n)L@U+5j#|@!=%xg3v8P6^hVxhlD zGL`+zHW#j2dyp^C(4Bg=e*AG93M)%%q0{2cH9^Bua87K)sv@&LaY{GefV^4WPM`*;t0QnQ*lE z#wsiGmBF)$)CXIe4G~bU3fhnbDoUCvbLJxBgF?@q64hAnRUm}V1E*=K09KV{6x|l zi0e1#^L=(G<<|(?hKJATt|1BvSs>#+G<+fs6~TU&lv#=Hj8|Yc*z_S&pB@g-J)E1} z%gtVM;*lfdYShokZWqd7&@NQBo-UuKpQ=~RdTuc4)2?~WEnGGTHMAJvd=Q{q$1F4^=OvH%N;XT>$Z6RmT@K_E-0?-bdpTN}+4 z4t@cDOwjA?aOvKz*xam5_kyw;bbtwp_k#M!KFAJ5ata&fkkE}Z6aZ4{8?|i;k9ooL z&KKgR;G_^Z#s|udoovJf4)BE!V``7;8Q}{kbBI-z7~FNqjx`=14A>=DKosmQczD|tpxJ})fvD6 zArz0*f4WraGe!3Mlg(E6m*q}OVvRuXy5FD7kXq~vI#Iu&})k&RM}I5 z4&Z?|H+X`8f^!R}#aqTya{TPp>+{869Oa21YXgk)da9FlCi|$DK#?rL!V-Wz;%n;{ zXsw|0qA80i<^8IRO_uOP7WICPfJ@-)uO56s2i)QfrawM5zg?vA|dTkby60-{N?5R@uf&vcYeOQT(9G~ z>t~tv+G-(_2EP+xFx1KsJyoH$qI7fa4?7aDju4`~O|ZlB+JTF8B_r(yi{^_S&nR0& z!8eN%Kd6&pkvEnSeZ+g_k{pP8rIJSxACMFFl1(HZCG`7Tc6}$!JdeD0n7K>;XP%N+ zK_AdLw}5BlAJ&ezcI|bdlc7hNvw~GFsrvjNm9f#GO8JI;-q^Oir|$fb)TR2ClISBc zDCW@a*^6@>EUxSI`qy7nazviCNHRl3_P9QSQXV1q9wBo$!QjoUT7HGu0L5@Zn^RsN7|2iVmN_S7AEjfPy(_i;^0UjD>uIWEGR{T({s_wzVZ z0*~w^2z>nt<`Yc#ml9$Ws_u5i(%I_K@XhYquRFzz#(HZ<)dPbz(ea~!^alG1=bzqJ z{aBuo1mtVoSGokAQWSOk2exu*5BB+b9^c%cHyI-FY7PX+5mOt3U1ogVJ9`KuTxRy& 
zjb)4-a3&uhF0YW_CazC8i;C@J%K)_FnD_)~$gdbpoJ)Q_isb-~M+n-t#K2l~RUAJv zg&M3nWI2pBvikK`&*I;p6_$v}(Rk{FVQDL-H=jM)zkIzQ!x~K)Hsq!{9O14T-C`<% zDi>l-1&(5wAj8iI!dJQ91Y_=JBr-_tr;%UP=ccHROnMU~X7Dp9I$>Bk)NQ*wr3x{% zZ*Q@&ygn-eel!1eWZLdk7$br>(j3034Z?jE4;$RyI|{uyx`OhUbKP|VT~iNgL~x;J z&>e`01-^Z=a%5YZ?ghr*XTF2`%l`*PK)Ju~y6WDV8shcbTz60DL!O zG_Pj^2G`UKk3+RiM?&x|(jj!d)#(iAr8yl583HM~Eh)MJd>-k#@C@mUMpB^D6&Q^= zodBF}S6!DOgLif5qSIuBNS#homlf(vbEE)i3JP=@Pdz!J(;V^CbDD+$I*H$pBmuup z0zTr`N&Mi`NveM$DN2*v-9d7<-V=kLX#6P}%ZUt)4O`lOb)pZcpU5`{xhd zMJ5gzJAT(hZTjHG{#ySb`BMkiGz}Y7T7F4icX#wvI_ei18^s$d<$Vn+|ApJ-{Pr;3 zS2^#iocA?M8>aU~bf}LSzso=d)m$+#l{Znd31K@0;Bsh?+t0trVg%KM9A=l?qh~GRN~@ymn>uL6h5SeewjM6c}P5Y zFjd(TEBoqvb)Pp*(0d4GzlE;9#cJnkW%lNH!*) z_#(*`BK(DR@=Hvod7hY+Jk9U(oPLc~GoDU_Y$H2h7TG~wCvU)6d}=4zN16$bss@wC z$x`wVS%aQ(0@mD3M&lu3{X>wQY$iqIY4nv(lUAg?mMkMJ!~@>sSL9BziXFqJRuK!y z!@-Oq^T@q0BDt7MB*%pnq@0W(zb5mcJ~=*lU-E(EbL4rlkNrN`PRztdrs2_=JR^RX z{3{AzB6*l>Cdc6c<8Gp1FZD?I1X)P7uv!6n?hG5)76?&9CE4(cHDCH(jB&|3j5%L&$g8UXNIMNW*!CmkH{GDDwC)3C1=jBRWN;l!U3-zSTctI0Kphvmrq!{kXE**+S2;#o@5kL3AV@ljwB10AsrcXfyqQ{=j5rW;W(#-Ptf! 
z%ciqM>^8QEHLyRhPub_}JiCZTQZNZYAy0@1QDK-cSy(JQDSRn>DNYpM5xouP3TSl*5#C9R zCKHk`kj=>%OhLz6w|I{FbE zLpNPIzbNej@RG0bcoi=Oi2KPp;V)zisZ6d<{u$BT6)o&$ay>@BCvlW#u!moki?Ue9YBy7(d6_b-l%#$)*icBJr}ELkC93&s~7RqyI0sAwinRsbx_7Xc|WhL$} z%a4~ndlcp}BMeFGzxaLPq1IL$!z9*3Z_&qKCJ*v4pcs=En(_)t#dz|9mKW((YL-km zJ-7%IMag`|XfQBFiEN0OY{q&cHDaWrxh=L*<7dEx7zNE@FNJJn!HZtbdX!64ZI9N* zbis0F+hceFyQ89lr{29F8qLuZ5M&b(C0u5u2B03!s?Z03yt5Mhys@~o$EUqpd$A_S zI(s(pRqD*=dVKOTu~0mQnsFKF1NvNOzhB~B=vkPxr00^N)t(oMJ|%`txzBp&-9;<< z&=vlbVcP70DOpp))Z^AXvk7}C@Ue&1`Rj7&V&B3Xx|rPVq3g0%t2~2pXfIzykVbO4 zged9JBhaI#$wYEIo?Lgx;|YaYOg&sCQ;$eD6-v7W`Z06P>fHQEQ=IdiTb-=PsX3|h zuelq%;EmG>nm>C$U|}d1a{Kn}HfgH`EL(d|3dtbPE?@8{M{jN0x!N`a%E@zWwU}WU z(RQ+}vTcpEXViL!dRVr`)>wI_#`FS;z4qrnlFoB5C`FEYdUA5y*wVf%1Zl`NBFs< z*yDDI(5F00l08{+1p4$TD~;smNp6=X3qay|NpT<6TJzqLzpb3J^VMmCjy|#J^~C=H zxkvW?UZbbi-*!_Xuz1MiVOLJg&xfkSo(FEc@2+ch?3gy~(WRT$ellj^eS=mWiZB1u zLy2AE7j-?jboF%`hO$*dW>yZLJZW&=@b2wpu=(1DudF#Zov+y^Agl^?O^E6EaTAe& zc!mux*uyCQ-X44BNn=KZ- z@DI&qGSP81YtTxquQ<|N^CiH~I0u_C!?`n`*h>o|c$9duJZ_b?FGoX=cX{EG;k_T*KR%QAE@9w&Yit_*GxF^vZ|i(tWd^e;2Xah;$*5Rus$G`M zK)w8%Aejivkmaz*vLy1ag!GSuEQ;AB$jksHNi-9phFsu!T|(>kycCCrHH-K>(d^Dr zlAS$&eae7Uo#U1})?OQ{D2h3)?7k1p&x7+T)(;hCp?7r^SvbEzzuD$oFaT|JOql8{cdBhb0Y zZd2QJz;nFI67cul9PdS~$b1RH-No7MQ@*El)V0MGsIaXI?uk@oPrVMg83=JYo8E*r z`f`1~vggzJj8;JvGLlcIPn?fL*~0vLxv)>xs;5X%RU6850m7w`Xec`r9hXsA*gcST zgZS><_&^InVGWLvk#fCNFXcmur3SK-2wRb6tMGKnH0t__tT%Nqo@TqH6kB|mF)RnU0yGcDw*c!U9EPqCehvYQFG_y>!Cv?g|%(9@_R+jnD()wBfr zimB(?)D+&=h&`jVccknr`nM*GG&0C{LkYn4jfwHu;y-?Hp}QNG{8F%s2T>PuA)&_+ zH1+X-FCd7nfW?x9PWH5}cf6owbHy{-iNb4$M^W&s@H$e2O4o{~RvfWD=2S#-X-ns@ zC5g9m3N=_SoYAt)W{Eec@*1Kl3P1C@jwXLzEP^iOtu+(m*wN zjwnRI>8U1J$?q@{F{jHHaJ_B;O|w^L)fu&LerYeXA4V0Uj)5k8C_`vWo=y?&tu}59 z+7(5KgVtPax0=nV0xBmKnyT$}goi5%wiF`#6=#N&7}BI9MY^Y&Yz(}0562GeEQPXFKN`wL8Z!STd4hN_IWXBU>HkSKV5+I9$=PLb zq1SAlYq1DE-F*sT%6)Q}s}AlLJq|R8y0>(y+y~lK^oz1IZqBi-H#aUCH2c`o@85R+ zzU@nwZr{Fa=~cD#7zl9rE0dcN$&V9>#GxIJ?u923k9>0$7uK`S%vy~YKaK(GkBBi7 
zSUJL)OdTW76igXukxapql0}D5v~V@!(cK*3PP&0^HVCf>U?h@AnNb9V!V!}$T@#-t z0{rD}Jb6O*8(8>Sv+Hp6>u|N|a7Afp*&K`+#OdhsDWZn)q{!Q{^0q_>iJC~oY;z05 zU=>N3iUp||(SLZ6irg!?apo~4hBD~>^dAP76pWH4ibhb3T-KEsn&_blN<5rzmn69i z%~uKiv3cOJv5$OSv`Dypz|!EW!;VbGF~m^2Wt3ci7XB3DYeu_j@j9K-I15)OyIn7w z(Tu8!rGQHea7E4H1c3m*8}M84PC(%!48-Yv~wlOPqH*4miH>eUWq4r@U_7>!bmb zYLKKOexJ+l_Zj>?w3G&)pIHKGoIcky(hl}Gcz1I?31_ScsA9TA-A$d;-PED(mTFU7 z)-g1+T;*XuT~0zog}$0%-(5*3(|PnxD$o|%g#=;4E?r4$(eR#+a{H@mC$2Fn+uCbS z+B42N69%WeSXyN@V~*-qbJc(<{U&*q$f&3W%#D~b`r5aK)I#k-)LK5ZmK<5O&_JA( zG|#1q%c5(qE3Lge)J2i19>h_Bt1t9pIGDCK)i)g#>fvZHPaGe;M2p8V#Io8V46$Epzd47E_RLjh zyKe9-w%q1gZCU5KJLh=||771P$bkI;2Lk`#Za?rXN(+=VD~en2w$SHDHl3*%kvkFD zvp6ong`*QL9G%>Nqi%9&UWkUgT#rKa@+A++ogR`qJtWsfbl(vH5>X=*M}2NDe?GFY zhc^y=8?%o=3-rY>;Gkyi@C+L-i^BtHa7Ej6c%_a1xoB;N4`@Hh)d=Gwj_gga>Z~2>gUKiK$PSUDX}+KTcorD5i_1d$`p(pz9mx-GrmR26pS6-CR30NX<|dB zAZNU@!O%gIc1?y%LCh4SOu?8br2UvyUhNpK%v820+m*K!aReJ-c}QRmG+9KEm@Jyi zOh#{Lu^eH7i!p&&2vsb&SlCbZW8g?(t7amCfF$IINr=-M_llxP%MF&AGH%Y4imCL% z89lf%#i3lY$XZ^0sazi}lQ-HZ*HN>@RZ6HzLzGeeFnP}8Q7ds!bS5)YW&^0}y0$Mhk&4zAIf30M}@YPX)e&T)2TvEaEdQ>nW zH#ergltCaOjpkA`bA?hrszT8s6-u5T^Bxtc*EaAAZ!JkQXOAKnC1#;An>R+ zEWUt#Rn{XCX9gpVOu?z7XWNk}IFInB_s0z$S7aPU`(ZS4+{TqUbT@6&&%=GU<*v)!mBtuT6ks+yZRU{4fAdcISxP>vBASg*|*WU`2zMY!39CjdN{6#$gumRFc{%`VaGlHq9A!hZ)*6;&#ax3rEJi=H5K_ zuI3%32z!uMT z-vQs(o>QUoA?M|uCp|kntY5bqB-%AF(mI*r*v~tGW1~2H>C9%{ZE#>=C&UIjAvTyn zEH6U^F?XUfC(n1#nLE*$F|e~=3hs@U;j+5#ZnC=|V+sl~&Y>W)lq;ySXBG${yJn~M zjnTI<2U3Czn%sW8r z%KML~uP9pF8NLH(S!p5P>BO9%Q+C+(m0SceTbqdR`8zyIr;fQ}R3GTG|E4_`L4I>X z+wDufedd*q={wIay0vlp(mS4pG3t_EkGS*0`HHuC4j4W>4(gV~-xJ>@zDzW|`Z_Cp zY|r7x*YDiP{qsJIlvfK8{hdc@e=&r%S(1%ZiU}+Rl3=1SG;@UVHQCdK^d8TGHgqKz z=joV9?`DdEA+zaHnc8+Kaq|t$eXXsntfsZ~;)|`V*v5SFxzJzWU$rew?H<A|i~^+~j5H-BPA#lxvl!cfuzFDv_gWQ5kLXy0Y@^}ju)c!(< z)bY#NWsu^mx2DWB7zm&~85E$%Pf2B^zT`&S=0geOvoLdp8Q{i#?PT-4XxA0}SyQz)A}Kr&mM{?33b;Fy9Nd*j5(k20;G9Z2 z^duLDr8KtSl6DI^wOi29u3B9XQT)7J#l%}vIG7dQmg2h%c}y!oAmbwfCPk0;t<`~$ 
zz6}*h??Ii{J*-|x??3&}tfMwnkWxERCVdyGHrjupw_}H?HrCDq@T>Lfs?;hl_4{eV z0Ta$|3`2D8?D>8Gt_XEIrte1OG#VY7(yMDj7pE-vS8hL<A-2@)n?C7hs%|_cjH&$IauiKAXWu@<&p`&l(`wKTFzZ7p4 zkC9v`(%&3RqqB1y^Ok+A+47dsohp_Dpe3?(L3y99!6C>lXhuc#dwf|Jmv!F5**N zs!!ls?u}h5^pGmlwL-O_0_8XZ3d;!yMm1u)ibVL^abGYiGwE5GNzY18x~V!V5;6eV zW&P4pZP1Zo$PP@Kn0lcTt<@(G=MoF&+VlX*o|SqLUCVcLqfuCxqnXgI2{u(#gdAM+ zG|v@`iW3Wsa}}1FtJM2VePIq+l8~R*1?R-krKDKMk|W&NQ@6{(-M!HK#^s4aU$iCu z^4Lze;*Gz;W&K|-dE>$Df1h~MsnySZPHFFNe*7)``n@k;+^!Sv^w|2qGl_5R-=Fwu z-2v|1pF|%v0rlR7^OExJj!+P;Fr>88t_EzxkadX`UAl*!(V`$1j1hwRW|2`>38P7W zr{L9VbfwZggfEz@X2hzR(km`C6^fx!ssFQ5eVHv$d^NH z&Mu<#D>qsJQ?6-b1P$ znS1q)#2>^KckYPm6Gsofm`H4&TD+rA?;&5kaO(T+0scPe83Ydhw$V)5Qg4zaF<>yr zGGPLrGLtc2CI*>f+@(57<+1FlkSS!LCZ9zx(heV=*&pdJX2$;qV`en|7ptc9zb>r> z=_#nn7`ED~b0>dh$@n@&H0V}K6oD8sq7;5+wNm1Ahtug9q07Z5S@hzc*-EixN22nT zgk=Yp%{G+HDwK_p9Mff!r^{x83?1S@(L5faAv2{u^Z%zjG;`|RSlWCgekKi5|B3%q z8YeM2P6?v+5=rdUCGj63aQvqPwy{qyenA`BNAc13+tGd_a(WZm*L`ST3*be4?7kdV zj+;&?gh>V`I9Qi1B<#qd1tdUq1L)@50!Uc_D+>oCBS56Epvxti-ldbKcj?e{OLZ5F zv{8nIQ}q3%le%Q|pfJ7B^s$Z(>P5Oe^ zlpUFN-6ck~O07MgmZYkSl7~E*4VEa1lfU%VH%cq`z5?p_U?D%p@AGH-nWRM20(T@B zF%$@q`~t5fH%vS>XBdfH&X9~(d165r{AN^kmmN<5V>nE@F#fMd@jg-M`R7F)ff!eR zTtVz*T9+cld+6c^g3AiK^Fos6IUJ27#u#D&OC|;x$pCOTdE_TX z86ZYkp-TlSlwCfMT|SU)KG>6&lTKc*-;&Tx{R_e;IKo$^3jz)lB~_4A+tm(rwaQFh z7|IqpO9{P_Zm`)Y+iG(YNv-D!jYL5JWNOnA+Eq(kMbi{O=C;5>B9Lvvwl)qgrO=}a z9Ut2dPwn47$gz6|ABT%hO@rNov(dMC0Rhu3Xw7NRP9l-e{rCt-CXi2i0+3hTncVw^JO>L!iP)s9bQSH>b)NzV6lj!1Rie~MwGv1q!vuB^U zd-kcjXD2PgcH+pM{X6se!ZKxj*5U=bx{#+sHv&iK)H>kR ze_=oNX3#oM82XUD7<(`vOz_WG3NPobfor*q>P8PI64dLFG3fPyNDmX&MR5d+i)Ab> z4zswJk)(e?7P|97M#fP#{Pkrw2rS!bfe^Nxi?3J#%&c-D=>)4N7etyeQCNs@mce#!kh0c>D?*KWVb_D8JwvEIzcB54kb%y9t^c~4sWk;rX#*ae_ z=fh#7%;fF->Px1tsNKKt7vKBE@4(j3wj0m7`rqi!2f}^7UhxjrsmL>A&&QYnFC^<4 zrz#iDog>Ys*VAv%{5t6neF&LO81;$CSIcf&cnJFBbD5X5l!45mI5Iup5l zyeNr+#L^6tWF;TVqGt$^I3EHfNupTD03=#SZY3JZfMWXKBuj5%!B%z$+t0qoGVBZi zUz3}7kVG#34xZ-w;QH==h)_s1$;tnz%lG-PakLGG6SBkh=wPAq7><--#nOu5r?nM7 
z5Vqi$0?sI-bBH8hc)@5DTEWa6p$lg2hz>^(u#^6$i3{zRGk$WsTk+tfJ#GaN!5NyT zMKCm@MZ}b3Adz#l4hi);y#Yi9ava_Q*~|%*z8quu za(GL2S0mD&D~nAm#Ged0*A%i84q`;nM{*oPqpcw5$&5hHW~Xiw%P>d*^q2SCyC41u z@Pqfm?+sCdCyyf_t%Gk2K09z9{NUpvWAh?YPpT*%vm=85BF)88LK4Sw;LmsSu!O3# zyLoiUrlbF58~5bbd<*WIe2WhXwn>Z4H;Q)6S6k#>JJE`{z@#=`zVUj(Kj$? zTN?=VvJL1E5hHR=2wH3}!G;u-)K?q8=!5w^ zNw$OSVv&Z1+qym24hrJ}%tC8ukmwE^&qU86Wls+mF#ooaYI^r4VjLrJ&J8z_Fef@8 zT~i8YF8EJML57Dg^g0EHUMFG9nL8BpT5UN{sY74v)Fk|(lSh8FHyk9EDa~8KwL){5{;vd@@KpuK<`~;9f<`}2~p8G%= zT+|c@j{{2pyRVqvUR=QLJ^lF)&uxEz9ym3P`OWEZ%zLLXB0Pw6Tmt)z5E7}RLvG+* zaATUg@}}$>rb0*wz?OxxFFpA??*L-42CN*ozICiZ&J$m?pG{mikjrgg2(!3)i5_}y4^l@$5*;X#(jC); zeJaEWJ%TkYhnBFvcUn%c#@giA9FMdS4%qdE5joZ-@zpB3a#pU&@tO}ky!iQvUN0gm zY_bB8eoTI`v!tFtnbg~iq|gEd_^+xZJ3877ut^U*5B`dVdw(@hL|k(Vb2H+YuG3w3 zat-pd-)3K>G%5;gn`mZ42R_5+iw2`nhA|kQ9F(KX6Tx2XMU4&yLs6Klusn0TbAnc6 z0lPq)Z_M*7@h%E33FRa6qjv=FhekL~(`H;2{UdBme;JebU0bs^@6X`&jOWXWRC&aU zczb!*;O22vJ>FCvTa$QSc{c&g;|(XE%tyK^K!xtAOxbW;?LfCx43op zOJLFS#lII1f))_%2J(-JN9>3vGl*ner9xn|ZP70Etn|T|#!TNu#zj6xR^kZAsbI*C z7nvhAPSEEBJj5J^S=`Wp$U?ux7KimN3fMg5-! 
zp1vN23zyp}!`X#SdrO?{aN}^q*~OuZoti=dP@0AVP@!)QK#dK?A=;Nz%7f@qFca3@ zGkeuN3qLKsT-*q5cM8m)>b1ZT>PYZNC=z3{R6RSHWeV&)p?fp0Wti$feWoRl%S;bV zk4;TXt(uw13ky8+{EK3XD)Nc>$@!Jb*~|PZGdE=Jirtm@bLg#1SPlU{(nY(XISN-g zHAQnw$QP<-C$S8q1GO|?n+XM2ic8Vn2n+EOicQDkIt_(%oEIY_m?l!jG?B7|RwUyM z;obGRLhE&1KrfbFyuV&oXuTyi^3H&fWPMjXtWUXYlycc9RTA7(1}O-+B(HLac%MXG z<#64wybg=&Y{xZmrIq9@oM>7wM|ql!myMSTP9lR^gOzgUnyBSxDT>!anM^uf8wjLz zXwfvECbG?odYs6%?#OntT^QY1*2sk`TJ5HkvOpLXeROraBl8{%024Ab%-=Sw$^G=9 zNB{S)iqCD|0j9o;ap20q54K(L6cYbK#rHw4>P-X2fPBFOV0uhp*8ZP%OrdOxC(sa5q*Z=yDvuo$g8alCm-j(x5rDpyg@W`$Ap7-NN zi%sm_IWJxJ;OiCD>GReWJHePAY?>(ZgKO#L3D=#o4EJg*9{P~^3;Rc^iJn4gRy&r=%`C0-#p|n1at{t6IN~h68aM6 zYWf<6sjeAE=VE8k)A?ByQxj*Wr`23QFXR_j%&)!8t5xB|17@DIOH{i=#wBW8qKfd9 z{brk}c8QEj)Zj?vG)&d1nKVq(HPz$wma4O>r#3E1=BwsauaZ}&E49mfOGDSm*Q?j- zHyLZwS68p6Z;~Rm#RkiSc-VCZ-ck8x-vP20j%?5mVza`zLCRs!nUF z%%)-$@ua$*b?vWM~E z1YRjmko1G&iiw3dOxigt5P&CabgVxXg4E?#MLg!i^Jxz zPEt2rLmH1st-O&3Q9?4AvhZb~Qzy91-y!z~^msbTZ&Q5rA=~chDbop;@(eAkG zmW$>zH?ORnynEf+gI8bk5soW0A**&Tu0;bu;=yt*Yu5xpBYd7Yz{OmJRsK>l+#-uAwW_5&`u7wt$6 z{zReo{_@Zpo>*WE9xi-fkRH-DCtXwe6YZe{j)r8%Xo9a}+nn-ooI8cyVg+-1G0LjX zJag)=c$TtU=|233rwKT$&a-#lZ9!_3}K!AID1s*6$*NAD-Eda9PLmKv2Nr9-(*xJ}%w^ee{|IjOWO zkb$xQol)B-u^sGYwx2!DvTPsR*e!Q#vqOoUxK|QC zLWbR)90?x_*&WJGO(ZUfv_ply;c(zCN=Hoie|L!{z$d|nNoU{5WwzbDM4@pIoPL2fo3}x*bLy5!I%C3ZW^7a90fMLIJlqPd-{#8 z)z@Cj)RDX)asl{t*!qWmx4VyYm$%T~AqjL?L@VPmeQ2=s4tm5pTz=Dst8f{vl!qu| zJe#3iZAiNW`hBidrJ;{-c~URqPrXb5D?_iMU!yuD!VYaU=j*79r_RiTa@2UFtHy_> zQ|EZ5o9BcUQ1d+t%=sbXKH)wcdO|pjW{{&}sWclP63+Tt*cRn%_H1RQ|3daczt#7WoA+NwIi74Z>kSg;+s|`$ImzKV&MR826iqG(C#0Ck>C! 
zFg&KH2q8bKdkh4|=$2SIWazpmA~rzx6f#YZhY}*eV8oarg1J-@t=L@3j~*7qg1Nm( zT3qEI?ZZpkHt*hH>cJmKCopD_#?wyv?8r;L2eDepIi7kpQS8K#b} zmFu;PIi8s$Op@^@o-16)6okd{BJD!+adF{1$;z+`9(J-9GR6B%I`Bm zl83`S_)$y4l)+I@MJfhD5|zjNirB&y&jON6Q3UvZGNO?^=G8S-1%{z|Os`i)+Xhvc zR=ko7I0Je`$?Hv0B2v*J4OKO%&^|?>k$RzN2)(MRD3s9X2Yw`JNySni!m%ZLlG0|W zU!tWx(6@Vuqe=QKiR-b9cH^Ky8|Y1zl%&Ew|Na!#B-!&$VEHSAj)adDjuj9=M6fVI z1~;%H#0@u(p+CBgC9G9AP=2x{?7%{z9_;vLNhXNrF5?_RI0vxT9*X8nTpAqBdF>N} zma#XQ6Dp%QJb-Ff4Ckf#twb#6MIJtl9;y}ywtCG#@C-pj6wM$?#(9a+Ci+Y>Co2`H zGXPbQYLz8SK};#$AiCxaqHCCfh#D!SL}z5<5}z_6ZkrB;L! zipqyTx}a*zS)k^RgM%=8ym)saHO61u3(5ms5LpO-;~=oGJGpAD4RXQ#?M$zfYf zcMC9F=SBG^&dZ*>AWov0$!Om`>^6f~W6FwaC3Q&<3B_(pm1QMK(dW;BcN5{*ZQ%(nJ~s$v$;3fY z9H;1g$4!EvUR84hh8XAA7dmDP+NTe&FVu=?lI}*DYQyMkRzTJlOFC09wE_2|80au_ zM-XX|SXn2Epoj{y7r`$*bi(dc!)`Jl!7q`NhM)%$jCXd1aa?QRH!`iGY<2;e!{IJz zm5dyOVU8u;yu=k7=2{P&JouYWK&pM}ncoJn_XqdDE9lw9X*b?@^=7brpnLE~*f*#{ z-t7*|o8SW5Mk}-DzuMxxD{pF8T6NXaaxOSWI9H@4K^7fb+0qnBQ-K^;kZ}^{5IPRF zwhbO|kTLrdgZ2*qMwA#qk}?&kmRbpXiCnEDV31kDNVRgT1>ghbo^EtzFc*38RrF8T zIL|>@iX%*v_5nOgh(TK$rT8YnLI(B>rA-EML<1Dd&85OB_G^*pG5Z7pH(V9mI{QRt zt8v&EC>2V#dU9la$-tjZjCz{kSPyHkQQTP|wL2oLOyxi*h2iR*-QgUpB%72a_=mQG zl1OcC1ne9GKIN~2pS7Pm@OvgQ@bW@>TMzxzr8Ay+W`Mt( zRIl7oTni6Ze_D8GnKQNveWw$x z#BVQ^;zxH;D`W5Q(`i`dC)%A5h2|N&aLiN|WC4n_$>Jp|N4?kJk8{SuYAbha)5B|4n zg|h=7j>Bgj?6jNaaBtl>Y>LdmR3exNWgF^Sa!jsaI&*GAURapDOjw>>r)*GOR=!lf z%z7rYpoKLW(=EZVDPL$w-Boq4F4m~EX?JT6YeO3Qu(n5ur_X4lV_D;HN3)i3G=vr+_`f@^X)!w32cPT?+0HwT?>9)&ne#$he6bkb4d=U1 zQ){HLF*tnRQVvML_`Jzm33^*xOIZtr}469RV97=HlzMt5klr)2PIE`!3@l={L z&cNXHOyl}V8Q*rA+;G~BFQxn7MV3}$;fWo|OjBlihRxxO4vsu#`i5S&iG8jI)}7Cc z$&pHmcvVYNu0IF2=0GlpyX5hQ2L-oMCs-Y-Y;*@hG`db*qYX@!C*PQUfjh{-1lPtv z&gaHAe5KhE_UDYwa~esl5d7ytB&VX_Z^n_FFQ<|G3MrE3#!MV8YsRCB>=`M{^Em+m4~9hwV8%rGMOMN0@V^7FmMuxSEgZjP9Z6Y*taUx;}ao zP7}v!Bzi2NX*m=O#(egC5x!LI-bNbENTSc3&`2Vr6UfiFmKwVi|67oROap#Anz1TF zbG!!aR%Y}jy7kikSh4-NbFMyj+{!mE2hCGA-h5rfj?k5_+_v$_c0&wSJ{Jpq=fG8q z$6m2~*}rEhzCUl;Q@5UX%XvOcjijrkD@UENurt(o$4u+u8KbW~e)`rkCW5zXV@B=l 
z#&bI^nsdf?asF>Tl4D%`V^9^)ByxNMU==;hj$@~?Y+GVS0wxlbvF6yBvDJyq32u_N zHP9NF6_^z%2nBV4UI=_UvO-v;F4M0JTp8(498%s4z8QYs`$_PV@PAjlml#TflWe2j z=xbuzbc>y(x3ibAZ&v(`Ib|q@UteJr_6;G#?DE@8L?-lFn|VvBaO4s;Bk?bK?D zrWi9O^Pw0c1I^D1c&&M|);yW`z#Dk2c_Q_{d-X+Zv6B0X)&lygNFER~+%-$3$BWl+qS98|1 zmcMtD!xa=QWb$7rEk#D(w(hL>?AbSqe_!*_ZO^=w*dD%l(Z(kq`@xF4z^%bO2SEjp zo(Axi?Tdgp|_|=e}!qi9;_z${QufsMTtVdbY}r^NowmhZjoc`!0xG z4liYwikJ90V*QC%+1I>phmUxV_&y8%C47V+Vjz*oMlg)dj9^UVN5ix_Ixq>2Q)j}d z>NMZ<*nBCkUalVDJ`9`!Co}{2X-zhCgp@Mxp%7Feoijxm0hOgm3ZZ5|?Hl$GsA`Ws z0#)^IWVdu)uQrTVJizc+o(@l!2jMCf6&qbWCWbE$v0yOHdN?dt9)h+WlGMRG;n6Tp zc-%^5k6V%K+2`IJ0@iCxp)_d7ol0bLS#RD<^KOP6SDIkXo1A}vKghq!5Ah7IF>+iIVET$7wz^DgqN*{oiq=A39y;Aw(W*%A6fs?O{X7y7|^%RodUH})1dj=U;pC8H-CEo>*kqAH^&iH`Vq$k zY)d~u#r(+UF0ci0p1hP^$zCNcl?A^&GnlOTVe5QMRmAYI#yrHH@|}z@W6Vk6F|jG; z?8ubZTyt^w{Mg0j6_JZ$*K*hTPr{QSg9-p$4F=l-H~~ioV)|xds{svziN++J+6$k= zvg&HFev53ifiP!_7vUIgl0N?bA2iyX4_YcRNl9)_b%%JVZnqDKF^M(xEjv`8MiRLD zr8?7s&wH@hnE;8vKGz`b%?FxG`e3-7T5$EWk>;&*eT&O4E}J?K;ap{6{ z6a~~4-zk1+B)9Kf2DYp}YuV%2=k+2s>|*~&1;MxNYEhpE^l)RiDQtyThaXTLRG(0V zh+3=e2=|AXFbNb!5-k;iN-KIy0)CkFc^R6cq=$XLH{`W9Yfs*5F~j2pTtEmqeeg1J zB^Zi^_W)AD-92Vv3n}H!#u6=?DG;_W1cfaXL68$QswEMlN(@R=gA+IU+$o*%Ii*t{ z6T6Buf{?kWeM6`A5O3_!Q205pmr7A5fke5%rP7|`Fcb2Z2~Zr%9xK>!COiZ)=ds&t zeTIh5J*#L=(naHJPrK8JX41pihHFw-Ic3iqMwU*eddDc&Peefx z#5sxQ$Q^d(Y#p|X5jv4!gsdSXqyd_uyfKzo@@U1CN;35ltvcuT))MUS+Fq$`)+3BU z2!dEHi03m9KeNW3sfG1caGcv5=`B-Umu;8Fo^{Pl8$%jcx8u*pul%n&pS%9?rGMV~ z{Kxk{e$$QHp1J*YIw*&=`;_=Zep!68a`(#NO zVb3UKT&1|Sja8FZszs}Le9Mps`b7{R#!SE>qd98H(TABw#9M zncGd`J|eCdAp`BM>?M6&=aC|rV9WTH9f9KkxH_;kup=-OU;@zRGLg?^6ramq zzG}NQ#Xz@r91lrPBB6PYVn{i=69qqI1qqrlZl`xygUTt}F{B`YFG$?c^Ze(uhstg2 z&aB(!-I+ZxlB?XoI<`}YgXILrG*08IHBN~FRX_+v;o$ZyR2C0=j`qqDCDANGuBM(< zEDu~K(QQPwXQXCK{NMMT+07)_&%Zflp52|iGhgs_Go}M1|%eUV?S-_T` z{0N}IC$cl)c*-w6c&EcJ`6|~Oq2`mta)j>9E*YM0qUH!KzfJC;Wpad?BQ#gNOtrCG zikrY@xH~y6Byyas6cdb2qT_PHx#heLfa<__=5PO={{H 
zpHpwB=cA(1cV(^7ha_*$=GFN;6tWABY{%Pp#{}ft_&E||X#e0&@Qjp0O>^oJXo|;}d=w9zE9Wt03XhV?B87q3U>nBJ>4@?taG)%x zq#$lmJpE8V5TNcV5K*;1mrP#ZOmY19$3CqXR{rMCJY<7p5NT83+75>xK zN|;l{W`-`^5T-Uwg2mG943fecDW~jM((ZsW+p;vOut^dN3!6#B{?0;Dxc}bH1YPYY zaUqy#J?#?UCPMIo`*xPlqRX8@vifAFNz485ioR0mYKM}m$0c4Uawy*+7K(u&K3X8q zOc$gQWM`P{{I?x3XLH!m?t~DAlB{X*r6FUf%>q`$Q!2|lQ>l|emO})f=?nsvfbeHu zWIN$YpJX4uh1>h>3vhdO#lU=2d{dV6f4L3MpN$k-W!XFg5fJLbv}b7Fqe@0bBc z%ygb_J!M|o)5g*1i=wDBj&smd>KmMO?HFh6G(X#Cr?AdvaK+qa?l8x;;>9tJDdrY) zYq>#=#X}+^#!-^UH&JD&09!|!0o(_UkuGLK8q>drG^Rq2#^f-kWBZA&;g`#*9vsZ& zS-X=Nn86O8%*bp;!?g|q3w?FU+|>Wx0ct<-~KDE1m;wWhrA@q@)quY|pjt8L(+YA1M$SX_A5}zKHsvT5m5^5oup+X%OA#c7FT&)`F5WS0>qr$@ z?l~-=MJOTK7K9ok)S2QnO&+g%s&mE0;x%vl^k>~=^UhfOP|rp4zqf8YTmJBjOD?}? z@3!3o73i_9OU6I^^Tr#``|*PVALgvr&+&5|gr8F{i=Sh7KYGUOH9uwk;y=cm z@bfIu4@xoLt~B8z=E3lh@L-rthygti^kM52@x9Zx8Pavtb5h3W7P_3+A{nnA5w0R6?KVu`Cxp<~vPSd4%a|c}!Qup=YJey_Bb_XhkcOFAwf|DhL-*zdp5{hk}S%C%$Uc|t2!P!Z zqCCWGNt1(^xfsqzS&GZ~O7iUF#^*h}bk`HtAG-AM^Gvy?`kE=ro@UE8ZaZi3^tzh| zmZ3YZyY|ctZwp$ zw(;%aRs2FxtT)H|#s?e1=a|!c(}L%O=W+9-^UV%lNAUdcwcNGReDhl0wZZw}8(@LN zbJ|>HHaAK})G6TtDjcI8RTp%D68mgDnX0c9AP`I;AuvKdorDAj4`WG5>o16FAJck{$@0dU z?gk#u#Loawb>iKnXvcs?aY39i74_M>!ix%TK(WPujSo$vA_BR<dWsR&h|gI^R7F0cHeQ=PUMFb_piwQdEmg8x56T*z4hi> z@4WKn8~Bp$$}VI}Fjx6N5qzIYq2;Q1nt8f8&172=+Y_ibQKgm@))mwho>jOwu|6S= z4~>sa4NZ-;i*wa^p?R@R@fvlZd2Q&L*uKQOfkWX#(RYjb0)0hC5`&3g8JjlK1r6+Y za}qn%oMV2bd|8+^6-#G=agwIN2jjW|^vE!Vig*|*l4q!RTO@fF?%xU>qj5^e4)}K3v1q%YSzd?n?co^ocC&zEN`tF0B*B@Rr=Yi4IQ!8%#`P0jn z?Z__VUc7ha%=-o(*_u81{qKz*ILSPDVE>!%zxl==G1pAVE@X~it}#Iz{+e=4mx9u$ zIy?bQLn~FjrJyA;Ewa97OA%M^uaC79P4rKU&GOHRUE#kXc4^VtqWAdseV_ARsDBNc zRj5==7c`*;^;|Sbor4yl57j?~KMj5n`8@V5G9ar3qH#sg`9Pe-tP;{QU>LW6VTlYw zu75xR&;~RO+ql$NYp_Ms^QkI)=6rEi5b=>DG6>`W}~l&Y^$2 z`BeUJ*aNZw${wtu^O_Q+?4b;24`{hb4P#w*{jezWsOpUuyqNuJ(YtG2S@Og{$uDkP z_SCi&*Kf@(MB;=Qa5NOQWN&-w{%_7^etF=)%dfrn!D~dXxdQ<7D&`Ig(tbhqgc?6I zSy;x_vuCrj*ahrzmX|D15+%)VNg7~8s8C@5WT|q!2*uKbANo=0$gYsy(f-dq@4N-~ 
zZ`<-H4m_3d!*o{1?ah094KsX`_kWk$yU*-6zLdZWlQC|}^>YH|@9xqmdRNC%*b&=9 zluE2iD!t5Dk1pxeBb`v3fam->o;YJ+%iN34IP0tl7YB;i^2e7<8UJ*}*Qm5RhbgG?NPkB#;K?=Q-Rb!KL`n%O|0A|V_-udu5S6~+q$)=8+PuJX@w?(olTKjB3-K3XY` z!e}yL`@{8hWcNB6oDMrnA|@iVi)e{i_kO!^68n9GjpQ3LuI?&Sm0FS z@7on`I#>;>$)U;DROgUKs&hiF+JRfe#PhkE-rZImrRP#oQC)v&-M%{1Qn$7a)sb|K zBnUg!A$@!j&TYW6G9kzr5@HWI$%HE&gKdeVK_^OsUWk!!W$rh`ge1MGsi<{AoK7i> zZM7MthjY%u$QU<|0?R{hX9uijr2Ci7$ffG0(@RJ;g~z1qC+T2m(m`_x&C?}b7=md) zR(Y)JkfZC{6{i)Iae-0gmgzJ7Cc~F%i5QS7g&5>c!;7K-ep#ZI#XxD9rixW^3|3Z1 zGM{E+px7)VR)K?XO&8P{txm67w+?t@H;H6)47~vz;}k$xsFar%j&_<2j#eVkXh9*> z{|bhZfoZe$5uFAr$}2`A(z5*&)CBxXfTm~|wq>Vr&#KioHl%*|>ZaB+$5lT#>*g2d zSliWQ3s-jrgEg_+U)tEV@YS2&{t%uXzh>!`6HhM-r|QmKH)Hb3%Hs5tRab@2pLc#^ zS-j9MCo^ZRo;PRng}=bkDmnPSsG8dZLhw53p-K$%2r0t~%!g>fL-QV5COFFF#5car zPGVwh1OljPGGsu|l+uQbwMIrU%u-MaweL{hT(HMdtiGvmP!P|N&bd@rEUXpQ3oO9q z!xmw?uunKB@D$+9MS43mttgTGO{GA6VC$@tLQnV*VAt>l|w$uf&#$oBQMCWdq zCoGVutE+JhfmFyz5+mszRwM1_N6`Y18U0@KA7;x3@Z8{BH;Lot6$jFy zIw2jDj!3MOQyiqc;^2nxWg57r^=UL%Pkjv%4UEZ&$unm?a5ri?`4Q%VD9NM1 zTp*(>PN@m=Ks$i%hIT-~yer?UjEh5=*aV-$n`Is1L?DYiXY8AF-S11)|yAW*SA1bG8^(Y2h0x+nD0?!Z8yeAxo=2+3K{`e z%~r{1sx{ZT-(twcQJ>F|T*AqbTw?PvTPiN8H{*p)Sl-@KoUCVgRr2#ODdOW;!19Wu z=%UXAekLHq#h6m4CqYW67Snn?Xb{GW6ZDD9WZo90i_?^|jmg$j-(2H--!;N~@haa+ z{w86$_#D62*zNl#e^RPctV&R+Rp^yQg|8+s4mA315bqQpVK%By!)MSl%2Vntu$$kj zzs`QZe<&Sgj~ajR9p}H1;tGWTRO!;>osvOEJ*Hk>SFFTj-C%vd5(P0O7%82&u5^LX zpqkQp2S2bI$uy>6=}=AmQyL8Td0DZ_<+L@MJzt(@by=&edo9_LSu88a?Qm|)NJNsF z^zj-82F&auzmDpR|6+E4p-3eHC&{v?sH$vQ7STTZmfaFKiqsS!sP*ix$n7g@Jh1ZwI6TQNC!DGd)ZSol4?3!dFdGO`sPB zk6?rH2!8$#_JCR=;p=r9_tN_DY1`{(4WXBag9mpAwUEAFGHcrQj2GHO96Yi^NH`z* zhPOy0Ad3fgW0MOX5YIFRcM7%SFgw9GwAVR&{)qYAL*Cu3!6V&rf=vMOd3&ylwLbXX zZeJ4^<)iqnJN!d6?M|edJfReJe7LpqpMJ>nKxYSkh~lR(6%3q~eSYt=Eo|o5=QcN- zzI$7?=lN%={)nfGNBgWd&~*ckymQ!G?-q7DN zKVsgO-qHSKekS{TLwF=U%Lr>`4v&OT2E`+hWyGI~N3wwD83&PsmnbHQVVDGx#4t27 zk4Iw4ynzhad=^H!X~ve)WqO_@_J`UlSu*G3YuVPNt0y9^Sw0MX<&|~&rof| zR_X8&H%!t0UODP!1T3!o(wnk5_oV?K2XJttMRdj?|>1hoa#F(TGV_ 
z)ZIy^*jTp_hXxt8tcl3AX#%{p|${eGB~y3s&+gw3XIPftw2M(C)SF^WEpaC-8{;jPio{ytOy*SNSi2 ze`*8f*MY%!k^qGmdKFFU3*37q#p%@QB!fUNqZQT70$-UE+JmhkU*8 ztlb7I1?R+M@(~>~JE7L9ttxY#I!Ix9&g!l)@Cc!no>*cvo=Wf#4v;ptnEOc^h_HFQ zFJks}Ea{Ji&3;N@&g&m~6hv>D8hI960G?^vbu5F!Lo)bz2NibkC=u|q?F<#cfx%C9 zH#W(ojZHch6T1qUEEh7jo!FtIg^bJp9vwX$+YupsR&2Q|Vi>YaN0aL4PK>d_$>wjQ zU{n1E*# z(M-zU+EX!6g({^Qvk5lI=fX*7l6bDvYR-eR(QI*!be`D-uRvFbozg0}TwEo6AKoF} zBYh2zqgX^NhgD))Y7+lP{38^I)YxMd)FV83Nd%m{%-00bcu7X0ETu1xwBwzjCh8cGgH0%a|D(Yn0ZXzFyJf7%_cFD+x`?gk!hSf;DiQ>7fKm7| z2N-2+rlg<}J-O_nY%4Q=;5Um_cET?=Fe1OXL(up^i#7;Y!&A*d0Wg@YFL6GlS+z6=k!eiN)!ma;a zgV_%ofq&e`BjolJ|x!l;x`qLejq)VX3`IV zFn+yLR7|o0ObuC$eiwh=<=rKBvkfnz%RvR2k6AyC-(jQ8SpHnTON~tEzR3Z!>7QYq znBI?PQ2giiz@-pHwAs}_N1r*+N1aKtGmWWgSX@=^OX=k(Ra71u(pIGu57r#(F=2rzx9ltoTo#-y*I9wq&uJfg+O z+G=#-*Rb=A*Rq@T@6T>}{Y}{U>&@ABfA%ySwRI~T_0+T3Kg?cL^z!$&e?0%W8}8Vi zxS{C!)@2X>VDX&0xp!aAKK#nd*+*V`4PO27EAX0^Z{C`H=gF(e8GPfx2LS@Jn17%-n9mdt0^iW@nYTHzErPxhzVf5P!eKvpTX@@# zUJ_pNqiw=AKiVv8_M-=c2mEM_u*Q#0iYEi8OY91uIpUlEQbjd@0)9~lsfGd=<7=Jy z8tEE>YO@BKHP{Q!vupf|gj<9M1V(`Vae-!CQ=74YWQU^l`t?v4CpIGpni=K+1W_cs zsv&32MSQ@IrfWXiFWb{-G52}ub6N*0<$Q!i~4>1DG5b8#= zibu3U3!Q*2$hAIT+4 z@W|5P#MW)VuWDeZKq5b!q(~wl@IuAdv5grIec^A4({o3SZD9USj$r?dhj7Bos>#7i zW(`qf7GBHz1J0zJ`4An;v8%-UM5KvuK!BeJUkT_%;cWpuD*Q@7bA&Ddi2`OgJQ7gB zV;q&_nh7hB>&{&@zTns{ zq~zJ=6pn#seiv`xV|FoLz|$#5+(WOS{9WNw0qqc87SR8S@Q32#B3dTiDxwR-D@BAv zDB}C<-qs?RzZj6ehx8^6J9+osIj8O3HIQR}!vC=z5eRF^!ykQ%S`glQv--Pk1Ay74 z!Pl5FI=4-8`|bhI!k_>)w*b=%Z?=gTDabbOcKqENsFp&C~mvTrgld z#pRd-ADM$0{MGFA$4+)P@#@#d$z6UGFK)uR76Vq%F7b#sojFp{Z&GjjR+<$L60{_v zFPAp)w;s&_6hAi9eleFjVbf4ED5ToTR@U(ryRi=}Fg~ZPaOkPYj=$HdbTaAjP&M*w})Gkg_JejG9c;>~~UTga-2TS#a8do6dNorVAZH)iV>T z0-dK1SmgX7_>H^q`NhE#^!#EBtA^3_VbW9QTZWZ67>$G(K?_HG(Y@$05QoLPEv=$O zhx%UB3uJVe9k5_5K3=E_yaco=y#hoEpS{{exFfts!iWRM$?QL1xe!y1owO@##ThFK z90}9z<`~9yXPS$53@ujilZ|f14`E%B>P)zpi0cSn)dCZ-)TD`L zomsH4@PRuw{$RpsTV|EPThXDWrnYyAs?xP*)SPWDTDanZ+0(`?J3YCQ*uv;dbSJ+4 
zG}uP3-zpPLf0;SmFoGPcs3jU6zDy2Zc@-XKwJ=g~Npw*ZwM1c*Tz?Q>f20r^Tl`gt z3bCsEFo;w|D_|9fjLHo{zcUI0$LTOECF6icgIv+KBxBd2p%D#2uFNzP#WXpt3Sax4 z!e}HC3>M~ZsM%LXR23^jvdWz<1i>LhB7rY!42~QaUZ6b)u(DFJA&^Kam|aDSB|=L ze)4-$RB@us0ulel6UpXL$>gYJ=Aw9gZNN0c@flNBEM0o}f=OqsxoK?Ob)CN8`E7_F ze?}YrExmY7QFP8topa`N-oz{@mG$b;qsvPdfSOMZG}Rn9c!0JBsi`p!9xxB!Ck;~v z2!7EP*&PdpQ)>G*M4^$a@V=fg%Phuu19`8@^xy&_vens zyjNRaU;7YQ{3|miGbTx>Y-1h%`DJFzm<&3fEC-_G4Rl+6+ks!z*4Ne1jp6I$v+O*w z{1@5yAwn@fsv{QPm`wJMnar5O_yydEi8k_OtMCH8SXa|9Fa=W&*Vfjfgu78zz{F9q z+lTeF^`kLCIEhy2;yKI!3mr=k4IZ^ei)y{jOL5i!Jk%IoO930$_2cS+T@bD(W*ut9 zW;H4%nSqu`qyqIs!)Vx?KCu6ii#v!J<@6peeXFpp;sfKHfUuEBaq3>5DMRVrT9$gW-9c*!N>meVCU_A6jDY{tiyfdxL2sK+SYe_Tw3_W`CyRKvPG@z<$i2jSVFYkfbh_6)+YvF}n^v zeACreum61Yk5|EuvZ1aYLmmp*udz;Z5MT2crX3W4cDuN|U~B<0%}|wKslF;*)3A`o zN}{Gh{L9Grusyy&fU(G!=zzh?7#$O0EcVl<#v*MaYd-0(!*A5pnRq>>wgbBNg9_#f ze@Q`!kejLS%_`3xTpwLIsU~yb8IvacpcQ_Qy|=WreeveY=iIVr`fPZ*Z(*ux;u$mT z2wb`Hrw!{Dt^VGm%s4z^ALBEx#3L5QYS2_$$EOOls=|oB3ZHQ?K2=+n1ZlIhO+rw@ zgB2quZPA&lz&&Yvz8zM^>?fz(pZT~yQ$ud7GmSLRQ){62*D^~m4eQHF3j&$C?8lq= z!enOS=#?ubO`ADm&HrQXOTgnSjzqiq|L49hjYb-cW~8~KvCgqHx;3_C>#}9pSh6Hb zK6U$$ZCUt&aQKjAgDrCyV>`rdqrhMNWl_psAh*qu{Wv6PsQ&8xz*)*GS42; zmDKOlfzIquY7!jeyb%5H0J7Tn*+N**w&)MA6Zys>ZBsuk7t%6R zCgjb|q>O9JgkX%&GOZwU3IBX)RdVBrU47TjHzyXhl>Mvaylno!>2)2adPDw(JuQs` zHC`D#o4<4Su261OS((p0Cp+nLQ_G=M*_q3BR9E#j)}(n$a??$WHl>kvA%e6i!4Y!z zzGB!Hg1z}LlnX;Sux?iWEZR5=DrZ4Y+RilE6Z93T|f50J3GNq4ib1b7# zN=jv+Y4{Xbr84@5aA&2bcHbjCYwp^)Q1wW{@Q(0?`i%72o^V3gW1h3UCEs1XET{jV zX~bARaBTUC+xtq}+u@idymH5aj(c~_E81{;rS0a!>Ghi{OM4aul!`lSg>Ccm8;X+; zT<=cOS`w`Q=Om=oD87K=gTZ!M_|Cu(FW5s2a^1KNFB+KH;XRP0ql6$(8$ zvin(;RDsMt0-~BCZOT#Nj+Fx=p%pl^|{FBmM7wl zZ94eCnS&3md|;TqIes2KZH+|UdMk3_l^3;#hF-bt#Mv9o^iOAy(#s<4T;|0SHyIAM zZ}WEwlw z)XP-|qd_uFhzhIo&Tkxv0DbXgNQ?aO(%tXGKbZF7-9L!DwCB|6-Btk)4tL$c{(OYd?Z4kf%O=#y8O`Khe`)jBteZ0()2)PIpaidRzhW^ zw%X}+xk|lSmow;yi<_J1@CtJsqC$bXIt~C)QvVgDgJTzS|BBYGRIk^k6(&ch5DpW( z|D!CO6aWUZ*&zT*RxQd6cAFf^2+78Gbn$Y3>yFzyc0O@^Md99`f9J6`(;Z80>|1ri 
z+G5>P=H{DUyWx&EuFIDwjENJ(-E+;6>UH0$vU`_&t7*mm*taC5t-xDX?knDSa!t!{ z-(p*0mcH%g?oev&z|#1>2euY1IQ-^Kk)L!Q>svgxl>SO>v)NR-!i6o_g)1vOvpa5D z8N1`U4=LzCo8~*=jr+aO?g5#{>Y=?U&}ajh4I1O2G9J8!D-HV%!a)t}Rzr^*dS#F& zfKPyY3P&99EeEW3K&u0)9pE6u;w4VKlRBMg$#LuoGo3P7NtMLmL?S1qI&?y!L!y{u zWlmoI*V!2ug}q*Wd>7wGZnRij4uP!%f{RVcYpJBqx#iR|TkjnIe%q=u zU*3N7!_y64Jt3>veSi1qcl?*G69!EG^mzN7+pFQV?T=m+?tKALANw9?pYHAXapdC% zE3bWaaKV$0Le0lt6z_P1ja&B+B56hH*hxXyb){mzg6@-}$`6T7Hr-AfI+asnkUHW7 zEhTE?n6dKmi%iwZy{y5w3^7h%U)2UJ!AW)yPh_ncUUU8Z>wHh0lP9mJV%jbB)xBTnKr3YfAk)OfR%qG3zihVh-JqP@=3TDxUR9KJ- zl?kxG)@Y;i<6)lywkyCd7Kk)4=p$u zqW-U#`ArpO!hf;<9l9etgjkiW#+0QtQGuEpHnzj?>d65FkCMgz4YjT(XA~1 zZo&EI1#jdo4`Vz0%ZSj#+JVWn=h&$}BoMZ$WT-p}PN!m6K^3CHA(JZw2fHk5e2m>U zk<~W-_L%6?-F4=SxRRy&J><64>}EW&FI@kX z96nUSqslk2-zbS(CU>%Jv`V@B3kAp&KE-y$pyE-5M4>Q33gm*IB&fnta1x~%6Ci3C zb&3ipmB~O#1p?8wMv4^bu~6eiF{ax6i4f3->?L zyWz3Hh1Gk{hw8UJ586|Yfb;qFIc@vze_`uLzJ&0?SN>o{-PPTbY_w-!oWWzvSkZ zc3*R0xbEoAOO4rUZeF+Q+kK@a8;-Sf-rf;pqxw*!8%m?6<&o5|S)?8*n}l=nk0=GL zOu{yoz4J0F>DV~yS;(X8Ba@+#k&#HZ`j zxx}tetB_YO=CWFC8NZOrCSdrbvmtAY>}bT7O3Z1gMt@wqf1Z6+N0w{^GJFN828nQ5 zF3)M)UMX@bye_g#96=s&lLE3XTpkKlhG;0KGKUsqRAta+Rga2xQZ&UO(Qfv*)6Bq;XWzxMvCs>%lL?e4lYDETg{mwVP^wIW}X_td5b>NbSubl3PZ7x(rZSbXzq z*Wm!UWJ&$dSKZzaTH~kX(rm2q`@xQ5>sFlXD-W$d)!BZmBbU)zi)1L5WT1pj3F}o# zxkn;W6%9xwaw+HZv6q=>et8T{o2Xfn$5w)ZmQ=Xz?9)%5eey}+#37JJzC6Uf7>+Cz zK0rGrKo*8G_NPFvZkLWW>%eFvp0qT3hRUr}CZn0-v{QS!L#k4`?PjY|W0&Zde#6xC zayAT1vnx5>Jd-mT)~M|`)w>MAX=9b}LGH#gyBlxmD}TuJ`kbB`zgTvAZ_f?OQbsfx z%WD^|uSg!Tt-W{We9zMB+Y;|{)$VS-b;XK#{ij;!!1(J;*DXuSX&Y>yHa<6lx^)st zX(#FrTf)^XK`0DX2buEFX@y=BbZcR^=8%SN(7*vXju#32!`YCXt^2P?Yk z3e%G{*|)W?In`G(Z}&qR2Oha9oYni_RjqktX!!c8JIdy5y&@~KzVF7$ZL1b9nB&Tx zH*d$i9UTu{UsF5u;~gD8`Pm28tdx{zHSDTgyls)kzp$^W>Z%p9|Au4te_{_uJ1BOZ zD9XWw+z!GYaf`SG<)ww339r;?O-i#x5KUr%^thBt5%EZ*W{I>~0tFI~NkAeob(+9u zT5h5yDpx3Fpac(*nK1>jOUX8_DXC8h3Z)Iz4=UK@7L!tGvY-JYm7x(jA`xQ}at!-Y z)Bs0O47M!R)~HMj#&&*5aCk*^-oW*XHtq{;dK_%EV+JFzLo;2ef=ft+ph?ISe5jYn 
z1aZsDS4Z^Qo`GjB)NR(9^=hdoQE5!tO|T#`DsCCyhQnB1AU(kz$jI|Xe#v%C9mo0y zu>NM^BAH}GIGbeZ-H8&n-P28O_H`P7n#^cJ;}&tiQ4!PPwb4(*tCz!;9~Q;TI!ja`AJ2u80r#2rLCoo z@Rj#=M{?o$7hbStEg1j9#o4X%eZINP!Oy|CsI%0TICtZc2|`!v3u+oOmtS4)6}Joy zr&i4^%+$Keva<^v@=LEIW`(`JIhp)>$kvHZ#H*13++;_%vNi=m$q=$ZjRvaZ&@6)* z88is697i>`#X{V}?$hpv+(M2Uh+FS=x&^n}Yj-Cr0a=5%EeI~FUB_m`Ty}}-@{Cw? zf;*}MM5n{1*#mId$mM2$%$qvZfAd4))d@}Cy1QfW!lBBBW3TLPKe@Fo{#@m+TZUTE zrrWc4&v%{B*L1iezv0xc1`ob@^P=pg-Ld zMSd3vkAB{J%gR7*`>pFPid!PTkNh_Be&n4yg5BTQu<7{9G)8S!l2j~-iYyBIc-YEc^1f&!ZYJXXwvxmqe4J5;l7naOFAd0kVi#8!7);`!f2en0r`>87P8 z-y4QwjrYxo{LhZtJA(z?$5xG=h}=WfCmy`w_BZ!l|JJGHksrD*lx?|VRrj5n3Ohz8 zDJVAa_R9_%RUQSU5{+E&NaO)ZMWu{QdxFShSoxTd6EE6OW6{Ze7gy_ChM?GVe*Em{ zD6KnBmE&I^uN1;_(bQonrY?|#utGpKcoo?|;7bRrJ%BSJyHN<1j*fDAr%il9-$%?y z{9$#06pS9d-mGxTjrh_da)pX_LL3&#qn0btkWK$QS?_(k-n+s@GPIAC0u~JgpP3L8eM$l4IU!29Lg7&g zW~HD|5T%nDnT$F_;*?N{0GvJ#PYU_+F+<^H=HiMlJG&IM-uNtIAsSEGF>!2A60eVG z#emiV$R-tIao@#A=b7{8X~v%-aWwH*WH$=&m+0(>BgW^fze`A3*bvQKA`@fXO5lZv z^(RJBmOt-7*fhe>xNekVSyqUlJoFdYlIGu(RI3_H!xWQJ-pn2kn{D40dTC=RM_ zQ_(9`(4~S#70gG{Xf)ArQ6o7hft@%w>Z){f0Le#1y-p&^1dE4Kt5oJ;-(pjRU}guX zq~quZ^4RDX9ODe0%QZXpAsYVZr%Z*msmJ)K=cvMowj-ZShd5N2^Vv3bN!A%@j2`iC&$l;5B-qVh-ZbCOZQ-F+#|H`mB3HLH&D8mh>xrem+$w&ekUBX z!%!R)8EcHRRt-gJm@9{TIfP_TK_QQV#7%5^o6{!PY-kQ7v&BKXQsuD!9~K9rqte$_ z2+QbnlboKo=BKw^amBIMui5*?t@X=}zkYSo4QujfXx+hO4L5cc=B>L?+|zLK=X>}3 z{KT^6ldo<+{Oc1-FNr06r#m|D>MPFgyMJ5j@xId7=;T70Yl)4_4f}Rj4p`_e!$AX; zx`|1Tx|B(qsMdLi)~TghT|lMMC~Z?i)L#q-yap!MWWiC~nD}x;bf6mB{@|wBx$E!Q z7Wv)i=%s@PeO29az7)4)phjQ2x4kIRNNd{G7uEy}oYLPDzeGwWqF(<&_{9Do?8}9r zOc?S*Uc&qY8nRW|XtAZ%LTk-XXod;_LINz{1a}dqlg-k4v(+k9hYpq_$wgHDCGIXa zxSQBiF26ZZ@OtyJ-N{z4?svm>46?fdRgNYHbvW&Iqbi_QAJ9RMZl{j6>7Z5zMLI~s zq|)V}k|Q6>G0IdUqB_4WT31cs409YiH_EN&TRhzCLmsDHu-la>@p4a8 z*jmiy_<&5Na0XO-AX4ywh>w_2^=pz%a+%aCG{!XLOd*v^jTiweaaM3e7jj(U3%`BC zQ(9h=bJr-fx1Ziz@(=g#UO&DPiid`G4@Dk=P<~~=5YdZUoYmW#uD>%*%sBydjqQv1 zp4%Gitv2MLV)A%++m(edPyoBK4rbAv=|kyshX;n-u*V4@=&TWbwMv 
zihi_Fo333NyV+Ryh+Ak$VTBAlIL3+rDbp7y(-)Yvd13rzuC}o?R+sQmWcT^VHNum^ zYnQTw*G{uEj$$j-VH(M#C7j=!(33!yTe>XtkP^^ji_VGgk(>Q#x8wK zB02PIK#jM{IGuyvC{0o45Rq(RbRI&CDIQ{-!d2FLs&Dr_>kDkcV-l06ymfBZ&N9Q} z@NQmz-@4jaxl4QcdIR*P@y&r{wR5r(a$2rlNQbf1a_k$cvD7-$GmDo4G@=Ef(nv*t zN~!2!n~SL+P>qg&22gZ@nLs`3IIss`D?mE{P@PBw-cM*$VMD93lrIx;!}9V(HrGg| zKNj*i2zJJJ5G}XpNGq<6>kJukNEVU*J{*ywbr9in>Fg2HK5U`ht$xm2A>+#s!=QWt&m^^l@)GP0Gp$y zR+~a)RVh3+tJ!8%*iLfQqe=zoDu_n~#8zViTS6*UI~6><@&rUXoDjh;f;~Z`cBD~) z-JD<-6HalebTN87L*YDyTPSoUN;HN;l61FD{CJ6ZnjR`ctlc3cQ8`D-)6x5Tp z`dE~7Qz94%7^PuUXPH_MV8%MCbJOU`VouX$rpJsX^R>nRBt5^Z-s?+co8_62&$OK~ zfqg$6YYmgMIP%;BkuUXH0aY|@7hwo0+kI<4gWw_a4o8I&MOP5KemMnZR9 zp+Q%jb?G#!L&2qcy@ulQB0c?le6_!M>0D#>m2)WHh0VCGo$G_Qg_l~)a-udUOhj$e zD@+O3S?%fS*`*Jb4+rx+@mm=6$+CT)kd>MOVor4qDl=aRG-ymd?Z$tN?|ss zxfUn~qPR>~$l~_h`=+mLHS&y39?F-nf2w7tLQSC6gh9tG-}GBY5arf_0^J+utVyR zh)NN(9w&JSB`(BfxRH#4pyfhG;Ip9Yv;a2A)y71t{%y85j7?|9ii3?Kwnu!UkH}>0@M3N*`->3}rTe71xy2Ar^1^CN@1T8GLu||Zhe9~7)Vbio{AK=tISd1 zQk4hwL6ROdAvR8BU5xI2 zj$QV`G=joh_6oR*@~svpHwcucbk3KIshH$-mBC`eXT=Z9()wu}!V zpA}Z8>0O13GphGqS2sU<`OfMMcg)SKD#=Tn-8SE!I%h?}lAFSROkJ1ZTsWL-^!q)! 
z8RsxG zqo9#7&~DV-q3g`qODs=NBDS}j89-v$=e{Xc{)3%4w?E_$-gS$EYG{NO(TUroYd$G;mk zE&il_{|wB)4E#5R(|;2foq-wnF9<)Y|73}L24-LeW?%+pUNl$mtJ7DnT>Z%Ex7I9ObLU$1+QxP9>vpuKwb!=a(;;@e*V){8yz@8zAK-ue z_k}KbS6r97E4OP-*WwtgMA+DM)!!3z*K{{`cg?^I%)kuHz~2K9esUh&fNlp|OQhr- zA`th)5p+WnzeKkLT{AIHbQ3ob(BF;z3@_wv(ZmS4B^+} zz+IMd7N#@8&XmN^ES^plro-G4?zZyKa~Ly-F@K4!F7hS12JX5sP985?9=^-mBJQ$s zhIsrC&oM;wm_mr>8zM>EW$%VaE{{{eeHL)Hin|Lj-w;{K@dl1Ja=eM-Ej+bWbPF;4 z3Uu`xH*h=&;}r7r3o&KpR`Jk(KVpk!b4klXe;+`<^GS5M=*tR zysgh6B^iDWU91OvlCb@E>|@>pzGF+^T&Uzv0{_NWOHajcfmG0M#c*+290`f1KaSy2 zjQ@)mE+g$zapWYMei6eJx#Bd-I^PMrA5}EnE7%q?$^G{>A zI4zEZsLh|pa4C^lCQqT1k({YGauRPk8N(H1K0l?K{b*#=vXGsS_L3h6kJ+*R!$(vN>)-+!!e1xOrN93$J4o zkDKOiD8P;G5n=!5v^Ie1aur$_@^|81$_|%QQEOY?N*gsV# zMu#3=j}8B3c{({QoMbLOuf-7NyM|NZFY6dhr!Q7hC(mU7L)Y>8vZqc=dpo|nmHP}} ztaeU0C;CseM>Up-QKyH$w~5oXn7`k_V|0*>m?xujJ9nM25>3W+a{qqxVf5QP)qOy*K;Q2U- zALIA%8uU%kEsZpCTJ=xWCxq!T9=M#+A}rZ|E}tv;-wdz+z3}?i`QUOZRd7z&j&V03 zJy<(-BJ{-Sl)-7=hvn(vIn?oxZuDW)?B{J$&pBx;59#53=n8Z%*PYQU2X&|dY|*cC zIIH&nmSr=qWwgHko4soRjG{W%|C~*hKz3#~NCA<@fXFih1Ox;`0!c_9ByVu2#1)_Q5G7L{7$Dwj)JMYLXPRV>%4^#K-(Qmzj~sx5oJbLQ-0 zHXF71;*8%n#XyBc5&(R zHn~On@+xH9xa@hJA`u#Z^aD-08o6|%4GooTs3rLI(<^k}uWx?ckJJNy?KRsqE<^`-PmI2l ziTeE5=oQwpOz01Pe}1t*3|Fl^HFVEq(kjF9J@Rby$_R4|Dv?OUTk9W9e>prQ$Gdas zsDawWa%6&~`z@qUO4%#0u~67>nH*cbR`Jgg`NEouL@)hPHfwdf7#Wuc=Se-NiD==L zFhC$X@8?+T4~L2?38Ie00=L{^R9%SU5?Y89{%b>JnKy-@pW1Re2;}&yfk(@7r+I_CM%&(QT&u4t(W&|v!G-PF9jJKf$ zZduntq07Z`+~Y-`y>gy0u!kdqOUU0CXTKgBdQ~D3+^B)i1ID~k9MBXO1?Tf{JUb6# z5s;8e^xY%p96x^KiI{T8#;}p#8b=qiT9MS50sc1DKDNZ?G1H8$_mCQB$S6cVd&s} zXb8tGV}wdkT5yInTAd@>;+8X2d0;Fo7ag_RTq+Tgcqvo6(Ls-ZKy(aX@8 z#;nspNmL3sE@|L6`ey^a8Z4HQafh@ZPn>z3LAfkKirkR7qwE}bY#@K0=z)L68*4&w z7fSR9#EHDVHr9XsStckS|4bH?Q7EREbCn9LFvcoJ_B-;N>#Ai$y@B4B3N0-br5jdc z%)Fs9dP6n9Kfk3?vbdT_Dd1*fwseY^G{o_Bs}omdflESc5@PxzMV7qYUyRgjF%P98 z-ApmZ8D%(e&Hz7GU|b66g6G^cq|ZQEJa0115p^V^v@DU*DaxLX*mU^GG9Aw`88I`# z^Y9dbf<}EA$Ytyn(&U_Iv@{#>dZ35qR;7s={Vkgg&WZ9<<<&%#ohHiT?dSEUh;T-r 
zohh=Vi9$xaWM1ZEv?yJ0Ja#7h8Az8U>Q5AXHd>n@`jCR_MqiRe3wX^5vad!uE}vQQ z3LhihzH}VHUL^_{q>9!A&oJpdmSwecrQf9oj>4FRP${4B1 zqBmTsTn0%9PluZlkeySUjkY*LN;AuDwzwWlW%Msmo+k^*WeUz1jmd(`7GuS)#>=sE zihhLGI$LOBvPhLEdYl!|kQAZ4M(h3BY1EM!(h{RSKDME4@oTky4jVB_@n4@QN4ln5 zxYQGcOnAGp0yWoGa>Aqf@L^Yv*0T%T`gBjRr)*h?Tc7OlmUz6bvO-UBf}U7Zq&o{2 z7L=9hPIsx>Tj9=2&{Z|no#S;^>X{|(;%uHL-L=e9UZxj$78d5}xt@|`UYM1DJQ_J&8c}>{`g{68?XgT>FuRf_Tr>HR3Riw)r zk;a2c^-@o{H`fg>zpT>bb?fEDd2X*>#`}?$t)~~}x{FKQQ`SoW_X|my|lcfq^J9qWAg(`MidB?hBa*np5KS@0Mdf*1 zvHY#~6c;Vi2NVu8#x5i|N;p?*jiKi9^twyA-1smBE8y7!WsMUO7*L2>%G^u%n0gCQ zYo4dFxX9zmGfU59hzcr(?s!lY&gEq#P}Mv)?p2dy0xYLItF#gHv64M0T=!iabeoI(lRI$2VNMjVd&=)0Jpc)WIZc0C3|+FGg(i|(q}j`XQd@2C+YnYv%vR{ z*Jr0?r)JK~){(-Qn2|kK&rH!1Gv?~k(lV0b_2fA-oXJ^PdZtrPn?55wEg5lX8I#jz zCZ%Oe(I+8aMkXeoG*}`E&Cb+$g|eu$+PY1tXP%oG%w zsLx1rW~WV_nV#s>XUufY$jnMc^+_l;BP}DviCU7UCud|QpjO1`$+N)dS*eNX>7uH{ znP|OJv~P0ejJeLVDXH0dYG!&;G9o7>qh*Pc(vyv<(5cDkiD}d0^`yk+H0wZpnW=OYU#-#GWM2vd!{q%YR#b3-_#LuVts{NznOv`qXx>z3pCm+r9SYzt?U& zFKxTu-a7BM8>82D&%N!Qd)qztwtMd3Xx?_;-F)BOFP*k~?``+q+wQ%$uzT+zJ6M;P zBmDe_Vn^#X?Qq?uJ*?QpM)i!kI%-%W0dmAqw9iL&{;TWh?6-Z`wNd?uCcYiL7rbuV^!AevMA!Sy zCOXrd!-gT1Q4aBUA+y`qYGObzVrxlZ>(~QiVcXa?gnz<*g79{>9pRs{2NC`m`wZdF z*%^fYX^A7n($Uh9ESAeGDF{!oOhY)`ax20=wEU2mJ&o|5m_%YRlVVnqCFYhG^e*OyG20RT zY0OE4|1ahg!e6yVE$!#FuOv(RrLpZviR}=pk|kD)9f0t_*bxYijQu6TkHkKS@UGb3 zBm7+K0fb+O{U3y1iTxw7*jHnZBm7D1KM;R1_Dh6M#hym^>)5XmJ`)Sc$Nn?+8-%~b z;8|>n?Ripc2W&4Q{F3bpguk?%B4+zab&#UQsh5*Q?WWE`c(ytp;hQwnt39VZM@)O( z-jx*l<@Vmh?0xM0$YSqrpMaR_?bjnb(f%idU$cLL@Tc|@Nb?W-=ZN{j{v~2gIV_|& zq8w3VaYQ?!i8-u}<%n6~Sb><84vd{+vjb!2*b;XaDREVC7}K~-afpxG9Jd7;7bSI& zQE#CMh7K5`FUK7+cS6G1F&M{~IWdrM%ndQ`v>k+mUxb{wR6FC`MePE4c2yxm^>Qv}*`E${!m^j5U0zoX>AB0iMYMFG*S(n5 z6u5J|w7tkxR!omjcZy0$bYiVPJ$4;gMxmr+k4RnA9=mUNPUYxgx^Mm4CEzVDf^B!^DFU|)A26u!sJJlo90g~+unRSJ1x?!xkV_bS(fOv)I z9Or2G46Tep=-gbCm{%fQQJ`7;zkOohcYp@jpbZ*ylb~C@piRA@8PEp0iuz$aIsm)S zK{ObeGz7EgQ1MIq;WUCq(ls=SM$;I&7JGwnG@h=jrPR8{G5()Pb@CmsnD6rMR5~c# 
zltIc^C0of;%9J~mP09{sw{k#vQ~5|a#iCdz)|ZWBNi3V?v1<07rL!f&Qf1k1IT6(@ zDmAJisw!$rRCUzLQEx}bM4xRpr(Hq2rR`3~bc-mCb7@Lm9_Y1z+EB#|3DWON-P6*-QSSW7=?=6_guswxisl6qHFM2B^KaS$lX1?S$Gk^1T z!CN7xZm^g^u!^z9)yjF&uaN$I(tk|)2c-X=C?Oj9+LicSqG2-r?}ooLO8UC=$4h@s zq<@?Aw@d#S>AzV^z7M2-*6^2gm%i-JvRdj}mM{G~rT?(>e<%G~`nT+a;VlOlCjAoT?7hcdADolp7LnN-lNR7LBtBYBXj=?U6H`{^LPN{8t^Iz}gr+*Puj zRdU>_GNdoZxk`@n-JPT_+kW?I=}SFcJyrS-O8=DM-y`Gik>%az^rc?j zE939oY4~fUeXN}?eQ957&xl_4p{dyW-5~CLd1*PVqBV3sZKH?jF?x#j(sT4Oy+Lo& z5&DF_pl=k08KWcSj6Rq(hGX8Cq)b(uvP9W}bzZ|?FGp+rONPHeN?^kl!@sYa^ks|h zlNP^ml=P*ZZT!se?_VT+*|Q(@mA;hNrc~)m$!(Sr+al9#k&^mxg7js+tq$o+3*9RF z@xXHFpE3MxCDNA~{S#@~KY7paw@drj{-#+Qw;wTUboFw<+k|E&M9?}TRkie`js8;N zp_IM*6bXk4ULKI#K$vb&popw5La9j~+{seuYRAi|c){rWwiq-yAFS zY?_C?e34AER{F0P{;%XH{z^(?r^MNvvYn61em%a=@Sl)+{lwdb|D+ztW}lR;ep1@% zE@@@Eo)f9Z(Mr0L*3u^0PCIBP?WTQnfL@_D>0SDWPS7d(mlCDeluk-_rLPjNj8w)e zNlH3aJM*yKDZ+|pCDuG^vFh25b9P&7<-fkw@Sln|{NG44{f(S4cFP_=E%9=Xl*E5Z^m<0((z8-e_e!MP`-S2E zSF!Y^Uhk8d@!wK5`)$&fNb_4+{_loMUn14-rQJLy?dW-lM9<3^@PHD?=t*1B!0ZH-tZ4eyFT=);lC-%`*TO>?=k$t3k?5%W&Qsv$Lh<41+@W5W2cVf@4} zJ|&D#H`~j{PBZ_hc`vK{W2>1zxzfyk#=`g#GymmOGk@x&ng1#bMZcynzSzv48D{4H z`L>z=_Et0h?*V3X@x_Gkd13tTO!*mgH}kB3*z;ZauKtCQFE7PP|3PY_CM4emxOYV8 zoko_jK^*V!avD=s8?{{WjcI~13L0O=rA6GjYQz=b*d1Ax+y>1S*ji;C+DqTAMwHVd z5Q-qni;a9gfGZ1d4Ypa|?g()O#!$b+WyE({r1jjqP54?}Qy@B|> z=gL)wa+8GYcAIBcq1(Z=^6sD%8&_L%l7DXXy%mVLzmX+wFjoIKLgXT(71YAO{=j## zakVukL2@U<=DJrKT$Y?Gd`UurD{AOnlBlnM`>oerIr;Yb4#@r#__l}46^ne^&s&|} zg{D`XubNv2HA%7HrPoIFqvqIGTxjwws6EcN&$sVFwxx|Cle}-dK!kTS zZ(CX`aZ7Ha`cdPbS6sSuX*^kI8ai+H+~kiaHb88n}Oq z&<)Mk643%_5x)I~YuV)cvp5IZ*}N_Gy%20gE0Em_VSKZ+*mty!>HZQD{=@lcOY0%u zQA2K#q!)|}zv}1fD)TmKP73a21=q-V_R^uId_H?A(s$phyRhW@bNEapvjx{hpIG{;9UqtxFK^n(7w;23|ynzsD@QmP^ey zSNMMK+u-}y_pu0n9O3%Mp&>IDDgMHf@Avi2alZAgpiS=@(3W@5nv41#l>FW2H|L=> z=lmaymPRe3rM^q%KTGAWuX`EihTnS^cZqu$C5ck@g{+O=3Dl6`%aFeZ*)5*P3$*pk zz&x`^8e;YYe= z;{FmjMWmb;hJ33Vkf(`O^lkguM%G^`B=VTAGU7D@SsxSF_+XF=rZ8L^eK$q2+e?=k 
zwkPw4n|n{zyyW}P_o473V5o5=VxHH1fAXgQ_owsMzLreBKN!zhBRy>m#+k4B^F+FK z=}|+TZMRWF^e)JA|5DexihVp4|*YFchOQ8 zlWh*+C*N`Ti?bok(V*5u!MT)&jCs}{*EB1PrvJZEP?A98A)>X%;THI+Mf(@XR(JW% zRv}+Vss`u@>O2&f7m|$MJ2u@calS}m%yIu2(%a#CUC3~UZy)?xdSH%ktY)CDkn)V* zr?dju?SqsKaVbe_*@w0GJ{;BP&pMMWh4m%K%iPBUHdgOm`!<_o7bpjN#4`f~YY%eZFw1wd~*JTw!2Kmw*--eqaWzd6(WVw?@maRj=>-dq*+DirF=E20rh# z*Kw|Bi4?jk~xkzMcbx|*_8W5p}x zhjsic_hfvwkZa_S9r*(D|J8}O8Zn_c>d}hBK^;STYPlEH(#WrMV()6SS-evQvfSs} zYs?%W$T&uAaqFBkkJBT|5Yv8v_tp{ z_|8o3#Hs^V8(=3j>y9)MXFro|s-rA;J8LVe@dOLm;kPsMJv8APTFEVX2js->608&V zS9b7x@+^0+A-!+Ne)hcIziWE(w=ksb>*QD&7F^3puW9$^p*t2nGEG_b`6fTo`DGFq z@$Xn82lix*){L5C(NeW7GS$-B3%{;!RrgWONp)H4wt{<57ycRJg}Lu|L7vYpXo^xy zCCWSQSj+k6)Da?nhj`X={KDXNYkfWo$$cDr))0u5wi0&dyGux}TGvbscwSM*Jz2{l z@l;2yi{<@0V+FjUhBSAWxu#riwocjAmm*0_JfEeDr;klX{{QCZn&#j0Qs6#|)Yd~{ zM{MkbkGILtPyXlILUMs;-Te7?z{(F9n&-Fk^LNj!zRzcyo6MSK-bqA8qn3QXvgK0U ze!p@lQRoxMfEI?#!tys24Y=od2~ZuM^%%dVYNJr{>s{!x7xPm|`9ybL+YB2aAp+cKiwS(+7z{lEVgvJ2k( zH0<=_;GKeC`Zk*lQlz_cHRp`5n=^ z|8{YK{1#u^3ZRMTTwjm5w7xl0_wR|ceR(8Ez9ZsX=Wjgv4j4HuHS%rn6*TS}EG^@$ z%JnB-RmgYVs~S;G1MWe!w)<8=GQWwqA#a$KId?bqZTL;~HvJ1tP4x}cvu7?$o|Zwr zl_u`i2A5;JE4N4ewTI_vojM1kdnfpP@`l^2%%9W%*(J4F*%kQL5`t^w*UBJ;dcR+r z=V=Mw*{MH?H&_Q{*Wh3L%Xi_Qsr@UvwGq!#|6DDBnojQ;{mtZ7`d==-SNVR(S0=&@ z{MP%Wx<+X{@qI-jOK7G0ig5CO>&V!h*S%K_`CiI-_`Z2FQtL$SmO(A+Tji~d>i=yw zgBtRUt@H6+uI8hLqjnqKg?%Tg9%Otcs(!@tG~f4inwtFI>k;8g<_l|0L*ZY5t@~UN zysJ=;+8U6joK5PA-Qu90)_p@!^ z(`0-t{C?kyGAPHQ&*D_A~h(;`LZ_ z@H`jyFHteK%3n444pYQ;2R8Ptr|0vnsm)2ow?8Dcns0x!3~HU<{%9HGd(`xH*5mxW zv%WLN``q~(Z=17it&A?7_by%l^8MWO-v@`pmvF>elK3v8G4Iv(=ec;v_escmwO_3L zz1qGW4Y-fevOqQCb! 
zUixcmxvnTSvXDxhs4oqqp)`W7q0w|LjYZBhnn`o%2AW4XluJLOo%A^UhMuN9w3iOh zL3)WkpyTwZ!jvdQRqRTfa=CJa(o5;B3|8WmA<9r?xH3Z7qCBfSue_+dt{hShD}Pnq zS3XpZDt}WxSH4nCD_<-BRK8`z6c)|eu^85#bznB8GCS+SE@xM;?yMKnS#Q>t^463*id#g8_BL=quCgCEgQ?mvGMFWHi2EwCbC2}iA`onESaUSDJ+$xv8iktOJ~zr z2FqkK*!P)}WwC5Flg(nY*&H^P-N0^S^VkpAe0CFCz+5bkxmi9dV2jvdR>YRDV&-8b ztdv!-O16|$vDIv?TCP^8_o(aDP3l&4o4Q?nQ2m+ubM+VMW9qNeo$BN26Y7)d^XdWh z1@)l%f%>6(L_Mm0s-95)p?;~JQomA9tN&Kdsy>Z0MPr&pYo~S4Y?`XYX_sl8w60n= zt-IDk>#6BlZ>^8kPwTG@&<1IPwRmlamY@yQuGU6qBeiR^QQBzjT5YU0P8+XXr%lkV z*CuL{wJBPfHdULZrEAl*3@uZ0YFXM$ZI(7$o2xC<3baCPk+xVX(w1n&nnx?qZq~e7 zsaB?yYZY3hwp3fDE!S3PD~VxzEjSeDhYGF}4h!_8FGWFD22wQiWhhypGb5-S^yV6h zf$of^_RybesRMLqEX6{P#*+=Yl!h{9;?ST|bIA_9x`7)&Z?qP zH|VAv=Qt&fx+8gJ=%3$gNy^W`y(A^=_3;H{hbm;JK>J2>} zf$$b(3(9;}c^0KTuRMY_m%f?{!sZ4=cCF| zT>YE!H|h)B|D3LZ{(nXNU<0SAKkVRZ8US1PCk<4-RlcP`unD5U=!!z|u#IRM0{du3 z39ykE8VWmUPs3m<9q4MgvgyRp*<*iIK33H!O6u7M3*L8D+t-DxyzsTYlb zJ?X@4syAH=yXs40VO#wWGms6$c`zG{b3BWuaj>-n8V`FLO4q^WuBHjFyODG~Z0{PH z2>TmNiLk*jGzoTiEv}AbV`(z%aU3PVCdX4U?D9HFfo)EpDX`D$DHS$4k4s3ol&4u01p&MZPa}j?7yMb;52HZ&V zfCKaB2f%_K(0t&*e7Xska1$*6E-WAyu)#$+z=u4_1xC0j4>*xeZeT?LvYJZS zTDF$TfHUR9v8IAJ-rPf#z?}886u7gAmH~UV(sJO>Ho5{Bw4GJ}haRMrz@negEx@Cn z)2+ayU(gSMOHU&2^Xl`6IiMay7^s92j;KfIHel0Hr1@0+2g>$U5Vexf!JS0`(e5uTz=p{+p8G*wFD;z!P*Eo97 zQ#f?mje`kv?k&){k3i=u1qxp&P_?f>)xH8xuM&9LPf1V`fOH&H2PngoVL-a8m8%iM z5q6M3*uerr4XnIUpk%yqMma-61TrQFWE?6mahSlws{{^SEpX64z!3rgM=}R<0Q=%t z91Ub0Sw|q?W$ZE_U?&bco z?>KrU3iRyH`mjDgy(`(3z&nniN$e_i74VKDX$tGl`UCFRgVBZpfeZ>O%JOcYl1oqv;Ze}+F>AcK~Fvr1s zR>sPJdgVaFQh|nL0uA%nGPaD$1r81pI9MTYuu@&At^@+!qTT}hx?Q~;=R4FpfP)+# zSE%=@_W}Vos2gy;U%ekV_+$0Q2tS}cfHOzQTLnt~P@v>(0wr%(|3m!`TBYt#cOXr* zT1|Hd#9X27QgcB25JKl&yjSUz|i#qJvRvSyiXgZ4Fh6w4830)t_=se zjnGB_F-HPVHwrvmFOYPzHbxtR7>=h~fT!aT<`}w3VCY7Hp+6QFx>ZZm5)s3ZbfcD} zB_U0+mVz)x)eTxIP<5j~)eQnw*9%nLEKv0UfvVdCs&3R~XfuGb-v_pC6xh05%LcY? 
z1h&pXEwh2J8?`yw93U*m*^L5cD+JC~YL9D=(=zQ@Z67TM*4k(_wiFKb6koNn&)FFw zOGisbim^F{#b+$U6M%w$>`_Xv&_4ey2(f*qK&os&YuKg2AbwoL$Xtra8V+GA|Y<6s>xp7r- zKLVCA>dgL+eTKSwS^5yO^tX&6tL1jfDe4?OAUdAbM31+QqYc&x*2&5S>pbg1WwW)= zTB!Woy4YHzJZ$w^OO+k5zm9!Ism2n|qdcL#Z|};w+xy$Gnz2{g|HO*zKD&=?brd)j zvj-eY9Lw2H9qSyM*stQ;ajV#G;x@%?Vy{yHk?jQB7o^xA3ENpBHHs9q1AGTuXX$g- zJtW)*ZU9^Y+(@{w$TJas3S7E$PU+8)Za!R|bUeHWc}ha~`QR(0zY_i`xYcm$;Woi- zL;OSVtKoJ^_mpso`izW!O7w-dC*1M&8ExDTcL45XxYrPO817w!D}+;|Z-kG?@ZS+W z3I9|r>CC)852@b}CgBLzWIoLrF+RkxH*AY+CAJFNO4};iYT?$~HVL=Q_K>X_Zl~=j z;hwSW7w&-VW!r0Thi&f)cLZVX{*EwrCvB%}-(Z5)M3JnQpc;4 z)KoRYc1q1gx*OC5!i_?@NorTyDm7oY^=c7!s#jgA-m2cIu2Jt3ZVS?Kw;f^b9!3~0 z*k1J!;ez}V+^M^54+*yyVeWp19Wr;XNcV8jck`vovz@XpQpsMT-X~lI%HnP%!rZMw7|yoJzFN5T_VwJUYwVkZ z+hX6wT_F8KNdHhse#s+mwQ%e0JGrwzWqU}tXVfQz+mA4J2M~q}>WckkxYt7X!`#{5 zMcQ{Gra!{n|C9IiVO5=1zI*Sp&j#dtvG+dT-{(+5D6x*U)>_6e4mE^&t+mz~$53mH zL%oz5OD)%0LkzWsP)n$xUasX@LM@kT2;*2veRv#7tmP8N5=)3f2r-Of3891)5|hl#o#(mF{4tNuZ=JQ*yWX$$u6M2X-RF?lN9^MaYo~oOfoX<)#33*oiuD}B z+Uc+`94b9CJdO~M?#KcbSZoPh zdZxYUXdr*Qt=~lYEw{=~QTZubspGV*9Oz8ooZ~!j(Q%0}7kB3T-7#c40$d@UF-kmR zf_Q?h#xVudJ8m#IMx{x&<5XHQJ=+L6@jAz`G#?$>eU_252qA->v*|gT_{D@}bNcor zmO;kceoI?nD`nhz&ZFnN4|+~309qYQz=gE6z<{-wk+#9s2W&O~T|lD0KxJEj0ec-I zt%&4=+i@(dgppR7wkNIJT0xn=Dy@caB&}+0FV7*ZK7qyrniFVEpe=z80~`a=y3)GS zF3@M6RY)7K2Y|~|&bXR3W|>aAMxWR5Iit$z0@b0q=rf=?=K0wc#_ias#u#d*EyH?> zW1YItwn1HDYg3o2x#}u)wYpB-Xz5W43EQma7;}3;-C?_~?zGEupO*dVZs3r*mqEE; zJJ3KmgK#^asrwn$O3Oi@mUx1CP(8%34XB41)K(pENIk|-k6Wu5X%s6N>Ius+;H0&M zaXSX2l`!lhYCFT)sh$Dm^2se*kY5&CC)BgH47JC$Snah8s+2#~L3$p(y|;L;@v}Pe z-o0jzspIy{w2XQCsD<`XlR8PZnzr=J?Snb{X@X^tVL7WQmR?P<)oT`ls(EZ3K*-k3 zu(fIFK$n&UT+kK)3A<=ZZGAwFbqlbPct$?)ggf(&M)63Si%V;6&tF?l<5_Q=xNSFW z6L3c?y`{f}^cmZ!Jw~zR7_iIQ0+d-T+CHs9tEA6rts?EJWm2oP3ffVvfq~~HdTycT z7Jk-FS*EqqmP1-6Lpx_(1e{OcqAF{bREIW1pI21Jym9q1ZjFo11B_eG6l;Jf+Y#-C z?T9W}1{s!dJ=rp?+boB4oiVpgx5}|Dy3f+DSqQ2gu}tb2yw_-~1U;Lc7t{HuR%>AB z%jkIpJvY!Z;r2O6&tu&7PrZQgzVpVdcuet`VB4dw1r88jMYv-f^$oTTV6&~8Vc({2 
zwePUItef;a#@w@QK+j`XFX}~%xtODu=%oxkC(u6H&X}uf?bP=GH}rCbP0|lA?mS!S zReB9@#Bzpl`^==*+g9j}wi>;eVd>Xf8G4&_JJ6x$0d1CpK!@cp&}FR#x~*G)3)C*7 zk8C?&74*wghj3?Z!&!$gcNUwA)pKVl{c36--Th|Gx*&=+`CZ~CggDV@a}`TiPLeOP zjyy*6Ir$PxAb%URg0heJi^^S0&HIVIW}aqEp_XV!eu!v}yo_ijs17P5=t5A^nH?5B z%RGO-MmWV($p-Z>HKPC+qs7+)ngvLnEuFPrhhDXhU$JzCYy+_LI0HLZ<)@1Mi3>R+)DDS*~i%?@)9WIa%=VG2Y7a7w#lc>A)-&9)~xb5wv4=mDVIvM@_m9RFQ0AV8OhvNBWsd< zzKhbwh%b`qu58MmeH8q!U@LC_h_pQGTjxfD5TkkuEk6a{ z=H4HX3y3ChJHmvL3i&^>4q6^Hf1Bv8nKw}idny*vx0?TwDRi>UuM&NhCE~NQo1pUp z;y-74o^(vJd)Vgkr?951|GIfQ)0s*1b%;kRe}yC&0`IRsnAxvlX0nf1C^(qHC+lVx zP-|;stS0k9*~~et(H6Axeb6wES$+gwaWA~$Uhp~KbD-~mCwS1>Ii}`^;C21*w*$PU z$}z0zAb1)4UUWUhf!S`fR)x}Bl$ufMgq_>4`b_Il+Q^jlMISt58Tba2#=!5S zx>u7P#H@MspWv2>-pvxwAlmsYw;;TfluUF=IZu*p@T<4Le+zZTG4d?)6TJIo{tlG( ziximo1LTLWH~$MfgyM|UJM%}-C|0wIJ?$oYW083+`xW{cg&ii8B2e%=Dzf==umJa- z&AVPKVoE!%9sctdL|eE`vi3{l=L_Kjjb@E{v0zVGm2aR;8mIU|QXY8rx7TJ~WKE2! z9r0l=?+D_*i#26=?(A8_5C=Tg0m&uQ+KKV7RVR`*gYwuuiLpI8tFQ<1z7tt>u9|&?DSHmlG5F72pg&-$+>M#O0ST|N%K3u4i{n^7 z$1&OqKZB>e0_%Mpns-BI99GSR7a6`C;Zd2MCHl+^MJMSi()XFa`83AAl_e(fAK5XR ziaj31D*q7{;59YPRPtINVxOA%Z&+~;)+hpd{tWhH`Z+VNOH5(^DP+$fe=fin6pZH! 
zh;^$VKM46U@IM284@&3)G(q1XZg#BqL*hm?@Z2o3Aw41W5Ub~ zX%5S<9%oo7AN%Dyh+~&${)V#~`v&dDW$=e)SmReXKMaF^61A3MY|mkAt(aX9IfbLH zMc6M$!a->zQSJZJ+xbypCEm+Fi1+e^crX8DyqD)(BBrJYC3FDlB=9ajPoEbF99M?u z^9o@!@yVE&$4?P%2!bRLk_k4NmrkEPLL`BV#AkK_iwVmTV4nO~%A5DRn4Sv~pKIxJ z17R~^E1`%`Lh@4j+(Rf&-~b>>RSEe4%!S8uCwP3u7;6Ye2=#GQ&e)PL{uTpdB`d!O!|{d|!8Jvw59P7?pQPx_&M>AWvJY-SJJ zI=chEJm8V23H=r9{j{@a7b;7XPuSkJP1)YDP1`?iUt<5HeVP5!_8ioq)4s4ZQHP^n zhUpWgrKZPCm8LgM6Q)0zu9@@A_bZE)k8>-^a^=&?3gzCp)@(OzGxodene$tV+x@ObV7j}K#{bBQ3+yk&}_GOedfHvpNU z68iQf#xTbpNbs~bWr{%Zkq^;(@AF(8L8fRWH-13bT)pNGl+VXUgw?dp+bHIjQSPat zeRND{rrml*=oT&tgThsc7Sp0E+C+~S6SKvoV!pUZ+$NTYd&L7{wOA)MiY;Qh*dq=K zCaFv6mM%zr(tvcC(!eEYNV+185_eS^BiS|L&PqMfxYSSFMJm4{4H4HWwMmzytHhn5 z@_uQUxT8{obY5y9u9?caDCSDiLFo|Ht|P9N%Fjs+#Fa{Wq(+LKlC+=7>!dTpotCys z)zU8F+Nk^h`(ss1GLMo!DDM`nr)l#9fj<^OXOIj~2C9Ymt zCKXUVk|YPUn=2h7E=2tl=)=RZ^T&Jqz<-&Ac>d6At{-% zr6gVz$HW=&8d<1GJTA3}C&^-G(C-NvSvzs3Xw*$&FL5=}5wV4Gki=zV-42YI%0(VQ zBema3nMRgeQa~ycH%ske5v@ikNzfK-*duNhx00kzI!4bYNYXAAh-?3oXNG^nJ0RJ| zXLos@z<0KBr5{7T81J{L^3E{8d-7CDn|FFPcDH}NIP znb)LA>22wsrR$VA?=$6_?l%>fKFgVt^5&<^pQgOIO1V$TSMFB|l+RNB{G75@`MmN4 z&Y{XC%AWr#wK?^Fr=Cb{Nqsi;-P9YYH&bUV0%g*T)(5Pctbb+QO!+i!Pq%-Ba_I~9 z-`o4_{q~pamnf&cVt>_s+5VdSAMID{f3T0(U$>7^j{Od0)$gYrOnW@7GOa4@2Wf}W zewbFB_GDU38sGEQ|A&nD-!s-P-8$b3?>XPko$cq&_jCN*8Gi*KFL73#JIl|V=QkwI z^taFT2AD6M$IoHzyw7L-syoi_#u?tgk;JF%L(a^UA#u*R#aheY<79lMd3-N&0!>1#aq#QFp9EclTDgeid>h*#@W|cLThf$yxw4LLHL1^}&R8F`7TPoD z7IV@5qWvH21NN8gL-t|&KiRK3o=W34RQkVIW4f44I6*j> zkTco|XAXO8tu8>5-06Hy`u_Q|JgcTChqx1(SH(w2|(K4!M+WJA%9i_njK~M}j0jB|k;i zua(Ig1#|MIX3t-_o1dyUlhI~To(RGcv$#@FeZFkm=b1%?~0O`C46736sv?* zu~vLh_*?N6@rv-4yhHvvMT|!I=M={}`MmslF-0Dc-w@N}DYHp*n$yi65#vgw z(jk6C=~R9#Zd9IAo)b4I-O3B%UnwsoDdIy(DM@besia_1NNh}sCOsk^PkAKefMia2 zJf%jmru;aiPI9OGB;|zUPkA<_NBU^W?^6b(`%+#>nUX%2^6mm%`dVsAYKrt&sx8$n zRivt^Zs|bktEnSWm1U=;UaGacZIz_oSp8PN^m}X28khR4S=KD+W$QiGd!#}8H|*b# zUJ;4~K^-BC6DA4Mf~1iNHHBay(1}X(B%VWrbV63*c~JsO6FNDBmA4>j`P9}L!g|6c zdGW{i)YZ66Aw 
zT<1?|NG(!J)KYbiTCN^YtJE6xh+3~Us?BPv+NO38-$kX}B)OpW5gkx3t5?-A^_qHJ zoq?o7leGn!L%puKw1C>D#Yl(rwM?qprY+Q#5Wk#T({hQHYYVBbHf$Un(y@BdB5x<7`YQ052rJvS2^>g}p{i3#!=p}6<+f5(Rujr#{ zhd!ZCsRQ~Ar=(@-6V7CHKs)BN@hs-iai%hhh@0WFh8 zQ01&~9&v7V)~nZ@jm~CgtFukp=_D+X;y?c{;i#x}?ol1+{ zyT~RRoF(p%yUe|h>Q=Zb^>lZ&yVkW|n^cRK*A~$1Jgz!D-L=g*qYjXM2K9TCd3S@m ziTD=xDO#g(_i0+wE6y3W;LLV+y3didiFcoO=D9CATlG=*CHIi~itB`XRIPDOxToAV zJd!7wR^fnq%475B9v`>qiFnAb3|?0~+2mtX*R$BO%(KFEBEjb|uU2^q)Mn3G&j!zC z&sI;7wvhe7eaTb8GxC&D3rA>FO~miN4%$odCw8>^)#b^ zr_ovBY4*@8jCJuetKFV9Plu<=lR@%sjP`=3PiyxKc-m+;je9N=f7LVQTIjjvxvq}6 zay>KZnCF@^k9n^Qo_2?Kfve8htWA0yUY9rEjd?S@3%yIc%e}dtHt#BJ+`HPl&byH! zNjpa{_ey9MaxdO(dX9GojiicVQ7*-eT2C|i|BRODDdDvsUj^^osnvORtBu}O-o4)a z-h(cgz1=k9V3@YD};7_Nv`J zfnrg&tgJd^u`| zZ;fv~ts{8n29CYHO};I@?Y?5)E=5_e?X_LMRUnNI=Uo}P7mA+b6A@N74ZiDNj zuSr|&Yaw}y@07PrTdn1i{Iu5N-R)`fb^6Zv&O0OC9&H_s;iB*K98cqKaYkIS?-F^n z;?#XZ)bADQchooGKIba*O=+2Az0K^&z8f?z6)~;KFS!Noi{qz1*&Xr@ljmIU+bB0R zyXyS9=J4D6KDF5&@n_KL_xrP50smtEGWCdmg+Gt1RPWDrUsAjM1zNzr*1v(W;T}In zW6B!-&1#W_lp1(ybM)b8L)PY3%?FyB=eT;t)m zu{oIU&JV5+Zqn7@7TSrP;Pzl~a96M_usgUfus>K4tPC6uRtIaz9}+RdzczT(EpSE% zHn{VBH(Vs=Y#Yo9HmRi)7j)N2m&`o-mFpz6-{J}w{^RXo-pG%>O|DhW0?#$yglpj( z?_BKL?yY0r^E3ueaWr6F8z;Vp+Br>r7z%a<&$%4TYrVlvUGUTd&(Ha%x9&Et$-$Q3 zMfa3{Meq`xZA!fBTzi8OjfC%KPzE?Y0LJ7}keBB2azA;l%#8S(ddib(T#C_A(`v`iZgEmrr?392Ww zf?CU?_|xJJg$mU2U_M32Y4-WhTF?!ovpKXiR1{i4v;_Jkp;DrIT)RW%p#!wnvT1el zLsd*^_tk}JsQn|M`cR{`ihYS9D*9p?qR33=sq|2*uVRjB)9Rj3n?ZHORTt_YuFF3V z>JD89^?@4vW!^8|bv%CWI>XcSd}_HabTu@l1-$!1*El}2XZk8a*F!U2hgu(+@m2W8 z!m_?4yddmg8tP!G3t?9{;LW5{A4iNco+9rdy*eBVXVOSo!wbVp)V}cYFs&r-sqm`s zYTsyhNqC*UkLYT$WR=z)4um(7J;@s0L!r{(5Vg<{F4UVs1^ycEA<8ntB%$?kjWZ2z z(~f(J!aFz)hj)aRkPi70uPlwT+ncH9Q13g9Q(34qygM(r8Pe|V7SaCk)R4v*7*sR~bOxfGo`TqnZQ{*H*iIU=G&EZX6S8qA`z_bT@&ovVAi z{c5?74iVadNQg3Bc_f`r;E^mBXT4IIOL;`#^L%6x_@&@;oLiaaj2T(!+@O|+ce32Q zMOTUE^M6|;pVskgL}i}j;NAIr2Z^lV)4r?FI~`e1XZzvs4v&xS3%Twx9uM!4$fi&- zjbTf0l;x4_x8%i;?*d=Oe0ZmKfqK<@knam&hs#0w3nTlq1;HHJL5;pno{R4k^N|Yh 
z>EyB00(or6R~e}!zB*E?7DbLiUd{4I1NbK9!;VOc|3c(cnr^O^La0w z;@y`bQ|!s!TpII@s1#lhO$J{K-sWtL>S~9-RXY*&sYOvek`s*(pTY8Ic6717ChB`1 zzYO{-f?3f#ZIx?@TZtBEax^cxR=pgtL^sUiH-q2Ge5ivmW_GlQytFpd%zUJbdCxpP zTEgcOIz#4#V}aG)-QHc^JM7x|3 zUskl+Hx#`P?bC(mK=g9-YIH1mO;3+rk6w$;P^}K~Mv6$@gM5p0jc~-)D`Rr_pr<22 z7sMPfS1b^V#WG_Hoo%rtp0U{SSZ-`pY;|m%aYv4A)JJ25eAA3=<6C5GM{H+oH=PQM z8?JG;#jSS!jn%lT8n@Kg-q`;4-c^m;XzXC@Q0#E5E_N(-Ja!^>GS(hD6FVF0iS@?% zV}r5bSide9?Zif6<62#8GBzC-xZk*fen+_9xW%|l{?yj3vn@A0O1OZ=3vBF6iH#2XB}ui#pd;`r%!r!PN#E`C00i|52I#xKQ(;#cCM z@d@wVfI|>xUNX-J;?0-&7uqv#^0$jKe`I=d4SumH$jzY7<6U?N{NI62fj%OLv%g5_ zlo0(|g8v2HQojZII^LH)3d(KT6D^+x56uMK0lE|vz0Cd}(8oaWo_=;M-l@I;zKY-L za^2afS-f#I<9iADInWEBKLy5 zNDnhFuZHAdNX8)r=as9 zN?*h;BxB5r-v*7L^j&DKgXBCUyCLa8t&J>EY=#cnH}oUWJj~RT1c}8Mv(W-mvw+dw zgLayr*~xrTG4y{2%_fvS4gS9;>=2}0ehhh(SHaZ4R9b}6DC8NCS3s^B5|rja{yWI? zFyCs!GMHTo#_vOE#!dcRdLGM#H&9w=@bIhGz?VTM1NcJ#g+ z{E#tPrgAFiGDz;_*2G5W_?e2M;J;!gw7wKGlO1UMQg8O3?q$Y;t}0-blE6JegbD;I0Wk_I!pl&N$- zf1@QO-yC2I;~T{yW9`7p;O~XzI3#yr3>}axhnJ>*3C*z>v*WqcC+1s*SrAS7rLm`At2S;S$qg&Dq0MBpGnudn z&;5&ucGx~X@Ey!c&vU8NixtU+q>@X;Y-3NcMD!&1Jop=blQs>_4AvB;F@^{vFES+y z^EkH|?O+|NF-Pn&VbIte7|8|bOu}y8g2f(2kCTSi!D9Cqvqoti&&ad_y_B(B_Caoi zpG;z2m25ro9A3>VXs%+pDG6=fkG|Sqe>=wPHr5xjcn2-iLFXOA2e1~OG{z6U618&8 zZxTI$Rd~VJiCij6&^*K6h|15PwT)QE9@y#))D0MNV=6E;e z*o$wNuVO8BVYfbq8J&b=26cY~&0-_c^52^Xvqr2l_8m*4a*W3hNi|v+K<`%G1@ba@ z?*_E<*C@51eP@F&XV=V4uDP&F{c}?n67z8+OA;?n3D}{K|vYt{B!cd>-<NVy~F0}Je@R8Xk5jpR|+I^KR$=@bRCX|jqUJw1`MAoQ5 zl-tW53%|NQaf--A@7M)wD~b}iumICDMtnvo>|^>H*yLy;!q4(vgWW!f(j@+y6y?0( zlV~l|$c&2NQILRNguVZYVPVi3;~WBi_!QbfJTdP#dWXCM>+(O*R|V|$k`aed_f2SC zM{7Rt$%s)uLan97zQ(F;#_rh-1;Y+`U z=C9Gq9<=rV#jsY~XZ|Akea6@qXdkPVvJjq+6Q=SMc;sT`E?6VS*e|f&7*jQmjP}h&q~(aQ4ddL* z`U}2^v2|eXIL9hQnDs97z69feFNreRc?c~JgDPgj8*>q{b^MNkNAg)?oHutPs_*6< zgjMK*t$MK^2e3vNi8#q)+iLi^u{-crlP1t!!@`KSi_z}}_|+O?mC^Ef<2(k5)i}@K z1UPKSu`7Q9{$>1?(+f-`YvO#%d;oiY8gslGn(r7Cz3)bAuRuS*5&>~cd;q?;9<}a6 zFY92vT=4m@VLtp2+1d18QEJ0l52CfdMmq(@nHhcE#7N#iFB8TI7Oi!Hw?bZv-SIN= 
z?1UkKpZvr)QKR(FaAs@8$ft}GJO2(>QqjwDjOR$gCOE_MZ_~`HjQnWCE0nflk9-ef zei9x6%gFD-)1EYL7KzeyoO3*Ee|UH^G(~vDli+=@)tKS!hCPut1OJ!3>jAT>s`h)I z|M&mBBjGfSL`XQ|MAJwFNJvOD5+Y6`B90>>A>oLKh~vBok%)+gG!J=1L_`zPd_+7R z%|jx^QE4PX!V!r_L+1jN4AcfPgGx@)h!_S$RzIs2Tu z&OU101>0^0|7Or%LVvg!v+Gpg-oUlMxxn*)S3~|+sQXG>+51B0R-}F!_(pXt13e1( z_sBH>{MFz*j4NF^Vu#+s+o``%H0G#s`0WnpzXR=yabyM1vbc6zC7?f#7AeIwq7fxMfE>YKXbJ!gIP#dR|?Dq`fPZ3HoP}VrQ)t(p1NP) z{$}2X^>cgl?JoQttFaMptQUauFeE3VXC6Y{FmSQelXCseq!~tj2bw3Mb$Xc`A^r%z z8Kd>Wy8Y`WY12bSEz|D(<`KRdGG<{Mk&H10cLBJkHgHcW_OXn7g=NG(aNc4L-Jc%8 z8jSM}gr3=ohUNm47+@^k#NEUg&~K?bP2k@Gzozb^o4OLlGZRgK(+xUHp|cw#*K&>Y zKBy6{=Gynwc;_cV#v@q03_$z-#d-{DfSycq{F~MbV>ZS+CuqHxBmWBfQ5X4F_sIb3 znTU43f@%2%``>V_g3JQbAr7uA+5&aQjdl;?ZM30+BQy<;pmT0=I0iFE%h!5py|o*$ ze|wR3i*|c*fA)K{QQCdlSnWaWQS8C~xK^pnFgshX2}1}`L@CuVRY4M4OOl-b_BTburhj`O~`^;<&u0lLF;GR`INpe>uN7OiGzWx#P-1?SP zm|BnPU0c@9>UoJb&tX*IDT21O<@tp6A~3Ez>OS7Riwdjjr0YL^GjE~bIACc%!+T7o z#0!2!j2GR-1o4>YEglz7ivEZf{GwPz$1UP#bPN%1&~d9cM8{C;HS*$Z_SN>sMX`O2 zeT}%?zRtc*46{FBcN2Hm1$KeB)9zvS5F_l~c5iW)-N)`DO6@P$MdEJzF1u9RW0%=w z;$A$9+f1#h{JC4~C+$bY32|C#(veZwPUi4in=)S(%AT^X9Kdht(0LfY!=v8qk(F|) zoFQk+xpIMAESJjVaux9^&k_71OM%(c{q=NKz!jO6q4 zPvdQ-jTgXwjIntaKS4E`n3k1{^&v?8E;zTCKc{&t3z8D}L1=ghI)?*Cz^R0uA3!Du zd>u;E=x&JXoD>gR~y`T5f(4S?F%s2S`n@=*Z6s;m3quX1?}>aTU>b>nkwoKTY)W$n`X1TD^C{vpB|!fd3oXW*B*x+w=IT0%NNT znol#f_JCdinei-dSl}FjhGNj!u%RR9>5Pr3I*mzr19IgvHs68%M#cs>+QW=#JaiD6 z3`?37h3!1$%yGUI`c$YebbaV;8XMQVzp=EYE}9WDdkF|G0nE{*@G%7uS(Si zWly8@nPelM)AePt$#0t<+RB>_Tvz@A2>WGWWJ$8_o?UDUr;~q@eyz#?%cx90a6S*X zE*^NcvClXk*JTBj>G{Sh+uw$)!>i-!$l4S?PIJ$c?#UdH{gUat=^WF~CU-vNEOY(q`8hYOz0P#r)bcwz z!mW2(XV)+3zK)JmemdJZ+3r;t&i;D%`#$R*6D{}Vjp)Q^MRZDZI%xOo&B@;QjLwQy zCuQbG7je1V@4fjtS`)2}u8h`sK1r9`v7xbHJg>(} zW23+u8yg>+6sv^XRGJfczD#dp@?mTS=}+g=_>aww&E>kq7POS%rNmU11Eb8m?-b9AcZ+ui-8!uXQ-viJ)BwI{whj%!hT zeY^^OGZ<0$R= z=buY4?tSOvbw6!RN;$V>@3b_3rj?hxR;FK9)6Xk>^PT_fwTU-h_f!5(Oi#@6##^E~ zF`vglVo{$K ziQUO@&ts3q9gjc1zQq2-p^R&9S8w8I;zY_gOq-*;xhQcuOG{bDa~h4~EGH`(KAF`n 
zVr1oHbg{Ql@OlzPeXajE>YXbBmpnE}nIpl9=+I|Xj1Je@v1@vo>k&rQmISaUS##S%J z4m2CkY~%k*eU2)fQ;mI$y?32ay85U7QDq6IYPUmwSL9j&dKl9>a>=PE_f6zF3O?+V zu+uo4A6+>(5sR680g2L6VK$W05}FTAXP)E9zuP;4#|Ij z|1LCigZ!0{`7vbP0R0Eh$CwT-M|+{|0%%hMZR(5$T?qOK&^IFQBIMlyYv(}!D=6za z&>w=lK+7tOSOTq^DvN1nAhcZ#ZBwA_1z5felCPt7+d)47dIsp5AoC~C$3aIx!*7O) zC$T|SfbIhtQ4pF0t^QMZ47~`^IPzA|<3WE0GEYP1X3*uJd!Tk-LhY^vjeeqk6f)S; zMY|p}da0&*DgNt}LC}aWkza<)Y{(1*JrZ;Q=seKvK$pNjsuy(x=K&R?0*|3h<+nlK z0Q!4qi)UfgZ$TrkjvnZsZx|*#_EYHjU*vrVd7lNp9{fG1T`uxQ!5;+vGoY1+zk$4a zk@p?g)>B1~s5t@S0zJxj5&V(Jt9t%A&=?Wg^Y9GzPLLJgqmOCm33fJYm<|2UfL{#T zZU(F6bXO-FC> znrIX^h;4LyR{m0M5`B%W#_OUVzm+Zq;3@M0QADsi(}%XXp)8u%DC7j+sjJ=()hxLgxc`n))`KziSPz4K6D7V3$;y_euljUO)$TX0=a>^bL%zbiM{xXP4*&ZP4ZVQJ02e75d26sE z+ZOEMq58lGwd1BUns6uT16@R(=qmC>H}OgFDN!gsO+DZpto?RhJKr8)RojE?q4qE;r`#^3 zQdnyPX-FRSC|h%nv9@C^vd6O)?;suOm}FO474}r(%wSza&$j2^V z_BPV0L4yZ%WE}(Nsi)ud_Dt^SmUFaNfjytCUB47o=fviAwphKW@ zpeyyu>OcWnlS&Bm2=rlab_EKk?T~}h0{sI;=sQVoD$m(V14Gc_$u^}vTpuVQ3np0& zff3xd0wV)spu0RU(V1pV3{;@6uCYfU2e-0johDm4Tblz@0@FR3529vKAB)ntnt=M4 z(?{lH4-N`+4Gs+sb8>^F zR$Xuuw^DGd-44E(XdMlX4^9eJ2B+GkR4W>R!5IXzgHwZZX|7olT#)qFn&9H#Qd;42 z?Pt-P;riX0Pgde=w+pTct_eODe2GVq$8&TT_&{>!jm^*ifO;83VvXkchCjqPgU)dosJ#XQ@Fh6hfEhKI^R zqeJ6D6YQQmACi5w*5=?&Drqv!&!@>RD`_?GjP>u6|NXl7^* z@#lpWhL(hu*@b~3XIE%NXmx0++7Q|l+8Wv(+7;*=+8a6;Iucq>^Uqpptp=WR zsXb_R3LOuff=|fquuwB4_h6#>hOKazt~GhhCwNt*Rsg_jaJ4?kn0LnI_&d-R@S>LM zwALH)EAZ4|IZ|gr{s1_5S4l60q*_VL1Ajaumw_`2bPnhS;9BIG4tguJodW$F$9d^v zz`=S#JkwN3+Cb|Q6dy7Z5D``eJNF>981x{d_64UqBHi$X3R!~GDEPc%n6w?(Spoh^ zwYMfX@Pq6G90AUTZL8hV`5s~`G!I~G_F-&Tz^lMNi9NdN)CvsIMpcMH`a0J||Fx<+ ztQrg44|>`u3!!HRWDctK!o5fd?oL*qcH5K(XoW~^)KpJpZDdU4)?;N>4^J|l%2?m3 zyn$B0(<5C&x%*(@5!9;=^*RDeMu3AUN{*neN?Q4cfF6t;3vtXps_>^_=nmtgVBWD$r7K z(EkoS8=x}_mTXpI2Q=!aFMzgcteZFD%LCcK6TvS-iDS{G6QOfp%eq-V2t6y+3LAKU zJMID;s{#)fxSnL6Y=_J!)^8kEz5-`5dPRZTL$(R;yDsy^XPJ?G-!W1 z;Nfi0rLg=IT45JBHQ>xgUG{@hjMkq5JPtSqcra4eK(dzZ1Nqx26W}G*fYvcz#Wn>Xmm$TSV+2l@f`I3E9Qr;JK;S-h7Tb2M~08-*M|>;4+D<5!1PIi 
zCiOdF5Cj!J5+`Wy$~C#NO=`jC8@==E-pTCd!+Q;=D z@&(;8gDrJV^4&Is4Q?Iz@cS|8&$v(CJ9AoZUmN?&fu31$T{g>_uOWCo#mXY_gT)ZeC+z^Z0D5mm45cs zBfWn`riEL^&P;+iENN|MUIKinf=Jlvhyr@MGcI9|Z?4F?w zJzu8tsjO(0TQ^@BUV1cJ)gfgLJX>E&n{UrJUuBw?3}sWaLkmCJnV>5{fzMZM%|o8= zGhLt3_|YD&p9!LU2>ORpu2az>f*}MYX}UVKKy(DbNS7X?+9nB}o^tm*k)VQLimHEG z5S^~T>vz#v?zuXgaxIO{Cs-6tnWv*Q?zz_WW0tS(-u0b)6h??&F&k$qt6~@Ls##S%J8nA&>;}P(eGq#^%EFrIf z<3Pr~3X*Sue>?CB#=6q~CTQd}-T>#9(76lrji43(F3=`$0-S!JE0K2+a1%-l19wE~ zF-YD4Ish4P^bq*}0KXeJKL-8-;~?x0pf1j6;3tr}2%6_0*LBcViqwHfodTW9z~2r$ z1DrnrN5F{zR{(3ke}+#M1CIyiY2b2{@+DyS!59OqeAo{7SK!PB9toTWTmlUL7!SZU zRmU4(|FghIb(9}|iqwZd*Q3N-(1U!iVJ%p^2>4-vw~`JH^6qhC9Q>hnz~MO0=i;c~X4X z`I_@Jk?VZJ`KGuEUj*ogF9LibbZzK5@u^Tjs6ccN9S$89pAK&b|3dT#zY=~$^o%4T z?M1Ihb|hQe_`a9dPY5}kV3y#oV+c8)U=cwLK`p^b_jet^I-$O*$-f(1*zC%vFKo8J zZl8?z#m%EaePNUHyI5ZK5PfR;*;-|bwYSw;miy@ML*d`_LoI+ zh%AvKZx>_FH|*_}vKyP)1+Mj;Y-ieyt*sr{n)cfB$@2YnZ?>FcgqrrM$VTjr;(px) z--C9)_hLOSTE6Zw5qPOce)Wa*B)=ZhPIzB^5%|WAupR`i0=^0ONsQLfgrAfArO7D1 z*&&<~=MI`(_?sOjzS$APH#;KEWan{_?M!o~(YTrJ%%E{I%lUWFF_a(rr05hn6naZ^ z2{(irL|){|$d%&S$cG~z7F{oy-s||0K0!DQvRue^&m9Ol6Lj@K0YMLfJ}z`{p}%`B z^66sPA%eecqaf_+_JGqyoE5G^#7*k4z7^-p{7i>@_lwO_gtsT5z*pJ@zTx8SLx`^@ zxjPebzcpR{B;eZ+N&7Zv^h~9VpCiBfMf}qs-aQGKQlZHTVTw}GSrq*X-bc`cspa#( zGg=|dyQbD%yHi-&Ol_vfk6stOQ+$G2CQdEW|FT>9K>csEJzX@IbU5kle zG#KqFJ|;B75hiu$%WdPo;9u}BxO||ATZH;Ybd(q?a_}$c#{iE&aKFR~@n7OCAsAroSdyh2_fz9>H=KO_drE9I5q z7WrZMVKGF0M1DlvDzB1PiJ|hN@}uH5`7!x1Q7o^PSBo#nkIRpX5_yfhM%*s1mDh@4 zw6dNh?%-9l7%msc1>#P*P%acBc!e$Ql8fbHQ7V_nCE{*cYuAV}xl}F{_sC^(nHWhc z?OJiKTrQW3QF4V`A@1XKw-_x~$yMUZa7n9|7xm`RachKEXh1@B3ipS;eos6C{LQ*}julTqqRX;M2fN|mHZ?aU~3dz$r=P{Ul;e(732EThlcyV|6y z>y8Z8x0V{7!TQ!xcV@7@wbY0V*6Z-OvR}2(T^X#`;Q^&hNtI@>zO~fd8LV$DRhGf} z)>8Lmu%6%B;8CsAx38G6|Lp&&Dbwm%ZcTM@(lK6 zl6x?NeVOFOXRt4m+(WJG^WJ>vF8H~R)cDQVnD!&>C)$5$tF`~p8bX24&qC`$KMy?@ zdOoy1^g^f}n!1P>K^KuP3TZ{tm#$xfXkHvfV`>!Pv0}V%@Bd|#pBFUE!Bc}n{G6z{ zb2HB_e?^R8m}g(vNkt>Fj9d!I`M`)>6?J%*#{nlyYbk?DsOGyf?J4a)>3;Ux+P6g@ 
z^ipVp2!>9EPKpSn+1e8AdHxo*wn=o*Ue*36uCX4o9utTQ6E{(v>cxQAk=Q$Qb&2A; z-I@>hw@d@(>po!KP`ZDfqs`M6QfbSy738tC+Inq+wn^KnZP#{bd$ohw5jr2&PEm)k z^st_#XX_pG&U#n9K<}aV@y^Ng{(6x*=-7eGv)-uh(0A+m^+Wnm{e*s+&j#J2a(*Lfv@>#yjz$+F-zYSC8hwoc z#vo&;F-%)#lp3Rqv3eh4yfMibYg8IjjTy#lW3I8lSZpjcmZzVS_IYR5KJT2A_w==K zK3BgPtBf_qbH+=?Mq>-rXPf6QkFV@7cBcC)>8A|-N%6}$`on7<&t89d(6h%lU>r7% zCF_6EXfh2mXvWR0-Ob)+KVy_R&>ZZwlUZyIH_Ob?9^V{iPB15%RpvBv zra8x)*QQ@wyON{q5b*uLHb%`P(1`z)H-qyhU_{xgxN`A*;2Rk?BeGt_N6Wtee-f#P zvR9F+@>}2_DqkRWUVI#Re*xS9G6C>s03$}Y`DtiCoV)xwFmj2xpsxU34QxU_q2>*6 z5Ya3UOWTZh1yuC01V^C0&D)?KWyv1`--OgvNQLI6?=gP&cZ^RfKOj1rRvj$!cVNW( zOT>4}hk;>9vCs~;@^<>8=!v$+!Oc~@b5zD-$m&^f`+k3{R1$((Tq5B zZ4^?WS^fl^t-$b={3d8bi%Vty32+d9P4`HQ?*)GgXvD?KkAZ_!(G3{yHwe57i7%JS z<_VC*8w}#N;2_?==^g0TkvbK)BV?WeU%iolH!Ap9IPt#?KHj~MZva0EJ|eYs)Lrik znUP5SDroc~iT)!C!9iY4y+wgHBy#lMznO9&x#ylSw|6~9#5qaNKhJ9+msd+y^3+{i`3v(6?#`nPbQN#F?xVFW`;T&( z%pqw$cF@7kI8G3+BOs}b_b3&OvP-L7Op`ifA<;c$UrMc)11ObkU|G^jsXfIyIY{Ps z^PW43@qUlMTSVeXUq8pV7C!~X3@K&XTa*sp|?_cqgp3UblZmU5?_nw;2yOlT@#M>9ql_p z;J+_vJ!(BFG-seQQ0UbDlZ8QTeq3}4ouHP#I(97f7tuLIXM6YFXy`@NnoTRP4mgT0 zs@~3|p{x5`;1Qy^&(o}eks4~#V;x<2e>&rRJ|7Gv9}G*8d+)aTb)VUS#!F~HW2-*p zFaK3HwF{l|>29+98GU-8?ZzweZgh-FT5@U1=}PN^0vw~=Crp>BBsFe^UXnheMo%%p z@Jpt>1NLsX_}X)*1v=7ELNMYI>hFkM#xK79Tw&2wm5*TrrI(I`Z>NUmP5qSfnm z(M8*#?G**uep<=iU`?_ni5sz=?T7X3=dhmbkM%770}-{-Y<*2R+#Iy!asw}ydEi}6-j&7;xn!B&Q+&ceT+@6 zKHAcHA*1x%Eb-PS%V!IZrH*N1NsYDh8xg}U!iYG(a=m^%{37)0^RICp)wxqE zuX)$_^Q%Ky@>+VKbvWPhy{qBKwevizA^%yd=BwXW-@W(czWR;x-JM@PTk>hOUPwnd!5H@`>gBVB$M3L< zGJfC7m2~(;8HMLpvNx7ST$HhN{$-DJ?*r5CB`##Xe&(DlQ1^?2KJJJ6skkxCfT`o+(_Ob&%H^E{6r)a|5q8Tn-y9O)H%53hLsw!ns>;>0063 zY*5eWy*N$(YWTZ?|FP>!qjjR#O7xZ5cS+j_pT2uZb#=4#=kV`d z=x?FFiNRP~+#;^zJ%jZ0%rh1mON?a% zD~#2~T4TMj!PrEw)!1(AGWHq=jUxodjZ>yDEi-Ip5o8;?%noK}v#VJ^(8KIw_BV@+ zt>zHQb%R3ydSy0&B6g)a+v|Cu$XO zj$3Q2=d72kjph_ryQluL^6lPsKZ1c)UwbgyVi()P?J~B-9?h27 z$W)k%^gmWSx2q1*Bs&uAq$2o&pRc~ z2!fFqoAb>^XAD8P>$4%wM02-Qi4r`?3X;S)a>#?ubky&pGs~$an9nsL4=y4s 
zbrz-7p~k6oRua@X>&y}>>eM?8PQ97!Y<3#?m(}Fd+lI5*j*FB?0Czt^6)S?MM|WRC z6?LOxq7WOS_Mud}gvuZ=b{G}d8I<3|7GAu~LSXDI>c+{ay~Gg@pmqs$GFC{huzLsuZ-MfJ!kaMbRMh+mS}yR`XQa1gttc4^h#1pj&HR1rHU zMMa3YyPvAkdqD=8-90Ra0;^cEJftF;Lf-_eEExnoqB1nZbE{oE)gGAwZK10;p8{aD zODG~h+?`zi2!0=6wTCNY+`TX-fO8ZW_PG1GBKAY7J>k(JY9~vzPp4FIO)7ds#g>3J z4g+HkNU;QTf8dhkCiY|0aA#ty+c#*u-zGUIVz#5d|_L0v;GwFmI)uxA=|!JiiDloz`~~0*|_D(|$rlaR@Q_ zyfta8$<;F%_7x>Hy_aWJ@4fU2_icwkm#O@0pBK4R7Nw;RxnS>P(mM1a)H;*iEaAOF zH946=a-rY2=|!l`&t|nf69!t&u7y7i< zYkmHYl&=O_@?X-&&hjtmh391NbG`bz^IFAuk3<<5E7bc=rMSDE<g~{?q%~@`e((Msh4E2+k!yD$Rw=KK#weNl0kX@xUSHU(E9YxlO)0;_bE#GcRkKL{=V26A-KxZc7JDV zO_BspER?M)k>{f2%E-jOF}{*7Ny$}edr8*&0dvY+1FEQeTOK}{Na~O#5LW6qN!9CQ zCoYAm|I<|(N#RmY>2$CM_9dREG$+3k%`IaP84cU~qDse^b1q+hcC@?0o8 z4=Oni+B7-vIi()Vwnj+znt}9DB}`o}(rqxie}G*wX-uvTOcSIQQvmfwUkj z*g1)VNgBhG4Adk4)kr;fgZ_Yu&PFVZ5F9wT&P6Ot7)P7HIFN$t&hx;h3CRMv{9MCB zuGYxZGjO%0U6=%RGI^GF_v`7%xqLf5)qF8oOJfOo&uO^ad3v!wy=5q0J;*;O@_*?> zTnlMW#-8%p!0E2DIDd)RIZ)n`)fe?wiIEOrv-PvD#5}0H9QR|N?IkwwBt@+LL&ot$ z#e}oG%x6!(D=)u1Tl!u3%6m5TyYklX+0*aJTgPWpzbkJo%k?$+A9p&gg>)g4OC5F3 zK8{hcHmJ(Z{#Ww9q~vOSQvO|^L6okpspm-98SV>^yWu$Mttt6;{8yZ6`(H2n>q{P3 zO;^;)&LLVoxBHpeO(OTlp2}_#8K-=wr~`XKq&)U#>4lePT+zC*TdJg`dKb4%x|M}%DwLD3egd?exH-y&P z-91!ucSJVo?ym5y74p>PNxbPHckOnf{r$J<%DZ&4@YdWp=$=n=!7raKrz_FFKV3uD zgU=?qm2RiIXaU_v3+Yk1oH6EQf>mZ!Ssbgyl2|>K%9^kitTjt#9ZFtIPrfoed|77< z7xb1^HrAc>VVRIGluOz}$|cKGQl65slu{1FN2ZJMAWSyP!7^phHEaYM!zQrF5Pmu> zWV6^@wt(farR;TRiM4D)NLe5)qR$-b)5hu~F`iXr>h!QW^STp#@MN$$>8MTst5d)F zyf2<7rg-mxI?>DSLc2Oai>H=3o>|nVa`6-?!}F}_tZgx#C#Ffnf4Y&~h+pH-j%RHd zp6O(Ga+DuLJD!nMHyG#>qHmyGojJzyqw3_VIzy>W-^!a&2sM0YpM_u5IafRht#$CL zdlJ;iV|4}>&y4Dm(CV!4B1}h}lvQW7@rjW&ssao>i65)NdR8wnI~LVylF{sG_FX2=TltQ8#no zoeD*GS{2HX2;96S;^Ul!ld)xF|*q{l$0>Mlqi3 zFWMheFVh13j->^9YcbZNKGQ!5{gEb%`(a$9Lv@b4xN4wxLoLgDs9NESNY>*MKsl15 z$ADeY#uFv9#GWesZU(4ndAhtmzEr<4c*3GQZ-0_ShLB+(YpU9q1ob)uYds6>^Wl3g zzOp8};!KwW@GZhK){TS+9C|Vh4DMh74aR`w< 
zi;!C$+ZNQ~?MU$bhNy`E-r-m`kNrV?FyJ8B`ka&8(L#ZuO5&f0+fk6WDt>}nCCAr)|r8SXsT*i;B@3AX`O=)TDwjpl(A>=_cEl}2%wj!bxG-B#3%b`@%P0W^)DZ>c#Qnp$c(6HD_goLx>|sK29QN@?%qrPg2iSxN}A?ar@QH1dVn5ggjvjH zl~@%P%WASjRtI1TYs{LnR;(>+&pNTLtQYIAq4LjSL)b7j8e)xy`Q0=&Q^%Ua<^#-S z`D{5`$=0y-Y!lncwzFNVfbC<2>?mj4%LPm1m3dVj$7}HYGF-Q!xRRxBlT`ZUa1KU( zLiiZ^;H{lXiyBqyV!IG_LrBpdweu0oQQc>%?`HL27^O!}-BOD8tLpW&;V37efAC$U zN*fz(h^f7WAvYq#wL*$zQ!8-{F``Pp+_h+Lgs~7`rA3fo83>j(_-4}MZxK~m4S70# z9f$t7Zm3q=7-GlnMu??l*B~5$A#t^iqCZ6*5PWN@T8p7dLtRJoQT|H5BCZCq9}p_d zib~I$T4Q|?;jI!H2suiY3|E5Gstw0hV9%l*Yn9=85Z#WkP`d`l`$PE^2$k-^8!+Ve znqw(#NH{~qHN=XZ^&?~lP4vSj=pM~_ z@MRM~mDVPi4yNKy1M`29eADJoaAsCtp2T}1&(r=Hfvh_tA6EGpWXFqM{1EIcx#b*V3+HMsbFj2$9*Nj8-s9E{pp#YQeC2R zkHHmBxih6i&t%2uf`sdR%=)XSvZ(-=a zLYgoC($O{e?@xv=d3AdD4^jTVgETOl{FkWB(#pm<>%WCiE@=-bS3dr~ROKltODW}$ z{{}H#84to>Tqsk?e?osfl%$Jxh%a#nE(^GW==TfMMm(EHJ;Yz2)?sO1gZ9p7zaQ-m z+Sj7J3)*|4U7&p=+Al}@yJ)`)?aR>K7VSf%y|^~QH>3}ZNB^N1rV`ro(cT*E3((#S z?K99`2krCF-Wctjq#b&(w5Ox}JG8IDFd1k+jBo;eosIq}(kEEcZE-jBS2}B7L3=lh zwGHi~(Qac3OVPdw{U@RQJG2kgVS+|!)MWT)jnXU8+~nt6k_Sp2R{$Z7N*+dX^>_^r zj_KQxpLx|2!~r^S4=9+)>7_iSHkBNOlwEh4Pz{7?m`x z|NQ+!*I0h|s2S1cPZ>4;M=|B0nAs)$7}A+tCdJIg63z}EO;H2iDUYU1=~Dk7Kr!?y z^p8W>RM(ZtU7nt7jXNjHvD4>-C6oHxGfw*bV~o^%b!wm$)I5-)l*2lPP=D~;=IILW zIx6qnCLr%In8Ae3Zs76HZS-7+21|}W-$8Sm0+kMg^{1icHsI3);^WK)D4zl4cL3V& zQzC!*Yv)ab_|KH002Im_}!#Y)SP@E%DoPAO?vsZH%wPWW(^jEuCl%{Z{8U0hV z<9`i~yL328sa)-E!PyJT!MGdIuI93zA;g&s$N7)(5ZbXk`~~zuxsv0blrzwBURCEH zho4Hz$yEGll+tolA*T)i1G7?p%W+&);MK9F?nV212yx|s9zlOxH{iIMq2`)uHAbxi z@CO1d$JBZY&h$C%c~bkFbo*hC;g}{zis4V8zuGUQ_GaPw16La6y9Tur&Or?PH)dXj z_G`~Bu zhw&T2PC+dgNVe7bkXdzr!v=b4iJWnK zPhE~Zbv;l#WP1GL?+qd2kj0a_t8EylV;N#I)aX&6X;|*oz9|j=>mVh z!aXib$sFB->RsI>q+}G7zSZtwwQpG6?86kTKN@H!)t6Myy9bxB`Xled@RFpv$hJa$e&~DyK1i=ypeQSgiXwDS>3vmxE>E=^(Py9XWe}dDeQB1 z_beLQzgu=DO(xZd(em1MFfX{d%^h*1!)aCkpcRv2UiqpkjsIGG=zD__2drHMXr+K zS1)nM1tcE0LtT8vNr8o#gPW>+ubB@pjBxw5)JiK3;1AbatmosdXm0mFd0G~BBRJ77)I_psYEU& 
zmyt%~T5=Om%kAWD(vM`52goq;u-sFHp$u{!i3RDPG0Jtff{f6M+(YgqIb=8)O~#S& zJ?aha!J8m#g|HpM&Io(;=+-}*4?=h!!l4L9AspMI$ACe6BElI6=OJ8za0SA32scY; z7zhQzDn0x6?QO&(Ohi}@VH(2b2wV5e95}#8N7w;jXN27m_UY9(vzw8LFdJbG!Vw6^ z^vdei!#0cJCVEfKas*bZSv|A9UFn_Uq0MA#4EAcXfJ96I3co_)Hn6v7FE z2iK`n;T(kX5#}PyN4Ol}N`z|=t_N7p+JtZ`!tDrmAuIq`-`a<;5aCe?Jq)2Y z8*ujsgfR$X5!OPOd~aso9-b70jS)6S*b1RsapJ&hlE@Vmuu*bB8PI^o1YQ(*5_Yxg zQ%XfK!2jw3AFB^MvLW!gtAJ}=4cw#=@PTW9FE$1Kb}ev(>wte=9}=@P8v~9TQw~$E zd`VcXOlX$@Iq<})BT#30$@k@W;wn`jd50a#@)WS0{!m@Ic=cdYn z)ysekB!F7wFw4s0PO^-w1sQ!eIRw&ld)gCZ=FuQ2FQaSeR=S%WVqR8-C9qW1ie<1Z zY#)#0Re2&$b#|hmA<1s*z}<8Lf>@Mn5CR7;h{ycbfYw zV)?8%tB%#oO1HXNgRBwOBx|;n=b7hO>RIER>YeM&k4T6}jc65-0rQz55o05!N6e2{ z7O^&BYsBt|Ly_LdDv=41sgbQBGa~yC4^{Mv6dJKi)2wuZ)DoEz>UL)Yxglb7EpXGo z_vmqs^Y$oT1IN$~=#0vq@0ekk@(Hn0COO6ZU-w zx*2fAN;-w1+MILTmv!3QADU+6N@4CQq3#PNhPp4@6Y8$kI>-(6QLTSy{am~-^!vqY z!@lnd{T|x@zuTzmA{lsk6Odoqf;`s+B)UvIGXz+~j!Bh5 zxc7y+Yo&#`cZa%b_X=}&|BKygLfwhgLfuKRVeV03?v0@ole{6!y#?I{jD#^-LkiS# z@-}5&SxuX|wXV#>&=-Sb&ULY>*~H-ccwNED6`&FZ5~!;eNB1wCn>XmrOjk*&eCR~ zG8=Z*=6G!`Q)WtrHdiY1suXQ5)TYiaRpXyJPnlOY*5+nqre!I!k*4lOd7-V)xK(Ja zH*OK;P7iZuhq-43xgq@~Z9~5|nHlC@80x+`H`Lv>L#X?fFuroj-cVk7OCh?el)_Pl z!F+WhnMP)jc_f!CB`e4pvVm+N+sSuiuPW^=tCg7^tIb?x-r7u?x)$5%R&1B4&8^D3 zO^*n-=@H^tA==dGbx75w9!WYJRc1#`?HxyJb8cv@ zXBeTilo5~a%B6DJ(&|N}Vrz4PHg_rW4vpO%y7Zkijdjvk-C0?i8rwVfD6_M!ozA+J z@6uS@rTfrbx({{9*5-O;{zLb{f6P^8*P5Z&b`7J!uItbp6*5w{A?-ib=|GZ zZh6Y=u4}%BZmAx+U-fLMO+CWgoukZN8pmFmLVC9fk~hH8dt2ye(R)`=8DSREM})a2 zhvLvTCd?fl=58J4&J1%GhPwOZgyz?8ZfN=X<%aTse#=7p)p73pFn3;9eqsH(->R_u z*M++8X&mNW6?E!PX%BCSDYYRt)0aGH5T=rmE&nKh{Fo#6qZ(5P^EUUkBZfD_n?cU^ z=6Hva81HcJNOGa~VeiAFn)ea!IC8Ofl6NMF^ZxAJPp*in9d$XW8&xN&4rvgzCu$FA zXs@>4Au0B|_PZq2iFRVh)lLqTOjfI*1OTBj{K<30IZp(OkNeuD~5|o9P#H7u`b-K+KgOLvI8rdMBPBD5OQq zVuHo6SXPTA;~9w-tPN|=Im zl8gpMW21%9#%KrfeRrduXDQ)OSBpHapqcAghUQ|=t7ztVmV>znY_FlY$n!dyxt=%B zT{$=4JP7>(nu|Oe(9HFGh~{F?Ml|z0A3^9m&n7JYLeIw@%mch^^L}Bm&WT` zjn{V?ukR7B-5ReSG+qT7uOBsDdo*4@AzphmUO#KR_G!F+(Rl6Gc>Ria9ng6FrdzL2 
z<9ATwcSz&+JGS0ojpY%IiT#4AbTb%n+&S>tu3#;cCTt1jYIPvcczqpSw}X5RJWV#hc91~J){r@mPlHe z#?l1f(~W6Mnr?p#h z?=FA7-}>|Y&Y$o1{(N`)^Zmh}Z-GDGpZ)pn^XL1EKi~Z&`AVtBUWp^Nl-8<&v?X;_ zq~f2MRxnCufV3sgt;?G-ev!Kg%&W~t&~^-3PwuU0gS+J05vgyy6OngwcO~-NwCO(! zpMz7kOotW9yx6ZY1$Ge6eJ7x_LQqz@ z0nc0hF85^cNN$rzYmD^>ainZxwTYgJnh@%tCWOl6j1f51DK&%0+lJ)YN6bmYE^kTA zsAr?*M9mdj-BwuM)N+-GJ60sLoClKKR5g6`uv^$ta0= zVZgLN^N{g_+TtvIU&VRSXw!3%hGkP|QG$sie~@KJm;|0f^I$Adih zIG@U&InIp_m=4f+_ zIo2F+PB15$lg!EHRCAg+-JD_0G-sK!&AH}$bD^1M=9{mW%gxu!H_f-rcg^?BjpinE zv$@s$+}vS)W9~NhnET8F<{|TlS!{93V?|l66>XhoU0_wUVin$2yj9bxWhGdNR+5!$ z)v@YZ4XsqGk=4|?*1FE>Y<0EnwgyKniOP>!YBSriBW+<6pF*5$YrkKTCUfP zbcI{Vjd2s)B)5*+z)f``2z9GIG z-$dW!=w8wNqBEnjqO+riL=TOYtED?Y+ON(pgBHAk*X0fQNd7Ri;3Iq-e+*i13bx?C z__O>!rMBRE`~zsgPy8+T1OE|P@Mr#unP4WFjm;)zGqX9iV5_he>}B>dGtDgXJ~O9+ zEx0tK1wS-DGCwvy)h+nF`J?%>`Kx)bloq_uy7&YwSkGzzEtqCCv6@-Uu?2ftSy3-W zy%hCwSPRD5@%|R9V>hriRvyGW zZQ?%fE^=RVUv^)0-*De@-*Mmb-Q&yh-RGO+n;P9Gx_|Vb==-8`qK8FG4JJ<`-7Bge z2eclb^gp8T68bKSrvDs@tqzna>9T|-OQXl~QQ}XU2FpczKy{Ml0`zt~wOz^Umq~5! 
z^AGvQ{8ON|9Y}3I@*g#|C6=4omYIp>8|GW)JLY@l2mE6&KQTYk)b@kdSPq%XJ7J!nP_y9z0436nbkuuh zFzy2w_d$&N5XP;FajVI=)-Vh?9N`FrBN2{5_%OoJ2>&Ue{i}rTj|lfjsMlAeUMRVn zlo5+mids)hkPV;~c|pK#RWB{9&kTeO*fFe{saHe2tQ`D5<~!sXE%-3p-zaZIPJ#3d ze@=#q8~r5Mc1phz8_>jXNCSM7iRlZ}s1-+QqMU0$4vTaiF}N?frk1wlJf#_w&G45} z=M(h-*nR~$_RHvL{v4;3$`jDDFr)kL=q--^p<&|Lm=;b%?n@EIN z-)umHnF_O8pLM-;6RB*qwQeI9Sskp7q=t2ebtkzbYJSvWQY-3+O-QoS5oV4J+<3PZ zY3w$2o04nYjqWF;x%-7%Kw9|>pFukM9`rp(GJH?^o+NifkBOdwde|s`4&n0%ztJU( z2mIspUL=BdRFoFZ3)H;;Ld^wgo&~R@<9IdSP_u_Kiq}Mh|3>&F!X0uZCV7A^y}Z{t z7GMgra|&s!vAs!`zdUJpu&-AIxDC3uh+OXgSt_7NhjfIQ!f|?8?`D7PoqCRy$vW}{&{YF+6yA+sFC@Fc zwvVhJTeNL8_{!ZUX=hzMk30eHJ1SHI>7+YQX9|q5DWn6~hr)QB0;6sV(plSDKxQ_ovT2x{Glx-}3E(qDW!$8`No z`Nj~Aceupkw_5=kYMm}@txxTaRQC|pL>-qW4lQpkijeZ8d(=JT{_Y-jkGRKNxeF{p zN|RP!kZNxQx%PIDP~Rl-k3Ei#AfL#3s73;7dU8dYLXB3#R2g{<9wIu49+L8;{3?2p zpMko55i7)-qNi9X-V%2Q#euZN4Iyd#aU3ZdRd&WWkBCRb1o4;{FP;%kh^NHUVuqL~ z9v73ubTLIt7E{HOLdhaY(2DN^rGG#+kgv!gDyWZEq6=vrT|$@B1GJb4R+rTy@}96O zoYBrdogC*uXQ=a#Gt3$8jBrLeqnwAuJnr{r#bWWISSFT>*M*cKt{@iz4oNsJwE(W#7EgG{GcJ9B z{_X)DJOKLtt3jnLfbw!`>N3aCc>0ts`O9=EeFe(DmTsoIJdrRvZAG4S?se{ShB)^- z4>t!yPxP!dV*h; z$QJiPiJ)BKA@U*l2sn3dk}F1uk>X*H`<{UC{m5dn9Aafd?0X>we1nnmYv3o}lOM>B zz~_G_N60bi6`Al16a%Rx9)KrD3A_f44~8L3~?Vk_ro(p454%ATsn`=rwgEFaAFk!^Lp=27QyhMc=0H(09dX zc>W2`7(0>we7kw)3k#9+EAg#!az>{y1 zJ1Vf%(xG>?Bey~8-3}bQBk+wofJ5C0EqNDk?jGcB7)SerwCX_MD*p$wvccqD;5_$} zA>;v=pFIe?{~?%T4JRYXY{+>bSp*X2tH68TC2PrhFjj6Nn}H6#A>YE-SU~oWgXA!b zoJFLVGN23tXv0GzXe5oIwx*KvXk~gnjiFU&Ra%Y4BGp_%Ytl<;Et)_R>7#TSP|?%$ z89I~xi_W6|rnBj@^f~$;`d|7yeSt2bi|LE>C7>`#U$4>E=?c1%uA-~y8lblK=sNm7 zT~9xt8|a60Bi#h_w}pO6Kck=1?Q|#o8mJNX8aa)TYv6t)r)_Aj-@inrqTen)MbCGi<>?<>XCB26?Bjm0&hiD)XCiEBl3ah+%(t`{xE4WgB} zQM48}i8kV9(N^3d(#5T!ow!Z37q^QJqNB(Vmy0BEg-8}xiaMgMs3+=+2BM)z5m$*+ zaR>gH>%<;`%*L^C(2p2UL%fI-ju7G^QBA~(cyWoSDJ~UJ!WORZiD*$toF^)a^F@rf zKvWS`A>75Hx`-1sL~W5MYKhB4f`HjBF=#TaFSUcR^N7XHXP3kLegd07 z=U3-9=dg1`7{YYEbXGg>IqRGcoDI&0&d1It&Sqze^Qp7d`OMkoeC}*_b~s---#Xtr zyPY4LJxnV#|T|~GtrwmCYB+a8nmBhuZkdP#)lSoCG 
zQ!-1akdTDRtW23h=o)`(J?E6ThCAqf{r~kkpXZ$SIeYK5_ZptH*4}HaFXTKLa-B?L zj#K(1x3zD~X_9=l8s)Js=dh3SS24<4CDMHLNv>)UDNXBNORN7jA4t-=4mA;_$Ve&@ z(z*$uiBfgTCaGMKdSy^*$2kC}_m5Ni&ye2Lnx=SsmyPU7c0(EX3HcJe|AUgp`IrHPqt;Vme=Z$>FT8>M-i;&-AHpNrD`A(Yk+ev-Z~OH;Tc zeV_avq;Oor3PUNpy~Jxv$HFvv?XQmM!v4kuJdQi^Imj1-7sj`Pe(xOZ_v2yb6yLAg>~l_+{i#S~vB{$eVPK_+#WrkT*ttBpLaTFZf~PL7I4B z^J|fz|hLU$Wf~6)rniwGKb|?e<;6_0Lz4{SZFM>IM$bGm4+y z_W0pK_+kADRcY8r={&76RBGcs)zLo7iH=kyRZVczO|<`hydYi>F#wJ-5RNhkjxrdI zGNN(+I6dQZoJNq+l`FpA*?-S)N^%>XY0nAP+W6k#Y$&}Nu8IoeqAB3jRhs>Hl65^e z^bX$_X!B7_lQ2hE1(WxwviE3YQIO z(vtCe`?~KL130(h@oX;Won15J)=%RAr{s|TJSG2kNB>ruz}Fx5g{n14N6G)d%k6Da zPiR;P9gh!e|EKi%Z}*PZqHoT<+d;ic3~BIt$Hu=4T|*70x$0owBYb#mN*p$v;=G$F zHUGO%vM8;q!Rm{+EW~A^?++PH2IAW7|B0)K@1p(4SCb@oZ)ZcfhsSe%XyfAk00wQ( zpf>JC$tsQT%!n$~+h|Ga7N}$k1yMfC+gSiwi1n-6DBzk3+6K3w@m3OBD6vgLfJD*&R#4kfs)|~3H)S4E|E_Z5hcVq;v#XKxJ^7Do)Y!MJCY$~NCi@v#N++6NnNrh z*_Rwh8k3_)3vvQ!N4mhMzhH6}8BRu$(PSLCl1w2p$Su?oSji+BDGD!A9A*l)VRU35;~%`Ii8u&8L6`n)dPesLRX}& zLN}ytLU*L@c%E)Ne;`s%A*$Kq{sN?4LT{wrLLa0)LSLl5LO-N_cs6*Uzi=wjslouH z0m49}fx;l9L3m9B;WS||(qNP(DdBXKPAJI?h|qIEiRw|Bq)^IyiWFulgcax;MuSS~ zDdTWVf?xeUDgQ${&4Op0WJNF0RgJ<*-GzDkBT(GVAtO-C#(y-TvxF=suadVvJATuM zGN#NZ>yJijMx$6wrZT8ZY8RD99i>XBa_TB|n|egOpx)6uT8>tx+t3|pUAh--L>tp) zv^8xTq$jnT77oA5RrAz2?`YL^!e)Q2e%#MsM(~B`;j2Sb=nz3Wt7+)rs znZrad(M&v(%w#Z`%q}L6Im(nU<;+#)HuH#i!MtO6tQ@P%wqZN6x@<4jh&5)-SZmgf zbz^qa2YhX4%|u3`OZ1_t>0bm{_)-#dUaE^YuB!AwX3`2 z3v(hVAvQ%aHif2Y2)qO_F1$S#+Ljq_{{$I6-&EK-O8O>9;3>k|(2UYJ>R8nb-Z-X$ z*mz)(QV1q14XsW&3TZpCf)DRUuI3xTS#3rBy1WCg0-%0>Kl}OcAO}+#zDYuw^Ej;u zUv7B~+|tQ7IW5+b9&HYT#0|Y;JcDEtzJA8ouz^VxS94tF$f~hroOk~mM>VigMk|Wy zYw{O_3bML7YbH$uZBxzYc?nH8eVI2V?KNa8XiM4FhAxzK(#NVU@O88YhdNYNJ<6X? 
zfQ_bEpRi2UKG_k@t7-c>O_);&C19A+0JDZzzZe6f&9)blh9j0tT;9}K93%4LEwLQC zxM0<_FX|B{1szk}(0k%8eQ8Q$k+~uBjO&a!*0`bd#9AV`!O;ypR%^=k4m~C%AHc)r zjvY$aZIsaTFBw;p)J!VrISRA(G$10kw7GOTPbeBDxrlO;jC(WAwV6gG6k*U$nPN+4%SUg3vHNIFfn>25BcSKHzHL6%( zH^P$A6Z30?&cJT0LAL#KG@~7RoNjn&jFfXGqmDCEAD*cB&I#XF1=d#gY@dUUnPB{f znowW+qm!pF0`cfKaf)CG#7Tuw)pOs02DkYU1Yx~}5!FBnzson8lptm?B2`MBgkB&328wc|t|L~`ti6OM?BVZs0`0wlwR!{EZbMI7d& z9P?v_!$o^bD9a4o1ti01W4^_dB?IzPGWk`!s)Lmk2D(w6191J`zLI-IjrivmkNg%# zmKyk$QVtOBSNKW}CLZ=Jfh;3Xozem@<5viyjb_3EYy|v-(MB?P19YMU17`e9UX8qp zhcOWWUITu@Exj^<17ZMpVV96iXn;xpUYI3#6E5HcfER8F)&vd60%(F=LN#FmDpIBa zIQ^~R>M(|RDYXH0ekL#@i18S2Nrzo1SNyG!;^E#R$zlTE09;-z!I;nivj8rzO9&=J zKz)D<+!BTfA5a8v^J)psgbmmUxPe_lGNAx^18(4!uuQ~&dX%jI2Y<3x4zGq`DDMFm z{yT6CuRgvid?iZ-l%Na-#Jm!K-9ZKx0AgSTPGA7OoX;2NS!32R$(q`j^Yo0-+9r_9Y0F;@9sLi{W~7;3_ld zE9RiOvO0tF-l*s_;OB-W7Bw%x+D{Rd6J_`Ke-Snf-Gmc30yy?tgsFx5g4ItR zCW4Jbi3uR{ zcW~!OTUaKHz%oEFEXpg~S8rd*QUU>#{(t~Kco-B|*fJ^PGK2=iW@;Q1L|kk)l%aleFlBHbk#-P(L;!o1J>5v`C=mIX)$$bJR2cm`kzARE>lafcYY!tI7xn6sQ{I)$AY5pS>`xi_kY zvI2#)H|87lD)NZOEDAi82djs2SgwAkr^Pp2(kcB=bKX8j)-Afj--6z5Aw0rkNIr)! zQ&%PuK#-y6;reZM?zS2|KB(UBrc{MqlAd%h*!%SdLdkxdFJB1aV7657=0cB3^yx%KGI4t0;s}zEm;4P3V+M{JM;(kW} zs%5Wwr^Mgq+2!ZC5_fMEb#Ao0*b_X^5=$3&zmAiZT*v=Tm#anYCd=U_#gRB9w}CZ) zy)UEAf--`MTnSnA)H=-=q+S52n#Kf?{|#tn?c4K&0JWWx=7 z!I31+fzOsf|0Ru1E{$#=74;;nR0*AtZ(nL+Qcgw2@B9wutuS~I^}(LrlI<6)=Id98 zjbZbuj_QU>=_g9+Dst8Mni%q$(7M? 
z?ItI4dq0LR_#mK)I`mneWY+bP949vS%QQjni|x!~@`Sgd#&EX|MNxc+;f6{{VK-OG zUN6dvpoq8a8DX^hNU`>f-TYgbMcy%-hQfuCF*>a}Faezr^lkU;BPaNbPPQ5te5L%* zjrNivG2bD>V0A@|QET+hJH6a}vbZ&N_M2!EJ-IfRp2-T_dA%o4uqXC$$&iU?1Cs$} zs&%P%mQamEq5SOLX(T81w(^_OV{9Lf(nCWy;m4D~xXta&6!u?O^O?1$)NgMkGJaO@ z%AI;d3&Q3lzRFU4$aL6N8&y4eewZD+ zGiVY{lCDgu+H6Z$RyxU3Rx6ru)~n82F50R1*8XaW%8V9cKunB0XZgL2B+s4KcRxlM zXWbF^5QVAPJmSeqUGp$W7afmm-kD48d!qe&FtN|#%geLyY`2wH@k`CQ_RsNi?VG^N z{lPPm98%xKJK^>5bN6Q?fvE~J(WwfG9bq=!OLv1O@ky@j_Pwbn3SQrAo4vclV?&ff zufdtN`S)8nQB(1fy8Yg}2l2$Q%Rh!~;ySSC z$y#TO=K|%%C0+)wH8WmzMzVYzL`*&$%Wt`mCIx@d#H}XUJzplHkWPoZIEX4Mnf0YI zWEmfJ3uV~pTdi`^Klw`@T=j*jI$&J-ZeR;Sep4mt^#xGy2Pyla8o}eBa;3buQoSuJ z$_+QfICnilgyHhz{sX81j_FLiO@L%nJ^w`$+|r4`SCZdZ9EX*esH zDM^S%i`G^1G;`Ix)nQA4%b|cJysM^-H#_UtkxSFZ=;yaqGzY2NA@N9Y6~AnF5dmH{1i^)tdv)3i{sK_+0!_^ipJXLMAp? zCzxp`UU^|60-9=N_A8wS#Bs;F&2}D8U=ek-IPw7#yi#>u_4M?C^O@Sk2zpBVN#b<% z-3)Yd8Qb}tOS+X~83sVefkYH#@o+QM4*1B4MSR=6_5kky!X+H}76P0UKPxX>zkL|I zrLc)LXMI|}QR;qqtH=FNsIoZP{4TKz`#Zari_#6-{qBD6Es+lchTLntys1zN;{G(+ zys)nFc-u&GtTj}7xAKt^a|*lgCZk=RUC3_9DAF*J{6(%_uwK!sl>0G-=s4mHcwE;_ z`OUlG`ISwPVesh|bBgmHh`R-)*mX$+ClyJ61X=z7A!w}dKQ!Y=UZo+0K~$Q_(X z$3&MS3(JIV?-kyWSHoB$9ij^&%%RPZ&LPbaIWcNBgv!5W@|P?R?hV#jWe;@bCi`q+ z{7TrJGHv@t_XIschr0Lnc^iONo3E+?C}pHnC&2!WimZVU^c_}0119gg-#^LG1@E4@ zaYI&>PpK}4CF)X{pv;FwetHxDhpJj?bE07Q=%GAxAehi5GyjpTl&|I{iLCN{ z`3#AZj85p!5)2C(4|o5WvtaNm$1-%NsKzM@quCLFgEEdkXvm4^A8wML*7DLH z$&`#e}f8g1Hr4FhpGeK`4{^Y2Ne5PA?PEeW2VEjkvqX1NQ0De zGsK(yY!RSm4I-u^q+_(b;YM;oI#34b=eCRA`kf-IA+=F(6J5RfD*6@XE7buGs33O; z5DAD4Bn-@kWq}dF&_VS;Y(T$aJ`ez1=I-Va9gmYjLut4}spUj)=yq!LcfZOfz2le3 zR@5RN0d96O#LLz03_1uZh3V*IsPcfR1&opDsDZyFF?*7bCD>@5rYv}uhzrzl3QF@q z@&h6-%&qsbKZD;i$(@s`^=dG;e%oUwQnpjfV~Eek_spf-D?yIE!t8q7!iVS2v6_CZ z6EC%yj@eT<#33wYnOT%gy@2bBO+OmtihlL`${Fk8a$ap?hkb|Xf<;f?>&Z+1YWbUG z>M(s1`3ab8gXmzNu#lsl?Z-OX4~}6xo4k?6f%Vx4MvAWHi!1vRGvb|t?P?=Y6YPb( z5<-v87EwLB&R>Wjh#tHL1x5+6dY@eCgA|h!de$TH!Q#dt2hKao3ZiAY?))C@h?bwU 
zbu7{AxsQYjhdx)4ny*@^HfMVrRKqPOJBV85h)^gj_wnn=W|X6uo>lbjmX`oVbO4QICEoY$u=BQLQl!;ShU>0Z(SIL>k!n2x&Ge zJ4UOzXN^^Ov%0Q+cVav(%u=md@KXGgO~L7K-w}|+Ai3ZwoXu_86fjg8j%1*+=5hIK zK@?op1o@s!hApl4nz!NLz50j2XqZT?_%^sz%x;QI>ElI4S;1q2)JIySd+DuqaD(@8 zb=HtUg$^g@!1u_4{Z|NTsEs7Ujhlto`Z&pIGAZhBusqeYoFGYrDt${Hp^E_njsf*@xryD}G}wa~8D5Wm=5>PBg-i z6b=Y@dUQEECEKVxn#ERWoAeP~gLDdWoSaf@>~l^C(ARhxb8meLl6`OSkq8o$@dGc{ zdZf-P-bC7-hCd->ij3gA{OZ+giOS0=j2>K9-9DuRFPhE;Z~!Vvj|7sS3o4|JE7~&o9Zei(P!IT>)=qt5MBb(`jcDX^|;k{_P5z6 zY41{$xxnGtv_gVtnq9jnE@T}J6_d-)4q(&rsC5FC2g~l|8Sui$ZAjYpkPa;WBLYUE4!9FyO}VUx^DO-4@kRh z+|VKMvsBZDifEGN1C>j&9F?Ykuk|bW;S`EX{Ugsh=?~PUmC7R9@vr7k+YD2xYBL*aQsvW3cL|;pR^Be(x97W7 z(h#s$+O1AknabKD1-Q^bq5Z^>))sgfNcyNFBciTn@ogToK3csVSlJhp3Eu1|(#t;% z-`Hk@)1p@qt9SEV<>>K>4z=NZEu5C_D-!m)we!kiEOUdBv@-| z<#=(wm%neCCg$6RIJI=RMGLwgSB`iLERv(7(>`3^pUj4xxF-)ddJCzbdRiZlK3KoN zNlimSX6W(t7-H!4P%f3SZB|ANP_f&vye4d8Tpu-)_7%!;$9g zaOo;*>?}&X!`>9TdGAII>orfL+^m-jHmkm`rj6cu?Dd}xdHzxEF6fw<*IFQaJ z#h#Fgg54LgBNv#nKwL7cFwOyV9mPmKGghpM%DVhv?t3Gs0yUl`62)o8K`I`=sbFUX^ z^lh$auhVe5jr0q(I-1rKddEGHLLg2vBh1z%Nr%6`+P6(ntt-nM2{p2Kl-7PogcQDS z;H>f(wVY}#>tyue{xu=?()C$If^Dq8nFobKE~10vgfa+$yQS>Sox;PP6H<4d*CmFF7M(#=tb+Z!x_ ztj={Su-+L0OvY(Zw}GQnW5*O}%C@LiwJqLnDU z>ddFLZ|m8m2+IRgzc{;Hk(YnnsnKRGxO7u*xVY9+I*8mjgPiXFRHdWclUX{c<=O8 z_*Be?D7B)+X9I+vV1)zCHhQ7!iLQ4%4#1>W8xOg?`i5AdHygi)Ui2{@bax-q)z6Nt zQWU?mk6+9{S`Pu&(KO-4D`|Ett@&Sm8az*@U7JhWU~F;g{MyfH)|p=BK27PVP5Yu- zwJp_KzSj(gMR>7mILfiL989;8eK76Qb6DbhYAI;v(~ei>a~89-JlA)^9GTKV;-d4( zvbmDmiai0k$^WgxE$YeGV6rw&QFBAIvye^rYpzL&8`{cC4|zrO{q~Ke_qNyN0=p;z zJn1Nohhz9TC@#7WpN?M>)(-}~=2)#XEt#|>#kI}e4UU$5H2(FF+?N!zX|*RpMsyLQ zS7ytaszU#55X;rj#=N7uCSyL`#zq1WtR$A^RJp#oTNX2?d`-AyXFzL1r_dm+1O430 zGQ5DzlX#XfO`ttB!k5g?EJHI}DEwl5f=jf1c!3@`V+ddJ15e&t!U`8J01Z!Jbg$+$ ztF>Hd{A%*IQ2(D)q3F6ud;k8E&@hwq~nlcVEsrIcE zjjC#t=*@@K_4r!Nl0h_FV}|veY;<=}(4GsSu@z9>|D(pVVdSBV^$yt7^3NHXYwv%y3Os6rk|9 zb6Hh0xV^txGu28Hs}Iv6FVAQDWAp}NDfUrSm5Z0N-t`0B6dVVZ%{Lp6)usHN z?yP!rkXJv!8J2xx*8AtT1#h)nKFB>iEp*!AIkY)&3=}bwDQ>cw=lFD0 
zE;Xl4x=khDDj=X;uon3f-G@R@l8d{QXJ3=6B`M1ix)#|C3~bjwJFVstD08g(DCVR- z#7cW|Vsol3HrbNi($-SF?q8!U-jN&|z=K5_OmS+`$mA*i5?t03BjlwMsWH2M|G>zoZ&IXL&t3O z8B#A7qex;_w7q_ThTC7s)@_GXq54aWZ^uqJ1rb(Qt&h_M)LJU3eZJHNGI}nsv`DY# z8<(HD@}iBa?4z%VwAQJnWH&8sFQMd^d)ufb9Yx*h^EoYT9eu%$kK1BiKRN!fd(BsM zp_|#96=%DAuN>KdKLB>Ohfs8PP0vf`oqV-AX-I=v(7j%>vDCW%y$LjRWP56YG=~|o zzBZLns?z2+%RZc)JH@jbygEu=GVYCAlRmqe+5^lLnB6T5buI1L8EwT+sU~tUZy1-`m0f0dk10>N@)y9`OSNg1 zCqM0+JU5`TUz3`^mXE`SmCMn;Aa*q0aJ9ImKjT`hVp5whu=s8b=(}fizV}m4;XfO`!l&{d9@4OzmnrzTrOsJ3J=Uep`q&0OK9Y&t*o(BhBu#7g+*Yonq zAGeaHc(!bFyHyX64J> z{Dxn)x~)6GOeD4sa5Bplje+6HgupqA1bDUhM+@b)WZPWv%!PjlV%k*Z$Nd!~vWewA znjOT&0q5O|rou1rQitWSX>skuGbgry?dVGq$J%AfBdKv~Z3=AHjHmB1O>(r}+PGUX z{cloXod!**QuzLr3rs7%=QOnH2!Q*z7TMLg# zv`=}GLVaAYF)>Xb_vp9)>Br5O0*I6KR<92;e2S3J$sb*Y zI~prz`(~J?cADN<(uK*4T@#5AFf-ff=2m~y_bk*MDcpHe>}?V=x#+LpYW_FAT}}(AZ@~_7nj7HH%occ@Z-Xxiuy4pXP@O#3*HG}) zy0jAUTzuHjg==rAVo9~$#Q%_cy2?bgwLD;ct&*gsxHDO>g7Yu#loX~JDO;p_9_ z%gNt$C5;-Rj!vuEp7#fAioY7ghjtn$^qo(hp&O5WxAA)SA=}dH^HzP3)21w5a6hQ2 z=>0y;k{lQ=M9I$hTLUwT&BS<`PPL+D!`hRFTRUifP4|e6JYI{8bp15qfq+YQho_$^93?0V;g#3UKO`w&omwI4^Dh z`%{DSS{$DmPW?lxrMWzq*?6p8Fw!}jq>$2LlLMU#SsVI>t!D#m@{`mLX2kS1IXE*q zkU@|9w_*jP2s&78V)P`mc@p(+d&j`hfTyec{(vZXgod`XqVPEJoZAtEX}|P&QX=yE z??l7DAUO-?KDP~~(-eku=T~BCzs4CFf;es=K4!!ar|j7kQ`t=7{61wo015PaZT}89>7I7&etNU-8E!Q&;M*y|yE+IvMVsNxnbT}z zgqMI=`|EXV|o-15TG2t8g?%soxA&uSX0vH_mA4V zywr5vO#p456Vo8R;0Ii~?E-f2H9J(yUm5Zvxe)nq@G zuDUyQwpna?*Rwr#rKO0mOk~uLC$`O_$ap57 ziDO|+ecU&wOPlVSDyV2R)j5Sp$!738g3btZ_A=Hk$!xqb6dCff3lUNhwpuUS(yAz%y7v)X-6t9L?6{k8?GmBODE~=e zkE67h)W+9%G)`DBW~Djoq10Npe{&zQg30MKrTb7`-NkqGF#JL_#Y#)J;HK+F#SZ(b zwgYzw1J%^l#L>yY)X3)Vqum!v3{*}oE=qRFzmK|t3t9yaKlh)y zc>jg}PaS-moPV!B&%7KQlze{);O72Y4-}T0?_W6hp*8-6g%Sych34=;@%>5pPsx8j z3vhG)EA1~7FXum)c>jZw_uq8=rJSApKh*ze(Lb%>gkt-1@j&zc-2c@7Pu@TGKV0~m z|4%t6>>rB$r2YGX(kbwVXS{!S%)td^EFae&;yL*K)vmvf(A0m}{O@Y@DfKD;S7O}% zmDoRQXNM;J`Tc4B{|f3)+8>zz7b5yMhCj{uQ{o?t|6u)t`TroEf8+lH^{3?jhhU(o 
z|6hdiKjr^b<3H^D%d&qf)Bhht@uyzi|83*{Z=e6l^?zl?1Fi6{l?e;8Nn2PunL4mZ zTN^og!7VC^f%=b;x#$L@G!@>0aYVUzR#$THZx z!}KoYrT`oV>o5*-?)_L_s8CC%{m4vgwV1Y6>l#?+QIXid?ZyXJ-7}-fX!Mzkw$Gm& zI+^@EF+uzaUN74jsS+$*)&8`EVVMi1yK*2F5m{v#*o-ZNW;JeO0-61zvy&seRp^o2 zk==o~Hc5PbF04+n2yvP>q{lS88f%0bIIh7gPzsYFQ;fJsY4bIQe`FT zU6aTyLU80xOqO8#NY4sDCgEy7>{#_`xpE6vzCzv5J|%D2(zfHS`fI+MC& zA*mBv%Mwui9|79NPEpL2g!TUi3icg-W*sUW` zyOl#1dKCQI`D%9Bkc-{7^VhhYcGlYuTx?G{`&HFcg3cJ=rnOf4zUAvF-@PlL8V}-0VJD=4iUIoi=K=jwUS5!U&wW&KDR+a&pADly>BvaLZn%oBJP%;4n{k9 zg_cAm^Naej6yitp94_uJFazLE&m38d?)ZTwJm7aBK2erx?cm;ononH1F6;JLB%1_~ zyv=YvtpgGzG^Y`M@W(QI%sPiYNo$1>^KmD+^b8c&>Cz`Sl6;g`?WDIQ*ZVUzOU}bN ziAe^|{9{~Rp|%pAB7a-h-g0~Y`4ns+@?LxG@ae_;RTmMVJCEnc$Mjs@G( zjy$@L6K6(xtB2n}(=12a#nT&YDQkZrWg@p`bLOGfIYfk8D`rbrHi(R{qruVK% z`P#BSjx{xV`0XXm56Uq?6ga6LzXP24Ao_A~67q*ioC(C1RA_VZKj%nIXh`RjT}lJX z6UfSZ<0CUw`LwWF^9(KkXu}x~Vi)!-Zz<+ffs8-gP8 zitq!ztHaKh;*-!42nIIHtuw$v3>gcELG)6&yXuIQ8-fYY@AHhIgQe8hBpTD>bLFpT z(|)R=>nLb|1iy#;RKsv0TtNJ;&?ynEj%Aat4O#+qPm@{t@v6}@1gGaZTJSayJZPoM zOn~m^U~LLoK?tA}3#vwmZElKXWt*~;(m+ChP^-(d#8?3pqAOxfa z-kHlefYalf`Ft4bL{b^-1N1zUBBGQ5 zhCSGIqPjwDLw@*BMNtr$r#17gY<+eJOaoE@_{wNa7lF#boCoYSAqJ8ulGVE&Z@lq6 zM7)`Kq;m?H@^lZjL8L7{5u$M(5w?ZpxjDr~2j;omMHvSq2j*a%#8t%wal5>uyqxU^ z_hncJ?Aj{`wKwB6=>zV9E?D|N^MU(n%n9#`_klUtQD~tWG(q1QXzOoVFeToN3gKCk zGn9oyJV$ngUFl!FJ6LmKx*|WQJ}_8D?Tqb0@653cr9EH*o#-Vv$sDF|ORVH#fwa_A zW)@mRWnT~=f@=tGirVvp4#*EAL7fc=r@^QBkGWWC)YoVac2%(;mjhdQiEeQkklhR% zNG4CL#BMqeWH-Bz_aa#UI{OA;J&}b(b;)3fcdH2HiRFf>i4{>ect<^xKG1l;Kk%P~ zoaWg9d==LfMa0GOWb#x%%^$_`a%P(I#I_@N0KVeu{-;G};yHz9lD;Sq4oHO0D+mt+ z`+?MhxiQpd?3%%YOikQ%3W$#Y%KWk|KawW z|9X~=r&tUUGjz3n&H-`tQl!{6et1nWI|N0KPcfT=Yy9wb@Jjz|ivz;JQLF+^eI|ic z1ckAJRumlzu7;N4fo8OGKrA?lBRTY=!0%t%k3bNt@+9h*NikE)1@5}d6eGf;BIIZj zMtWyxb3Z9QzAO!XtbtgW3puX!xW~ z>KW_bt_2tfc5ce~VH)$<(r8j+IfF!nA>xbH6>5w?fg)#&a3?cY&gj=2WqduBgt$+W zU$Z;#-chtFrNTcrrCRzbun7zHT=f&O*SDq}PjzRCDy7v;X}(q%E~V#WppE>Z3FKpl zP+D5|!(bBFGgJIxEB&p3YR~KttYc`~zG@oSdiHHp755bYio$ 
z?O@@)BNw7bP6mfP-IxhC(-Ydaf)Nv5rH2-LM=of0LF5UN@aPov#Fff1wjH$QP58ob zG*aDq7v=$s~&>)@)%@UfoPWI4?$Cz5=bqRrFQ5mJhUCne@*HEhur}MYP^} zdkgb8e~1z4(Y7>oml`9D3?%@^CfQh#@G3p-0;1m95`9-VLF z42Uz^!(1d+zca=ozSP#R{jh;@2El+}wQQt{uRDP--+kyUztcl^m&a(5wd9%yKC`~d)GdN;qFIz;Pgn^1r%!qaLypi*Y%(u#! zrB7{wP`OjO(Y2T_j(lb}o0@q2%hq-j=mW4`uu^jr&+8MeBUeCR+7Dlk<>EgvM0~UGy8hp2j1tMc z{ZkfhzdnBq$s*A@p^sNB{%!d&rc7R+$q+&DysWgId3qG$>3b-%X_lBL&!N-W{PB_u zwPeO8km1kZ4acRV3m80Yf2O*~+bngJ&4S;yj~P*xtet!l7zWn}9g7Y*Xr`H>4y}thW2o|HqOZ zw^l}D*^;+>2%gIP)cjSXcxj03v&vp$93Ru6Y+agNRuR z>h_VLJ^S(DrOulUf##>n^h?D3*(2Mh02D6&mn$dozZAk<|3{SHcG}@&@a>6W3J`Aw zT$eMx*d_-St=g7VMgoZ1&Omb%^V$vD#5@phttZkbZ`mNX~hc0k{w>hDzjU=LC z_Fa<(s@e^OZpttW5%D77`Gr{@&716WR8;}ChW-)=syU&k!r8DYaYG4ZE^X(W?Q5t4 zNt78wwbc7p0+)NM7gJV~?Q4qF?dNE;c%3bY$V{LIvz5CN2I8x&i zWIQ##UVlB3ow&cw=kqPp*)r%UKZ=q0Evu}}vzz{SyDoRDbfdfJ#~znL7WNEleJ) zClA^_2NDQ0`(E^o3I$^+2-xNGbe`VPLM45tqB512fsBdgEob!~B8wOJIJQ{HWH62+ z?TB7TReEwzA1e@AdY#hbdYp^rD_TTsW5>Y3c)Rw59v!R_n97NsGef36`)15w_W9>z zDL1D8a5y0raLIb)8Hvbonc>>xu{hXAi~yg2afgkb6&+tSuR0f0@^CXX;nv}%-D!a4 z4n4koLBVBbRVuq9>-27)XMfGMc;U@DJf0aW5eq`7Ej7R5mCk>SK0Mi}*;*X zPLgJ-{6`0${_+le+VnqmLOErBh{1tIhS4Cy5Mu3 zCK)QWLl1x-JN2)%Y|4g~-87T^u@)7}h4;g@t|n6x%d^TB>??d2p?&y_v)1^SQjMHR zy_Vs{nq@_4ho6zz%;|%S26(yfQR7O6i5Vl{FQM$5${M{-q(9f&G0udFn$PKgHlVNn zQ#DCGxs2CQZ41jM^8*%WWWzg zOhhbu3*Aq9EP~EkZy9UN1XbWbyZaw?#5fuo+586W$OLDUE$CPHSeTe-8uQ1MO)X8e zrBX+Gb+lVp$tKl9)jL)#%K{~04nJzVvm4ge(Zd;C0mn=g?RDUtU$v2Tf9_S>&}uoH zyWUFeTdWcN54lC5wim1t|ByTWmt2iPWW(JP#1dO(jlM%zntva_&n5_%tH;lRC!eoFxV+ODCq#8M)YVn_H8%?* zz9~snL@|ywMAQw|$riV9N2Sn_xqK|EkAcKSW3|SApOM32I>Q%DNx#Gy-fA5l;>Wuq zu)X^m4p>b7w|53ztohSK{4piC_IkESk#`hk(__N_KbBsZ@qJ|X!sNxHFG*C%V#&Px6SH(&dTQjC zIPKbW)Ci6DUkD}$cGE0b0#f*J?c??=Bi>W*$S7A%U)*Q}Maum(E4p{6P}lAgtjp`% z$-l?mXglgk^!Fvoa8J}hoO>>oj9Ra5%KQ_DsiF|sg4{tS3{|8`R=bc{ zPlw!DP1{1LL0HjL$3nZsWw0=I?CDuDobOHX^7;iTw4W3KKe@rVcZ#xGUw=j;8?oebDha&|3fk(J~SBem~m7? 
zyZ7=xe!>2YGY}TK=(dz8;8@z^922`Y$C^323~(f|+~;Pt{W`2ZWO>f`z4H3Q_=2{s zuEM)vjmg*~wd@U*mq~ZJt$&EF?6dq!^j>zxf8s;cgfmRC5B+aG#*!?mY%{e&y~1jB z`r2woTWcYTRw{=W!Iofs|5Xnl`!sA76H8#FXPAZ&mL-dw;pFX8h_bsyG_^a4SCDo&j#%1Xjg`3@N)gVtlzohGS zw=`CU@A1x0WOX{-9RC?EU4$@a-u5KK>a7|m$&rOkeszI1&yT{27-T}cM-!-I$|R%Pkr-p_RN z{$K@>)}gL~>vbtTZv=D<#FJ{jTYj%B&zT3w*6(vSkK1JNiK(s4cYZyOFBPu^8elZnOq3a;=ITw?(ZOZJBt&=$?t-lzI&ly@h7RT`Qlk(%nZc!PLUmtN6%w&% zuXf|!DOi3Its_LRsz*h{BZ(kptwHeqpMyGF{3`qOgRfoQJrRlFxiLisdkQ{^#p&xZW4R(J&wg@oyTjA@avSk{ zyv#o955o-C^wDX0<2QB1gU)e(wg$;hT73af4oE*-!_rz|QM0JoPO>l~3Ef9kA(iG$ zTy!4=S-&nGnKEcJvKKmB?V{n4?y2_Ixe5RPvUe?AIgit3t5=8%v|Qyx@?9#$4jp zpdQ9r^0Q$J6vzFIn)0M1uE!v%!-%ha)wnT!!;x%cpXzwkzC^Vdyh}D28oA30d4Pc5 zYiLjt8i$6J;hix&wD|3tFR15;F;0Y|w{pK<^q!0KZgdMTeK7I4e+=HYxee%tGcoK+!H4b+-+ew?B6#L7r9lUcBT@9hV-&?*DS97b5 ze6DV9(7VFTmA2l>?G1Lc@JxN^oUSymxlW5JnVzIX^{9cBWI2M_DAh}yAA2x626yoc zfeuDYJ7*q=Skq5zj$IctXlu!6q0kT|qDV_miPLSIa&BDEe9`yS1@r*+G{Ztw*!$s7 zUV1yUuRjUk97*>F297quEHVTvbTy`gB^PmCD}En)LAAIR7S0*&##c~O5l&k%OU>!} z4~s!z4Ki4z5cVcvN2Q8Y>}8FHv%xPcD(FY$$46p<%mvmJ+L}&C#}78fh?WjTy@JXZ z1IDCWEbOSef`Z%U0k(a?beGC3l$+0XS&UnHL$8$RrAV<;I%Ri(Lr(#l%+#gG^LfVG z&x*%?ZD6O*R~Q+qk(b)krUirOv)zm_Sj?PWo=tIKzZhBM1ea_IdER|q5=;jD<&Qs) zJk5CyJVm33FHT%Kz2LTE@#3K>@U4X7$Z2*N4H{U7L=ik8-Lj~vEY{*TqJ=C8X=~q| z22Zpfww)N53*K&yAgbPO;@wn%VlhvP4?EPkWGK!p6!`-;aDvpa1B7OzEZ7G~5p0Cr zfcwK>x20wAi{OpkW!_tk2#_V)fS?>&P{&;LW=Ha43IE-A`hm5Y#BQQhED)`=!KL3^ zyRbb~8Gg8~a}dx5&qTNpb;IiCGZnNI7Q-JC+Yag26icv8?9Fm2uW^a|BJP0ZPv8}m z$&OK?`aVHG-DPc!V(W&vcS-$1zYvZi!^aivL?EJi0ZrTHL(F(3vNXBZUSl+{XKI`K z!EpM(a5}=Ma-dWieY6K&`N=@A#n=22O_X76?Icp)O_GUf1BB^bgF;P^*}=;dM(8R| zC7==Rf~EJYl#O3a%zkC$IdEdO8u>seco$d~O)j%Zg(?TIPsJJv#X4`#NjZUks@>M0)?g<`!C8@k%fMCuLe~V;< zkkuFTRQf1+f_c-cc!C--4(r9g9#QU~;0|E(b8BsaP`#^oVvf>ygy)S5?~Ef6<;;{)2=*ls@eg%A(atS2!u+taNjz_IrjmmZ1bhFN zU;D6`_I^p=TtXuTPai#%Kr5sUecvIAq(uysP%Ge0KPdJtLHa*eCck+ja1_Bhw18pw z*8e~iqDMbO9rCs@E2xJOSceugj7J69{vY(|!6W%?`ad}TlX<8}9kr){f>h0aKt<`U 
zJ3Ial!NRnyVS@y)k!(~4TmO@~FvtI*|HMOWX|MnX<$3Er)Rlz_bGQBns*CnuP$(D_ z3@Rp@{C2pozC9Ewl~$cy|G+Ty{|g8dYOCG->nRto2|Z{ey;@YiL6qh{ zK%*Gep&kB*z~MBfeiwJy&sO~gFcMF_hS1C_|8bnO|6udKE2NF*nQt?3c57M@cIX2p zz$TrTEuH%Rq5ay%$1OXw&kCtdtd9U761eq$LWQ{XU-VB5D5+Wo{)0ngb=?}|f0&?d zc>sF-?~U#Q9R_Tpo!V=3``cAEsw$7}jh_HxX^XqLe!#6y??cToV`=j#-Mr|TAKw5e zPU%xd52cGJI*K-~tZ0Ye>#+8Xf*Su#n0lzQ1jcn3;;w* zE^)p3Ye^~^D`xXPcAT7K6}H3AW{Ng~&b-GXG=xZrDRC4xuRD;$mKhg&q`DwCrw@|FotZPL z#VV4+DiV;7tDK=JBMMp+R%K`LVoa(g7Azx(mfgclh?d){ngx)rqF2$&LtJP5`V8EG zu{T-;S8G>?t1luiqA#H6d~rBYLPrxf%5dfn=jFFA+Jv{2ABmZ4R1>dJR&Y*3uhZH3 z4{FOd3sfs}M;n~x!Im|bG@d^)24>HaErJtrt&XAA-i4e6XhaE0a`zuUO z;UTObMvf*OJzTl=rRP6COi-9po>QugsK}B$<^`8cFwY?2c8pVQsvKHFTJMSdoK--q zqlt{ZtiCsmPJrDJR2u5>!GTDv%w1TrG$G`uEIY8|sqpKPee(g3L{e0_NA>(1d!bNu zHetYG-JmV1s-xN!=+sd_S&NC5$G86u1q8(nwdIKFd>q#wrP3{o$Elvs_U~!F2Q>-) zLO_y55}+Q4sg2^v*a?aauCCW{SX3BiyZN{YS=*HA?LK9ef2MQxr|pA)Dk>{PhtCDMY3+`i-A3(|}GM37^!eLjPz4$9)YN_O3RT9lg#;@*48s9sN zwl%GnoH7H_e`PmP`9$T5e|M^1Ze(sP1v(bj^Y9_^1;d0C`PQPW0{Hq;@`9vA!8vEZ z<^97LA_yDWpyd&ewEzJi5Jtidc^GNf{5Hp;tT;@L*u%)2omO8cRK{^x;$M}S_f%=%_EIa|bbJCFBP`4TO~>zuX#G52i)A51LSA9-HE2YN2=E1|1P63j;DP>UAJv+6=S(KJdEwi;{b>rcr>qKYz zn4qbr2^piY^+B$q(T!3V%HWX}5)c-3DWFbYt*dv`)x;znoAohJt%`*OH}l~mcVGlH z*hjqXu``Eb*Xt`F5>mW%_SOU3j9~k7AW~Oz?V0%TK;TjGJhW(*2AS6vh3Y8w-~pJH zx~Wj=U(JhggV)dJ_ELRhCq1Qelkg>Jmn9>`y4w~U-!Hn z-#J{|KzCTe8GhdT;he`6@Xd+vYW{v&KR107C~tyB(g&n=_>W(X*mb{aNlX9p=RD>a zR@5FYJpJUnSlcg$QfyDbsJ!)sK2ae_5kPAvis!tN6L`z5J~Ui`^O@|MYq{fGCFVB7 zY^4y;oZnJqIaC>##^4I1Xwvo>z!L+CB5Sb;e@Rl{4SxMn{t_w~?s5U?ydzx++Kt|z z9PoCONzR_=p2fX9+dbT{{ZFOq8$^?b_7bH=N!uutjodt0K&f0MQeGYp9m^N z5dE}(?mh!o0M{^8d8I;b-nbd92h_=AD=bSoH?>sGzK;#Qbv>?begeY$T+DgxGv$BTC%R{x4P4DwFoK5pr>piTu!ml8Z}^CKlVc1X@W}mE zNOT*)W{eg9(M^S^^FDFYrDtRuG23iGwIi$tV0W%V0wwXUXM|3u-(mVMRAZbG4}2m} zbBbrgPpD6-PdF%h@5F9QInk$kFmLo;NlkIKV{lR?uJw;pRSzaaaryQ^c44!o0Gg3t(rJRZ;)C z0XFtF$Ob77bT254x797X&AIKo;Wd*!1L%!{&d!Po@)fxLp~w-a%?rGHik&|_)5YSw z`}%Q1>;dpdkG&naynB3e{sQ>HFbSWc4t*kBp1Z_ifID&`b&snG+}S;(#5qEGV1H+Q 
z&w*qLeJO@{vfmKcJo|hCZfx{Y8S-e9w?dTkH<1X=A5hyz*YC9BW207ySR86UAU~He z5B^Fuiap|mHkxA6h*IgRffnn4A-WfR0^ajMJ=?>MJKNP85}ik%6Mz@B1BmJbgzIN^ z1J3cQ9esY2*$VpgV?7YPLwW;A1DNs`qkBO^=Nm~VFUqOHlRkPiLbbX+vUUi=!q292 zz>Qu&yOs`J6nA3iMn0+Yqba21Yk-@xe&Y6s%PA@~BQ={I?WhmFVrdEIo_48+3$hH_ z?RyEjiYFmm3$52f{uNeU`qRDk=8TpZ3Y_-7OB>E%xo?U3W~>yVD>^AG zfX{CvIxq8u&OV_-s9Ml_$bqFNyQmrLDh6x~X4{lNiFI$A%&o9|&v@m}jw->;Goqg9WIqnj9={F3u3+aI zrgOPgSHyOROd;;PssJaR1)keN;t17?=!DQG< zofEQ`IJw%h854xGU~Ay2C*E>`2a~g^g}DW+2WrnJ(oMMUz_cEM^;L!Cfo=Q!nT0LxepUK*t}NVy1?BbP^Sq4ZjJ+~*sXls>9-zcX}_#i z>`zdPUVt}UVP>8$dX6HHLk^&;EeOm`ux7q7hTApH*)E+e<_*|T7wN*j_+`JPb6*;d zASvGlxuX_$KdsW?{aqFA9554%$62JvA$FdBsvL;hip2+NoGVRBp+6g#t^e(^fAEGJ zN(Fq+5b!gTNXbXMx)bkE+TSKt!6(RkN_(Iv0-%$4AsjBqWc1YmG+2WPjl0kjGM4xc zB_wUDt$-cj*#H@*7O{$dDI*dtJ6>Rcz-xc_5i!~#^#qeP#FB3W02#>?h)wkV#tHZ1 zIpNNTLbA#5K8#+OQYI!7UYk;g5>d({V{Ov%&36(Vgt0y3{TT_S2{IoA(dIjqPjkN0 zwQB-Mk>#I4i3{-Al=;AmPP(91o&#FHhsM{$8z5@W6@yR^diH^_1kjD6crVDJt@o08 z3}2I3;df}3X@$puyczuqrc@0xSsjnG=}#Zcl~{&lf0fqF*d5&jS5wOq@3*h498*Us zOJvY3c^7wqznnHeMovq&raxXc+b3Z|Sb8UPm|nE277R2Zj&`lp5xA0BxI8!Q(IsxS zFav4IOafV;Lc3%c86=z$1{@(QolFd1BGt^;AQg|*QaNmqEV0b;rKw%KZ^h^!za_HL zs*!^+RGfMyMUp_r;8{AT>W@7W0ogP7cEa3dramP2nRcvb+}3mkO?w7=#pXKm#-i;2 z_=)#-cK?qVjp}Qhj~MYgI$!=^8L$zq9wW-TVP4)4_?d~2>1_fJ-8PteTj+RyYwn-q zQz-1b@cRx2#&_!WRJnl-yVn(RK$ML!7*8XR6C-&%&UEmFKB9j$4MPp;Y0Y#afd5Vf zFs`_^#gD;bz!Vou5wq#wlEQ?r3Y1n@Tf5+`m58Dungy$0~OnCYYzz1vN*;k zf~xn5uRUDXQCgBX!8k*~Sk!;bHut`UO4zVzOotGhYn%jH*D5rqR7wZuMKYXgr!QL8 zt7Mj^k1Gs0Fls>rtp^WXH}&1oO0M%5Symp+SIPb)e7}V<6UW)war-?>4ykFo{yw`E!eVetrw+&wN{EX4u5UJ&wfkqWqgJcD#4}W%Z&A6-m=% z_ijlXc$|x5U60V@*^K(+<>~_aOi~L9zZ*JCy#f+D>w|pD~t$C zT$TQkVi;tHqqQ~x@3uD~Awwu`l;Hy;k@EIZ!3w;1Y!w^@CkQ)2x+P9}iz5?sU!lQ$ zPD_u%`PezQY+Fx8AMLlQ@U)oSCdn6GmPBDGqH1Yz>hA<>pg%9EKDlkD2!^&u?QRvm z_U!gpPJL|058EElAKIib*eoS=93?~Dba~H5ZQdUKxN^H4VD|5}^#yqr5PB>h;JB4o zi^n2eQ5i}M6@~?K6T0h|wwNY`Cb{W6!N-nbPmeox9My5c5h7BgQL+duC@HGl5s2j| ziV8;t0#wZt5(|6GpA~czvl$Re*?A;HmgYPR31 
zI~V|(eQh%lm|o`QT?@&cuJ<>5F1`i7R$sNvU^r}7>+d;Ud|_2H9@wGFK}~`XtgKZG zI?^!=HxQ4)a`T3}aV;s4fn)^-^C!ew5Uo*A=~VS(EsQ?MoDh8?y!Na(A`eaxuyl2G zy%o^UZ;*&1PCa^T_v*PR0-HuE63|bq<9E;Osew>-`}>w{c@2&mYzG4XD|B-=I<3(x z5KVf{<4a4j>6FQ6Q<iDz>f= zE`*O(YYsz=={a5-)kHc&vT!Do15oNfHDc)#x2Jg!Mui~)%NY^mt&>vi-(_HM(M2l8liHnyc}2)M?91yCEWwDC-O2?~K@k%-i%Hl7j!J z;${71xApc^+W?!+Ku!y*rl3mb$WYf4=U&n~3KexS|(omUPz1eI%wF}g1AEUd0keSbo5-EJdxhe!4K>3q;vq@c7#_guEg=Vtu% zvw!$!fN0TEULwlEX_r5Bg7y2+VofXUy1^#G!uQe(Xi|~q?vYHzH#M6$;1K>5@fAE3 zaoo%hZ!Dya(=Wu|phO%4*x8vPz#|->UoAw4p*WBhYVZeSO1#@krUa5wv@aZ;E-_ig zMp;g=Uq{_s#6osxi*;_s=wDsQd)b`NjN66Q0{~A8CP42eK(GECg5Za9_ShXH5bp)B776J9Fjj3g9>_*wlg<5OF_ZJ6l*ZbGW09;_9K#FqFDOokW0!!J5NL_seYj>!% zow5V<&mPU)6iGYXp}2d2s%=JERH8r7M0u`>@OXJPW@%_pSWIhUm2OO{9DmZC}W6?aW^f6qt2>Qg`OUojDC}sm!)0)+|MFB z+9*lfwWU_e8vr+1gcbSS6_O?V~cd?lrF z0b`gO6tqBpeCb5u^yYYT&R~58r4B_%hx0_q1X68>-gDD-Ft(#Fb5(coD}Xr8AyQqC z0PF@@-zfeMW1O)sz82L9-;%DXE&PYw!fTa*3}#plchgcWc+otxzO%e=4?JBexs`@! z1ID63Y$*+Vo`1eQk`;|yvj3@4smz2ZIR9MO(pN-9$DJ5 zCkbaf;zzvSzWNZM>Toc6=ZfWW<#6kA#W*hu<*K2J;DLi01N~`r5JLA}X2Q4{>mDZ< z*EHrWqZRGf>!$XKxns%>c)#`%JK#ay@p_0jCY;?=E`bm&aHk5*`h83RN?BjOyJCn%Yt+b<`6q&aDeIIm$i?-I?ne#*H5#4=o;P zSo)z!vCD}^e>rQssx?q4C6_wKFkDg_M6@M~!Zo5!eDcQst`WWAB9CKrDko#rn+ucJ*_VD7%Iv^fNItK6^3&>* zP)d*++eo0#D>Ww}vJu^(S?C9;^_Beek?c`J=`y0AoRM0yK?S2?IW&GM^3}<-}VQdM-UB@-8F#eYXeSs)(gC zMs_8$MUndDoEXQ-q{OPAbY^QbHm0hCF9O`sV4Q%uIac#%yk&=f* zQ&8jDpwyU7#0q~&5A*15aTchdP36Xf625{yigJqhE@VH%2*YW#Wk)0S6WeKS8ls{-n?vI>moOa$?yrx9YS{m`pC*TJU3AI>mWX(bd?ztZ7kby)XonQ zt9z(uuWVI~RGm=KXE}338m&WRAe>y%5|_-ZHkr_PUMoBpn$$xuMqXE49Kq7h|B)ht zpO1EQ9jT$S zVa8#>VLag*;CU1!OqS4QbIqCD$G_V+?SpK?Lb-G=s9Wt`l?{b-3$YW!lM&5XHW9?< zoYi5ByZXjWZ)fGKEVA?wNZ~$opv`@sJo-|w*-0Mx$;u5J@bhw#?=oZJ)3eZqzQz9{ zZ_)0w+Kk2&neq8tCe_hmIt$S^o)+k2eRz+Qwr<4AInsCOE2HeN?>kFZLFPDV$2j5` z3nVzp@-Y=2xr>5W_-8h4ocYjH&Hj;a9aa$0Q1)R|yRphL#6l#Pa2+vd?P%I|?QQMN z7-B-zMBR+5)J!~)&{t5^ncN9f*&sB0sX~R`Qr{BXg52WVLTVjAZPnaXts)sRZ20W{ zsO7?1z8O7$Ktltc1vb7X@_G(3W)TW}R4B*axJKX-b{i>Wm4P|DZzi53M3^&K 
zoZ{%NV_=XUshl};ZwjdA0dV&xd~zjdDya>>A4KEgS|j_eouDa9s1SB^Rsp1e>vY%G zmg~-9`?^sxninU7^(N#zIrqog<+x10y;BDAx^Socv3xN7Tg967C%Cd@RU{#HA-)|6 zOow}&;Lgm;`2zS8)~b}$N4M9ZwvhU=c!1S|A+HDL-|(%{DWlcGqp7DM`&x4#vnW@t zZPZRx#LPBNzsW*KS7s|bJ*ZMvza&I4O%lDbS-01@eD>G#lA1|7t7NYgQ5TdEe2U59 zEcl&zH&u!%=dNmJZ=Z*>wV>%{>dJ$<{!`ZeLbZ%y?03rK4O0Esk^uVWJtqJNVT0yb#h!^eiP zy5HP}-ns`%b@)rit)_39_I#25)+_y9C+qrt(1THq$E%j4J!fSLK%x=Y>s*A4cJ{1~ zdSW>uv*rKf(|nRKCibabX86d4U>lY#J`_`Y>0WOLf4xvMDRt(+hm&7bS-?dvxvG2P zqdNuH{^=3YIDp}zQg)KlzbSLh0@b8Wsl>ahjoj-dsk@nM;Z`G8TbFX2 zYLJ(Ptp%p#YKP~;rYj@0i z-~C%|squ5&xEAf5U_a#idF={Kd$SJL+SO_&4cTqrWsNnEYszEyxzkdXMtDpezr0h&beXFe8h-#F8;Z9Bo9cPlQLBd$}-?7S0K7Hf*#s zEFCPr@`&aT@&InY1Aavf*33D866M+nVCBMBnXJRyT`?u4To z!0hu+I(}UzF#_A_j$#ODz25E_Tv34gkv>1AKc=IeY3J5J2H9T6KQ_u^wOX&J#Ik>} z%jjTFNDVY83)DiYkmgKCat{Mkhd7S}-{9ZVys5ys=Cui|`Yy*wTIAQJb`8x8>ZcOV zIo#<}0LLg@MBfkWn3S^qXcPqn(K`e>EFMV%Kaec2I26`|_oe%{`gi`_7+3m91;yIH z7@Slm{0zW0j%wDIR!vX9YW@O1}!>VzdCk=FD?T%0LW!!4U)OLY6qPx@awjy2DtIS z;t%BHFyqiH@C}@0x4Jz_hydUKo<_h}p_8b4#8a}z!b9Lg;YXmbo1&Yh_u>P@2l(4K z{^aUeTY;6SEac{LDHUy_%D%C4>oIl7-+HWkH5g4CeK^S2GC1|4rz6+#HIrjrD2ry{ z1@am|Fg{uWud&#clJwESj?l+A^DikR@&QD~)q1JS_9)A=eX^!YzmXt2&59yr;EMSa zisjnUF~lBdfC@73;*5(GCS?R-awV>K?7nd*e|?GAi-DpGUE&iemH=m0GmdD6Cam%yJK6iR_D8 z5NZqIpfHO<%Ou%YfRV3lU7o$VLSu0 zs9T%h*87&NIIPHe$8i_*jPI!InkGp6l}{|AvWS`h1e}Hx1E4@7i3=PIFEiICYSVYh zW051U6NT~b-EI|K(#~m98}udIrU0wfi~4+%U2zelET4BIUovkaiE8{*i% zv-$u>*440lFLpNRE435{A<*K_y63{z?rjvcA6o8_(<)*z*|IP*<9qZtY%0ze_}ys( zlpT0yiy}q)-n&9LG%n008uuyWyFadg@Qek{ZQ6W4~;-K z224)tD~scSMS^DNH<46Ja%+f42kt_k3P98g6q7Ta6T(af@QI#;0uC{HHa-Y6jT~yl zOfy6SkbSxCPetrGuZB#G#rE>-^MQV|>j+3&3Z7{kWn;@mhDAz=p>d(o?Lh=Vw=zz& z`eh6yiqO_-w1>BSAj*ldyl;N%II?Gmj1j*fTt>~2wF$@xEtRP!a6yhJP}s_wO$u-* zi93eT!Ny2o=ekw=M1?K3)f3Yb_<8D!`j;8!3(keMg|UU{!T6>!Mi8MAs|xJ~HFT4+ z(Pz*QVTJ4(X&aWJdVsqru3}?uD=KSQgF_i{dchtn2i$Pr=s9yF5_JbKSj*YxRDcecpQFdW)@w=dsA z-owsw0riy5ymt^m%-5LD*pCWqc;0AeG6hoSKM90rb7E_Pf+K0@WNMFMQ+C~jrr_Z3 
z654QZ=umo`AXJ4iAP)Uk%=*PCU_NfokNRwK7uSP(>H1mNt%NuNzRkTwd8f7OvKZe~ z5a$O4A>$)u|3m3&@b#s6c}_0pzS$)8td2UI`g4@`A#}ACox9Wot0(_|*qt^Ye3F1z?AVB+Uc@^RAflK)8B zFT|MyYDy^fT6kuOy}MOK9tQ)1VCMe7&AH39tC!^wOq|N_yZT$(IKRJYMB@+xOM}!} zK`9ajiw5!`w-7QR^Kzir99`^L_-Jp-rY*CZGyfg^YnGYHjmF|g2EUSm`Zi<&A$xoR ziO?Urq+OqM)~2rv6OoPHte{33wX|}vd-1!GAsE=s)A1Qi=oAnyLc4$aQ>4c z%@bKo;Lo=rE+c*6iuz@CI{hU3q-UqExgOBEp8McW$Zy?u+%M%lyL@MllpWKxi!0z3$fw)SYmR92&iHb909 zYIq^r{(DU&UL2Xq2vL{iA5EnZ#8M8X6;WQeO(99ZStp8w9yT5Rrb45DkbDtMDxZe2({Y+U2dLo9TE@hd4jhX!cr)kjD7mnhyJi zhJPOPc-iN>^6j-LO3dRA%nXWJg6g5res zOj#Va7%4w^VssMyix6x-U`5xVxg;>+`$%Eo9j;1g?`-^3V!=mL()XXhSW95 zjFP@An+bc^A$&>2@I?gTD^=5|=aOVs6bX^z2IgHghZG7Lh_EuAg1YziFjiZuKjRpj z)c~N#-S|LBeGIy)JNJ>q`Hy$D>{4+6=`lIby~fGza+~3BMP|WZs7~_xwQX}_r&-hY zjx!SB_RB~N{jE0FSoDIs?q!~K2S|M1;qp3V3T!ai_YYR2F8GKQIzDtUvYa1 z9GMVDMyu?bnFsQFayn%wYg8;$t(pFmBv(7(3XiDbb zmG%&Pt^2SaKRI;O0)Ad34h1}TXq%ehX1oB{as~Gsgr|2VTHh<~mmS9MiHg@n zufH9-zl7d)AA_&`M`uTtMF^jguW8*Ws`ir3?Z%pWI&wU;JgpY|0(u%Vqn_U19=wES z!@^O1-spEP{ey7+`F6(T^VDtQN=o#`@`CM?4x{tC+dPiH9J^w9M-#?8-@(&Q(r)+YNoZOJ&kweMH_;R#+2j+9 zTSZ?8ipJyw%R_hCK!J+cBp+6uJq+*xSh6upE3$ZodfNwW9fY1yyh`*17irMd zx_dD9sC;qlpV2h7&YlXNcmg>)Q9D*EUORa^_8?RfNr*B}+YGKK%?kAewE)%>s#Em) z_wC=RzNoeD^6|$z>E^%{l5;qlq&xT=fF9#GkhqOL(N z#W9s#UF8hlp%CK;sbmBZA<~gbDEy!qywM=ukKNO9XK01-=H*fHyH9><^c>Cxvz_;3 z{>gL+-K_RHabWN27~96~(Ln@;-`B*05Oz=A?Vr_6kLYLg%WP+VH&3kXip^y=MsKUU zXG!nJzukPeM|B{EspEL-qY-s)D(?jDDK9-F*2)P8@cJXXz2e{r)am%Htk+n3W;#6h?lCzc!W55HDeW&eN^%7^81U>916L0wpRw08sA zN;4SpHLPe=UL74qqW_cCOW9(+%&ZgpodI5vV3BY$2vmV^@ZI)-z?O0t)P5(>@w{1- zy4ELr#JNaVl5w>L++j?AIejw(kKi6sc(LI{UgbjgTCE}O5SwNdQ47mRz8YCd)bp?z zmE8R({e3&YN&^cB)%F3L6Wn(v+VRt6 zb#|BVWLn2(?6l6`v#sj!6x&&?`)kO(>jJgWy?3Cd#^Lpkl6U3}b&TzYZ}CJ@*$n1J zcTZc=^yfD}{OVWRWpHzMClBYz4(x8!=nKFN2*(rQPUYUShxU@plgu;x2>q6;=@OI8 zQ5T&#;Y`6M4dBKCzj6t?rAVjw5Ifwhqup>8_3(^p=w6h__k^H-o435<9;$sODR1d9 z^r(5;u>N}X77`aDM4Lg-1{N)Js`yMCRuywdzX*a`0D|eMV3eWbKrN| zAMNv?cPd|%w=o0XfhUgli;yWGg~=CyZc@*ESK%~Q(l(9hp$V&8WkgK1`{aI%|Q 
zpo&-9Os+55uR5HzKvLG9&KsW^wJtiG%M9(WhBtRVrMR2FL#?hr{57IsmUH^P3e{^P zhT{>W503B1T&Z?4jWew@_6q6^>5@}MjqS5i4JRy&^tc3+%WY(U-i|_XlyOF>2@8nf z68+3G+cFH3?IZ71k8Oz@*JKlbHGg>VE$?wq?46C^4h5EOS9A$ZAKUxb2BATu{y4L) zpqHsdj9fiS8%cVo58H0{$#`S?`9loiA!E706`t)wWp;9u#&lWS1p!CfXs%_wpZb-Q zHuVBUiRYPe_Nj^c6yP9Z38a&sIKEA^aJF`~4&#(33AsjQvgtNqwe(>8)LjJ}dzHht zO0`VYa}`)Q^2mFvQL!YK$Df>aEnF5{W?ycbqPX#Qqwz{o13SjktbAFP+y!@Av{79vLrE?W>wE#EeUU4+b$dColdFCUpFij|>u3Qfw02{VR@xU} zsG^1@x>(8jZ|0^>i7eM;F+U+zUV{$UT1;NJpzYgdc7^W0yb! z*FmaE^73Ks<@n>{AX05obcPy_lQvFvgX~>$Dp3 znsKzsJTftVfb7Tqv`LnieK`_I8Hq&oFNpw7tKrlfIp>Y1`Qmr8U}&=2WCVAxqiAgV zYyR$y@YS#lZanpuVIERU`8_<~s&vdIsJf^or?o*};8)gapqET4=4aMW^mi7~M8W#( zoV8#NcTYD@4OB)U&kPvN1rMAFfg|rj-Ln3qa;17aq646RDx0LPo8U4eFX}Tpsb|B@ z_KoSbR;p+9C;zMcD?4lKmJ6$Cs&zY4ChL2&*2&w6XL_I8<=>rQwe zlZQs8ld7_QKWB1z3_^44o^GzsW9NoQ-z+QNgjA7y9h^&fPkD@cOf?rN1b{v``T?5Y z2-^&z{Hqt1(mlcYA?PVK*FTq(z%;)m4`<4LyT@NRN`3}y1~{p=EQrjXZXlzwv|2SV zcET;>=mw#>PY0PaOy09&5U5;?NFZXQhU!TQd%f4AbyeQxM|9!k za=dhk1|oz2khN3{^&_QcRFxuR$#7zGdFrKuN04g=6`RG#nuH1g@j`*drf7#JaPa{D z7M137M)1%zNIEP!*W2;ZqKdCW4~M*R2LNvRvRCKNrJ7Z3L$rXI4P|x|=>_%d<2NrV zsars>qdXRfQ60=9q^cL)gF4W)%kRNQ!Y*d!qP4zq;GaIezH;>5(iK1xVAZcknAQk!Z2TQ=hEgYQhEC^(}a# zfx#FC61zRVYZG>7e!@L;ev@w%D~F9=0!3Ju1Jlu7HP$7BLg7^*FHiNbgAHUbV)!rb zlU2EP=sKNJ7C#dJq(*-4(~a)SSkt<6dBAVxcw&1tl{Wigas5e}mw>IGMZJwH^&|zd zPV?XGaPrx#+0n)C5gB*6r}IJ0g`ZV-OGGR3$rmu=1Cp+8L)r~d4RiRb8vg7Sw-z88 zxtR<#03uIODqpW4v&jEo$D#8>&K#XgIxq9i;ZfKHxl6+<)fypsg!H8SUSPFf27c3- z8e&$QRiNG;EP;a&2R43q9Q=Uvg!lcg|CR&+U+3<*sg{pJ?`Wy1u5#>p{D=|?c_zD= zlt&I)Oc#8u`0IJ`TB&j-Yr;uEs^jSU;OXBf7iC;5l>*hH#9%L;^sP2oF>xxFytI=h zbr($;O*W{}9uo3k?`tm8poVCWN=KTi>B=&++8t5E$*IM4Jhf@l73j6|Eqmp(-&nCLEr-z?NTj>?#zBia!wAwB z-!M4E*hW~k%N%FGY09WFxOOUcYr}l6nbziss|J#hR)lphx52kz^;srz8K}S(@>K!Z zc&U8aL4e5he0Hd4exY}bc%arPLCt`{T;j5+p@skq+X4|K&u!_Ab!^xA&vMaO7jQ+Z zXUp*P$^;&LAEYZQe>A>xBN+5UetCr8$Kxq*5#X!Pw6SQzGH z0waYgar&nuhqltXUF7Bh`S@=OU7U*GOe$};9J8?Df^ZGX0cRnXsA8%nZy@_d{(Zzz 
zQ+b0M-gC3GoOEeoO%BGz^=bbHgFt-0o~E+mD(wO;(>4w-A3k+Wd&l^|u*~eM1He#L z@{fz;aBlWhrH*$kH+5cG=?vKCP^((T0z3H_57z|^DbYhb90;2KG{9q2Q?dY$9(aQ% z9HYO$zvthCCse5c4w1E>R?vfh(7$2Cky98wOOHLBU-ixqxKyvzV$r-~*bUdp+IhC3 znY@iZ;eQ2!v;CliFrhrcYzcUo1oHSpS;C|XV|+qx*Gt-hX1k5A(SjkBgJ5!w;Bvf`WB>;L z%ZTF^fvYIOXW4T+PS`(1dfhRrpx&xQKpvH2yKxQu)Bpb(`lo-r#aCax2BZJrIY>K# zTP|N?`VX!#q0f$(`mcErm)rk?YwYNg7wseTYwTz)noeiX@km5q#i9}vLkZM?vS=h~ zLsQW#G!HFCD*^kjsn^cGp?%V%nbTI?HgL$2!(k@el<6@ zRJK+Q7!WO;ixTf2YfKzFevApHL?U57e$0Lh)D`R;`|ECbkx2}Ba%eVc<#jo_g+J5!;SNr8(xqtujxVMt&bn;=g`7BkNs*SKct)UKn zevqoIO_2#~+Z$wGkh?FP+xx?0x~@(?8NbGkX*1dOGj{UBY>(Rtnw7Tp*x$&$yH`6eW7z zWy=3H$r7N%hnL%jU4YTp#?t1`v6fw6T=mqc7$6d2uo~?eEhskY`;#AzpC+;MK9 zPT3Xc8gEV7Me~(LhciOKROYTy~StNmg2poM@x^F za;2rg*clo;V+R=C?Xl}XEbVD*gu$m0JurIM0z|9|juDpuKqlS5KKi&lZqXY9SUhg% z=`8?<HGBG)g^NZ_n|15)88fEOblrHv(Aw+qlx0ng1J#>uZmOMkU42bW z{k$222K{XGsL}tJdrj?NHa}T}$WQ4&u$|(E!Kj|5niUf(=^$mrvrIq~mpzr_Z*UkqC z-rn~fe=TT@BpQy|)GCMDZC66k;lqnZBx49Q#%#qU#iSS|qh&R<>2%f58h1c)n5t@c zjs;A!sUBxzBGp^>MjZg9BcAnp>QXG%?HbA%2`_gs@rA+9Wy*5^$)tx8wrXSm^sGc= z^+ZC?|lQD*5uIE=z!MRVClF!a{2W)cLF{NQ50RRUL}_M z%84oD4-wJt^OG1zVuE6Yh3;6W_(4ESafPQSmNa3Tsf4|{v#_|_NYaC*Ym$MOYeo?kN zo9#)lIju{uDecL>4kbN+uyGktetmkWhaab%tQogp$jsZvm1-xkvt+`;dnPn2Up#wE z6?ey+d&Y-`Ed1uQi!bpL`lpmm-tQ>VsL+9$zAvW6L z_W5^?OD?R8)SD={THXS+1Gu6e!MH;E+Z71rU%Yr%{{Xq>e~oza3KYX=m^AorJsVpNR<=nN2o1?HUv4rf zw49Bhw;TR&qW8US`+MEMv6--^%#rehGbzVlvgf6jdb?g?3k@!2KKqP&9p%?W?}j_d zXsO!tm+N==KpiF4SJ}~z*Yj-oP;R~7UbWr?4ib~)VPpLq%dqmhwYz$EYo~CG zOu%>aE+@x&Q~Z(Md1OcL*#7!2IuyCUdK#@3j3@vhL!-qU7b;E`tHoS#aoinFf?f<9 zBFhhovck)pP{tA~1njPC9Z0sUPGoFuU`Td-esWkZbui*th8*Mirz=lh#LbGfv@eD| zJ7dPTZ)q8^>bt`t>XcM+a<)8@ol;jfS&h)458w91JG*9dj@^8G-G(>rZ|VK(bsHu{ z;uCM3kh^gU{FTyjX2oA>SjDY5kav8ko+bIjW<%ftd(8lB0++G;8ls0kV*|L113yZ6Q?$lW z;g8K9yL?=%wn%~Jn1@ZZ_=_q3Kf#25aPGc&RDTV!4QN{B2LMgisCI&ts7Va*N${dL zo+qp%SCLHuW#PJG-Hf(#&>Ukm$VL%ShPh2dyc=I0U*$H=DIR_+r}x`>gDWQ7N&K+pqM_vBS! 
zO4o%zJ3u)+0~pA};Aj#vf}uX++Xg)z$|`7ds!BKD?@LpsXFD5%MdN4ANoTH^m~};Q zz-F76jSQ==P&_!0So)()Yo5QU9?xq^6%D<%<(rkw$$)>ru&SvKle@Ld=~QZvr@XFc z(1-Xt7e{V;W6i+2sjFHipPSd{;tb@Vu027KW` zn^aYlF=w@yshQF!TQMW>yf97JAdo@AXo189&}zhHcVGtw(iGin5z15%iynuWvx$P0 z1*8uUj-vwDLSM7KPl(p`55Y8~dP1Rw6(PLh)uSETez)#{_jh(YcW}VWv1RS+y5?-07`g67Mwe{fz6tZj-hJDk`lN8E zFj=S;K3GT#3!|=R$eDB!r(VtLlwE9+P=1p7#|cApG3*y}Y(*+CrvCmNogLGRMWbcg zad+$T*n~AxYG#ZrXq~lkw3fi3heqWZLuRk9rm505V+36$E56yA58t@$-PT}biG$nN z+vO;$j|^WkZN=!Q#Pi0AemV$7sxYY{iZaLbuf&#-1>_#mEnQ|~L}F1qaFqaT0vvGHW?3_Mvvt!fFd2v^Gy z{VfhK1O=X4+aJEk)bb2g4~F^TSpLCIy$VbXzF99?z-*7W7B`|Y-;S}iivBc<~DX#Tl^u{ zy!U!5$nSSR9?aSyuei%t1!=sA6q zcdH{!B9+9bz`F&3H}O=WyabjI;V77796;cvQkd3Kf~XxVGis5dwF*WG_<#zhNCb<5 zEK?2}kX$y^ay`scV-^Jd@p|_584%I_gtO6p`+C}K?OxA=LBZ8Xdhzm17e}-ph zX?#Zeo_1)fb{gQ#;McYK-f8$RTeYY26#F@ho(CT#&_!_*?V!Z48>z_kW8eskhr7fa zmuVx9SPy%_LK9tfaplK(jPOjt2hd$=o7YqCA&nGNKQ>bo@K^+!B1Uf!@bv;7B8(MC zjerY5i^+1q%`QC0g;TEKE>h~kF8H&87H}jT#1ZgN#md_S7hvXq#VpzLTCCfttFNBA zI{h^u%mC1LdQ$p=Y8H?f$~CaJAv(%1{Ib!yia8(Wr=o0C4&jHif6+elN3D-)|H2O) zk*%_c$FmA*k`3h~`^6?MbMbZdq04$-jx;1{0{t_-T%YkNYG$3q)Ky=NFp&_`-ZP`~?#c0rDeL-miwYQZ zqf+or3+1rAFa(-~D=b72uj@(-vP#DTPN!S;{4aZ70~l3tEj;(`CfQ_j?`}c}1OmC? 
zCqHCK0s$fcHGw1~8j`$C2tOja$!^F(*v;E)h)}B3Dpe~=Ev1N5Tc1U0sai_u)5r6* z77-P!wm$5qRjUoOD~j@t4&$Ub5`^ zm3cAIQ5|;O?Hy;$=EAgD#Ri>T<@WEutwM6hhQge2W5=c?#3v-go8waw5@J$?^tf~} zJ)O+TNn!IxAaPJ@Tzo=`*<_;6X#OfCB|BlP5|bSy!%=iwu&l>%qfn)pokL&nkcG3G z$_1xvzHu3gZ*>5HU?(Ry%a%zM1!q5sIUPLL-m z=@Z86SW-8^l9`uft}VJ-?=elu&&XJlH}l%%<>T~Y?MpjOe_pxLY>18!JLZcI>hw{U zWmqnW6vemjtq*_Kr-RMqlUobRJ?TRFl$oi9iK)rSdu3srEUc6TnHbCl#ZYL_8w_LS zlhpkDDXHv@k@-{=sr0vvWt}`HWnwmci)VUD`grQc56&^BP=$==))+URt-b6er+@_A z^17N%ZhH3-O3_KqxBDnN{;?HGeUl+wpvEQoH-7Z-h;+d|e#454vU$pk+=NwSSM5mi z7I+?Pe(C+VjyK|JtE!ieowIyV-PRd(Yf}oA&2!%K#;2*m_BGeYDYK@)Nj54mE^&cU ze|zzDEA#d}5?fT5J7dhG2}!1e%(0f;8)jXztT=JTZ;pYsGQq!ojJx@?LeuZ`f<7|M zObMAos z=4*clEDynADmR8hyte<5^aRF4|qRlh>k(uNGAjwysplJl@1OgfzvZRp5WO;%}|}Z zKtFs3=Pv$RM6?ty9~WkI6nA{lQ7YvBPL7vB;VwLjh;zTV1LS#%pGXAy8{m-(QL}ps z8|so8lXfNPRwgnre8J9aw9A}=a*F{f_9Y>`ks+4R2d;MxK z<@t2eNe$Z!q>6J-43Me=!=4JK6&;lmtT_**rV{7P!^cqc`o~NronALa`enz*9WM!~ zuDGN~QHV9k5#JZ4-laF0jBsvAigO8*I$jX(m^(ktRGxDVwpiyrulZ(L+=9ys%wo>D z7tIBiFNjO~W{qfIJDhkJ)$O?6tt-4NCekQIM@1T`FN~ls9g7g7BaD&$&+{W;jf+k* z=n@P%GhG*nM8EwUO^h*-5u%Q7Y;br5IIQDb{uX{DPlwd3e(M`tUC<})@xtzo?ZT2% zF9; zf}Xw*Tu6ZFM?WbLq6p`RZSIb$o2}P^ZitOHp97L@t^8l87Jl7PCX@;WK@=8)b-ga` z>{uy0cy3+CGZ=`&lHhFa}QEQG!?~2>Qo#kAPdq60+t(>8qg3 z2jZu?DDnXz=Q2suK|;B~&l;xqJ``^h-xi{zO9iWM8@;AC@@p2~2jbVo58+y&Q0u#y z7!ScRgIDLWy5ceM#)!vRU2!$7J4RINiqDB(k2t~ViZ)i)tYdWn=JBwdyw*+lk_O>Y z9?sGrKGiwsHt7@f--hu2BDO@l6G^{8Vv4%dur|6e`n?!yjMb=*ofCUQ><7~A^3P1` zP48#}`1bYj(ed9H^R0xagipt|jXgH@SmNr$yT&z-dvpBC@h^{mIjMZYnTcB_ewe&x z(*DWcO|g!;@J)Z%*XwXP9Ksx4EIjCcWT%b?|aQiu2oj8|d2 z8shoTPBFyAP-Z^Vr7^8LAM4J?y7QsdA&4ng1yKG@h>H;~gOUYM{(Xq8h%du<1;(o( zUWigGL~a*iFAK4kg;47d#I%=%qy}?VV7wCIW!TF~h?~eNh!2s~h!awydymj>4biVg zO~9|?>rmq{Na^q!QwDJ_$93c~@p_KyNrJe8;}K-Mc!cATfWO4?C}Q`wV<5TWzc?OE zZi|TFxFqW%cB*d#5Tr4?IWCZhgdcNUB>IHY9M_SQgi{>XlbD1zI37V_6F%j5B#9j> za6F34^0#9kn>ns0iODX+ zBOyOBc?ZY!BtH2j#G|O*lJDm@=qh;^;s(f%O+L(VJsF?;5aQ7w^a&h*c4 zrhkSr{WF~DpW#gZ438r9$xm{e>7U_D{|uMpgh|s7r@!kbXBBfCWY4+;aU*7IGZM)RK$% 
zBplQGIZnrvja>?sw{o18FGYMB9aBpa$6-t@s}Y|;^<&w}anO&&i}*}zXD7#LJGW5W z5Tt)Ykp2xpav6f;iVZ3s8&p0vXk22|arp^R$ZV2JW`UnlNG)k14oH_0H*vwgmuw;} zn6nrt58yPmLB119WW$vr(hNZ%R>)fm^}VDODF>tuD7_J4JC>9nlmS%_xen3}IaS!Y z3;I?2sesluLECN6jsoqvp-m@g0K5V47P#i|_oMi^&jtUjkTgG)Pb|oT4O(b{vI_KT zgMMfm4P-qpdj(KUkV~(&0gtVInW!F|C`WU*{4}C26tW2DdbmP!ZKw&YjI13umsG)C z+Tdyf%1fz6XuBQidN8LAO4(6!3goNfQ4Ty&?KrWX3w65y>pQT7gKU64siy51E1V;> ztb+NikVEy?;vd0)9Q3*uxNt(vR?tEbmShsCQrM6uY5{iak@CDArEBb$^@Nrz(Db?p zt~8@88Bo%Ryu1Ax%OrKErB=Tr`OqRA{XiQt{cS7-?k=pY$KZe1-baePceaDTC>5h6 zv_n}J=!1@9BLpXxX(sC44g5H-tQ6^ z(ayF`H5fu#L{z zX+hc!bsB)Sa66&%k@aiw_Y*1s8?koOQv=SNu5{MUC3WJQYR1{4&h${-(>l$FWkC5% zjjeXwI^&_gx(%KQs(pIU_EmdRZNDoC)ZRPuwIIj_s3c4lFZQSUMi0)OO=v&#ZEY^} z7`ARDWwvM2SQVT3ZXPqK7*2gq3-?5nTXi(mc4$fJ?|QOP=CxgXWCE?LGsMZY>_Ok? z#5wHcV@vld>MGHQv$+|iRJE+NY735x4RJfSgU%i;bS7k=XQy%&z(OsH za8zxOM>Vt-N~qUzc$?RRc*#sYdjsC0)vqy?o4%|=z4ZG^a!4B$Y8%QVzcsIeJT^|M z)i`j?Z074lz`A={%T%lEem$cjSM8rUtwDPPHr~t%9K5f!Xv;1>?iQ5U!`B(+d#Goy zq5j!8t9H!ns)c)S)&pG!*t+8KTZ)YY*7Hz*HV9+k*N_cmck?wz^&fW3X#?G`ITG08 zD7dOMbDPOfdF*~{30=oDD>{sJW{{5TxXLtZ{7h#VduR{6uM_L3rMvcSmJsiz>OQnK z)f)4s!E&p71$JA3Srb@^)G@T6zjtFVjegn@WFgdVu@P#8)&eUmtcySxF=thsz_5Pae|I}3`pdWQ53+O1=r)X=n zqOV|MRnO(_dd;`~=xDNt5uzl>ikg0{=CJ<31rzZCIGKcA(X(<0OnZJD;Y7&xjxismkZv>M9QVE;uZ zGvl@rWhjN~OqLSlfcBitWo6~4e(LxYI!2Vg3J3wIickk-$W1_hiy^HB&T0Eg;A$XzKoA_XT4CZ7okolUp4-oyK6c7C(7*HS@}wBlS5hRcDcQqS{%w^ zx2MJJv3Z?tSGH2r+^krgYn!~Siq+BT@N9J0vlU4ybJTkr?MhXP!&OV`RMhk}^3Xa8Z9X?oNux==MX}nNTbh(Io2$XyupV-+a5uS>vNn4w?WwlO*{U=L zx6|nMD2tr+&CUi}v%-6XGH&QpX?3@G8XS-`dfROthtlShSDPE7w?$}`StXJHP z-D^k9EMPSkxtr}u#!_d4$4&XltaEr;X&?F7xw%+kCM~hF*54MYuGnL1ce>UpRgI0n zpE6Uiy6c@TrPA5ZX~NTT4r`6Xa`jyS&-T zN_U&G!L~_h14+G9r!-sfx|Ifx!{&8Z6uYyv1@vrDY%aUf;&H;&1}Nfy)YhuBI6NDi zUN1CPzX|oJYRwB5K=~dOX{0?^Xo_0*v(w^n+uItv7KK_1)V0t$Y6l=#dlN_\FZ z>U1?Ux7n#_soc9=&6|`AXC@oHpyJR%Pu#M>ruy_aTB+XXKm|IW)%|TPKn-L#p%<@X z107Y56MD6~+g;6Wn_a6t8&ee+8HnSCt{`snwt%tP9aKzOrpeLVqSYu&AlD{doDK*y 
z2>NMq);odcY)PV~)#z?+cB2V!Ra=yLTPyJDcKHoj9fXV~ueYTjC&%H+Zg;MCwm9rg zTejP?HiuF8wk|e zgcBB;u5Y80x0PmcD**{}K=4)v_-JT>jy2a(m#nf04_&fJ!!?aev^Tjo^dKXh25lY} zFyp`m>~3(p$jdrMgI6`MfE|PJ+nqS^3Ydx8>fIY1LF)qeKRRWQA3Die0+zxrwKmy6 zs(OcJ=GuY;_0aBHy)@`OKNJADyveyw7R0a1oFx& z7gsDRF0WjoEP{HKRj~Y&!%T!mYpWF6A#bX@q=q)Ow8Xl&49KEISfmIs+tn$z8IRVEUzrJLN6stODb!#p;yRLO6q`6YRZZ# zDzK}fWx%}^`CD97z0z8~q^wpctEwn2fy_lEz**6viW1fp2(`GPsC=nKDK1)Cw4?-U zRY5COEXKK8URHux&|eY!Ev_xEs-$8puBxoH0%-v$t+oED%gbv@EJ~5JyoM^I)LI42 zQ*}a(Dr^MmRhF<;sHzpsh(HlaFRLjD@KRh-Q~_<((8|GuwVxbS!bxK-o;T=8Cise% zvIHwfrdV}+Hx9I*`cU1R35dU0LcCbFB3g3?p-;WR9k01K`@$56z z@ICpFc~72=UiiLz_`ZDjzI^z;e5f}M-<#Lon^(0HzCRznKOeq7Kg{mWcX`Hjb~@wI zT_E*18*z^XCtl6fCAhz7#Wlo>epGwzeHYU81@)e2MN#z$OKMd zQ{9(Aws3PW?{6zo-8m;JYGb z6ColmVh+(o%#Fwg{E~@D-6O0ACq- z72vBQy@0nxwgJ8|vK{d2B5x*QhP{CQ!0LhRAlrvX16`!V4Ei2a0!v7bt2B1myk646N$q&mQt zOKSkXMuvXnC*>!JDF4BPLC(jfe?ZPBX0SZ7-mE7&bA&m9h~`N1X2|)P`D>7~#SCL-{+=1e&b%w`W+KFG zi-R$Z+ZhM>ao>yEMZd+uZBQhsXbH>)*y!_d2c26%!?gw&N5cvOXxOmI08$uih6acm z4J{CFG;D%+GmH)$mv2CPqv1x#`KIBUfZt@;2KcuOw*r2f;oE@kfU%>a_AwtL5k@Bq zaEmbqben6;Mg9K`@H56UsN1I?J{EfnH2gH^nQAo=;&IYA(C2swbSNcJJ#%?t$Qj)c z5@GY$>WR{@$OEv{v(4)w`$;mF;^JerIllToXb)*~kgBqb2ln!=f4{8|$W$_|p{2Ejyn^xD7{8D4 z=QI|?^$w3qh{bps#tSj7#kd*cn=rl&;~g09!gw$Juv54n<3}-m0^<`Hzk=~!F@B%M zqKI)Z#w##x-mreddT}epw_v;jJwg~?0a5V5?1ly3n227Bb0zm;gnL_P> zOeblu`_6zf_Y9H+wlov=3_1ASgV`jH%pr5hJd#f?A@kuRw16xmmv+-?Z}UW$7g4=R z%`j)aD!oaF5he&TgaV;funS({CSj-WfN)4SD!e4TEqo&C#RPGhI7ciNYel=bPkddM zsH@a%(>* zwZ<0XR^tQ4L&iVGPKYgwT@l+9yDN5I>|yXRr()lUJu5{@iBg(0Pb!t_q(*6@v`yM2 z?UN2m$D~uzJJMM>Qcjf9m%W z)M(mh+Gg5i+Gjd!I%Ya$ddGAYJawWu%{{A2Hmhr`bHM z;ORP^b|c@KT|7O+)8F&-LzZ46V?DYuC4yH>ecg zkYnU|a*Di8-XZVv+J9o{dOc6McGhp?DVKl!UwPWW(&p7XJ;KrreB?HGczT?rE}rk= z?YW+3shdmT-ojIEA1yq;Wh+nr$kKnG&C~07dIF`MLau<5?kc>~=OLTPjpR0R7uiGZ zCl8T>N!e{W;SMZd}aeXCEPq6fcVxB(1(yiQMZ9T}+Z&-M`Uu%uuIIOkkZ~q$U zShURSF077~I>XZ2d8@bI&(iG^c*@6fJJ-f`K6kfsE#EPZr`vdXFHg^Oo=`7mzLFCUQI3N%oQl$N_SQ93e-^3Gx#86M37Q 
zA)k;h1-%d}BnZjEG{GXw5f%!?LIv!0R>OX$8FoBdV9#?q?0WXXzUKh!e2&20=LGD2 z{sjA><_nbfC_Vy!g8TWJD{0E_v-_8#Z+ z`tdJW`d|B4dW83Xgy;Wv$h>``Qaf*d^K1zHrx5y+puG=_#gj3by`AvnjavG*f9yOH zkG{v!r^fTNR9ok%=FWAFt>P)4QODSxvx_~~(_Ax8U%^xEJD%p6dYX^W@hM%+#pArz zabD{N}x-^8Y2%#%O=-Lo^ zRS11;2;CS$H-*ry5ZW6;Zw{fihR`>K(6@!qJ3{DPA@tr5`rZ)whavR+A@l! ze+d0h2z?-gemI1FG=x4FLLUmD9}l5_9YP<|&X*G>wDgN1^XU&WwDe1|mj2%ZTKd!k zE&a#0wDc%Wtx zrT=<85%>R@p0yu({*gOi@4J(Pp6Lb7} zQa#g1vow(5(7=o>wDdCS;niTT%yx>t_nC#!IDm~Lz`e|QuQn*ZI`5i-*8*-&hj5Kh z=iUff-GJZceMgxO@Bf}@z+n1NGjQR6Sx!GIR}3gC!y4E+Hq=}Ue_&_)q2?kC!v)Uw z96VaV_p~+*gYT}M=|S&*gm|^{*HiEJ16}K6q-ZJ(-NUfjj}HL&^18_5`&ZvA-zeJ2 z4jl~WeU%jUKTzOHrNK`<5p?B=PKDPDT)(}C0Cz(PzGr9{&ifL|-O%r!I2X?hcRl&3 z3(jZXdh{J0EIx)W_@3@rN1<04J$x;0aN(=v_WfTFJ__w=_`<;4A0G%{t6QhsI$x z@BY5m>G&7>A21%8hWk@3L(QG^w>3y_CPTF^2!771*U#Vh_0&&}zk2`VI}qMKoe%g<4`JVbgz%Q{tqa`itNnR? zEb#Q%g$3WE7rsy4^Y*Tv=J5Rv<0mKvbI?zzwb=jY0pAhdk)E%^|6f8&V{VW2E;jJ} zU+^8ckZW&h@6WN)YHs)SE=K4{PwaYkrAL>Z7!3D21VazL!#&^a4!z1~-~W!zyX1ZR zTu;lLK>R z=<1oAkq5qZ)XGW3HG1(q3;%Bq4Ohbu@-*6EV_$)Jd86r@1YZrld;A!^hcE}{ANRq` z&d#&_-RIv10voj?)j#<5z*<4Qgq`!5)RUi}bu<}Ced`>0^ZO^TBX-Ya0JJmEfMa-) z`A?*&rjW*aTPJ(N^ZEGOU~jGVHZ1kDhgvybXHN1ve+Rji_Vk8l|60|r{R*?)0L8gD z$@V|~(HrvplkbMW7~;y)i4%1_f}Z(IXEPJE=)X6qa@ThbN7VjF>s6Av))woA0`Qw(8$90hu@bF#10Ld|e_62_5bXxTcY@Vst2DR^A`KMt6{*eP+x0a8KU*{rCW{lxQV+fxQ9G4eYQ_2kjB| zuxn6fHyeG5lb~k>RGs&UgOi=HPG!_{ORrlV@N-KeJB?^}D*^8m*v)`msAl#c#^Qra zPlRaeGJW=%gF(KpGB5x-@au`^Q0W6cjBhNBYOeBLtHpB4`O=Pka*^KXOiE7|?a zlYE~!3-fo=_6Pq{)sgeL6hA3w^bvHwTzgtc(&i0F|GhZ33_UQ;LU&APNvA_gl2NRu zK0~)&eFV!ipukRE>RH*J%U3352j_Fr8|e`EBvZvSXMFZqA3r&(W|l z!T;%Ta2)pQoxM_k3f>`HXugIQXrBZN_33;bj*?IDdIJHCX!qm(`wS-orG}2np@*)| zErH$nsMk}E&u6LtdU|f~^n>@pM#xhcLHD0RR=UA|QbW~KpGM*Wp9lS`9i44S!Cs2b zHugDf(Ai~_&by#bwK;tjzyemb910#BHCb&q>g!Qehmck#gBKF2z0 z!2jOl5wdO%9)zAyLiXdG&cCD8(mJ1bwdWR|cQ8x%aDKmxtp1K^-)r@^#|sVkJ2!zhX7250E5-epwX|0M z`n&L;op-)#``HTr{ouaW>R*2s9<l6X=aPBZm9SeDS*H8wr{Ap z7%9*nO^vi)D<3)-J^S%s=+Arq`}gkgf&9h13k|-Sq2^#@!0`C}yO99C*ZW?lf4?I! 
zkiR@}p`m~0V)ecMeXrG@-i8C5-|r*zv9FP=r&8_P$HLGx^zZjMN3T7Nl;7JJE}*@G z(A_6U_}-8{yT4^*Jg+-!!oVMzfz||jyhAn^vp;z+l zr6*+eG?@0iO6T_m@d11P_>cm9U$vhY#_t~=YUuL)ARtt_ni9Q$9l3q?_=$_h^(=9?_UCg^i(#P*3sI@LSsO~0TAfFN)Ng&fmCdnarWG=}k^GN|&NXp4FvXZPK zt4Td+Aor02KZP$uA_`)J7$q9SXfZ}Kim{?3n#6J9L@`-R5fw32 zoF=A;nPQfhE#`=G#JOU=c!^jbE)W-rmx`B(g<_FdES89+Vwre_c%@h&E)^@qDzRFu z5o^Udak;ocTqRy5t`@Hr*NE4M*NQgLE;__Uu}NGft{0od4WdhQi!EZSxKV5uuM@Y4 zw}`h(ZPG^RR_P9Dr?gwzBkh&$mF|;%B>h-=PP76@)EgB zE|;&6uaqm~D!E#=$~AJWTqoOQhukQym78RzyiQ&(H_IDjm+Y2X+vJUM zyL_FziHPJ`7;PPldIAIyMtvGknGp0a`Z**5f4w6TtY9vQ0!zpz2C#J&)?>nB5WgtANG5|t{sG!QC7gns*M!#~=MCWv zh~E_6g!nJQU*PIT!bcBB@~Qg(t7!e~P#)vT@A|g^m#1zwrh-pBi z7%5OnX-a8Ixs*#O&E=*%l!szU`6%Tgrj(CH8gsdnMm|JDnx>e1?^-$eQEI*S>+{^_ z{_{D{yJqb*Yxdr=_ge4X`-Dg2$SCo7HVk&ZZu6P{z{JfZkoURm4Ag{kHrX#l(h$oTXwPFTxe5rU!E|<&2 zOyv3t;%Vf2rI>}Be@#4tyk8+^BllN{FCqWeiaFqbb>dm@zx{Oay zPq!(=^WX?gJOiFc5nl#Zq=^OKi*)GtPrL};@QEsLhaZ-J8Gt2ZhQwFEBN0&zE{Tel zz$Y=W5S)@J{NRRgA!u#*CKEjF!QS=4D1R#5i20D8gllVq88k0heD)!exsGa5-W!E|*y^AWCrs zMH#LTGhmn*Fv1KN6?M2`;-7HE#THx%@k3mh;>Ti#xJoqQlFWu#%!XGp8)h^2Wiz8) z!;F@rv(*jER@X2? 
zqAlV8dq9N0xUup&c^xVl`(%k%=|Tl`RftpuW~s}PJ_=A@(K75mp#f{R>55Mn0!h;1)d^Cdt5#( zp9W76uRX!MHl2CxN#?Z~%xh0Eugzp$E0fR3=fu-;o}350m*eKk`C^uQ0ZjJ{Gu>=v zx-ZEW<%?ntb6hTS+_TJabB$`F8vON=@e+9F72_4iSB+P}R>Xbtjn|FW!D4S1Z$N&- z_y#!Zo5nXGiTl3H+_!+a??vXmD&u>`_rzC>2BQH!#C`LP?Z$SzyUW-E3-MqT^Wc2r zm&X5s{cYnN$kWCdJS7JFGBee}14^}e+Rx<;>#N1cS-1ic*-a=-* zmznhznF%uiCL-=z%-mPa-1ic5->b}hi<$dgW$vqC*83{6Uafh9c?0-}xNoU>qj@9P zZMZocEOrxka0&BZ4Kv{D<}KzeNgiAd9=sJgao;lYHuE;<#DHI823%nlm<6y94=ypk zXnqksh2|a5i4(tS-U&`z!kqY3=ENH2#Ml3Z6PK9xn)ibHO2CXum>E}^_k$UifEgb^ zE0e*GOUwt&2gTQ!C6_QuKFcgQ*W6-m5%bKQ=1;M@>^6TUUI1Tu#Zqj$eR2o5$CV$- zP9aoVwMD9WmwJy#^W5wiDNN5O&uzk|->KgtT)jkpK*aP?{ULF+{;>XtxF%zB#*f61 zjK6q=$TJ=?D#S=D+ZrOqShriZi!WM7tlx-2tJUfd#XilaiHCe&@qI;<`BwW@i--NS z{;z`}r3lIo+WA(_jzL~yf zR)i`@ZH|C4cCD(!W^##J|eFO1>>-3gJBqTo8&EBjN29!q9|bq~q=bg2{Uv z$WH2nTp$k^35*8D;+-PgCjgU@C<7{h=}F82<|aXUCElqXRGx+M;^ciP?kj**z&c<9 zunG39xbFa(fIUDna1iz*xF1WFTe&}1g8J9n$9CWha1OW#TbEFfeS+Iw3|$|jdwX@$ zh91T}bI`M#0X+#Z81x+b3xQ1HXUG|Gg^z-Kxzct8o?~3}b`cC==!O@tjj)jkEY)mnx8Z(U9xX;6V zfw7QLV=Oc3j5XlALSv(`8E3slMh*Pxj2Yf0V;7^@*h|0(@Q`uTIF6m(DMkl;3FnPV zjLXo0f&QA3F;Gq=n5Orb>3ZA2YN?DYa|mNt5+l4_j8RDxfJ+GDjWBp)Vt=_5&w);uZ&rOK7MZo?a&x7*7WLHw4JdCxc{}u-z;1IN9|cpd<=+tLVDy4k|;SwTh|>_N!2@)+qxBV(jB+8S#dw~DL@)+DRUsxTH3 z`sZ(qHQkzJ&Gj~0m5e6i6y~GRssu}$IIj*rb8Fk=?ttjt+ zy$N*^_9W446j}$366=U@ig65e5n7=G{d3u5wKJNnGX&$Lb&km*Z{s4K-64!%@yhc?@)5AXa>ZjDd17!B+zR$?%^7|0#dv zKb7E{VGi-l@Xa=}eDji6K!A;~&{u=!H56~YWdvUx%7isZtWRR2w~Mj47v>1xwj>&p z*p&pAeS6_Y*x!r381)_U9VHCJuLqP!ef34JB;n18K* zk$U<_|MD!eFQ5V-%rT(A7G>#dkOx- zRvx3J7kGApk&bu={B5uU13czENAREapY>lbj{7_P-L?j#`@8#cxevB4iC_}(B(jsp zO(HLek@jeNtX*VJFbeHSMu}Z!>}610gz5Gyqu8E{dnMni?Zx&|dxgCU_jUG)L2-7J z(a(*DF+xAr*&EEA_9n|`Z?$*WP4*tU**<9K_7UKiIfT*b?P9cB6YMiqS>N5;WS?X7 ztrO?5D<)iq4qUmO87IAa7#+|7`=Z@N=o^1;lOq_-j!tmA#wmtvG%~{8V@{^G-N`Xi z30JOBN%2QFE0ev>|3%TaZ zLwNzp3kPz|s&;CSHw}aGC=2DNv&_()I>co%5BkOrc^4)a!dYW@0oz&cFLgFLo2?*Y zo0Uzld`=@H?(AaZI(r$(adGxrd5l9C1Hw`0gyYbGE7u+8q_>N4su%s=-+}MxFeeU- zn{%EqP`*Uy_Xp1qT@ 
z9LnQSo(LVVr@N&_v0LtKcBc{CnZ`oKoFwMki`^=Fg}Vs%T6@Jnzue`7zJ9sj3POJw z>o=p`>|``RZ=ijUy9MoSM_W4yee=}+T)4a4eeMCnb`KkwZi{=OH`m-Y^p|iN{XdI! zxC8MFxEE0F#Pe?G-4w5V`=o$I=!?%ldca5coBc*VAA_G=@big4kZ~INSs*!&fwsu>tiGHW`J1twu>;hgC_qa&6*MOay;PtnqYY=j9?uq` zD5hsQ^z&jOWS3_#Th_4UG4`RSZ+WJ`o<_Q&@mm_(g*F88sD2&GY{>WYF!_rSkeS*9 z$T6A^GFKbLI!TwMNXi_RPYR`{UED)D|Mf|TMv`2o@N}`{r=B8~Z?exC))%mx!!n&~ zJIwN3_IZo#&-1syvuA^r2mLQvHh=E|{uY;X@e<^>sLq}bMJD7sEI$+$*K-5p4T9Su zJI<OrGF6y(^#Wml;`^*Mo;zo`Q43V*NajA60H@|>N!r9lvK7a;L)R+f8`km`9SwV zwqIsh1^+b9E|TnXp9g1m<@FxPPbn+!)u!R8(gROrowgJ57<;yRenYZHhxB@akj28L z(bmb5O=GK6P?Rba6lu!3ZfYf4J3@2XGlb?*rMX_vy`N{Tlv^Cf(R+w`t8L;4Dc}ex zV0{ehW7vN(&sQEt2t{(XX9Y?9UXH^Kj=*l3as6%f{DAdGIZjqm4c$X25_%4BZOi%T z)$I8l)*om6_w28;e~{xL%JC583_3}c6dzewHt7G(In^s?@Y5`QO0prv&vvRuO`)EA zg=1qiwGNp=7M3~suOQ#1dc=Dv4?+GZB?ftsB z=NvQl;pvg?Uy&p>(0tt#u``)P&rlykSIV^Kr4A1Aq^h%U-c$=V?V`MvXyIzTT+;#xc+y$x08SORI)Rx zyh-^2{UvUlT6wVN9cH0kHn@r{hxx4;+_xF*c{_Bcdo%PZieaUl8LXY=6c#`0Gbv&@ zN{f5>L7xRZUAqyosOPsNJq0XZ=eYVc$JGlgf5DbFSyF#arwG!S_bQn8eyV;O@?+-P z9_{-ahwpM!_ttX<$LIgyan9$s>WzOd>}NEzqHOK{E<7KXe}w+epL~z()F1h{T1$LI zvx%>!IaRus(JV0AH+H|koHLo{D2vB%B99@-+x4{^8^x5HdJAQx{uIadtIUe4S^oyh z?{j}{VEcXC^S3$jV;uQ0j&pkVU%TgWlzzx-$7r7A-*NOdaFkXsJ3YWPe8BN`6UQ4z zSITIf{bOvol{`~8_w_dFKhN)*T-&c%KG?H?zkL*cJ4rwHY8^+N(o?{^L^T)mP$ssg zEaG^W#xwqNZt-!>i+|;Dn9IHW4)grYoIzgh?J#;uk%`QGjx+Z;&fGUR7wS3k>v=7E zj`i>GEa&npH}jfO!ItaU@(Z>+&9gj`SL9QyOJ>4WmhbYsH}d?>XZ>GTe}Q|om-`uG zc@t;Qjr=VIf@o6fWRIqt)G=%M7QK}_W*ZdBIklzrb)nFrXvgZXwKamHIMuJKDDT|bFYZy z3=bkic*SBN#Zp-a>HIhSy`e)C@?RPr<-ask@Lw7pYynPu%Co<%lA%md^$0CFP}WSXlEhc(s;MU_K*3kgofQg->HRnZSV03<1IcC(kR~L&341Jg;!C1ouZ!e&B@h)@Pne=v#WvCGFf+X0k;(kqEp^I=3}& zB9YJWiZrcf7XPaV>W`g#i*{-X@(a1BkJN85KQ=F!e>S_Uo2`-7=dDrJZPplmhxUro zlJ8*E7DLoq)O__db(#8sdS3ldz2GVK+^vt$Z>C!G(fVzAfqr{mZRRI9n_p+;4zAVO zXT4?Zw|?n=-amh!5A^p(aX`-cAO8Dey85#EGTQ!_#!z3Ne^sPq9Lo5$2zfv9UKA0W zulI?V6|v$XZoO}v6v7)*V2`72!@UvMmAr#<)cr}F z0Pa!2J?e1)+@oUk0bdK1{t|jA3Gj^uzR^;XKwfKZ5~L%RwX8v9FACt`!q7 
z&(p#D3$Ow$M>cH`TadGR!~tYHGUbQ-eaPrs}FuH49o?&4w)(T8=tY9j@j>8=;O;3)FGYeCk-W zNSy#J6VHp)5-cQ_Rq`-lquNHQaoEntb85cqf_4edhpDO1TDU#bEZgN7)vM;iIs_iRQ<`eJjLIxI1nZeL@a6oq)T2?dK+XX-OIai*$hopisA{Ux zs+!6f<(zU+Nad_@LDf|+wX2%)vZQfIS5Bg5o!qM~RhQYlPiZWnQSIq!HrlI}i{&0= zrJAYKV-B_m4g3)15#$k8*1{sFcG!oKU8xoS|F^CGmfyCt3Djrp8-n(K=jd#JsL!SP zRXVW@BVEnXacWX`@+h4qALU{X&b?}l4(3tMP@PJ(h|q3=Jtwi}2KqHbsbkM9_N?L7 zH}GD6Jo&>yo(HH8((cLO`m_18nZusLxh>l1jwgwFD!AP`(o-rS3s`2Ql(1exeV}uW zJV8>;>fTCqav#pn&fe2X^?O?ByRc`6Ov}R;C@HhMH$uiK20XmC*4p)2`W9}z!Xvm> zIJIh{@sOCPO$G?VG z<~?|8mZaZb9>U6eL0*&}%Rk9ZOHhRV|BjOa~oFYBK zV_l0C`)%tTtHnBI{nk2;mHS=m_g0(rp7rn6DeDi`8S9T$2Uha0VC`PwU+RC&zs$ef z|26*#{~P`~|C|1mSkVOV_}zdB0{K1YlgbiNqHX9&S(2-*`5J~RCF zxuF+*XNRh!zG#r%2RctI|C=*{z?vcWj6mms-N`*X=?9YSUWvo~dwhY_NXXMy;A|2X zl4b1nWcR1|4T7ox>3|OiezxzYV6w7DX~wF3L^-CkD($^1lG3GI#1a3Z)TLM2Qpm8( z#62u??t~GMK+=%sZ zn{33Ix(n-WBUa`^@+hw3{nvhFx;%*$xkH}Eb%|Ggx>9*fY`kL48oXNlW9!ua;|lek ztw*1|68#s}pyb-u)6Vj2|LXJE>&|6jW<^VxO_F|#gkH~*exEwf`zuvyF-!UdO-qgO z(<7|YZ;qn(cTDSei>CH+01F|`WyEKe!p`J&%wTDd3Z^>y^FGL|LRFUweOV|@qf zGg%&joFgmQ{v1n#$1sIu6`9icPw3b0^F7-kf7&yFJzH27v!p$UxcnWSrMW^?HmPMepZc`RgeNTA5lcZcKeS^>vY-T9>+B+>!c0>IE?| zWL6lQD*GiU%?3 z-^FUR3D?7zz3n(p{S>497)JXy;&IU?{zE(`{vghZFN;f}N4%s+WvE!9EK`F68ND(`+?}uc56RZRPB)Vj*_OG(cV}5+9i*w1UxyOYn5yCW%_RA zT79qnbEQmwOMgq5q94%TRvyuRo1!aErlh5Wl+`JTluV@|sk4(m@R~T z1~>;?1aN9|Focc{cmeFOoG_3Hi{UCdRaf7umJ;a_B4VwXoOQ4fYm$yS>xi4a+`QR@w*b!*+{(0+u%Ww0#y9^0{DlqTKCh z_97?UKH&K5l}-@#)H`w3v*A4mph|T+Z<;sEJe-)XOdF}&kD9ocV;0QUm6vNH-7-WCexqrpgb@>VA{2TX@QxJFEGamIvWD>166@Vu-Dpcf#rdf?#94ceB;JIy*)F~5ZHn_ zogdg9*csRz*cZTe!SisSC2%583!gUlwDgVuy~TRc5;z?=>l_SR2%HUc2D*bg0unazV z?^>rlSQg61=$$|YAioF-Li!64*xvP6V5r=FnufgvOtAL`7$4 zin}*7H8dkM+npMkXV-=nxHCcvLp7mgu-8Ff6IvhQ`a_#T+fZk+txzL$dbcjLE3`LQ z5!z2WdIQ~F6gp(D4IK>~51kC13U%1~Lgx_=2N0R~qR=JOusl%CJ-igU+^2_SIMr?l zn~3l|!O@?t2O982n2SJZ*v0Ih=$)6a>-fUaa8`IoXj|9~52GH2M}$YA&Vq21#y>m` z`uOm~P=2^HT#gxB5uWCjgi8Y>Sf9yy0py%uS$KYUPPhtkQMfi(0srOUmEpChzaI58 
zgtvsZJ53=wywkoAJQv;#&wbQNxZVwi4}@K?*;pqRY_I@5IgB0#d*_0C3q9O|o}92( zVy;Jq+rp>AXDQn8b*J2^s1xzvbcHX3JNw3&{4sjH^IJMF{(*_8r#l=CwiEN%oe?dP z9`Qwjk+>6#WK({Hj)q$zxlXgQ!qxFK&zWSOjf})oEi#(*v8)f+iy{-8ipV5)0p9XO z$|4nRPGmY5zC1F^$&Jj#JXR6&M=HTQizC&c^H>EAL>5Pux(n?skrk0j;@HTl$hyc1 z*f&HrVZK^O50n%4Mz%(FIOifwkv+t>;i^b;c(+>^X(qOh93+m79Elu*-Wq9-oN+26 z=bX_I;@+Cb#YmSk8hvPw3cE9WA{>qC?&PR9YDdG)*g$PGGb;M@V3AuBwcU-;9A?pu z=+Nl!Xg+3kcXSLQzad)a1f#{scZ_7T#L2}-Lbn%1Cr76^JKP%dxjZ^GI>T;5E3>g$ zq(|ok%c2XMxV2MqPD!~ zGP{aqC%QklE_x_B&z=)K8lC5~Mvq5NMo&dMqPwE!qnDzWL&IY-mKxseG>1E#u9z9_ zjJc5sv8b~tmgU65yJJIQ!-7T8ZO&GET5LpYlwBT<#tLW^i|%)Pv2l@#*!bAQSZS<0 zHVyqe8=D#3<+R4KqWi-qA}eBZuu9g039H>HAv-qTu8+=$RiW-hSm`FmYQsCR{#IdS zERQWGJzO7K8Ev%p#nw7wWA(9y*p}FKXH#TWY-jX5xZjNJc57n$z^=8i17IOAVX!Ec zg>|qnb~x4&nd=;hortx?PRGv1F2p)x-I21m7Eh1+;=y=4o*mDP=i%M9a8`U|d~~ck zJ~mzypAerEFN;?=JL1!wJ@Hxbx$(+)bzpvcvEvIJax^gQk+2(I8eidP@l}-XftF~A z-4I_F-w?7LUwl(Ii{i(<9N!w>5zeAHh29k36K@V3jUPnLmd1~SSH_RUTVrSA?Xk}I znfN*G)kVaE7V=V^@vejjHqovlp(B1u?3qp;I0qb_@b<Kl{wRR-7IeXl?L}OwXdf1rQn<$3oUc_NdVt?XL z;%Imua-=SC95tUL>DHjP)rg-(iBpLVyOY~GPHlk|^H^_B6o>K?=iS0SiG5pMU{n}8 zl*A>hjAaS*AyWo7I2$rkGfkFmQm*3~Sh_igv`VVqsmzRKX1R9gROS%uMbFx8nZw+| z%n_mWsIxV+9t<@%b5v$Q=D64il8MVCL;0EGooZwO`b_nNIzqNPIddX%s@a~CSxVWI z`G48_9_Xm5YwvUJo!on8Ci5qM3?U?wnSllbq$x%O9uE*9rZgh*B1S}tlp@8HMnsy@ zJfxUXnnx*OK1x|B(#Xd{Op)>^4{1b1iin62kz$Gn$fG<&q?C_F3d!61ckUe~lR@pb zzSn+hy{^0VzI*oBXPG4Qg?vMy&rD-;f`%Gr=tA6k_@C2x6X zRYowgKC~t@mghlUm67K4v;tWf8k;#ev@x`Wyt+6lJG0k^c4lUW_E5hr z&Cbj!&M2mJQ8CSu+jG~3_J zFzDggd_}OOOKSS;yn4P~$S-C(zZCSiIJ%r^vVrMI;7{d|Eq_LSWyV%TXRlIp);PWf z$)A(HJ};Ep*tImjn(ElxZBLg5nqhn8Zl!hp9PT6e3)qIP&H0P?Iwha48fY#cejRLE z37OSQ=N-zNs+yR~HPL}^S5WMr1_5dyRv6yihQi%@|&6N){=jyTmSqcIUDj%4*)#`^oTAK!X-4u*3nhQ`K<0*7cL`uLU?k{hRn&G z=rQ4G8LPt;;aTCTjH2+otnJ~N>@DG{{9QEHTndi>T?~2v)8SgsOT)`^mWJzj)s%Ob z>HO85>6~mDTNY;fLu1M3GrN|C8^Y^CV`;tN;w!=MhVbU}#o22zO2gYSOTwGOJF*7T zyf(edfg74K7BNk$T%z;RyB22*r+6behgR2oy-C*sP1KiZE(`C@E4iU5ypQSpV$cV= 
zq~>hs+I+*Q@Zs>$@X7F*jI8ka@THvet_#9fa(YL!92$`#R>U94jO0YZL=%n_bV=MC-{@JU7vZbULRYyEW1`v?V)ik)e^1kZ&&Wid9{!;wm+=CbB-^S`}BL zk&Tfpk*3Jb$ezgl$iYZUp>nx?)$9J+Rn7O^GK!E8yS>6#_c;i?vDgybvbXfaL?`jpdUR@ZM#k!BrLB!tSga;#qUe%nU38^=cLH|| zqN~%VMAzb8#F}VhbW?Pzx)-6Y`lH*UyP~xIj5c>|R`(o~-_%_Nb^RVa6g?6>p;|=U zAF%IW;C=U9{s+K)OBe1p8$r+;fnO8$J}2xgk?p^7{Q|VY{C~nXTzo8p6AHA3otld=J(xYa8fafv@lk-~qrd0lx8;LHGiocVm;m{N~`v)1`PM0>}`)17{~_6ZY&y zu3Y9AesHo-)}KL#k$Mt3%YmDLHvvC_)WNV*Fr9J}a_wMjR)BsAlItM(5af=U#o6a4qVd z2RsQf#}PBnbE@nMel_?%$@H13Qf_B66Jy6O~#xAeYhNwWy=zoHTtC%*{Kyo59RKSu7Xqc^{m#v~YR-x8a zs8=)UMYQ?v=mkOeZ42i$yTD_OuzV|g*aZ1|pdm*+Q^OpJ2mW{QGXA?;5BUu6oAB@4 zW)&OY6hQJ(JI;wtnX2@lU6#V;XV5PDnNRXuqsLI|TKwO55p~%L4L3nUCQ`o(Pg-oJ zJ`{FVDLdiGsGXN})~RuTy&>O%PkKYX7^$zrdtXMmTU5Jns{RR5(W8mZM4WId-wKP0DgrUfB2s-tsFg~4D=(A?*q-<6d!eL0sp%kx2}PRuJO>53Y`Z*&w&lA)z||5 zH2D8%_-!2OSPBok!~gW^njInBN7gZiMqu_pp>10WQZW+3d*%GEul7e}3EKS*)e0!< z3d-t<)N}A#w#uu#0m&xtdqUEUHrNnSKb~D8|^k9W^}%Paahx zC+MH4nFaJOF^<(EwLGPr`wleRs#=Yo&@}d`Sr4W3QnMjsE<duU5B_wiz61ONw2OoXGC6w9XV?=kRD>9AMryNKD?-E9 zS(|J_yPv?E_#tQ`MMdUtjLb}b1?3i8ox|-2d=Z+%=-tiGze=rz?9q~KE9AWm@>RxK z9eSAs{0r2pKRh!Y8q(3q$DpAPM(>+}PoR{ap_O;yd8McEOq>t&D7E$jz6CY9QH_?! 
z`yO)T0ndW|Y{=Y!)*lYd527s|L@YfFz8`IO1bTME+J~T_3=y~n{Htn=g@zrVFJq_2 zCs+BI(B){&rQn2TYd%;qQZ5#Nhx?`Z9 zMQndxS&O#*1hfY|^hvcow^I$QF|ygKh|=}2;eL!KPl67@GiO!YsuddQ`z-J$7(Yj1 z3~vKH7+41`2Og$;rD_5E0C1sN*{;RiR`5i_q*22Y}Q7^765!pJ`nGTBHS${bqPaZ5dm-th+P zT!s2Rt2_@In!ykG-j@a0kI+AAa7Du0VTWcE-wwXl=3EH?LEZd>a+kW+=DhlQXz@`@YsKnn z6uB@*Ye(Q)TzhJ(;h&yp{o@$BQt{;2STTjLi+7z_w_ChRF-Pl*H?I%VMrgNdCEA_Z zJ$SqNecA-=tJ)OpYua?}o7!V|hx&K4x!S^%9>!b3C4?v;7(-A-FhS%HT}J20Vw$KB zvqY7chdq7qJNoK7?CG1vyZPEPa2M)5?9_C-Uc%j%EmVUo=y|ok@5HSsaL0wNDpooD zNnL5Fdl+g~R4Z=1H#mLNwKA}}ZdP|ea92Rh5?YtI*$=ageJxd>R)6qfDxRWSDfsC> zY5s41&t-=_cHa;)MUki!-xh<#cf|L^2<)-@ir7fUo#F*L#)x<5xJ#U&W32HOdGT(u zyZHq%&g^OS6!(~Y%syhgd6U^s+-nw^h2lPQfH^=+FbA81#r@_GbBLH|-eH!A2h97; ziQ=o~By*B@5PKK*QLC~?4~wJXBxye{E{Q7?Mkl2u{o<0$lsN=pe%?~{mjmTcIg-*w z%dv92oG7Qr>2ju=E$7Pla-m!-m&p})K4*$1!Tgf7yar-Igb&ih~jU!R!q_G1n+p&!zo)S zl9%v(NY^~R7w7s3=u+m>nx9ku%)6Cc8=01U!5;(qPR1$gfirCljhL?+u@2!}H$%g7 z!1EXzhd}25=R?~#y@AW(`<8l*P7$fUld_2;hB?}>l)Xfsbaf~E?<^_%^4@LvMaKF7 z&;=}Sq(je}`g71Wj_@m-sy*(?kk&Nr1tuH_ME{@~* z_YB7RUdD!>bsA4Ya}D@4iblC-py6TWXiZ#}cFwLB(J9YE{s3ba^lKF;B~^rkCQ~Jk zex~&!Yl-z^@0Yy&y*GP5qPXw**WFv1qKkIyA^j@$kUnVaFkX>$*gd)eyGI+ad-MQy zj~>VF(GT2@dor~V*b{mfdqUsEp3vW6Pv~*%3H^}wgz7oGCsgmndqVXac~7Wb$a_Nd zFY%sGy}vN8`xaU03+gwgwx+hlgU{vj_=3JHU#>5T-@SbOd_}&&pqW41R}7lcA?wK5 z`C@dbZye5!KGMQ5flA+;4*8g7JNV2{?OWhmMCC7vs|){L zLNa`IcIMJyI>2avwxWH*tk0G%&?Zqj0eu=fTL@X-9C>0 zI3Me5q~GL=SerR~r!82AlV_7}Ypi`8JMA`dcpcKV`*y{A%e?q99b5MLnsGklJAyn+ zJ7=eC{>|;_oE<%!#_ij9o&0v)V&@aS)5v$ucd=6)oO7bB&e^fWIp@aN)@av1J~ka# zoABF?mst5uJscj>m;Itc8TJ|J$?9*{HJcCNtbdHZ%xQD~1pj32TS&Lhu`${1gZ^p$3Mb7!%U{Li`sev;oOtrr z`j`5b`|BNl#oE`7QGbJfU965QzrnxRzslT=OtqdnUFgGwiurRQ=!}wA3DY3aWp>HR~RN{D* zI4;>f3M>n(2&@XMamJ9q`oPA(mOv9j%vXuyl2e9bi{sZgpLXDJ`%s&~&kQ>Qdjk6d z2jl0{Kuh2l{CX;Iwu7#?{uHp*aLu$Un>PumbI4UUWbW_{(sNx`YX8S!&?urfG@{S&MXF5tFB`zFrIB+E8&eYuXo zMZsWjNw5z2R|Z$d`zyFM*cjXt+#1{-+!fp#Yz`g@9toZZo(`T1UJPDN6KO_TYFc_) zc3LQ{M~AU6Zk+8fCVWbIC;7zqawVMO=FPO;0adSb3Iic~|Sd{F1U3(XG 
z^k-suvAHsFUQIkZ>yBWOGusir9wmRL4M-c}v=xuvX(Q4~xG$xRNh?d6kTw}GEvxpR?^ro0nFTR-3joZFyR3PC(zIe#iYUUSC>6+Pb7` zZ(DELhP2Hc*4YU*I%84VwzM6wHIdye+>g_Cr|s)-jp2$L>o^V%q#f?C9ru!Ig3Nlz+{3i_Bhb4c5581<{BNi)VOj?* zLA&tOuO?u_tNc8!F^I7RzDx1PGe-m8^#PvQwVxG6>JDf)2F*7>b1i86%Ph~p!aGoU zcgQ~n`FB9S2KuD39HqYv$!{QaBT^4T!!zLD4gTxk|A+E}$_4xke%!2$2pg#uvC(w}5A(Qe)$bSO;w}Bsq{x`s%hE_NZ zKU6|y24rpleIw{h`06rbt|D&(@}j1m^{5eA(2ZzuAzCa%hzk+oM&!5vAAo)Z^7vOm z8wFamApGyz5Beea1p5tS8R&OGS3u?d}aEVAspwPllasuv2+M zwTl6rhd_S_n}3e7n!#6XS_hryk+%wYkAOcDw*49M{|x#Ipwm&-HpssRJwqY?H2Cj> z|1somhJ07(l!(I@AbEs2_Fdp|!B5^x>pr0gZ-={K-w|^~k@#ovxELTd&@o87NylLE zmN+2(K^&yxALVOuuNdlTcD*fz^K;UalkefK5G4ew#2T?)Y!q8Wlh`Tti2amfk7yzK z81avZQ{pV89TXQtE1lcOL=TQ2L6*!V9Hpa|>?e!lVEQ#&7RypOPL|6_bWD{qWTl)V zt8pxl3rHg!a*;SF7x6Dy%^;VM>>`;K8(ARPeEH7I8X80(c~z`dMe)f zcO05uf#h6ZbLU$_f1+;2}h~L3q&u`Tl5wE#23YvM1OG$wfC)JAhl&Nwc}_}D#nPr#NA??xJQf^ z_fo{n7IVZrF(3Eo-_CR5^NG%#dfhv z>?Nw1s7-VnBB>by`&Pwm{Os{9%v*2CgI}jUQ}93G4l;I6SLpqX z3S*X0Wy~{bsPv`Aa--g8FxD9xjLpV2vZU77ZR|4+7>7yfsBzLbL#gMDOU4yro~fCZ z={GYecdeOYh6xuKRc2qazd6vTH;0-dNn*5d#vE&oHz!g#73LHwg|*Hi4Y9+VPI}Za z)0}P2HRnQ$b7=N4-&|q!*<>sw+w0Ap<{s3)ifcrAE}8qygP`Y`E#@(!#jogo>2 zhf!mdcd)+$P#W26_O~WkQ>_^>3*#UepLtfLH7DNsSS>2~?IL7vgAHs4`^K?)YNUMi#yXBuYm>Fr*k)}vc38Wty;if? 
zWE~=HeXS$b3G1|R*g9ujq`F=)CsK*jhLrm<)vv)V%>Hh}o$5|^XS+jYrn`r`x4Y0< z;2vNuc3P54a1U{hV4#{+nmH;5r@2eqV-P!zM;*^OEgoxAqB*u~FSyIx6Wo*C(>OZZ z6;#tJW?%O#*5Iyk&qEIK4e@G>EACqNQulIqJ=JXiS+aU|c1?1&QPhU@e&p^*m&q(fnRQeS&?9n`<-Am1ZNEz!H@0sYC z;+gK5>6uMEcAs0&=u&~+dWG`O_00DyG^d!;xd(a{TSxGF51prbmO1_+xn-Ueo>h>m zHU02AdJna`-HSYHJnKChJsaUyZuNCmuDRH=kYpw?c(!<&tZL6r&mObD0d5=5ek<2= z(9>c~^&IOI!4%s7^n1@K2G3c~1@3>IR!KKc zd9cbmiN>eHR;9bjJC*#d(b&9-TBbk8Jx1e+W~O(Bwbok+PJizlZ?$)Ucai55@t1h( zyeqw{iM!U@=-ot|t<-82-tFF9-o4({-e%MC9`YXXp75SF!`^c|vU=8_J!o|DUi4mu zPsr|65gRG@8Hk}&{$@h2_Dj6O4zqg=@D|L?t&CkWFdw@>8^H50H($QCCg3-_67GTP z`{ke~L(g8|gW%v<8ND)YeSoz>%2=e12kr-%xxhn#cR&)W6Pc~nA9x4(<+i!JGY%S# zTwApezmo08j<8M0we;HRM4txEO30Mh+LmxF7~5-(?ZD@e%5SWaCf<;kQiZ%b)jJ=- zfegP%k9PwBF9v6hZOKHooZp*HE1@NDsxg+BbDFhC5^2ria0f8J7d>ISaJ;7N_n57e%iL2 zy_C*gl{-}g+B$)m<37yTf>l;;w1|qF16;0!m@(GChCPf;3wln&!$pjZS$2y|L%m9P zS36^^oOeWO1#FLNGU}VFVoB{*hBsbU{=c@~)iu=%kct(v902)Ms7niERv@(!wH^+c zHFo?|qGc!Y{tFdFu>1&cFSWLYhu0`SL#J9d4+du;t@kOaA-~wJsVbeZr6hsZslEeG z7Qr)!)fDs*s|dANWXrI&{;K~fKiKhb5Po1h2Am4ubKG7U-hY}RprHkkJPG{W*vHz} z#;kb(%35pt_8?jTdx24-YTG9V(MHUlk5bZ+Ivsea&7TO*OoV&`^bmISf&RnjYq{uO zyFeGl)= zU9}SylIATRasOxSsG&J1^_Y;Ur?9g|re4r*PCb=+wgX%sXeDSf-qez||2F zZTU3t71?%0EgSa|6w&8ps&cBW?TI2ZfZR_MYd(FNM z=hh@VJ`av-V^2bvjxEFOb8(yvr#hAmUA^MY@p^JUCBIWQ`|K;V+iTo)?DZtE)j78% z*wmI#mJ{=?&j34K;$tl44@XD&^~*|H|HOJH+LVw~d)wRwr>n9L-CsRT0!DnG?v z|F6#1^ZVyKC+!2teE1pXSiL{v+{wqbpFZn+-FlqrSdYZ`^392B^J=?qwO%{N`naQO zL7dDYyPPH0>guZ_SQ%GdeEED{-LW6~))F)lY)Xxd6EWX!CDp7qlVgmLhqorme@b^1rLzDnRX?7GF3;iUUh3DP^Z z>8Hi!XU1CMc$I8iA|Ls)2}0NS{vHIq6~vFrNyj0_7SA=EF`s%8es8k?1fpaG2mI z!O4#CalLW(v(h`9Kkr!Q^sVd6J=Y!o6XW%IV{rVuoaD^wIkb7g`7`bKtg-h(!Z}I* zNjm?3UVmNh{D0X#*PAnwmf!C>=iFU)T*8iM7XWJ9-6J!$P#KlRg>UZ4#;`If>apPd3ZsG?D;_B5eiH-JH6zH3J zZN72(I`!i~|7-Q@FwfX!1_ma?iJcx8+A(IGb#kn(EHhH2^ObhWYTiG?Sna4G`ep1< zDdPWx7^jS9?D~MQF^I7S?0OWO^^DCQfv@O1#yYSI8Z4z}2lzJtzk|GYfd3ruYv8;M zdL!s(K)(+BCOE$Y{x@iD0bd8sM!BqgzpT*yGbXE5jikhvYDj00yCFm$Fo4V()61Mq8sQ7_kiSh5cIU2qNpe+aAK 
z4Pz(rwu29j>u%syVB~c@37JaJ@TU$*9hO+bVEGSGi|3(p0VIn-uK>OXd<*m_3r7Jf z$(Nz64YaDuA?W-$Xw+0YkJKa3^Jm~MAlEj?35tBL<|tn)<33=u7iui9x<>U$z+bS1)h45VD4#mS8Eta)Nq-27+}2 z8wfTNY!lA+Aw}%_km?(eN+$k0kqqbKWLQtKStcjYF%U3tzvCTZ>Rn-<{*Euv>Fr+eZ}e*Wh@X|d zx{LSov^6l@ez*D(2!H3ar>a`cSR)FCy&i>;0mLde3-26a}ffQ+JDAzAnBl;znOrUsuulzfEr+ zzTrubngHnp*#sf`+=HMuL7@!;?DG(U5jK?AFvdQY*^q7Pn?NwxhB8~X1DrN30hm`o zFe{ecN9+~Nf5CC+I&}PTg!kZFO>dvat*PE?*N!jh@O$bABl6YT=h`0teixV`T%@!k zR@l}Hg2MGsN(claxUCQ`J% zS|NYqOY2W`k#?Ujv_;w?(bwP0KVIBKEfb`c8Syu_^#2#ogiH33H&IysLHzy2!ylq7l(3o)_K4HadEW-Qu9= zg`Lc|iW77U6esBzBz{lFVDX=H{Db(Ajv?X_9sej=#V2B@_%j{D#Z@|PlbY1T2!7#; zxLq2wmKiB6=@z4;S9--A(kFeQLnpvEAi!` zT&|ES#C>w5Tq!2-3S8VTSIJdkqFgOkiwAghE++AtHN;otTDewCrgi!{@t|BU*NZ8# zQ8tRN(Heb&m?}5QjpFNaliVbx(Yk%Jct~!MTf}tvf_y=IL;hO+TFj6y$`{4M@+J9_ zsE{wqm&G^bEAkaFQ~pN&Mtn=YDqj_q@-_LIctpM~Ul+6F8}beDsC-ktDQ3&JYtvDtB&oF>Wxkx$-i|V(lUf|I z5dZS&$mnQJ4R>Nu~ZNLF#Z)sj>vAmZVbmBv?NiHO#f`m$voellnZ%)+TLT z_a?Evvs8H!>pM%`m&E$cQWKI`ufylce$_(vC$V0K2b4A?H8F|xouwW~Vtr?+NlC2l zEcMkS*7I{4+{<->Y`hCgh{;K#qO;tCN#mlk+?1q|(OK?mNn<11megW$Q$2zi>_*aqWwg; zy*s_TgvZA-#v*TQAfH=tG=zeS}`3kI~EY3HoGxnqHyL(yR1&dQD8eR$rh%bcj&wIeNH+00sXLkR6nVo(a-Cb^ecRJ(G{!9@5*%L{1ldg zS#GwQ>*l)!Zg;nr+gHwZ`?~|(V!6{D=9ajnZkapD?dwi)r$_TibR+mh+z5Wwb!WMA z-6!3rqxse2Hn!Z{XWgZ4g}XwobzgR0abJy;S0ujP@`{vGV)-PNOC!r8T7MSb==UP| zY;-rf+vNI4Ik`LB-R?g3pnKS@)~-&{sXAS^)9rPR?xZ{GuBuY^aHa08`{_bmqzCH} zdbA#^C+Nv~s-B@|>v?*CUZj`QTP_x_XfLY<{3_t*&}$%jYxW|^{};fo7+AC2Kr6j_ z5z-9B(^ZIpB)juNz#9->0r*=$NX^$=ji)^j^J~Dn5D$5Lt8@1hAS6r$OXfmq*!czE z?TClWK5OcU>Bs@H*ws4_&+_un-6L+(JcXn`%Z59kMLZ7(-i;+~9mrEV_aPp+)u2qO zziHsHKN@%xrNQ$4;=6!XAtj{U9gL06ml6K~;1I+>e%yg9FpbM5{e$qo1qkZ{0%cMI zOsXN>e+>Ex&H})5kOn0npv@rX0jA+8@?l*BiIR7I4F44Pj{*JwFbVOHQg^2 z{vr`XS<%|kKK%^o48N2xkDBc>Jn(8F*b9WTCz zcxYuh_=FnxedM@nc;iT z`p~4F-^AI`eD67$+Y?Vd-%2i9^{f;J$Pde&#;&K+#@O`~+np>Yo8s3Y-F7FJdh}L` z%QtszZpP{-#TS^oCqYPA_W_G*_&1iX90YOxj9%p6v`1tLVGgk&%#fYk16Y z&=LgqKIlU@yjF$=iGy-=pnJr+HOz0+pyv{H29^V&_lezrTWVXoK<^f;t%A0PQ{!#_ 
zs^Q-8FyhhX1^Tl11|ZtD_$46g_uLlON|~b^XY0(sMKLX*EmpI&&!zC?Q<6qq{7G}X z2fYV{^n3fgg`##bLAcZw4vF^3Rn#Ib3?B@CKqF9Wp6PZK)xTMD%^+Sa6IWrg=G%dC z=xBEk#*^Rl1sa#ogOlqmu`HWD_PK#?$CN>TDuaP>=}sKi*t{FYpt1!qs64Js#eV-a z`!t)}T$<_98!Xe4tvAEFccN=p6qA%|18+{ZvOn+36Ex5a}A`sxCOq@5-q2)MO#i~i?*D~7H&C- z`8RjVsci96nIxZya<%6XSGz@I%dK*! z$dkK>!@brk^UB0^;B$L`&%GXeZcp&J=3hnFdoXxsusC>E@b2J{;E3SJ;HcmO!EwRy z!3n@2wxs6Rk}5k1iasrjBegKs*20;9v*Abbi6cq37&pY@H8xM?K1!n8M}4`TOfPL5 zCK3K*bd*0ib-0+ml$FqzxUV&>M+|I+9?`V#M%r~zGqmfbQ=CIIw?D4bB6EDxXc!!w zOHY=DrhY#%8xD!ihMzVDpH!BWr?@N||NWLK%f@41%5qM07C#fld9Jg$Q4Zluz&TRS z^T0!%DOj7?uOw#eeX3`_(J`y@Q-@0~aqIbXjiGy_-CaF(*qHu1uvz-=iOi%$&C&~- z_T@-l8q_R(sp;PyV%LF*Yl)K?uYc5N40x?L3~R;WXzTlQamW+_db0!d#SXCdnR!aE zFfDL!%$~xj;e#Tr;Z$G{**A!^hEst<%hWOT4wJ-|Jr2k1e1h#slO zP^xisPt=d-X?mufqvzATP%qZcCA?Rzm+Mt@uhHu$rd)5(m2_{V(008`@6`u%l|Jf8 z&-YT?$$A{!$kS`%wbk>zwqBNA=Vd42;?DDO>CX2GyzX8vudh4R>r3xt>gT-v-axOI z?qObuS4uqIByS3ZrhBuzx!#lB)Aa0FZ>d+|t?*vr!^Q#ESH#2peRx~+*c8|jcr&n*?mdD1flcvkB0gmk+C+RSXsF&Bs_AB_+rXi~ z5nuS8A2MywZ|!IJnSO@5%n{GNUv{}z9Mp6?IvmimMIA$pfT(jTL% z{Bee&_*URgBx>jDz4Y!Q{xom1uJmX6bNu;KC-dB${z8AT|D0dWCGRiySNUuFb?BSr z?jC;w-IY{k9q0>N{q6oPq6+g`-Y-mO0bPPIoKxH zHkcL6PNX52tLF!EgZcg-`uZ)w0zHoIj9_=&!RsIF73fMg%03LvT{3+H*m%RvQ@}O5zqEPSw0HZ&K;Jkxe#gC zE+8ao+*G8*TTWj<*eeyI;6EEFS#BW<@vu1PgyEkIKct)3B05VeIk({{B(1=6s!OUSb+E(gdRIcN_o@x{_;)}k#SONm&il0oo8 zHji!1vOEdPs;M4$ic%%++xWQ_U~87Gb-IuqVOcenm}1F27qV6A0OHx!ChTj?|W(^Cw!*o9w!paJ92G3Y%Z&&zp~*Q(latM7 z0`Th-&FMsT$xi(16Rjpj-&6GcjF?h1wX!hb`7I}1I(6mRzZs~mE8o^4qTe+k`h?OY z|II${18Vx8)K`zswXdb7u$l9%kD9G5Le16|qK5T;+F-_s(DP7q1UT9KA;cbb=*`Qi7%?};l>51mgCAJ)zpjPsgiofa4wi3(HFGfoR^xW3X) zyZXvFjp~avSNlY<;nDiU%X=95$DC%S?qsmyQXhd{GWRsXD>7f7+^7_phng?9h;Axt zC-k-XJ$!<^V5APr8DP-Xi`K!z%~%H~ikJC!Gm`p1TY`?5cN$^l!6HOET&7;;pGLSz zv<@?>I+in>bVB)k8h@>ghHWM|2csV|AP!rj|MDc2;pvC9(N;Em-5T;`iYWqeVVnx=+9023{t6}S!8&( z_4K_QjO}%el%EA!U81j+TIVxOs}>#UGLn&o|J{I<$7h#XH;z`L-}hOjR*PJ^G6}aK zlzt<2MrMD8={4h$;arU+nod>%aZ-bOKuzUu8#7LJ6nUaMr8V|f3hX{v{aA4Mw-h#} 
zg&TXSPm;e@60$yQPF(h+CCV``in~0cFn1yAnJbJPieCk-y5qy3n|>0*2S4;4E73Ej*KkUV)Az-DjF{NlNq^Nt_HfsP$ADq8noy}S0`#c z=3kAm(Kq%JTG8o9g&RkMqR^R0g{FD5JIw=Ku5lY0?%YYG!M zuoL-aW94mI;>(SbG3E7QC(DiHSSi;;zO!YiZ&@4~R}SV6iuqqU8+#!G#Eg^P8))e= z%Zg$w&j5TQyD$7#Ns569tM$_lV-KjC^8TJ6@hH z{jPENo=*L)u_b)^^t;BE@#)m>8e7U{f6e^IeG+>igT>rBXWi3p#E9$-GVbz!n13pm z^ZumyyS_lMb+CD72<{Sc0Y(~5!BS4--|?rRNB6&8_UU6@yPM9fRh~g@^~~;PEKOqM zV^2n!#Jtluz3p0=5W|l(hfGN0za5e6m@ZC*WJgoVC^L%br!Sw;csygJEDTTmX-gn9 zr9^A-JQcDMO)1k_iHDiuR7gBDrBow-^5=+CDYwv+(#?s%`P4}tG#=x483Hq(pQ^v= zO)2GAj8CN`KvT*&_J967aVr1kHx_GSPaqdFso^(LtOfC5@ixSRWw0XNa~ig$OTpp0lR_uW{B<{067e+3IX}b~$^U0~D^JJdR2! zeVHQL$hI;|X3JceFAHRM*-Q47{pCQXN)|_Nlb^Xwess%WvIOa3?z(W3rLs&;l2Z&` z#vg~5!6|}I1edz-F!Y#w={=;GE@v5>7s^XmEoZA^3O!EAXC|=jX`zT}F0w8%Yt~wwV`vyVS%5ejfi*kjcaVm4f}tm^ zVAtPjf#6377#kDtVe6LKOyDsUVwOLQA7JPV*ezfDfm@U zYvEtYr=q6-WJOaJ>N6XTla=3Ip3I2mDs*iP=Qs2fRV%cW)`AfHbH4dWW-`SS3IY+B6I2Tink5kJrqy9PM=eF^9q%BeT)^nBw zm9^1pAB)?u_c>w&?3jM?JyuMhTAoTg^lX}O7KlY+3Ej&myhOZ6@r%StdcGR>T8bM1 z86#0kb#;1e`5Z$ZuSTyth7qh9z3CWAtQuNT$6({38l`azBhN96NY&8uJ_gOQV<^?? 
zWumSV3?GTk-3^`2;fOpDd#2$d4W>6azH&lu{Z8=tS5owX^gx4We$@NS&_1Hx+o>Zi z6g}aK@5nh{#*%I+J?Tr~GK!ysdy0sjN>shMwq9&4z_!6L%s$m?YHNzyZFLqPT5L5= zn>n^EruGX(?1_!gtEc;GD4TD8LU~9UQ_8G%l#zq6r~2Ui`o=$pxU{D0ee-wf#`5t- zVww2%6ukXO=e#uh_7f-d_PmpN`@1Lg_V*h7b{lG`reD>*{mJjq7pT6E|MsK!_UseH zoZtS=NxeO%33PXiq5IJWTXgMv!tw~rCzw5r*2k?F;%$l5t{aRjZ!wM0jenKDUD1eG%A%*$c#+0aFyUHg)|)Otk@a3 z0uZNZMNfM*5IkWG&MT|IIcYTuF*?CUNHwh5RF93BS$M9=iy7atV&<1Y7=29MkBR2f z2z(syc@a5_wivs!!&>w^Mvi;1P*zK~CBM`bW#;0)4r_e2%(qP2W*z_*7UU0T4P!=# zpfGk{QgA!yOK2I^&W}%bHJ~HH(k^HYckuxL$ zM?X5cmu9_$*dtp-{_$y#%&05&a9$&03D4?xS|o;O`}pDGarpTCx-k3rnYv;>>etBF z)^ z1*bN~l+3$zmBG#VV%jgD>|6#p0ba;MGlaIZd!TqqaY zG|$O$O0!(9l56BTxj|Oi+_uW?au+?>D-TfmDtS~%<*O9cMzvL0DqH2!m9Gj^chyVv zRsGdKRjh{Dw_+iGmmz-_P?e}sRc7Bk4mM1wnxv+v>1vjmtDa;UIi?O8nYviIVkv5v z7L*&~5Y5xP^)#h?mZ?)qRfSriURJNDSJg(fS#480)NZv;9aM*9hN^a5H_1(P)7^G% zdpF1J^)9O=frF&PO~y<-Hf| zKOKKQtKAF4X{HkUe|9hJ3BW6n66<7*JDU|{28B@;pzQ|$H}11uMh((ez9k)TFZdEvjm)Z$5DM7kgdhx>&|tnlnS~DWg^9oKJeYHjg!wb~~lrOZgW#-J|D(7CXb75}Qj_q(`y+ zMQ+*LCb(RGf*sN&YFO zR?y1r9x~d2i<5X2c0ydVA-AlyM%|6J=9=d$*VFro?D} zU*vD(28ypFKc_Q)B_FZ>0jpyENv6oQPPxpYG`nOro}2WM+vbOVh4z1;Nr(TC5w{N9 z%s)U`EQcAq@NY2|FN0GAp9n5>;2}%MZ}K(oQ5w8UI7R<;M#>?U-sR?fq9L}NC>+zS z-^9PeMQGh`!j`h}Z-aj<{Ex!l3jSB&?+gDZ;}=KZpN#lR;r})KH^ILW{$B7;gg?dj zYdRT!%`1q13HeOL)7FStj+j}9X^)t1!JiF(1^nIM?}wDT;U5HlIp7GS$*|w5wY$3% z@jVbf$)+*!o8TXce4c^7AN;o?w@Sp!LCkLWOW=>2v0)qWWM=Hxk#G%tbDf=KpQF)m zogKsMSV%FSG-F3b!o(Sy@GCjZ}NTgKvU zn|^u35;5Bv=6}N0^7YHL+yq+zw%j#a?}go7SnQ3|XrAaAtx1Hu5ZMyk)CR@4Acp%k)r&kY1`QeJtUXnaK)^V@`>-Pq+SxYMxv`W53G?WraR?t z`B3s8u}I0*(ZT1cfq(^giuI4fy8>4u9xEue6|ZiF%+R`YMMKR_wDa|Uv%maKKztWAgi37GZ)aGGoaVy0X&3#|2g}oQ`Iv{v>i9cGrtD_zO#10AX7pWTopQ)`sc^_hUH{&PppB+<+*h{gi zTZ{*G&w*zgmOH~5MDZ@i5WwFUsIg{oacYH&vn5=7QC|%I-JeR$)z$xEdLPwCeE-X* zI9xF`XV!j|R4eiQ&yUH2`=3vI>CwpU1o_bWsPEbOkJem8ZF^Un0C}%%d`!>d-J*Rl zHM+gFC%Gb~{?^y_3|oI?we_bU9p~bors8u9aDs%}rndL+9+^5TrdOf<+)TiuG4=Nv zAWpI16C~W#wia^;4#d1r|G(^})vTF!HaF>Rs0DESAGI|XQ~y-sW-OJ_7EoaJ0I&~G 
z+XARJQVZxF?YSl&lS?!Y+X7Ok_GRtv6xDvI;Z7psc(esT_QjsV!e?+`N6Enn7gkae z`@Sq+=wM&dawqE$k6lJ90mi+MB|&*_5;ey>gq5m9J9Dviw|itO0C^{p$9D8xiCI8F z9#r)J=zkt?K~NiN2Gt1QC`ITJJX$6&Rn{m6wf(NJI^{xoeF0~w7>D0 zG0a(mPiMYcv4k>nA-|1j_t<5UI88@#yT?f_e1?#fw#K`5&ls(f=S_wAj(IHm$ARZZ z9%Xs9#q7yrv%<>5<$jADWx3m8bp$vs2M)`Tvw??d4n|uHpG(Bw;`4{l^A*q9k$)V^ zLGNnNyBs(iw<>J%zk%3QVe?%lnp^$vMPw9N@^B4@=uUE0217y*9XE8C$Qu6exG`eW zz2ok=PgIrMGi;obIc8{Csnbcc6K?P83u%RMbH6*X#K14#(kn}p-Bw7DxYC*$kxX-N z5{(V#i%V!_bfvgK+%Ag67(5FJkDi}ReZ8Z&oci?VX?;>8?lS+n@HBv3%nQV&G_G7l zE0`~cJH%j7YM=U|l{iPVrxD`{(S^qF-eQorTRdQ&21Sa<5EqKeXw`Ey)!~iePBBD` zh1{-5VRn&?Y)gUYBW@OjG@9Hiz9J@wuZk(+>(NwUvx*a+6BmhV#7*KB@ntbwl!$TS zAu(AzDyB!%DUmA96+;QiegpbsiOvHGzi7_#7=H1SO_b9nyv;i@}eAHYJuV!)BZhmI*zV*w`sP6nI`IAi$m`^T!;fC~VZ z0KN#g8gM<}W&>RpFah7NaU0nP_p1h^D%`KZ!SW$tRgwSemZHvw)LHU5Dy?wf!+0rvpz z2RuZm4RwzgsC~e6zz%@1H;GY!GI$GM+1%poB%la{(DA@ z(o+Fv0L})S2e^Q;8K)NkE&*Hy_#)uS2h3Mi1Fi$y2)G4s`&a{a1MUMn2zVH|As%mM5K*cq@ZV2|lH^th<^IJ9*$qHRTt{vr+=jk!r&uXoCBA)+I82;+hLc15^fcn2S30jcTb(`5Vd={ZnIj8i zA6X=~$O9@#wN)KeSJhVyQlr%*HB&86OVuj1UTsr*)e$$zZR>V)ySjbdLGEaGk~`B~ zsdwlDp72t=EHBUN;q~{1cw@aO-W+d{R}okeSP@v~&-0)4mj`o#1;IYSB3k2249*BX z8GJ6dGWcq6Yj98SaFU;tk(85EkklusD5*pQ9D~2ltu?sPwpsGRR zR>-=2khi2!(Y|@sWa}5#h1uMbK_ggMHLC*W%1$c z)P(Th_;5~fLU>Jl_>%Pa@TD0sVZ!gyHVM!362iScAzYLYUK}6J?H?cRw6O)kF)ik} z@D_w!nhDdb8W5Z)aUwTbGw2^?Ae@^r6*65v_enX!SFZRyQ-m9Py-BL@UAy z8rjy+*tUsAw;eRT9iS0T&={9Wqgkh+PYQjUR7+}nbuv&ZkHnKu3`7;F4kRUUHiQPOMk%8><+M{Jz$J=Z7Uh@GP}3gaqG5;*0uQ!EU@kZ>mFtI zcH7!-pJv@><4e8BjW4Alp1s=CInvfuE}V;NSnBSu*blO8Y>=hu&NkMy z)ZV#|-C|oh#kQ31vQ*q<`_Nss4-GD}?gn=6wtet!J3kKT5Krxpgf=*2J;KRxGjBgJ zKopA+!s0Y!54%Gv*d1m|ez>iv;kI9m=xtp)!`w58-I12Yk+y~0+b4$KAkV$q;%AF{ zcg5gHtB{hEgz(&W8b+ljgxe>C`zC}-6T(&T;n9=gzc>2Xc>G3}$BzS}SH}0N`uOmD-4epD#ONimRrKD-sh_ync`4A9(zJHVj9e`7kCV(f=kvQ9*zzxTaM`s|;FUn$>}Z?Wft|RYw|4kifD) z1>x1sY43D&@|~_uPp7X_=nQg(IisDi&O~R5GsBtVJW0Ir5~ti*;jD&)+-B!ZXP2|j zIYe)+As%`YanU=VTTtaxOHZcAbeSo$Whdxr^pgGL09hsMwJ36pJC@QPx1HXV<9#{$Yg}^W2 
zRs>d&`#kx61^4;D%W%sBzlQrlU^U!|z;A>kcMXNgDfMsRJ|B1mZh7E$a9;?lgtJXiBi81*g&BQO8pw#=K~wzmIwX}_l3YF zxD|oFQ0j_6CGcMsc-_*s+0yq{OWzht-`^#Sh_B;bak|JT?)E#EnSycx;k09F1K{$ zS-P$OUHO)-D=l4}EnQbxy1H1pt_EENmac0oU0p3**V@|aX6gGpYOlMc?>b9g4@=+m zOrJ38Lu02QNAx7WayrSj@noe*(vskDwbDLKlD1y6F2x@a_5FNTi+9*zrt5Yaa*kKiO}E3 z_XVWeYJE?H-hj`f+h%=Fg#I4QZ$~u0e?;?pGn(I9(fqbY^ZREszn#(i-X-6S{tXnj z&-$JSy$9bHC~m*?JrR04`rTd8@BSB7DHC9i|`AcTkB>e>5ZY-uc`I+R!$IUi5j1$f!z6AQz`@WO>L%}Dzb&jFDzVxwL z#ZJl_F_t_cZ{Ae@mr_SIG5x*V64k%G^OWhw$~)i7@-7h4Su5UBd)4{GCtj*L5og#% zO;yv>*VPO)llZ~!sCnwU>M7z17ZYFj6ZKQ|ym~?XO#NK_QvF)}R{dVBR~yw|)E4!I z`iJ_b`WNN3PrXO{;X$1fuF;>@*Xir^4Z4@^t#8tO^)0$k57dM7U_DIVtMAhf=<)g? z{Z;*lo}#DfX?nVzp=at@dbXaU=jwTSzJ5|K&NQ0q{7sBP%{ z(1oGwP)?|0C^vLP=&H~)p>Clbp)Z7P3f&y)9~uxU3KfTjghqtMr0hu9m9i&gU&{WJ zgDHnns#1=mREK5Q4SQifoD@z8w+^R=bHcgdym04mLAYD^$KjubUkJYx{zdp#;opRR z7yd)|PvO_Xe@-2hTADgGwJddF>ZH`!sdLjtrj1T3O&gb1mNqeMa+=vKeT%sL^VP*v zgO{l*)K%(H^%&LQH`F)Px2Xo7Kn?ytJ)?e9XAS;Qy+$?o*Jus?TfIv)_#gGY&e6HL zo9?cA=$@#-J_$8AQjgZ9dYqo1CpEDKSH#uepY>n#>-ulD2H(-|>i_5u^oMoS;JMy; z_0(X#*O_XttJmG@;q^ofj_}4M|19~X zDet7boAO@D`zar!{5R#Jlw)Bhtin1R2nWNh!fD~N!xx7y4PPFy2tNxm)x${SW<5{V%;&@7D))l|G`YJ?VK~lGjSTqx*ShtM=aKyfI!EJ%D_J zyd(Jt}dCu~lrHI4d5$FhVlyj7KOmWO`%y!IoEOsn+ta7Y%Z18I1 z730;>YoONSz8-eTYgwu7+KrG zM_OB;XOL$(&+?v?JgazC_pJGlwH+46#VK)KTo<>+J%`=laQHZKIR4`(?g(&{cD&(u z+cDWO-7(8C&#}m{%(2pu;z;!h_iE?W!E1om_uehN+jvKLckuq)`%CX0|KHmFp0%-D z%)@cTan)5*c3g8@H}a~d9kN&3L)MX9^=68xBkF0=zBQBUoSLjWwGqOpO%OwEfiA2Y zwFY{#Z>c39*TFN%9uMh%kdNZzrF8OBHp9a+j8bqp^PpBplRvFE=|Oksm9e7dSofGx zxd$W1I%aa#`BcU+x>ok?${yl5%(Z5y951>^y~-4-8BwjDYDYH-`>3}G-)C z&io449oPdH2kZ^il~=VghG-+^Z&y8Bn<%2jgChr$f@l6^DNsct~AsGiRJZsdK` zxn6qaxtZT_uB)Z)i?w7`;&-YCWgjgu3dT3e-JXN!{#wS9G}pD>L+RTg$=&}(Ht`kR zgBX{@{RP(i%Et<#o~zLlX1Je`9b=^nx@+6AwNa6D(=xPlKgYg>zFnqz?0)Zrj3*}C zf1+6JdXh`3r_uYYk$nuL{{(l(}Hi5 z`y8iPH80IeW1o0^;q?V;;5F21DErjAxA*s0DUPe-fKz}+-5UB)`2E}?u^9H=c+`1T zvhJyL)_Ah!(ey9v*fr{gyIK$b({RNDe+2Fa9+d4*=>y!_%l*3Z5C%~?2T?1|71|Hn 
z`u~-CSdiCq5iUTEm!9QC3IC(D=2(HmrMn-sJ7wN-?HKC{eT^)kf7%@!YzbRO9<2yF zLH}|r{vo!5zU?KiCdcL9Uo-N59~%m_Ixj%;xxl5sO~6CI!w-b-Ebubg+?(BDtw?d> z+9SIddYi(i9FV)|ltZtREA~Fjh`oRQ#B6LM+eda)irt}qIj{d3J4xRzuoW!L{Vj!9 zIr^mB3m4Bl9uxM1|5XgsW+7yqK~%;DvHJAAE0xzlRO(h{josg>qi4?*`!ydC`_DoT zAF}h!Y!9XW1^SJvt2a=SHBZ?>EMlex{@ZXPfXnTO3I<}vf6dCL6VJY!xkFPYcP8-feP z{MAem%gmkTW^;?VRV+6*m^;i}=5901OgHzKznJ^X{pLaQsCnExVg6>GHqV-u%`4_r z^O||nyk*`Mn$U$|-Zt-;e+VX)nzHuOgW1S#USoyW>r{UJhswL6R1OrU6e#h;5#=GQ zIax&uDmPk^#~R26QOP-j>I^ecimqp=Yy)}xP2_2|u&rzxdHkQrx9nuQs8l^dzUDV} ziv3Pyzzuej-DZDqg=^g4R&L{VZgL0r=05yoo`b)_U*)-ZUY?&9;IHx5`G5GgJb@?j z5quOM&6D_8KAunHllfFWohS2Id=8(-7x2Y=DPPWi;;Z-?zLu}&8~7%^g>U0O^PN16 z@8Ns-etwW2=0`0Sv#Q&^|EUc>DSx=^yP@(8*>_*1FYLQI^CMf9mMm>H)5@)6_0qP* zL)I;AJBwwzbAw#LN#p*!q+APA@nMGYvQm^vWjA)4 zZv8iA_J;bo>s)y5zax~(bnf{^y`%0*;nSO2C*HqC$b`4fg}s4f_7zL{A5vs;CDfSx ze`%}YPlp{z+m^+|<+J4zH`cD!Yc2%JBq>y|KWDG38YpSKQ8i|C8U3b{yfu}!L24w! zssDWf;2Vikeck`e*H=}qqxRe~dghpVyw)r5lLmJ!x~sqb@`Rsea=_PJm zWi0yQ`~e`C9ltAdLHdX%7^k?I{D37GJGsgJXd{?Dd4Twc(HT>{$?#~E+q-zF)|qI( zuk+~E8GOEd_=5Y!Ak>X|N$~<2uo}tOgApwcU&*QSxi-x>x7y8;P@pPekwFY)DniA~ zgL_;+f5ph>;Ztl3i#7^8>2kn0y~b8W`%owX4mm|y*%?n8kg z-i}9((GR%H`9t#*{oUvr9vMtz&$f3;{s3*q*>h^&Nf;kY3B@_fmd1mCI4!sgS@N?s z4wrX^L6+Va%UIQZx*69sLw(zFUktldwX z01~U}7{=cON?I>u649gspIIg3aEFaLHED4WwVrUztCjGgzIP}u+e+U8+*!-V87J~j zEoU@}J7mo>X8P7LCuypwX4z6zPC?>nO7ly2^});2CpK&2Fdn z4>AO`8!#%x8~%{DM&ppHg-oBP<#QlXG0QYyvKFErQneCu2T3TL0!z+voIZ zms~gG;~RcumL^S*SS)T!b97VwY4Cc^uxlTJ$}sh4 zU7bI}`)HCvnsX(|4m`;ztXDVe5S#K-;24G@Y-&LK9Xx_o7)%$CViGucfh@R7tnW7@ zghhsWsT~$C<=`Euyh|gITq5NaRIT}x(7g2J%?Q&ohH00*sii|=rOywtu_qIC|3=n% z*S4oWQS{Rqxmg&&j77@<7q=f?M5xqFu0n6!{s}dc~s-Rg$DY?*bl&c9plIrhf=tiwoy2tr+rS!YFF~&=&|#0+I3%IpFci7kIO2{vwjZ+ z-o%VduU6`FBeT0N4ec$&wk^ioD*ZB9W9RzK9*eDVM=J?Z<&n7epN-%!(t_syxC4BJ zlB)u*SeEPPZ#g*=H^_FjuCuco`lfYsIAZH0-i3Aob5(KMe%^65D5J2O@6f>KBzS+& z;zr^)!}X|7HVH{LUb~|C>v1H6QG37FqJH8=AZVn;Jf|!7#U*`092BJ|;`}CkFlb3A zy3r@Kv3Y=Bj{3*b-~7}DU(pALlkPdLYWuA+!5yn^%G^Ff+TSblx+~(g#Nf8Hp~FA* 
z2HE&`?xj|`>m(briCyaTvdE!M@C_he*JEf5Ez|%Fkksyy~SV6yHr2L5_6N> zDjgl|p|J2W*)TV};9DzHcoRB9Bhi`QWhHf7^Uh$T+9~dxXq>##%V_CzvW0IpAD^jujm+XStAA;quG>sOMC|R@l zkOowzNr1yC6gP-}$|5Eqfr28fcAhcS*0gO&-z_2sXud?{7W{jU;C@q|pD+FT6~WnG zKPr6(+Y?(qcySBa1Cu05%b(a&gJkge!b315epA|qJg@3zaGm}#q>$zNoK_-}r-;=! zrb={fg7$65TpbM&{VJGD5L=7`UQv_{I&!)r*{b-6l#GEmA-#JH7w<HYSxikMm5p^YWlV!Oy2LQYq3v{&Tga&mYY1!8 zUC60zZAh&XDU1%Rj%06~Npe&r=5pk=Ha5BdZqzHxa-m3?XCzuV?u`Gwjgp4Io^eJJ ztwvt#p83ilV~p!ngF%VrDUC8us2+ru>WbS=2c0P<323?{wd4}=rJv%!K275XEl27T z>exa|i5hXGoLW*U^az4!PTf~&RTNs96z36+y(+6xk@2d1WyG>Ks|0QR%KQbj<8t{q z0EfzHsoN+UJG++Nw<@K@GM)L)w*g)v0{7kgV`IDSK5R=6+a+_ zGo9mwHmu^s(?LFb!_ zq>dZ=+d#^l+fPq$Ns&($zWl?rPbLBxyDq+Qoe{ebz8MO+N(N=svs}q*r62ztOP$T! zAB9ViOvN9TNaxN?9%@MG&)ENQmtJSZ>Kjq(1MtVDOL^fhBO4^O#P~>jN`j6hhiPm= z_UEZfG0`e$SI#h@D#%n$HbE|kn+`DXEvQ8oVOxS@CzlE%oR*MGs+GVk;2XA+VA;`0 z@{RE@h8ymY$Y;&mr8TZ#&Da$)Zekc3h@aEpHY=zl~@yOS!7w_q(-J&rdVmt1}L3gsW9zcrfEtFrrI=SNKG+WND+9=~#P_DUF(BmirBOS;y+iE#VtB;S-8?fP? zw+FX>lv|VC!?=o=W)1q}Jvy?xre1D#n{cgC*_$apLEE_Bu%B4}rP6Pq*NLR05yYW1 z(bE8=@;kB*}8Y zcY%TuRZCHGGJ)T=1K1&P6?K~yo7iqWYeORU5&YVl7P~9kl-1*rP)JuuD9JLG~ z&1);nIr84*)D-o%8EHED+hjI*sm+u%!Kf80zm;HAq%x_b)i3zb+A4x8jVg z#78yb2VDZG12VwOAV85o>YxlbGYpV4kUB5}$&3v&3@i@FfG|Sv)`G7!uNK$gJb zzzh^KUeF=XEFc5i3!S)yT>5d5yxx*^*v)S?66}*0O#&8Xm;E& zUBGqs7$iIDm=EB(XAHI;YzzW`*v$x4k2WR(i0)>DsD~Rf0z~&P!qh{JVE|;i8KLX3 z##8{K-Hed+NMlZb(H=(FdV(=4KzUCEcsYQdTjgKmKf z!CI))*mCqBH2`6^4Ol(+m;`{Z#|Ek%dJG4k(`^G?k3FUiSnalftVbSm1FZJgz+SV1 z@_Js7%wR#pK(~NpcrzMM4$v)d8QKgN^c(0Fyo^kZEJpzP3^)YN^b`g!Lzum2biunCO8~ndOI(s@k1gS7iM6cLtiDPDh~sGt?}a90ee@`!mEW zo}4itw#Nr%pB<1FXbDja526NU23aB$(}9419$-+)Ch7|APc}WFu$h(au!9755NjE>h2G)L@gEo-2shy z`hy~&A+2kBv;$~N8InM8K;EFh*Cn7(ce2x=S{UffKqEd)B?4S0g?qW2e%+e{uOEfj^t++awvbXH# z6NT&K4u9R}QGZM*Ala2soX3;&_l)&l_ZFGdkV3p+oFazQaH)EC+@nu+%;aD}(uq&G4%;U?MGS7n(&BYn?wr3nymiXkAPWhYn zPAn1XPH^r#oXfvErDPJpPRGaf7r1M^(fsu8F@4{mJEc=s{?*;K%{RKWF zLWLFm&4Y5JPpt4!DkUUR>NJrS5;JjvLivd*zh732E*T&70s;VO}~4MSO< 
zDnCX>tR*F)juw4Sk=*A+Duq9i))qs#moi^Xy3k4gs~?%PEs^QxVTvhH?M10yti1bF zH#@W=MxM}a1YqIX{ivlpF%q_0uybe9a2GLQjO>*S+DC_J(~|1 z=&T*gyB+kxyf5XFxZd;PdzNiExA=E3^5kDSdj{q4`9<+#C2JY$zVSX8`a!xQ z%{z8Uzneb^DU=^Prx4?t{(7A&Js=ss^%1#l&vO>ykEJ7ay=N?cI&(jsq!F8Zm*#uR zH0UN&33IfIWnCfX@6!<&ou>K-ahkn3x?nk;?-5w(kEa81oMgUVz)$r12>sxZ)$P_j z7pY&UC~jT%{hnSb+~iHYOAo`tlC1QdJR|B0tVZWxQy+Slw`BY;5VMp z#B-*d*Ab6snr3@*Ej^Bim?qZAFQ2WW-;vET>wQl;g=oRhlyAoIfA_>O{lS)Oby1$m zAww{4tG5;79M1m06LM|&DJ9d^IlTTmU-tZ)FgGcR;r{FU{Z{sc+^lmiVpc9+uCv#f zhj1^?UPkdj3NELByU@YS+G|jV^MW(VK?N>lws)R0_kAbXR`!G3^+7)_r~jGH#NlD9 zKj+-zkDtftd39avLb6lXqPZ6?i&2uEfWCNkc|w`S-XCfdyZ6r{c#?VIZl0W87UkT` zTZHLsqX-DY6%4+dB8y?~BSSe|n54NWtyK*t6p=(ja@+pJ}$dY|JJwKnC>X zm7cz<_dVe1_XYY3i$a@T*|qhdo2I`~X}K5B4H1!lwLv2spsv-jLDw1JtkrvA{J3N? zN?&4{S=v$GEoRW-IjLjPpz)rIN{!dz(0w6S2_y_449p713e*YE30w_W4HSZO2m2`Z z2JQ|y`xdF7&y%&oQv9Euk;9?EiX*?`A3{H1=RKZ;UIEur2N%l&SAcLYsg7>77Us0p$WDW_a;YEY^DQ^8HP0SXs&PUN9l9+S(u?K-ZwdPJ zuLvfw#GYDBgBJ6mVa%hidgg*MU0n{vI>{sv-zASf!&#=~JxSy8?1k6 zec4QPi9H)Sk8o>n?&n@)o#(&Pd9p0qN}#iqnE3%DH>Q^AOk8vR|^a_hwtg zF{OK+Zz}NQhx)^(4)#|!6>v=l!rS32!skAw7FO;|Ztro)=c=$NG<&*Ea$*sT6Pyz^ z4008WBEU8pw7Da)G741jDoS+u+_leNsfsdHRLe>}s|BS3s6--_c^Q7E=#Mn3p(-j#B$nh> zP#Q0mr;hNNvOgXPjDYWfoU~iM>8hRq&l$d(sXCWE&WTvDawsvCr)e;h&(E(|`8L)P z{@|6>`^MZSsG&2jccfo;fO&*}o8%?hQEr(TzF%az z=))mYS+ifA>NKv{9j5_G{1$3GUBv^ZP0FNCcvYQZbg#-r!VSia#tp}f_u!j0M}i;+ zh5|`#rX9$J0fHieBtj&DB|^;x%ZAH_%0|kD$VSM9$wtWrmxGyrnt+&qnE;=Fo`9Ty zWd>u0VuoObVFqW0W`<;jt%9inF9utLSOi~$RQ+da{}0nT;ILbu+aSO@unXcI{2me& z3>5+u92GJiEFK~rJRVXJ%s;vGQ%4L+w*p4x*Sg)sux^QuG8dC|yF10*Kp;C%D(!_B z!3G=&vI(jQqUjA$kPHDY=MdF~wfnAHlk9V|E0l=qXjWgOiT;^3> zy;nJU7Gfr{_xC5KdK;s&T^oF?wiMBO-uKs_2&2azzZxu584Y61Y7@_=e53cCuWPNC zM2vLJ0gIUhYq!~J1^9g<88_*CJ^1O~HHHi`ZQAF@)XlWgjxF98x2e6J0lzKTZ}LUH zIvtKJk6qAOIm8a8D*sGVTYOBc*TnhdZj*b~c~)s>Rg1QeE3OGsKk3BI zq%;1fw=anyg*emr@N1Sf`@v;z0YoO{z+S~c%&a=!&Rm)Fk6!G763VilM(sOCVes2E zmOwb>3>8JbY#l5j|6b8x=f z7LbcVUUBwD_n4rh3_>mN5UMJ>kK 
zE^zW1oVsr~?hhNnK=Euiq`}jww%U|&5zI{1Y5DPbk9jg@dh!bFI=00>DO9>c>brOD zKc&)K{a%=^)b8Ic*S+uXIiIi8sLsia1>a-T;XIrwS}C$pk##wqvJZ(jPW(`m43zErvDxlM}39J zXS`q`?%_Mr>qf@Z&FejCnr2st-4s>hUb@67*CNrD>6DS+u5mW5bAjjl@G z;R^Tp$zQ4TZ5lO8fqSFp>MrRU$7{WTmOjm5ix+ZwhVranj`png9xNf273YPc5b@Pa7+60^Lvw*W?7&?PlyxlloM~g`=t7}xmbfEwa7be zolCdDRp;mlZB?(TJ}t%E1dZpZ$H42?!XMJ-w|>oEZERdxFsL#I#U7eF@)X|23s%x1 z>}Iv=sPc{TMfg6)+ZvEl;G5EuqYu-*9%7k8_Q^b|EHY(Vb7arw%%8ox(RXY(34K#7 zQHb~Y5)GnR<5@VQxb>A!rvB4eWaUdM^kYVbJa|={F(&Koh+&!eU`%;yQOKv00`wPnG$>UyDidrZu*2Aw15@)p+&?vKv8PDj&WwC!(%I1c9xGWFY*EPlq{-gKH_8?>FFdr%nN;h&#{Mq!WR z-yVL`gLFRCUVR!<6ii*W@cSX_GBg;f&xigj*`>=8?^t!#xKd)(yqR&o5OX1)cO1jc z?OCg;)vh^G*2&d+Q|fy}(yl49pjn@cdwi$sBW`H^Nuzi&>(;{}+Q(I=Ii|2pMktMC z3Lg#3T>Y08CmGq4be;;cdD`PF{11;>LRBpi-t_Br`Z*RtC+2L) zQYFJq*sXMFox@sjv9D|j!(pDe(t(a%$!_eWu{_gQu09T!USZ zEYpVmGjFP(XSJ2+x~1R#pQQBXoLhY5r!UKYyp-*8GcI$-AK!jpLuU60aJjBIbi7WT z!x6C=e>*ApJIk`HDdmxX3e>c0LUk^)N zGS1jqzkWL7-P}OvLq6HTe!61wG_t~am#`=~@1|!`Hg6SEpCb5H_9(fiTt-7c^7>@8 z0w=lt5IN|zra0HZdx`x@DAp^Rg>d=xYKC3# zZsXj$;0%jGPw#A>Bz&lJ)fsBtm&T}y-f-M zH8mG+4`DXkI^#McHlSsfJQbFE8r>NqBJL7nG~&yWbZROi^F>FA;ASVTPcMa0POge0 z>BPBZRI)%y&OCRh_Ve=f+tcvTN*T0O>}#p>(=wsIjaH}k-auCMf{+eZqw7~+_mN_D z$ulJT&kben%e@S@_dY1G5ABn6HI`k>uX>L^yL+1vUHnRHuVSMswi32Bp6r^Ce+%|D z*Ex@boE)dC*}61Zl%4w#O??~7%B4l{yxj~wi$d#4q@#gB@$p)ot+1Rf`_v;QOO@ki(<5MeP z^?|%VmVK1(-9Y6Xx@cU;`&8=z=-W-xuO4B2UlLa4#(+E z(D{D0!RhftNAt$orD&*z-|)hH^P5l;{Zh$%mg<6gwbmal>o?73!1?mS_2jyqx&{lGCgLak40zf|{d5P5;v^G&B`<_uX(6I=K{8U}HBoJImppe81;sKcEhJ zZY?`MjKo!JKjh`(Ue$hHx~6}8;`a37d;SKujgk!(2R;L!!?z4TE0gJQi=F}d{%|ew zr)&0}u|jA0PmOla9}bN_TbC=5!wYHx;J@?F(A{i>!;02l^vB6b1JVy62N?P&)o;ZV z_CmI?5WiT!?ecmzx_ycY+F}>59FbAOopiSBiHMo!7^K)<)i5V-**9-EHzI^a;x*>{ zYM^whOM6K7m3n-6$hqzGf#3?qP>Eoj9a;EGC}N*$%#CGVNXluMm|9 z(wR;1BGA7us&`_3QEQgMGfQ=#NCo=o9Tt>`*cn$wk~&YP+WIT7&>ZbA0$y5$7uNb^ zufscWH#I0pflI1HYynX3ZeJ$52=y>_v!Vl2uQbd6QDj8p zV(;FsJT(Y}%7xDO7K1K+7%ooy+><%YQ439N+o7HQAt_{U{JlHPDOtlXC`i<*0MYFX 
z0f~8Eepc`t`kg=mnZ!1~sk8B_^=JzAG%K)@%?S5w!M_y#n{wxh{pNTxl#4pWDbrXa zigNwbJ#uZK5C3a)uw`h-?wEw8M|$q1O_)Z$&i8DycN(=I{mB@`!=W`3K0^xWBNcQ3=wp%JhS4)q<% zNUOS-FDW1lMb1lU=`N_zs37$O_ITc+PF4ZD&(;#07~a`_ERrxyZGDs(#O|??L`tV+ zjjqhx&hpb;v3!QJlv=2UnrD(@92dt?Gog8QYL|`xd%lvD`CW1|#2GKBo!3FMGR$=m zs8d2=EA4y2p4efICI6+(`Pn=E(MOI;ZkNHgyk+1U4vm|GDw`^}Rsa49cxM~rH@X+_ z&l%&SwBO>7SH;1H^JW7!hy2B(ioiCrM5A6JM9<8j0Q{ULMPT?X_EX%QIw9a8+lrH# zQ~my?u&jZ^{T^*iK9*lKZKBN ziuXu(wpM=eOVyLFrpV~8FyBW-Ko`HTMWLADItpCof76jJe#+q~LG&#+gxQI};JZ>Kn<~(pPRhKb{&~hpcP`MW$$dDQB!J&<`55zoc;X5mYPP0Y6bdg)A zn(9-4$w;>yCA(C)ynEW^Lul2&Db;mN#BXi2sWH$a_wlq=IpL>>Ph+JV-0+ThG%0!t z?HLeHeMsQa7_AO-?o4F)$P61h1HY#^Ad@LSkds84#%Wub@=ktR7X+oRuAfBa-N8a3 z^-|E}$e%YhZN`Jz_9eK)9WM$6F+|Y7TLy#VdfBQ-vP+PcHNQA;@}Lx(Z&x}UAa-XF zwbru3Qk6=DMT$P;zgYtu-(f>ho~((==C*oFQWVwi+N+HWA{&;e?rPa(2$W`#g%Job z7~r*NFHXR-kX@Ap{T%vM8QIZiYcg# zlHb}sk50_qvAs=X|E}y%ZqiTxt{`|8u)Pk}-_2@Ar_Y=~Jw&n#R|nG)Sn=f}LEOj$ znGPC)0r`tT#O)bOJ>SQY3OxZ@mc@Gv*1`FUwG>uSEZCd9Z}AlVyz*?bKW#;RI5~YG zjpD4DUPqv3?piKE~ujXoadXHw@!suB6IW!LOLidSfd&4709yaZ6=fk;2xbTMJf z{5?s+bTJFBEw6BLojA6bp8UM6XKA*;LQ{t151 zbb6r(fKL0yA@l1zxG07vRIommTTk(O}J^L^%id!{#(;{YgXQ;GF z`06f9q2c3f6+4{0-K`9R!`TWciCjraghWY(fJPz<0{RBQxIq|_OA})$Y_->)rYlcQPIWJ@ zk6iOf9tcen2vELby4CKLbKP=27vfHgV|h~IwbnkwrDzUUz6NzIzSofQQ|;GfNw&a5 zwd;jHrPXb={Ow$QnmQ$dLm{NmCP~}Z2I~3Ds!OdKu9J1>gc){D!O zC=l?t2&VnnZHb)p2P9N4s%qL`)$mP);+P@f znMK10f6;D>+lzH)?Ol$AT+e|+Ma*~0nLszNkA2^T5-|)7f_g78C(Li>C+?{1$X06i zH)5yDgxghwCj@XT_2{|WxF`9yRTfLs25=UAVWiVy8Z_g>0fh_@AQM{!SoW}TZNd#m zz0nkP$cx$zrW2EsEB;nb&A5~!s*y5%!ou4ZP=h)BsK4n-hwZTFZ zG3TETwG|aK*7XJO^=E-KkkxUpv@p(+g2qhlPe6mp>`LvQU zXr^#+Owo(2$jvu*F%(hE`t5R%oBZ{HqHKSc|CC!dH52$v$}9Fz`^;{vhOsd-SL$$*^c zJikE#xI%So1t_r99^t-KDO1EbE0gGvF!dv0s267XAX{!iOfe}Aq_gp7qh3P1nmS~! 
ze16$WdPBV~-d+4-wuMHGxd&p=uHtL@38c%?-m3aS;gzu!PuhcDbkig-j{|qfJP?V< zP5SriH7#OZb~hWexL&&hbX)>VHQfAuwAP^}zfUpyRu>u1qv!M#`*ai}ErJ{uDW!NM z=@@EW>oLXY$~g$9ozQCn+74y>?6Rsn7uPE!3th8$s4t7s-QmR$&Af{jo$-YoBYzt{ z!R!19pNX|CI86^fOc*CZv7JRsp3fSTr7^PScd-9X5=88^=?V+=gqn@Oh=hz_YG>l? z;$&)Q`;TaEWQB~t#?D0sAp1wuAp_`;ad80j$jI1r$k@2JKLl2;|43{fMh*_n4;|a* z|B^ne|I)E@e+*?~`@4Pg`1~>c@6o?7KJ)zB#>Gv>$;tI$=lDSQx5W96?XT_wf#>t* z4~g?b`amV)WM%!oT6T8!e{_HK|3c>ach8R_GH!03|FVAc_`u=j&>>_0(Ei2x&)B~* z*GKQa?Z>7^rbqUFa>4!IT>QlZ{Qo}wWBrTsuU`L={?q<{$NpvHU)q0j^IzzHkN znHt-hn6k*3+L^mpkg>6|2?`=3{AY4`Wa}mLSoHyr!p{8=h*w1&lVsiD!YWM@M4M}E zP&b!ktTb&3xWn6DO`2T*fyhEnLYJ~vb2)tH7(=KC#e+}<*J%#$4EQ17Gza2(fv(iQ zzdnvv6eJ+suO>O1z2J$h2EFX=Cs_plu1AJE3-$RZt@{GicCI?vYGC}*gYO$8Lko=~ zN#ZhnDL)BU2MnKZ+9*2h9?RRYj)s$;zGaGm$4M_mPP)U4YT8zr>U5$DTz@;};frVFpDHvjgX<9*JEv|3{ifg9#a{6##)1%~qxbcFA_E*| zVDr{1@11Y)xuffvugiJj{QhIVpS>0L1*{uU7|d2-tN(JaWWpAF=n;Hc-_cN?$?0PmCOjn@mxo8GkA4D{s z`{uS&0G>S~F8x?4$6_r10Az@f>vFM-Z!kVYH~ceS0FtYztF!nn`)Dq#)Xm`4#*Yze z9EI%0dq1#)?_jxKze@N%meocnFS${Vpq3!rkH2t$nt_7(KYrB#oCwchy2~z`)E4n? 
zBnA2S@yU>{3yUPWrp6ve%H9Z-^eb4kZ>;Y~WMF6uJZ&pGe=XfDL0TM7wJ8y6IO_$A zM+G>|oukv+S8-*U+j+Vmxi#Vk*n=JM;k$b;RwZssxK8qyApI(472w|*P`-JbKFDEB zn&Z&+R5^^%GN)F=6il7aD?m4Qv+YPJ15E`m3mcLh*Jbn#fd)!UC_Jt>$Ul(`^h=cJkXn!-kZ&KUYO_m z2JcPs9UWX?7oUfQ;Fr+l*LuF^-38P&$H#8+V0kDH@*U4?_Yiq=f4A4-lrQiyWr&MB zG-BALXgNLj)6lww3J%a3Vq72b`>^hZ7!$4>`LG^jUO_bZxE`Opg1PchA7pTQ(!Y~F zd@>T6IscgiLk1&4W`qVMjSGZB5=II`+YKSp?+)d{QieijMe0TC`$VJ+NpQ#&5dhaO z6(JI1goivm^O0xrqs$*#G#;#D#3dR_PB@g*7r7A1eo83`IkQseN*5FrGH6z874%s$ zd0s?OL)w`>Aoon)Ct}u|EjYYD5IFt}3jjlcJT6E%A|rwB6=|{CqJJ6ynmB#KF&==J~wa0hOQfg-r!sXy%tlWd!SVz{BNit@-v zi^&y2EhA=utv3{M=9*y85ur*Eno!~q?7(6d0<&Jmel4XKO(d!aDx~UA>mpJBzd6N3 zAWy_%&uzqFpYEYI2(c)l=$qsmg&(Y`Qdk2xQpBE891(>YnfezhBPuoN4H0Y*nmhp2 zkz|_=gnEr${+*x}#;Pb;3DH$*F%W+miHqz2rc|=RdW?Vok~xn`YQg zB6YH=fYb;EL+ovOO(tLH^6%KS*mmOW*q3+}fgBOdJ+=|nTW*K4KZ#e+RyR?0*TCJ$ zeQ7F0bz$8Y@@BP8ve41$&^{h^@ihldmJ*OXv0YM&$LqItb06 zc2gH}^_UfM^#w`#_P1`=o3cUvO{lTtIDO)<8QV^3(YuDE6xN zSJucsK{fTLN(qHN!1E(dk_kepi!n6Fl8W-#NUovqp}BY0M@;rA9Ol(v=8F2DxP3Yc zLg`0Yiv3BLoBjqq*@qax(j6Va(o1p(cM_P6W)Rddw2b(iunx;Y(TP+|)(P=k)K^1_ zLPipxfo>4GSQx*_;X!=q>H*1P-<>7Z1#kbU6WX4l6B!mAwU;mAyt^&py!X?gs7L(P zClAs~--jpn2Ca`6W$OyC0+>PC=R%Nf*+8xzwm>X6uNIx`b2v~ zZ8cxyxS)NkQ$p_wCq?rQn2jjelI$nlLfTfmU^%qqh7_WBWeF4NV;Opco*>T+b)M02 zK$)QMCGit|()bzhK==~p0e&gJcCRb;M6N5+4wW->7{Yvr{D(Y%7ClI6(QOTtuN=!| z+I`6o`KGMsD39qlxy@*hQz`VFvSrD}fxzef-JA1gE3ISj%lXnK8(wM(7AQsJntvn-hy?zEYZwR*dCu- zzaz`Q9<=J~fv7g#mVM<(OVROCGJ@rV->e#XhRf5PQ$5b5-(KsVtpt=PG}ImxRU8sv z;Wl??N0m{PC`$d^HmKacNo-a(2qWEz5UTlg5KV$xLETTP-w*4VZu1qF`%Jt*7h!K7J zRr9ti`m`$od*+EI$}yDUE01(W=9}cr1L=$GC;x6!tH^A$nG0*UPo}D`Kz>H{N}TQe z7trai^8#j@xqYxW_$KsYvIE2>o2B{+GhiH7e@(CSm>aBmrm=6BmI{WvXJo*L5E4m*!!+j?q>s-4oA$mNT_Wl z*g+x6UTlB9LeHM9a->@@UyEn+`19l})|x8Fl2Ctf3PyMU_@9Loze@@sOh4+&u@v?_ z^P|a=B+3AG!#L0TYVWG_>I>{YF5<=#2FW~DCch$X3`J*ER2zn+BjGO{Ygwn26VWp- z0IZ)WJ*1R?0bP03@y+Qa;VZw#=LfX*3e|>8AtuqKhUQ}!uq%~|)IZ6v8;X#RTi*;# z@d0Ei$?JaIrq)Ik$;q8Cl!*>UjZ(UDO6$c_Do1A|WPr%_t;CM`cnE5Pb@@8*4p*H% 
zQ{~@&E+_$LM;PI2jD>_6BC{@b(MvWYsjx2c+6jNPwzEWOT0E;5Sui2|8VNsDnK zPgkDzYfa%r0#m}luZ3cjN2xVmec_9|LKVlCWYMoRSBWi8PR9+011&tlhK5v;@ajpn zQz=@)>?^GxM!DkbgYnE5h8SQf`U z{YH&t9!M!PT3jFh6@UJEQt$LQRfl6n#^?Rpk_E#g!`!ZXSCi(LEmPw&XLYIKgt}mU z$(VvxM_u$I*@S|lFh9eMiFIa30!;_n#C3V`(~q}ivZb68Bmux?XBl;@1|8TMP%1)9&s7)- zL`=!aK03g~fipMr@*_IVJJCFi3pZ8+3m4k8A9rt`EqlZPsm~-z_v&tUY6^wf^4aW3 zYKep>Ivy_Py0&{N#bR=5%p&uCHugsx^6S-bz?89veXIhqUTOwGE7rM5J1#JHL|h1; zP#afIL$x{It|$Se^Csob;rBV$gzCJkt<&Apl=TJSyCXI%TW>5|J}leRs3s@zRYvhu zZt+zIah;@mCjDugGK**>4+eo$tD>wK@iG{~JgcOk?B zr>)}1eJ^1lK@>75)PeKSlRH-kgGv0yf{?qZkqg(MnJD?aiK&*qFv`tIcClk`o8uxT zkCmjL7j7Q-%Z*k}w%tS)(#RG^Dn;UPvE9)k>(XGS#a+12$eFsBhTa(Iz&D_cUj{wm z?uPKvXHipDSUb5M2lQJue(V;7mb~2c4Qp?Q zH!-Z~sR}nS>L{#B?9lbxWjR_T+GQ)7nM<#lnVB&M+vFQsv?@^tq1(b<`sC=p#- z-2jS;L{?0Jz<%{<$zWpxci!F4w7*YK^{BbPe&!!A1qM5f-X)CelarQUXZ0=36qwM| znA@*elJ$Z3*!%v@Q`Zm)G~M`%g19e4t^-*(RAy9W)8t5a+Pe}$MyKL$T=58qUb*~+ zEGiVMqU<=^ggY#<$e#oKtLVblONZ?&Nt->|%q^^Zr1^)cg0YrO;0CeWd={~ zFRL&P8*BtETKAylyl!bzfxR0HSMcTiVb zr_+OY7BFat*p9T3KzRlC827HcLPwm^IjCLhp@NT6f0%{uK*Jy56yLX+9p#I@e*sm?P)vp)$KCz4N+|WX3aYIuQ*pYp*(TlYC6v;zKZ0TxAFm<{7lDtE* zyI-$}c}9`MP`I^)DCSHTI<93}NVcu~37~T=yVcx;t;U!)v zg;_u$5?jnY^h7ulaOR=R_(PvPsD^Lq#&b|z_gu%*@(Yz!GF-Ce!WQXn9N~P+;q#|+ zExCWdJh>rjn}!iySV?R!Nk*TA!A`l)c~1(%wnr#GA^4_4p!CpKY?xnQ`|5z@h@M`5 zGNeo_{N`W%Y3H&PXV4P7C6STZdRXGdnQu9AQP2si@*b~v8t1GZ8+&^HW-~HnGVG&9Jk4_HrD6~i<>muPI z=A!lDyMtPBYHU*DwrT2V%4uRwg7--9uIOIq6-ub?as_|cNf7Y`Z$sb2s3N}!w(`f? 
znW*etXg^l>1cv?W7K%b~k9e^iI1`M7%24eGd=4aPQinqm9DB0G{C90B=nUlhYte`B z2Wf|o8XO3ZmW4zJp|=jwO{6z<>UMmS!`hDuPJyckUu)8`Hd@5#KiMfsk!+FlMYO=P zeNu-Dq0kMh$r5v_UDF?!ErgU{*!6)CQaOxkk$k9D9v3O%dqlZ;(ct!v+ghXFB_qTb7U{1 zX-VIt(cEwqe!$S*77WGzX@$2m_K1I=k6HDZeGB6t>beYV5uLqCKGkEaqTl&*{3W{# zF1ZHYMFR~c5`XC~8|0*OpaMeA7qTz-e7!<~2ELrmGUjHTPd@utuIAJ+!zW{f?opiM z6k`-@V-yuC0kY&>=Sd1MxWZU>)3X9qr5D&$CCrM`O1QJtf z9^?}oW&S_Kopo4MPuuSe1Syq98YDz&_uim@gfvKlv~+hPAV_yAjRMl$As{I!9fE*_ zbSNdw**?$vyyyJb>%Goj=Q{fz*f;k*vpzFx<~wV+?paI(2T9a=T8s200^XnYj_fE$ z+yop5e*fz0k{EI~JIZ}25}5OG;kwHFPp%2S>5ATrke>#zRWBgi9PD5Y4lsMD^6u}p zSLJNa(`fFw*m*0esw&3F;Z(bX`9o`GIc#TbhGglkKd8kOjvu^UE~=7kUTz+dui=y_ zbw`R!0hPCe$9DfA@9Z<%PLa}kg)trl%J!|lUzLV1NIoShbhMA@9ekO8=j(2v+z%CQ zk2-2w7iDqCBB7tF&J~dG`ZMONll!~cHa7{59SP&$b5*8;AbNvU@Ulc1lD zWI&`-@M5e93y*|OG-s`aa7t^N2%Pcy{Csdy)aox=Ig$*5iCj3Nz&w=#2{BpmTGaOB zPn_-yZ$*21oV<~>v$MwYvop`Kep5kRW>3$dwQjHOiws?+cT3_&*SvME%m5zhl!@GW+yi zDO~y?H^f8xq-qYa$Iw>frG~fGo)^QH?uDfnL`@=0IV>*QBVUJ)oYP3CxVb*D!?+># zx#|NvrKF-dXUcks(nb86a0<0);})GlgCv$h1shNOWT46|``h`gIatpiPx7CNTwco!?PYk@< z{fsCIIPGTV;Ua^J;0_bTR$4F5+}%k;B3One9_T5EmKPgte_D|vCw25Z9j>-1@&4U* zy4_r&KUCB`?{oIuw4X3E;3rQ)6pBx)z+QKL4avg(A=~)C_m;)%+Q~xL*uHV-6WhyT zZI8K0b=Mq(uUobSO>woV7OlQsGB>Lz#U@k(SEz-kLYu55PvEPsW=eW(&*CSNIWdW+ zVT0tcd5(BNTMX7)7ItNyDS16{)%g zsBeYTBCA-;JsUsMl^_Y?Y_Z!11QA$aT$^t==}_%< z!uW^%5{43)wEodu!G~nKg;n2kQ%lPmFVjNil|br(DZkjKwj14^?uO?955y6Lf~`j1 z(!^h1`1Ck)y^cNCUJ{gje3=?beTp+N-@H`6-|SQ-+aqr+G~iO@@c#6%bv+M!%IuC{ z!P{vwI<*L1XARq^==qg(s>k8!+NCXW9Cnw@-{c<8)42zxsuB?il#hIklKMJjMj^47 zv02H%`#FBn3@JhEyN2AmQ7rd^X$h<$=3Vrl&$u$>_X<>_Auf*@ISxjt!@G~Sunde+oi#evmJBv4 zp>Z5GWh313AI_%a8g>g(Sf|X835&Y|nJRY>!xVj^#ld0Dc0U>vrVgmY3i2+Bl_e>^Ag~(OvFkF5Ayz;VH zQ-gPF)H2vZ-_I{b<>T^=|KO@kp73|eX{_>pdRSH1s5w! 
z(K5dveZchud)za;j;de8fy;?$oR~UcCl{Yep-Y(qp)RkXtNS%&I7->5EJ2)=4GD*{ zj7@qb`V}#&y)e&@wcy;x@#%&WI#~5HD{M1Z!0s1BTNtXii>XVh&A47)U`GTscj^aBm^(J$9mG_`Iwe|Q`a>pS1+wAH#W9{-|^tG z!pEl)b^MT;`<|b9kS%^)<%^cC+N^0Qa}Z3T%=$*r$jo)Vg1jEXT>HU7+{f@Ss(fnn zt0EhxCdO2eq2O%wA$6sI`uz|CeD5qS5}up~Vb_iGkY%-NTd!4j%q&Rvo`&Iilu=r& z$`l}9mi%;*tr~MW*=?E~nbz`u8N57Nc2sClnLy2@Ul*MuX_Ox}w%kM~OI%@|ytUx? zv{Y#Sd3;`2c z>ckIp$E>W3OgU5=Y>e@3M<;?aisa|>L<0CxO2JiJgP-liUQsDHU)Mh-+X@$zP99o@ zEDcRPNYvsVU$aKus*=XxQUt3{`%R4-NZyovdIHl<U+Y^mItFekqFS6wlRwKiU413v0C9ZLzmygz!TK1ukBB&nL>}VwGaxmWb+gt2! zQim(*2@6$7%uNg(1q6~4R@T)yg(H?61=I+-@AhOOOd5S8yV#sg(L`(TKQ=04Gy#70bATLcwW?kx8W^9eekNS;U6LBtdz2nw4YTfT)LV<=AZP zMue}JhcxSQQ9u)PhEXxsN~I4E`Zd(>Q_^I-AJ<`cFLMKTw@efEsgzjd`>-@KF$Y3W zO(a5+zueo39(JQ(t6VHlr#Piy^ib^3-vYk(DRawFSvsM_(qJNNK(DZq!I9yxO>YR0d-=XeSb(gum7o_ytRQf>D z=G&yn?xaeUlvBXn7WtWU1-#-{W9^Ko_2Q|ps6m>BS+XbZpeC* zJO1(dsFO*f|5`)8qNDX><3c8LYub{_gu|Rm^TmN$)hM~giGYHUCfCO1WP_JtiN@r* z@yji053!1d)JF*KK5xoQ$<4j$aREqUk;}ln*qL6KS8kJ0-$-@Y`Cdh11Ltvh*G}qU z<6|2B*tM_p29N0s(rKg02IvBdJcWazn3ixC{Vnc6Tx9m^57 zVU?X<7Rn-ZsoWKrh9Bpn%A?lN8~jvbn3u_tdsJ?M6=fUngtXlC_PHCMj?&Nyp=Bx@ zG7y>l4$=1k+;aM}&|@lM;OMt+o^tYKN%d0C!93RdHjAR2zzvn^Dk}?gkd#C$-c!Zu!*+o{s-E?bwj_>(dTJx`fmBW?Iz7gfD=A^x) zpm>tzP+BLKi7?s%bELri{rQ2KAn~~p%iEDfjb<|=rVze~* zuIu=x#Pj#PH^teSH8mguTC2J>rc2Stw_~%X<1t@rspEENl@X1OzrJqNcsALpxu50w zrN7mJGB>K4OqzY#Fi8Kh7t!dtY@K-F|6`_@dZ4LcYj(H8$fo(v@-e(9zrCuVx5-0g zs+8Hj_f-0PU}dZ$wg_q-d1n9BjQq>u6Zcww)CY0HDLqHC(&Qf;t~`Vnax^EszPe{z z8v=>thtpBwCCzrcp&#_Zf0P_(Zx-D@nf`KXu`hq5J`|sOJE&%xzPe3YQ}mXwKl{{^ zt@i#!{c$J+js53e+(k0nrgm)S_WM%%nr)z40ip5#$zQ ztKk;&mf!ZLx0=ywuC@*3Hx16|D=mlI6+9o@qA1F5kkoPe=C@=P_t5#w%WR?QSKC5O z0iTYW#fe1@&z)4ynU=&q>(6DnFTK9)-nY5MLlWwY+~I5%wAB1wF2>GaVj$9Ia>>`2 zqrX-=Jz$eZ5t;SOB$q0Ay!|*}-GFCPm-70`UH-Icn;rg|?WCQ(lG^n{iM@tDR152B z-?IpE)&CrmXp7uQkLCZ}??LUQ?esg?uI#!_NvdKW`uK*4k(&|R`H`-dbV>)5B~u~D z@vNEO`5VbKTNh+uJSN`sM%td)u3sY?_NT-NN?xt+=?$0GBrE3dXz^Kg=VkZrq`Gml z7uomclJVGi$jLQ%_oPKHX3~$}9`Q3>OnjE9%m4D^{kc!@7}4+FffeZ&L+4Aq$T|Cg 
z7KO#Rxp?Z!Mpo%*Cbb`s!&s~PN^7140p(*BT|WyZw5mCCQ?|o28n;*c?1_K$E~;l? znVz43Qr!a{u_#d6B!3}l+^cSfbR0iWX>@~z{SRjuc0$d_%2V>lvna-r&O zmjfmofy`POj`k|QT-f&Ly?zj5Kb?V)G+;u{m(>gwPHjSgx{LqDLob*ZZbhX(H z87kd*B3jMg?I(-$J?~`PS6j=!@OOGVuCml{cJFNEE(g0N+4JUBEz0ejXhFCAZw5b0 zPQ!hX5I^krYnDfhOZ(6JwCVesQ(kKm9yPHpZF?bE_~qv%L0@O^`&IY57ByV>et)_h zjg|QJOJG~i$WE)U-~->8TPFgCctsl9hL`UTkDK+sLJNZnw-zODGtjQxQ2ZDR!e!|A z$nh*on&(5NE{l)+%Gk8z~4^WgSkJK!LPYl`G-Y;Q2zSYrAI#>iFTcPNfbM68n%?$^zPqBh<{5$!T;XxP6yrjnC-JS1gK)^J!D zVfO<1s8&R)Yk}Oljxk6EtS2$>W{+!7X~)FG7|)pbVUhT%=Hs12S?6K4fRV#ZE%N24-@=>QUi?2?3 z4}anc|KKnR%=?y$jqmIz&a8Q-c;LsVtj7lO30}m4LaAq0W_Tl2x=mNudi0Ee@aD?` z#y05ut{_wQ*|nXEc0r)Osjd(vS*@AnvzSdDCHmKR|PTi{|Uf=E5KGxA` ztX6%V(tF#KeBXX(NQmI5>$B@!tte8;0|s4J?sd|W2S{E%YY`V=y1uC?$*3yJ?<;jE zcgaTvTey*6%lFf9jt9H9V}`$nVxO>5=c}z^*-Z|EB6d?r7gDsWz6y$rh~IlU$UcT> zKTw?OQ~PaUJXYA$<{t>6|Dxx?AODhUSf~4U!s|E#p#-nlBHzgun@Rp$2YrVS-IbH2 zXs-~bz~v#Q=;zTqt2Mp3hC=M^&$|t00$)i#IU`jJ-k|i@d!%4Pg{-8t=9ku@4jPUe z;gG54RWq8K;Iez!xvVgU^z!?$Bk`k&t*2rmm=4QoCF1qnxX>T>o=eq>sphZZY_~UU zXxqL0{=}jB(w+Z(!?Y)9h>OzR@A|XF3gVkl4YI--j9Cw_F+>TEzeedf49neMwNoUx z-X>0e2(q9Cb0j3>CNQ_k5inZgOI!rH6t0^;E|5h9)wMljY*ATM{JuyidE&5hlw-cN zyj>@L^HbfAEh?Ka*Eh3OCZpRF1W~WA$9SMh`TTBrUZd}#Yi&tvrujilbkTcH=i2f0 zBF1a0foqL8{v***!=difTYokJGq?_xJyJr)xTlb0SsYoCk;a6S!j3d9w)eXY{67gX zW8?FvxqdpwS9T2jHhO;_F{}8oMkp3b1EjV~crV?dbD$S!$9B$xstx8A4@V-g90c%XncEO&7W4UKOYGQkn0qrB8ZO7}vebU}RZFjIIQl z@W!?@GC+Lv0DGxd70rvC+%2b>bAts)xula0pX2cHxC?#a~qH#x?-Jc{Bx6#O&; zfuVeOL4&E<`WEvsq-+GbR{p*ZQ#8b4*Ob?Kc{Wr>UsP|5r*w=4;QNkZxwRe1kakiB zZjDiOLC(KRQe7h`6MW5Bc|lGuKTA0|Fm=}DJ7{qkG|qHgPgm>KMZ~*9TKwCuI2nVn z+CLsX2#)oT#VVaXn<(@5IU~9qrOoj4*VE4fbum@6cg&wb zz)B^Tt=t(Ul7xti(P7s_S2V`hu4mn6(Tuf}eUQHzLxnxUNQ(1-eXv@MhfO2RmU}?8 zSL>4=7!>_M?b)O6suyR~@`-|y#}$T)bkfGH&pgs^WpVR_cfIN++G<)Ksanq5vc0hr zgHPRDZz+-d^8PG`U`kvims1tlACA7N559ywbKl+h{UwEO<`~F_hr?4gq`-3?9da7wp(V5pE%hK z1*=gf@iw~3%bfl3I6h)=Q~dZfZ4mn%YRJkYMlMC zzs-Bt;G!K%jU{ zhQO%0jd8EsN6{Pu1kirlrn9phRjsL`MZd)*mP(E6*5~5Yu_+srkK~DeOHDb>>@I?c 
zv*9%|Qt!ry8+S7ns1{wTmrs{MuzzZ;jQVs(TMXe`AH$;y3Ka|vZX)@W1LAWoy-ABD z^;HaS_@>*NLLn&z|4V}Ei+g#rohdjnRKB$z_FqTHJDBIK5-qU1WKrssN7l{6<*OEp z6}$UQUB+Rx4rrbgc03=yN&MlO0x5AF&f`##(ve%0*ZW0EmCiiM2E2KjDDEXyc_LT%ai)f4dZ*~9Mx0x-&_|;HZwxwai%&wUARK<8N6+;-DcxIxSkfr@sMrRFw3}2&VC5}>P|P-O;3mK0p){7D@y0# z3kAhbj4FP<;y5osJnS7gQc{FJH0m0U6pbjYVNA@P;M039Q?ZjL8SNZX?L5nsT;whw z<}JGt7R|g%Oz&X()1#@#?xk5oXr4-EG=!b0JlN&V($Akqrw&`WtYzwC%cBNfp`6l&tR4} zwU%HcZZn0ny~wmn$BN4XR>r4M^u_Hz1{OR*350NIwm;(3Ht*bi_T%H0-RDn)D>yD8 zwZ?(%pSlB9`+MJL1ozJ{v{i%~#P}(noUa(=SgzxsO%3 ztW~cxuD3+$ba4Zx@KPrsaaMyc{zS~p+PPGayp7(bxao@q@?`! zDfsi&oa}Sd!g+HKyI)OT;~x#7+Tg;yc#^9aES&y`4Y&TOi+RJ;RC(Tm#cXjb@|*Kt z8rayH1RpSAVGBoIuC1n-bzWF}`^+_-m3 zlt}S)R)SwQJ*T26OJccacR=#IS)OL6a^7nXUVMNO8xU3T z^ucVIWNtF-=4tp2Y_H~XnM|+RzK>JW&e%z=BEWxWskD6S=Q9-xq__H$6&ZojYcmm& zW6kv2s*z1al=M5EuYAm-Rs~WmP`^iRb%zw4~y(6E*w6h^U}M-E_rRiy}3 zC-ifn-lN`=jHX1VDCcKX>QXKrbVS~vpL6W~q+<4Ez>4d5p-DF4P4N&`vwAO^?407- zTFk+VUcT&uARIasVl}c5Jk?X`y!HH*MA~w}1ljmTE>(nhkEJR_dk{ebx#CA`*S2rj zFT&qc)1ETl~>6_kB7yXHkB7K^Ih1QP8$C zEkAH>H9uoT^1QNld*$*PV?qnj|B%T8{!b>)zjEUcpuf3sV06kF9LD?ix4$`YFa+B8 zk1R6S-!!lP%BcHyHrW5p3Hv|4L;jTy1_%8+yX)^?{^R#ITkWs?KUrpfJ<#9(Sqt<( zwV*Szl-+ENc+?e*jCqvI+>Ou~dQcuUO$IOni~*gF$D?RtCfv^KV3_*c#v z`gc*yCt}ZpMG-KU~mL4j8_h@PGF}SMWb4hQVRberyqaNA8wiQQRhIFeyCAiR?l&fjB*r+AnCnM7I;7isqpQvn{I zU$}^7b7@T*&U~qlTAZk_CTi=Kc$^neu}iBgKhnR4Q=Yl!IED?oDKvyYL5W~zJ}~#7 zg>BxGwmpTCI|fe_ubYCLnfW4KB8bF{E;{XQv#8S>)9R47h@tz}=R_woht7rfEAhOu zS7q<{$RDwvXp1$6e_cs98^pi9>f^0;5{5o`>@xN~=e-*r^!yp`VGn^w16ph;Z#~ds z_G>c@dMy#;3kH#Q3K4__;(~}+g*asb*g<4;ZNdq6M)a`TTR0PN_w*3$B23IrA^mDzK9~^jl%DpXD@vHL>;%_{k`3naMI6I>i8Ra zB!z+c4}A$si7fSSaN=H*NVVLue)z`T6`O97fUNYEvoMQgU{NWd^J@y{79I4<2;bx7 zf51L$@yhjoV0-OOi%{;HHd|7;&tTLYwhwf2EoP>##ZWg*=4ny_@ds~E%o88I$4#1t zX!#V_5^BuzIkw8yUay%auWX?;4Q#Nb-)<3cy%zcYX8rr=1Zf*=*Z_8tuR2Y$|6ZM~ z3f`Xy237BrRar70tsylw0h2e;7dK=cXKn+ILRWhuV?sRiV1U8UKmO|jM=~Jba44MN z@1Oqb14buL{{1jm|F;bcfn(SpAaqXS6+bu40X1dM=V`XRySIpvBU3WlBmuG)|oHV6oc5eor>&}pmxjD+Yr#JHaH3eyVB?A)KvuH 
zYIz7G2yrzQ34wyHv>zCWPIkS*i?$(QSJ{vdUgT9aBoqR=S}zg`MPif(MO^J8FcOM_ zT;)K*K$x*85WpM(LXS&~IS1Vz7&Zh5zy=1eK>%#%6!)w18oEs}ZEye^Iw>3@7GR!4 z&qJ7g037K155o@$z=3W*Og{h)^q9u<1K>dSIi?=~$KQnctGwuW9K(hJ;6MRzpvNy} zEC2@zfCB}L@GU;qxZeqhD|aG=*dn0^2pXbr{ig8*=#wF1)*fCH_Un0^2p=ye399{>k>e#Z0z z;D7*dKmj<=>jRAP(CZ;g8vqAd2QmEsIG_L==u=fNV*xmz037J^BQRoN037J&OiVuj z4)i(}(+_|Hy=K7l1K@xGaGc$ZdJX~5bMzBGKzRThV9aq2 z0nl>@fS&(-_QT*sKZ9Y~05~83{Q;oo5C{MVfSyCpdnlOo0`v!fo};%3{uzrN_*OuM#QV>F9f%O`|I5|!$lDt^qYpXzdr|+|6IXJy T`ui2#ZdWgy7u}Bkx$yr5?6R*5 literal 0 HcmV?d00001 diff --git a/terraform/aws/tap/README.md b/terraform/aws/tap/README.md new file mode 100644 index 00000000..a3b2d231 --- /dev/null +++ b/terraform/aws/tap/README.md 
@@ -0,0 +1,259 @@ +# Check Point Traffic Access Point (TAP) Terraform module for AWS + +Terraform module which deploys a TAP solution in an existing VPC on AWS. + +To learn about Check Point's TAP solution, click [here](CheckPoint_NOW_onboarding_page.pdf). + + +These types of Terraform resources are supported: +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) - TAP Gateway +* [AWS CloudFormation Stack](https://www.terraform.io/docs/providers/aws/r/cloudformation_stack.html) - creates Traffic Mirror Filter and Target +* [AWS Lambdas](https://www.terraform.io/docs/providers/aws/r/lambda_function.html) - TAP Lambda, TAP Termination Lambda + +Learn more about [TAP Lambda](#TAP-Lambda) and [TAP Termination Lambda](#TAP-Termination-Lambda) + +This solution uses the following modules: +- /terraform/aws/modules/amis + + +## Prerequisites +* **Internet Gateway -** The VPC deployed into **must** have an [Internet Gateway](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html) +configured as default route in the VPC's main route-table in order to allow communication between the TAP Gateway and Check Point NOW Cloud. +**Note:** Internet connectivity is mandatory pre-deployment. +* **License -** This module supports Check Point R80.40 NGTX-PAYG license only +* **NOW domain and Cyber Sentry -** +To create a NOW domain fill in the [NOW cloud registration form](https://now.checkpoint.com/register/index.html). +Once you are logged in to your NOW domain, create a Cyber Sentry and use its MAC address as the 'registration_key' variable in the terraform deployment. +For detailed information and instructions refer to the [NOW onboarding page](CheckPoint_NOW_onboarding_page.pdf). + +> **Note:** Make sure the Cyber Sentry you intend to connect to is 'decativated' pre-deployment in the NOW portal. 
+ +### Notes and limitations +* As explained in [AWS Traffic Mirroring considerations](https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-considerations.html) page, +AWS supports traffic mirroring for [Nitro-based instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances) only. +* Post-deployment refer to [Check Point NOW portal](https://now.checkpoint.com) > Cyber Sentries. +Once your Cyber sentry changes its state to 'activated' and 'connected' - the instance connected successfully to Check Point NOW Cloud. +This may take up to 20 minutes. +* Due to an AWS limitation the **maximum number of mirror sources per target** depends on the TAP Gateway instance type. +For a non-dedicated instance type as target, the limit is 10 sources. +For a dedicated instance type, the limit is 100 sources. +CGI supports the following dedicated instance types: c5.18xlarge and c5n.18xlarge +For more information please refer to [AWS Traffic Mirroring quotas and considerations](https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-considerations.html#traffic-mirroring-limits) page. + +## Note +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/tap/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + +## Usage +[Clone or download](https://github.com/CheckPointSW/CloudGuardIaaS) Check Point CloudGuard Network Github Repository. + +Configure your variables in /terraform/aws/tap/**terraform.tfvars** file as follows: +``` +// --- VPC Network Configuration --- +vpc_id = "vpc-12345678" +external_subnet_id = "subnet-abc123" +internal_subnet_id = "subnet-def456" +resources_tag_name = "env1" + +// --- TAP Configuration --- +registration_key = "10:10:10:10:10:10" +vxlan_id = 10 +blacklist_tags = { + env = "staging" + state = "stable" +} +schedule_scan_interval = 60 + +// --- EC2 Instance Configuration --- +instance_name = "tap-gateway" +instance_type = "c5.xlarge" +key_name = "publickey" +``` +**main.tf** - Refers to the above configured variables and does not require any changes: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} + +module "tap" { + source = "../../modules/tap" + + // --- VPC Network Configuration --- + vpc_id = var.vpc_id + external_subnet_id = var.external_subnet_id + internal_subnet_id = var.internal_subnet_id + resources_tag_name = var.resources_tag_name + + // --- TAP Configuration --- + registration_key = var.registration_key + vxlan_id = var.vxlan_id + blacklist_tags = var.blacklist_tags + schedule_scan_interval = var.schedule_scan_interval + + // --- EC2 Instance Configuration --- + instance_name = var.instance_name + instance_type = var.instance_type + key_name = var.key_name +} +``` +From your tap directory's command line - +* Run 'terraform plan' to generate and show an execution plan +* Run 'terraform apply' to initiate deployment and build the TAP infrastructure +* Run 'terraform destroy' to destroy the terraform-managed infrastructure + +> Find Terraform commands doc 
[here](https://www.terraform.io/docs/commands/index.html). + +This module creates a Check Point TAP Gateway instance in the VPC specified by the user, +along with traffic mirror filter and target, and two lambda functions: TAP Lambda and TAP Termination Lambda. + +Once the Check Point TAP Gateway instance is deployed, the TAP Lambda is invoked and scans the entire +VPC for mirrorable NITRO instances. + +## Deployment + +First, purchase a [CloudGuard Network security gateway](https://aws.amazon.com/marketplace/pp/B07LB54LFB?qid=1586153579302&sr=0-2&ref_=srh_res_product_title) +with Threat Prevention & SandBlast from the AWS marketplace. +A named customer domain must be provisioned on the Check Point now.checkpoint.com SaaS – +during the Early Availability period, this must be performed by Check Point. +To create a NOW domain fill in the [NOW cloud registration form](https://now.checkpoint.com/register/index.html) and your request will be handled as soon as possible. +You will receive an email with a registration link – click that, and a certificate will be automatically generated and provided to you for download and import into your browser. +(Note: some browsers, e.g. Google Chrome, require a restart for the certificate to be activated – kill all instances of the browser, and restart it.) +Now point your browser at [now.checkpoint.com](https://now.checkpoint.com). You will be directed into your new domain. +Go to the Management > Sentries tab and click 'New' +* The New Sentry pane will open – select 'Virtual’, enter an optional description, verify the time zone, and click ADD +* A new sentry entry will appear. It will be uniquely identified by automatically generated 'Name’ and 'MAC Address’ +* Download the CloudGuard Network TAP Terraform module from [CloudGuard Network Github - TAP module](https://github.com/CheckPointSW/CloudGuardIaaS/tree/master/terraform/aws/modules/tap). 
+Edit terraform.tfvars file according to the instructions in the [Usage](#Usage) section above, using the sentry’s 'MAC Address’ for the registration_key variable. +* Launch the module using Terraform. As described above, this module creates a Check Point TAP Gateway instance in the VPC specified by the user, along with traffic mirror filter and target, and two lambda functions: 'TAP Lambda' and 'TAP Termination Lambda'. Once the Check Point CloudGuard Network TAP Gateway instance is deployed, the TAP Lambda is invoked and scans the entire VPC for mirrorable NITRO instances that meet the configured selection criteria. +* After up to 20 minutes, the sentry state will change to “Connected” in the NOW portal. +Check the Logs tab to see that network traffic is flowing into the sentry. + +### TAP Lambda + +#### IAM role +The module creates an IAM role for the TAP Lambda, named 'chkp_iam_tap_lambda' suffixed with a uuid. +This role is granted minimum permissions for the Lambda to execute. + +#### Responsibilities + +1. Invoked by Terraform once the Check Point TAP Gateway instance is deployed. + 1. Scans the VPC for mirrorable instances + 2. Creates traffic mirror sessions between the TAP Gateway traffic mirror target + and the primary ENI of non-blacklisted instances + 3. Skips traffic mirror session creation for blacklisted instances + +2. Invoked by an EC2 event: Every instance in the VPC that changes its state to 'Running'. + 1. Updates TAP for triggered instance - If not blacklisted and not TAPed, + creates traffic mirror session to the TAP Gateway traffic mirror target. + If blacklisted and TAPed, deletes traffic mirror session with the TAP Gateway target + 2. Scans VPC and updates TAP for all mirrorable instances (see 2.i) + +3. Invoked by a scheduled event: every X minutes, configured by the 'schedule_scan_interval' variable (default = 60). + 1. Scans the VPC for mirrorable instances + 2. 
Updates TAP for all mirrorable instances in the VPC (see 2.i) + + +#### Instances blacklisting: + +This module supports tag based blacklist mechanism to avoid TAP for desired instances. + +The Terraform TAP module holds a 'blacklist_tags' variable of type map(string). +The 'blacklist_tags' variable consists of key value pairs representing tag-key and tag-value pairs. + +The TAP Lambda will create traffic mirror sessions only for instances which **do not** hold any of +these tag pairs. Instances with any of these tag pairs will not be TAPed by the TAP Lambda function. +If a blacklisted instance is already TAPed, the TAP Lambda will act accordingly and +delete the traffic mirror session. + +During the solution deployment, the 'blacklist_tags' variable's values are joined to a string in the +following structure: "key1=value1:key2-value2:key3=value3" and so on. +This string is passed as 'TAP_BLACKLIST' environment variable to the TAP Lambda. +You can update the blacklist tags list by editing the TAP Lambda 'TAP_BLACKLIST' environment variable. +The structure "key1=value1:key2-value2:key3=value3" of the variable must be maintained. + + +### TAP Termination Lambda + + This Lambda should be manually invoked **prior** to destroying the Terraform environment. + The environment destruction **will fail** if skipping the Termination Lambda invocation. + +#### IAM role +The module creates an IAM role for the TAP Termination Lambda, named 'chkp_iam_tap_termination_lambda' suffixed with a uuid. +This role is granted minimum permissions for the Lambda to execute. + +#### Responsibilities: + +Lambda deletes all traffic mirror sessions associated with the TAP Gateway's target. +This step is crucial before environment destruction in order for destruction to finish successfully +(an alternative way is to navigate to AWS traffic mirror sessions page and manually +delete the relevant sessions). 
+ + + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | +|------------------------|-----------------------------------------------------------------------------------------------------|-------------|----------------|-------------------|----------| +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| external_subnet_id | The external subnet of the security gateway (internet access) | string | n/a | n/a | yes | +| internal_subnet_id | The internal subnet of the security gateway. This subnet will be connected to the mirrored sources. | string | n/a | n/a | yes | +| resources_tag_name | (Optional) Resources prefix tag | string | n/a | "" | no | +| registration_key | The gateway registration key to Check Point NOW cloud | string | n/a | n/a | yes | +| vxlan_id | (Optional) VXLAN ID (number) for mirroring sessions | number | n/a | 1 | no | +| blacklist_tags | Key value pairs of tag key and tag value. Instances with any of these tag pairs will not be TAPed | map(string) | n/a | {} | no | +| schedule_scan_interval | (minutes) Lambda will scan the VPC every X minutes for TAP updates | number | n/a | 60 | no | +| instance_name | AWS instance name to launch | string | n/a | CP-TAP-Gateway-tf | no | +| instance_type | AWS instance type - View [Notes and limitations](#Notes-and-limitations) section | string | n/a | c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | + + +## Outputs +| Name | Description | +|--------------------------------|------------------------------------------------------------------------------------------------------------------------------------------| +| tap-gateway_instance_id | The instance id of the deployed Check Point TAP Gateway | +| gateway_instance_name | The instance name of the deployed Check Point TAP Gateway | +| gateway_instance_public_ip | The public ip address of the deployed Check Point TAP Gateway | +| 
traffic_mirror_filter_id | The traffic mirror filter id created during deployment by the 'tap_target_and_filter' stack | +| traffic_mirror_target_id | The traffic mirror target id pointing to the TAP Gateway's internal ENI - created during deployment by the 'tap_target_and_filter' stack | +| tap_lambda_name | TAP main lambda name (responsible for creating and deleting traffic mirror sessions with the TAP Gateway's target) | +| tap_lambda_description | TAP main lambda description | +| termination_lambda_name | TAP termination lambda name (deletes all traffic mirror sessions with the TAP Gateway's target) | +| termination_lambda_description | TAP termination lambda description | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|----------------------------------------------------------------------------------| +| 20200413 | First release of Check Point Traffic Access Point (TAP) Terraform module for AWS | +| 20210309 | AWS Terraform modules refactor | +| 20210329 | Stability fixes | + + + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/terraform/aws/tap/main.tf b/terraform/aws/tap/main.tf new file mode 100644 index 00000000..b3fac490 --- /dev/null +++ b/terraform/aws/tap/main.tf 
@@ -0,0 +1,301 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+module "amis" {
+ source = "../modules/amis"
+
+ version_license = var.version_license
+ chkp_type = "gateway"
+}
+
+resource "aws_security_group" "tap_sg" {
+ description = format("%s Security group", var.resources_tag_name != "" ? var.resources_tag_name : var.instance_name)
+ vpc_id = var.vpc_id
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ ingress {
+ protocol = "tcp"
+ from_port = 443
+ to_port = 443
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ ingress {
+ protocol = "tcp"
+ from_port = 22
+ to_port = 22
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ ingress {
+ description = "allow VXLAN for traffic mirroring"
+ protocol = "udp"
+ from_port = 4789
+ to_port = 4789
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ name = format("%s_SecurityGroup", var.resources_tag_name != "" ? var.resources_tag_name : var.instance_name) // Group name
+ tags = {
+ Name = format("%s_SecurityGroup", var.resources_tag_name != "" ? var.resources_tag_name : var.instance_name) // Resource name
+ }
+}
+resource "aws_network_interface" "external-eni" {
+ subnet_id = var.external_subnet_id
+ security_groups = [aws_security_group.tap_sg.id]
+ description = "eth0"
+ source_dest_check = false
+ tags = {
+ Name = format("%s-external_network_interface", var.resources_tag_name != "" ? var.resources_tag_name : var.instance_name)
+ }
+}
+resource "aws_network_interface" "internal-eni" {
+ subnet_id = var.internal_subnet_id
+ security_groups = [aws_security_group.tap_sg.id]
+ description = "eth1"
+ source_dest_check = false
+ tags = {
+ Name = format("%s-internal_network_interface", var.resources_tag_name != "" ? 
var.resources_tag_name : var.instance_name)
+ }
+}
+resource "aws_eip" "eip" {
+ network_interface = aws_network_interface.external-eni.id
+}
+resource "aws_instance" "tap_gateway" {
+ depends_on = [
+ aws_network_interface.external-eni,
+ aws_network_interface.internal-eni,
+ aws_eip.eip
+ ]
+
+ ami = module.amis.ami_id
+ tags = {
+ Name = var.instance_name
+ }
+ instance_type = var.instance_type
+ key_name = var.key_name
+
+ ebs_block_device {
+ device_name = "/dev/xvda"
+ volume_type = "gp2"
+ volume_size = 100
+ }
+ network_interface {
+ // external
+ network_interface_id = aws_network_interface.external-eni.id
+ device_index = 0
+ }
+ network_interface {
+ // internal
+ network_interface_id = aws_network_interface.internal-eni.id
+ device_index = 1
+ }
+
+ user_data = templatefile("${path.module}/tap_user_data.sh", {
+ // script's arguments
+ RegistrationKey = var.registration_key
+ VxlanIds = var.vxlan_id
+ })
+}
+
+// Create CloudFormation Stack
+resource "random_id" "stack_uuid" {
+ byte_length = 5
+}
+resource "aws_cloudformation_stack" "tap_target_and_filter" {
+ depends_on = [aws_instance.tap_gateway]
+ name = format("traffic-mirror-filter-and-target-%s", random_id.stack_uuid.hex)
+
+ parameters = {
+ MirroringNetworkInterfaceId = aws_network_interface.internal-eni.id
+ EnvironmentPrefix = var.resources_tag_name
+ }
+ template_url = "https://cgi-cfts.s3.amazonaws.com/utils/tap_target_and_filter.yaml"
+}
+locals {
+ trafficMirrorTargetId = aws_cloudformation_stack.tap_target_and_filter.outputs["TrafficMirrorTargetId"]
+ trafficMirrorFilterId = aws_cloudformation_stack.tap_target_and_filter.outputs["TrafficMirrorFilterId"]
+}
+
+// Lambdas
+// --- TAP Lambda ---
+data "aws_iam_policy_document" "assume_policy_doc" {
+ statement {
+ effect = "Allow"
+ principals {
+ identifiers = ["lambda.amazonaws.com"]
+ type = "Service"
+ }
+ actions = ["sts:AssumeRole"]
+ }
+}
+data "aws_iam_policy_document" "tap_lambda_policy_doc" {
+ statement {
+ effect = "Allow"
+ 
actions = [
+ "logs:CreateLogGroup",
+ "logs:CreateLogStream",
+ "logs:PutLogEvents",
+ "ec2:DescribeInstances",
+ "ec2:CreateTags",
+ "ec2:DeleteTrafficMirrorSession",
+ "ec2:CreateTrafficMirrorSession",
+ "ec2:DescribeTrafficMirrorSessions"
+ ]
+ resources = ["*"]
+ }
+}
+resource "aws_iam_role" "tap_lambda_iam_role" {
+ name_prefix = "chkp_iam_tap_lambda"
+ assume_role_policy = data.aws_iam_policy_document.assume_policy_doc.json
+}
+resource "aws_iam_role_policy" "tap_lambda_policy" {
+ policy = data.aws_iam_policy_document.tap_lambda_policy_doc.json
+ role = aws_iam_role.tap_lambda_iam_role.id
+}
+// Lambda Function
+resource "random_id" "tap_lambda_uuid" {
+ byte_length = 5
+}
+data "archive_file" "tap_lambda_zip" {
+ type = "zip"
+ source_file = "${path.module}/tap_lambda.py"
+ output_path = "${path.module}/tap_lambda.zip"
+}
+locals {
+ blacklisted_tag_pairs_joined = join(":", [for tag_key in keys(var.blacklist_tags): join("=", [tag_key, var.blacklist_tags[tag_key]])])
+}
+resource "aws_lambda_function" "tap_lambda" {
+ depends_on = [aws_instance.tap_gateway]
+ function_name = format("chkp_tap_lambda-%s", random_id.tap_lambda_uuid.hex)
+ description = "The TAP lambda creates traffic mirror sessions with the TAP gateway instance, and removes them for blacklisted instances in the VPC."
+ + filename = "${path.module}/tap_lambda.zip" + + role = aws_iam_role.tap_lambda_iam_role.arn + handler = "tap_lambda.lambda_handler" + runtime = "python3.8" + timeout = 30 + + environment { + variables = { + VPC_ID = var.vpc_id + GW_ID = aws_instance.tap_gateway.id + TM_TARGET_ID = local.trafficMirrorTargetId + TM_FILTER_ID = local.trafficMirrorFilterId + VNI = var.vxlan_id + TAP_BLACKLIST = local.blacklisted_tag_pairs_joined + } + } +} +// CloudWatch event - EC2 state change to Running +resource "aws_cloudwatch_event_rule" "on_ec2_running_state" { + name_prefix = "tap_ec2_running_rule" + description = "Invoked when an instance changes its state to Running" + event_pattern = </var/log/aws-user-data.log 2>&1 + +echo template_name: TAP_tf >> /etc/cloud-version +echo template_version: 20210309 >> /etc/cloud-version +echo template_type: terraform >> $cv_path + +hname="CP-TAP" + +echo "Generating SIC password" +sic=$(tr -dc "0-9a-zA-Z" < /dev/urandom | head -c 8) + +blink_config -s "hostname='$hname'&gateway_cluster_member=false&ftw_sic_key='$sic'&upload_info=true&download_info=true" +rc=$? + +echo "Pulling NOW install script..." +INSTALLER=/var/log/now_installer + +runtime="10 minute" +endtime=$(date -ud "$runtime" +%s) + +while [[ $(date -u +%s) -le $endtime ]]; do + curl_cli -s -S --cacert "$CPDIR/conf/ca-bundle.crt" https://portal.now.checkpoint.com/static/configure.aws.sh -o $INSTALLER && break + sleep 2 +done + +chmod +x $INSTALLER +dos2unix $INSTALLER +$INSTALLER ${RegistrationKey} ${VxlanIds} >& $FWDIR/log/now_installer.elg + +LOADER=$FWDIR/bin/loadInstaller +echo '' > $LOADER +chmod +x "$LOADER" + +cpwd_admin start -name NOW_HF_LOADER -path "$LOADER" -command loadInstaller -slp_timeout 5 -retry_limit 10 +echo "done" diff --git a/terraform/aws/tap/terraform.tfvars b/terraform/aws/tap/terraform.tfvars new file mode 100644 index 00000000..f6fbebcb --- /dev/null +++ b/terraform/aws/tap/terraform.tfvars 
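Review bot: `aws_security_group.tap_sg` opens SSH (tcp/22) and the VXLAN mirror port (udp/4789) to `0.0.0.0/0`, while the Lambda that creates mirror sessions is scoped to `var.vpc_id` through the `VPC_ID` environment variable, so mirrored traffic should only arrive from inside that VPC; the VXLAN rule can use `cidr_blocks = [data.aws_vpc.tap_vpc.cidr_block]` with a `data "aws_vpc" "tap_vpc" { id = var.vpc_id }` lookup, and the SSH rule should take an operator-supplied CIDR list instead of the whole internet. `tap_lambda_policy_doc` grants `ec2:CreateTags`, `ec2:CreateTrafficMirrorSession` and `ec2:DeleteTrafficMirrorSession` on `resources = ["*"]`, which is broader than the README's "minimum permissions" wording; those mutating actions support resource-level ARNs, so constraining them to this VPC's sessions and target is a worthwhile follow-up. `template_url` fetches `tap_target_and_filter.yaml` from an external bucket at apply time with no version or checksum, so the stack definition can change underneath the module; shipping the template with the module and using `template_body = file("${path.module}/tap_target_and_filter.yaml")` pins it. `runtime = "python3.8"` is at the end of Lambda standard support around this commit's date, so a current runtime is advisable. The hunk is garbled after `event_pattern =` in this view, so the remaining resources were not reviewed.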
@@ -0,0 +1,21 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_id = "vpc-12345678"
+external_subnet_id = "subnet-abc123"
+internal_subnet_id = "subnet-def456"
+resources_tag_name = "env1"
+
+// --- TAP Configuration ---
+registration_key = "10:10:10:10:10:10"
+vxlan_id = 10
+blacklist_tags = {
+ env = "staging"
+ state = "stable"
+}
+schedule_scan_interval = 60
+
+// --- EC2 Instance Configuration ---
+instance_name = "tap-gateway"
+instance_type = "c5.xlarge"
+key_name = "publickey"
diff --git a/terraform/aws/tap/variables.tf b/terraform/aws/tap/variables.tf
new file mode 100644
index 00000000..e7e45a6d
--- /dev/null
+++ b/terraform/aws/tap/variables.tf
@@ -0,0 +1,89 @@
+// --- AWS Provider ---
+variable "region" {
+ type = string
+ description = "AWS region"
+ default = ""
+}
+variable "access_key" {
+ type = string
+ description = "AWS access key"
+ default = ""
+}
+variable "secret_key" {
+ type = string
+ description = "AWS secret key"
+ default = ""
+}
+
+// --- VPC Network Configuration ---
+variable "vpc_id" {
+ type = string
+}
+variable "external_subnet_id" {
+ type = string
+ description = "The external subnet of the security gateway (internet access)"
+}
+variable "internal_subnet_id" {
+ type = string
+ description = "The internal subnet of the security gateway. This subnet will be connected to the mirrored sources."
+}
+variable "resources_tag_name" {
+ type = string
+ description = "(Optional) Resources prefix tag"
+ default = ""
+}
+
+// --- TAP Configuration ---
+variable "registration_key" {
+ type = string
+ description = "The gateway registration key to Check Point NOW cloud"
+}
+variable "vxlan_id" {
+ type = number
+ description = "(Optional) VXLAN ID (number) for mirroring sessions - Predefined VTEP number"
+ default = 1
+}
+variable "blacklist_tags" {
+ type = map(string)
+ description = "Key value pairs of tag key and tag value. 
Instances with any of these tag pairs will not be TAPed"
+ default = {}
+}
+variable "schedule_scan_interval" {
+ type = number
+ description = "(minutes) Lambda will scan the VPC every X minutes for TAP updates"
+ default = 60
+}
+
+// --- EC2 Instance Configuration ---
+variable "instance_name" {
+ type = string
+ description = "AWS instance name to launch"
+ default = "CP-TAP-Gateway-tf"
+}
+variable "instance_type" {
+ type = string
+ default = "c5.xlarge"
+}
+module "validate_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "gateway"
+ instance_type = var.instance_type
+}
+variable "key_name" {
+ type = string
+ description = "The EC2 Key Pair name to allow SSH access to the instance"
+}
+
+// --- Check Point Settings ---
+variable "version_license" {
+ type = string
+ description = "version and license"
+ default = "R80.40-PAYG-NGTX"
+}
+module "validate_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "gateway"
+ version_license = var.version_license
+}
diff --git a/terraform/aws/tgw-asg-master/README.md b/terraform/aws/tgw-asg-master/README.md
new file mode 100755
index 00000000..7850cebd
--- /dev/null
+++ b/terraform/aws/tgw-asg-master/README.md
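Review bot: `variable "secret_key"` and `variable "access_key"` are declared without `sensitive = true`, so when static credentials are used the values are echoed in plan and apply output and in error diagnostics; add `sensitive = true` to `secret_key` at least, and consider it for `registration_key`, which the README presents as the key that enrolls the gateway with the NOW cloud. Since the accompanying README and terraform.tfvars steer users toward placing static credentials in a tfvars file inside the checkout, the descriptions of `access_key`/`secret_key` could point to the provider's environment-variable or role-based credential chain as the preferred path. `variable "vpc_id"` is the only input without a `description`; the README's Inputs table already has one, `description = "The VPC id in which to deploy"`.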
@@ -0,0 +1,223 @@ +# Check Point CloudGuard Network Transit Gateway Auto Scaling Group Master Terraform module for AWS + +Terraform module which deploys a Check Point CloudGuard Network Security Gateway Auto Scaling Group for Transit Gateway with an optional Management Server in a new VPC. + +These types of Terraform resources are supported: +* [VPC](https://www.terraform.io/docs/providers/aws/r/vpc.html) +* [Subnet](https://www.terraform.io/docs/providers/aws/r/subnet.html) +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) +* [Security Group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/aws/r/network_interface.html) +* [CloudWatch Metric Alarm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) +* [EIP](https://www.terraform.io/docs/providers/aws/r/eip.html) +* [Launch template](https://www.terraform.io/docs/providers/aws/r/launch_template.html) +* [Auto Scaling Group](https://www.terraform.io/docs/providers/aws/r/autoscaling_group.html) +* [IAM Role](https://www.terraform.io/docs/providers/aws/r/iam_role.html) - conditional creation + +See the [CloudGuard Network for AWS Transit Gateway R80.10 and Higher Deployment Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_AWS_Transit_Gateway/Content/Topics-AWS-TGW-R80-10-AG/Introduction.htm) for additional information + +This solution uses the following modules: +- /terraform/aws/tgw-asg +- /terraform/aws/autoscale +- /terraform/aws/management +- /terraform/aws/cme-iam-role +- /terraform/aws/modules/vpc + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.aws_access_key_ID + secret_key = 
var.aws_secret_access_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/tgw-asg-master/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Static credentials are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/tgw-asg, /terraform/aws/autoscale, /terraform/aws/management and /terraform/aws/cme-iam-role: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.aws_access_key_ID + // secret_key = var.aws_secret_access_key + } + ``` + b. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/tgw-asg, /terraform/aws/autoscale, /terraform/aws/management and /terraform/aws/cme-iam-role: + ``` + provider "aws" { + // region = var.region + // access_key = var.aws_access_key_ID + // secret_key = var.aws_secret_access_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/tgw-asg-master/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +- Variables are configured in /terraform/aws/tgw-asg-master/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- Network Configuration --- + vpc_cidr = "10.0.0.0/16" + public_subnets_map = { + "us-east-1a" = 1 + "us-east-1b" = 2 + } + subnets_bit_length = 8 + + // --- General Settings --- + key_name = "publickey" + enable_volume_encryption = true + enable_instance_connect = false + disable_instance_termination = false + allow_upload_download = true + + // --- Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration --- + gateway_name = "Check-Point-gateway" + gateway_instance_type = "c5.xlarge" + gateways_min_group_size = 2 + gateways_max_group_size = 8 + gateway_version = "R81.20-BYOL" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. 
+ gateway_SICKey = "12345678" + enable_cloudwatch = true + asn = "6500" + + // --- Check Point CloudGuard Network Security Management Server Configuration --- + management_deploy = true + management_instance_type = "m5.xlarge" + management_version = "R81.20-BYOL" + management_password_hash = "" + management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password. + management_permissions = "Create with read-write permissions" + management_predefined_role = "" + gateways_blades = true + admin_cidr = "0.0.0.0/0" + gateways_addresses = "0.0.0.0/0" + gateway_management = "Locally managed" + + // --- Automatic Provisioning with Security Management Server Settings --- + control_gateway_over_public_or_private_address = "private" + management_server = "management-server" + configuration_template = "template-name" + ``` + +- Conditional creation + - To create a Security Management server with IAM Role: + ``` + management_permissions = "Create with read permissions" | "Create with read-write permissions" | "Create with assume role permissions (specify an STS role ARN)" + ``` + - To enable cloudwatch for ASG: + ``` + enable_cloudwatch = true + ``` + Note: enabling cloudwatch will automatically create IAM role with cloudwatch:PutMetricData permission + - To deploy Security Management Server: + ``` + management_deploy = true + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | 
+|------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------|----------| +| vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | +| public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | +| subnets_bit_length | Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20 | number | n/a | n/a | yes | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| allow_upload_download | Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point | bool | true/false | true | no | +| gateway_name | (Optional) The name tag of the Security Gateway instances | string | n/a | Check-Point-Gateway | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | +| gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | +| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81-BYOL
- R81-PAYG-NGTP
- R81-PAYG-NGTX
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| asn | The organization Autonomous System Number (ASN) that identifies the routing domain for the Security Gateways | string | n/a | 6500 | no | +| management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | +| management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | +| management_version | The license to install on the Security Management Server | string | - R80.40-BYOL
- R80.40-PAYG
- R81-BYOL
- R81-PAYG
- R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG | R81.20-BYOL | no | +| management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| management_permissions | IAM role to attach to the instance profile | string | - None (configure later)
- Use existing (specify an existing IAM role name)
- Create with assume role permissions (specify an STS role ARN)
- Create with read permissions
- Create with read-write permissions | Create with read-write permissions | no | +| management_predefined_role | ((Optional) A predefined IAM role to attach to the instance profile. Ignored if IAM role is not set to 'Use existing' | string | n/a | "" | no | +| gateways_blades | Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (additional Blades can be manually turned on later) | bool | true/false | true | no | +| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| gateway_addresses | Allow gateways only from this network to communicate with the Security Management Server | string | valid CIDR | n/a | no | +| gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address | string | - Locally managed
- Over the internet | Locally managed | no | +| control_gateway_over_public_or_private_address | Determines if the gateways are provisioned using their private or public address | string | - private
- public | private | no | +| management_server | (Optional) The name that represents the Security Management Server in the automatic provisioning configuration | string | n/a | management-server | no | +| configuration_template | (Optional) A name of a Security Gateway configuration template in the automatic provisioning configuration | string | n/a | TGW-ASG-configuration | no | +| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | + + +## Outputs +| Name | Description | +|--------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| vpc_id | The id of the deployed vpc | +| public_subnets_ids_list | A list of the public subnets ids | +| management_instance_name | The deployed Security Management AWS instance name | +| management_public_ip | The deployed Security Management Server AWS public ip | +| management_url | URL to the portal of the deployed Security Management Server | +| autoscaling_group_name | The name of the deployed AutoScaling Group | +| configuration_template | The name that represents the configuration template. 
Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name | +| controller_name | The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|-------------------------------------------------------------------------------------------------| +| 20210329 | First release of Check Point Transit Gateway Auto Scaling Group Master Terraform module for AWS | +| 20220606 | New instance type support | +| 20221123 | R81.20 version support | +| 20221226 | Support ASG Launch Template instead of Launch Configuration | +| 20230806 | Add support for c6in instance type | +| 20230829 | Change default Check Point version to R81.20 | +| 20230914 | Add support for maintenance mode password | +| 20230923 | Add support for C5d instance type | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/terraform/aws/tgw-asg-master/locals.tf b/terraform/aws/tgw-asg-master/locals.tf new file mode 100755 index 00000000..54cef511 --- /dev/null +++ b/terraform/aws/tgw-asg-master/locals.tf 
@@ -0,0 +1,64 @@
+locals {
+ regex_valid_vpc_cidr = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$"
+ // Will fail if var.vpc_cidr is invalid
+ regex_vpc_cidr = regex(local.regex_valid_vpc_cidr, var.vpc_cidr) == var.vpc_cidr ? 0 : "Variable [vpc_cidr] must be a valid vpc cidr"
+
+ permissions_allowed_values = [
+ "None (configure later)",
+ "Use existing (specify an existing IAM role name)",
+ "Create with assume role permissions (specify an STS role ARN)",
+ "Create with read permissions",
+ "Create with read-write permissions"]
+ // Will fail if var.management_permissions is invalid
+ validate_permissions = index(local.permissions_allowed_values, var.management_permissions)
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+
+ regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SIC_Key is invalid
+ regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 
0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters"
+
+ control_over_public_or_private_allowed_values = [
+ "public",
+ "private"]
+ // will fail if [var.control_gateway_over_public_or_private_address] is invalid:
+ validate_control_over_public_or_private = index(local.control_over_public_or_private_allowed_values, var.control_gateway_over_public_or_private_address)
+
+ gateway_management_allowed_values = [
+ "Locally managed",
+ "Over the internet"]
+ // will fail if [var.gateway_management] is invalid:
+ validate_gateway_management = index(local.gateway_management_allowed_values, var.gateway_management)
+
+ regex_valid_management_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.management_password_hash is invalid
+ regex_management_password_hash = regex(local.regex_valid_management_password_hash, var.management_password_hash) == var.management_password_hash ? 0 : "Variable [management_password_hash] must be a valid password hash"
+
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+
+ regex_valid_asn = "^[0-9]+$"
+ // Will fail if var.asn is invalid
+ regex_asn = regex(local.regex_valid_asn, var.asn) == var.asn ? 0 : "Variable [asn] must be a valid asn"
+
+ regex_valid_admin_cidr = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$"
+ // Will fail if var.admin_cidr is invalid
+ regex_admin_cidr = regex(local.regex_valid_admin_cidr, var.admin_cidr) == var.admin_cidr ? 
0 : "Variable [admin_cidr] must be a valid CIDR"
+
+ regex_valid_gateways_addresses = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$"
+ // Will fail if var.gateways_addresses is invalid
+ regex_gateways_addresses = regex(local.regex_valid_gateways_addresses, var.gateways_addresses) == var.gateways_addresses ? 0 : "Variable [gateways_addresses] must be a valid gateways addresses"
+
+ regex_valid_management_server = "^[0-9a-zA-Z-._]+$"
+ // Will fail if var.management_server is invalid
+ regex_management_server = regex(local.regex_valid_management_server, var.management_server) == var.management_server ? 0 : "Variable [management_server] can not be an empty string"
+
+ regex_valid_configuration_template = "^[0-9a-zA-Z-._]+$"
+ // Will fail if var.configuration_template is invalid
+ regex_configuration_template = regex(local.regex_valid_configuration_template, var.configuration_template) == var.configuration_template ? 0 : "Variable [configuration_template] can not be an empty string"
+
+ deploy_management_condition = var.management_deploy == true
+}
\ No newline at end of file
diff --git a/terraform/aws/tgw-asg-master/main.tf b/terraform/aws/tgw-asg-master/main.tf
new file mode 100755
index 00000000..a9fdd06e
--- /dev/null
+++ b/terraform/aws/tgw-asg-master/main.tf
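Review bot: The SIC-key check reads `var.gateway_SICKey`, but its comment and error message name `gateway_SIC_Key`, the spelling the README's inputs table uses rather than the variable that is actually declared and set in terraform.tfvars; align the message to `"Variable [gateway_SICKey] must be at least 8 alphanumeric characters"` and the comment to `// Will fail if var.gateway_SICKey is invalid`, or settle on one spelling across README, tfvars and variables.tf. The key_name check `[\\S\\s]+[\\S]+` accepts any non-blank string, including the literal "true" that the string variable `key_name` in variables.tf (later in this patch) is given as its `default`, so an operator who forgets to set it gets an AWS lookup failure instead of this validation message; its error text also misspells non-empty as `none empty`. As a point of style, these regex/index locals are the pre-0.13 validation idiom; `validation { condition = ... error_message = ... }` blocks on the variables themselves would raise the same errors attributed to the variable and remove the unreferenced locals.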
@@ -0,0 +1,55 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+// --- VPC ---
+module "launch_vpc" {
+ source = "../modules/vpc"
+
+ vpc_cidr = var.vpc_cidr
+ public_subnets_map = var.public_subnets_map
+ private_subnets_map = {}
+ subnets_bit_length = var.subnets_bit_length
+}
+
+module "launch_tgw_asg_into_vpc" {
+ source = "../tgw-asg"
+ providers = {
+ aws = aws
+ }
+
+ vpc_id = module.launch_vpc.vpc_id
+ gateways_subnets = module.launch_vpc.public_subnets_ids_list
+ key_name = var.key_name
+ enable_volume_encryption = var.enable_volume_encryption
+ enable_instance_connect = var.enable_instance_connect
+ disable_instance_termination = var.disable_instance_termination
+ metadata_imdsv2_required = var.metadata_imdsv2_required
+ allow_upload_download = var.allow_upload_download
+ gateway_name = var.gateway_name
+ gateway_instance_type = var.gateway_instance_type
+ gateways_min_group_size = var.gateways_min_group_size
+ gateways_max_group_size = var.gateways_max_group_size
+ gateway_version = var.gateway_version
+ gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
+ gateway_SICKey = var.gateway_SICKey
+ enable_cloudwatch = var.enable_cloudwatch
+ asn = var.asn
+ management_deploy = var.management_deploy
+ management_instance_type = var.management_instance_type
+ management_version = var.management_version
+ management_password_hash = var.management_password_hash
+ management_maintenance_mode_password_hash = var.management_maintenance_mode_password_hash
+ management_permissions = var.management_permissions
+ management_predefined_role = var.management_predefined_role
+ gateways_blades = var.gateways_blades
+ admin_cidr = var.admin_cidr
+ gateways_addresses = var.gateways_addresses
+ gateway_management = var.gateway_management
+ control_gateway_over_public_or_private_address = 
var.control_gateway_over_public_or_private_address
+ management_server = var.management_server
+ configuration_template = var.configuration_template
+}
diff --git a/terraform/aws/tgw-asg-master/output.tf b/terraform/aws/tgw-asg-master/output.tf
new file mode 100755
index 00000000..ed183c0a
--- /dev/null
+++ b/terraform/aws/tgw-asg-master/output.tf
@@ -0,0 +1,24 @@
+output "vpc_id" {
+ value = module.launch_vpc.vpc_id
+}
+output "public_subnets_ids_list" {
+ value = module.launch_vpc.public_subnets_ids_list
+}
+output "management_instance_name" {
+ value = module.launch_tgw_asg_into_vpc.management_instance_name
+}
+output "configuration_template" {
+ value = module.launch_tgw_asg_into_vpc.configuration_template
+}
+output "controller_name" {
+ value = module.launch_tgw_asg_into_vpc.controller_name
+}
+output "management_public_ip" {
+ value = module.launch_tgw_asg_into_vpc.management_public_ip
+}
+output "management_url" {
+ value = module.launch_tgw_asg_into_vpc.management_url
+}
+output "autoscaling_group_name" {
+ value = module.launch_tgw_asg_into_vpc.autoscaling_group_name
+}
diff --git a/terraform/aws/tgw-asg-master/terraform.tfvars b/terraform/aws/tgw-asg-master/terraform.tfvars
new file mode 100755
index 00000000..7807cc3d
--- /dev/null
+++ b/terraform/aws/tgw-asg-master/terraform.tfvars
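Review bot: `module "launch_tgw_asg_into_vpc"` passes `providers = { aws = aws }`, which is exactly the implicit default-provider inheritance, while `module "launch_vpc"` in the same file passes nothing; either drop the explicit map or give it to both modules so the provider wiring reads consistently. The provider block feeds `access_key`/`secret_key` from variables whose defaults are `""`, and the README earlier in this patch tells operators to comment these three lines out when credentials come from environment variables; that expectation belongs next to the code, e.g. `// Comment out region/access_key/secret_key below when AWS credentials are supplied via environment variables (see README)`, so a reader of main.tf alone does not have to discover it in the docs.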
@@ -0,0 +1,47 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- Network Configuration ---
+vpc_cidr = "10.0.0.0/16"
+public_subnets_map = {
+ "us-east-1a" = 1
+ "us-east-1b" = 2
+}
+subnets_bit_length = 8
+
+// --- General Settings ---
+key_name = "publickey"
+enable_volume_encryption = true
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+allow_upload_download = true
+
+// --- Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration ---
+gateway_name = "Check-Point-gateway"
+gateway_instance_type = "c5.xlarge"
+gateways_min_group_size = 2
+gateways_max_group_size = 8
+gateway_version = "R81.20-BYOL"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
+gateway_SICKey = "12345678"
+enable_cloudwatch = true
+asn = "6500"
+
+// --- Check Point CloudGuard Network Security Management Server Configuration ---
+management_deploy = true
+management_instance_type = "m5.xlarge"
+management_version = "R81.20-BYOL"
+management_password_hash = ""
+management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password.
+management_permissions = "Create with read-write permissions"
+management_predefined_role = ""
+gateways_blades = true
+admin_cidr = "0.0.0.0/0"
+gateways_addresses = "0.0.0.0/0"
+gateway_management = "Locally managed"
+
+// --- Automatic Provisioning with Security Management Server Settings ---
+control_gateway_over_public_or_private_address = "private"
+management_server = "management-server"
+configuration_template = "template-name"
\ No newline at end of file
diff --git a/terraform/aws/tgw-asg-master/variables.tf b/terraform/aws/tgw-asg-master/variables.tf
new file mode 100755
index 00000000..a709a74f
--- /dev/null
+++ b/terraform/aws/tgw-asg-master/variables.tf
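Review bot: The shipped values `admin_cidr = "0.0.0.0/0"` and `gateways_addresses = "0.0.0.0/0"` admit every source address to the Management Server's web, SSH and gateway-communication ports, and `gateway_SICKey = "12345678"` is the weakest value the SIC regex in locals.tf accepts even though the README's inputs table says to choose a random string; since this file is what `terraform apply` consumes straight after `terraform init`, these defaults deploy as-is unless the operator remembers to edit them. Prefer an obviously-placeholder value that the CIDR check rejects, e.g. `admin_cidr = "<ADMIN-NETWORK-CIDR>"`, so the plan fails until a real range is supplied, and a comment on the SIC line saying the sample must be replaced. The README earlier in this patch also tells operators to put `access_key`/`secret_key` into this same tfvars; if the repository's .gitignore (part of this patch but outside this hunk) does not exclude terraform.tfvars, static credentials end up committed next to these samples — worth verifying.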
@@ -0,0 +1,217 @@
+// Module: Check Point CloudGuard Network Transit Gateway Auto Scaling Group
+// Deploy an Auto Scaling Group of CloudGuard Security Gateways for Transit Gateway with an optional Management Server in a new VPC
+
+// --- AWS Provider ---
+variable "region" {
+ type = string
+ description = "AWS region"
+ default = ""
+}
+variable "access_key" {
+ type = string
+ description = "AWS access key"
+ default = ""
+}
+variable "secret_key" {
+ type = string
+ description = "AWS secret key"
+ default = ""
+}
+
+// --- Network Configuration ---
+variable "vpc_cidr" {
+ type = string
+ description = "The CIDR block of the VPC"
+ default = "10.0.0.0/16"
+}
+variable "public_subnets_map" {
+ type = map(string)
+ description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1} ) "
+}
+variable "subnets_bit_length" {
+ type = number
+ description = "Number of additional bits with which to extend the vpc cidr. 
For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20"
+}
+
+// --- General Settings ---
+variable "key_name" {
+ type = string
+ description = "The EC2 Key Pair name to allow SSH access to the instances"
+ default = true
+}
+variable "enable_volume_encryption" {
+ type = bool
+ description = "Encrypt Environment instances volume with default AWS KMS key"
+ default = true
+}
+variable "enable_instance_connect" {
+ type = bool
+ description = "Enable SSH connection over AWS web console"
+ default = false
+}
+variable "disable_instance_termination" {
+ type = bool
+ description = "Prevents an instance from accidental termination"
+ default = false
+}
+variable "metadata_imdsv2_required" {
+ type = bool
+ description = "Set true to deploy the instance with metadata v2 token required"
+ default = true
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point"
+ default = true
+}
+
+// --- Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration ---
+variable "gateway_name" {
+ type = string
+ description = "(Optional) The name tag of the Security Gateway instances"
+ default = "Check-Point-Gateway"
+}
+variable "gateway_instance_type" {
+ type = string
+ description = "The instance type of the Security Gateways"
+ default = "c5.xlarge"
+}
+module "validate_gateway_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "gateway"
+ instance_type = var.gateway_instance_type
+}
+variable "gateways_min_group_size" {
+ type = number
+ description = "The minimal number of Security Gateways"
+ default = 2
+}
+variable "gateways_max_group_size" {
+ type = number
+ description = "The maximal number of Security Gateways"
+ default = 10
+}
+variable "gateway_version" {
+ type = string
+ description = "Gateway version and license"
+ default = "R81.20-BYOL"
+}
+module "validate_gateway_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "gateway"
+ version_license = var.gateway_version
+}
+variable "gateway_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash for the gateway instances, relevant only for R81.20 and higher versions"
+ type = string
+ default = ""
+}
+variable "gateway_SICKey" {
+ type = string
+ description = "The Secure Internal Communication key for trusted connection between Check Point components. 
Choose a random string consisting of at least 8 alphanumeric characters"
+}
+variable "enable_cloudwatch" {
+ type = bool
+ description = "Report Check Point specific CloudWatch metrics"
+ default = false
+}
+variable "asn" {
+ type = string
+ description = "The organization Autonomous System Number (ASN) that identifies the routing domain for the Security Gateways"
+ default = "6500"
+}
+
+// --- Check Point CloudGuard Network Security Management Server Configuration ---
+variable "management_deploy" {
+ type = bool
+ description = "Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section"
+ default = true
+}
+variable "management_instance_type" {
+ type = string
+ description = "The EC2 instance type of the Security Management Server"
+ default = "m5.xlarge"
+}
+module "validate_management_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "management"
+ instance_type = var.management_instance_type
+}
+variable "management_version" {
+ type = string
+ description = "The license to install on the Security Management Server"
+ default = "R81.20-BYOL"
+}
+module "validate_management_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "management"
+ version_license = var.management_version
+}
+variable "management_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "management_maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash for the management instance, relevant only for R81.20 and higher versions"
+ type = string
+ default = ""
+}
+variable "management_permissions" {
+ type = string
+ description = "IAM role to attach to the instance profile"
+ default = "Create with read-write permissions"
+}
+variable "management_predefined_role" {
+ type = string
+ description = "(Optional) 
A predefined IAM role to attach to the instance profile. Ignored if IAM role is not set to 'Use existing'"
+ default = ""
+}
+variable "gateways_blades" {
+ type = bool
+ description = "Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (additional Blades can be manually turned on later)"
+ default = true
+}
+variable "admin_cidr" {
+ type = string
+ description = "Allow web, ssh, and graphical clients only from this network to communicate with the Security Management Server"
+}
+variable "gateways_addresses" {
+ type = string
+ description = "Allow gateways only from this network to communicate with the Security Management Server"
+}
+variable "gateway_management" {
+ type = string
+ description = "Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address"
+ default = "Locally managed"
+}
+
+// --- Automatic Provisioning with Security Management Server Settings ---
+variable "control_gateway_over_public_or_private_address" {
+ type = string
+ description = "Determines if the gateways are provisioned using their private or public address"
+ default = "private"
+}
+variable "management_server" {
+ type = string
+ description = "(Optional) The name that represents the Security Management Server in the automatic provisioning configuration"
+ default = "management-server"
+}
+variable "configuration_template" {
+ type = string
+ description = "(Optional) A name of a Security Gateway configuration template in the automatic provisioning configuration"
+ default = "TGW-ASG-configuration"
+ validation {
+ condition = length(var.configuration_template) < 31
+ error_message = "The configuration_template name can not exceed 30 characters"
+ }
+}
diff --git a/terraform/aws/tgw-asg-master/versions.tf b/terraform/aws/tgw-asg-master/versions.tf
new file mode 100755
index 00000000..dbebf275
--- /dev/null
+++ b/terraform/aws/tgw-asg-master/versions.tf
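Review bot: `variable "key_name"` declares `type = string` but `default = true`; Terraform's automatic type conversion turns that bool into the string "true", so a user who omits key_name gets a plan that references a key pair literally named "true" instead of a missing-variable error, and the README lists key_name as required anyway — the `default = true` line should be removed. Separately, `secret_key`, `gateway_SICKey` and the four `*_password_hash` variables are not marked `sensitive = true` (available since Terraform 0.14, which versions.tf already requires), so their values are echoed in plan and apply output and in any CI log that captures it; adding `sensitive = true` to each declaration redacts them there. The inline `module "validate_*"` blocks interleaved with the variables are a style point only, but they make this file harder to scan as a list of inputs.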
@@ -0,0 +1,15 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ random = {
+ version = "~> 3.5.1"
+ }
+ }
+}
diff --git a/terraform/aws/tgw-asg/README.md b/terraform/aws/tgw-asg/README.md
new file mode 100755
index 00000000..540a8d28
--- /dev/null
+++ b/terraform/aws/tgw-asg/README.md
@@ -0,0 +1,213 @@
+# Check Point CloudGuard Network Transit Gateway Auto Scaling Group Terraform module for AWS
+
+Terraform module which deploys a Check Point CloudGuard Network Security Gateway Auto Scaling Group for Transit Gateway with an optional Management Server into an existing VPC.
+
+These types of Terraform resources are supported:
+* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html)
+* [Security Group](https://www.terraform.io/docs/providers/aws/r/security_group.html)
+* [Network interface](https://www.terraform.io/docs/providers/aws/r/network_interface.html)
+* [CloudWatch Metric Alarm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm)
+* [EIP](https://www.terraform.io/docs/providers/aws/r/eip.html)
+* [Launch template](https://www.terraform.io/docs/providers/aws/r/launch_template.html)
+* [Auto Scaling Group](https://www.terraform.io/docs/providers/aws/r/autoscaling_group.html)
+* [IAM Role](https://www.terraform.io/docs/providers/aws/r/iam_role.html) - conditional creation
+
+See the [CloudGuard Network for AWS Transit Gateway R80.10 and Higher Deployment Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_AWS_Transit_Gateway/Content/Topics-AWS-TGW-R80-10-AG/Introduction.htm) for additional information
+
+This solution uses the following modules:
+- /terraform/aws/autoscale
+- /terraform/aws/management
+- /terraform/aws/cme-iam-role
+
+## Configurations
+
+The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources:
+```
+provider "aws" {
+ region = var.region
+ access_key = var.aws_access_key_ID
+ secret_key = var.aws_secret_access_key
+}
+```
+The provider credentials can be provided either as static credentials or as [Environment 
Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables).
+- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/tgw-asg/**terraform.tfvars** file as follows:
+```
+region = "us-east-1"
+access_key = "my-access-key"
+secret_key = "my-secret-key"
+```
+- In case the Static credentials are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/autoscale, /terraform/aws/management and /terraform/aws/cme-iam-role:
+ ```
+ provider "aws" {
+ // region = var.region
+ // access_key = var.access_key
+ // secret_key = var.secret_key
+ }
+ ```
+- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented:
+ ```
+ provider "aws" {
+ // region = var.region
+ // access_key = var.aws_access_key_ID
+ // secret_key = var.aws_secret_access_key
+ }
+ ```
+ b. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/autoscale, /terraform/aws/management and /terraform/aws/cme-iam-role:
+ ```
+ provider "aws" {
+ // region = var.region
+ // access_key = var.aws_access_key_ID
+ // secret_key = var.aws_secret_access_key
+ }
+ ```
+
+## Usage
+- Fill all variables in the /terraform/aws/tgw-asg/**terraform.tfvars** file with proper values (see below for variables descriptions).
+- From a command line initialize the Terraform configuration directory:
+ ```
+ terraform init
+ ```
+- Create an execution plan:
+ ```
+ terraform plan
+ ```
+- Create or modify the deployment:
+ ```
+ terraform apply
+ ```
+
+- Variables are configured in /terraform/aws/tgw-asg/**terraform.tfvars** file as follows:
+
+ ```
+ //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+ // --- Network Configuration ---
+ vpc_id = "vpc-12345678"
+ gateways_subnets = ["subnet-123b5678", "subnet-123a4567"]
+
+ // --- General Settings ---
+ key_name = "publickey"
+ enable_volume_encryption = true
+ enable_instance_connect = false
+ disable_instance_termination = false
+ allow_upload_download = true
+
+ // --- Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration ---
+ gateway_name = "Check-Point-gateway"
+ gateway_instance_type = "c5.xlarge"
+ gateways_min_group_size = 2
+ gateways_max_group_size = 8
+ gateway_version = "R81.20-BYOL"
+ gateway_password_hash = ""
+ gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. 
+ gateway_SICKey = "12345678"
+ enable_cloudwatch = true
+ asn = "6500"
+
+ // --- Check Point CloudGuard Network Security Management Server Configuration ---
+ management_deploy = true
+ management_instance_type = "m5.xlarge"
+ management_version = "R81.20-BYOL"
+ management_password_hash = ""
+ management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password.
+ management_permissions = "Create with read-write permissions"
+ management_predefined_role = ""
+ gateways_blades = true
+ admin_cidr = "0.0.0.0/0"
+ gateways_addresses = "0.0.0.0/0"
+ gateway_management = "Locally managed"
+
+ // --- Automatic Provisioning with Security Management Server Settings ---
+ control_gateway_over_public_or_private_address = "private"
+ management_server = "management-server"
+ configuration_template = "template-name"
+ ```
+
+- Conditional creation
+ - To create a Security Management server with IAM Role:
+ ```
+ management_permissions = "Create with read permissions" | "Create with read-write permissions" | "Create with assume role permissions (specify an STS role ARN)"
+ ```
+ - To enable cloudwatch for ASG:
+ ```
+ enable_cloudwatch = true
+ ```
+ Note: enabling cloudwatch will automatically create IAM role with cloudwatch:PutMetricData permission
+ - To deploy Security Management Server:
+ ```
+ management_deploy = true
+ ```
+- To tear down your resources:
+ ```
+ terraform destroy
+ ```
+
+## Inputs
+| Name | Description | Type | Allowed values | Default | Required | 
+|------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------|----------| +| vpc_id | Select an existing VPC | string | n/a | n/a | yes | +| gateways_subnets | Select at least 2 public subnets in the VPC. If you choose to deploy a Security Management Server it will be deployed in the first subnet | list(string) | n/a | n/a | yes | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| allow_upload_download | Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point | bool | true/false | true | no |
+| gateway_name | (Optional) The name tag of the Security Gateway instances | string | n/a | Check-Point-Gateway | no |
+| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no |
+| gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no |
+| gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no |
+| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81-BYOL
- R81-PAYG-NGTP
- R81-PAYG-NGTX
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX | R81.20-BYOL | no |
+| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no |
+| gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes |
+| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no |
+| asn | The organization Autonomous System Number (ASN) that identifies the routing domain for the Security Gateways | string | n/a | 6500 | no |
+| management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no |
+| management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no |
+| management_version | The license to install on the Security Management Server | string | - R80.40-BYOL
- R80.40-PAYG
- R81-BYOL
- R81-PAYG
- R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG | R81.20-BYOL | no |
+| management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no |
+| management_permissions | IAM role to attach to the instance profile | string | - None (configure later)
- Use existing (specify an existing IAM role name)
- Create with assume role permissions (specify an STS role ARN)
- Create with read permissions
- Create with read-write permissions | Create with read-write permissions | no |
+| management_predefined_role | ((Optional) A predefined IAM role to attach to the instance profile. Ignored if IAM role is not set to 'Use existing' | string | n/a | "" | no |
+| gateways_blades | Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (additional Blades can be manually turned on later) | bool | true/false | true | no |
+| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no |
+| gateway_addresses | Allow gateways only from this network to communicate with the Security Management Server | string | valid CIDR | n/a | no |
+| gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address | string | - Locally managed
- Over the internet | Locally managed | no |
+| control_gateway_over_public_or_private_address | Determines if the gateways are provisioned using their private or public address | string | - private
- public | private | no | +| management_server | (Optional) The name that represents the Security Management Server in the automatic provisioning configuration | string | n/a | management-server | no | +| configuration_template | (Optional) A name of a Security Gateway configuration template in the automatic provisioning configuration | string | n/a | TGW-ASG-configuration | no | +| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | + + +## Outputs +| Name | Description | +|--------------------------|--------------------------------------------------------------------------------------------------------| +| management_instance_name | The deployed Security Management AWS instance name | +| management_public_ip | The deployed Security Management Server AWS public ip | +| management_url | URL to the portal of the deployed Security Management Server | +| autoscaling_group_name | The name of the deployed AutoScaling Group | +| configuration_template | The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name | +| controller_name | The name that represents the controller. 
Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|------------------------------------------------------------------------------------------| +| 20210329 | First release of Check Point Transit Gateway Auto Scaling Group Terraform module for AWS | +| 20220606 | New instance type support | +| 20221123 | R81.20 version support | +| 20221226 | Support ASG Launch Template instead of Launch Configuration | +| 20230626 | Fixed missing x-chkp-* tags on Auto Scale Group | +| 20230806 | Add support for c6in instance type | +| 20230829 | Change default Check Point version to R81.20 | +| 20230914 | Add support for maintenance mode password | +| 20230923 | Add support for C5d instance type | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/terraform/aws/tgw-asg/locals.tf b/terraform/aws/tgw-asg/locals.tf new file mode 100755 index 00000000..7ecd5cf4 --- /dev/null +++ b/terraform/aws/tgw-asg/locals.tf 
@@ -0,0 +1,64 @@
+locals {
+ permissions_allowed_values = [
+ "None (configure later)",
+ "Use existing (specify an existing IAM role name)",
+ "Create with assume role permissions (specify an STS role ARN)",
+ "Create with read permissions",
+ "Create with read-write permissions"]
+ // Will fail if var.management_permissions is invalid
+ validate_permissions = index(local.permissions_allowed_values, var.management_permissions)
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+
+ regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SIC_Key is invalid
+ regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters"
+
+ control_over_public_or_private_allowed_values = [
+ "public",
+ "private"]
+ // will fail if [var.control_gateway_over_public_or_private_address] is invalid:
+ validate_control_over_public_or_private = index(local.control_over_public_or_private_allowed_values, var.control_gateway_over_public_or_private_address)
+
+ gateway_management_allowed_values = [
+ "Locally managed",
+ "Over the internet"]
+ // will fail if [var.gateway_management] is invalid:
+ validate_gateway_management = index(local.gateway_management_allowed_values, var.gateway_management)
+
+ regex_valid_management_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.management_password_hash is invalid
+ regex_management_password_hash = regex(local.regex_valid_management_password_hash, var.management_password_hash) == var.management_password_hash ? 
0 : "Variable [management_password_hash] must be a valid password hash"
+ regex_management_maintenance_mode_password_hash = regex(local.regex_valid_management_password_hash, var.management_maintenance_mode_password_hash) == var.management_maintenance_mode_password_hash ? 0 : "Variable [management_maintenance_mode_password_hash] must be a valid password hash"
+
+
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
+
+ regex_valid_asn = "^[0-9]+$"
+ // Will fail if var.asn is invalid
+ regex_asn = regex(local.regex_valid_asn, var.asn) == var.asn ? 0 : "Variable [asn] must be a valid asn"
+
+ regex_valid_admin_cidr = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$"
+ // Will fail if var.admin_cidr is invalid
+ regex_admin_cidr = regex(local.regex_valid_admin_cidr, var.admin_cidr) == var.admin_cidr ? 0 : "Variable [admin_cidr] must be a valid CIDR"
+
+ regex_valid_gateways_addresses = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$"
+ // Will fail if var.gateways_addresses is invalid
+ regex_gateways_addresses = regex(local.regex_valid_gateways_addresses, var.gateways_addresses) == var.gateways_addresses ? 
0 : "Variable [gateways_addresses] must be a valid gateways addresses"
+
+ regex_valid_management_server = "^[0-9a-zA-Z-._]+$"
+ // Will fail if var.management_server is invalid
+ regex_management_server = regex(local.regex_valid_management_server, var.management_server) == var.management_server ? 0 : "Variable [management_server] can not be an empty string"
+
+ regex_valid_configuration_template = "^[0-9a-zA-Z-._]+$"
+ // Will fail if var.configuration_template is invalid
+ regex_configuration_template = regex(local.regex_valid_configuration_template, var.configuration_template) == var.configuration_template ? 0 : "Variable [configuration_template] can not be an empty string"
+
+ deploy_management_condition = var.management_deploy == true
+}
\ No newline at end of file
diff --git a/terraform/aws/tgw-asg/main.tf b/terraform/aws/tgw-asg/main.tf
new file mode 100755
index 00000000..8b7b3cf1
--- /dev/null
+++ b/terraform/aws/tgw-asg/main.tf
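Review bot: The message strings on the right of every `? 0 : "Variable [...] ..."` ternary in this file never surface as errors: `regex()` itself aborts with Terraform's generic no-match error when the pattern fails, and for the anchored patterns a successful match always equals the input, so the string arm is unreachable; for the unanchored `regex_valid_key_name` it is worse, because a key name with trailing whitespace matches only as a substring, the local quietly becomes the message string, and nothing fails. A `validation` block on each variable (the pattern tgw-asg-master/variables.tf already uses for configuration_template) gives the intended message and points at the right input, e.g. `condition = can(regex("^[a-zA-Z0-9]{8,}$", var.gateway_SICKey))` with `error_message = "Variable [gateway_SICKey] must be at least 8 alphanumeric characters"`. The comment `// Will fail if var.gateway_SIC_Key is invalid` and its message name a variable that does not exist here; the variable read on that line is `gateway_SICKey`. Note also that `regex_valid_admin_cidr` accepts `0.0.0.0/0`, the value the sample tfvars ships, so this check cannot flag a management server exposed to every source.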
@@ -0,0 +1,64 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+module "autoscale" {
+ source = "../autoscale"
+ providers = {
+ aws = aws
+ }
+
+ vpc_id = var.vpc_id
+ subnet_ids = var.gateways_subnets
+ gateway_name = var.gateway_name
+ gateway_instance_type = var.gateway_instance_type
+ key_name = var.key_name
+ enable_volume_encryption = var.enable_volume_encryption
+ enable_instance_connect = var.enable_instance_connect
+ metadata_imdsv2_required = var.metadata_imdsv2_required
+ minimum_group_size = var.gateways_min_group_size
+ maximum_group_size = var.gateways_max_group_size
+ gateway_version = var.gateway_version
+ gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
+ gateway_SICKey = var.gateway_SICKey
+ allow_upload_download = var.allow_upload_download
+ enable_cloudwatch = var.enable_cloudwatch
+ gateway_bootstrap_script = "echo -e '\nStarting Bootstrap script\n'; echo 'Adding tgw identifier to cloud-version'; cv_path='/etc/cloud-version'\n if test -f \"$cv_path\"; then sed -i '/template_name/c\\template_name: autoscale_tgw' /etc/cloud-version; fi; cv_json_path='/etc/cloud-version.json'\n cv_json_path_tmp='/etc/cloud-version-tmp.json'\n if test -f \"$cv_json_path\"; then cat \"$cv_json_path\" | jq '.template_name = \"'\"autoscale_tgw\"'\"' > \"$cv_json_path_tmp\"; mv \"$cv_json_path_tmp\" \"$cv_json_path\"; fi; echo 'Setting ASN to: ${var.asn}'; clish -c 'set as ${var.asn}' -s; echo -e '\nFinished Bootstrap script\n'"
+ gateways_provision_address_type = var.control_gateway_over_public_or_private_address
+ management_server = var.management_server
+ configuration_template = var.configuration_template
+}
+
+data "aws_region" "current"{}
+
+module "management" {
+ providers = {
+ aws = aws
+ }
+ count = local.deploy_management_condition ?
1 : 0
+ source = "../management"
+
+ vpc_id = var.vpc_id
+ subnet_id = var.gateways_subnets[0]
+ management_name = var.management_server
+ management_instance_type = var.management_instance_type
+ key_name = var.key_name
+ allocate_and_associate_eip = true
+ volume_encryption = var.enable_volume_encryption ? "alias/aws/ebs" : ""
+ enable_instance_connect = var.enable_instance_connect
+ disable_instance_termination = var.disable_instance_termination
+ metadata_imdsv2_required = var.metadata_imdsv2_required
+ iam_permissions = var.management_permissions
+ predefined_role = var.management_predefined_role
+ management_version = var.management_version
+ management_password_hash = var.management_password_hash
+ management_maintenance_mode_password_hash = var.management_maintenance_mode_password_hash
+ allow_upload_download = var.allow_upload_download
+ admin_cidr = var.admin_cidr
+ gateway_addresses = var.gateways_addresses
+ gateway_management = var.gateway_management
+ management_bootstrap_script = "echo -e '\nStarting Bootstrap script\n'; echo 'Adding tgw identifier to cloud-version'; cv_path='/etc/cloud-version'\n if test -f \"$cv_path\"; then sed -i '/template_name/c\\template_name: management_tgw_asg' /etc/cloud-version; fi; cv_json_path='/etc/cloud-version.json'\n cv_json_path_tmp='/etc/cloud-version-tmp.json'\n if test -f \"$cv_json_path\"; then cat \"$cv_json_path\" | jq '.template_name = \"'\"management_tgw_asg\"'\"' > \"$cv_json_path_tmp\"; mv \"$cv_json_path_tmp\" \"$cv_json_path\"; fi; echo 'Configuring VPN community: tgw-community'; [[ -d /opt/CPcme/menu/additions ]] && /opt/CPcme/menu/additions/config-community.sh \"tgw-community\" || /etc/fw/scripts/autoprovision/config-community.sh \"tgw-community\"; echo 'Setting VPN rules'; mgmt_cli -r true add access-layer name 'Inline'; mgmt_cli -r true add access-rule layer Network position 1 name 'tgw-community VPN Traffic Rule' vpn.directional.1.from 'tgw-community' vpn.directional.1.to 'tgw-community'
vpn.directional.2.from 'tgw-community' vpn.directional.2.to External_clear action 'Apply Layer' inline-layer 'Inline'; mgmt_cli -r true add nat-rule package standard position bottom install-on 'Policy Targets' original-source All_Internet translated-source All_Internet method hide; echo 'Creating CME configuration'; autoprov_cfg -f init AWS -mn ${var.management_server} -tn ${var.configuration_template} -cn tgw-controller -po Standard -otp ${var.gateway_SICKey} -r ${data.aws_region.current.name} -ver ${split("-", var.gateway_version)[0]} -iam -dt TGW; autoprov_cfg -f set controller AWS -cn tgw-controller -sv -com tgw-community; autoprov_cfg -f set template -tn ${var.configuration_template} -vpn -vd '''' -con tgw-community; ${var.gateways_blades} && autoprov_cfg -f set template -tn ${var.configuration_template} -ia -ips -appi -av -ab; echo -e '\nFinished Bootstrap script\n'"
+}
\ No newline at end of file
diff --git a/terraform/aws/tgw-asg/output.tf b/terraform/aws/tgw-asg/output.tf
new file mode 100755
index 00000000..8a282a53
--- /dev/null
+++ b/terraform/aws/tgw-asg/output.tf
@@ -0,0 +1,18 @@
+output "management_instance_name" {
+ value = module.management[0].management_instance_name
+}
+output "configuration_template" {
+ value = var.configuration_template
+}
+output "controller_name" {
+ value = "tgw-controller"
+}
+output "management_public_ip" {
+ value = module.management[0].management_public_ip
+}
+output "management_url" {
+ value = module.management[0].management_url
+}
+output "autoscaling_group_name" {
+ value = module.autoscale.autoscale_autoscaling_group_name
+}
diff --git a/terraform/aws/tgw-asg/terraform.tfvars b/terraform/aws/tgw-asg/terraform.tfvars
new file mode 100755
index 00000000..9bdbb84e
--- /dev/null
+++ b/terraform/aws/tgw-asg/terraform.tfvars
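Review bot: The `-otp ${var.gateway_SICKey}` argument inside `management_bootstrap_script` places the SIC one-time password in a script string that the management module presumably renders into instance user data, so the same value is also printed by `terraform plan` and kept in state, and `gateway_SICKey` is declared in variables.tf without `sensitive = true` even though the pinned `required_version = ">= 0.14.3"` supports it. Marking `gateway_SICKey` and the four password-hash variables in variables.tf `sensitive = true` would at least redact them from plan output; the same gap applies to the variables.tf hunk below. The `${var.gateways_blades} && autoprov_cfg ...` fragment only works because the bool renders as the shell builtins `true`/`false`; a comment such as `# gateways_blades interpolates to the shell command true/false and gates the blade-enable call` would spare the next reader the puzzle.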
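Review bot: `module.management[0]` in the `management_instance_name`, `management_public_ip` and `management_url` outputs indexes a module created with `count = local.deploy_management_condition ? 1 : 0`, so setting `management_deploy = false` makes `terraform plan` fail on an invalid index instead of simply omitting the management outputs. Guarding each value, e.g. `value = try(module.management[0].management_instance_name, null)`, keeps the root module usable in both modes; `one(module.management[*].management_instance_name)` reads better but needs Terraform 0.15+, above the pinned `>= 0.14.3`.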
@@ -0,0 +1,43 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- Network Configuration ---
+vpc_id = "vpc-12345678"
+gateways_subnets = ["subnet-123b5678", "subnet-123a4567"]
+
+// --- General Settings ---
+key_name = "publickey"
+enable_volume_encryption = true
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+allow_upload_download = true
+
+// --- Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration ---
+gateway_name = "Check-Point-gateway"
+gateway_instance_type = "c5.xlarge"
+gateways_min_group_size = 2
+gateways_max_group_size = 8
+gateway_version = "R81.20-BYOL"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
+gateway_SICKey = "12345678"
+enable_cloudwatch = true
+asn = "65000"
+
+// --- Check Point CloudGuard Network Security Management Server Configuration ---
+management_deploy = true
+management_instance_type = "m5.xlarge"
+management_version = "R81.20-BYOL"
+management_password_hash = "12345678"
+management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password.
+management_permissions = "Create with read-write permissions"
+management_predefined_role = ""
+gateways_blades = true
+admin_cidr = "0.0.0.0/0"
+gateways_addresses = "0.0.0.0/0"
+gateway_management = "Locally managed"
+
+// --- Automatic Provisioning with Security Management Server Settings ---
+control_gateway_over_public_or_private_address = "private"
+management_server = "management-server"
+configuration_template = "template-name"
\ No newline at end of file
diff --git a/terraform/aws/tgw-asg/variables.tf b/terraform/aws/tgw-asg/variables.tf
new file mode 100755
index 00000000..9a9a47e1
--- /dev/null
+++ b/terraform/aws/tgw-asg/variables.tf
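Review bot: The sample values `admin_cidr = "0.0.0.0/0"` and `gateways_addresses = "0.0.0.0/0"` pass the CIDR regex in locals.tf and, per the variable descriptions, admit every network to the Security Management Server's web, SSH and client ports, so a copy-and-edit of this file that leaves them untouched deploys an internet-reachable management plane. A value that cannot be applied as-is, or one scoped to a private range (e.g. `admin_cidr = "10.0.0.0/8"`, a constructed example), would make the omission visible at plan time. `management_password_hash = "12345678"` is likewise not an `openssl passwd -6` hash as the variable description asks for, yet the `^[\\$\\./a-zA-Z0-9]*$` check accepts it, so the sample silently installs an unusable admin hash.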
@@ -0,0 +1,211 @@
+// Module: Check Point CloudGuard Network Transit Gateway Auto Scaling Group
+// Deploy an Auto Scaling Group of CloudGuard Security Gateways for Transit Gateway with an optional Management Server into an existing VPC
+
+// --- AWS Provider ---
+variable "region" {
+ type = string
+ description = "AWS region"
+ default = ""
+}
+variable "access_key" {
+ type = string
+ description = "AWS access key"
+ default = ""
+}
+variable "secret_key" {
+ type = string
+ description = "AWS secret key"
+ default = ""
+}
+
+// --- Network Configuration ---
+variable "vpc_id" {
+ type = string
+}
+variable "gateways_subnets" {
+ type = list(string)
+ description = "Select at least 2 external subnets in the VPC. If you choose to deploy a Security Management Server it will be deployed in the first subnet"
+}
+
+// --- General Settings ---
+variable "key_name" {
+ type = string
+ description = "The EC2 Key Pair name to allow SSH access to the instances"
+ default = true
+}
+variable "enable_volume_encryption" {
+ type = bool
+ description = "Encrypt Environment instances volume with default AWS KMS key"
+ default = true
+}
+variable "enable_instance_connect" {
+ type = bool
+ description = "Enable SSH connection over AWS web console"
+ default = false
+}
+variable "disable_instance_termination" {
+ type = bool
+ description = "Prevents an instance from accidental termination"
+ default = false
+}
+variable "metadata_imdsv2_required" {
+ type = bool
+ description = "Set true to deploy the instance with metadata v2 token required"
+ default = true
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Automatically download Blade Contracts and other important data.
Improve product experience by sending data to Check Point"
+ default = true
+}
+
+// --- Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration ---
+variable "gateway_name" {
+ type = string
+ description = "(Optional) The name tag of the Security Gateway instances"
+ default = "Check-Point-Gateway"
+}
+variable "gateway_instance_type" {
+ type = string
+ description = "The instance type of the Security Gateways"
+ default = "c5.xlarge"
+}
+module "validate_gateway_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "gateway"
+ instance_type = var.gateway_instance_type
+}
+variable "gateways_min_group_size" {
+ type = number
+ description = "The minimal number of Security Gateways"
+ default = 2
+}
+variable "gateways_max_group_size" {
+ type = number
+ description = "The maximal number of Security Gateways"
+ default = 10
+}
+variable "gateway_version" {
+ type = string
+ description = "Gateway version and license"
+ default = "R81.20-BYOL"
+}
+module "validate_gateway_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "gateway"
+ version_license = var.gateway_version
+}
+variable "gateway_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
+variable "gateway_SICKey" {
+ type = string
+ description = "The Secure Internal Communication key for trusted connection between Check Point components.
Choose a random string consisting of at least 8 alphanumeric characters"
+}
+variable "enable_cloudwatch" {
+ type = bool
+ description = "Report Check Point specific CloudWatch metrics"
+ default = false
+}
+variable "asn" {
+ type = string
+ description = "The organization Autonomous System Number (ASN) that identifies the routing domain for the Security Gateways"
+ default = "6500"
+}
+
+// --- Check Point CloudGuard Network Security Management Server Configuration ---
+variable "management_deploy" {
+ type = bool
+ description = "Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section"
+ default = true
+}
+variable "management_instance_type" {
+ type = string
+ description = "The EC2 instance type of the Security Management Server"
+ default = "m5.xlarge"
+}
+module "validate_management_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "management"
+ instance_type = var.management_instance_type
+}
+variable "management_version" {
+ type = string
+ description = "The license to install on the Security Management Server"
+ default = "R81.20-BYOL"
+}
+module "validate_management_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "management"
+ version_license = var.management_version
+}
+variable "management_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "management_maintenance_mode_password_hash" {
+ description = "(optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here)."
+ type = string
+ default = ""
+}
+variable "management_permissions" {
+ type = string
+ description = "IAM role to attach to the instance profile"
+ default = "Create with read-write permissions"
+}
+variable "management_predefined_role" {
+ type = string
+ description = "(Optional) A predefined IAM role to attach to the instance profile. Ignored if IAM role is not set to 'Use existing'"
+ default = ""
+}
+variable "gateways_blades" {
+ type = bool
+ description = "Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (additional Blades can be manually turned on later)"
+ default = true
+}
+variable "admin_cidr" {
+ type = string
+ description = "Allow web, ssh, and graphical clients only from this network to communicate with the Security Management Server"
+}
+variable "gateways_addresses" {
+ type = string
+ description = "Allow gateways only from this network to communicate with the Security Management Server"
+}
+variable "gateway_management" {
+ type = string
+ description = "Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address"
+ default = "Locally managed"
+}
+
+// --- Automatic Provisioning with Security Management Server Settings ---
+variable "control_gateway_over_public_or_private_address" {
+ type = string
+ description = "Determines if the gateways are provisioned using their private or public address"
+ default = "private"
+}
+variable "management_server" {
+ type = string
+ description = "(Optional) The name that represents the Security Management Server in the automatic provisioning configuration"
+ default = "management-server"
+}
+variable "configuration_template" {
+ type = string
+ description = "(Optional) A name of a Security Gateway configuration template in the automatic provisioning configuration"
+ default = "TGW-ASG-configuration"
+ validation {
+ condition = length(var.configuration_template) < 31
+ error_message = "The
configuration_template name can not exceed 30 characters"
+ }
+}
diff --git a/terraform/aws/tgw-asg/versions.tf b/terraform/aws/tgw-asg/versions.tf
new file mode 100755
index 00000000..dbebf275
--- /dev/null
+++ b/terraform/aws/tgw-asg/versions.tf
@@ -0,0 +1,15 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ random = {
+ version = "~> 3.5.1"
+ }
+ }
+}
diff --git a/terraform/aws/tgw-cross-az-cluster-master/README.md b/terraform/aws/tgw-cross-az-cluster-master/README.md
new file mode 100755
index 00000000..937444d8
--- /dev/null
+++ b/terraform/aws/tgw-cross-az-cluster-master/README.md
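Review bot: `variable "key_name"` declares `type = string` but `default = true`; Terraform converts the bool to the string `"true"`, so a deployment that forgets to set `key_name` asks EC2 for a key pair literally named `true` instead of failing early at plan. The other modules in this commit treat the key pair name as required (the cross-AZ README table lists it with no default and "yes" under Required), so dropping the `default = true` line is the consistent fix. The `asn` default `"6500"` also disagrees with the `"65000"` in terraform.tfvars; the two files should name the same private ASN so a missing tfvars entry does not silently change the BGP routing domain.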
@@ -0,0 +1,210 @@ +# Check Point CloudGuard Network Security Cross AZ Cluster for Transit Gateway Terraform module for AWS + +Terraform module which deploys a Check Point CloudGuard Network Security Cross AZ Cluster with a new VPC on AWS for Transit Gateway. + +These types of Terraform resources are supported: +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) +* [Security Group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/aws/r/network_interface.html) +* [IAM Role](https://www.terraform.io/docs/providers/aws/r/iam_role.html) - conditional creation + +See the [Deploying a Check Point Cluster in AWS (Amazon Web Services)](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/Default.htm) for additional information + +This solution uses the following modules: +- /terraform/aws/modules/amis +- /terraform/aws/modules/cluster-iam-role + + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/cluster/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/cluster/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply -target=aws_route_table.private_subnet_rtb -auto-approve && terraform apply + ``` + + - Variables are configured in /terraform/aws/cluster/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- VPC Network Configuration --- + vpc_cidr = "10.0.0.0/16" + public_subnets_map = { + "us-east-1a" = 1 + "us-east-1b" = 2 + } + private_subnets_map = { + "us-east-1a" = 3 + "us-east-1b" = 4 + } + tgw_subnets_map = { + "us-east-1a" = 5 + "us-east-1b" = 6 + } + subnets_bit_length = 8 + + // --- EC2 Instance Configuration --- + gateway_name = "Check-Point-Cluster-tf" + gateway_instance_type = "c5.xlarge" + key_name = "publickey" + allocate_and_associate_eip = true + volume_size = 100 + volume_encryption = "alias/aws/ebs" + enable_instance_connect = false + disable_instance_termination = false + instance_tags = { + key1 = "value1" + key2 = "value2" + } + predefined_role = "" + + // --- Check Point Settings --- + gateway_version = "R81.20-BYOL" + admin_shell = "/etc/cli.sh" + gateway_SICKey = "12345678" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. 
+ // --- Quick connect to Smart-1 Cloud (Recommended) --- + memberAToken = "" + memberBToken = "" + + // --- Advanced Settings --- + resources_tag_name = "tag-name" + gateway_hostname = "gw-hostname" + allow_upload_download = true + enable_cloudwatch = false + gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + primary_ntp = "" + secondary_ntp = "" + ``` + +- Conditional creation + - To create an Elastic IP and associate it to each cluster member instance: + ``` + allocate_and_associate_eip = "true" + ``` + - To create IAM Role: + ``` + predefined_role = "" + ``` + - To create route from '0.0.0.0/0' to the Active Cluster member instance, please provide route table: + ``` + private_route_table = "rtb-12345678" + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + ### Optional re-deploy of cluster member: + In case of re-deploying one cluster member, make sure that it's in STANDBY state, and the second member is the ACTIVE one. + Follow the commands below in order to re-deploy (replace MEMBER with a or b): + - terraform taint aws_instance.member-MEMBER-instance + - terraform plan (review the changes) + - terraform apply + - In Smart Console: reset SIC with the re-deployed member and install policy + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | 
+|----------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------|----------| +| vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | +| public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1 \"us-east-1b\" = 2} ) | map | n/a | n/a | yes | +| private_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 3 \"us-east-1b\" = 4} ) | map | n/a | n/a | yes | +| tgw_subnets_map | A map of pairs {availability-zone = subnet-suffix-number} for the tgw subnets. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | +| subnets_bit_length | Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20 | number | n/a | n/a | yes | +| gateway_name | (Optional) The name tag of the Security Gateway instances | string | n/a | Check-Point-Cluster-tf | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | +| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with each cluster member, in addition to the shared cluster Elastic IP | bool | true/false | true | no | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | +| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | +| enable_instance_connect | Enable AWS Instance Connect. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances | map(string) | n/a | {} | no | +| predefined_role | (Optional) A predefined IAM role to attach to the cluster profile | string | n/a | "" | no | +| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| memberAToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| memberBToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| resources_tag_name | (Optional) Name tag prefix of the resources | string | n/a | "" | no | +| gateway_hostname | (Optional) The host name will be appended with member-a/b accordingly. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | +| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | +| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | + + +## Outputs +| Name | Description | +|--------------------|-----------------------------------| +| cluster_public_ip | The public address of the cluster | +| member_a_public_ip | The public address of member A | +| member_b_public_ip | The public address of member B | +| member_a_ssh | SSH command to member A | +| member_b_ssh | SSH command to member B | +| member_a_url | URL to the member A portal | +| member_b_url | URL to the member B portal | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | 
+|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 20221123 | First release of Check Point Security Cluster Terraform module for AWS | +| 20221229 | Removed unsupported versions | +| 20221123 | R81.20 version support | +| 20230411 | - Improved deployment experience for gateways and clusters managed by Smart-1 Cloud
- Multiple VIPs support for Cross Availability Zone Cluster. For more details refer to the [Cross Availability Zone Cluster for AWS R81.20 Administration Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/Content/Topics-AWS-CrossAZ-Cluster-AG/Check-Point-CloudGuard-for-AWS.htm) -> "Deploying Cross AZ Cluster with multiple VIPs" section. | +| 20230503 | Smart-1 Cloud token validation | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230914 | Add support for maintenance mode password | +| 20230923 | Add support for C5d instance type | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | + + + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/terraform/aws/tgw-cross-az-cluster-master/locals.tf b/terraform/aws/tgw-cross-az-cluster-master/locals.tf new file mode 100755 index 00000000..387fb7c1 --- /dev/null +++ b/terraform/aws/tgw-cross-az-cluster-master/locals.tf 
@@ -0,0 +1,61 @@
+locals {
+ regex_valid_vpc_cidr = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$"
+ // Will fail if var.vpc_cidr is invalid
+ regex_vpc_cidr = regex(local.regex_valid_vpc_cidr, var.vpc_cidr) == var.vpc_cidr ? 0 : "Variable [vpc_cidr] must be a valid vpc cidr"
+
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"]
+ // Will fail if var.admin_shell is invalid
+ validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell)
+
+ create_iam_role = var.predefined_role == "" ? 1 : 0
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+
+ regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SIC_Key is invalid
+ regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters"
+
+ is_both_tokens_used = length(var.memberAToken) > 0 == length(var.memberBToken) > 0
+ validation_message_both = "Smart-1 Cloud Tokens for member A and member B can not be empty."
+ //Will fail if var.memberAToken is empty and var.memberBToken isn't and vice versa
+ regex_s1c_validate = regex("^$", (local.is_both_tokens_used ? "" : local.validation_message_both))
+
+ is_tokens_used = length(var.memberAToken) > 0
+ is_both_tokens_the_same = var.memberAToken == var.memberBToken
+ validation_message_unique = "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+ //Will fail if both s1c tokens are the same
+ regex_s1c_unique = local.is_tokens_used ? regex("^$", (local.is_both_tokens_the_same ?
 local.validation_message_unique : "")) : ""
+
+ regex_valid_gateway_hostname = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.gateway_hostname is invalid
+ regex_gateway_hostname = regex(local.regex_valid_gateway_hostname, var.gateway_hostname) == var.gateway_hostname ? 0 : "Variable [gateway_hostname] must be a valid hostname label or an empty string"
+ volume_encryption_condition = var.volume_encryption != "" ? true : false
+
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
+ regex_valid_primary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.primary_ntp is invalid
+ regex_primary_ntp = regex(local.regex_valid_primary_ntp, var.primary_ntp) == var.primary_ntp ? 0 : "Variable [primary_ntp] must be a valid ntp"
+
+ regex_valid_secondary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.secondary_ntp is invalid
+ regex_secondary_ntp = regex(local.regex_valid_secondary_ntp, var.secondary_ntp) == var.secondary_ntp ? 0 : "Variable [secondary_ntp] must be a valid ntp"
+
+ //Splits the version and licence and returns the os version
+ version_split = element(split("-", var.gateway_version), 0)
+
+ volume_type_allowed_values = [
+ "gp3",
+ "gp2"]
+ // will fail if [var.VolumeType] is invalid:
+ validate_volume_type = index(local.volume_type_allowed_values, var.volume_type)
+}
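Review bot: The input checks in this locals block depend on `index()` and `regex()` throwing (`validate_admin_shell`, `regex_vpc_cidr`, `regex_gateway_sic_result`, `regex_gateway_password_hash`, and so on), so a rejected value surfaces as a generic function-call error pointing at locals.tf, and the `"Variable [...] must be ..."` strings are never shown: either the function fails first, or — as with the unanchored `regex_valid_key_name` on a key name with trailing whitespace — the comparison is false and the local silently holds the message with no error at all. versions.tf in this commit requires Terraform >= 0.14.3, which supports `validation` blocks on variables; for example on `gateway_SICKey`: `validation { condition = can(regex("^[a-zA-Z0-9]{8,}$", var.gateway_SICKey)); error_message = "gateway_SICKey must be at least 8 alphanumeric characters." }`. The same pattern is used in the second locals.tf hunk (L8396–L8397) and in the `count = cond ? 0 : "message"` null_resource checks in variables.tf.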
diff --git a/terraform/aws/tgw-cross-az-cluster-master/main.tf b/terraform/aws/tgw-cross-az-cluster-master/main.tf new file mode 100755 index 00000000..d04b9548 --- /dev/null +++ b/terraform/aws/tgw-cross-az-cluster-master/main.tf 
@@ -0,0 +1,73 @@ +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} + +module "launch_vpc" { + source = "../modules/vpc" + + vpc_cidr = var.vpc_cidr + public_subnets_map = var.public_subnets_map + private_subnets_map = var.private_subnets_map + tgw_subnets_map = var.tgw_subnets_map + subnets_bit_length = var.subnets_bit_length +} +resource "aws_route_table" "private_subnet_rtb" { + depends_on = [module.launch_vpc] + vpc_id = module.launch_vpc.vpc_id + tags = { + Name = "Private Subnets Route Table" + } +} +resource "aws_route_table_association" "private_rtb_to_private_subnet1" { + depends_on = [module.launch_vpc, aws_route_table.private_subnet_rtb] + route_table_id = aws_route_table.private_subnet_rtb.id + subnet_id = module.launch_vpc.private_subnets_ids_list[0] +} +resource "aws_route_table_association" "private_rtb_to_private_subnet2" { + depends_on = [module.launch_vpc, aws_route_table.private_subnet_rtb] + route_table_id = aws_route_table.private_subnet_rtb.id + subnet_id = module.launch_vpc.private_subnets_ids_list[1] +} +module "tgw_cluster_into_vpc" { + depends_on = [module.launch_vpc, aws_route_table.private_subnet_rtb] + source = "../tgw-cross-az-cluster" + providers = { + aws = aws + } + + vpc_id = module.launch_vpc.vpc_id + public_subnet_1 = module.launch_vpc.public_subnets_ids_list[0] + public_subnet_2 = module.launch_vpc.public_subnets_ids_list[1] + private_subnet_1 = module.launch_vpc.private_subnets_ids_list[0] + private_subnet_2 = module.launch_vpc.private_subnets_ids_list[1] + tgw_subnet_1_id = module.launch_vpc.tgw_subnets_ids_list[0] + tgw_subnet_2_id =module.launch_vpc.tgw_subnets_ids_list[1] + private_route_table = aws_route_table.private_subnet_rtb.id + gateway_name = var.gateway_name + gateway_instance_type = var.gateway_instance_type + key_name = var.key_name + volume_size = var.volume_size + volume_encryption = var.volume_encryption + enable_instance_connect = var.enable_instance_connect 
+ disable_instance_termination = var.disable_instance_termination + metadata_imdsv2_required = var.metadata_imdsv2_required + instance_tags = var.instance_tags + predefined_role = var.predefined_role + gateway_version = var.gateway_version + admin_shell = var.admin_shell + gateway_SICKey = var.gateway_SICKey + gateway_password_hash = var.gateway_password_hash + gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash + memberAToken = var.memberAToken + memberBToken = var.memberBToken + resources_tag_name = var.resources_tag_name + gateway_hostname = var.gateway_hostname + allow_upload_download = var.allow_upload_download + enable_cloudwatch = var.enable_cloudwatch + gateway_bootstrap_script = var.gateway_bootstrap_script + primary_ntp = var.primary_ntp + secondary_ntp = var.secondary_ntp + volume_type = var.volume_type +} diff --git a/terraform/aws/tgw-cross-az-cluster-master/output.tf b/terraform/aws/tgw-cross-az-cluster-master/output.tf new file mode 100755 index 00000000..fd143a67 --- /dev/null +++ b/terraform/aws/tgw-cross-az-cluster-master/output.tf @@ -0,0 +1,30 @@ +output "cluster_public_ip" { + value = module.tgw_cluster_into_vpc.cluster_public_ip +} +output "member_a_public_ip" { + value = module.tgw_cluster_into_vpc.member_a_public_ip +} +output "member_b_public_ip" { + value = module.tgw_cluster_into_vpc.member_b_public_ip +} +output "member_a_ssh" { + value = module.tgw_cluster_into_vpc.member_a_ssh +} +output "member_b_ssh" { + value = module.tgw_cluster_into_vpc.member_b_ssh +} +output "member_a_url" { + value = module.tgw_cluster_into_vpc.member_a_url +} +output "member_b_url" { + value = module.tgw_cluster_into_vpc.member_b_url +} +output "member_a_eni" { + value = module.tgw_cluster_into_vpc.member_a_eni +} +output "member_b_eni" { + value = module.tgw_cluster_into_vpc.member_b_eni +} +output "vpc_id" { + value = module.launch_vpc.vpc_id +} 
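Review bot: The `provider "aws"` block at the top of main.tf wires `access_key` and `secret_key` from plain input variables, so anyone following the tfvars route described in the README ends up with long-lived static keys in a file beside the configuration, and the documented alternative is to comment those lines out by hand. Dropping the two attributes and keeping only `region = var.region` lets the provider use its standard credential chain (environment variables, shared config/SSO profiles, or an attached role) without editing main.tf; if the static path must remain, the two variables should at least be declared `sensitive = true` in variables.tf. Minor style: `tgw_subnet_2_id =module.launch_vpc.tgw_subnets_ids_list[1]` is the only argument without a space after `=`, and the `depends_on = [module.launch_vpc]` entries duplicate dependencies that the `module.launch_vpc.*` references already establish.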
diff --git a/terraform/aws/tgw-cross-az-cluster-master/terraform.tfvars b/terraform/aws/tgw-cross-az-cluster-master/terraform.tfvars new file mode 100755 index 00000000..2a1fee10 --- /dev/null +++ b/terraform/aws/tgw-cross-az-cluster-master/terraform.tfvars @@ -0,0 +1,48 @@ +//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + +// --- VPC Network Configuration --- +vpc_cidr = "10.29.0.0/16" +public_subnets_map = { + "us-east-1a" = 1 + "us-east-1b" = 2 +} +private_subnets_map = { + "us-east-1a" = 3 + "us-east-1b" = 4 +} +tgw_subnets_map = { + "us-east-1a" = 5 + "us-east-1b" = 6 +} +subnets_bit_length = 8 + +// --- EC2 Instance Configuration --- +gateway_name = "Check-Point-Cluster-tf" +gateway_instance_type = "c5.xlarge" +key_name = "publickey" +volume_size = 100 +volume_encryption = "alias/aws/ebs" +enable_instance_connect = false +disable_instance_termination = false +metadata_imdsv2_required = true + +predefined_role = "" + +// --- Check Point Settings --- +gateway_version = "R81.20-BYOL" +admin_shell = "/etc/cli.sh" +gateway_SICKey = "12345678" +gateway_password_hash = "" +gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. +// --- Quick connect to Smart-1 Cloud (Recommended) --- +memberAToken = "" +memberBToken = "" + +// --- Advanced Settings --- +resources_tag_name = "tag-name" +gateway_hostname = "gw-hostname" +allow_upload_download = true +enable_cloudwatch = false +gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" +primary_ntp = "" +secondary_ntp = "" \ No newline at end of file diff --git a/terraform/aws/tgw-cross-az-cluster-master/variables.tf b/terraform/aws/tgw-cross-az-cluster-master/variables.tf new file mode 100755 index 00000000..1485389b --- /dev/null +++ b/terraform/aws/tgw-cross-az-cluster-master/variables.tf 
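Review bot: The sample `gateway_SICKey = "12345678"` satisfies the `^[a-zA-Z0-9]{8,}$` check in locals.tf, so a terraform.tfvars copied as-is deploys a cluster whose SIC trust is established with a guessable, publicly documented key; a placeholder that fails validation, such as `gateway_SICKey = "<set-a-random-alphanumeric-key>"`, forces the operator to replace it before `terraform apply` can succeed. The file also sets `primary_ntp = ""` and `secondary_ntp = ""`, which override the `169.254.169.123` / `0.pool.ntp.org` defaults declared in variables.tf with empty values that the `"^[\\.a-zA-Z0-9\\-]*$"` regex accepts; if that is intentional a short `//` comment saying so would help, otherwise the two lines should be removed so the defaults apply.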
@@ -0,0 +1,200 @@ +// Module: Check Point CloudGuard Network Security Cluster into an existing VPC + +// --- AWS Provider --- +variable "region" { + type = string + description = "AWS region" + default = "" +} +variable "access_key" { + type = string + description = "AWS access key" + default = "" +} +variable "secret_key" { + type = string + description = "AWS secret key" + default = "" +} + +// ---VPC Network Configuration --- +variable "vpc_cidr" { + type = string + description = "The CIDR block of the VPC" + default = "10.0.0.0/16" +} +variable "public_subnets_map" { + type = map(string) + description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1} ) " +} +resource "null_resource" "tgw_availability_zones_validation1" { + count = length(var.public_subnets_map) == 2 ? 0 : "variable public_subnets_map size must be equal to variable 2" +} +variable "private_subnets_map" { + type = map(string) + description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 2} ) " +} +resource "null_resource" "tgw_availability_zones_validation2" { + count = length(var.private_subnets_map) == 2 ? 0 : "variable private_subnets_map size must be equal to variable 2" +} +variable "tgw_subnets_map" { + type = map(string) + description = "A map of pairs {availability-zone = subnet-suffix-number} for the tgw subnets. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 3} ) " +} +resource "null_resource" "tgw_availability_zones_validation3" { + count = length(var.tgw_subnets_map) == 2 ? 0 : "variable tgw_subnets_map size must be equal to variable 2" +} +variable "subnets_bit_length" { + type = number + description = "Number of additional bits with which to extend the vpc cidr. 
For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20" +} + + +// --- EC2 Instance Configuration --- +variable "gateway_name" { + type = string + description = "(Optional) The name tag of the Security Gateway instances" + default = "Check-Point-Cluster-tf" +} +variable "gateway_instance_type" { + type = string + description = "The instance type of the Security Gateways" + default = "c5.xlarge" +} +module "validate_instance_type" { + source = "../modules/common/instance_type" + + chkp_type = "gateway" + instance_type = var.gateway_instance_type +} +variable "key_name" { + type = string + description = "The EC2 Key Pair name to allow SSH access to the instance" +} +variable "allocate_and_associate_eip" { + type = bool + description = "If set to true, an elastic IP will be allocated and associated with each cluster member, in addition to the shared cluster Elastic IP" + default = true +} +variable "volume_size" { + type = number + description = "Root volume size (GB) - minimum 100" + default = 100 +} +resource "null_resource" "volume_size_too_small" { + // Volume Size validation - resource will not be created if the volume size is smaller than 100 + count = var.volume_size >= 100 ? 0 : "volume_size must be at least 100" +} +variable "volume_type" { + type = string + description = "General Purpose SSD Volume Type" + default = "gp3" +} +variable "volume_encryption" { + type = string + description = "KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. 
for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs')" + default = "alias/aws/ebs" +} +variable "enable_instance_connect" { + type = bool + description = "Enable SSH connection over AWS web console" + default = false +} +variable "disable_instance_termination" { + type = bool + description = "Prevents an instance from accidental termination" + default = false +} +variable "metadata_imdsv2_required" { + type = bool + description = "Set true to deploy the instance with metadata v2 token required" + default = true +} +variable "instance_tags" { + type = map(string) + description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances" + default = {} +} +variable "predefined_role" { + type = string + description = "(Optional) A predefined IAM role to attach to the cluster profile" + default = "" +} + +// --- Check Point Settings --- +variable "gateway_version" { + type = string + description = "Gateway version and license" + default = "R81.20-BYOL" +} +module "validate_gateway_version" { + source = "../modules/common/version_license" + + chkp_type = "gateway" + version_license = var.gateway_version +} +variable "admin_shell" { + type = string + description = "Set the admin shell to enable advanced command line configuration" + default = "/etc/cli.sh" +} +variable "gateway_SICKey" { + type = string + description = "The Secure Internal Communication key for trusted connection between Check Point components. 
Choose a random string consisting of at least 8 alphanumeric characters" +} +variable "gateway_password_hash" { + type = string + description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)" + default = "" +} +variable "gateway_maintenance_mode_password_hash" { + description = "Maintenance mode password hash for the gateway instances, relevant only for R81.20 and higher versions" + type = string + default = "" +} +// --- Quick connect to Smart-1 Cloud (Recommended) --- +variable "memberAToken" { + type = string + description = "Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud." +} +variable "memberBToken" { + type = string + description = "Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud." +} + +// --- Advanced Settings --- +variable "resources_tag_name" { + type = string + description = "(Optional) Name tag prefix of the resources" + default = "" +} +variable "gateway_hostname" { + type = string + description = "(Optional) The host name will be appended with member-a/b accordingly" + default = "" +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point" + default = true +} +variable "enable_cloudwatch" { + type = bool + description = "Report Check Point specific CloudWatch metrics" + default = false +} +variable "gateway_bootstrap_script" { + type = string + description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot" + default = "" +} +variable "primary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol primary server" + default = "169.254.169.123" +} +variable "secondary_ntp" { + type = string + description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server" + default = "0.pool.ntp.org" +} diff --git a/terraform/aws/tgw-cross-az-cluster-master/versions.tf b/terraform/aws/tgw-cross-az-cluster-master/versions.tf new file mode 100755 index 00000000..dbebf275 --- /dev/null +++ b/terraform/aws/tgw-cross-az-cluster-master/versions.tf @@ -0,0 +1,15 @@ +terraform { + required_version = ">= 0.14.3" + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.20.0" + } + http = { + version = "~> 3.4.0" + } + random = { + version = "~> 3.5.1" + } + } +} diff --git a/terraform/aws/tgw-cross-az-cluster/README.md b/terraform/aws/tgw-cross-az-cluster/README.md new file mode 100755 index 00000000..1dcb1b0c --- /dev/null +++ b/terraform/aws/tgw-cross-az-cluster/README.md 
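Review bot: None of the secret-bearing variables in this file — `secret_key`, `gateway_SICKey`, `gateway_password_hash`, `gateway_maintenance_mode_password_hash`, `memberAToken`, `memberBToken` — are declared `sensitive = true`, so their values appear unredacted in `terraform plan`/`apply` output and in any resource attribute they flow into; versions.tf in this commit pins Terraform >= 0.14.3, where the attribute is available, so adding `sensitive = true` to each of the six blocks is a one-line change per variable. `allocate_and_associate_eip` is declared here but the `module "tgw_cluster_into_vpc"` call in main.tf does not forward it, so setting it for this master module has no effect (the child module's README lists it as an input with default `true`). The `null_resource` messages `"variable public_subnets_map size must be equal to variable 2"` (and the two siblings) read oddly; `"public_subnets_map must contain exactly 2 entries"` says what is checked.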
@@ -0,0 +1,205 @@ +# Check Point CloudGuard Network Security Cross AZ Cluster for Transit Gateway Terraform module for AWS + +Terraform module which deploys a Check Point CloudGuard Network Security Cross AZ Cluster into an existing VPC on AWS for Transit Gateway. + +These types of Terraform resources are supported: +* [AWS Instance](https://www.terraform.io/docs/providers/aws/r/instance.html) +* [Security Group](https://www.terraform.io/docs/providers/aws/r/security_group.html) +* [Network interface](https://www.terraform.io/docs/providers/aws/r/network_interface.html) +* [IAM Role](https://www.terraform.io/docs/providers/aws/r/iam_role.html) - conditional creation + +See the [Deploying a Check Point Cluster in AWS (Amazon Web Services)](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/Default.htm) for additional information + +This solution uses the following modules: +- /terraform/aws/modules/amis +- /terraform/aws/modules/cluster-iam-role + + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/cluster/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/cluster/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + + - Variables are configured in /terraform/aws/cluster/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- VPC Network Configuration --- + vpc_id = "vpc-1234" + public_subnet_1 = "subnet-1234" + public_subnet_2 = "subnet-2345" + private_subnet_1 = "subnet-3456" + private_subnet_2 = "subnet-4567" + tgw_subnet_1_id = "subnet-5678" + tgw_subnet_2_id = "subnet-6789" + private_route_table = "" + + // --- EC2 Instance Configuration --- + gateway_name = "Check-Point-Cluster-tf" + gateway_instance_type = "c5.xlarge" + key_name = "publickey" + allocate_and_associate_eip = true + volume_size = 100 + volume_encryption = "alias/aws/ebs" + enable_instance_connect = false + disable_instance_termination = false + instance_tags = { + key1 = "value1" + key2 = "value2" + } + predefined_role = "" + + // --- Check Point Settings --- + gateway_version = "R81.20-BYOL" + admin_shell = "/etc/cli.sh" + gateway_SICKey = "12345678" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. 
+ + // --- Quick connect to Smart-1 Cloud (Recommended) --- + memberAToken = "" + memberBToken = "" + + // --- Advanced Settings --- + resources_tag_name = "tag-name" + gateway_hostname = "gw-hostname" + allow_upload_download = true + enable_cloudwatch = false + gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + primary_ntp = "" + secondary_ntp = "" + ``` + +- Conditional creation + - To create an Elastic IP and associate it to each cluster member instance: + ``` + allocate_and_associate_eip = "true" + ``` + - To create IAM Role: + ``` + predefined_role = "" + ``` + - To create route from '0.0.0.0/0' to the Active Cluster member instance, please provide route table: + ``` + private_route_table = "rtb-12345678" + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + ### Optional re-deploy of cluster member: + In case of re-deploying one cluster member, make sure that it's in STANDBY state, and the second member is the ACTIVE one. + Follow the commands below in order to re-deploy (replace MEMBER with a or b): + - terraform taint aws_instance.member-MEMBER-instance + - terraform plan (review the changes) + - terraform apply + - In Smart Console: reset SIC with the re-deployed member and install policy + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | 
+|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| public_subnet_id | The public subnet of the cluster. The cluster's public IPs will be generated from this subnet | string | n/a | n/a | yes | +| private_subnet_id | The private subnet of the cluster. The cluster's private IPs will be generated from this subnet | string | n/a | n/a | yes | +| tgw_subnet_1_id | The TGW attachment subnet ID located in the 1st Availability Zone | string | n/a | n/a | yes | +| tgw_subnet_2_id | The TGW attachment subnet ID located in the 2st Availability Zone | string | n/a | n/a | yes | +| private_route_table | (Optional) Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route | string | n/a | "" | no | +| gateway_name | (Optional) The name tag of the Security Gateway instances | string | n/a | Check-Point-Cluster-tf | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | +| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with each cluster member, in addition to the shared cluster Elastic IP | bool | true/false | true | no | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | +| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | +| enable_instance_connect | Enable AWS Instance Connect. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances | map(string) | n/a | {} | no | +| predefined_role | (Optional) A predefined IAM role to attach to the cluster profile | string | n/a | "" | no | +| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| memberAToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| memberBToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| resources_tag_name | (Optional) Name tag prefix of the resources | string | n/a | "" | no | +| gateway_hostname | (Optional) The host name will be appended with member-a/b accordingly. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | +| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | +| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). 
(optional) | string | n/a | "" | no | + + +## Outputs +| Name | Description | +|--------------------|-----------------------------------| +| cluster_public_ip | The public address of the cluster | +| member_a_public_ip | The public address of member A | +| member_b_public_ip | The public address of member B | +| member_a_ssh | SSH command to member A | +| member_b_ssh | SSH command to member B | +| member_a_url | URL to the member A portal | +| member_b_url | URL to the member B portal | + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 20221123 | First release of Check Point Security Cluster Terraform module for AWS | +| 20221123 | R81.20 version support | +| 20221229 | Removed unsupported versions | +| 20230411 | - Improved deployment experience for gateways and clusters managed by Smart-1 Cloud
- Multiple VIPs support for Cross Availability Zone Cluster. For more details refer to the [Cross Availability Zone Cluster for AWS R81.20 Administration Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/Content/Topics-AWS-CrossAZ-Cluster-AG/Check-Point-CloudGuard-for-AWS.htm) -> "Deploying Cross AZ Cluster with multiple VIPs" section. | +| 20230503 | Smart-1 Cloud token validation | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230806 | Add support for c6in instance type | +| 20230829 | Change default Check Point version to R81.20 | +| 20230914 | Add support for maintenance mode password | +| 20230923 | Add support for C5d instance type | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/terraform/aws/tgw-cross-az-cluster/locals.tf b/terraform/aws/tgw-cross-az-cluster/locals.tf new file mode 100755 index 00000000..9a9929b7 --- /dev/null +++ b/terraform/aws/tgw-cross-az-cluster/locals.tf 
@@ -0,0 +1,60 @@
+locals {
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"]
+ // Will fail if var.admin_shell is invalid
+ validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell)
+
+ create_iam_role = var.predefined_role == "" ? 1 : 0
+ provided_roue_table = var.private_route_table == "" ? 0 : 1
+ internal_route_table_condition = var.private_route_table != "" ? 1 : 0
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+
+ regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SIC_Key is invalid
+ regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters"
+
+ is_both_tokens_used = length(var.memberAToken) > 0 == length(var.memberBToken) > 0
+ validation_message_both = "Smart-1 Cloud Tokens for member A and member B can not be empty."
+ //Will fail if var.memberAToken is empty and var.memberBToken isn't and vice versa
+ regex_s1c_validate = regex("^$", (local.is_both_tokens_used ? "" : local.validation_message_both))
+
+ is_tokens_used = length(var.memberAToken) > 0
+ is_both_tokens_the_same = var.memberAToken == var.memberBToken
+ validation_message_unique = "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+ //Will fail if both s1c tokens are the same
+ regex_s1c_unique = local.is_tokens_used ? regex("^$", (local.is_both_tokens_the_same ? 
local.validation_message_unique : "")) : ""
+
+ regex_valid_gateway_hostname = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.gateway_hostname is invalid
+ regex_gateway_hostname = regex(local.regex_valid_gateway_hostname, var.gateway_hostname) == var.gateway_hostname ? 0 : "Variable [gateway_hostname] must be a valid hostname label or an empty string"
+ volume_encryption_condition = var.volume_encryption != "" ? true : false
+
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
+ regex_valid_primary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.primary_ntp is invalid
+ regex_primary_ntp = regex(local.regex_valid_primary_ntp, var.primary_ntp) == var.primary_ntp ? 0 : "Variable [primary_ntp] must be a valid ntp"
+
+ regex_valid_secondary_ntp = "^[\\.a-zA-Z0-9\\-]*$"
+ // Will fail if var.secondary_ntp is invalid
+ regex_secondary_ntp = regex(local.regex_valid_secondary_ntp, var.secondary_ntp) == var.secondary_ntp ? 0 : "Variable [secondary_ntp] must be a valid ntp"
+
+ gateway_bootstrap_script64 = base64encode(var.gateway_bootstrap_script)
+ //Splits the version and licence and returns the os version
+ version_split = element(split("-", var.gateway_version), 0)
+
+ volume_type_allowed_values = [
+ "gp3",
+ "gp2"]
+ // will fail if [var.VolumeType] is invalid:
+ validate_volume_type = index(local.volume_type_allowed_values, var.volume_type)
+}
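Review bot: The input checks in this block report failure as a type or function error (`index()` on a value that is not in the list, `regex("^$", …)` on a non-empty string, a string assigned where a number is expected), so a bad `gateway_SICKey` or `key_name` surfaces as a confusing evaluation error and the text stored in `validation_message_both` or `regex_key_name_result` is never shown to the user, and this also relies on Terraform evaluating locals that nothing references. With `required_version = ">= 0.14.3"` in versions.tf, `validation { condition = … error_message = … }` blocks on the corresponding variables in variables.tf would print the intended message and remove the sentinel locals; the checks also presumably duplicate what the `../cross-az-cluster` module validates on the same inputs. Two smaller items in the same block: `provided_roue_table` looks like a typo for `provided_route_table`, and `"Variable [key_name] must be a none empty string"` should read `non-empty`.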
diff --git a/terraform/aws/tgw-cross-az-cluster/main.tf b/terraform/aws/tgw-cross-az-cluster/main.tf
new file mode 100755
index 00000000..4ae319ab
--- /dev/null
+++ b/terraform/aws/tgw-cross-az-cluster/main.tf
@@ -0,0 +1,62 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+
+module "cluster_into_vpc" {
+ source = "../cross-az-cluster"
+ providers = {
+ aws = aws
+ }
+
+ vpc_id = var.vpc_id
+ public_subnet_ids = tolist([var.public_subnet_1, var.public_subnet_2])
+ private_subnet_ids = tolist([var.private_subnet_1, var.private_subnet_2])
+ private_route_table = var.private_route_table
+ gateway_name = var.gateway_name
+ gateway_instance_type = var.gateway_instance_type
+ key_name = var.key_name
+ volume_size = var.volume_size
+ volume_encryption = var.volume_encryption
+ enable_instance_connect = var.enable_instance_connect
+ disable_instance_termination = var.disable_instance_termination
+ metadata_imdsv2_required = var.metadata_imdsv2_required
+ instance_tags = var.instance_tags
+ predefined_role = var.predefined_role
+ gateway_version = var.gateway_version
+ admin_shell = var.admin_shell
+ gateway_SICKey = var.gateway_SICKey
+ gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
+ memberAToken = var.memberAToken
+ memberBToken = var.memberBToken
+ resources_tag_name = var.resources_tag_name
+ gateway_hostname = var.gateway_hostname
+ allow_upload_download = var.allow_upload_download
+ enable_cloudwatch = var.enable_cloudwatch
+ gateway_bootstrap_script = var.gateway_bootstrap_script
+ primary_ntp = var.primary_ntp
+ secondary_ntp = var.secondary_ntp
+ volume_type = var.volume_type
+}
+resource "aws_route_table" "tgw_route_table" {
+ vpc_id = var.vpc_id
+ route{
+ cidr_block = "0.0.0.0/0"
+ network_interface_id = module.cluster_into_vpc.member_a_eni
+ }
+ tags = {
+ Name = "TGW Attachment Route Table"
+ Network = "Private"
+ }
+}
+resource "aws_route_table_association" "tgw_attachment1_rtb_assoc" {
+ subnet_id = var.tgw_subnet_1_id
+ route_table_id = aws_route_table.tgw_route_table.id
+}
+resource "aws_route_table_association" 
"tgw_attachment2_rtb_assoc" {
+ subnet_id = var.tgw_subnet_2_id
+ route_table_id = aws_route_table.tgw_route_table.id
+}
\ No newline at end of file
diff --git a/terraform/aws/tgw-cross-az-cluster/output.tf b/terraform/aws/tgw-cross-az-cluster/output.tf
new file mode 100755
index 00000000..2aa6d333
--- /dev/null
+++ b/terraform/aws/tgw-cross-az-cluster/output.tf
@@ -0,0 +1,27 @@
+output "cluster_public_ip" {
+ value = module.cluster_into_vpc.cluster_public_ip
+}
+output "member_a_public_ip" {
+ value = module.cluster_into_vpc.member_a_public_ip
+}
+output "member_b_public_ip" {
+ value = module.cluster_into_vpc.member_b_public_ip
+}
+output "member_a_eni" {
+ value = module.cluster_into_vpc.member_a_eni
+}
+output "member_a_ssh" {
+ value = module.cluster_into_vpc.member_a_ssh
+}
+output "member_b_ssh" {
+ value = module.cluster_into_vpc.member_b_ssh
+}
+output "member_a_url" {
+ value = module.cluster_into_vpc.member_a_url
+}
+output "member_b_url" {
+ value = module.cluster_into_vpc.member_b_url
+}
+output "member_b_eni" {
+ value = module.cluster_into_vpc.member_b_eni
+}
\ No newline at end of file
diff --git a/terraform/aws/tgw-cross-az-cluster/terraform.tfvars b/terraform/aws/tgw-cross-az-cluster/terraform.tfvars
new file mode 100755
index 00000000..c1008d0d
--- /dev/null
+++ b/terraform/aws/tgw-cross-az-cluster/terraform.tfvars
@@ -0,0 +1,43 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_id = "vpc-1234"
+public_subnet_1 = "subnet-1234"
+public_subnet_2 = "subnet-2345"
+private_subnet_1 = "subnet-3456"
+private_subnet_2 = "subnet-4567"
+tgw_subnet_1_id = "subnet-5678"
+tgw_subnet_2_id = "subnet-6789"
+private_route_table = ""
+
+// --- EC2 Instance Configuration ---
+gateway_name = "Check-Point-Cluster-tf"
+gateway_instance_type = "c5.xlarge"
+key_name = "publickey"
+volume_size = 100
+volume_encryption = "alias/aws/ebs"
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+
+predefined_role = ""
+
+// --- Check Point Settings ---
+gateway_version = "R81.20-BYOL"
+admin_shell = "/etc/cli.sh"
+gateway_SICKey = "12345678"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
+
+// --- Quick connect to Smart-1 Cloud (Recommended) ---
+memberAToken = ""
+memberBToken = ""
+
+// --- Advanced Settings ---
+resources_tag_name = "tag-name"
+gateway_hostname = "gw-hostname"
+allow_upload_download = true
+enable_cloudwatch = false
+gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+primary_ntp = ""
+secondary_ntp = ""
\ No newline at end of file
diff --git a/terraform/aws/tgw-cross-az-cluster/variables.tf b/terraform/aws/tgw-cross-az-cluster/variables.tf
new file mode 100755
index 00000000..eb330795
--- /dev/null
+++ b/terraform/aws/tgw-cross-az-cluster/variables.tf
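Review bot: `primary_ntp = ""` and `secondary_ntp = ""` in this sample file explicitly override the defaults declared in variables.tf (`169.254.169.123` and `0.pool.ntp.org`), so anyone who applies the file as shipped deploys with no NTP servers configured, and the regex in locals.tf accepts the empty strings without complaint; either drop the two lines so the defaults apply, or set them to the default values. The placeholder `gateway_SICKey = "12345678"` also passes the eight-alphanumeric check in locals.tf unchanged, so nothing in the toolchain forces a deployer to replace it — a comment such as `// replace with a unique random SIC key before applying` next to it would at least flag that. Minor: this line uses a `#` comment while the rest of the file uses `//`.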
@@ -0,0 +1,201 @@
+// Module: Check Point CloudGuard Network Security Cluster into an existing VPC
+
+// --- AWS Provider ---
+variable "region" {
+ type = string
+ description = "AWS region"
+ default = ""
+}
+variable "access_key" {
+ type = string
+ description = "AWS access key"
+ default = ""
+}
+variable "secret_key" {
+ type = string
+ description = "AWS secret key"
+ default = ""
+}
+
+// --- VPC Network Configuration ---
+variable "vpc_id" {
+ type = string
+}
+variable "public_subnet_1" {
+ type = string
+ description = "The public subnet ID of the cluster that located in the 1st Availability Zone"
+}
+variable "public_subnet_2" {
+ type = string
+ description = "The public subnet of the cluster that located in the 2st Availability Zone"
+}
+variable "private_subnet_1" {
+ type = string
+ description = "The private subnet of the cluster that located in the 1st Availability Zone"
+}
+variable "private_subnet_2" {
+ type = string
+ description = "The private subnet of the cluster that located in the 2st Availability Zone"
+}
+variable "tgw_subnet_1_id" {
+ type = string
+ description = "The TGW attachment subnet ID located in the 1st Availability Zone"
+}
+variable "tgw_subnet_2_id" {
+ type = string
+ description = "The TGW attachment subnet ID located in the 2st Availability Zone"
+}
+variable "private_route_table" {
+ type = string
+ description = "(Optional) Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). 
Route table cannot have an existing 0.0.0.0/0 route"
+ default= ""
+}
+
+// --- EC2 Instance Configuration ---
+variable "gateway_name" {
+ type = string
+ description = "(Optional) The name tag of the Security Gateway instances"
+ default = "Check-Point-Cluster-tf"
+}
+variable "gateway_instance_type" {
+ type = string
+ description = "The instance type of the Security Gateways"
+ default = "c5.xlarge"
+}
+module "validate_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "gateway"
+ instance_type = var.gateway_instance_type
+}
+variable "key_name" {
+ type = string
+ description = "The EC2 Key Pair name to allow SSH access to the instance"
+}
+variable "allocate_and_associate_eip" {
+ type = bool
+ description = "If set to true, an elastic IP will be allocated and associated with each cluster member, in addition to the shared cluster Elastic IP"
+ default = true
+}
+variable "volume_size" {
+ type = number
+ description = "Root volume size (GB) - minimum 100"
+ default = 100
+}
+resource "null_resource" "volume_size_too_small" {
+ // Volume Size validation - resource will not be created if the volume size is smaller than 100
+ count = var.volume_size >= 100 ? 0 : "volume_size must be at least 100"
+}
+variable "volume_type" {
+ type = string
+ description = "General Purpose SSD Volume Type"
+ default = "gp3"
+}
+variable "volume_encryption" {
+ type = string
+ description = "KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. 
for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs')"
+ default = "alias/aws/ebs"
+}
+variable "enable_instance_connect" {
+ type = bool
+ description = "Enable SSH connection over AWS web console"
+ default = false
+}
+variable "disable_instance_termination" {
+ type = bool
+ description = "Prevents an instance from accidental termination"
+ default = false
+}
+variable "metadata_imdsv2_required" {
+ type = bool
+ description = "Set true to deploy the instance with metadata v2 token required"
+ default = true
+}
+variable "instance_tags" {
+ type = map(string)
+ description = "(Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances"
+ default = {}
+}
+variable "predefined_role" {
+ type = string
+ description = "(Optional) A predefined IAM role to attach to the cluster profile"
+ default = ""
+}
+
+// --- Check Point Settings ---
+variable "gateway_version" {
+ type = string
+ description = "Gateway version and license"
+ default = "R81.20-BYOL"
+}
+module "validate_gateway_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "gateway"
+ version_license = var.gateway_version
+}
+variable "admin_shell" {
+ type = string
+ description = "Set the admin shell to enable advanced command line configuration"
+ default = "/etc/cli.sh"
+}
+variable "gateway_SICKey" {
+ type = string
+ description = "The Secure Internal Communication key for trusted connection between Check Point components. 
Choose a random string consisting of at least 8 alphanumeric characters"
+}
+variable "gateway_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash for the gateway instances, relevant only for R81.20 and higher versions"
+ type = string
+ default = ""
+}
+// --- Quick connect to Smart-1 Cloud (Recommended) ---
+variable "memberAToken" {
+ type = string
+ description = "Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud."
+}
+variable "memberBToken" {
+ type = string
+ description = "Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud."
+}
+
+// --- Advanced Settings ---
+variable "resources_tag_name" {
+ type = string
+ description = "(Optional) Name tag prefix of the resources"
+ default = ""
+}
+variable "gateway_hostname" {
+ type = string
+ description = "(Optional) The host name will be appended with member-a/b accordingly"
+ default = ""
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point"
+ default = true
+}
+variable "enable_cloudwatch" {
+ type = bool
+ description = "Report Check Point specific CloudWatch metrics"
+ default = false
+}
+variable "gateway_bootstrap_script" {
+ type = string
+ description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot"
+ default = ""
+}
+variable "primary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol primary server"
+ default = "169.254.169.123"
+}
+variable "secondary_ntp" {
+ type = string
+ description = "(Optional) The IPv4 addresses of Network Time Protocol secondary server"
+ default = "0.pool.ntp.org"
+}
diff --git a/terraform/aws/tgw-cross-az-cluster/versions.tf b/terraform/aws/tgw-cross-az-cluster/versions.tf
new file mode 100755
index 00000000..dbebf275
--- /dev/null
+++ b/terraform/aws/tgw-cross-az-cluster/versions.tf
@@ -0,0 +1,15 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ random = {
+ version = "~> 3.5.1"
+ }
+ }
+}
diff --git a/terraform/aws/tgw-gwlb-master/README.md b/terraform/aws/tgw-gwlb-master/README.md
new file mode 100755
index 00000000..fa8a0ffd
--- /dev/null
+++ b/terraform/aws/tgw-gwlb-master/README.md
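Review bot: None of the secret-bearing inputs declared here — `access_key`, `secret_key`, `gateway_SICKey`, `gateway_password_hash`, `gateway_maintenance_mode_password_hash`, `memberAToken`, `memberBToken` — is marked `sensitive = true`, so their values are printed in `terraform plan`/`apply` output and in any CI log that captures it; with `required_version = ">= 0.14.3"` in versions.tf the attribute is available, and adding `sensitive = true` to each of those seven blocks is the whole change. `allocate_and_associate_eip` is declared with a default but main.tf in this patch never passes it to `module.cluster_into_vpc`, so it is a dead input that should either be wired through or removed. `variable "vpc_id"` is the only input without a `description`; `description = "The VPC ID in which the cluster and the TGW attachment route table are created"` would match the others. The `resource "null_resource"` block here depends on the `null` provider, which versions.tf in this patch does not list.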
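Review bot: `required_providers` declares `aws`, `http` and `random` but not `null`, while variables.tf in this same patch uses `resource "null_resource" "volume_size_too_small"`; Terraform resolves the undeclared name to `hashicorp/null` implicitly, but the version is then unpinned, unlike every other provider in this block. Adding `null = { source = "hashicorp/null" }` with a version constraint consistent with the project's other modules keeps the lock file reproducible. `http` and `random` also omit `source`, which is harmless for HashiCorp-namespaced providers but inconsistent with the `aws` entry.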
@@ -0,0 +1,264 @@ +# Check Point CloudGuard Network Gateway Load Balancer for Transit Gateway Terraform Master module for AWS + +Terraform module which deploys an AWS Auto Scaling group configured for Gateway Load Balancer into new Centralized Security VPC for Transit Gateway. + +These types of Terraform resources are supported: +* [AWS Instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) +* [Security Group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) +* [Load Balancer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) +* [Load Balancer Target Group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) +* [Launch template](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) +* [Auto Scaling Group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group) +* [IAM Role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) - conditional creation + +See the [Check Point CloudGuard Gateway Load Balancer on AWS](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_AWS_Centralized_Gateway_Load_Balancer/Content/Topics-AWS-GWLB-VPC-DG/Introduction.htm) for additional information + +This solution uses the following modules: +- /terraform/aws/autoscale-gwlb +- /terraform/aws/modules/vpc +- /terraform/aws/management +- /terraform/aws/cme-iam-role-gwlb +- /terraform/aws/modules/amis +- /terraform/aws/gwlb + +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.aws_access_key_ID + secret_key = var.aws_secret_access_key +} +``` +The provider credentials can be 
provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/qs-autoscale/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Static credentials are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/autoscale-gwlb, /terraform/aws/management and /terraform/aws/cme-iam-role-gwlb: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.aws_access_key_ID + // secret_key = var.aws_secret_access_key + } + ``` + b. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/autoscale, /terraform/aws/management and /terraform/aws/cme-iam-role-gwlb: + ``` + provider "aws" { + // region = var.region + // access_key = var.aws_access_key_ID + // secret_key = var.aws_secret_access_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/gwlb/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` + - Create or modify the deployment: + ``` + terraform apply + ``` + + - Variables are configured in /terraform/aws/qs-autoscale/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- VPC Network Configuration --- + vpc_cidr = "10.0.0.0/16" + public_subnets_map = { + "us-east-1a" = 1 + "us-east-1b" = 2 + "us-east-1c" = 3 + "us-east-1d" = 4 + } + tgw_subnets_map = { + "us-east-1a" = 5 + "us-east-1b" = 6 + "us-east-1c" = 7 + "us-east-1d" = 8 + } + subnets_bit_length = 8 + + availability_zones = ["us-east-1a", "us-east-1b", "us-east-1c", "us-east-1d"] + number_of_AZs = 4 + + nat_gw_subnet_1_cidr ="10.0.13.0/24" + nat_gw_subnet_2_cidr = "10.0.23.0/24" + nat_gw_subnet_3_cidr = "10.0.33.0/24" + nat_gw_subnet_4_cidr = "10.0.43.0/24" + + gwlbe_subnet_1_cidr = "10.0.14.0/24" + gwlbe_subnet_2_cidr = "10.0.24.0/24" + gwlbe_subnet_3_cidr = "10.0.34.0/24" + gwlbe_subnet_4_cidr = "10.0.44.0/24" + + // --- General Settings --- + key_name = "publickey" + enable_volume_encryption = true + volume_size = 100 + enable_instance_connect = false + 
disable_instance_termination = false + allow_upload_download = true + management_server = "CP-Management-gwlb-tf" + configuration_template = "gwlb-configuration" + admin_shell = "/etc/cli.sh" + + // --- Gateway Load Balancer Configuration --- + gateway_load_balancer_name = "gwlb1" + target_group_name = "tg1" + enable_cross_zone_load_balancing = "true" + + // --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration --- + gateway_name = "Check-Point-GW-tf" + gateway_instance_type = "c5.xlarge" + minimum_group_size = 2 + maximum_group_size = 10 + gateway_version = "R81.20-BYOL" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. + gateway_SICKey = "12345678" + gateways_provision_address_type = "private" + allocate_public_IP = false + enable_cloudwatch = false + gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + + // --- Check Point CloudGuard IaaS Security Management Server Configuration --- + management_deploy = true + management_instance_type = "m5.xlarge" + management_version = "R81.20-BYOL" + management_password_hash = "" + management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password. 
+ gateways_policy = "Standard" + gateway_management = "Locally managed" + admin_cidr = "0.0.0.0/0" + gateways_addresses = "0.0.0.0/0" + + // --- Other parameters --- + volume_type = "gp3" + ``` + +- Conditional creation + - To enable cloudwatch for tgw-gwlb-master: + ``` + enable_cloudwatch = true + ``` + Note: enabling cloudwatch will automatically create IAM role with cloudwatch:PutMetricData permission + - To deploy Security Management Server: + ``` + management_deploy = true + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | +|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|-----------| +| vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | +| subnets_bit_length | Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20 | number | n/a | n/a | yes | +| public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | +| availability_zones | The Availability Zones (AZs) to use for the subnets in the VPC. | string | n/a | n/a | yes | +| Number_of_AZs | Number of Availability Zones to use in the VPC. 
| number | n/a | 2 | yes | +| tgw_subnets_map | A map of pairs {availability-zone = subnet-suffix-number} for the tgw subnets. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | +| nat_gw_subnet_1_cidr | CIDR block for NAT subnet 1 located in the 1st Availability Zone | string | n/a | 10.0.13.0/24 | yes | +| nat_gw_subnet_2_cidr | CIDR block for NAT subnet 2 located in the 2st Availability Zone | string | n/a | 10.0.23.0/24 | yes | +| nat_gw_subnet_3_cidr | CIDR block for NAT subnet 3 located in the 3st Availability Zone | string | n/a | 10.0.33.0/24 | yes | +| nat_gw_subnet_4_cidr | CIDR block for NAT subnet 4 located in the 4st Availability Zone | string | n/a | 10.0.43.0/24 | yes | +| gwlbe_subnet_1_cidr | CIDR block for GWLBe subnet 1 located in the 1st Availability Zone | string | n/a | 10.0.14.0/24 | yes | +| gwlbe_subnet_2_cidr | CIDR block for GWLBe subnet 2 located in the 2st Availability Zone | string | n/a | 10.0.24.0/24 | yes | +| gwlbe_subnet_3_cidr | CIDR block for GWLBe subnet 3 located in the 3st Availability Zone | string | n/a | 10.0.34.0/24 | yes | +| gwlbe_subnet_4_cidr | CIDR block for GWLBe subnet 4 located in the 4st Availability Zone | string | n/a | 10.0.44.0/24 | yes | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. 
Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| volume_size | Instances volume size | number | n/a | 100 | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| management_server | The name that represents the Security Management Server in the automatic provisioning configuration. | string | n/a | CP-Management-gwlb-tf | yes | +| configuration_template | The tag is used by the Security Management Server to automatically provision the Security Gateways. Must be up to 12 alphanumeric characters and unique for each Quick Start deployment | string | n/a | gwlb-ter | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_load_balancer_name | Load Balancer name in AWS | string | n/a | gwlb-terraform | yes | +| target_group_name | Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. | string | n/a | tg1-terraform | yes | +| connection_acceptance_required | Indicate whether requests from service consumers to create an endpoint to your service must be accepted. Default is set to false(acceptance not required). | bool | true/false | false | yes | +| enable_cross_zone_load_balancing | Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges. | bool | true/false | true | yes | +| gateway_name | The name tag of the Security Gateway instances. (optional) | string | n/a | gwlb-terraform | yes | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | +| gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | +| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) An optional script with semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| gateways_provision_address_type | Determines if the gateways are provisioned using their private or public address. | string | - private
- public | private | no | +| allocate_public_IP | Allocate a Public IP for gateway members. | bool | true/false | false | no | +| management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | +| management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | +| management_version | The license to install on the Security Management Server | string | - R80.40-BYOL
- R80.40-PAYG
- R81-BYOL
- R81-PAYG
- R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG | R81.20-BYOL | no | +| management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateways_policy | The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group | string | n/a | Standard | no | +| gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. | string | - Locally managed
- Over the internet | Locally managed | no | +| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | +| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | + + +## Outputs +| Name | Description | +|---------------------|---------------------------------------------------------------------------------------| +| managment_public_ip | The deployed Security Management AWS instance public IP | +| load_balancer_url | The URL of the external Load Balancer | +| template_name | Name of a gateway configuration template in the automatic provisioning configuration. | +| controller_name | The controller name in CME. 
| +| gwlb_name | The name of the deployed Gateway Load Balancer | +| gwlb_service_name | The service name for the deployed Gateway Load Balancer | +| gwlb_arn | The arn for the deployed Gateway Load Balancer | + + + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|----------------------------------------------------------------------------------------------------------------------------| +| 20220414 | First release of Check Point CloudGuar d Network Gateway Load Balancer for Transit Gateway Master Terraform module for AWS | +| 20220606 | New instance type support | +| 20221123 | R81.20 version support | +| 20221226 | Support ASG Launch Template instead of Launch Configuration | +| 20230806 | Add support for c6in instance type | +| 20230829 | Change default Check Point version to R81.20 | +| 20230910 | Add bootstrap script execution option for deployed gateways | +| 20230914 | Add support for maintenance mode password | +| 20230923 | Add support for C5d instance type | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/terraform/aws/tgw-gwlb-master/locals.tf b/terraform/aws/tgw-gwlb-master/locals.tf new file mode 100755 index 00000000..d75eeaa5 --- /dev/null +++ b/terraform/aws/tgw-gwlb-master/locals.tf 
@@ -0,0 +1,62 @@
+locals {
+ regex_valid_vpc_cidr = "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$"
+ // Will fail if var.vpc_cidr is invalid
+ regex_vpc_cidr = regex(local.regex_valid_vpc_cidr, var.vpc_cidr) == var.vpc_cidr ? 0 : "Variable [vpc_cidr] must be a valid vpc cidr"
+
+ regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SIC_Key is invalid
+ regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters"
+
+ control_over_public_or_private_allowed_values = [
+ "public",
+ "private"]
+ // will fail if [var.control_gateway_over_public_or_private_address] is invalid:
+ validate_control_over_public_or_private = index(local.control_over_public_or_private_allowed_values, var.gateways_provision_address_type)
+
+ gateway_management_allowed_values = [
+ "Locally managed",
+ "Over the internet"]
+ // will fail if [var.gateway_management] is invalid:
+ validate_gateway_management = index(local.gateway_management_allowed_values, var.gateway_management)
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+
+ regex_valid_management_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.management_password_hash is invalid
+ regex_management_password_hash = regex(local.regex_valid_management_password_hash, var.management_password_hash) == var.management_password_hash ? 0 : "Variable [management_password_hash] must be a valid password hash"
+ regex_management_maintenance_mode_password_hash = regex(local.regex_valid_management_password_hash, var.management_maintenance_mode_password_hash) == var.management_maintenance_mode_password_hash ? 0 : "Variable [management_maintenance_mode_password_hash] must be a valid password hash"
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
+
+ regex_valid_admin_cidr = "^([0-9]{1,3}\\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$"
+ // Will fail if var.admin_cidr is invalid
+ regex_admin_cidr = regex(local.regex_valid_admin_cidr, var.admin_cidr) == var.admin_cidr ? 0 : "Variable [admin_cidr] must be a valid CIDR"
+
+ regex_valid_gateways_addresses = "^([0-9]{1,3}\\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$"
+ // Will fail if var.gateways_addresses is invalid
+ regex_gateways_addresses = regex(local.regex_valid_gateways_addresses, var.gateways_addresses) == var.gateways_addresses ? 0 : "Variable [gateways_addresses] must be a valid gateways addresses"
+
+ regex_valid_management_server = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.management_server is invalid
+ regex_management_server = regex(local.regex_valid_management_server, var.management_server) == var.management_server ? 0 : "Variable [management_server] can not be an empty string"
+
+ regex_valid_configuration_template = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.configuration_template is invalid
+ regex_configuration_template = regex(local.regex_valid_configuration_template, var.configuration_template) == var.configuration_template ? 0 : "Variable [configuration_template] can not be an empty string"
+
+ deploy_management_condition = var.management_deploy == true
+
+ volume_type_allowed_values = [
+ "gp3",
+ "gp2"]
+ // will fail if [var.volume_type] is invalid:
+ validate_volume_type = index(local.volume_type_allowed_values, var.volume_type)
+
+
+ #note: we need to add validiation for every subnet in masters solution
+}
\ No newline at end of file
diff --git a/terraform/aws/tgw-gwlb-master/main.tf b/terraform/aws/tgw-gwlb-master/main.tf
new file mode 100755
index 00000000..3b616ebc
--- /dev/null
+++ b/terraform/aws/tgw-gwlb-master/main.tf
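Review bot: `regex_valid_management_server` and `regex_valid_configuration_template` both end in `|)$`, so an empty string satisfies them and the "can not be an empty string" messages below them can never fire; the same holds for every other anchored `regex(...) == var.x ? 0 : "..."` local in this file, because `regex()` aborts with Terraform's generic error on a non-match before the ternary's message is reached. variables.tf in this same commit already uses a `validation` block for `configuration_template`, and that form reports the author's message; the SIC key check, for example, becomes `condition = can(regex("^[a-zA-Z0-9]{8,}$", var.gateway_SICKey))` with `error_message = "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters"` on the variable itself. `regex_valid_admin_cidr` and `regex_valid_gateways_addresses` also accept octets above 255 (`[0-9]{1,3}`), unlike the `regex_valid_vpc_cidr` pattern at the top, so a constructed value such as `999.1.1.1/0` passes as an administrator network.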
@@ -0,0 +1,85 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+module "launch_vpc" {
+ source = "../modules/vpc"
+
+ vpc_cidr = var.vpc_cidr
+ public_subnets_map = var.public_subnets_map
+ private_subnets_map = {}
+ tgw_subnets_map = var.tgw_subnets_map
+ subnets_bit_length = var.subnets_bit_length
+}
+module "tgw-gwlb"{
+ source = "../tgw-gwlb"
+ providers = {
+ aws = aws
+ }
+ vpc_id = module.launch_vpc.vpc_id
+ gateways_subnets = module.launch_vpc.public_subnets_ids_list
+ number_of_AZs = var.number_of_AZs
+ availability_zones = var.availability_zones
+ internet_gateway_id = module.launch_vpc.aws_igw
+
+ transit_gateway_attachment_subnet_1_id = element(module.launch_vpc.tgw_subnets_ids_list, 0)
+ transit_gateway_attachment_subnet_2_id = element(module.launch_vpc.tgw_subnets_ids_list, 1)
+ transit_gateway_attachment_subnet_3_id = var.number_of_AZs >= 3 ? element(module.launch_vpc.tgw_subnets_ids_list, 2) : ""
+ transit_gateway_attachment_subnet_4_id = var.number_of_AZs >= 4 ? element(module.launch_vpc.tgw_subnets_ids_list, 3) : ""
+
+ nat_gw_subnet_1_cidr = var.nat_gw_subnet_1_cidr
+ nat_gw_subnet_2_cidr = var.nat_gw_subnet_2_cidr
+ nat_gw_subnet_3_cidr = var.nat_gw_subnet_3_cidr
+ nat_gw_subnet_4_cidr = var.nat_gw_subnet_4_cidr
+
+ gwlbe_subnet_1_cidr = var.gwlbe_subnet_1_cidr
+ gwlbe_subnet_2_cidr = var.gwlbe_subnet_2_cidr
+ gwlbe_subnet_3_cidr = var.gwlbe_subnet_3_cidr
+ gwlbe_subnet_4_cidr = var.gwlbe_subnet_4_cidr
+
+ // --- General Settings ---
+ key_name = var.key_name
+ enable_volume_encryption = var.enable_volume_encryption
+ volume_size = var.volume_size
+ enable_instance_connect = var.enable_instance_connect
+ disable_instance_termination = var.disable_instance_termination
+ metadata_imdsv2_required = var.metadata_imdsv2_required
+ allow_upload_download = var.allow_upload_download
+ management_server = var.management_server
+ configuration_template = var.configuration_template
+ admin_shell = var.admin_shell
+
+ // --- Gateway Load Balancer Configuration ---
+ gateway_load_balancer_name = var.gateway_load_balancer_name
+ target_group_name = var.target_group_name
+ enable_cross_zone_load_balancing = var.enable_cross_zone_load_balancing
+
+ // --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration ---
+ gateway_name = var.gateway_name
+ gateway_instance_type = var.gateway_instance_type
+ minimum_group_size = var.minimum_group_size
+ maximum_group_size = var.maximum_group_size
+ gateway_version = var.gateway_version
+ gateway_password_hash = var.gateway_password_hash
+ gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
+ gateway_SICKey = var.gateway_SICKey
+ gateways_provision_address_type = var.gateways_provision_address_type
+ allocate_public_IP = var.allocate_public_IP
+ enable_cloudwatch = var.enable_cloudwatch
+ gateway_bootstrap_script = var.gateway_bootstrap_script
+
+ // --- Check Point CloudGuard IaaS Security Management Server Configuration ---
+ management_deploy = var.management_deploy
+ management_instance_type = var.management_instance_type
+ management_version = var.management_version
+ management_password_hash = var.management_password_hash
+ management_maintenance_mode_password_hash = var.management_maintenance_mode_password_hash
+ gateways_policy = var.gateways_policy
+ gateway_management = var.gateway_management
+ admin_cidr = var.admin_cidr
+ gateways_addresses = var.gateways_addresses
+
+ volume_type = var.volume_type
+}
\ No newline at end of file
diff --git a/terraform/aws/tgw-gwlb-master/output.tf b/terraform/aws/tgw-gwlb-master/output.tf
new file mode 100755
index 00000000..67085776
--- /dev/null
+++ b/terraform/aws/tgw-gwlb-master/output.tf
@@ -0,0 +1,24 @@
+output "Deployment" {
+ value = "Finalizing instances configuration may take up to 20 minutes after deployment is finished."
+}
+output "management_public_ip" {
+ depends_on = [module.tgw-gwlb]
+ value = module.tgw-gwlb[*].management_public_ip
+}
+output "gwlb_arn" {
+ depends_on = [module.tgw-gwlb]
+ value = module.tgw-gwlb[*].gwlb_arn
+}
+output "gwlb_service_name" {
+ depends_on = [module.tgw-gwlb]
+ value = module.tgw-gwlb[*].gwlb_service_name
+}
+output "gwlb_name" {
+ value = var.gateway_load_balancer_name
+}
+output "controller_name" {
+ value = "gwlb-controller"
+}
+output "template_name" {
+ value = var.configuration_template
+}
\ No newline at end of file
diff --git a/terraform/aws/tgw-gwlb-master/terraform.tfvars b/terraform/aws/tgw-gwlb-master/terraform.tfvars
new file mode 100755
index 00000000..bdb7a361
--- /dev/null
+++ b/terraform/aws/tgw-gwlb-master/terraform.tfvars
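Review bot: The `provider "aws"` block forwards `var.access_key` and `var.secret_key`, which variables.tf in this commit declares as ordinary string inputs with `default = ""` and no `sensitive = true`, so a static key placed in terraform.tfvars is handled as a plain, unredacted input value. Leaving the provider block to the ambient credential chain (environment variables, a named profile or an instance role, which the README in this commit also documents) avoids holding long-lived keys in module inputs at all; if the two inputs are kept, mark them `sensitive = true`. I cannot tell from this file whether the AWS provider treats the empty-string defaults as "unset" or as literal empty credentials, which is worth confirming before relying on the fallback chain.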
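Review bot: `module.tgw-gwlb[*].management_public_ip`, `[*].gwlb_arn` and `[*].gwlb_service_name` apply a splat to a module that main.tf in this commit declares without `count` or `for_each`, so these three outputs are one-element tuples rather than the scalar strings the README's outputs table describes; `value = module.tgw-gwlb.management_public_ip` (and likewise for the other two) yields the scalar. The `depends_on = [module.tgw-gwlb]` lines add nothing, since each value already references the module. The README table in this commit also spells the first output `managment_public_ip`, which does not match the `management_public_ip` declared here.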
@@ -0,0 +1,76 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_cidr = "10.0.0.0/16"
+public_subnets_map = {
+ "us-east-1a" = 1
+ "us-east-1b" = 2
+ "us-east-1c" = 3
+ "us-east-1d" = 4
+}
+tgw_subnets_map = {
+ "us-east-1a" = 5
+ "us-east-1b" = 6
+ "us-east-1c" = 7
+ "us-east-1d" = 8
+}
+subnets_bit_length = 8
+
+availability_zones = ["us-east-1a", "us-east-1b", "us-east-1c", "us-east-1d"]
+number_of_AZs = 4
+
+nat_gw_subnet_1_cidr = "10.0.13.0/24"
+nat_gw_subnet_2_cidr = "10.0.23.0/24"
+nat_gw_subnet_3_cidr = "10.0.33.0/24"
+nat_gw_subnet_4_cidr = "10.0.43.0/24"
+
+gwlbe_subnet_1_cidr = "10.0.14.0/24"
+gwlbe_subnet_2_cidr = "10.0.24.0/24"
+gwlbe_subnet_3_cidr = "10.0.34.0/24"
+gwlbe_subnet_4_cidr = "10.0.44.0/24"
+
+// --- General Settings ---
+key_name = "publickey"
+enable_volume_encryption = true
+volume_size = 100
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+allow_upload_download = true
+management_server = "CP-Management-gwlb-tf"
+configuration_template = "gwlb-configuration"
+admin_shell = "/etc/cli.sh"
+
+// --- Gateway Load Balancer Configuration ---
+gateway_load_balancer_name = "gwlb1"
+target_group_name = "tg1"
+enable_cross_zone_load_balancing = "true"
+
+// --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration ---
+gateway_name = "Check-Point-GW-tf"
+gateway_instance_type = "c5.xlarge"
+minimum_group_size = 2
+maximum_group_size = 10
+gateway_version = "R81.20-BYOL"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
+gateway_SICKey = "12345678"
+gateways_provision_address_type = "private"
+allocate_public_IP = false
+enable_cloudwatch = false
+gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+
+// --- Check Point CloudGuard IaaS Security Management Server Configuration ---
+management_deploy = true
+management_instance_type = "m5.xlarge"
+management_version = "R81.20-BYOL"
+management_password_hash = ""
+management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password.
+gateways_policy = "Standard"
+gateway_management = "Locally managed"
+admin_cidr = "0.0.0.0/0"
+gateways_addresses = "0.0.0.0/0"
+
+// --- Other parameters ---
+volume_type = "gp3"
+
diff --git a/terraform/aws/tgw-gwlb-master/variables.tf b/terraform/aws/tgw-gwlb-master/variables.tf
new file mode 100755
index 00000000..af425811
--- /dev/null
+++ b/terraform/aws/tgw-gwlb-master/variables.tf
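Review bot: `admin_cidr = "0.0.0.0/0"` and `gateways_addresses = "0.0.0.0/0"` open the management server's web, SSH and SmartConsole access to every source address, and `gateway_SICKey = "12345678"` is the trivially guessable minimum that the `^[a-zA-Z0-9]{8,}$` check in locals.tf accepts, so applying this file as shipped yields an internet-reachable management server with a well-known SIC key. Because users copy this file verbatim, ship values that fail validation until replaced, for example `admin_cidr = "" # replace with your administrator network CIDR before applying` and `gateway_SICKey = "" # replace with a random string of at least 8 alphanumeric characters`, and treat `gateways_addresses` the same way. `enable_cross_zone_load_balancing = "true"` is a quoted string where variables.tf declares `type = bool`; Terraform converts it, but the bare `true` used by the other booleans here is the consistent form.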
@@ -0,0 +1,326 @@
+// Module: Check Point CloudGuard Network Gateway Load Balancer into an existing VPC
+
+// --- AWS Provider ---
+variable "region" {
+ type = string
+ description = "AWS region"
+ default = ""
+}
+variable "access_key" {
+ type = string
+ description = "AWS access key"
+ default = ""
+}
+variable "secret_key" {
+ type = string
+ description = "AWS secret key"
+ default = ""
+}
+
+// ---VPC Network Configuration ---
+variable "number_of_AZs" {
+ type = number
+ description = "Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter"
+ default = 2
+}
+variable "availability_zones"{
+ type = list(string)
+ description = "The Availability Zones (AZs) to use for the subnets in the VPC. Select two (the logical order is preserved)"
+}
+resource "null_resource" "tgw_availability_zones_validation1" {
+ count = var.number_of_AZs == length(var.availability_zones) ? 0 : "variable availability_zones list size must be equal to variable num_of_AZs"
+}
+variable "vpc_cidr" {
+ type = string
+ description = "The CIDR block of the VPC"
+ default = "10.0.0.0/16"
+}
+variable "public_subnets_map" {
+ type = map(string)
+ description = "A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1} ) "
+}
+resource "null_resource" "tgw_availability_zones_validation2" {
+ count = var.number_of_AZs == length(var.public_subnets_map) ? 0 : "variable public_subnets_map size must be equal to variable num_of_AZs"
+}
+variable "subnets_bit_length" {
+ type = number
+ description = "Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20"
+}
+variable "tgw_subnets_map" {
+ type = map(string)
+ description = "A map of pairs {availability-zone = subnet-suffix-number} for the tgw subnets. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1} ) "
+}
+resource "null_resource" "tgw_availability_zones_validation3" {
+ count = var.number_of_AZs == length(var.tgw_subnets_map) ? 0 : "variable tgw_subnets_map size must be equal to variable num_of_AZs"
+}
+variable "nat_gw_subnet_1_cidr" {
+ type = string
+ description = "CIDR block for NAT subnet 1 located in the 1st Availability Zone"
+ default = "10.0.13.0/24"
+}
+variable "nat_gw_subnet_2_cidr" {
+ type = string
+ description = "CIDR block for NAT subnet 2 located in the 2st Availability Zone"
+ default = "10.0.23.0/24"
+}
+variable "nat_gw_subnet_3_cidr" {
+ type = string
+ description = "CIDR block for NAT subnet 3 located in the 3st Availability Zone"
+ default = "10.0.33.0/24"
+}
+variable "nat_gw_subnet_4_cidr" {
+ type = string
+ description = "CIDR block for NAT subnet 4 located in the 4st Availability Zone"
+ default = "10.0.43.0/24"
+}
+variable "gwlbe_subnet_1_cidr" {
+ type = string
+ description = "CIDR block for Gateway Loadbalancer endpoint subnet 1 located in the 1st Availability Zone"
+ default = "10.0.14.0/24"
+}
+variable "gwlbe_subnet_2_cidr" {
+ type = string
+ description = "CIDR block for Gateway Loadbalancer endpoint subnet 2 located in the 2st Availability Zone"
+ default = "10.0.24.0/24"
+}
+variable "gwlbe_subnet_3_cidr" {
+ type = string
+ description = "CIDR block for Gateway Loadbalancer endpoint subnet 3 located in the 3st Availability Zone"
+ default = "10.0.34.0/24"
+}
+variable "gwlbe_subnet_4_cidr" {
+ type = string
+ description = "CIDR block for Gateway Loadbalancer endpoint subnet 4 located in the 4st Availability Zone"
+ default = "10.0.44.0/24"
+}
+// --- General Settings ---
+variable "key_name" {
+ type = string
+ description = "The EC2 Key Pair name to allow SSH access to the instances"
+}
+variable "enable_volume_encryption" {
+ type = bool
+ description = "Encrypt Environment instances volume with default AWS KMS key"
+ default = true
+}
+variable "volume_size" {
+ type = number
+ description = "Root volume size (GB) - minimum 100"
+ default = 100
+}
+resource "null_resource" "volume_size_too_small" {
+ // Will fail if var.volume_size is less than 100
+ count = var.volume_size >= 100 ? 0 : "variable volume_size must be at least 100"
+}
+variable "volume_type" {
+ type = string
+ description = "General Purpose SSD Volume Type"
+ default = "gp3"
+}
+variable "enable_instance_connect" {
+ type = bool
+ description = "Enable SSH connection over AWS web console"
+ default = false
+}
+variable "disable_instance_termination" {
+ type = bool
+ description = "Prevents an instance from accidental termination"
+ default = false
+}
+variable "metadata_imdsv2_required" {
+ type = bool
+ description = "Set true to deploy the instance with metadata v2 token required"
+ default = true
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point"
+ default = true
+}
+variable "management_server" {
+ type = string
+ description = "The name that represents the Security Management Server in the automatic provisioning configuration."
+ default = "gwlb-management-server"
+}
+variable "configuration_template" {
+ type = string
+ description = "A name of a gateway configuration template in the automatic provisioning configuration."
+ default = "gwlb-ASG-configuration"
+ validation {
+ condition = length(var.configuration_template) < 31
+ error_message = "The configuration_template name can not exceed 30 characters"
+ }
+}
+variable "admin_shell" {
+ type = string
+ description = "Set the admin shell to enable advanced command line configuration"
+ default = "/etc/cli.sh"
+}
+
+// --- Gateway Load Balancer Configuration ---
+
+variable "gateway_load_balancer_name" {
+ type = string
+ description = "Gateway Load Balancer name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen."
+ default = "gwlb1"
+}
+resource "null_resource" "gateway_load_balancer_name_too_long" {
+ // Will fail if gateway_load_balancer_name more than 32
+ count = length(var.gateway_load_balancer_name) <= 32 ? 0 : "variable gateway_load_balancer_name must be at most 32"
+}
+variable "target_group_name" {
+ type = string
+ description = "Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen."
+ default = "tg1"
+}
+resource "null_resource" "target_group_name_too_long" {
+ // Will fail if target_group_name more than 32
+ count = length(var.target_group_name) <= 32 ? 0 : "variable target_group_name must be at most 32"
+}
+variable "enable_cross_zone_load_balancing" {
+ type = bool
+ description = "Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges."
+ default = true
+}
+
+// --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration ---
+
+variable "gateway_name" {
+ type = string
+ description = "The name tag of the Security Gateway instances. (optional)"
+ default = "Check-Point-Gateway-tf"
+}
+variable "gateway_instance_type" {
+ type = string
+ description = "The EC2 instance type for the Security Gateways."
+ default = "c5.xlarge"
+}
+module "validate_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "gateway"
+ instance_type = var.gateway_instance_type
+}
+variable "minimum_group_size" {
+ type = number
+ description = "The minimal number of Security Gateways."
+ default = 2
+}
+variable "maximum_group_size" {
+ type = number
+ description = "The maximal number of Security Gateways."
+ default = 10
+}
+variable "gateway_version" {
+ type = string
+ description = "The version and license to install on the Security Gateways."
+ default = "R81.20-BYOL"
+}
+module "validate_gateway_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "gwlb_gw"
+ version_license = var.gateway_version
+}
+variable "gateway_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash for the gateway instances, relevant only for R81.20 and higher versions"
+ type = string
+ default = ""
+}
+variable "gateway_SICKey" {
+ type = string
+ description = "The Secure Internal Communication key for trusted connection between Check Point components (at least 8 alphanumeric characters)"
+}
+
+variable "gateways_provision_address_type" {
+ type = string
+ description = "Determines if the gateways are provisioned using their private or public address"
+ default = "private"
+}
+
+variable "allocate_public_IP" {
+ type = bool
+ description = "Allocate an Elastic IP for security gateway."
+ default = false
+}
+
+resource "null_resource" "invalid_allocation" {
+ // Will fail if var.gateways_provision_address_type is public and var.allocate_public_IP is false
+ count = var.gateways_provision_address_type != "public" ? 0 : var.allocate_public_IP == true ? 0 : "Gateway's selected to be provisioned by public IP, but [allocate_public_IP] parameter is false"
+}
+
+
+variable "enable_cloudwatch" {
+ type = bool
+ description = "Report Check Point specific CloudWatch metrics."
+ default = false
+}
+
+variable "gateway_bootstrap_script" {
+ type = string
+ description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot"
+ default = ""
+}
+
+// --- Check Point CloudGuard IaaS Security Management Server Configuration ---
+
+variable "management_deploy" {
+ type = bool
+ description = "Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section"
+ default = true
+}
+variable "management_instance_type" {
+ type = string
+ description = "The EC2 instance type of the Security Management Server"
+ default = "m5.xlarge"
+}
+module "validate_management_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "management"
+ instance_type = var.management_instance_type
+}
+variable "management_version" {
+ type = string
+ description = "The license to install on the Security Management Server"
+ default = "R81.20-BYOL"
+}
+module "validate_management_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "management"
+ version_license = var.management_version
+}
+variable "management_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "management_maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash for the management instance, relevant only for R81.20 and higher versions"
+ type = string
+ default = ""
+}
+variable "gateways_policy" {
+ type = string
+ description = "The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group"
+ default = "Standard"
+}
+variable "gateway_management" {
+ type = string
+ description = "Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address."
+ default = "Locally managed"
+}
+variable "admin_cidr" {
+ type = string
+ description = "Allow web, ssh, and graphical clients only from this network to communicate with the Security Management Server"
+}
+variable "gateways_addresses" {
+ type = string
+ description = "Allow gateways only from this network to communicate with the Security Management Server"
+}
+
diff --git a/terraform/aws/tgw-gwlb-master/versions.tf b/terraform/aws/tgw-gwlb-master/versions.tf
new file mode 100755
index 00000000..dbebf275
--- /dev/null
+++ b/terraform/aws/tgw-gwlb-master/versions.tf
@@ -0,0 +1,15 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ random = {
+ version = "~> 3.5.1"
+ }
+ }
+}
diff --git a/terraform/aws/tgw-gwlb/README.md b/terraform/aws/tgw-gwlb/README.md
new file mode 100755
index 00000000..a01c29bc
--- /dev/null
+++ b/terraform/aws/tgw-gwlb/README.md
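Review bot: `secret_key`, `gateway_password_hash`, `gateway_maintenance_mode_password_hash`, `gateway_SICKey`, `management_password_hash` and `management_maintenance_mode_password_hash` hold secrets yet none is declared `sensitive = true`, which `required_version = ">= 0.14.3"` in versions.tf already permits; without it their values appear unredacted in plan output and in error messages. `variable "gateway_password_hash"` also has no `default`, unlike `management_password_hash` with `default = ""`, so an input whose description says "(Optional)" is in fact required — adding `default = ""` and `sensitive = true` to it aligns the two. The `null_resource` blocks with `count = cond ? 0 : "message"` fail only through a type error, while `configuration_template` in this same file shows the `validation { condition ... error_message ... }` form that reports the author's message directly; the file reads better with one mechanism. The descriptions of `nat_gw_subnet_2_cidr` through `gwlbe_subnet_4_cidr` say "2st", "3st" and "4st" where "2nd", "3rd" and "4th" are meant.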
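Review bot: The `http` and `random` entries in `required_providers` carry only a `version` and no `source`, so they resolve through the implicit `hashicorp/` namespace while the `aws` entry just above spells out `source = "hashicorp/aws"`; adding `source = "hashicorp/http"` and `source = "hashicorp/random"` makes the three entries consistent and explicit. I cannot see from this directory's main.tf which resource uses `http` or `random` — presumably the child modules do; if nothing does, the two entries can be dropped.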
@@ -0,0 +1,263 @@ +# Check Point CloudGuard Network Gateway Load Balancer for Transit Gateway Terraform module for AWS + +Terraform module which deploys an AWS Auto Scaling group configured for Gateway Load Balancer into existing Centralized Security VPC for Transit Gateway. + +These types of Terraform resources are supported: +* [AWS Instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) +* [VPC](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) +* [Security Group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) +* [Load Balancer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) +* [Load Balancer Target Group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) +* [Launch template](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) +* [Auto Scaling Group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group) +* [IAM Role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) - conditional creation + +See the [Check Point CloudGuard Gateway Load Balancer on AWS](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_AWS_Centralized_Gateway_Load_Balancer/Content/Topics-AWS-GWLB-VPC-DG/Introduction.htm) for additional information + +This solution uses the following modules: +- /terraform/aws/autoscale-gwlb +- /terraform/aws/management +- /terraform/aws/cme-iam-role-gwlb +- /terraform/aws/modules/amis +- /terraform/aws/gwlb +## Configurations + +The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources: +``` +provider "aws" { + region = var.region + access_key = var.aws_access_key_ID + secret_key = 
var.aws_secret_access_key +} +``` +The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables). +- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/qs-autoscale/**terraform.tfvars** file as follows: +``` +region = "us-east-1" +access_key = "my-access-key" +secret_key = "my-secret-key" +``` +- In case the Static credentials are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/autoscale-gwlb, /terraform/aws/management and /terraform/aws/cme-iam-role-gwlb: + ``` + provider "aws" { + // region = var.region + // access_key = var.access_key + // secret_key = var.secret_key + } + ``` +- In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in main.tf file, in the provider aws resource, need to be commented: + ``` + provider "aws" { + // region = var.region + // access_key = var.aws_access_key_ID + // secret_key = var.aws_secret_access_key + } + ``` + b. The next lines in main.tf file, in the provider aws resource, need to be commented for sub-modules /terraform/aws/autoscale, /terraform/aws/management and /terraform/aws/cme-iam-role-gwlb: + ``` + provider "aws" { + // region = var.region + // access_key = var.aws_access_key_ID + // secret_key = var.aws_secret_access_key + } + ``` + +## Usage +- Fill all variables in the /terraform/aws/gwlb/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` + - Create or modify the deployment: + ``` + terraform apply + ``` + + - Variables are configured in /terraform/aws/qs-autoscale/**terraform.tfvars** file as follows: + + ``` + //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW + + // --- VPC Network Configuration --- + vpc_id = "vpc-12345678" + internet_gateway_id ="igw-12345" + availability_zones = ["us-east-1a", "us-east-1b"] + number_of_AZs = 2 + gateways_subnets= ["subnet-123456", "subnet-234567"] + + transit_gateway_attachment_subnet_1_id="subnet-3456" + transit_gateway_attachment_subnet_2_id="subnet-4567" + transit_gateway_attachment_subnet_3_id="subnet-5678" + transit_gateway_attachment_subnet_4_id="subnet-6789" + + nat_gw_subnet_1_cidr ="10.0.13.0/24" + nat_gw_subnet_2_cidr = "10.0.23.0/24" + nat_gw_subnet_3_cidr = "10.0.33.0/24" + nat_gw_subnet_4_cidr = "10.0.43.0/24" + + gwlbe_subnet_1_cidr = "10.0.14.0/24" + gwlbe_subnet_2_cidr = "10.0.24.0/24" + gwlbe_subnet_3_cidr = "10.0.34.0/24" + gwlbe_subnet_4_cidr = "10.0.44.0/24" + + + // --- General Settings --- + key_name = "publickey" + enable_volume_encryption = true + 
volume_size = 100 + enable_instance_connect = false + disable_instance_termination = false + allow_upload_download = true + management_server = "CP-Management-gwlb-tf" + configuration_template = "gwlb-configuration" + admin_shell = "/etc/cli.sh" + + // --- Gateway Load Balancer Configuration --- + gateway_load_balancer_name = "gwlb1" + target_group_name = "tg1" + connection_acceptance_required = "false" + enable_cross_zone_load_balancing = "true" + + // --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration --- + gateway_name = "Check-Point-GW-tf" + gateway_instance_type = "c5.xlarge" + minimum_group_size = 2 + maximum_group_size = 10 + gateway_version = "R81.20-BYOL" + gateway_password_hash = "" + gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password. + gateway_SICKey = "12345678" + gateways_provision_address_type = "private" + allocate_public_IP = false + enable_cloudwatch = false + gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt" + + // --- Check Point CloudGuard IaaS Security Management Server Configuration --- + management_deploy = true + management_instance_type = "m5.xlarge" + management_version = "R81.20-BYOL" + management_password_hash = "" + management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password. 
+ gateways_policy = "Standard" + gateway_management = "Locally managed" + admin_cidr = "" + gateways_addresses = "" + + // --- Other parameters --- + VolumeType = "gp3" + + + ``` + +- Conditional creation + - To enable cloudwatch for tgw-gwlb: + ``` + enable_cloudwatch = true + ``` + Note: enabling cloudwatch will automatically create IAM role with cloudwatch:PutMetricData permission + - To deploy Security Management Server: + ``` + management_deploy = true + ``` +- To tear down your resources: + ``` + terraform destroy + ``` + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | +|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| +| vpc_id | Select an existing VPC | string | n/a | n/a | yes | +| internet_gateway_id | VPC's Internet Gateway Id | string | n/a | n/a | yes | +| availability_zones | The Availability Zones (AZs) to use for the subnets in the VPC. | string | n/a | n/a | yes | +| Number_of_AZs | Number of Availability Zones to use in the VPC. | number | n/a | 2 | yes | +| Gateways_subnets | Select at least 2 public subnets in the VPC. 
If you choose to deploy a Security Management Server it will be deployed in the first subnet | string | n/a | n/a | yes | +| transit_gateway_attachment_subnet_1_id | The TGW attachment subnet ID located in the 1st Availability Zone | string | n/a | n/a | yes | +| transit_gateway_attachment_subnet_2_id | The TGW attachment subnet ID located in the 2st Availability Zone | string | n/a | n/a | yes | +| transit_gateway_attachment_subnet_3_id | The TGW attachment subnet ID located in the 3st Availability Zone | string | n/a | n/a | yes | +| transit_gateway_attachment_subnet_4_id | The TGW attachment subnet ID located in the 4st Availability Zone | string | n/a | n/a | yes | +| nat_gw_subnet_1_cidr | CIDR block for NAT subnet 1 located in the 1st Availability Zone | string | n/a | 10.0.13.0/24 | yes | +| nat_gw_subnet_2_cidr | CIDR block for NAT subnet 2 located in the 2st Availability Zone | string | n/a | 10.0.23.0/24 | yes | +| nat_gw_subnet_3_cidr | CIDR block for NAT subnet 3 located in the 3st Availability Zone | string | n/a | 10.0.33.0/24 | yes | +| nat_gw_subnet_4_cidr | CIDR block for NAT subnet 4 located in the 4st Availability Zone | string | n/a | 10.0.43.0/24 | yes | +| gwlbe_subnet_1_cidr | CIDR block for GWLBe subnet 1 located in the 1st Availability Zone | string | n/a | 10.0.14.0/24 | yes | +| gwlbe_subnet_2_cidr | CIDR block for GWLBe subnet 2 located in the 2st Availability Zone | string | n/a | 10.0.24.0/24 | yes | +| gwlbe_subnet_3_cidr | CIDR block for GWLBe subnet 3 located in the 3st Availability Zone | string | n/a | 10.0.34.0/24 | yes | +| gwlbe_subnet_4_cidr | CIDR block for GWLBe subnet 4 located in the 4st Availability Zone | string | n/a | 10.0.44.0/24 | yes | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | +| management_server | The name that represents the 
Security Management Server in the automatic provisioning configuration. | string | n/a | CP-Management-gwlb-tf | yes | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| volume_size | Instances volume size | number | n/a | 100 | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| configuration_template | The tag is used by the Security Management Server to automatically provision the Security Gateways. Must be up to 12 alphanumeric characters and unique for each Quick Start deployment | string | n/a | gwlb-ter | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_load_balancer_name | Load Balancer name in AWS | string | n/a | gwlb-terraform | yes | +| target_group_name | Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. | string | n/a | tg1-terraform | yes | +| connection_acceptance_required | Indicate whether requests from service consumers to create an endpoint to your service must be accepted. Default is set to false(acceptance not required). | bool | true/false | false | yes | +| enable_cross_zone_load_balancing | Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges. | bool | true/false | true | yes | +| gateway_name | The name tag of the Security Gateway instances. (optional) | string | n/a | gwlb-terraform | yes | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | +| gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | +| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) An optional script with semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| gateways_provision_address_type | Determines if the gateways are provisioned using their private or public address. | string | - private
- public | private | no | +| allocate_public_IP | Allocate a Public IP for gateway members. | bool | true/false | false | no | +| management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | +| management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | +| management_version | The license to install on the Security Management Server | string | - R80.40-BYOL
- R80.40-PAYG
- R81-BYOL
- R81-PAYG
- R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG | R81.20-BYOL | no | +| management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateways_policy | The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group | string | n/a | Standard | no | +| gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. | string | - Locally managed
- Over the internet | Locally managed | no | +| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | +| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | + + +## Outputs +| Name | Description | +|---------------------|---------------------------------------------------------------------------------------| +| managment_public_ip | The deployed Security Management AWS instance public IP | +| load_balancer_url | The URL of the external Load Balancer | +| template_name | Name of a gateway configuration template in the automatic provisioning configuration. | +| controller_name | The controller name in CME. 
| +| gwlb_name | The name of the deployed Gateway Load Balancer | +| gwlb_service_name | The service name for the deployed Gateway Load Balancer | +| gwlb_arn | The arn for the deployed Gateway Load Balancer | + + + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|--------------------------------------------------------------------------------------------------------------------| +| 20220414 | First release of Check Point CloudGuard Network Gateway Load Balancer for Transit Gateway Terraform module for AWS | +| 20220606 | New instance type support | +| 20221123 | R81.20 version support | +| 20221226 | Support ASG Launch Template instead of Launch Configuration | +| 20230806 | Add support for c6in instance type | +| 20230829 | Change default Check Point version to R81.20 | +| 20230910 | Add bootstrap script execution option for deployed gateways | +| 20230914 | Add support for maintenance mode password | +| 20230923 | Add support for C5d instance type | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/terraform/aws/tgw-gwlb/locals.tf b/terraform/aws/tgw-gwlb/locals.tf new file mode 100755 index 00000000..0693df6d --- /dev/null +++ b/terraform/aws/tgw-gwlb/locals.tf 
@@ -0,0 +1,60 @@
+locals {
+
+ regex_valid_gateway_sic_key = "^[a-zA-Z0-9]{8,}$"
+ // Will fail if var.gateway_SIC_Key is invalid
+ regex_gateway_sic_result = regex(local.regex_valid_gateway_sic_key, var.gateway_SICKey) == var.gateway_SICKey ? 0 : "Variable [gateway_SIC_Key] must be at least 8 alphanumeric characters"
+
+ control_over_public_or_private_allowed_values = [
+ "public",
+ "private"]
+ // will fail if [var.control_gateway_over_public_or_private_address] is invalid:
+ validate_control_over_public_or_private = index(local.control_over_public_or_private_allowed_values, var.gateways_provision_address_type)
+
+ gateway_management_allowed_values = [
+ "Locally managed",
+ "Over the internet"]
+ // will fail if [var.gateway_management] is invalid:
+ validate_gateway_management = index(local.gateway_management_allowed_values, var.gateway_management)
+
+ regex_valid_key_name = "[\\S\\s]+[\\S]+"
+ // will fail if var.key_name is invalid
+ regex_key_name_result=regex(local.regex_valid_key_name, var.key_name) == var.key_name ? 0 : "Variable [key_name] must be a none empty string"
+
+ regex_valid_management_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.management_password_hash is invalid
+ regex_management_password_hash = regex(local.regex_valid_management_password_hash, var.management_password_hash) == var.management_password_hash ? 0 : "Variable [management_password_hash] must be a valid password hash"
+ regex_management_maintenance_mode_password_hash = regex(local.regex_valid_management_password_hash, var.management_maintenance_mode_password_hash) == var.management_maintenance_mode_password_hash ? 0 : "Variable [management_maintenance_mode_password_hash] must be a valid password hash"
+
+ regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
+ // Will fail if var.gateway_password_hash is invalid
+ regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
+
+
+ regex_valid_admin_cidr = "^([0-9]{1,3}\\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$"
+ // Will fail if var.admin_cidr is invalid
+ regex_admin_cidr = regex(local.regex_valid_admin_cidr, var.admin_cidr) == var.admin_cidr ? 0 : "Variable [admin_cidr] must be a valid CIDR"
+
+ regex_valid_gateways_addresses = "^([0-9]{1,3}\\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$"
+ // Will fail if var.gateways_addresses is invalid
+ regex_gateways_addresses = regex(local.regex_valid_gateways_addresses, var.gateways_addresses) == var.gateways_addresses ? 0 : "Variable [gateways_addresses] must be a valid gateways addresses"
+
+ regex_valid_management_server = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.management_server is invalid
+ regex_management_server = regex(local.regex_valid_management_server, var.management_server) == var.management_server ? 0 : "Variable [management_server] can not be an empty string"
+
+ regex_valid_configuration_template = "^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$"
+ // Will fail if var.configuration_template is invalid
+ regex_configuration_template = regex(local.regex_valid_configuration_template, var.configuration_template) == var.configuration_template ? 0 : "Variable [configuration_template] can not be an empty string"
+
+ deploy_management_condition = var.management_deploy == true
+
+ volume_type_allowed_values = [
+ "gp3",
+ "gp2"]
+ // will fail if [var.VolumeType] is invalid:
+ validate_volume_type = index(local.volume_type_allowed_values, var.volume_type)
+
+
+ #note: we need to add validiation for every subnet in masters solution
+}
\ No newline at end of file
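Review bot: The CIDR checks at `regex_valid_admin_cidr` and `regex_valid_gateways_addresses` validate shape only, so an octet such as `999` (e.g. `999.0.0.1/24`) passes and the mistake is only caught by the provider or the appliance at apply time, even though admin_cidr is the network from which management web/SSH/GUI clients are accepted. Terraform's cidrnetmask() rejects malformed IPv4 CIDRs and can() is available at the declared `required_version = ">= 0.14.3"`, so `regex_admin_cidr = can(cidrnetmask(var.admin_cidr)) ? 0 : "Variable [admin_cidr] must be a valid CIDR"` and `regex_gateways_addresses = can(cidrnetmask(var.gateways_addresses)) ? 0 : "Variable [gateways_addresses] must be a valid gateways addresses"` are both stricter and remove the duplicated pattern. Separately, the comment above `validate_volume_type` names `[var.VolumeType]` while the expression reads `var.volume_type`; the comment should be `// will fail if [var.volume_type] is invalid:` so it matches the variable actually checked.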
diff --git a/terraform/aws/tgw-gwlb/main.tf b/terraform/aws/tgw-gwlb/main.tf
new file mode 100755
index 00000000..64ce7101
--- /dev/null
+++ b/terraform/aws/tgw-gwlb/main.tf
@@ -0,0 +1,438 @@
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+}
+
+
+resource "aws_subnet" "gwlbe_subnet1" {
+ vpc_id = var.vpc_id
+ availability_zone = element(var.availability_zones, 0)
+ cidr_block = var.gwlbe_subnet_1_cidr
+ tags = {
+ Name = "GWLBe subnet 1"
+ Network = "Private"
+ }
+}
+resource "aws_route_table" "gwlbe_subnet1_rtb" {
+ vpc_id = var.vpc_id
+ route{
+ cidr_block = "0.0.0.0/0"
+ nat_gateway_id = aws_nat_gateway.nat_gateway1.id
+ }
+ tags = {
+ Name = "GWLBe Subnet 1 Route Table"
+ Network = "Private"
+ }
+}
+resource "aws_route_table_association" "gwlbe_subnet1_rtb_assoc" {
+ subnet_id = aws_subnet.gwlbe_subnet1.id
+ route_table_id = aws_route_table.gwlbe_subnet1_rtb.id
+}
+
+
+resource "aws_subnet" "gwlbe_subnet2" {
+ vpc_id = var.vpc_id
+ availability_zone = element(var.availability_zones, 1)
+ cidr_block = var.gwlbe_subnet_2_cidr
+ tags = {
+ Name = "GWLBe subnet 2"
+ Network = "Private"
+ }
+}
+resource "aws_route_table" "gwlbe_subnet2_rtb" {
+ vpc_id = var.vpc_id
+ route{
+ cidr_block = "0.0.0.0/0"
+ nat_gateway_id = aws_nat_gateway.nat_gateway2.id
+ }
+ tags = {
+ Name = "GWLBe Subnet 2 Route Table"
+ Network = "Private"
+ }
+}
+resource "aws_route_table_association" "gwlbe_subnet2_rtb_assoc" {
+ subnet_id = aws_subnet.gwlbe_subnet2.id
+ route_table_id = aws_route_table.gwlbe_subnet2_rtb.id
+}
+
+
+resource "aws_subnet" "gwlbe_subnet3" {
+ count = var.number_of_AZs >= 3 ? 1 :0
+ vpc_id = var.vpc_id
+ availability_zone = element(var.availability_zones, 2)
+ cidr_block = var.gwlbe_subnet_3_cidr
+ tags = {
+ Name = "GWLBe subnet 3"
+ Network = "Private"
+ }
+}
+resource "aws_route_table" "gwlbe_subnet3_rtb" {
+ count = var.number_of_AZs >= 3 ? 1 :0
+ vpc_id = var.vpc_id
+ route{
+ cidr_block = "0.0.0.0/0"
+ nat_gateway_id = aws_nat_gateway.nat_gateway3[0].id
+ }
+ tags = {
+ Name = "GWLBe Subnet 3 Route Table"
+ Network = "Private"
+ }
+}
+resource "aws_route_table_association" "gwlbe_subnet3_rtb_assoc" {
+ count = var.number_of_AZs >= 3 ? 1 :0
+ subnet_id = aws_subnet.gwlbe_subnet3[0].id
+ route_table_id = aws_route_table.gwlbe_subnet3_rtb[0].id
+}
+
+
+resource "aws_subnet" "gwlbe_subnet4" {
+ count = var.number_of_AZs >= 4 ? 1 :0
+ vpc_id = var.vpc_id
+ availability_zone = element(var.availability_zones, 3)
+ cidr_block = var.gwlbe_subnet_4_cidr
+ tags = {
+ Name = "GWLBe subnet 4"
+ Network = "Private"
+ }
+}
+resource "aws_route_table" "gwlbe_subnet4_rtb" {
+ count = var.number_of_AZs >= 4 ? 1 :0
+ vpc_id = var.vpc_id
+ route{
+ cidr_block = "0.0.0.0/0"
+ nat_gateway_id = aws_nat_gateway.nat_gateway4[0].id
+ }
+ tags = {
+ Name = "GWLBe Subnet 4 Route Table"
+ Network = "Private"
+ }
+}
+resource "aws_route_table_association" "gwlbe_subnet4_rtb_assoc" {
+ count = var.number_of_AZs >= 4 ? 
1 :0 + subnet_id = aws_subnet.gwlbe_subnet4[0].id + route_table_id = aws_route_table.gwlbe_subnet4_rtb[0].id +} + + + + +resource "aws_subnet" "nat_gw_subnet1" { + vpc_id = var.vpc_id + availability_zone = element(var.availability_zones, 0) + cidr_block = var.nat_gw_subnet_1_cidr + tags = { + Name = "NAT subnet 1" + Network = "Private" + } +} +resource "aws_route_table" "nat_gw_subnet1_rtb" { + vpc_id = var.vpc_id + route{ + cidr_block = "0.0.0.0/0" + gateway_id = var.internet_gateway_id + } + tags = { + Name = "NAT Subnet 1 Route Table" + Network = "Public" + } +} +resource "aws_route_table_association" "nat_gw_subnet1_rtb_assoc" { + subnet_id = aws_subnet.nat_gw_subnet1.id + route_table_id = aws_route_table.nat_gw_subnet1_rtb.id +} + +resource "aws_subnet" "nat_gw_subnet2" { + vpc_id = var.vpc_id + availability_zone = element(var.availability_zones, 1) + cidr_block = var.nat_gw_subnet_2_cidr + tags = { + Name = "NAT subnet 2" + Network = "Private" + } +} +resource "aws_route_table" "nat_gw_subnet2_rtb" { + vpc_id = var.vpc_id + route{ + cidr_block = "0.0.0.0/0" + gateway_id = var.internet_gateway_id + } + tags = { + Name = "NAT Subnet 2 Route Table" + Network = "Public" + } +} +resource "aws_route_table_association" "nat_gw_subnet2_rtb_assoc" { + subnet_id = aws_subnet.nat_gw_subnet2.id + route_table_id = aws_route_table.nat_gw_subnet2_rtb.id +} + +resource "aws_subnet" "nat_gw_subnet3" { + count = var.number_of_AZs >= 3 ? 1 :0 + vpc_id = var.vpc_id + availability_zone = element(var.availability_zones, 2) + cidr_block = var.nat_gw_subnet_3_cidr + tags = { + Name = "NAT subnet 3" + Network = "Private" + } +} +resource "aws_route_table" "nat_gw_subnet3_rtb" { + count = var.number_of_AZs >= 3 ? 
1 :0 + vpc_id = var.vpc_id + route{ + cidr_block = "0.0.0.0/0" + gateway_id = var.internet_gateway_id + } + tags = { + Name = "NAT Subnet 3 Route Table" + Network = "Public" + } +} +resource "aws_route_table_association" "nat_gw_subnet3_rtb_assoc" { + count = var.number_of_AZs >= 3 ? 1 :0 + subnet_id = aws_subnet.nat_gw_subnet3[0].id + route_table_id = aws_route_table.nat_gw_subnet3_rtb[0].id +} + +resource "aws_subnet" "nat_gw_subnet4" { + count = var.number_of_AZs >= 4 ? 1 :0 + vpc_id = var.vpc_id + availability_zone = element(var.availability_zones, 3) + cidr_block = var.nat_gw_subnet_4_cidr + tags = { + Name = "NAT subnet 4" + Network = "Private" + } +} +resource "aws_route_table" "nat_gw_subnet4_rtb" { + count = var.number_of_AZs >= 4 ? 1 :0 + vpc_id = var.vpc_id + route{ + cidr_block = "0.0.0.0/0" + gateway_id = var.internet_gateway_id + } + tags = { + Name = "NAT Subnet 4 Route Table" + Network = "Public" + } +} +resource "aws_route_table_association" "nat_gw_subnet4_rtb_assoc" { + count = var.number_of_AZs >= 4 ? 
1 :0 + subnet_id = aws_subnet.nat_gw_subnet4[0].id + route_table_id = aws_route_table.nat_gw_subnet4_rtb[0].id +} + +module "gwlb" { + source = "../gwlb" + providers = { + aws = aws + } + vpc_id = var.vpc_id + subnet_ids = var.gateways_subnets + + // --- General Settings --- + key_name = var.key_name + enable_volume_encryption = var.enable_volume_encryption + volume_size = var.volume_size + enable_instance_connect = var.enable_instance_connect + disable_instance_termination = var.disable_instance_termination + metadata_imdsv2_required = var.metadata_imdsv2_required + allow_upload_download = var.allow_upload_download + management_server = var.management_server + configuration_template = var.configuration_template + admin_shell = var.admin_shell + + // --- Gateway Load Balancer Configuration --- + gateway_load_balancer_name = var.gateway_load_balancer_name + target_group_name = var.target_group_name + connection_acceptance_required = false + enable_cross_zone_load_balancing = var.enable_cross_zone_load_balancing + + // --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration --- + gateway_name = var.gateway_name + gateway_instance_type = var.gateway_instance_type + minimum_group_size = var.minimum_group_size + maximum_group_size = var.maximum_group_size + gateway_version = var.gateway_version + gateway_password_hash = var.gateway_password_hash + gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash + gateway_SICKey = var.gateway_SICKey + gateways_provision_address_type = var.gateways_provision_address_type + allocate_public_IP = var.allocate_public_IP + enable_cloudwatch = var.enable_cloudwatch + gateway_bootstrap_script = var.gateway_bootstrap_script + + // --- Check Point CloudGuard IaaS Security Management Server Configuration --- + management_deploy = var.management_deploy + management_instance_type = var.management_instance_type + management_version = var.management_version + management_password_hash = 
var.management_password_hash + management_maintenance_mode_password_hash = var.management_maintenance_mode_password_hash + gateways_policy = var.gateways_policy + gateway_management = var.gateway_management + admin_cidr = var.admin_cidr + gateways_addresses = var.gateways_addresses + + volume_type = var.volume_type +} + +resource "aws_vpc_endpoint" "gwlb_endpoint1" { + depends_on = [module.gwlb, aws_subnet.gwlbe_subnet1] + vpc_id = var.vpc_id + vpc_endpoint_type = "GatewayLoadBalancer" + service_name = module.gwlb.gwlb_service_name + subnet_ids = aws_subnet.gwlbe_subnet1[*].id + tags = { + "Name" = "gwlb_endpoint1" + } +} +resource "aws_vpc_endpoint" "gwlb_endpoint2" { + depends_on = [module.gwlb, aws_subnet.gwlbe_subnet2] + vpc_id = var.vpc_id + vpc_endpoint_type = "GatewayLoadBalancer" + service_name = module.gwlb.gwlb_service_name + subnet_ids = aws_subnet.gwlbe_subnet2[*].id + tags = { + "Name" = "gwlb_endpoint2" + } +} +resource "aws_vpc_endpoint" "gwlb_endpoint3" { + count = var.number_of_AZs >= 3 ? 1 :0 + depends_on = [module.gwlb, aws_subnet.gwlbe_subnet3] + vpc_id = var.vpc_id + vpc_endpoint_type = "GatewayLoadBalancer" + service_name = module.gwlb.gwlb_service_name + subnet_ids = aws_subnet.gwlbe_subnet3[*].id + tags = { + "Name" = "gwlb_endpoint3" + } +} +resource "aws_vpc_endpoint" "gwlb_endpoint4" { + count = var.number_of_AZs >= 4 ? 
1 :0 + depends_on = [module.gwlb, aws_subnet.gwlbe_subnet4] + vpc_id = var.vpc_id + vpc_endpoint_type = "GatewayLoadBalancer" + service_name = module.gwlb.gwlb_service_name + subnet_ids = aws_subnet.gwlbe_subnet4[*].id + tags = { + "Name" = "gwlb_endpoint4" + } +} + + +resource "aws_route_table" "tgw_attachment_subnet1_rtb" { + vpc_id = var.vpc_id + route{ + cidr_block = "0.0.0.0/0" + vpc_endpoint_id = aws_vpc_endpoint.gwlb_endpoint1.id + } + tags = { + Name = "TGW Attachment Subnet 1 Route Table" + Network = "Private" + } +} +resource "aws_route_table_association" "tgw_attachment1_rtb_assoc" { + subnet_id = var.transit_gateway_attachment_subnet_1_id + route_table_id = aws_route_table.tgw_attachment_subnet1_rtb.id +} +resource "aws_route_table" "tgw_attachment_subnet2_rtb" { + vpc_id = var.vpc_id + route{ + cidr_block = "0.0.0.0/0" + vpc_endpoint_id = aws_vpc_endpoint.gwlb_endpoint2.id + } + tags = { + Name = "TGW Attachment Subnet 2 Route Table" + Network = "Private" + } +} +resource "aws_route_table_association" "tgw_attachment2_rtb_assoc" { + subnet_id = var.transit_gateway_attachment_subnet_2_id + route_table_id = aws_route_table.tgw_attachment_subnet2_rtb.id +} +resource "aws_route_table" "tgw_attachment_subnet3_rtb" { + count = var.number_of_AZs >= 3 ? 1 :0 + vpc_id = var.vpc_id + route{ + cidr_block = "0.0.0.0/0" + vpc_endpoint_id = aws_vpc_endpoint.gwlb_endpoint3[0].id + } + tags = { + Name = "TGW Attachment Subnet 3 Route Table" + Network = "Private" + } +} +resource "aws_route_table_association" "tgw_attachment3_rtb_assoc" { + count = var.number_of_AZs >= 3 ? 1 :0 + subnet_id = var.transit_gateway_attachment_subnet_3_id + route_table_id = aws_route_table.tgw_attachment_subnet3_rtb[0].id +} +resource "aws_route_table" "tgw_attachment_subnet4_rtb" { + count = var.number_of_AZs >= 4 ? 
1 :0 + vpc_id = var.vpc_id + route{ + cidr_block = "0.0.0.0/0" + vpc_endpoint_id = aws_vpc_endpoint.gwlb_endpoint4[0].id + } + tags = { + Name = "TGW Attachment Subnet 4 Route Table" + Network = "Private" + } +} +resource "aws_route_table_association" "tgw_attachment4_rtb_assoc" { + count = var.number_of_AZs >= 4 ? 1 :0 + subnet_id = var.transit_gateway_attachment_subnet_4_id + route_table_id = aws_route_table.tgw_attachment_subnet4_rtb[0].id +} + + +resource "aws_eip" "nat_gw_public_address1" { +} +resource "aws_eip" "nat_gw_public_address2" { +} +resource "aws_eip" "nat_gw_public_address3" { + count = var.number_of_AZs >= 3 ? 1 : 0 +} +resource "aws_eip" "nat_gw_public_address4" { + count = var.number_of_AZs >= 4 ? 1 : 0 +} + +resource "aws_nat_gateway" "nat_gateway1" { + depends_on = [aws_subnet.nat_gw_subnet1, aws_eip.nat_gw_public_address1] + allocation_id = aws_eip.nat_gw_public_address1.id + subnet_id = aws_subnet.nat_gw_subnet1.id + + tags = { + Name = "NatGW1" + } +} +resource "aws_nat_gateway" "nat_gateway2" { + depends_on = [aws_subnet.nat_gw_subnet2, aws_eip.nat_gw_public_address2] + allocation_id = aws_eip.nat_gw_public_address2.id + subnet_id = aws_subnet.nat_gw_subnet2.id + + tags = { + Name = "NatGW2" + } +} +resource "aws_nat_gateway" "nat_gateway3" { + count = var.number_of_AZs >= 3 ? 1 :0 + depends_on = [aws_subnet.nat_gw_subnet3, aws_eip.nat_gw_public_address3] + allocation_id = aws_eip.nat_gw_public_address3[0].id + subnet_id = aws_subnet.nat_gw_subnet3[0].id + + tags = { + Name = "NatGW3" + } +} +resource "aws_nat_gateway" "nat_gateway4" { + count = var.number_of_AZs >= 4 ? 1 :0 + depends_on = [aws_subnet.nat_gw_subnet4, aws_eip.nat_gw_public_address4] + allocation_id = aws_eip.nat_gw_public_address4[0].id + subnet_id = aws_subnet.nat_gw_subnet4[0].id + + tags = { + Name = "NatGW4" + } +} \ No newline at end of file diff --git a/terraform/aws/tgw-gwlb/output.tf b/terraform/aws/tgw-gwlb/output.tf new file mode 100755 index 00000000..15cb48a3 
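Review bot: The provider block at the top of the hunk wires static credentials through `access_key = var.access_key` / `secret_key = var.secret_key`, which pushes long-lived IAM user keys into tfvars files (this same patch commits a `terraform.tfvars`), shell history or CI variables, and `variables.tf` declares both with `default = ""` and no `sensitive = true`. Unless a specific reason requires them, drop those two lines and let the provider use its default credential chain (environment variables, a shared profile or an assumed role), i.e. `provider "aws" { region = var.region }`; if they must stay, mark both variables `sensitive = true` so plans and outputs redact them. Separately, the four `nat_gw_subnetN` subnets are tagged `Network = "Private"` while their route tables default-route to `var.internet_gateway_id` and are tagged `Public`, so anyone filtering by tag will misclassify them; `Network = "Public"` matches what the routing actually does. The module is also called with `connection_acceptance_required = false`; whether the resulting endpoint service still restricts which principals may attach depends on the `gwlb` module, which is outside this hunk.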
--- /dev/null
+++ b/terraform/aws/tgw-gwlb/output.tf
@@ -0,0 +1,24 @@
+output "Deployment" {
+ value = "Finalizing instances configuration may take up to 20 minutes after deployment is finished."
+}
+output "management_public_ip" {
+ depends_on = [module.gwlb]
+ value = module.gwlb[*].management_public_ip
+}
+output "gwlb_arn" {
+ depends_on = [module.gwlb]
+ value = module.gwlb[*].gwlb_arn
+}
+output "gwlb_service_name" {
+ depends_on = [module.gwlb]
+ value = module.gwlb[*].gwlb_service_name
+}
+output "gwlb_name" {
+ value = var.gateway_load_balancer_name
+}
+output "controller_name" {
+ value = "gwlb-controller"
+}
+output "template_name" {
+ value = var.configuration_template
+}
\ No newline at end of file
diff --git a/terraform/aws/tgw-gwlb/terraform.tfvars b/terraform/aws/tgw-gwlb/terraform.tfvars
new file mode 100755
index 00000000..266b4d1a
--- /dev/null
+++ b/terraform/aws/tgw-gwlb/terraform.tfvars
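Review bot: The three outputs that read from the module use a full splat on a single instance, `module.gwlb[*].management_public_ip`, and because `module "gwlb"` in main.tf has no `count` or `for_each`, Terraform's splat on a non-list value wraps each result in a one-element list instead of returning the scalar a caller or script would expect; `value = module.gwlb.management_public_ip` (and likewise for `gwlb_arn` and `gwlb_service_name`) gives the plain value. The `depends_on = [module.gwlb]` on those outputs is redundant since the value expression already references the module and can be removed. If the management server is optional (`management_deploy` is passed to the module), `management_public_ip` may be empty or null in that case; how the module behaves there is outside this hunk and worth a one-line comment on the output.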
@@ -0,0 +1,69 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+// --- VPC Network Configuration ---
+vpc_id = "vpc-12345678"
+internet_gateway_id ="igw-12345"
+availability_zones = ["us-east-1a", "us-east-1b"]
+number_of_AZs = 2
+gateways_subnets= ["subnet-123456", "subnet-234567"]
+
+transit_gateway_attachment_subnet_1_id="subnet-3456"
+transit_gateway_attachment_subnet_2_id="subnet-4567"
+transit_gateway_attachment_subnet_3_id="subnet-5678"
+transit_gateway_attachment_subnet_4_id="subnet-6789"
+
+nat_gw_subnet_1_cidr ="10.0.13.0/24"
+nat_gw_subnet_2_cidr = "10.0.23.0/24"
+nat_gw_subnet_3_cidr = "10.0.33.0/24"
+nat_gw_subnet_4_cidr = "10.0.43.0/24"
+
+gwlbe_subnet_1_cidr = "10.0.14.0/24"
+gwlbe_subnet_2_cidr = "10.0.24.0/24"
+gwlbe_subnet_3_cidr = "10.0.34.0/24"
+gwlbe_subnet_4_cidr = "10.0.44.0/24"
+
+// --- General Settings ---
+key_name = "publickey"
+enable_volume_encryption = true
+volume_size = 100
+enable_instance_connect = false
+disable_instance_termination = false
+metadata_imdsv2_required = true
+allow_upload_download = true
+management_server = "CP-Management-gwlb-tf"
+configuration_template = "gwlb-configuration"
+admin_shell = "/etc/cli.sh"
+
+// --- Gateway Load Balancer Configuration ---
+gateway_load_balancer_name = "gwlb1"
+target_group_name = "tg1"
+enable_cross_zone_load_balancing = "true"
+
+// --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration ---
+gateway_name = "Check-Point-GW-tf"
+gateway_instance_type = "c5.xlarge"
+minimum_group_size = 2
+maximum_group_size = 10
+gateway_version = "R81.20-BYOL"
+gateway_password_hash = ""
+gateway_maintenance_mode_password_hash = "" # For R81.10 and below the gateway_password_hash is used also as maintenance-mode password.
+gateway_SICKey = "12345678"
+gateways_provision_address_type = "private"
+allocate_public_IP = false
+enable_cloudwatch = false
+gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+
+// --- Check Point CloudGuard IaaS Security Management Server Configuration ---
+management_deploy = true
+management_instance_type = "m5.xlarge"
+management_version = "R81.20-BYOL"
+management_password_hash = ""
+management_maintenance_mode_password_hash = "" # For R81.10 and below the management_password_hash is used also as maintenance-mode password.
+gateways_policy = "Standard"
+gateway_management = "Locally managed"
+admin_cidr = "0.0.0.0/0"
+gateways_addresses = "0.0.0.0/0"
+
+// --- Other parameters ---
+volume_type = "gp3"
+
diff --git a/terraform/aws/tgw-gwlb/variables.tf b/terraform/aws/tgw-gwlb/variables.tf
new file mode 100755
index 00000000..52b97b13
--- /dev/null
+++ b/terraform/aws/tgw-gwlb/variables.tf
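Review bot: The sample values `admin_cidr = "0.0.0.0/0"` and `gateways_addresses = "0.0.0.0/0"` near the end of the hunk open administrative access to the Management Server from every IPv4 address, and since this file is committed and will be copied as-is, the shipped default should be a narrow range with a comment telling users to substitute their own source network, e.g. `admin_cidr = "203.0.113.0/24" # replace with your operators' egress CIDR`; `gateways_addresses` presumably scopes where the gateways connect from, in which case the gateway subnets or VPC CIDR is the right value (its declaration and README text are outside this hunk). `gateway_SICKey = "12345678"` places a shared secret, and a weak one, in a version-controlled tfvars file; ship it empty or as an obvious placeholder and supply the real key via `TF_VAR_gateway_SICKey` or a secrets manager, and the same applies to the `*_password_hash` fields if anyone fills them in here. Minor: `enable_cross_zone_load_balancing = "true"` is a quoted string where every other boolean is a bare `true`/`false`; use `true` for consistency, which also works if the variable is typed `bool` elsewhere.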
@@ -0,0 +1,333 @@
+// Module: Check Point CloudGuard Network Gateway Load Balancer into an existing VPC
+
+// --- AWS Provider ---
+variable "region" {
+ type = string
+ description = "AWS region"
+ default = ""
+}
+variable "access_key" {
+ type = string
+ description = "AWS access key"
+ default = ""
+}
+variable "secret_key" {
+ type = string
+ description = "AWS secret key"
+ default = ""
+}
+
+// ---VPC Network Configuration ---
+variable "vpc_id" {
+ type = string
+}
+variable "internet_gateway_id" {
+ type = string
+ description = "VPC's Internet Gateway Id (e.g. igw-123a4567)"
+}
+variable "availability_zones"{
+ type = list(string)
+ description = "The Availability Zones (AZs) to use for the subnets in the VPC. Select two (the logical order is preserved)"
+}
+variable "number_of_AZs" {
+ type = number
+ description = "Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter"
+ default = 2
+}
+resource "null_resource" "availability_zones_validation1" {
+ count = var.number_of_AZs == length(var.availability_zones) ? 0 : "variable availability_zones list size must be equal to variable num_of_AZs"
+}
+
+variable "gateways_subnets" {
+ type = list(string)
+ description = "Select at least 2 public subnets in the VPC. 
If you choose to deploy a Security Management Server it will be deployed in the first subnet"
+}
+
+variable "transit_gateway_attachment_subnet_1_id" {
+ type = string
+ description = "The TGW attachment subnet ID located in the 1st Availability Zone"
+}
+variable "transit_gateway_attachment_subnet_2_id" {
+ type = string
+ description = "The TGW attachment subnet ID located in the 2st Availability Zone"
+}
+variable "transit_gateway_attachment_subnet_3_id" {
+ type = string
+ description = "The TGW attachment subnet ID located in the 3st Availability Zone"
+ default = ""
+}
+variable "transit_gateway_attachment_subnet_4_id" {
+ type = string
+ description = "The TGW attachment subnet ID located in the 4st Availability Zone"
+ default = ""
+}
+variable "nat_gw_subnet_1_cidr" {
+ type = string
+ description = "CIDR block for NAT subnet 1 located in the 1st Availability Zone"
+ default = "10.0.13.0/24"
+}
+variable "nat_gw_subnet_2_cidr" {
+ type = string
+ description = "CIDR block for NAT subnet 2 located in the 2st Availability Zone"
+ default = "10.0.23.0/24"
+}
+variable "nat_gw_subnet_3_cidr" {
+ type = string
+ description = "CIDR block for NAT subnet 3 located in the 3st Availability Zone"
+ default = "10.0.33.0/24"
+}
+variable "nat_gw_subnet_4_cidr" {
+ type = string
+ description = "CIDR block for NAT subnet 4 located in the 4st Availability Zone"
+ default = "10.0.43.0/24"
+}
+variable "gwlbe_subnet_1_cidr" {
+ type = string
+ description = "CIDR block for Gateway Loadbalancer endpoint subnet 1 located in the 1st Availability Zone"
+ default = "10.0.14.0/24"
+}
+variable "gwlbe_subnet_2_cidr" {
+ type = string
+ description = "CIDR block for Gateway Loadbalancer endpoint subnet 2 located in the 2st Availability Zone"
+ default = "10.0.24.0/24"
+}
+variable "gwlbe_subnet_3_cidr" {
+ type = string
+ description = "CIDR block for Gateway Loadbalancer endpoint subnet 3 located in the 3st Availability Zone"
+ default = "10.0.34.0/24"
+}
+variable 
"gwlbe_subnet_4_cidr" {
+ type = string
+ description = "CIDR block for Gateway Loadbalancer endpoint subnet 4 located in the 4st Availability Zone"
+ default = "10.0.44.0/24"
+}
+// --- General Settings ---
+variable "key_name" {
+ type = string
+ description = "The EC2 Key Pair name to allow SSH access to the instances"
+}
+variable "enable_volume_encryption" {
+ type = bool
+ description = "Encrypt Environment instances volume with default AWS KMS key"
+ default = true
+}
+variable "volume_size" {
+ type = number
+ description = "Root volume size (GB) - minimum 100"
+ default = 100
+}
+resource "null_resource" "volume_size_too_small" {
+ // Will fail if var.volume_size is less than 100
+ count = var.volume_size >= 100 ? 0 : "variable volume_size must be at least 100"
+}
+variable "volume_type" {
+ type = string
+ description = "General Purpose SSD Volume Type"
+ default = "gp3"
+}
+variable "enable_instance_connect" {
+ type = bool
+ description = "Enable SSH connection over AWS web console"
+ default = false
+}
+variable "disable_instance_termination" {
+ type = bool
+ description = "Prevents an instance from accidental termination"
+ default = false
+}
+variable "metadata_imdsv2_required" {
+ type = bool
+ description = "Set true to deploy the instance with metadata v2 token required"
+ default = true
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point"
+ default = true
+}
+variable "management_server" {
+ type = string
+ description = "The name that represents the Security Management Server in the automatic provisioning configuration."
+ default = "gwlb-management-server"
+}
+variable "configuration_template" {
+ type = string
+ description = "A name of a gateway configuration template in the automatic provisioning configuration." 
+ default = "gwlb-ASG-configuration"
+ validation {
+ condition = length(var.configuration_template) < 31
+ error_message = "The configuration_template name can not exceed 30 characters"
+ }
+}
+variable "admin_shell" {
+ type = string
+ description = "Set the admin shell to enable advanced command line configuration"
+ default = "/etc/cli.sh"
+}
+
+// --- Gateway Load Balancer Configuration ---
+
+variable "gateway_load_balancer_name" {
+ type = string
+ description = "Gateway Load Balancer name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen."
+ default = "gwlb1"
+}
+resource "null_resource" "gateway_load_balancer_name_too_long" {
+ // Will fail if gateway_load_balancer_name more than 32
+ count = length(var.gateway_load_balancer_name) <= 32 ? 0 : "variable gateway_load_balancer_name must be at most 32"
+}
+variable "target_group_name" {
+ type = string
+ description = "Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen."
+ default = "tg1"
+}
+resource "null_resource" "target_group_name_too_long" {
+ // Will fail if target_group_name more than 32
+ count = length(var.target_group_name) <= 32 ? 0 : "variable target_group_name must be at most 32"
+}
+variable "enable_cross_zone_load_balancing" {
+ type = bool
+ description = "Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges."
+ default = true
+}
+
+// --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration ---
+
+variable "gateway_name" {
+ type = string
+ description = "The name tag of the Security Gateway instances. (optional)"
+ default = "Check-Point-Gateway-tf"
+}
+variable "gateway_instance_type" {
+ type = string
+ description = "The EC2 instance type for the Security Gateways." 
+ default = "c5.xlarge"
+}
+module "validate_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "gateway"
+ instance_type = var.gateway_instance_type
+}
+variable "minimum_group_size" {
+ type = number
+ description = "The minimal number of Security Gateways."
+ default = 2
+}
+variable "maximum_group_size" {
+ type = number
+ description = "The maximal number of Security Gateways."
+ default = 10
+}
+variable "gateway_version" {
+ type = string
+ description = "The version and license to install on the Security Gateways."
+ default = "R81.20-BYOL"
+}
+module "validate_gateway_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "gwlb_gw"
+ version_license = var.gateway_version
+}
+variable "gateway_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+}
+variable "gateway_maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash for the gateway instances, relevant only for R81.20 and higher versions"
+ type = string
+ default = ""
+}
+variable "gateway_SICKey" {
+ type = string
+ description = "The Secure Internal Communication key for trusted connection between Check Point components (at least 8 alphanumeric characters)"
+}
+
+variable "gateways_provision_address_type" {
+ type = string
+ description = "Determines if the gateways are provisioned using their private or public address"
+ default = "private"
+}
+
+variable "allocate_public_IP" {
+ type = bool
+ description = "Allocate an Elastic IP for security gateway."
+ default = false
+}
+
+resource "null_resource" "invalid_allocation" {
+ // Will fail if var.gateways_provision_address_type is public and var.allocate_public_IP is false
+ count = var.gateways_provision_address_type != "public" ? 0 : var.allocate_public_IP == true ? 
0 : "Gateway's selected to be provisioned by public IP, but [allocate_public_IP] parameter is false"
+}
+
+variable "enable_cloudwatch" {
+ type = bool
+ description = "Report Check Point specific CloudWatch metrics."
+ default = false
+}
+
+variable "gateway_bootstrap_script" {
+ type = string
+ description = "(Optional) An optional script with semicolon (;) separated commands to run on the initial boot"
+ default = ""
+}
+
+// --- Check Point CloudGuard IaaS Security Management Server Configuration ---
+
+variable "management_deploy" {
+ type = bool
+ description = "Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section"
+ default = true
+}
+variable "management_instance_type" {
+ type = string
+ description = "The EC2 instance type of the Security Management Server"
+ default = "m5.xlarge"
+}
+module "validate_management_instance_type" {
+ source = "../modules/common/instance_type"
+
+ chkp_type = "management"
+ instance_type = var.management_instance_type
+}
+variable "management_version" {
+ type = string
+ description = "The license to install on the Security Management Server"
+ default = "R81.20-BYOL"
+}
+module "validate_management_version" {
+ source = "../modules/common/version_license"
+
+ chkp_type = "management"
+ version_license = var.management_version
+}
+variable "management_password_hash" {
+ type = string
+ description = "(Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash)"
+ default = ""
+}
+variable "management_maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash for the management instance, relevant only for R81.20 and higher versions"
+ type = string
+ default = ""
+}
+variable "gateways_policy" {
+ type = string
+ description = "The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group"
+ default = "Standard"
+}
+variable 
"gateway_management" {
+ type = string
+ description = "Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address."
+ default = "Locally managed"
+}
+variable "admin_cidr" {
+ type = string
+ description = "Allow web, ssh, and graphical clients only from this network to communicate with the Security Management Server"
+}
+variable "gateways_addresses" {
+ type = string
+ description = "Allow gateways only from this network to communicate with the Security Management Server"
+}
+
diff --git a/terraform/aws/tgw-gwlb/versions.tf b/terraform/aws/tgw-gwlb/versions.tf
new file mode 100755
index 00000000..dbebf275
--- /dev/null
+++ b/terraform/aws/tgw-gwlb/versions.tf
@@ -0,0 +1,15 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.20.0"
+ }
+ http = {
+ version = "~> 3.4.0"
+ }
+ random = {
+ version = "~> 3.5.1"
+ }
+ }
+}
diff --git a/terraform/azure/README.md b/terraform/azure/README.md
new file mode 100755
index 00000000..c24588d9
--- /dev/null
+++ b/terraform/azure/README.md
@@ -0,0 +1,12 @@
+# Check Point Terraform deployment modules for Azure
+
+This project was developed to allow Terraform deployments for Check Point CloudGuard IaaS solutions on Azure.
+
+
+These modules use Terraform's [Azurerm provider](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs) in order to create and provision resources on Azure.
+
+
+ ## Prerequisites
+
+1. [Download Terraform](https://www.terraform.io/downloads.html) and follow the instructions according to your OS.
+2. Get started with Terraform Azurerm provider - refer to [Terraform Azurerm provider best practices](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs).
\ No newline at end of file
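Review bot: None of the secret-bearing inputs — `secret_key`, `gateway_password_hash`, `gateway_maintenance_mode_password_hash`, `gateway_SICKey`, `management_password_hash`, `management_maintenance_mode_password_hash` — is declared `sensitive = true`, so resource attributes derived from them can be shown in clear in plan and apply output; versions.tf in this same commit pins `required_version = ">= 0.14.3"`, where that attribute is available, so add `sensitive = true` to each of those blocks. `gateway_SICKey` documents "at least 8 alphanumeric characters" but enforces nothing; a `validation` block like the one on `configuration_template`, with `condition = can(regex("^[A-Za-z0-9]{8,}$", var.gateway_SICKey))`, would reject a malformed key at plan time rather than at provisioning. The `availability_zones_validation1` message names `num_of_AZs` while the variable is `number_of_AZs`, and the `2st`/`3st`/`4st` descriptions should read `2nd`/`3rd`/`4th`.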
diff --git a/terraform/azure/high-availability-existing-vnet/README.md b/terraform/azure/high-availability-existing-vnet/README.md new file mode 100755 index 00000000..c26e307a --- /dev/null +++ b/terraform/azure/high-availability-existing-vnet/README.md @@ -0,0 +1,239 @@ +# Check Point CloudGuard IaaS High Availability Terraform deployment for Azure + +This Terraform module deploys Check Point CloudGuard IaaS High Availability solution into an existing Vnet in Azure. +As part of the deployment the following resources are created: +- Resource group +- System assigned identity +- Availability Set - conditional creation + +For additional information, +please see the [CloudGuard Network for Azure High Availability Cluster Deployment Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_Azure_HA_Cluster/Default.htm) + +This solution uses the following modules: +- /terraform/azure/modules/common - used for creating a resource group and defining common variables. + + +## Configurations +- Install and configure Terraform to provision Azure resources: [Configure Terraform for Azure](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/terraform-install-configure) +- In order to use ssh connection to VMs, it is **required** to add a public key to the /terraform/azure/high-availability-existing-vnet/azure_public_key file. + +## Usage +- Choose the preferred login method to Azure in order to deploy the solution: +
1. Using Service Principal: + - Create a [Service Principal](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal) (or use the existing one) + - Grant the Service Principal at least "**Managed Application Contributor**", "**Storage Account Contributor**", "**Network Contributor**", "**Virtual Machine Contributor**", "**User Access Administrator**" permissions to the Azure subscription
+ - The Service Principal credentials can be stored either in the terraform.tfvars or as [Environment Variables](https://www.terraform.io/docs/providers/azuread/guides/service_principal_client_secret.html)
+ + In case the Environment Variables are used, perform modifications described below:
+ + a. The next lines in the main.tf file, in the provider azurerm resource, need to be deleted or commented: + + provider "azurerm" { + + // subscription_id = var.subscription_id + // client_id = var.client_id + // client_secret = var.client_secret + // tenant_id = var.tenant_id + + features {} + } + + b. In the terraform.tfvars file leave empty double quotes for client_secret, client_id , tenant_id and subscription_id variables: + + client_secret = "" + client_id = "" + tenant_id = "" + subscription_id = "" + +
2. Using **az** commands from a command-line: + - Run **az login** command + - Sign in with your account credentials in the browser + - [Accept Azure Marketplace image terms](https://docs.microsoft.com/en-us/cli/azure/vm/image/terms?view=azure-cli-latest) by running: +
**az vm image terms accept --urn publisher:offer:sku:version**, where: + - publisher = checkpoint; + - offer = vm_os_offer (see accepted values in the table below); + - sku = vm_os_sku (see accepted values in the table below); + - version = latest
+
Example:
+ az vm image terms accept --urn checkpoint:check-point-cg-r8040:sg-byol:latest + + - In the terraform.tfvars file leave empty double quotes for client_secret, client_id and tenant_id variables. + +- Fill all variables in the /terraform/azure/high-availability-existing-vnet/terraform.tfvars file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + + terraform init +- Create an execution plan: + + terraform plan +- Create or modify the deployment: + + terraform apply + +### terraform.tfvars variables: + | Name | Description | Type | Allowed values | Default | + | ------------- | ------------- |-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------| ------------- | + | **client_secret** | The client secret of the Service Principal used to deploy the solution | string | | n/a | + | | | | | | + | **client_id** | The client ID of the Service Principal used to deploy the solution | string | | n/a | + | | | | | | + | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | n/a | + | | | | | | + | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | | n/a | + | | | | | | + | **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images | string | | "noCustomUri" | + | | | | | | + | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | n/a | + | | | | | | + | **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | n/a | + | | | | | | + | **cluster_name** | The name of the Check Point Cluster Object | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long | n/a | + | | | | | | + | **vnet_name** | Virtual Network name | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | n/a | + | | | | | | + | **vnet_resource_group** | Resource Group of the existing virtual network | string | The exact name of the existing vnet's resource group | n/a | + | | | | | | + | **frontend_subnet_name** | Specifies the name of the external subnet | string 
| The exact name of the existing external subnet | n/a | + | | | | | | + | **backend_subnet_name** | Specifies the name of the internal subnet | string | The exact name of the existing internal subnet | n/a | + | | | | | | + | **frontend_IP_addresses** | A list of three whole numbers representing the private ip addresses of the members eth0 NICs and the cluster vip ip addresses. The numbers can be represented as binary integers with no more than the number of digits remaining in the address after the given frontend subnet prefix. The IP addresses are defined by their position in the frontend subnet | list(number) | | n/a + | | | | | | + | **backend_IP_addresses** | A list of three whole numbers representing the private ip addresses of the members eth1 NICs and the backend lb ip addresses. The numbers can be represented as binary integers with no more than the number of digits remaining in the address after the given backend subnet prefix. The IP addresses are defined by their position in the backend subnet | list(number) | | n/a + | | | | | | + | **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | n/a | + | | | | | | + | **smart_1_cloud_token_a** | Smart-1 Cloud token to connect automatically ***Member A*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a | | + | | | | | | + | **smart_1_cloud_token_b** | Smart-1 Cloud token to connect automatically ***Member B*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501)| string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a | | + | | | | | | + | **sic_key** | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | n/a | + | | | | | | + | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", 
"Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | n/a + | | | | | | + | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | n/a | + | | | | | | + | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license; | n/a | + | | | | | | + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r81.10";
"check-point-cg-r81.20"; | n/a | + | | | | | | + | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120"; | n/a | + | | | | | | + | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | n/a | + | | | | | | + | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | n/a | + | | | | | | + | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | n/a | + | | | | | | + | **availability_type** | Specifies whether to deploy the solution based on Azure Availability Set or based on Azure Availability Zone | string | "Availability Zone";
"Availability Set"; | "Availability Zone" | + | | | | | | + | **enable_custom_metrics** | Indicates whether CloudGuard Metrics will be use for Cluster members monitoring | boolean | true;
false; | true | + | | | | | | + | **enable_floating_ip** | Indicates whether the load balancers will be deployed with floating IP | boolean | true;
false; | false | + | | | | | | + | **use_public_ip_prefix** | Indicates whether the public IP resources will be deployed with public IP prefix | boolean | true;
false; | false | + | | | | | | + | **create_public_ip_prefix** | Indicates whether the public IP prefix will created or an existing will be used | boolean | true;
false; | false | + | | | | | | + | **existing_public_ip_prefix_id** | The existing public IP prefix resource id | string | Existing public IP prefix resource id | n/a | + | | | | | | + | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | n/a | + | | | | | | + | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here | string | | n/a + | | | | | | + | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | | n/a + | | | | | | + | **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false; | false + | | | | | | + | **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs | [] + +## Conditional creation +- To deploy the solution based on Azure Availability Set and create a new Availability Set for the virtual machines: +``` +availability_type = "Availability Set" +``` + Otherwise, to deploy the solution based on Azure Availability Zone: +``` +availability_type = "Availability Zone" +``` +- To enable CloudGuard metrics in order to send statuses and statistics collected from HA instances to the Azure Monitor service: + ``` + enable_custom_metrics = true + ``` +- To create new public IP prefix for the public IP: + ``` + use_public_ip_prefix = true + create_public_ip_prefix = true + ``` +- To use an existing public IP prefix for the public IP: + ``` + use_public_ip_prefix = true + create_public_ip_prefix = false + existing_public_ip_prefix_id = "public IP prefix resource id" + ``` + +## Example + client_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + client_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + tenant_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + subscription_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + source_image_vhd_uri = "noCustomUri" + resource_group_name = "checkpoint-ha-terraform" + cluster_name = "checkpoint-ha-terraform" + location = "eastus" + vnet_name = "checkpoint-ha-vnet" + vnet_resource_group = "existing-vnet" + frontend_subnet_name = "frontend" + backend_subnet_name = "backend" + frontend_IP_addresses = [5, 6, 7] + backend_IP_addresses = [5, 6, 7] + admin_password = "xxxxxxxxxxxx" + smart_1_cloud_token_a = "xxxxxxxxxxxx" + smart_1_cloud_token_b = "xxxxxxxxxxxx" + sic_key = "xxxxxxxxxxxx" + vm_size = "Standard_D3_v2" + disk_size = "110" + vm_os_sku = "sg-byol" + vm_os_offer = "check-point-cg-r8110" + os_version = "R8110" + bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" + allow_upload_download = 
true + authentication_type = "Password" + availability_type = "Availability Zone" + enable_custom_metrics = true + enable_floating_ip = false + use_public_ip_prefix = false + create_public_ip_prefix = false + existing_public_ip_prefix_id = "" + admin_shell = "/etc/cli.sh" + serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + add_storage_account_ip_rules = false + storage_account_additional_ips = [] + +## Revision History +In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +| ---------------- |----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 20240613 | - Updated Azure Terraform provider version
- Updated managed identity permissions
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Added validation for os_version & os_offer | +| | | | +| 20230910 | - R81.20 is the default version | +| | | | +| 20230212 | - Added Smart-1 Cloud support | +| | | | +| 20221124 | - Added R81.20 support
- Upgraded azurerm provider |
+| | | |
+| 20220111 | - Added support to select different shells. |
+| | | |
+| 20210309 | - Add "source_image_vhd_uri" variable for using a custom development image |
+| | | |
+| 20210111 | First release of Check Point CloudGuard IaaS High Availability Terraform deployment into an existing Vnet in Azure. |
+| | | |
+| | Addition of "templateType" parameter to "cloud-version" files. |
+| | | |
+
+## License
+
+See the [LICENSE](../../LICENSE) file for details
+
diff --git a/terraform/azure/high-availability-existing-vnet/azure_public_key b/terraform/azure/high-availability-existing-vnet/azure_public_key
new file mode 100755
index 00000000..e69de29b
diff --git a/terraform/azure/high-availability-existing-vnet/cloud-init.sh b/terraform/azure/high-availability-existing-vnet/cloud-init.sh
new file mode 100755
index 00000000..0609bfcf
--- /dev/null
+++ b/terraform/azure/high-availability-existing-vnet/cloud-init.sh
@@ -0,0 +1,22 @@
+#!/usr/bin/python3 /etc/cloud_config.py
+
+installationType="${installation_type}"
+allowUploadDownload="${allow_upload_download}"
+osVersion="${os_version}"
+templateName="${template_name}"
+templateVersion="${template_version}"
+templateType="${template_type}"
+isBlink="${is_blink}"
+bootstrapScript64="${bootstrap_script64}"
+location="${location}"
+sicKey="${sic_key}"
+tenantId="${tenant_id}"
+virtualNetwork="${virtual_network}"
+clusterName="${cluster_name}"
+externalPrivateAddresses="${external_private_addresses}"
+customMetrics="${enable_custom_metrics}"
+adminShell="${admin_shell}"
+smart1CloudToken="${smart_1_cloud_token}"
+Vips='[{"name": "cluster-vip", "privateIPAddress": "${external_private_addresses}", "publicIPAddress": "${cluster_name}"}]'
+passwordHash="${serial_console_password_hash}"
+MaintenanceModePassword="${maintenance_mode_password_hash}"
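Review bot: Every value is substituted verbatim inside a double-quoted literal (`sicKey="${sic_key}"`, `smart1CloudToken="${smart_1_cloud_token}"`, `passwordHash="${serial_console_password_hash}"`), so a value containing a double quote or a trailing backslash would break the file that `/etc/cloud_config.py` parses, and nothing here documents that constraint; unless the variable validations (outside this hunk) exclude those characters, escaping or `jsonencode()` at the rendering site is safer than raw interpolation. The file also has no header saying what renders and consumes it; a comment such as `# Terraform template: rendered with the ${...} values below and handed to /etc/cloud_config.py (see shebang); values are inserted unescaped` would make that explicit. `Vips` and `MaintenanceModePassword` break the camelCase used by every other assignment — presumably names the consumer expects, in which case a one-line comment saying so would stop a later cleanup from renaming them.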
diff --git a/terraform/azure/high-availability-existing-vnet/main.tf b/terraform/azure/high-availability-existing-vnet/main.tf
new file mode 100755
index 00000000..934102da
--- /dev/null
+++ b/terraform/azure/high-availability-existing-vnet/main.tf
@@ -0,0 +1,531 @@
+//********************** Providers **************************//
+provider "azurerm" {
+
+ subscription_id = var.subscription_id
+ client_id = var.client_id
+ client_secret = var.client_secret
+ tenant_id = var.tenant_id
+
+ features {}
+}
+
+//********************** Basic Configuration **************************//
+module "common" {
+ source = "../modules/common"
+ resource_group_name = var.resource_group_name
+ location = var.location
+ admin_password = var.admin_password
+ installation_type = var.installation_type
+ template_name = var.template_name
+ template_version = var.template_version
+ number_of_vm_instances = var.number_of_vm_instances
+ allow_upload_download = var.allow_upload_download
+ vm_size = var.vm_size
+ disk_size = var.disk_size
+ is_blink = var.is_blink
+ os_version = var.os_version
+ vm_os_sku = var.vm_os_sku
+ vm_os_offer = var.vm_os_offer
+ authentication_type = var.authentication_type
+ serial_console_password_hash = var.serial_console_password_hash
+ maintenance_mode_password_hash = var.maintenance_mode_password_hash
+ storage_account_additional_ips = var.storage_account_additional_ips
+}
+
+//********************** Networking **************************//
+resource "random_id" "random_id" {
+ byte_length = 13
+ keepers = {
+ rg_id = module.common.resource_group_id
+ }
+}
+
+resource "azurerm_public_ip_prefix" "public_ip_prefix" {
+ count = var.use_public_ip_prefix && var.create_public_ip_prefix ? 
1 : 0
+ name = "${module.common.resource_group_name}-ipprefix"
+ location = module.common.resource_group_location
+ resource_group_name = module.common.resource_group_name
+ prefix_length = 30
+}
+
+data "azurerm_subnet" "frontend" {
+ name = var.frontend_subnet_name
+ virtual_network_name = var.vnet_name
+ resource_group_name = var.vnet_resource_group
+}
+
+data "azurerm_subnet" "backend" {
+ name = var.backend_subnet_name
+ virtual_network_name = var.vnet_name
+ resource_group_name = var.vnet_resource_group
+}
+
+resource "azurerm_public_ip" "public-ip" {
+ count = 2
+ name = "${var.cluster_name}${count.index+1}_IP"
+ location = module.common.resource_group_location
+ resource_group_name = module.common.resource_group_name
+ allocation_method = var.vnet_allocation_method
+ sku = var.sku
+ domain_name_label = "${lower(var.cluster_name)}-${count.index+1}-${random_id.random_id.hex}"
+ public_ip_prefix_id = var.use_public_ip_prefix ? (var.create_public_ip_prefix ? azurerm_public_ip_prefix.public_ip_prefix[0].id : var.existing_public_ip_prefix_id) : null
+}
+
+resource "azurerm_public_ip" "cluster-vip" {
+ name = var.cluster_name
+ location = module.common.resource_group_location
+ resource_group_name = module.common.resource_group_name
+ allocation_method = var.vnet_allocation_method
+ sku = var.sku
+ domain_name_label = "${lower(var.cluster_name)}-vip-${random_id.random_id.hex}"
+ public_ip_prefix_id = var.use_public_ip_prefix ? (var.create_public_ip_prefix ? 
azurerm_public_ip_prefix.public_ip_prefix[0].id : var.existing_public_ip_prefix_id) : null +} + +resource "azurerm_network_interface" "nic_vip" { + depends_on = [ + azurerm_public_ip.cluster-vip, + azurerm_public_ip.public-ip] + name = "${var.cluster_name}1-eth0" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + enable_ip_forwarding = true + enable_accelerated_networking = true + + ip_configuration { + name = "ipconfig1" + primary = true + subnet_id = data.azurerm_subnet.frontend.id + private_ip_address_allocation = var.vnet_allocation_method + private_ip_address = cidrhost(data.azurerm_subnet.frontend.address_prefixes[0], var.frontend_IP_addresses[0]) + public_ip_address_id = azurerm_public_ip.public-ip.0.id + } + ip_configuration { + name = "cluster-vip" + subnet_id = data.azurerm_subnet.frontend.id + primary = false + private_ip_address_allocation = var.vnet_allocation_method + private_ip_address = cidrhost(data.azurerm_subnet.frontend.address_prefixes[0], var.frontend_IP_addresses[2]) + public_ip_address_id = azurerm_public_ip.cluster-vip.id + } + lifecycle { + ignore_changes = [ + # Ignore changes to ip_configuration when Re-applying, e.g. because a cluster failover and associating the cluster- vip with the other member. + # updates these based on some ruleset managed elsewhere. 
+ ip_configuration + ] + } +} + +resource "azurerm_network_interface_backend_address_pool_association" "nic_vip_lb_association" { + depends_on = [azurerm_network_interface.nic_vip, azurerm_lb_backend_address_pool.frontend-lb-pool] + network_interface_id = azurerm_network_interface.nic_vip.id + ip_configuration_name = "ipconfig1" + backend_address_pool_id = azurerm_lb_backend_address_pool.frontend-lb-pool.id +} + +resource "azurerm_network_interface" "nic" { + depends_on = [ + azurerm_public_ip.public-ip, + azurerm_lb.frontend-lb] + name = "${var.cluster_name}2-eth0" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + enable_ip_forwarding = true + enable_accelerated_networking = true + + ip_configuration { + name = "ipconfig1" + primary = true + subnet_id = data.azurerm_subnet.frontend.id + private_ip_address_allocation = var.vnet_allocation_method + private_ip_address = cidrhost(data.azurerm_subnet.frontend.address_prefixes[0], var.frontend_IP_addresses[1]) + public_ip_address_id = azurerm_public_ip.public-ip.1.id + } + lifecycle { + ignore_changes = [ + # Ignore changes to ip_configuration when Re-applying, e.g. because a cluster failover and associating the cluster- vip with the other member. + # updates these based on some ruleset managed elsewhere. 
+ ip_configuration + ] + } +} + +resource "azurerm_network_interface_backend_address_pool_association" "nic_lb_association" { + depends_on = [azurerm_network_interface.nic, azurerm_lb_backend_address_pool.frontend-lb-pool] + network_interface_id = azurerm_network_interface.nic.id + ip_configuration_name = "ipconfig1" + backend_address_pool_id = azurerm_lb_backend_address_pool.frontend-lb-pool.id +} + +resource "azurerm_network_interface" "nic1" { + depends_on = [ + azurerm_lb.backend-lb] + count = 2 + name = "${var.cluster_name}${count.index+1}-eth1" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + enable_ip_forwarding = true + enable_accelerated_networking = true + + ip_configuration { + name = "ipconfig2" + subnet_id = data.azurerm_subnet.backend.id + private_ip_address_allocation = var.vnet_allocation_method + private_ip_address = cidrhost(data.azurerm_subnet.backend.address_prefixes[0], var.backend_IP_addresses[count.index+1]) + } +} + +resource "azurerm_network_interface_backend_address_pool_association" "nic1_lb_association" { + depends_on = [azurerm_network_interface.nic1, azurerm_lb_backend_address_pool.backend-lb-pool] + count = 2 + network_interface_id = azurerm_network_interface.nic1[count.index].id + ip_configuration_name = "ipconfig2" + backend_address_pool_id = azurerm_lb_backend_address_pool.backend-lb-pool.id +} + +//********************** Load Balancers **************************// +resource "azurerm_public_ip" "public-ip-lb" { + name = "frontend_lb_ip" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + allocation_method = var.vnet_allocation_method + sku = var.sku + domain_name_label = "${lower(var.cluster_name)}-${random_id.random_id.hex}" + public_ip_prefix_id = var.use_public_ip_prefix ? (var.create_public_ip_prefix ? 
azurerm_public_ip_prefix.public_ip_prefix[0].id : var.existing_public_ip_prefix_id) : null +} + +resource "azurerm_lb" "frontend-lb" { + depends_on = [ + azurerm_public_ip.public-ip-lb] + name = "frontend-lb" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + sku = var.sku + + frontend_ip_configuration { + name = "LoadBalancerFrontend" + public_ip_address_id = azurerm_public_ip.public-ip-lb.id + } +} + +resource "azurerm_lb_backend_address_pool" "frontend-lb-pool" { + loadbalancer_id = azurerm_lb.frontend-lb.id + name = "frontend-lb-pool" +} + +resource "azurerm_lb" "backend-lb" { + name = "backend-lb" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + sku = var.sku + frontend_ip_configuration { + name = "backend-lb" + subnet_id = data.azurerm_subnet.backend.id + private_ip_address_allocation = var.vnet_allocation_method + private_ip_address = cidrhost(data.azurerm_subnet.backend.address_prefixes[0], var.backend_IP_addresses[0]) + } +} + +resource "azurerm_lb_backend_address_pool" "backend-lb-pool" { + name = "backend-lb-pool" + loadbalancer_id = azurerm_lb.backend-lb.id +} + +resource "azurerm_lb_probe" "azure_lb_healprob" { + count = 2 + loadbalancer_id = count.index == 0 ? 
azurerm_lb.frontend-lb.id : azurerm_lb.backend-lb.id + name = var.lb_probe_name + protocol = var.lb_probe_protocol + port = var.lb_probe_port + interval_in_seconds = var.lb_probe_interval + number_of_probes = var.lb_probe_unhealthy_threshold +} + +resource "azurerm_lb_rule" "backend_lb_rules" { + loadbalancer_id = azurerm_lb.backend-lb.id + name = "backend-lb" + protocol = "All" + frontend_port = 0 + backend_port = 0 + frontend_ip_configuration_name = "backend-lb" + load_distribution = "Default" + backend_address_pool_ids = [azurerm_lb_backend_address_pool.backend-lb-pool.id] + probe_id = azurerm_lb_probe.azure_lb_healprob[1].id + enable_floating_ip = var.enable_floating_ip +} + +//********************** Availability Set **************************// +locals { + availability_set_condition = var.availability_type == "Availability Set" ? true : false + SSH_authentication_type_condition = var.authentication_type == "SSH Public Key" ? true : false +} +resource "azurerm_availability_set" "availability-set" { + count = local.availability_set_condition ? 
1 : 0 + name = "${var.cluster_name}-AvailabilitySet" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + platform_fault_domain_count = 2 + platform_update_domain_count = 5 + managed = true +} + +//********************** Storage accounts **************************// +// Generate random text for a unique storage account name +resource "random_id" "randomId" { + keepers = { + # Generate a new ID only when a new resource group is defined + resource_group = module.common.resource_group_name + } + byte_length = 8 +} +resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { + name = "bootdiag${random_id.randomId.hex}" + resource_group_name = module.common.resource_group_name + location = module.common.resource_group_location + account_tier = module.common.storage_account_tier + account_replication_type = module.common.account_replication_type + network_rules { + default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow" + ip_rules = module.common.storage_account_ip_rules + } + blob_properties { + delete_retention_policy { + days = "15" + } + } +} + +//********************** Virtual Machines **************************// +locals { + custom_image_condition = var.source_image_vhd_uri == "noCustomUri" ? false : true +} + +resource "azurerm_image" "custom-image" { + count = local.custom_image_condition ? 1 : 0 + name = "custom-image" + location = var.location + resource_group_name = module.common.resource_group_name + + os_disk { + os_type = "Linux" + os_state = "Generalized" + blob_uri = var.source_image_vhd_uri + } +} +resource "azurerm_virtual_machine" "vm-instance-availability-set" { + depends_on = [ + azurerm_network_interface.nic, + azurerm_network_interface.nic1, + azurerm_network_interface.nic_vip] + count = local.availability_set_condition ? 
module.common.number_of_vm_instances : 0 + name = "${var.cluster_name}${count.index+1}" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + availability_set_id = local.availability_set_condition ? azurerm_availability_set.availability-set[0].id : "" + vm_size = module.common.vm_size + network_interface_ids = count.index == 0 ? [ + azurerm_network_interface.nic_vip.id, + azurerm_network_interface.nic1.0.id] : [ + azurerm_network_interface.nic.id, + azurerm_network_interface.nic1.1.id] + delete_os_disk_on_termination = module.common.delete_os_disk_on_termination + primary_network_interface_id = count.index == 0 ? azurerm_network_interface.nic_vip.id : azurerm_network_interface.nic.id + identity { + type = module.common.vm_instance_identity + } + storage_image_reference { + id = local.custom_image_condition ? azurerm_image.custom-image[0].id : null + publisher = local.custom_image_condition ? null : module.common.publisher + offer = module.common.vm_os_offer + sku = module.common.vm_os_sku + version = module.common.vm_os_version + } + + storage_os_disk { + name = "${var.cluster_name}-${count.index+1}" + create_option = module.common.storage_os_disk_create_option + caching = module.common.storage_os_disk_caching + managed_disk_type = module.common.storage_account_type + disk_size_gb = module.common.disk_size + } + + dynamic "plan" { + for_each = local.custom_image_condition ? 
[ + ] : [1] + content { + name = module.common.vm_os_sku + publisher = module.common.publisher + product = module.common.vm_os_offer + } + } + + os_profile { + computer_name = "${lower(var.cluster_name)}${count.index+1}" + admin_username = module.common.admin_username + admin_password = module.common.admin_password + custom_data = templatefile("${path.module}/cloud-init.sh", { + installation_type = module.common.installation_type + allow_upload_download = module.common.allow_upload_download + os_version = module.common.os_version + template_name = module.common.template_name + template_version = module.common.template_version + template_type = "terraform" + is_blink = module.common.is_blink + bootstrap_script64 = base64encode(var.bootstrap_script) + location = module.common.resource_group_location + sic_key = var.sic_key + tenant_id = var.tenant_id + virtual_network = var.vnet_name + cluster_name = var.cluster_name + external_private_addresses = azurerm_network_interface.nic_vip.ip_configuration[1].private_ip_address + enable_custom_metrics = var.enable_custom_metrics ? "yes" : "no" + admin_shell = var.admin_shell + smart_1_cloud_token = count.index == 0 ? var.smart_1_cloud_token_a : var.smart_1_cloud_token_b + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash + }) + } + + os_profile_linux_config { + disable_password_authentication = local.SSH_authentication_type_condition + + dynamic "ssh_keys" { + for_each = local.SSH_authentication_type_condition ? [ + 1] : [] + content { + path = "/home/notused/.ssh/authorized_keys" + key_data = file("${path.module}/azure_public_key") + } + } + } + + boot_diagnostics { + enabled = module.common.boot_diagnostics + storage_uri = module.common.boot_diagnostics ? 
join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : "" + } +} + +resource "azurerm_virtual_machine" "vm-instance-availability-zone" { + depends_on = [ + azurerm_network_interface.nic, + azurerm_network_interface.nic1, + azurerm_network_interface.nic_vip] + count = local.availability_set_condition ? 0 : module.common.number_of_vm_instances + name = "${var.cluster_name}${count.index+1}" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + zones = [ + count.index+1] + vm_size = module.common.vm_size + network_interface_ids = count.index == 0 ? [ + azurerm_network_interface.nic_vip.id, + azurerm_network_interface.nic1.0.id] : [ + azurerm_network_interface.nic.id, + azurerm_network_interface.nic1.1.id] + delete_os_disk_on_termination = module.common.delete_os_disk_on_termination + primary_network_interface_id = count.index == 0 ? azurerm_network_interface.nic_vip.id : azurerm_network_interface.nic.id + identity { + type = module.common.vm_instance_identity + } + storage_image_reference { + id = local.custom_image_condition ? azurerm_image.custom-image[0].id : null + publisher = local.custom_image_condition ? null : module.common.publisher + offer = module.common.vm_os_offer + sku = module.common.vm_os_sku + version = module.common.vm_os_version + } + + storage_os_disk { + name = "${var.cluster_name}-${count.index+1}" + create_option = module.common.storage_os_disk_create_option + caching = module.common.storage_os_disk_caching + managed_disk_type = module.common.storage_account_type + disk_size_gb = module.common.disk_size + } + + dynamic "plan" { + for_each = local.custom_image_condition ? 
[ + ] : [1] + content { + name = module.common.vm_os_sku + publisher = module.common.publisher + product = module.common.vm_os_offer + } + } + + os_profile { + computer_name = "${lower(var.cluster_name)}${count.index+1}" + admin_username = module.common.admin_username + admin_password = module.common.admin_password + custom_data = templatefile("${path.module}/cloud-init.sh", { + installation_type = module.common.installation_type + allow_upload_download = module.common.allow_upload_download + os_version = module.common.os_version + template_name = module.common.template_name + template_version = module.common.template_version + template_type = "terraform" + is_blink = module.common.is_blink + bootstrap_script64 = base64encode(var.bootstrap_script) + location = module.common.resource_group_location + sic_key = var.sic_key + tenant_id = var.tenant_id + virtual_network = var.vnet_name + cluster_name = var.cluster_name + external_private_addresses = azurerm_network_interface.nic_vip.ip_configuration[1].private_ip_address + enable_custom_metrics = var.enable_custom_metrics ? "yes" : "no" + admin_shell = var.admin_shell + smart_1_cloud_token = count.index == 0 ? var.smart_1_cloud_token_a : var.smart_1_cloud_token_b + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash + }) + } + + os_profile_linux_config { + disable_password_authentication = local.SSH_authentication_type_condition + + dynamic "ssh_keys" { + for_each = local.SSH_authentication_type_condition ? [ + 1] : [] + content { + path = "/home/notused/.ssh/authorized_keys" + key_data = file("${path.module}/azure_public_key") + } + } + } + + boot_diagnostics { + enabled = module.common.boot_diagnostics + storage_uri = module.common.boot_diagnostics ? 
join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : "" + } +} +//********************** Role Assigments **************************// +data "azurerm_role_definition" "virtual_machine_contributor_role_definition" { + name = "Virtual Machine Contributor" +} +data "azurerm_role_definition" "reader_role_definition" { + name = "Reader" +} +data "azurerm_client_config" "client_config" { +} +resource "azurerm_role_assignment" "cluster_virtual_machine_contributor_assignment" { + count = 2 + lifecycle { + ignore_changes = [ + role_definition_id, principal_id + ] + } + scope = module.common.resource_group_id + role_definition_id = data.azurerm_role_definition.virtual_machine_contributor_role_definition.id + principal_id = local.availability_set_condition ? lookup(azurerm_virtual_machine.vm-instance-availability-set[count.index].identity[0], "principal_id") : lookup(azurerm_virtual_machine.vm-instance-availability-zone[count.index].identity[0], "principal_id") +} +resource "azurerm_role_assignment" "cluster_reader_assigment" { + count = 2 + lifecycle { + ignore_changes = [ + role_definition_id, principal_id + ] + } + scope = module.common.resource_group_id + role_definition_id = data.azurerm_role_definition.reader_role_definition.id + principal_id = local.availability_set_condition ? lookup(azurerm_virtual_machine.vm-instance-availability-set[count.index].identity[0], "principal_id") : lookup(azurerm_virtual_machine.vm-instance-availability-zone[count.index].identity[0], "principal_id") +} \ No newline at end of file diff --git a/terraform/azure/high-availability-existing-vnet/terraform.tfvars b/terraform/azure/high-availability-existing-vnet/terraform.tfvars new file mode 100755 index 00000000..e235eaa9 --- /dev/null +++ b/terraform/azure/high-availability-existing-vnet/terraform.tfvars 
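Review bot: The two `azurerm_role_assignment` resources at the end of the hunk grant each cluster member's system-assigned identity the built-in Virtual Machine Contributor role over the entire resource group; that role carries `Microsoft.Compute/virtualMachines/*`, so a compromised gateway could run commands on, redeploy or delete every VM in the group, far more than the NIC and public-IP re-association a cluster failover needs. Their `lifecycle { ignore_changes = [role_definition_id, principal_id] }` also means that if a member VM is replaced and receives a new identity, the assignment stays bound to the old principal and the rebuilt member fails over without permissions, with no plan diff to warn anyone. I would point the assignments at a custom `azurerm_role_definition` holding only the actions the failover logic actually uses (I cannot see that logic, so the exact action list needs confirming) and drop `principal_id` from `ignore_changes`. Separately, the boot-diagnostics storage account is created with `default_action = "Allow"` unless `add_storage_account_ip_rules` is set, leaving the serial-console/boot-log account network-reachable from anywhere (authentication still applies); `Deny` would be the safer default.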
@@ -0,0 +1,38 @@
+#PLEASE refer to the README.md for accepted values FOR THE VARIABLES BELOW
+client_secret = "PLEASE ENTER CLIENT SECRET" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+client_id = "PLEASE ENTER CLIENT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+tenant_id = "PLEASE ENTER TENANT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+subscription_id = "PLEASE ENTER SUBSCRIPTION ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+source_image_vhd_uri = "PLEASE ENTER SOURCE IMAGE VHD URI OR noCustomUri" # "noCustomUri"
+resource_group_name = "PLEASE ENTER RESOURCE GROUP NAME" # "checkpoint-ha-terraform"
+cluster_name = "PLEASE ENTER CLUSTER NAME" # "checkpoint-ha-terraform"
+location = "PLEASE ENTER LOCATION" # "eastus"
+vnet_name = "PLEASE ENTER VIRTUAL NETWORK NAME" # "checkpoint-ha-vnet"
+vnet_resource_group = "PLEASE ENTER VIRTUAL NETWORK'S RESOURCE GROUP NAME" # "existing-vnet"
+frontend_subnet_name = "PLEASE ENTER EXTERNAL SUBNET NAME" # "frontend"
+backend_subnet_name = "PLEASE ENTER INTERNAL SUBNET NAME" # "backend"
+frontend_IP_addresses = "PLEASE ENTER 3 FRONTEND IP ADDRESS POSITIONAL NUMBER" # [5, 6, 7]
+backend_IP_addresses = "PLEASE ENTER 3 BACKEND IP ADDRESSES POSITIONAL NUMBERS" # [5, 6, 7]
+admin_password = "PLEASE ENTER ADMIN PASSWORD" # "xxxxxxxxxxxx"
+smart_1_cloud_token_a = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL" # ""
+smart_1_cloud_token_b = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL" # ""
+sic_key = "PLEASE ENTER SIC KEY" # "xxxxxxxxxxxx"
+vm_size = "PLEASE ENTER VM SIZE" # "Standard_D3_v2"
+disk_size = "PLEASE ENTER DISK SIZE" # "110"
+vm_os_sku = "PLEASE ENTER VM SKU" # "sg-byol"
+vm_os_offer = "PLEASE ENTER VM OFFER" # "check-point-cg-r8110"
+os_version = "PLEASE ENTER GAIA OS VERSION" # "R8110"
+bootstrap_script = "PLEASE ENTER CUSTOM SCRIPT OR LEAVE EMPTY DOUBLE QUOTES" # "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
+allow_upload_download = "PLEASE ENTER true or false" # true
+authentication_type = "PLEASE ENTER AUTHENTICATION TYPE" # "Password"
+availability_type = "PLEASE ENTER AVAILABILITY TYPE" # "Availability Zone"
+enable_custom_metrics = "PLEASE ENTER true or false" # true
+enable_floating_ip = "PLEASE ENTER true or false" # false
+use_public_ip_prefix = "PLEASE ENTER true or false" # false
+create_public_ip_prefix = "PLEASE ENTER true or false" # false
+existing_public_ip_prefix_id = "PLEASE ENTER IP PREFIX RESOURCE ID" # ""
+admin_shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh"
+serial_console_password_hash = "PLEASE ENTER SERIAL CONSOLE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+add_storage_account_ip_rules = "PLEASE ENTER true or false" # false
+storage_account_additional_ips = "PLEASE ENTER A LIST OF VALID IPS/CIDRS" # []
\ No newline at end of file
diff --git a/terraform/azure/high-availability-existing-vnet/variables.tf b/terraform/azure/high-availability-existing-vnet/variables.tf
new file mode 100755
index 00000000..c11fa238
--- /dev/null
+++ b/terraform/azure/high-availability-existing-vnet/variables.tf
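Review bot: This committed `terraform.tfvars` holds fill-in placeholders for `client_secret`, `admin_password`, `sic_key`, both Smart-1 Cloud tokens and the two password hashes, and its header comment tells users to replace them in place, which all but guarantees real credentials end up in git history next to the template. I would ship this file as `terraform.tfvars.example`, add a comment such as `# Do not commit secrets: set ARM_CLIENT_SECRET / ARM_CLIENT_ID / ARM_TENANT_ID / ARM_SUBSCRIPTION_ID (or TF_VAR_*) in the environment instead`, and drop the explicit credential arguments from the `provider "azurerm"` block in main.tf so the environment variables actually take effect. The `.gitignore` added by this commit is outside this hunk, so I cannot tell whether it already excludes `*.tfvars`. Note also that `bootstrap_script`, per its description in variables.tf, executes on the members at first boot, so anyone who can edit this file can run arbitrary code on the cluster.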
@@ -0,0 +1,339 @@ +//********************** Basic Configuration Variables **************************// +variable "cluster_name" { + description = "Cluster name" + type = string +} + +variable "resource_group_name" { + description = "Azure Resource Group name to build into" + type = string +} + +variable "location" { + description = "The location/region where resources will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions" + type = string +} + +//********************** Virtual Machine Instances Variables **************************// +variable "availability_type" { + description = "Specifies whether to deploy the solution based on Azure Availability Set or based on Azure Availability Zone." + type = string + default = "Availability Zone" +} + +locals { // locals for 'availability_type' allowed values + availability_type_allowed_values = [ + "Availability Zone", + "Availability Set" + ] + // will fail if [var.availability_type] is invalid: + validate_availability_type_value = index(local.availability_type_allowed_values, var.availability_type) +} + +variable "source_image_vhd_uri" { + type = string + description = "The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images." + default = "noCustomUri" +} + +variable "admin_username" { + description = "Administrator username of deployed VM. Due to Azure limitations 'notused' name can be used" + default = "notused" +} + +variable "admin_password" { + description = "Administrator password of deployed Virtual Machine. 
The password must meet the complexity requirements of Azure" + type = string +} + +variable "serial_console_password_hash" { + description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type" + type = string +} + +variable "maintenance_mode_password_hash" { + description = "Maintenance mode password hash, relevant only for R81.20 and higher versions" + type = string +} + +variable "smart_1_cloud_token_a" { + description = "Smart-1 Cloud Token, for configuring member A" + type = string +} + +variable "smart_1_cloud_token_b" { + description = "Smart-1 Cloud Token, for configuring member B" + type = string +} + +variable "sic_key" { + description = "Secure Internal Communication(SIC) key" + type = string +} +resource "null_resource" "sic_key_invalid" { + count = length(var.sic_key) >= 12 ? 0 : "SIC key must be at least 12 characters long" +} + +variable "template_name" { + description = "Template name. Should be defined according to deployment type(ha, vmss)" + type = string + default = "ha_terraform" +} + +variable "template_version" { + description = "Template version. It is recommended to always use the latest template version" + type = string + default = "20230910" +} + +variable "installation_type" { + description = "Installation type" + type = string + default = "cluster" +} + +variable "number_of_vm_instances" { + description = "Number of VM instances to deploy " + type = string + default = "2" +} + +variable "vm_size" { + description = "Specifies size of Virtual Machine" + type = string +} + +variable "disk_size" { + description = "Storage data disk size size(GB). 
Select a number between 100 and 3995" + type = string +} + +variable "os_version" { + description = "GAIA OS version" + type = string +} + +locals { // locals for 'vm_os_offer' allowed values + os_version_allowed_values = [ + "R8040", + "R81", + "R8110", + "R8120" + ] + // will fail if [var.os_version] is invalid: + validate_os_version_value = index(local.os_version_allowed_values, var.os_version) +} + +variable "vm_os_sku" { + description = "The sku of the image to be deployed." + type = string +} + +variable "vm_os_offer" { + description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8040, check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" + type = string +} + +locals { // locals for 'vm_os_offer' allowed values + vm_os_offer_allowed_values = [ + "check-point-cg-r8040", + "check-point-cg-r81", + "check-point-cg-r8110", + "check-point-cg-r8120" + ] + // will fail if [var.vm_os_offer] is invalid: + validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer) +} + +variable "authentication_type" { + description = "Specifies whether a password authentication or SSH Public Key authentication should be used" + type = string +} +locals { // locals for 'authentication_type' allowed values + authentication_type_allowed_values = [ + "Password", + "SSH Public Key" + ] + // will fail if [var.authentication_type] is invalid: + validate_authentication_type_value = index(local.authentication_type_allowed_values, var.authentication_type) +} + +variable "allow_upload_download" { + description = "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point" + type = bool +} + +variable "is_blink" { + description = "Define if blink image is used for deployment" + default = true +} + +variable "admin_shell" { + description = "The admin shell to configure on machine or the first time" + type = string + default = "/etc/cli.sh" +} + +locals { + admin_shell_allowed_values = [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh" + ] + // Will fail if [var.admin_shell] is invalid + validate_admin_shell_value = index(local.admin_shell_allowed_values, var.admin_shell) +} + +//********************** Networking Variables **************************// +variable "vnet_name" { + description = "Virtual Network name" + type = string +} + +variable "vnet_resource_group" { + description = "Resource group of existing vnet" + type = string +} + +variable "frontend_subnet_name" { + description = "Frontend subnet name" + type = string +} + +variable "backend_subnet_name" { + description = "Backend subnet name" + type = string +} + +variable "frontend_IP_addresses" { + description = "A list of three whole numbers representing the private ip addresses of the members eth0 NICs and the cluster vip ip addresses. The numbers can be represented as binary integers with no more than the number of digits remaining in the address after the given frontend subnet prefix. The IP addresses are defined by their position in the frontend subnet." + type = list(number) +} + +variable "backend_IP_addresses" { + description = "A list of three whole numbers representing the private ip addresses of the members eth1 NICs and the backend lb ip addresses. The numbers can be represented as binary integers with no more than the number of digits remaining in the address after the given backend subnet prefix. The IP addresses are defined by their position in the backend subnet." 
+ type = list(number) +} + +variable "vnet_allocation_method" { + description = "IP address allocation method" + type = string + default = "Static" +} + +variable "lb_probe_name" { + description = "Name to be used for lb health probe" + default = "health_prob_port" +} + +variable "lb_probe_port" { + description = "Port to be used for load balancer health probes and rules" + default = "8117" +} + +variable "lb_probe_protocol" { + description = "Protocols to be used for load balancer health probes and rules" + default = "Tcp" +} + +variable "lb_probe_unhealthy_threshold" { + description = "Number of times load balancer health probe has an unsuccessful attempt before considering the endpoint unhealthy." + default = 2 +} + +variable "lb_probe_interval" { + description = "Interval in seconds load balancer health probe rule performs a check" + default = 5 +} + +variable "bootstrap_script" { + description = "An optional script to run on the initial boot" + #example: + #"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" +} + +variable "add_storage_account_ip_rules" { + type = bool + default = false + description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location" +} + +variable "storage_account_additional_ips" { + type = list(string) + description = "IPs/CIDRs that are allowed access to the Storage Account" + default = [] +} +//********************** Credentials **************************// +variable "tenant_id" { + description = "Tenant ID" + type = string +} + +variable "subscription_id" { + description = "Subscription ID" + type = string +} + +variable "client_id" { + description = "Application ID(Client ID)" + type = string +} + +variable "client_secret" { + description = "A secret string that the application uses to prove its identity when requesting a token. Also can be referred to as application password." 
+ type = string +} + +variable "sku" { + description = "SKU" + type = string + default = "Standard" +} + +variable "enable_custom_metrics" { + description = "Indicates whether CloudGuard Metrics will be use for Cluster members monitoring." + type = bool + default = true +} + +variable "enable_floating_ip" { + description = "Indicates whether the load balancers will be deployed with floating IP." + type = bool + default = false +} + +variable "use_public_ip_prefix" { + description = "Indicates whether the public IP resources will be deployed with public IP prefix." + type = bool + default = false +} + +variable "create_public_ip_prefix" { + description = "Indicates whether the public IP prefix will created or an existing will be used." + type = bool + default = false +} + +variable "existing_public_ip_prefix_id" { + description = "The existing public IP prefix resource id." + type = string + default = "" +} + +locals{ + # Validate both s1c tokens are used or both empty + is_both_tokens_used = length(var.smart_1_cloud_token_a) > 0 == length(var.smart_1_cloud_token_b) > 0 + validation_message_both = "To connect to Smart-1 Cloud, you must provide two tokens (one per member)" + _ = regex("^$", (local.is_both_tokens_used ? "" : local.validation_message_both)) + + is_tokens_used = length(var.smart_1_cloud_token_a) > 0 + # Validate both s1c tokens are unqiue + token_parts_a = split(" ",var.smart_1_cloud_token_a) + token_parts_b = split(" ",var.smart_1_cloud_token_b) + acutal_token_a = local.token_parts_a[length(local.token_parts_a) - 1] + acutal_token_b = local.token_parts_b[length(local.token_parts_b) - 1] + is_both_tokens_the_same = local.acutal_token_a == local.acutal_token_b + validation_message_unique = "Same Smart-1 Cloud token used for both memeber, you must provide unique token for each member" + __ = local.is_tokens_used ? regex("^$", (local.is_both_tokens_the_same ? local.validation_message_unique : "")) : "" +} \ No newline at end of file 
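Review bot: None of the secret inputs declared in this file — `client_secret`, `admin_password`, `sic_key`, `smart_1_cloud_token_a`/`_b`, `serial_console_password_hash`, `maintenance_mode_password_hash` — is marked `sensitive = true`, so their values can surface in `terraform plan`/`apply` diffs and CI logs (for instance whenever a VM's `custom_data` changes); versions.tf pins `required_version = ">= 0.14.3"`, which supports the attribute, so add `sensitive = true` to each of those variable blocks. Input checking is done through `index()` lookups in `locals`, a `null_resource` whose `count` is a string, and `regex("^$", …)` tricks, all of which fail with opaque type errors rather than the intended message; native `validation { condition = … error_message = "…" }` blocks have been available since 0.13 and would replace every one of them. The only check on `sic_key` is the 12-character minimum, and nothing rejects a `"` or newline in it, in `cluster_name` or in the tokens, even though main.tf pastes all of them unescaped into cloud-init.sh.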
diff --git a/terraform/azure/high-availability-existing-vnet/versions.tf b/terraform/azure/high-availability-existing-vnet/versions.tf
new file mode 100755
index 00000000..0d5ca4f3
--- /dev/null
+++ b/terraform/azure/high-availability-existing-vnet/versions.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~> 3.81.0"
+ }
+ random = {
+ version = "~> 3.5.1"
+ }
+ }
+}
\ No newline at end of file
diff --git a/terraform/azure/high-availability-new-vnet/README.md b/terraform/azure/high-availability-new-vnet/README.md
new file mode 100755
index 00000000..51153c0a
--- /dev/null
+++ b/terraform/azure/high-availability-new-vnet/README.md
@@ -0,0 +1,242 @@ +# Check Point CloudGuard IaaS High Availability Terraform deployment for Azure + +This Terraform module deploys Check Point CloudGuard IaaS High Availability solution into a new Vnet in Azure. +As part of the deployment the following resources are created: +- Resource group +- Virtual network +- Network security group +- System assigned identity +- Availability Set - conditional creation + +For additional information, +please see the [CloudGuard Network for Azure High Availability Cluster Deployment Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_Azure_HA_Cluster/Default.htm) + +This solution uses the following modules: +- /terraform/azure/modules/common - used for creating a resource group and defining common variables. +- /terraform/azure/modules/vnet - used for creating new virtual network and subnets. +- /terraform/azure/modules/network-security-group - used for creating new network security groups and rules. + + +## Configurations +- Install and configure Terraform to provision Azure resources: [Configure Terraform for Azure](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/terraform-install-configure) +- In order to use ssh connection to VMs, it is **required** to add a public key to the /terraform/azure/high-availability-new-vnet/azure_public_key file. + +## Usage +- Choose the preferred login method to Azure in order to deploy the solution: +
1. Using Service Principal: + - Create a [Service Principal](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal) (or use the existing one) + - Grant the Service Principal at least "**Managed Application Contributor**", "**Storage Account Contributor**", "**Network Contributor**", "**Virtual Machine Contributor**", "**User Access Administrator**" permissions to the Azure subscription
+ - The Service Principal credentials can be stored either in the terraform.tfvars or as [Environment Variables](https://www.terraform.io/docs/providers/azuread/guides/service_principal_client_secret.html)
+ + In case the Environment Variables are used, perform modifications described below:
+ + a. The next lines in the main.tf file, in the provider azurerm resource, need to be deleted or commented: + + provider "azurerm" { + + // subscription_id = var.subscription_id + // client_id = var.client_id + // client_secret = var.client_secret + // tenant_id = var.tenant_id + + features {} + } + + b. In the terraform.tfvars file leave empty double quotes for client_secret, client_id , tenant_id and subscription_id variables: + + client_secret = "" + client_id = "" + tenant_id = "" + subscription_id = "" + +
2. Using **az** commands from a command-line: + - Run **az login** command + - Sign in with your account credentials in the browser + - [Accept Azure Marketplace image terms](https://docs.microsoft.com/en-us/cli/azure/vm/image/terms?view=azure-cli-latest) by running: +
**az vm image terms accept --urn publisher:offer:sku:version**, where: + - publisher = checkpoint; + - offer = vm_os_offer (see accepted values in the table below); + - sku = vm_os_sku (see accepted values in the table below); + - version = latest
+
Example:
+ az vm image terms accept --urn checkpoint:check-point-cg-r8040:sg-byol:latest + + - In the terraform.tfvars file leave empty double quotes for client_secret, client_id and tenant_id variables. + +- Fill all variables in the /terraform/azure/high-availability-new-vnet/terraform.tfvars file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + + terraform init +- Create an execution plan: + + terraform plan +- Create or modify the deployment: + + terraform apply + +### terraform.tfvars variables: + | Name | Description | Type | Allowed values | Default | + | ------------- | ------------- |----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------|---------| ------------- | + | **client_secret** | The client secret of the Service Principal used to deploy the solution | string | | n/a | + | | | | | | + | **client_id** | The client ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | | n/a + | | | | | | + | **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images | string | | "noCustomUri" + | | | | | | + | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | n/a | + | | | | | | + | **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | n/a | + | | | | | | + | **cluster_name** | The name of the Check Point Cluster Object | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long | n/a | + | | | | | | + | **vnet_name** | The name of virtual network that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | n/a | + | | | | | | + | **address_space** | The address prefixes of the virtual network | string | Valid CIDR block | "10.0.0.0/16" | + | | | | | | + | **subnet_prefixes** | The address prefixes to be used for created subnets | string | The subnets need to 
contain within the address space for this virtual network(defined by address_space variable) | ["10.0.0.0/24", "10.0.1.0/24"] | + | | | | | | + | **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | n/a | + | | | | | | + | **smart_1_cloud_token_a** | Smart-1 Cloud token to connect automatically ***Member A*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a | | + | | | | | | + | **smart_1_cloud_token_b** | Smart-1 Cloud token to connect automatically ***Member B*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a | | + | | | | | | + | **sic_key** | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | n/a | + | | | | | | + | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", 
"Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | n/a + | | | | | | + | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | n/a | + | | | | | | + | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license;| n/a | + | | | | | | + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a | + | | | | | | + | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120"; | n/a | + | | | | | | + | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | n/a | + | | | | | | + | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | n/a | + | | | | | | + | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | n/a | + | | | | | | + | **availability_type** | Specifies whether to deploy the solution based on Azure Availability Set or based on Azure Availability Zone | string | "Availability Zone";
"Availability Set"; | "Availability Zone" | + | | | | | | + | **enable_custom_metrics** | Indicates whether CloudGuard Metrics will be use for Cluster members monitoring | boolean | true;
false; | true | + | | | | | | + | **enable_floating_ip** | Indicates whether the load balancers will be deployed with floating IP | boolean | true;
false; | false | + | | | | | | + | **use_public_ip_prefix** | Indicates whether the public IP resources will be deployed with public IP prefix | boolean | true;
false; | false| + | | | | | | + | **create_public_ip_prefix** | Indicates whether the public IP prefix will created or an existing will be used | boolean | true;
false; | false | + | | | | | | + | **existing_public_ip_prefix_id** | The existing public IP prefix resource id | string | Existing public IP prefix resource id | ""| + | | | | | | + | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | "/etc/cli.sh" | + | | | | | | + | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here | string | | n/a + | | | | | | + | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | | n/a + | | | | | | + | **nsg_id** | Optional ID for a Network Security Group that already exists in Azure, if not provided, will create a default NSG | string | Existing NSG resource ID | "" | + | | | | | | + | **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false; | false + | | | | | | + | **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs | [] + + +## Conditional creation +- To deploy the solution based on Azure Availability Set and create a new Availability Set for the virtual machines: +``` +availability_type = "Availability Set" +``` + Otherwise, to deploy the solution based on Azure Availability Zone: +``` +availability_type = "Availability Zone" +``` +- To enable CloudGuard metrics in order to send statuses and statistics collected from HA instances to the Azure Monitor service: + ``` + enable_custom_metrics = true + ``` +- To create new public IP prefix for the public IP: + ``` + use_public_ip_prefix = true + create_public_ip_prefix = true + ``` +- To use an exisiting public IP prefix for the public IP: + ``` + use_public_ip_prefix = true + create_public_ip_prefix = false + existing_public_ip_prefix_id = "public IP prefix resource id" + ``` + +## Example + client_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + client_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + tenant_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + subscription_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + source_image_vhd_uri = "noCustomUri" + resource_group_name = "checkpoint-ha-terraform" + cluster_name = "checkpoint-ha-terraform" + location = "eastus" + vnet_name = "checkpoint-ha-vnet" + address_space = "10.0.0.0/16" + subnet_prefixes = ["10.0.1.0/24","10.0.2.0/24"] + admin_password = "xxxxxxxxxxxx" + smart_1_cloud_token_a = "xxxxxxxxxxxx" + smart_1_cloud_token_b = "xxxxxxxxxxxx" + sic_key = "xxxxxxxxxxxx" + vm_size = "Standard_D3_v2" + disk_size = "110" + vm_os_sku = "sg-byol" + vm_os_offer = "check-point-cg-r8110" + os_version = "R8110" + bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" + allow_upload_download = true + authentication_type = "Password" + availability_type = "Availability Zone" + 
enable_custom_metrics = true + enable_floating_ip = false + use_public_ip_prefix = false + create_public_ip_prefix = false + existing_public_ip_prefix_id = "" + admin_shell = "/etc/cli.sh" + serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + nsg_id = "" + add_storage_account_ip_rules = false + storage_account_additional_ips = [] + +## Revision History +In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +| ---------------- | ------------- | +| 20240613 | - Updated Azure Terraform provider version
- Updated managed identity permissions
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Added validation for os_version & os_offer | +| | | | +| 20230910 | - R81.20 is the default version | +| | | | +| 20230212 | - Added Smart-1 Cloud support | +| | | | +| 20221124 | - Added R81.20 support
- Upgraded azurerm provider | +| | | | +| 20220111 | - Added support to select different shells | +| | | | +| 20210309 | - Add "source_image_vhd_uri" variable for using a custom development image | +| | | | +| 20210111 |- Update terraform version to 0.14.3
- Update azurerm version to 2.17.0
- Add authentication_type variable for choosing the authentication type.
- Merge ha-availability-set-new-vnet and ha-availability-zones-new-vnet deployments to one deployment.
- Adding support for R81.
- Add support to CloudGuards metrics.
- Update resources for NSG https://github.com/CheckPointSW/CloudGuardIaaS/issues/67
- The cluster member current state is kept when redeploying.
- Avoid role-assignment re-creation when re-apply | +| | | | +| 20200508 |- Add backend load balancer rules resource.
- Rename the health probe for the backend load balancer.
- Rename the template name to "ha" | +| | | | +| 20200305 | First release of Check Point CloudGuard IaaS High Availability Terraform deployment for Azure | +| | | | +| | Addition of "templateType" parameter to "cloud-version" files | +| | | | + +## License + +See the [LICENSE](../../LICENSE) file for details + diff --git a/terraform/azure/high-availability-new-vnet/azure_public_key b/terraform/azure/high-availability-new-vnet/azure_public_key new file mode 100755 index 00000000..e69de29b diff --git a/terraform/azure/high-availability-new-vnet/cloud-init.sh b/terraform/azure/high-availability-new-vnet/cloud-init.sh new file mode 100755 index 00000000..0609bfcf --- /dev/null +++ b/terraform/azure/high-availability-new-vnet/cloud-init.sh @@ -0,0 +1,22 @@ +#!/usr/bin/python3 /etc/cloud_config.py + +installationType="${installation_type}" +allowUploadDownload="${allow_upload_download}" +osVersion="${os_version}" +templateName="${template_name}" +templateVersion="${template_version}" +templateType="${template_type}" +isBlink="${is_blink}" +bootstrapScript64="${bootstrap_script64}" +location="${location}" +sicKey="${sic_key}" +tenantId="${tenant_id}" +virtualNetwork="${virtual_network}" +clusterName="${cluster_name}" +externalPrivateAddresses="${external_private_addresses}" +customMetrics="${enable_custom_metrics}" +adminShell="${admin_shell}" +smart1CloudToken="${smart_1_cloud_token}" +Vips='[{"name": "cluster-vip", "privateIPAddress": "${external_private_addresses}", "publicIPAddress": "${cluster_name}"}]' +passwordHash="${serial_console_password_hash}" +MaintenanceModePassword="${maintenance_mode_password_hash}" diff --git a/terraform/azure/high-availability-new-vnet/main.tf b/terraform/azure/high-availability-new-vnet/main.tf new file mode 100755 index 00000000..1506b913 --- /dev/null +++ b/terraform/azure/high-availability-new-vnet/main.tf 
@@ -0,0 +1,550 @@ +//********************** Providers **************************// +provider "azurerm" { + subscription_id = var.subscription_id + client_id = var.client_id + client_secret = var.client_secret + tenant_id = var.tenant_id + + features {} +} + +//********************** Basic Configuration **************************// +module "common" { + source = "../modules/common" + resource_group_name = var.resource_group_name + location = var.location + admin_password = var.admin_password + installation_type = var.installation_type + template_name = var.template_name + template_version = var.template_version + number_of_vm_instances = var.number_of_vm_instances + allow_upload_download = var.allow_upload_download + vm_size = var.vm_size + disk_size = var.disk_size + is_blink = var.is_blink + os_version = var.os_version + vm_os_sku = var.vm_os_sku + vm_os_offer = var.vm_os_offer + authentication_type = var.authentication_type + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash + storage_account_additional_ips = var.storage_account_additional_ips +} + +//********************** Networking **************************// +module "vnet" { + source = "../modules/vnet" + vnet_name = var.vnet_name + resource_group_name = module.common.resource_group_name + location = module.common.resource_group_location + nsg_id = var.nsg_id == "" ? module.network-security-group[0].network_security_group_id: var.nsg_id + address_space = var.address_space + subnet_prefixes = var.subnet_prefixes +} + +module "network-security-group" { + source = "../modules/network-security-group" + count = var.nsg_id == "" ? 
1 : 0 + resource_group_name = module.common.resource_group_name + security_group_name = "${module.common.resource_group_name}_nsg" + location = module.common.resource_group_location + security_rules = [ + { + name = "AllowAllInBound" + priority = "100" + direction = "Inbound" + access = "Allow" + protocol = "*" + source_port_ranges = "*" + destination_port_ranges = "*" + description = "Allow all inbound connections" + source_address_prefix = "*" + destination_address_prefix = "*" + } + ] +} + +resource "random_id" "random_id" { + byte_length = 13 + keepers = { + rg_id = module.common.resource_group_id + } +} + +resource "azurerm_public_ip_prefix" "public_ip_prefix" { + count = var.use_public_ip_prefix && var.create_public_ip_prefix ? 1 : 0 + name = "${module.common.resource_group_name}-ipprefix" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + prefix_length = 30 +} + +resource "azurerm_public_ip" "public-ip" { + count = 2 + name = "${var.cluster_name}${count.index+1}_IP" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + allocation_method = module.vnet.allocation_method + sku = var.sku + domain_name_label = "${lower(var.cluster_name)}-${count.index+1}-${random_id.random_id.hex}" + public_ip_prefix_id = var.use_public_ip_prefix ? (var.create_public_ip_prefix ? azurerm_public_ip_prefix.public_ip_prefix[0].id : var.existing_public_ip_prefix_id) : null +} + +resource "azurerm_public_ip" "cluster-vip" { + name = var.cluster_name + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + allocation_method = module.vnet.allocation_method + sku = var.sku + domain_name_label = "${lower(var.cluster_name)}-vip-${random_id.random_id.hex}" + public_ip_prefix_id = var.use_public_ip_prefix ? (var.create_public_ip_prefix ? 
azurerm_public_ip_prefix.public_ip_prefix[0].id : var.existing_public_ip_prefix_id) : null +} + +resource "azurerm_network_interface" "nic_vip" { + depends_on = [ + azurerm_public_ip.cluster-vip, + azurerm_public_ip.public-ip] + name = "${var.cluster_name}1-eth0" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + enable_ip_forwarding = true + enable_accelerated_networking = true + + ip_configuration { + name = "ipconfig1" + primary = true + subnet_id = module.vnet.vnet_subnets[0] + private_ip_address_allocation = module.vnet.allocation_method + private_ip_address = cidrhost(module.vnet.subnet_prefixes[0], 5) + public_ip_address_id = azurerm_public_ip.public-ip.0.id + } + ip_configuration { + name = "cluster-vip" + subnet_id = module.vnet.vnet_subnets[0] + primary = false + private_ip_address_allocation = module.vnet.allocation_method + private_ip_address = cidrhost(module.vnet.subnet_prefixes[0], 7) + public_ip_address_id = azurerm_public_ip.cluster-vip.id + } + lifecycle { + ignore_changes = [ + # Ignore changes to ip_configuration when Re-applying, e.g. because a cluster failover and associating the cluster- vip with the other member. + # updates these based on some ruleset managed elsewhere. 
+ ip_configuration + ] + } +} + +resource "azurerm_network_interface_backend_address_pool_association" "nic_vip_lb_association" { + depends_on = [azurerm_network_interface.nic_vip, azurerm_lb_backend_address_pool.frontend-lb-pool] + network_interface_id = azurerm_network_interface.nic_vip.id + ip_configuration_name = "ipconfig1" + backend_address_pool_id = azurerm_lb_backend_address_pool.frontend-lb-pool.id +} + +resource "azurerm_network_interface" "nic" { + depends_on = [ + azurerm_public_ip.public-ip, + azurerm_lb.frontend-lb] + name = "${var.cluster_name}2-eth0" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + enable_ip_forwarding = true + enable_accelerated_networking = true + + ip_configuration { + name = "ipconfig1" + primary = true + subnet_id = module.vnet.vnet_subnets[0] + private_ip_address_allocation = module.vnet.allocation_method + private_ip_address = cidrhost(module.vnet.subnet_prefixes[0], 6) + public_ip_address_id = azurerm_public_ip.public-ip.1.id + } + lifecycle { + ignore_changes = [ + # Ignore changes to ip_configuration when Re-applying, e.g. because a cluster failover and associating the cluster- vip with the other member. + # updates these based on some ruleset managed elsewhere. 
+ ip_configuration + ] + } +} + +resource "azurerm_network_interface_backend_address_pool_association" "nic_lb_association" { + depends_on = [azurerm_network_interface.nic, azurerm_lb_backend_address_pool.frontend-lb-pool] + network_interface_id = azurerm_network_interface.nic.id + ip_configuration_name = "ipconfig1" + backend_address_pool_id = azurerm_lb_backend_address_pool.frontend-lb-pool.id +} + +resource "azurerm_network_interface" "nic1" { + depends_on = [ + azurerm_lb.backend-lb] + count = 2 + name = "${var.cluster_name}${count.index+1}-eth1" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + enable_ip_forwarding = true + enable_accelerated_networking = true + + ip_configuration { + name = "ipconfig2" + subnet_id = module.vnet.vnet_subnets[1] + private_ip_address_allocation = module.vnet.allocation_method + private_ip_address = cidrhost(module.vnet.subnet_prefixes[1], count.index+5) + } +} + +resource "azurerm_network_interface_backend_address_pool_association" "nic1_lb_association" { + depends_on = [azurerm_network_interface.nic1, azurerm_lb_backend_address_pool.backend-lb-pool] + count = 2 + network_interface_id = azurerm_network_interface.nic1[count.index].id + ip_configuration_name = "ipconfig2" + backend_address_pool_id = azurerm_lb_backend_address_pool.backend-lb-pool.id +} + +//********************** Load Balancers **************************// +resource "azurerm_public_ip" "public-ip-lb" { + name = "frontend_lb_ip" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + allocation_method = module.vnet.allocation_method + sku = var.sku + domain_name_label = "${lower(var.cluster_name)}-${random_id.random_id.hex}" + public_ip_prefix_id = var.use_public_ip_prefix ? (var.create_public_ip_prefix ? 
azurerm_public_ip_prefix.public_ip_prefix[0].id : var.existing_public_ip_prefix_id) : null +} + +resource "azurerm_lb" "frontend-lb" { +// depends_on = [ +// azurerm_public_ip.public-ip-lb] + name = "frontend-lb" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + sku = var.sku + + frontend_ip_configuration { + name = "LoadBalancerFrontend" + public_ip_address_id = azurerm_public_ip.public-ip-lb.id + } +} + +resource "azurerm_lb_backend_address_pool" "frontend-lb-pool" { + loadbalancer_id = azurerm_lb.frontend-lb.id + name = "frontend-lb-pool" +} + +resource "azurerm_lb" "backend-lb" { + name = "backend-lb" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + sku = var.sku + frontend_ip_configuration { + name = "backend-lb" + subnet_id = module.vnet.vnet_subnets[1] + private_ip_address_allocation = module.vnet.allocation_method + private_ip_address = cidrhost(module.vnet.subnet_prefixes[1], 4) + } +} + +resource "azurerm_lb_backend_address_pool" "backend-lb-pool" { + name = "backend-lb-pool" + loadbalancer_id = azurerm_lb.backend-lb.id +} + +resource "azurerm_lb_probe" "azure_lb_healprob" { + count = 2 + loadbalancer_id = count.index == 0 ? 
azurerm_lb.frontend-lb.id : azurerm_lb.backend-lb.id + name = var.lb_probe_name + protocol = var.lb_probe_protocol + port = var.lb_probe_port + interval_in_seconds = var.lb_probe_interval + number_of_probes = var.lb_probe_unhealthy_threshold +} + +resource "azurerm_lb_rule" "backend_lb_rules" { + loadbalancer_id = azurerm_lb.backend-lb.id + name = "backend-lb" + protocol = "All" + frontend_port = 0 + backend_port = 0 + frontend_ip_configuration_name = "backend-lb" + load_distribution = "Default" + backend_address_pool_ids = [azurerm_lb_backend_address_pool.backend-lb-pool.id] + probe_id = azurerm_lb_probe.azure_lb_healprob[1].id + enable_floating_ip = var.enable_floating_ip +} + +//********************** Availability Set **************************// +locals { + availability_set_condition = var.availability_type == "Availability Set" ? true : false + SSH_authentication_type_condition = var.authentication_type == "SSH Public Key" ? true : false +} +resource "azurerm_availability_set" "availability-set" { + count = local.availability_set_condition ? 
1 : 0 + name = "${var.cluster_name}-AvailabilitySet" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + platform_fault_domain_count = 2 + platform_update_domain_count = 5 + managed = true +} + +//********************** Storage accounts **************************// +// Generate random text for a unique storage account name +resource "random_id" "randomId" { + keepers = { + # Generate a new ID only when a new resource group is defined + resource_group = module.common.resource_group_name + } + byte_length = 8 +} +resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { + name = "bootdiag${random_id.randomId.hex}" + resource_group_name = module.common.resource_group_name + location = module.common.resource_group_location + account_tier = module.common.storage_account_tier + account_replication_type = module.common.account_replication_type + network_rules { + default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow" + ip_rules = module.common.storage_account_ip_rules + } + blob_properties { + delete_retention_policy { + days = "15" + } + } +} + +//********************** Virtual Machines **************************// +locals { + custom_image_condition = var.source_image_vhd_uri == "noCustomUri" ? false : true +} + +resource "azurerm_image" "custom-image" { + count = local.custom_image_condition ? 1 : 0 + name = "custom-image" + location = var.location + resource_group_name = module.common.resource_group_name + + os_disk { + os_type = "Linux" + os_state = "Generalized" + blob_uri = var.source_image_vhd_uri + } +} +resource "azurerm_virtual_machine" "vm-instance-availability-set" { + depends_on = [ + azurerm_network_interface.nic, + azurerm_network_interface.nic1, + azurerm_network_interface.nic_vip] + count = local.availability_set_condition ? 
module.common.number_of_vm_instances : 0 + name = "${var.cluster_name}${count.index+1}" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + availability_set_id = local.availability_set_condition ? azurerm_availability_set.availability-set[0].id : "" + vm_size = module.common.vm_size + network_interface_ids = count.index == 0 ? [ + azurerm_network_interface.nic_vip.id, + azurerm_network_interface.nic1.0.id] : [ + azurerm_network_interface.nic.id, + azurerm_network_interface.nic1.1.id] + delete_os_disk_on_termination = module.common.delete_os_disk_on_termination + primary_network_interface_id = count.index == 0 ? azurerm_network_interface.nic_vip.id : azurerm_network_interface.nic.id + identity { + type = module.common.vm_instance_identity + } + storage_image_reference { + id = local.custom_image_condition ? azurerm_image.custom-image[0].id : null + publisher = local.custom_image_condition ? null : module.common.publisher + offer = module.common.vm_os_offer + sku = module.common.vm_os_sku + version = module.common.vm_os_version + } + + storage_os_disk { + name = "${var.cluster_name}-${count.index+1}" + create_option = module.common.storage_os_disk_create_option + caching = module.common.storage_os_disk_caching + managed_disk_type = module.common.storage_account_type + disk_size_gb = module.common.disk_size + } + + dynamic "plan" { + for_each = local.custom_image_condition ? 
[ + ] : [1] + content { + name = module.common.vm_os_sku + publisher = module.common.publisher + product = module.common.vm_os_offer + } + } + + os_profile { + computer_name = "${lower(var.cluster_name)}${count.index+1}" + admin_username = module.common.admin_username + admin_password = module.common.admin_password + custom_data = templatefile("${path.module}/cloud-init.sh", { + installation_type = module.common.installation_type + allow_upload_download = module.common.allow_upload_download + os_version = module.common.os_version + template_name = module.common.template_name + template_version = module.common.template_version + template_type = "terraform" + is_blink = module.common.is_blink + bootstrap_script64 = base64encode(var.bootstrap_script) + location = module.common.resource_group_location + sic_key = var.sic_key + tenant_id = var.tenant_id + virtual_network = module.vnet.vnet_name + cluster_name = var.cluster_name + external_private_addresses = azurerm_network_interface.nic_vip.ip_configuration[1].private_ip_address + enable_custom_metrics = var.enable_custom_metrics ? "yes" : "no" + admin_shell = var.admin_shell + smart_1_cloud_token = count.index == 0 ? var.smart_1_cloud_token_a : var.smart_1_cloud_token_b + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash + }) + } + + os_profile_linux_config { + disable_password_authentication = local.SSH_authentication_type_condition + + dynamic "ssh_keys" { + for_each = local.SSH_authentication_type_condition ? [ + 1] : [] + content { + path = "/home/notused/.ssh/authorized_keys" + key_data = file("${path.module}/azure_public_key") + } + } + } + + boot_diagnostics { + enabled = module.common.boot_diagnostics + storage_uri = module.common.boot_diagnostics ? 
join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : "" + } +} + +resource "azurerm_virtual_machine" "vm-instance-availability-zone" { + depends_on = [ + azurerm_network_interface.nic, + azurerm_network_interface.nic1, + azurerm_network_interface.nic_vip] + count = local.availability_set_condition ? 0 : module.common.number_of_vm_instances + name = "${var.cluster_name}${count.index+1}" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + zones = [ + count.index+1] + vm_size = module.common.vm_size + network_interface_ids = count.index == 0 ? [ + azurerm_network_interface.nic_vip.id, + azurerm_network_interface.nic1.0.id] : [ + azurerm_network_interface.nic.id, + azurerm_network_interface.nic1.1.id] + delete_os_disk_on_termination = module.common.delete_os_disk_on_termination + primary_network_interface_id = count.index == 0 ? azurerm_network_interface.nic_vip.id : azurerm_network_interface.nic.id + identity { + type = module.common.vm_instance_identity + } + storage_image_reference { + id = local.custom_image_condition ? azurerm_image.custom-image[0].id : null + publisher = local.custom_image_condition ? null : module.common.publisher + offer = module.common.vm_os_offer + sku = module.common.vm_os_sku + version = module.common.vm_os_version + } + + storage_os_disk { + name = "${var.cluster_name}-${count.index+1}" + create_option = module.common.storage_os_disk_create_option + caching = module.common.storage_os_disk_caching + managed_disk_type = module.common.storage_account_type + disk_size_gb = module.common.disk_size + } + + dynamic "plan" { + for_each = local.custom_image_condition ? 
[ + ] : [1] + content { + name = module.common.vm_os_sku + publisher = module.common.publisher + product = module.common.vm_os_offer + } + } + + os_profile { + computer_name = "${lower(var.cluster_name)}${count.index+1}" + admin_username = module.common.admin_username + admin_password = module.common.admin_password + custom_data = templatefile("${path.module}/cloud-init.sh", { + installation_type = module.common.installation_type + allow_upload_download = module.common.allow_upload_download + os_version = module.common.os_version + template_name = module.common.template_name + template_version = module.common.template_version + template_type = "terraform" + is_blink = module.common.is_blink + bootstrap_script64 = base64encode(var.bootstrap_script) + location = module.common.resource_group_location + sic_key = var.sic_key + tenant_id = var.tenant_id + virtual_network = module.vnet.vnet_name + cluster_name = var.cluster_name + external_private_addresses = cidrhost(module.vnet.subnet_prefixes[0], 7) + enable_custom_metrics = var.enable_custom_metrics ? "yes" : "no" + admin_shell = var.admin_shell + smart_1_cloud_token = count.index == 0 ? var.smart_1_cloud_token_a : var.smart_1_cloud_token_b + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash + }) + } + + os_profile_linux_config { + disable_password_authentication = local.SSH_authentication_type_condition + + dynamic "ssh_keys" { + for_each = local.SSH_authentication_type_condition ? [ + 1] : [] + content { + path = "/home/notused/.ssh/authorized_keys" + key_data = file("${path.module}/azure_public_key") + } + } + } + + boot_diagnostics { + enabled = module.common.boot_diagnostics + storage_uri = module.common.boot_diagnostics ? 
join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : "" + } +} +//********************** Role Assigments **************************// +data "azurerm_role_definition" "virtual_machine_contributor_role_definition" { + name = "Virtual Machine Contributor" +} +data "azurerm_role_definition" "reader_role_definition" { + name = "Reader" +} +data "azurerm_client_config" "client_config" { +} +resource "azurerm_role_assignment" "cluster_virtual_machine_contributor_assignment" { + count = 2 + lifecycle { + ignore_changes = [ + role_definition_id, principal_id + ] + } + scope = module.common.resource_group_id + role_definition_id = data.azurerm_role_definition.virtual_machine_contributor_role_definition.id + principal_id = local.availability_set_condition ? lookup(azurerm_virtual_machine.vm-instance-availability-set[count.index].identity[0], "principal_id") : lookup(azurerm_virtual_machine.vm-instance-availability-zone[count.index].identity[0], "principal_id") +} +resource "azurerm_role_assignment" "cluster_reader_assigment" { + count = 2 + lifecycle { + ignore_changes = [ + role_definition_id, principal_id + ] + } + scope = module.common.resource_group_id + role_definition_id = data.azurerm_role_definition.reader_role_definition.id + principal_id = local.availability_set_condition ? lookup(azurerm_virtual_machine.vm-instance-availability-set[count.index].identity[0], "principal_id") : lookup(azurerm_virtual_machine.vm-instance-availability-zone[count.index].identity[0], "principal_id") +} \ No newline at end of file diff --git a/terraform/azure/high-availability-new-vnet/terraform.tfvars b/terraform/azure/high-availability-new-vnet/terraform.tfvars new file mode 100755 index 00000000..7cd8490e --- /dev/null +++ b/terraform/azure/high-availability-new-vnet/terraform.tfvars 
@@ -0,0 +1,36 @@
+//#PLEASE refer to the README.md for accepted values FOR THE VARIABLES BELOW
+client_secret = "PLEASE ENTER CLIENT SECRET" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+client_id = "PLEASE ENTER CLIENT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+tenant_id = "PLEASE ENTER TENANT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+subscription_id = "PLEASE ENTER SUBSCRIPTION ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+source_image_vhd_uri = "PLEASE ENTER SOURCE IMAGE VHD URI OR noCustomUri" # "noCustomUri"
+resource_group_name = "PLEASE ENTER RESOURCE GROUP NAME" # "checkpoint-ha-terraform"
+cluster_name = "PLEASE ENTER CLUSTER NAME" # "checkpoint-ha-terraform"
+location = "PLEASE ENTER LOCATION" # "eastus"
+vnet_name = "PLEASE ENTER VIRTUAL NETWORK NAME" # "checkpoint-ha-vnet"
+address_space = "PLEASE ENTER VIRTUAL NETWORK ADDRESS SPACE" # "10.0.0.0/16"
+subnet_prefixes = "PLEASE ENTER ADDRESS PREFIXES FOR SUBNETS" # ["10.0.1.0/24","10.0.2.0/24"]
+admin_password = "PLEASE ENTER ADMIN PASSWORD" # "xxxxxxxxxxxx"
+smart_1_cloud_token_a = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL" # ""
+smart_1_cloud_token_b = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL" # ""
+sic_key = "PLEASE ENTER SIC KEY" # "xxxxxxxxxxxx"
+vm_size = "PLEASE ENTER VM SIZE" # "Standard_D3_v2"
+disk_size = "PLEASE ENTER DISK SIZE" # "110"
+vm_os_sku = "PLEASE ENTER VM SKU" # "sg-byol"
+vm_os_offer = "PLEASE ENTER VM OFFER" # "check-point-cg-r8110"
+os_version = "PLEASE ENTER GAIA OS VERSION" # "R8110"
+bootstrap_script = "PLEASE ENTER CUSTOM SCRIPT OR LEAVE EMPTY DOUBLE QUOTES" # "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
+allow_upload_download = "PLEASE ENTER true or false" # true
+authentication_type = "PLEASE ENTER AUTHENTICATION TYPE" # "Password"
+availability_type = "PLEASE ENTER AVAILABILITY TYPE" # "Availability Zone"
+enable_custom_metrics = "PLEASE ENTER true or false" # true
+enable_floating_ip = "PLEASE ENTER true or false" # false
+use_public_ip_prefix = "PLEASE ENTER true or false" # false
+create_public_ip_prefix = "PLEASE ENTER true or false" # false
+existing_public_ip_prefix_id = "PLEASE ENTER IP PREFIX RESOURCE ID" # ""
+admin_shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh"
+serial_console_password_hash = "PLEASE ENTER SERIAL CONSOLE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+nsg_id = "PLEASE ENTER NETWORK SECURITY GROUP ID" # ""
+add_storage_account_ip_rules = "PLEASE ENTER true or false" # false
+storage_account_additional_ips = "PLEASE ENTER A LIST OF VALID IPS/CIDRS" # []
\ No newline at end of file
diff --git a/terraform/azure/high-availability-new-vnet/variables.tf b/terraform/azure/high-availability-new-vnet/variables.tf
new file mode 100755
index 00000000..6bb79338
--- /dev/null
+++ b/terraform/azure/high-availability-new-vnet/variables.tf
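Review bot: This tracked terraform.tfvars is the intended home for `client_secret`, `admin_password`, `sic_key` and both Smart-1 Cloud tokens, so once a user replaces the placeholders a plain `git add` commits live credentials, and nothing in this hunk shows the file being git-ignored. I would extend the header comment with a warning such as `// Do not commit this file with real values; prefer ARM_CLIENT_SECRET / TF_VAR_<name> environment variables for secrets`, which matches the environment-variable option the management README in this same patch describes. Separately, `subnet_prefixes` and `storage_account_additional_ips` are given string placeholders here while variables.tf declares both as `list(string)`, so a partly-edited file fails with a type-conversion error instead of surfacing the PLEASE ENTER hint; list-shaped placeholders like the ones in the trailing comments would avoid that.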
@@ -0,0 +1,328 @@ +//********************** Basic Configuration Variables **************************// +variable "cluster_name" { + description = "Cluster name" + type = string +} + +variable "resource_group_name" { + description = "Azure Resource Group name to build into" + type = string +} + +variable "location" { + description = "The location/region where resources will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions" + type = string +} + +//********************** Virtual Machine Instances Variables **************************// +variable "availability_type" { + description = "Specifies whether to deploy the solution based on Azure Availability Set or based on Azure Availability Zone." + type = string + default = "Availability Zone" +} + +locals { // locals for 'availability_type' allowed values + availability_type_allowed_values = [ + "Availability Zone", + "Availability Set" + ] + // will fail if [var.availability_type] is invalid: + validate_availability_type_value = index(local.availability_type_allowed_values, var.availability_type) +} + +variable "source_image_vhd_uri" { + type = string + description = "The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images." + default = "noCustomUri" +} + +variable "admin_username" { + description = "Administrator username of deployed VM. Due to Azure limitations 'notused' name can be used" + default = "notused" +} + +variable "admin_password" { + description = "Administrator password of deployed Virtual Macine. 
The password must meet the complexity requirements of Azure" + type = string +} + +variable "serial_console_password_hash" { + description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type" + type = string +} + +variable "maintenance_mode_password_hash" { + description = "Maintenance mode password hash, relevant only for R81.20 and higher versions" + type = string +} + +variable "smart_1_cloud_token_a" { + description = "Smart-1 Cloud Token, for configuring member A" + type = string +} + +variable "smart_1_cloud_token_b" { + description = "Smart-1 Cloud Token, for configuring member B" + type = string +} + +variable "sic_key" { + description = "Secure Internal Communication(SIC) key" + type = string +} +resource "null_resource" "sic_key_invalid" { + count = length(var.sic_key) >= 12 ? 0 : "SIC key must be at least 12 characters long" +} + +variable "template_name" { + description = "Template name. Should be defined according to deployment type(ha, vmss)" + type = string + default = "ha_terraform" +} + +variable "template_version" { + description = "Template version. It is reccomended to always use the latest template version" + type = string + default = "20230910" +} + +variable "installation_type" { + description = "Installaiton type" + type = string + default = "cluster" +} + +variable "number_of_vm_instances" { + description = "Number of VM instances to deploy " + type = string + default = "2" +} + +variable "vm_size" { + description = "Specifies size of Virtual Machine" + type = string +} + +variable "disk_size" { + description = "Storage data disk size size(GB). 
Select a number between 100 and 3995" + type = string +} + +variable "os_version" { + description = "GAIA OS version" + type = string +} + +locals { // locals for 'vm_os_offer' allowed values + os_version_allowed_values = [ + "R8040", + "R81", + "R8110", + "R8120" + ] + // will fail if [var.os_version] is invalid: + validate_os_version_value = index(local.os_version_allowed_values, var.os_version) +} + +variable "vm_os_sku" { + description = "The sku of the image to be deployed." + type = string +} + +variable "vm_os_offer" { + description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8040, check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" + type = string +} + +locals { // locals for 'vm_os_offer' allowed values + vm_os_offer_allowed_values = [ + "check-point-cg-r8040", + "check-point-cg-r81", + "check-point-cg-r8110", + "check-point-cg-r8120" + ] + // will fail if [var.vm_os_offer] is invalid: + validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer) +} + +variable "authentication_type" { + description = "Specifies whether a password authentication or SSH Public Key authentication should be used" + type = string +} +locals { // locals for 'authentication_type' allowed values + authentication_type_allowed_values = [ + "Password", + "SSH Public Key" + ] + // will fail if [var.authentication_type] is invalid: + validate_authentication_type_value = index(local.authentication_type_allowed_values, var.authentication_type) +} + +variable "allow_upload_download" { + description = "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point" + type = bool +} + +variable "is_blink" { + description = "Define if blink image is used for deployment" + default = true +} + +variable "admin_shell" { + description = "The admin shell to configure on machine or the first time" + type = string + default = "/etc/cli.sh" +} + +locals { + admin_shell_allowed_values = [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh" + ] + // Will fail if [var.admin_shell] is invalid + validate_admin_shell_value = index(local.admin_shell_allowed_values, var.admin_shell) +} + +//********************** Natworking Variables **************************// +variable "vnet_name" { + description = "Virtual Network name" + type = string +} + +variable "address_space" { + description = "The address space that is used by a Virtual Network." + type = string + default = "10.0.0.0/16" +} + +variable "subnet_prefixes" { + description = "Address prefix to be used for netwok subnets" + type = list(string) + default = [ + "10.0.0.0/24", + "10.0.1.0/24"] +} + +variable "lb_probe_name" { + description = "Name to be used for lb health probe" + default = "health_prob_port" +} + +variable "lb_probe_port" { + description = "Port to be used for load balancer health probes and rules" + default = "8117" +} + +variable "lb_probe_protocol" { + description = "Protocols to be used for load balancer health probes and rules" + default = "Tcp" +} + +variable "lb_probe_unhealthy_threshold" { + description = "Number of times load balancer health probe has an unsuccessful attempt before considering the endpoint unhealthy." 
+ default = 2 +} + +variable "lb_probe_interval" { + description = "Interval in seconds load balancer health probe rule perfoms a check" + default = 5 +} + +variable "bootstrap_script" { + description = "An optional script to run on the initial boot" + #example: + #"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" +} + +variable "nsg_id" { + description = "NSG ID - Optional - if empty use default NSG" + default = "" +} + +variable "add_storage_account_ip_rules" { + type = bool + default = false + description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location" +} + +variable "storage_account_additional_ips" { + type = list(string) + description = "IPs/CIDRs that are allowed access to the Storage Account" + default = [] +} +//********************** Credentials **************************// + +variable "tenant_id" { + description = "Tenant ID" + type = string +} + +variable "subscription_id" { + description = "Subscription ID" + type = string +} + +variable "client_id" { + description = "Aplication ID(Client ID)" + type = string +} + +variable "client_secret" { + description = "A secret string that the application uses to prove its identity when requesting a token. Also can be referred to as application password." + type = string +} + +variable "sku" { + description = "SKU" + type = string + default = "Standard" +} + +variable "enable_custom_metrics" { + description = "Indicates whether CloudGuard Metrics will be use for Cluster members monitoring." + type = bool + default = true +} + +variable "enable_floating_ip" { + description = "Indicates whether the load balancers will be deployed with floating IP." + type = bool + default = false +} + +variable "use_public_ip_prefix" { + description = "Indicates whether the public IP resources will be deployed with public IP prefix." 
+ type = bool + default = false +} + +variable "create_public_ip_prefix" { + description = "Indicates whether the public IP prefix will created or an existing will be used." + type = bool + default = false +} + +variable "existing_public_ip_prefix_id" { + description = "The existing public IP prefix resource id." + type = string + default = "" +} + +locals{ + # Validate both s1c tokens are used or both empty + is_both_tokens_used = length(var.smart_1_cloud_token_a) > 0 == length(var.smart_1_cloud_token_b) > 0 + validation_message_both = "To connect to Smart-1 Cloud, you must provide two tokens (one per member)" + _ = regex("^$", (local.is_both_tokens_used ? "" : local.validation_message_both)) + + is_tokens_used = length(var.smart_1_cloud_token_a) > 0 + # Validate both s1c tokens are unqiue + token_parts_a = split(" ",var.smart_1_cloud_token_a) + token_parts_b = split(" ",var.smart_1_cloud_token_b) + acutal_token_a = local.token_parts_a[length(local.token_parts_a) - 1] + acutal_token_b = local.token_parts_b[length(local.token_parts_b) - 1] + is_both_tokens_the_same = local.acutal_token_a == local.acutal_token_b + validation_message_unique = "Same Smart-1 Cloud token used for both memeber, you must provide unique token for each member" + __ = local.is_tokens_used ? regex("^$", (local.is_both_tokens_the_same ? local.validation_message_unique : "")) : "" +} \ No newline at end of file diff --git a/terraform/azure/high-availability-new-vnet/versions.tf b/terraform/azure/high-availability-new-vnet/versions.tf new file mode 100755 index 00000000..0d5ca4f3 --- /dev/null +++ b/terraform/azure/high-availability-new-vnet/versions.tf @@ -0,0 +1,12 @@ +terraform { + required_version = ">= 0.14.3" + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = "~> 3.81.0" + } + random = { + version = "~> 3.5.1" + } + } +} \ No newline at end of file 
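Review bot: `client_secret`, `admin_password`, `sic_key`, `smart_1_cloud_token_a` and `smart_1_cloud_token_b` are declared as plain `string` variables without `sensitive = true`, so their values are echoed in `terraform plan`/`apply` output and in any diff of the VM `custom_data` that embeds them; versions.tf in this same patch pins `required_version = ">= 0.14.3"`, which already supports the attribute. Add `sensitive = true` directly under `type = string` in each of those five blocks. Note that this only redacts CLI output — the values still sit in clear in the state file, so the state backend needs its own access control, which is worth one line in the descriptions of these variables. The `null_resource "sic_key_invalid"` count trick could also become a `validation { condition = length(var.sic_key) >= 12  error_message = "SIC key must be at least 12 characters long" }` block inside the variable, which fails at plan time with that message rather than a type-conversion error.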
diff --git a/terraform/azure/management-existing-vnet/README.md b/terraform/azure/management-existing-vnet/README.md new file mode 100755 index 00000000..3ab73dbd --- /dev/null +++ b/terraform/azure/management-existing-vnet/README.md @@ -0,0 +1,189 @@ +# Check Point CloudGuard IaaS Management Terraform deployment for Azure + +This Terraform module deploys Check Point CloudGuard IaaS Management solution into an existing Vnet in Azure. +As part of the deployment the following resources are created: +- Resource group +- Network security group +- Virtual Machine +- System assigned identity + +This solution uses the following modules: +- /terraform/azure/modules/common - used for creating a resource group and defining common variables. +- /terraform/azure/modules/network-security-group - used for creating new network security groups and rules. + + +## Configurations +- Install and configure Terraform to provision Azure resources: [Configure Terraform for Azure](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/terraform-install-configure) +- In order to use ssh connection to VMs, it is **required** to add a public key to the /terraform/azure/management-existing-vnet/azure_public_key file. + +## Usage +- Choose the preferred login method to Azure in order to deploy the solution: +
1. Using Service Principal: + - Create a [Service Principal](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal) (or use the existing one) + - Grant the Service Principal at least "**Managed Application Contributor**", "**Storage Account Contributor**", "**Network Contributor**", "**Virtual Machine Contributor**" permissions to the Azure subscription
+ - The Service Principal credentials can be stored either in the terraform.tfvars or as [Environment Variables](https://www.terraform.io/docs/providers/azuread/guides/service_principal_client_secret.html)
+ + In case the Environment Variables are used, perform modifications described below:
+ + a. The next lines in the main.tf file, in the provider azurerm resource, need to be deleted or commented: + + provider "azurerm" { + + // subscription_id = var.subscription_id + // client_id = var.client_id + // client_secret = var.client_secret + // tenant_id = var.tenant_id + + features {} + } + + b. In the terraform.tfvars file leave empty double quotes for client_secret, client_id , tenant_id and subscription_id variables: + + client_secret = "" + client_id = "" + tenant_id = "" + subscription_id = "" + +
2. Using **az** commands from a command-line: + - Run **az login** command + - Sign in with your account credentials in the browser + - [Accept Azure Marketplace image terms](https://docs.microsoft.com/en-us/cli/azure/vm/image/terms?view=azure-cli-latest) by running: +
**az vm image terms accept --urn publisher:offer:sku:version**, where: + - publisher = checkpoint; + - offer = vm_os_offer (see accepted values in the table below); + - sku = vm_os_sku (see accepted values in the table below); + - version = latest
+
Example:
+ az vm image terms accept --urn checkpoint:check-point-cg-r8040:sg-byol:latest + + - In the terraform.tfvars file leave empty double quotes for client_secret, client_id and tenant_id variables. + +- Fill all variables in the /terraform/azure/management-existing-vnet/terraform.tfvars file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + + terraform init +- Create an execution plan: + + terraform plan +- Create or modify the deployment: + + terraform apply + +### terraform.tfvars variables: + | Name | Description | Type | Allowed values | Default | + | ------------- | ------------- | ------------- | ------------- | ------------- | + | **client_secret** | The client secret of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **client_id** | The client ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | | n/a + | | | | | | + | **source_image_vhd_uri** | The URI of the blob containing the development image. 
Please use noCustomUri if you want to use marketplace images | string | | "noCustomUri" + | | | | | | + | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | n/a + | | | | | | + | **mgmt_name** | Management name | string | | n/a + | | | | | | + | **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | n/a + | | | | | | + | **vnet_name** | Virtual Network name | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | n/a + | | | | | | + | **vnet_resource_group** | Resource Group of the existing virtual network | string | The exact name of the existing vnet's resource group | n/a + | | | | | | + | **management_subnet_name** | Management subnet name | string | The exact name of the existing subnet | n/a + | | | | | | + | **subnet_1st_Address** | The first available address of the subnet | string | | n/a + | | | | | | + | **management_GUI_client_network** | Allowed GUI clients - GUI clients network CIDR | string | | n/a + | | | | | | + | **mgmt_enable_api** | Enable api access to the management | string | - "all";
- "management_only";
- "gui_clients"
- "disable"; | "disable" + | | | | | | + | **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | n/a + | | | | | | + | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | n/a + | | | | | | + | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | n/a + | | | | | | + | 
**vm_os_sku** | A sku of the image to be deployed | string | "mgmt-byol" - BYOL license;
"mgmt-25" - PAYG; | n/a + | | | | | | + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | | | | | | + | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120";| n/a + | | | | | | + | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | "" + | | | | | | + | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | n/a + | | | | | | + | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | n/a + | | | | | | + | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | "/etc/cli.sh" + | | | | | | + | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here | string | | n/a + | | | | | | + | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | | n/a + | | | | | | + | **nsg_id** | Optional ID for a Network Security Group that already exists in Azure, if not provided, will create a default NSG | string | Existing NSG resource ID | "" + | | | | | | + | **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false; | false + | | | | | | + | **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs | [] + + +## Example + client_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + client_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + tenant_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + subscription_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + source_image_vhd_uri = "noCustomUri" + resource_group_name = "checkpoint-mgmt-terraform" + mgmt_name = "checkpoint-mgmt-terraform" + location = "eastus" + vnet_name = "checkpoint-mgmt-vnet" + vnet_resource_group = "existing-vnet" + management_subnet_name = "mgmt-subnet" + subnet_1st_Address = "10.0.1.4" + management_GUI_client_network = "0.0.0.0/0" + mgmt_enable_api = "disable" + admin_password = "xxxxxxxxxxxx" + vm_size = "Standard_D3_v2" + disk_size = "110" + vm_os_sku = "mgmt-byol" + vm_os_offer = "check-point-cg-r8110" + os_version = "R8110" + bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" + allow_upload_download = true + authentication_type = "Password" + admin_shell = "/etc/cli.sh" + serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + nsg_id = "" + add_storage_account_ip_rules = false + storage_account_additional_ips = [] + + +## Revision History +In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +| ---------------- | ------------- | +| 20240613 | - Updated Azure Terraform provider version
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Updated Public IP sku to Standard
- Added validation for os_version & os_offer | +| | | | +| 20230910 | - R81.20 is the default version | +| | | | +| 20221124 | - Added R81.20 support
- Upgraded azurerm provider | +| | | | +| 20220111 | - Added support to select different shells | +| | | | +| 20210309 | - Add "source_image_vhd_uri" variable for using a custom development image | +| | | | +| 20210111 | First release of Check Point CloudGuard IaaS Management Terraform deployment into an existing Vnet in Azure | +| | | | +| | Addition of "templateType" parameter to "cloud-version" files | +| | | | + +## License + +See the [LICENSE](../../LICENSE) file for details + diff --git a/terraform/azure/management-existing-vnet/azure_public_key b/terraform/azure/management-existing-vnet/azure_public_key new file mode 100755 index 00000000..e69de29b diff --git a/terraform/azure/management-existing-vnet/cloud-init.sh b/terraform/azure/management-existing-vnet/cloud-init.sh new file mode 100755 index 00000000..4639554e --- /dev/null +++ b/terraform/azure/management-existing-vnet/cloud-init.sh @@ -0,0 +1,16 @@ +#!/usr/bin/python3 /etc/cloud_config.py + +installationType="${installation_type}" +allowUploadDownload="${allow_upload_download}" +osVersion="${os_version}" +templateName="${template_name}" +templateVersion="${template_version}" +templateType="${template_type}" +isBlink="${is_blink}" +bootstrapScript64="${bootstrap_script64}" +location="${location}" +managementGUIClientNetwork="${management_GUI_client_network}" +enableApi="${enable_api}" +adminShell="${admin_shell}" +passwordHash="${serial_console_password_hash}" +MaintenanceModePassword="${maintenance_mode_password_hash}" diff --git a/terraform/azure/management-existing-vnet/main.tf b/terraform/azure/management-existing-vnet/main.tf new file mode 100755 index 00000000..a471b842 --- /dev/null +++ b/terraform/azure/management-existing-vnet/main.tf 
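Review bot: Every input in this file is dropped verbatim between double quotes (`managementGUIClientNetwork="${management_GUI_client_network}"`, `adminShell="${admin_shell}"`, `passwordHash="${serial_console_password_hash}"`), and only `bootstrap_script` is base64-encoded by the caller, so a value containing `"` or a newline would corrupt the file or smuggle in an extra assignment unless `/etc/cloud_config.py` parses it defensively — that script is not visible here. The cheap guard is plan-time validation on the inputs, e.g. for the client network `validation { condition = can(cidrhost(var.management_GUI_client_network, 0))  error_message = "management_GUI_client_network must be a valid CIDR" }`, plus the allowlist pattern the HA variables.tf in this patch already applies to `admin_shell`. The management template's variables.tf lies outside this chunk, so some of this may already exist there.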
@@ -0,0 +1,312 @@ +//********************** Providers **************************// +provider "azurerm" { + subscription_id = var.subscription_id + client_id = var.client_id + client_secret = var.client_secret + tenant_id = var.tenant_id + + features {} +} + +//********************** Basic Configuration **************************// +module "common" { + source = "../modules/common" + resource_group_name = var.resource_group_name + location = var.location + admin_password = var.admin_password + installation_type = var.installation_type + template_name = var.template_name + template_version = var.template_version + number_of_vm_instances = 1 + allow_upload_download = var.allow_upload_download + vm_size = var.vm_size + disk_size = var.disk_size + is_blink = false + os_version = var.os_version + vm_os_sku = var.vm_os_sku + vm_os_offer = var.vm_os_offer + authentication_type = var.authentication_type + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash + storage_account_additional_ips = var.storage_account_additional_ips +} + +//********************** Networking **************************// +data "azurerm_subnet" "mgmt_subnet" { + name = var.management_subnet_name + virtual_network_name = var.vnet_name + resource_group_name = var.vnet_resource_group +} + +resource "azurerm_public_ip" "public-ip" { + name = var.mgmt_name + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + allocation_method = var.vnet_allocation_method + sku = var.sku + idle_timeout_in_minutes = 30 + domain_name_label = join("", [ + lower(var.mgmt_name), + "-", + random_id.randomId.hex]) +} + +module "network-security-group" { + source = "../modules/network-security-group" + count = var.nsg_id == "" ? 
1 : 0 + resource_group_name = module.common.resource_group_name + security_group_name = "${module.common.resource_group_name}-nsg" + location = module.common.resource_group_location + security_rules = [ + { + name = "SSH" + priority = "100" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "22" + description = "Allow inbound SSH connection" + source_address_prefix = var.management_GUI_client_network + destination_address_prefix = "*" + }, + { + name = "GAiA-portal" + priority = "110" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "443" + description = "Allow inbound HTTPS access to the GAiA portal" + source_address_prefix = var.management_GUI_client_network + destination_address_prefix = "*" + }, + { + name = "SmartConsole-1" + priority = "120" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "18190" + description = "Allow inbound access using the SmartConsole GUI client" + source_address_prefix = var.management_GUI_client_network + destination_address_prefix = "*" + }, + { + name = "SmartConsole-2" + priority = "130" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "19009" + description = "Allow inbound access using the SmartConsole GUI client" + source_address_prefix = var.management_GUI_client_network + destination_address_prefix = "*" + }, + { + name = "Logs" + priority = "140" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "257" + description = "Allow inbound logging connections from managed gateways" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + { + name = "ICA-pull" + priority = "150" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + 
destination_port_ranges = "18210" + description = "Allow security gateways to pull a SIC certificate" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + { + name = "CRL-fetch" + priority = "160" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "18264" + description = "Allow security gateways to fetch CRLs" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + { + name = "Policy-fetch" + priority = "170" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "18191" + description = "Allow security gateways to fetch policy" + source_address_prefix = "*" + destination_address_prefix = "*" + } + ] +} + +resource "azurerm_network_interface_security_group_association" "security_group_association" { + depends_on = [azurerm_network_interface.nic] + network_interface_id = azurerm_network_interface.nic.id + network_security_group_id = var.nsg_id == "" ? 
module.network-security-group[0].network_security_group_id: var.nsg_id +} + +resource "azurerm_network_interface" "nic" { + depends_on = [ + azurerm_public_ip.public-ip] + name = "${var.mgmt_name}-eth0" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + enable_ip_forwarding = false + + ip_configuration { + name = "ipconfig1" + subnet_id = data.azurerm_subnet.mgmt_subnet.id + private_ip_address_allocation = var.vnet_allocation_method + private_ip_address = var.subnet_1st_Address + public_ip_address_id = azurerm_public_ip.public-ip.id + } +} + +//********************** Storage accounts **************************// +// Generate random text for a unique storage account name +resource "random_id" "randomId" { + keepers = { + # Generate a new ID only when a new resource group is defined + resource_group = module.common.resource_group_name + } + byte_length = 8 +} +resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { + name = "bootdiag${random_id.randomId.hex}" + resource_group_name = module.common.resource_group_name + location = module.common.resource_group_location + account_tier = module.common.storage_account_tier + account_replication_type = module.common.account_replication_type + account_kind = "Storage" + network_rules { + default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow" + ip_rules = module.common.storage_account_ip_rules + } + blob_properties { + delete_retention_policy { + days = "15" + } + } + +} + +//********************** Virtual Machines **************************// +locals { + SSH_authentication_type_condition = var.authentication_type == "SSH Public Key" ? true : false + custom_image_condition = var.source_image_vhd_uri == "noCustomUri" ? false : true +} + +resource "azurerm_image" "custom-image" { + count = local.custom_image_condition ? 
1 : 0 + name = "custom-image" + location = var.location + resource_group_name = module.common.resource_group_name + + os_disk { + os_type = "Linux" + os_state = "Generalized" + blob_uri = var.source_image_vhd_uri + } +} + +resource "azurerm_virtual_machine" "mgmt-vm-instance" { + depends_on = [ + azurerm_network_interface.nic] + location = module.common.resource_group_location + name = var.mgmt_name + network_interface_ids = [ + azurerm_network_interface.nic.id] + resource_group_name = module.common.resource_group_name + vm_size = module.common.vm_size + delete_os_disk_on_termination = module.common.delete_os_disk_on_termination + primary_network_interface_id = azurerm_network_interface.nic.id + + identity { + type = module.common.vm_instance_identity + } + + dynamic "plan" { + for_each = local.custom_image_condition ? [ + ] : [1] + content { + name = module.common.vm_os_sku + publisher = module.common.publisher + product = module.common.vm_os_offer + } + } + + boot_diagnostics { + enabled = module.common.boot_diagnostics + storage_uri = module.common.boot_diagnostics ? 
join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : "" + } + + os_profile { + computer_name = lower(var.mgmt_name) + admin_username = module.common.admin_username + admin_password = module.common.admin_password + custom_data = templatefile("${path.module}/cloud-init.sh", { + installation_type = module.common.installation_type + allow_upload_download = module.common.allow_upload_download + os_version = module.common.os_version + template_name = module.common.template_name + template_version = module.common.template_version + template_type = "terraform" + is_blink = module.common.is_blink + bootstrap_script64 = base64encode(var.bootstrap_script) + location = module.common.resource_group_location + management_GUI_client_network = var.management_GUI_client_network + enable_api = var.mgmt_enable_api + admin_shell = var.admin_shell + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash + }) + } + + + os_profile_linux_config { + disable_password_authentication = local.SSH_authentication_type_condition + + dynamic "ssh_keys" { + for_each = local.SSH_authentication_type_condition ? [ + 1] : [] + content { + path = "/home/notused/.ssh/authorized_keys" + key_data = file("${path.module}/azure_public_key") + } + } + } + + storage_image_reference { + id = local.custom_image_condition ? azurerm_image.custom-image[0].id : null + publisher = local.custom_image_condition ? null : module.common.publisher + offer = module.common.vm_os_offer + sku = module.common.vm_os_sku + version = module.common.vm_os_version + } + + storage_os_disk { + name = var.mgmt_name + create_option = module.common.storage_os_disk_create_option + caching = module.common.storage_os_disk_caching + managed_disk_type = module.common.storage_account_type + disk_size_gb = module.common.disk_size + } +} \ No newline at end of file 
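Review bot: The `Logs`, `ICA-pull`, `CRL-fetch` and `Policy-fetch` rules in the `network-security-group` module call (ports 257, 18210, 18264 and 18191) use `source_address_prefix = "*"`, so whenever the default NSG is created those ports are reachable from any address, while only the GUI/SSH rules are scoped to `var.management_GUI_client_network`. The gateways this server manages sit in known networks, so the four rules should take an input, e.g. `source_address_prefix = var.gateways_network`, declared in variables.tf with `default = "*"` so existing users keep today's behaviour. Separately, `key_data = file("${path.module}/azure_public_key")` reads a file this patch adds empty (blob `e69de29b`), so choosing `"SSH Public Key"` without editing it fails at apply time inside Azure rather than at plan; a local using the repo's existing `index()`-style guard, or a `validation` block on `authentication_type`, would surface it earlier. The same rule set is repeated in the management-new-vnet main.tf at the end of this chunk.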
diff --git a/terraform/azure/management-existing-vnet/terraform.tfvars b/terraform/azure/management-existing-vnet/terraform.tfvars new file mode 100755 index 00000000..ea2f8f7e --- /dev/null +++ b/terraform/azure/management-existing-vnet/terraform.tfvars 
@@ -0,0 +1,30 @@
+#PLEASE refer to the README.md for accepted values FOR THE VARIABLES BELOW
+client_secret = "PLEASE ENTER CLIENT SECRET" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+client_id = "PLEASE ENTER CLIENT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+tenant_id = "PLEASE ENTER TENANT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+subscription_id = "PLEASE ENTER SUBSCRIPTION ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+source_image_vhd_uri = "PLEASE ENTER SOURCE IMAGE VHD URI OR noCustomUri" # "noCustomUri"
+resource_group_name = "PLEASE ENTER RESOURCE GROUP NAME" # "checkpoint-mgmt-terraform"
+mgmt_name = "PLEASE ENTER MANAGEMENT NAME" # "checkpoint-mgmt-terraform"
+location = "PLEASE ENTER LOCATION" # "eastus"
+vnet_name = "PLEASE ENTER VIRTUAL NETWORK NAME" # "checkpoint-mgmt-vnet"
+vnet_resource_group = "PLEASE ENTER VIRTUAL NETWORK'S RESOURCE GROUP NAME" # "existing-vnet"
+management_subnet_name = "PLEASE ENTER MGMT SUBNET NAME" # "mgmt-subnet"
+subnet_1st_Address = "PLEASE ENTER AVAILABLE ADDRESS OF THE SUBNET" # "10.0.1.4"
+management_GUI_client_network = "PLEASE ENTER A MANAGEMENT GUI CLIENT NETWORK" # "0.0.0.0/0"
+mgmt_enable_api = "PLEASE ENTER FOR WHOM TO ENABLE API ACCESS OR disable" # "disable"
+admin_password = "PLEASE ENTER ADMIN PASSWORD" # "xxxxxxxxxxxx"
+vm_size = "PLEASE ENTER VM SIZE" # "Standard_D3_v2"
+disk_size = "PLEASE ENTER DISK SIZE" # "110"
+vm_os_sku = "PLEASE ENTER VM SKU" # "mgmt-byol"
+vm_os_offer = "PLEASE ENTER VM OFFER" # "check-point-cg-r8110"
+os_version = "PLEASE ENTER GAIA OS VERSION" # "R8110"
+bootstrap_script = "PLEASE ENTER CUSTOM SCRIPT OR LEAVE EMPTY DOUBLE QUOTES" # "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
+allow_upload_download = "PLEASE ENTER true or false" # true
+authentication_type = "PLEASE ENTER AUTHENTICATION TYPE" # "Password"
+admin_shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh"
+serial_console_password_hash = "PLEASE ENTER SERIAL CONSOLE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+nsg_id = "PLEASE ENTER NETWORK SECURITY GROUP ID" # ""
+add_storage_account_ip_rules = "PLEASE ENTER true or false" # false
+storage_account_additional_ips = "PLEASE ENTER A LIST OF VALID IPS/CIDRS" # []
\ No newline at end of file
diff --git a/terraform/azure/management-existing-vnet/variables.tf b/terraform/azure/management-existing-vnet/variables.tf
new file mode 100755
index 00000000..6030652b
--- /dev/null
+++ b/terraform/azure/management-existing-vnet/variables.tf
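Review bot: This `terraform.tfvars` is the file Terraform loads automatically, and once a user replaces the placeholders it holds `client_secret`, `admin_password` and two password hashes alongside the code; the README notes the Service Principal values can come from environment variables instead, but nothing in this file says so. A first-line comment would lower the chance of a populated copy landing in version control: `# Do not commit this file after filling it in: it holds client_secret, admin_password and password hashes; the four credential values may be left as "" and supplied via environment variables instead`. The `allow_upload_download` and `add_storage_account_ip_rules` placeholders are strings for variables typed `bool`, so `terraform plan` fails on type conversion until they are edited, which the header could also state.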
@@ -0,0 +1,251 @@ +//********************** Basic Configuration Variables **************************// +variable "mgmt_name" { + description = "Management name" + type = string +} + +variable "resource_group_name" { + description = "Azure Resource Group name to build into" + type = string +} + +variable "location" { + description = "The location/region where resource will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions" + type = string +} + +//********************** Virtual Machine Instances Variables **************************// +variable "source_image_vhd_uri" { + type = string + description = "The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images." + default = "noCustomUri" +} + +variable "admin_username" { + description = "Administrator username of deployed VM. Due to Azure limitations 'notused' name can be used" + default = "notused" +} + +variable "admin_password" { + description = "Administrator password of deployed Virtual Machine. 
The password must meet the complexity requirements of Azure" + type = string +} + +variable "serial_console_password_hash" { + description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type" + type = string +} + +variable "maintenance_mode_password_hash" { + description = "Maintenance mode password hash, relevant only for R81.20 and higher versions" + type = string +} + +variable "authentication_type" { + description = "Specifies whether a password authentication or SSH Public Key authentication should be used" + type = string +} +locals { // locals for 'authentication_type' allowed values + authentication_type_allowed_values = [ + "Password", + "SSH Public Key" + ] + // will fail if [var.authentication_type] is invalid: + validate_authentication_type_value = index(local.authentication_type_allowed_values, var.authentication_type) +} + +variable "template_name" { + description = "Template name. Should be defined according to deployment type(mgmt, ha, vmss)" + type = string + default = "mgmt_terraform" +} + +variable "template_version" { + description = "Template version. It is recommended to always use the latest template version" + type = string + default = "20230910" +} + +variable "installation_type" { + description = "Installation type" + type = string + default = "management" +} + +variable "vm_size" { + description = "Specifies size of Virtual Machine" + type = string +} + +variable "disk_size" { + description = "Storage data disk size size(GB). 
Select a number between 100 and 3995" + type = string +} + +variable "os_version" { + description = "GAIA OS version" + type = string +} + +locals { // locals for 'vm_os_offer' allowed values + os_version_allowed_values = [ + "R8040", + "R81", + "R8110", + "R8120" + ] + // will fail if [var.os_version] is invalid: + validate_os_version_value = index(local.os_version_allowed_values, var.os_version) +} + +variable "vm_os_sku" { + description = "The sku of the image to be deployed." + type = string +} + +variable "vm_os_offer" { + description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8040, check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" + type = string +} + +locals { // locals for 'vm_os_offer' allowed values + vm_os_offer_allowed_values = [ + "check-point-cg-r8040", + "check-point-cg-r81", + "check-point-cg-r8110", + "check-point-cg-r8120", + ] + // will fail if [var.vm_os_offer] is invalid: + validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer) +} + +variable "allow_upload_download" { + description = "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point" + type = bool +} + +variable "admin_shell" { + description = "The admin shell to configure on machine or the first time" + type = string + default = "/etc/cli.sh" +} + +locals { + admin_shell_allowed_values = [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh" + ] + // Will fail if [var.admin_shell] is invalid + validate_admin_shell_value = index(local.admin_shell_allowed_values, var.admin_shell) +} + +//********************** Networking Variables **************************// +variable "vnet_name" { + description = "Virtual Network name" + type = string +} + +variable "management_subnet_name" { + description = "management subnet name" + type = string +} + +variable "subnet_1st_Address" { + description = "The first available address of the subnet" + type = string +} + +variable "vnet_resource_group" { + description = "Resource group of existing vnet" + type = string +} + +variable "vnet_allocation_method" { + description = "IP address allocation method" + type = string + default = "Static" +} + +variable "management_GUI_client_network" { + description = "Allowed GUI clients - GUI clients network CIDR" + type = string +} + +variable "mgmt_enable_api" { + description = "Enable api access to the management. allowed values: all, management_only, gui_clients, disable" + type = string + default = "disable" +} + +locals { + regex_valid_management_GUI_client_network = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))$" + // Will fail if var.management_GUI_client_network is invalid + regex_management_GUI_client_network = regex(local.regex_valid_management_GUI_client_network, var.management_GUI_client_network) == var.management_GUI_client_network ? 0 : "Variable [management_GUI_client_network] must be a valid IPv4 network CIDR." 
+ + mgmt_enable_api_allowed_values = [ + "disable", + "all", + "management_only", + "gui_clients" + ] + // will fail if [var.mgmt_enable_api] is invalid: + validate_mgmt_enable_api_value = index(local.mgmt_enable_api_allowed_values, var.mgmt_enable_api) + + regex_valid_subnet_1st_Address = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$" + // Will fail if var.subnet_1st_Address is invalid + regex_subnet_1st_Address = regex(local.regex_valid_subnet_1st_Address, var.subnet_1st_Address) == var.subnet_1st_Address ? 0 : "Variable [subnet_1st_Address] must be a valid address." +} + +variable "bootstrap_script" { + description = "An optional script to run on the initial boot" + default = "" + type = string + #example: + #"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" +} + +variable "nsg_id" { + description = "NSG ID - Optional - if empty use default NSG" + default = "" +} + +variable "add_storage_account_ip_rules" { + type = bool + default = false + description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location" +} + +variable "storage_account_additional_ips" { + type = list(string) + description = "IPs/CIDRs that are allowed access to the Storage Account" + default = [] +} +//********************** Credentials **************************// + +variable "tenant_id" { + description = "Tenant ID" + type = string +} + +variable "subscription_id" { + description = "Subscription ID" + type = string +} + +variable "client_id" { + description = "Application ID(Client ID)" + type = string +} + +variable "client_secret" { + description = "A secret string that the application uses to prove its identity when requesting a token. Also can be referred to as application password." + type = string +} + +variable "sku" { + description = "SKU" + type = string + default = "Standard" +} 
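Review bot: `client_secret`, `admin_password`, `serial_console_password_hash` and `maintenance_mode_password_hash` are declared without `sensitive = true`, so their values appear in plan output and in the `module.common` argument diff; versions.tf pins `required_version = ">= 0.14.3"` and the `sensitive` variable argument exists from 0.14, so adding `sensitive = true` to those four blocks costs nothing. `nsg_id` and `admin_username` are the only variables here with no `type`; `type = string` would make a mistyped value fail at plan instead of downstream. The `index()`-in-locals pattern used for `authentication_type`, `os_version`, `vm_os_offer`, `admin_shell` and `mgmt_enable_api` does fail the plan, but with a generic element-not-found error rather than the variable's name; `validation { condition = contains(local.os_version_allowed_values, var.os_version) error_message = "..." }` blocks, available since 0.13, would keep each check next to its variable with a readable message. The comment above `os_version_allowed_values` reads `locals for 'vm_os_offer' allowed values` and should say `'os_version'`.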
diff --git a/terraform/azure/management-existing-vnet/versions.tf b/terraform/azure/management-existing-vnet/versions.tf new file mode 100755 index 00000000..0d5ca4f3 --- /dev/null +++ b/terraform/azure/management-existing-vnet/versions.tf @@ -0,0 +1,12 @@ +terraform { + required_version = ">= 0.14.3" + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = "~> 3.81.0" + } + random = { + version = "~> 3.5.1" + } + } +} \ No newline at end of file diff --git a/terraform/azure/management-new-vnet/README.md b/terraform/azure/management-new-vnet/README.md new file mode 100755 index 00000000..f744dccc --- /dev/null +++ b/terraform/azure/management-new-vnet/README.md @@ -0,0 +1,187 @@ +# Check Point CloudGuard IaaS Management Terraform deployment for Azure + +This Terraform module deploys Check Point CloudGuard IaaS Management solution into a new Vnet in Azure. +As part of the deployment the following resources are created: +- Resource group +- Virtual network +- Network security group +- Virtual Machine +- System assigned identity + +This solution uses the following modules: +- /terraform/azure/modules/common - used for creating a resource group and defining common variables. +- /terraform/azure/modules/vnet - used for creating new virtual network and subnets. +- /terraform/azure/modules/network-security-group - used for creating new network security groups and rules. + + +## Configurations +- Install and configure Terraform to provision Azure resources: [Configure Terraform for Azure](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/terraform-install-configure) +- In order to use ssh connection to VMs, it is **required** to add a public key to the /terraform/azure/management-new-vnet/azure_public_key file. + +## Usage +- Choose the preferred login method to Azure in order to deploy the solution: +
1. Using Service Principal: + - Create a [Service Principal](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal) (or use the existing one) + - Grant the Service Principal at least "**Managed Application Contributor**", "**Storage Account Contributor**", "**Network Contributor**", "**Virtual Machine Contributor**" permissions to the Azure subscription
+ - The Service Principal credentials can be stored either in the terraform.tfvars or as [Environment Variables](https://www.terraform.io/docs/providers/azuread/guides/service_principal_client_secret.html)
+ + In case the Environment Variables are used, perform modifications described below:
+ + a. The next lines in the main.tf file, in the provider azurerm resource, need to be deleted or commented: + + provider "azurerm" { + + // subscription_id = var.subscription_id + // client_id = var.client_id + // client_secret = var.client_secret + // tenant_id = var.tenant_id + + features {} + } + + b. In the terraform.tfvars file leave empty double quotes for client_secret, client_id , tenant_id and subscription_id variables: + + client_secret = "" + client_id = "" + tenant_id = "" + subscription_id = "" + +
2. Using **az** commands from a command-line: + - Run **az login** command + - Sign in with your account credentials in the browser + - [Accept Azure Marketplace image terms](https://docs.microsoft.com/en-us/cli/azure/vm/image/terms?view=azure-cli-latest) by running: +
**az vm image terms accept --urn publisher:offer:sku:version**, where: + - publisher = checkpoint; + - offer = vm_os_offer (see accepted values in the table below); + - sku = vm_os_sku (see accepted values in the table below); + - version = latest
+
Example:
+ az vm image terms accept --urn checkpoint:check-point-cg-r8040:sg-byol:latest + + - In the terraform.tfvars file leave empty double quotes for client_secret, client_id and tenant_id variables. + +- Fill all variables in the /terraform/azure/management-new-vnet/terraform.tfvars file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + + terraform init +- Create an execution plan: + + terraform plan +- Create or modify the deployment: + + terraform apply + +### terraform.tfvars variables: + | Name | Description | Type | Allowed values | Default | + | ------------- | ------------- | ------------- | ------------- | ------------- | + | **client_secret** | The client secret of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **client_id** | The client ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | | n/a + | | | | | | + | **source_image_vhd_uri** | The URI of the blob containing the development image. 
Please use noCustomUri if you want to use marketplace images | string | | "noCustomUri" + | | | | | | + | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | n/a + | | | | | | + | **mgmt_name** | Management name | string | | n/a + | | | | | | + | **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | n/a + | | | | | | + | **vnet_name** | The name of virtual network that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | n/a + | | | | | | + | **address_space** | The address space that is used by a Virtual Network | string | A valid address in CIDR notation | "10.0.0.0/16" + | | | | | | + | **subnet_prefix** | Address prefix to be used for network subnet | string | A valid address in CIDR notation | "10.0.0.0/24" + | | | | | | + | **management_GUI_client_network** | Allowed GUI clients - GUI clients network CIDR | string | | n/a + | | | | | | + | **mgmt_enable_api** | Enable api access to the management | string | - "all";
- "management_only";
- "gui_clients"
- "disable"; | "disable" + | | | | | | + | **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | n/a + | | | | | | + | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | n/a + | | | | | | + | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | n/a + | | | | | | + | 
**vm_os_sku** | A sku of the image to be deployed | string | "mgmt-byol" - BYOL license;
"mgmt-25" - PAYG; | n/a + | | | | | | + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | | | | | | + | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120";| n/a + | | | | | | + | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | "" + | | | | | | + | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | n/a + | | | | | | + | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | n/a + | | | | | | + | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | "/etc/cli.sh" + | | | | | | + | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here | string | | n/a + | | | | | | + | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | | n/a + | | | | | | + | **nsg_id** | Optional ID for a Network Security Group that already exists in Azure, if not provided, will create a default NSG | string | Existing NSG resource ID | "" + | | | | | | + | **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false; | false + | | | | | | + | **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs | [] + + +## Example + client_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + client_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + tenant_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + subscription_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + source_image_vhd_uri = "noCustomUri" + resource_group_name = "checkpoint-mgmt-terraform" + mgmt_name = "checkpoint-mgmt-terraform" + location = "eastus" + vnet_name = "checkpoint-mgmt-vnet" + address_space = "10.0.0.0/16" + subnet_prefix = "10.0.0.0/24" + management_GUI_client_network = "0.0.0.0/0" + mgmt_enable_api = "disable" + admin_password = "xxxxxxxxxxxx" + vm_size = "Standard_D3_v2" + disk_size = "110" + vm_os_sku = "mgmt-byol" + vm_os_offer = "check-point-cg-r8110" + os_version = "R8110" + bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" + allow_upload_download = true + authentication_type = "Password" + admin_shell = "/etc/cli.sh" + serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + nsg_id = "" + add_storage_account_ip_rules = false + storage_account_additional_ips = [] + +## Revision History +In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +| ---------------- | ------------- | +| 20240613 | - Updated Azure Terraform provider version
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Updated Public IP sku to Standard
- Added validation for os_version & os_offer | +| | | | +| 20230910 | - R81.20 is the default version | +| | | | +| 20221124 | - Added R81.20 support
- Upgraded azurerm provider | +| | | | +| 20220111 | - Added support to select different shells | +| | | | +| 20210309 | - Add "source_image_vhd_uri" variable for using a custom development image | +| | | | +| 20210111 | First release of Check Point CloudGuard IaaS Management Terraform deployment into a new Vnet in Azure | +| | | | +| | Addition of "templateType" parameter to "cloud-version" files | +| | | | + +## License + +See the [LICENSE](../../LICENSE) file for details + diff --git a/terraform/azure/management-new-vnet/azure_public_key b/terraform/azure/management-new-vnet/azure_public_key new file mode 100755 index 00000000..e69de29b diff --git a/terraform/azure/management-new-vnet/cloud-init.sh b/terraform/azure/management-new-vnet/cloud-init.sh new file mode 100755 index 00000000..4639554e --- /dev/null +++ b/terraform/azure/management-new-vnet/cloud-init.sh @@ -0,0 +1,16 @@ +#!/usr/bin/python3 /etc/cloud_config.py + +installationType="${installation_type}" +allowUploadDownload="${allow_upload_download}" +osVersion="${os_version}" +templateName="${template_name}" +templateVersion="${template_version}" +templateType="${template_type}" +isBlink="${is_blink}" +bootstrapScript64="${bootstrap_script64}" +location="${location}" +managementGUIClientNetwork="${management_GUI_client_network}" +enableApi="${enable_api}" +adminShell="${admin_shell}" +passwordHash="${serial_console_password_hash}" +MaintenanceModePassword="${maintenance_mode_password_hash}" diff --git a/terraform/azure/management-new-vnet/main.tf b/terraform/azure/management-new-vnet/main.tf new file mode 100755 index 00000000..77c16ac6 --- /dev/null +++ b/terraform/azure/management-new-vnet/main.tf 
@@ -0,0 +1,316 @@ +//********************** Providers **************************// +provider "azurerm" { + subscription_id = var.subscription_id + client_id = var.client_id + client_secret = var.client_secret + tenant_id = var.tenant_id + + features {} +} + +//********************** Basic Configuration **************************// +module "common" { + source = "../modules/common" + resource_group_name = var.resource_group_name + location = var.location + admin_password = var.admin_password + installation_type = var.installation_type + template_name = var.template_name + template_version = var.template_version + number_of_vm_instances = 1 + allow_upload_download = var.allow_upload_download + vm_size = var.vm_size + disk_size = var.disk_size + is_blink = false + os_version = var.os_version + vm_os_sku = var.vm_os_sku + vm_os_offer = var.vm_os_offer + authentication_type = var.authentication_type + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash + storage_account_additional_ips = var.storage_account_additional_ips +} + +//********************** Networking **************************// +module "vnet" { + source = "../modules/vnet" + + vnet_name = var.vnet_name + resource_group_name = module.common.resource_group_name + location = module.common.resource_group_location + address_space = var.address_space + subnet_prefixes = [var.subnet_prefix] + subnet_names = ["${var.mgmt_name}-subnet"] + nsg_id = var.nsg_id == "" ? module.network-security-group[0].network_security_group_id: var.nsg_id +} + +module "network-security-group" { + source = "../modules/network-security-group" + count = var.nsg_id == "" ? 
1 : 0 + resource_group_name = module.common.resource_group_name + security_group_name = "${module.common.resource_group_name}-nsg" + location = module.common.resource_group_location + security_rules = [ + { + name = "SSH" + priority = "100" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "22" + description = "Allow inbound SSH connection" + source_address_prefix = var.management_GUI_client_network + destination_address_prefix = "*" + }, + { + name = "GAiA-portal" + priority = "110" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "443" + description = "Allow inbound HTTPS access to the GAiA portal" + source_address_prefix = var.management_GUI_client_network + destination_address_prefix = "*" + }, + { + name = "SmartConsole-1" + priority = "120" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "18190" + description = "Allow inbound access using the SmartConsole GUI client" + source_address_prefix = var.management_GUI_client_network + destination_address_prefix = "*" + }, + { + name = "SmartConsole-2" + priority = "130" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "19009" + description = "Allow inbound access using the SmartConsole GUI client" + source_address_prefix = var.management_GUI_client_network + destination_address_prefix = "*" + }, + { + name = "Logs" + priority = "140" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "257" + description = "Allow inbound logging connections from managed gateways" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + { + name = "ICA-pull" + priority = "150" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + 
destination_port_ranges = "18210" + description = "Allow security gateways to pull a SIC certificate" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + { + name = "CRL-fetch" + priority = "160" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "18264" + description = "Allow security gateways to fetch CRLs" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + { + name = "Policy-fetch" + priority = "170" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "18191" + description = "Allow security gateways to fetch policy" + source_address_prefix = "*" + destination_address_prefix = "*" + } + ] +} + +resource "azurerm_public_ip" "public-ip" { + name = var.mgmt_name + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + allocation_method = var.vnet_allocation_method + sku = var.sku + idle_timeout_in_minutes = 30 + domain_name_label = join("", [ + lower(var.mgmt_name), + "-", + random_id.randomId.hex]) +} + +resource "azurerm_network_interface_security_group_association" "security_group_association" { + depends_on = [azurerm_network_interface.nic, module.network-security-group] + network_interface_id = azurerm_network_interface.nic.id + network_security_group_id = var.nsg_id == "" ? 
module.network-security-group[0].network_security_group_id: var.nsg_id +} + +resource "azurerm_network_interface" "nic" { + depends_on = [ + azurerm_public_ip.public-ip] + name = "${var.mgmt_name}-eth0" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + enable_ip_forwarding = false + + ip_configuration { + name = "ipconfig1" + subnet_id = module.vnet.vnet_subnets[0] + private_ip_address_allocation = var.vnet_allocation_method + private_ip_address = cidrhost(var.subnet_prefix, 4) + public_ip_address_id = azurerm_public_ip.public-ip.id + } +} + +//********************** Storage accounts **************************// +// Generate random text for a unique storage account name +resource "random_id" "randomId" { + keepers = { + # Generate a new ID only when a new resource group is defined + resource_group = module.common.resource_group_name + } + byte_length = 8 +} +resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { + name = "bootdiag${random_id.randomId.hex}" + resource_group_name = module.common.resource_group_name + location = module.common.resource_group_location + account_tier = module.common.storage_account_tier + account_replication_type = module.common.account_replication_type + account_kind = "Storage" + network_rules { + default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow" + ip_rules = module.common.storage_account_ip_rules + } + blob_properties { + delete_retention_policy { + days = "15" + } + } +} + +//********************** Virtual Machines **************************// +locals { + SSH_authentication_type_condition = var.authentication_type == "SSH Public Key" ? true : false + custom_image_condition = var.source_image_vhd_uri == "noCustomUri" ? false : true +} + +resource "azurerm_image" "custom-image" { + count = local.custom_image_condition ? 
1 : 0 + name = "custom-image" + location = var.location + resource_group_name = module.common.resource_group_name + + os_disk { + os_type = "Linux" + os_state = "Generalized" + blob_uri = var.source_image_vhd_uri + } +} + +resource "azurerm_virtual_machine" "mgmt-vm-instance" { + depends_on = [ + azurerm_network_interface.nic] + location = module.common.resource_group_location + name = var.mgmt_name + network_interface_ids = [ + azurerm_network_interface.nic.id] + resource_group_name = module.common.resource_group_name + vm_size = module.common.vm_size + delete_os_disk_on_termination = module.common.delete_os_disk_on_termination + primary_network_interface_id = azurerm_network_interface.nic.id + + identity { + type = module.common.vm_instance_identity + } + + dynamic "plan" { + for_each = local.custom_image_condition ? [ + ] : [1] + content { + name = module.common.vm_os_sku + publisher = module.common.publisher + product = module.common.vm_os_offer + } + } + + boot_diagnostics { + enabled = module.common.boot_diagnostics + storage_uri = module.common.boot_diagnostics ? 
join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : "" + } + + os_profile { + computer_name = lower(var.mgmt_name) + admin_username = module.common.admin_username + admin_password = module.common.admin_password + custom_data = templatefile("${path.module}/cloud-init.sh", { + installation_type = module.common.installation_type + allow_upload_download = module.common.allow_upload_download + os_version = module.common.os_version + template_name = module.common.template_name + template_version = module.common.template_version + template_type = "terraform" + is_blink = module.common.is_blink + bootstrap_script64 = base64encode(var.bootstrap_script) + location = module.common.resource_group_location + management_GUI_client_network = var.management_GUI_client_network + enable_api = var.mgmt_enable_api + admin_shell = var.admin_shell + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash + }) + } + + os_profile_linux_config { + disable_password_authentication = local.SSH_authentication_type_condition + + dynamic "ssh_keys" { + for_each = local.SSH_authentication_type_condition ? [ + 1] : [] + content { + path = "/home/notused/.ssh/authorized_keys" + key_data = file("${path.module}/azure_public_key") + } + } + } + + storage_image_reference { + id = local.custom_image_condition ? azurerm_image.custom-image[0].id : null + publisher = local.custom_image_condition ? null : module.common.publisher + offer = module.common.vm_os_offer + sku = module.common.vm_os_sku + version = module.common.vm_os_version + } + + storage_os_disk { + name = var.mgmt_name + create_option = module.common.storage_os_disk_create_option + caching = module.common.storage_os_disk_caching + managed_disk_type = module.common.storage_account_type + disk_size_gb = module.common.disk_size + } +} 
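Review bot: The default NSG rules `Logs` (257), `ICA-pull` (18210), `CRL-fetch` (18264) and `Policy-fetch` (18191) use `source_address_prefix = "*"` while the NIC is attached to `azurerm_public_ip.public-ip`, so four management-server services are reachable from any Internet address and only SSH/443/18190/19009 are scoped to `management_GUI_client_network`; nothing in the module lets an operator narrow them. Consider a `managed_gateways_network` variable (declared in variables.tf, outside this hunk) that defaults to `"*"` for compatibility, and use `source_address_prefix = var.managed_gateways_network` in those four rules so deployments whose gateways live in known ranges can lock the ports down. Separately, the boot-diagnostics storage account keeps `default_action = "Allow"` unless `add_storage_account_ip_rules` is set and does not pin `min_tls_version`, presumably relying on the azurerm 3.x defaults; a one-line comment saying so would help the next reviewer.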
diff --git a/terraform/azure/management-new-vnet/terraform.tfvars b/terraform/azure/management-new-vnet/terraform.tfvars new file mode 100755 index 00000000..163314eb --- /dev/null +++ b/terraform/azure/management-new-vnet/terraform.tfvars 
@@ -0,0 +1,29 @@ +#PLEASE refer to the README.md for accepted values FOR THE VARIABLES BELOW +client_secret = "PLEASE ENTER CLIENT SECRET" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +client_id = "PLEASE ENTER CLIENT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +tenant_id = "PLEASE ENTER TENANT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +subscription_id = "PLEASE ENTER SUBSCRIPTION ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +source_image_vhd_uri = "PLEASE ENTER SOURCE IMAGE VHD URI OR noCustomUri" # "noCustomUri" +resource_group_name = "PLEASE ENTER RESOURCE GROUP NAME" # "checkpoint-mgmt-terraform" +mgmt_name = "PLEASE ENTER MANAGEMENT NAME" # "checkpoint-mgmt-terraform" +location = "PLEASE ENTER LOCATION" # "eastus" +vnet_name = "PLEASE ENTER VIRTUAL NETWORK NAME" # "checkpoint-mgmt-vnet" +address_space = "PLEASE ENTER VIRTUAL NETWORK ADDRESS SPACE" # "10.0.0.0/16" +subnet_prefix = "PLEASE ENTER ADDRESS PREFIX FOR SUBNET" # "10.0.0.0/24" +management_GUI_client_network = "PLEASE ENTER A MANAGEMENT GUI CLIENT NETWORK" # "0.0.0.0/0" +mgmt_enable_api = "PLEASE ENTER FOR WHOM TO ENABLE API ACCESS OR disable" # "disable" +admin_password = "PLEASE ENTER ADMIN PASSWORD" # "xxxxxxxxxxxx" +vm_size = "PLEASE ENTER VM SIZE" # "Standard_D3_v2" +disk_size = "PLEASE ENTER DISK SIZE" # "110" +vm_os_sku = "PLEASE ENTER VM SKU" # "mgmt-byol" +vm_os_offer = "PLEASE ENTER VM OFFER" # "check-point-cg-r8110" +os_version = "PLEASE ENTER GAIA OS VERSION" # "R8110" +bootstrap_script = "PLEASE ENTER CUSTOM SCRIPT OR LEAVE EMPTY DOUBLE QUOTES" # "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" +allow_upload_download = "PLEASE ENTER true or false" # true +authentication_type = "PLEASE ENTER AUTHENTICATION TYPE" # "Password" +admin_shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh" +serial_console_password_hash = "PLEASE ENTER SERIAL CONSOLE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE 
MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +nsg_id = "PLEASE ENTER NETWORK SECURITY GROUP ID" # "" +add_storage_account_ip_rules = "PLEASE ENTER true or false" # false +storage_account_additional_ips = "PLEASE ENTER A LIST OF VALID IPS/CIDRS" # [] \ No newline at end of file diff --git a/terraform/azure/management-new-vnet/variables.tf b/terraform/azure/management-new-vnet/variables.tf new file mode 100755 index 00000000..63839bd0 --- /dev/null +++ b/terraform/azure/management-new-vnet/variables.tf 
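Review bot: `client_secret` and `admin_password` sit in this committed tfvars next to non-secret settings, so the documented workflow (fill in every placeholder, `terraform apply`) leaves a Service Principal secret and the management admin password in a file that is one `git add` away from version control; the patch adds a .gitignore but it is outside this hunk, so whether `*.tfvars` is excluded cannot be confirmed here. Consider replacing those two placeholders with a pointer to the environment, e.g. `# client_secret: prefer ARM_CLIENT_SECRET / TF_VAR_admin_password over storing values in this file`. The inline example `# "0.0.0.0/0"` for `management_GUI_client_network` passes the variables.tf regex and, per the NSG rules in main.tf, opens SSH, 443, 18190 and 19009 to every source; an example such as `# "203.0.113.0/24"` would steer operators toward a restricted client network.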
@@ -0,0 +1,249 @@ +//********************** Basic Configuration Variables **************************// +variable "mgmt_name" { + description = "Management name" + type = string +} + +variable "resource_group_name" { + description = "Azure Resource Group name to build into" + type = string +} + +variable "location" { + description = "The location/region where resource will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions" + type = string +} + +//********************** Virtual Machine Instances Variables **************************// +variable "source_image_vhd_uri" { + type = string + description = "The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images." + default = "noCustomUri" +} + +variable "admin_username" { + description = "Administrator username of deployed VM. Due to Azure limitations 'notused' name can be used" + default = "notused" +} + +variable "admin_password" { + description = "Administrator password of deployed Virtual Macine. 
The password must meet the complexity requirements of Azure" + type = string +} + +variable "serial_console_password_hash" { + description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type" + type = string +} + +variable "maintenance_mode_password_hash" { + description = "Maintenance mode password hash, relevant only for R81.20 and higher versions" + type = string +} + +variable "authentication_type" { + description = "Specifies whether a password authentication or SSH Public Key authentication should be used" + type = string +} +locals { // locals for 'authentication_type' allowed values + authentication_type_allowed_values = [ + "Password", + "SSH Public Key" + ] + // will fail if [var.authentication_type] is invalid: + validate_authentication_type_value = index(local.authentication_type_allowed_values, var.authentication_type) +} +variable "template_name" { + description = "Template name. Should be defined according to deployment type(mgmt, ha, vmss)" + type = string + default = "mgmt_terraform" +} + +variable "template_version" { + description = "Template version. It is reccomended to always use the latest template version" + type = string + default = "20230910" +} + +variable "installation_type" { + description = "Installaiton type" + type = string + default = "management" +} + +variable "vm_size" { + description = "Specifies size of Virtual Machine" + type = string +} + +variable "disk_size" { + description = "Storage data disk size size(GB). 
Select a number between 100 and 3995" + type = string +} + +variable "os_version" { + description = "GAIA OS version" + type = string +} + +locals { // locals for 'vm_os_offer' allowed values + os_version_allowed_values = [ + "R8040", + "R81", + "R8110", + "R8120", + ] + // will fail if [var.os_version] is invalid: + validate_os_version_value = index(local.os_version_allowed_values, var.os_version) +} + +variable "vm_os_sku" { + description = "The sku of the image to be deployed." + type = string +} + +variable "vm_os_offer" { + description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8040, check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" + type = string +} + +locals { // locals for 'vm_os_offer' allowed values + vm_os_offer_allowed_values = [ + "check-point-cg-r8040", + "check-point-cg-r81", + "check-point-cg-r8110", + "check-point-cg-r8120" + ] + // will fail if [var.vm_os_offer] is invalid: + validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer) +} + +variable "allow_upload_download" { + description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + type = bool +} + +variable "admin_shell" { + description = "The admin shell to configure on machine or the first time" + type = string + default = "/etc/cli.sh" +} + +locals { + admin_shell_allowed_values = [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh" + ] + // Will fail if [var.admin_shell] is invalid + validate_admin_shell_value = index(local.admin_shell_allowed_values, var.admin_shell) +} + +//********************** Natworking Variables **************************// +variable "vnet_name" { + description = "Virtual Network name" + type = string +} + +variable "address_space" { + description = "The address space that is used by a Virtual Network." 
+ type = string + default = "10.0.0.0/16" +} + +variable "subnet_prefix" { + description = "Address prefix to be used for network subnet" + type = string + default = "10.0.0.0/24" +} + +variable "vnet_allocation_method" { + description = "IP address allocation method" + type = string + default = "Static" +} + +variable "management_GUI_client_network" { + description = "Allowed GUI clients - GUI clients network CIDR" + type = string +} + +variable "mgmt_enable_api" { + description = "Enable api access to the management. allowed values: all, management_only, gui_clients, disable" + type = string + default = "disable" +} + +locals { + regex_valid_management_GUI_client_network = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))$" + // Will fail if var.management_GUI_client_network is invalid + regex_management_GUI_client_network = regex(local.regex_valid_management_GUI_client_network, var.management_GUI_client_network) == var.management_GUI_client_network ? 0 : "Variable [management_GUI_client_network] must be a valid IPv4 network CIDR." + + mgmt_enable_api_allowed_values = [ + "disable", + "all", + "management_only", + "gui_clients" + ] + // will fail if [var.mgmt_enable_api] is invalid: + validate_mgmt_enable_api_value = index(local.mgmt_enable_api_allowed_values, var.mgmt_enable_api) + + regex_valid_network_cidr = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))|$" + // Will fail if var.address_space is invalid + regex_address_space = regex(local.regex_valid_network_cidr, var.address_space) == var.address_space ? 0 : "Variable [address_space] must be a valid address in CIDR notation." + // Will fail if var.subnet_prefix is invalid + regex_subnet_prefix = regex(local.regex_valid_network_cidr, var.subnet_prefix) == var.subnet_prefix ? 0 : "Variable [subnet_prefix] must be a valid address in CIDR notation." 
+} + +variable "bootstrap_script" { + description = "An optional script to run on the initial boot" + default = "" + type = string + #example: + #"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" +} + +variable "nsg_id" { + description = "NSG ID - Optional - if empty use default NSG" + default = "" +} + +variable "add_storage_account_ip_rules" { + type = bool + default = false + description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location" +} + +variable "storage_account_additional_ips" { + type = list(string) + description = "IPs/CIDRs that are allowed access to the Storage Account" + default = [] +} +//********************** Credentials **************************// + +variable "tenant_id" { + description = "Tenant ID" + type = string +} + +variable "subscription_id" { + description = "Subscription ID" + type = string +} + +variable "client_id" { + description = "Aplication ID(Client ID)" + type = string +} + +variable "client_secret" { + description = "A secret string that the application uses to prove its identity when requesting a token. Also can be referred to as application password." + type = string +} + +variable "sku" { + description = "SKU" + type = string + default = "Standard" +} diff --git a/terraform/azure/management-new-vnet/versions.tf b/terraform/azure/management-new-vnet/versions.tf new file mode 100755 index 00000000..0d5ca4f3 --- /dev/null +++ b/terraform/azure/management-new-vnet/versions.tf @@ -0,0 +1,12 @@ +terraform { + required_version = ">= 0.14.3" + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = "~> 3.81.0" + } + random = { + version = "~> 3.5.1" + } + } +} \ No newline at end of file diff --git a/terraform/azure/mds-existing-vnet/README.md b/terraform/azure/mds-existing-vnet/README.md new file mode 100755 index 00000000..7c8003fd --- /dev/null +++ b/terraform/azure/mds-existing-vnet/README.md 
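Review bot: `regex_valid_network_cidr` ends with `|$`, which RE2 parses as `(^<cidr>)|($)`; since `$` matches the end of any string, `regex()` never raises a no-match error and the `regex_address_space` and `regex_subnet_prefix` locals validate nothing — any value of `address_space` or `subnet_prefix` reaches the vnet module and `cidrhost()`. If an empty value is meant to be allowed, wrap the whole CIDR in an optional group instead: `regex_valid_network_cidr = "^(((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9])))?$"`; otherwise reuse `regex_valid_management_GUI_client_network`, which is anchored correctly. Note also that the `? 0 : "Variable [...] must be ..."` branches never fail a plan on their own — only the `regex()` error does — so those messages are dead text and a comment saying the error surfaces as a regex no-match would prevent someone "fixing" the pattern later by loosening it. Finally, `client_secret` and `admin_password` (and arguably the two password hashes) lack `sensitive = true`, which `required_version = ">= 0.14.3"` in versions.tf already permits, so they print in plan output.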
@@ -0,0 +1,195 @@ +# Check Point CloudGuard Network Security MDS Terraform deployment for Azure + +This Terraform module deploys Check Point CloudGuard Network Security Management solution into a new Vnet in Azure. +As part of the deployment the following resources are created: +- Resource group +- Network security group +- Virtual Machine +- System assigned identity + +This solution uses the following modules: +- /terraform/azure/modules/common - used for creating a resource group and defining common variables. +- /terraform/azure/modules/network-security-group - used for creating new network security groups and rules. + + +## Configurations +- Install and configure Terraform to provision Azure resources: [Configure Terraform for Azure](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/terraform-install-configure) +- In order to use ssh connection to VMs, it is **required** to add a public key to the /terraform/azure/mds-existing-vnet/azure_public_key file. + +## Usage +- Choose the preferred login method to Azure in order to deploy the solution: +
1. Using Service Principal: + - Create a [Service Principal](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal) (or use the existing one) + - Grant the Service Principal at least "**Managed Application Contributor**", "**Storage Account Contributor**", "**Network Contributor**", "**Virtual Machine Contributor**" permissions to the Azure subscription
+ - The Service Principal credentials can be stored either in the terraform.tfvars or as [Environment Variables](https://www.terraform.io/docs/providers/azuread/guides/service_principal_client_secret.html)
+ + In case the Environment Variables are used, perform modifications described below:
+ + a. The next lines in the main.tf file, in the provider azurerm resource, need to be deleted or commented: + + provider "azurerm" { + + // subscription_id = var.subscription_id + // client_id = var.client_id + // client_secret = var.client_secret + // tenant_id = var.tenant_id + + features {} + } + + b. In the terraform.tfvars file leave empty double quotes for client_secret, client_id , tenant_id and subscription_id variables: + + client_secret = "" + client_id = "" + tenant_id = "" + subscription_id = "" + +
2. Using **az** commands from a command-line: + - Run **az login** command + - Sign in with your account credentials in the browser + - [Accept Azure Marketplace image terms](https://docs.microsoft.com/en-us/cli/azure/vm/image/terms?view=azure-cli-latest) by running: +
**az vm image terms accept --urn publisher:offer:sku:version**, where: + - publisher = checkpoint; + - offer = vm_os_offer (see accepted values in the table below); + - sku = vm_os_sku (see accepted values in the table below); + - version = latest
+
Example:
+ az vm image terms accept --urn checkpoint:check-point-cg-r8040:sg-byol:latest + + - In the terraform.tfvars file leave empty double quotes for client_secret, client_id and tenant_id variables. + +- Fill all variables in the /terraform/azure/mds-existing-vnet/terraform.tfvars file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + + terraform init +- Create an execution plan: + + terraform plan +- Create or modify the deployment: + + terraform apply + +### terraform.tfvars variables: + | Name | Description | Type | Allowed values | Default | + | ------------- | ------------- | ------------- | ------------- | ------------- | + | **client_secret** | The client secret value of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **client_id** | The client ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | | n/a + | | | | | | + | **source_image_vhd_uri** | The URI of the blob containing the development image. 
Please use noCustomUri if you want to use marketplace images | string | | "noCustomUri" + | | | | | | + | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | n/a + | | | | | | + | **mds_name** | MDS name | string | | n/a + | | | | | | + | **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | n/a + | | | | | | + | **vnet_name** | The name of virtual network that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | n/a + | | | | | | + | **vnet_resource_group** | Resource Group of the existing virtual network | string | The exact name of the existing vnet's resource group | n/a + | | | | | | + | **management_subnet_name** | Specifies the name of the external subnet | string | The exact name of the existing external subnet | n/a + | | | | | | + | **subnet_1st_Address** | First available address in management subnet | string | | n/a + | | | | | | + | **management_GUI_client_network** | Allowed GUI clients - GUI clients network CIDR | string | | n/a + | | | | | | + | **mds_enable_api** | Enable api access to the mds | string | - "all";
- "management_only";
- "gui_clients"
- "disable"; | "disable" + | | | | | | + | **admin_password** | The password associated with the local administrator account on the mds | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | n/a + | | | | | | + | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | n/a + | | | | | | + | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | n/a + | | | | | | + | **vm_os_sku** | 
A sku of the image to be deployed | string | "mgmt-byol" - BYOL license;
"mgmt-25" - PAYG; | n/a + | | | | | | + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | | | | | | + | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120";| n/a + | | | | | | + | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | "" + | | | | | | + | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | n/a + | | | | | | + | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | n/a + | | | | | | + | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | "/etc/cli.sh" + | | | | | | + | **sic_key** | Set the Secure Internal Communication one time secret used to set up trust between the primary and secondary servers. SIC key must be provided if installing a secondary Multi-Domain Server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | n/a + | | | | | | + | **installation_type** | Enables to select installation type - gateway/standalone | string | mds-primary;
mds-secondary;
mds-logserver; | n/a + | | | | | | + | **primary** | Indicates if the installation type is mds-primary | boolean | true;
false; | n/a + | | | | | | + | **secondary** | Indicates if the installation type is mds-secondary | boolean | true;
false; | n/a + | | | | | | + | **logserver** | Indicates if the installation type is mds-logserver | boolean | true;
false; | n/a + | | | | | | + | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here | string | | n/a + | | | | | | + | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | | n/a + | | | | | | + | **nsg_id** | Optional ID for a Network Security Group that already exists in Azure, if not provided, will create a default NSG | string | Existing NSG resource ID | "" + | | | | | | + | **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false; | false + | | | | | | + | **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs | [] + + +## Example + client_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + client_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + tenant_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + subscription_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + source_image_vhd_uri = "noCustomUri" + resource_group_name = "checkpoint-mds-rg-terraform" + mds_name = "checkpoint-mds-terraform" + location = "eastus" + vnet_name = "checkpoint-mds-vnet" + vnet_resource_group = "existing-vnet" + management_subnet_name = "mgmt-subnet" + subnet_1st_Address = "10.0.1.4" + management_GUI_client_network = "0.0.0.0/0" + mds_enable_api = "disable" + admin_password = "xxxxxxxxxxxx" + vm_size = "Standard_D3_v2" + disk_size = "110" + vm_os_sku = "mgmt-byol" + vm_os_offer = "check-point-cg-r8110" + os_version = "R8110" + bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" + allow_upload_download = true + authentication_type = "Password" + admin_shell = "/etc/cli.sh" + sic_key = "xxxxxxxxxxxx" + installation_type = "mds-primary" + primary = "true" + secondary = "false" + logserver = "false" + serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + nsg_id = "" + add_storage_account_ip_rules = false + storage_account_additional_ips = [] + +## Revision History +In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|---------------------------------------------------------------------------------------------| +| 20240613 | - Updated Azure Terraform provider version
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Updated Public IP sku to Standard
- Added validation for os_version & os_offer | +| | | | +| 20230910 | - R81.20 is the default version | +| | | | +| 20230629 | First release of Check Point CloudGuard Network Security MDS Terraform deployment for Azure | +| | | | + +## License + +See the [LICENSE](../../LICENSE) file for details + diff --git a/terraform/azure/mds-existing-vnet/azure_public_key b/terraform/azure/mds-existing-vnet/azure_public_key new file mode 100644 index 00000000..e69de29b diff --git a/terraform/azure/mds-existing-vnet/cloud-init.sh b/terraform/azure/mds-existing-vnet/cloud-init.sh new file mode 100755 index 00000000..627de012 --- /dev/null +++ b/terraform/azure/mds-existing-vnet/cloud-init.sh @@ -0,0 +1,20 @@ +#!/usr/bin/python3 /etc/cloud_config.py + +installationType="${installation_type}" +allowUploadDownload="${allow_upload_download}" +osVersion="${os_version}" +templateName="${template_name}" +templateVersion="${template_version}" +templateType="${template_type}" +isBlink="${is_blink}" +bootstrapScript64="${bootstrap_script64}" +location="${location}" +managementGUIClientNetwork="${management_GUI_client_network}" +enableApi="${enable_api}" +adminShell="${admin_shell}" +sicKey="${sic_key}" +primary="${primary}" +secondary="${secondary}" +logserver="${logserver}" +passwordHash="${serial_console_password_hash}" +MaintenanceModePassword="${maintenance_mode_password_hash}" diff --git a/terraform/azure/mds-existing-vnet/main.tf b/terraform/azure/mds-existing-vnet/main.tf new file mode 100755 index 00000000..0c8719f1 --- /dev/null +++ b/terraform/azure/mds-existing-vnet/main.tf 
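Review bot: `sicKey="${sic_key}"` places the SIC one-time secret in plaintext in the rendered custom data, alongside the two password hashes, and that rendered blob is what main.tf passes as `os_profile.custom_data`, so it is stored in the Terraform state and presumably also in the guest agent's cached copy of custom data on the instance — confirm the latter for the CloudGuard image. Since the README calls it a one-time secret, a comment here such as `# one-time SIC secret: consumed at first boot; rotate if this rendering or the state file is exposed` would make the exposure explicit, and the `sic_key` variable (declared outside this hunk) should carry `sensitive = true` so it does not appear in plan output.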
@@ -0,0 +1,316 @@ +//********************** Providers **************************// +provider "azurerm" { + subscription_id = var.subscription_id + client_id = var.client_id + client_secret = var.client_secret + tenant_id = var.tenant_id + + features {} +} + +//********************** Basic Configuration **************************// +module "common" { + source = "../modules/common" + resource_group_name = var.resource_group_name + location = var.location + admin_password = var.admin_password + template_name = var.template_name + installation_type = var.installation_type + template_version = var.template_version + number_of_vm_instances = 1 + allow_upload_download = var.allow_upload_download + vm_size = var.vm_size + disk_size = var.disk_size + is_blink = false + os_version = var.os_version + vm_os_sku = var.vm_os_sku + vm_os_offer = var.vm_os_offer + authentication_type = var.authentication_type + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash + storage_account_additional_ips = var.storage_account_additional_ips +} + +//********************** Networking **************************// +data "azurerm_subnet" "mds_subnet" { + name = var.management_subnet_name + virtual_network_name = var.vnet_name + resource_group_name = var.vnet_resource_group +} + +resource "azurerm_public_ip" "public-ip" { + name = var.mds_name + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + allocation_method = var.vnet_allocation_method + sku = var.sku + idle_timeout_in_minutes = 30 + domain_name_label = join("", [ + lower(var.mds_name), + "-", + random_id.randomId.hex]) +} + +module "network-security-group" { + source = "../modules/network-security-group" + count = var.nsg_id == "" ? 
1 : 0 + resource_group_name = module.common.resource_group_name + security_group_name = "${module.common.resource_group_name}-nsg" + location = module.common.resource_group_location + security_rules = [ + { + name = "SSH" + priority = "100" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "22" + description = "Allow inbound SSH connection" + source_address_prefix = var.management_GUI_client_network + destination_address_prefix = "*" + }, + { + name = "GAiA-portal" + priority = "110" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "443" + description = "Allow inbound HTTPS access to the GAiA portal" + source_address_prefix = var.management_GUI_client_network + destination_address_prefix = "*" + }, + { + name = "SmartConsole-1" + priority = "120" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "18190" + description = "Allow inbound access using the SmartConsole GUI client" + source_address_prefix = var.management_GUI_client_network + destination_address_prefix = "*" + }, + { + name = "SmartConsole-2" + priority = "130" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "19009" + description = "Allow inbound access using the SmartConsole GUI client" + source_address_prefix = var.management_GUI_client_network + destination_address_prefix = "*" + }, + { + name = "Logs" + priority = "140" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "257" + description = "Allow inbound logging connections from managed gateways" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + { + name = "ICA-pull" + priority = "150" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + 
destination_port_ranges = "18210" + description = "Allow security gateways to pull a SIC certificate" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + { + name = "CRL-fetch" + priority = "160" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "18264" + description = "Allow security gateways to fetch CRLs" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + { + name = "Policy-fetch" + priority = "170" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "18191" + description = "Allow security gateways to fetch policy" + source_address_prefix = "*" + destination_address_prefix = "*" + } + ] +} + +resource "azurerm_network_interface_security_group_association" "security_group_association" { + depends_on = [azurerm_network_interface.nic] + network_interface_id = azurerm_network_interface.nic.id + network_security_group_id = var.nsg_id == "" ? 
module.network-security-group[0].network_security_group_id: var.nsg_id +} + +resource "azurerm_network_interface" "nic" { + depends_on = [ + azurerm_public_ip.public-ip] + name = "${var.mds_name}-eth0" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + enable_ip_forwarding = false + + ip_configuration { + name = "ipconfig1" + subnet_id = data.azurerm_subnet.mds_subnet.id + private_ip_address_allocation = var.vnet_allocation_method + private_ip_address = var.subnet_1st_Address + public_ip_address_id = azurerm_public_ip.public-ip.id + } +} + +//********************** Storage accounts **************************// +// Generate random text for a unique storage account name +resource "random_id" "randomId" { + keepers = { + # Generate a new ID only when a new resource group is defined + resource_group = module.common.resource_group_name + } + byte_length = 8 +} +resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { + name = "bootdiag${random_id.randomId.hex}" + resource_group_name = module.common.resource_group_name + location = module.common.resource_group_location + account_tier = module.common.storage_account_tier + account_replication_type = module.common.account_replication_type + account_kind = "Storage" + network_rules { + default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow" + ip_rules = module.common.storage_account_ip_rules + } + blob_properties { + delete_retention_policy { + days = "15" + } + } + +} + +//********************** Virtual Machines **************************// +locals { + SSH_authentication_type_condition = var.authentication_type == "SSH Public Key" ? true : false + custom_image_condition = var.source_image_vhd_uri == "noCustomUri" ? false : true +} + +resource "azurerm_image" "custom-image" { + count = local.custom_image_condition ? 
1 : 0 + name = "custom-image" + location = var.location + resource_group_name = module.common.resource_group_name + + os_disk { + os_type = "Linux" + os_state = "Generalized" + blob_uri = var.source_image_vhd_uri + } +} + +resource "azurerm_virtual_machine" "mds-vm-instance" { + depends_on = [ + azurerm_network_interface.nic] + location = module.common.resource_group_location + name = var.mds_name + network_interface_ids = [ + azurerm_network_interface.nic.id] + resource_group_name = module.common.resource_group_name + vm_size = module.common.vm_size + delete_os_disk_on_termination = module.common.delete_os_disk_on_termination + primary_network_interface_id = azurerm_network_interface.nic.id + + identity { + type = module.common.vm_instance_identity + } + + dynamic "plan" { + for_each = local.custom_image_condition ? [ + ] : [1] + content { + name = module.common.vm_os_sku + publisher = module.common.publisher + product = module.common.vm_os_offer + } + } + + boot_diagnostics { + enabled = module.common.boot_diagnostics + storage_uri = module.common.boot_diagnostics ? 
join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : "" + } + + os_profile { + computer_name = lower(var.mds_name) + admin_username = module.common.admin_username + admin_password = module.common.admin_password + custom_data = templatefile("${path.module}/cloud-init.sh", { + installation_type = var.installation_type + allow_upload_download = module.common.allow_upload_download + os_version = module.common.os_version + template_name = module.common.template_name + template_version = module.common.template_version + template_type = "terraform" + is_blink = module.common.is_blink + bootstrap_script64 = base64encode(var.bootstrap_script) + location = module.common.resource_group_location + management_GUI_client_network = var.management_GUI_client_network + enable_api = var.mds_enable_api + admin_shell = var.admin_shell + sic_key = var.sic_key + primary = var.primary + secondary = var.secondary + logserver = var.logserver + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash + }) + } + + + os_profile_linux_config { + disable_password_authentication = local.SSH_authentication_type_condition + + dynamic "ssh_keys" { + for_each = local.SSH_authentication_type_condition ? [ + 1] : [] + content { + path = "/home/notused/.ssh/authorized_keys" + key_data = file("${path.module}/azure_public_key") + } + } + } + + storage_image_reference { + id = local.custom_image_condition ? azurerm_image.custom-image[0].id : null + publisher = local.custom_image_condition ? 
null : module.common.publisher
+ offer = module.common.vm_os_offer
+ sku = module.common.vm_os_sku
+ version = module.common.vm_os_version
+ }
+
+ storage_os_disk {
+ name = var.mds_name
+ create_option = module.common.storage_os_disk_create_option
+ caching = module.common.storage_os_disk_caching
+ managed_disk_type = module.common.storage_account_type
+ disk_size_gb = module.common.disk_size
+ }
+}
\ No newline at end of file
diff --git a/terraform/azure/mds-existing-vnet/terraform.tfvars b/terraform/azure/mds-existing-vnet/terraform.tfvars
new file mode 100755
index 00000000..61547ee1
--- /dev/null
+++ b/terraform/azure/mds-existing-vnet/terraform.tfvars
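Review bot: The `Logs`, `ICA-pull`, `CRL-fetch` and `Policy-fetch` rules (ports 257, 18210, 18264 and 18191) use `source_address_prefix = "*"`, and the NIC is given `azurerm_public_ip.public-ip`, so whenever `nsg_id` is left empty those management ports are reachable from any Internet address, while the SSH/portal/SmartConsole rules at least narrow to `var.management_GUI_client_network`. A dedicated input for the gateway-side source range (say `gateway_client_network`, a constructed name) defaulting to `"*"` keeps existing callers working and lets the four rules become `source_address_prefix = var.gateway_client_network`. Separately, `azure_public_key` is committed as an empty file (blob `e69de29b`) yet is read with `file()` whenever `authentication_type` is `"SSH Public Key"`, so `key_data` would be empty unless the operator edits it; a `validation` on `authentication_type` or a precondition on the VM that checks `length(file("${path.module}/azure_public_key")) > 0` would fail at plan time instead of at the Azure API. The same NSG block is repeated in the mds-new-vnet `main.tf` hunk that begins at the end of this chunk.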
@@ -0,0 +1,35 @@ +#PLEASE refer to the README.md for accepted values for the variables below +client_secret = "PLEASE ENTER CLIENT SECRET" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +client_id = "PLEASE ENTER CLIENT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +tenant_id = "PLEASE ENTER TENANT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +subscription_id = "PLEASE ENTER SUBSCRIPTION ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +source_image_vhd_uri = "PLEASE ENTER SOURCE IMAGE VHD URI OR noCustomUri" # "noCustomUri" +resource_group_name = "PLEASE ENTER RESOURCE GROUP NAME" # "checkpoint-mds-rg-terraform" +mds_name = "PLEASE ENTER MDS NAME" # "checkpoint-mds-terraform" +location = "PLEASE ENTER LOCATION" # "eastus" +vnet_name = "PLEASE ENTER VIRTUAL NETWORK NAME" # "checkpoint-mds-vnet" +vnet_resource_group = "PLEASE ENTER VIRTUAL NETWORK RESOURCE GROUP NAME" # "existing-vnet" +management_subnet_name = "PLEASE ENTER MANAGEMENT SUBNET NAME" # "mgmt-subnet" +subnet_1st_Address = "PLEASE ENTER SUBNET FIRST ADDRESS" # "10.0.1.4" +management_GUI_client_network = "PLEASE ENTER A MANAGEMENT GUI CLIENT NETWORK" # "0.0.0.0/0" +mds_enable_api = "PLEASE ENTER FOR WHOM TO ENABLE API ACCESS OR disable" # "disable" +admin_password = "PLEASE ENTER ADMIN PASSWORD" # "xxxxxxxxxxxx" +vm_size = "PLEASE ENTER VM SIZE" # "Standard_D3_v2" +disk_size = "PLEASE ENTER DISK SIZE" # "110" +vm_os_sku = "PLEASE ENTER VM SKU" # "mgmt-byol" +vm_os_offer = "PLEASE ENTER VM OFFER" # "check-point-cg-r8110" +os_version = "PLEASE ENTER GAIA OS VERSION" # "R8110" +bootstrap_script = "PLEASE ENTER CUSTOM SCRIPT OR LEAVE EMPTY DOUBLE QUOTES" # "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" +allow_upload_download = "PLEASE ENTER true or false" # true +authentication_type = "PLEASE ENTER AUTHENTICATION TYPE" # "Password" +admin_shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh" +sic_key = "PLEASE ENTER SIC KEY" # "xxxxxxxxxxxx" +installation_type = "PLEASE ENTER 
INSTALLATION TYPE" # "mds-primary" +primary = "PLEASE ENTER true or false" # "true" +secondary = "PLEASE ENTER true or false" # "false" +logserver = "PLEASE ENTER true or false" # "false" +serial_console_password_hash = "PLEASE ENTER SERIAL CONSOLE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +nsg_id = "PLEASE ENTER NETWORK SECURITY GROUP ID" # "" +add_storage_account_ip_rules = "PLEASE ENTER true or false" # false +storage_account_additional_ips = "PLEASE ENTER A LIST OF VALID IPS/CIDRS" # [] \ No newline at end of file diff --git a/terraform/azure/mds-existing-vnet/variables.tf b/terraform/azure/mds-existing-vnet/variables.tf new file mode 100755 index 00000000..8896ceae --- /dev/null +++ b/terraform/azure/mds-existing-vnet/variables.tf 
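Review bot: Several placeholders are typed wrong for the variable they feed: `allow_upload_download` and `add_storage_account_ip_rules` (declared `bool`) and `storage_account_additional_ips` (declared `list(string)`) are given the strings `"PLEASE ENTER true or false"` / `"PLEASE ENTER A LIST OF VALID IPS/CIDRS"`, which Terraform rejects with a type-conversion error before any of the README-based checks the first line points to; if the intent is to force editing, the error is at least misleading. This file is also where operators will paste `client_secret`, `admin_password` and `sic_key`, and the README already describes the environment-variable path for the credentials (`ARM_CLIENT_SECRET` and friends), so a one-line reminder at the top would be cheap: `# Credentials can be supplied via ARM_* environment variables instead; do not commit real values to this file`.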
@@ -0,0 +1,280 @@ +//********************** Basic Configuration Variables **************************// +variable "mds_name" { + description = "MDS name" + type = string +} + +variable "resource_group_name" { + description = "Azure Resource Group name to build into" + type = string +} + +variable "location" { + description = "The location/region where resource will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions" + type = string +} + +//********************** Virtual Machine Instances Variables **************************// +variable "source_image_vhd_uri" { + type = string + description = "The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images." + default = "noCustomUri" +} + +variable "admin_username" { + description = "Administrator username of deployed VM. Due to Azure limitations 'notused' name can be used" + default = "notused" +} + +variable "admin_password" { + description = "Administrator password of deployed Virtual Machine. 
The password must meet the complexity requirements of Azure" + type = string +} + +variable "serial_console_password_hash" { + description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type" + type = string +} + +variable "maintenance_mode_password_hash" { + description = "Maintenance mode password hash, relevant only for R81.20 and higher versions" + type = string +} + +variable "authentication_type" { + description = "Specifies whether a password authentication or SSH Public Key authentication should be used" + type = string +} +locals { // locals for 'authentication_type' allowed values + authentication_type_allowed_values = [ + "Password", + "SSH Public Key" + ] + // will fail if [var.authentication_type] is invalid: + validate_authentication_type_value = index(local.authentication_type_allowed_values, var.authentication_type) +} + +variable "template_name" { + description = "Template name. Should be defined according to deployment type(mds, ha, vmss)" + type = string + default = "mds_terraform" +} + +variable "template_version" { + description = "Template version. It is recommended to always use the latest template version" + type = string + default = "20230910" +} + +variable "installation_type" { + description = "Installaiton type" + type = string + default = "mds-primary" +} + +variable "primary" { + type = string +} + +variable "secondary" { + type = string +} + +variable "logserver" { + type = string +} + +locals { //locals for 'installation_type' + isntallation_type_allowed_values = [ + "mds-primary", + "mds-secondary", + "mds-logserver" + ] +} + +variable "vm_size" { + description = "Specifies size of Virtual Machine" + type = string +} + +variable "disk_size" { + description = "Storage data disk size size(GB). 
Select a number between 100 and 3995" + type = string +} + +variable "os_version" { + description = "GAIA OS version" + type = string +} + +locals { // locals for 'vm_os_offer' allowed values + os_version_allowed_values = [ + "R8040", + "R81", + "R8110", + "R8120" + ] + // will fail if [var.os_version] is invalid: + validate_os_version_value = index(local.os_version_allowed_values, var.os_version) +} + +variable "vm_os_sku" { + description = "The sku of the image to be deployed." + type = string +} + +variable "vm_os_offer" { + description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8040, check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" + type = string +} + +locals { // locals for 'vm_os_offer' allowed values + vm_os_offer_allowed_values = [ + "check-point-cg-r8040", + "check-point-cg-r81", + "check-point-cg-r8110", + "check-point-cg-r8120" + ] + // will fail if [var.vm_os_offer] is invalid: + validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer) +} + +variable "allow_upload_download" { + description = "Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point" + type = bool +} + +variable "admin_shell" { + description = "The admin shell to configure on machine or the first time" + type = string + default = "/etc/cli.sh" +} + +locals { + admin_shell_allowed_values = [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh" + ] + // Will fail if [var.admin_shell] is invalid + validate_admin_shell_value = index(local.admin_shell_allowed_values, var.admin_shell) +} + +//********************** Networking Variables **************************// +variable "vnet_name" { + description = "Virtual Network name" + type = string +} + +variable "management_subnet_name" { + description = "management subnet name" + type = string +} + +variable "subnet_1st_Address" { + description = "The first available address of the subnet" + type = string +} + +variable "vnet_resource_group" { + description = "Resource group of existing vnet" + type = string +} + +variable "vnet_allocation_method" { + description = "IP address allocation method" + type = string + default = "Static" +} + +variable "management_GUI_client_network" { + description = "Allowed GUI clients - GUI clients network CIDR" + type = string + validation { + condition = can(regex("(^0\\.0\\.0\\.0\\/0$)|(^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/32)?$)", var.management_GUI_client_network)) && var.management_GUI_client_network != "0.0.0.0/32" + error_message = "Variable [management_GUI_client_network] must be a valid IPv4 network CIDR (only 0.0.0.0/0, X.X.X.X/32 or X.X.X.X are acceptable)." + } +} + +variable "mds_enable_api" { + description = "Enable api access to the management. 
allowed values: all, management_only, gui_clients, disable" + type = string + default = "disable" +} + +locals { + mds_enable_api_allowed_values = [ + "disable", + "all", + "management_only", + "gui_clients" + ] + // will fail if [var.mds_enable_api] is invalid: + validate_mds_enable_api_value = index(local.mds_enable_api_allowed_values, var.mds_enable_api) + + regex_valid_subnet_1st_Address = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$" + // Will fail if var.subnet_1st_Address is invalid + regex_subnet_1st_Address = regex(local.regex_valid_subnet_1st_Address, var.subnet_1st_Address) == var.subnet_1st_Address ? 0 : "Variable [subnet_1st_Address] must be a valid address." +} + +variable "bootstrap_script" { + description = "An optional script to run on the initial boot" + default = "" + type = string + #example: + #"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" +} + +variable "nsg_id" { + description = "NSG ID - Optional - if empty use default NSG" + default = "" +} + +variable "add_storage_account_ip_rules" { + type = bool + default = false + description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location" +} + +variable "storage_account_additional_ips" { + type = list(string) + description = "IPs/CIDRs that are allowed access to the Storage Account" + default = [] +} +//********************** Credentials **************************// + +variable "tenant_id" { + description = "Tenant ID" + type = string +} + +variable "subscription_id" { + description = "Subscription ID" + type = string +} + +variable "client_id" { + description = "Application ID(Client ID)" + type = string +} + +variable "client_secret" { + description = "A secret string that the application uses to prove its identity when requesting a token. Also can be referred to as application password." 
+ type = string
+}
+
+variable sic_key {
+ description = "sic_key"
+ type = string
+}
+
+resource "null_resource" "sic_key_invalid" {
+ count = length(var.sic_key) >= 12 ? 0 : "SIC key must be at least 12 characters long"
+}
+
+variable "sku" {
+ description = "SKU"
+ type = string
+ default = "Standard"
+}
diff --git a/terraform/azure/mds-existing-vnet/versions.tf b/terraform/azure/mds-existing-vnet/versions.tf
new file mode 100755
index 00000000..0d5ca4f3
--- /dev/null
+++ b/terraform/azure/mds-existing-vnet/versions.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~> 3.81.0"
+ }
+ random = {
+ version = "~> 3.5.1"
+ }
+ }
+}
\ No newline at end of file
diff --git a/terraform/azure/mds-new-vnet/README.md b/terraform/azure/mds-new-vnet/README.md
new file mode 100755
index 00000000..293c3862
--- /dev/null
+++ b/terraform/azure/mds-new-vnet/README.md
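Review bot: `client_secret`, `admin_password`, `sic_key`, `serial_console_password_hash` and `maintenance_mode_password_hash` are declared without `sensitive = true`, so their values can surface in plan/apply output and error messages; versions.tf pins `required_version = ">= 0.14.3"`, where the attribute is available, so adding `sensitive = true` to each of those five blocks is a one-line change apiece. `local.isntallation_type_allowed_values` (typo aside) is defined but, unlike the `os_version`, `vm_os_offer`, `admin_shell` and `mds_enable_api` locals, never passed to `index()`, so `installation_type` is not actually validated; `validate_installation_type_value = index(local.isntallation_type_allowed_values, var.installation_type)` would match the file's own pattern. The `null_resource` guard on `sic_key` checks only a minimum length of 12 while the README promises 12–30 alphanumeric characters; a `validation` block like the one on `management_GUI_client_network` could express the full rule with a clear error message. `nsg_id` and `admin_username` carry no `type`.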
@@ -0,0 +1,188 @@ +# Check Point CloudGuard Network Security MDS Terraform deployment for Azure + +This Terraform module deploys Check Point CloudGuard Network Security Management solution into a new Vnet in Azure. +As part of the deployment the following resources are created: +- Resource group +- Virtual network +- Network security group +- Virtual Machine +- System assigned identity + +This solution uses the following modules: +- /terraform/azure/modules/common - used for creating a resource group and defining common variables. +- /terraform/azure/modules/vnet - used for creating new virtual network and subnets. +- /terraform/azure/modules/network-security-group - used for creating new network security groups and rules. + + +## Configurations +- Install and configure Terraform to provision Azure resources: [Configure Terraform for Azure](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/terraform-install-configure) +- In order to use ssh connection to VMs, it is **required** to add a public key to the /terraform/azure/mds-new-vnet/azure_public_key file. + +## Usage +- Choose the preferred login method to Azure in order to deploy the solution: +
1. Using Service Principal: + - Create a [Service Principal](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal) (or use the existing one) + - Grant the Service Principal at least "**Managed Application Contributor**", "**Storage Account Contributor**", "**Network Contributor**", "**Virtual Machine Contributor**" permissions to the Azure subscription
+ - The Service Principal credentials can be stored either in the terraform.tfvars or as [Environment Variables](https://www.terraform.io/docs/providers/azuread/guides/service_principal_client_secret.html)
+ + In case the Environment Variables are used, perform modifications described below:
+ + a. The next lines in the main.tf file, in the provider azurerm resource, need to be deleted or commented: + + provider "azurerm" { + + // subscription_id = var.subscription_id + // client_id = var.client_id + // client_secret = var.client_secret + // tenant_id = var.tenant_id + + features {} + } + + b. In the terraform.tfvars file leave empty double quotes for client_secret, client_id , tenant_id and subscription_id variables: + + client_secret = "" + client_id = "" + tenant_id = "" + subscription_id = "" + +
2. Using **az** commands from a command-line: + - Run **az login** command + - Sign in with your account credentials in the browser + - [Accept Azure Marketplace image terms](https://docs.microsoft.com/en-us/cli/azure/vm/image/terms?view=azure-cli-latest) by running: +
**az vm image terms accept --urn publisher:offer:sku:version**, where: + - publisher = checkpoint; + - offer = vm_os_offer (see accepted values in the table below); + - sku = vm_os_sku (see accepted values in the table below); + - version = latest
+
Example:
+ az vm image terms accept --urn checkpoint:check-point-cg-r8040:sg-byol:latest + + - In the terraform.tfvars file leave empty double quotes for client_secret, client_id and tenant_id variables. + +- Fill all variables in the /terraform/azure/mds-new-vnet/terraform.tfvars file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + + terraform init +- Create an execution plan: + + terraform plan +- Create or modify the deployment: + + terraform apply + +### terraform.tfvars variables: + | Name | Description | Type | Allowed values | Default | + | ------------- | ------------- | ------------- | ------------- | ------------- | + | **client_secret** | The client secret value of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **client_id** | The client ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | | n/a + | | | | | | + | **source_image_vhd_uri** | The URI of the blob containing the development image. 
Please use noCustomUri if you want to use marketplace images | string | | "noCustomUri" + | | | | | | + | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | n/a + | | | | | | + | **mds_name** | MDS name | string | | n/a + | | | | | | + | **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | n/a + | | | | | | + | **vnet_name** | The name of virtual network that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | n/a + | | | | | | + | **address_space** | The address space that is used by a Virtual Network | string | A valid address in CIDR notation | "10.0.0.0/16" + | | | | | | + | **subnet_prefix** | Address prefix to be used for network subnet | string | A valid address in CIDR notation | "10.0.0.0/24" + | | | | | | + | **management_GUI_client_network** | Allowed GUI clients - GUI clients network CIDR | string | | n/a + | | | | | | + | **mds_enable_api** | Enable api access to the mds | string | - "all";
- "management_only";
- "gui_clients"
- "disable"; | "disable" + | | | | | | + | **admin_password** | The password associated with the local administrator account on the mds | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | n/a + | | | | | | + | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | n/a + | | | | | | + | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | n/a + | | | | | | + | **vm_os_sku** | 
A sku of the image to be deployed | string | "mgmt-byol" - BYOL license;
"mgmt-25" - PAYG; | n/a + | | | | | | + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | | | | | | + | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120";| n/a + | | | | | | + | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | "" + | | | | | | + | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | n/a + | | | | | | + | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | n/a + | | | | | | + | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | "/etc/cli.sh" + | | | | | | + | **sic_key** | Set the Secure Internal Communication one time secret used to set up trust between the primary and secondary servers. SIC key must be provided if installing a secondary Multi-Domain Server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | n/a + | | | | | | + | **installation_type** | Enables to select installation type- gateway/standalone | string | mds-primary;
mds-secondary;
mds-logserver; | n/a + | | | | | | + | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here | string | | n/a + | | | | | | + | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | | n/a + | | | | | | + | **nsg_id** | Optional ID for a Network Security Group that already exists in Azure, if not provided, will create a default NSG | string | Existing NSG resource ID | "" + | | | | | | + | **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false; | false + | | | | | | + | **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs | [] + + +## Example + client_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + client_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + tenant_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + subscription_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + source_image_vhd_uri = "noCustomUri" + resource_group_name = "checkpoint-mds-rg-terraform" + mds_name = "checkpoint-mds-terraform" + location = "eastus" + vnet_name = "checkpoint-mds-vnet" + address_space = "10.0.0.0/16" + subnet_prefix = "10.0.0.0/24" + management_GUI_client_network = "0.0.0.0/0" + mds_enable_api = "disable" + admin_password = "xxxxxxxxxxxx" + vm_size = "Standard_D3_v2" + disk_size = "110" + vm_os_sku = "mgmt-byol" + vm_os_offer = "check-point-cg-r8110" + os_version = "R8110" + bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" + allow_upload_download = true + authentication_type = "Password" + admin_shell = "/etc/cli.sh" + sic_key = "xxxxxxxxxxxx" + installation_type = "mds-primary" + primary = "true" + secondary = "false" + logserver = "false" + serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + nsg_id = "" + add_storage_account_ip_rules = false + storage_account_additional_ips = [] + +## Revision History +In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|---------------------------------------------------------------------------------------------| +| 20240613 | - Updated Azure Terraform provider version
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Updated Public IP sku to Standard
- Added validation for os_version & os_offer | +| | | | +| 20230910 | - R81.20 is the default version | +| | | | +| 20230629 | First release of Check Point CloudGuard Network Security MDS Terraform deployment for Azure | +| | | | + +## License + +See the [LICENSE](../../LICENSE) file for details + diff --git a/terraform/azure/mds-new-vnet/azure_public_key b/terraform/azure/mds-new-vnet/azure_public_key new file mode 100644 index 00000000..e69de29b diff --git a/terraform/azure/mds-new-vnet/cloud-init.sh b/terraform/azure/mds-new-vnet/cloud-init.sh new file mode 100755 index 00000000..627de012 --- /dev/null +++ b/terraform/azure/mds-new-vnet/cloud-init.sh @@ -0,0 +1,20 @@ +#!/usr/bin/python3 /etc/cloud_config.py + +installationType="${installation_type}" +allowUploadDownload="${allow_upload_download}" +osVersion="${os_version}" +templateName="${template_name}" +templateVersion="${template_version}" +templateType="${template_type}" +isBlink="${is_blink}" +bootstrapScript64="${bootstrap_script64}" +location="${location}" +managementGUIClientNetwork="${management_GUI_client_network}" +enableApi="${enable_api}" +adminShell="${admin_shell}" +sicKey="${sic_key}" +primary="${primary}" +secondary="${secondary}" +logserver="${logserver}" +passwordHash="${serial_console_password_hash}" +MaintenanceModePassword="${maintenance_mode_password_hash}" diff --git a/terraform/azure/mds-new-vnet/main.tf b/terraform/azure/mds-new-vnet/main.tf new file mode 100755 index 00000000..7f2c1de9 --- /dev/null +++ b/terraform/azure/mds-new-vnet/main.tf 
@@ -0,0 +1,321 @@ +//********************** Providers **************************// +provider "azurerm" { + subscription_id = var.subscription_id + client_id = var.client_id + client_secret = var.client_secret + tenant_id = var.tenant_id + + features {} +} + +//********************** Basic Configuration **************************// +module "common" { + source = "../modules/common" + resource_group_name = var.resource_group_name + location = var.location + admin_password = var.admin_password + installation_type = var.installation_type + template_name = var.template_name + template_version = var.template_version + number_of_vm_instances = 1 + allow_upload_download = var.allow_upload_download + vm_size = var.vm_size + disk_size = var.disk_size + is_blink = false + os_version = var.os_version + vm_os_sku = var.vm_os_sku + vm_os_offer = var.vm_os_offer + authentication_type = var.authentication_type + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash + storage_account_additional_ips = var.storage_account_additional_ips +} + +//********************** Networking **************************// +module "vnet" { + source = "../modules/vnet" + + vnet_name = var.vnet_name + resource_group_name = module.common.resource_group_name + location = module.common.resource_group_location + address_space = var.address_space + subnet_prefixes = [var.subnet_prefix] + subnet_names = ["${var.mds_name}-subnet"] + nsg_id = var.nsg_id == "" ? module.network-security-group[0].network_security_group_id: var.nsg_id +} + +module "network-security-group" { + source = "../modules/network-security-group" + count = var.nsg_id == "" ? 
1 : 0 + resource_group_name = module.common.resource_group_name + security_group_name = "${module.common.resource_group_name}-nsg" + location = module.common.resource_group_location + security_rules = [ + { + name = "SSH" + priority = "100" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "22" + description = "Allow inbound SSH connection" + source_address_prefix = var.management_GUI_client_network + destination_address_prefix = "*" + }, + { + name = "GAiA-portal" + priority = "110" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "443" + description = "Allow inbound HTTPS access to the GAiA portal" + source_address_prefix = var.management_GUI_client_network + destination_address_prefix = "*" + }, + { + name = "SmartConsole-1" + priority = "120" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "18190" + description = "Allow inbound access using the SmartConsole GUI client" + source_address_prefix = var.management_GUI_client_network + destination_address_prefix = "*" + }, + { + name = "SmartConsole-2" + priority = "130" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "19009" + description = "Allow inbound access using the SmartConsole GUI client" + source_address_prefix = var.management_GUI_client_network + destination_address_prefix = "*" + }, + { + name = "Logs" + priority = "140" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "257" + description = "Allow inbound logging connections from managed gateways" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + { + name = "ICA-pull" + priority = "150" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + 
destination_port_ranges = "18210" + description = "Allow security gateways to pull a SIC certificate" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + { + name = "CRL-fetch" + priority = "160" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "18264" + description = "Allow security gateways to fetch CRLs" + source_address_prefix = "*" + destination_address_prefix = "*" + }, + { + name = "Policy-fetch" + priority = "170" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_ranges = "*" + destination_port_ranges = "18191" + description = "Allow security gateways to fetch policy" + source_address_prefix = "*" + destination_address_prefix = "*" + } + ] +} + +resource "azurerm_public_ip" "public-ip" { + name = var.mds_name + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + allocation_method = var.vnet_allocation_method + sku = var.sku + idle_timeout_in_minutes = 30 + domain_name_label = join("", [ + lower(var.mds_name), + "-", + random_id.randomId.hex]) +} + +resource "azurerm_network_interface_security_group_association" "security_group_association" { + depends_on = [azurerm_network_interface.nic, module.network-security-group] + network_interface_id = azurerm_network_interface.nic.id + network_security_group_id = var.nsg_id == "" ? 
module.network-security-group[0].network_security_group_id: var.nsg_id +} + +resource "azurerm_network_interface" "nic" { + depends_on = [ + azurerm_public_ip.public-ip] + name = "${var.mds_name}-eth0" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + enable_ip_forwarding = false + + ip_configuration { + name = "ipconfig1" + subnet_id = module.vnet.vnet_subnets[0] + private_ip_address_allocation = var.vnet_allocation_method + private_ip_address = cidrhost(var.subnet_prefix, 4) + public_ip_address_id = azurerm_public_ip.public-ip.id + } +} + +//********************** Storage accounts **************************// +// Generate random text for a unique storage account name +resource "random_id" "randomId" { + keepers = { + # Generate a new ID only when a new resource group is defined + resource_group = module.common.resource_group_name + } + byte_length = 8 +} +resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { + name = "bootdiag${random_id.randomId.hex}" + resource_group_name = module.common.resource_group_name + location = module.common.resource_group_location + account_tier = module.common.storage_account_tier + account_replication_type = module.common.account_replication_type + account_kind = "Storage" + network_rules { + default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow" + ip_rules = module.common.storage_account_ip_rules + } + blob_properties { + delete_retention_policy { + days = "15" + } + } + +} + +//********************** Virtual Machines **************************// +locals { + SSH_authentication_type_condition = var.authentication_type == "SSH Public Key" ? true : false + custom_image_condition = var.source_image_vhd_uri == "noCustomUri" ? false : true +} + +resource "azurerm_image" "custom-image" { + count = local.custom_image_condition ? 
1 : 0 + name = "custom-image" + location = var.location + resource_group_name = module.common.resource_group_name + + os_disk { + os_type = "Linux" + os_state = "Generalized" + blob_uri = var.source_image_vhd_uri + } +} + +resource "azurerm_virtual_machine" "mds-vm-instance" { + depends_on = [ + azurerm_network_interface.nic] + location = module.common.resource_group_location + name = var.mds_name + network_interface_ids = [ + azurerm_network_interface.nic.id] + resource_group_name = module.common.resource_group_name + vm_size = module.common.vm_size + delete_os_disk_on_termination = module.common.delete_os_disk_on_termination + primary_network_interface_id = azurerm_network_interface.nic.id + + identity { + type = module.common.vm_instance_identity + } + + dynamic "plan" { + for_each = local.custom_image_condition ? [ + ] : [1] + content { + name = module.common.vm_os_sku + publisher = module.common.publisher + product = module.common.vm_os_offer + } + } + + boot_diagnostics { + enabled = module.common.boot_diagnostics + storage_uri = module.common.boot_diagnostics ? 
join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : "" + } + + os_profile { + computer_name = lower(var.mds_name) + admin_username = module.common.admin_username + admin_password = module.common.admin_password + custom_data = templatefile("${path.module}/cloud-init.sh", { + installation_type = var.installation_type + allow_upload_download = module.common.allow_upload_download + os_version = module.common.os_version + template_name = module.common.template_name + template_version = module.common.template_version + template_type = "terraform" + is_blink = module.common.is_blink + bootstrap_script64 = base64encode(var.bootstrap_script) + location = module.common.resource_group_location + management_GUI_client_network = var.management_GUI_client_network + enable_api = var.mds_enable_api + admin_shell = var.admin_shell + sic_key = var.sic_key + primary = var.primary + secondary = var.secondary + logserver = var.logserver + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash + }) + } + + os_profile_linux_config { + disable_password_authentication = local.SSH_authentication_type_condition + + dynamic "ssh_keys" { + for_each = local.SSH_authentication_type_condition ? [ + 1] : [] + content { + path = "/home/notused/.ssh/authorized_keys" + key_data = file("${path.module}/azure_public_key") + } + } + } + + storage_image_reference { + id = local.custom_image_condition ? azurerm_image.custom-image[0].id : null + publisher = local.custom_image_condition ? null : module.common.publisher + offer = module.common.vm_os_offer + sku = module.common.vm_os_sku + version = module.common.vm_os_version + } + + storage_os_disk { + name = var.mds_name + create_option = module.common.storage_os_disk_create_option + caching = module.common.storage_os_disk_caching + managed_disk_type = module.common.storage_account_type + disk_size_gb = module.common.disk_size + } +} 
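Review bot: The `SSH`, `GAiA-portal` and both `SmartConsole` rules take `source_address_prefix = var.management_GUI_client_network`, and the README example and the tfvars comment both use `0.0.0.0/0`, which this template's validation explicitly accepts; combined with the documented `authentication_type = "Password"` that publishes a password-authenticated SSH endpoint on `azurerm_public_ip.public-ip` to any source. Consider a comment on the SSH rule, `# Restrict management_GUI_client_network to operator CIDRs; 0.0.0.0/0 exposes SSH/HTTPS on the public IP`, and a matching sentence in the README. Separately, `azurerm_storage_account.vm-boot-diagnostics-storage` sets `default_action` to `"Allow"` unless `add_storage_account_ip_rules` is true, so the boot-diagnostics account is network-reachable by default; a one-line comment saying this is intentional for serial-console access would spare the next reviewer the same question.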
diff --git a/terraform/azure/mds-new-vnet/terraform.tfvars b/terraform/azure/mds-new-vnet/terraform.tfvars new file mode 100755 index 00000000..7a1045b3 --- /dev/null +++ b/terraform/azure/mds-new-vnet/terraform.tfvars 
@@ -0,0 +1,34 @@ +#PLEASE refer to the README.md for accepted values for the variables below +client_secret = "PLEASE ENTER CLIENT SECRET" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +client_id = "PLEASE ENTER CLIENT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +tenant_id = "PLEASE ENTER TENANT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +subscription_id = "PLEASE ENTER SUBSCRIPTION ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +source_image_vhd_uri = "PLEASE ENTER SOURCE IMAGE VHD URI OR noCustomUri" # "noCustomUri" +resource_group_name = "PLEASE ENTER RESOURCE GROUP NAME" # "checkpoint-mds-rg-terraform" +mds_name = "PLEASE ENTER MDS NAME" # "checkpoint-mds-terraform" +location = "PLEASE ENTER LOCATION" # "eastus" +vnet_name = "PLEASE ENTER VIRTUAL NETWORK NAME" # "checkpoint-mds-vnet" +address_space = "PLEASE ENTER VIRTUAL NETWORK ADDRESS SPACE" # "10.0.0.0/16" +subnet_prefix = "PLEASE ENTER ADDRESS PREFIX FOR SUBNET" # "10.0.0.0/24" +management_GUI_client_network = "PLEASE ENTER A MANAGEMENT GUI CLIENT NETWORK" # "0.0.0.0/0" +mds_enable_api = "PLEASE ENTER FOR WHOM TO ENABLE API ACCESS OR disable" # "disable" +admin_password = "PLEASE ENTER ADMIN PASSWORD" # "xxxxxxxxxxxx" +vm_size = "PLEASE ENTER VM SIZE" # "Standard_D3_v2" +disk_size = "PLEASE ENTER DISK SIZE" # "110" +vm_os_sku = "PLEASE ENTER VM SKU" # "mgmt-byol" +vm_os_offer = "PLEASE ENTER VM OFFER" # "check-point-cg-r8110" +os_version = "PLEASE ENTER GAIA OS VERSION" # "R8110" +bootstrap_script = "PLEASE ENTER CUSTOM SCRIPT OR LEAVE EMPTY DOUBLE QUOTES" # "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" +allow_upload_download = "PLEASE ENTER true or false" # true +authentication_type = "PLEASE ENTER AUTHENTICATION TYPE" # "Password" +admin_shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh" +sic_key = "PLEASE ENTER SIC KEY" # "xxxxxxxxxxxx" +installation_type = "PLEASE ENTER INSTALLATION TYPE" # "mds-primary" +primary = "PLEASE ENTER true or false" # "true" +secondary = 
"PLEASE ENTER true or false" # "false" +logserver = "PLEASE ENTER true or false" # "false" +serial_console_password_hash = "PLEASE ENTER SERIAL CONSOLE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +nsg_id = "PLEASE ENTER NETWORK SECURITY GROUP ID" # "" +add_storage_account_ip_rules = "PLEASE ENTER true or false" # false +storage_account_additional_ips = "PLEASE ENTER A LIST OF VALID IPS/CIDRS" # [] \ No newline at end of file diff --git a/terraform/azure/mds-new-vnet/variables.tf b/terraform/azure/mds-new-vnet/variables.tf new file mode 100755 index 00000000..9ce9d0ba --- /dev/null +++ b/terraform/azure/mds-new-vnet/variables.tf 
@@ -0,0 +1,278 @@ +//********************** Basic Configuration Variables **************************// +variable "mds_name" { + description = "MDS name" + type = string +} + +variable "resource_group_name" { + description = "Azure Resource Group name to build into" + type = string +} + +variable "location" { + description = "The location/region where resource will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions" + type = string +} + +//********************** Virtual Machine Instances Variables **************************// +variable "source_image_vhd_uri" { + type = string + description = "The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images." + default = "noCustomUri" +} + +variable "admin_username" { + description = "Administrator username of deployed VM. Due to Azure limitations 'notused' name can be used" + default = "notused" +} + +variable "admin_password" { + description = "Administrator password of deployed Virtual Machine. 
The password must meet the complexity requirements of Azure" + type = string +} + +variable "serial_console_password_hash" { + description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type" + type = string +} + +variable "maintenance_mode_password_hash" { + description = "Maintenance mode password hash, relevant only for R81.20 and higher versions" + type = string +} + +variable "authentication_type" { + description = "Specifies whether a password authentication or SSH Public Key authentication should be used" + type = string +} +locals { // locals for 'authentication_type' allowed values + authentication_type_allowed_values = [ + "Password", + "SSH Public Key" + ] + // will fail if [var.authentication_type] is invalid: + validate_authentication_type_value = index(local.authentication_type_allowed_values, var.authentication_type) +} +variable "template_name" { + description = "Template name. Should be defined according to deployment type(mds, ha, vmss)" + type = string + default = "mds_terraform" +} + +variable "template_version" { + description = "Template version. It is recommended to always use the latest template version" + type = string + default = "20230910" +} + +variable "installation_type" { + description = "Installaiton type" + type = string + default = "mds-primary" +} + +variable "primary" { + type = string +} + +variable "secondary" { + type = string +} + +variable "logserver" { + type = string +} + +locals { //locals for 'installation_type' + isntallation_type_allowed_values = [ + "mds-primary", + "mds-secondary", + "mds-logserver" + ] +} + +variable "vm_size" { + description = "Specifies size of Virtual Machine" + type = string +} + +variable "disk_size" { + description = "Storage data disk size size(GB). 
Select a number between 100 and 3995" + type = string +} + +variable "os_version" { + description = "GAIA OS version" + type = string +} + +locals { // locals for 'vm_os_offer' allowed values + os_version_allowed_values = [ + "R8040", + "R81", + "R8110", + "R8120" + ] + // will fail if [var.os_version] is invalid: + validate_os_version_value = index(local.os_version_allowed_values, var.os_version) +} + +variable "vm_os_sku" { + description = "The sku of the image to be deployed." + type = string +} + +variable "vm_os_offer" { + description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8040, check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" + type = string +} + +locals { // locals for 'vm_os_offer' allowed values + vm_os_offer_allowed_values = [ + "check-point-cg-r8040", + "check-point-cg-r81", + "check-point-cg-r8110", + "check-point-cg-r8120" + ] + // will fail if [var.vm_os_offer] is invalid: + validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer) +} + +variable "allow_upload_download" { + description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + type = bool +} + +variable "admin_shell" { + description = "The admin shell to configure on machine or the first time" + type = string + default = "/etc/cli.sh" +} + +locals { + admin_shell_allowed_values = [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh" + ] + // Will fail if [var.admin_shell] is invalid + validate_admin_shell_value = index(local.admin_shell_allowed_values, var.admin_shell) +} + +//********************** Networking Variables **************************// +variable "vnet_name" { + description = "Virtual Network name" + type = string +} + +variable "address_space" { + description = "The address space that is used by a Virtual Network." 
+ type = string + default = "10.0.0.0/16" +} + +variable "subnet_prefix" { + description = "Address prefix to be used for network subnet" + type = string + default = "10.0.0.0/24" +} + +variable "vnet_allocation_method" { + description = "IP address allocation method" + type = string + default = "Static" +} + +variable "management_GUI_client_network" { + description = "Allowed GUI clients - GUI clients network CIDR" + type = string + validation { + condition = can(regex("(^0\\.0\\.0\\.0\\/0$)|(^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/32)?$)", var.management_GUI_client_network)) && var.management_GUI_client_network != "0.0.0.0/32" + error_message = "Variable [management_GUI_client_network] must be a valid IPv4 network CIDR (only 0.0.0.0/0, X.X.X.X/32 or X.X.X.X are acceptable)." + } +} + +variable "mds_enable_api" { + description = "Enable api access to the management. allowed values: all, management_only, gui_clients, disable" + type = string + default = "disable" +} + +locals { + mds_enable_api_allowed_values = [ + "disable", + "all", + "management_only", + "gui_clients" + ] + // will fail if [var.mds_enable_api] is invalid: + validate_mds_enable_api_value = index(local.mds_enable_api_allowed_values, var.mds_enable_api) + + regex_valid_network_cidr = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))|$" + // Will fail if var.address_space is invalid + regex_address_space = regex(local.regex_valid_network_cidr, var.address_space) == var.address_space ? 0 : "Variable [address_space] must be a valid address in CIDR notation." + // Will fail if var.subnet_prefix is invalid + regex_subnet_prefix = regex(local.regex_valid_network_cidr, var.subnet_prefix) == var.subnet_prefix ? 0 : "Variable [subnet_prefix] must be a valid address in CIDR notation." 
+} + +variable "bootstrap_script" { + description = "An optional script to run on the initial boot" + default = "" + type = string + #example: + #"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" +} + +variable "nsg_id" { + description = "NSG ID - Optional - if empty use default NSG" + default = "" +} + +variable "add_storage_account_ip_rules" { + type = bool + default = false + description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location" +} + +variable "storage_account_additional_ips" { + type = list(string) + description = "IPs/CIDRs that are allowed access to the Storage Account" + default = [] +} + +//********************** Credentials **************************// +variable "tenant_id" { + description = "Tenant ID" + type = string +} + +variable "subscription_id" { + description = "Subscription ID" + type = string +} + +variable "client_id" { + description = "Application ID(Client ID)" + type = string +} + +variable "client_secret" { + description = "A secret string that the application uses to prove its identity when requesting a token. Also can be referred to as application password." + type = string +} + +variable "sic_key" { + description = "sic key" + type = string +} + +resource "null_resource" "sic_key_invalid" { + count = length(var.sic_key) >= 12 ? 0 : "SIC key must be at least 12 characters long" +} + +variable "sku" { + description = "SKU" + type = string + default = "Standard" +} \ No newline at end of file diff --git a/terraform/azure/mds-new-vnet/versions.tf b/terraform/azure/mds-new-vnet/versions.tf new file mode 100755 index 00000000..de940e72 --- /dev/null +++ b/terraform/azure/mds-new-vnet/versions.tf @@ -0,0 +1,12 @@ +terraform { + required_version = ">= 0.14.3" + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = "~> 3.81.0" + } + random = { + version = "~> 3.5.1" + } + } +} 
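Review bot: `isntallation_type_allowed_values` (also misspelled) is declared but nothing indexes it, so `installation_type` is the only enumerated variable in this file that is never validated, unlike authentication_type, os_version, vm_os_offer, admin_shell and mds_enable_api. Add `validate_installation_type_value = index(local.isntallation_type_allowed_values, var.installation_type)` inside that locals block, or better convert these checks to `validation` blocks as `management_GUI_client_network` already does. The `sic_key` length check implemented through `null_resource.sic_key_invalid`'s count would fit the same `validation` form and would read as an actual constraint rather than a plan-time trick. `template_version` defaults to `"20230910"` while the README revision history lists 20240613 as current — confirm which value is intended.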
diff --git a/terraform/azure/modules/add-routing-intent.py b/terraform/azure/modules/add-routing-intent.py
new file mode 100644
index 00000000..87437061
--- /dev/null
+++ b/terraform/azure/modules/add-routing-intent.py
@@ -0,0 +1,29 @@
+import json
+import requests
+import sys
+
+
+def perform_put_request(url, data, headers=None):
+    """
+    This function perform the PUT request to Azure in order to edit the vWAN Hub Routing-Intent
+    """
+    result = {"status": "success", "message": ""}
+    try:
+        response = requests.put(url, json=data, headers=headers)
+        result["message"] = response.text
+    except Exception as e:
+        result["status"] = "error"
+        result["message"] = f"An error occurred: {str(e)}"
+    return result
+
+
+if __name__ == "__main__":
+    """
+    This script receives url, body, and authorization token as arguments and set vWAN Hub Routing-Intent
+    """
+    api_url = sys.argv[1]
+    api_data = eval(sys.argv[2])
+    auth_token = sys.argv[3]
+    api_headers = {"Authorization": f'Bearer {auth_token}'}
+    result = perform_put_request(api_url, api_data, api_headers)
+    print(json.dumps(result))
diff --git a/terraform/azure/modules/common/main.tf b/terraform/azure/modules/common/main.tf
new file mode 100755
index 00000000..08bc5f97
--- /dev/null
+++ b/terraform/azure/modules/common/main.tf
@@ -0,0 +1,5 @@
+resource "azurerm_resource_group" "resource_group" {
+  name = var.resource_group_name
+  location = var.location
+}
+
diff --git a/terraform/azure/modules/common/outputs.tf b/terraform/azure/modules/common/outputs.tf
new file mode 100755
index 00000000..1d4ad2b0
--- /dev/null
+++ b/terraform/azure/modules/common/outputs.tf
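Review bot: `api_data = eval(sys.argv[2])` executes whatever arrives in the second argument as Python; the value is a JSON body destined for `requests.put(..., json=data)`, so `api_data = json.loads(sys.argv[2])` yields the same dict without code execution. `perform_put_request` also reports `"status": "success"` for any HTTP response, including 4xx/5xx from the Azure API; add `response.raise_for_status()` after the put (the existing except then reports the failure) or record `response.status_code` alongside the text. The bearer token is read from argv, which is typically visible in process listings on the host running terraform — reading it from an environment variable or stdin would keep it out of that path.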
@@ -0,0 +1,130 @@ +output "resource_group_name" { + value = azurerm_resource_group.resource_group.name +} + +output "resource_group_id" { + value = azurerm_resource_group.resource_group.id +} + +output "resource_group_location" { + value = azurerm_resource_group.resource_group.location +} + +output "azurerm_resource_group_id" { + value = azurerm_resource_group.resource_group.id +} + +output "admin_username" { + value = var.admin_username +} + +output "admin_password"{ + value = var.admin_password +} + +output "vm_instance_identity" { + value = var.vm_instance_identity_type +} + +output "template_name"{ + value = var.template_name +} + +output "template_version" { + value = var.template_version +} + +output "bootstrap_script"{ + value = var.bootstrap_script +} + +output "os_version" { + value = var.os_version +} + +output "installation_type" { + value = var.installation_type +} + +output "number_of_vm_instances" { + value = var.number_of_vm_instances +} + +output "allow_upload_download" { + value = var.allow_upload_download +} + +output "is_blink" { + value = var.is_blink +} + +output "vm_size" { + value = var.vm_size +} + +output "delete_os_disk_on_termination" { + value = var.delete_os_disk_on_termination +} + +output "vm_os_offer" { + value = var.vm_os_offer +} + +output "vm_os_sku" { + value = var.vm_os_sku +} + +output "vm_os_version" { + value = var.vm_os_version +} + +output "storage_account_type" { + value = var.storage_account_type +} + +output "storage_account_tier" { + value = var.storage_account_tier +} + +output "account_replication_type" { + value = var.account_replication_type +} + +output "disk_size" { + value = var.disk_size +} + +output "publisher" { + value = var.publisher +} + +output "storage_os_disk_create_option" { + value = var.storage_os_disk_create_option +} + +output "storage_os_disk_caching" { + value = var.storage_os_disk_caching +} + +output "managed_disk_type" { + value = var.managed_disk_type +} + +output "authentication_type" { + 
value = var.authentication_type +} + +output "tags" { + value = var.tags +} + +output "boot_diagnostics" { + value = var.boot_diagnostics +} + +output "storage_account_ip_rules" { + value = local.storage_account_ip_rules +} +output "role_definition" { + value = var.role_definition +} \ No newline at end of file diff --git a/terraform/azure/modules/common/variables.tf b/terraform/azure/modules/common/variables.tf new file mode 100755 index 00000000..e768159b --- /dev/null +++ b/terraform/azure/modules/common/variables.tf 
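Review bot: `output "admin_password"` re-exports the administrator password without `sensitive = true`, so any root module that propagates it will print it in clear in plan/apply output; the mds-new-vnet versions.tf in this patch pins `required_version = ">= 0.14.3"`, which supports the attribute. Add `sensitive = true` to that output and consider the same for any other output whose value is a credential. `output "resource_group_id"` and `output "azurerm_resource_group_id"` return the same attribute — fine if both names are needed by callers, but a short comment explaining the duplication would help.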
@@ -0,0 +1,369 @@
+//************** Basic config variables**************//
+variable "resource_group_name" {
+ description = "Azure Resource Group name to build into"
+ type = string
+}
+
+variable "resource_group_id" {
+ description = "Azure Resource Group ID to use."
+ type = string
+ default = ""
+}
+
+variable "location" {
+ description = "The location/region where resources will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions"
+ type = string
+}
+//************** Virtual machine instance variables **************
+variable "admin_username" {
+ description = "Administrator username of deployed VM. Due to Azure limitations 'notused' name can be used"
+ type = string
+ default = "notused"
+}
+
+variable "admin_password" {
+ description = "Administrator password of deployed Virtual Machine. The password must meet the complexity requirements of Azure"
+ type = string
+}
+
+variable "serial_console_password_hash" {
+ description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type"
+ type = string
+}
+
+variable "maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash, relevant only for R81.20 and higher versions"
+ type = string
+}
+
+variable "tags" {
+ type = map(string)
+ description = "A map of the tags to use on the resources that are deployed with this module."
+ default = {}
+}
+
+variable "boot_diagnostics" {
+ type = bool
+ description = "Enable or Disable boot diagnostics"
+ default = true
+}
+
+variable "storage_account_additional_ips" {
+ type = list(string)
+ description = "IPs/CIDRs that are allowed access to the Storage Account"
+ default = []
+ validation {
+ condition = !contains(var.storage_account_additional_ips, "0.0.0.0") && can([for ip in var.storage_account_additional_ips: regex("^(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$", ip)])
+ error_message = "Invalid IPv4 address."
+ }
+}
+locals {
+ serial_console_ips_per_location = {
+ "eastasia" : ["20.205.69.28", "20.195.85.180"],
+ "southeastasia" : ["20.205.69.28", "20.195.85.180"],
+ "australiacentral" : ["20.53.53.224", "20.70.222.112"],
+ "australiacentral2" : ["20.53.53.224", "20.70.222.112"],
+ "australiaeast" : ["20.53.53.224", "20.70.222.112"],
+ "australiasoutheast" : ["20.53.53.224", "20.70.222.112"],
+ "brazilsouth" : ["91.234.136.63", "20.206.0.194"],
+ "brazilsoutheast" : ["91.234.136.63", "20.206.0.194"],
+ "canadacentral" : ["52.228.86.177", "52.242.40.90"],
+ "canadaeast" : ["52.228.86.177", "52.242.40.90"],
+ "northeurope" : ["52.146.139.220", "20.105.209.72"],
+ "westeurope" : ["52.146.139.220", "20.105.209.72"],
+ "francecentral" : ["20.111.0.244", "52.136.191.10"],
+ "francesouth" : ["20.111.0.244", "52.136.191.10"],
+ "germanynorth" : ["51.116.75.88", "20.52.95.48"],
+ "germanywestcentral" : ["51.116.75.88", "20.52.95.48"],
+ "centralindia" : ["20.192.168.150", "20.192.153.104"],
+ "southindia" : ["20.192.168.150", "20.192.153.104"],
+ "westindia" : ["20.192.168.150", "20.192.153.104"],
+ "japaneast" : ["20.43.70.205", "20.189.228.222"],
+ "japanwest" : ["20.43.70.205", "20.189.228.222"],
+ "koreacentral" : ["20.200.196.96", "52.147.119.29"],
+ "koreasouth" : ["20.200.196.96", "52.147.119.29"],
+ "norwaywest" : 
["20.100.1.184", "51.13.138.76"],
+ "norwayeast" : ["20.100.1.184", "51.13.138.76"],
+ "switzerlandnorth" : ["20.208.4.98", "51.107.251.190"],
+ "switzerlandwest" : ["20.208.4.98", "51.107.251.190"],
+ "uaecentral" : ["20.45.95.66", "20.38.141.5"],
+ "uaenorth" : ["20.45.95.66", "20.38.141.5"],
+ "uksouth" : ["20.90.132.144", "20.58.68.62"],
+ "ukwest" : ["20.90.132.144", "20.58.68.62"],
+ "swedencentral" : ["51.12.72.223", "51.12.22.174"],
+ "swedensouth" : ["51.12.72.223", "51.12.22.174"],
+ "centralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"],
+ "eastus2" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"],
+ "eastus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"],
+ "northcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"],
+ "southcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"],
+ "westus2" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"],
+ "westus3" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"],
+ "westcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"],
+ "westus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"],
+ "eastus2euap" : ["20.45.242.18", "20.51.21.252"],
+ "centraluseuap" : ["20.45.242.18", "20.51.21.252"]
+ }
+ serial_console_ips = contains(keys(local.serial_console_ips_per_location),var.location) ? local.serial_console_ips_per_location[var.location] : []
+ storage_account_ip_rules = concat(local.serial_console_ips, var.storage_account_additional_ips)
+}
+variable "vm_instance_identity_type" {
+ description = "Managed Service Identity type"
+ type = string
+ default = "SystemAssigned"
+}
+
+variable "template_name"{
+ description = "Template name. Should be defined according to deployment type(ha, vmss)"
+ type = string
+}
+
+variable "template_version"{
+ description = "Template name. Should be defined according to deployment type(e.g. 
ha, vmss)"
+ type = string
+}
+
+variable "bootstrap_script" {
+ description = "An optional script to run on the initial boot"
+ type = string
+ default = ""
+}
+
+variable "os_version"{
+ description = "GAIA OS version"
+ type = string
+}
+
+locals { // locals for 'os_version' allowed values
+ os_version_allowed_values = [
+ "R8040",
+ "R81",
+ "R8110",
+ "R8120"
+ ]
+ // will fail if [var.installation_type] is invalid:
+ validate_os_version_value = index(local.os_version_allowed_values, var.os_version)
+}
+
+variable "installation_type"{
+ description = "Installation type. Allowed values: cluster, vmss"
+ type = string
+}
+
+locals { // locals for 'installation_type' allowed values
+ installation_type_allowed_values = [
+ "cluster",
+ "vmss",
+ "management",
+ "standalone",
+ "gateway",
+ "mds-primary",
+ "mds-secondary",
+ "mds-logserver"
+ ]
+ // will fail if [var.installation_type] is invalid:
+ validate_installation_type_value = index(local.installation_type_allowed_values, var.installation_type)
+}
+
+variable "number_of_vm_instances"{
+ description = "Number of VM instances to deploy"
+ type = string
+}
+
+variable "allow_upload_download" {
+ description = "Allow upload/download to Check Point"
+ type = bool
+}
+
+variable "is_blink" {
+ description = "Define if blink image is used for deployment"
+}
+
+variable "vm_size" {
+ description = "Specifies size of Virtual Machine"
+ type = string
+}
+
+locals {// locals for 'vm_size' allowed values
+ allowed_vm_sizes = ["Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s",
+ "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3",
+ "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3",
+ "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3",
+ "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2",
+ "Standard_M8ms", 
"Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s",
+ "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2",
+ "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2",
+ "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3",
+ "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3",
+ "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2",
+ "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5",
+ "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5",
+ "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", "Standard_D32d_v5",
+ "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5"
+ ]
+ // will fail if [var.vm_size] is invalid:
+ validate_vm_size_value = index(local.allowed_vm_sizes, var.vm_size)
+}
+variable "delete_os_disk_on_termination" {
+ type = bool
+ description = "Delete datadisk when VM is terminated"
+ default = true
+}
+
+variable "publisher" {
+ description = "CheckPoint publisher"
+ default = "checkpoint"
+}
+
+//************** Storage image reference and plan variables ****************//
+variable "vm_os_offer" {
+ description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8040, check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120"
+ type = string
+}
+
+locals { // locals for 'vm_os_offer' allowed values
+ vm_os_offer_allowed_values = [
+ "check-point-cg-r8040",
+ "check-point-cg-r81",
+ "check-point-cg-r8110",
+ "check-point-cg-r8120"
+ ]
+ // will fail if [var.vm_os_offer] is invalid:
+ validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer)
+ validate_os_version_match = 
regex(split("-", var.vm_os_offer)[3], lower(var.os_version))
+}
+
+variable "vm_os_sku" {
+ /*
+ Choose from:
+ - "sg-byol"
+ - "sg-ngtp" (for R80.40 and above)
+ - "sg-ngtx" (for R80.40 and above)
+ - "mgmt-byol"
+ - "mgmt-25"
+ */
+ description = "The sku of the image to be deployed"
+ type = string
+}
+
+locals { // locals for 'vm_os_sku' allowed values
+ vm_os_sku_allowed_values = [
+ "sg-byol",
+ "sg-ngtp",
+ "sg-ngtx",
+ "mgmt-byol",
+ "mgmt-25"
+ ]
+ // will fail if [var.vm_os_sku] is invalid:
+ validate_vm_os_sku_value = index(local.vm_os_sku_allowed_values, var.vm_os_sku)
+}
+
+variable "vm_os_version" {
+ description = "The version of the image that you want to deploy. "
+ type = string
+ default = "latest"
+}
+
+variable "storage_account_type" {
+ description = "Defines the type of storage account to be created. Valid options is Standard_LRS, Premium_LRS"
+ type = string
+ default = "Standard_LRS"
+}
+
+locals { // locals for 'storage_account_type' allowed values
+ storage_account_type_allowed_values = [
+ "Standard_LRS",
+ "Premium_LRS"
+ ]
+ // will fail if [var.storage_account_type] is invalid:
+ validate_storage_account_type_value = index(local.storage_account_type_allowed_values, var.storage_account_type)
+}
+
+variable "storage_account_tier" {
+ description = "Defines the Tier to use for this storage account.Valid options are Standard and Premium"
+ default = "Standard"
+}
+
+locals { // locals for 'storage_account_tier' allowed values
+ storage_account_tier_allowed_values = [
+ "Standard",
+ "Premium"
+ ]
+ // will fail if [var.storage_account_tier] is invalid:
+ validate_storage_account_tier_value = index(local.storage_account_tier_allowed_values, var.storage_account_tier)
+}
+
+variable "account_replication_type" {
+ description = "Defines the type of replication to use for this storage account.Valid options are LRS, GRS, RAGRS and ZRS"
+ type = string
+ default = "LRS"
+}
+
+locals { // locals for 'account_replication_type' allowed values
+ 
account_replication_type_allowed_values = [
+ "LRS",
+ "GRS",
+ "RAGRS",
+ "ZRS"
+ ]
+ // will fail if [var.account_replication_type] is invalid:
+ validate_account_replication_type_value = index(local.account_replication_type_allowed_values, var.account_replication_type)
+}
+
+variable "disk_size" {
+ description = "Storage data disk size size(GB). Select a number between 100 and 3995"
+ type = string
+}
+
+resource "null_resource" "disk_size_validation" {
+ // Will fail if var.disk_size is less than 100 or more than 3995
+ count = tonumber(var.disk_size) >= 100 && tonumber(var.disk_size) <= 3995 ? 0 : "variable disk_size must be a number between 100 and 3995"
+}
+
+//************** Storage OS disk variables **************//
+variable "storage_os_disk_create_option" {
+ description = "The method to use when creating the managed disk"
+ type = string
+ default = "FromImage"
+}
+
+variable "storage_os_disk_caching" {
+ description = "Specifies the caching requirements for the OS Disk"
+ default = "ReadWrite"
+}
+
+variable "managed_disk_type" {
+ description = "Specifies the type of managed disk to create. 
Possible values are either Standard_LRS, StandardSSD_LRS, Premium_LRS"
+ type = string
+ default = "Standard_LRS"
+}
+
+locals { // locals for 'managed_disk_type' allowed values
+ managed_disk_type_allowed_values = [
+ "Standard_LRS",
+ "Premium_LRS"
+ ]
+ // will fail if [var.managed_disk_type] is invalid:
+ validate_managed_disk_type_value = index(local.managed_disk_type_allowed_values, var.managed_disk_type)
+}
+
+variable "authentication_type" {
+ description = "Specifies whether a password authentication or SSH Public Key authentication should be used"
+ type = string
+}
+locals { // locals for 'authentication_type' allowed values
+ authentication_type_allowed_values = [
+ "Password",
+ "SSH Public Key"
+ ]
+ // will fail if [var.authentication_type] is invalid:
+ validate_authentication_type_value = index(local.authentication_type_allowed_values, var.authentication_type)
+}
+
+
+//********************** Role Assignments variables**************************//
+variable "role_definition" {
+ description = "Role definition. The full list of Azure Built-in role descriptions can be found at https://docs.microsoft.com/bs-latn-ba/azure/role-based-access-control/built-in-roles"
+ type = string
+ default = "Contributor"
+}
\ No newline at end of file
diff --git a/terraform/azure/modules/common/versions.tf b/terraform/azure/modules/common/versions.tf
new file mode 100755
index 00000000..0ec4dcca
--- /dev/null
+++ b/terraform/azure/modules/common/versions.tf
@@ -0,0 +1,3 @@
+terraform {
+ required_version = ">= 0.14.3"
+}
\ No newline at end of file
diff --git a/terraform/azure/modules/network-security-group/main.tf b/terraform/azure/modules/network-security-group/main.tf
new file mode 100755
index 00000000..1beeaf14
--- /dev/null
+++ b/terraform/azure/modules/network-security-group/main.tf
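Review bot: `variable "admin_password"`, `serial_console_password_hash` and `maintenance_mode_password_hash` are declared as plain `string` with no `sensitive = true`, so their values show up in plan diffs and in any error message that interpolates them; add `sensitive = true` to all three (available from Terraform 0.14, which matches the module's `required_version`). The `storage_account_additional_ips` description promises IPs/CIDRs, but the validation regex only matches a bare dotted quad, so a `/24` entry is rejected with "Invalid IPv4 address."; either append an optional `(/([0-9]|[12][0-9]|3[0-2]))?` to the pattern or change the description to single addresses. Two comments look like copy-paste leftovers: the `managed_disk_type` description lists `StandardSSD_LRS` while `managed_disk_type_allowed_values` does not, and the `os_version` locals comment refers to `var.installation_type`. The two hash variables are described as optional but have no `default`, so every caller must pass them; that may be intended by the parent templates and is worth confirming.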
@@ -0,0 +1,23 @@
+resource "azurerm_network_security_group" "nsg" {
+ name = var.security_group_name
+ location = var.location
+ resource_group_name = var.resource_group_name
+ tags = var.tags
+ }
+
+//************ Security Rule Example **************//
+resource "azurerm_network_security_rule" "security_rule" {
+ count = length(var.security_rules)
+ name = lookup(var.security_rules[count.index], "name")
+ priority = lookup(var.security_rules[count.index], "priority", 4096 - length(var.security_rules) + count.index)
+ direction = lookup(var.security_rules[count.index], "direction")
+ access = lookup(var.security_rules[count.index], "access")
+ protocol = lookup(var.security_rules[count.index], "protocol")
+ source_port_range = lookup(var.security_rules[count.index], "source_port_ranges")
+ destination_port_range = lookup(var.security_rules[count.index], "destination_port_ranges")
+ description = lookup(var.security_rules[count.index], "description")
+ source_address_prefix = lookup(var.security_rules[count.index], "source_address_prefix")
+ destination_address_prefix = lookup(var.security_rules[count.index], "destination_address_prefix")
+ resource_group_name = var.resource_group_name
+ network_security_group_name = azurerm_network_security_group.nsg.name
+}
diff --git a/terraform/azure/modules/network-security-group/output.tf b/terraform/azure/modules/network-security-group/output.tf
new file mode 100755
index 00000000..c1aa127d
--- /dev/null
+++ b/terraform/azure/modules/network-security-group/output.tf
@@ -0,0 +1,7 @@
+output "network_security_group_id" {
+ value = azurerm_network_security_group.nsg.id
+}
+
+output "network_security_group_name" {
+ value = azurerm_network_security_group.nsg.name
+}
\ No newline at end of file
diff --git a/terraform/azure/modules/network-security-group/variables.tf b/terraform/azure/modules/network-security-group/variables.tf
new file mode 100755
index 00000000..363489e3
--- /dev/null
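Review bot: `source_port_range = lookup(var.security_rules[count.index], "source_port_ranges")` and the `destination_port_range` line below it read plural keys, while the `security_rules` description in this module's variables.tf documents the singular `source_port_range` / `destination_port_range`, so a rule written to the documented format fails at plan time with a missing-key error from `lookup()` rather than being applied. Pick one spelling and use it in both files; the calling templates presumably pass the plural keys today, so check them before renaming. The `description` lookup has no default either, so every rule must carry one; `lookup(var.security_rules[count.index], "description", "")` would make it optional if that is the intent. The default `priority` expression `4096 - length(var.security_rules) + count.index` is correct but dense enough to deserve a one-line comment such as `// lowest-precedence priorities, one per rule, counting up from 4096 - N`.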
+++ b/terraform/azure/modules/network-security-group/variables.tf
@@ -0,0 +1,43 @@
+variable "resource_group_name" {
+ description = "Azure Resource Group name to build into"
+ type = string
+}
+
+variable "location" {
+ type = string
+ description = "The location/region where Network Security Group will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions"
+}
+
+variable "security_group_name" {
+ description = "Network Security Group name"
+ default = "nsg"
+}
+
+variable "tags" {
+ description = "The tags to associate with Network Security Group"
+ type = map(string)
+ default = {}
+}
+
+# Security Rules definition
+
+variable "security_rules" {
+ description = "Security rules for the Network Security Group using this format name = [priority, direction, access, protocol, source_port_range, destination_port_range, source_address_prefix, destination_address_prefix, description]"
+ type = list(any)
+ default = []
+}
+
+variable "source_address_prefix" {
+ description = "Source address prefix to be applied to all rules"
+ type = list(string)
+ default = ["*"]
+ # Example ["10.0.3.0/24"] or ["VirtualNetwork"]
+}
+
+variable "destination_address_prefix" {
+ description = "Destination address prefix to be applied to all rules"
+ type = list(string)
+ default = ["*"]
+ # Example ["10.0.3.0/32","10.0.3.128/32"] or ["VirtualNetwork"]
+}
+
diff --git a/terraform/azure/modules/network-security-group/versions.tf b/terraform/azure/modules/network-security-group/versions.tf
new file mode 100755
index 00000000..0ec4dcca
--- /dev/null
+++ b/terraform/azure/modules/network-security-group/versions.tf
@@ -0,0 +1,3 @@
+terraform {
+ required_version = ">= 0.14.3"
+}
\ No newline at end of file
diff --git a/terraform/azure/modules/vnet/main.tf b/terraform/azure/modules/vnet/main.tf
new file mode 100755
index 00000000..2c67fc4f
--- /dev/null
+++ b/terraform/azure/modules/vnet/main.tf
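Review bot: `variable "source_address_prefix"` and `variable "destination_address_prefix"` are described as "applied to all rules", but nothing in this module's main.tf references them — each rule's prefixes come from the per-rule `source_address_prefix` / `destination_address_prefix` keys inside `security_rules` — so the `["*"]` defaults are dead values that read as though every rule were opened to any address. Either wire them in as the fallback for the per-rule lookups (as `string`, since `azurerm_network_security_rule.source_address_prefix` takes a single value; a list belongs in `source_address_prefixes`) or delete both variables. `security_rules` is typed `list(any)` with its shape given only in prose; a `list(object({...}))` type with `optional()` members would make a misspelled key fail at validation with the key name instead of inside `lookup()`.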
@@ -0,0 +1,80 @@
+resource "azurerm_virtual_network" "vnet" {
+ name = var.vnet_name
+ location = var.location
+ address_space = [var.address_space]
+ resource_group_name = var.resource_group_name
+ dns_servers = var.dns_servers
+ tags = var.tags
+}
+
+resource "azurerm_subnet" "subnet" {
+ depends_on = [azurerm_virtual_network.vnet]
+ count = length(var.subnet_names)
+ name = var.subnet_names[count.index]
+ virtual_network_name = azurerm_virtual_network.vnet.name
+ resource_group_name = var.resource_group_name
+ address_prefixes = [var.subnet_prefixes[count.index]]
+}
+
+resource "azurerm_subnet_network_security_group_association" "security_group_frontend_association" {
+ depends_on = [azurerm_virtual_network.vnet, azurerm_subnet.subnet[0]]
+ subnet_id = azurerm_subnet.subnet[0].id
+ network_security_group_id = var.nsg_id
+}
+resource "azurerm_subnet_network_security_group_association" "security_group_backend_association" {
+ count = length(var.subnet_names) >= 2 ? 1 : 0
+ depends_on = [azurerm_virtual_network.vnet, azurerm_subnet.subnet[1]]
+ subnet_id = azurerm_subnet.subnet[1].id
+ network_security_group_id = var.nsg_id
+}
+
+locals { // locals for 'next_hop_type' allowed values
+ next_hop_type_allowed_values = [
+ "VirtualNetworkGateway",
+ "VnetLocal",
+ "Internet",
+ "VirtualAppliance",
+ "None"
+ ]
+}
+
+resource "azurerm_route_table" "frontend" {
+ name = azurerm_subnet.subnet[0].name
+ location = var.location
+ resource_group_name = var.resource_group_name
+
+ route {
+ name = "Local-Subnet"
+ address_prefix = azurerm_subnet.subnet[0].address_prefixes[0]
+ next_hop_type = local.next_hop_type_allowed_values[1]
+ }
+ route {
+ name = "To-Internal"
+ address_prefix = var.address_space
+ next_hop_type = local.next_hop_type_allowed_values[4]
+ }
+}
+
+resource "azurerm_subnet_route_table_association" "frontend_association" {
+ subnet_id = azurerm_subnet.subnet[0].id
+ route_table_id = azurerm_route_table.frontend.id
+}
+
+resource "azurerm_route_table" 
"backend" {
+ count = length(var.subnet_names) >= 2 ? 1 : 0
+ name = azurerm_subnet.subnet[1].name
+ location = var.location
+ resource_group_name = var.resource_group_name
+
+ route {
+ name = "To-Internet"
+ address_prefix = "0.0.0.0/0"
+ next_hop_type = local.next_hop_type_allowed_values[4]
+ }
+}
+
+resource "azurerm_subnet_route_table_association" "backend_association" {
+ count = length(var.subnet_names) >= 2 ? 1 : 0
+ subnet_id = azurerm_subnet.subnet[1].id
+ route_table_id = azurerm_route_table.backend[count.index].id
+}
diff --git a/terraform/azure/modules/vnet/outputs.tf b/terraform/azure/modules/vnet/outputs.tf
new file mode 100755
index 00000000..9dc8e206
--- /dev/null
+++ b/terraform/azure/modules/vnet/outputs.tf
@@ -0,0 +1,27 @@
+output "vnet_id" {
+ value = azurerm_virtual_network.vnet.id
+}
+
+output "vnet_name" {
+ value = azurerm_virtual_network.vnet.name
+}
+
+output "vnet_location" {
+ value = azurerm_virtual_network.vnet.location
+}
+
+output "vnet_address_space" {
+ value = azurerm_virtual_network.vnet.address_space
+}
+
+output "vnet_subnets" {
+ value = azurerm_subnet.subnet.*.id
+}
+
+output "subnet_prefixes" {
+ value = var.subnet_prefixes
+}
+
+output "allocation_method" {
+ value = var.allocation_method
+}
\ No newline at end of file
diff --git a/terraform/azure/modules/vnet/variables.tf b/terraform/azure/modules/vnet/variables.tf
new file mode 100755
index 00000000..1f64d28e
--- /dev/null
+++ b/terraform/azure/modules/vnet/variables.tf
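Review bot: `next_hop_type = local.next_hop_type_allowed_values[1]` and the two `[4]` lookups in the `frontend` and `backend` route tables state the intent only as positions in a list that is used for nothing else, so a reader has to count entries to learn that frontend traffic to the rest of `var.address_space` and backend traffic to `0.0.0.0/0` are sent to `None`, i.e. dropped. Use the literals `"VnetLocal"` and `"None"` (the `locals` block can then go) and put a one-line comment on each `None` route saying why the traffic is blackholed here — presumably the parent template later adds routes through the gateway, which should be confirmed and stated. `security_group_frontend_association` also indexes `azurerm_subnet.subnet[0]` unconditionally, so an empty `subnet_names` fails with an index error; a `count = length(var.subnet_names) >= 1 ? 1 : 0` guard like the one on the backend association would give a clearer contract.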
@@ -0,0 +1,63 @@
+variable "vnet_name" {
+ description = "Name of Virtual Network"
+ type = string
+ default = "vnet01"
+}
+
+variable "resource_group_name" {
+ description = "Azure Resource Group name to build into"
+ type = string
+}
+
+variable "location" {
+ description = "The location/region where the core network will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions"
+ type = string
+}
+
+variable "address_space" {
+ description = "The address prefixes of the virtual network"
+ type = string
+ default = "10.0.0.0/16"
+}
+
+variable "dns_servers" {
+ description = " DNS servers to be used with a Virtual Network. If no values specified, this defaults to Azure DNS"
+ type = list(string)
+ default = []
+}
+
+variable "subnet_prefixes" {
+ description = "The address prefixes to be used for subnets"
+ type = list(string)
+ default = ["10.0.0.0/24","10.0.1.0/24"]
+}
+
+variable "subnet_names" {
+ description = "A list of subnet names in a Virtual Network"
+ type = list(string)
+ default = ["Frontend","Backend"]
+}
+
+variable "tags" {
+ description = "Tags to be associated with Virtual Network and subnets"
+ type = map(string)
+ default = {}
+}
+variable "nsg_id" {
+ description = "Network security group to be associated with a Virtual Network and subnets"
+ type = string
+}
+
+variable "allocation_method" {
+ description = "IP address allocation method"
+ type = string
+ default = "Static"
+}
+
+locals { // locals for 'allocation_method' allowed values
+ allocation_method_allowed_values = [
+ "Static"
+ ]
+ // will fail if [var.allocation_method] is invalid:
+ validate_method_allowed_value = index(local.allocation_method_allowed_values, var.allocation_method)
+}
\ No newline at end of file
diff --git a/terraform/azure/modules/vnet/versions.tf b/terraform/azure/modules/vnet/versions.tf
new file mode 100755
index 00000000..0ec4dcca
--- /dev/null
+++ b/terraform/azure/modules/vnet/versions.tf
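Review bot: `subnet_prefixes` and `subnet_names` are independent lists with no check that they are the same length, while the module's main.tf indexes `var.subnet_prefixes[count.index]` over `length(var.subnet_names)`, so a caller who adds a third name without a third prefix gets an index error inside the subnet resource rather than a message naming the two variables. A `validation` block cannot reference another variable on the Terraform versions this module allows (`>= 0.14.3`), so the check fits the file's existing pattern of deliberately failing `locals`, e.g. `validate_subnet_lists = length(var.subnet_prefixes) == length(var.subnet_names) ? true : file("ERROR: subnet_prefixes and subnet_names must have the same length")`. The `dns_servers` description also starts with a stray leading space.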
@@ -0,0 +1,3 @@ +terraform { + required_version = ">= 0.14.3" +} \ No newline at end of file diff --git a/terraform/azure/nva-into-existing-hub/README.md b/terraform/azure/nva-into-existing-hub/README.md new file mode 100644 index 00000000..a2765298 --- /dev/null +++ b/terraform/azure/nva-into-existing-hub/README.md @@ -0,0 +1,172 @@ +# Check Point CloudGuard Network Security Virtual WAN Terraform deployment for Azure + +This Terraform module deploys Check Point CloudGuard Network Security Virtual WAN NVA solution into an existing vWAN Hub in Azure. +As part of the deployment the following resources are created: +- Resource groups +- Azure Managed Application: + - NVA + - Managed identity + +For additional information, +please see the [CloudGuard Network for Azure Virtual WAN Deployment Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_Azure_vWAN/Default.htm) + +## Configurations +- Install and configure Terraform to provision Azure resources: [Configure Terraform for Azure](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/terraform-install-configure). +- In order to configure hub routing-intent policies it is **required** to have Python and 'requests' library installed. + +## Usage +- Choose the preferred login method to Azure in order to deploy the solution: +
1. Using Service Principal: + - Create a [Service Principal](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal) (or use the existing one) + - Grant the Service Principal at least "**Contributor**" permissions to the Azure subscription
+ - The Service Principal credentials can be stored either in the terraform.tfvars or as [Environment Variables](https://www.terraform.io/docs/providers/azuread/guides/service_principal_client_secret.html)
+ + In case the Environment Variables are used, perform modifications described below:
+ + a. The next lines in the versions.tf file, in the provider azurerm resource, need to be deleted or commented: + + provider "azurerm" { + + // subscription_id = var.subscription_id + // client_id = var.client_id + // client_secret = var.client_secret + // tenant_id = var.tenant_id + + features {} + } + + b. In the terraform.tfvars file leave empty double quotes for client_secret, client_id , tenant_id and subscription_id variables: + + client_secret = "" + client_id = "" + tenant_id = "" + subscription_id = "" + +
2. Using **az** commands from a command-line: + - Run **az login** command + - Sign in with your account credentials in the browser + - In the terraform.tfvars file leave empty double quotes for client_secret, client_id and tenant_id variables. + +- Fill all variables in the /terraform/azure/nva-into-existing-hub/terraform.tfvars file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + + terraform init +- Create an execution plan: + + terraform plan +- Create or modify the deployment: + + terraform apply + +### terraform.tfvars variables: + | Name | Description | Type | Allowed values | Default | + |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- | ------------- | + | **authentication_method** | The authentication method used to deploy the solution | string | "Service Principal";
"Azure CLI"; | n/a + | | + | **client_secret** | The client secret value of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **client_id** | The client ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | | n/a + | | | | | | + | **resource-group-name** | The name of the resource group that will contain the managed application | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period| "tf-managed-app-resource-group" | + | | | | | | + | **location** | The region where the resources will be deployed at | string | The full list of supported Azure regions can be found at https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-locations-partners#locations | "westcentralus" | + | | | | | | + | **vwan-hub-name** | The name of the virtual WAN hub that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | n/a | + | | | | | | + | **vwan-hub-resource-group** | The virtual WAN hub resource group name | string | | n/a | + | | | | | | + | **managed-app-name** | The name of the managed application that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | "tf-vwan-managed-app-nva" | + | | | | | | + | **nva-name** | The name of the NVA that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | "tf-vwan-nva" | + | | | | | 
| + | **nva-rg-name** | The name of the resource group that will contain the NVA | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | "tf-vwan-nva-rg"| + | | | | | | + | **os-version** | The GAIA os version | string | "R8110"
"R8120" | "R8120" | + | | | | | | + | **license-type** | The Check Point licence type | string | "Security Enforcement (NGTP)"
"Full Package (NGTX + S1C)"
"Full Package Premium (NGTX + S1C++)" | "Security Enforcement (NGTP)" | + | | | | | | | | | | + | **scale-unit** | The scale unit determines the size and number of resources deployed. The higher the scale unit, the greater the amount of traffic that can be handled. | string | "2"
"4"
"10"
"20"
"30"
"60"
"80"
| "2" | + | | | | | | + | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | "" + | | | | | | | | | | + | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | "/etc/cli.sh" | + | | | | | | + | **sic-key** | The Secure Internal Communication one time secret used to set up trust between the gateway object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | n/a | + | | | | | | + | **ssh-public-key** | The public ssh key used for ssh connection to the NVA GW instances | string | ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx generated-by-azure; | n/a | | string | gateway;
standalone; | + | | | | | | + | **bgp-asn** | The BGP autonomous system number | string | 64512 | "64512" || + | | | | | | + | **custom-metrics** | Indicates whether CloudGuard Metrics will be use for gateway monitoring | string | yes;
no; | "yes" | + | | | | | | + | **routing-intent-internet-traffic** | Set routing intent policy to allow internet traffic through the new nva | string | yes;
no;
Please verify routing-intent is configured successfully post-deployment | "yes" | + | | | | | | + | **routing-intent-private-traffic** | Set routing intent policy to allow private traffic through the new nva | string | yes;
no;
Please verify routing-intent is configured successfully post-deployment | "yes" | + | | | | | | + | **smart1-cloud-token-a** | Smart-1 Cloud token to connect automatically ***NVA instance a*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a | | + | | | | | | + | **smart1-cloud-token-b** | Smart-1 Cloud token to connect automatically ***NVA instance b*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a | | + | | | | | | + | **smart1-cloud-token-c** | Smart-1 Cloud token to connect automatically ***NVA instance c*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a | | + | | | | | | + | **smart1-cloud-token-d** | Smart-1 Cloud token to connect automatically ***NVA instance d*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a | | + | | | | | | + | **smart1-cloud-token-e** | Smart-1 Cloud token to connect automatically ***NVA instance e*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a | | + | | + +## Conditional creation +- To enable CloudGuard metrics in order to send statuses and statistics collected from the gateway instance to the Azure Monitor service: + ``` + custom-metrics = yes + ``` + +## Example + authentication_method = "Service Principal" + client_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + client_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + tenant_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + subscription_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + resource-group-name = "tf-managed-app-resource-group" + location = "westcentralus" + vwan-hub-name = "tf-vwan-hub" + vwan-hub-resource-group = "tf-vwan-hub-rg" + managed-app-name = "tf-vwan-managed-app-nva" + nva-rg-name = "tf-vwan-nva-rg" + nva-name = "tf-vwan-nva" + os-version = "R8120" + license-type = "Security Enforcement (NGTP)" + scale-unit = "2" + bootstrap-script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" + admin-shell = "/etc/cli.sh" + sic-key = "xxxxxxxxxxxx" + ssh-public-key = "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" + bgp-asn = "64512" + custom-metrics = "yes" + routing-intent-internet-traffic = "yes" + routing-intent-private-traffic = "yes" + smart1-cloud-token-a = "" + smart1-cloud-token-b = "" + smart1-cloud-token-c = "" + smart1-cloud-token-d = "" + smart1-cloud-token-e = "" + existing-public-ip = "" + new-public-ip = "yes" + +## Revision History +In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|-------------------| +| 20240613 | Cosmetic 
fixes & default values | +| 20240228 | Added public IP for ingress support | | | +| 20231226 | First release of Check Point CloudGuard Network Security Virtual WAN Terraform deployment for Azure | | + + +## License + +See the [LICENSE](../../LICENSE) file for details + diff --git a/terraform/azure/nva-into-existing-hub/main.tf b/terraform/azure/nva-into-existing-hub/main.tf new file mode 100644 index 00000000..5987c76b --- /dev/null +++ b/terraform/azure/nva-into-existing-hub/main.tf 
@@ -0,0 +1,195 @@ +//********************** Basic Configuration **************************// +resource "azurerm_resource_group" "managed-app-rg" { + name = var.resource-group-name + location = var.location +} + +data "azurerm_virtual_hub" "vwan-hub" { + name = var.vwan-hub-name + resource_group_name = var.vwan-hub-resource-group +} + +//********************** Image Version **************************// + +data "external" "az_access_token" { + count = var.authentication_method == "Azure CLI" ? 1 : 0 + program = ["az", "account", "get-access-token", "--resource=https://management.azure.com", "--query={accessToken: accessToken}", "--output=json"] +} + +data "http" "azure_auth" { + count = var.authentication_method == "Service Principal" ? 1 : 0 + url = "https://login.microsoftonline.com/${var.tenant_id}/oauth2/v2.0/token" + method = "POST" + request_headers = { + "Content-Type" = "application/x-www-form-urlencoded" + } + request_body = "grant_type=client_credentials&client_id=${var.client_id}&client_secret=${var.client_secret}&scope=https://management.azure.com/.default" +} + +locals { + access_token = var.authentication_method == "Service Principal" ? jsondecode(data.http.azure_auth[0].response_body).access_token : data.external.az_access_token[0].result.accessToken +} + +data "http" "image-versions" { + method = "GET" + url = "https://management.azure.com/subscriptions/${var.subscription_id}/providers/Microsoft.Network/networkVirtualApplianceSKUs/checkpoint${var.license-type == "Full Package (NGTX + S1C)" ? "-ngtx" : var.license-type == "Full Package Premium (NGTX + S1C++)" ? 
"-premium" : ""}?api-version=2020-05-01" + request_headers = { + Accept = "application/json" + "Authorization" = "Bearer ${local.access_token}" + } +} + +locals { + image_versions = tolist([for version in jsondecode(data.http.image-versions.response_body).properties.availableVersions : version if substr(version, 0, 4) == substr(lower(var.os-version), 1, 4)]) + routing_intent-internet-policy = { + "name": "InternetTraffic", + "destinations": [ + "Internet" + ], + "nextHop": "/subscriptions/${var.subscription_id}/resourcegroups/${var.nva-rg-name}/providers/Microsoft.Network/networkVirtualAppliances/${var.nva-name}" + } + routing_intent-private-policy = { + "name": "PrivateTrafficPolicy", + "destinations": [ + "PrivateTraffic" + ], + "nextHop": "/subscriptions/${var.subscription_id}/resourcegroups/${var.nva-rg-name}/providers/Microsoft.Network/networkVirtualAppliances/${var.nva-name}" + } + routing-intent-policies = var.routing-intent-internet-traffic == "yes" ? (var.routing-intent-private-traffic == "yes" ? tolist([local.routing_intent-internet-policy, local.routing_intent-private-policy]) : tolist([local.routing_intent-internet-policy])) : (var.routing-intent-private-traffic == "yes" ? 
tolist([local.routing_intent-private-policy]) : []) + req_body = jsonencode({"properties": {"routingPolicies": local.routing-intent-policies}}) + req_url = "https://management.azure.com/subscriptions/${var.subscription_id}/resourceGroups/${var.vwan-hub-resource-group}/providers/Microsoft.Network/virtualHubs/${var.vwan-hub-name}/routingIntent/hubRoutingIntent?api-version=2022-01-01" +} + +//********************** Marketplace Terms & Solution Registration **************************// +data "http" "accept-marketplace-terms-existing-agreement" { + method = "GET" + url = "https://management.azure.com/subscriptions/${var.subscription_id}/providers/Microsoft.MarketplaceOrdering/agreements/checkpoint/offers/cp-vwan-managed-app/plans/vwan-app?api-version=2021-01-01" + request_headers = { + Accept = "application/json" + "Authorization" = "Bearer ${local.access_token}" + } +} + +resource "azurerm_marketplace_agreement" "accept-marketplace-terms" { + count = can(jsondecode(data.http.accept-marketplace-terms-existing-agreement.response_body).id) ? (jsondecode(data.http.accept-marketplace-terms-existing-agreement.response_body).properties.state == "Active" ? 0 : 1) : 1 + publisher = "checkpoint" + offer = "cp-vwan-managed-app" + plan = "vwan-app" +} + +data "http" "azurerm_resource_provider_registration-exist" { + method = "GET" + url = "https://management.azure.com/subscriptions/${var.subscription_id}/providers/Microsoft.Solutions?api-version=2021-01-01" + request_headers = { + Accept = "application/json" + "Authorization" = "Bearer ${local.access_token}" + } +} + +resource "azurerm_resource_provider_registration" "solutions" { + count = jsondecode(data.http.azurerm_resource_provider_registration-exist.response_body).registrationState == "Registered" ? 
0 : 1 + name = "Microsoft.Solutions" +} + + +//********************** Managed Application Configuration **************************// +resource "azurerm_managed_application" "nva" { + depends_on = [azurerm_marketplace_agreement.accept-marketplace-terms, azurerm_resource_provider_registration.solutions] + name = var.managed-app-name + location = azurerm_resource_group.managed-app-rg.location + resource_group_name = azurerm_resource_group.managed-app-rg.name + kind = "MarketPlace" + managed_resource_group_name = var.nva-rg-name + + plan { + name = "vwan-app" + product = "cp-vwan-managed-app" + publisher = "checkpoint" + version = "1.0.14" + } + parameter_values = jsonencode({ + location = { + value = azurerm_resource_group.managed-app-rg.location + }, + hubId = { + value = data.azurerm_virtual_hub.vwan-hub.id + }, + osVersion = { + value = var.os-version + }, + LicenseType = { + value = var.license-type + }, + imageVersion = { + value = element(local.image_versions, length(local.image_versions) -1) + }, + scaleUnit = { + value = var.scale-unit + }, + bootstrapScript = { + value = var.bootstrap-script + }, + adminShell = { + value = var.admin-shell + }, + sicKey = { + value = var.sic-key + }, + sshPublicKey = { + value = var.ssh-public-key + }, + BGP = { + value = var.bgp-asn + }, + NVA = { + value = var.nva-name + }, + customMetrics = { + value = var.custom-metrics + }, + hubASN = { + value = data.azurerm_virtual_hub.vwan-hub.virtual_router_asn + }, + hubPeers = { + value = data.azurerm_virtual_hub.vwan-hub.virtual_router_ips + }, + smart1CloudTokenA = { + value = var.smart1-cloud-token-a + }, + smart1CloudTokenB = { + value = var.smart1-cloud-token-b + }, + smart1CloudTokenC = { + value = var.smart1-cloud-token-c + }, + smart1CloudTokenD = { + value = var.smart1-cloud-token-d + }, + smart1CloudTokenE = { + value = var.smart1-cloud-token-e + }, + publicIPIngress = { + value = (var.new-public-ip == "yes" || length(var.existing-public-ip) > 0) ? 
"yes" : "no" + }, + createNewIPIngress = { + value = var.new-public-ip + } + ipIngressExistingResourceId = { + value = var.existing-public-ip + } + }) +} + +//********************** Routing Intent **************************// + + +data "external" "update-routing-intent" { + count = length(local.routing-intent-policies) != 0 ? 1 : 0 + depends_on = [azurerm_managed_application.nva] + program = ["python", "../modules/add-routing-intent.py", "${local.req_url}", "${local.req_body}", "${local.access_token}"] +} + +output "api_request_result" { + value = length(local.routing-intent-policies) != 0 ? data.external.update-routing-intent[0].result : {routing-intent: "not changed"} +} + diff --git a/terraform/azure/nva-into-existing-hub/terraform.tfvars b/terraform/azure/nva-into-existing-hub/terraform.tfvars new file mode 100644 index 00000000..268fb4c1 --- /dev/null +++ b/terraform/azure/nva-into-existing-hub/terraform.tfvars 
@@ -0,0 +1,31 @@
+#PLEASE refer to the README.md for accepted values for the variables below
+authentication_method = "PLEASE ENTER AUTHENTICATION METHOD" # "Service Principal"
+client_secret = "PLEASE ENTER CLIENT SECRET" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+client_id = "PLEASE ENTER CLIENT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+tenant_id = "PLEASE ENTER TENANT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+subscription_id = "PLEASE ENTER SUBSCRIPTION ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+resource-group-name = "PLEASE ENTER RESOURCE GROUP NAME" # "tf-managed-app-resource-group"
+location = "PLEASE ENTER LOCATION" # "westcentralus"
+vwan-hub-name = "PLEASE ENTER VWAN HUB NAME" # "tf-vwan-hub"
+vwan-hub-resource-group = "PLEASE ENTER VWAN HUB RESOURCE GROUP" # "tf-vwan-hub-rg"
+managed-app-name = "PLEASE ENTER MANAGED APPLICATION NAME" # "tf-vwan-managed-app-nva"
+nva-rg-name = "PLEASE ENTER NVA RESOURCE GROUP NAME" # "tf-vwan-nva-rg"
+nva-name = "PLEASE ENTER NVA NAME" # "tf-vwan-nva"
+os-version = "PLEASE ENTER GAIA OS VERSION" # "R8120"
+license-type = "PLEASE ENTER LICENSE TYPE" # "Security Enforcement (NGTP)"
+scale-unit = "PLEASE ENTER SCALE UNIT" # "2"
+bootstrap-script = "PLEASE ENTER CUSTOM SCRIPT OR LEAVE EMPTY DOUBLE QUOTES" # "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
+admin-shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh"
+sic-key = "PLEASE ENTER SIC KEY" # "xxxxxxxxxx"
+ssh-public-key = "PLEASE ENTER SSH PUBLIC KEY" # "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key"
+bgp-asn = "PLEASE ENTER BGP AUTONOMOUS SYSTEM NUMBER" # "64512"
+custom-metrics = "PLEASE ENTER yes or no" # "yes"
+routing-intent-internet-traffic = "PLEASE ENTER yes or no" # "yes"
+routing-intent-private-traffic = "PLEASE ENTER yes or no" # "yes"
+smart1-cloud-token-a = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL FOR INSTANCE A OR LEAVE EMPTY DOUBLE QUOTES" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+smart1-cloud-token-b = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL FOR INSTANCE B OR LEAVE EMPTY DOUBLE QUOTES" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+smart1-cloud-token-c = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL FOR INSTANCE C OR LEAVE EMPTY DOUBLE QUOTES" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+smart1-cloud-token-d = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL FOR INSTANCE D OR LEAVE EMPTY DOUBLE QUOTES" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+smart1-cloud-token-e = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL FOR INSTANCE E OR LEAVE EMPTY DOUBLE QUOTES" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+existing-public-ip = "PLEASE ENTER THE RESOURCE ID OF A PUBLIC IP RESOURCE OR LEAVE EMPTY DOUBLE QUOTES" # "/subscription/123/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pip1"
+new-public-ip = "PLEASE ENTER yes or no" # "no"
\ No newline at end of file
diff --git a/terraform/azure/nva-into-existing-hub/variables.tf b/terraform/azure/nva-into-existing-hub/variables.tf
new file mode 100644
index 00000000..d00283d4
--- /dev/null
+++ b/terraform/azure/nva-into-existing-hub/variables.tf
@@ -0,0 +1,198 @@ +variable "authentication_method" { + description = "Azure authentication method" + type = string + validation { + condition = contains(["Azure CLI", "Service Principal"], var.authentication_method) + error_message = "Valid values for authentication_method are 'Azure CLI','Service Principal'" + } +} + +variable "subscription_id" { + description = "Subscription ID" + type = string +} + +variable "tenant_id" { + description = "Tenant ID" + type = string +} + +variable "client_id" { + description = "Application ID(Client ID)" + type = string +} + +variable "client_secret" { + description = "A secret string that the application uses to prove its identity when requesting a token. Also can be referred to as application password." + type = string +} + +variable "resource-group-name" { + type = string + default = "tf-managed-app-resource-group" +} + +variable "location" { + type = string + default = "westcentralus" +} + +variable "managed-app-name" { + type = string + default = "tf-vwan-managed-app-nva" +} + +variable "vwan-hub-name" { + type = string +} + +variable "vwan-hub-resource-group" { + type = string +} + +variable "nva-rg-name" { + type = string + default = "tf-vwan-nva-rg" +} + +variable "nva-name" { + type = string + default = "tf-vwan-nva" +} + +variable "os-version" { + description = "GAIA OS version" + type = string + default = "R8120" + validation { + condition = contains(["R8110", "R8120"], var.os-version) + error_message = "Allowed values for os-version are 'R8110', 'R8120'" + } +} + +variable "license-type" { + type = string + default = "Security Enforcement (NGTP)" + validation { + condition = contains(["Security Enforcement (NGTP)", "Full Package (NGTX + S1C)", "Full Package Premium (NGTX + S1C++)"], var.license-type) + error_message = "Allowed values for License Type are 'Security Enforcement (NGTP)', 'Full Package (NGTX + S1C)', 'Full Package Premium (NGTX + S1C++)'" + } +} + +variable "scale-unit" { + type = string + default = "2" 
+ validation { + condition = contains(["2", "4", "10", "20", "30", "60", "80"], var.scale-unit) + error_message = "Valid values for CloudGuard version are '2', '4', '10', '20', '30', '60', '80'" + } +} + +variable "bootstrap-script" { + type = string + default = "" +} + +variable "admin-shell" { + type = string + default = "/etc/cli.sh" + validation { + condition = contains(["/etc/cli.sh", "/bin/bash", "/bin/tcsh", "/bin/csh"], var.admin-shell) + error_message = "Valid shells are '/etc/cli.sh', '/bin/bash', '/bin/tcsh', '/bin/csh'" + } +} + +variable "sic-key" { + type = string + default = "" + sensitive = true + validation { + condition = can(regex("^[a-z0-9A-Z]{12,30}$", var.sic-key)) + error_message = "Only alphanumeric characters are allowed, and the value must be 12-30 characters long." + } +} + +variable "ssh-public-key" { + type = string + default = "" +} + +variable "bgp-asn" { + type = string + default = "64512" + validation { + condition = tonumber(var.bgp-asn) >= 64512 && tonumber(var.bgp-asn) <= 65534 && !contains([65515, 65520], tonumber(var.bgp-asn)) + error_message = "Only numbers between 64512 to 65534 are allowed excluding 65515, 65520." 
+ } +} + +variable "custom-metrics" { + type = string + default = "yes" + validation { + condition = contains(["yes", "no"], var.custom-metrics) + error_message = "Valid options are string('yes' or 'no')" + } +} + +variable "routing-intent-internet-traffic" { + default = "yes" + validation { + condition = contains(["yes", "no"], var.routing-intent-internet-traffic) + error_message = "Valid options are string('yes' or 'no')" + } +} + +variable "routing-intent-private-traffic" { + default = "yes" + validation { + condition = contains(["yes", "no"], var.routing-intent-private-traffic) + error_message = "Valid options are string('yes' or 'no')" + } +} + +variable "smart1-cloud-token-a" { + type = string + default = "" +} + +variable "smart1-cloud-token-b" { + type = string + default = "" +} + +variable "smart1-cloud-token-c" { + type = string + default = "" +} + +variable "smart1-cloud-token-d" { + type = string + default = "" +} + +variable "smart1-cloud-token-e" { + type = string + default = "" +} + +variable "existing-public-ip" { + type = string + default = "" +} + +variable "new-public-ip" { + type = string + default = "no" + validation { + condition = contains(["yes", "no"], var.new-public-ip) + error_message = "Valid options are string('yes' or 'no')" + } +} + +locals{ + # Validate that new-public-ip is false when existing-public-ip is used + is_both_params_used = length(var.existing-public-ip) > 0 && var.new-public-ip == "yes" + validation_message_both = "Only one parameter of existing-public-ip or new-public-ip can be used" + _ = regex("^$", (!local.is_both_params_used ? "" : local.validation_message_both)) +} \ No newline at end of file diff --git a/terraform/azure/nva-into-existing-hub/versions.tf b/terraform/azure/nva-into-existing-hub/versions.tf new file mode 100644 index 00000000..1c68a298 --- /dev/null +++ b/terraform/azure/nva-into-existing-hub/versions.tf 
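Review bot: `client_secret` is not marked `sensitive = true` even though `sic-key` is, so its value is printed wherever it is interpolated in plan output (it is used in the `request_body` of the auth data source in main.tf); add `sensitive = true` to `client_secret`, and consider the same for the five `smart1-cloud-token-*` variables, which are credentials for the Smart-1 Cloud management service. The `sic-key` default `""` cannot satisfy `^[a-z0-9A-Z]{12,30}$`, so leaving the variable unset appears to fail validation rather than make the key optional; either drop the default or allow the empty string explicitly (`var.sic-key == "" || can(regex("^[a-z0-9A-Z]{12,30}$", var.sic-key))`) if an empty key is a supported configuration. Minor: `routing-intent-internet-traffic` and `routing-intent-private-traffic` lack `type = string`, and the `scale-unit` error_message says 'CloudGuard version' where it means scale unit. The trailing `locals` block uses the `regex("^$", ...)` trick for cross-variable validation; with `required_version = ">= 1.5.0"` the same check fits a `precondition` on the managed application resource in main.tf (outside this hunk) with a proper error message.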
@@ -0,0 +1,17 @@ +terraform { + required_version = ">= 1.5.0" + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = " 3.79.0" + } + } +} + +provider "azurerm" { + subscription_id = var.subscription_id + client_id = var.client_id + client_secret = var.client_secret + tenant_id = var.tenant_id + features {} +} diff --git a/terraform/azure/nva-into-new-vwan/README.md b/terraform/azure/nva-into-new-vwan/README.md new file mode 100644 index 00000000..52cc1b17 --- /dev/null +++ b/terraform/azure/nva-into-new-vwan/README.md @@ -0,0 +1,182 @@ +# Check Point CloudGuard Network Security Virtual WAN Terraform deployment for Azure + +This Terraform module deploys Check Point CloudGuard Network Security Virtual WAN NVA solution into a new vWAN Hub in Azure. +As part of the deployment the following resources are created: +- Resource groups +- Virtual WAN +- Virtual WAN Hub +- Azure Managed Application: + - NVA + - Managed identity + +For additional information, +please see the [CloudGuard Network for Azure Virtual WAN Deployment Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_Azure_vWAN/Default.htm) + + +## Configurations +- Install and configure Terraform to provision Azure resources: [Configure Terraform for Azure](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/terraform-install-configure). +- In order to configure hub routing-intent policies it is **required** to have Python and 'requests' library installed. + +## Usage +- Choose the preferred login method to Azure in order to deploy the solution: +
1. Using Service Principal: + - Create a [Service Principal](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal) (or use the existing one) + - Grant the Service Principal at least "**Contributor**" permissions to the Azure subscription
+ - The Service Principal credentials can be stored either in the terraform.tfvars or as [Environment Variables](https://www.terraform.io/docs/providers/azuread/guides/service_principal_client_secret.html)
+ + In case the Environment Variables are used, perform modifications described below:
+ + a. The next lines in the versions.tf file, in the provider azurerm resource, need to be deleted or commented: + + provider "azurerm" { + + // subscription_id = var.subscription_id + // client_id = var.client_id + // client_secret = var.client_secret + // tenant_id = var.tenant_id + + features {} + } + + b. In the terraform.tfvars file leave empty double quotes for client_secret, client_id , tenant_id and subscription_id variables: + + client_secret = "" + client_id = "" + tenant_id = "" + subscription_id = "" + +
2. Using **az** commands from a command-line: + - Run **az login** command + - Sign in with your account credentials in the browser + - In the terraform.tfvars file leave empty double quotes for client_secret, client_id and tenant_id variables. + +- Fill all variables in the /terraform/azure/nva-into-new-vwan/terraform.tfvars file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + + terraform init +- Create an execution plan: + + terraform plan +- Create or modify the deployment: + + terraform apply + +### terraform.tfvars variables: + | Name | Description | Type | Allowed values | Default | + |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- | ------------- | + | **authentication_method** | The authentication method used to deploy the solution | string | "Service Principal";
"Azure CLI"; | n/a + | | + | **client_secret** | The client secret value of the Service Principal used to deploy the solution | string | | n/a + | || | | | + | **client_id** | The client ID of the Service Principal used to deploy the solution | string | | n/a + | || | | | + | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | n/a + | || | | | + | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | | n/a + | || | | | + | **resource-group-name** | The name of the resource group that will contain the managed application | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | "managed-app-resource-group" | + | || | | | + | **location** | The region where the resources will be deployed at | string | The full list of supported Azure regions can be found at https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-locations-partners#locations | "westcentralus" | + | || | | | + | **vwan-name** | The name of the virtual WAN that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | "tf-vwan" | + | || | | | + | **vwan-hub-name** | The name of the virtual WAN hub that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | "tf-vwan-hub" | + | || | | | + | **vwan-hub-address-prefix** | The address prefixes of the virtual hub | string | Valid CIDR block | "10.0.0.0/16" | + | || | | | + | **managed-app-name** | The name of the managed application that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | 
tf-vwan-managed-app | + | || | | | + | **nva-name** | The name of the NVA that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | tf-vwan-nva | + | || | | | + | **nva-rg-name** | The name of the resource group that will contain the NVA | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | tf-vwan-nva-rg | + | || | | | + | **os-version** | The GAIA os version| string | "R8110"
"R8120" | "R8120" | + | || | | | + | **license-type** | The Check Point licence type | string | "Security Enforcement (NGTP)"
"Full Package (NGTX + S1C)"
"Full Package Premium (NGTX + S1C++)" | "Security Enforcement (NGTP)" | + | || | | | + | **scale-unit** | The scale unit determines the size and number of resources deployed. The higher the scale unit, the greater the amount of traffic that can be handled. | string | "2"
"4"
"10"
"20"
"30"
"60"
"80"
| "2" | + | || | | | + | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | "" + | || | | | | | | | + | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | "/etc/cli.sh" | + | || | | | + | **sic-key** | The Secure Internal Communication one time secret used to set up trust between the gateway object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | n/a | + | || | | | + | **ssh-public-key** | The public ssh key used for ssh connection to the NVA GW instances | string | ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx generated-by-azure; | n/a | | string | gateway;
standalone; | + | || | | | + | **bgp-asn** | The BGP autonomous system number. | string | 64512 | "64512" || + | || | | | + | **custom-metrics** | Indicates whether CloudGuard Metrics will be use for gateway monitoring | string | yes;
no; | "yes" | + | || | | | + | **routing-intent-internet-traffic** | Set routing intent policy to allow internet traffic through the new nva | string | yes;
no;
Please verify routing-intent is configured successfully post-deployment | "yes" | + | || | | | + | **routing-intent-private-traffic** | Set routing intent policy to allow private traffic through the new nva | string | yes;
no;
Please verify routing-intent is configured successfully post-deployment | "yes" | + | || | | | + | **smart1-cloud-token-a** | Smart-1 Cloud token to connect automatically ***NVA instance a*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a | | + | || | | | + | **smart1-cloud-token-b** | Smart-1 Cloud token to connect automatically ***NVA instance b*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a | | + | || | | | + | **smart1-cloud-token-c** | Smart-1 Cloud token to connect automatically ***NVA instance c*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a | | + | || | | | + | **smart1-cloud-token-d** | Smart-1 Cloud token to connect automatically ***NVA instance d*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a | | + | || | | | + | **smart1-cloud-token-e** | Smart-1 Cloud token to connect automatically ***NVA instance e*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a | | + | | + | **existing-public-ip** | Existing public IP reosurce to attach to the newly deployed NVA | string | A resource ID of the public IP resource | | + | | | | | | + | **new-public-ip** | Deploy a new public IP resource as part of the managed app and attach to the NVA | string | yes;
no;| | + | | + +## Conditional creation +- To enable CloudGuard metrics in order to send statuses and statistics collected from the gateway instance to the Azure Monitor service: + ``` + custom-metrics = yes + ``` + +## Example + authentication_method = "Service Principal" + client_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + client_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + tenant_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + subscription_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + resource-group-name = "tf-managed-app-resource-group" + location = "westcentralus" + vwan-name = "tf-vwan" + vwan-hub-name = "tf-vwan-hub" + vwan-hub-address-prefix = "10.0.0.0/16" + managed-app-name = "tf-vwan-managed-app-nva" + nva-rg-name = "tf-vwan-nva-rg" + nva-name = "tf-vwan-nva" + os-version = "R8120" + license-type = "Security Enforcement (NGTP)" + scale-unit = "2" + bootstrap-script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" + admin-shell = "/etc/cli.sh" + sic-key = "xxxxxxxxxxxx" + ssh-public-key = "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" + bgp-asn = "64512" + custom-metrics = "yes" + routing-intent-internet-traffic = "yes" + routing-intent-private-traffic = "yes" + smart1-cloud-token-a = "" + smart1-cloud-token-b = "" + smart1-cloud-token-c = "" + smart1-cloud-token-d = "" + smart1-cloud-token-e = "" + existing-public-ip = "" + new-public-ip = "yes" + +## Revision History +In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|-----------------------------------------------------------------------------------------------| +| 20240613 | Cosmetic fixes & default values | +| 20240228 | Added public IP for ingress support | | | +| 20231226 | First release of Check Point CloudGuard Network Security Virtual WAN Terraform deployment for Azure | 
| | + + +## License + +See the [LICENSE](../../LICENSE) file for details + diff --git a/terraform/azure/nva-into-new-vwan/main.tf b/terraform/azure/nva-into-new-vwan/main.tf new file mode 100644 index 00000000..43a409c3 --- /dev/null +++ b/terraform/azure/nva-into-new-vwan/main.tf 
@@ -0,0 +1,202 @@ +//********************** Basic Configuration **************************// +resource "azurerm_resource_group" "managed-app-rg" { + name = var.resource-group-name + location = var.location +} + +resource "azurerm_virtual_wan" "vwan" { + name = var.vwan-name + resource_group_name = azurerm_resource_group.managed-app-rg.name + location = var.location +} + +resource "azurerm_virtual_hub" "vwan-hub" { + name = var.vwan-hub-name + resource_group_name = azurerm_resource_group.managed-app-rg.name + location = azurerm_resource_group.managed-app-rg.location + address_prefix = var.vwan-hub-address-prefix + virtual_wan_id = azurerm_virtual_wan.vwan.id +} + +//********************** Image Version **************************// + +data "external" "az_access_token" { + count = var.authentication_method == "Azure CLI" ? 1 : 0 + program = ["az", "account", "get-access-token", "--resource=https://management.azure.com", "--query={accessToken: accessToken}", "--output=json"] +} + +data "http" "azure_auth" { + count = var.authentication_method == "Service Principal" ? 1 : 0 + url = "https://login.microsoftonline.com/${var.tenant_id}/oauth2/v2.0/token" + method = "POST" + request_headers = { + "Content-Type" = "application/x-www-form-urlencoded" + } + request_body = "grant_type=client_credentials&client_id=${var.client_id}&client_secret=${var.client_secret}&scope=https://management.azure.com/.default" +} + +locals { + access_token = var.authentication_method == "Service Principal" ? jsondecode(data.http.azure_auth[0].response_body).access_token : data.external.az_access_token[0].result.accessToken +} + +data "http" "image-versions" { + method = "GET" + url = "https://management.azure.com/subscriptions/${var.subscription_id}/providers/Microsoft.Network/networkVirtualApplianceSKUs/checkpoint${var.license-type == "Full Package (NGTX + S1C)" ? "-ngtx" : var.license-type == "Full Package Premium (NGTX + S1C++)" ? 
"-premium" : ""}?api-version=2020-05-01" + request_headers = { + Accept = "application/json" + "Authorization" = "Bearer ${local.access_token}" + } +} + +locals { + image_versions = tolist([for version in jsondecode(data.http.image-versions.response_body).properties.availableVersions : version if substr(version, 0, 4) == substr(lower(var.os-version), 1, 4)]) + routing_intent-internet-policy = { + "name": "InternetTraffic", + "destinations": [ + "Internet" + ], + "nextHop": "/subscriptions/${var.subscription_id}/resourcegroups/${var.nva-rg-name}/providers/Microsoft.Network/networkVirtualAppliances/${var.nva-name}" + } + routing_intent-private-policy = { + "name": "PrivateTrafficPolicy", + "destinations": [ + "PrivateTraffic" + ], + "nextHop": "/subscriptions/${var.subscription_id}/resourcegroups/${var.nva-rg-name}/providers/Microsoft.Network/networkVirtualAppliances/${var.nva-name}" + } + routing-intent-policies = var.routing-intent-internet-traffic == "yes" ? (var.routing-intent-private-traffic == "yes" ? tolist([local.routing_intent-internet-policy, local.routing_intent-private-policy]) : tolist([local.routing_intent-internet-policy])) : (var.routing-intent-private-traffic == "yes" ? 
tolist([local.routing_intent-private-policy]) : []) + req_body = jsonencode({"properties": {"routingPolicies": local.routing-intent-policies}}) + req_url = "https://management.azure.com/subscriptions/${var.subscription_id}/resourceGroups/${azurerm_resource_group.managed-app-rg.name}/providers/Microsoft.Network/virtualHubs/${var.vwan-hub-name}/routingIntent/hubRoutingIntent?api-version=2022-01-01" + +} + +//********************** Marketplace Terms & Solution Registration **************************// +data "http" "accept-marketplace-terms-existing-agreement" { + method = "GET" + url = "https://management.azure.com/subscriptions/${var.subscription_id}/providers/Microsoft.MarketplaceOrdering/agreements/checkpoint/offers/cp-vwan-managed-app/plans/vwan-app?api-version=2021-01-01" + request_headers = { + Accept = "application/json" + "Authorization" = "Bearer ${local.access_token}" + } +} + +resource "azurerm_marketplace_agreement" "accept-marketplace-terms" { + count = can(jsondecode(data.http.accept-marketplace-terms-existing-agreement.response_body).id) ? (jsondecode(data.http.accept-marketplace-terms-existing-agreement.response_body).properties.state == "Active" ? 0 : 1) : 1 + publisher = "checkpoint" + offer = "cp-vwan-managed-app" + plan = "vwan-app" +} + + +data "http" "azurerm_resource_provider_registration-exist" { + method = "GET" + url = "https://management.azure.com/subscriptions/${var.subscription_id}/providers/Microsoft.Solutions?api-version=2021-01-01" + request_headers = { + Accept = "application/json" + "Authorization" = "Bearer ${local.access_token}" + } +} + +resource "azurerm_resource_provider_registration" "solutions" { + count = jsondecode(data.http.azurerm_resource_provider_registration-exist.response_body).registrationState == "Registered" ? 
0 : 1 + name = "Microsoft.Solutions" +} + +//********************** Managed Application Configuration **************************// +resource "azurerm_managed_application" "nva" { + depends_on = [azurerm_marketplace_agreement.accept-marketplace-terms, azurerm_resource_provider_registration.solutions] + name = var.managed-app-name + location = azurerm_resource_group.managed-app-rg.location + resource_group_name = azurerm_resource_group.managed-app-rg.name + kind = "MarketPlace" + managed_resource_group_name = var.nva-rg-name + + plan { + name = "vwan-app" + product = "cp-vwan-managed-app" + publisher = "checkpoint" + version = "1.0.14" + } + parameter_values = jsonencode({ + location = { + value = azurerm_resource_group.managed-app-rg.location + }, + hubId = { + value = azurerm_virtual_hub.vwan-hub.id + }, + osVersion = { + value = var.os-version + }, + LicenseType = { + value = var.license-type + }, + imageVersion = { + value = element(local.image_versions, length(local.image_versions) -1) + }, + scaleUnit = { + value = var.scale-unit + }, + bootstrapScript = { + value = var.bootstrap-script + }, + adminShell = { + value = var.admin-shell + }, + sicKey = { + value = var.sic-key + }, + sshPublicKey = { + value = var.ssh-public-key + }, + BGP = { + value = var.bgp-asn + }, + NVA = { + value = var.nva-name + }, + customMetrics = { + value = var.custom-metrics + }, + hubASN = { + value = azurerm_virtual_hub.vwan-hub.virtual_router_asn + }, + hubPeers = { + value = azurerm_virtual_hub.vwan-hub.virtual_router_ips + }, + smart1CloudTokenA = { + value = var.smart1-cloud-token-a + }, + smart1CloudTokenB = { + value = var.smart1-cloud-token-b + }, + smart1CloudTokenC = { + value = var.smart1-cloud-token-c + }, + smart1CloudTokenD = { + value = var.smart1-cloud-token-d + }, + smart1CloudTokenE = { + value = var.smart1-cloud-token-e + }, + publicIPIngress = { + value = (var.new-public-ip == "yes" || length(var.existing-public-ip) > 0) ? 
"yes" : "no" + }, + createNewIPIngress = { + value = var.new-public-ip + } + ipIngressExistingResourceId = { + value = var.existing-public-ip + } + }) +} + +//********************** Routing Intent **************************// +data "external" "update-routing-intent" { + count = length(local.routing-intent-policies) != 0 ? 1 : 0 + depends_on = [azurerm_managed_application.nva] + program = ["python", "../modules/add-routing-intent.py", "${local.req_url}", "${local.req_body}", "${local.access_token}"] +} + +output "api_request_result" { + value = length(local.routing-intent-policies) != 0 ? data.external.update-routing-intent[0].result : {routing-intent: "not changed"} +} diff --git a/terraform/azure/nva-into-new-vwan/terraform.tfvars b/terraform/azure/nva-into-new-vwan/terraform.tfvars new file mode 100644 index 00000000..8473e72c --- /dev/null +++ b/terraform/azure/nva-into-new-vwan/terraform.tfvars 
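Review bot: The bearer token in `local.access_token` is handed to the helper script as a command-line argument in the Routing Intent block (`program = ["python", "../modules/add-routing-intent.py", "${local.req_url}", "${local.req_body}", "${local.access_token}"]`), which exposes a management-plane token for the whole subscription in the process list and shell/job history of the machine running terraform; the `external` data source's `query` map delivers the same values to the script as JSON on stdin, so nothing secret has to appear in argv (the script in `../modules` is not in this hunk and would need to read stdin accordingly). The `data "http"` sources are also recorded in Terraform state, so `data.http.azure_auth` stores the token it receives in plaintext, and its `request_body` interpolates `var.client_secret` raw into a form-encoded body — `client_secret=${urlencode(var.client_secret)}` keeps a secret containing reserved characters from breaking the request, and the state backend has to be treated as secret-bearing either way. None of the three `data "http"` blocks check `status_code`, so an expired secret or a missing role surfaces as a `jsondecode`/attribute error on `.access_token` or `.properties.availableVersions` rather than a clear message; a `lifecycle { postcondition { condition = self.status_code == 200 ... } }` on each would name the real failure. Relatedly, `element(local.image_versions, length(local.image_versions) - 1)` fails with an opaque error when the version filter yields an empty list.
```hcl
data "external" "update-routing-intent" {
  count      = length(local.routing-intent-policies) != 0 ? 1 : 0
  depends_on = [azurerm_managed_application.nva]
  program    = ["python", "../modules/add-routing-intent.py"]
  # Pass the request and bearer token on stdin as JSON rather than argv,
  # so the token is not visible in the process list or shell history.
  query = {
    req_url      = local.req_url
    req_body     = local.req_body
    access_token = local.access_token
  }
}
```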
@@ -0,0 +1,32 @@
+#PLEASE refer to the README.md for accepted values for the variables below
+authentication_method = "PLEASE ENTER AUTHENTICATION METHOD" # "Service Principal"
+client_secret = "PLEASE ENTER CLIENT SECRET" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+client_id = "PLEASE ENTER CLIENT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+tenant_id = "PLEASE ENTER TENANT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+subscription_id = "PLEASE ENTER SUBSCRIPTION ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+resource-group-name = "PLEASE ENTER RESOURCE GROUP NAME" # "tf-managed-app-resource-group"
+location = "PLEASE ENTER LOCATION" # "westcentralus"
+vwan-name = "PLEASE ENTER VIRTUAL WAN NAME" # "tf-cp-vwan"
+vwan-hub-name = "PLEASE ENTER VWAN HUB NAME" # "tf-cp-vwan-hub"
+vwan-hub-address-prefix = "PLEASE ENTER VWAN HUB ADDRESS PREFIX" # "10.0.0.0/16"
+managed-app-name = "PLEASE ENTER MANAGED APPLICATION NAME" # "tf-vwan-managed-app-nva"
+nva-rg-name = "PLEASE ENTER NVA RESOURCE GROUP NAME" # "tf-vwan-nva-rg"
+nva-name = "PLEASE ENTER NVA NAME" # "tf-vwan-nva"
+os-version = "PLEASE ENTER GAIA OS VERSION" # "R8120"
+license-type = "PLEASE ENTER LICENSE TYPE" # "Security Enforcement (NGTP)"
+scale-unit = "PLEASE ENTER SCALE UNIT" # "2"
+bootstrap-script = "PLEASE ENTER CUSTOM SCRIPT OR LEAVE EMPTY DOUBLE QUOTES" # "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
+admin-shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh"
+sic-key = "PLEASE ENTER SIC KEY" # "xxxxxxxxxx"
+ssh-public-key = "PLEASE ENTER SSH PUBLIC KEY" # "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key"
+bgp-asn = "PLEASE ENTER BGP AUTONOMOUS SYSTEM NUMBER" # "64512"
+custom-metrics = "PLEASE ENTER yes or no" # "yes"
+routing-intent-internet-traffic = "PLEASE ENTER yes or no" # "yes"
+routing-intent-private-traffic = "PLEASE ENTER yes or no" # "yes"
+smart1-cloud-token-a = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL FOR INSTANCE A OR LEAVE EMPTY DOUBLE QUOTES" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+smart1-cloud-token-b = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL FOR INSTANCE B OR LEAVE EMPTY DOUBLE QUOTES" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+smart1-cloud-token-c = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL FOR INSTANCE C OR LEAVE EMPTY DOUBLE QUOTES" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+smart1-cloud-token-d = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL FOR INSTANCE D OR LEAVE EMPTY DOUBLE QUOTES" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+smart1-cloud-token-e = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL FOR INSTANCE E OR LEAVE EMPTY DOUBLE QUOTES" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+existing-public-ip = "PLEASE ENTER THE RESOURCE ID OF A PUBLIC IP RESOURCE OR LEAVE EMPTY DOUBLE QUOTES" # "/subscription/123/resourceGroups/rg1/providers/Microsoft.Network/publicIPAddresses/pip1"
+new-public-ip = "PLEASE ENTER yes or no" # "no"
\ No newline at end of file
diff --git a/terraform/azure/nva-into-new-vwan/variables.tf b/terraform/azure/nva-into-new-vwan/variables.tf
new file mode 100644
index 00000000..927592c9
--- /dev/null
+++ b/terraform/azure/nva-into-new-vwan/variables.tf
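Review bot: `client_secret`, `sic-key` and the five `smart1-cloud-token-*` entries are meant to be filled in directly in this tracked `terraform.tfvars`, so a normal deployment edit is one `git add` away from committing live credentials to the repository. The only guidance in the file is the first-line pointer to the README, which does document the environment-variable alternative; a second comment here would put it where the user is typing, e.g. `# Do not commit real values here: supply secrets via TF_VAR_client_secret (and TF_VAR_sic-key etc.) or a git-ignored *.auto.tfvars`. The `.gitignore` added in this patch is not in this hunk, so whether it already excludes a local override file cannot be confirmed from here.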
@@ -0,0 +1,209 @@ +variable "authentication_method" { + description = "Azure authentication method" + type = string + validation { + condition = contains(["Azure CLI", "Service Principal"], var.authentication_method) + error_message = "Valid values for authentication_method are 'Azure CLI','Service Principal'" + } +} + +variable "subscription_id" { + description = "Subscription ID" + type = string +} + +variable "tenant_id" { + description = "Tenant ID" + type = string +} + +variable "client_id" { + description = "Application ID(Client ID)" + type = string +} + +variable "client_secret" { + description = "A secret string that the application uses to prove its identity when requesting a token. Also can be referred to as application password." + type = string +} + +variable "resource-group-name" { + type = string + default = "managed-app-resource-group" +} + +variable "location" { + type = string + default = "westcentralus" +} + +variable "vwan-name" { + type = string + default = "tf-vwan" +} + +variable "vwan-hub-name" { + type = string + default = "tf-vwan-hub" +} + +variable "vwan-hub-address-prefix" { + type = string + default = "10.0.0.0/16" + validation { + condition = can(cidrhost(var.vwan-hub-address-prefix, 0)) + error_message = "Please provide a valid CIDR specification for the VWAN address space" + } +} + +variable "managed-app-name" { + type = string + default = "tf-vwan-managed-app" +} + +variable "nva-rg-name" { + type = string + default = "tf-vwan-nva-rg" +} + +variable "nva-name" { + type = string + default = "tf-vwan-nva" +} + +variable "os-version" { + description = "GAIA OS version" + type = string + default = "R8120" + validation { + condition = contains(["R8110", "R8120"], var.os-version) + error_message = "Allowed values for os-version are 'R8110', 'R8120'" + } +} + +variable "license-type" { + type = string + default = "Security Enforcement (NGTP)" + validation { + condition = contains(["Security Enforcement (NGTP)", "Full Package (NGTX + 
S1C)", "Full Package Premium (NGTX + S1C++)"], var.license-type) + error_message = "Allowed values for License Type are 'Security Enforcement (NGTP)', 'Full Package (NGTX + S1C)', 'Full Package Premium (NGTX + S1C++)'" + } +} + +variable "scale-unit" { + type = string + default = "2" + validation { + condition = contains(["2", "4", "10", "20", "30", "60", "80"], var.scale-unit) + error_message = "Valid values for CloudGuard version are '2', '4', '10', '20', '30', '60', '80'" + } +} + +variable "bootstrap-script" { + type = string + default = "" +} + +variable "admin-shell" { + type = string + default = "/etc/cli.sh" + validation { + condition = contains(["/etc/cli.sh", "/bin/bash", "/bin/tcsh", "/bin/csh"], var.admin-shell) + error_message = "Valid shells are '/etc/cli.sh', '/bin/bash', '/bin/tcsh', '/bin/csh'" + } +} + +variable "sic-key" { + type = string + default = "" + sensitive = true + validation { + condition = can(regex("^[a-z0-9A-Z]{12,30}$", var.sic-key)) + error_message = "Only alphanumeric characters are allowed, and the value must be 12-30 characters long." + } +} + +variable "ssh-public-key" { + type = string + default = "" +} + +variable "bgp-asn" { + type = string + default = "64512" + validation { + condition = tonumber(var.bgp-asn) >= 64512 && tonumber(var.bgp-asn) <= 65534 && !contains([65515, 65520], tonumber(var.bgp-asn)) + error_message = "Only numbers between 64512 to 65534 are allowed excluding 65515, 65520." 
+ } +} + +variable "custom-metrics" { + type = string + default = "yes" + validation { + condition = contains(["yes", "no"], var.custom-metrics) + error_message = "Valid options are string('yes' or 'no')" + } +} + +variable "routing-intent-internet-traffic" { + default = "yes" + validation { + condition = contains(["yes", "no"], var.routing-intent-internet-traffic) + error_message = "Valid options are string('yes' or 'no')" + } +} + +variable "routing-intent-private-traffic" { + default = "yes" + validation { + condition = contains(["yes", "no"], var.routing-intent-private-traffic) + error_message = "Valid options are string('yes' or 'no')" + } +} + +variable "smart1-cloud-token-a" { + type = string + default = "" +} + +variable "smart1-cloud-token-b" { + type = string + default = "" +} + +variable "smart1-cloud-token-c" { + type = string + default = "" +} + +variable "smart1-cloud-token-d" { + type = string + default = "" +} + +variable "smart1-cloud-token-e" { + type = string + default = "" +} + +variable "existing-public-ip" { + type = string + default = "" +} + +variable "new-public-ip" { + type = string + default = "no" + validation { + condition = contains(["yes", "no"], var.new-public-ip) + error_message = "Valid options are string('yes' or 'no')" + } +} + +locals{ + # Validate that new-public-ip is false when existing-public-ip is used + is_both_params_used = length(var.existing-public-ip) > 0 && var.new-public-ip == "yes" + validation_message_both = "Only one parameter of existing-public-ip or new-public-ip can be used" + _ = regex("^$", (!local.is_both_params_used ? "" : local.validation_message_both)) +} \ No newline at end of file diff --git a/terraform/azure/nva-into-new-vwan/versions.tf b/terraform/azure/nva-into-new-vwan/versions.tf new file mode 100644 index 00000000..40d04f16 --- /dev/null +++ b/terraform/azure/nva-into-new-vwan/versions.tf 
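Review bot: `client_secret` is declared without `sensitive = true` while `sic-key` further down has it, so the secret is echoed in plan/apply output wherever it is interpolated (for instance the `request_body` of `data.http.azure_auth` in main.tf); the five `smart1-cloud-token-*` variables are in the same position. Adding `sensitive = true` to those six declarations is a one-line change each and does not alter how callers set them. As a point of consistency, `routing-intent-internet-traffic` and `routing-intent-private-traffic` are the only variables without `type = string`, and the `bgp-asn` validation applies `tonumber()` before `contains`, so a non-numeric input fails with a conversion error instead of the intended `error_message`.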
@@ -0,0 +1,17 @@ +terraform { + required_version = ">= 1.5.0" + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = " 3.79.0" + } + } +} + +provider "azurerm" { + subscription_id = var.subscription_id + client_id = var.client_id + client_secret = var.client_secret + tenant_id = var.tenant_id + features {} +} \ No newline at end of file diff --git a/terraform/azure/single-gateway-existing-vnet/README.md b/terraform/azure/single-gateway-existing-vnet/README.md new file mode 100755 index 00000000..73fa074d --- /dev/null +++ b/terraform/azure/single-gateway-existing-vnet/README.md @@ -0,0 +1,200 @@ +# Check Point CloudGuard Network Security Single Gateway Terraform deployment for Azure + +This Terraform module deploys Check Point CloudGuard Network Security Single Gateway solution into an existing Vnet in Azure. +As part of the deployment the following resources are created: +- Resource group +- System assigned identity + + +This solution uses the following modules: +- /terraform/azure/modules/common - used for creating a resource group and defining common variables. + + +## Configurations +- Install and configure Terraform to provision Azure resources: [Configure Terraform for Azure](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/terraform-install-configure) +- In order to use ssh connection to VMs, it is **required** to add a public key to the /terraform/azure/single-gateway-existing-vnet/azure_public_key file. + +## Usage +- Choose the preferred login method to Azure in order to deploy the solution: +
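Review bot: The provider pin `version = " 3.79.0"` carries a leading space inside the string; the constraint parser appears to tolerate the whitespace, but it reads as a typo and an operator-less pin hides whether an exact version is intended — `version = "~> 3.79"` (or `"= 3.79.0"` if the exact pin is deliberate) states the intent. The `provider "azurerm"` block passes `var.client_id`, `var.client_secret` and `var.tenant_id` unconditionally, while `variables.tf` also accepts `authentication_method = "Azure CLI"`; a short comment on the block saying what those variables must be set to in CLI mode (the sibling single-gateway README says to leave them as empty double quotes) would save the next user a failed `terraform init`.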
1. Using Service Principal: + - Create a [Service Principal](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal) (or use the existing one) + - Grant the Service Principal at least "**Managed Application Contributor**", "**Storage Account Contributor**", "**Network Contributor**", "**Virtual Machine Contributor**" permissions to the Azure subscription
+ - The Service Principal credentials can be stored either in the terraform.tfvars or as [Environment Variables](https://www.terraform.io/docs/providers/azuread/guides/service_principal_client_secret.html)
+ + In case the Environment Variables are used, perform modifications described below:
+ + a. The next lines in the main.tf file, in the provider azurerm resource, need to be deleted or commented: + + provider "azurerm" { + + // subscription_id = var.subscription_id + // client_id = var.client_id + // client_secret = var.client_secret + // tenant_id = var.tenant_id + + features {} + } + + b. In the terraform.tfvars file leave empty double quotes for client_secret, client_id , tenant_id and subscription_id variables: + + client_secret = "" + client_id = "" + tenant_id = "" + subscription_id = "" + +
2. Using **az** commands from a command-line: + - Run **az login** command + - Sign in with your account credentials in the browser + - [Accept Azure Marketplace image terms](https://docs.microsoft.com/en-us/cli/azure/vm/image/terms?view=azure-cli-latest) by running: +
**az vm image terms accept --urn publisher:offer:sku:version**, where: + - publisher = checkpoint; + - offer = vm_os_offer (see accepted values in the table below); + - sku = vm_os_sku (see accepted values in the table below); + - version = latest
+
Example:
+ az vm image terms accept --urn checkpoint:check-point-cg-r8040:sg-byol:latest + + - In the terraform.tfvars file leave empty double quotes for client_secret, client_id and tenant_id variables. + +- Fill all variables in the /terraform/azure/single-gateway-existing-vnet/terraform.tfvars file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + + terraform init +- Create an execution plan: + + terraform plan +- Create or modify the deployment: + + terraform apply + +### terraform.tfvars variables: + | Name | Description | Type | Allowed values | Default | + |---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- | ------------- |---------| ------------- | + | **client_secret** | The client secret value of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **client_id** | The client ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | | n/a + | | | | | | + | **source_image_vhd_uri** | The URI of the blob containing the development image. 
Please use noCustomUri if you want to use marketplace images | string | | "noCustomUri" + | | | | | | + | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | n/a + | | | | | | + | **single_gateway_name** | The name of the Check Point single GW Object | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long | n/a + | | | | | | + | **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | n/a + | | | | | | + | **vnet_name** | The name of virtual network that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | n/a + | | | | | | + | **vnet_resource_group** | Resource Group of the existing virtual network | string | The exact name of the existing vnet's resource group | n/a + | | | | | | + | **frontend_subnet_name** | Specifies the name of the external subnet | string | The exact name of the existing external subnet | n/a + | | | | | | + | **backend_subnet_name** | Specifies the name of the internal subnet | string | The exact name of the existing internal subnet | n/a + | | | | | | + | **subnet_frontend_1st_Address** | First available address in frontend subnet | string | | n/a + | | | | | | + | **subnet_backend_1st_Address** | First available address in backend subnet | string | | n/a + | | | | | | + | **management_GUI_client_network** | Allowed GUI clients - GUI clients network CIDR | string | | n/a + | | | | | | + | **admin_password** | The password associated with the local administrator account on the gateway | string | Password must have 3 of the following: 1 lower case character, 1 upper case 
character, 1 number, and 1 special character | n/a + | | | | | | + | **smart_1_cloud_token** | Smart-1 Cloud token to connect automatically ***Gateway*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a | + | | | | | | + | **sic_key** | The Secure Internal Communication one time secret used to set up trust between the gateway object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | n/a + | | | | | | + | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", 
"Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | n/a + | | | | | | + | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | n/a + | | | | | | + | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license | n/a + | | | | | | + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | | | | | | + | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120"; | n/a + | | | | | | + | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | "" + | | | | | | + | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | n/a + | | | | | | + | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | n/a + | | | | | | + | **enable_custom_metrics** | Indicates whether CloudGuard Metrics will be use for gateways monitoring | boolean | true;
false; | true + | | | | | | + | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | "/etc/cli.sh" + | | | | | | + | **installation_type** | Enables to select installation type- gateway/standalone | string | gateway;
standalone; | n/a + | | | | | | + | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here | string | | n/a + | | | | | | + | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | | n/a + | | | | | | + | **nsg_id** | Optional ID for a Network Security Group that already exists in Azure, if not provided, will create a default NSG | string | Existing NSG resource ID | "" + | | | | | | + | **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false; | false + | | | | | | + | **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs | [] + +## Conditional creation +- To enable CloudGuard metrics in order to send statuses and statistics collected from the gateway instance to the Azure Monitor service: + ``` + enable_custom_metrics = true + ``` + +## Example + client_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + client_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + tenant_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + subscription_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + source_image_vhd_uri = "noCustomUri" + resource_group_name = "checkpoint-single-gw-terraform" + single_gateway_name = "checkpoint-single-gw-terraform" + location = "eastus" + vnet_name = "checkpoint-single-gw-vnet" + vnet_resource_group = "existing-vnet-rg" + subnet_frontend_name = "frontend" + subnet_backend_name = "backend" + subnet_frontend_1st_Address = "10.0.1.4" + subnet_backend_1st_Address = "10.12.1.5" + management_GUI_client_network = "0.0.0.0/0" + admin_password = "xxxxxxxxxxxx" + smart_1_cloud_token = "xxxxxxxxxxxx" + sic_key = "xxxxxxxxxxxx" + vm_size = "Standard_D3_v2" + disk_size = "110" + vm_os_sku = "sg-byol" + vm_os_offer = "check-point-cg-r8110" + os_version = "R8110" + bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" + allow_upload_download = true + authentication_type = "Password" + enable_custom_metrics = true + admin_shell = "/etc/cli.sh" + installation_type = "gateway" + serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + nsg_id = "" + add_storage_account_ip_rules = false + storage_account_additional_ips = [] + +## Revision History +In order to check the template version refer to the 
[sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|---------------------------------------------------------------------------------------------------| +| 20240613 | - Updated Azure Terraform provider version
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Added accelerated networking to SGW Terraform templates
- Updated Public IP sku to Standard
- Added validation for os_version & os_offer | +| | | | +| 20230910 | - R81.20 is the default version | +| | | | +| 20230629 | First release of Check Point CloudGuard Network Security Single GW Terraform deployment for Azure | +| | | | + + + +## License + +See the [LICENSE](../../LICENSE) file for details + diff --git a/terraform/azure/single-gateway-existing-vnet/azure_public_key b/terraform/azure/single-gateway-existing-vnet/azure_public_key new file mode 100644 index 00000000..e69de29b diff --git a/terraform/azure/single-gateway-existing-vnet/cloud-init.sh b/terraform/azure/single-gateway-existing-vnet/cloud-init.sh new file mode 100755 index 00000000..71bf3916 --- /dev/null +++ b/terraform/azure/single-gateway-existing-vnet/cloud-init.sh @@ -0,0 +1,18 @@ +#!/usr/bin/python3 /etc/cloud_config.py + +installationType="${installation_type}" +allowUploadDownload="${allow_upload_download}" +osVersion="${os_version}" +templateName="${template_name}" +templateVersion="${template_version}" +templateType="${template_type}" +isBlink="${is_blink}" +bootstrapScript64="${bootstrap_script64}" +location="${location}" +adminShell="${admin_shell}" +sicKey="${sic_key}" +managementGUIClientNetwork="${management_GUI_client_network}" +smart1CloudToken="${smart_1_cloud_token}" +customMetrics="${enable_custom_metrics}" +passwordHash="${serial_console_password_hash}" +MaintenanceModePassword="${maintenance_mode_password_hash}" \ No newline at end of file diff --git a/terraform/azure/single-gateway-existing-vnet/main.tf b/terraform/azure/single-gateway-existing-vnet/main.tf new file mode 100755 index 00000000..81ced59f --- /dev/null +++ b/terraform/azure/single-gateway-existing-vnet/main.tf 
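Review bot: Every value in this template is interpolated raw inside double quotes (`sicKey="${sic_key}"`, `passwordHash="${serial_console_password_hash}"`, `MaintenanceModePassword="${maintenance_mode_password_hash}"`), so a value containing a `"` or a backslash yields a malformed line, and whether hashes containing `$` (the README documents `openssl passwd -6` for `serial_console_password_hash`) survive depends on how `/etc/cloud_config.py` parses this file, which is not visible here. The bootstrap script already avoids this by arriving base64-encoded (`bootstrapScript64`); giving the key and hash fields the same treatment, or constraining them in variables.tf the way the nva-into-new-vwan template validates `sic-key` against `^[a-z0-9A-Z]{12,30}$`, would remove the quoting dependency. Presumably this rendered file becomes the VM's custom data (the main.tf that consumes it runs past this chunk), in which case the SIC key and password hashes travel and rest in plaintext wherever that custom data is stored or logged.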
@@ -0,0 +1,257 @@
+//********************** Providers **************************//
+provider "azurerm" {
+ subscription_id = var.subscription_id
+ client_id = var.client_id
+ client_secret = var.client_secret
+ tenant_id = var.tenant_id
+
+ features {}
+}
+
+//********************** Basic Configuration **************************//
+module "common" {
+ source = "../modules/common"
+ resource_group_name = var.resource_group_name
+ location = var.location
+ admin_password = var.admin_password
+ installation_type = var.installation_type
+ template_name = var.template_name
+ template_version = var.template_version
+ number_of_vm_instances = 1
+ allow_upload_download = var.allow_upload_download
+ vm_size = var.vm_size
+ disk_size = var.disk_size
+ is_blink = var.is_blink
+ os_version = var.os_version
+ vm_os_sku = var.vm_os_sku
+ vm_os_offer = var.vm_os_offer
+ authentication_type = var.authentication_type
+ serial_console_password_hash = var.serial_console_password_hash
+ maintenance_mode_password_hash = var.maintenance_mode_password_hash
+ storage_account_additional_ips = var.storage_account_additional_ips
+}
+
+//********************** Networking **************************//
+data "azurerm_subnet" "frontend_subnet" {
+ name = var.subnet_frontend_name
+ virtual_network_name = var.vnet_name
+ resource_group_name = var.vnet_resource_group
+}
+
+data "azurerm_subnet" "backend_subnet" {
+ name = var.subnet_backend_name
+ virtual_network_name = var.vnet_name
+ resource_group_name = var.vnet_resource_group
+}
+
+resource "azurerm_public_ip" "public-ip" {
+ name = var.single_gateway_name
+ location = module.common.resource_group_location
+ resource_group_name = module.common.resource_group_name
+ allocation_method = var.vnet_allocation_method
+ sku = var.sku
+ idle_timeout_in_minutes = 30
+ domain_name_label = join("", [
+ lower(var.single_gateway_name),
+ "-",
+ random_id.randomId.hex])
+}
+
+module "network-security-group" {
+ source = "../modules/network-security-group"
+ count = var.nsg_id == "" ? 1 : 0
+ resource_group_name = module.common.resource_group_name
+ security_group_name = "${module.common.resource_group_name}-nsg"
+ location = module.common.resource_group_location
+ security_rules = [
+ {
+ name = "AllowAllInBound"
+ priority = "100"
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "*"
+ source_port_ranges = "*"
+ destination_port_ranges = "*"
+ description = "Allow all inbound connections"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ }
+ ]
+}
+
+resource "azurerm_network_interface_security_group_association" "security_group_association" {
+ depends_on = [azurerm_network_interface.nic]
+ network_interface_id = azurerm_network_interface.nic.id
+ network_security_group_id = var.nsg_id == "" ? module.network-security-group[0].network_security_group_id: var.nsg_id
+}
+
+resource "azurerm_network_interface" "nic" {
+ depends_on = [
+ azurerm_public_ip.public-ip]
+ name = "${var.single_gateway_name}-eth0"
+ location = module.common.resource_group_location
+ resource_group_name = module.common.resource_group_name
+ enable_ip_forwarding = true
+ enable_accelerated_networking = true
+
+
+ ip_configuration {
+ name = "ipconfig1"
+ subnet_id = data.azurerm_subnet.frontend_subnet.id
+ private_ip_address_allocation = var.vnet_allocation_method
+ private_ip_address = var.subnet_frontend_1st_Address
+ public_ip_address_id = azurerm_public_ip.public-ip.id
+ }
+}
+
+resource "azurerm_network_interface" "nic1" {
+ depends_on = []
+ name = "${var.single_gateway_name}-eth1"
+ location = module.common.resource_group_location
+ resource_group_name = module.common.resource_group_name
+ enable_ip_forwarding = true
+ enable_accelerated_networking = true
+
+
+ ip_configuration {
+ name = "ipconfig2"
+ subnet_id = data.azurerm_subnet.backend_subnet.id
+ private_ip_address_allocation = var.vnet_allocation_method
+ private_ip_address = var.subnet_backend_1st_Address
+ }
+}
+
+//********************** Storage accounts **************************//
+// Generate random text for a unique storage account name
+resource "random_id" "randomId" {
+ keepers = {
+ # Generate a new ID only when a new resource group is defined
+ resource_group = module.common.resource_group_name
+ }
+ byte_length = 8
+}
+resource "azurerm_storage_account" "vm-boot-diagnostics-storage" {
+ name = "bootdiag${random_id.randomId.hex}"
+ resource_group_name = module.common.resource_group_name
+ location = module.common.resource_group_location
+ account_tier = module.common.storage_account_tier
+ account_replication_type = module.common.account_replication_type
+ account_kind = "Storage"
+ network_rules {
+ default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow"
+ ip_rules = module.common.storage_account_ip_rules
+ }
+ blob_properties {
+ delete_retention_policy {
+ days = "15"
+ }
+ }
+
+}
+
+//********************** Virtual Machines **************************//
+locals {
+ SSH_authentication_type_condition = var.authentication_type == "SSH Public Key" ? true : false
+ custom_image_condition = var.source_image_vhd_uri == "noCustomUri" ? false : true
+}
+
+resource "azurerm_image" "custom-image" {
+ count = local.custom_image_condition ? 1 : 0
+ name = "custom-image"
+ location = var.location
+ resource_group_name = module.common.resource_group_name
+
+ os_disk {
+ os_type = "Linux"
+ os_state = "Generalized"
+ blob_uri = var.source_image_vhd_uri
+ }
+}
+
+resource "azurerm_virtual_machine" "single-gateway-vm-instance" {
+ depends_on = [
+ azurerm_network_interface.nic,
+ azurerm_network_interface.nic1]
+ location = module.common.resource_group_location
+ name = var.single_gateway_name
+ network_interface_ids = [
+ azurerm_network_interface.nic.id,
+ azurerm_network_interface.nic1.id]
+ resource_group_name = module.common.resource_group_name
+ vm_size = module.common.vm_size
+ delete_os_disk_on_termination = module.common.delete_os_disk_on_termination
+ primary_network_interface_id = azurerm_network_interface.nic.id
+
+ identity {
+ type = module.common.vm_instance_identity
+ }
+
+ dynamic "plan" {
+ for_each = local.custom_image_condition ? [
+ ] : [1]
+ content {
+ name = module.common.vm_os_sku
+ publisher = module.common.publisher
+ product = module.common.vm_os_offer
+ }
+ }
+
+ boot_diagnostics {
+ enabled = module.common.boot_diagnostics
+ storage_uri = module.common.boot_diagnostics ? join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : ""
+ }
+
+ os_profile {
+ computer_name = lower(var.single_gateway_name)
+ admin_username = module.common.admin_username
+ admin_password = module.common.admin_password
+ custom_data = templatefile("${path.module}/cloud-init.sh", {
+ installation_type = module.common.installation_type
+ allow_upload_download = module.common.allow_upload_download
+ os_version = module.common.os_version
+ template_name = module.common.template_name
+ template_version = module.common.template_version
+ template_type = "terraform"
+ is_blink = module.common.is_blink
+ bootstrap_script64 = base64encode(var.bootstrap_script)
+ location = module.common.resource_group_location
+ admin_shell = var.admin_shell
+ sic_key = var.sic_key
+ management_GUI_client_network = var.management_GUI_client_network
+ smart_1_cloud_token = var.smart_1_cloud_token
+ enable_custom_metrics = var.enable_custom_metrics ? "yes" : "no"
+ serial_console_password_hash = var.serial_console_password_hash
+ maintenance_mode_password_hash = var.maintenance_mode_password_hash
+ })
+ }
+
+
+ os_profile_linux_config {
+ disable_password_authentication = local.SSH_authentication_type_condition
+
+ dynamic "ssh_keys" {
+ for_each = local.SSH_authentication_type_condition ? [
+ 1] : []
+ content {
+ path = "/home/notused/.ssh/authorized_keys"
+ key_data = file("${path.module}/azure_public_key")
+ }
+ }
+ }
+
+ storage_image_reference {
+ id = local.custom_image_condition ? azurerm_image.custom-image[0].id : null
+ publisher = local.custom_image_condition ? null : module.common.publisher
+ offer = module.common.vm_os_offer
+ sku = module.common.vm_os_sku
+ version = module.common.vm_os_version
+ }
+
+ storage_os_disk {
+ name = var.single_gateway_name
+ create_option = module.common.storage_os_disk_create_option
+ caching = module.common.storage_os_disk_caching
+ managed_disk_type = module.common.storage_account_type
+ disk_size_gb = module.common.disk_size
+ }
+}
diff --git a/terraform/azure/single-gateway-existing-vnet/terraform.tfvars b/terraform/azure/single-gateway-existing-vnet/terraform.tfvars
new file mode 100755
index 00000000..0a186633
--- /dev/null
+++ b/terraform/azure/single-gateway-existing-vnet/terraform.tfvars
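Review bot: The fallback `module "network-security-group"` created when `nsg_id` is empty carries a single `AllowAllInBound` rule from `*` to `*` on every port, and neither this file nor the `nsg_id` variable in variables.tf says so; if the intent is that the gateway itself is the enforcement point, say it where operators pick the variable, e.g. `description = "NSG ID - Optional - if empty a default NSG allowing all inbound traffic is created; filtering is expected to be done by the gateway"`. The boot-diagnostics storage account only restricts network access when `add_storage_account_ip_rules` is true, which is presumably why the variable exists, so a one-line comment above `network_rules` pointing at that switch would help a reader. On style, `depends_on = []` on `nic1` is a no-op, and the two `locals` spell out `? true : false` / `? false : true` where `==` and `!=` already produce booleans.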
@@ -0,0 +1,35 @@
+ #PLEASE refer to the README.md for accepted values for the variables below
+client_secret = "PLEASE ENTER CLIENT SECRET" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+client_id = "PLEASE ENTER CLIENT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+tenant_id = "PLEASE ENTER TENANT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+subscription_id = "PLEASE ENTER SUBSCRIPTION ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+source_image_vhd_uri = "PLEASE ENTER SOURCE IMAGE VHD URI OR noCustomUri" # "noCustomUri"
+resource_group_name = "PLEASE ENTER RESOURCE GROUP NAME" # "checkpoint-single-terraform"
+single_gateway_name = "PLEASE ENTER GW NAME" # "checkpoint-single-terraform"
+location = "PLEASE ENTER LOCATION" # "eastus"
+vnet_name = "PLEASE ENTER VIRTUAL NETWORK NAME" # "checkpoint-single-vnet"
+vnet_resource_group = "PLEASE ENTER VIRTUAL NETWORK RG NAME" # "existing-vnet-rg"
+subnet_frontend_name = "PLEASE ENTER VIRTUAL NETWORK FRONTEND SUBNET NAME" # "frontend"
+subnet_backend_name = "PLEASE ENTER VIRTUAL NETWORK BACKEND SUBNET NAME" # "backend"
+subnet_frontend_1st_Address = "PLEASE ENTER VIRTUAL NETWORK FRONTEND SUBNET FIRST ADDRESS" # "10.0.1.4"
+subnet_backend_1st_Address = "PLEASE ENTER VIRTUAL NETWORK BACKEND SUBNET FIRST ADDRESS" # "10.0.2.5"
+management_GUI_client_network = "PLEASE ENTER A MANAGEMENT GUI CLIENT NETWORK" # "0.0.0.0/0"
+admin_password = "PLEASE ENTER ADMIN PASSWORD" # "xxxxxxxxxxxx"
+smart_1_cloud_token = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL" # ""
+sic_key = "PLEASE ENTER SIC KEY" # "xxxxxxxxxxxx"
+vm_size = "PLEASE ENTER VM SIZE" # "Standard_D3_v2"
+disk_size = "PLEASE ENTER DISK SIZE" # "110"
+vm_os_sku = "PLEASE ENTER VM SKU" # "sg-byol"
+vm_os_offer = "PLEASE ENTER VM OFFER" # "check-point-cg-r8110"
+os_version = "PLEASE ENTER GAIA OS VERSION" # "R8110"
+bootstrap_script = "PLEASE ENTER CUSTOM SCRIPT OR LEAVE EMPTY DOUBLE QUOTES" # "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
+allow_upload_download = "PLEASE ENTER true or false" # true
+authentication_type = "PLEASE ENTER AUTHENTICATION TYPE" # "Password"
+enable_custom_metrics = "PLEASE ENTER true or false" # true
+admin_shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh"
+installation_type = "PLEASE ENTER INSTALLATION TYPE" # "gateway"
+serial_console_password_hash = "PLEASE ENTER SERIAL CONSOLE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+nsg_id = "PLEASE ENTER NETWORK SECURITY GROUP ID" # ""
+add_storage_account_ip_rules = "PLEASE ENTER true or false" # false
+storage_account_additional_ips = "PLEASE ENTER A LIST OF VALID IPS/CIDRS" # []
diff --git a/terraform/azure/single-gateway-existing-vnet/variables.tf b/terraform/azure/single-gateway-existing-vnet/variables.tf
new file mode 100755
index 00000000..dd4dc15e
--- /dev/null
+++ b/terraform/azure/single-gateway-existing-vnet/variables.tf
@@ -0,0 +1,281 @@
+//********************** Basic Configuration Variables **************************//
+variable "single_gateway_name" {
+ description = "Single gateway name"
+ type = string
+}
+
+variable "resource_group_name" {
+ description = "Azure Resource Group name to build into"
+ type = string
+}
+
+variable "location" {
+ description = "The location/region where resource will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions"
+ type = string
+}
+
+
+//********************** Virtual Machine Instances Variables **************************//
+variable "source_image_vhd_uri" {
+ type = string
+ description = "The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images."
+ default = "noCustomUri"
+}
+
+variable "admin_username" {
+ description = "Administrator username of deployed VM. Due to Azure limitations 'notused' name can be used"
+ default = "notused"
+}
+
+variable "admin_password" {
+ description = "Administrator password of deployed Virtual Machine. The password must meet the complexity requirements of Azure"
+ type = string
+}
+
+variable "serial_console_password_hash" {
+ description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type"
+ type = string
+}
+
+variable "maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash, relevant only for R81.20 and higher versions"
+ type = string
+}
+
+variable "smart_1_cloud_token" {
+ description = "Smart-1 Cloud Token"
+ type = string
+}
+
+variable "authentication_type" {
+ description = "Specifies whether a password authentication or SSH Public Key authentication should be used"
+ type = string
+}
+locals { // locals for 'authentication_type' allowed values
+ authentication_type_allowed_values = [
+ "Password",
+ "SSH Public Key"
+ ]
+ // will fail if [var.authentication_type] is invalid:
+ validate_authentication_type_value = index(local.authentication_type_allowed_values, var.authentication_type)
+}
+
+variable "template_name" {
+ description = "Template name. Should be defined according to deployment type(mgmt, ha, vmss, sg)"
+ type = string
+ default = "single"
+}
+
+variable "template_version" {
+ description = "Template version. It is recommended to always use the latest template version"
+ type = string
+ default = "20230910"
+}
+
+variable "installation_type" {
+ description = "Installation type"
+ type = string
+ default = "gateway"
+}
+
+locals { // locals for 'installation_type' allowed values
+ installation_type_allowed_values = [
+ "gateway",
+ "standalone"
+ ]
+}
+
+variable "vm_size" {
+ description = "Specifies size of Virtual Machine"
+ type = string
+}
+
+variable "disk_size" {
+ description = "Storage data disk size size(GB). Select a number between 100 and 3995"
+ type = string
+}
+
+variable "os_version" {
+ description = "GAIA OS version"
+ type = string
+}
+
+locals { // locals for 'vm_os_offer' allowed values
+ os_version_allowed_values = [
+ "R8040",
+ "R81",
+ "R8110",
+ "R8120"
+ ]
+ // will fail if [var.os_version] is invalid:
+ validate_os_version_value = index(local.os_version_allowed_values, var.os_version)
+}
+
+variable "vm_os_sku" {
+ description = "The sku of the image to be deployed."
+ type = string
+}
+
+variable "vm_os_offer" {
+ description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8040, check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120"
+ type = string
+}
+
+locals { // locals for 'vm_os_offer' allowed values
+ vm_os_offer_allowed_values = [
+ "check-point-cg-r8040",
+ "check-point-cg-r81",
+ "check-point-cg-r8110",
+ "check-point-cg-r8120"
+ ]
+ // will fail if [var.vm_os_offer] is invalid:
+ validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer)
+}
+
+variable "allow_upload_download" {
+ description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point"
+ type = bool
+}
+
+variable "enable_custom_metrics" {
+ description = "Indicates whether CloudGuard Metrics will be use for Cluster members monitoring."
+ type = bool
+ default = true
+}
+
+variable "is_blink" {
+ description = "Define if blink image is used for deployment"
+ default = true
+}
+
+variable "admin_shell" {
+ description = "The admin shell to configure on machine or the first time"
+ type = string
+ default = "/etc/cli.sh"
+}
+
+locals {
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"
+ ]
+ // Will fail if [var.admin_shell] is invalid
+ validate_admin_shell_value = index(local.admin_shell_allowed_values, var.admin_shell)
+}
+
+//********************** Networking Variables **************************//
+variable "vnet_name" {
+ description = "Virtual Network name"
+ type = string
+}
+
+variable "subnet_frontend_name" {
+ description = "management subnet name"
+ type = string
+}
+
+variable "subnet_backend_name" {
+ description = "management subnet name"
+ type = string
+}
+
+variable "subnet_frontend_1st_Address" {
+ description = "The first available address of the frontend subnet"
+ type = string
+}
+
+variable "subnet_backend_1st_Address" {
+ description = "The first available address of the backend subnet"
+ type = string
+}
+
+variable "vnet_resource_group" {
+ description = "Resource group of existing vnet"
+ type = string
+}
+
+variable "vnet_allocation_method" {
+ description = "IP address allocation method"
+ type = string
+ default = "Static"
+}
+
+variable "management_GUI_client_network" {
+ description = "Allowed GUI clients - GUI clients network CIDR"
+ type = string
+}
+
+locals {
+ regex_valid_single_GUI_client_network = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))$"
+ // Will fail if var.management_GUI_client_network is invalid
+ regex_single_GUI_client_network = regex(local.regex_valid_single_GUI_client_network, var.management_GUI_client_network) == var.management_GUI_client_network ? 0 : "Variable [management_GUI_client_network] must be a valid IPv4 network CIDR."
+
+
+ regex_valid_subnet_1st_Address = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$"
+ // Will fail if var.subnet_1st_Address is invalid
+ regex_subnet_frontend_1st_Address = regex(local.regex_valid_subnet_1st_Address, var.subnet_frontend_1st_Address) == var.subnet_frontend_1st_Address ? 0 : "Variable [subnet_1st_Address] must be a valid address."
+
+ regex_subnet_backend_1st_Address = regex(local.regex_valid_subnet_1st_Address, var.subnet_backend_1st_Address) == var.subnet_backend_1st_Address ? 0 : "Variable [subnet_1st_Address] must be a valid address."
+}
+
+variable "bootstrap_script" {
+ description = "An optional script to run on the initial boot"
+ default = ""
+ type = string
+ #example:
+ #"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
+}
+
+variable "nsg_id" {
+ description = "NSG ID - Optional - if empty use default NSG"
+ default = ""
+}
+
+variable "add_storage_account_ip_rules" {
+ type = bool
+ default = false
+ description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location"
+}
+
+variable "storage_account_additional_ips" {
+ type = list(string)
+ description = "IPs/CIDRs that are allowed access to the Storage Account"
+ default = []
+}
+
+//********************** Credentials **************************//
+variable "tenant_id" {
+ description = "Tenant ID"
+ type = string
+}
+
+variable "subscription_id" {
+ description = "Subscription ID"
+ type = string
+}
+
+variable "client_id" {
+ description = "Application ID(Client ID)"
+ type = string
+}
+
+variable "client_secret" {
+ description = "A secret string that the application uses to prove its identity when requesting a token. Also can be referred to as application password."
+ type = string
+}
+
+variable "sic_key" {
+ type = string
+}
+
+resource "null_resource" "sic_key_invalid" {
+ count = length(var.sic_key) >= 12 ? 0 : "SIC key must be at least 12 characters long"
+}
+
+variable "sku" {
+ description = "SKU"
+ type = string
+ default = "Standard"
+}
\ No newline at end of file
diff --git a/terraform/azure/single-gateway-existing-vnet/versions.tf b/terraform/azure/single-gateway-existing-vnet/versions.tf
new file mode 100755
index 00000000..0d5ca4f3
--- /dev/null
+++ b/terraform/azure/single-gateway-existing-vnet/versions.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~> 3.81.0"
+ }
+ random = {
+ version = "~> 3.5.1"
+ }
+ }
+}
\ No newline at end of file
diff --git a/terraform/azure/single-gateway-new-vnet/README.md b/terraform/azure/single-gateway-new-vnet/README.md
new file mode 100755
index 00000000..d4d821ac
--- /dev/null
+++ b/terraform/azure/single-gateway-new-vnet/README.md
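Review bot: `client_secret`, `admin_password`, `sic_key`, `smart_1_cloud_token`, `serial_console_password_hash` and `maintenance_mode_password_hash` are declared without `sensitive = true`, so their values show in clear text in `terraform plan`/`apply` output, including the rendered `custom_data` of the VM; the `required_version = ">= 0.14.3"` floor in the versions.tf hunk already supports the attribute, so `sensitive = true` can be added to each of those `variable` blocks. The allowed-value guards are implemented as `index()` calls in `locals` and as a `null_resource` whose `count` is a string, which presumably surface as a lookup or type-conversion error rather than the intended message; a `validation { condition = contains(local.os_version_allowed_values, var.os_version) error_message = "..." }` block on the variable gives the same guard with a readable message, and `sic_key` has no description at all. The error text for `regex_subnet_backend_1st_Address` names `[subnet_1st_Address]` rather than `subnet_backend_1st_Address`, so a failing backend address is reported against the wrong variable.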
@@ -0,0 +1,197 @@ +# Check Point CloudGuard Network Security Single Gateway Terraform deployment for Azure + +This Terraform module deploys Check Point CloudGuard Network Security Single Gateway solution into a new Vnet in Azure. +As part of the deployment the following resources are created: +- Resource group +- Virtual network +- Network security group +- System assigned identity + + +This solution uses the following modules: +- /terraform/azure/modules/common - used for creating a resource group and defining common variables. +- /terraform/azure/modules/vnet - used for creating new virtual network and subnets. +- /terraform/azure/modules/network-security-group - used for creating new network security groups and rules. + + +## Configurations +- Install and configure Terraform to provision Azure resources: [Configure Terraform for Azure](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/terraform-install-configure) +- In order to use ssh connection to VMs, it is **required** to add a public key to the /terraform/azure/single-gateway-new-vnet/azure_public_key file. + +## Usage +- Choose the preferred login method to Azure in order to deploy the solution: +
1. Using Service Principal: + - Create a [Service Principal](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal) (or use the existing one) + - Grant the Service Principal at least "**Managed Application Contributor**", "**Storage Account Contributor**", "**Network Contributor**", "**Virtual Machine Contributor**" permissions to the Azure subscription
+ - The Service Principal credentials can be stored either in the terraform.tfvars or as [Environment Variables](https://www.terraform.io/docs/providers/azuread/guides/service_principal_client_secret.html)
+ + In case the Environment Variables are used, perform modifications described below:
+ + a. The next lines in the main.tf file, in the provider azurerm resource, need to be deleted or commented: + + provider "azurerm" { + + // subscription_id = var.subscription_id + // client_id = var.client_id + // client_secret = var.client_secret + // tenant_id = var.tenant_id + + features {} + } + + b. In the terraform.tfvars file leave empty double quotes for client_secret, client_id , tenant_id and subscription_id variables: + + client_secret = "" + client_id = "" + tenant_id = "" + subscription_id = "" + +
2. Using **az** commands from a command-line: + - Run **az login** command + - Sign in with your account credentials in the browser + - [Accept Azure Marketplace image terms](https://docs.microsoft.com/en-us/cli/azure/vm/image/terms?view=azure-cli-latest) by running: +
**az vm image terms accept --urn publisher:offer:sku:version**, where: + - publisher = checkpoint; + - offer = vm_os_offer (see accepted values in the table below); + - sku = vm_os_sku (see accepted values in the table below); + - version = latest
+
Example:
+ az vm image terms accept --urn checkpoint:check-point-cg-r8040:sg-byol:latest + + - In the terraform.tfvars file leave empty double quotes for client_secret, client_id and tenant_id variables. + +- Fill all variables in the /terraform/azure/single-gateway-new-vnet/terraform.tfvars file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + + terraform init +- Create an execution plan: + + terraform plan +- Create or modify the deployment: + + terraform apply + +### terraform.tfvars variables: + | Name | Description | Type | Allowed values | Default | + |---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- | ------------- |----------------| ------------- | + | **client_secret** | The client secret value of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **client_id** | The client ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | | n/a + | | | | | | + | **source_image_vhd_uri** | The URI of the blob containing the development image. 
Please use noCustomUri if you want to use marketplace images | string | | "noCustomUri" + | | | | | | + | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | n/a + | | | | | | + | **single_gateway_name** | The name of the Check Point single GW Object | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long | n/a + | | | | | | + | **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | n/a + | | | | | | + | **vnet_name** | The name of virtual network that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | n/a + | | | | | | + | **address_space** | The address prefixes of the virtual network | string | Valid CIDR block | "10.12.0.0/16" + | | | | | | + | **frontend_subnet_prefix** | The address prefix to be used for created frontend subnet | string | The subnets need to contain within the address space for this virtual network(defined by address_space variable) | "10.12.0.0/24" + | | | | | | + | **backend_subnet_prefix** | The address prefix to be used for created backend subnet | string | The subnets need to contain within the address space for this virtual network(defined by address_space variable) | "10.12.1.0/24" + | | | | | | + | **management_GUI_client_network** | Allowed GUI clients - GUI clients network CIDR | string | | n/a + | | | | | | + | **admin_password** | The password associated with the local administrator account on the gateway | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | n/a + | | | | | | + | 
**smart_1_cloud_token** | Smart-1 Cloud token to connect automatically ***Gateway*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a + | | | | | | + | **sic_key** | The Secure Internal Communication one time secret used to set up trust between the gateway object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | n/a + | | | | | | + | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", 
"Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | n/a + | | | | | | + | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | n/a + | | | | | | + | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license | n/a + | | | | | | + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | | | | | | + | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120"; | n/a | + | | | | | | + | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | "" + | | | | | | + | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | n/a + | | | | | | + | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | n/a + | | | | | | + | **enable_custom_metrics** | Indicates whether CloudGuard Metrics will be use for gateway monitoring | boolean | true;
false; | true + | | | | | | + | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | "/etc/cli.sh" + | | | | | | + | **installation_type** | Enables to select installation type- gateway/standalone | string | gateway;
standalone; | n/a | string | gateway;
standalone; | + | | | | | | + | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here | string | | n/a + | | | | | | + | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | | n/a + | | | | | | + | **nsg_id** | Optional ID for a Network Security Group that already exists in Azure, if isn't provided will create a default NSG | string | Existing NSG resource ID | "" + | | | | | | + | **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false; | false + | | | | | | + | **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs | [] + +## Conditional creation +- To enable CloudGuard metrics in order to send statuses and statistics collected from the gateway instance to the Azure Monitor service: + ``` + enable_custom_metrics = true + ``` + +## Example + client_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + client_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + tenant_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + subscription_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + source_image_vhd_uri = "noCustomUri" + resource_group_name = "checkpoint-single-gw-terraform" + single_gateway_name = "checkpoint-single-gw-terraform" + location = "eastus" + vnet_name = "checkpoint-single-gw-vnet" + address_space = "10.0.0.0/16" + frontend_subnet_prefix = "10.0.1.0/24" + backend_subnet_prefix = "10.0.2.0/24" + management_GUI_client_network = "0.0.0.0/0" + admin_password = "xxxxxxxxxxxx" + smart_1_cloud_token = "xxxxxxxxxxxx" + sic_key = "xxxxxxxxxxxx" + vm_size = "Standard_D3_v2" + disk_size = "110" + vm_os_sku = "sg-byol" + vm_os_offer = "check-point-cg-r8110" + os_version = "R8110" + bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" + allow_upload_download = true + authentication_type = "Password" + enable_custom_metrics = true + admin_shell = "/etc/cli.sh" + installation_type = "gateway" + serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + nsg_id = "" + add_storage_account_ip_rules = false + storage_account_additional_ips = [] + +## Revision History +In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | 
+|------------------|---------------------------------------------------------------------------------------------------| +| 20240613 | - Updated Azure Terraform provider version
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Added accelerated networking to SGW Terraform templates
- Updated Public IP sku to Standard
- Added validation for os_version & os_offer | +| | | | +| 20230910 | - R81.20 is the default version | +| | | | +| 20230629 | First release of Check Point CloudGuard Network Security Single GW Terraform deployment for Azure | +| | | | + + +## License + +See the [LICENSE](../../LICENSE) file for details + diff --git a/terraform/azure/single-gateway-new-vnet/azure_public_key b/terraform/azure/single-gateway-new-vnet/azure_public_key new file mode 100644 index 00000000..e69de29b diff --git a/terraform/azure/single-gateway-new-vnet/cloud-init.sh b/terraform/azure/single-gateway-new-vnet/cloud-init.sh new file mode 100755 index 00000000..71bf3916 --- /dev/null +++ b/terraform/azure/single-gateway-new-vnet/cloud-init.sh @@ -0,0 +1,18 @@ +#!/usr/bin/python3 /etc/cloud_config.py + +installationType="${installation_type}" +allowUploadDownload="${allow_upload_download}" +osVersion="${os_version}" +templateName="${template_name}" +templateVersion="${template_version}" +templateType="${template_type}" +isBlink="${is_blink}" +bootstrapScript64="${bootstrap_script64}" +location="${location}" +adminShell="${admin_shell}" +sicKey="${sic_key}" +managementGUIClientNetwork="${management_GUI_client_network}" +smart1CloudToken="${smart_1_cloud_token}" +customMetrics="${enable_custom_metrics}" +passwordHash="${serial_console_password_hash}" +MaintenanceModePassword="${maintenance_mode_password_hash}" \ No newline at end of file diff --git a/terraform/azure/single-gateway-new-vnet/main.tf b/terraform/azure/single-gateway-new-vnet/main.tf new file mode 100755 index 00000000..dcb817bf --- /dev/null +++ b/terraform/azure/single-gateway-new-vnet/main.tf 
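Review bot: Every value in cloud-init.sh is interpolated into a double-quoted assignment with no escaping, so a `sic_key`, `smart_1_cloud_token` or password hash containing a `"` breaks the generated file at that line, and if `/etc/cloud_config.py` applies shell-style tokenising a `$` in an `openssl passwd -6` hash (those have the `$6$…` form) could be mangled as well; how that parser reads the file is not visible here, so this is inferred. `bootstrap_script` already sidesteps the issue by arriving as `bootstrap_script64`; giving the other free-text values the same base64 treatment, or emitting them with `jsonencode()` inside the `templatefile()` call in main.tf, would make the file safe for any input. A short header comment such as `# Rendered by templatefile() in main.tf; keys must match what /etc/cloud_config.py reads` would also tell a maintainer why the casing of `passwordHash` and `MaintenanceModePassword` must not be "tidied up".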
@@ -0,0 +1,256 @@ +//********************** Providers **************************// +provider "azurerm" { + subscription_id = var.subscription_id + client_id = var.client_id + client_secret = var.client_secret + tenant_id = var.tenant_id + + features {} +} + +//********************** Basic Configuration **************************// +module "common" { + source = "../modules/common" + resource_group_name = var.resource_group_name + location = var.location + admin_password = var.admin_password + installation_type = var.installation_type + template_name = var.template_name + template_version = var.template_version + number_of_vm_instances = 1 + allow_upload_download = var.allow_upload_download + vm_size = var.vm_size + disk_size = var.disk_size + os_version = var.os_version + vm_os_sku = var.vm_os_sku + vm_os_offer = var.vm_os_offer + is_blink = var.is_blink + authentication_type = var.authentication_type + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash + storage_account_additional_ips = var.storage_account_additional_ips +} + +//********************** Networking **************************// +module "vnet" { + source = "../modules/vnet" + + vnet_name = var.vnet_name + resource_group_name = module.common.resource_group_name + location = module.common.resource_group_location + address_space = var.address_space + subnet_prefixes = [var.frontend_subnet_prefix, var.backend_subnet_prefix] + subnet_names = ["${var.single_gateway_name}-frontend-subnet", "${var.single_gateway_name}-backend-subnet"] + nsg_id = var.nsg_id == "" ? module.network-security-group[0].network_security_group_id: var.nsg_id +} + +module "network-security-group" { + source = "../modules/network-security-group" + count = var.nsg_id == "" ? 
1 : 0 + resource_group_name = module.common.resource_group_name + security_group_name = "${module.common.resource_group_name}-nsg" + location = module.common.resource_group_location + security_rules = [ + { + name = "AllowAllInBound" + priority = "100" + direction = "Inbound" + access = "Allow" + protocol = "*" + source_port_ranges = "*" + destination_port_ranges = "*" + description = "Allow all inbound connections" + source_address_prefix = "*" + destination_address_prefix = "*" + } + ] +} + +resource "azurerm_public_ip" "public-ip" { + name = var.single_gateway_name + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + allocation_method = var.vnet_allocation_method + sku = var.sku + idle_timeout_in_minutes = 30 + domain_name_label = join("", [ + lower(var.single_gateway_name), + "-", + random_id.randomId.hex]) +} + +resource "azurerm_network_interface_security_group_association" "security_group_association" { + depends_on = [azurerm_network_interface.nic, module.network-security-group] + network_interface_id = azurerm_network_interface.nic.id + network_security_group_id = var.nsg_id == "" ? 
module.network-security-group[0].network_security_group_id: var.nsg_id +} + +resource "azurerm_network_interface" "nic" { + depends_on = [ + azurerm_public_ip.public-ip] + name = "${var.single_gateway_name}-eth0" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + enable_ip_forwarding = true + enable_accelerated_networking = true + + + ip_configuration { + name = "ipconfig1" + subnet_id = module.vnet.vnet_subnets[0] + private_ip_address_allocation = var.vnet_allocation_method + private_ip_address = cidrhost(var.frontend_subnet_prefix, 4) + public_ip_address_id = azurerm_public_ip.public-ip.id + } +} + +resource "azurerm_network_interface" "nic1" { + depends_on = [] + name = "${var.single_gateway_name}-eth1" + location = module.common.resource_group_location + resource_group_name = module.common.resource_group_name + enable_ip_forwarding = true + enable_accelerated_networking = true + + + ip_configuration { + name = "ipconfig2" + subnet_id = module.vnet.vnet_subnets[1] + private_ip_address_allocation = var.vnet_allocation_method + private_ip_address = cidrhost(var.backend_subnet_prefix, 4) + } +} + +//********************** Storage accounts **************************// +// Generate random text for a unique storage account name +resource "random_id" "randomId" { + keepers = { + # Generate a new ID only when a new resource group is defined + resource_group = module.common.resource_group_name + } + byte_length = 8 +} +resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { + name = "bootdiag${random_id.randomId.hex}" + resource_group_name = module.common.resource_group_name + location = module.common.resource_group_location + account_tier = module.common.storage_account_tier + account_replication_type = module.common.account_replication_type + account_kind = "Storage" + network_rules { + default_action = var.add_storage_account_ip_rules ? 
"Deny" : "Allow" + ip_rules = module.common.storage_account_ip_rules + } + blob_properties { + delete_retention_policy { + days = "15" + } + } + +} + +//********************** Virtual Machines **************************// +locals { + SSH_authentication_type_condition = var.authentication_type == "SSH Public Key" ? true : false + custom_image_condition = var.source_image_vhd_uri == "noCustomUri" ? false : true +} + +resource "azurerm_image" "custom-image" { + count = local.custom_image_condition ? 1 : 0 + name = "custom-image" + location = var.location + resource_group_name = module.common.resource_group_name + + os_disk { + os_type = "Linux" + os_state = "Generalized" + blob_uri = var.source_image_vhd_uri + } +} + +resource "azurerm_virtual_machine" "single-gateway-vm-instance" { + depends_on = [ + azurerm_network_interface.nic, + azurerm_network_interface.nic1] + location = module.common.resource_group_location + name = var.single_gateway_name + network_interface_ids = [ + azurerm_network_interface.nic.id, + azurerm_network_interface.nic1.id] + resource_group_name = module.common.resource_group_name + vm_size = module.common.vm_size + delete_os_disk_on_termination = module.common.delete_os_disk_on_termination + primary_network_interface_id = azurerm_network_interface.nic.id + + identity { + type = module.common.vm_instance_identity + } + + dynamic "plan" { + for_each = local.custom_image_condition ? [ + ] : [1] + content { + name = module.common.vm_os_sku + publisher = module.common.publisher + product = module.common.vm_os_offer + } + } + + boot_diagnostics { + enabled = module.common.boot_diagnostics + storage_uri = module.common.boot_diagnostics ? 
join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : "" + } + + os_profile { + computer_name = lower(var.single_gateway_name) + admin_username = module.common.admin_username + admin_password = module.common.admin_password + custom_data = templatefile("${path.module}/cloud-init.sh", { + installation_type = module.common.installation_type + allow_upload_download = module.common.allow_upload_download + os_version = module.common.os_version + template_name = module.common.template_name + template_version = module.common.template_version + template_type = "terraform" + is_blink = module.common.is_blink + bootstrap_script64 = base64encode(var.bootstrap_script) + location = module.common.resource_group_location + admin_shell = var.admin_shell + sic_key = var.sic_key + management_GUI_client_network = var.management_GUI_client_network + smart_1_cloud_token = var.smart_1_cloud_token + enable_custom_metrics = var.enable_custom_metrics ? "yes" : "no" + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash + }) + } + + os_profile_linux_config { + disable_password_authentication = local.SSH_authentication_type_condition + + dynamic "ssh_keys" { + for_each = local.SSH_authentication_type_condition ? [ + 1] : [] + content { + path = "/home/notused/.ssh/authorized_keys" + key_data = file("${path.module}/azure_public_key") + } + } + } + + storage_image_reference { + id = local.custom_image_condition ? azurerm_image.custom-image[0].id : null + publisher = local.custom_image_condition ? 
null : module.common.publisher + offer = module.common.vm_os_offer + sku = module.common.vm_os_sku + version = module.common.vm_os_version + } + + storage_os_disk { + name = var.single_gateway_name + create_option = module.common.storage_os_disk_create_option + caching = module.common.storage_os_disk_caching + managed_disk_type = module.common.storage_account_type + disk_size_gb = module.common.disk_size + } +} diff --git a/terraform/azure/single-gateway-new-vnet/terraform.tfvars b/terraform/azure/single-gateway-new-vnet/terraform.tfvars new file mode 100755 index 00000000..636e9491 --- /dev/null +++ b/terraform/azure/single-gateway-new-vnet/terraform.tfvars 
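Review bot: The NSG created when `nsg_id` is empty carries a single `AllowAllInBound` rule with `source_address_prefix = "*"` and `destination_port_ranges = "*"`, and nothing in main.tf records why; presumably the CloudGuard gateway is expected to enforce its own policy, but a reader sees only a wide-open NSG attached to the frontend NIC. A comment on the rule such as `# Intentionally permissive: traffic filtering is enforced by the gateway itself; pass nsg_id to attach a stricter NSG` would capture the intent. The expression `var.nsg_id == "" ? module.network-security-group[0].network_security_group_id : var.nsg_id` is duplicated in `module "vnet"` and `security_group_association`; a single `local.nsg_id` would keep the two in step. In `locals`, `var.authentication_type == "SSH Public Key" ? true : false` is just `var.authentication_type == "SSH Public Key"`, and likewise for `custom_image_condition`.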
@@ -0,0 +1,33 @@ +#PLEASE refer to the README.md for accepted values for the variables below +client_secret = "PLEASE ENTER CLIENT SECRET" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +client_id = "PLEASE ENTER CLIENT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +tenant_id = "PLEASE ENTER TENANT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +subscription_id = "PLEASE ENTER SUBSCRIPTION ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +source_image_vhd_uri = "PLEASE ENTER SOURCE IMAGE VHD URI OR noCustomUri" # "noCustomUri" +resource_group_name = "PLEASE ENTER RESOURCE GROUP NAME" # "checkpoint-single-terraform" +single_gateway_name = "PLEASE ENTER GW NAME" # "checkpoint-single-terraform" +location = "PLEASE ENTER LOCATION" # "eastus" +vnet_name = "PLEASE ENTER VIRTUAL NETWORK NAME" # "checkpoint-single-vnet" +address_space = "PLEASE ENTER VIRTUAL NETWORK ADDRESS SPACE" # "10.0.0.0/16" +frontend_subnet_prefix = "PLEASE ENTER ADDRESS PREFIX FOR FRONTEND SUBNET" # "10.0.0.0/24" +backend_subnet_prefix = "PLEASE ENTER ADDRESS PREFIX FOR BACKEND SUBNET" # "10.0.1.0/24" +management_GUI_client_network = "PLEASE ENTER A MANAGEMENT GUI CLIENT NETWORK" # "0.0.0.0/0" +admin_password = "PLEASE ENTER ADMIN PASSWORD" # "xxxxxxxxxxxx" +smart_1_cloud_token = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL" # "" +sic_key = "PLEASE ENTER SIC KEY" # "xxxxxxxxxxxx" +vm_size = "PLEASE ENTER VM SIZE" # "Standard_D3_v2" +disk_size = "PLEASE ENTER DISK SIZE" # "110" +vm_os_sku = "PLEASE ENTER VM SKU" # "sg-byol" +vm_os_offer = "PLEASE ENTER VM OFFER" # "check-point-cg-r8110" +os_version = "PLEASE ENTER GAIA OS VERSION" # "R8110" +bootstrap_script = "PLEASE ENTER CUSTOM SCRIPT OR LEAVE EMPTY DOUBLE QUOTES" # "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" +allow_upload_download = "PLEASE ENTER true or false" # true +authentication_type = "PLEASE ENTER AUTHENTICATION TYPE" # "Password" +enable_custom_metrics = "PLEASE ENTER true or false" # true +admin_shell = "PLEASE ENTER 
ADMIN SHELL" # "/etc/cli.sh" +installation_type = "PLEASE ENTER INSTALLATION TYPE" # "gateway" +serial_console_password_hash = "PLEASE ENTER SERIAL CONSOLE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +nsg_id = "PLEASE ENTER NETWORK SECURITY GROUP ID" # "" +add_storage_account_ip_rules = "PLEASE ENTER true or false" # false +storage_account_additional_ips = "PLEASE ENTER A LIST OF VALID IPS/CIDRS" # [] \ No newline at end of file diff --git a/terraform/azure/single-gateway-new-vnet/variables.tf b/terraform/azure/single-gateway-new-vnet/variables.tf new file mode 100755 index 00000000..65076afc --- /dev/null +++ b/terraform/azure/single-gateway-new-vnet/variables.tf 
@@ -0,0 +1,280 @@ +//********************** Basic Configuration Variables **************************// +variable "single_gateway_name" { + description = "Single gateway name" + type = string +} + +variable "resource_group_name" { + description = "Azure Resource Group name to build into" + type = string +} + +variable "location" { + description = "The location/region where resource will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions" + type = string +} + +//********************** Virtual Machine Instances Variables **************************// +variable "source_image_vhd_uri" { + type = string + description = "The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images." + default = "noCustomUri" +} + +variable "admin_username" { + description = "Administrator username of deployed VM. Due to Azure limitations 'notused' name can be used" + default = "notused" +} + +variable "admin_password" { + description = "Administrator password of deployed Virtual Machine. 
The password must meet the complexity requirements of Azure" + type = string +} + +variable "smart_1_cloud_token" { + description = "Smart-1 Cloud Token" + type = string +} + +variable "serial_console_password_hash" { + description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type" + type = string +} + +variable "maintenance_mode_password_hash" { + description = "Maintenance mode password hash, relevant only for R81.20 and higher versions" + type = string +} + +variable "authentication_type" { + description = "Specifies whether a password authentication or SSH Public Key authentication should be used" + type = string +} +locals { // locals for 'authentication_type' allowed values + authentication_type_allowed_values = [ + "Password", + "SSH Public Key" + ] + // will fail if [var.authentication_type] is invalid: + validate_authentication_type_value = index(local.authentication_type_allowed_values, var.authentication_type) +} + +variable "template_name" { + description = "Template name. Should be defined according to deployment type(mgmt, ha, vmss, sg)" + type = string + default = "single" +} + +variable "template_version" { + description = "Template version. It is recommended to always use the latest template version" + type = string + default = "20230910" +} + +variable "installation_type" { + description = "installation type" + type = string + default = "gateway" +} + +locals { // locals for 'installation_type' allowed values + installation_type_allowed_values = [ + "gateway", + "standalone" + ] +} + +variable "vm_size" { + description = "Specifies size of Virtual Machine" + type = string +} + +variable "disk_size" { + description = "Storage data disk size size(GB). 
Select a number between 100 and 3995" + type = string +} + +variable "os_version" { + description = "GAIA OS version" + type = string +} + +locals { // locals for 'vm_os_offer' allowed values + os_version_allowed_values = [ + "R8040", + "R81", + "R8110", + "R8120" + ] + // will fail if [var.os_version] is invalid: + validate_os_version_value = index(local.os_version_allowed_values, var.os_version) +} + +variable "vm_os_sku" { + description = "The sku of the image to be deployed." + type = string +} + +variable "vm_os_offer" { + description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8040, check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" + type = string +} + +locals { // locals for 'vm_os_offer' allowed values + vm_os_offer_allowed_values = [ + "check-point-cg-r8040", + "check-point-cg-r81", + "check-point-cg-r8110", + "check-point-cg-r8120" + ] + // will fail if [var.vm_os_offer] is invalid: + validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer) +} + +variable "allow_upload_download" { + description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + type = bool +} + +variable "enable_custom_metrics" { + description = "Indicates whether CloudGuard Metrics will be use for Cluster members monitoring." 
+ type = bool + default = true +} + +variable "is_blink" { + description = "Define if blink image is used for deployment" + default = true +} + +variable "admin_shell" { + description = "The admin shell to configure on machine or the first time" + type = string + default = "/etc/cli.sh" +} + +locals { + admin_shell_allowed_values = [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh" + ] + // Will fail if [var.admin_shell] is invalid + validate_admin_shell_value = index(local.admin_shell_allowed_values, var.admin_shell) +} + +//********************** Networking Variables **************************// +variable "vnet_name" { + description = "Virtual Network name" + type = string +} + +variable "address_space" { + description = "The address space that is used by a Virtual Network." + type = string + default = "10.12.0.0/16" +} + +variable "frontend_subnet_prefix" { + description = "Address prefix to be used for network frontend subnet" + type = string + default = "10.12.0.0/24" +} + +variable "backend_subnet_prefix" { + description = "Address prefix to be used for network backend subnet" + type = string + default = "10.12.1.0/24" +} + +variable "vnet_subnets" { + description = "Subnets in vnet" + type = list(string) + default = ["10.12.0.0/24", "10.12.1.0/24"] +} + +variable "vnet_allocation_method" { + description = "IP address allocation method" + type = string + default = "Static" +} + +variable "management_GUI_client_network" { + description = "Allowed GUI clients - GUI clients network CIDR" + type = string +} + +variable "nsg_id" { + description = "NSG ID - Optional - if empty use default NSG" + default = "" +} + +variable "add_storage_account_ip_rules" { + type = bool + default = false + description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location" +} + +variable "storage_account_additional_ips" { + type = list(string) + description = "IPs/CIDRs that are allowed access to the Storage 
Account" + default = [] +} +locals { + regex_valid_management_GUI_client_network = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))$" + // Will fail if var.management_GUI_client_network is invalid + regex_management_GUI_client_network = regex(local.regex_valid_management_GUI_client_network, var.management_GUI_client_network) == var.management_GUI_client_network ? 0 : "Variable [management_GUI_client_network] must be a valid IPv4 network CIDR." + + + regex_valid_network_cidr = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))|$" + // Will fail if var.address_space is invalid + regex_address_space = regex(local.regex_valid_network_cidr, var.address_space) == var.address_space ? 0 : "Variable [address_space] must be a valid address in CIDR notation." + // Will fail if var.subnet_prefix is invalid + regex_frontend_subnet_prefix = regex(local.regex_valid_network_cidr, var.frontend_subnet_prefix) == var.frontend_subnet_prefix ? 0 : "Variable [subnet_prefix] must be a valid address in CIDR notation." + // Will fail if var.subnet_prefix is invalid + regex_backend_subnet_prefix = regex(local.regex_valid_network_cidr, var.backend_subnet_prefix) == var.backend_subnet_prefix ? 0 : "Variable [subnet_prefix] must be a valid address in CIDR notation." 
+} + +variable "bootstrap_script" { + description = "An optional script to run on the initial boot" + default = "" + type = string + #example: + #"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" +} + +//********************** Credentials **************************// +variable "tenant_id" { + description = "Tenant ID" + type = string +} + +variable "subscription_id" { + description = "Subscription ID" + type = string +} + +variable "client_id" { + description = "Application ID(Client ID)" + type = string +} + +variable "client_secret" { + description = "A secret string that the application uses to prove its identity when requesting a token. Also can be referred to as application password." + type = string +} + +variable "sic_key" { + type = string +} + +resource "null_resource" "sic_key_invalid" { + count = length(var.sic_key) >= 12 ? 0 : "SIC key must be at least 12 characters long" +} + +variable "sku" { + description = "SKU" + type = string + default = "Standard" +} \ No newline at end of file diff --git a/terraform/azure/single-gateway-new-vnet/versions.tf b/terraform/azure/single-gateway-new-vnet/versions.tf new file mode 100755 index 00000000..0d5ca4f3 --- /dev/null +++ b/terraform/azure/single-gateway-new-vnet/versions.tf @@ -0,0 +1,12 @@ +terraform { + required_version = ">= 0.14.3" + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = "~> 3.81.0" + } + random = { + version = "~> 3.5.1" + } + } +} \ No newline at end of file diff --git a/terraform/azure/vmss-existing-vnet/README.md b/terraform/azure/vmss-existing-vnet/README.md new file mode 100755 index 00000000..dca0361a --- /dev/null +++ b/terraform/azure/vmss-existing-vnet/README.md 
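Review bot: The CIDR checks in the second `locals` block can never fail: `regex_valid_network_cidr` ends in `|$`, so `regex()` always matches (the empty string at worst) and the ternary merely stores the error text in an unreferenced local, whereas `regex_valid_management_GUI_client_network` has no empty alternative and makes `regex()` raise on bad input. Unless an empty `address_space`/subnet prefix is meant to be legal, drop the `|$` so the pattern is identical to the management one and malformed values are rejected the same way; if empty must stay legal, the condition needs an explicit `== ""` test rather than a regex that matches everything. `client_secret`, `admin_password`, `sic_key`, `smart_1_cloud_token` and the two password-hash variables should also carry `sensitive = true` — versions.tf pins Terraform `>= 0.14.3`, where that attribute exists — so they are redacted from plan and apply output. `installation_type_allowed_values` is the only allowed-values list without a companion `validate_*` `index()` local, so an invalid `installation_type` is not caught at plan time.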
@@ -0,0 +1,247 @@ +# Check Point CloudGuard IaaS VMSS Terraform deployment for Azure + +This Terraform module deploys Check Point CloudGuard IaaS VMSS solution into an existing Vnet in Azure. +As part of the deployment the following resources are created: +- Resource group +- Role assignment - conditional creation + + +For additional information, +please see the [CloudGuard Network for Azure Virtual Machine Scale Sets (VMSS) Deployment Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_VMSS_for_Azure/Default.htm) + +This solution uses the following modules: +- /terraform/azure/modules/common - used for creating a resource group and defining common variables. + + +## Configurations +- Install and configure Terraform to provision Azure resources: [Configure Terraform for Azure](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/terraform-install-configure) +- In order to use ssh connection to VMs, it is **required** to add a public key to the /terraform/azure/vmss-existing-vnet/azure_public_key file + +## Usage +- Choose the preferred login method to Azure in order to deploy the solution: +
1. Using Service Principal: + - Create a [Service Principal](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal) (or use the existing one) + - Grant the Service Principal at least "**Managed Application Contributor**", "**Storage Account Contributor**", "**Network Contributor**", "**Virtual Machine Contributor**" permissions to the Azure subscription
+ - The Service Principal credentials can be stored either in the terraform.tfvars or as [Environment Variables](https://www.terraform.io/docs/providers/azuread/guides/service_principal_client_secret.html)
+ + In case the Environment Variables are used, perform modifications described below:
+ + a. The next lines in the main.tf file, in the provider azurerm resource, need to be deleted or commented: + + provider "azurerm" { + + // subscription_id = var.subscription_id + // client_id = var.client_id + // client_secret = var.client_secret + // tenant_id = var.tenant_id + + features {} + } + + b. In the terraform.tfvars file leave empty double quotes for client_secret, client_id, tenant_id and subscription_id variables: + + client_secret = "" + client_id = "" + tenant_id = "" + subscription_id = "" + +
2. Using **az** commands from a command-line: + - Run **az login** command + - Sign in with your account credentials in the browser + - [Accept Azure Marketplace image terms](https://docs.microsoft.com/en-us/cli/azure/vm/image/terms?view=azure-cli-latest) by running: +
**az vm image terms accept --urn publisher:offer:sku:version**, where: + - publisher = checkpoint; + - offer = vm_os_offer (see accepted values in the table below); + - sku = vm_os_sku (see accepted values in the table below); + - version = latest
+
Example:
+ az vm image terms accept --urn checkpoint:check-point-cg-r8040:sg-byol:latest + + - In the terraform.tfvars file leave empty double quotes for client_secret, client_id and tenant_id variables. + +- Fill all variables in the /terraform/azure/vmss-existing-vnet/terraform.tfvars file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + + terraform init +- Create an execution plan: + + terraform plan +- Create or modify the deployment: + + terraform apply + +### terraform.tfvars variables: + | Name | Description | Type | Allowed values | Default | + | ------------- |-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- | ------------- | ------------- | + | **client_secret** | The client secret of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **client_id** | The client ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **subscription_id** | The subsscription ID is used to pay for Azure cloud services | string | | n/a + | | | | | | + | **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images | string | | "noCustomUri" + | | | | | | + | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period
Note: Resource group name must not contain reserved words based on: sk40179| n/a + | | | | | | + | **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | n/a + | | | | | | + | **vmss_name** | The name of the Check Point VMSS Object | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long
Note: vmss_name name must not contain reserved words based on: sk40179 | n/a + | | | | | | + | **vnet_name** | Virtual Network name | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | n/a + | | | | | | + | **vnet_resource_group** | Resource Group of the existing virtual network | string | The exact name of the existing vnet's resource group | n/a + | | | | | | + | **frontend_subnet_name** | Specifies the name of the external subnet | string | The exact name of the existing external subnet | n/a + | | | | | | + | **backend_subnet_name** | Specifies the name of the internal subnet | string | The exact name of the existing internal subnet | n/a + | | | | | | + | **backend_lb_IP_address** | Is a whole number that can be represented as a binary integer with no more than the number of digits remaining in the address after the given prefix | string | Starting from 5-th IP address in a subnet. 
For example: subnet - 10.0.1.0/24, backend_lb_IP_address = 4 , the LB IP is 10.0.1.4 | n/a + | | | | | | + | **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | n/a + | | | | | | + | **sic_key** | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | n/a + | | | | | | + | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", 
"Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | n/a + | | | | | | + | **disk_size** | Storage data disk size size(GB) must be 100 for versions R81.20 and below | string | A number in the range 100 - 3995 (GB) | 100 + | | | | | | + | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license; | n/a + | | | | | | + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | | | | | | + | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120"; | n/a + | | | | | | + | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | n/a + | | | | | | + | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | n/a + | | | | | | + | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | n/a + | | | | | | + | **availability_zones_num** | A list of a single item of the Availability Zone which the Virtual Machine should be allocated in | string | "centralus", "eastus2", "francecentral", "northeurope", "southeastasia", "westeurope", "westus2", "eastus", "uksouth" | n/a + | | | | | | + | **minimum_number_of_vm_instances** | The minimum number of VMSS instances for this resource | number | Valid values are in the range 0 - 10 | n/a + | | | | | | + | **maximum_number_of_vm_instances** | The maximum number of VMSS instances for this resource | number | Valid values are in the range 0 - 10 | n/a + | | | | | | + | **management_name** | The name of the management server as it appears in the configuration file | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long | n/a + | | | | | | + | **management_IP** | The IP address used to manage the VMSS instances | string | A valid IP address | n/a + | | | | | | + | **management_interface** | Management option for the Gateways in the VMSS | string | "eth0-public" - Manages the GWs using their external NIC's public IP address;
"eth0-private" -Manages the GWs using their external NIC's private IP address;
"eth1-private" - Manages the GWs using their internal NIC's private IP address | "eth1-private" + | | | | | | + | **configuration_template_name** | The configuration template name as it appears in the configuration file | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long | n/a + | | | | | | + | **frontend_load_distribution** | The load balancing distribution method for the External Load Balancer | string | "Default" - None(5-tuple);
"SourceIP" - ClientIP(2-tuple);
"SourceIPProtocol" - ClientIP and protocol(3-tuple) | n/a + | | | | | | + | **backend_load_distribution** | The load balancing distribution method for the Internal Load Balancer | string | "Default" - None(5-tuple);
"SourceIP" - ClientIP(2-tuple);
"SourceIPProtocol" - ClientIP and protocol(3-tuple) | n/a + | | | | | | + | **notification_email** | An email address to notify about scaling operations | string | Leave empty double quotes or enter a valid email address | n/a + | | | | | | + | **enable_custom_metrics** | Indicates whether Custom Metrics will be used for VMSS Scaling policy and VM monitoring | boolean | true;
false; | true + | | | | | | + | **enable_floating_ip** | Indicates whether the load balancers will be deployed with floating IP | boolean | true;
false; | false + | | | | | | + | **deployment_mode** | Indicates which load balancer need to be deployed. External + Internal(Standard), only External, only Internal | string | Standard ;
External;
Internal; | "Standard" + | | | | | | + | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | "/etc/cli.sh" + | | | | | | + | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here | string | | n/a + | | | | | | + | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | | n/a + | | | | | | + | **nsg_id** | Optional ID for a Network Security Group that already exists in Azure, if not provided, will create a default NSG | string | Existing NSG resource ID | "" + | | | | | | + | **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false; | false + | | | | | | + | **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs | [] + +## Conditional creation +To create role assignment and enable CloudGuard metrics in order to send statuses and statistics collected from VMSS instances to the Azure Monitor service: +``` +enable_custom_metrics = true +``` + +## Example + client_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + client_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + tenant_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + subscription_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + source_image_vhd_uri = "noCustomUri" + resource_group_name = "checkpoint-vmss-terraform" + location = "eastus" + vmss_name = "checkpoint-vmss-terraform" + vnet_name = "checkpoint-vmss-vnet" + vnet_resource_group = "existing-vnet" + frontend_subnet_name = "frontend" + backend_subnet_name = "backend" + backend_lb_IP_address = 4 + admin_password = "xxxxxxxxxxxx" + sic_key = "xxxxxxxxxxxx" + vm_size = "Standard_D3_v2" + disk_size = "100" + vm_os_sku = "sg-byol" + vm_os_offer = "check-point-cg-r8110" + os_version = "R8110" + bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" + allow_upload_download = true + authentication_type = "Password" + availability_zones_num = "1" + minimum_number_of_vm_instances = 2 + maximum_number_of_vm_instances = 10 + management_name = "mgmt" + management_IP = "13.92.42.181" + management_interface = "eth1-private" + configuration_template_name = "vmss_template" + notification_email = "" + frontend_load_distribution = "Default" + backend_load_distribution = "Default" + enable_custom_metrics = true + enable_floating_ip = false + deployment_mode = "Standard" + admin_shell = "/etc/cli.sh" + serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + nsg_id = "" + add_storage_account_ip_rules = 
false + storage_account_additional_ips = [] + + +## Deploy Without Public IP + +1. By default, the VMSS is deployed with public IP +2. To deploy without public IP, remove the "public_ip_address_configuration" block in main.tf + +## Known limitations + +## Revision History + +In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +| ---------------- | ------------- | +| 20240613 | - Updated Azure Terraform provider version
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Updated diskSizeGB
- Added validation for os_version & os_offer | +| | | | +| 20230910 | - R81.20 is the default version | +| | | | +| 20221124 | - Added R81.20 support
- Upgraded azurerm provider | +| | | | +| 20220111 | - Added support to select different shells | +| | | | +| 20210309 | - Add "source_image_vhd_uri" variable for using a custom development image
- Fix zones filed for scale set be installed as multi-zone
- Modify "management_interface" variable and tags regarding managing the Gateways in the Scale Set | +| | | | +| 20210111 |- Update terraform version to 0.14.3
- Update azurerm version to 2.17.0
- Add authentication_type variable for choosing the authentication type.
- Adding support for R81.
- Add public IP addresses support.
- Add support to CloudGuards metrics.
- Avoid role-assignment re-creation when re-apply | +| | | | +| 20200323 | Remove the domain_name_label variable from the azurerm_public_ip resource; | +| | | | +| 20200305 | First release of Check Point CloudGuard IaaS VMSS Terraform deployment for Azure | +| | | | +| | Addition of "templateType" parameter to "cloud-version" files | +| | | | + + +## License + +See the [LICENSE](../../LICENSE) file for details + diff --git a/terraform/azure/vmss-existing-vnet/azure_public_key b/terraform/azure/vmss-existing-vnet/azure_public_key new file mode 100755 index 00000000..e69de29b diff --git a/terraform/azure/vmss-existing-vnet/cloud-init.sh b/terraform/azure/vmss-existing-vnet/cloud-init.sh new file mode 100755 index 00000000..f11f72c3 --- /dev/null +++ b/terraform/azure/vmss-existing-vnet/cloud-init.sh @@ -0,0 +1,17 @@ +#!/usr/bin/python3 /etc/cloud_config.py + +installationType="${installation_type}" +allowUploadDownload="${allow_upload_download}" +osVersion="${os_version}" +templateName="${template_name}" +templateVersion="${template_version}" +templateType="${template_type}" +isBlink="${is_blink}" +bootstrapScript64="${bootstrap_script64}" +location="${location}" +sicKey="${sic_key}" +vnet="${vnet}" +customMetrics="${enable_custom_metrics}" +adminShell="${admin_shell}" +passwordHash="${serial_console_password_hash}" +MaintenanceModePassword="${maintenance_mode_password_hash}" diff --git a/terraform/azure/vmss-existing-vnet/main.tf b/terraform/azure/vmss-existing-vnet/main.tf new file mode 100755 index 00000000..70e7169a --- /dev/null +++ b/terraform/azure/vmss-existing-vnet/main.tf 
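Review bot: Every value in cloud-init.sh is spliced into the generated file as a bare `"${...}"` with no escaping, and unlike `bootstrap_script`, which main.tf passes through `base64encode` before it reaches `bootstrapScript64`, the `sic_key`, `serial_console_password_hash` and `maintenance_mode_password_hash` values arrive verbatim. A `"` in any of them ends the assignment early, and the `$`-delimited hashes that `openssl passwd -6` and `grub2-mkpasswd-pbkdf2` produce would be a problem if `/etc/cloud_config.py` ever evaluated these lines as shell; that parser is not on this page, so treat this as a point to confirm. Either encode those three values the way `bootstrap_script64` is, or add character validation for them in variables.tf (the only check visible on this page is the SIC key length check). A header comment such as `# Values are substituted by templatefile() in main.tf and are not escaped here` would at least make the contract explicit.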
@@ -0,0 +1,446 @@
+provider "azurerm" {
+ subscription_id = var.subscription_id
+ client_id = var.client_id
+ client_secret = var.client_secret
+ tenant_id = var.tenant_id
+
+ features {}
+}
+
+//********************** Basic Configuration **************************//
+module "common" {
+ source = "../modules/common"
+ resource_group_name = var.resource_group_name
+ location = var.location
+ admin_password = var.authentication_type == "SSH Public Key" ? random_id.random_id.hex : var.admin_password
+ installation_type = var.installation_type
+ template_name = var.template_name
+ template_version = var.template_version
+ number_of_vm_instances = var.number_of_vm_instances
+ allow_upload_download = var.allow_upload_download
+ vm_size = var.vm_size
+ disk_size = var.disk_size
+ is_blink = var.is_blink
+ os_version = var.os_version
+ vm_os_sku = var.vm_os_sku
+ vm_os_offer = var.vm_os_offer
+ authentication_type = var.authentication_type
+ serial_console_password_hash = var.serial_console_password_hash
+ maintenance_mode_password_hash = var.maintenance_mode_password_hash
+ storage_account_additional_ips = var.storage_account_additional_ips
+}
+
+//********************** Networking **************************//
+
+data "azurerm_subnet" "frontend" {
+ name = var.frontend_subnet_name
+ virtual_network_name = var.vnet_name
+ resource_group_name = var.vnet_resource_group
+}
+
+data "azurerm_subnet" "backend" {
+ name = var.backend_subnet_name
+ virtual_network_name = var.vnet_name
+ resource_group_name = var.vnet_resource_group
+}
+
+module "network-security-group" {
+ source = "../modules/network-security-group"
+ count = var.nsg_id == "" ?
1 : 0
+ resource_group_name = module.common.resource_group_name
+ security_group_name = "${module.common.resource_group_name}_nsg"
+ location = module.common.resource_group_location
+ security_rules = [
+ {
+ name = "AllowAllInBound"
+ priority = "100"
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "*"
+ source_port_ranges = "*"
+ destination_port_ranges = "*"
+ description = "Allow all inbound connections"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ }
+ ]
+}
+
+//********************** Load Balancers **************************//
+resource "random_id" "random_id" {
+ byte_length = 13
+ keepers = {
+ rg_id = module.common.resource_group_id
+ }
+}
+
+resource "azurerm_public_ip" "public-ip-lb" {
+ count = var.deployment_mode != "Internal" ? 1 : 0
+ name = "${var.vmss_name}-app-1"
+ location = module.common.resource_group_location
+ resource_group_name = module.common.resource_group_name
+ allocation_method = var.vnet_allocation_method
+ sku = var.sku
+ domain_name_label = "${lower(var.vmss_name)}-${random_id.random_id.hex}"
+}
+
+resource "azurerm_lb" "frontend-lb" {
+ count = var.deployment_mode != "Internal" ? 1 : 0
+ depends_on = [azurerm_public_ip.public-ip-lb]
+ name = "frontend-lb"
+ location = module.common.resource_group_location
+ resource_group_name = module.common.resource_group_name
+ sku = var.sku
+
+ frontend_ip_configuration {
+ name = "${var.vmss_name}-app-1"
+ public_ip_address_id = azurerm_public_ip.public-ip-lb[0].id
+ }
+}
+
+resource "azurerm_lb_backend_address_pool" "frontend-lb-pool" {
+ count = var.deployment_mode != "Internal" ? 1 : 0
+ loadbalancer_id = azurerm_lb.frontend-lb[0].id
+ name = "${var.vmss_name}-app-1"
+}
+
+resource "azurerm_lb" "backend-lb" {
+ count = var.deployment_mode != "External" ?
1 : 0
+ name = "backend-lb"
+ location = module.common.resource_group_location
+ resource_group_name = module.common.resource_group_name
+ sku = var.sku
+ frontend_ip_configuration {
+ name = "backend-lb"
+ subnet_id = data.azurerm_subnet.backend.id
+ private_ip_address_allocation = "Static"
+ private_ip_address = cidrhost(data.azurerm_subnet.backend.address_prefixes[0],var.backend_lb_IP_address)
+ }
+}
+
+resource "azurerm_lb_backend_address_pool" "backend-lb-pool" {
+ count = var.deployment_mode != "External" ? 1 : 0
+ name = "backend-lb-pool"
+ loadbalancer_id = azurerm_lb.backend-lb[0].id
+}
+
+resource "azurerm_lb_probe" "azure_lb_healprob" {
+ count = var.deployment_mode == "Standard" ? 2 : 1
+ depends_on = [azurerm_lb.frontend-lb, azurerm_lb.backend-lb]
+ loadbalancer_id = var.deployment_mode == "Standard" ? (count.index == 0 ? azurerm_lb.frontend-lb[0].id : azurerm_lb.backend-lb[0].id) : (var.deployment_mode == "External" ? azurerm_lb.frontend-lb[0].id : azurerm_lb.backend-lb[0].id)
+ name = var.deployment_mode == "Standard" ? (count.index == 0 ? "${var.vmss_name}-app-1" : "backend-lb") : (var.deployment_mode == "External" ? "${var.vmss_name}-app-1" : "backend-lb")
+ protocol = var.lb_probe_protocol
+ port = var.lb_probe_port
+ interval_in_seconds = var.lb_probe_interval
+ number_of_probes = var.lb_probe_unhealthy_threshold
+}
+
+// Standard deployment
+resource "azurerm_lb_rule" "lbnatrule-standard" {
+ count = var.deployment_mode == "Standard" ? 2 : 0
+ depends_on = [azurerm_lb.frontend-lb[0],azurerm_lb_probe.azure_lb_healprob,azurerm_lb.backend-lb[0]]
+ loadbalancer_id = count.index == 0 ? azurerm_lb.frontend-lb[0].id : azurerm_lb.backend-lb[0].id
+ name = count.index == 0 ? "${var.vmss_name}-app-1" : "backend-lb"
+ protocol = count.index == 0 ? "Tcp" : "All"
+ frontend_port = count.index == 0 ? var.frontend_port : "0"
+ backend_port = count.index == 0 ? var.backend_port : "0"
+ backend_address_pool_ids = count.index == 0 ?
[azurerm_lb_backend_address_pool.frontend-lb-pool[0].id] : [azurerm_lb_backend_address_pool.backend-lb-pool[0].id]
+ frontend_ip_configuration_name = count.index == 0 ? azurerm_lb.frontend-lb[0].frontend_ip_configuration[0].name : azurerm_lb.backend-lb[0].frontend_ip_configuration[0].name
+ probe_id = azurerm_lb_probe.azure_lb_healprob[count.index].id
+ load_distribution = count.index == 0 ? var.frontend_load_distribution : var.backend_load_distribution
+ enable_floating_ip = var.enable_floating_ip
+}
+
+// External deployment
+resource "azurerm_lb_rule" "lbnatrule-external" {
+ count = var.deployment_mode == "External" ? 1 : 0
+ depends_on = [azurerm_lb.frontend-lb[0],azurerm_lb_probe.azure_lb_healprob]
+ loadbalancer_id = azurerm_lb.frontend-lb[0].id
+ name = "${var.vmss_name}-app-1"
+ protocol = "Tcp"
+ frontend_port = var.frontend_port
+ backend_port = var.backend_port
+ backend_address_pool_ids = [azurerm_lb_backend_address_pool.frontend-lb-pool[0].id]
+ frontend_ip_configuration_name = azurerm_lb.frontend-lb[0].frontend_ip_configuration[0].name
+ probe_id = azurerm_lb_probe.azure_lb_healprob[0].id
+ load_distribution = var.frontend_load_distribution
+ enable_floating_ip = var.enable_floating_ip
+}
+
+// Internal deployment
+resource "azurerm_lb_rule" "lbnatrule-internal" {
+ count = var.deployment_mode == "Internal" ?
1 : 0
+ depends_on = [azurerm_lb_probe.azure_lb_healprob,azurerm_lb.backend-lb[0]]
+ loadbalancer_id = azurerm_lb.backend-lb[0].id
+ name = "backend-lb"
+ protocol = "All"
+ frontend_port = "0"
+ backend_port = "0"
+ backend_address_pool_ids = [azurerm_lb_backend_address_pool.backend-lb-pool[0].id]
+ frontend_ip_configuration_name = azurerm_lb.backend-lb[0].frontend_ip_configuration[0].name
+ probe_id = azurerm_lb_probe.azure_lb_healprob[0].id
+ load_distribution = var.backend_load_distribution
+ enable_floating_ip = var.enable_floating_ip
+}
+
+//********************** Storage accounts **************************//
+// Generate random text for a unique storage account name
+resource "random_id" "randomId" {
+ keepers = {
+ # Generate a new ID only when a new resource group is defined
+ resource_group = module.common.resource_group_name
+ }
+ byte_length = 8
+}
+resource "azurerm_storage_account" "vm-boot-diagnostics-storage" {
+ name = "diag${random_id.randomId.hex}"
+ resource_group_name = module.common.resource_group_name
+ location = module.common.resource_group_location
+ account_tier = module.common.storage_account_tier
+ account_replication_type = module.common.account_replication_type
+ network_rules {
+ default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow"
+ ip_rules = module.common.storage_account_ip_rules
+ }
+ blob_properties {
+ delete_retention_policy {
+ days = "15"
+ }
+ }
+}
+
+
+//********************** Virtual Machines **************************//
+locals {
+ SSH_authentication_type_condition = var.authentication_type == "SSH Public Key" ? true : false
+ availability_zones_num_condition = var.availability_zones_num == "0" ? null : var.availability_zones_num == "1" ? ["1"] : var.availability_zones_num == "2" ? ["1", "2"] : ["1", "2", "3"]
+ custom_image_condition = var.source_image_vhd_uri == "noCustomUri" ?
false : true
+ management_interface_name = split("-", var.management_interface)[0]
+ management_ip_address_type = split("-", var.management_interface)[1]
+}
+
+resource "azurerm_image" "custom-image" {
+ count = local.custom_image_condition ? 1 : 0
+ name = "custom-image"
+ location = var.location
+ resource_group_name = module.common.resource_group_name
+
+ os_disk {
+ os_type = "Linux"
+ os_state = "Generalized"
+ blob_uri = var.source_image_vhd_uri
+ }
+}
+
+resource "azurerm_linux_virtual_machine_scale_set" "vmss" {
+ name = var.vmss_name
+ location = module.common.resource_group_location
+ resource_group_name = module.common.resource_group_name
+ sku = module.common.vm_size
+ zones = local.availability_zones_num_condition
+ instances = var.number_of_vm_instances
+ overprovision = false
+
+ dynamic "identity" {
+ for_each = var.enable_custom_metrics ? [1] : []
+ content {
+ type = "SystemAssigned"
+ }
+ }
+
+ dynamic "source_image_reference" {
+ for_each = local.custom_image_condition ? [] : [1]
+ content {
+ publisher = module.common.publisher
+ offer = module.common.vm_os_offer
+ sku = module.common.vm_os_sku
+ version = module.common.vm_os_version
+ }
+ }
+ source_image_id = local.custom_image_condition? azurerm_image.custom-image[0].id : null
+
+ os_disk {
+ disk_size_gb = module.common.disk_size
+ caching = module.common.storage_os_disk_caching
+ storage_account_type = module.common.storage_account_type
+ }
+
+ dynamic "plan" {
+ for_each = local.custom_image_condition ?
[] : [1]
+ content {
+ name = module.common.vm_os_sku
+ publisher = module.common.publisher
+ product = module.common.vm_os_offer
+ }
+ }
+
+ computer_name_prefix = lower(var.vmss_name)
+ admin_username = module.common.admin_username
+ admin_password = module.common.admin_password
+ custom_data = base64encode(templatefile("${path.module}/cloud-init.sh", {
+ installation_type = module.common.installation_type
+ allow_upload_download = module.common.allow_upload_download
+ os_version = module.common.os_version
+ template_name = module.common.template_name
+ template_version = module.common.template_version
+ template_type = "terraform"
+ is_blink = module.common.is_blink
+ bootstrap_script64 = base64encode(var.bootstrap_script)
+ location = module.common.resource_group_location
+ sic_key = var.sic_key
+ vnet = data.azurerm_subnet.frontend.address_prefixes[0]
+ enable_custom_metrics = var.enable_custom_metrics ? "yes" : "no"
+ admin_shell = var.admin_shell
+ serial_console_password_hash = var.serial_console_password_hash
+ maintenance_mode_password_hash = var.maintenance_mode_password_hash
+ }))
+
+
+ disable_password_authentication = local.SSH_authentication_type_condition
+
+ dynamic "admin_ssh_key" {
+ for_each = local.SSH_authentication_type_condition ? [
+ 1] : []
+ content {
+ public_key = file("azure_public_key")
+ username = "notused"
+ }
+ }
+
+
+ boot_diagnostics {
+ storage_account_uri = module.common.boot_diagnostics ? join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : ""
+ }
+
+ upgrade_mode = "Manual"
+
+ network_interface {
+ name = "eth0"
+ primary = true
+ enable_ip_forwarding = true
+ enable_accelerated_networking = true
+ network_security_group_id = module.network-security-group[0].network_security_group_id
+ ip_configuration {
+ name = "ipconfig1"
+ subnet_id = data.azurerm_subnet.frontend.id
+ load_balancer_backend_address_pool_ids = var.deployment_mode != "Internal" ?
[azurerm_lb_backend_address_pool.frontend-lb-pool[0].id]: null
+ primary = true
+ public_ip_address {
+ name = "${var.vmss_name}-public-ip"
+ idle_timeout_in_minutes = 15
+ domain_name_label = "${lower(var.vmss_name)}-dns-name"
+ }
+ }
+ }
+
+ network_interface {
+ name = "eth1"
+ primary = false
+ enable_ip_forwarding = true
+ enable_accelerated_networking = true
+ ip_configuration {
+ name = "ipconfig2"
+ subnet_id = data.azurerm_subnet.backend.id
+ load_balancer_backend_address_pool_ids = var.deployment_mode != "External" ? [azurerm_lb_backend_address_pool.backend-lb-pool[0].id] : null
+ primary = true
+ }
+ }
+
+ tags = var.management_interface == "eth0"?{
+ x-chkp-management = var.management_name,
+ x-chkp-template = var.configuration_template_name,
+ x-chkp-ip-address = local.management_ip_address_type,
+ x-chkp-management-interface = local.management_interface_name,
+ x-chkp-management-address = var.management_IP,
+ x-chkp-topology = "eth0:external,eth1:internal",
+ x-chkp-anti-spoofing = "eth0:false,eth1:false",
+ x-chkp-srcImageUri = var.source_image_vhd_uri
+ }:{
+ x-chkp-management = var.management_name,
+ x-chkp-template = var.configuration_template_name,
+ x-chkp-ip-address = local.management_ip_address_type,
+ x-chkp-management-interface = local.management_interface_name,
+ x-chkp-topology = "eth0:external,eth1:internal",
+ x-chkp-anti-spoofing = "eth0:false,eth1:false",
+ x-chkp-srcImageUri = var.source_image_vhd_uri
+ }
+}
+
+resource "azurerm_monitor_autoscale_setting" "vmss_settings" {
+ depends_on = [azurerm_linux_virtual_machine_scale_set.vmss]
+ name = var.vmss_name
+ resource_group_name = module.common.resource_group_name
+ location = module.common.resource_group_location
+ target_resource_id = azurerm_linux_virtual_machine_scale_set.vmss.id
+
+ profile {
+ name = "Profile1"
+
+ capacity {
+ default = module.common.number_of_vm_instances
+ minimum = var.minimum_number_of_vm_instances
+ maximum = var.maximum_number_of_vm_instances
+ }
+
+ rule
{
+ metric_trigger {
+ metric_name = "Percentage CPU"
+ metric_resource_id = azurerm_linux_virtual_machine_scale_set.vmss.id
+ time_grain = "PT1M"
+ statistic = "Average"
+ time_window = "PT5M"
+ time_aggregation = "Average"
+ operator = "GreaterThan"
+ threshold = 80
+ }
+
+ scale_action {
+ direction = "Increase"
+ type = "ChangeCount"
+ value = "1"
+ cooldown = "PT5M"
+ }
+ }
+
+ rule {
+ metric_trigger {
+ metric_name = "Percentage CPU"
+ metric_resource_id = azurerm_linux_virtual_machine_scale_set.vmss.id
+ time_grain = "PT1M"
+ statistic = "Average"
+ time_window = "PT5M"
+ time_aggregation = "Average"
+ operator = "LessThan"
+ threshold = 60
+ }
+
+ scale_action {
+ direction = "Decrease"
+ type = "ChangeCount"
+ value = "1"
+ cooldown = "PT5M"
+ }
+ }
+ }
+
+ notification {
+ email {
+ send_to_subscription_administrator = false
+ send_to_subscription_co_administrator = false
+ custom_emails = var.notification_email == "" ? [] : [var.notification_email]
+ }
+ }
+}
+
+resource "azurerm_role_assignment" "custom_metrics_role_assignment"{
+ depends_on = [azurerm_linux_virtual_machine_scale_set.vmss]
+ count = var.enable_custom_metrics ? 1 : 0
+ role_definition_id = join("", ["/subscriptions/", var.subscription_id, "/providers/Microsoft.Authorization/roleDefinitions/", "3913510d-42f4-4e42-8a64-420c390055eb"])
+ principal_id = lookup(azurerm_linux_virtual_machine_scale_set.vmss.identity[0], "principal_id")
+ scope = module.common.resource_group_id
+ lifecycle {
+ ignore_changes = [
+ role_definition_id, principal_id
+ ]
+ }
+}
diff --git a/terraform/azure/vmss-existing-vnet/terraform.tfvars b/terraform/azure/vmss-existing-vnet/terraform.tfvars
new file mode 100755
index 00000000..66836af3
--- /dev/null
+++ b/terraform/azure/vmss-existing-vnet/terraform.tfvars
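Review bot: `network_security_group_id = module.network-security-group[0].network_security_group_id` in the eth0 `network_interface` block indexes the NSG module unconditionally, but that module's `count` is 0 whenever `var.nsg_id` is non-empty, so supplying the existing NSG the README advertises fails at plan time with an index error and `var.nsg_id` is never consumed anywhere in main.tf. The line should select between the two sources: `network_security_group_id = var.nsg_id == "" ? module.network-security-group[0].network_security_group_id : var.nsg_id`. Separately, the `tags` conditional tests `var.management_interface == "eth0"`, yet the README lists only `eth0-public`, `eth0-private` and `eth1-private` as values and `local.management_interface_name` already holds the split prefix, so the branch that emits `x-chkp-management-address` looks unreachable; `tags = local.management_interface_name == "eth0" ? {` is presumably what was intended. The default NSG's only rule is `AllowAllInBound` from `*` at priority 100, which is likely deliberate for a gateway scale set that enforces its own policy, but a one-line comment on that rule saying so would stop the next reader from treating it as an oversight.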
@@ -0,0 +1,43 @@
+#PLEASE refer to the README.md for accepted values FOR THE VARIABLES BELOW
+client_secret = "PLEASE ENTER CLIENT SECRET" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+client_id = "PLEASE ENTER CLIENT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+tenant_id = "PLEASE ENTER TENANT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+subscription_id = "PLEASE ENTER SUBSCRIPTION ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+source_image_vhd_uri = "PLEASE ENTER SOURCE IMAGE VHD URI OR noCustomUri" # "noCustomUri"
+resource_group_name = "PLEASE ENTER RESOURCE GROUP NAME" # "checkpoint-vmss-terraform"
+vmss_name = "PLEASE ENTER SCALE SET NAME" # "checkpoint-vmss-terraform"
+location = "PLEASE ENTER LOCATION" # "eastus"
+vnet_name = "PLEASE ENTER VIRTUAL NETWORK NAME" # "checkpoint-vmss-vnet"
+vnet_resource_group = "PLEASE ENTER VIRTUAL NETWORK'S RESOURCE GROUP NAME" # "existing-vnet"
+frontend_subnet_name = "PLEASE ENTER EXTERNAL SUBNET NAME" # "frontend"
+backend_subnet_name = "PLEASE ENTER INTERNAL SUBNET NAME" # "backend"
+backend_lb_IP_address = "PLEASE ENTER BACKEND LB IP ADDRESS POSITIONAL NUMBER" # 4
+admin_password = "PLEASE ENTER ADMIN PASSWORD" # "xxxxxxxxxxxx"
+sic_key = "PLEASE ENTER SIC KEY" # "xxxxxxxxxxxx"
+vm_size = "PLEASE ENTER VM SIZE" # "Standard_D3_v2"
+disk_size = "PLEASE ENTER DISK SIZE MUST BE 100 FOR VERSIONS R81.20 AND BELOW" # "100"
+vm_os_sku = "PLEASE ENTER VM SKU" # "sg-byol"
+vm_os_offer = "PLEASE ENTER VM OFFER" # "check-point-cg-r8110"
+os_version = "PLEASE ENTER GAIA OS VERSION" # "R8110"
+bootstrap_script = "PLEASE ENTER CUSTOM SCRIPT OR LEAVE EMPTY DOUBLE QUOTES" # "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
+allow_upload_download = "PLEASE ENTER true or false" # true
+authentication_type = "PLEASE ENTER AUTHENTICATION TYPE" # "Password"
+availability_zones_num = "PLEASE ENTER NUMBER OF AVAILABILITY ZONES" # "1"
+minimum_number_of_vm_instances = "PLEASE ENTER MINIMUM NUMBER OF VM INSTANCES" #
2
+maximum_number_of_vm_instances = "PLEASE ENTER MAXIMUM NUMBER OF VM INSTANCES" # 10
+management_name = "PLEASE ENTER MANAGEMENT NAME" # "mgmt"
+management_IP = "PLEASE ENTER MANAGEMENT IP" # "13.92.42.181"
+management_interface = "PLEASE ENTER MANAGEMENT INTERFACE" # "eth1-private"
+configuration_template_name = "PLEASE ENTER CONFIGURATION TEMPLATE NAME" # "vmss_template"
+notification_email = "PLEASE ENTER NOTIFICATION MAIL OR LEAVE EMPTY DOUBLE QUOTES" # ""
+frontend_load_distribution = "PLEASE ENTER EXTERNAL LOAD BALANCER SESSION PERSISTENCE" # "Default"
+backend_load_distribution = "PLEASE ENTER INTERNAL LOAD BALANCER SESSION PERSISTENCE" # "Default"
+enable_custom_metrics = "PLEASE ENTER true or false" # true
+enable_floating_ip = "PLEASE ENTER true or false" # false
+deployment_mode = "PLEASE ENTER DEPLOYMENT MODE" # "Standard"
+admin_shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh"
+serial_console_password_hash = "PLEASE ENTER SERIAL CONSOLE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+add_storage_account_ip_rules = "PLEASE ENTER true or false" # false
+storage_account_additional_ips = "PLEASE ENTER A LIST OF VALID IPS/CIDRS" # []
+nsg_id = "PLEASE ENTER NETWORK SECURITY GROUP ID" # ""
\ No newline at end of file
diff --git a/terraform/azure/vmss-existing-vnet/variables.tf b/terraform/azure/vmss-existing-vnet/variables.tf
new file mode 100755
index 00000000..9ef598a3
--- /dev/null
+++ b/terraform/azure/vmss-existing-vnet/variables.tf
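Review bot: `client_secret`, `admin_password`, `sic_key`, `serial_console_password_hash` and `maintenance_mode_password_hash` sit in the same tracked `terraform.tfvars` as the non-secret settings, so a user who fills in the placeholders and commits ends up with the service-principal secret and gateway credentials in version control, and the leading comment gives no warning. I cannot see whether the `.gitignore` added elsewhere in this patch excludes `terraform.tfvars`; if it does not, extend the header, e.g. `# Supply client_secret, admin_password, sic_key and the password hashes via TF_VAR_<name> environment variables or an untracked *.auto.tfvars; do not commit them`. Marking those five variables `sensitive = true` in variables.tf would additionally keep them out of plan and apply output.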
@@ -0,0 +1,404 @@
+//********************** Basic Configuration Variables **************************//
+variable "vmss_name"{
+ description = "vmss name"
+ type = string
+}
+
+variable "resource_group_name" {
+ description = "Azure Resource Group name to build into"
+ type = string
+}
+
+variable "location" {
+ description = "The location/region where resources will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions"
+ type = string
+}
+
+//********************** Virtual Machine Instances Variables **************************//
+variable "source_image_vhd_uri" {
+ type = string
+ description = "The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images."
+ default = "noCustomUri"
+}
+
+variable "admin_username" {
+ description = "Administrator username of deployed VM. Due to Azure limitations 'notused' name can be used"
+ default = "notused"
+}
+
+variable "admin_password" {
+ description = "Administrator password of deployed Virtual Machine. The password must meet the complexity requirements of Azure"
+ type = string
+}
+
+variable "serial_console_password_hash" {
+ description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type"
+ type = string
+}
+
+variable "maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash, relevant only for R81.20 and higher versions"
+ type = string
+}
+
+variable "availability_zones_num" {
+ description = "The number of availability zones to use for Scale Set. Note that the load balancers and their IP addresses will be redundant in any case"
+ #Availability Zones are only supported in several regions at this time
+ #"centralus", "eastus2", "francecentral", "northeurope", "southeastasia", "westeurope", "westus2", "eastus", "uksouth"
+ #type = list(string)
+}
+
+locals { // locals for 'availability_zones_num' allowed values
+ availability_zones_num_allowed_values = [
+ "0",
+ "1",
+ "2",
+ "3"
+ ]
+ // will fail if [var.availability_zones_num] is invalid:
+ validate_availability_zones_num_value = index(local.availability_zones_num_allowed_values, var.availability_zones_num)
+}
+
+variable "sic_key" {
+ description = "Secure Internal Communication(SIC) key"
+ type = string
+}
+resource "null_resource" "sic_key_invalid" {
+ count = length(var.sic_key) >= 12 ? 0 : "SIC key must be at least 12 characters long"
+}
+
+variable "template_name"{
+ description = "Template name. Should be defined according to deployment type(ha, vmss)"
+ type = string
+ default = "vmss-terraform"
+}
+
+variable "template_version"{
+ description = "Template version. It is recommended to always use the latest template version"
+ type = string
+ default = "20230910"
+}
+
+variable "installation_type"{
+ description = "Installation type"
+ type = string
+ default = "vmss"
+}
+
+variable "number_of_vm_instances"{
+ description = "Default number of VM instances to deploy"
+ type = string
+ default = "2"
+}
+
+variable "minimum_number_of_vm_instances" {
+ description = "Minimum number of VM instances to deploy"
+ type = string
+}
+
+variable "maximum_number_of_vm_instances" {
+ description = "Maximum number of VM instances to deploy"
+ type = string
+}
+
+variable "vm_size" {
+ description = "Specifies size of Virtual Machine"
+ type = string
+}
+
+
+variable "os_version" {
+ description = "GAIA OS version"
+ type = string
+}
+
+locals { // locals for 'vm_os_offer' allowed values
+ os_version_allowed_values = [
+ "R8040",
+ "R81",
+ "R8110",
+ "R8120"
+ ]
+ // will fail if [var.os_version] is invalid:
+ validate_os_version_value = index(local.os_version_allowed_values, var.os_version)
+}
+variable "disk_size" {
+ description = "Storage data disk size size(GB). Select a number between 100 and 3995, if you are using R81.20 or below, the disk size must be 100"
+ type = string
+ default = 100
+}
+resource "null_resource" "disk_size_validation" {
+ // Will fail if var.disk_size is not 100 and the version is R81.20 or below
+ count = tonumber(var.disk_size) != 100 && contains(["R8040", "R81", "R8110", "R8120"], var.os_version) ? "variable disk_size can not be changed for R81.20 and below" : 0
+}
+variable "vm_os_sku" {
+ description = "The sku of the image to be deployed."
+ type = string
+}
+
+variable "authentication_type" {
+ description = "Specifies whether a password authentication or SSH Public Key authentication should be used"
+ type = string
+}
+locals { // locals for 'authentication_type' allowed values
+ authentication_type_allowed_values = [
+ "Password",
+ "SSH Public Key"
+ ]
+ // will fail if [var.authentication_type] is invalid:
+ validate_authentication_type_value = index(local.authentication_type_allowed_values, var.authentication_type)
+}
+
+variable "allow_upload_download" {
+ description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point"
+ type = bool
+}
+
+variable "is_blink" {
+ description = "Define if blink image is used for deployment"
+ default = true
+}
+
+variable "management_name" {
+ description = "The name of the management server as it appears in the configuration file"
+ type = string
+}
+
+variable "management_IP" {
+ description = "The IP address used to manage the VMSS instances"
+ type = string
+}
+
+variable "management_interface" {
+ description = "Manage the Gateways in the Scale Set via the instance's external (eth0) or internal (eth1) NIC's private IP address"
+ type = string
+ default = "eth1-private"
+}
+locals { // locals for 'management_interface' allowed values
+ management_interface_allowed_values = [
+ "eth0-public",
+ "eth0-private",
+ "eth1-private"
+ ]
+ // will fail if [var.management_interface] is invalid:
+ validate_management_interface_value = index(local.management_interface_allowed_values, var.management_interface)
+}
+
+variable "configuration_template_name" {
+ description = "The configuration template name as it appears in the configuration file"
+ type = string
+}
+
+variable "admin_shell" {
+ description = "The admin shell to configure on machine or the first time"
+ type = string
+ default = "/etc/cli.sh"
+}
+
+locals {
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"
+ ]
+ // Will fail if [var.admin_shell] is invalid
+ validate_admin_shell_value = index(local.admin_shell_allowed_values, var.admin_shell)
+}
+
+//********************** Networking Variables **************************//
+variable "vnet_name" {
+ description = "Virtual Network name"
+ type = string
+}
+
+variable "frontend_subnet_name" {
+ description = "Frontend subnet name"
+ type = string
+}
+
+variable "backend_subnet_name" {
+ description = "Backend subnet name"
+ type = string
+}
+
+variable "vnet_resource_group" {
+ description = "Resource group of existing vnet"
+ type = string
+}
+
+variable "vnet_allocation_method" {
+ description = "IP address allocation method"
+ type = string
+ default = "Static"
+}
+
+variable "add_storage_account_ip_rules" {
+ type = bool
+ default = false
+ description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location"
+}
+
+variable "storage_account_additional_ips" {
+ type = list(string)
+ description = "IPs/CIDRs that are allowed access to the Storage Account"
+ default = []
+}
+
+//********************* Load Balancers Variables **********************//
+
+variable "deployment_mode" {
+ description = "The type of the deployment, can be 'Standard' for both load balancers or 'External' for external load balancer or 'Internal for internal load balancer"
+ type = string
+ default = "Standard"
+}
+
+locals { // locals for 'deployment_mode' allowed values
+ deployment_mode_allowd_values = [
+ "Standard",
+ "External",
+ "Internal"
+ ]
+ // will fail if [var.deployment_mode] is invalid:
+ validate_deployment_mode_value = index(local.deployment_mode_allowd_values, var.deployment_mode)
+}
+
+variable "backend_lb_IP_address" {
+ description = "The IP address is defined by its position in the subnet"
+ type = number
+}
+
+variable "lb_probe_port" {
+ description = "Port to be used for load balancer health probes and rules"
+ default = "8117"
+}
+
+variable "lb_probe_protocol" {
+ description = "Protocols to be used for load balancer health probes and rules"
+ default = "Tcp"
+}
+
+variable "lb_probe_unhealthy_threshold" {
+ description = "Number of times load balancer health probe has an unsuccessful attempt before considering the endpoint unhealthy."
+ default = 2
+}
+
+variable "lb_probe_interval" {
+ description = "Interval in seconds load balancer health probe rule performs a check"
+ default = 5
+}
+
+variable "frontend_port" {
+ description = "Port that will be exposed to the external Load Balancer"
+ type = string
+ default = "80"
+}
+
+variable "backend_port" {
+ description = "Port that will be exposed to the external Load Balance"
+ type = string
+ default = "8081"
+}
+
+variable "frontend_load_distribution" {
+ description = "Specifies the load balancing distribution type to be used by the frontend load balancer"
+ type = string
+}
+
+locals { // locals for 'frontend_load_distribution' allowed values
+ frontend_load_distribution_allowed_values = [
+ "Default",
+ "SourceIP",
+ "SourceIPProtocol"
+ ]
+ // will fail if [var.frontend_load_distribution] is invalid:
+ validate_frontend_load_distribution_value = index(local.frontend_load_distribution_allowed_values, var.frontend_load_distribution)
+}
+
+variable "backend_load_distribution" {
+ description = "Specifies the load balancing distribution type to be used by the backend load balancer"
+ type = string
+}
+
+locals { // locals for 'frontend_load_distribution' allowed values
+ backend_load_distribution_allowed_values = [
+ "Default",
+ "SourceIP",
+ "SourceIPProtocol"
+ ]
+ // will fail if [var.backend_load_distribution] is invalid:
+ validate_backend_load_distribution_value = index(local.backend_load_distribution_allowed_values, var.backend_load_distribution)
+}
+
+//********************** Scale Set variables *******************//
+
+variable "vm_os_offer" {
+ description = "The name of the offer of the image that you want to deploy.Choose from: check-point-cg-r8040, check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120"
+ type = string
+}
+
+locals { // locals for 'vm_os_offer' allowed values
+ vm_os_offer_allowed_values = [
+ "check-point-cg-r8040",
+ "check-point-cg-r81",
+ "check-point-cg-r8110",
+ "check-point-cg-r8120",
+ ]
+ // will fail if [var.vm_os_offer] is invalid:
+ validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer)
+}
+
+variable "bootstrap_script"{
+ description = "An optional script to run on the initial boot"
+ #example:
+ #"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
+}
+
+variable "notification_email" {
+ description = "Specifies a list of custom email addresses to which the email notifications will be sent"
+ type = string
+}
+
+//********************** Credentials **************************//
+variable "tenant_id" {
+ description = "Tenant ID"
+ type = string
+}
+
+variable "subscription_id" {
+ description = "Subscription ID"
+ type = string
+}
+
+variable "client_id" {
+ description = "Application ID(Client ID)"
+ type = string
+}
+
+variable "client_secret" {
+ description = "A secret string that the application uses to prove its identity when requesting a token. Also can be referred to as application password."
+ type = string
+}
+
+variable "sku" {
+ description = "SKU"
+ type = string
+ default = "Standard"
+}
+
+variable "enable_custom_metrics" {
+ description = "Enable CloudGuard metrics in order to send statuses and statistics collected from VMSS instances to the Azure Monitor service."
+ type = bool
+ default = true
+}
+
+variable "enable_floating_ip" {
+ description = "Indicates whether the load balancers will be deployed with floating IP."
+ type = bool
+ default = false
+}
+
+variable "nsg_id" {
+ description = "NSG ID - Optional - if empty use default NSG"
+ default = ""
+}
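Review bot: `client_secret`, `admin_password`, `sic_key`, `serial_console_password_hash` and `maintenance_mode_password_hash` are declared as plain `type = string` without `sensitive = true`, so their values are echoed in `terraform plan`/`apply` output and in any CI log that captures it; versions.tf in this patch pins `required_version = ">= 0.14.3"`, which supports the attribute, so add `sensitive = true` to each of those five blocks. The `disk_size_validation` resource contradicts the variable's own description: its `contains([...])` list holds all four values that `os_version_allowed_values` permits, so `disk_size` can never legally differ from 100 for any accepted version and the "between 100 and 3995" range is unreachable — either drop `"R8120"` from that list or change the description to say the size is fixed at 100. On the same version baseline the `null_resource` count hacks and the `index()` locals could be `validation { condition = contains(local.os_version_allowed_values, var.os_version) error_message = "..." }` blocks, which fail at plan time with a readable message instead of a type-conversion error. `nsg_id`'s description "if empty use default NSG" should state what that default is: the sibling vmss-new-vnet/main.tf in this patch builds its default NSG from a single `AllowAllInBound` rule with `*` as source, ports and destination, and if vmss-existing-vnet does the same (its main.tf is not in this view) an empty `nsg_id` opens every port and the description, and the README row, should say so. Minor: the local is spelled `deployment_mode_allowd_values`, and the comments on the `os_version` and `backend_load_distribution` locals name the wrong variable (`'vm_os_offer'` and `'frontend_load_distribution'`).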
diff --git a/terraform/azure/vmss-existing-vnet/versions.tf b/terraform/azure/vmss-existing-vnet/versions.tf
new file mode 100644
index 00000000..df4caa26
--- /dev/null
+++ b/terraform/azure/vmss-existing-vnet/versions.tf
@@ -0,0 +1,14 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~> 3.81.0"
+ }
+ random = {
+ version = "~> 3.5.1"
+ }
+ }
+}
+
+
diff --git a/terraform/azure/vmss-new-vnet/README.md b/terraform/azure/vmss-new-vnet/README.md
new file mode 100755
index 00000000..b57e3011
--- /dev/null
+++ b/terraform/azure/vmss-new-vnet/README.md
@@ -0,0 +1,247 @@
+# Check Point CloudGuard IaaS VMSS Terraform deployment for Azure
+
+This Terraform module deploys Check Point CloudGuard IaaS VMSS solution into a new Vnet in Azure.
+As part of the deployment the following resources are created:
+- Resource group
+- Virtual network
+- Network security group
+- Role assignment - conditional creation
+
+
+For additional information,
+please see the [CloudGuard Network for Azure Virtual Machine Scale Sets (VMSS) Deployment Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_VMSS_for_Azure/Default.htm)
+
+This solution uses the following modules:
+- /terraform/azure/modules/common - used for creating a resource group and defining common variables.
+- /terraform/azure/modules/vnet - used for creating new virtual network and subnets.
+- /terraform/azure/modules/network-security-group - used for creating new network security groups and rules.
+
+
+## Configurations
+- Install and configure Terraform to provision Azure resources: [Configure Terraform for Azure](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/terraform-install-configure)
+- In order to use ssh connection to VMs, it is **required** to add a public key to the /terraform/azure/vmss-new-vnet/azure_public_key file
+
+## Usage
+- Choose the preferred login method to Azure in order to deploy the solution:
+
1. Using Service Principal: + - Create a [Service Principal](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal) (or use the existing one) + - Grant the Service Principal at least "**Managed Application Contributor**", "**Storage Account Contributor**", "**Network Contributor**", "**Virtual Machine Contributor**" permissions to the Azure subscription
+ - The Service Principal credentials can be stored either in the terraform.tfvars or as [Environment Variables](https://www.terraform.io/docs/providers/azuread/guides/service_principal_client_secret.html)
+ + In case the Environment Variables are used, perform modifications described below:
+ + a. The next lines in the main.tf file, in the provider azurerm resource, need to be deleted or commented: + + provider "azurerm" { + + // subscription_id = var.subscription_id + // client_id = var.client_id + // client_secret = var.client_secret + // tenant_id = var.tenant_id + + features {} + } + + b. In the terraform.tfvars file leave empty double quotes for client_secret, client_id , tenant_id and subscription_id variables: + + client_secret = "" + client_id = "" + tenant_id = "" + subscription_id = "" + +
2. Using **az** commands from a command-line: + - Run **az login** command + - Sign in with your account credentials in the browser + - [Accept Azure Marketplace image terms](https://docs.microsoft.com/en-us/cli/azure/vm/image/terms?view=azure-cli-latest) by running: +
**az vm image terms accept --urn publisher:offer:sku:version**, where: + - publisher = checkpoint; + - offer = vm_os_offer (see accepted values in the table below); + - sku = vm_os_sku (see accepted values in the table below); + - version = latest
+
Example:
+ az vm image terms accept --urn checkpoint:check-point-cg-r8040:sg-byol:latest + + - In the terraform.tfvars file leave empty double quotes for client_secret, client_id and tenant_id variables. + +- Fill all variables in the /terraform/azure/vmss-new-vnet/terraform.tfvars file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + + terraform init +- Create an execution plan: + + terraform plan +- Create or modify the deployment: + + terraform apply + +### terraform.tfvars variables: + | Name | Description | Type | Allowed values | Default | + | ------------- | ------------- | ------------- |---------| ------------- | + | **client_secret** | The client secret of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **client_id** | The client ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | | n/a + | | | | | | + | **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images | string | | "noCustomUri" + | | | | | | + | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period
Note: Resource group name must not contain reserved words based on: sk40179| n/a + | | | | | | + | **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | n/a + | | | | | | + | **vmss_name** | The name of the Check Point VMSS Object | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long
Note: vmss name must not contain reserved words based on: sk40179 | n/a + | | | | | | + | **vnet_name** | The name of virtual network that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | n/a + | | | | | | + | **address_space** | The address prefixes of the virtual network | string | Valid CIDR block | "10.0.0.0/16" + | | | | | | + | **subnet_prefixes** | The address prefixes to be used for created subnets | string | The subnets need to contain within the address space for this virtual network(defined by address_space variable) | ["10.0.0.0/24","10.0.1.0/24"] + | | | | | | + | **backend_lb_IP_address** | Is a whole number that can be represented as a binary integer with no more than the number of digits remaining in the address after the given prefix| number | Starting from 5-th IP address in a subnet. For example: subnet - 10.0.1.0/24, backend_lb_IP_address = 4 , the LB IP is 10.0.1.4 | n/a + | | | | | | + | **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | n/a + | | | | | | + | **sic_key** | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | n/a + | | | | | | + | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", 
"Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | n/a + | | | | | | + | **disk_size** | Storage data disk size size(GB) must be 100 for versions R81.20 and below | string | A number in the range 100 - 3995 (GB) | 100 + | | | | | | + | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license; | n/a + | | | | | | + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | | | | | | + | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120"; | n/a + | | | | | | + | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | n/a + | | | | | | + | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | n/a + | | | | | | + | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | n/a + | | | | | | + | **availability_zones_num** | A list of a single item of the Availability Zone which the Virtual Machine should be allocated in | string | "centralus", "eastus2", "francecentral", "northeurope", "southeastasia", "westeurope", "westus2", "eastus", "uksouth" | n/a + | | | | | | + | **minimum_number_of_vm_instances** | The minimum number of VMSS instances for this resource | number | Valid values are in the range 0 - 10 | n/a + | | | | | | + | **maximum_number_of_vm_instances** | The maximum number of VMSS instances for this resource | number | Valid values are in the range 0 - 10 | n/a + | | | | | | + | **management_name** | The name of the management server as it appears in the configuration file | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long | n/a + | | | | | | + | **management_IP** | The IP address used to manage the VMSS instances | string | A valid IP address | n/a + | | | | | | + | **management_interface** | Management option for the Gateways in the VMSS | string | "eth0-public" - Manages the GWs using their external NIC's public IP address;
"eth0-private" -Manages the GWs using their external NIC's private IP address;
"eth1-private" - Manages the GWs using their internal NIC's private IP address | "eth1-private" + | | | | | | + | **configuration_template_name** | The configuration template name as it appears in the configuration file | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long | n/a + | | | | | | + | **frontend_load_distribution** | The load balancing distribution method for the External Load Balancer | string | "Default" - None(5-tuple);
"SourceIP" - ClientIP(2-tuple);
"SourceIPProtocol" - ClientIP and protocol(3-tuple) | n/a + | | | | | | + | **backend_load_distribution** | The load balancing distribution method for the Internal Load Balancer | string | "Default" - None(5-tuple);
"SourceIP" - ClientIP(2-tuple);
"SourceIPProtocol" - ClientIP and protocol(3-tuple) | n/a + | | | | | | + | **notification_email** | An email address to notify about scaling operations | string | Leave empty double quotes or enter a valid email address | n/a + | | | | | | + | **enable_custom_metrics** | Indicates whether Custom Metrics will be used for VMSS Scaling policy and VM monitoring | boolean | true;
false; | n/a + | | | | | | + | **enable_floating_ip** | Indicates whether the load balancers will be deployed with floating IP | boolean | true;
false; | n/a + | | | | | | + | **deployment_mode** | Indicates which load balancer need to be deployed. External + Internal(Standard), only External, only Internal | string | Standard ;
External;
Internal; | "Standard" + | | | | | | + | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | "/etc/cli.sh" + | | | | | | + | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here | string | | n/a + | | | | | | + | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | | n/a + | | | | | | + | **nsg_id** | Optional ID for a Network Security Group that already exists in Azure, if not provided, will create a default NSG | string | Existing NSG resource ID | "" + | | | | | | + | **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false; | false + | | | | | | + | **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs | [] + +## Conditional creation +To create role assignment and enable CloudGuard metrics in order to send statuses and statistics collected from VMSS instances to the Azure Monitor service: +``` +enable_custom_metrics = true +``` + +## Example + client_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + client_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + tenant_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + subscription_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + source_image_vhd_uri = "noCustomUri" + resource_group_name = "checkpoint-vmss-terraform" + location = "eastus" + vmss_name = "checkpoint-vmss-terraform" + vnet_name = "checkpoint-vmss-vnet" + address_space = "10.0.0.0/16" + subnet_prefixes = ["10.0.1.0/24","10.0.2.0/24"] + backend_lb_IP_address = 4 + admin_password = "xxxxxxxxxxxx" + sic_key = "xxxxxxxxxxxx" + vm_size = "Standard_D3_v2" + disk_size = "100" + vm_os_sku = "sg-byol" + vm_os_offer = "check-point-cg-r8110" + os_version = "R8110" + bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" + allow_upload_download = true + authentication_type = "Password" + availability_zones_num = "1" + minimum_number_of_vm_instances = 2 + maximum_number_of_vm_instances = 10 + management_name = "mgmt" + management_IP = "13.92.42.181" + management_interface = "eth1-private" + configuration_template_name = "vmss_template" + notification_email = "" + frontend_load_distribution = "Default" + backend_load_distribution = "Default" + enable_custom_metrics = true + enable_floating_ip = false + deployment_mode = "Standard" + admin_shell = "/etc/cli.sh" + serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + nsg_id = "" + add_storage_account_ip_rules = false + 
storage_account_additional_ips = [] + +## Deploy Without Public IP + +1. By default, the VMSS is deployed with public IP +2. To deploy without public IP, remove the "public_ip_address_configuration" block in main.tf + +## Known limitations + +## Revision History + +In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +| ---------------- | --------- | +| 20240613 | - Updated Azure Terraform provider version
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Updated diskSizeGB
- Added validation for os_version & os_offer | +| | | | +| 20230910 | - R81.20 is the default version | +| | | | +| 20221124 | - Added R81.20 support
- Upgraded azurerm provider | +| | | | +| 20220111 | - Added support to select different shells | +| | | | +| 20210309 | - Add "source_image_vhd_uri" variable for using a custom development image
- Fix zones filed for scale set be installed as multi-zone
- Modify "management_interface" variable and tags regarding managing the Gateways in the Scale Set | +| | | | +| 20210111 |- Update terraform version to 0.14.3
- Update azurerm version to 2.17.0
- Add authentication_type variable for choosing the authentication type.
- Add support for R81.
- Add public IP addresses support.
- Add support to CloudGuards metrics.
- Update resources for NSG https://github.com/CheckPointSW/CloudGuardIaaS/issues/67
- Avoid role-assignment re-creation when re-applying |
+| | | |
+| 20200323 | Remove the domain_name_label variable from the azurerm_public_ip resource |
+| | | |
+| 20200305 | First release of Check Point CloudGuard IaaS VMSS Terraform deployment for Azure |
+| | | |
+| | Addition of "templateType" parameter to "cloud-version" files |
+| | | |
+
+
+## License
+
+See the [LICENSE](../../LICENSE) file for details
+
diff --git a/terraform/azure/vmss-new-vnet/azure_public_key b/terraform/azure/vmss-new-vnet/azure_public_key
new file mode 100755
index 00000000..e69de29b
diff --git a/terraform/azure/vmss-new-vnet/cloud-init.sh b/terraform/azure/vmss-new-vnet/cloud-init.sh
new file mode 100755
index 00000000..f11f72c3
--- /dev/null
+++ b/terraform/azure/vmss-new-vnet/cloud-init.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/python3 /etc/cloud_config.py
+
+installationType="${installation_type}"
+allowUploadDownload="${allow_upload_download}"
+osVersion="${os_version}"
+templateName="${template_name}"
+templateVersion="${template_version}"
+templateType="${template_type}"
+isBlink="${is_blink}"
+bootstrapScript64="${bootstrap_script64}"
+location="${location}"
+sicKey="${sic_key}"
+vnet="${vnet}"
+customMetrics="${enable_custom_metrics}"
+adminShell="${admin_shell}"
+passwordHash="${serial_console_password_hash}"
+MaintenanceModePassword="${maintenance_mode_password_hash}"
diff --git a/terraform/azure/vmss-new-vnet/main.tf b/terraform/azure/vmss-new-vnet/main.tf
new file mode 100755
index 00000000..2438915d
--- /dev/null
+++ b/terraform/azure/vmss-new-vnet/main.tf
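Review bot: Every value in cloud-init.sh is interpolated verbatim inside a double-quoted literal (`sicKey="${sic_key}"`, `passwordHash="${serial_console_password_hash}"`, `MaintenanceModePassword="${maintenance_mode_password_hash}"`), so a `"` or backslash in any of those inputs produces a malformed line for whatever `/etc/cloud_config.py` does with this file; the only check this patch applies to `sic_key` (in variables.tf) is a length test, and the README's alphanumeric-only rule is enforced nowhere visible. A `validation` block on `sic_key` such as `condition = can(regex("^[A-Za-z0-9]{12,30}$", var.sic_key))` would reject such values at plan time, and `bootstrapScript64` already shows the safer pattern for free-form input. `MaintenanceModePassword` also breaks the camelCase convention of every other key and its name suggests a password rather than the hash it carries; `maintenanceModePasswordHash` would match `passwordHash`, unless cloud_config.py keys on the exact current name. The `templatefile` call that renders this file is outside the hunk, so whether any escaping happens there cannot be confirmed from this view.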
@@ -0,0 +1,442 @@
+provider "azurerm" {
+ subscription_id = var.subscription_id
+ client_id = var.client_id
+ client_secret = var.client_secret
+ tenant_id = var.tenant_id
+
+ features {}
+}
+
+//********************** Basic Configuration **************************//
+module "common" {
+ source = "../modules/common"
+ resource_group_name = var.resource_group_name
+ location = var.location
+ admin_password = var.authentication_type == "SSH Public Key" ? random_id.random_id.hex : var.admin_password
+ installation_type = var.installation_type
+ template_name = var.template_name
+ template_version = var.template_version
+ number_of_vm_instances = var.number_of_vm_instances
+ allow_upload_download = var.allow_upload_download
+ vm_size = var.vm_size
+ disk_size = var.disk_size
+ is_blink = var.is_blink
+ os_version = var.os_version
+ vm_os_sku = var.vm_os_sku
+ vm_os_offer = var.vm_os_offer
+ authentication_type = var.authentication_type
+ serial_console_password_hash = var.serial_console_password_hash
+ maintenance_mode_password_hash = var.maintenance_mode_password_hash
+ storage_account_additional_ips = var.storage_account_additional_ips
+}
+
+//********************** Networking **************************//
+module "vnet" {
+ source = "../modules/vnet"
+ vnet_name = var.vnet_name
+ resource_group_name = module.common.resource_group_name
+ location = module.common.resource_group_location
+ nsg_id = var.nsg_id == "" ? module.network-security-group[0].network_security_group_id: var.nsg_id
+ address_space = var.address_space
+ subnet_prefixes = var.subnet_prefixes
+}
+
+module "network-security-group" {
+ source = "../modules/network-security-group"
+ count = var.nsg_id == "" ?
1 : 0
+ resource_group_name = module.common.resource_group_name
+ security_group_name = "${module.common.resource_group_name}_nsg"
+ location = module.common.resource_group_location
+ security_rules = [
+ {
+ name = "AllowAllInBound"
+ priority = "100"
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "*"
+ source_port_ranges = "*"
+ destination_port_ranges = "*"
+ description = "Allow all inbound connections"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ }
+ ]
+}
+
+//********************** Load Balancers **************************//
+resource "random_id" "random_id" {
+ byte_length = 13
+ keepers = {
+ rg_id = module.common.resource_group_id
+ }
+}
+
+resource "azurerm_public_ip" "public-ip-lb" {
+ count = var.deployment_mode != "Internal" ? 1 : 0
+ name = "${var.vmss_name}-app-1"
+ location = module.common.resource_group_location
+ resource_group_name = module.common.resource_group_name
+ allocation_method = module.vnet.allocation_method
+ sku = var.sku
+ domain_name_label = "${lower(var.vmss_name)}-${random_id.random_id.hex}"
+}
+
+resource "azurerm_lb" "frontend-lb" {
+ count = var.deployment_mode != "Internal" ? 1 : 0
+ depends_on = [azurerm_public_ip.public-ip-lb]
+ name = "frontend-lb"
+ location = module.common.resource_group_location
+ resource_group_name = module.common.resource_group_name
+ sku = var.sku
+
+ frontend_ip_configuration {
+ name = "${var.vmss_name}-app-1"
+ public_ip_address_id = azurerm_public_ip.public-ip-lb[0].id
+ }
+}
+
+resource "azurerm_lb_backend_address_pool" "frontend-lb-pool" {
+ count = var.deployment_mode != "Internal" ? 1 : 0
+ loadbalancer_id = azurerm_lb.frontend-lb[0].id
+ name = "${var.vmss_name}-app-1"
+}
+
+resource "azurerm_lb" "backend-lb" {
+ count = var.deployment_mode != "External" ?
1 : 0
+ name = "backend-lb"
+ location = module.common.resource_group_location
+ resource_group_name = module.common.resource_group_name
+ sku = var.sku
+ frontend_ip_configuration {
+ name = "backend-lb"
+ subnet_id = module.vnet.vnet_subnets[1]
+ private_ip_address_allocation = module.vnet.allocation_method
+ private_ip_address = cidrhost(module.vnet.subnet_prefixes[1], var.backend_lb_IP_address)
+ }
+}
+
+resource "azurerm_lb_backend_address_pool" "backend-lb-pool" {
+ count = var.deployment_mode != "External" ? 1 : 0
+ name = "backend-lb-pool"
+ loadbalancer_id = azurerm_lb.backend-lb[0].id
+}
+
+resource "azurerm_lb_probe" "azure_lb_healprob" {
+ count = var.deployment_mode == "Standard" ? 2 : 1
+ depends_on = [azurerm_lb.frontend-lb, azurerm_lb.backend-lb]
+ loadbalancer_id = var.deployment_mode == "Standard" ? (count.index == 0 ? azurerm_lb.frontend-lb[0].id : azurerm_lb.backend-lb[0].id) : (var.deployment_mode == "External" ? azurerm_lb.frontend-lb[0].id : azurerm_lb.backend-lb[0].id)
+ name = var.deployment_mode == "Standard" ? (count.index == 0 ? "${var.vmss_name}-app-1" : "backend-lb") : (var.deployment_mode == "External" ? "${var.vmss_name}-app-1" : "backend-lb")
+ protocol = var.lb_probe_protocol
+ port = var.lb_probe_port
+ interval_in_seconds = var.lb_probe_interval
+ number_of_probes = var.lb_probe_unhealthy_threshold
+}
+
+// Standard deployment
+resource "azurerm_lb_rule" "lbnatrule-standard" {
+ count = var.deployment_mode == "Standard" ? 2 : 0
+ depends_on = [azurerm_lb.frontend-lb[0],azurerm_lb_probe.azure_lb_healprob,azurerm_lb.backend-lb[0]]
+ loadbalancer_id = count.index == 0 ? azurerm_lb.frontend-lb[0].id : azurerm_lb.backend-lb[0].id
+ name = count.index == 0 ? "${var.vmss_name}-app-1" : "backend-lb"
+ protocol = count.index == 0 ? "Tcp" : "All"
+ frontend_port = count.index == 0 ? var.frontend_port : "0"
+ backend_port = count.index == 0 ? var.backend_port : "0"
+ backend_address_pool_ids = count.index == 0 ?
[azurerm_lb_backend_address_pool.frontend-lb-pool[0].id] : [azurerm_lb_backend_address_pool.backend-lb-pool[0].id]
+ frontend_ip_configuration_name = count.index == 0 ? azurerm_lb.frontend-lb[0].frontend_ip_configuration[0].name : azurerm_lb.backend-lb[0].frontend_ip_configuration[0].name
+ probe_id = azurerm_lb_probe.azure_lb_healprob[count.index].id
+ load_distribution = count.index == 0 ? var.frontend_load_distribution : var.backend_load_distribution
+ enable_floating_ip = var.enable_floating_ip
+}
+
+// External deployment
+resource "azurerm_lb_rule" "lbnatrule-external" {
+ count = var.deployment_mode == "External" ? 1 : 0
+ depends_on = [azurerm_lb.frontend-lb[0],azurerm_lb_probe.azure_lb_healprob]
+ loadbalancer_id = azurerm_lb.frontend-lb[0].id
+ name = "${var.vmss_name}-app-1"
+ protocol = "Tcp"
+ frontend_port = var.frontend_port
+ backend_port = var.backend_port
+ backend_address_pool_ids = [azurerm_lb_backend_address_pool.frontend-lb-pool[0].id]
+ frontend_ip_configuration_name = azurerm_lb.frontend-lb[0].frontend_ip_configuration[0].name
+ probe_id = azurerm_lb_probe.azure_lb_healprob[0].id
+ load_distribution = var.frontend_load_distribution
+ enable_floating_ip = var.enable_floating_ip
+}
+
+// Internal deployment
+resource "azurerm_lb_rule" "lbnatrule-internal" {
+ count = var.deployment_mode == "Internal" ?
1 : 0
+ depends_on = [azurerm_lb_probe.azure_lb_healprob,azurerm_lb.backend-lb[0]]
+ loadbalancer_id = azurerm_lb.backend-lb[0].id
+ name = "backend-lb"
+ protocol = "All"
+ frontend_port = "0"
+ backend_port = "0"
+ backend_address_pool_ids = [azurerm_lb_backend_address_pool.backend-lb-pool[0].id]
+ frontend_ip_configuration_name = azurerm_lb.backend-lb[0].frontend_ip_configuration[0].name
+ probe_id = azurerm_lb_probe.azure_lb_healprob[0].id
+ load_distribution = var.backend_load_distribution
+ enable_floating_ip = var.enable_floating_ip
+}
+
+//********************** Storage accounts **************************//
+// Generate random text for a unique storage account name
+resource "random_id" "randomId" {
+ keepers = {
+ # Generate a new ID only when a new resource group is defined
+ resource_group = module.common.resource_group_name
+ }
+ byte_length = 8
+}
+resource "azurerm_storage_account" "vm-boot-diagnostics-storage" {
+ name = "diag${random_id.randomId.hex}"
+ resource_group_name = module.common.resource_group_name
+ location = module.common.resource_group_location
+ account_tier = module.common.storage_account_tier
+ account_replication_type = module.common.account_replication_type
+ network_rules {
+ default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow"
+ ip_rules = module.common.storage_account_ip_rules
+ }
+ blob_properties {
+ delete_retention_policy {
+ days = "15"
+ }
+ }
+}
+
+//********************** Virtual Machines **************************//
+locals {
+ SSH_authentication_type_condition = var.authentication_type == "SSH Public Key" ? true : false
+ availability_zones_num_condition = var.availability_zones_num == "0" ? null : var.availability_zones_num == "1" ? ["1"] : var.availability_zones_num == "2" ? ["1", "2"] : ["1", "2", "3"]
+ custom_image_condition = var.source_image_vhd_uri == "noCustomUri" ?
false : true
+ management_interface_name = split("-", var.management_interface)[0]
+ management_ip_address_type = split("-", var.management_interface)[1]
+}
+
+resource "azurerm_image" "custom-image" {
+ count = local.custom_image_condition ? 1 : 0
+ name = "custom-image"
+ location = var.location
+ resource_group_name = module.common.resource_group_name
+
+ os_disk {
+ os_type = "Linux"
+ os_state = "Generalized"
+ blob_uri = var.source_image_vhd_uri
+ }
+}
+
+resource "azurerm_linux_virtual_machine_scale_set" "vmss" {
+ name = var.vmss_name
+ location = module.common.resource_group_location
+ resource_group_name = module.common.resource_group_name
+ sku = module.common.vm_size
+ zones = local.availability_zones_num_condition
+ instances = var.number_of_vm_instances
+ overprovision = false
+
+ dynamic "identity" {
+ for_each = var.enable_custom_metrics ? [1] : []
+ content {
+ type = "SystemAssigned"
+ }
+ }
+
+ dynamic "source_image_reference" {
+ for_each = local.custom_image_condition ? [] : [1]
+ content {
+ publisher = module.common.publisher
+ offer = module.common.vm_os_offer
+ sku = module.common.vm_os_sku
+ version = module.common.vm_os_version
+ }
+ }
+ source_image_id = local.custom_image_condition? azurerm_image.custom-image[0].id : null
+
+ os_disk {
+ disk_size_gb = module.common.disk_size
+ caching = module.common.storage_os_disk_caching
+ storage_account_type = module.common.storage_account_type
+ }
+
+ dynamic "plan" {
+ for_each = local.custom_image_condition ?
[] : [1]
+ content {
+ name = module.common.vm_os_sku
+ publisher = module.common.publisher
+ product = module.common.vm_os_offer
+ }
+ }
+
+ computer_name_prefix = lower(var.vmss_name)
+ admin_username = module.common.admin_username
+ admin_password = module.common.admin_password
+ custom_data = base64encode(templatefile("${path.module}/cloud-init.sh", {
+ installation_type = module.common.installation_type
+ allow_upload_download = module.common.allow_upload_download
+ os_version = module.common.os_version
+ template_name = module.common.template_name
+ template_version = module.common.template_version
+ template_type = "terraform"
+ is_blink = module.common.is_blink
+ bootstrap_script64 = base64encode(var.bootstrap_script)
+ location = module.common.resource_group_location
+ sic_key = var.sic_key
+ vnet = module.vnet.subnet_prefixes[0]
+ enable_custom_metrics = var.enable_custom_metrics ? "yes" : "no"
+ admin_shell = var.admin_shell
+ serial_console_password_hash = var.serial_console_password_hash
+ maintenance_mode_password_hash = var.maintenance_mode_password_hash
+ }))
+
+
+ disable_password_authentication = local.SSH_authentication_type_condition
+
+ dynamic "admin_ssh_key" {
+ for_each = local.SSH_authentication_type_condition ? [
+ 1] : []
+ content {
+ public_key = file("azure_public_key")
+ username = "notused"
+ }
+ }
+
+
+ boot_diagnostics {
+ storage_account_uri = module.common.boot_diagnostics ? join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : ""
+ }
+
+ upgrade_mode = "Manual"
+
+ network_interface {
+ name = "eth0"
+ primary = true
+ enable_ip_forwarding = true
+ enable_accelerated_networking = true
+ network_security_group_id = module.network-security-group[0].network_security_group_id
+ ip_configuration {
+ name = "ipconfig1"
+ subnet_id = module.vnet.vnet_subnets[0]
+ load_balancer_backend_address_pool_ids = var.deployment_mode != "Internal" ?
[azurerm_lb_backend_address_pool.frontend-lb-pool[0].id]: null
+ primary = true
+ public_ip_address {
+ name = "${var.vmss_name}-public-ip"
+ idle_timeout_in_minutes = 15
+ domain_name_label = "${lower(var.vmss_name)}-dns-name"
+ }
+ }
+ }
+
+ network_interface {
+ name = "eth1"
+ primary = false
+ enable_ip_forwarding = true
+ enable_accelerated_networking = true
+ ip_configuration {
+ name = "ipconfig2"
+ subnet_id = module.vnet.vnet_subnets[1]
+ load_balancer_backend_address_pool_ids = var.deployment_mode != "External" ? [azurerm_lb_backend_address_pool.backend-lb-pool[0].id] : null
+ primary = true
+ }
+ }
+
+ tags = var.management_interface == "eth0"?{
+ x-chkp-management = var.management_name,
+ x-chkp-template = var.configuration_template_name,
+ x-chkp-ip-address = local.management_ip_address_type,
+ x-chkp-management-interface = local.management_interface_name,
+ x-chkp-management-address = var.management_IP,
+ x-chkp-topology = "eth0:external,eth1:internal",
+ x-chkp-anti-spoofing = "eth0:false,eth1:false",
+ x-chkp-srcImageUri = var.source_image_vhd_uri
+ }:{
+ x-chkp-management = var.management_name,
+ x-chkp-template = var.configuration_template_name,
+ x-chkp-ip-address = local.management_ip_address_type,
+ x-chkp-management-interface = local.management_interface_name,
+ x-chkp-topology = "eth0:external,eth1:internal",
+ x-chkp-anti-spoofing = "eth0:false,eth1:false",
+ x-chkp-srcImageUri = var.source_image_vhd_uri
+ }
+}
+
+resource "azurerm_monitor_autoscale_setting" "vmss_settings" {
+ depends_on = [azurerm_linux_virtual_machine_scale_set.vmss]
+ name = var.vmss_name
+ resource_group_name = module.common.resource_group_name
+ location = module.common.resource_group_location
+ target_resource_id = azurerm_linux_virtual_machine_scale_set.vmss.id
+
+ profile {
+ name = "Profile1"
+
+ capacity {
+ default = module.common.number_of_vm_instances
+ minimum = var.minimum_number_of_vm_instances
+ maximum = var.maximum_number_of_vm_instances
+ }
+
+ rule {
+
 metric_trigger {
+ metric_name = "Percentage CPU"
+ metric_resource_id = azurerm_linux_virtual_machine_scale_set.vmss.id
+ time_grain = "PT1M"
+ statistic = "Average"
+ time_window = "PT5M"
+ time_aggregation = "Average"
+ operator = "GreaterThan"
+ threshold = 80
+ }
+
+ scale_action {
+ direction = "Increase"
+ type = "ChangeCount"
+ value = "1"
+ cooldown = "PT5M"
+ }
+ }
+
+ rule {
+ metric_trigger {
+ metric_name = "Percentage CPU"
+ metric_resource_id = azurerm_linux_virtual_machine_scale_set.vmss.id
+ time_grain = "PT1M"
+ statistic = "Average"
+ time_window = "PT5M"
+ time_aggregation = "Average"
+ operator = "LessThan"
+ threshold = 60
+ }
+
+ scale_action {
+ direction = "Decrease"
+ type = "ChangeCount"
+ value = "1"
+ cooldown = "PT5M"
+ }
+ }
+ }
+
+ notification {
+ email {
+ send_to_subscription_administrator = false
+ send_to_subscription_co_administrator = false
+ custom_emails = var.notification_email == "" ? [] : [var.notification_email]
+ }
+ }
+}
+
+resource "azurerm_role_assignment" "custom_metrics_role_assignment"{
+ depends_on = [azurerm_linux_virtual_machine_scale_set.vmss]
+ count = var.enable_custom_metrics ? 1 : 0
+ role_definition_id = join("", ["/subscriptions/", var.subscription_id, "/providers/Microsoft.Authorization/roleDefinitions/", "3913510d-42f4-4e42-8a64-420c390055eb"])
+ principal_id = lookup(azurerm_linux_virtual_machine_scale_set.vmss.identity[0], "principal_id")
+ scope = module.common.resource_group_id
+ lifecycle {
+ ignore_changes = [
+ role_definition_id, principal_id
+ ]
+ }
+}
diff --git a/terraform/azure/vmss-new-vnet/terraform.tfvars b/terraform/azure/vmss-new-vnet/terraform.tfvars
new file mode 100755
index 00000000..73266464
--- /dev/null
+++ b/terraform/azure/vmss-new-vnet/terraform.tfvars
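Review bot: The eth0 `network_security_group_id` inside the `vmss` resource indexes `module.network-security-group[0]` unconditionally, while that module is declared with `count = var.nsg_id == "" ? 1 : 0`, so a deployment that supplies its own `nsg_id` fails at plan time on an empty-tuple index; the `vnet` module call near the top already uses the guarded form. Change it to `network_security_group_id = var.nsg_id == "" ? module.network-security-group[0].network_security_group_id : var.nsg_id`. Separately, the default NSG created when `nsg_id` is empty has a single `AllowAllInBound` rule from `*` to `*` and every instance's eth0 also gets a per-instance public IP; if that exposure is intentional because the gateways perform their own inspection, a one-line comment above `security_rules` saying so would spare the next reader the question.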
@@ -0,0 +1,42 @@
+//#PLEASE refer to the README.md for accepted values FOR THE VARIABLES BELOW
+client_secret = "PLEASE ENTER CLIENT SECRET" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+client_id = "PLEASE ENTER CLIENT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+tenant_id = "PLEASE ENTER TENANT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+subscription_id = "PLEASE ENTER SUBSCRIPTION ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+source_image_vhd_uri = "PLEASE ENTER SOURCE IMAGE VHD URI OR noCustomUri" # "noCustomUri"
+resource_group_name = "PLEASE ENTER RESOURCE GROUP NAME" # "checkpoint-vmss-terraform"
+vmss_name = "PLEASE ENTER SCALE SET NAME" # "checkpoint-vmss-terraform"
+location = "PLEASE ENTER LOCATION" # "eastus"
+vnet_name = "PLEASE ENTER VIRTUAL NETWORK NAME" # "checkpoint-vmss-vnet"
+address_space = "PLEASE ENTER VIRTUAL NETWORK ADDRESS SPACE" # "10.0.0.0/16"
+subnet_prefixes = "PLEASE ENTER ADDRESS PREFIXES FOR SUBNETS" # ["10.0.1.0/24","10.0.2.0/24"]
+backend_lb_IP_address = "PLEASE ENTER BACKEND LB IP ADDRESS POSITIONAL NUMBER" # 4
+admin_password = "PLEASE ENTER ADMIN PASSWORD" # "xxxxxxxxxxxx"
+sic_key = "PLEASE ENTER SIC KEY" # "xxxxxxxxxxxx"
+vm_size = "PLEASE ENTER VM SIZE" # "Standard_D3_v2"
+disk_size = "PLEASE ENTER DISK SIZE MUST BE 100 FOR VERSIONS R81.20 AND BELOW" # "100"
+vm_os_sku = "PLEASE ENTER VM SKU" # "sg-byol"
+vm_os_offer = "PLEASE ENTER VM OFFER" # "check-point-cg-r8110"
+os_version = "PLEASE ENTER GAIA OS VERSION" # "R8110"
+bootstrap_script = "PLEASE ENTER CUSTOM SCRIPT OR LEAVE EMPTY DOUBLE QUOTES" # "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
+allow_upload_download = "PLEASE ENTER true or false" # true
+authentication_type = "PLEASE ENTER AUTHENTICATION TYPE" # "Password"
+availability_zones_num = "PLEASE ENTER NUMBER OF AVAILABILITY ZONES" # "1"
+minimum_number_of_vm_instances = "PLEASE ENTER MINIMUM NUMBER OF VM INSTANCES" # 2
+maximum_number_of_vm_instances = "PLEASE ENTER MAXIMUM
NUMBER OF VM INSTANCES" # 10
+management_name = "PLEASE ENTER MANAGEMENT NAME" # "mgmt"
+management_IP = "PLEASE ENTER MANAGEMENT IP" # "13.92.42.181"
+management_interface = "PLEASE ENTER MANAGEMENT INTERFACE" # "eth1-private"
+configuration_template_name = "PLEASE ENTER CONFIGURATION TEMPLATE NAME" # "vmss_template"
+notification_email = "PLEASE ENTER NOTIFICATION MAIL OR LEAVE EMPTY DOUBLE QUOTES" # ""
+frontend_load_distribution = "PLEASE ENTER EXTERNAL LOAD BALANCER SESSION PERSISTENCE" # "Default"
+backend_load_distribution = "PLEASE ENTER INTERNAL LOAD BALANCER SESSION PERSISTENCE" # "Default"
+enable_custom_metrics = "PLEASE ENTER true or false" # true
+enable_floating_ip = "PLEASE ENTER true or false" # false
+deployment_mode = "PLEASE ENTER DEPLOYMENT MODE" # "Standard"
+admin_shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh"
+serial_console_password_hash = "PLEASE ENTER SERIAL CONSOLE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+nsg_id = "PLEASE ENTER NETWORK SECURITY GROUP ID" # ""
+add_storage_account_ip_rules = "PLEASE ENTER true or false" # false
+storage_account_additional_ips = "PLEASE ENTER A LIST OF VALID IPS/CIDRS" # []
\ No newline at end of file
diff --git a/terraform/azure/vmss-new-vnet/variables.tf b/terraform/azure/vmss-new-vnet/variables.tf
new file mode 100755
index 00000000..1760b8a2
--- /dev/null
+++ b/terraform/azure/vmss-new-vnet/variables.tf
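Review bot: `client_secret`, `admin_password`, `sic_key` and the two password hashes are meant to be filled into this tracked tfvars file, so a completed copy is one `git add` away from landing in history. A comment at the top such as `// Secrets can instead be passed as TF_VAR_client_secret / TF_VAR_admin_password / TF_VAR_sic_key environment variables or in an untracked *.auto.tfvars` would point users to the safer path without changing how the file works.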
@@ -0,0 +1,393 @@
+//********************** Basic Configuration Variables **************************//
+variable "vmss_name"{
+ description = "vmss name"
+ type = string
+}
+
+variable "resource_group_name" {
+ description = "Azure Resource Group name to build into"
+ type = string
+}
+
+variable "location" {
+ description = "The location/region where resources will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions"
+ type = string
+}
+
+//********************** Virtual Machine Instances Variables **************************//
+variable "source_image_vhd_uri" {
+ type = string
+ description = "The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images."
+ default = "noCustomUri"
+}
+
+variable "admin_username" {
+ description = "Administrator username of deployed VM. Due to Azure limitations 'notused' name can be used"
+ default = "notused"
+}
+
+variable "admin_password" {
+ description = "Administrator password of deployed Virtual Machine. The password must meet the complexity requirements of Azure"
+ type = string
+}
+
+variable "serial_console_password_hash" {
+ description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type"
+ type = string
+}
+
+variable "maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash, relevant only for R81.20 and higher versions"
+ type = string
+}
+
+variable "availability_zones_num" {
+ description = "The number of availability zones to use for Scale Set.
Note that the load balancers and their IP addresses will be redundant in any case"
+ #Availability Zones are only supported in several regions at this time
+ #"centralus", "eastus2", "francecentral", "northeurope", "southeastasia", "westeurope", "westus2", "eastus", "uksouth"
+ #type = list(string)
+}
+
+locals { // locals for 'availability_zones_num' allowed values
+ availability_zones_num_allowed_values = [
+ "0",
+ "1",
+ "2",
+ "3"
+ ]
+ // will fail if [var.availability_zones_num] is invalid:
+ validate_availability_zones_num_value = index(local.availability_zones_num_allowed_values, var.availability_zones_num)
+}
+
+variable "sic_key" {
+ description = "Secure Internal Communication(SIC) key"
+ type = string
+}
+resource "null_resource" "sic_key_invalid" {
+ count = length(var.sic_key) >= 12 ? 0 : "SIC key must be at least 12 characters long"
+}
+
+variable "template_name"{
+ description = "Template name. Should be defined according to deployment type(ha, vmss)"
+ type = string
+ default = "vmss-terraform"
+}
+
+variable "template_version"{
+ description = "Template version.
It is recommended to always use the latest template version"
+ type = string
+ default = "20230910"
+}
+
+variable "installation_type"{
+ description = "Installation type"
+ type = string
+ default = "vmss"
+}
+
+variable "number_of_vm_instances"{
+ description = "Default number of VM instances to deploy"
+ type = string
+ default = "2"
+}
+
+variable "minimum_number_of_vm_instances" {
+ description = "Minimum number of VM instances to deploy"
+ type = string
+}
+
+variable "maximum_number_of_vm_instances" {
+ description = "Maximum number of VM instances to deploy"
+ type = string
+}
+
+variable "vm_size" {
+ description = "Specifies size of Virtual Machine"
+ type = string
+}
+
+
+variable "os_version" {
+ description = "GAIA OS version"
+ type = string
+}
+
+locals { // locals for 'vm_os_offer' allowed values
+ os_version_allowed_values = [
+ "R8040",
+ "R81",
+ "R8110",
+ "R8120",
+ ]
+ // will fail if [var.os_version] is invalid:
+ validate_os_version_value = index(local.os_version_allowed_values, var.os_version)
+}
+variable "disk_size" {
+ description = "Storage data disk size size(GB). Select a number between 100 and 3995, if you are using R81.20 or below, the disk size must be 100"
+ type = string
+ default = 100
+}
+resource "null_resource" "disk_size_validation" {
+ // Will fail if var.disk_size is not 100 and the version is R81.20 or below
+ count = tonumber(var.disk_size) != 100 && contains(["R8040", "R81", "R8110", "R8120"], var.os_version) ? "variable disk_size can not be changed for R81.20 and below" : 0
+}
+variable "vm_os_sku" {
+ description = "The sku of the image to be deployed."
+ type = string
+}
+
+variable "authentication_type" {
+ description = "Specifies whether a password authentication or SSH Public Key authentication should be used"
+ type = string
+}
+locals { // locals for 'authentication_type' allowed values
+ authentication_type_allowed_values = [
+ "Password",
+ "SSH Public Key"
+ ]
+ // will fail if [var.authentication_type] is invalid:
+ validate_authentication_type_value = index(local.authentication_type_allowed_values, var.authentication_type)
+}
+
+variable "allow_upload_download" {
+ description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point"
+ type = bool
+}
+
+variable "is_blink" {
+ description = "Define if blink image is used for deployment"
+ default = true
+}
+
+variable "management_name" {
+ description = "The name of the management server as it appears in the configuration file"
+ type = string
+}
+
+variable "management_IP" {
+ description = "The IP address used to manage the VMSS instances"
+ type = string
+}
+
+variable "management_interface" {
+ description = "Manage the Gateways in the Scale Set via the instance's external (eth0) or internal (eth1) NIC's private IP address"
+ type = string
+ default = "eth1-private"
+}
+locals { // locals for 'management_interface' allowed values
+ management_interface_allowed_values = [
+ "eth0-public",
+ "eth0-private",
+ "eth1-private"
+ ]
+ // will fail if [var.management_interface] is invalid:
+ validate_management_interface_value = index(local.management_interface_allowed_values, var.management_interface)
+}
+
+variable "configuration_template_name" {
+ description = "The configuration template name as it appears in the configuration file"
+ type = string
+}
+
+variable "admin_shell" {
+ description = "The admin shell to configure on machine or the first time"
+ type = string
+ default = "/etc/cli.sh"
+}
+
+locals {
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+
"/bin/csh",
+ "/bin/tcsh"
+ ]
+ // Will fail if [var.admin_shell] is invalid
+ validate_admin_shell_value = index(local.admin_shell_allowed_values, var.admin_shell)
+}
+
+//********************** Networking Variables **************************//
+variable "vnet_name" {
+ description = "Virtual Network name"
+ type = string
+}
+
+variable "address_space" {
+ description = "The address space that is used by a Virtual Network."
+ type = string
+ default = "10.0.0.0/16"
+}
+
+variable "subnet_prefixes" {
+ description = "Address prefix to be used for network subnets"
+ type = list(string)
+ default = ["10.0.0.0/24","10.0.1.0/24"]
+}
+
+variable "nsg_id" {
+ description = "NSG ID - Optional - if empty use default NSG"
+ default = ""
+}
+
+variable "add_storage_account_ip_rules" {
+ type = bool
+ default = false
+ description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location"
+}
+
+variable "storage_account_additional_ips" {
+ type = list(string)
+ description = "IPs/CIDRs that are allowed access to the Storage Account"
+ default = []
+}
+//********************* Load Balancers Variables **********************//
+variable "deployment_mode" {
+ description = "The type of the deployment, can be 'Standard' for both load balancers or 'External' for external load balancer or 'Internal for internal load balancer"
+ type = string
+ default = "Standard"
+}
+
+locals { // locals for 'deployment_mode' allowed values
+ deployment_mode_allowd_values = [
+ "Standard",
+ "External",
+ "Internal"
+ ]
+ // will fail if [var.deployment_mode] is invalid:
+ validate_deployment_mode_value = index(local.deployment_mode_allowd_values, var.deployment_mode)
+}
+
+variable "backend_lb_IP_address" {
+ description = "The IP address is defined by its position in the subnet"
+ type = number
+}
+
+variable "lb_probe_port" {
+ description = "Port to be used for load balancer health probes and rules"
+ default = "8117"
+}
+
+variable
"lb_probe_protocol" {
+ description = "Protocols to be used for load balancer health probes and rules"
+ default = "Tcp"
+}
+
+variable "lb_probe_unhealthy_threshold" {
+ description = "Number of times load balancer health probe has an unsuccessful attempt before considering the endpoint unhealthy."
+ default = 2
+}
+
+variable "lb_probe_interval" {
+ description = "Interval in seconds load balancer health probe rule performs a check"
+ default = 5
+}
+
+variable "frontend_port" {
+ description = "Port that will be exposed to the external Load Balancer"
+ type = string
+ default = "80"
+}
+
+variable "backend_port" {
+ description = "Port that will be exposed to the external Load Balance"
+ type = string
+ default = "8081"
+}
+
+variable "frontend_load_distribution" {
+ description = "Specifies the load balancing distribution type to be used by the frontend load balancer"
+ type = string
+}
+
+locals { // locals for 'frontend_load_distribution' allowed values
+ frontend_load_distribution_allowed_values = [
+ "Default",
+ "SourceIP",
+ "SourceIPProtocol"
+ ]
+ // will fail if [var.frontend_load_distribution] is invalid:
+ validate_frontend_load_distribution_value = index(local.frontend_load_distribution_allowed_values, var.frontend_load_distribution)
+}
+
+variable "backend_load_distribution" {
+ description = "Specifies the load balancing distribution type to be used by the backend load balancer"
+ type = string
+}
+
+locals { // locals for 'frontend_load_distribution' allowed values
+ backend_load_distribution_allowed_values = [
+ "Default",
+ "SourceIP",
+ "SourceIPProtocol"
+ ]
+ // will fail if [var.backend_load_distribution] is invalid:
+ validate_backend_load_distribution_value = index(local.backend_load_distribution_allowed_values, var.backend_load_distribution)
+}
+
+//********************** Scale Set variables *******************//
+
+variable "vm_os_offer" {
+ description = "The name of the offer of the image that you want to deploy.Choose from:
check-point-cg-r8040, check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120"
+ type = string
+}
+
+locals { // locals for 'vm_os_offer' allowed values
+ vm_os_offer_allowed_values = [
+ "check-point-cg-r8040",
+ "check-point-cg-r81",
+ "check-point-cg-r8110",
+ "check-point-cg-r8120",
+ ]
+ // will fail if [var.vm_os_offer] is invalid:
+ validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer)
+}
+
+variable "bootstrap_script"{
+ description = "An optional script to run on the initial boot"
+ #example:
+ #"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
+}
+
+variable "notification_email" {
+ description = "Specifies a list of custom email addresses to which the email notifications will be sent"
+ type = string
+}
+
+//********************** Credentials **************************//
+variable "tenant_id" {
+ description = "Tenant ID"
+ type = string
+}
+
+variable "subscription_id" {
+ description = "Subscription ID"
+ type = string
+}
+
+variable "client_id" {
+ description = "Application ID(Client ID)"
+ type = string
+}
+
+variable "client_secret" {
+ description = "A secret string that the application uses to prove its identity when requesting a token. Also can be referred to as application password."
+ type = string
+}
+
+variable "sku" {
+ description = "SKU"
+ type = string
+ default = "Standard"
+}
+
+variable "enable_custom_metrics" {
+ description = "Enable CloudGuard metrics in order to send statuses and statistics collected from VMSS instances to the Azure Monitor service."
+ type = bool
+ default = true
+}
+
+variable "enable_floating_ip" {
+ description = "Indicates whether the load balancers will be deployed with floating IP."
+ type = bool
+ default = false
+}
diff --git a/terraform/azure/vmss-new-vnet/versions.tf b/terraform/azure/vmss-new-vnet/versions.tf
new file mode 100644
index 00000000..df4caa26
--- /dev/null
+++ b/terraform/azure/vmss-new-vnet/versions.tf
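Review bot: `client_secret`, `admin_password`, `sic_key`, `serial_console_password_hash` and `maintenance_mode_password_hash` are declared without `sensitive = true`, so their values can surface in `terraform plan`/`apply` output and in the `custom_data` diff of the scale set; versions.tf pins Terraform `>= 0.14.3`, where the attribute is available, so add `sensitive = true` to each of those five blocks. The allowed-value checks done through `index()` in `locals` and the `null_resource` count tricks could likewise become native `validation { condition = contains([...], var.x) error_message = "..." }` blocks, which report a readable message instead of an index failure. Two `locals` header comments are copy-pasted from neighbours (`// locals for 'vm_os_offer' allowed values` above `os_version_allowed_values`, and `'frontend_load_distribution'` above `backend_load_distribution_allowed_values`), `deployment_mode_allowd_values` is misspelled, and the `backend_port` description says "external Load Balance" where "internal Load Balancer" is presumably meant.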
@@ -0,0 +1,14 @@
+terraform {
+ required_version = ">= 0.14.3"
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~> 3.81.0"
+ }
+ random = {
+ version = "~> 3.5.1"
+ }
+ }
+}
+
+
diff --git a/terraform/gcp/README.md b/terraform/gcp/README.md
new file mode 100755
index 00000000..121394b0
--- /dev/null
+++ b/terraform/gcp/README.md
@@ -0,0 +1,12 @@
+# Check Point Terraform deployment modules for Google Cloud Platform
+
+This project was developed to allow Terraform deployments for Check Point CloudGuard IaaS solutions on GCP.
+
+
+These modules use Terraform's [Google Cloud Platform provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs) in order to create and provision resources on GCP.
+
+
+ ## Prerequisites
+
+1. [Download Terraform](https://www.terraform.io/downloads.html) and follow the instructions according to your OS.
+2. Get started with Terraform GCP provider - refer to [Terraform GCP provider best practices](https://registry.terraform.io/providers/hashicorp/google/latest/docs).
\ No newline at end of file
diff --git a/terraform/gcp/autoscale-into-existing-vpc/README.md b/terraform/gcp/autoscale-into-existing-vpc/README.md
new file mode 100755
index 00000000..1c11c3d3
--- /dev/null
+++ b/terraform/gcp/autoscale-into-existing-vpc/README.md
@@ -0,0 +1,233 @@ +# Check Point Autoscale into VPC (MIG) Terraform module for GCP + +Terraform module which deploys an Auto Scaling Group of Check Point Security Gateways into an existing VPC on GCP. + +These types of Terraform resources are supported: +* [Instance Template](https://www.terraform.io/docs/providers/google/r/compute_instance_template.html) +* [Firewall](https://www.terraform.io/docs/providers/google/r/compute_firewall.html) - conditional creation +* [Instance Group Manager](https://www.terraform.io/docs/providers/google/r/compute_region_instance_group_manager.html) +* [Autoscaler](https://www.terraform.io/docs/providers/google/r/compute_region_autoscaler.html) + + +For additional information, +please see the [CloudGuard Network for GCP Autoscaling MIG Deployment Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_GCP_Autoscaling_MIG/Default.htm) + +Terraform is controlled via a very easy to use command-line interface (CLI). Terraform is only a single command-line application: **terraform**. + +## Before you begin +1. Create a project in the [Google Cloud Console](https://console.cloud.google.com/) and set up billing on that project. +2. [Install Terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli) and read the Terraform getting started guide that follows. This guide will assume basic proficiency with Terraform - it is an introduction to the Google provider. + +## Configuring the Provider +The **main.tf** file includes the following provider configuration block used to configure the credentials you use to authenticate with GCP, as well as a default project and location for your resources: +``` +provider "google" { + credentials = file(var.service_account_path) + project = var.project + region = var.region +} +... +``` + +1. [Create a Service Account](https://cloud.google.com/docs/authentication/getting-started) (or use the existing one). Next, download the JSON key file. 
Name it something you can remember and store it somewhere secure on your machine.
+2. Select "Editor" Role or verify you have the following permissions: + ``` + compute.autoscalers.create + compute.autoscalers.delete + compute.autoscalers.get + compute.disks.create + compute.disks.delete + compute.firewalls.create + compute.firewalls.delete + compute.firewalls.get + compute.images.get + compute.images.useReadOnly + compute.instanceGroupManagers.create + compute.instanceGroupManagers.delete + compute.instanceGroupManagers.get + compute.instanceGroupManagers.use + compute.instanceTemplates.create + compute.instanceTemplates.delete + compute.instanceTemplates.get + compute.instanceTemplates.useReadOnly + compute.instances.create + compute.instances.delete + compute.instances.setMetadata + compute.instances.setTags + compute.networks.get + compute.networks.updatePolicy + compute.regions.list + compute.subnetworks.get + compute.subnetworks.use + compute.subnetworks.useExternalIp + iam.serviceAccountKeys.get + iam.serviceAccountKeys.list + iam.serviceAccounts.actAs + iam.serviceAccounts.get + iam.serviceAccounts.list + ``` +3. ```credentials``` - Your service account key file is used to complete a two-legged OAuth 2.0 flow to obtain access tokens to authenticate with the GCP API as needed; Terraform will use it to reauthenticate automatically when tokens expire.
+The provider credentials can be provided either as static credentials or as [Environment Variables](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#credentials-1). + - Static credentials can be provided by adding the path to your service-account json file, project-id and region in /gcp/modules/autoscale-into-new-vpc/**terraform.tfvars** file as follows: + ``` + service_account_path = "service-accounts/service-account-file-name.json" + project = "project-id" + region = "us-central1" + ``` + - In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in the main.tf file, in the provider google resource, need to be deleted or commented: + ``` + provider "google" { + // credentials = file(var.service_account_path) + // project = var.project + + region = var.region + } + ``` + b.In the terraform.tfvars file leave empty double quotes for credentials and project variables: + ``` + service_account_path = "" + project = "" + ``` +## Usage +- Fill all variables in the /gcp/autoscale-into-existing-vpc/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +#### Variables are configured in autoscale-into-existing-vpc/**terraform.tfvars** file as follows: +``` +# --- Google Provider --- +service_account_path = "service-accounts/service-account-file-name.json" +project = "project-id" + +# --- Check Point--- +prefix = "chkp-tf-mig" +license = "BYOL" +image_name = "check-point-r8110-gw-byol-mig-335-985-v20220126" +management_nic = "Ephemeral Public IP (eth0)" +management_name = "tf-checkpoint-management" +configuration_template_name = "tf-asg-autoprov-tmplt" +admin_SSH_key = "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" +network_defined_by_routes = true +admin_shell = "/etc/cli.sh" +allow_upload_download = true + +# --- Networking --- +region = "us-central1" +external_network_name = "default" +external_subnetwork_name = "default" +internal_network_name = "tf-vpc-network" +internal_subnetwork_name = "tf-vpc-subnetwork" +ICMP_traffic = ["123.123.0.0/24", "234.234.0.0/24"] +TCP_traffic = ["0.0.0.0/0"] +UDP_traffic = [] +SCTP_traffic = [] +ESP_traffic = [] + +# --- Instance Configuration --- +machine_type = "n1-standard-4" +cpu_usage = 60 +instances_min_grop_size = 2 +instances_max_grop_size = 10 +disk_type = "SSD Persistent Disk" +disk_size = 
100 +enable_monitoring = false +``` + +- To tear down your resources: + ``` + terraform destroy + ``` + +## Conditional creation +To create Firewall and allow traffic for ICMP, TCP, UDP, SCTP or/and ESP - enter list of Source IP ranges. +``` +ICMP_traffic = ["123.123.0.0/24", "234.234.0.0/24"] +TCP_traffic = ["0.0.0.0/0"] +UDP_traffic = [] +SCTP_traffic = [] +ESP_traffic = [] +``` +Please leave empty list for a protocol if you want to disable traffic for it. + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | +| ------------- | ------------- | ------------- | ------------- | ------------- | ------------- | +| service_account_path | User service account path in JSON format - From the service account key page in the Cloud Console choose an existing account or create a new one. Next, download the JSON key file. Name it something you can remember, store it somewhere secure on your machine, and supply the path to the location is stored. (e.g. "service-accounts/service-account-name.json") | string | N/A | "" | yes | +| project | Personal project id. The project indicates the default GCP project all of your resources will be created in. | string | N/A | "" | yes | +| | | | | | +| prefix | (Optional) Resources name prefix. | string | N/A | "chkp-tf-mig" | no | +| license | Checkpoint license (BYOL or PAYG). | string | - BYOL
- PAYG
| "BYOL" | no | +| image_name | The autoscaling (MIG) image name (e.g. check-point-r8110-gw-byol-mig-335-985-v20220126). You can choose the desired mig image value from [Github](https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/autoscale-byol/images.py). | string | N/A | N/A | yes | +| management_nic | Management Interface - Autoscaling Security Gateways in GCP can be managed by an ephemeral public IP or using the private IP of the internal interface (eth1). | string | Ephemeral Public IP (eth0)
- Private IP (eth1) | "Ephemeral Public IP (eth0)" | no | +| management_name | The name of the Security Management Server as appears in autoprovisioning configuration. (Please enter a valid Security Management name including lowercase letters, digits and hyphens only). | string | N/A | "checkpoint-management" | no | +| configuration_template_name | Specify the provisioning configuration template name (for autoprovisioning). (Please enter a valid autoprovisioing configuration template name including lowercase letters, digits and hyphens only). | string | N/A | "gcp-asg-autoprov-tmplt" | no | +| admin_SSH_key | Public SSH key for the user 'admin' - The SSH public key for SSH authentication to the MIG instances. Leave this field blank to use all project-wide pre-configured SSH keys. | string | A valid public ssh key | "" | no | +| network_defined_by_routes | Set eth1 topology to define the networks behind this interface by the routes configured on the gateway. | bool | true/false | true | no | +| admin_shell | Change the admin shell to enable advanced command line configuration. | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | "/etc/cli.sh" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| | | | | | +| region | GCP region | string | N/A | N/A | yes | +| external_network_name | The network determines what network traffic the instance can access. | string | N/A | N/A | yes | +| external_subnetwork_name | Assigns the instance an IPv4 address from the subnetwork’s range. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. | string | N/A | N/A | yes | +| internal_network_name | The network determines what network traffic the instance can access. | string | N/A | N/A | yes | +| internal_subnetwork_name | Assigns the instance an IPv4 address from the subnetwork’s range. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. | string | N/A | N/A | yes | +| ICMP_traffic | (Optional) Source IP ranges for ICMP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable ICMP traffic. | list(string) | N/A | [] | no | +| TCP_traffic | (Optional) Source IP ranges for TCP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable TCP traffic. | list(string) | N/A | [] | no | +| UDP_traffic | (Optional) Source IP ranges for UDP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable UDP traffic. | list(string) | N/A | [] | no | +| SCTP_traffic | (Optional) Source IP ranges for SCTP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. 
Please leave empty list to unable SCTP traffic. | list(string) | N/A | [] | no | +| ESP_traffic | (Optional) Source IP ranges for ESP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable ESP traffic. | list(string) | N/A | [] | no | +| | | | | | +| machine_type | Machine Type. | string | N/A | "n1-standard-4" | no | +| cpu_usage | Target CPU usage (%) - Autoscaling adds or removes instances in the group to maintain this level of CPU usage on each instance. | number | number between 10 and 90 | 60 | no | +| instances_min_grop_size | The minimal number of instances | number | N/A | 2 | no | +| instances_max_grop_size | The maximal number of instances | number | N/A | 10 | no | +| disk_type | Storage space is much less expensive for a standard Persistent Disk. An SSD Persistent Disk is better for random IOPS or streaming throughput with low latency. | string | - SSD Persistent Disk
- Balanced Persistent Disk
- Standard Persistent Disk | "SSD Persistent Disk" | no | +| disk_size | Disk size in GB - Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space. | number | number between 100 and 4096 | 100 | no | +| enable_monitoring | Enable Stackdriver monitoring | bool | true/false | false | no | + + +## Outputs +| Name | Description | +| ------------- | ------------- | +| SIC_key | Secure Internal Communication (SIC) initiation key. | +| management_name | Security Management server name. | +| configuration_template_name | Provisioning configuration template name. | +| instance_template_name | Instance template name. | +| instance_group_manager_name | Instance group manager name. | +| autoscaler_name | Autoscaler name. | +| ICMP_firewall_rules_name | If enable - the ICMP firewall rules name, otherwise, an empty list. | +| TCP_firewall_rules_name | If enable - the TCP firewall rules name, otherwise, an empty list. | +| UDP_firewall_rules_name | If enable - the UDP firewall rules name, otherwise, an empty list. | +| SCTP_firewall_rules_name | If enable - the SCTP firewall rules name, otherwise, an empty list. | +| ESP_firewall_rules_name | If enable - the ESP firewall rules name, otherwise, an empty list. | + + +## Revision History +In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +| ---------------- | ------------- | +| 20230109 | Updated startup script to use cloud-config. | +| | | | +| 20201208 | First release of Check Point CloudGuard IaaS Auto Scaling Group of Check Point Security Gateways Terraform solution into an existing VPC on GCP. | +| | | | +| | Addition of "template_type" parameter to "cloud-version" files. 
| +| | | | + +## Authors + + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../../LICENSE) file for details \ No newline at end of file diff --git a/terraform/gcp/autoscale-into-existing-vpc/locals.tf b/terraform/gcp/autoscale-into-existing-vpc/locals.tf new file mode 100755 index 00000000..058d0689 --- /dev/null +++ b/terraform/gcp/autoscale-into-existing-vpc/locals.tf 
@@ -0,0 +1,63 @@
+locals {
+ license_allowed_values = [
+ "BYOL",
+ "PAYG"]
+ // will fail if [var.license] is invalid:
+ validate_license = index(local.license_allowed_values, upper(var.license))
+
+ regex_validate_image_name = "check-point-r8[0-1][1-4]0-gw-(byol|payg)-mig-[0-9]{3}-([0-9]{3,}|[a-z]+)-v[0-9]{8,}"
+ // will fail if the image name is not in the right syntax
+ validate_image_name = length(regexall(local.regex_validate_image_name, var.image_name)) > 0 ? 0 : index(split("-", var.image_name), "INVALID IMAGE NAME")
+
+ management_nic_allowed_values = [
+ "Ephemeral Public IP (eth0)",
+ "Private IP (eth1)"]
+ // will fail if [var.management_nic] is invalid:
+ validate_management_nic = index(local.management_nic_allowed_values, var.management_nic)
+
+ regex_valid_management_name = "^([ -~]+)$"
+ // Will fail if var.management_name is invalid
+ regex_management_name = regex(local.regex_valid_management_name, var.management_name) == var.management_name ? 0 : "Variable [management_name] must be a valid Security Management name including ascii characters only"
+
+ regex_valid_configuration_template_name = "^([ -~]+)$"
+ // Will fail if var.configuration_template_name is invalid
+ regex_configuration_template_name = regex(local.regex_valid_configuration_template_name, var.configuration_template_name) == var.configuration_template_name ? 0 : "Variable [configuration_template_name] must be a valid autoprovisioing configuration template name including ascii characters only"
+
+ regex_valid_admin_SSH_key = "^(^$|ssh-rsa AAAA[0-9A-Za-z+/]+[=]{0,3})"
+ // Will fail if var.admin_SSH_key is invalid
+ regex_admin_SSH_key = regex(local.regex_valid_admin_SSH_key, var.admin_SSH_key) == var.admin_SSH_key ? 
0 : "Please enter a valid SSH public key or leave empty"
+
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"]
+ // Will fail if var.admin_shell is invalid
+ validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell)
+
+ regions_allowed_values = data.google_compute_regions.available_regions.names
+ // Will fail if var.region is invalid
+ validate_region = index(local.regions_allowed_values, var.region)
+
+ disk_type_allowed_values = [
+ "SSD Persistent Disk",
+ "Balanced Persistent Disk",
+ "Standard Persistent Disk"]
+ // Will fail if var.disk_type is invalid
+ validate_disk_type = index(local.disk_type_allowed_values, var.disk_type)
+
+
+
+ disk_type_condition = var.disk_type == "SSD Persistent Disk" ? "pd-ssd" : var.disk_type == "Balanced Persistent Disk" ? "pd-balanced" : var.disk_type == "Standard Persistent Disk" ? "pd-standard" : ""
+ mgmt_nic_condition = var.management_nic == "Ephemeral Public IP (eth0)" ? true : false
+ mgmt_nic_ip_address_condition = local.mgmt_nic_condition ? "x-chkp-ip-address--public" : "x-chkp-ip-address--private"
+ mgmt_nic_interface_condition = local.mgmt_nic_condition ? "x-chkp-management-interface--eth0" : "x-chkp-management-interface--eth1"
+ network_defined_by_routes_condition = var.network_defined_by_routes ? "x-chkp-topology-eth1--internal" : ""
+ network_defined_by_routes_settings_condition = var.network_defined_by_routes ? "x-chkp-topology-settings-eth1--network-defined-by-routes" : ""
+ admin_SSH_key_condition = var.admin_SSH_key != "" ? true : false
+ ICMP_traffic_condition = length(var.ICMP_traffic) == 0 ? 0 : 1
+ TCP_traffic_condition = length(var.TCP_traffic) == 0 ? 0 : 1
+ UDP_traffic_condition = length(var.UDP_traffic) == 0 ? 0 : 1
+ SCTP_traffic_condition = length(var.SCTP_traffic) == 0 ? 0 : 1
+ ESP_traffic_condition = length(var.ESP_traffic) == 0 ? 0 : 1
+}
\ No newline at end of file
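Review bot: `regex_valid_management_name = "^([ -~]+)$"` (and the identical `regex_valid_configuration_template_name` pattern) accepts any printable ASCII, including spaces, quotes and shell metacharacters, even though this module's README describes the value as lowercase letters, digits and hyphens only, and main.tf (outside this hunk) interpolates both values into GCP network tags via `format("x-chkp-management--%s", ...)`, which GCP accepts only when the tag matches `[a-z]([-a-z0-9]*[a-z0-9])?`. A value such as `My Mgmt` therefore passes validation here and is rejected only at apply time. Tightening both patterns to `"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$"` catches it at plan time and guarantees a well-formed tag. Separately, `regex_valid_admin_SSH_key` matches only `ssh-rsa` keys, so ecdsa and ed25519 public keys are rejected; if that is not intended, the other key types should be listed as alternatives in the pattern.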
diff --git a/terraform/gcp/autoscale-into-existing-vpc/main.tf b/terraform/gcp/autoscale-into-existing-vpc/main.tf
new file mode 100755
index 00000000..24548144
--- /dev/null
+++ b/terraform/gcp/autoscale-into-existing-vpc/main.tf
@@ -0,0 +1,197 @@ +provider "google" { + credentials = file(var.service_account_path) + project = var.project + region = var.region +} + +resource "random_string" "random_string" { + length = 5 + special = false + upper = false + keepers = {} +} +data "google_compute_network" "external_network" { + name = var.external_network_name +} +data "google_compute_network" "internal_network" { + name = var.internal_network_name +} +resource "random_string" "random_sic_key" { + length = 12 + special = false +} + +resource "google_compute_instance_template" "instance_template" { + name = "${var.prefix}-tmplt-${random_string.random_string.result}" + machine_type = var.machine_type + can_ip_forward = true + + + disk { + source_image = "checkpoint-public/${var.image_name}" + auto_delete = true + boot = true + device_name = "${var.prefix}-boot-${random_string.random_string.result}" + disk_type = local.disk_type_condition + disk_size_gb = var.disk_size + mode = "READ_WRITE" + type = "PERSISTENT" + } + + network_interface { + network = data.google_compute_network.external_network.self_link + subnetwork = var.external_subnetwork_name + dynamic "access_config" { + for_each = local.mgmt_nic_condition ? [ + 1] : [] + content { + network_tier = local.mgmt_nic_condition ? 
"PREMIUM" : "STANDARD" + } + } + } + + network_interface { + network = data.google_compute_network.internal_network.self_link + subnetwork = var.internal_subnetwork_name + } + + scheduling { + automatic_restart = true + on_host_maintenance = "MIGRATE" + preemptible = false + } + + service_account { + email = "default" + scopes = [ + "https://www.googleapis.com/auth/devstorage.read_only", + "https://www.googleapis.com/auth/logging.write", + "https://www.googleapis.com/auth/monitoring.write", + "https://www.googleapis.com/auth/pubsub", + "https://www.googleapis.com/auth/service.management.readonly", + "https://www.googleapis.com/auth/servicecontrol", + "https://www.googleapis.com/auth/trace.append"] + } + tags = [ + format("x-chkp-management--%s", var.management_name), + format("x-chkp-template--%s", var.configuration_template_name), + "checkpoint-gateway", + local.mgmt_nic_ip_address_condition, + local.mgmt_nic_interface_condition, + local.network_defined_by_routes_condition, + local.network_defined_by_routes_settings_condition] + + metadata_startup_script = templatefile("${path.module}/../common/startup-script.sh", { + // script's arguments + generatePassword = "false" + config_url = "" + config_path = "" + sicKey = "" + allowUploadDownload = var.allow_upload_download + templateName = "autoscale_tf" + templateVersion = "20230109" + templateType = "terraform" + mgmtNIC = var.management_nic + hasInternet = "false" + enableMonitoring = var.enable_monitoring + shell = var.admin_shell + installationType = "AutoScale" + computed_sic_key = random_string.random_sic_key.result + managementGUIClientNetwork = "" + primary_cluster_address_name = "" + secondary_cluster_address_name = "" + managementNetwork = "" + numAdditionalNICs = "" + smart_1_cloud_token = "" + name = "" + zoneConfig = "" + region = "" + }) + + metadata = local.admin_SSH_key_condition ? 
{ + serial-port-enable = "true" + instanceSSHKey = var.admin_SSH_key + } : { + serial-port-enable = "true" + } +} + +resource "google_compute_firewall" "ICMP_firewall_rules" { + count = local.ICMP_traffic_condition + name = "${var.prefix}-icmp-${random_string.random_string.result}" + network = data.google_compute_network.external_network.self_link + allow { + protocol = "icmp" + } + source_ranges = var.ICMP_traffic + target_tags = [ + "checkpoint-gateway"] +} +resource "google_compute_firewall" "TCP_firewall_rules" { + count = local.TCP_traffic_condition + name = "${var.prefix}-tcp-${random_string.random_string.result}" + network = data.google_compute_network.external_network.self_link + allow { + protocol = "tcp" + } + source_ranges = var.TCP_traffic + target_tags = [ + "checkpoint-gateway"] +} +resource "google_compute_firewall" "UDP_firewall_rules" { + count = local.UDP_traffic_condition + name = "${var.prefix}-udp-${random_string.random_string.result}" + network = data.google_compute_network.external_network.self_link + allow { + protocol = "udp" + } + source_ranges = var.UDP_traffic + target_tags = [ + "checkpoint-gateway"] +} +resource "google_compute_firewall" "SCTP_firewall_rules" { + count = local.SCTP_traffic_condition + name = "${var.prefix}-sctp-${random_string.random_string.result}" + network = data.google_compute_network.external_network.self_link + allow { + protocol = "sctp" + } + source_ranges = var.SCTP_traffic + target_tags = [ + "checkpoint-gateway"] +} +resource "google_compute_firewall" "ESP_firewall_rules" { + count = local.ESP_traffic_condition + name = "${var.prefix}-esp-${random_string.random_string.result}" + network = data.google_compute_network.external_network.self_link + allow { + protocol = "esp" + } + source_ranges = var.ESP_traffic + target_tags = [ + "checkpoint-gateway"] +} +resource "google_compute_region_instance_group_manager" "instance_group_manager" { + region = var.region + name = 
"${var.prefix}-igm-${random_string.random_string.result}" + version { + instance_template = google_compute_instance_template.instance_template.id + name = "${var.prefix}-tmplt" + } + base_instance_name = "${var.prefix}-${random_string.random_string.result}" +} +resource "google_compute_region_autoscaler" "autoscaler" { + region = var.region + name = "${var.prefix}-autoscaler-${random_string.random_string.result}" + target = google_compute_region_instance_group_manager.instance_group_manager.id + + autoscaling_policy { + max_replicas = var.instances_max_grop_size + min_replicas = var.instances_min_grop_size + cooldown_period = 90 + + cpu_utilization { + target = var.cpu_usage/100 + } + } +} diff --git a/terraform/gcp/autoscale-into-existing-vpc/output.tf b/terraform/gcp/autoscale-into-existing-vpc/output.tf new file mode 100755 index 00000000..62b1f028 --- /dev/null +++ b/terraform/gcp/autoscale-into-existing-vpc/output.tf 
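Review bot: `service_account { email = "default" ... }` in google_compute_instance_template.instance_template binds every gateway to the project's default Compute Engine service account, which in most projects still carries the Editor role, so a compromised gateway inherits broad project-wide permissions; the template should take a dedicated service-account email as a variable and only fall back to the default when it is unset, e.g. `email = var.service_account_email != "" ? var.service_account_email : "default"` with a matching variable in variables.tf. In the same resource `serial-port-enable = "true"` is set in both branches of the `metadata` conditional, so interactive serial-console access is always enabled on the gateways; this is better exposed as an opt-in variable than a fixed value. The SIC key is generated with `resource "random_string" "random_sic_key"`, whose result is not marked sensitive and so appears in clear text in plan and apply output; `random_password` from the same provider takes the same arguments and redacts the value.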
@@ -0,0 +1,33 @@
+output "SIC_key" {
+ value = random_string.random_sic_key.result
+}
+output "management_name" {
+ value = var.management_name
+}
+output "configuration_template_name" {
+ value = var.configuration_template_name
+}
+output "instance_template_name" {
+ value = google_compute_instance_template.instance_template.name
+}
+output "instance_group_manager_name" {
+ value = google_compute_region_instance_group_manager.instance_group_manager.name
+}
+output "autoscaler_name" {
+ value = google_compute_region_autoscaler.autoscaler.name
+}
+output "ICMP_firewall_rules_name" {
+ value = google_compute_firewall.ICMP_firewall_rules[*].name
+}
+output "TCP_firewall_rules_name" {
+ value = google_compute_firewall.TCP_firewall_rules[*].name
+}
+output "UDP_firewall_rules_name" {
+ value = google_compute_firewall.UDP_firewall_rules[*].name
+}
+output "SCTP_firewall_rules_name" {
+ value = google_compute_firewall.SCTP_firewall_rules[*].name
+}
+output "ESP_firewall_rules_name" {
+ value = google_compute_firewall.ESP_firewall_rules[*].name
+}
\ No newline at end of file
diff --git a/terraform/gcp/autoscale-into-existing-vpc/terraform.tfvars b/terraform/gcp/autoscale-into-existing-vpc/terraform.tfvars
new file mode 100755
index 00000000..dfb828db
--- /dev/null
+++ b/terraform/gcp/autoscale-into-existing-vpc/terraform.tfvars
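Review bot: `output "SIC_key"` prints the gateways' SIC initiation key in clear text at the end of every `terraform apply` and in any CI log that captures the run, because the output is not marked sensitive. Adding `sensitive = true` to this block keeps it out of the console; it remains retrievable with `terraform output -raw SIC_key` and is stored in state either way, so state protection still applies. The remaining outputs are plain resource names and are fine as written.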
@@ -0,0 +1,36 @@
+# --- Google Provider ---
+service_account_path = "PLEASE ENTER SERVICE ACCOUNT PATH" # "service-accounts/service-account-file-name.json"
+project = "PLEASE ENTER PROJECT ID" # "project-id"
+
+# --- Check Point---
+prefix = "PLEASE ENTER PREFIX" # "chkp-tf-mig"
+license = "PLEASE ENTER LICENSE" # "BYOL"
+image_name = "PLEASE ENTER IMAGE NAME" # "check-point-r8110-gw-byol-mig-335-985-v20220126"
+management_nic = "PLEASE ENTER MANAGEMENT INTERFACE" # "Ephemeral Public IP (eth0)"
+management_name = "PLEASE ENTER MANAGEMENT NAME" # "tf-checkpoint-management"
+configuration_template_name = "PLEASE ENTER CONFIGURATION TEMPLATE NAME" # "tf-asg-autoprov-tmplt"
+admin_SSH_key = "PLEASE ENTER ADMIN SSH KEY" # "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key"
+network_defined_by_routes = "PLEASE ENTER true OR false" # true
+admin_shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh"
+allow_upload_download = "PLEASE ENTER true OR false" # true
+
+# --- Networking ---
+region = "PLEASE ENTER REGION" # "us-central1"
+external_network_name = "PLEASE ENTER EXTERNAL NETWORK NAME" # "default"
+external_subnetwork_name = "PLEASE ENTER EXTERNAL SUBNETWORK NAME" # "default"
+internal_network_name = "PLEASE ENTER INTERNAL NETWORK NAME" # "tf-vpc-network"
+internal_subnetwork_name = "PLEASE ENTER INTERNAL SUBNETWORK NAME" # "tf-vpc-subnetwork"
+ICMP_traffic = "PLEASE ENTER ICMP SOURCE IP RANGES" # ["123.123.0.0/24", "234.234.0.0/24"]
+TCP_traffic = "PLEASE ENTER TCP SOURCE IP RANGES" # ["0.0.0.0/0"]
+UDP_traffic = "PLEASE ENTER UDP SOURCE IP RANGES" # []
+SCTP_traffic = "PLEASE ENTER SCTP SOURCE IP RANGES" # []
+ESP_traffic = "PLEASE ENTER ESP SOURCE IP RANGES" # []
+
+# --- Instance Configuration ---
+machine_type = "PLEASE ENTER MACHINE TYPE" # "n1-standard-4"
+cpu_usage = "PLEASE ENTER CPU USAGE" # 60
+instances_min_grop_size = "PLEASE ENTER INSTANCES MIN GROP SIZE" # 2
+instances_max_grop_size = "PLEASE ENTER INSTANCES MAX GROP SIZE" # 10
+disk_type = "PLEASE 
ENTER DISK TYPE" # "SSD Persistent Disk"
+disk_size = "PLEASE ENTER DISK SIZE" # 100
+enable_monitoring = "PLEASE ENTER true OR false" # false
\ No newline at end of file
diff --git a/terraform/gcp/autoscale-into-existing-vpc/variables.tf b/terraform/gcp/autoscale-into-existing-vpc/variables.tf
new file mode 100755
index 00000000..8acd8fda
--- /dev/null
+++ b/terraform/gcp/autoscale-into-existing-vpc/variables.tf
@@ -0,0 +1,157 @@ +# Check Point CloudGuard IaaS Autoscaling - Terraform Template + +# --- Google Provider --- +variable "service_account_path" { + type = string + description = "User service account path in JSON format - From the service account key page in the Cloud Console choose an existing account or create a new one. Next, download the JSON key file. Name it something you can remember, store it somewhere secure on your machine, and supply the path to the location is stored." + default = "" +} +variable "project" { + type = string + description = "Personal project id. The project indicates the default GCP project all of your resources will be created in." + default = "" +} + +# --- Check Point--- +variable "prefix" { + type = string + description = "(Optional) Resources name prefix" + default = "chkp-tf-mig" +} +variable "license" { + type = string + description = "Checkpoint license (BYOL or PAYG)." + default = "BYOL" +} +variable "image_name" { + type = string + description = "The autoscaling (MIG) image name (e.g. check-point-r8110-gw-byol-mig-335-985-v20220126). You can choose the desired mig image value from: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/autoscale-byol/images.py" +} +variable "management_nic" { + type = string + description = "Management Interface - Autoscaling Security Gateways in GCP can be managed by an ephemeral public IP or using the private IP of the internal interface (eth1)." + default = "Ephemeral Public IP (eth0)" +} +variable "management_name" { + type = string + description = "The name of the Security Management Server as appears in autoprovisioning configuration. (Please enter a valid Security Management name including ascii characters only)" + default = "tf-checkpoint-management" +} +variable "configuration_template_name" { + type = string + description = "Specify the provisioning configuration template name (for autoprovisioning). 
(Please enter a valid autoprovisioing configuration template name including ascii characters only)" + default = "tf-asg-autoprov-tmplt" +} +variable "admin_SSH_key" { + type = string + description = "(Optional) The SSH public key for SSH authentication to the MIG instances. Leave this field blank to use all project-wide pre-configured SSH keys." + default = "" +} +variable "network_defined_by_routes" { + type = bool + description = "Set eth1 topology to define the networks behind this interface by the routes configured on the gateway." + default = true +} +variable "admin_shell" { + type = string + description = "Change the admin shell to enable advanced command line configuration." + default = "/etc/cli.sh" +} +variable "allow_upload_download" { + type = bool + description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point" + default = true +} + +# --- Networking --- +data "google_compute_regions" "available_regions" { +} +variable "region" { + type = string + default = "us-central1" +} +variable "external_network_name" { + type = string + description = "The network determines what network traffic the instance can access" +} +variable "external_subnetwork_name" { + type = string + description = "Assigns the instance an IPv4 address from the subnetwork’s range. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network." +} +variable "internal_network_name" { + type = string + description = "The network determines what network traffic the instance can access" +} +variable "internal_subnetwork_name" { + type = string + description = "Assigns the instance an IPv4 address from the subnetwork’s range. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network." 
+} +variable "ICMP_traffic" { + type = list(string) + description = "(Optional) Source IP ranges for ICMP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable ICMP traffic." + default = [] +} +variable "TCP_traffic" { + type = list(string) + description = "(Optional) Source IP ranges for TCP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable TCP traffic." + default = [] +} +variable "UDP_traffic" { + type = list(string) + description = "(Optional) Source IP ranges for UDP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable UDP traffic." + default = [] +} +variable "SCTP_traffic" { + type = list(string) + description = "(Optional) Source IP ranges for SCTP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable SCTP traffic." + default = [] +} +variable "ESP_traffic" { + type = list(string) + description = "(Optional) Source IP ranges for ESP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable ESP traffic." + default = [] +} + +# --- Instance Configuration --- +variable "machine_type" { + type = string + default = "n1-standard-4" +} +variable "cpu_usage" { + type = number + description = "Target CPU usage (%) - Autoscaling adds or removes instances in the group to maintain this level of CPU usage on each instance." + default = 60 +} +resource "null_resource" "cpu_usage_validation" { + // Will fail if var.cpu_usage is less than 10 or more than 90 + count = var.cpu_usage >= 10 && var.cpu_usage <= 90 ? 
0 : "variable cpu_usage must be a number between 10 and 90" +} +variable "instances_min_grop_size" { + type = number + description = "The minimal number of instances" + default = 2 +} +variable "instances_max_grop_size" { + type = number + description = "The maximal number of instances" + default = 10 +} +variable "disk_type" { + type = string + description = "Storage space is much less expensive for a standard Persistent Disk. An SSD Persistent Disk is better for random IOPS or streaming throughput with low latency." + default = "SSD Persistent Disk" +} +variable "disk_size" { + type = number + description = "Disk size in GB - Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space." + default = 100 +} +resource "null_resource" "disk_size_validation" { + // Will fail if var.disk_size is less than 100 or more than 4096 + count = var.disk_size >= 100 && var.disk_size <= 4096 ? 0 : "variable disk_size must be a number between 100 and 4096" +} +variable "enable_monitoring" { + type = bool + description = "Enable Stackdriver monitoring" + default = false +} \ No newline at end of file diff --git a/terraform/gcp/autoscale-into-new-vpc/README.md b/terraform/gcp/autoscale-into-new-vpc/README.md new file mode 100755 index 00000000..3439418c --- /dev/null +++ b/terraform/gcp/autoscale-into-new-vpc/README.md 
@@ -0,0 +1,241 @@ +# Check Point Autoscale (MIG) Terraform module for GCP + +Terraform module which deploys an Auto Scaling Group of Check Point Security Gateways into a new VPC on GCP. + +These types of Terraform resources are supported: +* [Network](https://www.terraform.io/docs/providers/google/d/compute_network.html) +* [Subnetwork](https://www.terraform.io/docs/providers/google/r/compute_subnetwork.html) +* [Instance Template](https://www.terraform.io/docs/providers/google/r/compute_instance_template.html) +* [Firewall](https://www.terraform.io/docs/providers/google/r/compute_firewall.html) - conditional creation +* [Instance Group Manager](https://www.terraform.io/docs/providers/google/r/compute_region_instance_group_manager.html) +* [Autoscaler](https://www.terraform.io/docs/providers/google/r/compute_region_autoscaler.html) + + +For additional information, +please see the [CloudGuard Network for GCP Autoscaling MIG Deployment Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_GCP_Autoscaling_MIG/Default.htm) + +This solution uses the following modules: +- /gcp/autoscale-into-existing-vpc + +Terraform is controlled via a very easy to use command-line interface (CLI). Terraform is only a single command-line application: **terraform**. + +## Before you begin +1. Create a project in the [Google Cloud Console](https://console.cloud.google.com/) and set up billing on that project. +2. [Install Terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli) and read the Terraform getting started guide that follows. This guide will assume basic proficiency with Terraform - it is an introduction to the Google provider. 
+ +## Configuring the Provider +The **main.tf** file includes the following provider configuration block used to configure the credentials you use to authenticate with GCP, as well as a default project and location for your resources: +``` +provider "google" { + credentials = file(var.service_account_path) + project = var.project + region = var.region +} +... +``` +1. [Create a Service Account](https://cloud.google.com/docs/authentication/getting-started) (or use the existing one). Next, download the JSON key file. Name it something you can remember and store it somewhere secure on your machine.
+2. Select "Editor" Role or verify you have the following permissions: + ``` + compute.autoscalers.create + compute.autoscalers.delete + compute.autoscalers.get + compute.disks.create + compute.disks.delete + compute.firewalls.create + compute.firewalls.delete + compute.firewalls.get + compute.images.get + compute.images.useReadOnly + compute.instanceGroupManagers.create + compute.instanceGroupManagers.delete + compute.instanceGroupManagers.get + compute.instanceGroupManagers.use + compute.instanceTemplates.create + compute.instanceTemplates.delete + compute.instanceTemplates.get + compute.instanceTemplates.useReadOnly + compute.instances.create + compute.instances.delete + compute.instances.setMetadata + compute.instances.setTags + compute.networks.create + compute.networks.delete + compute.networks.get + compute.networks.updatePolicy + compute.regions.list + compute.subnetworks.create + compute.subnetworks.delete + compute.subnetworks.get + compute.subnetworks.use + compute.subnetworks.useExternalIp + iam.serviceAccountKeys.get + iam.serviceAccountKeys.list + iam.serviceAccounts.actAs + iam.serviceAccounts.get + iam.serviceAccounts.list + ``` +3. ```credentials``` - Your service account key file is used to complete a two-legged OAuth 2.0 flow to obtain access tokens to authenticate with the GCP API as needed; Terraform will use it to reauthenticate automatically when tokens expire.
+The provider credentials can be provided either as static credentials or as [Environment Variables](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#credentials-1). + - Static credentials can be provided by adding the path to your service-account json file, project-id and region in /gcp/modules/autoscale-into-new-vpc/**terraform.tfvars** file as follows: + ``` + service_account_path = "service-accounts/service-account-file-name.json" + project = "project-id" + region = "us-central1" + ``` + - In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in the main.tf file, in the provider google resource, need to be deleted or commented: + ``` + provider "google" { + // credentials = file(var.service_account_path) + // project = var.project + + region = var.region + } + ``` + b.In the terraform.tfvars file leave empty double quotes for credentials and project variables: + ``` + service_account_path = "" + project = "" + ``` + ## Usage +- Fill all variables in the /gcp/autoscale-into-new-vpc/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +#### Variables are configured in autoscale-into-new-vpc/**terraform.tfvars** file as follows: +``` +# --- Google Provider --- +service_account_path = "service-accounts/service-account-file-name.json" +project = "project-id" + +# --- Check Point--- +prefix = "chkp-tf-mig" +license = "BYOL" +image_name = "check-point-r8110-gw-byol-mig-335-985-v20220126" +management_nic = "Ephemeral Public IP (eth0)" +management_name = "tf-checkpoint-management" +configuration_template_name = "tf-asg-autoprov-tmplt" +admin_SSH_key = "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" +network_defined_by_routes = true +admin_shell = "/etc/cli.sh" +allow_upload_download = true + +# --- Networking --- +region = "us-central1" +external_subnetwork_ip_cidr_range = "10.0.1.0/24" +internal_subnetwork_ip_cidr_range = "10.0.2.0/24" +ICMP_traffic = ["123.123.0.0/24", "234.234.0.0/24"] +TCP_traffic = ["0.0.0.0/0"] +UDP_traffic = [] +SCTP_traffic = [] +ESP_traffic = [] + +# --- Instance Configuration --- +machine_type = "n1-standard-4" +cpu_usage = 60 +instances_min_grop_size = 2 +instances_max_grop_size = 10 +disk_type = "SSD Persistent Disk" +disk_size = 100 +enable_monitoring = false +``` + +- To tear down your resources: + 
``` + terraform destroy + ``` + +## Conditional creation +To create Firewall and allow traffic for ICMP, TCP, UDP, SCTP or/and ESP - enter list of Source IP ranges. +``` +ICMP_traffic = ["123.123.0.0/24", "234.234.0.0/24"] +TCP_traffic = ["0.0.0.0/0"] +UDP_traffic = [] +SCTP_traffic = [] +ESP_traffic = [] +``` +Please leave empty list for a protocol if you want to disable traffic for it. + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | +| ------------- | ------------- | ------------- | ------------- | ------------- | ------------- | +| service_account_path | User service account path in JSON format - From the service account key page in the Cloud Console choose an existing account or create a new one. Next, download the JSON key file. Name it something you can remember, store it somewhere secure on your machine, and supply the path to the location is stored. (e.g. "service-accounts/service-account-name.json") | string | N/A | "" | yes | +| project | Personal project id. The project indicates the default GCP project all of your resources will be created in. | string | N/A | "" | yes | +| | | | | | +| prefix | (Optional) Resources name prefix. | string | N/A | "chkp-tf-mig" | no | +| license | Checkpoint license (BYOL or PAYG). | string | - BYOL
- PAYG
| "BYOL" | no | +| image_name | The autoscaling (MIG) image name (e.g. check-point-r8110-gw-byol-mig-335-985-v20220126). You can choose the desired mig image value from [Github](https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/autoscale-byol/images.py). | string | N/A | N/A | yes | +| management_nic | Management Interface - Autoscaling Security Gateways in GCP can be managed by an ephemeral public IP or using the private IP of the internal interface (eth1). | string | Ephemeral Public IP (eth0)
- Private IP (eth1) | "Ephemeral Public IP (eth0)" | no | +| management_name | The name of the Security Management Server as appears in autoprovisioning configuration. (Please enter a valid Security Management name including lowercase letters, digits and hyphens only). | string | N/A | "checkpoint-management" | no | +| configuration_template_name | Specify the provisioning configuration template name (for autoprovisioning). (Please enter a valid autoprovisioing configuration template name including lowercase letters, digits and hyphens only). | string | N/A | "gcp-asg-autoprov-tmplt" | no | +| admin_SSH_key | Public SSH key for the user 'admin' - The SSH public key for SSH authentication to the MIG instances. Leave this field blank to use all project-wide pre-configured SSH keys. | string | A valid public ssh key | "" | no | +| network_defined_by_routes | Set eth1 topology to define the networks behind this interface by the routes configured on the gateway. | bool | true/false | true | no | +| admin_shell | Change the admin shell to enable advanced command line configuration. | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | "/etc/cli.sh" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| | | | | | +| region | GCP region | string | N/A | N/A | yes | +| external_subnetwork_ip_cidr_range | The range of internal addresses that are owned by this subnetwork, only IPv4 is supported (e.g. "10.0.0.0/8" or "192.168.0.0/16"). | string | N/A | N/A | yes | +| internal_subnetwork_ip_cidr_range | The range of internal addresses that are owned by this subnetwork, only IPv4 is supported (e.g. "10.0.0.0/8" or "192.168.0.0/16"). | string | N/A | N/A | yes | +| ICMP_traffic | (Optional) Source IP ranges for ICMP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable ICMP traffic. | list(string) | N/A | [] | no | +| TCP_traffic | (Optional) Source IP ranges for TCP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable TCP traffic. | list(string) | N/A | [] | no | +| UDP_traffic | (Optional) Source IP ranges for UDP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable UDP traffic. | list(string) | N/A | [] | no | +| SCTP_traffic | (Optional) Source IP ranges for SCTP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable SCTP traffic. | list(string) | N/A | [] | no | +| ESP_traffic | (Optional) Source IP ranges for ESP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable ESP traffic. | list(string) | N/A | [] | no | +| | | | | | +| machine_type | Machine Type. 
| string | N/A | "n1-standard-4" | no | +| cpu_usage | Target CPU usage (%) - Autoscaling adds or removes instances in the group to maintain this level of CPU usage on each instance. | number | number between 10 and 90 | 60 | no | +| instances_min_grop_size | The minimal number of instances | number | N/A | 2 | no | +| instances_max_grop_size | The maximal number of instances | number | N/A | 10 | no | +| disk_type | Storage space is much less expensive for a standard Persistent Disk. An SSD Persistent Disk is better for random IOPS or streaming throughput with low latency. | string | - SSD Persistent Disk
- Balanced Persistent Disk
- Standard Persistent Disk | "SSD Persistent Disk" | no | +| disk_size | Disk size in GB - Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space. | number | number between 100 and 4096 | 100 | no | +| enable_monitoring | Enable Stackdriver monitoring | bool | true/false | false | no | + + + +## Outputs +| Name | Description | +| ------------- | ------------- | +| external_network_name | The external network name in which the gateways will reside. | +| external_subnetwork_name | The external subnetwork name. | +| internal_network_name | The internal network name in which application servers reside. | +| internal_subnetwork_name | The internal subnetwork name. | +| SIC_key | Secure Internal Communication (SIC) initiation key. | +| management_name | Security Management server name. | +| configuration_template_name | Provisioning configuration template name. | +| instance_template_name | Instance template name. | +| instance_group_manager_name | Instance group manager name. | +| autoscaler_name | Autoscaler name. | +| ICMP_firewall_rules_name | If enable - the ICMP firewall rules name, otherwise, an empty list. | +| TCP_firewall_rules_name | If enable - the TCP firewall rules name, otherwise, an empty list. | +| UDP_firewall_rules_name | If enable - the UDP firewall rules name, otherwise, an empty list. | +| SCTP_firewall_rules_name | If enable - the SCTP firewall rules name, otherwise, an empty list. | +| ESP_firewall_rules_name | If enable - the ESP firewall rules name, otherwise, an empty list. | + +## Revision History +In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +| ---------------- | ------------- | +| 20230109 | Updated startup script to use cloud-config. 
| +| | | | +| 20201208 | First release of Check Point CloudGuard IaaS Auto Scaling Group of Check Point Security Gateways Terraform solution into a new VPC on GCP. | +| | | | +| | Addition of "template_type" parameter to "cloud-version" files. | +| | | | + +## Authors + + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../../LICENSE) file for details diff --git a/terraform/gcp/autoscale-into-new-vpc/locals.tf b/terraform/gcp/autoscale-into-new-vpc/locals.tf new file mode 100755 index 00000000..451bbd93 --- /dev/null +++ b/terraform/gcp/autoscale-into-new-vpc/locals.tf 
@@ -0,0 +1,48 @@
+locals {
+ license_allowed_values = [
+ "BYOL",
+ "PAYG"]
+ // will fail if [var.license] is invalid:
+ validate_license = index(local.license_allowed_values, upper(var.license))
+
+ regex_validate_image_name = "check-point-r8[0-1][1-4]0-gw-(byol|payg)-mig-[0-9]{3}-([0-9]{3,}|[a-z]+)-v[0-9]{8,}"
+ // will fail if the image name is not in the right syntax
+ validate_image_name = length(regexall(local.regex_validate_image_name, var.image_name)) > 0 ? 0 : index(split("-", var.image_name), "INVALID IMAGE NAME")
+
+ management_nic_allowed_values = [
+ "Ephemeral Public IP (eth0)",
+ "Private IP (eth1)"]
+ // will fail if [var.management_nic] is invalid:
+ validate_management_nic = index(local.management_nic_allowed_values, var.management_nic)
+
+ regex_valid_management_name = "^([ -~]+)$"
+ // Will fail if var.management_name is invalid
+ regex_management_name = regex(local.regex_valid_management_name, var.management_name) == var.management_name ? 0 : "Variable [management_name] must be a valid Security Management name including ascii characters only"
+
+ regex_valid_configuration_template_name = "^([ -~]+)$"
+ // Will fail if var.configuration_template_name is invalid
+ regex_configuration_template_name = regex(local.regex_valid_configuration_template_name, var.configuration_template_name) == var.configuration_template_name ? 0 : "Variable [configuration_template_name] must be a valid autoprovisioing configuration template name including ascii characters only"
+
+ regex_valid_admin_SSH_key = "^(^$|ssh-rsa AAAA[0-9A-Za-z+/]+[=]{0,3})"
+ // Will fail if var.admin_SSH_key is invalid
+ regex_admin_SSH_key = regex(local.regex_valid_admin_SSH_key, var.admin_SSH_key) == var.admin_SSH_key ? 0 : "Please enter a valid SSH public key or leave empty"
+
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"]
+ // Will fail if var.admin_shell is invalid
+ validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell)
+
+ regions_allowed_values = data.google_compute_regions.available_regions.names
+ // Will fail if var.region is invalid
+ validate_region = index(local.regions_allowed_values, var.region)
+
+ disk_type_allowed_values = [
+ "SSD Persistent Disk",
+ "Balanced Persistent Disk",
+ "Standard Persistent Disk"]
+ // Will fail if var.disk_type is invalid
+ validate_disk_type = index(local.disk_type_allowed_values, var.disk_type)
+}
\ No newline at end of file
diff --git a/terraform/gcp/autoscale-into-new-vpc/main.tf b/terraform/gcp/autoscale-into-new-vpc/main.tf
new file mode 100755
index 00000000..16ec2197
--- /dev/null
+++ b/terraform/gcp/autoscale-into-new-vpc/main.tf
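Review bot: The `regex_admin_SSH_key` line in the first half of this hunk validates only that the key begins with `ssh-rsa AAAA`: the pattern has no end anchor, and as far as I can tell `regex()` with a capture group returns a list, so `== var.admin_SSH_key` is never true and the `? 0 : "Please enter a valid SSH public key or leave empty"` conditional just yields a string that nothing consumes — the plan fails only when `regex()` itself finds no match. `regex_management_name` and `regex_configuration_template_name` use the same non-failing comparison, and their `^([ -~]+)$` pattern accepts any printable ASCII including spaces, while the README table for this module promises "lowercase letters, digits and hyphens only"; one of the two should change. The key regex also rejects `ssh-ed25519` and `ecdsa-sha2-*` public keys outright, which the `admin_SSH_key` description should state if that is intended. If the module can require Terraform 0.13 or later, these checks belong in `validation { condition = can(regex(...)) error_message = "..." }` blocks on the variables in variables.tf, which would also replace the `null_resource` count trick used there for `cpu_usage` and `disk_size`.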
@@ -0,0 +1,73 @@
+provider "google" {
+ credentials = file(var.service_account_path)
+ project = var.project
+ region = var.region
+}
+
+resource "random_string" "mig_random_string" {
+ length = 5
+ special = false
+ upper = false
+ keepers = {}
+}
+resource "google_compute_network" "external_network" {
+ name = "${var.prefix}-ext-network-${random_string.mig_random_string.result}"
+ auto_create_subnetworks = false
+}
+resource "google_compute_subnetwork" "external_subnetwork" {
+ name = "${var.prefix}-ext-subnet-${random_string.mig_random_string.result}"
+ ip_cidr_range = var.external_subnetwork_ip_cidr_range
+ region = var.region
+ network = google_compute_network.external_network.id
+}
+
+resource "google_compute_network" "internal_network" {
+ name = "${var.prefix}-int-network-${random_string.mig_random_string.result}"
+ auto_create_subnetworks = false
+}
+resource "google_compute_subnetwork" "internal_subnetwork" {
+ name = "${var.prefix}-int-subnet-${random_string.mig_random_string.result}"
+ ip_cidr_range = var.internal_subnetwork_ip_cidr_range
+ region = var.region
+ network = google_compute_network.internal_network.id
+}
+
+
+module "autoscale-into-existing-vpc" {
+ source = "../autoscale-into-existing-vpc"
+
+ service_account_path = var.service_account_path
+ project = var.project
+
+ # --- Check Point---
+ prefix = var.prefix
+ image_name = var.image_name
+ management_nic = var.management_nic
+ management_name = var.management_name
+ configuration_template_name = var.configuration_template_name
+ admin_SSH_key = var.admin_SSH_key
+ network_defined_by_routes = var.network_defined_by_routes
+ admin_shell = var.admin_shell
+ allow_upload_download = var.allow_upload_download
+
+ # --- Networking ---
+ region = var.region
+ external_network_name = google_compute_network.external_network.name
+ external_subnetwork_name = google_compute_subnetwork.external_subnetwork.name
+ internal_network_name = google_compute_network.internal_network.name
+ internal_subnetwork_name = google_compute_subnetwork.internal_subnetwork.name
+ ICMP_traffic = var.ICMP_traffic
+ TCP_traffic = var.TCP_traffic
+ UDP_traffic = var.UDP_traffic
+ SCTP_traffic = var.SCTP_traffic
+ ESP_traffic = var.ESP_traffic
+
+ # --- Instance Configuration ---
+ machine_type = var.machine_type
+ cpu_usage = var.cpu_usage
+ instances_min_grop_size = var.instances_min_grop_size
+ instances_max_grop_size = var.instances_max_grop_size
+ disk_type = var.disk_type
+ disk_size = var.disk_size
+ enable_monitoring = var.enable_monitoring
+}
\ No newline at end of file
diff --git a/terraform/gcp/autoscale-into-new-vpc/output.tf b/terraform/gcp/autoscale-into-new-vpc/output.tf
new file mode 100755
index 00000000..ef020e27
--- /dev/null
+++ b/terraform/gcp/autoscale-into-new-vpc/output.tf
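Review bot: No `terraform { required_version = "..." required_providers { ... } }` block accompanies the `provider "google"` block at the top of the hunk, so unless a versions file exists elsewhere in this directory every `terraform init` resolves the google and random providers (and null, used by variables.tf) to whatever is newest — a reproducibility and supply-chain gap; pin them with `version = "~> <MAJOR>.<MINOR>"` constraints (placeholder) and commit the dependency lock file. The provider also authenticates with a long-lived service-account key read via `file(var.service_account_path)`; the README already documents the environment-variable alternative, so a comment here such as `# Prefer Application Default Credentials / GOOGLE_APPLICATION_CREDENTIALS over a key file kept in the working tree` would steer users away from storing the JSON key beside terraform.tfvars. The same key path is forwarded to the submodule at the start of the `module` block, presumably for its own provider block, so the key file is read in two places and both need the same handling.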
@@ -0,0 +1,46 @@
+output "external_network_name" {
+ value = google_compute_network.external_network.name
+}
+output "external_subnetwork_name" {
+ value = google_compute_subnetwork.external_subnetwork.name
+}
+output "internal_network_name" {
+ value = google_compute_network.internal_network.name
+}
+output "internal_subnetwork_name" {
+ value = google_compute_subnetwork.internal_subnetwork.name
+}
+
+output "SIC_key" {
+ value = module.autoscale-into-existing-vpc.SIC_key
+}
+output "management_name" {
+ value = var.management_name
+}
+output "configuration_template_name" {
+ value = var.configuration_template_name
+}
+output "instance_template_name" {
+ value = module.autoscale-into-existing-vpc.instance_template_name
+}
+output "instance_group_manager_name" {
+ value = module.autoscale-into-existing-vpc.instance_group_manager_name
+}
+output "autoscaler_name" {
+ value = module.autoscale-into-existing-vpc.autoscaler_name
+}
+output "ICMP_firewall_rules_name" {
+ value = module.autoscale-into-existing-vpc.ICMP_firewall_rules_name
+}
+output "TCP_firewall_rules_name" {
+ value = module.autoscale-into-existing-vpc.TCP_firewall_rules_name
+}
+output "UDP_firewall_rules_name" {
+ value = module.autoscale-into-existing-vpc.UDP_firewall_rules_name
+}
+output "SCTP_firewall_rules_name" {
+ value = module.autoscale-into-existing-vpc.SCTP_firewall_rules_name
+}
+output "ESP_firewall_rules_name" {
+ value = module.autoscale-into-existing-vpc.ESP_firewall_rules_name
+}
diff --git a/terraform/gcp/autoscale-into-new-vpc/terraform.tfvars b/terraform/gcp/autoscale-into-new-vpc/terraform.tfvars
new file mode 100755
index 00000000..48fe765a
--- /dev/null
+++ b/terraform/gcp/autoscale-into-new-vpc/terraform.tfvars
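Review bot: `output "SIC_key"` in the middle of the hunk re-exports the Secure Internal Communication key without `sensitive = true`, so the key is printed in clear text after every `terraform apply` and `terraform output` and ends up in CI logs; add `sensitive = true` inside that output block. Whether the submodule's own `SIC_key` output is already marked sensitive cannot be seen from here, but if it is, recent Terraform versions refuse the plan until this wrapper output is marked as well, so the attribute is needed either way. The value is still written to the state file regardless, which is one more reason to keep the state backend encrypted and access-controlled.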
@@ -0,0 +1,34 @@
+# --- Google Provider ---
+service_account_path = "PLEASE ENTER SERVICE ACCOUNT PATH" # "service-accounts/service-account-file-name.json"
+project = "PLEASE ENTER PROJECT ID" # "project-id"
+
+# --- Check Point---
+prefix = "PLEASE ENTER PREFIX" # "chkp-tf-mig"
+license = "PLEASE ENTER LICENSE" # "BYOL"
+image_name = "PLEASE ENTER IMAGE NAME" # "check-point-r8110-gw-byol-mig-335-985-v20220126"
+management_nic = "PLEASE ENTER MANAGEMENT INTERFACE" # "Ephemeral Public IP (eth0)"
+management_name = "PLEASE ENTER MANAGEMENT NAME" # "tf-checkpoint-management"
+configuration_template_name = "PLEASE ENTER CONFIGURATION TEMPLATE NAME" # "tf-asg-autoprov-tmplt"
+admin_SSH_key = "PLEASE ENTER ADMIN SSH KEY" # "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key"
+network_defined_by_routes = "PLEASE ENTER true OR false" # true
+admin_shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh"
+allow_upload_download = "PLEASE ENTER true OR false" # true
+
+# --- Networking ---
+region = "PLEASE ENTER REGION" # "us-central1"
+external_subnetwork_ip_cidr_range = "PLEASE ENTER EXTERNAL SUBNETWORK CIDR" # "10.0.1.0/24"
+internal_subnetwork_ip_cidr_range = "PLEASE ENTER INTERNAL SUBNETWORK CIDR" # "10.0.2.0/24"
+ICMP_traffic = "PLEASE ENTER ICMP SOURCE IP RANGES" # ["123.123.0.0/24", "234.234.0.0/24"]
+TCP_traffic = "PLEASE ENTER TCP SOURCE IP RANGES" # ["0.0.0.0/0"]
+UDP_traffic = "PLEASE ENTER UDP SOURCE IP RANGES" # []
+SCTP_traffic = "PLEASE ENTER SCTP SOURCE IP RANGES" # []
+ESP_traffic = "PLEASE ENTER ESP SOURCE IP RANGES" # []
+
+# --- Instance Configuration ---
+machine_type = "PLEASE ENTER MACHINE TYPE" # "n1-standard-4"
+cpu_usage = "PLEASE ENTER CPU USAGE" # 60
+instances_min_grop_size = "PLEASE ENTER INSTANCES MIN GROP SIZE" # 2
+instances_max_grop_size = "PLEASE ENTER INSTANCES MAX GROP SIZE" # 10
+disk_type = "PLEASE ENTER DISK TYPE" # "SSD Persistent Disk"
+disk_size = "PLEASE ENTER DISK SIZE" # 100
+enable_monitoring = "PLEASE ENTER true OR false" # false
\ No newline at end of file
diff --git a/terraform/gcp/autoscale-into-new-vpc/variables.tf b/terraform/gcp/autoscale-into-new-vpc/variables.tf
new file mode 100755
index 00000000..f19a77d2
--- /dev/null
+++ b/terraform/gcp/autoscale-into-new-vpc/variables.tf
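Review bot: The inline example for `TCP_traffic` in the Networking section, `# ["0.0.0.0/0"]`, is the value most users will paste in, and it becomes a firewall rule admitting TCP from any source on the internet on whatever ports the submodule's rule opens; the README for this module repeats the same example. Replace it with a restricted placeholder such as `# ["<your-admin-cidr>/32"]` (constructed) so the documented sample is least-privilege, and keep `0.0.0.0/0` out of the examples altogether. The string placeholders for `bool` and `list(string)` variables (e.g. `network_defined_by_routes = "PLEASE ENTER true OR false"`) fail type conversion at plan time, which is presumably intentional as a forcing function but deserves a one-line comment at the top of the file saying so.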
@@ -0,0 +1,150 @@
+# Check Point CloudGuard IaaS Autoscaling - Terraform Template
+
+# --- Google Provider ---
+variable "service_account_path" {
+ type = string
+ description = "User service account path in JSON format - From the service account key page in the Cloud Console choose an existing account or create a new one. Next, download the JSON key file. Name it something you can remember, store it somewhere secure on your machine, and supply the path to the location is stored."
+ default = ""
+}
+variable "project" {
+ type = string
+ description = "Personal project id. The project indicates the default GCP project all of your resources will be created in."
+ default = ""
+}
+
+# --- Check Point---
+variable "prefix" {
+ type = string
+ description = "(Optional) Resources name prefix"
+ default = "chkp-tf-mig"
+}
+variable "license" {
+ type = string
+ description = "Checkpoint license (BYOL or PAYG)."
+ default = "BYOL"
+}
+variable "image_name" {
+ type = string
+ description = "The autoscaling (MIG) image name (e.g. check-point-r8110-gw-byol-mig-335-985-v20220126). You can choose the desired mig image value from: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/autoscale-byol/images.py"
+}
+variable "management_nic" {
+ type = string
+ description = "Management Interface - Autoscaling Security Gateways in GCP can be managed by an ephemeral public IP or using the private IP of the internal interface (eth1)."
+ default = "Ephemeral Public IP (eth0)"
+}
+variable "management_name" {
+ type = string
+ description = "The name of the Security Management Server as appears in autoprovisioning configuration. (Please enter a valid Security Management name including ascii characters only)"
+ default = "tf-checkpoint-management"
+}
+variable "configuration_template_name" {
+ type = string
+ description = "Specify the provisioning configuration template name (for autoprovisioning). (Please enter a valid autoprovisioing configuration template name including ascii characters only)"
+ default = "tf-asg-autoprov-tmplt"
+}
+variable "admin_SSH_key" {
+ type = string
+ description = "(Optional) The SSH public key for SSH authentication to the MIG instances. Leave this field blank to use all project-wide pre-configured SSH keys."
+ default = ""
+}
+variable "network_defined_by_routes" {
+ type = bool
+ description = "Set eth1 topology to define the networks behind this interface by the routes configured on the gateway."
+ default = true
+}
+variable "admin_shell" {
+ type = string
+ description = "Change the admin shell to enable advanced command line configuration."
+ default = "/etc/cli.sh"
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point"
+ default = true
+}
+
+# --- Networking ---
+data "google_compute_regions" "available_regions" {
+}
+variable "region" {
+ type = string
+ default = "us-central1"
+}
+
+variable "external_subnetwork_ip_cidr_range" {
+ type = string
+ description = "The range of external addresses that are owned by this subnetwork, only IPv4 is supported (e.g. \"10.0.0.0/8\" or \"192.168.0.0/16\")."
+}
+variable "internal_subnetwork_ip_cidr_range" {
+ type = string
+ description = "The range of internal addresses that are owned by this subnetwork, only IPv4 is supported (e.g. \"10.0.0.0/8\" or \"192.168.0.0/16\")."
+}
+variable "ICMP_traffic" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for ICMP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable ICMP traffic."
+ default = []
+}
+variable "TCP_traffic" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for TCP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable TCP traffic."
+ default = []
+}
+variable "UDP_traffic" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for UDP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable UDP traffic."
+ default = []
+}
+variable "SCTP_traffic" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for SCTP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable SCTP traffic."
+ default = []
+}
+variable "ESP_traffic" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for ESP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable ESP traffic."
+ default = []
+}
+
+# --- Instance Configuration ---
+variable "machine_type" {
+ type = string
+ default = "n1-standard-4"
+}
+variable "cpu_usage" {
+ type = number
+ description = "Target CPU usage (%) - Autoscaling adds or removes instances in the group to maintain this level of CPU usage on each instance."
+ default = 60
+}
+resource "null_resource" "cpu_usage_validation" {
+ // Will fail if var.cpu_usage is less than 10 or more than 90
+ count = var.cpu_usage >= 10 && var.cpu_usage <= 90 ? 0 : "variable cpu_usage must be a number between 10 and 90"
+}
+variable "instances_min_grop_size" {
+ type = number
+ description = "The minimal number of instances"
+ default = 2
+}
+variable "instances_max_grop_size" {
+ type = number
+ description = "The maximal number of instances"
+ default = 10
+}
+variable "disk_type" {
+ type = string
+ description = "Storage space is much less expensive for a standard Persistent Disk. An SSD Persistent Disk is better for random IOPS or streaming throughput with low latency."
+ default = "SSD Persistent Disk"
+}
+variable "disk_size" {
+ type = number
+ description = "Disk size in GB - Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space."
+ default = 100
+}
+resource "null_resource" "disk_size_validation" {
+ // Will fail if var.disk_size is less than 100 or more than 4096
+ count = var.disk_size >= 100 && var.disk_size <= 4096 ? 0 : "variable disk_size must be a number between 100 and 4096"
+}
+variable "enable_monitoring" {
+ type = bool
+ description = "Enable Stackdriver monitoring"
+ default = false
+}
\ No newline at end of file
diff --git a/terraform/gcp/common/cluster-member/main.tf b/terraform/gcp/common/cluster-member/main.tf
new file mode 100755
index 00000000..c740f8b3
--- /dev/null
+++ b/terraform/gcp/common/cluster-member/main.tf
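Review bot: Nothing validates that `instances_min_grop_size` does not exceed `instances_max_grop_size`, although the neighbouring `null_resource` blocks guard `cpu_usage` and `disk_size` in exactly that style; a third block with `count = var.instances_min_grop_size <= var.instances_max_grop_size ? 0 : "instances_min_grop_size must not exceed instances_max_grop_size"` would catch the mismatch at plan time instead of at the GCP API. The five `*_traffic` descriptions end with "Please leave empty list to unable ... traffic" where "unable" should read "disable"; the same wording appears in the existing-vpc variables.tf hunk earlier in this patch and in the README. `region` and `machine_type` are the only variables here without a `description`, and `service_account_path` defaulting to `""` presumably makes `file("")` in main.tf fail with a file-not-found error rather than a message saying the key path is required — dropping the default would give the clearer failure.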
@@ -0,0 +1,130 @@ +locals { + disk_type_condition = var.disk_type == "SSD Persistent Disk" ? "pd-ssd" : var.disk_type == "Standard Persistent Disk" ? "pd-standard" : "" + admin_SSH_key_condition = var.admin_SSH_key != "" ? true : false +} + +resource "google_compute_address" "member_ip_address" { + name = "${var.member_name}-address" + region = var.region +} + +resource "google_compute_instance" "cluster_member" { + name = var.member_name + description = "CloudGuard Highly Available Security Cluster" + zone = var.zone + tags = [ + "checkpoint-gateway"] + machine_type = var.machine_type + can_ip_forward = true + + boot_disk { + auto_delete = true + device_name = "${var.prefix}-boot" + + initialize_params { + size = var.disk_size + type = local.disk_type_condition + image = var.image_name + } + } + + network_interface { + network = var.cluster_network[0] + subnetwork = var.cluster_network_subnetwork[0] + } + network_interface { + network = var.mgmt_network[0] + subnetwork = var.mgmt_network_subnetwork[0] + access_config { + nat_ip = google_compute_address.member_ip_address.address + } + } + dynamic "network_interface" { + for_each = var.num_internal_networks >= 1 ? [ + 1] : [] + content { + network = var.internal_network1_network[0] + subnetwork = var.internal_network1_subnetwork[0] + } + } + dynamic "network_interface" { + for_each = var.num_internal_networks >= 2 ? [ + 1] : [] + content { + network = var.internal_network2_network[0] + subnetwork = var.internal_network2_subnetwork[0] + } + } + dynamic "network_interface" { + for_each = var.num_internal_networks >= 3 ? [ + 1] : [] + content { + network = var.internal_network3_network[0] + subnetwork = var.internal_network3_subnetwork[0] + } + } + dynamic "network_interface" { + for_each = var.num_internal_networks >= 4 ? 
[ + 1] : [] + content { + network = var.internal_network4_network[0] + subnetwork = var.internal_network4_subnetwork[0] + } + } + dynamic "network_interface" { + for_each = var.num_internal_networks >= 5 ? [ + 1] : [] + content { + network = var.internal_network5_network[0] + subnetwork = var.internal_network5_subnetwork[0] + } + } + dynamic "network_interface" { + for_each = var.num_internal_networks == 6 ? [ + 1] : [] + content { + network = var.internal_network6_network[0] + subnetwork = var.internal_network6_subnetwork[0] + } + } + + service_account { + + scopes = [ + "https://www.googleapis.com/auth/monitoring.write", + "https://www.googleapis.com/auth/compute", + "https://www.googleapis.com/auth/cloudruntimeconfig"] + } + + metadata = local.admin_SSH_key_condition ? { + instanceSSHKey = var.admin_SSH_key + adminPasswordSourceMetadata = var.generate_password ? var.generated_admin_password : "" + } : { adminPasswordSourceMetadata = var.generate_password ? var.generated_admin_password : "" } + + metadata_startup_script = templatefile("${path.module}/../startup-script.sh", { + // script's arguments + generatePassword = var.generate_password + config_url = "https://runtimeconfig.googleapis.com/v1beta1/projects/${var.project}/configs/${var.prefix}-config" + config_path = "projects/${var.project}/configs/${var.prefix}-config" + sicKey = var.sic_key + allowUploadDownload = var.allow_upload_download + templateName = "cluster_tf" + templateVersion = "20230109" + templateType = "terraform" + mgmtNIC = "" + hasInternet = "true" + enableMonitoring = var.enable_monitoring + shell = var.admin_shell + installationType = "Cluster" + computed_sic_key = "" + managementGUIClientNetwork = "" + primary_cluster_address_name = var.primary_cluster_address_name + secondary_cluster_address_name = var.secondary_cluster_address_name + managementNetwork = var.management_network + numAdditionalNICs = var.num_internal_networks + smart_1_cloud_token = "${var.member_name}" == 
"${var.prefix}-member-a" ? var.smart_1_cloud_token_a : var.smart_1_cloud_token_b + name = var.member_name + zoneConfig = var.zone + region = var.region + }) +} \ No newline at end of file diff --git a/terraform/gcp/common/cluster-member/output.tf b/terraform/gcp/common/cluster-member/output.tf new file mode 100755 index 00000000..ab8ad2dc --- /dev/null +++ b/terraform/gcp/common/cluster-member/output.tf @@ -0,0 +1,6 @@ +output "cluster_member_name" { + value = google_compute_instance.cluster_member.name +} +output "cluster_member_ip_address" { + value = google_compute_address.member_ip_address.address +} diff --git a/terraform/gcp/common/cluster-member/variables.tf b/terraform/gcp/common/cluster-member/variables.tf new file mode 100755 index 00000000..51b0e1d9 --- /dev/null +++ b/terraform/gcp/common/cluster-member/variables.tf 
@@ -0,0 +1,174 @@ +variable "prefix" { + type = string + description = "(Optional) Resources name prefix" + default = "chkp-tf-ha" +} +variable "member_name" { + type = string +} +variable "region" { + type = string + default = "us-central1" +} +variable "zone" { + type = string + default = "us-central1-a" +} +variable "machine_type" { + type = string + description = "Machine types determine the specifications of your machines, such as the amount of memory, virtual cores, and persistent disk limits an instance will have." + default = "n1-standard-4" +} +variable "disk_size" { + type = number + description = "Disk size in GB - Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space." + default = 100 +} +variable "disk_type" { + type = string + description = "Storage space is much less expensive for a standard Persistent Disk. An SSD Persistent Disk is better for random IOPS or streaming throughput with low latency." + default = "SSD Persistent Disk" +} +variable "image_name" { + type = string + description = "The High Availability (cluster) image name (e.g. check-point-r8110-gw-byol-cluster-335-985-v20220126). You can choose the desired cluster image value from: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/ha-byol/images.py" +} +variable "cluster_network" { + type = list(string) + description = "Cluster external network ID in the chosen zone." +} +variable "cluster_network_subnetwork" { + type = list(string) + description = "Cluster subnet ID in the chosen network." +} +variable "mgmt_network" { + type = list(string) + description = "Management network ID in the chosen zone." +} +variable "mgmt_network_subnetwork" { + type = list(string) + description = "Management subnet ID in the chosen network." +} +variable "num_internal_networks" { + type = number + description = "A number in the range 1 - 6 of internal network interfaces." 
+ default = 1 +} +variable "internal_network1_network" { + type = list(string) + description = "1st internal network ID in the chosen zone." + default = [] +} +variable "internal_network1_subnetwork" { + type = list(string) + description = "1st internal subnet ID in the chosen network." + default = [] +} +variable "internal_network2_network" { + type = list(string) + description = "2nd internal network ID in the chosen zone." + default = [] +} +variable "internal_network2_subnetwork" { + type = list(string) + description = "2nd internal subnet ID in the chosen network." + default = [] +} +variable "internal_network3_network" { + type = list(string) + description = "3rd internal network ID in the chosen zone." + default = [] +} +variable "internal_network3_subnetwork" { + type = list(string) + description = "3rd internal subnet ID in the chosen network." + default = [] +} +variable "internal_network4_network" { + type = list(string) + description = "4th internal network ID in the chosen zone." + default = [] +} +variable "internal_network4_subnetwork" { + type = list(string) + description = "4th internal subnet ID in the chosen network." + default = [] +} +variable "internal_network5_network" { + type = list(string) + description = "5th internal network ID in the chosen zone." + default = [] +} +variable "internal_network5_subnetwork" { + type = list(string) + description = "5th internal subnet ID in the chosen network." + default = [] +} +variable "internal_network6_network" { + type = list(string) + description = "6th internal network ID in the chosen zone." + default = [] +} +variable "internal_network6_subnetwork" { + type = list(string) + description = "6th internal subnet ID in the chosen network." + default = [] +} +variable "admin_SSH_key" { + type = string + description = "(Optional) The SSH public key for SSH authentication to the MIG instances. Leave this field blank to use all project-wide pre-configured SSH keys." 
+ default = "" +} +variable "project" { + type = string + description = "Personal project id. The project indicates the default GCP project all of your resources will be created in." + default = "" +} +variable "generate_password" { + type = bool + description = "Automatically generate an administrator password." + default = false +} +variable "sic_key" { + type = string + description = "The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server. At least 8 alpha numeric characters. If SIC is not provided and needed, a key will be automatically generated" +} +variable "allow_upload_download" { + type = bool + description = "Allow download from/upload to Check Point." + default = false +} +variable "enable_monitoring" { + type = bool + description = "Enable Stackdriver monitoring" + default = false +} +variable "admin_shell" { + type = string + description = "Change the admin shell to enable advanced command line configuration." + default = "/etc/cli.sh" +} +variable "smart_1_cloud_token_a" { + type = string + description ="(Optional) Smart-1 cloud token for member A to connect this Gateway to Check Point's Security Management as a Service" + default = "" +} +variable "smart_1_cloud_token_b" { + type = string + description ="(Optional) Smart-1 cloud token for member B to connect this Gateway to Check Point's Security Management as a Service" + default = "" +} +variable "management_network" { + type = string + description = "Security Management Server address - The public address of the Security Management Server, in CIDR notation. If using Smart-1 Cloud management, insert 'S1C'. VPN peers addresses cannot be in this CIDR block, so this value cannot be the zero-address." 
+} +variable "generated_admin_password" { + type = string + description = "administrator password" +} +variable "primary_cluster_address_name" { + type = string +} +variable "secondary_cluster_address_name" { + type = string +} \ No newline at end of file diff --git a/terraform/gcp/common/firewall-rule/main.tf b/terraform/gcp/common/firewall-rule/main.tf new file mode 100755 index 00000000..9f440b4a --- /dev/null +++ b/terraform/gcp/common/firewall-rule/main.tf @@ -0,0 +1,10 @@ +resource "google_compute_firewall" "firewall_rules" { + name = var.rule_name + network = var.network[0] + allow { + protocol = var.protocol + } + source_ranges = var.source_ranges + target_tags = [ + "checkpoint-gateway"] +} \ No newline at end of file diff --git a/terraform/gcp/common/firewall-rule/output.tf b/terraform/gcp/common/firewall-rule/output.tf new file mode 100755 index 00000000..e6088959 --- /dev/null +++ b/terraform/gcp/common/firewall-rule/output.tf @@ -0,0 +1,3 @@ +output "firewall_rule_name" { + value = google_compute_firewall.firewall_rules.name +} \ No newline at end of file diff --git a/terraform/gcp/common/firewall-rule/variables.tf b/terraform/gcp/common/firewall-rule/variables.tf new file mode 100755 index 00000000..39ac095b --- /dev/null +++ b/terraform/gcp/common/firewall-rule/variables.tf @@ -0,0 +1,17 @@ +variable "protocol" { + type = string + description = "The IP protocol to which this rule applies." +} +variable "source_ranges" { + type = list(string) + description = "(Optional) Source IP ranges for the protocol traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. Please leave empty list to unable this protocol traffic." + default = [] +} +variable "rule_name" { + type = string + description = "Firewall rule name." +} +variable "network" { + type = list(string) + description = "The name or self_link of the network to attach this firewall to." +} \ No newline at end of file 
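Review bot: `sic_key`, `generated_admin_password`, `smart_1_cloud_token_a` and `smart_1_cloud_token_b` are secrets, yet none of the four declarations carries `sensitive = true`, so their values are printed in `terraform plan`/`apply` output and CI logs whenever the instance metadata or startup script changes; add `sensitive = true` to each. The `sic_key` description promises "at least 8 alpha numeric characters" and an auto-generated key when none is given, but the variable has no default and no `validation` block, and in `cluster-member/main.tf` the value is spliced into a double-quoted shell argument inside a single-quoted YAML scalar, so a `'`, `"` or `$` in it breaks the bootstrap instead of being rejected; a `validation` block whose condition is `can(regex("^[A-Za-z0-9]{8,}$", var.sic_key))` pins the documented contract. The `admin_SSH_key` description still talks about "MIG instances", which reads as copied from the autoscale module—this module creates individual cluster members.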
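Review bot: `google_compute_firewall.firewall_rules` is created unconditionally with `allow { protocol = var.protocol }` and no `ports`, so it opens every port of that protocol, and with `source_ranges` left at its `[]` default the ingress rule names no source selector at all—if that reaches the API, GCP defaults the source to 0.0.0.0/0, the opposite of what the variable description ("leave empty list to unable this protocol traffic") promises. The module therefore depends on its caller to skip it for empty lists; to make it safe on its own, either gate creation with `count = length(var.source_ranges) > 0 ? 1 : 0` (and index the `firewall_rule_name` output accordingly) or reject an empty list with a `validation` block on `source_ranges`. "unable" in the description should read "disable".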
diff --git a/terraform/gcp/common/members-a-b/main.tf b/terraform/gcp/common/members-a-b/main.tf
new file mode 100755
index 00000000..d40ae6d1
--- /dev/null
+++ b/terraform/gcp/common/members-a-b/main.tf
@@ -0,0 +1,85 @@ +module "member_a" { + source = "../cluster-member" + + prefix = var.prefix + member_name = "${var.prefix}-member-a" + region = var.region + zone = var.zoneA + machine_type = var.machine_type + disk_size = var.disk_size + disk_type = var.disk_type + image_name = var.image_name + cluster_network = var.cluster_network + cluster_network_subnetwork = var.cluster_network_subnetwork + mgmt_network = var.mgmt_network + mgmt_network_subnetwork = var.mgmt_network_subnetwork + num_internal_networks = var.num_internal_networks + internal_network1_network = var.internal_network1_network + internal_network1_subnetwork = var.internal_network1_subnetwork + internal_network2_network = var.internal_network2_network + internal_network2_subnetwork = var.internal_network2_subnetwork + internal_network3_network = var.internal_network3_network + internal_network3_subnetwork = var.internal_network3_subnetwork + internal_network4_network = var.internal_network4_network + internal_network4_subnetwork = var.internal_network4_subnetwork + internal_network5_network = var.internal_network5_network + internal_network5_subnetwork = var.internal_network5_subnetwork + internal_network6_network = var.internal_network6_network + internal_network6_subnetwork = var.internal_network6_subnetwork + admin_SSH_key = var.admin_SSH_key + generated_admin_password = var.generated_admin_password + project = var.project + generate_password = var.generate_password + sic_key = var.sic_key + allow_upload_download = var.allow_upload_download + enable_monitoring = var.enable_monitoring + admin_shell = var.admin_shell + management_network = var.management_network + primary_cluster_address_name = var.primary_cluster_address_name + secondary_cluster_address_name = var.secondary_cluster_address_name + smart_1_cloud_token_a = var.smart_1_cloud_token_a + smart_1_cloud_token_b = var.smart_1_cloud_token_b +} + +module "member_b" { + source = "../cluster-member" + + prefix = var.prefix + member_name = 
"${var.prefix}-member-b" + region = var.region + zone = var.zoneB + machine_type = var.machine_type + disk_size = var.disk_size + disk_type = var.disk_type + image_name = var.image_name + cluster_network = var.cluster_network + cluster_network_subnetwork = var.cluster_network_subnetwork + mgmt_network = var.mgmt_network + mgmt_network_subnetwork = var.mgmt_network_subnetwork + num_internal_networks = var.num_internal_networks + internal_network1_network = var.internal_network1_network + internal_network1_subnetwork = var.internal_network1_subnetwork + internal_network2_network = var.internal_network2_network + internal_network2_subnetwork = var.internal_network2_subnetwork + internal_network3_network = var.internal_network3_network + internal_network3_subnetwork = var.internal_network3_subnetwork + internal_network4_network = var.internal_network4_network + internal_network4_subnetwork = var.internal_network4_subnetwork + internal_network5_network = var.internal_network5_network + internal_network5_subnetwork = var.internal_network5_subnetwork + internal_network6_network = var.internal_network6_network + internal_network6_subnetwork = var.internal_network6_subnetwork + admin_SSH_key = var.admin_SSH_key + generated_admin_password = var.generated_admin_password + project = var.project + generate_password = var.generate_password + sic_key = var.sic_key + allow_upload_download = var.allow_upload_download + enable_monitoring = var.enable_monitoring + admin_shell = var.admin_shell + management_network = var.management_network + primary_cluster_address_name = var.primary_cluster_address_name + secondary_cluster_address_name = var.secondary_cluster_address_name + smart_1_cloud_token_a = var.smart_1_cloud_token_a + smart_1_cloud_token_b = var.smart_1_cloud_token_b +} diff --git a/terraform/gcp/common/members-a-b/output.tf b/terraform/gcp/common/members-a-b/output.tf new file mode 100755 index 00000000..2398e6f3 --- /dev/null +++ b/terraform/gcp/common/members-a-b/output.tf 
@@ -0,0 +1,13 @@
+output "member_a_name" {
+ value = module.member_a.cluster_member_name
+}
+output "member_a_external_ip" {
+ value = module.member_a.cluster_member_ip_address
+}
+
+output "member_b_name" {
+ value = module.member_b.cluster_member_name
+}
+output "member_b_external_ip" {
+ value = module.member_b.cluster_member_ip_address
+}
\ No newline at end of file
diff --git a/terraform/gcp/common/members-a-b/variables.tf b/terraform/gcp/common/members-a-b/variables.tf
new file mode 100755
index 00000000..4a5b6e04
--- /dev/null
+++ b/terraform/gcp/common/members-a-b/variables.tf
@@ -0,0 +1,175 @@ +variable "prefix" { + type = string + description = "(Optional) Resources name prefix" + default = "chkp-tf-ha" +} +variable "region" { + type = string + default = "us-central1" +} +variable "zoneA" { + type = string + default = "us-central1-a" +} +variable "zoneB" { + type = string + default = "us-central1-a" +} +variable "machine_type" { + type = string + description = "Machine types determine the specifications of your machines, such as the amount of memory, virtual cores, and persistent disk limits an instance will have." + default = "n1-standard-4" +} +variable "disk_size" { + type = number + description = "Disk size in GB - Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space." + default = 100 +} +variable "disk_type" { + type = string + description = "Storage space is much less expensive for a standard Persistent Disk. An SSD Persistent Disk is better for random IOPS or streaming throughput with low latency." + default = "SSD Persistent Disk" +} +variable "image_name" { + type = string + description = "The High Availability (cluster) image name (e.g. check-point-r8110-gw-byol-cluster-335-985-v20220126). You can choose the desired cluster image value from: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/ha-byol/images.py" +} +variable "cluster_network" { + type = list(string) + description = "Cluster external network ID in the chosen zone." +} +variable "cluster_network_subnetwork" { + type = list(string) + description = "Cluster subnet ID in the chosen network." +} +variable "mgmt_network" { + type = list(string) + description = "Management network ID in the chosen zone." +} +variable "mgmt_network_subnetwork" { + type = list(string) + description = "Management subnet ID in the chosen network." 
+} +variable "num_internal_networks" { + type = number + description = "A number in the range 1 - 6 of internal network interfaces." + default = 1 +} +variable "internal_network1_network" { + type = list(string) + description = "1st internal network ID in the chosen zone." + default = [] +} +variable "internal_network1_subnetwork" { + type = list(string) + description = "1st internal subnet ID in the chosen network." + default = [] +} +variable "internal_network2_network" { + type = list(string) + description = "2nd internal network ID in the chosen zone." + default = [] +} +variable "internal_network2_subnetwork" { + type = list(string) + description = "2nd internal subnet ID in the chosen network." + default = [] +} +variable "internal_network3_network" { + type = list(string) + description = "3rd internal network ID in the chosen zone." + default = [] +} +variable "internal_network3_subnetwork" { + type = list(string) + description = "3rd internal subnet ID in the chosen network." + default = [] +} +variable "internal_network4_network" { + type = list(string) + description = "4th internal network ID in the chosen zone." + default = [] +} +variable "internal_network4_subnetwork" { + type = list(string) + description = "4th internal subnet ID in the chosen network." + default = [] +} +variable "internal_network5_network" { + type = list(string) + description = "5th internal network ID in the chosen zone." + default = [] +} +variable "internal_network5_subnetwork" { + type = list(string) + description = "5th internal subnet ID in the chosen network." + default = [] +} +variable "internal_network6_network" { + type = list(string) + description = "6th internal network ID in the chosen zone." + default = [] +} +variable "internal_network6_subnetwork" { + type = list(string) + description = "6th internal subnet ID in the chosen network." 
+ default = [] +} +variable "admin_SSH_key" { + type = string + description = "(Optional) The SSH public key for SSH authentication to the MIG instances. Leave this field blank to use all project-wide pre-configured SSH keys." + default = "" +} +variable "project" { + type = string + description = "Personal project id. The project indicates the default GCP project all of your resources will be created in." + default = "" +} +variable "generate_password" { + type = bool + description = "Automatically generate an administrator password." + default = false +} +variable "sic_key" { + type = string + description = "The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server. At least 8 alpha numeric characters. If SIC is not provided and needed, a key will be automatically generated" +} +variable "allow_upload_download" { + type = bool + description = "Allow download from/upload to Check Point." + default = false +} +variable "enable_monitoring" { + type = bool + description = "Enable Stackdriver monitoring" + default = false +} +variable "admin_shell" { + type = string + description = "Change the admin shell to enable advanced command line configuration." + default = "/etc/cli.sh" +} +variable "smart_1_cloud_token_a" { + type = string + description ="(Optional) Smart-1 cloud token for member A to connect this Gateway to Check Point's Security Management as a Service" + default = "" +} +variable "smart_1_cloud_token_b" { + type = string + description ="(Optional) Smart-1 cloud token for member B to connect this Gateway to Check Point's Security Management as a Service" + default = "" +} +variable "management_network" { + type = string + description = "Security Management Server address - The public address of the Security Management Server, in CIDR notation. If using Smart-1 Cloud management, insert 'S1C'. VPN peers addresses cannot be in this CIDR block, so this value cannot be the zero-address." 
+}
+variable "generated_admin_password" {
+ type = string
+ description = "administrator password"
+}
+variable "primary_cluster_address_name" {
+ type = string
+}
+variable "secondary_cluster_address_name" {
+ type = string
+}
\ No newline at end of file
diff --git a/terraform/gcp/common/network-and-subnet/main.tf b/terraform/gcp/common/network-and-subnet/main.tf
new file mode 100755
index 00000000..7665da7c
--- /dev/null
+++ b/terraform/gcp/common/network-and-subnet/main.tf
@@ -0,0 +1,21 @@
+locals {
+ create_network_condition = var.network_cidr == "" ? false : true
+}
+
+resource "google_compute_network" "network" {
+ count = local.create_network_condition ? 1 : 0
+ name = "${var.prefix}-${var.type}"
+ auto_create_subnetworks = false
+}
+resource "google_compute_subnetwork" "subnetwork" {
+ count = local.create_network_condition ? 1 : 0
+ name = "${var.prefix}-${var.type}-subnet"
+ ip_cidr_range = var.network_cidr
+ private_ip_google_access = true
+ region = var.region
+ network = google_compute_network.network[count.index].id
+}
+data "google_compute_network" "network_name" {
+ count = local.create_network_condition ? 0 : 1
+ name = var.network_name
+}
\ No newline at end of file
diff --git a/terraform/gcp/common/network-and-subnet/output.tf b/terraform/gcp/common/network-and-subnet/output.tf
new file mode 100755
index 00000000..862f84e4
--- /dev/null
+++ b/terraform/gcp/common/network-and-subnet/output.tf
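Review bot: `zoneA` and `zoneB` both default to `us-central1-a`, so an operator who accepts the defaults gets both members of the "High Availability" cluster in one zone and a single zonal outage takes the whole cluster down. Default `zoneB` to a different zone in the same region (for example `us-central1-b`), or add a precondition on the member modules requiring `var.zoneA != var.zoneB`, and state in both descriptions that the zones must belong to `var.region`. As in `cluster-member/variables.tf`, `sic_key`, `generated_admin_password` and the two Smart-1 Cloud tokens should be marked `sensitive = true` so they are redacted from plan output.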
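Review bot: `google_compute_subnetwork.subnetwork` hard-codes `private_ip_google_access = true` while this module's `variables.tf`, added in the same commit, declares a `private_ip_google_access` input with a default of `true` that is never read, so a caller setting it to `false` is silently ignored. Change the line to `private_ip_google_access = var.private_ip_google_access`, or drop the variable if the value is meant to be fixed. `var.network_cidr == "" ? false : true` is simply `var.network_cidr != ""`.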
@@ -0,0 +1,18 @@
+output "new_created_network_link" {
+ value = google_compute_network.network[*].self_link
+}
+output "new_created_subnet_link" {
+ value = google_compute_subnetwork.subnetwork[*].self_link
+}
+output "existing_network_link" {
+ value = data.google_compute_network.network_name[*].self_link
+}
+output "new_created_network_name" {
+ value = google_compute_network.network[*].name
+}
+output "new_created_subnet_name" {
+ value = google_compute_subnetwork.subnetwork[*].name
+}
+output "existing_network_name" {
+ value = data.google_compute_network.network_name[*].name
+}
\ No newline at end of file
diff --git a/terraform/gcp/common/network-and-subnet/variables.tf b/terraform/gcp/common/network-and-subnet/variables.tf
new file mode 100755
index 00000000..333d4f35
--- /dev/null
+++ b/terraform/gcp/common/network-and-subnet/variables.tf
@@ -0,0 +1,27 @@
+variable "prefix" {
+ type = string
+ description = "(Optional) Resources name prefix"
+ default = "chkp-tf-ha"
+}
+variable "type" {
+ type = string
+}
+variable "network_cidr" {
+ type = string
+ description = "External subnet CIDR. If the variable's value is not empty double quotes, a new network will be created."
+ default = "10.0.0.0/24"
+}
+variable "private_ip_google_access" {
+ type = bool
+ description = "When enabled, VMs in this subnetwork without external IP addresses can access Google APIs and services by using Private Google Access."
+ default = true
+}
+variable "region" {
+ type = string
+ default = "us-central1"
+}
+variable "network_name" {
+ type = string
+ description = "External network ID in the chosen zone. The network determines what network traffic the instance can access.If you have specified a CIDR block at var.network_cidr, this network name will not be used."
+ default = ""
+}
\ No newline at end of file
diff --git a/terraform/gcp/common/startup-script.sh b/terraform/gcp/common/startup-script.sh
new file mode 100755
index 00000000..196a04e3
--- /dev/null
+++ b/terraform/gcp/common/startup-script.sh
@@ -0,0 +1,3 @@
+#cloud-config
+runcmd:
+ - 'python3 /etc/cloud_config.py generatePassword=\"${generatePassword}\" allowUploadDownload=\"${allowUploadDownload}\" templateName=\"${templateName}\" templateVersion=\"${templateVersion}\" mgmtNIC="X${mgmtNIC}X" hasInternet=\"${hasInternet}\" config_url=\"${config_url}\" config_path=\"${config_path}\" installationType="X${installationType}X" enableMonitoring=\"${enableMonitoring}\" shell=\"${shell}\" computed_sic_key=\"${computed_sic_key}\" sicKey=\"${sicKey}\" managementGUIClientNetwork=\"${managementGUIClientNetwork}\" primary_cluster_address_name=\"${primary_cluster_address_name}\" secondary_cluster_address_name=\"${secondary_cluster_address_name}\" managementNetwork=\"${managementNetwork}\" numAdditionalNICs=\"${numAdditionalNICs}\" smart1CloudToken="X${smart_1_cloud_token}X" name=\"${name}\" zone=\"${zoneConfig}\" region=\"${region}\"'
\ No newline at end of file
diff --git a/terraform/gcp/high-availability/README.md b/terraform/gcp/high-availability/README.md
new file mode 100755
index 00000000..03e9d97b
--- /dev/null
+++ b/terraform/gcp/high-availability/README.md
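Review bot: Every template value, including `sicKey` and `smart1CloudToken`, is spliced verbatim into the single-quoted YAML scalar that becomes the `runcmd` shell line, so a `'` in any value terminates the YAML string and a `"` or `$` inside the `\"${...}\"` arguments is interpreted by the shell—and none of the inputs feeding this template is validated against that in `cluster-member/variables.tf`. The SIC key and token are also passed as command-line arguments, which leaves them visible in `ps` while the script runs and, presumably, in whatever cloud-init persists or logs for `runcmd` on the image. Because `/etc/cloud_config.py` and its argument contract belong to the image, this cannot be changed here, but the file should say so in a comment after `#cloud-config`, e.g. `# NOTE: values are shell-interpolated unvalidated; sicKey and smart1CloudToken travel as argv and may appear in process listings/cloud-init logs.` The `"X${mgmtNIC}X"`, `"X${installationType}X"` and `"X${smart_1_cloud_token}X"` sentinels, used next to plain `\"${...}\"` quoting, also deserve a one-line comment explaining why those three are wrapped differently.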
@@ -0,0 +1,317 @@ +# Check Point Cluster High Availability (HA) Terraform module for GCP + +Terraform module which deploys Check Point CloudGuard IaaS High Availability solution on GCP. + +These types of Terraform resources are supported: +* [Network](https://www.terraform.io/docs/providers/google/d/compute_network.html) - conditional creation +* [Subnetwork](https://www.terraform.io/docs/providers/google/r/compute_subnetwork.html) - conditional creation +* [Instance](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance) +* [IP address](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/compute_address) +* [Firewall](https://www.terraform.io/docs/providers/google/r/compute_firewall.html) - conditional creation + + +For additional information, +please see the [CloudGuard Network for GCP High Availability Cluster Deployment Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_GCP_HA_Cluster/Default.htm) + +This solution uses the following modules: +- \gcp\common\network-and-subnet +- \gcp\common\firewall-rule +- \gcp\common\cluster-member +- \gcp\common\members-a-b + +Terraform is controlled via a very easy to use command-line interface (CLI). Terraform is only a single command-line application: **terraform**. + +## Before you begin +1. Create a project in the [Google Cloud Console](https://console.cloud.google.com/) and set up billing on that project. +2. [Install Terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli) and read the Terraform getting started guide that follows. This guide will assume basic proficiency with Terraform - it is an introduction to the Google provider. 
+ +## Configuring the Provider +The **main.tf** file includes the following provider configuration block used to configure the credentials you use to authenticate with GCP, as well as a default project and location for your resources: +``` +provider "google" { + credentials = file(var.service_account_path) + project = var.project + region = var.region +} +... +``` +1. [Create a Service Account](https://cloud.google.com/docs/authentication/getting-started) (or use the existing one). Next, download the JSON key file. Name it something you can remember and store it somewhere secure on your machine.
+2. Select "Editor" Role or verify you have the following permissions: + ``` + compute.addresses.create + compute.addresses.delete + compute.addresses.get + compute.addresses.use + compute.disks.create + compute.firewalls.create + compute.firewalls.delete + compute.firewalls.get + compute.images.get + compute.images.useReadOnly + compute.instances.create + compute.instances.delete + compute.instances.get + compute.instances.setMetadata + compute.instances.setServiceAccount + compute.instances.setTags + compute.networks.create + compute.networks.delete + compute.networks.get + compute.networks.updatePolicy + compute.regions.list + compute.subnetworks.create + compute.subnetworks.delete + compute.subnetworks.get + compute.subnetworks.use + compute.subnetworks.useExternalIp + compute.zones.get + iam.serviceAccountKeys.get + iam.serviceAccountKeys.list + iam.serviceAccounts.actAs + iam.serviceAccounts.get + iam.serviceAccounts.list + ``` +3. ```credentials``` - Your service account key file is used to complete a two-legged OAuth 2.0 flow to obtain access tokens to authenticate with the GCP API as needed; Terraform will use it to reauthenticate automatically when tokens expire.
+The provider credentials can be provided either as static credentials or as [Environment Variables](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#credentials-1). + - Static credentials can be provided by adding the path to your service-account json file, project-id and region in /gcp/modules/high-availability/**terraform.tfvars** file as follows: + ``` + service_account_path = "service-accounts/service-account-file-name.json" + project = "project-id" + region = "us-central1" + ``` + - In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in the main.tf file, in the provider google resource, need to be deleted or commented: + ``` + provider "google" { + // credentials = file(var.service_account_path) + // project = var.project + + region = var.region + } + ``` + b.In the terraform.tfvars file leave empty double quotes for credentials and project variables: + ``` + service_account_path = "" + project = "" + ``` + ## Usage +- Fill all variables in the /gcp/high-availability/**terraform.tfvars** file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +#### Variables are configured in high-availability/**terraform.tfvars** file as follows: +``` +# --- Google Provider --- +service_account_path = "service-accounts/service-account-file-name.json" +project = "project-id" + +# --- Check Point Deployment --- +prefix = "chkp-tf-ha" +license = "BYOL" +image_name = "check-point-r8110-gw-byol-cluster-335-985-v20220126" + +# --- Instances Configuration --- +region = "us-central1" +zoneA = "us-central1-a" +zoneB = "us-central1-a" +machine_type = "n1-standard-4" +disk_type = "SSD Persistent Disk" +disk_size = 100 +admin_SSH_key = "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" +enable_monitoring = false + +# --- Check Point --- +management_network = "209.87.209.100/32" +sic_key = "aaaaaaaa" +generate_password = false +allow_upload_download = false +admin_shell = "/bin/bash" + +#--- Quick connect to Smart-1 Cloud --- +smart_1_cloud_token_a = "xxxxxxxxxxxxxxxxxxxxxxxx" +smart_1_cloud_token_b = "xxxxxxxxxxxxxxxxxxxxxxxx" + +# --- Networking --- +cluster_network_cidr = "10.0.1.0/24" +cluster_network_name = "cluster-network" +cluster_network_subnetwork_name = "cluster-subnetwork" +cluster_ICMP_traffic = ["0.0.0.0/0"] +cluster_TCP_traffic = ["0.0.0.0/0"] 
+cluster_UDP_traffic = [] +cluster_SCTP_traffic = [] +cluster_ESP_traffic = [] +mgmt_network_cidr = "" +mgmt_network_name = "mgmt-network" +mgmt_network_subnetwork_name = "mgmt-subnetwork" +mgmt_ICMP_traffic = [] +mgmt_TCP_traffic = [] +mgmt_UDP_traffic = [] +mgmt_SCTP_traffic = ["0.0.0.0/0"] +mgmt_ESP_traffic = ["0.0.0.0/0"] +num_internal_networks = 1 +internal_network1_cidr = "10.0.3.0/24" +internal_network1_name = "" +internal_network1_subnetwork_name = "" + +``` + +- To tear down your resources: + ``` + terraform destroy + ``` + + +## Conditional creation +
1. For each network and subnet variable, you can choose whether to create a new network with a new subnet or to use an existing one. +- If you want to create a new network and subnet, please input a subnet CIDR block for the desired new network - In this case, the network name and subnetwork name will not be used: +``` + cluster_network_cidr = "10.0.1.0/24" + cluster_network_name = "not-use" + cluster_network_subnetwork_name = "not-use" +``` +- Otherwise, if you want to use existing network and subnet, please leave empty double quotes in the CIDR variable for the desired network: +``` + cluster_network_cidr = "" + cluster_network_name = "cluster-network" + cluster_network_subnetwork_name = "cluster-subnetwork" +``` +
2. To create Firewall and allow traffic for ICMP, TCP, UDP, SCTP or/and ESP - enter list of Source IP ranges. +
Please leave empty list for a protocol if you want to disable traffic for it. +- For cluster: +``` + cluster_ICMP_traffic = ["123.123.0.0/24", "234.234.0.0/24"] + cluster_TCP_traffic = ["0.0.0.0/0"] + cluster_UDP_traffic = [] + cluster_SCTP_traffic = [] + cluster_ESP_traffic = [] +``` +- For management: +``` + mgmt_ICMP_traffic = ["123.123.0.0/24", "234.234.0.0/24"] + mgmt_TCP_traffic = ["0.0.0.0/0"] + mgmt_UDP_traffic = [] + mgmt_SCTP_traffic = [] + mgmt_ESP_traffic = [] +``` +
3.The cluster members will each have a network interface in each internal network and create high priority routes that will route all outgoing traffic to the cluster member that is currently active. +
Using internal networks depends on the variable num_internal_networks, by selecting a number in range 1 - 6 that represents the number of internal networks: +``` + num_internal_networks = 3 + internal_network1_cidr = "" + internal_network1_name = "internal_network1" + internal_network1_subnetwork_name = "internal_subnetwork1" + internal_network2_cidr = "10.0.4.0/24" + internal_network2_name = "" + internal_network2_subnetwork_name = "" + internal_network3_cidr = "10.0.5.0/24" + internal_network3_name = "" + internal_network3_subnetwork_name = "" +``` + +## Inputs +| Name | Description | Type | Allowed values | Default | Required | +| ------------- | ------------- | ------------- | ------------- | ------------- | ------------- | +| service_account_path | User service account path in JSON format - From the service account key page in the Cloud Console choose an existing account or create a new one. Next, download the JSON key file. Name it something you can remember, store it somewhere secure on your machine, and supply the path to the location is stored. (e.g. "service-accounts/service-account-name.json") | string | N/A | "" | yes | +| project | Personal project id. The project indicates the default GCP project all of your resources will be created in. | string | N/A | "" | yes | +| | | | | | +| prefix | (Optional) Resources name prefix. | string | N/A | "chkp-tf-ha" | no | +| license | Checkpoint license (BYOL or PAYG). | string | - BYOL
- PAYG
| "BYOL" | no | +| image_name | The High Availability (cluster) image name (e.g. check-point-r8110-gw-byol-cluster-335-985-v20220126). You can choose the desired cluster image value from [Github](https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/ha-byol/images.py). | string | N/A | N/A | yes | +| | | | | | +| region | GCP region | string | N/A | "us-central1" | no | +| zoneA | Member A Zone. The zone determines what computing resources are available and where your data is stored and used. | string | N/A | "us-central1-a" | no | +| zoneB | Member B Zone. | string | N/A | "us-central1-a" | no | +| machine_type | Machine types determine the specifications of your machines, such as the amount of memory, virtual cores, and persistent disk limits an instance will have. | string | N/A | "n1-standard-4" | no | +| disk_type | Storage space is much less expensive for a standard Persistent Disk. An SSD Persistent Disk is better for random IOPS or streaming throughput with low latency. | string | - SSD Persistent Disk
- Standard Persistent Disk | "SSD Persistent Disk" | no | +| disk_size | Disk size in GB - Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space. | number | number between 100 and 4096 | 100 | no | +| enable_monitoring | Enable Stackdriver monitoring | bool | true/false | false | no | +| | | | | | +| management_network | Security Management Server address - The public address of the Security Management Server, in CIDR notation. If using Smart-1 Cloud management, insert 'S1C'. VPN peers addresses cannot be in this CIDR block, so this value cannot be the zero-address. | string | N/A | N/A | yes | +| sic_key | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server. At least 8 alpha numeric characters. If SIC is not provided and needed, a key will be automatically generated | string | N/A | N/A | yes | +| generate_password | Automatically generate an administrator password. | bool | true/false | false | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| admin_shell | Change the admin shell to enable advanced command line configuration. | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | "/etc/cli.sh" | no | +| smart_1_cloud_token_a | Smart-1 Cloud token to connect ***member A*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal.| +| smart_1_cloud_token_b | Smart-1 Cloud token to connect ***member B*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501)| string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal.| +| cluster_network_cidr | Cluster external subnet CIDR. If the variable's value is not empty double quotes, a new network will be created. The Cluster public IP will be translated to a private address assigned to the active member in this external network. | string | N/A | "10.0.0.0/24" | no | +| cluster_network_name | Cluster external network ID in the chosen zone. The network determines what network traffic the instance can access.If you have specified a CIDR block at var.cluster_network_cidr, this network name will not be used. | string | N/A | "" | no | +| cluster_network_subnetwork_name | Cluster subnet ID in the chosen network. Assigns the instance an IPv4 address from the subnetwork’s range. If you have specified a CIDR block at var.cluster_network_cidr, this subnetwork will not be used. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. | string | N/A | "" | no | +| cluster_ICMP_traffic | (Optional) Source IP ranges for ICMP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. Please leave empty list to unable ICMP traffic. | list(string) | N/A | [] | no | +| cluster_TCP_traffic | (Optional) Source IP ranges for TCP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. Please leave empty list to unable TCP traffic. | list(string) | N/A | [] | no | +| cluster_UDP_traffic | (Optional) Source IP ranges for UDP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. 
For gateway only. Please leave empty list to unable UDP traffic. | list(string) | N/A | [] | no | +| cluster_SCTP_traffic | (Optional) Source IP ranges for SCTP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. Please leave empty list to unable SCTP traffic. | list(string) | N/A | [] | no | +| cluster_ESP_traffic | (Optional) Source IP ranges for ESP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. Please leave empty list to unable ESP traffic. | list(string) | N/A | [] | no | +| mgmt_network_cidr | Management external subnet CIDR. If the variable's value is not empty double quotes, a new network will be created. The public IP used to manage each member will be translated to a private address in this external network. | string | N/A | "10.0.1.0/24" | no | +| mgmt_network_name | Management network ID in the chosen zone. The network determines what network traffic the instance can access. If you have specified a CIDR block at var.mgmt_network_cidr, this network name will not be used. | string | N/A | "" | no | +| mgmt_network_subnetwork_name | Management subnet ID in the chosen network. Assigns the instance an IPv4 address from the subnetwork’s range. If you have specified a CIDR block at var.mgmt_network_cidr, this subnetwork will not be used. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. | string | N/A | "" | no | +| mgmt_ICMP_traffic | (Optional) Source IP ranges for ICMP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009. Please leave empty list to unable ICMP traffic. 
| list(string) | N/A | [] | no | +| mgmt_TCP_traffic | (Optional) Source IP ranges for TCP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009. Please leave empty list to unable TCP traffic. | list(string) | N/A | [] | no | +| mgmt_UDP_traffic | (Optional) Source IP ranges for UDP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009. Please leave empty list to unable SCTP traffic. | list(string) | N/A | [] | no | +| mgmt_SCTP_traffic | (Optional) Source IP ranges for SCTP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009. Please leave empty list to unable TCP traffic. | list(string) | N/A | [] | no | +| mgmt_ESP_traffic | (Optional) Source IP ranges for ESP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009. Please leave empty list to unable ESP traffic. | list(string) | N/A | [] | no | +| num_internal_networks | A number in the range 1 - 6 of internal network interfaces. | number | 1 - 6 | 1 | no | +| internal_network1_cidr | 1st internal subnet CIDR. If the variable's value is not empty double quotes, a new subnet will be created. Assigns the cluster members an IPv4 address in this internal network. | string | N/A | "10.0.2.0/24" | no | +| internal_network1_name | 1st internal network ID in the chosen zone. 
The network determines what network traffic the instance can access. If you have specified a CIDR block at var.internal_network1_cidr, this network name will not be used. | string | N/A | "" | no | +| internal_network1_subnetwork_name | 1st internal subnet ID in the chosen network. Assigns the instance an IPv4 address from the subnetwork’s range. If you have specified a CIDR block at var.internal_network1_cidr, this subnetwork will not be used. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. | string | N/A | "" | no | + + + +## Outputs +| Name | Description | +| ------------- | ------------- | +| cluster_new_created_network | If a new cluster network creation is selected - the cluster network name, otherwise, an empty list. | +| cluster_new_created_subnet | If a new cluster network creation is selected - the cluster subnetwork name, otherwise, an empty list. | +| mgmt_new_created_network | If a new management network creation is selected - the management network name, otherwise, an empty list. | +| mgmt_new_created_subnet | If a new management network creation is selected - the management subnetwork name, otherwise, an empty list. | +| int_network1_new_created_network | If a new internal network 1 creation is selected - the internal network 1 network name, otherwise, an empty list. | +| int_network1_new_created_subnet | If a new internal network 1 creation is selected - the internal network 1 subnetwork name, otherwise, an empty list. | +| cluster_ICMP_firewall_rule | If enable - the cluster ICMP firewall rules name, otherwise, an empty list. | +| cluster_TCP_firewall_rule | If enable - the cluster TCP firewall rules name, otherwise, an empty list. | +| cluster_UDP_firewall_rule | If enable - the cluster UDP firewall rules name, otherwise, an empty list. | +| cluster_SCTP_firewall_rule | If enable - the cluster SCTP firewall rules name, otherwise, an empty list. 
| +| cluster_ESP_firewall_rule | If enable - the cluster ESP firewall rules name, otherwise, an empty list. | +| mgmt_ICMP_firewall_rule | If enable - the mgmt ICMP firewall rules name, otherwise, an empty list. | +| mgmt_TCP_firewall_rule | If enable - the mgmt TCP firewall rules name, otherwise, an empty list. | +| mgmt_UDP_firewall_rule | If enable - the mgmt UDP firewall rules name, otherwise, an empty list. | +| mgmt_SCTP_firewall_rule | If enable - the mgmt SCTP firewall rules name, otherwise, an empty list. | +| mgmt_ESP_firewall_rule | If enable - the mgmt ESP firewall rules name, otherwise, an empty list. | +| cluster_ip_external_address | Primary public IP address. | +| admin_password | If enable generate_password - the administrator password, otherwise, an empty list. | +| sic_key | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server. | +| member_a_name | Member A name. | +| member_a_external_ip | Member A external ip. | +| member_a_zone | Member A Zone. | +| member_b_name | Member B name. | +| member_b_external_ip | Member B external ip. | +| member_b_zone | Member B Zone. | + +## Revision History +In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +| ---------------- | ------------- | +| 20230209 | Added Smart-1 Cloud support. | +| | | | +| 20230109 | Updated startup script to use cloud-config. | +| | | | +| 20201208 | First release of Check Point Check Point CloudGuard IaaS High Availability Terraform solution on GCP. | +| | | | +| | Addition of "template_type" parameter to "cloud-version" files. | +| | | | + +## Authors + + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../../LICENSE) file for details 
diff --git a/terraform/gcp/high-availability/locals.tf b/terraform/gcp/high-availability/locals.tf new file mode 100755 index 00000000..e764ccaf --- /dev/null +++ b/terraform/gcp/high-availability/locals.tf 
@@ -0,0 +1,106 @@ +locals { + license_allowed_values = [ + "BYOL", + "PAYG"] + // will fail if [var.license] is invalid: + validate_license = index(local.license_allowed_values, upper(var.license)) + + regex_validate_image_name = "check-point-r8[0-1][1-4]0-gw-(byol|payg)-cluster-[0-9]{3}-([0-9]{3,}|[a-z]+)-v[0-9]{8,}" + // will fail if the image name is not in the right syntax + validate_image_name = length(regexall(local.regex_validate_image_name, var.image_name)) > 0 ? 0 : index(split("-", var.image_name), "INVALID IMAGE NAME") + + split_zoneA = split("-", var.zoneA) + split_zoneB = split("-", var.zoneB) + // will fail if the var.zoneA and var.zoneB are not at the same region: + validate_zones = index(local.split_zoneA, local.split_zoneB[0]) == local.split_zoneA[0] && index(local.split_zoneA, local.split_zoneB[1]) == local.split_zoneA[0] ? 0 : "var.zoneA and var.zoneB are not at the same region" + + regex_valid_management_network = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))|(S1C)$" + // Will fail if var.management_network is invalid + regex_management_network = regex(local.regex_valid_management_network, var.management_network) == var.management_network ? 0 : "Variable [management_network] must be a valid address in CIDR notation or 'S1C'." + + regex_valid_network_cidr = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))|$" + + // Will fail if var.cluster_network_cidr is invalid + regex_cluster_network_cidr = regex(local.regex_valid_network_cidr, var.cluster_network_cidr) == var.cluster_network_cidr ? 0 : "Variable [cluster_network_cidr] must be a valid address in CIDR notation." + // Will fail if var.mgmt_network_cidr is invalid + regex_mgmt_network_cidr = regex(local.regex_valid_network_cidr, var.mgmt_network_cidr) == var.mgmt_network_cidr ? 0 : "Variable [mgmt_network_cidr] must be a valid address in CIDR notation." 
+ // Will fail if var.internal_network1_cidr is invalid + regex_internal_network1_cidr = regex(local.regex_valid_network_cidr, var.internal_network1_cidr) == var.internal_network1_cidr ? 0 : "Variable [internal_network1_cidr] must be a valid address in CIDR notation." + + disk_type_allowed_values = [ + "SSD Persistent Disk", + "Standard Persistent Disk"] + // Will fail if var.disk_type is invalid + validate_disk_type = index(local.disk_type_allowed_values, var.disk_type) + + admin_shell_allowed_values = [ + "/etc/cli.sh", + "/bin/bash", + "/bin/csh", + "/bin/tcsh"] + // Will fail if var.admin_shell is invalid + validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell) + + // Will fail if var.cluster_network_name or var.cluster_network_subnetwork_name are empty double quotes in case of use existing network. + validate_cluster_network = var.cluster_network_cidr == "" && var.cluster_network_name == "" ? index("error:", "using existing cluster network - cluster network name is missing") : 0 + validate_cluster_subnet = var.cluster_network_cidr == "" && var.cluster_network_subnetwork_name == "" ? index("error:", "using existing cluster network - cluster subnetwork name is missing") : 0 + + // Will fail if var.mgmt_network_name or var.mgmt_network_subnetwork_name are empty double quotes in case of use existing network. + validate_mgmt_network = var.mgmt_network_cidr == "" && var.mgmt_network_name == "" ? index("error:", "using existing mgmt network - mgmt network name is missing") : 0 + validate_mgmt_subnet = var.mgmt_network_cidr == "" && var.mgmt_network_subnetwork_name == "" ? index("error:", "using existing mgmt network - mgmt subnetwork name is missing") : 0 + + // Will fail if var.internal_network1_name or var.internal_network1_subnetwork_name are empty double quotes in case of use existing network. + validate_internal_network1 = var.internal_network1_cidr == "" && var.internal_network1_name == "" ? 
index("error:", "using existing network1 - internal network1 name is missing") : 0 + validate_internal_network1_subnet = var.internal_network1_cidr == "" && var.internal_network1_subnetwork_name == "" ? ("using existing network1 - internal network1 subnet name is missing") : 0 + + // Will fail if var.internal_network2_name or var.internal_network2_subnetwork_name are empty double quotes in case of use existing network. + validate_internal_network2 = var.num_internal_networks >= 2 && var.internal_network2_cidr == "" && var.internal_network2_name == "" ? index("error:", "using existing network2 - internal network2 name is missing") : 0 + validate_internal_network2_subnet = var.num_internal_networks >= 2 && var.internal_network2_cidr == "" && var.internal_network2_subnetwork_name == "" ? index("error:", "using existing network2 - internal network2 subnet name is missing") : 0 + + // Will fail if var.internal_network3_name or var.internal_network3_subnetwork_name are empty double quotes in case of use existing network. + validate_internal_network3 = var.num_internal_networks >= 3 && var.internal_network3_cidr == "" && var.internal_network3_name == "" ? index("error:", "using existing network3 - internal network3 name is missing") : 0 + validate_internal_network3_subnet = var.num_internal_networks >= 3 && var.internal_network3_cidr == "" && var.internal_network3_subnetwork_name == "" ? index("error:", "using existing network3 - internal network3 subnet name is missing") : 0 + + // Will fail if var.internal_network4_name or var.internal_network4_subnetwork_name are empty double quotes in case of use existing network. + validate_internal_network4 = var.num_internal_networks >= 4 && var.internal_network4_cidr == "" && var.internal_network4_name == "" ? 
index("error:", "using existing network4 - internal network4 name is missing") : 0 + validate_internal_network4_subnet = var.num_internal_networks >= 4 && var.internal_network4_cidr == "" && var.internal_network4_subnetwork_name == "" ? index("error:", "using existing network4 - internal network4 subnet name is missing") : 0 + + // Will fail if var.internal_network5_name or var.internal_network5_subnetwork_name are empty double quotes in case of use existing network. + validate_internal_network5 = var.num_internal_networks >= 5 && var.internal_network5_cidr == "" && var.internal_network5_name == "" ? index("error:", "using existing network5 - internal network5 name is missing") : 0 + validate_internal_network5_subnet = var.num_internal_networks >= 5 && var.internal_network5_cidr == "" && var.internal_network5_subnetwork_name == "" ? index("error:", "using existing network5 - internal network5 subnet name is missing") : 0 + + // Will fail if var.internal_network6_name or var.internal_network6_subnetwork_name are empty double quotes in case of use existing network. + validate_internal_network6 = var.num_internal_networks >= 6 && var.internal_network6_cidr == "" && var.internal_network6_name == "" ? index("error:", "using existing network6 - internal network6 name is missing") : 0 + validate_internal_network6_subnet = var.num_internal_networks >= 6 && var.internal_network6_cidr == "" && var.internal_network6_subnetwork_name == "" ? index("error:", "using existing network6 - internal network6 subnet name is missing") : 0 + + + regex_valid_admin_SSH_key = "^(^$|ssh-rsa AAAA[0-9A-Za-z+/]+[=]{0,3})" + // Will fail if var.admin_SSH_key is invalid + regex_admin_SSH_key = regex(local.regex_valid_admin_SSH_key, var.admin_SSH_key) == var.admin_SSH_key ? 
0 : "Please enter a valid SSH public key or leave empty" + + regex_valid_sic_key = "^([a-z0-9A-Z]{8,30})$" + // Will fail if var.sic_key is invalid + regex_sic_key = regex(local.regex_valid_sic_key, var.sic_key) == var.sic_key ? 0 : "Variable [sic_key] must be at least 8 alpha numeric characters." + + + + + create_cluster_network_condition = var.cluster_network_cidr == "" ? false : true + create_mgmt_network_condition = var.mgmt_network_cidr == "" ? false : true + create_internal_network1_condition = var.internal_network1_cidr == "" ? false : true + create_internal_network2_condition = var.internal_network2_cidr == "" && var.num_internal_networks >= 2 ? false : true + create_internal_network3_condition = var.internal_network3_cidr == "" && var.num_internal_networks >= 3 ? false : true + create_internal_network4_condition = var.internal_network4_cidr == "" && var.num_internal_networks >= 4 ? false : true + create_internal_network5_condition = var.internal_network5_cidr == "" && var.num_internal_networks >= 5 ? false : true + create_internal_network6_condition = var.internal_network6_cidr == "" && var.num_internal_networks == 6 ? false : true + cluster_ICMP_traffic_condition = length(var.cluster_ICMP_traffic) == 0 ? 0 : 1 + cluster_TCP_traffic_condition = length(var.cluster_TCP_traffic) == 0 ? 0 : 1 + cluster_UDP_traffic_condition = length(var.cluster_UDP_traffic) == 0 ? 0 : 1 + cluster_SCTP_traffic_condition = length(var.cluster_SCTP_traffic) == 0 ? 0 : 1 + cluster_ESP_traffic_condition = length(var.cluster_ESP_traffic) == 0 ? 0 : 1 + mgmt_ICMP_traffic_condition = length(var.mgmt_ICMP_traffic) == 0 ? 0 : 1 + mgmt_TCP_traffic_condition = length(var.mgmt_TCP_traffic) == 0 ? 0 : 1 + mgmt_UDP_traffic_condition = length(var.mgmt_UDP_traffic) == 0 ? 0 : 1 + mgmt_SCTP_traffic_condition = length(var.mgmt_SCTP_traffic) == 0 ? 0 : 1 + mgmt_ESP_traffic_condition = length(var.mgmt_ESP_traffic) == 0 ? 0 : 1 +} \ No newline at end of file 
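Review bot: `validate_internal_network1_subnet` lacks the `index("error:", …)` wrapper every sibling check uses, so when an existing internal network 1 is selected with an empty `internal_network1_subnetwork_name` the local simply evaluates to the message string and the plan proceeds instead of failing; it should read `validate_internal_network1_subnet = var.internal_network1_cidr == "" && var.internal_network1_subnetwork_name == "" ? index("error:", "using existing network1 - internal network1 subnet name is missing") : 0`. `validate_zones` compares the numeric result of `index()` with the string `local.split_zoneA[0]`, which appears never to be equal, so the same-region check seems to rely only on `index()` erroring when a component of zoneB is absent from zoneA; a direct `local.split_zoneA[0] == local.split_zoneB[0] && local.split_zoneA[1] == local.split_zoneB[1]` would express the intent the comment states. `regex_valid_admin_SSH_key` accepts only `ssh-rsa` keys and has no trailing anchor, so ed25519 or ECDSA public keys are rejected while trailing garbage after an RSA key is not — worth either widening the pattern or stating the RSA-only limitation in the comment. These checks are the only input validation visible for the startup-script interpolations, so their correctness matters beyond plan-time ergonomics.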
diff --git a/terraform/gcp/high-availability/main.tf b/terraform/gcp/high-availability/main.tf new file mode 100755 index 00000000..821d3542 --- /dev/null +++ b/terraform/gcp/high-availability/main.tf 
@@ -0,0 +1,250 @@
+provider "google" {
+ credentials = file(var.service_account_path)
+ project = var.project
+ region = var.region
+}
+
+resource "random_string" "random_string" {
+ length = 5
+ special = false
+ upper = false
+ keepers = {}
+}
+
+module "cluster_network_and_subnet" {
+ source = "../common/network-and-subnet"
+
+ prefix = "${var.prefix}-${random_string.random_string.result}"
+ type = "cluster"
+ network_cidr = var.cluster_network_cidr
+ private_ip_google_access = true
+ region = var.region
+ network_name = var.cluster_network_name
+}
+module "cluster_ICMP_firewall_rules" {
+ count = local.cluster_ICMP_traffic_condition
+ source = "../common/firewall-rule"
+
+ protocol = "icmp"
+ source_ranges = var.cluster_ICMP_traffic
+ rule_name = "${var.prefix}-cluster-icmp-${random_string.random_string.result}"
+ network = local.create_cluster_network_condition ? module.cluster_network_and_subnet.new_created_network_link : module.cluster_network_and_subnet.existing_network_link
+}
+module "cluster_TCP_firewall_rules" {
+ count = local.cluster_TCP_traffic_condition
+ source = "../common/firewall-rule"
+
+ protocol = "tcp"
+ source_ranges = var.cluster_TCP_traffic
+ rule_name = "${var.prefix}-cluster-tcp-${random_string.random_string.result}"
+ network = local.create_cluster_network_condition ? module.cluster_network_and_subnet.new_created_network_link : module.cluster_network_and_subnet.existing_network_link
+}
+module "cluster_UDP_firewall_rules" {
+ count = local.cluster_UDP_traffic_condition
+ source = "../common/firewall-rule"
+
+ protocol = "udp"
+ source_ranges = var.cluster_UDP_traffic
+ rule_name = "${var.prefix}-cluster-udp-${random_string.random_string.result}"
+ network = local.create_cluster_network_condition ?
module.cluster_network_and_subnet.new_created_network_link : module.cluster_network_and_subnet.existing_network_link
+}
+module "cluster_SCTP_firewall_rules" {
+ count = local.cluster_SCTP_traffic_condition
+ source = "../common/firewall-rule"
+
+ protocol = "sctp"
+ source_ranges = var.cluster_SCTP_traffic
+ rule_name = "${var.prefix}-cluster-sctp-${random_string.random_string.result}"
+ network = local.create_cluster_network_condition ? module.cluster_network_and_subnet.new_created_network_link : module.cluster_network_and_subnet.existing_network_link
+}
+module "cluster_ESP_firewall_rules" {
+ count = local.cluster_ESP_traffic_condition
+ source = "../common/firewall-rule"
+
+ protocol = "esp"
+ source_ranges = var.cluster_ESP_traffic
+ rule_name = "${var.prefix}-cluster-esp-${random_string.random_string.result}"
+ network = local.create_cluster_network_condition ? module.cluster_network_and_subnet.new_created_network_link : module.cluster_network_and_subnet.existing_network_link
+}
+
+module "mgmt_network_and_subnet" {
+ source = "../common/network-and-subnet"
+
+ prefix = "${var.prefix}-${random_string.random_string.result}"
+ type = "mgmt"
+ network_cidr = var.mgmt_network_cidr
+ private_ip_google_access = false
+ region = var.region
+ network_name = var.mgmt_network_name
+}
+module "mgmt_ICMP_firewall_rules" {
+ count = local.mgmt_ICMP_traffic_condition
+ source = "../common/firewall-rule"
+
+ protocol = "icmp"
+ source_ranges = var.mgmt_ICMP_traffic
+ rule_name = "${var.prefix}-mgmt-icmp-${random_string.random_string.result}"
+ network = local.create_mgmt_network_condition ?
module.mgmt_network_and_subnet.new_created_network_link : module.mgmt_network_and_subnet.existing_network_link
+}
+module "mgmt_TCP_firewall_rules" {
+ count = local.mgmt_TCP_traffic_condition
+ source = "../common/firewall-rule"
+
+ protocol = "tcp"
+ source_ranges = var.mgmt_TCP_traffic
+ rule_name = "${var.prefix}-mgmt-tcp-${random_string.random_string.result}"
+ network = local.create_mgmt_network_condition ? module.mgmt_network_and_subnet.new_created_network_link : module.mgmt_network_and_subnet.existing_network_link
+}
+module "mgmt_UDP_firewall_rules" {
+ count = local.mgmt_UDP_traffic_condition
+ source = "../common/firewall-rule"
+
+ protocol = "udp"
+ source_ranges = var.mgmt_UDP_traffic
+ rule_name = "${var.prefix}-mgmt-udp-${random_string.random_string.result}"
+ network = local.create_mgmt_network_condition ? module.mgmt_network_and_subnet.new_created_network_link : module.mgmt_network_and_subnet.existing_network_link
+}
+module "mgmt_SCTP_firewall_rules" {
+ count = local.mgmt_SCTP_traffic_condition
+ source = "../common/firewall-rule"
+
+ protocol = "sctp"
+ source_ranges = var.mgmt_SCTP_traffic
+ rule_name = "${var.prefix}-mgmt-sctp-${random_string.random_string.result}"
+ network = local.create_mgmt_network_condition ? module.mgmt_network_and_subnet.new_created_network_link : module.mgmt_network_and_subnet.existing_network_link
+}
+module "mgmt_ESP_firewall_rules" {
+ count = local.mgmt_ESP_traffic_condition
+ source = "../common/firewall-rule"
+
+ protocol = "esp"
+ source_ranges = var.mgmt_ESP_traffic
+ rule_name = "${var.prefix}-mgmt-esp-${random_string.random_string.result}"
+ network = local.create_mgmt_network_condition ?
module.mgmt_network_and_subnet.new_created_network_link : module.mgmt_network_and_subnet.existing_network_link
+}
+
+module "internal_network1_and_subnet" {
+ source = "../common/network-and-subnet"
+
+ prefix = "${var.prefix}-${random_string.random_string.result}"
+ type = "internal-network1"
+ network_cidr = var.internal_network1_cidr
+ private_ip_google_access = false
+ region = var.region
+ network_name = var.internal_network1_name
+}
+
+module "internal_network2_and_subnet" {
+ count = var.num_internal_networks < 2 ? 0 : 1
+ source = "../common/network-and-subnet"
+
+ prefix = "${var.prefix}-${random_string.random_string.result}"
+ type = "internal-network2"
+ network_cidr = var.internal_network2_cidr
+ private_ip_google_access = false
+ region = var.region
+ network_name = var.internal_network2_name
+}
+
+module "internal_network3_and_subnet" {
+ count = var.num_internal_networks < 3 ? 0 : 1
+ source = "../common/network-and-subnet"
+
+ prefix = "${var.prefix}-${random_string.random_string.result}"
+ type = "internal-network3"
+ network_cidr = var.internal_network3_cidr
+ private_ip_google_access = false
+ region = var.region
+ network_name = var.internal_network3_name
+}
+
+module "internal_network4_and_subnet" {
+ count = var.num_internal_networks < 4 ? 0 : 1
+ source = "../common/network-and-subnet"
+
+ prefix = "${var.prefix}-${random_string.random_string.result}"
+ type = "internal-network4"
+ network_cidr = var.internal_network4_cidr
+ private_ip_google_access = false
+ region = var.region
+ network_name = var.internal_network4_name
+}
+
+module "internal_network5_and_subnet" {
+ count = var.num_internal_networks < 5 ?
0 : 1
+ source = "../common/network-and-subnet"
+
+ prefix = "${var.prefix}-${random_string.random_string.result}"
+ type = "internal-network5"
+ network_cidr = var.internal_network5_cidr
+ private_ip_google_access = false
+ region = var.region
+ network_name = var.internal_network5_name
+}
+
+module "internal_network6_and_subnet" {
+ count = var.num_internal_networks < 6 ? 0 : 1
+ source = "../common/network-and-subnet"
+
+ prefix = "${var.prefix}-${random_string.random_string.result}"
+ type = "internal-network6"
+ network_cidr = var.internal_network6_cidr
+ private_ip_google_access = false
+ region = var.region
+ network_name = var.internal_network6_name
+}
+resource "google_compute_address" "primary_cluster_ip_ext_address" {
+ name = "${var.prefix}-primary-cluster-address-${random_string.random_string.result}"
+ region = var.region
+}
+resource "google_compute_address" "secondary_cluster_ip_ext_address" {
+ name = "${var.prefix}-secondary-cluster-address-${random_string.random_string.result}"
+ region = var.region
+}
+resource "random_string" "generated_password" {
+ length = 12
+ special = false
+}
+
+module "members_a_b" {
+ source = "../common/members-a-b"
+
+ prefix = "${var.prefix}-${random_string.random_string.result}"
+ region = var.region
+ zoneA = var.zoneA
+ zoneB = var.zoneB
+ machine_type = var.machine_type
+ disk_size = var.disk_size
+ disk_type = var.disk_type
+ image_name = "checkpoint-public/${var.image_name}"
+ cluster_network = local.create_cluster_network_condition ? module.cluster_network_and_subnet.new_created_network_link : module.cluster_network_and_subnet.existing_network_link
+ cluster_network_subnetwork = local.create_cluster_network_condition ? module.cluster_network_and_subnet.new_created_subnet_link : [var.cluster_network_subnetwork_name]
+ mgmt_network = local.create_mgmt_network_condition ?
module.mgmt_network_and_subnet.new_created_network_link : module.mgmt_network_and_subnet.existing_network_link
+ mgmt_network_subnetwork = local.create_mgmt_network_condition ? module.mgmt_network_and_subnet.new_created_subnet_link : [var.mgmt_network_subnetwork_name]
+ num_internal_networks = var.num_internal_networks
+ internal_network1_network = local.create_internal_network1_condition ? module.internal_network1_and_subnet.new_created_network_link : [var.internal_network1_name]
+ internal_network1_subnetwork = local.create_internal_network1_condition ? module.internal_network1_and_subnet.new_created_subnet_link : [var.internal_network1_subnetwork_name]
+ internal_network2_network = var.num_internal_networks < 2 ? [] : local.create_internal_network2_condition ? module.internal_network2_and_subnet[0].new_created_network_link : [var.internal_network2_name]
+ internal_network2_subnetwork = var.num_internal_networks < 2 ? [] : local.create_internal_network2_condition ? module.internal_network2_and_subnet[0].new_created_subnet_link : [var.internal_network2_subnetwork_name]
+ internal_network3_network = var.num_internal_networks < 3 ? [] : local.create_internal_network3_condition ? module.internal_network3_and_subnet[0].new_created_network_link : [var.internal_network3_name]
+ internal_network3_subnetwork = var.num_internal_networks < 3 ? [] : local.create_internal_network3_condition ? module.internal_network3_and_subnet[0].new_created_subnet_link : [var.internal_network3_subnetwork_name]
+ internal_network4_network = var.num_internal_networks < 4 ? [] : local.create_internal_network4_condition ? module.internal_network4_and_subnet[0].new_created_network_link : [var.internal_network4_name]
+ internal_network4_subnetwork = var.num_internal_networks < 4 ? [] : local.create_internal_network4_condition ? module.internal_network4_and_subnet[0].new_created_subnet_link : [var.internal_network4_subnetwork_name]
+ internal_network5_network = var.num_internal_networks < 5 ?
[] : local.create_internal_network5_condition ? module.internal_network5_and_subnet[0].new_created_network_link : [var.internal_network5_name]
+ internal_network5_subnetwork = var.num_internal_networks < 5 ? [] : local.create_internal_network5_condition ? module.internal_network5_and_subnet[0].new_created_subnet_link : [var.internal_network5_subnetwork_name]
+ internal_network6_network = var.num_internal_networks < 6 ? [] : local.create_internal_network6_condition ? module.internal_network6_and_subnet[0].new_created_network_link : [var.internal_network6_name]
+ internal_network6_subnetwork = var.num_internal_networks < 6 ? [] : local.create_internal_network6_condition ? module.internal_network6_and_subnet[0].new_created_subnet_link : [var.internal_network6_subnetwork_name]
+ admin_SSH_key = var.admin_SSH_key
+ generated_admin_password = var.generate_password ? random_string.generated_password.result : ""
+ project = var.project
+ generate_password = var.generate_password
+ sic_key = var.sic_key
+ allow_upload_download = var.allow_upload_download
+ enable_monitoring = var.enable_monitoring
+ admin_shell = var.admin_shell
+ management_network = var.management_network
+ primary_cluster_address_name = google_compute_address.primary_cluster_ip_ext_address.name
+ secondary_cluster_address_name = google_compute_address.secondary_cluster_ip_ext_address.name
+ smart_1_cloud_token_a = var.smart_1_cloud_token_a
+ smart_1_cloud_token_b = var.smart_1_cloud_token_b
+}
\ No newline at end of file
diff --git a/terraform/gcp/high-availability/output.tf b/terraform/gcp/high-availability/output.tf
new file mode 100755
index 00000000..12009d32
--- /dev/null
+++ b/terraform/gcp/high-availability/output.tf
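Review bot: `resource "random_string" "generated_password"` (just before `module "members_a_b"`) generates the administrator password with a resource whose `result` is not marked sensitive, so whenever `generate_password` is true the clear-text password is printed in plan and apply output and ends up in any CI log that captures it. The same provider's `random_password` resource takes the same `length` and `special` arguments and marks its result sensitive; change the resource line to `resource "random_password" "generated_password" {` and the reference to `generated_admin_password = var.generate_password ? random_password.generated_password.result : ""`. The `random_string.generated_password.result` reference in output.tf needs the same rename. The value is still recorded in the state file either way, so access to the state backend remains the control that actually protects it.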
@@ -0,0 +1,117 @@
+output "cluster_new_created_network" {
+ value = module.cluster_network_and_subnet.new_created_network_name
+}
+output "cluster_new_created_subnet" {
+ value = module.cluster_network_and_subnet.new_created_subnet_name
+}
+
+output "mgmt_new_created_network" {
+ value = module.mgmt_network_and_subnet.new_created_network_name
+}
+output "mgmt_new_created_subnet" {
+ value = module.mgmt_network_and_subnet.new_created_subnet_name
+}
+
+output "int_network1_new_created_network" {
+ value = module.internal_network1_and_subnet.new_created_network_name
+}
+output "int_network1_new_created_subnet" {
+ value = module.internal_network1_and_subnet.new_created_subnet_name
+}
+
+output "int_network2_new_created_network" {
+ value = module.internal_network2_and_subnet[*].new_created_network_name
+}
+output "int_network2_new_created_subnet" {
+ value = module.internal_network2_and_subnet[*].new_created_subnet_name
+}
+
+output "int_network3_new_created_network" {
+ value = module.internal_network3_and_subnet[*].new_created_network_name
+}
+output "int_network3_new_created_subnet" {
+ value = module.internal_network3_and_subnet[*].new_created_subnet_name
+}
+
+output "int_network4_new_created_network" {
+ value = module.internal_network4_and_subnet[*].new_created_network_name
+}
+output "int_network4_new_created_subnet" {
+ value = module.internal_network4_and_subnet[*].new_created_subnet_name
+}
+
+output "int_network5_new_created_network" {
+ value = module.internal_network5_and_subnet[*].new_created_network_name
+}
+output "int_network5_new_created_subnet" {
+ value = module.internal_network5_and_subnet[*].new_created_subnet_name
+}
+
+output "int_network6_new_created_network" {
+ value = module.internal_network6_and_subnet[*].new_created_network_name
+}
+output "int_network6_new_created_subnet" {
+ value = module.internal_network6_and_subnet[*].new_created_subnet_name
+}
+
+output "cluster_ICMP_firewall_rule" {
+ value =
module.cluster_ICMP_firewall_rules[*].firewall_rule_name
+}
+output "cluster_TCP_firewall_rule" {
+ value = module.cluster_TCP_firewall_rules[*].firewall_rule_name
+}
+output "cluster_UDP_firewall_rule" {
+ value = module.cluster_UDP_firewall_rules[*].firewall_rule_name
+}
+output "cluster_SCTP_firewall_rule" {
+ value = module.cluster_SCTP_firewall_rules[*].firewall_rule_name
+}
+output "cluster_ESP_firewall_rule" {
+ value = module.cluster_ESP_firewall_rules[*].firewall_rule_name
+}
+
+output "mgmt_ICMP_firewall_rule" {
+ value = module.mgmt_ICMP_firewall_rules[*].firewall_rule_name
+}
+output "mgmt_TCP_firewall_rule" {
+ value = module.mgmt_TCP_firewall_rules[*].firewall_rule_name
+}
+output "mgmt_UDP_firewall_rule" {
+ value = module.mgmt_UDP_firewall_rules[*].firewall_rule_name
+}
+output "mgmt_SCTP_firewall_rule" {
+ value = module.mgmt_SCTP_firewall_rules[*].firewall_rule_name
+}
+output "mgmt_ESP_firewall_rule" {
+ value = module.mgmt_ESP_firewall_rules[*].firewall_rule_name
+}
+
+output "cluster_ip_external_address" {
+ value = google_compute_address.primary_cluster_ip_ext_address.address
+}
+output "admin_password" {
+ value = var.generate_password ? [random_string.generated_password.result] : []
+}
+output "sic_key" {
+ value = var.sic_key
+}
+
+output "member_a_name" {
+ value = module.members_a_b.member_a_name
+}
+output "member_a_external_ip" {
+ value = module.members_a_b.member_a_external_ip
+}
+output "member_a_zone" {
+ value = var.zoneA
+}
+
+output "member_b_name" {
+ value = module.members_a_b.member_b_name
+}
+output "member_b_external_ip" {
+ value = module.members_a_b.member_b_external_ip
+}
+output "member_b_zone" {
+ value = var.zoneB
+}
\ No newline at end of file
diff --git a/terraform/gcp/high-availability/terraform.tfvars b/terraform/gcp/high-availability/terraform.tfvars
new file mode 100755
index 00000000..f888479f
--- /dev/null
+++ b/terraform/gcp/high-availability/terraform.tfvars
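Review bot: `output "admin_password"` and `output "sic_key"` return secrets without `sensitive = true`, so `terraform apply` and a plain `terraform output` print the generated administrator password and the SIC one-time secret in clear text, and CI logs keep them. Add `sensitive = true` inside both output blocks; operators who already hold state access can still read the values with `terraform output -json`. Marking an output sensitive does not remove the value from the state file, so this complements restricting access to the state backend rather than replacing it.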
@@ -0,0 +1,53 @@
+# --- Google Provider ---
+service_account_path = "PLEASE ENTER SERVICE ACCOUNT PATH" # "service-accounts/service-account-file-name.json"
+project = "PLEASE ENTER PROJECT ID" # "project-id"
+
+# --- Check Point Deployment ---
+prefix = "PLEASE ENTER PREFIX" # "chkp-tf-ha"
+license = "PLEASE ENTER LICENSE" # "BYOL"
+image_name = "PLEASE ENTER IMAGE NAME" # "check-point-r8110-gw-byol-cluster-335-985-v20220126"
+
+# --- Instances Configuration ---
+region = "PLEASE ENTER REGION" # "us-central1"
+zoneA = "PLEASE ENTER ZONE A" # "us-central1-a"
+zoneB = "PLEASE ENTER ZONE B" # "us-central1-a"
+machine_type = "PLEASE ENTER MACHINE TYPE" # "n1-standard-4"
+disk_type = "PLEASE ENTER DISK TYPE" # "SSD Persistent Disk"
+disk_size = "PLEASE ENTER DISK SIZE" # 100
+admin_SSH_key = "PLEASE ENTER ADMIN SSH KEY" # "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key"
+enable_monitoring = "PLEASE ENTER true OR false" # false
+
+# --- Check Point ---
+management_network = "PLEASE ENTER MANAGEMENT IP OR S1C IF USING SMART-1 CLOUD MANAGEMENT" # "209.87.209.100/32"
+sic_key = "PLEASE ENTER A SIC KEY" # "aaaaaaaa"
+generate_password = "PLEASE ENTER true or false" # false
+allow_upload_download = "PLEASE ENTER true OR false" # true
+admin_shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh"
+
+# --- Quick connect to Smart-1 Cloud ---
+smart_1_cloud_token_a = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL" # ""
+smart_1_cloud_token_b = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL" # ""
+
+# --- Networking ---
+cluster_network_cidr = "PLEASE ENTER CLUSTER NETWORK CIDR" # "10.0.1.0/24"
+cluster_network_name = "PLEASE ENTER CLUSTER NETWORK ID" # "cluster-network"
+cluster_network_subnetwork_name = "PLEASE ENTER CLUSTER SUBNETWORK ID" # "cluster-subnetwork"
+cluster_ICMP_traffic = "PLEASE ENTER ICMP SOURCE IP RANGES" # ["123.123.0.0/24", "234.234.0.0/24"]
+cluster_TCP_traffic = "PLEASE ENTER TCP SOURCE IP RANGES" # ["0.0.0.0/0"]
+cluster_UDP_traffic = "PLEASE ENTER UDP SOURCE IP RANGES"
# []
+cluster_SCTP_traffic = "PLEASE ENTER SCTP SOURCE IP RANGES" # []
+cluster_ESP_traffic = "PLEASE ENTER ESP SOURCE IP RANGES" # []
+mgmt_network_cidr = "PLEASE ENTER MANAGEMENT NETWORK CIDR" # ""
+mgmt_network_name = "PLEASE ENTER MANAGEMENT NETWORK ID" # "mgmt-network"
+mgmt_network_subnetwork_name = "PLEASE ENTER MANAGEMENT SUBNETWORK ID" # "mgmt-subnetwork"
+mgmt_ICMP_traffic = "PLEASE ENTER ICMP SOURCE IP RANGES" # ["123.123.0.0/24", "234.234.0.0/24"]
+mgmt_TCP_traffic = "PLEASE ENTER TCP SOURCE IP RANGES" # ["0.0.0.0/0"]
+mgmt_UDP_traffic = "PLEASE ENTER UDP SOURCE IP RANGES" # []
+mgmt_SCTP_traffic = "PLEASE ENTER SCTP SOURCE IP RANGES" # []
+mgmt_ESP_traffic = "PLEASE ENTER ESP SOURCE IP RANGES" # []
+num_internal_networks = "PLEASE ENTER A NUMBER OF ADDITIONAL NICS" # 1
+internal_network1_cidr = "PLEASE ENTER 1ST INTERNAL NETWORK CIDR" # "10.0.3.0/24"
+internal_network1_name = "PLEASE ENTER 1ST INTERNAL NETWORK ID" # ""
+internal_network1_subnetwork_name = "PLEASE ENTER INTERNAL SUBNETWORK ID" # ""
+
+#Define internal NICs networks and subnetworks according the defined num_internal_networks value
diff --git a/terraform/gcp/high-availability/variables.tf b/terraform/gcp/high-availability/variables.tf
new file mode 100755
index 00000000..a7bede31
--- /dev/null
+++ b/terraform/gcp/high-availability/variables.tf
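Review bot: The inline example for `mgmt_TCP_traffic` is `["0.0.0.0/0"]`, which on the management-side firewall rule admits every source address to the management ports the variable descriptions in variables.tf enumerate (22, 443, 257, 18190 and others), and sample values in a tfvars template tend to be copied as-is. Narrow the example to the management server, e.g. `mgmt_TCP_traffic = "PLEASE ENTER TCP SOURCE IP RANGES" # ["209.87.209.100/32"]`, matching the `management_network` example a few lines above; the `cluster_TCP_traffic` example carries the same value, though an internet-facing gateway interface is a more defensible place for it. Separately, the `zoneB` example repeats `"us-central1-a"`, so a user following the examples places both HA members in one zone; `zoneB = "PLEASE ENTER ZONE B" # "us-central1-b"` would show the zone separation the cluster is meant to provide.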
@@ -0,0 +1,302 @@
+# Check Point CloudGuard IaaS High Availability - Terraform Template
+
+# --- Google Provider ---
+variable "service_account_path" {
+ type = string
+ description = "User service account path in JSON format - From the service account key page in the Cloud Console choose an existing account or create a new one. Next, download the JSON key file. Name it something you can remember, store it somewhere secure on your machine, and supply the path to the location is stored."
+ default = ""
+}
+variable "project" {
+ type = string
+ description = "Personal project id. The project indicates the default GCP project all of your resources will be created in."
+ default = ""
+}
+
+# --- Check Point Deployment ---
+variable "prefix" {
+ type = string
+ description = "(Optional) Resources name prefix"
+ default = "chkp-tf-ha"
+}
+variable "license" {
+ type = string
+ description = "Checkpoint license (BYOL or PAYG)."
+ default = "BYOL"
+}
+variable "image_name" {
+ type = string
+ description = "The High Availability (cluster) image name (e.g. check-point-r8110-gw-byol-cluster-335-985-v20220126). You can choose the desired cluster image value from: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/ha-byol/images.py"
+}
+
+# --- Instances Configuration ---
+data "google_compute_regions" "available_regions" {
+}
+variable "region" {
+ type = string
+ default = "us-central1"
+}
+variable "zoneA" {
+ type = string
+ description = "Member A Zone. The zone determines what computing resources are available and where your data is stored and used."
+ default = "us-central1-a"
+}
+variable "zoneB" {
+ type = string
+ description = "Member B Zone."
+ default = "us-central1-a"
+}
+variable "machine_type" {
+ type = string
+ description = "Machine types determine the specifications of your machines, such as the amount of memory, virtual cores, and persistent disk limits an instance will have."
+ default = "n1-standard-4"
+}
+variable "disk_type" {
+ type = string
+ description = "Storage space is much less expensive for a standard Persistent Disk. An SSD Persistent Disk is better for random IOPS or streaming throughput with low latency."
+ default = "SSD Persistent Disk"
+}
+variable "disk_size" {
+ type = number
+ description = "Disk size in GB - Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space."
+ default = 100
+}
+variable "admin_SSH_key" {
+ type = string
+ description = "(Optional) The SSH public key for SSH authentication to the MIG instances. Leave this field blank to use all project-wide pre-configured SSH keys."
+ default = ""
+}
+variable "enable_monitoring" {
+ type = bool
+ description = "Enable Stackdriver monitoring"
+ default = false
+}
+
+# --- Check Point ---
+variable "management_network" {
+ type = string
+ description = "Security Management Server address - The public address of the Security Management Server, in CIDR notation. If using Smart-1 Cloud management, insert 'S1C'. VPN peers addresses cannot be in this CIDR block, so this value cannot be the zero-address."
+ validation {
+ condition = var.management_network != "0.0.0.0/0"
+ error_message = "Var.management_network value cannot be the zero-address."
+ }
+}
+resource "null_resource" "validate_mgmt_network_if_required" {
+ count = var.smart_1_cloud_token_a == "" && var.management_network == "S1C" ? "Public address of the Security Management Server is required" : 0
+}
+variable "sic_key" {
+ type = string
+ description = "The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server. At least 8 alpha numeric characters. If SIC is not provided and needed, a key will be automatically generated"
+}
+variable "generate_password" {
+ type = bool
+ description = "Automatically generate an administrator password."
+ default = false
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Allow download from/upload to Check Point."
+ default = false
+}
+variable "admin_shell" {
+ type = string
+ description = "Change the admin shell to enable advanced command line configuration."
+ default = "/etc/cli.sh"
+}
+# --- Quick connect to Smart-1 Cloud ---
+variable "smart_1_cloud_token_a" {
+ type = string
+ description ="(Optional) Smart-1 cloud token for member A to connect this Gateway to Check Point's Security Management as a Service"
+ default = ""
+}
+variable "smart_1_cloud_token_b" {
+ type = string
+ description ="(Optional) Smart-1 cloud token for member B to connect this Gateway to Check Point's Security Management as a Service"
+ default = ""
+}
+
+resource "null_resource" "validate_both_tokens" {
+ count = (var.smart_1_cloud_token_a != "" && var.smart_1_cloud_token_b != "") || (var.smart_1_cloud_token_a == "" && var.smart_1_cloud_token_b == "") ? 0 : "To connect to Smart-1 Cloud, you must provide two tokens (one per member)"
+}
+resource "null_resource" "validate_different_tokens" {
+ count = var.smart_1_cloud_token_a != "" && var.smart_1_cloud_token_a == var.smart_1_cloud_token_b ? "To connect to Smart-1 Cloud, you must provide two different tokens" : 0
+}
+# --- Networking ---
+variable "cluster_network_cidr" {
+ type = string
+ description = "Cluster external subnet CIDR. If the variable's value is not empty double quotes, a new network will be created. The Cluster public IP will be translated to a private address assigned to the active member in this external network."
+ default = "10.0.0.0/24"
+}
+variable "cluster_network_name" {
+ type = string
+ description = "Cluster external network ID in the chosen zone. The network determines what network traffic the instance can access.If you have specified a CIDR block at var.cluster_network_cidr, this network name will not be used."
+ default = ""
+}
+variable "cluster_network_subnetwork_name" {
+ type = string
+ description = "Cluster subnet ID in the chosen network. Assigns the instance an IPv4 address from the subnetwork’s range. If you have specified a CIDR block at var.cluster_network_cidr, this subnetwork will not be used. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network."
+ default = ""
+}
+variable "cluster_ICMP_traffic" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for ICMP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. Please leave empty list to unable ICMP traffic."
+ default = []
+}
+variable "cluster_TCP_traffic" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for TCP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. Please leave empty list to unable TCP traffic."
+ default = []
+}
+variable "cluster_UDP_traffic" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for UDP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. Please leave empty list to unable UDP traffic."
+ default = []
+}
+variable "cluster_SCTP_traffic" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for SCTP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. Please leave empty list to unable SCTP traffic."
+ default = []
+}
+variable "cluster_ESP_traffic" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for ESP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only.
Please leave empty list to unable ESP traffic."
+ default = []
+}
+variable "mgmt_network_cidr" {
+ type = string
+ description = "Management external subnet CIDR. If the variable's value is not empty double quotes, a new network will be created. The public IP used to manage each member will be translated to a private address in this external network"
+ default = "10.0.1.0/24"
+}
+variable "mgmt_network_name" {
+ type = string
+ description = "Management network ID in the chosen zone. The network determines what network traffic the instance can access. If you have specified a CIDR block at var.mgmt_network_cidr, this network name will not be used. "
+ default = ""
+}
+variable "mgmt_network_subnetwork_name" {
+ type = string
+ description = "Management subnet ID in the chosen network. Assigns the instance an IPv4 address from the subnetwork’s range. If you have specified a CIDR block at var.mgmt_network_cidr, this subnetwork will not be used. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network."
+ default = ""
+}
+variable "mgmt_ICMP_traffic" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for ICMP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009. Please leave empty list to unable ICMP traffic."
+ default = []
+}
+variable "mgmt_TCP_traffic" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for TCP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009. Please leave empty list to unable TCP traffic."
+ default = []
+}
+variable "mgmt_UDP_traffic" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for UDP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009. Please leave empty list to unable UDP traffic."
+ default = []
+}
+variable "mgmt_SCTP_traffic" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for SCTP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009. Please leave empty list to unable SCTP traffic."
+ default = []
+}
+variable "mgmt_ESP_traffic" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for ESP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009. Please leave empty list to unable ESP traffic."
+ default = []
+}
+variable "num_internal_networks" {
+ type = number
+ description = "A number in the range 1 - 6 of internal network interfaces."
+ default = 1
+}
+resource "null_resource" "num_internal_networks_validation" {
+ // Will fail if var.num_internal_networks is less than 1 or more than 6
+ count = var.num_internal_networks >= 1 && var.num_internal_networks <= 6 ? 0 : "variable num_internal_networks must be a number between 1 and 6. Multiple network interfaces deployment is described in: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk121637"
+}
+variable "internal_network1_cidr" {
+ type = string
+ description = "1st internal subnet CIDR.
If the variable's value is not empty double quotes, a new subnet will be created. Assigns the cluster members an IPv4 address in this internal network."
+ default = "10.0.2.0/24"
+}
+variable "internal_network1_name" {
+ type = string
+ description = "1st internal network ID in the chosen zone. The network determines what network traffic the instance can access. If you have specified a CIDR block at var.internal_network1_cidr, this network name will not be used. "
+ default = ""
+}
+variable "internal_network1_subnetwork_name" {
+ type = string
+ description = "1st internal subnet ID in the chosen network. Assigns the instance an IPv4 address from the subnetwork’s range. If you have specified a CIDR block at var.internal_network1_cidr, this subnetwork will not be used. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network."
+ default = ""
+}
+variable "internal_network2_cidr" {
+ type = string
+ description = "Used only if var.num_internal_networks is 2 or and above - 2nd internal subnet CIDR. If the variable's value is not empty double quotes, a new subnet will be created. Assigns the cluster members an IPv4 address in this internal network."
+ default = ""
+}
+variable "internal_network2_name" {
+ type = string
+ description = "Used only if var.num_internal_networks is 2 or and above - 2nd internal network ID in the chosen zone. The network determines what network traffic the instance can access. If you have specified a CIDR block at var.internal_network2_cidr, this network name will not be used. "
+ default = ""
+}
+variable "internal_network2_subnetwork_name" {
+ type = string
+ description = "Used only if var.num_internal_networks is 2 or and above - 2nd internal subnet ID in the chosen network. Assigns the instance an IPv4 address from the subnetwork’s range. If you have specified a CIDR block at var.internal_network2_cidr, this subnetwork will not be used.
Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network."
+ default = ""
+}
+variable "internal_network3_cidr" {
+ type = string
+ description = "Used only if var.num_internal_networks is 3 or and above - 3rd internal subnet CIDR. If the variable's value is not empty double quotes, a new subnet will be created. Assigns the cluster members an IPv4 address in this internal network."
+ default = ""
+}
+variable "internal_network3_name" {
+ type = string
+ description = "Used only if var.num_internal_networks is 3 or and above - 3rd internal network ID in the chosen zone. The network determines what network traffic the instance can access. If you have specified a CIDR block at var.internal_network3_cidr, this network name will not be used. "
+ default = ""
+}
+variable "internal_network3_subnetwork_name" {
+ type = string
+ description = "Used only if var.num_internal_networks is 3 or and above - 3rd internal subnet ID in the chosen network. Assigns the instance an IPv4 address from the subnetwork’s range. If you have specified a CIDR block at var.internal_network3_cidr, this subnetwork will not be used. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network."
+ default = ""
+}
+variable "internal_network4_cidr" {
+ type = string
+ description = "Used only if var.num_internal_networks is 4 or and above - 4th internal subnet CIDR. If the variable's value is not empty double quotes, a new subnet will be created. Assigns the cluster members an IPv4 address in this internal network."
+ default = ""
+}
+variable "internal_network4_name" {
+ type = string
+ description = "Used only if var.num_internal_networks is 4 or and above - 4th internal network ID in the chosen zone. The network determines what network traffic the instance can access.
If you have specified a CIDR block at var.internal_network4_cidr, this network name will not be used. "
+ default = ""
+}
+variable "internal_network4_subnetwork_name" {
+ type = string
+ description = "Used only if var.num_internal_networks is 4 or and above - 4th internal subnet ID in the chosen network. Assigns the instance an IPv4 address from the subnetwork’s range. If you have specified a CIDR block at var.internal_network4_cidr, this subnetwork will not be used. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network."
+ default = ""
+}
+variable "internal_network5_cidr" {
+ type = string
+ description = "Used only if var.num_internal_networks is 5 or and above - 5th internal subnet CIDR. If the variable's value is not empty double quotes, a new subnet will be created. Assigns the cluster members an IPv4 address in this internal network."
+ default = ""
+}
+variable "internal_network5_name" {
+ type = string
+ description = "Used only if var.num_internal_networks is 5 or and above - 5th internal network ID in the chosen zone. The network determines what network traffic the instance can access. If you have specified a CIDR block at var.internal_network5_cidr, this network name will not be used. "
+ default = ""
+}
+variable "internal_network5_subnetwork_name" {
+ type = string
+ description = "Used only if var.num_internal_networks is 5 or and above - 5th internal subnet ID in the chosen network. Assigns the instance an IPv4 address from the subnetwork’s range. If you have specified a CIDR block at var.internal_network5_cidr, this subnetwork will not be used. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network."
+ default = ""
+}
+variable "internal_network6_cidr" {
+ type = string
+ description = "Used only if var.num_internal_networks equals 6 - 6th internal subnet CIDR.
If the variable's value is not empty double quotes, a new subnet will be created. Assigns the cluster members an IPv4 address in this internal network." + default = "" +} +variable "internal_network6_name" { + type = string + description = "Used only if var.num_internal_networks equals 6 - 6th internal network ID in the chosen zone. The network determines what network traffic the instance can access. If you have specified a CIDR block at var.internal_network6_cidr, this network name will not be used. " + default = "" +} +variable "internal_network6_subnetwork_name" { + type = string + description = "Used only if var.num_internal_networks equals 6 - 6th internal subnet ID in the chosen network. Assigns the instance an IPv4 address from the subnetwork’s range. If you have specified a CIDR block at var.internal_network6_cidr, this subnetwork will not be used. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network." + default = "" +} \ No newline at end of file diff --git a/terraform/gcp/single-into-existing-vpc/README.md b/terraform/gcp/single-into-existing-vpc/README.md new file mode 100755 index 00000000..a3213acb --- /dev/null +++ b/terraform/gcp/single-into-existing-vpc/README.md 
@@ -0,0 +1,275 @@ +# Check Point single gateway and management Terraform module for GCP + +Terraform module which deploys a single gateway and management of Check Point Security Gateways. + +These types of Terraform resources are supported: + [Instance Template](https://www.terraform.io/docs/providers/google/r/compute_instance_template.html) + [Firewall](https://www.terraform.io/docs/providers/google/r/compute_firewall.html) - conditional creation + [Instance Group Manager](https://www.terraform.io/docs/providers/google/r/compute_region_instance_group_manager.html) + [Compute instance](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance) + + +See Check Point's documentation for Single [here](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk114577) + +Terraform is controlled via a very easy to use command-line interface (CLI). Terraform is only a single command-line application: terraform. + +## Before you begin +1. Create a project in the [Google Cloud Console](https://console.cloud.google.com/) and set up billing on that project. +2. [Install Terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli) and read the Terraform getting started guide that follows. This guide will assume basic proficiency with Terraform - it is an introduction to the Google provider. + +## Configuring the Provider +The main.tf file includes the following provider configuration block used to configure the credentials you use to authenticate with GCP, as well as a default project and location for your resources: +``` +provider "google" { + credentials = file(var.service_account_path) + project = var.project +} +... +``` + +1. [Create a Service Account](https://cloud.google.com/docs/authentication/getting-started) (or use the existing one). Next, download the JSON key file. Name it something you can remember and store it somewhere secure on your machine.
+2. Select "Editor" Role or verify you have the following permissions: + ``` + compute.addresses.get + compute.addresses.use + compute.addresses.create + compute.disks.create + compute.disks.delete + compute.firewalls.create + compute.firewalls.delete + compute.firewalls.get + compute.images.get + compute.images.useReadOnly + compute.images.getFromFamily + compute.instanceTemplates.create + compute.instanceTemplates.delete + compute.instanceTemplates.get + compute.instanceTemplates.useReadOnly + compute.instances.addAccessConfig + compute.instances.create + compute.instances.delete + compute.instances.get + compute.instances.setMetadata + compute.instances.setTags + compute.instances.setLabels + compute.networks.get + compute.networks.updatePolicy + compute.regions.list + compute.subnetworks.get + compute.subnetworks.use + compute.subnetworks.useExternalIp + compute.zones.get + iam.serviceAccountKeys.get + iam.serviceAccountKeys.list + iam.serviceAccounts.actAs + iam.serviceAccounts.get + iam.serviceAccounts.list + iam.serviceAccounts.set + ``` +3. ```credentials``` - Your service account key file is used to complete a two-legged OAuth 2.0 flow to obtain access tokens to authenticate with the GCP API as needed; Terraform will use it to reauthenticate automatically when tokens expire.
+The provider credentials can be provided either as static credentials or as [Environment Variables](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#credentials-1). + - Static credentials can be provided by adding the path to your service-account json file, project-id and region in /gcp/modules/single/terraform.tfvars file as follows: + ``` + service_account_path = "service-accounts/service-account-file-name.json" + project = "project-id" + ``` + - In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in the main.tf file, in the provider google resource, need to be deleted or commented: + ``` + provider "google" { + // credentials = file(var.service_account_path) + // project = var.project + + } + ``` + b.In the terraform.tfvars file leave empty double quotes for credentials and project variables: + ``` + service_account_path = "" + project = "" + ``` +## Usage +- Fill all variables in the /gcp/single/terraform.tfvars file with proper values (see below for variables descriptions). +- From a command line initialize the Terraform configuration directory: + ``` + terraform init + ``` +- Create an execution plan: + ``` + terraform plan + ``` +- Create or modify the deployment: + ``` + terraform apply + ``` + +#### Variables are configured in single/terraform.tfvars file as follows: +``` +# --- Google Provider --- +service_account_path = "service-accounts/service-account-file-name.json" +project = "project-id" + +# --- Check Point--- +image_name = "check-point-r8110-gw-byol-single-335-985-v20220126" +installationType = "Gateway only" +license = "BYOL" +prefix = "chkp-single-tf-" +management_nic = "Ephemeral Public IP (eth0)" +admin_shell = "/etc/cli.sh" +admin_SSH_key = "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" +generatePassword = false +allow_upload_download = true +sicKey = "" +managementGUIClientNetwork = "0.0.0.0/0" + +#--- Quick connect to Smart-1 Cloud --- +smart_1_cloud_token = "xxxxxxxxxxxxxxxxxxxxxxxx" + +# --- Networking --- +zone = "us-central1-a +network = ["default"] +subnetwork = ["default"] +network_enableTcp= true +network_tcpSourceRanges= ["0.0.0.0/0"] +network_enableGwNetwork= false +network_gwNetworkSourceRanges= [""] +network_enableIcmp= false +network_icmpSourceRanges = [""] +network_enableUdp= false +network_udpSourceRanges= [""] +network_enableSctp= false +network_sctpSourceRanges= [""] +network_enableEsp= false +network_espSourceRanges= [""] +numAdditionalNICs= 1 +externalIP= "static" 
+internal_network1_network= [""] +internal_network1_subnetwork = [""] + +# --- Instance Configuration --- +machine_type = "n1-standard-4" +diskType = "SSD Persistent Disk" +bootDiskSizeGb = 100 +enableMonitoring = false + +``` + +- To tear down your resources: + ``` + terraform destroy + ``` + +## Conditional creation +To create Firewall and allow traffic for ICMP, TCP, UDP, SCTP or/and ESP - enter list of Source IP ranges. +``` +ICMP_traffic = ["123.123.0.0/24", "234.234.0.0/24"] +TCP_traffic = ["0.0.0.0/0"] +UDP_traffic = ["0.0.0.0/0"] +SCTP_traffic = ["0.0.0.0/0"] +ESP_traffic = ["0.0.0.0/0"] +``` +Please leave empty list for a protocol if you want to disable traffic for it. + +## Inputs +| Name | Description | Type | Allowed values |Default| Required | +| ------------- | ------------- | ------------- | ------------- |-------|---------------| +| service_account_path | User service account path in JSON format - From the service account key page in the Cloud Console choose an existing account or create a new one. Next, download the JSON key file. Name it something you can remember, store it somewhere secure on your machine, and supply the path to the location is stored. (e.g. "service-accounts/service-account-name.json") | string | N/A | "" | yes | +| | | | | | +| project | Personal project id. The project indicates the default GCP project all of your resources will be created in. | string | N/A | "" | yes | +| | | | | | +| zone | The zone determines what computing resources are available and where your data is stored and used | string | List of allowed [Regions and Zones](https://cloud.google.com/compute/docs/regions-zones?_ga=2.31926582.-962483654.1585043745) |us-central1-a|yes| +| | | | | | +| image_name |The single gateway or management image name (e.g. check-point-r8110-gw-byol-single-335-985-v20220126 for gateway or check-point-r8110-byol-335-883-v20210706 for management). 
You can choose the desired gateway image value from [Github](https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/single-byol/images.py).| string | N/A | N/A | yes | +| | | | | | +| installationType | Installation type and version | string |Gateway only;
Management only;
Manual Configuration
Gateway and Management (Standalone) |Gateway only|yes| +| | | | | | +| license | Checkpoint license (BYOL or PAYG).|string|BYOL;
PAYG;|BYOL|yes| +| | | | | | +| prefix | (Optional) Resources name prefix|string|N\A|chkp-single-tf-|no| +| | | | | | +| machineType | Machine types determine the specifications of your machines, such as the amount of memory, virtual cores, and persistent disk limits an instance will have | string | [Learn more about Machine Types](https://cloud.google.com/compute/docs/machine-types?hl=en_US&_ga=2.267871494.-962483654.1585043745) | n1-standard-4|no| +| | | | | | +| network | The network determines what network traffic the instance can access | list(string) | Available network in the chosen zone |N/A|yes| +| | | | | | +| Subnetwork | Assigns the instance an IPv4 address from the subnetwork’s range. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network. | list(string) | Available subnetwork in the chosen network |N/A|yes| +| | | | | | +| network_enableTcp | Allow TCP traffic from the Internet | boolean | true;
false; |false|no| +| | | | | | +| network_tcpSourceRanges | Allow TCP traffic from the Internet | list(string) | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009 [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) |N/A|no| +| | | | | | +| network_enableGwNetwork | This is relevant for Management only. The network in which managed gateways reside | boolean | true;
false; |false|no| +| | | | | | +| network_gwNetworkSourceRanges | Allow TCP traffic from the Internet | list(string) | Enter a valid IPv4 network CIDR (e.g. 0.0.0.0/0) |N/A|no| +| | | | | | +| network_enableIcmp | Allow ICMP traffic from the Internet | boolean | true;
false; |false|no| +| | | | | | +| network_icmpSourceRanges | Source IP ranges for ICMP traffic | list(string) | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) |N/A|no| +| | | | | | +| network_enableUdp | Allow UDP traffic from the Internet | boolean | true;
false; |false|no| +| | | | | | +| network_udpSourceRanges | Source IP ranges for UDP traffic | list(string) | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) |N/A|no| +| | | | | | +| network_enableSctp | Allow SCTP traffic from the Internet | boolean | true;
false; |false|no| +| | | | | | +| network_sctpSourceRanges | Source IP ranges for SCTP traffic | list(string) | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) |N/A|no| +| | | | | | +| network_enableEsp | Allow ESP traffic from the Internet | boolean | true;
false; |false|no| +| | | | | | +| network_espSourceRanges | Source IP ranges for ESP traffic | list(string) | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) |N/A|no| +| | | | | | +| diskType | Disk type | string | SSD Persistent Disk;
standard-Persistent Disk;
Storage space is much less expensive for a standard persistent disk. An SSD persistent disk is better for random IOPS or streaming throughput with low latency. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.66020774.-962483654.1585043745#overview_of_disk_types)|SSD Persistent Disk|no| +| | | | | | +| bootDiskSizeGb | Disk size in GB | number | Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.232680471.-962483654.1585043745#pdperformance)|100|no| +| | | | | | +| generatePassword | Automatically generate an administrator password | boolean | true;
false; |false|no| +| | | | | | +| allowUploadDownload | Allow download from/upload to Check Point | boolean | true;
false; |false|no| +| | | | | | +| enableMonitoring | Enable Stackdriver monitoring | boolean | true;
false; |false|no| +| | | | | | +| admin_shell | Change the admin shell to enable advanced command line configuration. | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh;
|/etc/cli.sh|no| +| | | | | | +| admin_SSH_key | Public SSH key for the user 'admin' - The SSH public key for SSH authentication to the instances. Leave this field blank to use all project-wide pre-configured SSH keys. | string | A valid public ssh key | "" | no | +| | | | | | +| sicKey | The Secure Internal Communication one time secret used to set up trust between the single gateway object and the management server | string | At least 8 alpha numeric characters.
If SIC is not provided and needed, a key will be automatically generated |""|no| +| | | | | | +| managementGUIClientNetwork | Allowed GUI clients | string | A valid IPv4 network CIDR (e.g. 0.0.0.0/0) |0.0.0.0/0|no| +| | | | | | +| smart_1_cloud_token | Smart-1 Cloud token to connect this gateway to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal.| +| | | | | | +| numAdditionalNICs | Number of additional network interfaces | number | A number in the range 0 - 8.
Multiple network interfaces deployment is described in [sk121637 - Deploy a CloudGuard for GCP with Multiple Network Interfaces](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk121637) |0|no| +| | | | | | +| externalIP | External IP address type | string | Static;
Ephemeral;
An external IP address associated with this instance. Selecting "None" will result in the instance having no external internet access. [Learn more](https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address?_ga=2.259654658.-962483654.1585043745) |static|no| +| | | | | | +| management_nic | Management Interface - Security Gateways in GCP can be managed by an ephemeral public IP or using the private IP of the internal interface (eth1). | string | Ephemeral Public IP (eth0)
- Private IP (eth1) |XEphemeral Public IP (eth0)|no| +| | | | | | + +## Outputs +| Name | Description | +| ------------- | ------------- | +| SIC_key | Secure Internal Communication (SIC) initiation key. | +| ICMP_firewall_rules_name | If enable - the ICMP firewall rules name, otherwise, an empty list. | +| TCP_firewall_rules_name | If enable - the TCP firewall rules name, otherwise, an empty list. | +| UDP_firewall_rules_name | If enable - the UDP firewall rules name, otherwise, an empty list. | +| SCTP_firewall_rules_name | If enable - the SCTP firewall rules name, otherwise, an empty list. | +| ESP_firewall_rules_name | If enable - the ESP firewall rules name, otherwise, an empty list. | + +## Revision History +In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +| ---------------- | ------------- | +| 20230209 | Added Smart-1 Cloud support. | +| | | | +| 20230109 | Updated startup script to use cloud-config. | +| | | | +| 20201208 | First release of Check Point Check Point CloudGuard IaaS High Availability Terraform solution on GCP. | +| | | | +| | Addition of "template_type" parameter to "cloud-version" files. | +| | | | + +## Authors + + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../../LICENSE) file for details diff --git a/terraform/gcp/single-into-existing-vpc/locals.tf b/terraform/gcp/single-into-existing-vpc/locals.tf new file mode 100755 index 00000000..39527714 --- /dev/null +++ b/terraform/gcp/single-into-existing-vpc/locals.tf 
@@ -0,0 +1,55 @@
+locals {
+ license_allowed_values = [
+ "BYOL",
+ "PAYG"]
+ // will fail if [var.license] is invalid:
+ validate_license = index(local.license_allowed_values, upper(var.license))
+
+ installation_type_allowed_values = [
+ "Gateway only",
+ "Management only",
+ "Standalone",
+ "Manual Configuration"
+ ]
+ // Will fail if the installation type is none of the above
+ validate_installation_type = index(local.installation_type_allowed_values, var.installationType)
+
+ regex_valid_sicKey = "^([a-z0-9A-Z]{8,30})$"
+ // Will fail if var.sicKey is invalid
+ regex_sicKey = regex(local.regex_valid_sicKey, var.sicKey) == var.sicKey ? 0 : "Variable [sicKey] must be at least 8 alphanumeric characters."
+
+ regex_validate_mgmt_image_name = "check-point-r8[0-1][1-4]0-(byol|payg)-[0-9]{3}-([0-9]{3,}|[a-z]+)-v[0-9]{8,}"
+ regex_validate_single_image_name = "check-point-r8[0-1][1-4]0-gw-(byol|payg)-single-[0-9]{3}-([0-9]{3,}|[a-z]+)-v[0-9]{8,}"
+ // will fail if the image name is not in the right syntax
+ validate_image_name = var.installationType != "Gateway only" && length(regexall(local.regex_validate_mgmt_image_name, var.image_name)) > 0 ? 0 : (var.installationType == "Gateway only" && length(regexall(local.regex_validate_single_image_name, var.image_name)) > 0 ? 0 : index(split("-", var.image_name), "INVALID IMAGE NAME"))
+ regex_valid_admin_SSH_key = "^(^$|ssh-rsa AAAA[0-9A-Za-z+/]+[=]{0,3})"
+ // Will fail if var.admin_SSH_key is invalid
+ regex_admin_SSH_key = regex(local.regex_valid_admin_SSH_key, var.admin_SSH_key) == var.admin_SSH_key ? 0 : "Please enter a valid SSH public key or leave empty"
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"]
+ // Will fail if var.admin_shell is invalid
+ validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell)
+ disk_type_allowed_values = [
+ "SSD Persistent Disk",
+ "Balanced Persistent Disk",
+ "Standard Persistent Disk"]
+ // Will fail if var.disk_type is invalid
+ validate_disk_type = index(local.disk_type_allowed_values, var.diskType)
+ adminPasswordSourceMetadata = var.generatePassword ?random_string.generated_password.result : ""
+ disk_type_condition = var.diskType == "SSD Persistent Disk" ? "pd-ssd" : var.diskType == "Balanced Persistent Disk" ? "pd-balanced" : var.diskType == "Standard Persistent Disk" ? "pd-standard" : ""
+ admin_SSH_key_condition = var.admin_SSH_key != "" ? true : false
+ ICMP_traffic_condition = length(var.network_icmpSourceRanges ) == 0 ? 0 : 1
+ TCP_traffic_condition = length(var.network_tcpSourceRanges) == 0 ? 0 : 1
+ UDP_traffic_condition = length(var.network_udpSourceRanges ) == 0 ? 0 : 1
+ SCTP_traffic_condition = length(var.network_sctpSourceRanges) == 0 ? 0 : 1
+ ESP_traffic_condition = length(var.network_espSourceRanges) == 0 ? 0 : 1
+ // Will fail if management_only and payg
+ is_management_only = var.installationType == "Management only"
+ is_license_payg = var.license == "PAYG"
+ validation_message = "Cannot use 'Management only' installation type with 'PAYG' license."
+ _= regex("^$",local.is_management_only && local.is_license_payg ? local.validation_message : "")
+
+}
diff --git a/terraform/gcp/single-into-existing-vpc/main.tf b/terraform/gcp/single-into-existing-vpc/main.tf
new file mode 100755
index 00000000..aeab8b93
--- /dev/null
+++ b/terraform/gcp/single-into-existing-vpc/main.tf
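Review bot: The PAYG guard at the bottom of the block is case-sensitive while the license validation above it is not: `validate_license` indexes `upper(var.license)`, so a value such as `payg` passes validation but `is_license_payg = var.license == "PAYG"` stays false and the 'Management only' + PAYG check never fires; use `is_license_payg = upper(var.license) == "PAYG"`. `installation_type_allowed_values` accepts `Standalone`, whereas this module's README and the `(Standalone)` string checks in main.tf use `Gateway and Management (Standalone)`, which `index()` here rejects — one of the two spellings should go. `regex_valid_sicKey` has no empty alternative (compare `regex_valid_admin_SSH_key`), so if `var.sicKey` defaults to `""` as the README states, `regex()` fails the plan instead of letting a key be generated; `"^(^$|[a-z0-9A-Z]{8,30})$"` would admit the empty case. As a matter of style, `validation` blocks on the variables would replace these `index()`/`regex()` tricks and surface the intended error messages rather than a function failure.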
@@ -0,0 +1,218 @@
+provider "google" {
+ credentials = file(var.service_account_path)
+ project = var.project
+ zone = var.zone
+}
+
+resource "random_string" "random_string" {
+ length = 5
+ special = false
+ upper = false
+ keepers = {}
+}
+data "google_compute_network" "external_network" {
+ name = var.network[0]
+}
+resource "random_string" "random_sic_key" {
+ length = 12
+ special = false
+}
+
+resource "google_compute_firewall" "ICMP_firewall_rules" {
+ count = local.ICMP_traffic_condition
+ name = "${var.prefix}-icmp-${random_string.random_string.result}"
+ network = data.google_compute_network.external_network.self_link
+ allow {
+ protocol = "icmp"
+ }
+ source_ranges = var.network_icmpSourceRanges
+ target_tags = [
+ "checkpoint-${replace(replace(lower(var.installationType)," ","-"),"(standalone)","standalone")}"]
+}
+resource "google_compute_firewall" "TCP_firewall_rules" {
+ count = local.TCP_traffic_condition
+ name = "${var.prefix}-tcp-${random_string.random_string.result}"
+ network = data.google_compute_network.external_network.self_link
+ allow {
+ protocol = "tcp"
+ }
+ source_ranges = var.network_tcpSourceRanges
+ target_tags = [
+ "checkpoint-${replace(replace(lower(var.installationType)," ","-"),"(standalone)","standalone")}"]
+}
+resource "google_compute_firewall" "UDP_firewall_rules" {
+ count = local.UDP_traffic_condition
+ name = "${var.prefix}-udp-${random_string.random_string.result}"
+ network = data.google_compute_network.external_network.self_link
+ allow {
+ protocol = "udp"
+ }
+ source_ranges = var.network_udpSourceRanges
+ target_tags = [
+ "checkpoint-${replace(replace(lower(var.installationType)," ","-"),"(standalone)","standalone")}"]
+}
+resource "random_string" "generated_password" {
+ length = 12
+ special = false
+}
+resource "google_compute_firewall" "SCTP_firewall_rules" {
+ count = local.SCTP_traffic_condition
+ name = "${var.prefix}-sctp-${random_string.random_string.result}"
+ network = data.google_compute_network.external_network.self_link
+ allow {
+ protocol = "sctp"
+ }
+ source_ranges = var.network_sctpSourceRanges
+ target_tags = [
+ "checkpoint-${replace(replace(lower(var.installationType)," ","-"),"(standalone)","standalone")}"]
+}
+resource "google_compute_firewall" "ESP_firewall_rules" {
+ count = local.ESP_traffic_condition
+ name = "${var.prefix}-esp-${random_string.random_string.result}"
+ network = data.google_compute_network.external_network.self_link
+ allow {
+ protocol = "esp"
+ }
+ source_ranges = var.network_espSourceRanges
+ target_tags = [
+ "checkpoint-${replace(replace(lower(var.installationType)," ","-"),"(standalone)","standalone")}"]
+}
+
+resource "google_compute_instance" "gateway" {
+ name = "${var.prefix}-${random_string.random_string.result}"
+ description = "Check Point Security ${replace(var.installationType,"(Standalone)","--")==var.installationType?split(" ",var.installationType)[0]:" Gateway and Management"}"
+ zone = var.zone
+ labels = {goog-dm = "${var.prefix}-${random_string.random_string.result}"}
+ tags =replace(var.installationType,"(Standalone)","--")==var.installationType?[
+ "checkpoint-${split(" ",lower(var.installationType))[0]}","${var.prefix}${random_string.random_string.result}"
+ ]:["checkpoint-gateway","checkpoint-management","${var.prefix}${random_string.random_string.result}"]
+ machine_type = var.machine_type
+ can_ip_forward = var.installationType == "Management only"? false:true
+ boot_disk {
+ auto_delete = true
+ device_name = "chkp-single-boot-${random_string.random_string.result}"
+ initialize_params {
+ size = var.bootDiskSizeGb
+ type = local.disk_type_condition
+ image = "checkpoint-public/${var.image_name}"
+ }
+ }
+ network_interface {
+ network = var.network[0]
+ subnetwork = var.subnetwork[0]
+ dynamic "access_config" {
+ for_each = var.externalIP == "None"? []:[1]
+ content {
+ nat_ip = var.externalIP=="static" ? google_compute_address.static.address : null
+ }
+ }
+
+ }
+ dynamic "network_interface" {
+ for_each = var.numAdditionalNICs >= 1 ? [
+ 1] : []
+ content {
+ network = var.internal_network1_network[0]
+ subnetwork = var.internal_network1_subnetwork[0]
+ }
+ }
+ dynamic "network_interface" {
+ for_each = var.numAdditionalNICs >= 2 ? [
+ 1] : []
+ content {
+ network = var.internal_network2_network[0]
+ subnetwork = var.internal_network2_subnetwork[0]
+ }
+ }
+ dynamic "network_interface" {
+ for_each = var.numAdditionalNICs >= 3 ? [
+ 1] : []
+ content {
+ network = var.internal_network3_network[0]
+ subnetwork = var.internal_network3_subnetwork[0]
+ }
+ }
+ dynamic "network_interface" {
+ for_each = var.numAdditionalNICs >= 4 ? [
+ 1] : []
+ content {
+ network = var.internal_network4_network[0]
+ subnetwork = var.internal_network4_subnetwork[0]
+ }
+ }
+ dynamic "network_interface" {
+ for_each = var.numAdditionalNICs >= 5 ? [
+ 1] : []
+ content {
+ network = var.internal_network5_network[0]
+ subnetwork = var.internal_network5_subnetwork[0]
+ }
+ }
+ dynamic "network_interface" {
+ for_each = var.numAdditionalNICs == 6 ? [
+ 1] : []
+ content {
+ network = var.internal_network6_network[0]
+ subnetwork = var.internal_network6_subnetwork[0]
+ }
+ }
+ dynamic "network_interface" {
+ for_each = var.numAdditionalNICs == 7 ? [
+ 1] : []
+ content {
+ network = var.internal_network7_network[0]
+ subnetwork = var.internal_network7_subnetwork[0]
+ }
+ }
+ dynamic "network_interface" {
+ for_each = var.numAdditionalNICs == 8 ? [
+ 1] : []
+ content {
+ network = var.internal_network8_network[0]
+ subnetwork = var.internal_network8_subnetwork[0]
+ }
+ }
+
+ service_account {
+ scopes = [
+ "https://www.googleapis.com/auth/cloudruntimeconfig",
+ "https://www.googleapis.com/auth/monitoring.write"]
+ }
+
+ metadata = local.admin_SSH_key_condition ? {
+ instanceSSHKey = var.admin_SSH_key
+ adminPasswordSourceMetadata = var.generatePassword ?random_string.generated_password.result : ""
+ } : {adminPasswordSourceMetadata = var.generatePassword?random_string.generated_password.result : ""}
+
+ metadata_startup_script = templatefile("${path.module}/../common/startup-script.sh", {
+ // script's arguments
+ generatePassword = var.generatePassword
+ config_url = "https://runtimeconfig.googleapis.com/v1beta1/projects/${var.project}/configs/-config"
+ config_path = "projects/${var.project}/configs/-config"
+ sicKey = ""
+ allowUploadDownload = var.allowUploadDownload
+ templateName = "single_tf"
+ templateVersion = "20230109"
+ templateType = "terraform"
+ hasInternet = "true"
+ enableMonitoring = var.enableMonitoring
+ shell = var.admin_shell
+ installationType = var.installationType
+ computed_sic_key = var.sicKey
+ managementGUIClientNetwork = var.managementGUIClientNetwork
+ installSecurityManagement = true
+ primary_cluster_address_name = ""
+ secondary_cluster_address_name = ""
+ subnet_router_meta_path = ""
+ mgmtNIC = var.management_nic
+ managementNetwork = ""
+ numAdditionalNICs = ""
+ smart_1_cloud_token = var.smart_1_cloud_token
+ name = ""
+ zoneConfig = ""
+ region = ""
+ })
+}
+resource "google_compute_address" "static" {
+ name = "ipv4-address-${random_string.random_string.result}"
+}
\ No newline at end of file
diff --git a/terraform/gcp/single-into-existing-vpc/output.tf b/terraform/gcp/single-into-existing-vpc/output.tf
new file mode 100755
index 00000000..0f0882d0
--- /dev/null
+++ b/terraform/gcp/single-into-existing-vpc/output.tf
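Review bot: The firewall rules' `target_tags` and the instance's `tags` are computed by different expressions and, for the plain installation types, do not meet: the five rules target `checkpoint-${replace(replace(lower(var.installationType)," ","-"),"(standalone)","standalone")}` (e.g. `checkpoint-gateway-only`, `checkpoint-management-only`), while the instance tags itself `checkpoint-gateway` / `checkpoint-management`, so as far as I can evaluate these expressions the rules never attach to the instance; derive both from a single local. The TCP rule has no `ports`, so a 'Management only' deployment opens every TCP port to `network_tcpSourceRanges` (the README example is `0.0.0.0/0`), contrary to the port list the README documents for management; `ports = var.installationType == "Management only" ? ["22", "257", "443", "18190", "18191", "18210", "18264", "19009"] : null` inside the `allow` block would restrict it. `random_string.generated_password` is not a sensitive value, so the generated admin password appears unredacted in plan/apply output; `random_password` with the same arguments preserves the behaviour and redacts it, and the README should state that the password also remains readable in instance metadata (`adminPasswordSourceMetadata`) to anyone holding `compute.instances.get`. The `service_account` block sets scopes but no `email`, so the instance presumably runs as the project's default compute service account; exposing a variable for a dedicated least-privilege account would be worthwhile.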
@@ -0,0 +1,18 @@
+output "SIC_key" {
+ value = random_string.random_sic_key.result
+}
+output "ICMP_firewall_rules_name" {
+ value = google_compute_firewall.ICMP_firewall_rules[*].name
+}
+output "TCP_firewall_rules_name" {
+ value = google_compute_firewall.TCP_firewall_rules[*].name
+}
+output "UDP_firewall_rules_name" {
+ value = google_compute_firewall.UDP_firewall_rules[*].name
+}
+output "SCTP_firewall_rules_name" {
+ value = google_compute_firewall.SCTP_firewall_rules[*].name
+}
+output "ESP_firewall_rules_name" {
+ value = google_compute_firewall.ESP_firewall_rules[*].name
+}
\ No newline at end of file
diff --git a/terraform/gcp/single-into-existing-vpc/terraform.tfvars b/terraform/gcp/single-into-existing-vpc/terraform.tfvars
new file mode 100755
index 00000000..8ac21504
--- /dev/null
+++ b/terraform/gcp/single-into-existing-vpc/terraform.tfvars
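Review bot: The `SIC_key` output exposes `random_string.random_sic_key.result`, a one-time trust secret, without `sensitive = true`, so it is printed in clear by every `terraform apply` and `terraform output` run and ends up in CI logs. Adding `sensitive = true` next to `value` keeps it redacted in normal output while it stays retrievable on demand with `terraform output -raw SIC_key`. The same applies to the `SIC_key` output in terraform/gcp/single-into-new-vpc/output.tf, which re-exports it as `module.single-into-existing-vpc.SIC_key` and must also carry `sensitive = true` once the module output is marked. The value remains in the state file either way, so state storage still needs to be treated as secret.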
@@ -0,0 +1,46 @@
+# --- Google Provider ---
+service_account_path = "PLEASE ENTER SERVICE_ACCOUNT_PATH" # "service-accounts/service-account-file-name.json"
+project = "PLEASE ENTER PROJECT ID" # "project-id"
+
+# --- Check Point Deployment---
+image_name = "PLEASE ENTER IMAGE_NAME" # "check-point-r8110-gw-byol-single-335-985-v20220126"
+installationType = "PLEASE ENTER INSTALLATION TYPE" # "Gateway only"
+license = "PLEASE ENTER LICENSE" # "BYOL"
+prefix = "PLEASE ENTER PREFIX" # "chkp-single-tf-"
+management_nic = "PLEASE ENTER MANAGEMENT_NIC" # "Ephemeral Public IP (eth0)"
+admin_shell = "PLEASE ENTER ADMIN_SHELL" # "/etc/cli.sh"
+admin_SSH_key = "PLEASE ENTER ADMIN_SSH_KEY" # "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key"
+generatePassword = "PLEASE ENTER GENERATE PASSWORD" # false
+allowUploadDownload = "PLEASE ENTER ALLOW UPLOAD DOWNLOAD" # false
+sicKey = "PLEASE ENTER SIC KEY" # ""
+managementGUIClientNetwork = "PLEASE ENTER MANAGEMENT GUI CLIENT NETWORK" # "0.0.0.0/0"
+
+# --- Quick connect to Smart-1 Cloud ---
+smart_1_cloud_token = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL" # ""
+
+# --- Networking---
+zone = "PLEASE ENTER ZONE" # "us-central1-a"
+network = "PLEASE ENTER NETWORK" # ["default"]
+subnetwork = "PLEASE ENTER SUBNETWORK" # ["default"]
+network_enableTcp = "PLEASE ENTER NETWORK ENABLE TCP" # false
+network_tcpSourceRanges = "PLEASE ENTER NETWORK TCP SOURCE RANGES" # [""]
+network_enableGwNetwork = "PLEASE ENTER NETWORK ENABLE GW NETWORK" # false
+network_gwNetworkSourceRanges = "PLEASE ENTER NETWORK GW NETWORK SOURCE RANGES" # [""]
+network_enableIcmp = "PLEASE ENTER NETWORK ENABLE ICMP" # false
+network_icmpSourceRanges = "PLEASE ENTER NETWORK ICMP SOURCE RANGES" # [""]
+network_enableUdp = "PLEASE ENTER NETWORK ENABLE UDP" # false
+network_udpSourceRanges = "PLEASE ENTER NETWORK UDP SOURCE RANGES" # [""]
+network_enableSctp = "PLEASE ENTER NETWORK ENABLE SCTP" # false
+network_sctpSourceRanges = "PLEASE ENTER NETWORK SCTP SOURCE RANGES"
# [""]
+network_enableEsp = "PLEASE ENTER NETWORK ENABLE ESP" # false
+network_espSourceRanges = "PLEASE ENTER NETWORK ESP SOURCE RANGES" # [""]
+numAdditionalNICs = "PLEASE ENTER NUM ADDITIONAL NICS" # 1
+externalIP = "PLEASE ENTER EXTERNAL IP" # "static"
+internal_network1_network = "PLEASE ENTER INTERNAL_NETWORK1_NETWORK" # [""]
+internal_network1_subnetwork = "PLEASE ENTER INTERNAL_NETWORK1_SUBNETWORK" # [""]
+
+# --- Instances configuration---
+machine_type = "PLEASE ENTER MACHINE_TYPE" # "n1-standard-4"
+diskType = "PLEASE ENTER DISK TYPE" # "SSD Persistent Disk"
+bootDiskSizeGb = "PLEASE ENTER BOOT DISK SIZE GB" # 100
+enableMonitoring = "PLEASE ENTER ENABLE MONITORING" # false
diff --git a/terraform/gcp/single-into-existing-vpc/variables.tf b/terraform/gcp/single-into-existing-vpc/variables.tf
new file mode 100755
index 00000000..cc620851
--- /dev/null
+++ b/terraform/gcp/single-into-existing-vpc/variables.tf
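Review bot: The example comment on the `managementGUIClientNetwork` line, `# "0.0.0.0/0"`, steers users toward opening the management GUI listener to every source address; the example should show an administrator range instead, e.g. `# "203.0.113.0/24"` (a documentation-range CIDR, constructed here), with `0.0.0.0/0` mentioned only as the widest possible setting. The file also places the `sicKey`, `smart_1_cloud_token` and `admin_SSH_key` lines among ordinary inputs in a file that is normally committed once filled in, and nothing in the hunk tells the reader to keep the filled-in values out of version control. A header comment such as `# Secrets (sicKey, smart_1_cloud_token) can be supplied via TF_VAR_<name> environment variables or a git-ignored *.auto.tfvars instead of this file` would cover that. The same layout and the same `0.0.0.0/0` example appear in terraform/gcp/single-into-new-vpc/terraform.tfvars.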
@@ -0,0 +1,254 @@
+variable "service_account_path" {
+ type = string
+ description = "User service account path in JSON format - From the service account key page in the Cloud Console choose an existing account or create a new one. Next, download the JSON key file. Name it something you can remember, store it somewhere secure on your machine, and supply the path to the location is stored."
+ default = ""
+}
+variable "project" {
+ type = string
+ description = "Personal project id. The project indicates the default GCP project all of your resources will be created in."
+ default = ""
+}
+variable "zone" {
+ type = string
+ description = "The zone determines what computing resources are available and where your data is stored and used"
+ default = "us-central1-a"
+}
+variable "image_name" {
+ type = string
+ description = "The single gateway and management image name. You can choose the desired image value from: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/single-byol/images.py"
+}
+variable "installationType" {
+ type = string
+ description = "Installation type and version"
+ default = "Gateway only"
+}
+variable "license" {
+ type = string
+ description = "Checkpoint license (BYOL or PAYG)."
+ default = "BYOL"
+}
+variable "prefix" {
+ type = string
+ description = "(Optional) Resources name prefix"
+ default = "chkp-single-tf-"
+}
+variable "machine_type" {
+ type = string
+ default = "n1-standard-4"
+}
+variable "network" {
+ type = list(string)
+ description = "The network determines what network traffic the instance can access"
+ default = ["default"]
+}
+variable "subnetwork" {
+ type = list(string)
+ description = "Assigns the instance an IPv4 address from the subnetwork’s range. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network."
+ default = ["default"]
+}
+variable "network_enableTcp" {
+ type = bool
+ description = "Allow TCP traffic from the Internet"
+ default = false
+}
+variable "network_tcpSourceRanges" {
+ type = list(string)
+ description = "Allow TCP traffic from the Internet"
+ default = []
+}
+variable "network_enableGwNetwork" {
+ type = bool
+ description = "This is relevant for Management only. The network in which managed gateways reside"
+ default = false
+}
+variable network_gwNetworkSourceRanges{
+ type = list(string)
+ description = "Allow TCP traffic from the Internet"
+ default = []
+}
+variable "network_enableIcmp" {
+ type = bool
+ description ="Allow ICMP traffic from the Internet"
+ default = false
+}
+variable "network_icmpSourceRanges" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for ICMP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable ICMP traffic."
+ default = []
+}
+variable network_enableUdp{
+ type = bool
+ description ="Allow UDP traffic from the Internet"
+ default = false
+}
+variable "network_udpSourceRanges" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for UDP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable UDP traffic."
+ default = []
+}
+variable "network_enableSctp" {
+ type = bool
+ description ="Allow SCTP traffic from the Internet"
+ default = false
+}
+variable "network_sctpSourceRanges" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for SCTP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable SCTP traffic."
+ default = []
+}
+
+variable "network_enableEsp" {
+ type = bool
+ description ="Allow ESP traffic from the Internet "
+ default = false
+}
+variable "network_espSourceRanges" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for ESP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable ESP traffic."
+ default = []
+}
+variable "diskType" {
+ type = string
+ description ="Disk type"
+ default = "SSD Persistent Disk"
+}
+variable "bootDiskSizeGb" {
+ type = number
+ description ="Disk size in GB"
+ default = 100
+}
+variable "generatePassword" {
+ type = bool
+ description ="Automatically generate an administrator password "
+ default = false
+}
+variable "management_nic" {
+ type = string
+ description = "Management Interface - Gateways in GCP can be managed by an ephemeral public IP or using the private IP of the internal interface (eth1)."
+ default = "Ephemeral Public IP (eth0)"
+}
+variable "allowUploadDownload" {
+ type = string
+ description ="Allow download from/upload to Check Point"
+ default = true
+}
+variable "enableMonitoring" {
+ type = bool
+ description ="Enable Stackdriver monitoring"
+ default = false
+}
+variable "admin_shell" {
+ type = string
+ description = "Change the admin shell to enable advanced command line configuration."
+ default = "/etc/cli.sh"
+}
+variable "admin_SSH_key" {
+ type = string
+ description = "(Optional) The SSH public key for SSH authentication to the template instances. Leave this field blank to use all project-wide pre-configured SSH keys."
+ default = ""
+}
+variable "sicKey" {
+ type = string
+ description ="The Secure Internal Communication one time secret used to set up trust between the single gateway object and the management server"
+ default = ""
+}
+variable "managementGUIClientNetwork" {
+ type = string
+ description ="Allowed GUI clients "
+ default = "0.0.0.0/0"
+}
+variable "smart_1_cloud_token" {
+ type = string
+ description ="(Optional) Smart-1 cloud token to connect this Gateway to Check Point's Security Management as a Service"
+ default = ""
+}
+variable "numAdditionalNICs" {
+ type = number
+ description ="Number of additional network interfaces"
+ default = 0
+}
+variable "externalIP" {
+ type = string
+ description = "External IP address type"
+ default = "static"
+}
+variable "internal_network1_network" {
+ type = list(string)
+ description = "1st internal network ID in the chosen zone."
+ default = []
+}
+variable "internal_network1_subnetwork" {
+ type = list(string)
+ description = "1st internal subnet ID in the chosen network."
+ default = []
+}
+variable "internal_network2_network" {
+ type = list(string)
+ description = "2nd internal network ID in the chosen zone."
+ default = []
+}
+variable "internal_network2_subnetwork" {
+ type = list(string)
+ description = "2nd internal subnet ID in the chosen network."
+ default = []
+}
+variable "internal_network3_network" {
+ type = list(string)
+ description = "3rd internal network ID in the chosen zone."
+ default = []
+}
+variable "internal_network3_subnetwork" {
+ type = list(string)
+ description = "3rd internal subnet ID in the chosen network."
+ default = []
+}
+variable "internal_network4_network" {
+ type = list(string)
+ description = "4th internal network ID in the chosen zone."
+ default = []
+}
+variable "internal_network4_subnetwork" {
+ type = list(string)
+ description = "4th internal subnet ID in the chosen network."
+ default = []
+}
+variable "internal_network5_network" {
+ type = list(string)
+ description = "5th internal network ID in the chosen zone."
+ default = []
+}
+variable "internal_network5_subnetwork" {
+ type = list(string)
+ description = "5th internal subnet ID in the chosen network."
+ default = []
+}
+variable "internal_network6_network" {
+ type = list(string)
+ description = "6th internal network ID in the chosen zone."
+ default = []
+}
+variable "internal_network6_subnetwork" {
+ type = list(string)
+ description = "6th internal subnet ID in the chosen network."
+ default = []
+}
+variable "internal_network7_network" {
+ type = list(string)
+ description = "7th internal network ID in the chosen zone."
+ default = []
+}
+variable "internal_network7_subnetwork" {
+ type = list(string)
+ description = "7th internal subnet ID in the chosen network."
+ default = []
+}
+variable "internal_network8_network" {
+ type = list(string)
+ description = "8th internal network ID in the chosen zone."
+ default = []
+}
+variable "internal_network8_subnetwork" {
+ type = list(string)
+ description = "8th internal subnet ID in the chosen network."
+ default = []
+}
diff --git a/terraform/gcp/single-into-new-vpc/README.md b/terraform/gcp/single-into-new-vpc/README.md
new file mode 100644
index 00000000..857b7c75
--- /dev/null
+++ b/terraform/gcp/single-into-new-vpc/README.md
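Review bot: `allowUploadDownload` is declared `type = string` with `default = true`, while every sibling toggle (`network_enableTcp`, `generatePassword`, `enableMonitoring`) is `type = bool` and the README table lists it as boolean; the declaration should read `type = bool`. `sicKey` and `smart_1_cloud_token` are credentials but carry no `sensitive = true`, so their values appear in plan output and module argument diffs — add `sensitive = true` to both blocks. `numAdditionalNICs` accepts any number although the template only handles 0–8, so a `validation { condition = var.numAdditionalNICs >= 0 && var.numAdditionalNICs <= 8 error_message = "numAdditionalNICs must be between 0 and 8." }` block would fail fast; the consumer is worth checking at the same time, because the 6th–8th `dynamic "network_interface"` blocks in single-into-existing-vpc/main.tf (earlier in this patch) test `== 6`/`== 7`/`== 8` rather than `>=`, so `numAdditionalNICs = 8` attaches interfaces 1–5 and 8 only. Two description strings also need fixing: `network_gwNetworkSourceRanges` reuses the TCP text "Allow TCP traffic from the Internet", and the ICMP/UDP/SCTP/ESP source-range descriptions say "to unable" where "to disable" is meant.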
@@ -0,0 +1,270 @@
+# Check Point single gateway and management Terraform module for GCP
+
+Terraform module which deploys a single gateway and management of Check Point Security Gateways.
+
+These types of Terraform resources are supported:
+ [Instance Template](https://www.terraform.io/docs/providers/google/r/compute_instance_template.html)
+ [Firewall](https://www.terraform.io/docs/providers/google/r/compute_firewall.html) - conditional creation
+ [Instance Group Manager](https://www.terraform.io/docs/providers/google/r/compute_region_instance_group_manager.html)
+ [Compute instance](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance)
+
+
+See Check Point's documentation for Single [here](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk114577)
+
+Terraform is controlled via a very easy to use command-line interface (CLI). Terraform is only a single command-line application: terraform.
+
+## Before you begin
+1. Create a project in the [Google Cloud Console](https://console.cloud.google.com/) and set up billing on that project.
+2. [Install Terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli) and read the Terraform getting started guide that follows. This guide will assume basic proficiency with Terraform - it is an introduction to the Google provider.
+
+## Configuring the Provider
+The main.tf file includes the following provider configuration block used to configure the credentials you use to authenticate with GCP, as well as a default project and location for your resources:
+```
+provider "google" {
+ credentials = file(var.service_account_path)
+ project = var.project
+}
+...
+```
+
+1. [Create a Service Account](https://cloud.google.com/docs/authentication/getting-started) (or use the existing one). Next, download the JSON key file. Name it something you can remember and store it somewhere secure on your machine.
+2. Select "Editor" Role or verify you have the following permissions:
+ ```
+ compute.addresses.get
+ compute.addresses.use
+ compute.addresses.create
+ compute.disks.create
+ compute.disks.delete
+ compute.firewalls.create
+ compute.firewalls.delete
+ compute.firewalls.get
+ compute.images.get
+ compute.images.useReadOnly
+ compute.images.getFromFamily
+ compute.instanceTemplates.create
+ compute.instanceTemplates.delete
+ compute.instanceTemplates.get
+ compute.instanceTemplates.useReadOnly
+ compute.instances.addAccessConfig
+ compute.instances.create
+ compute.instances.delete
+ compute.instances.get
+ compute.instances.setMetadata
+ compute.instances.setTags
+ compute.instances.setLabels
+ compute.networks.get
+ compute.networks.updatePolicy
+ compute.regions.list
+ compute.subnetworks.get
+ compute.subnetworks.use
+ compute.subnetworks.useExternalIp
+ compute.zones.get
+ iam.serviceAccountKeys.get
+ iam.serviceAccountKeys.list
+ iam.serviceAccounts.actAs
+ iam.serviceAccounts.get
+ iam.serviceAccounts.list
+ iam.serviceAccounts.set
+ ```
+3. ```credentials``` - Your service account key file is used to complete a two-legged OAuth 2.0 flow to obtain access tokens to authenticate with the GCP API as needed; Terraform will use it to reauthenticate automatically when tokens expire.
+The provider credentials can be provided either as static credentials or as [Environment Variables](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#credentials-1).
+ - Static credentials can be provided by adding the path to your service-account json file, project-id and region in /gcp/modules/single/terraform.tfvars file as follows:
+ ```
+ service_account_path = "service-accounts/service-account-file-name.json"
+ project = "project-id"
+ ```
+ - In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in the main.tf file, in the provider google resource, need to be deleted or commented:
+ ```
+ provider "google" {
+ // credentials = file(var.service_account_path)
+ // project = var.project
+
+ }
+ ```
+ b.In the terraform.tfvars file leave empty double quotes for credentials and project variables:
+ ```
+ service_account_path = ""
+ project = ""
+ ```
+## Usage
+- Fill all variables in the /gcp/single/terraform.tfvars file with proper values (see below for variables descriptions).
+- From a command line initialize the Terraform configuration directory:
+ ```
+ terraform init
+ ```
+- Create an execution plan:
+ ```
+ terraform plan
+ ```
+- Create or modify the deployment:
+ ```
+ terraform apply
+ ```
+
+#### Variables are configured in single/terraform.tfvars file as follows:
+```
+# --- Google Provider ---
+service_account_path = "service-accounts/service-account-file-name.json"
+project = "project-id"
+
+# --- Check Point---
+image_name = "check-point-r8120-gw-byol-single-631-991001335-v20230622"
+installationType = "Gateway only"
+license = "BYOL"
+prefix = "chkp-single-tf-"
+management_nic = "Ephemeral Public IP (eth0)"
+admin_shell = "/etc/cli.sh"
+admin_SSH_key = "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key"
+generatePassword = false
+allow_upload_download = true
+sicKey = ""
+managementGUIClientNetwork = "0.0.0.0/0"
+
+#--- Quick connect to Smart-1 Cloud ---
+smart_1_cloud_token = "xxxxxxxxxxxxxxxxxxxxxxxx"
+
+# --- Networking ---
+region = "us-central1"
+zone = "us-central1-a"
+subnetwork_cidr = "10.0.0.0/24"
+network_enableTcp= true
+network_tcpSourceRanges= ["0.0.0.0/0"]
+network_enableGwNetwork= false
+network_gwNetworkSourceRanges= []
+network_enableIcmp= false
+network_icmpSourceRanges = []
+network_enableUdp= false
+network_udpSourceRanges= []
+network_enableSctp= false
+network_sctpSourceRanges= []
+network_enableEsp= false
+network_espSourceRanges= []
+numAdditionalNICs= 1
+externalIP= "static"
+internal_subnetwork_cidr = "10.0.1.0/24"
+
+# --- Instance Configuration ---
+machine_type = "n1-standard-4"
+diskType = "SSD Persistent Disk"
+bootDiskSizeGb = 100
+enableMonitoring = false
+
+```
+
+- To tear down your resources:
+ ```
+ terraform destroy
+ ```
+
+## Conditional creation
+To create Firewall and allow traffic for ICMP, TCP, UDP, SCTP or/and ESP - enter list of Source IP ranges.
+```
+ICMP_traffic = ["123.123.0.0/24", "234.234.0.0/24"]
+TCP_traffic = ["0.0.0.0/0"]
+UDP_traffic = ["0.0.0.0/0"]
+SCTP_traffic = ["0.0.0.0/0"]
+ESP_traffic = ["0.0.0.0/0"]
+```
+Please leave empty list for a protocol if you want to disable traffic for it.
+
+## Inputs
+| Name | Description | Type | Allowed values |Default| Required |
+| ------------- | ------------- | ------------- | ------------- |-------|---------------|
+| service_account_path | User service account path in JSON format - From the service account key page in the Cloud Console choose an existing account or create a new one. Next, download the JSON key file. Name it something you can remember, store it somewhere secure on your machine, and supply the path to the location is stored. (e.g. "service-accounts/service-account-name.json") | string | N/A | "" | yes |
+| | | | | |
+| project | Personal project id. The project indicates the default GCP project all of your resources will be created in. | string | N/A | "" | yes |
+| | | | | |
+| region | GCP region | string | N/A | N/A | yes |
+| | | | | |
+| zone | The zone determines what computing resources are available and where your data is stored and used | string | List of allowed [Regions and Zones](https://cloud.google.com/compute/docs/regions-zones?_ga=2.31926582.-962483654.1585043745) |us-central1-a|yes|
+| | | | | |
+| image_name |The single gateway or management image name (e.g. check-point-r8120-gw-byol-single-631-991001335-v20230622 for gateway or check-point-r8120-byol-631-991001335-v20230621 for management).
You can choose the desired gateway image value from [Github](https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/single-byol/images.py).| string | N/A | N/A | yes | +| | | | | | +| installationType | Installation type and version | string |Gateway only;
Management only;
Manual Configuration
Gateway and Management (Standalone) |Gateway only|yes| +| | | | | | +| license | Checkpoint license (BYOL or PAYG).|string|BYOL;
PAYG;|BYOL|yes| +| | | | | | +| prefix | (Optional) Resources name prefix|string|N\A|chkp-single-tf-|no| +| | | | | | +| machineType | Machine types determine the specifications of your machines, such as the amount of memory, virtual cores, and persistent disk limits an instance will have | string | [Learn more about Machine Types](https://cloud.google.com/compute/docs/machine-types?hl=en_US&_ga=2.267871494.-962483654.1585043745) | n1-standard-4|no| +| | | | | | +| subnetwork_cidr | The range of internal addresses that are owned by this subnetwork, only IPv4 is supported (e.g. "10.0.0.0/8" or "192.168.0.0/16"). | string | N/A | N/A | yes | +| | | | | | +| network_enableTcp | Allow TCP traffic from the Internet | boolean | true;
false; |false|no| +| | | | | | +| network_tcpSourceRanges | Allow TCP traffic from the Internet | list(string) | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway all ports are allowed. For management allowed ports are: 257,18191,18210,18264,22,443,18190,19009 [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) |N/A|no| +| | | | | | +| network_enableGwNetwork | This is relevant for Management only. The network in which managed gateways reside | boolean | true;
false; |false|no| +| | | | | | +| network_gwNetworkSourceRanges | Allow TCP traffic from the Internet | list(string) | Enter a valid IPv4 network CIDR (e.g. 0.0.0.0/0) |N/A|no| +| | | | | | +| network_enableIcmp | Allow ICMP traffic from the Internet | boolean | true;
false; |false|no| +| | | | | | +| network_icmpSourceRanges | Source IP ranges for ICMP traffic | list(string) | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) |N/A|no| +| | | | | | +| network_enableUdp | Allow UDP traffic from the Internet | boolean | true;
false; |false|no| +| | | | | | +| network_udpSourceRanges | Source IP ranges for UDP traffic | list(string) | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) |N/A|no| +| | | | | | +| network_enableSctp | Allow SCTP traffic from the Internet | boolean | true;
false; |false|no| +| | | | | | +| network_sctpSourceRanges | Source IP ranges for SCTP traffic | list(string) | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only - all ports are allowed. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) |N/A|no| +| | | | | | +| network_enableEsp | Allow ESP traffic from the Internet | boolean | true;
false; |false|no| +| | | | | | +| network_espSourceRanges | Source IP ranges for ESP traffic | list(string) | Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. [Learn more](https://cloud.google.com/vpc/docs/vpc?_ga=2.36703144.-962483654.1585043745#firewalls) |N/A|no| +| | | | | | +| diskType | Disk type | string | SSD Persistent Disk;
standard-Persistent Disk;
Storage space is much less expensive for a standard persistent disk. An SSD persistent disk is better for random IOPS or streaming throughput with low latency. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.66020774.-962483654.1585043745#overview_of_disk_types)|SSD Persistent Disk|no| +| | | | | | +| bootDiskSizeGb | Disk size in GB | number | Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.232680471.-962483654.1585043745#pdperformance)|100|no| +| | | | | | +| generatePassword | Automatically generate an administrator password | boolean | true;
false; |false|no| +| | | | | | +| allowUploadDownload | Allow download from/upload to Check Point | boolean | true;
false; |false|no| +| | | | | | +| enableMonitoring | Enable Stackdriver monitoring | boolean | true;
false; |false|no| +| | | | | | +| admin_shell | Change the admin shell to enable advanced command line configuration. | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh;
|/etc/cli.sh|no| +| | | | | | +| admin_SSH_key | Public SSH key for the user 'admin' - The SSH public key for SSH authentication to the instances. Leave this field blank to use all project-wide pre-configured SSH keys. | string | A valid public ssh key | "" | no | +| | | | | | +| sicKey | The Secure Internal Communication one time secret used to set up trust between the single gateway object and the management server | string | At least 8 alpha numeric characters.
If SIC is not provided and needed, a key will be automatically generated |""|no| +| | | | | | +| managementGUIClientNetwork | Allowed GUI clients | string | A valid IPv4 network CIDR (e.g. 0.0.0.0/0) |0.0.0.0/0|no| +| | | | | | +| smart_1_cloud_token | Smart-1 Cloud token to connect this gateway to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal.| +| | | | | | +| numAdditionalNICs | Number of additional network interfaces | number | A number in the range 0 - 8.
Multiple network interfaces deployment is described in [sk121637 - Deploy a CloudGuard for GCP with Multiple Network Interfaces](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk121637) |0|no| +| | | | | | +| externalIP | External IP address type | string | Static;
Ephemeral;
An external IP address associated with this instance. Selecting "None" will result in the instance having no external internet access. [Learn more](https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address?_ga=2.259654658.-962483654.1585043745) |static|no| +| | | | | | +| internal_subnetwork_cidr | The range of internal addresses that are owned by this subnetwork, only IPv4 is supported (e.g. "10.0.0.0/8" or "192.168.0.0/16"). | string | N/A | N/A | yes | +| | | | | | +| management_nic | Management Interface - Security Gateways in GCP can be managed by an ephemeral public IP or using the private IP of the internal interface (eth1). | string | Ephemeral Public IP (eth0)
- Private IP (eth1) |XEphemeral Public IP (eth0)|no| +| | | | | | + +## Outputs +| Name | Description | +| ------------- | ------------- | +| SIC_key | Secure Internal Communication (SIC) initiation key. | +| ICMP_firewall_rules_name | If enable - the ICMP firewall rules name, otherwise, an empty list. | +| TCP_firewall_rules_name | If enable - the TCP firewall rules name, otherwise, an empty list. | +| UDP_firewall_rules_name | If enable - the UDP firewall rules name, otherwise, an empty list. | +| SCTP_firewall_rules_name | If enable - the SCTP firewall rules name, otherwise, an empty list. | +| ESP_firewall_rules_name | If enable - the ESP firewall rules name, otherwise, an empty list. | + +## Revision History +In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|-------------------------------------| +| 20230921 | Added single-into-new-vpc template. | +| | | + +## Authors + + +## License + +This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details diff --git a/terraform/gcp/single-into-new-vpc/main.tf b/terraform/gcp/single-into-new-vpc/main.tf new file mode 100644 index 00000000..1597ae33 --- /dev/null +++ b/terraform/gcp/single-into-new-vpc/main.tf 
@@ -0,0 +1,90 @@
+provider "google" {
+ credentials = file(var.service_account_path)
+ project = var.project
+ region = var.region
+}
+
+resource "random_string" "random_string" {
+ length = 5
+ special = false
+ upper = false
+ keepers = {}
+}
+
+resource "google_compute_network" "network" {
+ name = "${var.prefix}-network-${random_string.random_string.result}"
+ auto_create_subnetworks = false
+}
+
+resource "google_compute_subnetwork" "subnetwork" {
+ name = "${var.prefix}-subnetwork-${random_string.random_string.result}"
+ ip_cidr_range = var.subnetwork_cidr
+ private_ip_google_access = true
+ region = var.region
+ network = google_compute_network.network.id
+}
+
+resource "google_compute_network" "internal_network" {
+ name = "${var.prefix}-internal-network-${random_string.random_string.result}"
+ auto_create_subnetworks = false
+}
+
+resource "google_compute_subnetwork" "internal_subnetwork" {
+ name = "${var.prefix}-internal-subnetwork-${random_string.random_string.result}"
+ ip_cidr_range = var.internal_subnetwork_cidr
+ private_ip_google_access = true
+ region = var.region
+ network = google_compute_network.internal_network.id
+}
+
+
+module "single-into-existing-vpc" {
+ source = "../single-into-existing-vpc"
+
+ service_account_path = var.service_account_path
+ project = var.project
+
+
+ # --- Check Point Deployment---
+ image_name = var.image_name
+ installationType = var.installationType
+ license = var.license
+ prefix = var.prefix
+ management_nic = var.management_nic
+ admin_shell = var.admin_shell
+ admin_SSH_key = var.admin_SSH_key
+ generatePassword = var.generatePassword
+ allowUploadDownload = var.allowUploadDownload
+ sicKey = var.sicKey
+ managementGUIClientNetwork = var.managementGUIClientNetwork
+
+ # --- Quick connect to Smart-1 Cloud ---
+ smart_1_cloud_token = var.smart_1_cloud_token
+
+ # --- Networking ---
+ zone = var.zone
+ network = [google_compute_network.network.name]
+ subnetwork = [google_compute_subnetwork.subnetwork.name]
+ 
network_enableTcp = var.network_enableTcp
+ network_tcpSourceRanges = var.network_tcpSourceRanges
+ network_enableGwNetwork = var.network_enableGwNetwork
+ network_gwNetworkSourceRanges = var.network_gwNetworkSourceRanges
+ network_enableIcmp = var.network_enableIcmp
+ network_icmpSourceRanges = var.network_icmpSourceRanges
+ network_enableUdp = var.network_enableUdp
+ network_udpSourceRanges = var.network_udpSourceRanges
+ network_enableSctp = var.network_enableSctp
+ network_sctpSourceRanges = var.network_sctpSourceRanges
+ network_enableEsp = var.network_enableEsp
+ network_espSourceRanges = var.network_espSourceRanges
+ numAdditionalNICs = var.numAdditionalNICs
+ externalIP = var.externalIP
+ internal_network1_network = [google_compute_network.internal_network.name]
+ internal_network1_subnetwork = [google_compute_subnetwork.internal_subnetwork.name]
+
+ # --- Instances configuration---
+ machine_type = var.machine_type
+ diskType = var.diskType
+ bootDiskSizeGb = var.bootDiskSizeGb
+ enableMonitoring = var.enableMonitoring
+}
\ No newline at end of file
diff --git a/terraform/gcp/single-into-new-vpc/output.tf b/terraform/gcp/single-into-new-vpc/output.tf
new file mode 100644
index 00000000..f1ba99cf
--- /dev/null
+++ b/terraform/gcp/single-into-new-vpc/output.tf
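Review bot: `credentials = file(var.service_account_path)` in the provider block fails at plan time when `service_account_path` is left as `""`, which is exactly the value the README in this patch tells users to set when they authenticate through environment variables, and is why the README then instructs them to comment the line out of main.tf by hand. Guarding the expression, `credentials = var.service_account_path != "" ? file(var.service_account_path) : null`, lets the provider fall back to its own credential discovery without editing source. As far as this hunk shows, `internal_network`/`internal_subnetwork` are created with no firewall resources of their own while only the primary `network` is handed to the module's conditional firewall inputs, so the eth1 side relies on GCP's implied deny-ingress rule; a one-line comment on the `internal_network` resource stating that intent, e.g. `# No firewall rules are created here on purpose: the internal VPC keeps GCP's implied deny-ingress.`, would save the next reader a search.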
@@ -0,0 +1,30 @@
+output "network" {
+ value = google_compute_network.network.name
+}
+output "subnetwork" {
+ value = google_compute_subnetwork.subnetwork.name
+}
+output "internal_network" {
+ value = google_compute_network.internal_network.name
+}
+output "internal_subnetwork" {
+ value = google_compute_subnetwork.internal_subnetwork.name
+}
+output "SIC_key" {
+ value = module.single-into-existing-vpc.SIC_key
+}
+output "ICMP_firewall_rules_name" {
+ value = module.single-into-existing-vpc.ICMP_firewall_rules_name
+}
+output "TCP_firewall_rules_name" {
+ value = module.single-into-existing-vpc.TCP_firewall_rules_name
+}
+output "UDP_firewall_rules_name" {
+ value = module.single-into-existing-vpc.UDP_firewall_rules_name
+}
+output "SCTP_firewall_rules_name" {
+ value = module.single-into-existing-vpc.SCTP_firewall_rules_name
+}
+output "ESP_firewall_rules_name" {
+ value = module.single-into-existing-vpc.ESP_firewall_rules_name
+}
diff --git a/terraform/gcp/single-into-new-vpc/terraform.tfvars b/terraform/gcp/single-into-new-vpc/terraform.tfvars
new file mode 100644
index 00000000..b387fa3d
--- /dev/null
+++ b/terraform/gcp/single-into-new-vpc/terraform.tfvars
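Review bot: `output "SIC_key"` re-exports the Secure Internal Communication one-time secret as a plain output, so `terraform apply` and `terraform output` print it and it ends up in CI logs; add `sensitive = true` to that output block (the value still lives in state, which has to be protected regardless). The other outputs are resource names and are fine as they are.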
@@ -0,0 +1,45 @@
+# --- Google Provider ---
+service_account_path = "PLEASE ENTER SERVICE_ACCOUNT_PATH" # "service-accounts/service-account-file-name.json"
+project = "PLEASE ENTER PROJECT ID" # "project-id"
+
+# --- Check Point Deployment---
+image_name = "PLEASE ENTER IMAGE_NAME" # "check-point-r8120-gw-byol-single-631-991001335-v20230622"
+installationType = "PLEASE ENTER INSTALLATION TYPE" # "Gateway only"
+license = "PLEASE ENTER LICENSE" # "BYOL"
+prefix = "PLEASE ENTER PREFIX" # "chkp-single-tf-"
+management_nic = "PLEASE ENTER MANAGEMENT_NIC" # "Ephemeral Public IP (eth0)"
+admin_shell = "PLEASE ENTER ADMIN_SHELL" # "/etc/cli.sh"
+admin_SSH_key = "PLEASE ENTER ADMIN_SSH_KEY" # "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key"
+generatePassword = "PLEASE ENTER GENERATE PASSWORD" # false
+allowUploadDownload = "PLEASE ENTER ALLOW UPLOAD DOWNLOAD" # false
+sicKey = "PLEASE ENTER SIC KEY" # ""
+managementGUIClientNetwork = "PLEASE ENTER MANAGEMENT GUI CLIENT NETWORK" # "0.0.0.0/0"
+
+# --- Quick connect to Smart-1 Cloud ---
+smart_1_cloud_token = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL" # ""
+
+# --- Networking---
+region = "PLEASE ENTER REGION" # "us-central1"
+zone = "PLEASE ENTER ZONE" # "us-central1-a"
+subnetwork_cidr = "PLEASE ENTER SUBNETWORK CIDR" # "10.0.1.0/24"
+network_enableTcp = "PLEASE ENTER NETWORK ENABLE TCP" # false
+network_tcpSourceRanges = "PLEASE ENTER NETWORK TCP SOURCE RANGES" # []
+network_enableGwNetwork = "PLEASE ENTER NETWORK ENABLE GW NETWORK" # false
+network_gwNetworkSourceRanges = "PLEASE ENTER NETWORK GW NETWORK SOURCE RANGES" # []
+network_enableIcmp = "PLEASE ENTER NETWORK ENABLE ICMP" # false
+network_icmpSourceRanges = "PLEASE ENTER NETWORK ICMP SOURCE RANGES" # []
+network_enableUdp = "PLEASE ENTER NETWORK ENABLE UDP" # false
+network_udpSourceRanges = "PLEASE ENTER NETWORK UDP SOURCE RANGES" # []
+network_enableSctp = "PLEASE ENTER NETWORK ENABLE SCTP" # false
+network_sctpSourceRanges = "PLEASE ENTER NETWORK SCTP 
SOURCE RANGES" # []
+network_enableEsp = "PLEASE ENTER NETWORK ENABLE ESP" # false
+network_espSourceRanges = "PLEASE ENTER NETWORK ESP SOURCE RANGES" # []
+numAdditionalNICs = "PLEASE ENTER NUM ADDITIONAL NICS" # 1
+externalIP = "PLEASE ENTER EXTERNAL IP" # "static"
+internal_subnetwork_cidr = "PLEASE ENTER INTERNAL SUBNETWORK CIDR" # "10.0.2.0/24"
+
+# --- Instances configuration---
+machine_type = "PLEASE ENTER MACHINE_TYPE" # "n1-standard-4"
+diskType = "PLEASE ENTER DISK TYPE" # "SSD Persistent Disk"
+bootDiskSizeGb = "PLEASE ENTER BOOT DISK SIZE GB" # 100
+enableMonitoring = "PLEASE ENTER ENABLE MONITORING" # false
\ No newline at end of file
diff --git a/terraform/gcp/single-into-new-vpc/variables.tf b/terraform/gcp/single-into-new-vpc/variables.tf
new file mode 100644
index 00000000..3d6454cf
--- /dev/null
+++ b/terraform/gcp/single-into-new-vpc/variables.tf
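Review bot: The tfvars template lists `sicKey` and `smart_1_cloud_token` beside non-secret settings, which invites users to fill secrets into a tracked file; a comment steering those two to `TF_VAR_sicKey`/`TF_VAR_smart_1_cloud_token` or a git-ignored `*.auto.tfvars` would avoid that. The example path `# "service-accounts/service-account-file-name.json"` likewise places the service-account key inside the checkout — the .gitignore added earlier in this series is not visible here, so confirm it excludes that directory or point the example outside the repository. The quoted placeholders for `bool`/`list(string)` inputs (e.g. `network_enableTcp`, `network_tcpSourceRanges`) cannot be converted by Terraform, so `terraform plan` fails with a type error until every one is replaced; presumably intended, but the trailing `# false` / `# []` examples could simply be the values.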
@@ -0,0 +1,256 @@
+variable "service_account_path" {
+ type = string
+ description = "User service account path in JSON format - From the service account key page in the Cloud Console choose an existing account or create a new one. Next, download the JSON key file. Name it something you can remember, store it somewhere secure on your machine, and supply the path to the location is stored."
+ default = ""
+}
+variable "project" {
+ type = string
+ description = "Personal project id. The project indicates the default GCP project all of your resources will be created in."
+ default = ""
+}
+variable "region" {
+ type = string
+ default = "us-central1"
+}
+variable "zone" {
+ type = string
+ description = "The zone determines what computing resources are available and where your data is stored and used"
+ default = "us-central1-a"
+}
+variable "image_name" {
+ type = string
+ description = "The single gateway and management image name. You can choose the desired image value from: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/single-byol/images.py"
+}
+variable "installationType" {
+ type = string
+ description = "Installation type and version"
+ default = "Gateway only"
+}
+variable "license" {
+ type = string
+ description = "Checkpoint license (BYOL or PAYG)."
+ default = "BYOL"
+}
+variable "prefix" {
+ type = string
+ description = "(Optional) Resources name prefix"
+ default = "chkp-single-tf-"
+}
+variable "machine_type" {
+ type = string
+ default = "n1-standard-4"
+}
+variable "subnetwork_cidr" {
+ type = string
+ description = "The range of external addresses that are owned by this subnetwork, only IPv4 is supported (e.g. \"10.0.0.0/8\" or \"192.168.0.0/16\")."
+}
+variable "internal_subnetwork_cidr" {
+ type = string
+ description = "The range of internal addresses that are owned by this subnetwork, only IPv4 is supported (e.g. \"10.0.0.0/8\" or \"192.168.0.0/16\")."
+}
+variable "network_enableTcp" {
+ type = bool
+ description = "Allow TCP traffic from the Internet"
+ default = false
+}
+variable "network_tcpSourceRanges" {
+ type = list(string)
+ description = "Allow TCP traffic from the Internet"
+ default = []
+}
+variable "network_enableGwNetwork" {
+ type = bool
+ description = "This is relevant for Management only. The network in which managed gateways reside"
+ default = false
+}
+variable network_gwNetworkSourceRanges{
+ type = list(string)
+ description = "Allow TCP traffic from the Internet"
+ default = []
+}
+variable "network_enableIcmp" {
+ type = bool
+ description ="Allow ICMP traffic from the Internet"
+ default = false
+}
+variable "network_icmpSourceRanges" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for ICMP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable ICMP traffic."
+ default = []
+}
+variable network_enableUdp{
+ type = bool
+ description ="Allow UDP traffic from the Internet"
+ default = false
+}
+variable "network_udpSourceRanges" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for UDP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable UDP traffic."
+ default = []
+}
+variable "network_enableSctp" {
+ type = bool
+ description ="Allow SCTP traffic from the Internet"
+ default = false
+}
+variable "network_sctpSourceRanges" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for SCTP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable SCTP traffic."
+ default = []
+}
+
+variable "network_enableEsp" {
+ type = bool
+ description ="Allow ESP traffic from the Internet "
+ default = false
+}
+variable "network_espSourceRanges" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for ESP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable ESP traffic."
+ default = []
+}
+variable "diskType" {
+ type = string
+ description ="Disk type"
+ default = "SSD Persistent Disk"
+}
+variable "bootDiskSizeGb" {
+ type = number
+ description ="Disk size in GB"
+ default = 100
+}
+variable "generatePassword" {
+ type = bool
+ description ="Automatically generate an administrator password "
+ default = false
+}
+variable "management_nic" {
+ type = string
+ description = "Management Interface - Gateways in GCP can be managed by an ephemeral public IP or using the private IP of the internal interface (eth1)."
+ default = "Ephemeral Public IP (eth0)"
+}
+variable "allowUploadDownload" {
+ type = string
+ description ="Allow download from/upload to Check Point"
+ default = true
+}
+variable "enableMonitoring" {
+ type = bool
+ description ="Enable Stackdriver monitoring"
+ default = false
+}
+variable "admin_shell" {
+ type = string
+ description = "Change the admin shell to enable advanced command line configuration."
+ default = "/etc/cli.sh"
+}
+variable "admin_SSH_key" {
+ type = string
+ description = "(Optional) The SSH public key for SSH authentication to the template instances. Leave this field blank to use all project-wide pre-configured SSH keys."
+ default = ""
+}
+variable "sicKey" {
+ type = string
+ description ="The Secure Internal Communication one time secret used to set up trust between the single gateway object and the management server"
+ default = ""
+}
+variable "managementGUIClientNetwork" {
+ type = string
+ description ="Allowed GUI clients "
+ default = "0.0.0.0/0"
+}
+variable "smart_1_cloud_token" {
+ type = string
+ description ="(Optional) Smart-1 cloud token to connect this Gateway to Check Point's Security Management as a Service"
+ default = ""
+}
+variable "numAdditionalNICs" {
+ type = number
+ description ="Number of additional network interfaces"
+ default = 0
+}
+variable "externalIP" {
+ type = string
+ description = "External IP address type"
+ default = "static"
+}
+variable "internal_network1_network" {
+ type = list(string)
+ description = "1st internal network ID in the chosen zone."
+ default = []
+}
+variable "internal_network1_subnetwork" {
+ type = list(string)
+ description = "1st internal subnet ID in the chosen network."
+ default = []
+}
+variable "internal_network2_network" {
+ type = list(string)
+ description = "2nd internal network ID in the chosen zone."
+ default = []
+}
+variable "internal_network2_subnetwork" {
+ type = list(string)
+ description = "2nd internal subnet ID in the chosen network."
+ default = []
+}
+variable "internal_network3_network" {
+ type = list(string)
+ description = "3rd internal network ID in the chosen zone."
+ default = []
+}
+variable "internal_network3_subnetwork" {
+ type = list(string)
+ description = "3rd internal subnet ID in the chosen network."
+ default = []
+}
+variable "internal_network4_network" {
+ type = list(string)
+ description = "4th internal network ID in the chosen zone."
+ default = []
+}
+variable "internal_network4_subnetwork" {
+ type = list(string)
+ description = "4th internal subnet ID in the chosen network."
+ default = []
+}
+variable "internal_network5_network" {
+ type = list(string)
+ description = "5th internal network ID in the chosen zone."
+ default = []
+}
+variable "internal_network5_subnetwork" {
+ type = list(string)
+ description = "5th internal subnet ID in the chosen network."
+ default = []
+}
+variable "internal_network6_network" {
+ type = list(string)
+ description = "6th internal network ID in the chosen zone."
+ default = []
+}
+variable "internal_network6_subnetwork" {
+ type = list(string)
+ description = "6th internal subnet ID in the chosen network."
+ default = []
+}
+variable "internal_network7_network" {
+ type = list(string)
+ description = "7th internal network ID in the chosen zone."
+ default = []
+}
+variable "internal_network7_subnetwork" {
+ type = list(string)
+ description = "7th internal subnet ID in the chosen network."
+ default = []
+}
+variable "internal_network8_network" {
+ type = list(string)
+ description = "8th internal network ID in the chosen zone."
+ default = []
+}
+variable "internal_network8_subnetwork" {
+ type = list(string)
+ description = "8th internal subnet ID in the chosen network."
+ default = []
+}
From db9e8dbc543e100492529ff8d3b56d8f7581a062 Mon Sep 17 00:00:00 2001
From: eddiek
Date: Wed, 25 Sep 2024 14:16:35 +0000
Subject: [PATCH 02/12] Add new file .gitlab-ci.yml
---
 .gitlab-ci.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 .gitlab-ci.yml
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 00000000..e69de29b
From 008dbe167a0ec90ea59ea38f3efc27518de4ff98 Mon Sep 17 00:00:00 2001
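Review bot: `variable "allowUploadDownload"` is declared `type = string` with `default = true`, while the sibling toggles (`generatePassword`, `enableMonitoring`, the `network_enable*` inputs) are `type = bool`; change it to `type = bool` so the contract matches and callers cannot pass arbitrary strings. `sicKey` and `smart_1_cloud_token` are secrets and should carry `sensitive = true` so plan output redacts them. `managementGUIClientNetwork` defaults to `0.0.0.0/0`, i.e. any source is accepted as a GUI client unless the user overrides it — a narrower default, or none at all, is safer. Smaller points: `network_tcpSourceRanges` and `network_gwNetworkSourceRanges` reuse the `"Allow TCP traffic from the Internet"` description, "unable" in the `*SourceRanges` descriptions should read "disable", `variable network_gwNetworkSourceRanges{` and `variable network_enableUdp{` lack the quoted label `terraform fmt` emits, and `internal_network1_network`/`internal_network1_subnetwork` are never read by this directory's main.tf, which passes the networks it creates.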
From: eddiek Date: Wed, 25 Sep 2024 16:59:01 +0300 Subject: [PATCH 03/12] resolve code analysis feedbacks --- aws/templates/asg/autoscale.yaml | 30 ++- aws/templates/cluster/cluster-master.yaml | 29 ++- aws/templates/cluster/cluster.yaml | 199 ++++++++++------- .../cross-az-cluster-master.yaml | 23 +- .../cross-az-cluster/cross-az-cluster.yaml | 209 ++++++++++-------- .../geo-cluster/geo-cluster-master.yaml | 29 ++- aws/templates/geo-cluster/geo-cluster.yaml | 198 ++++++++++------- aws/templates/gwlb-asg/gwlb-master.yaml | 39 ++-- aws/templates/gwlb-asg/gwlb.yaml | 36 ++- aws/templates/gwlb-asg/qs-gwlb-master.yaml | 23 +- aws/templates/gwlb-asg/qs-gwlb.yaml | 26 ++- aws/templates/gwlb-asg/tgw-gwlb-master.yaml | 39 ++-- aws/templates/gwlb-asg/tgw-gwlb.yaml | 37 +++- aws/templates/management/management.yaml | 94 ++++---- aws/templates/mds/mds.yaml | 90 +++++--- aws/templates/single-gw/gateway-master.yaml | 31 ++- aws/templates/single-gw/gateway.yaml | 105 +++++---- .../standalone/standalone-master.yaml | 27 ++- aws/templates/standalone/standalone.yaml | 99 +++++---- aws/templates/tgw-asg/tgw-asg-master.yaml | 35 +-- aws/templates/tgw-asg/tgw-asg.yaml | 36 +-- .../tgw-cross-az-cluster-master.yaml | 23 +- .../tgw-cross-az-cluster.yaml | 23 +- aws/templates/tgw-ha/tgw-ha-master.yaml | 30 ++- aws/templates/tgw-ha/tgw-ha.yaml | 27 ++- azure/misc/azure_ha_test.py | 16 -- .../README.md | 1 - .../createUiDefinition.json | 6 +- .../mainTemplate.json | 25 ++- .../marketplace-ha/createUiDefinition.json | 28 +-- .../marketplace-ha/mainTemplate.json | 4 +- .../createUiDefinition.json | 6 +- .../marketplace-management/mainTemplate.json | 4 +- .../marketplace-mds/createUiDefinition.json | 4 +- .../marketplace-mds/mainTemplate.json | 4 +- .../createUiDefinition.json | 4 +- .../marketplace-single-waap/mainTemplate.json | 7 +- .../createUiDefinition.json | 14 +- .../marketplace-single/mainTemplate.json | 4 +- .../createUiDefinition.json | 4 +- 
.../marketplace-vmss-waap/mainTemplate.json | 8 +- .../marketplace-vmss/createUiDefinition.json | 6 +- .../marketplace-vmss/mainTemplate.json | 4 +- .../nestedtemplates/storageAccount-new.json | 5 +- .../vnet-1-subnet-existing.json | 2 +- .../vnet-2-subnet-ha2-existing.json | 2 +- .../vnet-2-subnet-ha2-new.json | 2 +- .../vnet-existing-stack-ha.json | 2 +- .../nestedtemplates/vnet-existing.json | 2 +- .../nestedtemplates/vnet-new-stack-ha.json | 2 +- azure/templates/single-ipv6/README.md | 1 - azure/templates/single-ipv6/mainTemplate.json | 4 +- azure/templates/vmss-ipv6/mainTemplate.json | 4 +- azure/templates/vwan-managed-app/README.md | 4 +- .../vwan-managed-app/mainTemplate.json | 4 +- common/custom-management-script.py | 3 - .../terraform-azure-gwlb/cpcluster-main.tf | 5 + contrib/terraform-azure-gwlb/cpmgmt-main.tf | 5 + contrib/terraform-azure-gwlb/terraform.tfvars | 38 ++-- .../azure/vmss-new-vnet-with-peer/main.tf | 5 + .../vmss-new-vnet-with-peer/terraform.tfvars | 58 ++--- .../R8040-R81/autoscale-into-new-vpc/main.tf | 2 + terraform/alicloud/cluster-master/README.md | 7 +- terraform/alicloud/cluster/README.md | 7 +- .../cluster/cluster_member_a_userdata.yaml | 2 +- .../cluster/cluster_member_b_userdata.yaml | 2 +- terraform/alicloud/cluster/main.tf | 2 +- terraform/alicloud/gateway-master/README.md | 5 +- terraform/alicloud/gateway/README.md | 5 +- .../alicloud/management-master/README.md | 6 +- terraform/alicloud/management/README.md | 8 +- .../management/management_userdata.yaml | 2 +- .../gateway_instance/gateway_userdata.yaml | 2 +- .../modules/common/version_license/main.tf | 5 - terraform/alicloud/modules/images/images.yaml | 58 ----- terraform/aws/autoscale-gwlb/README.md | 84 +++---- terraform/aws/autoscale-gwlb/locals.tf | 1 - terraform/aws/autoscale-gwlb/main.tf | 28 +-- terraform/aws/autoscale-gwlb/terraform.tfvars | 2 +- terraform/aws/autoscale-gwlb/variables.tf | 2 +- terraform/aws/autoscale/README.md | 90 ++++---- 
terraform/aws/autoscale/asg_userdata.yaml | 2 +- terraform/aws/autoscale/main.tf | 14 +- terraform/aws/autoscale/terraform.tfvars | 2 +- terraform/aws/autoscale/variables.tf | 2 +- terraform/aws/cluster-master/README.md | 25 ++- terraform/aws/cluster-master/terraform.tfvars | 2 +- terraform/aws/cluster-master/variables.tf | 2 +- terraform/aws/cluster/README.md | 88 ++++---- .../cluster/cluster_member_a_userdata.yaml | 2 +- terraform/aws/cluster/terraform.tfvars | 2 +- terraform/aws/cluster/variables.tf | 2 +- terraform/aws/cme-iam-role-gwlb/README.md | 11 +- terraform/aws/cme-iam-role/README.md | 7 +- .../aws/cross-az-cluster-master/README.md | 20 +- .../cross-az-cluster-master/terraform.tfvars | 2 +- .../aws/cross-az-cluster-master/variables.tf | 2 +- terraform/aws/cross-az-cluster/README.md | 22 +- .../cluster_member_a_userdata.yaml | 2 +- .../cluster_member_b_userdata.yaml | 2 +- .../aws/cross-az-cluster/terraform.tfvars | 2 +- terraform/aws/cross-az-cluster/variables.tf | 2 +- terraform/aws/gateway-master/README.md | 25 ++- terraform/aws/gateway-master/terraform.tfvars | 2 +- terraform/aws/gateway-master/variables.tf | 2 +- terraform/aws/gateway/README.md | 87 ++++---- terraform/aws/gateway/terraform.tfvars | 2 +- terraform/aws/gateway/variables.tf | 2 +- terraform/aws/gwlb-master/README.md | 106 ++++----- terraform/aws/gwlb-master/terraform.tfvars | 2 +- terraform/aws/gwlb-master/variables.tf | 2 +- terraform/aws/gwlb/README.md | 32 +-- terraform/aws/gwlb/terraform.tfvars | 2 +- terraform/aws/gwlb/variables.tf | 2 +- terraform/aws/management/README.md | 25 ++- .../aws/management/management_userdata.yaml | 2 +- terraform/aws/mds/README.md | 22 +- terraform/aws/mds/mds_userdata.yaml | 2 +- terraform/aws/modules/amis/main.tf | 7 +- .../gateway_instance/gateway_userdata.yaml | 2 +- .../common/gateway_instance/variables.tf | 2 +- .../aws/modules/common/instance_type/main.tf | 2 +- .../modules/common/load_balancer/variables.tf | 2 +- 
.../modules/common/version_license/main.tf | 19 -- .../aws/modules/custom-autoscale/main.tf | 6 +- terraform/aws/qs-autoscale-master/README.md | 21 +- .../aws/qs-autoscale-master/terraform.tfvars | 2 +- .../aws/qs-autoscale-master/variables.tf | 2 +- terraform/aws/qs-autoscale/README.md | 109 +++++---- terraform/aws/qs-autoscale/terraform.tfvars | 2 +- terraform/aws/qs-autoscale/variables.tf | 2 +- terraform/aws/standalone-master/README.md | 21 +- terraform/aws/standalone-master/locals.tf | 1 + terraform/aws/standalone/README.md | 90 ++++---- .../aws/standalone/standalone_userdata.yaml | 2 +- terraform/aws/tgw-asg-master/README.md | 23 +- terraform/aws/tgw-asg-master/locals.tf | 2 + terraform/aws/tgw-asg-master/terraform.tfvars | 2 +- terraform/aws/tgw-asg-master/variables.tf | 2 +- terraform/aws/tgw-asg/README.md | 25 ++- terraform/aws/tgw-asg/terraform.tfvars | 2 +- terraform/aws/tgw-asg/variables.tf | 2 +- .../aws/tgw-cross-az-cluster-master/README.md | 90 ++++---- .../terraform.tfvars | 2 +- .../tgw-cross-az-cluster-master/variables.tf | 2 +- terraform/aws/tgw-cross-az-cluster/README.md | 92 ++++---- .../aws/tgw-cross-az-cluster/terraform.tfvars | 2 +- .../aws/tgw-cross-az-cluster/variables.tf | 2 +- terraform/aws/tgw-gwlb-master/README.md | 126 +++++------ .../aws/tgw-gwlb-master/terraform.tfvars | 2 +- terraform/aws/tgw-gwlb-master/variables.tf | 2 +- terraform/aws/tgw-gwlb/README.md | 132 +++++------ terraform/aws/tgw-gwlb/terraform.tfvars | 2 +- terraform/aws/tgw-gwlb/variables.tf | 2 +- .../high-availability-existing-vnet/README.md | 40 ++-- .../high-availability-existing-vnet/main.tf | 1 + .../variables.tf | 4 +- .../high-availability-new-vnet/README.md | 8 +- .../azure/high-availability-new-vnet/main.tf | 1 + .../high-availability-new-vnet/variables.tf | 4 +- .../azure/management-existing-vnet/README.md | 8 +- .../azure/management-existing-vnet/main.tf | 1 + .../management-existing-vnet/variables.tf | 4 +- terraform/azure/management-new-vnet/README.md | 
8 +- terraform/azure/management-new-vnet/main.tf | 1 + .../azure/management-new-vnet/variables.tf | 4 +- terraform/azure/mds-existing-vnet/README.md | 8 +- terraform/azure/mds-existing-vnet/main.tf | 1 + .../azure/mds-existing-vnet/variables.tf | 4 +- terraform/azure/mds-new-vnet/README.md | 8 +- terraform/azure/mds-new-vnet/main.tf | 1 + terraform/azure/mds-new-vnet/variables.tf | 4 +- terraform/azure/modules/common/variables.tf | 8 +- .../azure/nva-into-existing-hub/README.md | 5 +- terraform/azure/nva-into-new-vwan/README.md | 9 +- .../single-gateway-existing-vnet/README.md | 8 +- .../single-gateway-existing-vnet/main.tf | 1 + .../single-gateway-existing-vnet/variables.tf | 4 +- .../azure/single-gateway-new-vnet/README.md | 8 +- .../azure/single-gateway-new-vnet/main.tf | 1 + .../single-gateway-new-vnet/variables.tf | 4 +- terraform/azure/vmss-existing-vnet/README.md | 176 ++++++++------- terraform/azure/vmss-existing-vnet/main.tf | 1 + .../azure/vmss-existing-vnet/terraform.tfvars | 3 +- .../azure/vmss-existing-vnet/variables.tf | 16 +- terraform/azure/vmss-new-vnet/README.md | 8 +- terraform/azure/vmss-new-vnet/main.tf | 1 + terraform/azure/vmss-new-vnet/variables.tf | 6 +- .../gcp/autoscale-into-existing-vpc/README.md | 28 ++- .../gcp/autoscale-into-existing-vpc/locals.tf | 9 + .../gcp/autoscale-into-existing-vpc/main.tf | 25 ++- .../terraform.tfvars | 61 ++--- .../autoscale-into-existing-vpc/variables.tf | 17 +- .../gcp/autoscale-into-new-vpc/README.md | 15 +- .../gcp/autoscale-into-new-vpc/locals.tf | 8 + terraform/gcp/autoscale-into-new-vpc/main.tf | 5 + .../autoscale-into-new-vpc/terraform.tfvars | 5 +- .../gcp/autoscale-into-new-vpc/variables.tf | 17 +- terraform/gcp/common/cluster-member/main.tf | 4 +- .../gcp/common/cluster-member/variables.tf | 12 +- terraform/gcp/common/members-a-b/main.tf | 4 + terraform/gcp/common/members-a-b/variables.tf | 10 + terraform/gcp/common/startup-script.sh | 2 +- terraform/gcp/high-availability/README.md | 24 +- 
terraform/gcp/high-availability/locals.tf | 12 +- terraform/gcp/high-availability/main.tf | 2 + .../gcp/high-availability/terraform.tfvars | 4 +- terraform/gcp/high-availability/variables.tf | 14 +- .../gcp/single-into-existing-vpc/README.md | 37 ++-- .../gcp/single-into-existing-vpc/locals.tf | 16 +- .../gcp/single-into-existing-vpc/main.tf | 4 +- .../single-into-existing-vpc/terraform.tfvars | 18 +- .../gcp/single-into-existing-vpc/variables.tf | 12 +- terraform/gcp/single-into-new-vpc/README.md | 42 ++-- terraform/gcp/single-into-new-vpc/main.tf | 2 + .../gcp/single-into-new-vpc/terraform.tfvars | 2 + .../gcp/single-into-new-vpc/variables.tf | 12 +- 217 files changed, 2342 insertions(+), 1942 deletions(-) diff --git a/aws/templates/asg/autoscale.yaml b/aws/templates/asg/autoscale.yaml index 15e36d55..97627bd8 100644 --- a/aws/templates/asg/autoscale.yaml +++ b/aws/templates/asg/autoscale.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Create an Auto Scaling group of Check Point gateways (20240417) +Description: Create an Auto Scaling group of Check Point gateways (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -18,6 +18,7 @@ Metadata: - VolumeType - EnableVolumeEncryption - EnableInstanceConnect + - MetaDataToken - Label: default: Auto Scaling Configuration Parameters: @@ -67,6 +68,8 @@ Metadata: default: Enable volume encryption EnableInstanceConnect: default: Enable AWS Instance Connect + MetaDataToken: + default: Metadata HTTP token GatewaysMinSize: default: Minimum Gateway group size GatewaysMaxSize: @@ -119,7 +122,7 @@ Parameters: GatewayInstanceType: Description: The instance type of the Secutiry Gateways. Type: String - Default: c5.xlarge + Default: c6in.xlarge AllowedValues: - c4.large - c4.xlarge 
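Review bot: `Default: c6in.xlarge` must be a member of `GatewayInstanceType`'s `AllowedValues` or CloudFormation rejects the template, and the hunk shows only the head of that list (`c4.large`, `c4.xlarge`); confirm the value was added to the list here and in the matching `GatewayInstanceType` hunks of cluster-master.yaml and cluster.yaml later in this patch. The `AllowedValues` list continues outside the hunk.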
@@ -262,6 +265,13 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false GatewaysMinSize: Description: The minimal number of gateways in the Auto Scaling group. Type: Number @@ -287,12 +297,6 @@ Parameters: Type: String Default: R81.20-BYOL AllowedValues: - - R80.40-BYOL - - R80.40-PAYG-NGTP - - R80.40-PAYG-NGTX - - R81-BYOL - - R81-PAYG-NGTP - - R81-PAYG-NGTX - R81.10-BYOL - R81.10-PAYG-NGTP - R81.10-PAYG-NGTX @@ -386,6 +390,7 @@ Conditions: ProvidedTargetGroups: !Not [!Equals [!Ref GatewaysTargetGroups, '']] EnableCloudWatch: !Equals [!Ref CloudWatch, true] CreateELB: !Not [!Equals [!Ref ELBType, none]] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] Resources: ChkpGatewayRole: Type: AWS::IAM::Role @@ -405,7 +410,7 @@ Resources: Condition: EnableCloudWatch Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/iam/cloudwatch-policy.yaml + TemplateURL: __URL__/iam/cloudwatch-policy.yaml Parameters: PolicyName: ChkpGatewayPolicy PolicyRole: !Ref ChkpGatewayRole @@ -419,7 +424,7 @@ Resources: AMI: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/amis.yaml + TemplateURL: __URL__/utils/amis.yaml Parameters: Version: !Join ['-', [!Ref GatewayVersion, GW]] NotificationTopic: @@ -515,6 +520,8 @@ Resources: KeyName: !Ref KeyName ImageId: !GetAtt AMI.Outputs.ImageId InstanceType: !Ref GatewayInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] BlockDeviceMappings: - DeviceName: '/dev/xvda' Ebs: 
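Review bot: `MetaDataToken` defaults to `true`, so `HttpTokens` in the launch template (hunk `@@ -515,6 +520,8 @@`) becomes `required` for every new deployment; that enforces IMDSv2, which is the right default for a gateway, but any on-instance tooling still making token-less IMDSv1 calls stops working — the userdata in this file hands off to `/etc/cloud_config.py`, whose IMDS usage is not visible here, so confirm the remaining R81.10+ images handle IMDSv2 before shipping `true` as the default. `MetadataOptions` sets only `HttpTokens`; stating `HttpPutResponseHopLimit: 1` explicitly would document that forwarded hops (containers, proxies) are not meant to reach IMDS from these instances. The same parameter, condition and mapping are added to cluster-master.yaml and cluster.yaml later in this patch.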
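Review bot: Dropping `R80.40-*` and `R81-*` from `GatewayVersion`'s `AllowedValues` means a stack originally created with one of those values can no longer be updated with this template unless `GatewayVersion` is changed at the same time, which swaps the AMI; if that is intended the release notes should say so, otherwise keep the old values in the list and mark them deprecated in the parameter description. The same removal appears in cluster-master.yaml and cluster.yaml later in this patch.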
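Review bot: Nothing in this patch shows the step that substitutes `__URL__` and `__VERSION__`, yet `TemplateURL: __URL__/iam/cloudwatch-policy.yaml` (and `__URL__/utils/amis.yaml` in the following hunk) now depend on it; a template published unsubstituted fails at stack creation, and the substituted base must remain an https S3 location the project controls because the nested stacks run with the parent stack's permissions. A comment at the first occurrence, e.g. `# __URL__ and __VERSION__ are filled in by the release pipeline`, would make that contract visible. The same placeholders appear in cluster-master.yaml and cluster.yaml later in this patch.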
@@ -538,7 +545,7 @@ Resources: - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] - - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" sicKey=\"${sic}\" installationType=\"autoscale\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"autoscale\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" bootstrapScript64=\"${bootstrap}\"' + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" sicKey=\"${sic}\" installationType=\"autoscale\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"autoscale\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" bootstrapScript64=\"${bootstrap}\"' VersionDescription: Initial template version GatewayScaleUpPolicy: Type: AWS::AutoScaling::ScalingPolicy @@ -605,3 +612,4 @@ Outputs: SecurityGroup: Description: The Security Group of the Auto Scaling group. Value: !GetAtt PermissiveSecurityGroup.GroupId + diff --git a/aws/templates/cluster/cluster-master.yaml b/aws/templates/cluster/cluster-master.yaml index 0f73a08c..6243e34c 100755 --- a/aws/templates/cluster/cluster-master.yaml +++ b/aws/templates/cluster/cluster-master.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy a Check Point Cluster in a new VPC (20240204) +Description: Deploy a Check Point Cluster in a new VPC (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: 
@@ -23,6 +23,7 @@ Metadata: - EnableInstanceConnect - GatewayPredefinedRole - TerminationProtection + - MetaDataToken - Label: default: Check Point Settings Parameters: @@ -75,6 +76,8 @@ Metadata: default: Existing IAM role name TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token GatewayVersion: default: Version & license Shell: @@ -133,7 +136,7 @@ Parameters: GatewayInstanceType: Description: The instance type of the Secutiry Gateway. Type: String - Default: c5.xlarge + Default: c6in.xlarge AllowedValues: - c4.large - c4.xlarge @@ -290,16 +293,17 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false GatewayVersion: Type: String Default: R81.20-BYOL AllowedValues: - - R80.40-BYOL - - R80.40-PAYG-NGTP - - R80.40-PAYG-NGTX - - R81-BYOL - - R81-PAYG-NGTP - - R81-PAYG-NGTX - R81.10-BYOL - R81.10-PAYG-NGTP - R81.10-PAYG-NGTX @@ -391,7 +395,7 @@ Resources: VPCStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml + TemplateURL: __URL__/utils/vpc.yaml Parameters: AvailabilityZones: !Ref AvailabilityZone NumberOfAZs: 1 @@ -410,7 +414,7 @@ Resources: Type: AWS::CloudFormation::Stack DependsOn: VPCStack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/cluster/cluster.yaml + TemplateURL: __URL__/cluster/cluster.yaml Parameters: VPC: !GetAtt VPCStack.Outputs.VPCID PublicSubnet: !GetAtt VPCStack.Outputs.PublicSubnet1ID @@ -426,6 +430,7 @@ Resources: EnableInstanceConnect: !Ref EnableInstanceConnect GatewayPredefinedRole: !Ref GatewayPredefinedRole TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken GatewayVersion: !Ref GatewayVersion Shell: !Ref Shell GatewayPasswordHash: !Ref GatewayPasswordHash 
@@ -494,12 +499,12 @@ Rules: MemberATokenNotProvided: RuleCondition: !Equals [!Ref MemberAToken, ''] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member A can not be empty." + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty" Assert: !Equals [!Ref MemberBToken, ''] MemberBTokenNotProvided: RuleCondition: !Equals [ !Ref MemberBToken, '' ] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member B can not be empty." + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty" Assert: !Equals [ !Ref MemberAToken, '' ] MembersTokenValueEquals: RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ] diff --git a/aws/templates/cluster/cluster.yaml b/aws/templates/cluster/cluster.yaml index f065f4f3..f1263257 100755 --- a/aws/templates/cluster/cluster.yaml +++ b/aws/templates/cluster/cluster.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploys a Check Point Cluster into an existing VPC (20240204) +Description: Deploys a Check Point Cluster into an existing VPC (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -23,6 +23,7 @@ Metadata: - EnableInstanceConnect - GatewayPredefinedRole - TerminationProtection + - MetaDataToken - Label: default: Check Point Settings Parameters: @@ -75,6 +76,8 @@ Metadata: default: Existing IAM role name TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token GatewayVersion: default: Version & license Shell: @@ -127,7 +130,7 @@ Parameters: GatewayInstanceType: Description: The instance type of the Secutiry Gateway. Type: String - Default: c5.xlarge + Default: c6in.xlarge AllowedValues: - c4.large - c4.xlarge 
@@ -285,16 +288,17 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false GatewayVersion: Type: String Default: R81.20-BYOL AllowedValues: - - R80.40-BYOL - - R80.40-PAYG-NGTP - - R80.40-PAYG-NGTX - - R81-BYOL - - R81-PAYG-NGTP - - R81-PAYG-NGTX - R81.10-BYOL - R81.10-PAYG-NGTP - R81.10-PAYG-NGTX @@ -390,6 +394,7 @@ Conditions: ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']] EmptyHostName: !Equals [!Ref GatewayHostname, ''] EnableCloudWatch: !Equals [!Ref CloudWatch, true] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] Resources: ClusterReadyHandle: Type: AWS::CloudFormation::WaitConditionHandle @@ -407,7 +412,7 @@ Resources: Condition: CreateRole Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/iam/cluster-iam-role.yaml + TemplateURL: __URL__/iam/cluster-iam-role.yaml ClusterInstanceProfile: Type: AWS::IAM::InstanceProfile Properties: @@ -417,14 +422,14 @@ Resources: Condition: EnableCloudWatch Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/iam/cloudwatch-policy.yaml + TemplateURL: __URL__/iam/cloudwatch-policy.yaml Parameters: PolicyName: !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] PolicyRole: !If [CreateRole, !GetAtt ClusterRole.Outputs.ClusterIAMRole, !Ref GatewayPredefinedRole] AMI: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/amis.yaml + TemplateURL: __URL__/utils/amis.yaml Parameters: Version: !Join [-, [!Ref GatewayVersion, GW]] PermissiveSecurityGroup: 
@@ -520,8 +525,12 @@ Resources: SubnetId: !Ref PrivateSubnet MemberAInstance: Type: AWS::EC2::Instance - DependsOn: [MemberAExternalInterface, MemberAInternalInterface] + DependsOn: [MemberAExternalInterface, MemberAInternalInterface, MemberAGatewayLaunchTemplate] Properties: + LaunchTemplate: + LaunchTemplateId: !Ref MemberAGatewayLaunchTemplate + Version: !GetAtt MemberAGatewayLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection Tags: - Key: Name Value: !Join ['-', [!Ref GatewayName, Member-A]] 
@@ -537,46 +546,14 @@ Resources: - - !Join [ '=', [ cluster-ip, !Ref ClusterPublicAddress ] ] - !Join [ '=', [ cluster-eth0-private-ip, !Select [ 0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses ] ] ] - !Join [ '=', [ cluster-eth1-private-ip, !Select [ 0, !GetAtt MemberAInternalInterface.SecondaryPrivateIpAddresses ] ] ] - ImageId: !GetAtt AMI.Outputs.ImageId - InstanceType: !Ref GatewayInstanceType - BlockDeviceMappings: - - DeviceName: '/dev/xvda' - Ebs: - Encrypted: !If [EncryptedVolume, true, false] - KmsKeyId: !If [EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue'] - VolumeType: !Ref VolumeType - VolumeSize: !Ref VolumeSize - KeyName: !Ref KeyName - NetworkInterfaces: - - DeviceIndex: 0 - NetworkInterfaceId: !Ref MemberAExternalInterface - - DeviceIndex: 1 - NetworkInterfaceId: !Ref MemberAInternalInterface - IamInstanceProfile: !Ref ClusterInstanceProfile - DisableApiTermination: !Ref TerminationProtection - UserData: - 'Fn::Base64': - !Join - - |+ - - - - '#cloud-config' - - 'runcmd:' - - ' - |' - - ' set -e' - - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenA=''${MemberAToken}''' - - !If [AllocateAddress, !Sub ' wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] - - !If [EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-a'] - - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberAPublicAddress, ''], '"']] - - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] - - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] - - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] - - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] - - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] - - ' python3 /etc/cloud_config.py 
enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenA}\"" installationType=\"cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" bootstrapScript64=\"${bootstrap}\"' MemberBInstance: Type: AWS::EC2::Instance - DependsOn: [MemberBExternalInterface, MemberBInternalInterface] + DependsOn: [MemberBExternalInterface, MemberBInternalInterface, MemberBGatewayLaunchTemplate] Properties: + LaunchTemplate: + LaunchTemplateId: !Ref MemberBGatewayLaunchTemplate + Version: !GetAtt MemberBGatewayLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection Tags: - Key: Name Value: !Join ['-', [!Ref GatewayName, Member-B]] 
@@ -592,41 +569,92 @@ Resources: - - !Join [ '=', [ cluster-ip, !Ref ClusterPublicAddress ] ] - !Join [ '=', [ cluster-eth0-private-ip, !Select [ 0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses ] ] ] - !Join [ '=', [ cluster-eth1-private-ip, !Select [ 0, !GetAtt MemberAInternalInterface.SecondaryPrivateIpAddresses ] ] ] - ImageId: !GetAtt AMI.Outputs.ImageId - InstanceType: !Ref GatewayInstanceType - BlockDeviceMappings: - - DeviceName: '/dev/xvda' - Ebs: - Encrypted: !If [EncryptedVolume, true, false] - KmsKeyId: !If [EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue'] - VolumeType: !Ref VolumeType - VolumeSize: !Ref VolumeSize - KeyName: !Ref KeyName - NetworkInterfaces: - - DeviceIndex: 0 - NetworkInterfaceId: !Ref MemberBExternalInterface - - DeviceIndex: 1 - NetworkInterfaceId: !Ref MemberBInternalInterface - IamInstanceProfile: !Ref ClusterInstanceProfile - DisableApiTermination: !Ref TerminationProtection - UserData: - 'Fn::Base64': - !Join - - |+ + MemberAGatewayLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + NetworkInterfaces: + - DeviceIndex: 0 + NetworkInterfaceId: !Ref MemberAExternalInterface + - DeviceIndex: 1 + NetworkInterfaceId: !Ref MemberAInternalInterface + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !Ref ClusterInstanceProfile + UserData: + 'Fn::Base64': + !Join + - |+ - - - '#cloud-config' - - 'runcmd:' - - ' - |' - - ' set -e' - - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; 
ntp2=${NTPSecondary} ; tokenB=''${MemberBToken}''' - - !If [AllocateAddress, !Sub ' wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] - - !If [EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-b'] - - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberBPublicAddress, ''], '"']] - - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] - - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] - - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] - - !Sub [' version=${Version}', {Version: !Select [0, !Split ['.', !Select [0, !Split ['-', !Ref GatewayVersion]]]]}] - - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenB}\"" installationType=\"cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20230923\" templateName=\"cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" elasticIp=\"${eip}\" bootstrapScript64=\"${bootstrap}\"' + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenA=''${MemberAToken}''' + - !If [AllocateAddress, !Sub ' wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] + - !If [EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-a'] + - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberAPublicAddress, ''], '"']] + - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] + - !Join ['', [' 
bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenA}\"" installationType=\"cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version + MemberBGatewayLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + NetworkInterfaces: + - DeviceIndex: 0 + NetworkInterfaceId: !Ref MemberBExternalInterface + - DeviceIndex: 1 + NetworkInterfaceId: !Ref MemberBInternalInterface + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !Ref ClusterInstanceProfile + UserData: + 'Fn::Base64': + !Join + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenB=''${MemberBToken}''' + - !If [AllocateAddress, !Sub ' wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] + - !If [EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-b'] 
+ - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberBPublicAddress, ''], '"']] + - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenB}\"" installationType=\"cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version ClusterPublicAddress: Type: AWS::EC2::EIP Properties: @@ -719,12 +747,12 @@ Rules: MemberATokenNotProvided: RuleCondition: !Equals [!Ref MemberAToken, ''] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member A can not be empty." + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty" Assert: !Equals [!Ref MemberBToken, ''] MemberBTokenNotProvided: RuleCondition: !Equals [ !Ref MemberBToken, '' ] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member B can not be empty." + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty" Assert: !Equals [ !Ref MemberAToken, '' ] MembersTokenValueEquals: RuleCondition: !EachMemberEquals [[!Ref MemberBToken], !Ref MemberAToken] 
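Review bot: Moving `UserData` into `MemberAGatewayLaunchTemplate` and `MemberBGatewayLaunchTemplate` in `@@ -592,41 +569,92 @@` means the SIC key, password hashes and Smart-1 Cloud token are now persisted in a launch template version in addition to the instance's user data, and launch template versions are readable through the EC2 API (`ec2:DescribeLaunchTemplateVersions`) by any principal granted that action, independent of the `HttpTokens` setting. This is an expansion of where bootstrap credentials live that the commit does not call out; at minimum the resource deserves a comment such as `# UserData embeds bootstrap credentials (SIC key, password hashes, Smart-1 token) base64-encoded; scope ec2:DescribeLaunchTemplateVersions and ec2:DescribeInstanceAttribute accordingly`. `VersionDescription: Initial template version` will also become misleading as soon as a stack update creates a second version; a generic description or the template version placeholder would age better. The same applies to the launch templates added in `@@ -645,46 +624,100 @@` of cross-az-cluster.yaml.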
@@ -734,3 +762,4 @@ Rules: - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" Assert: !Equals [ !Ref MemberBToken, '' ] + diff --git a/aws/templates/cross-az-cluster/cross-az-cluster-master.yaml b/aws/templates/cross-az-cluster/cross-az-cluster-master.yaml index 65ed15aa..dcc61a70 100644 --- a/aws/templates/cross-az-cluster/cross-az-cluster-master.yaml +++ b/aws/templates/cross-az-cluster/cross-az-cluster-master.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy a Check Point Cluster in a new VPC (20240204) +Description: Deploy a Check Point Cluster in a new VPC (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -24,6 +24,7 @@ Metadata: - EnableInstanceConnect - GatewayPredefinedRole - TerminationProtection + - MetaDataToken - Label: default: Check Point Settings Parameters: @@ -78,6 +79,8 @@ Metadata: default: Existing IAM role name TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token GatewayVersion: default: Version & license Shell: @@ -148,7 +151,7 @@ Parameters: GatewayInstanceType: Description: The instance type of the Secutiry Gateway. Type: String - Default: c5.xlarge + Default: c6in.xlarge AllowedValues: - c4.large - c4.xlarge @@ -298,6 +301,13 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false GatewayVersion: Type: String Default: R81.20-BYOL @@ -391,7 +401,7 @@ Resources: VPCStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml + TemplateURL: __URL__/utils/vpc.yaml Parameters: AvailabilityZones: !Join [',', !Ref AvailabilityZones] NumberOfAZs: 2 
@@ -412,7 +422,7 @@ Resources: Type: AWS::CloudFormation::Stack DependsOn: VPCStack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/cluster/cross-az-cluster.yaml + TemplateURL: __URL__/cluster/cross-az-cluster.yaml Parameters: VPC: !GetAtt VPCStack.Outputs.VPCID PublicSubnetA: !GetAtt VPCStack.Outputs.PublicSubnet1ID @@ -429,6 +439,7 @@ Resources: EnableInstanceConnect: !Ref EnableInstanceConnect GatewayPredefinedRole: !Ref GatewayPredefinedRole TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken GatewayVersion: !Ref GatewayVersion Shell: !Ref Shell GatewayPasswordHash: !Ref GatewayPasswordHash @@ -497,12 +508,12 @@ Rules: MemberATokenNotProvided: RuleCondition: !Equals [!Ref MemberAToken, ''] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member A can not be empty." + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty" Assert: !Equals [!Ref MemberBToken, ''] MemberBTokenNotProvided: RuleCondition: !Equals [ !Ref MemberBToken, '' ] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member B can not be empty." + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty" Assert: !Equals [ !Ref MemberAToken, '' ] MembersTokenValueEquals: RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ] diff --git a/aws/templates/cross-az-cluster/cross-az-cluster.yaml b/aws/templates/cross-az-cluster/cross-az-cluster.yaml index 7f4a56ac..5d294579 100644 --- a/aws/templates/cross-az-cluster/cross-az-cluster.yaml +++ b/aws/templates/cross-az-cluster/cross-az-cluster.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploys a Check Point Cluster into an existing VPC (20240204) +Description: Deploys a Check Point Cluster into an existing VPC (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: 
@@ -25,6 +25,7 @@ Metadata: - EnableInstanceConnect - GatewayPredefinedRole - TerminationProtection + - MetaDataToken - Label: default: Check Point Settings Parameters: @@ -81,6 +82,8 @@ Metadata: default: Existing IAM role name TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token GatewayVersion: default: Version & license Shell: @@ -145,7 +148,7 @@ Parameters: GatewayInstanceType: Description: The instance type of the Secutiry Gateway. Type: String - Default: c5.xlarge + Default: c6in.xlarge AllowedValues: - c4.large - c4.xlarge @@ -303,6 +306,13 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false GatewayVersion: Type: String Default: R81.20-BYOL @@ -398,6 +408,7 @@ Conditions: ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']] EmptyHostName: !Equals [!Ref GatewayHostname, ''] EnableCloudWatch: !Equals [!Ref CloudWatch, true] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] Resources: ClusterReadyHandle: Type: AWS::CloudFormation::WaitConditionHandle @@ -415,7 +426,7 @@ Resources: Condition: CreateRole Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/iam/cluster-iam-role.yaml + TemplateURL: __URL__/iam/cluster-iam-role.yaml ClusterInstanceProfile: Type: AWS::IAM::InstanceProfile Properties: 
@@ -425,14 +436,14 @@ Resources: Condition: EnableCloudWatch Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/iam/cloudwatch-policy.yaml + TemplateURL: __URL__/iam/cloudwatch-policy.yaml Parameters: PolicyName: !If [ ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName' ] PolicyRole: !If [CreateRole, !GetAtt ClusterRole.Outputs.ClusterIAMRole, !Ref GatewayPredefinedRole] AMI: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/amis.yaml + TemplateURL: __URL__/utils/amis.yaml Parameters: Version: !Join ['-', [!Ref GatewayVersion, GW]] PermissiveSecurityGroup: @@ -571,8 +582,12 @@ Resources: PrivateIpAddress: !GetAtt MemberBExternalInterface.PrimaryPrivateIpAddress MemberAInstance: Type: AWS::EC2::Instance - DependsOn: [MemberAExternalInterface, MemberAInternalInterface, ClusterPublicAddress, MemberBInternalInterface, MemberBExternalInterface] + DependsOn: [MemberAExternalInterface, MemberAInternalInterface, ClusterPublicAddress, MemberBInternalInterface, MemberBExternalInterface, MemberAGatewayLaunchTemplate] Properties: + LaunchTemplate: + LaunchTemplateId: !Ref MemberAGatewayLaunchTemplate + Version: !GetAtt MemberAGatewayLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection Tags: - Key: Name Value: !Join ['-', [!Ref GatewayName, Member-A]] 
@@ -587,50 +602,14 @@ Resources: - ':' - - !Join [ '=', [ cluster-ip, !Ref ClusterPublicAddress ] ] - !Join [ '=', [ secondary-external-private-ip, !Select [ 0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses ] ] ] - ImageId: !GetAtt AMI.Outputs.ImageId - InstanceType: !Ref GatewayInstanceType - BlockDeviceMappings: - - DeviceName: '/dev/xvda' - Ebs: - Encrypted: !If [EncryptedVolume, true, false] - KmsKeyId: !If [EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue'] - VolumeType: !Ref VolumeType - VolumeSize: !Ref VolumeSize - KeyName: !Ref KeyName - NetworkInterfaces: - - DeviceIndex: 0 - NetworkInterfaceId: !Ref MemberAExternalInterface - - DeviceIndex: 1 - NetworkInterfaceId: !Ref MemberAInternalInterface - IamInstanceProfile: !Ref ClusterInstanceProfile - DisableApiTermination: !Ref TerminationProtection - UserData: - 'Fn::Base64': - !Join - - |+ - - - - '#cloud-config' - - 'runcmd:' - - ' - |' - - ' set -e' - - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenA=''${MemberAToken}''' - - !If [AllocateAddress, !Sub ' wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] - - !If [EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-a'] - - !Join ['', [' other_member_ip="', !GetAtt MemberBInternalInterface.PrimaryPrivateIpAddress, '"']] - - !Join ['', [' secondary_ip="', !Select [0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses], '"']] - - !Join ['', [' remote_secondary_ip="', !Select [0, !GetAtt MemberBExternalInterface.SecondaryPrivateIpAddresses], '"']] - - !Join ['', [' cluster_ip="', !Ref ClusterPublicAddress, '"']] - - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberAPublicAddress, ''], '"']] - - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] - - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] - - !Join ['', [' 
maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] - - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] - - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] - - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenA}\"" installationType=\"cross-az-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"cross_az_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" otherMemberIp=\"${other_member_ip}\" clusterIp=\"${cluster_ip}\" secondaryIp=\"${secondary_ip}\" otherMemberPrivateClusterIp=\"${remote_secondary_ip}\" bootstrapScript64=\"${bootstrap}\"' MemberBInstance: Type: AWS::EC2::Instance - DependsOn: [MemberBExternalInterface, MemberBInternalInterface, ClusterPublicAddress, MemberAInternalInterface, MemberAExternalInterface] + DependsOn: [MemberBExternalInterface, MemberBInternalInterface, ClusterPublicAddress, MemberAInternalInterface, MemberBGatewayLaunchTemplate] Properties: + LaunchTemplate: + LaunchTemplateId: !Ref MemberBGatewayLaunchTemplate + Version: !GetAtt MemberBGatewayLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection Tags: - Key: Name Value: !Join ['-', [!Ref GatewayName, Member-B]] 
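Review bot: The `DependsOn` rewrite for MemberBInstance in `@@ -587,50 +602,14 @@` replaces `MemberAExternalInterface` with `MemberBGatewayLaunchTemplate`, whereas MemberAInstance in `@@ -571,8 +582,12 @@` keeps its full list and appends the launch template; the asymmetry looks accidental. Ordering is presumably still preserved because `MemberBGatewayLaunchTemplate` reads `!GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses` and so depends on that ENI implicitly, but relying on a transitive dependency through a different resource is fragile. I would restore the explicit entry: `DependsOn: [MemberBExternalInterface, MemberBInternalInterface, ClusterPublicAddress, MemberAInternalInterface, MemberAExternalInterface, MemberBGatewayLaunchTemplate]`. The MemberBInstance definition continues past the end of this hunk.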
@@ -645,46 +624,100 @@ Resources: - ':' - - !Join [ '=', [ cluster-ip, !Ref ClusterPublicAddress ] ] - !Join [ '=', [ secondary-external-private-ip, !Select [ 0, !GetAtt MemberBExternalInterface.SecondaryPrivateIpAddresses ] ] ] - ImageId: !GetAtt AMI.Outputs.ImageId - InstanceType: !Ref GatewayInstanceType - BlockDeviceMappings: - - DeviceName: '/dev/xvda' - Ebs: - Encrypted: !If [EncryptedVolume, true, false] - KmsKeyId: !If [EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue'] - VolumeType: !Ref VolumeType - VolumeSize: !Ref VolumeSize - KeyName: !Ref KeyName - NetworkInterfaces: - - DeviceIndex: 0 - NetworkInterfaceId: !Ref MemberBExternalInterface - - DeviceIndex: 1 - NetworkInterfaceId: !Ref MemberBInternalInterface - IamInstanceProfile: !Ref ClusterInstanceProfile - DisableApiTermination: !Ref TerminationProtection - UserData: - 'Fn::Base64': - !Join - - |+ + MemberAGatewayLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + NetworkInterfaces: + - DeviceIndex: 0 + NetworkInterfaceId: !Ref MemberAExternalInterface + - DeviceIndex: 1 + NetworkInterfaceId: !Ref MemberAInternalInterface + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !Ref ClusterInstanceProfile + UserData: + 'Fn::Base64': + !Join + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenA=''${MemberAToken}''' + - !If [AllocateAddress, !Sub ' 
wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] + - !If [EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-a'] + - !Join ['', [' other_member_ip="', !GetAtt MemberBInternalInterface.PrimaryPrivateIpAddress, '"']] + - !Join ['', [' secondary_ip="', !Select [0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses], '"']] + - !Join ['', [' remote_secondary_ip="', !Select [0, !GetAtt MemberBExternalInterface.SecondaryPrivateIpAddresses], '"']] + - !Join ['', [' cluster_ip="', !Ref ClusterPublicAddress, '"']] + - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberAPublicAddress, ''], '"']] + - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenA}\"" installationType=\"cross-az-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"cross_az_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" otherMemberIp=\"${other_member_ip}\" clusterIp=\"${cluster_ip}\" secondaryIp=\"${secondary_ip}\" otherMemberPrivateClusterIp=\"${remote_secondary_ip}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version + MemberBGatewayLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + NetworkInterfaces: + - 
DeviceIndex: 0 + NetworkInterfaceId: !Ref MemberBExternalInterface + - DeviceIndex: 1 + NetworkInterfaceId: !Ref MemberBInternalInterface + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !Ref ClusterInstanceProfile + UserData: + 'Fn::Base64': + !Join + - |+ - - - '#cloud-config' - - 'runcmd:' - - ' - |' - - ' set -e' - - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenB=''${MemberBToken}''' - - !If [AllocateAddress, !Sub ' wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] - - !If [EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-b'] - - !Join ['', [' other_member_ip="', !GetAtt MemberAInternalInterface.PrimaryPrivateIpAddress, '"']] - - !Join ['', [' secondary_ip="', !Select [0, !GetAtt MemberBExternalInterface.SecondaryPrivateIpAddresses], '"']] - - !Join ['', [' remote_secondary_ip="', !Select [0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses], '"']] - - !Join ['', [' cluster_ip="', !Ref ClusterPublicAddress, '"']] - - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberBPublicAddress, ''], '"']] - - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] - - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] - - !Join [ '', [ ' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"' ] ] - - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] - - !Sub [' version=${Version}', {Version: 
!Select [0, !Split ['-', !Ref GatewayVersion]]}] - - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenB}\"" installationType=\"cross-az-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"cross_az_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" otherMemberIp=\"${other_member_ip}\" clusterIp=\"${cluster_ip}\" secondaryIp=\"${secondary_ip}\" otherMemberPrivateClusterIp=\"${remote_secondary_ip}\" bootstrapScript64=\"${bootstrap}\"' + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenB=''${MemberBToken}''' + - !If [AllocateAddress, !Sub ' wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] + - !If [EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-b'] + - !Join ['', [' other_member_ip="', !GetAtt MemberAInternalInterface.PrimaryPrivateIpAddress, '"']] + - !Join ['', [' secondary_ip="', !Select [0, !GetAtt MemberBExternalInterface.SecondaryPrivateIpAddresses], '"']] + - !Join ['', [' remote_secondary_ip="', !Select [0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses], '"']] + - !Join ['', [' cluster_ip="', !Ref ClusterPublicAddress, '"']] + - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberBPublicAddress, ''], '"']] + - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] + - !Join [ '', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"' ] ] + - !Join ['', [' 
bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenB}\"" installationType=\"cross-az-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"cross_az_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" otherMemberIp=\"${other_member_ip}\" clusterIp=\"${cluster_ip}\" secondaryIp=\"${secondary_ip}\" otherMemberPrivateClusterIp=\"${remote_secondary_ip}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version Outputs: ClusterPublicAddress: Description: The public address of the cluster. @@ -739,12 +772,12 @@ Rules: MemberATokenNotProvided: RuleCondition: !Equals [!Ref MemberAToken, ''] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member A can not be empty." + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty" Assert: !Equals [!Ref MemberBToken, ''] MemberBTokenNotProvided: RuleCondition: !Equals [ !Ref MemberBToken, '' ] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member B can not be empty." + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty" Assert: !Equals [ !Ref MemberAToken, '' ] MembersTokenValueEquals: RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ] diff --git a/aws/templates/geo-cluster/geo-cluster-master.yaml b/aws/templates/geo-cluster/geo-cluster-master.yaml index d030832c..a07c6ed7 100644 --- a/aws/templates/geo-cluster/geo-cluster-master.yaml +++ b/aws/templates/geo-cluster/geo-cluster-master.yaml 
@@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy a Check Point cross AZ Cluster in a new VPC (20240204) +Description: Deploy a Check Point cross AZ Cluster in a new VPC (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -25,6 +25,7 @@ Metadata: - EnableInstanceConnect - GatewayPredefinedRole - TerminationProtection + - MetaDataToken - Label: default: Check Point Settings Parameters: @@ -81,6 +82,8 @@ Metadata: default: Existing IAM role name TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token GatewayVersion: default: Gateways version & license Shell: @@ -151,7 +154,7 @@ Parameters: GatewayInstanceType: Description: The instance type of the Secutiry Gateway. Type: String - Default: c5.xlarge + Default: c6in.xlarge AllowedValues: - c4.large - c4.xlarge @@ -309,17 +312,18 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false GatewayVersion: Description: The license to install on the Security Gateways. Type: String Default: R81.10-BYOL AllowedValues: - - R80.40-BYOL - - R80.40-PAYG-NGTP - - R80.40-PAYG-NGTX - - R81-BYOL - - R81-PAYG-NGTP - - R81-PAYG-NGTX - R81.10-BYOL - R81.10-PAYG-NGTP - R81.10-PAYG-NGTX @@ -409,7 +413,7 @@ Resources: VPCStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml + TemplateURL: __URL__/utils/vpc.yaml Parameters: AvailabilityZones: !Join [',', !Ref AvailabilityZones] NumberOfAZs: 2 @@ -429,7 +433,7 @@ Resources: ClusterStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/cluster/geo-cluster.yaml + TemplateURL: __URL__/cluster/geo-cluster.yaml Parameters: VPC: !GetAtt VPCStack.Outputs.VPCID PublicSubnetA: !GetAtt VPCStack.Outputs.PublicSubnet1ID 
@@ -447,6 +451,7 @@ Resources: EnableInstanceConnect: !Ref EnableInstanceConnect GatewayPredefinedRole: !Ref GatewayPredefinedRole TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken GatewayVersion: !Ref GatewayVersion Shell: !Ref Shell GatewayPasswordHash: !Ref GatewayPasswordHash @@ -502,12 +507,12 @@ Rules: MemberATokenNotProvided: RuleCondition: !Equals [!Ref MemberAToken, ''] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member A can not be empty." + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty" Assert: !Equals [!Ref MemberBToken, ''] MemberBTokenNotProvided: RuleCondition: !Equals [ !Ref MemberBToken, '' ] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member B can not be empty." + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty" Assert: !Equals [ !Ref MemberAToken, '' ] MembersTokenValueEquals: RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ] diff --git a/aws/templates/geo-cluster/geo-cluster.yaml b/aws/templates/geo-cluster/geo-cluster.yaml index 86d9ea95..eee0a855 100644 --- a/aws/templates/geo-cluster/geo-cluster.yaml +++ b/aws/templates/geo-cluster/geo-cluster.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploys a Check Point cross AZ Cluster into an existing VPC (20240204) +Description: Deploys a Check Point cross AZ Cluster into an existing VPC (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -25,6 +25,7 @@ Metadata: - EnableInstanceConnect - GatewayPredefinedRole - TerminationProtection + - MetaDataToken - Label: default: Check Point Settings Parameters: @@ -81,6 +82,8 @@ Metadata: default: Existing IAM role name TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token GatewayVersion: default: Gateways version & license Shell: 
@@ -145,7 +148,7 @@ Parameters: Default: Check-Point-Cluster GatewayInstanceType: Type: String - Default: c5.xlarge + Default: c6in.xlarge AllowedValues: - c4.large - c4.xlarge @@ -303,17 +306,18 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false GatewayVersion: Description: The license to install on the Security Gateways. Type: String Default: R81.10-BYOL AllowedValues: - - R80.40-BYOL - - R80.40-PAYG-NGTP - - R80.40-PAYG-NGTX - - R81-BYOL - - R81-PAYG-NGTP - - R81-PAYG-NGTX - R81.10-BYOL - R81.10-PAYG-NGTP - R81.10-PAYG-NGTX @@ -406,6 +410,7 @@ Conditions: ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']] EmptyHostName: !Equals [!Ref GatewayHostname, ''] EnableCloudWatch: !Equals [!Ref CloudWatch, true] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] Resources: ClusterReadyHandle: Type: AWS::CloudFormation::WaitConditionHandle @@ -422,7 +427,7 @@ Resources: ClusterRole: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/iam/cluster-iam-role.yaml + TemplateURL: __URL__/iam/cluster-iam-role.yaml ClusterInstanceProfile: Type: AWS::IAM::InstanceProfile Properties: @@ -432,14 +437,14 @@ Resources: Condition: EnableCloudWatch Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/iam/cloudwatch-policy.yaml + TemplateURL: __URL__/iam/cloudwatch-policy.yaml Parameters: PolicyName: !If [ ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName' ] PolicyRole: !If [CreateRole, !GetAtt ClusterRole.Outputs.ClusterIAMRole, !Ref GatewayPredefinedRole] AMI: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/amis.yaml + TemplateURL: __URL__/utils/amis.yaml Parameters: Version: !Join ['-', [!Ref GatewayVersion, GW]] PermissiveSecurityGroup: 
@@ -535,90 +540,111 @@ Resources: SubnetId: !Ref PrivateSubnetB MemberAInstance: Type: AWS::EC2::Instance - DependsOn: MemberAInternalInterface + DependsOn: [MemberAInternalInterface, MemberAGatewayLaunchTemplate] Properties: + LaunchTemplate: + LaunchTemplateId: !Ref MemberAGatewayLaunchTemplate + Version: !GetAtt MemberAGatewayLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection Tags: - Key: Name Value: !Join ['-', [!Ref GatewayName, Member-A]] - ImageId: !GetAtt AMI.Outputs.ImageId - InstanceType: !Ref GatewayInstanceType - BlockDeviceMappings: - - DeviceName: '/dev/xvda' - Ebs: - Encrypted: !If [EncryptedVolume, true, false] - KmsKeyId: !If [EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue'] - VolumeType: !Ref VolumeType - VolumeSize: !Ref VolumeSize - KeyName: !Ref KeyName - NetworkInterfaces: - - DeviceIndex: 0 - NetworkInterfaceId: !Ref MemberAExternalInterface - - DeviceIndex: 1 - NetworkInterfaceId: !Ref MemberAInternalInterface - IamInstanceProfile: !Ref ClusterInstanceProfile - DisableApiTermination: !Ref TerminationProtection - UserData: !Base64 - 'Fn::Join': - - |+ - - - - '#cloud-config' - - 'runcmd:' - - ' - |' - - ' set -e' - - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenA=''${MemberAToken}''' - - !If [AllocateAddress, !Sub ' wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] - - !If [EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-a'] - - !Join ['', [' other_member_ip="', !GetAtt MemberBInternalInterface.PrimaryPrivateIpAddress, '"']] - - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberAPublicAddress, ''], '"']] - - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] - - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] - - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref 
GatewayMaintenancePasswordHash, ')"']] - - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] - - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] - - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenA}\"" installationType=\"geo-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"geo_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" elasticIp=\"${eip}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" otherMemberIp=\"${other_member_ip}\" bootstrapScript64=\"${bootstrap}\"' MemberBInstance: Type: AWS::EC2::Instance - DependsOn: MemberBInternalInterface + DependsOn: [MemberBInternalInterface, MemberBGatewayLaunchTemplate] Properties: + LaunchTemplate: + LaunchTemplateId: !Ref MemberBGatewayLaunchTemplate + Version: !GetAtt MemberBGatewayLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection Tags: - Key: Name Value: !Join ['-', [!Ref GatewayName, Member-B]] - ImageId: !GetAtt AMI.Outputs.ImageId - InstanceType: !Ref GatewayInstanceType - BlockDeviceMappings: - - DeviceName: '/dev/xvda' - Ebs: - Encrypted: !If [EncryptedVolume, true, false] - KmsKeyId: !If [EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue'] - VolumeType: !Ref VolumeType - VolumeSize: !Ref VolumeSize - KeyName: !Ref KeyName - NetworkInterfaces: - - DeviceIndex: 0 - NetworkInterfaceId: !Ref MemberBExternalInterface - - DeviceIndex: 1 - NetworkInterfaceId: !Ref MemberBInternalInterface - IamInstanceProfile: !Ref ClusterInstanceProfile - DisableApiTermination: !Ref TerminationProtection - UserData: !Base64 - 'Fn::Join': - - |+ + MemberAGatewayLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: 
+ NetworkInterfaces: + - DeviceIndex: 0 + NetworkInterfaceId: !Ref MemberAExternalInterface + - DeviceIndex: 1 + NetworkInterfaceId: !Ref MemberAInternalInterface + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !Ref ClusterInstanceProfile + UserData: !Base64 + 'Fn::Join': + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenA=''${MemberAToken}''' + - !If [AllocateAddress, !Sub ' wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] + - !If [EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-a'] + - !Join ['', [' other_member_ip="', !GetAtt MemberBInternalInterface.PrimaryPrivateIpAddress, '"']] + - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberAPublicAddress, ''], '"']] + - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenA}\"" installationType=\"geo-cluster\" osVersion=\"${version}\" 
allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"geo_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" elasticIp=\"${eip}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" otherMemberIp=\"${other_member_ip}\" bootstrapScript64=\"${bootstrap}\"' + MemberBGatewayLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + NetworkInterfaces: + - DeviceIndex: 0 + NetworkInterfaceId: !Ref MemberBExternalInterface + - DeviceIndex: 1 + NetworkInterfaceId: !Ref MemberBInternalInterface + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !Ref ClusterInstanceProfile + UserData: !Base64 + 'Fn::Join': + - |+ - - - '#cloud-config' - - 'runcmd:' - - ' - |' - - ' set -e' - - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenB=''${MemberBToken}''' - - !If [AllocateAddress, !Sub ' wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] - - !If [EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-b'] - - !Join ['', [' other_member_ip="', !GetAtt MemberAInternalInterface.PrimaryPrivateIpAddress, '"']] - - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberBPublicAddress, ''], '"']] - - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] - - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] - - !Join ['', [' 
maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] - - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] - - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] - - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenB}\"" installationType=\"geo-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"geo_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" otherMemberIp=\"${other_member_ip}\" bootstrapScript64=\"${bootstrap}\"' + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenB=''${MemberBToken}''' + - !If [AllocateAddress, !Sub ' wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] + - !If [EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-b'] + - !Join ['', [' other_member_ip="', !GetAtt MemberAInternalInterface.PrimaryPrivateIpAddress, '"']] + - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberBPublicAddress, ''], '"']] + - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] + - !Join [ '', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"' ] ] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - ' python3 /etc/cloud_config.py 
enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenB}\"" installationType=\"geo-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"geo_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" otherMemberIp=\"${other_member_ip}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version MemberAPublicAddress: Type: AWS::EC2::EIP Condition: AllocateAddress @@ -692,12 +718,12 @@ Rules: MemberATokenNotProvided: RuleCondition: !Equals [!Ref MemberAToken, ''] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member A can not be empty." + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty" Assert: !Equals [!Ref MemberBToken, ''] MemberBTokenNotProvided: RuleCondition: !Equals [ !Ref MemberBToken, '' ] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member B can not be empty." + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty" Assert: !Equals [ !Ref MemberAToken, '' ] MembersTokenValueEquals: RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ] diff --git a/aws/templates/gwlb-asg/gwlb-master.yaml b/aws/templates/gwlb-asg/gwlb-master.yaml index d10e85ad..6766a1b3 100644 --- a/aws/templates/gwlb-asg/gwlb-master.yaml +++ b/aws/templates/gwlb-asg/gwlb-master.yaml 
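Review bot: The member user data moved into `MemberAGatewayLaunchTemplate` / `MemberBGatewayLaunchTemplate` `LaunchTemplateData.UserData` still embeds `GatewaySICKey`, `GatewayPasswordHash`, `GatewayMaintenancePasswordHash` and the Smart-1 Cloud token only base64-encoded, so anyone with `ec2:DescribeLaunchTemplateVersions` on the account (in addition to any process reaching IMDS on the member) can read them; the exposure is the same as the old instance `UserData` had, but the launch template version now persists independently of the instance and should be treated as secret-bearing. A comment above each `UserData:` such as `# Carries SIC key, password hashes and Smart-1 Cloud token (base64 only, not encrypted); restrict ec2:DescribeLaunchTemplateVersions accordingly` would make that visible to operators. The `MetadataOptions` block sets only `HttpTokens: !If [EnableMetaDataToken, required, optional]`, which is sufficient for the v2 requirement, but note that the `optional` branch re-enables IMDSv1 for anything on the member. The added `DependsOn: [..., MemberAGatewayLaunchTemplate]` entries are redundant, since the `!Ref` / `!GetAtt` on the template already order creation. The `Resources` section continues outside this hunk.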
@@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, in a new VPC (20240204) +Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, in a new VPC (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -22,6 +22,7 @@ Metadata: - VolumeType - EnableInstanceConnect - TerminationProtection + - MetaDataToken - AllowUploadDownload - ManagementServer - ConfigurationTemplate @@ -48,6 +49,7 @@ Metadata: - ControlGatewayOverPrivateOrPublicAddress - AllocatePublicAddress - CloudWatch + - GatewayBootstrapScript - Label: default: Check Point CloudGuard IaaS Security Management Server Configuration Parameters: @@ -87,6 +89,8 @@ Metadata: default: Enable AWS Instance Connect TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token AllowUploadDownload: default: Allow upload & download ManagementServer: @@ -127,6 +131,8 @@ Metadata: default: Allocate Public IPs CloudWatch: default: CloudWatch metrics + GatewayBootstrapScript: + default: Gateways bootstrap script ManagementDeploy: default: Deploy Management Server ManagementInstanceType: @@ -223,6 +229,13 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false AllowUploadDownload: Description: Automatically download updates and share statistical data for product improvement purpose. Type: String @@ -289,7 +302,7 @@ Parameters: GatewayInstanceType: Description: The EC2 instance type for the Security Gateways. Type: String - Default: c5.xlarge + Default: c6in.xlarge AllowedValues: - c4.large - c4.xlarge 
@@ -417,9 +430,6 @@ Parameters: Type: String Default: R81.20-BYOL AllowedValues: - - R80.40-BYOL - - R80.40-PAYG-NGTP - - R80.40-PAYG-NGTX - R81.20-BYOL - R81.20-PAYG-NGTP - R81.20-PAYG-NGTX @@ -462,6 +472,11 @@ Parameters: AllowedValues: - true - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true ManagementDeploy: Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section. Type: String @@ -588,10 +603,6 @@ Parameters: Type: String Default: R81.20-BYOL AllowedValues: - - R80.40-BYOL - - R80.40-PAYG - - R81-BYOL - - R81-PAYG - R81.10-BYOL - R81.10-PAYG - R81.20-BYOL @@ -636,7 +647,7 @@ Resources: VPCStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml + TemplateURL: __URL__/utils/vpc.yaml Parameters: AvailabilityZones: !Join [',' , !Ref AvailabilityZones] NumberOfAZs: !Ref NumberOfAZs @@ -649,7 +660,7 @@ Resources: GWLBStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/gwlb.yaml + TemplateURL: __URL__/gwlb/gwlb.yaml Parameters: VPC: !GetAtt VPCStack.Outputs.VPCID GatewaysSubnets: !Join @@ -664,6 +675,7 @@ Resources: VolumeSize: !Ref VolumeSize EnableInstanceConnect: !Ref EnableInstanceConnect TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken AllowUploadDownload: !Ref AllowUploadDownload ManagementServer: !Ref ManagementServer ConfigurationTemplate: !Ref ConfigurationTemplate 
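Review bot: The new `GatewayBootstrapScript` parameter's Description, `An optional script with semicolon (;) separated commands to run on the initial boot. (optional)`, states optionality twice; drop the trailing `(optional)` so it reads like the other optional parameters. `NoEcho: true` is appropriate for a bootstrap script that may carry credentials, but NoEcho only masks the parameter in stack describe calls — once the value is handed on via `GatewayBootstrapScript: !Ref GatewayBootstrapScript` to the nested stack (next hunk) and, presumably, into gateway user data there, it is readable again through the EC2 APIs and IMDS, so the parameter's Description could say so. The same parameter block with the same wording is added to gwlb.yaml and tgw-gwlb-master.yaml in this commit.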
@@ -684,6 +696,7 @@ Resources: ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress AllocatePublicAddress: !Ref AllocatePublicAddress CloudWatch: !Ref CloudWatch + GatewayBootstrapScript: !Ref GatewayBootstrapScript ManagementDeploy: !Ref ManagementDeploy ManagementInstanceType: !Ref ManagementInstanceType ManagementVersion: !Ref ManagementVersion @@ -715,7 +728,7 @@ Outputs: Value: !GetAtt GWLBStack.Outputs.GWLBServiceName Rules: GatewayAddressAllocationRule: - RuleCondition: !Equals [!Ref ControlGatewayOverPrivateOrPublicAddress, 'public'] - Assertions: + RuleCondition: !Equals [!Ref ControlGatewayOverPrivateOrPublicAddress, 'public'] + Assertions: - AssertDescription: "Gateway's selected to be provisioned by public IP, but ['AllocatePublicAddress'] parameter is false" Assert: !Equals [!Ref AllocatePublicAddress, 'true'] diff --git a/aws/templates/gwlb-asg/gwlb.yaml b/aws/templates/gwlb-asg/gwlb.yaml index 8b2d8830..8d0340f7 100644 --- a/aws/templates/gwlb-asg/gwlb.yaml +++ b/aws/templates/gwlb-asg/gwlb.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, in a new VPC (20240204) +Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, in a new VPC (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -17,6 +17,7 @@ Metadata: - VolumeType - EnableInstanceConnect - TerminationProtection + - MetaDataToken - AllowUploadDownload - ManagementServer - ConfigurationTemplate @@ -43,6 +44,7 @@ Metadata: - ControlGatewayOverPrivateOrPublicAddress - AllocatePublicAddress - CloudWatch + - GatewayBootstrapScript - Label: default: Check Point CloudGuard IaaS Security Management Server Configuration Parameters: 
@@ -72,6 +74,8 @@ Metadata: default: Enable AWS Instance Connect TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token AllowUploadDownload: default: Allow upload & download ManagementServer: @@ -112,6 +116,8 @@ Metadata: default: Allocate Public IPs CloudWatch: default: CloudWatch metrics + GatewayBootstrapScript: + default: Gateways bootstrap script ManagementDeploy: default: Deploy Management Server ManagementInstanceType: @@ -177,6 +183,13 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false AllowUploadDownload: Description: Automatically download updates and share statistical data for product improvement purpose. Type: String @@ -239,7 +252,7 @@ Parameters: GatewayInstanceType: Description: The EC2 instance type for the Security Gateways. Type: String - Default: c5.xlarge + Default: c6in.xlarge AllowedValues: - c4.large - c4.xlarge @@ -367,9 +380,6 @@ Parameters: Type: String Default: R81.20-BYOL AllowedValues: - - R80.40-BYOL - - R80.40-PAYG-NGTP - - R80.40-PAYG-NGTX - R81.20-BYOL - R81.20-PAYG-NGTP - R81.20-PAYG-NGTX @@ -412,6 +422,11 @@ Parameters: AllowedValues: - true - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true ManagementDeploy: Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section. Type: String @@ -538,10 +553,6 @@ Parameters: Type: String Default: R81.20-BYOL AllowedValues: - - R80.40-BYOL - - R80.40-PAYG - - R81-BYOL - - R81-PAYG - R81.10-BYOL - R81.10-PAYG - R81.20-BYOL 
@@ -631,7 +642,7 @@ Resources: SecurityGatewaysStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/autoscale-gwlb.yaml + TemplateURL: __URL__/gwlb/autoscale-gwlb.yaml Parameters: VPC: !Ref VPC GatewaysSubnets: !Join [',', !Ref GatewaysSubnets] @@ -643,6 +654,7 @@ Resources: VolumeType: !Ref VolumeType VolumeSize: !Ref VolumeSize EnableInstanceConnect: !Ref EnableInstanceConnect + MetaDataToken: !Ref MetaDataToken GatewaysMinSize: !Ref GatewaysMinSize GatewaysMaxSize: !Ref GatewaysMaxSize AdminEmail: !Ref AdminEmail @@ -655,13 +667,14 @@ Resources: ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress AllocatePublicAddress: !Ref AllocatePublicAddress CloudWatch: !Ref CloudWatch + GatewayBootstrapScript: !Ref GatewayBootstrapScript ManagementServer: !Ref ManagementServer ConfigurationTemplate: !Ref ConfigurationTemplate ManagementStack: Type: AWS::CloudFormation::Stack Condition: DeployManagement Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/management-gwlb.yaml + TemplateURL: __URL__/gwlb/management-gwlb.yaml Parameters: VPC: !Ref VPC ManagementSubnet: !Select [0, !Ref GatewaysSubnets] @@ -682,6 +695,7 @@ Resources: GatewayManagement: !Ref GatewayManagement GatewaysAddresses: !Ref GatewaysAddresses TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken ManagementBootstrapScript: !Join - ';' - - 'echo -e "\nStarting Bootstrap script\n"' diff --git a/aws/templates/gwlb-asg/qs-gwlb-master.yaml b/aws/templates/gwlb-asg/qs-gwlb-master.yaml index c95da46e..6979b470 100644 --- a/aws/templates/gwlb-asg/qs-gwlb-master.yaml +++ b/aws/templates/gwlb-asg/qs-gwlb-master.yaml 
@@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, in a new VPC (05072024) +Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, in a new VPC (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -37,6 +37,7 @@ Metadata: - VolumeType - EnableInstanceConnect - TerminationProtection + - MetaDataToken - AllowUploadDownload - ManagementServer - ConfigurationTemplate @@ -133,6 +134,8 @@ Metadata: default: Enable AWS Instance Connect TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token AllowUploadDownload: default: Allow upload & download ManagementServer: @@ -335,6 +338,13 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false AllowUploadDownload: Description: Automatically download updates and share statistical data for product improvement purpose. Type: String @@ -401,7 +411,7 @@ Parameters: GatewayInstanceType: Description: The EC2 instance type for the Security Gateways. Type: String - Default: c5.xlarge + Default: c6in.xlarge AllowedValues: - c4.large - c4.xlarge @@ -697,8 +707,6 @@ Parameters: Type: String Default: R81.20-BYOL AllowedValues: - - R81-BYOL - - R81-PAYG - R81.10-BYOL - R81.10-PAYG - R81.20-BYOL @@ -792,7 +800,7 @@ Resources: SecurityVPCStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml + TemplateURL: __URL__/utils/vpc.yaml Parameters: AvailabilityZones: !Join [',' , !Ref AvailabilityZones] NumberOfAZs: !Ref NumberOfAZs 
@@ -805,7 +813,7 @@ Resources: ServersVPCStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/qs-gwlb-servers-vpc.yaml + TemplateURL: __URL__/gwlb/qs-gwlb-servers-vpc.yaml Parameters: AvailabilityZones: !Join [ ',' , !Ref AvailabilityZones ] NumberOfAZs: !Ref NumberOfAZs @@ -824,7 +832,7 @@ Resources: Type: AWS::CloudFormation::Stack DependsOn: [SecurityVPCStack, ServersVPCStack] Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/qs-gwlb.yaml + TemplateURL: __URL__/gwlb/qs-gwlb.yaml Parameters: SecurityVPC: !GetAtt SecurityVPCStack.Outputs.VPCID NumberOfAZs: !Ref NumberOfAZs @@ -843,6 +851,7 @@ Resources: VolumeSize: !Ref VolumeSize EnableInstanceConnect: !Ref EnableInstanceConnect TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken AllowUploadDownload: !Ref AllowUploadDownload ManagementServer: !Ref ManagementServer ConfigurationTemplate: !Ref ConfigurationTemplate diff --git a/aws/templates/gwlb-asg/qs-gwlb.yaml b/aws/templates/gwlb-asg/qs-gwlb.yaml index 1e560d67..70723206 100644 --- a/aws/templates/gwlb-asg/qs-gwlb.yaml +++ b/aws/templates/gwlb-asg/qs-gwlb.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: "Deploy a Quick-Start Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, optionally: Security Management Server and Application Server Autoscale in an existing VPC (05072024)" +Description: "Deploy a Quick-Start Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, optionally: Security Management Server and Application Server Autoscale in an existing VPC (__VERSION__)" Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -29,6 +29,7 @@ Metadata: - VolumeType - EnableInstanceConnect - TerminationProtection + - MetaDataToken - AllowUploadDownload - ManagementServer - ConfigurationTemplate 
@@ -105,6 +106,8 @@ Metadata: default: Enable AWS Instance Connect TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token AllowUploadDownload: default: Allow upload & download ManagementServer: @@ -244,6 +247,13 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false AllowUploadDownload: Description: Automatically download updates and share statistical data for product improvement purpose. Type: String @@ -306,7 +316,7 @@ Parameters: GatewayInstanceType: Description: The EC2 instance type for the Security Gateways. Type: String - Default: c5.xlarge + Default: c6in.xlarge AllowedValues: - c4.large - c4.xlarge @@ -602,8 +612,6 @@ Parameters: Type: String Default: R81.20-BYOL AllowedValues: - - R81-BYOL - - R81-PAYG - R81.10-BYOL - R81.10-PAYG - R81.20-BYOL @@ -741,7 +749,7 @@ Resources: SecurityGatewaysStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/autoscale-gwlb.yaml + TemplateURL: __URL__/gwlb/autoscale-gwlb.yaml Parameters: VPC: !Ref SecurityVPC GatewaysSubnets: !Join [',', !Ref GatewaysSubnets] @@ -753,6 +761,7 @@ Resources: VolumeType: !Ref VolumeType VolumeSize: !Ref VolumeSize EnableInstanceConnect: !Ref EnableInstanceConnect + MetaDataToken: !Ref MetaDataToken GatewaysMinSize: !Ref GatewaysMinSize GatewaysMaxSize: !Ref GatewaysMaxSize AdminEmail: !Ref AdminEmail @@ -783,7 +792,7 @@ Resources: Condition: DeployManagement DependsOn: GWLBeEndpointStack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/management-gwlb.yaml + TemplateURL: __URL__/gwlb/management-gwlb.yaml Parameters: VPC: !Ref SecurityVPC ManagementSubnet: !Select [0, !Ref GatewaysSubnets] 
@@ -804,6 +813,7 @@ Resources: GatewayManagement: !Ref GatewayManagement GatewaysAddresses: !Ref GatewaysAddresses TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken ManagementBootstrapScript: !Join - ';' - - 'echo -e "\nStarting Bootstrap script\n"' @@ -831,7 +841,7 @@ Resources: Type: AWS::CloudFormation::Stack DependsOn: VpcEndpointService Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/qs-gwlb-endpoints.yaml + TemplateURL: __URL__/gwlb/qs-gwlb-endpoints.yaml Parameters: NumberOfAZs: !Ref NumberOfAZs GWLBeVPC: !Ref ServersVPC @@ -844,7 +854,7 @@ Resources: Type: AWS::CloudFormation::Stack DependsOn: GWLBeEndpointStack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/qs-gwlb-servers-autoscale.yaml + TemplateURL: __URL__/gwlb/qs-gwlb-servers-autoscale.yaml Parameters: VPC: !Ref ServersVPC Subnets: !Join [',', !Ref ServersSubnets] diff --git a/aws/templates/gwlb-asg/tgw-gwlb-master.yaml b/aws/templates/gwlb-asg/tgw-gwlb-master.yaml index f0284de3..cdf99b9c 100644 --- a/aws/templates/gwlb-asg/tgw-gwlb-master.yaml +++ b/aws/templates/gwlb-asg/tgw-gwlb-master.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, in a new VPC for Transit Gateway (20240204) +Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, in a new VPC for Transit Gateway (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -34,6 +34,7 @@ Metadata: - VolumeType - EnableInstanceConnect - TerminationProtection + - MetaDataToken - AllowUploadDownload - ManagementServer - ConfigurationTemplate 
@@ -59,6 +60,7 @@ Metadata: - ControlGatewayOverPrivateOrPublicAddress - AllocatePublicAddress - CloudWatch + - GatewayBootstrapScript - Label: default: Check Point CloudGuard IaaS Security Management Server Configuration Parameters: @@ -122,6 +124,8 @@ Metadata: default: Enable AWS Instance Connect TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token AllowUploadDownload: default: Allow upload & download ManagementServer: @@ -160,6 +164,8 @@ Metadata: default: Allocate Public IPs CloudWatch: default: CloudWatch metrics + GatewayBootstrapScript: + default: Gateways bootstrap script ManagementDeploy: default: Deploy Management Server ManagementInstanceType: @@ -322,6 +328,13 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false AllowUploadDownload: Description: Automatically download updates and share statistical data for product improvement purpose. Type: String @@ -382,7 +395,7 @@ Parameters: GatewayInstanceType: Description: The EC2 instance type for the Security Gateways Type: String - Default: c5.xlarge + Default: c6in.xlarge AllowedValues: - c4.large - c4.xlarge @@ -510,9 +523,6 @@ Parameters: Type: String Default: R81.20-BYOL AllowedValues: - - R80.40-BYOL - - R80.40-PAYG-NGTP - - R80.40-PAYG-NGTX - R81.20-BYOL - R81.20-PAYG-NGTP - R81.20-PAYG-NGTX @@ -555,6 +565,11 @@ Parameters: AllowedValues: - true - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true ManagementDeploy: Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section. Type: String 
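Review bot: `NoEcho: true` on the new GatewayBootstrapScript in the `@@ -555,6 +565,11` hunk only masks the value in DescribeStacks and console output; the parameter is forwarded to the nested TgwGwlbStack and, judging by how gateway.yaml handles its own GatewayBootstrapScript in this patch, ends up base64-encoded in instance user data, where any principal with `ec2:DescribeInstanceAttribute` or `ec2:DescribeLaunchTemplateVersions` can read it. That is worth saying in the description so operators do not embed credentials in it, and the current wording says "optional" twice. Suggest `Description: Semicolon (;) separated commands to run on the gateways at first boot. Stored as plain text in EC2 user data, so do not embed secrets. (optional)`.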
@@ -681,10 +696,6 @@ Parameters: Type: String Default: R81.20-BYOL AllowedValues: - - R80.40-BYOL - - R80.40-PAYG - - R81-BYOL - - R81-PAYG - R81.10-BYOL - R81.10-PAYG - R81.20-BYOL @@ -730,7 +741,7 @@ Resources: VPCStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml + TemplateURL: __URL__/utils/vpc.yaml Parameters: AvailabilityZones: !Join [',', !Ref AvailabilityZones] NumberOfAZs: !Ref NumberOfAZs @@ -748,7 +759,7 @@ Resources: TgwGwlbStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/tgw-gwlb.yaml + TemplateURL: __URL__/gwlb/tgw-gwlb.yaml Parameters: VPC: !GetAtt VPCStack.Outputs.VPCID IGWID: !GetAtt VPCStack.Outputs.IGWID @@ -778,6 +789,7 @@ Resources: VolumeSize: !Ref VolumeSize EnableInstanceConnect: !Ref EnableInstanceConnect TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken AllowUploadDownload: !Ref AllowUploadDownload ManagementServer: !Ref ManagementServer ConfigurationTemplate: !Ref ConfigurationTemplate @@ -794,6 +806,7 @@ Resources: ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress AllocatePublicAddress: !Ref AllocatePublicAddress CloudWatch: !Ref CloudWatch + GatewayBootstrapScript: !Ref GatewayBootstrapScript GWLBName: !Ref GWLBName TargetGroupName: !Ref TargetGroupName CrossZoneLoadBalancing: !Ref CrossZoneLoadBalancing @@ -856,7 +869,7 @@ Outputs: Condition: 4AZs Rules: GatewayAddressAllocationRule: - RuleCondition: !Equals [!Ref ControlGatewayOverPrivateOrPublicAddress, 'public'] - Assertions: + RuleCondition: !Equals [!Ref ControlGatewayOverPrivateOrPublicAddress, 'public'] + Assertions: - AssertDescription: "Gateway's selected to be provisioned by public IP, but ['AllocatePublicAddress'] parameter is false" Assert: !Equals [!Ref AllocatePublicAddress, 'true'] 
diff --git a/aws/templates/gwlb-asg/tgw-gwlb.yaml b/aws/templates/gwlb-asg/tgw-gwlb.yaml index 0801a10a..123d500a 100644 --- a/aws/templates/gwlb-asg/tgw-gwlb.yaml +++ b/aws/templates/gwlb-asg/tgw-gwlb.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, in an existing VPC for Transit Gateway (20240204) +Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, in an existing VPC for Transit Gateway (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -32,6 +32,7 @@ Metadata: - VolumeType - EnableInstanceConnect - TerminationProtection + - MetaDataToken - AllowUploadDownload - ManagementServer - ConfigurationTemplate @@ -51,6 +52,7 @@ Metadata: - ControlGatewayOverPrivateOrPublicAddress - AllocatePublicAddress - CloudWatch + - GatewayBootstrapScript - Label: default: Gateway Load Balancer Configuration Parameters: @@ -116,6 +118,8 @@ Metadata: default: Enable AWS Instance Connect TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token AllowUploadDownload: default: Allow upload & download ManagementServer: @@ -148,6 +152,8 @@ Metadata: default: Allocate Public IPs CloudWatch: default: CloudWatch metrics + GatewayBootstrapScript: + default: Gateways bootstrap script GWLBName: default: Gateway Load Balancer Name TargetGroupName: 
@@ -223,6 +229,7 @@ Parameters: Description: CIDR block for NAT subnet 2 located in the 2nd Availability Zone. Type: String Default: 10.0.23.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. NatGwSubnet3CIDR: Description: CIDR block for NAT subnet 3 located in the 3rd Availability Zone. @@ -234,6 +241,7 @@ Parameters: Description: CIDR block for NAT subnet 4 located in the 4th Availability Zone. Type: String Default: 10.0.43.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. GWLBeSubnet1CIDR: Description: CIDR block for GWLBe subnet 1 located in the 1st Availability Zone. @@ -245,6 +253,7 @@ Parameters: Description: CIDR block for GWLBe subnet 2 located in the 2nd Availability Zone. Type: String Default: 10.0.24.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. GWLBeSubnet3CIDR: Description: CIDR block for GWLBe subnet 3 located in the 3rd Availability Zone. @@ -256,6 +265,7 @@ Parameters: Description: CIDR block for GWLBe subnet 4 located in the 4th Availability Zone. Type: String Default: 10.0.44.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. KeyName: Description: The EC2 Key Pair to allow SSH access to the instances created by this stack. 
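Review bot: The AllowedPattern is added only to NatGwSubnet2CIDR, NatGwSubnet4CIDR, GWLBeSubnet2CIDR and GWLBeSubnet4CIDR, each of which already carried a ConstraintDescription for a pattern that did not exist; the subnet 1 and 3 parameters are not in these hunks, so confirm they already have the identical pattern, otherwise validation stays uneven across AZs. The regex checks only syntax and prefix length (/16 to /28), not that the value is a network address (10.0.23.5/24 passes and is then rejected by EC2 at subnet creation) nor that it lies inside the VPC CIDR, which is acceptable but could be reflected in the message: `ConstraintDescription: CIDR block must be a network address in the form x.x.x.x/16-28 inside the VPC CIDR.`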
@@ -294,6 +304,13 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false AllowUploadDownload: Description: Automatically download updates and share statistical data for product improvement purpose. Type: String @@ -333,7 +350,7 @@ Parameters: GatewayInstanceType: Description: The EC2 instance type for the Security Gateways. Type: String - Default: c5.xlarge + Default: c6in.xlarge AllowedValues: - c4.large - c4.xlarge @@ -461,9 +478,6 @@ Parameters: Type: String Default: R81.20-BYOL AllowedValues: - - R80.40-BYOL - - R80.40-PAYG-NGTP - - R80.40-PAYG-NGTX - R81.20-BYOL - R81.20-PAYG-NGTP - R81.20-PAYG-NGTX @@ -506,6 +520,11 @@ Parameters: AllowedValues: - true - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true GWLBName: Description: Gateway Load Balancer name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen. Type: String @@ -649,10 +668,6 @@ Parameters: Type: String Default: R81.20-BYOL AllowedValues: - - R80.40-BYOL - - R80.40-PAYG - - R81-BYOL - - R81-PAYG - R81.10-BYOL - R81.10-PAYG - R81.20-BYOL @@ -962,7 +977,7 @@ Resources: GWLBStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/gwlb.yaml + TemplateURL: __URL__/gwlb/gwlb.yaml Parameters: VPC: !Ref VPC GatewaysSubnets: !Join [',', !Ref GatewaysSubnets] 
@@ -972,6 +987,7 @@ Resources: VolumeSize: !Ref VolumeSize EnableInstanceConnect: !Ref EnableInstanceConnect TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken AllowUploadDownload: !Ref AllowUploadDownload ManagementServer: !Ref ManagementServer ConfigurationTemplate: !Ref ConfigurationTemplate @@ -992,6 +1008,7 @@ Resources: ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress AllocatePublicAddress: !Ref AllocatePublicAddress CloudWatch: !Ref CloudWatch + GatewayBootstrapScript: !Ref GatewayBootstrapScript ManagementDeploy: !Ref ManagementDeploy ManagementInstanceType: !Ref ManagementInstanceType ManagementVersion: !Ref ManagementVersion diff --git a/aws/templates/management/management.yaml b/aws/templates/management/management.yaml index 4ec20f7a..dd756635 100755 --- a/aws/templates/management/management.yaml +++ b/aws/templates/management/management.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploys a Check Point Management Server (20240417) +Description: Deploys a Check Point Management Server (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -20,6 +20,7 @@ Metadata: - VolumeEncryption - EnableInstanceConnect - TerminationProtection + - MetaDataToken - Label: default: IAM Permissions (ignored when the installation is not Primary Management Server) @@ -70,6 +71,8 @@ Metadata: default: Enable AWS Instance Connect TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token ManagementPermissions: default: IAM role ManagementPredefinedRole: @@ -273,6 +276,13 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false ManagementPermissions: Description: IAM role to attach to the instance profile. Type: String 
@@ -299,10 +309,6 @@ Parameters: Type: String Default: R81.20-BYOL AllowedValues: - - R80.40-BYOL - - R80.40-PAYG - - R81-BYOL - - R81-PAYG - R81.10-BYOL - R81.10-PAYG - R81.20-BYOL @@ -330,7 +336,7 @@ Parameters: AllowedPattern: '[\$\./a-zA-Z0-9]*' NoEcho: true ManagementHostname: - Description: The name must not contain reserved words. For details, refer to sk40179 (optional). + Description: The name must not contain reserved words. For details, refer to sk40179. (optional) Type: String Default: mgmt-aws AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$' @@ -406,11 +412,12 @@ Conditions: UseRole: !Not [!Equals [!Ref ManagementPermissions, None (configure later)]] NoSIC: !Equals [!Ref SICKey, ''] PreRole: !And [!Condition UseRole, !Not [!Condition CreateRole]] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] Resources: AMI: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/amis.yaml + TemplateURL: __URL__/utils/amis.yaml Parameters: Version: !Join ['-', [!Ref ManagementVersion, MGMT]] ManagementReadyHandle: @@ -486,7 +493,7 @@ Resources: Type: AWS::CloudFormation::Stack Condition: CreateRole Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/iam/cme-iam-role.yaml + TemplateURL: __URL__/iam/cme-iam-role.yaml Parameters: Permissions: !Ref ManagementPermissions STSRoles: !Join [',', !Ref ManagementSTSRoles] 
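Review bot: Removing R80.40-*/R81-* from ManagementVersion's AllowedValues in the `@@ -299,10 +309,6` hunk means an existing stack created with one of those values fails parameter validation on its next update with this template until ManagementVersion is changed, and for a management server that is a migration rather than a parameter flip. This deserves an explicit line in the README or changelog for the release. The nested `utils/amis.yaml` (outside this chunk) presumably drops the matching AMI entries; worth checking so the two stay in step and a stale value cannot resolve to an image the templates no longer intend to deploy.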
@@ -499,15 +506,15 @@ Resources: - !Ref ManagementPredefinedRole ManagementInstance: Type: AWS::EC2::Instance - DependsOn: ManagementSecurityGroup + DependsOn: ManagementLaunchTemplate Properties: + LaunchTemplate: + LaunchTemplateId: !Ref ManagementLaunchTemplate + Version: !GetAtt ManagementLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection Tags: - Key: Name Value: !Ref ManagementName - ImageId: !GetAtt AMI.Outputs.ImageId - InstanceType: !Ref ManagementInstanceType - IamInstanceProfile: !If [UseRole, !If [PreRole, !Ref InstanceProfile, !GetAtt ManagementRoleStack.Outputs.CMEIAMRole], !Ref 'AWS::NoValue'] - KeyName: !Ref KeyName NetworkInterfaces: - DeviceIndex: 0 AssociatePublicIpAddress: false 
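Review bot: ManagementInstance's `DependsOn: ManagementSecurityGroup` is replaced by `DependsOn: ManagementLaunchTemplate` here, while the equivalent mds.yaml hunk keeps both (`DependsOn: [MDSSecurityGroup, MDSLaunchTemplate]`). Both explicit dependencies are redundant, since the instance already references the launch template via `!Ref`/`!GetAtt` and the security group via NetworkInterfaces, so nothing breaks; but the two templates should make the same choice. Suggest either dropping DependsOn in both or using the list form in both.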
@@ -516,32 +523,43 @@ Resources: - !Ref ManagementSecurityGroup DeleteOnTermination: true SubnetId: !Ref ManagementSubnet - BlockDeviceMappings: - - DeviceName: /dev/xvda - Ebs: - Encrypted: !If [EncryptedVolume, true, false] - KmsKeyId: !If [EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue'] - VolumeType: !Ref VolumeType - VolumeSize: !Ref VolumeSize - DisableApiTermination: !Ref TerminationProtection - UserData: - 'Fn::Base64': - !Join - - |+ + ManagementLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref ManagementInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !If [ UseRole, !If [ PreRole, !Ref InstanceProfile, !GetAtt ManagementRoleStack.Outputs.CMEIAMRole ], !Ref 'AWS::NoValue' ] + UserData: + 'Fn::Base64': + !Join + - |+ - - - '#cloud-config' - - 'runcmd:' - - ' - |' - - ' set -e' - - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; hostname=${ManagementHostname} ; eic=${EnableInstanceConnect} ; admin_subnet=${AdminCIDR} ; eip=${AllocatePublicAddress} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; mgmt_install_type=''${ManagementInstallationType}''' - - !If [EIP, !Sub ' wait_handle=''${ManagementReadyHandle}''',!Ref 'AWS::NoValue'] - - !If [NoSIC, ' sic=""', !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref SICKey, ')"']]] - - !If [ManageOverInternetAndEIP, ' pub_mgmt=true', ' pub_mgmt=false'] - - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref ManagementBootstrapScript, ')"']] - - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref ManagementPasswordHash, ')"']] - - !Join ['', [' 
maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref ManagementMaintenancePasswordHash, ')"']] - - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref ManagementVersion]]}] - - ' python3 /etc/cloud_config.py waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" installationType=\"management\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"management\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" "management_installation_type=\"${mgmt_install_type}\"" adminSubnet=\"${admin_subnet}\" allocatePublicAddress=\"${eip}\" overTheInternet=\"${pub_mgmt}\" bootstrapScript64=\"${bootstrap}\"' + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; hostname=${ManagementHostname} ; eic=${EnableInstanceConnect} ; admin_subnet=${AdminCIDR} ; eip=${AllocatePublicAddress} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; mgmt_install_type=''${ManagementInstallationType}''' + - !If [EIP, !Sub ' wait_handle=''${ManagementReadyHandle}''',!Ref 'AWS::NoValue'] + - !If [NoSIC, ' sic=""', !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref SICKey, ')"']]] + - !If [ManageOverInternetAndEIP, ' pub_mgmt=true', ' pub_mgmt=false'] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref ManagementBootstrapScript, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref ManagementPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref ManagementMaintenancePasswordHash, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref ManagementVersion]]}] + - ' python3 /etc/cloud_config.py waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" installationType=\"management\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" 
templateVersion=\"__VERSION__\" templateName=\"management\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" "management_installation_type=\"${mgmt_install_type}\"" adminSubnet=\"${admin_subnet}\" allocatePublicAddress=\"${eip}\" overTheInternet=\"${pub_mgmt}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version PublicAddress: Type: AWS::EC2::EIP Condition: EIP diff --git a/aws/templates/mds/mds.yaml b/aws/templates/mds/mds.yaml index 241bb981..1f5a9b41 100644 --- a/aws/templates/mds/mds.yaml +++ b/aws/templates/mds/mds.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: '2010-09-09' -Description: Deploys a Check Point Multi-Domain Server (20240417) +Description: Deploys a Check Point Multi-Domain Server (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -19,6 +19,7 @@ Metadata: - VolumeEncryption - EnableInstanceConnect - TerminationProtection + - MetaDataToken - Label: default: IAM Permissions (ignored when the installation type is not Primary Multi-Domain Server) @@ -66,6 +67,8 @@ Metadata: default: Enable AWS Instance Connect TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token MDSPermissions: default: IAM role MDSPredefinedRole: @@ -260,6 +263,13 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false MDSPermissions: Description: IAM role to attach to the instance profile. Type: String @@ -286,8 +296,6 @@ Parameters: Type: String Default: R81.20-BYOL AllowedValues: - - R80.40-BYOL - - R81-BYOL - R81.10-BYOL - R81.20-BYOL Shell: 
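Review bot: The user data moved into ManagementLaunchTemplate still embeds the SIC key, the admin and maintenance password hashes and the bootstrap script base64-encoded rather than encrypted, and launch-template versions are retained, so after a stack update the previous version's secrets remain readable to any principal with `ec2:DescribeLaunchTemplateVersions` or `ec2:GetLaunchTemplateData`, in addition to `ec2:DescribeInstanceAttribute` on the instance as before. Suggest a comment above UserData: `# UserData carries SICKey, password hashes and the bootstrap script in base64 (not encrypted); readable via launch-template versions and instance attributes, and old versions persist across updates.` Separately, `IamInstanceProfile.Name` requires a profile name, whereas the old EC2::Instance `IamInstanceProfile` accepted a name or ARN; if `ManagementRoleStack.Outputs.CMEIAMRole` emits an ARN (cme-iam-role.yaml is outside this chunk) this should be `Arn:`, and the `AWS::NoValue` branch leaves an empty `IamInstanceProfile: {}` that should be verified to deploy when ManagementPermissions is `None (configure later)`.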
@@ -313,7 +321,7 @@ Parameters: AllowedPattern: '[\$\./a-zA-Z0-9]*' NoEcho: true MDSHostname: - Description: The name must not contain reserved words. For details, refer to sk40179 (optional). + Description: The name must not contain reserved words. For details, refer to sk40179. (optional) Type: String Default: mds-aws AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$' @@ -350,7 +358,7 @@ Parameters: with the Multi-Domain Server. The address should be either 0.0.0.0/0 (any address) or /32 (specific address) Type: String AllowedPattern: '^((0.0.0.0\/0)|)$|^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/32)$' - ConstraintDescription: Administrator address must be either 0.0.0.0/0 or /32 + ConstraintDescription: Administrator address must be either 0.0.0.0/0 or /32 GatewaysAddresses: Description: Allow gateways only from this network to communicate with the Multi-Domain. Server @@ -385,11 +393,12 @@ Conditions: PrimaryMDS: !Equals [!Ref MDSInstallationType, Primary Multi-Domain Server] SecondaryMDS: !Equals [!Ref MDSInstallationType, Secondary Multi-Domain Server] PreRole: !And [!Condition UseRole, !Not [!Condition CreateRole]] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] Resources: AMI: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/amis.yaml + TemplateURL: __URL__/utils/amis.yaml Parameters: Version: !Join ['-', [!Ref MDSVersion, MGMT]] MDSSecurityGroup: @@ -454,7 +463,7 @@ Resources: Type: AWS::CloudFormation::Stack Condition: CreateRole Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/iam/cme-iam-role.yaml + TemplateURL: __URL__/iam/cme-iam-role.yaml Parameters: Permissions: !Ref MDSPermissions STSRoles: !Join [',', !Ref MDSSTSRoles] 
@@ -467,15 +476,15 @@ Resources: - !Ref MDSPredefinedRole MDSInstance: Type: AWS::EC2::Instance - DependsOn: MDSSecurityGroup + DependsOn: [MDSSecurityGroup, MDSLaunchTemplate] Properties: + LaunchTemplate: + LaunchTemplateId: !Ref MDSLaunchTemplate + Version: !GetAtt MDSLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection Tags: - Key: Name Value: !Ref MDSName - ImageId: !GetAtt AMI.Outputs.ImageId - InstanceType: !Ref MDSInstanceType - IamInstanceProfile: !If [UseRole, !If [PreRole, !Ref InstanceProfile, !GetAtt MDSRoleStack.Outputs.CMEIAMRole], !Ref 'AWS::NoValue'] - KeyName: !Ref KeyName NetworkInterfaces: - DeviceIndex: 0 AssociatePublicIpAddress: false 
@@ -484,27 +493,38 @@ Resources: - !Ref MDSSecurityGroup DeleteOnTermination: true SubnetId: !Ref MDSSubnet - BlockDeviceMappings: - - DeviceName: /dev/xvda - Ebs: - Encrypted: !If [EncryptedVolume, true, false] - KmsKeyId: !If [EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue'] - VolumeType: !Ref VolumeType - VolumeSize: !Ref VolumeSize - DisableApiTermination: !Ref TerminationProtection - UserData: !Base64 - Fn::Join: - - |+ + MDSLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref MDSInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !If [ UseRole, !If [ PreRole, !Ref InstanceProfile, !GetAtt MDSRoleStack.Outputs.CMEIAMRole ], !Ref 'AWS::NoValue' ] + UserData: !Base64 + Fn::Join: + - |+ - - - '#cloud-config' - - 'runcmd:' - - ' - |' - - ' set -e' - - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; hostname=${MDSHostname} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; admin_subnet=${AdminCIDR}' - - !If [PrimaryMDS, ' primary=true ; secondary=false', !If [SecondaryMDS, ' primary=false ; secondary=true', ' primary=false ; secondary=false']] - - !If [PrimaryMDS, ' sic=notused', !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref MDSSICKey, ')"']]] - - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref MDSBootstrapScript, ')"']] - - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref MDSPasswordHash, ')"']] - - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref MDSMaintenancePasswordHash, ')"']] - - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref 
MDSVersion]]}] - - ' python3 /etc/cloud_config.py sicKey=\"${sic}\" installationType=\"mds\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"mds\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" primary=\"${primary}\" secondary=\"${secondary}\" adminSubnet=\"${admin_subnet}\" bootstrapScript64=\"${bootstrap}\"' \ No newline at end of file + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; hostname=${MDSHostname} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; admin_subnet=${AdminCIDR}' + - !If [PrimaryMDS, ' primary=true ; secondary=false', !If [SecondaryMDS, ' primary=false ; secondary=true', ' primary=false ; secondary=false']] + - !If [PrimaryMDS, ' sic=notused', !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref MDSSICKey, ')"']]] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref MDSBootstrapScript, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref MDSPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref MDSMaintenancePasswordHash, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref MDSVersion]]}] + - ' python3 /etc/cloud_config.py sicKey=\"${sic}\" installationType=\"mds\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"mds\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" primary=\"${primary}\" secondary=\"${secondary}\" adminSubnet=\"${admin_subnet}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template 
version \ No newline at end of file diff --git a/aws/templates/single-gw/gateway-master.yaml b/aws/templates/single-gw/gateway-master.yaml index 3c34df22..c7c1d195 100644 --- a/aws/templates/single-gw/gateway-master.yaml +++ b/aws/templates/single-gw/gateway-master.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploys a Check Point Security Gateway into a new VPC (20240204) +Description: Deploys a Check Point Security Gateway into a new VPC (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -22,6 +22,7 @@ Metadata: - VolumeEncryption - EnableInstanceConnect - TerminationProtection + - MetaDataToken - Label: default: Check Point Settings Parameters: @@ -77,6 +78,8 @@ Metadata: default: Enable AWS Instance Connect TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token GatewayVersion: default: Gateway Version & license Shell: @@ -124,17 +127,21 @@ Parameters: Description: The public subnet of the Security Gateway. Type: String Default: 10.0.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. PrivateSubnetCIDR: Description: The private subnet of the Security Gateway. Type: String Default: 10.0.11.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. GatewayName: Type: String Default: Check-Point-Gateway GatewayInstanceType: Description: The instance type of the Secutiry Gateways. Type: String - Default: c5.xlarge + Default: c6in.xlarge AllowedValues: - c4.large - c4.xlarge 
@@ -287,16 +294,17 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false GatewayVersion: Type: String Default: R81.20-BYOL AllowedValues: - - R80.40-BYOL - - R80.40-PAYG-NGTP - - R80.40-PAYG-NGTX - - R81-BYOL - - R81-PAYG-NGTP - - R81-PAYG-NGTX - R81.10-BYOL - R81.10-PAYG-NGTP - R81.10-PAYG-NGTX @@ -342,7 +350,7 @@ Parameters: Type: String Default: '' GatewayHostname: - Description: The name must not contain reserved words. For details, refer to sk40179 (optional). + Description: The name must not contain reserved words. For details, refer to sk40179. (optional) Type: String Default: '' AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$' @@ -400,7 +408,7 @@ Resources: VPCStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml + TemplateURL: __URL__/utils/vpc.yaml Parameters: AvailabilityZones: !Ref AvailabilityZone NumberOfAZs: 1 @@ -428,7 +436,7 @@ Resources: GatewayStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/gateway/gateway.yaml + TemplateURL: __URL__/gateway/gateway.yaml Parameters: VPC: !GetAtt VPCStack.Outputs.VPCID PublicSubnet: !GetAtt VPCStack.Outputs.PublicSubnet1ID @@ -443,6 +451,7 @@ Resources: VolumeEncryption: !Ref VolumeEncryption EnableInstanceConnect: !Ref EnableInstanceConnect TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken GatewayVersion: !Ref GatewayVersion Shell: !Ref Shell GatewaySICKey: !Ref GatewaySICKey diff --git a/aws/templates/single-gw/gateway.yaml b/aws/templates/single-gw/gateway.yaml index 5c66f2fa..76c5cef6 100644 --- a/aws/templates/single-gw/gateway.yaml +++ b/aws/templates/single-gw/gateway.yaml 
@@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploys a Check Point Security Gateway into an existing VPC (20240204) +Description: Deploys a Check Point Security Gateway into an existing VPC (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -22,6 +22,7 @@ Metadata: - VolumeEncryption - EnableInstanceConnect - TerminationProtection + - MetaDataToken - Label: default: Check Point Settings Parameters: @@ -77,6 +78,8 @@ Metadata: default: Enable AWS Instance Connect TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token GatewayVersion: default: Gateway Version & license Shell: @@ -132,7 +135,7 @@ Parameters: GatewayInstanceType: Description: The instance type of the Secutiry Gateway. Type: String - Default: c5.xlarge + Default: c6in.xlarge AllowedValues: - c4.large - c4.xlarge @@ -285,16 +288,17 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false GatewayVersion: Type: String Default: R81.20-BYOL AllowedValues: - - R80.40-BYOL - - R80.40-PAYG-NGTP - - R80.40-PAYG-NGTX - - R81-BYOL - - R81-PAYG-NGTP - - R81-PAYG-NGTX - R81.10-BYOL - R81.10-PAYG-NGTP - R81.10-PAYG-NGTX @@ -340,7 +344,7 @@ Parameters: Type: String Default: '' GatewayHostname: - Description: The name must not contain reserved words. For details, refer to sk40179 (optional). + Description: The name must not contain reserved words. For details, refer to sk40179. (optional) Type: String Default: '' AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$' 
@@ -398,6 +402,7 @@ Conditions: ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']] ProvidedManagementParameters: !And [!Not [!Equals [!Ref ManagementServer, '']], !Not [!Equals [!Ref ConfigurationTemplate, '']]] EnableCloudWatch: !Equals [!Ref CloudWatch, true] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] Resources: ReadyHandle: Type: AWS::CloudFormation::WaitConditionHandle @@ -432,14 +437,14 @@ Resources: Condition: EnableCloudWatch Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/iam/cloudwatch-policy.yaml + TemplateURL: __URL__/iam/cloudwatch-policy.yaml Parameters: PolicyName: !If [ ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName' ] PolicyRole: !Ref GatewayIAMRole AMI: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/amis.yaml + TemplateURL: __URL__/utils/amis.yaml Parameters: Version: !Join ['-', [!Ref GatewayVersion,GW]] ExternalNetworkInterface: @@ -496,7 +501,12 @@ Resources: RouteTableId: !Ref InternalRouteTable GatewayInstance: Type: AWS::EC2::Instance + DependsOn: GatewayLaunchTemplate Properties: + LaunchTemplate: + LaunchTemplateId: !Ref GatewayLaunchTemplate + Version: !GetAtt GatewayLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection Tags: - Key: Name Value: !Ref GatewayName 
@@ -510,40 +520,47 @@ Resources: - !Join ['=', [template,!Ref ConfigurationTemplate]] - !Join ['=',[ip-address, !Ref ControlGatewayOverPrivateOrPublicAddress]] - !Ref 'AWS::NoValue' - ImageId: !GetAtt AMI.Outputs.ImageId - InstanceType: !Ref GatewayInstanceType - BlockDeviceMappings: - - DeviceName: '/dev/xvda' - Ebs: - Encrypted: !If [EncryptedVolume, true, false] - KmsKeyId: !If [EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue'] - VolumeType: !Ref VolumeType - VolumeSize: !Ref VolumeSize - IamInstanceProfile: !If [EnableCloudWatch, !Ref GatewayInstanceProfile, !Ref 'AWS::NoValue'] - DisableApiTermination: !Ref TerminationProtection - UserData: - 'Fn::Base64': - !Join - - |+ + GatewayLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + NetworkInterfaces: + - DeviceIndex: 0 + NetworkInterfaceId: !Ref ExternalNetworkInterface + - DeviceIndex: 1 + NetworkInterfaceId: !Ref InternalNetworkInterface + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !If [EnableCloudWatch, !Ref GatewayInstanceProfile, !Ref 'AWS::NoValue'] + UserData: + 'Fn::Base64': + !Join + - |+ - - - '#cloud-config' - - 'runcmd:' - - ' - |' - - ' set -e' - - !Sub ' admin_shell=${Shell} ; hostname=${GatewayHostname} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; eic=${EnableInstanceConnect} ; eip=${AllocatePublicAddress} ; token=''${GatewayToken}''' - - !If [AllocateAddress, !Sub ' wait_handle=''${ReadyHandle}''',!Ref 'AWS::NoValue'] - - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, 
')"']] - - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] - - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] - - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] - - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] - - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${token}\"" installationType=\"gateway\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"gateway\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" allocatePublicAddress=\"${eip}\" bootstrapScript64=\"${bootstrap}\"' - KeyName: !Ref KeyName - NetworkInterfaces: - - DeviceIndex: 0 - NetworkInterfaceId: !Ref ExternalNetworkInterface - - DeviceIndex: 1 - NetworkInterfaceId: !Ref InternalNetworkInterface + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; hostname=${GatewayHostname} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; eic=${EnableInstanceConnect} ; eip=${AllocatePublicAddress} ; token=''${GatewayToken}''' + - !If [AllocateAddress, !Sub ' wait_handle=''${ReadyHandle}''',!Ref 'AWS::NoValue'] + - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - ' python3 
/etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${token}\"" installationType=\"gateway\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"gateway\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" allocatePublicAddress=\"${eip}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version PublicAddress: Type: AWS::EC2::EIP Condition: AllocateAddress diff --git a/aws/templates/standalone/standalone-master.yaml b/aws/templates/standalone/standalone-master.yaml index 4f598a3f..42832747 100644 --- a/aws/templates/standalone/standalone-master.yaml +++ b/aws/templates/standalone/standalone-master.yaml @@ -1,6 +1,6 @@ AWSTemplateFormatVersion: 2010-09-09 Description: Deploys either a manually configurable or a Check Point CloudGuard IaaS - Security Gateway & Management (Standalone) instance in a new VPC (20240204) + Security Gateway & Management (Standalone) instance in a new VPC (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -23,6 +23,7 @@ Metadata: - VolumeEncryption - EnableInstanceConnect - TerminationProtection + - MetaDataToken - Label: default: Check Point Settings Parameters: @@ -69,6 +70,8 @@ Metadata: default: Enable AWS Instance Connect TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token StandaloneVersion: default: License Shell: 
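Review bot: `IamInstanceProfile: Name: !If [EnableCloudWatch, !Ref GatewayInstanceProfile, !Ref 'AWS::NoValue']` in the new launch template removes only the `Name` key when CloudWatch is disabled, which leaves an empty `IamInstanceProfile` object where the old instance-level `!If` removed the property entirely; moving the condition up one level, `IamInstanceProfile: !If [EnableCloudWatch, {Name: !Ref GatewayInstanceProfile}, !Ref 'AWS::NoValue']`, restores the previous shape (the same construct is in standalone.yaml's `GatewayLaunchTemplate`). Separately, the `UserData` that carries the base64-encoded SIC key, password hash and maintenance-mode hash now also persists in a launch template version, which is readable through `ec2:DescribeLaunchTemplateVersions` independently of the instance itself; a comment on `GatewayLaunchTemplate` such as `# UserData embeds the SIC key and password hashes; launch template versions retain it, so scope DescribeLaunchTemplateVersions to deployers` would make that trade-off visible to whoever writes the IAM policy. The `Resources:` section continues outside the hunk.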
@@ -110,10 +113,14 @@ Parameters: Description: The public subnet of the Security Gateway. Type: String Default: 10.0.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. PrivateSubnetCIDR: Description: The private subnet of the Security Gateway. Type: String Default: 10.0.11.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. StandaloneName: Type: String Default: Check-Point-Instance @@ -157,15 +164,18 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false StandaloneVersion: Description: Standalone Version & License. Type: String Default: R81.20-BYOL AllowedValues: - - R80.40-PAYG-NGTP - - R80.40-BYOL - - R81-PAYG-NGTP - - R81-BYOL - R81.10-PAYG-NGTP - R81.10-BYOL - R81.20-PAYG-NGTP @@ -313,7 +323,7 @@ Parameters: Type: String Default: '' StandaloneHostname: - Description: The name must not contain reserved words. For details, refer to sk40179 (optional). + Description: (optional) Type: String Default: '' AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$' @@ -364,7 +374,7 @@ Resources: VPCStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml + TemplateURL: __URL__/utils/vpc.yaml Parameters: AvailabilityZones: !Ref AvailabilityZone NumberOfAZs: 1 
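Review bot: The `StandaloneHostname` description is reduced to `Description: (optional)`, which drops the reserved-words warning and the sk40179 reference, while the `AllowedPattern` two lines below only enforces the character format, so the reserved-words rule is now stated nowhere the user can see it; the gateway template in this same patch keeps the wording, so the reduction looks unintended. Restoring `Description: The name must not contain reserved words. For details, refer to sk40179. (optional)` keeps the two templates consistent. The same reduction is in standalone.yaml's `StandaloneHostname` hunk.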
@@ -391,7 +401,7 @@ Resources: StandaloneStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/gateway/standalone.yaml + TemplateURL: __URL__/gateway/standalone.yaml Parameters: VPC: !GetAtt VPCStack.Outputs.VPCID PublicSubnet: !GetAtt VPCStack.Outputs.PublicSubnet1ID @@ -406,6 +416,7 @@ Resources: VolumeEncryption: !Ref VolumeEncryption EnableInstanceConnect: !Ref EnableInstanceConnect TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken StandaloneVersion: !Ref StandaloneVersion Shell: !Ref Shell StandalonePasswordHash: !Ref StandalonePasswordHash diff --git a/aws/templates/standalone/standalone.yaml b/aws/templates/standalone/standalone.yaml index 78f36aba..cc565f6c 100644 --- a/aws/templates/standalone/standalone.yaml +++ b/aws/templates/standalone/standalone.yaml @@ -1,6 +1,6 @@ AWSTemplateFormatVersion: 2010-09-09 Description: Deploys either a manually configurable or a Check Point CloudGuard IaaS - Security Gateway & Management (Standalone) instance into an existing VPC (20240204) + Security Gateway & Management (Standalone) instance into an existing VPC (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -23,6 +23,7 @@ Metadata: - VolumeEncryption - EnableInstanceConnect - TerminationProtection + - MetaDataToken - Label: default: Check Point Settings Parameters: @@ -69,6 +70,8 @@ Metadata: default: Enable AWS Instance Connect TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token StandaloneVersion: default: License Shell: 
@@ -270,15 +273,18 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false StandaloneVersion: Description: Standalone Version & License. Type: String Default: R81.20-BYOL AllowedValues: - - R80.40-PAYG-NGTP - - R80.40-BYOL - - R81-PAYG-NGTP - - R81-BYOL - R81.10-PAYG-NGTP - R81.10-BYOL - R81.20-PAYG-NGTP @@ -310,7 +316,7 @@ Parameters: Type: String Default: '' StandaloneHostname: - Description: The name must not contain reserved words. For details, refer to sk40179 (optional). + Description: (optional) Type: String Default: '' AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$' @@ -361,6 +367,7 @@ Conditions: ProvidedRouteTable: !Not [!Equals [!Ref InternalRouteTable, '']] EnableCloudWatch: !Equals [!Ref CloudWatch, true] IsBYOL: !Equals [!Select [1, !Split ['-', !Ref StandaloneVersion]], 'BYOL'] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] Resources: ReadyHandle: Type: AWS::CloudFormation::WaitConditionHandle @@ -395,14 +402,14 @@ Resources: Condition: EnableCloudWatch Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/iam/cloudwatch-policy.yaml + TemplateURL: __URL__/iam/cloudwatch-policy.yaml Parameters: PolicyName: !If [ ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName' ] PolicyRole: !Ref StandaloneIAMRole AMI: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/amis.yaml + TemplateURL: __URL__/utils/amis.yaml Parameters: Version: !If [IsBYOL, !Join ['-', [!Ref StandaloneVersion,MGMT]], !Ref StandaloneVersion] ExternalNetworkInterface: 
@@ -456,43 +463,55 @@ Resources: RouteTableId: !Ref InternalRouteTable StandaloneInstance: Type: AWS::EC2::Instance + DependsOn: GatewayLaunchTemplate Properties: + LaunchTemplate: + LaunchTemplateId: !Ref GatewayLaunchTemplate + Version: !GetAtt GatewayLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection Tags: - Key: Name Value: !Ref StandaloneName - ImageId: !GetAtt AMI.Outputs.ImageId - InstanceType: !Ref StandaloneInstanceType - BlockDeviceMappings: - - DeviceName: /dev/xvda - Ebs: - Encrypted: !If [EncryptedVolume, true, false] - KmsKeyId: !If [EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue'] - VolumeType: !Ref VolumeType - VolumeSize: !Ref VolumeSize - IamInstanceProfile: !If [EnableCloudWatch, !Ref StandaloneInstanceProfile, !Ref 'AWS::NoValue'] - DisableApiTermination: !Ref TerminationProtection - UserData: - 'Fn::Base64': - !Join - - |+ + GatewayLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + NetworkInterfaces: + - DeviceIndex: 0 + NetworkInterfaceId: !Ref ExternalNetworkInterface + - DeviceIndex: 1 + NetworkInterfaceId: !Ref InternalNetworkInterface + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref StandaloneInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !If [ EnableCloudWatch, !Ref StandaloneInstanceProfile, !Ref 'AWS::NoValue' ] + UserData: + 'Fn::Base64': + !Join + - |+ - - - '#cloud-config' - - 'runcmd:' - - ' - |' - - ' set -e' - - !Sub ' admin_shell=${Shell} ; hostname=${StandaloneHostname} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; 
eic=${EnableInstanceConnect} ; eip=${AllocatePublicAddress} ; admin_subnet=${AdminCIDR}' - - !If [AllocateAddress, !Sub ' wait_handle=''${ReadyHandle}''',!Ref 'AWS::NoValue'] - - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref StandaloneBootstrapScript, ')"']] - - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref StandalonePasswordHash, ')"']] - - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref StandaloneMaintenancePasswordHash, ')"']] - - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref StandaloneVersion]]}] - - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" installationType=\"standalone\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"standalone\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" adminSubnet=\"${admin_subnet}\" allocatePublicAddress=\"${eip}\" bootstrapScript64=\"${bootstrap}\"' - KeyName: !Ref KeyName - NetworkInterfaces: - - DeviceIndex: 0 - NetworkInterfaceId: !Ref ExternalNetworkInterface - - DeviceIndex: 1 - NetworkInterfaceId: !Ref InternalNetworkInterface + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; hostname=${StandaloneHostname} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; eic=${EnableInstanceConnect} ; eip=${AllocatePublicAddress} ; admin_subnet=${AdminCIDR}' + - !If [ AllocateAddress, !Sub ' wait_handle=''${ReadyHandle}''',!Ref 'AWS::NoValue' ] + - !Join [ '', [ ' bootstrap="$(echo ', 'Fn::Base64': !Ref StandaloneBootstrapScript, ')"' ] ] + - !Join [ '', [ ' pwd_hash="$(echo ', 'Fn::Base64': !Ref StandalonePasswordHash, ')"' ] ] + - !Join [ '', [ ' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref 
StandaloneMaintenancePasswordHash, ')"' ] ] + - !Sub [ ' version=${Version}', { Version: !Select [ 0, !Split [ '-', !Ref StandaloneVersion ] ] } ] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" installationType=\"standalone\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"standalone\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" adminSubnet=\"${admin_subnet}\" allocatePublicAddress=\"${eip}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version PublicAddress: Type: AWS::EC2::EIP Condition: AllocateAddress diff --git a/aws/templates/tgw-asg/tgw-asg-master.yaml b/aws/templates/tgw-asg/tgw-asg-master.yaml index 076e24a7..bd72aa0e 100644 --- a/aws/templates/tgw-asg/tgw-asg-master.yaml +++ b/aws/templates/tgw-asg/tgw-asg-master.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy an Auto Scaling Group of CloudGuard Security Gateways for Transit Gateway with an optional Management Server in a new VPC (20240204) +Description: Deploy an Auto Scaling Group of CloudGuard Security Gateways for Transit Gateway with an optional Management Server in a new VPC (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -22,6 +22,7 @@ Metadata: - VolumeType - EnableInstanceConnect - TerminationProtection + - MetaDataToken - AllowUploadDownload - Label: default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration @@ -84,6 +85,8 @@ Metadata: default: Enable AWS Instance Connect TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token AllowUploadDownload: default: Allow upload & download GatewayName: 
@@ -214,6 +217,13 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false AllowUploadDownload: Description: Automatically download updates and share statistical data for product improvement purpose. Type: String @@ -228,7 +238,7 @@ Parameters: GatewayInstanceType: Description: The EC2 instance type for the Security Gateways. Type: String - Default: c5.xlarge + Default: c6in.xlarge AllowedValues: - c4.large - c4.xlarge @@ -356,12 +366,6 @@ Parameters: Type: String Default: R81.20-BYOL AllowedValues: - - R80.40-BYOL - - R80.40-PAYG-NGTP - - R80.40-PAYG-NGTX - - R81-BYOL - - R81-PAYG-NGTP - - R81-PAYG-NGTX - R81.10-BYOL - R81.10-PAYG-NGTP - R81.10-PAYG-NGTX @@ -530,10 +534,6 @@ Parameters: Type: String Default: R81.20-BYOL AllowedValues: - - R80.40-BYOL - - R80.40-PAYG - - R81-BYOL - - R81-PAYG - R81.10-BYOL - R81.10-PAYG - R81.20-BYOL @@ -612,7 +612,7 @@ Resources: VPCStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml + TemplateURL: __URL__/utils/vpc.yaml Parameters: AvailabilityZones: !Join [',', !Ref AvailabilityZones] NumberOfAZs: !Ref NumberOfAZs @@ -625,7 +625,7 @@ Resources: MainStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/autoscale/tgw-asg.yaml + TemplateURL: __URL__/autoscale/tgw-asg.yaml Parameters: VPC: !GetAtt VPCStack.Outputs.VPCID GatewaysSubnets: !Join @@ -640,6 +640,7 @@ Resources: VolumeSize: !Ref VolumeSize EnableInstanceConnect: !Ref EnableInstanceConnect TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken AllowUploadDownload: !Ref AllowUploadDownload GatewayName: !Ref GatewayName GatewayInstanceType: !Ref GatewayInstanceType 
@@ -682,7 +683,7 @@ Outputs: Condition: DeployManagement Rules: GatewayAddressRule: - RuleCondition: !Equals [!Ref ManagementDeploy, 'true'] - Assertions: + RuleCondition: !Equals [!Ref ManagementDeploy, 'true'] + Assertions: - AssertDescription: "Gateway's netowrk to communicate with the Security Management Server must be provided" - Assert: !Not [ !Equals [!Ref GatewaysAddresses, '']] \ No newline at end of file + Assert: !Not [ !Equals [!Ref GatewaysAddresses, '']] diff --git a/aws/templates/tgw-asg/tgw-asg.yaml b/aws/templates/tgw-asg/tgw-asg.yaml index c63676e1..096570d1 100644 --- a/aws/templates/tgw-asg/tgw-asg.yaml +++ b/aws/templates/tgw-asg/tgw-asg.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: '2010-09-09' -Description: Deploy an Auto Scaling Group of CloudGuard Security Gateways for Transit Gateway with an optional Management Server into an existing VPC (20240204) +Description: Deploy an Auto Scaling Group of CloudGuard Security Gateways for Transit Gateway with an optional Management Server into an existing VPC (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -17,6 +17,7 @@ Metadata: - VolumeType - EnableInstanceConnect - TerminationProtection + - MetaDataToken - AllowUploadDownload - Label: default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration @@ -69,6 +70,8 @@ Metadata: default: Enable AWS Instance Connect TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token AllowUploadDownload: default: Allow upload & download GatewayName: @@ -168,6 +171,13 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false AllowUploadDownload: Description: Automatically download updates and share statistical data for product improvement purpose. Type: String 
@@ -182,7 +192,7 @@ Parameters: GatewayInstanceType: Description: The EC2 instance type for the Security Gateways. Type: String - Default: c5.xlarge + Default: c6in.xlarge AllowedValues: - c4.large - c4.xlarge @@ -310,12 +320,6 @@ Parameters: Type: String Default: R81.20-BYOL AllowedValues: - - R80.40-BYOL - - R80.40-PAYG-NGTP - - R80.40-PAYG-NGTX - - R81-BYOL - - R81-PAYG-NGTP - - R81-PAYG-NGTX - R81.10-BYOL - R81.10-PAYG-NGTP - R81.10-PAYG-NGTX @@ -484,10 +488,6 @@ Parameters: Type: String Default: R81.20-BYOL AllowedValues: - - R80.40-BYOL - - R80.40-PAYG - - R81-BYOL - - R81-PAYG - R81.10-BYOL - R81.10-PAYG - R81.20-BYOL @@ -566,7 +566,7 @@ Resources: Type: AWS::CloudFormation::Stack Condition: DeployManagement Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/management/management.yaml + TemplateURL: __URL__/management/management.yaml Parameters: VPC: !Ref VPC ManagementSubnet: !Select [0, !Ref GatewaysSubnets] @@ -579,6 +579,7 @@ Resources: VolumeSize: !Ref VolumeSize EnableInstanceConnect: !Ref EnableInstanceConnect TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken ManagementPermissions: !Ref ManagementPermissions ManagementPredefinedRole: !Ref ManagementPredefinedRole ManagementVersion: !Ref ManagementVersion @@ -619,7 +620,7 @@ Resources: SecurityGatewaysStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/autoscale/autoscale.yaml + TemplateURL: __URL__/autoscale/autoscale.yaml Parameters: VPC: !Ref VPC GatewaysSubnets: !Join [',', !Ref GatewaysSubnets] @@ -630,6 +631,7 @@ Resources: VolumeType: !Ref VolumeType VolumeSize: !Ref VolumeSize EnableInstanceConnect: !Ref EnableInstanceConnect + MetaDataToken: !Ref MetaDataToken GatewaysMinSize: !Ref GatewaysMinSize GatewaysMaxSize: !Ref GatewaysMaxSize AdminEmail: !Ref AdminEmail 
@@ -673,7 +675,7 @@ Outputs: Condition: DeployManagement Rules: GatewayAddressRule: - RuleCondition: !Equals [!Ref ManagementDeploy, 'true'] - Assertions: + RuleCondition: !Equals [!Ref ManagementDeploy, 'true'] + Assertions: - AssertDescription: "Gateway's netowrk to communicate with the Security Management Server must be provided" - Assert: !Not [ !Equals [!Ref GatewaysAddresses, '']] \ No newline at end of file + Assert: !Not [ !Equals [!Ref GatewaysAddresses, '']] diff --git a/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster-master.yaml b/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster-master.yaml index 076c1390..4c03ed53 100644 --- a/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster-master.yaml +++ b/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster-master.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy a Check Point TGW Cross Availabilty Zone Cluster in a new VPC (20240204) +Description: Deploy a Check Point TGW Cross Availabilty Zone Cluster in a new VPC (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -27,6 +27,7 @@ Metadata: - EnableInstanceConnect - GatewayPredefinedRole - TerminationProtection + - MetaDataToken - Label: default: Check Point Settings Parameters: @@ -87,6 +88,8 @@ Metadata: default: Existing IAM role name TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token GatewayVersion: default: Gateways version & license Shell: @@ -168,7 +171,7 @@ Parameters: GatewayInstanceType: Description: The instance type of the Secutiry Gateway. Type: String - Default: c5.xlarge + Default: c6in.xlarge AllowedValues: - c4.large - c4.xlarge @@ -325,6 +328,13 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false GatewayVersion: Type: String Default: R81.20-BYOL 
@@ -417,7 +427,7 @@ Resources: VPCStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml + TemplateURL: __URL__/utils/vpc.yaml Parameters: AvailabilityZones: !Join [',', !Ref AvailabilityZones] NumberOfAZs: 2 @@ -441,7 +451,7 @@ Resources: Type: AWS::CloudFormation::Stack DependsOn: VPCStack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/cluster/tgw-cross-az-cluster.yaml + TemplateURL: __URL__/cluster/tgw-cross-az-cluster.yaml Parameters: VPC: !GetAtt VPCStack.Outputs.VPCID PublicSubnetA: !GetAtt VPCStack.Outputs.PublicSubnet1ID @@ -461,6 +471,7 @@ Resources: EnableInstanceConnect: !Ref EnableInstanceConnect GatewayPredefinedRole: !Ref GatewayPredefinedRole TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken GatewayVersion: !Ref GatewayVersion Shell: !Ref Shell GatewayPasswordHash: !Ref GatewayPasswordHash @@ -507,12 +518,12 @@ Rules: MemberATokenNotProvided: RuleCondition: !Equals [!Ref MemberAToken, ''] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member A can not be empty." + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty" Assert: !Equals [!Ref MemberBToken, ''] MemberBTokenNotProvided: RuleCondition: !Equals [ !Ref MemberBToken, '' ] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member B can not be empty." + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty" Assert: !Equals [ !Ref MemberAToken, '' ] MembersTokenValueEquals: RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ] diff --git a/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster.yaml b/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster.yaml index 651a4554..92cce90f 100644 --- a/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster.yaml +++ b/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster.yaml 
@@ -1,5 +1,7 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploys a Check Point TGW Cross Availabilty Zone Cluster into an existing VPC (20240204) +Description: Deploys a Check Point TGW Cross Availabilty Zone Cluster into an + existing VPC + (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -27,6 +29,7 @@ Metadata: - EnableInstanceConnect - GatewayPredefinedRole - TerminationProtection + - MetaDataToken - Label: default: Check Point Settings Parameters: @@ -87,6 +90,8 @@ Metadata: default: Existing IAM role name TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token GatewayVersion: default: Gateways version & license Shell: @@ -162,7 +167,7 @@ Parameters: GatewayInstanceType: Description: The instance type of the Secutiry Gateway. Type: String - Default: c5.xlarge + Default: c6in.xlarge AllowedValues: - c4.large - c4.xlarge @@ -320,6 +325,13 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false GatewayVersion: Description: The license to install on the Security Gateways. Type: String @@ -413,7 +425,7 @@ Resources: ClusterStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/cluster/cross-az-cluster.yaml + TemplateURL: __URL__/cluster/cross-az-cluster.yaml Parameters: VPC: !Ref VPC PublicSubnetA: !Ref PublicSubnetA @@ -431,6 +443,7 @@ Resources: EnableInstanceConnect: !Ref EnableInstanceConnect GatewayPredefinedRole: !Ref GatewayPredefinedRole TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken GatewayVersion: !Ref GatewayVersion Shell: !Ref Shell GatewayPasswordHash: !Ref GatewayPasswordHash 
@@ -503,12 +516,12 @@ Rules: MemberATokenNotProvided: RuleCondition: !Equals [!Ref MemberAToken, ''] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member A can not be empty." + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty" Assert: !Equals [!Ref MemberBToken, ''] MemberBTokenNotProvided: RuleCondition: !Equals [ !Ref MemberBToken, '' ] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member B can not be empty." + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty" Assert: !Equals [ !Ref MemberAToken, '' ] MembersTokenValueEquals: RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ] diff --git a/aws/templates/tgw-ha/tgw-ha-master.yaml b/aws/templates/tgw-ha/tgw-ha-master.yaml index 7eb8db40..dcb860be 100644 --- a/aws/templates/tgw-ha/tgw-ha-master.yaml +++ b/aws/templates/tgw-ha/tgw-ha-master.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy a Check Point TGW HA cross AZ Cluster in a new VPC (20240204) +Description: Deploy a Check Point TGW HA cross AZ Cluster in a new VPC (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -27,6 +27,7 @@ Metadata: - EnableInstanceConnect - GatewayPredefinedRole - TerminationProtection + - MetaDataToken - Label: default: Check Point Settings Parameters: @@ -87,6 +88,8 @@ Metadata: default: Existing IAM role name TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token GatewayVersion: default: Gateways version & license Shell: 
@@ -160,6 +163,7 @@ Parameters: Description: CIDR block for TGW HA subnet 2 located in the 2nd Availability Zone. Type: String Default: 10.0.22.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. GatewayName: Description: The name tag of the Security Gateway instances. (optional) @@ -168,7 +172,7 @@ Parameters: GatewayInstanceType: Description: The instance type of the Secutiry Gateway. Type: String - Default: c5.xlarge + Default: c6in.xlarge AllowedValues: - c4.large - c4.xlarge @@ -325,16 +329,17 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false GatewayVersion: Type: String Default: R81.10-BYOL AllowedValues: - - R80.40-BYOL - - R80.40-PAYG-NGTP - - R80.40-PAYG-NGTX - - R81-BYOL - - R81-PAYG-NGTP - - R81-PAYG-NGTX - R81.10-BYOL - R81.10-PAYG-NGTP - R81.10-PAYG-NGTX @@ -423,7 +428,7 @@ Resources: VPCStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml + TemplateURL: __URL__/utils/vpc.yaml Parameters: AvailabilityZones: !Join [',', !Ref AvailabilityZones] NumberOfAZs: 2 @@ -446,7 +451,7 @@ Resources: ClusterStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/cluster/tgw-ha.yaml + TemplateURL: __URL__/cluster/tgw-ha.yaml Parameters: VPC: !GetAtt VPCStack.Outputs.VPCID PublicSubnetA: !GetAtt VPCStack.Outputs.PublicSubnet1ID 
@@ -466,6 +471,7 @@ Resources: EnableInstanceConnect: !Ref EnableInstanceConnect GatewayPredefinedRole: !Ref GatewayPredefinedRole TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken GatewayVersion: !Ref GatewayVersion Shell: !Ref Shell GatewayPasswordHash: !Ref GatewayPasswordHash @@ -509,12 +515,12 @@ Rules: MemberATokenNotProvided: RuleCondition: !Equals [!Ref MemberAToken, ''] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member A can not be empty." + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty" Assert: !Equals [!Ref MemberBToken, ''] MemberBTokenNotProvided: RuleCondition: !Equals [ !Ref MemberBToken, '' ] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member B can not be empty." + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty" Assert: !Equals [ !Ref MemberAToken, '' ] MembersTokenValueEquals: RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ] diff --git a/aws/templates/tgw-ha/tgw-ha.yaml b/aws/templates/tgw-ha/tgw-ha.yaml index e02d8e5e..d05a2e2b 100644 --- a/aws/templates/tgw-ha/tgw-ha.yaml +++ b/aws/templates/tgw-ha/tgw-ha.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploys a Check Point TGW HA Cluster into an existing VPC (20240204) +Description: Deploys a Check Point TGW HA Cluster into an existing VPC (__VERSION__) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -27,6 +27,7 @@ Metadata: - EnableInstanceConnect - GatewayPredefinedRole - TerminationProtection + - MetaDataToken - Label: default: Check Point Settings Parameters: @@ -87,6 +88,8 @@ Metadata: default: Existing IAM role name TerminationProtection: default: Termination Protection + MetaDataToken: + default: Metadata HTTP token GatewayVersion: default: Gateways version & license Shell: 
@@ -161,7 +164,7 @@ Parameters: Default: Check-Point-Cluster GatewayInstanceType: Type: String - Default: c5.xlarge + Default: c6in.xlarge AllowedValues: - c4.large - c4.xlarge @@ -319,17 +322,18 @@ Parameters: AllowedValues: - true - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false GatewayVersion: Description: The license to install on the Security Gateways. Type: String Default: R81.10-BYOL AllowedValues: - - R80.40-BYOL - - R80.40-PAYG-NGTP - - R80.40-PAYG-NGTX - - R81-BYOL - - R81-PAYG-NGTP - - R81-PAYG-NGTX - R81.10-BYOL - R81.10-PAYG-NGTP - R81.10-PAYG-NGTX @@ -419,7 +423,7 @@ Resources: ClusterStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: https://cgi-cfts.s3.amazonaws.com/cluster/geo-cluster.yaml + TemplateURL: __URL__/cluster/geo-cluster.yaml Parameters: VPC: !Ref VPC PublicSubnetA: !Ref PublicSubnetA @@ -437,6 +441,7 @@ Resources: EnableInstanceConnect: !Ref EnableInstanceConnect GatewayPredefinedRole: !Ref GatewayPredefinedRole TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken GatewayVersion: !Ref GatewayVersion Shell: !Ref Shell GatewayPasswordHash: !Ref GatewayPasswordHash @@ -506,12 +511,12 @@ Rules: MemberATokenNotProvided: RuleCondition: !Equals [!Ref MemberAToken, ''] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member A can not be empty." + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty" Assert: !Equals [!Ref MemberBToken, ''] MemberBTokenNotProvided: RuleCondition: !Equals [ !Ref MemberBToken, '' ] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member B can not be empty." + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty" Assert: !Equals [ !Ref MemberAToken, '' ] MembersTokenValueEquals: RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ] 
diff --git a/azure/misc/azure_ha_test.py b/azure/misc/azure_ha_test.py index 48fcac18..53601177 100755 --- a/azure/misc/azure_ha_test.py +++ b/azure/misc/azure_ha_test.py @@ -35,7 +35,6 @@ def set_arm_versions(): - """#TODO fixDocstring""" global ARM_VERSIONS log('Setting api versions for "%s" solution\n' % templateName) if templateName == 'stack-ha': @@ -48,17 +47,14 @@ def set_arm_versions(): def is_azure(): - """#TODO fixDocstring""" return os.path.isfile('/etc/in-azure') def log(msg): - """#TODO fixDocstring""" sys.stderr.write(msg) def test_rw(rid, allow_not_found=False, test_write=True): - """#TODO fixDocstring""" components = rid.split('/') log('Id : %s\n' % rid) log('Subscription : %s\n' % components[2]) @@ -85,7 +81,6 @@ def test_rw(rid, allow_not_found=False, test_write=True): def get_vm_primary_nic(vm): - """#TODO fixDocstring""" nis = vm['properties']['networkProfile']['networkInterfaces'] if len(nis) == 1: ni = nis[0] @@ -97,7 +92,6 @@ def get_vm_primary_nic(vm): def test_cluster_ip(): - """#TODO fixDocstring""" def test_vip(vip_resource): if '/' in vip_resource: cluster_ip_id = vip_resource @@ -116,7 +110,6 @@ def test_vip(vip_resource): def test_load_balancer(): - """#TODO fixDocstring""" load_balancer_nm = conf.get('lbName', '') if not load_balancer_nm: log('An external load balancer name is not configured.\n') @@ -129,7 +122,6 @@ def test_load_balancer(): def vnet_rg(): - """#TODO fixDocstring""" local_vm = azure.arm('GET', conf['baseId'] + 'microsoft.compute/virtualmachines/' + conf['hostname'])[1] @@ -140,7 +132,6 @@ def vnet_rg(): def get_route_table_ids_for_vnet(vnet): - """#TODO fixDocstring""" route_table_ids = set() for subnet in vnet['properties'].get('subnets', []): if subnet['properties'].get('routeTable'): @@ -149,7 +140,6 @@ def get_route_table_ids_for_vnet(vnet): def get_vnet_id(): - """#TODO fixDocstring""" vnet_id = conf.get('vnetId') if vnet_id: return vnet_id 
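Review bot: The -35 through -149 hunks (and the ones on the next line) delete the `"""#TODO fixDocstring"""` placeholders without replacing them, so the module loses even the reminder that its public checks are undocumented. At least the entry points a reader reaches for first deserve a real one-liner, e.g. for test_rw `"""Log the components of Azure resource id *rid* and verify it can be read (and, when test_write is set, written); allow_not_found decides whether a missing resource is an error."""` — the body continues outside the hunk, so confirm the read/write behaviour before wording it. The same applies to test_cluster_parameters, which reads /var/opt/fw.boot/modules/fwkern.conf and should say which settings it expects there.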
@@ -164,7 +154,6 @@ def get_vnet_id(): def get_route_table_ids_for_peering(vnet): - """#TODO fixDocstring""" route_table_ids = set() for peering in vnet['properties'].get('virtualNetworkPeerings', []): @@ -185,7 +174,6 @@ def get_route_table_ids_for_peering(vnet): def get_route_table_ids(): - """#TODO fixDocstring""" route_table_ids = set() vnet_id = get_vnet_id() @@ -198,7 +186,6 @@ def get_route_table_ids(): def interfaces_test_rw(interface_id): - """#TODO fixDocstring""" interface = test_rw(interface_id['id']) if not interface['properties'].get('enableIPForwarding'): raise Exception( @@ -207,7 +194,6 @@ def interfaces_test_rw(interface_id): def test_cluster_parameters(): - """#TODO fixDocstring""" path = "/var/opt/fw.boot/modules/fwkern.conf" text1 = "fwha_dead_timeout_multiplier=20" text2 = "fwha_if_problem_tolerance=200" @@ -248,7 +234,6 @@ def test_cluster_parameters(): def test(): - """#TODO fixDocstring""" global conf if not is_azure(): @@ -412,7 +397,6 @@ def test(): def main(): - """#TODO fixDocstring""" try: test() except Exception: diff --git a/azure/templates/marketplace-gateway-load-balancer/README.md b/azure/templates/marketplace-gateway-load-balancer/README.md index a970e1a3..4b5df7cc 100644 --- a/azure/templates/marketplace-gateway-load-balancer/README.md +++ b/azure/templates/marketplace-gateway-load-balancer/README.md @@ -19,4 +19,3 @@ Benefits: To deploy with full control over all the template options use: [Full Control Deployment](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2Fazure%2Ftemplates%2Fmarketplace-gateway-load-balancer%2FmainTemplate.json) - diff --git a/azure/templates/marketplace-gateway-load-balancer/createUiDefinition.json b/azure/templates/marketplace-gateway-load-balancer/createUiDefinition.json index 54fd25cc..1de1c662 100644 --- a/azure/templates/marketplace-gateway-load-balancer/createUiDefinition.json 
+++ b/azure/templates/marketplace-gateway-load-balancer/createUiDefinition.json @@ -1120,7 +1120,7 @@ } }, { - "visible": "[bool(basics('auth').sshPublicKey)]", + "visible": "[bool(basics('auth').sshPublicKey)]", "name": "EnableSerialConsolePassword", "type": "Microsoft.Common.OptionsGroup", "label": "Enable Serial console password", @@ -1508,9 +1508,9 @@ "deployNewNSG": "[steps('network').NSG]", "ExistingNSG": "[steps('network').nsgSelector]", "NewNsgName": "[steps('network').NSGName]", - "addStorageAccountIpRules": "[steps('network').addStorageAccountIpRules]", + "addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]", "SerialConsolePasswordHash": "[steps('chkp').AdditionalPassword]", "MaintenanceModePasswordHash": "[steps('chkp').MaintenanceModePassword]" } } -} \ No newline at end of file +} diff --git a/azure/templates/marketplace-gateway-load-balancer/mainTemplate.json b/azure/templates/marketplace-gateway-load-balancer/mainTemplate.json index f9db5e37..12d29edc 100644 --- a/azure/templates/marketplace-gateway-load-balancer/mainTemplate.json +++ b/azure/templates/marketplace-gateway-load-balancer/mainTemplate.json @@ -414,7 +414,7 @@ "variables": { "resourceGroup": "[resourceGroup()]", "templateName": "gwlb", - "templateVersion": "20240716", + "templateVersion": "20240904", "location": "[parameters('location')]", "offers": { "R81.10 - Bring Your Own License": "BYOL", 
@@ -639,7 +639,23 @@ "diskSize100GB": 100, "additionalDiskSizeGB": "[if(contains('R8110 R8120', variables('osVersion')), 0, parameters('additionalDiskSizeGB'))]", "diskSizeGB": "[add(variables('additionalDiskSizeGB'), variables('diskSize100GB'))]", - "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'customMetrics=\"', variables('customMetrics'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n', 'MaintenanceModePassword=\"', parameters('MaintenanceModePasswordHash'), '\"', '\n', 'passwordHash=\"', parameters('SerialConsolePasswordHash'), '\"', '\n')]", + "vxlanParametersForR82": "kernel_parameters:\n sim:\n - sim_enable_vxlan=3\n - sim_enable_gre=3\n fw: \n - fw_enable_vxlan=1\n - fw_enable_gre=1", + "cloudConfigParams":[ + "[concat('installationType=\\\"', variables('installationType'), '\\\"')]", + "[concat('allowUploadDownload=\\\"', variables('allowUploadDownload'), '\\\"')]", + "[concat('osVersion=\\\"', variables('osVersion'), '\\\"')]", + "[concat('templateName=\\\"', variables('templateName'), '\\\"')]", + "[concat('isBlink=\\\"', variables('isBlink'), '\\\"')]", + "[concat('templateVersion=\\\"', variables('templateVersion'), '\\\"')]", + "[concat('bootstrapScript64=\\\"', variables('bootstrapScript64'), '\\\"')]", + "[concat('location=\\\"', variables('location'), '\\\"')]", + "[concat('sicKey=\\\"', variables('sicKey'), '\\\"')]", + "[concat('customMetrics=\\\"', variables('customMetrics'), 
'\\\"')]", + "[concat('adminShell=\\\"', parameters('adminShell'), '\\\"')]", + "[concat('MaintenanceModePassword=\\\"', parameters('MaintenanceModePasswordHash'), '\\\"')]", + "[concat('passwordHash=\\\"', parameters('SerialConsolePasswordHash'), '\\\"')]" + ], + "customData": "[concat('#cloud-config','\n', if(equals(variables('osVersion'),'R82'),variables('vxlanParametersForR82'), ''),'\n', 'runcmd:\n - python3 /etc/cloud_config.py ', join(variables('cloudConfigParams'), ' '))]", "imageOffer": "[concat('check-point-cg-', toLower(variables('osVersion')))]", "imagePublisher": "checkpoint", "imageReferenceBYOL": { @@ -1032,7 +1048,7 @@ "mode": "Manual" }, "virtualMachineProfile": { - "UserData": "[base64(concat(variables('customData'), '\n', 'vnet=\"', if(equals(parameters('vnetNewOrExisting'), 'new'), reference('networkNewSetup').outputs.vnetAddressPrefix.value, reference('networkExistingSetup').outputs.vnetAddressPrefix.value), '\"', '\n' ))]", + "UserData": "[base64(concat(variables('customData'), '\n'))]", "storageProfile": { "osDisk": { "diskSizeGB": "[variables('diskSizeGB')]", @@ -1048,7 +1064,6 @@ "adminPassword": "[parameters('adminPassword')]", "adminUsername": "[concat('not','used')]", "computerNamePrefix": "[toLower(parameters('vmName'))]", - "customData": "[base64(concat(variables('customData'), '\n', 'vnet=\"', if(equals(parameters('vnetNewOrExisting'), 'new'), reference('networkNewSetup').outputs.vnetAddressPrefix.value, reference('networkExistingSetup').outputs.vnetAddressPrefix.value), '\"', '\n' ))]", "linuxConfiguration": "[variables('linuxConfiguration')]" }, "networkProfile": { @@ -1079,7 +1094,7 @@ "diagnosticsProfile": { "bootDiagnostics": { "enabled": "true", - "storageUri": "[reference(variables('storageAccountId'), '2019-06-01').primaryEndpoints.blob]" + "storageUri": "[reference(variables('storageAccountId'), '2023-01-01').primaryEndpoints.blob]" } } }, 
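Review bot: In the -639 hunk the cloud_config.py parameters move from a file-style customData into a single `runcmd` shell line, and the only quoting emitted is `\"` around each value; in the runcmd string that is an escaped literal quote character, not a quoting construct, so the values are still subject to shell parameter expansion and word splitting when cloud-init hands the entry to /bin/sh. That matters for `passwordHash` and `MaintenanceModePassword` if they are crypt-format hashes (which contain `$`), and for a user-supplied `sicKey` with spaces or metacharacters; a value containing `: ` or ` #` would also break the YAML plain scalar itself. It additionally puts the SIC key on a command line that is visible in process listings and in the persisted runcmd script, whereas before it only travelled in the user-data file. Consider cloud-init's list form (`- [python3, /etc/cloud_config.py, ...]`), which runs without a shell, or single-quoting the values in the ARM literal, and confirm how /etc/cloud_config.py parses its argv.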
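Review bot: The -1032 and -1048 hunks drop the `vnet=...` address-prefix line from both UserData and osProfile.customData, so the VNet prefix is no longer delivered to the instance at all; if /etc/cloud_config.py still reads `vnet`, that is a silent regression rather than a cleanup, and the commit description does not say which it is. Removing osProfile.customData also means the `#cloud-config` document now arrives only through the VMSS userData field; confirm that the image's cloud-init consumes userData on Azure, since customData has been the conventional channel for the Azure datasource.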
diff --git a/azure/templates/marketplace-ha/createUiDefinition.json b/azure/templates/marketplace-ha/createUiDefinition.json index a547363d..c770250c 100644 --- a/azure/templates/marketplace-ha/createUiDefinition.json +++ b/azure/templates/marketplace-ha/createUiDefinition.json @@ -836,7 +836,7 @@ } }, { - "visible": "[bool(basics('auth').sshPublicKey)]", + "visible": "[bool(basics('auth').sshPublicKey)]", "name": "EnableSerialConsolePassword", "type": "Microsoft.Common.OptionsGroup", "label": "Enable Serial console password", @@ -946,7 +946,7 @@ "label": "Availability options", "defaultValue": "Availability Set", "toolTip": "Use replicated Cluster VMs in Availability Set or Availability Zones. Note that the load balancers and their IP addresses will be zone redundant in any case.", - "visible": "[contains(' australiaeast brazilsouth canadacentral centralus eastasia eastus eastus2 francecentral germanywestcentral japaneast koreacentral northeurope norwayeast southafricanorth southcentralus southeastasia swedencentral uksouth usgovvirginia westeurope westus2 westus3 switzerlandnorth qatarcentral centralindia uaenorth italynorth ', concat(' ', location(), ' '))]", + "visible": "[contains(' australiaeast brazilsouth canadacentral centralus eastasia eastus eastus2 francecentral germanywestcentral japaneast koreacentral northeurope norwayeast southafricanorth southcentralus southeastasia swedencentral uksouth usgovvirginia westeurope westus2 westus3 switzerlandnorth qatarcentral centralindia uaenorth italynorth \\ ', concat(' ', location(), ' '))]", "constraints": { "allowedValues": [ { @@ -1199,7 +1199,7 @@ "label": "Quick connect to Smart-1 Cloud", "defaultValue": "Yes", "toolTip": "Automatically connect this Cluster to Smart-1 Cloud - Check Point's Security Management as a Service", - "constraints": { + "constraints": { "allowedValues": [ { "label": "Yes", 
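Review bot: The -946 hunk inserts ` \\ ` (a backslash and a space after JSON decoding) at the end of the region list in the availability-options `visible` expression, which looks accidental: no `location()` value contains a backslash, so it is inert for matching, but it leaves stray text in a list that tends to be copied between the templates. The only edits that list should carry are region names; drop the `\\ ` before the closing quote.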
@@ -1238,16 +1238,16 @@ "visible": "[equals(steps('chkp').allowSmart1CloudConnection, 'yes')]" }, { - "name": "Smart1CloudTokenB", - "type": "Microsoft.Common.TextBox", - "label": "Smart-1 Cloud Token Member B", - "toolTip": "Paste here the token copied from the Connect Gateway (Member B) screen in Smart-1 Cloud portal", - "constraints": { - "required": true, - "regex": "[\\S\\s]{5,}", - "validationMessage": "Smart1Cloud Token Should contain at lease 5 characters" - }, - "visible": "[equals(steps('chkp').allowSmart1CloudConnection, 'yes')]" + "name": "Smart1CloudTokenB", + "type": "Microsoft.Common.TextBox", + "label": "Smart-1 Cloud Token Member B", + "toolTip": "Paste here the token copied from the Connect Gateway (Member B) screen in Smart-1 Cloud portal", + "constraints": { + "required": true, + "regex": "[\\S\\s]{5,}", + "validationMessage": "Smart1Cloud Token Should contain at lease 5 characters" + }, + "visible": "[equals(steps('chkp').allowSmart1CloudConnection, 'yes')]" } ] }, @@ -1640,7 +1640,7 @@ "deployNewNSG": "[steps('network').NSG]", "ExistingNSG": "[steps('network').nsgSelector]", "NewNsgName": "[steps('network').NSGName]", - "addStorageAccountIpRules": "[steps('network').addStorageAccountIpRules]", + "addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]", "VipsNumber": "[int(steps('network').Vips_Number)]", "VipNames": "[concat(steps('network').VIP_Names.VIP2_Name, ',', steps('network').VIP_Names.VIP3_Name, ',', steps('network').VIP_Names.VIP4_Name, ',', steps('network').VIP_Names.VIP5_Name, ',', steps('network').VIP_Names.VIP6_Name, ',', steps('network').VIP_Names.VIP7_Name, ',', steps('network').VIP_Names.VIP8_Name, ',', steps('network').VIP_Names.VIP9_Name, ',', steps('network').VIP_Names.VIP10_Name)]", "SerialConsolePasswordHash": "[steps('chkp').AdditionalPassword]", diff --git a/azure/templates/marketplace-ha/mainTemplate.json b/azure/templates/marketplace-ha/mainTemplate.json index 77c7fbf3..92ebdc45 100644 
--- a/azure/templates/marketplace-ha/mainTemplate.json +++ b/azure/templates/marketplace-ha/mainTemplate.json @@ -357,7 +357,7 @@ "VIPs_Number": "[int(parameters('VipsNumber'))]", "Vip_Names": "[split(parameters('VipNames'), ',')]", "templateName": "ha", - "templateVersion": "20240716", + "templateVersion": "20240904", "location": "[parameters('location')]", "elbPublicIPName": "frontend-lb-address", "haPublicIPName": "[parameters('vmName')]", @@ -1210,7 +1210,7 @@ "diagnosticsProfile": { "bootDiagnostics": { "enabled": "true", - "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2022-09-01').primaryEndpoints.blob]" + "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2023-01-01').primaryEndpoints.blob]" } }, "hardwareProfile": { diff --git a/azure/templates/marketplace-management/createUiDefinition.json b/azure/templates/marketplace-management/createUiDefinition.json index 83dcc85d..7e945af8 100644 --- a/azure/templates/marketplace-management/createUiDefinition.json +++ b/azure/templates/marketplace-management/createUiDefinition.json @@ -225,7 +225,7 @@ } }, { - "visible": "[bool(basics('auth').sshPublicKey)]", + "visible": "[bool(basics('auth').sshPublicKey)]", "name": "EnableSerialConsolePassword", "type": "Microsoft.Common.OptionsGroup", "label": "Enable Serial console password", @@ -422,7 +422,7 @@ } ] } - }, + }, { "name": "enableApi", "type": "Microsoft.Common.DropDown", @@ -694,7 +694,7 @@ "deployNewNSG": "[steps('network').NSG]", "ExistingNSG": "[steps('network').nsgSelector]", "NewNsgName": "[steps('network').NSGName]", - "addStorageAccountIpRules": "[steps('network').addStorageAccountIpRules]", + "addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]", "SerialConsolePasswordHash": "[steps('chkp').AdditionalPassword]", "MaintenanceModePasswordHash": "[steps('chkp').MaintenanceModePassword]" } 
diff --git a/azure/templates/marketplace-management/mainTemplate.json b/azure/templates/marketplace-management/mainTemplate.json index 409cb73f..eb3153c8 100644 --- a/azure/templates/marketplace-management/mainTemplate.json +++ b/azure/templates/marketplace-management/mainTemplate.json @@ -269,7 +269,7 @@ }, "variables": { "templateName": "management", - "templateVersion": "20240716", + "templateVersion": "20240904", "location": "[parameters('location')]", "offers": { "R81.10 - Bring Your Own License": "BYOL", @@ -868,7 +868,7 @@ "diagnosticsProfile": { "bootDiagnostics": { "enabled": "true", - "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2022-09-01').primaryEndpoints.blob]" + "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2023-01-01').primaryEndpoints.blob]" } }, "hardwareProfile": { diff --git a/azure/templates/marketplace-mds/createUiDefinition.json b/azure/templates/marketplace-mds/createUiDefinition.json index 52056087..de11e136 100644 --- a/azure/templates/marketplace-mds/createUiDefinition.json +++ b/azure/templates/marketplace-mds/createUiDefinition.json @@ -186,7 +186,7 @@ } }, { - "visible": "[bool(basics('auth').sshPublicKey)]", + "visible": "[bool(basics('auth').sshPublicKey)]", "name": "EnableSerialConsolePassword", "type": "Microsoft.Common.OptionsGroup", "label": "Enable Serial console password", @@ -629,7 +629,7 @@ "deployNewNSG": "[steps('network').NSG]", "ExistingNSG": "[steps('network').nsgSelector]", "NewNsgName": "[steps('network').NSGName]", - "addStorageAccountIpRules": "[steps('network').addStorageAccountIpRules]", + "addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]", "SerialConsolePasswordHash": "[steps('chkp').AdditionalPassword]", "MaintenanceModePasswordHash": "[steps('chkp').MaintenanceModePassword]" } 
diff --git a/azure/templates/marketplace-mds/mainTemplate.json b/azure/templates/marketplace-mds/mainTemplate.json index 91f313fc..98e056c2 100644 --- a/azure/templates/marketplace-mds/mainTemplate.json +++ b/azure/templates/marketplace-mds/mainTemplate.json @@ -262,7 +262,7 @@ }, "variables": { "templateName": "mds", - "templateVersion": "20240716", + "templateVersion": "20240904", "location": "[parameters('location')]", "offers": { "R81.10 - Bring Your Own License": "BYOL", @@ -851,7 +851,7 @@ "diagnosticsProfile": { "bootDiagnostics": { "enabled": "true", - "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2022-09-01').primaryEndpoints.blob]" + "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2023-01-01').primaryEndpoints.blob]" } }, "hardwareProfile": { diff --git a/azure/templates/marketplace-single-waap/createUiDefinition.json b/azure/templates/marketplace-single-waap/createUiDefinition.json index 3ebd285b..42e2ebff 100755 --- a/azure/templates/marketplace-single-waap/createUiDefinition.json +++ b/azure/templates/marketplace-single-waap/createUiDefinition.json @@ -67,8 +67,8 @@ "toolTip": "Token can be obtained by logging in to [https://portal.checkpoint.com/](https://portal.checkpoint.com/) –> INFINITY POLICY -> CLOUD -> Profiles", "constraints": { "required": true, - "regex": "^cp-[a-z0-9A-Z-]{72,72}$", - "validationMessage": "Token should begin with 'cp-' and must be 75 characters long" + "regex": "^cp-(([a-z0-9A-Z-]{72,72})|([a-z0-9A-Z-]{75,75}))$", + "validationMessage": "Token should begin with 'cp-' and must be 75 or 78 characters long" }, "options": { "hideConfirmation": false diff --git a/azure/templates/marketplace-single-waap/mainTemplate.json b/azure/templates/marketplace-single-waap/mainTemplate.json index 1d4f4b84..d7704b90 100755 --- a/azure/templates/marketplace-single-waap/mainTemplate.json 
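Review bot: The new token regex in the -67 hunk, `^cp-(([a-z0-9A-Z-]{72,72})|([a-z0-9A-Z-]{75,75}))$`, accepts exactly 75- or 78-character tokens, while the matching `waapAgentToken` parameter in mainTemplate.json (the -50 hunk on the next line, and -51 in the vmss-waap template) only bounds the length to 75–78, so a 76- or 77-character value supplied outside the portal UI is accepted by the template; ARM parameters cannot express the alternation, so stating "75 or 78 characters" in that parameter's metadata description would at least document the gap. The `{72,72}` / `{75,75}` quantifiers can be written `{72}` / `{75}` and the inner groups are unnecessary: `^cp-([a-z0-9A-Z-]{72}|[a-z0-9A-Z-]{75})$`. The same regex is repeated in the vmss-waap createUiDefinition hunk further down.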
+++ b/azure/templates/marketplace-single-waap/mainTemplate.json @@ -50,7 +50,7 @@ "waapAgentToken": { "type": "securestring", "minLength": 75, - "maxLength": 75, + "maxLength": 78, "metadata": { "description": "Infinity Next Agent Token" } @@ -203,7 +203,7 @@ }, "variables": { "templateName": "checkpoint_waap", - "templateVersion": "20210922", + "templateVersion": "20211028", "location": "[parameters('location')]", "osVersion": "R8040", "installationType": "waap", @@ -282,6 +282,9 @@ { "type": "Microsoft.Storage/storageAccounts", "name": "[variables('storageAccountName')]", + "properties": { + "minimalTlsVersion": "TLS1_2" + }, "apiVersion": "2021-04-01", "location": "[variables('location')]", "sku": { diff --git a/azure/templates/marketplace-single/createUiDefinition.json b/azure/templates/marketplace-single/createUiDefinition.json index b02e4ffd..4df2533a 100644 --- a/azure/templates/marketplace-single/createUiDefinition.json +++ b/azure/templates/marketplace-single/createUiDefinition.json @@ -785,7 +785,7 @@ "name": "installationType", "type": "Microsoft.Common.DropDown", "label": "Installation type", - "visible": "[or(equals(equals(steps('chkp').cloudGuardVersion, 'R81.10'), equals(steps('chkp').cloudGuardVersion, 'R81.20'))]", + "visible": "[or(equals(steps('chkp').cloudGuardVersion, 'R81.10'), equals(steps('chkp').cloudGuardVersion, 'R81.20'))]", "defaultValue": "Gateway only", "toolTip": "Select the type of deployment", "constraints": { 
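Review bot: Setting `minimalTlsVersion: TLS1_2` on the storage account in the -282 hunk is the right direction, but whether the resource also sets `supportsHttpsTrafficOnly: true` and `allowBlobPublicAccess: false` is not visible in the hunk; if those are absent further down the resource, the boot-diagnostics account created here still accepts plain HTTP and can be configured for anonymous blob access, which is the larger exposure. The same `properties` block is added in vmss-waap's -661 hunk and in nestedtemplates/storageAccount-new.json's -30 hunk, so the three should agree.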
@@ -831,7 +831,7 @@ { "name": "standaloneValidation", "type": "Microsoft.Common.InfoBox", - "visible": "[and(equals(steps('chkp').installationType, 'standalone'), not(and(equals(steps('chkp').R80Offer, 'Bring Your Own License'),or(equals(equals(steps('chkp').cloudGuardVersion, 'R81.10'), equals(steps('chkp').cloudGuardVersion, 'R81.20')))))]", + "visible": "[and(equals(steps('chkp').installationType, 'standalone'), not(and(equals(steps('chkp').R80Offer, 'Bring Your Own License'),or(equals(steps('chkp').cloudGuardVersion, 'R81.10'), equals(steps('chkp').cloudGuardVersion, 'R81.20')))))]", "options": { "icon": "Error", "text": "Standalone deployment is ONLY supported for CloudGuard versions R81.10 and R81.20 Bring Your Own License." @@ -877,7 +877,7 @@ } }, { - "visible": "[bool(basics('auth').sshPublicKey)]", + "visible": "[bool(basics('auth').sshPublicKey)]", "name": "EnableSerialConsolePassword", "type": "Microsoft.Common.OptionsGroup", "label": "Enable Serial console password", @@ -1120,7 +1120,7 @@ "label": "Quick connect to Smart-1 Cloud", "defaultValue": "Yes", "toolTip": "Automatically connect this single gateway to Smart-1 Cloud - Check Point's Security Management as a Service", - "constraints": { + "constraints": { "allowedValues": [ { "label": "Yes", @@ -1157,7 +1157,7 @@ "validationMessage": "Smart1Cloud Token Should contain at lease 5 characters" }, "visible": "[equals(steps('chkp').allowSmart1CloudConnection, 'yes')]" - } + } ] }, { @@ -1347,7 +1347,7 @@ "deployNewNSG": "[steps('network').NSG]", "ExistingNSG": "[steps('network').nsgSelector]", "NewNsgName": "[steps('network').NSGName]", - "addStorageAccountIpRules": "[steps('network').addStorageAccountIpRules]" + "addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]" } } -} \ No newline at end of file +} diff --git a/azure/templates/marketplace-single/mainTemplate.json b/azure/templates/marketplace-single/mainTemplate.json index 57fea308..6085d845 100644 
--- a/azure/templates/marketplace-single/mainTemplate.json +++ b/azure/templates/marketplace-single/mainTemplate.json @@ -306,7 +306,7 @@ }, "variables": { "templateName": "single", - "templateVersion": "20240716", + "templateVersion": "20240904", "location": "[parameters('location')]", "offers": { "R81.10 - Bring Your Own License": "BYOL", @@ -869,7 +869,7 @@ "diagnosticsProfile": { "bootDiagnostics": { "enabled": "true", - "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2022-09-01').primaryEndpoints.blob]" + "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2023-01-01').primaryEndpoints.blob]" } }, "hardwareProfile": { diff --git a/azure/templates/marketplace-vmss-waap/createUiDefinition.json b/azure/templates/marketplace-vmss-waap/createUiDefinition.json index 2ca24a11..51c05e9c 100755 --- a/azure/templates/marketplace-vmss-waap/createUiDefinition.json +++ b/azure/templates/marketplace-vmss-waap/createUiDefinition.json @@ -67,8 +67,8 @@ "toolTip": "Token can be obtained by logging in to [https://portal.checkpoint.com/](https://portal.checkpoint.com/) –> INFINITY POLICY -> CLOUD -> Profiles", "constraints": { "required": true, - "regex": "^cp-[a-z0-9A-Z-]{72,72}$", - "validationMessage": "Token should begin with 'cp-' and must be 75 characters long" + "regex": "^cp-(([a-z0-9A-Z-]{72,72})|([a-z0-9A-Z-]{75,75}))$", + "validationMessage": "Token should begin with 'cp-' and must be 75 or 78 characters long" }, "options": { "hideConfirmation": false diff --git a/azure/templates/marketplace-vmss-waap/mainTemplate.json b/azure/templates/marketplace-vmss-waap/mainTemplate.json index bd80fffb..0b921194 100755 --- a/azure/templates/marketplace-vmss-waap/mainTemplate.json +++ b/azure/templates/marketplace-vmss-waap/mainTemplate.json 
@@ -51,7 +51,7 @@ "waapAgentToken": { "type": "securestring", "minLength": 75, - "maxLength": 75, + "maxLength": 78, "metadata": { "description": "Infinity Next Agent Token" } @@ -73,6 +73,7 @@ "availabilityZonesNum": { "type": "int", "allowedValues": [ + 0, 1, 2, 3 @@ -387,7 +388,7 @@ }, "variables": { "templateName": "waap_vmss", - "templateVersion": "20210922", + "templateVersion": "20211028", "location": "[parameters('location')]", "osVersion": "R8040", "isBlink": true, @@ -661,6 +662,9 @@ { "type": "Microsoft.Storage/storageAccounts", "name": "[variables('storageAccountName')]", + "properties": { + "minimalTlsVersion": "TLS1_2" + }, "apiVersion": "2021-04-01", "location": "[variables('location')]", "sku": { diff --git a/azure/templates/marketplace-vmss/createUiDefinition.json b/azure/templates/marketplace-vmss/createUiDefinition.json index 6b3ebbce..0f2cf56a 100644 --- a/azure/templates/marketplace-vmss/createUiDefinition.json +++ b/azure/templates/marketplace-vmss/createUiDefinition.json @@ -1331,7 +1331,7 @@ } }, { - "visible": "[bool(basics('auth').sshPublicKey)]", + "visible": "[bool(basics('auth').sshPublicKey)]", "name": "EnableSerialConsolePassword", "type": "Microsoft.Common.OptionsGroup", "label": "Enable Serial console password", @@ -1744,9 +1744,9 @@ "deployNewNSG": "[steps('network').NSG]", "ExistingNSG": "[steps('network').nsgSelector]", "NewNsgName": "[steps('network').NSGName]", - "addStorageAccountIpRules": "[steps('network').addStorageAccountIpRules]", + "addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]", "SerialConsolePasswordHash": "[steps('chkp').AdditionalPassword]", "MaintenanceModePasswordHash": "[steps('chkp').MaintenanceModePassword]" } } -} \ No newline at end of file +} diff --git a/azure/templates/marketplace-vmss/mainTemplate.json b/azure/templates/marketplace-vmss/mainTemplate.json index 0dd69d8d..077e926c 100644 --- a/azure/templates/marketplace-vmss/mainTemplate.json 
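Review bot: Adding `0` to availabilityZonesNum's allowedValues in the -73 hunk widens the parameter's domain, but nothing in the hunk shows that the expressions building the zones array from it tolerate zero; that should be checked where the value is consumed, outside the hunk. The vmss-waap createUiDefinition change in this commit only touches the token regex, so the portal UI presumably still cannot select 0 and the value is reachable only by direct template deployment — worth stating in the parameter's metadata description if that is intended.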
+++ b/azure/templates/marketplace-vmss/mainTemplate.json @@ -502,7 +502,7 @@ "resourceGroup": "[resourceGroup()]", "resourceGroupName": "[resourceGroup().name]", "templateName": "vmss-v2", - "templateVersion": "20240716", + "templateVersion": "20240904", "location": "[parameters('location')]", "offers": { "R81.10 - Bring Your Own License": "BYOL", @@ -1229,7 +1229,7 @@ "diagnosticsProfile": { "bootDiagnostics": { "enabled": "true", - "storageUri": "[reference(variables('storageAccountId'), '2021-04-01').primaryEndpoints.blob]" + "storageUri": "[reference(variables('storageAccountId'), '2023-01-01').primaryEndpoints.blob]" } } }, diff --git a/azure/templates/nestedtemplates/storageAccount-new.json b/azure/templates/nestedtemplates/storageAccount-new.json index 51820aac..b08a25a7 100644 --- a/azure/templates/nestedtemplates/storageAccount-new.json +++ b/azure/templates/nestedtemplates/storageAccount-new.json @@ -30,6 +30,9 @@ { "type": "Microsoft.Storage/storageAccounts", "name": "[parameters('storageAccountName')]", + "properties": { + "minimalTlsVersion": "TLS1_2" + }, "apiVersion": "[parameters('apiVersion')]", "location": "[parameters('location')]", "sku": { @@ -39,4 +42,4 @@ "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Storage/storageAccounts'), parameters('tagsByResource')['Microsoft.Storage/storageAccounts'], json('{}')) ]" } ] -} +} \ No newline at end of file diff --git a/azure/templates/nestedtemplates/vnet-1-subnet-existing.json b/azure/templates/nestedtemplates/vnet-1-subnet-existing.json index 81fc0d5a..cb335d9a 100644 --- a/azure/templates/nestedtemplates/vnet-1-subnet-existing.json +++ b/azure/templates/nestedtemplates/vnet-1-subnet-existing.json @@ -84,4 +84,4 @@ "type": "object" } } -} +} \ No newline at end of file diff --git a/azure/templates/nestedtemplates/vnet-2-subnet-ha2-existing.json b/azure/templates/nestedtemplates/vnet-2-subnet-ha2-existing.json index 17781d8c..04e3694c 100644 
--- a/azure/templates/nestedtemplates/vnet-2-subnet-ha2-existing.json +++ b/azure/templates/nestedtemplates/vnet-2-subnet-ha2-existing.json @@ -73,4 +73,4 @@ "type": "array" } } -} +} \ No newline at end of file diff --git a/azure/templates/nestedtemplates/vnet-2-subnet-ha2-new.json b/azure/templates/nestedtemplates/vnet-2-subnet-ha2-new.json index be5ae374..d9ca08ba 100644 --- a/azure/templates/nestedtemplates/vnet-2-subnet-ha2-new.json +++ b/azure/templates/nestedtemplates/vnet-2-subnet-ha2-new.json @@ -189,4 +189,4 @@ "type": "array" } } -} +} \ No newline at end of file diff --git a/azure/templates/nestedtemplates/vnet-existing-stack-ha.json b/azure/templates/nestedtemplates/vnet-existing-stack-ha.json index 6d7eaf7f..2f99a6f4 100644 --- a/azure/templates/nestedtemplates/vnet-existing-stack-ha.json +++ b/azure/templates/nestedtemplates/vnet-existing-stack-ha.json @@ -90,4 +90,4 @@ "type": "string" } } -} +} \ No newline at end of file diff --git a/azure/templates/nestedtemplates/vnet-existing.json b/azure/templates/nestedtemplates/vnet-existing.json index 415f5361..64533665 100644 --- a/azure/templates/nestedtemplates/vnet-existing.json +++ b/azure/templates/nestedtemplates/vnet-existing.json @@ -73,4 +73,4 @@ "type": "string" } } -} +} \ No newline at end of file diff --git a/azure/templates/nestedtemplates/vnet-new-stack-ha.json b/azure/templates/nestedtemplates/vnet-new-stack-ha.json index f941bb4c..c7e9b1ad 100644 --- a/azure/templates/nestedtemplates/vnet-new-stack-ha.json +++ b/azure/templates/nestedtemplates/vnet-new-stack-ha.json @@ -138,4 +138,4 @@ "type": "string" } } -} +} \ No newline at end of file diff --git a/azure/templates/single-ipv6/README.md b/azure/templates/single-ipv6/README.md index 57e098d6..7021c048 100755 --- a/azure/templates/single-ipv6/README.md +++ b/azure/templates/single-ipv6/README.md @@ -7,4 +7,3 @@ Follow [sk170760](https://supportcenter.checkpoint.com/supportcenter/portal?even Deploy to Azure - 
diff --git a/azure/templates/single-ipv6/mainTemplate.json b/azure/templates/single-ipv6/mainTemplate.json index 3ef03349..ea4efc14 100755 --- a/azure/templates/single-ipv6/mainTemplate.json +++ b/azure/templates/single-ipv6/mainTemplate.json @@ -296,7 +296,7 @@ "subnetName": "[parameters('Subnet1Name')]", "subnet2Name": "[parameters('Subnet2Name')]", "templateName": "singleIpv6", - "templateVersion": "20240716", + "templateVersion": "20240904", "location": "[parameters('location')]", "subnet-id": "[resourceId(parameters('virtualNetworkExistingRGName'), 'Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworkName'), variables('subnetName'))]", "subnet2-id": "[resourceId(parameters('virtualNetworkExistingRGName'), 'Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworkName'), variables('subnet2Name'))]", @@ -990,7 +990,7 @@ "diagnosticsProfile": { "bootDiagnostics": { "enabled": "true", - "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2021-06-01').primaryEndpoints.blob]" + "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2023-01-01').primaryEndpoints.blob]" } }, "hardwareProfile": { diff --git a/azure/templates/vmss-ipv6/mainTemplate.json b/azure/templates/vmss-ipv6/mainTemplate.json index 4c0f3b0a..f137e829 100755 --- a/azure/templates/vmss-ipv6/mainTemplate.json +++ b/azure/templates/vmss-ipv6/mainTemplate.json 
@@ -374,7 +374,7 @@
 "subnet2Name": "[parameters('Subnet2Name')]",
 "resourceGroup": "[resourceGroup()]",
 "templateName": "vmss-v2",
-"templateVersion": "20240716",
+"templateVersion": "20240904",
 "location": "[parameters('location')]",
 "subnet-id": "[resourceId(parameters('virtualNetworkExistingRGName'), 'Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworkName'), variables('subnetName'))]",
 "subnet2-id": "[resourceId(parameters('virtualNetworkExistingRGName'), 'Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworkName'), variables('subnet2Name'))]",
@@ -1283,7 +1283,7 @@
 "diagnosticsProfile": {
 "bootDiagnostics": {
 "enabled": "true",
-"storageUri": "[reference(variables('storageAccountId'), '2021-06-01').primaryEndpoints.blob]"
+"storageUri": "[reference(variables('storageAccountId'), '2023-01-01').primaryEndpoints.blob]"
 }
 }
 },
diff --git a/azure/templates/vwan-managed-app/README.md b/azure/templates/vwan-managed-app/README.md
index 293238e2..085e0620 100644
--- a/azure/templates/vwan-managed-app/README.md
+++ b/azure/templates/vwan-managed-app/README.md
@@ -64,8 +64,8 @@ https://management.azure.com/subscriptions/{subscription_id}/providers/Microsoft
 }
 ],
 "availableVersions": [
-"8110.900335.1522",
-"8120.900631.1522",
+"8110.900335.1435",
+"8120.900631.1433",
 "latest"
 ],
 "marketPlaceLink": "https://aka.ms/Checkpointmarketplace",
diff --git a/azure/templates/vwan-managed-app/mainTemplate.json b/azure/templates/vwan-managed-app/mainTemplate.json
index 5b733a83..1856f822 100644
--- a/azure/templates/vwan-managed-app/mainTemplate.json
+++ b/azure/templates/vwan-managed-app/mainTemplate.json
@@ -25,7 +25,7 @@
 }
 },
 "imageVersion": {
-"defaultValue": "8120.900631.1594",
+"defaultValue": "8120.900634.1641",
 "type": "String",
 "metadata": {
 "description": "The image version that will be used to deploy the solution. To get the image version, make API call to https://management.azure.com/subscriptions/{subscription_id}/providers/Microsoft.Network/networkVirtualApplianceSkus/checkpoint?api-version=2023-05-01"
@@ -281,4 +281,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/common/custom-management-script.py b/common/custom-management-script.py
index 8b53028c..38264dd1 100755
--- a/common/custom-management-script.py
+++ b/common/custom-management-script.py
@@ -9,11 +9,8 @@
 # and at the beginning of the deprovisioning process.
 # Important: This is a placeholder script, and you should implement __add and __delete functions.
-import collections
 import os
-import subprocess
 import sys
-import traceback
 import logging
 from logging.handlers import RotatingFileHandler
diff --git a/contrib/terraform-azure-gwlb/cpcluster-main.tf b/contrib/terraform-azure-gwlb/cpcluster-main.tf
index dc622c82..1af9d1e4 100644
--- a/contrib/terraform-azure-gwlb/cpcluster-main.tf
+++ b/contrib/terraform-azure-gwlb/cpcluster-main.tf
@@ -233,6 +233,11 @@ resource "random_id" "clusterrandomId" {
 byte_length = 8
 }
 resource "azurerm_storage_account" "vm-boot-diagnostics-storage" {
+ blob_properties {
+ delete_retention_policy {
+ days = 7
+ }
+ }
 name = "bootdiag${random_id.clusterrandomId.hex}"
 resource_group_name = module.common.resource_group_name
 location = module.common.resource_group_location
diff --git a/contrib/terraform-azure-gwlb/cpmgmt-main.tf b/contrib/terraform-azure-gwlb/cpmgmt-main.tf
index 8dabd6ab..b009a3b4 100644
--- a/contrib/terraform-azure-gwlb/cpmgmt-main.tf
+++ b/contrib/terraform-azure-gwlb/cpmgmt-main.tf
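Review bot: The 7 in the added `delete_retention_policy` is a hard-coded literal, and the identical five-line block is pasted into `cpmgmt-main.tf` and `vmss-new-vnet-with-peer/main.tf` in this same patch; a `variable "boot_diag_retention_days" { default = 7 }` referenced as `days = var.boot_diag_retention_days` would let operators align blob soft-delete with their own retention policy without editing three templates. Blob soft-delete only protects individual blobs; if the intent is recoverability of boot-diagnostics data after a deletion, a sibling `container_delete_retention_policy { days = 7 }` (available in recent azurerm provider versions) covers the container as well. The rest of the `azurerm_storage_account` body (tier, replication, TLS and public-access settings) continues below the hunk, so I could not check whether those are hardened here.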
@@ -124,6 +124,11 @@ resource "random_id" "randomId" {
 # Create storage account for boot diagnostics
 resource "azurerm_storage_account" "ckp-storageaccount" {
+ blob_properties {
+ delete_retention_policy {
+ days = 7
+ }
+ }
 name = "diag${random_id.randomId.hex}"
 resource_group_name = azurerm_resource_group.rg-ckpmgmt.name
 location = azurerm_resource_group.rg-ckpmgmt.location
diff --git a/contrib/terraform-azure-gwlb/terraform.tfvars b/contrib/terraform-azure-gwlb/terraform.tfvars
index f35851c3..a3259c79 100644
--- a/contrib/terraform-azure-gwlb/terraform.tfvars
+++ b/contrib/terraform-azure-gwlb/terraform.tfvars
@@ -1,31 +1,31 @@
 # Set in this file your deployment variables
 # Specify the Azure values
-azure-client-id = "xxxxx-xxxxx-xxxxx-xxxxx"
-azure-client-secret = "xxxxx-xxxxx-xxxxx-xxxxx"
-azure-subscription = "xxxxx-xxxxx-xxxxx-xxxxx"
-azure-tenant = "xxxxx-xxxxx-xxxxx-xxxxx"
+azure-client-id = "PLEASE ENTER AZURE CLIENT ID" # "xxxxx-xxxxx-xxxxx-xxxxx"
+azure-client-secret = "PLEASE ENTER AZURE CLIENT SECRET" # "xxxxx-xxxxx-xxxxx-xxxxx"
+azure-subscription = "PLEASE ENTER AZURE SUBSCRIPTION" # "xxxxx-xxxxx-xxxxx-xxxxx"
+azure-tenant = "PLEASE ENTER AZURE TENANT" # "xxxxx-xxxxx-xxxxx-xxxxx"
 # Specify where you want to deploy it and where you are coming from
-location = "France Central"
-my-pub-ip = "x.x.x.x/32"
+location = "PLEASE ENTER LOCATION" # "France Central"
+my-pub-ip = "PLEASE ENTER PUBLIC IP" # "x.x.x.x/32"
 # Management details
-mgmt-sku-enabled = false # Have you ever deployed a R81.10 CKP management? Set to false if not
-mgmt-dns-suffix = "xxxxx"
-mgmt-admin-pwd = "xxxxx"
+mgmt-sku-enabled = "PLEASE ENTER true or false" # false # Have you ever deployed a R81.10 CKP management? Set to false if not
+mgmt-dns-suffix = "PLEASE ENTER MANAGEMENT DNS SUFFIX" # "xxxxx"
+mgmt-admin-pwd = "PLEASE ENTER MANAGEMENT ADMIN PASSWORD" # "xxxxx"
 # VMspoke details
-vmspoke-sku-enabled = false # Have you ever deployed a Nginx VM before? set to false if not
-vmspoke-usr = "xxxxx"
-vmspoke-pwd = "xxxxx"
+vmspoke-sku-enabled = "PLEASE ENTER true or false" # false # Have you ever deployed a Nginx VM before? set to false if not
+vmspoke-usr = "PLEASE ENTER VMSPOKE USER" # "xxxxx"
+vmspoke-pwd = "PLEASE ENTER VMSPOKE PASSWORD" # "xxxxx"
 # Cluster Details
-cpcluster-sku-enabled = false # Have you ever deployed a R80.40 CKP cluster? set to false if not"
-admin_username = "xxxxx"
-admin_password = "xxxxx"
-sic_key = "xxxxx"
+cpcluster-sku-enabled = "PLEASE ENTER true or false" # false # Have you ever deployed a R80.40 CKP cluster? set to false if not"
+admin_username = "PLEASE ENTER ADMIN USERNAME" # "xxxxx"
+admin_password = "PLEASE ENTER ADMIN PASSWORD" # "xxxxx"
+sic_key = "PLEASE ENTER SIC KEY" # "xxxxx"
 # GWLB VMSS Details
-gwlb-vmss-agreement = false # Have you ever deployed a GWLB VMSS? set to false if not
-chkp-admin-pwd = "xxxxx"
-chkp-sic = "xxxxx"
+gwlb-vmss-agreement = "PLEASE ENTER true or false" # false # Have you ever deployed a GWLB VMSS? set to false if not
+chkp-admin-pwd = "PLEASE ENTER CHKP ADMIN PASSWORD" # "xxxxx"
+chkp-sic = "PLEASE ENTER CHKP SIC" # "xxxxx"
diff --git a/contrib/terraform/azure/vmss-new-vnet-with-peer/main.tf b/contrib/terraform/azure/vmss-new-vnet-with-peer/main.tf
index f114b8ba..8b3cd410 100755
--- a/contrib/terraform/azure/vmss-new-vnet-with-peer/main.tf
+++ b/contrib/terraform/azure/vmss-new-vnet-with-peer/main.tf
@@ -176,6 +176,11 @@ resource "random_id" "randomId" {
 byte_length = 8
 }
 resource "azurerm_storage_account" "vm-boot-diagnostics-storage" {
+ blob_properties {
+ delete_retention_policy {
+ days = 7
+ }
+ }
 name = "diag${random_id.randomId.hex}"
 resource_group_name = module.common.resource_group_name
 location = module.common.resource_group_location
diff --git a/contrib/terraform/azure/vmss-new-vnet-with-peer/terraform.tfvars b/contrib/terraform/azure/vmss-new-vnet-with-peer/terraform.tfvars
index c227cb53..8fda9c83 100755
--- a/contrib/terraform/azure/vmss-new-vnet-with-peer/terraform.tfvars
+++ b/contrib/terraform/azure/vmss-new-vnet-with-peer/terraform.tfvars
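Review bot: The new placeholders tell the user to type `azure-client-secret`, `mgmt-admin-pwd`, `vmspoke-pwd`, `admin_password`, `sic_key`, `chkp-admin-pwd` and `chkp-sic` straight into this tracked `terraform.tfvars`, so a filled-in copy is one `git add` away from committing a service-principal secret and every gateway credential. Consider shipping this file as `terraform.tfvars.example` and ignoring `terraform.tfvars` (the `.gitignore` added by this patch is not in view, so I could not confirm it already does), pointing the comments at `TF_VAR_<name>` environment variables or a secret store for the secret values, and marking those variables `sensitive = true` in the variable declarations (outside this diff) so they stay out of plan output. Separately, `mgmt-sku-enabled`, `vmspoke-sku-enabled`, `cpcluster-sku-enabled` and `gwlb-vmss-agreement` change from bool literals to the string `"PLEASE ENTER true or false"`; if those variables are declared `type = bool` the user gets a type-conversion error rather than a prompt, so a commented-out `# mgmt-sku-enabled = false` that leaves the value unset would be clearer. The hunk covers the whole file.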
@@ -1,29 +1,29 @@
-resource_group_name = "checkpoint-vmss-terraform"
-location = "eastus"
-vmss_name = "checkpoint-vmss-terraform"
-vnet_name = "checkpoint-vmss-vnet"
-address_space = "172.16.0.0/16"
-subnet_prefixes = ["172.16.1.0/24","172.16.2.0/24"]
-backend_lb_IP_address = 4
-admin_password = "xxxxxxxxxx"
-sic_key = "xxxxxxxxxx"
-vm_size = "Standard_D3_v2"
-disk_size = "110"
-vm_os_sku = "sg-byol"
-vm_os_offer = "check-point-cg-r8040"
-os_version = "R80.40"
-bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
-allow_upload_download = true
-disable_password_authentication = false
-availability_zones_num = "1"
-minimum_number_of_vm_instances = 2
-maximum_number_of_vm_instances = 10
-management_name = "mgmt"
-management_IP = "192.168.100.4"
-management_interface = "eth0"
-configuration_template_name = "vmss_template"
-notification_email = "name@company.com"
-frontend_load_distribution = "Default"
-backend_load_distribution = "Default"
-mgmt_vnet_name = "mgmt-vnet"
-mgmt_resource_group_name = "management"
+resource_group_name = "PLEASE ENTER RESOURCE GROUP NAME" # "checkpoint-vmss-terraform"
+location = "PLEASE ENTER LOCATION" # "eastus"
+vmss_name = "PLEASE ENTER SCALE SET NAME" # "checkpoint-vmss-terraform"
+vnet_name = "PLEASE ENTER VIRTUAL NETWORK NAME" # "checkpoint-vmss-vnet"
+address_space = "PLEASE ENTER ADDRESS SPACE" # "172.16.0.0/16"
+subnet_prefixes = "PLEASE ENTER SUBNET PREFIXES" # ["172.16.1.0/24","172.16.2.0/24"]
+backend_lb_IP_address = "PLEASE ENTER BACKEND LB IP ADDRESS POSITIONAL NUMBER" # 4
+admin_password = "PLEASE ENTER ADMIN PASSWORD" # "xxxxxxxxxx"
+sic_key = "PLEASE ENTER SIC KEY" # "xxxxxxxxxx"
+vm_size = "PLEASE ENTER VM SIZE" # "Standard_D3_v2"
+disk_size = "PLEASE ENTER DISK SIZE" # "110"
+vm_os_sku = "PLEASE ENTER VM SKU" # "sg-byol"
+vm_os_offer = "PLEASE ENTER VM OFFER" # "check-point-cg-r8040"
+os_version = "PLEASE ENTER GAIA OS VERSION" # "R80.40"
+bootstrap_script = "PLEASE ENTER CUSTOM SCRIPT OR LEAVE EMPTY DOUBLE QUOTES" # "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
+allow_upload_download = "PLEASE ENTER true or false" # true
+disable_password_authentication = "PLEASE ENTER true or false" # false
+availability_zones_num = "PLEASE ENTER NUMBER OF AVAILABILITY ZONES" # "1"
+minimum_number_of_vm_instances = "PLEASE ENTER MINIMUM NUMBER OF VM INSTANCES" # 2
+maximum_number_of_vm_instances = "PLEASE ENTER MAXIMUM NUMBER OF VM INSTANCES" # 10
+management_name = "PLEASE ENTER MANAGEMENT NAME" # "mgmt"
+management_IP = "PLEASE ENTER MANAGEMENT IP" # "192.168.100.4"
+management_interface = "PLEASE ENTER MANAGEMENT INTERFACE" # "eth0"
+configuration_template_name = "PLEASE ENTER CONFIGURATION TEMPLATE NAME" # "vmss_template"
+notification_email = "PLEASE ENTER NOTIFICATION MAIL OR LEAVE EMPTY DOUBLE QUOTES" # "name@company.com"
+frontend_load_distribution = "PLEASE ENTER EXTERNAL LOAD BALANCER SESSION PERSISTENCE" # "Default"
+backend_load_distribution = "PLEASE ENTER INTERNAL LOAD BALANCER SESSION PERSISTENCE" # "Default"
+mgmt_vnet_name = "PLEASE ENTER MANAGEMENT VIRTUAL NETWORK NAME" # "mgmt-vnet"
+mgmt_resource_group_name = "PLEASE ENTER MANAGEMENT RESOURCE GROUP NAME" # "management"
diff --git a/deprecated/terraform/gcp/R8040-R81/autoscale-into-new-vpc/main.tf b/deprecated/terraform/gcp/R8040-R81/autoscale-into-new-vpc/main.tf
index 16ec2197..d6dda38a 100644
--- a/deprecated/terraform/gcp/R8040-R81/autoscale-into-new-vpc/main.tf
+++ b/deprecated/terraform/gcp/R8040-R81/autoscale-into-new-vpc/main.tf
@@ -15,6 +15,7 @@ resource "google_compute_network" "external_network" {
 auto_create_subnetworks = false
 }
 resource "google_compute_subnetwork" "external_subnetwork" {
+ private_ip_google_access = true
 name = "${var.prefix}-ext-subnet-${random_string.mig_random_string.result}"
 ip_cidr_range = var.external_subnetwork_ip_cidr_range
 region = var.region
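Review bot: Several placeholder strings no longer match the types the commented example values imply: `subnet_prefixes` was a list, `backend_lb_IP_address`, `minimum_number_of_vm_instances` and `maximum_number_of_vm_instances` were numbers, and `allow_upload_download` / `disable_password_authentication` were bools, so a value like `"PLEASE ENTER true or false"` will fail `terraform plan` with a conversion error rather than guide the user (assuming typed declarations in variables.tf, which is not in view), and the `bootstrap_script` placeholder is a command string that would be handed to the gateway if applied verbatim. Leaving such entries unset with the example in a comment, e.g. `# subnet_prefixes = ["172.16.1.0/24","172.16.2.0/24"]`, makes Terraform prompt for them instead. As with the other tfvars in this patch, `admin_password` and `sic_key` are now prompted for inside a tracked file; prefer `TF_VAR_admin_password` / `TF_VAR_sic_key` or a gitignored tfvars for those two. The example `disable_password_authentication = false` also documents the weaker default; if the module supports key-based admin access, `true` is the safer example to show.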
@@ -26,6 +27,7 @@ resource "google_compute_network" "internal_network" {
 auto_create_subnetworks = false
 }
 resource "google_compute_subnetwork" "internal_subnetwork" {
+ private_ip_google_access = true
 name = "${var.prefix}-int-subnet-${random_string.mig_random_string.result}"
 ip_cidr_range = var.internal_subnetwork_ip_cidr_range
 region = var.region
diff --git a/terraform/alicloud/cluster-master/README.md b/terraform/alicloud/cluster-master/README.md
index 8c16dc10..010a8a35 100755
--- a/terraform/alicloud/cluster-master/README.md
+++ b/terraform/alicloud/cluster-master/README.md
@@ -63,8 +63,8 @@ Configure envrionment variables in Windows:
 | volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no |
 | disk_category | The ECS disk category | string | - cloud
- cloud_efficiency
- cloud_ssd,
- cloud_essd | "cloud_efficiency" | no | | ram_role_name | A predefined RAM role name to attach to the cluster's security gateway instances | string | n/a | "" | no | -| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway ECS Instances | map(string) | n/a | {} | no | -| gateway_version | Gateway version and license | string | - R81-BYOL
- R81.10-BYOL
- R81.20-BYOL | R81.20-BYOL | no | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway ECS Instances | map(string) | n/a | {}} | no | +| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.20-BYOL | R81.20-BYOL | no | | admin_shell | Set the admin shell to enable advanced command line configuration. | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | "/etc/cli.sh" | no | | gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | n/a | yes | | gateway_password_hash | (optional) Admin user's password hash (use command \"openssl passwd -6 PASSWORD\" to get the PASSWORD's hash) | string | n/a | "" | no | @@ -161,7 +161,8 @@ ram_role_name = "" | Template Version | Description | |------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 20230830 | Change default Check Point version to R81.20 | +| 20240704 | R81 version deprecation | +| 20230829 | Change default Check Point version to R81.20 | | 20230615 | - Improved userdata quality and stability by moving to cloud-config
- Define default primary and secondary NTP servers
- Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | | 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | | 20230420 | Change alicloud terraform provider version to 1.203.0 | diff --git a/terraform/alicloud/cluster/README.md b/terraform/alicloud/cluster/README.md index a703b75c..0df21dbd 100755 --- a/terraform/alicloud/cluster/README.md +++ b/terraform/alicloud/cluster/README.md @@ -56,7 +56,7 @@ Configure envrionment variables in Windows: | disk_category | The ECS disk category | string | - cloud
- cloud_efficiency
- cloud_ssd,
- cloud_essd | "cloud_efficiency" | no | | ram_role_name | A predefined RAM role name to attach to the cluster's security gateway instances | string | n/a | "" | no | | instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway ECS Instances | map(string) | n/a | {} | no | -| gateway_version | Gateway version and license | string | - R81-BYOL
- R81.10-BYOL
- R81.20-BYOL | R81.20-BYOL | no | +| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.20-BYOL | R81.20-BYOL | no | | admin_shell | Set the admin shell to enable advanced command line configuration. | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | "/etc/cli.sh" | no | | gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | n/a | yes | | gateway_password_hash | (optional) Admin user's password hash (use command \"openssl passwd -6 PASSWORD\" to get the PASSWORD's hash) | string | n/a | "" | no | @@ -145,7 +145,8 @@ ram_role_name = "" | Template Version | Description | |------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 20230830 | Change default Check Point version to R81.20 | +| 20240704 | R81 version deprecation | +| 20230829 | Change default version to R81.20 | | 20230615 | - Improved userdata quality and stability by moving to cloud-config
- Define default primary and secondary NTP servers
- Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | | 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname |
 | 20230420 | Change alicloud terraform provider version to 1.203.0 |
@@ -155,4 +156,4 @@ ram_role_name = ""
 ## License
-This project is licensed under the MIT License - see the [LICENSE](../../../LICENSE) file for details
\ No newline at end of file
+This project is licensed under the MIT License - see the [LICENSE](../../../LICENSE) file for details
diff --git a/terraform/alicloud/cluster/cluster_member_a_userdata.yaml b/terraform/alicloud/cluster/cluster_member_a_userdata.yaml
index 534d8e42..13d3d35d 100644
--- a/terraform/alicloud/cluster/cluster_member_a_userdata.yaml
+++ b/terraform/alicloud/cluster/cluster_member_a_userdata.yaml
@@ -1,4 +1,4 @@
 #cloud-config
 runcmd:
 - |
- python3 /etc/cloud_config.py managementIpAddress=\"${ManagementIpAddress}\" sicKey=\"${SICKey}\" installationType=\"cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20230830\" templateName=\"cluster\" templateType=\"terraform\" shell=\"${Shell}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" "smart1CloudToken=\"${TokenA}\"" bootstrapScript64=\"${GatewayBootstrapScript}\"
\ No newline at end of file
+ python3 /etc/cloud_config.py managementIpAddress=\"${ManagementIpAddress}\" sicKey=\"${SICKey}\" installationType=\"cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20240704\" templateName=\"cluster\" templateType=\"terraform\" shell=\"${Shell}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" "smart1CloudToken=\"${TokenA}\"" bootstrapScript64=\"${GatewayBootstrapScript}\"
\ No newline at end of file
diff --git a/terraform/alicloud/cluster/cluster_member_b_userdata.yaml b/terraform/alicloud/cluster/cluster_member_b_userdata.yaml
index 43c69a99..0a4c0633 100644
--- a/terraform/alicloud/cluster/cluster_member_b_userdata.yaml
+++ b/terraform/alicloud/cluster/cluster_member_b_userdata.yaml
@@ -1,4 +1,4 @@
 #cloud-config
 runcmd:
 - |
- python3 /etc/cloud_config.py managementIpAddress=\"${ManagementIpAddress}\" sicKey=\"${SICKey}\" installationType=\"cluster\" osVersion=\"{OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20230830\" templateName=\"cluster\" templateType=\"terraform\" shell=\"${Shell}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" "smart1CloudToken=\"${TokenB}\"" bootstrapScript64=\"${GatewayBootstrapScript}\"
\ No newline at end of file
+ python3 /etc/cloud_config.py managementIpAddress=\"${ManagementIpAddress}\" sicKey=\"${SICKey}\" installationType=\"cluster\" osVersion=\"{OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20240704\" templateName=\"cluster\" templateType=\"terraform\" shell=\"${Shell}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" "smart1CloudToken=\"${TokenB}\"" bootstrapScript64=\"${GatewayBootstrapScript}\"
\ No newline at end of file
diff --git a/terraform/alicloud/cluster/main.tf b/terraform/alicloud/cluster/main.tf
index 5fa001d6..db2d9c93 100755
--- a/terraform/alicloud/cluster/main.tf
+++ b/terraform/alicloud/cluster/main.tf
@@ -79,7 +79,7 @@ resource "alicloud_instance" "member-b-instance" {
 resource "alicloud_network_interface" "member_a_mgmt_eni" {
 network_interface_name = format("%s-Member-A-management-eni", var.resources_tag_name != "" ? var.resources_tag_name : var.gateway_name)
 vswitch_id = var.mgmt_vswitch_id
- security_group_ids = [
+ security_group_ids = [
 module.common_permissive_sg.permissive_sg_id]
 description = "eth2"
 }
diff --git a/terraform/alicloud/gateway-master/README.md b/terraform/alicloud/gateway-master/README.md
index 301c12a6..a90166fb 100755
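Review bot: The rewritten line still passes `osVersion=\"{OsVersion}\"` without the `$`, so after template rendering member B hands cloud_config.py the literal string `{OsVersion}` while `cluster_member_a_userdata.yaml` in this same patch sends `osVersion=\"${OsVersion}\"`; the bump to `templateVersion=\"20240704\"` rewrote this line and was the place to fix it. `hostName=\"${Hostname }\"` also carries a stray space inside the interpolation, which the template engine probably tolerates but which should be normalised to `hostName=\"${Hostname}\"` to match member A. Note that the SIC key, password hash and Smart-1 Cloud token are all passed on this command line, so they may be visible in cloud-init output on the instance — that is pre-existing rather than introduced here, but worth a comment in the file.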
--- a/terraform/alicloud/gateway-master/README.md +++ b/terraform/alicloud/gateway-master/README.md @@ -61,7 +61,7 @@ Configure envrionment variables in Windows: | volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | | disk_category | The ECS disk category | string | - cloud
- cloud_efficiency
- cloud_ssd,
- cloud_essd | "cloud_efficiency" | no | | ram_role_name | A predefined RAM role name to attach to the security gateway instance | string | n/a | "" | no | -| gateway_version | Gateway version and license | string | - R81-BYOL
- R81.10-BYOL
- R81.20-BYOL | R81.20-BYOL | no | +| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.20-BYOL | R81.20-BYOL | no | | admin_shell | Set the admin shell to enable advanced command line configuration. | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | "/etc/cli.sh" | no | | gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | n/a | yes | | password_hash | Admin user's password hash (use command \"openssl passwd -6 PASSWORD\" to get the PASSWORD's hash) (optional) | string | n/a | "" | no | @@ -142,7 +142,8 @@ allocate_and_associate_eip = true | Template Version | Description | |------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 20230830 | Change default Check Point version to R81.20 | +| 20240704 | R81 version deprecation | +| 20230829 | Change default Check Point version to R81.20 | | 20230615 | - Improved userdata quality and stability by moving to cloud-config
- Define default primary and secondary NTP servers
- Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | | 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | | 20230420 | Change alicloud terraform provider version to 1.203.0 | diff --git a/terraform/alicloud/gateway/README.md b/terraform/alicloud/gateway/README.md index db7c32e2..32ba9dfc 100755 --- a/terraform/alicloud/gateway/README.md +++ b/terraform/alicloud/gateway/README.md @@ -53,7 +53,7 @@ Configure envrionment variables in Windows: | volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | | disk_category | The ECS disk category | string | - cloud
- cloud_efficiency
- cloud_ssd,
- cloud_essd | "cloud_efficiency" | no | | ram_role_name | A predefined RAM role name to attach to the security gateway instance | string | n/a | "" | no | -| gateway_version | Gateway version and license | string | - R81-BYOL
- R81.10-BYOL
- R81.20-BYOL | R81.20-BYOL | no | +| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.20-BYOL | R81.20-BYOL | no | | admin_shell | Set the admin shell to enable advanced command line configuration. | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | "/etc/cli.sh" | no | | gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | n/a | yes | | password_hash | Admin user's password hash (use command \"openssl passwd -6 PASSWORD\" to get the PASSWORD's hash) (optional) | string | n/a | "" | no | @@ -128,7 +128,8 @@ private_route_table = "rtb-12345678" | Template Version | Description | |------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 20230830 | Change default Check Point version to R81.20 | +| 20240704 | R81 version deprecation | +| 20230829 | Change default Check Point version to R81.20 | | 20230615 | - Improved userdata quality and stability by moving to cloud-config
- Define default primary and secondary NTP servers
- Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | | 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | | 20230420 | Change alicloud terraform provider version to 1.203.0 | diff --git a/terraform/alicloud/management-master/README.md b/terraform/alicloud/management-master/README.md index ec200646..8e7ea6c2 100755 --- a/terraform/alicloud/management-master/README.md +++ b/terraform/alicloud/management-master/README.md @@ -49,7 +49,7 @@ Configure envrionment variables in Windows: | disk_category | The ECS disk category | string | - cloud
- cloud_efficiency
- cloud_ssd,
- cloud_essd | "cloud_essd" | no | | ram_role_name | RAM role name to attach to the instance profile, leave it empty for automatic creation | string | n/a | "" | no | | instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Management ECS Instance | map(string) | n/a | {} | no | -| version_license | Version and license of the Check Point Security Management | string | - R81-BYOL
- R81.10-BYOL
- R81.20-BYOL | R81.20-BYOL | no | +| version_license | Version and license of the Check Point Security Management | string | - R81.10-BYOL
- R81.20-BYOL | R81.20-BYOL | no | | admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | | password_hash | (Optional) Admin user's password hash (use command \"openssl passwd -6 PASSWORD\" to get the PASSWORD's hash) | string | n/a | "" | no | | hostname | (Optional) Management prompt hostname. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | n/a | no | @@ -121,10 +121,10 @@ bootstrap_script = "echo 'this is bootstrap script' > /home/admin/testfile.txt" | Template Version | Description | |------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 20230830 | Change default Check Point version to R81.20 | +| 20240704 | R81 version deprecation | +| 20230829 | Change default Check Point version to R81.20 | | 20230615 | - Improved userdata quality and stability by moving to cloud-config
- Define default primary and secondary NTP servers
- Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | | 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | -| 20230512 | New images with Jumbo Hotfix | | 20230420 | Change alicloud terraform provider version to 1.203.0 | | 20230330 | - Added support of ECS disk category.
- Stability fixes. | | 20230129 | First release of R81.20 CloudGuard Management Terraform deployment in Alibaba Cloud. | diff --git a/terraform/alicloud/management/README.md b/terraform/alicloud/management/README.md index ccff6e8f..0c07c661 100755 --- a/terraform/alicloud/management/README.md +++ b/terraform/alicloud/management/README.md @@ -49,7 +49,7 @@ Configure envrionment variables in Windows: | disk_category | The ECS disk category | string | - cloud
- cloud_efficiency
- cloud_ssd,
- cloud_essd | "cloud_essd" | no | | ram_role_name | RAM role name to attach to the instance profile, leave it empty for automatic creation | string | n/a | "" | no | | instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Management ECS Instance | map(string) | n/a | {} | no | -| version_license | Version and license of the Check Point Security Management | string | - R81-BYOL
- R81.10-BYOL
- R81.20-BYOL | R81.20-BYOL | | +| version_license | Version and license of the Check Point Security Management | string | - R81.10-BYOL
- R81.20-BYOL | R81.20-BYOL | no | | admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | | password_hash | (Optional) Admin user's password hash (use command \"openssl passwd -6 PASSWORD\" to get the PASSWORD's hash) | string | n/a | "" | no | | hostname | (Optional) Management prompt hostname. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | n/a | no | @@ -114,13 +114,13 @@ bootstrap_script = "echo 'this is bootstrap script' > /home/admin/testfile.txt" | Template Version | Description | |------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 20230830 | Change default Check Point version to R81.20 | +| 20240704 | R81 version deprecation | +| 20230829 | Change default Check Point version to R81.20 | | 20230615 | - Improved userdata quality and stability by moving to cloud-config
- Define default primary and secondary NTP servers
- Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | | 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | -| 20230512 | New images with Jumbo Hotfix | | 20230420 | Change alicloud terraform provider version to 1.203.0 | | 20230330 | - Added support of ECS disk category.
- Stability fixes. | -| 20230129 | First release of R81.20 CloudGuard Management Terraform deployment in Alibaba Cloud. | +| 20230129 | First release of R81.20 CloudGuard Management Terraform deployment in Alibaba Cloud. | | | | | 20211011 | First release of Check Point CloudGaurd Management Terraform deployment into an existing VPC in Alibaba cloud. | ## License diff --git a/terraform/alicloud/management/management_userdata.yaml b/terraform/alicloud/management/management_userdata.yaml index 9d957968..46540bbd 100644 --- a/terraform/alicloud/management/management_userdata.yaml +++ b/terraform/alicloud/management/management_userdata.yaml @@ -1,4 +1,4 @@ #cloud-config runcmd: - | - python3 /etc/cloud_config.py sicKey=\"${SICKey}\" installationType=\"management\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20230830\" templateName=\"management\" templateType=\"terraform\" shell=\"${Shell}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" primary=\"${IsPrimary}\" adminSubnet=\"${AdminSubnet}\" allocatePublicAddress=\"${AllocateElasticIP}\" "overTheInternet=\"${GatewayManagement}\"" bootstrapScript64=\"${BootstrapScript}\" + python3 /etc/cloud_config.py sicKey=\"${SICKey}\" installationType=\"management\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20240704\" templateName=\"management\" templateType=\"terraform\" shell=\"${Shell}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" primary=\"${IsPrimary}\" adminSubnet=\"${AdminSubnet}\" allocatePublicAddress=\"${AllocateElasticIP}\" "overTheInternet=\"${GatewayManagement}\"" bootstrapScript64=\"${BootstrapScript}\" 
diff --git a/terraform/alicloud/modules/common/gateway_instance/gateway_userdata.yaml b/terraform/alicloud/modules/common/gateway_instance/gateway_userdata.yaml
index 312ca453..cd294845 100644
--- a/terraform/alicloud/modules/common/gateway_instance/gateway_userdata.yaml
+++ b/terraform/alicloud/modules/common/gateway_instance/gateway_userdata.yaml
@@ -1,4 +1,4 @@
 #cloud-config
 runcmd:
 - |
- python3 /etc/cloud_config.py sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenKey}\"" installationType=\"gateway\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20230830\" templateName=\"gateway\" templateType=\"terraform\" shell=\"${Shell}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" bootstrapScript64=\"${GatewayBootstrapScript}\"
\ No newline at end of file
+ python3 /etc/cloud_config.py sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenKey}\"" installationType=\"gateway\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20240704\" templateName=\"gateway\" templateType=\"terraform\" shell=\"${Shell}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" bootstrapScript64=\"${GatewayBootstrapScript}\"
\ No newline at end of file
diff --git a/terraform/alicloud/modules/common/version_license/main.tf b/terraform/alicloud/modules/common/version_license/main.tf
index 94d144cd..dfe4739e 100755
--- a/terraform/alicloud/modules/common/version_license/main.tf
+++ b/terraform/alicloud/modules/common/version_license/main.tf
@@ -1,14 +1,9 @@
 locals {
 gw_versions = [
- //"R81-PAYG-NGTP",
- // "R81-PAYG-NGTX",
- "R81-BYOL",
 "R81.10-BYOL",
 "R81.20-BYOL"
 ]
 mgmt_versions = [
- //"R81-PAYG",
- "R81-BYOL",
 "R81.10-BYOL",
 "R81.20-BYOL"
 ]
diff --git a/terraform/alicloud/modules/images/images.yaml b/terraform/alicloud/modules/images/images.yaml
index c2eb1d52..126c819f 100755
--- a/terraform/alicloud/modules/images/images.yaml
+++ b/terraform/alicloud/modules/images/images.yaml
@@ -5,18 +5,12 @@ Parameters:
 Type: String
 Default: R81.20-BYOL-GW
 AllowedValues:
- - R81-BYOL-GW
- - R81-BYOL-MGMT
 - R81.10-BYOL-GW
 - R81.10-BYOL-MGMT
 - R81.20-BYOL-GW
 - R81.20-BYOL-MGMT
 Mappings:
 ConverterMap:
- R81-BYOL-GW:
- Value: R81BYOLGW
- R81-BYOL-MGMT:
- Value: R81BYOLMGMT
 R81.10-BYOL-GW:
 Value: R8110BYOLGW
 R81.10-BYOL-MGMT:
@@ -27,183 +21,131 @@ Mappings: Value: R8120BYOLMGMT RegionMap: cn-hongkong: - R81BYOLMGMT: m-j6c55b1lpz95colzzz1y - R81BYOLGW: m-j6c3gd3gcahojs40842v R8110BYOLMGMT: m-j6c5n6p0tkx8clx72qes R8110BYOLGW: m-j6c0x6ugw2012axbdmkn R8120BYOLMGMT: m-j6c2gv0tohwb5otjzbk4 R8120BYOLGW: m-j6cdnsm44k0csckg4cxa ap-southeast-1: - R81BYOLMGMT: m-t4ngdphpnhzw065e30jt - R81BYOLGW: m-t4n99ag8zbinnc7n7xmw R8110BYOLMGMT: m-t4n9x963l2fx13d4mzi8 R8110BYOLGW: m-t4ndsvficp1ukrcpt4as R8120BYOLMGMT: m-t4n3m9t1icbv1ptf8b67 R8120BYOLGW: m-t4nj16t8nnlp7a70214i us-west-1: - R81BYOLMGMT: m-rj95ffd9q3c8u7rpc7v5 - R81BYOLGW: m-rj9eblv5oe0ypm77no86 R8110BYOLMGMT: m-rj9ebcmy6gxp3lzkjnrp R8110BYOLGW: m-rj952h5pzgaecqhg9h6u R8120BYOLMGMT: m-rj92n7t0j5uvmss2dak5 R8120BYOLGW: m-rj99hmyezcyqa0in2us9 us-east-1: - R81BYOLMGMT: m-0xi064illsngi8q7ejln - R81BYOLGW: m-0xiiv7m3m3ex8zai0lq4 R8110BYOLMGMT: m-0xie3j6n8rxa26v6abni R8110BYOLGW: m-0xiebcmy6gxpiyg830vh R8120BYOLMGMT: m-0xihsclzmkgsxpsmfil2 R8120BYOLGW: m-0xickak3e8yimpt90lh9 ap-southeast-2: - R81BYOLMGMT: m-p0w0pl2rajygi6otl2mh - R81BYOLGW: m-p0w78ynl3rpgo1yq43qf R8110BYOLMGMT: m-p0w7z34zl8gl2nmgzo75 R8110BYOLGW: m-p0w2nhgtaqxil6bruwe2 R8120BYOLMGMT: m-p0w2mgbmrn1pq4973ncq R8120BYOLGW: m-p0wd45q8v82grbipwqkw ap-southeast-3: - R81BYOLMGMT: m-8psi42zrfpq57cibgu2b - R81BYOLGW: m-8ps8swns48itw97zsb2i R8110BYOLMGMT: m-8psc710cdd9x9guiajuk R8110BYOLGW: m-8ps6mel7llq3ffzc2txa R8120BYOLMGMT: m-8psc710cdd9x6k9vbn5m R8120BYOLGW: m-8psf1zkz08byz41qrt1r ap-southeast-5: - R81BYOLMGMT: m-k1aajdkea2t5oyxicbu8 - R81BYOLGW: m-k1afqua8zzbgdaosx7sf R8110BYOLMGMT: m-k1ahug645c79svl6tgbp R8110BYOLGW: m-k1a6n0hj1qidjiig80o0 R8120BYOLMGMT: m-k1ahgt585wlm71lmpmg1 R8120BYOLGW: m-k1a20f2u7nspfcja9mfc ap-southeast-6: - R81BYOLMGMT: m-5ts832hgbk52wwnxzjlx - R81BYOLGW: m-5tsf5buudxrwbijypr0v R8110BYOLMGMT: m-5tsa5qwchhf7q22qj685 R8110BYOLGW: m-5tsdw01mce246abvrnes R8120BYOLMGMT: m-5ts5ukwjgsl6t34hx7po R8120BYOLGW: m-5tsa5qwchhf7pw5n70as ap-northeast-1: - R81BYOLMGMT: 
m-6we8l9kvu9shqf3j5v4e - R81BYOLGW: m-6we42rtltap69nckfynw R8110BYOLMGMT: m-6we20qh4jffzabapyyle R8110BYOLGW: m-6wefezctjbied9npzp1n R8120BYOLMGMT: m-6weihbzpoyt5h6i2i42e R8120BYOLGW: m-6we215381e51fkneyv5v eu-central-1: - R81BYOLMGMT: m-gw81j322yjmx03hq26qt - R81BYOLGW: m-gw82fm7sbwj7x6fpj1mn R8110BYOLMGMT: m-gw89gvg18gk6nzo3gxe1 R8110BYOLGW: m-gw8divjg7azjl2ndt34v R8120BYOLMGMT: m-gw8csbodb1ntgbtu653c R8120BYOLGW: m-gw83wxmsb5524ke9f6m7 eu-west-1: - R81BYOLMGMT: m-d7ocob57ud2nqiv9fk8w - R81BYOLGW: m-d7oez9xgn0qg5g815tip R8110BYOLMGMT: m-d7o7nj4f81gs8cyo52jd R8110BYOLGW: m-d7o7nj4f81gsnpfbofnh R8120BYOLMGMT: m-d7o63e77fokjsv4aq4kt R8120BYOLGW: m-d7oj29ec4xx04sr8h61z me-east-1: - R81BYOLMGMT: m-eb35op3wyu89kabry2zw - R81BYOLGW: m-eb35op3wyu89iv0z0nmz R8110BYOLMGMT: m-eb33tyrfiy726a0xlw6g R8110BYOLGW: m-eb30m4ho9mkzfb3xi78i R8120BYOLMGMT: m-eb3bbb1nen46tqmcujmn R8120BYOLGW: m-eb3dphy5uzm33cduxr7i ap-south-1: - R81BYOLMGMT: m-a2d16a0v0ms9mg5xh1nm - R81BYOLGW: m-a2didx39bhgf547thni0 R8110BYOLMGMT: m-a2d4ffz0q8dflg62j0zq R8110BYOLGW: m-a2d9j14yemliag92m9d1 R8120BYOLMGMT: m-a2d1e5s7uy9vv5a6n9cn R8120BYOLGW: m-a2d1e5s7uy9vxvxqa04e ap-southeast-7: - R81BYOLMGMT: m-0jo742iyh0qbzg51b6fd - R81BYOLGW: m-0joian1mgt9qt2lpvfnk R8110BYOLMGMT: m-0jo3qwrwsdx3663is0b4 R8110BYOLGW: m-0jogq1yzljp8ziw4caci R8120BYOLMGMT: m-0jo67k42jvg301wis5ol R8120BYOLGW: m-0jo5t1ypg4zy4h12i9c5 ap-northeast-2: - R81BYOLMGMT: m-mj75cxsn1dhdiqhfc3a0 - R81BYOLGW: m-mj7bybnr5b9gebqrf3xt R8110BYOLMGMT: m-mj7h0j7db1ryrwczg9ef R8110BYOLGW: m-mj73osasl4gyi0zqscr5 R8120BYOLMGMT: m-mj7aktw6610pznjgb16z R8120BYOLGW: m-mj79jylrqomj0fv99s3b cn-qingdao: - R81BYOLMGMT: m-m5e1i33z6ohq98tllukn - R81BYOLGW: m-m5eb1zyo5cjbvte7ovay R8110BYOLMGMT: m-m5eftm32pjq4ghtwcn25 R8110BYOLGW: m-m5ef0hxxec3ws2c2y26b R8120BYOLMGMT: m-m5ebt96quorb2gj7dhku R8120BYOLGW: m-m5eftm32pjq4g9xrwf5o cn-beijing: - R81BYOLMGMT: m-2ze5d2jit72gotjw5d77 - R81BYOLGW: m-2zec8i2qli4cnqfw9e3o R8110BYOLMGMT: m-2zehvbpbae19t51owc0j R8110BYOLGW: 
m-2zeiwvllkl9jybavtmey R8120BYOLMGMT: m-2ze1781062lxfwe35d1p R8120BYOLGW: m-2ze347cq3f6fg3udyb1p cn-zhangjiakou: - R81BYOLMGMT: m-8vb1rjkshxdaynvqbexj - R81BYOLGW: m-8vb1rjkshxdax8kxdzkk R8110BYOLMGMT: m-8vb83tbc4hwpesbvte9d R8110BYOLGW: m-8vbblzj10mzvpnkzdint R8120BYOLMGMT: m-8vbeoj3rrq2tm6o5bhaa R8120BYOLGW: m-8vbd1bffbjhlxjkb0k4i cn-huhehaote: - R81BYOLMGMT: m-hp309790we62uhpo5eed - R81BYOLGW: m-hp3ab2tvfxuar5snxu2r R8110BYOLMGMT: m-hp3h3tzxij7kl9tdrqg2 R8110BYOLGW: m-hp325dwey9rn4tyiyuyu R8120BYOLMGMT: m-hp31ci7e1eeaj062wki0 R8120BYOLGW: m-hp31ci7e1eealqtmjb9n cn-wulanchabu: - R81BYOLMGMT: m-0jlhwuucdujv3wee7m96 - R81BYOLGW: m-0jle5qxpr97s1c64e72k R8110BYOLMGMT: m-0jl54w11sr4odheytky1 R8110BYOLGW: m-0jlbavg2r5fjc4jxypp7 R8120BYOLMGMT: m-0jl54w11sr4oakubuo94 R8120BYOLGW: m-0jlbavg2r5fiwm6736o3 cn-hangzhou: - R81BYOLMGMT: m-bp14kps2wrk6qquv5ok0 - R81BYOLGW: m-bp1aa9u6zcazi4o1hnjh R8110BYOLMGMT: m-bp1dz2nq9fqppcf8smpk R8110BYOLGW: m-bp1hamqhfny1smyl8ql7 R8120BYOLMGMT: m-bp149dep83kgo5p0dw3l R8120BYOLGW: m-bp1gvq0d0413vbnakoqj cn-shanghai: - R81BYOLMGMT: m-uf6cj9tqmxx1bsfmbu45 - R81BYOLGW: m-uf63qkdigbprn96zy3vm R8110BYOLMGMT: m-uf655j7a9r7otwa2xemv R8110BYOLGW: m-uf6idj2b3zt57omxvzbr R8120BYOLMGMT: m-uf62vrhc5bapfoy9lw7n R8120BYOLGW: m-uf6c9vxp1n58y56ep033 cn-shenzhen: - R81BYOLMGMT: m-wz9d9s75jsh11z089uuj - R81BYOLGW: m-wz9czejz43gyhdztsjnr R8110BYOLMGMT: m-wz95gswem9lea2z0d9se R8110BYOLGW: m-wz93e5pwshkmiv35y9ii R8120BYOLMGMT: m-wz9am290ax9js6dfdt5o R8120BYOLGW: m-wz94fs2enyvm6qhx3ged cn-heyuan: - R81BYOLMGMT: m-f8z61z784gwfm1fhxgre - R81BYOLGW: m-f8z7wvp6hhvsvevtpb0j R8110BYOLMGMT: m-f8z5o7741si10yq0piws R8110BYOLGW: m-f8z985hmyc9d8951pr76 R8120BYOLMGMT: m-f8zj0s3cyg3glnlz414g R8120BYOLGW: m-f8z5o7741si10ssxdczf cn-guangzhou: - R81BYOLMGMT: m-7xv95xjo0yd0lg4y1z9p - R81BYOLGW: m-7xv95xjo0yd0k0u54jwr R8110BYOLMGMT: m-7xv4bih29ge5i2je9amd R8110BYOLGW: m-7xv7i7fhzogppdgxa2cc R8120BYOLMGMT: m-7xv3lyr4gpzmp8ei0qgi R8120BYOLGW: m-7xv7i7fhzogp9v36ejbr cn-chengdu: - 
R81BYOLMGMT: m-2vcho1h20xnncjlroavq - R81BYOLGW: m-2vc0m9vq9oty74yz83d4 R8110BYOLMGMT: m-2vc13w2rjk7p9o285gtj R8110BYOLGW: m-2vc13w2rjk7pp0ivotxs R8120BYOLMGMT: m-2vc0nlbyccv29t5ql0oh diff --git a/terraform/aws/autoscale-gwlb/README.md b/terraform/aws/autoscale-gwlb/README.md index a156f3cc..1ca4b595 100755 --- a/terraform/aws/autoscale-gwlb/README.md +++ b/terraform/aws/autoscale-gwlb/README.md 
@@ -116,36 +116,36 @@ secret_key = "my-secret-key" ## Inputs -| Name | Description | Type | Allowed values | Default | Required | -|----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------|----------| -| prefix | (Optional) Instances name prefix | string | n/a | "" | no | -| asg_name | Autoscaling Group name | string | n/a | Check-Point-ASG-tf | no | -| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | -| subnet_ids | List of public subnet IDs to launch resources into. Recommended at least 2 | list(string) | n/a | n/a | yes | -| gateways_provision_address_type | Determines if the gateways are provisioned using their private or public address. | string | - private
- public | private | no | -| allocate_public_IP | Allocate a Public IP for gateway members. | bool | true/false | false | no | -| management_server | The name that represents the Security Management Server in the CME configuration | string | n/a | n/a | yes | -| configuration_template | Name of the provisioning template in the CME configuration | string | n/a | n/a | yes | -| gateway_name | The name tag of the Security Gateways instances | string | n/a | Check-Point-ASG-gateway-tf | no | -| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | -| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | -| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | -| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | -| instances_tags | (Optional) A map of tags as key=value pairs. All tags will be added on all AutoScaling Group instances | map(string) | n/a | {} | no | -| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | -| minimum_group_size | The minimum number of instances in the Auto Scaling group | number | n/a | 2 | no | -| maximum_group_size | The maximum number of instances in the Auto Scaling group | number | n/a | 10 | no | -| target_groups | (Optional) List of Target Group ARNs to associate with the Auto Scaling group | list(string) | n/a | [] | no | -| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | -| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | -| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | -| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components (at least 8 alphanumeric characters) | string | n/a | "12345678" | yes | -| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | -| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | -| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | -| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | -| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | -| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no | +| Name | Description | Type | Allowed values | Default | Required | +|----------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------|------------------| +| prefix | (Optional) Instances name prefix | string | n/a | "" | no | +| asg_name | Autoscaling Group name | string | n/a | Check-Point-ASG-tf | no | +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| subnet_ids | List of public subnet IDs to launch resources into. Recommended at least 2 | list(string) | n/a | n/a | yes | +| gateways_provision_address_type | Determines if the gateways are provisioned using their private or public address. | string | - private
- public | private | no | +| allocate_public_IP | Allocate a Public IP for gateway members. | bool | true/false | false | no | +| management_server | The name that represents the Security Management Server in the CME configuration | string | n/a | n/a | yes | +| configuration_template | Name of the provisioning template in the CME configuration | string | n/a | n/a | yes | +| gateway_name | The name tag of the Security Gateways instances | string | n/a | Check-Point-ASG-gateway-tf | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | +| instances_tags | (Optional) A map of tags as key=value pairs. All tags will be added on all AutoScaling Group instances | map(string) | n/a | {} | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| minimum_group_size | The minimum number of instances in the Auto Scaling group | number | n/a | 2 | no | +| maximum_group_size | The maximum number of instances in the Auto Scaling group | number | n/a | 10 | no | +| target_groups | (Optional) List of Target Group ARNs to associate with the Auto Scaling group | list(string) | n/a | [] | no | +| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components (at least 8 alphanumeric characters) | string | n/a | "12345678" | yes | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | +| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no | ## Outputs | Name | Description | @@ -167,18 +167,20 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 20220414 | First release of Check Point Auto Scaling GWLB Terraform module for AWS | -| 20220606 | New instance type support | -| 20221123 | R81.20 version support | -| 20221226 | Support ASG Launch Template instead of Launch Configuration | -| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | -| 20230806 | Add support for c6in instance type | -| 20230829 | Change default Check Point version to R81.20 | -| 20230914 | Add support for maintenance mode password | -| 20230923 | Add support for C5d instance type | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | -| 20240414 | - Add support for Elastic Load Balancer Health Checks.
- EC2 Auto Scaling will start to detect and act on health checks performed by Elastic Load Balancing. | +| 20240704 | - R80.40 version deprecation.
- R81 version deprecation | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20240417 | - Add support for Elastic Load Balancer Health Checks.
- EC2 Auto Scaling will start to detect and act on health checks performed by Elastic Load Balancing. | +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20221226 | Support ASG Launch Template instead of Launch Configuration | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20220414 | First release of Check Point Auto Scaling GWLB Terraform module for AWS | ## License diff --git a/terraform/aws/autoscale-gwlb/locals.tf b/terraform/aws/autoscale-gwlb/locals.tf index ef1abdf2..2c811532 100755 --- a/terraform/aws/autoscale-gwlb/locals.tf +++ b/terraform/aws/autoscale-gwlb/locals.tf @@ -42,7 +42,6 @@ locals { gateway_SICkey_base64 = base64encode(var.gateway_SICKey) gateway_password_hash_base64 = base64encode(var.gateway_password_hash) maintenance_mode_password_hash_base64 = base64encode(var.gateway_maintenance_mode_password_hash) - is_gwlb_ami = length(regexall(".*R80.40.*", var.gateway_version)) > 0 } resource "null_resource" "tags_as_list_of_maps" { diff --git a/terraform/aws/autoscale-gwlb/main.tf b/terraform/aws/autoscale-gwlb/main.tf index 3c7b7948..67691dca 100755 --- a/terraform/aws/autoscale-gwlb/main.tf +++ b/terraform/aws/autoscale-gwlb/main.tf @@ -7,7 +7,7 @@ provider "aws" { module "amis" { source = "../modules/amis" version_license = var.gateway_version - amis_url = local.is_gwlb_ami == true ? "https://cgi-cfts.s3.amazonaws.com/gwlb/amis-gwlb.yaml" : "https://cgi-cfts.s3.amazonaws.com/utils/amis.yaml" + amis_url = "https://cgi-cfts-staging.s3.amazonaws.com/utils/amis.yaml" } 
@@ -91,28 +91,28 @@ resource "aws_autoscaling_group" "asg" {
health_check_type = "ELB"
tag {
- key = "Name"
- value = format("%s%s", var.prefix != "" ? format("%s-", var.prefix) : "", var.gateway_name)
- propagate_at_launch = true
+ key = "Name"
+ value = format("%s%s", var.prefix != "" ? format("%s-", var.prefix) : "", var.gateway_name)
+ propagate_at_launch = true
}
tag {
- key = "x-chkp-tags"
- value = format("management=%s:template=%s:ip-address=%s", var.management_server, var.configuration_template, var.gateways_provision_address_type)
- propagate_at_launch = true
+ key = "x-chkp-tags"
+ value = format("management=%s:template=%s:ip-address=%s", var.management_server, var.configuration_template, var.gateways_provision_address_type)
+ propagate_at_launch = true
}
tag {
- key = "x-chkp-topology"
- value = "internal"
- propagate_at_launch = true
+ key = "x-chkp-topology"
+ value = "internal"
+ propagate_at_launch = true
}
tag {
- key = "x-chkp-solution"
- value = "autoscale_gwlb"
- propagate_at_launch = true
- }
+ key = "x-chkp-solution"
+ value = "autoscale_gwlb"
+ propagate_at_launch = true
+ }
dynamic "tag" {
for_each = var.instances_tags
diff --git a/terraform/aws/autoscale-gwlb/terraform.tfvars b/terraform/aws/autoscale-gwlb/terraform.tfvars
index 4cced958..4938ae44 100755
--- a/terraform/aws/autoscale-gwlb/terraform.tfvars
+++ b/terraform/aws/autoscale-gwlb/terraform.tfvars
@@ -16,7 +16,7 @@ configuration_template = "tmpl_env1"
// --- EC2 Instances Configuration ---
gateway_name = "asg_gateway"
-gateway_instance_type = "c5.xlarge"
+gateway_instance_type = "c6in.xlarge"
key_name = "publickey"
instances_tags = {
key1 = "value1"
diff --git a/terraform/aws/autoscale-gwlb/variables.tf b/terraform/aws/autoscale-gwlb/variables.tf
index cb1a985c..82e7396a 100644
--- a/terraform/aws/autoscale-gwlb/variables.tf
+++ b/terraform/aws/autoscale-gwlb/variables.tf
@@ -78,7 +78,7 @@ variable "gateway_name" {
variable "gateway_instance_type" {
type = string
description = "The instance type of the Security Gateways"
- default = "c5.xlarge"
+ default = "c6in.xlarge"
}
module "validate_instance_type" {
source = "../modules/common/instance_type"
diff --git a/terraform/aws/autoscale/README.md b/terraform/aws/autoscale/README.md
index eb13ecd4..38d4d034 100755
--- a/terraform/aws/autoscale/README.md
+++ b/terraform/aws/autoscale/README.md
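Review bot: The new default `c6in.xlarge` is not reflected in the autoscale-gwlb README updated by this same commit, whose `gateway_instance_type` row still lists `c5.xlarge` in the Default column, so the module and its documentation now disagree. Update that cell to `c6in.xlarge` (the terraform.tfvars example is already changed to match), or state the default in the variable itself, e.g. `description = "The instance type of the Security Gateways (defaults to c6in.xlarge)"`. The `validate_instance_type` module call that follows starts in this hunk but its body continues outside it, so whether the new default passes its allowed-list check cannot be confirmed from here.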
@@ -125,37 +125,37 @@ secret_key = "my-secret-key" ## Inputs -| Name | Description | Type | Allowed values | Default | Required | -|----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------|----------| -| prefix | (Optional) Instances name prefix | string | n/a | "" | no | -| asg_name | Autoscaling Group name | string | n/a | Check-Point-ASG-tf | no | -| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | -| subnet_ids | List of public subnet IDs to launch resources into. Recommended at least 2 | list(string) | n/a | n/a | yes | -| gateways_provision_address_type | Determines if the gateways are provisioned using their private or public address. | string | - private
- public | private | no | -| management_server | The name that represents the Security Management Server in the CME configuration | string | n/a | n/a | yes | -| configuration_template | Name of the provisioning template in the CME configuration | string | n/a | n/a | yes | -| gateway_name | The name tag of the Security Gateways instances | string | n/a | Check-Point-ASG-gateway-tf | no | -| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | -| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | -| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | -| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | -| instances_tags | (Optional) A map of tags as key=value pairs. All tags will be added on all AutoScaling Group instances | map(string) | n/a | {} | no | -| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | -| minimum_group_size | The minimum number of instances in the Auto Scaling group | number | n/a | 2 | no | -| maximum_group_size | The maximum number of instances in the Auto Scaling group | number | n/a | 10 | no | -| target_groups | (Optional) List of Target Group ARNs to associate with the Auto Scaling group | list(string) | n/a | [] | no | -| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81-BYOL
- R81-PAYG-NGTP
- R81-PAYG-NGTX
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | -| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | -| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | -| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components (at least 8 alphanumeric characters) | string | n/a | "12345678" | yes | -| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | -| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | -| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | -| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | -| proxy_elb_type | Type of ELB to create as an HTTP/HTTPS outbound proxy | string | - none
- internal
- internet-facing | none | no | -| proxy_elb_port | The TCP port on which the proxy will be listening | number | n/a | 8080 | no | -| proxy_elb_clients | The CIDR range of the clients of the proxy | string | n/a | 0.0.0.0/0 | no | -| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no | +| Name | Description | Type | Allowed values | Default | Required | +|----------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------|----------| +| prefix | (Optional) Instances name prefix | string | n/a | "" | no | +| asg_name | Autoscaling Group name | string | n/a | Check-Point-ASG-tf | no | +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| subnet_ids | List of public subnet IDs to launch resources into. Recommended at least 2 | list(string) | n/a | n/a | yes | +| gateways_provision_address_type | Determines if the gateways are provisioned using their private or public address. | string | - private
- public | private | no | +| management_server | The name that represents the Security Management Server in the CME configuration | string | n/a | n/a | yes | +| configuration_template | Name of the provisioning template in the CME configuration | string | n/a | n/a | yes | +| gateway_name | The name tag of the Security Gateways instances | string | n/a | Check-Point-ASG-gateway-tf | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | +| instances_tags | (Optional) A map of tags as key=value pairs. All tags will be added on all AutoScaling Group instances | map(string) | n/a | {} | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| minimum_group_size | The minimum number of instances in the Auto Scaling group | number | n/a | 2 | no | +| maximum_group_size | The maximum number of instances in the Auto Scaling group | number | n/a | 10 | no | +| target_groups | (Optional) List of Target Group ARNs to associate with the Auto Scaling group | list(string) | n/a | [] | no | +| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components (at least 8 alphanumeric characters) | string | n/a | "12345678" | yes | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| proxy_elb_type | Type of ELB to create as an HTTP/HTTPS outbound proxy | string | - none
- internal
- internet-facing | none | no | +| proxy_elb_port | The TCP port on which the proxy will be listening | number | n/a | 8080 | no | +| proxy_elb_clients | The CIDR range of the clients of the proxy | string | n/a | 0.0.0.0/0 | no | +| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no | ## Outputs @@ -179,20 +179,22 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 20200318 | First release of Check Point Auto Scaling Terraform module for AWS | -| 20210309 | AWS Terraform modules refactor | -| 20210329 | Stability fixes | -| 20220606 | New instance type support | -| 20221123 | R81.20 version support | -| 20221226 | Support ASG Launch Template instead of Launch Configuration | -| 20230521 | Change default shell for the admin user to /etc/cli.sh | -| 20230806 | Add support for c6in instance type | -| 20230829 | Change default Check Point version to R81.20 | -| 20230914 | Add support for maintenance mode password | -| 20230923 | Add support for C5d instance type | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | -| 20240414 | - Add support for Elastic Load Balancer Health Checks.
- EC2 Auto Scaling will start to detect and act on health checks performed by Elastic Load Balancing. | +| 20240704 | - R80.40 version deprecation.
- R81 version deprecation. | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20240417 | - Add support for Elastic Load Balancer Health Checks.
- EC2 Auto Scaling will start to detect and act on health checks performed by Elastic Load Balancing. | +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | Change default shell for the admin user to /etc/cli.sh | +| 20221226 | Support ASG Launch Template instead of Launch Configuration | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20210329 | Stability fixes | +| 20210309 | AWS Terraform modules refactor | +| 20200318 | First release of Check Point Auto Scaling Terraform module for AWS | ## License diff --git a/terraform/aws/autoscale/asg_userdata.yaml b/terraform/aws/autoscale/asg_userdata.yaml index ea6de749..4c6633c3 100755 --- a/terraform/aws/autoscale/asg_userdata.yaml +++ b/terraform/aws/autoscale/asg_userdata.yaml 
@@ -1,4 +1,4 @@ #cloud-config runcmd: - | - python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" installationType=\"autoscale\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"autoscale\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" bootstrapScript64=\"${BootstrapScript}\" + python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" installationType=\"autoscale\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20240704\" templateName=\"autoscale\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" bootstrapScript64=\"${BootstrapScript}\" diff --git a/terraform/aws/autoscale/main.tf b/terraform/aws/autoscale/main.tf index dea10eca..68abbfe0 100755 --- a/terraform/aws/autoscale/main.tf +++ b/terraform/aws/autoscale/main.tf 
@@ -91,16 +91,16 @@ resource "aws_autoscaling_group" "asg" { health_check_type = "ELB" tag { - key = "Name" - value = format("%s%s", var.prefix != "" ? format("%s-", var.prefix) : "", var.gateway_name) - propagate_at_launch = true + key = "Name" + value = format("%s%s", var.prefix != "" ? format("%s-", var.prefix) : "", var.gateway_name) + propagate_at_launch = true } tag { - key = "x-chkp-tags" - value = format("management=%s:template=%s:ip-address=%s", var.management_server, var.configuration_template, var.gateways_provision_address_type) - propagate_at_launch = true - } + key = "x-chkp-tags" + value = format("management=%s:template=%s:ip-address=%s", var.management_server, var.configuration_template, var.gateways_provision_address_type) + propagate_at_launch = true + } dynamic "tag" { for_each = var.instances_tags diff --git a/terraform/aws/autoscale/terraform.tfvars b/terraform/aws/autoscale/terraform.tfvars index d513fcd5..d4716480 100755 --- a/terraform/aws/autoscale/terraform.tfvars +++ b/terraform/aws/autoscale/terraform.tfvars @@ -15,7 +15,7 @@ configuration_template = "tmpl_env1" // --- EC2 Instances Configuration --- gateway_name = "asg_gateway" -gateway_instance_type = "c5.xlarge" +gateway_instance_type = "c6in.xlarge" key_name = "publickey" instances_tags = { key1 = "value1" diff --git a/terraform/aws/autoscale/variables.tf b/terraform/aws/autoscale/variables.tf index 81d256ab..2244fcbb 100755 --- a/terraform/aws/autoscale/variables.tf +++ b/terraform/aws/autoscale/variables.tf @@ -66,7 +66,7 @@ variable "gateway_name" { variable "gateway_instance_type" { type = string description = "The instance type of the Security Gateways" - default = "c5.xlarge" + default = "c6in.xlarge" } module "validate_instance_type" { source = "../modules/common/instance_type" diff --git a/terraform/aws/cluster-master/README.md b/terraform/aws/cluster-master/README.md index cfabfd18..7354af59 100755 --- a/terraform/aws/cluster-master/README.md 
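Review bot: The new `default = "c6in.xlarge"` for `gateway_instance_type` contradicts this module's README as rewritten in the same commit: the Inputs table on its new side still shows `c5.xlarge` in the Default column for `gateway_instance_type`. Change that cell to `c6in.xlarge` so the table and `variables.tf` agree, otherwise anyone reading the README will expect a different instance family from the one Terraform actually launches. Since c6in is not offered in every AWS region, a deployment that relied on the old default can now fail at apply time where the new default has no capacity; a short comment on the variable, `# c6in is not available in all regions; override where needed`, would make the trade-off visible. The `module "validate_instance_type"` block after the variable continues outside the hunk, so whether its allowed list includes the new default is not verifiable here.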
+++ b/terraform/aws/cluster-master/README.md @@ -171,7 +171,7 @@ secret_key = "my-secret-key" | metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | | instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances | map(string) | n/a | {} | no | | predefined_role | (Optional) A predefined IAM role to attach to the cluster profile | string | n/a | "" | no | -| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81-BYOL
- R81-PAYG-NGTP
- R81-PAYG-NGTX
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R81.20-PAYG-NGTX | R81.20-BYOL | no | | admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | | gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | | gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | @@ -203,18 +203,19 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|---------------------------------------------------------------------------------------------------------------| -| 20210309 | First release of Check Point Security Cluster Master Terraform module for AWS | -| 20220606 | New instance type support | -| 20221123 | R81.20 version support | -| 20230411 | Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | -| 20230503 | Smart-1 Cloud token validation | -| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | -| 20230806 | Add support for c6in instance type | -| 20230829 | Change default Check Point version to R81.20 | -| 20230914 | Add support for maintenance mode password | -| 20230923 | Add support for C5d instance type | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20240704 | - R80.40 version deprecation.
- R81 version deprecation. | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230503 | Smart-1 Cloud token validation | +| 20230411 | Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20210309 | First release of Check Point Security Cluster Master Terraform module for AWS | ## License diff --git a/terraform/aws/cluster-master/terraform.tfvars b/terraform/aws/cluster-master/terraform.tfvars index 1e7b2c78..491c61dd 100755 --- a/terraform/aws/cluster-master/terraform.tfvars +++ b/terraform/aws/cluster-master/terraform.tfvars @@ -12,7 +12,7 @@ subnets_bit_length = 8 // --- EC2 Instance Configuration --- gateway_name = "Check-Point-Cluster-tf" -gateway_instance_type = "c5.xlarge" +gateway_instance_type = "c6in.xlarge" key_name = "publickey" allocate_and_associate_eip = true volume_size = 100 diff --git a/terraform/aws/cluster-master/variables.tf b/terraform/aws/cluster-master/variables.tf index d1faf72c..af1995e4 100755 --- a/terraform/aws/cluster-master/variables.tf +++ b/terraform/aws/cluster-master/variables.tf @@ -46,7 +46,7 @@ variable "gateway_name" { variable "gateway_instance_type" { type = string description = "The instance type of the Security Gateways" - default = "c5.xlarge" + default = "c6in.xlarge" } module "validate_instance_type" { source = "../modules/common/instance_type" diff --git a/terraform/aws/cluster/README.md b/terraform/aws/cluster/README.md index 073c7fe7..ecb44584 100755 --- a/terraform/aws/cluster/README.md +++ b/terraform/aws/cluster/README.md 
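Review bot: The cluster-master `gateway_instance_type` default is changed to `c6in.xlarge` in `variables.tf`, but the README hunk for this module in the same commit touches only the `gateway_version` row and the version table, so if the Inputs table documents the instance-type default it presumably still says `c5.xlarge` — verify and update it alongside this change. A default-family change is also operationally visible to anyone who left the variable unset, and c6in is not available in every AWS region, so consider the comment `# c6in is not available in all regions; override gateway_instance_type where needed` above the default. The `module "validate_instance_type"` block that follows is cut off by the hunk, so acceptance of the new default by that validator cannot be confirmed from this view.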
@@ -132,37 +132,37 @@ secret_key = "my-secret-key" - In Smart Console: reset SIC with the re-deployed member and install policy ## Inputs -| Name | Description | Type | Allowed values | Default | Required | -|----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| -| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | -| public_subnet_id | The public subnet of the cluster. The cluster's public IPs will be generated from this subnet | string | n/a | n/a | yes | -| private_subnet_id | The private subnet of the cluster. The cluster's private IPs will be generated from this subnet | string | n/a | n/a | yes | -| private_route_table | (Optional) Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route | string | n/a | "" | no | -| gateway_name | (Optional) The name tag of the Security Gateway instances | string | n/a | Check-Point-Cluster-tf | no | -| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | -| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | -| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with each cluster member, in addition to the shared cluster Elastic IP | bool | true/false | true | no | -| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | -| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | -| enable_instance_connect | Enable AWS Instance Connect. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | -| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | -| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | -| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances | map(string) | n/a | {} | no | -| predefined_role | (Optional) A predefined IAM role to attach to the cluster profile | string | n/a | "" | no | -| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81-BYOL
- R81-PAYG-NGTP
- R81-PAYG-NGTX
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | -| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | -| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | no | -| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | -| memberAToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | -| memberBToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | -| resources_tag_name | (Optional) Name tag prefix of the resources | string | n/a | "" | no | -| gateway_hostname | (Optional) The host name will be appended with member-a/b accordingly. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | -| allow_upload_download | Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point | bool | true/false | true | no | -| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | -| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | -| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | -| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | -| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no | +| Name | Description | Type | Allowed values | Default | Required | 
+|----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|-----------| +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| public_subnet_id | The public subnet of the cluster. The cluster's public IPs will be generated from this subnet | string | n/a | n/a | yes | +| private_subnet_id | The private subnet of the cluster. The cluster's private IPs will be generated from this subnet | string | n/a | n/a | yes | +| private_route_table | (Optional) Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route | string | n/a | "" | no | +| gateway_name | (Optional) The name tag of the Security Gateway instances | string | n/a | Check-Point-Cluster-tf | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | +| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with each cluster member, in addition to the shared cluster Elastic IP | bool | true/false | true | no | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | +| enable_instance_connect | Enable AWS Instance Connect. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances | map(string) | n/a | {} | no | +| predefined_role | (Optional) A predefined IAM role to attach to the cluster profile | string | n/a | "" | no | +| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | no | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| memberAToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| memberBToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| resources_tag_name | (Optional) Name tag prefix of the resources | string | n/a | "" | no | +| gateway_hostname | (Optional) The host name will be appended with member-a/b accordingly. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | +| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | +| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no | ## Outputs | Name | Description | @@ -181,20 +181,20 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|---------------------------------------------------------------------------------------------------------------| -| 20210309 | First release of Check Point Security Cluster Terraform module for AWS | -| 20220606 | New instance type support | -| 20221123 | R81.20 version support | -| 20230411 | Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | -| 20230503 | Smart-1 Cloud token validation | -| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | -| 20230806 | Add support for c6in instance type | -| 20230829 | Change default Check Point version to R81.20 | -| 20230914 | Add support for maintenance mode password | -| 20230923 | Add support for C5d instance type | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | -| 20240304 | Add x-chkp-cluster-ips, x-chkp-member-ips tags to cluster members | +| 20240704 | - R80.40 version deprecation.
- R81 version deprecation. | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | - +| 20240304 | Add x-chkp-cluster-ips, x-chkp-member-ips tags to cluster members | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230503 | Smart-1 Cloud token validation | +| 20230411 | Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20210309 | First release of Check Point Security Cluster Terraform module for AWS | ## License diff --git a/terraform/aws/cluster/cluster_member_a_userdata.yaml b/terraform/aws/cluster/cluster_member_a_userdata.yaml index 6329e2cf..1fa105c0 100755 --- a/terraform/aws/cluster/cluster_member_a_userdata.yaml +++ b/terraform/aws/cluster/cluster_member_a_userdata.yaml 
@@ -1,4 +1,4 @@ #cloud-config runcmd: - | - python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenA}\"" installationType=\"cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" elasticIp=\"${MemberAPublicAddress}\" templateVersion=\"20231012\" templateName=\"cluster\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" allocatePublicAddress=\"${AllocateAddress}\" bootstrapScript64=\"${GatewayBootstrapScript}\" \ No newline at end of file + python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenA}\"" installationType=\"cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" elasticIp=\"${MemberAPublicAddress}\" templateVersion=\"20240704\" templateName=\"cluster\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" allocatePublicAddress=\"${AllocateAddress}\" bootstrapScript64=\"${GatewayBootstrapScript}\" \ No newline at end of file diff --git a/terraform/aws/cluster/terraform.tfvars b/terraform/aws/cluster/terraform.tfvars index 179fe10b..ea7aa4d9 100755 --- a/terraform/aws/cluster/terraform.tfvars +++ b/terraform/aws/cluster/terraform.tfvars @@ -8,7 +8,7 @@ private_route_table = "rtb-12345678" // --- EC2 Instance Configuration --- gateway_name = "Check-Point-Cluster-tf" -gateway_instance_type = "c5.xlarge" +gateway_instance_type = "c6in.xlarge" key_name = "publickey" allocate_and_associate_eip = true volume_size = 100 
diff --git a/terraform/aws/cluster/variables.tf b/terraform/aws/cluster/variables.tf index 1b515744..af28f15c 100755 --- a/terraform/aws/cluster/variables.tf +++ b/terraform/aws/cluster/variables.tf @@ -44,7 +44,7 @@ variable "gateway_name" { variable "gateway_instance_type" { type = string description = "The instance type of the Security Gateways" - default = "c5.xlarge" + default = "c6in.xlarge" } module "validate_instance_type" { source = "../modules/common/instance_type" diff --git a/terraform/aws/cme-iam-role-gwlb/README.md b/terraform/aws/cme-iam-role-gwlb/README.md index 2d6e639b..ae261614 100644 --- a/terraform/aws/cme-iam-role-gwlb/README.md +++ b/terraform/aws/cme-iam-role-gwlb/README.md @@ -89,12 +89,11 @@ secret_key = "my-secret-key" ## Revision History In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) -| Template Version | Description | -|------------------|-------------------------------------------------------------------| -| 20230926 | CME instance profile for IAM Role | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | -| 20240507 | Add ec2:DescribeRegions read permission to the IAM role policy | - +| Template Version | Description | +|------------------|--------------------------------------------------------------------| +| 20240507 | Add ec2:DescribeRegions read permission to the IAM role policy | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230926 | CME instance profile for IAM Role | ## License diff --git a/terraform/aws/cme-iam-role/README.md b/terraform/aws/cme-iam-role/README.md index 203326cb..bc7f0f58 100755 --- a/terraform/aws/cme-iam-role/README.md +++ b/terraform/aws/cme-iam-role/README.md 
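Review bot: The new default `default = "c6in.xlarge"` for `gateway_instance_type` is not reflected in this commit's cluster README, whose rewritten Inputs table still lists `c5.xlarge` as the default in the `gateway_instance_type` row; the docs and the variable now disagree. The README row's default cell should read `| c6in.xlarge | no |` so operators relying on the table get the value the module actually applies. The `terraform.tfvars` hunk above was updated consistently, so only the README is out of step. The same default change appears in the cross-az-cluster-master `variables.tf` hunk; its README Inputs table is not visible here, but it presumably needs the same correction.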
@@ -91,11 +91,10 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|--------------------------------------------------------------------| -| 20210309 | First release of Check Point CME IAM Role Terraform module for AWS | -| 20230514 | CME instance profile for IAM Role | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | | 20240507 | Add ec2:DescribeRegions read permission to the IAM role policy | - +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230514 | CME instance profile for IAM Role | +| 20210309 | First release of Check Point CME IAM Role Terraform module for AWS | ## License diff --git a/terraform/aws/cross-az-cluster-master/README.md b/terraform/aws/cross-az-cluster-master/README.md index 9209ec51..ce475b0d 100755 --- a/terraform/aws/cross-az-cluster-master/README.md +++ b/terraform/aws/cross-az-cluster-master/README.md @@ -202,17 +202,17 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 20221123 | First release of Check Point Security Cross AZ Cluster Master Terraform module for AWS | -| 20221123 | Changed default version and added instances types | -| 20221123 | R81.20 version support | -| 20230411 | - Improved deployment experience for gateways and clusters managed by Smart-1 Cloud
- Multiple VIPs support for Cross Availability Zone Cluster. For more details refer to the [Cross Availability Zone Cluster for AWS R81.20 Administration Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/Content/Topics-AWS-CrossAZ-Cluster-AG/Check-Point-CloudGuard-for-AWS.htm) -> "Deploying Cross AZ Cluster with multiple VIPs" section. | -| 20230503 | Smart-1 Cloud token validation | -| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | -| 20230806 | Add support for c6in instance type | -| 20230914 | Add support for maintenance mode password | -| 20230923 | Add support for C5d instance type | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230503 | Smart-1 Cloud token validation | +| 20230411 | - Improved deployment experience for gateways and clusters managed by Smart-1 Cloud
- Multiple VIPs support for Cross Availability Zone Cluster. For more details refer to the [Cross Availability Zone Cluster for AWS R81.20 Administration Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/Content/Topics-AWS-CrossAZ-Cluster-AG/Check-Point-CloudGuard-for-AWS.htm) -> "Deploying Cross AZ Cluster with multiple VIPs" section. | +| 20221123 | R81.20 version support | +| 20221123 | Changed default version and added instances types | +| 20221123 | First release of Check Point Security Cross AZ Cluster Master Terraform module for AWS | ## License diff --git a/terraform/aws/cross-az-cluster-master/terraform.tfvars b/terraform/aws/cross-az-cluster-master/terraform.tfvars index 28cb64a3..a658cb8b 100755 --- a/terraform/aws/cross-az-cluster-master/terraform.tfvars +++ b/terraform/aws/cross-az-cluster-master/terraform.tfvars @@ -14,7 +14,7 @@ subnets_bit_length = 8 // --- EC2 Instance Configuration --- gateway_name = "Check-Point-Cluster-tf" -gateway_instance_type = "c5.xlarge" +gateway_instance_type = "c6in.xlarge" key_name = "publickey" volume_size = 100 volume_encryption = "alias/aws/ebs" diff --git a/terraform/aws/cross-az-cluster-master/variables.tf b/terraform/aws/cross-az-cluster-master/variables.tf index d49cf50c..783f77ff 100755 --- a/terraform/aws/cross-az-cluster-master/variables.tf +++ b/terraform/aws/cross-az-cluster-master/variables.tf @@ -46,7 +46,7 @@ variable "gateway_name" { variable "gateway_instance_type" { type = string description = "The instance type of the Security Gateways" - default = "c5.xlarge" + default = "c6in.xlarge" } module "validate_instance_type" { source = "../modules/common/instance_type" diff --git a/terraform/aws/cross-az-cluster/README.md b/terraform/aws/cross-az-cluster/README.md index f473732d..ed0737da 100755 --- a/terraform/aws/cross-az-cluster/README.md +++ b/terraform/aws/cross-az-cluster/README.md 
@@ -178,18 +178,18 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 20221123 | First release of Check Point Security Cross AZ Cluster Terraform module for AWS | -| 20221123 | Changed default version and added instances types | -| 20221123 | R81.20 version support | -| 20230411 | - Improved deployment experience for gateways and clusters managed by Smart-1 Cloud
- Multiple VIPs support for Cross Availability Zone Cluster. For more details refer to the [Cross Availability Zone Cluster for AWS R81.20 Administration Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/Content/Topics-AWS-CrossAZ-Cluster-AG/Check-Point-CloudGuard-for-AWS.htm) -> "Deploying Cross AZ Cluster with multiple VIPs" section. | -| 20230503 | Smart-1 Cloud token validation | -| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | -| 20230806 | Add support for c6in instance type | -| 20230914 | Add support for maintenance mode password | -| 20230923 | Add support for C5d instance type | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | -| 20240304 | Add x-chkp-cluster-ips, x-chkp-member-ips tags to cluster members | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20240304 | Add x-chkp-cluster-ips, x-chkp-member-ips tags to cluster members | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230503 | Smart-1 Cloud token validation | +| 20230411 | - Improved deployment experience for gateways and clusters managed by Smart-1 Cloud
- Multiple VIPs support for Cross Availability Zone Cluster. For more details refer to the [Cross Availability Zone Cluster for AWS R81.20 Administration Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/Content/Topics-AWS-CrossAZ-Cluster-AG/Check-Point-CloudGuard-for-AWS.htm) -> "Deploying Cross AZ Cluster with multiple VIPs" section. | +| 20221123 | R81.20 version support | +| 20221123 | Changed default version and added instances types | +| 20221123 | First release of Check Point Security Cross AZ Cluster Terraform module for AWS | ## License diff --git a/terraform/aws/cross-az-cluster/cluster_member_a_userdata.yaml b/terraform/aws/cross-az-cluster/cluster_member_a_userdata.yaml index 1a3095e2..f9a926c5 100755 --- a/terraform/aws/cross-az-cluster/cluster_member_a_userdata.yaml +++ b/terraform/aws/cross-az-cluster/cluster_member_a_userdata.yaml 
@@ -1,4 +1,4 @@ #cloud-config runcmd: - | - python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenA}\"" installationType=\"cross-az-cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"cross_az_cluster\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" elasticIp=\"${MemberAPublicAddress}\" otherMemberIp=\"${MemberBPrivateAddressCluster}\" clusterIp=\"${PublicAddressCluster}\" secondaryIp=\"${MemberAPrivateAddressSecondary}\" otherMemberPrivateClusterIp=\"${MemberBPrivateAddressSecondary}\" bootstrapScript64=\"${GatewayBootstrapScript}\" \ No newline at end of file + python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenA}\"" installationType=\"cross-az-cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20240310\" templateName=\"cross_az_cluster\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" elasticIp=\"${MemberAPublicAddress}\" otherMemberIp=\"${MemberBPrivateAddressCluster}\" clusterIp=\"${PublicAddressCluster}\" secondaryIp=\"${MemberAPrivateAddressSecondary}\" otherMemberPrivateClusterIp=\"${MemberBPrivateAddressSecondary}\" bootstrapScript64=\"${GatewayBootstrapScript}\" \ No newline at end of file diff --git a/terraform/aws/cross-az-cluster/cluster_member_b_userdata.yaml b/terraform/aws/cross-az-cluster/cluster_member_b_userdata.yaml index 9ec9d23a..a374aaa6 100755 
--- a/terraform/aws/cross-az-cluster/cluster_member_b_userdata.yaml +++ b/terraform/aws/cross-az-cluster/cluster_member_b_userdata.yaml @@ -1,4 +1,4 @@ #cloud-config runcmd: - | - python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenB}\"" installationType=\"cross-az-cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"cross_az_cluster\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" elasticIp=\"${MemberBPublicAddress}\" otherMemberIp=\"${MemberAPrivateAddressCluster}\" clusterIp=\"${PublicAddressCluster}\" secondaryIp=\"${MemberBPrivateAddressSecondary}\" otherMemberPrivateClusterIp=\"${MemberAPrivateAddressSecondary}\" bootstrapScript64=\"${GatewayBootstrapScript}\" \ No newline at end of file + python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenB}\"" installationType=\"cross-az-cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20240310\" templateName=\"cross_az_cluster\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" elasticIp=\"${MemberBPublicAddress}\" otherMemberIp=\"${MemberAPrivateAddressCluster}\" clusterIp=\"${PublicAddressCluster}\" secondaryIp=\"${MemberBPrivateAddressSecondary}\" otherMemberPrivateClusterIp=\"${MemberAPrivateAddressSecondary}\" bootstrapScript64=\"${GatewayBootstrapScript}\" \ No newline at end of file 
diff --git a/terraform/aws/cross-az-cluster/terraform.tfvars b/terraform/aws/cross-az-cluster/terraform.tfvars index 8c6aff9b..6823b86f 100755 --- a/terraform/aws/cross-az-cluster/terraform.tfvars +++ b/terraform/aws/cross-az-cluster/terraform.tfvars @@ -8,7 +8,7 @@ private_route_table = "rtb-12345678" // --- EC2 Instance Configuration --- gateway_name = "Check-Point-Cluster-tf" -gateway_instance_type = "c5.xlarge" +gateway_instance_type = "c6in.xlarge" key_name = "publickey" volume_size = 100 volume_encryption = "alias/aws/ebs" diff --git a/terraform/aws/cross-az-cluster/variables.tf b/terraform/aws/cross-az-cluster/variables.tf index c2d66839..e32d7e96 100755 --- a/terraform/aws/cross-az-cluster/variables.tf +++ b/terraform/aws/cross-az-cluster/variables.tf @@ -44,7 +44,7 @@ variable "gateway_name" { variable "gateway_instance_type" { type = string description = "The instance type of the Security Gateways" - default = "c5.xlarge" + default = "c6in.xlarge" } module "validate_instance_type" { source = "../modules/common/instance_type" diff --git a/terraform/aws/gateway-master/README.md b/terraform/aws/gateway-master/README.md index e6f56bec..00594f44 100755 --- a/terraform/aws/gateway-master/README.md +++ b/terraform/aws/gateway-master/README.md @@ -161,7 +161,7 @@ secret_key = "my-secret-key" | disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | | metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | | instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Security Gateway EC2 Instance | map(string) | n/a | {} | no | -| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81-BYOL
- R81-PAYG-NGTP
- R81-PAYG-NGTX
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R81.20-PAYG-NGTX | R81.20-BYOL | no | | admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | | gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | | gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | @@ -198,18 +198,19 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|---------------------------------------------------------------------------------------------------------------| -| 20210309 | First release of Check Point Security Gateway Master Terraform module for AWS | -| 20220606 | New instance type support | -| 20221123 | R81.20 version support | -| 20230411 | Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | -| 20230503 | Smart-1 Cloud token validation | -| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | -| 20230806 | Add support for c6in instance type | -| 20230829 | Change default Check Point version to R81.20 | -| 20230914 | Add support for maintenance mode password | -| 20230923 | Add support for C5d instance type | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20240704 | - R80.40 version deprecation.
- R81 version deprecation. | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230503 | Smart-1 Cloud token validation | +| 20230411 | Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20210309 | First release of Check Point Security Gateway Master Terraform module for AWS | ## License diff --git a/terraform/aws/gateway-master/terraform.tfvars b/terraform/aws/gateway-master/terraform.tfvars index a8eb1d58..f42c018e 100755 --- a/terraform/aws/gateway-master/terraform.tfvars +++ b/terraform/aws/gateway-master/terraform.tfvars @@ -12,7 +12,7 @@ subnets_bit_length = 8 // --- EC2 Instance Configuration --- gateway_name = "Check-Point-Gateway-tf" -gateway_instance_type = "c5.xlarge" +gateway_instance_type = "c6in.xlarge" key_name = "publickey" allocate_and_associate_eip = true volume_size = 100 diff --git a/terraform/aws/gateway-master/variables.tf b/terraform/aws/gateway-master/variables.tf index 1c00c4f3..61e7389c 100755 --- a/terraform/aws/gateway-master/variables.tf +++ b/terraform/aws/gateway-master/variables.tf @@ -46,7 +46,7 @@ variable "gateway_name" { variable "gateway_instance_type" { type = string description = "The instance type of the Security Gateway" - default = "c5.xlarge" + default = "c6in.xlarge" } module "validate_instance_type" { source = "../modules/common/instance_type" diff --git a/terraform/aws/gateway/README.md b/terraform/aws/gateway/README.md index 0ee957ff..fefc7512 100755 --- a/terraform/aws/gateway/README.md +++ b/terraform/aws/gateway/README.md 
@@ -123,38 +123,38 @@ secret_key = "my-secret-key" ## Inputs -| Name | Description | Type | Allowed values | Default | Required | -|------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------|----------| -| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | -| public_subnet_id | The public subnet of the security gateway | string | n/a | n/a | yes | -| private_subnet_id | The private subnet of the security gateway | string | n/a | n/a | yes | -| private_route_table | Sets '0.0.0.0/0' route to the Gateway instance in the specified route table (e.g. rtb-12a34567) | string | n/a | "" | no | -| gateway_name | (Optional) The name tag of the Security Gateway instance | string | n/a | Check-Point-Gateway-tf | no | -| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | -| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | -| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with the launched instance | bool | true/false | true | no | -| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | -| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | -| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | -| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | -| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | -| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Security Gateway EC2 Instance | map(string) | n/a | {} | no | -| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81-BYOL
- R81-PAYG-NGTP
- R81-PAYG-NGTX
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | -| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | -| gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | -| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | -| gateway_TokenKey | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | -| resources_tag_name | (optional) | string | n/a | "" | no | -| gateway_hostname | (Optional) Security Gateway prompt hostname. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | -| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | -| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | -| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | -| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | -| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | -| control_gateway_over_public_or_private_address | Determines if the Security Gateway is provisioned using its private or public address | string | - public
- private | private | no | -| management_server | (Optional) The name that represents the Security Management Server in the automatic provisioning configuration | string | n/a | "" | no | -| configuration_template | (Optional) A name of a Security Gateway configuration template in the automatic provisioning configuration | string | n/a | "" | no | -| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no | +| Name | Description | Type | Allowed values | Default | Required | +|------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| public_subnet_id | The public subnet of the security gateway | string | n/a | n/a | yes | +| private_subnet_id | The private subnet of the security gateway | string | n/a | n/a | yes | +| private_route_table | Sets '0.0.0.0/0' route to the Gateway instance in the specified route table (e.g. 
rtb-12a34567) | string | n/a | "" | no | +| gateway_name | (Optional) The name tag of the Security Gateway instance | string | n/a | Check-Point-Gateway-tf | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | +| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with the launched instance | bool | true/false | true | no | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Security Gateway EC2 Instance | map(string) | n/a | {} | no | +| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateway_TokenKey | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| resources_tag_name | (optional) | string | n/a | "" | no | +| gateway_hostname | (Optional) Security Gateway prompt hostname. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | +| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | +| control_gateway_over_public_or_private_address | Determines if the Security Gateway is provisioned using its private or public address | string | - public
- private | private | no | +| management_server | (Optional) The name that represents the Security Management Server in the automatic provisioning configuration | string | n/a | "" | no | +| configuration_template | (Optional) A name of a Security Gateway configuration template in the automatic provisioning configuration | string | n/a | "" | no | +| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no | ## Outputs @@ -173,18 +173,19 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|---------------------------------------------------------------------------------------------------------------| -| 20210309 | First release of Check Point Security Gateway Terraform module for AWS | -| 20220606 | New instance type support | -| 20221123 | R81.20 version support | -| 20230411 | Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | -| 20230503 | Smart-1 Cloud token validation | -| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | -| 20230806 | Add support for c6in instance type | -| 20230829 | Change default Check Point version to R81.20 | -| 20230914 | Add support for maintenance mode password | -| 20230923 | Add support for C5d instance type | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20240704 | - R80.40 version deprecation.
- R81 version deprecation. | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230503 | Smart-1 Cloud token validation | +| 20230411 | Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20210309 | First release of Check Point Security Gateway Terraform module for AWS | ## License diff --git a/terraform/aws/gateway/terraform.tfvars b/terraform/aws/gateway/terraform.tfvars index 02b1f781..a6414963 100755 --- a/terraform/aws/gateway/terraform.tfvars +++ b/terraform/aws/gateway/terraform.tfvars @@ -8,7 +8,7 @@ private_route_table = "rtb-12345678" // --- EC2 Instance Configuration --- gateway_name = "Check-Point-Gateway-tf" -gateway_instance_type = "c5.xlarge" +gateway_instance_type = "c6in.xlarge" key_name = "publickey" allocate_and_associate_eip = true volume_size = 100 diff --git a/terraform/aws/gateway/variables.tf b/terraform/aws/gateway/variables.tf index 7d32ab1a..f06d4b05 100755 --- a/terraform/aws/gateway/variables.tf +++ b/terraform/aws/gateway/variables.tf @@ -44,7 +44,7 @@ variable "gateway_name" { variable "gateway_instance_type" { type = string description = "The instance type of the Security Gateway" - default = "c5.xlarge" + default = "c6in.xlarge" } module "validate_instance_type" { source = "../modules/common/instance_type" diff --git a/terraform/aws/gwlb-master/README.md b/terraform/aws/gwlb-master/README.md index 4fcdeaa2..c84a3ee7 100755 --- a/terraform/aws/gwlb-master/README.md +++ b/terraform/aws/gwlb-master/README.md 
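Review bot: The default for `gateway_instance_type` in terraform/aws/gateway/variables.tf moves to `c6in.xlarge` here, but the new side of terraform/aws/gateway/README.md rewritten in this same commit still documents that input's Default column as `c5.xlarge`, so the module and its README now disagree; the row should end `| c6in.xlarge | no |`. The gateway-master and cross-az-cluster variables.tf hunks make the same default change, and their README Inputs rows for gateway_instance_type are not visible in this patch, so they likely need the same correction. The `module "validate_instance_type"` block that follows the variable continues outside the hunk, so whether the new default is covered by that validation cannot be confirmed from here.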
@@ -157,48 +157,47 @@ secret_key = "my-secret-key" ``` ## Inputs -| Name | Description | Type | Allowed values | Default | Required | -|-------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|----------| -| vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | -| public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | -| subnets_bit_length | Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20 | number | n/a | n/a | yes | -| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | -| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | -| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | -| disable_instance_termination | Prevents an instance from accidental termination. 
Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | -| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | -| volume_size | Instances volume size | number | n/a | 100 | no | -| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | -| management_server | The name that represents the Security Management Server in the automatic provisioning configuration. | string | n/a | CP-Management-gwlb-tf | yes | -| configuration_template | The tag is used by the Security Management Server to automatically provision the Security Gateways. Must be up to 12 alphanumeric characters and unique for each Quick Start deployment | string | n/a | gwlb-configuration | no | -| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | -| gateway_load_balancer_name | Load Balancer name in AWS | string | n/a | gwlb1 | yes | -| target_group_name | Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. | string | n/a | tg1 | yes | -| connection_acceptance_required | Indicate whether requests from service consumers to create an endpoint to your service must be accepted. Default is set to false(acceptance not required). | bool | true/false | false | yes | -| enable_cross_zone_load_balancing | Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges. | bool | true/false | true | yes | -| gateway_name | The name tag of the Security Gateway instances. (optional) | string | n/a | Check-Point-GW-tf | yes | -| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | -| gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | -| gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | -| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | -| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | -| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | -| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | -| gateway_bootstrap_script | (Optional) An optional script with semicolon (;) separated commands to run on the initial boot | string | n/ a | "" | no | -| gateways_provision_address_type | Determines if the gateways are provisioned using their private or public address. | string | - private
- public | private | no | -| allocate_public_IP | Allocate a Public IP for gateway members. | bool | true/false | false | no | -| management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | -| management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | -| management_version | The license to install on the Security Management Server | string | - R80.40-BYOL
- R80.40-PAYG
- R81-BYOL
- R81-PAYG
- R81.10-BYOL
- R81.10-PAYG | R81.20-BYOL | no | -| management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | -| gateways_policy | The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group | string | n/a | Standard | no | -| gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. | string | - Locally managed
- Over the internet | Locally managed | no | -| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | -| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | -| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | -| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | -| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | - +| Name | Description | Type | Allowed values | Default | Required | +|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|----------| +| vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | +| public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | +| subnets_bit_length | Number of additional bits with which to extend the vpc cidr. 
For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20 | number | n/a | n/a | yes | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| volume_size | Instances volume size | number | n/a | 100 | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| management_server | The name that represents the Security Management Server in the automatic provisioning configuration. | string | n/a | CP-Management-gwlb-tf | yes | +| configuration_template | The tag is used by the Security Management Server to automatically provision the Security Gateways. Must be up to 12 alphanumeric characters and unique for each Quick Start deployment | string | n/a | gwlb-configuration | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_load_balancer_name | Load Balancer name in AWS | string | n/a | gwlb1 | yes | +| target_group_name | Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. | string | n/a | tg1 | yes | +| connection_acceptance_required | Indicate whether requests from service consumers to create an endpoint to your service must be accepted. Default is set to false(acceptance not required). | bool | true/false | false | yes | +| enable_cross_zone_load_balancing | Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges. | bool | true/false | true | yes | +| gateway_name | The name tag of the Security Gateway instances. (optional) | string | n/a | Check-Point-GW-tf | yes | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | +| gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | +| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) An optional script with semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| gateways_provision_address_type | Determines if the gateways are provisioned using their private or public address. | string | - private
- public | private | no | +| allocate_public_IP | Allocate a Public IP for gateway members. | bool | true/false | false | no | +| management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | +| management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | +| management_version | The license to install on the Security Management Server | string | - R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG | R81.20-BYOL | no | +| management_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| gateways_policy | The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group | string | n/a | Standard | no | +| gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. | string | - Locally managed
- Over the internet | Locally managed | no | +| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | +| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | ## Outputs | Name | Description | 
@@ -217,18 +216,19 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|---------------------------------------------------------------------------------------------| -| 20220414 | First release of Check Point CloudGuard Network Gateway Load Balancer master module for AWS | -| 20220606 | New instance type support | -| 20221123 | R81.20 version support | -| 20221215 | Support ASG Launch Template instead of Launch Configuration | -| 20230521 | Change default shell for the admin user to /etc/cli.sh | -| 20230806 | Add support for c6in instance type | -| 20230829 | Change default Check Point version to R81.20 | -| 20230910 | Add bootstrap script execution option for deployed gateways | -| 20230914 | Add support for maintenance mode password | -| 20230923 | Add support for C5d instance type | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20240704 | R80.40 version deprecation | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230910 | Add bootstrap script execution option for deployed gateways | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | Change default shell for the admin user to /etc/cli.sh | +| 20221215 | Support ASG Launch Template instead of Launch Configuration | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20220414 | First release of Check Point CloudGuard Network Gateway Load Balancer master module for AWS | ## License diff --git a/terraform/aws/gwlb-master/terraform.tfvars b/terraform/aws/gwlb-master/terraform.tfvars index f0f13c92..d5e1c853 100755 --- a/terraform/aws/gwlb-master/terraform.tfvars 
+++ b/terraform/aws/gwlb-master/terraform.tfvars @@ -28,7 +28,7 @@ enable_cross_zone_load_balancing = "true" // --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration --- gateway_name = "Check-Point-GW-tf" -gateway_instance_type = "c5.xlarge" +gateway_instance_type = "c6in.xlarge" minimum_group_size = 2 maximum_group_size = 10 gateway_version = "R81.20-BYOL" diff --git a/terraform/aws/gwlb-master/variables.tf b/terraform/aws/gwlb-master/variables.tf index fd72c46c..bf51e406 100755 --- a/terraform/aws/gwlb-master/variables.tf +++ b/terraform/aws/gwlb-master/variables.tf @@ -135,7 +135,7 @@ variable "gateway_name" { variable "gateway_instance_type" { type = string description = "The EC2 instance type for the Security Gateways." - default = "c5.xlarge" + default = "c6in.xlarge" } module "validate_instance_type" { source = "../modules/common/instance_type" diff --git a/terraform/aws/gwlb/README.md b/terraform/aws/gwlb/README.md index 4363e8c9..46a142c0 100755 --- a/terraform/aws/gwlb/README.md +++ b/terraform/aws/gwlb/README.md @@ -172,7 +172,7 @@ secret_key = "my-secret-key" | gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | | gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | | gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | -| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R81.20-PAYG-NGTX | R81.20-BYOL | no | | gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | | gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | | enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | @@ -181,7 +181,7 @@ secret_key = "my-secret-key" | allocate_public_IP | Allocate a Public IP for gateway members. | bool | true/false | false | no | | management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | | management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | -| management_version | The license to install on the Security Management Server | string | - R80.40-BYOL
- R80.40-PAYG
- R81-BYOL
- R81-PAYG
- R81.10-BYOL
- R81.10-PAYG | R81.20-BYOL | no | +| management_version | The license to install on the Security Management Server | string | - R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG | R81.20-BYOL | no | | management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | | gateways_policy | The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group | string | n/a | Standard | no | | gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. | string | - Locally managed
- Over the internet | Locally managed | no | 
@@ -208,20 +208,22 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|---------------------------------------------------------------------------------------| -| 20220414 | First release of Check Point CloudGuard Network Gateway Load Balancer module for AWS | -| 20220523 | Add support for cross zone load balancing | -| 20220606 | New instance type support | -| 20221123 | R81.20 version support | -| 20221226 | Support ASG Launch Template instead of Launch Configuration | -| 20230521 | Change default shell for the admin user to /etc/cli.sh | -| 20230806 | Add support for c6in instance type | -| 20230829 | Change default Check Point version to R81.20 | -| 20230910 | Add bootstrap script execution option for deployed gateways | -| 20230914 | Add support for maintenance mode password | -| 20230923 | Add support for C5d instance type | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | -| 20231022 | Fixed template to populate x-chkp-tags correctly | +| 20240704 | R80.40 version deprecation | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231022 | Fixed template to populate x-chkp-tags correctly | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230910 | Add bootstrap script execution option for deployed gateways | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | Change default shell for the admin user to /etc/cli.sh | +| 20221226 | Support ASG Launch Template instead of Launch Configuration | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20220523 | Add support for cross zone load 
balancing | +| 20220414 | First release of Check Point CloudGuard Network Gateway Load Balancer module for AWS | ## License diff --git a/terraform/aws/gwlb/terraform.tfvars b/terraform/aws/gwlb/terraform.tfvars index 0e26ad11..daffb3e2 100755 --- a/terraform/aws/gwlb/terraform.tfvars +++ b/terraform/aws/gwlb/terraform.tfvars @@ -24,7 +24,7 @@ enable_cross_zone_load_balancing = "true" // --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration --- gateway_name = "Check-Point-GW-tf" -gateway_instance_type = "c5.xlarge" +gateway_instance_type = "c6in.xlarge" minimum_group_size = 2 maximum_group_size = 10 gateway_version = "R81.20-BYOL" diff --git a/terraform/aws/gwlb/variables.tf b/terraform/aws/gwlb/variables.tf index 5f099c6c..834842c2 100755 --- a/terraform/aws/gwlb/variables.tf +++ b/terraform/aws/gwlb/variables.tf @@ -124,7 +124,7 @@ variable "gateway_name" { variable "gateway_instance_type" { type = string description = "The EC2 instance type for the Security Gateways." - default = "c5.xlarge" + default = "c6in.xlarge" } module "validate_instance_type" { source = "../modules/common/instance_type" diff --git a/terraform/aws/management/README.md b/terraform/aws/management/README.md index dd57ea4d..8545ff85 100755 --- a/terraform/aws/management/README.md +++ b/terraform/aws/management/README.md @@ -152,7 +152,7 @@ secret_key = "my-secret-key" | iam_permissions | IAM role to attach to the instance profile | string | - None (configure later)
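Review bot: The default of `gateway_instance_type` changes from `c5.xlarge` to `c6in.xlarge`, which is a behaviour change for any existing deployment that relies on the default instead of setting the variable: the next `terraform apply` against such a state will presumably change the instance type of the gateways (for the Auto Scaling templates, newly launched members would come up with the new type). The same default change is made in gwlb/terraform.tfvars in this file section, in modules/common/gateway_instance/variables.tf, and in qs-autoscale-master/terraform.tfvars and qs-autoscale-master/variables.tf. The template version table added for gwlb in this commit records only `R80.40 version deprecation`, so the new default goes unrecorded; I would add a line such as `| 20240704 | Change default gateway instance type to c6in.xlarge |` and, since `validate_instance_type` only checks membership in an allow-list, note in the variable description that the chosen type must be available in the target region. The `variable` block is complete in the hunk; the `validate_instance_type` module call continues outside it.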
- Use existing (specify an existing IAM role name)
- Create with assume role permissions (specify an STS role ARN)
- Create with read permissions
- Create with read-write permissions | Create with read permissions | no | | predefined_role | (Optional) A predefined IAM role to attach to the instance profile. Ignored if var.iam_permissions is not set to 'Use existing' | string | n/a | "" | no | | sts_roles | (Optional) The IAM role will be able to assume these STS Roles (list of ARNs). Ignored if var.iam_permissions is set to 'None' or 'Use existing' | list(string) | n/a | [] | no | -| management_version | Management version and license | string | - R80.40-BYOL
- R80.40-PAYG
- R81-BYOL
- R81-PAYG
- R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG | R81.20-BYOL | no | +| management_version | Management version and license | string | - R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG | R81.20-BYOL | no | | admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | | management_password_hash | (Optional) Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash) | string | n/a | "" | no | | management_hostname | (Optional) Security Management Server prompt hostname. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | @@ -182,18 +182,19 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|---------------------------------------------------------------------------------------------------------------| -| 20210309 | First release of Check Point Security Management Server Terraform module for AWS | -| 20210329 | Stability fixes | -| 20220606 | New instance type support | -| 20221123 | R81.20 version support | -| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | -| 20230806 | Add support for c6in instance type | -| 20230829 | Change default Check Point version to R81.20 | -| 20230914 | Add support for maintenance mode password | -| 20230923 | Add support for C5d instance type | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | -| 20240207 | Added Log Server installation support | +| 20240704 | - R80.40 version deprecation.
- R81 version deprecation. | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20240207 | Added Log Server installation support | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20210329 | Stability fixes | +| 20210309 | First release of Check Point Security Management Server Terraform module for AWS | ## License diff --git a/terraform/aws/management/management_userdata.yaml b/terraform/aws/management/management_userdata.yaml index 0f3801ff..cfd9e5dc 100755 --- a/terraform/aws/management/management_userdata.yaml +++ b/terraform/aws/management/management_userdata.yaml 
@@ -1,4 +1,4 @@ #cloud-config runcmd: - | - python3 /etc/cloud_config.py sicKey=\"${SICKey}\" installationType=\"management\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"management\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" "management_installation_type=\"${ManagementInstallationType}\"" adminSubnet=\"${AdminSubnet}\" allocatePublicAddress=\"${AllocateElasticIP}\" overTheInternet=\"${PubMgmt}\" bootstrapScript64=\"${BootstrapScript}\" \ No newline at end of file + python3 /etc/cloud_config.py sicKey=\"${SICKey}\" installationType=\"management\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20240704\" templateName=\"management\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" "management_installation_type=\"${ManagementInstallationType}\"" adminSubnet=\"${AdminSubnet}\" allocatePublicAddress=\"${AllocateElasticIP}\" overTheInternet=\"${PubMgmt}\" bootstrapScript64=\"${BootstrapScript}\" \ No newline at end of file diff --git a/terraform/aws/mds/README.md b/terraform/aws/mds/README.md index 5da9667d..156aad68 100755 --- a/terraform/aws/mds/README.md +++ b/terraform/aws/mds/README.md @@ -147,7 +147,7 @@ secret_key = "my-secret-key" | iam_permissions | IAM role to attach to the instance profile | string | - None (configure later)
- Use existing (specify an existing IAM role name)
- Create with assume role permissions (specify an STS role ARN)
- Create with read permissions
- Create with read-write permissions | Create with read permissions | no | | predefined_role | (Optional) A predefined IAM role to attach to the instance profile. Ignored if var.iam_permissions is not set to 'Use existing' | string | n/a | "" | no | | sts_roles | (Optional) The IAM role will be able to assume these STS Roles (list of ARNs). Ignored if var.iam_permissions is set to 'None' or 'Use existing' | list(string) | n/a | [] | no | -| mds_version | Multi-Domain Server version and license | string | - R80.40-BYOL
- R81-BYOL
- R81.10-BYOL
- R81.20-BYOL | R81.20-BYOL | no | +| mds_version | Multi-Domain Server version and license | string | - R81.10-BYOL
- R81.20-BYOL | R81.20-BYOL | no | | mds_admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | | mds_password_hash | (Optional) Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash) | string | n/a | "" | no | | mds_hostname | (Optional) Multi-Domain Server prompt hostname. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | @@ -174,16 +174,18 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|---------------------------------------------------------------------------------------------------------------| -| 20210309 | First release of Check Point Multi-Domain Server Terraform module for AWS | -| 20210329 | Stability fixes | -| 20221123 | R81.20 version support | -| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | -| 20230806 | Add support for c6in instance type | -| 20230829 | Change default Check Point version to R81.20 | -| 20230914 | Add support for maintenance mode password | -| 20230923 | Add support for C5d instance type | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20240704 | - R80.40 version deprecation.
- R81 version deprecation. | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20221123 | R81.20 version support | +| 20210329 | Stability fixes | +| 20210309 | First release of Check Point Multi-Domain Server Terraform module for AWS | ## License diff --git a/terraform/aws/mds/mds_userdata.yaml b/terraform/aws/mds/mds_userdata.yaml index 3321cd60..cd0085c6 100755 --- a/terraform/aws/mds/mds_userdata.yaml +++ b/terraform/aws/mds/mds_userdata.yaml @@ -1,4 +1,4 @@ #cloud-config runcmd: - | - python3 /etc/cloud_config.py sicKey=\"${SICKey}\" installationType=\"mds\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"mds\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" primary=\"${IsPrimary}\" secondary=\"${IsSecondary}\" adminSubnet=\"${AdminSubnet}\" bootstrapScript64=\"${BootstrapScript}\" \ No newline at end of file + python3 /etc/cloud_config.py sicKey=\"${SICKey}\" installationType=\"mds\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20240704\" templateName=\"mds\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" primary=\"${IsPrimary}\" secondary=\"${IsSecondary}\" adminSubnet=\"${AdminSubnet}\" bootstrapScript64=\"${BootstrapScript}\" \ No newline at end of file diff --git a/terraform/aws/modules/amis/main.tf b/terraform/aws/modules/amis/main.tf index 4e76baa3..19d136d2 100644 --- a/terraform/aws/modules/amis/main.tf +++ b/terraform/aws/modules/amis/main.tf 
@@ -4,10 +4,11 @@ locals { // Variables example: - // version_license = "R80.40-PAYG-NGTX" + // version_license = "R81.10-PAYG-NGTX" // RESULT: - // version_license_key = "R80.40-PAYG-NGTX-GW" - // version_license_value = "R8040PAYGNGTXGW" + // version_license_key = "R81.10-PAYG-NGTX-GW" + + // version_license_value = "R8110PAYGNGTXGW" version_license_key_mgmt_gw = format("%s%s", var.version_license, var.chkp_type == "gateway" ? "-GW" : var.chkp_type == "management" ? "-MGMT" : var.chkp_type == "mds" ? "-MGMT" : "") version_license_key = var.chkp_type == "standalone" ? format("%s%s", var.version_license, element(split("-", var.version_license), 1) == "BYOL" ? "-MGMT" : "") : local.version_license_key_mgmt_gw diff --git a/terraform/aws/modules/common/gateway_instance/gateway_userdata.yaml b/terraform/aws/modules/common/gateway_instance/gateway_userdata.yaml index 05538232..ba55e025 100755 --- a/terraform/aws/modules/common/gateway_instance/gateway_userdata.yaml +++ b/terraform/aws/modules/common/gateway_instance/gateway_userdata.yaml 
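Review bot: An empty line is added between the two RESULT comment lines (`// version_license_key = "R81.10-PAYG-NGTX-GW"` and `// version_license_value = "R8110PAYGNGTXGW"`), which is what lifts the hunk from 10 to 11 lines and splits the worked example in two; it looks unintentional and should be dropped so the example reads as one block above the expressions it explains. The enclosing `locals` block continues outside the hunk.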
@@ -1,4 +1,4 @@ #cloud-config runcmd: - | - python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenKey}\"" installationType=\"gateway\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"gateway\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" bootstrapScript64=\"${GatewayBootstrapScript}\" \ No newline at end of file + python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenKey}\"" installationType=\"gateway\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20240704\" templateName=\"gateway\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" bootstrapScript64=\"${GatewayBootstrapScript}\" \ No newline at end of file diff --git a/terraform/aws/modules/common/gateway_instance/variables.tf b/terraform/aws/modules/common/gateway_instance/variables.tf index 0e1a010c..5e6ac6bf 100755 --- a/terraform/aws/modules/common/gateway_instance/variables.tf +++ b/terraform/aws/modules/common/gateway_instance/variables.tf @@ -52,7 +52,7 @@ variable "gateway_version" { variable "gateway_instance_type" { type = string description = "The instance type of the Security Gateways" - default = "c5.xlarge" + default = "c6in.xlarge" } module "validate_instance_type" { source = "../instance_type" 
diff --git a/terraform/aws/modules/common/instance_type/main.tf b/terraform/aws/modules/common/instance_type/main.tf index 22fffe49..418d3415 100755 --- a/terraform/aws/modules/common/instance_type/main.tf +++ b/terraform/aws/modules/common/instance_type/main.tf @@ -350,4 +350,4 @@ locals { sa_values = var.chkp_type == "standalone" ? concat(local.gw_types, local.mgmt_types) : [] allowed_values = coalescelist(local.gw_values, local.mgmt_values, local.mds_values, local.sa_values , local.server_types) is_allowed_type = index(local.allowed_values, var.instance_type) -} \ No newline at end of file +} diff --git a/terraform/aws/modules/common/load_balancer/variables.tf b/terraform/aws/modules/common/load_balancer/variables.tf index 7cc6464e..2e143fc7 100755 --- a/terraform/aws/modules/common/load_balancer/variables.tf +++ b/terraform/aws/modules/common/load_balancer/variables.tf @@ -59,4 +59,4 @@ variable "health_check_protocol" { description = "The health check protocol" type = string default = null -} +} \ No newline at end of file diff --git a/terraform/aws/modules/common/version_license/main.tf b/terraform/aws/modules/common/version_license/main.tf index 43512f98..c0aaca14 100755 --- a/terraform/aws/modules/common/version_license/main.tf +++ b/terraform/aws/modules/common/version_license/main.tf @@ -1,11 +1,5 @@ locals { gw_versions = [ - "R80.40-BYOL", - "R80.40-PAYG-NGTP", - "R80.40-PAYG-NGTX", - "R81-BYOL", - "R81-PAYG-NGTP", - "R81-PAYG-NGTX", "R81.10-BYOL", "R81.10-PAYG-NGTP", "R81.10-PAYG-NGTX", 
@@ -14,35 +8,22 @@ locals { "R81.20-PAYG-NGTX" ] mgmt_versions = [ - "R80.40-BYOL", - "R80.40-PAYG", - "R81-BYOL", - "R81-PAYG", "R81.10-BYOL", "R81.10-PAYG", "R81.20-BYOL", "R81.20-PAYG" ] mds_versions = [ - "R80.40-BYOL", - "R81-BYOL", "R81.10-BYOL", "R81.20-BYOL" ] standalone_versions = [ - "R80.40-BYOL", - "R80.40-PAYG-NGTP", - "R81-BYOL", - "R81-PAYG-NGTP", "R81.10-BYOL", "R81.10-PAYG-NGTP", "R81.20-BYOL", "R81.20-PAYG-NGTP" ] gwlb_gw_versions = [ - "R80.40-BYOL", - "R80.40-PAYG-NGTP", - "R80.40-PAYG-NGTX", "R81.20-BYOL", "R81.20-PAYG-NGTP", "R81.20-PAYG-NGTX" diff --git a/terraform/aws/modules/custom-autoscale/main.tf b/terraform/aws/modules/custom-autoscale/main.tf index e7d3decd..c361388d 100755 --- a/terraform/aws/modules/custom-autoscale/main.tf +++ b/terraform/aws/modules/custom-autoscale/main.tf @@ -43,9 +43,9 @@ resource "aws_autoscaling_group" "servers_group" { target_group_arns = local.provided_target_groups_condition ? [var.servers_target_groups] : [] tag { - key = "Name" - value = format("%s%s", var.prefix != "" ? format("%s-", var.prefix) : "", var.server_name) - propagate_at_launch = true + key = "Name" + value = format("%s%s", var.prefix != "" ? format("%s-", var.prefix) : "", var.server_name) + propagate_at_launch = true } } resource "aws_autoscaling_policy" "scale_up_policy" { diff --git a/terraform/aws/qs-autoscale-master/README.md b/terraform/aws/qs-autoscale-master/README.md index 809de14a..6d140f0f 100755 --- a/terraform/aws/qs-autoscale-master/README.md +++ b/terraform/aws/qs-autoscale-master/README.md 
@@ -167,7 +167,6 @@ secret_key = "my-secret-key" ``` ## Inputs - | Name | Description | Type | Allowed values | Default | Required | |-------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|----------| | prefix | (Optional) Instances name prefix | string | n/a | "" | no | 
@@ -240,18 +239,18 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|---------------------------------------------------------------------------------------| -| 20210309 | First release of Check Point Quick Start Auto Scaling Master Terraform module for AWS | -| 20220606 | New instance type support | -| 20221123 | R81.20 version support | -| 20221226 | Support ASG Launch Template instead of Launch Configuration | -| 20230806 | Add support for c6in instance type | -| 20230829 | Change default Check Point version to R81.20 | -| 20230914 | Add support for maintenance mode password | -| 20230923 | Add support for C5d instance type | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | -| 20231127 | Add support for parameter admin shell | | 20240425 | Remove support for R81 and lower versions | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231127 | Add support for parameter admin shell | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20221226 | Support ASG Launch Template instead of Launch Configuration | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20210309 | First release of Check Point Quick Start Auto Scaling Master Terraform module for AWS | ## License diff --git a/terraform/aws/qs-autoscale-master/terraform.tfvars b/terraform/aws/qs-autoscale-master/terraform.tfvars index 37a07774..6272f051 100755 --- a/terraform/aws/qs-autoscale-master/terraform.tfvars +++ b/terraform/aws/qs-autoscale-master/terraform.tfvars 
@@ -31,7 +31,7 @@ service_port = "80" admin_shell = "/etc/cli.sh" // --- Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration --- -gateway_instance_type = "c5.xlarge" +gateway_instance_type = "c6in.xlarge" gateways_min_group_size = 2 gateways_max_group_size = 8 gateway_version = "R81.20-BYOL" diff --git a/terraform/aws/qs-autoscale-master/variables.tf b/terraform/aws/qs-autoscale-master/variables.tf index 317b1c94..35071b1c 100755 --- a/terraform/aws/qs-autoscale-master/variables.tf +++ b/terraform/aws/qs-autoscale-master/variables.tf @@ -111,7 +111,7 @@ variable "admin_shell" { variable "gateway_instance_type" { type = string description = "The instance type of the Security Gateways" - default = "c5.xlarge" + default = "c6in.xlarge" } module "validate_gateway_instance_type" { source = "../modules/common/instance_type" diff --git a/terraform/aws/qs-autoscale/README.md b/terraform/aws/qs-autoscale/README.md index adadaeff..68244779 100755 --- a/terraform/aws/qs-autoscale/README.md +++ b/terraform/aws/qs-autoscale/README.md 
@@ -154,47 +154,45 @@ secret_key = "my-secret-key" ``` ## Inputs - -| Name | Description | Type | Allowed values | Default | Required | -|-------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|----------| -| prefix | (Optional) Instances name prefix | string | n/a | "" | no | -| asg_name | Autoscaling Group name | string | n/a | Check-Point-ASG-tf | no | -| vpc_id | Select an existing VPC | string | n/a | n/a | yes | -| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | -| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | -| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | -| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | -| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | -| allow_upload_download | Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point | bool | true/false | true | no | -| provision_tag | The tag is used by the Security Management Server to automatically provision the Security Gateways. Must be up to 12 alphanumeric characters and unique for each Quick Start deployment | string | n/a | quickstart | no | -| load_balancers_type | Use Network Load Balancer if you wish to preserve the source IP address and Application Load Balancer if you wish to use content based routing | string | - Network Load Balancer
- Application Load Balancer
| Network Load Balancer | no | -| load_balancer_protocol | The protocol to use on the Load Balancer | string | Network Load Balancer:
- TCP
- TLS
- UDP
- TCP_UDP

Application Load Balancer:
- HTTP
- HTTPS | TCP | yes | -| certificate | Amazon Resource Name (ARN) of an HTTPS Certificate, ignored if the selected protocol is HTTP | string | n/a | n/a | no | -| service_port | The external Load Balancer listens to this port. Leave this field blank to use default ports: 80 for HTTP and 443 for HTTPS | string | n/a | n/a | no | -| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | -| gateways_subnets | Select at least 2 public subnets in the VPC. If you choose to deploy a Security Management Server it will be deployed in the first subnet | list(string) | n/a | n/a | yes | -| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | -| gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | -| gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | -| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | -| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | -| gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | -| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | -| management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | -| management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | -| management_version | The license to install on the Security Management Server | string | - R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG | R81.20-BYOL | no | -| management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | -| gateways_policy | The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group | string | n/a | Standard | no | -| gateways_blades | Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (additional Blades can be manually turned on later) | bool | true/false | true | no | -| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | -| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | -| servers_deploy | Select 'true' to deploy web servers and an internal Application Load Balancer. If you select 'false' the other parameters of this section will be ignored | bool | true/false | false | no | -| servers_subnets | Provide at least 2 private subnet IDs in the chosen VPC, separated by commas (e.g. subnet-0d72417c,subnet-1f61306f,subnet-1061d06f). | list(string) | n/a | n/a | yes | -| servers_instance_type | The EC2 instance type for the web servers | string | - t3.nano
- t3.micro
- t3.small
- t3.medium
- t3.large
- t3.xlarge
- t3.2xlarge | t3.micro | no | -| server_ami | The Amazon Machine Image ID of a preconfigured web server (e.g. ami-0dc7dc63) | string | n/a | n/a | yes | -| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | -| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | - +| Name | Description | Type | Allowed values | Default | Required | +|-------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|----------| +| prefix | (Optional) Instances name prefix | string | n/a | "" | no | +| asg_name | Autoscaling Group name | string | n/a | Check-Point-ASG-tf | no | +| vpc_id | Select an existing VPC | string | n/a | n/a | yes | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | +| 
enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| provision_tag | The tag is used by the Security Management Server to automatically provision the Security Gateways. Must be up to 12 alphanumeric characters and unique for each Quick Start deployment | string | n/a | quickstart | no | +| load_balancers_type | Use Network Load Balancer if you wish to preserve the source IP address and Application Load Balancer if you wish to use content based routing | string | - Network Load Balancer
- Application Load Balancer
| Network Load Balancer | no | +| load_balancer_protocol | The protocol to use on the Load Balancer | string | Network Load Balancer:
- TCP
- TLS
- UDP
- TCP_UDP

Application Load Balancer:
- HTTP
- HTTPS | TCP | yes | +| certificate | Amazon Resource Name (ARN) of an HTTPS Certificate, ignored if the selected protocol is HTTP | string | n/a | n/a | no | +| service_port | The external Load Balancer listens to this port. Leave this field blank to use default ports: 80 for HTTP and 443 for HTTPS | string | n/a | n/a | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateways_subnets | Select at least 2 public subnets in the VPC. If you choose to deploy a Security Management Server it will be deployed in the first subnet | list(string) | n/a | n/a | yes | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | +| gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | +| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | +| management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | +| management_version | The license to install on the Security Management Server | string | - R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG | R81.20-BYOL | no | +| management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateways_policy | The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group | string | n/a | Standard | no | +| gateways_blades | Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (additional Blades can be manually turned on later) | bool | true/false | true | no | +| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| servers_deploy | Select 'true' to deploy web servers and an internal Application Load Balancer. If you select 'false' the other parameters of this section will be ignored | bool | true/false | false | no | +| servers_subnets | Provide at least 2 private subnet IDs in the chosen VPC, separated by commas (e.g. subnet-0d72417c,subnet-1f61306f,subnet-1061d06f). | list(string) | n/a | n/a | yes | +| servers_instance_type | The EC2 instance type for the web servers | string | - t3.nano
- t3.micro
- t3.small
- t3.medium
- t3.large
- t3.xlarge
- t3.2xlarge | t3.micro | no | +| server_ami | The Amazon Machine Image ID of a preconfigured web server (e.g. ami-0dc7dc63) | string | n/a | n/a | yes | +| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | ## Outputs | Name | Description | 
@@ -218,21 +216,22 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|-------------------------------------------------------------------------------------------------------------------------------------| -| 20210309 | First release of Check Point Quick Start Auto Scaling Terraform module for AWS | -| 20210329 | Stability fixes | -| 20220606 | New instance type support | -| 20221123 | R81.20 version support | -| 20221226 | Support ASG Launch Template instead of Launch Configuration | -| 20230806 | Add support for c6in instance type | -| 20230829 | Change default Check Point version to R81.20 | -| 20230914 | Add support for maintenance mode password | -| 20230923 | Add support for C5d instance type | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | -| 20231022 | Fixed template to populate x-chkp-tags correctly | -| 20231127 | Add support for parameter admin shell | -| 20240130 | Network Load Balancer Health Check configuration change for higher than R81 version. New Health Check Port is 8117 and Protocol TCP | -| 20240425 | Remove support for R81 and lower versions | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20240425 | Remove support for R81 and lower versions | +| 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20240130 | Network Load Balancer Health Check configuration change for higher than R81 version. 
New Health Check Port is 8117 and Protocol TCP |
+| 20231127 | Add support for parameter admin shell |
+| 20231022 | Fixed template to populate x-chkp-tags correctly |
+| 20231012 | Update AWS Terraform provider version to 5.20.1 |
+| 20230923 | Add support for C5d instance type |
+| 20230914 | Add support for maintenance mode password |
+| 20230829 | Change default Check Point version to R81.20 |
+| 20230806 | Add support for c6in instance type |
+| 20221226 | Support ASG Launch Template instead of Launch Configuration |
+| 20221123 | R81.20 version support |
+| 20220606 | New instance type support |
+| 20210329 | Stability fixes |
+| 20210309 | First release of Check Point Quick Start Auto Scaling Terraform module for AWS |
 ## License
diff --git a/terraform/aws/qs-autoscale/terraform.tfvars b/terraform/aws/qs-autoscale/terraform.tfvars
index d9eb16f4..c9b51179 100755
--- a/terraform/aws/qs-autoscale/terraform.tfvars
+++ b/terraform/aws/qs-autoscale/terraform.tfvars
@@ -21,7 +21,7 @@ admin_shell = "/etc/cli.sh"
 // --- Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration ---
 gateways_subnets = ["subnet-123b5678", "subnet-123a4567"]
-gateway_instance_type = "c5.xlarge"
+gateway_instance_type = "c6in.xlarge"
 gateways_min_group_size = 2
 gateways_max_group_size = 8
 gateway_version = "R81.20-BYOL"
diff --git a/terraform/aws/qs-autoscale/variables.tf b/terraform/aws/qs-autoscale/variables.tf
index 070ec4f4..b1539ba3 100755
--- a/terraform/aws/qs-autoscale/variables.tf
+++ b/terraform/aws/qs-autoscale/variables.tf
@@ -98,7 +98,7 @@ variable "gateways_subnets" {
 variable "gateway_instance_type" {
 type = string
 description = "The instance type of the Security Gateways"
- default = "c5.xlarge"
+ default = "c6in.xlarge"
 }
 module "validate_gateway_instance_type" {
 source = "../modules/common/instance_type"
diff --git a/terraform/aws/standalone-master/README.md b/terraform/aws/standalone-master/README.md
index 7802954c..ef5219d9 100755
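Review bot: The new default `c6in.xlarge` for `gateway_instance_type` in variables.tf (and the matching terraform.tfvars change in the preceding hunk) is not reflected in the qs-autoscale README, whose `gateway_instance_type` row on the new side still lists `c5.xlarge` in the Default column; that cell should read `c6in.xlarge` so the documented default matches what `terraform apply` will actually launch. The template-version table in the same README records no entry for this default change either, and on its new side it now carries two rows for the IMDSv2 feature, the kept context row `20240515` and the added row `20240310` with identical descriptions; one of the two looks like a mistaken date and should be dropped or corrected so the changelog stays unambiguous. The `module "validate_gateway_instance_type"` block that follows the changed `variable` block continues outside the hunk.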
--- a/terraform/aws/standalone-master/README.md
+++ b/terraform/aws/standalone-master/README.md
@@ -152,7 +152,7 @@ secret_key = "my-secret-key"
 | disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no |
 | metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes |
 | instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Standalone EC2 Instance | map(string) | n/a | {} | no |
-| standalone_version | Security Gateway & Management (Standalone) version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R81-BYOL
- R81-PAYG-NGTP
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.20-BYOL
- R81.20-PAYG-NGTP | R81.20-BYOL | no | +| standalone_version | Security Gateway & Management (Standalone) version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.20-BYOL
- R81.20-PAYG-NGTP | R81.20-BYOL | no | | admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | | standalone_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | | resources_tag_name | (optional) | string | n/a | "" | no | @@ -185,16 +185,17 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|-------------------------------------------------------------------------------------------------------------------------| -| 20210309 | First release of Check Point Security Management Server & Security Gateway (Standalone) Master Terraform module for AWS | -| 20220606 | New instance type support | -| 20221123 | R81.20 version support | -| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | -| 20230806 | Add support for c6in instance type | -| 20230829 | Change default Check Point version to R81.20 | -| 20230914 | Add support for maintenance mode password | -| 20231012 | Update AWS Terraform Provider version to 5.20.1 | -| 20231113 | Add support for BYOL license type for Standalone | +| 20240704 | - R80.40 version deprecation.
- R81 version deprecation. | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231113 | Add support for BYOL license type for Standalone | +| 20231012 | Update AWS Terraform Provider version to 5.20.1 | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20210309 | First release of Check Point Security Management Server & Security Gateway (Standalone) Master Terraform module for AWS | ## License diff --git a/terraform/aws/standalone-master/locals.tf b/terraform/aws/standalone-master/locals.tf index e2e6ab47..61326301 100755 --- a/terraform/aws/standalone-master/locals.tf +++ b/terraform/aws/standalone-master/locals.tf @@ -32,4 +32,5 @@ locals { // Will fail if var.standalone_password_hash is invalid regex_standalone_password_hash = regex(local.regex_valid_standalone_password_hash, var.standalone_password_hash) == var.standalone_password_hash ? 0 : "Variable [standalone_password_hash] must be a valid password hash" regex_maintenance_mode_password_hash = regex(local.regex_valid_standalone_password_hash, var.standalone_maintenance_mode_password_hash) == var.standalone_maintenance_mode_password_hash ? 0 : "Variable [standalone_maintenance_mode_password_hash] must be a valid password hash" + } \ No newline at end of file diff --git a/terraform/aws/standalone/README.md b/terraform/aws/standalone/README.md index 388bba1e..e16f1fe8 100755 --- a/terraform/aws/standalone/README.md +++ b/terraform/aws/standalone/README.md 
@@ -113,36 +113,35 @@ secret_key = "my-secret-key" ## Inputs -| Name | Description | Type | Allowed values | Default | Required | -|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------|----------| -| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | -| public_subnet_id | The public subnet of the Security Gateway & Management (Standalone) | string | n/a | n/a | yes | -| private_subnet_id | The private subnet of the Security Gateway & Management (Standalone) | string | n/a | n/a | yes | -| private_route_table | Sets '0.0.0.0/0' route to the Security Gateway & Management (Standalone) instance in the specified route table (e.g. rtb-12a34567) | string | n/a | "" | no | -| standalone_name | (Optional) The name tag of the Security Gateway & Management (Standalone) instance | string | n/a | Check-Point-Standalone-tf | no | -| standalone_instance_type | The instance type of the Security Gateway & Management (Standalone) instance | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | -| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | -| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with the launched instance | bool | true/false | true | no | -| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | -| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | -| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | -| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | -| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | -| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Standalone EC2 Instance | map(string) | n/a | {} | no | -| standalone_version | Security Gateway & Management (Standalone) version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R81-BYOL
- R81-PAYG-NGTP
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.20-BYOL
- R81.20-PAYG-NGTP | R81.20-BYOL | no | -| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | -| standalone_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | -| resources_tag_name | (optional) | string | n/a | "" | no | -| standalone_hostname | (Optional) Security Gateway & Management (Standalone) prompt hostname. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | -| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | -| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | -| standalone_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | -| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | -| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | -| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | n/a | 0.0.0.0/0 | no | -| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | n/a | 0.0.0.0/0 | no | -| standalone_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). 
(optional) | string | n/a | "" | no | - +| Name | Description | Type | Allowed values | Default | Required | +|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------|----------| +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| public_subnet_id | The public subnet of the Security Gateway & Management (Standalone) | string | n/a | n/a | yes | +| private_subnet_id | The private subnet of the Security Gateway & Management (Standalone) | string | n/a | n/a | yes | +| private_route_table | Sets '0.0.0.0/0' route to the Security Gateway & Management (Standalone) instance in the specified route table (e.g. rtb-12a34567) | string | n/a | "" | no | +| standalone_name | (Optional) The name tag of the Security Gateway & Management (Standalone) instance | string | n/a | Check-Point-Standalone-tf | no | +| standalone_instance_type | The instance type of the Security Gateway & Management (Standalone) instance | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with the launched instance | bool | true/false | true | no | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Standalone EC2 Instance | map(string) | n/a | {} | no | +| standalone_version | Security Gateway & Management (Standalone) version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.20-BYOL
- R81.20-PAYG-NGTP | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| standalone_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| resources_tag_name | (optional) | string | n/a | "" | no | +| standalone_hostname | (Optional) Security Gateway & Management (Standalone) prompt hostname. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| standalone_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | +| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | +| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | n/a | 0.0.0.0/0 | no | +| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | n/a | 0.0.0.0/0 | no | +| standalone_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | ## Outputs | Name | Description | 
@@ -155,22 +154,21 @@ secret_key = "my-secret-key"
 ## Revision History
 In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585)
-
-| Template Version | Description |
-|--------------------|------------------------------------------------------------------------------------------------------------------|
-| 20210309 | First release of Check Point Security Management Server & Security Gateway (Standalone) Terraform module for AWS |
-| 20210329 | Stability fixes |
-| 20220606 | New instance type support |
-| 20221123 | R81.20 version support |
-| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname |
-| 20230806 | Add support for c6in instance type |
-| 20230829 | Change default Check Point version to R81.20 |
-| 20230914 | Add support for maintenance mode password |
-| 20230923 | Add support for C5d instance type |
-| 20231012 | Update AWS Terraform provider version to 5.20.1 |
-| 20231113 | Add support for BYOL license type for Standalone |
-| 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only |
-
+| Template Version | Description |
+|------------------|------------------------------------------------------------------------------------------------------------------|
+| 20240704 | - R80.40 version deprecation.
- R81 version deprecation. |
+| 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only |
+| 20231113 | Add support for BYOL license type for Standalone |
+| 20231012 | Update AWS Terraform provider version to 5.20.1 |
+| 20230923 | Add support for C5d instance type |
+| 20230914 | Add support for maintenance mode password |
+| 20230829 | Change default Check Point version to R81.20 |
+| 20230806 | Add support for c6in instance type |
+| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname |
+| 20221123 | R81.20 version support |
+| 20220606 | New instance type support |
+| 20210329 | Stability fixes |
+| 20210309 | First release of Check Point Security Management Server & Security Gateway (Standalone) Terraform module for AWS |
 ## License
diff --git a/terraform/aws/standalone/standalone_userdata.yaml b/terraform/aws/standalone/standalone_userdata.yaml
index 1bdf7eca..0bf47ec4 100755
--- a/terraform/aws/standalone/standalone_userdata.yaml
+++ b/terraform/aws/standalone/standalone_userdata.yaml
@@ -1,4 +1,4 @@
 #cloud-config
 runcmd:
 - |
- python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" installationType=\"standalone\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"standalone\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" adminSubnet=\"${AdminSubnet}\" allocatePublicAddress=\"${AllocateElasticIP}\" bootstrapScript64=\"${StandaloneBootstrapScript}\"
\ No newline at end of file
+ python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" installationType=\"standalone\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20240704\" templateName=\"standalone\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" adminSubnet=\"${AdminSubnet}\" allocatePublicAddress=\"${AllocateElasticIP}\" bootstrapScript64=\"${StandaloneBootstrapScript}\"
\ No newline at end of file
diff --git a/terraform/aws/tgw-asg-master/README.md b/terraform/aws/tgw-asg-master/README.md
index 7850cebd..18940e6e 100755
--- a/terraform/aws/tgw-asg-master/README.md
+++ b/terraform/aws/tgw-asg-master/README.md
@@ -168,14 +168,14 @@ secret_key = "my-secret-key"
 | gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | | gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | | gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | -| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81-BYOL
- R81-PAYG-NGTP
- R81-PAYG-NGTX
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | | gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | | gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | | enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | | asn | The organization Autonomous System Number (ASN) that identifies the routing domain for the Security Gateways | string | n/a | 6500 | no | | management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | | management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | -| management_version | The license to install on the Security Management Server | string | - R80.40-BYOL
- R80.40-PAYG
- R81-BYOL
- R81-PAYG
- R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG | R81.20-BYOL | no | +| management_version | The license to install on the Security Management Server | string | - R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG | R81.20-BYOL | no | | management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | | management_permissions | IAM role to attach to the instance profile | string | - None (configure later)
- Use existing (specify an existing IAM role name)
- Create with assume role permissions (specify an STS role ARN)
- Create with read permissions
- Create with read-write permissions | Create with read-write permissions | no | | management_predefined_role | ((Optional) A predefined IAM role to attach to the instance profile. Ignored if IAM role is not set to 'Use existing' | string | n/a | "" | no | @@ -207,16 +207,17 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|-------------------------------------------------------------------------------------------------| -| 20210329 | First release of Check Point Transit Gateway Auto Scaling Group Master Terraform module for AWS | -| 20220606 | New instance type support | -| 20221123 | R81.20 version support | -| 20221226 | Support ASG Launch Template instead of Launch Configuration | -| 20230806 | Add support for c6in instance type | -| 20230829 | Change default Check Point version to R81.20 | -| 20230914 | Add support for maintenance mode password | -| 20230923 | Add support for C5d instance type | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20240704 | - R80.40 version deprecation.
- R81 version deprecation. | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20221226 | Support ASG Launch Template instead of Launch Configuration | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20210329 | First release of Check Point Transit Gateway Auto Scaling Group Master Terraform module for AWS | ## License diff --git a/terraform/aws/tgw-asg-master/locals.tf b/terraform/aws/tgw-asg-master/locals.tf index 54cef511..467c4b4e 100755 --- a/terraform/aws/tgw-asg-master/locals.tf +++ b/terraform/aws/tgw-asg-master/locals.tf 
@@ -35,10 +35,12 @@ locals {
 regex_valid_management_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
 // Will fail if var.management_password_hash is invalid
 regex_management_password_hash = regex(local.regex_valid_management_password_hash, var.management_password_hash) == var.management_password_hash ? 0 : "Variable [management_password_hash] must be a valid password hash"
+ regex_management_maintenance_mode_password_hash = regex(local.regex_valid_management_password_hash, var.management_maintenance_mode_password_hash) == var.management_maintenance_mode_password_hash ? 0 : "Variable [management_maintenance_mode_password_hash] must be a valid password hash"
 regex_valid_gateway_password_hash = "^[\\$\\./a-zA-Z0-9]*$"
 // Will fail if var.gateway_password_hash is invalid
 regex_gateway_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_password_hash) == var.gateway_password_hash ? 0 : "Variable [gateway_password_hash] must be a valid password hash"
+ regex_gateway_maintenance_mode_password_hash = regex(local.regex_valid_gateway_password_hash, var.gateway_maintenance_mode_password_hash) == var.gateway_maintenance_mode_password_hash ? 0 : "Variable [gateway_maintenance_mode_password_hash] must be a valid password hash"
 regex_valid_asn = "^[0-9]+$"
 // Will fail if var.asn is invalid
diff --git a/terraform/aws/tgw-asg-master/terraform.tfvars b/terraform/aws/tgw-asg-master/terraform.tfvars
index 7807cc3d..5fb15521 100755
--- a/terraform/aws/tgw-asg-master/terraform.tfvars
+++ b/terraform/aws/tgw-asg-master/terraform.tfvars
@@ -18,7 +18,7 @@ allow_upload_download = true
 // --- Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration ---
 gateway_name = "Check-Point-gateway"
-gateway_instance_type = "c5.xlarge"
+gateway_instance_type = "c6in.xlarge"
 gateways_min_group_size = 2
 gateways_max_group_size = 8
 gateway_version = "R81.20-BYOL"
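Review bot: The custom error strings on the two added locals, `regex_management_maintenance_mode_password_hash` and `regex_gateway_maintenance_mode_password_hash`, are unreachable: Terraform's `regex()` raises its own error when the anchored pattern does not match, so the `? 0 : "Variable [...] must be a valid password hash"` branch never executes and an operator who pastes a malformed hash sees a generic pattern-mismatch error rather than the intended message. The existing `regex_management_password_hash` and `regex_gateway_password_hash` locals these lines copy have the same issue. A `validation` block on each variable, e.g. `condition = can(regex("^[\\$\\./a-zA-Z0-9]*$", var.management_maintenance_mode_password_hash))` with the message in `error_message`, would surface the text as written; the character class itself (`$`, `.`, `/`, alphanumerics) is fine for the pbkdf2 hash form the README tells users to paste here. The enclosing `locals` block starts and ends outside the hunk.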
diff --git a/terraform/aws/tgw-asg-master/variables.tf b/terraform/aws/tgw-asg-master/variables.tf
index a709a74f..f1713e76 100755
--- a/terraform/aws/tgw-asg-master/variables.tf
+++ b/terraform/aws/tgw-asg-master/variables.tf
@@ -74,7 +74,7 @@ variable "gateway_name" {
 variable "gateway_instance_type" {
 type = string
 description = "The instance type of the Security Gateways"
- default = "c5.xlarge"
+ default = "c6in.xlarge"
 }
 module "validate_gateway_instance_type" {
 source = "../modules/common/instance_type"
diff --git a/terraform/aws/tgw-asg/README.md b/terraform/aws/tgw-asg/README.md
index 540a8d28..44e1c298 100755
--- a/terraform/aws/tgw-asg/README.md
+++ b/terraform/aws/tgw-asg/README.md
@@ -159,14 +159,14 @@ secret_key = "my-secret-key"
 | gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
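Review bot: The new `default = "c6in.xlarge"` for `gateway_instance_type` is not reflected in this module's README, whose `gateway_instance_type` row in the README hunk above is an unchanged context line that still documents the default as `c5.xlarge`, so the documented and actual defaults now disagree. The same mismatch applies to the `terraform/aws/tgw-asg/variables.tf` hunk further down, whose README row is likewise left at `c5.xlarge`. Changing the Default column of both README rows to `c6in.xlarge` would bring the docs back in step; the tfvars samples in this patch already use `c6in.xlarge`. The `variable "gateway_instance_type"` block is fully inside the hunk.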
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | | gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | | gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | -| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81-BYOL
- R81-PAYG-NGTP
- R81-PAYG-NGTX
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX | R81.20-BYOL | no | +| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R81.20-PAYG-NGTX | R81.20-BYOL | no | | gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | | gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | | enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | | asn | The organization Autonomous System Number (ASN) that identifies the routing domain for the Security Gateways | string | n/a | 6500 | no | | management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | | management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | -| management_version | The license to install on the Security Management Server | string | - R80.40-BYOL
- R80.40-PAYG
- R81-BYOL
- R81-PAYG
- R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG | R81.20-BYOL | no | +| management_version | The license to install on the Security Management Server | string | - R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG | R81.20-BYOL | no | | management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | | management_permissions | IAM role to attach to the instance profile | string | - None (configure later)
- Use existing (specify an existing IAM role name)
- Create with assume role permissions (specify an STS role ARN)
- Create with read permissions
- Create with read-write permissions | Create with read-write permissions | no | | management_predefined_role | ((Optional) A predefined IAM role to attach to the instance profile. Ignored if IAM role is not set to 'Use existing' | string | n/a | "" | no | @@ -196,17 +196,18 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|------------------------------------------------------------------------------------------| -| 20210329 | First release of Check Point Transit Gateway Auto Scaling Group Terraform module for AWS | -| 20220606 | New instance type support | -| 20221123 | R81.20 version support | -| 20221226 | Support ASG Launch Template instead of Launch Configuration | -| 20230626 | Fixed missing x-chkp-* tags on Auto Scale Group | -| 20230806 | Add support for c6in instance type | -| 20230829 | Change default Check Point version to R81.20 | -| 20230914 | Add support for maintenance mode password | -| 20230923 | Add support for C5d instance type | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20240704 | - R80.40 version deprecation.
- R81 version deprecation. |
 | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only |
+| 20231012 | Update AWS Terraform provider version to 5.20.1 |
+| 20230923 | Add support for C5d instance type |
+| 20230914 | Add support for maintenance mode password |
+| 20230829 | Change default Check Point version to R81.20 |
+| 20230806 | Add support for c6in instance type |
+| 20230626 | Fixed missing x-chkp-* tags on Auto Scale Group |
+| 20221226 | Support ASG Launch Template instead of Launch Configuration |
+| 20221123 | R81.20 version support |
+| 20220606 | New instance type support |
+| 20210329 | First release of Check Point Transit Gateway Auto Scaling Group Terraform module for AWS |
 ## License
diff --git a/terraform/aws/tgw-asg/terraform.tfvars b/terraform/aws/tgw-asg/terraform.tfvars
index 9bdbb84e..c0f038e4 100755
--- a/terraform/aws/tgw-asg/terraform.tfvars
+++ b/terraform/aws/tgw-asg/terraform.tfvars
@@ -14,7 +14,7 @@ allow_upload_download = true
 // --- Check Point CloudGuard Network Security Gateways Auto Scaling Group Configuration ---
 gateway_name = "Check-Point-gateway"
-gateway_instance_type = "c5.xlarge"
+gateway_instance_type = "c6in.xlarge"
 gateways_min_group_size = 2
 gateways_max_group_size = 8
 gateway_version = "R81.20-BYOL"
diff --git a/terraform/aws/tgw-asg/variables.tf b/terraform/aws/tgw-asg/variables.tf
index 9a9a47e1..bd4af5b7 100755
--- a/terraform/aws/tgw-asg/variables.tf
+++ b/terraform/aws/tgw-asg/variables.tf
@@ -68,7 +68,7 @@ variable "gateway_name" {
 variable "gateway_instance_type" {
 type = string
 description = "The instance type of the Security Gateways"
- default = "c5.xlarge"
+ default = "c6in.xlarge"
 }
 module "validate_gateway_instance_type" {
 source = "../modules/common/instance_type"
diff --git a/terraform/aws/tgw-cross-az-cluster-master/README.md b/terraform/aws/tgw-cross-az-cluster-master/README.md
index 937444d8..3a821c9c 100755
--- a/terraform/aws/tgw-cross-az-cluster-master/README.md
+++ b/terraform/aws/tgw-cross-az-cluster-master/README.md 
@@ -139,40 +139,39 @@ secret_key = "my-secret-key" - In Smart Console: reset SIC with the re-deployed member and install policy ## Inputs -| Name | Description | Type | Allowed values | Default | Required | -|----------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------|----------| -| vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | -| public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1 \"us-east-1b\" = 2} ) | map | n/a | n/a | yes | -| private_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 3 \"us-east-1b\" = 4} ) | map | n/a | n/a | yes | -| tgw_subnets_map | A map of pairs {availability-zone = subnet-suffix-number} for the tgw subnets. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | -| subnets_bit_length | Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20 | number | n/a | n/a | yes | -| gateway_name | (Optional) The name tag of the Security Gateway instances | string | n/a | Check-Point-Cluster-tf | no | -| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | -| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | -| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with each cluster member, in addition to the shared cluster Elastic IP | bool | true/false | true | no | -| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | -| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | -| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | -| enable_instance_connect | Enable AWS Instance Connect. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | -| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | -| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | -| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances | map(string) | n/a | {} | no | -| predefined_role | (Optional) A predefined IAM role to attach to the cluster profile | string | n/a | "" | no | -| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | -| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | -| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | -| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | -| memberAToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | -| memberBToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | -| resources_tag_name | (Optional) Name tag prefix of the resources | string | n/a | "" | no | -| gateway_hostname | (Optional) The host name will be appended with member-a/b accordingly. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | -| allow_upload_download | Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point | bool | true/false | true | no | -| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | -| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | -| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | -| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | -| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | - +| Name | Description | Type | Allowed values | Default | Required | 
+|----------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| +| vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | +| public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1 \"us-east-1b\" = 2} ) | map | n/a | n/a | yes | +| private_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 3 \"us-east-1b\" = 4} ) | map | n/a | n/a | yes | +| tgw_subnets_map | A map of pairs {availability-zone = subnet-suffix-number} for the tgw subnets. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | +| subnets_bit_length | Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20 | number | n/a | n/a | yes | +| gateway_name | (Optional) The name tag of the Security Gateway instances | string | n/a | Check-Point-Cluster-tf | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | +| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with each cluster member, in addition to the shared cluster Elastic IP | bool | true/false | true | no | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | +| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | +| enable_instance_connect | Enable AWS Instance Connect. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances | map(string) | n/a | {} | no | +| predefined_role | (Optional) A predefined IAM role to attach to the cluster profile | string | n/a | "" | no | +| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| memberAToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| memberBToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| resources_tag_name | (Optional) Name tag prefix of the resources | string | n/a | "" | no | +| gateway_hostname | (Optional) The host name will be appended with member-a/b accordingly. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | +| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | +| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | ## Outputs | Name | Description | @@ -190,20 +189,17 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 20221123 | First release of Check Point Security Cluster Terraform module for AWS | -| 20221229 | Removed unsupported versions | -| 20221123 | R81.20 version support | -| 20230411 | - Improved deployment experience for gateways and clusters managed by Smart-1 Cloud
- Multiple VIPs support for Cross Availability Zone Cluster. For more details refer to the [Cross Availability Zone Cluster for AWS R81.20 Administration Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/Content/Topics-AWS-CrossAZ-Cluster-AG/Check-Point-CloudGuard-for-AWS.htm) -> "Deploying Cross AZ Cluster with multiple VIPs" section. | -| 20230503 | Smart-1 Cloud token validation | -| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | -| 20230829 | Change default Check Point version to R81.20 | -| 20230806 | Add support for c6in instance type | -| 20230914 | Add support for maintenance mode password | -| 20230923 | Add support for C5d instance type | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | - - +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230503 | Smart-1 Cloud token validation | +| 20230411 | - Improved deployment experience for gateways and clusters managed by Smart-1 Cloud
- Multiple VIPs support for Cross Availability Zone Cluster. For more details refer to the [Cross Availability Zone Cluster for AWS R81.20 Administration Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/Content/Topics-AWS-CrossAZ-Cluster-AG/Check-Point-CloudGuard-for-AWS.htm) -> "Deploying Cross AZ Cluster with multiple VIPs" section. | +| 20221123 | R81.20 version support | +| 20221229 | Removed unsupported versions | +| 20221123 | First release of Check Point Security Cluster Terraform module for AWS | ## License diff --git a/terraform/aws/tgw-cross-az-cluster-master/terraform.tfvars b/terraform/aws/tgw-cross-az-cluster-master/terraform.tfvars index 2a1fee10..a7403f7b 100755 --- a/terraform/aws/tgw-cross-az-cluster-master/terraform.tfvars +++ b/terraform/aws/tgw-cross-az-cluster-master/terraform.tfvars @@ -18,7 +18,7 @@ subnets_bit_length = 8 // --- EC2 Instance Configuration --- gateway_name = "Check-Point-Cluster-tf" -gateway_instance_type = "c5.xlarge" +gateway_instance_type = "c6in.xlarge" key_name = "publickey" volume_size = 100 volume_encryption = "alias/aws/ebs" diff --git a/terraform/aws/tgw-cross-az-cluster-master/variables.tf b/terraform/aws/tgw-cross-az-cluster-master/variables.tf index 1485389b..8d14327a 100755 --- a/terraform/aws/tgw-cross-az-cluster-master/variables.tf +++ b/terraform/aws/tgw-cross-az-cluster-master/variables.tf @@ -59,7 +59,7 @@ variable "gateway_name" { variable "gateway_instance_type" { type = string description = "The instance type of the Security Gateways" - default = "c5.xlarge" + default = "c6in.xlarge" } module "validate_instance_type" { source = "../modules/common/instance_type" diff --git a/terraform/aws/tgw-cross-az-cluster/README.md b/terraform/aws/tgw-cross-az-cluster/README.md index 1dcb1b0c..a8fd8013 100755 --- a/terraform/aws/tgw-cross-az-cluster/README.md +++ b/terraform/aws/tgw-cross-az-cluster/README.md 
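Review bot: The new default `c6in.xlarge` in `variable "gateway_instance_type"` is not reflected in this commit's README hunk for tgw-cross-az-cluster-master, whose rewritten Inputs table still ends the gateway_instance_type row with `| c5.xlarge | no |`; that cell should read `| c6in.xlarge | no |` so the documented default matches variables.tf and terraform.tfvars. The same README's Template Version table is reordered here but gains no row for the default change, so an entry such as `| <YYYYMMDD placeholder> | Change default gateway instance type to c6in.xlarge |` would keep the changelog in step with the code. The tgw-asg variables.tf hunk earlier in the patch makes the identical default change; its README Inputs table is not in view, so it is worth checking for the same stale `c5.xlarge` default. The `variable` block is fully shown in the hunk, but the following `module "validate_instance_type"` block continues past it.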
@@ -134,42 +134,40 @@ secret_key = "my-secret-key" - In Smart Console: reset SIC with the re-deployed member and install policy ## Inputs -| Name | Description | Type | Allowed values | Default | Required | -|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| -| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | -| public_subnet_id | The public subnet of the cluster. The cluster's public IPs will be generated from this subnet | string | n/a | n/a | yes | -| private_subnet_id | The private subnet of the cluster. The cluster's private IPs will be generated from this subnet | string | n/a | n/a | yes | -| tgw_subnet_1_id | The TGW attachment subnet ID located in the 1st Availability Zone | string | n/a | n/a | yes | -| tgw_subnet_2_id | The TGW attachment subnet ID located in the 2st Availability Zone | string | n/a | n/a | yes | -| private_route_table | (Optional) Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route | string | n/a | "" | no | -| gateway_name | (Optional) The name tag of the Security Gateway instances | string | n/a | Check-Point-Cluster-tf | no | -| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | -| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | -| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with each cluster member, in addition to the shared cluster Elastic IP | bool | true/false | true | no | -| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | -| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | -| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | -| enable_instance_connect | Enable AWS Instance Connect. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | -| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | -| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | -| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances | map(string) | n/a | {} | no | -| predefined_role | (Optional) A predefined IAM role to attach to the cluster profile | string | n/a | "" | no | -| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | -| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | -| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | -| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | -| memberAToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | -| memberBToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | -| resources_tag_name | (Optional) Name tag prefix of the resources | string | n/a | "" | no | -| gateway_hostname | (Optional) The host name will be appended with member-a/b accordingly. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | -| allow_upload_download | Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point | bool | true/false | true | no | -| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | -| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | -| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | -| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | -| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | -| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). 
(optional) | string | n/a | "" | no | - +| Name | Description | Type | Allowed values | Default | Required | +|----------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| public_subnet_id | The public subnet of the cluster. The cluster's public IPs will be generated from this subnet | string | n/a | n/a | yes | +| private_subnet_id | The private subnet of the cluster. The cluster's private IPs will be generated from this subnet | string | n/a | n/a | yes | +| tgw_subnet_1_id | The TGW attachment subnet ID located in the 1st Availability Zone | string | n/a | n/a | yes | +| tgw_subnet_2_id | The TGW attachment subnet ID located in the 2st Availability Zone | string | n/a | n/a | yes | +| private_route_table | (Optional) Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route | string | n/a | "" | no | +| gateway_name | (Optional) The name tag of the Security Gateway instances | string | n/a | Check-Point-Cluster-tf | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no |
+| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes |
+| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with each cluster member, in addition to the shared cluster Elastic IP | bool | true/false | true | no |
+| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no |
+| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no |
+| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no |
+| enable_instance_connect | Enable AWS Instance Connect. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no |
+| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no |
+| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes |
+| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances | map(string) | n/a | {} | no |
+| predefined_role | (Optional) A predefined IAM role to attach to the cluster profile | string | n/a | "" | no |
+| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no |
+| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes |
+| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no |
+| memberAToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no |
+| memberBToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no |
+| resources_tag_name | (Optional) Name tag prefix of the resources | string | n/a | "" | no |
+| gateway_hostname | (Optional) The host name will be appended with member-a/b accordingly. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no |
+| allow_upload_download | Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | +| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | +| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | ## Outputs | Name | Description | @@ -187,18 +185,18 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 20221123 | First release of Check Point Security Cluster Terraform module for AWS | -| 20221123 | R81.20 version support | -| 20221229 | Removed unsupported versions | -| 20230411 | - Improved deployment experience for gateways and clusters managed by Smart-1 Cloud
- Multiple VIPs support for Cross Availability Zone Cluster. For more details refer to the [Cross Availability Zone Cluster for AWS R81.20 Administration Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/Content/Topics-AWS-CrossAZ-Cluster-AG/Check-Point-CloudGuard-for-AWS.htm) -> "Deploying Cross AZ Cluster with multiple VIPs" section. |
-| 20230503 | Smart-1 Cloud token validation |
-| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname |
-| 20230806 | Add support for c6in instance type |
-| 20230829 | Change default Check Point version to R81.20 |
-| 20230914 | Add support for maintenance mode password |
-| 20230923 | Add support for C5d instance type |
-| 20231012 | Update AWS Terraform provider version to 5.20.1 |
 | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only |
+| 20231012 | Update AWS Terraform provider version to 5.20.1 |
+| 20230923 | Add support for C5d instance type |
+| 20230914 | Add support for maintenance mode password |
+| 20230829 | Change default Check Point version to R81.20 |
+| 20230806 | Add support for c6in instance type |
+| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname |
+| 20230503 | Smart-1 Cloud token validation |
+| 20230411 | - Improved deployment experience for gateways and clusters managed by Smart-1 Cloud
- Multiple VIPs support for Cross Availability Zone Cluster. For more details refer to the [Cross Availability Zone Cluster for AWS R81.20 Administration Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_for_AWS_Cross_AZ_Cluster/Content/Topics-AWS-CrossAZ-Cluster-AG/Check-Point-CloudGuard-for-AWS.htm) -> "Deploying Cross AZ Cluster with multiple VIPs" section. |
+| 20221229 | Removed unsupported versions |
+| 20221123 | R81.20 version support |
+| 20221123 | First release of Check Point Security Cluster Terraform module for AWS |
 ## License
diff --git a/terraform/aws/tgw-cross-az-cluster/terraform.tfvars b/terraform/aws/tgw-cross-az-cluster/terraform.tfvars
index c1008d0d..64e995b8 100755
--- a/terraform/aws/tgw-cross-az-cluster/terraform.tfvars
+++ b/terraform/aws/tgw-cross-az-cluster/terraform.tfvars
@@ -12,7 +12,7 @@ private_route_table = ""
 // --- EC2 Instance Configuration ---
 gateway_name = "Check-Point-Cluster-tf"
-gateway_instance_type = "c5.xlarge"
+gateway_instance_type = "c6in.xlarge"
 key_name = "publickey"
 volume_size = 100
 volume_encryption = "alias/aws/ebs"
diff --git a/terraform/aws/tgw-cross-az-cluster/variables.tf b/terraform/aws/tgw-cross-az-cluster/variables.tf
index eb330795..9f17451b 100755
--- a/terraform/aws/tgw-cross-az-cluster/variables.tf
+++ b/terraform/aws/tgw-cross-az-cluster/variables.tf
@@ -60,7 +60,7 @@ variable "gateway_name" {
 variable "gateway_instance_type" {
 type = string
 description = "The instance type of the Security Gateways"
- default = "c5.xlarge"
+ default = "c6in.xlarge"
 }
 module "validate_instance_type" {
 source = "../modules/common/instance_type"
diff --git a/terraform/aws/tgw-gwlb-master/README.md b/terraform/aws/tgw-gwlb-master/README.md
index fa8a0ffd..a28b180a 100755
--- a/terraform/aws/tgw-gwlb-master/README.md
+++ b/terraform/aws/tgw-gwlb-master/README.md
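Review bot: The new default `c6in.xlarge` for `gateway_instance_type` in variables.tf, and the same value written into terraform.tfvars in the preceding hunk, is not carried into the module's README: the new side of the tgw-cross-az-cluster Inputs table earlier in this patch still ends the gateway_instance_type row with `| c5.xlarge | no |`, so the documented default no longer matches the code. That row's trailing cells should read `| c6in.xlarge | no |`, and the Template Version table, which this patch only reorders, would normally get a dated entry such as `| <DATE> | Change default gateway instance type to c6in.xlarge |` so operators can see that a plan now picks a different family. The c6in family is not offered in every region; if `module.validate_instance_type` (its source lives outside this hunk) only checks membership in the allowed list, a deployment in such a region fails at apply time with the new default where `c5.xlarge` previously worked, which is worth confirming before the variable default is changed rather than only the example tfvars.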
@@ -175,59 +175,58 @@ secret_key = "my-secret-key" ``` ## Inputs -| Name | Description | Type | Allowed values | Default | Required | -|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|-----------| -| vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | -| subnets_bit_length | Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20 | number | n/a | n/a | yes | -| public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | -| availability_zones | The Availability Zones (AZs) to use for the subnets in the VPC. | string | n/a | n/a | yes | -| Number_of_AZs | Number of Availability Zones to use in the VPC. | number | n/a | 2 | yes | -| tgw_subnets_map | A map of pairs {availability-zone = subnet-suffix-number} for the tgw subnets. Each entry creates a subnet. Minimum 2 pairs. (e.g. 
{\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | -| nat_gw_subnet_1_cidr | CIDR block for NAT subnet 1 located in the 1st Availability Zone | string | n/a | 10.0.13.0/24 | yes | -| nat_gw_subnet_2_cidr | CIDR block for NAT subnet 2 located in the 2st Availability Zone | string | n/a | 10.0.23.0/24 | yes | -| nat_gw_subnet_3_cidr | CIDR block for NAT subnet 3 located in the 3st Availability Zone | string | n/a | 10.0.33.0/24 | yes | -| nat_gw_subnet_4_cidr | CIDR block for NAT subnet 4 located in the 4st Availability Zone | string | n/a | 10.0.43.0/24 | yes | -| gwlbe_subnet_1_cidr | CIDR block for GWLBe subnet 1 located in the 1st Availability Zone | string | n/a | 10.0.14.0/24 | yes | -| gwlbe_subnet_2_cidr | CIDR block for GWLBe subnet 2 located in the 2st Availability Zone | string | n/a | 10.0.24.0/24 | yes | -| gwlbe_subnet_3_cidr | CIDR block for GWLBe subnet 3 located in the 3st Availability Zone | string | n/a | 10.0.34.0/24 | yes | -| gwlbe_subnet_4_cidr | CIDR block for GWLBe subnet 4 located in the 4st Availability Zone | string | n/a | 10.0.44.0/24 | yes | -| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | -| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | -| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | -| disable_instance_termination | Prevents an instance from accidental termination. 
Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no |
-| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes |
-| volume_size | Instances volume size | number | n/a | 100 | no |
-| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no |
-| management_server | The name that represents the Security Management Server in the automatic provisioning configuration. | string | n/a | CP-Management-gwlb-tf | yes |
-| configuration_template | The tag is used by the Security Management Server to automatically provision the Security Gateways. Must be up to 12 alphanumeric characters and unique for each Quick Start deployment | string | n/a | gwlb-ter | no |
-| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | -| gateway_load_balancer_name | Load Balancer name in AWS | string | n/a | gwlb-terraform | yes | -| target_group_name | Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. | string | n/a | tg1-terraform | yes | -| connection_acceptance_required | Indicate whether requests from service consumers to create an endpoint to your service must be accepted. Default is set to false(acceptance not required). | bool | true/false | false | yes | -| enable_cross_zone_load_balancing | Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges. | bool | true/false | true | yes | -| gateway_name | The name tag of the Security Gateway instances. (optional) | string | n/a | gwlb-terraform | yes | -| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no |
-| gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no |
-| gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no |
-| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no |
-| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no |
-| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes |
-| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no |
-| gateway_bootstrap_script | (Optional) An optional script with semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no |
-| gateways_provision_address_type | Determines if the gateways are provisioned using their private or public address. | string | - private
- public | private | no |
-| allocate_public_IP | Allocate a Public IP for gateway members. | bool | true/false | false | no |
-| management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no |
-| management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no |
-| management_version | The license to install on the Security Management Server | string | - R80.40-BYOL
- R80.40-PAYG
- R81-BYOL
- R81-PAYG
- R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG | R81.20-BYOL | no |
-| management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no |
-| gateways_policy | The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group | string | n/a | Standard | no |
-| gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. | string | - Locally managed
- Over the internet | Locally managed | no |
-| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no |
-| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR | n/a | no |
-| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | -| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | -| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | - +| Name | Description | Type | Allowed values | Default | Required | +|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|----------| +| vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | +| subnets_bit_length | Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20 | number | n/a | n/a | yes | +| public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. 
{\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | +| availability_zones | The Availability Zones (AZs) to use for the subnets in the VPC. | string | n/a | n/a | yes | +| Number_of_AZs | Number of Availability Zones to use in the VPC. | number | n/a | 2 | yes | +| tgw_subnets_map | A map of pairs {availability-zone = subnet-suffix-number} for the tgw subnets. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | +| nat_gw_subnet_1_cidr | CIDR block for NAT subnet 1 located in the 1st Availability Zone | string | n/a | 10.0.13.0/24 | yes | +| nat_gw_subnet_2_cidr | CIDR block for NAT subnet 2 located in the 2st Availability Zone | string | n/a | 10.0.23.0/24 | yes | +| nat_gw_subnet_3_cidr | CIDR block for NAT subnet 3 located in the 3st Availability Zone | string | n/a | 10.0.33.0/24 | yes | +| nat_gw_subnet_4_cidr | CIDR block for NAT subnet 4 located in the 4st Availability Zone | string | n/a | 10.0.43.0/24 | yes | +| gwlbe_subnet_1_cidr | CIDR block for GWLBe subnet 1 located in the 1st Availability Zone | string | n/a | 10.0.14.0/24 | yes | +| gwlbe_subnet_2_cidr | CIDR block for GWLBe subnet 2 located in the 2st Availability Zone | string | n/a | 10.0.24.0/24 | yes | +| gwlbe_subnet_3_cidr | CIDR block for GWLBe subnet 3 located in the 3st Availability Zone | string | n/a | 10.0.34.0/24 | yes | +| gwlbe_subnet_4_cidr | CIDR block for GWLBe subnet 4 located in the 4st Availability Zone | string | n/a | 10.0.44.0/24 | yes | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | +| enable_instance_connect | Enable SSH connection over AWS web console. 
Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| volume_size | Instances volume size | number | n/a | 100 | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| management_server | The name that represents the Security Management Server in the automatic provisioning configuration. | string | n/a | CP-Management-gwlb-tf | yes | +| configuration_template | The tag is used by the Security Management Server to automatically provision the Security Gateways. Must be up to 12 alphanumeric characters and unique for each Quick Start deployment | string | n/a | gwlb-ter | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_load_balancer_name | Load Balancer name in AWS | string | n/a | gwlb-terraform | yes | +| target_group_name | Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. | string | n/a | tg1-terraform | yes | +| connection_acceptance_required | Indicate whether requests from service consumers to create an endpoint to your service must be accepted. Default is set to false(acceptance not required). | bool | true/false | false | yes | +| enable_cross_zone_load_balancing | Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges. | bool | true/false | true | yes | +| gateway_name | The name tag of the Security Gateway instances. (optional) | string | n/a | gwlb-terraform | yes | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | +| gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | +| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) An optional script with semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| gateways_provision_address_type | Determines if the gateways are provisioned using their private or public address. | string | - private
- public | private | no | +| allocate_public_IP | Allocate a Public IP for gateway members. | bool | true/false | false | no | +| management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | +| management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | +| management_version | The license to install on the Security Management Server | string | - R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG | R81.20-BYOL | no | +| management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateways_policy | The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group | string | n/a | Standard | no | +| gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. | string | - Locally managed
- Over the internet | Locally managed | no | +| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | +| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | ## Outputs | Name | Description | 
@@ -247,17 +246,18 @@ In order to check the template version, please refer to [sk116585](https://suppo
 | Template Version | Description |
 |------------------|----------------------------------------------------------------------------------------------------------------------------|
-| 20220414 | First release of Check Point CloudGuar d Network Gateway Load Balancer for Transit Gateway Master Terraform module for AWS |
-| 20220606 | New instance type support |
-| 20221123 | R81.20 version support |
-| 20221226 | Support ASG Launch Template instead of Launch Configuration |
-| 20230806 | Add support for c6in instance type |
-| 20230829 | Change default Check Point version to R81.20 |
-| 20230910 | Add bootstrap script execution option for deployed gateways |
-| 20230914 | Add support for maintenance mode password |
-| 20230923 | Add support for C5d instance type |
-| 20231012 | Update AWS Terraform provider version to 5.20.1 |
+| 20240704 | R80.40 version deprecation |
 | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only |
+| 20231012 | Update AWS Terraform provider version to 5.20.1 |
+| 20230923 | Add support for C5d instance type |
+| 20230914 | Add support for maintenance mode password |
+| 20230910 | Add bootstrap script execution option for deployed gateways |
+| 20230829 | Change default Check Point version to R81.20 |
+| 20230806 | Add support for c6in instance type |
+| 20221226 | Support ASG Launch Template instead of Launch Configuration |
+| 20221123 | R81.20 version support |
+| 20220606 | New instance type support |
+| 20220414 | First release of Check Point CloudGuar d Network Gateway Load Balancer for Transit Gateway Master Terraform module for AWS |
 ## License
diff --git a/terraform/aws/tgw-gwlb-master/terraform.tfvars b/terraform/aws/tgw-gwlb-master/terraform.tfvars
index bdb7a361..57cb8a02 100755
--- a/terraform/aws/tgw-gwlb-master/terraform.tfvars
+++ b/terraform/aws/tgw-gwlb-master/terraform.tfvars
@@ -48,7 +48,7 @@ enable_cross_zone_load_balancing = "true"
 // --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration ---
 gateway_name = "Check-Point-GW-tf"
-gateway_instance_type = "c5.xlarge"
+gateway_instance_type = "c6in.xlarge"
 minimum_group_size = 2
 maximum_group_size = 10
 gateway_version = "R81.20-BYOL"
diff --git a/terraform/aws/tgw-gwlb-master/variables.tf b/terraform/aws/tgw-gwlb-master/variables.tf
index af425811..830caffa 100755
--- a/terraform/aws/tgw-gwlb-master/variables.tf
+++ b/terraform/aws/tgw-gwlb-master/variables.tf
@@ -193,7 +193,7 @@ variable "gateway_name" {
 variable "gateway_instance_type" {
 type = string
 description = "The EC2 instance type for the Security Gateways."
-default = "c5.xlarge"
+default = "c6in.xlarge"
 }
 module "validate_instance_type" {
 source = "../modules/common/instance_type"
diff --git a/terraform/aws/tgw-gwlb/README.md b/terraform/aws/tgw-gwlb/README.md
index a01c29bc..5daec1a3 100755
--- a/terraform/aws/tgw-gwlb/README.md
+++ b/terraform/aws/tgw-gwlb/README.md
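Review bot: The new `default = "c6in.xlarge"` in variables.tf is not reflected in the module's README, whose Inputs table (rewritten earlier in this same patch) still lists the `gateway_instance_type` default as `c5.xlarge`, so users reading the docs will plan with a different instance type than the one they actually get. The Template Version table in that README also gains only the "R80.40 version deprecation" row and nothing records the default change; a row describing it (for example `| <version> | Change default gateway instance type to c6in.xlarge |`) would keep the changelog honest. While touching that table, it appears to name `gateways_min_group_size`/`gateways_max_group_size` whereas terraform.tfvars uses `minimum_group_size`/`maximum_group_size`, so the doc seems out of sync with the variables in more than one place — worth confirming against variables.tf. Since `module "validate_instance_type"` enforces the allowed set, also confirm that `c6in.xlarge` is accepted by the validation list in `../modules/common/instance_type`, which is outside this hunk.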
@@ -171,62 +171,61 @@ secret_key = "my-secret-key" ``` ## Inputs -| Name | Description | Type | Allowed values | Default | Required | -|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| -| vpc_id | Select an existing VPC | string | n/a | n/a | yes | -| internet_gateway_id | VPC's Internet Gateway Id | string | n/a | n/a | yes | -| availability_zones | The Availability Zones (AZs) to use for the subnets in the VPC. | string | n/a | n/a | yes | -| Number_of_AZs | Number of Availability Zones to use in the VPC. | number | n/a | 2 | yes | -| Gateways_subnets | Select at least 2 public subnets in the VPC. 
If you choose to deploy a Security Management Server it will be deployed in the first subnet | string | n/a | n/a | yes | -| transit_gateway_attachment_subnet_1_id | The TGW attachment subnet ID located in the 1st Availability Zone | string | n/a | n/a | yes | -| transit_gateway_attachment_subnet_2_id | The TGW attachment subnet ID located in the 2st Availability Zone | string | n/a | n/a | yes | -| transit_gateway_attachment_subnet_3_id | The TGW attachment subnet ID located in the 3st Availability Zone | string | n/a | n/a | yes | -| transit_gateway_attachment_subnet_4_id | The TGW attachment subnet ID located in the 4st Availability Zone | string | n/a | n/a | yes | -| nat_gw_subnet_1_cidr | CIDR block for NAT subnet 1 located in the 1st Availability Zone | string | n/a | 10.0.13.0/24 | yes | -| nat_gw_subnet_2_cidr | CIDR block for NAT subnet 2 located in the 2st Availability Zone | string | n/a | 10.0.23.0/24 | yes | -| nat_gw_subnet_3_cidr | CIDR block for NAT subnet 3 located in the 3st Availability Zone | string | n/a | 10.0.33.0/24 | yes | -| nat_gw_subnet_4_cidr | CIDR block for NAT subnet 4 located in the 4st Availability Zone | string | n/a | 10.0.43.0/24 | yes | -| gwlbe_subnet_1_cidr | CIDR block for GWLBe subnet 1 located in the 1st Availability Zone | string | n/a | 10.0.14.0/24 | yes | -| gwlbe_subnet_2_cidr | CIDR block for GWLBe subnet 2 located in the 2st Availability Zone | string | n/a | 10.0.24.0/24 | yes | -| gwlbe_subnet_3_cidr | CIDR block for GWLBe subnet 3 located in the 3st Availability Zone | string | n/a | 10.0.34.0/24 | yes | -| gwlbe_subnet_4_cidr | CIDR block for GWLBe subnet 4 located in the 4st Availability Zone | string | n/a | 10.0.44.0/24 | yes | -| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | -| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | -| management_server | The name that represents the 
Security Management Server in the automatic provisioning configuration. | string | n/a | CP-Management-gwlb-tf | yes | -| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | -| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | -| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | -| volume_size | Instances volume size | number | n/a | 100 | no | -| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | -| configuration_template | The tag is used by the Security Management Server to automatically provision the Security Gateways. Must be up to 12 alphanumeric characters and unique for each Quick Start deployment | string | n/a | gwlb-ter | no | -| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | -| gateway_load_balancer_name | Load Balancer name in AWS | string | n/a | gwlb-terraform | yes | -| target_group_name | Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. | string | n/a | tg1-terraform | yes | -| connection_acceptance_required | Indicate whether requests from service consumers to create an endpoint to your service must be accepted. Default is set to false(acceptance not required). | bool | true/false | false | yes | -| enable_cross_zone_load_balancing | Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges. | bool | true/false | true | yes | -| gateway_name | The name tag of the Security Gateway instances. (optional) | string | n/a | gwlb-terraform | yes | -| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | -| gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | -| gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | -| gateway_version | Gateway version and license | string | - R80.40-BYOL
- R80.40-PAYG-NGTP
- R80.40-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | -| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | -| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | -| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | -| gateway_bootstrap_script | (Optional) An optional script with semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | -| gateways_provision_address_type | Determines if the gateways are provisioned using their private or public address. | string | - private
- public | private | no | -| allocate_public_IP | Allocate a Public IP for gateway members. | bool | true/false | false | no | -| management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | -| management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | -| management_version | The license to install on the Security Management Server | string | - R80.40-BYOL
- R80.40-PAYG
- R81-BYOL
- R81-PAYG
- R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG | R81.20-BYOL | no | -| management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | -| gateways_policy | The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group | string | n/a | Standard | no | -| gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. | string | - Locally managed
- Over the internet | Locally managed | no | -| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | -| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | -| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | -| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | -| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | - +| Name | Description | Type | Allowed values | Default | Required | +|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|----------| +| vpc_id | Select an existing VPC | string | n/a | n/a | yes | +| internet_gateway_id | VPC's Internet Gateway Id | string | n/a | n/a | yes | +| availability_zones | The Availability Zones (AZs) to use for the subnets in the VPC. | string | n/a | n/a | yes | +| Number_of_AZs | Number of Availability Zones to use in the VPC. | number | n/a | 2 | yes | +| Gateways_subnets | Select at least 2 public subnets in the VPC. 
If you choose to deploy a Security Management Server it will be deployed in the first subnet | string | n/a | n/a | yes | +| transit_gateway_attachment_subnet_1_id | The TGW attachment subnet ID located in the 1st Availability Zone | string | n/a | n/a | yes | +| transit_gateway_attachment_subnet_2_id | The TGW attachment subnet ID located in the 2st Availability Zone | string | n/a | n/a | yes | +| transit_gateway_attachment_subnet_3_id | The TGW attachment subnet ID located in the 3st Availability Zone | string | n/a | n/a | yes | +| transit_gateway_attachment_subnet_4_id | The TGW attachment subnet ID located in the 4st Availability Zone | string | n/a | n/a | yes | +| nat_gw_subnet_1_cidr | CIDR block for NAT subnet 1 located in the 1st Availability Zone | string | n/a | 10.0.13.0/24 | yes | +| nat_gw_subnet_2_cidr | CIDR block for NAT subnet 2 located in the 2st Availability Zone | string | n/a | 10.0.23.0/24 | yes | +| nat_gw_subnet_3_cidr | CIDR block for NAT subnet 3 located in the 3st Availability Zone | string | n/a | 10.0.33.0/24 | yes | +| nat_gw_subnet_4_cidr | CIDR block for NAT subnet 4 located in the 4st Availability Zone | string | n/a | 10.0.43.0/24 | yes | +| gwlbe_subnet_1_cidr | CIDR block for GWLBe subnet 1 located in the 1st Availability Zone | string | n/a | 10.0.14.0/24 | yes | +| gwlbe_subnet_2_cidr | CIDR block for GWLBe subnet 2 located in the 2st Availability Zone | string | n/a | 10.0.24.0/24 | yes | +| gwlbe_subnet_3_cidr | CIDR block for GWLBe subnet 3 located in the 3st Availability Zone | string | n/a | 10.0.34.0/24 | yes | +| gwlbe_subnet_4_cidr | CIDR block for GWLBe subnet 4 located in the 4st Availability Zone | string | n/a | 10.0.44.0/24 | yes | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | +| management_server | The name that represents the 
Security Management Server in the automatic provisioning configuration. | string | n/a | CP-Management-gwlb-tf | yes | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| volume_size | Instances volume size | number | n/a | 100 | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| configuration_template | The tag is used by the Security Management Server to automatically provision the Security Gateways. Must be up to 12 alphanumeric characters and unique for each Quick Start deployment | string | n/a | gwlb-ter | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_load_balancer_name | Load Balancer name in AWS | string | n/a | gwlb-terraform | yes | +| target_group_name | Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. | string | n/a | tg1-terraform | yes | +| connection_acceptance_required | Indicate whether requests from service consumers to create an endpoint to your service must be accepted. Default is set to false(acceptance not required). | bool | true/false | false | yes | +| enable_cross_zone_load_balancing | Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges. | bool | true/false | true | yes | +| gateway_name | The name tag of the Security Gateway instances. (optional) | string | n/a | gwlb-terraform | yes | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | +| gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | +| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) An optional script with semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| gateways_provision_address_type | Determines if the gateways are provisioned using their private or public address. | string | - private
- public | private | no | +| allocate_public_IP | Allocate a Public IP for gateway members. | bool | true/false | false | no | +| management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | +| management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | +| management_version | The license to install on the Security Management Server | string | - R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG | R81.20-BYOL | no | +| management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| gateways_policy | The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group | string | n/a | Standard | no | +| gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. | string | - Locally managed
- Over the internet | Locally managed | no | +| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | +| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | +| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | ## Outputs | Name | Description | 
@@ -246,17 +245,18 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|--------------------------------------------------------------------------------------------------------------------| -| 20220414 | First release of Check Point CloudGuard Network Gateway Load Balancer for Transit Gateway Terraform module for AWS | -| 20220606 | New instance type support | -| 20221123 | R81.20 version support | -| 20221226 | Support ASG Launch Template instead of Launch Configuration | -| 20230806 | Add support for c6in instance type | -| 20230829 | Change default Check Point version to R81.20 | -| 20230910 | Add bootstrap script execution option for deployed gateways | -| 20230914 | Add support for maintenance mode password | -| 20230923 | Add support for C5d instance type | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20240704 | R80.40 version deprecation | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230910 | Add bootstrap script execution option for deployed gateways | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20221226 | Support ASG Launch Template instead of Launch Configuration | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20220414 | First release of Check Point CloudGuard Network Gateway Load Balancer for Transit Gateway Terraform module for AWS | ## License diff --git a/terraform/aws/tgw-gwlb/terraform.tfvars b/terraform/aws/tgw-gwlb/terraform.tfvars index 266b4d1a..e6df1c8b 100755 --- a/terraform/aws/tgw-gwlb/terraform.tfvars +++ b/terraform/aws/tgw-gwlb/terraform.tfvars 
@@ -41,7 +41,7 @@ enable_cross_zone_load_balancing = "true" // --- Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration --- gateway_name = "Check-Point-GW-tf" -gateway_instance_type = "c5.xlarge" +gateway_instance_type = "c6in.xlarge" minimum_group_size = 2 maximum_group_size = 10 gateway_version = "R81.20-BYOL" diff --git a/terraform/aws/tgw-gwlb/variables.tf b/terraform/aws/tgw-gwlb/variables.tf index 52b97b13..767885aa 100755 --- a/terraform/aws/tgw-gwlb/variables.tf +++ b/terraform/aws/tgw-gwlb/variables.tf @@ -201,7 +201,7 @@ variable "gateway_name" { variable "gateway_instance_type" { type = string description = "The EC2 instance type for the Security Gateways." - default = "c5.xlarge" + default = "c6in.xlarge" } module "validate_instance_type" { source = "../modules/common/instance_type" diff --git a/terraform/azure/high-availability-existing-vnet/README.md b/terraform/azure/high-availability-existing-vnet/README.md index c26e307a..666aec67 100755 --- a/terraform/azure/high-availability-existing-vnet/README.md +++ b/terraform/azure/high-availability-existing-vnet/README.md @@ -55,7 +55,7 @@ This solution uses the following modules: - sku = vm_os_sku (see accepted values in the table below); - version = latest

Example:
- az vm image terms accept --urn checkpoint:check-point-cg-r8040:sg-byol:latest + az vm image terms accept --urn checkpoint:check-point-cg-r8120:sg-byol:latest - In the terraform.tfvars file leave empty double quotes for client_secret, client_id and tenant_id variables. @@ -115,9 +115,9 @@ This solution uses the following modules: | | | | | | | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license; | n/a | | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r81.10";
"check-point-cg-r81.20"; | n/a | + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r81";
"check-point-cg-r81.10";
"check-point-cg-r81.20"; | n/a | | | | | | | - | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120"; | n/a | + | **os_version** | GAIA OS version | string | "R81";
"R8110";
"R8120"; | n/a | | | | | | | | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | n/a | | | | | | | @@ -214,24 +214,22 @@ availability_type = "Availability Zone" ## Revision History In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) -| Template Version | Description | -| ---------------- |----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 20240613 | - Updated Azure Terraform provider version
- Updated managed identity permissions
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Added validation for os_version & os_offer | -| | | | -| 20230910 | - R81.20 is the default version | -| | | | -| 20230212 | - Added Smart-1 Cloud support | -| | | | -| 20221124 | - Added R81.20 support
- Upgraded azurerm provider | -| | | | -| 20220111 | - Added support to select different shells. | -| | | | -| 20210309 | - Add "source_image_vhd_uri" variable for using a custom development image | -| | | | -| 20210111 | First release of Check Point CloudGuard IaaS High Availability Terraform deployment into an existing Vnet in Azure. | -| | | | -| | Addition of "templateType" parameter to "cloud-version" files. | -| | | | +| Template Version | Description | +| ---------------- | ------------- | +| 20230910 | - R81.20 is the default version | +| | | | +| 20230212 | - Added Smart-1 Cloud support | +| | | | +| 20221124 | - Added R81.20 support
- Upgraded azurerm provider | +| | | | +| 20220111 | - Added support to select different shells. | +| | | | +| 20210309 | - Add "source_image_vhd_uri" variable for using a custom development image | +| | | | +| 20210111 | First release of Check Point CloudGuard IaaS High Availability Terraform deployment into an existing Vnet in Azure. | +| | | | +| | Addition of "templateType" parameter to "cloud-version" files. | +| | | | ## License diff --git a/terraform/azure/high-availability-existing-vnet/main.tf b/terraform/azure/high-availability-existing-vnet/main.tf index 934102da..86cf812b 100755 --- a/terraform/azure/high-availability-existing-vnet/main.tf +++ b/terraform/azure/high-availability-existing-vnet/main.tf @@ -284,6 +284,7 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { location = module.common.resource_group_location account_tier = module.common.storage_account_tier account_replication_type = module.common.account_replication_type + min_tls_version = "TLS1_2" network_rules { default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow" ip_rules = module.common.storage_account_ip_rules diff --git a/terraform/azure/high-availability-existing-vnet/variables.tf b/terraform/azure/high-availability-existing-vnet/variables.tf index c11fa238..4aa5ca72 100755 --- a/terraform/azure/high-availability-existing-vnet/variables.tf +++ b/terraform/azure/high-availability-existing-vnet/variables.tf @@ -115,7 +115,6 @@ variable "os_version" { locals { // locals for 'vm_os_offer' allowed values os_version_allowed_values = [ - "R8040", "R81", "R8110", "R8120" 
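Review bot: The new `min_tls_version = "TLS1_2"` raises the transport floor on the boot-diagnostics storage account, but the `network_rules` right after it still fall back to `default_action = "Allow"` whenever `add_storage_account_ip_rules` is false, so by default the account stays reachable from any network and only the protocol version changed. If the parts of this resource outside the hunk (its opening lines and the rest of `network_rules`) do not already set them, pairing the new line with `allow_nested_items_to_be_public = false` and an explicit `https_traffic_only_enabled = true` (`enable_https_traffic_only` on azurerm 3.x) would complete the hardening; the defaults for both vary by provider major version. Because azurerm 3.x already defaults `min_tls_version` to `TLS1_2`, a comment such as `# Explicit TLS 1.2 floor; keep even where the provider default matches` would stop a later cleanup dropping the line as redundant.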
@@ -130,13 +129,12 @@ variable "vm_os_sku" { } variable "vm_os_offer" { - description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8040, check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" + description = "The name of the image offer to be deployed.Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" type = string } locals { // locals for 'vm_os_offer' allowed values vm_os_offer_allowed_values = [ - "check-point-cg-r8040", "check-point-cg-r81", "check-point-cg-r8110", "check-point-cg-r8120" diff --git a/terraform/azure/high-availability-new-vnet/README.md b/terraform/azure/high-availability-new-vnet/README.md index 51153c0a..2218fd5a 100755 --- a/terraform/azure/high-availability-new-vnet/README.md +++ b/terraform/azure/high-availability-new-vnet/README.md @@ -59,7 +59,7 @@ This solution uses the following modules: - sku = vm_os_sku (see accepted values in the table below); - version = latest
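Review bot: The rewritten `description` on `vm_os_offer` keeps the typo `deployed.Choose` (no space after the period) and hard-codes the same list that `local.vm_os_offer_allowed_values` holds a few lines below, which is exactly why this deprecation had to be edited in two places. Variable descriptions cannot interpolate locals, so consider making the description generic, `description = "The name of the image offer to be deployed. See local.vm_os_offer_allowed_values for the accepted values."`, and letting whatever check consumes the local report the accepted values. The `locals` block that follows `variable "vm_os_offer"` ends outside the hunk.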

Example:
- az vm image terms accept --urn checkpoint:check-point-cg-r8040:sg-byol:latest + az vm image terms accept --urn checkpoint:check-point-cg-r8120:sg-byol:latest - In the terraform.tfvars file leave empty double quotes for client_secret, client_id and tenant_id variables. @@ -113,9 +113,9 @@ This solution uses the following modules: | | | | | | | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license;| n/a | | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a | + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a | | | | | | | - | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120"; | n/a | + | **os_version** | GAIA OS version | string | "R81";
"R8110";
"R8120"; | n/a | | | | | | | | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | n/a | | | | | | | @@ -215,8 +215,6 @@ In order to check the template version refer to the [sk116585](https://supportce | Template Version | Description | | ---------------- | ------------- | -| 20240613 | - Updated Azure Terraform provider version
- Updated managed identity permissions
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Added validation for os_version & os_offer | -| | | | | 20230910 | - R81.20 is the default version | | | | | | 20230212 | - Added Smart-1 Cloud support | diff --git a/terraform/azure/high-availability-new-vnet/main.tf b/terraform/azure/high-availability-new-vnet/main.tf index 1506b913..641826ed 100755 --- a/terraform/azure/high-availability-new-vnet/main.tf +++ b/terraform/azure/high-availability-new-vnet/main.tf @@ -303,6 +303,7 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { location = module.common.resource_group_location account_tier = module.common.storage_account_tier account_replication_type = module.common.account_replication_type + min_tls_version = "TLS1_2" network_rules { default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow" ip_rules = module.common.storage_account_ip_rules diff --git a/terraform/azure/high-availability-new-vnet/variables.tf b/terraform/azure/high-availability-new-vnet/variables.tf index 6bb79338..15e5ee4e 100755 --- a/terraform/azure/high-availability-new-vnet/variables.tf +++ b/terraform/azure/high-availability-new-vnet/variables.tf @@ -115,7 +115,6 @@ variable "os_version" { locals { // locals for 'vm_os_offer' allowed values os_version_allowed_values = [ - "R8040", "R81", "R8110", "R8120" @@ -130,13 +129,12 @@ variable "vm_os_sku" { } variable "vm_os_offer" { - description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8040, check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" + description = "The name of the image offer to be deployed.Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" type = string } locals { // locals for 'vm_os_offer' allowed values vm_os_offer_allowed_values = [ - "check-point-cg-r8040", "check-point-cg-r81", "check-point-cg-r8110", "check-point-cg-r8120" diff --git a/terraform/azure/management-existing-vnet/README.md b/terraform/azure/management-existing-vnet/README.md index 3ab73dbd..e2877075 100755 
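Review bot: Setting `min_tls_version = "TLS1_2"` on `vm-boot-diagnostics-storage` only tightens the protocol; the `network_rules` block below it still uses `default_action = "Allow"` unless `add_storage_account_ip_rules` is true, so the account remains open to all networks in the default configuration. Unless the lines of this resource outside the hunk already do so, consider adding `allow_nested_items_to_be_public = false` and an explicit `https_traffic_only_enabled = true` (`enable_https_traffic_only` on azurerm 3.x) beside the new line, since their defaults depend on the provider major version. A one-line comment like `# Explicit TLS 1.2 floor; intentional even where the provider default matches` would also prevent the line being removed as redundant on azurerm 3.x, where `TLS1_2` is already the default.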
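Review bot: The new `description` for `vm_os_offer` still reads `deployed.Choose` (missing space) and duplicates the list kept in `local.vm_os_offer_allowed_values` further down, so every future deprecation must be made in both places as this commit had to. Since a variable description cannot reference locals, a generic wording such as `description = "The name of the image offer to be deployed. See local.vm_os_offer_allowed_values for the accepted values."` avoids the drift and lets the consuming check list the values. The `locals` block ends outside this hunk.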
--- a/terraform/azure/management-existing-vnet/README.md +++ b/terraform/azure/management-existing-vnet/README.md @@ -54,7 +54,7 @@ This solution uses the following modules: - sku = vm_os_sku (see accepted values in the table below); - version = latest

Example:
- az vm image terms accept --urn checkpoint:check-point-cg-r8040:sg-byol:latest + az vm image terms accept --urn checkpoint:check-point-cg-r8120:sg-byol:latest - In the terraform.tfvars file leave empty double quotes for client_secret, client_id and tenant_id variables. @@ -108,9 +108,9 @@ This solution uses the following modules: | | | | | | | **vm_os_sku** | A sku of the image to be deployed | string | "mgmt-byol" - BYOL license;
"mgmt-25" - PAYG; | n/a | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a | | | | | | - | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120";| n/a + | **os_version** | GAIA OS version | string | "R81";
"R8110";
"R8120";| n/a | | | | | | | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | "" | | | | | | @@ -168,8 +168,6 @@ In order to check the template version refer to the [sk116585](https://supportce | Template Version | Description | | ---------------- | ------------- | -| 20240613 | - Updated Azure Terraform provider version
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Updated Public IP sku to Standard
- Added validation for os_version & os_offer | -| | | | | 20230910 | - R81.20 is the default version | | | | | | 20221124 | - Added R81.20 support
- Upgraded azurerm provider | diff --git a/terraform/azure/management-existing-vnet/main.tf b/terraform/azure/management-existing-vnet/main.tf index a471b842..ed9b2b85 100755 --- a/terraform/azure/management-existing-vnet/main.tf +++ b/terraform/azure/management-existing-vnet/main.tf @@ -196,6 +196,7 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { account_tier = module.common.storage_account_tier account_replication_type = module.common.account_replication_type account_kind = "Storage" + min_tls_version = "TLS1_2" network_rules { default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow" ip_rules = module.common.storage_account_ip_rules diff --git a/terraform/azure/management-existing-vnet/variables.tf b/terraform/azure/management-existing-vnet/variables.tf index 6030652b..ec9272a4 100755 --- a/terraform/azure/management-existing-vnet/variables.tf +++ b/terraform/azure/management-existing-vnet/variables.tf @@ -89,7 +89,6 @@ variable "os_version" { locals { // locals for 'vm_os_offer' allowed values os_version_allowed_values = [ - "R8040", "R81", "R8110", "R8120" @@ -104,13 +103,12 @@ variable "vm_os_sku" { } variable "vm_os_offer" { - description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8040, check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" + description = "The name of the image offer to be deployed.Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" type = string } locals { // locals for 'vm_os_offer' allowed values vm_os_offer_allowed_values = [ - "check-point-cg-r8040", "check-point-cg-r81", "check-point-cg-r8110", "check-point-cg-r8120", diff --git a/terraform/azure/management-new-vnet/README.md b/terraform/azure/management-new-vnet/README.md index f744dccc..8851e3d6 100755 --- a/terraform/azure/management-new-vnet/README.md +++ b/terraform/azure/management-new-vnet/README.md 
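Review bot: `min_tls_version = "TLS1_2"` is a good floor for the management boot-diagnostics account, but it does not change exposure: `network_rules` two lines below still resolves to `default_action = "Allow"` when `add_storage_account_ip_rules` is false, so any network can reach the account unless the operator opts in to IP rules. If the remainder of this resource (opening and closing lines are outside the hunk) does not already set them, `allow_nested_items_to_be_public = false` and an explicit `https_traffic_only_enabled = true` (`enable_https_traffic_only` on azurerm 3.x) would round out the change, as their defaults differ between provider majors. Consider a comment such as `# Explicit TLS 1.2 floor; keep even where the provider default matches` so the line is not dropped as redundant on azurerm 3.x.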
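Review bot: The updated `vm_os_offer` description still carries the `deployed.Choose` typo and repeats the list that `local.vm_os_offer_allowed_values` already defines below, which forces two edits per deprecation. Variable descriptions cannot interpolate, so a generic text such as `description = "The name of the image offer to be deployed. See local.vm_os_offer_allowed_values for the accepted values."` keeps a single source of truth. The trailing comma after `"check-point-cg-r8120",` suggests the list continues outside the hunk; the `locals` block ends there too.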
@@ -56,7 +56,7 @@ This solution uses the following modules: - sku = vm_os_sku (see accepted values in the table below); - version = latest

Example:
- az vm image terms accept --urn checkpoint:check-point-cg-r8040:sg-byol:latest + az vm image terms accept --urn checkpoint:check-point-cg-r8120:sg-byol:latest - In the terraform.tfvars file leave empty double quotes for client_secret, client_id and tenant_id variables. @@ -108,9 +108,9 @@ This solution uses the following modules: | | | | | | | **vm_os_sku** | A sku of the image to be deployed | string | "mgmt-byol" - BYOL license;
"mgmt-25" - PAYG; | n/a | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a | | | | | | - | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120";| n/a + | **os_version** | GAIA OS version | string | "R81";
"R8110";
"R8120";| n/a | | | | | | | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | "" | | | | | | @@ -166,8 +166,6 @@ In order to check the template version refer to the [sk116585](https://supportce | Template Version | Description | | ---------------- | ------------- | -| 20240613 | - Updated Azure Terraform provider version
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Updated Public IP sku to Standard
- Added validation for os_version & os_offer | -| | | | | 20230910 | - R81.20 is the default version | | | | | | 20221124 | - Added R81.20 support
- Upgraded azurerm provider | diff --git a/terraform/azure/management-new-vnet/main.tf b/terraform/azure/management-new-vnet/main.tf index 77c16ac6..c334c034 100755 --- a/terraform/azure/management-new-vnet/main.tf +++ b/terraform/azure/management-new-vnet/main.tf @@ -202,6 +202,7 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { account_tier = module.common.storage_account_tier account_replication_type = module.common.account_replication_type account_kind = "Storage" + min_tls_version = "TLS1_2" network_rules { default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow" ip_rules = module.common.storage_account_ip_rules diff --git a/terraform/azure/management-new-vnet/variables.tf b/terraform/azure/management-new-vnet/variables.tf index 63839bd0..3ed686e1 100755 --- a/terraform/azure/management-new-vnet/variables.tf +++ b/terraform/azure/management-new-vnet/variables.tf @@ -88,7 +88,6 @@ variable "os_version" { locals { // locals for 'vm_os_offer' allowed values os_version_allowed_values = [ - "R8040", "R81", "R8110", "R8120", @@ -103,13 +102,12 @@ variable "vm_os_sku" { } variable "vm_os_offer" { - description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8040, check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" + description = "The name of the image offer to be deployed.Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" type = string } locals { // locals for 'vm_os_offer' allowed values vm_os_offer_allowed_values = [ - "check-point-cg-r8040", "check-point-cg-r81", "check-point-cg-r8110", "check-point-cg-r8120" diff --git a/terraform/azure/mds-existing-vnet/README.md b/terraform/azure/mds-existing-vnet/README.md index 7c8003fd..f83a56e8 100755 --- a/terraform/azure/mds-existing-vnet/README.md +++ b/terraform/azure/mds-existing-vnet/README.md 
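Review bot: The added `min_tls_version = "TLS1_2"` tightens transport only; the `network_rules` block following it still falls back to `default_action = "Allow"` when `add_storage_account_ip_rules` is false, leaving the boot-diagnostics account reachable from every network by default. Unless already set on the lines of this resource outside the hunk, adding `allow_nested_items_to_be_public = false` and an explicit `https_traffic_only_enabled = true` (`enable_https_traffic_only` on azurerm 3.x) next to the new line would make the hardening complete, since their defaults vary by provider major version. A comment like `# Explicit TLS 1.2 floor; intentional even where the provider default matches` would keep the line from being removed as redundant.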
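Review bot: The rewritten `description` of `vm_os_offer` keeps the `deployed.Choose` typo (no space after the period) and hard-codes the same values that `local.vm_os_offer_allowed_values` lists below, so the two will drift unless every deprecation edits both. Because variable descriptions cannot reference locals, consider `description = "The name of the image offer to be deployed. See local.vm_os_offer_allowed_values for the accepted values."` and let the check that consumes the local report the list. The `locals` block ends outside the hunk.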
@@ -54,7 +54,7 @@ This solution uses the following modules: - sku = vm_os_sku (see accepted values in the table below); - version = latest

Example:
- az vm image terms accept --urn checkpoint:check-point-cg-r8040:sg-byol:latest + az vm image terms accept --urn checkpoint:check-point-cg-r8120:sg-byol:latest - In the terraform.tfvars file leave empty double quotes for client_secret, client_id and tenant_id variables. @@ -108,9 +108,9 @@ This solution uses the following modules: | | | | | | | **vm_os_sku** | A sku of the image to be deployed | string | "mgmt-byol" - BYOL license;
"mgmt-25" - PAYG; | n/a | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a | | | | | | - | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120";| n/a + | **os_version** | GAIA OS version | string | "R81";
"R8110";
"R8120";| n/a | | | | | | | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | "" | | | | | | @@ -182,8 +182,6 @@ In order to check the template version refer to the [sk116585](https://supportce | Template Version | Description | |------------------|---------------------------------------------------------------------------------------------| -| 20240613 | - Updated Azure Terraform provider version
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Updated Public IP sku to Standard
- Added validation for os_version & os_offer | -| | | | | 20230910 | - R81.20 is the default version | | | | | | 20230629 | First release of Check Point CloudGuard Network Security MDS Terraform deployment for Azure | diff --git a/terraform/azure/mds-existing-vnet/main.tf b/terraform/azure/mds-existing-vnet/main.tf index 0c8719f1..6a64aea0 100755 --- a/terraform/azure/mds-existing-vnet/main.tf +++ b/terraform/azure/mds-existing-vnet/main.tf @@ -196,6 +196,7 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { account_tier = module.common.storage_account_tier account_replication_type = module.common.account_replication_type account_kind = "Storage" + min_tls_version = "TLS1_2" network_rules { default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow" ip_rules = module.common.storage_account_ip_rules diff --git a/terraform/azure/mds-existing-vnet/variables.tf b/terraform/azure/mds-existing-vnet/variables.tf index 8896ceae..745c78c7 100755 --- a/terraform/azure/mds-existing-vnet/variables.tf +++ b/terraform/azure/mds-existing-vnet/variables.tf @@ -109,7 +109,6 @@ variable "os_version" { locals { // locals for 'vm_os_offer' allowed values os_version_allowed_values = [ - "R8040", "R81", "R8110", "R8120" @@ -124,13 +123,12 @@ variable "vm_os_sku" { } variable "vm_os_offer" { - description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8040, check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" + description = "The name of the image offer to be deployed.Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" type = string } locals { // locals for 'vm_os_offer' allowed values vm_os_offer_allowed_values = [ - "check-point-cg-r8040", "check-point-cg-r81", "check-point-cg-r8110", "check-point-cg-r8120" diff --git a/terraform/azure/mds-new-vnet/README.md b/terraform/azure/mds-new-vnet/README.md index 293c3862..cb782964 100755 --- a/terraform/azure/mds-new-vnet/README.md 
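Review bot: `min_tls_version = "TLS1_2"` on the MDS boot-diagnostics account raises the protocol floor but not the reachability bar: `network_rules` below still uses `default_action = "Allow"` unless `add_storage_account_ip_rules` is true, so in the default configuration the account accepts connections from any network. If the rest of this resource (its opening and the tail of `network_rules` are outside the hunk) does not already set them, `allow_nested_items_to_be_public = false` and an explicit `https_traffic_only_enabled = true` (`enable_https_traffic_only` on azurerm 3.x) would complement the new line; their defaults depend on the provider major version. Since azurerm 3.x already defaults to `TLS1_2`, a comment such as `# Explicit TLS 1.2 floor; keep even where the provider default matches` documents the intent.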
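Review bot: The new `vm_os_offer` description still has the `deployed.Choose` typo and duplicates `local.vm_os_offer_allowed_values` from a few lines below, which is why this deprecation needed two edits in this file. Descriptions cannot interpolate locals, so a generic `description = "The name of the image offer to be deployed. See local.vm_os_offer_allowed_values for the accepted values."` avoids the duplication and lets the consuming check list the values. The `locals` block that follows ends outside the hunk.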
+++ b/terraform/azure/mds-new-vnet/README.md @@ -56,7 +56,7 @@ This solution uses the following modules: - sku = vm_os_sku (see accepted values in the table below); - version = latest

Example:
- az vm image terms accept --urn checkpoint:check-point-cg-r8040:sg-byol:latest + az vm image terms accept --urn checkpoint:check-point-cg-r8120:sg-byol:latest - In the terraform.tfvars file leave empty double quotes for client_secret, client_id and tenant_id variables. @@ -108,9 +108,9 @@ This solution uses the following modules: | | | | | | | **vm_os_sku** | A sku of the image to be deployed | string | "mgmt-byol" - BYOL license;
"mgmt-25" - PAYG; | n/a | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a | | | | | | - | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120";| n/a + | **os_version** | GAIA OS version | string | "R81";
"R8110";
"R8120";| n/a | | | | | | | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | "" | | | | | | @@ -175,8 +175,6 @@ In order to check the template version refer to the [sk116585](https://supportce | Template Version | Description | |------------------|---------------------------------------------------------------------------------------------| -| 20240613 | - Updated Azure Terraform provider version
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Updated Public IP sku to Standard
- Added validation for os_version & os_offer | -| | | | | 20230910 | - R81.20 is the default version | | | | | | 20230629 | First release of Check Point CloudGuard Network Security MDS Terraform deployment for Azure | diff --git a/terraform/azure/mds-new-vnet/main.tf b/terraform/azure/mds-new-vnet/main.tf index 7f2c1de9..26ad4d00 100755 --- a/terraform/azure/mds-new-vnet/main.tf +++ b/terraform/azure/mds-new-vnet/main.tf @@ -202,6 +202,7 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { account_tier = module.common.storage_account_tier account_replication_type = module.common.account_replication_type account_kind = "Storage" + min_tls_version = "TLS1_2" network_rules { default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow" ip_rules = module.common.storage_account_ip_rules diff --git a/terraform/azure/mds-new-vnet/variables.tf b/terraform/azure/mds-new-vnet/variables.tf index 9ce9d0ba..45c2175a 100755 --- a/terraform/azure/mds-new-vnet/variables.tf +++ b/terraform/azure/mds-new-vnet/variables.tf @@ -108,7 +108,6 @@ variable "os_version" { locals { // locals for 'vm_os_offer' allowed values os_version_allowed_values = [ - "R8040", "R81", "R8110", "R8120" @@ -123,13 +122,12 @@ variable "vm_os_sku" { } variable "vm_os_offer" { - description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8040, check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" + description = "The name of the image offer to be deployed.Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" type = string } locals { // locals for 'vm_os_offer' allowed values vm_os_offer_allowed_values = [ - "check-point-cg-r8040", "check-point-cg-r81", "check-point-cg-r8110", "check-point-cg-r8120" diff --git a/terraform/azure/modules/common/variables.tf b/terraform/azure/modules/common/variables.tf index e768159b..33d85f45 100755 --- a/terraform/azure/modules/common/variables.tf 
+++ b/terraform/azure/modules/common/variables.tf @@ -136,7 +136,6 @@ variable "os_version"{ locals { // locals for 'os_version' allowed values os_version_allowed_values = [ - "R8040", "R81", "R8110", "R8120" @@ -217,13 +216,12 @@ variable "publisher" { //************** Storage image reference and plan variables ****************// variable "vm_os_offer" { - description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8040, check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" + description = "The name of the image offer to be deployed.Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" type = string } locals { // locals for 'vm_os_offer' allowed values vm_os_offer_allowed_values = [ - "check-point-cg-r8040", "check-point-cg-r81", "check-point-cg-r8110", "check-point-cg-r8120" @@ -237,8 +235,8 @@ variable "vm_os_sku" { /* Choose from: - "sg-byol" - - "sg-ngtp" (for R80.40 and above) - - "sg-ngtx" (for R80.40 and above) + - "sg-ngtp" (for R81 and above) + - "sg-ngtx" (for R81 and above) - "mgmt-byol" - "mgmt-25" */ diff --git a/terraform/azure/nva-into-existing-hub/README.md b/terraform/azure/nva-into-existing-hub/README.md index a2765298..253cce89 100644 --- a/terraform/azure/nva-into-existing-hub/README.md +++ b/terraform/azure/nva-into-existing-hub/README.md @@ -1,6 +1,6 @@ # Check Point CloudGuard Network Security Virtual WAN Terraform deployment for Azure -This Terraform module deploys Check Point CloudGuard Network Security Virtual WAN NVA solution into an existing vWAN Hub in Azure. +This Terraform module deploys Check Point CloudGuard Network Security vWAN NVA solution into an existing vWAN Hub in Azure. As part of the deployment the following resources are created: - Resource groups - Azure Managed Application: 
@@ -77,7 +77,7 @@ please see the [CloudGuard Network for Azure Virtual WAN Deployment Guide](https | | | | | | | **vwan-hub-name** | The name of the virtual WAN hub that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | n/a | | | | | | | - | **vwan-hub-resource-group** | The virtual WAN hub resource group name | string | | n/a | + | **vwan-hub-resource-group** | The vWAN hub resource group name | string | | n/a | | | | | | | | **managed-app-name** | The name of the managed application that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | "tf-vwan-managed-app-nva" | | | | | | | @@ -161,7 +161,6 @@ In order to check the template version refer to the [sk116585](https://supportce | Template Version | Description | |------------------|-------------------| -| 20240613 | Cosmetic fixes & default values | | 20240228 | Added public IP for ingress support | | | | 20231226 | First release of Check Point CloudGuard Network Security Virtual WAN Terraform deployment for Azure | | diff --git a/terraform/azure/nva-into-new-vwan/README.md b/terraform/azure/nva-into-new-vwan/README.md index 52cc1b17..c7f06c09 100644 --- a/terraform/azure/nva-into-new-vwan/README.md +++ b/terraform/azure/nva-into-new-vwan/README.md @@ -1,6 +1,6 @@ # Check Point CloudGuard Network Security Virtual WAN Terraform deployment for Azure -This Terraform module deploys Check Point CloudGuard Network Security Virtual WAN NVA solution into a new vWAN Hub in Azure. +This Terraform module deploys Check Point CloudGuard Network Security vWAN NVA solution into a new vWAN Hub in Azure. As part of the deployment the following resources are created: - Resource groups - Virtual WAN 
@@ -170,10 +170,9 @@ please see the [CloudGuard Network for Azure Virtual WAN Deployment Guide](https In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) | Template Version | Description | -|------------------|-----------------------------------------------------------------------------------------------| -| 20240613 | Cosmetic fixes & default values | -| 20240228 | Added public IP for ingress support | | | -| 20231226 | First release of Check Point CloudGuard Network Security Virtual WAN Terraform deployment for Azure | | | +|------------------|---------------------------------------------------------------------------------------------------| +| 20240228 | Added public IP for ingress support | | | +| 20231226 | First release of Check Point CloudGuard Network Security Virtual WAN Terraform deployment for Azure | | | ## License diff --git a/terraform/azure/single-gateway-existing-vnet/README.md b/terraform/azure/single-gateway-existing-vnet/README.md index 73fa074d..feebb542 100755 --- a/terraform/azure/single-gateway-existing-vnet/README.md +++ b/terraform/azure/single-gateway-existing-vnet/README.md @@ -52,7 +52,7 @@ This solution uses the following modules: - sku = vm_os_sku (see accepted values in the table below); - version = latest

Example:
- az vm image terms accept --urn checkpoint:check-point-cg-r8040:sg-byol:latest + az vm image terms accept --urn checkpoint:check-point-cg-r81200:sg-byol:latest - In the terraform.tfvars file leave empty double quotes for client_secret, client_id and tenant_id variables. @@ -112,9 +112,9 @@ This solution uses the following modules: | | | | | | | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license | n/a | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a | | | | | | - | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120"; | n/a + | **os_version** | GAIA OS version | string | "R81";
"R8110";
"R8120"; | n/a | | | | | | | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | "" | | | | | | @@ -185,8 +185,6 @@ In order to check the template version refer to the [sk116585](https://supportce | Template Version | Description | |------------------|---------------------------------------------------------------------------------------------------| -| 20240613 | - Updated Azure Terraform provider version
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Added accelerated networking to SGW Terraform templates
- Updated Public IP sku to Standard
- Added validation for os_version & os_offer | -| | | | | 20230910 | - R81.20 is the default version | | | | | | 20230629 | First release of Check Point CloudGuard Network Security Single GW Terraform deployment for Azure | diff --git a/terraform/azure/single-gateway-existing-vnet/main.tf b/terraform/azure/single-gateway-existing-vnet/main.tf index 81ced59f..e7a9e174 100755 --- a/terraform/azure/single-gateway-existing-vnet/main.tf +++ b/terraform/azure/single-gateway-existing-vnet/main.tf @@ -137,6 +137,7 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { account_tier = module.common.storage_account_tier account_replication_type = module.common.account_replication_type account_kind = "Storage" + min_tls_version = "TLS1_2" network_rules { default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow" ip_rules = module.common.storage_account_ip_rules diff --git a/terraform/azure/single-gateway-existing-vnet/variables.tf b/terraform/azure/single-gateway-existing-vnet/variables.tf index dd4dc15e..f6f2da36 100755 --- a/terraform/azure/single-gateway-existing-vnet/variables.tf +++ b/terraform/azure/single-gateway-existing-vnet/variables.tf @@ -102,7 +102,6 @@ variable "os_version" { locals { // locals for 'vm_os_offer' allowed values os_version_allowed_values = [ - "R8040", "R81", "R8110", "R8120" @@ -117,13 +116,12 @@ variable "vm_os_sku" { } variable "vm_os_offer" { - description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8040, check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" + description = "The name of the image offer to be deployed.Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" type = string } locals { // locals for 'vm_os_offer' allowed values vm_os_offer_allowed_values = [ - "check-point-cg-r8040", "check-point-cg-r81", "check-point-cg-r8110", "check-point-cg-r8120" 
diff --git a/terraform/azure/single-gateway-new-vnet/README.md b/terraform/azure/single-gateway-new-vnet/README.md index d4d821ac..b9227c85 100755 --- a/terraform/azure/single-gateway-new-vnet/README.md +++ b/terraform/azure/single-gateway-new-vnet/README.md @@ -56,7 +56,7 @@ This solution uses the following modules: - sku = vm_os_sku (see accepted values in the table below); - version = latest

Example:
- az vm image terms accept --urn checkpoint:check-point-cg-r8040:sg-byol:latest + az vm image terms accept --urn checkpoint:check-point-cg-r8120:sg-byol:latest - In the terraform.tfvars file leave empty double quotes for client_secret, client_id and tenant_id variables. @@ -112,9 +112,9 @@ This solution uses the following modules: | | | | | | | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license | n/a | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a | | | | | | - | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120"; | n/a | + | **os_version** | GAIA OS version | string | "R81";
"R8110";
"R8120"; | n/a | | | | | | | | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | "" | | | | | | @@ -183,8 +183,6 @@ In order to check the template version refer to the [sk116585](https://supportce | Template Version | Description | |------------------|---------------------------------------------------------------------------------------------------| -| 20240613 | - Updated Azure Terraform provider version
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Added accelerated networking to SGW Terraform templates
- Updated Public IP sku to Standard
- Added validation for os_version & os_offer | -| | | | | 20230910 | - R81.20 is the default version | | | | | | 20230629 | First release of Check Point CloudGuard Network Security Single GW Terraform deployment for Azure | diff --git a/terraform/azure/single-gateway-new-vnet/main.tf b/terraform/azure/single-gateway-new-vnet/main.tf index dcb817bf..c7673cd2 100755 --- a/terraform/azure/single-gateway-new-vnet/main.tf +++ b/terraform/azure/single-gateway-new-vnet/main.tf @@ -137,6 +137,7 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { account_tier = module.common.storage_account_tier account_replication_type = module.common.account_replication_type account_kind = "Storage" + min_tls_version = "TLS1_2" network_rules { default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow" ip_rules = module.common.storage_account_ip_rules diff --git a/terraform/azure/single-gateway-new-vnet/variables.tf b/terraform/azure/single-gateway-new-vnet/variables.tf index 65076afc..7b247e96 100755 --- a/terraform/azure/single-gateway-new-vnet/variables.tf +++ b/terraform/azure/single-gateway-new-vnet/variables.tf @@ -101,7 +101,6 @@ variable "os_version" { locals { // locals for 'vm_os_offer' allowed values os_version_allowed_values = [ - "R8040", "R81", "R8110", "R8120" @@ -116,13 +115,12 @@ variable "vm_os_sku" { } variable "vm_os_offer" { - description = "The name of the image offer to be deployed.Choose from: check-point-cg-r8040, check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" + description = "The name of the image offer to be deployed.Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" type = string } locals { // locals for 'vm_os_offer' allowed values vm_os_offer_allowed_values = [ - "check-point-cg-r8040", "check-point-cg-r81", "check-point-cg-r8110", "check-point-cg-r8120" diff --git a/terraform/azure/vmss-existing-vnet/README.md b/terraform/azure/vmss-existing-vnet/README.md index dca0361a..f0602c30 100755 
--- a/terraform/azure/vmss-existing-vnet/README.md +++ b/terraform/azure/vmss-existing-vnet/README.md @@ -55,7 +55,7 @@ This solution uses the following modules: - sku = vm_os_sku (see accepted values in the table below); - version = latest

Example:
- az vm image terms accept --urn checkpoint:check-point-cg-r8040:sg-byol:latest + az vm image terms accept --urn checkpoint:check-point-cg-r8120:sg-byol:latest - In the terraform.tfvars file leave empty double quotes for client_secret, client_id and tenant_id variables. @@ -71,91 +71,89 @@ This solution uses the following modules: terraform apply ### terraform.tfvars variables: - | Name | Description | Type | Allowed values | Default | - | ------------- |-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- | ------------- | ------------- | - | **client_secret** | The client secret of the Service Principal used to deploy the solution | string | | n/a - | | | | | | - | **client_id** | The client ID of the Service Principal used to deploy the solution | string | | n/a - | | | | | | - | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | n/a - | | | | | | - | **subscription_id** | The subsscription ID is used to pay for Azure cloud services | string | | n/a - | | | | | | - | **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images | string | | "noCustomUri" - | | | | | | - | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period
Note: Resource group name must not contain reserved words based on: sk40179| n/a - | | | | | | - | **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | n/a - | | | | | | - | **vmss_name** | The name of the Check Point VMSS Object | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long
Note: vmss_name name must not contain reserved words based on: sk40179 | n/a - | | | | | | - | **vnet_name** | Virtual Network name | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | n/a - | | | | | | - | **vnet_resource_group** | Resource Group of the existing virtual network | string | The exact name of the existing vnet's resource group | n/a - | | | | | | - | **frontend_subnet_name** | Specifies the name of the external subnet | string | The exact name of the existing external subnet | n/a - | | | | | | - | **backend_subnet_name** | Specifies the name of the internal subnet | string | The exact name of the existing internal subnet | n/a - | | | | | | - | **backend_lb_IP_address** | Is a whole number that can be represented as a binary integer with no more than the number of digits remaining in the address after the given prefix | string | Starting from 5-th IP address in a subnet. 
For example: subnet - 10.0.1.0/24, backend_lb_IP_address = 4 , the LB IP is 10.0.1.4 | n/a - | | | | | | - | **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | n/a - | | | | | | - | **sic_key** | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | n/a - | | | | | | - | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", 
"Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | n/a - | | | | | | - | **disk_size** | Storage data disk size size(GB) must be 100 for versions R81.20 and below | string | A number in the range 100 - 3995 (GB) | 100 - | | | | | | - | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license; | n/a - | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a - | | | | | | - | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120"; | n/a - | | | | | | - | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | n/a - | | | | | | - | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | n/a - | | | | | | - | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | n/a - | | | | | | - | **availability_zones_num** | A list of a single item of the Availability Zone which the Virtual Machine should be allocated in | string | "centralus", "eastus2", "francecentral", "northeurope", "southeastasia", "westeurope", "westus2", "eastus", "uksouth" | n/a - | | | | | | - | **minimum_number_of_vm_instances** | The minimum number of VMSS instances for this resource | number | Valid values are in the range 0 - 10 | n/a - | | | | | | - | **maximum_number_of_vm_instances** | The maximum number of VMSS instances for this resource | number | Valid values are in the range 0 - 10 | n/a - | | | | | | - | **management_name** | The name of the management server as it appears in the configuration file | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long | n/a - | | | | | | - | **management_IP** | The IP address used to manage the VMSS instances | string | A valid IP address | n/a - | | | | | | - | **management_interface** | Management option for the Gateways in the VMSS | string | "eth0-public" - Manages the GWs using their external NIC's public IP address;
"eth0-private" -Manages the GWs using their external NIC's private IP address;
"eth1-private" - Manages the GWs using their internal NIC's private IP address | "eth1-private" - | | | | | | - | **configuration_template_name** | The configuration template name as it appears in the configuration file | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long | n/a - | | | | | | - | **frontend_load_distribution** | The load balancing distribution method for the External Load Balancer | string | "Default" - None(5-tuple);
"SourceIP" - ClientIP(2-tuple);
"SourceIPProtocol" - ClientIP and protocol(3-tuple) | n/a - | | | | | | - | **backend_load_distribution** | The load balancing distribution method for the Internal Load Balancer | string | "Default" - None(5-tuple);
"SourceIP" - ClientIP(2-tuple);
"SourceIPProtocol" - ClientIP and protocol(3-tuple) | n/a - | | | | | | - | **notification_email** | An email address to notify about scaling operations | string | Leave empty double quotes or enter a valid email address | n/a - | | | | | | - | **enable_custom_metrics** | Indicates whether Custom Metrics will be used for VMSS Scaling policy and VM monitoring | boolean | true;
false; | true - | | | | | | - | **enable_floating_ip** | Indicates whether the load balancers will be deployed with floating IP | boolean | true;
false; | false - | | | | | | - | **deployment_mode** | Indicates which load balancer need to be deployed. External + Internal(Standard), only External, only Internal | string | Standard ;
External;
Internal; | "Standard" - | | | | | | - | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | "/etc/cli.sh" - | | | | | | - | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here | string | | n/a - | | | | | | - | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | | n/a - | | | | | | - | **nsg_id** | Optional ID for a Network Security Group that already exists in Azure, if not provided, will create a default NSG | string | Existing NSG resource ID | "" - | | | | | | - | **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false; | false - | | | | | | - | **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs | [] + | Name | Description | Type | Allowed values | Default | + | ------------- | ------------- | ------------- | ------------- | ------------- | + | **client_secret** | The client secret of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **client_id** | The client ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | | n/a + | | | | | | + | **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images | string | | "noCustomUri" + | | | | | | + | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period
Note: Resource group name must not contain reserved words based on: sk40179| n/a + | | | | | | + | **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | n/a + | | | | | | + | **vmss_name** | The name of the Check Point VMSS Object | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long
Note: vmss_name name must not contain reserved words based on: sk40179 | n/a + | | | | | | + | **vnet_name** | Virtual Network name | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | n/a + | | | | | | + | **vnet_resource_group** | Resource Group of the existing virtual network | string | The exact name of the existing vnet's resource group | n/a + | | | | | | + | **frontend_subnet_name** | Specifies the name of the external subnet | string | The exact name of the existing external subnet | n/a + | | | | | | + | **backend_subnet_name** | Specifies the name of the internal subnet | string | The exact name of the existing internal subnet | n/a + | | | | | | + | **backend_lb_IP_address** | Is a whole number that can be represented as a binary integer with no more than the number of digits remaining in the address after the given prefix| string | Starting from 5-th IP address in a subnet. 
For example: subnet - 10.0.1.0/24, backend_lb_IP_address = 4 , the LB IP is 10.0.1.4 | n/a + | | | | | | + | **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | n/a + | | | | | | + | **sic_key** | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | n/a + | | | | | | + | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", 
"Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | n/a + | | | | | | + | **disk_size** | Storage data disk size size(GB) must be 100 for versions R81.20 and below | string | A number in the range 100 - 3995 (GB) | 100 + | | | | | | + | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license; | n/a + | | | | | | + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | | | | | | + | **os_version** | GAIA OS version | string | "R81";
"R8110";
"R8120"; | n/a + | | | | | | + | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | n/a + | | | | | | + | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | n/a + | | | | | | + | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | n/a + | | | | | | + | **availability_zones_num** | A list of a single item of the Availability Zone which the Virtual Machine should be allocated in | string | "centralus", "eastus2", "francecentral", "northeurope", "southeastasia", "westeurope", "westus2", "eastus", "uksouth" | n/a + | | | | | | + | **minimum_number_of_vm_instances** | The minimum number of VMSS instances for this resource | number | Valid values are in the range 0 - 10 | n/a + | | | | | | + | **maximum_number_of_vm_instances** | The maximum number of VMSS instances for this resource | number | Valid values are in the range 0 - 10 | n/a + | | | | | | + | **management_name** | The name of the management server as it appears in the configuration file | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long | n/a + | | | | | | + | **management_IP** | The IP address used to manage the VMSS instances | string | A valid IP address | n/a + | | | | | | + | **management_interface** | Management option for the Gateways in the VMSS | string | "eth0-public" - Manages the GWs using their external NIC's public IP address;
"eth0-private" -Manages the GWs using their external NIC's private IP address;
"eth1-private" - Manages the GWs using their internal NIC's private IP address | "eth1-private" + | | | | | | + | **configuration_template_name** | The configuration template name as it appears in the configuration file | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long | n/a + | | | | | | + | **frontend_load_distribution** | The load balancing distribution method for the External Load Balancer | string | "Default" - None(5-tuple);
"SourceIP" - ClientIP(2-tuple);
"SourceIPProtocol" - ClientIP and protocol(3-tuple) | n/a + | | | | | | + | **backend_load_distribution** | The load balancing distribution method for the Internal Load Balancer | string | "Default" - None(5-tuple);
"SourceIP" - ClientIP(2-tuple);
"SourceIPProtocol" - ClientIP and protocol(3-tuple) | n/a + | | | | | | + | **notification_email** | An email address to notify about scaling operations | string | Leave empty double quotes or enter a valid email address | n/a + | | | | | | + | **enable_custom_metrics** | Indicates whether Custom Metrics will be used for VMSS Scaling policy and VM monitoring | boolean | true;
false; | true + | | | | | | + | **enable_floating_ip** | Indicates whether the load balancers will be deployed with floating IP | boolean | true;
false; | false + | | | | | | + | **deployment_mode** | Indicates which load balancer need to be deployed. External + Internal(Standard), only External, only Internal | string | Standard ;
External;
Internal; | "Standard" + | | | | | | + | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | "/etc/cli.sh" + | | | | | | + | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here | string | | n/a + | | | | | | + | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | | n/a + | | | | | | + | **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false; | false + | | | | | | + | **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs | [] ## Conditional creation To create role assignment and enable CloudGuard metrics in order to send statuses and statistics collected from VMSS instances to the Azure Monitor service: @@ -203,7 +201,6 @@ enable_custom_metrics = true admin_shell = "/etc/cli.sh" serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - nsg_id = "" add_storage_account_ip_rules = false storage_account_additional_ips = [] @@ -215,14 +212,15 @@ enable_custom_metrics = true ## Known limitations +1. Deploy the VMSS with External load balancer only (Inbound inspection only) is not supported +2. Deploy the VMSS with Internal load balancer only (Outbound and E-W inspection only) is not supported + ## Revision History In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) | Template Version | Description | | ---------------- | ------------- | -| 20240613 | - Updated Azure Terraform provider version
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Updated diskSizeGB
- Added validation for os_version & os_offer | -| | | | | 20230910 | - R81.20 is the default version | | | | | | 20221124 | - Added R81.20 support
 - Upgraded azurerm provider |
diff --git a/terraform/azure/vmss-existing-vnet/main.tf b/terraform/azure/vmss-existing-vnet/main.tf
index 70e7169a..af194878 100755
--- a/terraform/azure/vmss-existing-vnet/main.tf
+++ b/terraform/azure/vmss-existing-vnet/main.tf
@@ -198,6 +198,7 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" {
 location = module.common.resource_group_location
 account_tier = module.common.storage_account_tier
 account_replication_type = module.common.account_replication_type
+ min_tls_version = "TLS1_2"
 network_rules {
 default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow"
 ip_rules = module.common.storage_account_ip_rules
diff --git a/terraform/azure/vmss-existing-vnet/terraform.tfvars b/terraform/azure/vmss-existing-vnet/terraform.tfvars
index 66836af3..399ffeef 100755
--- a/terraform/azure/vmss-existing-vnet/terraform.tfvars
+++ b/terraform/azure/vmss-existing-vnet/terraform.tfvars
@@ -39,5 +39,4 @@ admin_shell = "PLEASE ENTER ADMIN SHELL"
 serial_console_password_hash = "PLEASE ENTER SERIAL CONSOLE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
 maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
 add_storage_account_ip_rules = "PLEASE ENTER true or false" # false
-storage_account_additional_ips = "PLEASE ENTER A LIST OF VALID IPS/CIDRS" # []
-nsg_id = "PLEASE ENTER NETWORK SECURITY GROUP ID" # ""
\ No newline at end of file
+storage_account_additional_ips = "PLEASE ENTER A LIST OF VALID IPS/CIDRS" # []
\ No newline at end of file
diff --git a/terraform/azure/vmss-existing-vnet/variables.tf b/terraform/azure/vmss-existing-vnet/variables.tf
index 9ef598a3..aa405627 100755
--- a/terraform/azure/vmss-existing-vnet/variables.tf
+++ b/terraform/azure/vmss-existing-vnet/variables.tf
@@ -114,7 +114,6 @@ variable "os_version" {
 locals {
 // locals for 'vm_os_offer' allowed values
 os_version_allowed_values = [
- "R8040",
 "R81",
 "R8110",
 "R8120"
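Review bot: `min_tls_version = "TLS1_2"` raises the transport floor, but the `network_rules` context right below still sets `default_action` to `"Allow"` whenever `var.add_storage_account_ip_rules` is false, which the README rows in this same commit document as the default, so the boot-diagnostics account remains reachable from all networks unless the operator opts in. That is pre-existing, but since this hunk is the hardening pass on the resource a comment next to the new line would keep the two settings from being confused, e.g. `# TLS floor only; network reachability is governed by var.add_storage_account_ip_rules (default false = Allow from all networks)`. The same applies to the identical hunk in terraform/azure/vmss-new-vnet/main.tf. The azurerm_storage_account block continues outside the hunk.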
@@ -129,7 +128,7 @@ variable "disk_size" {
 }
 resource "null_resource" "disk_size_validation" {
 // Will fail if var.disk_size is not 100 and the version is R81.20 or below
- count = tonumber(var.disk_size) != 100 && contains(["R8040", "R81", "R8110", "R8120"], var.os_version) ? "variable disk_size can not be changed for R81.20 and below" : 0
+ count = tonumber(var.disk_size) != 100 && contains(["R81", "R8110", "R8120"], var.os_version) ? "variable disk_size can not be changed for R81.20 and below" : 0
 }
 variable "vm_os_sku" {
 description = "The sku of the image to be deployed."
@@ -243,10 +242,7 @@ variable "storage_account_additional_ips" {
 type = list(string)
 description = "IPs/CIDRs that are allowed access to the Storage Account"
 default = []
-}
-
-//********************* Load Balancers Variables **********************//
-
+}//********************* Load Balancers Variables **********************//
 variable "deployment_mode" {
 description = "The type of the deployment, can be 'Standard' for both load balancers or 'External' for external load balancer or 'Internal for internal load balancer"
 type = string
@@ -333,13 +329,12 @@ locals {
 // locals for 'frontend_load_distribution' allowed values
 //********************** Scale Set variables *******************//
 variable "vm_os_offer" {
- description = "The name of the offer of the image that you want to deploy.Choose from: check-point-cg-r8040, check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120"
+ description = "The name of the offer of the image that you want to deploy.Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120"
 type = string
 }
 locals {
 // locals for 'vm_os_offer' allowed values
 vm_os_offer_allowed_values = [
- "check-point-cg-r8040",
 "check-point-cg-r81",
 "check-point-cg-r8110",
 "check-point-cg-r8120",
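Review bot: The version list inside `contains([...], var.os_version)` in the new `count` expression is a second hand-maintained copy of `os_version_allowed_values` from the hunk above, and this commit had to delete `"R8040"` from both; the next version change will again have to be made twice. Since the comment states the intent ("R81.20 or below"), a named local such as `disk_size_locked_versions = ["R81", "R8110", "R8120"]` referenced here, `count = tonumber(var.disk_size) != 100 && contains(local.disk_size_locked_versions, var.os_version) ? "variable disk_size can not be changed for R81.20 and below" : 0`, keeps the rule in one place. The same duplication is in the corresponding hunk of terraform/azure/vmss-new-vnet/variables.tf.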
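Review bot: The new line `}//********************* Load Balancers Variables **********************//` fuses the closing brace of `variable "storage_account_additional_ips"` with the section banner that the removed lines kept on its own line between blank lines, so the banner is now easy to miss and `terraform fmt` will not separate them. Keep the brace and the banner on separate lines with a blank line between: `}`, then an empty line, then `//********************* Load Balancers Variables **********************//`.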
@@ -397,8 +392,3 @@ variable "enable_floating_ip" {
 type = bool
 default = false
 }
-
-variable "nsg_id" {
- description = "NSG ID - Optional - if empty use default NSG"
- default = ""
-}
diff --git a/terraform/azure/vmss-new-vnet/README.md b/terraform/azure/vmss-new-vnet/README.md
index b57e3011..06f786e7 100755
--- a/terraform/azure/vmss-new-vnet/README.md
+++ b/terraform/azure/vmss-new-vnet/README.md
@@ -59,7 +59,7 @@ This solution uses the following modules: - sku = vm_os_sku (see accepted values in the table below); - version = latest

Example:
- az vm image terms accept --urn checkpoint:check-point-cg-r8040:sg-byol:latest + az vm image terms accept --urn checkpoint:check-point-cg-r8120:sg-byol:latest - In the terraform.tfvars file leave empty double quotes for client_secret, client_id and tenant_id variables. @@ -111,9 +111,9 @@ This solution uses the following modules: | | | | | | | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license; | n/a | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a | | | | | | - | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120"; | n/a + | **os_version** | GAIA OS version | string | "R81";
"R8110";
"R8120"; | n/a | | | | | | | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | n/a | | | | | | @@ -221,8 +221,6 @@ In order to check the template version refer to the [sk116585](https://supportce | Template Version | Description | | ---------------- | --------- | -| 20240613 | - Updated Azure Terraform provider version
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Updated diskSizeGB
- Added validation for os_version & os_offer | -| | | | | 20230910 | - R81.20 is the default version | | | | | | 20221124 | - Added R81.20 support
 - Upgraded azurerm provider |
diff --git a/terraform/azure/vmss-new-vnet/main.tf b/terraform/azure/vmss-new-vnet/main.tf
index 2438915d..025592dc 100755
--- a/terraform/azure/vmss-new-vnet/main.tf
+++ b/terraform/azure/vmss-new-vnet/main.tf
@@ -195,6 +195,7 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" {
 location = module.common.resource_group_location
 account_tier = module.common.storage_account_tier
 account_replication_type = module.common.account_replication_type
+ min_tls_version = "TLS1_2"
 network_rules {
 default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow"
 ip_rules = module.common.storage_account_ip_rules
diff --git a/terraform/azure/vmss-new-vnet/variables.tf b/terraform/azure/vmss-new-vnet/variables.tf
index 1760b8a2..afc907c5 100755
--- a/terraform/azure/vmss-new-vnet/variables.tf
+++ b/terraform/azure/vmss-new-vnet/variables.tf
@@ -114,7 +114,6 @@ variable "os_version" {
 locals {
 // locals for 'vm_os_offer' allowed values
 os_version_allowed_values = [
- "R8040",
 "R81",
 "R8110",
 "R8120",
@@ -129,7 +128,7 @@ variable "disk_size" {
 }
 resource "null_resource" "disk_size_validation" {
 // Will fail if var.disk_size is not 100 and the version is R81.20 or below
- count = tonumber(var.disk_size) != 100 && contains(["R8040", "R81", "R8110", "R8120"], var.os_version) ? "variable disk_size can not be changed for R81.20 and below" : 0
+ count = tonumber(var.disk_size) != 100 && contains(["R81", "R8110", "R8120"], var.os_version) ? "variable disk_size can not be changed for R81.20 and below" : 0
 }
 variable "vm_os_sku" {
 description = "The sku of the image to be deployed."
@@ -327,13 +326,12 @@ locals {
 // locals for 'frontend_load_distribution' allowed values
 //********************** Scale Set variables *******************//
 variable "vm_os_offer" {
- description = "The name of the offer of the image that you want to deploy.Choose from: check-point-cg-r8040, check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120"
+ description = "The name of the offer of the image that you want to deploy.Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120"
 type = string
 }
 locals {
 // locals for 'vm_os_offer' allowed values
 vm_os_offer_allowed_values = [
- "check-point-cg-r8040",
 "check-point-cg-r81",
 "check-point-cg-r8110",
 "check-point-cg-r8120",
diff --git a/terraform/gcp/autoscale-into-existing-vpc/README.md b/terraform/gcp/autoscale-into-existing-vpc/README.md
index 1c11c3d3..2ce564df 100755
--- a/terraform/gcp/autoscale-into-existing-vpc/README.md
+++ b/terraform/gcp/autoscale-into-existing-vpc/README.md
@@ -35,23 +35,22 @@ provider "google" {
 compute.autoscalers.create
 compute.autoscalers.delete
 compute.autoscalers.get
+ compute.autoscalers.update
 compute.disks.create
- compute.disks.delete
 compute.firewalls.create
 compute.firewalls.delete
 compute.firewalls.get
- compute.images.get
- compute.images.useReadOnly
+ compute.firewalls.update
 compute.instanceGroupManagers.create
 compute.instanceGroupManagers.delete
 compute.instanceGroupManagers.get
 compute.instanceGroupManagers.use
+ compute.instanceGroups.delete
 compute.instanceTemplates.create
 compute.instanceTemplates.delete
 compute.instanceTemplates.get
 compute.instanceTemplates.useReadOnly
 compute.instances.create
- compute.instances.delete
 compute.instances.setMetadata
 compute.instances.setTags
 compute.networks.get
@@ -60,11 +59,7 @@ provider "google" { compute.subnetworks.get compute.subnetworks.use compute.subnetworks.useExternalIp - iam.serviceAccountKeys.get - iam.serviceAccountKeys.list iam.serviceAccounts.actAs - iam.serviceAccounts.get - iam.serviceAccounts.list ``` 3. ```credentials``` - Your service account key file is used to complete a two-legged OAuth 2.0 flow to obtain access tokens to authenticate with the GCP API as needed; Terraform will use it to reauthenticate automatically when tokens expire.
The provider credentials can be provided either as static credentials or as [Environment Variables](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#credentials-1). @@ -113,11 +108,14 @@ project = "project-id" # --- Check Point--- prefix = "chkp-tf-mig" license = "BYOL" -image_name = "check-point-r8110-gw-byol-mig-335-985-v20220126" +image_name = "check-point-r8120-gw-byol-mig-631-991001335-v20230622" +os_version = "R8120" management_nic = "Ephemeral Public IP (eth0)" management_name = "tf-checkpoint-management" configuration_template_name = "tf-asg-autoprov-tmplt" +generate_password = true admin_SSH_key = "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" +maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" network_defined_by_routes = true admin_shell = "/etc/cli.sh" allow_upload_download = true @@ -166,13 +164,17 @@ Please leave empty list for a protocol if you want to disable traffic for it. | service_account_path | User service account path in JSON format - From the service account key page in the Cloud Console choose an existing account or create a new one. Next, download the JSON key file. Name it something you can remember, store it somewhere secure on your machine, and supply the path to the location is stored. (e.g. "service-accounts/service-account-name.json") | string | N/A | "" | yes | | project | Personal project id. The project indicates the default GCP project all of your resources will be created in. | string | N/A | "" | yes | | | | | | | -| prefix | (Optional) Resources name prefix. | string | N/A | "chkp-tf-mig" | no | +| prefix | (Optional) Resources name prefix.
Note: resource name must not contain reserved words based on: sk40179. | string | N/A | "chkp-tf-mig" | no | | license | Checkpoint license (BYOL or PAYG). | string | - BYOL
- PAYG
| "BYOL" | no | -| image_name | The autoscaling (MIG) image name (e.g. check-point-r8110-gw-byol-mig-335-985-v20220126). You can choose the desired mig image value from [Github](https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/autoscale-byol/images.py). | string | N/A | N/A | yes | +| image_name | The autoscaling (MIG) image name (e.g. check-point-r8120-gw-byol-mig-631-991001335-v20230622). You can choose the desired mig image value from [Github](https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/autoscale-byol/images.py). | string | N/A | N/A | yes | +| os_version |GAIA OS Version | string | R81;
R8110;
R8120 | R8120 | yes | +| | | | | | | management_nic | Management Interface - Autoscaling Security Gateways in GCP can be managed by an ephemeral public IP or using the private IP of the internal interface (eth1). | string | Ephemeral Public IP (eth0)
- Private IP (eth1) | "Ephemeral Public IP (eth0)" | no | | management_name | The name of the Security Management Server as appears in autoprovisioning configuration. (Please enter a valid Security Management name including lowercase letters, digits and hyphens only). | string | N/A | "checkpoint-management" | no | | configuration_template_name | Specify the provisioning configuration template name (for autoprovisioning). (Please enter a valid autoprovisioing configuration template name including lowercase letters, digits and hyphens only). | string | N/A | "gcp-asg-autoprov-tmplt" | no | +| generate_password | Automatically generate an administrator password. | bool | true/false | false | no | | admin_SSH_key | Public SSH key for the user 'admin' - The SSH public key for SSH authentication to the MIG instances. Leave this field blank to use all project-wide pre-configured SSH keys. | string | A valid public ssh key | "" | no | +| maintenance_mode_password_hash | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here. | string | N/A | "" | no | | network_defined_by_routes | Set eth1 topology to define the networks behind this interface by the routes configured on the gateway. | bool | true/false | true | no | | admin_shell | Change the admin shell to enable advanced command line configuration. | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | "/etc/cli.sh" | no | | allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | @@ -197,6 +199,7 @@ Please leave empty list for a protocol if you want to disable traffic for it. | enable_monitoring | Enable Stackdriver monitoring | bool | true/false | false | no | + ## Outputs | Name | Description | | ------------- | ------------- | @@ -212,12 +215,13 @@ Please leave empty list for a protocol if you want to disable traffic for it. | SCTP_firewall_rules_name | If enable - the SCTP firewall rules name, otherwise, an empty list. | | ESP_firewall_rules_name | If enable - the ESP firewall rules name, otherwise, an empty list. | - ## Revision History In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) | Template Version | Description | | ---------------- | ------------- | +| 20230910 | - R81.20 is the default version | +| | | | | 20230109 | Updated startup script to use cloud-config. | | | | | | 20201208 | First release of Check Point CloudGuard IaaS Auto Scaling Group of Check Point Security Gateways Terraform solution into an existing VPC on GCP. | diff --git a/terraform/gcp/autoscale-into-existing-vpc/locals.tf b/terraform/gcp/autoscale-into-existing-vpc/locals.tf index 058d0689..9687f394 100755 --- a/terraform/gcp/autoscale-into-existing-vpc/locals.tf +++ b/terraform/gcp/autoscale-into-existing-vpc/locals.tf 
@@ -9,6 +9,14 @@ locals { // will fail if the image name is not in the right syntax
 validate_image_name = length(regexall(local.regex_validate_image_name, var.image_name)) > 0 ? 0 : index(split("-", var.image_name), "INVALID IMAGE NAME")
+ version_allowed_values = [
+ "R81",
+ "R8110",
+ "R8120"
+ ]
+ // Will fail if var.os_version is invalid:
+ validate_os_version = index(local.version_allowed_values, var.os_version)
+
 management_nic_allowed_values = [ "Ephemeral Public IP (eth0)", "Private IP (eth1)"]
@@ -48,6 +56,7 @@ locals {
+ adminPasswordSourceMetadata = var.generate_password ? random_string.generated_password.result : ""
 disk_type_condition = var.disk_type == "SSD Persistent Disk" ? "pd-ssd" : var.disk_type == "Balanced Persistent Disk" ? "pd-balanced" : var.disk_type == "Standard Persistent Disk" ? "pd-standard" : ""
 mgmt_nic_condition = var.management_nic == "Ephemeral Public IP (eth0)" ? true : false
 mgmt_nic_ip_address_condition = local.mgmt_nic_condition ? "x-chkp-ip-address--public" : "x-chkp-ip-address--private"
diff --git a/terraform/gcp/autoscale-into-existing-vpc/main.tf b/terraform/gcp/autoscale-into-existing-vpc/main.tf
index 24548144..b854e133 100755
--- a/terraform/gcp/autoscale-into-existing-vpc/main.tf
+++ b/terraform/gcp/autoscale-into-existing-vpc/main.tf
@@ -20,7 +20,10 @@ resource "random_string" "random_sic_key" {
 length = 12
 special = false
 }
-
+resource "random_string" "generated_password" {
+ length = 12
+ special = false
+}
 resource "google_compute_instance_template" "instance_template" {
 name = "${var.prefix}-tmplt-${random_string.random_string.result}"
 machine_type = var.machine_type
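Review bot: `adminPasswordSourceMetadata` is introduced as a local here, but the main.tf hunk in this same commit (the `metadata = local.admin_SSH_key_condition ? { ... }` block) inlines `var.generate_password ? random_string.generated_password.result : ""` twice instead of reading `local.adminPasswordSourceMetadata`, so the local is dead and the three copies of the expression can drift. Either reference the local at both metadata sites or drop it. The `locals` block continues outside the hunk.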
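Review bot: `random_string.generated_password` is the source of the administrator password, but `random_string` is not marked sensitive, so the 12-character value is printed in plan/apply output and CI logs; it is stored in cleartext in state regardless, and the metadata hunk later in this file then places it in instance metadata as `adminPasswordSourceMetadata`, where anything able to read the instance's metadata can see it. Prefer `resource "random_password" "generated_password" {` from the same provider, whose `result` is sensitive, update the references in locals.tf and main.tf accordingly, and consider a length above 12 for an alphanumeric-only value. If `special = false` and `length = 12` are dictated by the gateway's password rules, a comment on the resource saying so would stop a later reader from "fixing" them.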
@@ -81,9 +84,18 @@ resource "google_compute_instance_template" "instance_template" {
 local.network_defined_by_routes_condition, local.network_defined_by_routes_settings_condition]
+ metadata = local.admin_SSH_key_condition ? {
+ serial-port-enable = "true"
+ instanceSSHKey = var.admin_SSH_key
+ adminPasswordSourceMetadata = var.generate_password ?random_string.generated_password.result : ""
+ } : {
+ serial-port-enable = "true"
+ adminPasswordSourceMetadata = var.generate_password?random_string.generated_password.result : ""
+ }
+
 metadata_startup_script = templatefile("${path.module}/../common/startup-script.sh", {
 // script's arguments
- generatePassword = "false"
+ generatePassword = var.generate_password
 config_url = ""
 config_path = ""
 sicKey = ""
@@ -106,14 +118,9 @@ resource "google_compute_instance_template" "instance_template" {
 name = ""
 zoneConfig = ""
 region = ""
+ os_version = var.os_version
+ maintenance_mode_password_hash = var.maintenance_mode_password_hash
 })
-
- metadata = local.admin_SSH_key_condition ? {
- serial-port-enable = "true"
- instanceSSHKey = var.admin_SSH_key
- } : {
- serial-port-enable = "true"
- }
 }
 resource "google_compute_firewall" "ICMP_firewall_rules" {
diff --git a/terraform/gcp/autoscale-into-existing-vpc/terraform.tfvars b/terraform/gcp/autoscale-into-existing-vpc/terraform.tfvars
index dfb828db..2f402aa6 100755
--- a/terraform/gcp/autoscale-into-existing-vpc/terraform.tfvars
+++ b/terraform/gcp/autoscale-into-existing-vpc/terraform.tfvars
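Review bot: The two branches of the new `metadata` conditional repeat `serial-port-enable` and `adminPasswordSourceMetadata`, and the two ternaries are spelled inconsistently (`?random_string...` and `generate_password?random_string...` without spaces), which `terraform fmt` does not normalise; the `adminPasswordSourceMetadata` local that this commit adds in locals.tf is also not used here. Building the map once with `merge()` and adding the SSH key conditionally removes both copies. `generatePassword` now receives a bool where the removed line passed the string `"false"`; templatefile renders it as `true`/`false`, which presumably matches what startup-script.sh compares against, but that is worth confirming since the script is not in this diff. The resource block continues outside the hunk.
```hcl
  metadata = merge(
    {
      serial-port-enable          = "true"
      adminPasswordSourceMetadata = local.adminPasswordSourceMetadata
    },
    local.admin_SSH_key_condition ? { instanceSSHKey = var.admin_SSH_key } : {}
  )
  // … unchanged: metadata_startup_script = templatefile(...) …
```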
@@ -1,36 +1,39 @@ # --- Google Provider --- -service_account_path = "PLEASE ENTER SERVICE ACCOUNT PATH" # "service-accounts/service-account-file-name.json" -project = "PLEASE ENTER PROJECT ID" # "project-id" +service_account_path = "PLEASE ENTER SERVICE ACCOUNT PATH" # "service-accounts/service-account-file-name.json" +project = "PLEASE ENTER PROJECT ID" # "project-id" # --- Check Point--- -prefix = "PLEASE ENTER PREFIX" # "chkp-tf-mig" -license = "PLEASE ENTER LICENSE" # "BYOL" -image_name = "PLEASE ENTER IMAGE NAME" # "check-point-r8110-gw-byol-mig-335-985-v20220126" -management_nic = "PLEASE ENTER MANAGEMENT INTERFACE" # "Ephemeral Public IP (eth0)" -management_name = "PLEASE ENTER MANAGEMENT NAME" # "tf-checkpoint-management" -configuration_template_name = "PLEASE ENTER CONFIGURATION TEMPLATE NAME" # "tf-asg-autoprov-tmplt" -admin_SSH_key = "PLEASE ENTER ADMIN SSH KEY" # "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" -network_defined_by_routes = "PLEASE ENTER true OR false" # true -admin_shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh" -allow_upload_download = "PLEASE ENTER true OR false" # true +prefix = "PLEASE ENTER PREFIX" # "chkp-tf-mig" +license = "PLEASE ENTER LICENSE" # "BYOL" +image_name = "PLEASE ENTER IMAGE NAME" # "check-point-r8120-gw-byol-mig-631-991001335-v20230622" +os_version = "PLEASE ENTER GAIA OS VERSION" # "R8120" +management_nic = "PLEASE ENTER MANAGEMENT INTERFACE" # "Ephemeral Public IP (eth0)" +management_name = "PLEASE ENTER MANAGEMENT NAME" # "tf-checkpoint-management" +configuration_template_name = "PLEASE ENTER CONFIGURATION TEMPLATE NAME" # "tf-asg-autoprov-tmplt" +generate_password = "PLEASE ENTER true or false" # false +admin_SSH_key = "PLEASE ENTER ADMIN SSH KEY" # "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" +maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +network_defined_by_routes = "PLEASE ENTER true OR false" # true +admin_shell = 
"PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh" +allow_upload_download = "PLEASE ENTER true OR false" # true # --- Networking --- -region = "PLEASE ENTER REGION" # "us-central1" -external_network_name = "PLEASE ENTER EXTERNAL NETWORK NAME" # "default" -external_subnetwork_name = "PLEASE ENTER EXTERNAL SUBNETWORK NAME" # "default" -internal_network_name = "PLEASE ENTER INTERNAL NETWORK NAME" # "tf-vpc-network" -internal_subnetwork_name = "PLEASE ENTER INTERNAL SUBNETWORK NAME" # "tf-vpc-subnetwork" -ICMP_traffic = "PLEASE ENTER ICMP SOURCE IP RANGES" # ["123.123.0.0/24", "234.234.0.0/24"] -TCP_traffic = "PLEASE ENTER TCP SOURCE IP RANGES" # ["0.0.0.0/0"] -UDP_traffic = "PLEASE ENTER UDP SOURCE IP RANGES" # [] -SCTP_traffic = "PLEASE ENTER SCTP SOURCE IP RANGES" # [] -ESP_traffic = "PLEASE ENTER ESP SOURCE IP RANGES" # [] +region = "PLEASE ENTER REGION" # "us-central1" +external_network_name = "PLEASE ENTER EXTERNAL NETWORK NAME" # "default" +external_subnetwork_name = "PLEASE ENTER EXTERNAL SUBNETWORK NAME" # "default" +internal_network_name = "PLEASE ENTER INTERNAL NETWORK NAME" # "tf-vpc-network" +internal_subnetwork_name = "PLEASE ENTER INTERNAL SUBNETWORK NAME" # "tf-vpc-subnetwork" +ICMP_traffic = "PLEASE ENTER ICMP SOURCE IP RANGES" # ["123.123.0.0/24", "234.234.0.0/24"] +TCP_traffic = "PLEASE ENTER TCP SOURCE IP RANGES" # ["0.0.0.0/0"] +UDP_traffic = "PLEASE ENTER UDP SOURCE IP RANGES" # [] +SCTP_traffic = "PLEASE ENTER SCTP SOURCE IP RANGES" # [] +ESP_traffic = "PLEASE ENTER ESP SOURCE IP RANGES" # [] # --- Instance Configuration --- -machine_type = "PLEASE ENTER MACHINE TYPE" # "n1-standard-4" -cpu_usage = "PLEASE ENTER CPU USAGE" # 60 -instances_min_grop_size = "PLEASE ENTER INSTANCES MIN GROP SIZE" # 2 -instances_max_grop_size = "PLEASE ENTER INSTANCES MAX GROP SIZE" # 10 -disk_type = "PLEASE ENTER DISK TYPE" # "SSD Persistent Disk" -disk_size = "PLEASE ENTER DISK SIZE" # 100 -enable_monitoring = "PLEASE ENTER true OR false" # false \ No newline at end of file 
+machine_type = "PLEASE ENTER MACHINE TYPE" # "n1-standard-4"
+cpu_usage = "PLEASE ENTER CPU USAGE" # 60
+instances_min_grop_size = "PLEASE ENTER INSTANCES MIN GROP SIZE" # 2
+instances_max_grop_size = "PLEASE ENTER INSTANCES MAX GROP SIZE" # 10
+disk_type = "PLEASE ENTER DISK TYPE" # "SSD Persistent Disk"
+disk_size = "PLEASE ENTER DISK SIZE" # 100
+enable_monitoring = "PLEASE ENTER true OR false" # false
\ No newline at end of file
diff --git a/terraform/gcp/autoscale-into-existing-vpc/variables.tf b/terraform/gcp/autoscale-into-existing-vpc/variables.tf
index 8acd8fda..54fd97f1 100755
--- a/terraform/gcp/autoscale-into-existing-vpc/variables.tf
+++ b/terraform/gcp/autoscale-into-existing-vpc/variables.tf
@@ -25,7 +25,12 @@ variable "license" {
 }
 variable "image_name" {
 type = string
- description = "The autoscaling (MIG) image name (e.g. check-point-r8110-gw-byol-mig-335-985-v20220126). You can choose the desired mig image value from: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/autoscale-byol/images.py"
+ description = "The autoscaling (MIG) image name (e.g. check-point-r8120-gw-byol-mig-123-456-v12345678). You can choose the desired mig image value from: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/autoscale-byol/images.py"
+}
+variable "os_version" {
+ type = string
+ description = "GAIA OS version"
+ default = "R8120"
 }
 variable "management_nic" {
 type = string
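Review bot: The new `variable "os_version"` gets a default of `"R8120"` but no `validation` block; its allowed values are enforced only indirectly by `local.validate_os_version` in locals.tf (added by this commit), whose failure surfaces as an `index` error that does not name the accepted values. A `validation` block on the variable with `condition = contains(["R81", "R8110", "R8120"], var.os_version)` and an `error_message` listing those three values would fail at plan time with a readable message and keep the rule next to the variable it governs. The description `"GAIA OS version"` could list the accepted values as well.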
@@ -47,6 +52,16 @@ variable "admin_SSH_key" {
 description = "(Optional) The SSH public key for SSH authentication to the MIG instances. Leave this field blank to use all project-wide pre-configured SSH keys."
 default = ""
 }
+variable "generate_password" {
+ type = bool
+ description = "Automatically generate an administrator password"
+ default = false
+}
+variable "maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash, relevant only for R81.20 and higher versions"
+ type = string
+ default = ""
+}
 variable "network_defined_by_routes" {
 type = bool
 description = "Set eth1 topology to define the networks behind this interface by the routes configured on the gateway."
diff --git a/terraform/gcp/autoscale-into-new-vpc/README.md b/terraform/gcp/autoscale-into-new-vpc/README.md
index 3439418c..3958865d 100755
--- a/terraform/gcp/autoscale-into-new-vpc/README.md
+++ b/terraform/gcp/autoscale-into-new-vpc/README.md
@@ -121,11 +121,14 @@ project = "project-id"
 # --- Check Point---
 prefix = "chkp-tf-mig"
 license = "BYOL"
-image_name = "check-point-r8110-gw-byol-mig-335-985-v20220126"
+image_name = "check-point-r8120-gw-byol-mig-631-991001335-v20230622"
+os_version = "R8120"
 management_nic = "Ephemeral Public IP (eth0)"
 management_name = "tf-checkpoint-management"
 configuration_template_name = "tf-asg-autoprov-tmplt"
+generate_password = true
 admin_SSH_key = "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key"
+maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
 network_defined_by_routes = true
 admin_shell = "/etc/cli.sh"
 allow_upload_download = true
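Review bot: The new `variable "maintenance_mode_password_hash"` carries a password hash but is not declared `sensitive = true`, so its value is echoed in plan/apply output and in CI logs; state still stores it, and it also reaches instance metadata through the templatefile arguments in main.tf, which `sensitive` does not change. Add `sensitive = true` to the block. The description could also state the expected format (the README row in this commit says a `grub2-mkpasswd-pbkdf2` hash) so an operator does not paste a plaintext password into it.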
@@ -172,13 +175,17 @@ Please leave empty list for a protocol if you want to disable traffic for it. | service_account_path | User service account path in JSON format - From the service account key page in the Cloud Console choose an existing account or create a new one. Next, download the JSON key file. Name it something you can remember, store it somewhere secure on your machine, and supply the path to the location is stored. (e.g. "service-accounts/service-account-name.json") | string | N/A | "" | yes | | project | Personal project id. The project indicates the default GCP project all of your resources will be created in. | string | N/A | "" | yes | | | | | | | -| prefix | (Optional) Resources name prefix. | string | N/A | "chkp-tf-mig" | no | +| prefix | (Optional) Resources name prefix.
Note: resource name must not contain reserved words based on: sk40179. | string | N/A | "chkp-tf-mig" | no | | license | Checkpoint license (BYOL or PAYG). | string | - BYOL
- PAYG
| "BYOL" | no | -| image_name | The autoscaling (MIG) image name (e.g. check-point-r8110-gw-byol-mig-335-985-v20220126). You can choose the desired mig image value from [Github](https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/autoscale-byol/images.py). | string | N/A | N/A | yes | +| image_name | The autoscaling (MIG) image name (e.g. check-point-r8120-gw-byol-mig-631-991001335-v20230622). You can choose the desired mig image value from [Github](https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/autoscale-byol/images.py). | string | N/A | N/A | yes | +| os_version |GAIA OS Version | string | R81;
R8110;
R8120 | R8120 | yes | +| | | | | | | management_nic | Management Interface - Autoscaling Security Gateways in GCP can be managed by an ephemeral public IP or using the private IP of the internal interface (eth1). | string | Ephemeral Public IP (eth0)
- Private IP (eth1) | "Ephemeral Public IP (eth0)" | no | | management_name | The name of the Security Management Server as appears in autoprovisioning configuration. (Please enter a valid Security Management name including lowercase letters, digits and hyphens only). | string | N/A | "checkpoint-management" | no | | configuration_template_name | Specify the provisioning configuration template name (for autoprovisioning). (Please enter a valid autoprovisioing configuration template name including lowercase letters, digits and hyphens only). | string | N/A | "gcp-asg-autoprov-tmplt" | no | +| generate_password | Automatically generate an administrator password. | bool | true/false | false | no | | admin_SSH_key | Public SSH key for the user 'admin' - The SSH public key for SSH authentication to the MIG instances. Leave this field blank to use all project-wide pre-configured SSH keys. | string | A valid public ssh key | "" | no | +| maintenance_mode_password_hash | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here. | string | | "" | no | | network_defined_by_routes | Set eth1 topology to define the networks behind this interface by the routes configured on the gateway. | bool | true/false | true | no | | admin_shell | Change the admin shell to enable advanced command line configuration. | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | "/etc/cli.sh" | no | | allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | @@ -226,6 +233,8 @@ In order to check the template version refer to the [sk116585](https://supportce | Template Version | Description | | ---------------- | ------------- | +| 20230910 | - R81.20 is the default version | +| | | | | 20230109 | Updated startup script to use cloud-config. | | | | | | 20201208 | First release of Check Point CloudGuard IaaS Auto Scaling Group of Check Point Security Gateways Terraform solution into a new VPC on GCP. | diff --git a/terraform/gcp/autoscale-into-new-vpc/locals.tf b/terraform/gcp/autoscale-into-new-vpc/locals.tf index 451bbd93..d49e09c4 100755 --- a/terraform/gcp/autoscale-into-new-vpc/locals.tf +++ b/terraform/gcp/autoscale-into-new-vpc/locals.tf @@ -9,6 +9,14 @@ locals { // will fail if the image name is not in the right syntax validate_image_name = length(regexall(local.regex_validate_image_name, var.image_name)) > 0 ? 0 : index(split("-", var.image_name), "INVALID IMAGE NAME") + version_allowed_values = [ + "R81", + "R8110", + "R8120" + ] + // Will fail if var.os_version is invalid: + validate_os_version = index(local.version_allowed_values, var.os_version) + management_nic_allowed_values = [ "Ephemeral Public IP (eth0)", "Private IP (eth1)"] diff --git a/terraform/gcp/autoscale-into-new-vpc/main.tf b/terraform/gcp/autoscale-into-new-vpc/main.tf index 16ec2197..180ff6c3 100755 --- a/terraform/gcp/autoscale-into-new-vpc/main.tf +++ b/terraform/gcp/autoscale-into-new-vpc/main.tf 
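Review bot: `validate_os_version = index(local.version_allowed_values, var.os_version)` rejects a bad value with the generic "item not found" failure of `index()`, which does not name `os_version`, and the allowed list is duplicated into every module's locals.tf (the high-availability locals.tf hunk in this commit repeats it verbatim). A `validation` block on `variable "os_version"` itself gives a targeted message and keeps the list next to the declaration: `condition = contains(["R81", "R8110", "R8120"], var.os_version)` with `error_message = "os_version must be one of R81, R8110 or R8120."`. The `locals` block starts and continues outside this hunk.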
@@ -17,6 +17,7 @@ resource "google_compute_network" "external_network" {
 resource "google_compute_subnetwork" "external_subnetwork" {
 name = "${var.prefix}-ext-subnet-${random_string.mig_random_string.result}"
 ip_cidr_range = var.external_subnetwork_ip_cidr_range
+ private_ip_google_access = true
 region = var.region
 network = google_compute_network.external_network.id
 }
@@ -28,6 +29,7 @@ resource "google_compute_network" "internal_network" {
 resource "google_compute_subnetwork" "internal_subnetwork" {
 name = "${var.prefix}-int-subnet-${random_string.mig_random_string.result}"
 ip_cidr_range = var.internal_subnetwork_ip_cidr_range
+ private_ip_google_access = true
 region = var.region
 network = google_compute_network.internal_network.id
 }
@@ -42,10 +44,13 @@ module "autoscale-into-existing-vpc" {
 # --- Check Point---
 prefix = var.prefix
 image_name = var.image_name
+ os_version = var.os_version
 management_nic = var.management_nic
 management_name = var.management_name
 configuration_template_name = var.configuration_template_name
+ generate_password = var.generate_password
 admin_SSH_key = var.admin_SSH_key
+ maintenance_mode_password_hash = var.maintenance_mode_password_hash
 network_defined_by_routes = var.network_defined_by_routes
 admin_shell = var.admin_shell
 allow_upload_download = var.allow_upload_download
diff --git a/terraform/gcp/autoscale-into-new-vpc/terraform.tfvars b/terraform/gcp/autoscale-into-new-vpc/terraform.tfvars
index 48fe765a..a7e7eb72 100755
--- a/terraform/gcp/autoscale-into-new-vpc/terraform.tfvars
+++ b/terraform/gcp/autoscale-into-new-vpc/terraform.tfvars
@@ -5,11 +5,14 @@ project = "PLEASE ENTER PROJECT ID"
 # --- Check Point---
 prefix = "PLEASE ENTER PREFIX" # "chkp-tf-mig"
 license = "PLEASE ENTER LICENSE" # "BYOL"
-image_name = "PLEASE ENTER IMAGE NAME" # "check-point-r8110-gw-byol-mig-335-985-v20220126"
+image_name = "PLEASE ENTER IMAGE NAME" # "check-point-r8120-gw-byol-mig-631-991001335-v20230622"
+os_version = "PLEASE ENTER GAIA OS VERSION" # "R8120"
 management_nic = "PLEASE ENTER MANAGEMENT INTERFACE" # "Ephemeral Public IP (eth0)"
 management_name = "PLEASE ENTER MANAGEMENT NAME" # "tf-checkpoint-management"
 configuration_template_name = "PLEASE ENTER CONFIGURATION TEMPLATE NAME" # "tf-asg-autoprov-tmplt"
+generate_password = "PLEASE ENTER true or false" # false
 admin_SSH_key = "PLEASE ENTER ADMIN SSH KEY" # "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key"
+maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
 network_defined_by_routes = "PLEASE ENTER true OR false" # true
 admin_shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh"
 allow_upload_download = "PLEASE ENTER true OR false" # true
diff --git a/terraform/gcp/autoscale-into-new-vpc/variables.tf b/terraform/gcp/autoscale-into-new-vpc/variables.tf
index f19a77d2..e929d1ff 100755
--- a/terraform/gcp/autoscale-into-new-vpc/variables.tf
+++ b/terraform/gcp/autoscale-into-new-vpc/variables.tf
@@ -25,7 +25,12 @@ variable "license" {
 }
 variable "image_name" {
 type = string
- description = "The autoscaling (MIG) image name (e.g. check-point-r8110-gw-byol-mig-335-985-v20220126). You can choose the desired mig image value from: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/autoscale-byol/images.py"
+ description = "The autoscaling (MIG) image name (e.g. check-point-r8120-gw-byol-mig-123-456-v12345678). You can choose the desired mig image value from: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/autoscale-byol/images.py"
+}
+variable "os_version" {
+ type = string
+ description = "GAIA OS version"
+ default = "R8120"
 }
 variable "management_nic" {
 type = string
@@ -42,11 +47,21 @@ variable "configuration_template_name" {
 description = "Specify the provisioning configuration template name (for autoprovisioning). (Please enter a valid autoprovisioing configuration template name including ascii characters only)"
 default = "tf-asg-autoprov-tmplt"
 }
+variable "generate_password" {
+ type = bool
+ description = "Automatically generate an administrator password"
+ default = false
+}
 variable "admin_SSH_key" {
 type = string
 description = "(Optional) The SSH public key for SSH authentication to the MIG instances. Leave this field blank to use all project-wide pre-configured SSH keys."
 default = ""
 }
+variable "maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash, relevant only for R81.20 and higher versions"
+ type = string
+ default = ""
+}
 variable "network_defined_by_routes" {
 type = bool
 description = "Set eth1 topology to define the networks behind this interface by the routes configured on the gateway."
diff --git a/terraform/gcp/common/cluster-member/main.tf b/terraform/gcp/common/cluster-member/main.tf
index c740f8b3..c5ae7eda 100755
--- a/terraform/gcp/common/cluster-member/main.tf
+++ b/terraform/gcp/common/cluster-member/main.tf
@@ -109,7 +109,7 @@ resource "google_compute_instance" "cluster_member" {
 sicKey = var.sic_key
 allowUploadDownload = var.allow_upload_download
 templateName = "cluster_tf"
- templateVersion = "20230109"
+ templateVersion = "20230910"
 templateType = "terraform"
 mgmtNIC = ""
 hasInternet = "true"
@@ -126,5 +126,7 @@ resource "google_compute_instance" "cluster_member" {
 name = var.member_name
 zoneConfig = var.zone
 region = var.region
+ os_version = var.os_version
+ maintenance_mode_password_hash = var.maintenance_mode_password_hash
 })
 }
\ No newline at end of file
diff --git a/terraform/gcp/common/cluster-member/variables.tf b/terraform/gcp/common/cluster-member/variables.tf
index 51b0e1d9..333e509f 100755
--- a/terraform/gcp/common/cluster-member/variables.tf
+++ b/terraform/gcp/common/cluster-member/variables.tf
@@ -31,7 +31,12 @@ variable "disk_type" {
 }
 variable "image_name" {
 type = string
- description = "The High Availability (cluster) image name (e.g. check-point-r8110-gw-byol-cluster-335-985-v20220126). You can choose the desired cluster image value from: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/ha-byol/images.py"
+ description = "The High Availability (cluster) image name (e.g. check-point-r8120-gw-byol-cluster-123-456-v12345678). You can choose the desired cluster image value from: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/ha-byol/images.py"
+}
+variable "os_version" {
+ type = string
+ description = "GAIA OS version"
+ default = "R8120"
 }
 variable "cluster_network" {
 type = list(string)
@@ -158,6 +163,11 @@ variable "smart_1_cloud_token_b" { description ="(Optional) Smart-1 cloud token for member B to connect this Gateway to Check Point's Security Management as a Service" default = "" } +variable "maintenance_mode_password_hash" { + description = "Maintenance mode password hash, relevant only for R81.20 and higher versions" + type = string + default = "" +} variable "management_network" { type = string description = "Security Management Server address - The public address of the Security Management Server, in CIDR notation. If using Smart-1 Cloud management, insert 'S1C'. VPN peers addresses cannot be in this CIDR block, so this value cannot be the zero-address." diff --git a/terraform/gcp/common/members-a-b/main.tf b/terraform/gcp/common/members-a-b/main.tf index d40ae6d1..8424e7d8 100755 --- a/terraform/gcp/common/members-a-b/main.tf +++ b/terraform/gcp/common/members-a-b/main.tf @@ -39,6 +39,8 @@ module "member_a" { secondary_cluster_address_name = var.secondary_cluster_address_name smart_1_cloud_token_a = var.smart_1_cloud_token_a smart_1_cloud_token_b = var.smart_1_cloud_token_b + os_version = var.os_version + maintenance_mode_password_hash = var.maintenance_mode_password_hash } module "member_b" { @@ -82,4 +84,6 @@ module "member_b" { secondary_cluster_address_name = var.secondary_cluster_address_name smart_1_cloud_token_a = var.smart_1_cloud_token_a smart_1_cloud_token_b = var.smart_1_cloud_token_b + os_version = var.os_version + maintenance_mode_password_hash = var.maintenance_mode_password_hash } diff --git a/terraform/gcp/common/members-a-b/variables.tf b/terraform/gcp/common/members-a-b/variables.tf index 4a5b6e04..6fa8b30c 100755 --- a/terraform/gcp/common/members-a-b/variables.tf +++ b/terraform/gcp/common/members-a-b/variables.tf 
@@ -34,6 +34,11 @@ variable "image_name" { type = string description = "The High Availability (cluster) image name (e.g. check-point-r8110-gw-byol-cluster-335-985-v20220126). You can choose the desired cluster image value from: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/ha-byol/images.py" } +variable "os_version" { + type = string + description = "GAIA OS version" + default = "R8120" +} variable "cluster_network" { type = list(string) description = "Cluster external network ID in the chosen zone." @@ -159,6 +164,11 @@ variable "smart_1_cloud_token_b" { description ="(Optional) Smart-1 cloud token for member B to connect this Gateway to Check Point's Security Management as a Service" default = "" } +variable "maintenance_mode_password_hash" { + description = "Maintenance mode password hash, relevant only for R81.20 and higher versions" + type = string + default = "" +} variable "management_network" { type = string description = "Security Management Server address - The public address of the Security Management Server, in CIDR notation. If using Smart-1 Cloud management, insert 'S1C'. VPN peers addresses cannot be in this CIDR block, so this value cannot be the zero-address." diff --git a/terraform/gcp/common/startup-script.sh b/terraform/gcp/common/startup-script.sh index 196a04e3..c8192303 100755 --- a/terraform/gcp/common/startup-script.sh +++ b/terraform/gcp/common/startup-script.sh 
@@ -1,3 +1,3 @@
 #cloud-config
 runcmd:
- - 'python3 /etc/cloud_config.py generatePassword=\"${generatePassword}\" allowUploadDownload=\"${allowUploadDownload}\" templateName=\"${templateName}\" templateVersion=\"${templateVersion}\" mgmtNIC="X${mgmtNIC}X" hasInternet=\"${hasInternet}\" config_url=\"${config_url}\" config_path=\"${config_path}\" installationType="X${installationType}X" enableMonitoring=\"${enableMonitoring}\" shell=\"${shell}\" computed_sic_key=\"${computed_sic_key}\" sicKey=\"${sicKey}\" managementGUIClientNetwork=\"${managementGUIClientNetwork}\" primary_cluster_address_name=\"${primary_cluster_address_name}\" secondary_cluster_address_name=\"${secondary_cluster_address_name}\" managementNetwork=\"${managementNetwork}\" numAdditionalNICs=\"${numAdditionalNICs}\" smart1CloudToken="X${smart_1_cloud_token}X" name=\"${name}\" zone=\"${zoneConfig}\" region=\"${region}\"'
\ No newline at end of file
+ - 'python3 /etc/cloud_config.py generatePassword=\"${generatePassword}\" allowUploadDownload=\"${allowUploadDownload}\" templateName=\"${templateName}\" templateVersion=\"${templateVersion}\" mgmtNIC="X${mgmtNIC}X" hasInternet=\"${hasInternet}\" config_url=\"${config_url}\" config_path=\"${config_path}\" installationType="X${installationType}X" enableMonitoring=\"${enableMonitoring}\" shell=\"${shell}\" computed_sic_key=\"${computed_sic_key}\" sicKey=\"${sicKey}\" managementGUIClientNetwork=\"${managementGUIClientNetwork}\" primary_cluster_address_name=\"${primary_cluster_address_name}\" secondary_cluster_address_name=\"${secondary_cluster_address_name}\" managementNetwork=\"${managementNetwork}\" numAdditionalNICs=\"${numAdditionalNICs}\" smart1CloudToken="X${smart_1_cloud_token}X" name=\"${name}\" zone=\"${zoneConfig}\" region=\"${region}\" osVersion=\"${os_version}\" MaintenanceModePassword=\"${maintenance_mode_password_hash}\"'
\ No newline at end of file
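Review bot: `MaintenanceModePassword=\"${maintenance_mode_password_hash}\"` is interpolated verbatim by `templatefile` into the single-quoted runcmd entry, and the `\"…\"` escaping on every argument shows this line is meant to be parsed by a shell, so a supplied value containing `'`, `"` or `$` changes the command rather than the argument; the pre-existing arguments share this weakness, but this is the first free-form secret-like user value added to the line. Since none of those characters occur in a `grub2-mkpasswd-pbkdf2` hash, a prefix check on the Terraform variable (value empty or starting with `grub.pbkdf2.`) is the cheapest guard. The argument name says `Password` while the value is a hash; if `/etc/cloud_config.py` (not in this diff) can be adjusted, `MaintenanceModePasswordHash` would be less likely to be mistaken for cleartext. Be aware that the hash travels on the python3 command line, which cloud-init persists to disk and which is visible in the process list while it runs, in addition to the instance metadata the whole cloud-config is delivered through — the same exposure `sicKey` already has.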
diff --git a/terraform/gcp/high-availability/README.md b/terraform/gcp/high-availability/README.md index 03e9d97b..d83af628 100755 --- a/terraform/gcp/high-availability/README.md +++ b/terraform/gcp/high-availability/README.md @@ -46,17 +46,20 @@ provider "google" { compute.firewalls.create compute.firewalls.delete compute.firewalls.get - compute.images.get - compute.images.useReadOnly + compute.firewalls.update compute.instances.create compute.instances.delete compute.instances.get + compute.instances.setLabels + compute.instances.setMachineType compute.instances.setMetadata compute.instances.setServiceAccount compute.instances.setTags + compute.instances.updateNetworkInterface compute.networks.create compute.networks.delete compute.networks.get + compute.networks.list compute.networks.updatePolicy compute.regions.list compute.subnetworks.create @@ -65,11 +68,7 @@ provider "google" { compute.subnetworks.use compute.subnetworks.useExternalIp compute.zones.get - iam.serviceAccountKeys.get - iam.serviceAccountKeys.list iam.serviceAccounts.actAs - iam.serviceAccounts.get - iam.serviceAccounts.list ``` 3. ```credentials``` - Your service account key file is used to complete a two-legged OAuth 2.0 flow to obtain access tokens to authenticate with the GCP API as needed; Terraform will use it to reauthenticate automatically when tokens expire.
The provider credentials can be provided either as static credentials or as [Environment Variables](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#credentials-1). @@ -118,7 +117,8 @@ project = "project-id" # --- Check Point Deployment --- prefix = "chkp-tf-ha" license = "BYOL" -image_name = "check-point-r8110-gw-byol-cluster-335-985-v20220126" +image_name = "check-point-r8120-gw-byol-cluster-631-991001335-v20230622" +os_version = "R8120" # --- Instances Configuration --- region = "us-central1" @@ -135,7 +135,8 @@ management_network = "209.87.209.100/32" sic_key = "aaaaaaaa" generate_password = false allow_upload_download = false -admin_shell = "/bin/bash" +admin_shell = "/etc/cli.sh" +maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" #--- Quick connect to Smart-1 Cloud --- smart_1_cloud_token_a = "xxxxxxxxxxxxxxxxxxxxxxxx" @@ -226,7 +227,9 @@ internal_network1_subnetwork_name = "" | | | | | | | prefix | (Optional) Resources name prefix. | string | N/A | "chkp-tf-ha" | no | | license | Checkpoint license (BYOL or PAYG). | string | - BYOL
- PAYG
| "BYOL" | no | -| image_name | The High Availability (cluster) image name (e.g. check-point-r8110-gw-byol-cluster-335-985-v20220126). You can choose the desired cluster image value from [Github](https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/ha-byol/images.py). | string | N/A | N/A | yes | +| image_name | The High Availability (cluster) image name (e.g. check-point-r8120-gw-byol-cluster-631-991001335-v20230622). You can choose the desired cluster image value from [Github](https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/ha-byol/images.py). | string | N/A | N/A | yes | +| | | | | | +| os_version |GAIA OS Version | string | R81;
R8110;
R8120 | R8120 | yes | | | | | | | | region | GCP region | string | N/A | "us-central1" | no | | zoneA | Member A Zone. The zone determines what computing resources are available and where your data is stored and used. | string | N/A | "us-central1-a" | no | @@ -241,6 +244,7 @@ internal_network1_subnetwork_name = "" | generate_password | Automatically generate an administrator password. | bool | true/false | false | no | | allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | | admin_shell | Change the admin shell to enable advanced command line configuration. | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | "/etc/cli.sh" | no | +| maintenance_mode_password_hash | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here. | string | | "" | no | | smart_1_cloud_token_a | Smart-1 Cloud token to connect ***member A*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal.| | smart_1_cloud_token_b | Smart-1 Cloud token to connect ***member B*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501)| string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal.| | cluster_network_cidr | Cluster external subnet CIDR. If the variable's value is not empty double quotes, a new network will be created. The Cluster public IP will be translated to a private address assigned to the active member in this external network. | string | N/A | "10.0.0.0/24" | no | @@ -300,6 +304,8 @@ In order to check the template version refer to the [sk116585](https://supportce | Template Version | Description | | ---------------- | ------------- | +| 20230910 | - R81.20 is the default version | +| | | | | 20230209 | Added Smart-1 Cloud support. | | | | | | 20230109 | Updated startup script to use cloud-config. | diff --git a/terraform/gcp/high-availability/locals.tf b/terraform/gcp/high-availability/locals.tf index e764ccaf..680c7f9c 100755 --- a/terraform/gcp/high-availability/locals.tf +++ b/terraform/gcp/high-availability/locals.tf 
@@ -9,14 +9,22 @@ locals { // will fail if the image name is not in the right syntax validate_image_name = length(regexall(local.regex_validate_image_name, var.image_name)) > 0 ? 0 : index(split("-", var.image_name), "INVALID IMAGE NAME") + version_allowed_values = [ + "R81", + "R8110", + "R8120" + ] + // Will fail if var.os_version is invalid: + validate_os_version = index(local.version_allowed_values, var.os_version) + split_zoneA = split("-", var.zoneA) split_zoneB = split("-", var.zoneB) // will fail if the var.zoneA and var.zoneB are not at the same region: validate_zones = index(local.split_zoneA, local.split_zoneB[0]) == local.split_zoneA[0] && index(local.split_zoneA, local.split_zoneB[1]) == local.split_zoneA[0] ? 0 : "var.zoneA and var.zoneB are not at the same region" - regex_valid_management_network = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))|(S1C)$" + regex_valid_management_network = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))|(S1C)$" // Will fail if var.management_network is invalid - regex_management_network = regex(local.regex_valid_management_network, var.management_network) == var.management_network ? 0 : "Variable [management_network] must be a valid address in CIDR notation or 'S1C'." + regex_management_network = regex(local.regex_valid_management_network, var.management_network) == var.management_network ? 0 : "Variable [management_network] must be a valid address in CIDR notation or S1C." regex_valid_network_cidr = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))|$" diff --git a/terraform/gcp/high-availability/main.tf b/terraform/gcp/high-availability/main.tf index 821d3542..1abd6c7b 100755 --- a/terraform/gcp/high-availability/main.tf +++ b/terraform/gcp/high-availability/main.tf 
@@ -247,4 +247,6 @@ module "members_a_b" { secondary_cluster_address_name = google_compute_address.secondary_cluster_ip_ext_address.name smart_1_cloud_token_a = var.smart_1_cloud_token_a smart_1_cloud_token_b = var.smart_1_cloud_token_b + os_version = var.os_version + maintenance_mode_password_hash = var.maintenance_mode_password_hash } \ No newline at end of file diff --git a/terraform/gcp/high-availability/terraform.tfvars b/terraform/gcp/high-availability/terraform.tfvars index f888479f..bb4f9e5e 100755 --- a/terraform/gcp/high-availability/terraform.tfvars +++ b/terraform/gcp/high-availability/terraform.tfvars @@ -5,7 +5,8 @@ project = "PLEASE ENTER PROJECT ID" # --- Check Point Deployment --- prefix = "PLEASE ENTER PREFIX" # "chkp-tf-ha" license = "PLEASE ENTER LICENSE" # "BYOL" -image_name = "PLEASE ENTER IMAGE NAME" # "check-point-r8110-gw-byol-cluster-335-985-v20220126" +image_name = "PLEASE ENTER IMAGE NAME" # "check-point-r8120-gw-byol-cluster-631-991001335-v20230622" +os_version = "PLEASE ENTER GAIA OS VERSION" # "R8120" # --- Instances Configuration --- region = "PLEASE ENTER REGION" # "us-central1" @@ -23,6 +24,7 @@ sic_key = "PLEASE ENTER A SIC KEY" generate_password = "PLEASE ENTER true or false" # false allow_upload_download = "PLEASE ENTER true OR false" # true admin_shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh" +maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" # --- Quick connect to Smart-1 Cloud --- smart_1_cloud_token_a = "PASTE TOKEN FROM SMART-1 CLOUD PORTAL" # "" diff --git a/terraform/gcp/high-availability/variables.tf b/terraform/gcp/high-availability/variables.tf index a7bede31..72f4e916 100755 --- a/terraform/gcp/high-availability/variables.tf +++ b/terraform/gcp/high-availability/variables.tf 
@@ -25,9 +25,13 @@ variable "license" { } variable "image_name" { type = string - description = "The High Availability (cluster) image name (e.g. check-point-r8110-gw-byol-cluster-335-985-v20220126). You can choose the desired cluster image value from: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/ha-byol/images.py" + description = "The High Availability (cluster) image name (e.g. check-point-r8120-gw-byol-cluster-123-456-v12345678). You can choose the desired cluster image value from: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/ha-byol/images.py" +} +variable "os_version" { + type = string + description = "GAIA OS version" + default = "R8120" } - # --- Instances Configuration --- data "google_compute_regions" "available_regions" { } @@ -102,6 +106,11 @@ variable "admin_shell" { description = "Change the admin shell to enable advanced command line configuration." default = "/etc/cli.sh" } +variable "maintenance_mode_password_hash" { + description = "Maintenance mode password hash, relevant only for R81.20 and higher versions" + type = string + default = "" +} # --- Quick connect to Smart-1 Cloud --- variable "smart_1_cloud_token_a" { type = string @@ -120,6 +129,7 @@ resource "null_resource" "validate_both_tokens" { resource "null_resource" "validate_different_tokens" { count = var.smart_1_cloud_token_a != "" && var.smart_1_cloud_token_a == var.smart_1_cloud_token_b ? "To connect to Smart-1 Cloud, you must provide two different tokens" : 0 } + # --- Networking --- variable "cluster_network_cidr" { type = string diff --git a/terraform/gcp/single-into-existing-vpc/README.md b/terraform/gcp/single-into-existing-vpc/README.md index a3213acb..72bc8265 100755 --- a/terraform/gcp/single-into-existing-vpc/README.md +++ b/terraform/gcp/single-into-existing-vpc/README.md 
@@ -30,41 +30,30 @@ provider "google" { 1. [Create a Service Account](https://cloud.google.com/docs/authentication/getting-started) (or use the existing one). Next, download the JSON key file. Name it something you can remember and store it somewhere secure on your machine.
2. Select "Editor" Role or verify you have the following permissions: ``` + compute.addresses.create + compute.addresses.delete compute.addresses.get compute.addresses.use - compute.addresses.create compute.disks.create - compute.disks.delete compute.firewalls.create compute.firewalls.delete compute.firewalls.get - compute.images.get - compute.images.useReadOnly - compute.images.getFromFamily - compute.instanceTemplates.create - compute.instanceTemplates.delete - compute.instanceTemplates.get - compute.instanceTemplates.useReadOnly - compute.instances.addAccessConfig + compute.firewalls.update compute.instances.create compute.instances.delete compute.instances.get + compute.instances.setLabels + compute.instances.setMachineType compute.instances.setMetadata + compute.instances.setServiceAccount compute.instances.setTags - compute.instances.setLabels + compute.instances.updateNetworkInterface compute.networks.get compute.networks.updatePolicy - compute.regions.list - compute.subnetworks.get compute.subnetworks.use compute.subnetworks.useExternalIp compute.zones.get - iam.serviceAccountKeys.get - iam.serviceAccountKeys.list iam.serviceAccounts.actAs - iam.serviceAccounts.get - iam.serviceAccounts.list - iam.serviceAccounts.set ``` 3. ```credentials``` - Your service account key file is used to complete a two-legged OAuth 2.0 flow to obtain access tokens to authenticate with the GCP API as needed; Terraform will use it to reauthenticate automatically when tokens expire.
The provider credentials can be provided either as static credentials or as [Environment Variables](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#credentials-1). @@ -109,13 +98,15 @@ service_account_path = "service-accounts/service-account-file-name.json" project = "project-id" # --- Check Point--- -image_name = "check-point-r8110-gw-byol-single-335-985-v20220126" +image_name = "check-point-r8120-gw-byol-single-631-991001335-v20230622" +os_version = "R8120" installationType = "Gateway only" license = "BYOL" prefix = "chkp-single-tf-" management_nic = "Ephemeral Public IP (eth0)" admin_shell = "/etc/cli.sh" admin_SSH_key = "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" +maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" generatePassword = false allow_upload_download = true sicKey = "" 
@@ -178,7 +169,9 @@ Please leave empty list for a protocol if you want to disable traffic for it. | | | | | | | zone | The zone determines what computing resources are available and where your data is stored and used | string | List of allowed [Regions and Zones](https://cloud.google.com/compute/docs/regions-zones?_ga=2.31926582.-962483654.1585043745) |us-central1-a|yes| | | | | | | -| image_name |The single gateway or management image name (e.g. check-point-r8110-gw-byol-single-335-985-v20220126 for gateway or check-point-r8110-byol-335-883-v20210706 for management). You can choose the desired gateway image value from [Github](https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/single-byol/images.py).| string | N/A | N/A | yes | +| image_name |The single gateway or management image name (e.g. check-point-r8120-gw-byol-single-631-991001335-v20230622 for gateway or check-point-r8120-byol-631-991001335-v20230621 for management). You can choose the desired gateway image value from [Github](https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/single-byol/images.py).| string | N/A | N/A | yes | +| | | | | | +| os_version |GAIA OS Version | string | R81;
R8110;
R8120 | R8120 | yes | | | | | | | | installationType | Installation type and version | string |Gateway only;
Management only;
Manual Configuration
Gateway and Management (Standalone) |Gateway only|yes| | | | | | | @@ -230,6 +223,8 @@ Please leave empty list for a protocol if you want to disable traffic for it. | | | | | | | admin_SSH_key | Public SSH key for the user 'admin' - The SSH public key for SSH authentication to the instances. Leave this field blank to use all project-wide pre-configured SSH keys. | string | A valid public ssh key | "" | no | | | | | | | +| maintenance_mode_password_hash | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here. | string | | "" | no| +| | | | | | | sicKey | The Secure Internal Communication one time secret used to set up trust between the single gateway object and the management server | string | At least 8 alpha numeric characters.
If SIC is not provided and needed, a key will be automatically generated |""|no| | | | | | | | managementGUIClientNetwork | Allowed GUI clients | string | A valid IPv4 network CIDR (e.g. 0.0.0.0/0) |0.0.0.0/0|no| @@ -258,6 +253,8 @@ In order to check the template version refer to the [sk116585](https://supportce | Template Version | Description | | ---------------- | ------------- | +| 20230910 | - R81.20 is the default version | +| | | | | 20230209 | Added Smart-1 Cloud support. | | | | | | 20230109 | Updated startup script to use cloud-config. | diff --git a/terraform/gcp/single-into-existing-vpc/locals.tf b/terraform/gcp/single-into-existing-vpc/locals.tf index 39527714..3bfa4737 100755 --- a/terraform/gcp/single-into-existing-vpc/locals.tf +++ b/terraform/gcp/single-into-existing-vpc/locals.tf @@ -22,6 +22,15 @@ locals { regex_validate_single_image_name = "check-point-r8[0-1][1-4]0-gw-(byol|payg)-single-[0-9]{3}-([0-9]{3,}|[a-z]+)-v[0-9]{8,}" // will fail if the image name is not in the right syntax validate_image_name = var.installationType != "Gateway only" && length(regexall(local.regex_validate_mgmt_image_name, var.image_name)) > 0 ? 0 : (var.installationType == "Gateway only" && length(regexall(local.regex_validate_single_image_name, var.image_name)) > 0 ? 0 : index(split("-", var.image_name), "INVALID IMAGE NAME")) + + version_allowed_values = [ + "R81", + "R8110", + "R8120" + ] + // Will fail if var.os_version is invalid: + validate_os_version = index(local.version_allowed_values, var.os_version) + regex_valid_admin_SSH_key = "^(^$|ssh-rsa AAAA[0-9A-Za-z+/]+[=]{0,3})" // Will fail if var.admin_SSH_key is invalid regex_admin_SSH_key = regex(local.regex_valid_admin_SSH_key, var.admin_SSH_key) == var.admin_SSH_key ? 0 : "Please enter a valid SSH public key or leave empty" 
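Review bot: `validate_os_version = index(local.version_allowed_values, var.os_version)` rejects an unknown value only through index()'s own lookup error, which does not name the accepted values, and nothing ties `var.os_version` to the release encoded in `var.image_name` (the example image names in this commit carry `r8120`), so a mismatched pair passes validation silently. A `validation` block on `variable "os_version"` in variables.tf (its hunk `@@ -15,7 +15,12 @@` is part of this patch) gives a readable message instead: `validation { condition = contains(["R81", "R8110", "R8120"], var.os_version) error_message = "os_version must be one of R81, R8110, R8120." }`. Whether the image name should also be cross-checked against os_version depends on how the startup script consumes the two, which is outside this hunk; the enclosing `locals {` block starts and ends outside the hunk as well.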
@@ -49,7 +58,6 @@ locals { // Will fail if management_only and payg is_management_only = var.installationType == "Management only" is_license_payg = var.license == "PAYG" - validation_message = "Cannot use 'Management only' installation type with 'PAYG' license." - _= regex("^$",local.is_management_only && local.is_license_payg ? local.validation_message : "") - -} + validation_massage = "Cannot use 'Management only' installation type with 'Payg' license." + _= regex("^$",local.is_management_only && local.is_license_payg ? local.validation_massage : "") +} \ No newline at end of file diff --git a/terraform/gcp/single-into-existing-vpc/main.tf b/terraform/gcp/single-into-existing-vpc/main.tf index aeab8b93..7e34492d 100755 --- a/terraform/gcp/single-into-existing-vpc/main.tf +++ b/terraform/gcp/single-into-existing-vpc/main.tf @@ -192,7 +192,7 @@ resource "google_compute_instance" "gateway" { sicKey = "" allowUploadDownload = var.allowUploadDownload templateName = "single_tf" - templateVersion = "20230109" + templateVersion = "20230910" templateType = "terraform" hasInternet = "true" enableMonitoring = var.enableMonitoring @@ -211,6 +211,8 @@ resource "google_compute_instance" "gateway" { name = "" zoneConfig = "" region = "" + os_version = var.os_version + maintenance_mode_password_hash = var.maintenance_mode_password_hash }) } resource "google_compute_address" "static" { diff --git a/terraform/gcp/single-into-existing-vpc/terraform.tfvars b/terraform/gcp/single-into-existing-vpc/terraform.tfvars index 8ac21504..f2dd4fbe 100755 --- a/terraform/gcp/single-into-existing-vpc/terraform.tfvars +++ b/terraform/gcp/single-into-existing-vpc/terraform.tfvars 
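Review bot: The new side of the `@@ -49,7 +58,6 @@` hunk in locals.tf renames the local to the misspelled `validation_massage` and changes the literal in the message to `'Payg'`, while `is_license_payg` on the context line above still compares against `"PAYG"`, so the message no longer matches the value the user has to supply; the hunk also drops the file's trailing newline. Keep the removed lines' spelling: `validation_message = "Cannot use 'Management only' installation type with 'PAYG' license."` and `_ = regex("^$", local.is_management_only && local.is_license_payg ? local.validation_message : "")`. The enclosing `locals {` block begins before the hunk.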
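Review bot: `maintenance_mode_password_hash = var.maintenance_mode_password_hash` in the `@@ -211,6 +211,8 @@` hunk of main.tf puts the hash into the same template-variable map as `templateName` and `os_version`, which (the `templatefile` call opens before the hunk) is presumably rendered into the instance's startup script and so into instance metadata, where any principal holding `compute.instances.get` — a permission this commit's README lists as required — can read it. Per the README row added in this commit the value is a PBKDF2 hash rather than a plaintext password, but a readable hash is an offline-cracking target, so the exposure should be stated at the point of use: `# rendered into instance metadata (startup script); readable by anyone with compute.instances.get`.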
@@ -1,15 +1,17 @@ # --- Google Provider --- service_account_path = "PLEASE ENTER SERVICE_ACCOUNT_PATH" # "service-accounts/service-account-file-name.json" -project = "PLEASE ENTER PROJECT ID" # "project-id" +project = "PLEASE ENTER PROJECT ID" # "project-id" # --- Check Point Deployment--- -image_name = "PLEASE ENTER IMAGE_NAME" # "check-point-r8110-gw-byol-single-335-985-v20220126" +image_name = "PLEASE ENTER IMAGE_NAME" # "check-point-r8120-gw-byol-single-631-991001335-v20230622" +os_version = "PLEASE ENTER GAIA OS VERSION" # "R8120" installationType = "PLEASE ENTER INSTALLATION TYPE" # "Gateway only" license = "PLEASE ENTER LICENSE" # "BYOL" prefix = "PLEASE ENTER PREFIX" # "chkp-single-tf-" management_nic = "PLEASE ENTER MANAGEMENT_NIC" # "Ephemeral Public IP (eth0)" admin_shell = "PLEASE ENTER ADMIN_SHELL" # "/etc/cli.sh" admin_SSH_key = "PLEASE ENTER ADMIN_SSH_KEY" # "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" +maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" generatePassword = "PLEASE ENTER GENERATE PASSWORD" # false allowUploadDownload = "PLEASE ENTER ALLOW UPLOAD DOWNLOAD" # false sicKey = "PLEASE ENTER SIC KEY" # "" 
@@ -23,17 +25,17 @@ zone = "PLEASE ENTER ZONE" network = "PLEASE ENTER NETWORK" # ["default"] subnetwork = "PLEASE ENTER SUBNETWORK" # ["default"] network_enableTcp = "PLEASE ENTER NETWORK ENABLE TCP" # false -network_tcpSourceRanges = "PLEASE ENTER NETWORK TCP SOURCE RANGES" # [""] +network_tcpSourceRanges = "PLEASE ENTER NETWORK TCP SOURCE RANGES" # [] network_enableGwNetwork = "PLEASE ENTER NETWORK ENABLE GW NETWORK" # false -network_gwNetworkSourceRanges = "PLEASE ENTER NETWORK GW NETWORK SOURCE RANGES" # [""] +network_gwNetworkSourceRanges = "PLEASE ENTER NETWORK GW NETWORK SOURCE RANGES" # [] network_enableIcmp = "PLEASE ENTER NETWORK ENABLE ICMP" # false -network_icmpSourceRanges = "PLEASE ENTER NETWORK ICMP SOURCE RANGES" # [""] +network_icmpSourceRanges = "PLEASE ENTER NETWORK ICMP SOURCE RANGES" # [] network_enableUdp = "PLEASE ENTER NETWORK ENABLE UDP" # false -network_udpSourceRanges = "PLEASE ENTER NETWORK UDP SOURCE RANGES" # [""] +network_udpSourceRanges = "PLEASE ENTER NETWORK UDP SOURCE RANGES" # [] network_enableSctp = "PLEASE ENTER NETWORK ENABLE SCTP" # false -network_sctpSourceRanges = "PLEASE ENTER NETWORK SCTP SOURCE RANGES" # [""] +network_sctpSourceRanges = "PLEASE ENTER NETWORK SCTP SOURCE RANGES" # [] network_enableEsp = "PLEASE ENTER NETWORK ENABLE ESP" # false -network_espSourceRanges = "PLEASE ENTER NETWORK ESP SOURCE RANGES" # [""] +network_espSourceRanges = "PLEASE ENTER NETWORK ESP SOURCE RANGES" # [] numAdditionalNICs = "PLEASE ENTER NUM ADDITIONAL NICS" # 1 externalIP = "PLEASE ENTER EXTERNAL IP" # "static" internal_network1_network = "PLEASE ENTER INTERNAL_NETWORK1_NETWORK" # [""] diff --git a/terraform/gcp/single-into-existing-vpc/variables.tf b/terraform/gcp/single-into-existing-vpc/variables.tf index cc620851..196e4678 100755 --- a/terraform/gcp/single-into-existing-vpc/variables.tf +++ b/terraform/gcp/single-into-existing-vpc/variables.tf 
@@ -15,7 +15,12 @@ variable "zone" { } variable "image_name" { type = string - description = "The single gateway and management image name. You can choose the desired image value from: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/single-byol/images.py" + description = "The single gateway and management image name" +} +variable "os_version" { + type = string + description = "GAIA OS version" + default = "R8120" } variable "installationType" { type = string @@ -147,6 +152,11 @@ variable "admin_SSH_key" { description = "(Optional) The SSH public key for SSH authentication to the template instances. Leave this field blank to use all project-wide pre-configured SSH keys." default = "" } +variable "maintenance_mode_password_hash" { + description = "Maintenance mode password hash, relevant only for R81.20 and higher versions" + type = string + default = "" +} variable "sicKey" { type = string description ="The Secure Internal Communication one time secret used to set up trust between the single gateway object and the management server" diff --git a/terraform/gcp/single-into-new-vpc/README.md b/terraform/gcp/single-into-new-vpc/README.md index 857b7c75..62e0b19f 100644 --- a/terraform/gcp/single-into-new-vpc/README.md +++ b/terraform/gcp/single-into-new-vpc/README.md @@ -30,48 +30,45 @@ provider "google" { 1. [Create a Service Account](https://cloud.google.com/docs/authentication/getting-started) (or use the existing one). Next, download the JSON key file. Name it something you can remember and store it somewhere secure on your machine.
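Review bot: `variable "maintenance_mode_password_hash"` in the `@@ -147,6 +152,11 @@` hunk is not marked sensitive, so the hash is printed verbatim in `terraform plan` and `apply` output even though it is credential-derived (the README row in this commit says to produce it with grub2-mkpasswd-pbkdf2). Add `sensitive = true` to the block; that redacts it from plan and apply output (it still lands in state, which has to be protected regardless). The identical variable added to single-into-new-vpc/variables.tf later in this patch (`@@ -149,6 +154,11 @@`) needs the same flag, and the `description` could say where the value ends up, e.g. `description = "Maintenance mode (GRUB) password hash, relevant only for R81.20 and higher; rendered into the instance startup script"`.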
2. Select "Editor" Role or verify you have the following permissions: ``` + compute.addresses.create + compute.addresses.delete compute.addresses.get compute.addresses.use - compute.addresses.create compute.disks.create - compute.disks.delete compute.firewalls.create compute.firewalls.delete compute.firewalls.get - compute.images.get - compute.images.useReadOnly - compute.images.getFromFamily - compute.instanceTemplates.create - compute.instanceTemplates.delete - compute.instanceTemplates.get - compute.instanceTemplates.useReadOnly - compute.instances.addAccessConfig + compute.firewalls.update compute.instances.create compute.instances.delete + compute.instances.deleteAccessConfig compute.instances.get + compute.instances.setLabels + compute.instances.setMachineType compute.instances.setMetadata + compute.instances.setServiceAccount compute.instances.setTags - compute.instances.setLabels + compute.instances.updateNetworkInterface + compute.networks.create + compute.networks.delete compute.networks.get compute.networks.updatePolicy + compute.regionOperations.get compute.regions.list + compute.subnetworks.create + compute.subnetworks.delete compute.subnetworks.get compute.subnetworks.use compute.subnetworks.useExternalIp compute.zones.get - iam.serviceAccountKeys.get - iam.serviceAccountKeys.list iam.serviceAccounts.actAs - iam.serviceAccounts.get - iam.serviceAccounts.list - iam.serviceAccounts.set ``` 3. ```credentials``` - Your service account key file is used to complete a two-legged OAuth 2.0 flow to obtain access tokens to authenticate with the GCP API as needed; Terraform will use it to reauthenticate automatically when tokens expire.
The provider credentials can be provided either as static credentials or as [Environment Variables](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#credentials-1). - - Static credentials can be provided by adding the path to your service-account json file, project-id and region in /gcp/modules/single/terraform.tfvars file as follows: + - Static credentials can be provided by adding the path to your service-account json file, project-name and region in /gcp/modules/single/terraform.tfvars file as follows: ``` service_account_path = "service-accounts/service-account-file-name.json" - project = "project-id" + project = "project-name" ``` - In case the Environment Variables are used, perform modifications described below:
a. The next lines in the main.tf file, in the provider google resource, need to be deleted or commented: @@ -106,16 +103,18 @@ The provider credentials can be provided either as static credentials or as [Env ``` # --- Google Provider --- service_account_path = "service-accounts/service-account-file-name.json" -project = "project-id" +project = "project-name" # --- Check Point--- image_name = "check-point-r8120-gw-byol-single-631-991001335-v20230622" +os_version = "R8120" installationType = "Gateway only" license = "BYOL" prefix = "chkp-single-tf-" management_nic = "Ephemeral Public IP (eth0)" admin_shell = "/etc/cli.sh" admin_SSH_key = "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" +maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" generatePassword = false allow_upload_download = true sicKey = "" @@ -181,6 +180,8 @@ Please leave empty list for a protocol if you want to disable traffic for it. | | | | | | | image_name |The single gateway or management image name (e.g. check-point-r8120-gw-byol-single-631-991001335-v20230622 for gateway or check-point-r8120-byol-631-991001335-v20230621 for management). You can choose the desired gateway image value from [Github](https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/single-byol/images.py).| string | N/A | N/A | yes | | | | | | | +| os_version |GAIA OS Version | string | R81;
R8110;
R8120 | R8120 | yes | +| | | | | | | installationType | Installation type and version | string |Gateway only;
Management only;
Manual Configuration
Gateway and Management (Standalone) |Gateway only|yes| | | | | | | | license | Checkpoint license (BYOL or PAYG).|string|BYOL;
PAYG;|BYOL|yes| @@ -229,6 +230,8 @@ Please leave empty list for a protocol if you want to disable traffic for it. | | | | | | | admin_SSH_key | Public SSH key for the user 'admin' - The SSH public key for SSH authentication to the instances. Leave this field blank to use all project-wide pre-configured SSH keys. | string | A valid public ssh key | "" | no | | | | | | | +| maintenance_mode_password_hash | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here. | string | | "" | no| +| | | | | | | sicKey | The Secure Internal Communication one time secret used to set up trust between the single gateway object and the management server | string | At least 8 alpha numeric characters.
If SIC is not provided and needed, a key will be automatically generated |""|no| | | | | | | | managementGUIClientNetwork | Allowed GUI clients | string | A valid IPv4 network CIDR (e.g. 0.0.0.0/0) |0.0.0.0/0|no| @@ -262,6 +265,7 @@ In order to check the template version refer to the [sk116585](https://supportce | 20230921 | Added single-into-new-vpc template. | | | | + ## Authors diff --git a/terraform/gcp/single-into-new-vpc/main.tf b/terraform/gcp/single-into-new-vpc/main.tf index 1597ae33..a9dacc6f 100644 --- a/terraform/gcp/single-into-new-vpc/main.tf +++ b/terraform/gcp/single-into-new-vpc/main.tf @@ -47,12 +47,14 @@ module "single-into-existing-vpc" { # --- Check Point Deployment--- image_name = var.image_name + os_version = var.os_version installationType = var.installationType license = var.license prefix = var.prefix management_nic = var.management_nic admin_shell = var.admin_shell admin_SSH_key = var.admin_SSH_key + maintenance_mode_password_hash = var.maintenance_mode_password_hash generatePassword = var.generatePassword allowUploadDownload = var.allowUploadDownload sicKey = var.sicKey diff --git a/terraform/gcp/single-into-new-vpc/terraform.tfvars b/terraform/gcp/single-into-new-vpc/terraform.tfvars index b387fa3d..dee19701 100644 --- a/terraform/gcp/single-into-new-vpc/terraform.tfvars +++ b/terraform/gcp/single-into-new-vpc/terraform.tfvars 
@@ -4,12 +4,14 @@ project = "PLEASE ENTER PROJECT ID" # --- Check Point Deployment--- image_name = "PLEASE ENTER IMAGE_NAME" # "check-point-r8120-gw-byol-single-631-991001335-v20230622" +os_version = "PLEASE ENTER GAIA OS VERSION" # "R8120" installationType = "PLEASE ENTER INSTALLATION TYPE" # "Gateway only" license = "PLEASE ENTER LICENSE" # "BYOL" prefix = "PLEASE ENTER PREFIX" # "chkp-single-tf-" management_nic = "PLEASE ENTER MANAGEMENT_NIC" # "Ephemeral Public IP (eth0)" admin_shell = "PLEASE ENTER ADMIN_SHELL" # "/etc/cli.sh" admin_SSH_key = "PLEASE ENTER ADMIN_SSH_KEY" # "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key" +maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" generatePassword = "PLEASE ENTER GENERATE PASSWORD" # false allowUploadDownload = "PLEASE ENTER ALLOW UPLOAD DOWNLOAD" # false sicKey = "PLEASE ENTER SIC KEY" # "" diff --git a/terraform/gcp/single-into-new-vpc/variables.tf b/terraform/gcp/single-into-new-vpc/variables.tf index 3d6454cf..6a40d8e8 100644 --- a/terraform/gcp/single-into-new-vpc/variables.tf +++ b/terraform/gcp/single-into-new-vpc/variables.tf @@ -19,7 +19,12 @@ variable "zone" { } variable "image_name" { type = string - description = "The single gateway and management image name. You can choose the desired image value from: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/single-byol/images.py" + description = "The single gateway and management image name" +} +variable "os_version" { + type = string + description = "GAIA OS version" + default = "R8120" } variable "installationType" { type = string 
@@ -149,6 +154,11 @@ variable "admin_SSH_key" { description = "(Optional) The SSH public key for SSH authentication to the template instances. Leave this field blank to use all project-wide pre-configured SSH keys." default = "" } +variable "maintenance_mode_password_hash" { + description = "Maintenance mode password hash, relevant only for R81.20 and higher versions" + type = string + default = "" +} variable "sicKey" { type = string description ="The Secure Internal Communication one time secret used to set up trust between the single gateway object and the management server" From 97324254f23360fd0598c1f68d25cf71776b10c5 Mon Sep 17 00:00:00 2001 From: yairra Date: Thu, 26 Sep 2024 17:10:09 +0300 Subject: [PATCH 04/12] Azure TF | Updated azurerm provider veriosn to 3.90.0 --- terraform/azure/high-availability-existing-vnet/versions.tf | 2 +- terraform/azure/high-availability-new-vnet/versions.tf | 2 +- terraform/azure/management-existing-vnet/versions.tf | 2 +- terraform/azure/management-new-vnet/versions.tf | 2 +- terraform/azure/mds-existing-vnet/versions.tf | 2 +- terraform/azure/mds-new-vnet/versions.tf | 2 +- terraform/azure/nva-into-existing-hub/versions.tf | 2 +- terraform/azure/nva-into-new-vwan/versions.tf | 2 +- terraform/azure/single-gateway-existing-vnet/versions.tf | 2 +- terraform/azure/single-gateway-new-vnet/versions.tf | 2 +- terraform/azure/vmss-existing-vnet/versions.tf | 2 +- terraform/azure/vmss-new-vnet/versions.tf | 2 +- 12 files changed, 12 insertions(+), 12 deletions(-) diff --git a/terraform/azure/high-availability-existing-vnet/versions.tf b/terraform/azure/high-availability-existing-vnet/versions.tf index 0d5ca4f3..8827a9f0 100755 --- a/terraform/azure/high-availability-existing-vnet/versions.tf +++ b/terraform/azure/high-availability-existing-vnet/versions.tf @@ -3,7 +3,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 3.81.0" + version = "~> 3.90.0" } random = { version = "~> 3.5.1" 
diff --git a/terraform/azure/high-availability-new-vnet/versions.tf b/terraform/azure/high-availability-new-vnet/versions.tf
index 0d5ca4f3..8827a9f0 100755
--- a/terraform/azure/high-availability-new-vnet/versions.tf
+++ b/terraform/azure/high-availability-new-vnet/versions.tf
@@ -3,7 +3,7 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = "~> 3.81.0"
+ version = "~> 3.90.0"
 }
 random = {
 version = "~> 3.5.1"
diff --git a/terraform/azure/management-existing-vnet/versions.tf b/terraform/azure/management-existing-vnet/versions.tf
index 0d5ca4f3..8827a9f0 100755
--- a/terraform/azure/management-existing-vnet/versions.tf
+++ b/terraform/azure/management-existing-vnet/versions.tf
@@ -3,7 +3,7 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = "~> 3.81.0"
+ version = "~> 3.90.0"
 }
 random = {
 version = "~> 3.5.1"
diff --git a/terraform/azure/management-new-vnet/versions.tf b/terraform/azure/management-new-vnet/versions.tf
index 0d5ca4f3..8827a9f0 100755
--- a/terraform/azure/management-new-vnet/versions.tf
+++ b/terraform/azure/management-new-vnet/versions.tf
@@ -3,7 +3,7 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = "~> 3.81.0"
+ version = "~> 3.90.0"
 }
 random = {
 version = "~> 3.5.1"
diff --git a/terraform/azure/mds-existing-vnet/versions.tf b/terraform/azure/mds-existing-vnet/versions.tf
index 0d5ca4f3..8827a9f0 100755
--- a/terraform/azure/mds-existing-vnet/versions.tf
+++ b/terraform/azure/mds-existing-vnet/versions.tf
@@ -3,7 +3,7 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = "~> 3.81.0"
+ version = "~> 3.90.0"
 }
 random = {
 version = "~> 3.5.1"
diff --git a/terraform/azure/mds-new-vnet/versions.tf b/terraform/azure/mds-new-vnet/versions.tf
index de940e72..0018913d 100755
--- a/terraform/azure/mds-new-vnet/versions.tf
+++ b/terraform/azure/mds-new-vnet/versions.tf
@@ -3,7 +3,7 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = "~> 3.81.0"
+ version = "~> 3.90.0"
 }
 random = {
 version = "~> 3.5.1"
diff --git a/terraform/azure/nva-into-existing-hub/versions.tf b/terraform/azure/nva-into-existing-hub/versions.tf
index 1c68a298..2c81dc30 100644
--- a/terraform/azure/nva-into-existing-hub/versions.tf
+++ b/terraform/azure/nva-into-existing-hub/versions.tf
@@ -3,7 +3,7 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = " 3.79.0"
+ version = "~> 3.90.0"
 }
 }
 }
diff --git a/terraform/azure/nva-into-new-vwan/versions.tf b/terraform/azure/nva-into-new-vwan/versions.tf
index 40d04f16..ca6ac207 100644
--- a/terraform/azure/nva-into-new-vwan/versions.tf
+++ b/terraform/azure/nva-into-new-vwan/versions.tf
@@ -3,7 +3,7 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = " 3.79.0"
+ version = "~> 3.90.0"
 }
 }
 }
diff --git a/terraform/azure/single-gateway-existing-vnet/versions.tf b/terraform/azure/single-gateway-existing-vnet/versions.tf
index 0d5ca4f3..8827a9f0 100755
--- a/terraform/azure/single-gateway-existing-vnet/versions.tf
+++ b/terraform/azure/single-gateway-existing-vnet/versions.tf
@@ -3,7 +3,7 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = "~> 3.81.0"
+ version = "~> 3.90.0"
 }
 random = {
 version = "~> 3.5.1"
diff --git a/terraform/azure/single-gateway-new-vnet/versions.tf b/terraform/azure/single-gateway-new-vnet/versions.tf
index 0d5ca4f3..8827a9f0 100755
--- a/terraform/azure/single-gateway-new-vnet/versions.tf
+++ b/terraform/azure/single-gateway-new-vnet/versions.tf
@@ -3,7 +3,7 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = "~> 3.81.0"
+ version = "~> 3.90.0"
 }
 random = {
 version = "~> 3.5.1"
diff --git a/terraform/azure/vmss-existing-vnet/versions.tf b/terraform/azure/vmss-existing-vnet/versions.tf
index df4caa26..5bf8d9db 100644
--- a/terraform/azure/vmss-existing-vnet/versions.tf
+++ b/terraform/azure/vmss-existing-vnet/versions.tf
@@ -3,7 +3,7 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = "~> 3.81.0"
+ version = "~> 3.90.0"
 }
 random = {
 version = "~> 3.5.1"
diff --git a/terraform/azure/vmss-new-vnet/versions.tf b/terraform/azure/vmss-new-vnet/versions.tf
index df4caa26..5bf8d9db 100644
--- a/terraform/azure/vmss-new-vnet/versions.tf
+++ b/terraform/azure/vmss-new-vnet/versions.tf
@@ -3,7 +3,7 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = "~> 3.81.0"
+ version = "~> 3.90.0"
 }
 random = {
 version = "~> 3.5.1"
From 06565385944e3f0ff101a7021132ab03788ba600 Mon Sep 17 00:00:00 2001
From: natanelm Date: Mon, 30 Sep 2024 15:37:50 +0300 Subject: [PATCH 05/12] Git alignment --- azure/templates/README.MD | 2 +- .../createUiDefinition.json | 6 +++--- .../marketplace-ha/createUiDefinition.json | 6 +++--- .../marketplace-management/createUiDefinition.json | 4 ++-- .../marketplace-mds/createUiDefinition.json | 2 +- .../createUiDefinition.json | 4 ++-- .../marketplace-single-waap/mainTemplate.json | 7 ++----- .../marketplace-vmss-waap/createUiDefinition.json | 4 ++-- .../marketplace-vmss-waap/mainTemplate.json | 5 ++--- .../marketplace-vmss/createUiDefinition.json | 2 +- azure/templates/vwan-managed-app/README.md | 4 ++-- .../azure/vmss-new-vnet-with-peer/terraform.tfvars | 4 ++-- .../R8040-R81/ha-r8040-r81/mainTemplate.json | 6 +++--- .../R8040-R81/mds-r8040-r81/mainTemplate.json | 4 ++-- .../R8040-R81/mgmt-r840-r81/mainTemplate.json | 4 ++-- .../R8040-R81/single-r8040-r81/mainTemplate.json | 4 ++-- .../R8040-R81/vmss-r8040-r81/mainTemplate.json | 2 +- .../stack-ha-r8040-r81/mainTemplate.json | 2 +- .../stack-management-r8040-r81/mainTemplate.json | 2 +- .../stack-single-r8040-r81/mainTemplate.json | 2 +- .../high-availability-existing-vnet/README.md | 4 +++- .../azure/high-availability-new-vnet/README.md | 2 ++ terraform/azure/management-existing-vnet/README.md | 2 ++ terraform/azure/management-new-vnet/README.md | 2 ++ terraform/azure/mds-existing-vnet/README.md | 2 ++ terraform/azure/mds-new-vnet/README.md | 2 ++ terraform/azure/nva-into-existing-hub/README.md | 5 +++-- terraform/azure/nva-into-new-vwan/README.md | 5 +++-- .../azure/single-gateway-existing-vnet/README.md | 2 ++ terraform/azure/vmss-existing-vnet/README.md | 14 ++++++++------ .../azure/vmss-existing-vnet/terraform.tfvars | 3 ++- terraform/azure/vmss-existing-vnet/variables.tf | 10 +++++++++- terraform/azure/vmss-new-vnet/README.md | 2 ++ .../gcp/autoscale-into-existing-vpc/README.md | 2 +- terraform/gcp/high-availability/variables.tf | 2 +- 
terraform/gcp/single-into-existing-vpc/locals.tf | 5 +++-- .../gcp/single-into-existing-vpc/variables.tf | 2 +- terraform/gcp/single-into-new-vpc/README.md | 1 - terraform/gcp/single-into-new-vpc/variables.tf | 2 +- 39 files changed, 85 insertions(+), 60 deletions(-) diff --git a/azure/templates/README.MD b/azure/templates/README.MD index e5ef10fb..522ac7cb 100644 --- a/azure/templates/README.MD +++ b/azure/templates/README.MD @@ -66,4 +66,4 @@ To deploy a specific Azure image, adjust the image version during the manual dep template_name: management template_version: 20231002 template_type: marketplace - + \ No newline at end of file diff --git a/azure/templates/marketplace-gateway-load-balancer/createUiDefinition.json b/azure/templates/marketplace-gateway-load-balancer/createUiDefinition.json index 1de1c662..54fd25cc 100644 --- a/azure/templates/marketplace-gateway-load-balancer/createUiDefinition.json +++ b/azure/templates/marketplace-gateway-load-balancer/createUiDefinition.json @@ -1120,7 +1120,7 @@ } }, { - "visible": "[bool(basics('auth').sshPublicKey)]", + "visible": "[bool(basics('auth').sshPublicKey)]", "name": "EnableSerialConsolePassword", "type": "Microsoft.Common.OptionsGroup", "label": "Enable Serial console password", @@ -1508,9 +1508,9 @@ "deployNewNSG": "[steps('network').NSG]", "ExistingNSG": "[steps('network').nsgSelector]", "NewNsgName": "[steps('network').NSGName]", - "addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]", + "addStorageAccountIpRules": "[steps('network').addStorageAccountIpRules]", "SerialConsolePasswordHash": "[steps('chkp').AdditionalPassword]", "MaintenanceModePasswordHash": "[steps('chkp').MaintenanceModePassword]" } } -} +} \ No newline at end of file diff --git a/azure/templates/marketplace-ha/createUiDefinition.json b/azure/templates/marketplace-ha/createUiDefinition.json index c770250c..886f864a 100644 --- a/azure/templates/marketplace-ha/createUiDefinition.json 
+++ b/azure/templates/marketplace-ha/createUiDefinition.json @@ -836,7 +836,7 @@ } }, { - "visible": "[bool(basics('auth').sshPublicKey)]", + "visible": "[bool(basics('auth').sshPublicKey)]", "name": "EnableSerialConsolePassword", "type": "Microsoft.Common.OptionsGroup", "label": "Enable Serial console password", @@ -946,7 +946,7 @@ "label": "Availability options", "defaultValue": "Availability Set", "toolTip": "Use replicated Cluster VMs in Availability Set or Availability Zones. Note that the load balancers and their IP addresses will be zone redundant in any case.", - "visible": "[contains(' australiaeast brazilsouth canadacentral centralus eastasia eastus eastus2 francecentral germanywestcentral japaneast koreacentral northeurope norwayeast southafricanorth southcentralus southeastasia swedencentral uksouth usgovvirginia westeurope westus2 westus3 switzerlandnorth qatarcentral centralindia uaenorth italynorth \\ ', concat(' ', location(), ' '))]", + "visible": "[contains(' australiaeast brazilsouth canadacentral centralus eastasia eastus eastus2 francecentral germanywestcentral japaneast koreacentral northeurope norwayeast southafricanorth southcentralus southeastasia swedencentral uksouth usgovvirginia westeurope westus2 westus3 switzerlandnorth qatarcentral centralindia uaenorth italynorth ', concat(' ', location(), ' '))]", "constraints": { "allowedValues": [ { 
@@ -1640,7 +1640,7 @@ "deployNewNSG": "[steps('network').NSG]", "ExistingNSG": "[steps('network').nsgSelector]", "NewNsgName": "[steps('network').NSGName]", - "addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]", + "addStorageAccountIpRules": "[steps('network').addStorageAccountIpRules]", "VipsNumber": "[int(steps('network').Vips_Number)]", "VipNames": "[concat(steps('network').VIP_Names.VIP2_Name, ',', steps('network').VIP_Names.VIP3_Name, ',', steps('network').VIP_Names.VIP4_Name, ',', steps('network').VIP_Names.VIP5_Name, ',', steps('network').VIP_Names.VIP6_Name, ',', steps('network').VIP_Names.VIP7_Name, ',', steps('network').VIP_Names.VIP8_Name, ',', steps('network').VIP_Names.VIP9_Name, ',', steps('network').VIP_Names.VIP10_Name)]", "SerialConsolePasswordHash": "[steps('chkp').AdditionalPassword]", diff --git a/azure/templates/marketplace-management/createUiDefinition.json b/azure/templates/marketplace-management/createUiDefinition.json index 7e945af8..fdb719a2 100644 --- a/azure/templates/marketplace-management/createUiDefinition.json +++ b/azure/templates/marketplace-management/createUiDefinition.json @@ -422,7 +422,7 @@ } ] } - }, + }, { "name": "enableApi", "type": "Microsoft.Common.DropDown", @@ -694,7 +694,7 @@ "deployNewNSG": "[steps('network').NSG]", "ExistingNSG": "[steps('network').nsgSelector]", "NewNsgName": "[steps('network').NSGName]", - "addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]", + "addStorageAccountIpRules": "[steps('network').addStorageAccountIpRules]", "SerialConsolePasswordHash": "[steps('chkp').AdditionalPassword]", "MaintenanceModePasswordHash": "[steps('chkp').MaintenanceModePassword]" } diff --git a/azure/templates/marketplace-mds/createUiDefinition.json b/azure/templates/marketplace-mds/createUiDefinition.json index de11e136..ad06592d 100644 --- a/azure/templates/marketplace-mds/createUiDefinition.json +++ b/azure/templates/marketplace-mds/createUiDefinition.json 
@@ -629,7 +629,7 @@ "deployNewNSG": "[steps('network').NSG]", "ExistingNSG": "[steps('network').nsgSelector]", "NewNsgName": "[steps('network').NSGName]", - "addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]", + "addStorageAccountIpRules": "[steps('network').addStorageAccountIpRules]", "SerialConsolePasswordHash": "[steps('chkp').AdditionalPassword]", "MaintenanceModePasswordHash": "[steps('chkp').MaintenanceModePassword]" } diff --git a/azure/templates/marketplace-single-waap/createUiDefinition.json b/azure/templates/marketplace-single-waap/createUiDefinition.json index 42e2ebff..3ebd285b 100755 --- a/azure/templates/marketplace-single-waap/createUiDefinition.json +++ b/azure/templates/marketplace-single-waap/createUiDefinition.json @@ -67,8 +67,8 @@ "toolTip": "Token can be obtained by logging in to [https://portal.checkpoint.com/](https://portal.checkpoint.com/) –> INFINITY POLICY -> CLOUD -> Profiles", "constraints": { "required": true, - "regex": "^cp-(([a-z0-9A-Z-]{72,72})|([a-z0-9A-Z-]{75,75}))$", - "validationMessage": "Token should begin with 'cp-' and must be 75 or 78 characters long" + "regex": "^cp-[a-z0-9A-Z-]{72,72}$", + "validationMessage": "Token should begin with 'cp-' and must be 75 characters long" }, "options": { "hideConfirmation": false diff --git a/azure/templates/marketplace-single-waap/mainTemplate.json b/azure/templates/marketplace-single-waap/mainTemplate.json index d7704b90..1d4f4b84 100755 --- a/azure/templates/marketplace-single-waap/mainTemplate.json +++ b/azure/templates/marketplace-single-waap/mainTemplate.json @@ -50,7 +50,7 @@ "waapAgentToken": { "type": "securestring", "minLength": 75, - "maxLength": 78, + "maxLength": 75, "metadata": { "description": "Infinity Next Agent Token" } @@ -203,7 +203,7 @@ }, "variables": { "templateName": "checkpoint_waap", - "templateVersion": "20211028", + "templateVersion": "20210922", "location": "[parameters('location')]", "osVersion": "R8040", "installationType": "waap", 
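Review bot: The marketplace-single-waap hunks move `templateVersion` backward from `20211028` to `20210922` while tightening the agent-token constraint (`maxLength` 78 → 75 in mainTemplate.json, and the createUiDefinition regex now accepts only `^cp-[a-z0-9A-Z-]{72,72}$`), which reads like an unintended restore of an older template rather than a forward change; the same three edits recur for marketplace-vmss-waap at L14886. If 78-character tokens are still issued, both the portal validation and the `securestring` length check will now reject them, so the intended token format should be confirmed before this is merged. If the shorter format is correct, `{72,72}` is conventionally written `{72}`, and the version string should still move forward so deployments can be told apart from the 2021 template.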
@@ -282,9 +282,6 @@ { "type": "Microsoft.Storage/storageAccounts", "name": "[variables('storageAccountName')]", - "properties": { - "minimalTlsVersion": "TLS1_2" - }, "apiVersion": "2021-04-01", "location": "[variables('location')]", "sku": { diff --git a/azure/templates/marketplace-vmss-waap/createUiDefinition.json b/azure/templates/marketplace-vmss-waap/createUiDefinition.json index 51c05e9c..2ca24a11 100755 --- a/azure/templates/marketplace-vmss-waap/createUiDefinition.json +++ b/azure/templates/marketplace-vmss-waap/createUiDefinition.json @@ -67,8 +67,8 @@ "toolTip": "Token can be obtained by logging in to [https://portal.checkpoint.com/](https://portal.checkpoint.com/) –> INFINITY POLICY -> CLOUD -> Profiles", "constraints": { "required": true, - "regex": "^cp-(([a-z0-9A-Z-]{72,72})|([a-z0-9A-Z-]{75,75}))$", - "validationMessage": "Token should begin with 'cp-' and must be 75 or 78 characters long" + "regex": "^cp-[a-z0-9A-Z-]{72,72}$", + "validationMessage": "Token should begin with 'cp-' and must be 75 characters long" }, "options": { "hideConfirmation": false diff --git a/azure/templates/marketplace-vmss-waap/mainTemplate.json b/azure/templates/marketplace-vmss-waap/mainTemplate.json index 0b921194..df1bc1cf 100755 --- a/azure/templates/marketplace-vmss-waap/mainTemplate.json +++ b/azure/templates/marketplace-vmss-waap/mainTemplate.json @@ -51,7 +51,7 @@ "waapAgentToken": { "type": "securestring", "minLength": 75, - "maxLength": 78, + "maxLength": 75, "metadata": { "description": "Infinity Next Agent Token" } @@ -73,7 +73,6 @@ "availabilityZonesNum": { "type": "int", "allowedValues": [ - 0, 1, 2, 3 @@ -388,7 +387,7 @@ }, "variables": { "templateName": "waap_vmss", - "templateVersion": "20211028", + "templateVersion": "20210922", "location": "[parameters('location')]", "osVersion": "R8040", "isBlink": true, 
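Review bot: The `Microsoft.Storage/storageAccounts` hunk in marketplace-single-waap/mainTemplate.json deletes the `properties` block that pinned `"minimalTlsVersion": "TLS1_2"`, so the account now relies on whatever minimum TLS version the platform applies by default instead of an explicit floor. Nothing else in the hunk replaces that setting, and removing a hardening property is hard to justify without a stated reason. I would keep `"properties": { "minimalTlsVersion": "TLS1_2" },` on the resource, or record in the commit why it was removed. The resource definition continues outside the hunk.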
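Review bot: The `availabilityZonesNum` hunk in marketplace-vmss-waap/mainTemplate.json removes `0` from `allowedValues`, but the parameter's `defaultValue` is outside the hunk; if it is still 0, a deployment that does not set the parameter explicitly now fails validation. Please confirm the default was changed to a value in 1–3 in the same template and that the UI control feeding this parameter no longer offers a zone-less option. If deployments into regions without availability zones are still meant to work, `0,` should stay in the list.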
diff --git a/azure/templates/marketplace-vmss/createUiDefinition.json b/azure/templates/marketplace-vmss/createUiDefinition.json index 0f2cf56a..cf04efcd 100644 --- a/azure/templates/marketplace-vmss/createUiDefinition.json +++ b/azure/templates/marketplace-vmss/createUiDefinition.json @@ -1744,7 +1744,7 @@ "deployNewNSG": "[steps('network').NSG]", "ExistingNSG": "[steps('network').nsgSelector]", "NewNsgName": "[steps('network').NSGName]", - "addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]", + "addStorageAccountIpRules": "[steps('network').addStorageAccountIpRules]", "SerialConsolePasswordHash": "[steps('chkp').AdditionalPassword]", "MaintenanceModePasswordHash": "[steps('chkp').MaintenanceModePassword]" } diff --git a/azure/templates/vwan-managed-app/README.md b/azure/templates/vwan-managed-app/README.md index 085e0620..293238e2 100644 --- a/azure/templates/vwan-managed-app/README.md +++ b/azure/templates/vwan-managed-app/README.md @@ -64,8 +64,8 @@ https://management.azure.com/subscriptions/{subscription_id}/providers/Microsoft } ], "availableVersions": [ - "8110.900335.1435", - "8120.900631.1433", + "8110.900335.1522", + "8120.900631.1522", "latest" ], "marketPlaceLink": "https://aka.ms/Checkpointmarketplace", diff --git a/contrib/terraform/azure/vmss-new-vnet-with-peer/terraform.tfvars b/contrib/terraform/azure/vmss-new-vnet-with-peer/terraform.tfvars index 8fda9c83..81133f6f 100755 --- a/contrib/terraform/azure/vmss-new-vnet-with-peer/terraform.tfvars +++ b/contrib/terraform/azure/vmss-new-vnet-with-peer/terraform.tfvars 
@@ -25,5 +25,5 @@ configuration_template_name = "PLEASE ENTER CONFIGURATION TEMPLATE NAME" notification_email = "PLEASE ENTER NOTIFICATION MAIL OR LEAVE EMPTY DOUBLE QUOTES" # "name@company.com" frontend_load_distribution = "PLEASE ENTER EXTERNAL LOAD BALANCER SESSION PERSISTENCE" # "Default" backend_load_distribution = "PLEASE ENTER INTERNAL LOAD BALANCER SESSION PERSISTENCE" # "Default" -mgmt_vnet_name = "PLEASE ENTER MANAGEMENT VIRTUAL NETWORK NAME" # "mgmt-vnet" -mgmt_resource_group_name = "PLEASE ENTER MANAGEMENT RESOURCE GROUP NAME" # "management" +mgmt_vnet_name = "PLEASE ENTER MANAGEMENT VIRTUAL NETWORK NAME" # "mgmt-vnet" +mgmt_resource_group_name = "PLEASE ENTER MANAGEMENT RESOURCE GROUP NAME" # "management" diff --git a/deprecated/azure/templates/R8040-R81/ha-r8040-r81/mainTemplate.json b/deprecated/azure/templates/R8040-R81/ha-r8040-r81/mainTemplate.json index 59952e87..b281ecef 100644 --- a/deprecated/azure/templates/R8040-R81/ha-r8040-r81/mainTemplate.json +++ b/deprecated/azure/templates/R8040-R81/ha-r8040-r81/mainTemplate.json @@ -17,7 +17,7 @@ "R80.40 - Pay As You Go (NGTX)", "R81 - Bring Your Own License", "R81 - Pay As You Go (NGTP)", - "R81 - Pay As You Go (NGTX)", + "R81 - Pay As You Go (NGTX)" ], "defaultValue": "R81 - Bring Your Own License", "metadata": { @@ -361,7 +361,7 @@ "R80.40 - Pay As You Go (NGTX)": "NGTX", "R81 - Bring Your Own License": "BYOL", "R81 - Pay As You Go (NGTP)": "NGTP", - "R81 - Pay As You Go (NGTX)": "NGTX", + "R81 - Pay As You Go (NGTX)": "NGTX" }, "offer": "[variables('offers')[parameters('cloudGuardVersion')]]", "osVersions": { @@ -370,7 +370,7 @@ "R80.40 - Pay As You Go (NGTX)": "R8040", "R81 - Bring Your Own License": "R81", "R81 - Pay As You Go (NGTP)": "R81", - "R81 - Pay As You Go (NGTX)": "R81", + "R81 - Pay As You Go (NGTX)": "R81" }, "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", "SerialConsoleGeographies": { 
diff --git a/deprecated/azure/templates/R8040-R81/mds-r8040-r81/mainTemplate.json b/deprecated/azure/templates/R8040-R81/mds-r8040-r81/mainTemplate.json index c9800935..fc8ce67a 100644 --- a/deprecated/azure/templates/R8040-R81/mds-r8040-r81/mainTemplate.json +++ b/deprecated/azure/templates/R8040-R81/mds-r8040-r81/mainTemplate.json @@ -13,9 +13,9 @@ "type": "string", "allowedValues": [ "R80.40 - Bring Your Own License", - "R81 - Bring Your Own License", + "R81 - Bring Your Own License" ], - "defaultValue": "R81.20 - Bring Your Own License", + "defaultValue": "R81 - Bring Your Own License", "metadata": { "description": "Version of Check Point CloudGuard" } diff --git a/deprecated/azure/templates/R8040-R81/mgmt-r840-r81/mainTemplate.json b/deprecated/azure/templates/R8040-R81/mgmt-r840-r81/mainTemplate.json index 44f62298..72ecc81c 100644 --- a/deprecated/azure/templates/R8040-R81/mgmt-r840-r81/mainTemplate.json +++ b/deprecated/azure/templates/R8040-R81/mgmt-r840-r81/mainTemplate.json @@ -17,7 +17,7 @@ "R81 - Bring Your Own License", "R81 - Pay As You Go (MGMT25)" ], - "defaultValue": "R81.20 - Bring Your Own License", + "defaultValue": "R81 - Bring Your Own License", "metadata": { "description": "Version of Check Point CloudGuard" } 
@@ -319,7 +319,7 @@ "storageAccountType": "Standard_LRS", "diskSize100GB": 100, "diskSizeGB": "[add(parameters('additionalDiskSizeGB'), variables('diskSize100GB'))]", - "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', parameters('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'managementGUIClientNetwork=\"', variables('managementGUIClientNetwork'), '\"', '\n', 'enableApi=\"', parameters('enableApi'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n', 'passwordHash=\"', parameters('SerialConsolePasswordHash'), '\"', '\n')]", + "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', parameters('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'managementGUIClientNetwork=\"', variables('managementGUIClientNetwork'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n', 'passwordHash=\"', parameters('SerialConsolePasswordHash'), '\"', '\n')]", "customData64": "[base64(variables('customData'))]", "imageOffer": "[concat('check-point-cg-', toLower(variables('osVersion')))]", "imagePublisher": "checkpoint", 
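Review bot: The `customData` hunk in mgmt-r840-r81/mainTemplate.json drops the `'enableApi=\"', parameters('enableApi'), '\"', '\n',` segment, so the value of the `enableApi` parameter no longer reaches `/etc/cloud_config.py` at first boot. The parameter declaration and the portal control that feeds it are outside this hunk; if they were not removed in the same change, the API-access choice a user makes is now silently ignored. Either restore the segment or remove the parameter so the template has no dead input.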
diff --git a/deprecated/azure/templates/R8040-R81/single-r8040-r81/mainTemplate.json b/deprecated/azure/templates/R8040-R81/single-r8040-r81/mainTemplate.json index 911b8572..95563c19 100644 --- a/deprecated/azure/templates/R8040-R81/single-r8040-r81/mainTemplate.json +++ b/deprecated/azure/templates/R8040-R81/single-r8040-r81/mainTemplate.json @@ -24,9 +24,9 @@ "R80.40 - Pay As You Go (NGTX)", "R81 - Bring Your Own License", "R81 - Pay As You Go (NGTP)", - "R81 - Pay As You Go (NGTX)", + "R81 - Pay As You Go (NGTX)" ], - "defaultValue": "R81.20 - Bring Your Own License", + "defaultValue": "R81 - Bring Your Own License", "metadata": { "description": "Version of Check Point CloudGuard" } diff --git a/deprecated/azure/templates/R8040-R81/vmss-r8040-r81/mainTemplate.json b/deprecated/azure/templates/R8040-R81/vmss-r8040-r81/mainTemplate.json index b343976c..4a0efc1f 100644 --- a/deprecated/azure/templates/R8040-R81/vmss-r8040-r81/mainTemplate.json +++ b/deprecated/azure/templates/R8040-R81/vmss-r8040-r81/mainTemplate.json 
@@ -561,7 +561,7 @@ "additionalDiskSizeGB": "[if(contains('R8040 R81', variables('osVersion')), 0, parameters('additionalDiskSizeGB'))]", "diskSizeGB": "[add(variables('additionalDiskSizeGB'), variables('diskSize100GB'))]", "enableFloatingIP": "[equals(parameters('floatingIP'), 'yes')]", - "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'customMetrics=\"', variables('customMetrics'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n', 'MaintenanceModePassword=\"', parameters('MaintenanceModePasswordHash'), '\"', '\n', 'passwordHash=\"', parameters('SerialConsolePasswordHash'), '\"', '\n')]", + "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'customMetrics=\"', variables('customMetrics'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n', 'passwordHash=\"', parameters('SerialConsolePasswordHash'), '\"', '\n')]", "imageOffer": "[concat('check-point-cg-', 
toLower(variables('osVersion')))]", "imagePublisher": "checkpoint", "imageReferenceBYOL": { diff --git a/deprecated/azure/templates/stack-R8040-R81/stack-ha-r8040-r81/mainTemplate.json b/deprecated/azure/templates/stack-R8040-R81/stack-ha-r8040-r81/mainTemplate.json index 0847143c..c776a882 100644 --- a/deprecated/azure/templates/stack-R8040-R81/stack-ha-r8040-r81/mainTemplate.json +++ b/deprecated/azure/templates/stack-R8040-R81/stack-ha-r8040-r81/mainTemplate.json @@ -17,7 +17,7 @@ "R80.40 - Pay As You Go (NGTX)", "R81 - Bring Your Own License", "R81 - Pay As You Go (NGTP)", - "R81 - Pay As You Go (NGTX)", + "R81 - Pay As You Go (NGTX)" ], "defaultValue": "R81 - Bring Your Own License", "metadata": { diff --git a/deprecated/azure/templates/stack-R8040-R81/stack-management-r8040-r81/mainTemplate.json b/deprecated/azure/templates/stack-R8040-R81/stack-management-r8040-r81/mainTemplate.json index d2e59edb..bbee571d 100644 --- a/deprecated/azure/templates/stack-R8040-R81/stack-management-r8040-r81/mainTemplate.json +++ b/deprecated/azure/templates/stack-R8040-R81/stack-management-r8040-r81/mainTemplate.json @@ -15,7 +15,7 @@ "R80.40 - Bring Your Own License", "R80.40 - Pay As You Go (MGMT25)", "R81 - Bring Your Own License", - "R81 - Pay As You Go (MGMT25)", + "R81 - Pay As You Go (MGMT25)" ], "defaultValue": "R81 - Bring Your Own License", "metadata": { diff --git a/deprecated/azure/templates/stack-R8040-R81/stack-single-r8040-r81/mainTemplate.json b/deprecated/azure/templates/stack-R8040-R81/stack-single-r8040-r81/mainTemplate.json index 50422c53..a6d5f888 100644 --- a/deprecated/azure/templates/stack-R8040-R81/stack-single-r8040-r81/mainTemplate.json +++ b/deprecated/azure/templates/stack-R8040-R81/stack-single-r8040-r81/mainTemplate.json 
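Review bot: The `customData` hunk in vmss-r8040-r81/mainTemplate.json (starting at L14892) removes the `'MaintenanceModePassword=\"', parameters('MaintenanceModePasswordHash'), '\"', '\n',` segment, so the maintenance-mode password hash is no longer delivered to scale-set instances at boot. This is plausibly intentional for an R80.40/R81-only template (a README elsewhere in this diff describes the option as relevant only to R81.20 and higher), but if the `MaintenanceModePasswordHash` parameter outside the hunk is still declared, a value the user supplies now has no effect and the instances boot without that protection. Please either drop the parameter as well or state the limitation in its `metadata.description`.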
@@ -17,7 +17,7 @@ "R80.40 - Pay As You Go (NGTX)", "R81 - Bring Your Own License", "R81 - Pay As You Go (NGTP)", - "R81 - Pay As You Go (NGTX)", + "R81 - Pay As You Go (NGTX)" ], "defaultValue": "R81 - Bring Your Own License", "metadata": { diff --git a/terraform/azure/high-availability-existing-vnet/README.md b/terraform/azure/high-availability-existing-vnet/README.md index 666aec67..2aa7468d 100755 --- a/terraform/azure/high-availability-existing-vnet/README.md +++ b/terraform/azure/high-availability-existing-vnet/README.md @@ -215,7 +215,9 @@ availability_type = "Availability Zone" In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) | Template Version | Description | -| ---------------- | ------------- | +| ---------------- |----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 20240613 | - Updated Azure Terraform provider version
- Updated managed identity permissions
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Added validation for os_version & os_offer | +| | | | | 20230910 | - R81.20 is the default version | | | | | | 20230212 | - Added Smart-1 Cloud support | diff --git a/terraform/azure/high-availability-new-vnet/README.md b/terraform/azure/high-availability-new-vnet/README.md index 2218fd5a..15bfa197 100755 --- a/terraform/azure/high-availability-new-vnet/README.md +++ b/terraform/azure/high-availability-new-vnet/README.md @@ -215,6 +215,8 @@ In order to check the template version refer to the [sk116585](https://supportce | Template Version | Description | | ---------------- | ------------- | +| 20240613 | - Updated Azure Terraform provider version
- Updated managed identity permissions
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Added validation for os_version & os_offer | +| | | | | 20230910 | - R81.20 is the default version | | | | | | 20230212 | - Added Smart-1 Cloud support | diff --git a/terraform/azure/management-existing-vnet/README.md b/terraform/azure/management-existing-vnet/README.md index e2877075..41c772e4 100755 --- a/terraform/azure/management-existing-vnet/README.md +++ b/terraform/azure/management-existing-vnet/README.md @@ -168,6 +168,8 @@ In order to check the template version refer to the [sk116585](https://supportce | Template Version | Description | | ---------------- | ------------- | +| 20240613 | - Updated Azure Terraform provider version
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Updated Public IP sku to Standard
- Added validation for os_version & os_offer | +| | | | | 20230910 | - R81.20 is the default version | | | | | | 20221124 | - Added R81.20 support
- Upgraded azurerm provider | diff --git a/terraform/azure/management-new-vnet/README.md b/terraform/azure/management-new-vnet/README.md index 8851e3d6..bd14ac2d 100755 --- a/terraform/azure/management-new-vnet/README.md +++ b/terraform/azure/management-new-vnet/README.md @@ -166,6 +166,8 @@ In order to check the template version refer to the [sk116585](https://supportce | Template Version | Description | | ---------------- | ------------- | +| 20240613 | - Updated Azure Terraform provider version
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Updated Public IP sku to Standard
- Added validation for os_version & os_offer | +| | | | | 20230910 | - R81.20 is the default version | | | | | | 20221124 | - Added R81.20 support
- Upgraded azurerm provider | diff --git a/terraform/azure/mds-existing-vnet/README.md b/terraform/azure/mds-existing-vnet/README.md index f83a56e8..6980d7cc 100755 --- a/terraform/azure/mds-existing-vnet/README.md +++ b/terraform/azure/mds-existing-vnet/README.md @@ -182,6 +182,8 @@ In order to check the template version refer to the [sk116585](https://supportce | Template Version | Description | |------------------|---------------------------------------------------------------------------------------------| +| 20240613 | - Updated Azure Terraform provider version
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Updated Public IP sku to Standard
- Added validation for os_version & os_offer | +| | | | | 20230910 | - R81.20 is the default version | | | | | | 20230629 | First release of Check Point CloudGuard Network Security MDS Terraform deployment for Azure | diff --git a/terraform/azure/mds-new-vnet/README.md b/terraform/azure/mds-new-vnet/README.md index cb782964..8b3afc49 100755 --- a/terraform/azure/mds-new-vnet/README.md +++ b/terraform/azure/mds-new-vnet/README.md @@ -175,6 +175,8 @@ In order to check the template version refer to the [sk116585](https://supportce | Template Version | Description | |------------------|---------------------------------------------------------------------------------------------| +| 20240613 | - Updated Azure Terraform provider version
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Updated Public IP sku to Standard
- Added validation for os_version & os_offer | +| | | | | 20230910 | - R81.20 is the default version | | | | | | 20230629 | First release of Check Point CloudGuard Network Security MDS Terraform deployment for Azure | diff --git a/terraform/azure/nva-into-existing-hub/README.md b/terraform/azure/nva-into-existing-hub/README.md index 253cce89..a2765298 100644 --- a/terraform/azure/nva-into-existing-hub/README.md +++ b/terraform/azure/nva-into-existing-hub/README.md @@ -1,6 +1,6 @@ # Check Point CloudGuard Network Security Virtual WAN Terraform deployment for Azure -This Terraform module deploys Check Point CloudGuard Network Security vWAN NVA solution into an existing vWAN Hub in Azure. +This Terraform module deploys Check Point CloudGuard Network Security Virtual WAN NVA solution into an existing vWAN Hub in Azure. As part of the deployment the following resources are created: - Resource groups - Azure Managed Application: @@ -77,7 +77,7 @@ please see the [CloudGuard Network for Azure Virtual WAN Deployment Guide](https | | | | | | | **vwan-hub-name** | The name of the virtual WAN hub that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | n/a | | | | | | | - | **vwan-hub-resource-group** | The vWAN hub resource group name | string | | n/a | + | **vwan-hub-resource-group** | The virtual WAN hub resource group name | string | | n/a | | | | | | | | **managed-app-name** | The name of the managed application that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | "tf-vwan-managed-app-nva" | | | | | | | 
@@ -161,6 +161,7 @@ In order to check the template version refer to the [sk116585](https://supportce | Template Version | Description | |------------------|-------------------| +| 20240613 | Cosmetic fixes & default values | | 20240228 | Added public IP for ingress support | | | | 20231226 | First release of Check Point CloudGuard Network Security Virtual WAN Terraform deployment for Azure | | diff --git a/terraform/azure/nva-into-new-vwan/README.md b/terraform/azure/nva-into-new-vwan/README.md index c7f06c09..17fa1ffe 100644 --- a/terraform/azure/nva-into-new-vwan/README.md +++ b/terraform/azure/nva-into-new-vwan/README.md @@ -1,6 +1,6 @@ # Check Point CloudGuard Network Security Virtual WAN Terraform deployment for Azure -This Terraform module deploys Check Point CloudGuard Network Security vWAN NVA solution into a new vWAN Hub in Azure. +This Terraform module deploys Check Point CloudGuard Network Security Virtual WAN NVA solution into a new vWAN Hub in Azure. As part of the deployment the following resources are created: - Resource groups - Virtual WAN @@ -170,7 +170,8 @@ please see the [CloudGuard Network for Azure Virtual WAN Deployment Guide](https In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) | Template Version | Description | -|------------------|---------------------------------------------------------------------------------------------------| +|------------------|-----------------------------------------------------------------------------------------------| +| 20240613 | Cosmetic fixes & default values | | 20240228 | Added public IP for ingress support | | | | 20231226 | First release of Check Point CloudGuard Network Security Virtual WAN Terraform deployment for Azure | | | 
diff --git a/terraform/azure/single-gateway-existing-vnet/README.md b/terraform/azure/single-gateway-existing-vnet/README.md index feebb542..b49b1886 100755 --- a/terraform/azure/single-gateway-existing-vnet/README.md +++ b/terraform/azure/single-gateway-existing-vnet/README.md @@ -185,6 +185,8 @@ In order to check the template version refer to the [sk116585](https://supportce | Template Version | Description | |------------------|---------------------------------------------------------------------------------------------------| +| 20240613 | - Updated Azure Terraform provider version
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Added accelerated networking to SGW Terraform templates
- Updated Public IP sku to Standard
- Added validation for os_version & os_offer | +| | | | | 20230910 | - R81.20 is the default version | | | | | | 20230629 | First release of Check Point CloudGuard Network Security Single GW Terraform deployment for Azure | diff --git a/terraform/azure/vmss-existing-vnet/README.md b/terraform/azure/vmss-existing-vnet/README.md index f0602c30..73b83eb3 100755 --- a/terraform/azure/vmss-existing-vnet/README.md +++ b/terraform/azure/vmss-existing-vnet/README.md @@ -72,7 +72,7 @@ This solution uses the following modules: ### terraform.tfvars variables: | Name | Description | Type | Allowed values | Default | - | ------------- | ------------- | ------------- | ------------- | ------------- | + | ------------- |-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- | ------------- | ------------- | | **client_secret** | The client secret of the Service Principal used to deploy the solution | string | | n/a | | | | | | | **client_id** | The client ID of the Service Principal used to deploy the solution | string | | n/a 
@@ -97,7 +97,7 @@ This solution uses the following modules: | | | | | | | **backend_subnet_name** | Specifies the name of the internal subnet | string | The exact name of the existing internal subnet | n/a | | | | | | - | **backend_lb_IP_address** | Is a whole number that can be represented as a binary integer with no more than the number of digits remaining in the address after the given prefix| string | Starting from 5-th IP address in a subnet. For example: subnet - 10.0.1.0/24, backend_lb_IP_address = 4 , the LB IP is 10.0.1.4 | n/a + | **backend_lb_IP_address** | Is a whole number that can be represented as a binary integer with no more than the number of digits remaining in the address after the given prefix | string | Starting from 5-th IP address in a subnet. For example: subnet - 10.0.1.0/24, backend_lb_IP_address = 4 , the LB IP is 10.0.1.4 | n/a | | | | | | | **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | n/a | | | | | | @@ -151,6 +151,8 @@ This solution uses the following modules: | | | | | | | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | | n/a | | | | | | + | **nsg_id** | Optional ID for a Network Security Group that already exists in Azure, if not provided, will create a default NSG | string | Existing NSG resource ID | "" + | | | | | | | **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false; | false | | | | | | | **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs | [] @@ -200,7 +202,8 @@ enable_custom_metrics = true deployment_mode = "Standard" admin_shell = "/etc/cli.sh" serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + nsg_id = "" add_storage_account_ip_rules = false storage_account_additional_ips = [] @@ -212,15 +215,14 @@ enable_custom_metrics = true ## Known limitations -1. Deploy the VMSS with External load balancer only (Inbound inspection only) is not supported -2. Deploy the VMSS with Internal load balancer only (Outbound and E-W inspection only) is not supported - ## Revision History In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) | Template Version | Description | | ---------------- | ------------- | +| 20240613 | - Updated Azure Terraform provider version
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Updated diskSizeGB
- Added validation for os_version & os_offer | +| | | | | 20230910 | - R81.20 is the default version | | | | | | 20221124 | - Added R81.20 support
- Upgraded azurerm provider | diff --git a/terraform/azure/vmss-existing-vnet/terraform.tfvars b/terraform/azure/vmss-existing-vnet/terraform.tfvars index 399ffeef..66836af3 100755 --- a/terraform/azure/vmss-existing-vnet/terraform.tfvars +++ b/terraform/azure/vmss-existing-vnet/terraform.tfvars @@ -39,4 +39,5 @@ admin_shell = "PLEASE ENTER ADMIN SHELL" serial_console_password_hash = "PLEASE ENTER SERIAL CONSOLE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" add_storage_account_ip_rules = "PLEASE ENTER true or false" # false -storage_account_additional_ips = "PLEASE ENTER A LIST OF VALID IPS/CIDRS" # [] \ No newline at end of file +storage_account_additional_ips = "PLEASE ENTER A LIST OF VALID IPS/CIDRS" # [] +nsg_id = "PLEASE ENTER NETWORK SECURITY GROUP ID" # "" \ No newline at end of file diff --git a/terraform/azure/vmss-existing-vnet/variables.tf b/terraform/azure/vmss-existing-vnet/variables.tf index aa405627..1ad5bb46 100755 --- a/terraform/azure/vmss-existing-vnet/variables.tf +++ b/terraform/azure/vmss-existing-vnet/variables.tf @@ -242,7 +242,10 @@ variable "storage_account_additional_ips" { type = list(string) description = "IPs/CIDRs that are allowed access to the Storage Account" default = [] -}//********************* Load Balancers Variables **********************// +} + +//********************* Load Balancers Variables **********************// + variable "deployment_mode" { description = "The type of the deployment, can be 'Standard' for both load balancers or 'External' for external load balancer or 'Internal for internal load balancer" type = string @@ -392,3 +395,8 @@ variable "enable_floating_ip" { type = bool default = false } + +variable "nsg_id" { + description = "NSG ID - Optional - if empty use default NSG" + default = "" +} 
diff --git a/terraform/azure/vmss-new-vnet/README.md b/terraform/azure/vmss-new-vnet/README.md index 06f786e7..71857101 100755 --- a/terraform/azure/vmss-new-vnet/README.md +++ b/terraform/azure/vmss-new-vnet/README.md @@ -221,6 +221,8 @@ In order to check the template version refer to the [sk116585](https://supportce | Template Version | Description | | ---------------- | --------- | +| 20240613 | - Updated Azure Terraform provider version
- Cosmetic fixes & default values
- Added option to limit storage account access by specify allowed sourcess
- Updated diskSizeGB
- Added validation for os_version & os_offer | +| | | | | 20230910 | - R81.20 is the default version | | | | | | 20221124 | - Added R81.20 support
- Upgraded azurerm provider | diff --git a/terraform/gcp/autoscale-into-existing-vpc/README.md b/terraform/gcp/autoscale-into-existing-vpc/README.md index 2ce564df..45abf434 100755 --- a/terraform/gcp/autoscale-into-existing-vpc/README.md +++ b/terraform/gcp/autoscale-into-existing-vpc/README.md @@ -199,7 +199,6 @@ Please leave empty list for a protocol if you want to disable traffic for it. | enable_monitoring | Enable Stackdriver monitoring | bool | true/false | false | no | - ## Outputs | Name | Description | | ------------- | ------------- | @@ -215,6 +214,7 @@ Please leave empty list for a protocol if you want to disable traffic for it. | SCTP_firewall_rules_name | If enable - the SCTP firewall rules name, otherwise, an empty list. | | ESP_firewall_rules_name | If enable - the ESP firewall rules name, otherwise, an empty list. | + ## Revision History In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) diff --git a/terraform/gcp/high-availability/variables.tf b/terraform/gcp/high-availability/variables.tf index 72f4e916..114c8608 100755 --- a/terraform/gcp/high-availability/variables.tf +++ b/terraform/gcp/high-availability/variables.tf @@ -32,6 +32,7 @@ variable "os_version" { description = "GAIA OS version" default = "R8120" } + # --- Instances Configuration --- data "google_compute_regions" "available_regions" { } @@ -129,7 +130,6 @@ resource "null_resource" "validate_both_tokens" { resource "null_resource" "validate_different_tokens" { count = var.smart_1_cloud_token_a != "" && var.smart_1_cloud_token_a == var.smart_1_cloud_token_b ? "To connect to Smart-1 Cloud, you must provide two different tokens" : 0 } - # --- Networking --- variable "cluster_network_cidr" { type = string diff --git a/terraform/gcp/single-into-existing-vpc/locals.tf b/terraform/gcp/single-into-existing-vpc/locals.tf index 3bfa4737..78145861 100755 
--- a/terraform/gcp/single-into-existing-vpc/locals.tf +++ b/terraform/gcp/single-into-existing-vpc/locals.tf @@ -58,6 +58,7 @@ locals { // Will fail if management_only and payg is_management_only = var.installationType == "Management only" is_license_payg = var.license == "PAYG" - validation_massage = "Cannot use 'Management only' installation type with 'Payg' license." - _= regex("^$",local.is_management_only && local.is_license_payg ? local.validation_massage : "") + validation_message = "Cannot use 'Management only' installation type with 'PAYG' license." + _= regex("^$",local.is_management_only && local.is_license_payg ? local.validation_message : "") + } \ No newline at end of file diff --git a/terraform/gcp/single-into-existing-vpc/variables.tf b/terraform/gcp/single-into-existing-vpc/variables.tf index 196e4678..ef107746 100755 --- a/terraform/gcp/single-into-existing-vpc/variables.tf +++ b/terraform/gcp/single-into-existing-vpc/variables.tf @@ -15,7 +15,7 @@ variable "zone" { } variable "image_name" { type = string - description = "The single gateway and management image name" + description = "The single gateway and management image name. You can choose the desired image value from: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/single-byol/images.py" } variable "os_version" { type = string diff --git a/terraform/gcp/single-into-new-vpc/README.md b/terraform/gcp/single-into-new-vpc/README.md index 62e0b19f..59db07be 100644 --- a/terraform/gcp/single-into-new-vpc/README.md +++ b/terraform/gcp/single-into-new-vpc/README.md @@ -265,7 +265,6 @@ In order to check the template version refer to the [sk116585](https://supportce | 20230921 | Added single-into-new-vpc template. | | | | - ## Authors diff --git a/terraform/gcp/single-into-new-vpc/variables.tf b/terraform/gcp/single-into-new-vpc/variables.tf index 6a40d8e8..eb6e7120 100644 --- a/terraform/gcp/single-into-new-vpc/variables.tf 
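Review bot: The added `_= regex("^$", ...)` line keeps the missing space around `=` from the line it replaces, and the surrounding locals (`is_management_only`, `is_license_payg`, `validation_message`) are aligned, so it should read `_ = regex("^$", local.is_management_only && local.is_license_payg ? local.validation_message : "")`. Using a deliberately failing `regex` as the validation mechanism also reports the problem as a failed function call rather than as a validation error carrying the text in `validation_message`; if the Terraform version this module targets supports it, a `validation` block on the `installationType` variable or a `precondition` would surface the message directly, though the version constraint is not visible here. The extra blank line added before the closing `}` and the missing newline at end of file are worth tidying in the same pass.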
+++ b/terraform/gcp/single-into-new-vpc/variables.tf @@ -19,7 +19,7 @@ variable "zone" { } variable "image_name" { type = string - description = "The single gateway and management image name" + description = "The single gateway and management image name. You can choose the desired image value from: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/single-byol/images.py" } variable "os_version" { type = string From 69ad67536d9a7a76f91d2513f724f17b1e5841b0 Mon Sep 17 00:00:00 2001 
From: natanelm Date: Mon, 30 Sep 2024 17:19:30 +0300 Subject: [PATCH 06/12] Align aws --- aws/templates/asg/autoscale.yaml | 9 ++++----- aws/templates/cluster/cluster-master.yaml | 10 +++++----- aws/templates/cluster/cluster.yaml | 17 ++++++++--------- .../cross-az-cluster-master.yaml | 10 +++++----- .../cross-az-cluster/cross-az-cluster.yaml | 16 ++++++++-------- .../geo-cluster/geo-cluster-master.yaml | 10 +++++----- aws/templates/geo-cluster/geo-cluster.yaml | 16 ++++++++-------- aws/templates/gwlb-asg/gwlb-master.yaml | 10 +++++----- aws/templates/gwlb-asg/gwlb.yaml | 6 +++--- aws/templates/gwlb-asg/qs-gwlb-master.yaml | 8 ++++---- aws/templates/gwlb-asg/qs-gwlb.yaml | 10 +++++----- aws/templates/gwlb-asg/tgw-gwlb-master.yaml | 10 +++++----- aws/templates/gwlb-asg/tgw-gwlb.yaml | 4 ++-- aws/templates/management/management.yaml | 10 +++++----- aws/templates/mds/mds.yaml | 12 ++++++------ aws/templates/single-gw/gateway-master.yaml | 8 ++++---- aws/templates/single-gw/gateway.yaml | 10 +++++----- .../standalone/standalone-master.yaml | 8 ++++---- aws/templates/standalone/standalone.yaml | 10 +++++----- aws/templates/tgw-asg/tgw-asg-master.yaml | 10 +++++----- aws/templates/tgw-asg/tgw-asg.yaml | 10 +++++----- .../tgw-cross-az-cluster-master.yaml | 10 +++++----- .../tgw-cross-az-cluster.yaml | 10 ++++------ aws/templates/tgw-ha/tgw-ha-master.yaml | 10 +++++----- aws/templates/tgw-ha/tgw-ha.yaml | 8 ++++---- terraform/alicloud/cluster-master/README.md | 2 +- terraform/alicloud/cluster/README.md | 2 +- terraform/alicloud/gateway-master/README.md | 2 +- terraform/alicloud/gateway/README.md | 2 +- terraform/alicloud/management-master/README.md | 3 ++- terraform/alicloud/management/README.md | 5 +++-- terraform/aws/autoscale-gwlb/README.md | 2 +- terraform/aws/autoscale/README.md | 2 +- terraform/aws/cluster/README.md | 2 +- terraform/aws/gateway/README.md | 2 +- terraform/aws/gwlb-master/README.md | 3 ++- terraform/aws/qs-autoscale-master/README.md | 1 + 
terraform/aws/qs-autoscale/README.md | 4 +++- terraform/aws/standalone-master/locals.tf | 1 - terraform/aws/standalone/README.md | 18 ++++-------------- .../aws/tgw-cross-az-cluster-master/README.md | 3 ++- terraform/aws/tgw-cross-az-cluster/README.md | 4 +++- terraform/aws/tgw-gwlb-master/README.md | 3 ++- terraform/aws/tgw-gwlb/README.md | 3 ++- 44 files changed, 156 insertions(+), 160 deletions(-) diff --git a/aws/templates/asg/autoscale.yaml b/aws/templates/asg/autoscale.yaml index 97627bd8..04a1adbb 100644 --- a/aws/templates/asg/autoscale.yaml +++ b/aws/templates/asg/autoscale.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Create an Auto Scaling group of Check Point gateways (__VERSION__) +Description: Create an Auto Scaling group of Check Point gateways (20240417) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -410,7 +410,7 @@ Resources: Condition: EnableCloudWatch Type: AWS::CloudFormation::Stack Properties: - TemplateURL: __URL__/iam/cloudwatch-policy.yaml + TemplateURL: https://cgi-cfts.s3.amazonaws.com/iam/cloudwatch-policy.yaml Parameters: PolicyName: ChkpGatewayPolicy PolicyRole: !Ref ChkpGatewayRole @@ -424,7 +424,7 @@ Resources: AMI: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: __URL__/utils/amis.yaml + TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/amis.yaml Parameters: Version: !Join ['-', [!Ref GatewayVersion, GW]] NotificationTopic: 
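Review bot: The nested-stack `TemplateURL` values in the second and third hunks now point at fixed, unversioned object keys (`https://cgi-cfts.s3.amazonaws.com/iam/cloudwatch-policy.yaml`, `https://cgi-cfts.s3.amazonaws.com/utils/amis.yaml`), so the IAM policy and AMI lookup a deployment pulls in are whatever sits at those keys at deploy time, not the revision this template was released with. The same substitution is made in the cluster, cross-az-cluster and geo-cluster templates later in this patch. If the release process overwrites those keys, a version-qualified path or a comment in the template header recording which bucket revision the 20240417 template expects would make a deployment reproducible and let reviewers diff the nested templates alongside this one; whether the bucket keeps object versions is not visible here.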
@@ -545,7 +545,7 @@ Resources:
 - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']]
 - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']]
 - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}]
- - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" sicKey=\"${sic}\" installationType=\"autoscale\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"autoscale\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" bootstrapScript64=\"${bootstrap}\"'
+ - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" sicKey=\"${sic}\" installationType=\"autoscale\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"autoscale\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" bootstrapScript64=\"${bootstrap}\"'
 VersionDescription: Initial template version
 GatewayScaleUpPolicy:
 Type: AWS::AutoScaling::ScalingPolicy
@@ -612,4 +612,3 @@ Outputs:
 SecurityGroup:
 Description: The Security Group of the Auto Scaling group.
 Value: !GetAtt PermissiveSecurityGroup.GroupId
-
diff --git a/aws/templates/cluster/cluster-master.yaml b/aws/templates/cluster/cluster-master.yaml
index 6243e34c..87d54b56 100755
--- a/aws/templates/cluster/cluster-master.yaml
+++ b/aws/templates/cluster/cluster-master.yaml
@@ -1,5 +1,5 @@
 AWSTemplateFormatVersion: 2010-09-09
-Description: Deploy a Check Point Cluster in a new VPC (__VERSION__)
+Description: Deploy a Check Point Cluster in a new VPC (20240204)
 Metadata:
 AWS::CloudFormation::Interface:
 ParameterGroups:
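Review bot: `templateVersion=\"20240204\"` written into the cloud_config invocation in the first hunk does not match the `(20240417)` stamp the same commit puts into this template's `Description`, so the version a gateway reports at boot would differ from the template it was deployed from. Both values replace the same `__VERSION__` placeholder, which suggests one substitution is stale; the gateway-side consumer of templateVersion is not visible here. If the Description carries the intended release, the line should read `templateVersion=\"20240417\"`.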
@@ -395,7 +395,7 @@ Resources:
 VPCStack:
 Type: AWS::CloudFormation::Stack
 Properties:
- TemplateURL: __URL__/utils/vpc.yaml
+ TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml
 Parameters:
 AvailabilityZones: !Ref AvailabilityZone
 NumberOfAZs: 1
@@ -414,7 +414,7 @@ Resources:
 Type: AWS::CloudFormation::Stack
 DependsOn: VPCStack
 Properties:
- TemplateURL: __URL__/cluster/cluster.yaml
+ TemplateURL: https://cgi-cfts.s3.amazonaws.com/cluster/cluster.yaml
 Parameters:
 VPC: !GetAtt VPCStack.Outputs.VPCID
 PublicSubnet: !GetAtt VPCStack.Outputs.PublicSubnet1ID
@@ -499,12 +499,12 @@ Rules:
 MemberATokenNotProvided:
 RuleCondition: !Equals [!Ref MemberAToken, '']
 Assertions:
- - AssertDescription: "Smart-1 Cloud Token for member A can not be empty"
+ - AssertDescription: "Smart-1 Cloud Token for member A can not be empty."
 Assert: !Equals [!Ref MemberBToken, '']
 MemberBTokenNotProvided:
 RuleCondition: !Equals [ !Ref MemberBToken, '' ]
 Assertions:
- - AssertDescription: "Smart-1 Cloud Token for member B can not be empty"
+ - AssertDescription: "Smart-1 Cloud Token for member B can not be empty."
 Assert: !Equals [ !Ref MemberAToken, '' ]
 MembersTokenValueEquals:
 RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ]
diff --git a/aws/templates/cluster/cluster.yaml b/aws/templates/cluster/cluster.yaml
index f1263257..9bea983a 100755
--- a/aws/templates/cluster/cluster.yaml
+++ b/aws/templates/cluster/cluster.yaml
@@ -1,5 +1,5 @@
 AWSTemplateFormatVersion: 2010-09-09
-Description: Deploys a Check Point Cluster into an existing VPC (__VERSION__)
+Description: Deploys a Check Point Cluster into an existing VPC (20240204)
 Metadata:
 AWS::CloudFormation::Interface:
 ParameterGroups:
@@ -412,7 +412,7 @@ Resources:
 Condition: CreateRole
 Type: AWS::CloudFormation::Stack
 Properties:
- TemplateURL: __URL__/iam/cluster-iam-role.yaml
+ TemplateURL: https://cgi-cfts.s3.amazonaws.com/iam/cluster-iam-role.yaml
 ClusterInstanceProfile:
 Type: AWS::IAM::InstanceProfile
 Properties:
@@ -422,14 +422,14 @@ Resources:
 Condition: EnableCloudWatch
 Type: AWS::CloudFormation::Stack
 Properties:
- TemplateURL: __URL__/iam/cloudwatch-policy.yaml
+ TemplateURL: https://cgi-cfts.s3.amazonaws.com/iam/cloudwatch-policy.yaml
 Parameters:
 PolicyName: !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName']
 PolicyRole: !If [CreateRole, !GetAtt ClusterRole.Outputs.ClusterIAMRole, !Ref GatewayPredefinedRole]
 AMI:
 Type: AWS::CloudFormation::Stack
 Properties:
- TemplateURL: __URL__/utils/amis.yaml
+ TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/amis.yaml
 Parameters:
 Version: !Join [-, [!Ref GatewayVersion, GW]]
 PermissiveSecurityGroup:
@@ -610,7 +610,7 @@ Resources: - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] - - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenA}\"" installationType=\"cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" bootstrapScript64=\"${bootstrap}\"' + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenA}\"" installationType=\"cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" bootstrapScript64=\"${bootstrap}\"' VersionDescription: Initial template version MemberBGatewayLaunchTemplate: Type: AWS::EC2::LaunchTemplate 
@@ -653,7 +653,7 @@ Resources: - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] - - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenB}\"" installationType=\"cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" bootstrapScript64=\"${bootstrap}\"' + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenB}\"" installationType=\"cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20230923\" templateName=\"cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" bootstrapScript64=\"${bootstrap}\"' VersionDescription: Initial template version ClusterPublicAddress: Type: AWS::EC2::EIP 
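Review bot: Member B's launch template now embeds `templateVersion=\"20230923\"` while member A's hunk just above and this file's `Description` both carry `20240204`, so the two members of one cluster would report different template versions from a single deployment. Both lines were generated from the same `__VERSION__` placeholder, which points to a stale substitution rather than an intentional difference; the change is `templateVersion=\"20240204\"` on member B's line. The cross-az-cluster hunks further down use 20240204 for both members, so this file is the outlier.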
@@ -747,12 +747,12 @@ Rules: MemberATokenNotProvided: RuleCondition: !Equals [!Ref MemberAToken, ''] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member A can not be empty" + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty." Assert: !Equals [!Ref MemberBToken, ''] MemberBTokenNotProvided: RuleCondition: !Equals [ !Ref MemberBToken, '' ] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member B can not be empty" + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty." Assert: !Equals [ !Ref MemberAToken, '' ] MembersTokenValueEquals: RuleCondition: !EachMemberEquals [[!Ref MemberBToken], !Ref MemberAToken] @@ -762,4 +762,3 @@ Rules: - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" Assert: !Equals [ !Ref MemberBToken, '' ] - diff --git a/aws/templates/cross-az-cluster/cross-az-cluster-master.yaml b/aws/templates/cross-az-cluster/cross-az-cluster-master.yaml index dcc61a70..9826d072 100644 --- a/aws/templates/cross-az-cluster/cross-az-cluster-master.yaml +++ b/aws/templates/cross-az-cluster/cross-az-cluster-master.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy a Check Point Cluster in a new VPC (__VERSION__) +Description: Deploy a Check Point Cluster in a new VPC (20240204) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -401,7 +401,7 @@ Resources: VPCStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: __URL__/utils/vpc.yaml + TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml Parameters: AvailabilityZones: !Join [',', !Ref AvailabilityZones] NumberOfAZs: 2 
@@ -422,7 +422,7 @@ Resources:
 Type: AWS::CloudFormation::Stack
 DependsOn: VPCStack
 Properties:
- TemplateURL: __URL__/cluster/cross-az-cluster.yaml
+ TemplateURL: https://cgi-cfts.s3.amazonaws.com/cluster/cross-az-cluster.yaml
 Parameters:
 VPC: !GetAtt VPCStack.Outputs.VPCID
 PublicSubnetA: !GetAtt VPCStack.Outputs.PublicSubnet1ID
@@ -508,12 +508,12 @@ Rules:
 MemberATokenNotProvided:
 RuleCondition: !Equals [!Ref MemberAToken, '']
 Assertions:
- - AssertDescription: "Smart-1 Cloud Token for member A can not be empty"
+ - AssertDescription: "Smart-1 Cloud Token for member A can not be empty."
 Assert: !Equals [!Ref MemberBToken, '']
 MemberBTokenNotProvided:
 RuleCondition: !Equals [ !Ref MemberBToken, '' ]
 Assertions:
- - AssertDescription: "Smart-1 Cloud Token for member B can not be empty"
+ - AssertDescription: "Smart-1 Cloud Token for member B can not be empty."
 Assert: !Equals [ !Ref MemberAToken, '' ]
 MembersTokenValueEquals:
 RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ]
diff --git a/aws/templates/cross-az-cluster/cross-az-cluster.yaml b/aws/templates/cross-az-cluster/cross-az-cluster.yaml
index 5d294579..3c5f6ad8 100644
--- a/aws/templates/cross-az-cluster/cross-az-cluster.yaml
+++ b/aws/templates/cross-az-cluster/cross-az-cluster.yaml
@@ -1,5 +1,5 @@
 AWSTemplateFormatVersion: 2010-09-09
-Description: Deploys a Check Point Cluster into an existing VPC (__VERSION__)
+Description: Deploys a Check Point Cluster into an existing VPC (20240204)
 Metadata:
 AWS::CloudFormation::Interface:
 ParameterGroups:
@@ -426,7 +426,7 @@ Resources:
 Condition: CreateRole
 Type: AWS::CloudFormation::Stack
 Properties:
- TemplateURL: __URL__/iam/cluster-iam-role.yaml
+ TemplateURL: https://cgi-cfts.s3.amazonaws.com/iam/cluster-iam-role.yaml
 ClusterInstanceProfile:
 Type: AWS::IAM::InstanceProfile
 Properties:
@@ -436,14 +436,14 @@ Resources:
 Condition: EnableCloudWatch
 Type: AWS::CloudFormation::Stack
 Properties:
- TemplateURL: __URL__/iam/cloudwatch-policy.yaml
+ TemplateURL: https://cgi-cfts.s3.amazonaws.com/iam/cloudwatch-policy.yaml
 Parameters:
 PolicyName: !If [ ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName' ]
 PolicyRole: !If [CreateRole, !GetAtt ClusterRole.Outputs.ClusterIAMRole, !Ref GatewayPredefinedRole]
 AMI:
 Type: AWS::CloudFormation::Stack
 Properties:
- TemplateURL: __URL__/utils/amis.yaml
+ TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/amis.yaml
 Parameters:
 Version: !Join ['-', [!Ref GatewayVersion, GW]]
 PermissiveSecurityGroup:
@@ -669,7 +669,7 @@ Resources: - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] - - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenA}\"" installationType=\"cross-az-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"cross_az_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" otherMemberIp=\"${other_member_ip}\" clusterIp=\"${cluster_ip}\" secondaryIp=\"${secondary_ip}\" otherMemberPrivateClusterIp=\"${remote_secondary_ip}\" bootstrapScript64=\"${bootstrap}\"' + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenA}\"" installationType=\"cross-az-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"cross_az_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" otherMemberIp=\"${other_member_ip}\" clusterIp=\"${cluster_ip}\" secondaryIp=\"${secondary_ip}\" otherMemberPrivateClusterIp=\"${remote_secondary_ip}\" bootstrapScript64=\"${bootstrap}\"' VersionDescription: Initial template version MemberBGatewayLaunchTemplate: Type: AWS::EC2::LaunchTemplate 
@@ -716,7 +716,7 @@ Resources: - !Join [ '', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"' ] ] - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] - - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenB}\"" installationType=\"cross-az-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"cross_az_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" otherMemberIp=\"${other_member_ip}\" clusterIp=\"${cluster_ip}\" secondaryIp=\"${secondary_ip}\" otherMemberPrivateClusterIp=\"${remote_secondary_ip}\" bootstrapScript64=\"${bootstrap}\"' + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenB}\"" installationType=\"cross-az-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"cross_az_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" otherMemberIp=\"${other_member_ip}\" clusterIp=\"${cluster_ip}\" secondaryIp=\"${secondary_ip}\" otherMemberPrivateClusterIp=\"${remote_secondary_ip}\" bootstrapScript64=\"${bootstrap}\"' VersionDescription: Initial template version Outputs: ClusterPublicAddress: 
@@ -772,12 +772,12 @@ Rules:
 MemberATokenNotProvided:
 RuleCondition: !Equals [!Ref MemberAToken, '']
 Assertions:
- - AssertDescription: "Smart-1 Cloud Token for member A can not be empty"
+ - AssertDescription: "Smart-1 Cloud Token for member A can not be empty."
 Assert: !Equals [!Ref MemberBToken, '']
 MemberBTokenNotProvided:
 RuleCondition: !Equals [ !Ref MemberBToken, '' ]
 Assertions:
- - AssertDescription: "Smart-1 Cloud Token for member B can not be empty"
+ - AssertDescription: "Smart-1 Cloud Token for member B can not be empty."
 Assert: !Equals [ !Ref MemberAToken, '' ]
 MembersTokenValueEquals:
 RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ]
diff --git a/aws/templates/geo-cluster/geo-cluster-master.yaml b/aws/templates/geo-cluster/geo-cluster-master.yaml
index a07c6ed7..b2d4e02f 100644
--- a/aws/templates/geo-cluster/geo-cluster-master.yaml
+++ b/aws/templates/geo-cluster/geo-cluster-master.yaml
@@ -1,5 +1,5 @@
 AWSTemplateFormatVersion: 2010-09-09
-Description: Deploy a Check Point cross AZ Cluster in a new VPC (__VERSION__)
+Description: Deploy a Check Point cross AZ Cluster in a new VPC (20240204)
 Metadata:
 AWS::CloudFormation::Interface:
 ParameterGroups:
@@ -413,7 +413,7 @@ Resources:
 VPCStack:
 Type: AWS::CloudFormation::Stack
 Properties:
- TemplateURL: __URL__/utils/vpc.yaml
+ TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml
 Parameters:
 AvailabilityZones: !Join [',', !Ref AvailabilityZones]
 NumberOfAZs: 2
@@ -433,7 +433,7 @@ Resources:
 ClusterStack:
 Type: AWS::CloudFormation::Stack
 Properties:
- TemplateURL: __URL__/cluster/geo-cluster.yaml
+ TemplateURL: https://cgi-cfts.s3.amazonaws.com/cluster/geo-cluster.yaml
 Parameters:
 VPC: !GetAtt VPCStack.Outputs.VPCID
 PublicSubnetA: !GetAtt VPCStack.Outputs.PublicSubnet1ID
@@ -507,12 +507,12 @@ Rules:
 MemberATokenNotProvided:
 RuleCondition: !Equals [!Ref MemberAToken, '']
 Assertions:
- - AssertDescription: "Smart-1 Cloud Token for member A can not be empty"
+ - AssertDescription: "Smart-1 Cloud Token for member A can not be empty."
 Assert: !Equals [!Ref MemberBToken, '']
 MemberBTokenNotProvided:
 RuleCondition: !Equals [ !Ref MemberBToken, '' ]
 Assertions:
- - AssertDescription: "Smart-1 Cloud Token for member B can not be empty"
+ - AssertDescription: "Smart-1 Cloud Token for member B can not be empty."
 Assert: !Equals [ !Ref MemberAToken, '' ]
 MembersTokenValueEquals:
 RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ]
diff --git a/aws/templates/geo-cluster/geo-cluster.yaml b/aws/templates/geo-cluster/geo-cluster.yaml
index eee0a855..c358dfba 100644
--- a/aws/templates/geo-cluster/geo-cluster.yaml
+++ b/aws/templates/geo-cluster/geo-cluster.yaml
@@ -1,5 +1,5 @@
 AWSTemplateFormatVersion: 2010-09-09
-Description: Deploys a Check Point cross AZ Cluster into an existing VPC (__VERSION__)
+Description: Deploys a Check Point cross AZ Cluster into an existing VPC (20240204)
 Metadata:
 AWS::CloudFormation::Interface:
 ParameterGroups:
@@ -427,7 +427,7 @@ Resources:
 ClusterRole:
 Type: AWS::CloudFormation::Stack
 Properties:
- TemplateURL: __URL__/iam/cluster-iam-role.yaml
+ TemplateURL: https://cgi-cfts.s3.amazonaws.com/iam/cluster-iam-role.yaml
 ClusterInstanceProfile:
 Type: AWS::IAM::InstanceProfile
 Properties:
@@ -437,14 +437,14 @@ Resources: Condition: EnableCloudWatch Type: AWS::CloudFormation::Stack Properties: - TemplateURL: __URL__/iam/cloudwatch-policy.yaml + TemplateURL: https://cgi-cfts.s3.amazonaws.com/iam/cloudwatch-policy.yaml Parameters: PolicyName: !If [ ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName' ] PolicyRole: !If [CreateRole, !GetAtt ClusterRole.Outputs.ClusterIAMRole, !Ref GatewayPredefinedRole] AMI: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: __URL__/utils/amis.yaml + TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/amis.yaml Parameters: Version: !Join ['-', [!Ref GatewayVersion, GW]] PermissiveSecurityGroup: 
@@ -601,7 +601,7 @@ Resources: - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] - - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenA}\"" installationType=\"geo-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"geo_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" elasticIp=\"${eip}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" otherMemberIp=\"${other_member_ip}\" bootstrapScript64=\"${bootstrap}\"' + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenA}\"" installationType=\"geo-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"geo_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" elasticIp=\"${eip}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" otherMemberIp=\"${other_member_ip}\" bootstrapScript64=\"${bootstrap}\"' MemberBGatewayLaunchTemplate: Type: AWS::EC2::LaunchTemplate Properties: 
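Review bot: The rewritten `python3 /etc/cloud_config.py ...` line in MemberAGatewayLaunchTemplate still hands `sicKey`, `smart1CloudToken`, `passwordHash` and `MaintenanceModePassword` to the script as command-line arguments inside the launch template UserData, and only the templateVersion stamp changed; UserData is not a secret store, it is returned by the instance's user-data attribute and is readable from inside the instance, so NoEcho on the parameters does not keep these values confidential once the stack is created. Since the line is being touched, a YAML comment above the UserData Fn::Join such as `# NOTE: the SIC key, Smart-1 Cloud token and password hashes below are embedded in instance UserData; limit who can read instance attributes in this account.` would make the exposure explicit to whoever operates the stack. The enclosing UserData block starts outside the hunk. The MemberB launch template below and the equivalent lines in management.yaml, mds.yaml, gateway.yaml and standalone.yaml carry the same values.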
@@ -643,7 +643,7 @@ Resources: - !Join [ '', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"' ] ] - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] - - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenB}\"" installationType=\"geo-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"geo_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" otherMemberIp=\"${other_member_ip}\" bootstrapScript64=\"${bootstrap}\"' + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenB}\"" installationType=\"geo-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"geo_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" otherMemberIp=\"${other_member_ip}\" bootstrapScript64=\"${bootstrap}\"' VersionDescription: Initial template version MemberAPublicAddress: Type: AWS::EC2::EIP 
@@ -718,12 +718,12 @@ Rules: MemberATokenNotProvided: RuleCondition: !Equals [!Ref MemberAToken, ''] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member A can not be empty" + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty." Assert: !Equals [!Ref MemberBToken, ''] MemberBTokenNotProvided: RuleCondition: !Equals [ !Ref MemberBToken, '' ] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member B can not be empty" + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty." Assert: !Equals [ !Ref MemberAToken, '' ] MembersTokenValueEquals: RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ] diff --git a/aws/templates/gwlb-asg/gwlb-master.yaml b/aws/templates/gwlb-asg/gwlb-master.yaml index 6766a1b3..0e4eb4c7 100644 --- a/aws/templates/gwlb-asg/gwlb-master.yaml +++ b/aws/templates/gwlb-asg/gwlb-master.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, in a new VPC (__VERSION__) +Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, in a new VPC (20240204) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -647,7 +647,7 @@ Resources: VPCStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: __URL__/utils/vpc.yaml + TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml Parameters: AvailabilityZones: !Join [',' , !Ref AvailabilityZones] NumberOfAZs: !Ref NumberOfAZs @@ -660,7 +660,7 @@ Resources: GWLBStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: __URL__/gwlb/gwlb.yaml + TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/gwlb.yaml Parameters: VPC: !GetAtt VPCStack.Outputs.VPCID GatewaysSubnets: !Join 
@@ -728,7 +728,7 @@ Outputs: Value: !GetAtt GWLBStack.Outputs.GWLBServiceName Rules: GatewayAddressAllocationRule: - RuleCondition: !Equals [!Ref ControlGatewayOverPrivateOrPublicAddress, 'public'] - Assertions: + RuleCondition: !Equals [!Ref ControlGatewayOverPrivateOrPublicAddress, 'public'] + Assertions: - AssertDescription: "Gateway's selected to be provisioned by public IP, but ['AllocatePublicAddress'] parameter is false" Assert: !Equals [!Ref AllocatePublicAddress, 'true'] diff --git a/aws/templates/gwlb-asg/gwlb.yaml b/aws/templates/gwlb-asg/gwlb.yaml index 8d0340f7..50d8e335 100644 --- a/aws/templates/gwlb-asg/gwlb.yaml +++ b/aws/templates/gwlb-asg/gwlb.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, in a new VPC (__VERSION__) +Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, in a new VPC (20240204) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -642,7 +642,7 @@ Resources: SecurityGatewaysStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: __URL__/gwlb/autoscale-gwlb.yaml + TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/autoscale-gwlb.yaml Parameters: VPC: !Ref VPC GatewaysSubnets: !Join [',', !Ref GatewaysSubnets] @@ -674,7 +674,7 @@ Resources: Type: AWS::CloudFormation::Stack Condition: DeployManagement Properties: - TemplateURL: __URL__/gwlb/management-gwlb.yaml + TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/management-gwlb.yaml Parameters: VPC: !Ref VPC ManagementSubnet: !Select [0, !Ref GatewaysSubnets] diff --git a/aws/templates/gwlb-asg/qs-gwlb-master.yaml b/aws/templates/gwlb-asg/qs-gwlb-master.yaml index 6979b470..4d7e56a7 100644 --- a/aws/templates/gwlb-asg/qs-gwlb-master.yaml +++ b/aws/templates/gwlb-asg/qs-gwlb-master.yaml 
@@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, in a new VPC (__VERSION__) +Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, in a new VPC (05072024) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -800,7 +800,7 @@ Resources: SecurityVPCStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: __URL__/utils/vpc.yaml + TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml Parameters: AvailabilityZones: !Join [',' , !Ref AvailabilityZones] NumberOfAZs: !Ref NumberOfAZs @@ -813,7 +813,7 @@ Resources: ServersVPCStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: __URL__/gwlb/qs-gwlb-servers-vpc.yaml + TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/qs-gwlb-servers-vpc.yaml Parameters: AvailabilityZones: !Join [ ',' , !Ref AvailabilityZones ] NumberOfAZs: !Ref NumberOfAZs @@ -832,7 +832,7 @@ Resources: Type: AWS::CloudFormation::Stack DependsOn: [SecurityVPCStack, ServersVPCStack] Properties: - TemplateURL: __URL__/gwlb/qs-gwlb.yaml + TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/qs-gwlb.yaml Parameters: SecurityVPC: !GetAtt SecurityVPCStack.Outputs.VPCID NumberOfAZs: !Ref NumberOfAZs diff --git a/aws/templates/gwlb-asg/qs-gwlb.yaml b/aws/templates/gwlb-asg/qs-gwlb.yaml index 70723206..1ff5555b 100644 --- a/aws/templates/gwlb-asg/qs-gwlb.yaml +++ b/aws/templates/gwlb-asg/qs-gwlb.yaml 
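Review bot: The version stamp substituted into qs-gwlb-master.yaml's Description is `05072024`, while every other template in this commit receives `20240204`, i.e. a DDMMYYYY stamp next to YYYYMMDD ones; the two formats cannot be ordered against each other, so a reader cannot tell whether this template is newer or older than the rest. If this is the July 2024 revision, `(20240705)` keeps the convention used elsewhere. qs-gwlb.yaml in the next hunk carries the same `05072024` stamp.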
@@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: "Deploy a Quick-Start Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, optionally: Security Management Server and Application Server Autoscale in an existing VPC (__VERSION__)" +Description: "Deploy a Quick-Start Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, optionally: Security Management Server and Application Server Autoscale in an existing VPC (05072024)" Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -749,7 +749,7 @@ Resources: SecurityGatewaysStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: __URL__/gwlb/autoscale-gwlb.yaml + TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/autoscale-gwlb.yaml Parameters: VPC: !Ref SecurityVPC GatewaysSubnets: !Join [',', !Ref GatewaysSubnets] @@ -792,7 +792,7 @@ Resources: Condition: DeployManagement DependsOn: GWLBeEndpointStack Properties: - TemplateURL: __URL__/gwlb/management-gwlb.yaml + TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/management-gwlb.yaml Parameters: VPC: !Ref SecurityVPC ManagementSubnet: !Select [0, !Ref GatewaysSubnets] @@ -841,7 +841,7 @@ Resources: Type: AWS::CloudFormation::Stack DependsOn: VpcEndpointService Properties: - TemplateURL: __URL__/gwlb/qs-gwlb-endpoints.yaml + TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/qs-gwlb-endpoints.yaml Parameters: NumberOfAZs: !Ref NumberOfAZs GWLBeVPC: !Ref ServersVPC @@ -854,7 +854,7 @@ Resources: Type: AWS::CloudFormation::Stack DependsOn: GWLBeEndpointStack Properties: - TemplateURL: __URL__/gwlb/qs-gwlb-servers-autoscale.yaml + TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/qs-gwlb-servers-autoscale.yaml Parameters: VPC: !Ref ServersVPC Subnets: !Join [',', !Ref ServersSubnets] diff --git a/aws/templates/gwlb-asg/tgw-gwlb-master.yaml b/aws/templates/gwlb-asg/tgw-gwlb-master.yaml index cdf99b9c..7fe4c750 100644 --- a/aws/templates/gwlb-asg/tgw-gwlb-master.yaml 
+++ b/aws/templates/gwlb-asg/tgw-gwlb-master.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, in a new VPC for Transit Gateway (__VERSION__) +Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, in a new VPC for Transit Gateway (20240204) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -741,7 +741,7 @@ Resources: VPCStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: __URL__/utils/vpc.yaml + TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml Parameters: AvailabilityZones: !Join [',', !Ref AvailabilityZones] NumberOfAZs: !Ref NumberOfAZs @@ -759,7 +759,7 @@ Resources: TgwGwlbStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: __URL__/gwlb/tgw-gwlb.yaml + TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/tgw-gwlb.yaml Parameters: VPC: !GetAtt VPCStack.Outputs.VPCID IGWID: !GetAtt VPCStack.Outputs.IGWID @@ -869,7 +869,7 @@ Outputs: Condition: 4AZs Rules: GatewayAddressAllocationRule: - RuleCondition: !Equals [!Ref ControlGatewayOverPrivateOrPublicAddress, 'public'] - Assertions: + RuleCondition: !Equals [!Ref ControlGatewayOverPrivateOrPublicAddress, 'public'] + Assertions: - AssertDescription: "Gateway's selected to be provisioned by public IP, but ['AllocatePublicAddress'] parameter is false" Assert: !Equals [!Ref AllocatePublicAddress, 'true'] diff --git a/aws/templates/gwlb-asg/tgw-gwlb.yaml b/aws/templates/gwlb-asg/tgw-gwlb.yaml index 123d500a..89fbbc8b 100644 --- a/aws/templates/gwlb-asg/tgw-gwlb.yaml +++ b/aws/templates/gwlb-asg/tgw-gwlb.yaml 
@@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, in an existing VPC for Transit Gateway (__VERSION__) +Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, in an existing VPC for Transit Gateway (20240204) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -977,7 +977,7 @@ Resources: GWLBStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: __URL__/gwlb/gwlb.yaml + TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/gwlb.yaml Parameters: VPC: !Ref VPC GatewaysSubnets: !Join [',', !Ref GatewaysSubnets] diff --git a/aws/templates/management/management.yaml b/aws/templates/management/management.yaml index dd756635..04e3d00e 100755 --- a/aws/templates/management/management.yaml +++ b/aws/templates/management/management.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploys a Check Point Management Server (__VERSION__) +Description: Deploys a Check Point Management Server (20240417) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -336,7 +336,7 @@ Parameters: AllowedPattern: '[\$\./a-zA-Z0-9]*' NoEcho: true ManagementHostname: - Description: The name must not contain reserved words. For details, refer to sk40179. (optional) + Description: The name must not contain reserved words. For details, refer to sk40179 (optional). Type: String Default: mgmt-aws AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$' 
@@ -417,7 +417,7 @@ Resources: AMI: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: __URL__/utils/amis.yaml + TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/amis.yaml Parameters: Version: !Join ['-', [!Ref ManagementVersion, MGMT]] ManagementReadyHandle: @@ -493,7 +493,7 @@ Resources: Type: AWS::CloudFormation::Stack Condition: CreateRole Properties: - TemplateURL: __URL__/iam/cme-iam-role.yaml + TemplateURL: https://cgi-cfts.s3.amazonaws.com/iam/cme-iam-role.yaml Parameters: Permissions: !Ref ManagementPermissions STSRoles: !Join [',', !Ref ManagementSTSRoles] 
@@ -558,7 +558,7 @@ Resources: - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref ManagementPasswordHash, ')"']] - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref ManagementMaintenancePasswordHash, ')"']] - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref ManagementVersion]]}] - - ' python3 /etc/cloud_config.py waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" installationType=\"management\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"management\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" "management_installation_type=\"${mgmt_install_type}\"" adminSubnet=\"${admin_subnet}\" allocatePublicAddress=\"${eip}\" overTheInternet=\"${pub_mgmt}\" bootstrapScript64=\"${bootstrap}\"' + - ' python3 /etc/cloud_config.py waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" installationType=\"management\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"management\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" "management_installation_type=\"${mgmt_install_type}\"" adminSubnet=\"${admin_subnet}\" allocatePublicAddress=\"${eip}\" overTheInternet=\"${pub_mgmt}\" bootstrapScript64=\"${bootstrap}\"' VersionDescription: Initial template version PublicAddress: Type: AWS::EC2::EIP diff --git a/aws/templates/mds/mds.yaml b/aws/templates/mds/mds.yaml index 1f5a9b41..ec7913b2 100644 --- a/aws/templates/mds/mds.yaml +++ b/aws/templates/mds/mds.yaml 
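Review bot: The `templateVersion=\"20240204\"` written into the management launch template's cloud_config.py invocation does not match the `(20240417)` that the same commit puts in this file's Description, so the version an instance reports at provisioning will differ from the version the template declares about itself. Both values were `__VERSION__` before and were presumably meant to be substituted together; one of them should follow the other, most likely `templateVersion=\"20240417\"` here. The enclosing UserData block starts outside the hunk. mds.yaml has the same mismatch between its Description (20240417) and its templateVersion (20240204).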
@@ -1,5 +1,5 @@ AWSTemplateFormatVersion: '2010-09-09' -Description: Deploys a Check Point Multi-Domain Server (__VERSION__) +Description: Deploys a Check Point Multi-Domain Server (20240417) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -321,7 +321,7 @@ Parameters: AllowedPattern: '[\$\./a-zA-Z0-9]*' NoEcho: true MDSHostname: - Description: The name must not contain reserved words. For details, refer to sk40179. (optional) + Description: The name must not contain reserved words. For details, refer to sk40179 (optional). Type: String Default: mds-aws AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$' @@ -358,7 +358,7 @@ Parameters: with the Multi-Domain Server. The address should be either 0.0.0.0/0 (any address) or /32 (specific address) Type: String AllowedPattern: '^((0.0.0.0\/0)|)$|^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/32)$' - ConstraintDescription: Administrator address must be either 0.0.0.0/0 or /32 + ConstraintDescription: Administrator address must be either 0.0.0.0/0 or /32 GatewaysAddresses: Description: Allow gateways only from this network to communicate with the Multi-Domain. Server @@ -398,7 +398,7 @@ Resources: AMI: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: __URL__/utils/amis.yaml + TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/amis.yaml Parameters: Version: !Join ['-', [!Ref MDSVersion, MGMT]] MDSSecurityGroup: @@ -463,7 +463,7 @@ Resources: Type: AWS::CloudFormation::Stack Condition: CreateRole Properties: - TemplateURL: __URL__/iam/cme-iam-role.yaml + TemplateURL: https://cgi-cfts.s3.amazonaws.com/iam/cme-iam-role.yaml Parameters: Permissions: !Ref MDSPermissions STSRoles: !Join [',', !Ref MDSSTSRoles] 
@@ -526,5 +526,5 @@ Resources: - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref MDSPasswordHash, ')"']] - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref MDSMaintenancePasswordHash, ')"']] - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref MDSVersion]]}] - - ' python3 /etc/cloud_config.py sicKey=\"${sic}\" installationType=\"mds\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"mds\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" primary=\"${primary}\" secondary=\"${secondary}\" adminSubnet=\"${admin_subnet}\" bootstrapScript64=\"${bootstrap}\"' + - ' python3 /etc/cloud_config.py sicKey=\"${sic}\" installationType=\"mds\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"mds\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" primary=\"${primary}\" secondary=\"${secondary}\" adminSubnet=\"${admin_subnet}\" bootstrapScript64=\"${bootstrap}\"' VersionDescription: Initial template version \ No newline at end of file diff --git a/aws/templates/single-gw/gateway-master.yaml b/aws/templates/single-gw/gateway-master.yaml index c7c1d195..20c82362 100644 --- a/aws/templates/single-gw/gateway-master.yaml +++ b/aws/templates/single-gw/gateway-master.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploys a Check Point Security Gateway into a new VPC (__VERSION__) +Description: Deploys a Check Point Security Gateway into a new VPC (20240204) Metadata: AWS::CloudFormation::Interface: ParameterGroups: 
@@ -350,7 +350,7 @@ Parameters: Type: String Default: '' GatewayHostname: - Description: The name must not contain reserved words. For details, refer to sk40179. (optional) + Description: The name must not contain reserved words. For details, refer to sk40179 (optional). Type: String Default: '' AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$' @@ -408,7 +408,7 @@ Resources: VPCStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: __URL__/utils/vpc.yaml + TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml Parameters: AvailabilityZones: !Ref AvailabilityZone NumberOfAZs: 1 @@ -436,7 +436,7 @@ Resources: GatewayStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: __URL__/gateway/gateway.yaml + TemplateURL: https://cgi-cfts.s3.amazonaws.com/gateway/gateway.yaml Parameters: VPC: !GetAtt VPCStack.Outputs.VPCID PublicSubnet: !GetAtt VPCStack.Outputs.PublicSubnet1ID diff --git a/aws/templates/single-gw/gateway.yaml b/aws/templates/single-gw/gateway.yaml index 76c5cef6..645eab2f 100644 --- a/aws/templates/single-gw/gateway.yaml +++ b/aws/templates/single-gw/gateway.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploys a Check Point Security Gateway into an existing VPC (__VERSION__) +Description: Deploys a Check Point Security Gateway into an existing VPC (20240204) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -344,7 +344,7 @@ Parameters: Type: String Default: '' GatewayHostname: - Description: The name must not contain reserved words. For details, refer to sk40179. (optional) + Description: The name must not contain reserved words. For details, refer to sk40179 (optional). Type: String Default: '' AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$' 
@@ -437,14 +437,14 @@ Resources: Condition: EnableCloudWatch Type: AWS::CloudFormation::Stack Properties: - TemplateURL: __URL__/iam/cloudwatch-policy.yaml + TemplateURL: https://cgi-cfts.s3.amazonaws.com/iam/cloudwatch-policy.yaml Parameters: PolicyName: !If [ ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName' ] PolicyRole: !Ref GatewayIAMRole AMI: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: __URL__/utils/amis.yaml + TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/amis.yaml Parameters: Version: !Join ['-', [!Ref GatewayVersion,GW]] ExternalNetworkInterface: 
@@ -559,7 +559,7 @@ Resources: - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] - - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${token}\"" installationType=\"gateway\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"gateway\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" allocatePublicAddress=\"${eip}\" bootstrapScript64=\"${bootstrap}\"' + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${token}\"" installationType=\"gateway\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"gateway\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" allocatePublicAddress=\"${eip}\" bootstrapScript64=\"${bootstrap}\"' VersionDescription: Initial template version PublicAddress: Type: AWS::EC2::EIP diff --git a/aws/templates/standalone/standalone-master.yaml b/aws/templates/standalone/standalone-master.yaml index 42832747..6c9847cc 100644 --- a/aws/templates/standalone/standalone-master.yaml +++ b/aws/templates/standalone/standalone-master.yaml 
@@ -1,6 +1,6 @@ AWSTemplateFormatVersion: 2010-09-09 Description: Deploys either a manually configurable or a Check Point CloudGuard IaaS - Security Gateway & Management (Standalone) instance in a new VPC (__VERSION__) + Security Gateway & Management (Standalone) instance in a new VPC (20240204) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -323,7 +323,7 @@ Parameters: Type: String Default: '' StandaloneHostname: - Description: (optional) + Description: The name must not contain reserved words. For details, refer to sk40179 (optional). Type: String Default: '' AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$' @@ -374,7 +374,7 @@ Resources: VPCStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: __URL__/utils/vpc.yaml + TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml Parameters: AvailabilityZones: !Ref AvailabilityZone NumberOfAZs: 1 @@ -401,7 +401,7 @@ Resources: StandaloneStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: __URL__/gateway/standalone.yaml + TemplateURL: https://cgi-cfts.s3.amazonaws.com/gateway/standalone.yaml Parameters: VPC: !GetAtt VPCStack.Outputs.VPCID PublicSubnet: !GetAtt VPCStack.Outputs.PublicSubnet1ID diff --git a/aws/templates/standalone/standalone.yaml b/aws/templates/standalone/standalone.yaml index cc565f6c..a73e2d34 100644 --- a/aws/templates/standalone/standalone.yaml +++ b/aws/templates/standalone/standalone.yaml @@ -1,6 +1,6 @@ AWSTemplateFormatVersion: 2010-09-09 Description: Deploys either a manually configurable or a Check Point CloudGuard IaaS - Security Gateway & Management (Standalone) instance into an existing VPC (__VERSION__) + Security Gateway & Management (Standalone) instance into an existing VPC (20240204) Metadata: AWS::CloudFormation::Interface: ParameterGroups: 
@@ -316,7 +316,7 @@ Parameters: Type: String Default: '' StandaloneHostname: - Description: (optional) + Description: The name must not contain reserved words. For details, refer to sk40179 (optional). Type: String Default: '' AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$' @@ -402,14 +402,14 @@ Resources: Condition: EnableCloudWatch Type: AWS::CloudFormation::Stack Properties: - TemplateURL: __URL__/iam/cloudwatch-policy.yaml + TemplateURL: https://cgi-cfts.s3.amazonaws.com/iam/cloudwatch-policy.yaml Parameters: PolicyName: !If [ ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName' ] PolicyRole: !Ref StandaloneIAMRole AMI: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: __URL__/utils/amis.yaml + TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/amis.yaml Parameters: Version: !If [IsBYOL, !Join ['-', [!Ref StandaloneVersion,MGMT]], !Ref StandaloneVersion] ExternalNetworkInterface: 
@@ -510,7 +510,7 @@ Resources: - !Join [ '', [ ' pwd_hash="$(echo ', 'Fn::Base64': !Ref StandalonePasswordHash, ')"' ] ] - !Join [ '', [ ' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref StandaloneMaintenancePasswordHash, ')"' ] ] - !Sub [ ' version=${Version}', { Version: !Select [ 0, !Split [ '-', !Ref StandaloneVersion ] ] } ] - - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" installationType=\"standalone\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"standalone\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" adminSubnet=\"${admin_subnet}\" allocatePublicAddress=\"${eip}\" bootstrapScript64=\"${bootstrap}\"' + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" installationType=\"standalone\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"standalone\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" adminSubnet=\"${admin_subnet}\" allocatePublicAddress=\"${eip}\" bootstrapScript64=\"${bootstrap}\"' VersionDescription: Initial template version PublicAddress: Type: AWS::EC2::EIP diff --git a/aws/templates/tgw-asg/tgw-asg-master.yaml b/aws/templates/tgw-asg/tgw-asg-master.yaml index bd72aa0e..4ddf23df 100644 --- a/aws/templates/tgw-asg/tgw-asg-master.yaml +++ b/aws/templates/tgw-asg/tgw-asg-master.yaml 
@@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy an Auto Scaling Group of CloudGuard Security Gateways for Transit Gateway with an optional Management Server in a new VPC (__VERSION__) +Description: Deploy an Auto Scaling Group of CloudGuard Security Gateways for Transit Gateway with an optional Management Server in a new VPC (20240204) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -612,7 +612,7 @@ Resources: VPCStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: __URL__/utils/vpc.yaml + TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml Parameters: AvailabilityZones: !Join [',', !Ref AvailabilityZones] NumberOfAZs: !Ref NumberOfAZs @@ -625,7 +625,7 @@ Resources: MainStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: __URL__/autoscale/tgw-asg.yaml + TemplateURL: https://cgi-cfts.s3.amazonaws.com/autoscale/tgw-asg.yaml Parameters: VPC: !GetAtt VPCStack.Outputs.VPCID GatewaysSubnets: !Join @@ -683,7 +683,7 @@ Outputs: Condition: DeployManagement Rules: GatewayAddressRule: - RuleCondition: !Equals [!Ref ManagementDeploy, 'true'] - Assertions: + RuleCondition: !Equals [!Ref ManagementDeploy, 'true'] + Assertions: - AssertDescription: "Gateway's netowrk to communicate with the Security Management Server must be provided" Assert: !Not [ !Equals [!Ref GatewaysAddresses, '']] diff --git a/aws/templates/tgw-asg/tgw-asg.yaml b/aws/templates/tgw-asg/tgw-asg.yaml index 096570d1..e1a5633f 100644 --- a/aws/templates/tgw-asg/tgw-asg.yaml +++ b/aws/templates/tgw-asg/tgw-asg.yaml 
@@ -1,5 +1,5 @@ AWSTemplateFormatVersion: '2010-09-09' -Description: Deploy an Auto Scaling Group of CloudGuard Security Gateways for Transit Gateway with an optional Management Server into an existing VPC (__VERSION__) +Description: Deploy an Auto Scaling Group of CloudGuard Security Gateways for Transit Gateway with an optional Management Server into an existing VPC (20240204) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -566,7 +566,7 @@ Resources: Type: AWS::CloudFormation::Stack Condition: DeployManagement Properties: - TemplateURL: __URL__/management/management.yaml + TemplateURL: https://cgi-cfts.s3.amazonaws.com/management/management.yaml Parameters: VPC: !Ref VPC ManagementSubnet: !Select [0, !Ref GatewaysSubnets] @@ -620,7 +620,7 @@ Resources: SecurityGatewaysStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: __URL__/autoscale/autoscale.yaml + TemplateURL: https://cgi-cfts.s3.amazonaws.com/autoscale/autoscale.yaml Parameters: VPC: !Ref VPC GatewaysSubnets: !Join [',', !Ref GatewaysSubnets] @@ -675,7 +675,7 @@ Outputs: Condition: DeployManagement Rules: GatewayAddressRule: - RuleCondition: !Equals [!Ref ManagementDeploy, 'true'] - Assertions: + RuleCondition: !Equals [!Ref ManagementDeploy, 'true'] + Assertions: - AssertDescription: "Gateway's netowrk to communicate with the Security Management Server must be provided" Assert: !Not [ !Equals [!Ref GatewaysAddresses, '']] diff --git a/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster-master.yaml b/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster-master.yaml index 4c03ed53..4ab74737 100644 --- a/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster-master.yaml +++ b/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster-master.yaml 
@@ -1,5 +1,5 @@
 AWSTemplateFormatVersion: 2010-09-09
-Description: Deploy a Check Point TGW Cross Availabilty Zone Cluster in a new VPC (__VERSION__)
+Description: Deploy a Check Point TGW Cross Availabilty Zone Cluster in a new VPC (20240204)
 Metadata:
 AWS::CloudFormation::Interface:
 ParameterGroups:
@@ -427,7 +427,7 @@ Resources:
 VPCStack:
 Type: AWS::CloudFormation::Stack
 Properties:
- TemplateURL: __URL__/utils/vpc.yaml
+ TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml
 Parameters:
 AvailabilityZones: !Join [',', !Ref AvailabilityZones]
 NumberOfAZs: 2
@@ -451,7 +451,7 @@ Resources:
 Type: AWS::CloudFormation::Stack
 DependsOn: VPCStack
 Properties:
- TemplateURL: __URL__/cluster/tgw-cross-az-cluster.yaml
+ TemplateURL: https://cgi-cfts.s3.amazonaws.com/cluster/tgw-cross-az-cluster.yaml
 Parameters:
 VPC: !GetAtt VPCStack.Outputs.VPCID
 PublicSubnetA: !GetAtt VPCStack.Outputs.PublicSubnet1ID
@@ -518,12 +518,12 @@ Rules:
 MemberATokenNotProvided:
 RuleCondition: !Equals [!Ref MemberAToken, '']
 Assertions:
- - AssertDescription: "Smart-1 Cloud Token for member A can not be empty"
+ - AssertDescription: "Smart-1 Cloud Token for member A can not be empty."
 Assert: !Equals [!Ref MemberBToken, '']
 MemberBTokenNotProvided:
 RuleCondition: !Equals [ !Ref MemberBToken, '' ]
 Assertions:
- - AssertDescription: "Smart-1 Cloud Token for member B can not be empty"
+ - AssertDescription: "Smart-1 Cloud Token for member B can not be empty."
 Assert: !Equals [ !Ref MemberAToken, '' ]
 MembersTokenValueEquals:
 RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ]
diff --git a/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster.yaml b/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster.yaml
index 92cce90f..63062132 100644
--- a/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster.yaml
+++ b/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster.yaml
@@ -1,7 +1,5 @@
 AWSTemplateFormatVersion: 2010-09-09
-Description: Deploys a Check Point TGW Cross Availabilty Zone Cluster into an
- existing VPC
- (__VERSION__)
+Description: Deploys a Check Point TGW Cross Availabilty Zone Cluster into an existing VPC (20240204)
 Metadata:
 AWS::CloudFormation::Interface:
 ParameterGroups:
@@ -425,7 +423,7 @@ Resources:
 ClusterStack:
 Type: AWS::CloudFormation::Stack
 Properties:
- TemplateURL: __URL__/cluster/cross-az-cluster.yaml
+ TemplateURL: https://cgi-cfts.s3.amazonaws.com/cluster/cross-az-cluster.yaml
 Parameters:
 VPC: !Ref VPC
 PublicSubnetA: !Ref PublicSubnetA
@@ -516,12 +514,12 @@ Rules:
 MemberATokenNotProvided:
 RuleCondition: !Equals [!Ref MemberAToken, '']
 Assertions:
- - AssertDescription: "Smart-1 Cloud Token for member A can not be empty"
+ - AssertDescription: "Smart-1 Cloud Token for member A can not be empty."
 Assert: !Equals [!Ref MemberBToken, '']
 MemberBTokenNotProvided:
 RuleCondition: !Equals [ !Ref MemberBToken, '' ]
 Assertions:
- - AssertDescription: "Smart-1 Cloud Token for member B can not be empty"
+ - AssertDescription: "Smart-1 Cloud Token for member B can not be empty."
 Assert: !Equals [ !Ref MemberAToken, '' ]
 MembersTokenValueEquals:
 RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ]
diff --git a/aws/templates/tgw-ha/tgw-ha-master.yaml b/aws/templates/tgw-ha/tgw-ha-master.yaml
index dcb860be..503a1b23 100644
--- a/aws/templates/tgw-ha/tgw-ha-master.yaml
+++ b/aws/templates/tgw-ha/tgw-ha-master.yaml
@@ -1,5 +1,5 @@
 AWSTemplateFormatVersion: 2010-09-09
-Description: Deploy a Check Point TGW HA cross AZ Cluster in a new VPC (__VERSION__)
+Description: Deploy a Check Point TGW HA cross AZ Cluster in a new VPC (20240204)
 Metadata:
 AWS::CloudFormation::Interface:
 ParameterGroups:
@@ -428,7 +428,7 @@ Resources:
 VPCStack:
 Type: AWS::CloudFormation::Stack
 Properties:
- TemplateURL: __URL__/utils/vpc.yaml
+ TemplateURL: https://cgi-cfts.s3.amazonaws.com/utils/vpc.yaml
 Parameters:
 AvailabilityZones: !Join [',', !Ref AvailabilityZones]
 NumberOfAZs: 2
@@ -451,7 +451,7 @@ Resources:
 ClusterStack:
 Type: AWS::CloudFormation::Stack
 Properties:
- TemplateURL: __URL__/cluster/tgw-ha.yaml
+ TemplateURL: https://cgi-cfts.s3.amazonaws.com/cluster/tgw-ha.yaml
 Parameters:
 VPC: !GetAtt VPCStack.Outputs.VPCID
 PublicSubnetA: !GetAtt VPCStack.Outputs.PublicSubnet1ID
@@ -515,12 +515,12 @@ Rules:
 MemberATokenNotProvided:
 RuleCondition: !Equals [!Ref MemberAToken, '']
 Assertions:
- - AssertDescription: "Smart-1 Cloud Token for member A can not be empty"
+ - AssertDescription: "Smart-1 Cloud Token for member A can not be empty."
 Assert: !Equals [!Ref MemberBToken, '']
 MemberBTokenNotProvided:
 RuleCondition: !Equals [ !Ref MemberBToken, '' ]
 Assertions:
- - AssertDescription: "Smart-1 Cloud Token for member B can not be empty"
+ - AssertDescription: "Smart-1 Cloud Token for member B can not be empty."
 Assert: !Equals [ !Ref MemberAToken, '' ]
 MembersTokenValueEquals:
 RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ]
diff --git a/aws/templates/tgw-ha/tgw-ha.yaml b/aws/templates/tgw-ha/tgw-ha.yaml
index d05a2e2b..9a20ff99 100644
--- a/aws/templates/tgw-ha/tgw-ha.yaml
+++ b/aws/templates/tgw-ha/tgw-ha.yaml
@@ -1,5 +1,5 @@
 AWSTemplateFormatVersion: 2010-09-09
-Description: Deploys a Check Point TGW HA Cluster into an existing VPC (__VERSION__)
+Description: Deploys a Check Point TGW HA Cluster into an existing VPC (20240204)
 Metadata:
 AWS::CloudFormation::Interface:
 ParameterGroups:
@@ -423,7 +423,7 @@ Resources: ClusterStack: Type: AWS::CloudFormation::Stack Properties: - TemplateURL: __URL__/cluster/geo-cluster.yaml + TemplateURL: https://cgi-cfts.s3.amazonaws.com/cluster/geo-cluster.yaml Parameters: VPC: !Ref VPC PublicSubnetA: !Ref PublicSubnetA @@ -511,12 +511,12 @@ Rules: MemberATokenNotProvided: RuleCondition: !Equals [!Ref MemberAToken, ''] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member A can not be empty" + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty." Assert: !Equals [!Ref MemberBToken, ''] MemberBTokenNotProvided: RuleCondition: !Equals [ !Ref MemberBToken, '' ] Assertions: - - AssertDescription: "Smart-1 Cloud Token for member B can not be empty" + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty." Assert: !Equals [ !Ref MemberAToken, '' ] MembersTokenValueEquals: RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ] diff --git a/terraform/alicloud/cluster-master/README.md b/terraform/alicloud/cluster-master/README.md index 010a8a35..06b5ddf1 100755 --- a/terraform/alicloud/cluster-master/README.md +++ b/terraform/alicloud/cluster-master/README.md @@ -162,7 +162,7 @@ ram_role_name = "" | Template Version | Description | |------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 20240704 | R81 version deprecation | -| 20230829 | Change default Check Point version to R81.20 | +| 20230830 | Change default Check Point version to R81.20 | | 20230615 | - Improved userdata quality and stability by moving to cloud-config
- Define default primary and secondary NTP servers
- Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | | 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | | 20230420 | Change alicloud terraform provider version to 1.203.0 | diff --git a/terraform/alicloud/cluster/README.md b/terraform/alicloud/cluster/README.md index 0df21dbd..d057f8a0 100755 --- a/terraform/alicloud/cluster/README.md +++ b/terraform/alicloud/cluster/README.md @@ -146,7 +146,7 @@ ram_role_name = "" | Template Version | Description | |------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 20240704 | R81 version deprecation | -| 20230829 | Change default version to R81.20 | +| 20230830 | Change default Check Point version to R81.20 | | 20230615 | - Improved userdata quality and stability by moving to cloud-config
- Define default primary and secondary NTP servers
- Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | | 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | | 20230420 | Change alicloud terraform provider version to 1.203.0 | diff --git a/terraform/alicloud/gateway-master/README.md b/terraform/alicloud/gateway-master/README.md index a90166fb..501fadc7 100755 --- a/terraform/alicloud/gateway-master/README.md +++ b/terraform/alicloud/gateway-master/README.md @@ -143,7 +143,7 @@ allocate_and_associate_eip = true | Template Version | Description | |------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 20240704 | R81 version deprecation | -| 20230829 | Change default Check Point version to R81.20 | +| 20230830 | Change default Check Point version to R81.20 | | 20230615 | - Improved userdata quality and stability by moving to cloud-config
- Define default primary and secondary NTP servers
- Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | | 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | | 20230420 | Change alicloud terraform provider version to 1.203.0 | diff --git a/terraform/alicloud/gateway/README.md b/terraform/alicloud/gateway/README.md index 32ba9dfc..737799cd 100755 --- a/terraform/alicloud/gateway/README.md +++ b/terraform/alicloud/gateway/README.md @@ -129,7 +129,7 @@ private_route_table = "rtb-12345678" | Template Version | Description | |------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 20240704 | R81 version deprecation | -| 20230829 | Change default Check Point version to R81.20 | +| 20230830 | Change default Check Point version to R81.20 | | 20230615 | - Improved userdata quality and stability by moving to cloud-config
- Define default primary and secondary NTP servers
- Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | | 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | | 20230420 | Change alicloud terraform provider version to 1.203.0 | diff --git a/terraform/alicloud/management-master/README.md b/terraform/alicloud/management-master/README.md index 8e7ea6c2..c3e4b81b 100755 --- a/terraform/alicloud/management-master/README.md +++ b/terraform/alicloud/management-master/README.md @@ -122,9 +122,10 @@ bootstrap_script = "echo 'this is bootstrap script' > /home/admin/testfile.txt" | Template Version | Description | |------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 20240704 | R81 version deprecation | -| 20230829 | Change default Check Point version to R81.20 | +| 20230830 | Change default Check Point version to R81.20 | | 20230615 | - Improved userdata quality and stability by moving to cloud-config
- Define default primary and secondary NTP servers
- Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | | 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230512 | New images with Jumbo Hotfix | | 20230420 | Change alicloud terraform provider version to 1.203.0 | | 20230330 | - Added support of ECS disk category.
- Stability fixes. | | 20230129 | First release of R81.20 CloudGuard Management Terraform deployment in Alibaba Cloud. | diff --git a/terraform/alicloud/management/README.md b/terraform/alicloud/management/README.md index 0c07c661..6a0077ec 100755 --- a/terraform/alicloud/management/README.md +++ b/terraform/alicloud/management/README.md @@ -115,12 +115,13 @@ bootstrap_script = "echo 'this is bootstrap script' > /home/admin/testfile.txt" | Template Version | Description | |------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 20240704 | R81 version deprecation | -| 20230829 | Change default Check Point version to R81.20 | +| 20230830 | Change default Check Point version to R81.20 | | 20230615 | - Improved userdata quality and stability by moving to cloud-config
- Define default primary and secondary NTP servers
- Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | | 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20230512 | New images with Jumbo Hotfix | | 20230420 | Change alicloud terraform provider version to 1.203.0 | | 20230330 | - Added support of ECS disk category.
- Stability fixes. | -| 20230129 | First release of R81.20 CloudGuard Management Terraform deployment in Alibaba Cloud. | | | | +| 20230129 | First release of R81.20 CloudGuard Management Terraform deployment in Alibaba Cloud. | | 20211011 | First release of Check Point CloudGaurd Management Terraform deployment into an existing VPC in Alibaba cloud. | ## License diff --git a/terraform/aws/autoscale-gwlb/README.md b/terraform/aws/autoscale-gwlb/README.md index 1ca4b595..b6c58219 100755 --- a/terraform/aws/autoscale-gwlb/README.md +++ b/terraform/aws/autoscale-gwlb/README.md 
@@ -117,7 +117,7 @@ secret_key = "my-secret-key" ## Inputs | Name | Description | Type | Allowed values | Default | Required | -|----------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------|------------------| +|----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------|----------| | prefix | (Optional) Instances name prefix | string | n/a | "" | no | | asg_name | Autoscaling Group name | string | n/a | Check-Point-ASG-tf | no | | vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | diff --git a/terraform/aws/autoscale/README.md b/terraform/aws/autoscale/README.md index 38d4d034..a46954ae 100755 --- a/terraform/aws/autoscale/README.md +++ b/terraform/aws/autoscale/README.md 
@@ -126,7 +126,7 @@ secret_key = "my-secret-key" ## Inputs | Name | Description | Type | Allowed values | Default | Required | -|----------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------|----------| +|----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------|----------| | prefix | (Optional) Instances name prefix | string | n/a | "" | no | | asg_name | Autoscaling Group name | string | n/a | Check-Point-ASG-tf | no | | vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | diff --git a/terraform/aws/cluster/README.md b/terraform/aws/cluster/README.md index ecb44584..e1b48f4f 100755 --- a/terraform/aws/cluster/README.md +++ b/terraform/aws/cluster/README.md 
@@ -133,7 +133,7 @@ secret_key = "my-secret-key" ## Inputs | Name | Description | Type | Allowed values | Default | Required | -|----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|-----------| +|----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| | vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | | public_subnet_id | The public subnet of the cluster. The cluster's public IPs will be generated from this subnet | string | n/a | n/a | yes | | private_subnet_id | The private subnet of the cluster. The cluster's private IPs will be generated from this subnet | string | n/a | n/a | yes | diff --git a/terraform/aws/gateway/README.md b/terraform/aws/gateway/README.md index fefc7512..52c8ff8a 100755 --- a/terraform/aws/gateway/README.md +++ b/terraform/aws/gateway/README.md 
@@ -124,7 +124,7 @@ secret_key = "my-secret-key" ## Inputs | Name | Description | Type | Allowed values | Default | Required | -|------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| +|------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------|----------| | vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | | public_subnet_id | The public subnet of the security gateway | string | n/a | n/a | yes | | private_subnet_id | The private subnet of the security gateway | string | n/a | n/a | yes | diff --git a/terraform/aws/gwlb-master/README.md b/terraform/aws/gwlb-master/README.md index c84a3ee7..2adb1f59 100755 --- a/terraform/aws/gwlb-master/README.md +++ b/terraform/aws/gwlb-master/README.md 
@@ -158,7 +158,7 @@ secret_key = "my-secret-key" ## Inputs | Name | Description | Type | Allowed values | Default | Required | -|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|----------| +|-------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|----------| | vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | | public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | | subnets_bit_length | Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20 | number | n/a | n/a | yes | 
@@ -199,6 +199,7 @@ secret_key = "my-secret-key" | gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | | management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | + ## Outputs | Name | Description | |---------------------|---------------------------------------------------------------------------------------| diff --git a/terraform/aws/qs-autoscale-master/README.md b/terraform/aws/qs-autoscale-master/README.md index 6d140f0f..0c998024 100755 --- a/terraform/aws/qs-autoscale-master/README.md +++ b/terraform/aws/qs-autoscale-master/README.md 
@@ -167,6 +167,7 @@ secret_key = "my-secret-key" ``` ## Inputs + | Name | Description | Type | Allowed values | Default | Required | |-------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|----------| | prefix | (Optional) Instances name prefix | string | n/a | "" | no | diff --git a/terraform/aws/qs-autoscale/README.md b/terraform/aws/qs-autoscale/README.md index 68244779..ee559913 100755 --- a/terraform/aws/qs-autoscale/README.md +++ b/terraform/aws/qs-autoscale/README.md 
@@ -154,8 +154,9 @@ secret_key = "my-secret-key" ``` ## Inputs + | Name | Description | Type | Allowed values | Default | Required | -|-------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|----------| +|-------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|----------| | prefix | (Optional) Instances name prefix | string | n/a | "" | no | | asg_name | Autoscaling Group name | string | n/a | Check-Point-ASG-tf | no | | vpc_id | Select an existing VPC | string | n/a | n/a | yes | 
@@ -194,6 +195,7 @@ secret_key = "my-secret-key" | gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | | management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | + ## Outputs | Name | Description | |----------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| diff --git a/terraform/aws/standalone-master/locals.tf b/terraform/aws/standalone-master/locals.tf index 61326301..e2e6ab47 100755 --- a/terraform/aws/standalone-master/locals.tf +++ b/terraform/aws/standalone-master/locals.tf @@ -32,5 +32,4 @@ locals { // Will fail if var.standalone_password_hash is invalid regex_standalone_password_hash = regex(local.regex_valid_standalone_password_hash, var.standalone_password_hash) == var.standalone_password_hash ? 0 : "Variable [standalone_password_hash] must be a valid password hash" regex_maintenance_mode_password_hash = regex(local.regex_valid_standalone_password_hash, var.standalone_maintenance_mode_password_hash) == var.standalone_maintenance_mode_password_hash ? 0 : "Variable [standalone_maintenance_mode_password_hash] must be a valid password hash" - } \ No newline at end of file 
diff --git a/terraform/aws/standalone/README.md b/terraform/aws/standalone/README.md index e16f1fe8..1614c44d 100755 --- a/terraform/aws/standalone/README.md +++ b/terraform/aws/standalone/README.md 
@@ -114,7 +114,7 @@ secret_key = "my-secret-key" ## Inputs | Name | Description | Type | Allowed values | Default | Required | -|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------|----------| +|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------|----------| | vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | | public_subnet_id | The public subnet of the Security Gateway & Management (Standalone) | string | n/a | n/a | yes | | private_subnet_id | The private subnet of the Security Gateway & Management (Standalone) | string | n/a | n/a | yes | 
@@ -143,6 +143,7 @@ secret_key = "my-secret-key" | gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | n/a | 0.0.0.0/0 | no | | standalone_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | + ## Outputs | Name | Description | |--------------------------|------------------------------------------------------------------------------| @@ -154,20 +155,9 @@ secret_key = "my-secret-key" ## Revision History In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + | Template Version | Description | -|------------------|------------------------------------------------------------------------------------------------------------------| -| 20240704 | - R80.40 version deprecation.
- R81 version deprecation. | -| 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | -| 20231113 | Add support for BYOL license type for Standalone | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | -| 20230923 | Add support for C5d instance type | -| 20230914 | Add support for maintenance mode password | -| 20230829 | Change default Check Point version to R81.20 | -| 20230806 | Add support for c6in instance type | -| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | -| 20221123 | R81.20 version support | -| 20220606 | New instance type support | -| 20210329 | Stability fixes | +|--------------------|------------------------------------------------------------------------------------------------------------------| | 20210309 | First release of Check Point Security Management Server & Security Gateway (Standalone) Terraform module for AWS | ## License diff --git a/terraform/aws/tgw-cross-az-cluster-master/README.md b/terraform/aws/tgw-cross-az-cluster-master/README.md index 3a821c9c..6f488b2d 100755 --- a/terraform/aws/tgw-cross-az-cluster-master/README.md +++ b/terraform/aws/tgw-cross-az-cluster-master/README.md 
@@ -140,7 +140,7 @@ secret_key = "my-secret-key" ## Inputs | Name | Description | Type | Allowed values | Default | Required | -|----------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| +|----------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------|----------| | vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | | public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1 \"us-east-1b\" = 2} ) | map | n/a | n/a | yes | | private_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 3 \"us-east-1b\" = 4} ) | map | n/a | n/a | yes | 
@@ -173,6 +173,7 @@ secret_key = "my-secret-key" | secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | | gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | + ## Outputs | Name | Description | |--------------------|-----------------------------------| diff --git a/terraform/aws/tgw-cross-az-cluster/README.md b/terraform/aws/tgw-cross-az-cluster/README.md index a8fd8013..de08521c 100755 --- a/terraform/aws/tgw-cross-az-cluster/README.md +++ b/terraform/aws/tgw-cross-az-cluster/README.md 
@@ -135,7 +135,7 @@ secret_key = "my-secret-key" ## Inputs | Name | Description | Type | Allowed values | Default | Required | -|----------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| +|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| | vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | | public_subnet_id | The public subnet of the cluster. The cluster's public IPs will be generated from this subnet | string | n/a | n/a | yes | | private_subnet_id | The private subnet of the cluster. The cluster's private IPs will be generated from this subnet | string | n/a | n/a | yes | 
@@ -168,6 +168,8 @@ secret_key = "my-secret-key" | primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | | secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | | gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | + ## Outputs | Name | Description | diff --git a/terraform/aws/tgw-gwlb-master/README.md b/terraform/aws/tgw-gwlb-master/README.md index a28b180a..28d62d04 100755 --- a/terraform/aws/tgw-gwlb-master/README.md +++ b/terraform/aws/tgw-gwlb-master/README.md 
@@ -176,7 +176,7 @@ secret_key = "my-secret-key" ## Inputs | Name | Description | Type | Allowed values | Default | Required | -|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|----------| +|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|-----------| | vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | | subnets_bit_length | Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20 | number | n/a | n/a | yes | | public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | 
@@ -228,6 +228,7 @@ secret_key = "my-secret-key" | gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | | management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | + ## Outputs | Name | Description | |---------------------|---------------------------------------------------------------------------------------| diff --git a/terraform/aws/tgw-gwlb/README.md b/terraform/aws/tgw-gwlb/README.md index 5daec1a3..d85546e3 100755 --- a/terraform/aws/tgw-gwlb/README.md +++ b/terraform/aws/tgw-gwlb/README.md 
@@ -172,7 +172,7 @@ secret_key = "my-secret-key" ## Inputs | Name | Description | Type | Allowed values | Default | Required | -|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|----------| +|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| | vpc_id | Select an existing VPC | string | n/a | n/a | yes | | internet_gateway_id | VPC's Internet Gateway Id | string | n/a | n/a | yes | | availability_zones | The Availability Zones (AZs) to use for the subnets in the VPC. | string | n/a | n/a | yes | 
@@ -227,6 +227,7 @@ secret_key = "my-secret-key" | gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | | management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | + ## Outputs | Name | Description | |---------------------|---------------------------------------------------------------------------------------| From f68f4556b1e7d0d1edc376d31565b3d9148b8dba Mon Sep 17 00:00:00 2001 From: natanelm Date: Sun, 6 Oct 2024 13:52:06 +0000 Subject: [PATCH 07/12] Cosmetic update for Azure README --- azure/templates/README.MD | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/azure/templates/README.MD b/azure/templates/README.MD index 522ac7cb..e5ef10fb 100644 --- a/azure/templates/README.MD +++ b/azure/templates/README.MD @@ -66,4 +66,4 @@ To deploy a specific Azure image, adjust the image version during the manual dep template_name: management template_version: 20231002 template_type: marketplace - \ No newline at end of file + From f5f5b4d2278fcb2e22409d91d6fd28ec2eb87d77 Mon Sep 17 00:00:00 2001 From: natanelm Date: Sun, 6 Oct 2024 14:53:58 +0000 Subject: [PATCH 08/12] Cosmetic update for Azure README --- azure/templates/README.MD | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/azure/templates/README.MD b/azure/templates/README.MD index e5ef10fb..522ac7cb 100644 --- a/azure/templates/README.MD 
+++ b/azure/templates/README.MD @@ -66,4 +66,4 @@ To deploy a specific Azure image, adjust the image version during the manual dep template_name: management template_version: 20231002 template_type: marketplace - + \ No newline at end of file From 2844646faf278cccc4f6e22009e7c512cf936bdb Mon Sep 17 00:00:00 2001 From: eddiek Date: Tue, 15 Oct 2024 18:35:36 +0000 Subject: [PATCH 09/12] Move code analysis to internal scanners --- .github/workflows/code-analysis.yaml | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/.github/workflows/code-analysis.yaml b/.github/workflows/code-analysis.yaml index 527a9415..e69de29b 100644 --- a/.github/workflows/code-analysis.yaml +++ b/.github/workflows/code-analysis.yaml @@ -1,10 +0,0 @@ -name: Secure Code Analysis - -on: - - push - - pull_request - -jobs: - code-analysis: - uses: CheckPointSW/secure-code-workflow/.github/workflows/code-analysis.yml@latest - secrets: inherit From a858ae8d990b41c5ad0ed1f32c74f4f27b46da30 Mon Sep 17 00:00:00 2001 
From: almogar Date: Mon, 28 Oct 2024 13:53:33 +0000 Subject: [PATCH 10/12] add r82 version to templates --- aws/templates/asg/autoscale.yaml | 5 +- aws/templates/cluster/cluster-master.yaml | 5 +- aws/templates/cluster/cluster.yaml | 5 +- .../cross-az-cluster-master.yaml | 5 +- .../cross-az-cluster/cross-az-cluster.yaml | 5 +- .../geo-cluster/geo-cluster-master.yaml | 5 +- aws/templates/geo-cluster/geo-cluster.yaml | 5 +- aws/templates/gwlb-asg/gwlb-master.yaml | 7 +- aws/templates/gwlb-asg/gwlb.yaml | 7 +- aws/templates/gwlb-asg/qs-gwlb-master.yaml | 7 +- aws/templates/gwlb-asg/qs-gwlb.yaml | 7 +- aws/templates/gwlb-asg/tgw-gwlb-master.yaml | 7 +- aws/templates/gwlb-asg/tgw-gwlb.yaml | 7 +- aws/templates/management/management.yaml | 4 +- aws/templates/mds/mds.yaml | 3 +- aws/templates/single-gw/gateway.yaml | 5 +- .../standalone/standalone-master.yaml | 4 +- aws/templates/standalone/standalone.yaml | 4 +- aws/templates/tgw-asg/tgw-asg-master.yaml | 7 +- aws/templates/tgw-asg/tgw-asg.yaml | 7 +- .../tgw-cross-az-cluster-master.yaml | 5 +- .../tgw-cross-az-cluster.yaml | 5 +- aws/templates/tgw-ha/tgw-ha-master.yaml | 5 +- aws/templates/tgw-ha/tgw-ha.yaml | 5 +- terraform/aws/autoscale-gwlb/README.md | 61 +++++++------- .../aws/autoscale-gwlb/asg_userdata.yaml | 2 +- terraform/aws/autoscale/README.md | 5 +- terraform/aws/autoscale/asg_userdata.yaml | 2 +- terraform/aws/cluster-master/README.md | 3 +- terraform/aws/cluster/README.md | 5 +- .../cluster/cluster_member_a_userdata.yaml | 2 +- .../cluster/cluster_member_b_userdata.yaml | 2 +- .../aws/cross-az-cluster-master/README.md | 3 +- terraform/aws/cross-az-cluster/README.md | 3 +- .../cluster_member_a_userdata.yaml | 2 +- .../cluster_member_b_userdata.yaml | 2 +- terraform/aws/gateway-master/README.md | 3 +- terraform/aws/gateway/README.md | 5 +- terraform/aws/gwlb-master/README.md | 83 ++++++++++--------- terraform/aws/gwlb/README.md | 3 +- terraform/aws/management/README.md | 33 ++++---- 
.../aws/management/management_userdata.yaml | 2 +- terraform/aws/mds/README.md | 3 +- terraform/aws/mds/mds_userdata.yaml | 2 +- .../modules/common/version_license/main.tf | 27 ++++-- terraform/aws/qs-autoscale-master/README.md | 33 ++++---- terraform/aws/qs-autoscale/README.md | 7 +- terraform/aws/standalone-master/README.md | 3 +- terraform/aws/standalone/README.md | 7 +- .../aws/standalone/standalone_userdata.yaml | 2 +- terraform/aws/tgw-asg-master/README.md | 5 +- terraform/aws/tgw-asg/README.md | 47 ++++++----- .../aws/tgw-cross-az-cluster-master/README.md | 5 +- terraform/aws/tgw-cross-az-cluster/README.md | 71 ++++++++-------- terraform/aws/tgw-gwlb-master/README.md | 7 +- terraform/aws/tgw-gwlb/README.md | 7 +- 56 files changed, 347 insertions(+), 231 deletions(-)
diff --git a/aws/templates/asg/autoscale.yaml b/aws/templates/asg/autoscale.yaml
index 04a1adbb..87720f66 100644
--- a/aws/templates/asg/autoscale.yaml
+++ b/aws/templates/asg/autoscale.yaml
@@ -1,5 +1,5 @@
 AWSTemplateFormatVersion: 2010-09-09
-Description: Create an Auto Scaling group of Check Point gateways (20240417)
+Description: Create an Auto Scaling group of Check Point gateways (20241027)
 Metadata:
 AWS::CloudFormation::Interface:
 ParameterGroups:
@@ -303,6 +303,9 @@ Parameters:
 - R81.20-BYOL
 - R81.20-PAYG-NGTP
 - R81.20-PAYG-NGTX
+ - R82-BYOL
+ - R82-PAYG-NGTP
+ - R82-PAYG-NGTX
 Shell:
 Description: Change the admin shell to enable advanced command line configuration.
 Type: String
diff --git a/aws/templates/cluster/cluster-master.yaml b/aws/templates/cluster/cluster-master.yaml
index 87d54b56..61ba3b5c 100755
--- a/aws/templates/cluster/cluster-master.yaml
+++ b/aws/templates/cluster/cluster-master.yaml
@@ -1,5 +1,5 @@
 AWSTemplateFormatVersion: 2010-09-09
-Description: Deploy a Check Point Cluster in a new VPC (20240204)
+Description: Deploy a Check Point Cluster in a new VPC (20241027)
 Metadata:
 AWS::CloudFormation::Interface:
 ParameterGroups:
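Review bot: The three `R82-*` entries appended to the Version parameter's AllowedValues only extend parameter validation; nothing in this patch's diffstat touches whatever resolves a version string to an AMI on the CloudFormation side, so unless that mapping already carries R82 entries a stack created with `R82-BYOL`, `R82-PAYG-NGTP` or `R82-PAYG-NGTX` will pass validation and then fail at AMI lookup. The same hunk shape recurs in cluster-master.yaml, cluster.yaml, cross-az-cluster-master.yaml, cross-az-cluster.yaml and geo-cluster-master.yaml in this patch. It is worth confirming that R82 resolves for every region the templates target before the 20241027 Description stamps are published, because a later fix needs another round of every template. The enclosing Parameters block starts and ends outside these hunks.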
@@ -310,6 +310,9 @@ Parameters: - R81.20-BYOL - R81.20-PAYG-NGTP - R81.20-PAYG-NGTX + - R82-BYOL + - R82-PAYG-NGTP + - R82-PAYG-NGTX Shell: Description: Change the admin shell to enable advanced command line configuration. Type: String diff --git a/aws/templates/cluster/cluster.yaml b/aws/templates/cluster/cluster.yaml index 9bea983a..243234a7 100755 --- a/aws/templates/cluster/cluster.yaml +++ b/aws/templates/cluster/cluster.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploys a Check Point Cluster into an existing VPC (20240204) +Description: Deploys a Check Point Cluster into an existing VPC (20241027) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -305,6 +305,9 @@ Parameters: - R81.20-BYOL - R81.20-PAYG-NGTP - R81.20-PAYG-NGTX + - R82-BYOL + - R82-PAYG-NGTP + - R82-PAYG-NGTX Shell: Description: Change the admin shell to enable advanced command line configuration. Type: String diff --git a/aws/templates/cross-az-cluster/cross-az-cluster-master.yaml b/aws/templates/cross-az-cluster/cross-az-cluster-master.yaml index 9826d072..f53a0547 100644 --- a/aws/templates/cross-az-cluster/cross-az-cluster-master.yaml +++ b/aws/templates/cross-az-cluster/cross-az-cluster-master.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy a Check Point Cluster in a new VPC (20240204) +Description: Deploy a Check Point Cluster in a new VPC (20241027) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -315,6 +315,9 @@ Parameters: - R81.20-BYOL - R81.20-PAYG-NGTP - R81.20-PAYG-NGTX + - R82-BYOL + - R82-PAYG-NGTP + - R82-PAYG-NGTX Shell: Description: Change the admin shell to enable advanced command line configuration. Type: String diff --git a/aws/templates/cross-az-cluster/cross-az-cluster.yaml b/aws/templates/cross-az-cluster/cross-az-cluster.yaml index 3c5f6ad8..b616d331 100644 --- a/aws/templates/cross-az-cluster/cross-az-cluster.yaml +++ b/aws/templates/cross-az-cluster/cross-az-cluster.yaml 
@@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploys a Check Point Cluster into an existing VPC (20240204) +Description: Deploys a Check Point Cluster into an existing VPC (20241027) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -320,6 +320,9 @@ Parameters: - R81.20-BYOL - R81.20-PAYG-NGTP - R81.20-PAYG-NGTX + - R82-BYOL + - R82-PAYG-NGTP + - R82-PAYG-NGTX Shell: Description: Change the admin shell to enable advanced command line configuration. Type: String diff --git a/aws/templates/geo-cluster/geo-cluster-master.yaml b/aws/templates/geo-cluster/geo-cluster-master.yaml index b2d4e02f..61d20c0c 100644 --- a/aws/templates/geo-cluster/geo-cluster-master.yaml +++ b/aws/templates/geo-cluster/geo-cluster-master.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy a Check Point cross AZ Cluster in a new VPC (20240204) +Description: Deploy a Check Point cross AZ Cluster in a new VPC (20241027) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -327,6 +327,9 @@ Parameters: - R81.10-BYOL - R81.10-PAYG-NGTP - R81.10-PAYG-NGTX + - R82-BYOL + - R82-PAYG-NGTP + - R82-PAYG-NGTX Shell: Description: Change the admin shell to enable advanced command line configuration. Type: String diff --git a/aws/templates/geo-cluster/geo-cluster.yaml b/aws/templates/geo-cluster/geo-cluster.yaml index c358dfba..77ac4de2 100644 --- a/aws/templates/geo-cluster/geo-cluster.yaml +++ b/aws/templates/geo-cluster/geo-cluster.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploys a Check Point cross AZ Cluster into an existing VPC (20240204) +Description: Deploys a Check Point cross AZ Cluster into an existing VPC (20241027) Metadata: AWS::CloudFormation::Interface: ParameterGroups: 
@@ -321,6 +321,9 @@ Parameters: - R81.10-BYOL - R81.10-PAYG-NGTP - R81.10-PAYG-NGTX + - R82-BYOL + - R82-PAYG-NGTP + - R82-PAYG-NGTX Shell: Description: Change the admin shell to enable advanced command line configuration. Type: String diff --git a/aws/templates/gwlb-asg/gwlb-master.yaml b/aws/templates/gwlb-asg/gwlb-master.yaml index 0e4eb4c7..3dd36c24 100644 --- a/aws/templates/gwlb-asg/gwlb-master.yaml +++ b/aws/templates/gwlb-asg/gwlb-master.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, in a new VPC (20240204) +Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, in a new VPC (20241027) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -433,6 +433,9 @@ Parameters: - R81.20-BYOL - R81.20-PAYG-NGTP - R81.20-PAYG-NGTX + - R82-BYOL + - R82-PAYG-NGTP + - R82-PAYG-NGTX GatewayPasswordHash: Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) Type: String @@ -607,6 +610,8 @@ Parameters: - R81.10-PAYG - R81.20-BYOL - R81.20-PAYG + - R82-BYOL + - R82-PAYG ManagementPasswordHash: Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) Type: String diff --git a/aws/templates/gwlb-asg/gwlb.yaml b/aws/templates/gwlb-asg/gwlb.yaml index 50d8e335..bd6cdbbe 100644 --- a/aws/templates/gwlb-asg/gwlb.yaml +++ b/aws/templates/gwlb-asg/gwlb.yaml 
@@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, in a new VPC (20240204) +Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, in a new VPC (20241027) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -383,6 +383,9 @@ Parameters: - R81.20-BYOL - R81.20-PAYG-NGTP - R81.20-PAYG-NGTX + - R82-BYOL + - R82-PAYG-NGTP + - R82-PAYG-NGTX GatewayPasswordHash: Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) Type: String @@ -557,6 +560,8 @@ Parameters: - R81.10-PAYG - R81.20-BYOL - R81.20-PAYG + - R82-BYOL + - R82-PAYG ManagementPasswordHash: Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) Type: String diff --git a/aws/templates/gwlb-asg/qs-gwlb-master.yaml b/aws/templates/gwlb-asg/qs-gwlb-master.yaml index 4d7e56a7..942106cc 100644 --- a/aws/templates/gwlb-asg/qs-gwlb-master.yaml +++ b/aws/templates/gwlb-asg/qs-gwlb-master.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, in a new VPC (05072024) +Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, in a new VPC (20241027) Metadata: AWS::CloudFormation::Interface: ParameterGroups: 
@@ -542,6 +542,9 @@ Parameters: - R81.20-BYOL - R81.20-PAYG-NGTP - R81.20-PAYG-NGTX + - R82-BYOL + - R82-PAYG-NGTP + - R82-PAYG-NGTX GatewayPasswordHash: Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) Type: String @@ -711,6 +714,8 @@ Parameters: - R81.10-PAYG - R81.20-BYOL - R81.20-PAYG + - R82-BYOL + - R82-PAYG ManagementPasswordHash: Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) Type: String diff --git a/aws/templates/gwlb-asg/qs-gwlb.yaml b/aws/templates/gwlb-asg/qs-gwlb.yaml index 1ff5555b..ebff2add 100644 --- a/aws/templates/gwlb-asg/qs-gwlb.yaml +++ b/aws/templates/gwlb-asg/qs-gwlb.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: "Deploy a Quick-Start Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, optionally: Security Management Server and Application Server Autoscale in an existing VPC (05072024)" +Description: "Deploy a Quick-Start Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, optionally: Security Management Server and Application Server Autoscale in an existing VPC (20241027)" Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -447,6 +447,9 @@ Parameters: - R81.20-BYOL - R81.20-PAYG-NGTP - R81.20-PAYG-NGTX + - R82-BYOL + - R82-PAYG-NGTP + - R82-PAYG-NGTX GatewayPasswordHash: Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) Type: String @@ -616,6 +619,8 @@ Parameters: - R81.10-PAYG - R81.20-BYOL - R81.20-PAYG + - R82-BYOL + - R82-PAYG ManagementPasswordHash: Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) Type: String diff --git a/aws/templates/gwlb-asg/tgw-gwlb-master.yaml b/aws/templates/gwlb-asg/tgw-gwlb-master.yaml index 7fe4c750..c0598bf5 100644 
--- a/aws/templates/gwlb-asg/tgw-gwlb-master.yaml +++ b/aws/templates/gwlb-asg/tgw-gwlb-master.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, in a new VPC for Transit Gateway (20240204) +Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, in a new VPC for Transit Gateway (20241027) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -526,6 +526,9 @@ Parameters: - R81.20-BYOL - R81.20-PAYG-NGTP - R81.20-PAYG-NGTX + - R82-BYOL + - R82-PAYG-NGTP + - R82-PAYG-NGTX GatewayPasswordHash: Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) Type: String @@ -700,6 +703,8 @@ Parameters: - R81.10-PAYG - R81.20-BYOL - R81.20-PAYG + - R82-BYOL + - R82-PAYG ManagementPasswordHash: Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) Type: String diff --git a/aws/templates/gwlb-asg/tgw-gwlb.yaml b/aws/templates/gwlb-asg/tgw-gwlb.yaml index 89fbbc8b..58601a0a 100644 --- a/aws/templates/gwlb-asg/tgw-gwlb.yaml +++ b/aws/templates/gwlb-asg/tgw-gwlb.yaml 
@@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, in an existing VPC for Transit Gateway (20240204) +Description: Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, in an existing VPC for Transit Gateway (20241027) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -481,6 +481,9 @@ Parameters: - R81.20-BYOL - R81.20-PAYG-NGTP - R81.20-PAYG-NGTX + - R82-BYOL + - R82-PAYG-NGTP + - R82-PAYG-NGTX GatewayPasswordHash: Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) Type: String @@ -672,6 +675,8 @@ Parameters: - R81.10-PAYG - R81.20-BYOL - R81.20-PAYG + - R82-BYOL + - R82-PAYG ManagementPasswordHash: Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) Type: String diff --git a/aws/templates/management/management.yaml b/aws/templates/management/management.yaml index 04e3d00e..4ae6c52c 100755 --- a/aws/templates/management/management.yaml +++ b/aws/templates/management/management.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploys a Check Point Management Server (20240417) +Description: Deploys a Check Point Management Server (20241027) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -313,6 +313,8 @@ Parameters: - R81.10-PAYG - R81.20-BYOL - R81.20-PAYG + - R82-BYOL + - R82-PAYG Shell: Description: Change the admin shell to enable advanced command line configuration. Type: String diff --git a/aws/templates/mds/mds.yaml b/aws/templates/mds/mds.yaml index ec7913b2..3d2eeb7a 100644 --- a/aws/templates/mds/mds.yaml 
+++ b/aws/templates/mds/mds.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: '2010-09-09' -Description: Deploys a Check Point Multi-Domain Server (20240417) +Description: Deploys a Check Point Multi-Domain Server (20241027) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -298,6 +298,7 @@ Parameters: AllowedValues: - R81.10-BYOL - R81.20-BYOL + - R82-BYOL Shell: Description: Change the admin shell to enable advanced command line configuration. Type: String diff --git a/aws/templates/single-gw/gateway.yaml b/aws/templates/single-gw/gateway.yaml index 645eab2f..26865610 100644 --- a/aws/templates/single-gw/gateway.yaml +++ b/aws/templates/single-gw/gateway.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploys a Check Point Security Gateway into an existing VPC (20240204) +Description: Deploys a Check Point Security Gateway into an existing VPC (20241027) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -305,6 +305,9 @@ Parameters: - R81.20-BYOL - R81.20-PAYG-NGTP - R81.20-PAYG-NGTX + - R82-BYOL + - R82-PAYG-NGTP + - R82-PAYG-NGTX Shell: Description: Change the admin shell to enable advanced command line configuration. Type: String diff --git a/aws/templates/standalone/standalone-master.yaml b/aws/templates/standalone/standalone-master.yaml index 6c9847cc..28e8b447 100644 --- a/aws/templates/standalone/standalone-master.yaml +++ b/aws/templates/standalone/standalone-master.yaml @@ -1,6 +1,6 @@ AWSTemplateFormatVersion: 2010-09-09 Description: Deploys either a manually configurable or a Check Point CloudGuard IaaS - Security Gateway & Management (Standalone) instance in a new VPC (20240204) + Security Gateway & Management (Standalone) instance in a new VPC (20241027) Metadata: AWS::CloudFormation::Interface: ParameterGroups: 
@@ -180,6 +180,8 @@ Parameters: - R81.10-BYOL - R81.20-PAYG-NGTP - R81.20-BYOL + - R82-PAYG-NGTP + - R82-BYOL Shell: Description: Change the admin shell to enable advanced command line configuration. Type: String diff --git a/aws/templates/standalone/standalone.yaml b/aws/templates/standalone/standalone.yaml index a73e2d34..41876109 100644 --- a/aws/templates/standalone/standalone.yaml +++ b/aws/templates/standalone/standalone.yaml @@ -1,6 +1,6 @@ AWSTemplateFormatVersion: 2010-09-09 Description: Deploys either a manually configurable or a Check Point CloudGuard IaaS - Security Gateway & Management (Standalone) instance into an existing VPC (20240204) + Security Gateway & Management (Standalone) instance into an existing VPC (20241027) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -289,6 +289,8 @@ Parameters: - R81.10-BYOL - R81.20-PAYG-NGTP - R81.20-BYOL + - R82-PAYG-NGTP + - R82-BYOL Shell: Description: Change the admin shell to enable advanced command line configuration. Type: String diff --git a/aws/templates/tgw-asg/tgw-asg-master.yaml b/aws/templates/tgw-asg/tgw-asg-master.yaml index 4ddf23df..339da4e9 100644 --- a/aws/templates/tgw-asg/tgw-asg-master.yaml +++ b/aws/templates/tgw-asg/tgw-asg-master.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy an Auto Scaling Group of CloudGuard Security Gateways for Transit Gateway with an optional Management Server in a new VPC (20240204) +Description: Deploy an Auto Scaling Group of CloudGuard Security Gateways for Transit Gateway with an optional Management Server in a new VPC (20241027) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -372,6 +372,9 @@ Parameters: - R81.20-BYOL - R81.20-PAYG-NGTP - R81.20-PAYG-NGTX + - R82-BYOL + - R82-PAYG-NGTP + - R82-PAYG-NGTX GatewayPasswordHash: Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) Type: String 
@@ -538,6 +541,8 @@ Parameters: - R81.10-PAYG - R81.20-BYOL - R81.20-PAYG + - R82-BYOL + - R82-PAYG ManagementPasswordHash: Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) Type: String diff --git a/aws/templates/tgw-asg/tgw-asg.yaml b/aws/templates/tgw-asg/tgw-asg.yaml index e1a5633f..bf7d2ab1 100644 --- a/aws/templates/tgw-asg/tgw-asg.yaml +++ b/aws/templates/tgw-asg/tgw-asg.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: '2010-09-09' -Description: Deploy an Auto Scaling Group of CloudGuard Security Gateways for Transit Gateway with an optional Management Server into an existing VPC (20240204) +Description: Deploy an Auto Scaling Group of CloudGuard Security Gateways for Transit Gateway with an optional Management Server into an existing VPC (20241027) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -326,6 +326,9 @@ Parameters: - R81.20-BYOL - R81.20-PAYG-NGTP - R81.20-PAYG-NGTX + - R82-BYOL + - R82-PAYG-NGTP + - R82-PAYG-NGTX GatewayPasswordHash: Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) Type: String @@ -492,6 +495,8 @@ Parameters: - R81.10-PAYG - R81.20-BYOL - R81.20-PAYG + - R82-BYOL + - R82-PAYG ManagementPasswordHash: Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) Type: String diff --git a/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster-master.yaml b/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster-master.yaml index 4ab74737..232ca1b5 100644 --- a/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster-master.yaml +++ b/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster-master.yaml 
@@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy a Check Point TGW Cross Availabilty Zone Cluster in a new VPC (20240204) +Description: Deploy a Check Point TGW Cross Availabilty Zone Cluster in a new VPC (20241027) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -342,6 +342,9 @@ Parameters: - R81.20-BYOL - R81.20-PAYG-NGTP - R81.20-PAYG-NGTX + - R82-BYOL + - R82-PAYG-NGTP + - R82-PAYG-NGTX Shell: Description: Change the admin shell to enable advanced command line configuration. Type: String diff --git a/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster.yaml b/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster.yaml index 63062132..56d58083 100644 --- a/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster.yaml +++ b/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploys a Check Point TGW Cross Availabilty Zone Cluster into an existing VPC (20240204) +Description: Deploys a Check Point TGW Cross Availabilty Zone Cluster into an existing VPC (20241027) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -338,6 +338,9 @@ Parameters: - R81.20-BYOL - R81.20-PAYG-NGTP - R81.20-PAYG-NGTX + - R82-BYOL + - R82-PAYG-NGTP + - R82-PAYG-NGTX Shell: Description: Change the admin shell to enable advanced command line configuration. Type: String diff --git a/aws/templates/tgw-ha/tgw-ha-master.yaml b/aws/templates/tgw-ha/tgw-ha-master.yaml index 503a1b23..d8a734ea 100644 --- a/aws/templates/tgw-ha/tgw-ha-master.yaml +++ b/aws/templates/tgw-ha/tgw-ha-master.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploy a Check Point TGW HA cross AZ Cluster in a new VPC (20240204) +Description: Deploy a Check Point TGW HA cross AZ Cluster in a new VPC (20241027) Metadata: AWS::CloudFormation::Interface: ParameterGroups: 
@@ -343,6 +343,9 @@ Parameters: - R81.10-BYOL - R81.10-PAYG-NGTP - R81.10-PAYG-NGTX + - R82-BYOL + - R82-PAYG-NGTP + - R82-PAYG-NGTX Shell: Description: Change the admin shell to enable advanced command line configuration. Type: String diff --git a/aws/templates/tgw-ha/tgw-ha.yaml b/aws/templates/tgw-ha/tgw-ha.yaml index 9a20ff99..c4f5426e 100644 --- a/aws/templates/tgw-ha/tgw-ha.yaml +++ b/aws/templates/tgw-ha/tgw-ha.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploys a Check Point TGW HA Cluster into an existing VPC (20240204) +Description: Deploys a Check Point TGW HA Cluster into an existing VPC (20241027) Metadata: AWS::CloudFormation::Interface: ParameterGroups: @@ -337,6 +337,9 @@ Parameters: - R81.10-BYOL - R81.10-PAYG-NGTP - R81.10-PAYG-NGTX + - R82-BYOL + - R82-PAYG-NGTP + - R82-PAYG-NGTX Shell: Description: Change the admin shell to enable advanced command line configuration. Type: String diff --git a/terraform/aws/autoscale-gwlb/README.md b/terraform/aws/autoscale-gwlb/README.md index b6c58219..4d4115db 100755 --- a/terraform/aws/autoscale-gwlb/README.md +++ b/terraform/aws/autoscale-gwlb/README.md 
@@ -116,36 +116,36 @@ secret_key = "my-secret-key" ## Inputs -| Name | Description | Type | Allowed values | Default | Required | -|----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------|----------| -| prefix | (Optional) Instances name prefix | string | n/a | "" | no | -| asg_name | Autoscaling Group name | string | n/a | Check-Point-ASG-tf | no | -| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | -| subnet_ids | List of public subnet IDs to launch resources into. Recommended at least 2 | list(string) | n/a | n/a | yes | -| gateways_provision_address_type | Determines if the gateways are provisioned using their private or public address. | string | - private
- public | private | no | -| allocate_public_IP | Allocate a Public IP for gateway members. | bool | true/false | false | no | -| management_server | The name that represents the Security Management Server in the CME configuration | string | n/a | n/a | yes | -| configuration_template | Name of the provisioning template in the CME configuration | string | n/a | n/a | yes | -| gateway_name | The name tag of the Security Gateways instances | string | n/a | Check-Point-ASG-gateway-tf | no | -| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | -| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | -| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | -| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | -| instances_tags | (Optional) A map of tags as key=value pairs. All tags will be added on all AutoScaling Group instances | map(string) | n/a | {} | no | -| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | -| minimum_group_size | The minimum number of instances in the Auto Scaling group | number | n/a | 2 | no | -| maximum_group_size | The maximum number of instances in the Auto Scaling group | number | n/a | 10 | no | -| target_groups | (Optional) List of Target Group ARNs to associate with the Auto Scaling group | list(string) | n/a | [] | no | -| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R81.20-PAYG-NGTX | R81.20-BYOL | no | -| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | -| gateway_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | -| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components (at least 8 alphanumeric characters) | string | n/a | "12345678" | yes | -| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | -| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | -| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | -| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | -| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | -| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no | +| Name | Description | Type | Allowed values | Default | Required | +|----------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------|-------------| +| prefix | (Optional) Instances name prefix | string | n/a | "" | no | +| asg_name | Autoscaling Group name | string | n/a | Check-Point-ASG-tf | no | +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| subnet_ids | List of public subnet IDs to launch resources into. Recommended at least 2 | list(string) | n/a | n/a | yes | +| gateways_provision_address_type | Determines if the gateways are provisioned using their private or public address. | string | - private
- public | private | no | +| allocate_public_IP | Allocate a Public IP for gateway members. | bool | true/false | false | no | +| management_server | The name that represents the Security Management Server in the CME configuration | string | n/a | n/a | yes | +| configuration_template | Name of the provisioning template in the CME configuration | string | n/a | n/a | yes | +| gateway_name | The name tag of the Security Gateways instances | string | n/a | Check-Point-ASG-gateway-tf | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | +| instances_tags | (Optional) A map of tags as key=value pairs. All tags will be added on all AutoScaling Group instances | map(string) | n/a | {} | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| minimum_group_size | The minimum number of instances in the Auto Scaling group | number | n/a | 2 | no | +| maximum_group_size | The maximum number of instances in the Auto Scaling group | number | n/a | 10 | no | +| target_groups | (Optional) List of Target Group ARNs to associate with the Auto Scaling group | list(string) | n/a | [] | no | +| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components (at least 8 alphanumeric characters) | string | n/a | "12345678" | yes | +| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | +| gateway_maintenance_mode_password_hash | (optional) Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here). | string | n/a | "" | no | ## Outputs | Name | Description | @@ -167,6 +167,7 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 20241027 | R82 version support | | 20240704 | - R80.40 version deprecation.
- R81 version deprecation |
 | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only |
 | 20240417 | - Add support for Elastic Load Balancer Health Checks.
- EC2 Auto Scaling will start to detect and act on health checks performed by Elastic Load Balancing. |
diff --git a/terraform/aws/autoscale-gwlb/asg_userdata.yaml b/terraform/aws/autoscale-gwlb/asg_userdata.yaml
index bb095c01..8cc2a7a5 100755
--- a/terraform/aws/autoscale-gwlb/asg_userdata.yaml
+++ b/terraform/aws/autoscale-gwlb/asg_userdata.yaml
@@ -26,4 +26,4 @@ bootcmd:
 - echo "cpprod_util CPPROD_SetValue \"fw1\" \"AwsGwlb\" 4 1 1" >> /etc/rc.local
 runcmd:
 - |
- python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" installationType=\"autoscale\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"autoscale_gwlb\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" bootstrapScript64=\"${BootstrapScript}\"
\ No newline at end of file
+ python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" installationType=\"autoscale\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20241027\" templateName=\"autoscale_gwlb\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" bootstrapScript64=\"${BootstrapScript}\"
\ No newline at end of file
diff --git a/terraform/aws/autoscale/README.md b/terraform/aws/autoscale/README.md
index a46954ae..834e4618 100755
--- a/terraform/aws/autoscale/README.md
+++ b/terraform/aws/autoscale/README.md
@@ -126,7 +126,7 @@ secret_key = "my-secret-key" ## Inputs | Name | Description | Type | Allowed values | Default | Required | -|----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------|----------| +|----------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------|----------| | prefix | (Optional) Instances name prefix | string | n/a | "" | no | | asg_name | Autoscaling Group name | string | n/a | Check-Point-ASG-tf | no | | vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | @@ -144,7 +144,7 @@ secret_key = "my-secret-key" | minimum_group_size | The minimum number of instances in the Auto Scaling group | number | n/a | 2 | no | | maximum_group_size | The maximum number of instances in the Auto Scaling group | number | n/a | 10 | no | | target_groups | (Optional) List of Target Group ARNs to associate with the Auto Scaling group | list(string) | n/a | [] | no | -| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | | admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | | gateway_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | | gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components (at least 8 alphanumeric characters) | string | n/a | "12345678" | yes | @@ -179,6 +179,7 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 20241027 | R82 version support | | 20240704 | - R80.40 version deprecation.
- R81 version deprecation. |
 | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only |
 | 20240417 | - Add support for Elastic Load Balancer Health Checks.
- EC2 Auto Scaling will start to detect and act on health checks performed by Elastic Load Balancing. |
diff --git a/terraform/aws/autoscale/asg_userdata.yaml b/terraform/aws/autoscale/asg_userdata.yaml
index 4c6633c3..140f2d8d 100755
--- a/terraform/aws/autoscale/asg_userdata.yaml
+++ b/terraform/aws/autoscale/asg_userdata.yaml
@@ -1,4 +1,4 @@
 #cloud-config
 runcmd:
 - |
- python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" installationType=\"autoscale\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20240704\" templateName=\"autoscale\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" bootstrapScript64=\"${BootstrapScript}\"
+ python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" installationType=\"autoscale\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20241027\" templateName=\"autoscale\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" bootstrapScript64=\"${BootstrapScript}\"
diff --git a/terraform/aws/cluster-master/README.md b/terraform/aws/cluster-master/README.md
index 7354af59..680c3dfc 100755
--- a/terraform/aws/cluster-master/README.md
+++ b/terraform/aws/cluster-master/README.md
@@ -171,7 +171,7 @@ secret_key = "my-secret-key" | metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | | instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances | map(string) | n/a | {} | no | | predefined_role | (Optional) A predefined IAM role to attach to the cluster profile | string | n/a | "" | no | -| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | | admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | | gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | | gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | @@ -203,6 +203,7 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|---------------------------------------------------------------------------------------------------------------| +| 20241027 | R82 version support | | 20240704 | - R80.40 version deprecation.
- R81 version deprecation. |
 | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only |
 | 20231012 | Update AWS Terraform provider version to 5.20.1 |
diff --git a/terraform/aws/cluster/README.md b/terraform/aws/cluster/README.md
index e1b48f4f..cbe60b62 100755
--- a/terraform/aws/cluster/README.md
+++ b/terraform/aws/cluster/README.md
@@ -133,7 +133,7 @@ secret_key = "my-secret-key" ## Inputs | Name | Description | Type | Allowed values | Default | Required | -|----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| +|----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|-----------| | vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | | public_subnet_id | The public subnet of the cluster. The cluster's public IPs will be generated from this subnet | string | n/a | n/a | yes | | private_subnet_id | The private subnet of the cluster. The cluster's private IPs will be generated from this subnet | string | n/a | n/a | yes | 
@@ -149,7 +149,7 @@ secret_key = "my-secret-key" | metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | | instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances | map(string) | n/a | {} | no | | predefined_role | (Optional) A predefined IAM role to attach to the cluster profile | string | n/a | "" | no | -| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | | admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | | gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | no | | gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | @@ -181,6 +181,7 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|---------------------------------------------------------------------------------------------------------------| +| 20241027 | R82 version support | | 20240704 | - R80.40 version deprecation.
- R81 version deprecation. |
 | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only |
 | 20240304 | Add x-chkp-cluster-ips, x-chkp-member-ips tags to cluster members |
diff --git a/terraform/aws/cluster/cluster_member_a_userdata.yaml b/terraform/aws/cluster/cluster_member_a_userdata.yaml
index 1fa105c0..da66a948 100755
--- a/terraform/aws/cluster/cluster_member_a_userdata.yaml
+++ b/terraform/aws/cluster/cluster_member_a_userdata.yaml
@@ -1,4 +1,4 @@
 #cloud-config
 runcmd:
 - |
- python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenA}\"" installationType=\"cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" elasticIp=\"${MemberAPublicAddress}\" templateVersion=\"20240704\" templateName=\"cluster\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" allocatePublicAddress=\"${AllocateAddress}\" bootstrapScript64=\"${GatewayBootstrapScript}\"
\ No newline at end of file
+ python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenA}\"" installationType=\"cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" elasticIp=\"${MemberAPublicAddress}\" templateVersion=\"20241027\" templateName=\"cluster\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" allocatePublicAddress=\"${AllocateAddress}\" bootstrapScript64=\"${GatewayBootstrapScript}\"
\ No newline at end of file
diff --git a/terraform/aws/cluster/cluster_member_b_userdata.yaml b/terraform/aws/cluster/cluster_member_b_userdata.yaml
index 36d29dc5..9109013c 100755
--- a/terraform/aws/cluster/cluster_member_b_userdata.yaml
+++ b/terraform/aws/cluster/cluster_member_b_userdata.yaml
@@ -1,4 +1,4 @@
 #cloud-config
 runcmd:
 - |
- python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenB}\"" installationType=\"cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" elasticIp=\"${MemberBPublicAddress}\" templateVersion=\"20231012\" templateName=\"cluster\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" allocatePublicAddress=\"${AllocateAddress}\" bootstrapScript64=\"${GatewayBootstrapScript}\"
\ No newline at end of file
+ python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenB}\"" installationType=\"cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" elasticIp=\"${MemberBPublicAddress}\" templateVersion=\"20241027\" templateName=\"cluster\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" allocatePublicAddress=\"${AllocateAddress}\" bootstrapScript64=\"${GatewayBootstrapScript}\"
\ No newline at end of file
diff --git a/terraform/aws/cross-az-cluster-master/README.md b/terraform/aws/cross-az-cluster-master/README.md
index ce475b0d..f3d5ebb1 100755
--- a/terraform/aws/cross-az-cluster-master/README.md
+++ b/terraform/aws/cross-az-cluster-master/README.md
@@ -170,7 +170,7 @@ secret_key = "my-secret-key" | metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | | instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances | map(string) | n/a | {} | no | | predefined_role | (Optional) A predefined IAM role to attach to the cluster profile | string | n/a | "" | no | -| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | | admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | | gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | | gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | @@ -202,6 +202,7 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 20241027 | R82 version support | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | | 20231012 | Update AWS Terraform provider version to 5.20.1 | | 20230923 | Add support for C5d instance type | diff --git a/terraform/aws/cross-az-cluster/README.md b/terraform/aws/cross-az-cluster/README.md index ed0737da..34d9b77f 100755 --- a/terraform/aws/cross-az-cluster/README.md +++ b/terraform/aws/cross-az-cluster/README.md 
@@ -145,7 +145,7 @@ secret_key = "my-secret-key" | metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | | instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances | map(string) | n/a | {} | no | | predefined_role | (Optional) A predefined IAM role to attach to the cluster profile | string | n/a | "" | no | -| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | | admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | | gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | | gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | @@ -178,6 +178,7 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 20241027 | R82 version support | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | | 20240304 | Add x-chkp-cluster-ips, x-chkp-member-ips tags to cluster members | | 20231012 | Update AWS Terraform provider version to 5.20.1 | diff --git a/terraform/aws/cross-az-cluster/cluster_member_a_userdata.yaml b/terraform/aws/cross-az-cluster/cluster_member_a_userdata.yaml index f9a926c5..2d8ab4a0 100755 --- a/terraform/aws/cross-az-cluster/cluster_member_a_userdata.yaml +++ b/terraform/aws/cross-az-cluster/cluster_member_a_userdata.yaml 
@@ -1,4 +1,4 @@ #cloud-config runcmd: - | - python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenA}\"" installationType=\"cross-az-cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20240310\" templateName=\"cross_az_cluster\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" elasticIp=\"${MemberAPublicAddress}\" otherMemberIp=\"${MemberBPrivateAddressCluster}\" clusterIp=\"${PublicAddressCluster}\" secondaryIp=\"${MemberAPrivateAddressSecondary}\" otherMemberPrivateClusterIp=\"${MemberBPrivateAddressSecondary}\" bootstrapScript64=\"${GatewayBootstrapScript}\" \ No newline at end of file + python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenA}\"" installationType=\"cross-az-cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20241027\" templateName=\"cross_az_cluster\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" elasticIp=\"${MemberAPublicAddress}\" otherMemberIp=\"${MemberBPrivateAddressCluster}\" clusterIp=\"${PublicAddressCluster}\" secondaryIp=\"${MemberAPrivateAddressSecondary}\" otherMemberPrivateClusterIp=\"${MemberBPrivateAddressSecondary}\" bootstrapScript64=\"${GatewayBootstrapScript}\" \ No newline at end of file diff --git a/terraform/aws/cross-az-cluster/cluster_member_b_userdata.yaml b/terraform/aws/cross-az-cluster/cluster_member_b_userdata.yaml index a374aaa6..44e2eb70 100755 
--- a/terraform/aws/cross-az-cluster/cluster_member_b_userdata.yaml +++ b/terraform/aws/cross-az-cluster/cluster_member_b_userdata.yaml @@ -1,4 +1,4 @@ #cloud-config runcmd: - | - python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenB}\"" installationType=\"cross-az-cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20240310\" templateName=\"cross_az_cluster\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" elasticIp=\"${MemberBPublicAddress}\" otherMemberIp=\"${MemberAPrivateAddressCluster}\" clusterIp=\"${PublicAddressCluster}\" secondaryIp=\"${MemberBPrivateAddressSecondary}\" otherMemberPrivateClusterIp=\"${MemberAPrivateAddressSecondary}\" bootstrapScript64=\"${GatewayBootstrapScript}\" \ No newline at end of file + python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" "smart1CloudToken=\"${TokenB}\"" installationType=\"cross-az-cluster\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20241027\" templateName=\"cross_az_cluster\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname}\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" elasticIp=\"${MemberBPublicAddress}\" otherMemberIp=\"${MemberAPrivateAddressCluster}\" clusterIp=\"${PublicAddressCluster}\" secondaryIp=\"${MemberBPrivateAddressSecondary}\" otherMemberPrivateClusterIp=\"${MemberAPrivateAddressSecondary}\" bootstrapScript64=\"${GatewayBootstrapScript}\" \ No newline at end of file 
diff --git a/terraform/aws/gateway-master/README.md b/terraform/aws/gateway-master/README.md index 00594f44..15fd6892 100755 --- a/terraform/aws/gateway-master/README.md +++ b/terraform/aws/gateway-master/README.md @@ -161,7 +161,7 @@ secret_key = "my-secret-key" | disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | | metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | | instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Security Gateway EC2 Instance | map(string) | n/a | {} | no | -| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | | admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | | gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | | gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | @@ -198,6 +198,7 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|---------------------------------------------------------------------------------------------------------------| +| 20241027 | R82 version support | | 20240704 | - R80.40 version deprecation.
- R81 version deprecation. | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | | 20231012 | Update AWS Terraform provider version to 5.20.1 | diff --git a/terraform/aws/gateway/README.md b/terraform/aws/gateway/README.md index 52c8ff8a..ea58cb3b 100755 --- a/terraform/aws/gateway/README.md +++ b/terraform/aws/gateway/README.md 
@@ -124,7 +124,7 @@ secret_key = "my-secret-key" ## Inputs | Name | Description | Type | Allowed values | Default | Required | -|------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------|----------| +|------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| | vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | | public_subnet_id | The public subnet of the security gateway | string | n/a | n/a | yes | | private_subnet_id | The private subnet of the security gateway | string | n/a | n/a | yes | 
@@ -139,7 +139,7 @@ secret_key = "my-secret-key" | disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | | metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | | instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Security Gateway EC2 Instance | map(string) | n/a | {} | no | -| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX
| R81.20-BYOL | no | | admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | | gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | | gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | @@ -173,6 +173,7 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|---------------------------------------------------------------------------------------------------------------| +| 20241027 | R82 version support | | 20240704 | - R80.40 version deprecation.
- R81 version deprecation. | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | | 20231012 | Update AWS Terraform provider version to 5.20.1 | diff --git a/terraform/aws/gwlb-master/README.md b/terraform/aws/gwlb-master/README.md index 2adb1f59..9bb7568c 100755 --- a/terraform/aws/gwlb-master/README.md +++ b/terraform/aws/gwlb-master/README.md 
@@ -157,47 +157,47 @@ secret_key = "my-secret-key" ``` ## Inputs -| Name | Description | Type | Allowed values | Default | Required | -|-------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|----------| -| vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | -| public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | -| subnets_bit_length | Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20 | number | n/a | n/a | yes | -| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes | -| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no | -| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | -| disable_instance_termination | Prevents an instance from accidental termination. 
Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | -| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | -| volume_size | Instances volume size | number | n/a | 100 | no | -| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no | -| management_server | The name that represents the Security Management Server in the automatic provisioning configuration. | string | n/a | CP-Management-gwlb-tf | yes | -| configuration_template | The tag is used by the Security Management Server to automatically provision the Security Gateways. Must be up to 12 alphanumeric characters and unique for each Quick Start deployment | string | n/a | gwlb-configuration | no | -| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | -| gateway_load_balancer_name | Load Balancer name in AWS | string | n/a | gwlb1 | yes | -| target_group_name | Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. | string | n/a | tg1 | yes | -| connection_acceptance_required | Indicate whether requests from service consumers to create an endpoint to your service must be accepted. Default is set to false(acceptance not required). | bool | true/false | false | yes | -| enable_cross_zone_load_balancing | Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges. | bool | true/false | true | yes | -| gateway_name | The name tag of the Security Gateway instances. (optional) | string | n/a | Check-Point-GW-tf | yes | -| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | -| gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | -| gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | -| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R81.20-PAYG-NGTX | R81.20-BYOL | no | -| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | -| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | -| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | -| gateway_bootstrap_script | (Optional) An optional script with semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | -| gateways_provision_address_type | Determines if the gateways are provisioned using their private or public address. | string | - private
- public | private | no | -| allocate_public_IP | Allocate a Public IP for gateway members. | bool | true/false | false | no | -| management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | -| management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | -| management_version | The license to install on the Security Management Server | string | - R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG | R81.20-BYOL | no | -| management_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | -| gateways_policy | The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group | string | n/a | Standard | no | -| gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. | string | - Locally managed
- Over the internet | Locally managed | no | -| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | -| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR | n/a | no | -| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | -| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | -| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| Name | Description | Type | Allowed values | Default | Required | +|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|----------| +| vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | +| public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | +| subnets_bit_length | Number of additional bits with which to extend the vpc cidr. 
For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20 | number | n/a | n/a | yes |
+| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | n/a | n/a | yes |
+| enable_volume_encryption | Encrypt Environment instances volume with default AWS KMS key | bool | true/false | true | no |
+| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no |
+| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no |
+| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes |
+| volume_size | Instances volume size | number | n/a | 100 | no |
+| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false | true | no |
+| management_server | The name that represents the Security Management Server in the automatic provisioning configuration. | string | n/a | CP-Management-gwlb-tf | yes |
+| configuration_template | The tag is used by the Security Management Server to automatically provision the Security Gateways. Must be up to 12 alphanumeric characters and unique for each Quick Start deployment | string | n/a | gwlb-configuration | no |
+| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no |
+| gateway_load_balancer_name | Load Balancer name in AWS | string | n/a | gwlb1 | yes |
+| target_group_name | Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. | string | n/a | tg1 | yes |
+| connection_acceptance_required | Indicate whether requests from service consumers to create an endpoint to your service must be accepted. Default is set to false(acceptance not required). | bool | true/false | false | yes |
+| enable_cross_zone_load_balancing | Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges. | bool | true/false | true | yes |
+| gateway_name | The name tag of the Security Gateway instances. (optional) | string | n/a | Check-Point-GW-tf | yes |
+| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no |
+| gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no |
+| gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no |
+| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no |
+| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no |
+| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes |
+| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no |
+| gateway_bootstrap_script | (Optional) An optional script with semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no |
+| gateways_provision_address_type | Determines if the gateways are provisioned using their private or public address. | string | - private
- public | private | no |
+| allocate_public_IP | Allocate a Public IP for gateway members. | bool | true/false | false | no |
+| management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no |
+| management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no |
+| management_version | The license to install on the Security Management Server | string | - R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG | R81.20-BYOL | no |
+| management_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no |
+| gateways_policy | The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group | string | n/a | Standard | no |
+| gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. | string | - Locally managed
- Over the internet | Locally managed | no |
+| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR | n/a | no |
+| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR | n/a | no |
+| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no |
+| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no |
+| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no |
 ## Outputs
@@ -217,6 +217,7 @@ In order to check the template version, please refer to [sk116585](https://suppo
 | Template Version | Description |
 |------------------|---------------------------------------------------------------------------------------------|
+| 20241027 | R82 version support |
 | 20240704 | R80.40 version deprecation |
 | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only |
 | 20231012 | Update AWS Terraform provider version to 5.20.1 |
diff --git a/terraform/aws/gwlb/README.md b/terraform/aws/gwlb/README.md
index 46a142c0..465eef86 100755
--- a/terraform/aws/gwlb/README.md
+++ b/terraform/aws/gwlb/README.md
@@ -172,7 +172,7 @@ secret_key = "my-secret-key"
 | gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no |
 | gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no |
 | gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no |
-| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R81.20-PAYG-NGTX | R81.20-BYOL | no |
+| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no |
 | gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no |
 | gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes |
 | enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no |
@@ -208,6 +208,7 @@ In order to check the template version, please refer to [sk116585](https://suppo
 | Template Version | Description |
 |------------------|---------------------------------------------------------------------------------------|
+| 20241027 | R82 version support |
 | 20240704 | R80.40 version deprecation |
 | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only |
 | 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only |
diff --git a/terraform/aws/management/README.md b/terraform/aws/management/README.md
index 8545ff85..9c3a0a2b 100755
--- a/terraform/aws/management/README.md
+++ b/terraform/aws/management/README.md
@@ -152,7 +152,7 @@ secret_key = "my-secret-key"
 | iam_permissions | IAM role to attach to the instance profile | string | - None (configure later)
- Use existing (specify an existing IAM role name)
- Create with assume role permissions (specify an STS role ARN)
- Create with read permissions
- Create with read-write permissions | Create with read permissions | no |
 | predefined_role | (Optional) A predefined IAM role to attach to the instance profile. Ignored if var.iam_permissions is not set to 'Use existing' | string | n/a | "" | no |
 | sts_roles | (Optional) The IAM role will be able to assume these STS Roles (list of ARNs). Ignored if var.iam_permissions is set to 'None' or 'Use existing' | list(string) | n/a | [] | no |
-| management_version | Management version and license | string | - R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG | R81.20-BYOL | no |
+| management_version | Management version and license | string | - R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG
- R82-BYOL
- R82-PAYG | R81.20-BYOL | no |
 | admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | | management_password_hash | (Optional) Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash) | string | n/a | "" | no | | management_hostname | (Optional) Security Management Server prompt hostname. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | @@ -180,21 +180,22 @@ secret_key = "my-secret-key" ## Revision History In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) -| Template Version | Description | -|------------------|---------------------------------------------------------------------------------------------------------------| -| 20240704 | - R80.40 version deprecation.
- R81 version deprecation. | -| 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | -| 20240207 | Added Log Server installation support | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | -| 20230923 | Add support for C5d instance type | -| 20230914 | Add support for maintenance mode password | -| 20230829 | Change default Check Point version to R81.20 | -| 20230806 | Add support for c6in instance type | -| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | -| 20221123 | R81.20 version support | -| 20220606 | New instance type support | -| 20210329 | Stability fixes | -| 20210309 | First release of Check Point Security Management Server Terraform module for AWS | +| Template Version | Description | +|-------------------|---------------------------------------------------------------------------------------------------------------| +| 20241027 | R82 version support | +| 20240704 | - R80.40 version deprecation.
- R81 version deprecation. | +| 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20240207 | Added Log Server installation support | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
- Add description for reserved words in hostname | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20210329 | Stability fixes | +| 20210309 | First release of Check Point Security Management Server Terraform module for AWS | ## License diff --git a/terraform/aws/management/management_userdata.yaml b/terraform/aws/management/management_userdata.yaml index cfd9e5dc..1b87042a 100755 --- a/terraform/aws/management/management_userdata.yaml +++ b/terraform/aws/management/management_userdata.yaml 
@@ -1,4 +1,4 @@
 #cloud-config
 runcmd:
 - |
- python3 /etc/cloud_config.py sicKey=\"${SICKey}\" installationType=\"management\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20240704\" templateName=\"management\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" "management_installation_type=\"${ManagementInstallationType}\"" adminSubnet=\"${AdminSubnet}\" allocatePublicAddress=\"${AllocateElasticIP}\" overTheInternet=\"${PubMgmt}\" bootstrapScript64=\"${BootstrapScript}\"
\ No newline at end of file
+ python3 /etc/cloud_config.py sicKey=\"${SICKey}\" installationType=\"management\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20241027\" templateName=\"management\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" "management_installation_type=\"${ManagementInstallationType}\"" adminSubnet=\"${AdminSubnet}\" allocatePublicAddress=\"${AllocateElasticIP}\" overTheInternet=\"${PubMgmt}\" bootstrapScript64=\"${BootstrapScript}\"
\ No newline at end of file
diff --git a/terraform/aws/mds/README.md b/terraform/aws/mds/README.md
index 156aad68..92186771 100755
--- a/terraform/aws/mds/README.md
+++ b/terraform/aws/mds/README.md
@@ -147,7 +147,7 @@ secret_key = "my-secret-key"
 | iam_permissions | IAM role to attach to the instance profile | string | - None (configure later)
- Use existing (specify an existing IAM role name)
- Create with assume role permissions (specify an STS role ARN)
- Create with read permissions
- Create with read-write permissions | Create with read permissions | no |
 | predefined_role | (Optional) A predefined IAM role to attach to the instance profile. Ignored if var.iam_permissions is not set to 'Use existing' | string | n/a | "" | no |
 | sts_roles | (Optional) The IAM role will be able to assume these STS Roles (list of ARNs). Ignored if var.iam_permissions is set to 'None' or 'Use existing' | list(string) | n/a | [] | no |
-| mds_version | Multi-Domain Server version and license | string | - R81.10-BYOL
- R81.20-BYOL | R81.20-BYOL | no |
+| mds_version | Multi-Domain Server version and license | string | - R81.10-BYOL
- R81.20-BYOL
- R82-BYOL | R81.20-BYOL | no |
 | mds_admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no |
 | mds_password_hash | (Optional) Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash) | string | n/a | "" | no |
 | mds_hostname | (Optional) Multi-Domain Server prompt hostname. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no |
@@ -174,6 +174,7 @@ In order to check the template version, please refer to [sk116585](https://suppo
 | Template Version | Description |
 |------------------|---------------------------------------------------------------------------------------------------------------|
+| 20241027 | R82 version support |
 | 20240704 | - R80.40 version deprecation.
- R81 version deprecation. |
 | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only |
 | 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only |
diff --git a/terraform/aws/mds/mds_userdata.yaml b/terraform/aws/mds/mds_userdata.yaml
index cd0085c6..bf30aa1b 100755
--- a/terraform/aws/mds/mds_userdata.yaml
+++ b/terraform/aws/mds/mds_userdata.yaml
@@ -1,4 +1,4 @@
 #cloud-config
 runcmd:
 - |
- python3 /etc/cloud_config.py sicKey=\"${SICKey}\" installationType=\"mds\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20240704\" templateName=\"mds\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" primary=\"${IsPrimary}\" secondary=\"${IsSecondary}\" adminSubnet=\"${AdminSubnet}\" bootstrapScript64=\"${BootstrapScript}\"
\ No newline at end of file
+ python3 /etc/cloud_config.py sicKey=\"${SICKey}\" installationType=\"mds\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20241027\" templateName=\"mds\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" primary=\"${IsPrimary}\" secondary=\"${IsSecondary}\" adminSubnet=\"${AdminSubnet}\" bootstrapScript64=\"${BootstrapScript}\"
\ No newline at end of file
diff --git a/terraform/aws/modules/common/version_license/main.tf b/terraform/aws/modules/common/version_license/main.tf
index c0aaca14..93515298 100755
--- a/terraform/aws/modules/common/version_license/main.tf
+++ b/terraform/aws/modules/common/version_license/main.tf
@@ -4,29 +4,40 @@ locals {
 "R81.10-PAYG-NGTP",
 "R81.10-PAYG-NGTX",
 "R81.20-BYOL",
- "R81.20-PAYG-NGTP",
- "R81.20-PAYG-NGTX"
+ "R81.20-PAYG-NGTP",
+ "R81.20-PAYG-NGTX",
+ "R82-BYOL",
+ "R82-PAYG-NGTP",
+ "R82-PAYG-NGTX"
 ]
 mgmt_versions = [
 "R81.10-BYOL",
 "R81.10-PAYG",
 "R81.20-BYOL",
- "R81.20-PAYG"
+ "R81.20-PAYG",
+ "R82-BYOL",
+ "R82-PAYG"
 ]
 mds_versions = [
 "R81.10-BYOL",
- "R81.20-BYOL"
+ "R81.20-BYOL",
+ "R82-BYOL"
 ]
 standalone_versions = [
 "R81.10-BYOL",
 "R81.10-PAYG-NGTP",
 "R81.20-BYOL",
- "R81.20-PAYG-NGTP"
+ "R81.20-PAYG-NGTP",
+ "R82-BYOL",
+ "R82-PAYG-NGTP"
 ]
 gwlb_gw_versions = [
- "R81.20-BYOL",
- "R81.20-PAYG-NGTP",
- "R81.20-PAYG-NGTX"
+ "R81.20-BYOL",
+ "R81.20-PAYG-NGTP",
+ "R81.20-PAYG-NGTX",
+ "R82-BYOL",
+ "R82-PAYG-NGTP",
+ "R82-PAYG-NGTX"
 ]
 }
diff --git a/terraform/aws/qs-autoscale-master/README.md b/terraform/aws/qs-autoscale-master/README.md
index 0c998024..d42f1fa2 100755
--- a/terraform/aws/qs-autoscale-master/README.md
+++ b/terraform/aws/qs-autoscale-master/README.md
@@ -192,13 +192,13 @@ secret_key = "my-secret-key"
 | gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
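Review bot: The removed and re-added `"R81.20-PAYG-NGTP",` / `"R81.20-PAYG-NGTX",` entries of the first list, and the three existing entries of gwlb_gw_versions, read identically on both sides of the hunk, so those pairs appear to differ only in whitespace and bury the actual change (the R82 entries) under formatting churn; running `terraform fmt` before committing would leave a hunk that shows only the added lines. The `locals {` block opens before this hunk, so the name of the first list is not visible here. These lists look like the accepted version/license values the modules validate against, and the README rows updated in the same commit do not quite mirror them: the gateway_version row in terraform/aws/gwlb/README.md (and the gwlb-master table earlier in the patch) lists R81.20-PAYG-NGTX twice where this list has it once. A one-line comment above the first list, such as `# Accepted version/license strings per deployment type; keep the README "Allowed values" columns in sync with these lists.`, would make that relationship explicit for the next version bump.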
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no |
 | gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no |
 | gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no |
-| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no |
+| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no |
 | gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no |
 | gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes |
 | enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no |
 | management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no |
 | management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no |
-| management_version | The license to install on the Security Management Server | string | - R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG | R81.20-BYOL | no |
+| management_version | The license to install on the Security Management Server | string | - R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG
- R82-BYOL
- R82-PAYG | R81.20-BYOL | no |
 | management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no |
 | gateways_policy | The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group | string | n/a | Standard | no |
 | gateways_blades | Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (additional Blades can be manually turned on later) | bool | true/false | true | no |
@@ -238,20 +238,21 @@ secret_key = "my-secret-key" In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) -| Template Version | Description | -|------------------|---------------------------------------------------------------------------------------| -| 20240425 | Remove support for R81 and lower versions | -| 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | -| 20231127 | Add support for parameter admin shell | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | -| 20230923 | Add support for C5d instance type | -| 20230914 | Add support for maintenance mode password | -| 20230829 | Change default Check Point version to R81.20 | -| 20230806 | Add support for c6in instance type | -| 20221226 | Support ASG Launch Template instead of Launch Configuration | -| 20221123 | R81.20 version support | -| 20220606 | New instance type support | -| 20210309 | First release of Check Point Quick Start Auto Scaling Master Terraform module for AWS | +| Template Version | Description | +|------------------|-----------------------------------------------------------------------------------------------| +| 20241027 | R82 version support | +| 20240425 | Remove support for R81 and lower versions | +| 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231127 | Add support for parameter admin shell | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20221226 | Support ASG Launch Template instead of Launch Configuration | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20210309 | First release 
of Check Point Quick Start Auto Scaling Master Terraform module for AWS | ## License diff --git a/terraform/aws/qs-autoscale/README.md b/terraform/aws/qs-autoscale/README.md index ee559913..fe0398e9 100755 --- a/terraform/aws/qs-autoscale/README.md +++ b/terraform/aws/qs-autoscale/README.md 
@@ -156,7 +156,7 @@ secret_key = "my-secret-key" ## Inputs | Name | Description | Type | Allowed values | Default | Required | -|-------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|----------| +|-------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|----------| | prefix | (Optional) Instances name prefix | string | n/a | "" | no | | asg_name | Autoscaling Group name | string | n/a | Check-Point-ASG-tf | no | | vpc_id | Select an existing VPC | string | n/a | n/a | yes | @@ -176,13 +176,13 @@ secret_key = "my-secret-key" | gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | | gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | | gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | -| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | | gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | | gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | | enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | | management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | | management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | -| management_version | The license to install on the Security Management Server | string | - R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG | R81.20-BYOL | no | +| management_version | The license to install on the Security Management Server | string | - R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG
- R82-BYOL
- R82-PAYG | R81.20-BYOL | no | | management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | | gateways_policy | The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group | string | n/a | Standard | no | | gateways_blades | Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (additional Blades can be manually turned on later) | bool | true/false | true | no | @@ -218,6 +218,7 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|-------------------------------------------------------------------------------------------------------------------------------------| +| 20241027 | R82 version support | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | | 20240425 | Remove support for R81 and lower versions | | 20240310 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | diff --git a/terraform/aws/standalone-master/README.md b/terraform/aws/standalone-master/README.md index ef5219d9..78d42f12 100755 --- a/terraform/aws/standalone-master/README.md +++ b/terraform/aws/standalone-master/README.md @@ -152,7 +152,7 @@ secret_key = "my-secret-key" | disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | | metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | | instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Standalone EC2 Instance | map(string) | n/a | {} | no | -| standalone_version | Security Gateway & Management (Standalone) version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.20-BYOL
- R81.20-PAYG-NGTP | R81.20-BYOL | no | +| standalone_version | Security Gateway & Management (Standalone) version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R82-BYOL
- R82-PAYG-NGTP | R81.20-BYOL | no | | admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | | standalone_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | | resources_tag_name | (optional) | string | n/a | "" | no | @@ -185,6 +185,7 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|-------------------------------------------------------------------------------------------------------------------------| +| 20241027 | R82 version support | | 20240704 | - R80.40 version deprecation.
- R81 version deprecation. | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | | 20231113 | Add support for BYOL license type for Standalone | diff --git a/terraform/aws/standalone/README.md b/terraform/aws/standalone/README.md index 1614c44d..619be496 100755 --- a/terraform/aws/standalone/README.md +++ b/terraform/aws/standalone/README.md 
@@ -114,7 +114,7 @@ secret_key = "my-secret-key" ## Inputs | Name | Description | Type | Allowed values | Default | Required | -|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------|----------| +|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------|----------| | vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | | public_subnet_id | The public subnet of the Security Gateway & Management (Standalone) | string | n/a | n/a | yes | | private_subnet_id | The private subnet of the Security Gateway & Management (Standalone) | string | n/a | n/a | yes | 
@@ -129,7 +129,7 @@ secret_key = "my-secret-key" | disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | | metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | | instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Standalone EC2 Instance | map(string) | n/a | {} | no | -| standalone_version | Security Gateway & Management (Standalone) version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.20-BYOL
- R81.20-PAYG-NGTP | R81.20-BYOL | no | +| standalone_version | Security Gateway & Management (Standalone) version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R82-BYOL
- R82-PAYG | R81.20-BYOL | no | | admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | | standalone_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | | resources_tag_name | (optional) | string | n/a | "" | no | @@ -157,7 +157,8 @@ secret_key = "my-secret-key" In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) | Template Version | Description | -|--------------------|------------------------------------------------------------------------------------------------------------------| +|------------------|------------------------------------------------------------------------------------------------------------------| +| 20241027 | R82 version support | | 20210309 | First release of Check Point Security Management Server & Security Gateway (Standalone) Terraform module for AWS | ## License diff --git a/terraform/aws/standalone/standalone_userdata.yaml b/terraform/aws/standalone/standalone_userdata.yaml index 0bf47ec4..205b5bc3 100755 --- a/terraform/aws/standalone/standalone_userdata.yaml +++ b/terraform/aws/standalone/standalone_userdata.yaml 
@@ -1,4 +1,4 @@ #cloud-config runcmd: - | - python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" installationType=\"standalone\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20240704\" templateName=\"standalone\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" adminSubnet=\"${AdminSubnet}\" allocatePublicAddress=\"${AllocateElasticIP}\" bootstrapScript64=\"${StandaloneBootstrapScript}\" \ No newline at end of file + python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" installationType=\"standalone\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20241027\" templateName=\"standalone\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" hostName=\"${Hostname }\" ntpPrimary=\"${NTPPrimary}\" ntpSecondary=\"${NTPSecondary}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" adminSubnet=\"${AdminSubnet}\" allocatePublicAddress=\"${AllocateElasticIP}\" bootstrapScript64=\"${StandaloneBootstrapScript}\" \ No newline at end of file diff --git a/terraform/aws/tgw-asg-master/README.md b/terraform/aws/tgw-asg-master/README.md index 18940e6e..85b2aa3c 100755 --- a/terraform/aws/tgw-asg-master/README.md +++ b/terraform/aws/tgw-asg-master/README.md @@ -168,14 +168,14 @@ secret_key = "my-secret-key" | gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | | gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | | gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | -| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | | gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | | gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | | enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | | asn | The organization Autonomous System Number (ASN) that identifies the routing domain for the Security Gateways | string | n/a | 6500 | no | | management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | | management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | -| management_version | The license to install on the Security Management Server | string | - R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG | R81.20-BYOL | no | +| management_version | The license to install on the Security Management Server | string | - R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG
- R82-BYOL
- R82-PAYG | R81.20-BYOL | no | | management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | | management_permissions | IAM role to attach to the instance profile | string | - None (configure later)
- Use existing (specify an existing IAM role name)
- Create with assume role permissions (specify an STS role ARN)
- Create with read permissions
- Create with read-write permissions | Create with read-write permissions | no | | management_predefined_role | ((Optional) A predefined IAM role to attach to the instance profile. Ignored if IAM role is not set to 'Use existing' | string | n/a | "" | no | @@ -207,6 +207,7 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|-------------------------------------------------------------------------------------------------| +| 20241027 | R82 version support | | 20240704 | - R80.40 version deprecation.
- R81 version deprecation. | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | | 20231012 | Update AWS Terraform provider version to 5.20.1 | diff --git a/terraform/aws/tgw-asg/README.md b/terraform/aws/tgw-asg/README.md index 44e1c298..e32fa852 100755 --- a/terraform/aws/tgw-asg/README.md +++ b/terraform/aws/tgw-asg/README.md @@ -159,14 +159,14 @@ secret_key = "my-secret-key" | gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | | gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | | gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | -| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| gateway_version | Gateway version and license | string | - R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.10-BYOL
- R81.10-PAYG-NGTP
- R81.10-PAYG-NGTX
- R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | | gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | | gateway_SIC_Key | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | | enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | | asn | The organization Autonomous System Number (ASN) that identifies the routing domain for the Security Gateways | string | n/a | 6500 | no | | management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | | management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no |
-| management_version | The license to install on the Security Management Server | string | - R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG | R81.20-BYOL | no |
+| management_version | The license to install on the Security Management Server | string | - R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG
- R82-BYOL
- R82-PAYG | R81.20-BYOL | no | | management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | | management_permissions | IAM role to attach to the instance profile | string | - None (configure later)
- Use existing (specify an existing IAM role name)
- Create with assume role permissions (specify an STS role ARN)
- Create with read permissions
- Create with read-write permissions | Create with read-write permissions | no | | management_predefined_role | ((Optional) A predefined IAM role to attach to the instance profile. Ignored if IAM role is not set to 'Use existing' | string | n/a | "" | no | 
@@ -182,32 +182,33 @@ secret_key = "my-secret-key" ## Outputs -| Name | Description | -|--------------------------|--------------------------------------------------------------------------------------------------------| -| management_instance_name | The deployed Security Management AWS instance name | -| management_public_ip | The deployed Security Management Server AWS public ip | -| management_url | URL to the portal of the deployed Security Management Server | -| autoscaling_group_name | The name of the deployed AutoScaling Group | +| Name | Description | +|--------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| management_instance_name | The deployed Security Management AWS instance name | +| management_public_ip | The deployed Security Management Server AWS public ip | +| management_url | URL to the portal of the deployed Security Management Server | +| autoscaling_group_name | The name of the deployed AutoScaling Group | | configuration_template | The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name | -| controller_name | The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name | +| controller_name | The name that represents the controller. 
Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name | ## Revision History In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) -| Template Version | Description | -|------------------|------------------------------------------------------------------------------------------| -| 20240704 | - R80.40 version deprecation.
- R81 version deprecation. | -| 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | -| 20231012 | Update AWS Terraform provider version to 5.20.1 | -| 20230923 | Add support for C5d instance type | -| 20230914 | Add support for maintenance mode password | -| 20230829 | Change default Check Point version to R81.20 | -| 20230806 | Add support for c6in instance type | -| 20230626 | Fixed missing x-chkp-* tags on Auto Scale Group | -| 20221226 | Support ASG Launch Template instead of Launch Configuration | -| 20221123 | R81.20 version support | -| 20220606 | New instance type support | -| 20210329 | First release of Check Point Transit Gateway Auto Scaling Group Terraform module for AWS | +| Template Version | Description | +|------------------|-----------------------------------------------------------------------------------------------| +| 20241027 | R82 version support | +| 20240704 | - R80.40 version deprecation.
- R81 version deprecation. | +| 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231012 | Update AWS Terraform provider version to 5.20.1 | +| 20230923 | Add support for C5d instance type | +| 20230914 | Add support for maintenance mode password | +| 20230829 | Change default Check Point version to R81.20 | +| 20230806 | Add support for c6in instance type | +| 20230626 | Fixed missing x-chkp-* tags on Auto Scale Group | +| 20221226 | Support ASG Launch Template instead of Launch Configuration | +| 20221123 | R81.20 version support | +| 20220606 | New instance type support | +| 20210329 | First release of Check Point Transit Gateway Auto Scaling Group Terraform module for AWS | ## License diff --git a/terraform/aws/tgw-cross-az-cluster-master/README.md b/terraform/aws/tgw-cross-az-cluster-master/README.md index 6f488b2d..210d40b5 100755 --- a/terraform/aws/tgw-cross-az-cluster-master/README.md +++ b/terraform/aws/tgw-cross-az-cluster-master/README.md 
@@ -140,7 +140,7 @@ secret_key = "my-secret-key" ## Inputs | Name | Description | Type | Allowed values | Default | Required | -|----------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------|----------| +|----------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| | vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | | public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 1 \"us-east-1b\" = 2} ) | map | n/a | n/a | yes | | private_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 2 pairs. (e.g. {\"us-east-1a\" = 3 \"us-east-1b\" = 4} ) | map | n/a | n/a | yes | 
@@ -158,7 +158,7 @@ secret_key = "my-secret-key" | metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | | instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances | map(string) | n/a | {} | no | | predefined_role | (Optional) A predefined IAM role to attach to the cluster profile | string | n/a | "" | no |
-| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | | admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | | gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | | gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | @@ -190,6 +190,7 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 20241027 | R82 version support | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | | 20231012 | Update AWS Terraform provider version to 5.20.1 | | 20230923 | Add support for C5d instance type | diff --git a/terraform/aws/tgw-cross-az-cluster/README.md b/terraform/aws/tgw-cross-az-cluster/README.md index de08521c..971ea70b 100755 --- a/terraform/aws/tgw-cross-az-cluster/README.md +++ b/terraform/aws/tgw-cross-az-cluster/README.md 
@@ -134,41 +134,41 @@ secret_key = "my-secret-key" - In Smart Console: reset SIC with the re-deployed member and install policy ## Inputs -| Name | Description | Type | Allowed values | Default | Required | -|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| -| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | -| public_subnet_id | The public subnet of the cluster. The cluster's public IPs will be generated from this subnet | string | n/a | n/a | yes | -| private_subnet_id | The private subnet of the cluster. The cluster's private IPs will be generated from this subnet | string | n/a | n/a | yes | -| tgw_subnet_1_id | The TGW attachment subnet ID located in the 1st Availability Zone | string | n/a | n/a | yes | -| tgw_subnet_2_id | The TGW attachment subnet ID located in the 2st Availability Zone | string | n/a | n/a | yes | -| private_route_table | (Optional) Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route | string | n/a | "" | no | -| gateway_name | (Optional) The name tag of the Security Gateway instances | string | n/a | Check-Point-Cluster-tf | no | -| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | -| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | -| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with each cluster member, in addition to the shared cluster Elastic IP | bool | true/false | true | no | -| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | -| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | -| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | -| enable_instance_connect | Enable AWS Instance Connect. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | -| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | -| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | -| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances | map(string) | n/a | {} | no | -| predefined_role | (Optional) A predefined IAM role to attach to the cluster profile | string | n/a | "" | no | -| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | -| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | -| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | -| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | -| memberAToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | -| memberBToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | -| resources_tag_name | (Optional) Name tag prefix of the resources | string | n/a | "" | no | -| gateway_hostname | (Optional) The host name will be appended with member-a/b accordingly. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | -| allow_upload_download | Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point | bool | true/false | true | no | -| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | -| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | -| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | -| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | -| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | -| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). 
(optional) | string | n/a | "" | no | +| Name | Description | Type | Allowed values | Default | Required | +|-------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| +| vpc_id | The VPC id in which to deploy | string | n/a | n/a | yes | +| public_subnet_id | The public subnet of the cluster. The cluster's public IPs will be generated from this subnet | string | n/a | n/a | yes | +| private_subnet_id | The private subnet of the cluster. The cluster's private IPs will be generated from this subnet | string | n/a | n/a | yes | +| tgw_subnet_1_id | The TGW attachment subnet ID located in the 1st Availability Zone | string | n/a | n/a | yes | +| tgw_subnet_2_id | The TGW attachment subnet ID located in the 2st Availability Zone | string | n/a | n/a | yes | +| private_route_table | (Optional) Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route | string | n/a | "" | no | +| gateway_name | (Optional) The name tag of the Security Gateway instances | string | n/a | Check-Point-Cluster-tf | no | +| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | +| key_name | The EC2 Key Pair name to allow SSH access to the instance | string | n/a | n/a | yes | +| allocate_and_associate_eip | If set to true, an elastic IP will be allocated and associated with each cluster member, in addition to the shared cluster Elastic IP | bool | true/false | true | no | +| volume_size | Root volume size (GB) - minimum 100 | number | n/a | 100 | no | +| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2 | gp3 | no | +| volume_encryption | KMS or CMK key Identifier: Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs') | string | n/a | alias/aws/ebs | no | +| enable_instance_connect | Enable AWS Instance Connect. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false | false | no | +| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true terraform destroy won't work properly | bool | true/false | false | no | +| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false | true | yes | +| instance_tags | (Optional) A map of tags as key=value pairs. All tags will be added to the Gateway EC2 Instances | map(string) | n/a | {} | no | +| predefined_role | (Optional) A predefined IAM role to attach to the cluster profile | string | n/a | "" | no | +| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | +| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh | /etc/cli.sh | no | +| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | +| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | +| memberAToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| memberBToken | (Recommended) Quick connect to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. | string | n/a | "" | no | +| resources_tag_name | (Optional) Name tag prefix of the resources | string | n/a | "" | no | +| gateway_hostname | (Optional) The host name will be appended with member-a/b accordingly. The name must not contain reserved words. For details, refer to sk40179. | string | n/a | "" | no | +| allow_upload_download | Automatically download Blade Contracts and other important data. 
Improve product experience by sending data to Check Point | bool | true/false | true | no | +| enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | +| gateway_bootstrap_script | (Optional) Semicolon (;) separated commands to run on the initial boot | string | n/a | "" | no | +| primary_ntp | (Optional) The IPv4 addresses of Network Time Protocol primary server | string | n/a | 169.254.169.123 | no | +| secondary_ntp | (Optional) The IPv4 addresses of Network Time Protocol secondary server | string | n/a | 0.pool.ntp.org | no | +| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | +| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) | string | n/a | "" | no | ## Outputs 
@@ -187,6 +187,7 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 20241027 | R82 version support | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | | 20231012 | Update AWS Terraform provider version to 5.20.1 | | 20230923 | Add support for C5d instance type | diff --git a/terraform/aws/tgw-gwlb-master/README.md b/terraform/aws/tgw-gwlb-master/README.md index 28d62d04..0ccc4165 100755 --- a/terraform/aws/tgw-gwlb-master/README.md +++ b/terraform/aws/tgw-gwlb-master/README.md 
@@ -176,7 +176,7 @@ secret_key = "my-secret-key" ## Inputs | Name | Description | Type | Allowed values | Default | Required | -|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|-----------| +|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|----------| | vpc_cidr | The CIDR block of the VPC | string | n/a | n/a | yes | | subnets_bit_length | Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20 | number | n/a | n/a | yes | | public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g. {\"us-east-1a\" = 1} ) | map | n/a | n/a | yes | @@ -209,7 +209,7 @@ secret_key = "my-secret-key" | gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | | gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | | gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | -| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | | gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | | gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | | enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | @@ -218,7 +218,7 @@ secret_key = "my-secret-key" | allocate_public_IP | Allocate a Public IP for gateway members. | bool | true/false | false | no | | management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | | management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | -| management_version | The license to install on the Security Management Server | string | - R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG | R81.20-BYOL | no | +| management_version | The license to install on the Security Management Server | string | - R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG
- R82-BYOL
- R82-PAYG | R81.20-BYOL | no | | management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | | gateways_policy | The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group | string | n/a | Standard | no | | gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. | string | - Locally managed
- Over the internet | Locally managed | no | @@ -247,6 +247,7 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|----------------------------------------------------------------------------------------------------------------------------| +| 20241027 | R82 version support | | 20240704 | R80.40 version deprecation | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | | 20231012 | Update AWS Terraform provider version to 5.20.1 | diff --git a/terraform/aws/tgw-gwlb/README.md b/terraform/aws/tgw-gwlb/README.md index d85546e3..89325fd5 100755 --- a/terraform/aws/tgw-gwlb/README.md +++ b/terraform/aws/tgw-gwlb/README.md 
@@ -172,7 +172,7 @@ secret_key = "my-secret-key" ## Inputs | Name | Description | Type | Allowed values | Default | Required | -|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|----------| +|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|----------| | vpc_id | Select an existing VPC | string | n/a | n/a | yes | | internet_gateway_id | VPC's Internet Gateway Id | string | n/a | n/a | yes | | availability_zones | The Availability Zones (AZs) to use for the subnets in the VPC. | string | n/a | n/a | yes | @@ -208,7 +208,7 @@ secret_key = "my-secret-key" | gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| c5.xlarge | no | | gateways_min_group_size | The minimal number of Security Gateways | number | n/a | 2 | no | | gateways_max_group_size | The maximal number of Security Gateways | number | n/a | 10 | no | -| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX | R81.20-BYOL | no | +| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX | R81.20-BYOL | no | | gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | | gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | n/a | "12345678" | yes | | enable_cloudwatch | Report Check Point specific CloudWatch metrics | bool | true/false | false | no | @@ -217,7 +217,7 @@ secret_key = "my-secret-key" | allocate_public_IP | Allocate a Public IP for gateway members. | bool | true/false | false | no | | management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false | true | no | | management_instance_type | The EC2 instance type of the Security Management Server | string | - c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge - m6a.32xlarge
- m6a.48xlarge
| m5.xlarge | no | -| management_version | The license to install on the Security Management Server | string | - R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG | R81.20-BYOL | no | +| management_version | The license to install on the Security Management Server | string | - R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG
- R82-BYOL
- R82-PAYG | R81.20-BYOL | no | | management_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | n/a | "" | no | | gateways_policy | The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group | string | n/a | Standard | no | | gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. | string | - Locally managed
- Over the internet | Locally managed | no | @@ -246,6 +246,7 @@ In order to check the template version, please refer to [sk116585](https://suppo | Template Version | Description | |------------------|--------------------------------------------------------------------------------------------------------------------| +| 20241027 | R82 version support | | 20240704 | R80.40 version deprecation | | 20240515 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | | 20231012 | Update AWS Terraform provider version to 5.20.1 | From c94cfce8d21aa1814d47792e174fbf97bc467028 Mon Sep 17 00:00:00 2001 
From: olgami Date: Mon, 28 Oct 2024 13:09:48 +0000 Subject: [PATCH 11/12] GCP | Added R82 support --- .../autoscale-byol/README.md | 2 +- .../check-point-autoscale--byol.py | 3 +- .../check-point-autoscale--byol.py.schema | 1 + .../autoscale-byol/images.py | 64 +++++++++---------- .../autoscale-payg/README.md | 2 +- .../check-point-autoscale--payg.py | 3 +- .../check-point-autoscale--payg.py.schema | 1 + .../autoscale-payg/images.py | 64 +++++++++---------- gcp/deployment-packages/ha-byol/README.md | 2 +- .../ha-byol/check-point-cluster--byol.py | 3 +- .../check-point-cluster--byol.py.schema | 1 + gcp/deployment-packages/ha-byol/images.py | 64 +++++++++---------- gcp/deployment-packages/ha-payg/README.md | 2 +- .../ha-payg/check-point-cluster--payg.py | 3 +- .../check-point-cluster--payg.py.schema | 1 + gcp/deployment-packages/ha-payg/images.py | 64 +++++++++---------- gcp/deployment-packages/single-byol/README.md | 2 +- .../single-byol/check-point-vsec--byol.py | 4 +- .../check-point-vsec--byol.py.schema | 4 ++ gcp/deployment-packages/single-byol/images.py | 64 +++++++++---------- gcp/deployment-packages/single-payg/README.md | 2 +- .../single-payg/check-point-vsec--payg.py | 4 +- .../check-point-vsec--payg.py.schema | 4 ++ gcp/deployment-packages/single-payg/images.py | 64 +++++++++---------- .../gcp/autoscale-into-existing-vpc/README.md | 4 +- .../gcp/autoscale-into-existing-vpc/locals.tf | 5 +- .../gcp/autoscale-into-new-vpc/README.md | 4 +- .../gcp/autoscale-into-new-vpc/locals.tf | 5 +- terraform/gcp/high-availability/README.md | 4 +- terraform/gcp/high-availability/locals.tf | 5 +- .../gcp/single-into-existing-vpc/README.md | 4 +- .../gcp/single-into-existing-vpc/locals.tf | 7 +- terraform/gcp/single-into-new-vpc/README.md | 4 +- 33 files changed, 252 insertions(+), 218 deletions(-) diff --git a/gcp/deployment-packages/autoscale-byol/README.md b/gcp/deployment-packages/autoscale-byol/README.md index d11c9a1b..b9f8aec7 100644 
--- a/gcp/deployment-packages/autoscale-byol/README.md +++ b/gcp/deployment-packages/autoscale-byol/README.md @@ -35,7 +35,7 @@ To deploy the Deployment Manager's package manually, without using the GCP Marke ## config.yaml variables | Name | Description | Type | Allowed values | | ------------- | ------------- | ------------- | ------------- | -| **autoscalingVersion** | Autoscaling Version | string | R80.40 Autoscaling;
R81.00 Autoscaling;
R81.10 Autoscaling;
R81.20 Autoscaling;| +| **autoscalingVersion** | Autoscaling Version | string | R80.40 Autoscaling;
R81.00 Autoscaling;
R81.10 Autoscaling;
R81.20 Autoscaling;
R82 Autoscaling;| | | | | | | | **managementName** | Security Management Server name | string | The name of the Security Management Server as appears in autoprovisioning configuration | | | | | | | diff --git a/gcp/deployment-packages/autoscale-byol/check-point-autoscale--byol.py b/gcp/deployment-packages/autoscale-byol/check-point-autoscale--byol.py index 226e09ea..06748f67 100755 --- a/gcp/deployment-packages/autoscale-byol/check-point-autoscale--byol.py +++ b/gcp/deployment-packages/autoscale-byol/check-point-autoscale--byol.py @@ -12,7 +12,8 @@ VERSIONS = { 'R81.10-GW': 'r8110-gw', - 'R81.20-GW': 'r8120-gw' + 'R81.20-GW': 'r8120-gw', + 'R82-GW': 'r82-gw' } TEMPLATE_NAME = 'autoscale' diff --git a/gcp/deployment-packages/autoscale-byol/check-point-autoscale--byol.py.schema b/gcp/deployment-packages/autoscale-byol/check-point-autoscale--byol.py.schema index 65b41f3d..219adc72 100755 --- a/gcp/deployment-packages/autoscale-byol/check-point-autoscale--byol.py.schema +++ b/gcp/deployment-packages/autoscale-byol/check-point-autoscale--byol.py.schema @@ -171,6 +171,7 @@ properties: enum: - R81.10 Autoscaling - R81.20 Autoscaling + - R82 Autoscaling managementName: type: string default: 'checkpoint-management' diff --git a/gcp/deployment-packages/autoscale-byol/images.py b/gcp/deployment-packages/autoscale-byol/images.py index 7b04bee0..46c40abd 100755 --- a/gcp/deployment-packages/autoscale-byol/images.py +++ b/gcp/deployment-packages/autoscale-byol/images.py 
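Review bot: The new last entry `'R82-GW': 'r82-gw'` is again written without a trailing comma, so the next version added will have to touch this line too, exactly as this hunk had to modify the R81.20 line only to append a comma; writing it as `'R82-GW': 'r82-gw',` keeps each future addition to a single added line. The `@@` context shows VERSIONS opens before the hunk, so the dict's other entries are outside this view. The schema hunk that follows adds the enum value `R82 Autoscaling` while the key added here is `R82-GW`; the translation between the two spellings is not visible in this hunk, so it is worth confirming that the lookup path maps the new enum value to this key, otherwise a deployment that selects R82 would pass schema validation and only fail later at image resolution.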
@@ -1,34 +1,34 @@
 IMAGES = {
- "check-point-r8120-payg": "check-point-r8120-payg-631-991001560-v20240425",
- "check-point-r8120-gw-payg-single": "check-point-r8120-gw-payg-single-631-991001560-v20240425",
- "check-point-r8120-gw-payg-mig": "check-point-r8120-gw-payg-mig-631-991001560-v20240425",
- "check-point-r8120-gw-payg-cluster": "check-point-r8120-gw-payg-cluster-631-991001560-v20240425",
- "check-point-r8120-gw-byol-single": "check-point-r8120-gw-byol-single-631-991001560-v20240425",
- "check-point-r8120-gw-byol-mig": "check-point-r8120-gw-byol-mig-631-991001560-v20240425",
- "check-point-r8120-gw-byol-cluster": "check-point-r8120-gw-byol-cluster-631-991001560-v20240425",
- "check-point-r8120-byol": "check-point-r8120-byol-631-991001560-v20240425",
- "check-point-r8110-payg": "check-point-r8110-payg-335-991001560-v20240425",
- "check-point-r8110-gw-payg-single": "check-point-r8110-gw-payg-single-335-991001560-v20240425",
- "check-point-r8110-gw-payg-mig": "check-point-r8110-gw-payg-mig-335-991001560-v20240425",
- "check-point-r8110-gw-payg-cluster": "check-point-r8110-gw-payg-cluster-335-991001560-v20240425",
- "check-point-r8110-gw-byol-single": "check-point-r8110-gw-byol-single-335-991001560-v20240425",
- "check-point-r8110-gw-byol-mig": "check-point-r8110-gw-byol-mig-335-991001560-v20240425",
- "check-point-r8110-gw-byol-cluster": "check-point-r8110-gw-byol-cluster-335-991001560-v20240425",
- "check-point-r8110-byol": "check-point-r8110-byol-335-991001560-v20240425",
- "check-point-r81-payg": "check-point-r81-payg-392-991001560-v20240425",
- "check-point-r81-gw-payg-single": "check-point-r81-gw-payg-single-392-991001560-v20240425",
- "check-point-r81-gw-payg-mig": "check-point-r81-gw-payg-mig-392-991001560-v20240425",
- "check-point-r81-gw-payg-cluster": "check-point-r81-gw-payg-cluster-392-991001560-v20240425",
- "check-point-r81-gw-byol-single": "check-point-r81-gw-byol-single-392-991001560-v20240425",
- "check-point-r81-gw-byol-mig": 
"check-point-r81-gw-byol-mig-392-991001560-v20240425",
- "check-point-r81-gw-byol-cluster": "check-point-r81-gw-byol-cluster-392-991001560-v20240425",
- "check-point-r81-byol": "check-point-r81-byol-392-991001560-v20240425",
- "check-point-r8040-payg": "check-point-r8040-payg-294-991001560-v20240425",
- "check-point-r8040-gw-payg-single": "check-point-r8040-gw-payg-single-294-991001564-v20240505",
- "check-point-r8040-gw-payg-mig": "check-point-r8040-gw-payg-mig-294-991001564-v20240505",
- "check-point-r8040-gw-payg-cluster": "check-point-r8040-gw-payg-cluster-294-991001564-v20240505",
- "check-point-r8040-gw-byol-single": "check-point-r8040-gw-byol-single-294-991001564-v20240505",
- "check-point-r8040-gw-byol-mig": "check-point-r8040-gw-byol-mig-294-991001564-v20240505",
- "check-point-r8040-gw-byol-cluster": "check-point-r8040-gw-byol-cluster-294-991001564-v20240505",
- "check-point-r8040-byol": "check-point-r8040-byol-294-991001560-v20240425"
+ "check-point-r82-payg": "check-point-r82-payg-777-991001695-v20241021",
+ "check-point-r82-gw-payg-single": "check-point-r82-gw-payg-single-777-991001695-v20241021",
+ "check-point-r82-gw-payg-mig": "check-point-r82-gw-payg-mig-777-991001695-v20241021",
+ "check-point-r82-gw-payg-cluster": "check-point-r82-gw-payg-cluster-777-991001695-v20241021",
+ "check-point-r82-gw-byol-single": "check-point-r82-gw-byol-single-777-991001695-v20241021",
+ "check-point-r82-gw-byol-mig": "check-point-r82-gw-byol-mig-777-991001695-v20241021",
+ "check-point-r82-gw-byol-cluster": "check-point-r82-gw-byol-cluster-777-991001695-v20241021",
+ "check-point-r82-byol": "check-point-r82-byol-777-991001695-v20241021",
+ "check-point-r8120-payg": "check-point-r8120-payg-634-991001641-v20240807",
+ "check-point-r8120-gw-payg-single": "check-point-r8120-gw-payg-single-631-991001669-v20240923",
+ "check-point-r8120-gw-payg-mig": "check-point-r8120-gw-payg-mig-631-991001669-v20240923",
+ "check-point-r8120-gw-payg-cluster": 
"check-point-r8120-gw-payg-cluster-631-991001669-v20240923",
+ "check-point-r8120-gw-byol-single": "check-point-r8120-gw-byol-single-631-991001669-v20240923",
+ "check-point-r8120-gw-byol-mig": "check-point-r8120-gw-byol-mig-631-991001669-v20240923",
+ "check-point-r8120-gw-byol-cluster": "check-point-r8120-gw-byol-cluster-631-991001669-v20240923",
+ "check-point-r8120-byol": "check-point-r8120-byol-634-991001641-v20240807",
+ "check-point-r8110-payg": "check-point-r8110-payg-335-991001681-v20241009",
+ "check-point-r8110-gw-payg-single": "check-point-r8110-gw-payg-single-335-991001681-v20241009",
+ "check-point-r8110-gw-payg-mig": "check-point-r8110-gw-payg-mig-335-991001681-v20241009",
+ "check-point-r8110-gw-payg-cluster": "check-point-r8110-gw-payg-cluster-335-991001681-v20241009",
+ "check-point-r8110-gw-byol-single": "check-point-r8110-gw-byol-single-335-991001681-v20241009",
+ "check-point-r8110-gw-byol-mig": "check-point-r8110-gw-byol-mig-335-991001681-v20241009",
+ "check-point-r8110-gw-byol-cluster": "check-point-r8110-gw-byol-cluster-335-991001681-v20241009",
+ "check-point-r8110-byol": "check-point-r8110-byol-335-991001681-v20241009",
+ "check-point-r81-payg": "check-point-r81-payg-392-991001616-v20240619",
+ "check-point-r81-gw-payg-single": "check-point-r81-gw-payg-single-392-991001616-v20240619",
+ "check-point-r81-gw-payg-mig": "check-point-r81-gw-payg-mig-392-991001616-v20240619",
+ "check-point-r81-gw-payg-cluster": "check-point-r81-gw-payg-cluster-392-991001616-v20240619",
+ "check-point-r81-gw-byol-single": "check-point-r81-gw-byol-single-392-991001616-v20240619",
+ "check-point-r81-gw-byol-mig": "check-point-r81-gw-byol-mig-392-991001616-v20240619",
+ "check-point-r81-gw-byol-cluster": "check-point-r81-gw-byol-cluster-392-991001616-v20240619",
+ "check-point-r81-byol": "check-point-r81-byol-392-991001616-v20240619"
 }
\ No newline at end of file
diff --git a/gcp/deployment-packages/autoscale-payg/README.md b/gcp/deployment-packages/autoscale-payg/README.md
index 9dfa6b83..bef206ee 100644
--- a/gcp/deployment-packages/autoscale-payg/README.md
+++ b/gcp/deployment-packages/autoscale-payg/README.md
@@ -35,7 +35,7 @@ To deploy the Deployment Manager's package manually, without using the GCP Marke
 ## config.yaml variables
 | Name | Description | Type | Allowed values |
 | ------------- | ------------- | ------------- | ------------- |
-| **autoscalingVersion** | Autoscaling Version | string | R80.40 Autoscaling;
R81.00 Autoscaling;
R81.10 Autoscaling;
R81.20 Autoscaling;|
+| **autoscalingVersion** | Autoscaling Version | string | R80.40 Autoscaling;
R81.00 Autoscaling;
R81.10 Autoscaling;
R81.20 Autoscaling;
R82 Autoscaling;|
 | | | | | | |
 | **managementName** | Security Management Server name | string | The name of the Security Management Server as appears in autoprovisioning configuration |
 | | | | | | |
diff --git a/gcp/deployment-packages/autoscale-payg/check-point-autoscale--payg.py b/gcp/deployment-packages/autoscale-payg/check-point-autoscale--payg.py
index b13af6da..8dd5e401 100755
--- a/gcp/deployment-packages/autoscale-payg/check-point-autoscale--payg.py
+++ b/gcp/deployment-packages/autoscale-payg/check-point-autoscale--payg.py
@@ -12,7 +12,8 @@ VERSIONS = {
 'R81.10-GW': 'r8110-gw',
- 'R81.20-GW': 'r8120-gw'
+ 'R81.20-GW': 'r8120-gw',
+ 'R82-GW': 'r82-gw'
 }
 TEMPLATE_NAME = 'autoscale'
diff --git a/gcp/deployment-packages/autoscale-payg/check-point-autoscale--payg.py.schema b/gcp/deployment-packages/autoscale-payg/check-point-autoscale--payg.py.schema
index b9341dfa..e8dbbe5d 100755
--- a/gcp/deployment-packages/autoscale-payg/check-point-autoscale--payg.py.schema
+++ b/gcp/deployment-packages/autoscale-payg/check-point-autoscale--payg.py.schema
@@ -171,6 +171,7 @@ properties:
 enum:
 - R81.10 Autoscaling
 - R81.20 Autoscaling
+ - R82 Autoscaling
 managementName:
 type: string
 default: 'checkpoint-management'
diff --git a/gcp/deployment-packages/autoscale-payg/images.py b/gcp/deployment-packages/autoscale-payg/images.py
index 7b04bee0..46c40abd 100755
--- a/gcp/deployment-packages/autoscale-payg/images.py
+++ b/gcp/deployment-packages/autoscale-payg/images.py
@@ -1,34 +1,34 @@
 IMAGES = {
- "check-point-r8120-payg": "check-point-r8120-payg-631-991001560-v20240425",
- "check-point-r8120-gw-payg-single": "check-point-r8120-gw-payg-single-631-991001560-v20240425",
- "check-point-r8120-gw-payg-mig": "check-point-r8120-gw-payg-mig-631-991001560-v20240425",
- "check-point-r8120-gw-payg-cluster": "check-point-r8120-gw-payg-cluster-631-991001560-v20240425",
- "check-point-r8120-gw-byol-single": "check-point-r8120-gw-byol-single-631-991001560-v20240425",
- "check-point-r8120-gw-byol-mig": "check-point-r8120-gw-byol-mig-631-991001560-v20240425",
- "check-point-r8120-gw-byol-cluster": "check-point-r8120-gw-byol-cluster-631-991001560-v20240425",
- "check-point-r8120-byol": "check-point-r8120-byol-631-991001560-v20240425",
- "check-point-r8110-payg": "check-point-r8110-payg-335-991001560-v20240425",
- "check-point-r8110-gw-payg-single": "check-point-r8110-gw-payg-single-335-991001560-v20240425",
- "check-point-r8110-gw-payg-mig": "check-point-r8110-gw-payg-mig-335-991001560-v20240425",
- "check-point-r8110-gw-payg-cluster": "check-point-r8110-gw-payg-cluster-335-991001560-v20240425",
- "check-point-r8110-gw-byol-single": "check-point-r8110-gw-byol-single-335-991001560-v20240425",
- "check-point-r8110-gw-byol-mig": "check-point-r8110-gw-byol-mig-335-991001560-v20240425",
- "check-point-r8110-gw-byol-cluster": "check-point-r8110-gw-byol-cluster-335-991001560-v20240425",
- "check-point-r8110-byol": "check-point-r8110-byol-335-991001560-v20240425",
- "check-point-r81-payg": "check-point-r81-payg-392-991001560-v20240425",
- "check-point-r81-gw-payg-single": "check-point-r81-gw-payg-single-392-991001560-v20240425",
- "check-point-r81-gw-payg-mig": "check-point-r81-gw-payg-mig-392-991001560-v20240425",
- "check-point-r81-gw-payg-cluster": "check-point-r81-gw-payg-cluster-392-991001560-v20240425",
- "check-point-r81-gw-byol-single": "check-point-r81-gw-byol-single-392-991001560-v20240425",
- "check-point-r81-gw-byol-mig": 
"check-point-r81-gw-byol-mig-392-991001560-v20240425",
- "check-point-r81-gw-byol-cluster": "check-point-r81-gw-byol-cluster-392-991001560-v20240425",
- "check-point-r81-byol": "check-point-r81-byol-392-991001560-v20240425",
- "check-point-r8040-payg": "check-point-r8040-payg-294-991001560-v20240425",
- "check-point-r8040-gw-payg-single": "check-point-r8040-gw-payg-single-294-991001564-v20240505",
- "check-point-r8040-gw-payg-mig": "check-point-r8040-gw-payg-mig-294-991001564-v20240505",
- "check-point-r8040-gw-payg-cluster": "check-point-r8040-gw-payg-cluster-294-991001564-v20240505",
- "check-point-r8040-gw-byol-single": "check-point-r8040-gw-byol-single-294-991001564-v20240505",
- "check-point-r8040-gw-byol-mig": "check-point-r8040-gw-byol-mig-294-991001564-v20240505",
- "check-point-r8040-gw-byol-cluster": "check-point-r8040-gw-byol-cluster-294-991001564-v20240505",
- "check-point-r8040-byol": "check-point-r8040-byol-294-991001560-v20240425"
+ "check-point-r82-payg": "check-point-r82-payg-777-991001695-v20241021",
+ "check-point-r82-gw-payg-single": "check-point-r82-gw-payg-single-777-991001695-v20241021",
+ "check-point-r82-gw-payg-mig": "check-point-r82-gw-payg-mig-777-991001695-v20241021",
+ "check-point-r82-gw-payg-cluster": "check-point-r82-gw-payg-cluster-777-991001695-v20241021",
+ "check-point-r82-gw-byol-single": "check-point-r82-gw-byol-single-777-991001695-v20241021",
+ "check-point-r82-gw-byol-mig": "check-point-r82-gw-byol-mig-777-991001695-v20241021",
+ "check-point-r82-gw-byol-cluster": "check-point-r82-gw-byol-cluster-777-991001695-v20241021",
+ "check-point-r82-byol": "check-point-r82-byol-777-991001695-v20241021",
+ "check-point-r8120-payg": "check-point-r8120-payg-634-991001641-v20240807",
+ "check-point-r8120-gw-payg-single": "check-point-r8120-gw-payg-single-631-991001669-v20240923",
+ "check-point-r8120-gw-payg-mig": "check-point-r8120-gw-payg-mig-631-991001669-v20240923",
+ "check-point-r8120-gw-payg-cluster": 
"check-point-r8120-gw-payg-cluster-631-991001669-v20240923",
+ "check-point-r8120-gw-byol-single": "check-point-r8120-gw-byol-single-631-991001669-v20240923",
+ "check-point-r8120-gw-byol-mig": "check-point-r8120-gw-byol-mig-631-991001669-v20240923",
+ "check-point-r8120-gw-byol-cluster": "check-point-r8120-gw-byol-cluster-631-991001669-v20240923",
+ "check-point-r8120-byol": "check-point-r8120-byol-634-991001641-v20240807",
+ "check-point-r8110-payg": "check-point-r8110-payg-335-991001681-v20241009",
+ "check-point-r8110-gw-payg-single": "check-point-r8110-gw-payg-single-335-991001681-v20241009",
+ "check-point-r8110-gw-payg-mig": "check-point-r8110-gw-payg-mig-335-991001681-v20241009",
+ "check-point-r8110-gw-payg-cluster": "check-point-r8110-gw-payg-cluster-335-991001681-v20241009",
+ "check-point-r8110-gw-byol-single": "check-point-r8110-gw-byol-single-335-991001681-v20241009",
+ "check-point-r8110-gw-byol-mig": "check-point-r8110-gw-byol-mig-335-991001681-v20241009",
+ "check-point-r8110-gw-byol-cluster": "check-point-r8110-gw-byol-cluster-335-991001681-v20241009",
+ "check-point-r8110-byol": "check-point-r8110-byol-335-991001681-v20241009",
+ "check-point-r81-payg": "check-point-r81-payg-392-991001616-v20240619",
+ "check-point-r81-gw-payg-single": "check-point-r81-gw-payg-single-392-991001616-v20240619",
+ "check-point-r81-gw-payg-mig": "check-point-r81-gw-payg-mig-392-991001616-v20240619",
+ "check-point-r81-gw-payg-cluster": "check-point-r81-gw-payg-cluster-392-991001616-v20240619",
+ "check-point-r81-gw-byol-single": "check-point-r81-gw-byol-single-392-991001616-v20240619",
+ "check-point-r81-gw-byol-mig": "check-point-r81-gw-byol-mig-392-991001616-v20240619",
+ "check-point-r81-gw-byol-cluster": "check-point-r81-gw-byol-cluster-392-991001616-v20240619",
+ "check-point-r81-byol": "check-point-r81-byol-392-991001616-v20240619"
 }
\ No newline at end of file
diff --git a/gcp/deployment-packages/ha-byol/README.md b/gcp/deployment-packages/ha-byol/README.md
index f915c4b4..660afa73 100644
--- a/gcp/deployment-packages/ha-byol/README.md
+++ b/gcp/deployment-packages/ha-byol/README.md
@@ -43,7 +43,7 @@ To deploy the Deployment Manager's package manually, without using the GCP Marke
 ## config.yaml variables
 | Name | Description | Type | Allowed values |
 | ------------- | ------------- | ------------- | ------------- |
-| **ha_version** | High Availability Version | string | R80.40 Cluster;
R81.00 Cluster;
R81.10 Cluster;
R81.20 Cluster; |
+| **ha_version** | High Availability Version | string | R80.40 Cluster;
R81.00 Cluster;
R81.10 Cluster;
R81.20 Cluster;
R82 Cluster;|
 | | | | | | |
 | **zoneA** | Member A Zone. The zone determines what computing resources are available and where your data is stored and used | string | List of allowed [Regions and Zones](https://cloud.google.com/compute/docs/regions-zones?_ga=2.31926582.-962483654.1585043745) |
 | | | | | | |
diff --git a/gcp/deployment-packages/ha-byol/check-point-cluster--byol.py b/gcp/deployment-packages/ha-byol/check-point-cluster--byol.py
index 4a66ea50..9a7ad76e 100755
--- a/gcp/deployment-packages/ha-byol/check-point-cluster--byol.py
+++ b/gcp/deployment-packages/ha-byol/check-point-cluster--byol.py
@@ -17,7 +17,8 @@ VERSIONS = {
 'R81.10': 'r8110-gw',
- 'R81.20': 'r8120-gw'
+ 'R81.20': 'r8120-gw',
+ 'R82': 'r82-gw'
 }
 TEMPLATE_NAME = 'cluster'
diff --git a/gcp/deployment-packages/ha-byol/check-point-cluster--byol.py.schema b/gcp/deployment-packages/ha-byol/check-point-cluster--byol.py.schema
index d01c7887..eddbcbf4 100755
--- a/gcp/deployment-packages/ha-byol/check-point-cluster--byol.py.schema
+++ b/gcp/deployment-packages/ha-byol/check-point-cluster--byol.py.schema
@@ -73,6 +73,7 @@ properties:
 enum:
 - R81.10 Cluster
 - R81.20 Cluster
+ - R82 Cluster
 enableMonitoring:
 type: boolean
 default: False
diff --git a/gcp/deployment-packages/ha-byol/images.py b/gcp/deployment-packages/ha-byol/images.py
index 7b04bee0..46c40abd 100755
--- a/gcp/deployment-packages/ha-byol/images.py
+++ b/gcp/deployment-packages/ha-byol/images.py
@@ -1,34 +1,34 @@
 IMAGES = {
- "check-point-r8120-payg": "check-point-r8120-payg-631-991001560-v20240425",
- "check-point-r8120-gw-payg-single": "check-point-r8120-gw-payg-single-631-991001560-v20240425",
- "check-point-r8120-gw-payg-mig": "check-point-r8120-gw-payg-mig-631-991001560-v20240425",
- "check-point-r8120-gw-payg-cluster": "check-point-r8120-gw-payg-cluster-631-991001560-v20240425",
- "check-point-r8120-gw-byol-single": "check-point-r8120-gw-byol-single-631-991001560-v20240425",
- "check-point-r8120-gw-byol-mig": "check-point-r8120-gw-byol-mig-631-991001560-v20240425",
- "check-point-r8120-gw-byol-cluster": "check-point-r8120-gw-byol-cluster-631-991001560-v20240425",
- "check-point-r8120-byol": "check-point-r8120-byol-631-991001560-v20240425",
- "check-point-r8110-payg": "check-point-r8110-payg-335-991001560-v20240425",
- "check-point-r8110-gw-payg-single": "check-point-r8110-gw-payg-single-335-991001560-v20240425",
- "check-point-r8110-gw-payg-mig": "check-point-r8110-gw-payg-mig-335-991001560-v20240425",
- "check-point-r8110-gw-payg-cluster": "check-point-r8110-gw-payg-cluster-335-991001560-v20240425",
- "check-point-r8110-gw-byol-single": "check-point-r8110-gw-byol-single-335-991001560-v20240425",
- "check-point-r8110-gw-byol-mig": "check-point-r8110-gw-byol-mig-335-991001560-v20240425",
- "check-point-r8110-gw-byol-cluster": "check-point-r8110-gw-byol-cluster-335-991001560-v20240425",
- "check-point-r8110-byol": "check-point-r8110-byol-335-991001560-v20240425",
- "check-point-r81-payg": "check-point-r81-payg-392-991001560-v20240425",
- "check-point-r81-gw-payg-single": "check-point-r81-gw-payg-single-392-991001560-v20240425",
- "check-point-r81-gw-payg-mig": "check-point-r81-gw-payg-mig-392-991001560-v20240425",
- "check-point-r81-gw-payg-cluster": "check-point-r81-gw-payg-cluster-392-991001560-v20240425",
- "check-point-r81-gw-byol-single": "check-point-r81-gw-byol-single-392-991001560-v20240425",
- "check-point-r81-gw-byol-mig": 
"check-point-r81-gw-byol-mig-392-991001560-v20240425",
- "check-point-r81-gw-byol-cluster": "check-point-r81-gw-byol-cluster-392-991001560-v20240425",
- "check-point-r81-byol": "check-point-r81-byol-392-991001560-v20240425",
- "check-point-r8040-payg": "check-point-r8040-payg-294-991001560-v20240425",
- "check-point-r8040-gw-payg-single": "check-point-r8040-gw-payg-single-294-991001564-v20240505",
- "check-point-r8040-gw-payg-mig": "check-point-r8040-gw-payg-mig-294-991001564-v20240505",
- "check-point-r8040-gw-payg-cluster": "check-point-r8040-gw-payg-cluster-294-991001564-v20240505",
- "check-point-r8040-gw-byol-single": "check-point-r8040-gw-byol-single-294-991001564-v20240505",
- "check-point-r8040-gw-byol-mig": "check-point-r8040-gw-byol-mig-294-991001564-v20240505",
- "check-point-r8040-gw-byol-cluster": "check-point-r8040-gw-byol-cluster-294-991001564-v20240505",
- "check-point-r8040-byol": "check-point-r8040-byol-294-991001560-v20240425"
+ "check-point-r82-payg": "check-point-r82-payg-777-991001695-v20241021",
+ "check-point-r82-gw-payg-single": "check-point-r82-gw-payg-single-777-991001695-v20241021",
+ "check-point-r82-gw-payg-mig": "check-point-r82-gw-payg-mig-777-991001695-v20241021",
+ "check-point-r82-gw-payg-cluster": "check-point-r82-gw-payg-cluster-777-991001695-v20241021",
+ "check-point-r82-gw-byol-single": "check-point-r82-gw-byol-single-777-991001695-v20241021",
+ "check-point-r82-gw-byol-mig": "check-point-r82-gw-byol-mig-777-991001695-v20241021",
+ "check-point-r82-gw-byol-cluster": "check-point-r82-gw-byol-cluster-777-991001695-v20241021",
+ "check-point-r82-byol": "check-point-r82-byol-777-991001695-v20241021",
+ "check-point-r8120-payg": "check-point-r8120-payg-634-991001641-v20240807",
+ "check-point-r8120-gw-payg-single": "check-point-r8120-gw-payg-single-631-991001669-v20240923",
+ "check-point-r8120-gw-payg-mig": "check-point-r8120-gw-payg-mig-631-991001669-v20240923",
+ "check-point-r8120-gw-payg-cluster": 
"check-point-r8120-gw-payg-cluster-631-991001669-v20240923",
+ "check-point-r8120-gw-byol-single": "check-point-r8120-gw-byol-single-631-991001669-v20240923",
+ "check-point-r8120-gw-byol-mig": "check-point-r8120-gw-byol-mig-631-991001669-v20240923",
+ "check-point-r8120-gw-byol-cluster": "check-point-r8120-gw-byol-cluster-631-991001669-v20240923",
+ "check-point-r8120-byol": "check-point-r8120-byol-634-991001641-v20240807",
+ "check-point-r8110-payg": "check-point-r8110-payg-335-991001681-v20241009",
+ "check-point-r8110-gw-payg-single": "check-point-r8110-gw-payg-single-335-991001681-v20241009",
+ "check-point-r8110-gw-payg-mig": "check-point-r8110-gw-payg-mig-335-991001681-v20241009",
+ "check-point-r8110-gw-payg-cluster": "check-point-r8110-gw-payg-cluster-335-991001681-v20241009",
+ "check-point-r8110-gw-byol-single": "check-point-r8110-gw-byol-single-335-991001681-v20241009",
+ "check-point-r8110-gw-byol-mig": "check-point-r8110-gw-byol-mig-335-991001681-v20241009",
+ "check-point-r8110-gw-byol-cluster": "check-point-r8110-gw-byol-cluster-335-991001681-v20241009",
+ "check-point-r8110-byol": "check-point-r8110-byol-335-991001681-v20241009",
+ "check-point-r81-payg": "check-point-r81-payg-392-991001616-v20240619",
+ "check-point-r81-gw-payg-single": "check-point-r81-gw-payg-single-392-991001616-v20240619",
+ "check-point-r81-gw-payg-mig": "check-point-r81-gw-payg-mig-392-991001616-v20240619",
+ "check-point-r81-gw-payg-cluster": "check-point-r81-gw-payg-cluster-392-991001616-v20240619",
+ "check-point-r81-gw-byol-single": "check-point-r81-gw-byol-single-392-991001616-v20240619",
+ "check-point-r81-gw-byol-mig": "check-point-r81-gw-byol-mig-392-991001616-v20240619",
+ "check-point-r81-gw-byol-cluster": "check-point-r81-gw-byol-cluster-392-991001616-v20240619",
+ "check-point-r81-byol": "check-point-r81-byol-392-991001616-v20240619"
 }
\ No newline at end of file
diff --git a/gcp/deployment-packages/ha-payg/README.md b/gcp/deployment-packages/ha-payg/README.md
index 4f8405cd..fa12d90c 100644
--- a/gcp/deployment-packages/ha-payg/README.md
+++ b/gcp/deployment-packages/ha-payg/README.md
@@ -43,7 +43,7 @@ To deploy the Deployment Manager's package manually, without using the GCP Marke
 ## config.yaml variables
 | Name | Description | Type | Allowed values |
 | ------------- | ------------- | ------------- | ------------- |
-| **ha_version** | High Availability Version | string | R80.40 Cluster;
R81.00 Cluster;
R81.10 Cluster;
R81.20 Cluster; |
+| **ha_version** | High Availability Version | string | R80.40 Cluster;
R81.00 Cluster;
R81.10 Cluster;
R81.20 Cluster;
R82 Cluster;|
 | | | | | | |
 | **zoneA** | Member A Zone. The zone determines what computing resources are available and where your data is stored and used | string | List of allowed [Regions and Zones](https://cloud.google.com/compute/docs/regions-zones?_ga=2.31926582.-962483654.1585043745) |
 | | | | | | |
diff --git a/gcp/deployment-packages/ha-payg/check-point-cluster--payg.py b/gcp/deployment-packages/ha-payg/check-point-cluster--payg.py
index d65178a6..0bc5dc6c 100755
--- a/gcp/deployment-packages/ha-payg/check-point-cluster--payg.py
+++ b/gcp/deployment-packages/ha-payg/check-point-cluster--payg.py
@@ -17,7 +17,8 @@ VERSIONS = {
 'R81.10': 'r8110-gw',
- 'R81.20': 'r8120-gw'
+ 'R81.20': 'r8120-gw',
+ 'R82': 'r82-gw'
 }
 TEMPLATE_NAME = 'cluster'
diff --git a/gcp/deployment-packages/ha-payg/check-point-cluster--payg.py.schema b/gcp/deployment-packages/ha-payg/check-point-cluster--payg.py.schema
index b3b513b6..d257e117 100755
--- a/gcp/deployment-packages/ha-payg/check-point-cluster--payg.py.schema
+++ b/gcp/deployment-packages/ha-payg/check-point-cluster--payg.py.schema
@@ -73,6 +73,7 @@ properties:
 enum:
 - R81.10 Cluster
 - R81.20 Cluster
+ - R82 Cluster
 enableMonitoring:
 type: boolean
 default: False
diff --git a/gcp/deployment-packages/ha-payg/images.py b/gcp/deployment-packages/ha-payg/images.py
index 7b04bee0..46c40abd 100755
--- a/gcp/deployment-packages/ha-payg/images.py
+++ b/gcp/deployment-packages/ha-payg/images.py
@@ -1,34 +1,34 @@
 IMAGES = {
- "check-point-r8120-payg": "check-point-r8120-payg-631-991001560-v20240425",
- "check-point-r8120-gw-payg-single": "check-point-r8120-gw-payg-single-631-991001560-v20240425",
- "check-point-r8120-gw-payg-mig": "check-point-r8120-gw-payg-mig-631-991001560-v20240425",
- "check-point-r8120-gw-payg-cluster": "check-point-r8120-gw-payg-cluster-631-991001560-v20240425",
- "check-point-r8120-gw-byol-single": "check-point-r8120-gw-byol-single-631-991001560-v20240425",
- "check-point-r8120-gw-byol-mig": "check-point-r8120-gw-byol-mig-631-991001560-v20240425",
- "check-point-r8120-gw-byol-cluster": "check-point-r8120-gw-byol-cluster-631-991001560-v20240425",
- "check-point-r8120-byol": "check-point-r8120-byol-631-991001560-v20240425",
- "check-point-r8110-payg": "check-point-r8110-payg-335-991001560-v20240425",
- "check-point-r8110-gw-payg-single": "check-point-r8110-gw-payg-single-335-991001560-v20240425",
- "check-point-r8110-gw-payg-mig": "check-point-r8110-gw-payg-mig-335-991001560-v20240425",
- "check-point-r8110-gw-payg-cluster": "check-point-r8110-gw-payg-cluster-335-991001560-v20240425",
- "check-point-r8110-gw-byol-single": "check-point-r8110-gw-byol-single-335-991001560-v20240425",
- "check-point-r8110-gw-byol-mig": "check-point-r8110-gw-byol-mig-335-991001560-v20240425",
- "check-point-r8110-gw-byol-cluster": "check-point-r8110-gw-byol-cluster-335-991001560-v20240425",
- "check-point-r8110-byol": "check-point-r8110-byol-335-991001560-v20240425",
- "check-point-r81-payg": "check-point-r81-payg-392-991001560-v20240425",
- "check-point-r81-gw-payg-single": "check-point-r81-gw-payg-single-392-991001560-v20240425",
- "check-point-r81-gw-payg-mig": "check-point-r81-gw-payg-mig-392-991001560-v20240425",
- "check-point-r81-gw-payg-cluster": "check-point-r81-gw-payg-cluster-392-991001560-v20240425",
- "check-point-r81-gw-byol-single": "check-point-r81-gw-byol-single-392-991001560-v20240425",
- "check-point-r81-gw-byol-mig": 
"check-point-r81-gw-byol-mig-392-991001560-v20240425",
- "check-point-r81-gw-byol-cluster": "check-point-r81-gw-byol-cluster-392-991001560-v20240425",
- "check-point-r81-byol": "check-point-r81-byol-392-991001560-v20240425",
- "check-point-r8040-payg": "check-point-r8040-payg-294-991001560-v20240425",
- "check-point-r8040-gw-payg-single": "check-point-r8040-gw-payg-single-294-991001564-v20240505",
- "check-point-r8040-gw-payg-mig": "check-point-r8040-gw-payg-mig-294-991001564-v20240505",
- "check-point-r8040-gw-payg-cluster": "check-point-r8040-gw-payg-cluster-294-991001564-v20240505",
- "check-point-r8040-gw-byol-single": "check-point-r8040-gw-byol-single-294-991001564-v20240505",
- "check-point-r8040-gw-byol-mig": "check-point-r8040-gw-byol-mig-294-991001564-v20240505",
- "check-point-r8040-gw-byol-cluster": "check-point-r8040-gw-byol-cluster-294-991001564-v20240505",
- "check-point-r8040-byol": "check-point-r8040-byol-294-991001560-v20240425"
+ "check-point-r82-payg": "check-point-r82-payg-777-991001695-v20241021",
+ "check-point-r82-gw-payg-single": "check-point-r82-gw-payg-single-777-991001695-v20241021",
+ "check-point-r82-gw-payg-mig": "check-point-r82-gw-payg-mig-777-991001695-v20241021",
+ "check-point-r82-gw-payg-cluster": "check-point-r82-gw-payg-cluster-777-991001695-v20241021",
+ "check-point-r82-gw-byol-single": "check-point-r82-gw-byol-single-777-991001695-v20241021",
+ "check-point-r82-gw-byol-mig": "check-point-r82-gw-byol-mig-777-991001695-v20241021",
+ "check-point-r82-gw-byol-cluster": "check-point-r82-gw-byol-cluster-777-991001695-v20241021",
+ "check-point-r82-byol": "check-point-r82-byol-777-991001695-v20241021",
+ "check-point-r8120-payg": "check-point-r8120-payg-634-991001641-v20240807",
+ "check-point-r8120-gw-payg-single": "check-point-r8120-gw-payg-single-631-991001669-v20240923",
+ "check-point-r8120-gw-payg-mig": "check-point-r8120-gw-payg-mig-631-991001669-v20240923",
+ "check-point-r8120-gw-payg-cluster": 
"check-point-r8120-gw-payg-cluster-631-991001669-v20240923",
+ "check-point-r8120-gw-byol-single": "check-point-r8120-gw-byol-single-631-991001669-v20240923",
+ "check-point-r8120-gw-byol-mig": "check-point-r8120-gw-byol-mig-631-991001669-v20240923",
+ "check-point-r8120-gw-byol-cluster": "check-point-r8120-gw-byol-cluster-631-991001669-v20240923",
+ "check-point-r8120-byol": "check-point-r8120-byol-634-991001641-v20240807",
+ "check-point-r8110-payg": "check-point-r8110-payg-335-991001681-v20241009",
+ "check-point-r8110-gw-payg-single": "check-point-r8110-gw-payg-single-335-991001681-v20241009",
+ "check-point-r8110-gw-payg-mig": "check-point-r8110-gw-payg-mig-335-991001681-v20241009",
+ "check-point-r8110-gw-payg-cluster": "check-point-r8110-gw-payg-cluster-335-991001681-v20241009",
+ "check-point-r8110-gw-byol-single": "check-point-r8110-gw-byol-single-335-991001681-v20241009",
+ "check-point-r8110-gw-byol-mig": "check-point-r8110-gw-byol-mig-335-991001681-v20241009",
+ "check-point-r8110-gw-byol-cluster": "check-point-r8110-gw-byol-cluster-335-991001681-v20241009",
+ "check-point-r8110-byol": "check-point-r8110-byol-335-991001681-v20241009",
+ "check-point-r81-payg": "check-point-r81-payg-392-991001616-v20240619",
+ "check-point-r81-gw-payg-single": "check-point-r81-gw-payg-single-392-991001616-v20240619",
+ "check-point-r81-gw-payg-mig": "check-point-r81-gw-payg-mig-392-991001616-v20240619",
+ "check-point-r81-gw-payg-cluster": "check-point-r81-gw-payg-cluster-392-991001616-v20240619",
+ "check-point-r81-gw-byol-single": "check-point-r81-gw-byol-single-392-991001616-v20240619",
+ "check-point-r81-gw-byol-mig": "check-point-r81-gw-byol-mig-392-991001616-v20240619",
+ "check-point-r81-gw-byol-cluster": "check-point-r81-gw-byol-cluster-392-991001616-v20240619",
+ "check-point-r81-byol": "check-point-r81-byol-392-991001616-v20240619"
 }
\ No newline at end of file
diff --git a/gcp/deployment-packages/single-byol/README.md b/gcp/deployment-packages/single-byol/README.md
index 4c14d447..5e589c22 100644
--- a/gcp/deployment-packages/single-byol/README.md
+++ b/gcp/deployment-packages/single-byol/README.md
@@ -65,7 +65,7 @@ To deploy the Deployment Manager's package manually, without using the GCP Marke
 | | | | | | |
 | **externalIP** | External IP address type | string | Static;
Ephemeral;
None;
An external IP address associated with this instance. Selecting "None" will result in the instance having no external internet access. [Learn more](https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address?_ga=2.259654658.-962483654.1585043745) |
 | | | | | | |
-| **installationType** | Installation type and version | string | R80.40 Gateway only
R80.40 Management only
R80.40 Manual Configuration
R80.40 Gateway and Management (Standalone)
R81.00 Gateway only
R81.00 Management only
R81.00 Manual Configuration
R81.00 Gateway and Management (Standalone)
R81.10 Gateway only
R81.10 Management only
R81.10 Manual Configuration
R81.10 Gateway and Management (Standalone)
R81.20 Gateway only
R81.20 Management only
R81.20 Manual Configuration
R81.20 Gateway and Management (Standalone) |
+| **installationType** | Installation type and version | string | R81.10 Gateway only
R81.10 Management only
R81.10 Manual Configuration
R81.10 Gateway and Management (Standalone)
R81.20 Gateway only
R81.20 Management only
R81.20 Manual Configuration
R81.20 Gateway and Management (Standalone)
R82 Gateway only
R82 Management only
R82 Manual Configuration
R82 Gateway and Management (Standalone) |
 | | | | | | |
 | **smart1CloudToken** | Smart-1 Cloud token to connect this gateway to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal.|
 | | | | | | |
diff --git a/gcp/deployment-packages/single-byol/check-point-vsec--byol.py b/gcp/deployment-packages/single-byol/check-point-vsec--byol.py
index 3cef893f..2916b92d 100755
--- a/gcp/deployment-packages/single-byol/check-point-vsec--byol.py
+++ b/gcp/deployment-packages/single-byol/check-point-vsec--byol.py
@@ -15,7 +15,9 @@
 'R81.10': 'r8110',
 'R81.10-GW': 'r8110-gw',
 'R81.20': 'r8120',
- 'R81.20-GW': 'r8120-gw'
+ 'R81.20-GW': 'r8120-gw',
+ 'R82': 'r82',
+ 'R82-GW': 'r82-gw'
 }
 ADDITIONAL_NETWORK = 'additionalNetwork{}'
diff --git a/gcp/deployment-packages/single-byol/check-point-vsec--byol.py.schema b/gcp/deployment-packages/single-byol/check-point-vsec--byol.py.schema
index 2a3c922a..4ca0f5a2 100755
--- a/gcp/deployment-packages/single-byol/check-point-vsec--byol.py.schema
+++ b/gcp/deployment-packages/single-byol/check-point-vsec--byol.py.schema
@@ -154,6 +154,10 @@ properties:
 - R81.20 Management only
 - R81.20 Manual Configuration
 - R81.20 Gateway and Management (Standalone)
+ - R82 Gateway only
+ - R82 Management only
+ - R82 Manual Configuration
+ - R82 Gateway and Management (Standalone)
 maintenanceMode:
 type: string
 pattern: ^([a-z0-9A-Z.]{12,300}|)$
diff --git a/gcp/deployment-packages/single-byol/images.py b/gcp/deployment-packages/single-byol/images.py
index 7b04bee0..46c40abd 100755
--- a/gcp/deployment-packages/single-byol/images.py
+++ b/gcp/deployment-packages/single-byol/images.py
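Review bot: The single-byol README hunk removes the R80.40 and R81.00 installation types, but the VERSIONS hunk here and the schema enum hunk show only R82 additions and no removals, so whether `R80.40`/`R80.40-GW` keys and `R80.40 ...` enum values still exist above the visible context cannot be told from the diff. If they do remain, the schema would still accept a version whose `check-point-r8040-*` images this commit deletes from images.py, and those keys and enum values should go in the same commit; if they are already gone, the README change is consistent. The VERSIONS dict starts above this hunk.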
@@ -1,34 +1,34 @@ IMAGES = { - "check-point-r8120-payg": "check-point-r8120-payg-631-991001560-v20240425", - "check-point-r8120-gw-payg-single": "check-point-r8120-gw-payg-single-631-991001560-v20240425", - "check-point-r8120-gw-payg-mig": "check-point-r8120-gw-payg-mig-631-991001560-v20240425", - "check-point-r8120-gw-payg-cluster": "check-point-r8120-gw-payg-cluster-631-991001560-v20240425", - "check-point-r8120-gw-byol-single": "check-point-r8120-gw-byol-single-631-991001560-v20240425", - "check-point-r8120-gw-byol-mig": "check-point-r8120-gw-byol-mig-631-991001560-v20240425", - "check-point-r8120-gw-byol-cluster": "check-point-r8120-gw-byol-cluster-631-991001560-v20240425", - "check-point-r8120-byol": "check-point-r8120-byol-631-991001560-v20240425", - "check-point-r8110-payg": "check-point-r8110-payg-335-991001560-v20240425", - "check-point-r8110-gw-payg-single": "check-point-r8110-gw-payg-single-335-991001560-v20240425", - "check-point-r8110-gw-payg-mig": "check-point-r8110-gw-payg-mig-335-991001560-v20240425", - "check-point-r8110-gw-payg-cluster": "check-point-r8110-gw-payg-cluster-335-991001560-v20240425", - "check-point-r8110-gw-byol-single": "check-point-r8110-gw-byol-single-335-991001560-v20240425", - "check-point-r8110-gw-byol-mig": "check-point-r8110-gw-byol-mig-335-991001560-v20240425", - "check-point-r8110-gw-byol-cluster": "check-point-r8110-gw-byol-cluster-335-991001560-v20240425", - "check-point-r8110-byol": "check-point-r8110-byol-335-991001560-v20240425", - "check-point-r81-payg": "check-point-r81-payg-392-991001560-v20240425", - "check-point-r81-gw-payg-single": "check-point-r81-gw-payg-single-392-991001560-v20240425", - "check-point-r81-gw-payg-mig": "check-point-r81-gw-payg-mig-392-991001560-v20240425", - "check-point-r81-gw-payg-cluster": "check-point-r81-gw-payg-cluster-392-991001560-v20240425", - "check-point-r81-gw-byol-single": "check-point-r81-gw-byol-single-392-991001560-v20240425", - "check-point-r81-gw-byol-mig": 
"check-point-r81-gw-byol-mig-392-991001560-v20240425", - "check-point-r81-gw-byol-cluster": "check-point-r81-gw-byol-cluster-392-991001560-v20240425", - "check-point-r81-byol": "check-point-r81-byol-392-991001560-v20240425", - "check-point-r8040-payg": "check-point-r8040-payg-294-991001560-v20240425", - "check-point-r8040-gw-payg-single": "check-point-r8040-gw-payg-single-294-991001564-v20240505", - "check-point-r8040-gw-payg-mig": "check-point-r8040-gw-payg-mig-294-991001564-v20240505", - "check-point-r8040-gw-payg-cluster": "check-point-r8040-gw-payg-cluster-294-991001564-v20240505", - "check-point-r8040-gw-byol-single": "check-point-r8040-gw-byol-single-294-991001564-v20240505", - "check-point-r8040-gw-byol-mig": "check-point-r8040-gw-byol-mig-294-991001564-v20240505", - "check-point-r8040-gw-byol-cluster": "check-point-r8040-gw-byol-cluster-294-991001564-v20240505", - "check-point-r8040-byol": "check-point-r8040-byol-294-991001560-v20240425" + "check-point-r82-payg": "check-point-r82-payg-777-991001695-v20241021", + "check-point-r82-gw-payg-single": "check-point-r82-gw-payg-single-777-991001695-v20241021", + "check-point-r82-gw-payg-mig": "check-point-r82-gw-payg-mig-777-991001695-v20241021", + "check-point-r82-gw-payg-cluster": "check-point-r82-gw-payg-cluster-777-991001695-v20241021", + "check-point-r82-gw-byol-single": "check-point-r82-gw-byol-single-777-991001695-v20241021", + "check-point-r82-gw-byol-mig": "check-point-r82-gw-byol-mig-777-991001695-v20241021", + "check-point-r82-gw-byol-cluster": "check-point-r82-gw-byol-cluster-777-991001695-v20241021", + "check-point-r82-byol": "check-point-r82-byol-777-991001695-v20241021", + "check-point-r8120-payg": "check-point-r8120-payg-634-991001641-v20240807", + "check-point-r8120-gw-payg-single": "check-point-r8120-gw-payg-single-631-991001669-v20240923", + "check-point-r8120-gw-payg-mig": "check-point-r8120-gw-payg-mig-631-991001669-v20240923", + "check-point-r8120-gw-payg-cluster": 
"check-point-r8120-gw-payg-cluster-631-991001669-v20240923", + "check-point-r8120-gw-byol-single": "check-point-r8120-gw-byol-single-631-991001669-v20240923", + "check-point-r8120-gw-byol-mig": "check-point-r8120-gw-byol-mig-631-991001669-v20240923", + "check-point-r8120-gw-byol-cluster": "check-point-r8120-gw-byol-cluster-631-991001669-v20240923", + "check-point-r8120-byol": "check-point-r8120-byol-634-991001641-v20240807", + "check-point-r8110-payg": "check-point-r8110-payg-335-991001681-v20241009", + "check-point-r8110-gw-payg-single": "check-point-r8110-gw-payg-single-335-991001681-v20241009", + "check-point-r8110-gw-payg-mig": "check-point-r8110-gw-payg-mig-335-991001681-v20241009", + "check-point-r8110-gw-payg-cluster": "check-point-r8110-gw-payg-cluster-335-991001681-v20241009", + "check-point-r8110-gw-byol-single": "check-point-r8110-gw-byol-single-335-991001681-v20241009", + "check-point-r8110-gw-byol-mig": "check-point-r8110-gw-byol-mig-335-991001681-v20241009", + "check-point-r8110-gw-byol-cluster": "check-point-r8110-gw-byol-cluster-335-991001681-v20241009", + "check-point-r8110-byol": "check-point-r8110-byol-335-991001681-v20241009", + "check-point-r81-payg": "check-point-r81-payg-392-991001616-v20240619", + "check-point-r81-gw-payg-single": "check-point-r81-gw-payg-single-392-991001616-v20240619", + "check-point-r81-gw-payg-mig": "check-point-r81-gw-payg-mig-392-991001616-v20240619", + "check-point-r81-gw-payg-cluster": "check-point-r81-gw-payg-cluster-392-991001616-v20240619", + "check-point-r81-gw-byol-single": "check-point-r81-gw-byol-single-392-991001616-v20240619", + "check-point-r81-gw-byol-mig": "check-point-r81-gw-byol-mig-392-991001616-v20240619", + "check-point-r81-gw-byol-cluster": "check-point-r81-gw-byol-cluster-392-991001616-v20240619", + "check-point-r81-byol": "check-point-r81-byol-392-991001616-v20240619" } \ No newline at end of file 
diff --git a/gcp/deployment-packages/single-payg/README.md b/gcp/deployment-packages/single-payg/README.md index c3f9443a..18b4bf04 100644 --- a/gcp/deployment-packages/single-payg/README.md +++ b/gcp/deployment-packages/single-payg/README.md @@ -65,7 +65,7 @@ To deploy the Deployment Manager's package manually, without using the GCP Marke | | | | | | | **externalIP** | External IP address type | string | Static;
Ephemeral;
None;
An external IP address associated with this instance. Selecting "None" will result in the instance having no external internet access. [Learn more](https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address?_ga=2.259654658.-962483654.1585043745) | | | | | | | -| **installationType** | Installation type and version | string | R80.40 Gateway only
R80.40 Management only
R80.40 Manual Configuration
R80.40 Gateway and Management (Standalone)
R81.00 Gateway only
R81.00 Management only
R81.00 Manual Configuration
R81.00 Gateway and Management (Standalone)
R81.10 Gateway only
R81.10 Management only
R81.10 Manual Configuration
R81.10 Gateway and Management (Standalone)
R81.20 Gateway only
R81.20 Management only
R81.20 Manual Configuration
R81.20 Gateway and Management (Standalone) | +| **installationType** | Installation type and version | string | R81.10 Gateway only
R81.10 Management only
R81.10 Manual Configuration
R81.10 Gateway and Management (Standalone)
R81.20 Gateway only
R81.20 Management only
R81.20 Manual Configuration
R81.20 Gateway and Management (Standalone)
R82 Gateway only
R82 Management only
R82 Manual Configuration
R82 Gateway and Management (Standalone) | | **smart1CloudToken** | Smart-1 Cloud token to connect this gateway to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal.| | | | | | | | **diskType** | Disk type | string | pd-ssd;
pd-standard;
Storage space is much less expensive for a standard persistent disk. An SSD persistent disk is better for random IOPS or streaming throughput with low latency. [Learn more](https://cloud.google.com/compute/docs/disks/?hl=en_US&_ga=2.66020774.-962483654.1585043745#overview_of_disk_types)| diff --git a/gcp/deployment-packages/single-payg/check-point-vsec--payg.py b/gcp/deployment-packages/single-payg/check-point-vsec--payg.py index a5dfbedf..100134ae 100755 --- a/gcp/deployment-packages/single-payg/check-point-vsec--payg.py +++ b/gcp/deployment-packages/single-payg/check-point-vsec--payg.py @@ -15,7 +15,9 @@ 'R81.10': 'r8110', 'R81.10-GW': 'r8110-gw', 'R81.20': 'r8120', - 'R81.20-GW': 'r8120-gw' + 'R81.20-GW': 'r8120-gw', + 'R82': 'r82', + 'R82-GW': 'r82-gw' } ADDITIONAL_NETWORK = 'additionalNetwork{}' diff --git a/gcp/deployment-packages/single-payg/check-point-vsec--payg.py.schema b/gcp/deployment-packages/single-payg/check-point-vsec--payg.py.schema index 50f3e9bb..988c88f7 100755 --- a/gcp/deployment-packages/single-payg/check-point-vsec--payg.py.schema +++ b/gcp/deployment-packages/single-payg/check-point-vsec--payg.py.schema @@ -152,6 +152,10 @@ properties: - R81.20 Gateway only - R81.20 Manual Configuration - R81.20 Gateway and Management (Standalone) + - R82 Gateway only + - R82 Management only + - R82 Manual Configuration + - R82 Gateway and Management (Standalone) maintenanceMode: type: string pattern: ^([a-z0-9A-Z.]{12,300}|)$ diff --git a/gcp/deployment-packages/single-payg/images.py b/gcp/deployment-packages/single-payg/images.py index 7b04bee0..46c40abd 100755 --- a/gcp/deployment-packages/single-payg/images.py +++ b/gcp/deployment-packages/single-payg/images.py 
@@ -1,34 +1,34 @@ IMAGES = { - "check-point-r8120-payg": "check-point-r8120-payg-631-991001560-v20240425", - "check-point-r8120-gw-payg-single": "check-point-r8120-gw-payg-single-631-991001560-v20240425", - "check-point-r8120-gw-payg-mig": "check-point-r8120-gw-payg-mig-631-991001560-v20240425", - "check-point-r8120-gw-payg-cluster": "check-point-r8120-gw-payg-cluster-631-991001560-v20240425", - "check-point-r8120-gw-byol-single": "check-point-r8120-gw-byol-single-631-991001560-v20240425", - "check-point-r8120-gw-byol-mig": "check-point-r8120-gw-byol-mig-631-991001560-v20240425", - "check-point-r8120-gw-byol-cluster": "check-point-r8120-gw-byol-cluster-631-991001560-v20240425", - "check-point-r8120-byol": "check-point-r8120-byol-631-991001560-v20240425", - "check-point-r8110-payg": "check-point-r8110-payg-335-991001560-v20240425", - "check-point-r8110-gw-payg-single": "check-point-r8110-gw-payg-single-335-991001560-v20240425", - "check-point-r8110-gw-payg-mig": "check-point-r8110-gw-payg-mig-335-991001560-v20240425", - "check-point-r8110-gw-payg-cluster": "check-point-r8110-gw-payg-cluster-335-991001560-v20240425", - "check-point-r8110-gw-byol-single": "check-point-r8110-gw-byol-single-335-991001560-v20240425", - "check-point-r8110-gw-byol-mig": "check-point-r8110-gw-byol-mig-335-991001560-v20240425", - "check-point-r8110-gw-byol-cluster": "check-point-r8110-gw-byol-cluster-335-991001560-v20240425", - "check-point-r8110-byol": "check-point-r8110-byol-335-991001560-v20240425", - "check-point-r81-payg": "check-point-r81-payg-392-991001560-v20240425", - "check-point-r81-gw-payg-single": "check-point-r81-gw-payg-single-392-991001560-v20240425", - "check-point-r81-gw-payg-mig": "check-point-r81-gw-payg-mig-392-991001560-v20240425", - "check-point-r81-gw-payg-cluster": "check-point-r81-gw-payg-cluster-392-991001560-v20240425", - "check-point-r81-gw-byol-single": "check-point-r81-gw-byol-single-392-991001560-v20240425", - "check-point-r81-gw-byol-mig": 
"check-point-r81-gw-byol-mig-392-991001560-v20240425", - "check-point-r81-gw-byol-cluster": "check-point-r81-gw-byol-cluster-392-991001560-v20240425", - "check-point-r81-byol": "check-point-r81-byol-392-991001560-v20240425", - "check-point-r8040-payg": "check-point-r8040-payg-294-991001560-v20240425", - "check-point-r8040-gw-payg-single": "check-point-r8040-gw-payg-single-294-991001564-v20240505", - "check-point-r8040-gw-payg-mig": "check-point-r8040-gw-payg-mig-294-991001564-v20240505", - "check-point-r8040-gw-payg-cluster": "check-point-r8040-gw-payg-cluster-294-991001564-v20240505", - "check-point-r8040-gw-byol-single": "check-point-r8040-gw-byol-single-294-991001564-v20240505", - "check-point-r8040-gw-byol-mig": "check-point-r8040-gw-byol-mig-294-991001564-v20240505", - "check-point-r8040-gw-byol-cluster": "check-point-r8040-gw-byol-cluster-294-991001564-v20240505", - "check-point-r8040-byol": "check-point-r8040-byol-294-991001560-v20240425" + "check-point-r82-payg": "check-point-r82-payg-777-991001695-v20241021", + "check-point-r82-gw-payg-single": "check-point-r82-gw-payg-single-777-991001695-v20241021", + "check-point-r82-gw-payg-mig": "check-point-r82-gw-payg-mig-777-991001695-v20241021", + "check-point-r82-gw-payg-cluster": "check-point-r82-gw-payg-cluster-777-991001695-v20241021", + "check-point-r82-gw-byol-single": "check-point-r82-gw-byol-single-777-991001695-v20241021", + "check-point-r82-gw-byol-mig": "check-point-r82-gw-byol-mig-777-991001695-v20241021", + "check-point-r82-gw-byol-cluster": "check-point-r82-gw-byol-cluster-777-991001695-v20241021", + "check-point-r82-byol": "check-point-r82-byol-777-991001695-v20241021", + "check-point-r8120-payg": "check-point-r8120-payg-634-991001641-v20240807", + "check-point-r8120-gw-payg-single": "check-point-r8120-gw-payg-single-631-991001669-v20240923", + "check-point-r8120-gw-payg-mig": "check-point-r8120-gw-payg-mig-631-991001669-v20240923", + "check-point-r8120-gw-payg-cluster": 
"check-point-r8120-gw-payg-cluster-631-991001669-v20240923", + "check-point-r8120-gw-byol-single": "check-point-r8120-gw-byol-single-631-991001669-v20240923", + "check-point-r8120-gw-byol-mig": "check-point-r8120-gw-byol-mig-631-991001669-v20240923", + "check-point-r8120-gw-byol-cluster": "check-point-r8120-gw-byol-cluster-631-991001669-v20240923", + "check-point-r8120-byol": "check-point-r8120-byol-634-991001641-v20240807", + "check-point-r8110-payg": "check-point-r8110-payg-335-991001681-v20241009", + "check-point-r8110-gw-payg-single": "check-point-r8110-gw-payg-single-335-991001681-v20241009", + "check-point-r8110-gw-payg-mig": "check-point-r8110-gw-payg-mig-335-991001681-v20241009", + "check-point-r8110-gw-payg-cluster": "check-point-r8110-gw-payg-cluster-335-991001681-v20241009", + "check-point-r8110-gw-byol-single": "check-point-r8110-gw-byol-single-335-991001681-v20241009", + "check-point-r8110-gw-byol-mig": "check-point-r8110-gw-byol-mig-335-991001681-v20241009", + "check-point-r8110-gw-byol-cluster": "check-point-r8110-gw-byol-cluster-335-991001681-v20241009", + "check-point-r8110-byol": "check-point-r8110-byol-335-991001681-v20241009", + "check-point-r81-payg": "check-point-r81-payg-392-991001616-v20240619", + "check-point-r81-gw-payg-single": "check-point-r81-gw-payg-single-392-991001616-v20240619", + "check-point-r81-gw-payg-mig": "check-point-r81-gw-payg-mig-392-991001616-v20240619", + "check-point-r81-gw-payg-cluster": "check-point-r81-gw-payg-cluster-392-991001616-v20240619", + "check-point-r81-gw-byol-single": "check-point-r81-gw-byol-single-392-991001616-v20240619", + "check-point-r81-gw-byol-mig": "check-point-r81-gw-byol-mig-392-991001616-v20240619", + "check-point-r81-gw-byol-cluster": "check-point-r81-gw-byol-cluster-392-991001616-v20240619", + "check-point-r81-byol": "check-point-r81-byol-392-991001616-v20240619" } \ No newline at end of file 
diff --git a/terraform/gcp/autoscale-into-existing-vpc/README.md b/terraform/gcp/autoscale-into-existing-vpc/README.md index 45abf434..1949b511 100755 --- a/terraform/gcp/autoscale-into-existing-vpc/README.md +++ b/terraform/gcp/autoscale-into-existing-vpc/README.md @@ -167,7 +167,7 @@ Please leave empty list for a protocol if you want to disable traffic for it. | prefix | (Optional) Resources name prefix.
Note: resource name must not contain reserved words based on: sk40179. | string | N/A | "chkp-tf-mig" | no | | license | Checkpoint license (BYOL or PAYG). | string | - BYOL
- PAYG
| "BYOL" | no | | image_name | The autoscaling (MIG) image name (e.g. check-point-r8120-gw-byol-mig-631-991001335-v20230622). You can choose the desired mig image value from [Github](https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/autoscale-byol/images.py). | string | N/A | N/A | yes | -| os_version |GAIA OS Version | string | R81;
R8110;
R8120 | R8120 | yes | +| os_version |GAIA OS Version | string | R81;
R8110;
R8120;
R82 | R8120 | yes | | | | | | | | management_nic | Management Interface - Autoscaling Security Gateways in GCP can be managed by an ephemeral public IP or using the private IP of the internal interface (eth1). | string | Ephemeral Public IP (eth0)
- Private IP (eth1) | "Ephemeral Public IP (eth0)" | no | | management_name | The name of the Security Management Server as appears in autoprovisioning configuration. (Please enter a valid Security Management name including lowercase letters, digits and hyphens only). | string | N/A | "checkpoint-management" | no | @@ -220,6 +220,8 @@ In order to check the template version refer to the [sk116585](https://supportce | Template Version | Description | | ---------------- | ------------- | +| 20241027 | Added R82 support | +| | | | | 20230910 | - R81.20 is the default version | | | | | | 20230109 | Updated startup script to use cloud-config. | diff --git a/terraform/gcp/autoscale-into-existing-vpc/locals.tf b/terraform/gcp/autoscale-into-existing-vpc/locals.tf index 9687f394..20143f79 100755 --- a/terraform/gcp/autoscale-into-existing-vpc/locals.tf +++ b/terraform/gcp/autoscale-into-existing-vpc/locals.tf @@ -5,14 +5,15 @@ locals { // will fail if [var.license] is invalid: validate_license = index(local.license_allowed_values, upper(var.license)) - regex_validate_image_name = "check-point-r8[0-1][1-4]0-gw-(byol|payg)-mig-[0-9]{3}-([0-9]{3,}|[a-z]+)-v[0-9]{8,}" + regex_validate_image_name = "^check-point-${lower(var.os_version)}-gw-.*[0-9]{3}-([0-9]{3,}|[a-z]+)-v[0-9]{8,}.*" // will fail if the image name is not in the right syntax validate_image_name = length(regexall(local.regex_validate_image_name, var.image_name)) > 0 ? 0 : index(split("-", var.image_name), "INVALID IMAGE NAME") version_allowed_values = [ "R81", "R8110", - "R8120" + "R8120", + "R82" ] // Will fail if var.os_version is invalid: validate_os_version = index(local.version_allowed_values, var.os_version) diff --git a/terraform/gcp/autoscale-into-new-vpc/README.md b/terraform/gcp/autoscale-into-new-vpc/README.md index 3958865d..873dcb67 100755 --- a/terraform/gcp/autoscale-into-new-vpc/README.md +++ b/terraform/gcp/autoscale-into-new-vpc/README.md 
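Review bot: The new `regex_validate_image_name` correctly ties the image to `var.os_version`, but it replaces the `(byol|payg)-mig-` segment with `-gw-.*` and ends in `.*`, so the check no longer confirms that the supplied image is a MIG image or that its license token is one of the two expected values — a `-cluster-` or `-single-` image of the same version now passes; the same loosening is in the autoscale-into-new-vpc, high-availability and single-into-existing-vpc locals.tf hunks below. Keeping the per-template suffix restores that guard: `regex_validate_image_name = "^check-point-${lower(var.os_version)}-gw-(byol|payg)-mig-[0-9]{3}-([0-9]{3,}|[a-z]+)-v[0-9]{8,}"` (with `-cluster-` and `-single-` in the other templates). Interpolating `var.os_version` into a pattern is only safe because `validate_os_version` restricts it to `version_allowed_values`; a comment beside the regex such as `// os_version is interpolated into this pattern: version_allowed_values must stay its only source of values` would keep the two from drifting apart.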
@@ -178,7 +178,7 @@ Please leave empty list for a protocol if you want to disable traffic for it. | prefix | (Optional) Resources name prefix.
Note: resource name must not contain reserved words based on: sk40179. | string | N/A | "chkp-tf-mig" | no | | license | Checkpoint license (BYOL or PAYG). | string | - BYOL
- PAYG
| "BYOL" | no | | image_name | The autoscaling (MIG) image name (e.g. check-point-r8120-gw-byol-mig-631-991001335-v20230622). You can choose the desired mig image value from [Github](https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/autoscale-byol/images.py). | string | N/A | N/A | yes | -| os_version |GAIA OS Version | string | R81;
R8110;
R8120 | R8120 | yes | +| os_version |GAIA OS Version | string | R81;
R8110;
R8120;
R82 | R8120 | yes | | | | | | | | management_nic | Management Interface - Autoscaling Security Gateways in GCP can be managed by an ephemeral public IP or using the private IP of the internal interface (eth1). | string | Ephemeral Public IP (eth0)
- Private IP (eth1) | "Ephemeral Public IP (eth0)" | no | | management_name | The name of the Security Management Server as appears in autoprovisioning configuration. (Please enter a valid Security Management name including lowercase letters, digits and hyphens only). | string | N/A | "checkpoint-management" | no | @@ -233,6 +233,8 @@ In order to check the template version refer to the [sk116585](https://supportce | Template Version | Description | | ---------------- | ------------- | +| 20241027 | Added R82 support | +| | | | | 20230910 | - R81.20 is the default version | | | | | | 20230109 | Updated startup script to use cloud-config. | diff --git a/terraform/gcp/autoscale-into-new-vpc/locals.tf b/terraform/gcp/autoscale-into-new-vpc/locals.tf index d49e09c4..b4679b97 100755 --- a/terraform/gcp/autoscale-into-new-vpc/locals.tf +++ b/terraform/gcp/autoscale-into-new-vpc/locals.tf @@ -5,14 +5,15 @@ locals { // will fail if [var.license] is invalid: validate_license = index(local.license_allowed_values, upper(var.license)) - regex_validate_image_name = "check-point-r8[0-1][1-4]0-gw-(byol|payg)-mig-[0-9]{3}-([0-9]{3,}|[a-z]+)-v[0-9]{8,}" + regex_validate_image_name = "^check-point-${lower(var.os_version)}-gw-.*[0-9]{3}-([0-9]{3,}|[a-z]+)-v[0-9]{8,}.*" // will fail if the image name is not in the right syntax validate_image_name = length(regexall(local.regex_validate_image_name, var.image_name)) > 0 ? 0 : index(split("-", var.image_name), "INVALID IMAGE NAME") version_allowed_values = [ "R81", "R8110", - "R8120" + "R8120", + "R82" ] // Will fail if var.os_version is invalid: validate_os_version = index(local.version_allowed_values, var.os_version) diff --git a/terraform/gcp/high-availability/README.md b/terraform/gcp/high-availability/README.md index d83af628..037bc592 100755 --- a/terraform/gcp/high-availability/README.md +++ b/terraform/gcp/high-availability/README.md 
@@ -229,7 +229,7 @@ internal_network1_subnetwork_name = "" | license | Checkpoint license (BYOL or PAYG). | string | - BYOL
- PAYG
| "BYOL" | no | | image_name | The High Availability (cluster) image name (e.g. check-point-r8120-gw-byol-cluster-631-991001335-v20230622). You can choose the desired cluster image value from [Github](https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/ha-byol/images.py). | string | N/A | N/A | yes | | | | | | | -| os_version |GAIA OS Version | string | R81;
R8110;
R8120 | R8120 | yes | +| os_version |GAIA OS Version | string | R81;
R8110;
R8120;
R82 | R8120 | yes | | | | | | | | region | GCP region | string | N/A | "us-central1" | no | | zoneA | Member A Zone. The zone determines what computing resources are available and where your data is stored and used. | string | N/A | "us-central1-a" | no | @@ -304,6 +304,8 @@ In order to check the template version refer to the [sk116585](https://supportce | Template Version | Description | | ---------------- | ------------- | +| 20241027 | Added R82 support | +| | | | | 20230910 | - R81.20 is the default version | | | | | | 20230209 | Added Smart-1 Cloud support. | diff --git a/terraform/gcp/high-availability/locals.tf b/terraform/gcp/high-availability/locals.tf index 680c7f9c..53a9eb7a 100755 --- a/terraform/gcp/high-availability/locals.tf +++ b/terraform/gcp/high-availability/locals.tf @@ -5,14 +5,15 @@ locals { // will fail if [var.license] is invalid: validate_license = index(local.license_allowed_values, upper(var.license)) - regex_validate_image_name = "check-point-r8[0-1][1-4]0-gw-(byol|payg)-cluster-[0-9]{3}-([0-9]{3,}|[a-z]+)-v[0-9]{8,}" + regex_validate_image_name = "^check-point-${lower(var.os_version)}-gw-.*[0-9]{3}-([0-9]{3,}|[a-z]+)-v[0-9]{8,}.*" // will fail if the image name is not in the right syntax validate_image_name = length(regexall(local.regex_validate_image_name, var.image_name)) > 0 ? 0 : index(split("-", var.image_name), "INVALID IMAGE NAME") version_allowed_values = [ "R81", "R8110", - "R8120" + "R8120", + "R82" ] // Will fail if var.os_version is invalid: validate_os_version = index(local.version_allowed_values, var.os_version) diff --git a/terraform/gcp/single-into-existing-vpc/README.md b/terraform/gcp/single-into-existing-vpc/README.md index 72bc8265..51f2a85e 100755 --- a/terraform/gcp/single-into-existing-vpc/README.md +++ b/terraform/gcp/single-into-existing-vpc/README.md 
@@ -171,7 +171,7 @@ Please leave empty list for a protocol if you want to disable traffic for it. | | | | | | | image_name |The single gateway or management image name (e.g. check-point-r8120-gw-byol-single-631-991001335-v20230622 for gateway or check-point-r8120-byol-631-991001335-v20230621 for management). You can choose the desired gateway image value from [Github](https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/single-byol/images.py).| string | N/A | N/A | yes | | | | | | | -| os_version |GAIA OS Version | string | R81;
R8110;
R8120 | R8120 | yes | +| os_version |GAIA OS Version | string | R81;
R8110;
R8120;
R82 | R8120 | yes | | | | | | | | installationType | Installation type and version | string |Gateway only;
Management only;
Manual Configuration
Gateway and Management (Standalone) |Gateway only|yes| | | | | | | @@ -253,6 +253,8 @@ In order to check the template version refer to the [sk116585](https://supportce | Template Version | Description | | ---------------- | ------------- | +| 20241027 | Added R82 support | +| | | | | 20230910 | - R81.20 is the default version | | | | | | 20230209 | Added Smart-1 Cloud support. | diff --git a/terraform/gcp/single-into-existing-vpc/locals.tf b/terraform/gcp/single-into-existing-vpc/locals.tf index 78145861..4efc3b29 100755 --- a/terraform/gcp/single-into-existing-vpc/locals.tf +++ b/terraform/gcp/single-into-existing-vpc/locals.tf @@ -18,15 +18,16 @@ locals { // Will fail if var.sicKey is invalid regex_sicKey = regex(local.regex_valid_sicKey, var.sicKey) == var.sicKey ? 0 : "Variable [sicKey] must be at least 8 alphanumeric characters." - regex_validate_mgmt_image_name = "check-point-r8[0-1][1-4]0-(byol|payg)-[0-9]{3}-([0-9]{3,}|[a-z]+)-v[0-9]{8,}" - regex_validate_single_image_name = "check-point-r8[0-1][1-4]0-gw-(byol|payg)-single-[0-9]{3}-([0-9]{3,}|[a-z]+)-v[0-9]{8,}" + regex_validate_mgmt_image_name = "^check-point-${lower(var.os_version)}-[^(gw)].*[0-9]{3}-([0-9]{3,}|[a-z]+)-v[0-9]{8,}.*" + regex_validate_single_image_name = "^check-point-${lower(var.os_version)}-gw-.*[0-9]{3}-([0-9]{3,}|[a-z]+)-v[0-9]{8,}.*" // will fail if the image name is not in the right syntax validate_image_name = var.installationType != "Gateway only" && length(regexall(local.regex_validate_mgmt_image_name, var.image_name)) > 0 ? 0 : (var.installationType == "Gateway only" && length(regexall(local.regex_validate_single_image_name, var.image_name)) > 0 ? 0 : index(split("-", var.image_name), "INVALID IMAGE NAME")) version_allowed_values = [ "R81", "R8110", - "R8120" + "R8120", + "R82" ] // Will fail if var.os_version is invalid: validate_os_version = index(local.version_allowed_values, var.os_version) 
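Review bot: `[^(gw)]` in the new `regex_validate_mgmt_image_name` is a character class, not a negative lookahead (Terraform's RE2 engine has none): it excludes exactly one character from the set `(`, `g`, `w`, `)` and then `.*` accepts anything. It happens to reject `-gw-` images because their next character is `g`, but it would equally reject a future management image whose next name segment began with one of those letters, and it accepts any other segment in that position. Naming the allowed token explicitly avoids both problems: `regex_validate_mgmt_image_name = "^check-point-${lower(var.os_version)}-(byol|payg)-[0-9]{3}-([0-9]{3,}|[a-z]+)-v[0-9]{8,}"`.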
diff --git a/terraform/gcp/single-into-new-vpc/README.md b/terraform/gcp/single-into-new-vpc/README.md index 59db07be..029f71da 100644 --- a/terraform/gcp/single-into-new-vpc/README.md +++ b/terraform/gcp/single-into-new-vpc/README.md @@ -180,7 +180,7 @@ Please leave empty list for a protocol if you want to disable traffic for it. | | | | | | | image_name |The single gateway or management image name (e.g. check-point-r8120-gw-byol-single-631-991001335-v20230622 for gateway or check-point-r8120-byol-631-991001335-v20230621 for management). You can choose the desired gateway image value from [Github](https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/single-byol/images.py).| string | N/A | N/A | yes | | | | | | | -| os_version |GAIA OS Version | string | R81;
R8110;
R8120 | R8120 | yes | +| os_version |GAIA OS Version | string | R81;
R8110;
R8120;
R82 | R8120 | yes | | | | | | | | installationType | Installation type and version | string |Gateway only;
Management only;
Manual Configuration
Gateway and Management (Standalone) |Gateway only|yes| | | | | | | @@ -262,6 +262,8 @@ In order to check the template version refer to the [sk116585](https://supportce | Template Version | Description | |------------------|-------------------------------------| +| 20241027 | Added R82 support | +| | | | | 20230921 | Added single-into-new-vpc template. | | | | From fb1dfc0a0ca8881bfa27c9b3c798ac83e5f8c75b Mon Sep 17 00:00:00 2001 
From: yairra Date: Mon, 28 Oct 2024 16:42:26 +0200 Subject: [PATCH 12/12] Azure tempaltes | Added R82 support --- .../createUiDefinition.json | 345 ++++++++++++++++- .../mainTemplate.json | 15 +- .../marketplace-ha/createUiDefinition.json | 345 ++++++++++++++++- .../marketplace-ha/mainTemplate.json | 15 +- .../createUiDefinition.json | 64 +++- .../marketplace-management/mainTemplate.json | 12 +- .../marketplace-mds/createUiDefinition.json | 35 +- .../marketplace-mds/mainTemplate.json | 9 +- .../createUiDefinition.json | 353 +++++++++++++++++- .../marketplace-single/mainTemplate.json | 17 +- .../marketplace-vmss/createUiDefinition.json | 345 ++++++++++++++++- .../marketplace-vmss/mainTemplate.json | 15 +- .../vwan-managed-app/mainTemplate.json | 5 +- .../high-availability-existing-vnet/README.md | 4 +- .../variables.tf | 6 +- .../high-availability-new-vnet/README.md | 4 +- .../high-availability-new-vnet/variables.tf | 8 +- .../azure/management-existing-vnet/README.md | 4 +- .../management-existing-vnet/variables.tf | 6 +- terraform/azure/management-new-vnet/README.md | 4 +- .../azure/management-new-vnet/variables.tf | 6 +- terraform/azure/mds-existing-vnet/README.md | 4 +- .../azure/mds-existing-vnet/variables.tf | 8 +- terraform/azure/mds-new-vnet/README.md | 4 +- terraform/azure/mds-new-vnet/variables.tf | 8 +- terraform/azure/modules/common/variables.tf | 8 +- .../azure/nva-into-existing-hub/README.md | 7 +- terraform/azure/nva-into-existing-hub/main.tf | 4 +- .../azure/nva-into-existing-hub/variables.tf | 4 +- terraform/azure/nva-into-new-vwan/README.md | 3 +- terraform/azure/nva-into-new-vwan/main.tf | 4 +- .../azure/nva-into-new-vwan/variables.tf | 4 +- .../single-gateway-existing-vnet/README.md | 4 +- .../single-gateway-existing-vnet/variables.tf | 8 +- .../azure/single-gateway-new-vnet/README.md | 4 +- .../single-gateway-new-vnet/variables.tf | 8 +- terraform/azure/vmss-existing-vnet/README.md | 4 +- .../azure/vmss-existing-vnet/variables.tf | 6 +- 
terraform/azure/vmss-new-vnet/README.md | 4 +- terraform/azure/vmss-new-vnet/variables.tf | 4 +- 40 files changed, 1627 insertions(+), 90 deletions(-) diff --git a/azure/templates/marketplace-gateway-load-balancer/createUiDefinition.json b/azure/templates/marketplace-gateway-load-balancer/createUiDefinition.json index 54fd25cc..f4c53009 100644 --- a/azure/templates/marketplace-gateway-load-balancer/createUiDefinition.json +++ b/azure/templates/marketplace-gateway-load-balancer/createUiDefinition.json @@ -360,6 +360,10 @@ { "label": "R81.20", "value": "R81.20" + }, + { + "label": "R82", + "value": "R82" } ] } 
@@ -1066,6 +1070,345 @@ }, "count": "[steps('autoprovision').vmCount]" }, + { + "name": "R82vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R82'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D4ds_v5", + "Standard_D4d_v5" + ], + "constraints": { + "allowedSizes": [ + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + "Standard_D2_v5", + "Standard_D4_v5", + "Standard_D8_v5", + "Standard_D16_v5", + "Standard_D32_v5", + "Standard_D2s_v5", + "Standard_D4s_v5", + "Standard_D8s_v5", + "Standard_D16s_v5", + "Standard_D2d_v5", + "Standard_D4d_v5", + "Standard_D8d_v5", + "Standard_D16d_v5", + "Standard_D32d_v5", + "Standard_D2ds_v5", + "Standard_D4ds_v5", + "Standard_D8ds_v5", + "Standard_D16ds_v5", + "Standard_D32ds_v5", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + 
"Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r82", + "sku": "sg-byol" + }, + "count": "[steps('autoprovision').vmCount]" + }, + { + "name": "R82vmSizeUiNGTP", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R82'), contains(steps('chkp').R80Offer, '(NGTP)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D4ds_v5", + "Standard_D4d_v5" + ], + "constraints": { + "allowedSizes": [ + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + "Standard_D2_v5", + "Standard_D4_v5", + "Standard_D8_v5", + "Standard_D16_v5", + "Standard_D32_v5", + "Standard_D2s_v5", + "Standard_D4s_v5", + "Standard_D8s_v5", + "Standard_D16s_v5", + "Standard_D2d_v5", + "Standard_D4d_v5", + "Standard_D8d_v5", + "Standard_D16d_v5", + "Standard_D32d_v5", + "Standard_D2ds_v5", + "Standard_D4ds_v5", + "Standard_D8ds_v5", + "Standard_D16ds_v5", + "Standard_D32ds_v5", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + 
"Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r82", + "sku": "sg-ngtp" + }, + "count": "[steps('autoprovision').vmCount]" + }, + { + "name": "R82vmSizeUiNGTX", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R82'), contains(steps('chkp').R80Offer, '(NGTX)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D4ds_v5", + "Standard_D4d_v5" + ], + "constraints": { + "allowedSizes": [ + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + "Standard_D2_v5", + "Standard_D4_v5", + "Standard_D8_v5", + "Standard_D16_v5", + "Standard_D32_v5", + "Standard_D2s_v5", + "Standard_D4s_v5", + "Standard_D8s_v5", + "Standard_D16s_v5", + "Standard_D2d_v5", + "Standard_D4d_v5", + "Standard_D8d_v5", + "Standard_D16d_v5", + "Standard_D32d_v5", + 
"Standard_D2ds_v5", + "Standard_D4ds_v5", + "Standard_D8ds_v5", + "Standard_D16ds_v5", + "Standard_D32ds_v5", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r82", + "sku": "sg-ngtx" + }, + "count": "[steps('autoprovision').vmCount]" + }, { "name": "adminShell", "type": "Microsoft.Common.DropDown", 
@@ -1489,7 +1832,7 @@
 "availabilityZonesNum": "[coalesce(steps('autoprovision').availabilityZonesNum, int('0'))]",
 "customMetrics": "[steps('autoprovision').customMetrics]",
 "cloudGuardVersion": "[concat(steps('chkp').cloudGuardVersion, ' - ', coalesce(steps('chkp').R80Offer, 'Bring Your Own License'))]",
- "vmSize": "[coalesce(steps('chkp').R8110vmSizeUiBYOL, steps('chkp').R8110vmSizeUiNGTP, steps('chkp').R8110vmSizeUiNGTX, steps('chkp').R8120vmSizeUiBYOL, steps('chkp').R8120vmSizeUiNGTP, steps('chkp').R8120vmSizeUiNGTX)]",
+ "vmSize": "[coalesce(steps('chkp').R8110vmSizeUiBYOL, steps('chkp').R8110vmSizeUiNGTP, steps('chkp').R8110vmSizeUiNGTX, steps('chkp').R8120vmSizeUiBYOL, steps('chkp').R8120vmSizeUiNGTP, steps('chkp').R8120vmSizeUiNGTX, steps('chkp').R82vmSizeUiBYOL, steps('chkp').R82vmSizeUiNGTP, steps('chkp').R82vmSizeUiNGTX)]",
 "sicKey": "[steps('chkp').sicKeyUi]",
 "bootstrapScript": "[steps('chkp').bootstrapScript]",
 "allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp').allowUploadDownload, 'true')]",
diff --git a/azure/templates/marketplace-gateway-load-balancer/mainTemplate.json b/azure/templates/marketplace-gateway-load-balancer/mainTemplate.json
index 12d29edc..e2307459 100644
--- a/azure/templates/marketplace-gateway-load-balancer/mainTemplate.json
+++ b/azure/templates/marketplace-gateway-load-balancer/mainTemplate.json
@@ -24,7 +24,10 @@
 "R81.10 - Pay As You Go (NGTX)",
 "R81.20 - Bring Your Own License",
 "R81.20 - Pay As You Go (NGTP)",
- "R81.20 - Pay As You Go (NGTX)"
+ "R81.20 - Pay As You Go (NGTX)",
+ "R82 - Bring Your Own License",
+ "R82 - Pay As You Go (NGTP)",
+ "R82 - Pay As You Go (NGTX)"
 ],
 "defaultValue": "R81.20 - Bring Your Own License",
 "metadata": {
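Review bot: The `allowedValues` hunk adds the three R82 entries but leaves `defaultValue` at `R81.20 - Bring Your Own License`; if the intent is for new deployments to default to the latest release the default should move with it, otherwise a line in the commit message saying R82 deliberately stays opt-in would help the next reader. The `osVersions` map in the following hunk (L17944) resolves R82 to the bare string `R82`, unlike `R8110`/`R8120`; that is consistent with the `check-point-cg-r82` offer pinned by the createUiDefinition selectors only if the template derives the image offer by lowercasing `osVersion`, and that derivation is outside the hunk, so please confirm the R82 image reference (and any purchase plan it carries) resolves correctly. The same pattern applies to the ha, management, mds and single mainTemplate hunks (L17949, L17950, L17953, L17955, L17961).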
@@ -422,7 +425,10 @@
 "R81.10 - Pay As You Go (NGTX)": "NGTX",
 "R81.20 - Bring Your Own License": "BYOL",
 "R81.20 - Pay As You Go (NGTP)": "NGTP",
- "R81.20 - Pay As You Go (NGTX)": "NGTX"
+ "R81.20 - Pay As You Go (NGTX)": "NGTX",
+ "R82 - Bring Your Own License": "BYOL",
+ "R82 - Pay As You Go (NGTP)": "NGTP",
+ "R82 - Pay As You Go (NGTX)": "NGTX"
 },
 "offer": "[variables('offers')[parameters('cloudGuardVersion')]]",
 "osVersions": {
@@ -431,7 +437,10 @@
 "R81.10 - Pay As You Go (NGTX)": "R8110",
 "R81.20 - Bring Your Own License": "R8120",
 "R81.20 - Pay As You Go (NGTP)": "R8120",
- "R81.20 - Pay As You Go (NGTX)": "R8120"
+ "R81.20 - Pay As You Go (NGTX)": "R8120",
+ "R82 - Bring Your Own License": "R82",
+ "R82 - Pay As You Go (NGTP)": "R82",
+ "R82 - Pay As You Go (NGTX)": "R82"
 },
 "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]",
 "SerialConsoleGeographies": {
diff --git a/azure/templates/marketplace-ha/createUiDefinition.json b/azure/templates/marketplace-ha/createUiDefinition.json
index 886f864a..5061798d 100644
--- a/azure/templates/marketplace-ha/createUiDefinition.json
+++ b/azure/templates/marketplace-ha/createUiDefinition.json
@@ -75,6 +75,10 @@
 {
 "label": "R81.20",
 "value": "R81.20"
+ },
+ {
+ "label": "R82",
+ "value": "R82"
 }
 ]
 }
@@ -781,6 +785,345 @@ }, "count": 2 }, + { + "name": "R82vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R82'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D4ds_v5", + "Standard_D4d_v5" + ], + "constraints": { + "allowedSizes": [ + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + "Standard_D2_v5", + "Standard_D4_v5", + "Standard_D8_v5", + "Standard_D16_v5", + "Standard_D32_v5", + "Standard_D2s_v5", + "Standard_D4s_v5", + "Standard_D8s_v5", + "Standard_D16s_v5", + "Standard_D2d_v5", + "Standard_D4d_v5", + "Standard_D8d_v5", + "Standard_D16d_v5", + "Standard_D32d_v5", + "Standard_D2ds_v5", + "Standard_D4ds_v5", + "Standard_D8ds_v5", + "Standard_D16ds_v5", + "Standard_D32ds_v5", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + 
"Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r82", + "sku": "sg-byol" + }, + "count": 2 + }, + { + "name": "R82vmSizeUiNGTP", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R82'), contains(steps('chkp').R80Offer, '(NGTP)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D4ds_v5", + "Standard_D4d_v5" + ], + "constraints": { + "allowedSizes": [ + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + "Standard_D2_v5", + "Standard_D4_v5", + "Standard_D8_v5", + "Standard_D16_v5", + "Standard_D32_v5", + "Standard_D2s_v5", + "Standard_D4s_v5", + "Standard_D8s_v5", + "Standard_D16s_v5", + "Standard_D2d_v5", + "Standard_D4d_v5", + "Standard_D8d_v5", + "Standard_D16d_v5", + "Standard_D32d_v5", + "Standard_D2ds_v5", + "Standard_D4ds_v5", + "Standard_D8ds_v5", + "Standard_D16ds_v5", + "Standard_D32ds_v5", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + 
"Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r82", + "sku": "sg-ngtp" + }, + "count": 2 + }, + { + "name": "R82vmSizeUiNGTX", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R82'), contains(steps('chkp').R80Offer, '(NGTX)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D4ds_v5", + "Standard_D4d_v5" + ], + "constraints": { + "allowedSizes": [ + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + "Standard_D2_v5", + "Standard_D4_v5", + "Standard_D8_v5", + "Standard_D16_v5", + "Standard_D32_v5", + "Standard_D2s_v5", + "Standard_D4s_v5", + "Standard_D8s_v5", + "Standard_D16s_v5", + "Standard_D2d_v5", + "Standard_D4d_v5", + "Standard_D8d_v5", + "Standard_D16d_v5", + "Standard_D32d_v5", + "Standard_D2ds_v5", + "Standard_D4ds_v5", + "Standard_D8ds_v5", + 
"Standard_D16ds_v5", + "Standard_D32ds_v5", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r82", + "sku": "sg-ngtx" + }, + "count": 2 + }, { "name": "adminShell", "type": "Microsoft.Common.DropDown", 
@@ -1609,7 +1952,7 @@
 "authenticationType": "[basics('auth').authenticationType]",
 "sshPublicKey": "[basics('auth').sshPublicKey]",
 "vmName": "[basics('clusterObjectNameUi')]",
- "vmSize": "[coalesce(steps('chkp').R8110vmSizeUiBYOL, steps('chkp').R8110vmSizeUiNGTP, steps('chkp').R8110vmSizeUiNGTX, steps('chkp').R8120vmSizeUiBYOL, steps('chkp').R8120vmSizeUiNGTP, steps('chkp').R8120vmSizeUiNGTX)]",
+ "vmSize": "[coalesce(steps('chkp').R8110vmSizeUiBYOL, steps('chkp').R8110vmSizeUiNGTP, steps('chkp').R8110vmSizeUiNGTX, steps('chkp').R8120vmSizeUiBYOL, steps('chkp').R8120vmSizeUiNGTP, steps('chkp').R8120vmSizeUiNGTX, steps('chkp').R82vmSizeUiBYOL, steps('chkp').R82vmSizeUiNGTP, steps('chkp').R82vmSizeUiNGTX)]",
 "sicKey": "[steps('chkp').sicKeyUi]",
 "virtualNetworkName": "[steps('network').virtualNetwork.name]",
 "virtualNetworkAddressPrefixes": "[steps('network').virtualNetwork.addressPrefixes]",
diff --git a/azure/templates/marketplace-ha/mainTemplate.json b/azure/templates/marketplace-ha/mainTemplate.json
index 92ebdc45..cebd2dfb 100644
--- a/azure/templates/marketplace-ha/mainTemplate.json
+++ b/azure/templates/marketplace-ha/mainTemplate.json
@@ -17,7 +17,10 @@
 "R81.10 - Pay As You Go (NGTX)",
 "R81.20 - Bring Your Own License",
 "R81.20 - Pay As You Go (NGTP)",
- "R81.20 - Pay As You Go (NGTX)"
+ "R81.20 - Pay As You Go (NGTX)",
+ "R82 - Bring Your Own License",
+ "R82 - Pay As You Go (NGTP)",
+ "R82 - Pay As You Go (NGTX)"
 ],
 "defaultValue": "R81.20 - Bring Your Own License",
 "metadata": {
@@ -367,7 +370,10 @@
 "R81.10 - Pay As You Go (NGTX)": "NGTX",
 "R81.20 - Bring Your Own License": "BYOL",
 "R81.20 - Pay As You Go (NGTP)": "NGTP",
- "R81.20 - Pay As You Go (NGTX)": "NGTX"
+ "R81.20 - Pay As You Go (NGTX)": "NGTX",
+ "R82 - Bring Your Own License": "BYOL",
+ "R82 - Pay As You Go (NGTP)": "NGTP",
+ "R82 - Pay As You Go (NGTX)": "NGTX"
 },
 "offer": "[variables('offers')[parameters('cloudGuardVersion')]]",
 "osVersions": {
@@ -376,7 +382,10 @@
 "R81.10 - Pay As You Go (NGTX)": "R8110",
 "R81.20 - Bring Your Own License": "R8120",
 "R81.20 - Pay As You Go (NGTP)": "R8120",
- "R81.20 - Pay As You Go (NGTX)": "R8120"
+ "R81.20 - Pay As You Go (NGTX)": "R8120",
+ "R82 - Bring Your Own License": "R82",
+ "R82 - Pay As You Go (NGTP)": "R82",
+ "R82 - Pay As You Go (NGTX)": "R82"
 },
 "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]",
 "SerialConsoleGeographies": {
diff --git a/azure/templates/marketplace-management/createUiDefinition.json b/azure/templates/marketplace-management/createUiDefinition.json
index fdb719a2..f35c7c0f 100644
--- a/azure/templates/marketplace-management/createUiDefinition.json
+++ b/azure/templates/marketplace-management/createUiDefinition.json
@@ -75,6 +75,10 @@
 {
 "label": "R81.20",
 "value": "R81.20"
+ },
+ {
+ "label": "R82",
+ "value": "R82"
 }
 ]
 }
@@ -215,6 +219,64 @@
 },
 "count": 1
 },
+ {
+ "name": "R82vmSizeUiBYOL",
+ "type": "Microsoft.Compute.SizeSelector",
+ "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R82'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]",
+ "label": "Virtual machine size",
+ "toolTip": "The VM size of the Management",
+ "recommendedSizes": [
+ "Standard_DS3_v2",
+ "Standard_D3_v2"
+ ],
+ "constraints": {
+ "excludedSizes": [
+ "Standard_A1_v2",
+ "Standard_D1_v2",
+ "Standard_DS1_v2",
+ "Standard_F1",
+ "Standard_F1s",
+ "Standard_G1",
+ "Standard_GS1"
+ ]
+ },
+ "osPlatform": "Linux",
+ "imageReference": {
+ "publisher": "checkpoint",
+ "offer": "check-point-cg-r82",
+ "sku": "mgmt-byol"
+ },
+ "count": 1
+ },
+ {
+ "name": "R82vmSizeUiMGMT25",
+ "type": "Microsoft.Compute.SizeSelector",
+ "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R82'), contains(steps('chkp').R80Offer, '(MGMT25)'))]",
+ "label": "Virtual machine size",
+ "toolTip": "The VM size of the Management",
+ "recommendedSizes": [
+ "Standard_DS3_v2",
+ "Standard_D3_v2"
+ ],
+ "constraints": {
+ "excludedSizes": [
+ "Standard_A1_v2",
+ "Standard_D1_v2",
+ "Standard_DS1_v2",
+ "Standard_F1",
+ "Standard_F1s",
+ "Standard_G1",
+ "Standard_GS1"
+ ]
+ },
+ "osPlatform": "Linux",
+ "imageReference": {
+ "publisher": "checkpoint",
+ "offer": "check-point-cg-r82",
+ "sku": "mgmt-25"
+ },
+ "count": 1
+ },
 {
 "name": "SerialPasswordInfoBox",
 "type": "Microsoft.Common.InfoBox",
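Review bot: The two new Management selectors constrain size by `excludedSizes` (seven single-vCPU SKUs) rather than by the explicit `allowedSizes` list the gateway selectors in this commit use, so every SKU Azure adds in future is offered for R82 Management by default. If there is a tested-SKU list for the Management image, mirroring the gateway allow-list approach would keep the templates consistent; if open-by-exclusion is deliberate, a short note in the template README would save the next maintainer the question. The `recommendedSizes` (`Standard_DS3_v2`, `Standard_D3_v2`) are not in the exclusion list, so each selector is internally consistent.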
@@ -673,7 +735,7 @@
 "authenticationType": "[basics('auth').authenticationType]",
 "sshPublicKey": "[basics('auth').sshPublicKey]",
 "vmName": "[basics('gatewayNameUi')]",
- "vmSize": "[coalesce(steps('chkp').R8110vmSizeUiBYOL, steps('chkp').R8110vmSizeUiMGMT25, steps('chkp').R8120vmSizeUiBYOL, steps('chkp').R8120vmSizeUiMGMT25)]",
+ "vmSize": "[coalesce(steps('chkp').R8110vmSizeUiBYOL, steps('chkp').R8110vmSizeUiMGMT25, steps('chkp').R8120vmSizeUiBYOL, steps('chkp').R8120vmSizeUiMGMT25, steps('chkp').R82vmSizeUiBYOL, steps('chkp').R82vmSizeUiMGMT25)]",
 "virtualNetworkName": "[steps('network').virtualNetwork.name]",
 "virtualNetworkAddressPrefix": "[steps('network').virtualNetwork.addressPrefix]",
 "Subnet1Name": "[steps('network').virtualNetwork.subnets.subnet1.name]",
diff --git a/azure/templates/marketplace-management/mainTemplate.json b/azure/templates/marketplace-management/mainTemplate.json
index eb3153c8..7c7d26cd 100644
--- a/azure/templates/marketplace-management/mainTemplate.json
+++ b/azure/templates/marketplace-management/mainTemplate.json
@@ -15,7 +15,9 @@
 "R81.10 - Bring Your Own License",
 "R81.10 - Pay As You Go (MGMT25)",
 "R81.20 - Bring Your Own License",
- "R81.20 - Pay As You Go (MGMT25)"
+ "R81.20 - Pay As You Go (MGMT25)",
+ "R82 - Bring Your Own License",
+ "R82 - Pay As You Go (MGMT25)"
 ],
 "defaultValue": "R81.20 - Bring Your Own License",
 "metadata": {
@@ -275,14 +277,18 @@
 "R81.10 - Bring Your Own License": "BYOL",
 "R81.10 - Pay As You Go (MGMT25)": "MGMT25",
 "R81.20 - Bring Your Own License": "BYOL",
- "R81.20 - Pay As You Go (MGMT25)": "MGMT25"
+ "R81.20 - Pay As You Go (MGMT25)": "MGMT25",
+ "R82 - Bring Your Own License": "BYOL",
+ "R82 - Pay As You Go (MGMT25)": "MGMT25"
 },
 "offer": "[variables('offers')[parameters('cloudGuardVersion')]]",
 "osVersions": {
 "R81.10 - Bring Your Own License": "R8110",
 "R81.10 - Pay As You Go (MGMT25)": "R8110",
 "R81.20 - Bring Your Own License": "R8120",
- "R81.20 - Pay As You Go (MGMT25)": "R8120"
+ "R81.20 - Pay As You Go (MGMT25)": "R8120",
+ "R82 - Bring Your Own License": "R82",
+ "R82 - Pay As You Go (MGMT25)": "R82"
 },
 "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]",
 "SerialConsoleGeographies": {
diff --git a/azure/templates/marketplace-mds/createUiDefinition.json b/azure/templates/marketplace-mds/createUiDefinition.json
index ad06592d..87e4004f 100644
--- a/azure/templates/marketplace-mds/createUiDefinition.json
+++ b/azure/templates/marketplace-mds/createUiDefinition.json
@@ -75,6 +75,10 @@
 {
 "label": "R81.20",
 "value": "R81.20"
+ },
+ {
+ "label": "R82",
+ "value": "R82"
 }
 ]
 }
@@ -153,6 +157,35 @@
 },
 "count": 1
 },
+ {
+ "name": "R82vmSizeUiBYOL",
+ "type": "Microsoft.Compute.SizeSelector",
+ "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R82'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]",
+ "label": "Virtual machine size",
+ "toolTip": "The VM size. Minimum of 16 cores and 64 GB RAM is required.",
+ "recommendedSizes": [
+ "Standard_DS15_v2",
+ "Standard_DS5_v2"
+ ],
+ "constraints": {
+ "excludedSizes": [
+ "Standard_A1_v2",
+ "Standard_D1_v2",
+ "Standard_DS1_v2",
+ "Standard_F1",
+ "Standard_F1s",
+ "Standard_G1",
+ "Standard_GS1"
+ ]
+ },
+ "osPlatform": "Linux",
+ "imageReference": {
+ "publisher": "checkpoint",
+ "offer": "check-point-cg-r82",
+ "sku": "mgmt-byol"
+ },
+ "count": 1
+ },
 {
 "name": "installationType",
 "type": "Microsoft.Common.DropDown",
@@ -608,7 +641,7 @@
 "authenticationType": "[basics('auth').authenticationType]",
 "sshPublicKey": "[basics('auth').sshPublicKey]",
 "vmName": "[basics('gatewayNameUi')]",
- "vmSize": "[coalesce(steps('chkp').R8110vmSizeUiBYOL, steps('chkp').R8120vmSizeUiBYOL)]",
+ "vmSize": "[coalesce(steps('chkp').R8110vmSizeUiBYOL, steps('chkp').R8120vmSizeUiBYOL, steps('chkp').R82vmSizeUiBYOL)]",
 "virtualNetworkName": "[steps('network').virtualNetwork.name]",
 "virtualNetworkAddressPrefix": "[steps('network').virtualNetwork.addressPrefix]",
 "Subnet1Name": "[steps('network').virtualNetwork.subnets.subnet1.name]",
diff --git a/azure/templates/marketplace-mds/mainTemplate.json b/azure/templates/marketplace-mds/mainTemplate.json
index 98e056c2..7c1dca78 100644
--- a/azure/templates/marketplace-mds/mainTemplate.json
+++ b/azure/templates/marketplace-mds/mainTemplate.json
@@ -13,7 +13,8 @@
 "type": "string",
 "allowedValues": [
 "R81.10 - Bring Your Own License",
- "R81.20 - Bring Your Own License"
+ "R81.20 - Bring Your Own License",
+ "R82 - Bring Your Own License"
 ],
 "defaultValue": "R81.20 - Bring Your Own License",
 "metadata": {
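Review bot: The new `R82vmSizeUiBYOL` selector's `toolTip` states that a minimum of 16 cores and 64 GB RAM is required, but its `excludedSizes` constraint only removes seven single-vCPU SKUs, so the selector will accept 2- and 4-vCPU sizes that violate the stated minimum. Either replace the exclusion list with an `allowedSizes` list of SKUs that meet the requirement, or reword the tooltip so it does not promise enforcement the control does not provide, e.g. `"toolTip": "The VM size. A minimum of 16 cores and 64 GB RAM is required; the selector does not enforce this, so choose accordingly."`. The preceding R81.x selectors are outside the hunk but, from their names, likely carry the same mismatch.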
@@ -266,12 +267,14 @@
 "location": "[parameters('location')]",
 "offers": {
 "R81.10 - Bring Your Own License": "BYOL",
- "R81.20 - Bring Your Own License": "BYOL"
+ "R81.20 - Bring Your Own License": "BYOL",
+ "R82 - Bring Your Own License": "BYOL"
 },
 "offer": "[variables('offers')[parameters('cloudGuardVersion')]]",
 "osVersions": {
 "R81.10 - Bring Your Own License": "R8110",
- "R81.20 - Bring Your Own License": "R8120"
+ "R81.20 - Bring Your Own License": "R8120",
+ "R82 - Bring Your Own License": "R82"
 },
 "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]",
 "serialConsoleGeographies": {
diff --git a/azure/templates/marketplace-single/createUiDefinition.json b/azure/templates/marketplace-single/createUiDefinition.json
index 4df2533a..77059428 100644
--- a/azure/templates/marketplace-single/createUiDefinition.json
+++ b/azure/templates/marketplace-single/createUiDefinition.json
@@ -75,6 +75,10 @@
 {
 "label": "R81.20",
 "value": "R81.20"
+ },
+ {
+ "label": "R82",
+ "value": "R82"
 }
 ]
 }
@@ -781,11 +785,350 @@ }, "count": 1 }, + { + "name": "R82vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R82'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D4ds_v5", + "Standard_D4d_v5" + ], + "constraints": { + "allowedSizes": [ + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + "Standard_D2_v5", + "Standard_D4_v5", + "Standard_D8_v5", + "Standard_D16_v5", + "Standard_D32_v5", + "Standard_D2s_v5", + "Standard_D4s_v5", + "Standard_D8s_v5", + "Standard_D16s_v5", + "Standard_D2d_v5", + "Standard_D4d_v5", + "Standard_D8d_v5", + "Standard_D16d_v5", + "Standard_D32d_v5", + "Standard_D2ds_v5", + "Standard_D4ds_v5", + "Standard_D8ds_v5", + "Standard_D16ds_v5", + "Standard_D32ds_v5", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + 
"Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r82", + "sku": "sg-byol" + }, + "count": 1 + }, + { + "name": "R82vmSizeUiNGTP", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R82'), contains(steps('chkp').R80Offer, '(NGTP)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D4ds_v5", + "Standard_D4d_v5" + ], + "constraints": { + "allowedSizes": [ + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + "Standard_D2_v5", + "Standard_D4_v5", + "Standard_D8_v5", + "Standard_D16_v5", + "Standard_D32_v5", + "Standard_D2s_v5", + "Standard_D4s_v5", + "Standard_D8s_v5", + "Standard_D16s_v5", + "Standard_D2d_v5", + "Standard_D4d_v5", + "Standard_D8d_v5", + "Standard_D16d_v5", + "Standard_D32d_v5", + "Standard_D2ds_v5", + "Standard_D4ds_v5", + "Standard_D8ds_v5", + "Standard_D16ds_v5", + "Standard_D32ds_v5", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + 
"Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r82", + "sku": "sg-ngtp" + }, + "count": 1 + }, + { + "name": "R82vmSizeUiNGTX", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R82'), contains(steps('chkp').R80Offer, '(NGTX)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D4ds_v5", + "Standard_D4d_v5" + ], + "constraints": { + "allowedSizes": [ + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + "Standard_D2_v5", + "Standard_D4_v5", + "Standard_D8_v5", + "Standard_D16_v5", + "Standard_D32_v5", + "Standard_D2s_v5", + "Standard_D4s_v5", + "Standard_D8s_v5", + "Standard_D16s_v5", + "Standard_D2d_v5", + "Standard_D4d_v5", + "Standard_D8d_v5", + "Standard_D16d_v5", + "Standard_D32d_v5", + "Standard_D2ds_v5", + "Standard_D4ds_v5", + "Standard_D8ds_v5", + 
"Standard_D16ds_v5", + "Standard_D32ds_v5", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r82", + "sku": "sg-ngtx" + }, + "count": 1 + }, { "name": "installationType", "type": "Microsoft.Common.DropDown", "label": "Installation type", - "visible": "[or(equals(steps('chkp').cloudGuardVersion, 'R81.10'), equals(steps('chkp').cloudGuardVersion, 'R81.20'))]", + "visible": "[or(equals(steps('chkp').cloudGuardVersion, 'R81.10'), equals(steps('chkp').cloudGuardVersion, 'R81.20'), equals(steps('chkp').cloudGuardVersion, 'R82'))]", "defaultValue": "Gateway only", "toolTip": "Select the type of deployment", "constraints": { 
@@ -831,10 +1174,10 @@
 {
 "name": "standaloneValidation",
 "type": "Microsoft.Common.InfoBox",
- "visible": "[and(equals(steps('chkp').installationType, 'standalone'), not(and(equals(steps('chkp').R80Offer, 'Bring Your Own License'),or(equals(steps('chkp').cloudGuardVersion, 'R81.10'), equals(steps('chkp').cloudGuardVersion, 'R81.20')))))]",
+ "visible": "[and(equals(steps('chkp').installationType, 'standalone'), not(and(equals(steps('chkp').R80Offer, 'Bring Your Own License'),or(equals(steps('chkp').cloudGuardVersion, 'R81.10'), equals(steps('chkp').cloudGuardVersion, 'R81.20'), equals(steps('chkp').cloudGuardVersion, 'R82')))))]",
 "options": {
 "icon": "Error",
- "text": "Standalone deployment is ONLY supported for CloudGuard versions R81.10 and R81.20 Bring Your Own License."
+ "text": "Standalone deployment is ONLY supported for CloudGuard versions R81.10, R81.20 and R82 Bring Your Own License."
 }
 },
 {
@@ -847,7 +1190,7 @@
 "regex": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$",
 "validationMessage": "Enter a valid IPv4 network CIDR"
 },
- "visible": "[and(or(equals(steps('chkp').cloudGuardVersion, 'R81.10'), equals(steps('chkp').cloudGuardVersion, 'R81.20')), equals(steps('chkp').installationType, 'standalone'))]"
+ "visible": "[and(or(equals(steps('chkp').cloudGuardVersion, 'R81.10'), equals(steps('chkp').cloudGuardVersion, 'R81.20'), equals(steps('chkp').cloudGuardVersion, 'R82')), equals(steps('chkp').installationType, 'standalone'))]"
 },
 {
 "name": "sicKeyUi",
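Review bot: The two `visible` expressions changed here, plus the `installationType` visibility rule just above this hunk and the InfoBox `text`, each carry their own copy of the version allowlist for standalone deployments, so every future release has to be added to four places and a missed one silently hides the CIDR field or the validation error without any other signal. If the CreateUiDefinition function set in use supports `parse()` and array `contains()` (recent versions do), the chain can be replaced by a single membership test such as `contains(parse('["R81.10","R81.20","R82"]'), steps('chkp').cloudGuardVersion)`, which keeps the list in one literal per expression and is much easier to diff. The `text` string still has to be updated by hand; a short comment-style `toolTip` noting that it must match the list above would help. Both elements continue outside the hunk.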
@@ -1321,7 +1664,7 @@
 "authenticationType": "[basics('auth').authenticationType]",
 "sshPublicKey": "[basics('auth').sshPublicKey]",
 "vmName": "[basics('gatewayNameUi')]",
- "vmSize": "[coalesce(steps('chkp').R8110vmSizeUiBYOL, steps('chkp').R8110vmSizeUiNGTP, steps('chkp').R8110vmSizeUiNGTX, steps('chkp').R8120vmSizeUiBYOL, steps('chkp').R8120vmSizeUiNGTP, steps('chkp').R8120vmSizeUiNGTX )]",
+ "vmSize": "[coalesce(steps('chkp').R8110vmSizeUiBYOL, steps('chkp').R8110vmSizeUiNGTP, steps('chkp').R8110vmSizeUiNGTX, steps('chkp').R8120vmSizeUiBYOL, steps('chkp').R8120vmSizeUiNGTP, steps('chkp').R8120vmSizeUiNGTX, steps('chkp').R82vmSizeUiBYOL, steps('chkp').R82vmSizeUiNGTP, steps('chkp').R82vmSizeUiNGTX )]",
 "sicKey": "[coalesce(steps('chkp').sicKeyUi, 'notused')]",
 "virtualNetworkName": "[steps('network').virtualNetwork.name]",
 "virtualNetworkAddressPrefix": "[steps('network').virtualNetwork.addressPrefix]",
diff --git a/azure/templates/marketplace-single/mainTemplate.json b/azure/templates/marketplace-single/mainTemplate.json
index 6085d845..d3216bf3 100644
--- a/azure/templates/marketplace-single/mainTemplate.json
+++ b/azure/templates/marketplace-single/mainTemplate.json
@@ -24,7 +24,10 @@
 "R81.10 - Pay As You Go (NGTX)",
 "R81.20 - Bring Your Own License",
 "R81.20 - Pay As You Go (NGTP)",
- "R81.20 - Pay As You Go (NGTX)"
+ "R81.20 - Pay As You Go (NGTX)",
+ "R82 - Bring Your Own License",
+ "R82 - Pay As You Go (NGTP)",
+ "R82 - Pay As You Go (NGTX)"
 ],
 "defaultValue": "R81.20 - Bring Your Own License",
 "metadata": {
@@ -314,7 +317,10 @@
 "R81.10 - Pay As You Go (NGTX)": "NGTX",
 "R81.20 - Bring Your Own License": "BYOL",
 "R81.20 - Pay As You Go (NGTP)": "NGTP",
- "R81.20 - Pay As You Go (NGTX)": "NGTX"
+ "R81.20 - Pay As You Go (NGTX)": "NGTX",
+ "R82 - Bring Your Own License": "BYOL",
+ "R82 - Pay As You Go (NGTP)": "NGTP",
+ "R82 - Pay As You Go (NGTX)": "NGTX"
 },
 "offer": "[variables('offers')[parameters('cloudGuardVersion')]]",
 "osVersions": {
@@ -323,7 +329,10 @@
 "R81.10 - Pay As You Go (NGTX)": "R8110",
 "R81.20 - Bring Your Own License": "R8120",
 "R81.20 - Pay As You Go (NGTP)": "R8120",
- "R81.20 - Pay As You Go (NGTX)": "R8120"
+ "R81.20 - Pay As You Go (NGTX)": "R8120",
+ "R82 - Bring Your Own License": "R82",
+ "R82 - Pay As You Go (NGTP)": "R82",
+ "R82 - Pay As You Go (NGTX)": "R82"
 },
 "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]",
 "serialConsoleGeographies": {
@@ -541,7 +550,7 @@
 "customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'managementGUIClientNetwork=\"', variables('managementGUIClientNetwork'), '\"', '\n', 'customMetrics=\"', variables('customMetrics'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n', 'smart1CloudToken=\"', parameters('smart1CloudToken'), '\"', '\n', 'MaintenanceModePassword=\"', parameters('MaintenanceModePasswordHash'), '\"', '\n', 'passwordHash=\"', parameters('SerialConsolePasswordHash'), '\"', '\n')]",
 "imageOffer": "[concat('check-point-cg-', toLower(variables('osVersion')))]",
 "imagePublisher": "checkpoint",
- "imageSku": "[if(and(equals(parameters('installationType'), 'standalone'), or(equals(variables('osVersion'),'R8110'), equals(variables('osVersion'),'R8120'))), 'mgmt-byol', 'sg-byol')]",
+ "imageSku": "[if(and(equals(parameters('installationType'), 'standalone'), or(equals(variables('osVersion'),'R8110'), equals(variables('osVersion'),'R8120'), equals(variables('osVersion'),'R82'))), 'mgmt-byol', 'sg-byol')]",
 "imageReferenceBYOL": {
 "offer": "[variables('imageOffer')]",
 "publisher": "[variables('imagePublisher')]",
diff --git a/azure/templates/marketplace-vmss/createUiDefinition.json b/azure/templates/marketplace-vmss/createUiDefinition.json
index cf04efcd..3228cb59 100644
--- a/azure/templates/marketplace-vmss/createUiDefinition.json
+++ b/azure/templates/marketplace-vmss/createUiDefinition.json
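Review bot: The new `imageSku` expression is yet another hand-maintained copy of the set of versions that have a standalone (management) image, and because the `if()` falls through to `'sg-byol'`, a version added to `osVersions` but forgotten here would deploy a gateway image for a standalone installation instead of failing. Keep the list in one variable and test membership: `"standaloneOsVersions": "[createArray('R8110', 'R8120', 'R82')]",` and `"imageSku": "[if(and(equals(parameters('installationType'), 'standalone'), contains(variables('standaloneOsVersions'), variables('osVersion'))), 'mgmt-byol', 'sg-byol')]",`. A one-line comment in `metadata` pointing at the matching `standaloneValidation` rule in createUiDefinition.json would make the coupling visible. The `variables` block this line belongs to starts and ends outside the hunk.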
@@ -571,6 +571,10 @@
 {
 "label": "R81.20",
 "value": "R81.20"
+ },
+ {
+ "label": "R82",
+ "value": "R82"
 }
 ]
 }
@@ -1277,6 +1281,345 @@ }, "count": "[steps('autoprovision').vmCount]" }, + { + "name": "R82vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R82'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D4ds_v5", + "Standard_D4d_v5" + ], + "constraints": { + "allowedSizes": [ + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + "Standard_D2_v5", + "Standard_D4_v5", + "Standard_D8_v5", + "Standard_D16_v5", + "Standard_D32_v5", + "Standard_D2s_v5", + "Standard_D4s_v5", + "Standard_D8s_v5", + "Standard_D16s_v5", + "Standard_D2d_v5", + "Standard_D4d_v5", + "Standard_D8d_v5", + "Standard_D16d_v5", + "Standard_D32d_v5", + "Standard_D2ds_v5", + "Standard_D4ds_v5", + "Standard_D8ds_v5", + "Standard_D16ds_v5", + "Standard_D32ds_v5", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + 
"Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r82", + "sku": "sg-byol" + }, + "count": "[steps('autoprovision').vmCount]" + }, + { + "name": "R82vmSizeUiNGTP", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R82'), contains(steps('chkp').R80Offer, '(NGTP)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D4ds_v5", + "Standard_D4d_v5" + ], + "constraints": { + "allowedSizes": [ + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + "Standard_D2_v5", + "Standard_D4_v5", + "Standard_D8_v5", + "Standard_D16_v5", + "Standard_D32_v5", + "Standard_D2s_v5", + "Standard_D4s_v5", + "Standard_D8s_v5", + "Standard_D16s_v5", + "Standard_D2d_v5", + "Standard_D4d_v5", + "Standard_D8d_v5", + "Standard_D16d_v5", + "Standard_D32d_v5", + "Standard_D2ds_v5", + "Standard_D4ds_v5", + "Standard_D8ds_v5", + "Standard_D16ds_v5", + "Standard_D32ds_v5", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + 
"Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r82", + "sku": "sg-ngtp" + }, + "count": "[steps('autoprovision').vmCount]" + }, + { + "name": "R82vmSizeUiNGTX", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R82'), contains(steps('chkp').R80Offer, '(NGTX)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D4ds_v5", + "Standard_D4d_v5" + ], + "constraints": { + "allowedSizes": [ + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + "Standard_D2_v5", + "Standard_D4_v5", + "Standard_D8_v5", + "Standard_D16_v5", + "Standard_D32_v5", + "Standard_D2s_v5", + "Standard_D4s_v5", + "Standard_D8s_v5", + "Standard_D16s_v5", + "Standard_D2d_v5", + "Standard_D4d_v5", + "Standard_D8d_v5", + "Standard_D16d_v5", + "Standard_D32d_v5", + 
"Standard_D2ds_v5", + "Standard_D4ds_v5", + "Standard_D8ds_v5", + "Standard_D16ds_v5", + "Standard_D32ds_v5", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_D4s_v3", + "Standard_D8s_v3", + "Standard_D16s_v3", + "Standard_D32s_v3", + "Standard_D64s_v3", + "Standard_E4s_v3", + "Standard_E8s_v3", + "Standard_E16s_v3", + "Standard_E20s_v3", + "Standard_E32s_v3", + "Standard_E64s_v3", + "Standard_E64is_v3", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_D15_v2", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16", + "Standard_D4_v3", + "Standard_D8_v3", + "Standard_D16_v3", + "Standard_D32_v3", + "Standard_D64_v3", + "Standard_E4_v3", + "Standard_E8_v3", + "Standard_E16_v3", + "Standard_E20_v3", + "Standard_E32_v3", + "Standard_E64_v3", + "Standard_E64i_v3", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_DS15_v2" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "checkpoint", + "offer": "check-point-cg-r82", + "sku": "sg-ngtx" + }, + "count": "[steps('autoprovision').vmCount]" + }, { "name": "adminShell", "type": "Microsoft.Common.DropDown", 
@@ -1718,7 +2061,7 @@
 "availabilityZonesNum": "[coalesce(steps('autoprovision').availabilityZonesNum, int('0'))]",
 "customMetrics": "[steps('autoprovision').customMetrics]",
 "cloudGuardVersion": "[concat(steps('chkp').cloudGuardVersion, ' - ', coalesce(steps('chkp').R80Offer, 'Bring Your Own License'))]",
- "vmSize": "[coalesce(steps('chkp').R8110vmSizeUiBYOL, steps('chkp').R8110vmSizeUiNGTP, steps('chkp').R8110vmSizeUiNGTX, steps('chkp').R8120vmSizeUiBYOL, steps('chkp').R8120vmSizeUiNGTP, steps('chkp').R8120vmSizeUiNGTX)]",
+ "vmSize": "[coalesce(steps('chkp').R8110vmSizeUiBYOL, steps('chkp').R8110vmSizeUiNGTP, steps('chkp').R8110vmSizeUiNGTX, steps('chkp').R8120vmSizeUiBYOL, steps('chkp').R8120vmSizeUiNGTP, steps('chkp').R8120vmSizeUiNGTX, steps('chkp').R82vmSizeUiBYOL, steps('chkp').R82vmSizeUiNGTP, steps('chkp').R82vmSizeUiNGTX)]",
 "sicKey": "[steps('chkp').sicKeyUi]",
 "bootstrapScript": "[steps('chkp').bootstrapScript]",
 "allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp').allowUploadDownload, 'true')]",
diff --git a/azure/templates/marketplace-vmss/mainTemplate.json b/azure/templates/marketplace-vmss/mainTemplate.json
index 077e926c..d0159464 100644
--- a/azure/templates/marketplace-vmss/mainTemplate.json
+++ b/azure/templates/marketplace-vmss/mainTemplate.json
@@ -24,7 +24,10 @@
 "R81.10 - Pay As You Go (NGTX)",
 "R81.20 - Bring Your Own License",
 "R81.20 - Pay As You Go (NGTP)",
- "R81.20 - Pay As You Go (NGTX)"
+ "R81.20 - Pay As You Go (NGTX)",
+ "R82 - Bring Your Own License",
+ "R82 - Pay As You Go (NGTP)",
+ "R82 - Pay As You Go (NGTX)"
 ],
 "defaultValue": "R81.20 - Bring Your Own License",
 "metadata": {
@@ -510,7 +513,10 @@ "R81.10 - Pay As You Go (NGTX)": "NGTX", "R81.20 - Bring Your Own License": "BYOL", "R81.20 - Pay As You Go (NGTP)": "NGTP", - "R81.20 - Pay As You Go (NGTX)": "NGTX" + "R81.20 - Pay As You Go (NGTX)": "NGTX", + "R82 - Bring Your Own License": "BYOL", + "R82 - Pay As You Go (NGTP)": "NGTP", + "R82 - Pay As You Go (NGTX)": "NGTX" }, "offer": "[variables('offers')[parameters('cloudGuardVersion')]]", "osVersions": { @@ -519,7 +525,10 @@ "R81.10 - Pay As You Go (NGTX)": "R8110", "R81.20 - Bring Your Own License": "R8120", "R81.20 - Pay As You Go (NGTP)": "R8120", - "R81.20 - Pay As You Go (NGTX)": "R8120" + "R81.20 - Pay As You Go (NGTX)": "R8120", + "R82 - Bring Your Own License": "R82", + "R82 - Pay As You Go (NGTP)": "R82", + "R82 - Pay As You Go (NGTX)": "R82" }, "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", "SerialConsoleGeographies": { diff --git a/azure/templates/vwan-managed-app/mainTemplate.json b/azure/templates/vwan-managed-app/mainTemplate.json index 1856f822..eb3efcdc 100644 --- a/azure/templates/vwan-managed-app/mainTemplate.json +++ b/azure/templates/vwan-managed-app/mainTemplate.json @@ -35,7 +35,8 @@ "defaultValue": "R8120", "allowedValues": [ "R8110", - "R8120" + "R8120", + "R82" ], "type": "String", "metadata": { @@ -200,7 +201,7 @@ "name": "vwan-app", "product": "cp-vwan-managed-app", "publisher": "checkpoint", - "version": "1.0.14" + "version": "1.0.15" }, "properties": { "managedResourceGroupId": "[variables('managedResourceGroupId')]", diff --git a/terraform/azure/high-availability-existing-vnet/README.md b/terraform/azure/high-availability-existing-vnet/README.md index 2aa7468d..50753f21 100755 --- a/terraform/azure/high-availability-existing-vnet/README.md +++ b/terraform/azure/high-availability-existing-vnet/README.md @@ -115,9 +115,9 @@ This solution uses the following modules: | | | | | | | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license; | n/a | | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r81";
"check-point-cg-r81.10";
"check-point-cg-r81.20"; | n/a | + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r81";
"check-point-cg-r81.10";
"check-point-cg-r81.20";
"check-point-cg-r82"; | n/a | | | | | | | - | **os_version** | GAIA OS version | string | "R81";
"R8110";
"R8120"; | n/a | + | **os_version** | GAIA OS version | string | "R81";
"R8110";
"R8120";
"R82"; | n/a | | | | | | | | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | n/a | | | | | | | diff --git a/terraform/azure/high-availability-existing-vnet/variables.tf b/terraform/azure/high-availability-existing-vnet/variables.tf index 4aa5ca72..319c945b 100755 --- a/terraform/azure/high-availability-existing-vnet/variables.tf +++ b/terraform/azure/high-availability-existing-vnet/variables.tf @@ -117,7 +117,8 @@ locals { // locals for 'vm_os_offer' allowed values os_version_allowed_values = [ "R81", "R8110", - "R8120" + "R8120", + "R82" ] // will fail if [var.os_version] is invalid: validate_os_version_value = index(local.os_version_allowed_values, var.os_version) @@ -129,7 +130,7 @@ variable "vm_os_sku" { } variable "vm_os_offer" { - description = "The name of the image offer to be deployed.Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" + description = "The name of the image offer to be deployed.Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120, check-point-cg-r82" type = string } @@ -138,6 +139,7 @@ locals { // locals for 'vm_os_offer' allowed values "check-point-cg-r81", "check-point-cg-r8110", "check-point-cg-r8120" + "check-point-cg-r82" ] // will fail if [var.vm_os_offer] is invalid: validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer) diff --git a/terraform/azure/high-availability-new-vnet/README.md b/terraform/azure/high-availability-new-vnet/README.md index 15bfa197..a2dcb08b 100755 --- a/terraform/azure/high-availability-new-vnet/README.md +++ b/terraform/azure/high-availability-new-vnet/README.md @@ -113,9 +113,9 @@ This solution uses the following modules: | | | | | | | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license;
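Review bot: The `@@ -138,6 +139,7 @@` hunk in terraform/azure/high-availability-existing-vnet/variables.tf appends `"check-point-cg-r82"` to `vm_os_offer_allowed_values` directly after `"check-point-cg-r8120"` with no separating comma, so the tuple literal is no longer valid HCL and `terraform validate`/`plan` for this module should fail with a missing item separator error before any offer is accepted. The sibling hunk for high-availability-new-vnet in the same commit does it correctly by rewriting the previous entry as `"check-point-cg-r8120",` and then adding `"check-point-cg-r82"`; this file needs the same two lines. The closing brace of the enclosing `locals` block is outside the hunk.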
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license;| n/a | | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a | + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120";
"check-point-cg-r82"; | n/a | | | | | | | - | **os_version** | GAIA OS version | string | "R81";
"R8110";
"R8120"; | n/a | + | **os_version** | GAIA OS version | string | "R81";
"R8110";
"R8120";
"R82";| n/a | | | | | | | | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | n/a | | | | | | | diff --git a/terraform/azure/high-availability-new-vnet/variables.tf b/terraform/azure/high-availability-new-vnet/variables.tf index 15e5ee4e..b40d7e9f 100755 --- a/terraform/azure/high-availability-new-vnet/variables.tf +++ b/terraform/azure/high-availability-new-vnet/variables.tf @@ -117,7 +117,8 @@ locals { // locals for 'vm_os_offer' allowed values os_version_allowed_values = [ "R81", "R8110", - "R8120" + "R8120", + "R82" ] // will fail if [var.os_version] is invalid: validate_os_version_value = index(local.os_version_allowed_values, var.os_version) @@ -129,7 +130,7 @@ variable "vm_os_sku" { } variable "vm_os_offer" { - description = "The name of the image offer to be deployed.Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" + description = "The name of the image offer to be deployed.Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120, check-point-cg-r82" type = string } @@ -137,7 +138,8 @@ locals { // locals for 'vm_os_offer' allowed values vm_os_offer_allowed_values = [ "check-point-cg-r81", "check-point-cg-r8110", - "check-point-cg-r8120" + "check-point-cg-r8120", + "check-point-cg-r82" ] // will fail if [var.vm_os_offer] is invalid: validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer) diff --git a/terraform/azure/management-existing-vnet/README.md b/terraform/azure/management-existing-vnet/README.md index 41c772e4..8159b782 100755 --- a/terraform/azure/management-existing-vnet/README.md +++ b/terraform/azure/management-existing-vnet/README.md @@ -108,9 +108,9 @@ This solution uses the following modules: | | | | | | | **vm_os_sku** | A sku of the image to be deployed | string | "mgmt-byol" - BYOL license;
"mgmt-25" - PAYG; | n/a | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120";
"check-point-cg-r82"; | n/a | | | | | | - | **os_version** | GAIA OS version | string | "R81";
"R8110";
"R8120";| n/a + | **os_version** | GAIA OS version | string | "R81";
"R8110";
"R8120";
"R82"; | n/a | | | | | | | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | "" | | | | | | diff --git a/terraform/azure/management-existing-vnet/variables.tf b/terraform/azure/management-existing-vnet/variables.tf index ec9272a4..94436ce3 100755 --- a/terraform/azure/management-existing-vnet/variables.tf +++ b/terraform/azure/management-existing-vnet/variables.tf @@ -91,7 +91,8 @@ locals { // locals for 'vm_os_offer' allowed values os_version_allowed_values = [ "R81", "R8110", - "R8120" + "R8120", + "R82" ] // will fail if [var.os_version] is invalid: validate_os_version_value = index(local.os_version_allowed_values, var.os_version) @@ -103,7 +104,7 @@ variable "vm_os_sku" { } variable "vm_os_offer" { - description = "The name of the image offer to be deployed.Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" + description = "The name of the image offer to be deployed.Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120, check-point-cg-r82" type = string } @@ -112,6 +113,7 @@ locals { // locals for 'vm_os_offer' allowed values "check-point-cg-r81", "check-point-cg-r8110", "check-point-cg-r8120", + "check-point-cg-r82", ] // will fail if [var.vm_os_offer] is invalid: validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer) diff --git a/terraform/azure/management-new-vnet/README.md b/terraform/azure/management-new-vnet/README.md index bd14ac2d..d19866e5 100755 --- a/terraform/azure/management-new-vnet/README.md +++ b/terraform/azure/management-new-vnet/README.md @@ -108,9 +108,9 @@ This solution uses the following modules: | | | | | | | **vm_os_sku** | A sku of the image to be deployed | string | "mgmt-byol" - BYOL license;
"mgmt-25" - PAYG; | n/a | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120";
"check-point-cg-r82"; | n/a | | | | | | - | **os_version** | GAIA OS version | string | "R81";
"R8110";
"R8120";| n/a + | **os_version** | GAIA OS version | string | "R81";
"R8110";
"R8120";
"R82"; | n/a | | | | | | | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | "" | | | | | | diff --git a/terraform/azure/management-new-vnet/variables.tf b/terraform/azure/management-new-vnet/variables.tf index 3ed686e1..7097c647 100755 --- a/terraform/azure/management-new-vnet/variables.tf +++ b/terraform/azure/management-new-vnet/variables.tf @@ -91,6 +91,7 @@ locals { // locals for 'vm_os_offer' allowed values "R81", "R8110", "R8120", + "R82" ] // will fail if [var.os_version] is invalid: validate_os_version_value = index(local.os_version_allowed_values, var.os_version) @@ -102,7 +103,7 @@ variable "vm_os_sku" { } variable "vm_os_offer" { - description = "The name of the image offer to be deployed.Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" + description = "The name of the image offer to be deployed.Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120, check-point-cg-r82" type = string } @@ -110,7 +111,8 @@ locals { // locals for 'vm_os_offer' allowed values vm_os_offer_allowed_values = [ "check-point-cg-r81", "check-point-cg-r8110", - "check-point-cg-r8120" + "check-point-cg-r8120", + "check-point-cg-r82" ] // will fail if [var.vm_os_offer] is invalid: validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer) diff --git a/terraform/azure/mds-existing-vnet/README.md b/terraform/azure/mds-existing-vnet/README.md index 6980d7cc..5ab6f874 100755 --- a/terraform/azure/mds-existing-vnet/README.md +++ b/terraform/azure/mds-existing-vnet/README.md @@ -108,9 +108,9 @@ This solution uses the following modules: | | | | | | | **vm_os_sku** | A sku of the image to be deployed | string | "mgmt-byol" - BYOL license;
"mgmt-25" - PAYG; | n/a | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120";
"check-point-cg-r82"; | n/a | | | | | | - | **os_version** | GAIA OS version | string | "R81";
"R8110";
"R8120";| n/a + | **os_version** | GAIA OS version | string | "R81";
"R8110";
"R8120";
"R82"; | n/a | | | | | | | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | "" | | | | | | diff --git a/terraform/azure/mds-existing-vnet/variables.tf b/terraform/azure/mds-existing-vnet/variables.tf index 745c78c7..f870ad8d 100755 --- a/terraform/azure/mds-existing-vnet/variables.tf +++ b/terraform/azure/mds-existing-vnet/variables.tf @@ -111,7 +111,8 @@ locals { // locals for 'vm_os_offer' allowed values os_version_allowed_values = [ "R81", "R8110", - "R8120" + "R8120", + "R82" ] // will fail if [var.os_version] is invalid: validate_os_version_value = index(local.os_version_allowed_values, var.os_version) @@ -123,7 +124,7 @@ variable "vm_os_sku" { } variable "vm_os_offer" { - description = "The name of the image offer to be deployed.Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" + description = "The name of the image offer to be deployed.Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120, check-point-cg-r82" type = string } @@ -131,7 +132,8 @@ locals { // locals for 'vm_os_offer' allowed values vm_os_offer_allowed_values = [ "check-point-cg-r81", "check-point-cg-r8110", - "check-point-cg-r8120" + "check-point-cg-r8120", + "check-point-cg-r82" ] // will fail if [var.vm_os_offer] is invalid: validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer) diff --git a/terraform/azure/mds-new-vnet/README.md b/terraform/azure/mds-new-vnet/README.md index 8b3afc49..c1c7e9d3 100755 --- a/terraform/azure/mds-new-vnet/README.md +++ b/terraform/azure/mds-new-vnet/README.md @@ -108,9 +108,9 @@ This solution uses the following modules: | | | | | | | **vm_os_sku** | A sku of the image to be deployed | string | "mgmt-byol" - BYOL license;
"mgmt-25" - PAYG; | n/a | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120";
"check-point-cg-r82"; | n/a | | | | | | - | **os_version** | GAIA OS version | string | "R81";
"R8110";
"R8120";| n/a + | **os_version** | GAIA OS version | string | "R81";
"R8110";
"R8120";
"R82"; | n/a | | | | | | | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | "" | | | | | | diff --git a/terraform/azure/mds-new-vnet/variables.tf b/terraform/azure/mds-new-vnet/variables.tf index 45c2175a..57891273 100755 --- a/terraform/azure/mds-new-vnet/variables.tf +++ b/terraform/azure/mds-new-vnet/variables.tf @@ -110,7 +110,8 @@ locals { // locals for 'vm_os_offer' allowed values os_version_allowed_values = [ "R81", "R8110", - "R8120" + "R8120", + "R82" ] // will fail if [var.os_version] is invalid: validate_os_version_value = index(local.os_version_allowed_values, var.os_version) @@ -122,7 +123,7 @@ variable "vm_os_sku" { } variable "vm_os_offer" { - description = "The name of the image offer to be deployed.Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120" + description = "The name of the image offer to be deployed.Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120, check-point-cg-r82" type = string } @@ -130,7 +131,8 @@ locals { // locals for 'vm_os_offer' allowed values vm_os_offer_allowed_values = [ "check-point-cg-r81", "check-point-cg-r8110", - "check-point-cg-r8120" + "check-point-cg-r8120", + "check-point-cg-r82" ] // will fail if [var.vm_os_offer] is invalid: validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer) diff --git a/terraform/azure/modules/common/variables.tf b/terraform/azure/modules/common/variables.tf index 33d85f45..99aa176a 100755 --- a/terraform/azure/modules/common/variables.tf +++ b/terraform/azure/modules/common/variables.tf @@ -138,7 +138,8 @@ locals { // locals for 'os_version' allowed values os_version_allowed_values = [ "R81", "R8110", - "R8120" + "R8120", + "R82" ] // will fail if [var.installation_type] is invalid: validate_os_version_value = index(local.os_version_allowed_values, var.os_version) 
@@ -216,7 +217,7 @@ variable "publisher" {
 //************** Storage image reference and plan variables ****************//
 variable "vm_os_offer" {
- description = "The name of the image offer to be deployed.Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120"
+ description = "The name of the image offer to be deployed.Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120, check-point-cg-r82"
 type = string
 }
@@ -224,7 +225,8 @@ locals { // locals for 'vm_os_offer' allowed values
 vm_os_offer_allowed_values = [
 "check-point-cg-r81",
 "check-point-cg-r8110",
- "check-point-cg-r8120"
+ "check-point-cg-r8120",
+ "check-point-cg-r82"
 ]
 // will fail if [var.vm_os_offer] is invalid:
 validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer)
diff --git a/terraform/azure/nva-into-existing-hub/README.md b/terraform/azure/nva-into-existing-hub/README.md
index a2765298..6dca42ef 100644
--- a/terraform/azure/nva-into-existing-hub/README.md
+++ b/terraform/azure/nva-into-existing-hub/README.md
@@ -85,7 +85,7 @@ please see the [CloudGuard Network for Azure Virtual WAN Deployment Guide](https
 | | | | | | | **nva-rg-name** | The name of the resource group that will contain the NVA | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | "tf-vwan-nva-rg"| | | | | | |
- | **os-version** | The GAIA os version | string | "R8110"
"R8120" | "R8120" | + | **os-version** | The GAIA os version | string | "R8110"
"R8120"
"R82" | "R8120" | | | | | | | | **license-type** | The Check Point licence type | string | "Security Enforcement (NGTP)"
"Full Package (NGTX + S1C)"
"Full Package Premium (NGTX + S1C++)" | "Security Enforcement (NGTP)" | | | | | | | | | | | |
@@ -161,8 +161,9 @@ In order to check the template version refer to the [sk116585](https://supportce
 | Template Version | Description |
 |------------------|-------------------|
-| 20240613 | Cosmetic fixes & default values |
-| 20240228 | Added public IP for ingress support | | |
+| 20241028 |Added R82 version support |
+| 20240613 | Cosmetic fixes & default values |
+| 20240228 | Added public IP for ingress support | | |
 | 20231226 | First release of Check Point CloudGuard Network Security Virtual WAN Terraform deployment for Azure | |
diff --git a/terraform/azure/nva-into-existing-hub/main.tf b/terraform/azure/nva-into-existing-hub/main.tf
index 5987c76b..5580d250 100644
--- a/terraform/azure/nva-into-existing-hub/main.tf
+++ b/terraform/azure/nva-into-existing-hub/main.tf
@@ -40,7 +40,7 @@ data "http" "image-versions" {
 }
 locals {
- image_versions = tolist([for version in jsondecode(data.http.image-versions.response_body).properties.availableVersions : version if substr(version, 0, 4) == substr(lower(var.os-version), 1, 4)])
+ image_versions = tolist([for version in jsondecode(data.http.image-versions.response_body).properties.availableVersions : version if substr(version, 0, 4) == substr(lower(length(var.os-version) > 3 ? var.os-version : "${var.os-version}00"), 1, 4)])
 routing_intent-internet-policy = {
 "name": "InternetTraffic",
 "destinations": [
@@ -105,7 +105,7 @@ resource "azurerm_managed_application" "nva" {
 name = "vwan-app"
 product = "cp-vwan-managed-app"
 publisher = "checkpoint"
- version = "1.0.14"
+ version = "1.0.15"
 }
 parameter_values = jsonencode({
 location = {
diff --git a/terraform/azure/nva-into-existing-hub/variables.tf b/terraform/azure/nva-into-existing-hub/variables.tf
index d00283d4..2d6c8e48 100644
--- a/terraform/azure/nva-into-existing-hub/variables.tf
+++ b/terraform/azure/nva-into-existing-hub/variables.tf
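Review bot: The new `image_versions` filter pads a three-character value such as `"R82"` to `"R8200"` before taking `substr(..., 1, 4)`, but nothing on the line says why, and the identical expression is duplicated verbatim in the nva-into-new-vwan/main.tf hunk of this diff. I would move the prefix into its own local with a comment, e.g. `// image versions appear to be matched on a 4-digit prefix ("8120.*"), so a short GAIA version like "R82" is padded to "R8200" first` followed by `os_version_prefix = substr(lower(length(var.os-version) > 3 ? var.os-version : "${var.os-version}00"), 1, 4)`, and have the filter compare against `local.os_version_prefix`; that also keeps the padding rule next to the `contains([...])` validation in variables.tf that decides which values reach it. If no image with that prefix is published the filtered list is empty, which this hunk does not guard; whatever consumes `local.image_versions` outside the hunk should be checked for that case. The `locals` block continues past the hunk.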
@@ -65,8 +65,8 @@ variable "os-version" {
 type = string
 default = "R8120"
 validation {
- condition = contains(["R8110", "R8120"], var.os-version)
- error_message = "Allowed values for os-version are 'R8110', 'R8120'"
+ condition = contains(["R8110", "R8120", "R82"], var.os-version)
+ error_message = "Allowed values for os-version are 'R8110', 'R8120', 'R82'"
 }
 }
diff --git a/terraform/azure/nva-into-new-vwan/README.md b/terraform/azure/nva-into-new-vwan/README.md
index 17fa1ffe..b5d82afc 100644
--- a/terraform/azure/nva-into-new-vwan/README.md
+++ b/terraform/azure/nva-into-new-vwan/README.md
@@ -90,7 +90,7 @@ please see the [CloudGuard Network for Azure Virtual WAN Deployment Guide](https
 | || | | | | **nva-rg-name** | The name of the resource group that will contain the NVA | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | tf-vwan-nva-rg | | || | | |
- | **os-version** | The GAIA os version| string | "R8110"
"R8120" | "R8120" | + | **os-version** | The GAIA os version| string | "R8110"
"R8120"
"R82" | "R8120" | | || | | | | **license-type** | The Check Point licence type | string | "Security Enforcement (NGTP)"
"Full Package (NGTX + S1C)"
"Full Package Premium (NGTX + S1C++)" | "Security Enforcement (NGTP)" | | || | | |
@@ -171,6 +171,7 @@ In order to check the template version refer to the [sk116585](https://supportce
 | Template Version | Description |
 |------------------|-----------------------------------------------------------------------------------------------|
+| 20241028 |Added R82 version support |
 | 20240613 | Cosmetic fixes & default values |
 | 20240228 | Added public IP for ingress support | | |
 | 20231226 | First release of Check Point CloudGuard Network Security Virtual WAN Terraform deployment for Azure | | |
diff --git a/terraform/azure/nva-into-new-vwan/main.tf b/terraform/azure/nva-into-new-vwan/main.tf
index 43a409c3..627b0728 100644
--- a/terraform/azure/nva-into-new-vwan/main.tf
+++ b/terraform/azure/nva-into-new-vwan/main.tf
@@ -49,7 +49,7 @@ data "http" "image-versions" {
 }
 locals {
- image_versions = tolist([for version in jsondecode(data.http.image-versions.response_body).properties.availableVersions : version if substr(version, 0, 4) == substr(lower(var.os-version), 1, 4)])
+ image_versions = tolist([for version in jsondecode(data.http.image-versions.response_body).properties.availableVersions : version if substr(version, 0, 4) == substr(lower(length(var.os-version) > 3 ? var.os-version : "${var.os-version}00"), 1, 4)])
 routing_intent-internet-policy = {
 "name": "InternetTraffic",
 "destinations": [
@@ -115,7 +115,7 @@ resource "azurerm_managed_application" "nva" {
 name = "vwan-app"
 product = "cp-vwan-managed-app"
 publisher = "checkpoint"
- version = "1.0.14"
+ version = "1.0.15"
 }
 parameter_values = jsonencode({
 location = {
diff --git a/terraform/azure/nva-into-new-vwan/variables.tf b/terraform/azure/nva-into-new-vwan/variables.tf
index 927592c9..b5ec36b9 100644
--- a/terraform/azure/nva-into-new-vwan/variables.tf
+++ b/terraform/azure/nva-into-new-vwan/variables.tf
@@ -76,8 +76,8 @@ variable "os-version" {
 type = string
 default = "R8120"
 validation {
- condition = contains(["R8110", "R8120"], var.os-version)
- error_message = "Allowed values for os-version are 'R8110', 'R8120'"
+ condition = contains(["R8110", "R8120", "R82"], var.os-version)
+ error_message = "Allowed values for os-version are 'R8110', 'R8120', 'R82'"
 }
 }
diff --git a/terraform/azure/single-gateway-existing-vnet/README.md b/terraform/azure/single-gateway-existing-vnet/README.md
index b49b1886..47eb8a5c 100755
--- a/terraform/azure/single-gateway-existing-vnet/README.md
+++ b/terraform/azure/single-gateway-existing-vnet/README.md
@@ -112,9 +112,9 @@ This solution uses the following modules:
 | | | | | | | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license | n/a | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120";
"check-point-cg-r82"; | n/a | | | | | | - | **os_version** | GAIA OS version | string | "R81";
"R8110";
"R8120"; | n/a + | **os_version** | GAIA OS version | string | "R81";
"R8110";
"R8120";
"R82"; | n/a | | | | | | | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | "" | | | | | |
diff --git a/terraform/azure/single-gateway-existing-vnet/variables.tf b/terraform/azure/single-gateway-existing-vnet/variables.tf
index f6f2da36..debd9b9d 100755
--- a/terraform/azure/single-gateway-existing-vnet/variables.tf
+++ b/terraform/azure/single-gateway-existing-vnet/variables.tf
@@ -104,7 +104,8 @@ locals { // locals for 'vm_os_offer' allowed values
 os_version_allowed_values = [
 "R81",
 "R8110",
- "R8120"
+ "R8120",
+ "R82"
 ]
 // will fail if [var.os_version] is invalid:
 validate_os_version_value = index(local.os_version_allowed_values, var.os_version)
@@ -116,7 +117,7 @@ variable "vm_os_sku" {
 }
 variable "vm_os_offer" {
- description = "The name of the image offer to be deployed.Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120"
+ description = "The name of the image offer to be deployed.Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120, check-point-cg-r82"
 type = string
 }
@@ -124,7 +125,8 @@ locals { // locals for 'vm_os_offer' allowed values
 vm_os_offer_allowed_values = [
 "check-point-cg-r81",
 "check-point-cg-r8110",
- "check-point-cg-r8120"
+ "check-point-cg-r8120",
+ "check-point-cg-r82"
 ]
 // will fail if [var.vm_os_offer] is invalid:
 validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer)
diff --git a/terraform/azure/single-gateway-new-vnet/README.md b/terraform/azure/single-gateway-new-vnet/README.md
index b9227c85..bfe2cfcc 100755
--- a/terraform/azure/single-gateway-new-vnet/README.md
+++ b/terraform/azure/single-gateway-new-vnet/README.md
@@ -112,9 +112,9 @@ This solution uses the following modules:
 | | | | | | | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license | n/a | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120";
"check-point-cg-r82"; | n/a | | | | | | - | **os_version** | GAIA OS version | string | "R81";
"R8110";
"R8120"; | n/a | + | **os_version** | GAIA OS version | string | "R81";
"R8110";
"R8120";
"R82"; | n/a | | | | | | | | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | "" | | | | | |
diff --git a/terraform/azure/single-gateway-new-vnet/variables.tf b/terraform/azure/single-gateway-new-vnet/variables.tf
index 7b247e96..5a75c23d 100755
--- a/terraform/azure/single-gateway-new-vnet/variables.tf
+++ b/terraform/azure/single-gateway-new-vnet/variables.tf
@@ -103,7 +103,8 @@ locals { // locals for 'vm_os_offer' allowed values
 os_version_allowed_values = [
 "R81",
 "R8110",
- "R8120"
+ "R8120",
+ "R82"
 ]
 // will fail if [var.os_version] is invalid:
 validate_os_version_value = index(local.os_version_allowed_values, var.os_version)
@@ -115,7 +116,7 @@ variable "vm_os_sku" {
 }
 variable "vm_os_offer" {
- description = "The name of the image offer to be deployed.Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120"
+ description = "The name of the image offer to be deployed.Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120, check-point-cg-r82"
 type = string
 }
@@ -123,7 +124,8 @@ locals { // locals for 'vm_os_offer' allowed values
 vm_os_offer_allowed_values = [
 "check-point-cg-r81",
 "check-point-cg-r8110",
- "check-point-cg-r8120"
+ "check-point-cg-r8120",
+ "check-point-cg-r82"
 ]
 // will fail if [var.vm_os_offer] is invalid:
 validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer)
diff --git a/terraform/azure/vmss-existing-vnet/README.md b/terraform/azure/vmss-existing-vnet/README.md
index 73b83eb3..f19aa45a 100755
--- a/terraform/azure/vmss-existing-vnet/README.md
+++ b/terraform/azure/vmss-existing-vnet/README.md
@@ -109,9 +109,9 @@ This solution uses the following modules:
 | | | | | | | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license; | n/a | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120";
"check-point-cg-r82"; | n/a | | | | | | - | **os_version** | GAIA OS version | string | "R81";
"R8110";
"R8120"; | n/a + | **os_version** | GAIA OS version | string | "R81";
"R8110";
"R8120";
"R82"; | n/a | | | | | | | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | n/a | | | | | |
diff --git a/terraform/azure/vmss-existing-vnet/variables.tf b/terraform/azure/vmss-existing-vnet/variables.tf
index 1ad5bb46..b95ee2e4 100755
--- a/terraform/azure/vmss-existing-vnet/variables.tf
+++ b/terraform/azure/vmss-existing-vnet/variables.tf
@@ -116,7 +116,8 @@ locals { // locals for 'vm_os_offer' allowed values
 os_version_allowed_values = [
 "R81",
 "R8110",
- "R8120"
+ "R8120",
+ "R82"
 ]
 // will fail if [var.os_version] is invalid:
 validate_os_version_value = index(local.os_version_allowed_values, var.os_version)
@@ -332,7 +333,7 @@ locals { // locals for 'frontend_load_distribution' allowed values
 //********************** Scale Set variables *******************//
 variable "vm_os_offer" {
- description = "The name of the offer of the image that you want to deploy.Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120"
+ description = "The name of the offer of the image that you want to deploy.Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120, check-point-cg-r82"
 type = string
 }
@@ -341,6 +342,7 @@ locals { // locals for 'vm_os_offer' allowed values
 "check-point-cg-r81",
 "check-point-cg-r8110",
 "check-point-cg-r8120",
+ "check-point-cg-r82"
 ]
 // will fail if [var.vm_os_offer] is invalid:
 validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer)
diff --git a/terraform/azure/vmss-new-vnet/README.md b/terraform/azure/vmss-new-vnet/README.md
index 71857101..b9feac93 100755
--- a/terraform/azure/vmss-new-vnet/README.md
+++ b/terraform/azure/vmss-new-vnet/README.md
@@ -111,9 +111,9 @@ This solution uses the following modules:
 | | | | | | | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license; | n/a | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120";
"check-point-cg-r82"; | n/a | | | | | | - | **os_version** | GAIA OS version | string | "R81";
"R8110";
"R8120"; | n/a + | **os_version** | GAIA OS version | string | "R81";
"R8110";
"R8120";
"R82"; | n/a | | | | | | | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | n/a | | | | | |
diff --git a/terraform/azure/vmss-new-vnet/variables.tf b/terraform/azure/vmss-new-vnet/variables.tf
index afc907c5..f59e7007 100755
--- a/terraform/azure/vmss-new-vnet/variables.tf
+++ b/terraform/azure/vmss-new-vnet/variables.tf
@@ -117,6 +117,7 @@ locals { // locals for 'vm_os_offer' allowed values
 "R81",
 "R8110",
 "R8120",
+ "R82"
 ]
 // will fail if [var.os_version] is invalid:
 validate_os_version_value = index(local.os_version_allowed_values, var.os_version)
@@ -326,7 +327,7 @@ locals { // locals for 'frontend_load_distribution' allowed values
 //********************** Scale Set variables *******************//
 variable "vm_os_offer" {
- description = "The name of the offer of the image that you want to deploy.Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120"
+ description = "The name of the offer of the image that you want to deploy.Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120, check-point-cg-r82"
 type = string
 }
@@ -335,6 +336,7 @@ locals { // locals for 'vm_os_offer' allowed values
 "check-point-cg-r81",
 "check-point-cg-r8110",
 "check-point-cg-r8120",
+ "check-point-cg-r82"
 ]
 // will fail if [var.vm_os_offer] is invalid:
 validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer)